Diffstat (limited to 'modules')
439 files changed, 8600 insertions, 4881 deletions
diff --git a/modules/amavis/templates/amavisd.conf b/modules/amavis/templates/amavisd.conf index 0e3b3f1d..84a44944 100644 --- a/modules/amavis/templates/amavisd.conf +++ b/modules/amavis/templates/amavisd.conf @@ -22,7 +22,7 @@ $daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g # a convenient default for other settings could be localhost.localdomain # or change this as your needs -# $MYHOME = '/var/lib/amavis'; # a convenient default for other settings, -H +$MYHOME = '/run/amavis'; # a convenient default for other settings, -H $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. $QUARANTINEDIR = '/var/spool/amavis/virusmails'; # -Q @@ -154,8 +154,8 @@ $defang_by_ccat{+CC_BADH.",6"} = 1; # header field syntax error # $myhostname = 'host.example.com'; # must be a fully-qualified domain name! -# $notify_method = 'smtp:[127.0.0.1]:10026'; -# $forward_method = 'smtp:[127.0.0.1]:10026'; # set to undef with milter! +$notify_method = 'smtp:[127.0.0.1]:10026'; +$forward_method = 'smtp:[127.0.0.1]:10026'; # set to undef with milter! # $final_virus_destiny = D_DISCARD; # $final_banned_destiny = D_BOUNCE; @@ -441,7 +441,7 @@ $banned_filename_re = new_RE( # qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, # ], # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, - # currupted or protected archives are to be handled + # corrupted or protected archives are to be handled ### http://www.kaspersky.com/ # ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], diff --git a/modules/apache/manifests/base.pp b/modules/apache/manifests/base.pp index 1af8c256..4e1d6ed4 100644 --- a/modules/apache/manifests/base.pp +++ b/modules/apache/manifests/base.pp 
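Review bot: `$MYHOME = '/run/amavis'` moves the working directory to a location that on systemd hosts is normally a tmpfs recreated at boot, while the comment on the next line, `$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist`, says the directory must already be there; nothing in this hunk shows what recreates `/run/amavis/tmp` after a reboot (a tmpfiles.d entry or the unit file), so confirm the package provides it or add one. `$MYHOME` is also described as the default for other settings, so any state that should survive a reboot has to be pointed elsewhere explicitly. The two newly uncommented `$notify_method`/`$forward_method` lines bind re-injection to `[127.0.0.1]:10026`; a one-line comment naming that listener, e.g. `# MTA re-injection listener; must match the mail server's configuration`, would help the next reader.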
@@ -1,34 +1,34 @@ class apache::base { + include apache::var - # number of time the log file are rotated before being removed - $httpdlogs_rotate = '24' + $conf_d = '/etc/httpd/conf/conf.d' - $apache_user = 'apache' - $apache_group = 'apache' - - package { 'apache-mpm-prefork': } - - if ($lsbdistrelease == '1') or ($lsbdistid == 'MandrivaLinux') { - package { 'apache-conf': } - } else { - package { 'apache': } + package { 'apache': + alias => 'apache-server', } service { 'httpd': alias => 'apache', - subscribe => [ Package['apache-mpm-prefork'] ], + subscribe => [ Package['apache-server'] ], } - exec { 'service httpd configtest': + exec { 'apachectl configtest': refreshonly => true, notify => Service['apache'], } apache::config { - '/etc/httpd/conf.d/customization.conf': - content => template('apache/customization.conf'); + "${conf_d}/no_hidden_file_dir.conf": + content => template('apache/no_hidden_file_dir.conf'), + require => Package[$apache::var::pkg_conf]; + "${conf_d}/customization.conf": + content => template('apache/customization.conf'), + require => Package[$apache::var::pkg_conf]; '/etc/httpd/conf/vhosts.d/00_default_vhosts.conf': - content => template('apache/00_default_vhosts.conf'); + content => template('apache/00_default_vhosts.conf'), + require => Package[$apache::var::pkg_conf]; + '/etc/httpd/conf/modules.d/50_mod_deflate.conf': + content => template('apache/50_mod_deflate.conf'); } file { '/etc/logrotate.d/httpd': diff --git a/modules/apache/manifests/config.pp b/modules/apache/manifests/config.pp index a6e1e231..0ff0962c 100644 --- a/modules/apache/manifests/config.pp +++ b/modules/apache/manifests/config.pp @@ -1,6 +1,6 @@ define apache::config($content) { file { $name: content => $content, - notify => Exec['service httpd configtest'], + notify => Exec['apachectl configtest'], } } diff --git a/modules/apache/manifests/cve-2011-3192.pp b/modules/apache/manifests/cve-2011-3192.pp index 20b53216..1e39ac04 100644 
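Review bot: the new `'/etc/httpd/conf/modules.d/50_mod_deflate.conf'` entry is the only `apache::config` in the block without `require => Package[$apache::var::pkg_conf]`, although the other three entries receive it in this same hunk; on a fresh host the file may be managed before the package that owns `modules.d` is installed. Add the same `require` for consistency. Also, `apache::mod::deflate` (which installed `apache-mod_deflate`) is deleted later in this diff and nothing here installs a replacement; the template guards itself with `<IfModule mod_deflate.c>` so the file is harmless, but whether compression is actually active now depends on the base `apache` package shipping the module, which is worth recording on the resource, e.g. `# mod_deflate is expected to come with the 'apache' package; the template is a no-op otherwise`.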
--- a/modules/apache/manifests/cve-2011-3192.pp +++ b/modules/apache/manifests/cve-2011-3192.pp @@ -1,8 +1,9 @@ class apache::cve-2011-3192 { + include apache::base # temporary protection against CVE-2011-3192 - # http://httpd.apache.org/security/CVE-2011-3192.txt + # https://httpd.apache.org/security/CVE-2011-3192.txt apache::config { - '/etc/httpd/conf.d/CVE-2011-3192.conf': - content => template('apache/CVE-2011-3192.conf'), + "${apache::base::conf_d}/CVE-2011-3192.conf": + content => template('apache/CVE-2011-3192.conf'), } } diff --git a/modules/apache/manifests/init.pp b/modules/apache/manifests/init.pp index 5bfaa004..40779d4d 100644 --- a/modules/apache/manifests/init.pp +++ b/modules/apache/manifests/init.pp @@ -3,18 +3,23 @@ class apache { include apache::base apache::vhost::base { $name: location => $location, - } - } + } + apache::vhost::base { "ssl_${name}": + vhost => $name, + use_ssl => true, + location => $location, + } + } define vhost_redirect($url, - $vhost = false, + $vhost = false, $use_ssl = false) { include apache::base apache::vhost::base { $name: use_ssl => $use_ssl, - vhost => $vhost, + vhost => $vhost, content => template("apache/vhost_redirect.conf"), - } - } + } + } } diff --git a/modules/apache/manifests/mod/deflate.pp b/modules/apache/manifests/mod/deflate.pp deleted file mode 100644 index 0e2211aa..00000000 --- a/modules/apache/manifests/mod/deflate.pp +++ /dev/null @@ -1,4 +0,0 @@ -class apache::mod::deflate { - include apache::base - package { 'apache-mod_deflate': } -} diff --git a/modules/apache/manifests/mod/fastcgi.pp b/modules/apache/manifests/mod/fastcgi.pp index 4f10ccab..2b421291 100644 --- a/modules/apache/manifests/mod/fastcgi.pp +++ b/modules/apache/manifests/mod/fastcgi.pp @@ -2,3 +2,4 @@ class apache::mod::fastcgi { include apache::base package { 'apache-mod_fastcgi': } } + diff --git a/modules/apache/manifests/mod/fcgid.pp b/modules/apache/manifests/mod/fcgid.pp index 6c815681..b8186a64 100644 
--- a/modules/apache/manifests/mod/fcgid.pp +++ b/modules/apache/manifests/mod/fcgid.pp @@ -1,4 +1,11 @@ class apache::mod::fcgid { include apache::base package { 'apache-mod_fcgid': } + + file { 'urlescape': + path => '/usr/local/bin/urlescape', + mode => '0755', + notify => Service['apache'], + content => template('apache/urlescape'), + } } diff --git a/modules/apache/manifests/mod/php.pp b/modules/apache/manifests/mod/php.pp index c5de893e..2c8d6733 100644 --- a/modules/apache/manifests/mod/php.pp +++ b/modules/apache/manifests/mod/php.pp @@ -4,7 +4,7 @@ class apache::mod::php { package { 'apache-mod_php': } - apache::config { '/etc/httpd/conf.d/mod_php.conf': + apache::config { "${apache::base::conf_d}/mod_php.conf": content => template('apache/mod/php.conf'), } } diff --git a/modules/apache/manifests/mod/ssl.pp b/modules/apache/manifests/mod/ssl.pp index 6e9be525..ab3d24e4 100644 --- a/modules/apache/manifests/mod/ssl.pp +++ b/modules/apache/manifests/mod/ssl.pp @@ -14,7 +14,7 @@ class apache::mod::ssl { apache::config { '/etc/httpd/conf/vhosts.d/01_default_ssl_vhost.conf': content => template('apache/01_default_ssl_vhost.conf'); - '/etc/httpd/conf.d/ssl.conf': - content => template('apache/mod/ssl.conf'); + "${apache::base::conf_d}/ssl_vhost.conf": + content => template('apache/mod/ssl_vhost.conf'); } } diff --git a/modules/apache/manifests/mod/wsgi.pp b/modules/apache/manifests/mod/wsgi.pp index d2ab72d2..7f4fb719 100644 --- a/modules/apache/manifests/mod/wsgi.pp +++ b/modules/apache/manifests/mod/wsgi.pp @@ -6,7 +6,7 @@ class apache::mod::wsgi { ensure => directory, } - apache::config { '/etc/httpd/conf.d/mod_wsgi.conf': + apache::config { "${apache::base::conf_d}/mod_wsgi.conf": content => template('apache/mod/wsgi.conf'), } } diff --git a/modules/apache/manifests/var.pp b/modules/apache/manifests/var.pp new file mode 100644 index 00000000..4a6d68eb --- /dev/null +++ b/modules/apache/manifests/var.pp 
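Review bot: the `file { 'urlescape': ... }` resource sets `mode => '0755'` but no `owner`/`group`; since httpd executes this helper via `RewriteMap ... prg:` (see `vhost_fcgid_norobot.conf` later in the diff), pinning `owner => 'root', group => 'root'` explicitly guarantees it can never be writable by the account the web server runs as, regardless of how the agent happens to run. A short comment on the resource would also help, e.g. `# helper for RewriteMap prg: in vhost_fcgid_norobot.conf; must stay root-owned`.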
@@ -0,0 +1,12 @@ +# $httpdlogs_rotate: +# number of time the log file are rotated before being removed +# $default_vhost_redirect: +# URL to redirect to in case of unknown vhost +class apache::var( + $httpdlogs_rotate = '24', + $apache_user = 'apache', + $apache_group = 'apache', + $default_vhost_redirect = '' +) { + $pkg_conf = 'apache' +} diff --git a/modules/apache/manifests/vhost/base.pp b/modules/apache/manifests/vhost/base.pp index a7e5720d..27a19998 100644 --- a/modules/apache/manifests/vhost/base.pp +++ b/modules/apache/manifests/vhost/base.pp @@ -7,10 +7,11 @@ define apache::vhost::base ($content = '', $access_logfile = false, $error_logfile = false, $options = [], - $enable_public_html = false) { + $enable_public_html = false, + $enable_location = true) { include apache::base $httpd_logdir = '/var/log/httpd' - $filename = "$name.conf" + $filename = "${name}.conf" if ! $vhost { $real_vhost = $name @@ -19,12 +20,12 @@ define apache::vhost::base ($content = '', } if ! $access_logfile { - $real_access_logfile = "$httpd_logdir/${real_vhost}-access_log" + $real_access_logfile = "${httpd_logdir}/${real_vhost}-access_log" } else { $real_access_logfile = $access_logfile } if ! $error_logfile { - $real_error_logfile = "$httpd_logdir/${real_vhost}-error_log" + $real_error_logfile = "${httpd_logdir}/${real_vhost}-error_log" } else { $real_error_logfile = $error_logfile } @@ -34,7 +35,7 @@ define apache::vhost::base ($content = '', if $wildcard_sslcert != true { openssl::self_signed_cert{ $real_vhost: directory => '/etc/ssl/apache/', - before => Apache::Config["/etc/httpd/conf/vhosts.d/$filename"], + before => Apache::Config["/etc/httpd/conf/vhosts.d/$(unknown)"], } } } @@ -43,8 +44,7 @@ define apache::vhost::base ($content = '', include apache::mod::public_html } - apache::config { "/etc/httpd/conf/vhosts.d/$filename": + apache::config { "/etc/httpd/conf/vhosts.d/$(unknown)": content => template('apache/vhost_base.conf') } } - 
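Review bot: the header comment of `apache::var` documents `$httpdlogs_rotate` and `$default_vhost_redirect` but not `$apache_user`, `$apache_group` or the class-body variable `$pkg_conf`, which other manifests in this commit reference as `Package[$apache::var::pkg_conf]`. Add `# $pkg_conf: package owning the httpd conf directories; apache::config resources require it` plus one line each for the user/group parameters. The existing wording 'number of time the log file are rotated' should read 'number of times the log files are rotated'. Since `00_default_vhosts.conf` interpolates `$default_vhost_redirect` verbatim into a `Redirect` directive, its comment should also state that the value must be an absolute URL.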
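Review bot: the two rewritten lines in `vhost/base.pp` read `Apache::Config["/etc/httpd/conf/vhosts.d/$(unknown)"]` and `apache::config { "/etc/httpd/conf/vhosts.d/$(unknown)":` where the old side had `$filename`; `$(unknown)` is not Puppet interpolation syntax, so if it is literal in the commit rather than an artifact of how this page was rendered, every vhost file would be written under one fixed bogus name and the `before` reference would not resolve. The intended text is presumably `"/etc/httpd/conf/vhosts.d/${filename}"` in both places — please confirm against the repository. The new `$enable_location = true` parameter is also undocumented; a comment such as `# $enable_location: emit the <Location /> access grant; set false when $content supplies its own` would say when to turn it off. The define's signature starts before this hunk.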
diff --git a/modules/apache/manifests/vhost/catalyst_app.pp b/modules/apache/manifests/vhost/catalyst_app.pp index 54a00fb2..1ce40747 100644 --- a/modules/apache/manifests/vhost/catalyst_app.pp +++ b/modules/apache/manifests/vhost/catalyst_app.pp @@ -2,12 +2,22 @@ define apache::vhost::catalyst_app( $script, $location = '', $process = 4, $use_ssl = false, + $aliases = {}, $vhost = false) { - include apache::mod::fastcgi + include apache::mod::fcgid + if ($location) { + $aliases['/static'] = "${location}/root/static" + } + + $script_aliases = { + '/' => "$script/", + } + apache::vhost::base { $name: vhost => $vhost, use_ssl => $use_ssl, - content => template('apache/vhost_catalyst_app.conf'), + content => template('apache/vhost_fcgid.conf'), + aliases => $aliases, } } diff --git a/modules/apache/manifests/vhost/django_app.pp b/modules/apache/manifests/vhost/django_app.pp index 5613e384..91974acd 100644 --- a/modules/apache/manifests/vhost/django_app.pp +++ b/modules/apache/manifests/vhost/django_app.pp @@ -11,8 +11,8 @@ define apache::vhost::django_app ($module = false, # module is a ruby reserved keyword, cannot be used in templates $django_module = $module - file { "$name.wsgi": - path => "/usr/local/lib/wsgi/$name.wsgi", + file { "${name}.wsgi": + path => "/usr/local/lib/wsgi/${name}.wsgi", mode => '0755', notify => Service['apache'], content => template('apache/django.wsgi'), diff --git a/modules/apache/manifests/vhost/other_app.pp b/modules/apache/manifests/vhost/other_app.pp index 69b3ec56..f5a71574 100644 --- a/modules/apache/manifests/vhost/other_app.pp +++ b/modules/apache/manifests/vhost/other_app.pp @@ -1,6 +1,6 @@ define apache::vhost::other_app($vhost_file) { include apache::base - apache::config { "/etc/httpd/conf/vhosts.d/$name.conf": + apache::config { "/etc/httpd/conf/vhosts.d/${name}.conf": content => template($vhost_file), } } 
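Review bot: `$aliases['/static'] = "${location}/root/static"` assigns into a hash that arrived as a parameter; Puppet 4 and later reject element assignment outright and older parsers at best tolerated it for keys not yet present, so I would expect this to fail at catalog compilation — confirm which Puppet version these manifests target. Building a new hash sidesteps the question, e.g. `$real_aliases = $location ? { '' => $aliases, default => merge($aliases, { '/static' => "${location}/root/static" }) }` and `aliases => $real_aliases,` in the `apache::vhost::base` call (`merge` comes from stdlib, which the repository may or may not already use). Separately, `'/' => "$script/"` uses the unbraced interpolation form that the rest of this commit is replacing with `${script}`.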
diff --git a/modules/apache/manifests/vhost/redirect_ssl.pp b/modules/apache/manifests/vhost/redirect_ssl.pp index 3458d59d..22a4d4f6 100644 --- a/modules/apache/manifests/vhost/redirect_ssl.pp +++ b/modules/apache/manifests/vhost/redirect_ssl.pp @@ -1,5 +1,5 @@ define apache::vhost::redirect_ssl() { - apache::vhost::base { "redirect_ssl_$name": + apache::vhost::base { "redirect_ssl_${name}": vhost => $name, content => template('apache/vhost_ssl_redirect.conf') } diff --git a/modules/apache/manifests/vhost/reverse_proxy.pp b/modules/apache/manifests/vhost/reverse_proxy.pp index a6570c2f..a32aaff0 100644 --- a/modules/apache/manifests/vhost/reverse_proxy.pp +++ b/modules/apache/manifests/vhost/reverse_proxy.pp @@ -1,6 +1,7 @@ define apache::vhost::reverse_proxy($url, $vhost = false, - $use_ssl = false) { + $use_ssl = false, + $content = '') { include apache::mod::proxy apache::vhost::base { $name: use_ssl => $use_ssl, diff --git a/modules/apache/manifests/webapp_other.pp b/modules/apache/manifests/webapp_other.pp index 277558b5..147a2370 100644 --- a/modules/apache/manifests/webapp_other.pp +++ b/modules/apache/manifests/webapp_other.pp @@ -1,7 +1,7 @@ define apache::webapp_other($webapp_file) { include apache::base $webappname = $name - apache::config { "/etc/httpd/conf/webapps.d/$webappname.conf": + apache::config { "/etc/httpd/conf/webapps.d/${webappname}.conf": content => template($webapp_file), } } diff --git a/modules/apache/templates/00_default_vhosts.conf b/modules/apache/templates/00_default_vhosts.conf index 25f59b5e..9a5f586c 100644 --- a/modules/apache/templates/00_default_vhosts.conf +++ b/modules/apache/templates/00_default_vhosts.conf 
@@ -3,5 +3,13 @@ <Location /> Allow from all </Location> - Redirect / http://www.<%= domain %>/ + <%- + default_redirect = scope.lookupvar('apache::var::default_vhost_redirect') + if default_redirect == '' + -%> + Redirect 404 / + ErrorDocument 404 "Page Not Found" + <%- else -%> + Redirect / <%= default_redirect %> + <%- end -%> </VirtualHost> diff --git a/modules/apache/templates/01_default_ssl_vhost.conf b/modules/apache/templates/01_default_ssl_vhost.conf index d2aa9f94..323bf145 100644 --- a/modules/apache/templates/01_default_ssl_vhost.conf +++ b/modules/apache/templates/01_default_ssl_vhost.conf @@ -15,7 +15,7 @@ # General setup for the virtual host DocumentRoot "/var/www/html" #ServerName localhost:443 -ServerAdmin root@<%= domain %> +ServerAdmin root@<%= @domain %> ErrorLog logs/ssl_error_log <IfModule mod_log_config.c> 
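Review bot: `Redirect / <%= default_redirect %>` emits `apache::var::default_vhost_redirect` unquoted and unvalidated; a value containing whitespace, or one that is not an absolute URL, produces a config that fails at `apachectl configtest` rather than at catalog time. Either a guard in the template or a comment on the parameter in `var.pp` stating 'absolute URL, no spaces' would make the contract explicit. Note also that `Redirect` without a status code is a 302; for a permanent catch-all default vhost `Redirect permanent / <%= default_redirect %>` may be what is meant — confirm intent.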
@@ -29,17 +29,19 @@ SSLEngine on # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW +SSLHonorCipherOrder On +SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS + # SSL Protocol support: # List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +# connect. Disable SSLv2/v3 access by default: +SSLProtocol ALL -SSLv2 -SSLv3 -<%- if wildcard_sslcert == 'true' then -%> -SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt -SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key -SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem +<%- if @wildcard_sslcert == 'true' then -%> +SSLCertificateFile /etc/ssl/wildcard.<%= @domain %>.crt +SSLCertificateKeyFile /etc/ssl/wildcard.<%= @domain %>.key +SSLCACertificateFile /etc/ssl/wildcard.<%= @domain %>.pem SSLVerifyClient None <%- else -%> SSLCertificateFile /etc/ssl/apache/localhost.pem diff --git a/modules/apache/templates/50_mod_deflate.conf b/modules/apache/templates/50_mod_deflate.conf new file mode 100644 index 00000000..5192bf6e --- /dev/null +++ b/modules/apache/templates/50_mod_deflate.conf 
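Review bot: the `SSLHonorCipherOrder`/`SSLCipherSuite`/`SSLProtocol` policy added here is duplicated byte-for-byte in the new `vhost_ssl.conf` template later in this diff; `vhost_base.conf` already includes that file via `scope.function_template`, so the default SSL vhost should do the same instead of carrying a second copy that will drift. As for the policy itself, `SSLProtocol ALL -SSLv2 -SSLv3` still enables TLS 1.0 and 1.1 and the suite keeps `ECDH+3DES:DH+3DES:RSA+3DES`; unless legacy clients are known to need them, `SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` and dropping the three 3DES entries is the usual hardening. Whichever policy is kept, a comment with the date and the source of the cipher list makes the next review easier.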
@@ -0,0 +1,36 @@
+<IfModule mod_deflate.c>
+ # Compress HTML, CSS, JavaScript, JSON, Text, XML and fonts
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/rss+xml
+ AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
+ AddOutputFilterByType DEFLATE application/x-font
+ AddOutputFilterByType DEFLATE application/x-font-opentype
+ AddOutputFilterByType DEFLATE application/x-font-otf
+ AddOutputFilterByType DEFLATE application/x-font-truetype
+ AddOutputFilterByType DEFLATE application/x-font-ttf
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE application/xhtml+xml
+ AddOutputFilterByType DEFLATE application/xml
+ AddOutputFilterByType DEFLATE font/opentype
+ AddOutputFilterByType DEFLATE font/otf
+ AddOutputFilterByType DEFLATE font/ttf
+ AddOutputFilterByType DEFLATE image/svg+xml
+ AddOutputFilterByType DEFLATE image/x-icon
+ AddOutputFilterByType DEFLATE text/css
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/javascript
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/xml
+
+ # Level of compression (9=highest compression level)
+ DeflateCompressionLevel 1
+
+ # Do not compress certain file types
+ SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|heif|heic|webp|mp4|mov|mpg|webm|avi)$ no-gzip dont-vary
+ SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|xz|zst|lzo|lzma|sit|rar|cab|rpm)$ no-gzip dont-vary
+ SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
+
+ # Make sure proxies don't deliver the wrong content
+ Header append Vary User-Agent env=!dont-vary
+</IfModule>
diff --git a/modules/apache/templates/django.wsgi b/modules/apache/templates/django.wsgi
index aa0b82c8..2188e1e7 100644
--- a/modules/apache/templates/django.wsgi
+++ b/modules/apache/templates/django.wsgi
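Review bot: `Header append Vary User-Agent env=!dont-vary` is a mod_headers directive, but the only guard in this file is the outer `<IfModule mod_deflate.c>`; on a host where mod_deflate is loaded and mod_headers is not, httpd refuses to start because of this one line. Wrap it in `<IfModule mod_headers.c>` … `</IfModule>`. The comment on `DeflateCompressionLevel 1` explains the scale but not the choice; a note such as `# level 1: cheapest on CPU, still most of the bandwidth win` records the trade-off.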
@@ -6,8 +6,8 @@ if path not in sys.path: sys.path.append(path) <%- end -%> -<%- if django_module -%> -os.environ['DJANGO_SETTINGS_MODULE'] = '<%= django_module %>.settings' +<%- if @django_module -%> +os.environ['DJANGO_SETTINGS_MODULE'] = '<%= @django_module %>.settings' <%- else -%> os.environ['DJANGO_SETTINGS_MODULE'] = 'settings' <%- end -%> diff --git a/modules/apache/templates/logrotate b/modules/apache/templates/logrotate index f84ae9fe..823989eb 100644 --- a/modules/apache/templates/logrotate +++ b/modules/apache/templates/logrotate @@ -1,13 +1,23 @@ /var/log/httpd/*_log /var/log/httpd/apache_runtime_status /var/log/httpd/ssl_mutex { - rotate <%= httpdlogs_rotate %> +<% if @hostname == 'duvel' %> + rotate 60 + daily +<% elsif @hostname == 'friteuse' %> + # The virtual disk is very small so keep log sizes down + rotate 26 + weekly +<% elsif @hostname == 'sucuk' %> + rotate 52 + weekly +<% else %> + rotate <%= scope.lookupvar('apache::var::httpdlogs_rotate') %> monthly +<% end %> missingok notifempty + sharedscripts compress - prerotate - /etc/rc.d/init.d/httpd closelogs > /dev/null 2>&1 || : - endscript postrotate - /etc/rc.d/init.d/httpd closelogs > /dev/null 2>&1 || : + /bin/systemctl restart httpd.service > /dev/null 2>/dev/null || true endscript } diff --git a/modules/apache/templates/mod/php.conf b/modules/apache/templates/mod/php.conf index 6d64ffb8..8bc20078 100644 --- a/modules/apache/templates/mod/php.conf +++ b/modules/apache/templates/mod/php.conf @@ -1,5 +1,5 @@ # as php insist to have this value set, let's # look on the system for him -php_value date.timezone "<%= php_date_timezone %>" -php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f root@<%= domain %>" +php_value date.timezone "<%= @php_date_timezone %>" +php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f root@<%= @domain %>" diff --git a/modules/apache/templates/mod/ssl.conf b/modules/apache/templates/mod/ssl_vhost.conf index bcfe8201..bcfe8201 100644 
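Review bot: the `postrotate` script now runs `/bin/systemctl restart httpd.service`, which stops the service and drops in-flight requests on every rotation (daily on the `duvel` branch), whereas the old `closelogs` action only reopened the log files; `/bin/systemctl reload httpd.service` (a graceful restart) reopens the logs without killing workers and is the usual choice here. The per-host `rotate`/frequency branches keyed on `@hostname` hard-code site data into the template; moving them to `apache::var` parameters or the node definitions would keep the template generic. The `friteuse` branch carries a comment explaining its value; the `duvel` and `sucuk` branches should get one too.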
--- a/modules/apache/templates/mod/ssl.conf +++ b/modules/apache/templates/mod/ssl_vhost.conf diff --git a/modules/apache/templates/mod/wsgi.conf b/modules/apache/templates/mod/wsgi.conf index 0ecba31a..18678bc6 100644 --- a/modules/apache/templates/mod/wsgi.conf +++ b/modules/apache/templates/mod/wsgi.conf @@ -1,4 +1,4 @@ -# http://code.google.com/p/modwsgi/wiki/ApplicationIssues +# https://code.google.com/p/modwsgi/wiki/ApplicationIssues # mainly for viewvc at the moment , when doing a diff WSGIRestrictStdout Off # again viewvc : @@ -7,6 +7,6 @@ WSGIRestrictStdout Off # WSGIRestrictSignal Off # reenabled, as this prevent apache from restarting properly -# make sure transifex client work fine, as we need wsgi to pass autorisation +# make sure transifex client work fine, as we need wsgi to pass authorisation # header to django ( otherwise, this just show error 401 ) WSGIPassAuthorization On diff --git a/modules/apache/templates/no_hidden_file_dir.conf b/modules/apache/templates/no_hidden_file_dir.conf new file mode 100644 index 00000000..dce78912 --- /dev/null +++ b/modules/apache/templates/no_hidden_file_dir.conf @@ -0,0 +1,4 @@ +# +# dont serve up any hidden files or dirs like .git*, .svn, ... +# +RedirectMatch 404 /\..*$ diff --git a/modules/apache/templates/urlescape b/modules/apache/templates/urlescape new file mode 100644 index 00000000..8feb7fa4 --- /dev/null +++ b/modules/apache/templates/urlescape @@ -0,0 +1,9 @@ +#!/usr/bin/python3 -u +# URL escape each path given on stdin +import sys +import urllib.parse +while True: + l = sys.stdin.readline() + if not l: + break + print(urllib.parse.quote(l.rstrip("\n"))) diff --git a/modules/apache/templates/vhost_base.conf b/modules/apache/templates/vhost_base.conf index 2d89dccc..da26b683 100644 --- a/modules/apache/templates/vhost_base.conf +++ b/modules/apache/templates/vhost_base.conf @@ -1,4 +1,4 @@ -<%- if use_ssl then +<%- if @use_ssl then port = 443 else port = 80 
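Review bot: `RedirectMatch 404 /\..*$` in `no_hidden_file_dir.conf` also covers `/.well-known/`, the prefix RFC 8615 reserves for things like ACME HTTP-01 validation and security.txt; if any vhost on these hosts obtains certificates that way, this server-wide rule breaks it silently. `RedirectMatch 404 "/\.(?!well-known/)"` keeps the intent while exempting that prefix. The comment above the rule could say so explicitly, e.g. `# hide dot-files and dot-dirs (.git, .svn, ...); /.well-known/ is exempted`.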
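Review bot: `l = sys.stdin.readline()` in the new `urlescape` helper reads text, so the decoding of whatever `%{QUERY_STRING}` bytes httpd writes to it depends on the locale httpd runs under; a query string that is not valid in that encoding can raise inside `readline()` or inside `urllib.parse.quote()` (surrogate-escaped input cannot be re-encoded), and once the helper exits every lookup through `RewriteMap urlescape` fails. Reading bytes avoids the whole question: `l = sys.stdin.buffer.readline()` and `print(urllib.parse.quote_from_bytes(l.rstrip(b"\n")))`, with `if not l:` unchanged. A comment stating the `prg:` contract the script implements, `# RewriteMap prg: one input line -> exactly one output line, never block, never exit`, would also help whoever touches it next.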
@@ -6,28 +6,19 @@ end -%> <VirtualHost *:<%= port %>> -<%- if use_ssl then -%> - SSLEngine on - <%- if wildcard_sslcert == 'true' then -%> - SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt - SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key - SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem - SSLVerifyClient None - <%- else -%> - SSLCertificateFile /etc/ssl/apache/<%= real_vhost %>.pem - SSLCertificateKeyFile /etc/ssl/apache/<%= real_vhost %>.pem - <%- end -%> +<%- if @use_ssl then -%> +<%= scope.function_template(["apache/vhost_ssl.conf"]) %> <%- end -%> - ServerName <%= real_vhost %> -<%- server_aliases.each do |key| -%> + ServerName <%= @real_vhost %> +<%- @server_aliases.each do |key| -%> ServerAlias <%= key %> <%- end -%> - DocumentRoot <%= location %> + DocumentRoot <%= @location %> - CustomLog <%= real_access_logfile %> combined - ErrorLog <%= real_error_logfile %> + CustomLog <%= @real_access_logfile %> combined + ErrorLog <%= @real_error_logfile %> -<%- if enable_public_html -%> +<%- if @enable_public_html -%> #TODO add the rest UserDir public_html <%- else -%> @@ -36,20 +27,27 @@ end </IfModule> <%- end -%> -<%- aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> - Alias <%= key %> <%= aliases[key] %> +<%- @aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> + Alias <%= key %> <%= @aliases[key] %> <%- end -%> - <%= content %> + <%= @content %> -<%- if options.length > 0 -%> - <Directory <%= location %>> - Options <%= options.join(" ") %> +<%- if @options.length > 0 -%> + <Directory <%= @location %>> + Options <%= @options.join(" ") %> </Directory> <%- end -%> +<%- if @enable_location -%> <Location /> - Allow from all + <IfModule mod_authz_core.c> + Require all granted + </IfModule> + <IfModule !mod_authz_core.c> + Allow from all + </IfModule> </Location> +<%- end -%> </VirtualHost> 
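Review bot: when `<%- if @enable_location -%>` is false the vhost emits no `<Location />` block at all, so on httpd 2.4, where the server-wide default for `/` is commonly `Require all denied`, the caller's `$content` must supply its own access directives or every request is refused; that contract is not written down anywhere in this hunk. Add a comment above the conditional, e.g. `# enable_location=false: caller's content must grant access itself`. The `<IfModule mod_authz_core.c>`/`<IfModule !mod_authz_core.c>` pair is the right way to stay 2.2/2.4 compatible, and the same construct in `vhost_simple.conf` later in the diff is fine too.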
diff --git a/modules/apache/templates/vhost_catalyst_app.conf b/modules/apache/templates/vhost_catalyst_app.conf deleted file mode 100644 index eaa652d7..00000000 --- a/modules/apache/templates/vhost_catalyst_app.conf +++ /dev/null @@ -1,5 +0,0 @@ -<%- if location != '' then -%> -Alias /static <%= location %>/root/static -<%- end -%> -Alias / <%= script %>/ -FastCgiServer <%= script %> -processes <%= process %> -idle-timeout 30 diff --git a/modules/apache/templates/vhost_django_app.conf b/modules/apache/templates/vhost_django_app.conf index 3310045e..d85cf7a9 100644 --- a/modules/apache/templates/vhost_django_app.conf +++ b/modules/apache/templates/vhost_django_app.conf @@ -1 +1 @@ -WSGIScriptAlias / /usr/local/lib/wsgi/<%= name %>.wsgi +WSGIScriptAlias / /usr/local/lib/wsgi/<%= @name %>.wsgi diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf new file mode 100644 index 00000000..fefa4a49 --- /dev/null +++ b/modules/apache/templates/vhost_fcgid.conf @@ -0,0 +1,6 @@ +AddHandler fcgid-script .pl +<%- @script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> + ScriptAlias <%= key %> <%= @script_aliases[key] %> +<%- end -%> +FcgidMinProcessesPerClass <%= @process %> +FcgidIdleTimeout 30 diff --git a/modules/apache/templates/vhost_fcgid_norobot.conf b/modules/apache/templates/vhost_fcgid_norobot.conf new file mode 100644 index 00000000..0643cac9 --- /dev/null +++ b/modules/apache/templates/vhost_fcgid_norobot.conf 
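Review bot: `FcgidMinProcessesPerClass <%= @process %>` in the new `vhost_fcgid.conf` only sets the floor; the deleted `FastCgiServer ... -processes <%= process %>` was a fixed pool, and mod_fcgid's per-class ceiling (`FcgidMaxProcessesPerClass`, default 100) is left at its default, so a busy or scraped application can now spawn far more backends than before. Consider emitting `FcgidMaxProcessesPerClass` from the same parameter, or a new one, so the previous sizing is preserved. These six lines are also repeated verbatim at the top of the new `vhost_fcgid_norobot.conf`; including this template from that one (`<%= scope.function_template(["apache/vhost_fcgid.conf"]) %>`, as `vhost_base.conf` does for `vhost_ssl.conf`) avoids the copy.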
@@ -0,0 +1,45 @@
+AddHandler fcgid-script .pl
+<%- @script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%>
+ ScriptAlias <%= key %> <%= @script_aliases[key] %>
+<%- end -%>
+FcgidMinProcessesPerClass <%= @process %>
+FcgidIdleTimeout 30
+
+# These robots were scraping the whole of svnweb in 2024-04, causing severe
+# load, so they are banned. It's not clear whether they obey robots.txt or
+# not (we didn't give them enough of a chance to find out), so we could
+# consider giving them a chance to redeem themselves at some point in the
+# future.
+RewriteEngine on
+RewriteCond %{HTTP_USER_AGENT} ClaudeBot|Amazonbot
+RewriteRule . - [R=403,L]
+
+# Block expensive SVN operations on all common robots ("spider" covers a
+# bunch). "Expensive" is considered to be most operations other than showing a
+# directory or downloading a specific version of a file.
+# Note: eliminating view=log and annotate= doesn't make much difference to the
+# CPU load when robots are hitting the server in real world operation.
+#RewriteCond %{QUERY_STRING} pathrev=|r1=
+# Treat anything other than a plain path as "expensive"
+RewriteCond %{QUERY_STRING} .
+RewriteCond %{HTTP_USER_AGENT} "Googlebot|GoogleOther|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto"
+RewriteRule . - [R=403,L]
+
+# Only let expensive operations through when a cookie is set. If no cookie is
+# set, redirect to a page where it will be set using JavaScript and redirect
+# back. This will block requests from user agents that do not support
+# JavaScript, which includes many robots.
+RewriteMap urlescape prg:/usr/local/bin/urlescape
+#RewriteCond %{QUERY_STRING} pathrev=|r1=
+# Treat anything other than a plain path as "expensive"
+RewriteCond %{QUERY_STRING} .
+RewriteCond %{REQUEST_URI} !/_check
+RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary]
+RewriteRule .
%{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}} [R=302,L] + +# Block abusive spiders by IP address who don't identify themselves in the +# User-Agent: string +RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16' || -R '188.239.0.0/18' || -R '166.108.192.0/18' || -R '124.243.160.0/19' || -R '101.46.0.0/20'" +RewriteRule . - [R=403,L] + +ErrorDocument 403 "<html><body>Impolite robots are not allowed</body></html>" diff --git a/modules/apache/templates/vhost_redirect.conf b/modules/apache/templates/vhost_redirect.conf index 0f256881..c787311e 100644 --- a/modules/apache/templates/vhost_redirect.conf +++ b/modules/apache/templates/vhost_redirect.conf @@ -1,2 +1,2 @@ -Redirect / <%= url %> +Redirect / <%= @url %> diff --git a/modules/apache/templates/vhost_reverse_proxy.conf b/modules/apache/templates/vhost_reverse_proxy.conf index 23dc7545..4859bda3 100644 --- a/modules/apache/templates/vhost_reverse_proxy.conf +++ b/modules/apache/templates/vhost_reverse_proxy.conf @@ -1,3 +1,5 @@ +<%= @content %> + ProxyRequests Off ProxyPreserveHost On @@ -5,9 +7,9 @@ Order deny,allow Allow from all </Proxy> -<%- if url =~ /^https/ -%> +<%- if @url =~ /^https/ -%> SSLProxyEngine On <%- end -%> - ProxyPass / <%= url %> - ProxyPassReverse / <%= url %> + ProxyPass / <%= @url %> + ProxyPassReverse / <%= @url %> diff --git a/modules/apache/templates/vhost_simple.conf b/modules/apache/templates/vhost_simple.conf index ec39b192..77b55287 100644 --- a/modules/apache/templates/vhost_simple.conf +++ b/modules/apache/templates/vhost_simple.conf 
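Review bot: the user-agent pattern in `RewriteCond %{HTTP_USER_AGENT} "Googlebot|...|Presto"` and the CIDR list in `RewriteCond expr "-R '47.76.0.0/14' || ..."` are operational block lists embedded in a template, so every adjustment is a template edit and a full catalog run; lifting them into `apache::var` parameters (arrays rendered with `join`) keeps the policy editable in one place and lets the two `RewriteRule . - [R=403,L]` blocks share a single source. The cookie gate redirects to `/_check`, but nothing in this diff defines that endpoint; a comment naming where it lives (or a TODO if it is still to come) saves the next reader a search. The dated comment 'scraping ... in 2024-04' is good practice, and the IP block should get the same date and reason.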
@@ -1,9 +1,14 @@ <VirtualHost *:80> - ServerName <%= name %> - DocumentRoot <%= location %> + ServerName <%= @name %> + DocumentRoot <%= @location %> <Location /> - Allow from all + <IfModule mod_authz_core.c> + Require all granted + </IfModule> + <IfModule !mod_authz_core.c> + Allow from all + </IfModule> </Location> </VirtualHost> diff --git a/modules/apache/templates/vhost_ssl.conf b/modules/apache/templates/vhost_ssl.conf new file mode 100644 index 00000000..0cb52eca --- /dev/null +++ b/modules/apache/templates/vhost_ssl.conf @@ -0,0 +1,13 @@ + SSLEngine on + SSLProtocol ALL -SSLv2 -SSLv3 + SSLHonorCipherOrder On + SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS + <%- if @wildcard_sslcert == 'true' then -%> + SSLCertificateFile /etc/ssl/wildcard.<%= @domain %>.crt + SSLCertificateKeyFile /etc/ssl/wildcard.<%= @domain %>.key + SSLCACertificateFile /etc/ssl/wildcard.<%= @domain %>.pem + SSLVerifyClient None + <%- else -%> + SSLCertificateFile /etc/ssl/apache/<%= @real_vhost %>.pem + SSLCertificateKeyFile /etc/ssl/apache/<%= @real_vhost %>.pem + <%- end -%> diff --git a/modules/apache/templates/vhost_ssl_redirect.conf b/modules/apache/templates/vhost_ssl_redirect.conf index d13c3093..23a7eabe 100644 --- a/modules/apache/templates/vhost_ssl_redirect.conf +++ b/modules/apache/templates/vhost_ssl_redirect.conf @@ -1 +1 @@ -Redirect / https://<%= name %>/ +Redirect / https://<%= @name %>/ diff --git a/modules/apache/templates/vhost_wsgi.conf b/modules/apache/templates/vhost_wsgi.conf index 34926411..2f1ba585 100644 --- a/modules/apache/templates/vhost_wsgi.conf +++ b/modules/apache/templates/vhost_wsgi.conf @@ -1,3 +1,3 @@ -WSGIScriptAlias / <%= wsgi_path %> +WSGIScriptAlias / <%= @wsgi_path %> diff --git a/modules/auto_installation/manifests/init.pp b/modules/auto_installation/manifests/init.pp index 1c4fbbd1..642cddfd 100644 --- a/modules/auto_installation/manifests/init.pp 
+++ b/modules/auto_installation/manifests/init.pp @@ -1,21 +1,21 @@ # what should be possible : -# install a base system +# install a base system # - mandriva # - mageia # - others ? ( for testing package ? ) -# install a server -# - by name, with a valstart clone +# install a server +# - by name, with a valstar clone class auto_installation { class variables { $pxe_dir = "/var/lib/pxe" # m/ for menu. There is limitation on the path length so # while we will likely not hit the limit, it may be easier - $pxe_menu_dir = "$pxe_dir/pxelinux.cfg/m/" + $pxe_menu_dir = "${pxe_dir}/pxelinux.cfg/m/" } - class download { + class download { import "download.rb" } 
@@ -23,77 +23,77 @@ class auto_installation { package { 'syslinux': } - + file { $pxe_dir: ensure => directory, } - file { "$pxe_dir/pxelinux.0": + file { "${pxe_dir}/pxelinux.0": ensure => "/usr/lib/syslinux/pxelinux.0", } - - file { "$pxe_dir/menu.c32": + + file { "${pxe_dir}/menu.c32": ensure => "/usr/lib/syslinux/menu.c32" } - - file { "$pxe_dir/pxelinux.cfg": + + file { "${pxe_dir}/pxelinux.cfg": ensure => directory, } - # m for menu, there is some limitation on the path lenght so I - # prefer to - file { "$pxe_menu_dir": + # m for menu, there is some limitation on the path length so I + # prefer to + file { "${pxe_menu_dir}": ensure => directory, } # TODO make it tag aware $menu_entries = list_exported_ressources('Auto_installation::Pxe_menu_base') - # default file should have exported ressources - file { "$pxe_dir/pxelinux.cfg/default": - ensure => present, + # default file should have exported resources + file { "${pxe_dir}/pxelinux.cfg/default": + ensure => present, content => template('auto_installation/default'), } - Auto_installation::Pxe_menu_base <<| tag == $fqdn |>> + Auto_installation::Pxe_menu_base <<| tag == $fqdn |>> } define pxe_menu_base($content) { include auto_installation::variables - file { "$auto_installation::variables::pxe_menu_dir/$name": - ensure => present, + file { "${auto_installation::variables::pxe_menu_dir}/${name}": + ensure => present, content => $content, } } define pxe_menu_entry($kernel_path, $append, $label) { - @@auto_installation::pxe_menu_base { $name: - tag => $fqdn, + @@auto_installation::pxe_menu_base { $name: + tag => $fqdn, content => template('auto_installation/menu'), } } - # define pxe_linux_entry + # define pxe_linux_entry # meant to be exported - # name - # label + # name + # label # kernel # append class netinst_storage { - # to ease the creation of test iso + # to ease the creation of test iso $netinst_path = "/var/lib/libvirt/netinst" file { $netinst_path: - ensure => directory, + ensure => directory, 
require => Package[libvirt-utils], } libvirtd::storage { "netinst": - path => $netinst_path, + path => $netinst_path, require => File[$netinst_path], } } define download_file($destination_path, $download_url) { - exec { "wget -q -O $destination_path/$name $download_url/$name": - creates => "$destination_path/$name", + exec { "wget -q -O ${destination_path}/${name} ${download_url}/${name}": + creates => "${destination_path}/${name}", } } 
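Review bot: `download_file`'s exec still runs an unqualified `wget` with no `path` attribute, which Puppet rejects unless an `Exec` default `path` is set elsewhere in the module; qualify it, e.g. `exec { "/usr/bin/wget -q -O ${destination_path}/${name} ${download_url}/${name}":`. The fetched `all.rdz`/`vmlinuz` are afterwards served to PXE clients, and nothing in this define verifies them — a `creates`-guarded download over plain FTP/HTTP (see the `$protocol`/`$server` hunk below) has no integrity check, so a digest comparison (an `exec` guarded by `unless` against a known checksum) before the files are exposed through the menu would be a sensible addition. The enclosing `class auto_installation` begins outside this hunk.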
@@ -103,36 +103,36 @@ class auto_installation { $server = "ftp.free.fr" $mirror_url_base = "/pub/Distributions_Linux/MandrivaLinux/" $mirror_url_middle = $version ? { - "cooker" => "devel/cooker/$arch/", - default => "official/$version/$arch/" + "cooker" => "devel/cooker/${arch}/", + default => "official/${version}/${arch}/" } - $mirror_url = "$mirror_url_base/$mirror_url_middle" + $mirror_url = "${mirror_url_base}/${mirror_url_middle}" $mirror_url_end = "isolinux/alt0" - $destination_path = "$netinst_storage::netinst_path/$name" + $destination_path = "${netinst_storage::netinst_path}/${name}" - file { "$destination_path": + file { "${destination_path}": ensure => directory, } - $download_url = "$protocol\\://$server/$mirror_url/$mirror_url_end" - + $download_url = "${protocol}\\://${server}/${mirror_url}/${mirror_url_end}" + download_file { ['all.rdz','vmlinuz']: destination_path => $destination_path, - download_url => $download_url, - require => File[$destination_path], + download_url => $download_url, + require => File[$destination_path], } - pxe_menu_entry { "mandriva_$version_$arch": - kernel_path => "$name/vmlinuz", - label => "Mandriva $version $arch", + pxe_menu_entry { "mandriva_${version}_${arch}": + kernel_path => "${name}/vmlinuz", + label => "Mandriva ${version} ${arch}", #TODO add autoinst.cfg - append => "$name/all.rdz useless_thing_accepted=1 lang=fr automatic=int:eth0,netw:dhcp,met:$protocol,ser:$server,dir:$mirror_url ", - } + append => "${name}/all.rdz useless_thing_accepted=1 lang=fr automatic=int:eth0,netw:dhcp,met:${protocol},ser:${server},dir:${mirror_url} ", + } } - # + # # define a template for autoinst # - basic installation # - server installation ( with server name as a parameter ) diff --git a/modules/auto_installation/templates/default b/modules/auto_installation/templates/default index f8b8e82b..a9ea8de3 100644 --- a/modules/auto_installation/templates/default +++ b/modules/auto_installation/templates/default 
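Review bot: `$download_url = "${protocol}\\://${server}/..."` keeps the `\\` escape, which in a Puppet double-quoted string yields a literal backslash, so the URL handed to `wget` would presumably read `ftp\://ftp.free.fr/...`; unless this was a workaround for an old parser quirk, it should be `$download_url = "${protocol}://${server}/${mirror_url}/${mirror_url_end}"`. `$mirror_url` also joins `$mirror_url_base` (which already ends in `/`) with another `/`, producing `//` in the path — tolerated by most servers but worth tidying while the interpolation is being cleaned up.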
@@ -13,5 +13,3 @@ LABEL local <% for m in menu_entries %> INCLUDE pxelinux.cfg/m/<%= m %> <% end %> - - diff --git a/modules/auto_installation/templates/menu b/modules/auto_installation/templates/menu index b7f6c910..3d0ce6fa 100644 --- a/modules/auto_installation/templates/menu +++ b/modules/auto_installation/templates/menu @@ -2,4 +2,4 @@ LABEL <%= name %> MENU DEFAULT MENU LABEL Install <%= label %> kernel <%= kernel_path %> - append <%= append %> + append <%= append %> diff --git a/modules/bcd/manifests/base.pp b/modules/bcd/manifests/base.pp index 8bee2907..d515f3e1 100644 --- a/modules/bcd/manifests/base.pp +++ b/modules/bcd/manifests/base.pp @@ -1,6 +1,6 @@ class bcd::base { include sudo - include bcd + include bcd group { $bcd::login: } diff --git a/modules/bcd/manifests/init.pp b/modules/bcd/manifests/init.pp index 81f0ef1c..1ff57144 100644 --- a/modules/bcd/manifests/init.pp +++ b/modules/bcd/manifests/init.pp @@ -1,5 +1,5 @@ class bcd { $login = 'bcd' $home = '/home/bcd' - $public_isos = "$home/public_html/isos" + $public_isos = "${home}/public_html/isos" } diff --git a/modules/bcd/manifests/rsync.pp b/modules/bcd/manifests/rsync.pp index 7b772b24..0a9ccc34 100644 --- a/modules/bcd/manifests/rsync.pp +++ b/modules/bcd/manifests/rsync.pp @@ -1,7 +1,7 @@ class bcd::rsync { include bcd::base $public_isos = $bcd::public_isos - class { rsyncd: - rsyncd_conf => 'bcd/rsyncd.conf', - } + class { 'rsyncd': + rsyncd_conf => 'bcd/rsyncd.conf', + } } diff --git a/modules/bcd/manifests/web.pp b/modules/bcd/manifests/web.pp index abfa5647..d670cf5d 100644 --- a/modules/bcd/manifests/web.pp +++ b/modules/bcd/manifests/web.pp 
@@ -1,15 +1,9 @@ class bcd::web { include bcd::base - $location = "$bcd::home/public_html" + $location = "${bcd::home}/public_html" - apache::vhost::base { "bcd.$::domain": + apache::vhost::base { "bcd.${::domain}": location => $location, content => template('bcd/vhost_bcd.conf'), } - - # not sure if that's useful, since the file is public and trivially - # bruteforced - file { "$bcd::home/htpasswd": - content => template('bcd/htpasswd') - } } diff --git a/modules/bcd/templates/htpasswd b/modules/bcd/templates/htpasswd deleted file mode 100644 index 457a13a7..00000000 --- a/modules/bcd/templates/htpasswd +++ /dev/null @@ -1,2 +0,0 @@ -valstar:42Mx5EawIqVTY - diff --git a/modules/bcd/templates/rsyncd.conf b/modules/bcd/templates/rsyncd.conf index 26197765..75c7d335 100644 --- a/modules/bcd/templates/rsyncd.conf +++ b/modules/bcd/templates/rsyncd.conf @@ -4,7 +4,7 @@ uid = nobody gid = nogroup [isos] - path = <%= public_isos %> + path = <%= scope.lookupvar("bcd::public_isos") %> comment = Mageia ISOs exclude = .htaccess .htpasswd read only = yes diff --git a/modules/bcd/templates/sudoers.bcd b/modules/bcd/templates/sudoers.bcd index b768f653..c462bffd 100644 --- a/modules/bcd/templates/sudoers.bcd +++ b/modules/bcd/templates/sudoers.bcd @@ -3,6 +3,8 @@ /usr/sbin/urpmi, \ /usr/sbin/urpmi.addmedia, \ /usr/sbin/urpmi.removemedia, \ +/usr/sbin/urpmi.update, \ +/usr/bin/urpmq, \ /bin/rm -%<%= isomakers_group %> ALL=(<%= scope.lookupvar('bcd::login') %>) SETENV: NOPASSWD: ALL +%<%= @isomakers_group %> ALL=(<%= scope.lookupvar('bcd::login') %>) SETENV: NOPASSWD: ALL diff --git a/modules/bcd/templates/vhost_bcd.conf b/modules/bcd/templates/vhost_bcd.conf index 536b09d5..c89955e2 100644 --- a/modules/bcd/templates/vhost_bcd.conf +++ b/modules/bcd/templates/vhost_bcd.conf 
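Review bot: bcd/web.pp stops managing `${bcd::home}/htpasswd`, but the template in the bcd/templates/vhost_bcd.conf hunk still sets `AuthUserFile <%= scope.lookupvar('bcd::home') %>/htpasswd` with `require valid-user`, so on a host where that file is absent Apache fails every request to the directory with a 500 rather than serving it; either point `AuthUserFile` at a file that is provisioned out of band (and document that), or drop the auth block together with the resource. The credential that lived in the deleted template remains recoverable from repository history, so it should be treated as exposed and rotated. If the intent was to make the ISO tree public, the `.htaccess .htpasswd` rsync excludes and the 403 `ErrorDocument` text become dead configuration as well.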
@@ -1,8 +1,8 @@ -<Directory <%= location %>> +<Directory <%= @location %>> AuthUserFile <%= scope.lookupvar('bcd::home') %>/htpasswd AuthGroupFile /dev/null AuthName "QA test isos, restricted access" - ErrorDocument 403 "For the password, please contact the QA team ( http://wiki.<%= domain %>/en/QA_Team )" + ErrorDocument 403 "For the password, please contact the QA team ( https://wiki.<%= @domain %>/en/QA_Team )" AuthType Basic require valid-user diff --git a/modules/bind/manifests/master.pp b/modules/bind/manifests/master.pp index c5ea1ccc..a82d4757 100644 --- a/modules/bind/manifests/master.pp +++ b/modules/bind/manifests/master.pp @@ -2,6 +2,15 @@ class bind::master inherits bind { Tld_redirections::Domain <<| |>> $managed_tlds = list_exported_ressources('Tld_redirections::Domain') + + file { "/var/lib/named/var/named/master": + ensure => directory + } + + file { "/var/lib/named/var/named/reverse": + ensure => directory + } + File['/var/lib/named/etc/named.conf'] { content => template('bind/named_base.conf', 'bind/named_master.conf'), } diff --git a/modules/bind/manifests/zone.pp b/modules/bind/manifests/zone.pp index 24367206..17f2075e 100644 --- a/modules/bind/manifests/zone.pp +++ b/modules/bind/manifests/zone.pp @@ -1,10 +1,11 @@ define bind::zone($type, $content = false) { if ! $content { - $zone_content = template("bind/zones/$name.zone") + $zone_content = template("bind/zones/${name}.zone") } else { $zone_content = $content } - file { "/var/lib/named/var/named/$type/$name.zone": + + file { "/var/named/${type}/${name}.zone": content => $zone_content, require => Package['bind'], notify => Exec['named_reload'] diff --git a/modules/bind/templates/named_base.conf b/modules/bind/templates/named_base.conf index c066f16a..5adba9f3 100644 --- a/modules/bind/templates/named_base.conf +++ b/modules/bind/templates/named_base.conf 
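Review bot: bind/master.pp now creates `/var/lib/named/var/named/master` and `.../reverse`, while the bind/zone.pp hunk in the same commit writes zone files to `/var/named/${type}/${name}.zone`; unless `/var/named` is a symlink into the chroot on these hosts, the directories are created in one tree and the zones land in another. Point both at one base (a single `$zone_dir` in class bind would stop the drift) and give the zone file `require => File["<zone-base>/${type}"]` so the directory is guaranteed before the file. The two new `file` resources also lack the `require => Package['bind']` that zone.pp carries, so they may be created before the package sets ownership on the parent directory.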
@@ -32,7 +32,6 @@ options { version ""; directory "/var/named"; dump-file "/var/tmp/named_dump.db"; - pid-file "/var/run/named.pid"; statistics-file "/var/tmp/named.stats"; zone-statistics yes; // datasize 256M; @@ -101,37 +100,31 @@ zone "." IN { zone "localdomain" IN { type master; - file "master/localdomain.zone"; + file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; - file "master/localhost.zone"; + file "named.localhost"; allow-update { none; }; }; -zone "0.0.127.in-addr.arpa" IN { +zone "1.0.0.127.in-addr.arpa" IN { type master; - file "reverse/named.local"; + file "named.loopback"; allow-update { none; }; }; -zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { +zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; - file "reverse/named.ip6.local"; - allow-update { none; }; -}; - -zone "255.in-addr.arpa" IN { - type master; - file "reverse/named.broadcast"; + file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; - file "reverse/named.zero"; + file "named.empty"; allow-update { none; }; }; diff --git a/modules/bind/templates/named_slave.conf b/modules/bind/templates/named_slave.conf index feae30ef..b59db37f 100644 --- a/modules/bind/templates/named_slave.conf +++ b/modules/bind/templates/named_slave.conf @@ -1,7 +1,7 @@ zone "mageia.org" IN { type slave; file "slave/mageia.org"; - allow-update { 212.85.158.146; }; + allow-update { 212.85.158.151; }; }; <% @@ -11,7 +11,7 @@ for tld in managed_tlds zone "mageia.<%= tld %>" IN { type master; file "master/mageia.<= tld %>"; - allow-update { 212.85.158.146; }; + allow-update { 212.85.158.151; }; }; <% 
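Review bot: the context line `file "master/mageia.<= tld %>";` in the `for tld in managed_tlds` hunk of named_slave.conf has a malformed ERB tag (missing `%`), so the rendered config names the file literally `master/mageia.<= tld %>` for every TLD; it should read `file "master/mageia.<%= tld %>";`. Separately, `allow-update` restricted to a single source address is unauthenticated — address-based ACLs offer no protection against a spoofed source — and on `type slave` zones `allow-update` is not the applicable option (updates reaching a secondary are governed by `allow-update-forwarding`); a TSIG key referenced via `key` in the ACL is the usual defensive replacement, applied consistently across the four `allow-update` hunks in this file.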
@@ -21,11 +21,11 @@ end zone "7.0.0.0.2.0.0.0.8.7.1.2.2.0.a.2.ip6.arpa" IN { type slave; file "slave/7.0.0.0.2.0.0.0.8.7.1.2.2.0.a.2.ip6.arpa.zone"; - allow-update { 212.85.158.146; }; + allow-update { 212.85.158.151; }; }; zone "2.1.0.0.0.0.0.1.b.0.e.0.1.0.a.2.ip6.arpa" IN { type slave; file "slave/2.1.0.0.0.0.0.1.b.0.e.0.1.0.a.2.ip6.arpa.zone"; - allow-update { 212.85.158.146; }; + allow-update { 212.85.158.151; }; }; diff --git a/modules/blog/manifests/init.pp b/modules/blog/manifests/init.pp index 585b5c16..c89a8168 100644 --- a/modules/blog/manifests/init.pp +++ b/modules/blog/manifests/init.pp @@ -1,9 +1,11 @@ class blog { class base { - $blog_domain = "blog.$::domain" - $blog_location = "/var/www/vhosts/$blog_domain" - $blog_db_backupdir = "/var/lib/backups/blog_db" - $blog_files_backupdir = "/var/lib/backups/blog_files" + $blog_domain = "blog.${::domain}" + $blog_location = "/var/www/vhosts/${blog_domain}" + $blog_db_backupdir = '/var/lib/backups/blog_db' + $blog_files_backupdir = '/var/lib/backups/blog_files' + $blog_newpost_email_to = "i18n-reports@ml.${::domain}" + $blog_newpost_email_from = "Mageia Blog bot <blog@${::domain}>" user { 'blog': groups => apache, @@ -11,13 +13,21 @@ class blog { home => '/var/lib/blog', } } - + class files_bots inherits base { - package { ['php-mysql', +if versioncmp($::lsbdistrelease, '9') < 0 { + package { ['php-mysqlnd', + 'php-ldap', + 'unzip', + 'nail']: } +} else { + package { ['php-mysqlnd', 'php-ldap', - 'unzip']: } + 'unzip', + 's-nail']: } +} - mga-common::local_script { 'check_new-blog-post.sh': + mga_common::local_script { 'check_new-blog-post.sh': content => template('blog/check_new-blog-post.sh'), } 
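Review bot: the new `if versioncmp($::lsbdistrelease, '9') < 0 { … } else { … }` block inside `class files_bots inherits base` is written flush-left while the surrounding resources are indented one level, so the class body reads as if the conditional were at top level; indent it and the two `package` declarations to match. The branches differ only in `nail` versus `s-nail`, so a selector on the mailer name, `$mailer = versioncmp($::lsbdistrelease, '9') < 0 ? { true => 'nail', default => 's-nail' }`, followed by a single `package { ['php-mysqlnd', 'php-ldap', 'unzip', $mailer]: }`, would say the same thing without duplicating the list.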
@@ -25,27 +35,27 @@ class blog { user => 'blog', minute => '*/15', command => '/usr/local/bin/check_new-blog-post.sh', - require => Local_script['check_new-blog-post.sh'], + require => Mga_common::Local_script['check_new-blog-post.sh'], } include apache::mod::php - apache::vhost::base { "$blog_domain": + apache::vhost::base { "${blog_domain}": location => $blog_location, - content => template('blog/blogs_vhosts.conf'), + content => template('blog/blogs_vhosts.conf'), } - apache::vhost::base { "ssl_$blog_domain": - use_ssl => true, - vhost => $blog_domain, + apache::vhost::base { "ssl_${blog_domain}": + use_ssl => true, + vhost => $blog_domain, location => $blog_location, - content => template('blog/blogs_vhosts.conf'), + content => template('blog/blogs_vhosts.conf'), } file { $blog_location: - ensure => directory, - owner => apache, - group => apache, + ensure => directory, + owner => apache, + group => apache, } } @@ -54,7 +64,7 @@ class blog { ensure => directory, } - mga-common::local_script { 'backup_blog-db.sh': + mga_common::local_script { 'backup_blog-db.sh': content => template('blog/backup_blog-db.sh'), } @@ -63,7 +73,7 @@ class blog { hour => '23', minute => '42', command => '/usr/local/bin/backup_blog-db.sh', - require => Local_script['backup_blog-db.sh'], + require => Mga_common::Local_script['backup_blog-db.sh'], } } @@ -72,7 +82,7 @@ class blog { ensure => directory, } - mga-common::local_script { 'backup_blog-files.sh': + mga_common::local_script { 'backup_blog-files.sh': content => template('blog/backup_blog-files.sh'), } @@ -81,7 +91,7 @@ class blog { hour => '23', minute => '42', command => '/usr/local/bin/backup_blog-files.sh', - require => Local_script['backup_blog-files.sh'], + require => Mga_common::Local_script['backup_blog-files.sh'], } } } diff --git a/modules/blog/templates/backup_blog-files.sh b/modules/blog/templates/backup_blog-files.sh index 3d66caa0..e268ad2b 100755 --- a/modules/blog/templates/backup_blog-files.sh 
+++ b/modules/blog/templates/backup_blog-files.sh @@ -1,17 +1,18 @@ -#!/bin/sh +#!/bin/bash # Initialization PATH_TO_FILE=${PATH_TO_FILE:-<%= blog_files_backupdir %>} [ ! -f $PATH_TO_FILE/count ] && echo 0 > $PATH_TO_FILE/count COUNT=$(cat "$PATH_TO_FILE/count") # Backup each locale -for locale in de el en es fr it nl pl pt ro ru tr uk +for locale in de el en es fr it nl pl pt ro ru sv tr uk do if [ ! -d $PATH_TO_FILE/$locale ] then /bin/mkdir $PATH_TO_FILE/$locale fi - tar Jcf $PATH_TO_FILE/$locale/$locale-$COUNT.tar.xz <%= blog_location %>/$locale + # use relative paths to avoid "Removing leading `/' from member names'" warning + tar -C / -Jcf "$PATH_TO_FILE/$locale/$locale-$COUNT.tar.xz" "$(sed s,^/,, <<< "<%= blog_location %>/$locale")" done # Check count file to have a week of backup in the directory if [ $COUNT -ne 6 ] diff --git a/modules/blog/templates/blogs_vhosts.conf b/modules/blog/templates/blogs_vhosts.conf index 48b6d9ad..ff3c792f 100644 --- a/modules/blog/templates/blogs_vhosts.conf +++ b/modules/blog/templates/blogs_vhosts.conf @@ -2,7 +2,7 @@ Order deny,allow Allow from All AllowOverride All - Options FollowSymlinks + Options FollowSymlinks Options +Indexes </Directory> # Add a permanent redirection for 'pt' as it was 'pt-br' before diff --git a/modules/blog/templates/check_new-blog-post.sh b/modules/blog/templates/check_new-blog-post.sh index da142fd0..f2089a52 100755 --- a/modules/blog/templates/check_new-blog-post.sh +++ b/modules/blog/templates/check_new-blog-post.sh 
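Review bot: the rewritten `tar` line quotes its paths, but the lines around it in the same loop (`[ ! -f $PATH_TO_FILE/count ]`, `[ ! -d $PATH_TO_FILE/$locale ]`, `/bin/mkdir $PATH_TO_FILE/$locale`) still expand `$PATH_TO_FILE` unquoted, and since the value can be overridden from the environment they should be quoted too. Now that the shebang is bash, the `sed s,^/,,` subshell can be a parameter expansion: `src="<%= blog_location %>/$locale"` followed by `tar -C / -Jcf "$PATH_TO_FILE/$locale/$locale-$COUNT.tar.xz" "${src#/}"`. The `tar` exit status is not checked, so a failed archive still reaches the counter update below the hunk.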
@@ -2,14 +2,15 @@ # Initialization PATH_TO_FILE=${PATH_TO_FILE:-/var/lib/blog} -/usr/bin/wget -qO $PATH_TO_FILE"/last_tmp" http://blog.mageia.org/en/?feed=rss2 -if [ $? -ne 0 ] +/usr/bin/wget -qO $PATH_TO_FILE"/last_tmp" https://blog.mageia.org/en/?feed=rss2 +if [ $? -ne 0 ] then - exit 2 + exit 2 fi last_title=$(grep "title" $PATH_TO_FILE"/last_tmp" | head -n 2 | sed '1d' | sed 's/<title>//' | sed 's/<\/title>//' | sed 's/^[ \t]*//') last_pub=$(grep "pubDate" $PATH_TO_FILE"/last_tmp" | head -n 1 | sed 's/<pubDate>//' | sed 's/<\/pubDate>//' | sed 's/^[ \t]*//') -echo -e "$last_title\n$last_pub" > $PATH_TO_FILE"/last_tmp" +last_creator=$(grep "creator" $PATH_TO_FILE"/last_tmp" | head -n 1 | sed 's/<dc:creator>//' | sed 's/<\/dc:creator>//' | sed 's/^[ \t]*//') +echo -e "$last_title\n$last_pub\n$last_creator" > $PATH_TO_FILE"/last_tmp" # Check if 'last_entry' exists if [ ! -f $PATH_TO_FILE"/last_entry" ] 
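Review bot: the `wget -qO … https://blog.mageia.org/en/?feed=rss2` fetch has no timeout, and this script is run from cron every 15 minutes, so a stalled connection lets invocations pile up; add `--timeout=30 --tries=2` (wget's defaults are a 900-second read timeout and up to 20 retries). `$PATH_TO_FILE"/last_tmp"` and its siblings leave the variable outside the quotes; `"$PATH_TO_FILE/last_tmp"` is the intended form. The new `grep "creator" | head -n 1 | sed …` extraction, like the existing title/pubDate lines, takes the first line containing the word anywhere in the feed, so a post body mentioning `creator` would be picked up — an XML-aware extraction such as `xmllint --xpath` would be more robust, though that weakness predates this change.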
@@ -22,32 +23,28 @@ fi /bin/date +"%d:%m:%Y %H:%M" > $PATH_TO_FILE"/last_check" # Check if a new blog post on EN needs to be translated on other blogs -tmp_new=$(cat $PATH_TO_FILE"/last_tmp" | sed '1d') -tmp_old=$(cat $PATH_TO_FILE"/last_entry" | sed '1d') +tmp_new=$(cat $PATH_TO_FILE"/last_tmp" | sed -n '1p') +tmp_old=$(cat $PATH_TO_FILE"/last_entry" | sed -n '1p') if [ "$tmp_old" = "$tmp_new" ] then # Nothing new - echo "NO" >> $PATH_TO_FILE"/last_check" - else - tmp_new=$(cat $PATH_TO_FILE"/last_tmp" | sed '2d') - tmp_old=$(cat $PATH_TO_FILE"/last_entry" | sed '2d') - if [ "$tmp_old" = "$tmp_new" ] + tmp_new=$(cat $PATH_TO_FILE"/last_tmp" | sed -n '2p') + tmp_old=$(cat $PATH_TO_FILE"/last_entry" | sed -n '2p') + if [ "$tmp_old" != "$tmp_new" ] then - # Modification on last post - cat $PATH_TO_FILE"/last_check" > $PATH_TO_FILE"/last_need_translation" - echo $tmp_new >> $PATH_TO_FILE"/last_need_translation" + # Modification on latest post echo "YES - Modification" >> $PATH_TO_FILE"/last_check" - echo -e "Info: the last blog post had been modified and need to be checked.\nTitle: \"$tmp_new\"\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -s "Modification of the last entry on English Blog" mageia-blogteam@<%= domain %> + echo -e "The latest blog post has been modified and needs to be checked!\n\nTitle:\t$last_title\nAuthor:\t$last_creator\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -r '<%= blog_newpost_email_from %>' -s "Modification of the latest entry on English Blog" <%= blog_newpost_email_to %> echo $DATE else - # New post to translate - cat $PATH_TO_FILE"/last_check" > $PATH_TO_FILE"/last_need_translation" - echo $tmp_new >> $PATH_TO_FILE"/last_need_translation" - echo "YES - New entry" >> $PATH_TO_FILE"/last_check" - echo -e "Info: a new blog post is waiting for translation.\nTitle: \"$tmp_new\"\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -s "New entry on English Blog" mageia-blogteam@<%= domain %> - echo 
$DATE - fi - fi + echo "NO" >> $PATH_TO_FILE"/last_check" + fi + else + # New post to translate + echo "YES - New entry" >> $PATH_TO_FILE"/last_check" + echo -e "A new blog post is waiting for translation:\n\nTitle:\t$last_title\nAuthor:\t$last_creator\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -r '<%= blog_newpost_email_from %>' -s "New entry on English Blog" <%= blog_newpost_email_to %> + echo $DATE +fi # Clean tmp files and copy RSS_new to RSS_old /bin/mv -f $PATH_TO_FILE"/last_tmp" $PATH_TO_FILE"/last_entry" diff --git a/modules/bugzilla-dev/manifests/init.pp b/modules/bugzilla-dev/manifests/init.pp new file mode 100755 index 00000000..c6623872 --- /dev/null +++ b/modules/bugzilla-dev/manifests/init.pp 
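Review bot: both mail bodies are built with `echo -e "…Title:\t$last_title\nAuthor:\t$last_creator…"`, so backslash sequences inside the feed-supplied title or author name are interpreted as escapes; `printf 'Title:\t%s\nAuthor:\t%s\n' "$last_title" "$last_creator"` keeps the content literal. `echo $DATE` is emitted on both branches but no assignment to `DATE` appears in the shown hunks — if it is not set near the top of the script (outside this hunk) it only prints a blank line. The restructured comparison itself reads correctly: same title and same date → `NO`, same title with a new date → modification, different title → new entry.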
@@ -0,0 +1,81 @@ +class bugzilla-dev { + + $bugzilla_dev_location = '/usr/share/bugzilla/' + + package {['graphviz', + 'perl-Template-GD', # needed for graphical_report support + 'perl-Test-Taint', + 'perl-JSON-RPC', + 'perl-Email-MIME', + 'perl-Email-Sender', + 'Math-Random-ISAAC', + 'perl-Chart', + 'perl-PatchReader', + 'perl-ldap', + 'perl-SOAP-Lite', + 'perl-XMLRPC-Lite', + 'perl-CGI']: } + + $pgsql_password = extlookup('bugzilla_pgsql','x') + $ldap_password = extlookup('bugzilla_ldap','x') + + postgresql::remote_db_and_user { 'bugs': + description => 'Bugzilla database', + password => $pgsql_password, + } + + file { '/usr/share/bugzilla/localconfig': + group => 'apache', + mode => '0640', + content => template('bugzilla-dev/localconfig') + } + + + file { '/usr/share/bugzilla/data/params.json': + group => 'apache', + mode => '0640', + content => template('bugzilla-dev/params.json') + } + + apache::webapp_other { 'bugzilla-dev': + webapp_file => 'bugzilla-dev/webapp_bugzilla.conf', + } + + $bugs_vhost = "bugs-dev.${::domain}" + $vhost_root = '/usr/share/bugzilla' + + apache::vhost::redirect_ssl { $bugs_vhost: } + + apache::vhost::base { $bugs_vhost: + content => template('bugzilla-dev/vhost.conf'), + aliases => { '/bugzilla/' => $vhost_root }, + use_ssl => true, + location => $vhost_root, + vhost => $bugs_vhost, + } + + git::snapshot { $bugzilla_dev_location: + source => "git://git.${::domain}/web/bugs" + } + + file { 'Mageia': + ensure => directory, + path => '/usr/share/bugzilla', + group => 'apache', + recurse => true, + require => Git::Snapshot[$bugzilla_dev_location], + } + + file { '/usr/share/bugzilla/robots.txt': + group => 'apache', + mode => '0640', + content => template('bugzilla-dev/robots.txt') + } + + cron { 'collectstats': + command => '/usr/share/bugzilla/bin/collectstats.pl', + user => 'apache', + hour => 2, + minute => 30, + } +} 
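Review bot: the package list in `class bugzilla-dev` contains `'Math-Random-ISAAC'` without the `perl-` prefix, while the matching list in the bugzilla/manifests/init.pp hunk below uses `'perl-Math-Random-ISAAC'`; unless an unprefixed package exists in the repository this resource will never apply. `bugzilla-dev` is not a valid class name for newer Puppet parsers (hyphens are rejected, which is why this same commit renames `mga-common` to `mga_common`), so `bugzilla_dev` with the template paths adjusted would be consistent. `git::snapshot { … source => "git://git.${::domain}/web/bugs" }` deploys the web root over the unauthenticated `git://` transport, which gives no transport integrity for code that will then run as CGI under Apache; an `https://` or SSH source with a pinned host key is the defensive choice. The `localconfig` and `params.json` file resources also carry no `require` on the snapshot, so on a first run they may be written before the checkout exists — whether the `git::snapshot` define tolerates a non-empty target is not visible here.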
diff --git a/modules/bugzilla-dev/templates/localconfig b/modules/bugzilla-dev/templates/localconfig
new file mode 100755
index 00000000..2b7d6035
--- /dev/null
+++ b/modules/bugzilla-dev/templates/localconfig
@@ -0,0 +1,121 @@ +# If you are using Apache as your web server, Bugzilla can create .htaccess +# files for you, which will keep this file (localconfig) and other +# confidential files from being read over the web. +# +# If this is set to 1, checksetup.pl will create .htaccess files if +# they don't exist. +# +# If this is set to 0, checksetup.pl will not create .htaccess files. +$create_htaccess = 0; + +# The name of the group that your web server runs as. On Red Hat +# distributions, this is usually "apache". On Debian/Ubuntu, it is +# usually "www-data". +# +# If you have use_suexec turned on below, then this is instead the name +# of the group that your web server switches to to run cgi files. +# +# If this is a Windows machine, ignore this setting, as it does nothing. +# +# If you do not have access to the group your scripts will run under, +# set this to "". If you do set this to "", then your Bugzilla installation +# will be _VERY_ insecure, because some files will be world readable/writable, +# and so anyone who can get local access to your machine can do whatever they +# want. You should only have this set to "" if this is a testing installation +# and you cannot set this up any other way. YOU HAVE BEEN WARNED! +# +# If you set this to anything other than "", you will need to run checksetup.pl +# as root or as a user who is a member of the specified group. +$webservergroup = 'apache'; + +# Set this to 1 if Bugzilla runs in an Apache SuexecUserGroup environment. +# +# If your web server runs control panel software (cPanel, Plesk or similar), +# or if your Bugzilla is to run in a shared hosting environment, then you are +# almost certainly in an Apache SuexecUserGroup environment. +# +# If this is a Windows box, ignore this setting, as it does nothing. +# +# If set to 0, checksetup.pl will set file permissions appropriately for +# a normal webserver environment. 
+# +# If set to 1, checksetup.pl will set file permissions so that Bugzilla +# works in a SuexecUserGroup environment. +$use_suexec = 0; + +# What SQL database to use. Default is mysql. List of supported databases +# can be obtained by listing Bugzilla/DB directory - every module corresponds +# to one supported database and the name of the module (before ".pm") +# corresponds to a valid value for this variable. +$db_driver = 'pg'; + +# The DNS name or IP address of the host that the database server runs on. +$db_host = 'pg.mageia.org'; + +# The name of the database. For Oracle, this is the database's SID. For +# SQLite, this is a name (or path) for the DB file. +$db_name = 'bugs'; + +# Who we connect to the database as. +$db_user = 'bugs'; + +# Enter your database password here. It's normally advisable to specify +# a password for your bugzilla database user. +# If you use apostrophe (') or a backslash (\) in your password, you'll +# need to escape it by preceding it with a '\' character. (\') or (\) +# (It is far simpler to just not use those characters.) +$db_pass = '<%= pgsql_password %>'; + +# Sometimes the database server is running on a non-standard port. If that's +# the case for your database server, set this to the port number that your +# database server is running on. Setting this to 0 means "use the default +# port for my database server." +$db_port = 0; + +# MySQL Only: Enter a path to the unix socket for MySQL. If this is +# blank, then MySQL's compiled-in default will be used. You probably +# want that. +$db_sock = ''; + +# Should checksetup.pl try to verify that your database setup is correct? +# With some combinations of database servers/Perl modules/moonphase this +# doesn't work, and so you can try setting this to 0 to make checksetup.pl +# run. +$db_check = 1; + +# Path to a PEM file with a list of trusted SSL CA certificates. +# The file must be readable by web server user. 
+$db_mysql_ssl_ca_file = ''; + +# Path to a directory containing trusted SSL CA certificates in PEM format. +# Directory and files inside must be readable by the web server user. +$db_mysql_ssl_ca_path = ''; + +# Full path to the client SSL certificate in PEM format we will present to the DB server. +# The file must be readable by web server user. +$db_mysql_ssl_client_cert = ''; + +# Full path to the private key corresponding to the client SSL certificate. +# The file must not be password-protected and must be readable by web server user. +$db_mysql_ssl_client_key = ''; + +# Most web servers will allow you to use index.cgi as a directory +# index, and many come preconfigured that way, but if yours doesn't +# then you'll need an index.html file that provides redirection +# to index.cgi. Setting $index_html to 1 below will allow +# checksetup.pl to create an index.html for you if it doesn't exist. +# NOTE: checksetup.pl will not replace an existing file, so if you +# wish to have checksetup.pl create one for you, you must +# make sure that index.html doesn't already exist. +$index_html = 0; + +# If you want to use the "Difference Between Two Patches" feature of the +# Patch Viewer, please specify the full path to the "interdiff" executable +# here. +$interdiffbin = '/usr/bin/interdiff'; + +# For the "Difference Between Two Patches" feature to work, we need to know +# what directory the "diff" bin is in. (You only need to set this if you +# are using that feature of the Patch Viewer.) +$diffpath = '/usr/bin'; + diff --git a/modules/bugzilla-dev/templates/params.json b/modules/bugzilla-dev/templates/params.json new file mode 100644 index 00000000..b51b4c00 --- /dev/null +++ b/modules/bugzilla-dev/templates/params.json 
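Review bot: `$db_pass = '<%= pgsql_password %>';` inserts the secret unescaped even though the comment directly above it states that `'` and `\` must be backslash-escaped, so a password containing either character produces a syntactically broken localconfig at the next `checksetup.pl` run instead of a clean deploy error; escape it in the template, e.g. `$db_pass = '<%= pgsql_password.gsub(/['\\]/) { |c| "\\" + c } %>';`, and apply the same to the bugzilla/templates/localconfig counterpart if it shares the line. `$create_htaccess = 0` together with `$webservergroup = 'apache'` means Bugzilla will not generate the `.htaccess` rules that block web access to `localconfig` and `data/`; that is only acceptable if the Apache configuration denies them explicitly, which the webapp_bugzilla.conf hunk further down currently does not.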
@@ -0,0 +1,104 @@ +{ + "LDAPBaseDN" : "ou=People,<%= dc_suffix %>", + "LDAPbinddn" : "cn=bugzilla-alamut,ou=System Accounts,<%= dc_suffix %>:<%= ldap_password %>", + "LDAPfilter" : "", + "LDAPmailattribute" : "mail", + "LDAPserver" : "ldap.<%= domain %>", + "LDAPstarttls" : "1", + "LDAPuidattribute" : "uid", + "RADIUS_NAS_IP" : "", + "RADIUS_email_suffix" : "", + "RADIUS_secret" : "", + "RADIUS_server" : "", + "ajax_user_autocompletion" : "1", + "allow_attachment_deletion" : "0", + "allow_attachment_display" : "1", + "allowbugdeletion" : "0", + "allowemailchange" : "0", + "allowuserdeletion" : "0", + "announcehtml" : "", + "attachment_base" : "", + "auth_env_email" : "", + "auth_env_id" : "", + "auth_env_realname" : "", + "chartgroup" : "editbugs", + "collapsed_comment_tags" : "obsolete, spam", + "comment_taggers_group" : "editbugs", + "commentonchange_resolution" : "1", + "commentonduplicate" : "0", + "confirmuniqueusermatch" : "1", + "cookiedomain" : "", + "cookiepath" : "/", + "createemailregexp" : ".*", + "debug_group" : "editbugs", + "default_search_limit" : "500", + "defaultopsys" : "Linux", + "defaultplatform" : "All", + "defaultpriority" : "Normal", + "defaultquery" : "bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailqa_contact2=1&order=Importance&long_desc_type=substring", + "defaultseverity" : "normal", + "duplicate_or_move_bug_status" : "RESOLVED", + "emailregexp" : "^[\\w\\.\\+\\-=]+@[\\w\\.\\-]+\\.[\\w\\-]+$", + "emailregexpdesc" : "A legal address must contain exactly one '@', and at least one '.' 
after the @.", + "emailsuffix" : "", + "font_file" : "", + "globalwatchers" : "bugs-dev@ml.mageia.org", + "inbound_proxies" : "", + "insidergroup" : "secteam", + "last_visit_keep_days" : "10", + "letsubmitterchoosemilestone" : "1", + "letsubmitterchoosepriority" : "1", + "mail_delivery_method" : "SMTP", + "mailfrom" : "bugzilla-daemon@<%= domain %>", + "maintainer" : "sysadmin@group.<%= domain %>", + "makeproductgroups" : "0", + "max_search_results" : "10000", + "maxattachmentsize" : "1000", + "maxlocalattachment" : "0", + "maxusermatches" : "1000", + "memcached_namespace" : "bugzilla:", + "memcached_servers" : "", + "musthavemilestoneonaccept" : "0", + "mybugstemplate" : "buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&email1=%userid%&field0-0-0=bug_status&type0-0-0=notequals&value0-0-0=UNCONFIRMED&field0-0-1=reporter&type0-0-1=equals&value0-0-1=%userid%", + "noresolveonopenblockers" : "0", + "or_groups" : "0", + "password_check_on_login" : "1", + "password_complexity" : "no_constraints", + "proxy_url" : "", + "querysharegroup" : "editbugs", + "quip_list_entry_control" : "open", + "rememberlogin" : "on", + "requirelogin" : "0", + "search_allow_no_criteria" : "0", + "shadowdb" : "", + "shadowdbhost" : "", + "shadowdbport" : "3306", + "shadowdbsock" : "", + "shutdownhtml" : "", + "smtp_debug" : "0", + "smtp_password" : "", + "smtp_ssl" : "0", + "smtp_username" : "", + "smtpserver" : "localhost", + "ssl_redirect" : "1", + "sslbase" : "https://bugs-dev.<%= domain %>/", + "strict_isolation" : "0", + "strict_transport_security" : "off", + "timetrackinggroup" : "", + "upgrade_notification" : "latest_stable_release", + "urlbase" : "http://bugs-dev.<%= domain %>/", + "use_mailer_queue" : "0", + "use_see_also" : "1", + "useclassification" : "0", + "usemenuforusers" : "0", + "useqacontact" : "1", + "user_info_class" : "CGI", + "user_verify_class" : "LDAP", + "usestatuswhiteboard" 
: "1", + "usetargetmilestone" : "1", + "usevisibilitygroups" : "0", + "utf8" : "1", + "webdotbase" : "/usr/bin/dot", + "webservice_email_filter" : "0", + "whinedays" : "0" +} diff --git a/modules/bugzilla/templates/robots.txt b/modules/bugzilla-dev/templates/robots.txt index 63639f02..63639f02 100644..100755 --- a/modules/bugzilla/templates/robots.txt +++ b/modules/bugzilla-dev/templates/robots.txt diff --git a/modules/bugzilla-dev/templates/vhost.conf b/modules/bugzilla-dev/templates/vhost.conf new file mode 100755 index 00000000..79eab9fb --- /dev/null +++ b/modules/bugzilla-dev/templates/vhost.conf @@ -0,0 +1,2 @@ +RewriteEngine On +RewriteRule ^/([0-9]+)$ /show_bug.cgi?id=$1 [R=301,L] diff --git a/modules/bugzilla-dev/templates/webapp_bugzilla.conf b/modules/bugzilla-dev/templates/webapp_bugzilla.conf new file mode 100755 index 00000000..a8f37a00 --- /dev/null +++ b/modules/bugzilla-dev/templates/webapp_bugzilla.conf 
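Review bot: `"LDAPbinddn" : "cn=bugzilla-alamut,…:<%= ldap_password %>"` embeds the bind password in a JSON string without escaping, so a password containing `"` or `\` yields an invalid `params.json`; escape it in the template (a `gsub` of `["\\]` that prefixes a backslash, or a JSON encoder if one is available to templates), as the localconfig template needs for its own quoting. With `"ssl_redirect" : "1"` and an `https://` `sslbase`, `"strict_transport_security" : "off"` leaves HSTS disabled — `"this_domain_only"` is the matching value once the certificate setup is confirmed. `"urlbase"` is still `http://` while `sslbase` is `https://`; that combination is what `ssl_redirect` handles, but a comment in the manifest would keep it from being "fixed" later.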
@@ -0,0 +1,73 @@
+<%
+path_data_directory = "/var/lib/bugzilla"
+%>
+
+<Directory /usr/share/bugzilla/>
+ AddHandler cgi-script .cgi
+ Options +ExecCGI +FollowSymLinks
+ DirectoryIndex index.cgi index.html
+ AllowOverride All
+</Directory>
+
+# The duplicates.rdf must be accessible, as it is used by
+# duplicates.xul
+<Directory <%= path_data_directory %>>
+ <Files duplicates.rdf>
+ <IfModule mod_authz_core.c>
+ # Apache 2.4
+ Require all granted
+ </IfModule>
+ <IfModule !mod_authz_core.c>
+ # Apache 2.2
+ Order allow,deny
+ Allow from all
+ </IfModule>
+ </Files>
+</Directory>
+
+# The png files locally created locally must be accessible
+<Directory <%= path_data_directory %>/webdot>
+ <FilesMatch \.png$>
+ <IfModule mod_authz_core.c>
+ # Apache 2.4
+ Require all granted
+ </IfModule>
+ <IfModule !mod_authz_core.c>
+ # Apache 2.2
+ Order allow,deny
+ Allow from all
+ </IfModule>
+ </FilesMatch>
+</Directory>
+
+Alias /graphs/ <%= path_data_directory %>/graphs/
+<Directory <%= path_data_directory %>/graphs>
+ <FilesMatch \.png$>
+ <IfModule mod_authz_core.c>
+ # Apache 2.4
+ Require all granted
+ </IfModule>
+ <IfModule !mod_authz_core.c>
+ # Apache 2.2
+ Order allow,deny
+ Allow from all
+ </IfModule>
+ </FilesMatch>
+</Directory>
+
+# This should work automatically, but perhaps something
+# in our Bugzilla packaging breaks this?
+Alias /extensions/Mageia/web/ <%= scope.lookupvar("bugzilla::extension_location") %>/web/
+<Directory <%= scope.lookupvar("bugzilla::extension_location") %>/web/>
+ <FilesMatch \.png$>
+ <IfModule mod_authz_core.c>
+ # Apache 2.4
+ Require all granted
+ </IfModule>
+ <IfModule !mod_authz_core.c>
+ # Apache 2.2
+ Order allow,deny
+ Allow from all
+ </IfModule>
+ </FilesMatch>
+</Directory>
diff --git a/modules/bugzilla/manifests/init.pp b/modules/bugzilla/manifests/init.pp
index 2acb1d95..e66ddf0e 100644..100755
--- a/modules/bugzilla/manifests/init.pp
+++ b/modules/bugzilla/manifests/init.pp
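Review bot: `Options +ExecCGI +FollowSymLinks` together with `AllowOverride All` on `/usr/share/bugzilla/` leaves the protection of `localconfig` and `data/params.json` — which the bugzilla init.pp hunk below writes straight into that directory, carrying the DB password, the LDAP bind password and the site-wide secret — to the .htaccess files that checksetup.pl generates (`$create_htaccess = 1` in the localconfig hunk); the bugzilla vhost.conf and webapp_bugzilla.conf hunks further down have the same shape, with an explicit `Require all granted` on that directory. If the dev instance shares that layout, a deny that does not depend on checksetup.pl having run belongs here, inside the first `<Directory>` block: `<FilesMatch "^(localconfig.*|params\.json)$">` / `Require all denied` / `</FilesMatch>` (with the `Order`/`Deny from all` form in an `!mod_authz_core.c` branch for 2.2). `path_data_directory = "/var/lib/bugzilla"` also looks stale if bugzilla-dev mirrors init.pp, which now keeps `data/` under the install root; that manifest is not in this chunk, so verify before changing it.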
@@ -1,71 +1,202 @@ class bugzilla { - $bugzilla_location = '/usr/share/bugzilla/template/en/custom' + $bugzilla_location = '/usr/share/bugzilla' - package {['bugzilla', - 'bugzilla-extension-sitemap', - 'graphviz', + package {['graphviz', 'perl-Template-GD', # needed for graphical_report support 'perl-Test-Taint', - 'perl-JSON-RPC']: } + 'perl-JSON-RPC', + 'perl-JSON-XS', + 'perl-Email-MIME', + 'perl-Email-Sender', + 'perl-Math-Random-ISAAC', + 'perl-Chart', + 'perl-PatchReader', + 'perl-ldap', + 'perl-SOAP-Lite', + 'perl-XMLRPC-Lite', + 'perl-CGI', + 'perl-HTML-Scrubber', + 'perl-Encode-Detect', + 'perl-File-MimeInfo', + 'perl-Email-Reply', + 'perl-HTML-FormatText-WithLinks', + 'perl-Cache-Memcached', + 'perl-File-Copy-Recursive', + 'perl-Daemon-Generic']: } $pgsql_password = extlookup('bugzilla_pgsql','x') $ldap_password = extlookup('bugzilla_ldap','x') + $bugzilla_secret_key = extlookup('bugzilla_secret_key','x') postgresql::remote_db_and_user { 'bugs': description => 'Bugzilla database', password => $pgsql_password, } - file { '/etc/bugzilla/localconfig': + file { "$bugzilla_location/localconfig": group => 'apache', mode => '0640', - content => template('bugzilla/localconfig'), - require => Package['bugzilla'], + content => template('bugzilla/localconfig') } - file { '/var/lib/bugzilla/params': + file { "$bugzilla_location/data/params.json": group => 'apache', mode => '0640', - content => template('bugzilla/params'), - require => Package['bugzilla'], + content => template('bugzilla/params.json') + } + file { "$bugzilla_location/graphs": + ensure => directory, + owner => 'apache', + group => 'apache', + mode => '0770' } apache::webapp_other { 'bugzilla': webapp_file => 'bugzilla/webapp_bugzilla.conf', } - $bugs_vhost = "bugs.$::domain" - $vhost_root = '/usr/share/bugzilla/www' + $bugs_vhost = "bugs.${::domain}" + $vhost_root = $bugzilla_location apache::vhost::redirect_ssl { $bugs_vhost: } apache::vhost::base { $bugs_vhost: + content => 
template('bugzilla/vhost.conf'), aliases => { '/bugzilla/' => $vhost_root }, use_ssl => true, location => $vhost_root, vhost => $bugs_vhost, + enable_location => false, } - subversion::snapshot { $bugzilla_location: - source => 'svn://svn.mageia.org/svn/web/templates/bugzilla/trunk', - require => Package['bugzilla'], + git::snapshot { $bugzilla_location: + source => "git://git.${::domain}/web/bugs" } - file { 'custom': + file { 'Mageia': ensure => directory, - path => '/usr/share/bugzilla/template/en/custom', + path => $bugzilla_location, group => 'apache', - mode => '0640', recurse => true, - require => Subversion::Snapshot[$bugzilla_location], + require => Git::Snapshot[$bugzilla_location], } - file { '/usr/share/bugzilla/www/robots.txt': + file { ["$bugzilla_location/data", + "$bugzilla_location/data/mining"]: + ensure => directory, + owner => 'apache', + group => 'apache', + mode => '0770' + } + + file { "$bugzilla_location/data/assets": + ensure => directory, + owner => 'apache', + group => 'apache', + mode => '0770' + } + + file { "$bugzilla_location/robots.txt": group => 'apache', - mode => '0640', - content => template('bugzilla/robots.txt'), - require => Package['bugzilla-extension-sitemap'], + mode => '0640' + } + + file { "$bugzilla_location/data/bugzilla-update.xml": + owner => 'apache', + group => 'apache', + mode => '0640' } + + file { [ + "$bugzilla_location/admin.cgi", + "$bugzilla_location/attachment.cgi", + "$bugzilla_location/buglist.cgi", + "$bugzilla_location/chart.cgi", + "$bugzilla_location/colchange.cgi", + "$bugzilla_location/config.cgi", + "$bugzilla_location/createaccount.cgi", + "$bugzilla_location/describecomponents.cgi", + "$bugzilla_location/describekeywords.cgi", + "$bugzilla_location/duplicates.cgi", + "$bugzilla_location/editclassifications.cgi", + "$bugzilla_location/editfields.cgi", + "$bugzilla_location/editgroups.cgi", + "$bugzilla_location/editmilestones.cgi", + "$bugzilla_location/editproducts.cgi", + 
"$bugzilla_location/editusers.cgi", + "$bugzilla_location/editversions.cgi", + "$bugzilla_location/editworkflow.cgi", + "$bugzilla_location/editcomponents.cgi", + "$bugzilla_location/editflagtypes.cgi", + "$bugzilla_location/editkeywords.cgi", + "$bugzilla_location/editparams.cgi", + "$bugzilla_location/editsettings.cgi", + "$bugzilla_location/editvalues.cgi", + "$bugzilla_location/editwhines.cgi", + "$bugzilla_location/enter_bug.cgi", + "$bugzilla_location/index.cgi", + "$bugzilla_location/jsonrpc.cgi", + "$bugzilla_location/page.cgi", + "$bugzilla_location/post_bug.cgi", + "$bugzilla_location/process_bug.cgi", + "$bugzilla_location/query.cgi", + "$bugzilla_location/quips.cgi", + "$bugzilla_location/relogin.cgi", + "$bugzilla_location/reports.cgi", + "$bugzilla_location/rest.cgi", + "$bugzilla_location/search_plugin.cgi", + "$bugzilla_location/show_bug.cgi", + "$bugzilla_location/showdependencytree.cgi", + "$bugzilla_location/testagent.cgi", + "$bugzilla_location/userprefs.cgi", + "$bugzilla_location/xmlrpc.cgi", + "$bugzilla_location/report.cgi", + "$bugzilla_location/request.cgi", + "$bugzilla_location/sanitycheck.cgi", + "$bugzilla_location/show_activity.cgi", + "$bugzilla_location/showdependencygraph.cgi", + "$bugzilla_location/summarize_time.cgi", + "$bugzilla_location/token.cgi", + "$bugzilla_location/votes.cgi", + "$bugzilla_location/checksetup.pl", + "$bugzilla_location/clean-bug-user-last-visit.pl", + "$bugzilla_location/collectstats.pl", + "$bugzilla_location/email_in.pl", + "$bugzilla_location/importxml.pl", + "$bugzilla_location/install-module.pl", + "$bugzilla_location/jobqueue.pl", + "$bugzilla_location/migrate.pl", + "$bugzilla_location/runtests.pl", + "$bugzilla_location/sanitycheck.pl", + "$bugzilla_location/testserver.pl", + "$bugzilla_location/whineatnews.pl", + "$bugzilla_location/whine.pl", + ]: + group => 'apache', + mode => '0750', + } + +# Improper file permissions makes this fail, and nobody seems to care +# cron { 'collectstats': +# 
command => "cd $bugzilla_location && ./collectstats.pl", +# user => 'apache', +# hour => 2, +# minute => 30, +# } + + cron { 'clean-bug-user-last-visit': + command => "cd $bugzilla_location && ./clean-bug-user-last-visit.pl", + user => 'apache', + hour => 3, + minute => 0, + } + cron { 'sanitycheck': + command => "cd $bugzilla_location && $bugzilla_location/sanitycheck.pl --login LpSolit@gmail.com", + user => 'apache', + hour => 21, + minute => 0, + } + } diff --git a/modules/bugzilla/templates/localconfig b/modules/bugzilla/templates/localconfig index 5ef4a9ab..61935552 100644 --- a/modules/bugzilla/templates/localconfig +++ b/modules/bugzilla/templates/localconfig 
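Review bot: `source => "git://git.${::domain}/web/bugs"` pulls the tree that will run as CGI with the DB and LDAP credentials over the unauthenticated git:// protocol, so nothing on this path verifies what gets deployed; an https:// or ssh source (plus a pinned revision, if git::snapshot supports one) would close that. `$bugzilla_secret_key = extlookup('bugzilla_secret_key','x')` makes a missing key silently deploy `x` as `$site_wide_secret` (the localconfig hunk below states the value must be long and kept secret); dropping the default, `$bugzilla_secret_key = extlookup('bugzilla_secret_key')`, should make the run fail instead, which is the right outcome for a token-signing key — the existing `'x'` defaults on the two passwords have the same weakness. The `localconfig`, `data/params.json` and `data*` directory resources lost `require => Package['bugzilla']` without gaining `require => Git::Snapshot[$bugzilla_location]` as the `'Mageia'` resource has, so unless git::snapshot copes with a non-empty target they can be created before the checkout and break it. The `sanitycheck` cron hardcodes `--login LpSolit@gmail.com`, an upstream developer's address, as the account it runs under; a site account from a lookup would be the expected value.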
@@ -1,51 +1,59 @@ - # If you are using Apache as your web server, Bugzilla can create .htaccess -# files for you that will instruct Apache not to serve files that shouldn't -# be accessed from the web browser (like your local configuration data and non-cgi -# executable files). For this to work, the directory your Bugzilla -# installation is in must be within the jurisdiction of a <Directory> block -# in the httpd.conf file that has 'AllowOverride Limit' in it. If it has -# 'AllowOverride All' or other options with Limit, that's fine. -# (Older Apache installations may use an access.conf file to store these -# <Directory> blocks.) -# If this is set to 1, Bugzilla will create these files if they don't exist. -# If this is set to 0, Bugzilla will not create these files. -$create_htaccess = 0; - -# Usually, this is the group your web server runs as. -# If you have a Windows box, ignore this setting. -# If you have use_suexec switched on below, this is the group Apache switches -# to in order to run Bugzilla scripts. +# files for you, which will keep this file (localconfig) and other +# confidential files from being read over the web. +# +# If this is set to 1, checksetup.pl will create .htaccess files if +# they don't exist. +# +# If this is set to 0, checksetup.pl will not create .htaccess files. +$create_htaccess = 1; + +# The name of the group that your web server runs as. On Red Hat +# distributions, this is usually "apache". On Debian/Ubuntu, it is +# usually "www-data". +# +# If you have use_suexec turned on below, then this is instead the name +# of the group that your web server switches to to run cgi files. +# +# If this is a Windows machine, ignore this setting, as it does nothing. +# # If you do not have access to the group your scripts will run under, # set this to "". 
If you do set this to "", then your Bugzilla installation # will be _VERY_ insecure, because some files will be world readable/writable, # and so anyone who can get local access to your machine can do whatever they # want. You should only have this set to "" if this is a testing installation # and you cannot set this up any other way. YOU HAVE BEEN WARNED! +# # If you set this to anything other than "", you will need to run checksetup.pl -# asroot, or as a user who is a member of the specified group. +# as root or as a user who is a member of the specified group. $webservergroup = 'apache'; -# Set this if Bugzilla runs in an Apache SuexecUserGroup environment. -# (If your web server runs control panel software (cPanel, Plesk or similar), +# Set this to 1 if Bugzilla runs in an Apache SuexecUserGroup environment. +# +# If your web server runs control panel software (cPanel, Plesk or similar), # or if your Bugzilla is to run in a shared hosting environment, then you are -# almost certainly in an Apache SuexecUserGroup environment.) -# If you have a Windows box, ignore this setting. -# If set to 0, Bugzilla will set file permissions as tightly as possible. -# If set to 1, Bugzilla will set file permissions so that it may work in an -# SuexecUserGroup environment. The difference is that static files (CSS, -# JavaScript and so on) will receive world read permissions. +# almost certainly in an Apache SuexecUserGroup environment. +# +# If this is a Windows box, ignore this setting, as it does nothing. +# +# If set to 0, checksetup.pl will set file permissions appropriately for +# a normal webserver environment. +# +# If set to 1, checksetup.pl will set file permissions so that Bugzilla +# works in a SuexecUserGroup environment. $use_suexec = 0; # What SQL database to use. Default is mysql. List of supported databases # can be obtained by listing Bugzilla/DB directory - every module corresponds -# to one supported database and the name corresponds to a driver name. 
+# to one supported database and the name of the module (before ".pm") +# corresponds to a valid value for this variable. $db_driver = 'pg'; -# The DNS name of the host that the database server runs on. -$db_host = 'pgsql.<%= domain %>'; +# The DNS name or IP address of the host that the database server runs on. +$db_host = 'pg.mageia.org'; -# The name of the database +# The name of the database. For Oracle, this is the database's SID. For +# SQLite, this is a name (or path) for the DB file. $db_name = 'bugs'; # Who we connect to the database as. @@ -55,7 +63,7 @@ $db_user = 'bugs'; # a password for your bugzilla database user. # If you use apostrophe (') or a backslash (\) in your password, you'll # need to escape it by preceding it with a '\' character. (\') or (\) -# (Far simpler just not to use those characters.) +# (It is far simpler to just not use those characters.) $db_pass = '<%= pgsql_password %>'; # Sometimes the database server is running on a non-standard port. If that's 
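Review bot: `$db_host = 'pg.mageia.org';` pins the domain in a template whose other hosts (`ldap.<%= domain %>` in params.json, `bugs.${::domain}` in init.pp) are derived from the deployment domain, and it replaces a line that was; `$db_host = 'pg.<%= domain %>';` keeps that property unless the database host is deliberately off-domain. Since `$create_htaccess = 1` is now what keeps this file (and the `$db_pass` in it) from being served out of the web root, a one-line comment above it, `# must stay 1: this tree is the vhost root, see init.pp`, tells the next editor why it must not go back to 0.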
@@ -70,35 +78,50 @@ $db_port = 0; $db_sock = ''; # Should checksetup.pl try to verify that your database setup is correct? -# (with some combinations of database servers/Perl modules/moonphase this -# doesn't work) +# With some combinations of database servers/Perl modules/moonphase this +# doesn't work, and so you can try setting this to 0 to make checksetup.pl +# run. $db_check = 1; -# With the introduction of a configurable index page using the -# template toolkit, Bugzilla's main index page is now index.cgi. +# Path to a PEM file with a list of trusted SSL CA certificates. +# The file must be readable by web server user. +$db_mysql_ssl_ca_file = ''; + +# Path to a directory containing trusted SSL CA certificates in PEM format. +# Directory and files inside must be readable by the web server user. +$db_mysql_ssl_ca_path = ''; + +# Full path to the client SSL certificate in PEM format we will present to the DB server. +# The file must be readable by web server user. +$db_mysql_ssl_client_cert = ''; + +# Full path to the private key corresponding to the client SSL certificate. +# The file must not be password-protected and must be readable by web server user. +$db_mysql_ssl_client_key = ''; + # Most web servers will allow you to use index.cgi as a directory # index, and many come preconfigured that way, but if yours doesn't # then you'll need an index.html file that provides redirection # to index.cgi. Setting $index_html to 1 below will allow -# checksetup.pl to create one for you if it doesn't exist. +# checksetup.pl to create an index.html for you if it doesn't exist. # NOTE: checksetup.pl will not replace an existing file, so if you # wish to have checksetup.pl create one for you, you must -# make sure that index.html doesn't already exist +# make sure that index.html doesn't already exist. $index_html = 0; -# For some optional functions of Bugzilla (such as the pretty-print patch -# viewer), we need the cvs binary to access files and revisions. 
-# Because it's possible that this program is not in your path, you can specify -# its location here. Please specify the full path to the executable. -$cvsbin = '/usr/bin/cvs'; - -# For some optional functions of Bugzilla (such as the pretty-print patch -# viewer), we need the interdiff binary to make diffs between two patches. -# Because it's possible that this program is not in your path, you can specify -# its location here. Please specify the full path to the executable. +# If you want to use the "Difference Between Two Patches" feature of the +# Patch Viewer, please specify the full path to the "interdiff" executable +# here. $interdiffbin = '/usr/bin/interdiff'; -# The interdiff feature needs diff, so we have to have that path. -# Please specify the directory name only; do not use trailing slash. +# For the "Difference Between Two Patches" feature to work, we need to know +# what directory the "diff" bin is in. (You only need to set this if you +# are using that feature of the Patch Viewer.) $diffpath = '/usr/bin'; +# This secret key is used by your installation for the creation and +# validation of encrypted tokens. These tokens are used to implement +# security features in Bugzilla, to protect against certain types of attacks. +# A random string is generated by default. It's very important that this key +# is kept secret. It also must be very long. +$site_wide_secret = '<%= bugzilla_secret_key %>'; diff --git a/modules/bugzilla/templates/params b/modules/bugzilla/templates/params index 0be18af3..2e71a39d 100644 --- a/modules/bugzilla/templates/params +++ b/modules/bugzilla/templates/params @@ -1,6 +1,6 @@ %param = ( 'LDAPBaseDN' => 'ou=People,<%= dc_suffix %>', - 'LDAPbinddn' => 'cn=bugzilla-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>:<%= ldap_password %>', + 'LDAPbinddn' => 'cn=bugzilla-alamut,ou=System Accounts,<%= dc_suffix %>:<%= ldap_password %>', 'LDAPfilter' => '', 'LDAPmailattribute' => 'mail', 'LDAPserver' => 'ldap.<%= domain %>', 
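Review bot: `$site_wide_secret = '<%= bugzilla_secret_key %>';` drops the looked-up value into a single-quoted Perl literal unescaped, so a key containing `'` or `\` yields an invalid or truncated localconfig — the `$db_pass` comment in this file warns about exactly that, and `$db_pass = '<%= pgsql_password %>'` has the same gap. Escape the two characters in the ERB tag, `$site_wide_secret = '<%= bugzilla_secret_key.gsub(/['\\]/) { |c| "\\" + c } %>';`, or generate the key from an alphabet that excludes them. The same hunk adds four `$db_mysql_ssl_*` settings that are inert with `$db_driver = 'pg'`; keeping them for upstream parity is fine, but a short comment saying so stops someone "fixing" them later.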
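Review bot: init.pp in this series no longer renders `bugzilla/params` (it deploys `data/params.json` instead), so this hunk and the two `params` hunks that follow edit a template nothing visible consumes; if that reading holds, delete the file rather than keep two copies drifting. Within the change itself, `cn=bugzilla-alamut` replaces the `<%= hostname %>`-derived bind DN with one machine's name, so the LDAP bind no longer follows the host the class runs on; the new params.json hardcodes the same name.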
@@ -10,6 +10,7 @@ 'RADIUS_email_suffix' => '', 'RADIUS_secret' => '', 'RADIUS_server' => '', + 'ajax_user_autocompletion' => '1', 'allow_attach_url' => 0, 'allow_attachment_deletion' => 0, 'allow_attachment_display' => 1, 
@@ -29,28 +30,31 @@ 'confirmuniqueusermatch' => 1, 'cookiedomain' => '', 'cookiepath' => '/', - 'createemailregexp' => '.*', - 'cvsroot' => '', - 'cvsroot_get' => '', - 'defaultopsys' => 'Linux', - 'defaultplatform' => 'i586', - 'defaultpriority' => 'Normal', - 'defaultquery' => 'bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailqa_contact2=1&order=Importance&long_desc_type=substring', - 'defaultseverity' => 'normal', - 'docs_urlbase' => ' http://www.bugzilla.org/docs/3.6/en/html/', + 'createemailregexp' => '.*', + 'cvsroot' => '', + 'cvsroot_get' => '', + 'debug_group' => 'editbugs', + 'default_search_limit' => '500', + 'defaultopsys' => 'Linux', + 'defaultplatform' => 'All', + 'defaultpriority' => 'Normal', + 'defaultquery' => 'bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailqa_contact2=1&order=Importance&long_desc_type=substring', + 'defaultseverity' => 'normal', + 'docs_urlbase' => ' https://www.bugzilla.org/docs/4.4/en/html/', 'duplicate_or_move_bug_status' => 'RESOLVED', 'emailregexp' => '^[\\w\\.\\+\\-=]+@[\\w\\.\\-]+\\.[\\w\\-]+$', 'emailregexpdesc' => 'A legal address must contain exactly one \'@\', and at least one \'.\' after the @.', 'emailsuffix' => '', 'globalwatchers' => 'bugs@ml.<%= domain %>', 'inbound_proxies' => '', - 'insidergroup' => '', + 'insidergroup' => 'secteam', 'letsubmitterchoosemilestone' => 1, 'letsubmitterchoosepriority' => 1, 'lxr_root' => '', 'lxr_url' => '', 'mail_delivery_method' => 'SMTP', - 'mailfrom' => 'bugzilla-daemon@<%= domain %>', + 'mailfrom' => 'bugzilla_noreply@ml.<%= domain %>', + 'maintainer' => 'sysadmin@group.<%= domain %>', 'makeproductgroups' => 0, 'maxattachmentsize' => '1000', 'maxlocalattachment' => '0', 
@@ -72,23 +76,23 @@ 'quip_list_entry_control' => 'open', 'rememberlogin' => 'on', 'requirelogin' => '0', + 'search_allow_no_criteria' => '0', 'sendmailnow' => 1, - 'shadowdb' => '', - 'shadowdbhost' => '', - 'shadowdbport' => '3306', - 'shadowdbsock' => '', - 'shutdownhtml' => '', - 'smtp_debug' => 0, - 'smtp_password' => '', - 'smtp_username' => '', - 'smtpserver' => 'localhost', - 'specific_search_allow_empty_words' => 1, - 'ssl_redirect' => 1, - 'sslbase' => 'https://bugs.<%= domain %>/', - 'strict_isolation' => 0, - 'timetrackinggroup' => '', + 'shadowdb' => '', + 'shadowdbhost' => '', + 'shadowdbport' => '3306', + 'shadowdbsock' => '', + 'smtp_debug' => 0, + 'smtp_password' => '', + 'smtp_username' => '', + 'smtpserver' => 'localhost', + 'specific_search_allow_empty_words' => 1, + 'ssl_redirect' => 1, + 'sslbase' => 'https://bugs.<%= domain %>/', + 'strict_isolation' => 0, + 'timetrackinggroup' => '', 'upgrade_notification' => 'latest_stable_release', - 'urlbase' => 'http://bugs.<%= domain %>/', + 'urlbase' => 'https://bugs.<%= domain %>/', 'use_mailer_queue' => 0, 'use_see_also' => 1, 'usebugaliases' => 0, diff --git a/modules/bugzilla/templates/params.json b/modules/bugzilla/templates/params.json new file mode 100644 index 00000000..05325bc7 --- /dev/null +++ b/modules/bugzilla/templates/params.json 
@@ -0,0 +1,104 @@ +{ + "LDAPBaseDN" : "ou=People,<%= dc_suffix %>", + "LDAPbinddn" : "cn=bugzilla-alamut,ou=System Accounts,<%= dc_suffix %>:<%= ldap_password %>", + "LDAPfilter" : "", + "LDAPmailattribute" : "mail", + "LDAPserver" : "ldap.<%= domain %>", + "LDAPstarttls" : "1", + "LDAPuidattribute" : "uid", + "RADIUS_NAS_IP" : "", + "RADIUS_email_suffix" : "", + "RADIUS_secret" : "", + "RADIUS_server" : "", + "ajax_user_autocompletion" : "1", + "allow_attachment_deletion" : "0", + "allow_attachment_display" : "1", + "allowbugdeletion" : "0", + "allowemailchange" : "0", + "allowuserdeletion" : "0", + "announcehtml" : "", + "attachment_base" : "", + "auth_env_email" : "", + "auth_env_id" : "", + "auth_env_realname" : "", + "chartgroup" : "editbugs", + "collapsed_comment_tags" : "obsolete, spam, off-topic", + "comment_taggers_group" : "editbugs", + "commentonchange_resolution" : "1", + "commentonduplicate" : "0", + "confirmuniqueusermatch" : "1", + "cookiedomain" : "", + "cookiepath" : "/", + "createemailregexp" : ".*", + "debug_group" : "admin", + "default_search_limit" : "500", + "defaultopsys" : "Linux", + "defaultplatform" : "All", + "defaultpriority" : "Normal", + "defaultquery" : "resolution=---&emailassigned_to1=1&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailqa_contact2=1&emaillongdesc3=1&order=Importance&long_desc_type=substring", + "defaultseverity" : "normal", + "duplicate_or_move_bug_status" : "RESOLVED", + "emailregexp" : "^[\\w\\.\\+\\-=]+@[\\w\\.\\-]+\\.[\\w\\-]+$", + "emailregexpdesc" : "A legal address must contain exactly one '@', and at least one '.' 
after the @.", + "emailsuffix" : "", + "font_file" : "", + "globalwatchers" : "bugs@ml.mageia.org", + "inbound_proxies" : "", + "insidergroup" : "secteam", + "last_visit_keep_days" : "60", + "letsubmitterchoosemilestone" : "1", + "letsubmitterchoosepriority" : "1", + "mail_delivery_method" : "SMTP", + "mailfrom" : "bugzilla_noreply@ml.<%= domain %>", + "maintainer" : "sysadmin@group.<%= domain %>", + "makeproductgroups" : "0", + "max_search_results" : "10000", + "maxattachmentsize" : "1000", + "maxlocalattachment" : "0", + "maxusermatches" : "1000", + "memcached_namespace" : "bugzilla:", + "memcached_servers" : "", + "musthavemilestoneonaccept" : "0", + "mybugstemplate" : "buglist.cgi?resolution=---&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&email1=%userid%", + "noresolveonopenblockers" : "0", + "or_groups" : "0", + "password_check_on_login" : "1", + "password_complexity" : "no_constraints", + "proxy_url" : "", + "querysharegroup" : "editbugs", + "quip_list_entry_control" : "open", + "rememberlogin" : "on", + "requirelogin" : "0", + "search_allow_no_criteria" : "0", + "shadowdb" : "", + "shadowdbhost" : "", + "shadowdbport" : "3306", + "shadowdbsock" : "", + "shutdownhtml" : "", + "smtp_debug" : "0", + "smtp_password" : "", + "smtp_ssl" : "0", + "smtp_username" : "", + "smtpserver" : "localhost", + "ssl_redirect" : "1", + "sslbase" : "https://bugs.<%= domain %>/", + "strict_isolation" : "0", + "strict_transport_security" : "off", + "timetrackinggroup" : "", + "upgrade_notification" : "latest_stable_release", + "urlbase" : "https://bugs.<%= domain %>/", + "use_mailer_queue" : "0", + "use_see_also" : "1", + "useclassification" : "0", + "usemenuforusers" : "0", + "useqacontact" : "1", + "user_info_class" : "CGI", + "user_verify_class" : "LDAP", + "usestatuswhiteboard" : "1", + "usetargetmilestone" : "1", + "usevisibilitygroups" : "0", + "utf8" : "1", + "webdotbase" : "/usr/bin/dot", + "webservice_email_filter" : "0", + "whinedays" : "0" +} 
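Review bot: `"strict_transport_security" : "off"` sits next to `"ssl_redirect" : "1"` and an https `urlbase`, so browsers are redirected to TLS on every first visit but never told to stay there; Bugzilla's `this_domain_only` value (or `include_subdomains`, if the whole domain is TLS-only) makes it send the HSTS header. `"LDAPbinddn"` carries the bind password inline, so this file is as sensitive as localconfig; init.pp installs it 0640 group apache, which is adequate, but any backup or copy of `data/` inherits the secret. `"upgrade_notification" : "latest_stable_release"` makes the web server poll upstream for release notices — harmless, but worth knowing when egress rules are reviewed.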
diff --git a/modules/bugzilla/templates/vhost.conf b/modules/bugzilla/templates/vhost.conf new file mode 100644 index 00000000..fd55e5f2 --- /dev/null +++ b/modules/bugzilla/templates/vhost.conf @@ -0,0 +1,14 @@ +RewriteEngine On +RewriteRule ^/([0-9]+)$ /show_bug.cgi?id=$1 [R=301,L] + + <Directory /usr/share/bugzilla> + Require all granted + </Directory> + + + <Directory /usr/share/bugzilla> + AllowOverride all + AddHandler cgi-script .cgi + Options +ExecCGI +FollowSymLinks + DirectoryIndex index.cgi index.html + </Directory> diff --git a/modules/bugzilla/templates/webapp_bugzilla.conf b/modules/bugzilla/templates/webapp_bugzilla.conf index 16e94168..d2e3f395 100644 --- a/modules/bugzilla/templates/webapp_bugzilla.conf +++ b/modules/bugzilla/templates/webapp_bugzilla.conf @@ -1,37 +1,11 @@ <% -path_data_directory = "/var/lib/bugzilla" +path_data_directory = "/usr/share/bugzilla/" %> -<Directory /usr/share/bugzilla/www> - Order allow,deny - Allow from all - - Options ExecCGI - DirectoryIndex index.cgi -</Directory> - -# The duplicates.rdf must be accessible, as it is used by -# duplicates.xul -<Directory <%= path_data_directory %>> - <Files duplicates.rdf> - Order allow,deny - Allow from all - </Files> +<Directory <%= path_data_directory %> > + AddHandler cgi-script .cgi + Options +ExecCGI +FollowSymLinks + DirectoryIndex index.cgi index.html + AllowOverride All </Directory> -# The png files locally created locally must be accessible -<Directory <%= path_data_directory %>/webdot> - <FilesMatch \.png$> - Order allow,deny - Allow from all - </FilesMatch> -</Directory> - -Alias /graphs/ <%= path_data_directory %>/graphs/ -<Directory <%= path_data_directory %>/graphs> - - <FilesMatch \.png$> - Order allow,deny - Allow from all - </FilesMatch> -</Directory> diff --git a/modules/buildsystem/files/Mageia.pm b/modules/buildsystem/files/Mageia.pm index 109aeb29..443f6cb7 100644 --- a/modules/buildsystem/files/Mageia.pm +++ b/modules/buildsystem/files/Mageia.pm 
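Review bot: the two adjacent `<Directory /usr/share/bugzilla>` blocks configure one directory and can be a single block (`Require all granted` followed by the four directives of the second), and the double blank line between them reads as an editing leftover. The webapp_bugzilla.conf hunk that follows sets `AddHandler`, `Options +ExecCGI +FollowSymLinks`, `DirectoryIndex` and `AllowOverride` for the same path again (as `<Directory /usr/share/bugzilla/ >`, with a stray space from the trailing slash in `path_data_directory`); keep those directives in one of the two files so the per-directory policy has a single home. `RewriteRule ^/([0-9]+)$ /show_bug.cgi?id=$1 [R=301,L]` is repeated verbatim from the bugzilla-dev vhost.conf earlier in this diff; a shared template would avoid the two drifting apart.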
@@ -225,7 +225,7 @@ sub _get_distribution_paths { my $arch = $package->get_arch(); $arch = $translate_arch{$arch} || $arch; if ($arch eq 'noarch') { - map { "$target/$_" } $self->get_extra_arches; + map { "$target/$_" } $self->get_target_arches($target); } elsif ($arch eq 'src') { die "no way to get distribution path using a $arch package"; } else { @@ -264,26 +264,7 @@ sub get_replaced_packages { my @replaced_packages = $self->SUPER::get_replaced_packages($package, $target, $user_context, $app_context); - # mandriva lib policy: - # library package names change with revision, making mandatory to - # duplicate older revisions search with a custom pattern my $name = $package->get_name(); - if ($name =~ /^(lib\w+[a-zA-Z_])[\d_\.]+([-\w]*)$/) { - push(@replaced_packages, - grep { $package->compare($_) > 0 } - map { PACKAGE_CLASS->new(file => $_) } - $self->get_files( - $self->{_install_root}, - $self->get_install_path($package, $target, $user_context, $app_context), - PACKAGE_CLASS->get_pattern( - $1 . '[\d_\.]+' . $2, # custom name pattern - undef, - undef, - $package->get_arch() - ), - ) - ); - } # kernel packages have the version in the name # binary dkms built for old kernels have to be removed too 
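Review bot: `my $name = $package->get_name();` survives the removal of the lib-policy block, which was its only use inside the hunk; if the kernel-package branch below (outside the hunk) does not read `$name`, drop the line, otherwise move it next to its first use. The first hunk swaps `get_extra_arches` for `get_target_arches($target)` in the noarch branch without a comment on why the arch set now depends on the target; a one-line comment there would preserve the reasoning, since neither helper is in view to infer it from. `get_replaced_packages` continues past the hunk.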
@@ -454,13 +435,14 @@ sub get_upload_newer_revisions { my ($self, $package, $target, $user_context, $app_context) = @_; croak "Not a class method" unless ref $self; my $arch = $package->get_arch(); - my $name = $package->get_full_name; + my $name = $package->as_string(); $name =~ s/^\@\d+://; my $pattern = $self->get_package_class()->get_pattern($package->get_name(), undef, undef, $arch); my $media = $self->_get_media_config($target); my @packages; foreach my $state (@{$self->{_upload_state}}) { foreach my $m (keys %{$media->{$arch}}) { + next if defined($user_context->{section}) and $user_context->{section} ne $m; my $path = "$self->{_upload_root}/$state/$target/$m"; print "Looking for package $package revisions for $target in $path (pattern $pattern)\n" if $self->{_verbose}; find( @@ -498,35 +480,6 @@ sub get_svn_url { $self->{_svn} } -sub get_revisions { - my ($self, $package, $target, $user_context, $app_context, $filter) = @_; - croak "Not a class method" unless ref $self; - print "Looking for package $package revisions for $target\n" if $self->{_verbose} > 0; - - my $arch = $app_context->{arch} || $user_context->{arch} || $package->get_arch(); - my $media_arch = $arch eq 'noarch' ? $self->{_noarch} : $arch; - my $path = $arch eq 'src' ? "$target/SRPMS/" : "$target/$media_arch/media"; - my $media = $self->_get_section($package, $target, $user_context, $app_context); - my $name = $package->get_name(); - my @packages = map { $self->get_package_class()->new(file => $_) } - $self->get_files( - $self->{_install_root}, - "$path/$media", - $self->get_package_class()->get_pattern( - $name, - undef, - undef, - $package->get_arch(), - ) - ); - - @packages = grep { $filter->($_) } @packages if $filter; - - return - sort { $b->compare($a) } # sort by revision order - @packages; -} - sub reject { my ($self, $package, $target, $user_context, $app_context) = @_; croak "Not a class method" unless ref $self; 
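Review bot: `next if defined($user_context->{section}) and $user_context->{section} ne $m;` narrows the scan to one upload section with no comment on who sets `section` or why a request without it still walks every media; `# only look in the section the caller asked for, when one was given` above it would do. `$name =~ s/^\@\d+://;` after the switch to `as_string()` strips what looks like an `@epoch:` prefix just as silently; `# as_string() may carry a leading "@epoch:"; drop it before matching` documents the assumption — confirm against PACKAGE_CLASS, which is not in view. `get_upload_newer_revisions` continues beyond the hunk.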
diff --git a/modules/buildsystem/templates/signbot/mga-signpackage b/modules/buildsystem/files/signbot/mga-signpackage index bd88efeb..199dbe0e 100755 --- a/modules/buildsystem/templates/signbot/mga-signpackage +++ b/modules/buildsystem/files/signbot/mga-signpackage @@ -16,7 +16,7 @@ sub signpackage { my $sign = RPM4::Sign->new( name => $name, path => $path, - passphrase => '', + passphrase => '', ); $sign->rpmssign($file) diff --git a/modules/buildsystem/templates/signbot/sign-check-package b/modules/buildsystem/files/signbot/sign-check-package index fc9704fd..fc9704fd 100644 --- a/modules/buildsystem/templates/signbot/sign-check-package +++ b/modules/buildsystem/files/signbot/sign-check-package diff --git a/modules/buildsystem/templates/signbot/signbot-rpmmacros b/modules/buildsystem/files/signbot/signbot-rpmmacros index aab7e389..aab7e389 100644 --- a/modules/buildsystem/templates/signbot/signbot-rpmmacros +++ b/modules/buildsystem/files/signbot/signbot-rpmmacros diff --git a/modules/buildsystem/lib/puppet/parser/functions/group_members.rb b/modules/buildsystem/lib/puppet/parser/functions/group_members.rb deleted file mode 100644 index c5cecbe8..00000000 --- a/modules/buildsystem/lib/puppet/parser/functions/group_members.rb +++ /dev/null @@ -1,10 +0,0 @@ -require 'etc' -# group_members($group) -# -> return a array with the login of the group members - -module Puppet::Parser::Functions - newfunction(:group_members, :type => :rvalue) do |args| - group = args[0] - return Etc.getgrnam(group).mem - end -end diff --git a/modules/buildsystem/manifests/base.pp b/modules/buildsystem/manifests/base.pp deleted file mode 100644 index 8befa33d..00000000 --- a/modules/buildsystem/manifests/base.pp +++ /dev/null @@ -1,4 +0,0 @@ -class buildsystem::base { - $packagers_group = 'mga-packagers' - $packagers_committers_group = 'mga-packagers-committers' -} 
diff --git a/modules/buildsystem/manifests/binrepo.pp b/modules/buildsystem/manifests/binrepo.pp index 037352a0..5bf16b53 100644 --- a/modules/buildsystem/manifests/binrepo.pp +++ b/modules/buildsystem/manifests/binrepo.pp @@ -1,29 +1,29 @@ class buildsystem::binrepo { - include buildsystem::base + include buildsystem::var::binrepo + include buildsystem::var::groups include sudo - $login = 'binrepo' - $homedir = "/var/lib/$login" - $repodir = "$homedir/data" - $uploadinfosdir = "$homedir/infos" - $uploadbinpath = '/usr/local/bin/upload-bin' - $uploadmail_from = "root@$::domain" - $uploadmail_to = "packages-commits@ml.$::domain" - - # used in templates - $packagers_committers_group = $buildsystem::base::packagers_committers_group + # upload-bin script uses the mailx command provided by nail +if versioncmp($::lsbdistrelease, '9') < 0 { + package { 'nail': + ensure => installed, + } +} else { + package { 's-nail': + ensure => installed, + } +} - user { $login: - comment => 'Binary files repository', - home => $homedir, + user { $buildsystem::var::binrepo::login: + home => $buildsystem::var::binrepo::homedir, } - file { [$repodir, $uploadinfosdir]: + file { [$buildsystem::var::binrepo::repodir, $buildsystem::var::binrepo::uploadinfosdir]: ensure => directory, - owner => $login, + owner => $buildsystem::var::binrepo::login, } - mga-common::local_script { + mga_common::local_script { 'upload-bin': content => template('buildsystem/binrepo/upload-bin'); 'wrapper.upload-bin': 
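Review bot: the `if versioncmp($::lsbdistrelease, '9') < 0 { package { 'nail': … } } else { … }` block is flush-left inside `class buildsystem::binrepo` while every other resource in the class is indented; indent it to match. The `user` resource drops `comment => 'Binary files repository'` while moving `home` to `$buildsystem::var::binrepo::homedir`, so the account loses its description unless the var class supplies one (not in view). `include buildsystem::var::groups` has no consumer in this hunk; if it replaces the old `$packagers_committers_group` "used in templates" hint, carry that one-line comment over so the include is not removed as dead later.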
@@ -34,8 +34,15 @@ class buildsystem::binrepo { content => template('buildsystem/binrepo/sudoers.binrepo') } - apache::vhost::base { "binrepo.$::domain": - location => $repodir, + apache::vhost::base { $buildsystem::var::binrepo::hostname: + location => $buildsystem::var::binrepo::repodir, + content => template('buildsystem/binrepo/vhost_binrepo.conf'), + } + + apache::vhost::base { "ssl_${buildsystem::var::binrepo::hostname}": + use_ssl => true, + vhost => $buildsystem::var::binrepo::hostname, + location => $buildsystem::var::binrepo::repodir, content => template('buildsystem/binrepo/vhost_binrepo.conf'), } } diff --git a/modules/buildsystem/manifests/buildnode.pp b/modules/buildsystem/manifests/buildnode.pp index bf898f32..1573c093 100644 --- a/modules/buildsystem/manifests/buildnode.pp +++ b/modules/buildsystem/manifests/buildnode.pp @@ -1,11 +1,12 @@ class buildsystem::buildnode { - include buildsystem::base include buildsystem::iurt - include buildsystem::scheduler::var + include buildsystem::var::scheduler + include buildsystem::var::iurt include buildsystem::sshkeys - # permit to scheduler to run iurt - ssh::auth::server { $buildsystem::scheduler::var::login: - user => $buildsystem::iurt::user::login, + sshkeys::set_authorized_keys { 'iurt-allow-scheduler': + keyname => $buildsystem::var::scheduler::login, + home => $buildsystem::var::iurt::homedir, + user => $buildsystem::var::iurt::login, } } diff --git a/modules/buildsystem/manifests/config.pp b/modules/buildsystem/manifests/config.pp deleted file mode 100644 index b038da21..00000000 --- a/modules/buildsystem/manifests/config.pp +++ /dev/null @@ -1,10 +0,0 @@ -class buildsystem::config( - architectures = ['i586', 'x86_64'], - dev_distros = ['cauldron'], - stable_distros = ['1', '2'], - distrosections = ['core', 'nonfree', 'tainted'], - sectionsrepos = ['release', 'updates', 'updates_testing', 'backports', - 'backports_testing'] -) -{ -} 
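Review bot: The plain-HTTP `apache::vhost::base { $buildsystem::var::binrepo::hostname: ... }` is kept next to the new `ssl_` vhost with the same `location` and the same `vhost_binrepo.conf` template, so the repository content stays reachable over both transports; whether HTTP requests get redirected to HTTPS depends on that template, which is not in this diff. If the intent is TLS-only access, either drop the plain vhost or add a comment on it stating that it only redirects, so the next reader does not have to open the template to find out. The same duplicated vhost pair appears in the maintdb.pp hunk below.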
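Review bot: The `# permit to scheduler to run iurt` comment was removed together with the old `ssh::auth::server` resource, but the replacement `sshkeys::set_authorized_keys { 'iurt-allow-scheduler': ... }` appears to grant the same thing — the scheduler's key (`keyname`) may log in as the iurt account (`user`, `home`) — so the why is as relevant as before. Restoring it above the resource, e.g. `# let the scheduler's key log in as iurt so it can launch builds on this node`, would keep the trust relationship documented where it is declared.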
diff --git a/modules/buildsystem/manifests/create_upload_dir.rb b/modules/buildsystem/manifests/create_upload_dir.rb
index dd30d00d..8023ab5d 100644
--- a/modules/buildsystem/manifests/create_upload_dir.rb
+++ b/modules/buildsystem/manifests/create_upload_dir.rb
@@ -1,22 +1,25 @@ -define "create_upload_dir", :owner, :group, :releases do +hostclass "buildsystem::create_upload_dir" do states = ["todo","done","failure","queue","rejected"] + owner = scope.lookupvar('buildsystem::var::scheduler::login') + group = owner + uploads_dir = scope.lookupvar('buildsystem::var::scheduler::homedir') + '/uploads' - file @name, :ensure => 'directory', :owner => @owner, :group => @group + file uploads_dir, :ensure => 'directory', :owner => owner, :group => group for st in states do - file [@name, st].join('/'), :ensure => 'directory', :owner => @owner, :group => @group - - @releases.each{|rel, repositories| - file [@name, st, rel].join('/'), :ensure => 'directory', :owner => @owner, :group => @group - - repositories.each{|rep, medias| - file [@name, st, rel, rep].join('/'), :ensure => 'directory', :owner => @owner, :group => @group - - for med in medias do + file [uploads_dir, st].join('/'), :ensure => 'directory', :owner => owner, :group => group + + scope.lookupvar('buildsystem::var::distros::distros').each{|rel, distro| + file [uploads_dir, st, rel].join('/'), :ensure => 'directory', :owner => owner, :group => group + medias = distro['medias'] + medias.each{|media, m| + file [uploads_dir, st, rel, media].join('/'), :ensure => 'directory', :owner => owner, :group => group + + for repo in m['repos'].keys do if st == 'done' - file [@name, st, rel, rep, med].join('/'), :ensure => 'directory', :owner => @owner, :group => @group, :mode => 0775 + file [uploads_dir, st, rel, media, repo].join('/'), :ensure => 'directory', :owner => owner, :group => group, :mode => 0775 else - file [@name, st, rel, rep, med].join('/'), :ensure => 'directory', :owner => @owner, :group => @group + file [uploads_dir, st, rel, media, repo].join('/'), :ensure => 'directory', :owner => owner, :group => group end end } diff --git a/modules/buildsystem/manifests/distros.rb b/modules/buildsystem/manifests/distros.rb new file mode 100644 index 00000000..a298c0a8 
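Review bot: `group = owner` silently assumes a group named after `buildsystem::var::scheduler::login` exists on the host; the deleted define took `:group` as a separate argument, so the new hostclass narrows that contract without saying so. A header comment on the hostclass stating the tree it creates — `uploads/<state>/<distro>/<media>/<repo>`, owned by the scheduler user and its same-named group, with only the `done` branch group-writable (`:mode => 0775`) — would make the intent reviewable; the reason `done` alone is group-writable is not stated anywhere and deserves one line. The `for st in states` loop and the hostclass itself are closed outside this hunk.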
--- /dev/null
+++ b/modules/buildsystem/manifests/distros.rb
@@ -0,0 +1,97 @@ +hostclass "buildsystem::distros" do + mirror_user = 'root' + schedbot_user = scope.lookupvar('buildsystem::var::scheduler::login') + bootstrap_reporoot = scope.lookupvar('buildsystem::var::repository::bootstrap_reporoot') + scope.lookupvar('buildsystem::var::distros::distros').each{|rel, distro| + file [ bootstrap_reporoot, rel ].join('/'), :ensure => 'directory', + :owner => mirror_user, :group => mirror_user + for arch in distro['arch'] do + # As ruby dsl cannot use defined resources, we have to use a + # workaround with 'find_resource_type' as described in this + # puppet issue: http://projects.puppetlabs.com/issues/11912 + scope.find_resource_type 'buildsystem::media_cfg' + media_cfg_args = { + :distro_name => rel, + :arch => arch, + } + if distro['tmpl_media.cfg'] != nil + media_cfg_args['templatefile'] = distro['tmpl_media.cfg'] + end + if ! distro['no_media_cfg_update'] + create_resource 'buildsystem::media_cfg', + [ rel, ' ', arch ].join('/'), media_cfg_args + end + file [ bootstrap_reporoot, rel, arch ].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + mediadir = [ bootstrap_reporoot, rel, arch, 'media' ].join('/') + file mediadir, :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + file [ mediadir, 'media_info' ].join('/'), :ensure => 'directory', + :owner => schedbot_user, :group => schedbot_user + file [ mediadir, 'debug' ].join('/'), :ensure => 'directory', + :owner => schedbot_user, :group => schedbot_user + distro['medias'].each{|media, m| + file [ mediadir, media ].join('/'), :ensure => 'directory', + :owner => schedbot_user, :group => schedbot_user + file [ mediadir, 'debug', media ].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + for repo in m['repos'].keys do + file [ mediadir, media, repo ].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + file [ mediadir, media, repo, 'media_info' 
].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + file [ mediadir, media, repo, 'repodata' ].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + file [ mediadir, 'debug', media, repo ].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + file [ mediadir, 'debug', media, repo, 'media_info' ].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + file [ mediadir, 'debug', media, repo, 'repodata' ].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + end + } + if distro['based_on'] != nil + distro['based_on'].each{|bdistroname, medias| + file [ mediadir, bdistroname ].join('/'), + :ensure => 'directory', :owner => mirror_user, + :group => mirror_user + medias.each{|medianame, media| + mdir = [ mediadir, bdistroname, medianame ].join('/') + file mdir, :ensure => 'directory', + :owner => mirror_user, :group => mirror_user + for reponame in media + file [ mdir, reponame ].join('/'), + :ensure => 'link', + :target => [ + '../../../../..', bdistroname, arch, + 'media', medianame, reponame ].join('/'), + :owner => mirror_user, :group => mirror_user + end + } + } + end + end + # SRPMS + srpmsdir = [ bootstrap_reporoot, rel, 'SRPMS' ].join('/') + file srpmsdir, + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + distro['medias'].each{|media, m| + file [ srpmsdir, media ].join('/'), :ensure => 'directory', + :owner => schedbot_user, :group => schedbot_user + for repo in m['repos'].keys do + file [ srpmsdir, media, repo ].join('/'), + :ensure => 'directory', :owner => schedbot_user, + :group => schedbot_user + end + } + } +end diff --git a/modules/buildsystem/manifests/init.pp b/modules/buildsystem/manifests/init.pp index 65b38b62..f15b5dbf 100644 --- a/modules/buildsystem/manifests/init.pp +++ b/modules/buildsystem/manifests/init.pp 
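Review bot: `create_resource 'buildsystem::media_cfg', [ rel, ' ', arch ].join('/'), media_cfg_args` builds the resource title as `cauldron/ /x86_64` — a single-space element joined with `/` — which looks like a slip for `[ rel, arch ].join(' ')`, the `"cauldron i586"` form the old mainnode.pp declarations used. The define reads `$distro_name` and `$arch` from the args rather than from the title, so nothing breaks, but the odd title will show up in reports and in any `Buildsystem::Media_cfg[...]` reference. Separately, `mirror_user = 'root'` is the one hard-coded account in a file that otherwise takes every user from `buildsystem::var::*`; a one-line comment on why the mirror-owned directories and the `based_on` symlinks must belong to root would help.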
@@ -1,18 +1,2 @@ class buildsystem { - # A script to copy on valstar the 2010.1 rpms built on jonund - class sync20101 inherits base { - $build_login = $buildsystem::iurt::user::login - # TODO user iurt::user::homedir too - mga-common::local_script { 'sync2010.1': - content => template('buildsystem/sync2010.1'), - } - } - - # a script to build 2010.1 packages. used on jonund - class iurt20101 inherits base { - $build_login = $buildsystem::iurt::user::login - mga-common::local_script { 'iurt2010.1': - content => template('buildsystem/iurt2010.1'), - } - } } diff --git a/modules/buildsystem/manifests/iurt.pp b/modules/buildsystem/manifests/iurt.pp index e0856a23..231c5373 100644 --- a/modules/buildsystem/manifests/iurt.pp +++ b/modules/buildsystem/manifests/iurt.pp @@ -2,13 +2,11 @@ class buildsystem::iurt { include sudo include buildsystem::iurt::user include buildsystem::iurt::packages - $login = $buildsystem::iurt::user::login - $homedir = $buildsystem::iurt::user::homedir - - ssh::auth::client { $login: } + include buildsystem::var::iurt + include buildsystem::var::distros # remove old build directory - tidy { "$homedir/iurt": + tidy { "${buildsystem::var::iurt::homedir}/iurt": age => '8w', recurse => true, matches => ['[0-9][0-9].*\..*\..*\.[0-9]*','log','*.rpm','*.log','*.mga[0-9]+'], @@ -19,9 +17,10 @@ class buildsystem::iurt { ensure => directory, } - buildsystem::iurt::config { ['2','1','cauldron','mandriva2010.1','infra_1', 'infra_2']: } + $distros_list = hash_keys($buildsystem::var::distros::distros) + buildsystem::iurt::config { $distros_list: } sudo::sudoers_config { 'iurt': - content => template('buildsystem/iurt/sudoers.iurt') + content => template('buildsystem/sudoers.iurt') } } diff --git a/modules/buildsystem/manifests/iurt/config.pp b/modules/buildsystem/manifests/iurt/config.pp index 88c08b66..02f5be63 100644 --- a/modules/buildsystem/manifests/iurt/config.pp +++ b/modules/buildsystem/manifests/iurt/config.pp 
@@ -1,11 +1,50 @@ define buildsystem::iurt::config() { + include buildsystem::var::iurt + include buildsystem::var::webstatus + include buildsystem::var::repository $distribution = $name # TODO rename the variable too in template - $build_login = $buildsystem::iurt::user::login + $build_login = $buildsystem::var::iurt::login - file { "/etc/iurt/build/$distribution.conf": + $build_timeout = { + 'default' => 36000, + 'atlas' => 57600, + 'blender' => 57600, + 'chromium-browser-stable' => 172800, + 'clang' => 172800, + 'cross-gcc' => 115200, + 'gcc' => 115200, + 'itk' => 115200, + 'java-1.8.0-openjdk' => 172800, + 'java-17-openjdk' => 172800, + 'java-21-openjdk' => 172800, + 'java-latest-openjdk' => 172800, + 'kernel' => 115200, + 'libreoffice' => 432000, + 'llvm' => 115200, + 'llvm17-suite' => 115200, + 'llvm19-suite' => 115200, + 'openfoam' => 115200, + 'paraview' => 115200, + 'qgis' => 57600, + 'qtwebengine5' => 115200, + 'qtwebengine6' => 172800, + 'rust' => 180000, + 'salome' => 57600, + 'vtk' => 57600, + 'webkit' => 57600, + 'webkit2' => 115200, + 'wrapitk' => 115200, + 'rocm-llvm' => 70000, + } + + $allow_network_access = [ + 'libguestfs', # Needs access to the configured mirrors + ] + + file { "/etc/iurt/build/${distribution}.conf": owner => $build_login, group => $build_login, - content => template("buildsystem/iurt/$distribution.conf") + content => template("buildsystem/iurt.conf") } } diff --git a/modules/buildsystem/manifests/iurt/packages.pp b/modules/buildsystem/manifests/iurt/packages.pp index 448b4a89..e814b7c2 100644 --- a/modules/buildsystem/manifests/iurt/packages.pp +++ b/modules/buildsystem/manifests/iurt/packages.pp @@ -1,3 +1,3 @@ class buildsystem::iurt::packages { package { 'iurt': } -} +} diff --git a/modules/buildsystem/manifests/iurt/upload.pp b/modules/buildsystem/manifests/iurt/upload.pp index 8c9026c0..5417d36e 100644 --- a/modules/buildsystem/manifests/iurt/upload.pp +++ b/modules/buildsystem/manifests/iurt/upload.pp 
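Review bot: `$build_timeout` and `$allow_network_access` are literal tables inside `define buildsystem::iurt::config`, which iurt.pp instantiates once per key of the distros hash, so the same data is re-declared for every distribution and cannot differ between them; the define already includes `buildsystem::var::iurt`, which is the natural home for both as class parameters, with the define reading `$buildsystem::var::iurt::build_timeout`. Since `$allow_network_access` grants a build-time network exception, each entry deserves the kind of justification the `libguestfs` line has, and the template consuming it should be named, e.g. `# packages allowed to reach the network while building; consumed by buildsystem/iurt.conf`.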
@@ -1,8 +1,7 @@ class buildsystem::iurt::upload { - $login = $buildsystem::iurt::user::login - $homedir = $buildsystem::iurt::user::homedir - $sched_login = $buildsystem::scheduler::login - + include buildsystem::var::iurt + include buildsystem::var::webstatus + include buildsystem::var::repository file { '/etc/iurt/upload.conf': require => File['/etc/iurt'], content => template('buildsystem/upload.conf'), diff --git a/modules/buildsystem/manifests/iurt/user.pp b/modules/buildsystem/manifests/iurt/user.pp index b169ee2d..a93ac7e7 100644 --- a/modules/buildsystem/manifests/iurt/user.pp +++ b/modules/buildsystem/manifests/iurt/user.pp @@ -1,10 +1,8 @@ class buildsystem::iurt::user { - $login = 'iurt' - $homedir = "/home/$login" + include buildsystem::var::iurt - buildsystem::sshuser { $login: - homedir => $homedir, - comment => 'System user used to run build bots', + buildsystem::sshuser { $buildsystem::var::iurt::login: + homedir => $buildsystem::var::iurt::homedir, } file { '/etc/iurt': diff --git a/modules/buildsystem/manifests/mainnode.pp b/modules/buildsystem/manifests/mainnode.pp index 45dff1dd..01de764f 100644 --- a/modules/buildsystem/manifests/mainnode.pp +++ b/modules/buildsystem/manifests/mainnode.pp @@ -1,5 +1,7 @@ class buildsystem::mainnode { - include buildsystem::base + include buildsystem::var::repository + include buildsystem::var::scheduler + include buildsystem::var::distros include buildsystem::iurt::user include buildsystem::scheduler include buildsystem::gatherer 
@@ -7,27 +9,15 @@ class buildsystem::mainnode { include buildsystem::signbot include buildsystem::youri_submit include buildsystem::sshkeys + include buildsystem::distros - $sched_login = $buildsystem::scheduler::var::login - $sched_home_dir = $buildsystem::scheduler::var::homedir - - $build_login = $buildsystem::iurt::user::login - - ssh::auth::client { $sched_login: } - - ssh::auth::server { [$sched_login, $build_login]: } - - $mirror_root = '/distrib/mirror' - apache::vhost::other_app { "repository.$::domain": - vhost_file => 'buildsystem/vhost_repository.conf', - } - - buildsystem::media_cfg { "cauldron i586": - distro => 'cauldron', - arch => 'i586', + sshkeys::set_client_key_pair { $buildsystem::var::scheduler::login: + home => $buildsystem::var::scheduler::homedir, + user => $buildsystem::var::scheduler::login, } - buildsystem::media_cfg { "cauldron x86_64": - distro => 'cauldron', - arch => 'x86_64', + sshkeys::set_authorized_keys { 'scheduler-allow-scheduler': + keyname => $buildsystem::var::scheduler::login, + home => $buildsystem::var::scheduler::homedir, + user => $buildsystem::var::scheduler::login, } } diff --git a/modules/buildsystem/manifests/maintdb.pp b/modules/buildsystem/manifests/maintdb.pp index 02782271..5a961b63 100644 --- a/modules/buildsystem/manifests/maintdb.pp +++ b/modules/buildsystem/manifests/maintdb.pp 
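Review bot: The removed `ssh::auth::server { [$sched_login, $build_login]: }` also authorised a key for the iurt account (`$build_login`) on the main node; the new hunk only authorises the scheduler's key for the scheduler itself via `sshkeys::set_authorized_keys { 'scheduler-allow-scheduler': ... }`, and the sshkeys.pp hunk below no longer creates an iurt key at all. If nothing SSHes into iurt on the main node any more, that is a welcome reduction of trusted keys, but the class still includes `buildsystem::iurt::user`, so a comment saying that iurt on the main node is local-only would remove the ambiguity.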
@@ -1,31 +1,27 @@ class buildsystem::maintdb { + include buildsystem::var::maintdb + include buildsystem::var::groups + include buildsystem::var::webstatus include sudo - $login = 'maintdb' - $homedir = '/var/lib/maintdb' - $dbdir = "$homedir/db" - $binpath = '/usr/local/sbin/maintdb' - $dump = '/var/www/bs/data/maintdb.txt' - $unmaintained = '/var/www/bs/data/unmaintained.txt' - user { $login: - comment => 'Maintainers database', - home => $homedir, + user { $buildsystem::var::maintdb::login: + home => $buildsystem::var::maintdb::homedir, } - file { [$homedir,$dbdir]: + file { [$buildsystem::var::maintdb::homedir,$buildsystem::var::maintdb::dbdir]: ensure => directory, - owner => $login, - group => $login, + owner => $buildsystem::var::maintdb::login, + group => $buildsystem::var::maintdb::login, mode => '0711', - require => User[$login], + require => User[$buildsystem::var::maintdb::login], } - file { $binpath: + file { $buildsystem::var::maintdb::binpath: mode => '0755', content => template('buildsystem/maintdb/maintdb.bin') } - mga-common::local_script { 'wrapper.maintdb': + mga_common::local_script { 'wrapper.maintdb': content => template('buildsystem/maintdb/wrapper.maintdb') } 
@@ -33,22 +29,30 @@ class buildsystem::maintdb { content => template('buildsystem/maintdb/sudoers.maintdb') } - file { [$dump,"$dump.new", - $unmaintained,"$unmaintained.new"]: - owner => $login, -# TODO uncomment once the situation with pkgsubmit module is cleared ( ie, maintdb depend on it ) -# require => File['/var/www/bs/data'], + file { [$buildsystem::var::maintdb::dump, + "${buildsystem::var::maintdb::dump}.new", + $buildsystem::var::maintdb::unmaintained, + "${buildsystem::var::maintdb::unmaintained}.new"]: + owner => $buildsystem::var::maintdb::login, + require => File["${buildsystem::var::webstatus::location}/data"], } cron { 'update maintdb export': - user => $login, - command => "$binpath root get > $dump.new; cp -f $dump.new $dump; grep ' nobody\$' $dump | sed 's/ nobody\$//' > $unmaintained.new; cp -f $unmaintained.new $unmaintained", + user => $buildsystem::var::maintdb::login, + command => "${buildsystem::var::maintdb::binpath} root get > ${buildsystem::var::maintdb::dump}.new; cp -f ${buildsystem::var::maintdb::dump}.new ${buildsystem::var::maintdb::dump}; grep ' nobody\$' ${buildsystem::var::maintdb::dump} | sed 's/ nobody\$//' > ${buildsystem::var::maintdb::unmaintained}.new; cp -f ${buildsystem::var::maintdb::unmaintained}.new ${buildsystem::var::maintdb::unmaintained}", minute => '*/30', - require => User[$login], + require => User[$buildsystem::var::maintdb::login], } - apache::vhost::base { "maintdb.$::domain": - location => $dbdir, + apache::vhost::base { $buildsystem::var::maintdb::hostname: + location => $buildsystem::var::maintdb::dbdir, + content => template('buildsystem/maintdb/vhost_maintdb.conf'), + } + + apache::vhost::base { "ssl_${buildsystem::var::maintdb::hostname}": + use_ssl => true, + vhost => $buildsystem::var::maintdb::hostname, + location => $buildsystem::var::maintdb::dbdir, content => template('buildsystem/maintdb/vhost_maintdb.conf'), } } 
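Review bot: The rewritten `command =>` of `cron { 'update maintdb export': ... }` still publishes with `cp -f ${...dump}.new ${...dump}`, which truncates and rewrites the target in place, so an HTTP client fetching the dump under `${buildsystem::var::webstatus::location}/data` at that moment can receive a partial file; `mv -f` onto the target is atomic on the same filesystem and is what a `.new` staging file is for. The one-line pipeline has also grown to several hundred characters of fully-qualified variables; moving it into a small script template, as `maintdb.bin` already is, would keep the cron entry readable.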
diff --git a/modules/buildsystem/manifests/media_cfg.pp b/modules/buildsystem/manifests/media_cfg.pp index c6de0d35..77fcc8fd 100644 --- a/modules/buildsystem/manifests/media_cfg.pp +++ b/modules/buildsystem/manifests/media_cfg.pp @@ -1,10 +1,11 @@ -define buildsystem::media_cfg($distro, $arch, $templatefile = 'buildsystem/media.cfg') { - include buildsystem::scheduler::var +define buildsystem::media_cfg($distro_name, $arch, $templatefile = 'buildsystem/media.cfg') { + include buildsystem::var::repository + include buildsystem::var::scheduler include buildsystem::repository - - file { "${buildsystem::repository::dir}/distrib/${distro}/${arch}/media/media_info/media.cfg": - owner => $buildsystem::base::sched_login, - group => $buildsystem::base::sched_login, - content => template($templatefile), + + file { "${buildsystem::var::repository::bootstrap_reporoot}/${distro_name}/${arch}/media/media_info/media.cfg": + owner => $buildsystem::var::scheduler::login, + group => $buildsystem::var::scheduler::login, + content => template($templatefile), } } diff --git a/modules/buildsystem/manifests/mgarepo.pp b/modules/buildsystem/manifests/mgarepo.pp index 70b71202..14e11e1a 100644 --- a/modules/buildsystem/manifests/mgarepo.pp +++ b/modules/buildsystem/manifests/mgarepo.pp 
@@ -1,72 +1,36 @@ class buildsystem::mgarepo { - include buildsystem::scheduler::var - $sched_login = $buildsystem::scheduler::var::login - $sched_home_dir = $buildsystem::scheduler::var::homedir + include buildsystem::var::scheduler + include buildsystem::var::distros + include buildsystem::var::groups + include buildsystem::var::binrepo + include buildsystem::create_upload_dir + $sched_login = $buildsystem::var::scheduler::login + $sched_home_dir = $buildsystem::var::scheduler::homedir package { ['mgarepo','rpm-build']: } - file { - '/etc/mgarepo.conf': content => template('buildsystem/mgarepo.conf'); - '/etc/repsys.conf': content => template('buildsystem/mgarepo.conf'); + file { '/etc/mgarepo.conf': + content => template('buildsystem/mgarepo.conf'), } - file { "$sched_home_dir/repsys": + file { "${sched_home_dir}/repsys": ensure => 'directory', owner => $sched_login, require => File[$sched_home_dir], } - file { ["$sched_home_dir/repsys/tmp", "$sched_home_dir/repsys/srpms"]: + file { ["${sched_home_dir}/repsys/tmp", "${sched_home_dir}/repsys/srpms"]: ensure => 'directory', owner => $sched_login, - group => $buildsystem::base::packagers_group, + group => $buildsystem::var::groups::packagers, mode => '1775', - require => File["$sched_home_dir/repsys"], + require => File["${sched_home_dir}/repsys"], } - # FIXME: disabled temporarly as upload dir is a symlink to /var/lib/repsys/uploads - #file { "$sched_home_dir/uploads": + # FIXME: disabled temporarily as upload dir is a symlink to /var/lib/repsys/uploads + #file { "${sched_home_dir}/uploads": # ensure => "directory", # owner => $sched_login, # require => File[$sched_home_dir], #} - - #FIXME This config information should be moved out of this class - $releases = { - 'cauldron' => { - 'core' => ['release','updates_testing','backports_testing','backports','updates'], - 'nonfree' => ['release','updates_testing','backports_testing','backports','updates'], - 'tainted' => 
['release','updates_testing','backports_testing','backports','updates'], - }, - '1' => { - 'core' => ['release','updates_testing','backports_testing','backports','updates'], - 'nonfree' => ['release','updates_testing','backports_testing','backports','updates'], - 'tainted' => ['release','updates_testing','backports_testing','backports','updates'], - }, - '2' => { - 'core' => ['release','updates_testing','backports_testing','backports','updates'], - 'nonfree' => ['release','updates_testing','backports_testing','backports','updates'], - 'tainted' => ['release','updates_testing','backports_testing','backports','updates'], - }, - 'infra_1' => { - 'infra' => ['release'] - }, - 'infra_2' => { - 'infra' => ['release'] - }, - } - - import 'create_upload_dir.rb' - create_upload_dir { "$sched_home_dir/uploads": - owner => $sched_login, - group => $sched_login, - releases => $releases, - } - - tidy { "$sched_home_dir/uploads": - type => 'ctime', - recurse => true, - age => '2w', - } - } diff --git a/modules/buildsystem/manifests/pkgsubmit.pp b/modules/buildsystem/manifests/pkgsubmit.pp deleted file mode 100644 index ba575cd2..00000000 --- a/modules/buildsystem/manifests/pkgsubmit.pp +++ /dev/null @@ -1,19 +0,0 @@ -class buildsystem::pkgsubmit { - include buildsystem::scheduler::var - $sched_home_dir = $buildsystem::scheduler::var::homedir - - $location = '/var/www/bs' - file { [$location,"$location/data"]: - ensure => directory, - } - - apache::vhost::base { "pkgsubmit.$::domain": - aliases => { '/uploads' => "$sched_home_dir/uploads" }, - location => $location, - content => template('buildsystem/vhost_pkgsubmit.conf'), - } - - subversion::snapshot { $location: - source => "svn://svn.$::domain/soft/buildsystem/web/", - } -} diff --git a/modules/buildsystem/manifests/release.pp b/modules/buildsystem/manifests/release.pp index 1682d71b..d9feac8e 100644 --- a/modules/buildsystem/manifests/release.pp +++ b/modules/buildsystem/manifests/release.pp 
@@ -1,7 +1,5 @@ class buildsystem::release { - subversion::snapshot { '/root/release': - source => "svn://svn.$::domain/soft/release/trunk/", + git::snapshot { '/root/release': + source => "git://git.${::domain}/software/infrastructure/release", } - - package { 'hardlink': } } diff --git a/modules/buildsystem/manifests/repoctl.pp b/modules/buildsystem/manifests/repoctl.pp index 024a4a09..8d44e52c 100644 --- a/modules/buildsystem/manifests/repoctl.pp +++ b/modules/buildsystem/manifests/repoctl.pp @@ -1,16 +1,11 @@ class buildsystem::repoctl { - include buildsystem::config + include buildsystem::var::distros + include buildsystem::var::repository - $distroreleases = [$buildsystem::config::dev_distros, - $buildsystem::config::stable_distros] - $distrosections = $buildsystem::config::distrosections - $sectionsrepos = $buildsystem::config::sectionsrepos - $arches = $buildsystem::config::architectures + package{ 'repoctl': } - package{ 'repoctl': } - - file { '/etc/repoctl.conf': - content => template('buildsystem/repoctl.conf'), - require => Package['repoctl'], - } + file { '/etc/repoctl.conf': + content => template('buildsystem/repoctl.conf'), + require => Package['repoctl'], + } } diff --git a/modules/buildsystem/manifests/repository.pp b/modules/buildsystem/manifests/repository.pp index 19e69eff..dda90eb2 100644 --- a/modules/buildsystem/manifests/repository.pp +++ b/modules/buildsystem/manifests/repository.pp @@ -1,6 +1,11 @@ class buildsystem::repository { - $dir = '/distrib/bootstrap' - file { $dir: + include buildsystem::var::repository + file { [ $buildsystem::var::repository::bootstrap_root, + $buildsystem::var::repository::bootstrap_reporoot ] : ensure => directory, - } + } + + apache::vhost::other_app { $buildsystem::var::repository::hostname: + vhost_file => 'buildsystem/vhost_repository.conf', + } } diff --git a/modules/buildsystem/manifests/scheduler.pp b/modules/buildsystem/manifests/scheduler.pp index 6facc8e9..53b248fc 100644 
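Review bot: `source => "git://git.${::domain}/software/infrastructure/release"` fetches the snapshot over the unauthenticated git protocol, so whatever lands in `/root/release` — a root-owned checkout — is only as trustworthy as the network path to that host; the svn:// URL it replaces had the same weakness, but this is the moment to switch to `https://` or an ssh URL so the transport authenticates the server. If `git::snapshot` pins a commit or verifies tag signatures that would mitigate it, but nothing in this hunk shows that.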
--- a/modules/buildsystem/manifests/scheduler.pp
+++ b/modules/buildsystem/manifests/scheduler.pp
@@ -1,28 +1,57 @@ class buildsystem::scheduler { - # until ulri is splitted from main iurt rpm - include ssh::auth + # until ulri is split from main iurt rpm include buildsystem::iurt::packages include buildsystem::iurt::upload - include buildsystem::scheduler::var + include buildsystem::var::scheduler - $login = $buildsystem::scheduler::var::login - $homedir = $buildsystem::scheduler::var::homedir - $logdir = $buildsystem::scheduler::var::logdir + $login = $buildsystem::var::scheduler::login + $homedir = $buildsystem::var::scheduler::homedir + $logdir = $buildsystem::var::scheduler::logdir buildsystem::sshuser { $login: homedir => $homedir, - comment => 'System user used to schedule builds', } - file { $logdir: - ensure => directory, - mode => 0755, - owner => $login, - } + file { $logdir: + ensure => directory, + mode => '0755', + owner => $login, + } + + cron { 'dispatch jobs': + user => $login, + command => "EMI_LOG_FILE=${logdir}/emi.log ULRI_LOG_FILE=${logdir}/ulri.log ulri; EMI_LOG_FILE=${logdir}/emi.log emi", + minute => '*', + } - cron { 'dispatch jobs': - user => $login, - command => "ULRI_LOG_FILE=$logdir/ulri.log ulri; EMI_LOG_FILE=$logdir/emi.log emi", - minute => '*', - } + if ($buildsystem::var::scheduler::clean_uploads_logs_age != 0) { + cron { 'clean uploads logs': + user => $login, + # Delete old upload logs + command => sprintf("/usr/bin/find %s/uploads -ignore_readdir_race -xdev -depth -type f -ctime +%d -delete", shellquote($homedir), shellquote($buildsystem::var::scheduler::clean_uploads_logs_age)), + hour => '*/4', + minute => '51', + } + cron { 'clean uploads dirs': + user => $login, + # Remove old empty uploads directories. This will take several + # passes (over several weeks) to delete a directory hierarchy + # because it is looking at ctime instead of mtime, which resets + # every time a file/directory underneath it is deleted. + # Directories don't take much space, so this shouldn't be a + # real issue. 
+ command => sprintf("/usr/bin/find %s/uploads -ignore_readdir_race -mindepth 5 -xdev -depth -type d -ctime +%d -empty -delete", shellquote($homedir), shellquote($buildsystem::var::scheduler::clean_uploads_logs_age)), + hour => '*/4', + minute => '53', + } + } + if ($buildsystem::var::scheduler::clean_uploads_packages_age != 0) { + cron { 'clean uploads packages': + user => $login, + # Delete old upload RPMs + command => sprintf("/usr/bin/find %s/uploads -ignore_readdir_race -xdev -depth -type f -name '*.rpm' -ctime +%d -delete", shellquote($homedir), shellquote($buildsystem::var::scheduler::clean_uploads_packages_age)), + hour => '*/4', + minute => '52', + } + } } diff --git a/modules/buildsystem/manifests/scheduler/var.pp b/modules/buildsystem/manifests/scheduler/var.pp deleted file mode 100644 index e89ef634..00000000 --- a/modules/buildsystem/manifests/scheduler/var.pp +++ /dev/null @@ -1,5 +0,0 @@ -class buildsystem::scheduler::var { - $login = 'schedbot' - $homedir = "/var/lib/$login" - $logdir = "/var/log/$login" -} diff --git a/modules/buildsystem/manifests/signbot.pp b/modules/buildsystem/manifests/signbot.pp index 5e5db5d9..60c7c318 100644 --- a/modules/buildsystem/manifests/signbot.pp +++ b/modules/buildsystem/manifests/signbot.pp 
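Review bot: In the three new `cron { 'clean uploads ...' }` commands the `-ctime +%d` argument is passed through `shellquote(...)` and then formatted with `%d`; `shellquote` returns a string and would wrap anything but shell-safe characters in single quotes, which `%d` then rejects, so the call only works because the age is a bare integer and the quoting is a no-op. Drop `shellquote` on those arguments and keep it for the `%s` path, e.g. `sprintf("/usr/bin/find %s/uploads -ignore_readdir_race -xdev -depth -type f -ctime +%d -delete", shellquote($homedir), $buildsystem::var::scheduler::clean_uploads_logs_age)`. The enclosing class ends within this hunk, so no other cleanup is being dropped here.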
@@ -1,38 +1,31 @@ class buildsystem::signbot { - include buildsystem::scheduler::var - $login = 'signbot' - $home_dir = "/var/lib/$login" - $sign_keydir = "$home_dir/keys" - # FIXME: maybe keyid should be defined at an other place - $keyid = '80420F66' - $sched_login = $buildsystem::scheduler::var::login + include buildsystem::var::scheduler + include buildsystem::var::signbot + $sched_login = $buildsystem::var::scheduler::login - sshuser { $login: - homedir => $home_dir, - comment => 'System user used to sign packages', + sshuser { $buildsystem::var::signbot::login: + homedir => $buildsystem::var::signbot::home_dir, groups => [$sched_login], } gnupg::keys{ 'packages': - email => "packages@$::domain", - #FIXME there should be a variable somewhere to change - # the name of the distribution - key_name => 'Mageia Packages', - login => $login, - batchdir => "$home_dir/batches", - keydir => $sign_keydir, + email => $buildsystem::var::signbot::keyemail, + key_name => $buildsystem::var::signbot::keyname, + login => $buildsystem::var::signbot::login, + batchdir => "${buildsystem::var::signbot::home_dir}/batches", + keydir => $buildsystem::var::signbot::sign_keydir, } sudo::sudoers_config { 'signpackage': content => template('buildsystem/signbot/sudoers.signpackage') } - file { "$home_dir/.rpmmacros": - content => template('buildsystem/signbot/signbot-rpmmacros') + file { "${home_dir}/.rpmmacros": + source => 'puppet:///modules/buildsystem/signbot/signbot-rpmmacros', } - mga-common::local_script { - 'sign-check-package': content => template('buildsystem/signbot/sign-check-package'); - 'mga-signpackage': content => template('buildsystem/signbot/mga-signpackage'); + mga_common::local_script { + 'sign-check-package': source => 'puppet:///modules/buildsystem/signbot/sign-check-package'; + 'mga-signpackage': source => 'puppet:///modules/buildsystem/signbot/mga-signpackage'; } } 
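Review bot: `file { "${home_dir}/.rpmmacros":` still interpolates the local `$home_dir`, but this hunk removes the `$home_dir = "/var/lib/$login"` assignment and reads the value from `$buildsystem::var::signbot::home_dir` everywhere else, so the title now resolves to `/.rpmmacros` (with an unknown-variable warning, or a compile error under strict variables) and the signing macros never reach the signbot home. Change it to `file { "${buildsystem::var::signbot::home_dir}/.rpmmacros":`. While here, the bare `sshuser { ... }` should be `buildsystem::sshuser { ... }` like the other callers in this module.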
diff --git a/modules/buildsystem/manifests/sshkeys.pp b/modules/buildsystem/manifests/sshkeys.pp index bea2959f..5a1b2900 100644 --- a/modules/buildsystem/manifests/sshkeys.pp +++ b/modules/buildsystem/manifests/sshkeys.pp @@ -1,13 +1,5 @@ class buildsystem::sshkeys { - include ssh::auth - include buildsystem::scheduler::var - include buildsystem::iurt::user + include buildsystem::var::scheduler - ssh::auth::key { $buildsystem::scheduler::var::login: - home => $buildsystem::scheduler::var::homedir, - } - - ssh::auth::key { $buildsystem::iurt::user::login: - home => $buildsystem::iurt::user::homedir - } + sshkeys::create_key { $buildsystem::var::scheduler::login: } } diff --git a/modules/buildsystem/manifests/sshuser.pp b/modules/buildsystem/manifests/sshuser.pp index 0a1cd176..5cad97ad 100644 --- a/modules/buildsystem/manifests/sshuser.pp +++ b/modules/buildsystem/manifests/sshuser.pp @@ -1,5 +1,5 @@ # $groups: array of secondary groups (only local groups, no ldap) -define buildsystem::sshuser($homedir, $comment, $groups = []) { +define buildsystem::sshuser($homedir, $comment = undef, $groups = []) { group { $name: } user { $name: @@ -9,13 +9,13 @@ define buildsystem::sshuser($homedir, $comment, $groups = []) { gid => $name, groups => $groups, shell => '/bin/bash', - notify => Exec["unlock $name"], + notify => Exec["unlock ${name}"], require => Group[$title], } # set password to * to unlock the account but forbid login through login - exec { "unlock $name": - command => "usermod -p '*' $name", + exec { "unlock ${name}": + command => "usermod -p '*' ${name}", refreshonly => true, } @@ -26,7 +26,7 @@ define buildsystem::sshuser($homedir, $comment, $groups = []) { require => User[$name], } - file { "$homedir/.ssh": + file { "${homedir}/.ssh": ensure => directory, mode => '0600', owner => $name, diff --git a/modules/buildsystem/manifests/var/binrepo.pp b/modules/buildsystem/manifests/var/binrepo.pp new file mode 100644 index 00000000..1431ed25 --- /dev/null 
+++ b/modules/buildsystem/manifests/var/binrepo.pp
@@ -0,0 +1,15 @@
+# $uploadmail_from:
+# from who will be sent the binrepo upload email notifications
+# $uploadmail_to:
+# where binrepo email notifications are sent
+class buildsystem::var::binrepo(
+ $hostname = "binrepo.${::domain}",
+ $login = 'binrepo',
+ $homedir = '/var/lib/binrepo',
+ $uploadmail_from,
+ $uploadmail_to
+) {
+ $repodir = "${homedir}/data"
+ $uploadinfosdir = "${homedir}/infos"
+ $uploadbinpath = '/usr/local/bin/upload-bin'
+}
diff --git a/modules/buildsystem/manifests/var/distros.pp b/modules/buildsystem/manifests/var/distros.pp
new file mode 100644
index 00000000..9e45e2c2
--- /dev/null
+++ b/modules/buildsystem/manifests/var/distros.pp
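Review bot: `$uploadmail_from` and `$uploadmail_to`, the two mandatory parameters of `class buildsystem::var::binrepo`, are listed after the defaulted `$hostname`/`$login`/`$homedir`; puppet-lint's parameter_order check expects required parameters first, and readers scan the list top-down for what they must supply. The header comment documents only the mail parameters — one line each for `$hostname`, `$login` and `$homedir`, plus the derived `$repodir`/`$uploadinfosdir`/`$uploadbinpath`, would make the class self-describing in the way var/distros.pp is.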
@@ -0,0 +1,126 @@ +# $default_distro: +# the name of the default distribution +# $repo_allow_from_ips: +# $repo_allow_from_domains: +# list of IP or domains allowed to access the repository. If you don't want to +# filter allowed IPs, don't those values. +# $distros: +# a hash variable containing distributions information indexed by +# distribution name. Each distribution is itself an hash containing +# the following infos: +# { +# # the 'cauldron' distribution +# 'cauldron' => { +# # list of arch supported by 'cauldron' +# 'arch' => [ 'i586', 'x86_64' ], +# # Set this if you don't want media.cfg to be generated +# 'no_media_cfg_update' => true, +# 'medias' => { +# # the 'core' media +# 'core' => { +# 'repos' => { +# # the 'release' repo in the 'core' media +# 'release' => { +# 'media_type' => [ 'release' ], +# 'noauto' => '1', +# # the 'release' repo should be listed first in media.cfg +# 'order' => 0, +# }, +# # the 'updates' repo +# 'updates' => { +# 'media_type' => [ 'updates' ], +# 'noauto' => '1', +# # the 'updates' repo requires the 'release' repo +# 'requires' => [ 'release' ], +# # the 'updates' repo should be listed after 'release' in media.cfg +# 'order' => 1, +# }, +# }, +# # media_type for media.cfg +# 'media_type' => [ 'official', 'free' ], +# # if noauto is set to '1' either in medias or repos, +# # the option will be added to media.cfg +# 'noauto' => '1', +# # list 'core' first in media.cfg +# 'order' => 0, +# }, +# # the 'non-free' media +# 'non-free' => { +# 'repos' => { +# ... +# }, +# 'media_type' => [ 'official', 'non-free' ], +# # the 'non-free' media requires the 'core' media +# 'requires' => [ 'core' ], +# # list 'non-free' second +# 'order' => 1, +# } +# }, +# # the list of media used by iurt to build the chroots +# 'base_medias' => [ 'core/release' ], +# # optionally, a media.cfg template file can be specified, if +# # the default one should not be used +# 'tmpl_media.cfg' => 'buildsystem/something', +# # branch is Devel or Official. 
Used in media.cfg. +# 'branch' => 'Devel', +# # Version of the distribution +# 'version' => '3', +# # SVN Urls allowed to submit +# 'submit_allowed' => 'svn://svn.something/svn/packages/cauldron', +# # rpm macros to set when build source package +# 'macros' => { +# 'distsuffix' => '.mga', +# 'distribution' => 'Mageia', +# 'vendor' => 'Mageia.Org', +# }, +# # set this if the distro is not mirrored. This is used to add +# # an Alias in the vhost. +# 'no_mirror' => true, +# Optionally, the distribution can be based on the repos from an other +# distribution. In this example we're saying that the distribution is +# based on 2/core/release and 2/core/updates. +# 'based_on' => { +# '2' => { +# 'core' => [ 'release', 'updates' ], +# }, +# }, +# 'youri' => { +# # Configuration for youri-upload +# 'upload' => { +# # list of enabled checks, actions and posts +# 'targets' => { +# 'checks' => [ +# ... +# ], +# 'actions' => [ +# ... +# ], +# 'posts' => [ +# ... +# ], +# }, +# 'checks' => { +# # rpmlint checks options +# 'rpmlint' => { +# 'config' => '/usr/share/rpmlint/config', +# 'path' => ''/usr/bin/rpmlint', +# }, +# }, +# # options for actions +# 'actions' => { +# ... +# }, +# }, +# # Configuration for youri-todo +# 'todo' => { +# ... +# }, +# }, +# }, +# } +class buildsystem::var::distros( + $default_distro, + $repo_allow_from_ips, + $repo_allow_from_domains, + $distros, +) { } diff --git a/modules/buildsystem/manifests/var/groups.pp b/modules/buildsystem/manifests/var/groups.pp new file mode 100644 index 00000000..c0b2c917 --- /dev/null +++ b/modules/buildsystem/manifests/var/groups.pp @@ -0,0 +1,9 @@ +# $packagers: +# name of packagers group, who should be allowed to submit packages +# $packagers_committers: +# name of group of users who are allowed to commit on packages +class buildsystem::var::groups( + $packagers, + $packagers_committers +) { +} 
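Review bot: The header comment says of `$repo_allow_from_ips`/`$repo_allow_from_domains` that "If you don't want to filter allowed IPs, don't those values", but both are declared as required parameters with no default, so a caller cannot leave them unset; either the sentence should read "set those values to an empty list" (if the consuming template tolerates that) or the parameters need a default such as `$repo_allow_from_ips = []` and `$repo_allow_from_domains = []`. Which is right depends on how the repository vhost template, not visible here, treats an empty list, so please check that an empty value really disables filtering rather than denying everyone. The example block also has a stray quote in `'path' => ''/usr/bin/rpmlint',` that would confuse anyone copying it into hiera.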
diff --git a/modules/buildsystem/manifests/var/iurt.pp b/modules/buildsystem/manifests/var/iurt.pp new file mode 100644 index 00000000..fb65a160 --- /dev/null +++ b/modules/buildsystem/manifests/var/iurt.pp @@ -0,0 +1,5 @@ +class buildsystem::var::iurt( + $login = 'iurt', + $homedir = '/home/iurt', + $timeout_multiplier = 1, +) { } diff --git a/modules/buildsystem/manifests/var/maintdb.pp b/modules/buildsystem/manifests/var/maintdb.pp new file mode 100644 index 00000000..e0079e40 --- /dev/null +++ b/modules/buildsystem/manifests/var/maintdb.pp @@ -0,0 +1,11 @@ +class buildsystem::var::maintdb( + $hostname = "maintdb.${::domain}", + $login = 'maintdb', + $homedir = '/var/lib/maintdb' +) { + include buildsystem::var::webstatus + $dbdir = "${homedir}/db" + $binpath = '/usr/local/sbin/maintdb' + $dump = "${buildsystem::var::webstatus::location}/data/maintdb.txt" + $unmaintained = "${buildsystem::var::webstatus::location}/data/unmaintained.txt" +} diff --git a/modules/buildsystem/manifests/var/mgarepo.pp b/modules/buildsystem/manifests/var/mgarepo.pp new file mode 100644 index 00000000..9099c7ee --- /dev/null +++ b/modules/buildsystem/manifests/var/mgarepo.pp @@ -0,0 +1,22 @@ +# $submit_host: +# hostname used to submit packages +# $svn_hostname: +# hostname of the svn server used for packages +# $svn_root_packages: +# svn root url of the svn repository for packages +# $svn_root_packages_ssh: +# svn+ssh root url of the svn repository for packages +# $oldurl: +# svn url where the import logs of the rpm are stored +# $conf: +# $conf{'global'} is a has table of values used in mgarepo.conf in +# the [global] section +class buildsystem::var::mgarepo( + $submit_host, + $svn_hostname, + $svn_root_packages, + $svn_root_packages_ssh, + $oldurl, + $conf +) { +} diff --git a/modules/buildsystem/manifests/var/repository.pp b/modules/buildsystem/manifests/var/repository.pp new file mode 100644 index 00000000..0ea1058c --- /dev/null 
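Review bot: In mgarepo.pp the parameter comment for `$conf` reads "is a has table of values", which should be "is a hash table of values"; the same comment could also say that only the `'global'` key is consumed, since that is what it describes. `$oldurl` is described as the "svn url where the import logs of the rpm are stored", which does not say how it differs from `$svn_root_packages`; one clarifying clause would save the next reader a trip into mgarepo.conf.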
+++ b/modules/buildsystem/manifests/var/repository.pp @@ -0,0 +1,9 @@ +class buildsystem::var::repository( + $hostname = "repository.${::domain}", + $bootstrap_root = '/distrib/bootstrap', + $mirror_root = '/distrib/mirror', + $distribdir = 'distrib' +) { + $bootstrap_reporoot = "${bootstrap_root}/${distribdir}" + $mirror_reporoot = "${mirror_root}/${distribdir}" +} diff --git a/modules/buildsystem/manifests/var/scheduler.pp b/modules/buildsystem/manifests/var/scheduler.pp new file mode 100644 index 00000000..b431594c --- /dev/null +++ b/modules/buildsystem/manifests/var/scheduler.pp @@ -0,0 +1,31 @@ +# $admin_mail: +# the email address from which the build failure notifications +# will be sent +# $pkg_uphost: +# hostname of the server where submitted packages are uploaded +# $build_nodes: +# a hash containing available build nodes indexed by architecture +# $build_nodes_aliases: +# a hash containing build nodes indexed by their alias +# $build_src_node: +# hostname of the server building the initial src.rpm +# $clean_uploads_logs_age: +# old logs are cleaned when they are older than some amount of days. +# You can define this amount of time using this variable. Set it to +# 14 for two weeks, 2 for two days, or 0 if you don't want to +# clean old logs at all +# $clean_uploads_packages_age: +# same as $clean_uploads_logs_age but for old RPMs +class buildsystem::var::scheduler( + $admin_mail = "root@${::domain}", + $pkg_uphost = "pkgsubmit.${::domain}", + $build_nodes, + $build_nodes_aliases = {}, + $build_src_node, + $clean_uploads_logs_age = 14, + $clean_uploads_packages_age = 7 +){ + $login = 'schedbot' + $homedir = "/var/lib/${login}" + $logdir = "/var/log/${login}" +} diff --git a/modules/buildsystem/manifests/var/signbot.pp b/modules/buildsystem/manifests/var/signbot.pp new file mode 100644 index 00000000..7d92a324 --- /dev/null +++ b/modules/buildsystem/manifests/var/signbot.pp 
@@ -0,0 +1,15 @@ +# $keyid: +# the key id of the gnupg key used to sign packages +# $keyemail: +# email address of the key used to sign packages +# $keyname: +# name of the key used to sign packages +class buildsystem::var::signbot( + $keyid, + $keyemail, + $keyname +) { + $login = 'signbot' + $home_dir = "/var/lib/${login}" + $sign_keydir = "${home_dir}/keys" +} diff --git a/modules/buildsystem/manifests/var/webstatus.pp b/modules/buildsystem/manifests/var/webstatus.pp new file mode 100644 index 00000000..21f8d59f --- /dev/null +++ b/modules/buildsystem/manifests/var/webstatus.pp @@ -0,0 +1,25 @@ +# $git_url: +# git url where the sources of webstatus are located +# $hostname: +# vhost name of the webstatus page +# $location: +# path of the directory where the webstatus files are located +# $package_commit_url: +# url to view a commit on a package. %d is replaced by the commit id. +# $max_modified: +# how much history should we display, in days +# $theme_name: +# name of the webstatus theme +# $themes_dir: +# path of the directory where the themes are located. If you want +# to use a theme not included in webstatus, you need to change this. +class buildsystem::var::webstatus( + $git_url = "git://git.${::domain}/web/pkgsubmit", + $hostname = "pkgsubmit.${::domain}", + $location = '/var/www/bs', + $package_commit_url, + $max_modified = '2', + $theme_name = 'mageia', + $themes_dir = '/var/www/bs/themes/' +) { +} diff --git a/modules/buildsystem/manifests/var/youri.pp b/modules/buildsystem/manifests/var/youri.pp new file mode 100644 index 00000000..f20b6c7b --- /dev/null +++ b/modules/buildsystem/manifests/var/youri.pp 
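Review bot: `$git_url` in buildsystem::var::webstatus defaults to `git://git.${::domain}/web/pkgsubmit`, and the webstatus class later in this diff deploys that checkout as the PHP document root of a public vhost; the git:// protocol has no transport authentication or integrity, so anyone able to interpose on the path between the build host and the git server can feed it arbitrary PHP that is then served and executed. Switching the default to `https://git.${::domain}/web/pkgsubmit` (or an ssh URL with a deploy key) costs nothing and removes that exposure; the `git::snapshot` define presumably accepts any URL git understands, but that is not visible here. A short comment on the parameter, `# use an authenticated transport: this code is executed by the webstatus vhost`, would stop the default from being "fixed" back later.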
@@ -0,0 +1,401 @@ +# The youri configuration files are created using information from 3 +# different hash variables : +# - the $youri_conf_default variable defined in this class, containing +# the default configuration for youri. It contains the repository +# configuration, and the definitions of the checks, actions and posts. +# - the $youri_conf parameter passed to this class. The values defined +# in this hash override the values defined in the default configuration. +# - for each distribution defined in the hash variable $distros from +# var::buildsystem::distros the hash defined in index 'youri' contains +# some distro specific options for youri checks, actions or posts. It +# also contains for each distribution the list of active checks, +# actions and posts. +# +# Each of those variables contain the configuration for youri submit-todo +# (in index 'todo') and youri submit-upload (in index 'upload') +# +# +# Parameters : +# $tmpl_youri_upload_conf: +# template file for youri submit-upload.conf +# $tmpl_youri_todo_conf: +# template file for youri submit-todo.conf +# $packages_archivedir: +# the directory where youri will archive old packages when they are +# replaced by a new version +# $youri_conf: +# a hash containing the youri configuration +class buildsystem::var::youri( + $tmpl_youri_upload_conf = 'buildsystem/youri/submit.conf', + $tmpl_youri_todo_conf = 'buildsystem/youri/submit.conf', + $packages_archivedir, + $youri_conf = {} +) { + include buildsystem::var::repository + include buildsystem::var::mgarepo + include buildsystem::var::distros + include buildsystem::var::signbot + include buildsystem::var::scheduler + + $check_tag = { 'class' => 'Youri::Submit::Check::Tag', } + $check_recency = { 'class' => 'Youri::Submit::Check::Recency', } + $check_queue_recency = { 'class' => 'Youri::Submit::Check::Queue_recency', } + $check_host = { + 'class' => 'Youri::Submit::Check::Host', + 'options' => { + 'host_file' => '/etc/youri/host.conf', + }, + } + 
$check_rpmlint = { 'class' => 'Youri::Submit::Check::Rpmlint', } + $check_acl = { + 'class' => 'Youri::Submit::Check::ACL', + 'options' => { + 'acl_file' => '/etc/youri/acl.conf', + }, + } + $check_source = { 'class' => 'Youri::Submit::Check::Source', } + $check_version = { + 'class' => 'Youri::Submit::Check::Version', + 'options' => {}, + } + + $youri_conf_default = { + 'upload' => { + 'repository' => { + 'class' => 'Youri::Repository::Mageia', + 'options' => { + 'install_root' => $buildsystem::var::repository::bootstrap_reporoot, + 'upload_root' => '$home/uploads/', + 'archive_root' => $packages_archivedir, + 'upload_state' => 'queue', + 'queue' => 'queue', + 'noarch' => 'x86_64', + 'svn' => "${buildsystem::var::mgarepo::svn_root_packages_ssh}/${buildsystem::var::distros::default_distro}", + }, + }, + 'checks' => { + 'tag' => $check_tag, + 'recency' => $check_recency, + 'queue_recency' => $check_queue_recency, + 'host' => $check_host, + 'section' => { + 'class' => 'Youri::Submit::Check::Section', + }, + 'rpmlint' => $check_rpmlint, + 'svn' => { + 'class' => 'Youri::Submit::Check::SVN', + }, + 'acl' => $check_acl, + 'history' => { + 'class' => 'Youri::Submit::Check::History', + }, + 'source' => $check_source, + 'precedence' => { + 'class' => 'Youri::Submit::Check::Precedence', + 'options' => { + 'target' => $buildsystem::var::distros::default_distro, + }, + }, + 'version' => $check_version, + }, + 'actions' => { + 'install' => { + 'class' => 'Youri::Submit::Action::Install', + }, + 'markrelease' => { + 'class' => 'Youri::Submit::Action::Markrelease', + }, + 'link' => { + 'class' => 'Youri::Submit::Action::Link', + }, + 'archive' => { + 'class' => 'Youri::Submit::Action::Archive', + }, + 'clean' => { + 'class' => 'Youri::Submit::Action::Clean', + }, + 'sign' => { + 'class' => 'Youri::Submit::Action::Sign', + 'options' => { + 'signuser' => $buildsystem::var::signbot::login, + 'path' => $buildsystem::var::signbot::sign_keydir, + 'name' => 
$buildsystem::var::signbot::keyid, + 'signscript' => '/usr/local/bin/sign-check-package', + }, + }, + 'unpack_gfxboot_theme' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'mageia-gfxboot-theme', + 'source_subdir' => '/usr/share/gfxboot/themes/Mageia/install/', + 'dest_directory' => 'isolinux', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_meta_task' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'meta-task', + 'source_subdir' => '/usr/share/meta-task', + 'dest_directory' => 'media/media_info', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_installer_images' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'drakx-installer-images', + 'source_subdir' => '/usr/lib*/drakx-installer-images', + 'dest_directory' => '.', + 'preclean_directory' => 'install/images/alternatives', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_installer_images_nonfree' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'drakx-installer-images-nonfree', + 'source_subdir' => '/usr/lib*/drakx-installer-images', + 'dest_directory' => '.', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_installer_stage2' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'drakx-installer-stage2', + 'source_subdir' => '/usr/lib*/drakx-installer-stage2', + 'dest_directory' => '.', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_installer_advertising' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'drakx-installer-advertising', + 'source_subdir' => '/usr/share/drakx-installer-advertising', + 'dest_directory' => '.', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_installer_rescue' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'drakx-installer-rescue', + 'source_subdir' => 
'/usr/lib*/drakx-installer-rescue', + 'dest_directory' => 'install/stage2', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_release_notes' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'mageia-release-common', + 'source_subdir' => '/usr/share/doc/mageia-release-common', + 'grep_files' => 'release-notes.*', + 'dest_directory' => '.', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_syslinux' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'syslinux', + 'source_subdir' => '/usr/lib/syslinux/', + 'grep_files' => '\\(hdt\\|ifcpu\\|ldlinux\\|libcom32\\|libgpl\\|libmenu\\|libutil\\).c32', + 'dest_directory' => 'isolinux', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'unpack_pci_usb_ids' => { + 'class' => 'Youri::Submit::Action::Unpack', + 'options' => { + 'name' => 'ldetect-lst', + 'source_subdir' => '/usr/share/', + 'grep_files' => '\\(pci\\|usb\\).ids', + 'dest_directory' => 'isolinux', + 'unpack_inside_distribution_root' => '1', + }, + }, + 'mail' => { + 'class' => 'Youri::Submit::Action::Mail', + 'options' => { + 'mta' => '/usr/sbin/sendmail', + }, + }, + 'maintdb' => { + 'class' => 'Youri::Submit::Action::UpdateMaintDb', + }, + 'rebuild' => { + 'class' => 'Youri::Submit::Action::RebuildPackage', + 'options' => { + 'rules' => { + 'drakx-installer-binaries' => ['drakx-installer-images'], + 'drakx-kbd-mouse-x11' => ['drakx-installer-stage2'], + 'drakx-net' => ['drakx-installer-stage2'], + 'kernel-desktop-latest' => ['drakx-installer-images', 'kmod-virtualbox', 'kmod-xtables-addons'], + 'kernel-desktop586-latest' => ['drakx-installer-images', 'kmod-virtualbox', 'kmod-xtables-addons'], + 'kernel-server-latest' => ['kmod-virtualbox', 'kmod-xtables-addons'], + 'ldetect-lst' => ['drakx-installer-stage2'], + 'meta-task' => ['drakx-installer-stage2'], + 'perl' => ['drakx-installer-stage2'], + 'perl-URPM' => ['drakx-installer-stage2'], + 'rpm' => 
['drakx-installer-stage2'], + 'rpm-mageia-setup' => ['drakx-installer-stage2'], + 'urpmi' => ['drakx-installer-stage2'], + }, + }, + }, + }, + 'posts' => { + 'genhdlist2' => { + 'class' => 'Youri::Submit::Post::Genhdlist2', + 'options' => { + 'command' => '/usr/bin/genhdlist2 --xml-info-filter ".lzma:xz -T4" --synthesis-filter ".cz:xz -7 -T8"', + }, + }, + 'genhdlist2_zstd' => { + 'class' => 'Youri::Submit::Post::Genhdlist2', + 'options' => { + 'command' => '/usr/bin/genhdlist2 --xml-info-filter ".lzma:xz -T4" --synthesis-filter ".cz:zstd -19 -T8"', + }, + }, + 'createrepo_mga6' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => 'createrepo_c --no-database --update --workers=10', + }, + }, + 'createrepo_mga7' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => 'createrepo_c --no-database --update --workers=10 --zck --zck-dict-dir /usr/share/mageia-repo-zdicts/mga7/', + }, + }, + 'createrepo_mga8' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => 'createrepo_c --no-database --update --workers=10 --zck --zck-dict-dir /usr/share/mageia-repo-zdicts/mga7/', + }, + }, + 'createrepo_mga9' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => 'createrepo_c --no-database --update --workers=10 --zck --zck-dict-dir /usr/share/mageia-repo-zdicts/mga7/', + }, + }, + 'createrepo_cauldron' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => 'createrepo_c --no-database --update --workers=10', + }, + }, + 'appstream_mga6' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => '/distrib/appstream/appstream-6-modifyrepo.sh', + }, + }, + 'appstream_mga7' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => '/distrib/appstream/appstream-7-modifyrepo.sh', + }, + }, + 'appstream_mga8' => { + 'class' => 
'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => '/distrib/appstream/appstream-8-modifyrepo.sh', + }, + }, + 'appstream_mga9' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => '/distrib/appstream/appstream-9-modifyrepo.sh', + }, + }, + 'appstream_cauldron' => { + 'class' => 'Youri::Submit::Post::RunOnModifiedMedia', + 'options' => { + 'command' => '/distrib/appstream/appstream-cauldron-modifyrepo.sh', + }, + }, + 'clean_rpmsrate' => { + 'class' => 'Youri::Submit::Post::CleanRpmsrate', + }, + 'mirror' => { + 'class' => 'Youri::Submit::Post::Mirror', + 'options' => { + 'destination' => $buildsystem::var::repository::mirror_reporoot, + }, + }, + }, + }, + 'todo' => { + 'repository' => { + 'class' => 'Youri::Repository::Mageia', + 'options' => { + 'install_root' => $buildsystem::var::repository::bootstrap_reporoot, + 'upload_root' => '$home/uploads/', + 'upload_state' => 'todo done queue', + 'queue' => 'todo', + 'noarch' => 'x86_64', + 'svn' => "${buildsystem::var::mgarepo::svn_root_packages_ssh}/${buildsystem::var::distros::default_distro}", + }, + }, + 'checks' => { + 'tag' => $check_tag, + 'recency' => $check_recency, + 'queue_recency' => $check_queue_recency, + 'host' => $check_host, + 'rpmlint' => $check_rpmlint, + 'acl' => $check_acl, + 'source' => $check_source, + 'version' => $check_version, + 'deps' => { + 'class' => 'Youri::Submit::Check::Deps', + }, + }, + 'actions' => { + 'send' => { + 'class' => 'Youri::Submit::Action::Send', + 'options' => { + 'user' => $buildsystem::var::scheduler::login, + 'keep_svn_release' => 'yes', + 'uphost' => $buildsystem::var::scheduler::pkg_uphost, + 'root' => '$home/uploads', + 'ssh_key' => '$home/.ssh/id_rsa', + }, + }, + 'dependencies' => { + 'class' => 'Youri::Submit::Action::Dependencies', + 'options' => { + 'user' => $buildsystem::var::scheduler::login, + 'uphost' => $buildsystem::var::scheduler::pkg_uphost, + 'root' => '$home/uploads', + 'ssh_key' => 
'$home/.ssh/id_rsa', + }, + }, + 'rpminfo' => { + 'class' => 'Youri::Submit::Action::Rpminfo', + 'options' => { + 'user' => $buildsystem::var::scheduler::login, + 'uphost' => $buildsystem::var::scheduler::pkg_uphost, + 'root' => '$home/uploads', + 'ssh_key' => '$home/.ssh/id_rsa', + }, + }, + 'ulri' => { + 'class' => 'Youri::Submit::Action::Ulri', + 'options' => { + 'user' => $buildsystem::var::scheduler::login, + 'uphost' => $buildsystem::var::scheduler::pkg_uphost, + 'ssh_key' => '$home/.ssh/id_rsa', + }, + }, + }, + 'posts' => { + }, + }, + } +} diff --git a/modules/buildsystem/manifests/webstatus.pp b/modules/buildsystem/manifests/webstatus.pp new file mode 100644 index 00000000..49346dbc --- /dev/null +++ b/modules/buildsystem/manifests/webstatus.pp 
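Review bot: The header comment of buildsystem::var::youri refers to "the hash variable $distros from var::buildsystem::distros", but the class actually included is `buildsystem::var::distros`; the comment should use the real name so readers can find the hash. The `createrepo_mga8` and `createrepo_mga9` posts pass `--zck-dict-dir /usr/share/mageia-repo-zdicts/mga7/`, identical to the mga7 entry, which looks like a copy-paste leftover; if per-release dictionaries exist under `mageia-repo-zdicts/mga8/` and `mga9/` they should be used, and if sharing the mga7 dictionary is deliberate a one-line comment saying so would prevent the next reader from "fixing" it. `$packages_archivedir` is a required parameter declared after the defaulted template parameters; moving it first matches Puppet's usual parameter order.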
@@ -0,0 +1,44 @@ +class buildsystem::webstatus { + include buildsystem::var::webstatus + include buildsystem::var::scheduler + include apache::mod::php + + file { [ $buildsystem::var::webstatus::location, "${buildsystem::var::webstatus::location}/data" ]: + ensure => directory, + } + + $vhost = $buildsystem::var::webstatus::hostname + apache::vhost::base { $vhost: + aliases => { + '/uploads' => "${buildsystem::var::scheduler::homedir}/uploads", + '/autobuild/cauldron/x86_64/core/log/status.core.log' => "${buildsystem::var::webstatus::location}/autobuild/broken.php", + '/themes' => $buildsystem::var::webstatus::themes_dir, + }, + location => $buildsystem::var::webstatus::location, + content => template('buildsystem/vhost_webstatus.conf'), + } + + apache::vhost::base { "ssl_${vhost}": + vhost => $vhost, + use_ssl => true, + aliases => { + '/uploads' => "${buildsystem::var::scheduler::homedir}/uploads", + '/autobuild/cauldron/x86_64/core/log/status.core.log' => "${buildsystem::var::webstatus::location}/autobuild/broken.php", + '/themes' => $buildsystem::var::webstatus::themes_dir, + }, + location => $buildsystem::var::webstatus::location, + content => template('buildsystem/vhost_webstatus.conf'), + } + + git::snapshot { $buildsystem::var::webstatus::location: + source => $buildsystem::var::webstatus::git_url, + } + + file { '/etc/bs-webstatus.conf': + ensure => present, + content => template('buildsystem/bs-webstatus.conf'), + mode => '0644', + owner => root, + group => root, + } +} diff --git a/modules/buildsystem/manifests/youri_submit.pp b/modules/buildsystem/manifests/youri_submit.pp index e5e38fb8..6b4d7dc2 100644 --- a/modules/buildsystem/manifests/youri_submit.pp +++ b/modules/buildsystem/manifests/youri_submit.pp 
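Review bot: Both vhosts alias `/uploads` to `${buildsystem::var::scheduler::homedir}/uploads`, so the scheduler account's upload queue is served from its home directory over plain HTTP as well as HTTPS; whether directory indexes and non-package files are blocked is decided in `buildsystem/vhost_webstatus.conf`, which is not visible here, so please confirm that template sets `Options -Indexes` (or equivalent) for that path and that the plain-HTTP vhost redirects to the SSL one rather than serving the same content. The `aliases` hash is written out twice verbatim; hoisting it into a single `$aliases = { ... }` variable above the two `apache::vhost::base` resources and passing `aliases => $aliases` to both keeps the two vhosts from drifting apart. The `/etc/bs-webstatus.conf` file is world-readable by design (`0644`), which is fine for the values it holds today but worth a comment, since the template embeds the upload directory path and root URL.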
@@ -2,14 +2,10 @@ class buildsystem::youri_submit { include sudo include buildsystem::rpmlint include buildsystem::repository - include buildsystem::scheduler::var + include buildsystem::var::scheduler + include buildsystem::var::youri - $repository_root = $buildsystem::repository::dir - $sched_home_dir = $buildsystem::scheduler::var::homedir - $sched_login = $buildsystem::scheduler::var::login - $packages_archivedir = "$sched_home_dir/old" - - mga-common::local_script { + mga_common::local_script { 'mga-youri-submit': content => template('buildsystem/mga-youri-submit'); 'mga-youri-submit.wrapper': 
@@ -23,34 +19,54 @@ class buildsystem::youri_submit { sudo::sudoers_config { 'mga-youri-submit': content => template('buildsystem/sudoers.youri') } + $release_managers = group_members('mga-release_managers') # ordering is automatic : - # http://docs.puppetlabs.com/learning/ordering.html#autorequire + # https://docs.puppetlabs.com/learning/ordering.html#autorequire file { '/etc/youri/': ensure => 'directory'; - '/etc/youri/submit-todo.conf': - content => template('buildsystem/youri/submit-todo.conf'); - '/etc/youri/submit-upload.conf': - content => template('buildsystem/youri/submit-upload.conf'); '/etc/youri/acl.conf': content => template('buildsystem/youri/acl.conf'); + '/etc/youri/host.conf': + content => template('buildsystem/youri/host.conf'); + } + + buildsystem::youri_submit_conf{ 'upload': + tmpl_file => $buildsystem::var::youri::tmpl_youri_upload_conf, + } + buildsystem::youri_submit_conf{ 'todo': + tmpl_file => $buildsystem::var::youri::tmpl_youri_todo_conf, } - file { $packages_archivedir: + cron { 'Archive orphan packages from cauldron': + command => "/usr/local/bin/mga-clean-distrib --auto -v cauldron -d ${buildsystem::var::youri::packages_archivedir} -l ${buildsystem::var::scheduler::homedir}/tmp/upload", + hour => 5, + minute => 30, + user => $buildsystem::var::scheduler::login, + } + + file { $buildsystem::var::youri::packages_archivedir: ensure => 'directory', - owner => $sched_login, - require => File[$sched_home_dir], + owner => $buildsystem::var::scheduler::login, + require => File[$buildsystem::var::scheduler::homedir], } - tidy { $packages_archivedir: + tidy { $buildsystem::var::youri::packages_archivedir: type => 'ctime', recurse => true, age => '1w', matches => '*.rpm', } - # FIXME use /usr/local/ once it will be in @INC - file { '/usr/lib/perl5/vendor_perl/5.12.3/Youri/Repository/Mageia.pm': + include mga_common::var::perl + file { [ "${mga_common::var::perl::site_perl_dir}/Youri", + 
"${mga_common::var::perl::site_perl_dir}/Youri/Repository"]: + ensure => directory, + mode => '0755', + owner => root, + group => root, + } + file { "${mga_common::var::perl::site_perl_dir}/Youri/Repository/Mageia.pm": source => 'puppet:///modules/buildsystem/Mageia.pm', } diff --git a/modules/buildsystem/manifests/youri_submit_conf.pp b/modules/buildsystem/manifests/youri_submit_conf.pp new file mode 100644 index 00000000..28b911d9 --- /dev/null +++ b/modules/buildsystem/manifests/youri_submit_conf.pp @@ -0,0 +1,6 @@ +define buildsystem::youri_submit_conf($tmpl_file) { + $conf_name = $name + file { "/etc/youri/submit-${conf_name}.conf": + content => template($tmpl_file), + } +} diff --git a/modules/buildsystem/templates/binrepo/sudoers.binrepo b/modules/buildsystem/templates/binrepo/sudoers.binrepo index 405f43a3..c20810cf 100644 --- a/modules/buildsystem/templates/binrepo/sudoers.binrepo +++ b/modules/buildsystem/templates/binrepo/sudoers.binrepo @@ -1 +1 @@ -%<%= packagers_committers_group %> ALL =(<%= login %>) NOPASSWD: <%= uploadbinpath %> +%<%= scope.lookupvar('buildsystem::var::groups::packagers_committers') %> ALL =(<%= scope.lookupvar('buildsystem::var::binrepo::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::binrepo::uploadbinpath') %> diff --git a/modules/buildsystem/templates/binrepo/upload-bin b/modules/buildsystem/templates/binrepo/upload-bin index f90130f3..7cad5838 100755 --- a/modules/buildsystem/templates/binrepo/upload-bin +++ b/modules/buildsystem/templates/binrepo/upload-bin 
@@ -1,11 +1,11 @@ #!/bin/sh set -e -binrepodir=<%= repodir %> -uploadinfosdir=<%= uploadinfosdir %> +binrepodir=<%= scope.lookupvar('buildsystem::var::binrepo::repodir') %> +uploadinfosdir=<%= scope.lookupvar('buildsystem::var::binrepo::uploadinfosdir') %> tmpfile=$(mktemp) -mail_from="<%= uploadmail_from %>" -mail_dest="<%= uploadmail_to %>" +mail_from="<%= scope.lookupvar('buildsystem::var::binrepo::uploadmail_from') %>" +mail_dest="<%= scope.lookupvar('buildsystem::var::binrepo::uploadmail_to') %>" test $# = 2 || exit 3 username="$1" diff --git a/modules/buildsystem/templates/binrepo/vhost_binrepo.conf b/modules/buildsystem/templates/binrepo/vhost_binrepo.conf index ce29accf..f411c07a 100644 --- a/modules/buildsystem/templates/binrepo/vhost_binrepo.conf +++ b/modules/buildsystem/templates/binrepo/vhost_binrepo.conf @@ -1,3 +1,3 @@ -<Directory <%= repodir %>> +<Directory <%= scope.lookupvar('buildsystem::var::binrepo::repodir') %>> Options None </Directory> diff --git a/modules/buildsystem/templates/binrepo/wrapper.upload-bin b/modules/buildsystem/templates/binrepo/wrapper.upload-bin index 48385a47..3def84a0 100644 --- a/modules/buildsystem/templates/binrepo/wrapper.upload-bin +++ b/modules/buildsystem/templates/binrepo/wrapper.upload-bin @@ -1,8 +1,8 @@ #!/bin/sh -binrepouser="<%= login %>" -uploadbinpath="<%= uploadbinpath %>" -packagerscommittersgroup="<%= packagers_committers_group %>" +binrepouser="<%= scope.lookupvar('buildsystem::var::binrepo::login') %>" +uploadbinpath="<%= scope.lookupvar('buildsystem::var::binrepo::uploadbinpath') %>" +packagerscommittersgroup="<%= scope.lookupvar('buildsystem::var::groups::packagers_committers') %>" function isingroup() { diff --git a/modules/buildsystem/templates/bs-webstatus.conf b/modules/buildsystem/templates/bs-webstatus.conf new file mode 100644 index 00000000..9f37a990 --- /dev/null +++ b/modules/buildsystem/templates/bs-webstatus.conf 
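Review bot: `tmpfile=$(mktemp)` is created right before `test $# = 2 || exit 3`, so with `set -e` any early exit or failing command in this script leaves the temporary file behind under /tmp; since upload-bin runs as the binrepo user for every committer through sudo, these files accumulate. Adding `trap 'rm -f "$tmpfile"' EXIT` immediately after the `mktemp` line cleans up on every exit path, unless the remainder of the script (outside this hunk) already removes it on all paths. The templated `mail_from`/`mail_dest` values are pasted inside double quotes, so an address containing `$` or a backquote would be expanded by the shell; they come from Puppet data rather than the caller, so this is a robustness note rather than an injection concern.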
@@ -0,0 +1,32 @@ +<?php + +/** Where is the current app located. */ +$g_webapp_dir = '<%= scope.lookupvar('buildsystem::var::webstatus::location') %>'; + +/** Full system path where packages are uploaded. */ +$upload_dir = '<%= scope.lookupvar('buildsystem::var::scheduler::homedir') %>/uploads'; + +/** How long a history should we keep, in days. */ +$max_modified = <%= scope.lookupvar('buildsystem::var::webstatus::max_modified') %>; + +/** How many nodes are available. */ +$g_nodes_count = 2; + +/** html > body > h1 title */ +$title = 'Build system status'; + +/** Should crawlers index this page or not? meta[robots] tag.*/ +$robots = 'index,nofollow,nosnippet,noarchive'; + +/** */ +$g_root_url = 'https://<%= scope.lookupvar('buildsystem::var::webstatus::hostname') %>/'; + +/** URL to view a package svn revision. %d is replaced by the revision */ +$package_commit_url = '<%= scope.lookupvar('buildsystem::var::webstatus::package_commit_url') %>'; + +/** name of the theme */ +$theme_name = '<%= scope.lookupvar('buildsystem::var::webstatus::theme_name') %>'; + +/** themes directory */ +$themes_dir = '<%= scope.lookupvar('buildsystem::var::webstatus::themes_dir') %>'; + diff --git a/modules/buildsystem/templates/cleaner.rb b/modules/buildsystem/templates/cleaner.rb index 338d66ba..fa0d08ca 100755 --- a/modules/buildsystem/templates/cleaner.rb +++ b/modules/buildsystem/templates/cleaner.rb 
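Review bot: `$g_nodes_count = 2;` is hard-coded even though every other value in this template is looked up from the Puppet var classes and `buildsystem::var::scheduler::build_nodes` already describes the build nodes, so the number will silently go stale when a node is added. If `build_nodes` is a hash of architecture to list of node names, as its comment says, `$g_nodes_count = <%= scope.lookupvar('buildsystem::var::scheduler::build_nodes').values.flatten.uniq.size %>;` derives it; the exact structure is not visible here, so adjust the expression to match. The string values are emitted inside single-quoted PHP literals without escaping, which is fine for the hostnames and paths used today but would break the file if a value ever contained a single quote; `<%= ... .gsub("'", "\\\\'") %>` or a comment noting the constraint would cover that.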
@@ -1,114 +1,235 @@ #!/usr/bin/ruby def usage - puts "Usage: #{$0} [options]" - puts "Moves obsolete packages" - puts - puts "-h, --help show help" - puts "-m, --media <path> path to the binary media" - puts "-s, --src <path> path to the associated src media" - puts "-d, --destination <path> path to the old packages storage" + puts "Usage: #{$0} [options]" + puts "Moves obsolete packages" + puts + puts "-h, --help show this help" + puts "-a, --archs <arch1>,<arch2>,... list of architectures to clean" + puts "-a, --auto do not ask confirmation" + puts "-p, --base <path> base path to the repository" + puts "-m, --media <media1>,<media2>,... list of media to clean (default: core/release,tainted/release,nonfree/release)" + puts "-d, --destination <path> path to the old packages storage" + puts "-v, --version <version> version to clean (default: cauldron)" end require 'fileutils' require 'getoptlong' require 'readline' -opts = GetoptLong.new( - [ '--help', '-h', GetoptLong::NO_ARGUMENT ], - [ '--archs', '-a', GetoptLong::REQUIRED_ARGUMENT ], - [ '--base', '-p', GetoptLong::REQUIRED_ARGUMENT ], - [ '--media', '-m', GetoptLong::REQUIRED_ARGUMENT ], - [ '--bmedia', '-b', GetoptLong::REQUIRED_ARGUMENT ], - [ '--smedia', '-s', GetoptLong::REQUIRED_ARGUMENT ], - [ '--destination', '-d', GetoptLong::REQUIRED_ARGUMENT ], - [ '--version', '-v', GetoptLong::REQUIRED_ARGUMENT ] -) - -base_path = "<%= repository_root %>/distrib" -archs = [ "i586", "x86_64" ] -media = "core/release" -old_path = "<%= packages_archivedir %>" -version = "cauldron" - -opts.each do |opt, arg| - case opt - when '--help' - usage - exit 0 - when '--bmedia' - bin_path = arg.split(",") - when '--smedia' - src_path = arg - when '--destination' - old_path = arg - when '--media' - media = arg - when '--archs' - archs = arg.split(",") - when '--base' - base_path = arg - when '--version' - version = arg - end -end +def process + opts = GetoptLong.new( + [ '--help', '-h', GetoptLong::NO_ARGUMENT ], + [ '--archs', 
'-a', GetoptLong::REQUIRED_ARGUMENT ], + [ '--auto', '-A', GetoptLong::NO_ARGUMENT ], + [ '--base', '-p', GetoptLong::REQUIRED_ARGUMENT ], + [ '--media', '-m', GetoptLong::REQUIRED_ARGUMENT ], + [ '--destination', '-d', GetoptLong::REQUIRED_ARGUMENT ], + [ '--version', '-v', GetoptLong::REQUIRED_ARGUMENT ], + [ '--lockfile', '-l', GetoptLong::REQUIRED_ARGUMENT ], + ) + + base_path = "<%= scope.lookupvar('buildsystem::var::repository::bootstrap_root') %>/distrib" + archs = [ "x86_64", "i686", "aarch64", "armv7hl" ] + medias = ["core/release", "tainted/release", "nonfree/release"] + old_path = "<%= scope.lookupvar('buildsystem::var::youri::packages_archivedir') %>" + version = "cauldron" + auto = false + lockfile = nil + + opts.each do |opt, arg| + case opt + when '--help' + usage + exit 0 + when '--destination' + old_path = arg + when '--media' + medias = arg.split(",") + when '--archs' + archs = arg.split(",") + when '--auto' + auto = true + when '--base' + base_path = arg + when '--version' + version = arg + when '--lockfile' + lockfile = arg + end + end + + take_upload_lock(lockfile) if lockfile -bin_path ||= archs.map{|arch| "#{base_path}/#{version}/#{arch}/media/#{media}" } -src_path ||= "#{base_path}/#{version}/SRPMS/#{media}" -debug_path = bin_path.map{|path| path.sub("/media/", "/media/debug/")} + medias.each{|media| + src_path = "#{base_path}/#{version}/SRPMS/#{media}" -$used_srcs = {} -$srcs = {} + $used_srcs = {} + $old_srcs = {} + $srcs = {} + $srcages = {} + $noarch = {} -# Get a list of all src.rpm + # Get a list of all src.rpm and their build time + `urpmf --synthesis "#{src_path}/media_info/synthesis.hdlist.cz" --qf '%filename:%buildtime:%buildarchs' "."`.each_line{|l| + l2 = l.split(':') + filename = l2[0] + buildtime = l2[1].to_i + buildarch = l2[2].rstrip + name = name_from_filename(filename) + if $srcages[name] then + if buildtime < $srcages[name][1] then + # This src.rpm is older, ignore it and store it in the list to be deleted + 
$old_srcs[filename] = true + next + else + # This src.rpm has an older version, ignore that version and store it in the list to be deleted + old_filename = $srcages[name][0] + $old_srcs[old_filename] = true + $srcs.delete(old_filename) + end + end + $srcages[name] = [ filename, buildtime ] + $srcs[filename] = true + $noarch[name] = true if buildarch == 'noarch' + } + archs.each{|arch| + bin_path = "#{base_path}/#{version}/#{arch}/media/#{media}" + debug_path = bin_path.sub("/media/", "/media/debug/") + old_packages = check_binaries(arch, $srcs, $srcages, src_path, bin_path, $used_srcs) + old_debug_packages = check_binaries(arch, $srcs, {}, src_path, debug_path, nil) + move_packages(bin_path, old_path, old_packages, auto) + move_packages(debug_path, old_path, old_debug_packages, auto) + } + $used_srcs.keys.each{|s| $srcs.delete(s)} -`urpmf --synthesis "#{src_path}/media_info/synthesis.hdlist.cz" --qf '%filename' "."`.each_line{|l| - $srcs[l.rstrip] = true -} + move_packages(src_path, old_path, $srcs.keys + $old_srcs.keys, auto) + } +end + +def take_upload_lock(path) + start_time = Time.new + has_lock = false + at_exit { + if File.exists?(path) + if File.readlines(path)[0].to_i == Process.pid + File.delete(path) + end + end + } + until has_lock + while File.exists?(path) + if Time.new - start_time > 2*3600.0 + puts "Could not acquire upload lock for more than 2h, giving up" + end + sleep(5) + end + File.write(path, Process.pid) + if File.readlines(path)[0].to_i == Process.pid + has_lock = true + end + end +end + +def move_packages(src, dst, list, auto) + list.reject!{|f| !File.exist?(src + "/" + f)} + return if list.empty? + list.each{|b| + puts b + } + puts "The #{list.length} listed packages will be moved from #{src} to #{dst}." + line = Readline::readline('Are you sure [Yn]? 
') unless auto + if auto || line =~ /^y?$/i + list.each{|s| + oldfile = src + "/" + s + newfile = dst + "/" + s + next unless File.exist?(oldfile) + if (File.exist?(newfile)) + File.unlink(oldfile) + else + FileUtils.mv(oldfile, newfile) + end + } + end +end # For each binary media: # - Check if we have the src.rpm (else the binary package is obsolete) +# * If we don't have the src.rpm, check if we have a newer version +# - If there is a new version: +# * check if this architecture has packages from it to avoid deleting armv7hl packages before the new one get rebuilt +# * check if the new version is old enough to allow rebuilding everything (7d?) # - Mark used src.rpm (if one is never marked, the src.rpm is obsolete) -def move_packages(src, dst, list) - list.reject!{|f| !File.exist?(src + "/" + f)} - return if list.empty? - list.each{|b| - puts b - } - puts "The #{list.length} listed packages will be moved from #{src} to #{dst}." - line = Readline::readline('Are you sure [Yn]? ') - if (line =~ /^y?$/i) - list.each{|s| - oldfile = src + "/" + s - newfile = dst + "/" + s - next unless File.exist?(oldfile) - if (File.exist?(newfile)) - File.unlink(oldfile) - else - FileUtils.mv(oldfile, newfile) - end - } - end +def packages(path) + `urpmf --synthesis "#{path}/media_info/synthesis.hdlist.cz" --qf '%sourcerpm:%filename:%buildtime' ":"`.each_line{|l| + l2 = l.split(':') + sourcerpm = l2[0] + filename = l2[1] + buildtime = l2[2].to_i + yield(sourcerpm, filename, buildtime) + } end -def check_binaries(path_list, old_path, mark_used) - path_list.each{|bm| - old_binaries = [] - `urpmf --synthesis "#{bm}/media_info/synthesis.hdlist.cz" --qf '%sourcerpm:%filename' ":"`.each_line{|l| - l2 = l.split(':') - src = l2[0] - filename = l2[1].rstrip - old_binaries << filename unless $srcs[src] - $used_srcs[src] = true if mark_used - } - move_packages(bm, old_path, old_binaries) - } +def name_from_filename(filename) + filename.sub(/-[^-]*-[^-]*$/, '') end -check_binaries(bin_path, 
old_path, true) -check_binaries(debug_path, old_path, false) +def arch_wanted(src, arch) + exclusive_arch = `rpmquery -p #{src} --qf '[%{EXCLUSIVEARCH} ]'`.rstrip + if exclusive_arch != "" then + if !exclusive_arch.split(/ /).include?(arch) then + return false + end + end + exclude_arch = `rpmquery -p #{src} --qf '[%{EXCLUDEARCH} ]'`.rstrip + if exclude_arch != "" then + if exclude_arch.split(/ /).include?(arch) then + return false + end + end + + return true +end -$used_srcs.keys.each{|s| $srcs.delete(s)} +def check_binaries(arch, srcs, srcages, src_path, path, used_srcs) + used_here_srcs = {} + all_versions = {} + packages(path) {|src, filename, buildtime| + used_srcs[src] = true if used_srcs != nil + if filename =~ /noarch.rpm$/ then + # We need to mark the src.rpm present on this arch only for full noarch packages + used_here_srcs[src] = true if $noarch[name_from_filename(src)] + else + used_here_srcs[src] = true + end + name = name_from_filename(filename) + if all_versions[name] then + all_versions[name] << src + else + all_versions[name] = [src] + end + } + old_binaries = [] + packages(path) {|src, filename, buildtime| + if ! srcs[src] then + srcname = name_from_filename(src) + if srcages[srcname] then + # The src.rpm is gone but there is a different version of it + latestsrc = srcages[srcname][0] + # Only delete old binaries after 7d or if there is a new version + name = name_from_filename(filename) + next unless (srcages[srcname][1] < Time.now.to_i - 24*60*60*7 || all_versions[name].include?(latestsrc)) + # Do not delete if the new version of the package hasn't been built for this arch yet + # but still delete it if it is no longer expected to be built. + next unless (used_here_srcs[latestsrc] || !arch_wanted("#{src_path}/#{latestsrc}", arch)) + end + old_binaries << filename + end + } + old_binaries +end -move_packages(src_path, old_path, $srcs.keys) +if __FILE__ == $0 then + process +end 
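Review bot: In `take_upload_lock`, the 2h timeout only prints "Could not acquire upload lock for more than 2h, giving up" and then keeps sleeping and polling, because nothing leaves the `while` loop; add `exit 1` (or a `raise`) right after the `puts` so the behaviour matches the message. The same function uses `File.exists?`, which is deprecated and removed in Ruby 3.2, while `move_packages` a few lines below already uses `File.exist?`; use the latter consistently. The check-then-write lock is also not atomic, so two cleaners can both see no file and both write; `File.open(path, File::WRONLY | File::CREAT | File::EXCL)` lets the kernel arbitrate instead of the PID read-back. In `packages` and `arch_wanted`, paths built from synthesis metadata are interpolated into backtick commands and therefore parsed by the shell; `IO.popen(['rpmquery', '-p', src, '--qf', '[%{EXCLUSIVEARCH} ]']).read` runs the same query without a shell.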
diff --git a/modules/buildsystem/templates/cleaner_test.rb b/modules/buildsystem/templates/cleaner_test.rb new file mode 100644 index 00000000..804bd1b5 --- /dev/null +++ b/modules/buildsystem/templates/cleaner_test.rb 
@@ -0,0 +1,83 @@ +require 'cleaner' +require "test/unit" + +class TestCleaner < Test::Unit::TestCase + + @pkgs = [] + + def setpackages(pkgs) + @pkgs = pkgs + end + + def packages(path) + @pkgs.map{|p| + l2 = p.split(':') + sourcerpm = l2[0] + filename = l2[1] + buildtime = l2[2].to_i + yield(sourcerpm, filename, buildtime) + } + end + + def test_old + # Package was built on this arch and src.rpm for new version is 15d old + setpackages(['foo-43-1.src.rpm:libfoo2-43-1.armv7hl.rpm:43', 'foo-42-1.src.rpm:libfoo1-42-1.armv7hl.rpm:42']) + srcages = {} + srcages['foo'] = [ 'foo-43-1.src.rpm', Time.now.to_i - 15*24*3600 ] + srcs = {} + srcs['foo-43-1.src.rpm'] = true + assert_equal(['libfoo1-42-1.armv7hl.rpm'], check_binaries('armv7hl', srcs, srcages, '', '', nil)) + end + + def test_recent + # Package was built on this arch but src.rpm for new version is only 1d old + setpackages(['foo-43-1.src.rpm:foo-43-1.armv7hl.rpm:43', 'foo-42-1.src.rpm:foo-42-1.armv7hl.rpm:42']) + srcages = {} + srcages['foo'] = [ 'foo-43.src.rpm', Time.now.to_i - 24*3600 ] + srcs = {} + srcs['foo-43-1.src.rpm'] = true + assert_equal([], check_binaries('armv7hl', srcs, srcages, '', '', nil)) + end + + def test_arm_late + # Package was not yet built on this arch + setpackages(['foo-42-1.src.rpm:foo-42-1.armv7hl.rpm:42']) + srcages = {} + srcages['foo'] = [ 'foo-43.src.rpm', Time.now.to_i - 24*3600 ] + srcs = {} + srcs['foo-43-1.src.rpm'] = true + assert_equal([], check_binaries('armv7hl', srcs, srcages, '', '', nil)) + end + + def test_multiple_versions + # Old package remains (usually happens to noarch due to youri bug) + $noarch = { 'foo' => true } + setpackages(['foo-42-1.src.rpm:foo-42-1.noarch.rpm:42', 'foo-42-2.src.rpm:foo-42-2.noarch.rpm:43']) + srcages = {} + srcages['foo'] = [ 'foo-42-2.src.rpm', Time.now.to_i - 24*3600 ] + srcs = {} + srcs['foo-42-2.src.rpm'] = true + assert_equal(['foo-42-1.noarch.rpm'], check_binaries('i586', srcs, srcages, '', '', nil)) + end + + def test_icu + $noarch 
= {} + now = Time.now.to_i + srctime = now - 3600 + oldbintime = now - 10*24*3600 + newbintime = now - 3200 + setpackages([ + "icu-71.1-2.mga9.src.rpm:icu71-data-71.1-2.mga9.noarch.rpm:#{oldbintime}", + "icu-71.1-2.mga9.src.rpm:lib64icu71-71.1-2.mga9.aarch64.rpm:#{oldbintime}", + "icu-72.1-1.mga9.src.rpm:icu72-data-72.1-1.mga9.noarch.rpm:#{newbintime}", + "icu-72.1-1.mga9.src.rpm:lib64icu-devel-72.1-1.mga9.aarch64.rpm:#{newbintime}", + "icu-72.1-1.mga9.src.rpm:lib64icu72-72.1-1.mga9.aarch64.rpm:#{newbintime}" + ]) + srcages = {} + srcages['icu'] = [ 'icu-71.1-2.mga9.src.rpm', srctime ] + srcs = {} + srcs['icu-71.1-2.mga9.src.rpm'] = true + assert_equal([], check_binaries('aarch64', srcs, srcages, '', '', nil)) + end + +end diff --git a/modules/buildsystem/templates/iurt.conf b/modules/buildsystem/templates/iurt.conf new file mode 100644 index 00000000..2dd8bf0e --- /dev/null +++ b/modules/buildsystem/templates/iurt.conf 
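Review bot: In `test_recent` and `test_arm_late` the fixture names the latest source `'foo-43.src.rpm'` while `srcs` and the package list use `'foo-43-1.src.rpm'`, so `latestsrc` never matches an entry in `all_versions` or `used_here_srcs`, and both tests appear to pass through the 7-day age guard alone; the "not yet built on this arch" branch that `test_arm_late` is named for is never reached. Use `srcages['foo'] = [ 'foo-43-1.src.rpm', Time.now.to_i - 24*3600 ]` in both, and note that the `used_here_srcs`/`arch_wanted` check only becomes the deciding condition once the fixture source is older than 7 days, which in turn needs `arch_wanted` stubbed the way `packages` already is. `$noarch` is a process-wide global that `test_multiple_versions` and `test_icu` assign but the other tests never reset, so outcomes depend on test ordering; a `setup` method assigning `$noarch = {}` would isolate them.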
@@ -0,0 +1,37 @@ +<%- distro = scope.lookupvar('buildsystem::var::distros::distros')[@distribution] -%> +{ + supported_arch => [ '<%= distro['arch'].join("', '") %>' ], + all_media =>{ +<%- distro['medias'].keys.sort.each{|media| -%> + '<%= media %>' => [ '<%= + distro['medias'][media]['repos'].keys.sort.join("', '") %>' ], +<%- +} -%> + }, + distribution => '<%= distro['macros']['distribution'] %>', + vendor => '<%= distro['macros']['vendor'] %>', + base_media => [ '<%= distro['base_media'].join("', '") %>' ], + upload => '<%= build_login %>@pkgsubmit:~/uploads/', + upload_queue => '<%= build_login %>@pkgsubmit:~/uploads/queue/', + unwanted_packages => '^monotone-', + repository => 'http://<%= scope.lookupvar('buildsystem::var::repository::hostname') %>/<%= scope.lookupvar('buildsystem::var::repository::distribdir') %>/', + log_url => 'https://<%= scope.lookupvar('buildsystem::var::webstatus::hostname') %>/queue/build/', + admin => 'mageia-sysadm@mageia.org', + packager => 'Iurt the rebuild bot <mageia-sysadm@mageia.org>', + sendmail => 0, + log_size_limit => '600M', + build_timeout => { +<%- build_timeout.keys.sort.each{|package| -%> + '<%= package %>' => <%= (build_timeout[package].to_f * scope.lookupvar('buildsystem::var::iurt::timeout_multiplier').to_f).to_i %>, +<%- +} -%> + }, + use_netns => { + 'default' => 1, +<%- allow_network_access.sort.each{|package| -%> + '<%= package %>' => 0, +<%- +} -%> + }, +} + diff --git a/modules/buildsystem/templates/iurt/1.conf b/modules/buildsystem/templates/iurt/1.conf deleted file mode 100644 index a37f336c..00000000 --- a/modules/buildsystem/templates/iurt/1.conf +++ /dev/null 
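Review bot: `build_login`, `build_timeout` and `allow_network_access` are read as bare template variables in this new file, while every other value on the same lines goes through `scope.lookupvar(...)` and the rest of this commit moves the module's templates away from bare variables; unless these three are passed explicitly to the template, they should use the same `@`-prefixed or `lookupvar` form so the file does not rely on Puppet's deprecated implicit variable lookup. `admin` and `packager` are hard-coded addresses in an otherwise parameterised file. The `use_netns` block defaults to `1` and only clears it for the listed packages, which is the right default; a one-line comment above it, `# 0 disables the network namespace, i.e. the build gets network access`, would keep future edits to `allow_network_access` from inverting the meaning by mistake.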
@@ -1,23 +0,0 @@ -{ - supported_arch => [ 'i586', 'x86_64' ], - all_media => { 'core' => [ 'release' ], 'nonfree' => [ 'release' ], 'tainted' => [ 'release' ] }, - base_media => [ 'core/release' ], - upload => '<%= build_login %>@pkgsubmit:~/uploads/', - upload_queue => '<%= build_login %>@pkgsubmit:~/uploads/queue/', - unwanted_packages => '^monotone-', - repository => 'http://repository.<%= domain %>/distrib/', - log_url => 'http://pkgsubmit.<%= domain %>/queue/build/', - admin => 'mageia-sysadm@mageia.org', - packager => 'Iurt the rebuild bot <mageia-sysadm@mageia.org>', - sendmail => 0, - build_timeout => { - 'default' => 18000, - 'gcc' => 57600, - 'paraview' => 115200, - 'salome' => 57600, - 'itk' => 115200, - 'wrapitk' => 115200, - 'libreoffice' => 345600 - }, -} - diff --git a/modules/buildsystem/templates/iurt/2.conf b/modules/buildsystem/templates/iurt/2.conf deleted file mode 100644 index a37f336c..00000000 --- a/modules/buildsystem/templates/iurt/2.conf +++ /dev/null @@ -1,23 +0,0 @@ -{ - supported_arch => [ 'i586', 'x86_64' ], - all_media => { 'core' => [ 'release' ], 'nonfree' => [ 'release' ], 'tainted' => [ 'release' ] }, - base_media => [ 'core/release' ], - upload => '<%= build_login %>@pkgsubmit:~/uploads/', - upload_queue => '<%= build_login %>@pkgsubmit:~/uploads/queue/', - unwanted_packages => '^monotone-', - repository => 'http://repository.<%= domain %>/distrib/', - log_url => 'http://pkgsubmit.<%= domain %>/queue/build/', - admin => 'mageia-sysadm@mageia.org', - packager => 'Iurt the rebuild bot <mageia-sysadm@mageia.org>', - sendmail => 0, - build_timeout => { - 'default' => 18000, - 'gcc' => 57600, - 'paraview' => 115200, - 'salome' => 57600, - 'itk' => 115200, - 'wrapitk' => 115200, - 'libreoffice' => 345600 - }, -} - diff --git a/modules/buildsystem/templates/iurt/cauldron.conf b/modules/buildsystem/templates/iurt/cauldron.conf deleted file mode 100644 index a37f336c..00000000 
--- a/modules/buildsystem/templates/iurt/cauldron.conf +++ /dev/null @@ -1,23 +0,0 @@ -{ - supported_arch => [ 'i586', 'x86_64' ], - all_media => { 'core' => [ 'release' ], 'nonfree' => [ 'release' ], 'tainted' => [ 'release' ] }, - base_media => [ 'core/release' ], - upload => '<%= build_login %>@pkgsubmit:~/uploads/', - upload_queue => '<%= build_login %>@pkgsubmit:~/uploads/queue/', - unwanted_packages => '^monotone-', - repository => 'http://repository.<%= domain %>/distrib/', - log_url => 'http://pkgsubmit.<%= domain %>/queue/build/', - admin => 'mageia-sysadm@mageia.org', - packager => 'Iurt the rebuild bot <mageia-sysadm@mageia.org>', - sendmail => 0, - build_timeout => { - 'default' => 18000, - 'gcc' => 57600, - 'paraview' => 115200, - 'salome' => 57600, - 'itk' => 115200, - 'wrapitk' => 115200, - 'libreoffice' => 345600 - }, -} - diff --git a/modules/buildsystem/templates/iurt/infra_1.conf b/modules/buildsystem/templates/iurt/infra_1.conf deleted file mode 100644 index 5f41e9f2..00000000 --- a/modules/buildsystem/templates/iurt/infra_1.conf +++ /dev/null @@ -1,13 +0,0 @@ -{ - supported_arch => [ 'i586', 'x86_64' ], - all_media => { 'infra' => [ 'release' ] }, - base_media => [ 'base/core/release' ], - upload => '<%= build_login %>@pkgsubmit:~/uploads/', - upload_queue => '<%= build_login %>@pkgsubmit:~/uploads/queue/', - repository => 'http://repository.<%= domain %>/distrib/', - log_url => 'http://pkgsubmit.<%= domain %>/queue/build/', - admin => 'mageia-sysadm@mageia.org', - packager => 'Iurt the rebuild bot <mageia-sysadm@mageia.org>', - sendmail => 0, -} - diff --git a/modules/buildsystem/templates/iurt/infra_2.conf b/modules/buildsystem/templates/iurt/infra_2.conf deleted file mode 100644 index 5f41e9f2..00000000 --- a/modules/buildsystem/templates/iurt/infra_2.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -{ - supported_arch => [ 'i586', 'x86_64' ], - all_media => { 'infra' => [ 'release' ] }, - base_media => [ 'base/core/release' ], - upload => '<%= build_login %>@pkgsubmit:~/uploads/', - upload_queue => '<%= build_login %>@pkgsubmit:~/uploads/queue/', - repository => 'http://repository.<%= domain %>/distrib/', - log_url => 'http://pkgsubmit.<%= domain %>/queue/build/', - admin => 'mageia-sysadm@mageia.org', - packager => 'Iurt the rebuild bot <mageia-sysadm@mageia.org>', - sendmail => 0, -} - diff --git a/modules/buildsystem/templates/iurt/mandriva2010.1.conf b/modules/buildsystem/templates/iurt/mandriva2010.1.conf deleted file mode 100644 index 124625f6..00000000 --- a/modules/buildsystem/templates/iurt/mandriva2010.1.conf +++ /dev/null @@ -1,23 +0,0 @@ -{ - supported_arch => [ 'i586', 'x86_64' ], - all_media => { 'main' => [ 'release' ], 'contrib' => [ 'release' ] }, - base_media => [ 'main/release' ], - upload => '<%= build_login %>@pkgsubmit:~/uploads/', - upload_queue => '<%= build_login %>@pkgsubmit:~/uploads/queue/', - unwanted_packages => '^monotone-', - repository => 'http://repository.<%= domain %>/mandriva/', - rsync_to => '<%= build_login %>@pkgsubmit:/mnt/BIG/dis/uploads/build/', - log_url => 'http://pkgsubmit.<%= domain %>/queue/build/', - admin => 'mageia-sysadm@mageia.org', - packager => 'Iurt the rebuild bot <mageia-sysadm@mageia.org>', - sendmail => 0, - build_timeout => { - 'default' => 18000, - 'gcc' => 57600, - 'paraview' => 115200, - 'salome' => 57600, - 'itk' => 115200, - 'wrapitk' => 115200 - }, -} - diff --git a/modules/buildsystem/templates/iurt/sudoers.iurt b/modules/buildsystem/templates/iurt/sudoers.iurt deleted file mode 100644 index 408aa92c..00000000 --- a/modules/buildsystem/templates/iurt/sudoers.iurt +++ /dev/null @@ -1 +0,0 @@ -<%= login %> ALL = NOPASSWD: /usr/sbin/iurt_root_command 
diff --git a/modules/buildsystem/templates/iurt2010.1 b/modules/buildsystem/templates/iurt2010.1
deleted file mode 100755
index 44633e9b..00000000
--- a/modules/buildsystem/templates/iurt2010.1
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-if [ `whoami` != <%= build_login %> ]
-then
- echo 'this script should be run as <%= build_login %>' >&2
- exit 1
-fi
-ARCH=$(rpm --eval %_target_cpu)
-iurt --chrooted-urpmi -m contrib/release main/release ../../../2010.1-mgaserv/$ARCH -- http://repository.<%= domain %>/mandriva/ -r mandriva2010.1 $ARCH $@
diff --git a/modules/buildsystem/templates/maintdb/maintdb.bin b/modules/buildsystem/templates/maintdb/maintdb.bin
index b0cfb1ef..903ee009 100755
--- a/modules/buildsystem/templates/maintdb/maintdb.bin
+++ b/modules/buildsystem/templates/maintdb/maintdb.bin
@@ -1,30 +1,28 @@
-#!/bin/sh
+#!/bin/bash
-MAINTDBDIR="<%= dbdir %>"
+MAINTDBDIR="<%= scope.lookupvar('buildsystem::var::maintdb::dbdir') %>"
 function checkname()
 {
 if [ -z "$1" ] ||
- echo "$1" | grep -q '[/*{}%]' ||
- echo "$1" | fgrep -q '..'
+ echo "$1" | grep -q '[/*{}%]' ||
+ echo "$1" | fgrep -q '..'
 then
- echo "Error: invalid package name." >&2
- exit 1
+ echo "Error: invalid package name." >&2
+ exit 1
 fi
 }
 function maintnew()
 {
- if [ a"$user" != "aroot" ]
- then
- echo "Error: new is only allowed to root." >&2
- exit 1
+ if [ "$user" != "root" ]; then
+ echo "Error: new is only allowed to root." >&2
+ exit 1
 fi
 checkname "$1"
 maintfile="$MAINTDBDIR/$1"
- if [ -f "$maintfile" ]
- then
- exit 0
+ if [ -f "$maintfile" ]; then
+ exit 0
 fi
 echo "$2" > "$maintfile"
 }
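Review bot: `checkname` still validates package names with a deny-list (`[/*{}%]` and `..`) even though `$1` is joined straight onto `$MAINTDBDIR` to form a path, so this is the only check between a caller-supplied string and the filesystem; now that the shebang is `#!/bin/bash`, the builtin `echo` also swallows a name such as `-n` or `-e` before `grep` ever sees it. An anchored allow-list is stricter and immune to both: `printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._+-]*$' || { echo "Error: invalid package name." >&2; exit 1; }`. The maintainer value `maintnew` writes (`$2`) is not validated at all before being echoed into the file; the same check would serve there.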
@@ -34,79 +32,67 @@ function maintset()
 checkname "$1"
 maintfile="$MAINTDBDIR/$1"
 newmaint="$2"
- if ! [ -f "$maintfile" ]
- then
- echo "Error: package $1 does not exist in maintdb." >&2
- exit 1
+ if [ ! -f "$maintfile" ]; then
+ echo "Error: package $1 does not exist in maintdb." >&2
+ exit 1
 fi
 curmaint=$(cat "$maintfile")
- if [ a"$newmaint" = "anobody" ]
- then
- if [ a"$curmaint" = a"$user" ]
- then
- echo "$newmaint" > "$maintfile"
- exit 0
- else
- echo "Error: cannot set maintainer for $1." >&2
- exit 1
- fi
- elif [ a"$newmaint" = a"$user" ]
- then
- if [ a"$curmaint" = "anobody" ]
- then
- echo "$newmaint" > "$maintfile"
- exit 0
- else
- echo "Error: cannot set maintainer for $1." >&2
- exit 1
- fi
+ if [ "$newmaint" = "nobody" ] || [[ "$newmaint" = *-team ]]; then
+ if [ "$curmaint" = "$user" ]; then
+ echo "$newmaint" > "$maintfile"
+ exit 0
+ else
+ echo "Error: cannot set maintainer for $1." >&2
+ exit 1
+ fi
+ elif [ "$newmaint" = "$user" ]; then
+ if [ "$curmaint" = "nobody" ] || [[ "$curmaint" = *-team ]]; then
+ echo "$newmaint" > "$maintfile"
+ exit 0
+ else
+ echo "Error: cannot set maintainer for $1." >&2
+ exit 1
+ fi
 else
- echo "Error: cannot set someone else as maintainer." >&2
- exit 1
+ echo "Error: cannot set someone else as maintainer." >&2
+ exit 1
 fi
 }
 function maintgetall()
 {
 cd "$MAINTDBDIR"
- for file in *
- do
- echo "$file $(cat $file)"
+ for file in *; do
+ echo "$file $(cat $file)"
 done
 exit 0
 }
 function maintget()
 {
- if [ -z "$1" ]
- then
- maintgetall
+ if [ -z "$1" ]; then
+ maintgetall
 fi
 checkname "$1"
 maintfile="$MAINTDBDIR/$1"
- if [ -f "$maintfile" ]
- then
- cat "$maintfile"
+ if [ -f "$maintfile" ]; then
+ cat "$maintfile"
 else
- echo "Error: package $1 does not exist in maintdb." 
>&2
+ exit 1
 fi
 }
 user="$1"
 action="$2"
-if [ a"$action" = "anew" ]
-then
+if [ "$action" = "new" ]; then
 maintnew "$3" "$4"
-elif [ a"$action" = "aset" ]
-then
+elif [ "$action" = "set" ]; then
 maintset "$3" "$4"
-elif [ a"$action" = "aget" ]
-then
+elif [ "$action" = "get" ]; then
 maintget "$3"
 else
- echo "Error: unknow command." >&2
+ echo "Error: unknown command." >&2
 exit 2
 fi
-
diff --git a/modules/buildsystem/templates/maintdb/sudoers.maintdb b/modules/buildsystem/templates/maintdb/sudoers.maintdb
index 8dd19c42..91c88e47 100644
--- a/modules/buildsystem/templates/maintdb/sudoers.maintdb
+++ b/modules/buildsystem/templates/maintdb/sudoers.maintdb
@@ -1,2 +1,4 @@
-%<%= scope.lookupvar('buildsystem::base::packagers_group') %> ALL =(<%= login %>) NOPASSWD: <%= binpath %>
-<%= scope.lookupvar('buildsystem::base::sched_login') %> ALL =(<%= login %>) NOPASSWD: <%= binpath %>
+%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* get
+%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* [gs]et [a-zA-Z0-9]*
+%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* set [a-zA-Z0-9]* [a-z]*
+<%= scope.lookupvar('buildsystem::var::scheduler::login') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* new [a-zA-Z0-9]* [a-z]*
diff --git a/modules/buildsystem/templates/maintdb/vhost_maintdb.conf b/modules/buildsystem/templates/maintdb/vhost_maintdb.conf
index 225c7215..146413a7 100644
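Review bot: The new `*-team` branches in `maintset` accept any string ending in `-team` as either the new or the current maintainer, so the suffix alone is what authorises the transfer; nothing checks that such a team exists (if teams are unix groups, `getent group "$newmaint" >/dev/null` would), and because `$newmaint` never goes through `checkname`, the value echoed into `$maintfile` may contain spaces or newlines that later confuse `maintgetall`'s one-line-per-package output. A shape check at the top of the function keeps the stored value sane: `case "$newmaint" in *[!A-Za-z0-9_-]*) echo "Error: invalid maintainer." >&2; exit 1;; esac`. `maintgetall` also leaves `$file` unquoted in `$(cat $file)`; harmless while every file was created through `checkname`, but `"$file"` costs nothing. `maintset` itself starts before this hunk.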
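Review bot: The first argument these rules allow (`[a-z]*`) is what `maintdb.bin` treats as the calling user (`user="$1"`), and nothing in sudoers ties it to the invoking account; the `$(whoami)` in `wrapper.maintdb` is only a convention, since a member of the packagers group can run the binary through `sudo` directly with a different first argument, unless something outside this diff prevents that. Having `maintdb.bin` derive the caller from `$SUDO_USER` instead of `$1` (sudo sets it for every run) removes the need to trust the argument at all. Note also that, per the sudoers manual, command arguments are matched as one concatenated string, so `*` in `[a-z]* [gs]et [a-zA-Z0-9]*` spans word boundaries and permits extra trailing arguments; the real enforcement has to live in the script, which is another reason to make its identity check independent of `$1`.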
--- a/modules/buildsystem/templates/maintdb/vhost_maintdb.conf
+++ b/modules/buildsystem/templates/maintdb/vhost_maintdb.conf
@@ -1,3 +1,3 @@
-<Directory <%= dbdir %>>
+<Directory <%= scope.lookupvar('buildsystem::var::maintdb::dbdir') %>>
 Options None
 </Directory>
diff --git a/modules/buildsystem/templates/maintdb/wrapper.maintdb b/modules/buildsystem/templates/maintdb/wrapper.maintdb
index 8420022d..fcf69dab 100644
--- a/modules/buildsystem/templates/maintdb/wrapper.maintdb
+++ b/modules/buildsystem/templates/maintdb/wrapper.maintdb
@@ -1,8 +1,8 @@
 #!/bin/sh
-maintdbuser="<%= login %>"
-maintdbpath="<%= binpath %>"
-packagersgroup="<%= scope.lookupvar('buildsystem::base::packagers_group') %>"
+maintdbuser="<%= scope.lookupvar('buildsystem::var::maintdb::login') %>"
+maintdbpath="<%= scope.lookupvar('buildsystem::var::maintdb::binpath') %>"
+packagersgroup="<%= scope.lookupvar('buildsystem::var::groups::packagers') %>"
 function isingroup()
 {
@@ -22,5 +22,4 @@ then
 exit 1
 fi
-sudo -u "$maintdbuser" "$maintdbpath" $(whoami) $@
-
+sudo -u "$maintdbuser" "$maintdbpath" $(whoami) "$@"
diff --git a/modules/buildsystem/templates/media.cfg b/modules/buildsystem/templates/media.cfg
index e0470733..64757a2b 100644
--- a/modules/buildsystem/templates/media.cfg
+++ b/modules/buildsystem/templates/media.cfg
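Review bot: The `$@` → `"$@"` fix in the last hunk leaves `$(whoami)` on the same line unquoted; for consistency and to avoid word splitting should the name ever contain unexpected characters, the line should read `sudo -u "$maintdbuser" "$maintdbpath" "$(whoami)" "$@"`. The `if`/`fi` block that this hunk closes starts before the hunk.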
@@ -1,395 +1,142 @@ +<%- +def media_name(media, repo, type, archname) + name = [ media.capitalize ] + if archname != nil + name += [ archname ] + end + for r in repo.split('_') do + name += [ r.capitalize ] + end + if type != nil + name += [ type.capitalize ] + end + return name.join(' ') +end + +def media_out(name, media_hash) + media_out = "[%s]\n" % name + media_hash.keys.sort.each{|key| + value = media_hash[key] + if value != nil + media_out += "%s=%s\n" % [ key, value ] + end + } + return media_out +end +distro = scope.lookupvar('buildsystem::var::distros::distros')[@distro_name] +-%> [media_info] -<% - if @distro == 'cauldron' -%>version=3<% - else -%>version=<%= @distro %><% end %> +version=<%= distro['version'] %> mediacfg_version=2 -<% - if @distro == 'cauldron' -%>branch=Devel<% - else -%>branch=Official<% - end -%> +branch=<%= distro['branch'] %> +<%- +if @arch != 'armv7hl' +-%> arch=<%= @arch %> +<%- +end +-%> xml-info=1 -[core/release] -hdlist=hdlist_core_release.cz -name=Core Release -srpms=../../SRPMS/core/release -media_type=official:free:release - -[debug/core/release] -hdlist=hdlist_debug_core_release.cz -name=Core Release Debug -srpms=../../SRPMS/debug/core/release -media_type=official:free:release:debug -noauto=1 - -[../../SRPMS/core/release] -hdlist=hdlist_core_release.src.cz -name=Core Release Sources -rpms=core/release -media_type=official:free:release:source -noauto=1 - -[core/updates] -hdlist=hdlist_core_updates.cz -name=Core Updates -srpms=../../SRPMS/core/updates -media_type=official:free:updates -updates_for=core/release - -[debug/core/updates] -hdlist=hdlist_debug_core_updates.cz -name=Core Updates Debug -srpms=../../SRPMS/debug/core/updates -media_type=official:free:updates:debug -noauto=1 - -[../../SRPMS/core/updates] -hdlist=hdlist_core_updates.src.cz -name=Core Updates Sources -rpms=core/updates -media_type=official:free:updates:source -noauto=1 - -[core/updates_testing] -hdlist=hdlist_core_updates_testing.cz -name=Core Updates 
Testing -srpms=../../SRPMS/core/updates_testing -media_type=official:free:testing -noauto=1 - -[debug/core/updates_testing] -hdlist=hdlist_debug_core_updates_testing.cz -name=Core Updates Testing Debug -srpms=../../SRPMS/debug/core/updates_testing -media_type=official:free:testing:debug -noauto=1 - -[../../SRPMS/core/updates_testing] -hdlist=hdlist_core_updates_testing.src.cz -name=Core Updates Testing Sources -rpms=core/updates_testing -media_type=official:free:testing:source -noauto=1 - -[core/backports] -hdlist=hdlist_core_backports.cz -name=Core Backports -srpms=../../SRPMS/core/backports -media_type=official:free:backports -noauto=1 - -[debug/core/backports] -hdlist=hdlist_debug_core_backports.cz -name=Core Backports Debug -srpms=../../SRPMS/debug/core/backports -media_type=official:free:backports:debug -noauto=1 - -[../../SRPMS/core/backports] -hdlist=hdlist_core_backports.src.cz -name=Core Backports Sources -rpms=core/backports -media_type=official:free:backports:source -noauto=1 - -[core/backports_testing] -hdlist=hdlist_core_backports_testing.cz -name=Core Backports Testing -srpms=../../SRPMS/core/backports_testing -media_type=official:free:backports:testing -noauto=1 - -[debug/core/backports_testing] -hdlist=hdlist_debug_core_backports_testing.cz -name=Core Backports Testing Debug -srpms=../../SRPMS/debug/core/backports_testing -media_type=official:free:backports:testing:debug -noauto=1 - -[../../SRPMS/core/backports_testing] -hdlist=hdlist_core_backports_testing.src.cz -name=Core Backports Testing Sources -rpms=core/backports_testing -media_type=official:free:backports:testing:source -noauto=1 - -[nonfree/release] -hdlist=hdlist_nonfree_release.cz -name=Nonfree Release -srpms=../../SRPMS/nonfree/release -media_type=official:release -noauto=1 - -[debug/nonfree/release] -hdlist=hdlist_debug_nonfree_release.cz -name=Nonfree Release Debug -srpms=../../SRPMS/debug/nonfree/release -media_type=official:release:debug -noauto=1 - -[../../SRPMS/nonfree/release] 
-hdlist=hdlist_nonfree_release.src.cz -name=Nonfree Release Sources -rpms=nonfree/release -media_type=official:release:source -noauto=1 - -[nonfree/updates] -hdlist=hdlist_nonfree_updates.cz -name=Nonfree Updates -srpms=../../SRPMS/nonfree/updates -media_type=official:updates -updates_for=nonfree/release -noauto=1 - -[debug/nonfree/updates] -hdlist=hdlist_debug_nonfree_updates.cz -name=Nonfree Updates Debug -srpms=../../SRPMS/debug/nonfree/updates -media_type=official:updates:debug -noauto=1 - -[../../SRPMS/nonfree/updates] -hdlist=hdlist_nonfree_updates.src.cz -name=Nonfree Updates Sources -rpms=nonfree/updates -media_type=official:updates:source -noauto=1 - -[nonfree/updates_testing] -hdlist=hdlist_nonfree_updates_testing.cz -name=Nonfree Updates Testing -srpms=../../SRPMS/nonfree/updates_testing -media_type=official:testing -noauto=1 - -[debug/nonfree/updates_testing] -hdlist=hdlist_debug_nonfree_updates_testing.cz -name=Nonfree Updates Testing Debug -srpms=../../SRPMS/debug/nonfree/updates_testing -media_type=official:testing:debug -noauto=1 - -[../../SRPMS/nonfree/updates_testing] -hdlist=hdlist_nonfree_updates_testing.src.cz -name=Nonfree Updates Testing Sources -rpms=nonfree/updates_testing -media_type=official:testing:source -noauto=1 - -[nonfree/backports] -hdlist=hdlist_nonfree_backports.cz -name=Nonfree Backports -srpms=../../SRPMS/nonfree/backports -media_type=official:backports -noauto=1 - -[debug/nonfree/backports] -hdlist=hdlist_debug_nonfree_backports.cz -name=Nonfree Backports Debug -srpms=../../SRPMS/debug/nonfree/backports -media_type=official:backports:debug -noauto=1 - -[../../SRPMS/nonfree/backports] -hdlist=hdlist_nonfree_backports.src.cz -name=Nonfree Backports Sources -rpms=nonfree/backports -media_type=official:backports:source -noauto=1 - -[nonfree/backports_testing] -hdlist=hdlist_nonfree_backports_testing.cz -name=Nonfree Backports Testing -srpms=../../SRPMS/nonfree/backports_testing -media_type=official:backports:testing -noauto=1 - 
-[debug/nonfree/backports_testing] -hdlist=hdlist_debug_nonfree_backports_testing.cz -name=Nonfree Backports Testing Debug -srpms=../../SRPMS/debug/nonfree/backports_testing -media_type=official:backports:testing:debug -noauto=1 - -[../../SRPMS/nonfree/backports_testing] -hdlist=hdlist_nonfree_backports_testing.src.cz -name=Nonfree Backports Testing Sources -rpms=nonfree/backports_testing -media_type=official:backports:testing:source -noauto=1 - -[tainted/release] -hdlist=hdlist_tainted_release.cz -name=Tainted Release -srpms=../../SRPMS/tainted/release -media_type=official:release -noauto=1 - -[debug/tainted/release] -hdlist=hdlist_debug_tainted_release.cz -name=Tainted Release Debug -srpms=../../SRPMS/debug/tainted/release -media_type=official:release:debug -noauto=1 - -[../../SRPMS/tainted/release] -hdlist=hdlist_tainted_release.src.cz -name=Tainted Release Sources -rpms=tainted/release -media_type=official:release:source -noauto=1 - -[tainted/updates] -hdlist=hdlist_tainted_updates.cz -name=Tainted Updates -srpms=../../SRPMS/tainted/updates -media_type=official:updates -updates_for=tainted/release -noauto=1 - -[debug/tainted/updates] -hdlist=hdlist_debug_tainted_updates.cz -name=Tainted Updates Debug -srpms=../../SRPMS/debug/tainted/updates -media_type=official:updates:debug -noauto=1 - -[../../SRPMS/tainted/updates] -hdlist=hdlist_tainted_updates.src.cz -name=Tainted Updates Sources -rpms=tainted/updates -media_type=official:updates:source -noauto=1 - -[tainted/updates_testing] -hdlist=hdlist_tainted_updates_testing.cz -name=Tainted Updates Testing -srpms=../../SRPMS/tainted/updates_testing -media_type=official:testing -noauto=1 - -[debug/tainted/updates_testing] -hdlist=hdlist_debug_tainted_updates_testing.cz -name=Tainted Updates Testing Debug -srpms=../../SRPMS/debug/tainted/updates_testing -media_type=official:testing:debug -noauto=1 - -[../../SRPMS/tainted/updates_testing] -hdlist=hdlist_tainted_updates_testing.src.cz -name=Tainted Updates Testing Sources 
-rpms=tainted/updates_testing -media_type=official:testing:source -noauto=1 - -[tainted/backports] -hdlist=hdlist_tainted_backports.cz -name=Tainted Backports -srpms=../../SRPMS/tainted/backports -media_type=official:backports -noauto=1 - -[debug/tainted/backports] -hdlist=hdlist_debug_tainted_backports.cz -name=Tainted Backports Debug -srpms=../../SRPMS/debug/tainted/backports -media_type=official:backports:debug -noauto=1 - -[../../SRPMS/tainted/backports] -hdlist=hdlist_tainted_backports.src.cz -name=Tainted Backports Sources -rpms=tainted/backports -media_type=official:backports:source -noauto=1 - -[tainted/backports_testing] -hdlist=hdlist_tainted_backports_testing.cz -name=Tainted Backports Testing -srpms=../../SRPMS/tainted/backports_testing -media_type=official:backports:testing -noauto=1 - -[debug/tainted/backports_testing] -hdlist=hdlist_debug_tainted_backports_testing.cz -name=Tainted Backports Testing Debug -srpms=../../SRPMS/debug/tainted/backports_testing -media_type=official:backports:testing:debug -noauto=1 - -[../../SRPMS/tainted/backports_testing] -hdlist=hdlist_tainted_backports_testing.src.cz -name=Tainted Backports Testing Sources -rpms=tainted/backports_testing -media_type=official:backports:testing:source -noauto=1 - -<% - if arch == 'x86_64' -%>[../../i586/media/core/release] -hdlist=hdlist_core32_release.cz -name=Core 32bit Release -media_type=official:free:release - -[../../i586/media/debug/core/release] -hdlist=hdlist_debug_core32_release.cz -name=Core 32bit Release Debug -media_type=official:free:release:debug -noauto=1 - -[../../i586/media/core/updates] -hdlist=hdlist_core32_updates.cz -name=Core 32bit Updates -media_type=official:free:updates -updates_for=../../i586/media/core/release - -[../../i586/media/debug/core/updates] -hdlist=hdlist_debug_core32_updates.cz -name=Core 32bit Updates Debug -media_type=official:free:updates:debug -noauto=1 - -[../../i586/media/core/updates_testing] -hdlist=hdlist_core32_updates_testing.cz -name=Core 
32bit Updates Testing -media_type=official:free:testing -noauto=1 - -[../../i586/media/debug/core/updates_testing] -hdlist=hdlist_debug_core32_updates_testing.cz -name=Core 32bit Updates Testing Debug -media_type=official:free:testing:debug -noauto=1 - -[../../i586/media/core/backports] -hdlist=hdlist_core32_backports.cz -name=Core 32bit Backports -media_type=official:free:backports -noauto=1 - -[../../i586/media/debug/core/backports] -hdlist=hdlist_debug_core32_backports.cz -name=Core 32bit Backports Debug -media_type=official:free:backports:debug -noauto=1 - -[../../i586/media/core/backports_testing] -hdlist=hdlist_core32_backports_testing.cz -name=Core 32bit Backports Testing -media_type=official:free:backports:testing -noauto=1 - -[../../i586/media/debug/core/backports_testing] -hdlist=hdlist_debug_core32_backports_testing.cz -name=Core 32bit Backports Testing Debug -media_type=official:free:backports:testing:debug -noauto=1<% - end -%> +<%- +distro['medias'].keys.sort { |x,y| distro['medias'][x]['order'] <=> distro['medias'][y]['order'] }.each{|medianame| + media = distro['medias'][medianame] + media['repos'].keys.sort { |x,y| media['repos'][x]['order'] <=> media['repos'][y]['order'] }.each{|reponame| + repo = media['repos'][reponame] + media_type = [] + if media['media_type'] != nil + media_type += media['media_type'] + end + if repo['media_type'] != nil + media_type += repo['media_type'] + end + noauto=nil + if (media['noauto'] == '1') or (repo['noauto'] == '1') + noauto='1' + end + updates_for = nil + if repo['updates_for'] != nil + updates_for = [ medianame, repo['updates_for'] ].join('/') + end + -%><%= + media_out [ medianame, reponame ].join('/'), + :hdlist => [ 'hdlist', medianame, reponame ].join('_') + '.cz', + :name => media_name(medianame, reponame, nil, nil), + :srpms => [ '../../SRPMS', medianame, reponame ].join('/'), + :media_type => media_type.join(':'), + :updates_for => updates_for, + :noauto => noauto + + %> + <%-# debug -%> + <%- + 
debug_media_type = media_type + [ 'debug' ] + -%><%= + media_out [ 'debug', medianame, reponame ].join('/'), + :hdlist => [ 'hdlist_debug', medianame, reponame ].join('_') + '.cz', + :name => media_name(medianame, reponame, 'debug', nil), + :srpms => [ '../../SRPMS', medianame, reponame ].join('/'), + :media_type => debug_media_type.join(':'), + :noauto => '1' + + %> + <%-# source -%> + <%- + source_media_type = media_type + [ 'source' ] + -%><%= + media_out [ '../../SRPMS', medianame, reponame ].join('/'), + :hdlist => [ 'hdlist', medianame, reponame ].join('_') + '.src.cz', + :name => media_name(medianame, reponame, 'sources', nil), + :rpms => [ medianame, reponame ].join('/'), + :media_type => source_media_type.join(':'), + :noauto => '1' + + %> + <%-# we add 32bit media if arch is x86_64 -%> + <%- + if @arch == 'x86_64' and distro['arch'].include?('i586') + medianame32 = [ medianame, '32' ].join('') + -%><%= + media_out [ '../../i586/media', medianame, reponame ].join('/'), + :hdlist => [ 'hdlist', medianame32, reponame ].join('_') + '.src.cz', + :name => media_name(medianame, reponame, nil, '32bit'), + :media_type => media_type.join(':'), + :noauto => noauto + + %> + <%- + end + if @arch == 'x86_64' and distro['arch'].include?('i686') + medianame32 = [ medianame, '32' ].join('') + -%><%= + media_out [ '../../i686/media', medianame, reponame ].join('/'), + :hdlist => [ 'hdlist', medianame32, reponame ].join('_') + '.src.cz', + :name => media_name(medianame, reponame, nil, '32bit'), + :media_type => media_type.join(':'), + :noauto => noauto + + %> + <%- + end + } +} +if distro['based_on'] != nil + distro['based_on'].keys.sort.each{|bdistroname| + bdistro = distro['based_on'][bdistroname] + bdistro.keys.sort.each{|medianame| + media = bdistro[medianame] + for reponame in media + -%><%= + media_out [ bdistroname, medianame, reponame ].join('/'), + :hdlist => [ 'hdlist', bdistroname, medianame, + reponame ].join('_'), + :name => media_name([ medianame, 
bdistroname].join(''), reponame, nil, nil), + :media_type => 'base_distro', + :noauto => 1 + %> + <%- + end + } + } +end +-%> diff --git a/modules/buildsystem/templates/mgarepo.conf b/modules/buildsystem/templates/mgarepo.conf index 81c21d3b..fbe5109c 100644 --- a/modules/buildsystem/templates/mgarepo.conf +++ b/modules/buildsystem/templates/mgarepo.conf @@ -1,25 +1,27 @@ +<%- + default_distro = scope.lookupvar('buildsystem::var::distros::default_distro') + distros = scope.lookupvar('buildsystem::var::distros::distros') +-%> [global] verbose = no -default_parent = svn://svn.<%= domain %>/svn/packages/cauldron +default_parent = <%= scope.lookupvar('buildsystem::var::mgarepo::svn_root_packages') %>/<%= default_distro %> #url-map = svn\+ssh://svn\.mageia\.org/(.*) file:///\1 tempdir = <%= sched_home_dir %>/repsys/tmp -use-binaries-repository = yes -binaries-repository = svn://svn.<%= domain %>/svn/binrepos -# ldap settings -# ldap is searched first: if not found, then [users] is read -# if ldap search matched, then [users] is not consulted -# if ldap is down, [users] is not consulted either -# -# we should have a generic fqdn here to use round-robin DNS -# enhancement for repsys: support multiple ldap servers here -ldap-server = ldap.<%= domain %> -ldap-base = ou=People,<%= dc_suffix %> -ldap-filterformat = (&(objectClass=inetOrgPerson)(uid=$username)) -ldap-resultformat = $cn <$mail> -trunk-dir = cauldron +trunk-dir = <%= default_distro %> +<%- +conf = scope.lookupvar('buildsystem::var::mgarepo::conf') +if conf['global'] != nil + conf['global'].keys.sort.each{|key| + value = conf['global'][key] + -%><%= key %> = <%= value %> +<%- + } +end +-%> + [log] -oldurl = svn+ssh://svn.<%= domain %>/svn/packages/misc +oldurl = <%= scope.lookupvar('buildsystem::var::mgarepo::oldurl') %> # controls up to which revision the rpm changelog # will be constructed (default zero, i.e., oldest # commit) 
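Review bot: The 32-bit binary media emitted for x86_64 (the two `@arch == 'x86_64'` blocks near the end of the hunk, for `i586` and `i686`) get an `hdlist` ending in `.src.cz`, which is the suffix this template otherwise reserves for source media; the removed configuration named these `hdlist_core32_release.cz`. Change both occurrences to `:hdlist => [ 'hdlist', medianame32, reponame ].join('_') + '.cz',`. The `updates_for` key that the old `../../i586/media/core/updates` entry carried is also not emitted for these media; if dropping it is intentional, a one-line ERB comment saying so would help. Minor: `:noauto => 1` in the `based_on` block is an integer where the rest of the template uses the string `'1'`; harmless through `%s`, but worth aligning.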
@@ -28,63 +30,46 @@ oldurl = svn+ssh://svn.<%= domain %>/svn/packages/misc ignore-string = SILENT [template] -path = /usr/share/repsys/default.chlog +path = /usr/share/mgarepo/default.chlog [users] iurt = Mageia build bot <mageia-sysadm@<%= domain %>> [submit] -default = cauldron -host = pkgsubmit.<%= domain %> - -[submit cauldron] -target = <%= sched_home_dir %>/repsys/srpms -allowed = svn://svn.<%= domain %>/svn/packages/cauldron -rpm-macros = global cauldron - -[submit 1] -target = <%= sched_home_dir %>/repsys/srpms -allowed = svn://svn.<%= domain %>/svn/packages/updates/1 -rpm-macros = global 1 - -[submit 2] +default = <%= default_distro %> +host = <%= scope.lookupvar('buildsystem::var::mgarepo::submit_host') %> + +<%- + distros.keys.sort.each{|d| + distro = distros[d] +-%> +[submit <%= d %>] target = <%= sched_home_dir %>/repsys/srpms -allowed = svn://svn.<%= domain %>/svn/packages/updates/2 -rpm-macros = global 2 +allowed = <%= distro['submit_allowed'] %> <%= distro['backports_allowed'] %> +rpm-macros = global <%= d %> -[submit infra_1] -target = <%= sched_home_dir %>/repsys/srpms -allowed = svn://svn.mageia.org/svn/packages/ -rpm-macros = global 1 - -[submit infra_2] -target = <%= sched_home_dir %>/repsys/srpms -allowed = svn://svn.mageia.org/svn/packages/ -rpm-macros = global 2 +<%- + } +-%> [macros global] -distsuffix = .mga # mkrel definition to be removed when rpm-setup is updated on main build node mkrel(c:) = %{-c: 0.%{-c*}.}%{1}%{?subrel:.%subrel}%{?distsuffix:%distsuffix}%{?!distsuffix:.mga}%{?distro_release:%distro_release} -distribution = Mageia -vendor = Mageia.Org -_real_vendor = mageia - -[macros cauldron] -distro_release = 3 -# 100 * major + minor -mgaversion = 300 -mageia_branch = cauldron - -[macros 1] -distro_release = 1 -# 100 * major + minor -mgaversion = 100 - -[macros 2] -distro_release = 2 -# 100 * major + minor -mgaversion = 200 +dist = %{?distsuffix:%distsuffix}%{?!distsuffix:.mga}%{?distro_release:%distro_release} + +<%- + 
distros.keys.sort.each{|d| + distro = distros[d] +-%> +[macros <%= d %>] +distro_release = <%= distro['version'] %> +<%- + distro['macros'].keys.sort.each{|macro| + value = distro['macros'][macro] + -%><%= macro %> = <%= value %> + <%- } %> +<%- } +%> [helper] create-srpm = /usr/share/repsys/create-srpm @@ -97,6 +82,7 @@ upload-bin = /usr/local/bin/wrapper.upload-bin run-prep = yes [binrepo] -download_url = http://binrepo.<%= domain %>/ -upload_host = binrepo.<%= domain %> +<%- binrepo_hostname = scope.lookupvar('buildsystem::var::binrepo::hostname') -%> +download_url = http://<%= binrepo_hostname %>/ +upload_host = <%= binrepo_hostname %> diff --git a/modules/buildsystem/templates/repoctl.conf b/modules/buildsystem/templates/repoctl.conf index a538fcde..14506a25 100644 --- a/modules/buildsystem/templates/repoctl.conf +++ b/modules/buildsystem/templates/repoctl.conf @@ -1,3 +1,21 @@ +<%- +distribdir = scope.lookupvar('buildsystem::var::repository::distribdir') +distros = scope.lookupvar('buildsystem::var::distros::distros') +arches = {} +distrosections = {} +sectionsrepos = {} +distros.each{|distroname, distro| + distro['medias'].each{|medianame, media| + distrosections[medianame] = 1 + media['repos'].each{|reponame, repo| + sectionsrepos[reponame] = 1 + } + } + distro['arch'].each{|arch| + arches[arch] = 1 + } +} +-%> dryrun=echo if [ -z $SUDO_USER ] then 
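Review bot: `allowed = <%= distro['submit_allowed'] %> <%= distro['backports_allowed'] %>` renders a missing key as an empty string, so a distro without `backports_allowed` gets a trailing space and one without `submit_allowed` gets an empty `allowed` entry; for a key that restricts which repository URLs may be submitted, silently emitting nothing is the wrong failure direction if mgarepo treats an empty list permissively (not verifiable from here). Build the value explicitly, `allowed = <%= [ distro['submit_allowed'], distro['backports_allowed'] ].compact.join(' ') %>`, and consider raising in the template when `submit_allowed` is absent so the catalog fails rather than the policy.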
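Review bot: `download_url = http://<%= binrepo_hostname %>/` keeps binary-repository downloads on plain HTTP while `http_queue` in `upload.conf` moves to https in this same commit. Unless the mgarepo client verifies each fetched blob against a digest it already holds (not visible here; confirm), a build node accepts whatever the network returns on this path, so if the binrepo host terminates TLS the line should read `download_url = https://<%= binrepo_hostname %>/`.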
@@ -7,14 +25,14 @@ else
 fi
 lockdir=/var/lib/repoctl/locks
 hdlistsdir=/var/lib/repoctl/hdlists
-rootdir=/distrib/bootstrap
-finalrootdir=/distrib/mirror
-distribdir=$rootdir/distrib
-finaldistribdir=$finalrootdir/distrib
-distroreleases='<%= distroreleases.flatten.join(' ') -%>'
-distrosections='<%= distrosections.flatten.join(' ') -%>'
-sectionsrepos='<%= sectionsrepos.flatten.join(' ') -%>'
-arches='<%= arches.flatten.join(' ') -%>'
+rootdir=<%= scope.lookupvar('buildsystem::var::repository::bootstrap_root') %>
+finalrootdir=<%= scope.lookupvar('buildsystem::var::repository::mirror_root') %>
+distribdir=$rootdir/<%= distribdir %>
+finaldistribdir=$finalrootdir/<%= distribdir %>
+distroreleases='<%= distros.keys.sort.join(' ') -%>'
+distrosections='<%= distrosections.keys.sort.join(' ') -%>'
+sectionsrepos='<%= sectionsrepos.keys.sort.join(' ') -%>'
+arches='<%= arches.keys.sort.join(' ') -%>'
 mirror_rsync_options="-v --delete -alH"
 timestampfile="mageia_timestamp"
 sha1sumfile="mageia_sha1sum"
diff --git a/modules/buildsystem/templates/signbot/sudoers.signpackage b/modules/buildsystem/templates/signbot/sudoers.signpackage
index 05653d30..4ea30238 100644
--- a/modules/buildsystem/templates/signbot/sudoers.signpackage
+++ b/modules/buildsystem/templates/signbot/sudoers.signpackage
@@ -1,2 +1,2 @@
-<%= sched_login %> ALL =(<%= login %>) NOPASSWD: /usr/local/bin/mga-signpackage
-<%= sched_login %> ALL =(<%= login %>) NOPASSWD: /usr/local/bin/sign-check-package
+<%= sched_login %> ALL =(<%= scope.lookupvar('buildsystem::var::signbot::login') %>) NOPASSWD: /usr/local/bin/mga-signpackage
+<%= sched_login %> ALL =(<%= scope.lookupvar('buildsystem::var::signbot::login') %>) NOPASSWD: /usr/local/bin/sign-check-package
diff --git a/modules/buildsystem/templates/submit_package.pl b/modules/buildsystem/templates/submit_package.pl
index 2b0e966d..1fdf7749 100755
--- a/modules/buildsystem/templates/submit_package.pl
+++ b/modules/buildsystem/templates/submit_package.pl
@@ -2,8 +2,8 @@ use strict; use warnings; -my $svn_server = 'svn.<%= domain %>'; -my $packagersgroup="<%= scope.lookupvar('buildsystem::base::packagers_group') %>"; +my $svn_server = '<%= scope.lookupvar('buildsystem::var::mgarepo::svn_hostname') %>'; +my $packagersgroup="<%= scope.lookupvar('buildsystem::var::groups::packagers') %>"; my $login = getpwuid($<); my (undef, undef, undef, $members) = getgrnam $packagersgroup; diff --git a/modules/buildsystem/templates/sudoers.iurt b/modules/buildsystem/templates/sudoers.iurt new file mode 100644 index 00000000..21e81e87 --- /dev/null +++ b/modules/buildsystem/templates/sudoers.iurt @@ -0,0 +1 @@ +<%= scope.lookupvar('buildsystem::var::iurt::login') %> ALL = NOPASSWD: /usr/sbin/iurt_root_command diff --git a/modules/buildsystem/templates/sudoers.youri b/modules/buildsystem/templates/sudoers.youri index f3fa35b0..3bc7cc2d 100644 --- a/modules/buildsystem/templates/sudoers.youri +++ b/modules/buildsystem/templates/sudoers.youri @@ -1,5 +1,6 @@ +<%- sched_login = scope.lookupvar('buildsystem::var::scheduler::login') -%> Cmnd_Alias YOURI = /usr/local/bin/mga-youri-submit.wrapper Defaults!YOURI always_set_home Defaults!YOURI runas_default = <%= sched_login %> Defaults!YOURI !requiretty -%mga-packagers ALL = (<%= sched_login %>) NOPASSWD: YOURI +%<%= scope.lookupvar('buildsystem::var::groups::packagers') -%> ALL = (<%= sched_login %>) NOPASSWD: YOURI diff --git a/modules/buildsystem/templates/sync2010.1 b/modules/buildsystem/templates/sync2010.1 deleted file mode 100644 index 5f8eeebf..00000000 --- a/modules/buildsystem/templates/sync2010.1 +++ /dev/null 
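Review bot: The new `sudoers.iurt` rule grants `/usr/sbin/iurt_root_command` as root with no argument list, so every safety decision is delegated to that script; that is a reasonable design for a purpose-built wrapper, but the template should say so where the grant lives, e.g. a leading `# iurt_root_command is the build user's only root entry point; it must validate its own arguments` line, so nobody later widens it to a generic command.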
@@ -1,20 +0,0 @@ -#!/bin/sh - -if [ `whoami` != <%= sched_login %> ] -then - echo 'this script should be run as <%= sched_login %>' >&2 - exit 1 -fi - -cd /distrib/mandriva/2010.1-mgaserv || exit 1 -rsync -avH <%= build_login %>@jonund:/home/iurt/2010.1-SRPMS/ ./SRPMS - -for i in i586 x86_64; do - mkdir -p $i - cd $i - rsync -avH <%= build_login %>@jonund:/home/iurt/iurt/mandriva2010.1/$i/*.rpm . - ssh <%= build_login %>@jonund rm -f '/home/iurt/iurt/mandriva2010.1/$i/*.rpm' - genhdlist2 . - cd .. -done - diff --git a/modules/buildsystem/templates/upload.conf b/modules/buildsystem/templates/upload.conf index 0118ca7c..af610c92 100644 --- a/modules/buildsystem/templates/upload.conf +++ b/modules/buildsystem/templates/upload.conf @@ -7,12 +7,20 @@ # ### +<%- + build_nodes = scope.lookupvar('buildsystem::var::scheduler::build_nodes') +-%> my %nodes = ( - i586 => [ qw(jonund0 ecosse0 jonund1 ecosse1 ) ], - x86_64 => [ qw(ecosse0 jonund0 ecosse1 jonund1 ) ], +<%- + build_nodes.keys.sort.each{|arch| +-%> + <%= arch -%> => [ '<%= build_nodes[arch].join("', '") -%>' ], +<%- + } +-%> ); -my $repository = "http://repository.<%= domain %>/distrib/"; -my $homedir = "<%= homedir %>"; +my $repository = "http://<%= scope.lookupvar('buildsystem::var::repository::hostname') %>/<%= scope.lookupvar('buildsystem::var::repository::distribdir') %>/"; +my $homedir = "<%= scope.lookupvar('buildsystem::var::iurt::homedir') %>"; { bot => { 
@@ -23,7 +31,7 @@ my $homedir = "<%= homedir %>";
 my $node = $_;
 ($node => {
 iurt => {
- user => '<%= login %>',
+ user => '<%= scope.lookupvar('buildsystem::var::iurt::login') %>',
 # (spuk, 2007-08-16) disabled iurt_cache additional media, locks trying to mount -o bind
 # command => "iurt --copy-srpm --group -v 6 --config local_spool $homedir/iurt/__DIR__ --no_rsync --chrooted-urpmi -m __MEDIA__ -- $repository --additional-media -m __MEDIA__ -- file://$homedir/cache/ -p \"__PACKAGER__\" -r __TARGET__ __ARCH__",
 command => "iurt --copy_srpm --group --rpmmacros \"%distro_section __SECTION__\" --config local_spool $homedir/iurt/__DIR__ --no_rsync --chrooted-urpmi -m __MEDIA__ -- $repository -p \"__PACKAGER__\" -r __TARGET__ __ARCH__",
@@ -35,39 +43,89 @@ my $homedir = "<%= homedir %>"; } keys %nodes), }, media => { - default => { - "infra/release" => [ "infra/release", "base/core/updates", "base/core/release" ], - "core/release" => [ "core/updates", "core/release" ], - "core/updates" => [ "core/updates", "core/release" ], - "core/updates_testing" => [ "core/updates_testing", "core/updates", "core/release" ], - "core/backports" => [ "core/backports", "core/updates_testing", "core/updates", "core/release" ], - "core/backports_testing" => [ "core/backports_testing", "core/backports", "core/updates_testing", "core/updates", "core/release" ], - "nonfree/release" => [ "core/release", "nonfree/release" ], - "nonfree/updates" => [ "core/updates", "core/release", "nonfree/release", "nonfree/updates" ], - "nonfree/updates_testing" => [ "core/updates", "core/release", "core/updates_testing", "nonfree/release", "nonfree/updates", "nonfree/updates_testing" ], - "nonfree/backports" => [ "core/backports", "core/updates_testing", "core/updates", "core/release", - "nonfree/release", "nonfree/updates", "nonfree/updates_testing", "nonfree/backports" ], - "nonfree/backports_testing" => [ "core/backports_testing", "core/backports", "core/updates_testing", "core/updates", "core/release", - "nonfree/release", "nonfree/updates", "nonfree/updates_testing", "nonfree/backports", "nonfree/backports_testing" ], - "tainted/release" => [ "core/release", "nonfree/release", "tainted/release" ], - "tainted/updates" => [ "core/release", "nonfree/release", "tainted/release", - "core/updates", "nonfree/updates", "tainted/updates" ], - "tainted/updates_testing" => [ "core/release", "nonfree/release", "tainted/release", - "core/updates", "nonfree/updates", "tainted/updates", - "core/updates_testing", "nonfree/updates_testing", "tainted/updates_testing" ], - "tainted/backports" => [ "core/release", "nonfree/release", "tainted/release", - "core/updates", "nonfree/updates", "tainted/updates", - "core/updates_testing", 
"nonfree/updates_testing", "tainted/updates_testing", - "core/backports", "nonfree/backports", "tainted/backports" ], - "tainted/backports_testing" => [ "core/release", "nonfree/release", "tainted/release", - "core/updates", "nonfree/updates", "tainted/updates", - "core/updates_testing", "nonfree/updates_testing", "tainted/updates_testing", - "core/backports", "nonfree/backports", "tainted/backports", - "core/backports_testing", "nonfree/backports_testing", "tainted/backports_testing" ], - }, + <%- + def repo_deps(distros, dname, mname, rname) + deps = {} + distro = distros[dname] + if distro['based_on'] != nil + distro['based_on'].each{|bdistro, bmedias| + if bmedias[mname] != nil and \ + bmedias[mname].include?(rname) then + deps[ [ bdistro, mname, rname ].join('/') ] = 1 + end + } + end + if distro['medias'][mname] != nil \ + and distro['medias'][mname]['repos'][rname] != nil + then + deps[ [ mname, rname ].join('/') ] = 1 + else + return deps + end + mlist = distro['medias'][mname]['requires'] + mlist = mlist == nil ? 
[ mname ] : [ mname ] + mlist + mlist.each{|mreq| + rlist = distro['medias'][mname]['repos'][rname]['requires'] + rlist = [] if rlist == nil + rlist += [ rname ] if mreq != mname + rlist.each{|rreq| + deps.merge!(repo_deps(distros, dname, mreq, rreq)) + } + } + return deps + end + distros = scope.lookupvar('buildsystem::var::distros::distros') + distros.keys.sort.each{|distroname| + -%> + '<%= distroname -%>' => { + <%- + distro = distros[distroname] + distro['medias'].keys.sort.each{|medianame| + media = distro['medias'][medianame] + media['repos'].keys.sort.each{|reponame| + deps = repo_deps(distros, distroname, medianame, reponame) + -%> + "<%= [ medianame, reponame ].join('/') %>" => [ "<%= + deps.keys.sort.join('", "') + %>" ], + <%- + } + } + -%> + }, + <%- + } + -%> }, - admin => 'mageia-sysadm@mageia.org', - http_queue => 'http://pkgsubmit.<%= domain %>/uploads', - upload_user => '<%= sched_login %>', + admin => '<%= scope.lookupvar('buildsystem::var::scheduler::admin_mail') %>', + http_queue => 'https://<%= scope.lookupvar('buildsystem::var::webstatus::hostname') %>/uploads', + upload_user => '<%= scope.lookupvar('buildsystem::var::scheduler::login') %>', email_domain => '<%= domain %>', + arch => { + <%- + distros.keys.sort.each{|distroname| + -%> + <%= distroname -%> => [ '<%= distros[distroname]['arch'].join("', '") %>' ], + <%- + } + -%> + default => [ 'i586', 'x86_64' ], + }, + mandatory_arch => { + <%- + distros.keys.sort.each{|distroname| + if distros[distroname]['mandatory_arch'] != nil + march = distros[distroname]['mandatory_arch'] + else + march = distros[distroname]['arch'] + end + -%> + <%= distroname -%> => [ '<%= march.join("', '") %>' ], + <%- + } + -%> + default => [ 'i586', 'x86_64' ], + }, + ssh_options => "-o ServerAliveInterval=10 -o ConnectTimeout=20 -o BatchMode=yes", + faildelay => 360000, } 
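Review bot: `repo_deps` recurses through the `requires` lists with no record of what is already being expanded, so a cycle in the distro configuration (media A requiring B which requires A, or a repo listing itself under `requires`, which `rlist += [ rname ]` makes easy) recurses until the Ruby stack overflows during catalog compilation instead of producing a readable error. Threading a `seen` hash through the recursion and returning early for a pair already on the current path, as sketched below, makes such a misconfiguration fail fast without changing the result for acyclic data. Also, `default => [ 'i586', 'x86_64' ]` is written out twice, under `arch` and `mandatory_arch`, while every per-distro list is computed from `distros`; hoisting it into one ERB variable keeps the two from drifting. The enclosing Perl hash starts outside this hunk.
```ruby
def repo_deps(distros, dname, mname, rname, seen = {})
  deps = {}
  key = [ mname, rname ].join('/')
  # a pair already being expanded on this path means the configuration has a cycle
  return deps if seen[key]
  seen = seen.merge(key => 1)
  # … unchanged: based_on handling, existence check, mlist/rlist computation …
      deps.merge!(repo_deps(distros, dname, mreq, rreq, seen))
  # … unchanged: closing braces and return deps …
end
```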
diff --git a/modules/buildsystem/templates/vhost_pkgsubmit.conf b/modules/buildsystem/templates/vhost_pkgsubmit.conf
deleted file mode 100644
index af8bb70c..00000000
--- a/modules/buildsystem/templates/vhost_pkgsubmit.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-<Location /uploads>
- Allow from all
- Options Indexes
-</Location>
diff --git a/modules/buildsystem/templates/vhost_repository.conf b/modules/buildsystem/templates/vhost_repository.conf
index 176b7f39..e082ffca 100644
--- a/modules/buildsystem/templates/vhost_repository.conf
+++ b/modules/buildsystem/templates/vhost_repository.conf
@@ -1,61 +1,73 @@ -<% -# FIXME: add a reverse lookup for IPv6 adresses -# allowed hosts are: valstar, ecosse, jonund -buildsystem_nodes = "2a02:2178:2:7::3/64 2a02:2178:2:7::4/64 2a02:2178:2:7::5/64" -%> - +<%- +mirror_root = scope.lookupvar('buildsystem::var::repository::mirror_root') +mirror_reporoot = scope.lookupvar('buildsystem::var::repository::mirror_reporoot') +bootstrap_reporoot = scope.lookupvar('buildsystem::var::repository::bootstrap_reporoot') +distribdir = scope.lookupvar('buildsystem::var::repository::distribdir') +repo_allow_from_ips = scope.lookupvar('buildsystem::var::distros::repo_allow_from_ips') +repo_allow_from_domains = scope.lookupvar('buildsystem::var::distros::repo_allow_from_ips') +distros = scope.lookupvar('buildsystem::var::distros::distros') +-%> <VirtualHost *:80> - ServerName repository.<%= domain %> + ServerName <%= scope.lookupvar('buildsystem::var::repository::hostname') %> DocumentRoot <%= mirror_root %> - Alias /distrib/infra_1/ "/distrib/bootstrap/distrib/infra_1/" - Alias /distrib/infra_2/ "/distrib/bootstrap/distrib/infra_2/" - Alias /mandriva/ "/distrib/mandriva/" - Alias /mageiatools/ "/distrib/mageiatools/" - <Directory <%= mirror_root %>> - Order deny,allow - Deny from all - Allow from localhost, 127.0.0.1 - Allow from <%= buildsystem_nodes %> - Allow from .<%= domain %> - Allow from 10.42.0 - # FIXME: add a reverse lookup for rabbit - Allow from 212.85.158.152 - Options Indexes FollowSymLinks - </Directory> + # Some simple API to check existence of SRPMs for QA + RewriteEngine On - <Directory /distrib/bootstrap/distrib/infra_1> - Header append Cache-Control "public, must-revalidate" - Order deny,allow - Allow from all - Options Indexes FollowSymLinks - </Directory> + RewriteCond /distrib/bootstrap/distrib/$2/SRPMS/$3/$1s_testing/$4.src.rpm -f + RewriteRule ^/qa/checksrpm/(update|backport)/([1-9][0-9]*)/([a-z_]+)/([^/]+)$ http://repository.mageia.org/qa/checksrpm/found [L,R=302] - <Directory 
/distrib/bootstrap/distrib/infra_2> - Header append Cache-Control "public, must-revalidate" - Order deny,allow - Allow from all - Options Indexes FollowSymLinks - </Directory> + RewriteRule ^/qa/checksrpm/ - [L,G] - <Directory /distrib/mandriva> - Order deny,allow - Deny from all - Allow from localhost, 127.0.0.1 - Allow from <%= buildsystem_nodes %> - Allow from .<%= domain %> - Options Indexes FollowSymLinks - </Directory> - - <Directory /distrib/mandriva/2010.1-mgaserv/> - Order deny,allow - Allow from all +<%- + if repo_allow_from_ips != nil || repo_allow_from_domains != nil then + access_requires = [ 'all denied' ] + if repo_allow_from_ips != nil then + for allow in repo_allow_from_ips do + access_requires << 'ip ' + allow + end + end + if repo_allow_from_domains != nil then + for allow in repo_allow_from_domains do + access_requires << 'host ' + allow + end + end + else + access_requires = [ 'all granted' ] + end +%> + Alias /bootstrap/ "<%= bootstrap_reporoot %>/" +<%- + distros.keys.sort.each{|distroname| + distro = distros[distroname] + if distro['no_mirror'] -%> + Alias /<%= distribdir %>/<%= distroname %>/ "<%= bootstrap_reporoot %>/<%= distroname %>/" +<%- + end + } +-%> + + <Directory <%= bootstrap_reporoot %>> + Header append Cache-Control "public, must-revalidate" +<%- + for req in access_requires do +-%> + Require <%= req %> +<%- + end +-%> Options Indexes FollowSymLinks </Directory> - <Directory /distrib/mageiatools> - Order deny,allow - Allow from all + <Directory <%= mirror_root %>> + Header append Cache-Control "public, must-revalidate" +<%- + for req in access_requires do +-%> + Require <%= req %> +<%- + end +-%> Options Indexes FollowSymLinks </Directory> </VirtualHost> diff --git a/modules/buildsystem/templates/vhost_webstatus.conf b/modules/buildsystem/templates/vhost_webstatus.conf new file mode 100644 index 00000000..3b0e6246 --- /dev/null +++ b/modules/buildsystem/templates/vhost_webstatus.conf 
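Review bot: The domain allow-list is wired to the wrong key: `repo_allow_from_domains = scope.lookupvar('buildsystem::var::distros::repo_allow_from_ips')` reads the IP list a second time, so every IP is also emitted as `Require host <ip>` and whatever domain list exists under `buildsystem::var::distros` is never consulted. It should presumably read `repo_allow_from_domains = scope.lookupvar('buildsystem::var::distros::repo_allow_from_domains')`, matching the variable name used two lines lower. Keep in mind that `Require host` trusts the reverse DNS of the connecting address, so the `Require ip` entries are the part of this list that actually holds. The redirect target `http://repository.mageia.org/qa/checksrpm/found` is hard-coded while `ServerName` just above it became `<%= scope.lookupvar('buildsystem::var::repository::hostname') %>`; the RewriteRule probably wants the same lookup so it follows the templated hostname.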
@@ -0,0 +1,13 @@
+<Location /uploads>
+ Require all granted
+ Options Indexes
+ IndexOptions NameWidth=*
+</Location>
+<Location /autobuild>
+ Require all granted
+ Options Indexes
+ IndexOptions NameWidth=*
+</Location>
+<Directory /var/www/bs/autobuild>
+ Options FollowSymlinks FollowSymLinks
+</Directory>
diff --git a/modules/buildsystem/templates/youri/acl.conf b/modules/buildsystem/templates/youri/acl.conf
index ada865f0..f0949f8a 100644
--- a/modules/buildsystem/templates/youri/acl.conf
+++ b/modules/buildsystem/templates/youri/acl.conf
@@ -1,5 +1 @@
 .* .* .* ^glib$ ^blacklisted$
-.* .* .* ^cinnamon$ ^blacklisted$
-.* .* .* ^muffin$ ^blacklisted$
-.* .* .* ^nemo$ ^blacklisted$
-.* .* .* ^task-cinnamon$ ^blacklisted$
diff --git a/modules/buildsystem/templates/youri/host.conf b/modules/buildsystem/templates/youri/host.conf
new file mode 100644
index 00000000..bf4fa086
--- /dev/null
+++ b/modules/buildsystem/templates/youri/host.conf
@@ -0,0 +1,23 @@
+<%-
+ aliases = scope.lookupvar('buildsystem::var::scheduler::build_nodes_aliases')
+ nodes = {}
+ nodes['src'] = [ scope.lookupvar('buildsystem::var::scheduler::build_src_node') ]
+ scope.lookupvar('buildsystem::var::scheduler::build_nodes').each{|arch,n|
+ a = arch + '|noarch|src'
+ nodes[a] = []
+ n.each{|node|
+ if aliases[node] != nil
+ nodes[a] += [ aliases[node] ]
+ else
+ nodes[a] += [ node ]
+ end
+ }
+ }
+ str = ''
+ nodes.keys.sort.each{|arch|
+ nodes[arch].sort.uniq.each{|node|
+ str += node + ' ' + arch + "\n"
+ }
+ }
+-%>
+<%= str -%>
diff --git a/modules/buildsystem/templates/youri/submit-todo.conf b/modules/buildsystem/templates/youri/submit-todo.conf
deleted file mode 100644
index 2d5d18ff..00000000
--- a/modules/buildsystem/templates/youri/submit-todo.conf
+++ /dev/null
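Review bot: `Options FollowSymlinks FollowSymLinks` in the `/var/www/bs/autobuild` block names the same option twice (Apache option names are case-insensitive), so one token is dead text; `Options FollowSymLinks` is what was meant. Because `/uploads` and `/autobuild` are `Require all granted` with `Indexes`, everything written into those trees is publicly listed, and with FollowSymLinks a symlink dropped there by a build job is served from wherever it points; if the autobuild tree is written by a non-root build account, `SymLinksIfOwnerMatch` is the safer option. The vhost_pkgsubmit.conf removed in this commit already granted the same public access to /uploads, so that part is not a regression, but it is worth a comment stating that the listing is intentionally public.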
@@ -1,245 +0,0 @@ -<% -escaped_domain = domain.gsub('.','\.') -%> - -home: <%= sched_home_dir %> - -# repository declaration -repository: - class: Youri::Repository::Mageia - options: - install_root: <%= repository_root %>/distrib - upload_root: ${home}/uploads/ - upload_state: todo done queue - queue: todo - noarch: i586 - svn: svn+ssh://svn.<%= domain %>/svn/packages/cauldron/ - 2: - arch: i586 x86_64 - 1: - arch: i586 x86_64 - infra_1: - arch: i586 x86_64 - infra_2: - arch: i586 x86_64 - cauldron: - arch: i586 x86_64 - -# targets definition -targets: - cauldron: - checks: - - source - - deps - - version - #- svn - - tag - - acl - - host - #- section - - rpmlint - - recency - #- history - - queue_recency - actions: - - send - - rpminfo - - ulri - - 1: - checks: - - source - - version - #- svn - - tag - - acl - - host - #- section - - rpmlint - - recency - #- history - - queue_recency - actions: - - send - - rpminfo - - ulri - - 2: - checks: - - source - - version - #- svn - - tag - - acl - - host - #- section - - rpmlint - - recency - #- history - - queue_recency - actions: - - send - - rpminfo - - ulri - - infra_1: - checks: - - source - - version - - tag - - acl - - rpmlint - - recency - - queue_recency - actions: - - send - - rpminfo - - ulri - - infra_2: - checks: - - source - - version - - tag - - acl - - rpmlint - - recency - - queue_recency - actions: - - send - - rpminfo - - ulri - -# checks definition -checks: - tag: - class: Youri::Submit::Check::Tag - options: - tags: - release: 'mga\d+' - # packager: '<\S+@<%= escaped_domain %>>$' - distribution: '^Mageia' - vendor: '^Mageia.Org$' - - recency: - class: Youri::Submit::Check::Recency - - queue_recency: - class: Youri::Submit::Check::Queue_recency - - host: - class: Youri::Submit::Check::Host - options: - host_file: /etc/youri/host.conf - - section: - class: Youri::Submit::Check::Section - - rpmlint: - class: Youri::Submit::Check::Rpmlint - options: - config: /etc/rpmlint/config - results: - - 
buildprereq-use - - no-description-tag - - no-summary-tag - - non-standard-group - - non-xdg-migrated-menu - # it breaks dbus - #- patch-not-applied - - percent-in-conflicts - - percent-in-dependency - - percent-in-obsoletes - - percent-in-provides - - summary-ended-with-dot - - invalid-spec-name - - noarch-python-in-64bit-path - cauldron: - config: /usr/share/rpmlint/config - path: /usr/bin/rpmlint - 1: - config: /usr/share/rpmlint/config.mga2 - path: /usr/bin/mga2-rpmlint - 2: - config: /usr/share/rpmlint/config.mga2 - path: /usr/bin/mga2-rpmlint - infra_1: - config: /usr/share/rpmlint/config.mga2 - path: /usr/bin/mga2-rpmlint - infra_2: - config: /usr/share/rpmlint/config.mga2 - path: /usr/bin/mga2-rpmlint - svn: - class: Youri::Submit::Check::SVN - - acl: - class: Youri::Submit::Check::ACL - options: - acl_file: /etc/youri/acl.conf - - history: - class: Youri::Submit::Check::History - - source: - class: Youri::Submit::Check::Source - - precedence: - class: Youri::Submit::Check::Precedence - options: - target: cauldron - - version: - class: Youri::Submit::Check::Version - options: - 2: - authorized_packages: none_package_authorized - authorized_sections: ^(core|nonfree|tainted)/(updates_testing|backports_testing)$ - authorized_arches: none - mode: freeze - - 1: - authorized_packages: none_package_authorized - # authorized_sections: ^(core|nonfree|tainted)/(updates_testing|backports_testing)$ - authorized_arches: none - mode: freeze - - cauldron: - authorized_sections: ^[a-z]+/updates_testing$ - authorized_packages: ^$ - authorized_arches: none - authorized_users: ^<%= scope.function_group_members(['mga-release_managers']).join('|') %>$ - mode: normal -# mode: version_freeze -# mode: freeze - - deps: - class: Youri::Submit::Check::Deps - -# actions definitions -actions: - send: - class: Youri::Submit::Action::Send - options: - user: <%= sched_login %> - keep_svn_release: yes - uphost: pkgsubmit.<%= domain %> - root: ${home}/uploads - ssh_key: ${home}/.ssh/id_rsa 
- - rpminfo: - class: Youri::Submit::Action::Rpminfo - options: - user: <%= sched_login %> - uphost: pkgsubmit.<%= domain %> - root: ${home}/uploads - ssh_key: ${home}/.ssh/id_rsa - - ulri: - class: Youri::Submit::Action::Ulri - options: - user: <%= sched_login %> - uphost: pkgsubmit.<%= domain %> - ssh_key: ${home}/.ssh/id_rsa - logfile: /var/log/<%= sched_login %>/ulri.log - -# vim:ft=yaml:et:sw=4 diff --git a/modules/buildsystem/templates/youri/submit-upload.conf b/modules/buildsystem/templates/youri/submit-upload.conf deleted file mode 100644 index 879296cb..00000000 --- a/modules/buildsystem/templates/youri/submit-upload.conf +++ /dev/null 
@@ -1,403 +0,0 @@ -<% -Puppet::Parser::Functions.autoloader.loadall -escaped_domain = domain.gsub('.','\.') -%> - -home: <%= sched_home_dir %> - -# repository declaration -repository: - class: Youri::Repository::Mageia - options: - install_root: <%= repository_root %>/distrib - upload_root: ${home}/uploads/ - archive_root: <%= packages_archivedir %> - upload_state: queue - queue: queue - noarch: i586 - svn: svn+ssh://svn.<%= domain %>/svn/packages/cauldron/ - 2: - arch: i586 x86_64 - 1: - arch: i586 x86_64 - infra_1: - arch: i586 x86_64 - infra_2: - arch: i586 x86_64 - cauldron: - arch: i586 x86_64 - -# targets definition -targets: - cauldron: - checks: - - version - - tag - - acl - - rpmlint - - recency - actions: - - markrelease - - sign - - install - - link - - unpack_release_notes - - unpack_gfxboot_theme - - unpack_meta_task - - unpack_installer_images - - unpack_installer_images_nonfree - - unpack_installer_stage2 - - unpack_installer_advertising - - unpack_installer_rescue - - unpack_syslinux -# - dkms_module_info - - archive - - mail - - maintdb - posts: - - genhdlist2 - - clean_rpmsrate - - mirror - - 1: - checks: - - version - - tag - - acl - - rpmlint - - recency - actions: -# - markrelease - - sign - - install - - link -# - unpack_release_notes -# - unpack_gfxboot_theme -# - unpack_meta_task -# - unpack_installer_images -# - unpack_installer_stage2 -# - unpack_installer_advertising -# - unpack_installer_rescue -# - dkms_module_info - - archive - - mail -# - maintdb - posts: - - genhdlist2 - - clean_rpmsrate - - mirror - - 2: - checks: - - version - - tag - - acl - - rpmlint - - recency - actions: -# - markrelease - - sign - - install - - link -# - unpack_release_notes -# - unpack_gfxboot_theme -# - unpack_meta_task -# - unpack_installer_images -# - unpack_installer_stage2 -# - unpack_installer_advertising -# - unpack_installer_rescue -# - dkms_module_info - - archive - - mail -# - maintdb - posts: - - genhdlist2 - - clean_rpmsrate - - mirror - - 
infra_1: - checks: - - version - - tag - - acl - - rpmlint - - recency - actions: - - sign - - install - - link - - archive - posts: - - genhdlist2 - - infra_2: - checks: - - version - - tag - - acl - - rpmlint - - recency - actions: - - sign - - install - - link - - archive - posts: - - genhdlist2 - -# checks definition -checks: - tag: - class: Youri::Submit::Check::Tag - options: - tags: - release: 'mga\d+' - # packager: '<\S+@<%= escaped_domain %>>$' - distribution: '^Mageia' - vendor: '^Mageia.Org$' - - recency: - class: Youri::Submit::Check::Recency - - queue_recency: - class: Youri::Submit::Check::Queue_recency - - host: - class: Youri::Submit::Check::Host - options: - host_file: /etc/youri/host.conf - - section: - class: Youri::Submit::Check::Section - - rpmlint: - class: Youri::Submit::Check::Rpmlint - options: - results: - - buildprereq-use - - no-description-tag - - no-summary-tag - - non-standard-group - - non-xdg-migrated-menu - # it breaks dbus - #- patch-not-applied - - percent-in-conflicts - - percent-in-dependency - - percent-in-obsoletes - - percent-in-provides - - summary-ended-with-dot - - unexpanded-macro - - unknown-lsb-keyword - - malformed-line-in-lsb-comment-block - - empty-%postun - - empty-%post - - invalid-desktopfile - - standard-dir-owned-by-package - - use-tmp-in-%postun - - bogus-variable-use-in-%posttrans - - dir-or-file-in-usr-local - - dir-or-file-in-tmp - - dir-or-file-in-mnt - - dir-or-file-in-opt - - dir-or-file-in-home - - dir-or-file-in-var-local - cauldron: - config: /usr/share/rpmlint/config - path: /usr/bin/rpmlint - 1: - config: /usr/share/rpmlint/config.mga2 - path: /usr/bin/mga2-rpmlint - 2: - config: /usr/share/rpmlint/config.mga2 - path: /usr/bin/mga2-rpmlint - infra_1: - config: /usr/share/rpmlint/config.mga2 - path: /usr/bin/mga2-rpmlint - infra_2: - config: /usr/share/rpmlint/config.mga2 - path: /usr/bin/mga2-rpmlint - svn: - class: Youri::Submit::Check::SVN - - acl: - class: Youri::Submit::Check::ACL - options: - 
acl_file: /etc/youri/acl.conf - - history: - class: Youri::Submit::Check::History - - source: - class: Youri::Submit::Check::Source - - precedence: - class: Youri::Submit::Check::Precedence - options: - target: cauldron - - version: - class: Youri::Submit::Check::Version - options: - 2: - authorized_packages: none_package_authorized - authorized_sections: ^(debug/)?(core|nonfree|tainted)/(updates_testing|backports_testing)$ - authorized_arches: none - mode: freeze - - 1: - authorized_packages: none_package_authorized - # authorized_sections: ^(debug/)?(core|nonfree|tainted)/(updates_testing|backports_testing)$ - authorized_arches: none - mode: freeze - - infra_1: - authorized_users: ^<%= scope.function_group_members(['mga-sysadmin']).join('|') %>$ - mode: freeze - - infra_2: - authorized_users: ^<%= scope.function_group_members(['mga-sysadmin']).join('|') %>$ - mode: freeze - - cauldron: -# <mrl> Prior freeze - mode: normal -## <blino> Version freeze -# authorized_packages: ^$ -# authorized_sections: ^(debug/)?(core|nonfree|tainted)/updates_testing$ -# authorized_arches: ^$ -# authorized_users: ^blino|ennael|nvigier$ -# mode: version_freeze -# <mrl> Freeze config -# authorized_packages: ^mdkonline|drakxtools|urpmi|ia_ora-gnome|ldetect|ldetect-lst|rpm-mageia-setup|perl-MDK-Common$ -# authorized_packages: none_package_authorized -# authorized_sections: ^restricted/release|main/updates_testing|contrib/updates_testing$ -# authorized_arches: none -# authorized_users: ^blino|ennael|nvigier$ -# mode: freeze - -# actions definitions -actions: - install: - class: Youri::Submit::Action::Install - - markrelease: - class: Youri::Submit::Action::Markrelease - - link: - class: Youri::Submit::Action::Link - - archive: - class: Youri::Submit::Action::Archive - - clean: - class: Youri::Submit::Action::Clean - - sign: - class: Youri::Submit::Action::Sign - options: - signuser: <%= scope.lookupvar('buildsystem::signbot::login') %> - path: <%= 
scope.lookupvar('buildsystem::signbot::sign_keydir') %> - name: <%= scope.lookupvar('buildsystem::signbot::keyid') %> - signscript: /usr/local/bin/sign-check-package - - unpack_gfxboot_theme: - class: Youri::Submit::Action::Unpack - options: - name: mageia-gfxboot-theme - source_subdir: /usr/share/gfxboot/themes/Mageia/install/ - dest_directory: isolinux - unpack_inside_distribution_root: 1 - - unpack_meta_task: - class: Youri::Submit::Action::Unpack - options: - name: meta-task - source_subdir: /usr/share/meta-task - dest_directory: media/media_info - unpack_inside_distribution_root: 1 - - unpack_installer_images: - class: Youri::Submit::Action::Unpack - options: - name: drakx-installer-images - source_subdir: /usr/lib*/drakx-installer-images - dest_directory: . - preclean_directory: install/images/alternatives - unpack_inside_distribution_root: 1 - - unpack_installer_images_nonfree: - class: Youri::Submit::Action::Unpack - options: - name: drakx-installer-images-nonfree - source_subdir: /usr/lib*/drakx-installer-images - dest_directory: . - unpack_inside_distribution_root: 1 - - unpack_installer_stage2: - class: Youri::Submit::Action::Unpack - options: - name: drakx-installer-stage2 - source_subdir: /usr/lib*/drakx-installer-stage2 - dest_directory: . - unpack_inside_distribution_root: 1 - - unpack_installer_advertising: - class: Youri::Submit::Action::Unpack - options: - name: drakx-installer-advertising - source_subdir: /usr/share/drakx-installer-advertising - dest_directory: . - unpack_inside_distribution_root: 1 - - unpack_installer_rescue: - class: Youri::Submit::Action::Unpack - options: - name: drakx-installer-rescue - source_subdir: /usr/lib*/drakx-installer-rescue - dest_directory: install/stage2 - unpack_inside_distribution_root: 1 - - unpack_release_notes: - class: Youri::Submit::Action::Unpack - options: - name: mageia-release-common - source_subdir: /usr/share/doc/mageia-release-common - grep_files: release-notes.* - dest_directory: . 
- unpack_inside_distribution_root: 1 - - unpack_syslinux: - class: Youri::Submit::Action::Unpack - options: - name: syslinux - source_subdir: /usr/lib/syslinux/ - grep_files: hdt.c32 - dest_directory: isolinux - unpack_inside_distribution_root: 1 - - mail: - class: Youri::Submit::Action::Mail - options: - mta: /usr/sbin/sendmail - to: changelog@ml.<%= domain %> - reply_to: mageia-dev@<%= domain %> - from: buildsystem-daemon@<%= domain %> - prefix: RPM - - maintdb: - class: Youri::Submit::Action::UpdateMaintDb - options: - -posts: - genhdlist2: - class: Youri::Submit::Post::Genhdlist2 - options: - command: /usr/bin/genhdlist2 - clean_rpmsrate: - class: Youri::Submit::Post::CleanRpmsrate - mirror: - class: Youri::Submit::Post::Mirror - options: - destination: /distrib/mirror/distrib - -# vim:ft=yaml:et:sw=4 diff --git a/modules/buildsystem/templates/youri/submit.conf b/modules/buildsystem/templates/youri/submit.conf new file mode 100644 index 00000000..0d7cf927 --- /dev/null +++ b/modules/buildsystem/templates/youri/submit.conf 
@@ -0,0 +1,140 @@ +<% +Puppet::Parser::Functions.autoloader.loadall +sched_home_dir = scope.lookupvar('buildsystem::var::scheduler::homedir') + +conf = scope.lookupvar('buildsystem::var::youri::youri_conf') +conf_default = scope.lookupvar('buildsystem::var::youri::youri_conf_default') +distros = scope.lookupvar('buildsystem::var::distros::distros') + +def line(text, indent) + res = '' + i = 0 + while i < indent + res += ' ' + i += 1 + end + res += text + "\n" +end + +def array_text(array, indent) + res = '' + array.each{|a| + res += line('- ' + a, indent) + } + return res +end + +def hash_text(hash, indent) + res = '' + curindent = indent + hash.keys.sort.each{|key| + if hash[key].instance_of? Hash + res += line(key + ':', indent) + res += hash_text(hash[key], indent + 4) + elsif hash[key].instance_of? Array + res += line(key + ':', indent) + res += array_text(hash[key], indent + 4) + elsif hash[key].instance_of? String + res += line(key + ': ' + hash[key], indent) + end + } + return res +end + +def class_hash(conf, conf_default) + res = {} + res['class'] = get_conf(conf, ['class']) == nil ? + conf_default['class'] : conf['class'] + res['options'] = get_conf(conf_default, ['options']) == nil ? {} : + conf_default['options'].dup + if get_conf(conf, ['options']) != nil + res['options'].merge!(conf['options']) + end + return res +end + +def get_conf(conf, path) + res = conf + path.each{|p| + if res == nil + return nil + end + res = res[p] + } + return res +end + +def get_distros_conf(distros, conf_name, path) + res = {} + distros.keys.each{|distro| + t = get_conf(distros[distro], [ 'youri', conf_name ] + path) + if t != nil + res[distro] = t.dup + end + } + return res +end + +def get_definitions(def_name, conf_name, conf, conf_default, distros) + res = {} + res[def_name] = {} + def_list = conf_default[conf_name][def_name].keys + def_list += get_conf(conf, [ conf_name, def_name ]) != nil ? 
\ + conf[conf_name][def_name].keys : [] + def_list.uniq.each{|d| + res[def_name][d] = class_hash( + get_conf(conf, [ conf_name, def_name, d ]), + get_conf(conf_default, [ conf_name, def_name, d ]) + ) + res[def_name][d]['options'].merge!(get_distros_conf(distros, + conf_name, [ def_name, d ])) + } + return res +end + +%> +home: <%= sched_home_dir %> + +<%- + repository = { + 'repository' => class_hash(get_conf(conf[conf_name], + ['repository']), + conf_default[conf_name]['repository']), + } + distros.keys.each{|distro| + repository['repository']['options'][distro] = { + 'arch' => distros[distro]['arch'].join(' '), + } + } +-%> +# repository declaration +<%= hash_text(repository, 0) %> + +<%- + targets = { + 'targets' => get_distros_conf(distros, conf_name, [ 'targets' ]), + } +-%> +# targets definition +<%= hash_text(targets, 0) %> + +<%- + checks = get_definitions('checks', conf_name, conf, conf_default, distros) +-%> +# checks definition +<%= hash_text(checks, 0) -%> + +<%- + actions = get_definitions('actions', conf_name, conf, conf_default, distros) +-%> +# actions definitions +<%= hash_text(actions, 0) -%> + +<%- + posts = get_definitions('posts', conf_name, conf, conf_default, distros) +-%> + +# posts definitions +<%= hash_text(posts, 0) -%> + +# vim:ft=yaml:et:sw=4 diff --git a/modules/catdap/manifests/init.pp b/modules/catdap/manifests/init.pp index 9cb4d22f..f7172208 100644 --- a/modules/catdap/manifests/init.pp +++ b/modules/catdap/manifests/init.pp @@ -1,6 +1,6 @@ class catdap { - $upstream_svn = 'svn://svn.mageia.org/svn/soft/identity/CatDap/' + $upstream_git = "git://git.${::domain}/web/identity" # TODO switch to a proper rpm packaging $rpm_requirement = ['perl-Catalyst-Runtime', @@ -16,7 +16,6 @@ class catdap { 'perl-Catalyst-Plugin-Session-Store-File', 'perl-Catalyst-Plugin-Static-Simple', 'perl-Catalyst-P-S-State-Cookie', - 'perl-Catalyst-P-S-Store-File', 'perl-Catalyst-View-Email', 'perl-Catalyst-View-TT', 'perl-Config-General', 
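Review bot: `hash_text` silently drops any value that is not a Hash, Array or String, so an Integer or boolean option in `youri_conf` would simply vanish from the generated YAML with no error, which is a painful failure to diagnose on a package-submission path. Add a fallback after the String branch, `else res += line(key + ': ' + hash[key].to_s, indent)`, or raise on unexpected types so the template fails at catalog compile time instead. `conf_name` is read (`conf[conf_name]`, `get_distros_conf(distros, conf_name, …)`) but never assigned in the template, so it must come from the Puppet scope; a one-line comment at the top saying so would help the next reader. `class_hash` also dereferences `conf_default['class']` without a nil guard, so a definition present only in `youri_conf` and lacking an explicit `class` raises NoMethodError rather than a readable message.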
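Review bot: `$upstream_git = "git://git.${::domain}/web/identity"` fetches the identity application over the plain git protocol, which has no transport authentication or integrity check, so anyone who can spoof `git.<domain>` on the path or via DNS can hand the host arbitrary Perl that then runs with the LDAP bind password from catdap_local.yml. The `svn://` URL it replaces had the same weakness, but the switch is the moment to fix it: use `ssh://` with a pinned host key or `https://`, and ideally have `git::snapshot` check out a specific commit or signed tag rather than a moving branch. Whether `git::snapshot` supports pinning a revision is not visible in this hunk.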
@@ -29,20 +28,20 @@ class catdap { 'perl-Crypt-Blowfish', 'perl-Email-Date-Format', 'perl-YAML-LibYAML', - 'perl-Catalyst-Plugin-Unicode-Encoding', 'perl-IO-Socket-INET6' ] package { $rpm_requirement: } $ldap_password = extlookup('catdap_ldap','x') - catdap::snapshot { "identity.$::domain": + catdap::snapshot { "identity.${::domain}": location => '/var/www/identity', - svn_location => "$upstream_svn/branches/live" + git_location => $upstream_git, + git_branch => 'topic/production', } - catdap::snapshot { "identity-trunk.$::domain": + catdap::snapshot { "identity-trunk.${::domain}": location => '/var/www/identity-trunk', - svn_location => "$upstream_svn/trunk" + git_location => $upstream_git, } } diff --git a/modules/catdap/manifests/snapshot.pp b/modules/catdap/manifests/snapshot.pp index 95adefe2..35ca692e 100644 --- a/modules/catdap/manifests/snapshot.pp +++ b/modules/catdap/manifests/snapshot.pp @@ -1,17 +1,18 @@ -define catdap::snapshot($location, $svn_location) { - file { "$location/catdap_local.yml": +define catdap::snapshot($location, $git_location, $git_branch = 'master') { + file { "${location}/catdap_local.yml": group => apache, mode => '0640', content => template('catdap/catdap_local.yml'), - require => Subversion::Snapshot[$location], + require => Git::Snapshot[$location], } - subversion::snapshot { $location: - source => $svn_location + git::snapshot { $location: + source => $git_location, + branch => $git_branch, } apache::vhost::catalyst_app { $name: - script => "$location/script/catdap_fastcgi.pl", + script => "${location}/script/catdap_fastcgi.pl", location => $location, use_ssl => true, } diff --git a/modules/catdap/templates/catdap_local.yml b/modules/catdap/templates/catdap_local.yml index 48dbc99a..d982b40b 100644 --- a/modules/catdap/templates/catdap_local.yml +++ b/modules/catdap/templates/catdap_local.yml 
@@ -6,15 +6,15 @@ ldap_account = "cn=catdap-#{hostname},ou=System Accounts,#{dc_suffix}" organisation: Mageia apptitle: Mageia Identity Management -emailfrom: noreply@<%= domain %> +emailfrom: noreply@<%= @domain %> Model::Proxy: - base: ou=People,<%= dc_suffix %> + base: ou=People,<%= @dc_suffix %> dn: <%= ldap_account %> - password: <%= ldap_password %> + password: <%= scope.lookupvar("catdap::ldap_password") %> Model::User: - base: <%= dc_suffix %> + base: <%= @dc_suffix %> host: <%= ldap_server %> start_tls: 1 
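Review bot: The migration from bare template variables to `@var`/`scope.lookupvar` is left half done: `emailfrom`, the `base:` lines and the password were converted, but `host: <%= ldap_server %>` still uses the bare form (as does the `ldap_server:` line in the next hunk), which Puppet 3 reports as deprecated and which will break outright on later releases. Finish it with `host: <%= @ldap_server %>`. The Ruby prelude shown in the hunk header (`ldap_account = "cn=catdap-#{hostname},ou=System Accounts,#{dc_suffix}"`) appears to interpolate `hostname` and `dc_suffix` the same bare way and is outside this hunk.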
@@ -25,29 +25,98 @@ authentication: store: ldap_server: <%= ldap_server %> binddn: <%= ldap_account %> - bindpw: <%= ldap_password %> - user_basedn: ou=People,<%= dc_suffix %> - role_basedn: <%= dc_suffix %> + bindpw: <%= scope.lookupvar("catdap::ldap_password") %> + user_basedn: ou=People,<%= @dc_suffix %> + role_basedn: <%= @dc_suffix %> register: - login_regex: ^[a-z][a-z0-9-]*$ + login_regex: ^[a-z][a-z0-9]*$ login_blacklist: + - abuse - apache - - mirror - bcd - - iurt - - schedbot - - signbot - - postmaster - hostmaster - - abuse - - noc - - security + - iurt - listmaster - MAILER-DAEMON - - webmaster - - www - - treasurer + - mirror + - noc + - postmaster - president + - schedbot - secretary - security + - signbot + - treasurer + - webmaster + - www + + email_domain_blacklist: + - armyspy.com + - bitmessage.ch + - codehot.co.uk + - crazymailing.com + - dayrep.com + - group.mageia.org + - grr.la + - guerrillamail.biz + - guerrillamail.com + - guerrillamail.de + - guerrillamail.info + - guerrillamail.net + - guerrillamail.org + - guerrillamailblock.com + - jourrapide.com + - ml.mageia.org + - namecheap.com + - pokemail.net + - rhyta.com + - runbox.com + - sharklasers.com + - spam4.me + - vmani.com + - wowring.ru + - yopmail.com + - zasod.com + +Controller::User: + editable_attrs: + - cn + - sn + - givenName + - mobile + - mailForwardingAddress + - preferredLanguage + uneditable_attrs: + - uid + - uidNumber + - gidNumber + - homeDirectory + - mail + - sshPublicKey + - loginShell + skip_attrs: + - objectClass + - krb5Key + - sambaMungedDial + - sambaPasswordHistory + - userPassword + - sambaLMPassword + - sambaNTPassword + - sambaPwdMustChange + - sambaSID + - sambaPrimaryGroupSID + - sambaAcctFlags + - sambaPwdCanChange + - sambaPwdLastSet + - sambaKickOffTime + - sambaUserWorkstations + - sambaLogonTime + - krb5KeyVersionNumber + - krb5PasswordEnd + - krb5MaxLife + - krb5MaxRenew + - krb5KDCFlags + - shadowLastChange + - roomNumber + - secretary 
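Review bot: `Controller::User` is configured as a denylist: every LDAP attribute not listed under `skip_attrs` is shown, so a sensitive attribute added to the schema later (another krb5*/samba* hash, a recovery token) would be exposed by default until someone remembers this file. If CatDap offers only a skip list, record that invariant next to it, e.g. `# Denylist: any attribute not listed here is displayed to the user - review when the schema changes.`; if it supports an allowlist, prefer that. `email_domain_blacklist` is a flat list of exact domains; whether CatDap compares case-insensitively or also rejects subdomains is not visible here and is worth confirming, since `Mail.GuerrillaMail.com` or `x.guerrillamail.com` would otherwise slip through.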
diff --git a/modules/cgit/manifests/init.pp b/modules/cgit/manifests/init.pp
new file mode 100644
index 00000000..60dc9bad
--- /dev/null
+++ b/modules/cgit/manifests/init.pp
@@ -0,0 +1,27 @@
+class cgit {
+ package { 'cgit': }
+
+ file { '/etc/cgitrc':
+ content => template('cgit/cgitrc'),
+ notify => Service['apache'],
+ require => Package['cgit'],
+ }
+
+ apache::webapp_other { 'cgit':
+ webapp_file => 'cgit/webapp.conf',
+ }
+
+ mga_common::local_script { 'cgit.filter.commit-links.sh':
+ content => template('cgit/filter.commit-links.sh'),
+ }
+
+ apache::vhost::base { "gitweb.${::domain}":
+ content => template('cgit/vhost.conf')
+ }
+
+ apache::vhost::base { "ssl_gitweb.${::domain}":
+ use_ssl => true,
+ vhost => "gitweb.${::domain}",
+ content => template('cgit/vhost.conf')
+ }
+}
diff --git a/modules/cgit/templates/cgitrc b/modules/cgit/templates/cgitrc
new file mode 100644
index 00000000..1e1a399c
--- /dev/null
+++ b/modules/cgit/templates/cgitrc
@@ -0,0 +1,137 @@ +# +# See cgitrc(5) or /usr/share/doc/cgit-*/cgitrc.5.html for details +# + +# Enable caching of up to 1000 output entries +cache-size=1000 + + +# Specify some default clone urls using macro expansion +clone-url=git://git.mageia.org/$CGIT_REPO_URL ssh://git@git.mageia.org/$CGIT_REPO_URL + +# Specify the css url +css=/cgit-data/cgit.css + + +# Show owner on index page +enable-index-owner=1 + + +# Allow http transport git clone +enable-git-clone=1 + + +# Show extra links for each repository on the index page +enable-index-links=1 + + +# Enable ASCII art commit history graph on the log pages +enable-commit-graph=1 + + +# Show number of affected files per commit on the log pages +enable-log-filecount=1 + + +# Show number of added/removed lines per commit on the log pages +enable-log-linecount=1 + + +# Sort branches by date +branch-sort=age + + +# Add a cgit favicon +#favicon=/favicon.ico + + +# Use a custom logo +logo=//nav.mageia.org/css/mageia-logo-nav-3.png + +# Try to avoid pagination on the mail page (until we have too many software repos) +max-repo-count=200 + +# Enable statistics per week, month and quarter +max-stats=quarter + + +# Set the title and heading of the repository index page +root-title=Mageia git Repositories + + +# Set a subheading for the repository index page +root-desc=A web frontend to the git repositories of the Mageia project + + +# Include some more info about example.com on the index page +#root-readme=/var/www/htdocs/about.html + + +# Allow download of tar.gz, tar.bz2 and zip-files +#snapshots=tar.gz tar.bz2 zip +snapshots=all + + +## +## List of common mimetypes +## + +mimetype.gif=image/gif +mimetype.html=text/html +mimetype.jpg=image/jpeg +mimetype.jpeg=image/jpeg +mimetype.pdf=application/pdf +mimetype.png=image/png +mimetype.svg=image/svg+xml + + +# Highlight source code with python pygments-based highlighter +source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh + +# Format markdown, restructuredtext, 
manpages, text files, and html files +# through the right converters +about-filter=/usr/libexec/cgit/filters/about-formatting.sh + +## +## Search for these files in the root of the default branch of repositories +## for coming up with the about page: +## +readme=:README.mga.md +readme=:README.md +readme=:README.rst +readme=:README.html +readme=:README.txt +readme=:README +readme=:INSTALL.md +readme=:INSTALL.rst +readme=:INSTALL.html +readme=:INSTALL.txt +readme=:INSTALL + +# Special Case mainly for initscripts git repo where we cannot write to master +readme=distro/mga:README.md + +## +## List of repositories. +## PS: Any repositories listed when section is unset will not be +## displayed under a section heading +## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos') +## and included like this: +## include=/etc/cgitrepos +## + +#repo.url=foo +#repo.path=/var/lib/git/foo.git +#repo.desc=the master foo repository +#repo.owner=fooman@example.com +#repo.readme=info/web/about.html + + +commit-filter=/usr/local/bin/cgit.filter.commit-links.sh + +enable-git-config=1 +section-from-path=-1 +case-sensitive-sort=0 +remove-suffix=1 +scan-path=/git +enable-http-clone=0 diff --git a/modules/cgit/templates/filter.commit-links.sh b/modules/cgit/templates/filter.commit-links.sh new file mode 100755 index 00000000..f0f7ee14 --- /dev/null +++ b/modules/cgit/templates/filter.commit-links.sh 
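Review bot: `readme=:README.html` (and `INSTALL.html`) together with `about-filter=/usr/libexec/cgit/filters/about-formatting.sh` is a stored-XSS vector: cgit's upstream about-formatting.sh passes `.htm`/`.html` files through `cat` unmodified, so anyone who can push a README.html to any repository under `scan-path=/git` can run script in the gitweb origin for every visitor of that repo's about page. Unless the packaged filter has been changed to sanitise HTML, drop the two `.html` entries. Separately, `enable-git-clone=1` near the top and `enable-http-clone=0` at the bottom contradict each other; cgit ignores keys it does not recognise and the last recognised setting wins, so dumb-HTTP clone is effectively off - delete the `# Allow http transport git clone` block so the file states what it does.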
@@ -0,0 +1,44 @@
+#!/bin/sh
+# This script can be used to generate links in commit messages.
+#
+# To use this script, refer to this file with either the commit-filter or the
+# repo.commit-filter options in cgitrc.
+#
+# The following environment variables can be used to retrieve the configuration
+# of the repository for which this script is called:
+# CGIT_REPO_URL ( = repo.url setting )
+# CGIT_REPO_NAME ( = repo.name setting )
+# CGIT_REPO_PATH ( = repo.path setting )
+# CGIT_REPO_OWNER ( = repo.owner setting )
+# CGIT_REPO_DEFBRANCH ( = repo.defbranch setting )
+# CGIT_REPO_SECTION ( = section setting )
+# CGIT_REPO_CLONE_URL ( = repo.clone-url setting )
+#
+
+regex=''
+
+# This expression generates links to commits referenced by their SHA1.
+regex=$regex'
+s|\b([0-9a-fA-F]{7,40})\b|<a href="./?id=\1">\1</a>|g'
+
+# This expression generates links various common bugtrackers.
+# When editing this list, remember to edit the same list in
+# deployment/mgagit/templates/git-post-receive-hook
+regex=$regex'
+s|mga#([0-9]+)\b|<a href="https://bugs.mageia.org/\1">mga#\1</a>|g'
+regex=$regex'
+s|rhbz#([0-9]+)\b|<a href="https://bugzilla.redhat.com/show_bug.cgi?id=\1">rhbz#\1</a>|g'
+regex=$regex'
+s|fdo#([0-9]+)\b|<a href="https://bugs.freedesktop.org/show_bug.cgi?id=\1">fdo#\1</a>|g'
+regex=$regex'
+s|bko#([0-9]+)\b|<a href="https://bugs.kde.org/show_bug.cgi?id=\1">bko#\1</a>|g'
+regex=$regex'
+s|kde#([0-9]+)\b|<a href="https://bugs.kde.org/show_bug.cgi?id=\1">kde#\1</a>|g'
+regex=$regex'
+s|bgo#([0-9]+)\b|<a href="https://bugzilla.gnome.org/show_bug.cgi?id=\1">bgo#\1</a>|g'
+regex=$regex'
+s|gnome#([0-9]+)\b|<a href="https://bugzilla.gnome.org/show_bug.cgi?id=\1">gnome#\1</a>|g'
+regex=$regex'
+s|lp#([0-9]+)\b|<a href="https://launchpad.net/bugs/\1">lp#\1</a>|g'
+
+sed -re "$regex"
diff --git a/modules/cgit/templates/vhost.conf b/modules/cgit/templates/vhost.conf
new file mode 100644
index 00000000..5c1d99e7
--- /dev/null
+++ b/modules/cgit/templates/vhost.conf
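Review bot: The SHA1 rule `s|\b([0-9a-fA-F]{7,40})\b|…|g` also matches any run of 7 to 40 decimal digits, so a seven-digit bug reference such as `mga#1234567` is first rewritten into a bogus `./?id=1234567` commit link, after which the `mga#` substitution below it no longer matches; dates like `20140101` get linked as commits too. This is inherited from cgit's upstream commit-links.sh, but it directly affects the tracker patterns this copy adds. POSIX ERE cannot express "contains a letter" together with a length bound, so either switch the script to `perl -pe` and use `\b(?=[0-9]*[a-f])([0-9a-f]{7,40})\b`, or at least document the limitation with `# NOTE: pure-digit runs of 7+ characters are also linked as commits`. The output is inserted into the page as HTML, so the `\1` captures are only safe if cgit has already HTML-escaped the message before piping it in, which I believe it does; a comment stating that assumption would help anyone extending the list.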
@@ -0,0 +1,8 @@ +Alias /cgit-data /usr/share/cgit +Alias /robots.txt /usr/share/cgit/robots.txt +ScriptAliasMatch ^(.*) /var/www/cgi-bin/cgit$1 + +<Directory /usr/share/cgit> + Order allow,deny + Allow from all +</Directory> diff --git a/modules/cgit/templates/webapp.conf b/modules/cgit/templates/webapp.conf new file mode 100644 index 00000000..4e1d8289 --- /dev/null +++ b/modules/cgit/templates/webapp.conf @@ -0,0 +1,3 @@ +# Disable standard cgit configuration +#Alias /cgit-data /usr/share/cgit +#ScriptAlias /cgit /var/www/cgi-bin/cgit diff --git a/modules/dashboard/manifests/init.pp b/modules/dashboard/manifests/init.pp index ff804010..34ef41b3 100644 --- a/modules/dashboard/manifests/init.pp +++ b/modules/dashboard/manifests/init.pp @@ -1,17 +1,17 @@ class dashboard { $dashboard_login = 'dashboard' - $dashboard_home_dir = "/var/lib/$dashboard_login" - $dashboard_dir = "$dashboard_home_dir/dashboard" - $dashboard_bindir = "$dashboard_home_dir/bin" - $dashboard_wwwdir = "/var/www/vhosts/dashboard.$::domain" + $dashboard_home_dir = "/var/lib/${dashboard_login}" + $dashboard_dir = "${dashboard_home_dir}/dashboard" + $dashboard_bindir = "${dashboard_home_dir}/bin" + $dashboard_wwwdir = "/var/www/vhosts/dashboard.${::domain}" user { $dashboard_login: comment => 'dashboard system user', home => $dashboard_home_dir, } - subversion::snapshot { $dashboard_dir: - source => "svn://svn.$::domain/soft/dashboard/", + git::snapshot { $dashboard_dir: + source => "git://git.${::domain}/web/generators/dashboard", } package { 'php-cli': } 
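Review bot: The `<Directory /usr/share/cgit>` block uses the mod_access_compat form `Order allow,deny` / `Allow from all`, which Apache 2.4 only honours when that compatibility module is loaded; `Require all granted` is the 2.4 equivalent, and I cannot tell from the hunk which httpd version this vhost targets. `ScriptAliasMatch ^(.*) /var/www/cgi-bin/cgit$1` hands every remaining path to the CGI, so the two `Alias` lines above it must stay first, since mod_alias applies the first matching directive in file order; a comment such as `# Alias lines must precede the catch-all ScriptAliasMatch` would protect that ordering from a well-meaning reshuffle.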
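Review bot: `git::snapshot { $dashboard_dir: source => "git://git.${::domain}/web/generators/dashboard" }` passes no `user`, so with git::snapshot's default (`$user = 'root'` in its own definition, not in this hunk) the clone and the periodic `git pull` run as root over the unauthenticated `git://` transport, while the `cron { 'update dashboard': ... }` entry later in this class executes `make_report` from that checkout as `$dashboard_login`. Using an `https://` source adds transport integrity for code that is executed on a schedule, and adding `user => $dashboard_login,` keeps the fetched tree owned by the same account that runs it rather than by root. The class body continues into the second hunk of this file.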
@@ -26,17 +26,17 @@ class dashboard { ensure => directory, } - file { "$dashboard_bindir/make_report": + file { "${dashboard_bindir}/make_report": mode => '0755', content => template('dashboard/make_report'), } - apache::vhost::base { "dashboard.$::domain": + apache::vhost::base { "dashboard.${::domain}": location => $dashboard_wwwdir, } cron { 'update dashboard': - command => "$dashboard_bindir/make_report", + command => "${dashboard_bindir}/make_report", user => $dashboard_login, hour => '*/2', minute => '15', diff --git a/modules/dashboard/templates/make_report b/modules/dashboard/templates/make_report index 25c2f316..5da59617 100644 --- a/modules/dashboard/templates/make_report +++ b/modules/dashboard/templates/make_report @@ -1,7 +1,7 @@ #!/bin/sh -dashboard_dir='<%= dashboard_dir %>' -dashboard_wwwdir='<%= dashboard_wwwdir %>' +dashboard_dir='<%= @dashboard_dir %>' +dashboard_wwwdir='<%= @dashboard_wwwdir %>' cd "$dashboard_dir" /usr/bin/php ./make_report.php > "$dashboard_wwwdir/index.html" diff --git a/modules/django_application/files/custom_backend.py b/modules/django_application/files/custom_backend.py index 828744fb..5ab35385 100644 --- a/modules/django_application/files/custom_backend.py +++ b/modules/django_application/files/custom_backend.py @@ -1,9 +1,7 @@ -from django_auth_ldap.backend import LDAPBackend,_LDAPUser +from django_auth_ldap.backend import LDAPBackend,_LDAPUser class ForceUidLDAPBackend(LDAPBackend): def ldap_to_django_username(self, username): # force uid if someone give a email return _LDAPUser(self, username=username).attrs['uid'][0] - - diff --git a/modules/django_application/files/django_add_permission_to_group.py b/modules/django_application/files/django_add_permission_to_group.py index 4fa77e8d..69ac7be5 100644 --- a/modules/django_application/files/django_add_permission_to_group.py +++ b/modules/django_application/files/django_add_permission_to_group.py 
@@ -16,12 +16,12 @@ if app: permissions = permissions.filter(content_type__app_label__exact=app) if len(permissions) > 1: - print "Error, result not unique, please give the application among :" - print ' '.join([p.content_type.app_label for p in permissions]) - sys.exit(1) + print "Error, result not unique, please give the application among :" + print ' '.join([p.content_type.app_label for p in permissions]) + sys.exit(1) elif len(permissions) < 1: - print "Error, wrong codename" - sys.exit(1) + print "Error, wrong codename" + sys.exit(1) group.permissions.add(permissions[0]) group.save() diff --git a/modules/django_application/files/django_create_group.py b/modules/django_application/files/django_create_group.py index 69079f66..b5052217 100644 --- a/modules/django_application/files/django_create_group.py +++ b/modules/django_application/files/django_create_group.py @@ -8,5 +8,3 @@ try: except Group.DoesNotExist: group = Group.objects.create(name=group_name) group.save() - - diff --git a/modules/django_application/manifests/add_permission_to_group.pp b/modules/django_application/manifests/add_permission_to_group.pp index 037ec882..6e0663ed 100644 --- a/modules/django_application/manifests/add_permission_to_group.pp +++ b/modules/django_application/manifests/add_permission_to_group.pp @@ -2,11 +2,10 @@ define django_application::add_permission_to_group( $path, $module, $group, $app='') { - exec { "/usr/local/bin/django_add_permission_to_group.py $group $name $app": + exec { "/usr/local/bin/django_add_permission_to_group.py ${group} ${name} ${app}": user => 'root', - environment => ["DJANGO_SETTINGS_MODULE=$module.settings", - "PYTHONPATH=$path" ], + environment => ["DJANGO_SETTINGS_MODULE=${module}.settings", + "PYTHONPATH=${path}" ], require => Django_application::Script['django_add_permission_to_group.py'] } } - diff --git a/modules/django_application/manifests/create_group.pp b/modules/django_application/manifests/create_group.pp index 26a9a811..1931205f 100644 
--- a/modules/django_application/manifests/create_group.pp +++ b/modules/django_application/manifests/create_group.pp @@ -1,8 +1,8 @@ define django_application::create_group($path, $module) { - exec { "/usr/local/bin/django_create_group.py $name": + exec { "/usr/local/bin/django_create_group.py ${name}": user => 'root', - environment => ["DJANGO_SETTINGS_MODULE=$module.settings", - "PYTHONPATH=$path" ], + environment => ["DJANGO_SETTINGS_MODULE=${module}.settings", + "PYTHONPATH=${path}" ], require => Django_application::Script['django_create_group.py'] } } diff --git a/modules/django_application/manifests/init.pp b/modules/django_application/manifests/init.pp index 2f209a54..f56f73ef 100644 --- a/modules/django_application/manifests/init.pp +++ b/modules/django_application/manifests/init.pp @@ -1,5 +1,5 @@ # this class hold the common stuff for all django applications -# as we cannot declare the same ressource twice ( ie, +# as we cannot declare the same resource twice ( ie, # python-psycopg2 for example ) # it is required to place this in a common class class django_application { diff --git a/modules/django_application/manifests/script.pp b/modules/django_application/manifests/script.pp index 96179c96..f414d864 100644 --- a/modules/django_application/manifests/script.pp +++ b/modules/django_application/manifests/script.pp @@ -1,8 +1,8 @@ define django_application::script() { file { $name: - path => "/usr/local/bin/$name", + path => "/usr/local/bin/${name}", mode => '0755', - source => "puppet:///modules/django_application/$name", + source => "puppet:///modules/django_application/${name}", } } diff --git a/modules/draklive/manifests/init.pp b/modules/draklive/manifests/init.pp index 38d44529..ade2527f 100644 --- a/modules/draklive/manifests/init.pp +++ b/modules/draklive/manifests/init.pp 
@@ -1,44 +1,45 @@ class draklive { $login = 'draklive' $home = '/home/draklive' - $config = "$home/live-config" - $var_data = "$home/var-data" + $config = "${home}/live-config" + $var_data = "${home}/var-data" # TODO merge with bcd - $isomakers_group = 'mga-iso_makers' + $isomakers_group = 'mga-iso_makers' - include sudo + include sudo group { $login: } - + user { $login: home => $home, comment => 'User for creating live ISOs', } - package { 'draklive': } + package { 'drakiso': } sudo::sudoers_config { 'draklive': content => template('draklive/sudoers.draklive') } - file { $var_data: - ensure => directory, - owner => $login, - group => $login, - mode => '0755', - } - - file { '/var/lib/draklive': - ensure => symlink, - target => $var_data, - } - - subversion::snapshot { $config: - source => "svn://svn.$::domain/soft/images-config/draklive/trunk/", + file { $var_data: + ensure => directory, + owner => $login, + group => $login, + mode => '0755', + } + + file { '/var/lib/draklive': + ensure => symlink, + target => $var_data, + } + + git::snapshot { $config: + source => "git://git.${::domain}/software/build-system/draklive-config", + user => $login, } cron { 'build live images': - command => "$config/tools/build_live.sh", + command => "${config}/tools/build_live.sh", user => $login, hour => '4', minute => '30', @@ -48,7 +49,7 @@ class draklive { mode => '0755', source => 'puppet:///modules/draklive/clean-live.sh', } - + cron { 'clean live build data': command => '/usr/local/bin/clean-live.sh', hour => '4', diff --git a/modules/draklive/templates/sudoers.draklive b/modules/draklive/templates/sudoers.draklive index 208d6967..536e4e9f 100644 --- a/modules/draklive/templates/sudoers.draklive +++ b/modules/draklive/templates/sudoers.draklive 
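Review bot: The `git::snapshot { $config: source => "git://git.${::domain}/software/build-system/draklive-config", user => $login }` block fetches over the unauthenticated `git://` transport, and `cron { 'build live images': command => "${config}/tools/build_live.sh", user => $login }` then executes a script from that checkout as the account the sudoers template grants passwordless root for draklive; an `https://` source would give that code path transport integrity. Separately, `package { 'drakiso': }` replaces the `draklive` package here while the companion sudoers template still lists `/usr/sbin/draklive` and `/usr/bin/draklive2`, so a comment such as `# drakiso provides draklive/draklive2; keep templates/sudoers.draklive in sync` would tie the two files together for the next maintainer. The class continues in the second hunk of this file and beyond it.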
@@ -1,2 +1,3 @@ -<%= login %> ALL=(root) NOPASSWD: /usr/sbin/draklive -%<%= isomakers_group %> ALL=(<%= login %>) SETENV: NOPASSWD: ALL +<%= @login %> ALL=(root) NOPASSWD: /usr/sbin/draklive +<%= @login %> ALL=(root) NOPASSWD: /usr/bin/draklive2 +%<%= isomakers_group %> ALL=(<%= @login %>) SETENV: NOPASSWD: ALL diff --git a/modules/epoll/manifests/create_db.pp b/modules/epoll/manifests/create_db.pp new file mode 100644 index 00000000..8ef9c0aa --- /dev/null +++ b/modules/epoll/manifests/create_db.pp @@ -0,0 +1,7 @@ +class epoll::create_db () { + postgresql::remote_db_and_user { $epoll::var::db_name: + description => 'Epoll database', + password => $epoll::var::db_password, + } +} +# vim: sw=2 diff --git a/modules/epoll/manifests/init.pp b/modules/epoll/manifests/init.pp index f00d2a3e..fb86f23a 100644 --- a/modules/epoll/manifests/init.pp +++ b/modules/epoll/manifests/init.pp @@ -1,23 +1,15 @@ class epoll { - - $vhost = "epoll.$::domain" + include epoll::var package { 'Epoll': } - apache::vhost::catalyst_app { $vhost: + apache::vhost::catalyst_app { $epoll::var::vhost: script => '/usr/bin/epoll_fastcgi.pl', use_ssl => true, require => Package['Epoll'] } - apache::vhost::redirect_ssl { $vhost: } - - $pgsql_password = extlookup('epoll_pgsql','x') - - postgresql::remote_db_and_user { 'epoll': - description => 'Epoll database', - password => $pgsql_password, - } + apache::vhost::redirect_ssl { $epoll::var::vhost: } file { 'epoll.yml': path => '/etc/epoll.yml', diff --git a/modules/epoll/manifests/var.pp b/modules/epoll/manifests/var.pp new file mode 100644 index 00000000..1ddc342a --- /dev/null +++ b/modules/epoll/manifests/var.pp 
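Review bot: The last line still reads `%<%= isomakers_group %>` while both `login` references on the lines above were changed to `@login`, so the template now mixes the deprecated bare-variable ERB lookup with instance-variable access; it should become `%<%= @isomakers_group %> ALL=(<%= @login %>) SETENV: NOPASSWD: ALL` for consistency and so the rule keeps rendering once bare lookups stop being supported. A template that renders sudoers rules is a bad place for a variable that silently evaluates to empty, since `%` followed by nothing is still syntactically plausible to sudo.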
@@ -0,0 +1,35 @@ +# == Class: epoll::var +# +# epoll configuration +# +# === Parameters +# +# [*vhost*] +# epoll vhost +# +# [*db_hostname*] +# hostname of the database server +# +# [*db_name*] +# name of the database +# +# [*db_user*] +# user to connect to the database +# +# [*db_password*] +# password to connect to the database +# +# [*password*] +# password to create new polls +# + +class epoll::var ( + $vhost = "epoll.${::domain}", + $db_hostname = 'localhost', + $db_name = 'epoll', + $db_user = 'epoll', + $db_password, + $password +) { +} +# vim: sw=2 diff --git a/modules/epoll/templates/epoll.yml b/modules/epoll/templates/epoll.yml index 0ca519c9..d442a41e 100644 --- a/modules/epoll/templates/epoll.yml +++ b/modules/epoll/templates/epoll.yml @@ -2,10 +2,10 @@ name: Vote # db: connection, see libpq documentation # dbname=BASENAME;host=SERVER;user=USER;password=PASS -db: dbname=epoll;host=localhost;user=epoll;password=<%= pgsql_password %> +db: dbname=<%= scope.lookupvar('epoll::var::db_name') %>;host=<%= scope.lookupvar('epoll::var::db_hostname') %>;user=<%= scope.lookupvar('epoll::var::db_user') %>;password=<%= scope.lookupvar('epoll::var::db_password') %> # The smtp serveur to use, default is localhost # smtp: # This change the poll creation behavior, instead ask want confirmation by # mail # it ask for this password (in clear) -# newpollpasswd: +newpollpasswd: <%= scope.lookupvar('epoll::var::password') %> diff --git a/modules/facter/lib/facter/dc_suffix.rb b/modules/facter/lib/facter/dc_suffix.rb index a8526978..c480e3ac 100644 --- a/modules/facter/lib/facter/dc_suffix.rb +++ b/modules/facter/lib/facter/dc_suffix.rb @@ -2,9 +2,9 @@ Facter.add("dc_suffix") do setcode do begin Facter.domain - rescue + rescue Facter.loadfacts() end dc_suffix = 'dc=' + Facter.value('domain').gsub('.',',dc=') end -end +end diff --git a/modules/facter/lib/facter/lib_dir.rb b/modules/facter/lib/facter/lib_dir.rb index fe7d6a31..315d7594 100644 
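Review bot: The parameter list of `class epoll::var (...)` puts the two required parameters, `$db_password` and `$password`, after the ones with defaults; puppet-lint's parameter_order check expects required parameters first, so reorder to `$db_password, $password, $vhost = "epoll.${::domain}", $db_hostname = 'localhost', $db_name = 'epoll', $db_user = 'epoll'`. The header comment could also say where the two required values are expected to come from, since the `epoll` class appears to do a plain `include epoll::var` and therefore relies on data binding (hiera or equivalent) to supply them; e.g. `# db_password and password have no defaults and must be provided via data binding`.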
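Review bot: The template now renders two secrets, `password=<%= scope.lookupvar('epoll::var::db_password') %>` and `newpollpasswd: <%= scope.lookupvar('epoll::var::password') %>`, into `/etc/epoll.yml`; the `file { 'epoll.yml': path => '/etc/epoll.yml', ...` resource in init.pp is cut off at the end of its hunk, so I cannot see whether it restricts `owner`, `group` and `mode`, and it should (e.g. `mode => '0640'` with the group the FastCGI process runs as) now that file permissions are what protects both passwords from other local accounts. A comment above the `db:` line, `# contains credentials: keep file mode restrictive`, would also warn the next editor.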
--- a/modules/facter/lib/facter/lib_dir.rb +++ b/modules/facter/lib/facter/lib_dir.rb @@ -2,9 +2,9 @@ Facter.add("lib_dir") do setcode do begin Facter.architecture - rescue + rescue Facter.loadfacts() end - '/usr/lib' + ( Facter.value('architecture') == "x86_64" ? '64' : '') + '/' + '/usr/lib' + ( Facter.value('architecture') == "x86_64" ? '64' : '') end -end +end diff --git a/modules/facter/lib/facter/wildcard_sslcert.rb b/modules/facter/lib/facter/wildcard_sslcert.rb index 1f7c4dd7..093982d9 100644 --- a/modules/facter/lib/facter/wildcard_sslcert.rb +++ b/modules/facter/lib/facter/wildcard_sslcert.rb @@ -1,16 +1,16 @@ Facter.add("wildcard_sslcert") do - setcode do - begin - Facter.domain - rescue - Facter.loadfacts() - end - sslfiles = '/etc/ssl/wildcard.' + Facter.value('domain') - if File.exist?(sslfiles + '.crt') and File.exist?(sslfiles + '.key') \ - and File.exist?(sslfiles + '.pem') - 'true' - else - 'false' - end - end + setcode do + begin + Facter.domain + rescue + Facter.loadfacts() + end + sslfiles = '/etc/ssl/wildcard.' + Facter.value('domain') + if File.exist?(sslfiles + '.crt') and File.exist?(sslfiles + '.key') \ + and File.exist?(sslfiles + '.pem') + 'true' + else + 'false' + end + end end diff --git a/modules/facter/spec/spec_helper.rb b/modules/facter/spec/spec_helper.rb index 81d9f79b..ec3fe615 100644 --- a/modules/facter/spec/spec_helper.rb +++ b/modules/facter/spec/spec_helper.rb @@ -32,4 +32,3 @@ RSpec.configure do |config| to_remove.each {|key| ENV.delete key } end end - diff --git a/modules/facter/spec/unit/lib_dir.rb b/modules/facter/spec/unit/lib_dir.rb index 1d5c4624..50049f19 100644 --- a/modules/facter/spec/unit/lib_dir.rb +++ b/modules/facter/spec/unit/lib_dir.rb 
@@ -5,14 +5,14 @@ require 'spec_helper' describe "Lib_dir fact" do it "should default to /usr/lib" do Facter.fact(:architecture).stubs(:value).returns("bogus") - Facter.fact(:lib_dir).value.should == "/usr/lib/" + Facter.fact(:lib_dir).value.should == "/usr/lib" end archs = Hash.new # TODO add arm 64 and others archs = { - "i586" => "/usr/lib/", - "x86_64" => "/usr/lib64/", + "i586" => "/usr/lib", + "x86_64" => "/usr/lib64", } archs.each do |arch, dir| it "should be #{dir} on #{arch}" do diff --git a/modules/git/files/apply_git_puppet_config.sh b/modules/git/files/apply_git_puppet_config.sh index 29ede998..1ed6fbf1 100644 --- a/modules/git/files/apply_git_puppet_config.sh +++ b/modules/git/files/apply_git_puppet_config.sh @@ -4,4 +4,4 @@ while read line do # --local is a option for the newer git git config --add $line -done < config.puppet +done < config.puppet diff --git a/modules/git/files/create_git_repo.sh b/modules/git/files/create_git_repo.sh index 1104edbe..144d063b 100644 --- a/modules/git/files/create_git_repo.sh +++ b/modules/git/files/create_git_repo.sh @@ -1,6 +1,6 @@ #!/bin/bash umask 0002 -# http://eagleas.livejournal.com/18907.html +# https://eagleas.livejournal.com/18907.html name="$1" mkdir -p $name cd $name @@ -8,4 +8,3 @@ git --bare init --shared=group chmod g+ws branches info objects refs ( cd objects; chmod g+ws * ) git config receive.denyNonFastForwards true - diff --git a/modules/git/manifests/mirror.pp b/modules/git/manifests/mirror.pp index 0e0c30cd..f7364846 100644 --- a/modules/git/manifests/mirror.pp +++ b/modules/git/manifests/mirror.pp 
@@ -3,18 +3,18 @@ define git::mirror( $source, $refresh = '*/5') { include git::common - exec { "/usr/bin/git clone --bare $source $name": - alias => "git mirror $name", + exec { "/usr/bin/git clone --mirror ${source} ${name}": + alias => "git mirror ${name}", creates => $name, - before => File["$name/description"], + before => File["${name}/description"], } - file { "$name/description": + file { "${name}/description": content => $description, } - cron { "update $name": - command => "cd $name ; /usr/bin/git fetch -q", + cron { "update ${name}": + command => "cd ${name} ; /usr/bin/git fetch -q", minute => $refresh } } diff --git a/modules/git/manifests/repository.pp b/modules/git/manifests/repository.pp deleted file mode 100644 index 4f4f0615..00000000 --- a/modules/git/manifests/repository.pp +++ /dev/null @@ -1,40 +0,0 @@ -define git::repository($group, - $description = '') { - - include git::server - # http://eagleas.livejournal.com/18907.html - # TODO group permission should be handled here too - exec { "/usr/local/bin/create_git_repo.sh $name": - user => 'root', - group => $group, - creates => $name, - } - - file { "$name/git-daemon-export-ok": - require => Exec["/usr/local/bin/create_git_repo.sh $name"] - } - - file { "$name/description": - content => $description, - require => File["$name/git-daemon-export-ok"] - } - - file { "$name/hooks/post-receive": - mode => '0755', - content => template('git/post-receive'), - require => File["$name/git-daemon-export-ok"] - } - - file { "$name/config.puppet": - require => File["$name/git-daemon-export-ok"], - notify => Exec["/usr/local/bin/apply_git_puppet_config.sh $name"], - content => template('git/config.puppet'), - } - - # $name is not really used, but this prevent duplicate declaration error - exec { "/usr/local/bin/apply_git_puppet_config.sh $name": - cwd => $name, - user => 'root', - refreshonly => true, - } -} 
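Review bot: The cron command `cd ${name} ; /usr/bin/git fetch -q` chains with `;`, so if the `cd` fails the fetch runs in the cron user's working directory instead of the mirror; git::snapshot in this same commit uses `&&` for the equivalent construct, so `command => "cd ${name} && /usr/bin/git fetch -q",` would be both safer and consistent. The define continues outside this hunk at the top.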
diff --git a/modules/git/manifests/server.pp b/modules/git/manifests/server.pp index 155cd9ae..3f07ed9c 100644 --- a/modules/git/manifests/server.pp +++ b/modules/git/manifests/server.pp @@ -7,10 +7,6 @@ class git::server { content => template('git/xinetd') } - file { $git_base_path: - ensure => directory - } - file { '/usr/local/bin/create_git_repo.sh': mode => '0755', source => 'puppet:///modules/git/create_git_repo.sh', @@ -24,16 +20,16 @@ class git::server { # TODO # define common syntax check, see svn - # http://stackoverflow.com/questions/3719883/git-hook-syntax-check + # https://stackoverflow.com/questions/3719883/git-hook-syntax-check # proper policy : fast-forward-only - # ( http://progit.org/book/ch7-4.html ) + # ( https://progit.org/book/ch7-4.html ) # no branch ? # no binary # no big file # no empty commit message # no commit from root - # see http://www.itk.org/Wiki/Git/Hooks - # automated push to another git repo ( see http://noone.org/blog/English/Computer/VCS/Thoughts%20on%20Gitorious%20and%20GitHub%20plus%20a%20useful%20git%20hook.futile + # see https://www.itk.org/Wiki/Git/Hooks + # automated push to another git repo ( see https://noone.org/blog/English/Computer/VCS/Thoughts%20on%20Gitorious%20and%20GitHub%20plus%20a%20useful%20git%20hook.futile # # how do we handle commit permission ? # mail sending diff --git a/modules/git/manifests/snapshot.pp b/modules/git/manifests/snapshot.pp index 8b903700..06473efe 100644 --- a/modules/git/manifests/snapshot.pp +++ b/modules/git/manifests/snapshot.pp 
@@ -1,22 +1,24 @@ define git::snapshot( $source, $refresh = '*/5', - $user = 'root') { + $user = 'root', + $branch = 'master') { include git::client #TODO # should handle branch -> clone -n + branch + checkout # create a script - # Idealy, should be handled by vcsrepo + # Ideally, should be handled by vcsrepo # https://github.com/bruce/puppet-vcsrepo # once it is merged in puppet - exec { "/usr/bin/git clone $source $name": + exec { "/usr/bin/git clone -b ${branch} ${source} ${name}": creates => $name, user => $user } - cron { "update $name": - # FIXME no -q ? - command => "cd $name && /usr/bin/git pull", - user => $user, - minute => $refresh + if ($refresh != '0') { + cron { "update ${name}": + command => "cd ${name} && /usr/bin/git pull -q && /usr/bin/git submodule --quiet update --init --recursive", + user => $user, + minute => $refresh + } } } diff --git a/modules/git/manifests/svn_repository.pp b/modules/git/manifests/svn_repository.pp index 93ddb792..ea215ce6 100644 --- a/modules/git/manifests/svn_repository.pp +++ b/modules/git/manifests/svn_repository.pp @@ -11,8 +11,8 @@ define git::svn_repository( $source, $options = '' } - exec { "/usr/bin/git svn init $options $source $name": - alias => "git svn $name", + exec { "/usr/bin/git svn init ${options} ${source} ${name}": + alias => "git svn ${name}", creates => $name, } @@ -21,15 +21,15 @@ define git::svn_repository( $source, source => 'puppet:///modules/git/update_git_svn.sh', } - cron { "update $name": + cron { "update ${name}": # done in 2 times, so fetch can fill the repo after init - command => "/usr/local/bin/update_git_svn.sh $name" , + command => "/usr/local/bin/update_git_svn.sh ${name}" , minute => $refresh } - file { "$name/.git/hooks/pre-receive": + file { "${name}/.git/hooks/pre-receive": mode => '0755', content => template('git/pre-receive'), - require => Exec["git svn $name"] + require => Exec["git svn ${name}"] } } 
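Review bot: The `#TODO # should handle branch -> clone -n + branch + checkout` comment is now stale, since the exec passes `-b ${branch}`; it should be dropped or replaced with what actually remains, e.g. `# TODO: changing $branch after the first clone has no effect because of creates => $name`. That limitation is worth stating next to the new `$branch` parameter, because `creates => $name` means an existing checkout is never re-pointed at a different branch and the `git pull -q` cron keeps following whatever was cloned first. The added `git submodule --quiet update --init --recursive` also fetches whatever URLs the checked-out `.gitmodules` names, running as `$user`, which callers passing third-party sources should be aware of; a short comment on that line would make it explicit.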
diff --git a/modules/git/templates/xinetd b/modules/git/templates/xinetd index 2cbf78e3..654ae2be 100644 --- a/modules/git/templates/xinetd +++ b/modules/git/templates/xinetd @@ -4,10 +4,10 @@ service git type = UNLISTED port = 9418 socket_type = stream - server = <%= lib_dir %>/git-core/git-daemon + server = <%= @lib_dir %>/git-core/git-daemon wait = no user = nobody - server_args = --inetd --verbose --export-all --base-path=<%= git_base_path %> + server_args = --inetd --verbose --export-all --base-path=<%= @git_base_path %> log_on_failure += HOST flags = IPv6 } diff --git a/modules/gitmirror/files/on-the-pull b/modules/gitmirror/files/on-the-pull new file mode 100755 index 00000000..416b75a4 --- /dev/null +++ b/modules/gitmirror/files/on-the-pull 
@@ -0,0 +1,365 @@ +#!/usr/bin/python3 + +import cgi +import http.server +import os +import pwd +import re +import subprocess +import sys +from optparse import OptionParser +from queue import Queue +from threading import Thread + + +GitUpdaterQueue = Queue(0) + + +# NB The following class and bits for running git commands were "liberated" +# from git_multimail.py + +class CommandError(Exception): + def __init__(self, cmd, retcode): + self.cmd = cmd + self.retcode = retcode + Exception.__init__( + self, + 'Command "%s" failed with retcode %s' % (' '.join(cmd), retcode,) + ) + + +# It is assumed in many places that the encoding is uniformly UTF-8, +# so changing these constants is unsupported. But define them here +# anyway, to make it easier to find (at least most of) the places +# where the encoding is important. +ENCODING = 'UTF-8' + + +# The "git" program (this could be changed to include a full path): +GIT_EXECUTABLE = 'git' + + +# How "git" should be invoked (including global arguments), as a list +# of words. This variable is usually initialized automatically by +# read_git_output() via choose_git_command(), but if a value is set +# here then it will be used unconditionally. +GIT_CMD = None + + +def choose_git_command(): + """Decide how to invoke git, and record the choice in GIT_CMD.""" + + global GIT_CMD + + if GIT_CMD is None: + try: + # Check to see whether the "-c" option is accepted (it was + # only added in Git 1.7.2). We don't actually use the + # output of "git --version", though if we needed more + # specific version information this would be the place to + # do it. 
+ cmd = [GIT_EXECUTABLE, '-c', 'foo.bar=baz', '--version'] + read_output(cmd) + GIT_CMD = [GIT_EXECUTABLE, '-c', f'i18n.logoutputencoding={ENCODING}'] + except CommandError: + GIT_CMD = [GIT_EXECUTABLE] + + +def read_git_output(args, inp=None, keepends=False, **kw): + """Read the output of a Git command.""" + + if GIT_CMD is None: + choose_git_command() + + return read_output(GIT_CMD + args, inp=inp, keepends=keepends, **kw) + + +# NOTE: output is in bytes, not a string +def read_output(cmd, inp=None, keepends=False, **kw): + if inp: + stdin = subprocess.PIPE + else: + stdin = None + p = subprocess.Popen( + cmd, stdin=stdin, stdout=subprocess.PIPE, stderr=subprocess.PIPE, **kw + ) + (out, err) = p.communicate(inp) + retcode = p.wait() + if retcode: + raise CommandError(cmd, retcode) + if not keepends: + out = out.rstrip(b'\n\r') + return out + + +def run_git_command(args, **kw): + """Runs a git command, ignoring the output. + """ + + read_git_output(args, **kw) + + +def run_command(args, **kw): + """Runs a git command, ignoring the output. 
+ """ + + read_output(args, **kw) + + +class GitUpdater(Thread): + def __init__(self, server, basedir, repoprefix, branch='master', cmd=''): + Thread.__init__(self) + self.server = server + self.basedir = basedir + self.repoprefix = repoprefix + self.branch = branch + self.cmd = cmd + + def run(self): + while 42: + repo = GitUpdaterQueue.get() + if repo is None: + break + try: + print(f"Got update request for '{repo}'", file=sys.stderr) + clonefolder = os.path.join(self.basedir, repo) + if self.repoprefix: + if not repo.startswith(self.repoprefix): + print(f"Ignoring repo '{repo}' due to invalid prefix", file=sys.stderr) + GitUpdaterQueue.task_done() + continue + clonefolder = os.path.join(self.basedir, repo[len(self.repoprefix):]) + command = [] + treeish = '' + changed = True + if not os.path.exists(clonefolder): + cloneparent = os.path.dirname(clonefolder) + if not os.path.exists(cloneparent): + os.makedirs(cloneparent) + cloneurl = self.server + '/' + repo + command = ['clone'] + if '--mirror' == self.branch: + command.append('--mirror') + command.append(cloneurl) + command.append(clonefolder) + print(f"Cloning repo '{repo}' ('{cloneurl}' -> '{clonefolder}')", file=sys.stderr) + + run_git_command(command) + if not os.path.isdir(clonefolder): + raise Exception(f"Clone folder '{clonefolder}' is not a directory. 
Cloning failed or file in it's place?") + os.chdir(clonefolder) + if '--mirror' != self.branch and 'master' != self.branch: + command = ['checkout', '-t', 'origin/' + self.branch] + run_git_command(command) + elif os.path.isdir(clonefolder): + os.chdir(clonefolder) + print(f"Updating existing repo '{repo}' ({clonefolder})", file=sys.stderr) + command = ['remote', 'update'] + run_git_command(command) + if '--mirror' != self.branch: + sha1before = read_git_output(['rev-parse', 'refs/heads/' + self.branch]) + sha1after = read_git_output(['rev-parse', 'refs/remotes/origin/' + self.branch]) + if sha1before and sha1after: + if sha1before == sha1after: + changed = False + print(f"Repo '{repo}' update on branch '{self.branch}': No changed detected", file=sys.stderr) + else: + treeish = sha1before.decode(ENCODING) + '..' + sha1after.decode(ENCODING) + print(f"Repo '{repo}' update on branch '{self.branch}': Treeish '{treeish}'", file=sys.stderr) + else: + print(f"Repo '{repo}' update on branch '{self.branch}': Before or after sha1 could not be extracted.", file=sys.stderr) + command = ['update-ref', 'refs/heads/' + self.branch, 'refs/remotes/origin/' + self.branch] + run_git_command(command) + command = ['checkout', '-f', self.branch] + run_git_command(command) + else: + raise Exception(f"Clone folder '{clonefolder}' appears to be a file :s") + + if changed and self.cmd: + # Update the info/web/last-modified file as used by cgit + os.chdir(clonefolder) + command = [self.cmd, repo] + if treeish: + command += [treeish] + run_command(command) + + print(f"Update for '{repo}' complete.", file=sys.stderr) + except Exception as e: + print(f"Error processing repo '{repo}'", file=sys.stderr) + print(str(e), file=sys.stderr) + + GitUpdaterQueue.task_done() + sys.stderr.flush() + + +class TimeoutServer(http.server.HTTPServer): + def get_request(self): + result = self.socket.accept() + result[0].settimeout(10) + return result + + +class PostHandler(http.server.BaseHTTPRequestHandler): + 
def do_POST(self): + ctype, pdict = cgi.parse_header(self.headers['content-type']) + repo = "" + try: + if ctype != 'x-git/repo': + self.send_response(415) + self.end_headers() + return + + # chunked mode is a legitimate reason there would be no content-length, + # but it's easier to just insist on it + length = int(self.headers['content-length']) if self.headers['content-length'] else 0 + if length < 1: + self.send_response(411) + self.end_headers() + return + if length > 1024: + self.send_response(413) + self.end_headers() + return + repo = self.rfile.read(length).decode(ENCODING) + + if re.match(r"^[-_/a-zA-Z0-9\+\.]+$", repo) is None: + self.send_response(400) + self.end_headers() + return + + GitUpdaterQueue.put(repo) + self.send_response(202) + self.end_headers() + + except Exception as e: + print("Error processing request", file=sys.stderr) + print(str(e), file=sys.stderr) + self.send_response(500) + self.end_headers() + + sys.stderr.flush() + + +def Demote(pidfile, uid, gid): + def result(): + piddir = os.path.dirname(pidfile) + if not os.path.exists(piddir): + os.makedirs(piddir) + fd = open(pidfile, 'w') + fd.write(str(os.getpid())) + fd.close() + + if uid and gid: + os.setgid(gid) + os.setuid(uid) + return result + + +def daemonise(options, serverprefix, basefolder): + pw = None + uid = False + gid = False + if options.user: + pw = pwd.getpwnam(options.user) + uid = pw.pw_uid + gid = pw.pw_gid + else: + pw = pwd.getpwnam(os.getlogin()) + + user = pw.pw_name + dirname = pw.pw_dir + env = { + 'HOME': dirname, + 'LOGNAME': user, + 'PWD': dirname, + 'USER': user, + } + if os.getenv('PATH') is not None: + env['PATH'] = os.getenv('PATH') + if os.getenv('PYTHONPATH') is not None: + env['PYTHONPATH'] = os.getenv('PYTHONPATH') + + args = [os.path.abspath(sys.argv[0])] + args.append('-a') + args.append(options.addr) + args.append('-p') + args.append(str(options.port)) + args.append('-r') + args.append(options.repoprefix) + args.append('-b') + 
args.append(options.branch) + args.append('-c') + args.append(options.cmd) + args.append(serverprefix) + args.append(basefolder) + + subprocess.Popen( + args, preexec_fn=Demote(options.pidfile, uid, gid), cwd=dirname, env=env + ) + exit(0) + + +def main(): + usage = "usage: %prog [options] <serverprefix> <basefolder>" + description = """Listen for repository names being posted via a simple HTTP interface and clone/update them. +POST data simply via curl: +e.g. curl --header 'Content-Type: x-git/repo' --data 'my/repo/name' http://localhost:8000 +""" + parser = OptionParser(usage=usage, description=description) + parser.add_option("-a", "--addr", + type="string", dest="addr", default="0.0.0.0", + help="The interface address to bind to") + parser.add_option("-p", "--port", + type="int", dest="port", default=8000, + help="The port to bind to") + parser.add_option("-r", "--repo-prefix", + type="string", dest="repoprefix", default="", + help="Only handle repositories with the following prefix. This SHOULD contain a trailing slash if it's a folder but SHOULD NOT include a leading slash") + parser.add_option("-b", "--branch", + type="string", dest="branch", default="--mirror", + help="The branch to track on clone. If you pass '--mirror' (the default) as the branch name we will clone as a bare mirror") + parser.add_option("-c", "--cmd", + type="string", dest="cmd", default="", + help="Third party command to execute after updates. 
It will execute in the " + "folder of the repo and if we're not in mirror mode, a treeish will be " + "passed as the only argument containing the refs that changed otherwise " + "the command will be run without any arguments") + parser.add_option("-d", "--pid-file", + type="string", dest="pidfile", default="", + help="Daemonise and write pidfile") + parser.add_option("-u", "--user", + type="string", dest="user", default="", + help="Drop privileges to the given user (must be run as root)") + + (options, args) = parser.parse_args() + if len(args) < 2: + parser.error("Both the <serverprefix> and <basefolder> arguments must be supplied.") + if len(args) > 2: + parser.print_usage() + exit(1) + + serverprefix = args[0] + basefolder = args[1] + + if options.pidfile: + daemonise(options, serverprefix, basefolder) + + if options.user: + parser.error("You can only specify a user if you're also deamonising (with a pid file).") + + print("Server started", file=sys.stderr) + sys.stderr.flush() + srvr = TimeoutServer((options.addr, options.port), PostHandler) + updater = GitUpdater(serverprefix, basefolder, options.repoprefix, options.branch, options.cmd) + updater.start() + + try: + srvr.serve_forever() + except KeyboardInterrupt: + srvr.socket.close() + GitUpdaterQueue.put(None) + updater.join() + + +if __name__ == "__main__": + main() diff --git a/modules/gitmirror/files/on-the-pull.init b/modules/gitmirror/files/on-the-pull.init new file mode 100755 index 00000000..cc256a06 --- /dev/null +++ b/modules/gitmirror/files/on-the-pull.init 
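Review bot: The repo-name check in `PostHandler.do_POST`, `re.match(r"^[-_/a-zA-Z0-9\+\.]+$", repo)`, accepts a leading `/` and `..` path segments, and `GitUpdater.run` then passes the name to `os.path.join(self.basedir, repo)`, so a request can name a clone folder outside `basedir` (a leading `/` makes `os.path.join` discard `basedir` altogether) and the updater will `os.makedirs`, `git remote update`, `checkout -f` and run `self.cmd` there; with the default empty `--repo-prefix` nothing else filters the name. Extend the check to `if re.match(r"^[-_/a-zA-Z0-9\+\.]+$", repo) is None or repo.startswith('/') or '..' in repo.split('/'):` and, as defence in depth, verify in `GitUpdater.run` that `os.path.realpath(clonefolder)` starts with `os.path.realpath(self.basedir) + os.sep` before touching the filesystem. Note also that `--addr` defaults to `0.0.0.0` and the endpoint is unauthenticated, so the help text for `-a` should say the service is meant to be bound to an internal interface or firewalled.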
@@ -0,0 +1,67 @@
+#! /bin/bash
+#
+# on-the-pull Keep git mirrors up-to-date via external triggers
+#
+# chkconfig: 2345 80 30
+# description: Keep git mirrors up-to-date via external triggers
+#
+### BEGIN INIT INFO
+# Provides: on-the-pull
+# Required-Start: $network
+# Required-Stop: $network
+# Default-Start: 2 3 4 5
+# Short-Description: Keep git mirrors up-to-date via external triggers
+# Description: Keep git mirrors up-to-date via external triggers
+### END INIT INFO
+
+# Source function library.
+. /etc/init.d/functions
+
+pidfile=/var/run/on-the-pull/on-the-pull.pid
+prog=/usr/local/bin/on-the-pull
+args="--pid-file=$pidfile --user=git --cmd=/usr/local/bin/gitmirror-sync-metadata git://git.mageia.org /git"
+
+
+start() {
+ gprintf "Starting On-The-Pull Git Mirror Daemon: "
+ daemon --check on-the-pull --pidfile $pidfile "$prog $args >>/var/log/on-the-pull.log 2>&1"
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/on-the-pull
+ return $RETVAL
+}
+
+stop() {
+ gprintf "Stopping On-The-Pull Git Mirror Daemon: "
+ killproc -p $pidfile on-the-pull
+ echo
+ rm -f /var/lock/subsys/on-the-pull
+}
+
+restart() {
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ status)
+ status on-the-pull $pidfile
+ ;;
+ restart|reload)
+ restart
+ ;;
+ condrestart)
+ [ -f /var/lock/subsys/on-the-pull ] && restart || :
+ ;;
+ *)
+ gprintf "Usage: %s {start|stop|status|restart|condrestart}\n" "$(basename $0)"
+ exit 1
+esac
+
+exit 0
diff --git a/modules/gitmirror/files/rsync-metadata.sh b/modules/gitmirror/files/rsync-metadata.sh
new file mode 100755
index 00000000..03a0fe41
--- /dev/null
+++ b/modules/gitmirror/files/rsync-metadata.sh
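Review bot: In the `status)` branch the pidfile is passed as a bare trailing argument, `status on-the-pull $pidfile`, while `stop()` uses the `-p $pidfile` form for killproc; with the common /etc/init.d/functions the pidfile option for status is also `-p`, so the extra argument is most likely ignored and status falls back to looking up the process by name, which for a python script is unlikely to be `on-the-pull`. `status -p $pidfile on-the-pull` would match what stop does; worth confirming against the functions library shipped on these hosts. The log redirection `>>/var/log/on-the-pull.log` is opened by the root shell before the daemon drops to `--user=git`, which works but means the log is root-owned and cannot be rotated by the unprivileged process, so the logrotate config (if any) should account for that.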
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+REPO="$1"
+GITROOT="/git"
+RSYNCROOT="rsync://duvel.mageia.org/git"
+
+if [ ! -d "$GITROOT/$REPO" ]; then
+ echo "No repository found $REPO" >&2
+ exit 1
+fi
+
+/usr/bin/rsync -a --include="description" --include="info" --include="info/web" --include="info/web/last-modified" --exclude="*" "$RSYNCROOT/$REPO/" "$GITROOT/$REPO/"
+/usr/bin/rsync -a "$RSYNCROOT/$REPO/config" "$GITROOT/$REPO/config.upstream"
+
+OWNER=$(git config --file "$GITROOT/$REPO/config.upstream" gitweb.owner)
+DESC=$(git config --file "$GITROOT/$REPO/config.upstream" gitweb.description)
+rm -f "$GITROOT/$REPO/config.upstream"
+
+CUROWNER=$(git config --file "$GITROOT/$REPO/config" gitweb.owner)
+if [ "$CUROWNER" != "$OWNER" ]; then
+ git config --file "$GITROOT/$REPO/config" gitweb.owner "$OWNER"
+fi
+
+CURDESC=$(git config --file "$GITROOT/$REPO/config" gitweb.description)
+if [ "$CURDESC" != "$DESC" ]; then
+ git config --file "$GITROOT/$REPO/config" gitweb.description "$DESC"
+fi
diff --git a/modules/gitmirror/manifests/init.pp b/modules/gitmirror/manifests/init.pp
new file mode 100644
index 00000000..c1dcd894
--- /dev/null
+++ b/modules/gitmirror/manifests/init.pp
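Review bot: `REPO="$1"` is used unvalidated to build `$GITROOT/$REPO`, and the existence check does not reject an empty value: the on-the-pull help text in this commit says the command is run without arguments in mirror mode (the mode the init script uses), so `$1` would be empty, `[ -d "/git/" ]` passes, and the rsync and config edits run against the root of the git tree instead of one repository. A guard such as `case "$REPO" in ""|/*|*..*) echo "invalid repository name: $REPO" >&2; exit 1 ;; esac` before the directory check covers that and also rejects names that walk outside `$GITROOT`, which matters if the name originates from the HTTP POST the daemon listens on. If the daemon only conveys the repository through the working directory, deriving `REPO` from `$PWD` relative to `$GITROOT` may be what was intended. Separately, neither rsync is checked for success, so a transient failure fetching `config.upstream` leaves `OWNER` and `DESC` empty and the script then writes empty `gitweb.owner`/`gitweb.description` into the live config; `|| exit 1` on each rsync (or `set -e` at the top) avoids that.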
@@ -0,0 +1,48 @@
+class gitmirror {
+
+ $git_dir = '/git'
+ $git_login = 'git'
+ $git_homedir = "/var/lib/${git_login}"
+ $git_rundir = '/var/run/on-the-pull'
+
+ group { $git_login:
+ ensure => present,
+ }
+
+ user { $git_login:
+ ensure => present,
+ home => $git_homedir,
+ }
+
+ file { $git_dir:
+ ensure => directory,
+ owner => $git_login,
+ group => $git_login,
+ mode => '0755',
+ }
+
+ file { $git_rundir:
+ ensure => directory,
+ mode => '0755',
+ }
+
+ mga_common::local_script { 'on-the-pull':
+ source => 'puppet:///modules/gitmirror/on-the-pull',
+ }
+
+ file { '/etc/init.d/on-the-pull':
+ source => 'puppet:///modules/gitmirror/on-the-pull.init',
+ mode => '0755',
+ }
+
+ service { 'on-the-pull':
+ require => [
+ Mga_common::Local_script["on-the-pull"],
+ File['/etc/init.d/on-the-pull'],
+ ],
+ }
+
+ mga_common::local_script { 'gitmirror-sync-metadata':
+ source => 'puppet:///modules/gitmirror/rsync-metadata.sh',
+ }
+}
diff --git a/modules/gitweb/manifests/init.pp b/modules/gitweb/manifests/init.pp
index 59e74657..d7c07b22 100644
--- a/modules/gitweb/manifests/init.pp
+++ b/modules/gitweb/manifests/init.pp
@@ -15,12 +15,18 @@ class gitweb { webapp_file => 'gitweb/webapp.conf', } - mga-common::local_script { 'gitweb.wrapper.sh': + mga_common::local_script { 'gitweb.wrapper.sh': content => template('gitweb/wrapper.sh'), notify => Service['apache'], } - apache::vhost::base { "gitweb.$::domain": + $vhost = "gitweb.${::domain}" + apache::vhost::base { $vhost: content => template('gitweb/vhost.conf') } + apache::vhost::base { "ssl_${vhost}": + vhost => $vhost, + use_ssl => true, + content => template('gitweb/vhost.conf'), + } }
diff --git a/modules/gitweb/templates/gitweb.conf b/modules/gitweb/templates/gitweb.conf
index 5216077c..688844a8 100644
--- a/modules/gitweb/templates/gitweb.conf
+++ b/modules/gitweb/templates/gitweb.conf
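Review bot: `service { 'on-the-pull': }` declares only `require`, with no `ensure => running` or `enable => true`, so Puppet neither starts the daemon nor enables it at boot, and without a `subscribe` on the script and init file a changed script is not restarted; `ensure => running, enable => true, subscribe => [Mga_common::Local_script['on-the-pull'], File['/etc/init.d/on-the-pull']],` is the usual shape unless a manual start is intended. `$git_rundir` is created with mode 0755 and no owner, so it stays root-owned, while the init script launches the daemon with `--user=git`; the daemon passes the pidfile into `Demote(...)` so it may handle this itself, but if the pidfile is written or removed after privileges drop the directory needs `owner => $git_login` — I cannot see the Demote code to confirm. The `user { $git_login: }` resource sets `home` but not `shell` or `managehome`, so whether the home directory exists is left to the provider; a comment stating that is intentional would help.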
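Review bot: The new `ssl_${vhost}` resource adds an HTTPS vhost, but the plain `apache::vhost::base { $vhost: }` keeps serving the same content over HTTP, so nothing redirects clients to TLS. mediawiki::base in this same commit uses `apache::vhost::redirect_ssl { $vhost: }` for the plain name; replacing the non-SSL `apache::vhost::base` here with that would make gitweb consistent with it. If serving gitweb over plain HTTP is still wanted (e.g. for clone URLs), a one-line comment saying so would stop the next reader from "fixing" it.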
@@ -121,5 +121,3 @@ our $site_name = "Mageia Git"; # To enable system wide have in /etc/gitweb.conf # $feature{'forks'}{'default'} = [1]; # Project specific override is not supported. - - diff --git a/modules/gitweb/templates/webapp.conf b/modules/gitweb/templates/webapp.conf index 54c85a29..a4d13624 100644 --- a/modules/gitweb/templates/webapp.conf +++ b/modules/gitweb/templates/webapp.conf @@ -6,4 +6,3 @@ Order allow,deny Allow from all </Directory> - diff --git a/modules/gitweb/templates/wrapper.sh b/modules/gitweb/templates/wrapper.sh index c8fdcb6d..4303007b 100644 --- a/modules/gitweb/templates/wrapper.sh +++ b/modules/gitweb/templates/wrapper.sh @@ -2,4 +2,3 @@ export FCGI_SOCKET_PATH=/tmp/gitweb.socket /usr/share/gitweb/gitweb.cgi --fastcgi - diff --git a/modules/gnupg/manifests/client.pp b/modules/gnupg/manifests/client.pp index a032b323..301e569a 100644 --- a/modules/gnupg/manifests/client.pp +++ b/modules/gnupg/manifests/client.pp @@ -1,9 +1,15 @@ class gnupg::client { +if versioncmp($::lsbdistrelease, '7') < 0 { package {['gnupg', 'rng-utils']: } +} else { + package {['gnupg2', + 'rng-utils']: + } +} - mga-common::local_script { 'create_gnupg_keys.sh': + mga_common::local_script { 'create_gnupg_keys.sh': content => template('gnupg/create_gnupg_keys.sh') } } diff --git a/modules/gnupg/manifests/keys.pp b/modules/gnupg/manifests/keys.pp index 948619a2..b99ed393 100644 --- a/modules/gnupg/manifests/keys.pp +++ b/modules/gnupg/manifests/keys.pp @@ -1,5 +1,5 @@ # debian recommend SHA2, with 4096 - # http://wiki.debian.org/Keysigning + # https://wiki.debian.org/Keysigning # as they are heavy users of gpg, I will tend # to follow them # however, for testing purpose, 4096 is too strong, @@ -14,8 +14,8 @@ define gnupg::keys($email, $keydir = '/var/lib/signbot/keys') { include gnupg::client - file { "$name.batch": - path => "$batchdir/$name.batch", + file { "${name}.batch": + path => "${batchdir}/${name}.batch", content => template('gnupg/batch') } 
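Review bot: The new `if versioncmp($::lsbdistrelease, '7') < 0 {` block sits at column 0 inside the `class gnupg::client` body, where the `mga_common::local_script` resource below it is indented one level; indenting the whole conditional keeps the class body uniform. The two branches are also formatted differently for no reason — the `if` branch keeps `['gnupg', 'rng-utils']` on one line while the `else` branch splits `['gnupg2', 'rng-utils']` across two — so one of the two styles should be used for both.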
@@ -30,9 +30,9 @@ define gnupg::keys($email, owner => $login, } - exec { "/usr/local/bin/create_gnupg_keys.sh $batchdir/$name.batch $keydir $batchdir/$name.done": + exec { "/usr/local/bin/create_gnupg_keys.sh ${batchdir}/${name}.batch ${keydir} ${batchdir}/${name}.done": user => $login, - creates => "$batchdir/$name.done", - require => [File[$keydir], File["$batchdir/$name.batch"], Package['rng-utils']], + creates => "${batchdir}/${name}.done", + require => [File[$keydir], File["${batchdir}/${name}.batch"], Package['rng-utils']], } } diff --git a/modules/gnupg/templates/batch b/modules/gnupg/templates/batch index 4dff44eb..d55bdd52 100644 --- a/modules/gnupg/templates/batch +++ b/modules/gnupg/templates/batch @@ -1,9 +1,8 @@ %echo Generating a standard key -Key-Type: <%= key_type %> -Key-Length: <%= key_length %> -Name-Real: <%= key_name %> -Name-Email: <%= email %> -Expire-Date: <%= expire_date %> +Key-Type: <%= @key_type %> +Key-Length: <%= @key_length %> +Name-Real: <%= @key_name %> +Name-Email: <%= @email %> +Expire-Date: <%= @expire_date %> %commit %echo done - diff --git a/modules/icecream/manifests/client.pp b/modules/icecream/manifests/client.pp index d58a5e65..5364d87d 100644 --- a/modules/icecream/manifests/client.pp +++ b/modules/icecream/manifests/client.pp @@ -1,4 +1,4 @@ -define icecream::client($host => '') { +define icecream::client($host = '') { include icecream::client_common file { '/etc/sysconfig/icecream': content => template('icecream/sysconfig'), diff --git a/modules/icecream/templates/sysconfig b/modules/icecream/templates/sysconfig index a3ae80c8..8a5bc92c 100644 --- a/modules/icecream/templates/sysconfig +++ b/modules/icecream/templates/sysconfig @@ -12,7 +12,7 @@ ICECREAM_NICE_LEVEL="5" # ## Type: string ## Path: Applications/icecream -## Defaut: /var/log/iceccd +## Default: /var/log/iceccd # # icecream daemon log file # 
@@ -21,7 +21,7 @@ ICECREAM_LOG_FILE="/var/log/icecream.log" # ## Type: string ## Path: Applications/icecream -## Defaut: no +## Default: no # # Start also the scheduler? # @@ -30,7 +30,7 @@ ICECREAM_RUN_SCHEDULER="no" # ## Type: string ## Path: Applications/icecream -## Defaut: /var/log/icecc_scheduler +## Default: /var/log/icecc_scheduler # # icecream scheduler log file # @@ -39,7 +39,7 @@ ICECREAM_SCHEDULER_LOG_FILE="/var/log/scheduler.log" # ## Type: string ## Path: Applications/icecream -## Defaut: "" +## Default: "" # # Identification for the network the scheduler and daemon run on. # You can have several distinct icecream networks in the same LAN @@ -50,17 +50,17 @@ ICECREAM_NETNAME="" # ## Type: string ## Path: Applications/icecream -## Defaut: "" +## Default: "" # # If the daemon can't find the scheduler by broadcast (e.g. because # of a firewall) you can specify it. # -ICECREAM_SCHEDULER_HOST="<%= host %>" +ICECREAM_SCHEDULER_HOST="<%= @host %>" # ## Type: string ## Path: Applications/icecream -## Defaut: "" +## Default: "" ## Type: integer # # You can overwrite here the number of jobs to run in parallel. Per diff --git a/modules/ii/manifests/init.pp b/modules/ii/manifests/init.pp index 8a63f130..2947c75d 100644 --- a/modules/ii/manifests/init.pp +++ b/modules/ii/manifests/init.pp 
@@ -15,23 +15,23 @@ class ii { $nick = $name include ii::base - # a custom wrappper is needed since ii do not fork in the + # a custom wrapper is needed since ii does not fork in the # background, and bash is not able to properly do it - mga-common::local_script { "ii_$nick": + mga_common::local_script { "ii_${nick}": content => template('ii/ii_wrapper.pl'), require => Class['ii::base'], } service { 'ii': provider => base, - start => "/usr/local/bin/ii_$nick", - require => Local_script["ii_$nick"], + start => "/usr/local/bin/ii_${nick}", + require => Mga_common::Local_script["ii_${nick}"], } - exec { "join channel $nick": - command => "echo '/j $channel' > /var/lib/ii/$nick/$server/in", + exec { "join channel ${nick}": + command => "echo '/j ${channel}' > /var/lib/ii/${nick}/${server}/in", user => 'nobody', - creates => "/var/lib/ii/$nick/$server/$channel/in", + creates => "/var/lib/ii/${nick}/${server}/${channel}/in", require => Service['ii'], } } diff --git a/modules/ii/templates/ii_wrapper.pl b/modules/ii/templates/ii_wrapper.pl index 5e5cc65e..68128314 100644 --- a/modules/ii/templates/ii_wrapper.pl +++ b/modules/ii/templates/ii_wrapper.pl @@ -3,8 +3,8 @@ use warnings; use strict; use POSIX; use Proc::Daemon; -my $nick = "<%= nick %>"; -my $server = "<%= server %>"; +my $nick = "<%= @nick %>"; +my $server = "<%= @server %>"; Proc::Daemon::Init(); diff --git a/modules/irkerd/manifests/init.pp b/modules/irkerd/manifests/init.pp new file mode 100644 index 00000000..adffc452 --- /dev/null +++ b/modules/irkerd/manifests/init.pp @@ -0,0 +1,9 @@ +class irkerd { + package { 'irker': + ensure => installed, + } + + service { 'irkerd': + ensure => running, + } +} diff --git a/modules/libvirtd/files/network_add.py b/modules/libvirtd/files/network_add.py index ab40bf0e..4ed63109 100644 --- a/modules/libvirtd/files/network_add.py +++ b/modules/libvirtd/files/network_add.py 
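Review bot: `service { 'irkerd': ensure => running }` has no relationship to `Package['irker']`, and Puppet does not autorequire a package for a service, so on a fresh host the service can be evaluated before the package is installed and the first run fails; `require => Package['irker'],` on the service fixes the ordering. `enable => true` is also absent, so the service is not enabled at boot unless that is handled elsewhere.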
@@ -1,9 +1,9 @@ -#!/usr/bin/python +#!/usr/bin/python3 import libvirt import os import IPy -# bridge_name +# bridge_name # forward -> nat/ route # forward-dev @@ -59,4 +59,3 @@ network_xml = """ c=libvirt.open("qemu:///system") c.networkDefineXML(network_xml) - diff --git a/modules/libvirtd/files/storage_add.py b/modules/libvirtd/files/storage_add.py index 5d95922d..10369e36 100644 --- a/modules/libvirtd/files/storage_add.py +++ b/modules/libvirtd/files/storage_add.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 import libvirt import sys @@ -25,4 +25,3 @@ storage_xml = """ c=libvirt.open("qemu:///system") c.storagePoolDefineXML(storage_xml,0) - diff --git a/modules/libvirtd/manifests/init.pp b/modules/libvirtd/manifests/init.pp index 7dcf5fc4..f0cbb887 100644 --- a/modules/libvirtd/manifests/init.pp +++ b/modules/libvirtd/manifests/init.pp @@ -6,14 +6,12 @@ class libvirtd { # iptables -> for dhcp, message error was quite puzzling # python-* => needed for helper script package {['libvirt-utils', - 'dnsmasq-base', + 'dnsmasq', 'netcat-openbsd', 'iptables', - 'python-libvirt', - 'python-IPy']: - + 'python3-libvirt', + 'python3-IPy']: } - service { 'libvirtd': require => Package['libvirt-utils'], } 
@@ -40,32 +38,37 @@ class libvirtd { class kvm inherits base { # pull cyrus-sasl, should be checked package { 'qemu': } - } - # see http://wiki.libvirt.org/page/SSHPolicyKitSetup + # see https://wiki.libvirt.org/page/SSHPolicyKitSetup define group_access() { # to pull polkit and create the directory include libvirtd::base - file { "/etc/polkit-1/localauthority/50-local.d/50-$name-libvirt-remote-access.pkla": + file { "/etc/polkit-1/localauthority/50-local.d/50-${name}-libvirt-remote-access.pkla": content => template('libvirtd/50-template-libvirt-remote-access.pkla'), require => Package['libvirt-utils'], } + # give access to /dev/kvm to people allowed to use libvirt + file { '/dev/kvm': + group => $name, + owner => 'root', + mode => '0660', + } } define storage($path, $autostart = true) { include libvirtd::base - exec { "/usr/local/bin/storage_add.py $name $path": - creates => "/etc/libvirt/storage/$name.xml", + exec { "/usr/local/bin/storage_add.py ${name} ${path}": + creates => "/etc/libvirt/storage/${name}.xml", require => [File['/usr/local/bin/storage_add.py'], - Package['python-libvirt'] ] + Package['python3-libvirt'] ] } #TODO use API of libvirt - file { "/etc/libvirt/storage/autostart/$name.xml": - ensure => $autostart ? { - true => "/etc/libvirt/storage/$name.xml", + file { "/etc/libvirt/storage/autostart/${name}.xml": + ensure => $autostart ? { + true => "/etc/libvirt/storage/${name}.xml", false => absent }, require => Package['libvirt-utils'], 
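Review bot: `file { '/dev/kvm': ... }` is declared inside `define group_access()`, so using the define for a second group produces a duplicate resource declaration for `/dev/kvm`, and only one group could be set on the node anyway. `/dev/kvm` is a devtmpfs node whose group and mode are normally applied by udev, so a Puppet-managed chown is also undone at reboot or module reload until the next agent run; a udev rule (a `file` under /etc/udev/rules.d with `KERNEL=="kvm", GROUP="<group>", MODE="0660"`) or moving the resource into `libvirtd::base` with a single configured group would be more robust. The enclosing class body continues outside the hunk.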
@@ -82,22 +85,22 @@ class libvirtd { $vm_type = 'qemu') { exec { '/usr/local/bin/network_add.py': - environment => ["BRIDGE_NAME=$bridge_name", - "FORWARD=$forward", - "FORWARD_DEV=$forward_dev", - "NETWORK=$network", - "TFTP_ROOT=$tftp_root", - "DISABLE_PXE=\"$disable_pxe\""], - - creates => "/etc/libvirt/$vm_type/networks/$name.xml", - require => [File['/usr/local/bin/network_add.py'], - Package['python-IPy'], Package["python-libvirt"] ] + environment => ["BRIDGE_NAME=${bridge_name}", + "FORWARD=${forward}", + "FORWARD_DEV=${forward_dev}", + "NETWORK=${network}", + "TFTP_ROOT=${tftp_root}", + "DISABLE_PXE=\"${disable_pxe}\""], + + creates => "/etc/libvirt/${vm_type}/networks/${name}.xml", + require => [File['/usr/local/bin/network_add.py'], + Package['python3-IPy'], Package['python3-libvirt'] ] } #TODO use API of libvirt - file { "/etc/libvirt/$vm_type/networks/autostart/$name.xml": - ensure => $autostart ? { - true => "/etc/libvirt/$vm_type/networks/$name.xml", + file { "/etc/libvirt/${vm_type}/networks/autostart/${name}.xml": + ensure => $autostart ? { + true => "/etc/libvirt/${vm_type}/networks/${name}.xml", false => absent }, require => Package['libvirt-utils'], diff --git a/modules/libvirtd/templates/50-template-libvirt-remote-access.pkla b/modules/libvirtd/templates/50-template-libvirt-remote-access.pkla index 201e89a0..8806e3cb 100644 --- a/modules/libvirtd/templates/50-template-libvirt-remote-access.pkla +++ b/modules/libvirtd/templates/50-template-libvirt-remote-access.pkla @@ -1,5 +1,5 @@ [Remote libvirt SSH access] -Identity=unix-user:root;unix-group:<%= name %> +Identity=unix-user:root;unix-group:<%= @name %> Action=org.libvirt.unix.manage ResultAny=yes ResultInactive=yes diff --git a/modules/mediawiki/files/init_wiki.php b/modules/mediawiki/files/init_wiki.php index a0e3a520..da1d46f5 100644 --- a/modules/mediawiki/files/init_wiki.php +++ b/modules/mediawiki/files/init_wiki.php 
@@ -15,12 +15,10 @@ require_once("$mw_root/includes/GlobalFunctions.php"); include("$wiki_root/LocalSettings.php"); $dbclass = 'Database'.ucfirst($wgDBtype); -$dbc = new $dbclass; - -$wgDatabase = $dbc->newFromParams($wgDBserver, - $wgDBuser, - $wgDBpassword, $wgDBname, 1); - +$wgDatabase = new $dbclass($wgDBserver, + $wgDBuser, + $wgDBpassword, $wgDBname, 1); + $wgDatabase->initial_setup($wgDBpassword, $wgDBname); $wgDatabase->setup_database(); diff --git a/modules/mediawiki/files/robots.txt b/modules/mediawiki/files/robots.txt new file mode 100644 index 00000000..a58c6199 --- /dev/null +++ b/modules/mediawiki/files/robots.txt @@ -0,0 +1,4 @@ +User-agent: * +Disallow: /mw-*/index.php? +Disallow: /*/Special: +Crawl-delay: 30 diff --git a/modules/mediawiki/manifests/base.pp b/modules/mediawiki/manifests/base.pp index 52600ac1..76c8625b 100644 --- a/modules/mediawiki/manifests/base.pp +++ b/modules/mediawiki/manifests/base.pp @@ -3,17 +3,27 @@ class mediawiki::base { $vhost = $mediawiki::config::vhost $root = $mediawiki::config::root - package { ['mediawiki-minimal','mediawiki-ldapauthentication']: } + package { ['mediawiki','mediawiki-ldapauthentication']: } file { $mediawiki::config::root: ensure => directory, } - file { '/usr/local/bin/init_wiki.php': - mode => '0755', - source => 'puppet:///modules/mediawiki/init_wiki.php', + $wiki_root = $mediawiki::config::root + $robotsfile = "$wiki_root/robots.txt" + file { $robotsfile: + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/mediawiki/robots.txt', } +# file { '/usr/local/bin/init_wiki.php': +# mode => '0755', +# source => 'puppet:///modules/mediawiki/init_wiki.php', +# } + $user = 'mediawiki' postgresql::remote_user { $user: @@ -25,7 +35,7 @@ class mediawiki::base { if $vhost { apache::vhost::redirect_ssl { $vhost: } - apache::vhost::base { "ssl_$vhost": + apache::vhost::base { "ssl_${vhost}": location => $root, use_ssl => true, vhost => $vhost, 
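Review bot: The switch from `$dbc->newFromParams(...)` to `new $dbclass(...)` cannot be exercised as committed: the same commit comments out the `file { '/usr/local/bin/init_wiki.php' }` deployment in mediawiki::base and the `deploy_db` exec in mediawiki::instance, so the script is neither installed nor invoked any more. Either keep the deployment (with a comment on why the constructor form is now required) or drop this file together with it, rather than leaving it half-maintained. The constructor argument order `(server, user, password, dbname, 1)` is carried over from the old `newFromParams` call; it is worth a comment naming the MediaWiki version whose `Database*` constructor accepts it.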
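Review bot: `$robotsfile = "$wiki_root/robots.txt"` uses the unbraced `$var` interpolation that the rest of this commit is replacing with `${var}` (see `"ssl_${vhost}"` a few lines below), and `$wiki_root` is only a second name for `$root`, which is already bound at the top of the class; `$robotsfile = "${root}/robots.txt"` would do. `owner => root, group => root` are barewords where the other resources in this module quote names (`owner => 'apache'` in mediawiki::instance); quoting them keeps the style uniform. The commented-out `init_wiki.php` block would read better as a one-line comment saying why it is disabled than as four dead lines.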
diff --git a/modules/mediawiki/manifests/config.pp b/modules/mediawiki/manifests/config.pp index 1375ea0b..0c54cdf6 100644 --- a/modules/mediawiki/manifests/config.pp +++ b/modules/mediawiki/manifests/config.pp @@ -1,9 +1,9 @@ # the class is just here to handle global configuration # a smart variation of the methods exposed on -# http://puppetlabs.com/blog/the-problem-with-separating-data-from-puppet-code/ +# https://puppetlabs.com/blog/the-problem-with-separating-data-from-puppet-code/ class mediawiki::config( $pgsql_password, $secretkey, $ldap_password, - $vhost = "wiki.$::domain", + $vhost = "wiki.${::domain}", $root = '/srv/wiki/') {} diff --git a/modules/mediawiki/manifests/instance.pp b/modules/mediawiki/manifests/instance.pp index 301c9809..c6906449 100644 --- a/modules/mediawiki/manifests/instance.pp +++ b/modules/mediawiki/manifests/instance.pp 
@@ -6,49 +6,95 @@ define mediawiki::instance( $title, $path = $name $lang = $name - $wiki_root = "$mediawiki::base::root/$path" - $db_name = "mediawiki_$name" + $wiki_root = "${mediawiki::base::root}/${path}" + $db_name = "mediawiki_${name}" $db_user = $mediawiki::base::user $db_password = $mediawiki::config::pgsql_password $secret_key = $mediawiki::config::secretkey $ldap_password = $mediawiki::config::ldap_password + $includedir = "/usr/share/mediawiki/includes" + $maintenancedir = "/usr/share/mediawiki/maintenance" + $vendordir = "/usr/share/mediawiki/vendor" + $resourcesdir = "/usr/share/mediawiki/resources" + $extensionsdir = "/usr/share/mediawiki/extensions" file { $wiki_root: ensure => directory } - file { "$wiki_root/skins": + file { "${wiki_root}/skins": ensure => link, target => $skinsdir, require => File[$wiki_root], } + file { "${wiki_root}/includes": + ensure => link, + target => $includedir, + require => File[$wiki_root], + } - exec { "wikicreate $name": - command => "mediawiki-create $wiki_root", - cwd => $mediawiki::base::root, - require => [File[$wiki_root],Package['mediawiki-minimal']], - creates => "$wiki_root/index.php", + file { "${wiki_root}/maintenance": + ensure => link, + target => $maintenancedir, + require => File[$wiki_root], + } + + file { "${wiki_root}/vendor": + ensure => link, + target => $vendordir, + require => File[$wiki_root], + } + + file { "${wiki_root}/resources": + ensure => link, + target => $resourcesdir, + require => File[$wiki_root], } - postgresql::remote_database { $db_name: - user => $db_user, - callback_notify => Exec["deploy_db $name"], + file { "${wiki_root}/extensions": + ensure => link, + target => $extensionsdir, + require => File[$wiki_root], } - exec { "deploy_db $name": - command => "php /usr/local/bin/init_wiki.php $wiki_root", - refreshonly => true, - onlyif => "/usr/bin/test -d $wiki_root/config", + file { "${wiki_root}/cache": + ensure => directory, + owner => apache, + mode => '0755', } - file { 
"$wiki_root/LocalSettings.php": + file { "${wiki_root}/tmp": + ensure => directory, + owner => apache, + mode => '0755', + } + + exec { "wikicreate ${name}": + command => "mediawiki-create ${wiki_root}", + cwd => $mediawiki::base::root, + require => [File[$wiki_root],Package['mediawiki']], + creates => "${wiki_root}/index.php", + } + +# postgresql::remote_database { $db_name: +# user => $db_user, +# callback_notify => Exec["deploy_db ${name}"], +# } +# +# exec { "deploy_db ${name}": +# command => "php /usr/local/bin/init_wiki.php ${wiki_root}", +# refreshonly => true, +# onlyif => "/usr/bin/test -d ${wiki_root}/config", +# } + + file { "${wiki_root}/LocalSettings.php": owner => 'apache', mode => '0600', content => template('mediawiki/LocalSettings.php'), # if LocalSettings is created first, the wikicreate script # do not create a confg directory, and so it doesn't # trigger deploy_db exec - require => Exec["wikicreate $name"], + require => Exec["wikicreate ${name}"], } } diff --git a/modules/mediawiki/templates/LocalSettings.php b/modules/mediawiki/templates/LocalSettings.php index 3e0b7bd3..c340dfd9 100644 --- a/modules/mediawiki/templates/LocalSettings.php +++ b/modules/mediawiki/templates/LocalSettings.php 
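Review bot: The comment above `require => Exec["wikicreate ${name}"]` still justifies the ordering in terms of the `deploy_db` exec and its config directory, but this hunk comments `deploy_db` out, so the reason it gives no longer exists; if the ordering is still needed, restate it in current terms, e.g. `# mediawiki-create must run before LocalSettings.php exists or it skips setup`, otherwise drop the require with the comment. The new `$includedir`, `$maintenancedir`, `$vendordir`, `$resourcesdir` and `$extensionsdir` all repeat the `/usr/share/mediawiki` prefix that LocalSettings.php also hardcodes as `$IP`; a single `$mw_root` variable would keep them in step. The commented-out `postgresql::remote_database` and `deploy_db` resources are left as eleven dead lines; a short comment on why database setup is no longer driven from here would carry the same information.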
@@ -7,105 +7,121 @@ # file, not there. # # Further documentation for configuration settings may be found at: -# http://www.mediawiki.org/wiki/Manual:Configuration_settings +# https://www.mediawiki.org/wiki/Manual:Configuration_settings +# Protect against web entry +if ( !defined( 'MEDIAWIKI' ) ) { + exit; +} + +## Installation path (should default to this value, but define for clarity) $IP = '/usr/share/mediawiki'; -if (! isset($DIR)) $DIR = getcwd(); +## Include path necessary to load LDAP module $path = array( $IP, "$IP/includes", "$IP/languages" ); set_include_path( implode( PATH_SEPARATOR, $path ) . PATH_SEPARATOR . get_include_path() ); -require_once( "$IP/includes/DefaultSettings.php" ); - -if ( $wgCommandLineMode ) { - if ( isset( $_SERVER ) && array_key_exists( 'REQUEST_METHOD', $_SERVER ) ) { - die( "This script must be run from the command line\n" ); - } -} ## Uncomment this to disable output compression # $wgDisableOutputCompression = true; -$wgSitename = "<%= title %>"; +$wgSitename = "<%= @title %>"; +# $wgMetaNamespace = ""; # Defaults to $wgSitename ## The URL base path to the directory containing the wiki; ## defaults for all runtime URL paths are based off of this. -## For more information on customizing the URLs please see: -## http://www.mediawiki.org/wiki/Manual:Short_URL -$wgScriptPath = "/<%= path %>"; -$wgScriptExtension = ".php"; +## For more information on customizing the URLs +## (like /w/index.php/Page_title to /wiki/Page_title) please see: +## https://www.mediawiki.org/wiki/Manual:Short_URL +$wgScriptPath = "/<%= @path %>"; + +## The protocol and server name to use in fully-qualified URLs +$wgServer = "https://wiki.mageia.org"; + +## The URL path to static resources (images, scripts, etc.) +$wgResourceBasePath = $wgScriptPath; ## The relative URL path to the skins directory -$wgStylePath = "$wgScriptPath/skins"; +$wgStylePath = "$wgScriptPath/skins"; ## The relative URL path to the logo. 
Make sure you change this from the default, ## or else you'll overwrite your logo when you upgrade! -$wgLogo = "$wgStylePath/common/images/wiki.png"; +$wgLogo = "$wgStylePath/common/images/wiki_mga.png"; ## UPO means: this is also a user preference option -$wgEnableEmail = true; -$wgEnableUserEmail = true; # UPO +$wgEnableEmail = true; +$wgEnableUserEmail = true; # UPO -$wgEmergencyContact = "root@<%= domain %>"; -$wgPasswordSender = "root@<%= domain %>"; +$wgEmergencyContact = "root@<%= @domain %>"; +$wgPasswordSender = "wiki_noreply@ml.<%= @domain %>"; $wgEnotifUserTalk = true; # UPO $wgEnotifWatchlist = true; # UPO $wgEmailAuthentication = true; ## Database settings -$wgDBtype = "postgres"; -$wgDBserver = "pgsql.<%= domain %>"; -$wgDBname = "<%= db_name %>"; -$wgDBuser = "<%= db_user %>"; -$wgDBpassword = "<%= db_password %>"; +$wgDBtype = "postgres"; +$wgDBserver = "pg.<%= @domain %>"; +$wgDBname = "<%= @db_name %>"; +$wgDBuser = "<%= @db_user %>"; +$wgDBpassword = "<%= @db_password %>"; # Postgres specific settings -$wgDBport = "5432"; -$wgDBmwschema = "mediawiki"; -$wgDBts2schema = "public"; +$wgDBport = "5432"; +$wgDBmwschema = "mediawiki"; +$wgDBts2schema = "public"; ## Shared memory settings $wgMainCacheType = CACHE_NONE; -$wgMemCachedServers = array(); +$wgMemCachedServers = []; ## To enable image uploads, make sure the 'images' directory ## is writable, then set this to true: -$wgEnableUploads = false; -# use gd, as convert do not work for big image +$wgEnableUploads = true; +# use gd, as convert do not work for big image # see https://bugs.mageia.org/show_bug.cgi?id=3202 -$wgUseImageMagick = false; +$wgUseImageMagick = true; #$wgImageMagickConvertCommand = "/usr/bin/convert"; +# InstantCommons allows wiki to use images from https://commons.wikimedia.org +$wgUseInstantCommons = false; + ## If you use ImageMagick (or any other shell command) on a ## Linux server, this will need to be set to the name of an ## available UTF-8 locale $wgShellLocale = 
"en_US.UTF-8"; -## If you want to use image uploads under safe mode, -## create the directories images/archive, images/thumb and -## images/temp, and make them all writable. Then uncomment -## this, if it's not already uncommented: -# $wgHashedUploadDirectory = false; - -## If you have the appropriate support software installed -## you can enable inline LaTeX equations: -$wgUseTeX = false; - ## Set $wgCacheDirectory to a writable directory on the web server ## to make your wiki go slightly faster. The directory should not -## be publically accessible from the web. -#$wgCacheDirectory = "$IP/cache"; +## be publicly accessible from the web. +# This seems actually mandatory to get the Vector skin to work properly +# https://serverfault.com/a/744059 +# FIXME: Dehardcode that path (maybe via ${wiki_root} if exposed?) +$wgCacheDirectory = "/srv/wiki/<%= @path %>/cache"; -$wgLocalInterwiki = strtolower( $wgSitename ); +$wgUploadDirectory = "/srv/wiki/<%= @path %>/images"; -$wgLanguageCode = "<%= lang %>"; +# This seems mandatory to get the Vector skin to work properly +# https://phabricator.wikimedia.org/T119934 +# FIXME: Dehardcode that path (maybe via ${wiki_root} if exposed?) +$wgTmpDirectory = "/srv/wiki/<%= @path %>/tmp"; -$wgSecretKey = "<%= secret_key %>"; +# Array of interwiki prefixes for current wiki. +$wgLocalInterwikis = array( strtolower( $wgSitename ) ); -## Default skin: you can change the default skin. Use the internal symbolic -## names, ie 'vector', 'monobook': -$wgDefaultSkin = 'modern'; +# Site language code, should be one of the list in ./languages/data/Names.php +$wgLanguageCode = "<%= @lang %>"; + +$wgSecretKey = "<%= @secret_key %>"; + +# Changing this will log out all existing sessions. +$wgAuthenticationTokenVersion = "1"; + +# Site upgrade key. 
Must be set to a string (default provided) to turn on the +# web installer while LocalSettings.php is in place +# FIXME: This should be set to a secure value: +# https://www.mediawiki.org/wiki/Manual:$wgUpgradeKey +# $wgUpgradeKey = ""; ## For attaching licensing metadata to pages, and displaying an ## appropriate copyright notice / icon. GNU Free Documentation 
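Review bot: `$wgServer = "https://wiki.mageia.org";` hardcodes one host while every other host in this template is derived from `<%= @domain %>` and config.pp sets `$vhost = "wiki.${::domain}"`; `$wgServer = "https://wiki.<%= @domain %>";` keeps the template usable across domains and for any second instance. The two FIXMEs about dehardcoding `/srv/wiki/<%= @path %>/cache` and `/tmp` look solvable now: the template is rendered from `mediawiki::instance`, where `$wiki_root` is a local variable, so `<%= @wiki_root %>/cache` and `<%= @wiki_root %>/tmp` should resolve — verify on a catalog compile. `# $wgUpgradeKey = ""` is left commented with a FIXME asking for "a secure value", but the comment right above it says the key only exists to turn the web installer on while LocalSettings.php is in place, so leaving it unset is the safe state and the FIXME should say that rather than suggest a value is missing.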
@@ -113,17 +129,41 @@ $wgDefaultSkin = 'modern'; $wgEnableCreativeCommonsRdf = true; # TODO add a proper page $wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright -$wgRightsUrl = "http://creativecommons.org/licenses/by-sa/3.0/"; -$wgRightsText = "Creative Common - Attibution - ShareAlike 3.0"; +$wgRightsUrl = "https://creativecommons.org/licenses/by-sa/3.0/"; +$wgRightsText = "Creative Commons - Attribution-ShareAlike 3.0 Unported"; # TODO get the icon to host it on our server -$wgRightsIcon = "http://i.creativecommons.org/l/by-sa/3.0/88x31.png"; -# $wgRightsCode = "gfdl1_3"; # Not yet used +$wgRightsIcon = "https://licensebuttons.net/l/by-sa/3.0/88x31.png"; +# Path to the GNU diff3 utility. Used for conflict resolution. $wgDiff3 = "/usr/bin/diff3"; -# When you make changes to this configuration file, this will make -# sure that cached pages are cleared. -$wgCacheEpoch = max( $wgCacheEpoch, gmdate( 'YmdHis', @filemtime( __FILE__ ) ) ); +## Default skin: you can change the default skin. Use the internal symbolic +## names, ie 'vector', 'monobook': +$wgDefaultSkin = 'vector'; + +# Enabled skins. +# The following skins were automatically enabled: +wfLoadSkin( 'MonoBook' ); +wfLoadSkin( 'Vector' ); + + +# End of automatically generated settings. +# Add more configuration options below. + + +# Setting this to true will invalidate all cached pages whenever +# LocalSettings.php is changed. +$wgInvalidateCacheOnLocalSettingsChange = true; + +# FIXME: Obsoleted, to be replaced by $wgPasswordPolicy +# https://www.mediawiki.org/wiki/Manual:$wgPasswordPolicy +$wgMinimalPasswordLength = 1; + +# Give more details on errors +$wgShowExceptionDetails = true; + + +## LDAP setup require_once 'extensions/LdapAuthentication/LdapAuthentication.php'; $wgAuth = new LdapAuthenticationPlugin(); 
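Review bot: `$wgShowExceptionDetails = true;` is added unconditionally, so on the public wiki every uncaught exception renders its stack trace, filesystem paths and possibly query text to anonymous visitors; it is a debugging aid that should be off in production, `$wgShowExceptionDetails = false;`, or driven by a template variable so it can be switched per instance. The relocated `$wgMinimalPasswordLength = 1;` carries its own FIXME; with LDAP authentication it may be moot, but the comment should state whether local (non-LDAP) accounts can exist, because that decides whether the weak minimum matters.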
@@ -132,39 +172,37 @@ $wgAuth = new LdapAuthenticationPlugin(); # $wgLDAPDebug = 10; # $wgDebugLogGroups["ldap"] = "/tmp/wiki_ldap.log"; # -# $wgDebugLogFile = "/tmp/wiki.log"; +$wgDebugLogFile = "/tmp/wiki.log"; # $wgLDAPUseLocal = false; -$wgLDAPDomainNames = array( 'ldap'); +$wgLDAPDomainNames = array( 'ldap' ); + +# TODO make it workable with more than one server +$wgLDAPServerNames = array( 'ldap' => 'ldap.<%= @domain %>' ); + +$wgLDAPSearchStrings = array( 'ldap' => 'uid=USER-NAME,ou=People,<%= @dc_suffix %>' ); -#TODO make it workable with more than one server -$wgLDAPServerNames = array( 'ldap' => 'ldap.<%= domain %>' ); - -$wgLDAPSearchStrings = array( 'ldap' => 'uid=USER-NAME,ou=People,<%= dc_suffix %>'); +$wgLDAPEncryptionType = array( 'ldap' => 'tls' ); -$wgLDAPEncryptionType = array( 'ldap' => 'tls'); +$wgLDAPBaseDNs = array( 'ldap' => '<%= @dc_suffix %>' ); +$wgLDAPUserBaseDNs = array( 'ldap' => 'ou=People,<%= @dc_suffix %>' ); +$wgLDAPGroupBaseDNs = array ( 'ldap' => 'ou=Group,<%= @dc_suffix %>' ); -$wgLDAPBaseDNs = array( 'ldap' => '<%= dc_suffix %>'); -$wgLDAPUserBaseDNs = array( 'ldap' => 'ou=People,<%= dc_suffix %>'); -$wgLDAPGroupBaseDNs = array ( 'ldap' => 'ou=Group,<%= dc_suffix %>' ); +$wgLDAPProxyAgent = array( 'ldap' => 'cn=mediawiki-alamut,ou=System Accounts,<%= @dc_suffix %>' ); -$wgLDAPProxyAgent = array( 'ldap' => 'cn=mediawiki-alamut,ou=System Accounts,<%= dc_suffix %>'); - -$wgLDAPProxyAgentPassword = array( 'ldap' => '<%= ldap_password %>' ); +$wgLDAPProxyAgentPassword = array( 'ldap' => '<%= @ldap_password %>' ); -$wgLDAPUseLDAPGroups = array( "ldap" => true ); -$wgLDAPGroupNameAttribute = array( "ldap" => "cn" ); +$wgLDAPUseLDAPGroups = array( 'ldap' => true ); +$wgLDAPGroupNameAttribute = array( 'ldap' => 'cn' ); $wgLDAPGroupUseFullDN = array( 'ldap' => true ); $wgLDAPLowerCaseUsername = array( 'ldap' => true ); $wgLDAPGroupObjectclass = array( 'ldap' => 'posixGroup' ); $wgLDAPGroupAttribute = array( 'ldap' => 'member' ); 
-$wgLDAPLowerCaseUsername = array( "ldap" => true ); - -$wgLDAPPreferences = array( "ldap" => array( "email"=>"mail","realname"=>"cn","nickname"=>"uid","language"=>"preferredlanguage") ); +$wgLDAPLowerCaseUsername = array( 'ldap' => true ); -$wgMinimalPasswordLength = 1; +$wgLDAPPreferences = array( 'ldap' => array( 'email'=>'mail','realname'=>'cn','nickname'=>'uid','language'=>'preferredlanguage') ); -<%= wiki_settings %> +<%= @wiki_settings %> diff --git a/modules/mediawiki/templates/wiki_vhost.conf b/modules/mediawiki/templates/wiki_vhost.conf index 3fe038c3..1ae3492d 100644 --- a/modules/mediawiki/templates/wiki_vhost.conf +++ b/modules/mediawiki/templates/wiki_vhost.conf @@ -1,9 +1,9 @@ # heavily used by the wiki farm stuff -<Directory <%= root %>> +<Directory <%= @root %>> Options +FollowSymLinks </Directory> -<Directory <%= root %>/images> +<Directory <%= @root %>/images> SetHandler default-handler </Directory> diff --git a/modules/mga-advisories/manifests/init.pp b/modules/mga-advisories/manifests/init.pp new file mode 100644 index 00000000..1937bb62 --- /dev/null +++ b/modules/mga-advisories/manifests/init.pp 
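Review bot: `$wgDebugLogFile = "/tmp/wiki.log";` is now enabled unconditionally where the old template left it commented out; MediaWiki's debug log records request details and can include user data, and a fixed filename in the shared `/tmp` can be pre-created or symlinked by any local account before the web server first writes it. A path under a dedicated, root-owned log directory (for example `"/var/log/mediawiki/wiki.log"`, created by the manifest with restricted permissions), or leaving the line commented as before, would avoid both issues. The rest of the hunk is a quoting and `@`-variable cleanup and appears equivalent to the old lines.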
@@ -0,0 +1,98 @@ +class mga-advisories( + $advisories_svn = "svn://svn.${::domain}/svn/advisories", + $vhost +){ + $mgaadv_login = 'mga-advisories' + $mgaadv_homedir = "/var/lib/${mgaadv_login}" + $vhostdir = "${mgaadv_homedir}/vhost" + $advisories_dir = "${mgaadv_homedir}/advisories" + $status_dir = "${mgaadv_homedir}/status" + $update_script = '/usr/local/bin/update_mga-advisories' + $move_script = '/root/tmp/mgatools-new/mga-move-pkg' + $move_wrapper_script = '/usr/local/bin/mga-adv-move-pkg' + + group { $mgaadv_login: + ensure => present, + } + + user { $mgaadv_login: + ensure => present, + home => $mgaadv_homedir, + managehome => true, + gid => $mgaadv_login, + } + + package { 'mga-advisories': + ensure => installed, + } + + file {'/etc/mga-advisories.conf': + ensure => present, + owner => root, + group => root, + mode => '0644', + content => template('mga-advisories/mga-advisories.conf'), + require => Package['mga-advisories'], + } + + file { [ $vhostdir, $status_dir ]: + ensure => directory, + owner => $mgaadv_login, + group => $mgaadv_login, + mode => '0755', + } + + $vhost_aliases = { + "/static" => '/usr/share/mga-advisories/static', + } + apache::vhost::base { $vhost: + location => $vhostdir, + aliases => $vhost_aliases, + require => File[$vhostdir], + } + + apache::vhost::base { "ssl_${vhost}": + use_ssl => true, + vhost => $vhost, + aliases => $vhost_aliases, + location => $vhostdir, + require => File[$vhostdir], + } + + subversion::snapshot { $advisories_dir: + source => $advisories_svn, + user => $mgaadv_login, + refresh => '0', + require => User[$mgaadv_login], + } + + file { $update_script: + ensure => present, + owner => root, + group => root, + mode => '0755', + content => template('mga-advisories/update_script'), + } + + file { $move_wrapper_script: + ensure => present, + owner => root, + group => root, + mode => '0755', + content => template('mga-advisories/adv-move-pkg'), + } + + sudo::sudoers_config { 'mga-adv-move-pkg': + content => 
template('mga-advisories/sudoers.adv-move-pkg') + } + + # Disable for now... we may re-instate once it's been a little more tested. + #cron { $update_script: + # command => $update_script, + # user => $mgaadv_login, + # hour => '*', + # minute => '10', + # require => Subversion::Snapshot[$advisories_dir], + #} +} +# vim: sw=2 diff --git a/modules/mga-advisories/templates/adv-move-pkg b/modules/mga-advisories/templates/adv-move-pkg new file mode 100644 index 00000000..71e1880e --- /dev/null +++ b/modules/mga-advisories/templates/adv-move-pkg @@ -0,0 +1,8 @@ +#!/bin/sh + +if [ "$USER" != "<%= @mgaadv_login %>" ]; then + echo "This script must be run as the <%= @mgaadv_login %> user." >&2 + exit 1 +fi + +exec sudo <%= @move_script %> "$@" diff --git a/modules/mga-advisories/templates/mga-advisories.conf b/modules/mga-advisories/templates/mga-advisories.conf new file mode 100644 index 00000000..4dab1543 --- /dev/null +++ b/modules/mga-advisories/templates/mga-advisories.conf @@ -0,0 +1,14 @@ +mode: site +send_adv_mail: yes +move_pkg_cmd: <%= @move_wrapper_script %> +send_report_mail: yes +out_dir: <%= @vhostdir %> +advisories_dir: <%= @advisories_dir %> +status_dir: <%= @status_dir %> +adv_mail_to: updates-announce@ml.mageia.org +adv_mail_from: Mageia Updates <buildsystem-daemon@mageia.org> +report_mail_to: qa-reports@ml.mageia.org +report_mail_from: Mageia Advisories <buildsystem-daemon@mageia.org> +bugzilla_url: https://bugs.mageia.org/ +bugzilla_login: bot +bugzilla_password: file:///var/lib/git/.gitzilla-password diff --git a/modules/mga-advisories/templates/sudoers.adv-move-pkg b/modules/mga-advisories/templates/sudoers.adv-move-pkg new file mode 100644 index 00000000..5d9618a9 --- /dev/null +++ b/modules/mga-advisories/templates/sudoers.adv-move-pkg @@ -0,0 +1 @@ +<%= @mgaadv_login %> ALL=(root) NOPASSWD:<%= @move_script %> * 
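Review bot: `$move_script = '/root/tmp/mgatools-new/mga-move-pkg'` is the target of the passwordless root rule in the `sudoers.adv-move-pkg` template, yet it is a temporary-looking path that no resource in this manifest (or, as far as this diff shows, any package) installs, so the rule's target lives outside configuration management and can change or vanish without Puppet noticing. The script should be delivered by a package or a root-owned `file` resource with mode `'0755'` and `$move_script` should point at that managed path; the trailing `*` in the sudoers line then grants any argument list to that one managed program, which is at least auditable. A short comment above `$move_script` explaining where the tool comes from would help until that is done.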
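Review bot: `bugzilla_password: file:///var/lib/git/.gitzilla-password` makes mga-advisories read a credential file that, judging by its path, belongs to the git service; nothing in this change gives the `mga-advisories` user read access to it, and whether that file is group- or world-readable is not visible here. Either provision a separate credential file owned by `mga-advisories` with mode 0600 (the way `mgapeople` handles its `bindpw_file` in this same change) or document the expected ownership next to this line so the cross-service dependency is explicit. `/etc/mga-advisories.conf` being mode 0644 is fine as long as it holds only the path and not the secret itself.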
diff --git a/modules/mga-advisories/templates/update_script b/modules/mga-advisories/templates/update_script
new file mode 100644
index 00000000..71d8d1d4
--- /dev/null
+++ b/modules/mga-advisories/templates/update_script
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+if [ "$UID" = "0" ]; then
+ echo "Re-running as '<%= @mgaadv_login %>' user." >&2
+ exec /bin/su -c <%= @update_script %> - <%= @mgaadv_login %>
+fi
+
+if [ "$USER" != "<%= @mgaadv_login %>" ]; then
+ echo "This script must be run as the <%= @mgaadv_login %> user." >&2
+ exit 1
+fi
+
+cd <%= @advisories_dir %>
+svn up
+exec /usr/bin/mgaadv process
diff --git a/modules/mga-common/manifests/local_script.pp b/modules/mga-common/manifests/local_script.pp
deleted file mode 100644
index 0b8f4514..00000000
--- a/modules/mga-common/manifests/local_script.pp
+++ /dev/null
@@ -1,11 +0,0 @@
-define mga-common::local_script($content,
- $owner = 'root',
- $group = 'root',
- $mode = '0755') {
- file { "/usr/local/bin/$name":
- owner => $owner,
- group => $group,
- mode => $mode,
- content => $content,
- }
-}
diff --git a/modules/mga-mirrors/files/check_mirrors_status b/modules/mga-mirrors/files/check_mirrors_status
new file mode 100755
index 00000000..9c00ac8d
--- /dev/null
+++ b/modules/mga-mirrors/files/check_mirrors_status
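Review bot: `if [ "$UID" = "0" ]; then` never fires when `/bin/sh` is not bash, because `$UID` is a bash/zsh variable rather than a POSIX one; the test then compares an empty string, the `su` re-exec is skipped, and a root invocation carries on to `svn up` as root, leaving root-owned files in the working copy. `if [ "$(id -u)" = "0" ]; then` is the portable form. The following `[ "$USER" != "<%= @mgaadv_login %>" ]` test, which the `adv-move-pkg` wrapper in the previous hunk repeats, reads an environment variable the caller sets freely, so it is a convenience check only; `"$(id -un)"` would at least reflect the real account. The `su -c <%= @update_script %>` line also relies on that path containing no spaces, which holds for the value set in `init.pp` but is worth a quote.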
@@ -0,0 +1,271 @@ +#!/usr/bin/ruby + +require 'date' +require 'net/http' +require 'optparse' +require 'thread' +require 'uri' + +def get_dates(base, archs_per_distro, optional=true) + r = {} + begin + r['base'] = get_timestamp(base) + rescue Net::OpenTimeout, Timeout::Error, ArgumentError, NoMethodError, Errno::EHOSTUNREACH, Errno::ECONNREFUSED, Errno::ECONNRESET, IOError, OpenSSL::SSL::SSLError => e + end + + archs_per_distro.each{|d, archs| + r[d] = {} + archs.each{|a| + begin + r[d][a] = get_date(base, d, a) + rescue Net::OpenTimeout, Timeout::Error, ArgumentError, NoMethodError, Errno::EHOSTUNREACH, Errno::ECONNREFUSED, Errno::ECONNRESET, IOError, OpenSSL::SSL::SSLError => e + if !optional then + STDERR.puts "Failed to fetch #{version_url(base, d, a)}" + raise + end + end + } + } + r +end + +def get_mirrors + # TODO Get it from the DB + mirrors = [] + url = nil + tier1 = false + fetch_url("https://mirrors.mageia.org/").each_line{|l| + if l =~ /rsync.mageia.org/ then + tier1 = true + next + end + if l=~ /<\/tr>/ && !url.nil? then + if tier1 then + mirrors.prepend url + tier1 = false + else + mirrors.append url + end + url = nil + next + end + next unless l =~ /https?:.*>http/ + # No need to check twice mirrors available in http + https + if !url.nil? 
&& url =~ /https:/ && l =~ /https:\/\// + # Skip http:// if https:// already seen for current mirror + # If the are in the other order http one will just be replaced + next + end + url = l.sub(/<a href="(http[^"]*)".*\n/, '\1') + url += "/" unless url =~ /\/$/ + } + mirrors +end + +def fetch_url(url, redirect_limit = 3) + return if redirect_limit < 0 + if url =~ /^\// then + open(url){|f| + return f.read + } + else + uri = URI.parse(url) + http = Net::HTTP.new(uri.host, uri.port) + http.open_timeout = 30 + http.read_timeout = 30 + if uri.scheme == 'https' then + http.use_ssl = true + end + # Ruby 1.8.7 doesn't set a default User-Agent which causes at + # least one mirror to return 403 + response = http.get(uri.path, {'User-Agent' => 'check_mirrors'}) + case response + when Net::HTTPSuccess then + return response.body + when Net::HTTPRedirection then + location = response['location'] + # Make location absolute if it was not + if location =~ /:\/\// then + fetch_url(location, redirect_limit - 1) + else + uri.path = location + fetch_url(uri.to_s, redirect_limit - 1) + end + end + end +end + +def timestamp_url(url) + "#{url}mageia_timestamp" +end + +def get_timestamp(url) + ti = fetch_url(timestamp_url(url)).to_i + if ti == 0 then + return nil + end + return DateTime.strptime(ti.to_s, '%s') +end + +def parse_version(version) + date = version.sub(/.* (........ 
..:..)$/, '\1').rstrip + DateTime.strptime(date, '%Y%m%d %H:%M') +end + +def version_url(url, distrib, arch) + "#{url}distrib/#{distrib}/#{arch}/VERSION" +end + +def get_date(url, distrib, arch) + return parse_version(fetch_url(version_url(url, distrib, arch))) +end + +def format_age(ref_time, time) + return " <td class='broken'>X</td>" unless ref_time and time + + diff = ref_time - time + cls = 'broken' + if diff == 0 then + cls = 'ok' + elsif diff < 0.5 then + cls = 'almost' + elsif diff < 2 then + cls = 'bad' + end + if cls == 'ok' then + return " <td class='#{cls}'> </td>" + else + return " <td class='#{cls}'>#{time.strftime("%F %R")}</td>" + end +end + +def print_output(archs_per_distro, mirrors, ref_times, times) + puts "<html><head><title>Mageia Mirror Status #{Time.now.utc.strftime("%F")}</title> +<link rel=\"icon\" type=\"image/png\" href=\"//www.mageia.org/g/favicon.png\"> +<style> +td.broken {background-color:#FF0033;} +td.bad {background-color:#FF9933;} +td.almost {background-color:#CCFF66;} +td.ok {background-color:#00FF66;} + +td {text-align:center;} +td.name {text-align:left;} + +td.sep {width:12px;} +table.legend td {padding:4px;} + +th {background-color:#EEEEEE;} +</style> +</head> +<body>" + puts "Last checked on #{Time.now.utc.strftime("%F %R %Z")}<br/>" + puts "<table class='legend'><tr><td class='ok'>Up to date</td><td class='almost'>Less than 12h old</td><td class='bad'>Less than 2 days old</td><td class='broken'>Old or broken</td></tr></table>" + puts "<table><thead>" + puts "<tr><td/>" + puts "<td/><th>Base directory</th>" + archs_per_distro.each{|d, archs| + nb_arches = archs.size + puts " <td/><th colspan='#{nb_arches}'>#{d}</th>" + } + puts "</tr>" + puts "<tr><td/><td/><td/>" + archs_per_distro.each{|d, archs| + puts " <td class='sep' />" + archs.each{|a| + puts " <th>#{a}</th>" + } + } + puts "</tr></thead>" + puts "<tbody>" + puts "<tr><td class='name'>Reference</td>" + puts " <td class='sep' />" + puts " <td>#{!ref_times['base'].nil? 
? ref_times['base'].strftime("%F %R") : "?"}</td>" + archs_per_distro.each{|d, archs| + puts " <td class='sep' />" + archs.each{|a| + puts " <td>#{ref_times[d][a].strftime("%F %R")}</td>" + } + } + puts "</tr>" + + mirrors.each{|u| + puts "<tr><td class='name'><a href='#{u}'>#{u}</a></td>" + puts " <td class='sep' />" + puts format_age(ref_times['base'], times[u]['base']) + archs_per_distro.each{|d, archs| + puts " <td class='sep' />" + archs.each{|a| + puts format_age(ref_times[d][a], times[u][d][a]) + } + } + puts "</tr>" + } + puts "</tbody></table>" + puts "</body></html>" +end + + + +# Defaults +ref = 'http://repository.mageia.org/' +archs_per_distro = { + 'cauldron' => ['i686', 'x86_64', 'armv7hl', 'aarch64'], + '9' => ['i586', 'x86_64', 'armv7hl', 'aarch64'] +} +parallel = 8 + +OptionParser.new {|opts| + opts.banner = "Usage: #{$0} [options]" + opts.on("--repository URL", + "Reference repository. Default: #{ref}") { + |url| ref = url + } + opts.on("--parallel n", Integer, + "Max number of parallel connections. Default: #{parallel}") { + |n| $parallel = n + } + opts.on("--output file", + "Write output into given file. Default to STDOUT") { + |f| $stdout.reopen(f, "w") + } +}.parse! 
+ +# Get dates from the reference repository, and fail if some requested distros +# or archs are missing +ref_times = get_dates(ref, archs_per_distro, false) + +# Get the list of mirror URLs to check +mirrors = get_mirrors + +workqueue = Queue.new +times = {} + +# Create all the thread and have them loop on the work queue +threads = (1..parallel).map{|n| + Thread.new { + loop do + u = workqueue.pop + break if u == :exit + times[u] = get_dates(u, archs_per_distro) + end + } +} + +# Push all mirrors into the queue +mirrors.each{|u| + workqueue << u +} + +# Get all the threads to exit after all the work is done +parallel.times{|i| + workqueue << :exit +} + +# Wait for the threads to exit +threads.each{|t| + t.join +} + +# Generate output +print_output(archs_per_distro, mirrors, ref_times, times) + diff --git a/modules/mga-mirrors/manifests/init.pp b/modules/mga-mirrors/manifests/init.pp index ce55538a..4b8b5552 100644 --- a/modules/mga-mirrors/manifests/init.pp +++ b/modules/mga-mirrors/manifests/init.pp @@ -1,12 +1,26 @@ class mga-mirrors { - $vhost = "mirrors.$::domain" + $vhost = "mirrors.${::domain}" + $mirrors_dir = '/var/www/mirrors' package { 'mga-mirrors': } apache::vhost::catalyst_app { $vhost: script => '/usr/bin/mga_mirrors_fastcgi.pl', require => Package['mga-mirrors'], + aliases => { + '/status' => '/var/www/mirrors/status.html', + } + } + + apache::vhost::catalyst_app { "ssl_${vhost}": + script => '/usr/bin/mga_mirrors_fastcgi.pl', + require => Package['mga-mirrors'], + vhost => $vhost, + use_ssl => true, + aliases => { + '/status' => '/var/www/mirrors/status.html', + }, } $pgsql_password = extlookup('mga_mirror_pgsql','x') 
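Review bot: the `--parallel` option has no effect: its handler assigns the global `$parallel = n`, but the thread pool (`(1..parallel).map`) and the `:exit` sentinels (`parallel.times`) later read the local `parallel`, so `|n| parallel = n` is what was intended, as the neighbouring `--repository` handler does with `ref`. Secondly, `get_mirrors` interpolates every URL scraped from mirrors.mageia.org straight into `<a href='#{u}'>#{u}</a>` in `print_output`, so the generated page trusts that list byte for byte; `CGI.escapeHTML(u)` (with `require 'cgi'`) would keep a stray quote or tag in a mirror entry from breaking or altering the status page. Lastly, the `rescue` list in `get_dates` binds `e` without using it and silently drops every failure for optional mirrors; that is the intended behaviour, but a `STDERR.puts` there would make a broken mirror diagnosable from the cron mail instead of only from the HTML.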
@@ -23,8 +37,18 @@ class mga-mirrors { require => Package['mga-mirrors'] } - file { '/etc/cron.d/mga_mirrors': + file { '/etc/cron.d/check_mga_mirrors': content => template('mga-mirrors/cron-mga_mirrors'), require => Package['mga-mirrors'] } + + file { $mirrors_dir: + ensure => directory, + owner => 'nobody', + } + + file { '/usr/local/bin/check_mirrors_status': + mode => '0755', + source => 'puppet:///modules/mga-mirrors/check_mirrors_status', + } } diff --git a/modules/mga-mirrors/templates/cron-mga_mirrors b/modules/mga-mirrors/templates/cron-mga_mirrors index 0f9410a8..7236be04 100644 --- a/modules/mga-mirrors/templates/cron-mga_mirrors +++ b/modules/mga-mirrors/templates/cron-mga_mirrors @@ -1,2 +1,2 @@ MAILTO=root -0 * * * * apache /usr/bin/check_mirror > /dev/null 2>&1 +*/20 * * * * nobody /usr/local/bin/check_mirrors_status --output /var/www/mirrors/status.html.tmp && mv -f /var/www/mirrors/status.html.tmp /var/www/mirrors/status.html diff --git a/modules/mga-mirrors/templates/mga-mirrors.ini b/modules/mga-mirrors/templates/mga-mirrors.ini index ce7ee911..b438edd1 100644 --- a/modules/mga-mirrors/templates/mga-mirrors.ini +++ b/modules/mga-mirrors/templates/mga-mirrors.ini @@ -1,4 +1,4 @@ [db] -pgconn=host=pgsql.<%= domain %>;dbname=mirrors +pgconn=host=pg.<%= @domain %>;dbname=mirrors user=mirrors -password=<%= pgsql_password %> +password=<%= @pgsql_password %> diff --git a/modules/mga-treasurer/manifests/init.pp b/modules/mga-treasurer/manifests/init.pp new file mode 100644 index 00000000..d092e982 --- /dev/null +++ b/modules/mga-treasurer/manifests/init.pp 
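Review bot: `'/status' => '/var/www/mirrors/status.html'` hard-codes the path in both vhost resources even though the hunk introduces `$mirrors_dir = '/var/www/mirrors'` for exactly this purpose; `'/status' => "${mirrors_dir}/status.html"` keeps the aliases in step with the `file { $mirrors_dir: … }` resource in the next hunk. That directory is owned by `nobody` and the cron template runs `check_mirrors_status` as `nobody` too; `nobody` is shared by other unprivileged services on a typical host, so any of them could rewrite the status page served from this vhost, whereas a dedicated account (as `mga-advisories` and `mgapeople` get in this same change) would isolate it. The `file { '/usr/local/bin/check_mirrors_status': }` resource sets `mode` but no `owner`/`group`; root is presumably the default, but stating it makes the intent explicit.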
@@ -0,0 +1,91 @@ +class mga-treasurer( + $grisbi_git = "git://git.${::domain}/org/accounts", + $grisbi_filename = 'mageia-accounts.gsb', + $vhost, + $vhostdir +){ + $mgatres_login = 'mga-treasurer' + $mgatres_homedir = "/var/lib/${mgatres_login}" + $grisbi_dir = "${mgatres_homedir}/grisbi" + $grisbi_path = "${grisbi_dir}/${grisbi_filename}" + + $update_script = '/usr/local/bin/update_mga-treasurer' + + group { $mgatres_login: + ensure => present, + } + + user { $mgatres_login: + ensure => present, + comment => 'mga-treasurer user', + home => $mgatres_homedir, + managehome => true, + gid => $mgatres_login, + } + + package { 'mga-treasurer': + ensure => installed, + } + + file {'/etc/mga-treasurer.conf': + ensure => present, + owner => root, + group => root, + mode => '0644', + content => template('mga-treasurer/mga-treasurer.conf'), + require => Package['mga-treasurer'], + } + + file { $vhostdir: + ensure => directory, + owner => $mgatres_login, + group => $mgatres_login, + mode => '0755', + } + + apache::vhost::base { $vhost: + location => $vhostdir, + aliases => { + "/${grisbi_filename}" => $grisbi_path, + "/static" => '/usr/share/mga-treasurer/static', + }, + content => template('mga-treasurer/vhost_mga-treasurer.conf'), + require => File[$vhostdir], + } + + apache::vhost::base { "ssl_${vhost}": + use_ssl => true, + vhost => $vhost, + location => $vhostdir, + aliases => { + "/${grisbi_filename}" => $grisbi_path, + "/static" => '/usr/share/mga-treasurer/static', + }, + content => template('mga-treasurer/vhost_mga-treasurer.conf'), + require => File[$vhostdir], + } + + file { $update_script: + ensure => present, + owner => root, + group => root, + mode => '0755', + content => template('mga-treasurer/update_script'), + } + + git::snapshot { $grisbi_dir: + source => $grisbi_git, + user => $mgatres_login, + refresh => '0', + require => User[$mgatres_login], + } + + cron { $update_script: + command => $update_script, + user => $mgatres_login, + hour => '*/2', + minute 
=> '10', + require => Git::Snapshot[$grisbi_dir], + } +} +# vim: sw=2 diff --git a/modules/mga-treasurer/templates/mga-treasurer.conf b/modules/mga-treasurer/templates/mga-treasurer.conf new file mode 100644 index 00000000..75ac180f --- /dev/null +++ b/modules/mga-treasurer/templates/mga-treasurer.conf @@ -0,0 +1,2 @@ +grisbi_file: <%= @grisbi_path %> +out_dir: <%= @vhostdir %> diff --git a/modules/mga-treasurer/templates/update_script b/modules/mga-treasurer/templates/update_script new file mode 100644 index 00000000..30fab72d --- /dev/null +++ b/modules/mga-treasurer/templates/update_script @@ -0,0 +1,6 @@ +#!/bin/sh +set -e + +cd <%= @grisbi_dir %> +git pull +exec /usr/bin/mktreasurer diff --git a/modules/mga-treasurer/templates/vhost_mga-treasurer.conf b/modules/mga-treasurer/templates/vhost_mga-treasurer.conf new file mode 100644 index 00000000..763cd87d --- /dev/null +++ b/modules/mga-treasurer/templates/vhost_mga-treasurer.conf @@ -0,0 +1,3 @@ +<FilesMatch "\.json$"> + Header set Access-Control-Allow-Origin "*" +</FilesMatch> diff --git a/modules/mga_common/lib/puppet/parser/functions/group_members.rb b/modules/mga_common/lib/puppet/parser/functions/group_members.rb new file mode 100644 index 00000000..ea275be2 --- /dev/null +++ b/modules/mga_common/lib/puppet/parser/functions/group_members.rb @@ -0,0 +1,14 @@ +# group_members($group) +# -> return a array with the login of the group members + +module Puppet::Parser::Functions + newfunction(:group_members, :type => :rvalue) do |args| + group = args[0] + `getent group`.each_line do |l| + if l =~ /^#{group}:/ then + return l.chomp.split(':')[3].split(',') + end + end + raise ArgumentError, "can't find group for #{group}" + end +end diff --git a/modules/mga_common/lib/puppet/parser/functions/hash_keys.rb b/modules/mga_common/lib/puppet/parser/functions/hash_keys.rb new file mode 100644 index 00000000..3a926bee --- /dev/null +++ b/modules/mga_common/lib/puppet/parser/functions/hash_keys.rb 
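Review bot: `$grisbi_git = "git://git.${::domain}/org/accounts"` fetches the accounts ledger over the unauthenticated `git://` transport, so the `git pull` in `update_script` cannot verify which server it is talking to, and whatever it receives is published on the vhost (`"/${grisbi_filename}" => $grisbi_path`) with `Access-Control-Allow-Origin "*"` on the JSON; an `https://` or `ssh://` URL to the same repository gives transport authentication without changing anything else in the manifest. The two `apache::vhost::base` resources also repeat the same `aliases` hash; a `$vhost_aliases` variable, as `mga-advisories` and `mgapeople` do in this change, stops the two drifting apart.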
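Review bot: `if l =~ /^#{group}:/ then` in `group_members.rb` interpolates the function argument into a regex unescaped, so a group name containing metacharacters matches more than intended and a malformed one raises `RegexpError` from inside the catalog compile; `if l.split(':')[0] == group then` (or `Regexp.escape(group)`) is the fix. The header comment should also say that, being a parser function, this runs `getent group` on the puppet master and therefore returns the master's view of the group, not the agent's — easy to misread from the manifest side.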
@@ -0,0 +1,10 @@ +module Puppet::Parser::Functions + newfunction(:hash_keys, :type => :rvalue) do |args| + unless args[0].is_a?(Hash) + Puppet.warning "hash_keys takes one argument, the input hash" + nil + else + args[0].keys + end + end +end diff --git a/modules/mga_common/lib/puppet/parser/functions/hash_merge.rb b/modules/mga_common/lib/puppet/parser/functions/hash_merge.rb new file mode 100644 index 00000000..375bffa4 --- /dev/null +++ b/modules/mga_common/lib/puppet/parser/functions/hash_merge.rb @@ -0,0 +1,11 @@ +module Puppet::Parser::Functions + newfunction(:hash_merge, :type => :rvalue) do |args| + unless args[0].is_a?(Hash) and args[1].is_a?(Hash) + Puppet.warning "hash_merge takes two arguments" + nil + else + print "hash_merge\n" + args[0].merge(args[1]) + end + end +end diff --git a/modules/mga_common/lib/puppet/parser/functions/str_join.rb b/modules/mga_common/lib/puppet/parser/functions/str_join.rb new file mode 100644 index 00000000..c881c37d --- /dev/null +++ b/modules/mga_common/lib/puppet/parser/functions/str_join.rb @@ -0,0 +1,11 @@ +# str_join($array, $sep) +# -> return a string created by converting each element of the array to +# a string, separated by $sep + +module Puppet::Parser::Functions + newfunction(:str_join, :type => :rvalue) do |args| + array = args[0] + sep = args[1] + return array.join(sep) + end +end diff --git a/modules/mga_common/manifests/local_script.pp b/modules/mga_common/manifests/local_script.pp new file mode 100644 index 00000000..3272786b --- /dev/null +++ b/modules/mga_common/manifests/local_script.pp @@ -0,0 +1,22 @@ +define mga_common::local_script( + $content = undef, + $source = undef, + $owner = 'root', + $group = 'root', + $mode = '0755') { + $filename = "/usr/local/bin/${name}" + file { $filename: + owner => $owner, + group => $group, + mode => $mode, + } + if ($source == undef) { + File[$filename] { + content => $content, + } + } else { + File[$filename] { + source => $source, + } + } +} 
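Review bot: `print "hash_merge\n"` in `hash_merge.rb` is a leftover debug statement that writes to the master's stdout on every catalog compile that calls the function; drop it, or use `Puppet.debug "hash_merge"` if the trace is still wanted. The sibling `hash_keys` function in the previous hunk has no such line, so the two are inconsistent as well.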
diff --git a/modules/mga_common/manifests/var/perl.pp b/modules/mga_common/manifests/var/perl.pp new file mode 100644 index 00000000..47ff54be --- /dev/null +++ b/modules/mga_common/manifests/var/perl.pp @@ -0,0 +1,3 @@ +class mga_common::var::perl( + $site_perl_dir = '/usr/lib/perl5/site_perl' +) {} diff --git a/modules/mgapeople/manifests/init.pp b/modules/mgapeople/manifests/init.pp new file mode 100644 index 00000000..7c40ab9c --- /dev/null +++ b/modules/mgapeople/manifests/init.pp 
@@ -0,0 +1,77 @@ +class mgapeople( + $site_name = "people.${::domain}", + $groupbase = 'ou=Group,dc=mageia,dc=org', + $maintdburl = undef, + $ldap_server, + $binddn, + $bindpw, + $vhost, + $vhostdir +){ + $mgapeople_login = 'mgapeople' + $bindpw_file = '/etc/mgapeople.ldapsecret' + + group { $mgapeople_login: + ensure => present, + } + + user { $mgapeople_login: + ensure => present, + comment => 'mgapeople user', + home => "/var/lib/${mgapeople_login}", + managehome => true, + gid => $mgapeople_login, + } + + file { $bindpw_file: + ensure => present, + owner => $mgapeople_login, + group => $mgapeople_login, + mode => '0600', + content => $bindpw, + } + + package { 'mgapeople': + ensure => installed, + } + + file {'/etc/mgapeople.conf': + ensure => present, + owner => root, + group => root, + mode => '0644', + content => template('mgapeople/mgapeople.conf'), + require => Package['mgapeople'], + } + + file { $vhostdir: + ensure => directory, + owner => $mgapeople_login, + group => $mgapeople_login, + mode => '0755', + } + + $vhost_aliases = { + '/static' => '/usr/share/mgapeople/static', + } + apache::vhost::base { $vhost: + location => $vhostdir, + require => File[$vhostdir], + aliases => $vhost_aliases, + } + apache::vhost::base { "ssl_${vhost}": + vhost => $vhost, + use_ssl => true, + location => $vhostdir, + require => File[$vhostdir], + aliases => $vhost_aliases, + } + + cron { '/usr/bin/mkpeople': + command => '/usr/bin/mkpeople', + user => $mgapeople_login, + hour => '*/2', + minute => '10', + } +} +# vim: sw=2 diff --git a/modules/mgapeople/templates/mgapeople.conf b/modules/mgapeople/templates/mgapeople.conf new file mode 100644 index 00000000..5bc7b21b --- /dev/null +++ b/modules/mgapeople/templates/mgapeople.conf 
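Review bot: `content => $bindpw` writes the LDAP bind password through a plain `file` resource, so whenever the value changes the agent may log a content diff of the secret in its report and `--noop` output (subject to the global `show_diff` setting); adding `show_diff => false,` to the `file { $bindpw_file: … }` resource keeps the password out of reports. The mode `'0600'` and ownership by `$mgapeople_login` are right. Separately, `$groupbase = 'ou=Group,dc=mageia,dc=org'` hard-codes the base DN while the neighbouring default `$site_name = "people.${::domain}"` derives from `$::domain`; the mediawiki template in this same change uses a `dc_suffix` variable for the same value, and a matching parameter here would keep the two consistent.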
@@ -0,0 +1,17 @@ +ldapserver: <%= @ldap_server %> +binddn: <%= @binddn %> +bindpwfile: <%= @bindpw_file %> +groupbase: <%= @groupbase %> +output_dir: <%= @vhostdir %> +output_format: + - html + - txt +tmpl_dir: /usr/share/mgapeople/tmpl +<%- if @maintdburl -%> +maintdburl: <%= @maintdburl %> +<%- end -%> +sitename: <%= @site_name %> +staticdir_url: //people.mageia.org/static +links_protocol: https:// +package_url: https://svnweb.mageia.org/packages/cauldron/ +package_url_suffix: /current/ diff --git a/modules/mgasoft/manifests/init.pp b/modules/mgasoft/manifests/init.pp index 68c54ba7..70431701 100644 --- a/modules/mgasoft/manifests/init.pp +++ b/modules/mgasoft/manifests/init.pp @@ -1,5 +1,5 @@ class mgasoft( - $anonsvn_soft = 'svn://svn.mageia.org/svn/soft', + $anonsvn_soft = "svn://svn.${::domain}/svn/soft", $pubinfodir = '/var/lib/mgasoft/infos', $pubmirrordir = '/distrib/mirror/software', $svn_soft_publish = 'file:///svn/soft_publish', @@ -8,9 +8,8 @@ class mgasoft( group { $mgasoft_login: } user { $mgasoft_login: - comment => 'System user to publish software', managehome => true, - home => "/var/lib/$mgasoft_login", + home => "/var/lib/${mgasoft_login}", gid => $mgasoft_login, require => Group[$mgasoft_login], } diff --git a/modules/mgasoft/templates/mgasoft.conf b/modules/mgasoft/templates/mgasoft.conf index eaf6e416..81cce013 100644 --- a/modules/mgasoft/templates/mgasoft.conf +++ b/modules/mgasoft/templates/mgasoft.conf @@ -1,5 +1,5 @@ svn_soft=svn+ssh://svn.mageia.org/svn/soft -anonsvn_soft=<%= anonsvn_soft %> -svn_soft_publish=<%= svn_soft_publish %> -pubinfodir=<%= pubinfodir %> -pubmirrordir=<%= pubmirrordir %> +anonsvn_soft=<%= @anonsvn_soft %> +svn_soft_publish=<%= @svn_soft_publish %> +pubinfodir=<%= @pubinfodir %> +pubmirrordir=<%= @pubmirrordir %> diff --git a/modules/mirror/manifests/base.pp b/modules/mirror/manifests/base.pp index 7470547d..db48f808 100644 --- a/modules/mirror/manifests/base.pp +++ b/modules/mirror/manifests/base.pp 
@@ -10,7 +10,6 @@ class mirror::base { group { 'mirror': } user { 'mirror': - comment => 'System user use to run mirror scripts', gid => 'mirror', } } diff --git a/modules/mirror/manifests/mageia.pp b/modules/mirror/manifests/mageia.pp index 4b39ccb8..c14a09bb 100644 --- a/modules/mirror/manifests/mageia.pp +++ b/modules/mirror/manifests/mageia.pp @@ -1,7 +1,7 @@ class mirror::mageia { include mirror::base mirrordir { 'mageia': - remoteurl => "rsync://rsync.$::domain/mageia", + remoteurl => "rsync://rsync.${::domain}/mageia", localdir => '/distrib/mageia', } } diff --git a/modules/mirror/manifests/main.pp b/modules/mirror/manifests/main.pp index 2fef6800..f368038d 100644 --- a/modules/mirror/manifests/main.pp +++ b/modules/mirror/manifests/main.pp @@ -1,7 +1,7 @@ # For main Mageia mirror class mirror::main { include mirror::base - mga-common::local_script { 'update_timestamp': + mga_common::local_script { 'update_timestamp': content => template('mirror/update_timestamp') } @@ -9,6 +9,6 @@ class mirror::main { user => 'mirror', minute => '*/10', command => '/usr/local/bin/update_timestamp', - require => [Local_script['update_timestamp'], User['mirror']], + require => [Mga_common::Local_script['update_timestamp'], User['mirror']], } } diff --git a/modules/mirror/manifests/mirrordir.pp b/modules/mirror/manifests/mirrordir.pp index 49367116..2100bc6c 100644 --- a/modules/mirror/manifests/mirrordir.pp +++ b/modules/mirror/manifests/mirrordir.pp @@ -2,7 +2,7 @@ define mirror::mirrordir ($remoteurl, $localdir, $rsync_options='-avH --delete') { include mirror::base - $lockfile = "$mirror::base::locksdir/$name" + $lockfile = "${mirror::base::locksdir}/${name}" file { $localdir: ensure => directory, 
@@ -10,14 +10,14 @@ define mirror::mirrordir ($remoteurl, group => 'mirror', } - mga-common::local_script { "mirror_$name": + mga_common::local_script { "mirror_${name}": content => template('mirror/mirrordir'), } - cron { "mirror_$name": + cron { "mirror_${name}": user => mirror, minute => '*/10', - command => "/usr/local/bin/mirror_$name", - require => Local_script["mirror_$name"], + command => "/usr/local/bin/mirror_${name}", + require => Mga_common::Local_script["mirror_${name}"], } } diff --git a/modules/mirror/templates/mirrordir b/modules/mirror/templates/mirrordir index 53655aa0..9cf09650 100644 --- a/modules/mirror/templates/mirrordir +++ b/modules/mirror/templates/mirrordir @@ -1,9 +1,9 @@ #!/bin/sh -remoteurl="<%= remoteurl%>" -localdir="<%= localdir %>" -rsync_options="<%= rsync_options %>" -lockfile="<%= lockfile %>" +remoteurl="<%= @remoteurl%>" +localdir="<%= @localdir %>" +rsync_options="<%= @rsync_options %>" +lockfile="<%= @lockfile %>" if [ -f "$lockfile" ]; then # show error message when run from command line @@ -13,4 +13,3 @@ fi echo "sync in progress since $(date)" > "$lockfile" /usr/bin/rsync $rsync_options "$remoteurl" "$localdir" rm -f "$lockfile" - diff --git a/modules/mirror/templates/update_timestamp b/modules/mirror/templates/update_timestamp index a037d10d..1f7711c6 100644 --- a/modules/mirror/templates/update_timestamp +++ b/modules/mirror/templates/update_timestamp @@ -2,4 +2,4 @@ # $id$ -date +%s%n%c > /distrib/mirror/mageia_timestamp +LC_ALL=C.UTF-8 date -u '+%s%n%c %Z' > /distrib/mirror/mageia_timestamp diff --git a/modules/mirror_cleaner/files/orphans_cleaner.pl b/modules/mirror_cleaner/files/orphans_cleaner.pl index f1af3dee..73e08912 100755 --- a/modules/mirror_cleaner/files/orphans_cleaner.pl +++ b/modules/mirror_cleaner/files/orphans_cleaner.pl 
@@ -10,7 +10,7 @@ use File::Basename; use File::Copy; use File::Path qw(make_path); -my @arches = ('i586','x86_64'); +my @arches = ('i586','x86_64', 'aarch64'); my @sections = ('core','nonfree','tainted'); my @medias = ('backports', 'backports_testing', 'release', 'updates', 'updates_testing'); my $move_delay = 60*60*24*14; @@ -34,11 +34,11 @@ foreach my $a ( @arches ) { $binary_hdlist = "$rpm_path/media_info/hdlist.cz"; $source_hdlist = "$srpm_path/media_info/hdlist.cz"; - next if not -f $source_hdlist; - next if not -f $binary_hdlist; + next if not -f $source_hdlist; + next if not -f $binary_hdlist; - next if stat($source_hdlist)->size() <= 64; - next if stat($binary_hdlist)->size() <= 64; + next if stat($source_hdlist)->size() <= 64; + next if stat($binary_hdlist)->size() <= 64; open(my $hdfh, "zcat '$binary_hdlist' 2>/dev/null |") or die "Can't open $_"; while (my $hdr = stream2header($hdfh)) { @@ -60,15 +60,15 @@ foreach my $a ( @arches ) { # Be safe, maybe hdlists were not in sync next if -f "$srpm_path/$s"; foreach my $rpm ( @{$hash{$s}} ) { - $rpm = "$rpm_path/$rpm"; - # sometimes, packages are removed without hdlist to be updated - next if not -f "$rpm"; - if (time() > $move_delay + stat("$rpm")->ctime()) { - ( $dest_rpm = $rpm ) =~ s/$path/$dest_path/; - my $dir = dirname $dest_rpm; - make_path $dir if not -d $dir; - move($rpm, $dest_rpm) - } + $rpm = "$rpm_path/$rpm"; + # sometimes, packages are removed without hdlist to be updated + next if not -f "$rpm"; + if (time() > $move_delay + stat("$rpm")->ctime()) { + ( $dest_rpm = $rpm ) =~ s/$path/$dest_path/; + my $dir = dirname $dest_rpm; + make_path $dir if not -d $dir; + move($rpm, $dest_rpm) + } } } } diff --git a/modules/mirror_cleaner/manifests/orphans.pp b/modules/mirror_cleaner/manifests/orphans.pp index 135fc822..90be9a8c 100644 --- a/modules/mirror_cleaner/manifests/orphans.pp +++ b/modules/mirror_cleaner/manifests/orphans.pp 
@@ -7,12 +7,16 @@ define mirror_cleaner::orphans($base) { ensure => directory } - cron { "clean orphans $name": - command => "/usr/local/bin/orphans_cleaner.pl $base/$name $orphan_dir", - hour => 5, - minute => 30, - user => root, - } +# Disable cleaning as the ruby version is smarter and this one tends to break things +# It should probably be deleted +# +# cron { "clean orphans ${name}": +# command => "/usr/local/bin/orphans_cleaner.pl ${base}/${name} ${orphan_dir}", +# hour => 5, +# minute => 30, +# weekday => 1, +# user => root, +# } tidy { $orphan_dir: type => 'ctime', diff --git a/modules/mirrorbrain/manifests/init.pp b/modules/mirrorbrain/manifests/init.pp new file mode 100644 index 00000000..f7f74ead --- /dev/null +++ b/modules/mirrorbrain/manifests/init.pp 
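Review bot: Commenting out the `cron { "clean orphans ${name}": … }` resource does not remove the job from hosts where it was already applied — Puppet only manages what is still in the catalog, so those hosts keep running `/usr/local/bin/orphans_cleaner.pl` unless unmanaged cron entries are purged. If the intent is to retire it, keep the resource for one cycle as `cron { "clean orphans ${name}": ensure => absent, user => root, }` and delete the commented block afterwards, which also matches the "should probably be deleted" note. The `define mirror_cleaner::orphans` body starts before this hunk.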
@@ -0,0 +1,154 @@ +class mirrorbrain { + + $mb_user = 'mirrorbrain' + $mb_home = "/var/lib/${mb_user}" + $mb_repo = "${mb_home}/mirror" + $mb_vhost = "dl.${::domain}" + + $mb_pgsql_pw = extlookup('mirrorbrain_pgsql','x') + + group { $mb_user: + ensure => present + } + + user { $mb_user: + ensure => present, + home => $mb_home + } + + file { $mb_home: + ensure => directory, + owner => $mb_user, + group => $mb_user, + mode => '0751' + } + + file { $mb_repo: + ensure => directory, + owner => $mb_user, + group => $mb_user, + mode => '0755' + } + + package {['mirrorbrain', + 'mirrorbrain-scanner', + 'mirrorbrain-tools', + 'apache-mod_mirrorbrain', + 'apache-mod_dbd']: } + + + postgresql::remote_db_and_user { 'mirrorbrain': + description => 'Mirrorbrain database', + password => $mb_pgsql_pw, + } + + file { '/etc/httpd/conf/geoip.conf': + owner => 'root', + group => 'root', + mode => '0644', + content => template('mirrorbrain/geoip.conf') + } + + file { '/etc/httpd/conf/modules.d/11-mirrorbrain.conf': + owner => 'root', + group => 'root', + mode => '0644', + content => template('mirrorbrain/mod_mirrorbrain.conf') + } + + file { '/etc/mirrorbrain.conf': + owner => 'root', + group => "$mb_user", + mode => '0640', + content => template('mirrorbrain/mirrorbrain.conf') + } + + apache::vhost::base { "${mb_vhost}": + vhost => "${mb_vhost}", + location => "${mb_repo}" + } + + apache::vhost::base { "ssl_${mb_vhost}": + vhost => "${mb_vhost}", + use_ssl => true, + location => "${mb_repo}" + } + + apache::webapp_other { 'mirrorbrain': + webapp_file => 'mirrorbrain/webapp.conf', + } + + # Update GeoIP db + cron { 'MirrorBrain: weekly GeoIP update': + command => 'sleep $(($RANDOM/1024)); /usr/bin/geoip-lite-update', + user => 'root', + minute => 30, + hour => 3, + weekday => 0 + } + + # distrib tree + # mga 1-4 are frozen, so only one manual run has been done + # distrib/5 still active + cron { 'MirrorBrain: Sync Mga 5 every 4 hours ': + command => "/usr/bin/null-rsync 
rsync.mageia.org::mageia/distrib/5 ${mb_repo}/distrib/", + user => "$mb_user", + minute => '15', + hour => '*/4', + } + + # distrib/cauldron + cron { 'MirrorBrain: Sync Cauldron every 1 hours ': + command => "/usr/bin/null-rsync rsync.mageia.org::mageia/distrib/cauldron ${mb_repo}/distrib/", + user => "$mb_user", + minute => '0', + hour => '*/1', + } + + # iso tree + cron { 'MirrorBrain: Sync iso tree every 1 day ': + command => "/usr/bin/null-rsync rsync.mageia.org::mageia/iso ${mb_repo}/", + user => "$mb_user", + hour => '2', + minute => '30', + } + + # people tree + cron { 'MirrorBrain: Sync people tree every 1 day ': + command => "/usr/bin/null-rsync rsync.mageia.org::mageia/people ${mb_repo}/", + user => "$mb_user", + hour => '3', + minute => '45', + } + + # software tree + cron { 'MirrorBrain: Sync software tree every 1 day ': + command => "/usr/bin/null-rsync rsync.mageia.org::mageia/software ${mb_repo}/", + user => "$mb_user", + hour => '4', + minute => '45', + } + + # Mirror online check + cron { 'MirrorBrain: mirror online status check every 5 minute': + command => '/usr/bin/mirrorprobe', + user => "$mb_user", + minute => 5 + } + + # Mirror scanning + cron { 'MirrorBrain: mirror scanning every 30 minute': + command => '/usr/bin/mb scan --quiet --jobs 4 --all', + user => "$mb_user", + minute => 30 + } + + # Mirror database cleanup + cron { 'MirrorBrain: mirror database cleanup every 1 week': + command => '/usr/bin/mb db vacuum', + user => "$mb_user", + minute => 45, + hour => 5, + weekday => 1 + } +} diff --git a/modules/mirrorbrain/templates/geoip.conf b/modules/mirrorbrain/templates/geoip.conf new file mode 100644 index 00000000..1f71a67d --- /dev/null +++ b/modules/mirrorbrain/templates/geoip.conf @@ -0,0 +1,5 @@ +<IfModule mod_geoip.c> + GeoIPEnable On + GeoIPDBFile /var/lib/GeoIP/GeoLiteCity.dat.updated + GeoIPOutput Env +</IfModule> 
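Review bot: `$mb_pgsql_pw = extlookup('mirrorbrain_pgsql','x')` falls back to the literal password `x` when the lookup key is absent, and that value is then passed to `postgresql::remote_db_and_user` and rendered into `/etc/mirrorbrain.conf`, so a missing secret silently provisions a guessable database password instead of failing the run. Drop the default so compilation aborts on a missing key: `$mb_pgsql_pw = extlookup('mirrorbrain_pgsql')`. Separately, five cron titles end in a trailing space (`'MirrorBrain: Sync Mga 5 every 4 hours '` and the four tree syncs after it); the title is the resource's identity, so this is easy to mistype in a later reference. The `"$mb_user"` quoting on the cron `user` lines and on `group => "$mb_user"` can be plain `$mb_user`.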
diff --git a/modules/mirrorbrain/templates/mirrorbrain.conf b/modules/mirrorbrain/templates/mirrorbrain.conf
new file mode 100644
index 00000000..94bef340
--- /dev/null
+++ b/modules/mirrorbrain/templates/mirrorbrain.conf
@@ -0,0 +1,14 @@
+[general]
+instances = main
+
+[main]
+dbuser = mirrorbrain
+dbpass = <%= @mb_pgsql_pw %>
+dbdriver = postgresql
+dbhost = pgsql.<%= @domain %>
+# optional: dbport = ...
+dbname = mirrorbrain
+
+[mirrorprobe]
+# logfile = /var/log/mirrorbrain/mirrorprobe.log
+# loglevel = INFO
diff --git a/modules/mirrorbrain/templates/mod_mirrorbrain.conf b/modules/mirrorbrain/templates/mod_mirrorbrain.conf
new file mode 100644
index 00000000..9b67d7fe
--- /dev/null
+++ b/modules/mirrorbrain/templates/mod_mirrorbrain.conf
@@ -0,0 +1,3 @@
+LoadModule form_module modules/mod_form.so
+LoadModule mirrorbrain_module modules/mod_mirrorbrain.so
+
diff --git a/modules/mirrorbrain/templates/webapp.conf b/modules/mirrorbrain/templates/webapp.conf
new file mode 100644
index 00000000..9606be64
--- /dev/null
+++ b/modules/mirrorbrain/templates/webapp.conf
@@ -0,0 +1,16 @@
+<Directory /var/lib/mirrorbrain/mirror>
+ MirrorBrainEngine On
+ MirrorBrainDebug Off
+ FormGET On
+ MirrorBrainHandleHEADRequestLocally Off
+ MirrorBrainFallback na us https://mirrors.kernel.org/mageia/
+ MirrorBrainFallback eu fr http://ftp.free.fr/mirrors/mageia.org/
+ MirrorBrainFallback eu se https://ftp.acc.umu.se/mirror/mageia/
+ MirrorBrainMinSize 0
+ #MirrorBrainExcludeUserAgent rpm/4.4.2*
+ #MirrorBrainExcludeUserAgent *APT-HTTP*
+ #MirrorBrainExcludeMimeType application/pgp-keys
+ DirectoryIndex disable
+ Options +FollowSymLinks +Indexes
+ Require all granted
+</Directory>
diff --git a/modules/mysql/manifests/init.pp b/modules/mysql/manifests/init.pp
index 28a5109f..1d180778 100644
--- a/modules/mysql/manifests/init.pp
+++ b/modules/mysql/manifests/init.pp
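Review bot: `MirrorBrainFallback eu fr http://ftp.free.fr/mirrors/mageia.org/` is the only fallback served over plain http while the `na us` and `eu se` entries use https, so clients sent there fetch over an unauthenticated channel and package-signature checking on the client becomes the sole integrity control. If that mirror offers https, align the scheme; otherwise a comment recording why it differs avoids a later "fix" in either direction. As far as I know fallbacks are only used when the mirror database yields no candidate, which limits the exposure — confirm against the mod_mirrorbrain documentation.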
@@ -1,23 +1,24 @@ class mysql { class server { - package { "mysql": } + package {['mariadb', + 'mariadb-obsolete']: } - service { mysqld: - alias => mysql, - subscribe => Package['mysql'], + service { 'mysqld': + alias => mysql, + subscribe => Package['mariadb'], } - + # file { "/etc/my.cnf": -# +# # } } - - define database() { - exec { "mysqladmin create $name": - user => root, - # not sure if /dev/null is needed - unless => "mysqlshow $name" - } + + define database() { + exec { "mysqladmin create ${name}": + user => root, + # not sure if /dev/null is needed + unless => "mysqlshow ${name}" + } } # define user($password) { # diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp index a647925f..f75310e7 100644 --- a/modules/ntp/manifests/init.pp +++ b/modules/ntp/manifests/init.pp @@ -1,12 +1,17 @@ class ntp { - package { 'ntp': } +if versioncmp($::lsbdistrelease, '9') < 0 { + $ntppkg = 'ntp' +} else { + $ntppkg = 'ntpsec' +} + package { $ntppkg: } service { 'ntpd': - subscribe => [Package['ntp'], File['/etc/ntp.conf']], + subscribe => [Package[$ntppkg], File['/etc/ntp.conf']], } file { '/etc/ntp.conf': - require => Package['ntp'], + require => Package[$ntppkg], content => template('ntp/ntp.conf'), } } diff --git a/modules/ntp/templates/ntp.conf b/modules/ntp/templates/ntp.conf index 3f9582d7..72f233c0 100644 --- a/modules/ntp/templates/ntp.conf +++ b/modules/ntp/templates/ntp.conf @@ -25,6 +25,12 @@ driftfile /var/lib/ntp/drift multicastclient # listen on default 224.0.1.1 broadcastdelay 0.008 +# https://www.kb.cert.org/vuls/id/348126 +restrict default nomodify notrap nopeer noquery +restrict -6 default nomodify notrap nopeer noquery +# https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300 +disable monitor + # # Keys file. If you want to diddle your server at run time, make a # keys file (mode 600 for sure) and define the key number to be 
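Review bot: `unless => "mysqlshow ${name}"` is not an exact existence check: mysqlshow treats `_` and `%` in its database argument as wildcards, so for a title such as `foo_bar` an existing `fooXbar` database satisfies the guard and `mysqladmin create foo_bar` is never run. An exact match avoids that, e.g. `unless => "mysql -N -e 'SHOW DATABASES' | grep -qx '${name}'"`. Both commands also interpolate `${name}` unquoted into a shell string, so a title containing shell metacharacters would be interpreted by the shell rather than passed through; quoting it (or restricting what titles the define accepts) closes that. The `mysql` class body continues past this hunk.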
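Review bot: The `if versioncmp($::lsbdistrelease, '9') < 0 { … }` block sits at column 0 inside `class ntp`, while the `package`, `service` and `file` resources below it are indented to the class body; indenting it the same way keeps the file consistent with the rest of the module. On releases 9 and newer the `ntpsec` branch still manages `/etc/ntp.conf` and `Service['ntpd']`; if the ntpsec package reads its configuration from a different path or installs a differently named unit, the file and service resources need to follow — worth confirming on a Mageia 9 host before relying on it.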
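Review bot: With `restrict default nomodify notrap nopeer noquery` and its `-6` twin in place, nothing in this hunk re-allows the loopback addresses, so local monitoring with `ntpq -p` is refused as well unless a `restrict 127.0.0.1` / `restrict ::1` line already exists elsewhere in the template. If it does not, add `restrict 127.0.0.1` and `restrict ::1` directly after the two default lines. `disable monitor` addresses the monlist amplification issue the linked advisory describes and stands on its own.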
diff --git a/modules/opendkim/Gemfile b/modules/opendkim/Gemfile
new file mode 100644
index 00000000..68ba397d
--- /dev/null
+++ b/modules/opendkim/Gemfile
@@ -0,0 +1,19 @@
+source 'https://rubygems.org'
+
+puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 3.3']
+gem 'puppet', puppetversion
+gem 'puppetlabs_spec_helper', '>= 0.1.0'
+gem 'facter', '>= 1.7.0'
+
+gem 'puppet-lint', '>= 0.3.2'
+gem 'rspec-puppet'
+gem "metadata-json-lint"
+gem 'beaker-rspec'
+gem "travis"
+gem "travis-lint"
+gem "puppet-blacksmith"
+gem "guard-rake"
+
+gem 'test-kitchen', '>= 1.4.0'
+gem 'kitchen-docker', '>= 2.1.0'
+gem 'kitchen-puppet', '>= 0.0.27'
diff --git a/modules/opendkim/LICENSE b/modules/opendkim/LICENSE
new file mode 100644
index 00000000..8f71f43f
--- /dev/null
+++ b/modules/opendkim/LICENSE
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/modules/opendkim/Modulefile b/modules/opendkim/Modulefile new file mode 100644 index 00000000..7790c510 --- /dev/null +++ b/modules/opendkim/Modulefile @@ -0,0 +1,8 @@ + name "bi4o4ek-opendkim" + version "0.0.7" + author "Vladimir Bykanov" + summary "Configures OpenDKIM" + license "Apache-2.0" + source "https://github.com/bi4o4ek/puppet-opendkim" + project_page "https://github.com/bi4o4ek/puppet-opendkim" + diff --git a/modules/opendkim/Puppetfile b/modules/opendkim/Puppetfile new file mode 100644 index 00000000..177adf16 --- /dev/null +++ b/modules/opendkim/Puppetfile @@ -0,0 +1,7 @@ +#!/usr/bin/env ruby +#^syntax detection + +forge "https://forgeapi.puppetlabs.com" + +# use dependencies defined in metadata.json +metadata 
diff --git a/modules/opendkim/README.md b/modules/opendkim/README.md new file mode 100644 index 00000000..13c40bde --- /dev/null +++ b/modules/opendkim/README.md 
@@ -0,0 +1,98 @@ +[](https://travis-ci.org/bi4o4ek/puppet-opendkim) + +# opendkim + +#### Table of Contents + +1. [Overview](#overview) +2. [Module Description](#module-description) +3. [Setup - The basics of getting started with opendkim](#setup) + * [Beginning with opendkim](#beginning-with-opendkim) + * [Add domains for signing](#add-domains-for-signing) + * [Add allowed hosts](#add-allowed-hosts) +4. [Usage - Configuration options and additional functionality](#usage) +5. [Reference - An under-the-hood peek at what the module is doing and how](#reference) +5. [Limitations - OS compatibility, etc.](#limitations) +6. [Development - Guide for contributing to the module](#development) + +## Overview + +The opendkim module allows you to set up mail signing and manage DKIM services with minimal effort. + +## Module Description + +OpenDKIM is a widely-used DKIM service, and this module provides a simplified way of creating configurations to manage your infrastructure. +This includes the ability to configure and manage a range of different domain, as well as a streamlined way to install and configure OpenDKIM service. + +## Setup + +### What opendkim affects + +* configuration files and directories (created and written to) +* package/service/configuration files for OpenDKIM +* signing domains list +* trusted hosts list + +### Beginning with opendkim + +To install OpenDKIM with the default parameters + + include opendkim + +### Add domains for signing + + opendkim::domain{['example.com', 'example.org']:} + + +### Add allowed hosts + + opendkim::trusted{['10.0.0.0/8', '203.0.113.0/24']:} + +## Usage + +For example. +There is internal ip 10.3.3.80 and external ip 203.0.113.100 on our mail-relay host with OpenDKIM. +This host signs all mails for domains example.com and example.org. 
+ + # Postfix-relay + class{ 'postfix::server': + inet_interfaces => '10.3.3.80, localhost', + mynetworks => '10.0.0.0/8, 203.0.113.0/24', + smtpd_recipient_restrictions => 'permit_mynetworks, reject_unauth_destination', + smtpd_client_restrictions => 'permit_mynetworks, reject', + mydestination => '$myhostname', + myhostname => 'relay-site.example.com', + smtpd_banner => 'Hello', + extra_main_parameters => { + smtp_bind_address => '203.0.113.100', + smtpd_milters => 'inet:127.0.0.1:8891', + non_smtpd_milters => '$smtpd_milters', + milter_default_action => 'accept', + milter_protocol => '2', + }, + } + + # OpenDKIM + include opendkim + opendkim::domain{['example.com', 'example.org']:} + opendkim::trusted{['10.0.0.0/8', '203.0.113.0/24']:} + +After puppet-run you need to copy contents of /etc/opendkim/keys/example.com/relay-site.txt and paste into corresponding DNS-zone as TXT. +Then repeat this action for example.org + +Puppet module for postfix in this example is [thias/postfix](https://forge.puppetlabs.com/thias/postfix) v0.3.3 +## Reference + +Puppetlabs are working on automating this section. + +## Limitations + +This module is tested on: +* CentOS 6 +* Ubuntu 12.04 +* Ubuntu 14.04 + +## Development + +Fork me on github and make pull request. + diff --git a/modules/opendkim/Rakefile b/modules/opendkim/Rakefile new file mode 100644 index 00000000..312b2952 --- /dev/null +++ b/modules/opendkim/Rakefile 
@@ -0,0 +1,12 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+
+PuppetLint.configuration.fail_on_warnings = true
+PuppetLint.configuration.send('relative')
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.send('disable_class_inherits_from_params_class')
+PuppetLint.configuration.send('disable_documentation')
+PuppetLint.configuration.send('disable_single_quote_string_with_variables')
+PuppetLint.configuration.send('disable_only_variable_string')
+PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]
diff --git a/modules/opendkim/manifests/domain.pp b/modules/opendkim/manifests/domain.pp
new file mode 100644
index 00000000..c708ad08
--- /dev/null
+++ b/modules/opendkim/manifests/domain.pp
@@ -0,0 +1,46 @@
+define opendkim::domain (
+ $domain = $name,
+ $selector = $hostname,
+ $pathkeys = '/etc/opendkim/keys',
+ $keytable = 'KeyTable',
+ $signing_table = 'SigningTable',
+) {
+ # $pathConf and $pathKeys must be without trailing '/'.
+ # For example, '/etc/opendkim/keys'
+
+ Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+ # Create directory for domain
+ file { "${pathkeys}/${domain}":
+ ensure => directory,
+ owner => $opendkim::owner,
+ group => $opendkim::group,
+ mode => '0755',
+ notify => Service[$opendkim::service_name],
+ require => Package[$opendkim::package_name],
+ }
+
+ # Generate dkim-keys
+ exec { "opendkim-genkey -D ${pathkeys}/${domain}/ -d ${domain} -s ${selector}":
+ unless => "/usr/bin/test -f ${pathkeys}/${domain}/${selector}.private && /usr/bin/test -f ${pathkeys}/${domain}/${selector}.txt",
+ user => $opendkim::owner,
+ notify => Service[$opendkim::service_name],
+ require => [ Package[$opendkim::package_name], File["${pathkeys}/${domain}"], ],
+ }
+
+ # Add line into KeyTable
+ file_line { "${opendkim::pathconf}/${keytable}_${domain}":
+ path => "${opendkim::pathconf}/${keytable}",
+ line => "${selector}._domainkey.${domain} ${domain}:${selector}:${pathkeys}/${domain}/${selector}.private",
+ notify => Service[$opendkim::service_name],
+ require => Package[$opendkim::package_name],
+ }
+
+ # Add line into SigningTable
+ file_line { "${opendkim::pathconf}/${signing_table}_${domain}":
+ path => "${opendkim::pathconf}/${signing_table}",
+ line => "*@${domain} ${selector}._domainkey.${domain}",
+ notify => Service[$opendkim::service_name],
+ require => Package[$opendkim::package_name],
+ }
+}
diff --git a/modules/opendkim/manifests/init.pp b/modules/opendkim/manifests/init.pp
new file mode 100644
index 00000000..6e45345a
--- /dev/null
+++ b/modules/opendkim/manifests/init.pp
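Review bot: The `opendkim-genkey -D … -d ${domain} -s ${selector}` exec passes no `-b`, so the key size is whatever the installed opendkim-tools defaults to — 1024 bits in the versions I have used (confirm for the target packages), which is below the 2048-bit size RFC 8301 recommends for signers; since the `unless` guard skips regeneration once the files exist, a weak key created now persists. Pass it explicitly: `exec { "opendkim-genkey -b 2048 -D ${pathkeys}/${domain}/ -d ${domain} -s ${selector}":`. Two smaller points: `$selector = $hostname` relies on an unqualified top-scope fact and should be `$::hostname` (init.pp already writes `$::operatingsystem`), and the header comment names `$pathConf`/`$pathKeys`, which do not exist here — the parameters are `$pathkeys` and `$opendkim::pathconf`.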
@@ -0,0 +1,105 @@ +# == Class: opendkim +# +# === Examples +# +# class { 'opendkim':} +# +# === Authors +# +# Vladimir Bykanov <vladimir@bykanov.ru> +# +# === Copyright +# +# Copyright 2015 Vladimir Bykanov +# +class opendkim ( + $autorestart = 'Yes', + $autorestart_rate = '10/1h', + $log_why = 'Yes', + $syslog = 'Yes', + $syslog_success = 'Yes', + $mode = 's', + $canonicalization = 'relaxed/simple', + $external_ignore_list = 'refile:/etc/opendkim/TrustedHosts', + $internal_hosts = 'refile:/etc/opendkim/TrustedHosts', + $keytable = 'refile:/etc/opendkim/KeyTable', + $signing_table = 'refile:/etc/opendkim/SigningTable', + $signature_algorithm = 'rsa-sha256', + $socket = 'inet:8891@localhost', + $pidfile = '/var/run/opendkim/opendkim.pid', + $umask = '022', + $userid = 'opendkim:opendkim', + $temporary_directory = '/var/tmp', + $package_name = 'opendkim', + $service_name = 'opendkim', + $pathconf = '/etc/opendkim', + $owner = 'opendkim', + $group = 'opendkim', +) { + + package { $package_name: + ensure => present, + } + + case $::operatingsystem { + /^(Debian|Ubuntu)$/: { + package { 'opendkim-tools': + ensure => present, + } + # Debian/Ubuntu doesn't ship this directory in its package + file { $pathconf: + ensure => directory, + owner => 'root', + group => 'opendkim', + mode => '0755', + require => Package[$package_name], + } + file { "${pathconf}/keys": + ensure => directory, + owner => 'opendkim', + group => 'opendkim', + mode => '0750', + require => Package[$package_name], + } + file { "${pathconf}/KeyTable": + ensure => present, + owner => 'opendkim', + group => 'opendkim', + mode => '0640', + require => Package[$package_name], + } + file { "${pathconf}/SigningTable": + ensure => present, + owner => 'opendkim', + group => 'opendkim', + mode => '0640', + require => Package[$package_name], + } + file { "${pathconf}/TrustedHosts": + ensure => present, + owner => 'opendkim', + group => 'opendkim', + mode => '0644', + require => Package[$package_name], + } + } + 
default: {} + } + + file {'/etc/opendkim.conf': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => template('opendkim/opendkim.conf'), + notify => Service[$service_name], + require => Package[$package_name], + } + + service { $service_name: + ensure => running, + enable => true, + require => Package[$package_name], + } +} + diff --git a/modules/opendkim/manifests/trusted.pp b/modules/opendkim/manifests/trusted.pp new file mode 100644 index 00000000..dcf0f8b8 --- /dev/null +++ b/modules/opendkim/manifests/trusted.pp @@ -0,0 +1,13 @@ +define opendkim::trusted ( + $host = $name, + $trusted_hosts = 'TrustedHosts', + +) { + # Add line into KeyTable + file_line { "${opendkim::pathconf}/${trusted_hosts}_${host}": + path => "${opendkim::pathconf}/${trusted_hosts}", + line => $host, + notify => Service[$opendkim::service_name], + require => Package[$opendkim::package_name], + } +} diff --git a/modules/opendkim/metadata.json b/modules/opendkim/metadata.json new file mode 100644 index 00000000..81b2f70d --- /dev/null +++ b/modules/opendkim/metadata.json 
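Review bot: The `KeyTable`, `SigningTable` and `TrustedHosts` files and the `keys` directory are only ensured inside the `/^(Debian|Ubuntu)$/` case; on the `default: {}` branch — which is what metadata.json's newly listed Mageia (and RedHat/CentOS) hosts hit — `opendkim::domain` and `opendkim::trusted` run `file_line` against `${opendkim::pathconf}/KeyTable` and friends, and in the stdlib versions I know `file_line` errors when its target file does not exist. So the module only works there if the package already ships those files, which is worth checking; moving the four `file` resources out of the `case` (or adding a Mageia branch) makes it self-contained. The `case` also leaves the `opendkim-tools` package, which provides `opendkim-genkey`, Debian-only, so domain.pp's exec depends on the base package bundling that tool elsewhere.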
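Review bot: The comment `# Add line into KeyTable` is copied from domain.pp; this `file_line` appends `$host` to `${opendkim::pathconf}/${trusted_hosts}`, so it should read `# Add line into TrustedHosts`. The parameter list also carries a stray blank line between `$trusted_hosts = 'TrustedHosts',` and the closing `)`, which can be dropped.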
@@ -0,0 +1,60 @@ +{ + "name": "bi4o4ek-opendkim", + "version": "0.0.7", + "author": "Vladimir Bykanov", + "summary": "Configures OpenDKIM", + "license": "Apache-2.0", + "source": "https://github.com/bi4o4ek/puppet-opendkim", + "project_page": "https://github.com/bi4o4ek/puppet-opendkim", + "issues_url": "https://github.com/bi4o4ek/puppet-opendkim/issues", + "operatingsystem_support": [ + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "5", + "6", + "7" + ] + }, + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "5", + "6", + "7" + ] + }, + { + "operatingsystem": "Mageia", + "operatingsystemrelease": [ + "7", + "8", + "9" + ] + } + ], + "dependencies": [ + { + } + ], + "description": "UNKNOWN", + "types": [ + + ], + "checksums": { + "Gemfile": "19456e851851a3bd7aa6729108429dde", + "LICENSE": "fa818a259cbed7ce8bc2a22d35a464fc", + "Modulefile": "9a3b46c73c1ae7309fe2d35c5e6fa549", + "Puppetfile": "607001b25e4f9d020b2ce4444174a654", + "README.md": "0764cc9bb9de221c97bce2664ba99657", + "Rakefile": "a162d9397ed53fa8fa49c57609feedcb", + "manifests/domain.pp": "61f78cbd4376e58a7b26f1298f38804b", + "manifests/init.pp": "4987dcd9ebc88e7ea0de3b74c9af6d9c", + "manifests/trusted.pp": "bcc132622e2c2e39bcbc3116c7788c8b", + "spec/classes/init_spec.rb": "0451831b29191c21b2cdc045c94a2243", + "spec/classes/opendkim_spec.rb": "9f06a3f005344875a0fb5753ab43cb34", + "spec/spec_helper.rb": "0db89c9a486df193c0e40095422e19dc", + "templates/opendkim.conf": "047e76e4c2a0a15754101f2da32ab2fe", + "tests/init.pp": "8c9ab8c85cd89dae1ad97cbe949a7e6e" + } +} diff --git a/modules/opendkim/spec/classes/init_spec.rb b/modules/opendkim/spec/classes/init_spec.rb new file mode 100644 index 00000000..5ce0a75d --- /dev/null +++ b/modules/opendkim/spec/classes/init_spec.rb @@ -0,0 +1,7 @@ +require 'spec_helper' +describe 'opendkim' do + + context 'with defaults for all parameters' do + it { should contain_class('opendkim') } + end +end 
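Review bot: `"dependencies": [ { } ]` declares a single empty object and no module, yet manifests/domain.pp and manifests/trusted.pp use `file_line`, which comes from puppetlabs-stdlib; declare it (for example `{ "name": "puppetlabs-stdlib", "version_requirement": ">= 4.0.0" }` — version constructed, pick the one the tree actually pins) so the metadata stops misleading anyone installing the module. The `checksums` map lists README.md and the manifests and will stop matching as soon as any of them is edited locally — the `Mageia` entry in `operatingsystem_support` suggests that has already happened — so either regenerate it or drop the map. `"description": "UNKNOWN"` could simply repeat the summary text.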
diff --git a/modules/opendkim/spec/classes/opendkim_spec.rb b/modules/opendkim/spec/classes/opendkim_spec.rb
new file mode 100644
index 00000000..1901c1c0
--- /dev/null
+++ b/modules/opendkim/spec/classes/opendkim_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe 'opendkim', :type => :class do
+
+ describe "Opendkim class with no parameters, basic test" do
+ let(:params) { { } }
+
+ it {
+ should contain_package('opendkim')
+ should contain_service('opendkim')
+ }
+ end
+end
diff --git a/modules/opendkim/spec/spec_helper.rb b/modules/opendkim/spec/spec_helper.rb
new file mode 100644
index 00000000..2c6f5664
--- /dev/null
+++ b/modules/opendkim/spec/spec_helper.rb
@@ -0,0 +1 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
diff --git a/modules/opendkim/templates/opendkim.conf b/modules/opendkim/templates/opendkim.conf
new file mode 100644
index 00000000..5dc61aa6
--- /dev/null
+++ b/modules/opendkim/templates/opendkim.conf
@@ -0,0 +1,52 @@ +<%- if @autorestart -%> +AutoRestart <%= @autorestart %> +<%- end -%> +<%- if @autorestart_rate -%> +AutoRestartRate <%= @autorestart_rate %> +<%- end -%> +<%- if @log_why -%> +LogWhy <%= @log_why %> +<%- end -%> +<%- if @syslog -%> +Syslog <%= @syslog %> +<%- end -%> +<%- if @syslog_success -%> +SyslogSuccess <%= @syslog_success %> +<%- end -%> +<%- if @mode -%> +Mode <%= @mode %> +<%- end -%> +<%- if @canonicalization -%> +Canonicalization <%= @canonicalization %> +<%- end -%> +<%- if @external_ignore_list -%> +ExternalIgnoreList <%= @external_ignore_list %> +<%- end -%> +<%- if @internal_hosts -%> +InternalHosts <%= @internal_hosts %> +<%- end -%> +<%- if @keytable -%> +KeyTable <%= @keytable %> +<%- end -%> +<%- if @signing_table -%> +SigningTable <%= @signing_table %> +<%- end -%> +<%- if @signature_algorithm -%> +SignatureAlgorithm <%= @signature_algorithm %> +<%- end -%> +<%- if @socket -%> +Socket <%= @socket %> +<%- end -%> +<%- if @pidfile -%> +PidFile <%= @pidfile %> +<%- end -%> +<%- if @umask -%> +UMask <%= @umask %> +<%- end -%> +<%- if @userid -%> +UserID <%= @userid %> +<%- end -%> +<%- if @temporary_directory -%> +TemporaryDirectory <%= @temporary_directory %> +<%- end -%> + diff --git a/modules/opendkim/tests/init.pp b/modules/opendkim/tests/init.pp new file mode 100644 index 00000000..ff3d3b06 --- /dev/null +++ b/modules/opendkim/tests/init.pp @@ -0,0 +1,15 @@ +# The baseline for module testing used by Puppet Labs is that each manifest +# should have a corresponding test manifest that declares that class or defined +# type. +# +# Tests are then run by using puppet apply --noop (to check for compilation +# errors and view a log of events) or by fully applying the test in a virtual +# environment (to compare the resulting system state to the desired state). +# +# Learn more about module testing here: +# http://docs.puppetlabs.com/guides/tests_smoke.html +# +Class['epel'] -> Class['opendkim'] + +include epel +include opendkim 
diff --git a/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb b/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb
index 204da558..0d620926 100644
--- a/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb
+++ b/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb
@@ -1,11 +1,11 @@
 # return a list of all ldap servers declared
 module Puppet::Parser::Functions
- newfunction(:get_ldap_servers, :type => :rvalue) do |args|
+ newfunction(:get_ldap_servers, :type => :rvalue) do |args|
 Puppet::Parser::Functions.autoloader.loadall
 res = ["master"]
-
- function_list_exported_ressources(['Openldap::Exported_slave']).each { |i|
- res << "slave-#{i}"
+
+ function_list_exported_ressources(['Openldap::Exported_slave']).each { |i|
+ res << "slave-#{i}"
 }
 res.map! { |x| "ldap-#{x}." + lookupvar("domain") }
 return res
diff --git a/modules/openldap/manifests/config.pp b/modules/openldap/manifests/config.pp
index 6f364ffc..336f8a23 100644
--- a/modules/openldap/manifests/config.pp
+++ b/modules/openldap/manifests/config.pp
@@ -2,6 +2,6 @@ define openldap::config($content) {
 file { $name:
 require => Package['openldap-servers'],
 content => $content,
- notify => Exec['/etc/init.d/ldap check'],
+ notify => Exec["slaptest"],
 }
 }
diff --git a/modules/openldap/manifests/init.pp b/modules/openldap/manifests/init.pp
index 35455d1a..34a214a2 100644
--- a/modules/openldap/manifests/init.pp
+++ b/modules/openldap/manifests/init.pp
@@ -1,21 +1,23 @@
 class openldap {
+ include openldap::var
+
 package { 'openldap-servers': }
- service { 'ldap':
+ service { $openldap::var::service:
 subscribe => Package['openldap-servers'],
- require => Openssl::Self_signed_cert["ldap.$::domain"],
+ require => Openssl::Self_signed_cert["ldap.${::domain}"],
 }
- exec { '/etc/init.d/ldap check':
+ exec { "slaptest":
 refreshonly => true,
- notify => Service['ldap'],
+ notify => Service[$openldap::var::service],
 }
 file { '/etc/ssl/openldap/':
 ensure => directory,
 }
- openssl::self_signed_cert{ "ldap.$::domain":
+ openssl::self_signed_cert{ "ldap.${::domain}":
 directory => '/etc/ssl/openldap/',
 }
@@ -26,5 +28,7 @@ class openldap {
 content => '';
 '/etc/sysconfig/ldap':
 content => '';
+ '/etc/sysconfig/slapd':
+ content => '';
 }
 }
diff --git a/modules/openldap/manifests/master.pp b/modules/openldap/manifests/master.pp
index 730feb19..53122628 100644
--- a/modules/openldap/manifests/master.pp
+++ b/modules/openldap/manifests/master.pp
@@ -1,4 +1,6 @@
 class openldap::master inherits openldap {
+ include openldap::var
+
 Openldap::Config['/etc/openldap/mandriva-dit-access.conf'] {
 content => template('openldap/mandriva-dit-access.conf'),
 }
@@ -10,7 +12,7 @@ class openldap::master inherits openldap {
 group => 'ldap',
 owner => 'ldap',
 require => Package['openldap-servers'],
- before => Service['ldap'],
+ before => Service[$openldap::var::service],
 }
 Openldap::Config['/etc/openldap/slapd.conf'] {
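Review bot: `exec { "slaptest": refreshonly => true, ... }` names the command by its bare name, and Puppet refuses an unqualified command at apply time unless the resource or an `Exec` resource default supplies `path`; the replaced `/etc/init.d/ldap check` was fully qualified, so this may be a regression (the `openssl req` exec elsewhere in this commit is also unqualified, which suggests a site-wide default may exist — worth confirming). Add `path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],` or use `command => '/usr/sbin/slaptest'` so the check actually runs between openldap::config writing slapd.conf and the service restart. A `logoutput => on_failure,` on the same exec would surface slaptest's diagnostics when it rejects a config; the same `Exec["slaptest"]` is what openldap::config notifies in the previous file.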
@@ -21,12 +23,20 @@ class openldap::master inherits openldap {
 content => template('openldap/ldap.sysconfig'),
 }
+ Openldap::Config['/etc/sysconfig/slapd'] {
+ content => template('openldap/slapd.sysconfig'),
+ }
+
+ host { "ldap.${::domain}":
+ ip => '127.0.0.1',
+ }
+
 if $::environment == 'test' {
 # if we are in a test vm, we need to fill the directory
 # with data
 package { 'openldap-clients': }
- mga-common::local_script { 'init_ldap.sh':
+ mga_common::local_script { 'init_ldap.sh':
 content => template('openldap/init_ldap.sh'),
 require => Package['openldap-clients'],
 }
@@ -34,7 +44,7 @@ class openldap::master inherits openldap {
 exec { 'init_ldap.sh':
 # taken arbitrary among all possible files
 creates => '/var/lib/ldap/objectClass.bdb',
- require => Local_script['init_ldap.sh'],
+ require => Mga_common::Local_script['init_ldap.sh'],
 }
 }
 }
diff --git a/modules/openldap/manifests/slave.pp b/modules/openldap/manifests/slave.pp
index a3559ef8..ba0cfb9d 100644
--- a/modules/openldap/manifests/slave.pp
+++ b/modules/openldap/manifests/slave.pp
@@ -2,7 +2,7 @@ class openldap::slave($rid) inherits openldap {
 @@openldap::exported_slave { $rid: }
- $sync_password = extlookup("ldap_syncuser-$::hostname",'x')
+ $sync_password = extlookup("ldap_syncuser-${::hostname}",'x')
 # same access rights as master
 Openldap::Config['/etc/openldap/mandriva-dit-access.conf'] {
@@ -16,4 +16,8 @@ class openldap::slave($rid) inherits openldap {
 Openldap::Config['/etc/sysconfig/ldap'] {
 content => template('openldap/ldap.sysconfig'),
 }
+
+ Openldap::Config['/etc/sysconfig/slapd'] {
+ content => template('openldap/slapd-slave.sysconfig'),
+ }
 }
diff --git a/modules/openldap/manifests/slave_instance.pp b/modules/openldap/manifests/slave_instance.pp
index a12771a3..fbf998c6 100644
--- a/modules/openldap/manifests/slave_instance.pp
+++ b/modules/openldap/manifests/slave_instance.pp
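Review bot: `extlookup("ldap_syncuser-${::hostname}",'x')` in openldap::slave falls back to the literal bind password `'x'` when the lookup key is absent, so a missing or misspelled entry in the extlookup data yields a slave that compiles cleanly and then fails every replication bind instead of a catalog error. Dropping the default, `$sync_password = extlookup("ldap_syncuser-${::hostname}")`, makes the missing credential fail at compile time where it is visible. The value is rendered into slapd.syncrepl.conf by the Openldap::Config resources below, so that file should be mode 0600 and owned by the slapd user; the class body continues outside this hunk.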
@@ -1,10 +1,8 @@ # TODO create the user for sync in ldap -# this define is mainly syntaxic sugar +# this define is mainly syntactic sugar define openldap::slave_instance($rid) { include openldap class { 'openldap::slave': rid => $rid, } } - - diff --git a/modules/openldap/manifests/var.pp b/modules/openldap/manifests/var.pp new file mode 100644 index 00000000..d6947eb8 --- /dev/null +++ b/modules/openldap/manifests/var.pp @@ -0,0 +1,3 @@ +class openldap::var { + $service = 'slapd' +} diff --git a/modules/openldap/templates/init_ldap.sh b/modules/openldap/templates/init_ldap.sh index a596cfe7..dfcaf236 100644 --- a/modules/openldap/templates/init_ldap.sh +++ b/modules/openldap/templates/init_ldap.sh @@ -28,7 +28,7 @@ end -%> <% # FIXME automatically get the list of servers -for g in ['valstar','alamut'] %> +for g in ['duvel','alamut'] %> dn: cn=<%= g%>.<%= domain %>,ou=Hosts,<%= dc_suffix %> objectClass: device objectClass: simpleSecurityObject diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf index 68a2c7f8..361d956b 100644 --- a/modules/openldap/templates/mandriva-dit-access.conf +++ b/modules/openldap/templates/mandriva-dit-access.conf @@ -66,7 +66,7 @@ access to dn.subtree="<%= dc_suffix %>" by self write by * none # password history attribute -# pwdHistory is read-only, but ACL is simplier with it here +# pwdHistory is read-only, but ACL is simpler with it here access to dn.subtree="<%= dc_suffix %>" attrs=sambaPasswordHistory,pwdHistory by self read 
@@ -113,7 +113,7 @@ access to dn.subtree="ou=People,<%= dc_suffix %>" # let the user change some of his/her attributes access to dn.subtree="ou=People,<%= dc_suffix %>" - attrs=cn,sn,givenName,carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey + attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey by self write by users read @@ -193,4 +193,3 @@ access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" # last one access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn by users read - diff --git a/modules/openldap/templates/slapd-slave.sysconfig b/modules/openldap/templates/slapd-slave.sysconfig new file mode 100644 index 00000000..9bff24ff --- /dev/null +++ b/modules/openldap/templates/slapd-slave.sysconfig 
@@ -0,0 +1,38 @@
+# debug level for slapd
+SLAPDSYSLOGLEVEL="0"
+SLAPDSYSLOGLOCALUSER="local4"
+
+# SLAPD URL list
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
+
+# Config file to use for slapd
+#SLAPDCONF=/etc/openldap/slapd.conf
+
+# Which user to run as
+#LDAPUSER=ldap
+#LDAPGROUP=ldap
+
+# Should file permissions on database files be fixed at startup. Default is yes
+# FIXPERMS=no
+
+# Whether database recovery should be run before starting slapd in start
+# (not strictly be necessary in 2.3). Default is no
+# AUTORECOVER=yes
+
+# At what intervals to run ldap-hot-db-backup from cron, which will
+# do hot database backups for all bdb/hdb databases, and archive
+# unnecessary transaction logs, one of hourly,daily,weekly,monthly,yearly
+# Default is daily
+# Slave does not need a backup
+RUN_DB_BACKUP=never
+
+# How many days to keep archived transaction logs for. This should be just
+# greater than the backup interval on these files. Default is 7
+# KEEP_ARCHIVES_DAYS=7
+
+# How many files slapd should be able to have open. By default, the process
+# will inherit the default per-process limit (usually 1024), which may
+# not be enough, so ulimit -n is run with the value in MAXFILES (which
+# defaults to 1024 as well). 4096 is the maximum OpenLDAP will use without
+# recompiling.
+# MAXFILES=4096
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
index 9451d6cd..d82fe088 100644
--- a/modules/openldap/templates/slapd.conf
+++ b/modules/openldap/templates/slapd.conf
@@ -30,6 +30,11 @@ pidfile /var/run/ldap/slapd.pid
 argsfile /var/run/ldap/slapd.args
 modulepath <%= lib_dir %>/openldap
+<% if @hostname == 'duvel' then %>
+moduleload back_bdb.la
+<% else %>
+moduleload back_mdb.la
+<% end %>
 moduleload back_monitor.la
 moduleload syncprov.la
 moduleload ppolicy.la
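Review bot: `<% if @hostname == 'duvel' then %>` picks the database backend by literal hostname inside the slapd.conf template, and the same test is repeated in the two later slapd.conf hunks and in the sshd_config Match block further down; a parameter on openldap::master (name to be chosen, e.g. a backend selector defaulting to mdb) would keep the host-specific decision in one place and let the mdb branch be exercised on any host. Whichever form stays, the branch deserves a comment such as `# duvel still runs the legacy bdb backend; every other host uses mdb` so the next reader knows why one host differs.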
@@ -59,17 +64,25 @@ access to dn.subtree="cn=Monitor"
 by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read by * none
+<% if @hostname == 'duvel' then %>
 database bdb
+<% else %>
+database mdb
+# mdb defaults to 10MB max DB, so we need to hardcode some better value :(
+maxsize 500000000
+<% end %>
 suffix "<%= dc_suffix %>"
 directory /var/lib/ldap
 rootdn "cn=manager,<%= dc_suffix %>"
 checkpoint 256 5
+<% if @hostname == 'duvel' then %>
 # 32Mbytes, can hold about 10k posixAccount entries
 dbconfig set_cachesize 0 33554432 1
 dbconfig set_lg_bsize 2097152
 cachesize 1000
 idlcachesize 3000
+<% end %>
 index objectClass eq
 index uidNumber,gidNumber,memberuid,member,owner eq
@@ -104,7 +117,7 @@ dynlist-attrset groupOfURLs memberURL member
 overlay constraint
-constraint_attribute sshPublicKey regex "^ssh-(rsa|dss) [[:graph:]]+ [[:graph:]]+$"
+constraint_attribute sshPublicKey regex "^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[:graph:]]+$"
 # uncomment if you want to automatically update group
 # memberships when an user is removed from the tree
diff --git a/modules/openldap/templates/slapd.syncrepl.conf b/modules/openldap/templates/slapd.syncrepl.conf
index d9aa4cfe..2bfe7d50 100644
--- a/modules/openldap/templates/slapd.syncrepl.conf
+++ b/modules/openldap/templates/slapd.syncrepl.conf
@@ -6,6 +6,6 @@ syncrepl rid=<%= rid %>
 bindmethod=simple
 binddn="cn=syncuser-<%= hostname%>,ou=System Accounts,<%= dc_suffix %>"
 credentials=<%= sync_password %>
-
-updateref ldaps://ldap-master.<%= domain %>:636
+ tls_reqcert=never
+updateref ldaps://ldap-master.<%= domain %>:636
diff --git a/modules/openldap/templates/slapd.sysconfig b/modules/openldap/templates/slapd.sysconfig
new file mode 100644
index 00000000..e6ae2e05
--- /dev/null
+++ b/modules/openldap/templates/slapd.sysconfig
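Review bot: The sshPublicKey constraint now admits ed25519 but keeps `ssh-dss`, which OpenSSH has refused by default since 7.0, so a DSA key that passes the directory check is unusable at login; `ecdsa-sha2-*` and `sk-` keys are rejected outright. If DSA is no longer meant to be accepted, `"^ssh-(rsa|ed25519) [[:graph:]]+ [[:graph:]]+$"` is the smaller and more honest pattern, and a comment on the line noting that the pattern also requires a trailing comment field after the key material would save the next person a debugging round.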
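Review bot: `tls_reqcert=never` on the syncrepl stanza turns off certificate verification for the replication connection to ldap-master, so the `credentials=<%= sync_password %>` bind and the whole directory sync are exposed to anything on the network able to answer for that name. The master's certificate is produced by openssl::self_signed_cert in openldap/init.pp, so the slave can be given that cert (or a CA that signs it) and use `tls_reqcert=demand` together with `tls_cacert=<path to the distributed master cert>`. If `never` must stay for now, mark it in the template with `# FIXME: master cert is self-signed and not distributed; verification disabled` so it is not mistaken for a deliberate policy.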
@@ -0,0 +1,37 @@
+# debug level for slapd
+SLAPDSYSLOGLEVEL="0"
+SLAPDSYSLOGLOCALUSER="local4"
+
+# SLAPD URL list
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
+
+# Config file to use for slapd
+#SLAPDCONF=/etc/openldap/slapd.conf
+
+# Which user to run as
+#LDAPUSER=ldap
+#LDAPGROUP=ldap
+
+# Should file permissions on database files be fixed at startup. Default is yes
+# FIXPERMS=no
+
+# Whether database recovery should be run before starting slapd in start
+# (not strictly be necessary in 2.3). Default is no
+# AUTORECOVER=yes
+
+# At what intervals to run ldap-hot-db-backup from cron, which will
+# do hot database backups for all bdb/hdb databases, and archive
+# unnecessary transaction logs, one of hourly,daily,weekly,monthly,yearly
+# Default is daily
+# RUN_DB_BACKUP=daily
+
+# How many days to keep archived transaction logs for. This should be just
+# greater than the backup interval on these files. Default is 7
+# KEEP_ARCHIVES_DAYS=7
+
+# How many files slapd should be able to have open. By default, the process
+# will inherit the default per-process limit (usually 1024), which may
+# not be enough, so ulimit -n is run with the value in MAXFILES (which
+# defaults to 1024 as well). 4096 is the maximum OpenLDAP will use without
+# recompiling.
+# MAXFILES=4096
diff --git a/modules/openldap/templates/slapd.test.conf b/modules/openldap/templates/slapd.test.conf
index 355efb8e..8befa55a 100644
--- a/modules/openldap/templates/slapd.test.conf
+++ b/modules/openldap/templates/slapd.test.conf
@@ -7,4 +7,3 @@ authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
 "cn=manager,dc=test_ldap"
 # force ssl
 security ssf=56
-
diff --git a/modules/openssh/manifests/pubkeys_directory.pp b/modules/openssh/manifests/pubkeys_directory.pp
deleted file mode 100644
index cbcaeb88..00000000
--- a/modules/openssh/manifests/pubkeys_directory.pp
+++ /dev/null
@@ -1,17 +0,0 @@
-class openssh::pubkeys_directory {
- $pubkeys_directory = '/var/lib/pubkeys'
- file { $pubkeys_directory:
- ensure => directory,
- }
-
- file { "$pubkeys_directory/root":
- ensure => directory,
- mode => '0700',
- }
-
- file { "$pubkeys_directory/root/authorized_keys":
- ensure => link,
- target => '/root/.ssh/authorized_keys',
- mode => '0700',
- }
-}
diff --git a/modules/openssh/manifests/server.pp b/modules/openssh/manifests/server.pp
index ce60646b..c45268d2 100644
--- a/modules/openssh/manifests/server.pp
+++ b/modules/openssh/manifests/server.pp
@@ -1,6 +1,7 @@
 class openssh::server {
 # some trick to manage sftp server, who is arch dependent on mdv
- $path_to_sftp = "$::lib_dir/ssh/"
+ # TODO: the path changed on Mageia 6 to /usr/libexec/openssh/sftp-server
+ $path_to_sftp = "${::lib_dir}/ssh/"
 package { 'openssh-server': }
diff --git a/modules/openssh/manifests/ssh_keys_from_ldap.pp b/modules/openssh/manifests/ssh_keys_from_ldap.pp
index d35f4d2a..9ea6c139 100644
--- a/modules/openssh/manifests/ssh_keys_from_ldap.pp
+++ b/modules/openssh/manifests/ssh_keys_from_ldap.pp
@@ -1,32 +1,20 @@
-class openssh::ssh_keys_from_ldap($symlink_users = [],
- $config = '') inherits server {
- # root account authorized_keys will be symlinked
- # if you want to add symlink on other accounts, use $symlink_users parameter
-
- File ['/etc/ssh/sshd_config'] {
- content => template('openssh/sshd_config','openssh/sshd_config_ldap')
- }
-
- package { 'python-ldap': }
-
- include openssh::pubkeys_directory
- $pubkeys_directory = $openssh::pubkeys_directory::pubkeys_directory
-
- symlink_user { $symlink_users: }
+class openssh::ssh_keys_from_ldap inherits server {
+ package { 'python3-ldap': }
 $ldap_pwfile = '/etc/ldap.secret'
+ $nslcd_conf_file = '/etc/nslcd.conf'
 $ldap_servers = get_ldap_servers()
- mga-common::local_script { 'ldap-sshkey2file.py':
+ mga_common::local_script { 'ldap-sshkey2file.py':
 content => template('openssh/ldap-sshkey2file.py'),
- require => Package['python-ldap']
+ require => Package['python3-ldap']
 }
 cron { 'sshkey2file':
- command => '/usr/local/bin/ldap-sshkey2file.py',
+ command => '/bin/bash -c "/usr/local/bin/ldap-sshkey2file.py && ( [[ -f /usr/bin/mgagit && -d /var/lib/git/.gitolite ]] && /bin/su -c \'/usr/bin/mgagit glrun\' - git ) ||:"',
 hour => '*',
 minute => '*/10',
 user => 'root',
 environment => 'MAILTO=root',
- require => Local_script['ldap-sshkey2file.py'],
+ require => Mga_common::Local_script['ldap-sshkey2file.py'],
 }
 }
diff --git a/modules/openssh/manifests/symlink_user.pp b/modules/openssh/manifests/symlink_user.pp
deleted file mode 100644
index f2e107b1..00000000
--- a/modules/openssh/manifests/symlink_user.pp
+++ /dev/null
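Review bot: The cron command ends in `||:`, so every failure of ldap-sshkey2file.py — an unreachable LDAP server or an unreadable bind password as much as "no keys changed" — exits 0 and `MAILTO=root` never fires; the script as rewritten in this commit also uses status 1 for both "no change" and an uncaught error, so the wrapper cannot tell them apart. Give the script a distinct status for "nothing changed" (for example 0 for no change, 2 for changed, 1 for error), run mgagit only on the "changed" status, and let any other non-zero status reach cron. Dropping the `sshd_config_ldap` override also moves the keys from the root-owned /var/lib/pubkeys tree to `$HOME/.ssh/authorized_keys` owned by the user, so a user (or anything running as that uid) can add a key that sshd honours until the next ten-minute sync overwrites it; if keys are meant to be LDAP-only, keep a root-owned `AuthorizedKeysFile` location or serve them through `AuthorizedKeysCommand` instead.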
@@ -1,19 +0,0 @@
-define openssh::symlink_user() {
- include openssh::pubkeys_directory
- $pubkeys_directory = $openssh::pubkeys_directory::pubkeys_directory
- file { "$pubkeys_directory/$name":
- ensure => directory,
- owner => $name,
- group => $name,
- mode => '0700',
- }
-
- file { "$pubkeys_directory/$name/authorized_keys":
- # FIXME : fragile approximation for $HOME
- ensure => link,
- target => "/home/$name/.ssh/authorized_keys",
- mode => '0700',
- }
-}
-
-
diff --git a/modules/openssh/templates/ldap-sshkey2file.py b/modules/openssh/templates/ldap-sshkey2file.py
index eb8456ab..934e2865 100755
--- a/modules/openssh/templates/ldap-sshkey2file.py
+++ b/modules/openssh/templates/ldap-sshkey2file.py
@@ -1,96 +1,194 @@ -#!/usr/bin/python +#!/usr/bin/python3 -import sys +import argparse import os import random +import shutil +import sys +import tempfile +import textwrap +from typing import Iterable try: import ldap -except ImportError, e: - print "Please install python-ldap before running this program" +except ImportError: + print("Please install python-ldap before running this program") sys.exit(1) -basedn="<%= dc_suffix %>" -peopledn="ou=people,%s" % basedn +basedn = "<%= @dc_suffix %>" +peopledn = f"ou=people,{basedn}" <%- ldap_servers.map! { |l| "'ldaps://#{l}'" } -%> -uris=[<%= ldap_servers.join(", ") %>] +uris = [<%= ldap_servers.join(", ") %>] random.shuffle(uris) uri = " ".join(uris) -timeout=5 -binddn="cn=<%= fqdn %>,ou=Hosts,%s" % basedn -pwfile="<%= ldap_pwfile %>" +timeout = 5 +binddn = f"cn=<%= @fqdn %>,ou=Hosts,{basedn}" +ldap_secret_file = "<%= @ldap_pwfile %>" +nslcd_conf_file = "<%= @nslcd_conf_file %>" # filter out disabled accounts also # too bad uidNumber doesn't support >= filters -filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))" -keypathprefix="<%= pubkeys_directory %>" - -def usage(): - print "%s" % sys.argv[0] - print - print "Will fetch all enabled user accounts under %s" % peopledn - print "with ssh keys in them and write each one to" - print "%s/<login>/authorized_keys" % keypathprefix - print - print "This script is intented to be run from cron as root" - print - -def get_pw(pwfile): +objfilter = "(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))" +keypathprefix = "/home" + +parser = argparse.ArgumentParser( + formatter_class=argparse.RawDescriptionHelpFormatter, + description=textwrap.dedent(f'''\ + Will fetch all enabled user accounts under {peopledn} + with ssh keys in them and write each one to + {keypathprefix}/<login>/.ssh/authorized_keys + + It will return failure when no keys are updated and success + when one or more 
keys have changed. + + This script is intended to be run from cron as root; + ''')) +parser.add_argument('-n', '--dry-run', action='store_true') +parser.add_argument('-v', '--verbose', action='store_true') +args = parser.parse_args() + + +def get_bindpw() -> str: try: - f = open(pwfile, 'r') - except IOError, e: - print "Error while reading password file, aborting" - print e - sys.exit(1) - pw = f.readline().strip() - f.close() - return pw + return get_nslcd_bindpw(nslcd_conf_file) + except: + pass -def write_keys(keys, user, uid, gid): try: - os.makedirs("%s/%s" % (keypathprefix,user), 0700) + return get_ldap_secret(ldap_secret_file) except: pass - keyfile = "%s/%s/authorized_keys" % (keypathprefix,user) - f = open(keyfile, 'w') + + print("Error while reading password file, aborting") + sys.exit(1) + + +def get_nslcd_bindpw(pwfile: str) -> str: + try: + with open(pwfile, 'r') as f: + pwfield = "bindpw" + for line in f: + ls = line.strip().split() + if len(ls) == 2 and ls[0] == pwfield: + return ls[1] + except IOError as e: + print("Error while reading nslcd file " + pwfile) + print(e) + raise + + print("No " + pwfield + " field found in nslcd file " + pwfile) + raise Exception() + + +def get_ldap_secret(pwfile: str) -> str: + try: + with open(pwfile, 'r') as f: + pw = f.readline().strip() + except IOError as e: + print("Error while reading password file " + pwfile) + print(e) + raise + return pw + + +def write_keys(keys: Iterable[bytes], user: bytes, uid: int, gid: int) -> bool: + userdir = f"{keypathprefix}/{user.decode('utf-8')}" + keyfile = f"{userdir}/.ssh/authorized_keys" + + fromldap = "" for key in keys: - f.write(key.strip() + "\n") - f.close() - os.chmod(keyfile, 0600) + fromldap += key.decode("utf-8").strip() + "\n" + + fromfile = "" + try: + with open(keyfile, 'r') as f: + fromfile = f.read() + except FileNotFoundError: + pass + + if fromldap == fromfile: + return False + + if args.dry_run: + print(f"Would write {keyfile}") + return True + + if 
args.verbose: + print(f"Writing {keyfile}") + + if not os.path.isdir(userdir): + shutil.copytree('/etc/skel', userdir) + os.chown(userdir, uid, gid) + for root, dirs, files in os.walk(userdir): + for d in dirs: + os.chown(os.path.join(root, d), uid, gid) + for f in files: + os.chown(os.path.join(root, f), uid, gid) + + try: + os.makedirs(f"{userdir}/.ssh", 0o700) + except FileExistsError: + pass + os.chmod(f"{userdir}/.ssh", 0o700) + os.chown(f"{userdir}/.ssh", uid, gid) + + with tempfile.NamedTemporaryFile( + prefix='ldap-sshkey2file-', mode='w', delete=False) as tmpfile: + tmpfile.write(fromldap) + os.chmod(tmpfile.name, 0o600) + os.chown(tmpfile.name, uid, gid) + shutil.move(tmpfile.name, keyfile) + # Hmm, apparently shutil.move does not preserve user/group so let's reapply + # them. I still like doing it before as this should be more "atomic" + # if it actually worked, so it's "good practice", even if shutil.move sucks os.chown(keyfile, uid, gid) - os.chmod("%s/%s" % (keypathprefix,user), 0700) - os.chown("%s/%s" % (keypathprefix,user), uid, gid) + os.chmod(keyfile, 0o600) + return True -if len(sys.argv) != 1: - usage() - sys.exit(1) -bindpw = get_pw(pwfile) +bindpw = get_bindpw() +changed = False try: ld = ldap.initialize(uri) ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout) if uri.startswith("ldap:/"): ld.start_tls_s() ld.bind_s(binddn, bindpw) - res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber']) + res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, objfilter, + ['uid', 'sshPublicKey', 'uidNumber', 'gidNumber']) try: - os.makedirs(keypathprefix, 0701) - except: + os.makedirs(keypathprefix, 0o701) + except FileExistsError: pass + + if args.verbose: + print("Found users:", + ", ".join(sorted([x[1]['uid'][0].decode('utf-8') for x in res]))) + for result in res: dn, entry = result # skip possible system users - if int(entry['uidNumber'][0]) < 500: + if 'uidNumber' not in entry or int(entry['uidNumber'][0]) < 500: 
continue - write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0])) + if write_keys(entry['sshPublicKey'], entry['uid'][0], + int(entry['uidNumber'][0]), int(entry['gidNumber'][0])): + changed = True + ld.unbind_s() -except Exception, e: - print "Error" +except Exception: + print("Error") raise -sys.exit(0) +if changed: + if args.verbose: + print("SSH keys changed") + sys.exit(0) + +if args.verbose: + print("No changes in SSH keys") +sys.exit(1) # vim:ts=4:sw=4:et:ai:si diff --git a/modules/openssh/templates/sshd_config b/modules/openssh/templates/sshd_config index 27eee0f1..56ddd725 100644 --- a/modules/openssh/templates/sshd_config +++ b/modules/openssh/templates/sshd_config @@ -18,11 +18,10 @@ # The default requires explicit activation of protocol 1 #Protocol 2 -# HostKey for protocol version 1 -HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h @@ -57,11 +56,11 @@ PermitRootLogin without-password #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes +PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no @@ -82,7 +81,7 @@ PermitRootLogin without-password # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM yes +UsePAM no # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
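Review bot: In `write_keys` the temporary file is created in the default temp directory and then `shutil.move`d into `$HOME/.ssh`, which degrades to a copy whenever that directory is on a different filesystem — that is why the comment below it finds the ownership lost, and it also makes the replacement of the keyfile non-atomic. Create it next to its destination with `tempfile.NamedTemporaryFile(prefix='ldap-sshkey2file-', mode='w', delete=False, dir=os.path.dirname(keyfile))` and finish with `os.replace(tmpfile.name, keyfile)`; the chown/chmod already applied to the temp file then survive the rename and the trailing re-chown becomes unnecessary. Since the script runs as root inside a directory the user owns, the `os.chmod`/`os.chown` calls on `.ssh` and on `keyfile` should refuse to follow symlinks (check with `os.lstat` first and pass `follow_symlinks=False`) rather than operate on whatever those names currently point at. Smaller points: the two bare `except:` in `get_bindpw` should be `except Exception:` so an interrupt is not swallowed, and the new `'uidNumber' not in entry` guard still leaves `entry['gidNumber'][0]` to raise KeyError on an entry without a gidNumber.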
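Review bot: `UsePAM no` together with `PasswordAuthentication no` and `ChallengeResponseAuthentication no` does remove PAM authentication, but it also skips the PAM account and session stages for SSH logins, so the `account sufficient pam_succeed_if.so ... user ingroup` gating that pam::multiple_ldap_access renders into system-auth (and the pam_mkhomedir/pam_limits session modules there) no longer applies to key-based logins; the context comment immediately above this line describes `UsePAM yes` with the two auth options off as the way to keep those checks. Unless the group restriction is enforced elsewhere — on duvel the Match/ForceCommand block in the later hunk only constrains the command, not who may log in — keep `UsePAM yes` here, or add an explicit `AllowGroups` line listing the permitted groups. The HostKey and PasswordAuthentication hunks earlier in this file are fine as they stand.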
@@ -99,7 +98,6 @@ X11Forwarding yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
@@ -114,10 +112,15 @@ UsePrivilegeSeparation yes
 #Banner none
 # override default of no subsystems
-Subsystem sftp <%= path_to_sftp %>/sftp-server
+Subsystem sftp /usr/libexec/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 # X11Forwarding no
 # AllowTcpForwarding no
 # ForceCommand cvs server
+<% if @hostname == 'duvel' then %>
+# git command is already forced to "gitolite <username>" in /var/lib/git/.ssh/authorized_keys
+Match User *,!schedbot,!root,!git Group *,!mga-sysadmin,!mga-unrestricted_shell_access
+ ForceCommand /usr/local/bin/sv_membersh.pl -c "$SSH_ORIGINAL_COMMAND"
+<% end %>
diff --git a/modules/openssh/templates/sshd_config_ldap b/modules/openssh/templates/sshd_config_ldap
deleted file mode 100644
index 31b29e21..00000000
--- a/modules/openssh/templates/sshd_config_ldap
+++ /dev/null
@@ -1,3 +0,0 @@
-
-AuthorizedKeysFile /var/lib/pubkeys/%u/authorized_keys
-
diff --git a/modules/openssl/manifests/init.pp b/modules/openssl/manifests/init.pp
index bf05d35e..b8c4d91e 100644
--- a/modules/openssl/manifests/init.pp
+++ b/modules/openssl/manifests/init.pp
@@ -6,10 +6,10 @@ class openssl {
 define self_signed_cert($directory = '/etc/certs') {
 include openssl::base
- $pem_file = "$name.pem"
- exec { "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $pem_file -out $pem_file -subj '/CN=$name'":
+ $pem_file = "${name}.pem"
+ exec { "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${pem_file} -out ${pem_file} -subj '/CN=${name}'":
 cwd => $directory,
- creates => "$directory/$name.pem",
+ creates => "${directory}/${name}.pem",
 require => Package['openssl']
 }
 }
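Review bot: `Subsystem sftp /usr/libexec/openssh/sftp-server` hardcodes the path that `$path_to_sftp` in openssh::server was meant to carry — and that variable is touched in this same commit only to gain a TODO about this exact path — so the variable is now dead while the template no longer follows it. Either fix `$path_to_sftp` in server.pp and render `<%= @path_to_sftp %>` here, or delete the variable and its comment so the two files stop disagreeing. The `Match`/`ForceCommand` block is sound as written (the `"$SSH_ORIGINAL_COMMAND"` quoting is correct), but a comment above it naming the groups that are exempt and why would help, since the exemptions live only in this one template.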
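Review bot: The exec still issues the certificate with `-days 365` while `creates` stops it from ever running again, so the cert at `${directory}/${name}.pem` silently expires after a year; the openldap service depends on this define and the slave syncrepl now connects over ldaps with verification disabled, and an expired master cert is one plausible reason for that. Either raise the validity (`-days 3650`) or replace `creates` with `unless => "openssl x509 -checkend 2592000 -noout -in ${pem_file}"` so the cert is reissued before it lapses. `-nodes` writes the unencrypted key and the cert into one file, so the resulting pem should also be managed with a root-only mode; the define ends in this hunk but class openssl continues below.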
@@ -21,17 +21,17 @@ class openssl {
 $mode = '0600') {
 include openssl::base
- $crt_file = "$filename.crt"
- $key_file = "$filename.key"
- exec { "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $key_file -out $crt_file -subj '/CN=$name'":
+ $crt_file = "$(unknown).crt"
+ $key_file = "$(unknown).key"
+ exec { "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${key_file} -out ${crt_file} -subj '/CN=${name}'":
 cwd => $directory,
- creates => "$directory/$key_file",
+ creates => "${directory}/${key_file}",
 require => Package['openssl'],
- before => [File["$directory/$key_file"],
- File["$directory/$crt_file"]]
+ before => [File["${directory}/${key_file}"],
+ File["${directory}/${crt_file}"]]
 }
- file { ["$directory/$key_file","$directory/$crt_file"]:
+ file { ["${directory}/${key_file}","${directory}/${crt_file}"]:
 owner => $owner,
 group => $group,
 mode => $mode,
diff --git a/modules/pam/manifests/base.pp b/modules/pam/manifests/base.pp
index df913101..e29c8555 100644
--- a/modules/pam/manifests/base.pp
+++ b/modules/pam/manifests/base.pp
@@ -1,5 +1,13 @@
 class pam::base {
- package { ['pam_ldap','nss_ldap','nscd']: }
+ include pam::multiple_ldap_access
+ package { ['nscd', 'nss-pam-ldapd']: }
+
+ # This needs configuration or it generates an error every hour.
+ # If it's ever enabled, make sure restrict permissions on
+ # /var/db/passwd.db and /var/db/group.db at the same time.
+ package { 'nss_updatedb':
+ ensure => 'absent',
+ }
 service { 'nscd':
 require => Package['nscd'],
diff --git a/modules/pam/manifests/multiple_ldap_access.pp b/modules/pam/manifests/multiple_ldap_access.pp
index ecda7018..1c5a391f 100644
--- a/modules/pam/manifests/multiple_ldap_access.pp
+++ b/modules/pam/manifests/multiple_ldap_access.pp
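Review bot: The two added lines read `$crt_file = "$(unknown).crt"` and `$key_file = "$(unknown).key"`; `$(` is not variable interpolation in Puppet, so if this is what the file really contains (rather than an artefact of how this diff was rendered) the names lose the `$filename` they carried before and every certificate produced by this define collides on one literal name. Presumably `"${filename}.crt"` and `"${filename}.key"` were intended, matching the `${key_file}`/`${crt_file}` quoting adopted on the exec line. The define's header is above this hunk.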
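Review bot: `include pam::multiple_ldap_access` now declares a class whose `$access_classes` parameter has no default (see multiple_ldap_access.pp in the next file of this commit), so compilation fails on any node where Hiera does not bind `pam::multiple_ldap_access::access_classes`, and any node that also declares it resource-style with `class { 'pam::multiple_ldap_access': ... }` after this include gets a duplicate-declaration error. Give the parameter a default, `$access_classes = []`, which the `empty()` test in that class already handles, or document the required Hiera key in a comment next to this include. The class body of pam::base continues outside the hunk.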
@@ -1,4 +1,13 @@ -define pam::multiple_ldap_access($access_classes, $restricted_shell = false) { +class pam::multiple_ldap_access($access_classes, $restricted_shell = false) { + include stdlib + + $default_access_classes = [ 'mga-sysadmin', 'mga-unrestricted_shell_access' ] + if empty($access_classes) { + $allowed_access_classes = $default_access_classes + } else { + $allowed_access_classes = concat($default_access_classes, $access_classes) + } + if $restricted_shell { include restrictshell } diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf index a1d751cf..235a6aac 100644 --- a/modules/pam/templates/ldap.conf +++ b/modules/pam/templates/ldap.conf @@ -15,8 +15,10 @@ nss_map_attribute uniqueMember member sudoers_base ou=sudoers,<%= dc_suffix %> #sudoers_debug 2 -<% if restricted_shell %> +<%- +restricted_shell = scope.lookupvar('pam::multiple_ldap_access::restricted_shell') +if restricted_shell +-%> # for restricted access nss_override_attribute_value loginShell /usr/local/bin/sv_membersh.pl <% end %> - diff --git a/modules/pam/templates/nsswitch.conf b/modules/pam/templates/nsswitch.conf index fdd32996..bfd042c1 100644 --- a/modules/pam/templates/nsswitch.conf +++ b/modules/pam/templates/nsswitch.conf @@ -13,4 +13,3 @@ netgroup: files ldap publickey: files automount: files aliases: files - diff --git a/modules/pam/templates/openldap.ldap.conf b/modules/pam/templates/openldap.ldap.conf index 812538be..cd6ee640 100644 --- a/modules/pam/templates/openldap.ldap.conf +++ b/modules/pam/templates/openldap.ldap.conf @@ -18,9 +18,8 @@ TLS_REQCERT allow # Use the default self-signed cert generated by openldap-server postinstall # by default #TLS_CACERT /etc/pki/tls/certs/ldap.pem -#TLS_CACERT /etc/ssl/openldap/ldap.mageia.org.pem +#TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem # If requiring support for certificates signed by all CAs (noting risks # pam_ldap if doing DNS-based suffix lookup etc. #TLS_CACERTDIR /etc/pki/tls/rootcerts - 
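Review bot: The define becomes `class pam::multiple_ldap_access($access_classes, $restricted_shell = false)` with no default for `$access_classes`, yet the pam::base hunk on the previous line now does `include pam::multiple_ldap_access`; unless the value arrives through a data binding or the class is declared resource-style before that include, the catalog fails to compile on the missing parameter. Giving it a default, `class pam::multiple_ldap_access($access_classes = [], $restricted_shell = false) {`, keeps `include` working and the `empty()` branch already handles that case. A one-line comment above `$default_access_classes` stating that `mga-sysadmin` and `mga-unrestricted_shell_access` are always granted access regardless of the caller's list would make the policy explicit.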
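Review bot: The openldap.ldap.conf hunk templates the CA path but keeps it commented out (`#TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem`), and the hunk header shows `TLS_REQCERT allow`, so clients using this file accept any server certificate on the ldaps connections configured elsewhere in this commit. If the CA file is deployed on these hosts, uncomment `TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem` and set `TLS_REQCERT demand` so the directory server is actually authenticated; if it is not deployed, a comment saying why verification stays off would stop the next reader from treating it as a leftover.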
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth index 4df9555e..37d1da7d 100644 --- a/modules/pam/templates/system-auth +++ b/modules/pam/templates/system-auth @@ -11,8 +11,9 @@ auth required pam_deny.so account sufficient pam_localuser.so # not sure if the following bring something useful account required pam_ldap.so -<%- if access_classes -%> -<%- access_classes.each { |ldap_group| -%> +<%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%> +<%- if allowed_access_classes -%> +<%- allowed_access_classes.each { |ldap_group| -%> account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %> <%- } -%> <%- end -%> @@ -32,4 +33,3 @@ session optional pam_mkhomedir.so session required pam_limits.so session required pam_unix.so session optional pam_ldap.so - diff --git a/modules/phpbb/files/phpbb_apply_config.pl b/modules/phpbb/files/phpbb_apply_config.pl index 5bd094e4..a58df24e 100644 --- a/modules/phpbb/files/phpbb_apply_config.pl +++ b/modules/phpbb/files/phpbb_apply_config.pl @@ -16,7 +16,7 @@ my $dbh = DBI->connect("dbi:Pg:","","", { my $table = "phpbb_config"; # FIXME add rollback if there is a problem -# http://docstore.mik.ua/orelly/linux/dbi/ch06_03.htm +# https://docstore.mik.ua/orelly/linux/dbi/ch06_03.htm my $update = $dbh->prepare("UPDATE $table SET config_value = ?, is_dynamic = ? WHERE config_name = ?"); my $insert = $dbh->prepare("INSERT INTO $table ( config_value, is_dynamic, config_name ) VALUES ( ? , ? , ? )"); diff --git a/modules/phpbb/files/robots.txt b/modules/phpbb/files/robots.txt new file mode 100644 index 00000000..1c335a73 --- /dev/null +++ b/modules/phpbb/files/robots.txt @@ -0,0 +1,7 @@ +User-agent: * +Disallow: /*/faq.php? +Disallow: /*/memberlist.php? +Disallow: /*/posting.php? +Disallow: /*/search.php? +Disallow: /*/ucp.php? +Crawl-delay: 30 
diff --git a/modules/phpbb/manifests/base.pp b/modules/phpbb/manifests/base.pp index 115c4592..9f676cb4 100644 --- a/modules/phpbb/manifests/base.pp +++ b/modules/phpbb/manifests/base.pp @@ -9,7 +9,6 @@ class phpbb::base { 'php-xml', 'php-zlib', 'php-ftp', - 'php-apc', 'php-magickwand', 'php-pgsql', 'php-ldap']: } @@ -30,14 +29,23 @@ class phpbb::base { ensure => directory, } + $robotsfile = "$forums_dir/robots.txt" + file { $robotsfile: + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/phpbb/robots.txt', + } + # TODO check that everything is locked down - apache::vhost::base { "forums.$::domain": + apache::vhost::base { "forums.${::domain}": content => template('phpbb/forums_vhost.conf'), } - apache::vhost::base { "ssl_forums.$::domain": + apache::vhost::base { "ssl_forums.${::domain}": use_ssl => true, - vhost => "forums.$::domain", + vhost => "forums.${::domain}", content => template('phpbb/forums_vhost.conf'), } diff --git a/modules/phpbb/manifests/config.pp b/modules/phpbb/manifests/config.pp index 52bd5419..553b0f74 100644 --- a/modules/phpbb/manifests/config.pp +++ b/modules/phpbb/manifests/config.pp @@ -1,12 +1,12 @@ define phpbb::config($key, $value, $database) { - exec { "phpbb_apply $name": - command => "/usr/local/bin/phpbb_apply_config.pl $key", + exec { "phpbb_apply ${name}": + command => "/usr/local/bin/phpbb_apply_config.pl ${key}", user => 'root', - environment => ["PGDATABASE=$database", - "PGUSER=$phpbb::base::user", - "PGPASSWORD=$phpbb::base::pgsql_password", - "PGHOST=pgsql.$::domain", - "VALUE=$value"], + environment => ["PGDATABASE=${database}", + "PGUSER=${phpbb::base::user}", + "PGPASSWORD=${phpbb::base::pgsql_password}", + "PGHOST=pgsql.${::domain}", + "VALUE=${value}"], require => File['/usr/local/bin/phpbb_apply_config.pl'], } } diff --git a/modules/phpbb/manifests/instance.pp b/modules/phpbb/manifests/instance.pp index d260ff7b..e300d9e0 100644 
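Review bot: The new line `$robotsfile = "$forums_dir/robots.txt"` uses the unbraced interpolation form that every other hunk in this commit converts to the `${...}` form; write it as `$robotsfile = "${forums_dir}/robots.txt"` so the file is consistent with the change it is part of. The `file { $robotsfile: ... }` resource itself is fine (world-readable, root-owned, sourced from the module). The rest of the class continues outside the hunk.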
--- a/modules/phpbb/manifests/instance.pp +++ b/modules/phpbb/manifests/instance.pp @@ -2,27 +2,27 @@ define phpbb::instance() { include phpbb::base $lang = $name - $database = "${phpbb::base::db}_$lang" + $database = "${phpbb::base::db}_${lang}" $user = $phpbb::base::user $pgsql_password = $phpbb::base::pgsql_password $forums_dir = $phpbb::base::forums_dir include git::client - exec { "git_clone $lang": - command =>"git clone git://git.$::domain/forum/ $lang", + exec { "git_clone ${lang}": + command =>"git clone git://git.${::domain}/web/forums/ ${lang}", cwd => $forums_dir, - creates => "$forums_dir/$lang", + creates => "${forums_dir}/${lang}", require => File[$forums_dir], - notify => Exec["rm_install $lang"], + notify => Exec["rm_install ${lang}"], } # remove this or the forum will not work ( 'board disabled' ) - # maybe it would be better to move this elsehwere, I + # maybe it would be better to move this elsewhere, I # am not sure ( and in any case, that's still in git ) - exec { "rm_install $lang": - command => "rm -Rf $forums_dir/$lang/phpBB/install", - onlyif => "test -d $forums_dir/$lang/phpBB/install", + exec { "rm_install ${lang}": + command => "rm -Rf ${forums_dir}/${lang}/phpBB/install", + onlyif => "test -d ${forums_dir}/${lang}/phpBB/install", } # list found by reading ./install/install_install.php @@ -33,15 +33,15 @@ define phpbb::instance() { 'files', 'store' ] - $dir_names = regsubst($writable_dirs,'^',"$forums_dir/$lang/phpBB/") + $dir_names = regsubst($writable_dirs,'^',"${forums_dir}/${lang}/phpBB/") file { $dir_names: ensure => directory, owner => 'apache', - require => Exec["git_clone $lang"], + require => Exec["git_clone ${lang}"], } - file { "$forums_dir/$lang/phpBB/config.php": + file { "${forums_dir}/${lang}/phpBB/config.php": content => template('phpbb/config.php'), } 
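Review bot: `command =>"git clone git://git.${::domain}/web/forums/ ${lang}"` fetches the forum application over the `git://` transport, which gives neither transport encryption nor server authentication, and nothing pins a revision, so the deployed code is whatever the remote serves at clone time. Prefer `https://` or `ssh://` against the same repository and record the expectation next to it, e.g. `# NOTE: clone is not pinned to a revision; the checkout is whatever the remote HEAD is`. The `rm -Rf ${forums_dir}/${lang}/phpBB/install` exec runs as root with the path built from the resource title, so a comment that `$name` must be a plain language code (no `/`, spaces or shell metacharacters) belongs on the define. The define body continues in the next hunk.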
@@ -56,25 +56,25 @@ define phpbb::instance() { $ldap_password = extlookup( 'phpbb_ldap','x') phpbb::config { - "ldap_user/$lang": - key => 'ldap_user', value => "cn=phpbb-$::hostname,ou=System Accounts,$::dc_suffix"; - "ldap_server/$lang": - key => 'ldap_server', value => "ldaps://ldap.$::domain ldaps://ldap-slave-1.$::domain"; - "ldap_password/$lang": + "ldap_user/${lang}": + key => 'ldap_user', value => "cn=phpbb-${::hostname},ou=System Accounts,${::dc_suffix}"; + "ldap_server/${lang}": + key => 'ldap_server', value => "ldaps://ldap.${::domain} ldaps://ldap-slave-1.${::domain}"; + "ldap_password/${lang}": key => 'ldap_password', value => $ldap_password; - "ldap_base_dn/$lang": - key => 'ldap_base_dn', value => "ou=People,$::dc_suffix"; - "auth_method/$lang": + "ldap_base_dn/${lang}": + key => 'ldap_base_dn', value => "ou=People,${::dc_suffix}"; + "auth_method/${lang}": key => 'auth_method', value => 'ldap'; - "ldap_mail/$lang": + "ldap_mail/${lang}": key => 'ldap_mail', value => 'mail'; - "ldap_uid/$lang": + "ldap_uid/${lang}": key => 'ldap_uid', value => 'uid'; - "cookie_domain/$lang": - key => 'cookie_domain', value => "forums.$::domain"; - "server_name/$lang": - key => 'server_name', value => "forums.$::domain"; - "default_lang/$lang": + "cookie_domain/${lang}": + key => 'cookie_domain', value => "forums.${::domain}"; + "server_name/${lang}": + key => 'server_name', value => "forums.${::domain}"; + "default_lang/${lang}": key => 'default_lang', value => $lang; } } diff --git a/modules/phpbb/manifests/locale_db.pp b/modules/phpbb/manifests/locale_db.pp index 8111f18f..70116962 100644 --- a/modules/phpbb/manifests/locale_db.pp +++ b/modules/phpbb/manifests/locale_db.pp 
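Review bot: The first context line of the hunk, `$ldap_password = extlookup( 'phpbb_ldap','x')`, supplies `'x'` as the fallback, so if the `phpbb_ldap` key is missing from the extlookup data the forum is silently configured with the literal bind password `x` through the `ldap_password/${lang}` entry below. Dropping the default, `$ldap_password = extlookup('phpbb_ldap')`, turns a missing secret into a compile failure instead of a broken credential; if the fallback is intentional for test hosts, a comment saying so belongs next to it. This is pre-existing rather than introduced by the interpolation changes in the hunk.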
@@ -1,7 +1,8 @@ +# FIXME: In puppet >3.0 word 'tag' is reserved, so it have to be renamed define phpbb::locale_db($tag = 'default', $user = $phpbb::base::user) { postgresql::database { $name: - description => "$lang db for phpbb forum", + description => "${lang} db for phpbb forum", user => $user, tag => $tag, # this break due to the way it is remotely declared diff --git a/modules/phpbb/manifests/redirection_instance.pp b/modules/phpbb/manifests/redirection_instance.pp index 48446d3e..332eac53 100644 --- a/modules/phpbb/manifests/redirection_instance.pp +++ b/modules/phpbb/manifests/redirection_instance.pp @@ -1,7 +1,7 @@ define phpbb::redirection_instance($url) { $lang = $name - file { "/etc/httpd/conf/vhosts.d/forums.d/redirect_$name.conf": + file { "/etc/httpd/conf/vhosts.d/forums.d/redirect_${name}.conf": content => template('phpbb/forums_redirect.conf'), - notify => Exec['service httpd configtest'], + notify => Exec['apachectl configtest'], } } diff --git a/modules/phpbb/templates/config.php b/modules/phpbb/templates/config.php index 95bf1f2a..5d878235 100644 --- a/modules/phpbb/templates/config.php +++ b/modules/phpbb/templates/config.php @@ -2,7 +2,7 @@ // phpBB 3.0.x auto-generated configuration file // // Do not change anything in this file! $dbms = 'postgres'; -$dbhost = 'pgsql.<%= domain %>'; +$dbhost = 'pg.<%= domain %>'; $dbport = ''; $dbname = '<%= database %>'; $dbuser = '<%= user %>'; diff --git a/modules/phpbb/templates/forums_vhost.conf b/modules/phpbb/templates/forums_vhost.conf index 2c715485..440dad1f 100644 --- a/modules/phpbb/templates/forums_vhost.conf +++ b/modules/phpbb/templates/forums_vhost.conf 
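Review bot: `description => "${lang} db for phpbb forum"` refers to `$lang`, but `phpbb::locale_db` only declares `$tag` and `$user`; without the dynamic scoping that Puppet 3 removed the variable is not inherited from the calling define, so on current Puppet the description is presumably empty (with a warning). Using the resource title, `description => "${name} db for phpbb forum",`, matches how `phpbb::instance` derives `$lang = $name` in its own hunk. The added `# FIXME: In puppet >3.0 word 'tag' is reserved` comment is useful; the same note is repeated in five other files in this diff and could point to one place.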
@@ -1,19 +1,32 @@ # TODO redirect based on language settings # and the presence of the forum - + # for locale redirection Include conf/vhosts.d/forums.d/*.conf + # Prevent including forum site in tier iframe + Header set X-Frame-Options DENY + # using Redirect create a loop, so we use mod_rewrite here RewriteEngine On RewriteRule ^/$ /en/ [R] RewriteRule ^/(..)$ /$1/ [R] + Alias /robots.txt <%= forums_dir %>/robots.txt + AliasMatch ^/(..)/(.*) <%= forums_dir %>/$1/phpBB/$2 <Directory ~ "<%= forums_dir %>/.*/phpBB/"> + <IfModule mod_authz_core.c> + # Apache 2.4 + Require all granted + </IfModule> + <IfModule !mod_authz_core.c> + # Apache 2.2 + Order Allow,Deny Allow from all + </IfModule> </Directory> <%- @@ -35,8 +48,15 @@ forbidden = ['install', for f in forbidden -%> <Directory <%= forums_dir %>/.*/phpBB/<%= f %>/ > - Order Allow,Deny + <IfModule mod_authz_core.c> + # Apache 2.4 + Require all denied + </IfModule> + <IfModule !mod_authz_core.c> + # Apache 2.2 + Order Deny,Allow Deny from all + </IfModule> </Directory> <%- end -%> diff --git a/modules/planet/manifests/init.pp b/modules/planet/manifests/init.pp index 2fbfab85..8aacd5cc 100644 --- a/modules/planet/manifests/init.pp +++ b/modules/planet/manifests/init.pp @@ -6,18 +6,24 @@ class planet { home => '/var/lib/planet', } - $vhost = "planet.$::domain" - $location = "/var/www/vhosts/$vhost" - + $vhost = "planet.${::domain}" + $location = "/var/www/vhosts/${vhost}" + include apache::mod::php - include apache::mod::deflate apache::vhost::base { $vhost: location => $location, content => template('planet/planet_vhosts.conf') } - local_script { 'deploy_new-planet.sh': + apache::vhost::base { "ssl_${vhost}": + use_ssl => true, + vhost => $vhost, + location => $location, + content => template('planet/planet_vhosts.conf') + } + + mga_common::local_script { 'deploy_new-planet.sh': content => template('planet/deploy_new-planet.sh') } 
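Review bot: The deny block in the second hunk wraps `<Directory <%= forums_dir %>/.*/phpBB/<%= f %>/ >`, which has no `~`, so Apache treats the path as a shell-style wildcard in which `.` is literal and `.*` matches only a directory whose name starts with a dot; the `Require all denied` / `Deny from all` would then not apply to e.g. `/en/phpBB/install/`, whereas the allow block in the first hunk uses the regex form `<Directory ~ "...">`. If the regex form is intended, change the line to `<Directory ~ "<%= forums_dir %>/.*/phpBB/<%= f %>/">`. In the first hunk `Header set X-Frame-Options DENY` is emitted outside any `<IfModule mod_headers.c>` guard, so the vhost fails to load on a host without mod_headers; either wrap it or state the module requirement in the comment. The `forbidden` list the second hunk iterates over starts above the hunk.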
@@ -25,27 +31,27 @@ class planet { ensure => directory, } - file { "$location/index.php": + file { "${location}/index.php": content => template('planet/index.php') } - package { ['php-iconv']: } + package { ['php-iconv']: } class files_backup inherits base { - file { "/var/lib/planet/backup": + file { '/var/lib/planet/backup': ensure => directory, } - local_script { "backup_planet-files.sh": - content => template("blog/backup_planet-files.sh") + mga_common::local_script { 'backup_planet-files.sh': + content => template('blog/backup_planet-files.sh') } cron { "Backup files (planet)": - user => root, - hour => '23', - minute => '42', - command => "/usr/local/bin/backup_planet-files.sh", - require => [File["backup_planet-files"]], + user => root, + hour => '23', + minute => '42', + command => '/usr/local/bin/backup_planet-files.sh', + require => [File['backup_planet-files']], } } } diff --git a/modules/planet/templates/deploy_new-planet.sh b/modules/planet/templates/deploy_new-planet.sh index 605fa273..b3889d31 100755 --- a/modules/planet/templates/deploy_new-planet.sh +++ b/modules/planet/templates/deploy_new-planet.sh @@ -22,7 +22,8 @@ then # Deploy new planet with locale given /bin/mkdir $FILE /bin/chown planet:apache $FILE - /usr/bin/wget -O $PATH_TO_FILE"/moonmoon.tar.gz" http://damsweb.net/files/moonmoon_mageia.tar.gz + # TODO: this URL returns 403 (2024-01) + /usr/bin/wget -O $PATH_TO_FILE"/moonmoon.tar.gz" https://damsweb.net/files/moonmoon_mageia.tar.gz if [ $? -ne 0 ] then echo "Aborted, can't download GZIP file" 
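Review bot: In `files_backup` the cron's `require => [File['backup_planet-files']]` names a resource nothing in the hunk declares; the script is declared as `mga_common::local_script { 'backup_planet-files.sh': ... }`, so unless that define aliases the file under the suffix-less name this reference fails at catalog compile time. If the define creates `/usr/local/bin/backup_planet-files.sh`, `require => Mga_common::Local_script['backup_planet-files.sh'],` references what the commit now declares. The class header `class files_backup inherits base` starts outside the hunk.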
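Review bot: The `wget` line downloads `moonmoon.tar.gz` from a third-party host and the surrounding script unpacks it into the web root with no checksum or signature check, so the deployed planet code is whatever that URL serves; the added `# TODO: this URL returns 403 (2024-01)` comment records the dependency on that host but not the integrity gap. Verifying a known digest before extraction, e.g. `echo "<expected-sha256-placeholder>  $PATH_TO_FILE/moonmoon.tar.gz" | sha256sum -c -` followed by the same abort branch as the download failure, closes it. `$PATH_TO_FILE` and `$FILE` are used unquoted throughout the hunk; quoting them costs nothing.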
@@ -32,7 +33,7 @@ then /bin/mkdir $FILE"cache" /bin/chown -R planet:apache $FILE /bin/chmod g+w $FILE"custom" $FILE"custom/people.opml" $FILE"admin/inc/pwd.inc.php" $FILE"cache" - echo -e "Info: a new Planet had been deployed.\nThe locale is: \"$locale\" - http://planet.<%= domain %>/$locale \n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -s "New planet Mageia deployed" mageia-webteam@<%= domain %> mageia-marketing@<%= domain %> + echo -e "Info: a new Planet had been deployed.\nThe locale is: \"$locale\" - https://planet.<%= domain %>/$locale \n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -s "New planet Mageia deployed" mageia-webteam@<%= domain %> mageia-marketing@<%= domain %> fi else echo "Aborted, please try again." diff --git a/modules/planet/templates/planet_vhosts.conf b/modules/planet/templates/planet_vhosts.conf index 841e33cb..b3a07ab9 100644 --- a/modules/planet/templates/planet_vhosts.conf +++ b/modules/planet/templates/planet_vhosts.conf @@ -1,11 +1,11 @@ <Directory <%= location %> > - Order deny,allow + Order deny,allow Allow from All AllowOverride All - Options FollowSymlinks + Options FollowSymlinks Options +Indexes </Directory> # Add a permanent redirection for '/*' as '/en/' for english planet <IfModule mod_alias.c> - RedirectMatch permanent ^/?$ /en/ + RedirectMatch permanent ^/?$ /en/ </IfModule> diff --git a/modules/postfix/manifests/init.pp b/modules/postfix/manifests/init.pp index e13e86b5..8a4394df 100644 --- a/modules/postfix/manifests/init.pp +++ b/modules/postfix/manifests/init.pp @@ -1,5 +1,5 @@ class postfix { - package { ['postfix', 'nail']: } + package { postfix: } service { 'postfix': subscribe => Package['postfix'], 
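Review bot: `package { postfix: }` uses a bareword title while the rest of the commit quotes resource titles (`Package['postfix']` on the very next line, `'/etc/ssl/postfix/'` in the following hunk); write it `package { 'postfix': }` for consistency. Dropping `nail` from the list also removes what may be the provider of `/bin/mail`, which the planet deploy script in this same diff pipes into; worth confirming another package still supplies it on hosts that run that script.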
@@ -10,4 +10,15 @@ class postfix { content => '', notify => Service['postfix'], } + + file { '/etc/ssl/postfix/': + ensure => directory, + } + + openssl::self_signed_splitted_cert { "${::hostname}.${::domain}": + filename => 'postfix', + directory => '/etc/ssl/postfix/', + owner => 'postfix', + group => 'postfix' + } } diff --git a/modules/postfix/manifests/server/primary.pp b/modules/postfix/manifests/server/primary.pp index 3f089685..c14a8606 100644 --- a/modules/postfix/manifests/server/primary.pp +++ b/modules/postfix/manifests/server/primary.pp @@ -1,10 +1,16 @@ class postfix::server::primary inherits postfix::server { - package { 'postfix-ldap': } + # Adding DKIM server + include opendkim + opendkim::domain{['mageia.org', 'sucuk.mageia.org', 'duvel.mageia.org', 'forums.mageia.org', 'madb.mageia.org','rabbit.mageia.org', 'fiona.mageia.org','identity.mageia.org', 'group.mageia.org', 'neru.mageia.org']:} + opendkim::trusted{['127.0.0.0/8', '212.85.158.0/24']:} + + package { ['postfix-ldap', 'sqlite3-tools', 'dovecot-plugins-sqlite','rspamd']: } # council is here until we fully decide who has aliases in com team, + # see https://bugs.mageia.org/show_bug.cgi?id=1345 - # alumini is a special group for tracking previous members of + # alumni is a special group for tracking previous members of # the project, so they keep their aliases for a time $aliases_group = ['mga-founders', 'mga-packagers', diff --git a/modules/postfix/manifests/simple_relay.pp b/modules/postfix/manifests/simple_relay.pp index 265960ae..8911f781 100644 --- a/modules/postfix/manifests/simple_relay.pp +++ b/modules/postfix/manifests/simple_relay.pp @@ -2,4 +2,8 @@ class postfix::simple_relay inherits postfix { File['/etc/postfix/main.cf'] { content => template('postfix/simple_relay_main.cf'), } + file { + '/etc/postfix/sympa_aliases': + content => template('postfix/sympa_aliases'); + } } 
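Review bot: The `openssl::self_signed_splitted_cert { "${::hostname}.${::domain}": ... directory => '/etc/ssl/postfix/' }` resource has no ordering against the `file { '/etc/ssl/postfix/': ensure => directory }` declared just above it, and the define's exec uses `cwd => $directory` (openssl hunk earlier in this diff), so on a fresh host the exec can run before the directory exists and fail. Add `require => File['/etc/ssl/postfix/'],` to the certificate resource. The directory also gets no `owner`/`mode`; the key is `0600` by the define's default so this is only a hardening nicety, but `owner => 'root', group => 'postfix', mode => '0750'` documents the intent.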
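Review bot: `opendkim::trusted{['127.0.0.0/8', '212.85.158.0/24']:}` marks the whole /24 as trusted for DKIM signing, whereas the main.cf hunk on the next line sets `mynetworks = 212.85.158.144/28 ...`; if the /24 is a provider range shared with hosts outside the project, any of them relaying through this server would get mail signed with the project's keys. Trusting the same /28 (plus the two extra addresses listed in `mynetworks`) keeps the two boundaries consistent, and a comment such as `# keep in sync with mynetworks in templates/main.cf` helps. The `opendkim::domain` list hard-codes `mageia.org` hostnames in a module that otherwise uses `${::domain}`; presumably fine for a single deployment, but worth a note.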
diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf index ffda06b3..6b42a4de 100644 --- a/modules/postfix/templates/main.cf +++ b/modules/postfix/templates/main.cf @@ -11,26 +11,37 @@ sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop command_directory = /usr/sbin manpage_directory = /usr/share/man -daemon_directory = <%= lib_dir %>/postfix/ +daemon_directory = /usr/libexec/postfix +meta_directory = /etc/postfix +shlib_directory = /usr/lib64 +compatibility_level = 2 data_directory = /var/lib/postfix newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq queue_directory = /var/spool/postfix mail_owner = postfix +<% if all_tags.include?('postfix::simple_relay') || all_tags.include?('postfix::server::secondary') %> +relayhost = sucuk.<%= domain %> +<%- end -%> # User configurable parameters <% if all_tags.include?('postfix::simple_relay') %> -inet_interfaces = localhost +inet_interfaces = localhost, 127.0.0.1 <% else %> inet_interfaces = all <% end %> inet_protocols = all -mynetworks_style = host +<% if @hostname == 'neru' then %> +# We do not have a reverse on ipv6 :( +smtp_address_preference = ipv4 +<%- end -%> + +# FIXME Do not hardcode this +mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115] myhostname = <%= fqdn %> mydomain = <%= domain %> -myorigin = $mydomain <%- if all_tags.include?('postfix::server::secondary') -%> relay_domains = <%= domain %>, ml.<%= domain %>, @@ -38,7 +49,7 @@ relay_domains = <%= domain %>, <%- end -%> mydestination = <%= fqdn %> -<%- if classes.include?('sympa::server') -%> +<%- if all_tags.include?('postfix::server::primary') -%> ml.<%= domain %> <%- end -%> 
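Review bot: `mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115]` lists loopback as `127.0.0.0/16`; the loopback block is `127.0.0.0/8`, so this is either a typo or should be the single `127.0.0.1/32`, and since `permit_mynetworks` is now first in `smtpd_recipient_restrictions` (later hunk) this list is the relay trust boundary. The `# FIXME Do not hardcode this` already flags it; a Puppet variable would also let the opendkim trusted list in primary.pp draw from the same source. `inet_interfaces = localhost, 127.0.0.1` is redundant (`localhost` already covers it), and removing `myorigin = $mydomain` changes the domain appended to unqualified local senders, which is presumably intended but deserves a comment.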
@@ -71,8 +82,25 @@ virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.conf <%- if classes.include?('sympa::server') -%> regexp:/etc/postfix/sympa_aliases <%- end -%> +<% else %> +<%- if classes.include?('sympa::server') -%> +virtual_alias_maps = regexp:/etc/postfix/sympa_aliases +<%- end -%> <%- end -%> +<%- if all_tags.include?('postfix::server::primary') -%> +# Adding DKIM Miler for primaryserver (sucuk) +smtpd_milters = inet:127.0.0.1:8891 +non_smtpd_milters = $smtpd_milters +milter_default_action = accept +milter_protocol = 2 + +# Adding Sender Rewriting Scheme +sender_canonical_maps = socketmap:inet:localhost:10003:forward +sender_canonical_classes = envelope_sender +recipient_canonical_maps = socketmap:inet:localhost:10003:reverse +recipient_canonical_classes= envelope_recipient,header_recipient +<%- end -%> <%- if all_tags.include?('postfix::server') -%> transport_maps = regexp:/etc/postfix/transport_regexp @@ -89,12 +117,15 @@ smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= lsbdistid %>) unknown_local_recipient_reject_code = 450 smtp-filter_destination_concurrency_limit = 2 lmtp-filter_destination_concurrency_limit = 2 -# disabled for the time being, as the certificate do not exist -# FIXME create the cert in puppet -smtpd_use_tls = no -#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem -#smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem -#smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt +# enable opportunistic TLS when receiving +smtpd_use_tls = yes +smtpd_tls_received_header = yes +smtpd_tls_cert_file = /etc/ssl/postfix/postfix.crt +smtpd_tls_key_file = /etc/ssl/postfix/postfix.key +smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt +# enable opportunistic TLS when sending +smtp_tls_security_level = may +smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt <%- if all_tags.include?('postfix::server') -%> smtpd_etrn_restrictions = reject 
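Review bot: `milter_default_action = accept` makes the DKIM milter fail open: if opendkim on `inet:127.0.0.1:8891` is down, outbound mail leaves unsigned and inbound mail skips verification without any error. For the signing host `milter_default_action = tempfail` fails closed and lets the queue retry once the milter is back; if fail-open is the deliberate trade-off, say so in the comment, e.g. `# fail open: prefer delivery over signing when opendkim is unavailable`. The SRS `socketmap:inet:localhost:10003` lines do not say which daemon listens there; a comment naming it would help whoever debugs it.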
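Review bot: The TLS block in the last hunk still uses the legacy `smtpd_use_tls = yes`, while the same commit sets `compatibility_level = 2` and uses the modern `smtp_tls_security_level = may` on the client side; the server-side equivalent is `smtpd_tls_security_level = may`, which should replace `smtpd_use_tls = yes` so both directions are configured the same way. The certificate at `/etc/ssl/postfix/postfix.crt` is the self-signed one generated in the postfix::init hunk, so peers cannot authenticate this server with it; `# enable opportunistic TLS when receiving` is accurate, and adding `# self-signed cert: gives encryption only, peers cannot verify it` sets expectations for anyone later tightening the policy.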
@@ -105,13 +136,18 @@ smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining reject_multi_recipient_bounce -smtpd_recipient_restrictions = reject_non_fqdn_recipient - reject_non_fqdn_sender +smtpd_recipient_restrictions = permit_mynetworks # not done yet, not sure if we need to offer this kind of service # permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination reject_non_fqdn_helo_hostname + reject_non_fqdn_recipient + reject_non_fqdn_sender + check_sender_access hash:/etc/postfix/access + reject_rhsbl_helo sbl.spamhaus.org + reject_rhsbl_reverse_client sbl.spamhaus.org + reject_rhsbl_sender sbl.spamhaus.org + reject_rbl_client sbl.spamhaus.org + reject_unauth_destination reject_unknown_sender_domain reject_unknown_client <%- if classes.include?('postgrey') -%> @@ -119,3 +155,5 @@ smtpd_recipient_restrictions = reject_non_fqdn_recipient <%- end -%> <%- end -%> +# Needed for buggy clients +always_add_missing_headers = yes diff --git a/modules/postfix/templates/primary_master.cf b/modules/postfix/templates/primary_master.cf index 8037d037..e05d33dc 100644 --- a/modules/postfix/templates/primary_master.cf +++ b/modules/postfix/templates/primary_master.cf @@ -174,4 +174,3 @@ smtp-filter unix - - y - - smtp -o max_use=20 # ##### END OF CONTENT FILTER CUSTOMIZATIONS ##### - diff --git a/modules/postfix/templates/simple_relay_main.cf b/modules/postfix/templates/simple_relay_main.cf index a6cf2113..e0c116a7 100644 --- a/modules/postfix/templates/simple_relay_main.cf +++ b/modules/postfix/templates/simple_relay_main.cf @@ -11,7 +11,7 @@ sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop command_directory = /usr/sbin manpage_directory = /usr/share/man -daemon_directory = <%= lib_dir %>/postfix/ +daemon_directory = /usr/libexec/postfix/ data_directory = /var/lib/postfix newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq 
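Review bot: `reject_rhsbl_helo sbl.spamhaus.org`, `reject_rhsbl_reverse_client sbl.spamhaus.org` and `reject_rhsbl_sender sbl.spamhaus.org` look up a domain name in the SBL, which is an IP-address list; Spamhaus publishes domain listings under `dbl.spamhaus.org`, so these three checks presumably never match and only add DNS latency, while `reject_rbl_client sbl.spamhaus.org` (or `zen.spamhaus.org` for the combined list) is the correct client-IP check. `reject_unauth_destination` now sits after the four DNSBL lookups, so relay attempts are queried against the DNSBLs before being refused; placing it directly after `permit_mynetworks` avoids those lookups and is the ordering the Postfix documentation recommends. `check_sender_access hash:/etc/postfix/access` references a table that no hunk in this diff creates; confirm it is managed elsewhere, since a missing table makes smtpd answer with a temporary error.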
@@ -22,11 +22,10 @@ mail_owner = postfix myhostname = <%= fqdn %> mydomain = <%= domain %> -inet_interfaces = localhost inet_protocols = all mynetworks_style = host #delay_warning_time = 4h -smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux) +smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mageia Linux) unknown_local_recipient_reject_code = 450 smtp-filter_destination_concurrency_limit = 2 lmtp-filter_destination_concurrency_limit = 2 @@ -34,3 +33,19 @@ smtpd_use_tls = yes smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt + +<%- if classes.include?('sympa::server') -%> +local_recipient_maps = +fallback_transport_maps = regexp:/etc/postfix/transport_regexp +transport_maps = regexp:/etc/postfix/transport_regexp +mydestination = ml.<%= domain %> +sympa_destination_recipient_limit = 1 +sympabounce_destination_recipient_limit = 1 +virtual_alias_maps = regexp:/etc/postfix/sympa_aliases +# needed by sympa to handle bounce, according to the doc +recipient_delimiter = + +# This is ugly for a simple relay but we need ml.mageia.org to accept email :( +inet_interfaces = all +<%- else -%> +inet_interfaces = localhost +<%- end -%> diff --git a/modules/postfix/templates/sympa_aliases b/modules/postfix/templates/sympa_aliases index e5f74c0b..436e7a28 100644 --- a/modules/postfix/templates/sympa_aliases +++ b/modules/postfix/templates/sympa_aliases @@ -1,5 +1,5 @@ # everything is handled with transports in postfix, -# but according to http://www.sympa.org/faq/postfix, we also need this one +# but according to https://www.sympa.org/faq/postfix, we also need this one <% escaped_domain = ( 'ml.' + domain ).sub('.','\.') %> /^(.*)-owner\@<%= escaped_domain %>$/ $1+owner@ml.<%= domain %> # redirect the mail from the ml domain to sysadmin 
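Review bot: In the sympa branch of the last hunk the relay switches to `inet_interfaces = all` while the hunk above keeps `mynetworks_style = host`, and this template shows no `smtpd_recipient_restrictions` or `smtpd_relay_restrictions`, so it should be confirmed that relay control for the now-public listener exists further down the file; if it does not, `smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination` belongs in this branch. The context lines also point `smtpd_tls_cert_file`/`smtpd_tls_key_file` at `/etc/pki/tls/certs/postfix.pem` and `/etc/pki/tls/private/postfix.pem`, whereas the postfix::init hunk now generates `/etc/ssl/postfix/postfix.crt` and `.key` for every postfix host (simple_relay inherits postfix); unless the pki paths are provisioned elsewhere, `smtpd_use_tls = yes` here refers to files that do not exist. The `# This is ugly for a simple relay ...` comment explaining the why is good to keep.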
diff --git a/modules/postfix/templates/transport_regexp b/modules/postfix/templates/transport_regexp index ceb8e2fb..3eb5494f 100644 --- a/modules/postfix/templates/transport_regexp +++ b/modules/postfix/templates/transport_regexp @@ -3,15 +3,8 @@ ml_domain = 'ml\.' + domain.gsub('.','\.') %> <%- if classes.include?('sympa::server') -%> /^.*+owner\@<%= ml_domain %>$/ sympabounce: +/^bounce+.*\@<%= ml_domain %>$/ sympabounce: /^.*\@<%= ml_domain %>$/ sympa: +<%- else -%> +/^.*\@<%= ml_domain %>$/ smtp:sucuk.mageia.org <%- end -%> - -# temporary work around for bugzilla being unable to send mail to webteam -# -# the current setup ( 13/02/2011 ) is that most active mls are on zarb.org, -# using @mageia domain. But we want to start hosting aliases on the current -# ml server ( and main smtp, ie alamut ). So we need to dispatch old mls -# to zarb, and the rest on alamut. Old mls are all prefixed by mageia-*@mageia -# this hack should be removed once all mls are migrated from zarb.org -# -/^mageia-.*\@<%= domain %>$/ smtp:ryu.zarb.org diff --git a/modules/postfix/templates/virtual_aliases b/modules/postfix/templates/virtual_aliases index 0890dd06..861e79c6 100644 --- a/modules/postfix/templates/virtual_aliases +++ b/modules/postfix/templates/virtual_aliases 
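Review bot: `/^bounce+.*\@<%= ml_domain %>$/ sympabounce:` is meant to match `bounce+...@ml.<domain>` addresses, but in a regexp table `+` is a quantifier, so the pattern means "bounc" followed by one or more "e" and the recipient delimiter is never matched literally; the existing `/^.*+owner\@...` line above it presumably has the same flaw. Escape it: `/^bounce\+.*\@<%= ml_domain %>$/ sympabounce:`. The new else branch hard-codes `smtp:sucuk.mageia.org` while the same template derives `ml_domain` from `domain`; `smtp:sucuk.<%= domain %>` keeps it portable and matches `relayhost = sucuk.<%= domain %>` in main.cf.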
@@ -1,16 +1,22 @@ # do not forget to add $domain or it will not work # do not hardcode the domain, or it will be harvested by bot -treasurer@<%= domain %> rda@<%= domain %> +treasurer@<%= domain %> treasurer@group.<%= domain %> president@<%= domain %> ennael@<%= domain %> secretary@<%= domain %> obgr_seneca@<%= domain %> +contact@<%= domain %> council@group.<%= domain %> +press@<%= domain %> council@group.<%= domain %> + # later switch to a team alias root@<%= domain %> sysadmin@group.<%= domain %> -security@<%= domain %> security_officers@group.<%= domain %> +security@<%= domain %> security@group.<%= domain %> + +# Temporary(?) alias until there is a real board-commits@ list +board-commits@ml.<%= domain %> board-public@ml.<%= domain %> -# TODO see http://www.ietf.org/rfc/rfc2142.txt +# TODO see https://www.ietf.org/rfc/rfc2142.txt <% ['postmaster','hostmaster','abuse','noc','listmaster','MAILER-DAEMON'].each { |a| %> diff --git a/modules/postgresql/manifests/database.pp b/modules/postgresql/manifests/database.pp index 82670b5e..34cee2a6 100644 --- a/modules/postgresql/manifests/database.pp +++ b/modules/postgresql/manifests/database.pp @@ -3,15 +3,16 @@ define postgresql::database($description = '', $user = 'postgres', $callback_notify = '') { - exec { "createdb -O $user -U postgres $name '$description'": + exec { "createdb -O ${user} -U postgres ${name} '${description}' ": user => 'root', - unless => "psql -A -t -U postgres -l | grep '^$name|'", + unless => "psql -A -t -U postgres -l | grep '^${name}|'", require => Service['postgresql'], } # this is fetched by the manifest asking the database creation, # once the db have been created # FIXME proper ordering ? + # FIXME In puppet >3.0 word 'tag' is reserved, so it has to be renamed @@postgresql::database_callback { $name: tag => $name, callback_notify => $callback_notify, 
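Review bot: The rewritten exec title `"createdb -O ${user} -U postgres ${name} '${description}' "` gains a trailing space before the closing quote; since the title doubles as the command it is harmless to the shell, but it changes the resource title, so any `Exec[...]` reference built from the old title breaks, and it reads as accidental. Drop it: `exec { "createdb -O ${user} -U postgres ${name} '${description}'":`. `${description}` is spliced inside single quotes in a shell command, so a description containing `'` breaks or alters the command; a note on the parameter, `# $description is passed through the shell and must not contain single quotes`, documents the constraint until the exec gets a properly quoted `command`. The define's parameter list starts above the hunk.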
diff --git a/modules/postgresql/manifests/database_callback.pp b/modules/postgresql/manifests/database_callback.pp index 8d4b217c..0ab1771f 100644 --- a/modules/postgresql/manifests/database_callback.pp +++ b/modules/postgresql/manifests/database_callback.pp @@ -1,7 +1,7 @@ define postgresql::database_callback($callback_notify = '') { # dummy declaration, so we can trigger the notify if $callback_notify { - exec { "callback $name": + exec { "callback ${name}": command => '/bin/true', notify => $callback_notify, } diff --git a/modules/postgresql/manifests/hba_entry.pp b/modules/postgresql/manifests/hba_entry.pp new file mode 100644 index 00000000..30fccda0 --- /dev/null +++ b/modules/postgresql/manifests/hba_entry.pp @@ -0,0 +1,40 @@ +# == Define: postgresql::hba_entry +# +# Set a new entry to pg_hba.conf file +# +# === Parameters +# +# See pgsql doc for more details about pg_hba.conf parameters : +# https://www.postgresql.org/docs/9.1/static/auth-pg-hba-conf.html +# +# [*namevar*] +# namevar is not used. +# +# [*type*] +# can be local, host, hostssl, hostnossl +# +# [*database*] +# database name +# +# [*user*] +# user name +# +# [*address*] +# host name or IP address range +# +# [*method*] +# authentication method to use +# +define postgresql::hba_entry( + $type, + $database, + $user, + $address, + $method +) { + include postgresql::var + Postgresql::Pg_hba <| title == $postgresql::var::hba_file |> { + conf_lines +> "${type} ${database} ${user} ${address} ${method}", + } +} +# vim: sw=2 diff --git a/modules/postgresql/manifests/pg_hba.pp b/modules/postgresql/manifests/pg_hba.pp new file mode 100644 index 00000000..777eee47 --- /dev/null +++ b/modules/postgresql/manifests/pg_hba.pp 
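Review bot: The new `postgresql::hba_entry` always emits five columns, `"${type} ${database} ${user} ${address} ${method}"`, but its header documents `type` as `local, host, hostssl, hostnossl`, and pg_hba.conf `local` lines take no address column, so a `local` entry produces a line PostgreSQL cannot parse as intended. Build the line by type, e.g. `$line = $type ? { 'local' => "${type} ${database} ${user} ${method}", default => "${type} ${database} ${user} ${address} ${method}" }` and append `$line`, or drop `local` from the documented values. Nothing validates `$type` against the four values either, and the header says the namevar is unused while the resource is still keyed on it; a comment that titles merely need to be unique would clarify that.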
@@ -0,0 +1,13 @@ +define postgresql::pg_hba( + $conf_lines = [] +) { + $db = list_exported_ressources('Postgresql::Db_and_user') + + $forum_lang = list_exported_ressources('Phpbb::Locale_db') + +# (tmb) disable rewriting config as we are moving to mariadb +# postgresql::config { $name: +# content => template('postgresql/pg_hba.conf'), +# } +} +# vim: sw=2 diff --git a/modules/postgresql/manifests/remote_database.pp b/modules/postgresql/manifests/remote_database.pp index 19beb712..15b54651 100644 --- a/modules/postgresql/manifests/remote_database.pp +++ b/modules/postgresql/manifests/remote_database.pp @@ -1,3 +1,4 @@ +# FIXME: In puppet >3.0 word 'tag' is reserved, so it has to be renamed define postgresql::remote_database($description = '', $user = 'postgresql', $callback_notify = '', diff --git a/modules/postgresql/manifests/remote_db_and_user.pp b/modules/postgresql/manifests/remote_db_and_user.pp index bb331304..07e3ea23 100644 --- a/modules/postgresql/manifests/remote_db_and_user.pp +++ b/modules/postgresql/manifests/remote_db_and_user.pp @@ -1,3 +1,4 @@ +# FIXME: In puppet >3.0 word 'tag' is reserved, so it have to be renamed define postgresql::remote_db_and_user($password, $description = '', $tag = 'default', @@ -10,7 +11,7 @@ define postgresql::remote_db_and_user($password, password => $password, } - # fetch the exported ressources that should have been exported + # fetch the exported resources that should have been exported # once the db was created, and trigger a notify to the object # passed as callback_notify Postgresql::Database_callback <<| tag == $name |>> diff --git a/modules/postgresql/manifests/remote_user.pp b/modules/postgresql/manifests/remote_user.pp index ed2bf033..fb53df4c 100644 --- a/modules/postgresql/manifests/remote_user.pp +++ b/modules/postgresql/manifests/remote_user.pp 
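Review bot: With the `postgresql::config` body commented out under `# (tmb) disable rewriting config as we are moving to mariadb`, `postgresql::pg_hba` collects `conf_lines` from `postgresql::hba_entry` but writes nothing, and the server.pp hunk later in this diff also drops `pg_hba.conf` from `postgresql::config`, so after this commit the HBA file is unmanaged and the `allow_local_ipv4` entry declared there has no effect; each host keeps whatever pg_hba.conf it currently has. That deserves an explicit comment at the top of the define, e.g. `# NOTE: pg_hba.conf is currently unmanaged; hba_entry resources are collected but never written`, so nobody assumes an access rule is in force because it is in the manifest. The unused `$db` and `$forum_lang` lookups should either go or be noted as kept for the disabled template.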
@@ -1,3 +1,4 @@ +# FIXME: In puppet >3.0 word 'tag' is reserved, so it have to be renamed define postgresql::remote_user( $password, $tag = 'default') { @@postgresql::user { $name: diff --git a/modules/postgresql/manifests/server.pp b/modules/postgresql/manifests/server.pp index 84be87ad..8b92bb2b 100644 --- a/modules/postgresql/manifests/server.pp +++ b/modules/postgresql/manifests/server.pp @@ -1,15 +1,14 @@ class postgresql::server { - $pgsql_data = '/var/lib/pgsql/data/' - $pg_version = '9.0' + include postgresql::var # missing requires is corrected in cooker, # should be removed # once the fix is in a stable release - package { "postgresql${pg_version}-plpgsql": + package { "postgresql${postgresql::var::pg_version}-plpgsql": alias => 'postgresql-plpgsql', } - package { "postgresql${pg_version}-server": + package { "postgresql${postgresql::var::pg_version}-server": alias => 'postgresql-server', require => Package['postgresql-plpgsql'], } @@ -22,9 +21,9 @@ class postgresql::server { refreshonly => true, } - openssl::self_signed_splitted_cert { "pgsql.$::domain": + openssl::self_signed_splitted_cert { "pgsql.${::domain}": filename => 'server', - directory => $pgsql_data, + directory => $postgresql::var::pgsql_data, owner => 'postgres', group => 'postgres', require => Package['postgresql-server'] 
@@ -35,16 +34,20 @@ class postgresql::server { content => template('postgresql/pam'), } - $db = list_exported_ressources('Postgresql::Db_and_user') + @postgresql::pg_hba { $postgresql::var::hba_file: } - $forum_lang = list_exported_ressources('Phpbb::Locale_db') + postgresql::hba_entry { 'allow_local_ipv4': + type => 'host', + database => 'all', + user => 'all', + address => '127.0.0.1/32', + method => 'md5', + } postgresql::config { - "$pgsql_data/pg_hba.conf": - content => template('postgresql/pg_hba.conf'); - "$pgsql_data/pg_ident.conf": + "${postgresql::var::pgsql_data}/pg_ident.conf": content => template('postgresql/pg_ident.conf'); - "$pgsql_data/postgresql.conf": + "${postgresql::var::pgsql_data}/postgresql.conf": content => template('postgresql/postgresql.conf'); } } diff --git a/modules/postgresql/manifests/tagged.pp b/modules/postgresql/manifests/tagged.pp index 56cdc033..6a49e3ff 100644 --- a/modules/postgresql/manifests/tagged.pp +++ b/modules/postgresql/manifests/tagged.pp @@ -1,3 +1,4 @@ +# FIXME: In puppet >3.0 word 'tag' is reserved, so it have to be renamed define postgresql::tagged() { # TODO add a system of tag so we can declare database on more than one # server diff --git a/modules/postgresql/manifests/user.pp b/modules/postgresql/manifests/user.pp index b70dd122..5b73b243 100644 --- a/modules/postgresql/manifests/user.pp +++ b/modules/postgresql/manifests/user.pp 
@@ -1,13 +1,13 @@ # TODO convert to a regular type, so we can later change password # without erasing the current user define postgresql::user($password) { - $sql = "CREATE ROLE $name ENCRYPTED PASSWORD '\$pass' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;" + $sql = "CREATE ROLE ${name} ENCRYPTED PASSWORD '\${pass}' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;" - exec { "psql -U postgres -c \"$sql\" ": + exec { "psql -U postgres -c \"${sql}\" ": user => 'root', # do not leak the password on commandline - environment => "pass=$password", - unless => "psql -A -t -U postgres -c '\\du $name' | grep '$name'", + environment => "pass=${password}", + unless => "psql -A -t -U postgres -c '\\du ${name}' | grep '${name}'", require => Service['postgresql'], } } diff --git a/modules/postgresql/manifests/var.pp b/modules/postgresql/manifests/var.pp new file mode 100644 index 00000000..b31c7ffe --- /dev/null +++ b/modules/postgresql/manifests/var.pp @@ -0,0 +1,7 @@ +class postgresql::var { + + $pgsql_data = '/var/lib/pgsql/data/' + $pg_version = '9.6' + $hba_file = "${pgsql_data}/pg_hba.conf" +} +# vim: sw=2 diff --git a/modules/postgresql/templates/pg_hba.conf b/modules/postgresql/templates/pg_hba.conf index 91012a30..e4232a4e 100644 --- a/modules/postgresql/templates/pg_hba.conf +++ b/modules/postgresql/templates/pg_hba.conf @@ -75,8 +75,14 @@ # TYPE DATABASE USER CIDR-ADDRESS METHOD -# This file is in mageia svn: -# $Id$ + +<%- + for line in @conf_lines +-%> +<%= line %> +<%- + end +-%> # Nanar: # This bypass global config for specific user/base 
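Review bot: The password still ends up in the `psql` process's argument list: `'\${pass}'` is a literal `${pass}` in the Puppet string and only receives a value because the exec command is expanded by a shell, which substitutes the environment variable before `psql` is started, so `# do not leak the password on commandline` holds for Puppet's own command string and logs but not for what `ps` shows while `psql` runs. A password containing `'` or `\` also breaks out of the SQL literal. Feeding the statement on stdin (a here-document in the shell command) keeps it out of argv; at minimum the comment should say `# keeps the password out of Puppet's command string; the shell still expands it into psql's argv`. The `unless` grep is pre-existing and unchanged here.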
@@ -114,11 +120,11 @@ host template1 bugs ::1/128 md5 hostssl template1 bugs 212.85.158.146/32 md5 hostssl template1 bugs 2a02:2178:2:7::2/128 md5 -# Allow youri-ckeck on rabbit to access the results db +# Allow youri-check on rabbit to access the results db hostssl youri_check youri 88.190.12.224/32 md5 # Allow local access too -hostssl youri_check youri 212.85.158.146/32 md5 -hostssl youri_check youri 2a02:2178:2:7::2/128 md5 +hostssl youri_check youri 212.85.158.151/32 md5 +hostssl youri_check youri 2a02:2178:2:7::7/128 md5 # "local" is for Unix domain socket connections only local all all ident map=local diff --git a/modules/postgresql/templates/postgresql.conf b/modules/postgresql/templates/postgresql.conf index 813c0910..c1e7c994 100644 --- a/modules/postgresql/templates/postgresql.conf +++ b/modules/postgresql/templates/postgresql.conf @@ -113,7 +113,7 @@ ssl = on # - Memory - -shared_buffers = 24MB # min 128kB +shared_buffers = 2048MB # min 128kB # (change requires restart) #temp_buffers = 8MB # min 800kB #max_prepared_transactions = 0 # zero disables the feature @@ -122,8 +122,8 @@ shared_buffers = 24MB # min 128kB # per transaction slot, plus lock space (see max_locks_per_transaction). # It is not advisable to set max_prepared_transactions nonzero unless you # actively intend to use prepared transactions. -#work_mem = 1MB # min 64kB -#maintenance_work_mem = 16MB # min 1MB +work_mem = 64MB # min 64kB +maintenance_work_mem = 512MB # min 1MB #max_stack_depth = 2MB # min 100kB # - Kernel Resource Usage - @@ -144,7 +144,7 @@ shared_buffers = 24MB # min 128kB #bgwriter_delay = 200ms # 10-10000ms between rounds #bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round -#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round # - Asynchronous Behavior - 
@@ -235,7 +235,7 @@ shared_buffers = 24MB # min 128kB #cpu_tuple_cost = 0.01 # same scale as above #cpu_index_tuple_cost = 0.005 # same scale as above #cpu_operator_cost = 0.0025 # same scale as above -#effective_cache_size = 128MB +effective_cache_size = 4096MB # - Genetic Query Optimizer - @@ -467,7 +467,7 @@ shared_buffers = 24MB # min 128kB datestyle = 'iso, mdy' #intervalstyle = 'postgres' -#timezone = unknown # actually, defaults to TZ environment +timezone = 'Europe/Paris' # actually, defaults to TZ environment # setting #timezone_abbreviations = 'Default' # Select the set of available time zone # abbreviations. Currently, there are diff --git a/modules/postgrey/templates/postgrey.sysconfig b/modules/postgrey/templates/postgrey.sysconfig index ec4e6947..f08b8f6f 100644 --- a/modules/postgrey/templates/postgrey.sysconfig +++ b/modules/postgrey/templates/postgrey.sysconfig @@ -1,12 +1,10 @@ # change default configuration option here -# SOCKET=$(postconf -h queue_directory)/extern/postgrey/socket -# OPTIONS="--unix=$SOCKET" -# DBPATH=/var/lib/postgrey -# OPTIONS="$OPTIONS --dbdir=$DBPATH" +# default: unix socket +SOCKET="--unix=/var/spool/postfix/extern/postgrey/socket" -# to use an inet connection instead of a socket -#OPTIONS="--inet=127.0.0.1:10031" +# to use an inet socket instead +#SOCKET="--inet=127.0.0.1:10031" # enable whitelisting OPTIONS="$OPTIONS --auto-whitelist-clients" diff --git a/modules/postgrey/templates/whitelist_clients.local b/modules/postgrey/templates/whitelist_clients.local index 7510506d..8c87b88c 100644 --- a/modules/postgrey/templates/whitelist_clients.local +++ b/modules/postgrey/templates/whitelist_clients.local @@ -1,7 +1,2 @@ -# zarb -ryu.zarb.org -cthulhu.zarb.org # mageia -*.<%= domain %> -# for damsweb mail server -/mail-out\.ovh\.net$/ +<%= domain %> diff --git a/modules/puppet/manifests/client.pp b/modules/puppet/manifests/client.pp index 38857810..1168373b 100644 --- a/modules/puppet/manifests/client.pp 
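Review bot: In postgrey.sysconfig, `SOCKET="--unix=..."` is defined but never folded into `OPTIONS` within this file — the removed lines did `OPTIONS="--unix=$SOCKET"`, and the surviving line only appends `--auto-whitelist-clients` — so unless the init script or service unit reads `$SOCKET` on its own (not visible here) postgrey starts without any listener option. If the unit does consume it, a one-line comment such as `# SOCKET is passed separately by the service unit` saves the next reader the same question.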
+++ b/modules/puppet/manifests/client.pp @@ -2,7 +2,7 @@ class puppet::client inherits puppet { cron { 'puppet': ensure => present, - command => '/usr/sbin/puppetd -o --no-daemonize -l syslog >/dev/null 2>&1', + command => 'puppet agent --onetime --no-daemonize -l syslog >/dev/null 2>&1', user => 'root', minute => fqdn_rand( 60 ), } diff --git a/modules/puppet/manifests/hiera.pp b/modules/puppet/manifests/hiera.pp index 8b692316..02900cd7 100644 --- a/modules/puppet/manifests/hiera.pp +++ b/modules/puppet/manifests/hiera.pp @@ -1,12 +1,5 @@ class puppet::hiera { - package { ['ruby-hiera','ruby-hiera-puppet']: } - - # ugly, remove once hiera is either fixed or integrated to puppet - file { '/etc/puppet/external/hiera': - ensure => link, - target => '/usr/lib/ruby/gems/1.8/gems/hiera-puppet-0.3.0/', - require => Package['ruby-hiera-puppet'], - } + package { ['ruby-hiera']: } # ease the use fo the command line tool # who use a different location for the config file diff --git a/modules/puppet/manifests/master.pp b/modules/puppet/manifests/master.pp index 1d2420a5..55529466 100644 --- a/modules/puppet/manifests/master.pp +++ b/modules/puppet/manifests/master.pp @@ -6,7 +6,8 @@ class puppet::master inherits puppet { # do not enable until bug 4591 is solved # include puppet::thin - package { ["ruby-$puppet::stored_config::database", 'ruby-rails']: } + # rails and sqlite3 are used for stored config + package { ["ruby-${puppet::stored_config::database}"]: } File['/etc/puppet/puppet.conf'] { content => template('puppet/puppet.conf', @@ -15,13 +16,12 @@ class puppet::master inherits puppet { } - # rails and sqlite3 are used for stored config package { 'puppet-server': } service { 'puppetmaster': # uncomment once thin is enabled -# ensure => stopped, - subscribe => [Package['puppet-server'], +# ensure => stopped, + subscribe => [Package['puppet-server'], File['/etc/puppet/puppet.conf']], } 
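Review bot: In master.pp the comment `# rails and sqlite3 are used for stored config` now sits above a package list from which `ruby-rails` was just removed, so it no longer describes the line below; either the package should come back or the comment should say where rails now comes from, e.g. `# database adapter for stored config; rails is pulled in by puppet-server` (hedged — the puppet-server dependencies are not in this diff). Separately, client.pp's cron now runs bare `puppet agent` where the old entry used an absolute path; cron's default PATH is minimal, so `/usr/bin/puppet agent --onetime ...` is the safer form.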
diff --git a/modules/puppet/manifests/queue.pp b/modules/puppet/manifests/queue.pp index d68fd63c..770fc6df 100644 --- a/modules/puppet/manifests/queue.pp +++ b/modules/puppet/manifests/queue.pp @@ -5,7 +5,7 @@ class puppet::queue { service { 'puppetqd': provider => base, - start => '/usr/sbin/puppetqd', + start => 'puppet queue', require => [Package['puppet-server'], Package['ruby-stomp'], File['/etc/puppet/puppet.conf']], diff --git a/modules/puppet/manifests/stored_config.pp b/modules/puppet/manifests/stored_config.pp index 9b19702b..51820d83 100644 --- a/modules/puppet/manifests/stored_config.pp +++ b/modules/puppet/manifests/stored_config.pp @@ -9,7 +9,7 @@ class puppet::stored_config { # # if ($::environment == 'production') { # # FIXME not really elegant, but we do not have much choice -# # this make servers not bootstrapable for now +# # this make servers not bootstrappable for now # $pgsql_password = extlookup('puppet_pgsql','x') # # postgresql::remote_db_and_user { 'bugs': diff --git a/modules/puppet/manifests/thin.pp b/modules/puppet/manifests/thin.pp index 0c6259e4..1ca03a7e 100644 --- a/modules/puppet/manifests/thin.pp +++ b/modules/puppet/manifests/thin.pp @@ -1,6 +1,7 @@ class puppet::thin { package { 'ruby-thin': } + include apache::base include apache::mod::ssl include apache::mod::proxy @@ -8,7 +9,7 @@ class puppet::thin { vhost_file => 'puppet/apache_proxy_vhost.conf', } - apache::config { '/etc/httpd/conf.d/puppet.conf': + apache::config { "${apache::base::conf_d}/puppet.conf": content => 'Listen 8140', } diff --git a/modules/puppet/templates/apache_proxy_vhost.conf b/modules/puppet/templates/apache_proxy_vhost.conf index d1e797e2..89157fc2 100644 --- a/modules/puppet/templates/apache_proxy_vhost.conf +++ b/modules/puppet/templates/apache_proxy_vhost.conf 
@@ -1,7 +1,7 @@ ProxyRequests Off <Proxy balancer://puppet> -# TODO dynamically ajust that with a variable +# TODO dynamically adjust that with a variable BalancerMember http://127.0.0.1:18140 BalancerMember http://127.0.0.1:18141 BalancerMember http://127.0.0.1:18142 @@ -40,4 +40,3 @@ ProxyRequests Off ProxyPreserveHost on </VirtualHost> - diff --git a/modules/puppet/templates/hiera.yaml b/modules/puppet/templates/hiera.yaml index 84e75607..fcef4278 100644 --- a/modules/puppet/templates/hiera.yaml +++ b/modules/puppet/templates/hiera.yaml @@ -1,10 +1,9 @@ --- -:backends: - yaml - -:logger: console - -:hierarchy: - %{env} - - common +:backends: + - yaml :yaml: - :datadir: /etc/puppet/hieradata - + :datadir: /etc/puppet/hieradata +:logger: console +:hierarchy: + - "%{::environment}" + - common diff --git a/modules/puppet/templates/puppet.agent.conf b/modules/puppet/templates/puppet.agent.conf index b08a903b..44dfedb7 100644 --- a/modules/puppet/templates/puppet.agent.conf +++ b/modules/puppet/templates/puppet.agent.conf @@ -15,7 +15,7 @@ environment = <%= environment %> <% end %> # The file in which puppetd stores a list of the classes - # associated with the retrieved configuratiion. Can be loaded in + # associated with the retrieved configuration. Can be loaded in # the separate ``puppet`` executable using the ``--loadclasses`` # option. # The default value is '$confdir/classes.txt'. diff --git a/modules/puppet/templates/puppet.conf b/modules/puppet/templates/puppet.conf index fdda64ab..28e8c363 100644 --- a/modules/puppet/templates/puppet.conf +++ b/modules/puppet/templates/puppet.conf @@ -1,5 +1,8 @@ <% db_config = scope.lookupvar('puppet::stored_config::db_config') %> [main] + # listen on both ipv4 and ipv6 + bindaddress = * + # The Puppet log directory. # The default value is '$vardir/log'. logdir = /var/log/puppet 
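Review bot: In puppet.conf, `bindaddress = *` is placed under `[main]`, so it applies to every Puppet process that opens a listening socket — not only the master but also agents if `listen` is ever enabled — while the comment only mentions IPv4/IPv6. If the intent is the master's listener, moving the setting to a `[master]` section keeps agents from binding to all interfaces. The `[main]` section continues past the end of this hunk.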
@@ -11,10 +14,8 @@ # Where SSL certificates are kept. # The default value is '$confdir/ssl'. ssldir = $vardir/ssl - + modulepath = $confdir/modules:$confdir/deployment:$confdir/external:/usr/share/puppet/modules queue_type = stomp queue_source = stomp://localhost:61613 <%= db_config %> - - diff --git a/modules/restrictshell/manifests/allow.pp b/modules/restrictshell/manifests/allow.pp index 361ee4a7..cb1fd9a2 100644 --- a/modules/restrictshell/manifests/allow.pp +++ b/modules/restrictshell/manifests/allow.pp @@ -1,7 +1,7 @@ define restrictshell::allow { include shell - file { "/etc/membersh-conf.d/allow_$name.pl": + file { "/etc/membersh-conf.d/allow_${name}.pl": mode => '0755', - content => "\$use_$name = 1;\n", + content => "\$use_${name} = 1;\n", } } diff --git a/modules/restrictshell/manifests/shell.pp b/modules/restrictshell/manifests/shell.pp index 77044ed4..3ef2a036 100644 --- a/modules/restrictshell/manifests/shell.pp +++ b/modules/restrictshell/manifests/shell.pp @@ -3,7 +3,7 @@ class restrictshell::shell { ensure => directory, } - mga-common::local_script { 'sv_membersh.pl': + mga_common::local_script { 'sv_membersh.pl': content => template('restrictshell/sv_membersh.pl'), } diff --git a/modules/restrictshell/templates/membersh-conf.pl b/modules/restrictshell/templates/membersh-conf.pl index ea7d2957..9e0c8bf5 100755 --- a/modules/restrictshell/templates/membersh-conf.pl +++ b/modules/restrictshell/templates/membersh-conf.pl 
@@ -5,13 +5,13 @@ $regexp_svn = "^svnserve -t\$"; #@prepend_args_svn = ( '-r', '/svn' ); @prepend_args_svn = (); -$bin_git = "/usr/bin/git-shell"; +$bin_git = "/usr/share/gitolite/gitolite-shell"; $bin_rsync = "/usr/bin/rsync"; $regexp_rsync = "^rsync --server"; $regexp_dir_rsync = "^/.*"; -$bin_sftp = "<%= lib_dir %>/ssh/sftp-server"; +$bin_sftp = "<%= @lib_dir %>/ssh/sftp-server"; $regexp_sftp = "^(/usr/lib{64,}/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)"; foreach my $f (glob("/etc/membersh-conf.d/allow_*pl")) { diff --git a/modules/restrictshell/templates/sv_membersh.pl b/modules/restrictshell/templates/sv_membersh.pl index 155bc300..0b07f23a 100644 --- a/modules/restrictshell/templates/sv_membersh.pl +++ b/modules/restrictshell/templates/sv_membersh.pl @@ -147,10 +147,11 @@ if ($#ARGV == 1 and $ARGV[0] eq "-c") { push( @args, @args_user ); exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!"); - } elsif ($use_git and $ARGV[1] =~ m:^git-.+:) { + } elsif ($use_git and $ARGV[1] =~ m:^$bin_git\b:) { - # Delegate filtering to git-shell - exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!"); + # Delegate filtering to gitolite-shell + my ($gitolite_bin, @rest) = split(' ', $ARGV[1]); + exec($bin_git, @rest) or die("Failed to exec $bin_git: $!"); } elsif ($use_pkgsubmit and $ARGV[1] =~ m:$regexp_pkgsubmit:) { @@ -169,7 +170,7 @@ if ($#ARGV == 1 and $ARGV[0] eq "-c") { } unless (-e "/etc/membersh-errormsg") { - if ($ARGV) { + if (@ARGV) { print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n"; } else { print STDERR "You tried to run a interactive shell.\n" diff --git a/modules/rsnapshot/manifests/init.pp b/modules/rsnapshot/manifests/init.pp index fdfa1616..5d145172 100644 --- a/modules/rsnapshot/manifests/init.pp +++ b/modules/rsnapshot/manifests/init.pp 
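Review bot: In sv_membersh.pl, `$bin_git` is interpolated into `m:^$bin_git\b:` unquoted, so any regex metacharacter in the configured path changes what matches; `m:^\Q$bin_git\E\b:` matches the path literally. `$gitolite_bin` is captured from the `split` and never used. The remaining `@rest` — everything after the path in the command the SSH client sent — becomes gitolite-shell's arguments, the first of which gitolite treats as the user identity; the code is assuming that string was produced by an `authorized_keys` forced command rather than typed by the remote user, and a comment next to the `exec` such as `# args come from the forced command in authorized_keys; gitolite-shell trusts the first one as the user name` should record that. The enclosing `if` chain starts and ends outside the hunk.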
@@ -1,30 +1,30 @@ class rsnapshot { - class base($confdir = '/backups/conf') { - package { ['rsnapshot']: } + class base($confdir = '/data/backups/conf') { + package { ['rsnapshot']: } - file { $confdir: - ensure => directory, - owner => root, - group => root, - mode => 0700, - } + file { $confdir: + ensure => directory, + owner => root, + group => root, + mode => '0700', + } - @rsnapshot::cron_file { 'hourly': } - @rsnapshot::cron_file { 'daily': } - @rsnapshot::cron_file { 'weekly': } - @rsnapshot::cron_file { 'monthly': } + @rsnapshot::cron_file { 'hourly': } + @rsnapshot::cron_file { 'daily': } + @rsnapshot::cron_file { 'weekly': } + @rsnapshot::cron_file { 'monthly': } } define cron_file($rsnapshot_conf = []) { - $filepath = "/tmp/cron.${name}_rsnapshot-backups" - $rsnapshot_arg = $name - file { $filepath: - ensure => present, - content => template('rsnapshot/cron_file'), - owner => root, - group => root, - mode => 0755, - } + $filepath = "/tmp/cron.${name}_rsnapshot-backups" + $rsnapshot_arg = $name + file { $filepath: + ensure => present, + content => template('rsnapshot/cron_file'), + owner => root, + group => root, + mode => '0755', + } } # - 'backup' is an array of "source destination" to backup 
@@ -33,42 +33,42 @@ class rsnapshot { # backups that should be kept. If you don't want hourly, daily, # weekly or monthly backups, set ${x}_interval to '0' define backup( - $snapshot_root = '/backups', - $one_fs = '1', - $backup = [], - $backup_script = [], - $hourly_interval = '0', - $daily_interval = '6', - $weekly_interval = '4', - $monthly_interval = '3' + $snapshot_root = '/data/backups', + $one_fs = '1', + $backup = [], + $backup_script = [], + $hourly_interval = '0', + $daily_interval = '6', + $weekly_interval = '4', + $monthly_interval = '3' ) { - $conffile = "${rsnapshot::base::confdir}/${name}.conf" - file { $conffile: - owner => root, - group => root, - mode => 0700, - content => template('rsnapshot/rsnapshot.conf'), - } + $conffile = "${rsnapshot::base::confdir}/${name}.conf" + file { $conffile: + owner => root, + group => root, + mode => '0700', + content => template('rsnapshot/rsnapshot.conf'), + } - if ($hourly_interval != '0') { - Rsnapshot::Cron_file <| title == 'hourly' |> { - rsnapshot_conf +> $conffile, - } - } - if ($daily_interval != '0') { - Rsnapshot::Cron_file <| title == 'daily' |> { - rsnapshot_conf +> $conffile, - } - } - if ($weekly_interval != '0') { - Rsnapshot::Cron_file <| title == 'weekly' |> { - rsnapshot_conf +> $conffile, - } - } - if ($monthly_interval != '0') { - Rsnapshot::Cron_file <| title == 'monthly' |> { - rsnapshot_conf +> $conffile, - } - } + if ($hourly_interval != '0') { + Rsnapshot::Cron_file <| title == 'hourly' |> { + rsnapshot_conf +> $conffile, + } + } + if ($daily_interval != '0') { + Rsnapshot::Cron_file <| title == 'daily' |> { + rsnapshot_conf +> $conffile, + } + } + if ($weekly_interval != '0') { + Rsnapshot::Cron_file <| title == 'weekly' |> { + rsnapshot_conf +> $conffile, + } + } + if ($monthly_interval != '0') { + Rsnapshot::Cron_file <| title == 'monthly' |> { + rsnapshot_conf +> $conffile, + } + } } } 
diff --git a/modules/rsnapshot/templates/rsnapshot.conf b/modules/rsnapshot/templates/rsnapshot.conf index d3da0495..4eeee4d0 100644 --- a/modules/rsnapshot/templates/rsnapshot.conf +++ b/modules/rsnapshot/templates/rsnapshot.conf @@ -24,7 +24,7 @@ config_version 1.2 # All snapshots will be stored under this root directory. # -snapshot_root <%= snapshot_root %> +snapshot_root <%= @snapshot_root %> # If no_create_root is enabled, rsnapshot will not automatically create the # snapshot_root directory. This is particularly useful if you are backing @@ -201,10 +201,9 @@ link_dest 1 ############################### <%- for b in @backup -%> -backup <%= b %> +<%= b.split().unshift("backup").join("\t") %> <%- end -%> <%- for bs in @backup_script -%> -backup_script <%= bs %> +<%= bs.split().unshift("backup_script").join("\t") %> <%- end -%> - diff --git a/modules/rsyncd/templates/xinetd b/modules/rsyncd/templates/xinetd index 3359ca84..b477e413 100644 --- a/modules/rsyncd/templates/xinetd +++ b/modules/rsyncd/templates/xinetd @@ -8,8 +8,8 @@ service rsync server_args = --daemon log_on_failure += USERID flags = IPv6 - # some mirorrs do not seems to use lock when downloading from - # us and try to download the same stuff 15 time in a row + # some mirrors do not seems to use locks when downloading from + # us and try to download the same stuff 15 times in a row per_source = 4 } diff --git a/modules/serial_console/manifests/init.pp b/modules/serial_console/manifests/init.pp new file mode 100644 index 00000000..b6716954 --- /dev/null +++ b/modules/serial_console/manifests/init.pp @@ -0,0 +1 @@ +class serial_console {} diff --git a/modules/serial_console/manifests/serial_console.pp b/modules/serial_console/manifests/serial_console.pp new file mode 100644 index 00000000..dd68c84c --- /dev/null +++ b/modules/serial_console/manifests/serial_console.pp 
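Review bot: `b.split()` (and `bs.split()`) re-tokenises each entry on whitespace before joining with tabs, so a source or destination path containing a space is broken into extra fields that rsnapshot will read as separate columns. If such paths are possible, split on a single separator instead; otherwise a comment such as `<%# entries are "source dest [args]" separated by whitespace; paths must not contain spaces %>` above the loop documents the constraint.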
@@ -0,0 +1,8 @@
+# name: ttyS0
+define serial_console::serial_console() {
+ service { "serial-getty@${name}":
+ provider => systemd,
+ ensure => running,
+ enable => true,
+ }
+}
diff --git a/modules/shorewall/manifests/init.pp b/modules/shorewall/manifests/init.pp
index 7c8e1f55..daea6b2c 100644
--- a/modules/shorewall/manifests/init.pp
+++ b/modules/shorewall/manifests/init.pp
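Review bot: `# name: ttyS0` is the only documentation of the define and does not say what `$name` is; a header such as `# Enable and start serial-getty@<name>; $name is the tty device (e.g. ttyS0)` would tell callers what to pass. Style: puppet-lint expects `ensure` as the first attribute of the service resource, before `provider`.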
@@ -2,101 +2,101 @@ class shorewall { include concat::setup define shorewallfile () { - $filename = "/tmp/shorewall/${name}" - $header = "puppet:///modules/shorewall/headers/${name}" - $footer = "puppet:///modules/shorewall/footers/${name}" - concat{$filename: - owner => root, - group => root, - mode => 600, - } + $filename = "/tmp/shorewall/${name}" + $header = "puppet:///modules/shorewall/headers/${name}" + $footer = "puppet:///modules/shorewall/footers/${name}" + concat{$filename: + owner => root, + group => root, + mode => '0600', + } - concat::fragment{"${name}_header": - target => $filename, - order => 1, - source => $header, - } + concat::fragment{"${name}_header": + target => $filename, + order => 1, + source => $header, + } - concat::fragment{"${name}_footer": - target => $filename, - order => 99, - source => $footer, - } + concat::fragment{"${name}_footer": + target => $filename, + order => 99, + source => $footer, + } } ### Rules shorewallfile{ rules: } define rule_line($order = 50) { - $filename = "/tmp/shorewall/rules" - $line = "${name}\n" - concat::fragment{"newline_${name}": - target => $filename, - order => $order, - content => $line, - } + $filename = "/tmp/shorewall/rules" + $line = "${name}\n" + concat::fragment{"newline_${name}": + target => $filename, + order => $order, + content => $line, + } } class allow_ssh_in { - rule_line { "ACCEPT all all tcp 22": - order => 5, - } + rule_line { "ACCEPT all all tcp 22": + order => 5, + } } class allow_dns_in { - rule_line { "ACCEPT net fw tcp 53": } - rule_line { "ACCEPT net fw udp 53": } + rule_line { "ACCEPT net fw tcp 53": } + rule_line { "ACCEPT net fw udp 53": } } class allow_smtp_in { - rule_line { "ACCEPT net fw tcp 25": } + rule_line { "ACCEPT net fw tcp 25": } } class allow_www_in { - rule_line { "ACCEPT net fw tcp 80": } + rule_line { "ACCEPT net fw tcp 80": } } ### Zones shorewallfile{ zones: } define zone_line($order = 50) { - $filename = "/tmp/shorewall/zones" - $line = "${name}\n" - 
concat::fragment{"newline_${name}": - target => $filename, - order => $order, - content => $line, - } + $filename = "/tmp/shorewall/zones" + $line = "${name}\n" + concat::fragment{"newline_${name}": + target => $filename, + order => $order, + content => $line, + } } class default_zones { - zone_line { "net ipv4": - order => 2, - } - zone_line { "fw firewall": - order => 3, - } + zone_line { "net ipv4": + order => 2, + } + zone_line { "fw firewall": + order => 3, + } } ### Policy shorewallfile{ policy: } define policy_line($order = 50) { - $filename = "/tmp/shorewall/policy" - $line = "${name}\n" - concat::fragment{"newline_${name}": - target => $filename, - order => $order, - content => $line, - } + $filename = "/tmp/shorewall/policy" + $line = "${name}\n" + concat::fragment{"newline_${name}": + target => $filename, + order => $order, + content => $line, + } } class default_policy { - policy_line{ "fw net ACCEPT": - order => 2, - } - policy_line{ "net all DROP info": - order => 3, - } - policy_line{ "all all REJECT info": - order => 4, - } + policy_line{ "fw net ACCEPT": + order => 2, + } + policy_line{ "net all DROP info": + order => 3, + } + policy_line{ "all all REJECT info": + order => 4, + } } class default_firewall { - include default_zones - include default_policy - include allow_ssh_in + include default_zones + include default_policy + include allow_ssh_in } } diff --git a/modules/spec-tree-reports/manifests/init.pp b/modules/spec-tree-reports/manifests/init.pp new file mode 100644 index 00000000..dc78ea72 --- /dev/null +++ b/modules/spec-tree-reports/manifests/init.pp 
@@ -0,0 +1,50 @@
+# spec-rpm-mismatch is a report that compares the versions of RPMs available
+# in the repository versus the versions created by the latest spec files and
+# shows those that don't match.
+
+class spec-tree-reports(
+ $report = '/var/www/bs/spec-rpm-mismatch.html',
+ $srpms = 'file:///distrib/bootstrap/distrib/{version}/SRPMS/{media}/{section}/',
+ $release = "mga${buildsystem::var::distros::distros['cauldron']['version']}",
+) {
+ $user = 'spec-tree-reports'
+ $home = "/var/lib/${user}"
+ $hour = 6
+ $minute = 39
+
+ user { $user:
+ comment => 'spec-tree report generator',
+ home => $home,
+ }
+
+ file { $home:
+ ensure => directory,
+ owner => $user,
+ mode => '0755',
+ }
+
+ package { 'spec-tree':
+ ensure => installed,
+ }
+
+ file { "${report}":
+ ensure => present,
+ owner => $user,
+ mode => '0644',
+ replace => false,
+ content => '*',
+ }
+
+ mga_common::local_script { 'generate-spec-rpm-mismatch-report':
+ content => template('spec-tree-reports/generate-spec-rpm-mismatch-report'),
+ }
+
+ cron { "rpm_mismatch_report":
+ command => "/usr/local/bin/generate-spec-rpm-mismatch-report |& systemd-cat -t generate-spec-rpm-mismatch-report",
+ hour => $hour,
+ minute => $minute,
+ user => $user,
+ environment => "MAILTO=root",
+ require => User[$user],
+ }
+}
diff --git a/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report b/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report
new file mode 100644
index 00000000..4bc2db65
--- /dev/null
+++ b/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report
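Review bot: The cron command uses `|&`, a bash-only redirection; cron runs jobs with `/bin/sh` unless `SHELL` is set in the crontab, and under a POSIX sh `|&` is a syntax error (or an unrelated coprocess operator), so the report job may never run. Use the portable form: `command => "/usr/local/bin/generate-spec-rpm-mismatch-report 2>&1 | systemd-cat -t generate-spec-rpm-mismatch-report",`. Separately, the `$release` default dereferences `$buildsystem::var::distros::distros` without including that class; if it is not already evaluated when this class is declared the default comes out empty — hedged, since the class is not in this diff.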
@@ -0,0 +1,10 @@ +#!/bin/bash +# GENERATED BY PUPPET--DO NOT EDIT +set -e +trap 'test "$?" -ne 0 && echo Error in script' EXIT + +cd "$HOME" +test -e errors.log && mv -f errors.log errors.log.1 +/usr/share/doc/spec-tree/examples/generate-mismatch-report --srpm_source <%= scope.function_shellquote([scope.lookupvar('srpms')]) -%> --release <%= scope.function_shellquote([scope.lookupvar('release')]) %> +cp report.html <%= scope.function_shellquote([scope.lookupvar('report')]) %> +rm -f report.html diff --git a/modules/ssmtp/templates/ssmtp.conf b/modules/ssmtp/templates/ssmtp.conf index b535bc29..d7a9125f 100644 --- a/modules/ssmtp/templates/ssmtp.conf +++ b/modules/ssmtp/templates/ssmtp.conf @@ -1,9 +1,9 @@ -root=mageia-sysadm@<%= domain %> +root=mageia-sysadm@<%= @domain %> -mailhub=mx.<%= domain %> +mailhub=mx.<%= @domain %> rewriteDomain= # The full hostname -hostname=<%= fqdn %> +hostname=<%= @fqdn %> diff --git a/modules/subversion/manifests/client.pp b/modules/subversion/manifests/client.pp index a2aa42ee..083a58da 100644 --- a/modules/subversion/manifests/client.pp +++ b/modules/subversion/manifests/client.pp @@ -2,7 +2,7 @@ class subversion::client { # svn spam log with # Oct 26 13:30:01 valstar svn: No worthy mechs found # without it, - # http://mail-index.netbsd.org/pkgsrc-users/2008/11/23/msg008706.html + # https://mail-index.netbsd.org/pkgsrc-users/2008/11/23/msg008706.html # $sasl2_package = $::architecture ? { x86_64 => 'lib64sasl2-plug-anonymous', diff --git a/modules/subversion/manifests/hook.pp b/modules/subversion/manifests/hook.pp index 08b626ad..a29ae22d 100644 --- a/modules/subversion/manifests/hook.pp +++ b/modules/subversion/manifests/hook.pp @@ -2,7 +2,7 @@ define subversion::hook($content, $type) { $array = split($name,'\|') $repo = $array[0] $script = $array[1] - file { "$repo/hooks/$type.d/$script": + file { "${repo}/hooks/${type}.d/${script}": content => $content, mode => '0755', } 
diff --git a/modules/subversion/manifests/init.pp b/modules/subversion/manifests/init.pp index 01b06a62..9f009b5e 100644 --- a/modules/subversion/manifests/init.pp +++ b/modules/subversion/manifests/init.pp @@ -20,41 +20,46 @@ class subversion { package { ['perl-SVN-Notify-Config', 'perl-SVN-Notify-Mirror']: } $local_dir = '/usr/local/share/subversion/' - $local_dirs = ["$local_dir/pre-commit.d", "$local_dir/post-commit.d"] + $local_dirs = ["${local_dir}/pre-commit.d", "${local_dir}/post-commit.d"] file { [$local_dir,$local_dirs]: ensure => directory, } # workaround the lack of umask command in puppet < 2.7 - mga-common::local_script { 'create_svn_repo.sh': + mga_common::local_script { 'create_svn_repo.sh': content => template('subversion/create_svn_repo.sh') } - file { "$local_dir/pre-commit.d/no_binary": + file { "${local_dir}/pre-commit.d/no_binary": mode => '0755', content => template('subversion/no_binary') } - file { "$local_dir/pre-commit.d/no_root_commit": + file { "${local_dir}/pre-commit.d/no_root_commit": mode => '0755', content => template('subversion/no_root_commit') } - file { "$local_dir/pre-commit.d/no_empty_message": + file { "${local_dir}/pre-commit.d/no_empty_message": mode => '0755', content => template('subversion/no_empty_message') } - file { "$local_dir/pre-commit.d/single_word_commit": + file { "${local_dir}/pre-commit.d/single_word_commit": mode => '0755', content => template('subversion/single_word_commit') } - file { "$local_dir/pre-revprop-change": + file { "${local_dir}/pre-revprop-change": mode => '0755', content => template('subversion/pre-revprop-change') } + file { "${local_dir}/pre-commit.d/converted_to_git": + mode => '0755', + content => template('subversion/converted_to_git') + } + # TODO : add check for # - ym perl -MYAML -e 'YAML::LoadFile("-");' # - tt ( do not seem to be possible, but this would be great ) 
@@ -65,7 +70,7 @@ class subversion { # - openldap , like named define syntax_check($regexp_ext,$check_cmd) { - file { "$local_dir/pre-commit.d/$name": + file { "${subversion::server::local_dir}/pre-commit.d/${name}": mode => '0755', content => template('subversion/syntax_check.sh') } diff --git a/modules/subversion/manifests/mirror.pp b/modules/subversion/manifests/mirror.pp index 27741752..2285ecb2 100644 --- a/modules/subversion/manifests/mirror.pp +++ b/modules/subversion/manifests/mirror.pp @@ -1,6 +1,6 @@ class subversion::mirror { include subversion::tools - mga-common::local_script { 'create_svn_mirror.sh': + mga_common::local_script { 'create_svn_mirror.sh': content => template('subversion/create_svn_mirror.sh') } } diff --git a/modules/subversion/manifests/mirror_repository.pp b/modules/subversion/manifests/mirror_repository.pp index cf41ea63..1e0fabd3 100644 --- a/modules/subversion/manifests/mirror_repository.pp +++ b/modules/subversion/manifests/mirror_repository.pp @@ -2,14 +2,14 @@ define subversion::mirror_repository( $source, $refresh = '*/5') { include subversion::mirror - exec { "/usr/local/bin/create_svn_mirror.sh $name $source": + exec { "/usr/local/bin/create_svn_mirror.sh ${name} ${source}": creates => $name, require => Package['subversion-tools'] } - cron { "update $name": - command => "/usr/bin/svnsync synchronize -q file://$name", + cron { "update ${name}": + command => "/usr/bin/svnsync synchronize -q file://${name}", minute => $refresh, - require => Exec["/usr/local/bin/create_svn_mirror.sh $name $source"], + require => Exec["/usr/local/bin/create_svn_mirror.sh ${name} ${source}"], } } diff --git a/modules/subversion/manifests/pre_commit_link.pp b/modules/subversion/manifests/pre_commit_link.pp index a9b543a7..fa3c2b2c 100644 --- a/modules/subversion/manifests/pre_commit_link.pp +++ b/modules/subversion/manifests/pre_commit_link.pp 
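Review bot: `${subversion::server::local_dir}` is fully qualified to a class that does not set `$local_dir` anywhere in this diff; the variable is declared in `class subversion` itself (`$local_dir = '/usr/local/share/subversion/'` in the first init.pp hunk), so unless `subversion::server` also defines it the path collapses to `/pre-commit.d/${name}` and the hook file lands under the root directory. `"${subversion::local_dir}/pre-commit.d/${name}"` is the reference that matches the visible declaration. The `syntax_check` define continues past the end of the hunk.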
@@ -2,7 +2,7 @@ define subversion::pre_commit_link() { $scriptname = regsubst($name,'^.*/', '') file { $name: ensure => 'link', - target => "/usr/local/share/subversion/pre-commit.d/$scriptname", + target => "/usr/local/share/subversion/pre-commit.d/${scriptname}", mode => '0755', } } diff --git a/modules/subversion/manifests/repository.pp b/modules/subversion/manifests/repository.pp index 7f2f8356..b223e6ae 100644 --- a/modules/subversion/manifests/repository.pp +++ b/modules/subversion/manifests/repository.pp @@ -2,10 +2,10 @@ # group : group that have commit access on the svn # public : boolean if the svn is readable by anybody or not # commit_mail : array of people who will receive mail after each commit -# cia_post : send commits to cia.vc -# cia_module : name of the module to send to cia.vc -# cia_ignore_author : a regexp to ignore commits from some authors -# no_binary : do not accept files with common binary extensions +# irker_conf : hash containing irker config values. See man irkerhook +# for possible values in irker.conf. +# irkerhook_path : path to irkerhook.py script +# no_binary : do not accept files with common binary extensions # on this repository # restricted_to_user : restrict commits to select user # syntax_check : array of pre-commit script with syntax check to add 
@@ -16,115 +16,117 @@ define subversion::repository($group = 'svn', $public = true, $commit_mail = '', + $irker_conf = undef, + $irkerhook_path = '/usr/lib/irker/irkerhook.py', $i18n_mail = '', - $cia_post = true, - $cia_module = 'default', - $cia_ignore_author = '', $no_binary = false, $restricted_to_user = false, $syntax_check = '', $extract_dir = '') { # check permissions - # http://svnbook.red-bean.com/nightly/fr/svn.serverconfig.multimethod.html + # https://svnbook.red-bean.com/nightly/fr/svn.serverconfig.multimethod.html # $name ==> directory of the repo include subversion::server # TODO set umask -> requires puppet 2.7.0 - # unfortunatly, umask is required - # http://projects.puppetlabs.com/issues/4424 - exec { "/usr/local/bin/create_svn_repo.sh $name": + # unfortunately, umask is required + # https://projects.puppetlabs.com/issues/4424 + exec { "/usr/local/bin/create_svn_repo.sh ${name}": user => 'root', group => $group, - creates => "$name/hooks", + creates => "${name}/hooks", require => Package['subversion-tools'], } file { $name: + ensure => directory, group => $group, owner => 'root', mode => $public ? 
{ - true => 644, - false => 640, + true => '0644', + false => '0640', }, - ensure => directory } - file { ["$name/hooks/pre-commit","$name/hooks/post-commit"]: + file { ["${name}/hooks/pre-commit","${name}/hooks/post-commit"]: mode => '0755', content => template('subversion/hook_commit.sh'), - require => Exec["/usr/local/bin/create_svn_repo.sh $name"], + require => Exec["/usr/local/bin/create_svn_repo.sh ${name}"], } - file { ["$name/hooks/post-commit.d", "$name/hooks/pre-commit.d"]: + file { ["${name}/hooks/post-commit.d", "${name}/hooks/pre-commit.d"]: ensure => directory, - require => File["$name/hooks/pre-commit"], + require => File["${name}/hooks/pre-commit"], } - file { "$name/hooks/pre-revprop-change": - ensure => "$subversion::server::local_dir/pre-revprop-change", + file { "${name}/hooks/pre-revprop-change": + ensure => "${subversion::server::local_dir}/pre-revprop-change", mode => '0755', - require => File["$name/hooks/pre-commit"], + require => File["${name}/hooks/pre-commit"], } if $restricted_to_user { - subversion::hook::pre_commit { "$name|restricted_to_user": + subversion::hook::pre_commit { "${name}|restricted_to_user": content => template('subversion/restricted_to_user'), } } else { - file { "$name/hooks/pre-commit.d/restricted_to_user": + file { "${name}/hooks/pre-commit.d/restricted_to_user": ensure => absent, } } if $commit_mail { - subversion::hook::post_commit { "$name|send_mail": + subversion::hook::post_commit { "${name}|send_mail": content => template('subversion/hook_sendmail.pl'), require => Package['perl-SVN-Notify-Config'], } } else { - file { "$name/hooks/post-commit.d/send_mail": + file { "${name}/hooks/post-commit.d/send_mail": ensure => absent, } } - if $cia_post { - subversion::hook::post_commit { "$name|cia.vc": - content => template('subversion/ciabot_svn.sh'), + if $irker_conf { + subversion::hook::post_commit { "${name}|irker": + content => template('subversion/hook_irker'), + } + file { "${name}/irker.conf": + content => 
template('subversion/irker.conf'), } } else { - file { "$name/hooks/post-commit.d/cia.vc": + file { "${name}/hooks/post-commit.d/irker": ensure => absent, } } if $no_binary { - pre_commit_link { "$name/hooks/pre-commit.d/no_binary": } + pre_commit_link { "${name}/hooks/pre-commit.d/no_binary": } } else { - file { "$name/hooks/pre-commit.d/no_binary": + file { "${name}/hooks/pre-commit.d/no_binary": ensure => absent, } } if $extract_dir { - subversion::hook::post_commit {"$name|extract_dir": + subversion::hook::post_commit {"${name}|extract_dir": content => template('subversion/hook_extract.pl'), require => [Package['perl-SVN-Notify-Mirror']], } } else { - file { "$name/hooks/post-commit.d/extract_dir": + file { "${name}/hooks/post-commit.d/extract_dir": ensure => absent, } } - pre_commit_link { "$name/hooks/pre-commit.d/no_empty_message": } + pre_commit_link { "${name}/hooks/pre-commit.d/no_empty_message": } + + pre_commit_link { "${name}/hooks/pre-commit.d/no_root_commit": } - pre_commit_link { "$name/hooks/pre-commit.d/no_root_commit": } + pre_commit_link { "${name}/hooks/pre-commit.d/converted_to_git": } if $syntax_check { - $syntax_check_array = regsubst($syntax_check,'^',"$name/hooks/pre-commit.d/") + $syntax_check_array = regsubst($syntax_check,'^',"${name}/hooks/pre-commit.d/") pre_commit_link { $syntax_check_array: } } } - - diff --git a/modules/subversion/manifests/snapshot.pp b/modules/subversion/manifests/snapshot.pp index 179f1ef1..00e66dde 100644 --- a/modules/subversion/manifests/snapshot.pp +++ b/modules/subversion/manifests/snapshot.pp 
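Review bot: Disabling irker leaves `${name}/irker.conf` behind, because the `else` branch only sets `${name}/hooks/post-commit.d/irker` to `absent` while the `if $irker_conf` branch manages both the hook and `${name}/irker.conf`; a repository switched back to `$irker_conf = undef` keeps a stale config. Adding `file { "${name}/irker.conf": ensure => absent, }` to the `else` branch mirrors what the commit already does for `send_mail`, `no_binary` and `extract_dir`. The new `${name}/irker.conf` resource also sets no `owner`, `group` or `mode`, unlike `file { $name: ... }` above it, so its permissions depend on the agent's umask; if the hash can carry anything sensitive, pin `mode` explicitly.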
@@ -4,18 +4,18 @@ define subversion::snapshot($source, include subversion::client - exec { "/usr/bin/svn co $source $name": + exec { "/usr/bin/svn co ${source} ${name}": creates => $name, user => $user, require => Package['subversion'], } if ($refresh != '0') { - cron { "update $name": - command => "cd $name && /usr/bin/svn update -q", + cron { "update ${name}": + command => "cd ${name} && /usr/bin/svn update -q", user => $user, minute => $refresh, - require => Exec["/usr/bin/svn co $source $name"], + require => Exec["/usr/bin/svn co ${source} ${name}"], } } } diff --git a/modules/subversion/templates/ciabot_svn.py b/modules/subversion/templates/ciabot_svn.py deleted file mode 100644 index ab7828b4..00000000 --- a/modules/subversion/templates/ciabot_svn.py +++ /dev/null 
@@ -1,398 +0,0 @@ -#!/usr/bin/env python -# -# This is a CIA client script for Subversion repositories, written in python. -# It generates commit messages using CIA's XML format, and can deliver them -# using either XML-RPC or email. See below for usage and cuztomization -# information. -# -# -------------------------------------------------------------------------- -# -# Copyright (c) 2004-2007, Micah Dowty -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# * The name of the author may not be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. 
-# -# -------------------------------------------------------------------------- -# -# This script is cleaner and much more featureful than the shell -# script version, but won't work on systems without Python. -# -# To use the CIA bot in your Subversion repository... -# -# 1. Customize the parameters below -# -# 2. This script should be called from your repository's post-commit -# hook with the repository and revision as arguments. For example, -# you could copy this script into your repository's "hooks" directory -# and add something like the following to the "post-commit" script, -# also in the repository's "hooks" directory: -# -# REPOS="$1" -# REV="$2" -# $REPOS/hooks/ciabot_svn.py "$REPOS" "$REV" & -# -# Or, if you have multiple project hosted, you can add each -# project's name to the commandline in that project's post-commit -# hook: -# -# $REPOS/hooks/ciabot_svn.py "$REPOS" "$REV" "ProjectName" & -# -############# There are some parameters for this script that you can customize: - -class config: - # Replace this with your project's name, or always provide a project - # name on the commandline. - # - # NOTE: This shouldn't be a long description of your project. Ideally - # it is a short identifier with no spaces, punctuation, or - # unnecessary capitalization. This will be used in URLs related - # to your project, as an internal identifier, and in IRC messages. - # If you want a longer name shown for your project on the web - # interface, please use the "title" metadata key rather than - # putting that here. - # - project = "Mageia" - - # Subversion's normal directory hierarchy is powerful enough that - # it doesn't have special methods of specifying modules, tags, or - # branches like CVS does. Most projects do use a naming - # convention though that works similarly to CVS's modules, tags, - # and branches. - # - # This is a list of regular expressions that are tested against - # paths in the order specified. 
If a regex matches, the 'branch' - # and 'module' groups are stored and the matching section of the - # path is removed. - # - # Several common directory structure styles are below as defaults. - # Uncomment the ones you're using, or add your own regexes. - # Whitespace in the each regex are ignored. - - pathRegexes = [ - # r"^ trunk/ (?P<module>[^/]+)/ ", - # r"^ (branches|tags)/ (?P<branch>[^/]+)/ ", - # r"^ (branches|tags)/ (?P<module>[^/]+)/ (?P<branch>[^/]+)/ ", - ] - - # If your repository is accessible over the web, put its base URL here - # and 'uri' attributes will be given to all <file> elements. This means - # that in CIA's online message viewer, each file in the tree will link - # directly to the file in your repository. - repositoryURI = None - - # If your repository is accessible over the web via a tool like ViewVC - # that allows viewing information about a full revision, put a format string - # for its URL here. You can specify various substitution keys in the Python - # syntax: "%(project)s" is replaced by the project name, and likewise - # "%(revision)s" and "%(author)s" are replaced by the revision / author. - # The resulting URI is added to the data sent to CIA. After this, in CIA's - # online message viewer, the commit will link directly to the corresponding - # revision page. - revisionURI = None - # Example (works for ViewVC as used by SourceForge.net): - #revisionURI = "https://svn.sourceforge.net/viewcvs.cgi/%(project)s?view=rev&rev=%(revision)s" - - # This can be the http:// URI of the CIA server to deliver commits over - # XML-RPC, or it can be an email address to deliver using SMTP. The - # default here should work for most people. If you need to use e-mail - # instead, you can replace this with "cia@cia.navi.cx" - server = "http://cia.navi.cx" - - # The SMTP server to use, only used if the CIA server above is an - # email address. - smtpServer = "localhost" - - # The 'from' address to use. 
If you're delivering commits via email, set - # this to the address you would normally send email from on this host. - fromAddress = "cia-user@localhost" - - # When nonzero, print the message to stdout instead of delivering it to CIA. - debug = 0 - - -############# Normally the rest of this won't need modification - -import sys, os, re, urllib, getopt - -class File: - """A file in a Subversion repository. According to our current - configuration, this may have a module, branch, and URI in addition - to a path.""" - - # Map svn's status letters to our action names - actionMap = { - 'U': 'modify', - 'A': 'add', - 'D': 'remove', - } - - def __init__(self, fullPath, status=None): - self.fullPath = fullPath - self.path = fullPath - self.action = self.actionMap.get(status) - - def getURI(self, repo): - """Get the URI of this file, given the repository's URI. This - encodes the full path and joins it to the given URI.""" - quotedPath = urllib.quote(self.fullPath) - if quotedPath[0] == '/': - quotedPath = quotedPath[1:] - if repo[-1] != '/': - repo = repo + '/' - return repo + quotedPath - - def makeTag(self, config): - """Return an XML tag for this file, using the given config""" - attrs = {} - - if config.repositoryURI is not None: - attrs['uri'] = self.getURI(config.repositoryURI) - - if self.action: - attrs['action'] = self.action - - attrString = ''.join([' %s="%s"' % (key, escapeToXml(value,1)) - for key, value in attrs.items()]) - return "<file%s>%s</file>" % (attrString, escapeToXml(self.path)) - - -class SvnClient: - """A CIA client for Subversion repositories. 
Uses svnlook to - gather information""" - name = 'Python Subversion client for CIA' - version = '1.20' - - def __init__(self, repository, revision, config): - self.repository = repository - self.revision = revision - self.config = config - - def deliver(self, message): - if config.debug: - print message - else: - server = self.config.server - if server.startswith('http:') or server.startswith('https:'): - # Deliver over XML-RPC - import xmlrpclib - xmlrpclib.ServerProxy(server).hub.deliver(message) - else: - # Deliver over email - import smtplib - smtp = smtplib.SMTP(self.config.smtpServer) - smtp.sendmail(self.config.fromAddress, server, - "From: %s\r\nTo: %s\r\n" - "Subject: DeliverXML\r\n\r\n%s" % - (self.config.fromAddress, server, message)) - - def main(self): - self.collectData() - self.deliver("<message>" + - self.makeGeneratorTag() + - self.makeSourceTag() + - self.makeBodyTag() + - "</message>") - - def makeAttrTags(self, *names): - """Given zero or more attribute names, generate XML elements for - those attributes only if they exist and are non-None. - """ - s = '' - for name in names: - if hasattr(self, name): - v = getattr(self, name) - if v is not None: - # Recent Pythons don't need this, but Python 2.1 - # at least can't convert other types directly - # to Unicode. We have to take an intermediate step. 
- if type(v) not in (type(''), type(u'')): - v = str(v) - - s += "<%s>%s</%s>" % (name, escapeToXml(v), name) - return s - - def makeGeneratorTag(self): - return "<generator>%s</generator>" % self.makeAttrTags( - 'name', - 'version', - ) - - def makeSourceTag(self): - return "<source>%s</source>" % self.makeAttrTags( - 'project', - 'module', - 'branch', - ) - - def makeBodyTag(self): - return "<body><commit>%s%s</commit></body>" % ( - self.makeAttrTags( - 'revision', - 'author', - 'log', - 'diffLines', - 'url', - ), - self.makeFileTags(), - ) - - def makeFileTags(self): - """Return XML tags for our file list""" - return "<files>%s</files>" % ''.join([file.makeTag(self.config) - for file in self.files]) - - def svnlook(self, command): - """Run the given svnlook command on our current repository and - revision, returning all output""" - # We have to set LC_ALL to force svnlook to give us UTF-8 output, - # then we explicitly slurp that into a unicode object. - return unicode(os.popen( - 'LC_ALL="en_US.UTF-8" svnlook %s -r "%s" "%s"' % - (command, self.revision, self.repository)).read(), - 'utf-8', 'replace') - - def collectData(self): - self.author = self.svnlook('author').strip() - self.project = self.config.project - self.log = self.svnlook('log') - self.diffLines = len(self.svnlook('diff').split('\n')) - self.files = self.collectFiles() - if self.config.revisionURI is not None: - self.url = self.config.revisionURI % self.__dict__ - else: - self.url = None - - def collectFiles(self): - # Extract all the files from the output of 'svnlook changed' - files = [] - for line in self.svnlook('changed').split('\n'): - path = line[2:].strip() - if path: - status = line[0] - files.append(File(path, status)) - - # Try each of our several regexes. To be applied, the same - # regex must mach every file under consideration and they must - # all return the same results. If we find one matching regex, - # or we try all regexes without a match, we're done. 
- matchDict = None - for regex in self.config.pathRegexes: - matchDict = matchAgainstFiles(regex, files) - if matchDict is not None: - self.__dict__.update(matchDict) - break - - return files - - -def matchAgainstFiles(regex, files): - """Try matching a regex against all File objects in the provided list. - If the regex returns the same matches for every file, the matches - are returned in a dict and the matched portions are filtered out. - If not, returns None. - """ - prevMatchDict = None - compiled = re.compile(regex, re.VERBOSE) - for f in files: - - match = compiled.match(f.fullPath) - if not match: - # Give up, it must match every file - return None - - matchDict = match.groupdict() - if prevMatchDict is not None and prevMatchDict != matchDict: - # Give up, we got conflicting matches - return None - - prevMatchDict = matchDict - - # If we got this far, the regex matched every file with - # the same results. Now filter the matched portion out of - # each file and store the matches we found. 
- for f in files: - f.path = compiled.sub('', f.fullPath) - return prevMatchDict - - -def escapeToXml(text, isAttrib=0): - text = unicode(text) - text = text.replace("&", "&") - text = text.replace("<", "<") - text = text.replace(">", ">") - if isAttrib == 1: - text = text.replace("'", "'") - text = text.replace("\"", """) - return text - - -def usage(): - """Print a short usage description of this script and exit""" - sys.stderr.write("Usage: %s [OPTIONS] REPOS-PATH REVISION [PROJECTNAME]\n" % - sys.argv[0]) - - -def version(): - """Print out the version of this script""" - sys.stderr.write("%s %s\n" % (sys.argv[0], SvnClient.version)) - - -def main(): - try: - options = [ "version" ] - for key in config.__dict__: - if not key.startswith("_"): - options.append(key + "="); - opts, args = getopt.getopt(sys.argv[1:], "", options) - except getopt.GetoptError: - usage() - sys.exit(2) - - for o, a in opts: - if o == "--version": - version() - sys.exit() - else: - # Everything else maps straight to a config key. Just have - # to remove the "--" prefix from the option name. - config.__dict__[o[2:]] = a - - # Print a usage message when not enough parameters are provided. - if not len(args) in (2,3): - sys.stderr.write("%s: incorrect number of arguments\n" % sys.argv[0]) - usage(); - sys.exit(2); - - # If a project name was provided, override the default project name. - if len(args) == 3: - config.project = args[2] - - # Go do the real work. - SvnClient(args[0], args[1], config).main() - - -if __name__ == "__main__": - main() - -### The End ### diff --git a/modules/subversion/templates/ciabot_svn.sh b/modules/subversion/templates/ciabot_svn.sh deleted file mode 100755 index 63aa77a8..00000000 --- a/modules/subversion/templates/ciabot_svn.sh +++ /dev/null 
@@ -1,125 +0,0 @@ -#!/bin/sh -# -# This is a CIA bot client script for Subversion repositories, -# delivering via email. See below for usage and customization information. -# -# -------------------------------------------------------------------------- -# -# Copyright (c) 2004-2005, Micah Dowty -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# * The name of the author may not be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. -# -# -------------------------------------------------------------------------- -# -# See http://cia.vc for more information on what the CIA bot -# is and how it works, and links to other client scripts. 
-# -# To use the CIA bot in your Subversion repository... -# -# 1. Customize the parameters below, specifically the ones under -# the "Project information" section -# -# 2. This script should be called from your repository's post-commit -# hook with the repository and revision as arguments. For example, -# you could copy this script into your repository's "hooks" directory -# and add something like the following to the "post-commit" script, -# also in the repository's "hooks" directory: -# -# REPOS="$1" -# REV="$2" -# $REPOS/hooks/ciabot_svn.sh "$REPOS" "$REV"& -# -# ------ There are some parameters for this script that you can customize: - -# Project information -# -# NOTE: This shouldn't be a long description of your project. Ideally -# it is a short identifier with no spaces, punctuation, or -# unnecessary capitalization. This will be used in URLs related -# to your project, as an internal identifier, and in IRC messages. -# If you want a longer name shown for your project on the web -# interface, please use the "title" metadata key rather than -# putting that here. 
-# -project_name="Mageia" -module_name="<%= cia_module %>" -return_address="root@<%= domain %>" -ignore_author="<%= cia_ignore_author %>" - -# System -sendmail_command="/usr/sbin/sendmail -t" - -############# Below this line you shouldn't have to change anything - -# Script arguments -REPOS="$1" -REV="$2" - -# The email address CIA lives at -cia_address="cia@cia.vc" - -author=`svnlook author -r "$REV" "$REPOS" | sed 's/\&/\&/g;s/</\</g;s/>/\>/g'` -if test -n "$ignore_author" && echo "$author" | grep -q "$ignore_author" -then - exit 0 -fi -log=`svnlook log -r "$REV" "$REPOS" | sed 's/\&/\&/g;s/</\</g;s/>/\>/g'` -diff_lines=`svnlook diff -r "$REV" "$REPOS" | wc -l` -for file in `svnlook changed -r "$REV" "$REPOS" | cut -c 3- | sed 's/\&/\&/g;s/</\</g;s/>/\>/g'`; do - files="$files<file>$file</file>" -done - -url="http://svnweb.<%= domain%>/${REPOS/\/svn\//}?view=revision&revision=$REV" - -# Send an email with the final XML message -(cat <<EOF -From: $return_address -To: $cia_address -Subject: DeliverXML - -<message> - <generator> - <name>Subversion CIA Bot client shell script</name> - <version>1.1</version> - </generator> - <source> - <project>$project_name</project> - <module>$module_name</module> - </source> - <body> - <commit> - <revision>$REV</revision> - <author>$author</author> - <files>$files</files> - <log>$log</log> - <url>$url</url> - <diffLines>$diff_lines</diffLines> - </commit> - </body> -</message> -EOF -) | $sendmail_command - -### The End ### diff --git a/modules/subversion/templates/converted_to_git b/modules/subversion/templates/converted_to_git new file mode 100644 index 00000000..8f137506 --- /dev/null +++ b/modules/subversion/templates/converted_to_git 
@@ -0,0 +1,16 @@ +#!/bin/sh + +REPOS="$1" +TXN="$2" + +if [ ! -f "$REPOS/conf/git.conf" ]; then + exit 0 +fi + +REGEX=$(cat "$REPOS/conf/git.conf" | grep -v "^#" | grep -v "^ *$" | xargs | sed 's/ /|/g') + +if (svnlook dirs-changed -t $TXN "$REPOS" | grep -qE "^($REGEX)"); then + echo "The subversion path you have attempted to commit to has been converted to git." >&2 + echo "Please see: https://wiki.mageia.org/en/Git_Migration" >&2 + exit 1 +fi diff --git a/modules/subversion/templates/hook_commit.sh b/modules/subversion/templates/hook_commit.sh index ec7ea1cb..2b1b6ff3 100644 --- a/modules/subversion/templates/hook_commit.sh +++ b/modules/subversion/templates/hook_commit.sh @@ -9,9 +9,9 @@ author=$(svnlook author -t "$TXN" "$REP") # We will be able to remove it when updating to a better send mail hook if [ "$author" = 'schedbot' ]; then - LIST= `ls $0.d/* | grep -v send_mail` + LIST=`ls -1 $0.d/* | grep -v send_mail` else - LIST=`ls $0.d/*` + LIST=`ls -1 $0.d/*` fi for script in $LIST; do @@ -25,4 +25,3 @@ for script in $LIST; do $script $@ || exit 1 done - diff --git a/modules/subversion/templates/hook_irker b/modules/subversion/templates/hook_irker new file mode 100644 index 00000000..8fd7a874 --- /dev/null +++ b/modules/subversion/templates/hook_irker @@ -0,0 +1,4 @@ +#!/bin/sh +REPO=$1 +REV=$2 +<%= irkerhook_path %> --repository=$REPO $REV diff --git a/modules/subversion/templates/hook_sendmail.pl b/modules/subversion/templates/hook_sendmail.pl index aab1db5a..cf3be6a4 100644 --- a/modules/subversion/templates/hook_sendmail.pl +++ b/modules/subversion/templates/hook_sendmail.pl @@ -7,7 +7,11 @@ alternative: HTML::ColorDiff with-diff: 1 max_diff_length: 20000 - from: root@<%= domain %> + ticket_map: + '(\bmga#(\d+)\b)': 'https://bugs.mageia.org/show_bug.cgi?id=%s' + revision-url: "https://svnweb.mageia.org/packages/?revision=%s&view=revision" + subject_cx: 1 + from: subversion_noreply@ml.<%= @domain %> to: <%- commit_mail.each do |mail| -%> - <%= mail %> 
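Review bot: An empty or comment-only `git.conf` blocks every commit, because `REGEX` then expands to nothing and `grep -qE "^($REGEX)"` becomes `^()`, which matches every path printed by `svnlook dirs-changed`. The entries are also spliced into the ERE unescaped, so a path containing `.`, `+` or `(` is treated as a pattern rather than matched literally, and the `xargs` in the pipeline additionally strips quotes and backslashes from the file's lines. `$TXN` is unquoted in the `svnlook` call while `$REPOS` on the same line is quoted. The rewrite below escapes each entry, joins with `paste` instead of `xargs | sed`, quotes `$TXN`, and exits early when the list is empty; whether a match should stop at a path-component boundary (`^($REGEX)(/|$)`) rather than any prefix is a choice the commit does not state, so the prefix semantics are kept.
```shell
# … unchanged: REPOS/TXN assignment and early exit when conf/git.conf is absent …

# One alternation built from the non-comment, non-blank lines of git.conf;
# ERE metacharacters are escaped so each entry matches literally.
REGEX=$(grep -v '^#' "$REPOS/conf/git.conf" | grep -v '^ *$' \
        | sed 's/[][.*^$+?(){}|\\]/\\&/g' | paste -sd '|' -)

# An empty list would otherwise become "^()", which matches every path.
if [ -z "$REGEX" ]; then
  exit 0
fi

if svnlook dirs-changed -t "$TXN" "$REPOS" | grep -qE "^($REGEX)"; then
# … unchanged: error messages and exit 1 …
```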
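Review bot: `$REPO` and `$REV` are expanded unquoted on the last line of `hook_irker`, so a repository path containing whitespace or glob characters is word-split before `irkerhook.py` sees it, whereas the other hook templates in this commit (`converted_to_git`, `restricted_to_user`) quote `$REPOS`. `<%= irkerhook_path %> --repository="$REPO" "$REV"` keeps the arguments intact.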
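Review bot: The added `revision-url` hard-codes `https://svnweb.mageia.org/packages/?revision=%s&view=revision`, yet `hook_sendmail.pl` is rendered by `subversion::repository` for any `$name`, so commit mails for a repository other than `packages` would link to the wrong svnweb path; the same line is added again in the `@@ -19,6 +23,10 @@` hunk of this file. If other repositories enable `send_mail`, derive the path segment from the repository name (the removed `ciabot_svn.sh` did this with `${REPOS/\/svn\//}`) or make the URL a parameter of the define. Only one of the two copies then needs to carry a comment such as `# revision-url must match the svnweb layout for this repository`.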
@@ -19,6 +23,10 @@ alternative: HTML::ColorDiff with-diff: 1 max_diff_length: 20000 - from: root@<%= domain %> + ticket_map: + '(\bmga#(\d+)\b)': 'https://bugs.mageia.org/show_bug.cgi?id=%s' + revision-url: "https://svnweb.mageia.org/packages/?revision=%s&view=revision" + subject_cx: 1 + from: subversion_noreply@ml.<%= @domain %> to: <%= i18n_mail %> <%- end -%> diff --git a/modules/subversion/templates/irker.conf b/modules/subversion/templates/irker.conf new file mode 100644 index 00000000..d037a120 --- /dev/null +++ b/modules/subversion/templates/irker.conf @@ -0,0 +1,7 @@ +<%- + content = '' + @irker_conf.keys.sort.each {|key| + content += key + ' = ' + @irker_conf[key] + "\n" + } +-%> +<%= content %> diff --git a/modules/subversion/templates/no_binary b/modules/subversion/templates/no_binary index a7f2eb94..284642e5 100644 --- a/modules/subversion/templates/no_binary +++ b/modules/subversion/templates/no_binary @@ -3,7 +3,7 @@ REP="$1" TXN="$2" -# Filter some binary files based on common filename extentions. +# Filter some binary files based on common filename extensions. # It does not fully prevent commit of binary files, this script is only # here to avoid simple mistakes if svnlook changed -t "$TXN" "$REP" | grep -qi '\.\(gz\|bz2\|xz\|lzma\|Z\|7z\|tar\|tgz\|zip\|jpg\|gif\|png\|ogg\|mp3\|wav\|rar\|pdf\)$' diff --git a/modules/subversion/templates/restricted_to_user b/modules/subversion/templates/restricted_to_user index 5c70132e..98297627 100644 --- a/modules/subversion/templates/restricted_to_user +++ b/modules/subversion/templates/restricted_to_user @@ -6,7 +6,7 @@ TXN="$2" author=$(svnlook author -t "$TXN" "$REP") if [ "$author" != '<%= restricted_to_user %>' ]; then - echo "this repository is restrected to user <%= restricted_to_user %>" >&2 + echo "this repository is restricted to user <%= restricted_to_user %>" >&2 exit 1 fi diff --git a/modules/subversion/templates/xinetd b/modules/subversion/templates/xinetd index 87827ec2..0919ae60 100644 
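Review bot: The new `irker.conf` template concatenates `@irker_conf[key]` with `+`, which raises a `TypeError` when a value is anything but a String (a numeric port, a boolean), and `subversion::repository` declares `$irker_conf = undef` with no constraint on the hash's value types. `content += "#{key} = #{@irker_conf[key]}\n"` stringifies every value, and the whole template can collapse to `<%= @irker_conf.keys.sort.map { |k| "#{k} = #{@irker_conf[k]}" }.join("\n") %>`. Keys and values are written verbatim, so a value containing a newline starts a new config line; worth a comment stating that the hash is trusted manifest data.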
--- a/modules/subversion/templates/xinetd +++ b/modules/subversion/templates/xinetd @@ -12,4 +12,3 @@ service svnserve server_args = -i -r <%= svn_base_path %> flags = IPv6 } - diff --git a/modules/sudo/manifests/sudoers_config.pp b/modules/sudo/manifests/sudoers_config.pp index 29e51c8a..fdc38e9b 100644 --- a/modules/sudo/manifests/sudoers_config.pp +++ b/modules/sudo/manifests/sudoers_config.pp @@ -1,5 +1,5 @@ define sudo::sudoers_config($content) { - file { "/etc/sudoers.d/$name": + file { "/etc/sudoers.d/${name}": mode => '0440', content => $content, } diff --git a/modules/sympa/files/scenari/open_web_only_notify b/modules/sympa/files/scenari/open_web_only_notify index 9c0b1dbc..621e425c 100644 --- a/modules/sympa/files/scenari/open_web_only_notify +++ b/modules/sympa/files/scenari/open_web_only_notify @@ -3,4 +3,3 @@ title.gettext anyone on the web, notification is sent to list owner # do not notify if it is just an update is_subscriber([listname],[sender]) smtp,smime,md5 -> do_it true() md5 -> do_it,notify - diff --git a/modules/sympa/files/scenari/subscriber_moderated b/modules/sympa/files/scenari/subscriber_moderated deleted file mode 100644 index 9e301213..00000000 --- a/modules/sympa/files/scenari/subscriber_moderated +++ /dev/null @@ -1,6 +0,0 @@ -title.gettext Reserved to subscriber - -is_subscriber([listname],[sender]) smtp,smime,md5 -> do_it -true() smime,md5 -> do_it -true() smtp -> reject(reason='send_subscriber') - diff --git a/modules/sympa/files/topics.conf b/modules/sympa/files/topics.conf index 53824f0d..92e1809c 100644 --- a/modules/sympa/files/topics.conf +++ b/modules/sympa/files/topics.conf @@ -1,3 +1,6 @@ +bugsquad +title Bug triaging + sysadmin title System administration, infrastructure @@ -24,3 +27,6 @@ title Local Community atelier title Atelier (Artwork, Web, Marketing, Communication) + +users +title Users discussions 
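Review bot: The drop-in written to `/etc/sudoers.d/${name}` in `sudo::sudoers_config` is never syntax-checked, and sudo refuses to run at all when any file it includes fails to parse, so a typo in `$content` locks every operator out of sudo on that host until the file is repaired by other means. If the Puppet version in use supports it, `validate_cmd => '/usr/sbin/visudo -c -f %',` on the `file` resource keeps a malformed file from ever being installed. `$name` also becomes the filename unvalidated; sudo silently ignores drop-ins whose name contains a `.` or ends in `~`, so a title like `foo.bar` produces a file that is written successfully and never applied.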
diff --git a/modules/sympa/manifests/announce_list_email.pp b/modules/sympa/manifests/announce_list_email.pp deleted file mode 100644 index bebeea13..00000000 --- a/modules/sympa/manifests/announce_list_email.pp +++ /dev/null @@ -1,18 +0,0 @@ -# list where announce are sent by $email only -# reply_to is set to $reply_to -define sympa::announce_list_email($subject, - $reply_to, - $sender_email, - $subscriber_ldap_group = false, - $language = 'en', - $topics = false) { - list { $name: - subject => $subject, - profile => '', - language => $language, - topics => $topics, - reply_to => $reply_to, - sender_email => $sender_email, - subscriber_ldap_group => $subscriber_ldap_group, - } -} diff --git a/modules/sympa/manifests/announce_list_group.pp b/modules/sympa/manifests/announce_list_group.pp deleted file mode 100644 index ddb3747a..00000000 --- a/modules/sympa/manifests/announce_list_group.pp +++ /dev/null @@ -1,17 +0,0 @@ -# list where announce are sent by member of ldap_group -# reply_to is set to $reply_to -define sympa::announce_list_group($subject, - $reply_to, - $sender_ldap_group, - $language = 'en', - $topics = false) { - # profile + scenario - list { $name: - subject => $subject, - profile => '', - language => $language, - topics => $topics, - reply_to => $reply_to, - sender_ldap_group => $sender_ldap_group, - } -} diff --git a/modules/sympa/manifests/datasource/ldap_group.pp b/modules/sympa/manifests/datasource/ldap_group.pp index 6b34ec92..6060bec4 100644 --- a/modules/sympa/manifests/datasource/ldap_group.pp +++ b/modules/sympa/manifests/datasource/ldap_group.pp @@ -1,5 +1,5 @@ define sympa::datasource::ldap_group { - file { "/etc/sympa/data_sources/$name.incl": + file { "/etc/sympa/data_sources/${name}.incl": content => template('sympa/data_sources/ldap_group.incl') } } diff --git a/modules/sympa/manifests/list.pp b/modules/sympa/manifests/list.pp index 4e265f31..205d2719 100644 --- a/modules/sympa/manifests/list.pp +++ b/modules/sympa/manifests/list.pp 
@@ -1,38 +1,33 @@ define sympa::list( $subject, - $profile = false, $language = 'en', $topics = false, $reply_to = false, + $sender_subscriber = false, $sender_email = false, $sender_ldap_group = false, $subscriber_ldap_group = false, $public_archive = true, - $subscription_open = false) { + $subscription_open = false, + $critical = false) { include sympa::variable $ldap_password = extlookup('sympa_ldap','x') $custom_subject = $name - $xml_file = "/etc/sympa/lists_xml/$name.xml" - - if $sender_email { - $sender_email_file = regsubst($sender_email,'\@','-at-') - } else { - $sender_email_file = '' - } + $xml_file = "/etc/sympa/lists_xml/${name}.xml" file { $xml_file: content => template('sympa/list.xml'), require => Package[sympa], } - exec { "sympa.pl --create_list --robot=$sympa::variable::vhost --input_file=$xml_file": + exec { "sympa.pl --create_list --robot=${sympa::variable::vhost} --input_file=${xml_file}": require => File[$xml_file], - creates => "/var/lib/sympa/expl/$name", - before => File["/var/lib/sympa/expl/$name/config"], + creates => "/var/lib/sympa/expl/${name}", + before => File["/var/lib/sympa/expl/${name}/config"], } - file { "/var/lib/sympa/expl/$name/config": + file { "/var/lib/sympa/expl/${name}/config": owner => 'sympa', group => 'sympa', mode => '0750', @@ -40,16 +35,10 @@ define sympa::list( $subject, notify => Service['sympa'], } - if $sender_ldap_group { - if ! defined(Sympa::Scenario::Sender_ldap_group[$sender_ldap_group]) { - sympa::scenario::sender_ldap_group { $sender_ldap_group: } - } - } - - if $sender_email { - if ! defined(Sympa::Scenario::Sender_email[$sender_email]) { - sympa::scenario::sender_email { $sender_email: } - } + sympa::scenario::sender_restricted { $name: + ldap_group => $sender_ldap_group, + email => $sender_email, + allow_subscriber => $sender_subscriber, } if $subscriber_ldap_group { 
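Review bot: With the three `if` blocks gone, `sympa::scenario::sender_restricted { $name: … }` is declared for every list, and when `sender_ldap_group`, `sender_email` and `sender_subscriber` are all left at `false` the generated `send.restricted_<name>` scenario appears to contain nothing but the final reject rule, so such a list accepts no posts at all where it previously fell back to `subscriber_moderated`. If that fail-closed default is intended it deserves a comment next to the declaration, e.g. `# no sender_* restriction given: the generated scenario rejects every post (fail closed)`. Independently, `$name` is interpolated unchecked into `$xml_file`, the `creates` path and the `sympa.pl --create_list` command line; a guard that the title is a plain list name (letters, digits, `-`, `_`, `.`) ahead of these lines would keep a stray title from reaching a path or command it was not meant to. The `sympa::list` define continues past the end of the hunk.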
@@ -57,6 +46,12 @@ define sympa::list( $subject, sympa::search_filter::ldap { $subscriber_ldap_group: } } } + + if $sender_ldap_group { + if ! defined(Sympa::Search_filter::Ldap[$sender_ldap_group]) { + sympa::search_filter::ldap { $sender_ldap_group: } + } + } } diff --git a/modules/sympa/manifests/list/announce.pp b/modules/sympa/manifests/list/announce.pp new file mode 100644 index 00000000..2dd1c647 --- /dev/null +++ b/modules/sympa/manifests/list/announce.pp @@ -0,0 +1,21 @@ +# list where announce are sent by $email or $ldap_group only +# reply_to is set to $reply_to +define sympa::list::announce($subject, + $reply_to, + $sender_email = false, + $sender_ldap_group = false, + $subscriber_ldap_group = false, + $language = 'en', + $topics = false, + $critical = false) { + list { $name: + subject => $subject, + language => $language, + topics => $topics, + reply_to => $reply_to, + sender_email => $sender_email, + sender_ldap_group => $sender_ldap_group, + subscriber_ldap_group => $subscriber_ldap_group, + critical => $critical + } +} diff --git a/modules/sympa/manifests/list/private.pp b/modules/sympa/manifests/list/private.pp index d58d7ab2..c8d9b38e 100644 --- a/modules/sympa/manifests/list/private.pp +++ b/modules/sympa/manifests/list/private.pp @@ -1,15 +1,16 @@ # list with private archive, restricted to member of $ldap_group define sympa::list::private($subject, $subscriber_ldap_group, + $sender_email = false, $language ='en', $topics = false) { list { $name: subject => $subject, - profile => '', language => $language, topics => $topics, subscriber_ldap_group => $subscriber_ldap_group, sender_ldap_group => $subscriber_ldap_group, + sender_email => $sender_email, public_archive => false, } } diff --git a/modules/sympa/manifests/list/private_email.pp b/modules/sympa/manifests/list/private_email.pp deleted file mode 100644 index 54e70592..00000000 --- a/modules/sympa/manifests/list/private_email.pp +++ /dev/null 
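Review bot: The new `sympa::list::announce` define adds a `$critical` parameter, but its header comment only describes who may post and where replies go; from the `config` template elsewhere in this commit, `critical` switches the list to a private web archive, a concealed info page and owner-authorised subscription, none of which a caller can learn here. A third header line such as `# critical: private web archive, concealed info page, subscription needs owner approval` would cover it. As a point of style, `list { $name:` relies on relative resolution to `sympa::list`, whereas the deleted `private_open.pp` wrote `sympa::list { $name:` explicitly, which is the less surprising form; the last attribute `critical => $critical` also lacks the trailing comma the other attributes carry.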
@@ -1,17 +0,0 @@ -# same as private_list, but post are restricted to $email -# ( scripting ) -define sympa::list::private_email($subject, - $subscriber_ldap_group, - $sender_email, - $language ='en', - $topics = false) { - list { $name: - subject => $subject, - profile => '', - language => $language, - topics => $topics, - subscriber_ldap_group => $subscriber_ldap_group, - sender_email => $sender_email, - public_archive => false, - } -} diff --git a/modules/sympa/manifests/list/private_open.pp b/modules/sympa/manifests/list/private_open.pp deleted file mode 100644 index 7f3f5105..00000000 --- a/modules/sympa/manifests/list/private_open.pp +++ /dev/null @@ -1,18 +0,0 @@ -# list with private archive, restricted to member of $ldap_group -# everybody can post -# used for contact alias -define sympa::list::private_open( $subject, - $subscriber_ldap_group, - $language = 'en', - $topics = false) { - sympa::list { $name: - subject => $subject, - profile => '', - language => $language, - topics => $topics, - subscriber_ldap_group => $subscriber_ldap_group, - public_archive => false, - } -} - - diff --git a/modules/sympa/manifests/list/public.pp b/modules/sympa/manifests/list/public.pp new file mode 100644 index 00000000..7b97534a --- /dev/null +++ b/modules/sympa/manifests/list/public.pp @@ -0,0 +1,16 @@ +# public discussion list +# reply_to is set to the list +define sympa::list::public($subject, + $language = 'en', + $topics = false, + $sender_email = false) { + include sympa::variable + list { $name: + subject => $subject, + language => $language, + topics => $topics, + sender_email => $sender_email, + sender_subscriber => true, + reply_to => "${name}@${sympa::variable::vhost}", + } +} diff --git a/modules/sympa/manifests/public_restricted_list.pp b/modules/sympa/manifests/list/public_restricted.pp index fec079f7..5c316368 100644 --- a/modules/sympa/manifests/public_restricted_list.pp +++ b/modules/sympa/manifests/list/public_restricted.pp 
@@ -1,17 +1,17 @@ -# list where only people from the ldap_group can post, ad where +# list where only people from the ldap_group can post, and where # they are subscribed by default, but anybody else can subscribe # to read and receive messages -define sympa::public_restricted_list( $subject, +define sympa::list::public_restricted($subject, $subscriber_ldap_group, $language = 'en', $topics = false) { list { $name: subject => $subject, - profile => '', topics => $topics, language => $language, subscriber_ldap_group => $subscriber_ldap_group, sender_ldap_group => $subscriber_ldap_group, subscription_open => true, + reply_to => "${name}@${sympa::variable::vhost}", } } diff --git a/modules/sympa/manifests/list/restricted.pp b/modules/sympa/manifests/list/restricted.pp deleted file mode 100644 index 779cd3fb..00000000 --- a/modules/sympa/manifests/list/restricted.pp +++ /dev/null @@ -1,15 +0,0 @@ -# list where people cannot subscribe, where people from $ldap_group receive -# mail, with public archive -define sympa::list::restricted($subject, - $subscriber_ldap_group, - $language = 'en', - $topics = false) { - list { $name: - subject => $subject, - profile => '', - topics => $topics, - language => $language, - subscriber_ldap_group => $subscriber_ldap_group, - sender_ldap_group => $subscriber_ldap_group, - } -} diff --git a/modules/sympa/manifests/public_list.pp b/modules/sympa/manifests/public_list.pp deleted file mode 100644 index 6b660abf..00000000 --- a/modules/sympa/manifests/public_list.pp +++ /dev/null @@ -1,13 +0,0 @@ -# public discussion list -# reply_to is set to the list -define sympa::public_list($subject, - $language = 'en', - $topics = false) { - include sympa::variable - list { $name: - subject => $subject, - language => $language, - topics => $topics, - reply_to => "$name@$sympa::variable::vhost", - } -} 
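Review bot: The added `reply_to => "${name}@${sympa::variable::vhost}"` reads a class variable that this define never brings into scope; unlike the new `sympa::list::public`, there is no `include sympa::variable` before the `list` declaration, so whether `$sympa::variable::vhost` is set at interpolation time depends on whether another manifest happened to evaluate the class first, and an unset value would produce a `reply_to` of `<name>@`. Adding `include sympa::variable` as the first statement of the define, mirroring `public.pp`, removes the ordering dependency.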
diff --git a/modules/sympa/manifests/restricted_list_open.pp b/modules/sympa/manifests/restricted_list_open.pp deleted file mode 100644 index 1730b970..00000000 --- a/modules/sympa/manifests/restricted_list_open.pp +++ /dev/null @@ -1,14 +0,0 @@ -# same as restricted list, but anybody can post -define sympa::restricted_list_open( $subject, - $subscriber_ldap_group, - $language = 'en', - $topics = false) { - list { $name: - subject => $subject, - profile => '', - language => $language, - topics => $topics, - subscriber_ldap_group => $subscriber_ldap_group, - sender_ldap_group => $subscriber_ldap_group, - } -} diff --git a/modules/sympa/manifests/scenario/sender_email.pp b/modules/sympa/manifests/scenario/sender_email.pp deleted file mode 100644 index 4f811189..00000000 --- a/modules/sympa/manifests/scenario/sender_email.pp +++ /dev/null @@ -1,6 +0,0 @@ -define sympa::scenario::sender_email { - $sender_email_file = regsubst($name,'\@','-at-') - file { "/etc/sympa/scenari/send.restricted_$sender_email_file": - content => template('sympa/scenari/sender.email') - } -} diff --git a/modules/sympa/manifests/scenario/sender_ldap_group.pp b/modules/sympa/manifests/scenario/sender_ldap_group.pp deleted file mode 100644 index 363af4f3..00000000 --- a/modules/sympa/manifests/scenario/sender_ldap_group.pp +++ /dev/null @@ -1,7 +0,0 @@ -define sympa::scenario::sender_ldap_group { - file { "/etc/sympa/scenari/send.restricted_$name": - content => template('sympa/scenari/sender.ldap_group') - } -} - - diff --git a/modules/sympa/manifests/scenario/sender_restricted.pp b/modules/sympa/manifests/scenario/sender_restricted.pp new file mode 100644 index 00000000..c69d3669 --- /dev/null +++ b/modules/sympa/manifests/scenario/sender_restricted.pp 
@@ -0,0 +1,9 @@ +define sympa::scenario::sender_restricted( + $email = false, + $ldap_group = false, + $allow_subscriber = false +) { + file { "/etc/sympa/scenari/send.restricted_${name}": + content => template('sympa/scenari/sender.restricted') + } +} diff --git a/modules/sympa/manifests/server.pp b/modules/sympa/manifests/server.pp index daed4e07..bcdda789 100644 --- a/modules/sympa/manifests/server.pp +++ b/modules/sympa/manifests/server.pp @@ -10,12 +10,17 @@ class sympa::server( 'perl-CGI-Fast', 'perl-Socket6']: } - # sympa script start 5 differents script, I am not + # sympa script starts 5 different scripts; I am not # sure that puppet will correctly handle this service { 'sympa': subscribe => [ Package['sympa'], File['/etc/sympa/sympa.conf']] } + service { 'sympa-outgoing': + ensure => running, + require => Service['sympa'] + } + $pgsql_password = extlookup('sympa_pgsql','x') $ldap_password = extlookup('sympa_ldap','x') @@ -30,8 +35,8 @@ class sympa::server( $vhost = $sympa::variable::vhost file { '/etc/sympa/sympa.conf': - # should be cleaner to have it root owned, but puppet do not support acl - # and in any case, config will be reset if it change + # should be cleaner to have it root owned, but puppet does not support acls + # and in any case, config will be reset if it changes owner => 'sympa', group => 'apache', mode => '0640', @@ -56,9 +61,9 @@ class sympa::server( content => template('sympa/vhost_ml.conf'), } - subversion::snapshot { '/etc/sympa/web_tt2': - source => 'svn://svn.mageia.org/svn/web/templates/sympa/trunk', - } +# git::snapshot { '/etc/sympa/web_tt2': +# source => "git://git.${::domain}/web/templates/sympa", +# } file { ['/etc/sympa/lists_xml/', '/etc/sympa/scenari/', 
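Review bot: `sympa::scenario::sender_restricted` documents none of its three parameters, and the contract matters: the `sender.restricted` template in this commit iterates `email` with `for e in @email`, so it expects an array, while `ldap_group` is a single group name whose `search(<group>.ldap)` rule only resolves if a matching `sympa::search_filter::ldap` resource exists. A header comment stating this — e.g. `# email: array of addresses allowed to post; ldap_group: LDAP group allowed to post (needs sympa::search_filter::ldap); allow_subscriber: also accept subscribers and @mageia.org senders` — would save the next caller from passing a bare string. The template is only rendered into the file resource, so nothing in the define itself would catch a wrong type.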
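Review bot: The new `service { 'sympa-outgoing': ensure => running, require => Service['sympa'] }` manages only the running state; without `enable => true` and a `subscribe` matching the one on `Service['sympa']`, the outgoing daemon is neither guaranteed to start at boot nor restarted when `sympa.conf` changes, so a config change that restarts `sympa` leaves `sympa-outgoing` on the old settings. Adding `enable => true,` and `subscribe => File['/etc/sympa/sympa.conf'],` alongside the `require` would close both gaps, assuming the init script supports being enabled.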
@@ -75,8 +80,6 @@ class sympa::server( source => 'puppet:///modules/sympa/scenari/open_web_only_notify'; '/etc/sympa/scenari/unsubscribe.open_web_only_notify': source => 'puppet:///modules/sympa/scenari/open_web_only_notify'; - '/etc/sympa/scenari/send.subscriber_moderated': - source => 'puppet:///modules/sympa/scenari/subscriber_moderated'; '/etc/sympa/scenari/create_list.forbidden': source => 'puppet:///modules/sympa/scenari/forbidden'; '/etc/sympa/topics.conf': @@ -96,4 +99,5 @@ class sympa::server( ensure => directory, owner => 'sympa', } + } diff --git a/modules/sympa/manifests/variable.pp b/modules/sympa/manifests/variable.pp index 274c4bb8..26f60294 100644 --- a/modules/sympa/manifests/variable.pp +++ b/modules/sympa/manifests/variable.pp @@ -1,3 +1,3 @@ class sympa::variable { - $vhost = "ml.$::domain" + $vhost = "ml.${::domain}" } diff --git a/modules/sympa/templates/auth.conf b/modules/sympa/templates/auth.conf index af998b68..854fdf9c 100644 --- a/modules/sympa/templates/auth.conf +++ b/modules/sympa/templates/auth.conf @@ -6,8 +6,10 @@ ldap get_dn_by_email_filter (|(mail=[sender])(mailalternateaddress=[sender])) email_attribute mail scope sub - use_ssl 1 + use_tls ldaps + ssl_version tlsv1_2 + ca_verify none bind_dn cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> - bind_password <%= ldap_password %> + bind_password <%= scope.lookupvar("sympa::server::ldap_password") %> authentication_info_url <%= authentication_info_url %> diff --git a/modules/sympa/templates/config b/modules/sympa/templates/config index 36510531..4262f3ca 100644 --- a/modules/sympa/templates/config +++ b/modules/sympa/templates/config 
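Review bot: `ca_verify none` on the new LDAPS block disables certificate verification for the bind that carries `bind_password`, so the move from `use_ssl 1` to `use_tls ldaps` with `ssl_version tlsv1_2` gains a modern protocol but authenticates nothing: any host answering as `ldap.<domain>` is accepted and the service-account credential is handed to it. The same `ca_verify none` is added to the `include_ldap_query` paragraph of the `config` template, to `data_sources/ldap_group.incl` and to `search_filters/group.ldap` in this commit. Sympa accepts `ca_verify required` together with `ca_file`/`ca_path` pointing at the CA that issued the LDAP server certificate; if that CA is not yet deployed on the host, a `# TODO: switch to ca_verify required once the internal CA is installed` comment next to each occurrence at least records the gap.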
@@ -1,10 +1,16 @@ -subject <%= subject %> -status open +archive +period month +mail_access owner +<%- if public_archive and not @critical -%> +web_access public +<%- else -%> +web_access private +<%- end -%> visibility noconceal -lang <%= language %> +digest 1,4 13:26 <% if subscriber_ldap_group and not subscription_open %> # TODO check scenari 
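Review bot: The new conditional `<%- if public_archive and not @critical -%>` mixes the bare-name lookup `public_archive` with the instance-variable form `@critical` in one expression; the same mix recurs through the rest of this template (`@reply_to`, `@name` next to `language`, `topics`, `subscriber_ldap_group`) and in `scenari/sender.restricted` (`allow_subscriber` next to `@email`, `@ldap_group`). Bare-name variable access in ERB templates was deprecated in Puppet 3 and removed in Puppet 4, so the lines that still use it are the ones that will break on upgrade; writing `@public_archive` here and `@`-prefixing the remaining ones keeps the templates on one convention. `mail_access owner` and the `web_access private` fallback read as deliberate fail-closed defaults and could carry a one-line comment saying so.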
@@ -17,91 +23,81 @@ subscribe open_web_only_notify unsubscribe open_web_only_notify <% end %> -# TODO reception nomail -# profile normal - -owner -email postmaster@<%= domain %> -gecos Sysadmin team -reception nomail - -owner_include -source mga-sysadmin +editor +email listmaster@<%= domain %> reception nomail -profile normal +gecos Moderator team visibility conceal -editor -email listmaster@<%= domain %> -gecos Moderator team +editor_include reception nomail - -editor_include source mga-ml_moderators -reception nomail visibility conceal +subject <%= subject %> -<% if reply_to %> -# TODO -reply_to_header -value other_email -other_email <%= reply_to %> -apply forced +custom_subject <%= custom_subject %> + +<%- if @critical -%> +info conceal + +subscribe auth owner + +unsubscribe auth_notify + +invite owner <% end %> +lang <%= language %> +owner +gecos Sysadmin team +reception nomail +email postmaster@<%= domain %> +visibility noconceal +profile normal -<% if sender_email %> -#TODO write scenari -send restricted_<%= sender_email_file %> +owner_include +profile normal +visibility conceal +source mga-sysadmin +reception nomail -<% elsif sender_ldap_group %> -#TODO write scenari -send restricted_<%= sender_ldap_group %> -<% else %> -#TODO write scenari -send subscriber_moderated +<%- if @reply_to -%> +reply_to_header +value other_email +other_email <%= reply_to %> +apply forced +<%- end -%> -<% end %> +review owner <% if topics %> topics <%= topics %> <% end %> +send restricted_<%= @name %> + <% if subscriber_ldap_group %> include_ldap_query - host ldap.<%= domain %> - suffix ou=People,<%= dc_suffix %> timeout 10 - filter (memberOf=cn=<%= subscriber_ldap_group %>,ou=Group,<%= dc_suffix %>) - attrs mail - select first scope one - use_ssl yes - user cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> - passwd <%= ldap_password %> - -<% end %> - -<%- if public_archive -%> -web_archive - #TODO check - access public -<%- else -%> -web_archive - #TODO check - access 
private -<%- end -%> - -archive -access owner -period month + select first + ssl_version tlsv1_2 + ca_verify none + use_tls ldaps + attrs mail + ssl_ciphers ALL + passwd <%= scope.lookupvar("sympa::server::ldap_password") %> + user cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> + suffix ou=People,<%= dc_suffix %> + filter (memberOf=cn=<%= subscriber_ldap_group %>,ou=Group,<%= dc_suffix %>) + host ldap.<%= domain %> -digest 1,4 13:26 +<% end %> -review private +process_archive on -custom_subject <%= custom_subject %> +status open diff --git a/modules/sympa/templates/data_sources/ldap_group.incl b/modules/sympa/templates/data_sources/ldap_group.incl index 4517fe26..609a7e42 100644 --- a/modules/sympa/templates/data_sources/ldap_group.incl +++ b/modules/sympa/templates/data_sources/ldap_group.incl @@ -1,8 +1,10 @@ include_ldap_2level_query host ldap.<%= domain %> - use_ssl yes + use_tls ldaps + ssl_version tlsv1_2 + ca_verify none user cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> - passwd <%= ldap_password %> + passwd <%= scope.lookupvar("sympa::server::ldap_password") %> suffix1 ou=Group,<%= dc_suffix %> scope1 one filter1 (&(objectClass=groupOfNames)(cn=<%= name %>)) @@ -13,4 +15,3 @@ include_ldap_2level_query filter2 (objectClass=inetOrgPerson) attrs2 mail select2 first - diff --git a/modules/sympa/templates/list.xml b/modules/sympa/templates/list.xml index 1d83125e..74e4f07f 100644 --- a/modules/sympa/templates/list.xml +++ b/modules/sympa/templates/list.xml @@ -6,10 +6,11 @@ <description/> <status>open</status> <language><%= language %></language> - <owner_include> - <source>mga-sysadm</source> + <owner_include multiple="1"> + <source>mga-sysadmin</source> </owner_include> - <editor_include> + <editor_include multiple="1"> <source>mga-ml_moderators</source> </editor_include> + <topic><%= topics %></topic> </list> 
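Review bot: `ssl_ciphers ALL` in the new `include_ldap_query` paragraph is the OpenSSL catch-all that still admits anonymous and low-grade suites; combined with `ca_verify none` on the same block, the TLS 1.2 session to `ldap.<domain>` can be negotiated with no server authentication at all while `passwd` is sent over it. A restrictive string such as `ssl_ciphers HIGH:!aNULL:!MD5`, or simply dropping the line to take the library default, belongs here. Separately, `review owner` replaces the previous `review private`, which narrows member-list access from subscribers to owners; that is a visible behaviour change and worth a comment on the line.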
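Review bot: The added `<topic><%= topics %></topic>` is rendered unconditionally, but `topics` defaults to `false` in `sympa::list` and every `sympa::list::*` wrapper in this commit, so a list created without topics gets `<topic>false</topic>` in its creation XML and Sympa is handed a topic literally named `false`. The `config` template already guards the same value with `<% if topics %>`; wrapping this element the same way, `<% if topics %><topic><%= topics %></topic><% end %>`, keeps the two in step.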
diff --git a/modules/sympa/templates/scenari/sender.email b/modules/sympa/templates/scenari/sender.email
deleted file mode 100644
index ee293dfd..00000000
--- a/modules/sympa/templates/scenari/sender.email
+++ /dev/null
@@ -1,5 +0,0 @@
-title.gettext restricted to email <%= name %>
-
-equal([sender], '<%= name %>') smtp,md5,smime -> do_it
-true() smtp,md5,smime -> reject(reason='send_subscriber')
-
diff --git a/modules/sympa/templates/scenari/sender.ldap_group b/modules/sympa/templates/scenari/sender.ldap_group
deleted file mode 100644
index d1abe66d..00000000
--- a/modules/sympa/templates/scenari/sender.ldap_group
+++ /dev/null
@@ -1,5 +0,0 @@
-title.gettext restricted to group <%= name %>
-
-search(<%= name %>.ldap) smtp,md5,smime -> do_it
-true() smtp,md5,smime -> reject(reason='send_subscriber')
-
diff --git a/modules/sympa/templates/scenari/sender.restricted b/modules/sympa/templates/scenari/sender.restricted
new file mode 100644
index 00000000..66139e6c
--- /dev/null
+++ b/modules/sympa/templates/scenari/sender.restricted
@@ -0,0 +1,17 @@
+title.gettext restricted list
+
+<%- if @ldap_group -%>
+search(<%= @ldap_group %>.ldap) smtp,md5,smime -> do_it
+<%- end -%>
+<%- if @email -%>
+ <%- for e in @email -%>
+equal([sender], '<%= e %>') smtp,md5,smime -> do_it
+ <%- end -%>
+<%- end -%>
+<%- if allow_subscriber -%>
+equal([sender], 'sysadmin@group.mageia.org') smtp,smime,md5 -> do_it
+match([sender], /@mageia\.org$/) smtp,smime,md5 -> do_it
+is_subscriber([listname],[sender]) smtp,smime,md5 -> do_it
+true() smime,md5 -> do_it
+<%- end -%>
+true() smtp,md5,smime -> reject(reason='send_subscriber')
diff --git a/modules/sympa/templates/search_filters/group.ldap b/modules/sympa/templates/search_filters/group.ldap
index fd1f28d9..884e0db1 100644
--- a/modules/sympa/templates/search_filters/group.ldap
+++ b/modules/sympa/templates/search_filters/group.ldap
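Review bot: The `allow_subscriber` branch accepts any message whose sender matches `/@mageia\.org$/` or equals `sysadmin@group.mageia.org` under the `smtp` authentication method, i.e. on the strength of the presented sender address alone, which is the weakest of the three methods listed; every list built with `sender_subscriber => true` therefore trusts a claimed domain rather than a verified identity. That may be an accepted trade-off, but it should be stated in the template, e.g. `# smtp = sender address only, no verification; the domain rule relies on the upstream MTA's policy`, and if this Sympa version offers the `dkim` authentication method it would be the natural replacement for `smtp` on the two domain rules. The `true() smime,md5 -> do_it` line lets any S/MIME-signed or md5-confirmed sender post without being a subscriber, which is carried over from the deleted `subscriber_moderated` scenario and reads as intended; a comment saying so would stop it being "fixed" later.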
@@ -1,7 +1,9 @@
 host ldap.<%= domain %>:636
 bind_dn cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>
-bind_password <%= ldap_password %>
-use_ssl yes
+bind_password <%= scope.lookupvar("sympa::server::ldap_password") %>
+use_tls ldaps
+ssl_version tlsv1_2
+ca_verify none
 suffix ou=People,<%= dc_suffix %>
 filter (&(mail=[sender])(memberOf=cn=<%= name %>,ou=Group,<%= dc_suffix %>))
 scope sub
diff --git a/modules/sympa/templates/sympa.conf b/modules/sympa/templates/sympa.conf
index 83654914..edfaba15 100644
--- a/modules/sympa/templates/sympa.conf
+++ b/modules/sympa/templates/sympa.conf
@@ -1,297 +1,627 @@ -###\\\\ Directories and file location ////### +###\\\\ Service description ////### -## Directory containing mailing lists subdirectories -home /var/lib/sympa/expl +## Primary mail domain name +domain <%= vhost %> -## Directory for configuration files ; it also contains scenari/ and templates/ directories -etc /etc/sympa +## Email addresses of listmasters +## Email addresses of the listmasters (users authorized to perform global +## server commands). Some error reports may also be sent to these addresses. +## Listmasters can be defined for each virtual host, however, the default +## listmasters will have privileges to manage all virtual hosts. +listmaster listmaster@<%= vhost %> -## File containing Sympa PID while running. -## Sympa also locks this file to ensure that it is not running more than once. Caution : user sympa need to write access without special privilegee. -pidfile /var/run/sympa/sympa.pid +## Default language +## This is the default language used by Sympa. One of supported languages +## should be chosen. 
+lang en-US -pidfile_distribute /var/run/sympa/sympa-distribute.pid - -pidfile_creation /var/run/sympa/sympa-creation.pid - -pidfile_bulk /var/run/sympa/bulk.pid - -## Umask used for file creation by Sympa -umask 027 - -## Directory containing available NLS catalogues (Message internationalization) -localedir /usr/share/locale - -## The main spool containing various specialized spools -## All spool are created at runtime by sympa.pl -spool /var/spool/sympa - -## Incoming spool -queue /var/spool/sympa/msg - -## Bounce incoming spool -queuebounce /var/spool/sympa/bounce - -## Automatic list creation spool -queueautomatic /var/spool/sympa/automatic - -## -queuedigest /var/spool/sympa/digest - -## -queuemod /var/spool/sympa/moderation - -## -queuetopic /var/spool/sympa/topic - -## -queueauth /var/spool/sympa/auth - -## -queueoutgoing /var/spool/sympa/outgoing - -## -queuetask /var/spool/sympa/task - -## -queuesubscribe /var/spool/sympa/subscribe - -## URL to a virtual host. -http_host http://domain.tld - -## The directory where Sympa stores static contents (CSS, members pictures, documentation) directly delivered by Apache -static_content_path /var/lib/sympa/static_content - -## The URL mapped with the static_content_path directory defined above -static_content_url /static-sympa - -###\\\\ Syslog ////### - -## The syslog facility for sympa -## Do not forget to edit syslog.conf -syslog mail +## Supported languages +## All supported languages for the user interface. Languages proper locale +## information not installed are ignored. +supported_lang en_US + +## Title of service +## The name of your mailing list service. It will appear in the header of web +## interface and subjects of several service messages. +title Mageia Mailing lists service + +## Display name of Sympa +## This parameter is used for display name in the "From:" header field for the +## messages sent by Sympa itself. 
+gecos SYMPA + +## Support of legacy character set +## If set to "on", enables support of legacy character set according to +## charset.conf(5) configuration file. +## In some language environments, legacy encoding (character set) can be +## preferred for e-mail messages: for example iso-2022-jp in Japanese +## language. +legacy_character_support_feature off + +###\\\\ Database related ////### + +## Type of the database +## Possible types are "MySQL", "PostgreSQL", "Oracle", "Sybase" and "SQLite". +db_type PostgreSQL + +## Hostname of the database server +## With PostgreSQL, you can also use the path to Unix Socket Directory, e.g. +## "/var/run/postgresql" for connection with Unix domain socket. +db_host pg.<%= domain %> + +## Port of the database server +db_port 5432/tcp -## Communication mode with syslogd is either unix (via Unix sockets) or inet (use of UDP) -log_socket_type unix +## Name of the database +## With SQLite, this must be the full path to database file. With Oracle +## Database, this must be Oracle SID. +db_name sympa + +## User for the database connection +db_user sympa + +## Password for the database connection +## What ever you use a password or not, you must protect the SQL server (is it +## not a public internet service ?) +db_passwd <%= scope.lookupvar("sympa::server::pgsql_password") %> + +## Environment variables setting for database +## With Oracle Database, this is useful for defining ORACLE_HOME and NLS_LANG. +# db_env NLS_LANG=American_America.AL32UTF8;ORACLE_HOME=/u01/app/oracle/product/11.2.0/server + +## Database private extension to subscriber table +## Adds more fields to "subscriber_table" table. Sympa recognizes fields +## defined with this parameter. You will then be able to use them from within +## templates and scenarios: +## * for scenarios: [subscriber->field] +## * for templates: [% subscriber.field %] +## These fields will also appear in the list members review page and will be +## editable by the list owner. 
This parameter is a comma-separated list. +## You need to extend the database format with these fields +# db_additional_subscriber_fields billing_delay,subscription_expiration -## Log intensity -## 0 : normal, 2,3,4 for debug -log_level 0 +## Database private extension to user table +## Adds more fields to "user_table" table. Sympa recognizes fields defined +## with this parameter. You will then be able to use them from within +## templates: [% subscriber.field %] +## This parameter is a comma-separated list. +## You need to extend the database format with these fields +# db_additional_user_fields age,address -log_smtp off +###\\\\ System log ////### -## Number of months that elapse before a log is expired. -logs_expiration_period 3 +## System log facility for Sympa +## Do not forget to configure syslog server. +syslog mail -###\\\\ General definition ////### +## Communication mode with syslog server +log_socket_type unix -## Main robot hostname -domain <%= vhost %> +## Log verbosity +## Sets the verbosity of logs. +## 0: Only main operations are logged +## 3: Almost everything is logged. +log_level 0 -## Listmasters email list comma separated -## Sympa will associate listmaster privileges to these email addresses (mail and web interfaces). Some error reports may also be sent to these addresses. -listmaster listmaster@<%= vhost %> +###\\\\ Receiving ////### -## Local part of sympa email adresse -## Effective address will be \[EMAIL\]@\[HOST\] -email sympa +## Default maximum number of list members +## Default limit for the number of subscribers per list (0 means no limit). +default_max_list_members 0 -## Who is able to create lists -## This parameter is a scenario, check sympa documentation about scenarios if you want to define one -create_list forbidden +## Maximum size of messages +## Incoming messages smaller than this size is allowed distribution by Sympa. 
+max_size 5242880 -edit_list owner +## Reject mail sent from automated services to list +## Rejects messages that seem to be from automated services, based on a few +## header fields ("Content-Identifier:", "Auto-Submitted:"). +## Sympa also can be configured to reject messages based on the "From:" header +## field value (see "loop_prevention_regex"). +reject_mail_from_automates_feature off -###\\\\ Tuning ////### +## Priority for command messages +## Priority applied to messages sent to Sympa command address. +sympa_priority 1 -## Use of binary version of the list config structure on disk: none | binary_file -## Set this parameter to "binary_file" if you manage a big amount of lists (1000+) ; it should make the web interface startup faster -cache_list_config none +## Priority for messages bound for list owners +## Priority for processing of messages bound for "LIST-request" address, i.e. +## owners of the list +request_priority 0 -## Sympa commands priority -sympa_priority 1 +## Priority for non-VERP bounces +## Priority for processing of messages bound for "LIST-owner" address, i.e. +## non-delivery reports (bounces). +owner_priority 9 ## Default priority for list messages -default_list_priority 5 - -## Default timeout between two scheduled synchronizations of list members with data sources. -default_ttl 3600 - -## Default timeout between two action-triggered synchronizations of list members with data sources. -default_distribution_ttl 300 - -## Default priority for a packet to be sent by bulk. -sympa_packet_priority 5 - -request_priority 0 - -owner_priority 9 - -## The minimum number of packets in database before the bulk forks to increase sending rate -## -bulk_fork_threshold 1 - -## The max number of bulks that will run on the same server. -## -bulk_max_count 3 - -## the number of seconds a slave bulk will remain running without processing a message before it spontaneously dies. 
-## -bulk_lazytime 600 - -## The number of seconds a master bulk waits between two packets number checks. -## Keep it small if you expect brutal increases in the message sending load. -bulk_wait_to_fork 10 - -## the number of seconds a bulk sleeps between starting a new loop if it didn't find a message to send. +## Priority for processing of messages posted to list addresses. +default_list_priority 5 + +###\\\\ Sending related ////### + +## Header fields to be removed from incoming messages +## Use it, for example, to ensure some privacy for your users in case that +## "anonymous_sender" mode is inappropriate. +## The removal of these header fields is applied before Sympa adds its own +## header fields ("rfc2369_header_fields" and "custom_header"). +# was remove_headers ARRAY(0x4116e50) +remove_headers X-Sympa-To,X-Family-To,Return-Receipt-To,Precedence,X-Sequence,Disposition-Notification-To + +## RFC 2369 header fields +## Specify which RFC 2369 mailing list header fields to be added. +## "List-Id:" header field defined in RFC 2919 is always added. Sympa also +## adds "Archived-At:" header field defined in RFC 5064. +# was rfc2369_header_fields ARRAY(0x4116c88) +rfc2369_header_fields help,subscribe,unsubscribe,post,owner,archive + +## Default priority for a packet +## The default priority set to a packet to be sent by the bulk. +sympa_packet_priority 5 + +## Fork threshold of bulk daemon +## The minimum number of packets before bulk daemon forks the new worker to +## increase sending rate. +bulk_fork_threshold 1 + +## Maximum number of bulk workers +bulk_max_count 3 + +## Idle timeout of bulk workers +## The number of seconds a bulk worker will remain running without processing +## a message before it spontaneously exists. +bulk_lazytime 600 + +## Sleep time of bulk workers +## The number of seconds a bulk worker sleeps between starting a new loop if +## it didn't find a message to send. ## Keep it small if you want your server to be reactive. 
-bulk_sleep 1 - -## Secret used by Sympa to make MD5 fingerprint in web cookies secure -## Should not be changed ! May invalid all user password -#cookie 123456789 - -## If set to "on", enables support of legacy characters -## -legacy_character_support_feature off - -## The default maximum size (in bytes) for messages (can be re-defined for each list) -max_size 5242880 - -## comma separated list of operations for which blacklist filter is applied -## Setting this parameter to "none" will hide the blacklist feature -use_blacklist send,create_list - -## Specify which rfc2369 mailing list headers to add -rfc2369_header_fields help,subscribe,unsubscribe,post,owner,archive - -## Specify header fields to be removed before message distribution -remove_headers X-Sympa-To,X-Family-To,Return-Receipt-To,Precedence,X-Sequence,Disposition-Notification-To - -bounce_warn_rate 30 +bulk_sleep 1 -bounce_halt_rate 50 - -###\\\\ Internationalization ////### - -## Default lang (ca | cs | de | el | es | et_EE | en_US | fr | fi | hu | it | ja_JP | ko | nl | nb_NO | oc | pl | pt_BR | ru | sv | tr | vi | zh_CN | zh_TW) -## This is the default language used by Sympa -lang en_US - -## Supported languages -## This is the set of language that will be proposed to your users for the Sympa GUI. Don't select a language if you don't have the proper locale packages installed. -#supported_lang ca,cs,de,el,es,et_EE,en_US,fr,fi,hu,it,ja_JP,ko,nl,nb_NO,oc,pl,pt_BR,ru,sv,tr,vi,zh_CN,zh_TW -supported_lang en_US +## Interval between checks of packet numbers +## Number of seconds a master bulk daemon waits between two packets number +## checks. +## Keep it small if you expect brutal increases in the message sending load. +bulk_wait_to_fork 10 + +## Path to sendmail +## Absolute path to sendmail command line utility (e.g.: a binary named +## "sendmail" is distributed with Postfix). +## Sympa expects this binary to be sendmail compatible (exim, Postfix, qmail +## and so on provide it). 
Sympa also bundles "sympa_smtpc" program which may +## be a replacement to sendmail binary. +sendmail /usr/sbin/sendmail + +## Log invocation of sendmail +## This can be overwritten by "-m" option for sympa.pl. +log_smtp off + +## Maximum number of sendmail processes +## Maximum number of simultaneous child processes spawned by Sympa. This is +## the main load control parameter. +## Proposed value is quite low, but you can rise it up to 100, 200 or even 300 +## with powerful systems. +maxsmtp 40 + +## Maximum number of recipients per call to sendmail +## This grouping factor makes it possible for the sendmail processes to +## optimize the number of SMTP sessions for message distribution. If needed, +## you can limit the number of recipients for a particular domain. Check the +## "nrcpt_by_domain.conf" configuration file. +nrcpt 25 + +## Maximum number of different mail domains per call to sendmail +avg 10 + +###\\\\ Privileges ////### -###\\\\ Errors management ////### +## Who is able to create lists +## Defines who can create lists (or request list creation) by creating new +## lists or by renaming or copying existing lists. +create_list forbidden + +## Use blacklist +## List of operations separated by comma for which blacklist filter is +## applied. Setting this parameter to "none" will hide the blacklist feature. +use_blacklist send,create_list + +## List of required domains for list owner addresses +## Restrict list ownership to addresses in the specified domains. This can be +## used to reserve list ownership to a group of trusted users from a set of +## domains associated with an organization, while allowing editors and +## subscribers from the Internet at large. +# owner_domain domain1.tld domain2.tld + +## Minimum number of list owners that must match owner_domain restriction +## Minimum number of list owners that must satisfy the owner_domain +## restriction. The default of zero (0) means *all* list owners must match. 
+## Setting to 1 requires only one list owner to match owner_domain; all other +## owners can be from any domain. This setting can be used to ensure that +## there is always at least one known contact point for a mailing list. +owner_domain_min 0 + +###\\\\ Archives ////### + +## Store distributed messages into archive +## If enabled, distributed messages via lists will be archived. Otherwise +## archiving is disabled. +## Note that even if setting this parameter disabled, past archives will not +## be removed and will be accessible according to access settings by each +## list. +process_archive on + +## Path to MHonArc mail-to-HTML converter +## This is required for HTML mail archiving. +mhonarc /usr/bin/mhonarc + +# There is a need to protect Sympa website against spambot +spam_protection javascript + +# The same as spam_protection, but restricted to the web archive. +web_archive_spam_protection cookie + +###\\\\ Bounce management and tracking ////### + +## Default bounce warn rate +## The list owner receives a warning whenever a message is distributed and the +## number (percentage) of bounces exceeds this value. +bounce_warn_rate 30 + +## Default bounce halt rate +## NOT USED YET. If bounce rate reaches the halt_rate, messages for the list +## will be halted, i.e. they are retained for subsequent moderation. +bounce_halt_rate 50 + +## Remove bouncing new subscribers +## If set to unique, the welcome message is sent using a unique return path in +## order to remove the subscriber immediately in the case of a bounce. +welcome_return_path owner + +## Remove subscribers bouncing remind message +## Same as welcome_return_path, but applied to remind messages. +remind_return_path owner + +## Task for expiration of old bounces +## This task resets bouncing information for addresses not bouncing in the +## last 10 days after the latest message distribution. 
+expire_bounce_task daily + +###\\\\ Automatic lists ////### + +## Definition of automatic list families +## Defines the families the automatic lists are based on. It is a character +## string structured as follows: +## * each family is separated from the other by a semi-column (;) +## * inside a family definition, each field is separated from the other by a +## column (:) +## * each field has the structure: "<field name>=<filed value>" +## Basically, each time Sympa uses the automatic lists families, the values +## defined in this parameter will be available in the family object. +## * for scenarios: [family->name] +## * for templates: [% family.name %] +# automatic_list_families name=family_one:prefix=f1:display=My automatic lists:prefix_separator=+:classes separator=-:family_owners_list=alist@domain.tld;name=family_two:prefix=f2:display=My other automatic lists:prefix_separator=+:classes separator=-:family_owners_list=anotherlist@domain.tld; + +## Parsed files for families +## comma-separated list of files that will be parsed by Sympa when +## instantiating a family (no space allowed in file names) +parsed_family_files message.footer,message.header,message.footer.mime,message.header.mime,info + +###\\\\ Tag based spam filtering ////### + +## Header field to tag spams +## If a spam filter (like spamassassin or j-chkmail) add a header field to tag +## spams, name of this header field (example X-Spam-Status) +antispam_tag_header_name X-Spam-Status + +## Regular expression to check header field to tag spams +## Regular expression applied on this header to verify message is a spam +## (example Yes) +antispam_tag_header_spam_regexp ^\s*Yes + +## Regular expression to determine spam or ham. +## Regular expression applied on this header field to verify message is NOT a +## spam (example No) +antispam_tag_header_ham_regexp ^\s*No + +## Name of header field to inform +## Messages are supposed to be filtered by an spam filter that add one more +## headers to messages. 
This parameter is used to select a special scenario in +## order to decide the message spam status: ham, spam or unsure. This +## parameter replace antispam_tag_header_name, antispam_tag_header_spam_regexp +## and antispam_tag_header_ham_regexp. +spam_status x-spam-status + +###\\\\ Directories ////### + +## List home +## Base directory of list configurations. +home /var/lib/sympa/expl + +## Directory for configuration files +## Base directory of global configuration (except "sympa.conf"). +etc /etc/sympa + +## Base directory of spools +## Base directory of all spools which are created at runtime. This directory +## must be writable by Sympa user. +spool /var/spool/sympa + +## Directory for message incoming spool +## This spool is used both by "queue" program and "sympa_msg.pl" daemon." +queue /var/spool/sympa/msg + +## Directory for moderation spool +queuemod /var/spool/sympa/moderation + +## Directory for digest spool +queuedigest /var/spool/sympa/digest + +## Directory for held message spool +## This parameter is named such by historical reason. +queueauth /var/spool/sympa/auth + +## Directory for archive spool +## This parameter is named such by historical reason. +queueoutgoing /var/spool/sympa/outgoing + +## Directory for held request spool +## This parameter is named such by historical reason. +queuesubscribe /var/spool/sympa/subscribe + +## Directory for topic spool +queuetopic /var/spool/sympa/topic + +## Directory for bounce incoming spool +## This spool is used both by "bouncequeue" program and "bounced.pl" daemon. +queuebounce /var/spool/sympa/bounce + +## Directory for task spool +queuetask /var/spool/sympa/task + +## Directory for automatic list creation spool +## This spool is used both by "familyqueue" program and "sympa_automatic.pl" +## daemon. +queueautomatic /var/spool/sympa/automatic + +## Directory for message outgoing spool +## This parameter is named such by historical reason. 
+queuebulk /var/spool/sympa/bulk + +## Directory to cache formatted messages +## Base directory path of directories where HTML view of messages are cached. +viewmail_dir /var/spool/sympa/viewmail + +## Directory for storing bounces +## The directory where bounced.pl daemon will store the last bouncing message +## for each user. A message is stored in the file: <bounce_path>/<list +## name>@<mail domain name>/<email address>, or, if tracking is enabled: +## <bounce_path>/<list name>@<mail domain name>/<email address>_<envelope ID>. +## Users can access to these messages using web interface in the bounce +## management page. +## Don't confuse with "queuebounce" parameter which defines the spool where +## incoming error reports are stored and picked by bounced.pl daemon. +bounce_path /var/lib/sympa/bounce + +## Directory for storing archives +## Where to store HTML archives. This parameter is used by the "archived.pl" +## daemon. It is a good idea to install the archive outside the web document +## hierarchy to ensure accesses passing WWSympa's access control will be +## prevented. +arc_path /var/lib/sympa/arc + +###\\\\ Miscellaneous ////### + +## Local part of Sympa email address +## Local part (the part preceding the "@" sign) of the address by which mail +## interface of Sympa accepts mail commands. +## If you change the default value, you must modify the mail aliases too. +email sympa + +## Custom robot parameter +## Used to define a custom parameter for your server. Do not forget the +## semicolon between the parameter name and the parameter value. +## You will be able to access the custom parameter value in web templates by +## variable "conf.custom_robot_parameter.<param_name>" +# custom_robot_parameter param_name ; param_value + +## Use of binary cache of list configuration +## binary_file: Sympa processes will maintain a binary version of the list +## configuration, "config.bin" file on local disk. 
If you manage a big amount +## of lists (1000+), it should make the web interface startup faster. +## You can recreate cache by running "sympa.pl --reload_list_config". +cache_list_config none + +## Max age of logs in database +## Number of months that elapse before a log is expired +logs_expiration_period 3 + +## Umask +## Default mask for file creation (see umask(2)). Note that it will be +## interpreted as an octal value. +umask 027 + +## Secret string for generating unique keys +## This allows generated authentication keys to differ from a site to another. +## It is also used for encryption of user passwords stored in the database. +## The presence of this string is one reason why access to "sympa.conf" needs +## to be restricted to the "sympa" user. +## Note that changing this parameter will break all HTTP cookies stored in +## users' browsers, as well as all user passwords and lists X509 private keys. +## To prevent a catastrophe, Sympa refuses to start if this "cookie" parameter +## was changed. +# cookie 123456789 + +###\\\\ Web interface parameters ////### + +## URL prefix of web interface +## This is used to construct URLs of web interface. +wwsympa_url https://<%= vhost %>/l + +## URL prefix of WWSympa behind proxy +#http_host http://domain.tld + +## URL for static contents +## HTTP server have to map it with "static_content_path" directory. +static_content_url /static-sympa +css_url /static-sympa/css +pictures_url /static-sympa/pictures + +## Directory for static contents +static_content_path /var/lib/sympa/static_content +css_path /var/lib/sympa/static_content/css +pictures_path /var/lib/sympa/static_content/pictures + +## System log facility for web interface +## System log facility for WWSympa, archived.pl and bounced.pl. Default is to +## use value of "syslog" parameter. +log_facility LOCAL1 + +###\\\\ Web interface parameters: Appearances ////### + +## Type of main web page +## "lists" for the page of list of lists. "home" for home page. 
+default_home lists + +## Default index organization of web archive +## thrd: Threaded index. +## mail: Chronological index. +archive_default_index thrd + +## Size of review page +## Default number of lines of the array displaying users in the review page +review_page_size 25 + +## Size of viewlogs page +## Default number of lines of the array displaying the log entries in the logs +## page. +viewlogs_page_size 25 + +###\\\\ Web interface parameters: Miscellaneous ////### + +## HTTP cookies validity domain +## If beginning with a dot ("."), the cookie is available within the specified +## Internet domain. Otherwise, for the specified host. The only reason for +## replacing the default value would be where WWSympa's authentication process +## is shared with an application running on another host. +cookie_domain <%= vhost %> + +## HTTP cookies lifetime +## This is the default value when not set explicitly by users. "0" means the +## cookie may be retained during browser session. +cookie_expire 0 + +## Average interval to refresh HTTP session ID. +cookie_refresh 60 + +## Use HTML editor +## If set to "on", users will be able to post messages in HTML using a +## javascript WYSIWYG editor. +use_html_editor 0 + +## URL of HTML editor +## URL path to the javascript file making the WYSIWYG HTML editor available. +## Relative path under <static_content_url> or absolute path. +## Example is for TinyMCE 4 installed under <static_content_path>/js/tinymce/. +# html_editor_url js/tinymce/tinymce.min.js + +## HTML editor initialization +## Javascript excerpt that enables and configures the WYSIWYG HTML editor. +# html_editor_init tinymce.init({selector:"#body",language:lang.split(/[^a-zA-Z]+/).join("_")}); + +## Count limit of wrong password submission +## If this limit is reached, the account is locked until the user renews their +## password. The default value is chosen in order to block bots trying to log +## in using brute force strategy. 
This value should never be reached by real +## users that will probably uses the renew password service before they +## performs so many tries. +max_wrong_password 19 + +## Password case +## "insensitive" or "sensitive". +## If set to "insensitive", WWSympa's password check will be insensitive. This +## only concerns passwords stored in the Sympa database, not the ones in LDAP. +## Should not be changed! May invalid all user password. +password_case insensitive + +###\\\\ S/MIME and TLS ////### -## Bouncing email rate for warn list owner -#bounce_warn_rate 20 +## Password used to crypt lists private keys +## If not defined, Sympa assumes that list private keys are not encrypted. +# key_passwd your_password -## Bouncing email rate for halt the list (not implemented) -## Not yet used in current version, Default is 50 -#bounce_halt_rate 50 +## Directory containing user certificates +ssl_cert_dir /var/lib/sympa/X509-user-certs -## Task name for expiration of old bounces -#expire_bounce_task daily +###\\\\ Data sources setup ////### -## Welcome message return-path -## If set to unique, new subcriber is removed if welcome message bounce -#welcome_return_path unique +## Default of SQL fetch timeout +## Default timeout while performing a fetch with include_sql_query. +default_sql_fetch_timeout 300 -###\\\\ MTA related ////### +###\\\\ DKIM ////### -## Path to the MTA (sendmail, postfix, exim or qmail) -## should point to a sendmail-compatible binary (eg: a binary named "sendmail" is distributed with Postfix) -sendmail /usr/sbin/sendmail +## Enable DKIM +## If set to "on", Sympa may verify DKIM signatures of incoming messages and/ +## or insert DKIM signature to outgoing messages. +dkim_feature off -## Maximum number of recipients per call to Sendmail. The nrcpt_by_domain.conf file allows a different tuning per destination domain. 
-nrcpt 25 +## Which service messages to be signed +## Inserts a DKIM signature to service messages in context of robot, list or +## both +dkim_add_signature_to robot,list -## Max. number of different domains per call to Sendmail -avg 10 +## The "d=" tag as defined in rfc 4871 +## The DKIM "d=" tag, is the domain of the signing entity. Default is virtual +## host domain name +dkim_signer_domain <%= vhost %> -## Max. number of Sendmail processes (launched by Sympa) running simultaneously -## Proposed value is quite low, you can rise it up to 100, 200 or even 300 with powerfull systems. -maxsmtp 40 +## Rewrite header for DKIM signed messages and DMARC rejecting domains +dmarc_protection_mode dkim_signature,dmarc_reject -###\\\\ Plugin ////### +###\\\\ Antivirus plug-in ////### ## Path to the antivirus scanner engine -## supported antivirus : McAfee/uvscan, Fsecure/fsav, Sophos, AVP and Trend Micro/VirusWall -#antivirus_path /usr/local/uvscan/uvscan - -## Antivirus pluggin command argument -#antivirus_args --secure --summary --dat /usr/local/uvscan +## Supported antivirus: Clam AntiVirus/clamscan & clamdscan, McAfee/uvscan, +## Fsecure/fsav, Sophos, AVP and Trend Micro/VirusWall +# antivirus_path /usr/local/bin/clamscan -###\\\\ S/MIME pluggin ////### +## Antivirus plugin command line arguments +# antivirus_args --no-summary --database /usr/local/share/clamav -## Path to OpenSSL -## Sympa knowns S/MIME if openssl is installed -#openssl /usr/bin/ssl +###\\\\ Password validation ////### -## The directory path use by OpenSSL for trusted CA certificates -#capath /etc/sympa/ssl.crt +## Password validation +## The password validation techniques to be used against user passwords that +## are added to mailing lists. 
Options come from Data::Password +## (https://search.cpan.org/~razinf/Data-Password-1.07/Password.pm#VARIABLES) +# password_validation MINLEN=8,GROUPS=3,DICTIONARY=4,DICTIONARIES=/pentest/dictionaries -## This parameter sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) -#cafile /usr/local/apache/conf/ssl.crt/ca-bundle.crt - -## User CERTs directory -ssl_cert_dir /var/lib/sympa/X509-user-certs - -crl_dir /var/lib/sympa/crl - -## Password used to crypt lists private keys -#key_passwd your_password - -###\\\\ Database ////### - -## Database type (mysql | Pg | Oracle | Sybase | SQLite) -## be carefull to the case -db_type Pg - -## Name of the database -## with SQLite, the name of the DB corresponds to the DB file -db_name sympa - -## The host hosting your sympa database -db_host pgsql.<%= domain %> - -## The database port -db_port 5432/tcp - -## Database user for connexion -db_user sympa - -## Database password (associated to the db_user) -## What ever you use a password or not, you must protect the SQL server (is it a not a public internet service ?) -db_passwd <%= pgsql_password %> - -## Database private extention to user table -## You need to extend the database format with these fields -#db_additional_user_fields age,address - -## Database private extention to subscriber table -## You need to extend the database format with these fields -#db_additional_subscriber_fields billing_delay,subscription_expiration +###\\\\ Authentication with LDAP ////### -###\\\\ Web interface ////### +## Use canonical email address for LDAP authentication +## When using LDAP authentication, if the identifier provided by the user was +## a valid email, if this parameter is set to false, then the provided email +## will be used to authenticate the user. Otherwise, use of the first email +## returned by the LDAP server will be used. 
+ldap_force_canonical_email 1 -## Sympa's main page URL -wwsympa_url https://<%= vhost %>/l +###\\\\ Obsoleted parameters ////### -## If a spam filter (like spamassassin or j-chkmail) add a smtp headers to tag spams, name of this header (example X-Spam-Status) -antispam_tag_header_name X-Spam-Status +## Default timeout between two scheduled synchronizations of list members with +## data sources. +default_ttl 3600 -## The regexp applied on this header to verify message is a spam (example \s*Yes) -antispam_tag_header_spam_regexp ^\s*Yes +## Default timeout between two action-triggered synchronizations of list +## members with data sources. +default_distribution_ttl 300 -## The regexp applied on this header to verify message is NOT a spam (example \s*No) -antispam_tag_header_ham_regexp ^\s*No +edit_list owner -# Disable alias management, already managed in postfix -sendmail_aliases none +## Enable FastCGI +## Is FastCGI module for HTTP server installed. This module provide much +## faster web interface. +use_fast_cgi 1 -# keep this enabled for bugzilla automatic mail sending -# feature ( which are marked as such in the header ) -reject_mail_from_automates_feature off +# Upgrade from 6.2.40 to 6.2.42 +# 22 May 2019 at 21:22:06 +shared_feature on diff --git a/modules/sympa/templates/vhost_ml.conf b/modules/sympa/templates/vhost_ml.conf index ad6b4400..11aa7ae5 100644 --- a/modules/sympa/templates/vhost_ml.conf +++ b/modules/sympa/templates/vhost_ml.conf @@ -2,13 +2,19 @@ RewriteRule ^/?$ /l/home [R] RewriteRule ^/l$ /l/ RewriteRule ^/l/(.*)$ /wwsympa-wrapper.fcgi/$1 - + DocumentRoot <%= lib_dir + "/sympa/cgi" %> Alias /static-sympa /var/lib/sympa/static_content <Directory /var/lib/sympa/static_content> - Order allow,deny - Allow from all + <IfModule mod_authz_core.c> + # Apache 2.4 + Require all granted + </IfModule> + <IfModule !mod_authz_core.c> + # Apache 2.2 + Order allow,deny + Allow from all + </IfModule> </Directory> - 
diff --git a/modules/sympa/templates/webapp_sympa.conf b/modules/sympa/templates/webapp_sympa.conf index b920a8f1..1a508199 100644 --- a/modules/sympa/templates/webapp_sympa.conf +++ b/modules/sympa/templates/webapp_sympa.conf @@ -1,8 +1,16 @@ <Directory <%= lib_dir + "/sympa/cgi" %> > - Options ExecCGI - AddHandler fastcgi-script .fcgi + SetHandler fcgid-script + Options +ExecCGI + AddHandler cgi-script .fcgi DirectoryIndex wwsympa-wrapper.fcgi - Order allow,deny - Allow from all + <IfModule mod_authz_core.c> + # Apache 2.4 + Require all granted + </IfModule> + <IfModule !mod_authz_core.c> + # Apache 2.2 + Order allow,deny + Allow from all + </IfModule> </Directory> diff --git a/modules/testvm/manifests/init.pp b/modules/testvm/manifests/init.pp index a13608f1..d8ca9564 100644 --- a/modules/testvm/manifests/init.pp +++ b/modules/testvm/manifests/init.pp 
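Review bot: `SetHandler fcgid-script` in the new <Directory> block forces every file under the directory through mod_fcgid, so the `AddHandler cgi-script .fcgi` line right below it is never consulted and looks like a leftover of the old `fastcgi-script` mapping. Either drop the AddHandler line, or, if only the wrapper should be executable, scope the handler with `<Files "*.fcgi">` around `SetHandler fcgid-script` so that any other file that ends up in the cgi directory is not handed to fcgid. The Apache 2.2/2.4 access-control switch in the same hunk is fine as written.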
@@ -1,40 +1,40 @@ class testvm { - $testvm_login = "testvm" - $testvmdir = "/home/testvm" + $testvm_login = 'testvm' + $testvmdir = '/home/testvm' - group {"$testvm_login": - ensure => present, + group {"${testvm_login}": + ensure => present, } - user {"$testvm_login": - ensure => present, - comment => "System user used to run test VMs", - managehome => true, - gid => $vmtest_login, - shell => "/bin/bash", + user {"${testvm_login}": + ensure => present, + comment => "System user used to run test VMs", + managehome => true, + gid => $vmtest_login, + shell => '/bin/bash', } - - file { "$testvmdir/bin/": - ensure => directory, + + file { "${testvmdir}/bin/": + ensure => directory, require => User[$testvm_login], } - file { "$testvmdir/bin/_vm": - ensure => present, - owner => root, - group => root, - mode => 644, - source => "puppet:///modules/testvm/_vm", - require => File["$testvmdir/bin"], + file { "${testvmdir}/bin/_vm": + ensure => present, + owner => root, + group => root, + mode => '0644', + source => "puppet:///modules/testvm/_vm", + require => File["${testvmdir}/bin"], } - file { "$testvmdir/bin/vm-jonund": - ensure => present, - owner => root, - group => $testvm_login, - mode => 750, - source => "puppet:///modules/testvm/vm-jonund", - require => File["$testvmdir/bin"], + file { "${testvmdir}/bin/vm-jonund": + ensure => present, + owner => root, + group => $testvm_login, + mode => '0750', + source => "puppet:///modules/testvm/vm-jonund", + require => File["${testvmdir}/bin"], } } diff --git a/modules/timezone/manifests/timezone.pp b/modules/timezone/manifests/timezone.pp index 04abfb73..8f3298a2 100644 --- a/modules/timezone/manifests/timezone.pp +++ b/modules/timezone/manifests/timezone.pp @@ -1,6 +1,6 @@ define timezone::timezone() { file { '/etc/localtime': ensure => link, - target => "/usr/share/zoneinfo/$name" + target => "/usr/share/zoneinfo/${name}" } } 
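Review bot: `gid => $vmtest_login` in the user resource references a variable that is never assigned in this class (the declared one is `$testvm_login`), and the commit requotes the surrounding lines without fixing it; with strict variables this fails to compile, otherwise the user is created with an undef gid. Change it to `gid => $testvm_login,`. Separately, the directory is declared as `"${testvmdir}/bin/"` but referenced as `File["${testvmdir}/bin"]`; Puppet normalizes the trailing slash as far as I know, but dropping it from the title keeps the two textually identical.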
diff --git a/modules/transifex/manifests/init.pp b/modules/transifex/manifests/init.pp index 56ad2bf2..282b3f9a 100644 --- a/modules/transifex/manifests/init.pp +++ b/modules/transifex/manifests/init.pp @@ -6,7 +6,7 @@ class transifex { $pgsql_password = extlookup('transifex_pgsql','x') $ldap_password = extlookup('transifex_ldap','x') - $templates_dir = "/var/lib/transifex/templates" + $templates_dir = '/var/lib/transifex/templates' postgresql::remote_db_and_user { 'transifex': description => 'Transifex database', @@ -16,12 +16,12 @@ class transifex { define config() { $filename = $name - file { "/etc/transifex/$filename": + file { "/etc/transifex/$(unknown)": group => 'apache', mode => '0640', require => Package['transifex'], notify => Service['apache'], - content => template("transifex/$filename"), + content => template("transifex/$(unknown)"), } } @@ -31,11 +31,11 @@ class transifex { '45-ldap.conf', '50-project.conf']: } - subversion::snapshot { $templates_dir: - source => 'svn://svn.mageia.org/svn/web/templates/transifex/trunk' + git::snapshot { $templates_dir: + source => "git://git.${::domain}/web/templates/transifex" } - apache::vhost::django_app { "transifex.$::domain": + apache::vhost::django_app { "transifex.${::domain}": module => 'transifex', use_ssl => true, module_path => ['/usr/share/transifex','/usr/share','/usr/local/lib/'], @@ -50,7 +50,7 @@ class transifex { require => Package['transifex'], } - apache::vhost::redirect_ssl { "transifex.$::domain": } + apache::vhost::redirect_ssl { "transifex.${::domain}": } # the group are mapped from ldap, since AUTH_LDAP_FIND_GROUP_PERMS is set to yes # but the group need to exist in django first diff --git a/modules/transifex/templates/20-engines.conf b/modules/transifex/templates/20-engines.conf index 13eb0334..620a9556 100644 --- a/modules/transifex/templates/20-engines.conf +++ b/modules/transifex/templates/20-engines.conf 
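Review bot: The new `git::snapshot` source `"git://git.${::domain}/web/templates/transifex"` uses the git protocol, which provides neither transport authentication nor encryption, so the Django templates deployed into `$templates_dir` can be swapped by anyone able to tamper with traffic between this host and the git server; the old svn:// URL had the same weakness, so this is not a regression, but the switch is the natural place to fix it. Prefer an authenticated transport (an https:// or ssh URL to the same repository) and pin a revision if `git::snapshot` supports it; its parameters are not visible here. The enclosing `class transifex` starts and ends outside this hunk.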
@@ -3,14 +3,14 @@ ## Database configuration -# http://docs.djangoproject.com/en/dev/ref/settings/#database-engine +# https://docs.djangoproject.com/en/dev/ref/settings/#database-engine DATABASE_ENGINE = 'postgresql_psycopg2' # Use file path for sqlite3 DATABASE_NAME = 'transifex' # The following are not used for sqlite3 DATABASE_USER = 'transifex' -DATABASE_PASSWORD = '<%= pgsql_password %>' -DATABASE_HOST = 'pgsql.<%= domain %>' # Set to empty string for local socket +DATABASE_PASSWORD = '<%= @pgsql_password %>' +DATABASE_HOST = 'pgsql.<%= @domain %>' # Set to empty string for local socket DATABASE_PORT = '' # Set to empty string for default ## Caching (optional) diff --git a/modules/transifex/templates/30-site.conf b/modules/transifex/templates/30-site.conf index 4d4e9e4c..3c386354 100644 --- a/modules/transifex/templates/30-site.conf +++ b/modules/transifex/templates/30-site.conf @@ -1,7 +1,7 @@ # Sites SITE_ID = 1 # Your site's domain. This is used only in this file. -SITE_DOMAIN = '<%= domain %>' +SITE_DOMAIN = '<%= @domain %>' ADMINS = ( # ('Your Name', 'your_email@domain.com'), diff --git a/modules/transifex/templates/40-apps.conf b/modules/transifex/templates/40-apps.conf index fe1d0492..dd92fb1c 100644 --- a/modules/transifex/templates/40-apps.conf +++ b/modules/transifex/templates/40-apps.conf @@ -56,4 +56,3 @@ AJAX_LOOKUP_CHANNELS = { 'projects' : ('projects.lookups', 'ProjectsLookup'), 'resources' : ('resources.lookups', 'ResourcesLookup'), } - diff --git a/modules/transifex/templates/45-ldap.conf b/modules/transifex/templates/45-ldap.conf index dd215dc9..2532edf5 100644 --- a/modules/transifex/templates/45-ldap.conf +++ b/modules/transifex/templates/45-ldap.conf 
@@ -17,16 +17,16 @@ from django_auth_ldap.config import LDAPSearch, GroupOfNamesType # Baseline configuration. -AUTH_LDAP_SERVER_URI = "ldap://ldap.<%= domain %> ldap://ldap-slave-1.<%= domain %>" +AUTH_LDAP_SERVER_URI = "ldap://ldap.<%= @domain %> ldap://ldap-slave-1.<%= @domain %>" -AUTH_LDAP_BIND_DN = "cn=transifex-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>" -AUTH_LDAP_BIND_PASSWORD = "<%= ldap_password %>" +AUTH_LDAP_BIND_DN = "cn=transifex-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %>" +AUTH_LDAP_BIND_PASSWORD = "<%= @ldap_password %>" -AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=People,<%= dc_suffix %> ", +AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=People,<%= @dc_suffix %> ", ldap.SCOPE_SUBTREE, "(|(uid=%(user)s)(mail=%(user)s))") # Set up the basic group parameters. -AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Group,<%= dc_suffix %>", +AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Group,<%= @dc_suffix %>", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)" ) AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn") @@ -42,7 +42,7 @@ AUTH_LDAP_USER_ATTR_MAP = { } AUTH_LDAP_USER_FLAGS_BY_GROUP = { - "is_active": "cn=mga-i18n,ou=Group,<%= dc_suffix %>", - "is_staff": "cn=mga-i18n-committers,ou=Group,<%= dc_suffix %>", - "is_superuser": "cn=mga-sysadmin,ou=Group,<%= dc_suffix %>" + "is_active": "cn=mga-i18n,ou=Group,<%= @dc_suffix %>", + "is_staff": "cn=mga-i18n-committers,ou=Group,<%= @dc_suffix %>", + "is_superuser": "cn=mga-sysadmin,ou=Group,<%= @dc_suffix %>" } diff --git a/modules/transifex/templates/50-project.conf b/modules/transifex/templates/50-project.conf index 761dc725..013741b2 100644 --- a/modules/transifex/templates/50-project.conf +++ b/modules/transifex/templates/50-project.conf @@ -40,7 +40,7 @@ MIDDLEWARE_CLASSES = [ ROOT_URLCONF = 'urls' TEMPLATE_DIRS = [ - '<%= templates_dir %>', + '<%= @templates_dir %>', os.path.join(TX_ROOT, 'templates'), ] 
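Review bot: `AUTH_LDAP_SERVER_URI` still points at `ldap://` hosts while `AUTH_LDAP_BIND_PASSWORD` is set, so unless STARTTLS is enabled somewhere outside this hunk the bind credentials and every password checked at login cross the network in clear text; the commit only changes the template variable prefixes and keeps this. Add `AUTH_LDAP_START_TLS = True` next to the URI, or switch both URIs to `ldaps://` if the servers offer it. The failover list also includes `ldap-slave-1`, so both servers need the same TLS setup.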
@@ -68,7 +68,7 @@ INSTALLED_APPS = [
 'authority',
 # Transifex specific apps:
 'transifex.txcommon',
- # It's coming here due http://trac.transifex.org/ticket/596
+ # It's coming here due https://trac.transifex.org/ticket/596
 'userprofile',
 'transifex.languages',
 'transifex.projects',
diff --git a/modules/viewvc/files/robots.txt b/modules/viewvc/files/robots.txt
new file mode 100644
index 00000000..dbb13834
--- /dev/null
+++ b/modules/viewvc/files/robots.txt
@@ -0,0 +1,29 @@
+User-agent: Googlebot
+User-agent: Baiduspider
+User-agent: bingbot
+User-agent: YandexBot
+User-agent: Mail.RU_Bot
+User-agent: MJ12bot
+User-agent: ClaudeBot
+User-agent: Amazonbot
+User-agent: PetalBot
+User-agent: Bytespider
+User-agent: facebookexternalhit
+Disallow: /*/tags/
+Disallow: *?view=annotate*
+Disallow: *?annotate=*
+Disallow: *?view=diff*
+Disallow: *?r1=*
+Disallow: *sortby=*
+Disallow: *sortdir=*
+Disallow: *?revision=*&view=markup&*
+Disallow: *pathrev=*
+Disallow: *?*&view=log*
+Disallow: *view=log&*
+Disallow: *diff_format=*
+User-agent: AhrefsBot
+Disallow: /
+User-agent: Sogou web spider
+Disallow: /
+User-agent: *
+Crawl-delay: 30
diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html
new file mode 100644
index 00000000..fe98b9dc
--- /dev/null
+++ b/modules/viewvc/files/setcookieredirect.html
@@ -0,0 +1,28 @@ +<!DOCTYPE html> +<html> + <head> + <title>User check</title> + <script type="text/javascript" defer> + const randomValue = "6436"; // Chosen by fair dice roll. Guaranteed to be random. + document.cookie = `session=${randomValue}; path=/; expires=${new Date(Date.now() + 24*3600*1000).toUTCString()}`; + const params = new Proxy(new URLSearchParams(window.location.search), { + get: (searchParams, prop) => searchParams.get(prop), + }); + let path = params.to; + // Sanitize redirect path to avoid malicious arbitrary redirects + if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decodeURIComponent(path))) { + const current = new URL(window.location.toLocaleString()); + window.location.href = encodeURI(current.origin + decodeURIComponent(path)); + } else { + window.onload = function() { + document.getElementById('error').innerHTML = 'Error! Bad redirect location!'; + } + } + </script> + </head> + <body> + Redirecting back... + <br> + <p id="error"><!-- space for error message --></p> + </body> +</html> diff --git a/modules/viewvc/manifests/init.pp b/modules/viewvc/manifests/init.pp index 882fe288..bd676f29 100644 --- a/modules/viewvc/manifests/init.pp +++ b/modules/viewvc/manifests/init.pp @@ -1,13 +1,15 @@ class viewvc { + include apache::mod::fcgid + include viewvc::var package {['viewvc', - 'python-svn', + 'python2-svn', 'python-flup']: } # http_expiration_time = 600 # svn_roots = admin: svn://svn.mageia.org/svn/adm/ file { '/etc/viewvc/viewvc.conf': - content => template('viewvc/viewvc.conf'), + content => template($viewvc::var::tmpl_viewvc_conf), notify => Service['apache'], require => Package['viewvc'], } @@ -16,7 +18,7 @@ class viewvc { webapp_file => 'viewvc/webapp.conf', } - local_script { 'kill_viewvc': + mga_common::local_script { 'kill_viewvc': content => template('viewvc/kill_viewvc.sh'), } 
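Review bot: `decodeURIComponent(path)` in the new sanitizer throws `URIError` on malformed percent-encoding (for example a truncated `%E0`), so such a `to` parameter aborts the script before the `else` branch runs and the visitor is left on "Redirecting back..." with no error message; when `to` is absent, `decodeURIComponent(null)` yields the string "null", which the regex rejects, so that case is already handled. Decode once inside a try/catch and treat a failure like a bad path, as below. The cookie is also set without `SameSite` and, for the ssl vhost declared in viewvc/manifests/init.pp, without `Secure`; `SameSite=Lax` can be appended unconditionally, `Secure` only where the page is served over HTTPS. `randomValue` is a fixed string, which is acceptable for a bot check, but the name and the comment should not suggest it is random.
```javascript
let path = params.to;
let decodedPath = null;
try {
  decodedPath = decodeURIComponent(path);
} catch (e) {
  decodedPath = null; // malformed percent-encoding: treat as a bad path
}
// Sanitize redirect path to avoid malicious arbitrary redirects
if (decodedPath !== null && /^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decodedPath)) {
  const current = new URL(window.location.toLocaleString());
  window.location.href = encodeURI(current.origin + decodedPath);
} else {
  // … unchanged: error message assignment …
}
```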
@@ -28,10 +30,45 @@ class viewvc { environment => 'MAILTO=root', } - apache::vhost::base { "svnweb.$::domain": - aliases => {'/viewvc' => '/var/www/viewvc/', - '/' => '/usr/share/viewvc/bin/wsgi/viewvc.fcgi/'}, - content => template('viewvc/vhost.conf') + $viewvc_docroot = '/usr/share/viewvc/templates/docroot' + $robotsfile = "$viewvc_docroot/robots.txt" + file { $robotsfile: + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/viewvc/robots.txt', + } + + file { "$viewvc_docroot/setcookieredirect.html": + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/viewvc/setcookieredirect.html', + } + + $vhost_aliases = { + '/viewvc' => $viewvc_docroot, + '/robots.txt' => $robotsfile, + '/_check' => "$viewvc_docroot/setcookieredirect.html", + } + + $script_aliases = { + '/' => '/usr/share/viewvc/bin/wsgi/viewvc.fcgi/', + } + + $process = 4 + + apache::vhost::base { $viewvc::var::hostname: + aliases => $vhost_aliases, + content => template('apache/vhost_fcgid_norobot.conf'), } -} + apache::vhost::base { "ssl_${viewvc::var::hostname}": + vhost => $viewvc::var::hostname, + use_ssl => true, + aliases => $vhost_aliases, + content => template('apache/vhost_fcgid_norobot.conf'), + } +} diff --git a/modules/viewvc/manifests/var.pp b/modules/viewvc/manifests/var.pp new file mode 100644 index 00000000..9027d808 --- /dev/null +++ b/modules/viewvc/manifests/var.pp @@ -0,0 +1,9 @@ +# $hostname: +# vhost used by viewvc +# $tmpl_viewvc_conf: +# path to /etc/viewvc.conf template file +class viewvc::var( + $hostname = "svnweb.${::domain}", + $tmpl_viewvc_conf = 'viewvc/viewvc.conf' +) { +} diff --git a/modules/viewvc/templates/kill_viewvc.sh b/modules/viewvc/templates/kill_viewvc.sh index 4c27d3f3..7283a10c 100755 --- a/modules/viewvc/templates/kill_viewvc.sh +++ b/modules/viewvc/templates/kill_viewvc.sh 
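Review bot: `$process = 4` is assigned in class scope with no comment and nothing in this hunk reads it; the removed `viewvc/vhost.conf` passed `-processes 4` to FastCgiServer, so the `apache/vhost_fcgid_norobot.conf` template presumably picks it up — say so in place, e.g. `# number of FastCGI processes, read by the vhost_fcgid_norobot.conf template`. The two new `file` titles use unbraced interpolation (`"$viewvc_docroot/robots.txt"`, `"$viewvc_docroot/setcookieredirect.html"`) while the same hunk writes `"ssl_${viewvc::var::hostname}"` and the xinetd manifests in this commit were changed to `${name}`; `"${viewvc_docroot}/robots.txt"` keeps the style consistent. The `class viewvc` header is outside this hunk.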
@@ -1,13 +1,12 @@ #!/bin/sh +# Kill viewvc if the process gets too large +max_memory=1000000 # size in KiB -max_memory=1000000 - -for process in `pgrep viewvc.fcgi` +for process in $(pgrep viewvc.fcgi) do process_mem=$(pmap "$process" | grep total | sed 's/ \+total \+\([[:digit:]]\+\)K/\1/') - if [ "$process_mem" -gt "$max_memory" ] + if [ -n "$process_mem" ] && [ "$process_mem" -gt "$max_memory" ] then - kill -15 "$process" + kill -15 "$process" fi done - diff --git a/modules/viewvc/templates/vhost.conf b/modules/viewvc/templates/vhost.conf deleted file mode 100644 index 28916f98..00000000 --- a/modules/viewvc/templates/vhost.conf +++ /dev/null @@ -1,2 +0,0 @@ - FastCgiServer /usr/share/viewvc/bin/wsgi/viewvc.fcgi -processes 4 -idle-timeout 30 - diff --git a/modules/viewvc/templates/viewvc.conf b/modules/viewvc/templates/viewvc.conf index 920aa9ed..dec74771 100644 --- a/modules/viewvc/templates/viewvc.conf +++ b/modules/viewvc/templates/viewvc.conf @@ -113,7 +113,7 @@ ## repositories may reside. Rather than force you to add a new entry ## to 'cvs_roots' or 'svn_roots' each time you create a new repository, ## ViewVC rewards you for organising all your repositories under a few -## parent directories by allowing you to simply specifiy just those +## parent directories by allowing you to simply specify just those ## parent directories. ViewVC will then notice each repository in that ## directory as a new root whose name is the subdirectory of the parent ## path in which that repository lives. @@ -326,7 +326,7 @@ mime_types_files = /etc/viewvc/mimetypes.conf, /etc/httpd/conf/mime.types #checkout_magic = 0 ## allowed_views: List the ViewVC views which are enabled. Views not -## in this comma-delited list will not be served (or, will return an +## in this comma-delimited list will not be served (or, will return an ## error on attempted access). ## Possible values: "annotate", "co", "diff", "markup", "roots", "tar" ## 
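Review bot: The new `-n "$process_mem"` guard does not cover the case it is meant for: `sed 's/ \+total \+\([[:digit:]]\+\)K/\1/'` prints its input unchanged when the pattern does not match, so a `total` line in an unexpected format leaves `$process_mem` non-empty but non-numeric and `[ "$process_mem" -gt "$max_memory" ]` still errors out. Make the substitution print only on a successful match, `sed -n 's/ \+total \+\([[:digit:]]\+\)K/\1/p'`, so the empty-string check actually fires. `pgrep viewvc.fcgi` is an unanchored regex in which `.` matches any character; `pgrep 'viewvc\.fcgi'` (or `-x` with the exact process name, depending on how the FastCGI process reports itself) narrows it to the intended processes. The `total` line format matched here is the one printed by procps `pmap`; other implementations differ, which is another reason the empty-string path should be reliable.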
@@ -484,7 +484,7 @@ http_expiration_time = 600 ## #hr_funout = 0 -## hr_ignore_white: Ignore whitespace (indendation and stuff) for human +## hr_ignore_white: Ignore whitespace (indentation and stuff) for human ## readable diffs. ## ('-w' option to diff) ## @@ -650,7 +650,7 @@ log_pagesize = 100 ## directory specified by the "template_dir" configuration option (see ## the documentation for that option for details). But if you want to ## use a different template for a particular view, simply uncomment the -## appropriate option below and specify the currect location of the EZT +## appropriate option below and specify the correct location of the EZT ## template file you wish to use for that view. ## ## Templates are specified relative to the configured template diff --git a/modules/xinetd/manifests/port_forward.pp b/modules/xinetd/manifests/port_forward.pp index 23d00f03..2717466e 100644 --- a/modules/xinetd/manifests/port_forward.pp +++ b/modules/xinetd/manifests/port_forward.pp @@ -1,6 +1,6 @@ define xinetd::port_forward($target_ip, $target_port, $port, $proto = 'tcp') { include xinetd - file { "/etc/xinetd.d/$name": + file { "/etc/xinetd.d/${name}": require => Package['xinetd'], content => template('xinetd/port_forward'), notify => Service['xinetd'] diff --git a/modules/xinetd/manifests/service.pp b/modules/xinetd/manifests/service.pp index 23ebeedf..24caafd9 100644 --- a/modules/xinetd/manifests/service.pp +++ b/modules/xinetd/manifests/service.pp @@ -1,6 +1,6 @@ define xinetd::service($content) { include xinetd - file { "/etc/xinetd.d/$name": + file { "/etc/xinetd.d/${name}": require => Package['xinetd'], content => $content, notify => Service['xinetd'] diff --git a/modules/xinetd/templates/port_forward b/modules/xinetd/templates/port_forward index 16ba9a1c..99518dcd 100644 --- a/modules/xinetd/templates/port_forward +++ b/modules/xinetd/templates/port_forward 
@@ -1,16 +1,15 @@ -service <%= name %> +service <%= @name %> { disable = no type = UNLISTED -<%- if proto == 'tcp' -%> +<%- if @proto == 'tcp' -%> socket_type = stream <%- else -%> socket_type = dgram <%- end -%> - protocol = <%= proto %> + protocol = <%= @proto %> user = nobody wait = no - redirect = <%= target_ip %> <%= target_port %> - port = <%= port %> + redirect = <%= @target_ip %> <%= @target_port %> + port = <%= @port %> } - diff --git a/modules/xymon/manifests/client.pp b/modules/xymon/manifests/client.pp index 58d44257..cfde8134 100644 --- a/modules/xymon/manifests/client.pp +++ b/modules/xymon/manifests/client.pp @@ -1,17 +1,19 @@ class xymon::client { package { 'xymon-client': } - service { 'xymon-client': + $service = 'xymon' + + service { $service: hasstatus => false, - status => "$::lib_dir/xymon/client/runclient.sh status", + status => "${::lib_dir}/xymon/client/runclient.sh status", require => Package['xymon-client'], } - # TODO replace with a exported ressource + # TODO replace with a exported resource $server = extlookup('hobbit_server','x') file { '/etc/sysconfig/xymon-client': content => template('xymon/xymon-client'), - notify => Service['xymon-client'], + notify => Service[$service], require => Package['xymon-client'], } } diff --git a/modules/xymon/manifests/server.pp b/modules/xymon/manifests/server.pp index 223dab6b..b6c269cf 100644 --- a/modules/xymon/manifests/server.pp +++ b/modules/xymon/manifests/server.pp @@ -1,12 +1,6 @@ class xymon::server { package { ['xymon','fping']: } - service { 'xymon': - hasstatus => false, - status => "su xymon -c '$::lib_dir/xymon/server/hobbit.sh status'", - require => Package['xymon'], - } - File { group => 'xymon', require => Package['xymon'], 
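Review bot: Removing `service { 'xymon': ... }` from `xymon::server` leaves this class with no resource managing the daemon, and the config files declared in the following hunks (`/etc/xymon/hosts.cfg`, `/etc/xymon/hobbitserver.cfg`) carry no `notify` either. The `xymon::client` hunk above now titles its service resource `xymon`, which reads as the intended replacement, but that only holds on nodes that include both classes; make the dependency explicit with `include xymon::client` at the top of `xymon::server` (or a comment naming it). If the daemon does not re-read those files by itself, add `notify => Service['xymon']` to them — whether it does is not visible here. The class body continues past this hunk.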
@@ -14,6 +8,11 @@ class xymon::server { } file { + # Define hosts and web view layout, and lists tests to be run against + # host by e.g. network tests from xymon server + '/etc/xymon/hosts.cfg': + content => template('xymon/bb-hosts'); + # Environment variables user by hobbitd,hobbitlaunch,hobbitd_rrd,CGIs # and bbgen (which generates the static html pages) # hobbitlaunch (started by init script) may need to be restarted for @@ -22,11 +21,6 @@ class xymon::server { '/etc/xymon/hobbitserver.cfg': content => template('xymon/hobbitserver.cfg'); - # Define hosts and web view layout, and lists tests to be run against - # host by e.g. network tests from xymon server - '/etc/xymon/bb-hosts': - content => template('xymon/bb-hosts'); - # Defines thresholds for test data reported by clients, e.g. load # disk, procs, ports, memory, as well as those which require some # configuration server side to the client: files, msgs, diff --git a/modules/xymon/templates/bb-hosts b/modules/xymon/templates/bb-hosts index 4d0370f3..140932b5 100644 --- a/modules/xymon/templates/bb-hosts +++ b/modules/xymon/templates/bb-hosts 
@@ -13,37 +13,40 @@ # You need to define at least the Xymon server itself here. page visible Visible Services -0.0.0.0 blog.<%= domain %> # http://blog.<%= domain %> +0.0.0.0 blog.<%= domain %> # sni https://blog.<%= domain %>/en/ 0.0.0.0 identity.<%= domain %> # https://identity.<%= domain %> 0.0.0.0 bugs.<%= domain %> # https://bugs.<%= domain %> 0.0.0.0 ml.<%= domain %> # https://ml.<%= domain %> -0.0.0.0 www.<%= domain %> # http://www.<%= domain %> -0.0.0.0 svnweb.<%= domain %> # http://svnweb.<%= domain %> +0.0.0.0 www.<%= domain %> # https://www.<%= domain %> +0.0.0.0 svnweb.<%= domain %> # https://svnweb.<%= domain %> 0.0.0.0 epoll.<%= domain %> # https://epoll.<%= domain %> -0.0.0.0 transifex.<%= domain %> # https://transifex.<%= domain %> -0.0.0.0 planet.<%= domain %> # http://planet.<%= domain %> -0.0.0.0 forums.<%= domain %> # https://forums.<%= domain %>=212.85.158.146/ -0.0.0.0 check.<%= domain %> # http://check.<%= domain %> -0.0.0.0 pkgsubmit.<%= domain %> # http://pkgsubmit.<%= domain %> -0.0.0.0 bcd.<%= domain %> # http://bcd.<%= domain %> +0.0.0.0 planet.<%= domain %> # sni https://planet.<%= domain %>/en/ +# This checks the public reverse proxy +0.0.0.0 forums.<%= domain %> # sni https://forums.<%= domain %>=<%= @nodes_ipaddr['sucuk']['ipv4'] %>/ +0.0.0.0 check.<%= domain %> # https://check.<%= domain %> +0.0.0.0 madb.<%= domain %> # https://madb.mageia.org +0.0.0.0 pkgsubmit.<%= domain %> # sni https://pkgsubmit.<%= domain %> +#0.0.0.0 bcd.<%= domain %> # http://bcd.<%= domain %> 0.0.0.0 hugs.<%= domain %> # http://hugs.<%= domain %> 0.0.0.0 dashboard.<%= domain %> # http://dashboard.<%= domain %> -0.0.0.0 meetbot.<%= domain %> # http://meetbot.<%= domain %> +0.0.0.0 meetbot.<%= domain %> # sni https://meetbot.<%= domain %> page servers Servers group-compress Marseille -212.85.158.146 alamut.<%= domain %> # testip bbd dns smtp ssh CLIENT:xymon.<%= domain %> http://xymon.<%= domain %> -212.85.158.147 valstar.<%= domain %> # testip ssh rsync svn 
git ldapssl ldap +212.85.158.151 sucuk.<%= domain %> # testip bbd dns smtp ssh CLIENT:xymon.<%= domain %> http://xymon.<%= domain %> 212.85.158.148 ecosse.<%= domain %> # testip ssh -212.85.158.149 jonund.<%= domain %> # testip ssh 212.85.158.150 fiona.<%= domain %> # testip ssh -212.85.158.151 sucuk.<%= domain %> # testip ssh 212.85.158.152 rabbit.<%= domain %> # testip ssh +212.85.158.153 duvel.<%= domain %> # testip ssh rsync svn git ldapssl ldap -group-compress Gandi -95.142.164.207 krampouezh.<%= domain %> # ssh dns ldap ldapssl smtp -217.70.188.116 champagne.<%= domain %> # ssh +group-compress VM Sucuk +192.168.122.131 friteuse.<%= domain %> # testip ssh http://forums.<%= domain %>=<%= @nodes_ipaddr['friteuse']['ipv4'] %>/ %>/ -group-compress VM Alamut -192.168.122.131 friteuse.<%= domain %> # testip ssh http://forums.<%= domain %>=192.168.122.131/ https://forums.<%= domain %>=192.168.122.131/ +group-compress Scaleway +163.172.148.228 neru.mageia.org # testip ssh dns ldap ldapssl smtp +163.172.201.211 madb.mageia.org # testip + +# NOTE: lines with IPv6 addresses are ignored in xymon versions before 4.4 or 5.0 +group-compress Oracle cloud +2603:c026:c101:f00::1:1 ociaa1.<%= domain %> # testip ssh diff --git a/modules/xymon/templates/client-local.cfg b/modules/xymon/templates/client-local.cfg index e42ce467..44428778 100644 --- a/modules/xymon/templates/client-local.cfg +++ b/modules/xymon/templates/client-local.cfg @@ -99,7 +99,7 @@ ignore MARK log:/var/log/messages:10240 ignore MARK -[mandrake] +[mageia] log:/var/log/messages:10240 ignore MARK diff --git a/modules/xymon/templates/hobbit-alerts.cfg b/modules/xymon/templates/hobbit-alerts.cfg index 36ff44a4..763e253d 100644 --- a/modules/xymon/templates/hobbit-alerts.cfg +++ b/modules/xymon/templates/hobbit-alerts.cfg 
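Review bot: The friteuse line ends with a stray ` %>/` after the closing tag — `http://forums.<%= domain %>=<%= @nodes_ipaddr['friteuse']['ipv4'] %>/ %>/` renders a literal ` %>/` into hosts.cfg, which xymon will read as part of the test spec; drop the trailing ` %>/`. The template mixes `<%= domain %>` with hardcoded `mageia.org` (`madb.mageia.org`, `neru.mageia.org`, and `https://madb.mageia.org` on the visible-services page); if those hosts are deliberately outside `<%= domain %>` a one-line comment saying so would stop the next edit from "fixing" them, otherwise use the variable. `@nodes_ipaddr['sucuk']['ipv4']` and `['friteuse']['ipv4']` raise inside ERB if either key is absent, which fails the whole catalog rather than one monitoring line; whether that is the wanted failure mode is not clear from the hunk. This hunk starts on the previous line.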
@@ -74,10 +74,10 @@ # TIME - rule matching an alert by the time-of-day. This # is specified as the DOWNTIME timespecification # in the bb-hosts file (see bb-hosts(5)). -# DURATION - Rule matcing an alert if the event has lasted +# DURATION - Rule matching an alert if the event has lasted # longer/shorter than the given duration. E.g. # DURATION>10 (lasted longer than 10 minutes) or -# DURARION<30 (only sends alerts the first 30 minutes). +# DURATION<30 (only sends alerts the first 30 minutes). # RECOVERED - Rule matches if the alert has recovered from an # alert state. # NOTICE - Rule matches if the message is a "notify" message @@ -118,7 +118,7 @@ # N is the DOWNSECS value. <% -builder = ['jonund','ecosse','rabbit'] +builder = ['ecosse','rabbit'] builders = builder.map{|x| x + "." + domain }.join(',') %> HOST=<%= builders %> SERVICE=cpu diff --git a/modules/xymon/templates/hobbit-clients.cfg b/modules/xymon/templates/hobbit-clients.cfg index 72140850..ff010681 100644 --- a/modules/xymon/templates/hobbit-clients.cfg +++ b/modules/xymon/templates/hobbit-clients.cfg @@ -102,7 +102,7 @@ # show up in the "ps" listing as a command. The scanner will find # a ps-listing of e.g. "/usr/sbin/cron" if you only specify "processname" # as "cron". -# "processname" can also be a Perl-compatiable regular expression, e.g. +# "processname" can also be a Perl-compatible regular expression, e.g. # "%java.*inst[0123]" can be used to find entries in the ps-listing for # "java -Xmx512m inst2" and "java -Xmx256 inst3". In that case, # "processname" must begin with "%" followed by the reg.expression. 
@@ -253,7 +253,7 @@ # the output from netstat. This is typically "10.0.0.1:80" for the IP # 10.0.0.1, port 80. Or "*:80" for any local address, port 80. # NB: The Xymon clients normally report only the numeric data for -# IP-adresses and port-numbers, so you must specify the port +# IP-addresses and port-numbers, so you must specify the port # number (e.g. "80") instead of the service name ("www"). # "state" causes only the sockets in the specified state to be included; # it is usually LISTEN or ESTABLISHED. @@ -265,7 +265,7 @@ # # "addr" and "state" can be a simple strings, in which case these string must # show up in the "netstat" at the appropriate column. -# "addr" and "state" can also be a Perl-compatiable regular expression, e.g. +# "addr" and "state" can also be a Perl-compatible regular expression, e.g. # "LOCAL=%(:80|:443)" can be used to find entries in the netstat local port for # both http (port 80) and https (port 443). In that case, portname or state must # begin with "%" followed by the reg.expression. @@ -349,19 +349,20 @@ HOST=rabbit.<%= domain %> DISK %.*stage2$ IGNORE -# jonund has 24 cores and we try and utilise it as much as possible -# la of up to 1.5*cores is probably not problematic -HOST=jonund.<%= domain %> - LOAD 36.0 48.0 - # ecosse has 24 cores, is a builder, and we try to use them all HOST=ecosse.<%= domain %> LOAD 36.0 48.0 -# rabbit has 12 and mksquashfs uses all of them +# rabbit has 12 cores and mksquashfs uses all of them HOST=rabbit.<%= domain %> LOAD 18.0 24.0 +# duvel has 24 cores, dont trigger alarms too soon +HOST=duvel.<%= domain %> + LOAD 18.0 24.0 + DISK /var/lib/binrepo 95 98 + DISK /var/www 95 98 + DEFAULT # These are the built-in defaults. UP 1h diff --git a/modules/xymon/templates/hobbitserver.cfg b/modules/xymon/templates/hobbitserver.cfg index 60dd1a75..a5a7aacf 100644 --- a/modules/xymon/templates/hobbitserver.cfg +++ b/modules/xymon/templates/hobbitserver.cfg 
@@ -5,7 +5,7 @@ BBSERVERLOGS="/var/log/xymon" # Directory for server logs. The hobbit user must HOBBITCLIENTHOME="<%= lib_dir %>/xymon/client" # BBHOME directory for the client -BBSERVERHOSTNAME="alamut.<%= domain %>" # The hostname of your server +BBSERVERHOSTNAME="sucuk.<%= domain %>" # The hostname of your server BBSERVERIP="<%= ipaddress %>" # The IP-address of your server. Use the real one, not 127.0.0.1 . BBSERVEROS="linux" # The operating system of your server. linux,freebsd,solaris,hpux,aix,osf @@ -29,7 +29,7 @@ PATH="/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/lib64/xy # 2011-07-17 15:32:54 Oversize status msg from # 212.85.158.149 for jonund.mageia.org:procs truncated (n=350049, limit=262144) # -# http://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Other_Docs/FAQ#Q._How_do_I_fix_.22Oversize_status_msg_from_192.168.1.31_for_test.my.com:ports_truncated_.28n.3D508634.2C_limit.3D262144.29.22 +# https://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Other_Docs/FAQ#Q._How_do_I_fix_.22Oversize_status_msg_from_192.168.1.31_for_test.my.com:ports_truncated_.28n.3D508634.2C_limit.3D262144.29.22 MAXMSG_STATUS="496" ##### Normally you do not need to modify anything below this point ##### @@ -58,7 +58,7 @@ MACHINEDOTS="$BBSERVERHOSTNAME" # This systems hostname MACHINEADDR="$BBSERVERIP" # This systems IP-address # URL's generated/used by bbgen -BBWEBHOST="http://$BBSERVERWWWNAME" # Just the host part of the URL - http://www.foo.com +BBWEBHOST="https://$BBSERVERWWWNAME" # Just the host part of the URL - http://www.foo.com BBWEBHOSTURL="$BBWEBHOST$BBSERVERWWWURL" # Prefix for all static Xymon pages - http://www.foo.com/bb BBWEBHTMLLOGS="$BBWEBHOSTURL/html" # Prefix for the Xymon HTML logs (only if BBLOGSTATUS=STATIC) BBWEB="$BBSERVERWWWURL" # Xymon URL prefix without the host part diff --git a/modules/xymon/templates/xymon-client b/modules/xymon/templates/xymon-client index 1635457c..e846d2a5 100644 
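Review bot: `BBWEBHOST="https://$BBSERVERWWWNAME"` changes the scheme, but its trailing comment still gives `http://www.foo.com` as the example and the `BBWEBHOSTURL` comment on the next context line likewise says `http://www.foo.com/bb`; update both to `https://` so the comments match what bbgen now emits. `BBSERVERHOSTNAME="sucuk.<%= domain %>"` is hardcoded while `BBSERVERIP` is taken from the `ipaddress` fact; if this template is only rendered on the xymon server, `<%= fqdn %>` would keep the two in step the next time the server moves.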
--- a/modules/xymon/templates/xymon-client +++ b/modules/xymon/templates/xymon-client @@ -2,19 +2,18 @@ # You MUST set the list of Hobbit servers that this # client reports to. -# It is good to use IP-adresses here instead of DNS +# It is good to use IP-addresses here instead of DNS # names - DNS might not work if there's a problem. # # E.g. (a single Hobbit server) -# HOBBITSERVERS="192.168.1.1" +# HOBBITSERVERS="192.168.1.1" # or (multiple servers) -# HOBBITSERVERS="10.0.0.1 192.168.1.1" +# HOBBITSERVERS="10.0.0.1 192.168.1.1" +XYMONSERVERS="<%= server %>" -HOBBITSERVERS="<%= server %>" - -# The defaults usually suffice for the rest of this file, -# but you can tweak the hostname that the client reports -# data with, and the OS name used (typically needed only on +# The defaults usually suffice for the rest of this file, +# but you can tweak the hostname that the client reports +# data with, and the OS name used (typically needed only on # RHEL or RHAS servers). # CLIENTHOSTNAME="" diff --git a/modules/youri-check/manifests/init.pp b/modules/youri-check/manifests/init.pp index 37902ba2..ebdaa492 100644 --- a/modules/youri-check/manifests/init.pp +++ b/modules/youri-check/manifests/init.pp 
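Review bot: The examples above the new variable still read `# HOBBITSERVERS="192.168.1.1"` and `# HOBBITSERVERS="10.0.0.1 192.168.1.1"` although the setting was renamed to `XYMONSERVERS`; update them to `# XYMONSERVERS="192.168.1.1"` and `# XYMONSERVERS="10.0.0.1 192.168.1.1"` so the documentation matches the key the client reads. `XYMONSERVERS="<%= server %>"` also keeps the bare-name template variable while the xinetd template in this commit was moved to `@name`-style instance variables; `<%= @server %>` is the consistent form. `server` comes from `extlookup('hobbit_server','x')` in `xymon::client`, so a missing lookup silently writes `XYMONSERVERS="x"` — a comment on the variable noting where it is set would help whoever debugs a client that reports nowhere.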
@@ -1,52 +1,81 @@ class youri-check { class base { - $vhost = "check.$domain" + $vhost = "check.${::domain}" $user = 'youri' $home = '/var/lib/youri' + $home_check = '/var/www/youri-check' + $pgsql_password = extlookup('youri_pgsql','x') user { $user: comment => 'Youri Check', home => $home, } - file { $home: - ensure => directory, - owner => $user, - group => $user, - } + file { $home: + ensure => directory, + owner => $user, + group => $user, + } + + file { $home_check: + ensure => directory, + owner => $user, + group => $user, + } - $pgsql_server = "$vhost" + $pgsql_server = "${vhost}" - package { ['youri-check', 'perl-DBD-Pg', 'perl-Youri-Media']: } + package { ['youri-check', 'perl-DBD-Pg', 'perl-Youri-Media']: } } + define config($version) { - include youri-check::base + include stdlib + include youri-check::base + + $config = "/etc/youri/${version}.conf" + $outdir = "/var/www/youri-check/${version}" + $pgsql_db = "youri_check_${version}" + $pgsql_server = $base::pgsql_server + $pgsql_user = "youri${version}" + $pgsql_password = extlookup('youri_pgsql','x') + # We want to alert for packages older than the cut-off for latest mass rebuild + # 1745539200 is 2025-04-25 + $max_days = (time() - 1745539200)/(24*3600) + + file { "${config}": + ensure => present, + owner => $base::user, + mode => '0640', + content => template("youri-check/${version}.conf"), + require => User[$base::user], + } + } + - $config = "/etc/youri/$version.conf" - $outdir = "/var/www/youri-check/$version" - $pgsql_db = "youri_check_$version" - $pgsql_server = $base::pgsql_server - $pgsql_user = "youri$version" + define createdb_user($version) { + $pgsql_db = "youri_check_${version}" + $pgsql_user = "youri${version}" $pgsql_password = extlookup('youri_pgsql','x') - file { "$config": - ensure => present, - owner => $base::user, - mode => 640, - content => template("youri-check/$version.conf"), - require => User[$base::user], - } + postgresql::remote_user { $pgsql_user: + password => 
$base::pgsql_password, + } + + postgresql::remote_database { $pgsql_db: + description => "Youri Check results", + user => $pgsql_user, + } } define check($version, $hour = "*", $minute = 0) { - include youri-check::base - $config = "/etc/youri/$version.conf" - $pgsql_server = $base::pgsql_server - $pgsql_db = "youri_check_$version" - $pgsql_user = "youri$version" - $pgsql_password = extlookup('youri_pgsql','x') + include youri-check::base + $config = "/etc/youri/${version}.conf" + $pgsql_server = $base::pgsql_server + $pgsql_db = "youri_check_${version}" + $pgsql_user = "youri${version}" + $pgsql_password = extlookup('youri_pgsql','x') postgresql::remote_user { $pgsql_user: password => $base::pgsql_password, 
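Review bot: `createdb_user` reads `$base::pgsql_password` but, unlike `config` and `check`, does not `include youri-check::base` first, so when it is the first youri-check define evaluated on a node the class variable is undefined and `postgresql::remote_user` is handed an empty password. Add `include youri-check::base` as the first line of the define; its own `$pgsql_password = extlookup('youri_pgsql','x')` is then unused and can go. `config` repeats the same `extlookup` to expose `pgsql_password` to the template — `$pgsql_password = $base::pgsql_password` keeps the secret lookup in one place and stops the two from drifting. The enclosing `class youri-check` opens before this hunk and the `check` define continues into the next one.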
@@ -54,44 +83,51 @@ class youri-check { postgresql::remote_database { $pgsql_db: description => "Youri Check results", - user => $pgsql_user, + user => $pgsql_user, } - cron { "check_$version": - command => "youri-check -c $config test", - hour => $hour, - minute => $minute, - user => $base::user, - environment => "MAILTO=root", - require => User[$base::user], + cron { "check_${version}": + command => "youri-check -c ${config} --parallel test", + hour => $hour, + minute => $minute, + user => $base::user, + environment => "MAILTO=root", + require => User[$base::user], } } define report_www { include youri-check::base - $outdir = "/var/www/youri-check/" - apache::vhost_simple { $base::vhost: + $outdir = "/var/www/youri-check/" + apache::vhost::base { $base::vhost: + location => $outdir, + content => template('youri-check/vhost_check.conf'), + } + apache::vhost::base { "ssl_${base::vhost}": + vhost => $base::vhost, + use_ssl => true, location => $outdir, + content => template('youri-check/vhost_check.conf'), } } define report($version, $hour = "*", $minute = 20) { include youri-check::base - $config = "/etc/youri/$version.conf" + $config = "/etc/youri/${version}.conf" - $outdir = "/var/www/youri-check/$version" - file { "$outdir": + $outdir = "/var/www/youri-check/${version}" + file { "${outdir}": ensure => directory, - owner => $base::user, - mode => 755, + owner => $base::user, + mode => '0755', } - cron { "check_$version": - command => "youri-check -c $config report", - hour => $hour, - minute => $minute, - user => $base::user, - require => User[$base::user], + cron { "check_${version}": + command => "youri-check -c ${config} report", + hour => $hour, + minute => $minute, + user => $base::user, + require => User[$base::user], } } } diff --git a/modules/youri-check/templates/1.conf b/modules/youri-check/templates/1.conf deleted file mode 100644 index f9feefc7..00000000 --- a/modules/youri-check/templates/1.conf +++ /dev/null 
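Review bot: `check` and `report` both declare `cron { "check_${version}": ... }` (the second one at the end of this hunk), so declaring both defines for the same version on one node is a duplicate-declaration compile error; the hunk rewrites both resources and keeps the collision, so rename the report job to `cron { "report_${version}":`. `report_www` hardcodes `$outdir = "/var/www/youri-check/"` while the first hunk adds `$home_check = '/var/www/youri-check'` to `base` for the same directory; `$outdir = $base::home_check` would avoid two sources of truth for the published path. The enclosing `class youri-check` opens before this hunk.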
@@ -1,177 +0,0 @@ -# vim:ft=yaml:et:sw=4 - -# helper variables -mirror: http://repository.mageia.org/distrib/1 -mirror_i586: ${mirror}/i586/media -mirror_x86_64: ${mirror}/x86_64/media - -# resultset definition -resultset: - class: Youri::Check::Resultset::DBI - options: - driver: Pg - host: <%= pgsql_server %>;sslmode=require - base: <%= pgsql_db %> - user: <%= pgsql_user %> - pass: <%= pgsql_password %> - -resolver: - class: Youri::Check::Maintainer::Resolver::CGI - options: - url: http://pkgsubmit.<%= domain %>/data/maintdb.txt - exceptions: - - nobody - - -# checks definitions -tests: - dependencies: - class: Youri::Check::Test::Dependencies - - missing: - class: Youri::Check::Test::Missing - - updates_mandriva_2010_2: - class: Youri::Check::Test::Updates - options: - aliases: - # Only add exceptions here after making sure that the package has an Epoch - basesystem: ~ - bash-completion: ~ - sources: - mandriva: - class: Youri::Check::Test::Updates::Source::Media::Mandriva - options: - medias: - main.sources: - class: Youri::Media::URPM - options: - name: main - type: source - hdlist: http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/2010.2/SRPMS/main/release/media_info/hdlist.cz - mainupdates.sources: - class: Youri::Media::URPM - options: - name: main-updates - type: source - hdlist: http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/2010.2/SRPMS/main/updates/media_info/hdlist.cz - contrib.sources: - class: Youri::Media::URPM - options: - name: contrib - type: source - hdlist: http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/2010.2/SRPMS/contrib/release/media_info/hdlist.cz - contribupdates.sources: - class: Youri::Media::URPM - options: - name: contrib-updates - type: source - hdlist: http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/2010.2/SRPMS/contrib/updates/media_info/hdlist.cz - -# reports definitions -reports: - file: - class: Youri::Check::Report::File - options: - to: <%= outdir %> - 
global: 1 - individual: 1 - formats: - html: - class: Youri::Check::Report::Format::HTML - text: - class: Youri::Check::Report::Format::Text - rss: - class: Youri::Check::Report::Format::RSS - -# media definitions -medias: - core.i586: - class: Youri::Media::URPM - options: - name: core - type: binary - hdlist: ${mirror_i586}/media_info/hdlist_core.cz - options: - dependencies: - allowed: - - core.i586 - missing: - allowed: - - core.sources - - core.x86_64: - class: Youri::Media::URPM - options: - name: core - type: binary - hdlist: ${mirror_x86_64}/media_info/hdlist_core.cz - options: - dependencies: - allowed: - - core.x86_64 - - core.i586 - missing: - allowed: - - core.sources - - - core.sources: - class: Youri::Media::URPM - options: - name: core - type: source - hdlist: ${mirror_i586}/media_info/hdlist_core.src.cz - options: - dependencies: - allowed: - - core.x86_64 - - core.i586 - - nonfree.i586: - class: Youri::Media::URPM - options: - name: nonfree - type: binary - hdlist: ${mirror_i586}/media_info/hdlist_nonfree_release.cz - options: - dependencies: - allowed: - - core.i586 - - nonfree.i586 - missing: - allowed: - - nonfree.sources - - nonfree.x86_64: - class: Youri::Media::URPM - options: - name: nonfree - type: binary - hdlist: ${mirror_x86_64}/media_info/hdlist_nonfree_release.cz - options: - dependencies: - allowed: - - core.x86_64 - - core.i586 - - nonfree.x86_64 - - nonfree.i586 - missing: - allowed: - - nonfree.sources - - - nonfree.sources: - class: Youri::Media::URPM - options: - name: nonfree - type: source - hdlist: ${mirror_i586}/media_info/hdlist_nonfree_release.src.cz - options: - dependencies: - allowed: - - core.x86_64 - - nonfree.x86_64 - - core.i586 - - nonfree.i586 - diff --git a/modules/youri-check/templates/2.conf b/modules/youri-check/templates/9.conf index e2b09837..28028080 100644 --- a/modules/youri-check/templates/2.conf +++ b/modules/youri-check/templates/9.conf 
@@ -1,7 +1,7 @@ # vim:ft=yaml:et:sw=4 # helper variables -mirror: http://repository.mageia.org/distrib/2 +mirror: http://repository.mageia.org/distrib/9 mirror_i586: ${mirror}/i586/media mirror_x86_64: ${mirror}/x86_64/media @@ -18,7 +18,7 @@ resultset: resolver: class: Youri::Check::Maintainer::Resolver::CGI options: - url: http://pkgsubmit.<%= domain %>/data/maintdb.txt + url: https://pkgsubmit.<%= domain %>/data/maintdb.txt exceptions: - nobody @@ -31,43 +31,6 @@ tests: missing: class: Youri::Check::Test::Missing - updates_mandriva_2010_2: - class: Youri::Check::Test::Updates - options: - aliases: - # Only add exceptions here after making sure that the package has an Epoch - basesystem: ~ - bash-completion: ~ - sources: - mandriva: - class: Youri::Check::Test::Updates::Source::Media::Mandriva - options: - medias: - main.sources: - class: Youri::Media::URPM - options: - name: main - type: source - hdlist: http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/2010.2/SRPMS/main/release/media_info/hdlist.cz - mainupdates.sources: - class: Youri::Media::URPM - options: - name: main-updates - type: source - hdlist: http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/2010.2/SRPMS/main/updates/media_info/hdlist.cz - contrib.sources: - class: Youri::Media::URPM - options: - name: contrib - type: source - hdlist: http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/2010.2/SRPMS/contrib/release/media_info/hdlist.cz - contribupdates.sources: - class: Youri::Media::URPM - options: - name: contrib-updates - type: source - hdlist: http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/2010.2/SRPMS/contrib/updates/media_info/hdlist.cz - # reports definitions reports: file: 
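Review bot: `mirror: http://repository.mageia.org/distrib/9` keeps the hdlist base on plain http while the same file's resolver `url:` is moved to https in the next hunk; every `${mirror_*}` hdlist fetch inherits that base, so the package metadata youri-check compares against is retrieved without transport integrity. If `repository.mageia.org` serves TLS, `mirror: https://repository.mageia.org/distrib/9` closes that gap. The same applies to `mirror:` in the `cauldron.conf` hunk `@@ -2,7 +2,9 @@` further down, which also leaves `http://` in place while switching its resolver URL.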
@@ -100,6 +63,40 @@ medias: allowed: - core.sources + core_updates.i586: + class: Youri::Media::URPM + options: + name: core_updates + type: binary + hdlist: ${mirror_i586}/media_info/hdlist_core_updates.cz + options: + dependencies: + allowed: + - core.i586 + - core_updates.i586 + missing: + allowed: + - core.sources + - core_updates.sources + + core_updates_testing.i586: + class: Youri::Media::URPM + options: + name: core_updates_testing + type: binary + hdlist: ${mirror_i586}/media_info/hdlist_core_updates_testing.cz + options: + dependencies: + allowed: + - core.i586 + - core_updates.i586 + - core_updates_testing.i586 + missing: + allowed: + - core.sources + - core_updates.sources + - core_updates_testing.sources + core.x86_64: class: Youri::Media::URPM options: @@ -115,6 +112,44 @@ medias: allowed: - core.sources + core_updates.x86_64: + class: Youri::Media::URPM + options: + name: core_updates + type: binary + hdlist: ${mirror_x86_64}/media_info/hdlist_core_updates.cz + options: + dependencies: + allowed: + - core.i586 + - core_updates.i586 + - core.x86_64 + - core_updates.x86_64 + missing: + allowed: + - core.sources + - core_updates.sources + + core_updates_testing.x86_64: + class: Youri::Media::URPM + options: + name: core_updates_testing + type: binary + hdlist: ${mirror_x86_64}/media_info/hdlist_core_updates_testing.cz + options: + dependencies: + allowed: + - core.x86_64 + - core_updates.x86_64 + - core_updates_testing.x86_64 + - core.i586 + - core_updates.i586 + - core_updates_testing.i586 + missing: + allowed: + - core.sources + - core_updates.sources + - core_updates_testing.sources core.sources: class: Youri::Media::URPM 
@@ -128,6 +163,36 @@ medias: - core.x86_64 - core.i586 + core_updates.sources: + class: Youri::Media::URPM + options: + name: core_updates + type: source + hdlist: ${mirror_i586}/media_info/hdlist_core_updates.src.cz + options: + dependencies: + allowed: + - core.x86_64 + - core_updates.x86_64 + - core.i586 + - core_updates.i586 + + core_updates_testing.sources: + class: Youri::Media::URPM + options: + name: core_updates_testing + type: source + hdlist: ${mirror_i586}/media_info/hdlist_core_updates_testing.src.cz + options: + dependencies: + allowed: + - core.x86_64 + - core_updates.x86_64 + - core_updates_testing.x86_64 + - core.i586 + - core_updates.i586 + - core_updates_testing.i586 + nonfree.i586: class: Youri::Media::URPM options: @@ -174,4 +239,3 @@ medias: - nonfree.x86_64 - core.i586 - nonfree.i586 - diff --git a/modules/youri-check/templates/cauldron.conf b/modules/youri-check/templates/cauldron.conf index f294f530..aeace447 100644 --- a/modules/youri-check/templates/cauldron.conf +++ b/modules/youri-check/templates/cauldron.conf @@ -2,7 +2,9 @@ # helper variables mirror: http://repository.mageia.org/distrib/cauldron -mirror_i586: ${mirror}/i586/media +mirror_aarch64: ${mirror}/aarch64/media +mirror_armv7hl: ${mirror}/armv7hl/media +mirror_i686: ${mirror}/i686/media mirror_x86_64: ${mirror}/x86_64/media # resultset definition @@ -18,7 +20,7 @@ resultset: resolver: class: Youri::Check::Maintainer::Resolver::CGI options: - url: http://pkgsubmit.<%= domain %>/data/maintdb.txt + url: https://pkgsubmit.<%= domain %>/data/maintdb.txt exceptions: - nobody @@ -35,6 +37,13 @@ tests: class: Youri::Check::Test::Updates options: aliases: + basesystem: ~ + drakxtools: ~ + drakx-installer-advertising: ~ + drakx-installer-binaries: ~ + drakx-installer-images: ~ + drakx-installer-rescue: ~ + drakx-installer-stage2: ~ horde-accounts: accounts horde-chora: chora horde-forwards: forwards 
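Review bot: The helper `mirror_i586` is replaced by `mirror_i686` (plus `mirror_aarch64`/`mirror_armv7hl`) in `cauldron.conf`, but the `medias:` section that expands `${mirror_i586}` is outside this hunk; if it was not updated in the same commit, the old name no longer resolves. The sibling `9.conf` hunks in this diff still write `${mirror_i586}` in their `hdlist:` lines, so please confirm the cauldron `medias:` entries now reference `${mirror_i686}` and whether the two new ARM helpers are consumed anywhere; a short comment on the helper block naming the architectures it serves would make the next rename safer.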
@@ -46,17 +55,26 @@ tests: horde-passwd: passwd horde-turba: turba horde-vacation: vacation - freetype2: freetype - freetype: freetype1 + freetype: freetype2 gstreamer: ~ gstreamer0.10: gstreamer gnupg2: gnupg gnupg: ~ gnome-vfs2: gnome-vfs gnome-vfs: ~ - basesystem: ~ + ldetect: ~ + ldetect-lst: ~ + libutempter: utempter + perl-URPM: ~ + rpm: ~ + rpmdrake: ~ + rpmstats: ~ + rpmtools: ~ + urpmi: ~ vte: ~ vte3: vte + xine-lib: xine-lib1.2 + xine-lib-1.2: xine-lib1.2 sources: cpan: order: 0 @@ -67,30 +85,10 @@ tests: perl-Catalyst-P-S-State-Cookie: Catalyst::Plugin::State::State::Cookie perl-Catalyst-P-S-Store-FastMmap: Catalyst::Plugin::State::Store::FastMmap perl-Catalyst-P-S-Store-File: Catalyst::Plugin::State::Store::File - mandriva: - class: Youri::Check::Test::Updates::Source::Media::Mandriva + gettext: ~ + pear: order: 0 - options: - aliases: - basesystem: ~ - drakxtools: ~ - drakx-installer-advertising: ~ - drakx-installer-binaries: ~ - drakx-installer-images: ~ - drakx-installer-rescue: ~ - drakx-installer-stage2: ~ - enigma: enigma-freeoxyd - ldetect: ~ - ldetect-lst: ~ - perl-URPM: ~ - rpm: ~ - rpmdrake: ~ - rpmstats: ~ - rpmtools: ~ - urpmi: ~ -# pear: -# order: 0 -# class: Youri::Check::Test::Updates::Source::PEAR + class: Youri::Check::Test::Updates::Source::PEAR # pypi: # order: 0 # class: Youri::Check::Test::Updates::Source::PyPI 
@@ -116,67 +114,35 @@ tests: nilfs-utils: nilfs-tools mobile-broadband-provider-info: ~ cpulimit: ~ + icecream: ~ + colorize: ~ fedora: order: 1 class: Youri::Check::Test::Updates::Source::Fedora options: - url: http://ftp.free.fr/mirrors/fedora.redhat.com/fedora/linux/development/rawhide/source/SRPMS/ aliases: authd: ~ + basesystem: ~ + bash: ~ + freetype: ~ + freetype2: freetype gle: ~ gtksourceview-sharp: ~ - sqlite: sqlite2 - OpenIPMI: OpenIPMI2 + modemmanager: ModemManager + netcat-openbsd: netcat + networkmanager: NetworkManager + networkmanager-applet: network-manager-applet + networkmanager-fortisslvpn: NetworkManager-fortisslvpn + networkmanager-l2tp: NetworkManager-l2tp + networkmanager-libreswan: NetworkManager-libreswan + networkmanager-openconnect: NetworkManager-openconnect + networkmanager-openvpn: NetworkManager-openvpn + networkmanager-pptp: NetworkManager-pptp + networkmanager-vpnc: NetworkManager-vpnc ocaml-lablgtk: ~ ocaml-lablgtk2: ocaml-lablgtk - netcat-openbsd: netcat - freetype: ~ - freetype2: freetype - bash: ~ -# freshmeat: -# order: 1 -# class: Youri::Check::Test::Updates::Source::Freshmeat -# options: -# preload: 1 -# aliases: -# photon: ~ -# cmt: ~ -# boo: ~ -# db2: ~ -# dsh: ~ -# torque: ~ -# mserver: ~ -# svl: ~ -# lam: lammpi -# bazaar: baz -# db4: berkeleydb -# pcp: caltech-pcp -# kamikaze: ~ -# nut: ~ -# sqlite3: sqlite -# sqlite: ~ -# ruby-evas: ~ -# acl: ~ -# listen: ~ -# knob: ~ -# dolphin: ~ -# cheese: ~ -# dumb: ~ -# serpentine: ~ -# mms: ~ -# tasks: ~ -# xsp: ~ -# pd: ~ -# deluge: deluge-torrent -# contacts: ~ -# rt: requesttracker -# psi: psijabberclient -# arena: ~ -# ccp: ~ -# ocaml-camlpdf: camlpdf -# libxml: ~ -# glib: ~ - + OpenIPMI: OpenIPMI2 + sqlite: sqlite2 gentoo: order: 1 class: Youri::Check::Test::Updates::Source::Gentoo @@ -196,7 +162,6 @@ tests: unclutter: ~ pam-krb5: pam_krb5 pam_krb5: ~ - freetype: ~ akonadi: akonadi-server attica: libattica raptor2: raptor 
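Review bot: The fedora alias table added here (`basesystem` through `sqlite: sqlite2`) is repeated verbatim under `updates_fedora` in the hunk at -204, and the gnome alias table is likewise duplicated between the hunks at -204 and -282, so the copies will drift the next time one of them is edited. If the configuration loader accepts standard YAML anchors, declaring the first table as `aliases: &fedora_aliases` and referencing it with `aliases: *fedora_aliases` (same for gnome) keeps a single source of truth; if it does not, a comment on each copy naming its twin is the minimum. The `tests:` mapping that contains these sources starts before this hunk.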
@@ -204,77 +169,98 @@ tests: libevent: ~ wifi-radar: ~ tuxmathscrabble: ~ + chromium: ~ + cpulimit: ~ + icecream: ~ + nodejs: ~ gnome: order: 1 class: Youri::Check::Test::Updates::Source::GNOME options: + url: https://download.gnome.org/sources/ aliases: + acme: ~ GConf: ~ GConf2: GConf + gcr: ~ + gcr4: gcr + gdk-pixbuf2.0: gdk-pixbuf glib: ~ glib2.0: glib - glibmm: ~ - glibmm2.4: glibmm - gnome-desktop: ~ - gnome-desktop3: gnome-desktop - goocanvas: ~ - goocanvas2: goocanvas - gtkhtml: ~ - gtkhtml4: gtkhtml + glibmm2.4: ~ + goocanvas2: ~ + gtkmm-documentation3.0: ~ + gtkmm: ~ + gtkmm2.4: ~ + gtkmm3.0: ~ + gtkmm4.0: gtkmm + gtksourceviewmm3.0: ~ gtk: ~ gtk+2.0: ~ - gtk+3.0: gtk - libgda: ~ - libgda4.0: ~ - libgda5.0: libgda - libunique: ~ - libunique3: libunique - libwnck: ~ - libwnck3: libwnck - vte: ~ - vte3: vte + gtk+3.0: ~ + gtk4.0: gtk + modemmanager: ModemManager + networkmanager: NetworkManager + networkmanager-applet: network-manager-applet + networkmanager-fortisslvpn: NetworkManager-fortisslvpn + networkmanager-l2tp: NetworkManager-l2tp + networkmanager-libreswan: NetworkManager-libreswan + networkmanager-openconnect: NetworkManager-openconnect + networkmanager-openvpn: NetworkManager-openvpn + networkmanager-pptp: NetworkManager-pptp + networkmanager-vpnc: NetworkManager-vpnc + notify-sharp: ~ + notify-sharp3: notify-sharp + pango: ~ + pango2.0: pango netbsd: order: 1 class: Youri::Check::Test::Updates::Source::NetBSD - sourceforge: - class: Youri::Check::Test::Updates::Source::Sourceforge - options: - aliases: - bigforth: ~ - gtkmm: ~ - hydrogen: ~ - ltp: ~ - pblogan: ~ - console-tools: ~ - maxima: ~ - clisp: ~ +# sourceforge: +# class: Youri::Check::Test::Updates::Source::Sourceforge +# options: +# aliases: +# bigforth: ~ +# gtkmm: ~ +# hydrogen: ~ +# ltp: ~ +# pblogan: ~ +# console-tools: ~ +# maxima: ~ +# clisp: ~ - updates_fedora: + updates_fedora: class: Youri::Check::Test::Updates options: - aliases: - basesystem: ~ - rpm: ~ sources: fedora: 
order: 1 class: Youri::Check::Test::Updates::Source::Fedora options: - url: http://ftp.free.fr/mirrors/fedora.redhat.com/fedora/linux/development/rawhide/source/SRPMS/ aliases: authd: ~ + basesystem: ~ + bash: ~ + freetype: ~ + freetype2: freetype gle: ~ gtksourceview-sharp: ~ - sqlite: sqlite2 - OpenIPMI: OpenIPMI2 + modemmanager: ModemManager + netcat-openbsd: netcat + networkmanager: NetworkManager + networkmanager-applet: network-manager-applet + networkmanager-fortisslvpn: NetworkManager-fortisslvpn + networkmanager-l2tp: NetworkManager-l2tp + networkmanager-libreswan: NetworkManager-libreswan + networkmanager-openconnect: NetworkManager-openconnect + networkmanager-openvpn: NetworkManager-openvpn + networkmanager-pptp: NetworkManager-pptp + networkmanager-vpnc: NetworkManager-vpnc ocaml-lablgtk: ~ ocaml-lablgtk2: ocaml-lablgtk - netcat-openbsd: netcat - freetype: ~ - freetype2: freetype - bash: ~ - - updates_gnome: + OpenIPMI: OpenIPMI2 + sqlite: sqlite2 + updates_gnome: class: Youri::Check::Test::Updates options: sources: 
@@ -282,55 +268,42 @@ tests: order: 1 class: Youri::Check::Test::Updates::Source::GNOME options: + url: https://download.gnome.org/sources/ aliases: + acme: ~ GConf: ~ GConf2: GConf + gcr: ~ + gcr4: gcr + gdk-pixbuf2.0: gdk-pixbuf glib: ~ glib2.0: glib - glibmm: ~ - glibmm2.4: glibmm - gnome-desktop: ~ - gnome-desktop3: gnome-desktop - goocanvas: ~ - goocanvas2: goocanvas - gtkhtml: ~ - gtkhtml4: gtkhtml + glibmm2.4: ~ + goocanvas2: ~ + gtkmm-documentation3.0: ~ + gtkmm: ~ + gtkmm2.4: ~ + gtkmm3.0: ~ + gtkmm4.0: gtkmm + gtksourceviewmm3.0: ~ gtk: ~ gtk+2.0: ~ - gtk+3.0: gtk - libgda: ~ - libgda4.0: ~ - libgda5.0: libgda - libunique: ~ - libunique3: libunique - libwnck: ~ - libwnck3: libwnck - vte: ~ - vte3: vte - updates_mandriva: - class: Youri::Check::Test::Updates - options: - sources: - mandriva: - class: Youri::Check::Test::Updates::Source::Media::Mandriva - options: - aliases: - basesystem: ~ - drakxtools: ~ - drakx-installer-advertising: ~ - drakx-installer-binaries: ~ - drakx-installer-images: ~ - drakx-installer-rescue: ~ - drakx-installer-stage2: ~ - enigma: enigma-freeoxyd - ldetect: ~ - ldetect-lst: ~ - perl-URPM: ~ - rpm: ~ - rpmdrake: ~ - rpmstats: ~ - rpmtools: ~ - urpmi: ~ + gtk+3.0: ~ + gtk4.0: gtk + modemmanager: ModemManager + networkmanager: NetworkManager + networkmanager-applet: network-manager-applet + networkmanager-fortisslvpn: NetworkManager-fortisslvpn + networkmanager-l2tp: NetworkManager-l2tp + networkmanager-libreswan: NetworkManager-libreswan + networkmanager-openconnect: NetworkManager-openconnect + networkmanager-openvpn: NetworkManager-openvpn + networkmanager-pptp: NetworkManager-pptp + networkmanager-vpnc: NetworkManager-vpnc + notify-sharp: ~ + notify-sharp3: notify-sharp + pango: ~ + pango2.0: pango build: class: Youri::Check::Test::Build options: 
@@ -338,12 +311,16 @@ tests: iurt: class: Youri::Check::Test::Build::Source::Iurt options: - url: http://pkgsubmit.mageia.org/autobuild/cauldron + url: https://pkgsubmit.mageia.org/autobuild/cauldron arches: - x86_64 medias: - core - + age: + class: Youri::Check::Test::Age + options: + max: <%= max_days %> days + pattern: "%d days" # reports definitions reports: @@ -363,16 +340,44 @@ reports: # media definitions medias: - core.i586: + core.aarch64: class: Youri::Media::URPM options: name: core type: binary - hdlist: ${mirror_i586}/media_info/hdlist_core.cz + hdlist: ${mirror_aarch64}/core/release/media_info/hdlist.cz options: dependencies: allowed: - - core.i586 + - core.aarch64 + missing: + allowed: + - core.sources + + core.armv7hl: + class: Youri::Media::URPM + options: + name: core + type: binary + hdlist: ${mirror_armv7hl}/core/release/media_info/hdlist.cz + options: + dependencies: + allowed: + - core.armv7hl + missing: + allowed: + - core.sources + + core.i686: + class: Youri::Media::URPM + options: + name: core + type: binary + hdlist: ${mirror_i686}/media_info/hdlist_core.cz + options: + dependencies: + allowed: + - core.i686 missing: allowed: - core.sources @@ -387,7 +392,7 @@ medias: dependencies: allowed: - core.x86_64 - - core.i586 + - core.i686 missing: allowed: - core.sources @@ -398,24 +403,24 @@ medias: options: name: core type: source - hdlist: ${mirror_i586}/media_info/hdlist_core.src.cz + hdlist: ${mirror_i686}/media_info/hdlist_core.src.cz options: dependencies: allowed: - core.x86_64 - - core.i586 + - core.i686 - nonfree.i586: + nonfree.i686: class: Youri::Media::URPM options: name: nonfree type: binary - hdlist: ${mirror_i586}/media_info/hdlist_nonfree_release.cz + hdlist: ${mirror_i686}/media_info/hdlist_nonfree_release.cz options: dependencies: allowed: - - core.i586 - - nonfree.i586 + - core.i686 + - nonfree.i686 missing: allowed: - nonfree.sources 
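Review bot: The new `age` test writes `max: <%= max_days %> days`, but nothing on this page shows `max_days` being passed to the template; if the rendering manifest does not set it, the line becomes `max:  days` and, depending on the Puppet version, either the catalog fails or the Age test receives an empty count. It would be worth confirming the variable is supplied wherever this template is declared, and a comment above the test such as `# max_days is provided by the manifest that renders this template` makes the dependency visible here.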
@@ -430,9 +435,9 @@ medias: dependencies: allowed: - core.x86_64 - - core.i586 + - core.i686 - nonfree.x86_64 - - nonfree.i586 + - nonfree.i686 missing: allowed: - nonfree.sources @@ -443,12 +448,57 @@ medias: options: name: nonfree type: source - hdlist: ${mirror_i586}/media_info/hdlist_nonfree_release.src.cz + hdlist: ${mirror_i686}/media_info/hdlist_nonfree_release.src.cz options: dependencies: allowed: - core.x86_64 - nonfree.x86_64 - - core.i586 - - nonfree.i586 + - core.i686 + - nonfree.i686 + tainted.i686: + class: Youri::Media::URPM + options: + name: nonfree + type: binary + hdlist: ${mirror_i686}/media_info/hdlist_tainted_release.cz + options: + dependencies: + allowed: + - core.i686 + - tainted.i686 + missing: + allowed: + - tainted.sources + + tainted.x86_64: + class: Youri::Media::URPM + options: + name: tainted + type: binary + hdlist: ${mirror_x86_64}/media_info/hdlist_tainted_release.cz + options: + dependencies: + allowed: + - core.x86_64 + - core.i686 + - tainted.x86_64 + - tainted.i686 + missing: + allowed: + - tainted.sources + + tainted.sources: + class: Youri::Media::URPM + options: + name: tainted + type: source + hdlist: ${mirror_i686}/media_info/hdlist_tainted_release.src.cz + options: + dependencies: + allowed: + - core.x86_64 + - tainted.x86_64 + - core.i686 + - tainted.i686 diff --git a/modules/youri-check/templates/vhost_check.conf b/modules/youri-check/templates/vhost_check.conf new file mode 100644 index 00000000..2cf598b5 --- /dev/null +++ b/modules/youri-check/templates/vhost_check.conf @@ -0,0 +1,2 @@ +Header set Access-Control-Allow-Origin "http://pkgsubmit.<%= domain %>" +Header set Access-Control-Allow-Origin "https://pkgsubmit.<%= domain %>" env=HTTPS |
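Review bot: `tainted.i686` is declared with `name: nonfree`, while its key, its hdlist (`hdlist_tainted_release.cz`) and the sibling `tainted.x86_64` and `tainted.sources` entries all say tainted; this looks like a remnant of copying `nonfree.i686` and should read `name: tainted`. If `name` is what the checks use to label or group results, i686 tainted findings would be reported under nonfree. The `medias:` mapping that contains this entry starts before the hunk.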
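Review bot: The two `Header set Access-Control-Allow-Origin` lines depend on evaluation order: on an HTTPS request the first directive still sets the `http://` origin and the second merely overwrites it because `env=HTTPS` matched, so a reader, or a later reordering, can silently change which origin wins. Guarding the first line with `env=!HTTPS`, i.e. `Header set Access-Control-Allow-Origin "http://pkgsubmit.<%= domain %>" env=!HTTPS`, makes the intent explicit. Since this commit moves the pkgsubmit URLs to https elsewhere, it is also worth checking whether the plaintext origin still needs to be allowed at all.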
