authorMichael Scherer <misc@mageia.org>2010-11-20 11:52:54 +0000
committerMichael Scherer <misc@mageia.org>2010-11-20 11:52:54 +0000
commitcd6351ab1212d5dea85db326113c887065b1efd6 (patch)
tree65c1f714456ce8ec15ff71eca0106f903dbc2e52
parentc173069efea53f72fc7c6a758f8eebe772464a6f (diff)
downloadpuppet-cd6351ab1212d5dea85db326113c887065b1efd6.tar
puppet-cd6351ab1212d5dea85db326113c887065b1efd6.tar.gz
puppet-cd6351ab1212d5dea85db326113c887065b1efd6.tar.bz2
puppet-cd6351ab1212d5dea85db326113c887065b1efd6.tar.xz
puppet-cd6351ab1212d5dea85db326113c887065b1efd6.zip
- do not let files with passwords be world readable
(even if being readable by apache is not good either, it is needed because the password is used by apache) - use ldaps for sympa - use the 2 new facter macros and remove the versions copied everywhere - remove hardcoded domain in bugzilla and others
-rw-r--r--modules/bugzilla/manifests/init.pp10
-rw-r--r--modules/bugzilla/templates/params8
-rw-r--r--modules/bugzilla/templates/vhost_bugs.conf (renamed from modules/bugzilla/templates/vhost_bugs.mageia.org.conf)2
-rw-r--r--modules/bugzilla/templates/webapp_bugzilla.conf2
-rw-r--r--modules/catdap/manifests/init.pp5
-rw-r--r--modules/catdap/templates/catdap_local.yml4
-rw-r--r--modules/epoll/manifests/init.pp4
-rw-r--r--modules/mga-mirrors/manifests/init.pp4
-rw-r--r--modules/openldap/templates/slapd.conf8
-rw-r--r--modules/openssh/manifests/init.pp7
-rw-r--r--modules/pam/templates/ldap.conf3
-rw-r--r--modules/postfix/templates/main.cf5
-rw-r--r--modules/postfix/templates/simple_relay_main.cf5
-rwxr-xr-xmodules/restrictshell/templates/ldap-sshkey2file.py4
-rw-r--r--modules/sympa/manifests/init.pp8
-rw-r--r--modules/sympa/templates/auth.conf6
-rw-r--r--modules/transifex/manifests/init.pp6
-rw-r--r--modules/transifex/templates/20-engines.conf2
18 files changed, 35 insertions, 58 deletions
diff --git a/modules/bugzilla/manifests/init.pp b/modules/bugzilla/manifests/init.pp
index 4a72fb75..23a24f1e 100644
--- a/modules/bugzilla/manifests/init.pp
+++ b/modules/bugzilla/manifests/init.pp
@@ -10,8 +10,8 @@ class bugzilla {
file { '/etc/bugzilla/localconfig':
ensure => present,
owner => root,
- group => root,
- mode => 644,
+ group => apache,
+ mode => 640,
content => template("bugzilla/localconfig")
}
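Review bot: The new `mode => 640` is written as an unquoted number; Puppet's documented form for permission bits is a quoted four-digit octal string, `mode => '0640'`, which avoids the integer-versus-octal ambiguity of later parsers and the "non-string values for the file mode property are deprecated" warning that newer agents print. The same unquoted form is used by the other file resources this commit touches (the params resource in the next hunk, and the catdap, epoll, mga-mirrors, sympa and transifex manifests). Because localconfig carries the LDAP bind password, it is also worth adding `show_diff => false` on this resource where the Puppet release in use supports that parameter, so a content change is not echoed into agent logs and reports. The enclosing `class bugzilla` continues outside the hunk.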
@@ -19,8 +19,8 @@ class bugzilla {
file { '/var/lib/bugzilla/params':
ensure => present,
owner => root,
- group => root,
- mode => 644,
+ group => apache,
+ mode => 640,
content => template("bugzilla/params")
}
@@ -30,7 +30,7 @@ class bugzilla {
}
apache::vhost_other_app { "bugs.$domain":
- vhost_file => "bugzilla/vhost_bugs.mageia.org.conf",
+ vhost_file => "bugzilla/vhost_bugs.conf",
}
}
diff --git a/modules/bugzilla/templates/params b/modules/bugzilla/templates/params
index 78c5b5e3..df5c98a2 100644
--- a/modules/bugzilla/templates/params
+++ b/modules/bugzilla/templates/params
@@ -1,9 +1,9 @@
%param = (
- 'LDAPBaseDN' => 'ou=People,dc=mageia,dc=org',
- 'LDAPbinddn' => 'cn=bugzilla-alamut,ou=System Accounts,dc=mageia,dc=org:<%= passwordLdap %>',
+ 'LDAPBaseDN' => 'ou=People,<%= dc_suffix %>',
+ 'LDAPbinddn' => 'cn=bugzilla-alamut,ou=System Accounts,<%= dc_suffix %>:<%= passwordLdap %>',
'LDAPfilter' => '',
'LDAPmailattribute' => 'mail',
- 'LDAPserver' => 'ldap.mageia.org',
+ 'LDAPserver' => 'ldap.<%= domain %>',
'LDAPstarttls' => '1',
'LDAPuidattribute' => 'uid',
'RADIUS_NAS_IP' => '',
@@ -88,7 +88,7 @@
'strict_isolation' => 0,
'timetrackinggroup' => 'editbugs',
'upgrade_notification' => 'latest_stable_release',
- 'urlbase' => 'http://bugs.mageia.org/',
+ 'urlbase' => 'http://bugs.<%= domain %>/',
'use_mailer_queue' => 0,
'use_see_also' => 1,
'usebugaliases' => 0,
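Review bot: The templated `urlbase` on line L90 keeps the hard-coded `http://` scheme, so the domain parameterization does not change that logins and session cookies travel in clear text. If an https vhost exists for this host, setting Bugzilla's `sslbase` and `ssl_redirect` parameters next to `urlbase` would keep authentication off the plaintext vhost; if only the `*:80` vhost from the renamed template exists, that is a follow-up rather than a change to this hunk.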
diff --git a/modules/bugzilla/templates/vhost_bugs.mageia.org.conf b/modules/bugzilla/templates/vhost_bugs.conf
index 60cd8195..25306b1e 100644
--- a/modules/bugzilla/templates/vhost_bugs.mageia.org.conf
+++ b/modules/bugzilla/templates/vhost_bugs.conf
@@ -1,5 +1,5 @@
<%
-path_data_directory = "/usr/lib" + ( architecture == "x86_64" ? '64' : '') + "/bugzilla"
+path_data_directory = lib_dir + "/bugzilla"
%>
<VirtualHost *:80>
diff --git a/modules/bugzilla/templates/webapp_bugzilla.conf b/modules/bugzilla/templates/webapp_bugzilla.conf
index 6f22eed0..a37760d8 100644
--- a/modules/bugzilla/templates/webapp_bugzilla.conf
+++ b/modules/bugzilla/templates/webapp_bugzilla.conf
@@ -1,5 +1,5 @@
<%
-path_data_directory = "/usr/lib" + ( architecture == "x86_64" ? '64' : '') + "/bugzilla"
+path_data_directory = lib_dir + "/bugzilla"
%>
<Directory /usr/share/bugzilla/www>
diff --git a/modules/catdap/manifests/init.pp b/modules/catdap/manifests/init.pp
index ad97fc29..018b6ed5 100644
--- a/modules/catdap/manifests/init.pp
+++ b/modules/catdap/manifests/init.pp
@@ -25,8 +25,9 @@ class catdap {
file { "$catdap_location/catdap_local.yml":
ensure => present,
- owner => apache,
- mode => 600,
+ owner => root,
+ group => apache,
+ mode => 640,
content => template("catdap/catdap_local.yml"),
require => Subversion::Snapshot[$catdap_location]
}
diff --git a/modules/catdap/templates/catdap_local.yml b/modules/catdap/templates/catdap_local.yml
index b62f80a4..50f43601 100644
--- a/modules/catdap/templates/catdap_local.yml
+++ b/modules/catdap/templates/catdap_local.yml
@@ -1,8 +1,4 @@
<%
-# domain come from facter
-
-dc_suffix = 'dc=' + domain.gsub('.',',dc=')
-
ldap_server = 'ldap.' + domain
ldap_password = catdap_password
diff --git a/modules/epoll/manifests/init.pp b/modules/epoll/manifests/init.pp
index b63673f9..e981a952 100644
--- a/modules/epoll/manifests/init.pp
+++ b/modules/epoll/manifests/init.pp
@@ -15,9 +15,9 @@ class epoll {
file { "epoll.yml":
path => "/etc/epoll.yml",
ensure => "present",
- owner => apache,
+ owner => root,
group => apache,
- mode => 600,
+ mode => 640,
content => template("epoll/epoll.yml")
}
}
diff --git a/modules/mga-mirrors/manifests/init.pp b/modules/mga-mirrors/manifests/init.pp
index 128fc7a9..f602a47e 100644
--- a/modules/mga-mirrors/manifests/init.pp
+++ b/modules/mga-mirrors/manifests/init.pp
@@ -15,9 +15,9 @@ class mga-mirrors {
file { "mga-mirrors.ini":
path => "/etc/mga-mirrors.ini",
ensure => "present",
- owner => apache,
+ owner => root,
group => apache,
- mode => 600,
+ mode => 640,
content => template("mga-mirrors/mga-mirrors.ini")
}
}
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
index faf46dba..7edab29b 100644
--- a/modules/openldap/templates/slapd.conf
+++ b/modules/openldap/templates/slapd.conf
@@ -1,9 +1,3 @@
-<%
-dc_suffix = 'dc=' + domain.gsub('.',',dc=')
-path_module_directory = "/usr/lib" + ( architecture == "x86_64" ? '64' : '') + "/openldap"
-
-%>
-
# slapd.conf template
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
@@ -32,7 +26,7 @@ include /usr/share/openldap/schema/openssh-lpk_openldap.schema
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
-modulepath <%= path_module_directory %>
+modulepath <%= lib_dir %>/openldap
moduleload back_monitor.la
moduleload syncprov.la
moduleload ppolicy.la
diff --git a/modules/openssh/manifests/init.pp b/modules/openssh/manifests/init.pp
index 6c818aea..e55660fd 100644
--- a/modules/openssh/manifests/init.pp
+++ b/modules/openssh/manifests/init.pp
@@ -1,12 +1,7 @@
class openssh {
# some trick to manage sftp server, who is arch dependent on mdv
- $usr_lib = $architecture ? {
- x86_64 => "lib64",
- default => "lib"
- }
-
- $path_to_sftp = "/usr/$usr_lib/ssh/"
+ $path_to_sftp = "$lib_dir/ssh/"
package { "openssh-server":
ensure => installed
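Review bot: The comment on line L201 ("some trick to manage sftp server, who is arch dependent on mdv") now describes code that the hunk removes; the remaining line simply reads the `$lib_dir` fact. Suggest rewording it to `# sftp-server lives under the arch-dependent lib dir on mdv; $lib_dir is provided by the custom fact`, so the next reader knows where the value comes from and that the manifest now depends on that fact being synced to every node. The rest of `class openssh` is outside the hunk.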
diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf
index c614223e..0b3a19fc 100644
--- a/modules/pam/templates/ldap.conf
+++ b/modules/pam/templates/ldap.conf
@@ -1,6 +1,3 @@
-<%
-dc_suffix = 'dc=' + domain.gsub('.',',dc=')
-%>
uri ldap://ldap.<%= domain %>
base <%= dc_suffix %>
diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf
index e6f53bbf..7b60f3a3 100644
--- a/modules/postfix/templates/main.cf
+++ b/modules/postfix/templates/main.cf
@@ -3,9 +3,6 @@
# This file contains only the parameters changed from a default install
# see /etc/postfix/main.cf.dist for a commented, fuller version of this file.
-<%
-path_daemon_directory = "/usr/lib" + ( architecture == "x86_64" ? '64' : '') + "/postfix/"
-%>
# These are changed by postfix install script
readme_directory = /usr/share/doc/postfix/README_FILES
@@ -14,7 +11,7 @@ sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
-daemon_directory = <%= path_daemon_directory %>
+daemon_directory = <%= lib_dir %>/postfix/
data_directory = /var/lib/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
diff --git a/modules/postfix/templates/simple_relay_main.cf b/modules/postfix/templates/simple_relay_main.cf
index dbe473d1..5f8d44ca 100644
--- a/modules/postfix/templates/simple_relay_main.cf
+++ b/modules/postfix/templates/simple_relay_main.cf
@@ -3,9 +3,6 @@
# This file contains only the parameters changed from a default install
# see /etc/postfix/main.cf.dist for a commented, fuller version of this file.
-<%
-path_daemon_directory = "/usr/lib" + ( architecture == "x86_64" ? '64' : '') + "/postfix/"
-%>
# These are changed by postfix install script
readme_directory = /usr/share/doc/postfix/README_FILES
@@ -14,7 +11,7 @@ sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
-daemon_directory = <%= path_daemon_directory %>
+daemon_directory = <%= lib_dir %>/postfix/
data_directory = /var/lib/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
diff --git a/modules/restrictshell/templates/ldap-sshkey2file.py b/modules/restrictshell/templates/ldap-sshkey2file.py
index 9668973d..ec5afc8e 100755
--- a/modules/restrictshell/templates/ldap-sshkey2file.py
+++ b/modules/restrictshell/templates/ldap-sshkey2file.py
@@ -9,9 +9,7 @@ try:
except ImportError, e:
print "Please install python-ldap before running this program"
sys.exit(1)
-<%
-dc_suffix = 'dc=' + domain.gsub('.',',dc=')
-%>
+
basedn="<%= dc_suffix %>"
peopledn="ou=people,%s" % basedn
uris=['ldap://ldap.<%= domain %>']
diff --git a/modules/sympa/manifests/init.pp b/modules/sympa/manifests/init.pp
index d97560fa..3a68ddcd 100644
--- a/modules/sympa/manifests/init.pp
+++ b/modules/sympa/manifests/init.pp
@@ -11,9 +11,11 @@ class sympa {
file { '/etc/sympa/sympa.conf':
ensure => present,
- owner => root,
- group => root,
- mode => 644,
+ # should be cleaner to have it root owned, but puppet do not support acl
+ # and in any case, config will be reset if it change
+ owner => sympa,
+ group => apache,
+ mode => 640,
content => template("sympa/sympa.conf")
}
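Review bot: The comment added on lines L288–L289 documents an important trade-off but reads awkwardly and understates it: with `owner => sympa` the daemon can rewrite its own configuration, including the LDAP credentials it then uses, and Puppet only restores the content at the next agent run, so the exposure window is the run interval rather than "in any case". Suggest `# root ownership would be cleaner, but puppet does not support ACLs and both sympa and apache must read this file;` followed by `# puppet rewrites the content on its next run if the sympa user changes it`. A dedicated shared group (root-owned file, group with both users) would remove the write access entirely, but that is a larger change than this hunk.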
diff --git a/modules/sympa/templates/auth.conf b/modules/sympa/templates/auth.conf
index d6882a47..220118b5 100644
--- a/modules/sympa/templates/auth.conf
+++ b/modules/sympa/templates/auth.conf
@@ -1,12 +1,12 @@
ldap
- host ldap.mageia.org:389
+ host ldap.<%= domain %>:389
timeout 30
- suffix dc=mageia,dc=org
+ suffix <%= dc_suffix %>
get_dn_by_uid_filter (uid=[sender])
get_dn_by_email (|(mail=[sender])(mailalternateaddress=[sender]))
email_attribute mail
scope sub
-
+ use_ssl 1
user_table
regexp .*
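Review bot: `use_ssl 1` on line L311 is added while `host` on line L302 still names port 389; as I read Sympa's auth.conf, `use_ssl` selects an LDAPS (TLS-on-connect) session, which a stock slapd serves on 636, while 389 only offers StartTLS, so unless this slapd is deliberately configured for TLS on 389 the bind is likely to fail — `host ldap.<%= domain %>:636` looks like the intended pairing. The same line replaces the blank line that separated the `ldap` paragraph from `user_table`; if this Sympa version delimits auth.conf paragraphs by empty lines, `user_table` would now be parsed into the ldap paragraph, so an empty line should be kept before it. Finally, confirm that the server certificate is verified on this path (a CA configured for the LDAP client), since LDAPS without verification still exposes the bind credentials to an on-path attacker.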
diff --git a/modules/transifex/manifests/init.pp b/modules/transifex/manifests/init.pp
index 73322e9d..32069430 100644
--- a/modules/transifex/manifests/init.pp
+++ b/modules/transifex/manifests/init.pp
@@ -8,8 +8,8 @@ class transifex {
path => "/etc/transifex/20-engines.conf",
ensure => present,
owner => root,
- group => root,
- mode => 755,
+ group => apache,
+ mode => 640,
content => template("transifex/20-engines.conf")
}
@@ -18,7 +18,7 @@ class transifex {
ensure => present,
owner => root,
group => root,
- mode => 755,
+ mode => 644,
content => template("transifex/30-site.conf")
}
diff --git a/modules/transifex/templates/20-engines.conf b/modules/transifex/templates/20-engines.conf
index ed826902..1906a438 100644
--- a/modules/transifex/templates/20-engines.conf
+++ b/modules/transifex/templates/20-engines.conf
@@ -10,7 +10,7 @@ DATABASE_NAME = 'transifex'
# The following are not used for sqlite3
DATABASE_USER = 'transifex'
DATABASE_PASSWORD = '<%= password %>'
-DATABASE_HOST = 'pgsql.mageia.org' # Set to empty string for local socket
+DATABASE_HOST = 'pgsql.<%= domain %>' # Set to empty string for local socket
DATABASE_PORT = '' # Set to empty string for default
## Caching (optional)