23 files changed, 149 insertions, 24 deletions
diff --git a/deployment/common/manifests/default_ssh_root_key.pp b/deployment/common/manifests/default_ssh_root_key.pp index b2d55a7c..ab17466d 100644 --- a/deployment/common/manifests/default_ssh_root_key.pp +++ b/deployment/common/manifests/default_ssh_root_key.pp @@ -69,6 +69,7 @@ class common::default_ssh_root_key { } ssh_authorized_key { 'ssh_key_neoclust': + ensure => 'absent', type => 'ssh-rsa', key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDGyI8oIP8SgahPbMZ04Msr/vnI2gf4yx//QhEnZv8b++WIH0oibfK8g5Lz4HXReJRHzNXN1EhKQXoClgAKwv7zqkTLxV44tVcz8cwvfldkKNB+QxfL74JgsxCyNW8mpJdrJ71kbkT4Jt6AxeEd10ltQyqT7QDQMM7fxH8dbOCMcc7jtgOqwPXLy7hEumqkYxNuMxjrAbiDk2Nx0ddP2Ta4NJjSsGzUzSPsGhLVCO3+Wv6Ymss9Vacbe684ERwqz6odi5ZX0utfXXNphqqAckKCxurrI+LoWzt9MgWtR9iJC1joVDqRbggNm6bNNPZIdhmi5/yJrk3x7qwXb7uQNiE7', } diff --git a/deployment/dns/templates/mageia.org.zone b/deployment/dns/templates/mageia.org.zone index 2a21bc5f..cf3c7069 100644 --- a/deployment/dns/templates/mageia.org.zone +++ b/deployment/dns/templates/mageia.org.zone @@ -7,7 +7,7 @@ ; $Id$ $TTL 30m @ IN SOA ns0.mageia.org. root.mageia.org. ( - 2025021002 ; Serial + 2025062701 ; Serial 7200 ; Refresh 3600 ; Retry 3600000 ; Expire @@ -166,5 +166,8 @@ ociaa1-c IN CNAME ociaa1 ociaa2-a IN CNAME ociaa2 ociaa2-b IN CNAME ociaa2 ociaa2-c IN CNAME ociaa2 +ncaa1-a IN CNAME ncaa1 +ncaa1-b IN CNAME ncaa1 +ncaa1-c IN CNAME ncaa1 <%# vim: set filetype=bindzone : -%> diff --git a/deployment/mga_buildsystem/manifests/config.pp b/deployment/mga_buildsystem/manifests/config.pp index 7d2e5ebb..c0c62cc4 100644 --- a/deployment/mga_buildsystem/manifests/config.pp +++ b/deployment/mga_buildsystem/manifests/config.pp 
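Review bot: The revoked key material has to stay in the manifest so that `ensure => 'absent'` can match and strip it from root's authorized_keys on every host, but nothing says when the resource itself may go; add `# Revoked <date>: drop this resource once every host has applied it` above it. Removal is keyed on the resource title as far as I recall, so a copy of the same public key installed by hand under another comment would survive this run and is worth checking on one host afterwards. The enclosing class continues outside the hunk.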
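Review bot: No A/AAAA record for `ncaa1` itself is added in this hunk, so the three new CNAMEs only resolve if the template emits the node's addresses elsewhere (the existing `ociaa1-a IN CNAME ociaa1` lines suggest it does from `$nodes_ipaddr`); confirm that before the serial goes out, since a dangling CNAME for a build node is easy to miss. A short comment above the group, `; ncaa1 build node (see manifests/nodes/ncaa1.pp)`, would tie the aliases to their host. The zone continues outside the hunk.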
@@ -29,8 +29,8 @@ class mga_buildsystem::config { 'i586' => [ 'ecosse0', 'rabbit0', 'ecosse1', 'rabbit1', 'rabbit2' ], 'i686' => [ 'ecosse0', 'rabbit0', 'ecosse1', 'rabbit1', 'rabbit2' ], 'x86_64' => [ 'rabbit0', 'ecosse0', 'rabbit1', 'ecosse1', 'rabbit2' ], - 'armv7hl' => [ 'ociaa1-a', 'ociaa1-b'], - 'aarch64' => [ 'ociaa1-a', 'ociaa1-b'], + 'armv7hl' => [ 'ncaa1-a', 'ncaa1-b', 'ncaa1-c', 'ociaa1-a', 'ociaa1-b'], + 'aarch64' => [ 'ncaa1-a', 'ncaa1-b', 'ncaa1-c', 'ociaa1-a', 'ociaa1-b'], }, build_nodes_aliases => { 'ecosse0' => "ecosse.${::domain}", @@ -173,6 +173,8 @@ class mga_buildsystem::config { '2001:bc8:628:1f00::1', # Oracle cloud VMs '2603:c026:c101:f00::/64', + $::nodes_ipaddr[ncaa1][ipv4], + $::nodes_ipaddr[ncaa1][ipv6], ] $repo_allow_from_domains = [ ".${::domain}", diff --git a/deployment/wikis/templates/wiki_vhost.conf b/deployment/wikis/templates/wiki_vhost.conf index 077de211..4e1355bc 100644 --- a/deployment/wikis/templates/wiki_vhost.conf +++ b/deployment/wikis/templates/wiki_vhost.conf @@ -5,6 +5,8 @@ RewriteEngine On RewriteRule ^/?$ /en/ [R] +Alias /robots.txt <%= @wikis_root %>/robots.txt + <%- for lang in wiki_languages -%> <Directory <%= @wikis_root %>/<%= lang %>/images> diff --git a/manifests/nodes/ncaa1.pp b/manifests/nodes/ncaa1.pp new file mode 100644 index 00000000..b512939a --- /dev/null +++ b/manifests/nodes/ncaa1.pp @@ -0,0 +1,7 @@ +node ncaa1 { +# Location: Netcup, Vienna +# + include common::default_mageia_server + include mga_buildsystem::buildnode + timezone::timezone { 'Europe/Paris': } +} diff --git a/manifests/nodes_ip.pp b/manifests/nodes_ip.pp index ca395ac0..38553b61 100644 --- a/manifests/nodes_ip.pp +++ b/manifests/nodes_ip.pp @@ -60,6 +60,10 @@ $nodes_ipaddr = { }, ociaa2 => { ipv6 => '2603:c026:c101:f00::1:2', + }, + ncaa1 => { + ipv4 => '89.58.19.166', + ipv6 => '2a0a:4cc0:0:61c::1', } } diff --git a/modules/apache/manifests/mod/fcgid.pp b/modules/apache/manifests/mod/fcgid.pp index 6c815681..b8186a64 100644 
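Review bot: The two `$::nodes_ipaddr[ncaa1][...]` entries extend the repository allow-list without the provenance comment their neighbours carry (`# Oracle cloud VMs`); add `# Netcup VM ncaa1 (see manifests/nodes_ip.pp)` above them so the list stays auditable. Because the array now mixes literal CIDR strings with hash lookups, a key missing from `$nodes_ipaddr` may silently contribute `undef` rather than fail the catalog, depending on strictness settings; the same commit adds both `ipv4` and `ipv6` for ncaa1, so today the lookups are satisfied. The enclosing class continues outside the hunk.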
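Review bot: `Alias /robots.txt <%= @wikis_root %>/robots.txt` serves a file that mediawiki::base creates under `$mediawiki::config::root`; unless `@wikis_root` resolves to that same directory the alias points at a path that does not exist and Apache answers 404, so either confirm they agree or derive the alias from the same variable the manifest uses. The `<Directory>` blocks visible in this template only cover the per-language `images` directories, so also check that access to `@wikis_root` itself is granted or the alias will be refused. The vhost template continues outside the hunk.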
--- a/modules/apache/manifests/mod/fcgid.pp +++ b/modules/apache/manifests/mod/fcgid.pp @@ -1,4 +1,11 @@ class apache::mod::fcgid { include apache::base package { 'apache-mod_fcgid': } + + file { 'urlescape': + path => '/usr/local/bin/urlescape', + mode => '0755', + notify => Service['apache'], + content => template('apache/urlescape'), + } } diff --git a/modules/apache/templates/logrotate b/modules/apache/templates/logrotate index b0f41b55..823989eb 100644 --- a/modules/apache/templates/logrotate +++ b/modules/apache/templates/logrotate @@ -4,6 +4,9 @@ daily <% elsif @hostname == 'friteuse' %> # The virtual disk is very small so keep log sizes down + rotate 26 + weekly +<% elsif @hostname == 'sucuk' %> rotate 52 weekly <% else %> diff --git a/modules/apache/templates/urlescape b/modules/apache/templates/urlescape new file mode 100644 index 00000000..8feb7fa4 --- /dev/null +++ b/modules/apache/templates/urlescape @@ -0,0 +1,9 @@ +#!/usr/bin/python3 -u +# URL escape each path given on stdin +import sys +import urllib.parse +while True: + l = sys.stdin.readline() + if not l: + break + print(urllib.parse.quote(l.rstrip("\n"))) diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf index 6e34fc5d..f137c866 100644 --- a/modules/apache/templates/vhost_fcgid.conf +++ b/modules/apache/templates/vhost_fcgid.conf 
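Review bot: The `urlescape` file resource sets `mode => '0755'` but, unlike the other file resources in this change, no `owner`/`group`; Apache executes this program through `RewriteMap prg:` with its own privileges, so pin it with `owner => root, group => root,` so the web server user cannot alter a script it runs. A comment such as `# helper for RewriteMap prg: in vhost_fcgid.conf` would also explain why a mod_rewrite helper lives in `apache::mod::fcgid`. The enclosing class starts before the hunk.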
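Review bot: A program-map helper should state the protocol it implements; replace the one-line header with something like `# mod_rewrite RewriteMap prg: helper — one key per line on stdin, one percent-escaped value per line on stdout; -u keeps stdout unbuffered so Apache never waits on a buffered reply`. `urllib.parse.quote` leaves `/` unescaped by default, which is fine for the `/_check?to=...` use, but pass `safe=''` if every character must be encoded. For an empty key the script prints an empty line whereas mod_rewrite's documented not-found reply is the literal `NULL`; the only caller looks up a query string that has already matched `pathrev=|r1=`, so a comment recording that assumption is enough.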
@@ -17,13 +17,25 @@ RewriteRule . - [R=403,L] # Block expensive SVN operations on all common robots ("spider" covers a # bunch). "Expensive" is considered to be most operations other than showing a # directory or downloading a specific version of a file. -RewriteCond %{QUERY_STRING} pathrev=|annotate=|view=log|r1= -RewriteCond %{HTTP_USER_AGENT} "Googlebot|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider" +# Note: eliminating view=log and annotate= doesn't make much difference to the +# CPU load when robots are hitting the server in real world operation. +RewriteCond %{QUERY_STRING} pathrev=|r1= +RewriteCond %{HTTP_USER_AGENT} "Googlebot|GoogleOther|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto" RewriteRule . - [R=403,L] +# Only let expensive operations through when a cookie is set. If no cookie is +# set, redirect to a page where it will be set using JavaScript and redirect +# back. This will block requests from user agents that do not support +# JavaScript, which includes many robots. +RewriteMap urlescape prg:/usr/local/bin/urlescape +RewriteCond %{QUERY_STRING} pathrev=|r1= +RewriteCond %{REQUEST_URI} !/_check +RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary] +RewriteRule . 
%{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}} [R=302,L] + # Block abusive spiders by IP address who don't identify themselves in the # User-Agent: string -RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16'" +RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16' || -R '188.239.0.0/18' || -R '166.108.192.0/18' || -R '124.243.160.0/19' || -R '101.46.0.0/20'" RewriteRule . - [R=403,L] ErrorDocument 403 "<html><body>Impolite robots are not allowed</body></html>" diff --git a/modules/bugzilla/manifests/init.pp b/modules/bugzilla/manifests/init.pp index 5da26c07..e66ddf0e 100755 --- a/modules/bugzilla/manifests/init.pp +++ b/modules/bugzilla/manifests/init.pp @@ -178,12 +178,13 @@ class bugzilla { mode => '0750', } - cron { 'collectstats': - command => "cd $bugzilla_location && ./collectstats.pl", - user => 'apache', - hour => 2, - minute => 30, - } +# Improper file permissions makes this fail, and nobody seems to care +# cron { 'collectstats': +# command => "cd $bugzilla_location && ./collectstats.pl", +# user => 'apache', +# hour => 2, +# minute => 30, +# } cron { 'clean-bug-user-last-visit': command => "cd $bugzilla_location && ./clean-bug-user-last-visit.pl", diff --git a/modules/buildsystem/manifests/iurt/config.pp b/modules/buildsystem/manifests/iurt/config.pp index be440e39..b8be373e 100644 --- a/modules/buildsystem/manifests/iurt/config.pp +++ b/modules/buildsystem/manifests/iurt/config.pp @@ -20,9 +20,9 @@ define buildsystem::iurt::config() { 'java-latest-openjdk' => 172800, 'kernel' => 115200, 'libreoffice' => 432000, - 'llvm' => 86400, - 'llvm17-suite' => 86400, - 'llvm19-suite' => 86400, + 'llvm' => 115200, + 'llvm17-suite' => 115200, + 'llvm19-suite' => 115200, 'openfoam' => 115200, 'paraview' => 115200, 'qgis' => 57600, 
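Review bot: The gate `RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary]` accepts any non-empty `session` value, so it never checks the value that setcookieredirect.html sets; if the intent is to require that page to have run, match the known value, e.g. `RewriteCond %{HTTP_COOKIE} !(^|;\s*)session=6436 [novary]`, otherwise say in the comment that any value passes. Apache's documentation recommends serialising `RewriteMap prg:` lookups under a threaded MPM with a server-level `Mutex file:<lock-dir> rewrite-map`, since concurrent lookups otherwise interleave lines on the helper's stdin/stdout. A client that reaches `/_check` but does not store the cookie is bounced between the two URLs indefinitely, which is acceptable for robots but deserves a sentence in the comment. The surrounding rewrite configuration continues outside the hunk.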
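Review bot: Commenting out `cron { 'collectstats': ... }` stops Puppet from managing the job but does not remove the entry already installed in apache's crontab, so the failing job keeps running on hosts that had it. Keep the explanatory comment and replace the commented block with a removal, `cron { 'collectstats': ensure => absent, user => 'apache', }`; the resource can be deleted once every host has applied it. The enclosing class continues outside the hunk.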
diff --git a/modules/mediawiki/files/robots.txt b/modules/mediawiki/files/robots.txt new file mode 100644 index 00000000..a58c6199 --- /dev/null +++ b/modules/mediawiki/files/robots.txt @@ -0,0 +1,4 @@ +User-agent: * +Disallow: /mw-*/index.php? +Disallow: /*/Special: +Crawl-delay: 30 diff --git a/modules/mediawiki/manifests/base.pp b/modules/mediawiki/manifests/base.pp index 2685d2b3..76c8625b 100644 --- a/modules/mediawiki/manifests/base.pp +++ b/modules/mediawiki/manifests/base.pp @@ -9,6 +9,16 @@ class mediawiki::base { ensure => directory, } + $wiki_root = $mediawiki::config::root + $robotsfile = "$wiki_root/robots.txt" + file { $robotsfile: + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/mediawiki/robots.txt', + } + # file { '/usr/local/bin/init_wiki.php': # mode => '0755', # source => 'puppet:///modules/mediawiki/init_wiki.php', diff --git a/modules/mga-mirrors/files/check_mirrors_status b/modules/mga-mirrors/files/check_mirrors_status index 2d5fc7d4..9c00ac8d 100755 --- a/modules/mga-mirrors/files/check_mirrors_status +++ b/modules/mga-mirrors/files/check_mirrors_status @@ -71,8 +71,8 @@ def fetch_url(url, redirect_limit = 3) else uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) - http.open_timeout = 9 - http.read_timeout = 9 + http.open_timeout = 30 + http.read_timeout = 30 if uri.scheme == 'https' then http.use_ssl = true end diff --git a/modules/phpbb/files/robots.txt b/modules/phpbb/files/robots.txt new file mode 100644 index 00000000..1c335a73 --- /dev/null +++ b/modules/phpbb/files/robots.txt @@ -0,0 +1,7 @@ +User-agent: * +Disallow: /*/faq.php? +Disallow: /*/memberlist.php? +Disallow: /*/posting.php? +Disallow: /*/search.php? +Disallow: /*/ucp.php? +Crawl-delay: 30 diff --git a/modules/phpbb/manifests/base.pp b/modules/phpbb/manifests/base.pp index 82340c7d..9f676cb4 100644 --- a/modules/phpbb/manifests/base.pp +++ b/modules/phpbb/manifests/base.pp 
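Review bot: The robots.txt `file` resource combines `ensure => present` with `source`; Puppet's idiom for a managed regular file is `ensure => file`, which also fails early if the path turns out to be a directory or symlink. `"$wiki_root/robots.txt"` is clearer and lint-clean as `"${wiki_root}/robots.txt"`. The same two points apply to the robots.txt resource added in modules/phpbb/manifests/base.pp and to the setcookieredirect.html resource added in modules/viewvc/manifests/init.pp. The enclosing class continues outside the hunk.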
@@ -29,6 +29,15 @@ class phpbb::base { ensure => directory, } + $robotsfile = "$forums_dir/robots.txt" + file { $robotsfile: + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/phpbb/robots.txt', + } + # TODO check that everything is locked down apache::vhost::base { "forums.${::domain}": content => template('phpbb/forums_vhost.conf'), diff --git a/modules/phpbb/templates/forums_vhost.conf b/modules/phpbb/templates/forums_vhost.conf index d60e65ab..440dad1f 100644 --- a/modules/phpbb/templates/forums_vhost.conf +++ b/modules/phpbb/templates/forums_vhost.conf @@ -13,6 +13,8 @@ RewriteRule ^/$ /en/ [R] RewriteRule ^/(..)$ /$1/ [R] + Alias /robots.txt <%= forums_dir %>/robots.txt + AliasMatch ^/(..)/(.*) <%= forums_dir %>/$1/phpBB/$2 <Directory ~ "<%= forums_dir %>/.*/phpBB/"> diff --git a/modules/postgresql/templates/postgresql.conf b/modules/postgresql/templates/postgresql.conf index bc5caa09..c1e7c994 100644 --- a/modules/postgresql/templates/postgresql.conf +++ b/modules/postgresql/templates/postgresql.conf @@ -113,7 +113,7 @@ ssl = on # - Memory - -shared_buffers = 24MB # min 128kB +shared_buffers = 2048MB # min 128kB # (change requires restart) #temp_buffers = 8MB # min 800kB #max_prepared_transactions = 0 # zero disables the feature @@ -122,8 +122,8 @@ shared_buffers = 24MB # min 128kB # per transaction slot, plus lock space (see max_locks_per_transaction). # It is not advisable to set max_prepared_transactions nonzero unless you # actively intend to use prepared transactions. -#work_mem = 1MB # min 64kB -#maintenance_work_mem = 16MB # min 1MB +work_mem = 64MB # min 64kB +maintenance_work_mem = 512MB # min 1MB #max_stack_depth = 2MB # min 100kB # - Kernel Resource Usage - 
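Review bot: `shared_buffers = 2048MB` here, `work_mem = 64MB`/`maintenance_work_mem = 512MB` in the next hunk and `effective_cache_size = 4096MB` in the third are written into a template that, as far as this diff shows, every host using the postgresql module renders identically; on a smaller host PostgreSQL may refuse to start because shared_buffers is allocated up front (and, as the retained comment says, only takes effect after a restart), and `work_mem` is per sort per connection so it multiplies with `max_connections`. If more than one host renders this template, derive these values from a fact or class parameter, e.g. `shared_buffers = <%= @shared_buffers %>`; otherwise a comment naming the host and memory size they were tuned for would help the next person. The file continues outside the hunk.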
@@ -235,7 +235,7 @@ shared_buffers = 24MB # min 128kB #cpu_tuple_cost = 0.01 # same scale as above #cpu_index_tuple_cost = 0.005 # same scale as above #cpu_operator_cost = 0.0025 # same scale as above -#effective_cache_size = 128MB +effective_cache_size = 4096MB # - Genetic Query Optimizer - diff --git a/modules/sympa/manifests/server.pp b/modules/sympa/manifests/server.pp index e0fb71ef..bcdda789 100644 --- a/modules/sympa/manifests/server.pp +++ b/modules/sympa/manifests/server.pp @@ -16,6 +16,11 @@ class sympa::server( subscribe => [ Package['sympa'], File['/etc/sympa/sympa.conf']] } + service { 'sympa-outgoing': + ensure => running, + require => Service['sympa'] + } + $pgsql_password = extlookup('sympa_pgsql','x') $ldap_password = extlookup('sympa_ldap','x') diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html new file mode 100644 index 00000000..fe98b9dc --- /dev/null +++ b/modules/viewvc/files/setcookieredirect.html 
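Review bot: The new `service { 'sympa-outgoing': }` only sets `ensure => running`; without `enable => true` Puppet starts the unit but does not necessarily enable it at boot, and unlike the `sympa` service visible just above it has no `subscribe`, so a change to `/etc/sympa/sympa.conf` restarts sympa but leaves the outgoing daemon on the old configuration. Suggested: `ensure => running, enable => true, subscribe => [ Package['sympa'], File['/etc/sympa/sympa.conf'] ],` while keeping `require => Service['sympa']`. The enclosing class continues outside the hunk.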
@@ -0,0 +1,28 @@ +<!DOCTYPE html> +<html> + <head> + <title>User check</title> + <script type="text/javascript" defer> + const randomValue = "6436"; // Chosen by fair dice roll. Guaranteed to be random. + document.cookie = `session=${randomValue}; path=/; expires=${new Date(Date.now() + 24*3600*1000).toUTCString()}`; + const params = new Proxy(new URLSearchParams(window.location.search), { + get: (searchParams, prop) => searchParams.get(prop), + }); + let path = params.to; + // Sanitize redirect path to avoid malicious arbitrary redirects + if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decodeURIComponent(path))) { + const current = new URL(window.location.toLocaleString()); + window.location.href = encodeURI(current.origin + decodeURIComponent(path)); + } else { + window.onload = function() { + document.getElementById('error').innerHTML = 'Error! Bad redirect location!'; + } + } + </script> + </head> + <body> + Redirecting back... + <br> + <p id="error"><!-- space for error message --></p> + </body> +</html> diff --git a/modules/viewvc/manifests/init.pp b/modules/viewvc/manifests/init.pp index 99acec90..e1d336c9 100644 --- a/modules/viewvc/manifests/init.pp +++ b/modules/viewvc/manifests/init.pp @@ -40,9 +40,18 @@ class viewvc { source => 'puppet:///modules/viewvc/robots.txt', } + file { "$viewvc_docroot/setcookieredirect.html": + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/viewvc/setcookieredirect.html', + } + $vhost_aliases = { '/viewvc' => $viewvc_docroot, '/robots.txt' => $robotsfile, + '/_check' => "$viewvc_docroot/setcookieredirect.html", } $script_aliases = { diff --git a/modules/youri-check/manifests/init.pp b/modules/youri-check/manifests/init.pp index aef33d17..d83ba1a6 100644 --- a/modules/youri-check/manifests/init.pp +++ b/modules/youri-check/manifests/init.pp 
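Review bot: `decodeURIComponent(path)` throws `URIError` on malformed percent-encoding (and `params.to` is `null` when the parameter is absent, decoding to the string "null"), and the exception escapes the inline script, so such a request shows "Redirecting back..." forever instead of the error message; decode once inside a try/catch and reuse the result for both the regex test and the redirect, as below. Prepending `current.origin` keeps the redirect same-origin even for a `//host` path, which is the property the sanitising comment promises, so that part holds. Set the error text with `textContent` rather than `innerHTML`, and add `SameSite=Lax` to the cookie since this is a same-site bounce. `defer` has no effect on an inline script; it is the `window.onload` wrapper that makes the `getElementById` call safe.
```javascript
// … unchanged: cookie set-up and params proxy …
// Decode once; a malformed %-sequence throws URIError and must not
// escape the script, otherwise neither branch below ever runs.
let target = null;
try {
  target = decodeURIComponent(params.to);
} catch (e) {
  target = null;
}
// Sanitize redirect path to avoid malicious arbitrary redirects
if (target !== null && /^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(target)) {
  const current = new URL(window.location.toLocaleString());
  window.location.href = encodeURI(current.origin + target);
} else {
  window.onload = function() {
    document.getElementById('error').textContent = 'Error! Bad redirect location!';
  }
}
```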
@@ -40,9 +40,9 @@ class youri-check { $pgsql_server = $base::pgsql_server $pgsql_user = "youri${version}" $pgsql_password = extlookup('youri_pgsql','x') - # We want to alert to packages older than last mass rebuild - # 1646092800 is 2022-03-01 (get it with "TZ=UTC date -d2022-03-01 +%s") - $max_days = (time() - 1646092800)/(24*3600) + # We want to alert for packages older than the cut-off for latest mass rebuild + # 1745539200 is 2025-04-25 + $max_days = (time() - 1745539200)/(24*3600) file { "${config}": ensure => present, |
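Review bot: The rewritten comment drops the recipe the old one gave for regenerating the epoch, which is the only thing that lets the next person update `1745539200` without guessing; keep it, e.g. `# 1745539200 is 2025-04-25 (get it with "TZ=UTC date -d2025-04-25 +%s")`. The enclosing class continues outside the hunk.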