6 files changed, 121 insertions, 52 deletions

diff --git a/hieradata/nodes/proxyout.yaml b/hieradata/nodes/proxyout.yaml
index cac5293..0740128 100644
--- a/hieradata/nodes/proxyout.yaml
+++ b/hieradata/nodes/proxyout.yaml
@@ -11,24 +11,21 @@ profiles::squid::acls:
   - "jenkins src 172.16.2.115"
   - "puppet src 10.0.0.200"
   - "puppet src 172.16.2.10"
-  - "sun1 src 172.16.3.11"
   - "test src 172.16.2.248"
   - "testmgr src 172.16.2.10"
   - "wiki src 10.0.0.12"
   - "wiki src 172.16.2.12"
   - "cacert dstdomain .cacert.org"
-  - "debjenkins dstdomain archives.jenkins-ci.org"
+  - "debjenkins dstdomain .jenkins-ci.org"
+  - "debjenkins dstdomain .jenkins.io"
   - "debjenkins dstdomain ftp-chi.osuosl.org"
   - "debjenkins dstdomain ftp-nyc.osuosl.org"
+  - "debjenkins dstdomain ftp.belnet.be"
   - "debjenkins dstdomain ftp.yz.yamagata-u.ac.jp"
-  - "debjenkins dstdomain get.jenkins.io"
   - "debjenkins dstdomain mirror.esuni.jp"
   - "debjenkins dstdomain mirror.gruenehoelle.nl"
-  - "debjenkins dstdomain mirrors.jenkins.io"
   - "debjenkins dstdomain mirrors.seville-jam.es"
   - "debjenkins dstdomain mirrors.tuna.tsinghua.edu.cn"
-  - "debjenkins dstdomain pkg.jenkins-ci.org"
-  - "debjenkins dstdomain pkg.jenkins.io"
   - "debjenkins dstdomain prodjenkinsreleases.blob.core.windows.net"
   - "debmariadb dstdomain mirror2.hs-esslingen.de"
   - "debmirror dstdomain .debian.org"
@@ -53,7 +50,6 @@ profiles::squid::http_access:
   - "allow jenkins pypi"
   - "allow puppet puppetforge"
   - "allow puppet rubygems"
-  - "allow sun1 debmirror"
   - "allow test github"
   - "allow testmgr github"
   - "allow wiki debnginx"
diff --git a/sitemodules/profiles/files/icinga2_external_commands/check_ocsp b/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
index be3f0f0..97885e2 100644
--- a/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
+++ b/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
@@ -93,38 +93,38 @@ case ${CLASS} in
 	;;
 esac
 
+if [ ! -f "${ISSUER}" ]; then
+    echo "CRITICAL: issuer certificate file ${ISSUER} not found."
+    exit 2
+fi
+
 TMP=$(mktemp)
 ERR=${TMP}-err
 trap 'rm -f ${TMP} ${ERR}' 0 1 2 3 15
 
-openssl ocsp -issuer "${ISSUER}" -serial "${SERIAL}" -CApath "${CAPATH}" -url "${RESPONDER}" >"${TMP}" 2>&1
-
-awk '
-NR == 1 {
-		response = $0
-		next
-	}
-/This Update:/ {
-		next
-	}
-/Next Update:/ {
-		next
-	}
-	{
-		answer = answer " " $0;
-	}
-END	{
-		if (response != "Response verify OK")
-			exitcode = 2
-		else
-			exitcode = 0
-		print response " " answer;
-		exit(exitcode)
-	}
-' "${TMP}"
-EXITCODE=$?
-rm -f "${TMP}"
-exit ${EXITCODE}
+if ! openssl ocsp -issuer "${ISSUER}" -serial "${SERIAL}" -CApath "${CAPATH}" -url "${RESPONDER}" -resp_text >"${TMP}" 2>&1; then
+    echo "CRITICAL: openssl ocsp command failed"
+    echo
+    echo "captured output:"
+    cat "${TMP}"
+    exit 2
+fi
+
+if grep -q "${SERIAL}: good" "${TMP}"; then
+    echo "OK: OCSP check successful, certificate OK"
+    exit 0
+fi
+
+if grep -q "${SERIAL}: revoked" "${TMP}"; then
+    echo "WARNING: OCSP check successful, certificate revoked"
+    exit 1
+fi
+
+echo "UNKNOWN: unexpected response"
+echo
+echo "captured output:"
+cat "${TMP}"
+exit 3
 
 ##Response Verify Failure
 ##17914:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:certificate has expired
diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp
index 719fe21..fd6f225 100644
--- a/sitemodules/profiles/manifests/base.pp
+++ b/sitemodules/profiles/manifests/base.pp
@@ -99,18 +99,37 @@ class profiles::base (
     source => 'puppet:///modules/profiles/base/apt_periodic.conf',
   }
 
-  package { ['lsb-release', 'distro-info-data', 'sudo']:
+  package { ['lsb-release', 'distro-info-data']:
     ensure => present,
   }
+  class { 'sudo':
+    config_file_replace => false,
+  }
 
   package { ['zsh', 'tmux', 'less', 'vim-nox']:
     ensure => latest,
   }
 
+  if $facts['virtual'] == 'lxc' {
+    file { '/etc/network/interfaces':
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => "auto lo\niface lo inet loopback\n",
+    }
+  }
+
   Package['zsh'] -> User <| |>
 
-  package { ['aptitude', 'apticron']:
-    ensure => purged,
+  if !$is_external {
+    package { ['aptitude', 'apticron', 'isc-dhcp-client']:
+      ensure => purged,
+    }
+  } else {
+    package { ['aptitude', 'apticron']:
+      ensure => purged,
+    }
   }
 
   file { '/etc/zsh/newuser.zshrc.recommended':
@@ -153,10 +172,18 @@ class profiles::base (
     repos    => 'main',
     release  => "${::lsbdistcodename}-updates",
   }
-  apt::source { "security.debian.org-${::lsbdistcodename}-security":
-    location => 'http://security.debian.org/debian-security',
-    repos    => 'main',
-    release  => "${::lsbdistcodename}/updates",
+  if Integer($facts['os']['release']['major']) < 11 {
+    apt::source { "security.debian.org-${::lsbdistcodename}-security":
+      location => 'http://security.debian.org/debian-security',
+      repos    => 'main',
+      release  => "${::lsbdistcodename}/updates",
+    }
+  } else {
+    apt::source { "security.debian.org-${::lsbdistcodename}-security":
+      location => 'http://security.debian.org/',
+      repos    => 'main',
+      release  => "${::lsbdistcodename}-security",
+    }
   }
   apt::source { "ftp.nl.debian.org-${::lsbdistcodename}-backports":
     location => 'http://ftp.nl.debian.org/debian',
@@ -197,20 +224,35 @@ class profiles::base (
     recipient => $rootalias,
   }
 
-  package { ['ca-certificates', 'ca-cacert']:
+  package { 'ca-certificates':
     ensure => installed,
   }
 
-  file { '/usr/local/share/ca-certificates/cacert_class3_2021.crt':
+  $cacert_class1_file = '/usr/local/share/ca-certificates/cacert_class1_X0F.crt'
+  $cacert_class3_file = '/usr/local/share/ca-certificates/cacert_class3_2021.crt'
+
+  file { $cacert_class1_file:
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    source  => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
+    require => Package['ca-certificates'],
+  }
+
+  file { $cacert_class3_file:
     ensure  => file,
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
     source  => 'puppet:///modules/profiles/base/cacert_class3_2021.crt',
     require => Package['ca-certificates'],
-  } ~>
+  }
+
   exec { '/usr/sbin/update-ca-certificates':
-    require => Package['ca-certificates'],
+    require     => Package['ca-certificates'],
+    refreshonly => true,
+    subscribe   => [File[$cacert_class1_file], File[$cacert_class3_file]],
   }
 
   if ($crl_job_enable) {
@@ -239,9 +281,9 @@ class profiles::base (
         { 'services' => $crl_job_services }),
       require => [
         Package['ca-certificates'],
-        Package['ca-cacert'],
         File['/var/local/ssl/crls'],
-        File['/usr/local/share/ca-certificates/cacert_class3_2021.crt']
+        File[$cacert_class1_file],
+        File[$cacert_class3_file]
       ],
     }
   } else {
diff --git a/sitemodules/profiles/manifests/icinga2_satellite.pp b/sitemodules/profiles/manifests/icinga2_satellite.pp
index 82ff7f7..2dea62b 100644
--- a/sitemodules/profiles/manifests/icinga2_satellite.pp
+++ b/sitemodules/profiles/manifests/icinga2_satellite.pp
@@ -35,13 +35,21 @@ class profiles::icinga2_satellite {
     group  => 'root',
     mode   => '0755',
   }
+
+  $cacert_class1_file = '/usr/local/share/ca-certificates/cacert_class1_X0F.crt'
+  $cacert_class3_file = '/usr/local/share/ca-certificates/cacert_class3_2021.crt'
+
   file { '/usr/local/lib/nagios/plugins/check_ocsp':
     ensure  => file,
     owner   => 'root',
     group   => 'root',
     mode    => '0755',
     source  => 'puppet:///modules/profiles/icinga2_external_commands/check_ocsp',
-    require => Package['ca-cacert'],
+    require => [
+      Package['ca-certificates'],
+      File[$cacert_class1_file],
+      File[$cacert_class3_file]
+    ],
   }
 
   package {['rsync', 'python3-nagiosplugin', 'python3-cryptography']:
diff --git a/sitemodules/profiles/manifests/pootle.pp b/sitemodules/profiles/manifests/pootle.pp
index 7bf6a90..0d724d3 100644
--- a/sitemodules/profiles/manifests/pootle.pp
+++ b/sitemodules/profiles/manifests/pootle.pp
@@ -45,9 +45,6 @@ class profiles::pootle {
     gid    => 200,
     system => true,
   }
-  class { 'sudo':
-    config_file_replace => false,
-  }
   file { '/usr/local/bin/pootle-update':
     ensure => file,
     source => 'puppet:///modules/profiles/pootle/pootle-update',
diff --git a/sitemodules/roles/manifests/traininginstance.pp b/sitemodules/roles/manifests/traininginstance.pp
new file mode 100644
index 0000000..9cacf78
--- /dev/null
+++ b/sitemodules/roles/manifests/traininginstance.pp
@@ -0,0 +1,26 @@
+# Class: roles::traininginstance
+# ==============================
+#
+# This class defines the traininginstance role for servers providing training
+# environments for CAcert sytem administration volunteers. You should assign
+# this class using hiera or via an ENC.
+#
+# Examples
+# --------
+#
+# @example
+#   class { 'roles::traininginstance': }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2020 Jan Dittberner
+#
+class roles::traininginstance {
+  include profiles::base
+}