-rw-r--r--hieradata/nodes/proxyout.yaml10
-rw-r--r--sitemodules/profiles/files/icinga2_external_commands/check_ocsp56
-rw-r--r--sitemodules/profiles/manifests/base.pp68
-rw-r--r--sitemodules/profiles/manifests/icinga2_satellite.pp10
-rw-r--r--sitemodules/profiles/manifests/pootle.pp3
-rw-r--r--sitemodules/roles/manifests/traininginstance.pp26
6 files changed, 121 insertions, 52 deletions
diff --git a/hieradata/nodes/proxyout.yaml b/hieradata/nodes/proxyout.yaml
index cac5293..0740128 100644
--- a/hieradata/nodes/proxyout.yaml
+++ b/hieradata/nodes/proxyout.yaml
@@ -11,24 +11,21 @@ profiles::squid::acls:
- "jenkins src 172.16.2.115"
- "puppet src 10.0.0.200"
- "puppet src 172.16.2.10"
- - "sun1 src 172.16.3.11"
- "test src 172.16.2.248"
- "testmgr src 172.16.2.10"
- "wiki src 10.0.0.12"
- "wiki src 172.16.2.12"
- "cacert dstdomain .cacert.org"
- - "debjenkins dstdomain archives.jenkins-ci.org"
+ - "debjenkins dstdomain .jenkins-ci.org"
+ - "debjenkins dstdomain .jenkins.io"
- "debjenkins dstdomain ftp-chi.osuosl.org"
- "debjenkins dstdomain ftp-nyc.osuosl.org"
+ - "debjenkins dstdomain ftp.belnet.be"
- "debjenkins dstdomain ftp.yz.yamagata-u.ac.jp"
- - "debjenkins dstdomain get.jenkins.io"
- "debjenkins dstdomain mirror.esuni.jp"
- "debjenkins dstdomain mirror.gruenehoelle.nl"
- - "debjenkins dstdomain mirrors.jenkins.io"
- "debjenkins dstdomain mirrors.seville-jam.es"
- "debjenkins dstdomain mirrors.tuna.tsinghua.edu.cn"
- - "debjenkins dstdomain pkg.jenkins-ci.org"
- - "debjenkins dstdomain pkg.jenkins.io"
- "debjenkins dstdomain prodjenkinsreleases.blob.core.windows.net"
- "debmariadb dstdomain mirror2.hs-esslingen.de"
- "debmirror dstdomain .debian.org"
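Review bot: The two added wildcard entries `.jenkins-ci.org` and `.jenkins.io` widen the egress allow-list for the `debjenkins` ACL from the four named hosts the hunk removes (archives, pkg, get, mirrors) to every host under both domains, which is a larger reachable surface than the previous host-by-host list. If the wildcard is there because the Jenkins mirror redirects land on changing hosts, a comment next to the entries, e.g. `# whole-domain match: mirror redirects land on varying hosts under these domains`, records the reason; if not, keeping the explicit host list is the tighter option. The `ftp.belnet.be` addition fits the existing per-mirror pattern and needs no comment.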
@@ -53,7 +50,6 @@ profiles::squid::http_access:
- "allow jenkins pypi"
- "allow puppet puppetforge"
- "allow puppet rubygems"
- - "allow sun1 debmirror"
- "allow test github"
- "allow testmgr github"
- "allow wiki debnginx"
diff --git a/sitemodules/profiles/files/icinga2_external_commands/check_ocsp b/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
index be3f0f0..97885e2 100644
--- a/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
+++ b/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
@@ -93,38 +93,38 @@ case ${CLASS} in
;;
esac
+if [ ! -f "${ISSUER}" ]; then
+ echo "CRITICAL: issuer certificate file ${ISSUER} not found."
+ exit 2
+fi
+
TMP=$(mktemp)
ERR=${TMP}-err
trap 'rm -f ${TMP} ${ERR}' 0 1 2 3 15
-openssl ocsp -issuer "${ISSUER}" -serial "${SERIAL}" -CApath "${CAPATH}" -url "${RESPONDER}" >"${TMP}" 2>&1
-
-awk '
-NR == 1 {
- response = $0
- next
- }
-/This Update:/ {
- next
- }
-/Next Update:/ {
- next
- }
- {
- answer = answer " " $0;
- }
-END {
- if (response != "Response verify OK")
- exitcode = 2
- else
- exitcode = 0
- print response " " answer;
- exit(exitcode)
- }
-' "${TMP}"
-EXITCODE=$?
-rm -f "${TMP}"
-exit ${EXITCODE}
+if ! openssl ocsp -issuer "${ISSUER}" -serial "${SERIAL}" -CApath "${CAPATH}" -url "${RESPONDER}" -resp_text >"${TMP}" 2>&1; then
+ echo "CRITICAL: openssl ocsp command failed"
+ echo
+ echo "captured output:"
+ cat "${TMP}"
+ exit 2
+fi
+
+if grep -q "${SERIAL}: good" "${TMP}"; then
+ echo "OK: OCSP check successful, certificate OK"
+ exit 0
+fi
+
+if grep -q "${SERIAL}: revoked" "${TMP}"; then
+ echo "WARNING: OCSP check successful, certificate revoked"
+ exit 1
+fi
+
+echo "UNKNOWN: unexpected response"
+echo
+echo "captured output:"
+cat "${TMP}"
+exit 3
##Response Verify Failure
##17914:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:certificate has expired
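Review bot: The success path at `if grep -q "${SERIAL}: good"` accepts the certificate status without checking that the OCSP response itself verified: the removed awk pipeline required the first line to be `Response verify OK`, while the rewrite relies on openssl's exit status alone to signal a verification failure. Whether `openssl ocsp` exits non-zero after printing `Response Verify Failure` varies across OpenSSL versions (the commented-out lines at the end of the hunk suggest the author has seen that output), so an explicit check on the captured output before the status greps keeps the plugin from reporting OK on an unverified response. The serial is also used unescaped as a grep pattern; for a hex serial that is harmless, but `grep -qF` states the intent. The script's earlier part (the `case ${CLASS}` block that sets ISSUER) starts before the hunk.
```shell
# … unchanged: openssl ocsp invocation and its failure branch …

if ! grep -q "^Response verify OK" "${TMP}"; then
  echo "CRITICAL: OCSP response could not be verified"
  echo
  echo "captured output:"
  cat "${TMP}"
  exit 2
fi

if grep -qF "${SERIAL}: good" "${TMP}"; then
# … unchanged: good / revoked / unknown handling …
```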
diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp
index 719fe21..fd6f225 100644
--- a/sitemodules/profiles/manifests/base.pp
+++ b/sitemodules/profiles/manifests/base.pp
@@ -99,18 +99,37 @@ class profiles::base (
source => 'puppet:///modules/profiles/base/apt_periodic.conf',
}
- package { ['lsb-release', 'distro-info-data', 'sudo']:
+ package { ['lsb-release', 'distro-info-data']:
ensure => present,
}
+ class { 'sudo':
+ config_file_replace => false,
+ }
package { ['zsh', 'tmux', 'less', 'vim-nox']:
ensure => latest,
}
+ if $facts['virtual'] == 'lxc' {
+ file { '/etc/network/interfaces':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => "auto lo\niface lo inet loopback\n",
+ }
+ }
+
Package['zsh'] -> User <| |>
- package { ['aptitude', 'apticron']:
- ensure => purged,
+ if !$is_external {
+ package { ['aptitude', 'apticron', 'isc-dhcp-client']:
+ ensure => purged,
+ }
+ } else {
+ package { ['aptitude', 'apticron']:
+ ensure => purged,
+ }
}
file { '/etc/zsh/newuser.zshrc.recommended':
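Review bot: Moving `class { 'sudo': config_file_replace => false, }` into profiles::base applies it to every host, and if this is the saz/sudo module that setting stops Puppet from replacing /etc/sudoers, so local edits to sudoers on any base host are no longer reverted; before this change the setting was limited to the pootle host (see the removal in pootle.pp). If that is intended, a one-line comment at the declaration such as `# keep hand-maintained /etc/sudoers; only sudoers.d snippets are managed` records the decision; otherwise dropping `config_file_replace` restores enforcement. `$is_external` on the `if !$is_external {` line is not declared in the hunk; the class parameter list starts before it, so I assume it is a class parameter.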
@@ -153,10 +172,18 @@ class profiles::base (
repos => 'main',
release => "${::lsbdistcodename}-updates",
}
- apt::source { "security.debian.org-${::lsbdistcodename}-security":
- location => 'http://security.debian.org/debian-security',
- repos => 'main',
- release => "${::lsbdistcodename}/updates",
+ if Integer($facts['os']['release']['major']) < 11 {
+ apt::source { "security.debian.org-${::lsbdistcodename}-security":
+ location => 'http://security.debian.org/debian-security',
+ repos => 'main',
+ release => "${::lsbdistcodename}/updates",
+ }
+ } else {
+ apt::source { "security.debian.org-${::lsbdistcodename}-security":
+ location => 'http://security.debian.org/',
+ repos => 'main',
+ release => "${::lsbdistcodename}-security",
+ }
}
apt::source { "ftp.nl.debian.org-${::lsbdistcodename}-backports":
location => 'http://ftp.nl.debian.org/debian',
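Review bot: The two `apt::source` declarations in the `if Integer($facts['os']['release']['major']) < 11` branches are identical apart from `location` and `release`, so the resource body is duplicated and the two copies can drift on the next edit. Selecting the two differing values in the conditional and declaring the source once keeps a single definition. The surrounding class profiles::base starts and ends outside the hunk.
```puppet
if Integer($facts['os']['release']['major']) < 11 {
  $security_location = 'http://security.debian.org/debian-security'
  $security_release  = "${::lsbdistcodename}/updates"
} else {
  $security_location = 'http://security.debian.org/'
  $security_release  = "${::lsbdistcodename}-security"
}
apt::source { "security.debian.org-${::lsbdistcodename}-security":
  location => $security_location,
  repos    => 'main',
  release  => $security_release,
}
```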
@@ -197,20 +224,35 @@ class profiles::base (
recipient => $rootalias,
}
- package { ['ca-certificates', 'ca-cacert']:
+ package { 'ca-certificates':
ensure => installed,
}
- file { '/usr/local/share/ca-certificates/cacert_class3_2021.crt':
+ $cacert_class1_file = '/usr/local/share/ca-certificates/cacert_class1_X0F.crt'
+ $cacert_class3_file = '/usr/local/share/ca-certificates/cacert_class3_2021.crt'
+
+ file { $cacert_class1_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
+ require => Package['ca-certificates'],
+ }
+
+ file { $cacert_class3_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/profiles/base/cacert_class3_2021.crt',
require => Package['ca-certificates'],
- } ~>
+ }
+
exec { '/usr/sbin/update-ca-certificates':
- require => Package['ca-certificates'],
+ require => Package['ca-certificates'],
+ refreshonly => true,
+ subscribe => [File[$cacert_class1_file], File[$cacert_class3_file]],
}
if ($crl_job_enable) {
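Review bot: Dropping `ca-cacert` from the list on the `package { 'ca-certificates':` line only stops Puppet from managing it; hosts that already have the package keep it installed, and unless it is removed elsewhere they end up trusting both the package's certificate set (presumably under /usr/share/ca-certificates) and the two new files under /usr/local/share/ca-certificates, including any roots this change intends to retire. Declaring `package { 'ca-cacert': ensure => purged, }` next to the new file resources makes the transition explicit. Switching the exec to `refreshonly => true` also means a bundle that is stale for any other reason is no longer regenerated on every run, which is the usual trade-off and probably intended, but worth a short comment on the exec.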
@@ -239,9 +281,9 @@ class profiles::base (
{ 'services' => $crl_job_services }),
require => [
Package['ca-certificates'],
- Package['ca-cacert'],
File['/var/local/ssl/crls'],
- File['/usr/local/share/ca-certificates/cacert_class3_2021.crt']
+ File[$cacert_class1_file],
+ File[$cacert_class3_file]
],
}
} else {
diff --git a/sitemodules/profiles/manifests/icinga2_satellite.pp b/sitemodules/profiles/manifests/icinga2_satellite.pp
index 82ff7f7..2dea62b 100644
--- a/sitemodules/profiles/manifests/icinga2_satellite.pp
+++ b/sitemodules/profiles/manifests/icinga2_satellite.pp
@@ -35,13 +35,21 @@ class profiles::icinga2_satellite {
group => 'root',
mode => '0755',
}
+
+ $cacert_class1_file = '/usr/local/share/ca-certificates/cacert_class1_X0F.crt'
+ $cacert_class3_file = '/usr/local/share/ca-certificates/cacert_class3_2021.crt'
+
file { '/usr/local/lib/nagios/plugins/check_ocsp':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
source => 'puppet:///modules/profiles/icinga2_external_commands/check_ocsp',
- require => Package['ca-cacert'],
+ require => [
+ Package['ca-certificates'],
+ File[$cacert_class1_file],
+ File[$cacert_class3_file]
+ ],
}
package {['rsync', 'python3-nagiosplugin', 'python3-cryptography']:
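Review bot: `$cacert_class1_file` and `$cacert_class3_file` are re-declared here with the same path literals as in profiles::base, so the two copies can drift, and the `File[...]` resources they name in the new `require` list are declared in profiles::base, which must be in the catalog for this class to compile. Referencing the base class's values, `$cacert_class1_file = $profiles::base::cacert_class1_file` and likewise for class3, keeps one definition, and a `require profiles::base` at the top of the class makes the dependency explicit. The class body before line 35 is outside the hunk, so it may already include profiles::base.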
diff --git a/sitemodules/profiles/manifests/pootle.pp b/sitemodules/profiles/manifests/pootle.pp
index 7bf6a90..0d724d3 100644
--- a/sitemodules/profiles/manifests/pootle.pp
+++ b/sitemodules/profiles/manifests/pootle.pp
@@ -45,9 +45,6 @@ class profiles::pootle {
gid => 200,
system => true,
}
- class { 'sudo':
- config_file_replace => false,
- }
file { '/usr/local/bin/pootle-update':
ensure => file,
source => 'puppet:///modules/profiles/pootle/pootle-update',
diff --git a/sitemodules/roles/manifests/traininginstance.pp b/sitemodules/roles/manifests/traininginstance.pp
new file mode 100644
index 0000000..9cacf78
--- /dev/null
+++ b/sitemodules/roles/manifests/traininginstance.pp
@@ -0,0 +1,26 @@
+# Class: roles::traininginstance
+# ==============================
+#
+# This class defines the traininginstance role for servers providing training
+# environments for CAcert sytem administration volunteers. You should assign
+# this class using hiera or via an ENC.
+#
+# Examples
+# --------
+#
+# @example
+# class { 'roles::traininginstance': }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2020 Jan Dittberner
+#
+class roles::traininginstance {
+ include profiles::base
+}
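Review bot: The header comment of the new file misspells "system" in "CAcert sytem administration volunteers"; the line should read `# environments for CAcert system administration volunteers. You should assign`. The class itself only includes profiles::base, which matches the other role classes' pattern as far as this diff shows.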