From jmeeuwen at puppetmanaged.org Sun Mar 7 11:47:35 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Sun, 7 Mar 2010 11:47:35 +0100 Subject: [Commits] Branch 'development' - templates/mailman-virtualhost.conf.erb Message-ID: <201003071047.o27AlZCu013524@master.puppetmanaged.org> templates/mailman-virtualhost.conf.erb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) New commits: commit f9d1c99b6246dda1ff6cf80a0f63eb6d0a4728ae Author: Jeroen van Meeuwen (Fedora Unity) Date: Sun Mar 7 11:46:03 2010 +0100 Update the mailman-virtualhost.conf template diff --git a/templates/mailman-virtualhost.conf.erb b/templates/mailman-virtualhost.conf.erb index f821228..9d7fba4 100644 --- a/templates/mailman-virtualhost.conf.erb +++ b/templates/mailman-virtualhost.conf.erb @@ -11,8 +11,10 @@ <% if virtualhost_ssl then %> RedirectMatch ^/mailman[/]*$ https://<%= servername -%>/mailman/listinfo + RedirectMatch ^[/]*$ https://<%= servername -%>/mailman/listinfo <% else %> - RedirectMatch ^/mailman[/]*$ https://<%= servername -%>/mailman/listinfo + RedirectMatch ^/mailman[/]*$ http://<%= servername -%>/mailman/listinfo + RedirectMatch ^[/]*$ http://<%= servername -%>/mailman/listinfo <% end %> /cgi-bin"> @@ -38,7 +40,10 @@ ScriptAlias /mailman /usr/lib/mailman-<%= name -%>/cgi-bin/ Alias /pipermail /var/lib/mailman-<%= name -%>/archives/public/ - RedirectMatch ^/mailman[/]*$ https://<%= servername -%>/mailman/listinfo + + RewriteEngine On + RewriteRule ^/mailman[/]*$ /mailman/listinfo [R,L] + RewriteRule ^[/]*$ /mailman/listinfo [R,L] SSLEngine On SSLEngine On From ynemoy at puppetmanaged.org Tue Mar 9 12:55:56 2010 
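Review bot: The second hunk (`@@ -38,7 +40,10 @@`) replaces the `RedirectMatch` with `RewriteEngine On` plus two `RewriteRule ... [R,L]` lines, while the first hunk keeps adding `RedirectMatch` lines for the same `/` and `/mailman` redirects; one template now does the same job two ways, which makes it harder to audit, and the rewrite variant additionally depends on mod_rewrite being loaded. Note that `[R,L]` issues a 302 by default, so if the listinfo redirect is meant to be permanent use `[R=301,L]` (and `RedirectMatch permanent` in the other vhost). The trailing context also shows `SSLEngine On` twice; if that is a duplicated directive in the template rather than an artefact of the mail rendering, one of them should go. The enclosing vhost blocks start and end outside both hunks.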
From: ynemoy at puppetmanaged.org (Yaakov Nemoy) Date: Tue, 9 Mar 2010 12:55:56 +0100 Subject: [Commits] Branch 'development' - 4 commits - manifests/init.pp Message-ID: <201003091155.o29Btu8Y031225@master.puppetmanaged.org> manifests/init.pp | 65 +++++++++++++++++++++++++++++------------------------- 1 file changed, 36 insertions(+), 29 deletions(-) New commits: commit 3620651cd77d749d4d99cefc7d7100252ce12715 Author: Yaakov M. Nemoy Date: Tue Mar 9 12:55:05 2010 +0100 Fixes a missing disable on the service for disabled diff --git a/manifests/init.pp b/manifests/init.pp index 0c67ed0..f84a3df 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -39,7 +39,7 @@ class autofs { class disabled inherits autofs { Package["autofs"] { ensure => absent } - Service["autofs"] { ensure => stopped } + Service["autofs"] { ensure => stopped, enable => false } Automountmap["auto.master"] { ensure => absent } } commit 7e34161855c5caa40058a59fd188250bbfebd7a0 Author: Yaakov M. Nemoy Date: Thu Jan 14 14:45:45 2010 +0100 Adds disabled classes diff --git a/manifests/init.pp b/manifests/init.pp index 98b0011..0c67ed0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -37,7 +37,17 @@ class autofs { automountmap {"auto.master":} + class disabled inherits autofs { + Package["autofs"] { ensure => absent } + Service["autofs"] { ensure => stopped } + Automountmap["auto.master"] { ensure => absent } + } + class home inherits autofs { automountmap {"auto.home":} + + class disabled inherits home { + Automountmap["auto.home"] { ensure => absent } + } } } commit c1230371766c59d2fa51ea2fffca0a5eb3e11d3e Author: Yaakov M. Nemoy Date: Thu Jan 14 11:30:14 2010 +0100 Replaces redundant file resources with an automount map definition diff --git a/manifests/init.pp b/manifests/init.pp index 5ac18f7..98b0011 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
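Review bot: In the first hunk (`@@ -39,7 +39,7 @@`, commit 3620651), `Service["autofs"] { ensure => stopped, enable => false }` sits next to `Package["autofs"] { ensure => absent }`, and the service declared earlier in this file carries `require => [ Automountmap["auto.master"], Package["autofs"] ]`; with that ordering Puppet removes the package first and only then tries to stop and disable a service whose init script may already be gone. Presumably the intent in `autofs::disabled` is the reverse: stop the service before the package is removed, e.g. override it to `before => Package["autofs"]` and drop its `require` on the package — check that your Puppet version lets an inherited class override `require` that way. `class disabled inherits autofs` is fully shown in the second hunk, but the enclosing `class autofs` starts and ends outside both.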
@@ -7,7 +7,7 @@ class autofs { ensure => running, enable => true, require => [ - File["/etc/auto.master"], + Automountmap["auto.master"], Package["autofs"] ] } @@ -17,35 +17,27 @@ class autofs { Package["autofs"] ) - file { "/etc/auto.master": - owner => "root", - group => "root", - mode => 640, - source => [ - "puppet://$server/private/$environment/autofs/auto.master.$hostname", - "puppet://$server/private/$environment/autofs/auto.master", - "puppet://$server/files/autofs/auto.master.$hostname", - "puppet://$server/files/autofs/auto.master", - "puppet://$server/autofs/auto.master" - ], - notify => Service["autofs"], - require => Package["autofs"] + define automountmap ( $ensure = "present" ) { + file { "/etc/$name": + ensure => $ensure, + mode => 640, + owner => "root", + group => "root", + source => [ + "puppet://$server/private/$environment/autofs/$name.$hostname", + "puppet://$server/private/$environment/autofs/$name", + "puppet://$server/files/autofs/$name.$hostname", + "puppet://$server/files/autofs/$name.master", + "puppet://$server/autofs/$name", + ], + notify => Service["autofs"], + require => Package["autofs"] + } } + automountmap {"auto.master":} + class home inherits autofs { - file { "/etc/auto.home": - owner => "root", - group => "root", - mode => 640, - source => [ - "puppet://$server/private/$environment/autofs/auto.home.$hostname", - "puppet://$server/private/$environment/autofs/auto.home", - "puppet://$server/files/autofs/auto.home.$hostname", - "puppet://$server/files/autofs/auto.home", - "puppet://$server/autofs/auto.home" - ], - notify => Service["autofs"], - require => Package["autofs"] - } + automountmap {"auto.home":} } } commit a7415be13a4b59696af97b387c1027393bd12c94 Author: Yaakov M. Nemoy Date: Thu Jan 14 11:29:12 2010 +0100 Replaces service and package with virtual resources diff --git a/manifests/init.pp b/manifests/init.pp index f584c92..5ac18f7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
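Review bot: In the second hunk (`@@ -17,35 +17,27 @@`) the fourth `source` entry of the new `automountmap` define is `"puppet://$server/files/autofs/$name.master"`, which expands to `auto.master.master` for the `auto.master` map and `auto.home.master` for `auto.home`; the file resources it replaces used the bare map name at that position. It should read `"puppet://$server/files/autofs/$name",` so the fallback order matches the old behaviour. While here, `mode => 640` is carried over unquoted; quoting it as `"0640"` removes the decimal-versus-octal ambiguity. The define also deserves a one-line header, e.g. `# Installs /etc/$name from the private/environment/files/module search path and refreshes autofs on change`.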
@@ -1,9 +1,9 @@ class autofs { - package { "autofs": + @package { "autofs": ensure => installed } - service { "autofs": + @service { "autofs": ensure => running, enable => true, require => [ @@ -12,6 +12,11 @@ class autofs { ] } + realize( + Service["autofs"], + Package["autofs"] + ) + file { "/etc/auto.master": owner => "root", group => "root", From jmeeuwen at puppetmanaged.org Tue Mar 9 14:24:06 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Tue, 9 Mar 2010 14:24:06 +0100 Subject: [Commits] Branch 'development' - files/includes.d Message-ID: <201003091324.o29DO6hm024922@master.puppetmanaged.org> files/includes.d/do-not-bloat-httpd.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) New commits: commit ea9c0083b03ebd5fb01a82551853c25a63492460 Author: Jeroen van Meeuwen (Fedora Unity) Date: Tue Mar 9 14:22:29 2010 +0100 Work around the .docx / Internet Explorer realm of problems by adding more types. See also: http://www.webdeveloper.com/forum/showthread.php?t=162526 diff --git a/files/includes.d/do-not-bloat-httpd.conf b/files/includes.d/do-not-bloat-httpd.conf index 66d301e..6df9593 100644 --- a/files/includes.d/do-not-bloat-httpd.conf +++ b/files/includes.d/do-not-bloat-httpd.conf 
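Review bot: The `@package`/`@service` declarations in the first hunk are immediately collected by the unconditional `realize(...)` added in the second hunk (`@@ -12,6 +12,11 @@`) inside the same class, so the compiled catalog appears to be the same as with the concrete declarations they replace, and the commit message does not say who else is expected to collect them. If the aim is to let other modules reference these resources without duplicate declarations, a short comment would make that explicit, e.g. `# virtual so other classes can collect Package["autofs"]/Service["autofs"] without a duplicate declaration`; if there is no such consumer, the plain declarations are simpler. The `service` body continues outside the first hunk.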
@@ -44,6 +44,25 @@ AddHandler type-map var AddType text/html .shtml AddOutputFilter INCLUDES .shtml +# See also: http://www.webdeveloper.com/forum/showthread.php?t=162526 +AddType application/vnd.ms-word.document.macroEnabled.12 .docm +AddType application/vnd.openxmlformats-officedocument.wordprocessingml.document docx +AddType application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx +AddType application/vnd.ms-powerpoint.template.macroEnabled.12 potm +AddType application/vnd.openxmlformats-officedocument.presentationml.template potx +AddType application/vnd.ms-powerpoint.addin.macroEnabled.12 ppam +AddType application/vnd.ms-powerpoint.slideshow.macroEnabled.12 ppsm +AddType application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx +AddType application/vnd.ms-powerpoint.presentation.macroEnabled.12 pptm +AddType application/vnd.openxmlformats-officedocument.presentationml.presentation pptx +AddType application/vnd.ms-excel.addin.macroEnabled.12 xlam +AddType application/vnd.ms-excel.sheet.binary.macroEnabled.12 xlsb +AddType application/vnd.ms-excel.sheet.macroEnabled.12 xlsm +AddType application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx +AddType application/vnd.ms-excel.template.macroEnabled.12 xltm +AddType application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx +# /See also + BrowserMatch "Mozilla/2" nokeepalive BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 From ynemoy at puppetmanaged.org Thu Mar 11 17:41:24 2010 
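Review bot: The first added `AddType` uses a dotted extension (`.docm`) while the remaining sixteen use bare ones (`docx`, `xlsx`, …); Apache's mod_mime accepts either form, but the mix reads like a typo and makes it harder to confirm every extension is intended. Use one form throughout, e.g. `AddType application/vnd.ms-word.document.macroEnabled.12 docm`. The block could also state its purpose rather than only linking the thread, e.g. `# Explicit Office 2007+ MIME types, worked around the .docx / Internet Explorer problems described in the linked thread`.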
From: ynemoy at puppetmanaged.org (Yaakov Nemoy) Date: Thu, 11 Mar 2010 17:41:24 +0100 Subject: [Commits] Branch 'loup-development' - 3 commits - Puppet_Reference_Guide/en-US Puppet_Reference_Guide/.gitignore Message-ID: <201003111641.o2BGfOhC004238@master.puppetmanaged.org> Puppet_Reference_Guide/.gitignore | 1 Puppet_Reference_Guide/en-US/Author_Group.xml | 10 Puppet_Reference_Guide/en-US/Modules.xml | 1 Puppet_Reference_Guide/en-US/Modules/Authconfig_Module.xml | 131 +++++++++++++ 4 files changed, 143 insertions(+) New commits: commit 9f37b0a87e1092b7cb1cac407fb6e2923e84223a Author: Yaakov M. Nemoy Date: Thu Mar 11 17:40:55 2010 +0100 Adds an authconfig chapter for documenting that module diff --git a/Puppet_Reference_Guide/en-US/Modules.xml b/Puppet_Reference_Guide/en-US/Modules.xml index ed63731..6075d8c 100644 --- a/Puppet_Reference_Guide/en-US/Modules.xml +++ b/Puppet_Reference_Guide/en-US/Modules.xml @@ -20,6 +20,7 @@ + diff --git a/Puppet_Reference_Guide/en-US/Modules/Authconfig_Module.xml b/Puppet_Reference_Guide/en-US/Modules/Authconfig_Module.xml new file mode 100644 index 0000000..230a547 --- /dev/null +++ b/Puppet_Reference_Guide/en-US/Modules/Authconfig_Module.xml @@ -0,0 +1,131 @@ + + + + + Authconfig Module + +
+ Introduction + + The puppetmanaged.org Authconfig module allows you to manage the Authconfig subsystem of Red Hat based Linux machines. This includes management of nss, libuser, pam and possibly ldap. + +
+ +
+ Prerequisites + + This module requires that you are running it on puppet. It requires Authconfig present on all nodes. + +
+ +
+ Installation + + A step-by-step description of how to install this module + +
+ +
+ Implementation + + The Authconfig module manages the following resources by classes. It currently supports two modes of authentication, files based (local user accounts) and LDAP. It does not yet support Kerberos, Kerberos + LDAP, NIS, SSSD, Hesiod nor Active Directory. + + + + Classes + + + <code>authconfig</code> + This is the base class and it does nothing + + + + + <code>authconfig::files</code> + The class to configure local account authentication only. It touches nsswitch.conf only. + + + + + <code>authconfig::ldap</code> + The class to configure ldap authentication. It touches nss, libuser, ldap, pam and the authconfig file. It also delivers an SSL certificate for authentication against the LDAP server. + + + + +
+ +
+ Extension + + The Authconfig module allows you to customize nearly every file it manages. + +
+ Customizing the certificate + You can supply any ldap certificate you want to authenticate against your ldap servers. This allows you to enable certificate based authentication and verification of the servers. + The certificate can be stored in the ldap/subdirectory as cacert.pem.$host or cacert.pem. The standard ldap configuration expects this file name. If you would prefer to use a different file name, you will have to modify the source code of the module. It is simpler to modify ldap.conf to comply with this naming scheme. The file will end up in /etc/openldap/cacerts/cacert.pem on the node. + +
+
+ Customizing NSS + The standard delivered NSS config file will take care of switching LDAP on and off where needed. For custom situations, a custom nsswitch.conf file can be provided. There are two versions of nsswitch.conf to provide, one for the files/ subdirectory and the second for the ldap/ subdirectory. As standard with puppetmanaged.org, you can provide a host specific, environment specific, or system wide version. + +
+
+ Customizing LDAP + The standard provided ldap.conf file will not authenticate against any known good server, therefore it's necessary to provide a custom one for your environment. The ldap.conf file should be put in the ldap/ subdirectory of either your environment domain configuration or your system wide configuration. + On most Linux distributions it's possible to use a seperate LDAP configuration for NSS and for OpenLDAP client programs. The NSS configuration belongs in /etc/ldap.conf and the OpenLDAP one belongs in /etc/openldap/ldap.conf. In the absence of an OpenLDAP specific configuration, this module will use the provided ldap.conf in both cases. Should you prefer a seperate configuration, put ldap.conf in ldap/openldap/. + +
+
+ Customizing Libuser + While libuser.conf probably does not require any modification, the option is present. It can be put in both the files/ and ldap/ directories per choice. + +
+
+ Customizing Authconfig + The configuration file in /etc/sysconfig can be customized as well. This is generally unadvised. The standard files provided will enable the correct authentication methods. + +
+
+ Customizing PAM + Red Hat based distributions use a special pam file system-auth and system-auth-ac for managing unified login for PAM enabled services. Since versions of PAM can vary widely from OS releases, it is possible to specify not only a node specific but also an OS specific file. The priorities are: + + + + Host specific + + + OS Minor release specific + + + OS Major release specific + + + OS Specific + + + System default + + + Module default + + + +
+
+
+ FAQ + + Frequently asked questions + + + Question? + + Answer + + +
+
+ commit 1d5f9cde6186d02a32f8f3ac23b9fea6dc928f4d Author: Yaakov M. Nemoy Date: Thu Mar 11 17:40:32 2010 +0100 Adds yours truely to the authors list diff --git a/Puppet_Reference_Guide/en-US/Author_Group.xml b/Puppet_Reference_Guide/en-US/Author_Group.xml index 1986386..ad279e0 100644 --- a/Puppet_Reference_Guide/en-US/Author_Group.xml +++ b/Puppet_Reference_Guide/en-US/Author_Group.xml @@ -12,4 +12,14 @@ j.van.meeuwen at ogd.nl + + Yaakov + Nemoy + + Systeembeheerder + Universiteit Medische Centrum Utrecht + Divisie Biomedische Genetica + + y.m.nemoy at umcutrecht.nl + commit 9f2493230b26f6049061f8852840f0542ff13252 Author: Yaakov M. Nemoy Date: Thu Mar 11 17:40:10 2010 +0100 Removes annoying backup files diff --git a/Puppet_Reference_Guide/.gitignore b/Puppet_Reference_Guide/.gitignore index 3fec32c..4ed10cb 100644 --- a/Puppet_Reference_Guide/.gitignore +++ b/Puppet_Reference_Guide/.gitignore @@ -1 +1,2 @@ tmp/ +*~ From jmeeuwen at puppetmanaged.org Thu Mar 11 22:36:05 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Thu, 11 Mar 2010 22:36:05 +0100 Subject: [Commits] Branch 'development' - 2 commits - files/iptables-functions files/ipt_whitelist Message-ID: <201003112136.o2BLa5b6009358@master.puppetmanaged.org> files/ipt_whitelist | 4 files/iptables-functions | 196 ++++++++++++++++++++++++----------------------- 2 files changed, 105 insertions(+), 95 deletions(-) New commits: commit faee106a5e637b5154fbdaa4b236b71b28410407 Author: Jeroen van Meeuwen (Fedora Unity) Date: Thu Mar 11 22:34:34 2010 +0100 Remove the example whitelist IP address that is now allocated diff --git a/files/ipt_whitelist b/files/ipt_whitelist index ee531d1..e56ea71 100644 --- a/files/ipt_whitelist +++ b/files/ipt_whitelist 
@@ -1,3 +1 @@ -127.0.0.1 -# Whitelist foo -1.2.3.4 +127.0.0.1 \ No newline at end of file commit 5fdaa6ecc7ac94ce49753578cc03bd1596cdde7e Author: Jeroen van Meeuwen (Fedora Unity) Date: Thu Mar 11 22:34:13 2010 +0100 Add allow_munin(), and sort functions alphabetically, by function name diff --git a/files/iptables-functions b/files/iptables-functions index c58bd7d..72cbd55 100644 --- a/files/iptables-functions +++ b/files/iptables-functions @@ -15,12 +15,14 @@ function flush_chain() { } function delete_chain() { + [ -z "$1" ] && break [ -z "$2" ] && table="filter" || table="$2" $iptables -t $table -F $1 > /dev/null 2>&1 $iptables -t $table -X $1 > /dev/null 2>&1 } function create_chain() { + [ -z "$1" ] && break [ -z "$2" ] && table="filter" || table="$2" $iptables -t $table -N $1 > /dev/null 2>&1 # $iptables -t $table -A $1 -j LOG @@ -57,10 +59,12 @@ function flush_all_chains() { } function trust_if() { + [ -z "$1" ] && break $iptables -A INPUT -i $1 -j ACCEPT > /dev/null 2>&1 $iptables -A FORWARD -i $1 -j ACCEPT > /dev/null 2>&1 $iptables -A FORWARD -o $1 -j ACCEPT > /dev/null 2>&1 $iptables -A OUTPUT -o $1 -j ACCEPT > /dev/null 2>&1 + $iptables -A OUTPUT -t nat -o $1 -j ACCEPT > /dev/null 2>&1 } function tcpflags_chain() { @@ -122,6 +126,7 @@ function whitelist_chain() { $iptables -A INPUT -j whitelist $iptables -A FORWARD -j whitelist + $iptables -A OUTPUT -j whitelist } function blacklist_chain() { @@ -135,9 +140,11 @@ function blacklist_chain() { $iptables -A INPUT -j blacklist $iptables -A FORWARD -j blacklist + $iptables -A OUTPUT -j blacklist } function read_chains_from_file() { + [ -z "$1" ] && break [ -z "$2" ] && table="filter" || table="$2" for chain in `cat $1 | grep -vE "^#" | awk '{print $1}' | sort | uniq`; do delete_chain $chain $table 
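Review bot: The new `[ -z "$1" ] && break` guards in `delete_chain`, `create_chain`, `trust_if` and `read_chains_from_file` (hunks `@@ -15,12 +15,14 @@`, `@@ -57,10 +59,12 @@` and `@@ -135,9 +140,11 @@`, and again in `allow_openvpn` further down) do not leave the function: outside a loop bash reports that `break` is only meaningful in a loop and carries on with the next command, and when the function is called from inside a loop (as `read_chains_from_file` does with `delete_chain`) bash may instead terminate the caller's loop. The following line then runs with an empty chain name, and `$iptables -t $table -F` with no chain flushes every chain in that table while `-X` deletes every empty user-defined chain — the opposite of what the guard is for. Replace each with `[ -z "$1" ] && return 1`. `tcpflags_chain` and the body of `read_chains_from_file` continue outside these hunks.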
@@ -171,21 +178,36 @@ function allow_standard_protocol() { esac } -function allow_ssh() { - # Allows ssh based on protocol, source, destination, chain, port and state - allow_standard_protocol "22" "tcp" $@ +function allow_certmaster() { + allow_standard_protocol "51235" "tcp" $@ } -function allow_smtp() { - allow_standard_protocol "25" "tcp" $@ +function allow_cifs() { + allow_standard_protocol "137" "udp" $@ + allow_standard_protocol "138" "udp" $@ + allow_standard_protocol "139" "tcp" $@ } -function allow_ipp() { - allow_standard_protocol "631" "tcp" $@ +function allow_dns_queries() { + allow_standard_protocol "53" "udp" $@ } -function allow_lpd() { - allow_standard_protocol "515" "tcp" $@ +function allow_dns_transfers() { + allow_standard_protocol "53" "tcp" $@ +} + +function allow_ftp() { + [ -z "$1" ] && source="0/0" || source="$1" + [ -z "$2" ] && destination="0/0" || destination="$2" + [ -z "$3" ] && chain="INPUT" || chain="$3" + allow_standard_protocol "21" "tcp" "$source" "$destination" "$chain" + + $iptables -A OUTPUT -s $source -d $destination -p udp -m udp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT + $iptables -A $chain -s $source -d $destination -p tcp -m tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT +} + +function allow_func() { + allow_standard_protocol "51234" "tcp" $@ } function allow_git() { 
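Review bot: `allow_ftp` is only moved by this hunk, but on the new side it still appends `-p udp -m udp --sport 20` to `OUTPUT` and a blanket `--dport 1024:65535 ... ESTABLISHED,RELATED` accept to `$chain`; active-mode FTP data connections use TCP port 20, so the UDP rule appears never to match, and the high-port rule duplicates whatever generic ESTABLISHED,RELATED rule the script installs elsewhere (not visible here). Worth a follow-up separate from the sort: either change the first line to `-p tcp -m tcp --sport 20` with a comment explaining active-mode data connections, or drop both lines and rely on connection tracking. The hunk cuts `allow_git` at its signature.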
@@ -200,58 +222,57 @@ function allow_https() { allow_standard_protocol "443" "tcp" $@ } -function allow_rsync() { - allow_standard_protocol "873" "tcp" $@ +function allow_icmp() { + [ -z "$1" ] && source="-s 0/0" || source="-s $1" + [ -z "$2" ] && destination="-d 0/0" || destination="-d $2" + [ -z "$3" ] && chain="INPUT" || chain="$3" + $iptables -A $chain $source $destination -p icmp -j ACCEPT } -function allow_dns_queries() { - allow_standard_protocol "53" "udp" $@ +function allow_imap() { + allow_standard_protocol "143" "tcp" $@ } -function allow_dns_transfers() { - allow_standard_protocol "53" "tcp" $@ +function allow_imaps() { + allow_standard_protocol "993" "tcp" $@ } -function allow_postgres() { - allow_standard_protocol "5432" "tcp" $@ - allow_standard_protocol "5432" "udp" $@ +function allow_ipp() { + allow_standard_protocol "631" "tcp" $@ } -function allow_ftp() { - [ -z "$1" ] && source="0/0" || source="$1" - [ -z "$2" ] && destination="0/0" || destination="$2" - [ -z "$3" ] && chain="INPUT" || chain="$3" - allow_standard_protocol "21" "tcp" "$source" "$destination" "$chain" - - $iptables -A OUTPUT -s $source -d $destination -p udp -m udp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT - $iptables -A $chain -s $source -d $destination -p tcp -m tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT +function allow_kerberos() { + allow_standard_protocol "88" "udp" $@ + allow_standard_protocol "88" "tcp" $@ } -function allow_func() { - allow_standard_protocol "51234" "tcp" $@ +function allow_ldap() { + allow_standard_protocol "389" "tcp" $@ } -function allow_certmaster() { - allow_standard_protocol "51235" "tcp" $@ +function allow_ldaps() { + allow_standard_protocol "636" "tcp" $@ } -function allow_cifs() { - allow_standard_protocol "137" "udp" $@ - allow_standard_protocol "138" "udp" $@ - allow_standard_protocol "139" "tcp" $@ +function allow_lpd() { + allow_standard_protocol "515" "tcp" $@ } -function allow_ntp() { - 
allow_standard_protocol "123" "udp" $@ +function allow_microsoft_ds() { + allow_standard_protocol "445" "udp" $@ + allow_standard_protocol "445" "tcp" $@ } function allow_msds() { allow_microsoft_ds $@ } -function allow_microsoft_ds() { - allow_standard_protocol "445" "udp" $@ - allow_standard_protocol "445" "tcp" $@ +function allow_munin() { + allow_standard_protocol "4949" "tcp" $@ +} + +function allow_mysql() { + allow_standard_protocol "3306" "tcp" $@ } function allow_nfs() { @@ -264,19 +285,40 @@ function allow_nfs() { allow_rpcstatd $@ } +function allow_nrpe() { + allow_standard_protocol "5666" "tcp" $@ +} + +function allow_ntp() { + allow_standard_protocol "123" "udp" $@ +} + +function allow_openvpn() { + port=`grep ^port /etc/openvpn/server.conf | awk '{print $2}'` + proto=`grep ^proto /etc/openvpn/server.conf | awk '{print $2}'` + [ -z "$port" ] && break + [ -z "$proto" ] && break + allow_standard_protocol $port $proto $@ +} + +function allow_pop() { + allow_standard_protocol "110" "tcp" $@ +} + +function allow_postgres() { + allow_standard_protocol "5432" "tcp" $@ + allow_standard_protocol "5432" "udp" $@ +} + +function allow_puppet() { + allow_standard_protocol "8140" "tcp" $@ +} + function allow_rpcbind() { allow_standard_protocol "111" "udp" $@ allow_standard_protocol "111" "tcp" $@ } -function allow_rpcrquotad() { - eval `grep -E "^RQUOTAD_PORT=" /etc/sysconfig/nfs` - if [ ! -z "$RQUOTAD_PORT" ]; then - allow_standard_protocol $RQUOTAD_PORT "udp" $@ - allow_standard_protocol $RQUOTAD_PORT "tcp" $@ - fi -} - function allow_rpclockd() { eval `grep -E "^LOCKD_TCPPORT=" /etc/sysconfig/nfs` eval `grep -E "^LOCKD_UDPPORT=" /etc/sysconfig/nfs` 
@@ -292,6 +334,14 @@ function allow_rpcmountd() { fi } +function allow_rpcrquotad() { + eval `grep -E "^RQUOTAD_PORT=" /etc/sysconfig/nfs` + if [ ! -z "$RQUOTAD_PORT" ]; then + allow_standard_protocol $RQUOTAD_PORT "udp" $@ + allow_standard_protocol $RQUOTAD_PORT "tcp" $@ + fi +} + function allow_rpcstatd() { eval `grep -E "^STATD_PORT=" /etc/sysconfig/nfs` eval `grep -E "^STATD_OUTGOING_PORT=" /etc/sysconfig/nfs` @@ -304,26 +354,17 @@ function allow_rpcstatd() { fi } -function allow_nrpe() { - allow_standard_protocol "5666" "tcp" $@ -} - -function allow_kerberos() { - allow_standard_protocol "88" "udp" $@ - allow_standard_protocol "88" "tcp" $@ +function allow_rsync() { + allow_standard_protocol "873" "tcp" $@ } -function allow_icmp() { - [ -z "$1" ] && source="-s 0/0" || source="-s $1" - [ -z "$2" ] && destination="-d 0/0" || destination="-d $2" - [ -z "$3" ] && chain="INPUT" || chain="$3" - $iptables -A $chain $source $destination -p icmp -j ACCEPT +function allow_smtp() { + allow_standard_protocol "25" "tcp" $@ } -function allow_openvpn() { - port=`grep ^port /etc/openvpn/server.conf | awk '{print $2}'` - proto=`grep ^proto /etc/openvpn/server.conf | awk '{print $2}'` - allow_standard_protocol $port $proto $@ +function allow_ssh() { + # Allows ssh based on protocol, source, destination, chain, port and state + allow_standard_protocol "22" "tcp" $@ } function allow_snmp() { 
@@ -341,32 +382,3 @@ function allow_syslog() { allow_standard_protocol "514" "tcp" $@ } -function allow_ldap() { - allow_standard_protocol "389" "tcp" $@ -} - -function allow_ldaps() { - allow_standard_protocol "636" "tcp" $@ -} - -allow_pop() { - allow_standard_protocol "110" "tcp" $@ -} - -allow_puppet() { - allow_standard_protocol "8140" "tcp" $@ -} - -function allow_mysql() { - allow_standard_protocol "3306" "tcp" $@ -} - -function allow_imap() { - allow_standard_protocol "143" "tcp" $@ -} - -function allow_imaps() { - allow_standard_protocol "993" "tcp" $@ -} - - From jmeeuwen at puppetmanaged.org Sat Mar 20 05:57:13 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Sat, 20 Mar 2010 05:57:13 +0100 Subject: [Commits] Branch 'development' - Makefile puppet-module-ntp.spec Message-ID: <201003200457.o2K4vDQ6014465@master.puppetmanaged.org> Makefile | 66 +++++++++++++++++++++++++++++++++++++++++++++++++ puppet-module-ntp.spec | 52 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 118 insertions(+) New commits: commit 9ac8ad0d6be41a1216f34c23c4075f37cdd6ebec Author: Jeroen van Meeuwen (Fedora Unity) Date: Sat Jan 23 17:12:08 2010 +0100 Add Makefile and .spec diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..5a5a488 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,66 @@ +MODULENAME := ntp +BRANCH := development +PKGNAME := puppet-module-$(MODULENAME) +SPECFILE := $(shell [ -f $(PKGNAME).spec ] && echo $(PKGNAME).spec || echo $(PKGNAME)-$(BRANCH).spec) +VERSION := $(shell rpm -q --qf "%{VERSION}\n" --specfile $(SPECFILE)| head -1) +RELEASE := $(shell rpm -q --qf "%{RELEASE}\n" --specfile $(SPECFILE)| head -1) + +clean: + @git clean -d -f + @rm -rf ChangeLog + @rm -rf documentation/tmp + @rm -rf $(PKGNAME)-$(BRANCH)-$(VERSION)/ + @rm -rf ./*.tar.gz + @rm -rf $(PKGNAME)-$(BRANCH)-$(VERSION).spec + +test: clean + @puppet --noop --parseonly manifests/init.pp + @echo All OK + @echo Current Version: $(VERSION) + @echo Current Release: $(RELEASE) + @echo Current Branch: $(BRANCH) + +archive: test ChangeLog + @rm -rf $(PKGNAME)-$(BRANCH)-$(VERSION).tar.gz + @rm -rf /tmp/$(PKGNAME)-$(BRANCH)-$(VERSION) /tmp/$(PKGNAME) + @dir=$$PWD; cd /tmp; cp -a $$dir $(PKGNAME)-$(BRANCH)-$(VERSION) + @mv /tmp/$(PKGNAME)-$(BRANCH)-$(VERSION)/$(PKGNAME).spec /tmp/$(PKGNAME)-$(BRANCH)-$(VERSION)/$(PKGNAME)-$(BRANCH).spec + @sed -i -e 's/%{environment}/$(BRANCH)/g' /tmp/$(PKGNAME)-$(BRANCH)-$(VERSION)/$(PKGNAME)-$(BRANCH).spec + @sed -i -e 's/%{modulename}/$(MODULENAME)/g' /tmp/$(PKGNAME)-$(BRANCH)-$(VERSION)/$(PKGNAME)-$(BRANCH).spec + @dir=$$PWD; cd /tmp; tar --exclude .git --gzip -cf $$dir/$(PKGNAME)-$(BRANCH)-$(VERSION).tar.gz $(PKGNAME)-$(BRANCH)-$(VERSION) + @rm -rf /tmp/$(PKGNAME)-$(BRANCH)-$(VERSION) + @echo "The archive is in $(PKGNAME)-$(BRANCH)-$(VERSION).tar.gz" + +ChangeLog: clean + (GIT_DIR=.git git log --pretty=oneline --abbrev-commit > .changelog.tmp && mv .changelog.tmp ChangeLog; rm -f .changelog.tmp) || (touch ChangeLog; echo 'git directory not found: installing possibly empty changelog.' 
>&2) + +bumpspec: test + @rpmdev-bumpspec $(SPECFILE) + +rpm: archive + @rpmbuild --define "modulename $(MODULENAME)" --define "environment $(BRANCH)" -ta $(PKGNAME)-$(BRANCH)-$(VERSION).tar.gz + +srpm: archive + @rpmbuild --define "modulename $(MODULENAME)" --define "environment $(BRANCH)" -ts $(PKGNAME)-$(BRANCH)-$(VERSION).tar.gz + +tag: + @git tag -m "$(PKGNAME)-$(BRANCH)-$(VERSION)" $(PKGNAME)-$(BRANCH)-$(VERSION) + +release: tag rpm + @cp $(PKGNAME).spec $(PKGNAME)-$(BRANCH).spec + @sed -i -e 's/%{environment}/$(BRANCH)/g' $(PKGNAME)-$(BRANCH).spec + @sed -i -e 's/%{modulename}/$(MODULENAME)/g' $(PKGNAME)-$(BRANCH).spec + @scp $(PKGNAME)-$(BRANCH).spec puppetmanaged.org:/var/www/puppetmanaged.org/www/releases/. + @scp $(PKGNAME)-$(BRANCH)-$(VERSION).tar.gz puppetmanaged.org:/var/www/puppetmanaged.org/www/releases/. + (for dist in el4 el5 f10 f11 f12; do \ + scp $(shell rpm --eval=%{_srcrpmdir})/$(PKGNAME)-$(BRANCH)-$(VERSION)-$(RELEASE).src.rpm puppetmanaged.org:/data/os/repos/puppet-modules/$$dist/SRPMS/.; \ + for arch in i386 x86_64; do \ + scp $(shell rpm --eval=%{_rpmdir})/noarch/$(PKGNAME)-$(BRANCH)-$(VERSION)-$(RELEASE).noarch.rpm puppetmanaged.org:/data/os/repos/puppet-modules/$$dist/$$arch/.; \ + done; \ + done) + +install: + mkdir -p $(DESTDIR)/var/lib/puppet/puppetmanaged.org/modules/$(BRANCH)/ntp + (if [ -d "files/" ]; then cp -r files $(DESTDIR)/var/lib/puppet/puppetmanaged.org/modules/$(BRANCH)/ntp/; fi) + (if [ -d "manifests/" ]; then cp -r manifests $(DESTDIR)/var/lib/puppet/puppetmanaged.org/modules/$(BRANCH)/ntp/; fi) + (if [ -d "templates/" ]; then cp -r templates $(DESTDIR)/var/lib/puppet/puppetmanaged.org/modules/$(BRANCH)/ntp/; fi) diff --git a/puppet-module-ntp.spec b/puppet-module-ntp.spec new file mode 100644 index 0000000..e9858a1 --- /dev/null +++ b/puppet-module-ntp.spec 
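Review bot: The `archive` target stages the tarball under the fixed path `/tmp/$(PKGNAME)-$(BRANCH)-$(VERSION)` after an `rm -rf` of the same name; on a shared build host another local user can pre-create that directory (or a symlink of that name) because the name is predictable from the spec, and the subsequent `cp -a`, `sed -i` and `tar` steps will follow it. Create the staging directory with `mktemp -d` (e.g. `tmp=$$(mktemp -d)` and use `$$tmp` in the later lines) or stage under the repository itself; the same applies to the unconditional `rm -rf /tmp/$(PKGNAME)`. The `release` target also lists `tag` before `rpm`, so a failed build leaves a tag behind. This hunk is the whole new file, split across two mail lines.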
@@ -0,0 +1,52 @@ +Name: puppet-module-%{modulename}-%{environment} +Summary: Puppet module for %{modulename} (%{environment}) +Group: Applications/System +Version: 1.1 +Release: 1 +License: GPLv3+ +URL: http://puppetmanaged.org/ +Source0: http://puppetmanaged.org/releases/puppet-module-%{modulename}-%{environment}-%{version}.tar.gz +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildArch: noarch +BuildRequires: publican +Requires: puppet-server + +%description +Puppet module for managing %{modulename} (this is the %{environment} branch) + +%prep +%setup -q + +%build +cd documentation +make html-all pdf-all + +%install +rm -rf %{buildroot} +mkdir -p %{buildroot} +make install DESTDIR=%{buildroot} +mkdir docs +for lang in `find documentation/tmp/ -mindepth 1 -maxdepth 1 -type d`; do + mkdir docs/`basename $lang` + mv $lang/html/ docs/`basename $lang`/html + mv $lang/pdf/ docs/`basename $lang`/pdf +done + +%clean +rm -rf %{buildroot} + +%files +%defattr(-,root,root,-) +%doc COPYING ChangeLog docs +%dir /var/lib/puppet/puppetmanaged.org/modules/%{environment}/%{modulename}/ +/var/lib/puppet/puppetmanaged.org/modules/%{environment}/%{modulename}/* + +%changelog +* Sun Sep 20 2009 Jeroen van Meeuwen - 1.0-1 +- First real version + +* Tue Dec 30 2008 Jeroen van Meeuwen - 0.0.1-2 +- rebuilt + +* Thu Sep 25 2008 Jeroen van Meeuwen - 0.0.1-1 +- First packaged version From jmeeuwen at puppetmanaged.org Sat Mar 20 12:05:10 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Sat, 20 Mar 2010 12:05:10 +0100 Subject: [Commits] Changes to 'development' Message-ID: <201003201105.o2KB5A2e003865@master.puppetmanaged.org> New branch 'development' available with the following commits: commit 1bbb3d8f5cc84283c6c92617f720bd39c60bb150 Author: Jeroen van Meeuwen (Fedora Unity) Date: Sat Mar 20 12:03:03 2010 +0100 Initial commit From jmeeuwen at puppetmanaged.org Sat Mar 20 12:05:26 2010 
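Review bot: `Version: 1.1` / `Release: 1` does not match the newest `%changelog` entry, which is `1.0-1`, so rpmlint will complain and the changelog no longer records what 1.1 changed. Add an entry above the 1.0-1 one, e.g. `* Sat Jan 23 2010 Jeroen van Meeuwen - 1.1-1` followed by a one-line description (that date is the commit date from this mail; adjust as needed). This hunk is the whole new file.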
From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Sat, 20 Mar 2010 12:05:26 +0100 Subject: [Commits] Changes to 'production' Message-ID: <201003201105.o2KB5QKK003938@master.puppetmanaged.org> New branch 'production' available with the following commits: From jmeeuwen at puppetmanaged.org Sat Mar 20 12:05:38 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Sat, 20 Mar 2010 12:05:38 +0100 Subject: [Commits] Changes to 'testing' Message-ID: <201003201105.o2KB5cY9003958@master.puppetmanaged.org> New branch 'testing' available with the following commits: From jmeeuwen at puppetmanaged.org Mon Mar 22 02:06:23 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Mon, 22 Mar 2010 02:06:23 +0100 Subject: [Commits] Branch 'production' - 4 commits - files/iptables-functions Message-ID: <201003220106.o2M16NmN028525@master.puppetmanaged.org> files/iptables-functions | 4 ++++ 1 file changed, 4 insertions(+) New commits: commit 9d3e78ac8fe8c785f64320756b8fc8d910d5fa64 Author: Jeroen van Meeuwen (Fedora Unity) Date: Mon Mar 22 02:04:41 2010 +0100 Add allow_pops diff --git a/files/iptables-functions b/files/iptables-functions index 72cbd55..5b8683b 100644 --- a/files/iptables-functions +++ b/files/iptables-functions 
@@ -305,6 +305,10 @@ function allow_pop() {
 allow_standard_protocol "110" "tcp" $@
 }
+function allow_pops() {
+ allow_standard_protocol "995" "tcp" $@
+}
+
 function allow_postgres() {
 allow_standard_protocol "5432" "tcp" $@
 allow_standard_protocol "5432" "udp" $@
commit 40e1ef63b4eac1bb14bc8d332707029025227f5c Merge: faee106... 13d4e9b... Author: Jeroen van Meeuwen (Fedora Unity) Date: Thu Mar 11 22:37:44 2010 +0100 Merge remote branch 'ogd-ext/production' into production Conflicts: files/iptables-functions commit 13d4e9bc39410f13f9dfc8364de3783fed417ffa Merge: 89eb874... d5626c7... Author: Sandro Janke Date: Tue Jun 2 15:16:59 2009 +0200 Merge branch 'production' of ssh://puppet.ogd.nl/git/puppet/iptables into production commit d5626c7f9ec841187a95461a0c051bb800a8df38 Author: Sandro Janke Date: Tue Jun 2 14:41:05 2009 +0200 Added allow-mysql function to iptables-functions
diff --git a/files/iptables-functions b/files/iptables-functions
index 0d928ae..80db842 100644
--- a/files/iptables-functions
+++ b/files/iptables-functions
@@ -385,3 +385,7 @@ function allow_ldap() {
 function allow_ldaps() {
 allow_standard_protocol "636" "tcp" $@
 }
+
+function allow_mysql() {
+ allow_standard_protocol "3306" "tcp" $@
+}
From jmeeuwen at puppetmanaged.org Mon Mar 22 02:34:19 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Mon, 22 Mar 2010 02:34:19 +0100 Subject: [Commits] Branch 'development' - 4 commits - files/iptables-functions Message-ID: <201003220134.o2M1YJsZ024815@master.puppetmanaged.org> files/iptables-functions | 4 ++++ 1 file changed, 4 insertions(+) New commits: commit 9d3e78ac8fe8c785f64320756b8fc8d910d5fa64 Author: Jeroen van Meeuwen (Fedora Unity) Date: Mon Mar 22 02:04:41 2010 +0100 Add allow_pops
diff --git a/files/iptables-functions b/files/iptables-functions
index 72cbd55..5b8683b 100644
--- a/files/iptables-functions
+++ b/files/iptables-functions
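Review bot: `allow_mysql` added by the merged commit d5626c7 (second hunk, `@@ -385,3 +385,7 @@`) duplicates the `allow_mysql` that commit 5fdaa6e already placed in the alphabetically sorted list above; if both survived the conflict resolution in merge 40e1ef6, bash silently keeps the later definition, which is harmless today but will diverge the moment one copy is edited. Confirm the post-merge `files/iptables-functions` holds a single `allow_mysql`, next to `allow_munin`. The `allow_pops` addition itself (995/tcp) is fine. The same four commits are announced for the 'development' and 'testing' branches below with identical hunks.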
@@ -305,6 +305,10 @@ function allow_pop() {
     allow_standard_protocol "110" "tcp" $@
 }
 
+function allow_pops() {
+    allow_standard_protocol "995" "tcp" $@
+}
+
 function allow_postgres() {
     allow_standard_protocol "5432" "tcp" $@
     allow_standard_protocol "5432" "udp" $@
commit 40e1ef63b4eac1bb14bc8d332707029025227f5c Merge: faee106... 13d4e9b... Author: Jeroen van Meeuwen (Fedora Unity) Date: Thu Mar 11 22:37:44 2010 +0100 Merge remote branch 'ogd-ext/production' into production Conflicts: files/iptables-functions commit 13d4e9bc39410f13f9dfc8364de3783fed417ffa Merge: 89eb874... d5626c7... Author: Sandro Janke Date: Tue Jun 2 15:16:59 2009 +0200 Merge branch 'production' of ssh://puppet.ogd.nl/git/puppet/iptables into production commit d5626c7f9ec841187a95461a0c051bb800a8df38 Author: Sandro Janke Date: Tue Jun 2 14:41:05 2009 +0200 Added allow-mysql function to iptables-functions
diff --git a/files/iptables-functions b/files/iptables-functions
index 0d928ae..80db842 100644
--- a/files/iptables-functions
+++ b/files/iptables-functions
@@ -385,3 +385,7 @@ function allow_ldap() {
 function allow_ldaps() {
     allow_standard_protocol "636" "tcp" $@
 }
+
+function allow_mysql() {
+    allow_standard_protocol "3306" "tcp" $@
+}
From jmeeuwen at puppetmanaged.org Mon Mar 22 02:34:44 2010 From: jmeeuwen at puppetmanaged.org (Jeroen van Meeuwen) Date: Mon, 22 Mar 2010 02:34:44 +0100 Subject: [Commits] Branch 'testing' - 4 commits - files/iptables-functions Message-ID: <201003220134.o2M1YiH1027504@master.puppetmanaged.org> files/iptables-functions | 4 ++++ 1 file changed, 4 insertions(+) New commits: commit 9d3e78ac8fe8c785f64320756b8fc8d910d5fa64 Author: Jeroen van Meeuwen (Fedora Unity) Date: Mon Mar 22 02:04:41 2010 +0100 Add allow_pops
diff --git a/files/iptables-functions b/files/iptables-functions
index 72cbd55..5b8683b 100644
--- a/files/iptables-functions
+++ b/files/iptables-functions
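Review bot: The new `allow_pops` forwards `$@` unquoted, so any caller argument with whitespace or glob characters is split or expanded before reaching `allow_standard_protocol`; write `allow_standard_protocol "995" "tcp" "$@"`. If those arguments are the source restriction for the rule, as the forwarding suggests but the hunk does not show, a mangled argument can silently widen what the firewall admits. The adjacent `allow_pop` and `allow_postgres` have the same flaw, so the quoting should be fixed across the file rather than only here. Adding `# POP3 over TLS (POP3S), 995/tcp` above the function would document the bare port number.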
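Review bot: `allow_mysql` admits 3306/tcp, a plaintext database service, with no comment that the rule must be scoped to trusted sources; add `# MySQL, 3306/tcp - always call with a source restriction, never expose unscoped` above it. The forwarded `$@` should also be quoted, `allow_standard_protocol "3306" "tcp" "$@"`, so a source argument survives word splitting and pathname expansion. The hunk does not show whether `allow_standard_protocol` accepts a source-restriction argument at all; if it does not, callers have no safe way to use this helper.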
@@ -305,6 +305,10 @@ function allow_pop() {
     allow_standard_protocol "110" "tcp" $@
 }
 
+function allow_pops() {
+    allow_standard_protocol "995" "tcp" $@
+}
+
 function allow_postgres() {
     allow_standard_protocol "5432" "tcp" $@
     allow_standard_protocol "5432" "udp" $@
commit 40e1ef63b4eac1bb14bc8d332707029025227f5c Merge: faee106... 13d4e9b... Author: Jeroen van Meeuwen (Fedora Unity) Date: Thu Mar 11 22:37:44 2010 +0100 Merge remote branch 'ogd-ext/production' into production Conflicts: files/iptables-functions commit 13d4e9bc39410f13f9dfc8364de3783fed417ffa Merge: 89eb874... d5626c7... Author: Sandro Janke Date: Tue Jun 2 15:16:59 2009 +0200 Merge branch 'production' of ssh://puppet.ogd.nl/git/puppet/iptables into production commit d5626c7f9ec841187a95461a0c051bb800a8df38 Author: Sandro Janke Date: Tue Jun 2 14:41:05 2009 +0200 Added allow-mysql function to iptables-functions
diff --git a/files/iptables-functions b/files/iptables-functions
index 0d928ae..80db842 100644
--- a/files/iptables-functions
+++ b/files/iptables-functions
@@ -385,3 +385,7 @@ function allow_ldap() {
 function allow_ldaps() {
     allow_standard_protocol "636" "tcp" $@
 }
+
+function allow_mysql() {
+    allow_standard_protocol "3306" "tcp" $@
+}
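Review bot: `allow_pops` passes `$@` on unquoted, so arguments containing whitespace or glob characters are word-split and pathname-expanded before `allow_standard_protocol` receives them; the line should be `allow_standard_protocol "995" "tcp" "$@"`. The forwarding suggests those arguments scope the rule (source network or interface), which is where a mangled argument would silently broaden a firewall rule, though the hunk does not show what the helper does with them. `allow_pop` and `allow_postgres` alongside it have the same unquoted form, so the quoting fix belongs to the whole file. A header comment such as `# POP3 over TLS (POP3S), 995/tcp` would explain the otherwise bare port.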
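Review bot: `allow_mysql` opens 3306/tcp, a plaintext database port, and carries no warning that it must only be used with a source restriction; add `# MySQL, 3306/tcp - always call with a source restriction, never expose unscoped` above the function. Quote the forwarded parameters as `allow_standard_protocol "3306" "tcp" "$@"` so a source argument is not split or glob-expanded on the way to the rule. Whether `allow_standard_protocol` supports such a restriction is not visible in this hunk; if it does not, the helper offers no safe way to be called.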
