......@@ -9,4 +9,5 @@ end
mod 'puppet-healthcheck'
mod 'scl', :git => 'https://git-ipuppet.immerda.ch/module-scl'
mod 'selinux', :git => 'https://git-ipuppet.immerda.ch/module-selinux'
mod 'tor', :git => 'https://git-ipuppet.immerda.ch/module-tor'
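Review bot: The new `mod 'tor'` entry pulls the module from a git URL with no `:ref`, so every resolution takes whatever the remote's default branch holds at that moment; the scl and selinux entries above do the same, so this follows the file's pattern rather than introducing it. Pinning to a tag or commit makes the install reproducible and limits the effect of a force-pushed or compromised upstream: `mod 'tor', :git => 'https://git-ipuppet.immerda.ch/module-tor', :ref => '<tag-or-commit>'`. If tracking the branch head is deliberate, a one-line comment saying so would spare the next reader the question.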
......@@ -22,12 +22,12 @@ class schleuder::base {
ensure => running,
enable => true,
} -> http_conn_validator { 'schleuder-api-ready':
host => $schleuder::api_host,
port => $schleuder::api_port,
use_ssl => true,
test_url => '/status.json',
host => $schleuder::api_host,
port => $schleuder::api_port,
use_ssl => true,
test_url => '/status.json',
# api likely uses custom certs
verify_peer => false,
verify_peer => false,
}
file{'/var/lib/schleuder/adminkeys':
......@@ -43,7 +43,7 @@ class schleuder::base {
}
if $schleuder::cli_api_key {
class{'schleuder::client':
class{'::schleuder::client':
api_key => $schleuder::cli_api_key,
tls_fingerprint => $schleuder::tls_fingerprint,
host => $schleuder::api_host,
......@@ -72,7 +72,7 @@ class schleuder::base {
# export data as fragment, so it can be collected somewhere else
if $schleuder::tls_fingerprint and $schleuder::export_tls_fingerprint {
@@concat::fragment{
"schleuder-tls-fingerprint-${fqdn}":
"schleuder-tls-fingerprint-${facts['fqdn']}":
target => '/tmp/some_path_for_tls_fingerprint',
content => $schleuder::tls_fingerprint,
order => '050';
......@@ -80,10 +80,28 @@ class schleuder::base {
}
if $schleuder::web_api_key and $schleuder::export_web_api_key {
@@concat::fragment{
"schleuder-web-api-key-${fqdn}":
"schleuder-web-api-key-${facts['fqdn']}":
target => '/tmp/some_path_for_web_api_key',
content => $schleuder::web_api_key,
order => '050';
}
}
if $schleuder::gpg_use_tor {
include ::tor::daemon
file{
'/var/lib/schleuder/.gnupg':
ensure => directory,
owner => 'schleuder',
group => 'schleuder',
mode => '0600',
require => Package['schleuder'];
'/var/lib/schleuder/.gnupg/dirmngr.conf':
content => template('schleuder/dirmngr.conf.erb'),
owner => 'schleuder',
group => 'schleuder',
mode => '0600',
require => Service['tor'],
}
}
}
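Review bot: `mode => '0600'` on the `/var/lib/schleuder/.gnupg` directory resource will not produce 0600 on disk: when a numeric mode is given for a directory, Puppet sets the search (execute) bit wherever the read bit is set, so the effective mode is 0700. Writing `mode => '0700'` for the directory states what is actually applied, while the 0600 on `dirmngr.conf` is right as is. The `require => Service['tor']` on `dirmngr.conf` orders a config file after a running service; if the intent is only that the Tor module has been applied before dirmngr is first used, `Class['tor::daemon']` (included just above) may express that more directly, but that is a judgement call.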
# manage schleuder-gitlab-ticketing config
class schleuder::gitlab_ticketing(
Array[String] $subject_filters = [],
Array[String] $sender_filters = [],
Optional[
Struct[{endpoint => String, token => String }]
] $gitlab = undef,
Hash[String,
Struct[{
Optional[gitlab] => Struct[{
Optional[endpoint] => String,
Optional[token] => String, }],
project => String,
namespace => String,
Optional[ticket_prefix] => String,
Optional[subject_filters] => Array[String],
Optional[sender_filters] => Array[String],
}]] $lists = {},
){
file{'/etc/schleuder/gitlab.yml': }
if !empty($lists) {
File['/etc/schleuder/gitlab.yml']{
content => template('schleuder/gitlab_ticketing/config.yml.erb'),
owner => root,
group => 'schleuder',
mode => '0640',
require => Package['schleuder'],
before => Service['schleuder-api-daemon'],
}
} else {
File['/etc/schleuder/gitlab.yml']{
ensure => absent,
}
}
}
......@@ -24,13 +24,15 @@ class schleuder(
$lists = {},
$web_api_key = undef,
$export_web_api_key = false,
$gpg_use_tor = false,
$gpg_keyserver = undef,
) {
case $operatingsystem {
'CentOS': { include schleuder::centos }
default: { include schleuder::base }
case $facts['operatingsystem'] {
'CentOS': { include ::schleuder::centos }
default: { include ::schleuder::base }
}
if $use_shorewall and $api_host != 'localhost' {
include schleuder::shorewall
include ::schleuder::shorewall
}
create_resources('schleuder::list',$lists)
......@@ -16,6 +16,18 @@ define schleuder::list(
ensure => $ensure,
}
if $ensure == present {
if $schleuder::gpg_use_tor {
$parts = split($name,'@')
# every gnupg homedir needs this config
file{"/var/lib/schleuder/lists/${parts[1]}/${parts[0]}/dirmngr.conf":
source => '/var/lib/schleuder/.gnupg/dirmngr.conf',
owner => 'schleuder',
group => 'schleuder',
mode => '0600',
require => Schleuder_list[$name],
}
}
if "${admin_publickey}" =~ /^\// {
$real_admin_publickey = $admin_publickey
} else {
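Review bot: The per-list `dirmngr.conf` resource inside `if $schleuder::gpg_use_tor` takes `source => '/var/lib/schleuder/.gnupg/dirmngr.conf'`, a file that is itself managed in `schleuder::base`, but nothing orders this resource after it; a local `source` path is not autorequired, so a first run can fail if the list resources are evaluated before that file has been written. Adding it to the dependency list closes the gap: `require => [Schleuder_list[$name], File['/var/lib/schleuder/.gnupg/dirmngr.conf']],`. `split($name,'@')` also assumes the title contains one `@`; a title without it leaves `${parts[1]}` undef and builds a path with an empty segment, so a guard such as `unless $name =~ /^[^@]+@[^@]+$/ { fail("schleuder::list title must be an address: ${name}") }` would fail early with a clear message. The define `schleuder::list` begins and ends outside this hunk.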
require 'spec_helper'
describe 'schleuder::gitlab_ticketing' do
let(:facts){
{
:operatingsystem => 'CentOS',
:puppetversion => ENV['PUPPET_VERSION'].nil? ? '5.0.0' : ENV['PUPPET_VERSION'],
:concat_basedir => '/tmp',
}
}
let(:pre_condition){
'Exec{ path => "/tmp" }
include schleuder'
}
context 'default' do
it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_file('/etc/schleuder/gitlab.yml').with_ensure('absent') }
end
context 'with params' do
let(:params) {
{
:subject_filters => [
"Encrypt certificate expiration notice",
'Mailman.* post from .* requires approval',
'Uncaught bounce notification',
],
:lists => {
'schleuder@example.com' => {
'project' => 'tickets',
'namespace' => 'group',
'ticket_prefix' => 'tg',
'gitlab' => {
'endpoint' => 'https://gitlab.example.com/api/v4',
'token' => 'hababa',
}
}
}
}
}
it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_file('/etc/schleuder/gitlab.yml').with_content("---
subject_filters:
- 'Encrypt certificate expiration notice'
- 'Mailman.* post from .* requires approval'
- 'Uncaught bounce notification'
sender_filters: []
lists:
'schleuder@example.com':
project: 'tickets'
namespace: 'group'
ticket_prefix: 'tg'
gitlab:
endpoint: 'https://gitlab.example.com/api/v4'
token: 'hababa'
") }
end
end
use-tor
keyserver hkp://jirk5u4osbsr34t5.onion
---
<% if !@subject_filters.empty? -%>
subject_filters:
<% @subject_filters.sort.each do |f| -%>
- '<%= f %>'
<% end
else -%>
subject_filters: []
<% end -%>
<% if !@sender_filters.empty? -%>
sender_filters:
<% @sender_filters.sort.each do |f| -%>
- '<%= f %>'
<% end
else -%>
sender_filters: []
<% end -%>
<% if @gitlab -%>
gitlab:
endpoint: '<%= @gitlab['endpoint'] %>'
token: '<%= @gitlab['token'] %>'
<% end -%>
lists:
<% @lists.keys.sort.each do |l| -%>
'<%= l %>':
<% ['project','namespace','ticket_prefix'].each do |v|
if @lists[l][v] -%>
<%= v %>: '<%= @lists[l][v] %>'
<% end
end
if @lists[l]['subject_filters'] -%>
subject_filters:
<% @lists[l]['subject_filters'].sort.each do |f| -%>
- '<%= f %>'
<% end
end
if @lists[l]['sender_filters'] -%>
sender_filters:
<% @lists[l]['sender_filters'].sort.each do |f| -%>
- '<%= f %>'
<% end
end
if @lists[l]['gitlab'] -%>
gitlab:
endpoint: '<%= @lists[l]['gitlab']['endpoint'] %>'
token: '<%= @lists[l]['gitlab']['token'] %>'
<% end
end -%>
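Review bot: Every value in this template is written into a single-quoted YAML scalar verbatim (`- '<%= f %>'`, `token: '<%= @gitlab['token'] %>'`, and the same pattern inside the per-list loop), so a filter or token containing a `'` terminates the scalar early and the rest of the document parses differently or not at all. The subject and sender filters are regular expressions, where a quote is a plausible character. Doubling the quote, which is YAML's escape inside single-quoted scalars, keeps the file well-formed for any input, e.g. `- '<%= f.gsub("'", "''") %>'` at each interpolation; the spec pins the exact rendered text, so its expected output would stay unchanged for the current inputs.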
......@@ -16,10 +16,25 @@ log_level: warn
#keyserver: hkps://hkps.pool.sks-keyservers.net
# If you have gnupg 2.1 and TOR running locally, use a onion-keyserver:
#keyserver: hkp://jirk5u4osbsr34t5.onion
# If you have an OS-wide defined keyserver, specify a blank value to have that
# one used:
#keyserver:
# The default works for all supported versions of gnupg:
keyserver: pool.sks-keyservers.net
#keyserver: pool.sks-keyservers.net
keyserver: <%= if scope['schleuder::gpg_keyserver']
scope['schleuder::gpg_keyserver']
elsif scope['schleuder::gpg_use_tor']
'hkp://jirk5u4osbsr34t5.onion'
else
'pool.sks-keyservers.net'
end %>
# who receives global schleuder notifications
# Who is maintaining the overall schleuder installation and should be
# notified about severe problems with lists.
# This address should be a postmaster-like account, especially it should
# not be another schleuder list.
# Is also used as an envelope sender of admin notifications.
superadmin: <%= scope['schleuder::superadmin'] %>
# For these options see documentation for ActionMailer::smtp_settings, e.g. <http://api.rubyonrails.org/classes/ActionMailer/Base.html>.
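Review bot: The inline `<%= if … end %>` for `keyserver:` spreads a three-way decision across seven template lines and leaves the precedence undocumented: an explicitly set `schleuder::gpg_keyserver` wins even when `schleuder::gpg_use_tor` is true, so an operator who enables Tor but keeps a clearnet keyserver in hiera gets the clearnet one here, and whether that lookup still goes through Tor then depends on the generated dirmngr.conf rather than on this setting. A template comment above the line, e.g. `# an explicit gpg_keyserver overrides the Tor onion default`, makes that visible. Computing the choice once in the manifest and rendering a single variable would read more clearly, though that touches the class outside this hunk.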