changeset 256:0ebd8efeef04

Merge Puppet divergences and fix SSL chain issues it caused
author IBBoard <dev@ibboard.co.uk>
date Sun, 29 Dec 2019 15:31:28 +0000
parents d4b2bdfe47a6 (diff) 47750947f4dc (current diff)
children 241fbf45e6f3
files manifests/templates.pp modules/mysql/lib/puppet/parser/functions/mysql_deepmerge.rb modules/mysql/lib/puppet/parser/functions/mysql_dirname.rb modules/mysql/lib/puppet/parser/functions/mysql_strip_hash.rb modules/mysql/spec/acceptance/nodesets/centos-510-x64.yml modules/mysql/spec/acceptance/nodesets/centos-59-x64.yml modules/mysql/spec/acceptance/nodesets/centos-64-x64-pe.yml modules/mysql/spec/acceptance/nodesets/centos-65-x64.yml modules/mysql/spec/acceptance/nodesets/default.yml modules/mysql/spec/acceptance/nodesets/fedora-18-x64.yml modules/mysql/spec/acceptance/nodesets/sles-11-x64.yml modules/mysql/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml modules/mysql/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml modules/mysql/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml modules/mysql/spec/spec.opts modules/mysql/spec/unit/puppet/functions/mysql_deepmerge_spec.rb modules/private/manifests modules/private/templates/apache modules/website/manifests/https.pp modules/website/manifests/https/redir.pp modules/website/manifests/init.pp
diffstat 6 files changed, 23 insertions(+), 14 deletions(-) [+]
line wrap: on
line diff
--- a/common/fail2ban/ibb-sshd-bad-user.conf	Sun Dec 22 09:41:45 2019 -0500
+++ b/common/fail2ban/ibb-sshd-bad-user.conf	Sun Dec 29 15:31:28 2019 +0000
@@ -10,7 +10,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = Failed password for invalid user ([0-9]+|[0-9a-z][0-9a-z]?|([0-9a-z])\2{2,}|abc123|abused|adm|admin[0-9]+|administrateur|administracion|altibase|alumni|amavisd?|anwenderschnittstelle|anonymous|ansible|aptproxy|arkserver|asterisk|avis|backlog|backup(s|er|pc|user)?|bf2|bitnami|bitrix|boinc|botmaster|build|buscador|cacti(user)?|catchall|cemergen|chef|cinema|cliente?[0-9]*|clouduser|com|comercial|control|cpanel|create|cron|(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?|cyrus|daemon|danger|debian|dell|deploy(er)?|desktop|devteam|dietpi|django|dotblot|download|easy|ec2-user|edu(cation)?[0-9]*|e-shop|engin(eer)?|events|exports?|facebook|factorio|fax|filter|fuser|games|gdm|geniuz|ggc_user|ghost|git(olite?|blit|lab(_ci)?)?|gmail|guest|hadoop|harvard|helpdesk|httpd?|huawei|iceuser|imscp|info(rmix)?|java|jboss|jira|jsboss|kafka|kodi|library|libsys|linode|linux|login|logout|mailer|mailman|majordomo|man|mantis|marketing|master|minecraft|modem|mongo(db|user)|monitor|more|moher|mpiuser|musi[ck]bot|(my|pg)sq(ue)?l|nagios|nasa|netdump|netzplatz|newadmin|nexus|(nfs)?nobody|noc|nothing|NpC|nux|odoo|odroid|onyxeye|openbravo|openvpn|operador|operator|ops(code)?|oprofile|ora(cle|prod)|osmc|papernet|password|payments|pay_?pal|pentaho|PlcmSpIp(PlcmSpIp)?|postfix|postgres|print|privoxy|puppet|qhsupport|rabbit(mq)?|radiusd?|redis|redmine|root[0-9]+|rpc(user)?|rtorrent|sales[0-9]+|s?bin|(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*|saslauth|scaner|screen|search|setup|service|(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*|shop|sinusbot|smmsp|socket|software|splunk|squid|squirrelmail|sshusr|staffc|steam(cmd)?|superuser|support|svnroot|sysadmin|system|teamspeak3?|telkom|test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?|(test)?username|tomcat|tools|toor|ts[23](serv(er)?|(musi[ck])?bot)?|tunstall|ubnt|ubuntu|upload|unity|USERID|user[0-9]*|usuario|uucp|vagrant|vbox|ventrilo|vhbackup|virusalter|vmadmin|vmail|vyatta|weblogic|webmaster|WinD3str0y|wp-?user|write|www|(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)|xbian|xoadmin|yahoo|zabbix|zimbra|zookeeper|0fordn1on@#\$%%\^&|P@\$\$w0rd|pass123?4?)? from <HOST> port [0-9]+ ssh2
+failregex = Failed password for invalid user ([0-9]+|[0-9a-z][0-9a-z]?|([0-9a-z])\2{2,}|abc123|abused|adm|Admin|admin[0-9]+|administrateur|administracion|altibase|alumni|amavisd?|anwenderschnittstelle|anonymous|ansible|aptproxy|arkserver|asterisk|avis|backlog|backup(s|er|pc|user)?|bf2|bitnami|bitrix|boinc|botmaster|build|buscador|cacti(user)?|catchall|cemergen|chef|cinema|cliente?[0-9]*|clouduser|com|comercial|control|cpanel|create|cron|(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?|cyrus|daemon|danger|debian|dell|deploy(er)?|desktop|devteam|dietpi|django|dotblot|download|dovecot|easy|ec2-user|edu(cation)?[0-9]*|e-shop|engin(eer)?|events|exports?|facebook|factorio|fax|filter|fuser|games|gdm|geniuz|ggc_user|ghost|git(olite?|blit|lab(_ci)?)?|gmail|guest|hacker|hadoop|harvard|helpdesk|home|host|httpd?|huawei|iceuser|imscp|info(rmix)?|java|jboss|jira|jsboss|kafka|kodi|library|libsys|linode|linux|login|logout|mailer|mailman|majordomo|man|mantis|marketing|master|minecraft|modem|mongo(db|user)|monitor|more|moher|mpiuser|musi[ck]bot|(my|pg)sq(ue)?l|nagios|nasa|netdump|netzplatz|newadmin|nexus|(nfs)?nobody|noc|nothing|NpC|nux|odoo|odroid|onyxeye|openbravo|openvpn|operador|operator|ops(code)?|oprofile|ora(cle|prod)|osmc|papernet|password|payments|pay_?pal|pentaho|PlcmSpIp(PlcmSpIp)?|postfix|postgres|print|privoxy|puppet|qhsupport|rabbit(mq)?|radiusd?|redis|redmine|root[0-9]+|rpc(user)?|RPM|rtorrent|sales[0-9]+|s?bin|(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*|saslauth|scaner|screen|search|setup|service|(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*|shop|sinusbot|smmsp|socket|software|splunk|squid|squirrelmail|sshusr|staffc|steam(cmd)?|superuser|support|svnroot|sysadmin|system|teamspeak3?|telkom|test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?|(test)?username|text|tomcat|tools|toor|ts[23](serv(er)?|(musi[ck])?bot)?|tunstall|ubnt|ubuntu|upload|unity|USERID|user[0-9]*|usuario|uucp|vagrant|vbox|ventrilo|vhbackup|virusalter|vmadmin|vmail|vyatta|weblogic|webmaster|WinD3str0y|wp-?user|write|www|(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)|xbian|xoadmin|yahoo|zabbix|zimbra|zookeeper|0fordn1on@#\$%%\^&|P@\$\$w0rd|pass123?4?)? from <HOST> port [0-9]+ ssh2
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/manifests/templates.pp	Sun Dec 22 09:41:45 2019 -0500
+++ b/manifests/templates.pp	Sun Dec 29 15:31:28 2019 +0000
@@ -802,7 +802,7 @@
 	}
 	# Notify of available updates
 	cron { 'check-yum-updates':
-		command => '/usr/bin/yum check-updates | tail -2 | grep -Ev "^ \* \w+: \w+"',
+		command => '/usr/bin/yum check-updates | tail -2 | grep -Ev "^ \* [[:alnum:]-]+: [[:alnum:]\.]+$"',
 		hour => '4',
 		minute => '30',
 		weekday => '0-6/3', #Sunday, Wednesday and Saturday morning
--- a/modules/website/manifests/https.pp	Sun Dec 22 09:41:45 2019 -0500
+++ b/modules/website/manifests/https.pp	Sun Dec 29 15:31:28 2019 +0000
@@ -106,7 +106,10 @@
     $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
   }
 
-  if $ssl_ca_chain != '' {
+  if $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
+    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
+    $ssl_chain = undef
+  } elsif $ssl_ca_chain != undef {
     $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
     if ! defined(File[$ssl_chain]) {
       file { $ssl_chain:
@@ -115,9 +118,6 @@
         notify  => Service['httpd'],
       }
     }
-  } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
-    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
-    $ssl_chain = undef
   } elsif $letsencrypt_name != undef {
     $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem"
   } else {
--- a/modules/website/manifests/https/redir.pp	Sun Dec 22 09:41:45 2019 -0500
+++ b/modules/website/manifests/https/redir.pp	Sun Dec 29 15:31:28 2019 +0000
@@ -71,7 +71,10 @@
     $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
   }
 
-  if $ssl_ca_chain != '' {
+  if $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
+    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
+    $ssl_chain = undef
+  } elsif $ssl_ca_chain != undef {
     $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
     if ! defined(File[$ssl_chain]) {
       file { $ssl_chain:
@@ -80,9 +83,6 @@
         notify  => Service['httpd'],
       }
     }
-  } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
-    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
-    $ssl_chain = undef
   } elsif $letsencrypt_name != undef {
     $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem"
   } else {
--- a/modules/website/manifests/init.pp	Sun Dec 22 09:41:45 2019 -0500
+++ b/modules/website/manifests/init.pp	Sun Dec 29 15:31:28 2019 +0000
@@ -48,7 +48,10 @@
   }
   apache::mod {
     'rewrite':;
-    'expires':; 'setenvif':; 'headers':;
+    'expires':;
+    'env':;
+    'setenvif':;
+    'headers':;
     'version':;
   }
 
@@ -132,7 +135,13 @@
       hour => '*/12',
       minute => '21',
     }
+    if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 {
+      $certbot_package = 'python3-certbot-apache'
+    } else {
+      $certbot_package = 'python2-certbot-apache'
+    }
     package { 'python-certbot-apache':
+      name => $certbot_package,
       ensure => installed,
     }
   }
--- a/modules/website/templates/https_core_conf.erb	Sun Dec 22 09:41:45 2019 -0500
+++ b/modules/website/templates/https_core_conf.erb	Sun Dec 29 15:31:28 2019 +0000
@@ -1,9 +1,9 @@
 Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
 Header always set Content-Security-Policy "upgrade-insecure-requests; <%= @csp_string %>"
 Header always set Content-Security-Policy-Report-Only "<%= @csp_report_string %>"
-Header set X-Xss-Protection "1; mode=block"
-Header set X-Content-Type-Options "nosniff"
-Header set X-Frame-Options "SAMEORIGIN"
+Header always set X-Xss-Protection "1; mode=block"
+Header always set X-Content-Type-Options "nosniff"
+Header always set X-Frame-Options "SAMEORIGIN"
 
 RewriteCond %{HTTP_HOST} !=<%= @primary_name %>
 RewriteRule ^(.*)$ https://<%= @primary_name %>$1 [R=301,L]