paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-23 04:52:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

[manual] Move puppet modules to the top level

Browse Source 
The new puppet.conf file has to be moved into place manually.

(imported from commit 253d9a95386dae8c803a998ce2dc7e8be40c880a)
This commit is contained in:
Zev Benjamin
2013-10-29 19:20:04 -04:00
parent 8ca76ba13f
commit dd678465ae
210 changed files with 12 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
puppet/apt Symbolic link
View File

@@ -0,0 +1 @@
puppet-apt/

1
puppet/common Symbolic link
View File

@@ -0,0 +1 @@
puppet-common/

674
puppet/puppet-apt/LICENSE Normal file
View File

@@ -0,0 +1,674 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<http://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<http://www.gnu.org/philosophy/why-not-lgpl.html>.

8
puppet/puppet-apt/Modulefile Normal file
View File

@@ -0,0 +1,8 @@
name 'camptocamp-apt'
version '0.0.2'
source 'https://github.com/camptocamp/puppet-apt'
author 'DevOps Team / Camptocamp'
license 'GNU GPLv3'
summary 'Camptocamp Apt Module'
description 'APT Module for Puppet'
project_page 'https://github.com/camptocamp/puppet-apt'

98
puppet/puppet-apt/README.md Normal file
View File

@@ -0,0 +1,98 @@
# Apt module for Puppet
**Manages apt configuration under Debian or Ubuntu.**
This module is provided by [Camptocamp](http://www.camptocamp.com/)
## Classes
* apt
* apt::backports
* apt::clean
* apt::params
* apt::unattended-upgrade
* apt::unattended-upgrade::automatic
### apt::clean
Variables
* **$apt\_clean\_minutes**: cronjob minutes - default uses fqdn\_rand()
* **$apt\_clean\_hours** : cronjob hours - default to 0
* **$apt\_clean\_mday** : cronjob monthday - default uses fqdn\_rand()
## Definitions
* apt::conf
* apt::key
* apt::ppa
* apt::preferences
* apt::sources\_list
### apt::conf
apt::conf{'99unattended-upgrade':
ensure => present,
content => "APT::Periodic::Unattended-Upgrade \"1\";\n",
}
### apt::key
apt::key {"A37E4CF5":
source => "http://dev.camptocamp.com/packages/debian/pub.key",
}
apt::key {"997D3880":
keyserver => "keyserver.ubuntu.com",
}
### apt::ppa
apt::ppa {'chris-lea':
ensure => present,
key => 'C7917B12',
ppa => 'node.js'
}
### apt::preferences
apt::preferences {"${lsbdistcodename}-backports":
ensure => present,
package => '*',
pin => "release a=${lsbdistcodename}-backports",
priority => 400,
}
### apt::sources\_list
apt::sources_list {"camptocamp":
ensure => present,
content => 'deb http://dev.camptocamp.com/packages/ etch puppet',
}
## Contributing
Please report bugs and feature request using [GitHub issue
tracker](https://github.com/camptocamp/puppet-apt/issues).
For pull requests, it is very much appreciated to check your Puppet manifest
with [puppet-lint](https://github.com/camptocamp/puppet-apt/issues) to follow the recommended Puppet style guidelines from the
[Puppet Labs style guide](http://docs.puppetlabs.com/guides/style_guide.html).
## License
Copyright (c) 2012 <mailto:puppet@camptocamp.com> All rights reserved.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

4
puppet/puppet-apt/files/10periodic Normal file
View File

@@ -0,0 +1,4 @@
// Unattended-Upgrade::Mail "root";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "1";

0
puppet/puppet-apt/files/empty/.placeholder Normal file
View File

10
puppet/puppet-apt/lib/facter/apt_version.rb Normal file
View File

@@ -0,0 +1,10 @@
output = %x{apt-get -v 2>&1}
if $?.exitstatus and output.match(/apt (\d+\.\d+\.\d+).*/)
Facter.add("apt_version") do
setcode do
$1
end
end
end

23
puppet/puppet-apt/manifests/backports.pp Normal file
View File

@@ -0,0 +1,23 @@
class apt::backports ($priority = 400) {
$debian_mirror = 'http://backports.debian.org/debian-backports'
$ubuntu_mirror = 'http://archive.ubuntu.com/ubuntu'
$uri = $::operatingsystem ? {
Debian => "deb ${debian_mirror} ${::lsbdistcodename}-backports main contrib non-free\n",
Ubuntu => "deb ${ubuntu_mirror} ${::lsbdistcodename}-backports main universe multiverse restricted\n",
}
apt::sources_list{'backports':
ensure => present,
content => $uri,
}
apt::preferences {"${::lsbdistcodename}-backports":
ensure => present,
package => '*',
pin => "release a=${::lsbdistcodename}-backports",
priority => $priority,
}
}

23
puppet/puppet-apt/manifests/clean.pp Normal file
View File

@@ -0,0 +1,23 @@
# == Class: apt::clean
#
# Create a cronjob which will run "apt-get clean" once a month.
#
# === Variables
#
# *$apt_clean_minutes*: cronjob minutes - default uses fqdn_rand()
# *$apt_clean_hours*: cronjob hours - default to 0
# *$apt_clean_mday*: cronjob monthday - default uses fqdn_rand()
#
class apt::clean {
$minutes = $apt_clean_minutes? {'' => fqdn_rand(60), default => $apt_clean_minutes }
$hours = $apt_clean_hours? {'' => '0' , default => $apt_clean_hours }
$monthday = $apt_clean_mday? {'' => fqdn_rand(29), default => $apt_clean_mday }
cron {'cleanup APT cache - prevents diskfull':
ensure => present,
command => 'apt-get clean',
hour => $hours,
minute => $minutes,
monthday => $monthday,
}
}

19
puppet/puppet-apt/manifests/conf.pp Normal file
View File

@@ -0,0 +1,19 @@
define apt::conf($ensure, $content = false, $source = false) {
if $content {
file {"/etc/apt/apt.conf.d/${name}":
ensure => $ensure,
content => $content,
before => Exec['apt-get_update'],
notify => Exec['apt-get_update'],
}
}
if $source {
file {"/etc/apt/apt.conf.d/${name}":
ensure => $ensure,
source => $source,
before => Exec['apt-get_update'],
notify => Exec['apt-get_update'],
}
}
}

50
puppet/puppet-apt/manifests/init.pp Normal file
View File

@@ -0,0 +1,50 @@
class apt {
include apt::params
Package {
require => Exec['apt-get_update']
}
# apt support preferences.d since version >= 0.7.22
if versioncmp($::apt_version, '0.7.22') >= 0 {
file {'/etc/apt/preferences':
ensure => absent,
}
file {'/etc/apt/preferences.d':
ensure => directory,
owner => root,
group => root,
mode => '0755',
recurse => $apt::params::manage_preferences,
purge => $apt::params::manage_preferences,
force => $apt::params::manage_preferences,
}
}
package {$apt::params::keyring_package:
ensure => present,
}
# ensure only files managed by puppet be present in this directory.
file {'/etc/apt/sources.list.d':
ensure => directory,
source => 'puppet:///modules/apt/empty/',
recurse => $apt::params::manage_sourceslist,
purge => $apt::params::manage_sourceslist,
force => $apt::params::manage_sourceslist,
ignore => $apt::params::ignore_sourceslist,
}
apt::conf {'10periodic':
ensure => present,
source => 'puppet:///modules/apt/10periodic',
}
exec {'apt-get_update':
command => 'apt-get update',
refreshonly => true,
}
}

43
puppet/puppet-apt/manifests/key.pp Normal file
View File

@@ -0,0 +1,43 @@
define apt::key (
$keyserver = 'pgp.mit.edu',
$ensure = present,
$source = '',
$content = ''
) {
case $ensure {
present: {
if $content == '' {
if $source == '' {
$thekey = "gpg --keyserver ${keyserver} --recv-key '${name}' && gpg --export --armor '${name}'"
}
else {
$thekey = "wget -O - '${source}'"
}
}
else {
$thekey = "echo '${content}'"
}
exec { "import gpg key ${name}":
command => "${thekey} | apt-key add -",
unless => "apt-key list | grep -Fqe '${name}'",
before => Exec['apt-get_update'],
notify => Exec['apt-get_update'],
}
}
absent: {
exec {"apt-key del ${name}":
onlyif => "apt-key list | grep -Fqe '${name}'",
}
}
default: {
fail "Invalid 'ensure' value '${ensure}' for apt::key"
}
}
}

23
puppet/puppet-apt/manifests/params.pp Normal file
View File

@@ -0,0 +1,23 @@
class apt::params {
$manage_preferences = $apt_manage_preferences ? {
'' => true,
default => $apt_manage_preferences,
}
$manage_sourceslist = $apt_manage_sourceslist ? {
'' => true,
default => $apt_manage_sourceslist,
}
$ignore_sourceslist = $apt_ignore_sourceslist ? {
'' => '.placeholder',
default => $apt_ignore_sourceslist,
}
$keyring_package = $::lsbdistid ? {
Debian => ['debian-keyring', 'debian-archive-keyring'],
Ubuntu => 'ubuntu-keyring',
}
}

23
puppet/puppet-apt/manifests/ppa.pp Normal file
View File

@@ -0,0 +1,23 @@
define apt::ppa (
$key,
$ensure = present,
$ppa ='ppa'
) {
apt::key {$key:
ensure => $ensure,
}
$ppa_name = inline_template("<%=
if ppa.is_a?(Array)
ppa.join('-')
else
ppa
end %>")
apt::sources_list {"${name}-${ppa_name}-${lsbdistcodename}":
ensure => $ensure,
content => template('apt/ppa-list.erb'),
}
}

23
puppet/puppet-apt/manifests/preferences.pp Normal file
View File

@@ -0,0 +1,23 @@
define apt::preferences($ensure="present", $package="", $pin, $priority) {
$pkg = $package ? {
"" => $name,
default => $package,
}
$fname = regsubst($name, '\.', '-', 'G')
# apt support preferences.d since version >= 0.7.22
if versioncmp($::apt_version, '0.7.22') >= 0 {
file {"/etc/apt/preferences.d/$fname":
ensure => $ensure,
owner => root,
group => root,
mode => 644,
content => template("apt/preferences.erb"),
before => Exec["apt-get_update"],
notify => Exec["apt-get_update"],
}
}
}

23
puppet/puppet-apt/manifests/sources_list.pp Normal file
View File

@@ -0,0 +1,23 @@
define apt::sources_list (
$ensure = present,
$source = false,
$content = false
) {
if $source {
file {"/etc/apt/sources.list.d/${name}.list":
ensure => $ensure,
source => $source,
before => Exec['apt-get_update'],
notify => Exec['apt-get_update'],
}
} else {
file {"/etc/apt/sources.list.d/${name}.list":
ensure => $ensure,
content => $content,
before => Exec['apt-get_update'],
notify => Exec['apt-get_update'],
}
}
}

5
puppet/puppet-apt/manifests/unattended-upgrade.pp Normal file
View File

@@ -0,0 +1,5 @@
class apt::unattended-upgrade {
package {'unattended-upgrades':
ensure => present,
}
}

18
puppet/puppet-apt/manifests/unattended-upgrade/automatic.pp Normal file
View File

@@ -0,0 +1,18 @@
class apt::unattended-upgrade::automatic inherits apt::unattended-upgrade {
apt::conf{'99unattended-upgrade':
ensure => present,
content => "APT::Periodic::Unattended-Upgrade \"1\";\n",
}
$dist = $::lsbdistid? {
Debian => $::lsbdistcodename,
default => $::lsbdistid,
}
apt::conf{'50unattended-upgrades':
ensure => present,
content => template("apt/unattended-upgrades.${dist}.erb"),
}
}

4
puppet/puppet-apt/templates/ppa-list.erb Normal file
View File

@@ -0,0 +1,4 @@
<% ppa.each do |one_ppa| %>
deb http://ppa.launchpad.net/<%= name %>/<%= one_ppa %>/ubuntu <%= lsbdistcodename %> main
deb-src http://ppa.launchpad.net/<%= name %>/<%= one_ppa %>/ubuntu <%= lsbdistcodename %> main
<% end %>

5
puppet/puppet-apt/templates/preferences.erb Normal file
View File

@@ -0,0 +1,5 @@
# file managed by puppet
Package: <%= pkg %>
Pin: <%= pin %>
Pin-Priority: <%= priority %>

8
puppet/puppet-apt/templates/unattended-upgrades.Ubuntu.erb Normal file
View File

@@ -0,0 +1,8 @@
Unattended-Upgrade::Allowed-Origins {
"Ubuntu <%= lsbdistcodename %>-security";
"Ubuntu <%= lsbdistcodename %>-updates";
"Ubuntu <%= lsbdistcodename %>";
"Canonical <%= lsbdistcodename %>";
};
Dpkg::Options { "--force-confold"; }

6
puppet/puppet-apt/templates/unattended-upgrades.lenny.erb Normal file
View File

@@ -0,0 +1,6 @@
// file managed by puppet
Unattended-Upgrade::Allowed-Origins {
"Debian oldstable";
};
Dpkg::Options { "--force-confold"; }

7
puppet/puppet-apt/templates/unattended-upgrades.squeeze.erb Normal file
View File

@@ -0,0 +1,7 @@
// file managed by puppet
Unattended-Upgrade::Allowed-Origins {
"Debian stable";
"Debian squeeze-security";
};
Dpkg::Options { "--force-confold"; }

30
puppet/puppet-common/README Normal file
View File

@@ -0,0 +1,30 @@
puppet module common
====================
written by David Schmitt
Copyright (C) 2007 David Schmitt
<david@schmitt.edv-bus.at>
adapted by immerda project group
admin+puppet(at)immerda.ch
#################################################
The common module installs various functions that are
required by other modules. This module should be
installed before any of the other module.
To use this module, follow these directions:
1. Your modules directory will need all the files
included in this repository placed under a directory
called "common"
2. Add the following line to manifests/site.pp:
import "modules.pp"
3. Add the following line to manifests/modules.pp:
import "common"

1
puppet/puppet-common/files/empty/.ignore Normal file
View File

@@ -0,0 +1 @@
# A placeholder to nail this directory into git

1
puppet/puppet-common/files/modules/README Normal file
View File

@@ -0,0 +1 @@
this directory contains various data collected for system wide configurations

16
puppet/puppet-common/lib/puppet/parser/functions/basename.rb Normal file
View File

@@ -0,0 +1,16 @@
# basename(string) : string
# basename(string[]) : string[]
#
# Returns the last component of the filename given as argument, which must be
# formed using forward slashes (``/..) regardless of the separator used on the
# local file system.
module Puppet::Parser::Functions
newfunction(:basename, :type => :rvalue) do |args|
if args[0].is_a?(Array)
args.collect do |a| File.basename(a) end
else
File.basename(args[0])
end
end
end

16
puppet/puppet-common/lib/puppet/parser/functions/dirname.rb Normal file
View File

@@ -0,0 +1,16 @@
# dirname(string) : string
# dirname(string[]) : string[]
#
# Returns all components of the filename given as argument except the last
# one. The filename must be formed using forward slashes (``/..) regardless of
# the separator used on the local file system.
module Puppet::Parser::Functions
newfunction(:dirname, :type => :rvalue) do |args|
if args[0].is_a?(Array)
args.collect do |a| File.dirname(a) end
else
File.dirname(args[0])
end
end
end

17
puppet/puppet-common/lib/puppet/parser/functions/gsub.rb Normal file
View File

@@ -0,0 +1,17 @@
module Puppet::Parser::Functions
# thin wrapper around the ruby gsub function
# gsub($string, $pattern, $replacement) will replace all occurrences of
# $pattern in $string with $replacement. $string can be either a singel
# value or an array. In the latter case, each element of the array will
# be processed in turn.
newfunction(:gsub, :type => :rvalue) do |args|
if args[0].is_a?(Array)
args[0].collect do |val|
val.gsub(/#{args[1]}/, args[2])
end
else
args[0].gsub(/#{args[1]}/, args[2])
end
end
end

13
puppet/puppet-common/lib/puppet/parser/functions/hostname.rb Normal file
View File

@@ -0,0 +1,13 @@
# get an uniq array of ipaddresses for a hostname
require 'resolv'
module Puppet::Parser::Functions
newfunction(:hostname, :type => :rvalue) do |args|
res = Array.new
Resolv::DNS.new.each_address(args[0]){ |addr|
res << addr
}
res.uniq
end
end

12
puppet/puppet-common/lib/puppet/parser/functions/network_lookup.rb Normal file
View File

@@ -0,0 +1,12 @@
module Puppet::Parser::Functions
newfunction(:network_lookup, :type => :rvalue) do |args|
case args[0]
when "ip" then
IPSocket::getaddress(lookupvar('fqdn'))
when "netmask" then
"255.255.255.0"
when "gateway" then
IPSocket::getaddress(lookupvar('fqdn')).gsub(/\.\d+$/, '.1')
end
end
end

9
puppet/puppet-common/lib/puppet/parser/functions/prefix_with.rb Normal file
View File

@@ -0,0 +1,9 @@
# prefix arguments 2..n with first argument
module Puppet::Parser::Functions
newfunction(:prefix_with, :type => :rvalue) do |args|
prefix = args.shift
args.collect {|v| "%s%s" % [prefix, v] }
end
end

7
puppet/puppet-common/lib/puppet/parser/functions/re_escape.rb Normal file
View File

@@ -0,0 +1,7 @@
# apply regexp escaping to a string
module Puppet::Parser::Functions
newfunction(:re_escape, :type => :rvalue) do |args|
Regexp.escape(args[0])
end
end

7
puppet/puppet-common/lib/puppet/parser/functions/slash_escape.rb Normal file
View File

@@ -0,0 +1,7 @@
# escape slashes in a String
module Puppet::Parser::Functions
newfunction(:slash_escape, :type => :rvalue) do |args|
args[0].gsub(/\//, '\\/')
end
end

17
puppet/puppet-common/lib/puppet/parser/functions/split.rb Normal file
View File

@@ -0,0 +1,17 @@
# split($string, $delimiter) : $string
# split($string[], $delimiter) : $string[][]
#
# Split the first argument(s) on every $delimiter. $delimiter is interpreted as
# Ruby regular expression.
#
# For long-term portability it is recommended to refrain from using Ruby's
# extended RE features.
module Puppet::Parser::Functions
newfunction(:split, :type => :rvalue) do |args|
if args[0].is_a?(Array)
args.collect do |a| a.split(/#{args[1]}/) end
else
args[0].split(/#{args[1]}/)
end
end
end

20
puppet/puppet-common/lib/puppet/parser/functions/substitute.rb Normal file
View File

@@ -0,0 +1,20 @@
# subsititute($string, $regex, $replacement) : $string
# subsititute($string[], $regex, $replacement) : $string[]
#
# Replace all ocurrences of $regex in $string by $replacement.
# $regex is interpreted as Ruby regular expression.
#
# For long-term portability it is recommended to refrain from using Ruby's
# extended RE features.
module Puppet::Parser::Functions
newfunction(:substitute, :type => :rvalue) do |args|
if args[0].is_a?(Array)
args[0].collect do |val|
val.gsub(/#{args[1]}/, args[2])
end
else
args[0].gsub(/#{args[1]}/, args[2])
end
end
end

19
puppet/puppet-common/lib/puppet/parser/functions/url_get.rb Normal file
View File

@@ -0,0 +1,19 @@
# Returns the content at given URL
module Puppet::Parser::Functions
newfunction(:url_get, :type => :rvalue) do |args|
require 'open-uri'
url = args[0]
begin
data = open(url, :proxy => nil)
# Ignore header
data.readline
data.readline.chomp
rescue OpenURI::HTTPError => error
fail "Fetching URL #{url} failed with status #{error.message}"
end
end
end

8
puppet/puppet-common/manifests/append_if_no_such_line.pp Normal file
View File

@@ -0,0 +1,8 @@
define common::append_if_no_such_line($file, $line, $refreshonly = 'false') {
exec { "/bin/echo '$line' >> '$file'":
unless => "/bin/grep -Fxqe '$line' '$file'",
path => "/bin",
refreshonly => $refreshonly,
subscribe => File[$file],
}
}

41
puppet/puppet-common/manifests/assert_lsbdistcodename.pp Normal file
View File

@@ -0,0 +1,41 @@
# common/manifests/classes/lsb_release.pp -- request the installation of
# lsb_release to get to lsbdistcodename, which is used throughout the manifests
#
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# Changelog:
# 2007-08-26: micah <micah@riseup.net> reported, that lsb_release can report
# nonsensical values for lsbdistcodename; assert_lsbdistcodename now
# recognises "n/a" and acts accordingly
# This lightweight class only asserts that $lsbdistcodename is set.
# If the assertion fails, an error is printed on the server
#
# To fail individual resources on a missing lsbdistcodename, require
# Exec[assert_lsbdistcodename] on the specific resource
class common::assert_lsbdistcodename {
case $lsbdistcodename {
'': {
err("Please install lsb_release or set facter_lsbdistcodename in the environment of $fqdn")
exec { "false # assert_lsbdistcodename": alias => assert_lsbdistcodename }
}
'n/a': {
case $operatingsystem {
"Debian": {
err("lsb_release was unable to report your distcodename; This seems to indicate a broken apt/sources.list on $fqdn")
}
default: {
err("lsb_release was unable to report your distcodename; please set facter_lsbdistcodename in the environment of $fqdn")
}
}
exec { "false # assert_lsbdistcodename": alias => assert_lsbdistcodename }
}
default: {
exec { "true # assert_lsbdistcodename": alias => assert_lsbdistcodename }
exec { "true # require_lsbdistcodename": alias => require_lsbdistcodename }
}
}
}

71
puppet/puppet-common/manifests/concatenated_file.pp Normal file
View File

@@ -0,0 +1,71 @@
# common/manifests/defines/concatenated_file.pp -- create a file from snippets
# stored in a directory
#
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# TODO:
# * create the directory in _part too
# Usage:
# concatenated_file { "/etc/some.conf":
# dir => "/etc/some.conf.d",
# }
# Use Exec["concat_$name"] as Semaphor
define common::concatenated_file (
# where the snippets are located
$dir = '',
# a file with content to prepend
$header = '',
# a file with content to append
$footer = '',
$mode = 0644, $owner = root, $group = 0
)
{
$dir_real = $dir ? { '' => "${name}.d", default => $dir }
if defined(File[$dir_real]) {
debug("${dir_real} already defined")
} else {
file {
$dir_real:
source => "puppet://$server/common/empty",
checksum => mtime,
ignore => '\.ignore',
recurse => true, purge => true, force => true,
mode => $mode, owner => $owner, group => $group,
notify => Exec["concat_${name}"];
}
}
file {
$name:
ensure => present, checksum => md5,
mode => $mode, owner => $owner, group => $group;
}
# if there is a header or footer file, add it
$additional_cmd = $header ? {
'' => $footer ? {
'' => '',
default => "| cat - '${footer}' "
},
default => $footer ? {
'' => "| cat '${header}' - ",
default => "| cat '${header}' - '${footer}' "
}
}
# use >| to force clobbering the target file
exec { "concat_${name}":
command => "/usr/bin/find ${dir_real} -maxdepth 1 -type f ! -name '*puppettmp' -print0 | sort -z | xargs -0 cat ${additional_cmd} >| ${name}",
refreshonly => true,
subscribe => [ File[$dir_real] ],
before => File[$name],
refreshonly => true,
subscribe => [ File[$dir_real] ],
before => File[$name],
alias => [ "concat_${dir_real}"] ,
}
}

16
puppet/puppet-common/manifests/concatenated_file_part.pp Normal file
View File

@@ -0,0 +1,16 @@
# Add a snippet called $name to the concatenated_file at $dir.
# The file can be referenced as File["cf_part_${name}"]
define common::concatenated_file_part (
$dir, $content = '', $ensure = present,
$mode = 0644, $owner = root, $group = 0
)
{
file { "${dir}/${name}":
ensure => $ensure, content => $content,
mode => $mode, owner => $owner, group => $group,
alias => "cf_part_${name}",
notify => Exec["concat_${dir}"],
}
}

91
puppet/puppet-common/manifests/concatfilepart.pp Normal file
View File

@@ -0,0 +1,91 @@
# Inspired by David Schmitt's concatenated_file.pp
define common::concatfilepart (
$ensure = present,
$file,
$content = false,
$source = false,
$manage = false
) {
# Resulting file
if defined(File[$file]) {
debug("${file} already defined")
} else {
file {$file:
ensure => present,
}
}
# Directory containing file parts
$dir = "${file}.d"
if defined(File[$dir]) {
debug("${dir} already defined")
} else {
file {$dir:
ensure => directory,
mode => 0600,
source => "puppet:///modules/common/empty/",
recurse => $manage,
purge => $manage,
force => $manage,
ignore => '.ignore',
}
}
if $notify {
if $content {
file {"${dir}/${name}":
ensure => $ensure,
content => $content,
mode => 0600,
notify => [Exec["${file} concatenation"], $notify],
}
} else {
file {"${dir}/${name}":
ensure => $ensure,
source => $source,
mode => 0600,
notify => [Exec["${file} concatenation"], $notify],
}
}
} else {
if $content {
file {"${dir}/${name}":
ensure => $ensure,
content => $content,
mode => 0600,
notify => Exec["${file} concatenation"],
}
} else {
file {"${dir}/${name}":
ensure => $ensure,
source => $source,
mode => 0600,
notify => Exec["${file} concatenation"],
}
}
}
# The actual file generation
if defined(Exec["${file} concatenation"]) {
debug("Blah")
#Exec["${file} concatenation"] {
# require +> File["${dir}/${name}"],
#}
} else {
# use >| to force clobbering the target file
exec { "${file} concatenation":
command => "/usr/bin/find ${dir} -maxdepth 1 -type f ! -name '*puppettmp' -print0 | sort -z | xargs -0 cat >| ${file}",
refreshonly => true,
subscribe => File[$dir],
before => File[$file],
# require => File["${dir}/${name}"],
#alias => [ "concat_${name}", "concat_${dir}"] ,
}
}
}

53
puppet/puppet-common/manifests/config_file.pp Normal file
View File

@@ -0,0 +1,53 @@
# common/manifests/defines/config_file.pp -- create a config file with default permissions
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# Usage:
# config_file { filename:
# content => "....\n",
# }
#
# Examples:
#
# To create the file /etc/vservers/${vs_name}/context with specific
# content:
#
# config_file { "/etc/vservers/${vs_name}/context":
# content => "${context}\n",
# notify => Exec["vs_restart_${vs_name}"],
# require => Exec["vs_create_${vs_name}"];
# }
#
# To create the file /etc/apache2/sites-available/munin-stats with the
# content pulled from a template:
#
# config_file { "/etc/apache2/sites-available/munin-stats":
# content => template("apache/munin-stats"),
# require => Package["apache2"],
# notify => Exec["reload-apache2"]
# }
define config_file ($content = '', $source = '', $ensure = 'present') {
file { $name:
ensure => $ensure,
# keep old versions on the server
backup => server,
# default permissions for config files
mode => 0644, owner => root, group => 0,
# really detect changes to this file
checksum => md5,
}
case $source {
'': { }
default: { File[$name] { source => $source } }
}
case $content {
'': { }
default: { File[$name] { content => $content } }
}
}

42
puppet/puppet-common/manifests/line.pp Normal file
View File

@@ -0,0 +1,42 @@
# common/manifests/defines/line.pp -- a trivial mechanism to ensure a line exists in a file
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# Usage:
# line { description:
# file => "filename",
# line => "content",
# ensure => {absent,*present*}
# }
#
# Example:
# The following ensures that the line "allow ^$munin_host$" exists
# in /etc/munin/munin-node.conf, and if there are any changes notify the service for
# a restart
#
# line { allow_munin_host:
# file => "/etc/munin/munin-node.conf",
# line => "allow ^$munin_host$",
# ensure => present,
# notify => Service[munin-node],
# require => Package[munin-node],
# }
#
#
define common::line($file, $line, $ensure = 'present') {
case $ensure {
default : { err ( "unknown ensure value '${ensure}'" ) }
present: {
exec { "/bin/echo '${line}' >> '${file}'":
unless => "/bin/grep -qFx '${line}' '${file}'"
}
}
absent: {
exec { "/usr/bin/perl -ni -e 'print if \$_ ne \"${line}\n\";' '${file}'":
onlyif => "/bin/grep -qFx '${line}' '${file}'"
}
}
}
}

27
puppet/puppet-common/manifests/modules_dir.pp Normal file
View File

@@ -0,0 +1,27 @@
# common/manifests/defines/modules_dir.pp -- create a default directory
# for storing module specific information
#
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# Usage:
# modules_dir { ["common", "common/dir1", "common/dir2" ]: }
define modules_dir (
$mode = 0644, $owner = root, $group = 0
)
{
$dir = "/var/lib/puppet/modules/${name}"
if defined(File[$dir]) {
debug("${dir} already defined")
} else {
file {
"/var/lib/puppet/modules/${name}":
source => [ "puppet:///modules/${name}/modules_dir", "puppet:///modules/common/empty"],
checksum => mtime,
# ignore the placeholder
ignore => '\.ignore',
recurse => true, purge => true, force => true,
mode => $mode, owner => $owner, group => $group;
}
}
}

24
puppet/puppet-common/manifests/modules_file.pp Normal file
View File

@@ -0,0 +1,24 @@
# common/manifests/defines/modules_file.pp -- use a modules_dir to store module
# specific files
#
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# Usage:
# modules_file { "module/file":
# source => "puppet://..",
# mode => 644, # default
# owner => root, # default
# group => root, # default
# }
define common::modules_file (
$source,
$mode = 0644, $owner = root, $group = root
)
{
file {
"/var/lib/puppet/modules/${name}":
source => $source,
mode => $mode, owner => $owner, group => $group;
}
}

30
puppet/puppet-common/manifests/replace.pp Normal file
View File

@@ -0,0 +1,30 @@
# common/manifests/defines/replace.pp -- replace a pattern in a file with a string
# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
# See LICENSE for the full license granted to you.
# Usage:
#
# replace { description:
# file => "filename",
# pattern => "regexp",
# replacement => "replacement"
#
# Example:
# To replace the current port in /etc/munin/munin-node.conf
# with a new port, but only disturbing the file when needed:
#
# replace { set_munin_node_port:
# file => "/etc/munin/munin-node.conf",
# pattern => "^port (?!$port)[0-9]*",
# replacement => "port $port"
# }
define common::replace($file, $pattern, $replacement) {
$pattern_no_slashes = slash_escape($pattern)
$replacement_no_slashes = slash_escape($replacement)
exec { "replace_${pattern}_${file}":
command => "/usr/bin/perl -pi -e 's/${pattern_no_slashes}/${replacement_no_slashes}/' '${file}'",
onlyif => "/usr/bin/perl -ne 'BEGIN { \$ret = 1; } \$ret = 0 if /${pattern_no_slashes}/ && ! /\\Q${replacement_no_slashes}\\E/; END { exit \$ret; }' '${file}'",
alias => "exec_$name",
}
}

4
puppet/puppet-common/manifests/require_lsbdistcodename.pp Normal file
View File

@@ -0,0 +1,4 @@
# To fail the complete compilation, include this class
class common::require_lsbdistcodename inherits common::assert_lsbdistcodename {
exec { "false # require_lsbdistcodename": require => Exec[require_lsbdistcodename], }
}

19
puppet/puppet-common/tests/concatfilepart1.pp Executable file
View File

@@ -0,0 +1,19 @@
import "../manifests/concatfilepart.pp"
common::concatfilepart{"0_header":
ensure => present,
content => "A",
file => "/tmp/test-concat.txt",
}
common::concatfilepart{"1_body":
ensure => present,
content => "B",
file => "/tmp/test-concat.txt",
}
common::concatfilepart{"9_footer":
ensure => present,
content => "C",
file => "/tmp/test-concat.txt",
}

19
puppet/puppet-common/tests/concatfilepart2.pp Executable file
View File

@@ -0,0 +1,19 @@
import "../manifests/concatfilepart.pp"
common::concatfilepart{"0_header":
ensure => absent,
content => "A",
file => "/tmp/test-concat.txt",
}
common::concatfilepart{"1_body":
ensure => present,
content => "B",
file => "/tmp/test-concat.txt",
}
common::concatfilepart{"9_footer":
ensure => present,
content => "C",
file => "/tmp/test-concat.txt",
}

19
puppet/puppet-common/tests/concatfilepart3.pp Executable file
View File

@@ -0,0 +1,19 @@
import "../manifests/concatfilepart.pp"
common::concatfilepart{"0_blah":
ensure => present,
content => "Z",
file => "/tmp/test-concat.txt",
}
common::concatfilepart{"1_body":
ensure => present,
content => "B",
file => "/tmp/test-concat.txt",
}
common::concatfilepart{"9_footer":
ensure => present,
content => "C",
file => "/tmp/test-concat.txt",
}

19
puppet/puppet-common/tests/concatfilepart4.pp Executable file
View File

@@ -0,0 +1,19 @@
import "../manifests/concatfilepart.pp"
common::concatfilepart{"0_blah":
ensure => absent,
content => "Z",
file => "/tmp/test-concat.txt",
}
common::concatfilepart{"1_body":
ensure => absent,
content => "B",
file => "/tmp/test-concat.txt",
}
common::concatfilepart{"9_footer":
ensure => absent,
content => "C",
file => "/tmp/test-concat.txt",
}

25
puppet/puppet-common/tests/run-tests.sh Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/sh
error() {
echo "Error"
exit 1
}
TF="/tmp/test-concat.txt"
echo "concatfilepart"
echo
rm -r /tmp/test-concat.txt*
puppet concatfilepart1.pp
echo "ABC =? $(cat /tmp/test-concat.txt)"
puppet concatfilepart2.pp
echo "BC =? $(cat /tmp/test-concat.txt)"
puppet concatfilepart3.pp
echo "ZBC =? $(cat /tmp/test-concat.txt)"
puppet concatfilepart4.pp
echo " =? $(cat /tmp/test-concat.txt)"

27
puppet/zulip-internal/files/apache/ports.conf Normal file
View File

@@ -0,0 +1,27 @@
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
# This line added by Zulip.
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>

50
puppet/zulip-internal/files/apache/sites/graphite Normal file
View File

@@ -0,0 +1,50 @@
WSGISocketPrefix /usr/lib/apache2/modules/
Listen 444
<VirtualHost *:444>
ServerName stats1.zulip.net
SSLEngine on
SSLCertificateFile /etc/ssl/certs/stats1.zulip.net.crt
SSLCertificateKeyFile /etc/ssl/certs/stats1.zulip.net.key
Header add Strict-Transport-Security "max-age=15768000"
<Location "/">
AuthType Digest
AuthName "wiki"
AuthDigestProvider file
AuthUserFile /etc/apache2/users/wiki
Require valid-user
</Location>
# Graphite specific setup
DocumentRoot "/opt/graphite/webapp"
WSGIDaemonProcess graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120
WSGIProcessGroup graphite
WSGIApplicationGroup %{GLOBAL}
WSGIImportScript /opt/graphite/conf/graphite.wsgi process-group=graphite application-group=%{GLOBAL}
WSGIScriptAlias / /opt/graphite/conf/graphite.wsgi
Alias /content/ /opt/graphite/webapp/content/
<Location "/content/">
SetHandler None
</Location>
Alias /media/ "/usr/lib/pymodules/python2.7/django/contrib/admin/media/"
<Location "/media/">
SetHandler None
</Location>
<Directory /opt/graphite/conf/>
Order deny,allow
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>

43
puppet/zulip-internal/files/apache/sites/graphiti Normal file
View File

@@ -0,0 +1,43 @@
<VirtualHost *:80>
ServerName graphiti.zulip.net
Redirect permanent / https://graphiti.zulip.net/
</VirtualHost>
<VirtualHost *:443>
ServerName graphiti.zulip.net
SSLEngine on
SSLCertificateFile /etc/ssl/certs/stats1.zulip.net.crt
SSLCertificateKeyFile /etc/ssl/certs/stats1.zulip.net.key
Header add Strict-Transport-Security "max-age=15768000"
Header add X-Frame-Options DENY
<Location "/">
AuthType Digest
AuthName "wiki"
AuthDigestProvider file
AuthUserFile /etc/apache2/users/wiki
Require valid-user
</Location>
# Graphiti reverse-proxy to unicorn serving at localhost:8088
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8088/
ProxyPassReverse / http://127.0.0.1:8088/
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>

37
puppet/zulip-internal/files/apache/sites/humbug-default Normal file
View File

@@ -0,0 +1,37 @@
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName dev.humbughq.com
DocumentRoot /var/www
<Directory *>
Options FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName dev.humbughq.com
SSLEngine on
SSLCertificateFile /etc/apache2/certs/humbug-self-signed.crt
SSLCertificateKeyFile /etc/apache2/certs/humbug-self-signed.key
DocumentRoot /var/www
<Directory *>
Options FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

57
puppet/zulip-internal/files/apache/sites/mediawiki Normal file
View File

@@ -0,0 +1,57 @@
<VirtualHost *:80>
ServerName wiki.zulip.net
Redirect permanent / https://wiki.zulip.net/
</VirtualHost>
<VirtualHost *:443>
ServerName wiki.zulip.net
SSLEngine on
SSLCertificateFile /etc/ssl/certs/wiki.zulip.net.crt
SSLCertificateKeyFile /etc/ssl/private/wiki.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem
Header add Strict-Transport-Security "max-age=15768000"
Header add X-Frame-Options DENY
<Location "/">
AuthType Digest
AuthName "wiki"
AuthDigestProvider file
AuthUserFile /etc/apache2/users/wiki
Require valid-user
</Location>
Alias /wiki /var/lib/mediawiki/index.php
RewriteEngine on
RewriteRule ^(/)?$ /wiki [L,R=301]
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /w /var/lib/mediawiki
<Directory /var/lib/mediawiki/>
Options +FollowSymLinks
AllowOverride All
order allow,deny
allow from all
</Directory>
# some directories must be protected
<Directory /var/lib/mediawiki/config>
Options -FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/lib/mediawiki/upload>
Options -FollowSymLinks
AllowOverride None
</Directory>
</VirtualHost>

70
puppet/zulip-internal/files/apache/sites/nagios Normal file
View File

@@ -0,0 +1,70 @@
<VirtualHost *:80>
ServerName nagios.humbughq.com
Redirect permanent / https://nagios.zulip.net/
</VirtualHost>
<VirtualHost *:80>
ServerName nagios.zulip.net
Redirect permanent / https://nagios.zulip.net/
</VirtualHost>
<VirtualHost *:443>
ServerName nagios.humbughq.com
Redirect permanent / https://nagios.zulip.net/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/nagios.humbughq.com.crt
SSLCertificateKeyFile /etc/ssl/private/nagios.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem
</VirtualHost>
<VirtualHost *:443>
ServerName nagios.zulip.net
SSLEngine on
SSLCertificateFile /etc/ssl/certs/nagios.zulip.net.crt
SSLCertificateKeyFile /etc/ssl/private/nagios.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem
Header add Strict-Transport-Security "max-age=15768000"
Header add X-Frame-Options DENY
ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
# Where the stylesheets (config files) reside
Alias /nagios3/stylesheets /etc/nagios3/stylesheets
# Where the HTML pages live
Alias /nagios3 /usr/share/nagios3/htdocs
RedirectMatch ^/?$ https://nagios.zulip.net/cgi-bin/nagios3/status.cgi?host=all
<Location "/">
AuthType Digest
AuthName "wiki"
AuthDigestProvider file
AuthUserFile /etc/apache2/users/wiki
Require valid-user
</Location>
<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
Options FollowSymLinks
DirectoryIndex index.php index.html
Order Allow,Deny
Allow From All
</DirectoryMatch>
<Directory /usr/share/nagios3/htdocs>
Options +ExecCGI
</Directory>
# Enable this ScriptAlias if you want to enable the grouplist patch.
# See http://apan.sourceforge.net/download.html for more info
# It allows you to see a clickable list of all hostgroups in the
# left pane of the Nagios web interface
ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
</VirtualHost>

38
puppet/zulip-internal/files/apache/sites/stats Normal file
View File

@@ -0,0 +1,38 @@
WSGISocketPrefix /usr/lib/apache2/modules/
<VirtualHost *:443>
ServerName stats1.zulip.net
SSLEngine on
SSLCertificateFile /etc/ssl/certs/stats1.zulip.net.crt
SSLCertificateKeyFile /etc/ssl/certs/stats1.zulip.net.key
Header add Strict-Transport-Security "max-age=15768000"
<Location "/">
AuthType Digest
AuthName "wiki"
AuthDigestProvider file
AuthUserFile /etc/apache2/users/wiki
Require valid-user
</Location>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Header add Strict-Transport-Security "max-age=15768000"
# Graphiti reverse-proxy to unicorn serving at localhost:8088
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8088/
ProxyPassReverse /grapiti http://127.0.0.1:8088/
</VirtualHost>

64
puppet/zulip-internal/files/apache/sites/trac Normal file
View File

@@ -0,0 +1,64 @@
<VirtualHost *:80>
ServerName trac.zulip.net
Redirect permanent / https://trac.zulip.net/
</VirtualHost>
<VirtualHost *:80>
ServerName trac.humbughq.com
Redirect permanent / https://trac.zulip.net/
</VirtualHost>
<VirtualHost *:443>
ServerName trac.humbughq.com
Redirect permanent / https://trac.zulip.net/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/trac.humbughq.com.crt
SSLCertificateKeyFile /etc/ssl/private/trac.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem
</VirtualHost>
<VirtualHost *:443>
ServerName trac.zulip.net
SSLEngine on
SSLCertificateFile /etc/ssl/certs/trac.zulip.net.crt
SSLCertificateKeyFile /etc/ssl/private/trac.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem
Header add Strict-Transport-Security "max-age=15768000"
Header add X-Frame-Options DENY
Alias /chrome/common /home/zulip/trac/htdocs/common
Alias /chrome/site /home/zulip/trac/htdocs/site
<Directory "/home/zulip/trac/htdocs">
Order allow,deny
Allow from all
</Directory>
WSGIScriptAlias / /home/zulip/trac/cgi-bin/trac.wsgi
<Directory /home/zulip/trac>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
<Location "/">
AuthType Digest
AuthName "wiki"
AuthDigestProvider file
AuthUserFile /etc/apache2/users/wiki
Require valid-user
</Location>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>

21
puppet/zulip-internal/files/builder/sbuildrc Normal file
View File

@@ -0,0 +1,21 @@
# Mail address where logs are sent to (mandatory, no default!)
$mailto = 'buildd-maintainers@zulip.net';
# Directory for chroot symlinks and sbuild logs. Defaults to the
# current directory if unspecified. (Deprecated.) Leave this unset;
# umt compare-bin relies upon this being unset.
#
# The above comment is a lie. ~ lfaraone
$build_dir='/home/zulip/ubuntu/build';
# Directory for writing build logs to
$log_dir="/home/zulip/ubuntu/logs";
# Override default sbuild dependency resolver (see 'man sbuild'). The default
# resolver (apt) mostly works ok but not always (eg, oneiric libreoffice).
# Use 'apt', 'aptitude', 'internal'. Can also use '--build-dep-resolver' with
# sbuild or '--sbuild-dep-resolver' with umt.
#$build_dep_resolver="apt";
# don't remove this, Perl needs it:
1;

BIN
puppet/zulip-internal/files/builder/ubuntu-archive-keyring.gpg Normal file
View File

Binary file not shown.

3
puppet/zulip-internal/files/camo_defaults Normal file
View File

@@ -0,0 +1,3 @@
ENABLED=yes
PORT=9292
CAMO_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

3
puppet/zulip-internal/files/cron.d/active-user-stats Normal file
View File

@@ -0,0 +1,3 @@
MAILTO=root
*/10 * * * * zulip cd /home/zulip/deployments/current && python manage.py active_user_stats

4
puppet/zulip-internal/files/cron.d/check-apns-tokens Normal file
View File

@@ -0,0 +1,4 @@
MAILTO=root
# Remove any stale apple device tokens from our list
0 3 * * * zulip cd /home/zulip/deployments/current && python manage.py check_apns_tokens

4
puppet/zulip-internal/files/cron.d/clearsessions Normal file
View File

@@ -0,0 +1,4 @@
MAILTO=root
# Clear all expired Django sessions at 10:22 PM every day.
22 22 * * * zulip cd /home/zulip/deployments/current && python manage.py clearsessions

3
puppet/zulip-internal/files/cron.d/email-mirror Normal file
View File

@@ -0,0 +1,3 @@
MAILTO=root
* * * * * zulip cd /home/zulip/deployments/current && python manage.py email-mirror

4
puppet/zulip-internal/files/cron.d/graphite_backup Normal file
View File

@@ -0,0 +1,4 @@
MAILTO=root
SHELL=/bin/bash
0 3 * * * zulip /home/zulip/zulip/puppet/zulip-internal/files/graphite/daily_rsync_backup.sh

4
puppet/zulip-internal/files/cron.d/test_zephyr_personal_mirrors Normal file
View File

@@ -0,0 +1,4 @@
# We don't actually need a valid Kerberos cache since these are sent
# unauth anyway -- but a cache is required for zwrite to run.
* * * * * zulip env KRB5CCNAME=/home/zulip/ccache/zmirror-tabbott zwrite -c zulip-mirror-nagios -i nagios-test -m test -Szulip-nagios@mit.edu -d -q >/dev/null 2>/dev/null

26
puppet/zulip-internal/files/cron.d/zephyr-mirror Normal file
View File

@@ -0,0 +1,26 @@
SHELL=/bin/bash
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
35 * * * * zulip /home/zulip/zulip/bots/zmirror-renew-kerberos
*/2 * * * * zulip /home/zulip/zulip/bots/check-mirroring --sharded &> /var/lib/nagios_state/check-mirroring-results-tmp; mv /var/lib/nagios_state/check-mirroring-results-tmp /var/lib/nagios_state/check-mirroring-results

2
puppet/zulip-internal/files/debathena.list Normal file
View File

@@ -0,0 +1,2 @@
deb http://debathena.mit.edu/apt wheezy debathena debathena-config
deb-src http://debathena.mit.edu/apt wheezy debathena debathena-config

46
puppet/zulip-internal/files/graphite/aggregation-rules.conf Normal file
View File

@@ -0,0 +1,46 @@
# The form of each line in this file should be as follows:
#
# output_template (frequency) = method input_pattern
#
# This will capture any received metrics that match 'input_pattern'
# for calculating an aggregate metric. The calculation will occur
# every 'frequency' seconds and the 'method' can specify 'sum' or
# 'avg'. The name of the aggregate metric will be derived from
# 'output_template' filling in any captured fields from 'input_pattern'.
#
# For example, if you're metric naming scheme is:
#
# <env>.applications.<app>.<server>.<metric>
#
# You could configure some aggregations like so:
#
# <env>.applications.<app>.all.requests (60) = sum <env>.applications.<app>.*.requests
# <env>.applications.<app>.all.latency (60) = avg <env>.applications.<app>.*.latency
#
# As an example, if the following metrics are received:
#
# prod.applications.apache.www01.requests
# prod.applications.apache.www01.requests
#
# They would all go into the same aggregation buffer and after 60 seconds the
# aggregate metric 'prod.applications.apache.all.requests' would be calculated
# by summing their values.
#
# Note that any time this file is modified, it will be re-read automatically.
# NOTE: If you use the `sum` aggregation method, make sure the aggregation period is
# 5 seconds unless you know what you are doing. statsd pushes to carbon
# every 5 seconds (see local.js), so aggregating over a longer period of time
# will inflate the output value
# Aggregate all per-bucket memcached stats into a generic hit/miss stat
stats.<app>.cache.all.hit (5) = sum stats.<app>.cache.*.hit
stats.<app>.cache.all.miss (5) = sum stats.<app>.cache.*.miss
# Aggregate all per-bucket memcached stats counts into a generic hit/miss stat
stats_counts.<app>.cache.all.hit (5) = sum stats_counts.<app>.cache.*.hit
stats_counts.<app>.cache.all.miss (5) = sum stats_counts.<app>.cache.*.miss
# Aggregate all per-domain active stats to overall active stats
stats.gauges.<app>.users.active.all.<bucket> (5) = sum stats.gauges.<app>.users.active.*.<bucket>
stats.gauges.<app>.users.reading.all.<bucket> (5) = sum stats.gauges.<app>.users.reading.*.<bucket>

280
puppet/zulip-internal/files/graphite/carbon.conf Normal file
View File

@@ -0,0 +1,280 @@
[cache]
# Configure carbon directories.
#
# OS environment variables can be used to tell carbon where graphite is
# installed, where to read configuration from and where to write data.
#
# GRAPHITE_ROOT - Root directory of the graphite installation.
# Defaults to ../
# GRAPHITE_CONF_DIR - Configuration directory (where this file lives).
# Defaults to $GRAPHITE_ROOT/conf/
# GRAPHITE_STORAGE_DIR - Storage directory for whipser/rrd/log/pid files.
# Defaults to $GRAPHITE_ROOT/storage/
#
# To change other directory paths, add settings to this file. The following
# configuration variables are available with these default values:
#
# STORAGE_DIR = $GRAPHITE_STORAGE_DIR
# LOCAL_DATA_DIR = STORAGE_DIR/whisper/
# WHITELISTS_DIR = STORAGE_DIR/lists/
# CONF_DIR = STORAGE_DIR/conf/
# LOG_DIR = STORAGE_DIR/log/
# PID_DIR = STORAGE_DIR/
#
# For FHS style directory structures, use:
#
# STORAGE_DIR = /var/lib/carbon/
# CONF_DIR = /etc/carbon/
# LOG_DIR = /var/log/carbon/
# PID_DIR = /var/run/
#
#LOCAL_DATA_DIR = /opt/graphite/storage/whisper/
# Specify the user to drop privileges to
# If this is blank carbon runs as the user that invokes it
# This user must have write access to the local data directory
USER =
# Limit the size of the cache to avoid swapping or becoming CPU bound.
# Sorts and serving cache queries gets more expensive as the cache grows.
# Use the value "inf" (infinity) for an unlimited cache size.
MAX_CACHE_SIZE = inf
# Limits the number of whisper update_many() calls per second, which effectively
# means the number of write requests sent to the disk. This is intended to
# prevent over-utilizing the disk and thus starving the rest of the system.
# When the rate of required updates exceeds this, then carbon's caching will
# take effect and increase the overall throughput accordingly.
MAX_UPDATES_PER_SECOND = 500
# Softly limits the number of whisper files that get created each minute.
# Setting this value low (like at 50) is a good way to ensure your graphite
# system will not be adversely impacted when a bunch of new metrics are
# sent to it. The trade off is that it will take much longer for those metrics'
# database files to all get created and thus longer until the data becomes usable.
# Setting this value high (like "inf" for infinity) will cause graphite to create
# the files quickly but at the risk of slowing I/O down considerably for a while.
MAX_CREATES_PER_MINUTE = 50
LINE_RECEIVER_INTERFACE = 0.0.0.0
LINE_RECEIVER_PORT = 2003
# Set this to True to enable the UDP listener. By default this is off
# because it is very common to run multiple carbon daemons and managing
# another (rarely used) port for every carbon instance is not fun.
ENABLE_UDP_LISTENER = False
UDP_RECEIVER_INTERFACE = 0.0.0.0
UDP_RECEIVER_PORT = 2003
PICKLE_RECEIVER_INTERFACE = 0.0.0.0
PICKLE_RECEIVER_PORT = 2004
# Per security concerns outlined in Bug #817247 the pickle receiver
# will use a more secure and slightly less efficient unpickler.
# Set this to True to revert to the old-fashioned insecure unpickler.
USE_INSECURE_UNPICKLER = False
CACHE_QUERY_INTERFACE = 0.0.0.0
CACHE_QUERY_PORT = 7002
# Set this to False to drop datapoints received after the cache
# reaches MAX_CACHE_SIZE. If this is True (the default) then sockets
# over which metrics are received will temporarily stop accepting
# data until the cache size falls below 95% MAX_CACHE_SIZE.
USE_FLOW_CONTROL = True
# By default, carbon-cache will log every whisper update. This can be excessive and
# degrade performance if logging on the same volume as the whisper data is stored.
LOG_UPDATES = False
# On some systems it is desirable for whisper to write synchronously.
# Set this option to True if you'd like to try this. Basically it will
# shift the onus of buffering writes from the kernel into carbon's cache.
WHISPER_AUTOFLUSH = False
# By default new Whisper files are created pre-allocated with the data region
# filled with zeros to prevent fragmentation and speed up contiguous reads and
# writes (which are common). Enabling this option will cause Whisper to create
# the file sparsely instead. Enabling this option may allow a large increase of
# MAX_CREATES_PER_MINUTE but may have longer term performance implications
# depending on the underlying storage configuration.
# WHISPER_SPARSE_CREATE = False
# Enabling this option will cause Whisper to lock each Whisper file it writes
# to with an exclusive lock (LOCK_EX, see: man 2 flock). This is useful when
# multiple carbon-cache daemons are writing to the same files
# WHISPER_LOCK_WRITES = False
# Set this to True to enable whitelisting and blacklisting of metrics in
# CONF_DIR/whitelist and CONF_DIR/blacklist. If the whitelist is missing or
# empty, all metrics will pass through
# USE_WHITELIST = False
# By default, carbon itself will log statistics (such as a count,
# metricsReceived) with the top level prefix of 'carbon' at an interval of 60
# seconds. Set CARBON_METRIC_INTERVAL to 0 to disable instrumentation
# CARBON_METRIC_PREFIX = carbon
# CARBON_METRIC_INTERVAL = 60
# Enable AMQP if you want to receve metrics using an amqp broker
# ENABLE_AMQP = False
# Verbose means a line will be logged for every metric received
# useful for testing
# AMQP_VERBOSE = False
# AMQP_HOST = localhost
# AMQP_PORT = 5672
# AMQP_VHOST = /
# AMQP_USER = guest
# AMQP_PASSWORD = guest
# AMQP_EXCHANGE = graphite
# AMQP_METRIC_NAME_IN_BODY = False
# The manhole interface allows you to SSH into the carbon daemon
# and get a python interpreter. BE CAREFUL WITH THIS! If you do
# something like time.sleep() in the interpreter, the whole process
# will sleep! This is *extremely* helpful in debugging, assuming
# you are familiar with the code. If you are not, please don't
# mess with this, you are asking for trouble :)
#
# ENABLE_MANHOLE = False
# MANHOLE_INTERFACE = 127.0.0.1
# MANHOLE_PORT = 7222
# MANHOLE_USER = admin
# MANHOLE_PUBLIC_KEY = ssh-rsa AAAAB3NzaC1yc2EAAAABiwAaAIEAoxN0sv/e4eZCPpi3N3KYvyzRaBaMeS2RsOQ/cDuKv11dlNzVeiyc3RFmCv5Rjwn/lQ79y0zyHxw67qLyhQ/kDzINc4cY41ivuQXm2tPmgvexdrBv5nsfEpjs3gLZfJnyvlcVyWK/lId8WUvEWSWHTzsbtmXAF2raJMdgLTbQ8wE=
# Patterns for all of the metrics this machine will store. Read more at
# http://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol#Bindings
#
# Example: store all sales, linux servers, and utilization metrics
# BIND_PATTERNS = sales.#, servers.linux.#, #.utilization
#
# Example: store everything
# BIND_PATTERNS = #
# To configure special settings for the carbon-cache instance 'b', uncomment this:
#[cache:b]
#LINE_RECEIVER_PORT = 2103
#PICKLE_RECEIVER_PORT = 2104
#CACHE_QUERY_PORT = 7102
# and any other settings you want to customize, defaults are inherited
# from [carbon] section.
# You can then specify the --instance=b option to manage this instance
[relay]
LINE_RECEIVER_INTERFACE = 0.0.0.0
LINE_RECEIVER_PORT = 2013
PICKLE_RECEIVER_INTERFACE = 0.0.0.0
PICKLE_RECEIVER_PORT = 2014
# To use consistent hashing instead of the user defined relay-rules.conf,
# change this to:
# RELAY_METHOD = consistent-hashing
RELAY_METHOD = rules
# If you use consistent-hashing you may want to add redundancy
# of your data by replicating every datapoint to more than
# one machine.
REPLICATION_FACTOR = 1
# This is a list of carbon daemons we will send any relayed or
# generated metrics to. The default provided would send to a single
# carbon-cache instance on the default port. However if you
# use multiple carbon-cache instances then it would look like this:
#
# DESTINATIONS = 127.0.0.1:2004:a, 127.0.0.1:2104:b
#
# The general form is IP:PORT:INSTANCE where the :INSTANCE part is
# optional and refers to the "None" instance if omitted.
#
# Note that if the destinations are all carbon-caches then this should
# exactly match the webapp's CARBONLINK_HOSTS setting in terms of
# instances listed (order matters!).
#
# If using RELAY_METHOD = rules, all destinations used in relay-rules.conf
# must be defined in this list
DESTINATIONS = 127.0.0.1:2004
# This defines the maximum "message size" between carbon daemons.
# You shouldn't need to tune this unless you really know what you're doing.
MAX_DATAPOINTS_PER_MESSAGE = 500
MAX_QUEUE_SIZE = 10000
# Set this to False to drop datapoints when any send queue (sending datapoints
# to a downstream carbon daemon) hits MAX_QUEUE_SIZE. If this is True (the
# default) then sockets over which metrics are received will temporarily stop accepting
# data until the send queues fall below 80% MAX_QUEUE_SIZE.
USE_FLOW_CONTROL = True
# Set this to True to enable whitelisting and blacklisting of metrics in
# CONF_DIR/whitelist and CONF_DIR/blacklist. If the whitelist is missing or
# empty, all metrics will pass through
# USE_WHITELIST = False
# By default, carbon itself will log statistics (such as a count,
# metricsReceived) with the top level prefix of 'carbon' at an interval of 60
# seconds. Set CARBON_METRIC_INTERVAL to 0 to disable instrumentation
# CARBON_METRIC_PREFIX = carbon
# CARBON_METRIC_INTERVAL = 60
[aggregator]
LINE_RECEIVER_INTERFACE = 0.0.0.0
LINE_RECEIVER_PORT = 2023
PICKLE_RECEIVER_INTERFACE = 0.0.0.0
PICKLE_RECEIVER_PORT = 2024
# This is a list of carbon daemons we will send any relayed or
# generated metrics to. The default provided would send to a single
# carbon-cache instance on the default port. However if you
# use multiple carbon-cache instances then it would look like this:
#
# DESTINATIONS = 127.0.0.1:2004:a, 127.0.0.1:2104:b
#
# The format is comma-delimited IP:PORT:INSTANCE where the :INSTANCE part is
# optional and refers to the "None" instance if omitted.
#
# Note that if the destinations are all carbon-caches then this should
# exactly match the webapp's CARBONLINK_HOSTS setting in terms of
# instances listed (order matters!).
DESTINATIONS = 127.0.0.1:2004
# If you want to add redundancy to your data by replicating every
# datapoint to more than one machine, increase this.
REPLICATION_FACTOR = 1
# This is the maximum number of datapoints that can be queued up
# for a single destination. Once this limit is hit, we will
# stop accepting new data if USE_FLOW_CONTROL is True, otherwise
# we will drop any subsequently received datapoints.
MAX_QUEUE_SIZE = 10000
# Set this to False to drop datapoints when any send queue (sending datapoints
# to a downstream carbon daemon) hits MAX_QUEUE_SIZE. If this is True (the
# default) then sockets over which metrics are received will temporarily stop accepting
# data until the send queues fall below 80% MAX_QUEUE_SIZE.
USE_FLOW_CONTROL = True
# This defines the maximum "message size" between carbon daemons.
# You shouldn't need to tune this unless you really know what you're doing.
MAX_DATAPOINTS_PER_MESSAGE = 500
# This defines how many datapoints the aggregator remembers for
# each metric. Aggregation only happens for datapoints that fall in
# the past MAX_AGGREGATION_INTERVALS * intervalSize seconds.
MAX_AGGREGATION_INTERVALS = 5
# Set this to True to enable whitelisting and blacklisting of metrics in
# CONF_DIR/whitelist and CONF_DIR/blacklist. If the whitelist is missing or
# empty, all metrics will pass through
# USE_WHITELIST = False
# By default, carbon itself will log statistics (such as a count,
# metricsReceived) with the top level prefix of 'carbon' at an interval of 60
# seconds. Set CARBON_METRIC_INTERVAL to 0 to disable instrumentation
# CARBON_METRIC_PREFIX = carbon
# CARBON_METRIC_INTERVAL = 60

3
puppet/zulip-internal/files/graphite/daily_rsync_backup.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/usr/bin/env bash
rsync -avz /srv/graphite/ /mnt/graphite-backup

16
puppet/zulip-internal/files/graphite/graphite.wsgi Normal file
View File

@@ -0,0 +1,16 @@
import os, sys
sys.path.append('/opt/graphite/webapp')
os.environ['DJANGO_SETTINGS_MODULE'] = 'graphite.settings'
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
# READ THIS
# Initializing the search index can be very expensive, please include
# the WSGIScriptImport directive pointing to this script in your vhost
# config to ensure the index is preloaded before any requests are handed
# to the process.
from graphite.logger import log
log.info("graphite.wsgi - pid %d - reloading search index" % os.getpid())
import graphite.metrics.search

13
puppet/zulip-internal/files/graphite/local_settings.py Normal file
View File

@@ -0,0 +1,13 @@
TIME_ZONE="America/New_York"
ALLOWED_HOSTS=['graphite.humbughq.com', 'graphite.zulip.net', 'stats1.zulip.net']
DATABASES = {
'default': {
'NAME': '/opt/graphite/storage/graphite.db',
'ENGINE': 'django.db.backends.sqlite3',
'USER': '',
'PASSWORD': '',
'HOST': '',
'PORT': ''
}
}

6
puppet/zulip-internal/files/graphite/setup_disks.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/sh
mkdir /srv/graphite
mkfs.ext4 /dev/xvdb
echo "/dev/xvdb /srv/graphite ext4 noatime,defaults,barrier=0 1 1" >> /etc/fstab
mount /srv/graphite

31
puppet/zulip-internal/files/graphite/storage-aggregation.conf Normal file
View File

@@ -0,0 +1,31 @@
# Example configuration from
# https://gist.github.com/tristanbes/4046457#file-example-sh
[min]
pattern = \.min$
xFilesFactor = 0.1
aggregationMethod = min
[max]
pattern = \.max$
xFilesFactor = 0.1
aggregationMethod = max
[sum]
pattern = \.sum$
xFilesFactor = 0
aggregationMethod = sum
[count]
pattern = \.count$
xFilesFactor = 0
aggregationMethod = sum
[count_legacy]
pattern = ^stats_counts.*
xFilesFactor = 0
aggregationMethod = sum
[default_average]
pattern = .*
xFilesFactor = 0.3
aggregationMethod = average

26
puppet/zulip-internal/files/graphite/storage-schemas.conf Normal file
View File

@@ -0,0 +1,26 @@
# Schema definitions for Whisper files. Entries are scanned in order,
# and first match wins. This file is scanned for changes every 60 seconds.
#
# [name]
# pattern = regex
# retentions = timePerPoint:timeToStore, timePerPoint:timeToStore, ...
# statsd specific
[stats]
pattern = ^stats.*
#retentions = 10:2160,60:10080,600:262974
# 5s data for 6hr
# 10s data for 12hr
# 1min data for 2 weeks
# 10min data for 5 years
retentions = 5s:6h,10s:12h,1min:14d,10min:5y
# Carbon's internal metrics. This entry should match what is specified in
# CARBON_METRIC_PREFIX and CARBON_METRIC_INTERVAL settings
[carbon]
pattern = ^carbon\.
retentions = 60:90d
[default_1min_for_1day]
pattern = .*
retentions = 60s:1d

61
puppet/zulip-internal/files/graphiti/settings.yml Normal file
View File

@@ -0,0 +1,61 @@
---
graphiti_base_url: https://stats1.zulip.net/graphiti/
graphite_base_url: https://graphiti:xxxxxxxxxxxxxxxxxx@stats1.zulip.net:444/
graphite_userpw: "graphiti:xxxxxxxxxxxxxxxxxx"
graphite_auth: :digest
graphite_cert: "/home/zulip/graphiti/humbughq_cert_internal.pem"
#graphite_base_url: https://user:pass@graphite01.pp.local
redis_url: localhost:6978:1/graphiti
tmp_dir: /tmp
fonts:
- DroidSans
- DejaVuSans
auto_refresh:
enabled: true # checked by default?
interval: 120 # seconds
default_options:
title: "New Graph"
from: -7d
font: DroidSans
fontSize: 10
thickness: 2
bgcolor: "#FFFFFF"
fgcolor: "#333333"
majorGridLineColor: "#ADADAD"
minorGridLineColor: "#E5E5E5"
default_metrics:
- "stats.foobar"
metric_prefix: "stats"
# Configure a service for snapshoting graphs. Current options are
# s3 (amazon s3) and fs (filesystem)
snapshots:
# for s3 you need to provide `bucket`, `access_key_id`, and `secret_access_key`
#
# service: s3
# bucket: mysnapshots
# access_key_id: BLAH
# secret_access_key: BLAHBLAH
# for local filesystem you need to provide a dir to save the images
# and the public route to that dir
#
# service: fs
# dir: public/storage
# public_host: http://graphiti.local/storage
# These are options that are passed to Pony
# https://github.com/benprew/pony
# in `to:` SLUG gets replaced with the slug of the dashboard being sent
reports:
from: "Stampy <stampy@paperlesspost.com>"
to: "graphiti+SLUG@paperlesspost.com"
via: smtp
via_options:
address: 'smtp.gmail.com'
port: 587
authentication: plain
enable_starttls_auto: true,
user_name: "stampy@paperlesspost.com"
password: "PASSWORD"
snapshots:
service: none

37
puppet/zulip-internal/files/iptables/rules.zmirror Normal file
View File

@@ -0,0 +1,37 @@
*filter
# Set up logging for dropped packets
-N LOGDROP
-A LOGDROP -m limit --limit 15/min -j LOG --log-prefix "iptables dropped: " --log-level 7
-A LOGDROP -j DROP
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to loopback IPs on other interfaces
-A INPUT ! -i lo -d 127.0.0.0/8 -j LOGDROP
# Accept incoming traffic related to established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept incoming traffic on TCP port 22 (SSH)
-A INPUT -p tcp --dport 22 -j ACCEPT
# Accept incoming traffic on UDP port 2104 (zhm)
-A INPUT -p udp --dport 2104 -j ACCEPT
# It's hard to know what ephemeral ports the zephyr clients are listening on.
# Apparently they do not send outgoing traffic sufficient for the
# ESTABLISHED,RELATED rule above. So for now we allow all UDP traffic.
#
# FIXME: do something better here.
-A INPUT -p udp -j ACCEPT
# Drop everything else
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT

432
puppet/zulip-internal/files/mediawiki/Auth_remoteuser.php Normal file
View File

@@ -0,0 +1,432 @@
<?php
// vim:sw=2:softtabstop=2:textwidth=80
//
// This program is free software: you can redistribute it and/or modify it
// under the terms of the GNU General Public License as published by the Free
// Software Foundation, either version 2 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
// FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
// more details.
//
// You should have received a copy of the GNU General Public License along with
// this program. If not, see <http://www.gnu.org/licenses/>.
//
// Copyright 2006 Otheus Shelling
// Copyright 2007 Rusty Burchfield
// Copyright 2009 James Kinsman
// Copyright 2010 Daniel Thomas
// Copyright 2010 Ian Ward Comfort
//
// In 2009, the copyright holders determined that the original publishing of this code
// under GPLv3 was legally and logistically in error, and re-licensed it under GPLv2.
//
// See http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER
//
// Adapted by Rusty to be compatible with version 1.9 of MediaWiki
// Optional settings from Emmanuel Dreyfus
// Adapted by VibroAxe (James Kinsman) to be compatible with version 1.16 of MediaWiki
// Adapted by VibroAxe (James Kinsman) to allow domain substitution for Integrated Windows Authentication
// Adapted by drt24 (Daniel Thomas) to add the optional $wgAuthRemoteuserMailDomain and remove hardcoding
// of permissions for anonymous users.
// Adapted by Ian Ward Comfort to detect mismatches between the session user and REMOTE_USER
//
// Add these lines to your LocalSettings.php
//
// // Don't let anonymous people do things...
// $wgGroupPermissions['*']['createaccount'] = false;
// $wgGroupPermissions['*']['read'] = false;
// $wgGroupPermissions['*']['edit'] = false;
//
// /* This is required for Auth_remoteuser operation
// require_once('extensions/Auth_remoteuser.php');
// $wgAuth = new Auth_remoteuser();
//
// The constructor of Auth_remoteuser registers a hook to do the automatic
// login. Storing the Auth_remoteuser object in $wgAuth tells mediawiki to use
// that object as the AuthPlugin. This way the login attempts by the hook will
// be handled by us.
//
// You probably want to edit the initUser function to set the users real name
// and email address properly for your configuration.
// Extension credits that show up on Special:Version
$wgExtensionCredits['other'][] = array(
'name' => 'AutomaticREMOTE USER',
'version' => '1.1.4',
'author' => array( 'Otheus Shelling', 'Rusty Burchfield', 'James Kinsman', 'Daniel Thomas', 'Ian Ward Comfort' ),
'url' => 'https://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER',
'description' => 'Automatically logs users using the REMOTE_USER environment variable.',
);
// We must allow zero length passwords. This extension does not work in MW 1.16 without this.
$wgMinimalPasswordLength = 0;
$wgAuthRemoteuserAuthz = true;
$wgAuthRemoteuserDomain = null;
/* User's name */
$wgAuthRemoteuserName = isset( $_SERVER["AUTHENTICATE_CN"] )
? $_SERVER["AUTHENTICATE_CN"]
: '';
/* User's Mail */
$wgAuthRemoteuserMail = isset( $_SERVER["AUTHENTICATE_MAIL"] )
? $_SERVER["AUTHENTICATE_MAIL"]
: '';
$wgAuthRemoteuserNotify = false; /* Do not send mail notifications */
$wgAuthRemoteuserDomain = "NETBIOSDOMAIN"; /* Remove NETBIOSDOMAIN\ from the beginning or @NETBIOSDOMAIN at the end of a IWA username */
/* User's mail domain to append to the user name to make their email address */
$wgAuthRemoteuserMailDomain = "example.com";
$wgExtensionFunctions[] = 'Auth_remote_user_hook';
/**
* This hook is registered by the Auth_remoteuser constructor. It will be
* called on every page load. It serves the function of automatically logging
* in the user. The Auth_remoteuser class is an AuthPlugin and handles the
* actual authentication, user creation, etc.
*
* Details:
* 1. Check to see if the user has a session and is not anonymous. If this is
* true, check whether REMOTE_USER matches the session user. If so, we can
* just return; otherwise we must logout the session user and login as the
* REMOTE_USER.
* 2. If the user doesn't have a session, we create a login form with our own
* fake request and ask the form to authenticate the user. If the user does
* not exist authenticateUserData will attempt to create one. The login form
* uses our Auth_remoteuser class as an AuthPlugin.
*
* Note: If cookies are disabled, an infinite loop /might/ occur?
*/
function Auth_remote_user_hook() {
global $wgUser, $wgRequest, $wgAuthRemoteuserDomain, $wgAuth;
// For a few special pages, don't do anything.
$title = $wgRequest->getVal( 'title' );
if ( ( $title == Title::makeName( NS_SPECIAL, 'UserLogout' ) ) ||
( $title == Title::makeName( NS_SPECIAL, 'UserLogin' ) ) ) {
return;
}
// Process the username if required
if ( !isset( $_SERVER['REMOTE_USER'] ) ) {
return;
}
if ( isset( $wgAuthRemoteuserDomain ) && strlen( $wgAuthRemoteuserDomain ) ) {
$username = str_replace( "$wgAuthRemoteuserDomain\\", "", $_SERVER['REMOTE_USER'] );
$username = str_replace( "@$wgAuthRemoteuserDomain", "", $username );
} else {
$username = $_SERVER['REMOTE_USER'];
}
// Check for valid session
$user = User::newFromSession();
if ( !$user->isAnon() ) {
if ( $user->getName() == $wgAuth->getCanonicalName( $username ) ) {
return; // Correct user is already logged in.
} else {
$user->doLogout(); // Logout mismatched user.
}
}
// Copied from includes/SpecialUserlogin.php
if ( !isset( $wgCommandLineMode ) && !isset( $_COOKIE[session_name()] ) ) {
wfSetupSession();
}
// If the login form returns NEED_TOKEN try once more with the right token
$trycount = 0;
$token = '';
$errormessage = '';
do {
$tryagain = false;
// Submit a fake login form to authenticate the user.
$params = new FauxRequest( array(
'wpName' => $username,
'wpPassword' => '',
'wpDomain' => '',
'wpLoginToken' => $token,
'wpRemember' => ''
) );
// Authenticate user data will automatically create new users.
$loginForm = new LoginForm( $params );
$result = $loginForm->authenticateUserData();
switch ( $result ) {
case LoginForm :: SUCCESS :
$wgUser->setOption( 'rememberpassword', 1 );
$wgUser->setCookies();
break;
case LoginForm :: NEED_TOKEN:
$token = $loginForm->getLoginToken();
$tryagain = ( $trycount == 0 );
break;
case LoginForm :: WRONG_TOKEN:
$errormessage = 'WrongToken';
break;
case LoginForm :: NO_NAME :
$errormessage = 'NoName';
break;
case LoginForm :: ILLEGAL :
$errormessage = 'Illegal';
break;
case LoginForm :: WRONG_PLUGIN_PASS :
$errormessage = 'WrongPluginPass';
break;
case LoginForm :: NOT_EXISTS :
$errormessage = 'NotExists';
break;
case LoginForm :: WRONG_PASS :
$errormessage = 'WrongPass';
break;
case LoginForm :: EMPTY_PASS :
$errormessage = 'EmptyPass';
break;
default:
$errormessage = 'Unknown';
break;
}
if ( $result != LoginForm::SUCCESS && $result != LoginForm::NEED_TOKEN ) {
error_log( 'Unexpected REMOTE_USER authentication failure. Login Error was:' . $errormessage );
}
$trycount++;
} while ( $tryagain );
return;
}
class Auth_remoteuser extends AuthPlugin {
/**
* Disallow password change.
*
* @return bool
*/
function allowPasswordChange() {
return false;
}
/**
* This should not be called because we do not allow password change. Always
* fail by returning false.
*
* @param $user User object.
* @param $password String: password.
* @return bool
* @public
*/
function setPassword( $user, $password ) {
return false;
}
/**
* We don't support this but we have to return true for preferences to save.
*
* @param $user User object.
* @return bool
* @public
*/
function updateExternalDB( $user ) {
return true;
}
/**
* We can't create external accounts so return false.
*
* @return bool
* @public
*/
function canCreateAccounts() {
return false;
}
/**
* We don't support adding users to whatever service provides REMOTE_USER, so
* fail by always returning false.
*
* @param User $user
* @param string $password
* @return bool
* @public
*/
function addUser( $user, $password ) {
return false;
}
/**
* Pretend all users exist. This is checked by authenticateUserData to
* determine if a user exists in our 'db'. By returning true we tell it that
* it can create a local wiki user automatically.
*
* @param $username String: username.
* @return bool
* @public
*/
function userExists( $username ) {
return true;
}
/**
* Check whether the given name matches REMOTE_USER.
* The name will be normalized to MediaWiki's requirements, so
* lower it and the REMOTE_USER before checking.
*
* @param $username String: username.
* @param $password String: user password.
* @return bool
* @public
*/
function authenticate( $username, $password ) {
global $wgAuthRemoteuserAuthz, $wgAuthRemoteuserDomain;
if ( isset( $wgAuthRemoteuserAuthz ) && !$wgAuthRemoteuserAuthz ) {
return false;
}
if ( !isset( $_SERVER['REMOTE_USER'] ) ) {
$_SERVER['REMOTE_USER'] = "";
}
if ( isset( $wgAuthRemoteuserDomain ) && strlen( $wgAuthRemoteuserDomain ) > 0 ) {
$usertest = str_replace( "$wgAuthRemoteuserDomain\\", "", $_SERVER['REMOTE_USER'] );
$usertest = str_replace( "@$wgAuthRemoteuserDomain", "", $usertest );
} else {
$usertest = $_SERVER['REMOTE_USER'];
}
return ( strtolower( $username ) == strtolower( $usertest ) );
}
/**
* Check to see if the specific domain is a valid domain.
*
* @param $domain String: authentication domain.
* @return bool
* @public
*/
function validDomain( $domain ) {
return true;
}
/**
* When a user logs in, optionally fill in preferences and such.
* For instance, you might pull the email address or real name from the
* external user database.
*
* The User object is passed by reference so it can be modified; don't
* forget the & on your function declaration.
*
* @param User $user
* @public
*/
function updateUser( &$user ) {
// We only set this stuff when accounts are created.
return true;
}
/**
* Return true because the wiki should create a new local account
* automatically when asked to login a user who doesn't exist locally but
* does in the external auth database.
*
* @return bool
* @public
*/
function autoCreate() {
return true;
}
/**
* Return true to prevent logins that don't authenticate here from being
* checked against the local database's password fields.
*
* @return bool
* @public
*/
function strict() {
return true;
}
/**
* When creating a user account, optionally fill in preferences and such.
* For instance, you might pull the email address or real name from the
* external user database.
*
* @param $user User object.
* @public
*/
function initUser( &$user ) {
global $wgAuthRemoteuserName, $wgAuthRemoteuserMail, $wgAuthRemoteuserMailDomain,
$wgAuthRemoteuserNotify, $wgAuthRemoteuserDomain;
if ( isset( $wgAuthRemoteuserDomain ) && strlen( $wgAuthRemoteuserDomain ) ) {
$username = str_replace( "$wgAuthRemoteuserDomain\\", "", $_SERVER['REMOTE_USER'] );
$username = str_replace( "@$wgAuthRemoteuserDomain", "", $username );
} else {
$username = $_SERVER['REMOTE_USER'];
}
if ( isset( $wgAuthRemoteuserName ) ) {
$user->setRealName( $wgAuthRemoteuserName );
} else {
$user->setRealName( '' );
}
if ( isset( $wgAuthRemoteuserMail ) ) {
$user->setEmail( $wgAuthRemoteuserMail );
} elseif ( isset( $wgAuthRemoteuserMailDomain ) ) {
$user->setEmail( $username . '@' . $wgAuthRemoteuserMailDomain );
} else {
$user->setEmail( $username . "@example.com" );
}
$user->mEmailAuthenticated = wfTimestampNow();
$user->setToken();
// turn on e-mail notifications
if ( isset( $wgAuthRemoteuserNotify ) && $wgAuthRemoteuserNotify ) {
$user->setOption( 'enotifwatchlistpages', 1 );
$user->setOption( 'enotifusertalkpages', 1 );
$user->setOption( 'enotifminoredits', 1 );
$user->setOption( 'enotifrevealaddr', 1 );
}
$user->saveSettings();
}
/**
* Modify options in the login template. This shouldn't be very important
* because no one should really be bothering with the login page.
*
* @param $template UserLoginTemplate object.
* @public
*/
function modifyUITemplate( &$template ) {
// disable the mail new password box
$template->set( 'useemail', false );
// disable 'remember me' box
$template->set( 'remember', false );
$template->set( 'create', false );
$template->set( 'domain', false );
$template->set( 'usedomain', false );
}
/**
* Normalize user names to the MediaWiki standard to prevent duplicate
* accounts.
*
* @param $username String: username.
* @return string
* @public
*/
function getCanonicalName( $username ) {
// lowercase the username
$username = strtolower( $username );
// uppercase first letter to make MediaWiki happy
return ucfirst( $username );
}
}

163
puppet/zulip-internal/files/mediawiki/LocalSettings.php Normal file
View File

@@ -0,0 +1,163 @@
<?php
# This file was automatically generated by the MediaWiki 1.19.5-1
# installer. If you make manual changes, please keep track in case you
# need to recreate them later.
#
# See includes/DefaultSettings.php for all configurable settings
# and their default values, but don't forget to make changes in _this_
# file, not there.
#
# Further documentation for configuration settings may be found at:
# http://www.mediawiki.org/wiki/Manual:Configuration_settings
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
exit;
}
# Debugging
#error_reporting( E_ALL );
#ini_set( 'display_errors', 1 );
## Uncomment this to disable output compression
# $wgDisableOutputCompression = true;
$wgSitename = "Zulip Wiki";
$wgMetaNamespace = "Project";
## The URL base path to the directory containing the wiki;
## defaults for all runtime URL paths are based off of this.
## For more information on customizing the URLs please see:
## http://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "/w";
$wgScriptExtension = ".php";
$wgArticlePath = "/wiki/$1";
## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://wiki.zulip.net";
## The relative URL path to the skins directory
$wgStylePath = "$wgScriptPath/skins";
## The relative URL path to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgStylePath/common/images/wiki.png";
## UPO means: this is also a user preference option
$wgEnableEmail = true;
$wgEnableUserEmail = true; # UPO
$wgEmergencyContact = "support@zulip.com";
$wgPasswordSender = "support@zulip.com";
$wgEnotifUserTalk = true; # UPO
$wgEnotifWatchlist = true; # UPO
$wgEmailAuthentication = false;
## Database settings
$wgDBtype = "postgres";
$wgDBport = "5432";
$wgDBserver = "localhost";
$wgDBname = "wiki";
$wgDBuser = "wikiuser";
$wgDBpassword = "xxxxxxxxxx";
$wgDBport = "5432";
$wgDBmwschema = "mediawiki";
# MySQL specific settings
#$wgDBprefix = "";
# MySQL table options to use during installation or update
#$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
# Experimental charset support for MySQL 5.0.
$wgDBmysql5 = false;
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = array();
## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = true;
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";
# InstantCommons allows wiki to use images from http://commons.wikimedia.org
$wgUseInstantCommons = true;
## If you use ImageMagick (or any other shell command) on a
## Linux server, this will need to be set to the name of an
## available UTF-8 locale
$wgShellLocale = "en_US.utf8";
## If you want to use image uploads under safe mode,
## create the directories images/archive, images/thumb and
## images/temp, and make them all writable. Then uncomment
## this, if it's not already uncommented:
#$wgHashedUploadDirectory = false;
## Set $wgCacheDirectory to a writable directory on the web server
## to make your wiki go slightly faster. The directory should not
## be publically accessible from the web.
#$wgCacheDirectory = "$IP/cache";
# Site language code, should be one of the list in ./languages/Names.php
$wgLanguageCode = "en";
# Keeping this in git isn't the end of the world, see:
# <http://www.mediawiki.org/wiki/Manual:$wgSecretKey>
$wgSecretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
# Site upgrade key. Must be set to a string (default provided) to turn on the
# web installer while LocalSettings.php is in place
$wgUpgradeKey = "xxxxxxxxxxxxxxxx";
## Default skin: you can change the default skin. Use the internal symbolic
## names, ie 'standard', 'nostalgia', 'cologneblue', 'monobook', 'vector':
$wgDefaultSkin = "modern";
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";
# debian-specific include:
if (is_file("/etc/mediawiki-extensions/extensions.php")) {
include("/etc/mediawiki-extensions/extensions.php");
}
# Query string length limit for ResourceLoader. You should only set this if
# your web server has a query string length limit (then set it to that limit),
# or if you have suhosin.get.max_value_length set in php.ini (then set it to
# that value)
$wgResourceLoaderMaxQueryLength = -1;
# Enabled Extensions. Most extensions are enabled by including the base extension file here
# but check specific extension documentation for more details
# The following extensions were automatically enabled:
require_once( "$IP/extensions/Cite/Cite.php" );
require_once( "$IP/extensions/Vector/Vector.php" );
require_once( "$IP/extensions/WikiEditor/WikiEditor.php" );
# End of automatically generated settings.
# Add more configuration options below.
$wgAuth = new Auth_remoteuser();
// Don't let anonymous people do things...
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgFileExtensions[] = 'svg';

1
puppet/zulip-internal/files/mediawiki/apache_config Symbolic link
View File

@@ -0,0 +1 @@
../apache/sites/mediawiki

15
puppet/zulip-internal/files/motd.lb0 Normal file
View File

@@ -0,0 +1,15 @@
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

You are connected to lb0.zulip.net.

To connect to an app server, you need to run:
ssh <servername>.zulip.net
Note the .net, not the .com.

7
puppet/zulip-internal/files/munin-plugins/humbug_send_receive Executable file
View File

@@ -0,0 +1,7 @@
#!/bin/sh
if [ "$(hostname)" = "staging.zulip.net" ]; then
site="https://staging.zulip.com"
else
site="https://api.zulip.com"
fi
/home/zulip/deployments/current/bots/check_send_receive.py --munin $1 --site="$site"

66
puppet/zulip-internal/files/munin-plugins/rabbitmq_connections Executable file
View File

@@ -0,0 +1,66 @@
#!/bin/sh
#
# Plugin to monitor the number of connections to RabbitMQ
#
# Usage: Link or copy into /etc/munin/node.d/
#
# Parameters
# env.conn_warn <warning connections>
# env.conn_crit <critical connections>
#
# Magic markers (optional - only used by munin-config and some
# installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
# If run with the "autoconf"-parameter, give our opinion on wether we
# should be run on this system or not. This is optinal, and only used by
# munin-config. In the case of this plugin, we should most probably
# always be included.
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
HOME=/tmp/
# If run with the "config"-parameter, give out information on how the
# graphs should look.
if [ "$1" = "config" ]; then
CONN_WARN=${queue_warn:-500}
CONN_CRIT=${queue_crit:-1000}
# The host name this plugin is for. (Can be overridden to have
# one machine answer for several)
# The title of the graph
echo 'graph_title RabbitMQ connections'
# Arguments to "rrdtool graph". In this case, tell it that the
# lower limit of the graph is '0', and that 1k=1000 (not 1024)
echo 'graph_args --base 1000 -l 0'
# The Y-axis label
echo 'graph_vlabel connections'
# We want Cur/Min/Avg/Max unscaled (i.e. 0.42 load instead of
# 420 milliload)
#echo 'graph_scale no'
echo 'graph_category RabbitMQ'
echo "connections.label Connections"
echo "connections.warning $CONN_WARN"
echo "connections.critical $CONN_CRIT"
echo "connections.info Number of active connections"
echo 'graph_info Shows the number of connections to RabbitMQ'
# Last, if run with the "config"-parameter, quit here (don't
# display any data)
exit 0
fi
# If not run with any parameters at all (or only unknown ones), do the
# real work - i.e. display the data. Almost always this will be
# "value" subfield for every data field.
echo "connections.value $(HOME=$HOME rabbitmqctl list_connections | grep -v "^Listing" | grep -v "done.$" | wc -l)"

75
puppet/zulip-internal/files/munin-plugins/rabbitmq_consumers Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
#
# Plugin to monitor the queues of a virtual_host in RabbitMQ
#
# Usage: Link or copy into /etc/munin/node.d/
#
# Parameters
# env.vhost <AMQ virtual host>
# env.queue_warn <warning queuesize>
# env.queue_crit <critical queuesize>
#
# Magic markers (optional - only used by munin-config and some
# installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
# If run with the "autoconf"-parameter, give our opinion on wether we
# should be run on this system or not. This is optinal, and only used by
# munin-config. In the case of this plugin, we should most probably
# always be included.
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
# If run with the "config"-parameter, give out information on how the
# graphs should look.
HOME=/tmp/
VHOST=${vhost:-"/"}
QUEUES=$(HOME=$HOME rabbitmqctl list_queues name | \
grep -v '^Listing' | \
grep -v 'done\.$' | sed -e 's/[.=-]/_/g' )
if [ "$1" = "config" ]; then
QUEUE_WARN=${queue_warn:-100}
QUEUE_CRIT=${queue_crit:-500}
# The host name this plugin is for. (Can be overridden to have
# one machine answer for several)
# The title of the graph
echo "graph_title RabbitMQ consumers"
# Arguments to "rrdtool graph". In this case, tell it that the
# lower limit of the graph is '0', and that 1k=1000 (not 1024)
echo 'graph_args --base 1000 -l 0'
# The Y-axis label
echo 'graph_vlabel consumers'
# We want Cur/Min/Avg/Max unscaled (i.e. 0.42 load instead of
# 420 milliload)
#echo 'graph_scale no'
echo 'graph_category RabbitMQ'
for queue in $QUEUES; do
echo "$queue.label $queue"
echo "$queue.warning $QUEUE_WARN"
echo "$queue.critical $QUEUE_CRIT"
echo "$queue.info Active consumers for $queue"
done
echo 'graph_info Lists active consumers for a queue.'
# Last, if run with the "config"-parameter, quit here (don't
# display any data)
exit 0
fi
# If not run with any parameters at all (or only unknown ones), do the
# real work - i.e. display the data. Almost always this will be
# "value" subfield for every data field.
HOME=$HOME rabbitmqctl list_queues name consumers| \
grep -v "^Listing" | grep -v "done.$" | \
perl -nle'($q, $s) = split; $q =~ s/[.=-]/_/g; print("$q.value $s")'

75
puppet/zulip-internal/files/munin-plugins/rabbitmq_messages Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
#
# Plugin to monitor the queues of a virtual_host in RabbitMQ
#
# Usage: Link or copy into /etc/munin/node.d/
#
# Parameters
# env.vhost <AMQ virtual host>
# env.queue_warn <warning queuesize>
# env.queue_crit <critical queuesize>
#
# Magic markers (optional - only used by munin-config and some
# installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
# If run with the "autoconf"-parameter, give our opinion on wether we
# should be run on this system or not. This is optinal, and only used by
# munin-config. In the case of this plugin, we should most probably
# always be included.
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
# If run with the "config"-parameter, give out information on how the
# graphs should look.
HOME=/tmp/
VHOST=${vhost:-"/"}
QUEUES=$(HOME=$HOME rabbitmqctl list_queues name | \
grep -v '^Listing' | \
grep -v 'done\.$' | sed -e 's/[.=-]/_/g' )
if [ "$1" = "config" ]; then
QUEUE_WARN=${queue_warn:-10000}
QUEUE_CRIT=${queue_crit:-20000}
# The host name this plugin is for. (Can be overridden to have
# one machine answer for several)
# The title of the graph
echo "graph_title RabbitMQ list_queues"
# Arguments to "rrdtool graph". In this case, tell it that the
# lower limit of the graph is '0', and that 1k=1000 (not 1024)
echo 'graph_args --base 1000 -l 0'
# The Y-axis label
echo 'graph_vlabel queue_size'
# We want Cur/Min/Avg/Max unscaled (i.e. 0.42 load instead of
# 420 milliload)
#echo 'graph_scale no'
echo 'graph_category RabbitMQ'
for queue in $QUEUES; do
echo "$queue.label $queue"
echo "$queue.warning $QUEUE_WARN"
echo "$queue.critical $QUEUE_CRIT"
echo "$queue.info Queue size for $queue"
done
echo 'graph_info Lists how many messages are in each queue.'
# Last, if run with the "config"-parameter, quit here (don't
# display any data)
exit 0
fi
# If not run with any parameters at all (or only unknown ones), do the
# real work - i.e. display the data. Almost always this will be
# "value" subfield for every data field.
HOME=$HOME rabbitmqctl list_queues | \
grep -v "^Listing" | grep -v "done.$" | \
perl -nle'($q, $s) = split; $q =~ s/[.=-]/_/g; print("$q.value $s")'

75
puppet/zulip-internal/files/munin-plugins/rabbitmq_messages_unacknowledged Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
#
# Plugin to monitor the queues of a virtual_host in RabbitMQ
#
# Usage: Link or copy into /etc/munin/node.d/
#
# Parameters
# env.vhost <AMQ virtual host>
# env.queue_warn <warning queuesize>
# env.queue_crit <critical queuesize>
#
# Magic markers (optional - only used by munin-config and some
# installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
# If run with the "autoconf"-parameter, give our opinion on wether we
# should be run on this system or not. This is optinal, and only used by
# munin-config. In the case of this plugin, we should most probably
# always be included.
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
# If run with the "config"-parameter, give out information on how the
# graphs should look.
HOME=/tmp/
VHOST=${vhost:-"/"}
QUEUES=$(HOME=$HOME rabbitmqctl list_queues name | \
grep -v '^Listing' | \
grep -v 'done\.$' | sed -e 's/[.=-]/_/g' )
if [ "$1" = "config" ]; then
QUEUE_WARN=${queue_warn:-10000}
QUEUE_CRIT=${queue_crit:-20000}
# The host name this plugin is for. (Can be overridden to have
# one machine answer for several)
# The title of the graph
echo "graph_title RabbitMQ Unacknowledged Messages"
# Arguments to "rrdtool graph". In this case, tell it that the
# lower limit of the graph is '0', and that 1k=1000 (not 1024)
echo 'graph_args --base 1000 -l 0'
# The Y-axis label
echo 'graph_vlabel unacknowledged'
# We want Cur/Min/Avg/Max unscaled (i.e. 0.42 load instead of
# 420 milliload)
#echo 'graph_scale no'
echo 'graph_category RabbitMQ'
for queue in $QUEUES; do
echo "$queue.label $queue"
echo "$queue.warning $QUEUE_WARN"
echo "$queue.critical $QUEUE_CRIT"
echo "$queue.info Unacknowledged messages for $queue"
done
echo 'graph_info Lists how many messages are in each queue.'
# Last, if run with the "config"-parameter, quit here (don't
# display any data)
exit 0
fi
# If not run with any parameters at all (or only unknown ones), do the
# real work - i.e. display the data. Almost always this will be
# "value" subfield for every data field.
HOME=$HOME rabbitmqctl list_queues name messages_unacknowledged | \
grep -v "^Listing" | grep -v "done.$" | \
perl -nle'($q, $s) = split; $q =~ s/[.=-]/_/g; print("$q.value $s")'

75
puppet/zulip-internal/files/munin-plugins/rabbitmq_messages_uncommitted Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
#
# Plugin to monitor the queues of a virtual_host in RabbitMQ
#
# Usage: Link or copy into /etc/munin/node.d/
#
# Parameters
# env.vhost <AMQ virtual host>
# env.queue_warn <warning queuesize>
# env.queue_crit <critical queuesize>
#
# Magic markers (optional - only used by munin-config and some
# installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
# If run with the "autoconf"-parameter, give our opinion on wether we
# should be run on this system or not. This is optinal, and only used by
# munin-config. In the case of this plugin, we should most probably
# always be included.
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
# If run with the "config"-parameter, give out information on how the
# graphs should look.
HOME=/tmp/
VHOST=${vhost:-"/"}
QUEUES=$(HOME=$HOME rabbitmqctl list_queues name | \
grep -v '^Listing' | \
grep -v 'done\.$' | sed -e 's/[.=-]/_/g' )
if [ "$1" = "config" ]; then
QUEUE_WARN=${queue_warn:-10000}
QUEUE_CRIT=${queue_crit:-20000}
# The host name this plugin is for. (Can be overridden to have
# one machine answer for several)
# The title of the graph
echo "graph_title RabbitMQ Uncommitted Messages"
# Arguments to "rrdtool graph". In this case, tell it that the
# lower limit of the graph is '0', and that 1k=1000 (not 1024)
echo 'graph_args --base 1000 -l 0'
# The Y-axis label
echo 'graph_vlabel uncommitted'
# We want Cur/Min/Avg/Max unscaled (i.e. 0.42 load instead of
# 420 milliload)
#echo 'graph_scale no'
echo 'graph_category RabbitMQ'
for queue in $QUEUES; do
echo "$queue.label $queue"
echo "$queue.warning $QUEUE_WARN"
echo "$queue.critical $QUEUE_CRIT"
echo "$queue.info Uncommitted messages for $queue"
done
echo 'graph_info Lists how many messages are in each queue.'
# Last, if run with the "config"-parameter, quit here (don't
# display any data)
exit 0
fi
# If not run with any parameters at all (or only unknown ones), do the
# real work - i.e. display the data. Almost always this will be
# "value" subfield for every data field.
HOME=$HOME rabbitmqctl list_channels name messages_uncommitted | \
grep -v "^Listing" | grep -v "done.$" | \
perl -nle'($q, $s) = split; $q =~ s/[.=-]/_/g; print("$q.value $s")'

75
puppet/zulip-internal/files/munin-plugins/rabbitmq_queue_memory Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
#
# Plugin to monitor the queues of a virtual_host in RabbitMQ
#
# Usage: Link or copy into /etc/munin/node.d/
#
# Parameters
# env.vhost <AMQ virtual host>
# env.queue_warn <warning queuesize>
# env.queue_crit <critical queuesize>
#
# Magic markers (optional - only used by munin-config and some
# installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
# If run with the "autoconf"-parameter, give our opinion on wether we
# should be run on this system or not. This is optinal, and only used by
# munin-config. In the case of this plugin, we should most probably
# always be included.
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
# If run with the "config"-parameter, give out information on how the
# graphs should look.
HOME=/tmp/
VHOST=${vhost:-"/"}
QUEUES=$(rabbitmqctl list_queues name | \
grep -v '^Listing' | \
grep -v 'done\.$' | sed -e 's/[.=-]/_/g' )
if [ "$1" = "config" ]; then
QUEUE_WARN=${queue_warn:-10000}
QUEUE_CRIT=${queue_crit:-20000}
# The host name this plugin is for. (Can be overridden to have
# one machine answer for several)
# The title of the graph
echo "graph_title RabbitMQ Memory used by queue"
# Arguments to "rrdtool graph". In this case, tell it that the
# lower limit of the graph is '0', and that 1k=1000 (not 1024)
echo 'graph_args --base 1024 --vertical-label Bytes -l 0'
# The Y-axis label
echo 'graph_vlabel memory'
# We want Cur/Min/Avg/Max unscaled (i.e. 0.42 load instead of
# 420 milliload)
#echo 'graph_scale no'
echo 'graph_category RabbitMQ'
for queue in $QUEUES; do
echo "$queue.label $queue"
echo "$queue.warning $QUEUE_WARN"
echo "$queue.critical $QUEUE_CRIT"
echo "$queue.info Memory used by $queue"
done
echo 'graph_info Show memory usage by queue'
# Last, if run with the "config"-parameter, quit here (don't
# display any data)
exit 0
fi
# If not run with any parameters at all (or only unknown ones), do the
# real work - i.e. display the data. Almost always this will be
# "value" subfield for every data field.
HOME=$HOME rabbitmqctl list_queues name memory | \
grep -v "^Listing" | grep -v "done.$" | \
perl -nle'($q, $s) = split; $q =~ s/[.=-]/_/g; print("$q.value $s")'

62
puppet/zulip-internal/files/munin-plugins/tornado_event_queues Executable file
View File

@@ -0,0 +1,62 @@
#!/bin/sh
#
# Plugin to monitor the number of active event queues
#
# Usage: Link or copy into /etc/munin/node.d/
#
# No Parameters
#
# Magic markers (optional - only used by munin-config and some
# installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
# If run with the "autoconf"-parameter, give our opinion on wether we
# should be run on this system or not. This is optinal, and only used by
# munin-config. In the case of this plugin, we should most probably
# always be included.
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
HOME=/tmp/
# If run with the "config"-parameter, give out information on how the
# graphs should look.
if [ "$1" = "config" ]; then
# The host name this plugin is for. (Can be overridden to have
# one machine answer for several)
# The title of the graph
echo 'graph_title Event queues'
# Arguments to "rrdtool graph". In this case, tell it that the
# lower limit of the graph is '0', and that 1k=1000 (not 1024)
echo 'graph_args --base 1000 -l 0'
# The Y-axis label
echo 'graph_vlabel Number'
# We want Cur/Min/Avg/Max unscaled (i.e. 0.42 load instead of
# 420 milliload)
#echo 'graph_scale no'
echo 'graph_category Tornado'
echo "active_queues.label Total active event queues"
echo "active_queues.info Total number of active event queues"
echo "active_users.label Users with active event queues"
echo "active_users.info Number of users with active event queues"
echo 'graph_info Shows the number of active event queues'
# Last, if run with the "config"-parameter, quit here (don't
# display any data)
exit 0
fi
# If not run with any parameters at all (or only unknown ones), do the
# real work - i.e. display the data. Almost always this will be
# "value" subfield for every data field.
echo "active_queues.value $(cat /home/zulip/stats/tornado.active_queues)"
echo "active_users.value $(cat /home/zulip/stats/tornado.active_users)"

53
puppet/zulip-internal/files/munin/munin-node.conf Normal file
View File

@@ -0,0 +1,53 @@
#
# Example config-file for munin-node
#
log_level 4
log_file /var/log/munin/munin-node.log
pid_file /var/run/munin/munin-node.pid
background 1
setsid 1
user root
group root
# Regexps for files to ignore
ignore_file [\#~]$
ignore_file DEADJOE$
ignore_file \.bak$
ignore_file %$
ignore_file \.dpkg-(tmp|new|old|dist)$
ignore_file \.rpm(save|new)$
ignore_file \.pod$
# Set this if the client doesn't report the correct hostname when
# telnetting to localhost, port 4949
#
#host_name localhost.localdomain
# A list of addresses that are allowed to connect. This must be a
# regular expression, since Net::Server does not understand CIDR-style
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
allow ^127\.0\.0\.1$
# If you have installed the Net::CIDR perl module, you can use one or more
# cidr_allow and cidr_deny address/mask patterns. A connecting client must
# match any cidr_allow, and not match any cidr_deny. Note that a netmask
# *must* be provided, even if it's /32
#
# Example:
#
# cidr_allow 127.0.0.1/32
# cidr_allow 192.0.2.0/24
# cidr_deny 192.0.2.42/32
# Which address to bind to;
#host *
host 127.0.0.1
# And which port
port 4949

63
puppet/zulip-internal/files/munin/munin.conf Normal file
View File

@@ -0,0 +1,63 @@
# Configfile for Munin master
dbdir /var/lib/munin
htmldir /var/www/munin
logdir /var/log/munin
rundir /var/run/munin
# We run Munin through SSH tunnels. Until setting these up is
# puppetized, follow the instructions in
# https://wiki.zulip.net/wiki/Deployment_process/components#Munin for
# how to set them up.
#
# If you add a new Munin node, update the documentation to include
# the SSH tunnel instructions for that node. Also change the number
# of autossh processes that we check for with Nagios.
[nagios]
address 127.0.0.1
use_node_name yes
[trac]
address 127.0.0.1
port 5000
use_node_name yes
[zmirror]
address 127.0.0.1
port 5001
use_node_name yes
[staging]
address 127.0.0.1
port 5002
use_node_name yes
[git]
address 127.0.0.1
port 5003
use_node_name yes
[bots]
address 127.0.0.1
port 5004
use_node_name yes
[app]
address 127.0.0.1
port 5005
use_node_name yes
[postgres0]
address 127.0.0.1
port 5006
use_node_name yes
[stats]
address 127.0.0.1
port 5007
use_node_name yes
[postgres1]
address 127.0.0.1
port 5008
use_node_name yes

142
puppet/zulip-internal/files/munin/plugin-conf.d/munin-node.conf Normal file
View File

@@ -0,0 +1,142 @@
# This file is used to configure how the plugins are invoked.
# Place in /etc/munin/plugin-conf.d/ or corresponding directory.
#
# PLEASE NOTE: Changes in the plugin-conf.d directory are only
# read at munin-node startup, so restart at any changes.
#
# user <user> # Set the user to run the plugin as.
# group <group> # Set the group to run the plugin as.
# command <command> # Run <command> instead of the plugin. %c expands to
# what would normally be run.
# env.<variable> <value> # Sets <variable> in the plugin's environment, see the
# individual plugins to find out which variables they
# care about.
[amavis]
group adm
env.MUNIN_MKTEMP /bin/mktemp -p /tmp/ $1
env.amavislog /var/log/mail.info
[apt]
user root
[courier_mta_mailqueue]
group daemon
[courier_mta_mailstats]
group adm
[courier_mta_mailvolume]
group adm
[cps*]
user root
[df*]
env.exclude none unknown iso9660 squashfs udf romfs ramfs debugfs
env.warning 92
env.critical 98
[exim_mailqueue]
group adm, (Debian-exim)
[exim_mailstats]
group adm, (Debian-exim)
env.logdir /var/log/exim4/
env.logname mainlog
[fw_conntrack]
user root
[fw_forwarded_local]
user root
[hddtemp_smartctl]
user root
[hddtemp2]
user root
[if_*]
user root
[if_err_*]
user nobody
[ip_*]
user root
[ipmi_*]
user root
[mysql*]
user root
env.mysqlopts --defaults-file=/etc/mysql/debian.cnf
env.mysqluser debian-sys-maint
env.mysqlconnection DBI:mysql:mysql;mysql_read_default_file=/etc/mysql/debian.cnf
[postfix_mailqueue]
user postfix
[postfix_mailstats]
group adm
[postfix_mailvolume]
group adm
env.logfile mail.log
[smart_*]
user root
[vlan*]
user root
[ejabberd*]
user ejabberd
env.statuses available away chat xa
env.days 1 7 30
[dhcpd3]
user root
env.leasefile /var/lib/dhcp3/dhcpd.leases
env.configfile /etc/dhcp3/dhcpd.conf
[jmx_*]
env.ip 127.0.0.1
env.port 5400
[samba]
user root
[munin_stats]
user munin
group munin
[postgres_*]
user postgres
env.PGUSER postgres
env.PGPORT 5432
[humbug_send_receive]
user zulip
group zulip
[rabbitmq_messages]
env.queue_warn 50
env.queue_crit 100
[rabbitmq_messages_unacknowledged]
env.queue_warn 50
env.queue_crit 100
[rabbitmq_queue_memory]
env.queue_warn 20000000
env.queue_crit 40000000
[rabbitmq_*]
user root
[tornado_event_queues]
user zulip
group zulip

373
puppet/zulip-internal/files/nagios3/cgi.cfg Normal file
View File

@@ -0,0 +1,373 @@
#################################################################
#
# CGI.CFG - Sample CGI Configuration File for Nagios
#
#################################################################
# MAIN CONFIGURATION FILE
# This tells the CGIs where to find your main configuration file.
# The CGIs will read the main and host config files for any other
# data they might need.
main_config_file=/etc/nagios3/nagios.cfg
# PHYSICAL HTML PATH
# This is the path where the HTML files for Nagios reside. This
# value is used to locate the logo images needed by the statusmap
# and statuswrl CGIs.
physical_html_path=/usr/share/nagios3/htdocs
# URL HTML PATH
# This is the path portion of the URL that corresponds to the
# physical location of the Nagios HTML files (as defined above).
# This value is used by the CGIs to locate the online documentation
# and graphics. If you access the Nagios pages with an URL like
# http://www.myhost.com/nagios, this value should be '/nagios'
# (without the quotes).
url_html_path=/nagios3
# CONTEXT-SENSITIVE HELP
# This option determines whether or not a context-sensitive
# help icon will be displayed for most of the CGIs.
# Values: 0 = disables context-sensitive help
# 1 = enables context-sensitive help
show_context_help=1
# PENDING STATES OPTION
# This option determines what states should be displayed in the web
# interface for hosts/services that have not yet been checked.
# Values: 0 = leave hosts/services that have not been check yet in their original state
# 1 = mark hosts/services that have not been checked yet as PENDING
use_pending_states=1
# NAGIOS PROCESS CHECK COMMAND
# This is the full path and filename of the program used to check
# the status of the Nagios process. It is used only by the CGIs
# and is completely optional. However, if you don't use it, you'll
# see warning messages in the CGIs about the Nagios process
# not running and you won't be able to execute any commands from
# the web interface. The program should follow the same rules
# as plugins; the return codes are the same as for the plugins,
# it should have timeout protection, it should output something
# to STDIO, etc.
#
# Note: The command line for the check_nagios plugin below may
# have to be tweaked a bit, as different versions of the plugin
# use different command line arguments/syntaxes.
nagios_check_command=/usr/lib/nagios/plugins/check_nagios /var/cache/nagios3/status.dat 5 '/usr/sbin/nagios3'
# AUTHENTICATION USAGE
# This option controls whether or not the CGIs will use any
# authentication when displaying host and service information, as
# well as committing commands to Nagios for processing.
#
# Read the HTML documentation to learn how the authorization works!
#
# NOTE: It is a really *bad* idea to disable authorization, unless
# you plan on removing the command CGI (cmd.cgi)! Failure to do
# so will leave you wide open to kiddies messing with Nagios and
# possibly hitting you with a denial of service attack by filling up
# your drive by continuously writing to your command file!
#
# Setting this value to 0 will cause the CGIs to *not* use
# authentication (bad idea), while any other value will make them
# use the authentication functions (the default).
use_authentication=1
# x509 CERT AUTHENTICATION
# When enabled, this option allows you to use x509 cert (SSL)
# authentication in the CGIs. This is an advanced option and should
# not be enabled unless you know what you're doing.
use_ssl_authentication=0
# DEFAULT USER
# Setting this variable will define a default user name that can
# access pages without authentication. This allows people within a
# secure domain (i.e., behind a firewall) to see the current status
# without authenticating. You may want to use this to avoid basic
# authentication if you are not using a secure server since basic
# authentication transmits passwords in the clear.
#
# Important: Do not define a default username unless you are
# running a secure web server and are sure that everyone who has
# access to the CGIs has been authenticated in some manner! If you
# define this variable, anyone who has not authenticated to the web
# server will inherit all rights you assign to this user!
#default_user_name=guest
# SYSTEM/PROCESS INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# have access to viewing the Nagios process information as
# provided by the Extended Information CGI (extinfo.cgi). By
# default, *no one* has access to this unless you choose to
# not use authorization. You may use an asterisk (*) to
# authorize any user who has authenticated to the web server.
authorized_for_system_information=nagiosadmin
# CONFIGURATION INFORMATION ACCESS
# This option is a comma-delimited list of all usernames that
# can view ALL configuration information (hosts, commands, etc).
# By default, users can only view configuration information
# for the hosts and services they are contacts for. You may use
# an asterisk (*) to authorize any user who has authenticated
# to the web server.
authorized_for_configuration_information=nagiosadmin
# SYSTEM/PROCESS COMMAND ACCESS
# This option is a comma-delimited list of all usernames that
# can issue shutdown and restart commands to Nagios via the
# command CGI (cmd.cgi). Users in this list can also change
# the program mode to active or standby. By default, *no one*
# has access to this unless you choose to not use authorization.
# You may use an asterisk (*) to authorize any user who has
# authenticated to the web server.
authorized_for_system_commands=nagiosadmin
# GLOBAL HOST/SERVICE VIEW ACCESS
# These two options are comma-delimited lists of all usernames that
# can view information for all hosts and services that are being
# monitored. By default, users can only view information
# for hosts or services that they are contacts for (unless you
# you choose to not use authorization). You may use an asterisk (*)
# to authorize any user who has authenticated to the web server.
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
# GLOBAL HOST/SERVICE COMMAND ACCESS
# These two options are comma-delimited lists of all usernames that
# can issue host or service related commands via the command
# CGI (cmd.cgi) for all hosts and services that are being monitored.
# By default, users can only issue commands for hosts or services
# that they are contacts for (unless you you choose to not use
# authorization). You may use an asterisk (*) to authorize any
# user who has authenticated to the web server.
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
# READ-ONLY USERS
# A comma-delimited list of usernames that have read-only rights in
# the CGIs. This will block any service or host commands normally shown
# on the extinfo CGI pages. It will also block comments from being shown
# to read-only users.
#authorized_for_read_only=user1,user2
# STATUSMAP BACKGROUND IMAGE
# This option allows you to specify an image to be used as a
# background in the statusmap CGI. It is assumed that the image
# resides in the HTML images path (i.e. /usr/local/nagios/share/images).
# This path is automatically determined by appending "/images"
# to the path specified by the 'physical_html_path' directive.
# Note: The image file may be in GIF, PNG, JPEG, or GD2 format.
# However, I recommend that you convert your image to GD2 format
# (uncompressed), as this will cause less CPU load when the CGI
# generates the image.
#statusmap_background_image=smbackground.gd2
# STATUSMAP TRANSPARENCY INDEX COLOR
# These options set the r,g,b values of the background color used the statusmap CGI,
# so normal browsers that can't show real png transparency set the desired color as
# a background color instead (to make it look pretty).
# Defaults to white: (R,G,B) = (255,255,255).
#color_transparency_index_r=255
#color_transparency_index_g=255
#color_transparency_index_b=255
# DEFAULT STATUSMAP LAYOUT METHOD
# This option allows you to specify the default layout method
# the statusmap CGI should use for drawing hosts. If you do
# not use this option, the default is to use user-defined
# coordinates. Valid options are as follows:
# 0 = User-defined coordinates
# 1 = Depth layers
# 2 = Collapsed tree
# 3 = Balanced tree
# 4 = Circular
# 5 = Circular (Marked Up)
default_statusmap_layout=5
# DEFAULT STATUSWRL LAYOUT METHOD
# This option allows you to specify the default layout method
# the statuswrl (VRML) CGI should use for drawing hosts. If you
# do not use this option, the default is to use user-defined
# coordinates. Valid options are as follows:
# 0 = User-defined coordinates
# 2 = Collapsed tree
# 3 = Balanced tree
# 4 = Circular
default_statuswrl_layout=4
# STATUSWRL INCLUDE
# This option allows you to include your own objects in the
# generated VRML world. It is assumed that the file
# resides in the HTML path (i.e. /usr/local/nagios/share).
#statuswrl_include=myworld.wrl
# PING SYNTAX
# This option determines what syntax should be used when
# attempting to ping a host from the WAP interface (using
# the statuswml CGI. You must include the full path to
# the ping binary, along with all required options. The
# $HOSTADDRESS$ macro is substituted with the address of
# the host before the command is executed.
# Please note that the syntax for the ping binary is
# notorious for being different on virtually ever *NIX
# OS and distribution, so you may have to tweak this to
# work on your system.
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
# REFRESH RATE
# This option allows you to specify the refresh rate in seconds
# of various CGIs (status, statusmap, extinfo, and outages).
refresh_rate=90
# ESCAPE HTML TAGS
# This option determines whether HTML tags in host and service
# status output is escaped in the web interface. If enabled,
# your plugin output will not be able to contain clickable links.
escape_html_tags=1
# SOUND OPTIONS
# These options allow you to specify an optional audio file
# that should be played in your browser window when there are
# problems on the network. The audio files are used only in
# the status CGI. Only the sound for the most critical problem
# will be played. Order of importance (higher to lower) is as
# follows: unreachable hosts, down hosts, critical services,
# warning services, and unknown services. If there are no
# visible problems, the sound file optionally specified by
# 'normal_sound' variable will be played.
#
#
# <varname>=<sound_file>
#
# Note: All audio files must be placed in the /media subdirectory
# under the HTML path (i.e. /usr/local/nagios/share/media/).
#host_unreachable_sound=hostdown.wav
#host_down_sound=hostdown.wav
#service_critical_sound=critical.wav
#service_warning_sound=warning.wav
#service_unknown_sound=warning.wav
#normal_sound=noproblem.wav
# URL TARGET FRAMES
# These options determine the target frames in which notes and
# action URLs will open.
action_url_target=_blank
notes_url_target=_blank
# LOCK AUTHOR NAMES OPTION
# This option determines whether users can change the author name
# when submitting comments, scheduling downtime. If disabled, the
# author names will be locked into their contact name, as defined in Nagios.
# Values: 0 = allow editing author names
# 1 = lock author names (disallow editing)
lock_author_names=1
# SPLUNK INTEGRATION OPTIONS
# These options allow you to enable integration with Splunk
# in the web interface. If enabled, you'll be presented with
# "Splunk It" links in various places in the CGIs (log file,
# alert history, host/service detail, etc). Useful if you're
# trying to research why a particular problem occurred.
# For more information on Splunk, visit http://www.splunk.com/
# This option determines whether the Splunk integration is enabled
# Values: 0 = disable Splunk integration
# 1 = enable Splunk integration
#enable_splunk_integration=1
# This option should be the URL used to access your instance of Splunk
#splunk_url=http://127.0.0.1:8000/
# Show all results on the same page
result_limit=0

152
puppet/zulip-internal/files/nagios3/commands.cfg Normal file
View File

@@ -0,0 +1,152 @@
###############################################################################
# COMMANDS.CFG - SAMPLE COMMAND DEFINITIONS FOR NAGIOS
###############################################################################
################################################################################
# NOTIFICATION COMMANDS
################################################################################
# 'notify-host-by-email' command definition
define command{
command_name notify-host-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
# 'notify-service-by-email' command definition
define command{
command_name notify-service-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n$LONGSERVICEOUTPUT$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
################################################################################
# HOST CHECK COMMANDS
################################################################################
# On Debian, check-host-alive is being defined from within the
# nagios-plugins-basic package
################################################################################
# PERFORMANCE DATA COMMANDS
################################################################################
# 'process-host-perfdata' command definition
define command{
command_name process-host-perfdata
command_line /usr/bin/printf "%b" "$LASTHOSTCHECK$\t$HOSTNAME$\t$HOSTSTATE$\t$HOSTATTEMPT$\t$HOSTSTATETYPE$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$\n" >> /var/lib/nagios3/host-perfdata.out
}
# 'process-service-perfdata' command definition
define command{
command_name process-service-perfdata
command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/lib/nagios3/service-perfdata.out
}
define command{
command_name check_remote_disk
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_disk -W$ARG2$ -K$ARG3$ -w $ARG2$ -c $ARG3$ -p $ARG4$'
}
define command{
command_name check_remote_load
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_load -w $ARG2$ -c $ARG3$'
}
define command{
command_name check_zephyr_mirror_forwarding
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_zephyr_mirror'
}
define command{
command_name check_personal_zephyr_mirrors
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_personal_zephyr_mirrors'
}
define command{
command_name check_user_zephyr_mirror_liveness
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_user_zephyr_mirror_liveness'
}
define command{
command_name check_debian_packages
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_debian_packages'
}
define command{
command_name check_ntp_time
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_ntp_time -H time.mit.edu -w .5 -c 1'
}
define command{
command_name check_send_receive_time
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_send_receive_time --nagios --site=https://$HOSTADDRESS$'
}
define command{
command_name check_queue_worker_errors
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_queue_worker_errors'
}
define command{
command_name check_postgres
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_postgres.pl --dbname=zulip --dbuser=zulip --action $ARG2$'
}
define command{
command_name check_postgres_alert_args
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_postgres.pl --dbname=zulip --dbuser=zulip --action $ARG2$ --warning="$ARG3$" --critical="$ARG4$"'
}
define command{
command_name check_sync_public_streams
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_procs -u zulip -c 1:1 -a "/home/zulip/zulip/bots/sync-public-streams"'
}
define command{
command_name check_rabbitmq_queues
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_rabbitmq_queues'
}
define command{
command_name check_rabbitmq_consumers
command_line /usr/lib/nagios/plugins/check_by_ssh -p 22 -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_rabbitmq_consumers $ARG1$'
}
define command{
command_name check_remote_swap
command_line /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_swap -w $ARG2$ -c $ARG3$'
}
define command {
command_name check_named_procs
command_line /usr/lib/nagios/plugins/check_procs -C $ARG1$ -w $ARG2$ -c $ARG3$
}
define command {
command_name check_remote_arg_string
command_line /usr/lib/nagios/plugins/check_by_ssh -p 22 -l nagios -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_procs -a "$ARG1$" -w $ARG2$ -c $ARG3$'
}
define command {
command_name check_fts_update_log
command_line /usr/lib/nagios/plugins/check_by_ssh -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_fts_update_log'
}
define command {
command_name check_pg_replication_lag
command_line /usr/lib/nagios/plugins/check_pg_replication_lag
}
define command {
command_name check_postgres_backup
command_line /usr/lib/nagios/plugins/check_by_ssh -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_postgres_backup'
}
define command {
command_name check_email_mirror
command_line /usr/lib/nagios/plugins/check_by_ssh -l zulip -t 30 -i /var/lib/nagios/.ssh/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_email_mirror'
}

Some files were not shown because too many files have changed in this diff Show More