Jeremy T. Bouse jbouse

@ahpook
ahpook / gist:1182243
Created August 30, 2011 22:14
Use a generic client certificate with puppet

The problem

There's enough trouble with puppet's ssl model (mandatory client certs) that people go and do odd things to get around it. The primary problem is that for lab/preproduction environments, if you reinstall machines frequently, you lose access to the private key that generated the original cert but (absent some puppet cert --clean [node] operation) the cert still exists, leading to the dreaded Retrieved certificate doesn't match private key error.

A solution

Generate a single client certificate which all your nodes use, and have the master determine node names from facter rather than the SSL DN. This way you can re-install nodes with impunity and as long as your bootstrap plops down the correct config and the cert+key, you don't have any more SSL issues.

The caveats

If you have autosign turned on, this change represents a shift in security tradeoffs: you can turn off autosign and therefore more tightly control which clients can talk to your server because they need to have your clie
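As an added example (not code from the gist), a bootstrap snippet for the setup the gist describes: the agent presents one pre-generated certificate under a fixed certname, and the master takes the node name from facts instead of the certificate subject (`node_name = facter`). The certname `generic-agent`, the confdir paths and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: bootstrap an agent with a shared
# ("generic") client certificate and tell the master to derive node names
# from facts rather than from the certificate CN.
# Assumed paths and names; adjust to your layout.

# write_agent_conf CONFDIR CERTNAME
# Every node presents the same certname, so auth.conf rules that key on the
# certificate name can no longer tell nodes apart; identity now rests on facts.
write_agent_conf() {
    local confdir="$1" certname="$2"
    mkdir -p "$confdir"
    cat > "$confdir/puppet.conf" <<EOF
[agent]
    certname = $certname
    ssldir   = $confdir/ssl
EOF
}

# install_shared_cert CONFDIR CERTNAME CERT_PEM KEY_PEM CA_PEM
# Drops the pre-generated cert, key and CA where the agent looks for them.
# The key is root-only: whoever holds it can impersonate every node.
install_shared_cert() {
    local confdir="$1" certname="$2" cert="$3" key="$4" ca="$5"
    mkdir -p "$confdir/ssl/certs" "$confdir/ssl/private_keys"
    install -m 0644 "$cert" "$confdir/ssl/certs/$certname.pem"
    install -m 0644 "$ca"   "$confdir/ssl/certs/ca.pem"
    install -m 0600 "$key"  "$confdir/ssl/private_keys/$certname.pem"
}

# write_master_conf CONFDIR
# node_name = facter: the master uses the hostname the agent reports in its
# facts for node classification instead of the certificate subject.
write_master_conf() {
    local confdir="$1"
    mkdir -p "$confdir"
    cat > "$confdir/puppet.conf" <<EOF
[master]
    node_name = facter
EOF
}
```

Because node identity is now fact-asserted, any host holding the shared cert and key can claim any node name; treat the bootstrap material as a secret and keep this pattern to the lab and preproduction environments the gist has in mind.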

@stigkj
stigkj / git-fix-author
Created December 9, 2011 11:13 — forked from leif81/git_fix_author
Written to change the unix name used for a cvs commit to a pretty git name for the user. Implementation borrowed from http://lists.freedesktop.org/archives/portland/2010-October.txt. author-conv-file format (same format as git-cvsimport requires):
#!/bin/bash
#
# Changes author and committer name and email throughout the whole repository.
# Uses a file with the following format:
#
# john.doe@hotmail.com=John Doe <john.doe@hotmail.com>
# jill.doe@hotmail.com=Jill Doe <jill.doe@hotmail.com>
#
if [ ! -e "$1" ]
@troystribling
troystribling / ebs_snap.rb
Created December 30, 2011 16:57
Take snaps of EBS volumes with Fog
#!/usr/bin/env ruby
require 'rubygems'
require 'yaml'   # needed for YAML.load below
require 'fog'
# both inputs are YAML files named on the command line
config = YAML.load(File.read(ARGV[0]))
volumes_to_snap = YAML.load(File.read(ARGV[1]))
time = Time.now
puts "\nCreating snaps #{time.to_s}"
@piscisaureus
piscisaureus / pr.md
Created August 13, 2012 16:12
Checkout github pull requests locally

Locate the section for your github remote in the .git/config file. It looks like this:

[remote "origin"]
	fetch = +refs/heads/*:refs/remotes/origin/*
	url = git@github.com:joyent/node.git

Now add the line fetch = +refs/pull/*/head:refs/remotes/origin/pr/* to this section. Obviously, change the github url to match your project's URL. It ends up looking like this:
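As an added example (not part of the gist), the same refspec added with `git config` instead of hand-editing `.git/config`, written so that running it twice does not duplicate the line, plus a small checkout helper. The function names and the `pr-NUMBER` branch naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: add the pull-request refspec to a remote
# idempotently and check out a PR by number.

# add_pr_refspec [REMOTE] [REPO_DIR]
# Adds +refs/pull/*/head:refs/remotes/REMOTE/pr/* to REMOTE's fetch refspecs
# unless it is already present.
add_pr_refspec() {
    local remote="${1:-origin}" dir="${2:-.}" spec
    spec="+refs/pull/*/head:refs/remotes/$remote/pr/*"
    if git -C "$dir" config --get-all "remote.$remote.fetch" | grep -qxF -- "$spec"; then
        return 0
    fi
    git -C "$dir" config --add "remote.$remote.fetch" "$spec"
}

# checkout_pr NUMBER [REMOTE] [REPO_DIR]
# Fetches REMOTE and checks out pull request NUMBER as local branch pr-NUMBER.
# NUMBER must be digits only so nothing else ends up in the ref name.
checkout_pr() {
    local num="$1" remote="${2:-origin}" dir="${3:-.}"
    case $num in
        ''|*[!0-9]*) echo "usage: checkout_pr NUMBER [REMOTE] [REPO_DIR]" >&2; return 2 ;;
    esac
    git -C "$dir" fetch "$remote" &&
    git -C "$dir" checkout -b "pr-$num" "$remote/pr/$num"
}
```

Keep in mind that `refs/pull/*/head` is contributor-controlled: a checked-out PR is untrusted code, so build and run it with the same care as any patch from a stranger.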

@UtahDave
UtahDave / saltsample_09252012_01
Created September 26, 2012 02:54 — forked from l2ol33rt/saltsample_09252012_01
Saltstack sample of using states and pillars for users
Here is a sample of how I am currently dealing with users.
Big thanks to uggedal! I used his user states as an example: https://github.com/uggedal/states
###
# How to create password hashes
###
# print() works under Python 2 and 3; use a fresh random salt per password rather than a fixed one
python -c "import crypt; print(crypt.crypt('password', '\$6\$SALTsalt\$'))"
###
@bodgit
bodgit / ES master node
Last active August 29, 2015 13:58
Elasticsearch configuration for EC2 cluster with remote tribe node
### MANAGED BY PUPPET ###
---
action:
  auto_create_index: +logstash-*,-*
bootstrap:
  mlockall: true
cloud:
  aws:
    access_key: abc123
    region: ap-southeast-2
@kylemanna
kylemanna / sa-learn-pipe.sh
Created May 7, 2014 07:38
Dovecot script for dovecot-antispam plugin for automatic amavis + spamassassin learning.
#!/bin/bash
#
# Wrapper script for dovecot-antispam without using temporary files
# Look mom, no temporary files!
#
# Security is provided by locking the vmail user (dovecot-imap/antispam)
# down so that it can only run this script via the sudoers line. The script
# checks its arguments to stay safe. Log everything to syslog and return
# intelligent codes.
#
# sudoers:
@sigmaris
sigmaris / file deleted
Last active July 12, 2019 12:56
Deleted Gist
@solusipse
solusipse / 01_postfix_installer.md
Last active October 25, 2023 20:34
Postfix + Dovecot + Postgresql + Postfixadmin + Roundcube

Postfix Installer

The following script may be used to configure a complete and secure email server on a fresh install of Debian 7. It will probably work on other distributions using apt-get. After minor changes you'll be able to use it on other Linux distros.

Usage

  1. Run postfix.sh script.
  2. Configure postgres to allow connections.
  3. Configure postfix admin. Remember to set these:
@paskal
paskal / site.conf
Last active April 27, 2024 00:55 — forked from plentz/nginx.conf
Nginx configuration for best security and modest performance. Full info on https://terrty.net/2014/ssl-tls-in-nginx/
# read more at https://terrty.net/2014/ssl-tls-in-nginx/
# latest version on https://gist.github.com/paskal/628882bee1948ef126dd/126e4d1daeb5244aacbbd847c5247c2e293f6adf
# security test score: https://www.ssllabs.com/ssltest/analyze.html?d=terrty.net
# your nginx version might not have all directives included, test this configuration before using in production against your nginx:
# $ nginx -c /etc/nginx/nginx.conf -t
server {
# public key, contains your public key and class 1 certificate, to create:
# (example for startssl; run cat and wget in sequence so your certificate comes first, followed by the intermediate)
# $ (cat example.com.pem; wget -O - https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem) | tee -a /etc/nginx/ssl/domain.pem > /dev/null