### MANAGED BY PUPPET ###
---
action:
  auto_create_index: +logstash-*,-*
bootstrap:
  mlockall: true
cloud:
  aws:
    access_key: abc123
    region: ap-southeast-2
#!/usr/bin/env ruby
require 'rubygems'
require 'yaml'   # needed for YAML.load below
require 'fog'

# First argument: path to the YAML config (cloud credentials etc.);
# second argument: path to the YAML list of volumes to snapshot.
config = YAML.load(File.read(ARGV[0]))
volumes_to_snap = YAML.load(File.read(ARGV[1]))

time = Time.now
puts "\nCreating snaps #{time.to_s}"
sks_build:
  cmd.run:
    - name: /usr/sbin/sks build {{ sks.datadir }}/dump/*.pgp -n 2 -cache 50
    - creates: {{ sks.datadir }}/DB/key
    - user: {{ sks.user }}
    - require:
      - pkg: sks
sks_build_done:
  file.exists:
There's enough trouble with puppet's SSL model (mandatory client certs) that people go and do odd things to get around it. The primary problem is that for lab/preproduction environments, if you reinstall machines frequently, you lose access to the private key that generated the original cert, but (absent some `puppet cert --clean [node]` operation) the cert still exists on the master, leading to the dreaded "Retrieved certificate doesn't match private key" error.
Generate a single client certificate which all your nodes use, and have the master determine node names from facter rather than the SSL DN. This way you can re-install nodes with impunity and as long as your bootstrap plops down the correct config and the cert+key, you don't have any more SSL issues.
If you have autosign turned on, this change represents a shift in security tradeoffs: you can turn off autosign and therefore more tightly control which clients can talk to your server because they need to have your clie
# Sources:
# https://cloudonaut.io/how-to-create-a-customized-cloudwatch-dashboard-with-cloudformation/
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html
# https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/ECS.html
Resources:
  CustomTaskDefinition:
    Type: 'Custom::TaskDefinition'
    Version: '1.0'
    Properties:
#!/bin/bash
#
# Wrapper script for dovecot-antispam without using temporary files
# Look mom, no temporary files!
#
# Security is provided by locking the vmail user (dovecot-imap/antispam) to
# only run this script via the sudoers line. The script checks arguments
# to stay safe. Log everything to syslog and return intelligent codes.
#
# sudoers:
// define the bitbucket project + repos we want to build
def bitbucket_project = 'myproj'
def bitbucket_repos = ['myrepo1', 'myrepo2']

// create a pipeline job for each of the repos and for each feature branch.
for (bitbucket_repo in bitbucket_repos)
{
    multibranchPipelineJob("${bitbucket_repo}-ci") {
        // configure the branch / PR sources
        branchSources {
// define the bitbucket project + repos we want to build
def bitbucket_project = 'awesome'
def bitbucket_repos = ['foo', 'bar', 'baz']

// create a pipeline job for each of the repos and for each feature branch.
for (bitbucket_repo in bitbucket_repos)
{
    multibranchPipelineJob("${bitbucket_repo}-ci") {
        // configure the branch / PR sources
        branchSources {