#30020: switch from our custom YAML implementation to Hiera
-------------------------------------------------+-------------------------
     Reporter:  anarcat                          |          Owner:  anarcat
         Type:  project                          |         Status:  assigned
     Priority:  Medium                           |      Milestone:
    Component:  Internal Services/Tor Sysadmin   |        Version:
                Team                             |
     Severity:  Normal                           |     Resolution:
     Keywords:                                   |  Actual Points:
    Parent ID:  #29387                           |         Points:
     Reviewer:                                   |        Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):

 site.pp is now mostly empty. All the `has_role` constructs are gone from
 there. Those two are gone as well:

 {{{
 HOST_ROLE_BACULA_DIRECTOR
 HOST_ROLE_BACULA_STORAGE
 }}}

 The trickiest part, surprisingly, was the little warning added to the motd.
 I've hacked something together using `update-motd.d` but I'm actually quite
 unhappy about it, because it doesn't display the same way that it did
 before. If the machines were all running buster, this wouldn't be a problem
 anymore because there's /etc/motd.d there, but we're probably stuck in
 stretch for a while. Since this is only for *three* machines, I think we
 can afford the little ugliness for now.

 {{{
 Linux build-arm-02 4.19.0-0.bpo.4-arm64 #1 SMP Debian 4.19.28-2~bpo9+1 (2019-03-27) aarch64

 Note that this host is _NOT_ being backed up.
 If you care about your data, run your own backups.

 This device is for authorized users only.

 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 Welcome to build-arm-02.torproject.org, used for the following services:

   buildbox
   porterbox

 If you use this as a porter/buildbox, you might find
 https://dsa.debian.org/doc/schroot/ helpful.
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

 Last login: Fri Apr 19 20:44:31 2019 from 95.216.141.241
 }}}

 I have also found HOST_TPO which is basically a list of the public IP of
 all TPO hosts, as taken from LDAP
 (`modules/puppetmaster/lib/puppet/parser/functions/allnodeinfo.rb`). So we
 can keep that macro for now until we decide about the overlap between LDAP
 and Hiera. The motd is similarly extracted mostly from stuff in LDAP and
 would benefit from such a refactoring as well.

 Anyways. Next up is the roles file, which has tons more fun stuff like this
 to clear out. :)

 Note that I've had answers to my earlier questions, somehow:

 1. I don't think there are any serious security issues with exported
 resources, the way they're set up. At worst a host might be able to push
 different firewall holes than expected. If we want to fix that issue, we
 can make new defines with hardcoded definitions that, when collected on
 hosts, will only poke the holes that are expected.

 2. It's just a copy-paste historical error, that I've made myself on other
 occasions.

 3. No solution to the NRPE `allowed_hosts` problem just yet, but I'm
 tempted to just use a hardcoded variable for now. This is what is used for
 `bacula::bacula_director_address` for example: it's hardcoded to
 `dictyotum.torproject.org`, so there's prior art to hardcoding stuff like
 that. Of course it would be hardcoded into hiera, not the class name,
 ideally...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30020#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
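The "define with hardcoded definitions" pattern from item 1 of the comment above, as an added illustration that is neither the ticket's nor the Tor sysadmin repository's code; the `tor_example::` names, the `firewall` resource and its parameters (puppetlabs-firewall style) and the NRPE port are assumptions:

```puppet
# Added example (hypothetical names). The idea: a node may only export a
# narrowly typed define whose chain, protocol and port are fixed in the
# define body. The exporting node controls nothing but the title (its own
# address), so a tampered catalog cannot push an arbitrary firewall hole;
# at most it claims a different source address for the expected NRPE hole.
define tor_example::nrpe_server_hole (
  String $monitor_ip = $title,
) {
  # Assumed puppetlabs-firewall style resource; dport is hardcoded on
  # purpose so the collector decides which hole is poked, not the exporter.
  firewall { "200 allow NRPE from ${monitor_ip}":
    proto  => 'tcp',
    dport  => 5666,
    source => $monitor_ip,
    action => 'accept',
  }
}

# Exporter side (the monitoring server): only the title is under its control.
class tor_example::nagios_server {
  @@tor_example::nrpe_server_hole { $facts['networking']['ip']:
    tag => 'nrpe-server',
  }
}

# Collector side (every monitored host): collect only this typed define,
# never a generic exported firewall rule that any node could shape freely.
class tor_example::nrpe_client {
  Tor_example::Nrpe_server_hole <<| tag == 'nrpe-server' |>>
}
```

A collector that gathers `Firewall <<| |>>` directly would accept whatever rule an exporter emitted; restricting collection to the typed define is what closes that gap.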
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs