From 57b78e1c4c5b7dcf18df805e037d0c469eecde80 Mon Sep 17 00:00:00 2001
From: Luis Buriola
Date: Tue, 4 Apr 2017 13:18:42 +0100
Subject: [PATCH 1/2] show_diff => false for postfix upstream to protect sasl password This is to avoid displaying the content of /etc/postfix/sasl_passwd on puppet client logs backup => false is also needed to prevent sensitive files from being saved on the clientbucket (usually /var/lib/puppet/clientbucket) This is useful in a situation where you have an encrypted /etc but /var is not encrypted
---
 manifests/dbfile.pp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/manifests/dbfile.pp b/manifests/dbfile.pp
index fd97201..c816f96 100644
--- a/manifests/dbfile.pp
+++ b/manifests/dbfile.pp
@@ -33,12 +33,14 @@ ) { file { "${postfixdir}/${title}":
- owner => $owner,
- group => $group,
- mode => $mode,
- content => $content,
- source => $source,
- ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => $mode,
+ content => $content,
+ source => $source,
+ ensure => $ensure,
+ show_diff => false,
+ backup => false,
 } if $ensure == 'absent' {
From e564a210a7a35fdcb65205abae341d100f3e2457 Mon Sep 17 00:00:00 2001
From: Luis Buriola
Date: Tue, 4 Apr 2017 14:38:35 +0100
Subject: [PATCH 2/2] More reliable way to manage ${postfixdir}/${title}.db https://github.com/thias/puppet-postfix/issues/113
---
 manifests/dbfile.pp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/dbfile.pp b/manifests/dbfile.pp
index c816f96..fa1ebe9 100644
--- a/manifests/dbfile.pp
+++ b/manifests/dbfile.pp
@@ -50,9 +50,9 @@ } else { exec { "${postmap} ${title}":
- cwd => $postfixdir,
- subscribe => File["${postfixdir}/${title}"],
- refreshonly => true,
+ cwd => $postfixdir,
+ subscribe => File["${postfixdir}/${title}"],
+ creates => "${postfixdir}/${title}.db",
 # No need to notify the service, since it detects changed files }
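Review bot: `show_diff => false` and `backup => false` are hard-coded on the `file` resource, so every map built through this define loses log diffs and filebucket backups, not only `sasl_passwd`; consider exposing them as define parameters, `show_diff => $show_diff,` and `backup => $backup,`, defaulting to `false` (the parameter list starts outside the hunk). These two attributes also do not cover every copy on disk: when the secret is passed through `content => $content` it remains in the compiled catalog, which the agent normally caches under its vardir, so the unencrypted-/var case from the commit message is only partly addressed. Delivering the secret through `source` instead keeps the text out of the catalog, and a short comment above the resource saying so would help the next maintainer.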
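Review bot: Replacing `refreshonly => true` with `creates` on the `exec` means postmap runs only while `${title}.db` is missing; as far as I know Puppet also evaluates `creates` when the `subscribe` refresh arrives, so a later change to the source map would no longer rebuild the database. For `sasl_passwd` that leaves the old credential in the `.db` after a rotation. A guard that compares timestamps keeps both behaviours, for example `unless => "test ${title}.db -nt ${title}",` together with a `path` for `test`, or keep the refreshonly exec and add a second one with `creates` for the missing-file case. The `.db` suffix in `creates` also assumes a hash or btree map type, and the enclosing `if`/`else` begins outside the hunk.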