diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2014-09-18 12:55:40 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2014-09-18 12:55:40 -0300 |
commit | 89bcdaf1cbbaa1f0fa28b08eb4e350fdb1e40b1f (patch) | |
tree | 067f4c4ced7ef70aaa76c23609cf95909a61042f | |
parent | 84baf3dfea376e4b35156acc682f93bfae7e23eb (diff) | |
download | debian-89bcdaf1cbbaa1f0fa28b08eb4e350fdb1e40b1f.tar.gz debian-89bcdaf1cbbaa1f0fa28b08eb4e350fdb1e40b1f.tar.bz2 |
Puppet configuration
-rw-r--r-- | puppet/auth.conf | 99 | ||||
-rw-r--r-- | puppet/fileserver.conf | 7 | ||||
-rw-r--r-- | puppet/hiera/bootstrap.yaml | 12 | ||||
-rw-r--r-- | puppet/manifests/classes/users.pp | 33 | ||||
-rw-r--r-- | puppet/puppet.conf | 30 |
5 files changed, 175 insertions, 6 deletions
diff --git a/puppet/auth.conf b/puppet/auth.conf new file mode 100644 index 0000000..47740dc --- /dev/null +++ b/puppet/auth.conf @@ -0,0 +1,99 @@ +# This is an example auth.conf file, it mimics the puppetmasterd defaults +# +# The ACL are checked in order of appearance in this file. +# +# Supported syntax: +# This file supports two different syntax depending on how +# you want to express the ACL. +# +# Path syntax (the one used below): +# --------------------------------- +# path /path/to/resource +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|ip|*] +# deny [host|ip] +# +# The path is matched as a prefix. That is /file match at +# the same time /file_metadat and /file_content. +# +# Regex syntax: +# ------------- +# This one is differenciated from the path one by a '~' +# +# path ~ regex +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|ip|*] +# deny [host|ip] +# +# The regex syntax is the same as ruby ones. +# +# Ex: +# path ~ .pp$ +# will match every resource ending in .pp (manifests files for instance) +# +# path ~ ^/path/to/resource +# is essentially equivalent to path /path/to/resource +# +# environment:: restrict an ACL to a specific set of environments +# method:: restrict an ACL to a specific set of methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# + +# Allow authenticated nodes to retrieve their own catalogs: + +path ~ ^/catalog/([^/]+)$ +method find +allow $1 + +# allow nodes to retrieve their own node definition + +path ~ ^/node/([^/]+)$ +method find +allow $1 + +# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted: + +path /file +allow * + +# Allow authenticated nodes to access the certificate revocation list: + +path /certificate_revocation_list/ca +method find +allow * + +# Allow authenticated nodes to send reports: + +path /report +method save +allow * + +# Allow unauthenticated access to certificates: + +path /certificate/ca +auth no +method find +allow * + +path /certificate/ +auth no +method find +allow * + +# Allow unauthenticated nodes to submit certificate signing requests: + +path /certificate_request +auth no +method find, save +allow * + +# Deny all other requests: + +path / +auth any diff --git a/puppet/fileserver.conf b/puppet/fileserver.conf new file mode 100644 index 0000000..e777078 --- /dev/null +++ b/puppet/fileserver.conf @@ -0,0 +1,7 @@ +# This file consists of arbitrarily named sections/modules +# defining where files are served from and to whom + +# Files +[files] + path /etc/puppet/files + allow *.vagrantup.com diff --git a/puppet/hiera/bootstrap.yaml b/puppet/hiera/bootstrap.yaml index ce72bfb..c4f6bca 100644 --- a/puppet/hiera/bootstrap.yaml +++ b/puppet/hiera/bootstrap.yaml @@ -16,15 +16,15 @@ bootstrap::base_domain: 'vagrantup.com' # Root password. # # Use "mkpasswd -m sha-512" to generate root and first user's passwords. -bootstrap::root::password: '' +bootstrap::root::password: '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.' # # First user account # # Do not include "ssh-rsa " into the sshkey definition. -bootstrap::first_user: '' -bootstrap::first_user::password: '' -bootstrap::first_user::sshkey: '' +bootstrap::first_user: 'vagrant' +bootstrap::first_user::password: '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB' +bootstrap::first_user::sshkey: 'AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==' bootstrap::first_user::email: '' # @@ -38,7 +38,7 @@ bootstrap:first_hostname: '' bootstrap::first_nodes: false # MySQL password -mysql::server::rootpw: '' +mysql::server::rootpw: 'hackme' # Puppet master db password -nodo::role::master::db_password: '' +nodo::role::master::db_password: 'hackme' diff --git a/puppet/manifests/classes/users.pp b/puppet/manifests/classes/users.pp new file mode 100644 index 0000000..7ebc9a8 --- /dev/null +++ b/puppet/manifests/classes/users.pp @@ -0,0 +1,33 @@ +class users::virtual inherits user { + # define custom users here +} + +class users::backup inherits user { + # define third-party hosted backup users here +} + +class users::admin inherits user { + + # Reprepro group needed for web nodes + #if !defined(Group["reprepro"]) { + # group { "reprepro": + # ensure => present, + # } + #} + + # root user and password (default 'vagrant' passphrase) + user::manage { "root": + tag => "admin", + homedir => '/root', + password => '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.', + } + + # first user config (default 'vagrant' passphrase and pubkey) + user::manage { "vagrant": + tag => "admin", + groups => [ "sudo", ], + password => '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB', + sshkey => [ "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==" ], + } + +} diff --git a/puppet/puppet.conf b/puppet/puppet.conf new file mode 100644 index 0000000..81c47ed --- /dev/null +++ b/puppet/puppet.conf @@ -0,0 +1,30 @@ +[main] +logdir = /var/log/puppet +vardir = /var/lib/puppetmaster +ssldir = $vardir/ssl +rundir = /var/run/puppet +factpath = $vardir/lib/facter +pluginsync = true + +[master] +templatedir = $vardir/templates +masterport = 8140 +autosign = false +storeconfigs = true +dbadapter = sqlite3 +#dbadapter = mysql +#dbserver = localhost +#dbuser = puppet +#dbpassword = hackme +dbconnections = 15 +certname = puppet.vagrantup.com +ssl_client_header = SSL_CLIENT_S_DN +ssl_client_verify_header = SSL_CLIENT_VERIFY + +[agent] +server = puppet.vagrantup.com +vardir = /var/lib/puppet +ssldir = $vardir/ssl +runinterval = 7200 +puppetport = 8139 +configtimeout = 300 |