author | Silvio Rhatto <rhatto@riseup.net> | 2017-10-23 19:42:32 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2017-10-23 19:42:32 -0200 |
commit | 1bfffe2e0adff6e44ec33726988b64f95ea2f599 (patch) | |
tree | faee925240714b633218448633c841f0de89dbe1 /templates/puppet/auth.conf.erb | |
parent | 5512c493e13998d4c83d7eab3d89e5a1c0836566 (diff) | |
Squashed 'puppet/' changes from 8f7043a..59b7f11
59b7f11 Rollback sshd::print_motd
29e15a3 Set sshd::print_motd to yes
8a13cb5 Post-receive: git submodule sync
d0d65d6 Ignore ssl, unignore modules
662bf5a Exclude also .git at provision_rsync_opts
745b98a Configure provision_rsync_opts at kvmxfile
1434057 Set default backupninja::keystore
36de179 Use scripts from /etc/puppet at kvmxfile provision_command
fe2d343 Fixes provision_command at kvmxfile
0a45a48 Use puppet hostname at kvmxfile
e3a3408 Updates kvmxfile
8648b94 Adds kvmxfile
07b03c2 Deploy: check for sudo config
c6414a8 Removes examples
6507997 Cleanup manifests
e867618 Fetch submodules using https
ee8938e Use projects.list on mrconfig
9e67e02 Support for compiled config
ceddd20 Cleanup TODO
6dad16a Adds modules folder
6f98b51 Updates hiera mount location
48f2491 Removes templates
319bdcb Cleanup modules folder
84516c6 Updates TODO
a43c2f9 Updates README
ca1735f Updates TODO
a67e9d4 TODO: vagrant issues
2838e86 Updates TODO
9662168 Updates TODO
afa676d Rename default box
58b18e5 Updates TODO
20858dc Updates TODO
cd876e6 Default eyaml extension
3645ef8 Adds eyaml backend into hiera config
158f12a Adds hiera-eyaml into DEVELOP_DEPENDENCIES
ec33fd1 Adds keys into .gitignore
490f2e2 Adds hiera-eyaml into DEPLOY_DEPENDENCIES
7d1fc96 Fix site_users inheritance
80088c7 Remove usb-utils from deployment dependencies
03764c2 Deploy: check for rsync
5eb3983 Updates git vhost
739c79f Test deployment without git reset
c8a14ca Preload HSTS
e096f08 Deploy: setup DEPLOY_DEPENDENCIES
0a4a8cc Config cleanup
ace1840 Do not install storedconfigs dependencies on provision
b83d85a Check for puppet.conf on provision
54c68a0 Default SSH config
56e4bea Updates TODO
51c1763 Comment wheezy dependencies specifics
3cc7d47 Removes key folder
41b8ef0 Fix deploy dependencies
64b8d70 Deploy dependencies, TODO update
6051509 Cleanup storedconfigs dependencies
1cf6e4b TODO ordering
9de3634 Updates TODO
2cf2a3b Drop pear
4048095 Get rid of storedconfigs
2eeb10b Updates TODO
e678885 Fix manifest lookup on deployment
9078cac Updates Vagrantfile with new config folder
0cb845b Updates TODO
b75d0f3 Rename 'hiera' to 'config'
ae7cfbd Updates TODO
28e3e25 Cleanup unused, old and broken submodules
deaf0de Updates TODO
c33d108 Updates TODO
15abd2e Removes post-update hook
8a14f6d Deploy: dependency: augeas-tools
c71aa65 Updates TODO
4c5f117 Development dependencies
73d6006 Deploy: dependencies in a single place
364912a Adds examples
85d41ce Hiera cleanup
e4d5f1b Updates TODO
08bd8b7 Deploy fixes
15c0293 TODO cleanup
51b910e Updates TODO
4580c2e Updates TODO
69d46bf More TODO cleanup
0c91d41 More TODO cleanup
cee91df More TODO cleanup
082c901 Updates TODO cleanup
d088390 Updates TODO
d721391 Updates TODO
6ec4ac1 Updates TODO
ebfed6b About collected resources patch
3529cff Updates TODO
701ed3b Removes post-update hook
4a684e7 Updates TODO
4b85c5e Updates TODO
b50dbb6 Removes icecast module
907ffde Deploy: support for default.pp
dc8de77 Cleanup proxy template
git-subtree-dir: puppet
git-subtree-split: 59b7f114e4db75aa3d134b8d2d8a3a36271f37d7
Diffstat (limited to 'templates/puppet/auth.conf.erb')
-rw-r--r-- | templates/puppet/auth.conf.erb | 120 |
1 files changed, 0 insertions, 120 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
deleted file mode 100644
index 96f078c..0000000
--- a/templates/puppet/auth.conf.erb
+++ /dev/null
@@ -1,120 +0,0 @@
-# This is the default auth.conf file, which implements the default rules
-# used by the puppet master. (That is, the rules below will still apply
-# even if this file is deleted.)
-#
-# The ACLs are evaluated in top-down order. More specific stanzas should
-# be towards the top of the file and more general ones at the bottom;
-# otherwise, the general rules may "steal" requests that should be
-# governed by the specific rules.
-#
-# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
-# description of auth.conf's behavior.
-#
-# Supported syntax:
-# Each stanza in auth.conf starts with a path to match, followed
-# by optional modifiers, and finally, a series of allow or deny
-# directives.
-#
-# Example Stanza
-# ---------------------------------
-# path /path/to/resource # simple prefix match
-# # path ~ regex # alternately, regex match
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|backreference|*|regex]
-# deny [host|backreference|*|regex]
-# allow_ip [ip|cidr|ip_wildcard|*]
-# deny_ip [ip|cidr|ip_wildcard|*]
-#
-# The path match can either be a simple prefix match or a regular
-# expression. `path /file` would match both `/file_metadata` and
-# `/file_content`. Regex matches allow the use of backreferences
-# in the allow/deny directives.
-#
-# The regex syntax is the same as for Ruby regex, and captures backreferences
-# for use in the `allow` and `deny` lines of that stanza
-#
-# Examples:
-#
-# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
-# allow * # Allow all authenticated nodes (since auth
-# # defaults to `yes`).
-#
-# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
-# allow $1 # certname), but not any other node's catalog.
-#
-# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
-# auth yes # access the "extra_files"
-# allow /^(.+)\.example\.com$/ # mount point; note this must
-# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
-# # since it is more specific.
-#
-# environment:: restrict an ACL to a comma-separated list of environments
-# method:: restrict an ACL to a comma-separated list of HTTP methods
-# auth:: restrict an ACL to an authenticated or unauthenticated request
-# the default when unspecified is to restrict the ACL to authenticated requests
-# (ie exactly as if auth yes was present).
-#
-
-### Authenticated ACLs - these rules apply only when the client
-### has a valid certificate and is thus authenticated
-
-# allow nodes to retrieve their own catalog
-path ~ ^/catalog/([^/]+)$
-method find
-allow $1
-
-# allow nodes to retrieve their own node definition
-path ~ ^/node/([^/]+)$
-method find
-allow $1
-
-# allow all nodes to access the certificates services
-path /certificate_revocation_list/ca
-method find
-allow *
-
-# allow all nodes to store their own reports
-path ~ ^/report/([^/]+)$
-method save
-allow $1
-
-# Allow all nodes to access all file services; this is necessary for
-# pluginsync, file serving from modules, and file serving from custom
-# mount points (see fileserver.conf). Note that the `/file` prefix matches
-# requests to both the file_metadata and file_content paths. See "Examples"
-# above if you need more granular access control for custom mount points.
-path /file
-allow *
-
-### Unauthenticated ACLs, for clients without valid certificates; authenticated
-### clients can also access these paths, though they rarely need to.
-
-# allow access to the CA certificate; unauthenticated nodes need this
-# in order to validate the puppet master's certificate
-path /certificate/ca
-auth any
-method find
-allow *
-
-# allow nodes to retrieve the certificate they requested earlier
-path /certificate/
-auth any
-method find
-allow *
-
-# allow nodes to request a new certificate
-path /certificate_request
-auth any
-method find, save
-allow *
-
-path /v2.0/environments
-method find
-allow *
-
-# deny everything else; this ACL is not strictly necessary, but
-# illustrates the default policy.
-path /
-auth any |