summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--puppet/auth.conf99
-rw-r--r--puppet/fileserver.conf7
-rw-r--r--puppet/hiera/bootstrap.yaml12
-rw-r--r--puppet/manifests/classes/users.pp33
-rw-r--r--puppet/puppet.conf30
5 files changed, 175 insertions, 6 deletions
diff --git a/puppet/auth.conf b/puppet/auth.conf
new file mode 100644
index 0000000..47740dc
--- /dev/null
+++ b/puppet/auth.conf
@@ -0,0 +1,99 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+# Allow authenticated nodes to retrieve their own catalogs:
+
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# Allow authenticated nodes to send reports:
+
+path /report
+method save
+allow *
+
+# Allow unauthenticated access to certificates:
+
+path /certificate/ca
+auth no
+method find
+allow *
+
+path /certificate/
+auth no
+method find
+allow *
+
+# Allow unauthenticated nodes to submit certificate signing requests:
+
+path /certificate_request
+auth no
+method find, save
+allow *
+
+# Deny all other requests:
+
+path /
+auth any
diff --git a/puppet/fileserver.conf b/puppet/fileserver.conf
new file mode 100644
index 0000000..e777078
--- /dev/null
+++ b/puppet/fileserver.conf
@@ -0,0 +1,7 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Files
+[files]
+ path /etc/puppet/files
+ allow *.vagrantup.com
diff --git a/puppet/hiera/bootstrap.yaml b/puppet/hiera/bootstrap.yaml
index ce72bfb..c4f6bca 100644
--- a/puppet/hiera/bootstrap.yaml
+++ b/puppet/hiera/bootstrap.yaml
@@ -16,15 +16,15 @@ bootstrap::base_domain: 'vagrantup.com'
# Root password.
#
# Use "mkpasswd -m sha-512" to generate root and first user's passwords.
-bootstrap::root::password: ''
+bootstrap::root::password: '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.'
#
# First user account
#
# Do not include "ssh-rsa " into the sshkey definition.
-bootstrap::first_user: ''
-bootstrap::first_user::password: ''
-bootstrap::first_user::sshkey: ''
+bootstrap::first_user: 'vagrant'
+bootstrap::first_user::password: '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB'
+bootstrap::first_user::sshkey: 'AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=='
bootstrap::first_user::email: ''
#
@@ -38,7 +38,7 @@ bootstrap:first_hostname: ''
bootstrap::first_nodes: false
# MySQL password
-mysql::server::rootpw: ''
+mysql::server::rootpw: 'hackme'
# Puppet master db password
-nodo::role::master::db_password: ''
+nodo::role::master::db_password: 'hackme'
diff --git a/puppet/manifests/classes/users.pp b/puppet/manifests/classes/users.pp
new file mode 100644
index 0000000..7ebc9a8
--- /dev/null
+++ b/puppet/manifests/classes/users.pp
@@ -0,0 +1,33 @@
+class users::virtual inherits user {
+ # define custom users here
+}
+
+class users::backup inherits user {
+ # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+ # Reprepro group needed for web nodes
+ #if !defined(Group["reprepro"]) {
+ # group { "reprepro":
+ # ensure => present,
+ # }
+ #}
+
+ # root user and password (default 'vagrant' passphrase)
+ user::manage { "root":
+ tag => "admin",
+ homedir => '/root',
+ password => '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.',
+ }
+
+ # first user config (default 'vagrant' passphrase and pubkey)
+ user::manage { "vagrant":
+ tag => "admin",
+ groups => [ "sudo", ],
+ password => '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB',
+ sshkey => [ "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==" ],
+ }
+
+}
diff --git a/puppet/puppet.conf b/puppet/puppet.conf
new file mode 100644
index 0000000..81c47ed
--- /dev/null
+++ b/puppet/puppet.conf
@@ -0,0 +1,30 @@
+[main]
+logdir = /var/log/puppet
+vardir = /var/lib/puppetmaster
+ssldir = $vardir/ssl
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
+
+[master]
+templatedir = $vardir/templates
+masterport = 8140
+autosign = false
+storeconfigs = true
+dbadapter = sqlite3
+#dbadapter = mysql
+#dbserver = localhost
+#dbuser = puppet
+#dbpassword = hackme
+dbconnections = 15
+certname = puppet.vagrantup.com
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
+
+[agent]
+server = puppet.vagrantup.com
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 7200
+puppetport = 8139
+configtimeout = 300