From 89bcdaf1cbbaa1f0fa28b08eb4e350fdb1e40b1f Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Thu, 18 Sep 2014 12:55:40 -0300
Subject: Puppet configuration

---
 puppet/auth.conf                  | 99 +++++++++++++++++++++++++++++++++++++++
 puppet/fileserver.conf            |  7 +++
 puppet/hiera/bootstrap.yaml       | 12 ++---
 puppet/manifests/classes/users.pp | 33 +++++++++++++
 puppet/puppet.conf                | 30 ++++++++++++
 5 files changed, 175 insertions(+), 6 deletions(-)
 create mode 100644 puppet/auth.conf
 create mode 100644 puppet/fileserver.conf
 create mode 100644 puppet/manifests/classes/users.pp
 create mode 100644 puppet/puppet.conf

(limited to 'puppet')

diff --git a/puppet/auth.conf b/puppet/auth.conf
new file mode 100644
index 0000000..47740dc
--- /dev/null
+++ b/puppet/auth.conf
@@ -0,0 +1,99 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+# Allow authenticated nodes to retrieve their own catalogs:
+
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# Allow authenticated nodes to send reports:
+
+path /report
+method save
+allow *
+
+# Allow unauthenticated access to certificates:
+
+path /certificate/ca
+auth no
+method find
+allow *
+
+path /certificate/
+auth no
+method find
+allow *
+
+# Allow unauthenticated nodes to submit certificate signing requests:
+
+path /certificate_request
+auth no
+method find, save
+allow *
+
+# Deny all other requests:
+
+path /
+auth any
diff --git a/puppet/fileserver.conf b/puppet/fileserver.conf
new file mode 100644
index 0000000..e777078
--- /dev/null
+++ b/puppet/fileserver.conf
@@ -0,0 +1,7 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Files
+[files]
+  path /etc/puppet/files
+  allow *.vagrantup.com
diff --git a/puppet/hiera/bootstrap.yaml b/puppet/hiera/bootstrap.yaml
index ce72bfb..c4f6bca 100644
--- a/puppet/hiera/bootstrap.yaml
+++ b/puppet/hiera/bootstrap.yaml
@@ -16,15 +16,15 @@ bootstrap::base_domain: 'vagrantup.com'
 # Root password.
 #
 # Use "mkpasswd -m sha-512" to generate root and first user's passwords.
-bootstrap::root::password: ''
+bootstrap::root::password: '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.'
 
 #
 # First user account
 #
 # Do not include "ssh-rsa " into the sshkey definition.
-bootstrap::first_user:           ''
-bootstrap::first_user::password: ''
-bootstrap::first_user::sshkey:   ''
+bootstrap::first_user:           'vagrant'
+bootstrap::first_user::password: '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB'
+bootstrap::first_user::sshkey:   'AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=='
 bootstrap::first_user::email:    ''
 
 #
@@ -38,7 +38,7 @@ bootstrap:first_hostname: ''
 bootstrap::first_nodes:   false
 
 # MySQL password
-mysql::server::rootpw: ''
+mysql::server::rootpw: 'hackme'
 
 # Puppet master db password
-nodo::role::master::db_password: ''
+nodo::role::master::db_password: 'hackme'
diff --git a/puppet/manifests/classes/users.pp b/puppet/manifests/classes/users.pp
new file mode 100644
index 0000000..7ebc9a8
--- /dev/null
+++ b/puppet/manifests/classes/users.pp
@@ -0,0 +1,33 @@
+class users::virtual inherits user {
+  # define custom users here
+}
+
+class users::backup inherits user {
+  # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+  # Reprepro group needed for web nodes
+  #if !defined(Group["reprepro"]) {
+  #  group { "reprepro":
+  #    ensure => present,
+  #  }
+  #}
+
+  # root user and password (default 'vagrant' passphrase)
+  user::manage { "root":
+    tag      => "admin",
+    homedir  => '/root',
+    password => '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.',
+  }
+
+  # first user config (default 'vagrant' passphrase and pubkey)
+  user::manage { "vagrant":
+    tag      => "admin",
+    groups   => [ "sudo", ],
+    password => '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB',
+    sshkey   => [ "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==" ],
+  }
+
+}
diff --git a/puppet/puppet.conf b/puppet/puppet.conf
new file mode 100644
index 0000000..81c47ed
--- /dev/null
+++ b/puppet/puppet.conf
@@ -0,0 +1,30 @@
+[main]
+logdir                   = /var/log/puppet
+vardir                   = /var/lib/puppetmaster
+ssldir                   = $vardir/ssl
+rundir                   = /var/run/puppet
+factpath                 = $vardir/lib/facter
+pluginsync               = true
+
+[master]
+templatedir              = $vardir/templates
+masterport               = 8140
+autosign                 = false
+storeconfigs             = true
+dbadapter                = sqlite3
+#dbadapter                = mysql
+#dbserver                 = localhost
+#dbuser                   = puppet
+#dbpassword               = hackme
+dbconnections            = 15
+certname                 = puppet.vagrantup.com
+ssl_client_header        = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
+
+[agent]
+server                   = puppet.vagrantup.com
+vardir                   = /var/lib/puppet
+ssldir                   = $vardir/ssl
+runinterval              = 7200
+puppetport               = 8139
+configtimeout            = 300
-- 
cgit v1.2.3