authorSilvio Rhatto <rhatto@riseup.net>2014-03-03 12:42:30 -0300
committerSilvio Rhatto <rhatto@riseup.net>2014-03-03 12:42:30 -0300
commit2620433e249304c88bf2f177939ae5be61d6cfc0 (patch)
tree43bfedc8d7eb35be6d5b2e72cbe044a281ea8ae4
parentffe412186527dec2db439db47888f4b1b62ccc5f (diff)
downloadpuppet-bootstrap-2620433e249304c88bf2f177939ae5be61d6cfc0.tar.gz
puppet-bootstrap-2620433e249304c88bf2f177939ae5be61d6cfc0.tar.bz2
Adding missing puppetmaster configs
-rw-r--r--auth.conf100
-rw-r--r--fileserver.conf17
l---------hiera.yaml1
-rw-r--r--puppet.conf26
4 files changed, 144 insertions, 0 deletions
diff --git a/auth.conf b/auth.conf
new file mode 100644
index 0000000..92aae26
--- /dev/null
+++ b/auth.conf
@@ -0,0 +1,100 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACL - those applies only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog (ie their configuration)
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
+method save
+allow $1
+
+# inconditionnally allow access to all files services
+# which means in practice that fileserver.conf will
+# still be used
+path /file
+allow *
+
+### Unauthenticated ACL, for clients for which the current master doesn't
+### have a valid certificate; we allow authenticated users, too, because
+### there isn't a great harm in letting that request through.
+
+# allow access to the master CA
+path /certificate/ca
+auth any
+method find
+allow *
+
+path /certificate/
+auth any
+method find
+allow *
+
+path /certificate_request
+auth any
+method find, save
+allow *
+
+# this one is not stricly necessary, but it has the merit
+# to show the default policy which is deny everything else
+path /
+auth any
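Review bot: The ACL at `path /file` / `allow *` restricts neither `method` nor hosts, so every node holding a valid certificate reaches every file mount and access to file contents then rests entirely on fileserver.conf — whose `[files]` mount in this same commit has all of its `allow` lines commented out. That matches the comment above it, but the file opens with `# This is an example auth.conf file, it mimics the puppetmasterd defaults`, which reads as a sample rather than the policy this master will enforce. I would change that first line to something like `# auth.conf for this puppetmaster; ACLs follow the stock defaults, file access is delegated to fileserver.conf` and add above `path /file`: `# no method restriction: any authenticated node may read any mount that fileserver.conf allows`. The closing `path /` / `auth any` entry denies by omitting `allow`, as the comment before it says; a reader unfamiliar with this format may miss that, so `# no allow line: everything not matched above is denied` would make it explicit.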
diff --git a/fileserver.conf b/fileserver.conf
new file mode 100644
index 0000000..4b663e4
--- /dev/null
+++ b/fileserver.conf
@@ -0,0 +1,17 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Define a section 'files'
+# Adapt the allow/deny settings to your needs. Order
+# for allow/deny does not matter, allow always takes precedence
+# over deny
+[files]
+ path /etc/puppet/files
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
+
+#[plugins]
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
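Review bot: The `[files]` mount keeps `path /etc/puppet/files` but every `allow` line under it is commented out (`# allow *.example.com`, `# allow 192.168.0.0/24`), so if the file server denies by default — my understanding of Puppet's fileserver, confirm for the release in use — no agent can fetch from this mount and `puppet:///files/...` sources will fail. Either uncomment one `allow` scoped to the agents' domain or subnet, or say in a comment that the mount is intentionally closed until it is populated. The `path` line also carries a leading space (` path /etc/puppet/files`) unlike every other line in the file; writing it flush left avoids relying on the parser tolerating indentation. The stock `# allow always takes precedence over deny` wording is worth checking against the docs for the target version before any `deny *.evil.example.com` style rule is relied on.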
diff --git a/hiera.yaml b/hiera.yaml
new file mode 120000
index 0000000..5230565
--- /dev/null
+++ b/hiera.yaml
@@ -0,0 +1 @@
+hiera/hiera.yaml
\ No newline at end of file
diff --git a/puppet.conf b/puppet.conf
new file mode 100644
index 0000000..cc3dcd4
--- /dev/null
+++ b/puppet.conf
@@ -0,0 +1,26 @@
+[main]
+logdir = /var/log/puppet
+vardir = /var/lib/puppetmaster
+ssldir = $vardir/ssl
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
+
+[master]
+templatedir = $vardir/templates
+masterport = 8140
+autosign = false
+storeconfigs = true
+dbadapter = mysql
+dbserver = localhost
+dbuser = puppet
+dbpassword = CHANGEME!
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
+
+[agent]
+server = puppet.example.org
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 7200
+puppetport = 8139
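Review bot: `dbpassword = CHANGEME!` commits a placeholder database credential into version control next to `dbuser = puppet` and `dbserver = localhost`; deployed as-is the master starts with a known password for the storeconfigs database, and if the line is later edited in place the real secret ends up in git history. Keep the value out of the tracked file (a deploy-time template or a locally generated fragment that puppet.conf is assembled from) and document it above the key: `# dbpassword: injected at deploy time, never commit the real value`. The `ssl_client_header` / `ssl_client_verify_header` pair in `[master]` only has effect when the master sits behind a TLS-terminating front end that sets those headers; a one-line comment stating that assumption would help, and it should be confirmed that this is the intended deployment. `vardir` and `ssldir` are set in both `[main]` and `[agent]` with different values (`/var/lib/puppetmaster` vs `/var/lib/puppet`); a comment saying the split is deliberate would stop a later reader from "fixing" it.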