aboutsummaryrefslogtreecommitdiff
path: root/templates/puppet
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2014-03-04 11:38:24 -0300
committerSilvio Rhatto <rhatto@riseup.net>2014-03-04 11:38:24 -0300
commit71e2d679d6757b9f7b6680468c4c6d6e3c42dcc6 (patch)
treeba38cef2d9f7aac04f5e333f65e6ba29eedd655b /templates/puppet
parente1db7cfa877187a2e711e1f6500e452cf24fa006 (diff)
downloadpuppet-bootstrap-71e2d679d6757b9f7b6680468c4c6d6e3c42dcc6.tar.gz
puppet-bootstrap-71e2d679d6757b9f7b6680468c4c6d6e3c42dcc6.tar.bz2
Initial config target
Diffstat (limited to 'templates/puppet')
-rw-r--r--templates/puppet/auth.conf.erb37
-rw-r--r--templates/puppet/fileserver.conf.erb20
-rw-r--r--templates/puppet/modules.pp.erb6
-rw-r--r--templates/puppet/puppet.conf.erb48
-rw-r--r--templates/puppet/site.pp.erb8
5 files changed, 50 insertions, 69 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
index 431e4b2..47740dc 100644
--- a/templates/puppet/auth.conf.erb
+++ b/templates/puppet/auth.conf.erb
@@ -45,34 +45,37 @@
# (ie exactly as if auth yes was present).
#
-### Authenticated ACL - those applies only when the client
-### has a valid certificate and is thus authenticated
+# Allow authenticated nodes to retrieve their own catalogs:
-# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
-# allow all nodes to access the certificates services
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
path /certificate_revocation_list/ca
method find
allow *
-# allow all nodes to store their reports
+# Allow authenticated nodes to send reports:
+
path /report
method save
allow *
-# inconditionnally allow access to all files services
-# which means in practice that fileserver.conf will
-# still be used
-path /file
-allow *
+# Allow unauthenticated access to certificates:
-### Unauthenticated ACL, for clients for which the current master doesn't
-### have a valid certificate
-
-# allow access to the master CA
path /certificate/ca
auth no
method find
@@ -83,12 +86,14 @@ auth no
method find
allow *
+# Allow unauthenticated nodes to submit certificate signing requests:
+
path /certificate_request
auth no
method find, save
allow *
-# this one is not stricly necessary, but it has the merit
-# to show the default policy which is deny everything else
+# Deny all other requests:
+
path /
auth any
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
index b8ad720..3046e96 100644
--- a/templates/puppet/fileserver.conf.erb
+++ b/templates/puppet/fileserver.conf.erb
@@ -1,17 +1,7 @@
-# top-level
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Files
[files]
path /etc/puppet/files
- allow *.<%= domain %>
-
-[keys]
- path /etc/puppet/files/keys
- allow *.<%= domain %>
-
-# modules
-[common]
- path /etc/puppet/modules/common/files
- allow *.<%= domain %>
-
-[puppet]
- path /etc/puppet/modules/puppet/files
- allow *.<%= domain %>
+ allow *.<%= base_domain %>
diff --git a/templates/puppet/modules.pp.erb b/templates/puppet/modules.pp.erb
deleted file mode 100644
index 3df3fe3..0000000
--- a/templates/puppet/modules.pp.erb
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# Module definitions.
-#
-
-# Nodo automatically import all modules we need.
-import "nodo"
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
index 72306a2..2ebfc9e 100644
--- a/templates/puppet/puppet.conf.erb
+++ b/templates/puppet/puppet.conf.erb
@@ -1,29 +1,29 @@
[main]
-rundir = /var/run/puppet
-logdir = /var/log/puppet
-vardir = /var/lib/puppetmaster
-ssldir = $vardir/ssl
-factpath = $vardir/lib/facter
-pluginsync = true
+logdir = /var/log/puppet
+vardir = /var/lib/puppetmaster
+ssldir = $vardir/ssl
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
[master]
-vardir = /var/lib/puppet
-templatedir = $vardir/templates
-autosign = false
-certname = puppet.<%= domain%>
-#storeconfigs = true
-#dbadapter = mysql
-#dbserver = localhost
-#dbuser = puppet
-#dbpassword =
-#dbconnections = 15
-
-# Needed by mongrel
-ssl_client_header = HTTP_X_SSL_SUBJECT
+templatedir = $vardir/templates
+masterport = 8140
+autosign = false
+storeconfigs = true
+dbadapter = mysql
+dbserver = localhost
+dbuser = puppet
+dbpassword = <%= storeconfigs_pw %>
+dbconnections = 15
+certname = puppet.<%= base_domain %>
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
-server = puppet.<%= domain%>
-vardir = /var/lib/puppet
-ssldir = $vardir/ssl
-runinterval = 1800
-puppetport = 8139
+server = puppet.<%= base_domain %>
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 7200
+puppetport = 8139
+configtimeout = 300
diff --git a/templates/puppet/site.pp.erb b/templates/puppet/site.pp.erb
deleted file mode 100644
index 6f3e5aa..0000000
--- a/templates/puppet/site.pp.erb
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Puppet site configuration.
-#
-
-import "classes/users.pp"
-import "classes/websites.pp"
-import "modules.pp"
-import "nodes.pp"