-rw-r--r--Makefile6
-rw-r--r--TODO.md1
-rw-r--r--auth.conf100
-rw-r--r--fileserver.conf17
-rw-r--r--manifests/classes/configurator.pp232
-rw-r--r--manifests/classes/default_conf.pp296
-rw-r--r--puppet.conf26
-rw-r--r--templates/puppet/auth.conf.erb37
-rw-r--r--templates/puppet/fileserver.conf.erb20
-rw-r--r--templates/puppet/modules.pp.erb6
-rw-r--r--templates/puppet/puppet.conf.erb48
-rw-r--r--templates/puppet/site.pp.erb8
12 files changed, 287 insertions, 510 deletions
diff --git a/Makefile b/Makefile
index 7971008..4b491a7 100644
--- a/Makefile
+++ b/Makefile
@@ -15,6 +15,7 @@
#
REPO = git://git.sarava.org/puppet-bootstrap.git
+CWD = $(shell pwd)
all: clean remote modules
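Review bot: `CWD = $(shell pwd)` on the added line uses the recursive `=` flavour, so `pwd` is forked again every time `$(CWD)` is expanded, which is once per recipe that references it. GNU make already exposes the absolute working directory as the built-in `$(CURDIR)`, so `CWD := $(CURDIR)` (or `$(CURDIR)` directly in the recipes) gives the same value with no shell call. If the variable is kept as a shell call, at least make it simply expanded with `:=`.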
@@ -31,7 +32,10 @@ remote:
git remote add bootstrap $(REPO)
config:
- @echo "TODO: not implemented :("
+ FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --hiera-config=hiera.yaml --modulepath=modules manifests/classes/configurator.pp
+
+apply:
+ FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --hiera-config=hiera.yaml --modulepath=modules manifests/$(stage).pp
clean:
rm -rf modules
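Review bot: The new `apply` target interpolates `$(stage)` unguarded, so a plain `make apply` runs `puppet apply … manifests/.pp` and fails with an error from puppet rather than a clear one from make; a guard as the first recipe line, `$(if $(strip $(stage)),,$(error stage is not set: make apply stage=<name>))`, stops it before anything runs. `config` and `apply` (like `clean` and `all`) are command names rather than files, and no `.PHONY` declaration is visible in this hunk — if the rest of the Makefile has none, a file named `apply` or `config` in the checkout would make these targets silently "up to date". The `clean` rule's `rm -rf modules` follows the hunk but its recipe may continue outside it.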
diff --git a/TODO.md b/TODO.md
index 92fbb00..6156bad 100644
--- a/TODO.md
+++ b/TODO.md
@@ -4,4 +4,3 @@ TODO
* Make `config` target:
* Moving from `config.pp` to hiera.
* Refactoring and `default_conf.pp`.
- * Configuration should be generated directly into the repository.
diff --git a/auth.conf b/auth.conf
deleted file mode 100644
index 92aae26..0000000
--- a/auth.conf
+++ /dev/null
@@ -1,100 +0,0 @@
-# This is an example auth.conf file, it mimics the puppetmasterd defaults
-#
-# The ACL are checked in order of appearance in this file.
-#
-# Supported syntax:
-# This file supports two different syntax depending on how
-# you want to express the ACL.
-#
-# Path syntax (the one used below):
-# ---------------------------------
-# path /path/to/resource
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|ip|*]
-# deny [host|ip]
-#
-# The path is matched as a prefix. That is /file match at
-# the same time /file_metadat and /file_content.
-#
-# Regex syntax:
-# -------------
-# This one is differenciated from the path one by a '~'
-#
-# path ~ regex
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|ip|*]
-# deny [host|ip]
-#
-# The regex syntax is the same as ruby ones.
-#
-# Ex:
-# path ~ .pp$
-# will match every resource ending in .pp (manifests files for instance)
-#
-# path ~ ^/path/to/resource
-# is essentially equivalent to path /path/to/resource
-#
-# environment:: restrict an ACL to a specific set of environments
-# method:: restrict an ACL to a specific set of methods
-# auth:: restrict an ACL to an authenticated or unauthenticated request
-# the default when unspecified is to restrict the ACL to authenticated requests
-# (ie exactly as if auth yes was present).
-#
-
-### Authenticated ACL - those applies only when the client
-### has a valid certificate and is thus authenticated
-
-# allow nodes to retrieve their own catalog (ie their configuration)
-path ~ ^/catalog/([^/]+)$
-method find
-allow $1
-
-# allow nodes to retrieve their own node definition
-path ~ ^/node/([^/]+)$
-method find
-allow $1
-
-# allow all nodes to access the certificates services
-path /certificate_revocation_list/ca
-method find
-allow *
-
-# allow all nodes to store their own reports
-path ~ ^/report/([^/]+)$
-method save
-allow $1
-
-# inconditionnally allow access to all files services
-# which means in practice that fileserver.conf will
-# still be used
-path /file
-allow *
-
-### Unauthenticated ACL, for clients for which the current master doesn't
-### have a valid certificate; we allow authenticated users, too, because
-### there isn't a great harm in letting that request through.
-
-# allow access to the master CA
-path /certificate/ca
-auth any
-method find
-allow *
-
-path /certificate/
-auth any
-method find
-allow *
-
-path /certificate_request
-auth any
-method find, save
-allow *
-
-# this one is not stricly necessary, but it has the merit
-# to show the default policy which is deny everything else
-path /
-auth any
diff --git a/fileserver.conf b/fileserver.conf
deleted file mode 100644
index 4b663e4..0000000
--- a/fileserver.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# This file consists of arbitrarily named sections/modules
-# defining where files are served from and to whom
-
-# Define a section 'files'
-# Adapt the allow/deny settings to your needs. Order
-# for allow/deny does not matter, allow always takes precedence
-# over deny
-[files]
- path /etc/puppet/files
-# allow *.example.com
-# deny *.evil.example.com
-# allow 192.168.0.0/24
-
-#[plugins]
-# allow *.example.com
-# deny *.evil.example.com
-# allow 192.168.0.0/24
diff --git a/manifests/classes/configurator.pp b/manifests/classes/configurator.pp
new file mode 100644
index 0000000..d0dd787
--- /dev/null
+++ b/manifests/classes/configurator.pp
@@ -0,0 +1,232 @@
+#
+# Puppet Bootstrap Configuration Manifest
+#
+# This file is responsible to set custom configuration in the bootstrap
+# repository for values set in the hiera configuration.
+#
+# While this manifest can be run many times, it's useful mostly after you
+# cloned the puppet-boostrap module and want to configure it to boostrap a
+# whole puppetmaster infrastructure.
+#
+
+# Variables
+$templates = "$bootstrap_path/templates"
+
+# Puppet configuration
+file { "$bootstrap_path/puppet.conf":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/puppet/puppet.conf.erb"),
+}
+
+# Fileserver configuration
+file { "$bootstrap_path/fileserver.conf":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/puppet/fileserver.conf.erb"),
+}
+
+file { "$bootstrap_path/auth.conf":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/puppet/auth.conf.erb"),
+}
+
+## Basic nodes
+#file { "$bootstrap_path/manifests/nodes.pp":
+# ensure => present,
+# mode => 0644,
+# content => template("$templates/puppet/nodes.pp.erb"),
+#}
+#
+## Basic users
+#file { "$bootstrap_path/manifests/classes/users.pp":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/manifests/classes"] ],
+# content => template("$templates/puppet/users.pp.erb"),
+#}
+#
+## First host
+#file { "$bootstrap_path/manifests/nodes/$hostname.pp":
+# ensure => present,
+# mode => 0644,
+# content => template("$templates/puppet/server.pp.erb"),
+#}
+#
+## Master node
+#file { "$bootstrap_path/manifests/nodes/$hostname-master.pp":
+# ensure => present,
+# mode => 0644,
+# content => template("$templates/puppet/master.pp.erb"),
+#}
+#
+## Proxy node
+#file { "$bootstrap_path/manifests/nodes/$hostname-proxy.pp":
+# ensure => present,
+# mode => 0644,
+# content => template("$templates/puppet/proxy.pp.erb"),
+#}
+#
+## Web node
+#file { "$bootstrap_path/manifests/nodes/$hostname-web.pp":
+# ensure => present,
+# mode => 0644,
+# content => template("$templates/puppet/web.pp.erb"),
+#}
+#
+## Storage node
+#file { "$bootstrap_path/manifests/nodes/$hostname-storage.pp":
+# ensure => present,
+# mode => 0644,
+# content => template("$templates/puppet/storage.pp.erb"),
+#}
+#
+## Test node
+#file { "$bootstrap_path/manifests/nodes/$hostname-test.pp":
+# ensure => present,
+# mode => 0644,
+# content => template("$templates/puppet/test.pp.erb"),
+#}
+#
+## files in $bootstrap_path/files
+#file { [ "$bootstrap_path/files",
+# "$bootstrap_path/modules/site_nginx",
+# "$bootstrap_path/modules/site_nginx/files",
+# "$bootstrap_path/modules/site_nagios",
+# "$bootstrap_path/modules/site_nagios/files",
+# "$bootstrap_path/modules/site_postfix",
+# "$bootstrap_path/modules/site_postfix/files",
+# "$bootstrap_path/modules/site_mail",
+# "$bootstrap_path/modules/site_mail/files",
+# "$bootstrap_path/modules/site_apache",
+# "$bootstrap_path/modules/site_apache/files",
+# "$bootstrap_path/modules/site_apache/files/vhosts",
+# "$bootstrap_path/modules/site_apache/files/htdocs",
+# "$bootstrap_path/modules/site_apache/files/htdocs/images",
+# "$bootstrap_path/modules/site_keys",
+# "$bootstrap_path/modules/site_keys/files",
+# "$bootstrap_path/modules/site_keys/files/ssl", ]:
+# ensure => directory,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0755,
+#}
+#
+#file { "$bootstrap_path/files/empty":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/files"] ],
+#}
+#
+#file { "$bootstrap_path/modules/site-apache/htdocs/images/README.html":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/htdocs/images"] ],
+# content => template("$templates/apache/htdocs/images/README.html.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-apache/files/htdocs/index.html":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/htdocs"] ],
+# content => template("$templates/apache/htdocs/index.html.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-apache/files/htdocs/missing.html":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/htdocs"] ],
+# content => template("$templates/apache/htdocs/missing.html.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-apache/files/vhosts/git":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ],
+# content => template("$templates/apache/vhosts/git.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-apache/files/vhosts/lists":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ],
+# content => template("$templates/apache/vhosts/lists.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-apache/files/vhosts/mail":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ],
+# content => template("$templates/apache/vhosts/mail.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-apache/files/vhosts/nagios":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ],
+# content => template("$templates/apache/vhosts/nagios.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-apache/files/vhosts/wiki":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ],
+# content => template("$templates/apache/vhosts/wiki.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-mail/files/aliases":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-mail/files"] ],
+# content => template("$templates/etc/aliases.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-nagios/files/htpasswd.users":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-nagios/files"] ],
+# content => template("$templates/etc/nagios3/htpasswd.users.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-nginx/files/$domain":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-nginx/files"] ],
+# content => template("$templates/etc/nginx/domain.erb"),
+#}
+#
+#file { "$bootstrap_path/modules/site-postfix/files/tls_policy":
+# ensure => present,
+# owner => "puppet",
+# group => "puppet",
+# mode => 0644,
+# require => [ Package["puppet"], File["$bootstrap_path/modules/site-postfix/files"] ],
+# content => template("$templates/postfix/tls_policy.erb"),
+#}
diff --git a/manifests/classes/default_conf.pp b/manifests/classes/default_conf.pp
deleted file mode 100644
index ab8280d..0000000
--- a/manifests/classes/default_conf.pp
+++ /dev/null
@@ -1,296 +0,0 @@
-class default_conf {
-
- $templates_dir = "$puppet_bootstrap_tmpdir/templates"
- $default_puppet_conf_dir = "$puppet_dir/default-conf"
-
- # directories
- file { ["$puppet_dir", "$default_puppet_conf_dir"]:
- ensure => directory,
- owner => "puppet",
- group => "puppet",
- mode => 0755,
- require => Package["puppet"],
- }
-
- file { [ "$default_puppet_conf_dir/files",
- "$default_puppet_conf_dir/manifests",
- "$default_puppet_conf_dir/modules",
- "$default_puppet_conf_dir/manifests/classes",
- "$default_puppet_conf_dir/manifests/nodes" ]:
- ensure => directory,
- owner => "puppet",
- group => "puppet",
- mode => 0755,
- require => File["$default_puppet_conf_dir"],
- }
-
- # files in $default_puppet_conf_dir
- file { "$default_puppet_conf_dir/puppet.conf":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => Package["puppet"],
- content => template("$templates_dir/puppet/puppet.conf.erb"),
- }
-
- file { "$default_puppet_conf_dir/fileserver.conf":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => Package["puppet"],
- content => template("$templates_dir/puppet/fileserver.conf.erb"),
- }
-
- file { "$default_puppet_conf_dir/auth.conf":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => Package["puppet"],
- content => template("$templates_dir/puppet/auth.conf.erb"),
- }
-
- # files in $default_puppet_conf_dir/manifests
- file { "$default_puppet_conf_dir/manifests/site.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests"] ],
- content => template("$templates_dir/puppet/site.pp.erb"),
- }
-
- file { "$default_puppet_conf_dir/manifests/modules.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests"] ],
- content => template("$templates_dir/puppet/modules.pp.erb"),
- }
-
- file { "$default_puppet_conf_dir/manifests/nodes.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests"] ],
- content => template("$templates_dir/puppet/nodes.pp.erb"),
- }
-
- # files in $default_puppet_conf_dir/manifests/classes
- file { "$default_puppet_conf_dir/manifests/classes/websites.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/classes"] ],
- content => template("$templates_dir/puppet/websites.pp.erb"),
- }
-
- file { "$default_puppet_conf_dir/manifests/classes/users.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/classes"] ],
- content => template("$templates_dir/puppet/users.pp.erb"),
- }
-
- # files in $default_puppet_conf_dir/manifests/nodes
- file { "$default_puppet_conf_dir/manifests/nodes/$hostname.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ],
- content => template("$templates_dir/puppet/server.pp.erb"),
- }
-
- file { "$default_puppet_conf_dir/manifests/nodes/$hostname-master.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ],
- content => template("$templates_dir/puppet/master.pp.erb"),
- }
-
- file { "$default_puppet_conf_dir/manifests/nodes/$hostname-proxy.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ],
- content => template("$templates_dir/puppet/proxy.pp.erb"),
- }
-
- file { "$default_puppet_conf_dir/manifests/nodes/$hostname-web.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ],
- content => template("$templates_dir/puppet/web.pp.erb"),
- }
-
- file { "$default_puppet_conf_dir/manifests/nodes/$hostname-storage.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ],
- content => template("$templates_dir/puppet/storage.pp.erb"),
- }
-
- file { "$default_puppet_conf_dir/manifests/nodes/$hostname-test.pp":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ],
- content => template("$templates_dir/puppet/test.pp.erb"),
- }
-
- # files in $default_puppet_conf_dir/files
- file { [ "$default_puppet_conf_dir/files",
- "$default_puppet_conf_dir/modules/site_nginx",
- "$default_puppet_conf_dir/modules/site_nginx/files",
- "$default_puppet_conf_dir/modules/site_nagios",
- "$default_puppet_conf_dir/modules/site_nagios/files",
- "$default_puppet_conf_dir/modules/site_postfix",
- "$default_puppet_conf_dir/modules/site_postfix/files",
- "$default_puppet_conf_dir/modules/site_mail",
- "$default_puppet_conf_dir/modules/site_mail/files",
- "$default_puppet_conf_dir/modules/site_apache",
- "$default_puppet_conf_dir/modules/site_apache/files",
- "$default_puppet_conf_dir/modules/site_apache/files/vhosts",
- "$default_puppet_conf_dir/modules/site_apache/files/htdocs",
- "$default_puppet_conf_dir/modules/site_apache/files/htdocs/images",
- "$default_puppet_conf_dir/modules/site_keys",
- "$default_puppet_conf_dir/modules/site_keys/files",
- "$default_puppet_conf_dir/modules/site_keys/files/ssl", ]:
- ensure => directory,
- owner => "puppet",
- group => "puppet",
- mode => 0755,
- }
-
- file { "$default_puppet_conf_dir/files/empty":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/files"] ],
- }
-
- file { "$default_puppet_conf_dir/modules/site-apache/htdocs/images/README.html":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/htdocs/images"] ],
- content => template("$templates_dir/apache/htdocs/images/README.html.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-apache/files/htdocs/index.html":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/htdocs"] ],
- content => template("$templates_dir/apache/htdocs/index.html.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-apache/files/htdocs/missing.html":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/htdocs"] ],
- content => template("$templates_dir/apache/htdocs/missing.html.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/git":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ],
- content => template("$templates_dir/apache/vhosts/git.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/lists":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ],
- content => template("$templates_dir/apache/vhosts/lists.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/mail":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ],
- content => template("$templates_dir/apache/vhosts/mail.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/nagios":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ],
- content => template("$templates_dir/apache/vhosts/nagios.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/wiki":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ],
- content => template("$templates_dir/apache/vhosts/wiki.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-mail/files/aliases":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-mail/files"] ],
- content => template("$templates_dir/etc/aliases.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-nagios/files/htpasswd.users":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-nagios/files"] ],
- content => template("$templates_dir/etc/nagios3/htpasswd.users.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-nginx/files/$domain":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-nginx/files"] ],
- content => template("$templates_dir/etc/nginx/domain.erb"),
- }
-
- file { "$default_puppet_conf_dir/modules/site-postfix/files/tls_policy":
- ensure => present,
- owner => "puppet",
- group => "puppet",
- mode => 0644,
- require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-postfix/files"] ],
- content => template("$templates_dir/postfix/tls_policy.erb"),
- }
-}
diff --git a/puppet.conf b/puppet.conf
deleted file mode 100644
index eae3864..0000000
--- a/puppet.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-[main]
-logdir = /var/log/puppet
-vardir = /var/lib/puppetmaster
-ssldir = $vardir/ssl
-rundir = /var/run/puppet
-factpath = $vardir/lib/facter
-pluginsync = true
-
-[master]
-templatedir = $vardir/templates
-masterport = 8140
-autosign = false
-storeconfigs = true
-dbadapter = mysql
-dbserver = localhost
-dbuser = puppet
-dbpassword = CHANGEME!
-ssl_client_header = SSL_CLIENT_S_DN
-ssl_client_verify_header = SSL_CLIENT_VERIFY
-
-[agent]
-server = puppet
-vardir = /var/lib/puppet
-ssldir = $vardir/ssl
-runinterval = 7200
-puppetport = 8139
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
index 431e4b2..47740dc 100644
--- a/templates/puppet/auth.conf.erb
+++ b/templates/puppet/auth.conf.erb
@@ -45,34 +45,37 @@
# (ie exactly as if auth yes was present).
#
-### Authenticated ACL - those applies only when the client
-### has a valid certificate and is thus authenticated
+# Allow authenticated nodes to retrieve their own catalogs:
-# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
-# allow all nodes to access the certificates services
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
path /certificate_revocation_list/ca
method find
allow *
-# allow all nodes to store their reports
+# Allow authenticated nodes to send reports:
+
path /report
method save
allow *
-# inconditionnally allow access to all files services
-# which means in practice that fileserver.conf will
-# still be used
-path /file
-allow *
+# Allow unauthenticated access to certificates:
-### Unauthenticated ACL, for clients for which the current master doesn't
-### have a valid certificate
-
-# allow access to the master CA
path /certificate/ca
auth no
method find
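Review bot: The reorganised ACL keeps `path /report` / `method save` / `allow *`, so any node with a valid certificate can save a report under any other node's name, whereas the catalog and node rules just above are scoped to the requesting certname with `allow $1`. The `auth.conf` this commit deletes used `path ~ ^/report/([^/]+)$` with `method save` and `allow $1` for exactly this; those three lines would fit here unchanged. The new comment on the `/file` rule is also far longer than every other comment in the file and would read better wrapped at the existing width.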
@@ -83,12 +86,14 @@ auth no
method find
allow *
+# Allow unauthenticated nodes to submit certificate signing requests:
+
path /certificate_request
auth no
method find, save
allow *
-# this one is not stricly necessary, but it has the merit
-# to show the default policy which is deny everything else
+# Deny all other requests:
+
path /
auth any
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
index b8ad720..3046e96 100644
--- a/templates/puppet/fileserver.conf.erb
+++ b/templates/puppet/fileserver.conf.erb
@@ -1,17 +1,7 @@
-# top-level
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Files
[files]
path /etc/puppet/files
- allow *.<%= domain %>
-
-[keys]
- path /etc/puppet/files/keys
- allow *.<%= domain %>
-
-# modules
-[common]
- path /etc/puppet/modules/common/files
- allow *.<%= domain %>
-
-[puppet]
- path /etc/puppet/modules/puppet/files
- allow *.<%= domain %>
+ allow *.<%= base_domain %>
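Review bot: `allow *.<%= base_domain %>` depends on a `base_domain` variable, but nothing visible in this commit defines it — `manifests/classes/configurator.pp` sets only `$templates`, and the Makefile passes `--hiera-config=hiera.yaml` without any `hiera()` lookup in the manifest. Unless it arrives as a fact or from code outside this diff, the template renders `allow *.`, which either becomes an empty-suffix allow or a template error depending on how the Puppet version in use treats unset template variables. The same applies to `base_domain` and `storeconfigs_pw` in `templates/puppet/puppet.conf.erb`; whichever lookup is meant to populate them should be explicit, and the templates could fail early with `<% raise 'base_domain is not set' if base_domain.to_s.empty? %>` so a bad render never reaches a master.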
diff --git a/templates/puppet/modules.pp.erb b/templates/puppet/modules.pp.erb
deleted file mode 100644
index 3df3fe3..0000000
--- a/templates/puppet/modules.pp.erb
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# Module definitions.
-#
-
-# Nodo automatically import all modules we need.
-import "nodo"
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
index 72306a2..2ebfc9e 100644
--- a/templates/puppet/puppet.conf.erb
+++ b/templates/puppet/puppet.conf.erb
@@ -1,29 +1,29 @@
[main]
-rundir = /var/run/puppet
-logdir = /var/log/puppet
-vardir = /var/lib/puppetmaster
-ssldir = $vardir/ssl
-factpath = $vardir/lib/facter
-pluginsync = true
+logdir = /var/log/puppet
+vardir = /var/lib/puppetmaster
+ssldir = $vardir/ssl
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
[master]
-vardir = /var/lib/puppet
-templatedir = $vardir/templates
-autosign = false
-certname = puppet.<%= domain%>
-#storeconfigs = true
-#dbadapter = mysql
-#dbserver = localhost
-#dbuser = puppet
-#dbpassword =
-#dbconnections = 15
-
-# Needed by mongrel
-ssl_client_header = HTTP_X_SSL_SUBJECT
+templatedir = $vardir/templates
+masterport = 8140
+autosign = false
+storeconfigs = true
+dbadapter = mysql
+dbserver = localhost
+dbuser = puppet
+dbpassword = <%= storeconfigs_pw %>
+dbconnections = 15
+certname = puppet.<%= base_domain %>
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
-server = puppet.<%= domain%>
-vardir = /var/lib/puppet
-ssldir = $vardir/ssl
-runinterval = 1800
-puppetport = 8139
+server = puppet.<%= base_domain %>
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 7200
+puppetport = 8139
+configtimeout = 300
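Review bot: `storeconfigs = true`, `dbadapter = mysql` and the `db*` lines are now unconditional in `[master]` (the previous version had them commented out), so every master rendered from this template requires a reachable MySQL with these credentials, and when `storeconfigs_pw` is empty the file silently gets `dbpassword = ` — an empty password instead of an error. Consider wrapping the block in a template conditional keyed on a storeconfigs setting, and asserting the password is non-empty, e.g. `<% raise 'storeconfigs_pw is not set' if storeconfigs_pw.to_s.empty? %>` at the top of the file. The `[main]` reordering and the `runinterval`/`configtimeout` changes are fine as far as this hunk shows.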
diff --git a/templates/puppet/site.pp.erb b/templates/puppet/site.pp.erb
deleted file mode 100644
index 6f3e5aa..0000000
--- a/templates/puppet/site.pp.erb
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Puppet site configuration.
-#
-
-import "classes/users.pp"
-import "classes/websites.pp"
-import "modules.pp"
-import "nodes.pp"