-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | TODO.md | 1 | ||||
-rw-r--r-- | auth.conf | 100 | ||||
-rw-r--r-- | fileserver.conf | 17 | ||||
-rw-r--r-- | manifests/classes/configurator.pp | 232 | ||||
-rw-r--r-- | manifests/classes/default_conf.pp | 296 | ||||
-rw-r--r-- | puppet.conf | 26 | ||||
-rw-r--r-- | templates/puppet/auth.conf.erb | 37 | ||||
-rw-r--r-- | templates/puppet/fileserver.conf.erb | 20 | ||||
-rw-r--r-- | templates/puppet/modules.pp.erb | 6 | ||||
-rw-r--r-- | templates/puppet/puppet.conf.erb | 48 | ||||
-rw-r--r-- | templates/puppet/site.pp.erb | 8 |
12 files changed, 287 insertions, 510 deletions
@@ -15,6 +15,7 @@ # REPO = git://git.sarava.org/puppet-bootstrap.git +CWD = $(shell pwd) all: clean remote modules @@ -31,7 +32,10 @@ remote: git remote add bootstrap $(REPO) config: - @echo "TODO: not implemented :(" + FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --hiera-config=hiera.yaml --modulepath=modules manifests/classes/configurator.pp + +apply: + FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --hiera-config=hiera.yaml --modulepath=modules manifests/$(stage).pp clean: rm -rf modules @@ -4,4 +4,3 @@ TODO * Make `config` target: * Moving from `config.pp` to hiera. * Refactoring and `default_conf.pp`. - * Configuration should be generated directly into the repository. diff --git a/auth.conf b/auth.conf deleted file mode 100644 index 92aae26..0000000 --- a/auth.conf +++ /dev/null 
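Review bot: The new `apply` target interpolates `$(stage)` without checking that it was given, so a bare `make apply` runs `puppet apply` against `manifests/.pp` and only fails inside puppet with an unhelpful message; adding a first recipe line `@test -n "$(stage)" || { echo "usage: make apply stage=<name>" >&2; exit 1; }` under `apply:` makes the contract explicit. `CWD = $(shell pwd)` forks a shell on every make invocation where the GNU make builtin `$(CURDIR)` already holds the same value, so `FACTER_BOOTSTRAP_PATH="$(CURDIR)"` would do without the new variable. Both the `config` and `apply` recipes repeat the same `puppet apply --hiera-config=hiera.yaml --modulepath=modules` prefix; factoring it into one variable keeps the two targets from drifting apart.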
@@ -1,100 +0,0 @@ -# This is an example auth.conf file, it mimics the puppetmasterd defaults -# -# The ACL are checked in order of appearance in this file. -# -# Supported syntax: -# This file supports two different syntax depending on how -# you want to express the ACL. -# -# Path syntax (the one used below): -# --------------------------------- -# path /path/to/resource -# [environment envlist] -# [method methodlist] -# [auth[enthicated] {yes|no|on|off|any}] -# allow [host|ip|*] -# deny [host|ip] -# -# The path is matched as a prefix. That is /file match at -# the same time /file_metadat and /file_content. -# -# Regex syntax: -# ------------- -# This one is differenciated from the path one by a '~' -# -# path ~ regex -# [environment envlist] -# [method methodlist] -# [auth[enthicated] {yes|no|on|off|any}] -# allow [host|ip|*] -# deny [host|ip] -# -# The regex syntax is the same as ruby ones. -# -# Ex: -# path ~ .pp$ -# will match every resource ending in .pp (manifests files for instance) -# -# path ~ ^/path/to/resource -# is essentially equivalent to path /path/to/resource -# -# environment:: restrict an ACL to a specific set of environments -# method:: restrict an ACL to a specific set of methods -# auth:: restrict an ACL to an authenticated or unauthenticated request -# the default when unspecified is to restrict the ACL to authenticated requests -# (ie exactly as if auth yes was present). 
-# - -### Authenticated ACL - those applies only when the client -### has a valid certificate and is thus authenticated - -# allow nodes to retrieve their own catalog (ie their configuration) -path ~ ^/catalog/([^/]+)$ -method find -allow $1 - -# allow nodes to retrieve their own node definition -path ~ ^/node/([^/]+)$ -method find -allow $1 - -# allow all nodes to access the certificates services -path /certificate_revocation_list/ca -method find -allow * - -# allow all nodes to store their own reports -path ~ ^/report/([^/]+)$ -method save -allow $1 - -# inconditionnally allow access to all files services -# which means in practice that fileserver.conf will -# still be used -path /file -allow * - -### Unauthenticated ACL, for clients for which the current master doesn't -### have a valid certificate; we allow authenticated users, too, because -### there isn't a great harm in letting that request through. - -# allow access to the master CA -path /certificate/ca -auth any -method find -allow * - -path /certificate/ -auth any -method find -allow * - -path /certificate_request -auth any -method find, save -allow * - -# this one is not stricly necessary, but it has the merit -# to show the default policy which is deny everything else -path / -auth any diff --git a/fileserver.conf b/fileserver.conf deleted file mode 100644 index 4b663e4..0000000 --- a/fileserver.conf +++ /dev/null @@ -1,17 +0,0 @@ -# This file consists of arbitrarily named sections/modules -# defining where files are served from and to whom - -# Define a section 'files' -# Adapt the allow/deny settings to your needs. Order -# for allow/deny does not matter, allow always takes precedence -# over deny -[files] - path /etc/puppet/files -# allow *.example.com -# deny *.evil.example.com -# allow 192.168.0.0/24 - -#[plugins] -# allow *.example.com -# deny *.evil.example.com -# allow 192.168.0.0/24 
diff --git a/manifests/classes/configurator.pp b/manifests/classes/configurator.pp
new file mode 100644
index 0000000..d0dd787
--- /dev/null
+++ b/manifests/classes/configurator.pp
@@ -0,0 +1,232 @@ +# +# Puppet Bootstrap Configuration Manifest +# +# This file is responsible to set custom configuration in the bootstrap +# repository for values set in the hiera configuration. +# +# While this manifest can be run many times, it's useful mostly after you +# cloned the puppet-boostrap module and want to configure it to boostrap a +# whole puppetmaster infrastructure. +# + +# Variables +$templates = "$bootstrap_path/templates" + +# Puppet configuration +file { "$bootstrap_path/puppet.conf": + ensure => present, + mode => 0644, + content => template("$templates/puppet/puppet.conf.erb"), +} + +# Fileserver configuration +file { "$bootstrap_path/fileserver.conf": + ensure => present, + mode => 0644, + content => template("$templates/puppet/fileserver.conf.erb"), +} + +file { "$bootstrap_path/auth.conf": + ensure => present, + mode => 0644, + content => template("$templates/puppet/auth.conf.erb"), +} + +## Basic nodes +#file { "$bootstrap_path/manifests/nodes.pp": +# ensure => present, +# mode => 0644, +# content => template("$templates/puppet/nodes.pp.erb"), +#} +# +## Basic users +#file { "$bootstrap_path/manifests/classes/users.pp": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/manifests/classes"] ], +# content => template("$templates/puppet/users.pp.erb"), +#} +# +## First host +#file { "$bootstrap_path/manifests/nodes/$hostname.pp": +# ensure => present, +# mode => 0644, +# content => template("$templates/puppet/server.pp.erb"), +#} +# +## Master node +#file { "$bootstrap_path/manifests/nodes/$hostname-master.pp": +# ensure => present, +# mode => 0644, +# content => template("$templates/puppet/master.pp.erb"), +#} +# +## Proxy node +#file { "$bootstrap_path/manifests/nodes/$hostname-proxy.pp": +# ensure => present, +# mode => 0644, +# content => template("$templates/puppet/proxy.pp.erb"), +#} +# +## Web node +#file { 
"$bootstrap_path/manifests/nodes/$hostname-web.pp": +# ensure => present, +# mode => 0644, +# content => template("$templates/puppet/web.pp.erb"), +#} +# +## Storage node +#file { "$bootstrap_path/manifests/nodes/$hostname-storage.pp": +# ensure => present, +# mode => 0644, +# content => template("$templates/puppet/storage.pp.erb"), +#} +# +## Test node +#file { "$bootstrap_path/manifests/nodes/$hostname-test.pp": +# ensure => present, +# mode => 0644, +# content => template("$templates/puppet/test.pp.erb"), +#} +# +## files in $bootstrap_path/files +#file { [ "$bootstrap_path/files", +# "$bootstrap_path/modules/site_nginx", +# "$bootstrap_path/modules/site_nginx/files", +# "$bootstrap_path/modules/site_nagios", +# "$bootstrap_path/modules/site_nagios/files", +# "$bootstrap_path/modules/site_postfix", +# "$bootstrap_path/modules/site_postfix/files", +# "$bootstrap_path/modules/site_mail", +# "$bootstrap_path/modules/site_mail/files", +# "$bootstrap_path/modules/site_apache", +# "$bootstrap_path/modules/site_apache/files", +# "$bootstrap_path/modules/site_apache/files/vhosts", +# "$bootstrap_path/modules/site_apache/files/htdocs", +# "$bootstrap_path/modules/site_apache/files/htdocs/images", +# "$bootstrap_path/modules/site_keys", +# "$bootstrap_path/modules/site_keys/files", +# "$bootstrap_path/modules/site_keys/files/ssl", ]: +# ensure => directory, +# owner => "puppet", +# group => "puppet", +# mode => 0755, +#} +# +#file { "$bootstrap_path/files/empty": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/files"] ], +#} +# +#file { "$bootstrap_path/modules/site-apache/htdocs/images/README.html": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/htdocs/images"] ], +# content => template("$templates/apache/htdocs/images/README.html.erb"), +#} +# +#file { 
"$bootstrap_path/modules/site-apache/files/htdocs/index.html": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/htdocs"] ], +# content => template("$templates/apache/htdocs/index.html.erb"), +#} +# +#file { "$bootstrap_path/modules/site-apache/files/htdocs/missing.html": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/htdocs"] ], +# content => template("$templates/apache/htdocs/missing.html.erb"), +#} +# +#file { "$bootstrap_path/modules/site-apache/files/vhosts/git": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ], +# content => template("$templates/apache/vhosts/git.erb"), +#} +# +#file { "$bootstrap_path/modules/site-apache/files/vhosts/lists": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ], +# content => template("$templates/apache/vhosts/lists.erb"), +#} +# +#file { "$bootstrap_path/modules/site-apache/files/vhosts/mail": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ], +# content => template("$templates/apache/vhosts/mail.erb"), +#} +# +#file { "$bootstrap_path/modules/site-apache/files/vhosts/nagios": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ], +# content => template("$templates/apache/vhosts/nagios.erb"), +#} +# +#file { "$bootstrap_path/modules/site-apache/files/vhosts/wiki": +# ensure => present, +# owner => 
"puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-apache/files/vhosts"] ], +# content => template("$templates/apache/vhosts/wiki.erb"), +#} +# +#file { "$bootstrap_path/modules/site-mail/files/aliases": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-mail/files"] ], +# content => template("$templates/etc/aliases.erb"), +#} +# +#file { "$bootstrap_path/modules/site-nagios/files/htpasswd.users": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-nagios/files"] ], +# content => template("$templates/etc/nagios3/htpasswd.users.erb"), +#} +# +#file { "$bootstrap_path/modules/site-nginx/files/$domain": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-nginx/files"] ], +# content => template("$templates/etc/nginx/domain.erb"), +#} +# +#file { "$bootstrap_path/modules/site-postfix/files/tls_policy": +# ensure => present, +# owner => "puppet", +# group => "puppet", +# mode => 0644, +# require => [ Package["puppet"], File["$bootstrap_path/modules/site-postfix/files"] ], +# content => template("$templates/postfix/tls_policy.erb"), +#} diff --git a/manifests/classes/default_conf.pp b/manifests/classes/default_conf.pp deleted file mode 100644 index ab8280d..0000000 --- a/manifests/classes/default_conf.pp +++ /dev/null 
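Review bot: The three live `file` resources at the top of this new manifest write `puppet.conf`, `fileserver.conf` and `auth.conf` into the repository checkout at `mode => 0644` with no `owner`/`group`, and `templates/puppet/puppet.conf.erb` in this same commit now renders `dbpassword = <%= storeconfigs_pw %>` into the first of them, so the storeconfigs database password ends up world-readable in the working tree and one `git add` away from history. At minimum the `puppet.conf` resource should carry `mode => 0600`, and the generated files should be excluded from version control (no ignore file is visible in this diff) or generated outside the checkout. The bare octal `mode => 0644` is tolerated by Puppet 3 but, as far as I recall, rejected as an Integer by later releases that expect the string form `'0644'`, so quoting it in every resource here is a cheap future-proofing step. The roughly 180 commented-out resources that follow `auth.conf` duplicate the `default_conf.pp` this commit deletes; if they are kept as a reminder, a single `# TODO: node, user and site_* file generation not yet ported from default_conf.pp` reads better than the full dead block.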
@@ -1,296 +0,0 @@ -class default_conf { - - $templates_dir = "$puppet_bootstrap_tmpdir/templates" - $default_puppet_conf_dir = "$puppet_dir/default-conf" - - # directories - file { ["$puppet_dir", "$default_puppet_conf_dir"]: - ensure => directory, - owner => "puppet", - group => "puppet", - mode => 0755, - require => Package["puppet"], - } - - file { [ "$default_puppet_conf_dir/files", - "$default_puppet_conf_dir/manifests", - "$default_puppet_conf_dir/modules", - "$default_puppet_conf_dir/manifests/classes", - "$default_puppet_conf_dir/manifests/nodes" ]: - ensure => directory, - owner => "puppet", - group => "puppet", - mode => 0755, - require => File["$default_puppet_conf_dir"], - } - - # files in $default_puppet_conf_dir - file { "$default_puppet_conf_dir/puppet.conf": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => Package["puppet"], - content => template("$templates_dir/puppet/puppet.conf.erb"), - } - - file { "$default_puppet_conf_dir/fileserver.conf": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => Package["puppet"], - content => template("$templates_dir/puppet/fileserver.conf.erb"), - } - - file { "$default_puppet_conf_dir/auth.conf": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => Package["puppet"], - content => template("$templates_dir/puppet/auth.conf.erb"), - } - - # files in $default_puppet_conf_dir/manifests - file { "$default_puppet_conf_dir/manifests/site.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests"] ], - content => template("$templates_dir/puppet/site.pp.erb"), - } - - file { "$default_puppet_conf_dir/manifests/modules.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests"] ], - content => 
template("$templates_dir/puppet/modules.pp.erb"), - } - - file { "$default_puppet_conf_dir/manifests/nodes.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests"] ], - content => template("$templates_dir/puppet/nodes.pp.erb"), - } - - # files in $default_puppet_conf_dir/manifests/classes - file { "$default_puppet_conf_dir/manifests/classes/websites.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/classes"] ], - content => template("$templates_dir/puppet/websites.pp.erb"), - } - - file { "$default_puppet_conf_dir/manifests/classes/users.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/classes"] ], - content => template("$templates_dir/puppet/users.pp.erb"), - } - - # files in $default_puppet_conf_dir/manifests/nodes - file { "$default_puppet_conf_dir/manifests/nodes/$hostname.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ], - content => template("$templates_dir/puppet/server.pp.erb"), - } - - file { "$default_puppet_conf_dir/manifests/nodes/$hostname-master.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ], - content => template("$templates_dir/puppet/master.pp.erb"), - } - - file { "$default_puppet_conf_dir/manifests/nodes/$hostname-proxy.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ], - content => template("$templates_dir/puppet/proxy.pp.erb"), - } - - file { 
"$default_puppet_conf_dir/manifests/nodes/$hostname-web.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ], - content => template("$templates_dir/puppet/web.pp.erb"), - } - - file { "$default_puppet_conf_dir/manifests/nodes/$hostname-storage.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ], - content => template("$templates_dir/puppet/storage.pp.erb"), - } - - file { "$default_puppet_conf_dir/manifests/nodes/$hostname-test.pp": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/manifests/nodes"] ], - content => template("$templates_dir/puppet/test.pp.erb"), - } - - # files in $default_puppet_conf_dir/files - file { [ "$default_puppet_conf_dir/files", - "$default_puppet_conf_dir/modules/site_nginx", - "$default_puppet_conf_dir/modules/site_nginx/files", - "$default_puppet_conf_dir/modules/site_nagios", - "$default_puppet_conf_dir/modules/site_nagios/files", - "$default_puppet_conf_dir/modules/site_postfix", - "$default_puppet_conf_dir/modules/site_postfix/files", - "$default_puppet_conf_dir/modules/site_mail", - "$default_puppet_conf_dir/modules/site_mail/files", - "$default_puppet_conf_dir/modules/site_apache", - "$default_puppet_conf_dir/modules/site_apache/files", - "$default_puppet_conf_dir/modules/site_apache/files/vhosts", - "$default_puppet_conf_dir/modules/site_apache/files/htdocs", - "$default_puppet_conf_dir/modules/site_apache/files/htdocs/images", - "$default_puppet_conf_dir/modules/site_keys", - "$default_puppet_conf_dir/modules/site_keys/files", - "$default_puppet_conf_dir/modules/site_keys/files/ssl", ]: - ensure => directory, - owner => "puppet", - group => "puppet", - mode => 0755, - } - - file { 
"$default_puppet_conf_dir/files/empty": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/files"] ], - } - - file { "$default_puppet_conf_dir/modules/site-apache/htdocs/images/README.html": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/htdocs/images"] ], - content => template("$templates_dir/apache/htdocs/images/README.html.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-apache/files/htdocs/index.html": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/htdocs"] ], - content => template("$templates_dir/apache/htdocs/index.html.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-apache/files/htdocs/missing.html": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/htdocs"] ], - content => template("$templates_dir/apache/htdocs/missing.html.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/git": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ], - content => template("$templates_dir/apache/vhosts/git.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/lists": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ], - content => template("$templates_dir/apache/vhosts/lists.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/mail": - ensure => present, - owner => 
"puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ], - content => template("$templates_dir/apache/vhosts/mail.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/nagios": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ], - content => template("$templates_dir/apache/vhosts/nagios.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-apache/files/vhosts/wiki": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-apache/files/vhosts"] ], - content => template("$templates_dir/apache/vhosts/wiki.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-mail/files/aliases": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-mail/files"] ], - content => template("$templates_dir/etc/aliases.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-nagios/files/htpasswd.users": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-nagios/files"] ], - content => template("$templates_dir/etc/nagios3/htpasswd.users.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-nginx/files/$domain": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ Package["puppet"], File["$default_puppet_conf_dir/modules/site-nginx/files"] ], - content => template("$templates_dir/etc/nginx/domain.erb"), - } - - file { "$default_puppet_conf_dir/modules/site-postfix/files/tls_policy": - ensure => present, - owner => "puppet", - group => "puppet", - mode => 0644, - require => [ 
Package["puppet"], File["$default_puppet_conf_dir/modules/site-postfix/files"] ], - content => template("$templates_dir/postfix/tls_policy.erb"), - } -} diff --git a/puppet.conf b/puppet.conf deleted file mode 100644 index eae3864..0000000 --- a/puppet.conf +++ /dev/null @@ -1,26 +0,0 @@ -[main] -logdir = /var/log/puppet -vardir = /var/lib/puppetmaster -ssldir = $vardir/ssl -rundir = /var/run/puppet -factpath = $vardir/lib/facter -pluginsync = true - -[master] -templatedir = $vardir/templates -masterport = 8140 -autosign = false -storeconfigs = true -dbadapter = mysql -dbserver = localhost -dbuser = puppet -dbpassword = CHANGEME! -ssl_client_header = SSL_CLIENT_S_DN -ssl_client_verify_header = SSL_CLIENT_VERIFY - -[agent] -server = puppet -vardir = /var/lib/puppet -ssldir = $vardir/ssl -runinterval = 7200 -puppetport = 8139 diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb index 431e4b2..47740dc 100644 --- a/templates/puppet/auth.conf.erb +++ b/templates/puppet/auth.conf.erb 
@@ -45,34 +45,37 @@ # (ie exactly as if auth yes was present). # -### Authenticated ACL - those applies only when the client -### has a valid certificate and is thus authenticated +# Allow authenticated nodes to retrieve their own catalogs: -# allow nodes to retrieve their own catalog (ie their configuration) path ~ ^/catalog/([^/]+)$ method find allow $1 -# allow all nodes to access the certificates services +# allow nodes to retrieve their own node definition + +path ~ ^/node/([^/]+)$ +method find +allow $1 + +# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted: + +path /file +allow * + +# Allow authenticated nodes to access the certificate revocation list: + path /certificate_revocation_list/ca method find allow * -# allow all nodes to store their reports +# Allow authenticated nodes to send reports: + path /report method save allow * -# inconditionnally allow access to all files services -# which means in practice that fileserver.conf will -# still be used -path /file -allow * +# Allow unauthenticated access to certificates: -### Unauthenticated ACL, for clients for which the current master doesn't -### have a valid certificate - -# allow access to the master CA path /certificate/ca auth no method find @@ -83,12 +86,14 @@ auth no method find allow * +# Allow unauthenticated nodes to submit certificate signing requests: + path /certificate_request auth no method find, save allow * -# this one is not stricly necessary, but it has the merit -# to show the default policy which is deny everything else +# Deny all other requests: + path / auth any diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb index b8ad720..3046e96 100644 --- a/templates/puppet/fileserver.conf.erb +++ b/templates/puppet/fileserver.conf.erb 
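Review bot: The reports ACL kept as context in the first hunk, `path /report` / `method save` / `allow *`, lets any authenticated node store a report under any other node's name, while the `auth.conf` deleted by this same commit pinned it with `path ~ ^/report/([^/]+)$` / `method save` / `allow $1`; now that this template is the only source of auth.conf, the regex form should be carried over. The certificate ACLs use `auth no`, which matches only unauthenticated requests, whereas the removed file used `auth any` on `/certificate/ca`, `/certificate/` and `/certificate_request` so that an already-certified node could still reach them; under `auth no` such a request falls through to the closing `path /` deny, so confirm that is intended before the file is regenerated everywhere. The new `/node` comment is the only one left lowercase and without the trailing colon the other rewritten comments adopt; `# Allow authenticated nodes to retrieve their own node definition:` matches the rest.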
@@ -1,17 +1,7 @@ -# top-level +# This file consists of arbitrarily named sections/modules +# defining where files are served from and to whom + +# Files [files] path /etc/puppet/files - allow *.<%= domain %> - -[keys] - path /etc/puppet/files/keys - allow *.<%= domain %> - -# modules -[common] - path /etc/puppet/modules/common/files - allow *.<%= domain %> - -[puppet] - path /etc/puppet/modules/puppet/files - allow *.<%= domain %> + allow *.<%= base_domain %> diff --git a/templates/puppet/modules.pp.erb b/templates/puppet/modules.pp.erb deleted file mode 100644 index 3df3fe3..0000000 --- a/templates/puppet/modules.pp.erb +++ /dev/null @@ -1,6 +0,0 @@ -# -# Module definitions. -# - -# Nodo automatically import all modules we need. -import "nodo" diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb index 72306a2..2ebfc9e 100644 --- a/templates/puppet/puppet.conf.erb +++ b/templates/puppet/puppet.conf.erb 
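Review bot: The rewritten template drops the `[keys]`, `[common]` and `[puppet]` mounts, so any manifest or module still sourcing `puppet:///keys/...`, `puppet:///common/...` or `puppet:///puppet/...` will fail at agent run; no such references are visible in this diff, so a search for them before merging is advisable. `allow *.<%= base_domain %>` is now the sole access rule for `[files]`, and if `base_domain` is not set in hiera the line appears to render as `allow *.` rather than failing, which is worth a guard or at least a comment. The new header copies only the first sentence of the deleted `fileserver.conf`'s explanation; restoring the rest as `# Adapt the allow/deny settings to your needs: allow always takes precedence over deny.` keeps the guidance the old file gave next to the rule it applies to.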
@@ -1,29 +1,29 @@ [main] -rundir = /var/run/puppet -logdir = /var/log/puppet -vardir = /var/lib/puppetmaster -ssldir = $vardir/ssl -factpath = $vardir/lib/facter -pluginsync = true +logdir = /var/log/puppet +vardir = /var/lib/puppetmaster +ssldir = $vardir/ssl +rundir = /var/run/puppet +factpath = $vardir/lib/facter +pluginsync = true [master] -vardir = /var/lib/puppet -templatedir = $vardir/templates -autosign = false -certname = puppet.<%= domain%> -#storeconfigs = true -#dbadapter = mysql -#dbserver = localhost -#dbuser = puppet -#dbpassword = -#dbconnections = 15 - -# Needed by mongrel -ssl_client_header = HTTP_X_SSL_SUBJECT +templatedir = $vardir/templates +masterport = 8140 +autosign = false +storeconfigs = true +dbadapter = mysql +dbserver = localhost +dbuser = puppet +dbpassword = <%= storeconfigs_pw %> +dbconnections = 15 +certname = puppet.<%= base_domain %> +ssl_client_header = SSL_CLIENT_S_DN +ssl_client_verify_header = SSL_CLIENT_VERIFY [agent] -server = puppet.<%= domain%> -vardir = /var/lib/puppet -ssldir = $vardir/ssl -runinterval = 1800 -puppetport = 8139 +server = puppet.<%= base_domain %> +vardir = /var/lib/puppet +ssldir = $vardir/ssl +runinterval = 7200 +puppetport = 8139 +configtimeout = 300 diff --git a/templates/puppet/site.pp.erb b/templates/puppet/site.pp.erb deleted file mode 100644 index 6f3e5aa..0000000 --- a/templates/puppet/site.pp.erb +++ /dev/null @@ -1,8 +0,0 @@ -# -# Puppet site configuration. -# - -import "classes/users.pp" -import "classes/websites.pp" -import "modules.pp" -import "nodes.pp" |
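Review bot: The new `dbpassword = <%= storeconfigs_pw %>` and `certname = puppet.<%= base_domain %>` lines read template variables as bare Ruby locals; Puppet 3 deprecates that form in favour of instance variables, so `<%= @storeconfigs_pw %>` and `<%= @base_domain %>` (and the same in the `[agent]` `server` line) avoid a warning on every run. Nothing checks that `storeconfigs_pw` is defined: an unset value renders `dbpassword = ` silently and the master would then attempt a password-less MySQL login, so a short guard at the top of the template that fails the run when the variable is missing is preferable to discovering it in the database log. Where the rendered file ends up on disk and with which permissions is raised on the `manifests/classes/configurator.pp` hunk of this commit.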