Diffstat (limited to 'templates/puppet')
-rw-r--r--templates/puppet/auth.conf.erb37
-rw-r--r--templates/puppet/fileserver.conf.erb20
-rw-r--r--templates/puppet/modules.pp.erb6
-rw-r--r--templates/puppet/puppet.conf.erb48
-rw-r--r--templates/puppet/site.pp.erb8
5 files changed, 50 insertions, 69 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
index 431e4b2..47740dc 100644
--- a/templates/puppet/auth.conf.erb
+++ b/templates/puppet/auth.conf.erb
@@ -45,34 +45,37 @@
# (ie exactly as if auth yes was present).
#
-### Authenticated ACL - those applies only when the client
-### has a valid certificate and is thus authenticated
+# Allow authenticated nodes to retrieve their own catalogs:
-# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
-# allow all nodes to access the certificates services
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
path /certificate_revocation_list/ca
method find
allow *
-# allow all nodes to store their reports
+# Allow authenticated nodes to send reports:
+
path /report
method save
allow *
-# inconditionnally allow access to all files services
-# which means in practice that fileserver.conf will
-# still be used
-path /file
-allow *
+# Allow unauthenticated access to certificates:
-### Unauthenticated ACL, for clients for which the current master doesn't
-### have a valid certificate
-
-# allow access to the master CA
path /certificate/ca
auth no
method find
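Review bot: `path /file` with `allow *` is a plain prefix match, so it covers `/file_bucket_file` as well as `/file_metadata` and `/file_content`, and with no `method` line it permits every method; any authenticated node can then read back file contents that other nodes backed up to the master's filebucket. If cross-node filebucket reads are not wanted, add an explicit rule ahead of it, e.g. `path /file_bucket_file` / `method save` / `allow *`, and, if this Puppet version supports `deny`, a `method find` rule with `deny *` (or an allow limited to the host you restore from); first match wins, so both must precede `path /file`. The comment above `path /file` should also say that fileserver.conf is consulted only for the file-serving mounts, not for the filebucket endpoint.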
@@ -83,12 +86,14 @@ auth no
method find
allow *
+# Allow unauthenticated nodes to submit certificate signing requests:
+
path /certificate_request
auth no
method find, save
allow *
-# this one is not stricly necessary, but it has the merit
-# to show the default policy which is deny everything else
+# Deny all other requests:
+
path /
auth any
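Review bot: the `/certificate_request` rule lets any unauthenticated peer `save` a CSR under any name and `find` anyone's pending CSR, so the only thing between a rogue host and a signed node certificate is `autosign = false` in puppet.conf; the comment here should say so, e.g. `# Unauthenticated by design; signing is gated by autosign = false in puppet.conf -- keep that setting off.` For `auth no` rules the `allow` pattern can only be matched against the connecting host's address or reverse DNS, so narrowing `*` here would add little. The closing `path /` `auth any` rule denies only because it carries no `allow`; a comment stating that would stop someone appending rules below it that can never be reached.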
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
index b8ad720..3046e96 100644
--- a/templates/puppet/fileserver.conf.erb
+++ b/templates/puppet/fileserver.conf.erb
@@ -1,17 +1,7 @@
-# top-level
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Files
[files]
path /etc/puppet/files
- allow *.<%= domain %>
-
-[keys]
- path /etc/puppet/files/keys
- allow *.<%= domain %>
-
-# modules
-[common]
- path /etc/puppet/modules/common/files
- allow *.<%= domain %>
-
-[puppet]
- path /etc/puppet/modules/puppet/files
- allow *.<%= domain %>
+ allow *.<%= base_domain %>
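Review bot: the removed `[keys]` mount pointed at `/etc/puppet/files/keys`, which sits inside the surviving `[files]` mount's `/etc/puppet/files`, so the deletion does not stop serving it — every host matching `*.<%= base_domain %>` can now fetch `puppet:///files/keys/...`. If that directory holds per-host secrets, move it out of the `[files]` tree or give it its own mount whose `allow` lists only the hosts that need each key, since fileserver.conf allow patterns are per mount, not per file. A one-line comment on `[files]`, e.g. `# Everything under this path is readable by every node in the domain.`, would make that visible to whoever adds files there.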
diff --git a/templates/puppet/modules.pp.erb b/templates/puppet/modules.pp.erb
deleted file mode 100644
index 3df3fe3..0000000
--- a/templates/puppet/modules.pp.erb
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# Module definitions.
-#
-
-# Nodo automatically import all modules we need.
-import "nodo"
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
index 72306a2..2ebfc9e 100644
--- a/templates/puppet/puppet.conf.erb
+++ b/templates/puppet/puppet.conf.erb
@@ -1,29 +1,29 @@
[main]
-rundir = /var/run/puppet
-logdir = /var/log/puppet
-vardir = /var/lib/puppetmaster
-ssldir = $vardir/ssl
-factpath = $vardir/lib/facter
-pluginsync = true
+logdir = /var/log/puppet
+vardir = /var/lib/puppetmaster
+ssldir = $vardir/ssl
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
[master]
-vardir = /var/lib/puppet
-templatedir = $vardir/templates
-autosign = false
-certname = puppet.<%= domain%>
-#storeconfigs = true
-#dbadapter = mysql
-#dbserver = localhost
-#dbuser = puppet
-#dbpassword =
-#dbconnections = 15
-
-# Needed by mongrel
-ssl_client_header = HTTP_X_SSL_SUBJECT
+templatedir = $vardir/templates
+masterport = 8140
+autosign = false
+storeconfigs = true
+dbadapter = mysql
+dbserver = localhost
+dbuser = puppet
+dbpassword = <%= storeconfigs_pw %>
+dbconnections = 15
+certname = puppet.<%= base_domain %>
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
-server = puppet.<%= domain%>
-vardir = /var/lib/puppet
-ssldir = $vardir/ssl
-runinterval = 1800
-puppetport = 8139
+server = puppet.<%= base_domain %>
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 7200
+puppetport = 8139
+configtimeout = 300
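Review bot: `dbpassword = <%= storeconfigs_pw %>` puts a live database credential into puppet.conf, a file that is commonly installed world-readable; the recipe that renders this template should deploy it 0640 (root:puppet) or the password becomes readable by every local user. `ssl_client_header = SSL_CLIENT_S_DN` and `ssl_client_verify_header = SSL_CLIENT_VERIFY` make the master take the client identity from request headers, so the fronting web server must set those from its own TLS verification and strip any client-supplied copies, otherwise a peer reaching port 8140 can impersonate any node; a comment above those two lines, e.g. `# Client identity is trusted from these headers: the front-end must set them itself and drop client-supplied values.`, would record that dependency. Dropping `vardir` from `[master]` also appears to move the master's `$vardir`-derived paths (templatedir, and ssldir if it resolves per section) from /var/lib/puppet to /var/lib/puppetmaster; if the CA currently lives under /var/lib/puppet/ssl, confirm that is intended.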
diff --git a/templates/puppet/site.pp.erb b/templates/puppet/site.pp.erb
deleted file mode 100644
index 6f3e5aa..0000000
--- a/templates/puppet/site.pp.erb
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Puppet site configuration.
-#
-
-import "classes/users.pp"
-import "classes/websites.pp"
-import "modules.pp"
-import "nodes.pp"