authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2018-02-13 20:08:50 +0100
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2018-02-13 20:08:50 +0100
commit87b13ac5fdf74b8420776ce9df85bdb98acc8974 (patch)
treef9f04e5d80fd50dcb13f8fb1edbde338b909bb36
parentc19aa5768e7aa489255c604c3710e5ef3e099918 (diff)
port to Puppet 4.x
-rw-r--r--auth.conf60
-rw-r--r--code/environments/production/manifests/site.pp (renamed from manifests/site.pp)45
-rw-r--r--fileserver.conf17
-rw-r--r--hiera.yaml10
-rw-r--r--puppet.conf13
5 files changed, 76 insertions, 69 deletions
diff --git a/auth.conf b/auth.conf
index 96f078c..bf327a2 100644
--- a/auth.conf
+++ b/auth.conf
@@ -7,8 +7,8 @@
# otherwise, the general rules may "steal" requests that should be
# governed by the specific rules.
#
-# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
-# description of auth.conf's behavior.
+# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html
+# for a more complete description of auth.conf's behavior.
#
# Supported syntax:
# Each stanza in auth.conf starts with a path to match, followed
@@ -37,18 +37,18 @@
#
# Examples:
#
-# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
-# allow * # Allow all authenticated nodes (since auth
-# # defaults to `yes`).
+# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`.
+# allow * # Allow all authenticated nodes (since auth
+# # defaults to `yes`).
#
-# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
-# allow $1 # certname), but not any other node's catalog.
+# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
+# allow $1 # certname), but not any other node's catalog.
#
-# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
-# auth yes # access the "extra_files"
-# allow /^(.+)\.example\.com$/ # mount point; note this must
-# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
-# # since it is more specific.
+# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to
+# auth yes # access the "extra_files"
+# allow /^(.+)\.example\.com$/ # mount point; note this must
+# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
+# # since it is more specific.
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
@@ -60,23 +60,22 @@
### Authenticated ACLs - these rules apply only when the client
### has a valid certificate and is thus authenticated
+path /puppet/v3/environments
+method find
+allow *
+
# allow nodes to retrieve their own catalog
-path ~ ^/catalog/([^/]+)$
+path ~ ^/puppet/v3/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
-path ~ ^/node/([^/]+)$
+path ~ ^/puppet/v3/node/([^/]+)$
method find
allow $1
-# allow all nodes to access the certificates services
-path /certificate_revocation_list/ca
-method find
-allow *
-
# allow all nodes to store their own reports
-path ~ ^/report/([^/]+)$
+path ~ ^/puppet/v3/report/([^/]+)$
method save
allow $1
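Review bot: The new `path /puppet/v3/environments` stanza at the top of the authenticated ACLs has no comment, unlike the catalog, node and report stanzas around it; the same applies to `path /puppet/v3/status` in the next hunk. Both grant `allow *` to every node with a valid certificate, so the intent is worth stating next to the rule. Suggested comments: `# allow all authenticated nodes to list the available environments` and `# allow all authenticated nodes to query master status`.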
@@ -85,7 +84,16 @@ allow $1
# mount points (see fileserver.conf). Note that the `/file` prefix matches
# requests to both the file_metadata and file_content paths. See "Examples"
# above if you need more granular access control for custom mount points.
-path /file
+path /puppet/v3/file
+allow *
+
+path /puppet/v3/status
+method find
+allow *
+
+# allow all nodes to access the certificates services
+path /puppet-ca/v1/certificate_revocation_list/ca
+method find
allow *
### Unauthenticated ACLs, for clients without valid certificates; authenticated
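Review bot: The retained comment above `path /puppet/v3/file` still says "see fileserver.conf", but this same commit deletes fileserver.conf, so the pointer is stale. As far as this diff shows, the stanza's `allow *` with no `method` restriction is then the only access rule on file mounts for every authenticated node. If custom mount points are no longer served, reword the comment, e.g. `# pluginsync and file serving from modules (no custom mount points defined).`; if they are, name the place where they are now configured. The comment block starts outside this hunk.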
@@ -93,27 +101,23 @@ allow *
# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master's certificate
-path /certificate/ca
+path /puppet-ca/v1/certificate/ca
auth any
method find
allow *
# allow nodes to retrieve the certificate they requested earlier
-path /certificate/
+path /puppet-ca/v1/certificate/
auth any
method find
allow *
# allow nodes to request a new certificate
-path /certificate_request
+path /puppet-ca/v1/certificate_request
auth any
method find, save
allow *
-path /v2.0/environments
-method find
-allow *
-
# deny everything else; this ACL is not strictly necessary, but
# illustrates the default policy.
path /
diff --git a/manifests/site.pp b/code/environments/production/manifests/site.pp
index ea59081..685e417 100644
--- a/manifests/site.pp
+++ b/code/environments/production/manifests/site.pp
@@ -45,19 +45,19 @@ class ssh_pubkeys_backupserver {
}
class login_manager {
- package { 'kdm':
- ensure => 'installed',
- }
- package { 'lightdm':
- ensure => 'purged',
- }
+ package { 'arctica-greeter':
+ ensure => 'installed',
+ }
+ package { 'kdm':
+ ensure => 'purged',
+ }
}
-node "all_hosts" {
- class { 'ssh_pubkeys_admins': }
- class { 'ssh_pubkeys_firedadmins': }
- class { 'login_manager': }
-}
+#node "all_hosts" {
+# class { 'ssh_pubkeys_admins': }
+# class { 'ssh_pubkeys_firedadmins': }
+# class { 'login_manager': }
+#}
node "all_servers" {
class { 'ssh_pubkeys_admins': }
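Review bot: Commenting out `node "all_hosts"` leaves no visible node that declares `login_manager`, so the `arctica-greeter`/`kdm` package changes made in this hunk may never be applied. Any node that used to inherit from `all_hosts` would also stop receiving `ssh_pubkeys_admins` and `ssh_pubkeys_firedadmins`; whether such nodes exist is not visible here. Rather than keeping the block as commented-out code, delete it and leave one line saying where workstations now get these classes, e.g. `# workstation classes are assigned in <PLACEHOLDER: location>`.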
@@ -65,7 +65,10 @@ node "all_servers" {
class { 'ssh_pubkeys_backupserver': }
}
-node "disklserver.intern" inherits "all_servers" {
+node "disklserver.intern" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+ class { 'ssh_pubkeys_backupserver': }
# vidar.das-netzwerkteam.de is the deployment source for diskless workstation chroots
ssh_authorized_key { 'root@vidar.das-netzwerkteam.de':
type => 'ssh-rsa',
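Review bot: The three class declarations that replace `inherits "all_servers"` are copied verbatim into this node and into `tjener.intern`, `filter.intern` and `opsiserver.intern` in the next hunk. A node added later can therefore miss one of them unnoticed; `ssh_pubkeys_firedadmins` matters most here, since its name suggests it withdraws access. A single wrapper class declared by each server node keeps the set in one place (the name `server_base` below is only a suggestion). The `node "all_servers"` definition kept above is no longer referenced by anything visible and could then go. The body of `disklserver.intern` continues outside this hunk.

```puppet
class server_base {
  include ssh_pubkeys_admins
  include ssh_pubkeys_firedadmins
  include ssh_pubkeys_backupserver
}

node "disklserver.intern" {
  include server_base
  # … unchanged: ssh_authorized_key for root@vidar.das-netzwerkteam.de …
```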
@@ -74,10 +77,22 @@ node "disklserver.intern" inherits "all_servers" {
}
}
-node "tjener.intern" inherits "all_servers" {}
-node "filter.intern" inherits "all_servers" {}
+node "tjener.intern" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+ class { 'ssh_pubkeys_backupserver': }
+}
+node "filter.intern" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+ class { 'ssh_pubkeys_backupserver': }
+}
# NOT PRESENT node "bibserv.intern" inherits "all_servers" {}
-node "opsiserver.intern" inherits "all_servers" {}
+node "opsiserver.intern" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_firedadmins': }
+ class { 'ssh_pubkeys_backupserver': }
+}
# NOT PRESENT node "displayserver.intern" inherits "all_servers" {}
# NOT PRESENT node "contentserver.intern" inherits "all_servers" {}
# NOT PRESENT node "devserver.intern" inherits "all_servers" {}
diff --git a/fileserver.conf b/fileserver.conf
deleted file mode 100644
index 19cccda..0000000
--- a/fileserver.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# This file consists of arbitrarily named sections/modules
-# defining where files are served from and to whom
-
-# Define a section 'files'
-# Adapt the allow/deny settings to your needs. Order
-# for allow/deny does not matter, allow always takes precedence
-# over deny
-[files]
- path /etc/puppet/files
-# allow *.example.com
-# deny *.evil.example.com
-# allow 192.168.0.0/24
-
-[plugins]
-# allow *.example.com
-# deny *.evil.example.com
-# allow 192.168.0.0/24
diff --git a/hiera.yaml b/hiera.yaml
new file mode 100644
index 0000000..dde32ca
--- /dev/null
+++ b/hiera.yaml
@@ -0,0 +1,10 @@
+---
+:backends:
+ - yaml
+
+:hierarchy:
+ - "osfamily/%{::osfamily}"
+ - common
+
+:yaml:
+ :datadir: /etc/puppet/code/hiera
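Review bot: The only non-common hierarchy level is keyed on `%{::osfamily}`, a fact reported by the agent rather than taken from its certificate, and the new file has no comment saying so. With the plain `yaml` backend, anything stored under `/etc/puppet/code/hiera` is unencrypted, and a value looked up from `osfamily/` can end up in the catalog of any node that reports the matching fact. A header comment would make that constraint visible to whoever adds data later, e.g. `# Lookup keys are agent-reported facts; keep credentials out of this datadir.`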
diff --git a/puppet.conf b/puppet.conf
index 266ec51..c317c16 100644
--- a/puppet.conf
+++ b/puppet.conf
@@ -1,14 +1,9 @@
[main]
-logdir=/var/log/puppet
-vardir=/var/lib/puppet
-ssldir=/var/lib/puppet/ssl
-rundir=/var/run/puppet
-factpath=$vardir/lib/facter
+ssldir = /var/lib/puppet/ssl
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
[master]
-# These are needed when the puppetmaster is run by passenger
-# and can safely be removed if webrick is used.
-ssl_client_header = SSL_CLIENT_S_DN
-ssl_client_verify_header = SSL_CLIENT_VERIFY
+vardir = /var/lib/puppet
+cadir = /var/lib/puppet/ssl/ca
+dns_alt_names = puppet
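Review bot: Dropping `ssl_client_header` and `ssl_client_verify_header` from `[master]` is only safe if the master no longer runs behind Passenger, which the removed comment gave as the reason for them; the diff does not show how the 4.x master is served. If a TLS-terminating front end is still in place, the client identity would be read from Puppet's default header names instead, and the authenticated ACLs in auth.conf depend on that identity. A one-line comment in `[master]` would record the assumption, e.g. `# master terminates TLS itself; ssl_client_* headers not needed`. The added lines also use `key = value` spacing while the kept `prerun_command=` and `postrun_command=` lines do not; one style per file is easier to scan.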