From 87b13ac5fdf74b8420776ce9df85bdb98acc8974 Mon Sep 17 00:00:00 2001 From: Mike Gabriel Date: Tue, 13 Feb 2018 20:08:50 +0100 Subject: port to Puppet 4.x --- auth.conf | 60 ++++++++-------- code/environments/production/manifests/site.pp | 98 ++++++++++++++++++++++++++ fileserver.conf | 17 ----- hiera.yaml | 10 +++ manifests/site.pp | 83 ---------------------- puppet.conf | 13 ++-- 6 files changed, 144 insertions(+), 137 deletions(-) create mode 100644 code/environments/production/manifests/site.pp delete mode 100644 fileserver.conf create mode 100644 hiera.yaml delete mode 100644 manifests/site.pp diff --git a/auth.conf b/auth.conf index 96f078c..bf327a2 100644 --- a/auth.conf +++ b/auth.conf @@ -7,8 +7,8 @@ # otherwise, the general rules may "steal" requests that should be # governed by the specific rules. # -# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete -# description of auth.conf's behavior. +# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html +# for a more complete description of auth.conf's behavior. # # Supported syntax: # Each stanza in auth.conf starts with a path to match, followed @@ -37,18 +37,18 @@ # # Examples: # -# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. -# allow * # Allow all authenticated nodes (since auth -# # defaults to `yes`). +# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. +# allow * # Allow all authenticated nodes (since auth +# # defaults to `yes`). # -# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by -# allow $1 # certname), but not any other node's catalog. +# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by +# allow $1 # certname), but not any other node's catalog. # -# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to -# auth yes # access the "extra_files" -# allow /^(.+)\.example\.com$/ # mount point; note this must -# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, -# # since it is more specific. +# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to +# auth yes # access the "extra_files" +# allow /^(.+)\.example\.com$/ # mount point; note this must +# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, +# # since it is more specific. # # environment:: restrict an ACL to a comma-separated list of environments # method:: restrict an ACL to a comma-separated list of HTTP methods @@ -60,23 +60,22 @@ ### Authenticated ACLs - these rules apply only when the client ### has a valid certificate and is thus authenticated +path /puppet/v3/environments +method find +allow * + # allow nodes to retrieve their own catalog -path ~ ^/catalog/([^/]+)$ +path ~ ^/puppet/v3/catalog/([^/]+)$ method find allow $1 # allow nodes to retrieve their own node definition -path ~ ^/node/([^/]+)$ +path ~ ^/puppet/v3/node/([^/]+)$ method find allow $1 -# allow all nodes to access the certificates services -path /certificate_revocation_list/ca -method find -allow * - # allow all nodes to store their own reports -path ~ ^/report/([^/]+)$ +path ~ ^/puppet/v3/report/([^/]+)$ method save allow $1 @@ -85,7 +84,16 @@ allow $1 # mount points (see fileserver.conf). Note that the `/file` prefix matches # requests to both the file_metadata and file_content paths. See "Examples" # above if you need more granular access control for custom mount points. -path /file +path /puppet/v3/file +allow * + +path /puppet/v3/status +method find +allow * + +# allow all nodes to access the certificates services +path /puppet-ca/v1/certificate_revocation_list/ca +method find allow * ### Unauthenticated ACLs, for clients without valid certificates; authenticated @@ -93,27 +101,23 @@ allow * # allow access to the CA certificate; unauthenticated nodes need this # in order to validate the puppet master's certificate -path /certificate/ca +path /puppet-ca/v1/certificate/ca auth any method find allow * # allow nodes to retrieve the certificate they requested earlier -path /certificate/ +path /puppet-ca/v1/certificate/ auth any method find allow * # allow nodes to request a new certificate -path /certificate_request +path /puppet-ca/v1/certificate_request auth any method find, save allow * -path /v2.0/environments -method find -allow * - # deny everything else; this ACL is not strictly necessary, but # illustrates the default policy. path / diff --git a/code/environments/production/manifests/site.pp b/code/environments/production/manifests/site.pp new file mode 100644 index 0000000..685e417 --- /dev/null +++ b/code/environments/production/manifests/site.pp @@ -0,0 +1,98 @@ +class ssh_pubkeys_admins { + # Mike Gabriel, IT-Zukunft Schule + ssh_authorized_key { 'mike@minobo': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDn2moKR4u3yJW+/hvwmhUDjiLBxiMPB+46YO9iEo8HXsdulpMi20hi2TTmWA0w3hog1IEnre6C7UGHcZG0HfPg+eROIuuXRcOfg3WP/IBV0KMF4DTa1KDoN/Nw7HMlhWxGxFrdbumAoj/s2ZaA/of1fpaPKOhunF8S9Ch60LYmgnR3tzJW/b0jS9fww8o/rMB3pZy2WSW0uUfpOIbDv+XHhNiC/iu8IgD+M5KkK+qbNZFPoTQkebc0RPRBcOrmEYroofFGg+7jPU++AEKJUKSaGjZRWzACuXiUzTo2F9fT09EMWU4oiYV9zRqjx6ctncwfEB4qOfoRUycfxBSJk7t7', + user => 'root', + } + # Marcel Sandow, IT-Zukunft Schule + ssh_authorized_key { 'marcel@Bigblue': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQD3RPZTCJNjuV2vq8cO6AwPaVcjimg2DgRi2GitC/K4HzQuy0+RswVktyBACKpFogx254S1gjGoueYDfHq+T4hdoBussGln0MEsJKbEPEgWpGUZgurg3eWSAlzAWlhf9Goy5ZA362sOz3NsbY3DE+4CqxQWth+CctpGz1WzAvFy0K7oclfoncbOlftgEUukvKqJtSapxNAb+O+Ijjur/yaXKwk/dK7T+ZTPhZwChlxo50kLuiN8d3TYgFxc19LncJxq6s8BqQs70Z6m1CNHA07t6UD01Pto29TRNZfAnjuAP8FiO9Cu06cUnHrwlG2jgvr5hA0rLFYnVtgGaQX6RCsT', + user => 'root', + } + # Benjamin Schlüter, LOGO EDV-Systeme GmbH + ssh_authorized_key { 'benni@nbbenni': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCy2oN7DNtxUXsKUEOsQiUWW9fupzVJAuoaGe3OWxlcZN1je9EpObfHEn5HuYJFcBgHK6PSapPIOJ9QXbLsUYX5vhQwx9oBOg7W8He0kNscO23kjVOLJGaebGX5zNpf96RjZIy/Jhwlb73hCMqTTdp+D3/VDIm7q1UbMn2KOl9ldGwPJCxppeBeHdr89CED1RX/XAXt69qknrC1wm1NXp+UGz9FaG9YWJPNrFXBBvrGCt1oUrB8bXo/poo+doIuVmMqvN0e7lBDOzsRIiorDEk/cFc+ZOUBn4QOeY7J7keX6l2v3AxRXq6ErZrX+ooa83duRGXj2HkNWufmAi0CqzeXqGFIw+9S9vextn/zCp15G737cruJ50nX5jK38I9fnf3rfGveYdGuf3ta3Eihw1QiK/J4DQeTFKscsR4+P/iRcnsFO4/aVgDbOtCeKIaLK0fh9JWa/H2NVaLWvYv7beDoPtZ7I8TW+SsnO6mykmqUg679fcA/ZTIoAfLfK99UDiOhpye0EtWxGMiBBHn0V1RbERNjfHEVcBnlvcnPRIqkfwOEK5bASXpzzPvEuEGkFlHhtuXQ6WoWdA8zCq+lakNLYeq8CemU9Hd20JgILOidP4Yt9yNuusTP/EDg0AN9fggQe/rc1Raui/5/rVgkzqYFp8DMbgFAAcBTqsBCh1GVDQ==', + user => 'root', + } +} + +class ssh_pubkeys_firedadmins { + # Lucian Anderwald, IT-Zukunft Schule + ssh_authorized_key { 'lucian@SATELLITE': + ensure => 'absent', + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC71S/LYktwTalKjE6Sb7XlOyV1tr1O+codh4C3g9uVtjqytYj/Lx6hExxegwN2tiTAjb3skEKpdg7uRbmpEZBtyST/UrrJCB0l0KbjJelfh4MANuRF+H9CNAPwaxcLfCWeTFwmQW8mcSHE20ljY7kpJykEoihBVjK49k+kD+sphIG1o4BU8nQii0i5/U2HqHkPZHzCIjIprN9kTx/n/zMmCLwuIW58KJitG/ttBXPq+TMsN/zcUQm7/PL7UmIMlvUtKzApuM36PUyah7/rpOB5mIYrqFcDXSBUpFLT1CIvfH6ZR5umhnwiRXDsVfP8e0WB1JhOZV1LqOez8s7c4a6/', + user => 'root', + } + # Marius Rasch, IT-Zukunft Schule + ssh_authorized_key { 'marius@soledad': + ensure => 'absent', + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCuoOfxXovfHlODw7dDlfcLKHaD7fotGT5Kb/HADNQY+GMINKy9Zu71/qpjVZtrckLl92nS7ygCf7+KpyfihdJgKBIeacikD4Y8/slDA2AbBuTZsHOp9HEzopmE1DbJbjeFtnjv8usPx/zB0buEtXy7Fa+bMIu6gIDIK7pO83kqiI/uv1sDyyaElw50Hn8tvZg7OtVHuShxjRCZVDolqUKBDDrQ+lZQG24XeMrQ4cEZ9yLYNAeeLwqqiWqnQ0jrCf2JYI4V7Oo1tvjKJM8HiVFSjsPh8cEu5iLBi08fuKCR7p1efSTOsy06HeraZpWJw5MH+At7sy3qjuuJ0oftrg3n', + user => 'root', + } +} + +class ssh_pubkeys_backupserver { + ssh_authorized_key { 'root@idunn.das-netzwerkteam.de': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAoP6h9pYVdFMlSj/EgXpgYVZZ61mrm3KTS7CNWjAaefPSU1dXk6NUqTP3QbgVQGVQwb/9usW4Wz2xOjarZUAKWZsrH8kkkoitZMBHUSnYVp2hx33MS62NreSuMSKCf8U5hwiR9S4aifg5l6Bcq1uJ8ht2zcUnsuEV1Prrey0YXAfw29mpVMJSr57pQRYsRTWjcPrO959PB4rQFuj3/SN1z5lMH9gfurVN1o7Hz2C+GQVhSW5ngb+Hmb4T3Y7bcLZomWQZLLkmZNv98gfsL33bl0WFEPQ3lH8x2OjUSO7lDuxzKxl0c5HY71fNk7nPU1mx17MPzHOQfleJJPrfSKrf4Q==', + user => 'root', + } +} + +class login_manager { + package { 'arctica-greeter': + ensure => 'installed', + } + package { 'kdm': + ensure => 'purged', + } +} + +#node "all_hosts" { +# class { 'ssh_pubkeys_admins': } +# class { 'ssh_pubkeys_firedadmins': } +# class { 'login_manager': } +#} + +node "all_servers" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } +} + +node "disklserver.intern" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } + # vidar.das-netzwerkteam.de is the deployment source for diskless workstation chroots + ssh_authorized_key { 'root@vidar.das-netzwerkteam.de': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDiLGbx/U9slB9db8PAy8FTRo7/avVvLJUOZzkoBxZa5Edeo+74ezoU2Kv1OxcRJRnSGBe41XDcpLxDS04JMA5xBddUfdq5c+Y1A2SYChUPK1fkrGoKfmGC60dFmEqAQZ33dJhN9rxzQvuvxlmexX8x2TYJC8/jATa+6QuO4chHAFvGo9RLs8hzet5y06fammJDkf0yD6R32GT7q4XMNXilKQ564D1yBJygE6vZx/W3V3l8/QMr6m1lYTTk+W+29IkoxvQBZ6YXKFdnuTVkSYyanafjZwznTFSuBtBZKcgLXFFmyplcB4QlZGvdrrsEJazwwj+pnJeGx0HwV8ePbKxN', + user => 'root', + } +} + +node "tjener.intern" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } +} +node "filter.intern" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } +} +# NOT PRESENT node "bibserv.intern" inherits "all_servers" {} +node "opsiserver.intern" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } +} +# NOT PRESENT node "displayserver.intern" inherits "all_servers" {} +# NOT PRESENT node "contentserver.intern" inherits "all_servers" {} +# NOT PRESENT node "devserver.intern" inherits "all_servers" {} diff --git a/fileserver.conf b/fileserver.conf deleted file mode 100644 index 19cccda..0000000 --- a/fileserver.conf +++ /dev/null @@ -1,17 +0,0 @@ -# This file consists of arbitrarily named sections/modules -# defining where files are served from and to whom - -# Define a section 'files' -# Adapt the allow/deny settings to your needs. Order -# for allow/deny does not matter, allow always takes precedence -# over deny -[files] - path /etc/puppet/files -# allow *.example.com -# deny *.evil.example.com -# allow 192.168.0.0/24 - -[plugins] -# allow *.example.com -# deny *.evil.example.com -# allow 192.168.0.0/24 diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 0000000..dde32ca --- /dev/null +++ b/hiera.yaml @@ -0,0 +1,10 @@ +--- +:backends: + - yaml + +:hierarchy: + - "osfamily/%{::osfamily}" + - common + +:yaml: + :datadir: /etc/puppet/code/hiera diff --git a/manifests/site.pp b/manifests/site.pp deleted file mode 100644 index ea59081..0000000 --- a/manifests/site.pp +++ /dev/null @@ -1,83 +0,0 @@ -class ssh_pubkeys_admins { - # Mike Gabriel, IT-Zukunft Schule - ssh_authorized_key { 'mike@minobo': - type => 'ssh-rsa', - key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDn2moKR4u3yJW+/hvwmhUDjiLBxiMPB+46YO9iEo8HXsdulpMi20hi2TTmWA0w3hog1IEnre6C7UGHcZG0HfPg+eROIuuXRcOfg3WP/IBV0KMF4DTa1KDoN/Nw7HMlhWxGxFrdbumAoj/s2ZaA/of1fpaPKOhunF8S9Ch60LYmgnR3tzJW/b0jS9fww8o/rMB3pZy2WSW0uUfpOIbDv+XHhNiC/iu8IgD+M5KkK+qbNZFPoTQkebc0RPRBcOrmEYroofFGg+7jPU++AEKJUKSaGjZRWzACuXiUzTo2F9fT09EMWU4oiYV9zRqjx6ctncwfEB4qOfoRUycfxBSJk7t7', - user => 'root', - } - # Marcel Sandow, IT-Zukunft Schule - ssh_authorized_key { 'marcel@Bigblue': - type => 'ssh-rsa', - key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQD3RPZTCJNjuV2vq8cO6AwPaVcjimg2DgRi2GitC/K4HzQuy0+RswVktyBACKpFogx254S1gjGoueYDfHq+T4hdoBussGln0MEsJKbEPEgWpGUZgurg3eWSAlzAWlhf9Goy5ZA362sOz3NsbY3DE+4CqxQWth+CctpGz1WzAvFy0K7oclfoncbOlftgEUukvKqJtSapxNAb+O+Ijjur/yaXKwk/dK7T+ZTPhZwChlxo50kLuiN8d3TYgFxc19LncJxq6s8BqQs70Z6m1CNHA07t6UD01Pto29TRNZfAnjuAP8FiO9Cu06cUnHrwlG2jgvr5hA0rLFYnVtgGaQX6RCsT', - user => 'root', - } - # Benjamin Schlüter, LOGO EDV-Systeme GmbH - ssh_authorized_key { 'benni@nbbenni': - type => 'ssh-rsa', - key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCy2oN7DNtxUXsKUEOsQiUWW9fupzVJAuoaGe3OWxlcZN1je9EpObfHEn5HuYJFcBgHK6PSapPIOJ9QXbLsUYX5vhQwx9oBOg7W8He0kNscO23kjVOLJGaebGX5zNpf96RjZIy/Jhwlb73hCMqTTdp+D3/VDIm7q1UbMn2KOl9ldGwPJCxppeBeHdr89CED1RX/XAXt69qknrC1wm1NXp+UGz9FaG9YWJPNrFXBBvrGCt1oUrB8bXo/poo+doIuVmMqvN0e7lBDOzsRIiorDEk/cFc+ZOUBn4QOeY7J7keX6l2v3AxRXq6ErZrX+ooa83duRGXj2HkNWufmAi0CqzeXqGFIw+9S9vextn/zCp15G737cruJ50nX5jK38I9fnf3rfGveYdGuf3ta3Eihw1QiK/J4DQeTFKscsR4+P/iRcnsFO4/aVgDbOtCeKIaLK0fh9JWa/H2NVaLWvYv7beDoPtZ7I8TW+SsnO6mykmqUg679fcA/ZTIoAfLfK99UDiOhpye0EtWxGMiBBHn0V1RbERNjfHEVcBnlvcnPRIqkfwOEK5bASXpzzPvEuEGkFlHhtuXQ6WoWdA8zCq+lakNLYeq8CemU9Hd20JgILOidP4Yt9yNuusTP/EDg0AN9fggQe/rc1Raui/5/rVgkzqYFp8DMbgFAAcBTqsBCh1GVDQ==', - user => 'root', - } -} - -class ssh_pubkeys_firedadmins { - # Lucian Anderwald, IT-Zukunft Schule - ssh_authorized_key { 'lucian@SATELLITE': - ensure => 'absent', - type => 'ssh-rsa', - key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC71S/LYktwTalKjE6Sb7XlOyV1tr1O+codh4C3g9uVtjqytYj/Lx6hExxegwN2tiTAjb3skEKpdg7uRbmpEZBtyST/UrrJCB0l0KbjJelfh4MANuRF+H9CNAPwaxcLfCWeTFwmQW8mcSHE20ljY7kpJykEoihBVjK49k+kD+sphIG1o4BU8nQii0i5/U2HqHkPZHzCIjIprN9kTx/n/zMmCLwuIW58KJitG/ttBXPq+TMsN/zcUQm7/PL7UmIMlvUtKzApuM36PUyah7/rpOB5mIYrqFcDXSBUpFLT1CIvfH6ZR5umhnwiRXDsVfP8e0WB1JhOZV1LqOez8s7c4a6/', - user => 'root', - } - # Marius Rasch, IT-Zukunft Schule - ssh_authorized_key { 'marius@soledad': - ensure => 'absent', - type => 'ssh-rsa', - key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCuoOfxXovfHlODw7dDlfcLKHaD7fotGT5Kb/HADNQY+GMINKy9Zu71/qpjVZtrckLl92nS7ygCf7+KpyfihdJgKBIeacikD4Y8/slDA2AbBuTZsHOp9HEzopmE1DbJbjeFtnjv8usPx/zB0buEtXy7Fa+bMIu6gIDIK7pO83kqiI/uv1sDyyaElw50Hn8tvZg7OtVHuShxjRCZVDolqUKBDDrQ+lZQG24XeMrQ4cEZ9yLYNAeeLwqqiWqnQ0jrCf2JYI4V7Oo1tvjKJM8HiVFSjsPh8cEu5iLBi08fuKCR7p1efSTOsy06HeraZpWJw5MH+At7sy3qjuuJ0oftrg3n', - user => 'root', - } -} - -class ssh_pubkeys_backupserver { - ssh_authorized_key { 'root@idunn.das-netzwerkteam.de': - type => 'ssh-rsa', - key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAoP6h9pYVdFMlSj/EgXpgYVZZ61mrm3KTS7CNWjAaefPSU1dXk6NUqTP3QbgVQGVQwb/9usW4Wz2xOjarZUAKWZsrH8kkkoitZMBHUSnYVp2hx33MS62NreSuMSKCf8U5hwiR9S4aifg5l6Bcq1uJ8ht2zcUnsuEV1Prrey0YXAfw29mpVMJSr57pQRYsRTWjcPrO959PB4rQFuj3/SN1z5lMH9gfurVN1o7Hz2C+GQVhSW5ngb+Hmb4T3Y7bcLZomWQZLLkmZNv98gfsL33bl0WFEPQ3lH8x2OjUSO7lDuxzKxl0c5HY71fNk7nPU1mx17MPzHOQfleJJPrfSKrf4Q==', - user => 'root', - } -} - -class login_manager { - package { 'kdm': - ensure => 'installed', - } - package { 'lightdm': - ensure => 'purged', - } -} - -node "all_hosts" { - class { 'ssh_pubkeys_admins': } - class { 'ssh_pubkeys_firedadmins': } - class { 'login_manager': } -} - -node "all_servers" { - class { 'ssh_pubkeys_admins': } - class { 'ssh_pubkeys_firedadmins': } - class { 'ssh_pubkeys_backupserver': } -} - -node "disklserver.intern" inherits "all_servers" { - # vidar.das-netzwerkteam.de is the deployment source for diskless workstation chroots - ssh_authorized_key { 'root@vidar.das-netzwerkteam.de': - type => 'ssh-rsa', - key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDiLGbx/U9slB9db8PAy8FTRo7/avVvLJUOZzkoBxZa5Edeo+74ezoU2Kv1OxcRJRnSGBe41XDcpLxDS04JMA5xBddUfdq5c+Y1A2SYChUPK1fkrGoKfmGC60dFmEqAQZ33dJhN9rxzQvuvxlmexX8x2TYJC8/jATa+6QuO4chHAFvGo9RLs8hzet5y06fammJDkf0yD6R32GT7q4XMNXilKQ564D1yBJygE6vZx/W3V3l8/QMr6m1lYTTk+W+29IkoxvQBZ6YXKFdnuTVkSYyanafjZwznTFSuBtBZKcgLXFFmyplcB4QlZGvdrrsEJazwwj+pnJeGx0HwV8ePbKxN', - user => 'root', - } -} - -node "tjener.intern" inherits "all_servers" {} -node "filter.intern" inherits "all_servers" {} -# NOT PRESENT node "bibserv.intern" inherits "all_servers" {} -node "opsiserver.intern" inherits "all_servers" {} -# NOT PRESENT node "displayserver.intern" inherits "all_servers" {} -# NOT PRESENT node "contentserver.intern" inherits "all_servers" {} -# NOT PRESENT node "devserver.intern" inherits "all_servers" {} diff --git a/puppet.conf b/puppet.conf index 266ec51..c317c16 100644 --- a/puppet.conf +++ b/puppet.conf @@ -1,14 +1,9 @@ [main] -logdir=/var/log/puppet -vardir=/var/lib/puppet -ssldir=/var/lib/puppet/ssl -rundir=/var/run/puppet -factpath=$vardir/lib/facter +ssldir = /var/lib/puppet/ssl prerun_command=/etc/puppet/etckeeper-commit-pre postrun_command=/etc/puppet/etckeeper-commit-post [master] -# These are needed when the puppetmaster is run by passenger -# and can safely be removed if webrick is used. -ssl_client_header = SSL_CLIENT_S_DN -ssl_client_verify_header = SSL_CLIENT_VERIFY +vardir = /var/lib/puppet +cadir = /var/lib/puppet/ssl/ca +dns_alt_names = puppet -- cgit v1.2.3