diff options
| -rw-r--r-- | auth.conf | 60 | ||||
| -rw-r--r-- | code/environments/production/manifests/site.pp (renamed from manifests/site.pp) | 124 | ||||
| -rw-r--r-- | fileserver.conf | 17 | ||||
| -rw-r--r-- | hiera.yaml | 10 | ||||
| -rw-r--r-- | puppet.conf | 13 |
5 files changed, 121 insertions, 103 deletions
@@ -7,8 +7,8 @@ # otherwise, the general rules may "steal" requests that should be # governed by the specific rules. # -# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete -# description of auth.conf's behavior. +# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html +# for a more complete description of auth.conf's behavior. # # Supported syntax: # Each stanza in auth.conf starts with a path to match, followed @@ -37,18 +37,18 @@ # # Examples: # -# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. -# allow * # Allow all authenticated nodes (since auth -# # defaults to `yes`). +# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. +# allow * # Allow all authenticated nodes (since auth +# # defaults to `yes`). # -# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by -# allow $1 # certname), but not any other node's catalog. +# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by +# allow $1 # certname), but not any other node's catalog. # -# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to -# auth yes # access the "extra_files" -# allow /^(.+)\.example\.com$/ # mount point; note this must -# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, -# # since it is more specific. +# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to +# auth yes # access the "extra_files" +# allow /^(.+)\.example\.com$/ # mount point; note this must +# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, +# # since it is more specific. # # environment:: restrict an ACL to a comma-separated list of environments # method:: restrict an ACL to a comma-separated list of HTTP methods @@ -60,23 +60,22 @@ ### Authenticated ACLs - these rules apply only when the client ### has a valid certificate and is thus authenticated +path /puppet/v3/environments +method find +allow * + # allow nodes to retrieve their own catalog -path ~ ^/catalog/([^/]+)$ +path ~ ^/puppet/v3/catalog/([^/]+)$ method find allow $1 # allow nodes to retrieve their own node definition -path ~ ^/node/([^/]+)$ +path ~ ^/puppet/v3/node/([^/]+)$ method find allow $1 -# allow all nodes to access the certificates services -path /certificate_revocation_list/ca -method find -allow * - # allow all nodes to store their own reports -path ~ ^/report/([^/]+)$ +path ~ ^/puppet/v3/report/([^/]+)$ method save allow $1 @@ -85,7 +84,16 @@ allow $1 # mount points (see fileserver.conf). Note that the `/file` prefix matches # requests to both the file_metadata and file_content paths. See "Examples" # above if you need more granular access control for custom mount points. -path /file +path /puppet/v3/file +allow * + +path /puppet/v3/status +method find +allow * + +# allow all nodes to access the certificates services +path /puppet-ca/v1/certificate_revocation_list/ca +method find allow * ### Unauthenticated ACLs, for clients without valid certificates; authenticated @@ -93,27 +101,23 @@ allow * # allow access to the CA certificate; unauthenticated nodes need this # in order to validate the puppet master's certificate -path /certificate/ca +path /puppet-ca/v1/certificate/ca auth any method find allow * # allow nodes to retrieve the certificate they requested earlier -path /certificate/ +path /puppet-ca/v1/certificate/ auth any method find allow * # allow nodes to request a new certificate -path /certificate_request +path /puppet-ca/v1/certificate_request auth any method find, save allow * -path /v2.0/environments -method find -allow * - # deny everything else; this ACL is not strictly necessary, but # illustrates the default policy. path / diff --git a/manifests/site.pp b/code/environments/production/manifests/site.pp index 087c210..da0c84d 100644 --- a/manifests/site.pp +++ b/code/environments/production/manifests/site.pp @@ -53,16 +53,15 @@ class anacron_on_battery { } class login_manager { - package { 'kdm': + package { 'arctica-greeter': ensure => 'installed', } - package { 'lightdm': + package { 'kdm': ensure => 'purged', } } - -class itzks-systems-common { +class itzks_systems_common { package { 'itzks-systems-common': ensure => 'latest', } @@ -93,44 +92,46 @@ class fsautoresizetab_change_usr { } } - -node "all_hosts" { - class { 'ssh_pubkeys_admins': } - class { 'ssh_pubkeys_firedadmins': } - class { 'login_manager': } - class { 'itzks-systems-common': } - - # settings appropriate for workstation hosts - class { 'apt::unattended_upgrades': - origins => [ - 'o=Debian,n=${distro_codename}', - 'o=Debian,n=${distro_codename}-updates', - 'o=Debian,n=${distro_codename},l=Debian-Security', - 'o=IT-Zukunft Schule,n=${distro_codename},l=IT-Zukunft Schule', - ], - update => "1", - download => "1", - upgrade => "1", - autoclean => "7", - auto_fix => true, - minimal_steps => true, - install_on_shutdown => false, - remove_unused => true, - auto_reboot => false, - download_delta => "1", - } - -} - - -node "all_servers" { +#node "all_hosts" { +# class { 'ssh_pubkeys_admins': } +# class { 'ssh_pubkeys_firedadmins': } +# class { 'login_manager': } +# class { 'itzks-systems-common': } +# +# # settings appropriate for workstation hosts +# class { 'apt::unattended_upgrades': +# origins => [ +# 'o=Debian,n=${distro_codename}', +# 'o=Debian,n=${distro_codename}-updates', +# 'o=Debian,n=${distro_codename},l=Debian-Security', +# 'o=IT-Zukunft Schule,n=${distro_codename},l=IT-Zukunft Schule', +# ], +# update => "1", +# download => "1", +# upgrade => "1", +# autoclean => "7", +# auto_fix => true, +# minimal_steps => true, +# install_on_shutdown => false, +# remove_unused => true, +# auto_reboot => false, +# download_delta => "1", +# } +# +#} + +#node "all_servers" { +# class { 'ssh_pubkeys_admins': } +# class { 'ssh_pubkeys_firedadmins': } +# class { 'ssh_pubkeys_backupserver': } +# class { 'itzks_systems_common': } +#} + +node "disklserver.intern" { class { 'ssh_pubkeys_admins': } class { 'ssh_pubkeys_firedadmins': } class { 'ssh_pubkeys_backupserver': } - class { 'itzks-systems-common': } -} - -node "disklserver.intern" inherits "all_servers" { + class { 'itzks_systems_common': } # vidar.das-netzwerkteam.de is the deployment source for diskless workstation chroots ssh_authorized_key { 'root@vidar.das-netzwerkteam.de': type => 'ssh-rsa', @@ -139,19 +140,44 @@ node "disklserver.intern" inherits "all_servers" { } } -node "tjener.intern" inherits "all_servers" {} -node "filter.intern" inherits "all_servers" {} +node "tjener.intern" inherits "all_servers" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } + class { 'itzks_systems_common': } +} +node "filter.intern" inherits "all_servers" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } + class { 'itzks_systems_common': } +} # NOT PRESENT node "opsiserver.intern" inherits "all_servers" {} # NOT PRESENT node "displayserver.intern" inherits "all_servers" {} -node "contentserver.intern" inherits "all_servers" {} -node "devserver.intern" inherits "all_servers" {} -node "bibserv.intern" inherits "all_servers" {} +node "contentserver.intern" inherits "all_servers" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } + class { 'itzks_systems_common': } +} +node "devserver.intern" inherits "all_servers" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } + class { 'itzks_systems_common': } +} +node "bibserv.intern" inherits "all_servers" { + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'ssh_pubkeys_backupserver': } + class { 'itzks_systems_common': } +} # Notebooks in den Medienwägen -node /mw.*.intern$/ inherits "all_hosts" { - class { 'anacron_on_battery': } - class { 'fsautoresizetab': } - class { 'fsautoresizetab_change_var': } - class { 'fsautoresizetab_change_usr': } +node /mw.*.intern$/ { + class { 'anacron_on_battery': } + class { 'ssh_pubkeys_admins': } + class { 'ssh_pubkeys_firedadmins': } + class { 'login_manager': } } diff --git a/fileserver.conf b/fileserver.conf deleted file mode 100644 index 19cccda..0000000 --- a/fileserver.conf +++ /dev/null @@ -1,17 +0,0 @@ -# This file consists of arbitrarily named sections/modules -# defining where files are served from and to whom - -# Define a section 'files' -# Adapt the allow/deny settings to your needs. Order -# for allow/deny does not matter, allow always takes precedence -# over deny -[files] - path /etc/puppet/files -# allow *.example.com -# deny *.evil.example.com -# allow 192.168.0.0/24 - -[plugins] -# allow *.example.com -# deny *.evil.example.com -# allow 192.168.0.0/24 diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 0000000..dde32ca --- /dev/null +++ b/hiera.yaml @@ -0,0 +1,10 @@ +--- +:backends: + - yaml + +:hierarchy: + - "osfamily/%{::osfamily}" + - common + +:yaml: + :datadir: /etc/puppet/code/hiera diff --git a/puppet.conf b/puppet.conf index 266ec51..c317c16 100644 --- a/puppet.conf +++ b/puppet.conf @@ -1,14 +1,9 @@ [main] -logdir=/var/log/puppet -vardir=/var/lib/puppet -ssldir=/var/lib/puppet/ssl -rundir=/var/run/puppet -factpath=$vardir/lib/facter +ssldir = /var/lib/puppet/ssl prerun_command=/etc/puppet/etckeeper-commit-pre postrun_command=/etc/puppet/etckeeper-commit-post [master] -# These are needed when the puppetmaster is run by passenger -# and can safely be removed if webrick is used. -ssl_client_header = SSL_CLIENT_S_DN -ssl_client_verify_header = SSL_CLIENT_VERIFY +vardir = /var/lib/puppet +cadir = /var/lib/puppet/ssl/ca +dns_alt_names = puppet |