diff options
| -rw-r--r-- | auth.conf | 150 | ||||
| -rw-r--r-- | hiera.yaml | 15 | ||||
| -rw-r--r-- | puppet.conf | 2 |
3 files changed, 9 insertions, 158 deletions
diff --git a/auth.conf b/auth.conf deleted file mode 100644 index 9629d3e..0000000 --- a/auth.conf +++ /dev/null @@ -1,150 +0,0 @@ -# This is the default auth.conf file, which implements the default rules -# used by the puppet master. (That is, the rules below will still apply -# even if this file is deleted.) -# -# The ACLs are evaluated in top-down order. More specific stanzas should -# be towards the top of the file and more general ones at the bottom; -# otherwise, the general rules may "steal" requests that should be -# governed by the specific rules. -# -# See https://puppet.com/docs/puppet/latest/config_file_auth.html -# for a more complete description of auth.conf's behavior. -# -# Supported syntax: -# Each stanza in auth.conf starts with a path to match, followed -# by optional modifiers, and finally, a series of allow or deny -# directives. -# -# Example Stanza -# --------------------------------- -# path /path/to/resource # simple prefix match -# # path ~ regex # alternately, regex match -# [environment envlist] -# [method methodlist] -# [auth[enthicated] {yes|no|on|off|any}] -# allow [host|backreference|*|regex] -# deny [host|backreference|*|regex] -# allow_ip [ip|cidr|ip_wildcard|*] -# deny_ip [ip|cidr|ip_wildcard|*] -# -# The path match can either be a simple prefix match or a regular -# expression. `path /file` would match both `/file_metadata` and -# `/file_content`. Regex matches allow the use of backreferences -# in the allow/deny directives. -# -# The regex syntax is the same as for Ruby regex, and captures backreferences -# for use in the `allow` and `deny` lines of that stanza -# -# Examples: -# -# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. -# allow * # Allow all authenticated nodes (since auth -# # defaults to `yes`). -# -# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by -# allow $1 # certname), but not any other node's catalog. -# -# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to -# auth yes # access the "extra_files" -# allow /^(.+)\.example\.com$/ # mount point; note this must -# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, -# # since it is more specific. -# -# environment:: restrict an ACL to a comma-separated list of environments -# method:: restrict an ACL to a comma-separated list of HTTP methods -# auth:: restrict an ACL to an authenticated or unauthenticated request -# the default when unspecified is to restrict the ACL to authenticated requests -# (ie exactly as if auth yes was present). -# - -# CONTROLLING FILE ACCESS (previously in fileserver.conf) - -# In previous versions of Puppet, you controlled file access by adding -# rules to fileserver.conf. In Puppet 5 with Puppet Server, you can control -# file access in auth.conf by controlling the /file_metadata(s)/<mount point>, -# /file_content(s)/<mount point>, and /static_file_content/<file> paths. See the -# Puppet Server documentation at -# https://puppet.com/docs/puppetserver/latest/config_file_auth.html. -# -# If you are not using Puppet Server, or are using Puppet Server but with the -# "jruby-puppet.use-legacy-auth-conf" setting set to "true", you could set the -# desired file access in a new rule in this file. For example: -# -# path ~ ^/file_(metadata|content)s?/extra_files/ -# auth yes -# allow /^(.+)\.example\.com$/ -# allow_ip 192.168.100.0/24 -# -# If added to auth.conf BEFORE the default "path /file" rule, this rule -# will add stricter restrictions to the extra_files mount point. - -### Authenticated ACLs - these rules apply only when the client -### has a valid certificate and is thus authenticated - -path /puppet/v3/environments -method find -allow * - -# allow nodes to retrieve their own catalog -path ~ ^/puppet/v3/catalog/([^/]+)$ -method find -allow $1 - -# allow nodes to retrieve their own node definition -path ~ ^/puppet/v3/node/([^/]+)$ -method find -allow $1 - -# allow all nodes to store their own reports -path ~ ^/puppet/v3/report/([^/]+)$ -method save -allow $1 - -# allow all nodes to update their own facts -path ~ ^/puppet/v3/facts/([^/]+)$ -method save -allow $1 - -# Allow all nodes to access all file services; this is necessary for -# pluginsync, file serving from modules, and file serving from custom -# mount points (see fileserver.conf). Note that the `/file` prefix matches -# requests to both the file_metadata and file_content paths. See "Examples" -# above if you need more granular access control for custom mount points. -path /puppet/v3/file -allow * - -path /puppet/v3/status -method find -allow * - -# allow all nodes to access the certificates services -path /puppet-ca/v1/certificate_revocation_list/ca -method find -allow * - -### Unauthenticated ACLs, for clients without valid certificates; authenticated -### clients can also access these paths, though they rarely need to. - -# allow access to the CA certificate; unauthenticated nodes need this -# in order to validate the puppet master's certificate -path /puppet-ca/v1/certificate/ca -auth any -method find -allow * - -# allow nodes to retrieve the certificate they requested earlier -path /puppet-ca/v1/certificate/ -auth any -method find -allow * - -# allow nodes to request a new certificate -path /puppet-ca/v1/certificate_request -auth any -method find, save -allow * - -# deny everything else; this ACL is not strictly necessary, but -# illustrates the default policy. -path / -auth any @@ -1,10 +1,11 @@ --- -:backends: - - yaml +# Hiera 5 Global configuration file -:hierarchy: - - "osfamily/%{::osfamily}" - - common +version: 5 -:yaml: - :datadir: /etc/puppet/code/hiera +# defaults: +# data_hash: yaml_data +# hierarchy: +# - name: Common +# data_hash: yaml_data +hierarchy: [] diff --git a/puppet.conf b/puppet.conf index f9e4817..64302d8 100644 --- a/puppet.conf +++ b/puppet.conf @@ -9,5 +9,5 @@ http_proxy_port = 3128 [master] vardir = /var/lib/puppet -cadir = /var/lib/puppet/ssl/ca +cadir = /etc/puppet/puppetserver/ca dns_alt_names = puppet |