initial draft of a minimal puppet config template

1 files changed, 124 insertions, 0 deletions

diff --git a/auth.conf b/auth.conf
new file mode 100644
index 0000000..bf327a2
--- /dev/null
+++ b/auth.conf
@@ -0,0 +1,124 @@
+# This is the default auth.conf file, which implements the default rules
+# used by the puppet master. (That is, the rules below will still apply
+# even if this file is deleted.)
+#
+# The ACLs are evaluated in top-down order. More specific stanzas should
+# be towards the top of the file and more general ones at the bottom;
+# otherwise, the general rules may "steal" requests that should be
+# governed by the specific rules.
+#
+# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html
+# for a more complete description of auth.conf's behavior.
+#
+# Supported syntax:
+# Each stanza in auth.conf starts with a path to match, followed
+# by optional modifiers, and finally, a series of allow or deny
+# directives.
+#
+# Example Stanza
+# ---------------------------------
+# path /path/to/resource     # simple prefix match
+# # path ~ regex             # alternately, regex match
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|backreference|*|regex]
+# deny [host|backreference|*|regex]
+# allow_ip [ip|cidr|ip_wildcard|*]
+# deny_ip [ip|cidr|ip_wildcard|*]
+#
+# The path match can either be a simple prefix match or a regular
+# expression. `path /file` would match both `/file_metadata` and
+# `/file_content`. Regex matches allow the use of backreferences
+# in the allow/deny directives.
+#
+# The regex syntax is the same as for Ruby regex, and captures backreferences
+# for use in the `allow` and `deny` lines of that stanza
+#
+# Examples:
+#
+# path ~ ^/puppet/v3/path/to/resource    # Equivalent to `path /puppet/v3/path/to/resource`.
+# allow *                                # Allow all authenticated nodes (since auth
+#                                        # defaults to `yes`).
+#
+# path ~ ^/puppet/v3/catalog/([^/]+)$    # Permit nodes to access their own catalog (by
+# allow $1                               # certname), but not any other node's catalog.
+#
+# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/  # Only allow certain nodes to
+# auth yes                                                 # access the "extra_files"
+# allow /^(.+)\.example\.com$/                             # mount point; note this must
+# allow_ip 192.168.100.0/24                                # go ABOVE the "/file" rule,
+#                                                          # since it is more specific.
+#
+# environment:: restrict an ACL to a comma-separated list of environments
+# method:: restrict an ACL to a comma-separated list of HTTP methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACLs - these rules apply only when the client
+### has a valid certificate and is thus authenticated
+
+path /puppet/v3/environments
+method find
+allow *
+
+# allow nodes to retrieve their own catalog
+path ~ ^/puppet/v3/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+path ~ ^/puppet/v3/node/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to store their own reports
+path ~ ^/puppet/v3/report/([^/]+)$
+method save
+allow $1
+
+# Allow all nodes to access all file services; this is necessary for
+# pluginsync, file serving from modules, and file serving from custom
+# mount points (see fileserver.conf). Note that the `/file` prefix matches
+# requests to both the file_metadata and file_content paths. See "Examples"
+# above if you need more granular access control for custom mount points.
+path /puppet/v3/file
+allow *
+
+path /puppet/v3/status
+method find
+allow *
+
+# allow all nodes to access the certificates services
+path /puppet-ca/v1/certificate_revocation_list/ca
+method find
+allow *
+
+### Unauthenticated ACLs, for clients without valid certificates; authenticated
+### clients can also access these paths, though they rarely need to.
+
+# allow access to the CA certificate; unauthenticated nodes need this
+# in order to validate the puppet master's certificate
+path /puppet-ca/v1/certificate/ca
+auth any
+method find
+allow *
+
+# allow nodes to retrieve the certificate they requested earlier
+path /puppet-ca/v1/certificate/
+auth any
+method find
+allow *
+
+# allow nodes to request a new certificate
+path /puppet-ca/v1/certificate_request
+auth any
+method find, save
+allow *
+
+# deny everything else; this ACL is not strictly necessary, but
+# illustrates the default policy.
+path /
+auth any