summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2016-02-09 09:14:54 +0100
committerLocal Administrator <root@localhost>2016-02-09 09:15:33 +0100
commit3bdd5e324ed918c26a230fb76620561b1a017f87 (patch)
tree91104631af0930d4c24393bb146a61e9d8d03278
downloadpuppet.WDORF-3bdd5e324ed918c26a230fb76620561b1a017f87.tar.gz
puppet.WDORF-3bdd5e324ed918c26a230fb76620561b1a017f87.tar.bz2
puppet.WDORF-3bdd5e324ed918c26a230fb76620561b1a017f87.zip
initial commit, distribute SSH pubkeys
-rw-r--r--auth.conf120
-rwxr-xr-xetckeeper-commit-post10
-rwxr-xr-xetckeeper-commit-pre10
-rw-r--r--fileserver.conf17
-rw-r--r--manifests/site.pp58
-rw-r--r--puppet.conf14
6 files changed, 229 insertions, 0 deletions
diff --git a/auth.conf b/auth.conf
new file mode 100644
index 0000000..96f078c
--- /dev/null
+++ b/auth.conf
@@ -0,0 +1,120 @@
+# This is the default auth.conf file, which implements the default rules
+# used by the puppet master. (That is, the rules below will still apply
+# even if this file is deleted.)
+#
+# The ACLs are evaluated in top-down order. More specific stanzas should
+# be towards the top of the file and more general ones at the bottom;
+# otherwise, the general rules may "steal" requests that should be
+# governed by the specific rules.
+#
+# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
+# description of auth.conf's behavior.
+#
+# Supported syntax:
+# Each stanza in auth.conf starts with a path to match, followed
+# by optional modifiers, and finally, a series of allow or deny
+# directives.
+#
+# Example Stanza
+# ---------------------------------
+# path /path/to/resource # simple prefix match
+# # path ~ regex # alternately, regex match
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|backreference|*|regex]
+# deny [host|backreference|*|regex]
+# allow_ip [ip|cidr|ip_wildcard|*]
+# deny_ip [ip|cidr|ip_wildcard|*]
+#
+# The path match can either be a simple prefix match or a regular
+# expression. `path /file` would match both `/file_metadata` and
+# `/file_content`. Regex matches allow the use of backreferences
+# in the allow/deny directives.
+#
+# The regex syntax is the same as for Ruby regex, and captures backreferences
+# for use in the `allow` and `deny` lines of that stanza
+#
+# Examples:
+#
+# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
+# allow * # Allow all authenticated nodes (since auth
+# # defaults to `yes`).
+#
+# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
+# allow $1 # certname), but not any other node's catalog.
+#
+# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
+# auth yes # access the "extra_files"
+# allow /^(.+)\.example\.com$/ # mount point; note this must
+# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
+# # since it is more specific.
+#
+# environment:: restrict an ACL to a comma-separated list of environments
+# method:: restrict an ACL to a comma-separated list of HTTP methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACLs - these rules apply only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
+method save
+allow $1
+
+# Allow all nodes to access all file services; this is necessary for
+# pluginsync, file serving from modules, and file serving from custom
+# mount points (see fileserver.conf). Note that the `/file` prefix matches
+# requests to both the file_metadata and file_content paths. See "Examples"
+# above if you need more granular access control for custom mount points.
+path /file
+allow *
+
+### Unauthenticated ACLs, for clients without valid certificates; authenticated
+### clients can also access these paths, though they rarely need to.
+
+# allow access to the CA certificate; unauthenticated nodes need this
+# in order to validate the puppet master's certificate
+path /certificate/ca
+auth any
+method find
+allow *
+
+# allow nodes to retrieve the certificate they requested earlier
+path /certificate/
+auth any
+method find
+allow *
+
+# allow nodes to request a new certificate
+path /certificate_request
+auth any
+method find, save
+allow *
+
+path /v2.0/environments
+method find
+allow *
+
+# deny everything else; this ACL is not strictly necessary, but
+# illustrates the default policy.
+path /
+auth any
diff --git a/etckeeper-commit-post b/etckeeper-commit-post
new file mode 100755
index 0000000..489b2bd
--- /dev/null
+++ b/etckeeper-commit-post
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+which etckeeper > /dev/null 2>&1 || exit 0
+
+etckeeper commit "committing changes in /etc after puppet catalog run"
+
+# Failure of etckeeper should not be fatal.
+exit 0
diff --git a/etckeeper-commit-pre b/etckeeper-commit-pre
new file mode 100755
index 0000000..a66fb62
--- /dev/null
+++ b/etckeeper-commit-pre
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+which etckeeper > /dev/null 2>&1 || exit 0
+
+etckeeper commit "saving uncommitted changes in /etc prior to puppet catalog run"
+
+# Failure of etckeeper should not be fatal.
+exit 0
diff --git a/fileserver.conf b/fileserver.conf
new file mode 100644
index 0000000..19cccda
--- /dev/null
+++ b/fileserver.conf
@@ -0,0 +1,17 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Define a section 'files'
+# Adapt the allow/deny settings to your needs. Order
+# for allow/deny does not matter, allow always takes precedence
+# over deny
+[files]
+ path /etc/puppet/files
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
+
+[plugins]
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
diff --git a/manifests/site.pp b/manifests/site.pp
new file mode 100644
index 0000000..27fcd63
--- /dev/null
+++ b/manifests/site.pp
@@ -0,0 +1,58 @@
+class ssh_pubkeys_admins {
+ # Mike Gabriel, IT-Zukunft Schule
+ ssh_authorized_key { 'mike@minobo':
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDn2moKR4u3yJW+/hvwmhUDjiLBxiMPB+46YO9iEo8HXsdulpMi20hi2TTmWA0w3hog1IEnre6C7UGHcZG0HfPg+eROIuuXRcOfg3WP/IBV0KMF4DTa1KDoN/Nw7HMlhWxGxFrdbumAoj/s2ZaA/of1fpaPKOhunF8S9Ch60LYmgnR3tzJW/b0jS9fww8o/rMB3pZy2WSW0uUfpOIbDv+XHhNiC/iu8IgD+M5KkK+qbNZFPoTQkebc0RPRBcOrmEYroofFGg+7jPU++AEKJUKSaGjZRWzACuXiUzTo2F9fT09EMWU4oiYV9zRqjx6ctncwfEB4qOfoRUycfxBSJk7t7',
+ user => 'root',
+ }
+ # Marcel Sandow, IT-Zukunft Schule
+ ssh_authorized_key { 'marcel@Bigblue':
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQD3RPZTCJNjuV2vq8cO6AwPaVcjimg2DgRi2GitC/K4HzQuy0+RswVktyBACKpFogx254S1gjGoueYDfHq+T4hdoBussGln0MEsJKbEPEgWpGUZgurg3eWSAlzAWlhf9Goy5ZA362sOz3NsbY3DE+4CqxQWth+CctpGz1WzAvFy0K7oclfoncbOlftgEUukvKqJtSapxNAb+O+Ijjur/yaXKwk/dK7T+ZTPhZwChlxo50kLuiN8d3TYgFxc19LncJxq6s8BqQs70Z6m1CNHA07t6UD01Pto29TRNZfAnjuAP8FiO9Cu06cUnHrwlG2jgvr5hA0rLFYnVtgGaQX6RCsT',
+ user => 'root',
+ }
+ # Marius Rasch, IT-Zukunft Schule
+ ssh_authorized_key { 'marius@soledad':
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCuoOfxXovfHlODw7dDlfcLKHaD7fotGT5Kb/HADNQY+GMINKy9Zu71/qpjVZtrckLl92nS7ygCf7+KpyfihdJgKBIeacikD4Y8/slDA2AbBuTZsHOp9HEzopmE1DbJbjeFtnjv8usPx/zB0buEtXy7Fa+bMIu6gIDIK7pO83kqiI/uv1sDyyaElw50Hn8tvZg7OtVHuShxjRCZVDolqUKBDDrQ+lZQG24XeMrQ4cEZ9yLYNAeeLwqqiWqnQ0jrCf2JYI4V7Oo1tvjKJM8HiVFSjsPh8cEu5iLBi08fuKCR7p1efSTOsy06HeraZpWJw5MH+At7sy3qjuuJ0oftrg3n',
+ user => 'root',
+ }
+}
+
+class ssh_pubkeys_firedadmins {
+ ssh_authorized_key { 'lucian@SATELLITE':
+ ensure => 'absent',
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC71S/LYktwTalKjE6Sb7XlOyV1tr1O+codh4C3g9uVtjqytYj/Lx6hExxegwN2tiTAjb3skEKpdg7uRbmpEZBtyST/UrrJCB0l0KbjJelfh4MANuRF+H9CNAPwaxcLfCWeTFwmQW8mcSHE20ljY7kpJykEoihBVjK49k+kD+sphIG1o4BU8nQii0i5/U2HqHkPZHzCIjIprN9kTx/n/zMmCLwuIW58KJitG/ttBXPq+TMsN/zcUQm7/PL7UmIMlvUtKzApuM36PUyah7/rpOB5mIYrqFcDXSBUpFLT1CIvfH6ZR5umhnwiRXDsVfP8e0WB1JhOZV1LqOez8s7c4a6/',
+ user => 'root',
+ }
+}
+
+class ssh_pubkeys_backupserver {
+ ssh_authorized_key { 'root@backup-01':
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDuL2erF6MsjPHWe/Xprqdqnc+CuCs6PD0RCL52UcOAOpK24Ra4WHFdufBGr4HFtaSdF1I6jMi/iXaUZCfvsjkAM6YZ9qkSTeODQVFEqX5oxEnHqGQAK9eAEPFGd+EY4ZOAtvIzT2MXMXvePwMDoAolaPG5bQFTnochYLeUS38VJViKdasOH9QC4mSxlyt+PAPN8Ou2mGPvnbr0TIWdh+wYHA5IFaqfFae36hJNFrHZ6h9cusaYTFF8+lFne/zgGI3AnirkRXjwfE2zQDn1/XNay7jsVRCPZLrFtKpf0zJrdrIS1sgkT3cwAM4ZUZG/Jog/fbRpjB0SRTfEROJrW7Ox',
+ user => 'root',
+ }
+}
+
+node "all_hosts" {
+ class { 'ssh_pubkeys_admins': }
+}
+
+node "all_servers" {
+ class { 'ssh_pubkeys_admins': }
+ class { 'ssh_pubkeys_backupserver': }
+}
+
+node "disklserver.intern" inherits "all_servers" {
+ # vidar.das-netzwerkteam.de is the deployment source for diskless workstation chroots
+ ssh_authorized_key { 'root@vidar.das-netzwerkteam.de':
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDiLGbx/U9slB9db8PAy8FTRo7/avVvLJUOZzkoBxZa5Edeo+74ezoU2Kv1OxcRJRnSGBe41XDcpLxDS04JMA5xBddUfdq5c+Y1A2SYChUPK1fkrGoKfmGC60dFmEqAQZ33dJhN9rxzQvuvxlmexX8x2TYJC8/jATa+6QuO4chHAFvGo9RLs8hzet5y06fammJDkf0yD6R32GT7q4XMNXilKQ564D1yBJygE6vZx/W3V3l8/QMr6m1lYTTk+W+29IkoxvQBZ6YXKFdnuTVkSYyanafjZwznTFSuBtBZKcgLXFFmyplcB4QlZGvdrrsEJazwwj+pnJeGx0HwV8ePbKxN',
+ user => 'root',
+ }
+}
+
+node "bibserv.intern" inherits "all_servers" {
+}
diff --git a/puppet.conf b/puppet.conf
new file mode 100644
index 0000000..266ec51
--- /dev/null
+++ b/puppet.conf
@@ -0,0 +1,14 @@
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+prerun_command=/etc/puppet/etckeeper-commit-pre
+postrun_command=/etc/puppet/etckeeper-commit-post
+
+[master]
+# These are needed when the puppetmaster is run by passenger
+# and can safely be removed if webrick is used.
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY