diff --git a/templates/_header.erb b/templates/_header.erb deleted file mode 100644 index f0b5c2e..0000000 --- a/templates/_header.erb +++ /dev/null @@ -1,2 +0,0 @@ -### File managed with puppet ### -## Module: '<%= scope.to_hash['module_name'] %>' diff --git a/templates/agent/systemd.puppet-run.service.erb b/templates/agent/systemd.puppet-run.service.erb index 44fa798..20339ca 100644 --- a/templates/agent/systemd.puppet-run.service.erb +++ b/templates/agent/systemd.puppet-run.service.erb @@ -1,9 +1,12 @@ +# +# Managed by Puppet +# [Unit] Description=Systemd Timer Service for Puppet Agent [Service] Type=oneshot ExecStart=<%= @command %> SuccessExitStatus=2 User=root Group=root diff --git a/templates/agent/systemd.puppet-run.timer.erb b/templates/agent/systemd.puppet-run.timer.erb index 794f765..27ede70 100644 --- a/templates/agent/systemd.puppet-run.timer.erb +++ b/templates/agent/systemd.puppet-run.timer.erb @@ -1,10 +1,13 @@ +# +# Managed by Puppet +# [Unit] Description=Systemd Timer for Puppet Agent [Timer] OnCalendar=*-*-* <%= Array(@times[0]).join(',') %>:<%= Array(@times[1]).join(',') %>:00 Persistent=true RandomizedDelaySec=<%= @randomizeddelaysec %> [Install] WantedBy=timers.target diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb index 394bed9..9d2f70c 100644 --- a/templates/auth.conf.erb +++ b/templates/auth.conf.erb 
@@ -1,168 +1,171 @@ +# +# Managed by Puppet +# # This is the default auth.conf file, which implements the default rules # used by the puppet master. (That is, the rules below will still apply # even if this file is deleted.) # # The ACLs are evaluated in top-down order. More specific stanzas should # be towards the top of the file and more general ones at the bottom; # otherwise, the general rules may "steal" requests that should be # governed by the specific rules. # # See https://puppet.com/docs/puppet/latest/config_file_auth.html # for a more complete description of auth.conf's behavior. # # Supported syntax: # Each stanza in auth.conf starts with a path to match, followed # by optional modifiers, and finally, a series of allow or deny # directives. # # Example Stanza # --------------------------------- # path /path/to/resource # simple prefix match # # path ~ regex # alternately, regex match # [environment envlist] # [method methodlist] # [auth[enthicated] {yes|no|on|off|any}] # allow [host|backreference|*|regex] # deny [host|backreference|*|regex] # allow_ip [ip|cidr|ip_wildcard|*] # deny_ip [ip|cidr|ip_wildcard|*] # # The path match can either be a simple prefix match or a regular # expression. `path /file` would match both `/file_metadata` and # `/file_content`. Regex matches allow the use of backreferences # in the allow/deny directives. # # The regex syntax is the same as for Ruby regex, and captures backreferences # for use in the `allow` and `deny` lines of that stanza # # Examples: # # path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. # allow * # Allow all authenticated nodes (since auth # # defaults to `yes`). # # path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by # allow $1 # certname), but not any other node's catalog. 
# # path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to # auth yes # access the "extra_files" # allow /^(.+)\.example\.com$/ # mount point; note this must # allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, # # since it is more specific. # # environment:: restrict an ACL to a comma-separated list of environments # method:: restrict an ACL to a comma-separated list of HTTP methods # auth:: restrict an ACL to an authenticated or unauthenticated request # the default when unspecified is to restrict the ACL to authenticated requests # (ie exactly as if auth yes was present). # # CONTROLLING FILE ACCESS (previously in fileserver.conf) # In previous versions of Puppet, you controlled file access by adding # rules to fileserver.conf. In Puppet 5 with Puppet Server, you can control # file access in auth.conf by controlling the /file_metadata(s)/, # /file_content(s)/, and /static_file_content/ paths. See the # Puppet Server documentation at # https://puppet.com/docs/puppetserver/latest/config_file_auth.html. # # If you are not using Puppet Server, or are using Puppet Server but with the # "jruby-puppet.use-legacy-auth-conf" setting set to "true", you could set the # desired file access in a new rule in this file. For example: # # path ~ ^/file_(metadata|content)s?/extra_files/ # auth yes # allow /^(.+)\.example\.com$/ # allow_ip 192.168.100.0/24 # # If added to auth.conf BEFORE the default "path /file" rule, this rule # will add stricter restrictions to the extra_files mount point. 
### Authenticated ACLs - these rules apply only when the client ### has a valid certificate and is thus authenticated path /puppet/v3/environments method find allow * <% if @puppetversion.to_f < 5.0 -%> path /puppet/v3/resource_type method search allow * <% end -%> # allow nodes to retrieve their own catalog path ~ ^/puppet/v3/catalog/([^/]+)$ method find allow <%= @auth_allowed.join(', ') %> # allow nodes to retrieve their own node definition path ~ ^/puppet/v3/node/([^/]+)$ method find allow <%= @auth_allowed.join(', ') %> # allow all nodes to store their own reports path ~ ^/puppet/v3/report/([^/]+)$ method save allow <%= @auth_allowed.join(', ') %> <% if @puppetversion.to_f >= 5.5 -%> # allow all nodes to update their own facts path ~ ^/puppet/v3/facts/([^/]+)$ method save allow <%= @auth_allowed.join(', ') %> <% end -%> # Allow all nodes to access all file services; this is necessary for # pluginsync, file serving from modules, and file serving from custom # mount points (see fileserver.conf). Note that the `/file` prefix matches # requests to both the file_metadata and file_content paths. See "Examples" # above if you need more granular access control for custom mount points. path /puppet/v3/file allow * path /puppet/v3/status method find allow * # allow all nodes to access the certificates services path /puppet-ca/v1/certificate_revocation_list/ca <% if @allow_any_crl_auth -%> auth any <% end -%> method find allow * ### Unauthenticated ACLs, for clients without valid certificates; authenticated ### clients can also access these paths, though they rarely need to. 
# allow access to the CA certificate; unauthenticated nodes need this # in order to validate the puppet master's certificate path /puppet-ca/v1/certificate/ca auth any method find allow * # allow nodes to retrieve the certificate they requested earlier path /puppet-ca/v1/certificate/ auth any method find allow * # allow nodes to request a new certificate path /puppet-ca/v1/certificate_request auth any method find, save allow * <% if scope.lookupvar('::puppet::listen') -%> path /run auth any method save allow <%= if (!@listen_to.empty?) then @listen_to.join(",") elsif ( @puppetmaster and !@puppetmaster.empty? ) then @puppetmaster else @fqdn end %> <% end -%> # deny everything else; this ACL is not strictly necessary, but # illustrates the default policy. path / auth any diff --git a/templates/server/autosign.conf.erb b/templates/server/autosign.conf.erb index b299689..9c8d272 100644 --- a/templates/server/autosign.conf.erb +++ b/templates/server/autosign.conf.erb @@ -1,4 +1,6 @@ +# # Managed by Puppet +# <% scope.lookupvar("puppet::server::autosign_entries").each do |entry| -%> <%= entry %> <% end -%> diff --git a/templates/server/environment.conf.erb b/templates/server/environment.conf.erb index 7355602..a625f33 100644 --- a/templates/server/environment.conf.erb +++ b/templates/server/environment.conf.erb @@ -1,12 +1,15 @@ +# +# Managed by Puppet +# <% if @manifest -%> manifest = <%= @manifest %> <% end -%> <% if @custom_modulepath && @real_modulepath -%> modulepath = <%= [@real_modulepath].flatten.join(":") %> <% end -%> <% if !@config_version.nil? && !@config_version.empty? -%> config_version = <%= @config_version %> <% end -%> <% if @environment_timeout -%> environment_timeout = <%= @environment_timeout %> <% end -%> diff --git a/templates/server/post-receive.erb b/templates/server/post-receive.erb index 2a66295..37173b0 100644 --- a/templates/server/post-receive.erb +++ b/templates/server/post-receive.erb 
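Review bot: The `allow` value of the `path /run` stanza is computed by an inline `if … elsif … else … end` expression packed into a single `<%= %>` tag, which is hard to read and uses `and` where `&&` is the conventional boolean operator. Computing the value in a `<% %>` block first and then emitting `allow <%= run_allow %>` keeps the rendered line simple and the precedence obvious. A one-line comment on the stanza, e.g. `# auth any: only the hosts listed below may trigger agent runs without presenting a client certificate`, would also make clear why the list is deliberately narrow.
```erb
<% if scope.lookupvar('::puppet::listen') -%>
<%
  run_allow = if !@listen_to.empty?
                @listen_to.join(",")
              elsif @puppetmaster && !@puppetmaster.empty?
                @puppetmaster
              else
                @fqdn
              end
-%>
path /run
auth any
method save
allow <%= run_allow %>
<% end -%>
```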
@@ -1,122 +1,122 @@ -<% @template_header = '' -ERB.new(File.read(File.expand_path("../_header.erb",File.dirname(file))), nil, nil, "@template_header").result(binding) -%> #!/usr/bin/env ruby -<%= @template_header %> +# +# Managed by Puppet +# require 'fileutils' require 'etc' $stdout.sync = true $stderr.sync = true # Set this to where you want to keep your environments ENVIRONMENT_BASEDIR = "<%= scope.lookupvar("puppet::server::envs_dir") %>" # post-receive hooks set GIT_DIR to the current repository. If you want to # clone from a non-local repository, set this to the URL of the repository, # such as git@git.host:puppet.git SOURCE_REPOSITORY = File.expand_path(ENV['GIT_DIR']) # Mapping of branches to directories. In many cases, the master branch is # checked out to the 'development' environment. BRANCH_MAP = { <% if @git_branch_map -%> <% @git_branch_map.sort.each do |g,p| -%> "<%= g %>" => "<%= p %>", <% end -%> <% end -%> } # The git_dir environment variable will override the --git-dir, so we remove it # to allow us to create new directories cleanly. ENV.delete('GIT_DIR') # Ensure that we have the underlying directories, otherwise the later commands # may fail in somewhat cryptic manners. unless File.directory? ENVIRONMENT_BASEDIR puts %Q{#{ENVIRONMENT_BASEDIR} does not exist, cannot create environment directories.} exit 1 end # If we're running as root we change our UID to the owner of this file. file_uid = File.stat($0).uid if file_uid != Process.uid and Process.uid == 0 Process::UID.change_privilege(file_uid) # Set LOGNAME and HOME directories to file-owning user's values # so git can read ~/.config/git/attributes (for example) without error file_pwuid = Etc::getpwuid(file_uid) ENV.store('LOGNAME',file_pwuid.name) ENV.store('HOME',file_pwuid.dir) end # Run a command, return its output and abort if it fails def do_cmd(cmd) ret = %x{#{cmd}} if $?.exitstatus != 0 puts("'#{cmd}' failed. 
Giving up.") exit 1 end ret end # You can push multiple refspecs at once, like 'git push origin branch1 branch2', # so we need to handle each one. $stdin.each_line do |line| oldrev, newrev, refname = line.split(" ") # Determine the branch name from the refspec we're received, which is in the # format refs/heads/, and make sure that it doesn't have any possibly # dangerous characters branchname = refname.sub(%r{^refs/heads/(.*$)}) { $1 } if branchname =~ /[\W]/ puts %Q{Branch "#{branchname}" contains non-word characters, ignoring it.} next end if BRANCH_MAP[branchname] != nil environment_name = BRANCH_MAP[branchname] environment_path = "#{ENVIRONMENT_BASEDIR}/#{BRANCH_MAP[branchname]}" else environment_name = branchname environment_path = "#{ENVIRONMENT_BASEDIR}/#{branchname}" end if newrev =~ /^0+$/ # We've received a push with a null revision, something like 000000000000, # which means that we should delete the given branch. puts "Deleting existing environment #{environment_name}" if File.directory? environment_path FileUtils.rm_rf environment_path, :secure => true end else # We have been given a branch that needs to be created or updated. If the # environment exists, update it. Else, create it. if File.directory? environment_path # Update an existing environment. We do a fetch and then reset in the # case that someone did a force push to a branch. puts "Updating existing environment #{environment_name}" Dir.chdir environment_path do_cmd("git fetch --all") do_cmd("git reset --hard 'origin/#{branchname}'") if File.exists? "#{environment_path}/.gitmodules" # ensure that we remove deleted sub modules too do_cmd("git status --short").split("\n").each do |file| # ?? old_submodule/ if file =~ /\s*\?{2}\s*(\S*)/ puts "Found a few unknown files.. deleting #{$1}" FileUtils.rm_rf $1, :secure => true end end do_cmd("git submodule sync") do_cmd("git submodule update --init --recursive") end else # Instantiate a new environment from the current repository. 
puts "Creating new environment #{environment_name}" do_cmd("git clone --recursive #{SOURCE_REPOSITORY} #{environment_path} --branch #{branchname}") end end end diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb index 533101f..04bcc95 100644 --- a/templates/server/puppetserver/conf.d/auth.conf.erb +++ b/templates/server/puppetserver/conf.d/auth.conf.erb 
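Review bot: `File.exists?` in the `.gitmodules` check of the update branch was removed in Ruby 3.2, so the hook raises NoMethodError on current interpreters; change it to `if File.exist? "#{environment_path}/.gitmodules"`. The same branch calls `Dir.chdir environment_path` without a block, so the working directory persists across later refspecs in the `$stdin.each_line` loop — harmless here because every path is built from `ENVIRONMENT_BASEDIR` and absolute, but the block form `Dir.chdir(environment_path) do … end` would make that explicit. The `rm_rf $1` after `git status --short` deserves a comment noting that git prints names containing spaces or special characters quoted, so the `\S*` capture only grabs the leading fragment and such entries appear to be left in place rather than deleted.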
@@ -1,331 +1,334 @@ +# +# Managed by Puppet +# authorization: { version: 1 allow-header-cert-info: <%= @server_http || @allow_header_cert_info %> rules: [ { # Allow nodes to retrieve their own catalog match-request: { path: "^/puppet/v3/catalog/([^/]+)$" type: regex method: [get, post] } allow: <%= @server_trusted_agents << '$1' %> sort-order: 500 name: "puppetlabs catalog" }, { # Allow nodes to retrieve the certificate they requested earlier match-request: { path: "/puppet-ca/v1/certificate/" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs certificate" }, { # Allow all nodes to access the certificate revocation list match-request: { path: "/puppet-ca/v1/certificate_revocation_list/ca" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs crl" }, { # Allow nodes to request a new certificate match-request: { path: "/puppet-ca/v1/certificate_request" type: path method: [get, put] } allow-unauthenticated: true sort-order: 500 name: "puppetlabs csr" }, <%- if @server_ca -%> { # Allow the CA CLI to access the certificate_status endpoint match-request: { path: "/puppet-ca/v1/certificate_status" type: path method: [get, put, delete] } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> <%- if scope.function_versioncmp([@server_puppetserver_version, '5.3.6']) >= 0 -%> { extensions: { pp_cli_auth: "true" } } <%- end -%> ] <%- end -%> sort-order: 500 name: "puppetlabs cert status" }, { # Allow the CA CLI to access the certificate_statuses endpoint match-request: { path: "/puppet-ca/v1/certificate_statuses" type: path method: get } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> <%- if scope.function_versioncmp([@server_puppetserver_version, '5.3.6']) >= 0 
-%> { extensions: { pp_cli_auth: "true" } } <%- end -%> ] <%- end -%> sort-order: 500 name: "puppetlabs cert statuses" }, <%- end -%> { # Allow unauthenticated access to the status service endpoint match-request: { path: "/status/v1/services" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status service - full" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.3.6']) >= 0 -%> { match-request: { path: "/status/v1/simple" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status service - simple" }, <%- end -%> { match-request: { path: "/puppet-admin-api/v1/environment-cache" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "environment-cache" }, { match-request: { path: "/puppet-admin-api/v1/jruby-pool" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "jruby-pool" }, { match-request: { path: "/puppet/v3/environments" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environments" }, { match-request: { path: "/puppet/v3/environment_classes" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environment classes" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) < 0 -%> { match-request: { path: "/puppet/v3/resource_type" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs resource type" }, { # Allow nodes to access all file services; this is necessary for # pluginsync, file serving from modules, and file serving from # custom mount points (see fileserver.conf). Note that the `/file` # prefix matches requests to file_metadata, file_content, and # file_bucket_file paths. 
match-request: { path: "/puppet/v3/file" type: path } allow: "*" sort-order: 500 name: "puppetlabs file" }, <%- else -%> { # Allow nodes to access all file_bucket_files. Note that access for # the 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_bucket_file" type: path method: [get, head, post, put] } allow: "*" sort-order: 500 name: "puppetlabs file bucket file" }, { # Allow nodes to access all file_content. Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_content" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file content" }, { # Allow nodes to access all file_metadata. Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_metadata" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file metadata" }, <%- end -%> { # Allow nodes to retrieve only their own node definition match-request: { path: "^/puppet/v3/node/([^/]+)$" type: regex method: get } allow: "$1" sort-order: 500 name: "puppetlabs node" }, { # Allow nodes to store only their own reports match-request: { path: "^/puppet/v3/report/([^/]+)$" type: regex method: put } allow: "$1" sort-order: 500 name: "puppetlabs report" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.3']) >= 0 -%> { # Allow nodes to update their own facts match-request: { path: "^/puppet/v3/facts/([^/]+)$" type: regex method: put } allow: "$1" sort-order: 500 name: "puppetlabs facts" }, <%- end -%> { match-request: { path: "/puppet/v3/status" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status" }, { match-request: { path: "/puppet/v3/static_file_content" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs static file 
content" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.1']) >= 0 -%> { match-request: { path: "/puppet/v3/tasks" type: path } allow: "*" sort-order: 500 name: "puppet tasks information" }, <%- end -%> <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 && @server_experimental -%> { # Allow all users access to the experimental endpoint # which currently only provides a dashboard web ui. match-request: { path: "/puppet/experimental" type: path } allow-unauthenticated: true sort-order: 500 name: "puppetlabs experimental" }, <%- end -%> { # Deny everything else. This ACL is not strictly # necessary, but illustrates the default policy match-request: { path: "/" type: path } deny: "*" sort-order: 999 name: "puppetlabs deny all" } ] } diff --git a/templates/server/puppetserver/conf.d/metrics.conf.erb b/templates/server/puppetserver/conf.d/metrics.conf.erb index 2a77b3f..e1f3308 100644 --- a/templates/server/puppetserver/conf.d/metrics.conf.erb +++ b/templates/server/puppetserver/conf.d/metrics.conf.erb 
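Review bot: `allow: <%= @server_trusted_agents << '$1' %>` in the "puppetlabs catalog" rule appends in place to the array handed in from the scope rather than to a copy, so if the same object is rendered more than once the `$1` entry is duplicated; build a new array instead with `allow: <%= @server_trusted_agents + ['$1'] %>`. The certificate_status and certificate_statuses rules switch to `allow-unauthenticated: true` when `@server_ca_auth_required == false`, which, given the `[get, put, delete]` method list on certificate_status, makes CA state changes available to any network peer that can reach the server. A comment on those two `<%- if @server_ca_auth_required == false -%>` branches stating that they expose CA administration to unauthenticated clients would help operators understand the consequence of the setting.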
@@ -1,61 +1,64 @@ +# +# Managed by Puppet +# # settings related to metrics metrics: { # a server id that will be used as part of the namespace for metrics produced # by this server server-id: "<%= @metrics_server_id %>" registries: { puppetserver: { # specify metrics to allow in addition to those in the default list <% if @metrics_allowed -%> metrics-allowed: [ <%- @metrics_allowed.each do |allowed_host| -%> "<%= allowed_host %>", <%- end -%> ] <%- else -%> #metrics-allowed: ["compiler.compile.production"] <% end -%> reporters: { # enable or disable JMX metrics reporter jmx: { enabled: <%= @metrics_jmx_enable %> } # enable or disable Graphite metrics reporter graphite: { enabled: <%= @metrics_graphite_enable %> } } } } # this section is used to configure settings for reporters that will send # the metrics to various destinations for external viewing reporters: { graphite: { # graphite host host: "<%= @metrics_graphite_host %>" # graphite metrics port port: <%= @metrics_graphite_port %> # how often to send metrics to graphite update-interval-seconds: <%= @metrics_graphite_interval %> } } metrics-webservice: { jolokia: { # Enable or disable the Jolokia-based metrics/v2 endpoint. # Default is true. # enabled: false # Configure any of the settings listed at: # https://jolokia.org/reference/html/agents.html#war-agent-installation servlet-init-params: { # Specify a custom security policy: # https://jolokia.org/reference/html/security.html # policyLocation: "file:///etc/puppetlabs/puppetserver/jolokia-access.xml" } } } } diff --git a/templates/server/puppetserver/conf.d/product.conf.erb b/templates/server/puppetserver/conf.d/product.conf.erb index 0f72646..d508d93 100644 --- a/templates/server/puppetserver/conf.d/product.conf.erb +++ b/templates/server/puppetserver/conf.d/product.conf.erb @@ -1,4 +1,7 @@ +# +# Managed by Puppet +# product: { # automatic update checks and corresponding analytic data collection check-for-updates: <%= @server_check_for_updates %> } 
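Review bot: The `metrics-allowed` block mixes `<% if @metrics_allowed -%>` and `<% end -%>` with `<%- else -%>` and `<%- … -%>` on the inner loop, so leading-whitespace trimming differs between the branches of one construct and the untrimmed tags leave lines of indentation whitespace in the rendered metrics.conf. Use `<%- if @metrics_allowed -%>` and `<%- end -%>` to match the rest of the conf.d templates in this commit. The rendered values are otherwise unaffected.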
diff --git a/templates/server/puppetserver/conf.d/puppetserver.conf.erb b/templates/server/puppetserver/conf.d/puppetserver.conf.erb
index c7908df..0f52a38 100644
--- a/templates/server/puppetserver/conf.d/puppetserver.conf.erb
+++ b/templates/server/puppetserver/conf.d/puppetserver.conf.erb
@@ -1,118 +1,121 @@ +# +# Managed by Puppet +# # configuration for the JRuby interpreters jruby-puppet: { # Where the puppet-agent dependency places puppet, facter, etc... # Puppet server expects to load Puppet from this location ruby-load-path: [ <%- @server_ruby_load_paths.each do |ruby_load_path| -%> <%= ruby_load_path %>, <%- end -%> ] # This setting determines where JRuby will install gems. It is used for loading gems, # and also by the `puppetserver gem` command line tool. gem-home: <%= @server_jruby_gem_home %> # This setting defines the complete "GEM_PATH" for jruby. If set, it should include # the gem-home directory as well as any other directories that gems can be loaded # from (including the vendored gems directory for gems that ship with puppetserver) gem-path: [<%= @server_gem_paths.join(', ') %>] # PLEASE NOTE: Use caution when modifying the below settings. Modifying # these settings will change the value of the corresponding Puppet settings # for Puppet Server, but not for the Puppet CLI tools. This likely will not # be a problem with master-var-dir, master-run-dir, or master-log-dir unless # some critical setting in puppet.conf is interpolating the value of one # of the corresponding settings, but it is important that any changes made to # master-conf-dir and master-code-dir are also made to the corresponding Puppet # settings when running the Puppet CLI tools. See # https://docs.puppetlabs.com/puppetserver/latest/puppet_conf_setting_diffs.html#overriding-puppet-settings-in-puppet-server # for more information. 
# (optional) path to puppet conf dir; if not specified, will use # the puppet default master-conf-dir: <%= @server_dir %> # (optional) path to puppet code dir; if not specified, will use # the puppet default master-code-dir: <%= @codedir %> # (optional) path to puppet var dir; if not specified, will use # the puppet default master-var-dir: <%= @server_puppetserver_vardir %> # (optional) path to puppet run dir; if not specified, will use # the puppet default master-run-dir: <%= @server_puppetserver_rundir %> # (optional) path to puppet log dir; if not specified, will use # the puppet default master-log-dir: <%= @server_puppetserver_logdir %> # (optional) maximum number of JRuby instances to allow max-active-instances: <%= @server_max_active_instances %> # (optional) the number of HTTP requests a given JRuby instance will handle in its lifetime. max-requests-per-instance: <%= @server_max_requests_per_instance %> <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 -%> # (optional) The maximum number of requests that may be queued waiting to borrow a JRuby from the pool. max-queued-requests: <%= @server_max_queued_requests %> # (optional) Sets the upper limit for the random sleep set as a Retry-After header on 503 responses returned when max-queued-requests is enabled. max-retry-delay: <%= @server_max_retry_delay %> <%- end -%> # (optional) Authorize access to Puppet master endpoints via rules # specified in the legacy Puppet auth.conf file (if true) or via rules # specified in the Puppet Server HOCON-formatted auth.conf (if false or not # specified). 
use-legacy-auth-conf: <%= @server_use_legacy_auth_conf %> # (optional) enable or disable environment class cache environment-class-cache-enabled: <%= @server_environment_class_cache_enabled %> <%- if @compile_mode %> compile-mode: <%= @compile_mode %> <%- end -%> } # settings related to HTTPS client requests made by Puppet Server http-client: { # A list of acceptable protocols for making HTTPS requests ssl-protocols: [ <%- @server_ssl_protocols.each do |protocol| -%> <%= protocol %>, <%- end -%> ] # A list of acceptable cipher suites for making HTTPS requests cipher-suites: [ <%- @server_cipher_suites.each do |cipher| -%> <%= cipher %>, <%- end -%> ] <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 -%> # Whether to enable http-client metrics; defaults to 'true'. metrics-enabled: <%= @server_metrics %> <%- end -%> # The amount of time, in milliseconds, that an outbound HTTP connection # will wait for data to be available before closing the socket. If not # defined, defaults to 20 minutes. If 0, the timeout is infinite and if # negative, the value is undefined by the application and governed by the # system default behavior. idle-timeout-milliseconds: <%= @server_idle_timeout %> # The amount of time, in milliseconds, that an outbound HTTP connection will # wait to connect before giving up. Defaults to 2 minutes if not set. If 0, # the timeout is infinite and if negative, the value is undefined in the # application and governed by the system default behavior. connect-timeout-milliseconds: <%= @server_connect_timeout %> } # settings related to profiling the puppet Ruby code profiler: { # enable or disable profiling for the Ruby code; enabled: <%= @server_metrics %> } diff --git a/templates/server/puppetserver/conf.d/webserver.conf.erb b/templates/server/puppetserver/conf.d/webserver.conf.erb index d12ad20..b3a7c9d 100644 --- a/templates/server/puppetserver/conf.d/webserver.conf.erb 
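Review bot: `<%- if @compile_mode %>` in the jruby-puppet section lacks the trailing `-%>` that every other conditional in this file uses, so an extra newline is emitted into puppetserver.conf whenever that branch is evaluated; change it to `<%- if @compile_mode -%>`. Separately, `profiler.enabled` is driven by `@server_metrics`, the same variable that sets `http-client.metrics-enabled`, so Ruby profiling cannot be switched independently of client metrics. A comment such as `# profiling follows the metrics setting and cannot be toggled separately` above the profiler block would make that coupling explicit for operators.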
+++ b/templates/server/puppetserver/conf.d/webserver.conf.erb @@ -1,45 +1,48 @@ +# +# Managed by Puppet +# webserver: { access-log-config: <%= @server_puppetserver_dir %>/request-logging.xml client-auth: want <%- if @server_http -%> host: <%= @server_ip %> port: <%= @server_http_port %> <%- end -%> ssl-host: <%= @server_ip %> ssl-port: <%= @server_port %> ssl-cert: <%= @server_ssl_cert %> ssl-key: <%= @server_ssl_cert_key %> ssl-ca-cert: <%= @server_ssl_ca_cert %> <%- if @server_crl_enable -%> ssl-crl-path: <%= @server_ssl_ca_crl %> <%- end -%> <%- if @server_ca -%> ssl-cert-chain: <%= @server_ssl_chain %> <%- end -%> idle-timeout-milliseconds: <%= @server_web_idle_timeout %> ssl-protocols: [ <%- @server_ssl_protocols.each do |ssl_protocol| -%> <%= ssl_protocol %>, <%- end -%> ] cipher-suites: [ <%- @server_cipher_suites.each do |cipher_suite| -%> <%= cipher_suite %>, <%- end -%> ] <%- if @acceptor_threads -%> acceptor-threads: <%= @acceptor_threads %> <%- end -%> <%- if @selector_threads -%> selector-threads: <%= @selector_threads %> <%- end -%> <%- if @ssl_acceptor_threads -%> ssl-acceptor-threads: <%= @ssl_acceptor_threads %> <%- end -%> <%- if @ssl_selector_threads -%> ssl-selector-threads: <%= @ssl_selector_threads %> <%- end -%> <%- if @max_threads -%> max-threads: <%= @max_threads %> <%- end -%> } diff --git a/templates/server/puppetserver/services.d/ca.cfg.erb b/templates/server/puppetserver/services.d/ca.cfg.erb index 65d31f5..71e93ba 100644 --- a/templates/server/puppetserver/services.d/ca.cfg.erb +++ b/templates/server/puppetserver/services.d/ca.cfg.erb 
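Review bot: The plain-HTTP listener emitted under `<%- if @server_http -%>` (the `host:`/`port:` lines) carries no comment on its trust model, while conf.d/auth.conf.erb in this same commit sets `allow-header-cert-info: <%= @server_http || @allow_header_cert_info %>`, so enabling that listener also makes Puppet Server take client identity from X-Client-* request headers instead of the TLS client certificate. Add above the `host:` line: `# plain HTTP: with allow-header-cert-info enabled, identity comes from X-Client-* headers, so this port must only be reachable from the TLS-terminating proxy that sets them`. The hunk itself only adds the header comment; `client-auth: want` and the TLS settings are unchanged context.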
@@ -1,7 +1,10 @@ +# +# Managed by Puppet +# # To enable the CA service, leave the following line uncommented <%= '#' unless @server_ca -%>puppetlabs.services.ca.certificate-authority-service/certificate-authority-service # To disable the CA service, comment out the above line and uncomment the line below <%= '#' if @server_ca -%>puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service <%- if scope.function_versioncmp([@server_puppetserver_version, '5.1']) >= 0 -%> puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service <%- end -%>