#####################################################################################
# Copyright 2011 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#####################################################################################
#######################################################
#
# Server specific configuration
#
#######################################################
bundle server access_rules
{
# File-serving rules for cf-serverd.
#
# Every access promise is guarded by the policy_server class, so a plain node
# publishes no files at all; only a policy server serves its tree.
#
# Reading the attributes from a defender's point of view:
#   admit   - source addresses/names that may read the promised path
#   maproot - the same sources are additionally served with root privileges,
#             i.e. files that are not world-readable on the server are still
#             delivered to every host matching the list
# The two lists are identical for each path below, so being in def.acl
# (the allowed networks) is enough to read the policy tree as root.
# escape() turns the dotted upstream name into a literal pattern instead of a
# regex, and host2ip() adds its resolved address next to the name.
  access:
    policy_server::
      # Policy updates: the masterfiles tree, open to all allowed networks.
      "${def.dir_masterfiles}"
        admit   => { @{def.acl} },
        maproot => { @{def.acl} },
        handle  => "grant_access_policy",
        comment => "Grant access to the policy updates";

      # Rudder tools and the two ncf origins, same audience as masterfiles.
      "${g.rudder_tools}"
        admit   => { @{def.acl} },
        maproot => { @{def.acl} };

      "${g.rudder_ncf_origin_common}"
        admit   => { @{def.acl} },
        maproot => { @{def.acl} };

      "${g.rudder_ncf_origin_local}"
        admit   => { @{def.acl} },
        maproot => { @{def.acl} };

      # Shared folder of root: only the upstream policy server
      # (server_info.cfserved) may pull it, by address or by literal name.
      "/var/rudder/share/root/"
        admit   => { host2ip("${server_info.cfserved}"), escape("${server_info.cfserved}") },
        maproot => { host2ip("${server_info.cfserved}"), escape("${server_info.cfserved}") };

      # The upstream policy server also needs the local cfengine work directory.
      "${sys.workdir}"
        admit   => { host2ip("${server_info.cfserved}"), escape("${server_info.cfserved}") },
        maproot => { host2ip("${server_info.cfserved}"), escape("${server_info.cfserved}") };

  # A new promise type resets the class context: this role promise is NOT
  # limited to policy servers. It lets the remote user root define any class
  # (the ".*" pattern) through cf-runagent on every host running cf-serverd.
  roles:
      ".*"
        authorize => { "root" };
}
bundle common def
{
# Shared definitions used by the server rules and the server control body.
#
# def.acl is the trust anchor for everything else in this file: it feeds
# admit/maproot in access_rules and trustkeysfrom/allowconnects/skipverify in
# the server control body, so its contents decide who may talk to cf-serverd.
  vars:
      # Local copy of the policy tree served to nodes.
      "dir_masterfiles"
        string => translatepath("${sys.workdir}/masterfiles");

      # Where the agent stores the address of its policy server.
      "policy_server_file"
        string  => translatepath("${sys.workdir}/policy_server.dat"),
        comment => "Path to file containing address to policy server";

      # NOTE(review): readfile keeps at most 40 bytes, which fits an IPv4 or
      # IPv6 literal; a long FQDN would be silently truncated. Confirm what
      # Rudder writes into policy_server.dat.
      "policy_server"
        string  => readfile("${policy_server_file}", 40),
        comment => "IP address to locate your policy host.";

    # On a plain node the only peer that gets any access is its policy server.
    !policy_server::
      "acl"
        slist => {
          "${def.policy_server}"
        };

    # On a policy server the allowed networks are injected by Rudder at
    # generation time through the %%...%% placeholder below.
    policy_server::
      "acl"
        slist => {
          '%%POLICY_SERVER_ALLOWED_NETWORKS%%'
        };
}
body server control
{
# cf-serverd configuration.
#
# Who may connect and how they are trusted (all of these are driven by
# def.acl plus the upstream policy server, by address and by name):
#
#   allowconnects - sources allowed to open a connection at all
#   trustkeysfrom - sources whose public key is accepted on first contact
#                   (trust-on-first-use): any host inside def.acl can enrol
#                   its key without prior exchange, so the network lists in
#                   def.acl are the real boundary of this trust
#   skipverify    - sources for which the reverse-DNS check is skipped
#                   (deprecated attribute in later CFEngine releases)
#   allowusers    - remote user names accepted by the server
  allowconnects => {
    @{def.acl} ,
    host2ip("${server_info.cfserved}"), "${server_info.cfserved}"
  };

  trustkeysfrom => {
    "127.0.0.0/8" , "::1",
    @{def.acl} ,
    host2ip("${server_info.cfserved}"), "${server_info.cfserved}"
  };

  skipverify => { "127.0.0.0/8" , "::1", @{def.acl} };

  allowusers => { "root" };

  # What a cf-runagent request executes: a failsafe run, then a normal run.
  cfruncommand => "${sys.workdir}/bin/cf-agent -f failsafe.cf && ${sys.workdir}/bin/cf-agent";

  # Every connection is logged; keep this on so access can be audited.
  logallconnections => "true";

  maxconnections => "1000";

  # Community edition listens on a non-default port.
  community_edition::
    port => "5309";
}