File: puppetserver.conf

# Process-wide settings shared by every service in this server.
global: {
    # Logback configuration file; the "-dev" variant is wired in here.
    logging-config: ./dev/logback-dev.xml
}

# Product identity and update-server settings.
product: {
    # The URL names a host that does not exist, so whatever uses it (presumably
    # the update check) cannot reach a real server from this configuration.
    update-server-url: "http://some.update.server.that.does.not.exist/"
    # Group/artifact coordinates identifying this build.
    name: {group-id: puppetlabs.dev
           artifact-id: puppetserver}
}

# Dropsonde telemetry reporting; switched off here.
dropsonde: {
    enabled: false
}

# Settings for the TLS listener that agents and API clients connect to.
webserver: {
    # Request (access) logging configuration; the "-dev" variant is wired in here.
    access-log-config: ./dev/request-logging-dev.xml
    # Client-certificate handling for TLS connections. NOTE(review): 'want'
    # presumably asks for a client certificate without rejecting clients that
    # present none (confirm against the webserver service docs); whether such a
    # client may reach an endpoint is then decided by the authorization rules
    # further down in this file, not by this setting.
    client-auth: want
    # ssl-host controls what networks the server will accept connections from.
    # The value below is '0.0.0.0', so the server will accept connections from
    # any client on any interface.  For better security, you might wish to set
    # this to 'localhost', as in the commented-out line.
    ssl-host: 0.0.0.0
    #ssl-host: localhost
    # Port the TLS listener binds to.
    ssl-port: 8140
}

# configure the mount points for the web apps. Every mount below is served by
# the listener defined in the webserver section and is subject to the same
# authorization rules defined further down in this file.
web-router-service: {
    # These two should not be modified because the Puppet 4.x agent expects
    # them to be mounted at these specific paths
    "puppetlabs.services.ca.certificate-authority-service/certificate-authority-service": "/puppet-ca"
    "puppetlabs.services.master.master-service/master-service": "/puppet"

    # This controls the mount point for the puppet admin API. This is an
    # administrative surface; who may reach it is decided by the authorization
    # rules, which in this file allow every request unauthenticated.
    "puppetlabs.services.puppet-admin.puppet-admin-service/puppet-admin-service": "/puppet-admin-api"

    # 3.x agent compatibility routes, mounted at the root path (""). The legacy
    # routes are only mounted if the
    # puppetlabs.services.legacy-routes.legacy-routes-service/legacy-routes-service
    # service is in the bootstrap.cfg
    "puppetlabs.services.legacy-routes.legacy-routes-service/legacy-routes-service": ""

    # This controls the mount point for the status API
    "puppetlabs.trapperkeeper.services.status.status-service/status-service": "/status"

    # This controls the mount point for the metrics API
    "puppetlabs.trapperkeeper.services.metrics.metrics-service/metrics-webservice": "/metrics"
}

# configuration for the JRuby interpreters.
# Values written as ${HOME}"/..." are HOCON substitutions: ${HOME} is resolved
# when the file is loaded and the quoted suffix is concatenated to it, so every
# path below ends up under the loading user's home directory (a development
# layout, not the packaged /etc and /opt locations).
jruby-puppet: {
    # Where the puppet-agent dependency places puppet, facter, etc...
    # Puppet server expects to load Puppet from this location
    ruby-load-path: [./ruby/puppet/lib, ./ruby/facter/lib, ./ruby/hiera/lib, ./ruby/resource_api/lib]

    # This setting determines where JRuby will install gems.  It is used for loading gems,
    # and also by the `puppetserver gem` command line tool.
    gem-home: ${HOME}"/.puppetlabs/opt/server/data/puppetserver/jruby-gems"

    # This setting defines the complete "GEM_PATH" for jruby.  If set, it should include
    # the gem-home directory as well as any other directories that gems can be loaded
    # from (including the vendored gems directory for gems that ship with puppetserver).
    # Code in any of these directories is loaded into the server, so they should be
    # writable only by the account that owns the server.
    gem-path: [${jruby-puppet.gem-home}, ${HOME}"/.puppetlabs/opt/server/data/puppetserver/vendored-jruby-gems"]

    # (optional) path to puppet conf dir; if not specified, will use the puppet default
    server-conf-dir: ${HOME}"/.puppetlabs/etc/puppet"

    # (optional) path to puppet code dir; if not specified, will use the puppet default
    server-code-dir: ${HOME}"/.puppetlabs/etc/code"

    # (optional) path to puppet var dir; if not specified, will use the puppet default
    server-var-dir: ${HOME}"/.puppetlabs/opt/puppet/cache"

    # (optional) path to puppet run dir; if not specified, will use the puppet default
    server-run-dir: ${HOME}"/.puppetlabs/var/run"

    # (optional) path to puppet log dir; if not specified, will use the puppet default
    server-log-dir: ${HOME}"/.puppetlabs/var/log"

    # (optional) maximum number of JRuby instances to allow; a single instance here
    max-active-instances: 1

    # (optional) whether to use the environment class cache. If unspecified
    # defaults to false; enabled here.
    environment-class-cache-enabled: true

    # (optional) Whether or not to track lookups during compilation; turning
    # this on will send that information to puppetdb
    # track-lookups: true

    # For testing running requests through a single JRuby instance. DO NOT ENABLE unless
    # explicitly testing this functionality.
    # multithreaded: true

    # (optional) When (re)filling a pool one instance will be initialized first, then
    # the remaining instances will be initialized at the specified level of concurrency.
    # Set to one for the previous serialized behavior. Default is three.
    # instance-creation-concurrency: 1
}

# Settings related to HTTP client requests made by Puppet Server.
# These settings only apply to client connections using the Puppet::Network::HttpPool
# classes. Client connections using net/http or net/https directly will not be
# configured with these settings automatically.
http-client: {
    # A list of acceptable protocols for making HTTP requests
    #ssl-protocols: [TLSv1.3, TLSv1.2]

    # A list of acceptable cipher suites for making HTTP requests.
    # NOTE(review): the example suites below are all static-RSA CBC suites, which
    # provide no forward secrecy; if this setting is uncommented, choose the list
    # deliberately rather than copying the example.
    #cipher-suites: [TLS_RSA_WITH_AES_256_CBC_SHA256,
    #                TLS_RSA_WITH_AES_256_CBC_SHA,
    #                TLS_RSA_WITH_AES_128_CBC_SHA256,
    #                TLS_RSA_WITH_AES_128_CBC_SHA]

    # The amount of time, in milliseconds, that an outbound HTTP connection
    # will wait for data to be available before closing the socket. If not
    # defined, defaults to 20 minutes. If 0, the timeout is infinite and if
    # negative, the value is undefined by the application and governed by the
    # system default behavior.
    #idle-timeout-milliseconds: 1200000

    # The amount of time, in milliseconds, that an outbound HTTP connection will
    # wait to connect before giving up. Defaults to 2 minutes if not set. If 0,
    # the timeout is infinite and if negative, the value is undefined in the
    # application and governed by the system default behavior.
    #connect-timeout-milliseconds: 120000
}

# settings related to profiling the puppet Ruby code
profiler: {
    # enable or disable profiling for the Ruby code; defaults to 'false'.
    # Enabled here for development.
    enabled: true
}

# Metrics collection and the reporters that publish it.
metrics: {
    # a server id that will be used as part of the namespace for metrics produced
    # by this server
    server-id: localhost
    registries: {
        puppetserver: {
            # specify metrics to allow in addition to those in the default list
            #metrics-allowed: ["compiler.compile.production"]
            reporters: {
                # enable or disable the JMX metrics reporter. Whether JMX is
                # reachable from outside the JVM is presumably governed by JVM
                # startup flags, not by this file.
                jmx: {
                    enabled: true
                }
                # enable or disable the Graphite metrics reporter; its destination
                # is set in the metrics.reporters.graphite section below
                #graphite: {
                #    enabled: true
                #}
            }
        }
    }
    # this section is used to configure settings for reporters that will send
    # the metrics to various destinations for external viewing
    reporters: {
        # NOTE(review): Graphite's plaintext protocol carries metrics unencrypted
        # and unauthenticated; only point it at a host on a trusted network.
        #graphite: {
        #    # graphite host
        #    host: "127.0.0.1"
        #    # graphite metrics port
        #    port: 2003
        #    # how often to send metrics to graphite
        #    update-interval-seconds: 5
        #}
    }
}

# authorization rules for web service endpoints
authorization: {
    # Rule-format version.
    version: 1
    rules: [
        {
            # A single path rule rooted at "/": it matches every request on this
            # listener, including the CA, puppet-admin-api, status and metrics
            # mounts configured in web-router-service above.
            match-request: {
                path: "/"
                type: "path"
            }
            # Any client, with or without a client certificate, is allowed through.
            # NOTE(review): this grants unauthenticated access to every endpoint and
            # is only appropriate for a local development instance; a deployment
            # needs per-endpoint rules that require an authenticated client.
            allow-unauthenticated: true
            # Ordering among rules; with a single rule it has no effect.
            sort-order: 1
            name: "allow all"
        }
    ]
}

# Settings for the built-in certificate authority.
certificate-authority: {
    # Puppet 6 onwards will have support for infrastructure CRL which would be enabled by default.
    # An infrastructure CRL would consist of only serial numbers of any compile masters and hence small.
    # While full CRL will continue to exist, agent nodes would get the infrastructure CRL if enabled.
    # Infrastructure CRL can be disabled by setting the below option to false
    # enable-infra-crl: true


    # The infrastructure CRL feature uses the following files:
    # infra-crl-path: this maintains the infrastructure CRL which will reside in cadir (full crl)
    # infra-node-serials-path: this maintains the serial numbers of the infrastructure nodes whose revocation would
    #                          result in infrastructure crl getting updated. It will reside in the cadir.
    # infra-nodes-path: This file maintains the list of compile master nodes that would be used to generate the above
    #                   infra nodes serials path. In case of a PE install, this file would be managed by PE module
    #                   Note: FOSS would need to create and manage this file themselves. At any given time,
    #                   it needs to have the list of all active compile masters including the MoM.
    #                   It is expected to be at /etc/puppetlabs/puppetserver/ca/infra-nodes.txt. The file-path
    #                   is fixed and cannot be changed.

    # Both of the following are left at the restrictive value: CSRs carrying
    # subject alternative names or authorization extensions are not accepted.
    # Only relax them if the CA is expected to sign such requests.
    allow-subject-alt-names: false
    allow-authorization-extensions: false
    # Disable auto renewal of certs by default.
    allow-auto-renewal: false
    # This value determines the lifetime of the cert if auto-renewal is enabled
    auto-renewal-cert-ttl: "90d"
    # Default cert expiration time. If the value is set here, it will take precedence over ca-ttl setting in puppet.conf
    #ca-ttl: "60d"
}