forked from jethrocarr/pupistry
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsettings.example.yaml
105 lines (86 loc) · 4.07 KB
/
settings.example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
## Configuration file for Pupistry.
# The following settings apply for all use cases of Pupistry and must be set
general:
# We need somewhere to cache files like archives and git repos. This will
# be as big as the total size of all your git repos when being used to
# build artifacts. Agent-only systems will be far smaller as it only includes
# the latest version of the artifacts.
app_cache: ~/.pupistry/cache
# Some users like to use Pupistry with a non-AWS S3 endpoint such as Minio
# which requires setting an alternative endpoint below. DO NOT UNCOMMENT IF
# USING STANDARD AWS S3.
# s3_endpoint: s3.notaws.example.com
# The S3 bucket must be set in order to have a place to push and
# pull artifact and manifests from. This bucket should be PRIVATE, we
# only want your servers accessing the files!
#
# REMEMBER - S3 buckets are a global namespace, other people might have
# already picked the name you want. Make sure you update this default
# with something you actually own :-)
s3_bucket: example
# S3 prefix is entirely optional, useful if you're reusing/sharing an S3
# bucket with other applications. Leave blank if not needed.
s3_prefix:
# GPG key to use for signing & validating the artifacts. It is possible to
# run pupistry in an unsigned mode, but you will lose the protection against
# someone with access to the S3 bucket tampering with the files and pushing
# malicious puppet manifests to your servers
gpg_disable: true
gpg_signing_key: XXXXXX
# Settings for agents, these are required on the machines that will be
# downloading and applying artifacts but also need to be set for build
# machines so we can popular bootstrap templates for you and automatically
# check stuff like IAM permissions before you roll your hosts.
agent:
# Puppet3 doesn't care what this is, but if using Puppet4, you need to set it
# to /etc/puppetlabs/code/environments otherwise it blows up.
puppetcode: /etc/puppetlabs/code/environments
# The AWS credentials with READ permission to the S3 bucket for downloading
# artifact files. If unset, we try to figure it out from any AWS creds
access_key_id:
secret_access_key:
region: ap-southeast-2
proxy_uri:
# (If Daemonised)
# Default is to check for a new artifact every 60 seconds, but only to
# actually run Puppet if there has been a change to the artifact contents.
#
# At a polling rate of 60 seconds, the cost of S3 will be about $0.02 per
# month per system running Pupistry.
#
# If you want to force regular Puppet runs regardless whether or not a new
# artifact has been released, turn daemon_minimal off, but make sure the
# frequency isn't too low - 300 seconds+ recommended otherwise Puppet will
# be hammering your system resources.
daemon_frequency: 60
daemon_minimal: true
# The following settings are only needed on the build machines (people building
# new artifacts) and are not needed on the actual agent servers that will be
# downloading and applying them.
build:
# Define the Git repo for the Puppet manifest & r10k data
# (ie repo where your Puppetfile & site.pp is)
puppetcode: [email protected]:jethrocarr/pupistry-samplepuppet.git
# The AWS credentials with write permission to the S3 bucket for uploading
# new artifact files. If unset, we try to figure it out from any AWS creds
# set in the environmnt, but you're best to make it explicit here to avoid
# surprises....
#
access_key_id:
secret_access_key:
region: ap-southeast-2
proxy_uri:
# Enable the HieraCrypt feature
#
# Note - Once enabled, all your servers must have their definition added,
# otherwise they will not recieve any Hiera information as it will no longer
# be delivered in an unencrypted form.
#
# You will want to run `pupistry hieracrypt --generate` on each node to
# generate a file which needs to be saved into `hieracrypt/nodes/hostname`
# in your puppetcode repo (right alongside the `hieradata/` directory).
#
# If you later decide to disable hieracrypt, you should remove the entire
# `hieracrypt` directory to avoid confusion.
#
hieracrypt: false