P:puppet::server: Do not expose Puppetserver to the internet

supertassu · supertassu · commit bb98142705bb · 2025-06-02T21:51:33.000+03:00
Limit access to the Puppetserver endpoint to jQuery hosts, as a hardening measure. The provisioning script is adapted to manually add a firewall rule until the host is fully enrolled in Puppet. Refs #76.
diff --git a/bin/provision-instance.sh b/bin/provision-instance.sh
@@ -26,6 +26,8 @@ fi
 ssh root@"$INSTANCE" apt-get update
 ssh root@"$INSTANCE" apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" upgrade -y
 ssh root@"$INSTANCE" apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" install -y puppet-agent
+INSTANCE_IP=$(ssh root@"$INSTANCE" facter networking.ip)
+ssh "$PUPPET_SERVER" sudo nft add rule inet filter input tcp dport 8140 ip saddr "$INSTANCE_IP" ct state new accept
 ssh root@"$INSTANCE" "$PUPPET" config --section agent set server "$PUPPET_SERVER"
 ssh root@"$INSTANCE" "$PUPPET" config --section agent set environment "$ENVIRONMENT"
 ssh root@"$INSTANCE" "$PUPPET" agent -t || true
@@ -39,3 +41,4 @@ fi
 
 ssh "$PUPPET_SERVER" sudo puppetserver ca sign --certname "$INSTANCE"
 ssh root@"$INSTANCE" "$PUPPET" agent -t
+ssh "$PUPPET_SERVER" sudo run-puppet-agent
diff --git a/modules/jqlib/functions/resource_hosts.pp b/modules/jqlib/functions/resource_hosts.pp
@@ -1,18 +1,20 @@
 # @summary function to return a list of hosts running a specific resource
 function jqlib::resource_hosts (
   String[1]           $resource_type,
-  Optional[String[1]] $resource_title = undef,
+  Optional[String[1]] $resource_title   = undef,
+  Boolean             $all_environments = false,
 ) >> Array[Stdlib::Host] {
   $title_query = $resource_title ? {
     undef   => '',
     default => "and title = \"${jqlib::format_puppet_title($resource_title)}\"",
   }
+  $environment_query = $all_environments.bool2str('', "and environment = \"${::environment}\"")
 
   $pql = @("PQL")
   resources[certname] {
     type = "${jqlib::format_puppet_title($resource_type)}"
     ${title_query}
-    and environment = "${::environment}"
+    ${environment_query}
   }
   | PQL
 
diff --git a/modules/profile/manifests/puppet/server.pp b/modules/profile/manifests/puppet/server.pp
@@ -209,9 +209,13 @@
     interval    => ['OnCalendar=*-*-* 12:00:00'],
   }
 
+  $clients = jqlib::resource_hosts('class', 'profile::puppet::agent', true)
+  $client_ips = $puppetservers.map |Stdlib::Fqdn $fqdn| { dnsquery::lookup($fqdn, true) }.flatten
+
   nftables::allow { 'puppetserver':
     proto => 'tcp',
     dport => 8140,
+    saddr => $client_ips,
   }
 
   notifier::run_command { 'puppet-public':

Original file line number	Diff line number	Diff line change
`@@ -209,9 +209,13 @@`
`209`	`209`	`interval => ['OnCalendar=--* 12:00:00'],`
`210`	`210`	`}`
`211`	`211`
	`212`	`+ $clients = jqlib::resource_hosts('class', 'profile::puppet::agent', true)`
	`213`	`+ $client_ips = $puppetservers.map \|Stdlib::Fqdn $fqdn\| { dnsquery::lookup($fqdn, true) }.flatten`
	`214`	`+`
`212`	`215`	`nftables::allow { 'puppetserver':`
`213`	`216`	`proto => 'tcp',`
`214`	`217`	`dport => 8140,`
	`218`	`+ saddr => $client_ips,`
`215`	`219`	`}`
`216`	`220`
`217`	`221`	`notifier::run_command { 'puppet-public':`