# cf-serverd settings: which addresses may connect, whose public keys are
# accepted on first contact, and what a cf-runagent request is allowed to run.
body server control
{
  any::

    # Addresses allowed to open a connection to cf-serverd: loopback plus the
    # three RFC 1918 private ranges.
    allowconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };

    # Addresses allowed to hold more than one connection at the same time.
    allowallconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };

    # Addresses whose previously unseen public keys are accepted on trust.
    # NOTE(review): this spans every RFC 1918 address, so a new key from any
    # host in those ranges is accepted without out-of-band verification.
    # Consider limiting it to the subnets that are actively bootstrapping, or
    # emptying it once keys have been exchanged.
    trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };

    # Upper bound on simultaneous connections.
    maxconnections => "200";

    # NOTE(review): "false" disables rejection of clients whose clock is out
    # of step with the server's. Confirm this is deliberate (e.g. hosts
    # without reliable time sync) rather than a leftover.
    denybadclocks => "false";

    # Command line cf-serverd runs for a cf-runagent request: the shell from
    # def.cf_runagent_shell runs cf-agent on the update policy, then cf-agent
    # again without -f, both with the class "cfruncommand" defined.
    # The last single quote in cfruncommand is left open, so that
    # arguments (like -K and --remote-bundles) are properly appended.
    # NOTE(review): the appended arguments end up inside the shell's -c
    # string, so allowusers, the roles promises and the access promise on the
    # shell below are what limit who can reach this command.
    cfruncommand => "$(def.cf_runagent_shell) -c \' $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path) ; $(sys.cf_agent) -I -D cfruncommand";

  !policy_server::

    # On hosts other than the policy server, only root may have requests
    # executed by cf-serverd.
    allowusers => { "root" };
}

# File-access and role promises served by cf-serverd.
bundle server access_rules()
{
  access:

    any::

      # Policy tree, also reachable under the shortcut "masterfiles".
      # NOTE(review): readable from every RFC 1918 address; together with the
      # equally wide trustkeysfrom, verify nothing sensitive (credentials,
      # private data) is kept under this directory.
      "$(sys.masterdir)"
      shortcut => "masterfiles",
      admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };

      # Modules directory inside the policy tree, same admit list.
      "$(sys.masterdir)/modules"
      shortcut => "modules",
      admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };

      # Inventory data is served to a single address only.
      "$(sys.workdir)/inventory"
      shortcut => "inventory",
      admit => { "10.1.0.204/32" };

      # Only the policy hub is admitted to the shell used for remote runs.
      # NOTE(review): cfruncommand refers to $(def.cf_runagent_shell) while
      # this promise hard-codes /bin/sh; confirm both resolve to the same path.
      "/bin/sh"
      admit => { "$(sys.policy_hub)" };

  roles:

    any::

      # ".*" matches every class name, so root may activate any class through
      # a cf-runagent request.
      # NOTE(review): narrow the pattern if only specific classes need to be
      # set remotely.
      ".*"
      authorize => { "root" };
}