Added support for bootstrapping puppet server to empty host.

puppet/bootstrap-server.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+mkdir -p /etc/puppet/manifests
+if [ ! -s /etc/puppet/manifests/site.pp ]; then
+    echo "" > /etc/puppet/manifests/site.pp
+fi
+
+ssldir=`echo "require 'puppet'; Puppet.parse_config; print Puppet.settings.value('ssldir')" | ruby`
+
+(
+    echo "\$puppet_ssldir = '${ssldir}'"
+    echo "include puppet::server"
+) | puppet --no-report

puppet/manifests/init.pp

@@ -131,6 +131,13 @@ class puppet::server inherits puppet::client {
         ensure => installed,
     }
 
+    include apache::sslserver
+    apache::configfile { "puppet.conf":
+        content => template("puppet/puppet-httpd.conf.erb"),
+        http    => false,
+        require => Service["puppetmaster"],
+    }
+
     include mongrel
 
     package { [ "rubygem-rails",

puppet/templates/puppet-httpd.conf.erb

@@ -0,0 +1,135 @@
+#
+# Load SSL module if not loaded
+#
+<IfModule !mod_ssl.so>
+LoadModule ssl_module modules/mod_ssl.so
+</IfModule>
+#
+# Listen to puppet port also
+#
+Listen 8140
+
+#
+# Proxy balancer settings
+#
+<Proxy balancer://puppetmaster>
+<% puppet_listenports.each do |port| -%>
+  BalancerMember http://127.0.0.1:<%= port %> keepalive=on max=2 retry=30
+<% end -%>
+</Proxy>
+
+##
+## Puppet Virtual Host
+##
+
+<VirtualHost _default_:8140>
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
+
+#   Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate.  If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase.  Note that a kill -HUP will prompt again.  A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile <%= puppet_ssldir %>/certs/<%= fqdn %>.pem
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile <%= puppet_ssldir %>/private_keys/<%= fqdn %>.pem
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convinience.
+SSLCertificateChainFile <%= puppet_ssldir %>/certs/ca.pem
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+SSLCACertificateFile <%= puppet_ssldir %>/certs/ca.pem
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+SSLVerifyClient optional
+SSLVerifyDepth  1
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context.
+SSLOptions +StdEnvVars
+
+# The following client headers allow the same configuration to work with Pound.
+RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
+RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
+RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
+
+<Location />
+  SetHandler balancer-manager
+  Order allow,deny
+  Allow from all
+</Location>
+
+ProxyPass / balancer://puppetmaster:8140/ timeout=180
+ProxyPassReverse / balancer://puppetmaster:8140/
+ProxyPreserveHost on
+SetEnv force-proxy-request-1.0 1
+SetEnv proxy-nokeepalive 1
+
+</VirtualHost>
+