diff --git a/puppet/bootstrap-server.sh b/puppet/bootstrap-server.sh new file mode 100755 index 0000000..d69e402 --- /dev/null +++ b/puppet/bootstrap-server.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +mkdir -p /etc/puppet/manifests +if [ ! -s /etc/puppet/manifests/site.pp ]; then + echo "" > /etc/puppet/manifests/site.pp +fi + +ssldir=`echo "require 'puppet'; Puppet.parse_config; print Puppet.settings.value('ssldir')" | ruby` + +( + echo "\$puppet_ssldir = '${ssldir}'" + echo "include puppet::server" +) | puppet --no-report diff --git a/puppet/manifests/init.pp b/puppet/manifests/init.pp index 45d4d84..ab31897 100644 --- a/puppet/manifests/init.pp +++ b/puppet/manifests/init.pp @@ -131,6 +131,13 @@ class puppet::server inherits puppet::client { ensure => installed, } + include apache::sslserver + apache::configfile { "puppet.conf": + content => template("puppet/puppet-httpd.conf.erb"), + http => false, + require => Service["puppetmaster"], + } + include mongrel package { [ "rubygem-rails", diff --git a/puppet/templates/puppet-httpd.conf.erb b/puppet/templates/puppet-httpd.conf.erb new file mode 100644 index 0000000..494ab53 --- /dev/null +++ b/puppet/templates/puppet-httpd.conf.erb 
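Review bot: The `ssldir=` lookup has no failure check: if the `ruby` pipeline fails (puppet library missing, config unparsable) `ssldir` is empty, the script carries on and hands `$puppet_ssldir = ''` to `puppet::server`, so the rendered Apache config points `SSLCertificateFile`/`SSLCertificateKeyFile` at paths directly under `/` instead of the real SSL directory. Guard it before the pipeline into `puppet`: add `set -e` under the shebang and `[ -n "$ssldir" ] || { echo "bootstrap-server: could not determine Puppet ssldir" >&2; exit 1; }` after the assignment. The value is also interpolated into a single-quoted Puppet string, so a path containing `'` would break the manifest; unlikely for an ssldir, but worth a one-line comment at the `echo "\$puppet_ssldir = ..."` line.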
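Review bot: `template("puppet/puppet-httpd.conf.erb")` reads `$puppet_ssldir` and `$puppet_listenports`, but nothing in this hunk sets or validates them; in this commit only `bootstrap-server.sh` defines `$puppet_ssldir`, so applying `puppet::server` through the normal master would render certificate paths with an empty prefix. Fail early rather than ship a broken vhost, e.g. `if $puppet_ssldir == '' { fail("puppet::server: \$puppet_ssldir must be set") }` placed before the `apache::configfile` resource. The class `puppet::server` starts and ends outside the hunk, so whether it declares defaults for these variables elsewhere cannot be confirmed from here; the `require => Service["puppetmaster"]` ordering itself looks reasonable, presumably because the certificate files under `ssldir` are created by the master's first run.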
@@ -0,0 +1,135 @@ +# +# Load SSL module if not loaded +# + +LoadModule ssl_module modules/mod_ssl.so + +# +# Listen to puppet port also +# +Listen 8140 + +# +# Proxy balancer settings +# + +<% puppet_listenports.each do |port| -%> + BalancerMember http://127.0.0.1:<%= port %> keepalive=on max=2 retry=30 +<% end -%> + + +## +## Puppet Virtual Host +## + + + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A new +# certificate can be generated using the genkey(1) command. +SSLCertificateFile <%= puppet_ssldir %>/certs/<%= fqdn %>.pem + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +SSLCertificateKeyFile <%= puppet_ssldir %>/private_keys/<%= fqdn %>.pem + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convinience. 
+SSLCertificateChainFile <%= puppet_ssldir %>/certs/ca.pem + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +SSLCACertificateFile <%= puppet_ssldir %>/certs/ca.pem + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +SSLVerifyClient optional +SSLVerifyDepth 1 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). 
This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +SSLOptions +StdEnvVars + +# The following client headers allow the same configuration to work with Pound. +RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e +RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e +RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e + + + SetHandler balancer-manager + Order allow,deny + Allow from all + + +ProxyPass / balancer://puppetmaster:8140/ timeout=180 +ProxyPassReverse / balancer://puppetmaster:8140/ +ProxyPreserveHost on +SetEnv force-proxy-request-1.0 1 +SetEnv proxy-nokeepalive 1 + + +
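Review bot: The balancer-manager handler is opened with `Order allow,deny` / `Allow from all`, and since `SSLVerifyClient optional` does not reject clients without a certificate, anyone who can reach port 8140 can view and, through the manager's GET-driven interface, change balancer member state (disable members, alter routes) with no authentication; the opening `<Location>`/`<VirtualHost>` container lines do not survive in this view, so the exact scope is inferred. Restrict it to the master itself, `Order deny,allow` / `Deny from all` / `Allow from 127.0.0.1`, or drop the manager block entirely. `SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA` explicitly selects SSLv2-era ciphers and no `SSLProtocol` directive is set, so SSLv2 stays negotiable; `SSLProtocol all -SSLv2 -SSLv3` with `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` would be the minimum for agents. The `RequestHeader set X-Client-Verify` lines correctly overwrite any client-supplied header, but the balancer members are plain `http://127.0.0.1:<port>`, so any local process able to reach those ports can present `X-Client-Verify: SUCCESS` directly to the backend — worth a comment here and confirming the mongrels bind only to loopback. The closing `</VirtualHost>` of this hunk may lie past the last visible line.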