Added support for bootstrapping puppet server to empty host.
This commit is contained in:
parent
f0d1712c27
commit
49edab924a
3 changed files with 155 additions and 0 deletions
13
puppet/bootstrap-server.sh
Executable file
13
puppet/bootstrap-server.sh
Executable file
|
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
mkdir -p /etc/puppet/manifests
|
||||||
|
if [ ! -s /etc/puppet/manifests/site.pp ]; then
|
||||||
|
echo "" > /etc/puppet/manifests/site.pp
|
||||||
|
fi
|
||||||
|
|
||||||
|
ssldir=`echo "require 'puppet'; Puppet.parse_config; print Puppet.settings.value('ssldir')" | ruby`
|
||||||
|
|
||||||
|
(
|
||||||
|
echo "\$puppet_ssldir = '${ssldir}'"
|
||||||
|
echo "include puppet::server"
|
||||||
|
) | puppet --no-report
|
||||||
|
|
@ -131,6 +131,13 @@ class puppet::server inherits puppet::client {
|
||||||
ensure => installed,
|
ensure => installed,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
include apache::sslserver
|
||||||
|
apache::configfile { "puppet.conf":
|
||||||
|
content => template("puppet/puppet-httpd.conf.erb"),
|
||||||
|
http => false,
|
||||||
|
require => Service["puppetmaster"],
|
||||||
|
}
|
||||||
|
|
||||||
include mongrel
|
include mongrel
|
||||||
|
|
||||||
package { [ "rubygem-rails",
|
package { [ "rubygem-rails",
|
||||||
|
|
|
||||||
135
puppet/templates/puppet-httpd.conf.erb
Normal file
135
puppet/templates/puppet-httpd.conf.erb
Normal file
|
|
@ -0,0 +1,135 @@
|
||||||
|
#
|
||||||
|
# Load SSL module if not loaded
|
||||||
|
#
|
||||||
|
<IfModule !mod_ssl.so>
|
||||||
|
LoadModule ssl_module modules/mod_ssl.so
|
||||||
|
</IfModule>
|
||||||
|
#
|
||||||
|
# Listen to puppet port also
|
||||||
|
#
|
||||||
|
Listen 8140
|
||||||
|
|
||||||
|
#
|
||||||
|
# Proxy balancer settings
|
||||||
|
#
|
||||||
|
<Proxy balancer://puppetmaster>
|
||||||
|
<% puppet_listenports.each do |port| -%>
|
||||||
|
BalancerMember http://127.0.0.1:<%= port %> keepalive=on max=2 retry=30
|
||||||
|
<% end -%>
|
||||||
|
</Proxy>
|
||||||
|
|
||||||
|
##
|
||||||
|
## Puppet Virtual Host
|
||||||
|
##
|
||||||
|
|
||||||
|
<VirtualHost _default_:8140>
|
||||||
|
|
||||||
|
# SSL Engine Switch:
|
||||||
|
# Enable/Disable SSL for this virtual host.
|
||||||
|
SSLEngine on
|
||||||
|
|
||||||
|
# SSL Cipher Suite:
|
||||||
|
# List the ciphers that the client is permitted to negotiate.
|
||||||
|
# See the mod_ssl documentation for a complete list.
|
||||||
|
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
|
||||||
|
|
||||||
|
# Server Certificate:
|
||||||
|
# Point SSLCertificateFile at a PEM encoded certificate. If
|
||||||
|
# the certificate is encrypted, then you will be prompted for a
|
||||||
|
# pass phrase. Note that a kill -HUP will prompt again. A new
|
||||||
|
# certificate can be generated using the genkey(1) command.
|
||||||
|
SSLCertificateFile <%= puppet_ssldir %>/certs/<%= fqdn %>.pem
|
||||||
|
|
||||||
|
# Server Private Key:
|
||||||
|
# If the key is not combined with the certificate, use this
|
||||||
|
# directive to point at the key file. Keep in mind that if
|
||||||
|
# you've both a RSA and a DSA private key you can configure
|
||||||
|
# both in parallel (to also allow the use of DSA ciphers, etc.)
|
||||||
|
SSLCertificateKeyFile <%= puppet_ssldir %>/private_keys/<%= fqdn %>.pem
|
||||||
|
|
||||||
|
# Server Certificate Chain:
|
||||||
|
# Point SSLCertificateChainFile at a file containing the
|
||||||
|
# concatenation of PEM encoded CA certificates which form the
|
||||||
|
# certificate chain for the server certificate. Alternatively
|
||||||
|
# the referenced file can be the same as SSLCertificateFile
|
||||||
|
# when the CA certificates are directly appended to the server
|
||||||
|
# certificate for convinience.
|
||||||
|
SSLCertificateChainFile <%= puppet_ssldir %>/certs/ca.pem
|
||||||
|
|
||||||
|
# Certificate Authority (CA):
|
||||||
|
# Set the CA certificate verification path where to find CA
|
||||||
|
# certificates for client authentication or alternatively one
|
||||||
|
# huge file containing all of them (file must be PEM encoded)
|
||||||
|
SSLCACertificateFile <%= puppet_ssldir %>/certs/ca.pem
|
||||||
|
|
||||||
|
# Client Authentication (Type):
|
||||||
|
# Client certificate verification type and depth. Types are
|
||||||
|
# none, optional, require and optional_no_ca. Depth is a
|
||||||
|
# number which specifies how deeply to verify the certificate
|
||||||
|
# issuer chain before deciding the certificate is not valid.
|
||||||
|
SSLVerifyClient optional
|
||||||
|
SSLVerifyDepth 1
|
||||||
|
|
||||||
|
# Access Control:
|
||||||
|
# With SSLRequire you can do per-directory access control based
|
||||||
|
# on arbitrary complex boolean expressions containing server
|
||||||
|
# variable checks and other lookup directives. The syntax is a
|
||||||
|
# mixture between C and Perl. See the mod_ssl documentation
|
||||||
|
# for more details.
|
||||||
|
#<Location />
|
||||||
|
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
||||||
|
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
|
||||||
|
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
|
||||||
|
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
|
||||||
|
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
|
||||||
|
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
|
||||||
|
#</Location>
|
||||||
|
|
||||||
|
# SSL Engine Options:
|
||||||
|
# Set various options for the SSL engine.
|
||||||
|
# o FakeBasicAuth:
|
||||||
|
# Translate the client X.509 into a Basic Authorisation. This means that
|
||||||
|
# the standard Auth/DBMAuth methods can be used for access control. The
|
||||||
|
# user name is the `one line' version of the client's X.509 certificate.
|
||||||
|
# Note that no password is obtained from the user. Every entry in the user
|
||||||
|
# file needs this password: `xxj31ZMTZzkVA'.
|
||||||
|
# o ExportCertData:
|
||||||
|
# This exports two additional environment variables: SSL_CLIENT_CERT and
|
||||||
|
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
||||||
|
# server (always existing) and the client (only existing when client
|
||||||
|
# authentication is used). This can be used to import the certificates
|
||||||
|
# into CGI scripts.
|
||||||
|
# o StdEnvVars:
|
||||||
|
# This exports the standard SSL/TLS related `SSL_*' environment variables.
|
||||||
|
# Per default this exportation is switched off for performance reasons,
|
||||||
|
# because the extraction step is an expensive operation and is usually
|
||||||
|
# useless for serving static content. So one usually enables the
|
||||||
|
# exportation for CGI and SSI requests only.
|
||||||
|
# o StrictRequire:
|
||||||
|
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
||||||
|
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||||||
|
# and no other module can change it.
|
||||||
|
# o OptRenegotiate:
|
||||||
|
# This enables optimized SSL connection renegotiation handling when SSL
|
||||||
|
# directives are used in per-directory context.
|
||||||
|
SSLOptions +StdEnvVars
|
||||||
|
|
||||||
|
# The following client headers allow the same configuration to work with Pound.
|
||||||
|
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
|
||||||
|
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
|
||||||
|
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
|
||||||
|
|
||||||
|
<Location />
|
||||||
|
SetHandler balancer-manager
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
ProxyPass / balancer://puppetmaster:8140/ timeout=180
|
||||||
|
ProxyPassReverse / balancer://puppetmaster:8140/
|
||||||
|
ProxyPreserveHost on
|
||||||
|
SetEnv force-proxy-request-1.0 1
|
||||||
|
SetEnv proxy-nokeepalive 1
|
||||||
|
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
Loading…
Add table
Reference in a new issue