Created
November 22, 2013 05:09
-
-
Save thwarted/7595151 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -x | |
| set -e | |
| rm -rvf /srv/mypup/ /var/lib/puppetmaster/* | |
| # Where you'll deploy puppet configuration (this is what you want version controlled) | |
| # You may expect this to be /etc/puppet or /etc/puppetmasters, but deploying regularly | |
| # updated stuff to /etc makes my sysadmin sense tingle (in a bad way), and the | |
| # manifests can get kind of large | |
| # this directory and its contents should be only readable by the puppet user | |
| confdir=/srv/mypup | |
| # where everything else lives for the puppetmaster runtime storage | |
| # note that this is distinct from the puppetagent runtime storage because | |
| # presumbly you want to manage the puppetmaster machine using puppet and | |
| # if both the master and agent stuff is stored in the same place, it's a | |
| # bitch to untangle. | |
| # this directory and its contents should be owned by the puppet user | |
| runtime=/var/lib/puppetmaster | |
| function die() { | |
| echo "$0: $@" >&2 | |
| exit 1 | |
| } | |
| # do some sanity checking and set defaults | |
| which puppet >/dev/null 2>&1 || die "couldn't find puppet in PATH" | |
| [[ "$( puppet --version | cut -c1 )" -ge 3 ]] || die "at least puppet 3 is required" | |
| id puppet >/dev/null 2>&1 || die "can't find puppet user" | |
| siteidentity=$( dnsdomainname ) | |
| [[ -n "$siteidentity" ]] || die "dnsdomainname returned an empty string" | |
| mkdir -p "$confdir" | |
| mkdir -p "$runtime" | |
| # create a bare bones puppet setup | |
| # that suggests some best practices | |
| mkdir -p $confdir/manifests/nodes | |
| mkdir -p $confdir/modules/common/lib | |
| chown -R puppet:puppet "$runtime" | |
| # have to use [main] in this file so all the tools that run on the | |
| # puppetmaster that ARE NOT the agent will see the same config. | |
| cat >$confdir/puppet.conf <<EOF | |
| [main] | |
| vardir=$runtime/var | |
| rundir=$runtime/run | |
| logdir=$runtime/log | |
| ssldir=$runtime/ssl | |
| statedir=$runtime/run/state | |
| certname=puppetmaster.$( hostname --fqdn ) | |
| EOF | |
| cat >$confdir/autosign.conf <<EOF | |
| *.$siteidentity | |
| EOF | |
| # the default/builtin fileserver.conf and auth.conf should serve us fine here | |
| # create the root CA | |
| # TODO: don't do this if one is already there | |
| # TODO: figure out how to get the CA cert on other puppetmasters | |
| # TODO: suggest turning autosign off and forcing use of a specific puppetmaster that is running the CA | |
| sudo -u puppet puppet ca --confdir $confdir --ssldir $runtime/ssl --certname "$siteidentity puppet certificate authority" list | |
| # huh? the puppet master complains if it can't find the CA cert | |
| # at $ssldir/ca/ca_crt.pem so copy it there | |
| # TODO: needs to be populated on other puppetmasters | |
| install --owner=puppet --group=puppet $runtime/ssl/certs/ca.pem $runtime/ssl/ca/ca_crt.pem | |
| # create the puppetmaster's certificate | |
| # the CN should be puppet.HOSTNAME | |
| # and puppet,puppet.local,puppet.local.FQDN,HOSTNAME should be in subjectAlternativeNames | |
| # this will allow use of the --server option to the agent to pick a specific server | |
| # and not get SSL certificate warnings/errors, but run also run the agent normally using | |
| # the default name, "puppet", for the server. | |
| sudo -u puppet puppet cert generate \ | |
| --confdir $confdir \ | |
| --ssldir $runtime/ssl \ | |
| --certname puppetmaster.$( hostname --fqdn ) \ | |
| --dns_alt_names=$( hostname -s ),puppet,puppet.local,puppet.local.$siteidentity,$( hostname --fqdn ) puppetmaster.$( hostname --fqdn ) | |
| cat > $confdir/manifests/nodes/README.pp <<EOF | |
| # This file avoids erroring on the import in site.pp when nothing | |
| # has been created yet. You can remove it if yo have something | |
| # else in the nodes/ directory. | |
| EOF | |
| cat > $confdir/manifests/site.pp <<EOF | |
| # default, sample site.pp | |
| import "nodes/*.pp" | |
| node default { | |
| notify { "default node assigned": } | |
| } | |
| EOF | |
| cat >$confdir/README <<EOF | |
| * manifests/ should contain just those things that are specific to your site | |
| and shouldn't be used elsewhere, such as node definitions. | |
| * Just about everything should be a self-contained module in the modules/ | |
| directory. | |
| More information about the module directory structure can be found at | |
| http://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html | |
| * Common facter or puppet extensions ("plugins") should go in | |
| modules/common/lib. This is so that pluginsync can find them. So | |
| modules/common may look like a module, but it contains no other module | |
| related files. | |
| EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment