@thwarted
Created November 22, 2013 05:09
#!/bin/bash -x
set -e
rm -rvf /srv/mypup/ /var/lib/puppetmaster/*
# Where you'll deploy puppet configuration (this is what you want version controlled)
# You may expect this to be /etc/puppet or /etc/puppetmasters, but deploying regularly
# updated stuff to /etc makes my sysadmin sense tingle (in a bad way), and the
# manifests can get kind of large
# this directory and its contents should be only readable by the puppet user
confdir=/srv/mypup
# where everything else lives for the puppetmaster runtime storage
# note that this is distinct from the puppetagent runtime storage because
# presumably you want to manage the puppetmaster machine using puppet and
# if both the master and agent stuff is stored in the same place, it's a
# bitch to untangle.
# this directory and its contents should be owned by the puppet user
runtime=/var/lib/puppetmaster
function die() {
    echo "$0: $@" >&2
    exit 1
}
# do some sanity checking and set defaults
which puppet >/dev/null 2>&1 || die "couldn't find puppet in PATH"
[[ "$( puppet --version | cut -c1 )" -ge 3 ]] || die "at least puppet 3 is required"
id puppet >/dev/null 2>&1 || die "can't find puppet user"
siteidentity=$( dnsdomainname )
[[ -n "$siteidentity" ]] || die "dnsdomainname returned an empty string"
mkdir -p "$confdir"
mkdir -p "$runtime"
# create a bare bones puppet setup
# that suggests some best practices
mkdir -p "$confdir/manifests/nodes"
mkdir -p "$confdir/modules/common/lib"
chown -R puppet:puppet "$runtime"
# have to use [main] in this file so all the tools that run on the
# puppetmaster that ARE NOT the agent will see the same config.
cat >$confdir/puppet.conf <<EOF
[main]
vardir=$runtime/var
rundir=$runtime/run
logdir=$runtime/log
ssldir=$runtime/ssl
statedir=$runtime/run/state
certname=puppetmaster.$( hostname --fqdn )
EOF
cat >$confdir/autosign.conf <<EOF
*.$siteidentity
EOF
# the default/builtin fileserver.conf and auth.conf should serve us fine here
# create the root CA
# TODO: don't do this if one is already there
# TODO: figure out how to get the CA cert on other puppetmasters
# TODO: suggest turning autosign off and forcing use of a specific puppetmaster that is running the CA
sudo -u puppet puppet ca --confdir $confdir --ssldir $runtime/ssl --certname "$siteidentity puppet certificate authority" list
# huh? the puppet master complains if it can't find the CA cert
# at $ssldir/ca/ca_crt.pem so copy it there
# TODO: needs to be populated on other puppetmasters
install --owner=puppet --group=puppet $runtime/ssl/certs/ca.pem $runtime/ssl/ca/ca_crt.pem
# create the puppetmaster's certificate
# the CN should be puppet.HOSTNAME
# and puppet,puppet.local,puppet.local.FQDN,HOSTNAME should be in subjectAlternativeNames
# this will allow use of the --server option to the agent to pick a specific server
# and not get SSL certificate warnings/errors, but run also run the agent normally using
# the default name, "puppet", for the server.
sudo -u puppet puppet cert generate \
--confdir $confdir \
--ssldir $runtime/ssl \
--certname puppetmaster.$( hostname --fqdn ) \
--dns_alt_names=$( hostname -s ),puppet,puppet.local,puppet.local.$siteidentity,$( hostname --fqdn ) puppetmaster.$( hostname --fqdn )
cat > "$confdir/manifests/nodes/README.pp" <<EOF
# This file avoids erroring on the import in site.pp when nothing
# has been created yet. You can remove it if you have something
# else in the nodes/ directory.
EOF
cat > $confdir/manifests/site.pp <<EOF
# default, sample site.pp
import "nodes/*.pp"
node default {
notify { "default node assigned": }
}
EOF
cat > "$confdir/README" <<EOF
* manifests/ should contain just those things that are specific to your site
  and shouldn't be used elsewhere, such as node definitions.
* Just about everything should be a self-contained module in the modules/
  directory.
  More information about the module directory structure can be found at
  http://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html
* Common facter or puppet extensions ("plugins") should go in
  modules/common/lib. This is so that pluginsync can find them. So
  modules/common may look like a module, but it contains no other module
  related files.
EOF
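The comments in the script state two requirements it does not itself verify: the confdir tree should be readable only by the puppet user, the runtime tree should be owned by the puppet user, and the master certificate should carry the listed subjectAltNames. The following audit helpers are an added example, not part of the gist; they assume GNU find/stat (`-perm /077`, `stat -c`) and an `openssl` binary, and the paths passed in `report` are the gist's own defaults.

```bash
#!/bin/bash
# Post-setup audit for the puppetmaster layout created above (added example,
# not part of the gist). Assumes GNU find/stat and openssl are installed.

# audit_private_tree DIR OWNER
# Lists every path under DIR that is not owned by OWNER or that has any
# group/other permission bit set. Returns 0 when the tree is private to
# OWNER, 1 when violations were found, 2 when DIR does not exist.
audit_private_tree() {
    local dir=$1 owner=$2 bad
    [ -d "$dir" ] || { echo "audit: $dir is not a directory" >&2; return 2; }
    # -perm /077 matches if any of the rwx bits for group or others is set
    bad=$(find "$dir" \( ! -user "$owner" -o -perm /077 \) \
               -exec stat -c '%U %a %n' {} \;)
    if [ -n "$bad" ]; then
        printf 'audit: %s is not private to %s:\n%s\n' "$dir" "$owner" "$bad" >&2
        return 1
    fi
    return 0
}

# cert_sans CERT.pem
# Prints the DNS names from the certificate's subjectAltName extension,
# one per line. Uses the -text dump so it works on old and new openssl.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# cert_has_san CERT.pem NAME
# Returns 0 if NAME is exactly one of the certificate's DNS SANs.
cert_has_san() {
    cert_sans "$1" | grep -qxF -- "$2"
}

# report CONFDIR RUNTIME SITEIDENTITY
# Runs all checks against a deployed master; exit status is the number of
# failed checks. The expected names mirror the --dns_alt_names list above.
report() {
    local confdir=$1 runtime=$2 site=$3 failures=0 name cert
    cert="$runtime/ssl/certs/puppetmaster.$(hostname --fqdn).pem"
    audit_private_tree "$confdir" puppet || failures=$((failures + 1))
    audit_private_tree "$runtime" puppet || failures=$((failures + 1))
    for name in "$(hostname -s)" puppet puppet.local "puppet.local.$site" \
                "$(hostname --fqdn)"; do
        if cert_has_san "$cert" "$name"; then
            echo "ok: $cert has SAN $name"
        else
            echo "FAIL: $cert lacks SAN $name" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Only run the report when explicitly requested, so the functions can be
# sourced from other scripts without side effects:
#   PUPPET_AUDIT=1 ./audit.sh
if [ "${PUPPET_AUDIT:-}" = 1 ]; then
    report /srv/mypup /var/lib/puppetmaster "$(dnsdomainname)"
fi
```

Run it after the setup script as the puppet user or root; a `FAIL` line for `puppet.local` or `puppet` means agents using the default server name will get certificate-mismatch errors, and a listing from `audit_private_tree` on the confdir means the manifests (and autosign.conf) are readable by accounts other than puppet.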