Puppet

#

# Make sure you set these constants properly!

#

# Set this to true if you are autosigning your certificates

AUTOSIGN = false

# Set this to the commands you need to run to stop your puppetmasterd

PUPPETMASTERD_STOP = [

  "/etc/init.d/puppetmasterd stop",

  "/etc/init.d/mongrel-puppetmasterd stop",

]

# Set this to the commands you need to start your puppetmasterd

PUPPETMASTERD_START = [

  "env SVWAIT=30 /etc/init.d/mongrel-puppetmasterd start",

  "env SVWAIT=30 /etc/init.d/puppetmasterd start",

]

# Set this to the commands you need to stop puppetd on the clients

PUPPETD_STOP = [ "/etc/init.d/puppetd stop" ]

# Set this to the commands you need to start puppetd on the clients

PUPPETD_START = [ "/etc/init.d/puppetd start" ]

# Set this to the location of your puppet SSL directories

PUPPET_SSL_LOCATION = "/etc/puppet/ssl"

# Set this to the URL of your iclassify server, if you have one

ICLASSIFY_SERVER = "https://iclassify.sfo.trusera.com"

has_iclassify = false

begin

  require '/srv/icagent/lib/iclassify'

  has_iclassify = true

rescue

end

default_run_options[:pty] = true

if has_iclassify

  set(:query, ENV["QUERY"]) if ENV.has_key?("QUERY")

  set(:query) do 

    Capistrano::CLI.ui.ask "iClassify Query: "

  end unless exists?(:query)

  set(:password, ENV["PASSWORD"]) if ENV.has_key?("PASSWORD")

  set(:ic_user, ENV["USER"]) unless exists?(:ic_user)

  if ENV.has_key?('IC_SERVER')

    set(:ic_server, ENV["IC_SERVER"])

  else

    set(:ic_server, ICLASSIFY_SERVER)

  end

  ic = IClassify::Client.new(ic_server, ic_user, password)

  ic_nodes = ic.search(query, [ 'fqdn' ])

  ic_nodes.each do |node|

    role :clients, node.attrib?('fqdn')

  end

else

  set(:clients) do

    Capistrano::CLI.ui.ask "Comma Seperated list of Clients to clean: "

  end unless exists?(:clients)

  clients.split(",").each do |c|

    role :clients, c

  end

end

# State which system the Puppet Master is

set(:master) do 

  Capistrano::CLI.ui.ask "Puppet Master FQDN:"

end unless exists?(:master)

role :master, master

default_run_options[:pty] = true

task :stop_puppetmasterd, :roles => :master do

  run_command(PUPPETMASTERD_STOP)

end

task :start_puppetmasterd, :roles => :master do

  run_command(PUPPETMASTERD_START)

end

task :stop_puppetd do

  run_command(PUPPETD_STOP)

end

task :start_puppetd do

  run_command(PUPPETD_START)

end

task :rm_certs do

  sudo("rm -rf #{PUPPET_SSL_LOCATION}")

end

# Oh, what a dirty, dirty thing this is. 

# If you are running mongrel, though, your puppetmasterd will never re-generate your certs

# So this is going to do the right thing for you

# Please forgive me.

task :generate_ca_cert, :roles => :master do

  sudo("puppetmasterd --daemonize")

  logger.info("Waiting 30 seconds for the Puppetmaster to start and generate CA") 

  sleep 30

  sudo("killall -9 puppetmasterd") 

end

task :generate_certs, :roles => :clients do

  run(%{ruby -e 'i = rand(60); puts "Sleeping " + i.to_s; sleep i'})

  sudo("sh -c 'puppetd --onetime --debug --ignorecache --no-daemonize --server #{master}; exit 0'")

end

task :sign_all, :roles => :master do

  sudo("puppetca --sign --all") if AUTOSIGN != true

end

task :rebuild_certs do

  logger.info("Stopping Puppetmasterd")

  stop_puppetmasterd

  logger.info("Stopping Puppetd")

  stop_puppetd

  logger.info("Removing Certificates")

  rm_certs

  logger.info("Regenerating CA Certificates")

  generate_ca_cert

  logger.info("Starting Puppetmasterd")

  start_puppetmasterd

  logger.info("Running puppetd to generate certificates")

  generate_certs

  logger.info("Signing all waiting requests")

  sign_all

  logger.info("Starting Puppetd")

  start_puppetd

  logger.info("Certificates regenerated!")

end

def run_command(const)

  const.each do |cmd|

    sudo(cmd)

  end

end