WIP, working on getting modules to the PE host

Provision using the ec2 hypervisor instead of docker
Docs <https://github.com/puppetlabs/beaker/blob/master/docs/hypervisors/ec2.md> Of course, it takes a bloody eternity ubuntu-14-04-master executed in 0.12 seconds Exited: 1 should be installed (FAILED - 1) Failures: 1) a simple test Package "mysql-server" should be installed Failure/Error: it { is_expected.to be_installed } expected Package "mysql-server" to be installed # ./spec/acceptance/first_spec.rb:10:in `block (4 levels) in <top (required)>' Finished in 29 minutes 59 seconds (files took 1 minute 11.13 seconds to load) 1 example, 1 failure Failed examples: rspec ./spec/acceptance/first_spec.rb:10 # a simple test Package "mysql-server" should be installed Randomized with seed 29425
2016-06-27 12:07:46 -07:00 · 2016-06-27 12:07:46 -07:00 · 2016-06-27 12:07:46 -07:00 · 2016-06-27 12:07:46 -07:00 · 2016-06-27 12:07:46 -07:00 · 2016-06-27 12:07:46 -07:00
243 changed files with 8955 additions and 292 deletions
--- a/.fixtures.yml
+++ b/.fixtures.yml
@ -1,21 +1,6 @@
 # Fixtures needed for puppetlabs_spec_helper
 fixtures:
  repositories:
-    stdlib:
-      repo: 'git://github.com/puppetlabs/puppetlabs-stdlib.git'
-      ref: '3.2.1'
-    r10k:
-      repo: 'git://github.com/acidprime/r10k.git'
-      ref: 'v1.0.2'
-    git:
-      repo: 'git://github.com/puppetlabs/puppetlabs-git.git'
-      ref: '0.0.3'
-    ruby:
-      repo: 'git://github.com/puppetlabs/puppetlabs-ruby.git'
-      ref: '0.1.1'
-    inifile:
-      repo: 'git://github.com/puppetlabs/puppetlabs-inifile.git'
-      ref: '1.0.3'
    yamlfile:
      repo: 'git://github.com/reidmv/puppet-module-yamlfile.git'
    filemapper:
@ -23,9 +8,104 @@ fixtures:
      ref: '1.1.2'
    account:
      repo: 'git://github.com/jenkins-infra/puppet-account.git'
-      ref: '03280b8'
+      ref: '6f2414c'
+    sudo:
+      repo: 'git://github.com/saz/puppet-sudo.git'
+      ref: 'v3.0.6'
+    irc:
+      repo: 'git://github.com/jenkins-infra/puppet-irc.git'
+      ref: '4e5e437'
+    docker:
+      repo: 'git://github.com/jenkins-infra/garethr-docker.git'
+      ref: '951781fbeb06fa8142e851c5746c35b302a6f427'
+    apachelogcompressor:
+      repo: 'git://github.com/jenkins-infra/puppet-apachelogcompressor.git'
+    mirrorbrain:
+      repo: 'git://github.com/jenkins-infra/puppet-mirrorbrain.git'
+      ref: '78ec0b0'
+    jenkins:
+      repo: 'git://github.com/jenkinsci/puppet-jenkins.git'
+      ref: 'd70fd6f'
+    r10k:
+      repo: 'git://github.com/acidprime/r10k.git'
+      ref: 'f270781'
+
+  forge_modules:
+    stdlib:
+      repo: 'puppetlabs/stdlib'
+      ref: '4.9.0'
+    datadog_agent:
+      repo: 'datadog/datadog_agent'
+      ref: '1.6.0'
+    ruby:
+      repo: 'puppetlabs/ruby'
+      ref: '0.4.0'
+    firewall:
+      repo: 'puppetlabs/firewall'
+      ref: '1.1.3'
+    apache:
+      repo: 'puppetlabs/apache'
+      ref: '1.8.1'
+    git:
+      repo: 'puppetlabs/git'
+      ref: '0.4.0'
+    ntp:
+      repo: 'puppetlabs/ntp'
+      ref: '4.1.2'
+    inifile:
+      repo: 'puppetlabs/inifile'
+      ref: '1.4.3'
+    apt:
+      repo: 'puppetlabs/apt'
+      ref: '2.2.2'
+    concat:
+      repo: 'puppetlabs/concat'
+      ref: '1.2.5'
+    staging:
+      repo: 'nanliu/staging'
+      ref: '0.4.0'
+    groovy:
+      repo: 'rtyler/groovy'
+      ref: '1.0.1'
+    ssh:
+      repo: 'saz/ssh'
+      ref: '2.8.1'
+    lvm:
+      repo: 'puppetlabs/lvm'
+      ref: '0.3.2'
+    gcc:
+      repo: 'puppetlabs/gcc'
+      ref: '0.3.0'
+    vcsrepo:
+      repo: 'puppetlabs/vcsrepo'
+      ref: '1.1.0'
+    puppetserver_gem:
+      repo: 'puppetlabs/puppetserver_gem'
+      ref: '0.2.0'
+    letsencrypt:
+      repo: 'danzilio/letsencrypt'
+      ref: '1.0.0'
+    openldap:
+      repo: 'camptocamp/openldap'
+      ref: '1.14.0'
+    augeasproviders_shellvar:
+      repo: 'herculesteam/augeasproviders_shellvar'
+      ref: '2.2.1'
+    augeasproviders_core:
+      repo: 'herculesteam/augeasproviders_core'
+      ref: '2.1.2'
+    java:
+      repo: 'puppetlabs/java'
+      ref: '1.5.0'
+    postgresql:
+      repo: 'puppetlabs/postgresql'
+      ref: '4.7.1'
+
+
+
 # Setting up a couple of symlinks to make it easier to treat profiles and roles
 # just as another set of "modules" in our environment
  symlinks:
    profile: "#{source_dir}/dist/profile"
    role: "#{source_dir}/dist/role"
+    sshkeyman: "#{source_dir}/dist/sshkeyman"
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,8 @@
-*.swp
+*.sw*
 .vagrant*
 .ruby-*
 spec/fixtures/
 .bundle
+vagrant2014*
+d2014*
+modules/
--- a/.rspec
+++ b/.rspec
@ -0,0 +1 @@
+--fail-fast --order random
--- a/33
+++ b/33
@ -2,21 +2,24 @@ source 'https://rubygems.org'

 gem 'rake'
 gem 'rspec-puppet'
-gem 'puppet-lint'
-gem 'puppet', '~> 3.4.0'
-gem 'puppetlabs_spec_helper', :github => 'jenkins-infra/puppetlabs_spec_helper'
+gem 'parallel_tests'
+# Needed for integration tests
+gem 'beaker'
+gem 'beaker-rspec'
+# This gem is like, never released
+gem 'puppet-lint', :github => 'rodjek/puppet-lint',
+                   :ref => '2546fed6be894bbcff15c3f48d4b6f6bc15d94d1'
+gem 'puppet', '~> 4.0.0'
+# Needed to make sure we can install modules and then run a `puppet apply` in
+# vagrant
+gem 'r10k'
+gem 'puppetlabs_spec_helper'
+gem 'pry'
+gem 'serverspec'
+gem 'hiera-eyaml'

 group :development do
-  # XXX: Shouldn't be needed anywhere by rtyler's machine, since Vagrant does'nt
-  # have proper installers for FreeBSD :(
-  gem 'vagrant', :github => 'mitchellh/vagrant', :ref => 'v1.5.4'
-
-  gem 'pry'
-  gem 'debugger', :platform => :mri
-  gem 'debugger-pry', :platform => :mri
-end
-
-# Vagrant plugins
-group :plugins do
-  gem 'vagrant-aws', :github => 'mitchellh/vagrant-aws'
+  gem 'debugger', :platform => :mri_19
+  gem 'debugger-pry', :platform => :mri_19
+  gem 'byebug', :platform => :mri_20
 end
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -1,146 +1,351 @@
 GIT
-  remote: git://github.com/jenkins-infra/puppetlabs_spec_helper.git
-  revision: 772ce0ed04edb5b58f99de6ebebe8ccc233b46be
+  remote: git://github.com/rodjek/puppet-lint.git
+  revision: 2546fed6be894bbcff15c3f48d4b6f6bc15d94d1
+  ref: 2546fed6be894bbcff15c3f48d4b6f6bc15d94d1
  specs:
-    puppetlabs_spec_helper (0.4.1.40)
-      mocha (>= 0.10.5)
-      rake
-      rspec (>= 2.9.0)
-      rspec-puppet (>= 0.1.1)
-
-GIT
-  remote: git://github.com/mitchellh/vagrant-aws.git
-  revision: d125a2f8ca5422f55f555ab921aaac968d1e6e72
-  specs:
-    vagrant-aws (0.5.0.dev)
-      fog (~> 1.18)
-
-GIT
-  remote: git://github.com/mitchellh/vagrant.git
-  revision: 285c7cdb2b3127d6dad4c2288cf9af6f15de6545
-  ref: v1.5.4
-  specs:
-    vagrant (1.5.4)
-      bundler (~> 1.5.2)
-      childprocess (~> 0.5.0)
-      erubis (~> 2.7.0)
-      i18n (~> 0.6.0)
-      listen (~> 2.7.1)
-      log4r (~> 1.1.9, < 1.1.11)
-      net-scp (~> 1.1.0)
-      net-ssh (>= 2.6.6, < 2.8.0)
-      rb-kqueue (~> 0.2.0)
-      wdm (~> 0.1.0)
+    puppet-lint (1.1.0)

 GEM
  remote: https://rubygems.org/
  specs:
+    CFPropertyList (2.2.8)
+    addressable (2.4.0)
+    aws-sdk (1.66.0)
+      aws-sdk-v1 (= 1.66.0)
+    aws-sdk-v1 (1.66.0)
+      json (~> 1.4)
+      nokogiri (>= 1.4.4)
+    beaker (2.44.0)
+      aws-sdk (~> 1.57)
+      beaker-answers (~> 0.0)
+      beaker-hiera (~> 0.0)
+      beaker-pe (~> 0.0)
+      docker-api
+      fission (~> 0.4)
+      fog (~> 1.25, < 1.35.0)
+      fog-google (~> 0.0.9)
+      google-api-client (~> 0.8, < 0.9.5)
+      hocon (~> 0.1)
+      inifile (~> 2.0)
+      json (~> 1.8)
+      mime-types (~> 2.99)
+      minitest (~> 5.4)
+      net-scp (~> 1.2)
+      net-ssh (~> 2.9)
+      open_uri_redirections (~> 0.2.1)
+      rbvmomi (~> 1.8)
+      rsync (~> 1.0.9)
+      stringify-hash (~> 0.0)
+      unf (~> 0.1)
+    beaker-answers (0.6.0)
+      hocon (~> 0.9.5)
+      require_all (~> 1.3.2)
+      stringify-hash (~> 0.0.0)
+    beaker-hiera (0.1.1)
+      stringify-hash (~> 0.0.0)
+    beaker-pe (0.5.0)
+      stringify-hash (~> 0.0.0)
+    beaker-rspec (5.3.0)
+      beaker (~> 2.0)
+      rspec
+      serverspec (~> 2)
+      specinfra (~> 2)
    builder (3.2.2)
-    celluloid (0.15.2)
-      timers (~> 1.1.0)
-    celluloid-io (0.15.0)
-      celluloid (>= 0.15.0)
-      nio4r (>= 0.5.0)
-    childprocess (0.5.3)
-      ffi (~> 1.0, >= 1.0.11)
+    byebug (8.2.1)
    coderay (1.1.0)
-    columnize (0.8.9)
-    debugger (1.6.6)
+    colored (1.2)
+    columnize (0.9.0)
+    cri (2.6.1)
+      colored (~> 1.2)
+    debugger (1.6.8)
      columnize (>= 0.3.1)
      debugger-linecache (~> 1.2.0)
-      debugger-ruby_core_source (~> 1.3.2)
+      debugger-ruby_core_source (~> 1.3.5)
    debugger-linecache (1.2.0)
    debugger-pry (0.1.1)
      debugger (~> 1)
      pry (>= 0.9.9)
-    debugger-ruby_core_source (1.3.2)
+    debugger-ruby_core_source (1.3.8)
    diff-lcs (1.2.5)
-    erubis (2.7.0)
-    excon (0.33.0)
-    facter (1.7.5)
-    ffi (1.9.3)
-    fog (1.22.0)
-      fog-brightbox
-      fog-core (~> 1.21, >= 1.21.1)
+    docker-api (1.28.0)
+      excon (>= 0.38.0)
+      json
+    excon (0.49.0)
+    facter (2.4.6)
+      CFPropertyList (~> 2.2.6)
+    faraday (0.9.2)
+      multipart-post (>= 1.2, < 3)
+    faraday_middleware (0.9.2)
+      faraday (>= 0.7.4, < 0.10)
+    faraday_middleware-multi_json (0.0.6)
+      faraday_middleware
+      multi_json
+    fission (0.5.0)
+      CFPropertyList (~> 2.2)
+    fog (1.34.0)
+      fog-atmos
+      fog-aws (>= 0.6.0)
+      fog-brightbox (~> 0.4)
+      fog-core (~> 1.32)
+      fog-dynect (~> 0.0.2)
+      fog-ecloud (~> 0.1)
+      fog-google (>= 0.0.2)
      fog-json
+      fog-local
+      fog-powerdns (>= 0.1.1)
+      fog-profitbricks
+      fog-radosgw (>= 0.0.2)
+      fog-riakcs
+      fog-sakuracloud (>= 0.0.4)
+      fog-serverlove
+      fog-softlayer
+      fog-storm_on_demand
+      fog-terremark
+      fog-vmfusion
+      fog-voxel
+      fog-xml (~> 0.1.1)
+      ipaddress (~> 0.5)
      nokogiri (~> 1.5, >= 1.5.11)
-    fog-brightbox (0.0.2)
+    fog-atmos (0.1.0)
+      fog-core
+      fog-xml
+    fog-aws (0.9.2)
+      fog-core (~> 1.27)
+      fog-json (~> 1.0)
+      fog-xml (~> 0.1)
+      ipaddress (~> 0.8)
+    fog-brightbox (0.10.1)
+      fog-core (~> 1.22)
+      fog-json
+      inflecto (~> 0.0.2)
+    fog-core (1.40.0)
+      builder
+      excon (~> 0.49)
+      formatador (~> 0.2)
+    fog-dynect (0.0.3)
      fog-core
      fog-json
-    fog-core (1.22.0)
-      builder
-      excon (~> 0.33)
-      formatador (~> 0.2)
-      mime-types
-      net-scp (~> 1.1)
-      net-ssh (>= 2.1.3)
-    fog-json (1.0.0)
-      multi_json (~> 1.0)
-    formatador (0.2.4)
-    hiera (1.3.2)
+      fog-xml
+    fog-ecloud (0.3.0)
+      fog-core
+      fog-xml
+    fog-google (0.0.9)
+      fog-core
+      fog-json
+      fog-xml
+    fog-json (1.0.2)
+      fog-core (~> 1.0)
+      multi_json (~> 1.10)
+    fog-local (0.3.0)
+      fog-core (~> 1.27)
+    fog-powerdns (0.1.1)
+      fog-core (~> 1.27)
+      fog-json (~> 1.0)
+      fog-xml (~> 0.1)
+    fog-profitbricks (0.0.5)
+      fog-core
+      fog-xml
+      nokogiri
+    fog-radosgw (0.0.5)
+      fog-core (>= 1.21.0)
+      fog-json
+      fog-xml (>= 0.0.1)
+    fog-riakcs (0.1.0)
+      fog-core
+      fog-json
+      fog-xml
+    fog-sakuracloud (1.7.5)
+      fog-core
+      fog-json
+    fog-serverlove (0.1.2)
+      fog-core
+      fog-json
+    fog-softlayer (1.1.2)
+      fog-core
+      fog-json
+    fog-storm_on_demand (0.1.1)
+      fog-core
+      fog-json
+    fog-terremark (0.1.0)
+      fog-core
+      fog-xml
+    fog-vmfusion (0.1.0)
+      fission
+      fog-core
+    fog-voxel (0.1.0)
+      fog-core
+      fog-xml
+    fog-xml (0.1.2)
+      fog-core
+      nokogiri (~> 1.5, >= 1.5.11)
+    formatador (0.2.5)
+    google-api-client (0.9.4)
+      addressable (~> 2.3)
+      googleauth (~> 0.5)
+      httpclient (~> 2.7)
+      hurley (~> 0.1)
+      memoist (~> 0.11)
+      mime-types (>= 1.6)
+      representable (~> 2.3.0)
+      retriable (~> 2.0)
+      thor (~> 0.19)
+    googleauth (0.5.1)
+      faraday (~> 0.9)
+      jwt (~> 1.4)
+      logging (~> 2.0)
+      memoist (~> 0.12)
+      multi_json (~> 1.11)
+      os (~> 0.9)
+      signet (~> 0.7)
+    hiera (2.0.0)
      json_pure
-    i18n (0.6.9)
-    json_pure (1.8.1)
-    listen (2.7.3)
-      celluloid (>= 0.15.2)
-      celluloid-io (>= 0.15.0)
-      rb-fsevent (>= 0.9.3)
-      rb-inotify (>= 0.9)
+    hiera-eyaml (2.0.8)
+      highline (~> 1.6.19)
+      trollop (~> 2.0)
+    highline (1.6.21)
+    hocon (0.9.5)
+    httpclient (2.8.0)
+    hurley (0.2)
+    inflecto (0.0.2)
+    inifile (2.0.2)
+    ipaddress (0.8.3)
+    json (1.8.3)
+    json_pure (1.8.3)
+    jwt (1.5.4)
+    little-plugger (1.1.4)
    log4r (1.1.10)
+    logging (2.1.0)
+      little-plugger (~> 1.1)
+      multi_json (~> 1.10)
+    memoist (0.14.0)
    metaclass (0.0.4)
    method_source (0.8.2)
-    mime-types (2.2)
-    mini_portile (0.5.3)
-    mocha (1.0.0)
+    mime-types (2.99.2)
+    mini_portile2 (2.1.0)
+    minitar (0.5.4)
+    minitest (5.9.0)
+    mocha (1.1.0)
      metaclass (~> 0.0.1)
-    multi_json (1.9.3)
-    net-scp (1.1.2)
+    multi_json (1.12.1)
+    multipart-post (2.0.0)
+    net-scp (1.2.1)
      net-ssh (>= 2.6.5)
-    net-ssh (2.7.0)
-    nio4r (1.0.0)
-    nokogiri (1.6.1)
-      mini_portile (~> 0.5.0)
-    pry (0.9.12.6)
-      coderay (~> 1.0)
-      method_source (~> 0.8)
+    net-ssh (2.9.4)
+    net-telnet (0.1.1)
+    nokogiri (1.6.8)
+      mini_portile2 (~> 2.1.0)
+      pkg-config (~> 1.1.7)
+    open_uri_redirections (0.2.1)
+    os (0.9.6)
+    parallel (1.6.1)
+    parallel_tests (2.2.1)
+      parallel
+    pkg-config (1.1.7)
+    pry (0.10.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
      slop (~> 3.4)
-    puppet (3.4.3)
-      facter (~> 1.6)
-      hiera (~> 1.0)
-      rgen (~> 0.6.5)
-    puppet-lint (0.3.2)
-    rake (10.3.1)
-    rb-fsevent (0.9.4)
-    rb-inotify (0.9.4)
-      ffi (>= 0.5.0)
-    rb-kqueue (0.2.2)
-      ffi (>= 0.5.0)
-    rgen (0.6.6)
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.8)
-    rspec-expectations (2.14.5)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.6)
-    rspec-puppet (1.0.1)
+    puppet (4.0.0)
+      facter (> 2.0, < 4)
+      hiera (>= 2.0, < 3)
+      json_pure
+    puppet-syntax (2.0.0)
+      rake
+    puppet_forge (2.1.1)
+      faraday (~> 0.9.0)
+      faraday_middleware (~> 0.9.0)
+      minitar
+      semantic_puppet (~> 0.1.0)
+    puppetlabs_spec_helper (1.0.1)
+      mocha
+      puppet-lint
+      puppet-syntax
+      rake
+      rspec-puppet
+    r10k (2.1.1)
+      colored (= 1.2)
+      cri (~> 2.6.1)
+      faraday (~> 0.9.0)
+      faraday_middleware (~> 0.9.0)
+      faraday_middleware-multi_json (~> 0.0.6)
+      log4r (= 1.1.10)
+      minitar
+      multi_json (~> 1.10)
+      puppet_forge (~> 2.1.1)
+      semantic_puppet (~> 0.1.0)
+    rake (10.4.2)
+    rbvmomi (1.8.2)
+      builder
+      nokogiri (>= 1.4.1)
+      trollop
+    representable (2.3.0)
+      uber (~> 0.0.7)
+    require_all (1.3.3)
+    retriable (2.1.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.4)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.4.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-puppet (2.4.0)
      rspec
-    slop (3.5.0)
-    timers (1.1.0)
-    wdm (0.1.0)
+    rspec-support (3.4.1)
+    rsync (1.0.9)
+    semantic_puppet (0.1.1)
+    serverspec (2.24.3)
+      multi_json
+      rspec (~> 3.0)
+      rspec-its
+      specinfra (~> 2.43)
+    sfl (2.2)
+    signet (0.7.2)
+      addressable (~> 2.3)
+      faraday (~> 0.9)
+      jwt (~> 1.5)
+      multi_json (~> 1.10)
+    slop (3.6.0)
+    specinfra (2.44.7)
+      net-scp
+      net-ssh (~> 2.7)
+      net-telnet
+      sfl
+    stringify-hash (0.0.2)
+    thor (0.19.1)
+    trollop (2.1.2)
+    uber (0.0.15)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.2)

 PLATFORMS
  ruby

 DEPENDENCIES
+  beaker
+  beaker-rspec
+  byebug
  debugger
  debugger-pry
+  hiera-eyaml
+  parallel_tests
  pry
-  puppet (~> 3.4.0)
-  puppet-lint
-  puppetlabs_spec_helper!
+  puppet (~> 4.0.0)
+  puppet-lint!
+  puppetlabs_spec_helper
+  r10k
  rake
  rspec-puppet
-  vagrant!
-  vagrant-aws!
+  serverspec
+
+BUNDLED WITH
+   1.10.6
--- a/50
+++ b/50
@ -0,0 +1,50 @@
+#!groovy
+
+def nodeLabel = 'docker'
+def dockerImage = 'rtyler/jenkins-infra-builder'
+
+/* Only keep the 10 most recent builds. */
+properties([[$class: 'BuildDiscarderProperty',
+                strategy: [$class: 'LogRotator', numToKeepStr: '10']]])
+
+parallel(lint: {
+            node(nodeLabel) {
+                runInside(dockerImage) {
+                    sh 'mkdir -p vendor/gems && bundle install --without development plugins --path=vendor/gems'
+                    sh 'bundle exec rake lint'
+                }
+            }
+        },
+        verifyZoneFiles: {
+            node(nodeLabel) {
+                validateZoneFor('jenkins-ci.org', dockerImage)
+                validateZoneFor('jenkins.io', dockerImage)
+            }
+        },
+        rspec: {
+            node(nodeLabel) {
+                runInside(dockerImage) {
+                    sh 'mkdir -p vendor/gems && bundle install --without development plugins --path=vendor/gems'
+                    sh 'bundle exec rake spec'
+                }
+            }
+        },
+    )
+
+def validateZoneFor(dnsZone, dockerImage) {
+    runInside(dockerImage) {
+        sh "/usr/sbin/named-checkzone ${dnsZone} dist/profile/files/bind/${dnsZone}.zone"
+    }
+}
+
+def runInside(String dockerImage, Closure c) {
+    /* This requires the Timestamper plugin to be installed on the Jenkins */
+    wrap([$class: 'TimestamperBuildWrapper']) {
+        docker.image(dockerImage).inside {
+            checkout scm
+            c.call()
+        }
+    }
+}
+
+// vim: ft=groovy
--- a/97
+++ b/97
@ -1,42 +1,103 @@
 forge "http://forge.puppetlabs.com"

 # Install and manage r10k
-mod "zack/r10k", '1.0.2'
+mod "zack/r10k",
+      :git => 'git://github.com/acidprime/r10k.git',
+      :ref => 'f270781'

 # Deps for zack/r10k
-# We are tracking stdlib from git because the puppet module tool 
-# is getting in the way when we want to upgrade newer than the 
+# We are tracking stdlib from git because the puppet module tool
+# is getting in the way when we want to upgrade newer than the
 # supported module version
-mod "stdlib", :git => 'git@github.com:puppetlabs/puppetlabs-stdlib.git',
-  :ref => '4.1.0'
+mod "stdlib",
+        :git => 'git@github.com:puppetlabs/puppetlabs-stdlib.git',
+        :ref => '4.9.0'

-mod "puppetlabs/ruby", '0.1.0'
-mod "puppetlabs/gcc", '0.1.0'
-mod "puppetlabs/pe_gem", '0.0.1'
-mod "mhuffnagle/make", '0.0.2'
-mod "puppetlabs/inifile", '1.0.3'
-mod "puppetlabs/vcsrepo", '0.2.0'
-mod "puppetlabs/git", '0.0.3'
+mod 'puppetlabs/ruby', '0.4.0'
+mod "puppetlabs/gcc", '0.3.0'
+# Used for installing gems for the puppetserver, like with hiera-eyaml
+mod "puppetlabs/puppetserver_gem", '0.2.0'
+mod "puppetlabs/inifile", '1.4.3'
+mod "puppetlabs/vcsrepo", '1.1.0'
+mod "puppetlabs/git", '0.4.0'
 mod "gentoo/portage", '2.2.0-rc1'

-mod "puppetlabs/ntp", '3.0.3'
+# Used for setting up ntp daemons on all machines to have a correct time
+mod "puppetlabs/ntp", '4.1.2'
+
+# Module for managing sudoers across all machines
+mod 'saz/sudo', '3.0.6'
+
+# Needed for managing firewall rules
+mod 'puppetlabs/firewall', '1.1.3'

 # Needed for managing .yaml files from within Puppet
 mod 'reidmv/yamlfile'
 # Needed by `yamlfile`
 mod 'adrien/filemapper'

-mod 'garethr/docker', '0.13.0'
+mod 'docker', :git => 'git://github.com/jenkins-infra/garethr-docker.git',
+              :ref => '951781fbeb06fa8142e851c5746c35b302a6f427'

 # Deps for docker
-mod 'puppetlabs/apt', '1.4.2'
-mod 'stahnma/epel', '0.0.6'
+mod 'puppetlabs/apt', '2.2.2'
+mod 'stahnma/epel', '1.2.2'
+
+# Dependencies for the Puppet IRC report processor, using our forked version
+# which updates on any changed status
+mod 'irc', :git => 'git://github.com/jenkins-infra/puppet-irc.git',
+           :ref => '4e5e437'

 # Needed for managing our accounts in hiera, this fork contains the pull
 # request which adds support for multiple SSH keys:
 # <https://github.com/torrancew/puppet-account/pull/18>
 mod 'account', :git => 'git://github.com/jenkins-infra/puppet-account.git',
-               :ref => '03280b8'
+               :ref => '6f2414c'

 mod 'jenkins_keys',
-  :git => 'git@github.com:rtyler/jenkins-keys.git'
+  :git => 'git@github.com:jenkins-infra/jenkins-keys.git',
+  :ref => 'eeb7db7'
+
+# Apache and its dependencies
+mod "puppetlabs/apache", '1.8.1'
+# Used internally to gzip compress rotated logs
+mod 'apachelogcompressor',
+        :git => 'git://github.com/jenkins-infra/puppet-apachelogcompressor.git',
+        :ref => '0113d7b'
+
+mod "puppetlabs/concat", '1.2.5'
+
+
+mod 'rtyler/groovy', '1.0.3'
+# Dependency of `groovy
+mod 'nanliu/staging', '0.4.0'
+
+
+# For managing server-side ssh configuration options
+mod 'saz/ssh', '2.8.1'
+
+mod 'puppetlabs/lvm', '0.3.2'
+mod 'datadog/datadog_agent', '1.6.0'
+
+# Used for grabbing certificates for jenkins.io
+mod 'danzilio/letsencrypt', '1.0.0'
+
+# For managing ldap, and dependencies
+mod 'camptocamp/openldap', '1.14.0'
+mod 'herculesteam/augeasproviders_shellvar', '2.2.1'
+mod 'herculesteam/augeasproviders_core', '2.1.2'
+
+mod 'mirrorbrain',
+    :git => 'git://github.com/jenkins-infra/puppet-mirrorbrain.git',
+    :ref => '78ec0b0'
+
+# For managing Jenkins itself
+mod 'rtyler/jenkins',
+  :git => 'git://github.com/jenkinsci/puppet-jenkins.git',
+  :ref => 'd70fd6f'
+# Needed for the Jenkins module
+mod 'puppetlabs/java', '1.5.0'
+
+
+# Needed for managing pgsql behind Mirrorbrain
+mod 'puppetlabs/postgresql', '4.7.1'
--- a/README.md
+++ b/README.md
@ -7,23 +7,55 @@ This repository is the [r10k](https://github.com/adrienthebo/r10k) control
 repository for the [Jenkins](https://jenkins-ci.org) project's own
 infrastructure.

-**NOTE:** This repository and workflow are still a **work in progress**
-
 ## Local development

-The amount of testing that can be done locally is still a **work in progress**
-but thus far it's advisable that you do the following:
+The amount of testing that can be done locally is as follows:

 * `bundle install` - To get the necessary gems to run tests locally, if you're
   unfamiliar with Ruby development you may want to use [RVM](http://rvm.io/)
   to create an isolated Ruby environment
- * `bundle exec rake spec lint` - Will run the
+ * `./check` - Will run the
   [rspec-puppet](http://rspec-puppet) unit tests and the
   [puppet-lint](http://puppet-lint.com) style validation. If you intend to run
   the rspec-puppet over and over, use `rake spec_standalone` to avoid
   re-initializing the Puppet module fixtures every time.
- * Vagrant-based testing - **coming soon**

+### Vagrant-based testing
+
+#### Pre-requisites
+
+ * Import your SSH public key into a [key
+   pair](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html)
+   into the `us-west-2` region. We have an AMI in us-west-2 that has Ubuntu 12.04,
+   Puppet and a Docker-capable kernel installed for testing
+ * Make sure your `default` [security
+   group](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)
+   allows SSH (port 22) from the outside world.
+ * Run the `./vagrant-bootstrap` script locally to make sure your local
+   environment is prepared for Vagranting
+
+#### Running server spec tests
+
+We're using [serverspec](http://serverspec.org) for on-machine acceptance
+testing. Combined with Vagrant, this allows us to create an acceptance test
+[per-role](dist/role/manifests) which provisions and tests an entire Puppet
+catalog on a VM.
+
+##### Pre-requisites
+
+* Install [Vagrant](https://www.vagrantup.com)
+* Install Vagrant plugins: `vagrant plugin install vagrant-aws  vagrant-serverspec`
+
+To launch a test instance, `vagrant up ROLE` where `ROLE` is [one of the defined roles](dist/role/manifests).
+You can rerun puppet and execute tests with `vagrant provision ROLE` repeatedly while the VM is up and running.
+To just rerun serverspect without puppet, `vagrant provision --provision-with serverspec ROLE`.
+When it's all done, deprovision the instance via `vagrant destroy ROLE`.
+
+### Updating dependencies
+For reasons that Tyler will hopefully clarify at some point, this module maintains
+the list of Puppet module dependencies in `Puppetfile` and `.fixtures.yml`. They
+need to be kept in sync. When you modify them, you can have the local environment
+reflect changes by running `bundle exec rake resolve`.

 ## Branching model

@ -55,8 +87,31 @@ When a infra project team member is happy with the code in `staging` they can
 create a merge from `staging` to `production`. Once something has been merged
 to production, it will be automatically deployed to production hosts.

+## Installing agents
+
+For installing agents refer to the [installing
+agents](http://docs.puppetlabs.com/pe/latest/install_agents.html) section of
+the PuppetLabs documentation.
+
+## Adding a new branch/environment
+
+"Dynamic environments" are in a bit of flux for the current version (3.7) of
+Puppet Enterprise that we're using. An unfortunate side-effect of this is that
+creating a branch in this repository is *not* sufficient to create a dynamic
+environment that can be used via the Puppet master.
+
+The enable an environment, add a file on the Puppet master:
+`/etc/puppetlabs/puppet/environments/my-environment-here/environment.conf` with
+the following:
+
+```conf
+modulepath = ./dist:./modules:/opt/puppet/share/puppet/modules
+manifest = ./manifests/site.pp
+```
+
 ## Contributing

 * `#jenkins-infra` on the [Freenode](http://freenode.net) IRC network
 *  [INFRA project](https://issues.jenkins-ci.org/browse/INFRA) in JIRA.
+* [infra@lists.jenkins-ci.org](http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra)

--- a/37
+++ b/37
@ -1,13 +1,38 @@
-require 'puppet-lint'
+require 'puppet-lint/tasks/puppet-lint'
 require 'puppetlabs_spec_helper/rake_tasks'

-
-PuppetLint.configuration.send('disable_80chars')
-PuppetLint.configuration.ignore_paths = ['modules/**/*.pp', 'spec/fixtures/**/*.pp']
-
 desc "Validate the Puppet syntax of all manifests"
 task :validate do
  Dir['./{dist,manifests}/**/*.pp'].each do |filename|
-    sh "puppet parser validate '#{filename}'"
+    sh "puppet parser validate --parser future '#{filename}'"
  end
 end
+
+PuppetLint::RakeTask.new :lint do |config|
+  config.disable_checks = ['80chars',
+                           'class_parameter_defaults',
+                           'names_containing_dash']
+  config.pattern = 'dist/**/*.pp'
+  config.fail_on_warnings = true
+end
+
+desc 'Resolve all the dependencies'
+task :resolve do
+  # for reasons beyond me, we list dependencies in Puppetfile and .fixtures.yml
+  # we need to keep them in sync, and when we change them we need to run two commands
+  # to reflect those changes
+
+  # this fills ./modules
+  `rm -rf ./modules/*`
+  `r10k puppetfile install`
+
+  # this fills ./spec/fixtures/modules
+  Rake::Task['spec_clean'].invoke
+  Rake::Task['spec_prep'].invoke
+end
+
+desc 'Check syntax of DNS zone file'
+task "test-zonefile" do
+  sh "docker run --rm -v $PWD:/data kohsuke/named-checkzone jenkins-ci.org dist/profile/files/bind/jenkins-ci.org.zone"
+  sh "docker run --rm -v $PWD:/data kohsuke/named-checkzone jenkins.io dist/profile/files/bind/jenkins.io.zone"
+end
--- a/92
+++ b/92
@ -0,0 +1,92 @@
+# Required plugins:
+#    vagrant-aws
+#    vagrant-serverspec
+
+Vagrant.configure("2") do |config|
+  access_key_id = ENV['AWS_ACCESS_KEY_ID'] || File.read('.vagrant_key_id').chomp
+  secret_access_key = ENV['AWS_SECRET_ACCESS_KEY'] || File.read('.vagrant_secret_access_key').chomp
+  keypair = ENV['AWS_KEYPAIR_NAME'] || File.read('.vagrant_keypair_name').chomp
+
+  # prefer aws provider over virtualbox to make it the default
+  config.vm.provider 'aws'
+  config.vm.provider 'virtualbox'
+
+  config.vm.box = 'dummy'
+  config.vm.box_url = 'https://github.com/mitchellh/vagrant-aws/raw/master/dummy.box'
+
+  # modules/account/.travis.yml has incorrect link target, and this blows up
+  # when vagrant tries to rsync files as it tries to resolves symlinks.
+  # see http://www.trilithium.com/johan/2011/09/delete-broken-symlinks/
+  `find -L . -type l -delete`
+
+  config.vm.provider(:aws) do |aws, override|
+    aws.access_key_id = access_key_id
+    aws.secret_access_key = secret_access_key
+    aws.keypair_name = keypair
+
+    # Ubuntu LTS 14.04 in us-west-2 stock
+    aws.ami = 'ami-9abea4fb'
+    aws.region = 'us-west-2'
+    aws.instance_type = 'm3.medium'
+
+    override.ssh.username = "ubuntu"
+    override.ssh.private_key_path = File.expand_path('~/.ssh/id_rsa')
+    override.nfs.functional = false   # https://github.com/mitchellh/vagrant/issues/1437
+  end
+
+  role_dir = './dist/role/manifests/'
+  Dir["#{role_dir}**/*.pp"].each do |role|
+    next if File.directory? role
+    # Turn `dist/role/manifests/spinach.pp` into `spinach`
+    veggie = role.gsub(role_dir, '').gsub('/', '::').gsub('.pp', '')
+    specfile = veggie.gsub('::', '_')
+
+
+    # If there are no serverspec files, we needn't provision a machine!
+    if Dir["./spec/server/#{specfile}/*.rb"].empty?
+      puts ">> no serverspec defined for #{veggie}"
+      next
+    end
+
+    config.vm.define(veggie) do |node|
+      node.vm.provider(:aws) do |aws, override|
+        aws.tags = {
+          :Name => veggie
+        }
+      end
+
+      bootstrap_script = <<-EOF
+if [ ! -f "/apt-cached" ]; then
+  wget -q http://apt.puppetlabs.com/puppetlabs-release-trusty.deb
+  dpkg -i puppetlabs-release-trusty.deb
+  apt-get update && apt-get install -yq puppet && touch /apt-cached;
+fi
+EOF
+
+      # This is a Vagrant-local hack to make sure we have properly udpated apt
+      # caches since AWS machines are definitely going to have stale ones
+      node.vm.provision 'shell', :inline => bootstrap_script
+
+      node.vm.provision 'puppet' do |puppet|
+        puppet.manifest_file = File.basename(role)
+        puppet.manifests_path = File.dirname(role)
+        puppet.module_path = ['modules', 'dist']
+        # Setting the work to /vagrant so our hiera configuration will resolve
+        # properly to our relative hieradata/
+        puppet.working_directory = '/vagrant'
+        puppet.facter = {
+          :vagrant => '1',
+          :veggie => veggie,
+        }
+        puppet.hiera_config_path = 'spec/fixtures/hiera.yaml'
+        puppet.options = "--parser future --verbose --execute 'include role::#{veggie}\n include profile::vagrant'"
+      end
+
+      node.vm.provision :serverspec do |spec|
+        spec.pattern = "spec/server/#{specfile}/*.rb"
+      end
+    end
+  end
+end
+
+# vim: ft=ruby
--- a/beaker/hosts.cfg
+++ b/beaker/hosts.cfg
@ -0,0 +1,10 @@
+HOSTS:
+  ubuntu-14-04:
+    platform: ubuntu-14.04-x64
+    image: ubuntu:14.04
+    hypervisor: docker
+CONFIG:
+  type: foss
+  masterless: true
+
+# vim: ft=yaml
--- a/beaker/tests/first_beaker.rb
+++ b/beaker/tests/first_beaker.rb
@ -0,0 +1,6 @@
+test_name "some test"
+
+step "Make sure the service restarts properly"
+hosts.each do |host|
+  install_pe
+end
--- a/6
+++ b/6
@ -0,0 +1,6 @@
+#!/bin/bash -ex
+bundle exec rake lint test-zonefile
+
+# this assumes that you have run `bundle exec rake spec_prep` at least once
+# to set up fixtures
+bundle exec parallel_rspec spec/classes
--- a/ci/00_setupgems.sh
+++ b/ci/00_setupgems.sh
@ -2,4 +2,9 @@

 gem install bundler --no-ri --no-rdoc

-bundle install --without development plugins
+mkdir -p vendor/gems
+
+bundle install --verbose --without development plugins --path=vendor/gems
+
+# clean out old fixtures just in case they were left there by a previous build
+bundle exec rake spec_clean || true
--- a/ci/10_lintpuppet.sh
+++ b/ci/10_lintpuppet.sh
@ -0,0 +1,3 @@
+#!/bin/sh -xe
+
+exec bundle exec rake lint
--- a/ci/10_validatepuppet.sh
+++ b/ci/10_validatepuppet.sh
@ -1,3 +0,0 @@
-#!/bin/sh -xe
-
-bundle exec rake validate lint
--- a/ci/11_rspecpuppet.sh
+++ b/ci/11_rspecpuppet.sh
@ -0,0 +1,3 @@
+#!/bin/sh -xe
+
+exec bundle exec rake spec --trace
--- a/ci/12_bindcheck.sh
+++ b/ci/12_bindcheck.sh
@ -0,0 +1,6 @@
+#!/bin/sh -xe
+#
+# Ensure our DNS zone files are correct
+# <https://issues.jenkins-ci.org/browse/INFRA-283>
+
+#exec bundle exec rake test-zonefile
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@ -0,0 +1,12 @@
+# Instance for running our tests quickly and easily
+FROM ubuntu:trusty
+MAINTAINER tyler@linux.com
+
+# Packages we need for a sane build
+#  * ruby, ruby-dev, zlib1g-dev: all to ensure `bundle install` works properly
+#  * git: duh
+#  * build-essential: make sure Ruby has some tools for building native
+#    extensions
+#  * bind9utils: ensure we can verify DNS zones
+RUN apt-get update -q && apt-get install -qy git build-essential zlib1g-dev ruby ruby-dev bind9utils && apt-get clean
+RUN gem install bundler --no-ri --no-rdoc
--- a/dist/profile/files/accountapp/http_check.yaml
+++ b/dist/profile/files/accountapp/http_check.yaml
@ -0,0 +1,5 @@
+  - name: accountapp
+    url: https://accounts.jenkins.io/
+    timeout: 1
+    threshold: 3
+    window: 5
--- a/dist/profile/files/apache/00-reverseproxy_combined.conf
+++ b/dist/profile/files/apache/00-reverseproxy_combined.conf
@ -0,0 +1,4 @@
+# MANAGED BY PUPPET. DO NOT MODIFY
+
+# define log file format
+LogFormat "\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %I %O" reverseproxy_combined
--- a/dist/profile/files/apache/other-vhosts-access-log.conf
+++ b/dist/profile/files/apache/other-vhosts-access-log.conf
@ -0,0 +1,4 @@
+# MANAGED BY PUPPET. DO NOT MODIFY
+
+# Define an access log for VirtualHosts that don't define their own logfile
+CustomLog "|/usr/bin/rotatelogs /var/log/apache2/other/access.log.%Y%m%d%H%M%S 86400" reverseproxy_combined
--- a/dist/profile/files/apachecert/bogus-bundle.crt
+++ b/dist/profile/files/apachecert/bogus-bundle.crt
@ -0,0 +1,79 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
+MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
+IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
+MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
+B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
+Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
+dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
+CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
+Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
+3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
+6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
+gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
+GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
+IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
+MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
+bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
+H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
+OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
+9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
+KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
+qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
+rw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
+MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
+YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
+MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
+ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
+MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
+PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
+wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
+EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
+avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
+sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
+/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
+IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
+OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
+TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
+HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
+dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
+ReYNnyicsbkqWletNw+vHX/bvZ8=
+-----END CERTIFICATE-----
--- a/dist/profile/files/apachecert/bogus.crt
+++ b/dist/profile/files/apachecert/bogus.crt
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIJAI0COa8Ryww1MA0GCSqGSIb3DQEBBQUAMBAxDjAMBgNV
+BAMMBWJvZ3VzMB4XDTE1MDMyODIzMjc0NFoXDTI1MDMyNTIzMjc0NFowEDEOMAwG
+A1UEAwwFYm9ndXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtd1sq
+Fiov+Z37A+oXH6zuTvykUZKFLdN/kX5miansn5KJdJpzQeJEyR0av+IBJ4ipfJey
+A//J3DpH70a4zuyCbRs1N4e1yWgZzNQQSY4VBoOGXpCENnNwub2ab9y/9NjMV4dH
+yQHd7ciaWDelT1tiiTJn2DmGO0ElU5axfclD/ODrpkyLvUiZZmpkmA5NaBJe4VR5
+zrG/DhPJEEJnHBqIiPEJZtfUGJLtG6NnLVdfHxg8SfWkbNQWV3V/8SXQ4IXO5Eze
+B0fAT8HSZBQD92YgczWaK5HBTUoxutjHCLHhkCTQ2GJaMehjPpAt4C1wShSeZDJt
+N60dfEBDlmUsbgbdAgMBAAGjUDBOMB0GA1UdDgQWBBQyo1CZFOML6oQIkerOQZGQ
+pS9jMzAfBgNVHSMEGDAWgBQyo1CZFOML6oQIkerOQZGQpS9jMzAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAdNh7GK9ekSBAhFX8vKYtiN9jjsowQRP0B
+t8iCC966jmpJm6cehMomuHqatlqKZM8llPckR+weuqRlLfaZxTnujYzl6uqqwyHa
+CLv6csKJFN9mTJ2rMLOrhnw31LjSZbDnYjPnUIOpYEg03UW9r2S5Hr989T7YcqFl
+zFxbDIUwxBCuA8yOrKQFtMKfxN17WZwHCEAg4S24VlP8+wXKclzrqZHnkQ+NJ0ci
+MsVf/UlROx/JT92w0z2AVLS8xdogROpeYSOQ433ceXyyhVTLxGFJ5OZJ5z7DFfWQ
+Kvern/eB95PdMMllttFKpCXhx2zeUWH+Mn/gNgjcLBXeQdEif/ZG
+-----END CERTIFICATE-----
--- a/dist/profile/files/apachecert/cucumber-bundle.crt
+++ b/dist/profile/files/apachecert/cucumber-bundle.crt
@ -0,0 +1,79 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
+MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
+IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
+MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
+B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
+Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
+dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
+CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
+Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
+3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
+6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
+gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
+GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
+IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
+MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
+bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
+H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
+OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
+9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
+KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
+qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
+rw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
+MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
+YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
+MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
+ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
+MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
+PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
+wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
+EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
+avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
+sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
+/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
+IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
+OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
+TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
+HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
+dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
+ReYNnyicsbkqWletNw+vHX/bvZ8=
+-----END CERTIFICATE-----
--- a/dist/profile/files/apachecert/cucumber.crt
+++ b/dist/profile/files/apachecert/cucumber.crt
@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFgTCCBGmgAwIBAgIJAPgPNY0nPxZxMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE1MDIwODE5NTQzOFoX
+DTE3MDIwOTAzNDEyMlowPDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMRcwFQYDVQQDEw5qZW5raW5zLWNpLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMQKctZILOefeVAaTIbD6bq8etUU9IaQcuUKkxf0AEh34cqj
+pufhzMaz5iJRYRdZDXzfaIVcn06wWV4AEz2IVllGYghpOzcwSMwjlIzLbScR/4ib
+meokVhZyiQXoN2jkjUVCKGVMruAndL1ABSMSgZL5OWJQkiP4EzeFAf5+uInme8GO
+YgYL5Rt7EjhisukAOCmXwCH5lJmcpI+eXaQMPr9X7D4L3WRLw3dH0b5r9zMlZmvX
+al8HKOue6aZVDjzERnoy4bid3JgP0xOM7GTMMFgtOHiY51L+iD1aZR3LBwKoNnY7
+KbrKEs8wZ9wu8mJbpGVZwT2eKejeBiTSGrRMBWMCAwEAAaOCAgswggIHMAwGA1Ud
+EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
+/wQEAwIFoDA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLmdvZGFkZHkuY29t
+L2dkaWcyczEtODcuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3Bggr
+BgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0
+b3J5LzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdv
+ZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2Rh
+ZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0
+gzCiM9f7bLPwtCyAzjCBggYDVR0RBHsweYIOamVua2lucy1jaS5vcmeCEnd3dy5q
+ZW5raW5zLWNpLm9yZ4IUdXNhZ2UuamVua2lucy1jaS5vcmeCEnN2bi5qZW5raW5z
+LWNpLm9yZ4IRY2kuamVua2lucy1jaS5vcmeCFnVwZGF0ZXMuamVua2lucy1jaS5v
+cmcwHQYDVR0OBBYEFDoi2BzFKa2pxSl3EppQt97qynR0MA0GCSqGSIb3DQEBCwUA
+A4IBAQBw43snveMPqYntLt0oAeGNmaoi3HexEfL+lOUzvpWHK68Cpk1HGHgbWfXk
+HP9/pW1YLmv8ZZtdwlwIdEcPVizEMskEeSvx91eKpJrohqr6XCIFdKoV46sKuBdz
+M04wMmgRjbQYX9d2DMrjBb0gtJ1AmfxkAtT8gdKpL4lDybPeFLLcydXOLC6p1urS
+LWr/HDXQWotrazUw8UUJieTwBeouNWE01sbvlbqsssmtbgjze7Y0nWJRtTjtFdI1
+5LnR5gnhcCLJUb75vXEfcq7JD2caDpxx1/L45f4UIim/AJUxtJyNxoPEbvoDz9jx
+FYH3RoOnMO6yjshFKBsSnPD0zfh6
+-----END CERTIFICATE-----
--- a/dist/profile/files/apachecert/ssl.conf
+++ b/dist/profile/files/apachecert/ssl.conf
@ -0,0 +1,11 @@
+# MANAGED BY PUPPET. DO NOT MODIFY
+
+<IfModule mod_ssl.c>
+    # put into a IfModule so that SSL can be disabled without breaking anything
+    SSLCertificateFile      /etc/apache2/certificate.crt
+    SSLCertificateChainFile /etc/apache2/bundle.crt
+    SSLCertificateKeyFile   /etc/apache2/server.key
+    # Disable SSLv2 and SSLV3 since both are insecure and force the use of TLS1
+    # or higher (INFRA-390)
+    SSLProtocol All -SSLv2 -SSLv3
+</IfModule>
--- a/dist/profile/files/apachecert/wiki-jira-bundle.crt
+++ b/dist/profile/files/apachecert/wiki-jira-bundle.crt
@ -0,0 +1,79 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
+MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
+IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
+MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
+B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
+Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
+dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
+CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
+Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
+3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
+6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
+gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
+GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
+IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
+MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
+bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
+H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
+OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
+9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
+KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
+qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
+rw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
+MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
+YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
+MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
+ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
+MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
+PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
+wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
+EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
+avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
+sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
+/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
+IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
+OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
+TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
+HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
+dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
+ReYNnyicsbkqWletNw+vHX/bvZ8=
+-----END CERTIFICATE-----
--- a/dist/profile/files/apachecert/wiki-jira.crt
+++ b/dist/profile/files/apachecert/wiki-jira.crt
@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFbTCCBFWgAwIBAgIJAIjgqHJGvu3QMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE2MDIyOTA0MzUzOFoX
+DTE3MDMwMTA0MzUzOFowQzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMR4wHAYDVQQDExVpc3N1ZXMuamVua2lucy1jaS5vcmcwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDQnPfbfsSDaYNzM30TTldIcY1laR0Di3lT4e8l
+DdBrvHR4dzyeh0A2LzrW4VhhwYDGrLg/aXfUZ5E/cD4iC2J5zZ1/tM3fuZDeEV6V
+MAMpr8SEmuZVdljeXzlbXUoSYpbRqjuexVGzgmbPigiGdetLZxpmsfZTu6UkdWIN
+NXnY2a1icHaODvPhrIkuXp0T1HcWBa49GLk8xLHLUZPQg+yXSbwjkVfjJtdQBlHq
+UPJKodNpoQuXe0s6cvz9Oa5asR9zu2My6jf6JYkH2hS+pUsVHLefXvTfQSg4TRLl
+Gz+BpJzar393X0nO7ObKrWHgwbDRWR1B4NxtqBf242xjmSyVAgMBAAGjggHwMIIB
+7DAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAO
+BgNVHQ8BAf8EBAMCBaAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5nb2Rh
+ZGR5LmNvbS9nZGlnMnMxLTIwMS5jcmwwUwYDVR0gBEwwSjBIBgtghkgBhv1tAQcX
+ATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29t
+L3JlcG9zaXRvcnkvMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov
+L29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNh
+dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaA
+FEDCvSeOzDSDMKIz1/tss/C0LIDOMGcGA1UdEQRgMF6CFWlzc3Vlcy5qZW5raW5z
+LWNpLm9yZ4IZd3d3Lmlzc3Vlcy5qZW5raW5zLWNpLm9yZ4ITd2lraS5qZW5raW5z
+LWNpLm9yZ4IVcHVwcGV0LmplbmtpbnMtY2kub3JnMB0GA1UdDgQWBBR2es/+TuPl
+3EdUbfWCZBP5bqtUCTANBgkqhkiG9w0BAQsFAAOCAQEAo60VBFk3IzabzGkKSP+5
+Al9Kj5Uly/naTOFhpyBGqL8XTwLeomn8QaKgUc6vyvKYIEJQCNkX9y7CLr66cP8B
+xKzuq5gXfHADygg0+tjQap3bq0xDRJ6S0cndg7slTgHFOnjXNFKmnzqgOvdLQWb7
+IpfKvnATDks2i6SWaJR24lMZB78iboIcqtklT1BJSnC23r4CDiRj91hyz8zUV0B1
+Oy7r3bTIKoMkzYFwCQg0MFxlyufB7oxMwCbYCSa3Zvbu7PAF5JNuP88bUwwJs5uQ
+n2GxEKrVMwGGOZgzRf7jYF6vJJQNrVX1an29k4vxmwZdaIb+t5CCnVHEY7IZM7Zy
+Bw==
+-----END CERTIFICATE-----
--- a/dist/profile/files/apachemaintenance/maintenance.html
+++ b/dist/profile/files/apachemaintenance/maintenance.html
@ -0,0 +1,9 @@
+<html>
+<body>
+<div align=middle style="font-size:2em">
+  <img src=http://mirror.xmission.com/jenkins/art/jenkins-logo/256x256/logo.png>
+<br>
+  Our site is currently down for maintenance. Please check <a href="http://twitter.com/jenkinsci">our twitter</a> account for updates.
+</div>
+</body>
+</html>
--- a/dist/profile/files/bind/dns_check.yaml
+++ b/dist/profile/files/bind/dns_check.yaml
@ -0,0 +1,7 @@
+init_config:
+    default_timeout: 4
+
+instances:
+    - hostname: jenkins.io
+      nameserver: 127.0.0.1
+      timeout: 8
--- a/dist/profile/files/bind/jenkins-ci.org.zone
+++ b/dist/profile/files/bind/jenkins-ci.org.zone
@ -0,0 +1,132 @@
+; Domain: jenkins-ci.org
+
+; SOA Record
+JENKINS-CI.ORG.    3600    IN    SOA    ns1.jenkins-ci.org. tyler.monkeypox.org. (
+                2011122901
+                28800
+                7200
+                604800
+                3600
+                )
+
+; A Records
+@           3600    IN    A    199.193.196.24
+
+; Primary at Contegix
+cucumber    3600    IN    A    199.193.196.24
+
+; VM at Rackspace
+spinach     3600    IN    A    173.203.60.151
+celery      3600    IN    A    162.242.234.101
+celery      3600    IN    AAAA 2001:4802:7801:103:be76:4eff:fe20:357c
+okra        3600    IN    A    162.209.106.32
+okra        3600    IN    AAAA 2001:4802:7800:2:be76:4eff:fe20:7a31
+; cabbage has died of dysentery
+cabbage     3600    IN    A    104.130.167.56
+kelp        3600    IN    A    162.209.124.149
+kelp        3600    IN    AAAA 2001:4802:7801:101:be76:4eff:fe20:b252
+
+; Hosts at OSUOSL
+lettuce     3600    IN    A    140.211.9.32      ; otherwise known as jenkins-lettuce.osuosl.org
+; artichoke has died of dysentery
+artichoke   3600    IN    A    140.211.9.22      ; otherwise known as jenkins-puppet.osuosl.org
+eggplant    3600    IN    A    140.211.15.101    ; otherwise known as hudson-java.osuosl.org
+edamame     3600    IN    A    140.211.9.2       ; otherwise known as jenkins-confluence.osuosl.org
+
+lists       3600    IN    A    140.211.166.34
+ns1         3600    IN    A    140.211.9.2 ; edamame
+ns2         3600    IN    A    173.203.60.151 ; spinach (Rackspace)
+ns3         3600    IN    A    162.209.106.32 ; okra (Rackspace)
+
+
+;-----------------------------------
+
+; CNAME Records
+www         3600    IN    CNAME    @
+issues      3600    IN    CNAME    edamame
+gherkin     3600    IN    CNAME    cucumber
+drupal      3600    IN    CNAME    cucumber
+wiki        3600    IN    CNAME    lettuce
+updates     3600    IN    CNAME    updates.jenkins.io.
+downloads   3600    IN    CNAME    cucumber
+fisheye     3600    IN    CNAME    cucumber
+l10n        3600    IN    CNAME    l10n.jenkins.io.
+javadoc     3600    IN    CNAME    cucumber
+mirrors     3600    IN    CNAME    mirrors.jenkins.io.
+pkg         3600    IN    CNAME    pkg.jenkins.io.
+usage       3600    IN    CNAME    usage.jenkins.io.
+stacktrace  3600    IN    CNAME    cucumber
+sorcerer    3600    IN    CNAME    cucumber
+stats       3600    IN    CNAME    cucumber
+maven       3600    IN    CNAME    cucumber
+maven2      3600    IN    CNAME    cucumber
+ci          3600    IN    CNAME    cucumber
+svn         3600    IN    CNAME    cucumber
+meetings    3600    IN    CNAME    edamame
+javanet2    3600    IN    CNAME    cucumber
+ldap        3600    IN    CNAME    cucumber
+jekyll      3600    IN    CNAME    jenkinsci.github.io.
+git         3600    IN    CNAME    spinach
+boxes       3600    IN    CNAME    spinach
+mirrors2    3600    IN    CNAME    lettuce
+ips         3600    IN    CNAME    lettuce
+nagios      3600    IN    CNAME    lettuce
+kale        3600    IN    CNAME    ec2-184-73-58-254.compute-1.amazonaws.com.   ; contributed by Red Hat
+repo        3600    IN    CNAME    jenkinsci.jfrog.org.      ; Artifactory hosted by JFrog
+links       3600    IN    CNAME    rhs.reddit.com.           ; /r/jenkinsci
+fallback    3600    IN    CNAME    spinach
+plugin-generator    3600 IN  CNAME jpi-create.jenkins.cloudbees.net.    ; hosted app on CloudBees RUN@cloud
+goto        3600    IN    CNAME    goto.jenkins.cloudbees.net.          ; hosted app on CloudBees RUN@cloud
+recipe      3600    IN    CNAME    recipe.jenkins.cloudbees.net.        ; hosted app on CloudBees RUN@cloud
+puppet      3600    IN    CNAME    artichoke
+archives    3600    IN    CNAME    okra
+beta        3600    IN    CNAME    eggplant ; beta site for the jenkins-ci.org/jenkins.io site
+demo        3600    IN    CNAME    kelp
+accounts    3600    IN    CNAME    eggplant
+
+; MX Records
+@          3600    IN    MX    0    cucumber
+lists      3600    IN    MX    0    smtp1.osuosl.org.
+lists      3600    IN    MX    0    smtp2.osuosl.org.
+lists      3600    IN    MX    0    smtp3.osuosl.org.
+lists      3600    IN    MX    0    smtp4.osuosl.org.
+
+; NS Records
+@           3600    IN    NS    ns1
+@           3600    IN    NS    ns2
+@           3600    IN    NS    ns3
+
+; SPF
+;   this policy enables the e-mail originating from these hosts to be whitelisted.
+;    199.193.196.24     (cucumber)
+;    140.211.15.*       (eggplant and its subnet)
+;    140.211.8.*        (lettuce and its subnet)
+;    140.211.9.*        (edamame and its subnet)
+;        -> combined into 140.211.8.*/23
+;    173.203.60.151     (spinach)
+;    140.211.166.128/25 (OSUOSL mail relays)
+;    "~all" in the end makes the rest soft failures (as opposed to -all for hard failure)
+;
+;   when modifying, use http://www.kitterman.com/spf/validate.html to test
+@ 3600 IN  TXT "v=spf1 mx ip4:199.193.196.24 ip4:140.211.15.0/24 ip4:140.211.8.0/23 ip4:173.203.60.151 ip4:140.211.166.128/25 -all"
+@ 3600 IN  SPF "v=spf1 mx ip4:199.193.196.24 ip4:140.211.15.0/24 ip4:140.211.8.0/23 ip4:173.203.60.151 ip4:140.211.166.128/25 -all"
+
+; DKIM
+cucumber._domainkey     1W IN TXT ("v=DKIM1;p="
+    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGI3F6ZZemke1oeZLfdl"
+    "WT6bNz71CHIF74XFPkzJvPrKfCIa50KVV1FLdAbvBFFhtZB9soQphMg1g8JVvCCc"
+    "Jykf8QAnr0/zGy2CZoHGfqYem1SUgMd//jOQ4PIgypfBXHYPeFOFcKg2seIyd75Y"
+    "cR0DOWXCF1UO5K/nezfPT9RB5vBW4mXV5dn8TUwdvsu1ApQKWQj3dLYpMNlVqAgw"
+    "dc7dCifqAWvhfxrRaPzG/4aSgpwxqYt4d6NV3Jl0MB9nnBeWK3JzmPxkXwaO1D8e"
+    "3KxxIkvGTBs4BK9SIC3lY90xV5eqOlehLL9ZUYndtiQfABp2tfQkitG59N4FEfUB"
+    "vwIDAQAB"
+    )
+eggplant._domainkey     1W IN TXT ("v=DKIM1;p="
+    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsBwtlRrZE7oYs5y3FKjt"
+    "/gXl4QR7LqdBmmQXX+l5pYE0VbTaweUlnNfSkV72sZchTikQ7X15hNgQ+hW/99tU"
+    "WGnXlAC2r444Ggl9xoFVxKhSIbkRVRszzIe5axo4BQENZ/cj7Mw8BwsB8mESG29K"
+    "YtKeMkXfLuBkWuUZ/56pu1eOOfZl4iMLiQnP7UNpAlX4L1/Le3bIaTWZUrsk/MwE"
+    "pwULsW0VB3sghu4K+Kdos1AyGP2NwkQL3CCzpwm1TaBaC0rb0sQ0m62JgPe3NzOt"
+    "U3NGXKNnpLRuhYNFU46bW/6ZVF0NskessArYAsbY54cMHTzhpvkC6b2hs5x+ps0J"
+    "3QIDAQAB"
+    )
--- a/dist/profile/files/bind/jenkins.io.zone
+++ b/dist/profile/files/bind/jenkins.io.zone
@ -0,0 +1,81 @@
+; Domain: jenkins.io
+
+; SOA Record
+@  1D  IN  SOA    ns1.jenkins-ci.org. tyler.monkeypox.org. (
+                2015122201 ; serial, todays date + todays serial #
+                28800      ; refresh, seconds
+                7200       ; retry, seconds
+                604800     ; expire, seconds
+                3600       ; minimum, seconds
+                )
+
+; A Records
+@           3600    IN    A    140.211.15.101 ; eggplant
+
+; Physical machine at Contegix
+cucumber    3600    IN    A    199.193.196.24
+; VM at Rackspace
+spinach     3600    IN    A    173.203.60.151
+celery      3600    IN    A    162.242.234.101
+celery      3600    IN    AAAA 2001:4802:7801:103:be76:4eff:fe20:357c
+okra        3600    IN    A    162.209.106.32
+okra        3600    IN    AAAA 2001:4802:7800:2:be76:4eff:fe20:7a31
+; cabbage has died of dysentery
+cabbage     3600    IN    A    104.130.167.56
+kelp        3600    IN    A    162.209.124.149
+kelp        3600    IN    AAAA 2001:4802:7801:101:be76:4eff:fe20:b252
+
+; Hosts at OSUOSL
+lettuce     3600    IN    A    140.211.9.32      ; otherwise known as jenkins-lettuce.osuosl.org
+; artichoke has died of dysentery
+artichoke   3600    IN    A    140.211.9.22      ; otherwise known as jenkins-puppet.osuosl.org
+eggplant    3600    IN    A    140.211.15.101    ; otherwise known as hudson-java.osuosl.org
+edamame     3600    IN    A    140.211.9.2       ; otherwise known as jenkins-confluence.osuosl.org
+radish      3600    IN    A    140.211.9.94      ; otherwise known as jenkins-radish.osuosl.org
+
+
+; EC2
+ldap        3600    IN    A    52.201.145.189 ; jenkins-ldap
+rating      3600    IN    A    52.23.130.110  ; jenkins-ratings
+mirrors     3600    IN    A    52.202.51.185  ; jenkins-mirrorbrain
+ci          3600    IN    A    52.71.231.250  ; jenkins-ci
+l10n        3600    IN    A    52.71.7.244    ; jenkins-l10n
+census      3600    IN    A    52.202.38.86   ; jenkins-census
+usage       3600    IN    A    52.204.62.78   ; jenkins-usage
+
+
+; CNAME Records
+www         3600    IN    CNAME    @
+pkg         3600    IN    CNAME    mirrors ; pkg and mirrors run off the same host
+beta        3600    IN    CNAME    eggplant ; beta site for the jenkins-ci.org/jenkins.io site
+puppet      3600    IN    CNAME    radish
+accounts    3600    IN    CNAME    eggplant
+updates     3600    IN    CNAME    mirrors ; updates.jenkins.io for delivering update center, etc
+archives    3600    IN    CNAME    okra ; archives.jenkins.io for delivering old releases
+fallback    3600    IN    CNAME    spinach ; fallback.jenkins.io for acting as a fallback mirror
+
+; Magical CNAME for certificate validation
+D07F852F584FA592123140354D366066.ldap.jenkins.io. 3600 IN CNAME 75E741181A7ACDBE2996804B2813E09B65970718.comodoca.com.
+
+; Amazon SES configuration to send out email from noreply@jenkins.io
+_amazonses  3600    IN    TXT   "kYNeW+b+9GnKO/LzqP/t0TzLyN86jQ9didoBAJSjezE="
+pbssnl2yyudgfdl3flznotnarnamz5su._domainkey 3600    IN  CNAME   pbssnl2yyudgfdl3flznotnarnamz5su.dkim.amazonses.com.
+6ch6fw67efpfgoqyhdhs2cy2fpkwrvsk._domainkey 3600    IN  CNAME   6ch6fw67efpfgoqyhdhs2cy2fpkwrvsk.dkim.amazonses.com.
+37qo4cqmkxeocwr2iicjop77fq52m6yh._domainkey 3600    IN  CNAME   37qo4cqmkxeocwr2iicjop77fq52m6yh.dkim.amazonses.com.
+
+; NS Records
+@           3600    IN    NS    ns1.jenkins-ci.org.
+@           3600    IN    NS    ns2.jenkins-ci.org.
+@           3600    IN    NS    ns3.jenkins-ci.org.
+
+; spam trap
+spamtrap    3600    IN    MX    10 mxa.mailgun.org.
+spamtrap    3600    IN    MX    10 mxb.mailgun.org.
+
+
+; mailgun configuration
+@   3600    IN  TXT "v=spf1 include:mailgun.org ~all"
+mailo._domainkey    3600    IN  TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpS+8K+bVvFlfTqbVbuvM9SoX0BqjW3zK7BJeCZ4GnaJTeRaurKx81hUX1wz3wKt+Qt9xI+X6mAlar2Co+B13GsNZIlYVdO/zBVtZG+R5KvMQUynNyie05oRyaTFWtNEiQVgGYgM4xkwlIWSA9EXmBMaKg7ze3kKNKUOnzKDIxMQIDAQAB"
+
+@   3600    MX  10  mxa.mailgun.org.
+@   3600    MX  10  mxb.mailgun.org.
--- a/dist/profile/files/bind/named.conf.local
+++ b/dist/profile/files/bind/named.conf.local
@ -0,0 +1,11 @@
+zone "jenkins-ci.org" {
+  type master;
+  file "/etc/bind/local/jenkins-ci.org.zone";
+  allow-transfer { 140.211.166.126; };
+};
+
+zone "jenkins.io" {
+  type master;
+  file "/etc/bind/local/jenkins.io.zone";
+  allow-transfer { 140.211.166.126; };
+};
--- a/dist/profile/files/buildmaster/idempotent-cli
+++ b/dist/profile/files/buildmaster/idempotent-cli
@ -0,0 +1,23 @@
+#!/bin/sh -x
+
+AUTH_ARGS=""
+SSH_KEY="/var/lib/jenkins/.ssh/jenkins-cli-key"
+
+if [ -f $SSH_KEY ]; then
+    mkdir -p /var/lib/jenkins/users/jenkins
+    cat > /var/lib/jenkins/users/jenkins/config.xml <<EOF
+<?xml version='1.0' encoding='UTF-8'?>
+<user>
+  <fullName>jenkins</fullName>
+  <properties>
+    <org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
+      <authorizedKeys>`cat ${SSH_KEY}.pub`</authorizedKeys>
+    </org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
+  </properties>
+</user>
+EOF
+
+    AUTH_ARGS="-i ${SSH_KEY}"
+fi;
+
+exec /usr/bin/java -jar /usr/share/jenkins/jenkins-cli.jar -s http://localhost:8080 ${AUTH_ARGS} $@
--- a/dist/profile/files/confluence/http_check.yaml
+++ b/dist/profile/files/confluence/http_check.yaml
@ -0,0 +1,16 @@
+  # This URL is supposed to be served by static cache layer
+  # But in the past sometimes we seem to lose the static cache files, and
+  # measuring the response time of this is a good test to detect that.
+  - name: Confluence
+    url: https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin
+    timeout: 1
+    threshold: 3
+    window: 5
+
+  # URL that's not served by the static cache. This URL also requires database access,
+  # so it's a good test to watch out for starved database connections
+  - name: Confluence Backend
+    url: https://wiki.jenkins-ci.org/s/2015/1/1/_/download/superbatch/css/batch.css
+    timeout: 1
+    threshold: 3
+    window: 5
--- a/dist/profile/files/confluence/process_check.yaml
+++ b/dist/profile/files/confluence/process_check.yaml
@ -0,0 +1,6 @@
+  - name: Confluence
+    search_string: ['-Dcatalina.home=/srv/wiki']
+    exact_match: false
+    thresholds:
+      # expect exactly 1 instance
+      critical: [0, 1]
--- a/dist/profile/files/confluence/robots.txt
+++ b/dist/profile/files/confluence/robots.txt
@ -0,0 +1,2 @@
+user-agent: *
+disallow: /label
--- a/dist/profile/files/hiera.yaml
+++ b/dist/profile/files/hiera.yaml
@ -1,10 +1,12 @@
 ---
 :backends:
  - eyaml
+  - yaml

 :hierarchy:
  - "clients/%{clientcert}"
  - "env/%{environment}"
+  - "roles/%{hiera_role}"
  - common

 #:yaml:
@ -15,7 +17,7 @@
 #  :datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"

 :eyaml:
-  :datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
+  :datadir: "/etc/puppetlabs/code/environments/%{environment}/hieradata"
  :extension: 'yaml'
  :pkcs7_private_key: /var/lib/puppet/keys/private_key.pkcs7.pem
  :pkcs7_public_key: /var/lib/puppet/keys/public_key.pkcs7.pem
--- a/dist/profile/files/jira/http_check.yaml
+++ b/dist/profile/files/jira/http_check.yaml
@ -0,0 +1,6 @@
+instances:
+  - name: JIRA
+    url: https://issues.jenkins-ci.org/browse/JENKINS-12345
+    timeout: 1
+    threshold: 3
+    window: 5
--- a/dist/profile/files/jira/process_check.yaml
+++ b/dist/profile/files/jira/process_check.yaml
@ -0,0 +1,6 @@
+  - name: JIRA
+    search_string: ['-Dcatalina.home=/srv/jira']
+    exact_match: false
+    thresholds:
+      # expect exactly 1 instance
+      critical: [0, 1]
--- a/dist/profile/files/ldap/process_check.yaml
+++ b/dist/profile/files/ldap/process_check.yaml
@ -0,0 +1,7 @@
+  - name: LDAP
+    search_string: ['/usr/sbin/slapd']
+    exact_match: false
+    thresholds:
+      # expect exactly 1 instance
+      critical: [0, 1]
+
--- a/dist/profile/files/mirrorbrain/geoip.conf
+++ b/dist/profile/files/mirrorbrain/geoip.conf
@ -0,0 +1,15 @@
+<IfModule mod_geoip.c>
+    GeoIPEnable On
+    GeoIPEnableUTF8 On
+    # GeoIPOutput [Notes|Env|All]
+    GeoIPOutput Env
+    GeoIPScanProxyHeaders On
+
+    <IfModule prefork.c>
+        GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
+    </IfModule>
+    <IfModule !prefork>
+        GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MMapCache
+    </IfModule>
+</IfModule>
+
--- a/dist/profile/files/mirrorbrain/populate-archives.sh
+++ b/dist/profile/files/mirrorbrain/populate-archives.sh
@ -0,0 +1,5 @@
+#!/bin/bash -ex
+#
+# mirror /srv/releases into archives.jenkins-ci.org
+#
+exec rsync -avz /srv/releases/jenkins/ www-data@archives.jenkins-ci.org:/srv/releases/
--- a/dist/profile/files/mirrorbrain/populate-fallback.sh
+++ b/dist/profile/files/mirrorbrain/populate-fallback.sh
@ -0,0 +1,27 @@
+#!/bin/bash -ex
+# MANAGED BY PUPPET. DO NOT MODIFY
+#
+# put the recent files in the fallback mirror (and recent files alone)
+# OSUOSL mirror system has a problem in that its behavior is asynchronous,
+# meaning we don't know exactly when it starts serving new files. this creates
+# a brief time window where files visible from http://pkg.jenkins-ci.org/ results in 404
+# (because those files aren't yet available from OSUOSL mirrors.)
+#
+# To prevent this problem, we create a fallback mirror under our control on http://fallback.jenkins-ci.org/
+# where we can synchronously push files. Because this fallback mirror is only expected to serve
+# very new files, this script only copies those files that are created within last 7 days.
+# In this way, we keep the disk consumption in check
+#
+cd /srv/releases/jenkins
+rsync -avz --delete-during --delete-excluded --prune-empty-dirs --include-from=<(
+  # no .htaccess
+  echo '- .htaccess'
+  # files that are modified within the last 7 days
+  (find . -type f -mtime -7) | sed -e 's#\./#+ /#g'
+  # skip updates/ directory
+  echo '- updates/'
+  # visit all directories
+  echo '+ */'
+  # exclude everything else
+  echo '- *'
+) . www-data@fallback.jenkins-ci.org:/var/www/fallback.jenkins-ci.org/
--- a/dist/profile/files/mirrorbrain/rsync.filter
+++ b/dist/profile/files/mirrorbrain/rsync.filter
@ -0,0 +1,15 @@
+# the way these filters work is that for each file/dir,
+# rsync matches it against the list, and the first match
+# decides the fate
+ *.zip
+ *.rpm
+ *.deb
+ *.pkg
+ *.war
+ *.hpi
+ *.jpi
+
+# we recurse into directories
+ */
+# any file that doesn't match the above extensions aren't pushed to the mirror
+- *
--- a/dist/profile/files/mirrorbrain/sync.sh
+++ b/dist/profile/files/mirrorbrain/sync.sh
@ -0,0 +1,81 @@
+#!/bin/bash -xe
+HOST=jenkins@ftp-osl.osuosl.org
+BASE_DIR=/srv/releases/jenkins
+UPDATES_DIR=/var/www/updates.jenkins.io
+REMOTE_BASE_DIR=data/
+RSYNC_ARGS="-rlpgoDvz"
+SCRIPT_DIR=$PWD
+
+pushd $BASE_DIR
+  rsync ${RSYNC_ARGS} --delete-during --delete-excluded --prune-empty-dirs --include-from=<(
+    # keep all the plugins
+    echo '+ plugins/**'
+    echo '+ updates/**'
+    echo '+ art/**'
+    echo '+ podcast/**'
+    # I think this is a file we create on OSUOSL so dont let that be deleted
+    echo '+ TIME'
+    # copy all the symlinks
+    find . -type l | sed -e 's#\./#+ /#g'
+    # files that are older than last one year is removed from the mirror
+    find . -type f -mtime +365 | sed -e 's#\./#- /#g'
+    # the rest of the rules come from rsync.filter
+    cat $SCRIPT_DIR/rsync.filter
+  ) . $HOST:jenkins/
+popd
+
+echo ">> Syncing the update center to our local mirror"
+
+pushd ${UPDATES_DIR}
+    # Note: this used to exist in the old script, but we have these
+    # symbolic links in the destination tree, no need to copy them again
+    #
+    #rsync ${RSYNC_ARGS}  *.json* ${BASE_DIR}/updates
+    for uc_version in */update-center.json; do
+      echo ">> Syncing UC version ${uc_version}"
+      uc_version=$(dirname $uc_version)
+      rsync ${RSYNC_ARGS} $uc_version/*.json* ${BASE_DIR}/updates/${uc_version}
+    done;
+
+    # Ensure that our tool installers get synced
+    rsync ${RSYNC_ARGS}  updates ${BASE_DIR}/updates/
+
+    echo ">> Syncing UC to primarily OSUOSL mirror"
+    rsync ${RSYNC_ARGS} --delete ${BASE_DIR}/updates/ ${HOST}:jenkins/updates
+popd
+
+echo ">> Delivering bits to fallback"
+/srv/releases/populate-archives.sh
+/srv/releases/populate-fallback.sh
+
+echo ">> Updating the latest symlink for weekly"
+/srv/releases/update-latest-symlink.sh
+echo ">> Updating the latest symlink for weekly RC"
+/srv/releases/update-latest-symlink.sh "-rc"
+echo ">> Updating the latest symlink for LTS"
+/srv/releases/update-latest-symlink.sh "-stable"
+echo ">> Updating the latest symlink for LTS RC"
+/srv/releases/update-latest-symlink.sh "-stable-rc"
+
+echo ">> Triggering remote mirroring script"
+ssh $HOST "sh trigger-jenkins"
+
+echo ">> move index from staging to production"
+(cd /var/www && rsync --omit-dir-times -av pkg.jenkins.io.staging/ pkg.jenkins.io/)
+
+# This section of the script aims to ensure that at least one of our primary mirrors has the
+# "big" archives before we complete execution. This will help prevent users from unexpectedly
+# hitting fallback mirrors when our primary mirrors *have* the data and we simply haven't updated
+# our indexes
+#
+# https://issues.jenkins-ci.org/browse/INFRA-483
+echo ">> Sleeping to allow the OSUOSL to propogate some bits"
+sleep 120
+
+echo ">> attempting to update indexes with released archive"
+for f in debian debian-stable redhat redhat-stable war war-stable opensuse opensuse-stable osx osx-stable windows windows-stable updates; do
+  echo ">>>> updating index for ${f}/"
+  mb scan -j 2 -v -d $f -e ftp-chi.osuosl.org;
+done
+
+
--- a/dist/profile/files/mirrorbrain/update-latest-symlink.sh
+++ b/dist/profile/files/mirrorbrain/update-latest-symlink.sh
@ -0,0 +1,21 @@
+#!/bin/bash -ex
+cd $(dirname $0)
+releaseLine=$1
+pushd jenkins/war${releaseLine}
+  v=$(ls -d ?.* | sort -V | tail -1)
+  rm -f latest
+  ln -sf $v latest
+popd
+pushd jenkins/windows${releaseLine}
+  cat > .htaccess << EOF
+# generated by http://ci.jenkins-ci.org/view/Infrastructure/job/infra_mirroring
+Redirect /windows${releaseLine}/latest /windows${releaseLine}/jenkins-$v.zip
+EOF
+popd
+pushd jenkins/osx${releaseLine}
+  cat > .htaccess << EOF
+# generated by http://ci.jenkins-ci.org/view/Infrastructure/job/infra_mirroring
+Redirect /osx${releaseLine}/latest /osx${releaseLine}/jenkins-$v.pkg
+EOF
+popd
+echo -n $v > jenkins/version${releaseLine}.txt
--- a/dist/profile/files/pkgrepo/jenkins-ci.org.key
+++ b/dist/profile/files/pkgrepo/jenkins-ci.org.key
@ -0,0 +1,112 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQGiBEmFQG0RBACXScOxb6BTV6rQE/tcJopAEWsdvmE0jNIRWjDDzB7HovX6Anrq
+n7+Vq4spAReSFbBVaYiiOx2cGDymj2dyx2i9NAI/9/cQXJOU+RPdDzHVlO1Edksp
+5rKn0cGPWY5sLxRf8s/tO5oyKgwCVgTaB5a8gBHaoGms3nNC4YYf+lqlpwCgjbti
+3u1iMIx6Rs+dG0+xw1oi5FUD/2tLJMx7vCUQHhPRupeYFPoD8vWpcbGb5nHfHi4U
+8/x4qZspAIwvXtGw0UBHildGpqe9onp22Syadn/7JgMWhHoFw5Ke/rTMlxREL7pa
+TiXuagD2G84tjJ66oJP1FigslJzrnG61y85V7THL61OFqDg6IOP4onbsdqHby4VD
+zZj9A/9uQxIn5250AGLNpARStAcNPJNJbHOQuv0iF3vnG8uO7/oscB0TYb8/juxr
+hs9GdSN0U0BxENR+8KWy5lttpqLMKlKRknQYy34UstQiyFgAQ9Epncu9uIbVDgWt
+y7utnqXN033EyYkcWx5EhLAgHkC7wSzeSWABV3JSXN7CeeOif7QiS29oc3VrZSBL
+YXdhZ3VjaGkgPGtrQGtvaHN1a2Uub3JnPohjBBMRAgAjAhsDBgsJCAcDAgQVAggD
+BBYCAwECHgECF4AFAko/7vYCGQEACgkQm30y8tUFguabhgCgi54IQR4rpJZ/uUHe
+ZB879zUWTQwAniQDBO+Zly7Fsvm0Mcvqvl02UzxCtC1Lb2hzdWtlIEthd2FndWNo
+aSA8a29oc3VrZS5rYXdhZ3VjaGlAc3VuLmNvbT6IYAQTEQIAIAUCSj/qbQIbAwYL
+CQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEJt9MvLVBYLm38gAoIGR2+TQeJaCeEa8
+CQhZYzDoiJkQAJ0cpmD+0VA+leOAr5LEccNVd70Z/dHNy83JARAAAQEAAAAAAAAA
+AAAAAAD/2P/gABBKRklGAAEBAQBgAGAAAP/hAGBFeGlmAABJSSoACAAAAAQAMQEC
+ABkAAAA+AAAAEFEBAAEAAAABQ5AAEVEEAAEAAAASCwAAElEEAAEAAAASCwAAAAAA
+AE1hY3JvbWVkaWEgRmlyZXdvcmtzIDQuMAAA/9sAQwAIBgYHBgUIBwcHCQkICgwU
+DQwLCwwZEhMPFB0aHx4dGhwcICQuJyAiLCMcHCg3KSwwMTQ0NB8nOT04MjwuMzQy
+/9sAQwEJCQkMCwwYDQ0YMiEcITIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy
+MjIyMjIyMjIyMjIyMjIyMjIyMjIy/8AAEQgArgCWAwEiAAIRAQMRAf/EAB8AAAEF
+AQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC//EALUQAAIBAwMCBAMFBQQEAAABfQEC
+AwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkq
+NDU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqS
+k5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk
+5ebn6Onq8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkK
+C//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUhMQYSQVEHYXETIjKBCBRCkaGx
+wQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFla
+Y2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2
+t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAAwDAQAC
+EQMRAD8A9wEj/wB9vzpfMf8Avt+dRinCpGSeY398/nS72/vH86YKBQBJvb+8fzpd
+7f3j+dMFLQA/e394/nS7j6n86ZSimA7cfU07cfU1HnFOFADtx9aXJ9TTKUUxD8n1
+pc+9Mp1AC5ozSUtAC0maKKADNFJ2ooAoCnCmilzWZQ6lFJSimAopaQUtAC54rOvN
+dsLCTZPPGrdwXAry/wCKHxXfRppND0Mq16Bie5PIi9lHdv5V8/X+rXt/O8tzcyyy
+MclnYkk0avYdl1PqPxT8VtH8NwqwzdXEuSkaHoB61wjftCXhlzHosBjHZpSCa8PW
+O7uhuAkcDueaaYbhOqMMe1L5lcvWx9U+FPjJ4f8AEU0dpdhtLvXOFWdgY3PoH6fg
+cV6MrZGa+EklIOJOPqK9i+G3xem0TytI8QSSXGnHCQXJO57f2Pqn6indrclq+x9G
+5pwNVoLiO4hSaGRZIpFDKynIYHuKmBqyB+aWmg0uaAFopKKAFoozRQBQFLSUorMo
+UUtJSigB1ZHijWovD/hu+1KZlUQxErnu3YfnWsK8k+Pt60PhaxtAxAnuOQO4UE0P
+YaWp8/Xd1LeTz3Mzl5pnLuxPJJNa+i+HDclZZ1yp5C1Q0axa+1BEx8i8mvS7S3WG
+NQo6elcWLxDprljuelgsOp+/IgtdCiVFVYx07CnXHhyNgflA/Ct+1BwOKmkVq8xS
+m9bnr2S0sec6n4UVo2KKNw6Vx9xby2U3lSAj617NcR5J4zmua1/Q4r+1JVQJU5Ui
+uzD4qUXyz2OHFYWM1zR3Ol+CHj0xXX/CKajMTHKd1g7H7r94/oeo9wR3r3tWr4ht
+pZtNv4bmElZ7eVZUIOPmU5/pX2dpOpR6tpFnqMQxHdQpMoz03DOK9ePY8OaszUDU
+oFNSg0yUOopKWgAoo6mikBRpwptLWZY4UoptLTELXin7QbD7PoiFv45Gx+Ar2uv
+FP2g7dfsejXOfm8x48evGf6UmNbnm3hCBls57sJuYnYg9TXSyW2uIgNpJbs5GWDj
+gewrP8EJu0XIHKyNV2+j1txM0MzIQV8oIQN3POSenHTg15VSV6z2+Z7dGNqKt26G
+hpeo6rC3lajZxKOgdG6/hW5NcoIC4HOOhrmbJb1IokuZWkfbmUsQQGz2xW5OAbAE
+Y3d/es5TtJo6oRbjcx7uXVryXbblIIv723JqN9PuUdLhJ2aQf6xW6OP6VBqS6jcQ
+sLS4aOQHCqH2qVx64znP8verWn2d/DKrPOzxbFBWQ5O7HJyOxParv7t7oxcfeasz
+z3xBaC01uZV4RxvAr6X+F0rv8NdCMj7iICAfQBjgV87+NYzHr6jHHlA/rX0H8LFa
+P4baLu3DMTHDDtvOPwr1sM7xR4mK0m/U7lTUyniqyGp1NbtHOmSUuaaDS1JQuaKS
+ikBTpaQUVmUOpabS0xC15f8AF7wxc+IEsJI3VI4Nyrkfxtjn6YH616hWL4ptDd6B
+cBTh0+cH0xUVL8j5dzSk0prm2PD/AAnYvp+ltazDbNHM6yD3BrpEiWToOKzPLktr
+mRiSwlO7J9atQ3bFsCvGnJSlzM+gpLlXKJcpDAegGT+ZqYgPYAgVnz3DpKW8pJW6
+AM2MUranci38vy4gBz/9alGF3dG0ppKzZYs0ilB4BwauOixggVlW9w8sivsWJuhC
+nOanmun83bimtNCZPS5g6/osOta3Zq8giRImMjeoyMAe5Oa940SxTStFsbCM/JbQ
+JGv0AryTTLRLzXIwwDOWVAvfGecCvZx19q9fAttPyPBzCyatuyyhqZTxVdDU612M
+4ESg04GowacDUFjqKQc0UDKlLSUtZFC0UUCmAtMmiSeF4pBlHBVh7U6imI878Y+G
+rbTbGC7tFf5WKyFmz1rimZoy2wZJGQBXter2C6lpc9qw++vy/XtXiMoe3upLeTiS
+Nipry8XSUJJpaHq4Os5JpvUoC4uJr1rYIkJC7vMuGCgj2rZ/4Ry/aHzvtdltO4Ei
+TPTH+NUrhFlUB1yQODVB8RjyRboR6hiAfqM4rCLTPR6aSt8rktzJc2l7HZgRXLOu
+4SQPkKPU1fUtu3SHJUc/WqlvGIULKo3kdhgCr+lwfb9ZtLItxLIAx9upp25pKKMq
+klFN3PTfDenR2mjWbtEvnsm8sVG4buevXpit1aiUAcAYHapVr6GMVGKij5iUnKTk
+ydKnU1ClSikwRIKcD60wU4GpLQ7PpRSUUhlaikpc1kWLRSUUxC5ozSZozTA5Txn8
+QtF8DxRDUDLPeTDdFaQAFyucbiTwo+vXsK8huNZHiVJddtbY2/mysfJL7iAD0JwM
+1h/F+X7V8RtUKybzEUj5PTCjj8KseD2S304WbzxPJ9/CsDjcM4/DvXLjF+6TXc7M
+F/EafY1YNThkVcttccMpqY3trtx8ufeoJbK3acrLECPcUsmj2EUYfyw27kcmvOjY
+9NuS6kc+pxp8seWc8Koq7pWox+HLiHWdQSR0gO90jALYxjAzjnmsxbnTbCXMssMK
+r6nk/h1rH17xLY3lpJa25dw4wWxgfrW9KnOU04owqziotSZ7r4S8daT4xFwunpcR
+S24DPHOoBweMjBOa6pDXzn8JNej0nxdFbSKqwX6/ZtzHG1s5U59yMfjX0SpwcGvc
+Wp4MlZltDUoNV42qYGpYIlFOzUYNOBqSx4opBzRSArUtNqrqWqWOj2D32pXcVrap
+96WVsDPoO5PsOayNC5TXkWKJpZHVI0GWd2AVR7k9K8Z8R/HTazweHNPBHQXd4Ovu
+sY/9mP4V5Trvi7XPETltW1S4uVzkRM2I1+iDCj8qtRYWPfvEXxh8L6GJIrWZ9Vu1
+48u1/wBWD7yHj8s15Jr/AMYfFGtyOlvdDS7c5xFZnace7n5j+n0rz1n3Hmmk4zzV
+KKFcdNPI7s0jM7sxZmY5LE9ST61CsrI25SQR3BwacWzwRUZX0qiblgaheq25bucH
+18w086tqDrta9uCvp5hqng56UDmp5I9iueXcmDsxyzEn1JqROvNQKD7VKCqDJOas
+kuRuMgjp711+n/FHxVpyIsWqNPHEAojukWQEe5PP61wvnEj0B4ApykZJJ7UDPfvD
+Hxp0+/dLfXbYWMp4E8RLxH6jqv616laXtve26XFrPFPC/KyRsGU/iK+MBICcDitn
+QPFWseHbvztMv5YM/eTOUb6qeDRcXKj7CV8ing1434V+NtpezR2niC3W0Y8fa4cm
+PP8AtL1H1Ga9atrqG6gSe3mjmhcZSSNgysPYikTZouCiow4xRRYLmRr+tW/h7Qrv
+Vbkbo7dCwQHBdugUfU4r5Y8TeKtV8Tak15qlwztk+XEDiOFf7qL2H6nvXr3x01n7
+Po2n6SjfNcymaQf7K8D9T+leBzPuT3H8qiC0NHoNeYnvURc4phPNITmrJuLu5pSa
+Z3pRyKYhM80oOaaetAoAkzwKTd6Cm5pBQA8EnqTijOSeOKaT2oHSgY7cTTg1Rilp
+AS7/AGpc4UA96iHJApXbk0wJ0kOeDXTeGPGer+GbtZNOunWMnLwscxv9V/ya5T7q
+D1NOEhQYHU9/Siw0z7A8KeJ7XxToceo2ymNs7JoicmNx1HuOcg0V5j8A9RQnWNKl
+lVARHcruOOfut/7LRTViJaPQ5b42agbrx29uGytrAiAehPJ/nXmrNu2H14NdD481
+A6j401S6zkPMQPoOP6VzQOcj0OaiGxctxpNA5obqfrQKokSlWkzQDzQAMOaSnN1F
+JQAtFFFAAKKKO9AC0UlGaBj0HemjlvrTkOEY03vQIe7YJP4CkTBfn6mkbkA/Wkzg
+YHU9aYGtpl7Pau8kEzxMwwShwcUVUtWIU4oqbXLTFv3M0jSkksWJP481SU/Pk1Ym
+b7/1FViMY96diWKwy5+tITTm+7mo6BC0DrR2oHWgB7dBTac3SmUALS0lKOtACUua
+KKACm0vSk70ASLxF9TSYzznrQf8AVqKTPH40wHHHQfjTM55pTwp9+KQdKALEL7Is
+poph4Cr6Cigdz//2YhgBBMRAgAgBQJKP/cgAhsDBgsJCAcDAgQVAggDBBYCAwEC
+HgECF4AACgkQm30y8tUFgua3awCdFQlChLgn/n4tb4jLe1RgxOxHxosAn2Cn2oNh
+sZ91wUb4d5JuH88TCupsuQINBEmFQG0QCADqAXWgiis4yi96os3QZmK5809ojjTT
+nlICgbztrT55cMVTDBc9SneyRQlC0cS+M1z4Do6lj81sNJdJiBPqTYYA1+exTFvs
+5zCxPInDP3hvqXxHTP142XN1hdzt53R7smn8O0wyO+RCBUb44e9NkusvBd5UP3Je
+449hnpXJ4WO3cVMFm4ghxs7ERlpAi5NTEsVVdM8dqHbZJtk8gbzdAHH0ybiAXmWy
+LFGZDuuKiFAkqm/Wled7id6N+cPx107dwBclwPxzfEYKEqJ1YDDHoDlyfx4012y1
+53e5sGyah/IPBYrrLMfG+Wmiwr5nCX0tmwOcyukuE94hbzJCX2wBdbWLAAMGCACz
+l3cuM4lGt/wr5liM4gotXpZAopY+EnbLIBuOHFXXR7HnyAgST1jH/AUbafvPjyDh
+EkFDyUP14XtHNIAqsN1UpuyYbM90bMPAWXJxrazMsSF+Tv5yIxHiy4cc1pjoqHA2
+kwqIGHmTxYzOPOS19ZWQAtevoTE6pCARphY0dzpscCWaXGs/ZqNAhjL96WLYV1Oo
+Ut+9mTnOcs6Vuxaxp2wN2S5DK1S9gdIxWEc8wMUPiQe8CYk0OySdORIblMs3bGqD
+FoM5HcBAZP1YlXitPH2nIRv0DtOQGMQOCkqUWmQuQAUgKV+YO86lO4S7EhTET/GP
+sQb6P7efm/Cs8wbq/wyIiEkEGBECAAkFAkmFQG0CGwwACgkQm30y8tUFgua2mACe
+JNBW4snDC4OzjKU6QT386/GA9ssAn3vLzSwn8N1xv5MihWGr5kVzvaE2
+=cjdq
+-----END PGP PUBLIC KEY BLOCK-----
--- a/dist/profile/files/r10k/r10k.yaml
+++ b/dist/profile/files/r10k/r10k.yaml
@ -0,0 +1,12 @@
+---
+#
+# THIS FILE IS MANAGED BY PUPPET
+
+sources:
+  infra:
+    remote: 'https://github.com/jenkins-infra/jenkins-infra.git'
+    basedir: '/etc/puppetlabs/code/environments'
+
+git:
+  provider: 'rugged'
+  private_key: '/var/lib/puppet/keys/r10k'
--- a/dist/profile/files/staticsite/deploy-site
+++ b/dist/profile/files/staticsite/deploy-site
@ -0,0 +1,104 @@
+#!/usr/bin/env ruby
+
+require 'fileutils'
+
+provided_file = ARGV.first
+
+module Deployer
+  # Simple method to ensure that two invocations of this don't overlap
+  def self.use_lock(&block)
+    lock_file = '/tmp/deploy-site.lockfile'
+
+    if File.exists? lock_file
+      puts '> The lock exists, exiting'
+      exit 0
+    end
+
+    File.open(lock_file, 'w+') do |f|
+      f.write "#{Process.pid}\n"
+    end
+
+    begin
+      block.call
+    ensure
+      File.unlink(lock_file)
+    end
+  end
+
+  def self.update_deployment(deploy_dir, dir_name)
+    unless File.readlink(deploy_dir) == dir_name
+      FileUtils.rm_f deploy_dir
+      FileUtils.ln_sf(dir_name, deploy_dir)
+      puts "Updated the #{deploy_dir} symbolic link"
+    end
+  end
+
+  def self.deploy!(provided_file, into)
+    use_lock do
+      dir_name = File.basename(provided_file, File.extname(provided_file))
+
+      unless File.exists? dir_name
+        puts "Processing #{provided_file} into #{dir_name}"
+        # Unzip it!
+        `unzip -qo #{provided_file}`
+
+        if $? != 0
+          puts "Something went wrong unzipping #{provided_file}"
+          exit 1
+        end
+      end
+
+      update_deployment(into, dir_name)
+    end
+  end
+end
+
+# If we don't have an argument, let's look in the CWD/archives directory for
+# the last file available
+if ARGV.size != 1
+  base_dir = File.dirname($0)
+  archives_dir = File.join(base_dir, 'archives')
+  unless File.exists? archives_dir
+    puts "> Please provide a zip file generated from the jenkins.io build process"
+    exit 1
+  end
+
+  version_regex = /.*jenkins.io-(\d+).(\d+).(\d+).*/
+  archives = Dir.glob("#{archives_dir}/*.zip").sort do |a, b|
+    # Make sure that we're always sorting on the patch number for now, that's
+    # the only thing we really care about right now (BUILD_NUMBER)
+    a.match(version_regex)[3].to_i <=> b.match(version_regex)[3].to_i
+  end
+
+  [
+    ['current', archives.reject { |f| f =~ /beta/ }.last],
+    ['beta', archives.select { |f| f =~ /beta/ }.last],
+  ].each do |deploy_dir, archive|
+    next if archive.nil?
+    Deployer.deploy! archive, deploy_dir
+  end
+
+  # Once we've deployed successfully, we can clean up some legacy stuff
+  current = File.readlink(File.join(base_dir, 'current'))
+  beta = File.readlink(File.join(base_dir, 'beta'))
+
+  if archives.size > 5
+    # Let's walk through each archive except the 5 and delete them
+    archives[0 ... -5].each do |archive|
+      FileUtils.rm_f archive
+    end
+  end
+
+  Dir.glob(File.join(base_dir, '*')).each do |path|
+    # Don't bother looking at non-directories
+    next unless File.directory? path
+    # Don't both with anything that isn't a jenkins.io type directory
+    next unless path.match version_regex
+
+    # Skip our currently deployed sites
+    next if path.end_with? current
+    next if path.end_with? beta
+
+    FileUtils.rm_rf(path)
+  end
+end
--- a/dist/profile/manifests/accountapp.pp
+++ b/dist/profile/manifests/accountapp.pp
@ -0,0 +1,113 @@
+#
+# Profile defining the necessary resources to provision our LDAP-based
+# accountapp
+class profile::accountapp(
+  # all injected from hiera
+  $image_tag,
+  $ldap_url = 'ldap://localhost:389/',
+  $ldap_password = '',
+  $smtp_server = 'localhost',
+  $recaptcha_key = '',
+  $app_url = 'https://accounts.jenkins.io/',
+  $jira_url = 'https://issues.jenkins-ci.org/',
+  $jira_username = accountapp,
+  $jira_password = '',
+) {
+  include ::firewall
+  include profile::docker
+  include profile::letsencrypt
+  include profile::apachemisc
+
+  validate_string($image_tag)
+  validate_string($ldap_url)
+  validate_string($ldap_password)
+  validate_string($smtp_server)
+  validate_string($recaptcha_key)
+
+  file { '/etc/accountapp' :
+    ensure => directory,
+    # Don't allow anything not declared in Puppet to be dropped in there
+    purge  => true,
+  }
+
+  file { '/etc/accountapp/config.properties':
+    ensure  => file,
+    content => template("${module_name}/accountapp/config.properties.erb"),
+    require => File['/etc/accountapp'],
+  }
+
+  docker::image { 'jenkinsciinfra/account-app':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'account-app':
+    command          => undef,
+    image            => "jenkinsciinfra/account-app:${image_tag}",
+    volumes          => ['/etc/accountapp:/etc/accountapp'],
+    require          => File['/etc/accountapp/config.properties'],
+    env              => [
+      "LDAP_URL=${ldap_url}",
+      "LDAP_PASSWORD=${ldap_password}",
+      "JIRA_URL=${jira_url}",
+      "JIRA_USERNAME=${jira_username}",
+      "JIRA_PASSWORD=${jira_password}",
+    ],
+    extra_parameters => ['--net=host'],
+    use_name         => true,
+  }
+
+  profile::datadog_check { 'accountapp-http-check':
+    checker => 'http_check',
+    source  => 'puppet:///modules/profile/accountapp/http_check.yaml',
+  }
+
+
+  # docroot is required for apache::vhost but should never be used because
+  # we're proxying everything here
+  $docroot = '/var/www/html'
+
+  apache::vhost { 'accounts.jenkins.io':
+    serveraliases => [
+      'accounts.jenkins-ci.org',
+    ],
+    port          => '443',
+    ssl           => true,
+    docroot       => $docroot,
+    proxy_pass    => [
+      {
+        path         => '/',
+        url          => 'http://localhost:8080/',
+        reverse_urls => 'http://localhost:8080/',
+      },
+    ],
+  }
+
+  apache::vhost { 'accounts.jenkins.io unsecured':
+    servername      => 'accounts.jenkins.io',
+    serveraliases   => [
+      'accounts.jenkins-ci.org',
+    ],
+    port            => '80',
+    docroot         => $docroot,
+    redirect_status => 'permanent',
+    redirect_dest   => $app_url,
+  }
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { 'accounts.jenkins.io':
+        domains     => ['accounts.jenkins.io', 'accounts.jenkins-ci.org'],
+        plugin      => 'apache',
+        manage_cron => true,
+    }
+
+    Apache::Vhost <| title == 'accounts.jenkins.io' |> {
+      ssl_key       => '/etc/letsencrypt/live/accounts.jenkins.io/privkey.pem',
+      # When Apache is upgraded to >= 2.4.8 this should be changed to
+      # fullchain.pem
+      ssl_cert      => '/etc/letsencrypt/live/accounts.jenkins.io/cert.pem',
+      ssl_chain     => '/etc/letsencrypt/live/accounts.jenkins.io/chain.pem',
+    }
+  }
+}
--- a/dist/profile/manifests/accounts.pp
+++ b/dist/profile/manifests/accounts.pp
@ -2,6 +2,10 @@
 # Profile defining all the `account` resources with all our important account
 # information
 class profile::accounts {
+  group { 'atlassian-admins':
+    ensure => present,
+  }
+
  $accounts = hiera_hash('accounts')
  create_resources('account', $accounts)
 }
--- a/dist/profile/manifests/apachecert.pp
+++ b/dist/profile/manifests/apachecert.pp
@ -0,0 +1,35 @@
+#
+# SSL certificates staged for Apache
+#
+class profile::apachecert (
+  # all injected from hiera
+  $id,  # identify which private key / certificate pair we should use. This usually comes from hieradata/clients/*.yaml
+        # see dist/profile/files/apache-cert/$id{,-bundle}.crt and profile::apache-cert::secret-key-$id
+) {
+  include apache
+  include apache::mod::ssl
+
+  # certificates and apache config to let Apache recognize this file
+  file { '/etc/apache2/certificate.crt':
+    source  => "puppet:///modules/${module_name}/apachecert/${id}.crt",
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+  file { '/etc/apache2/bundle.crt':
+    source  => "puppet:///modules/${module_name}/apachecert/${id}-bundle.crt",
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+  file { '/etc/apache2/conf.d/ssl.conf':
+    source  => "puppet:///modules/${module_name}/apachecert/ssl.conf",
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+
+  file { '/etc/apache2/server.key':
+    content => hiera("profile::apachecert::secret-key-${id}"),
+    mode    => '0600',
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+}
--- a/dist/profile/manifests/apachemaintenance.pp
+++ b/dist/profile/manifests/apachemaintenance.pp
@ -0,0 +1,22 @@
+# Generates the apache virtual host config file for the maintenance mode
+#
+# This puts a file under /etc/apache2/sites-available/SITENAME.maintenance
+# and you can manually symlink this from sites-enabled to put the maintenance mode UI
+define profile::apachemaintenance {
+  # $name refers to the site name
+
+  # Template uses: $addr_port
+  file { '/var/www/maintenance':
+    ensure => directory,
+  }
+
+  file { '/var/www/maintenance/maintenance.html':
+    ensure => present,
+    source => "puppet:///modules/${module_name}/apachemaintenance/maintenance.html",
+  }
+
+  file { "/etc/apache2/sites-available/${name}.maintenance.conf":
+    ensure  => present,
+    content => template("${module_name}/apachemaintenance/maintenance.conf.erb"),
+  }
+}
--- a/dist/profile/manifests/apachemisc.pp
+++ b/dist/profile/manifests/apachemisc.pp
@ -0,0 +1,63 @@
+#
+# Misc. apache settings
+#
+class profile::apachemisc(
+  $ssh_enabled = false,
+) {
+  include ::apache
+  # log rotation setting lives in another module
+  include apachelogcompressor
+
+  # enable mod_status for local interface and allow datadog to monitor this
+  include apache::mod::status
+  include datadog_agent::integrations::apache
+
+  include apache::mod::proxy
+  include apache::mod::proxy_http
+  include apache::mod::ssl
+
+  file { '/etc/apache2/conf.d/00-reverseproxy_combined':
+    ensure  => present,
+    source  => "puppet:///modules/${module_name}/apache/00-reverseproxy_combined.conf",
+    mode    => '0444',
+    require => Package['apache2-utils'],
+    notify  => Service['apache2'],
+  }
+
+  file { '/etc/apache2/conf.d/other-vhosts-access-log':
+    ensure  => present,
+    source  => "puppet:///modules/${module_name}/apache/other-vhosts-access-log.conf",
+    mode    => '0444',
+    require => Package['apache2-utils'],
+    notify  => Service['apache2'],
+  }
+
+  # /usr/bin/rotatelogs is (as of 14.04) located in apache2-utils
+  package { 'apache2-utils' :
+    ensure => present,
+  }
+
+  # allow Jenkins to login as www-data to populate some web content
+  if $ssh_enabled {
+    ssh_authorized_key { 'hudson@cucumber':
+      ensure => present,
+      user   => 'www-data',
+      type   => 'ssh-rsa',
+      key    => 'AAAAB3NzaC1yc2EAAAABIwAAAQEA1l3oZpCJlFspsf6cfa7hovv6NqMB5eAn/+z4SSiaKt9Nsm22dg9xw3Et5MczH0JxHDw4Sdcre7JItecltq0sLbxK6wMEhrp67y0lMujAbcMu7qnp5ZLv9lKSxncOow42jBlzfdYoNSthoKhBtVZ/N30Q8upQQsEXNr+a5fFdj3oLGr8LSj9aRxh0o+nLLL3LPJdY/NeeOYJopj9qNxyP/8VdF2Uh9GaOglWBx1sX3wmJDmJFYvrApE4omxmIHI2nQ0gxKqMVf6M10ImgW7Rr4GJj7i1WIKFpHiRZ6B8C/Ds1PJ2otNLnQGjlp//bCflAmC3Vs7InWcB3CTYLiGnjrw==',
+    }
+  }
+
+  firewall {
+    '200 allow http':
+      proto  => 'tcp',
+      port   => 80,
+      action => 'accept',
+  }
+
+  firewall {
+    '201 allow https':
+      proto  => 'tcp',
+      port   => 443,
+      action => 'accept',
+  }
+}
--- a/dist/profile/manifests/apt.pp
+++ b/dist/profile/manifests/apt.pp
@ -0,0 +1,12 @@
+#
+# Class for ensuring some basic state around the apt repositories on a machine,
+# i.e. that it's updated daily
+class profile::apt {
+
+  cron { 'update the apt cache':
+    command => 'apt-get update',
+    hour    => 2,
+    minute  => 20,
+  }
+
+}
--- a/dist/profile/manifests/archives.pp
+++ b/dist/profile/manifests/archives.pp
@ -0,0 +1,63 @@
+#
+# Defines an archive server for serving all the archived historical releases
+#
+class profile::archives {
+  include ::stdlib
+  # volume configuration is in hiera
+  include ::lvm
+  include profile::apachemisc
+
+  $archives_dir = '/srv/releases'
+
+  if str2bool($::vagrant) {
+    # during serverspec test, fake /dev/xvdb by a loopback device
+    exec { 'create /tmp/xvdb':
+      command => 'dd if=/dev/zero of=/tmp/xvdb bs=1M count=16; losetup /dev/loop0; losetup /dev/loop0 /tmp/xvdb',
+      unless  => 'test -f /tmp/xvdb',
+      path    => '/usr/bin:/usr/sbin:/bin:/sbin',
+      before  => Physical_volume['/dev/loop0'],
+    }
+  }
+
+
+  package { 'lvm2':
+    ensure => present,
+  }
+
+  package { 'libapache2-mod-bw':
+    ensure => present,
+  }
+
+
+  file { $archives_dir:
+    ensure  => directory,
+    owner   => 'www-data',
+    require => [Package['httpd'],
+                Mount[$archives_dir]],
+  }
+
+
+  file { '/var/log/apache2/archives.jenkins-ci.org':
+    ensure => directory,
+  }
+
+  apache::mod { 'bw':
+    require => Package['libapache2-mod-bw'],
+  }
+
+  apache::vhost { 'archives.jenkins-ci.org':
+    servername      => 'archives.jenkins-ci.org',
+    vhost_name      => '*',
+    port            => '80',
+    docroot         => $archives_dir,
+    access_log      => false,
+    error_log_file  => 'archives.jenkins-ci.org/error.log',
+    log_level       => 'warn',
+    custom_fragment => template("${module_name}/archives/vhost.conf"),
+    options         => ['FollowSymLinks', 'MultiViews', 'Indexes'],
+    notify          => Service['apache2'],
+    require         => [File['/var/log/apache2/archives.jenkins-ci.org'],
+                        Mount[$archives_dir],
+                        Apache::Mod['bw']],
+  }
+}
--- a/dist/profile/manifests/atlassian.pp
+++ b/dist/profile/manifests/atlassian.pp
@ -0,0 +1,19 @@
+#
+# Profile containing the basics to support an Atlassian product in our
+# infrastructure
+#
+
+class profile::atlassian {
+  include apache
+  include firewall
+  include profile::docker
+  include sudo
+
+  $group_name = 'atlassian-admins'
+
+  sudo::conf { $group_name:
+    priority => 10,
+    content  => "%${group_name} ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/bin/docker",
+    require  => Group[$group_name],
+  }
+}
--- a/dist/profile/manifests/base.pp
+++ b/dist/profile/manifests/base.pp
@ -0,0 +1,23 @@
+#
+# Basic profile included in each node
+class profile::base {
+
+  include profile::accounts
+  include profile::compliance
+
+  if $::kernel == 'Linux' {
+    include profile::apt
+    # None of these modules support anything other than Linux (apparently)
+    include profile::firewall
+    include profile::ntp
+    include profile::sudo
+    include profile::diagnostics
+
+    include ssh::server
+    include ssh::client
+  }
+
+  # Collect all our exported host keys, this way we know about every machine
+  # properly
+  Sshkey <<| 'type' == 'ecdsa-sha2-nistp256' |>>
+}
--- a/dist/profile/manifests/bind.pp
+++ b/dist/profile/manifests/bind.pp
@ -0,0 +1,73 @@
+# Run containerized BIND9 to serve both jenkins-ci.org and the jenkins.io zone
+class profile::bind (
+  # all injected from hiera
+  $image_tag,
+) {
+
+  include ::firewall
+  include profile::docker
+
+  # /etc/bind/local is hard-coded into the Dockerfile here:
+  # <https://github.com/jenkins-infra/bind/blob/master/Dockerfile>
+  $conf_dir = '/etc/bind/local'
+
+  file { ['/etc/bind', $conf_dir]:
+    ensure => directory,
+    purge  => true,
+  }
+
+  file { "${conf_dir}/jenkins-ci.org.zone":
+    ensure  => present,
+    notify  => Service['docker-bind'],
+    source  => "puppet:///modules/${module_name}/bind/jenkins-ci.org.zone",
+    require => File[$conf_dir],
+  }
+
+  file { "${conf_dir}/jenkins.io.zone":
+    ensure  => present,
+    notify  => Service['docker-bind'],
+    source  => "puppet:///modules/${module_name}/bind/jenkins.io.zone",
+    require => File[$conf_dir],
+  }
+
+  file { "${conf_dir}/named.conf.local":
+    ensure  => present,
+    notify  => Service['docker-bind'],
+    source  => "puppet:///modules/${module_name}/bind/named.conf.local",
+    require => File[$conf_dir],
+  }
+
+  file { 'datadog-dns-check-config':
+    ensure => present,
+    path   => "${::datadog_agent::params::conf_dir}/dns_check.yaml",
+    source => "puppet:///modules/${module_name}/bind/dns_check.yaml",
+    notify => Service['datadog-agent'],
+  }
+
+  docker::image { 'jenkinsciinfra/bind':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'bind':
+    command  => undef,
+    ports    => ['53:53', '53:53/udp'],
+    image    => "jenkinsciinfra/bind:${image_tag}",
+    volumes  => ['/etc/bind/local:/etc/bind/local'],
+    require  => [File["${conf_dir}/named.conf.local"],
+      File["${conf_dir}/jenkins-ci.org.zone"],
+    ],
+    use_name => true,
+  }
+
+  firewall { '900 accept tcp DNS queries':
+    proto  => 'tcp',
+    port   => 53,
+    action => 'accept',
+  }
+
+  firewall { '901 accept udp DNS queries':
+    proto  => 'udp',
+    port   => 53,
+    action => 'accept',
+  }
+}
--- a/dist/profile/manifests/buildmaster.pp
+++ b/dist/profile/manifests/buildmaster.pp
@ -0,0 +1,189 @@
+#
+# Profile for configuring the bare necessities to running a Jenkins master
+#
+# Parameters
+# ----------
+#
+# ci_fqdn = 'ci.jenkins.io' (Default)
+#   Define the fully-qualified domain name for this Jenkins master. This value
+#   will be used for Jenkins' own configuration as well as Apache virtual hosts
+#   and certificates
+#
+# letsencrypt = true (Default)
+#   Enable letsencrypt configuration, for this to work the Jenkins host has to
+#   be on the public internet
+#
+class profile::buildmaster(
+  $ci_fqdn     = 'ci.jenkins.io',
+  $letsencrypt = true,
+  $plugins     = undef,
+  $proxy_port  = 443,
+) {
+  include ::stdlib
+  include ::apache
+  include apache::mod::proxy
+  include apache::mod::headers
+
+  validate_string($ci_fqdn)
+  validate_bool($letsencrypt)
+  validate_array($plugins)
+
+  include profile::apachemisc
+  include profile::firewall
+
+  if $letsencrypt {
+    include profile::letsencrypt
+  }
+
+  $ldap_url    = hiera('ldap_url')
+  $ldap_dn     = hiera('ldap_dn')
+  $ldap_admin_dn = hiera('ldap_admin_dn')
+  $ldap_admin_password = hiera('ldap_admin_password')
+
+  class { '::jenkins':
+    lts       => true,
+  }
+
+
+  $script_dir = '/usr/share/jenkins'
+  exec { 'jenkins-script-mkdirp':
+    command => "/bin/mkdir -p ${script_dir}",
+    creates => $script_dir,
+  }
+
+  $ssh_dir = '/var/lib/jenkins/.ssh'
+  $ssh_cli_key = 'jenkins-cli-key'
+  exec { 'jenkins-ssh-mkdirp':
+    command => "/bin/mkdir -p ${ssh_dir}",
+    creates => $ssh_dir,
+  }
+  exec { 'generate-cli-ssh-key':
+    require => Exec['jenkins-ssh-mkdirp'],
+    creates => "${ssh_dir}/${ssh_cli_key}",
+    command => "/usr/bin/ssh-keygen -b 4096 -q -f ${ssh_dir}/${ssh_cli_key} -N ''",
+  }
+
+  $cli_script = "${script_dir}/idempotent-cli"
+  file { $cli_script:
+    ensure  => present,
+    require => Exec['jenkins-script-mkdirp'],
+    source  => "puppet:///modules/${module_name}/buildmaster/idempotent-cli",
+    mode    => '0755',
+  }
+
+  $lockbox_script = "${script_dir}/lockbox.groovy"
+
+  file { $lockbox_script :
+    ensure  => present,
+    require => Exec['jenkins-script-mkdirp'],
+    content =>template("${module_name}/buildmaster/lockbox.groovy.erb"),
+  }
+  profile::jenkinsgroovy { 'lock-down-jenkins':
+    path    => $lockbox_script,
+    require => [
+      File[$lockbox_script],
+      File[$cli_script],
+    ],
+  }
+
+  profile::jenkinsplugin { $plugins:
+    # Only install plugins after we've secured Jenkins, that seems reasonable
+    require => [
+      File[$cli_script],
+      Profile::Jenkinsgroovy['lock-down-jenkins'],
+    ],
+  }
+
+
+  $docroot = "/var/www/${ci_fqdn}"
+  $apache_log_dir = "/var/log/apache2/${ci_fqdn}"
+
+  file { [$apache_log_dir, $docroot,]:
+    ensure  => directory,
+    require => Package['httpd'],
+  }
+
+  apache::vhost { $ci_fqdn:
+    require               => [
+      File[$docroot],
+      # We need our installation to be secure before we allow access
+      Profile::Jenkinsgroovy['lock-down-jenkins'],
+    ],
+    port                  => 443,
+    override              => 'All',
+    ssl                   => true,
+    docroot               => $docroot,
+    error_log_file        => "${ci_fqdn}/error.log",
+    access_log_pipe       => "|/usr/bin/rotatelogs ${apache_log_dir}/access.log.%Y%m%d%H%M%S 604800",
+    proxy_preserve_host   => true,
+    allow_encoded_slashes => 'on',
+    custom_fragment       => "
+RequestHeader set X-Forwarded-Proto \"https\"
+RequestHeader set X-Forwarded-Port \"${proxy_port}\"
+",
+    proxy_pass            => [
+      {
+        path         => '/',
+        url          => 'http://localhost:8080/',
+        keywords     => ['nocanon'],
+        reverse_urls => ['http://localhost:8080/'],
+      },
+    ],
+  }
+
+  apache::vhost { "${ci_fqdn} unsecured":
+    servername      => $ci_fqdn,
+    port            => 80,
+    docroot         => $docroot,
+    redirect_status => 'permanent',
+    redirect_dest   => "https://${ci_fqdn}/",
+    error_log_file  => "${ci_fqdn}/error_nonssl.log",
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_log_dir}/access_nonssl.log.%Y%m%d%H%M%S 604800",
+    require         => Apache::Vhost[$ci_fqdn],
+  }
+
+
+  # This is a legacy role imported from infra-puppet, thus the goofy numbering
+  firewall { '108 Jenkins CLI port' :
+    proto  => 'tcp',
+    port   => 47278,
+    action => 'accept',
+  }
+
+  firewall { '801 Allow Jenkins web access only on localhost':
+    proto   => 'tcp',
+    port    => 8080,
+    action  => 'accept',
+    iniface => 'lo',
+  }
+
+  firewall { '802 Block external Jenkins web access':
+    proto  => 'tcp',
+    port   => 8080,
+    action => 'drop',
+  }
+
+  firewall { '810 Jenkins CLI SSH':
+    proto  => 'tcp',
+    port   => 22222,
+    action => 'accept',
+  }
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($letsencrypt == true) and ($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { $ci_fqdn:
+      domains     => [$ci_fqdn],
+      plugin      => 'apache',
+      manage_cron => true,
+    }
+
+    Apache::Vhost <| title == $ci_fqdn |> {
+      ssl_key       => "/etc/letsencrypt/live/${ci_fqdn}/privkey.pem",
+      # When Apache is upgraded to >= 2.4.8 this should be changed to
+      # fullchain.pem
+      ssl_cert      => "/etc/letsencrypt/live/${ci_fqdn}/cert.pem",
+      ssl_chain     => "/etc/letsencrypt/live/${ci_fqdn}/chain.pem",
+    }
+  }
+}
--- a/dist/profile/manifests/buildslave.pp
+++ b/dist/profile/manifests/buildslave.pp
@ -0,0 +1,114 @@
+# Jenkins build slave connectable via SSH
+class profile::buildslave(
+  $home_dir         = '/home/jenkins',
+  $docker           = true,
+  $ruby             = true,
+  $trusted_agent    = false,
+  $ssh_keys         = undef,
+) {
+  include ::stdlib
+  include git
+
+  $user = 'jenkins'
+
+  if $ruby {
+    # Make sure our Ruby class is properly contained so we can require it in a
+    # Package resource
+    contain('ruby')
+  }
+
+  if $docker {
+    include profile::docker
+    $groups = [$user, 'docker']
+    $account_requires = Package['docker']
+  }
+  else {
+    $groups = [$user]
+  }
+
+  account { $user:
+    home_dir => $home_dir,
+    groups   => $groups,
+    ssh_keys => {
+                  'cucumber' => {
+                    'key' => 'AAAAB3NzaC1yc2EAAAABIwAAAQEA1l3oZpCJlFspsf6cfa7hovv6NqMB5eAn/+z4SSiaKt9Nsm22dg9xw3Et5MczH0JxHDw4Sdcre7JItecltq0sLbxK6wMEhrp67y0lMujAbcMu7qnp5ZLv9lKSxncOow42jBlzfdYoNSthoKhBtVZ/N30Q8upQQsEXNr+a5fFdj3oLGr8LSj9aRxh0o+nLLL3LPJdY/NeeOYJopj9qNxyP/8VdF2Uh9GaOglWBx1sX3wmJDmJFYvrApE4omxmIHI2nQ0gxKqMVf6M10ImgW7Rr4GJj7i1WIKFpHiRZ6B8C/Ds1PJ2otNLnQGjlp//bCflAmC3Vs7InWcB3CTYLiGnjrw==',
+                  },
+                  'celery'   => {
+                    'key' => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBrEqC3IwdKOptY4SUi/RI0+plMVRhs+xrm1ZUizC4qK7UHW3fk/412zb5dkC1FJHFUUJh/Aa7P/OFLxfaf/nVPQ4Nv5ZIMC8g3b7yAWLHrZb7qLpPA8viG1dXXrHMdPLz2uFa2OKtrzlLe4jtyqRtnN8W+dTAWPorkZ9ia1wpD/wdPoKdDtzktBv7gXHpA/jb2arxYWkd560KtQnUbr+LDzrCkeWj2z3BtEGqKxdOtjJMWbLRU9tIkv809VaQJowEs/acwAno/5O7ejYdRzsIicX6GaiHksS6W6vBV4eEn0mA/cX0qFeo1rcGgnXbn4IyglJiwlqm3YSGpKGVJZn',
+                  },
+                },
+    comment  => 'Jenkins build node user',
+    require  => $account_requires,
+  }
+
+  if $docker {
+    file { "${home_dir}/.docker":
+      ensure  => directory,
+      owner   => $user,
+      require => Account[$user],
+    }
+
+    if $trusted_agent {
+      $docker_config_presence = 'file'
+    }
+    else {
+      $docker_config_presence = 'absent'
+    }
+
+    file { "${home_dir}/.docker/config.json":
+      ensure  => $docker_config_presence,
+      content => hiera('docker_hub_key'),
+      owner   => $user,
+      require => File["${home_dir}/.docker"],
+    }
+  }
+
+  if $ruby {
+    package { 'bundler':
+      ensure   => installed,
+      provider => 'gem',
+      require  => Class['ruby'],
+    }
+
+    ensure_packages([
+      'libxml2-dev',          # for Ruby apps that require nokogiri
+      'libxslt1-dev',         # for Ruby apps that require nokogiri
+      'libcurl4-openssl-dev', # for curb gem
+      'libruby',              # for net/https
+    ])
+  }
+
+  if $::kernel == 'Linux' {
+    ensure_packages([
+      'subversion',
+      'make',
+      'build-essential',
+      'unzip',
+    ])
+  }
+
+
+  # https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/
+  sshkey { 'github-rsa':
+    ensure       => present,
+    host_aliases => ['github.com'],
+    type         => 'ssh-rsa',
+    key          => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==',
+  }
+
+  sshkey { 'github-dsa':
+    ensure => absent,
+  }
+
+  if $ssh_keys {
+    validate_hash($ssh_keys)
+    $private_keys_defaults = {
+      'type'  => 'ssh-rsa',
+      'owner' => $user,
+    }
+
+    create_resources('sshkeyman::key', $ssh_keys, $private_keys_defaults)
+  }
+}
+
+# vim: nowrap
--- a/dist/profile/manifests/census.pp
+++ b/dist/profile/manifests/census.pp
@ -0,0 +1,74 @@
+#
+# Defines an census server for serving census datasets
+#
+class profile::census(
+  $home_dir = '/srv/census',
+  $user     = 'census',
+  $group    = 'census',
+) {
+  include ::stdlib
+  # volume configuration is in hiera
+  include ::lvm
+  include profile::apachemisc
+
+  $docroot = "${home_dir}/census"
+
+  if str2bool($::vagrant) {
+    # during serverspec test, fake /dev/xvdb by a loopback device
+    exec { 'create /tmp/xvdb':
+      command => 'dd if=/dev/zero of=/tmp/xvdb bs=1M count=16; losetup /dev/loop0; losetup /dev/loop0 /tmp/xvdb',
+      unless  => 'test -f /tmp/xvdb',
+      path    => '/usr/bin:/usr/sbin:/bin:/sbin',
+      before  => Physical_volume['/dev/loop0'],
+    }
+  }
+
+  package { 'lvm2':
+    ensure => present,
+  }
+
+  group { $group:
+    ensure => present,
+  }
+
+  account { $user:
+    manage_home    => true,
+    create_group   => false,
+    home_dir_perms => '0755',
+    home_dir       => $home_dir,
+    gid            => $group,
+    require        => Group[$group],
+  }
+
+  file { $docroot:
+    ensure  => directory,
+    owner   => $user,
+    mode    => '0755',
+    require => Account[$user],
+  }
+
+  ssh_authorized_key { 'usage':
+    type    => 'ssh-rsa',
+    user    => $user,
+    key     => hiera('usage_ssh_pubkey'),
+    require => File["${home_dir}/.ssh"],
+  }
+
+  file { '/var/log/apache2/census.jenkins.io':
+    ensure => directory,
+  }
+
+  apache::vhost { 'census.jenkins.io':
+    vhost_name      => '*',
+    port            => '80',
+    docroot         => $docroot,
+    access_log_pipe => '|/usr/bin/rotatelogs /var/log/apache2/census.jenkins.io/access.log.%Y%m%d%H%M%S 604800',
+    error_log_file  => 'census.jenkins.io/error.log',
+    options         => ['FollowSymLinks', 'MultiViews', 'Indexes'],
+    override        => ['All'],
+    notify          => Service['apache2'],
+    require         => [File['/var/log/apache2/census.jenkins.io'],
+                        File[$docroot],
+                        Mount[$home_dir]],
+  }
+}
--- a/dist/profile/manifests/census/agent.pp
+++ b/dist/profile/manifests/census/agent.pp
@ -0,0 +1,44 @@
+#
+
+# A machine capable of processing census information
+class profile::census::agent(
+  $user = undef,
+  $home_dir = undef,
+) {
+  include ::stdlib
+
+  validate_string($user)
+  validate_string($home_dir)
+
+  ssh_authorized_key { 'usage':
+    type    => 'ssh-rsa',
+    user    => $user,
+    key     => hiera('usage_ssh_pubkey'),
+    require => File["${home_dir}/.ssh"],
+  }
+
+  ::ssh::client::config::user { $user :
+    ensure              => present,
+    user_home_dir       => $home_dir,
+    manage_user_ssh_dir => false,
+    options             => {
+      'Host usage.jenkins.io'  => {
+        'User'         => 'usagestats',
+        'IdentityFile' => "${home_dir}/.ssh/usage",
+      },
+      'Host census.jenkins.io' => {
+        'User'         => 'census',
+        'IdentityFile' => "${home_dir}/.ssh/usage",
+      },
+    },
+    require             => File["${home_dir}/.ssh"],
+  }
+
+  file { "${home_dir}/.ssh/usage" :
+    ensure  => file,
+    owner   => $user,
+    mode    => '0600',
+    content => hiera('usage_ssh_privkey'),
+    require => Ssh::Client::Config::User[$user],
+  }
+}
--- a/dist/profile/manifests/compliance.pp
+++ b/dist/profile/manifests/compliance.pp
@ -0,0 +1,15 @@
+#
+# Enforce various security compliance settings
+#
+# This profile is intentionally a kind of grab-bag to at least codify
+# /somewhere/ some of the security measures and package versions we need to
+# have in place.
+class profile::compliance {
+
+  # http://www.ubuntu.com/usn/usn-2959-1/
+  if $::lsbdistid == 'Ubuntu' and $::lsbdistrelease == '14.04' {
+    package { 'libssl1.0.0':
+      ensure => '1.0.1f-1ubuntu2.19',
+    }
+  }
+}
--- a/dist/profile/manifests/confluence.pp
+++ b/dist/profile/manifests/confluence.pp
@ -0,0 +1,145 @@
+# Run containerized Confluence to serve wiki.jenkins-ci.org
+# see https://github.com/jenkins-infra/confluence for how the container is put together
+#
+# this class puts apache virtual host for wiki.jenkins-ci.org, which forwards requests to
+#
+class profile::confluence (
+  $image_tag,         # tag of confluence container
+  $cache_image_tag,   # tag of confluence cache container
+  $database_url,      # JDBC URL that represents the database backend
+) {
+  # as a preparation, deploying mock-webapp and not the real confluence
+
+  include profile::atlassian
+  include apache::mod::rewrite
+  include profile::apachemisc
+
+  account { 'wiki':
+    home_dir => '/srv/wiki',
+    groups   => [ 'sudo', 'users' ],
+    uid      => 2000,   # this value must match what's in the 'confluence' docker container
+    gid      => 2000,
+    comment  => 'Runs confluence',
+  }
+
+  file { '/var/log/apache2/wiki.jenkins-ci.org':
+    ensure => directory,
+    group  => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/wiki/home':
+    ensure => directory,
+    # confluence container is baked with UID=1000 & GID=1001
+    owner  => 'wiki',
+    group  => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/wiki/docroot':
+    ensure => directory,
+    group  => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/wiki/docroot/robots.txt':
+    ensure => directory,
+    owner  => 'wiki',
+    group  => $profile::atlassian::group_name,
+    source => 'puppet:///modules/profile/confluence/robots.txt',
+  }
+
+  $ldap_password = hiera('profile::ldap::admin_password')
+  file { '/srv/wiki/container.env':
+    content => join([
+        'LDAP_HOST=ldap.jenkins.io',
+        "LDAP_PASSWORD=${ldap_password}",
+        "DATABASE_URL=${database_url}"
+      ], "\n"),
+    mode    => '0600',
+  }
+
+  docker::image { 'jenkinsciinfra/confluence':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'confluence':
+    command         => undef,
+    ports           => ['8081:8080'],
+    image           => "jenkinsciinfra/confluence:${image_tag}",
+    volumes         => ['/srv/wiki/home:/srv/wiki/home', '/srv/wiki/cache:/srv/wiki/cache'],
+    env_file        => '/srv/wiki/container.env',
+    restart_service => true,
+    use_name        => true,
+    require         => File['/srv/wiki/container.env'],
+  }
+
+  docker::image { 'jenkinsciinfra/confluence-cache':
+    image_tag => $cache_image_tag,
+  }
+
+  docker::run { 'confluence-cache':
+    command         => undef,
+    ports           => ['127.0.0.1:8009:8080'],
+    image           => "jenkinsciinfra/confluence-cache:${cache_image_tag}",
+    volumes         => ['/srv/wiki/cache:/cache'],
+    links           => ['confluence'],
+    # The hostname `confluence` should be ensured by the --link option passed
+    # to the docker run command
+    env             => ['TARGET=http://confluence:8080'],
+    restart_service => true,
+    use_name        => true,
+  }
+
+  # If the configuration changes, containers have to be kicked & restarted
+  # due to the dependency between those two, change in confluence forces restart of both
+  File <| title == '/etc/init/docker-confluence.conf' |> {
+    notify  => [Service['docker-confluence'],Service['docker-confluence-cache']]
+  }
+  File <| title == '/etc/init/docker-confluence-cache.conf' |> {
+    notify  => Service['docker-confluence-cache'],
+  }
+
+  ### to put maintenance screen up, comment out the following and comment in the apache::vhost for https://jenkins-ci.org
+  ### #if
+  #file { '/etc/apache2/sites-enabled/25-wiki.jenkins-ci.org.conf':
+  #  ensure => 'link',
+  #  target => '/etc/apache2/sites-available/wiki.jenkins-ci.org.maintenance.conf',
+  #}
+  ### #else
+  apache::vhost { 'wiki.jenkins-ci.org':
+    port            => '443',
+    docroot         => '/srv/wiki/docroot',
+    access_log      => false,
+    error_log_file  => 'wiki.jenkins-ci.org/error.log',
+    log_level       => 'warn',
+    custom_fragment => template("${module_name}/confluence/vhost.conf"),
+
+    notify          => Service['apache2'],
+    require         => File['/var/log/apache2/wiki.jenkins-ci.org'],
+  }
+  ### #endif
+
+  apache::vhost { 'wiki.jenkins-ci.org non-ssl':
+    # redirect non-SSL to SSL
+    servername      => 'wiki.jenkins-ci.org',
+    port            => '80',
+    docroot         => '/srv/wiki/docroot',
+    redirect_status => 'temp',
+    redirect_dest   => 'https://wiki.jenkins-ci.org/'
+  }
+
+  profile::apachemaintenance { 'wiki.jenkins-ci.org':
+  }
+
+  profile::datadog_check { 'confluence-http-check':
+    checker => 'http_check',
+    source  => 'puppet:///modules/profile/confluence/http_check.yaml',
+  }
+
+  profile::datadog_check { 'confluence-process-check':
+    checker => 'process',
+    source  => 'puppet:///modules/profile/confluence/process_check.yaml',
+  }
+
+  host { 'wiki.jenkins-ci.org':
+    ip => '127.0.0.1',
+  }
+}
--- a/dist/profile/manifests/datadog_check.pp
+++ b/dist/profile/manifests/datadog_check.pp
@ -0,0 +1,34 @@
+# Assemble fragments into datadog checker configuration files
+#
+define profile::datadog_check(
+  $checker,
+  $source    = undef,
+  $content   = undef,
+) {
+  $target ="${datadog_agent::params::conf_dir}/${checker}.yaml"
+
+  include datadog_agent
+
+  # define the header section
+  if !defined(Concat[$target]) {
+    concat { $target:
+      owner => 'root',
+      group => 'root',
+    }
+
+    concat::fragment { "${target}-header":
+      target  => $target,
+      content => "init_config:\n\ninstances:\n",
+      order   => '00',
+    }
+
+    # when the file in question is updated, we need to restart datadog agent
+    Exec["concat_${target}"] ~> Service[$datadog_agent::params::service_name]
+  }
+
+  concat::fragment { $name:
+    target  => $target,
+    source  => $source,
+    content => $content,
+  }
+}
--- a/dist/profile/manifests/debian_repo.pp
+++ b/dist/profile/manifests/debian_repo.pp
@ -0,0 +1,19 @@
+# This defined type is just to make our template a little bit easier to manage,
+# see also:
+# https://ask.puppet.com/question/3216/passing-parameters-to-templates/
+define profile::debian_repo(
+  $ensure,
+  $docroot,
+  $direct_root,
+  $mirror_fqdn) {
+
+  file { "${docroot}/${name}/.htaccess":
+    ensure  => $ensure,
+    content => template("${module_name}/pkgrepo/debian_htaccess.erb"),
+  }
+
+  file { "${docroot}/${name}/direct":
+    ensure => link,
+    target => "${direct_root}/${name}",
+  }
+}
--- a/dist/profile/manifests/demo.pp
+++ b/dist/profile/manifests/demo.pp
@ -0,0 +1,72 @@
+#
+# Run a demo instance of Jenkins in a Docker container
+class profile::demo(
+$image_tag = '2.10'
+) {
+  include profile::docker
+  include profile::apachemisc
+
+  $image = 'jenkinsci/jenkins'
+  $user  = 'demo'
+  $site  = 'demo'
+  $uid   = '2002'
+
+  docker::image { $image:
+    image_tag => $image_tag,
+  }
+
+  docker::run { $site:
+    username        => $uid,
+    volumes         => ['/srv/demo:/var/jenkins_home','/srv/demo/passwd:/etc/passwd'],
+    image           => "${image}:${image_tag}",
+    ports           => ['8080:8080'],
+    restart_service => true,
+    use_name        => true,
+    require         => [
+      Class['::docker'],
+      Docker::Image[$image],
+      File['/srv/demo/passwd'],
+      User[$user],
+    ],
+  }
+
+  # The File[/etc/init/docker-demo.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-demo.conf' |> {
+    notify  => Service['docker-demo'],
+  }
+
+  account { $user:
+    home_dir => '/srv/demo',
+    uid      => $uid,
+    comment  => 'Runs demo',
+  }
+
+  file { "/var/log/apache2/${site}.jenkins-ci.org":
+    ensure => directory,
+  }
+
+  file { '/srv/demo/passwd':
+    ensure  => present,
+    content => template("${module_name}/demo/passwd.erb"),
+  }
+
+  apache::vhost { "${site}.jenkins-ci.org":
+    servername      => "${site}.jenkins-ci.org",
+    port            => '80',
+    docroot         => '/srv/demo/userContent',  # bous
+    access_log      => false,
+    error_log_file  => "${site}.jenkins-ci.org/error.log",
+    log_level       => 'warn',
+    custom_fragment => template("${module_name}/demo/vhost.conf"),
+
+    notify          => Service['apache2'],
+    require         => [File["/var/log/apache2/${site}.jenkins-ci.org"],
+                        Docker::Run[$site]
+    ],
+  }
+
+  host { "${site}.jenkins-ci.org":
+    ip => '127.0.0.1',
+  }
+}
--- a/dist/profile/manifests/diagnostics.pp
+++ b/dist/profile/manifests/diagnostics.pp
@ -0,0 +1,10 @@
+#
+# The diagnostics profile will add some diagnostics tools for our internal use
+# where ever this profile is applied
+#
+class profile::diagnostics {
+  include ::stdlib
+  include ::datadog_agent
+
+  ensure_packages(['htop', 'strace'])
+}
--- a/dist/profile/manifests/docker.pp
+++ b/dist/profile/manifests/docker.pp
@ -0,0 +1,25 @@
+#
+# Profile for managing basics of docker installation/configuration
+class profile::docker {
+  class { '::docker':
+    version       => '1.9.1',
+    # Disabling the management of the kernel, since we have to pre-install
+    # kernel modules on Ubuntu 12.04 LTS and restart the host machine anyways
+    manage_kernel => false,
+  }
+
+  include datadog_agent::integrations::docker
+
+  # Ensure that the datadog user has the right group to access docker
+  user { $datadog_agent::params::dd_user:
+    ensure  => present,
+    groups  => ['docker'],
+    require => Class['::docker'],
+  }
+
+  firewall { '010 allow inter-docker traffic':
+    # traffic within docker is OK
+    iniface => 'docker0',
+    action  => 'accept',
+  }
+}
--- a/dist/profile/manifests/docker/run_tombstone.pp
+++ b/dist/profile/manifests/docker/run_tombstone.pp
@ -0,0 +1,16 @@
+#
+# A define that cleans up the left over from docker::run
+#
+define profile::docker::run_tombstone {
+
+  $initscript = "/etc/init/docker-${title}.conf"
+
+  file { $initscript:
+    ensure  => absent,
+  }
+
+  service { "docker-${title}":
+    ensure     => stopped,
+  }
+}
+
--- a/dist/profile/manifests/firewall.pp
+++ b/dist/profile/manifests/firewall.pp
@ -0,0 +1,34 @@
+#
+# Class containing basic profile information for setting up the basic firewall
+# rules that every role should contain
+class profile::firewall {
+  include ::firewall
+
+  firewall { '000 accept icmp traffic':
+    proto  => 'icmp',
+    action => 'accept',
+  }
+
+  firewall { '001 accept ssh traffic':
+    proto  => 'tcp',
+    port   => 22,
+    action => 'accept',
+  }
+
+  firewall { '002 accept local traffic':
+    # traffic within localhost is OK
+    iniface => 'lo',
+    action  => 'accept',
+  }
+
+  firewall { '003 accept established connections':
+    # this is needed to make outbound connections work, such as database connection
+    state  => ['RELATED','ESTABLISHED'],
+    action => 'accept',
+  }
+
+  firewall {
+    '999 drop all other requests':
+      action => 'drop',
+  }
+}
--- a/dist/profile/manifests/groovy.pp
+++ b/dist/profile/manifests/groovy.pp
@ -0,0 +1,6 @@
+#
+# Simple profile to manage Groovy installation on machines
+class profile::groovy {
+  # see <https://github.com/jenkins-infra/puppet-groovy>
+  include ::groovy
+}
--- a/dist/profile/manifests/jenkinsadmin.pp
+++ b/dist/profile/manifests/jenkinsadmin.pp
@ -0,0 +1,68 @@
+#
+# IRC bot that runs most project related tasks
+# containerized in https://github.com/jenkins-infra/ircbot
+class profile::jenkinsadmin (
+  # Parameters supplied by Hiera
+  $github_login,
+  $github_password,
+  $jira_login,
+  $jira_password,
+  $nick_password,
+  $image_tag = undef,
+) {
+  include profile::docker
+
+  validate_string($image_tag)
+  $user = 'ircbot'
+
+  docker::image { 'jenkinsciinfra/ircbot':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'ircbot':
+    # The entrypoint in the container allows passing the nick password through
+    # to the invocation of the Java command, since the IRC bot .jar file
+    # requires:
+    #    java -jar /home/ircbot/*.jar $NICKPASSWORD
+    command  => $nick_password,
+    volumes  => ['/home/ircbot/.github:/home/ircbot/.github',
+                '/home/ircbot/.jenkins-ci.org:/home/ircbot/.jenkins-ci.org',
+    ],
+    username => 'ircbot',
+    image    => "jenkinsciinfra/ircbot:${image_tag}",
+    require  => [Docker::Image['jenkinsciinfra/ircbot'],
+                File['/home/ircbot/.github'],
+                File['/home/ircbot/.jenkins-ci.org'],
+    ],
+    use_name => true,
+  }
+
+  # The File[/etc/init/docker-ircbot.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-ircbot.conf' |> {
+    notify  => Service['docker-ircbot'],
+  }
+
+  user { $user:
+    shell      => '/bin/false',
+    # hard-coding because this is what we already have on spinach
+    uid        => '1013',
+    managehome => true,
+  }
+
+  file { '/home/ircbot/.github':
+    owner   => $user,
+    require => User[$user],
+    content => template("${module_name}/jenkinsadmin/dot-github.erb"),
+    mode    => '0600',
+    notify  => Service['docker-ircbot'],
+  }
+
+  file { '/home/ircbot/.jenkins-ci.org':
+    owner   => $user,
+    require => User[$user],
+    content => template("${module_name}/jenkinsadmin/dot-jenkins.erb"),
+    mode    => '0600',
+    notify  => Service['docker-ircbot'],
+  }
+}
--- a/dist/profile/manifests/jenkinsgroovy.pp
+++ b/dist/profile/manifests/jenkinsgroovy.pp
@ -0,0 +1,19 @@
+# Use the Jenkins CLI to invoke an arbitrary groovy script
+#
+define profile::jenkinsgroovy (
+  $path = $name,
+) {
+  include ::jenkins::cli
+
+  validate_string($name)
+  validate_string($path)
+
+  # (ab)using unless to make this exec seem a like it's idempotent. blech
+  exec { "jenkins-groovy-exec ${name}":
+    command   => 'echo "Something is wrong"',
+    tries     => $::jenkins::cli_tries,
+    try_sleep => $::jenkins::cli_try_sleep,
+    unless    => "/usr/share/jenkins/idempotent-cli groovy ${path}",
+    path      => ['/bin', '/usr/bin'],
+  }
+}
--- a/dist/profile/manifests/jenkinsplugin.pp
+++ b/dist/profile/manifests/jenkinsplugin.pp
@ -0,0 +1,19 @@
+#
+# Use the Jenkins CLI to install plugins. This will handle dependencies, since
+# it's using the Jenkins CLI
+#
+define profile::jenkinsplugin (
+) {
+  include ::jenkins::cli
+
+  validate_string($name)
+
+  exec { "install-plugin-${name}":
+    command   => "/usr/share/jenkins/idempotent-cli install-plugin ${name}",
+    tries     => $::jenkins::cli_tries,
+    try_sleep => $::jenkins::cli_try_sleep,
+    path      => ['/bin', '/usr/bin'],
+    unless    => "/usr/bin/test -f /var/lib/jenkins/plugins/${name}.jpi",
+    notify    => Exec['safe-restart-jenkins'],
+  }
+}
--- a/dist/profile/manifests/jira.pp
+++ b/dist/profile/manifests/jira.pp
@ -0,0 +1,121 @@
+# Run containerized JIRA to serve issues.jenkins-ci.org
+# see https://github.com/jenkins-infra/jira for how the container is put together
+class profile::jira (
+  # all injected from hiera
+  $image_tag,
+  $database_url,  # JDBC URL that represents that database backend
+) {
+  # as a preparation, deploying mock-webapp and not the real jira
+
+  include profile::atlassian
+  include apache::mod::rewrite
+  include profile::apachemisc
+
+  account { 'jira':
+    home_dir => '/srv/jira',
+    groups   => ['sudo', 'users'],
+    uid      => 2001,   # this value must match what's in the 'jira' docker container
+    gid      => 2001,
+    comment  => 'Runs JIRA',
+  }
+
+  file { '/var/log/apache2/issues.jenkins-ci.org':
+    ensure => directory,
+    group  => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/jira/home':
+    ensure  => directory,
+    require => File['/srv/jira'],
+    owner   => 'jira',
+    group   => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/jira/docroot':
+    ensure  => directory,
+    require => File['/srv/jira'],
+    group   => $profile::atlassian::group_name,
+  }
+
+  # JIRA stores LDAP access information in database, not in file
+  file { '/srv/jira/container.env':
+    content => join([
+        "DATABASE_URL=${database_url}"
+      ], '\n'),
+    mode    => '0600',
+  }
+
+  if $::vagrant { # only for testing
+    docker::run { 'jiradb':
+      image           => 'mariadb',
+      env             => ['MYSQL_ROOT_PASSWORD=s3cr3t','MYSQL_USER=jira','MYSQL_PASSWORD=raji','MYSQL_DATABASE=jiradb'],
+      restart_service => true,
+      use_name        => true,
+      command         => undef,
+    }
+    $jira_links = ['jiradb:db']
+  } else {
+    $jira_links = undef
+  }
+
+  docker::image { 'jenkinsciinfra/jira':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'jira':
+    command         => undef,
+    ports           => ['8080:8080'],
+    image           => "jenkinsciinfra/jira:${image_tag}",
+    volumes         => ['/srv/jira/home:/srv/jira/home'],
+    env_file        => '/srv/jira/container.env',
+    restart_service => true,
+    use_name        => true,
+    require         => File['/srv/jira/container.env'],
+    links           => $jira_links,
+  }
+
+  ### to put maintenance screen up, comment out the following and comment in the apache::vhost for https://jenkins-ci.org
+  ### #if
+  #file { '/etc/apache2/sites-enabled/25-issues.jenkins-ci.org.conf':
+  #  ensure => 'link',
+  #  target => '/etc/apache2/sites-available/issues.jenkins-ci.org.maintenance.conf',
+  #}
+  ### #else
+  apache::vhost { 'issues.jenkins-ci.org':
+    port            => '443',
+    docroot         => '/srv/jira/docroot',
+    access_log      => false,
+    error_log_file  => 'issues.jenkins-ci.org/error.log',
+    log_level       => 'warn',
+    custom_fragment => template("${module_name}/jira/vhost.conf"),
+
+    notify          => Service['apache2'],
+    require         => File['/var/log/apache2/issues.jenkins-ci.org'],
+  }
+  ### #endif
+  apache::vhost { 'issues.jenkins-ci.org non-ssl':
+    # redirect non-SSL to SSL
+    servername      => 'issues.jenkins-ci.org',
+    port            => '80',
+    docroot         => '/srv/jira/docroot',
+    redirect_status => 'temp',
+    redirect_dest   => 'https://issues.jenkins-ci.org/'
+  }
+
+  profile::apachemaintenance { 'issues.jenkins-ci.org':
+  }
+
+  profile::datadog_check { 'jira-http-check':
+    checker => 'http_check',
+    source  => 'puppet:///modules/profile/jira/http_check.yaml',
+  }
+
+  profile::datadog_check { 'jira-process-check':
+    checker => 'process',
+    source  => 'puppet:///modules/profile/jira/process_check.yaml',
+  }
+
+  host { 'issues.jenkins-ci.org':
+    ip => '127.0.0.1',
+  }
+}
--- a/dist/profile/manifests/l10n_server.pp
+++ b/dist/profile/manifests/l10n_server.pp
@ -0,0 +1,63 @@
+#
+# Accept submissions from the translation plugin
+# containerized in https://github.com/jenkins-infra/l10n-server
+class profile::l10n_server (
+  # Parameters supplied by Hiera
+  $image_tag = 'latest',
+) {
+  include profile::docker
+  include profile::apachemisc
+
+  validate_string($image_tag)
+  $user = 'l10n'
+  $dir = "/srv/${user}"
+  $uid = '2003'
+  $image = 'jenkinsciinfra/l10n-server'
+
+  docker::image { $image:
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'l10n':
+    volumes  => ["${dir}:/var/l10n"
+    ],
+    ports    => ['8082:8080'],
+    username => $uid,
+    image    => "${image}:${image_tag}",
+    require  => [Docker::Image[$image],
+    ],
+    use_name => true,
+  }
+
+  # The File[/etc/init/docker-ircbot.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-l10n.conf' |> {
+    notify  => Service['docker-l10n'],
+  }
+
+  user { $user:
+    shell      => '/bin/false',
+    home       => $dir,
+    uid        => $uid,
+    managehome => true,
+  }
+
+  # docroot is required for apache::vhost but should never be used because
+  # we're proxying everything here
+  $docroot = '/var/www/html'
+
+  apache::vhost { 'l10n.jenkins.io':
+    serveraliases => [
+      'l10n.jenkins-ci.org',
+    ],
+    port          => '80',
+    docroot       => $docroot,
+    proxy_pass    => [
+      {
+        path         => '/',
+        url          => 'http://localhost:8082/',
+        reverse_urls => 'http://localhost:8082/',
+      },
+    ],
+  }
+}
--- a/dist/profile/manifests/l10n_server_tombstone.pp
+++ b/dist/profile/manifests/l10n_server_tombstone.pp
@ -0,0 +1,26 @@
+#
+# Used to clean up l10n_server
+class profile::l10n_server_tombstone {
+  $user = 'l10n'
+  $dir = "/srv/${user}"
+
+  profile::docker::run_tombstone { 'l10n':
+  }
+
+  user { $user:
+    ensure => absent,
+  }
+
+  # docroot is required for apache::vhost but should never be used because
+  # we're proxying everything here
+  $docroot = '/var/www/html'
+
+  apache::vhost { 'l10n.jenkins.io':
+    ensure  => absent,
+    docroot => $docroot,
+  }
+
+  file { $dir:
+    ensure => absent,
+  }
+}
--- a/dist/profile/manifests/ldap.pp
+++ b/dist/profile/manifests/ldap.pp
@ -0,0 +1,239 @@
+#
+# Manage an OpenLDAP authentication service
+#
+class profile::ldap(
+  $database       = 'dc=jenkins-ci,dc=org',
+  $admin_dn       = 'cn=admin,dc=jenkins-ci,dc=org',
+  $admin_password = undef,
+  $ssl_key        = undef,
+  $ssl_cert       = undef,
+  $ssl_chain      = undef,
+) {
+  # Not including profile::firewall intentionally here to avoid introducing
+  # redundant iptables rules for the same patterns but with different names
+  # between jenkins-infra and infra-puppet.
+  #
+  # If this is to be applied on any role other than cucumber, the caller should
+  # expect to include profile::firewall themselves
+  include ::firewall
+  include ::datadog_agent
+
+  $ssl_dir = '/etc/ldap/ssl'
+  $ssl_key_path =   "${ssl_dir}/slap.key"
+  $ssl_cert_path =  "${ssl_dir}/slap.crt"
+  $ssl_chain_path = "${ssl_dir}/bundle.crt"
+
+  ensure_packages([
+      'libaugeas-ruby',          # for augeas based puppet providers
+  ])
+
+  class { 'openldap::server':
+    ldap_ifs  => ['127.0.0.1'],
+    ldapi_ifs => ['/'],
+    ldaps_ifs => ['/'],
+    ssl_cert  => $ssl_cert_path,
+    ssl_key   => $ssl_key_path,
+    ssl_ca    => $ssl_chain_path,
+    require   => [File[$ssl_key_path],File[$ssl_cert_path],File[$ssl_chain_path]]
+  }
+
+  openldap::server::database { $database:
+    directory => '/var/lib/ldap',
+    rootdn    => $admin_dn,
+    rootpw    => $admin_password,
+  }
+
+
+  # Access grants
+  ###############
+  openldap::server::access {
+    "to attrs=userPassword,shadowLastChange by dn=\"${admin_dn}\" on ${database}":
+      access => 'write',
+  }
+
+  openldap::server::access {
+    "to attrs=userPassword,shadowLastChange by anonymous on ${database}":
+      access => 'auth',
+  }
+
+  openldap::server::access {
+    "to attrs=userPassword,shadowLastChange by self on ${database}":
+      access => 'write',
+  }
+
+  openldap::server::access {
+    "to attrs=userPassword,shadowLastChange by * on ${database}":
+      access => 'none',
+  }
+  ###############
+
+  # Indices
+  ###############
+  $ldap_attr_indices = 'eq,pres,sub'
+
+  openldap::server::dbindex { 'cn index':
+    ensure    => present,
+    suffix    => $database,
+    attribute => 'cn',
+    indices   => $ldap_attr_indices,
+  }
+
+  openldap::server::dbindex { 'mail index':
+    ensure    => present,
+    suffix    => $database,
+    attribute => 'mail',
+    indices   => $ldap_attr_indices,
+  }
+
+  openldap::server::dbindex { 'surname index':
+    ensure    => present,
+    suffix    => $database,
+    attribute => 'surname',
+    indices   => $ldap_attr_indices,
+  }
+
+  openldap::server::dbindex { 'givenname index':
+    ensure    => present,
+    suffix    => $database,
+    attribute => 'givenname',
+    indices   => $ldap_attr_indices,
+  }
+
+  openldap::server::dbindex { 'ou index':
+    ensure    => present,
+    suffix    => $database,
+    attribute => 'ou',
+    indices   => $ldap_attr_indices,
+  }
+
+  openldap::server::dbindex { 'uniqueMember index':
+    ensure    => present,
+    suffix    => $database,
+    attribute => 'uniqueMember',
+    indices   => 'eq',
+  }
+  ###############
+  ###############
+
+  # SSL Certificates
+  file { $ssl_dir:
+    ensure  => directory,
+    mode    => '0700',
+    owner   => $openldap::params::server_owner,
+    require => Class['::openldap::server::install'],
+  }
+  file { $ssl_key_path:
+    content => $ssl_key,
+    mode    => '0600',
+    owner   => $openldap::params::server_owner,
+    notify  => Service['slapd'],
+    before  => Class['::openldap::server::service'],
+  }
+  file { $ssl_cert_path:
+    content => $ssl_cert,
+    mode    => '0644',
+    owner   => $openldap::params::server_owner,
+    notify  => Service['slapd'],
+    before  => Class['::openldap::server::service'],
+  }
+  file { $ssl_chain_path:
+    content => $ssl_chain,
+    mode    => '0644',
+    owner   => $openldap::params::server_owner,
+    notify  => Service['slapd'],
+    before  => Class['::openldap::server::service'],
+  }
+
+  profile::datadog_check { 'ldap-process-check':
+    checker => 'process',
+    source  => 'puppet:///modules/profile/ldap/process_check.yaml',
+  }
+
+  # Legacy firewall rules from infra-puppet which are copied and
+  # pasted here so infra-puppet and jenkins-infra are not clobbering
+  # each others' firewall declarations
+  firewall { '106 accept inbound LDAPS request from hosted Artifactory by JFrog':
+    proto  => 'tcp',
+    source => '50.19.229.208',
+    port   => 636,
+    action => 'accept',
+  }
+
+  # It appears that puppetlabs-firewall doesn't understand an Array as an
+  # option for the source argument. In fact, as far as I know, iptables can
+  # only lump multiple IPs into a single rule if they're in a contiguous
+  # range, this will have to do
+  firewall { '106 accept inbound LDAPS request from hosted Artifactory by JFrog (second IP)':
+    proto  => 'tcp',
+    source => '50.16.203.43',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '106 accept inbound LDAPS request from hosted Artifactory by JFrog (third IP)':
+    proto  => 'tcp',
+    source => '54.236.124.56',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '106 accept inbound LDAPS request from spambot':
+    proto  => 'tcp',
+    source => 'home.kohsuke.org',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '107 accept inbound LDAPS request from accounts app':
+    proto  => 'tcp',
+    source => 'accounts.jenkins.io',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '107 accept inbound LDAPS request from puppet.jenkins.io':
+    proto  => 'tcp',
+    source => 'puppet.jenkins.io',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '107 accept inbound LDAPS request from Confluence':
+    proto  => 'tcp',
+    source => 'wiki.jenkins-ci.org',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '107 accept inbound LDAPS request from JIRA':
+    proto  => 'tcp',
+    source => 'issues.jenkins-ci.org',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '107 accept inbound LDAPS from trusted-ci':
+    proto  => 'tcp',
+    source => '52.91.48.6',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '107 accept inbound LDAPS from ci':
+    proto  => 'tcp',
+    source => 'ci.jenkins.io',
+    port   => 636,
+    action => 'accept',
+  }
+
+
+
+  # normally nobody listens on this port, but when we need to find the
+  # source IP address JFrog is using to connect us, run 'stone -d -d
+  # localhost:636 9636' and watch the log
+  firewall { '106 debugging the LDAPS connection (necessary to report source IP address)':
+    proto  => 'tcp',
+    port   => 9636,
+    action => 'accept',
+  }
+}
--- a/dist/profile/manifests/letsencrypt.pp
+++ b/dist/profile/manifests/letsencrypt.pp
@ -0,0 +1,11 @@
+#
+# This profile configures letsencrypt on the host it's applied to
+class profile::letsencrypt {
+  class { '::letsencrypt':
+    config => {
+        email  => hiera('letsencrypt::config::email'),
+        server => hiera('letsencrypt::config::server'),
+    }
+  }
+
+}
--- a/dist/profile/manifests/mirrorbrain.pp
+++ b/dist/profile/manifests/mirrorbrain.pp
@ -0,0 +1,345 @@
+#
+# Configure the mirrorbrain service
+class profile::mirrorbrain (
+  $pg_host      = 'localhost',
+  $pg_database  = 'mirrorbrain',
+  $pg_username  = 'mirrorbrain',
+  $pg_password  = 'mirrorbrain',
+  $manage_pgsql = true, # Install and manage PostgreSQL on this node
+  $user         = 'mirrorbrain',
+  $group        = 'mirrorbrain',
+  $groups       = ['www-data'],
+  $home_dir     = '/srv/releases',
+  $docroot      = '/srv/releases/jenkins',
+  $ssh_keys     = undef,
+) {
+  include ::mirrorbrain
+  include ::mirrorbrain::apache
+
+  include profile::apachemisc
+  include profile::firewall
+  include profile::letsencrypt
+
+  $server_name = 'mirrors.jenkins.io'
+  $apache_log_dir = "/var/log/apache2/${server_name}"
+  $mirrorbrain_conf = '/etc/mirrorbrain.conf'
+  $mirmon_conf = '/etc/mirmon.conf'
+
+  File {
+    ensure => present,
+  }
+
+  group { $group:
+    ensure => present,
+  }
+
+  # We use the mirrorbrain user for interactive things like rsyncing for
+  # completing releases and updating the updates site
+  account { $user:
+    manage_home    => true,
+    # Ensure that our homedir is world-readable, since it's full of public
+    # files :)
+    home_dir_perms => '0755',
+    create_group   => false,
+    home_dir       => $home_dir,
+    gid            => $group,
+    groups         => $groups,
+    ssh_keys       => $ssh_keys,
+    require        => Group[$group],
+  }
+
+  ::ssh::client::config::user { $user :
+    ensure              => present,
+    user_home_dir       => $home_dir,
+    manage_user_ssh_dir => false,
+    options             => {
+        'Host ftp-osl.osuosl.org'      => {
+            'IdentityFile' => "${home_dir}/.ssh/osuosl_mirror",
+        },
+        'Host archives.jenkins-ci.org' => {
+            'IdentityFile' => "${home_dir}/.ssh/archives",
+        },
+        'Host fallback.jenkins-ci.org' => {
+            'IdentityFile' => "${home_dir}/.ssh/archives",
+        },
+    },
+  }
+
+  file { 'osuosl_mirror':
+    path    => "${home_dir}/.ssh/osuosl_mirror",
+    owner   => $user,
+    group   => $group,
+    mode    => '0600',
+    content => hiera('osuosl_mirroring_privkey'),
+    require => Account[$user],
+  }
+
+  file { $docroot:
+    ensure => directory,
+    owner  => $user,
+    group  => $group,
+  }
+
+  ## Files needed to release
+  ##########################
+  ## These files are necessary to create and sync releases to and from this host
+  ##########################
+  file { "${home_dir}/rsync.filter":
+    owner  => $user,
+    group  => $group,
+    source => "puppet:///modules/${module_name}/mirrorbrain/rsync.filter",
+  }
+
+  file { "${home_dir}/sync.sh":
+    owner  => $user,
+    group  => $group,
+    source => "puppet:///modules/${module_name}/mirrorbrain/sync.sh",
+  }
+
+  file { "${home_dir}/populate-archives.sh":
+    owner  => $user,
+    group  => $group,
+    source => "puppet:///modules/${module_name}/mirrorbrain/populate-archives.sh",
+  }
+
+  file { "${home_dir}/populate-fallback.sh":
+    owner  => $user,
+    group  => $group,
+    source => "puppet:///modules/${module_name}/mirrorbrain/populate-fallback.sh",
+  }
+
+  file { "${home_dir}/update-latest-symlink.sh":
+    owner  => $user,
+    group  => $group,
+    source => "puppet:///modules/${module_name}/mirrorbrain/update-latest-symlink.sh",
+  }
+  ##########################
+
+
+
+  ## Managing PostgreSQL
+  ##########################
+  ## 
+  ##########################
+  if $manage_pgsql {
+    class { 'postgresql::server':
+    }
+
+    postgresql::server::db { $pg_database:
+      user     => $pg_username,
+      password => $pg_password,
+    }
+
+    postgresql::server::role { 'datadog':
+      password_hash => postgresql_password('datadog', $pg_password),
+    }
+
+    postgresql::server::grant { "datadog_${pg_database}":
+      privilege   => 'SELECT',
+      object_type => 'ALL TABLES IN SCHEMA',
+      db          => $pg_database,
+      role        => 'datadog',
+    }
+
+    class { 'datadog_agent::integrations::postgres':
+      host     => 'localhost',
+      dbname   => $pg_database,
+      username => 'datadog',
+      password => $pg_password,
+      require  => [
+        Class['postgresql::server'],
+        Postgresql::Server::Grant["datadog_${pg_database}"],
+      ],
+    }
+  }
+  ##########################
+
+
+  file { $mirrorbrain_conf:
+    owner   => $user,
+    group   => $group,
+    content => template("${module_name}/mirrorbrain/mirrorbrain.conf.erb"),
+  }
+
+  file { $mirmon_conf:
+    owner   => $user,
+    group   => $group,
+    content => template("${module_name}/mirrorbrain/mirmon.conf.erb"),
+  }
+
+  # Updating our TIME file allows us to easily tell how far mirrors have drived
+  file { '/usr/local/bin/mirmon-time-update':
+    owner   => 'root',
+    mode    => '0755',
+    content => "#!/bin/sh
+date \"+%s\" > /srv/releases/jenkins/TIME
+",
+    require => File[$docroot],
+  }
+
+  ## Cron tasks
+  #############
+  cron { 'mirrorbrain-time-update':
+    command => '/usr/local/bin/mirmon-time-update',
+    user    => 'root',
+    minute  => 2,
+    require => File['/usr/local/bin/mirmon-time-update'],
+  }
+
+  cron { 'mirmon-status-page':
+    command => "/usr/bin/mirmon -q -get update -c ${mirmon_conf}",
+    user    => 'root',
+    minute  => '15',
+    require => File[$mirmon_conf],
+  }
+
+  cron { 'mirrorbrain-ping-mirrors':
+    command => '/usr/bin/mirrorprobe',
+    user    => 'root',
+    minute  => '*/30',
+    require => File[$mirrorbrain_conf],
+  }
+
+  # Scan our mirrors, will run as many concurrent jobs as their are processors
+  # on the machine
+  cron { 'mirrorbrain-scan':
+    command => "/usr/bin/mb scan --quiet --jobs ${::processorcount} --all",
+    user    => 'root',
+    # See < https://issues.jenkins-ci.org/browse/INFRA-671>
+    minute  => '0',
+    require => File[$mirrorbrain_conf],
+  }
+
+  # perform regular clean up of our postgresql database
+  cron { 'mirrorbrain-db-cleanup':
+    command => '/usr/bin/mb db vacuum',
+    user    => 'root',
+    hour    => 2,
+    minute  => 42,
+    require => File[$mirrorbrain_conf],
+  }
+
+  cron { 'mirmon-update-mirror-list':
+    command => '/usr/bin/mb export --format=mirmon > /srv/releases/mirror_list',
+    user    => 'root',
+    minute  => '30',
+    hour    => '4',
+    require => File[$mirrorbrain_conf],
+  }
+
+  # Sync all our Jenkins releases to our dependent mirrors
+  # See <https://issues.jenkins-ci.org/browse/INFRA-694>
+  cron { 'mirrorbrain-sync-releases':
+    command => "cd ${home_dir} && ./sync.sh",
+    minute  => '0',
+    user    => $user,
+    require => File["${home_dir}/sync.sh"],
+  }
+  #############
+
+  # dbd-pgsql is required to allow mod_dbd to communicate with PostgreSQL
+  package { 'libaprutil1-dbd-pgsql':
+    ensure  => present,
+    require => Class['apache'],
+  }
+
+  $dbd_conf = '/etc/apache2/mods-available/dbd.conf'
+  $geoip_conf = '/etc/apache2/mods-available/geoip.conf'
+
+  file { $dbd_conf:
+    owner   => 'root',
+    group   => 'root',
+    content => template("${module_name}/mirrorbrain/dbd.conf.erb"),
+  }
+
+  file { '/etc/apache2/mods-enabled/dbd.conf':
+    ensure  => link,
+    target  => $dbd_conf,
+    require => [
+        File[$dbd_conf],
+        Package['libaprutil1-dbd-pgsql'],
+    ],
+    notify  => Service['apache2'],
+  }
+
+  file { $geoip_conf:
+    owner   => 'root',
+    group   => 'root',
+    require => Apache::Mod['geoip'],
+    source  => "puppet:///modules/${module_name}/mirrorbrain/geoip.conf",
+  }
+
+  file { '/etc/apache2/mods-enabled/geoip.conf':
+    ensure  => link,
+    target  => $geoip_conf,
+    require => [
+        File[$geoip_conf],
+    ],
+    notify  => Service['apache2'],
+  }
+
+  file { $apache_log_dir:
+    ensure => directory,
+  }
+
+  # This is dumb.
+  exec { 'mirrorbrain-mkdirp':
+    command => "/bin/mkdir -p ${docroot}",
+    creates => $docroot,
+  }
+
+  apache::vhost { $server_name:
+    serveraliases     => [
+      'mirrors.jenkins-ci.org',
+    ],
+    port              => 80,
+    serveradmin       => 'infra@lists.jenkins-ci.org',
+    docroot           => $docroot,
+    access_log_format =>  '\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" want:%{WANT}e give:%{GIVE}e r:%{MB_REALM}e %{X-MirrorBrain-Mirror}o %{MB_CONTINENT_CODE}e:%{MB_COUNTRY_CODE}e ASN:%{ASN}e P:%{PFX}e size:%{MB_FILESIZE}e %{Range}i forw:%{x-forwarded-for}i',
+    access_log_pipe   => "|/usr/bin/rotatelogs ${apache_log_dir}/access.log.%Y%m%d%H%M%S 604800",
+    error_log_file    => "${server_name}/error.log",
+    require           => [
+        File[$apache_log_dir],
+        Package['apache2-utils'], # For log rotation
+        Exec['mirrorbrain-mkdirp'],
+    ],
+    override          => ['All'],
+    aliases           => [
+      {
+        alias => '/mirmon/icons',
+        path  => '/usr/share/mirmon/icons',
+      },
+    ],
+    directories       => [
+      {
+        path            => $docroot,
+        options         => 'FollowSymLinks Indexes',
+        allow_override  => ['All'],
+        custom_fragment => '
+            MirrorBrainEngine On
+            MirrorBrainDebug Off
+            FormGET On
+            MirrorBrainHandleHEADRequestLocally Off
+
+            # we serve most files from mirrors, but as a fallback,
+            # this slow server has everything.
+            MirrorBrainFallback na us http://archives.jenkins-ci.org/
+
+            # Do not redirect for files smaller than 4096 bytes
+            MirrorBrainMinSize 4096
+            ## NOTE: Re-enabling these exclude rules will kill our bandwidth allocation.
+            #MirrorBrainExcludeUserAgent rpm/4.4.2*
+            #MirrorBrainExcludeUserAgent *APT-HTTP*
+
+            MirrorBrainExcludeMimeType application/pgp-keys
+            MirrorBrainExcludeMimeType text/html
+        ',
+      },
+      {
+        path           => '/usr/share/mirmon/icons',
+        options        => 'None',
+        allow_override => ['None'],
+      },
+    ],
+  }
+}
--- a/dist/profile/manifests/nolegacy.pp
+++ b/dist/profile/manifests/nolegacy.pp
@ -0,0 +1,23 @@
+#
+# This profile is a simple profile to ensure the removal of the legacy
+# "infra-puppet" code which ran masterless puppet
+class profile::nolegacy {
+  cron { 'pull puppet updates':
+    ensure => absent,
+  }
+
+  cron { 'clean up old puppet logs':
+    ensure => absent,
+  }
+
+  cron { 'clean the repo-update cache':
+    ensure => absent,
+  }
+
+  # Clean up the infra-puppet checkout from the disk
+  file { '/root/infra-puppet':
+    ensure  => absent,
+    recurse => true,
+    force   => true,
+  }
+}
--- a/dist/profile/manifests/ntp.pp
+++ b/dist/profile/manifests/ntp.pp
@ -0,0 +1,5 @@
+#
+# Profile defining the NTP configuration
+class profile::ntp {
+  include ::ntp
+}
--- a/dist/profile/manifests/opensuse_repo.pp
+++ b/dist/profile/manifests/opensuse_repo.pp
@ -0,0 +1,12 @@
+# This defined type is just to make our template a little bit easier to manage,
+# see also:
+# https://ask.puppet.com/question/3216/passing-parameters-to-templates/
+define profile::opensuse_repo (
+  $ensure,
+  $docroot,
+  $mirror_fqdn) {
+
+  file { "${docroot}/${name}/repodata":
+    ensure  => directory,
+  }
+}
--- a/dist/profile/manifests/pkgrepo.pp
+++ b/dist/profile/manifests/pkgrepo.pp
@ -0,0 +1,146 @@
+#
+# Manage yum and apt repositories for Jenkins
+class profile::pkgrepo (
+  $docroot      = '/var/www/pkg.jenkins.io',
+  $release_root = '/srv/releases/jenkins',
+  $repo_fqdn    = 'pkg.jenkins.io',
+  $mirror_fqdn  = 'mirrors.jenkins.io',
+) {
+  include ::stdlib
+  include ::apache
+  include ::apache::mod::rewrite
+
+  validate_string($docroot)
+  validate_string($release_root)
+
+  include profile::apachemisc
+  include profile::firewall
+  include profile::letsencrypt
+
+  # Needed so we can generate repodata on the machine
+  package { 'createrepo':
+    ensure => present,
+  }
+
+  $apache_log_dir = "/var/log/apache2/${repo_fqdn}"
+
+  file { $apache_log_dir:
+    ensure => directory,
+  }
+
+  file { $docroot:
+    ensure  => directory,
+    owner   => 'www-data',
+    # We need group writes on this directory for pushing a release
+    mode    => '0775',
+    require => File[$apache_log_dir],
+  }
+
+  $repos = [
+    "${docroot}/debian",
+    "${docroot}/debian-rc",
+    "${docroot}/debian-stable",
+    "${docroot}/debian-stable-rc",
+    "${docroot}/redhat",
+    "${docroot}/redhat-rc",
+    "${docroot}/redhat-stable",
+    "${docroot}/redhat-stable-rc",
+    "${docroot}/opensuse",
+    "${docroot}/opensuse-rc",
+    "${docroot}/opensuse-stable",
+    "${docroot}/opensuse-stable-rc",
+  ]
+
+  file { $repos:
+    ensure  => directory,
+    require => File[$docroot],
+  }
+
+  file { suffix($repos, '/jenkins-ci.org.key'):
+    ensure  => present,
+    source  => "puppet:///modules/${module_name}/pkgrepo/jenkins-ci.org.key",
+    require => File[$docroot],
+  }
+
+  file { suffix($repos, '/jenkins.io.key'):
+    ensure  => present,
+    source  => "puppet:///modules/${module_name}/pkgrepo/jenkins-ci.org.key",
+    require => File[$docroot],
+  }
+
+  profile::redhat_repo { ['redhat', 'redhat-stable', 'redhat-rc', 'redhat-stable-rc']:
+    ensure    => present,
+    docroot   => $docroot,
+    repo_fqdn => $repo_fqdn,
+    require   => File[$repos],
+  }
+
+  profile::debian_repo { ['debian', 'debian-stable', 'debian-rc', 'debian-stable-rc']:
+    ensure      => present,
+    docroot     => $docroot,
+    direct_root => $release_root,
+    mirror_fqdn => $mirror_fqdn,
+    require     => File[$repos],
+  }
+
+  profile::opensuse_repo { ['opensuse', 'opensuse-stable', 'opensuse-rc', 'opensuse-stable-rc']:
+    ensure      => present,
+    docroot     => $docroot,
+    mirror_fqdn => $mirror_fqdn,
+    require     => File[$repos],
+  }
+
+  apache::vhost { $repo_fqdn:
+    serveraliases   => [
+      'pkg.jenkins-ci.org',
+    ],
+    port            => 443,
+    # We need FollowSymLinks to ensure our fallback for old APT clients works
+    # properly, see debian's htaccess file for more
+    options         => 'Indexes FollowSymLinks MultiViews',
+    override        => ['All'],
+    ssl             => true,
+    docroot         => $docroot,
+    error_log_file  => "${repo_fqdn}/error.log",
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_log_dir}/access.log.%Y%m%d%H%M%S 604800",
+    require         => File[$docroot],
+  }
+
+  apache::vhost { "${repo_fqdn} unsecured":
+    servername      => $repo_fqdn,
+    port            => 80,
+    override        => ['All'],
+    docroot         => $docroot,
+    error_log_file  => "${repo_fqdn}/error_nonssl.log",
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_log_dir}/access_nonssl.log.%Y%m%d%H%M%S 604800",
+  }
+
+  apache::vhost { 'pkg.jenkins-ci.org':
+    port            => 80,
+    docroot         => $docroot,
+    override        => ['All'],
+    options         => 'Indexes FollowSymLinks MultiViews',
+    error_log_file  => "${repo_fqdn}/legacy_nonssl.log",
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_log_dir}/access_legacy_nonssl.log.%Y%m%d%H%M%S 604800",
+    require         => Apache::Vhost[$repo_fqdn],
+  }
+
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { $repo_fqdn:
+      domains     => [$repo_fqdn],
+      plugin      => 'apache',
+      manage_cron => true,
+    }
+
+    Apache::Vhost <| title == $repo_fqdn |> {
+      ssl_key         => '/etc/letsencrypt/live/pkg.jenkins.io/privkey.pem',
+      # When Apache is upgraded to >= 2.4.8 this should be changed to
+      # fullchain.pem
+      ssl_cert        => '/etc/letsencrypt/live/pkg.jenkins.io/cert.pem',
+      ssl_chain       => '/etc/letsencrypt/live/pkg.jenkins.io/chain.pem',
+    }
+  }
+}
--- a/dist/profile/manifests/puppetmaster.pp
+++ b/dist/profile/manifests/puppetmaster.pp
@ -2,24 +2,96 @@
 # profile::puppetmaster is a governing what a Jenkins puppetmaster should look
 # like
 class profile::puppetmaster {
-  # Mange hiera.yaml
+  # pull in all our secret stuff, and install eyaml
+  include ::jenkins_keys
+
+  include profile::r10k
+  # Set up our IRC reporter
+  include ::irc
+  include datadog_agent
+
+
+  # If we're inside of Vagrant we don't have the Service[pe-puppetserver]
+  # resource defined since that comes with Puppet Enterprise. We'll define a
+  # simple one just to make things 'work'
+  if str2bool($::vagrant) {
+    service { 'pe-puppetserver':
+    }
+  }
+
+  # Manage hiera.yaml
  file { '/etc/puppetlabs/puppet/hiera.yaml':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => "puppet:///modules/${module_name}/hiera.yaml",
-    notify => Service['pe-httpd'],
+    notify => Service['pe-puppetserver'],
  }

-  ## Ensure we're setting the right SMTP server
-  yaml_setting { 'console smtp server':
-    target => '/etc/puppetlabs/console-auth/config.yml',
-    key    => 'smtp/address',
-    value  => 'smtp.osuosl.org',
-    notify => Service['pe-httpd'],
+  ini_setting { 'update report handlers':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppet/puppet.conf',
+    section => 'master',
+    setting => 'reports',
+    value   => 'console,puppetdb,irc,datadog_reports',
+    notify  => Service['pe-puppetserver'],
+    # We really can't use datadog_reports until we have our datadog.yaml in
+    # place
+    require => File['/etc/dd-agent/datadog.yaml'],
  }

-  # pull in all our secret stuff, and install eyaml
-  include ::jenkins_keys
+  ini_setting { 'enable master pluginsync':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppet/puppet.conf',
+    section => 'master',
+    setting => 'pluginsync',
+    value   => true,
+    notify  => Service['pe-puppetserver'],
+  }
+
+  firewall { '010 allow dashboard traffic':
+    proto  => 'tcp',
+    port   => 443,
+    action => 'accept',
+  }
+
+  firewall { '012 allow puppet agents':
+    proto  => 'tcp',
+    port   => 8140,
+    action => 'accept',
+  }
+
+  firewall { '013 allow mcollective':
+    proto  => 'tcp',
+    port   => 61613,
+    action => 'accept',
+  }
+
+  # This puppet enterprise special casing logic cribbed directly from the
+  # puppet-irc module which also needs to install gems
+  if $::pe_server_version {
+    $gem_provider = 'puppetserver_gem'
+  }
+  else {
+    $gem_provider = 'gem'
+  }
+
+  # The "datadog_agent::reports" module doesn't really handle puppet enterprise
+  # very well at all, in order to make things easier on myself I've decided to
+  # just bring in the *two* resources it defines myself
+  package { 'dogapi':
+    ensure   => present,
+    provider => $gem_provider,
+  }
+
+  $api_key = $::datadog_agent::api_key
+  file { '/etc/dd-agent/datadog.yaml':
+    ensure  => file,
+    content => template('datadog_agent/datadog.yaml.erb'),
+    owner   => 'pe-puppet',
+    group   => 'root',
+    mode    => '0640',
+    require => File['/etc/dd-agent'],
+  }
 }
--- a/dist/profile/manifests/r10k.pp
+++ b/dist/profile/manifests/r10k.pp
@ -1,87 +1,28 @@
+#
+# The r10k profile manages the deploy hooks and r10k environment settings on
+# the puppet master.
+#
+# Deploying r10k is a bit of a chicken-and-egg problem, so this code exists to
+# ensure that the configuration that was manually set up is codified.
 class profile::r10k {
-
-  # Here we get our config for r10k from hiera.
-  # currently this hash is only used by the templates below
-  $r10k_options = hiera('r10k_options')
-
-  class { '::r10k':
-    remote            => 'https://github.com/jenkins-infra/jenkins-infra.git',
-    version           => '1.2.1',
-    modulepath        => '/etc/puppetlabs/puppet/environments/$environment/dist:/etc/puppetlabs/puppet/environments/$environment/modules:/opt/puppet/share/puppet/modules',
-    manage_modulepath => true,
-    mcollective       => true,
-  }
-
-  ini_setting { 'Update manifest in puppet.conf':
-    ensure  => present,
-    path    => '/etc/puppetlabs/puppet/puppet.conf',
-    section => 'main',
-    setting => 'manifest',
-    value   => '/etc/puppetlabs/puppet/environments/$environment/manifests/site.pp',
-  }
-
-  case $::osfamily {
-    'redhat': {
-      file { '/etc/init.d/r10k_deployhook.init':
-        ensure  => file,
-        owner   => root,
-        group   => root,
-        mode    => '0755',
-        content => template("${module_name}/r10k_deployhook.init.erb"),
-        notify  => Service['r10k_deployhook'],
-      }
-    }
-
-    'debian': {
-      file { '/etc/init/r10k_deployhook.conf':
-        ensure  => file,
-        owner   => root,
-        group   => root,
-        mode    => '0644',
-        content => template("${module_name}/r10k_deployhook.upstart.erb"),
-        alias   => 'deployhook_init',
-      }
-    }
-
-    default: { fail("${module_name} is not supported on ${::osfamily}") }
-  }
-
-  file { "${r10k_options['deployhooks_logdir']}/deployhooks":
+  file { '/etc/puppetlabs/r10k/r10k.yaml' :
    ensure => file,
-    owner  => peadmin,
-    group  => peadmin,
-    mode   => '0660',
+    owner  => 'root',
+    mode   => '0744',
+    source => "puppet:///modules/${module_name}/r10k/r10k.yaml",
  }

-  file { "${r10k_options['deployhooks_logdir']}/mco":
-    ensure => file,
-    owner  => peadmin,
-    group  => peadmin,
-    mode   => '0660',
+  include ::r10k::webhook::config
+
+  class { 'r10k::webhook':
+    use_mcollective => false,
+    user            => 'root',
+    require         => Class['r10k::webhook::config'],
  }

-  package { 'sinatra':
-    ensure   => present,
-    provider => pe_gem,
-  }
-
-  package { 'webrick':
-    ensure   => present,
-    provider => pe_gem,
-  }
-
-  file { '/usr/local/bin/r10k_deployhook':
-    ensure  => file,
-    owner   => root,
-    group   => root,
-    mode    => '0755',
-    content => template("${module_name}/r10k_deployhook.erb"),
-    require => [ Package['sinatra'], Package['webrick'] ],
-    notify  => Service['r10k_deployhook'],
-  }
-
-  service { 'r10k_deployhook':
-    ensure    => running,
-    enable    => true,
+  firewall { '011 allow r10k webhooks':
+    proto  => 'tcp',
+    port   => 8088,
+    action => 'accept',
  }
 }
--- a/dist/profile/manifests/rating.pp
+++ b/dist/profile/manifests/rating.pp
@ -0,0 +1,88 @@
+#
+# Server side of the community rating data
+# containerized in https://github.com/jenkins-infra/infra-rating
+class profile::rating (
+  # Parameters supplied by Hiera
+  $image_tag = 'latest',
+) {
+  include profile::docker
+  include profile::apachemisc
+  include profile::letsencrypt
+
+  validate_string($image_tag)
+  $image = 'jenkinsciinfra/rating'
+  $config = '/etc/rating.conf'
+
+  docker::image { $image:
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'rating':
+    image    => "${image}:${image_tag}",
+    volumes  => ["${config}:/config/dbconfig.php"
+    ],
+    ports    => ['8083:80'],
+    require  => [Docker::Image[$image],
+                File[$config],
+    ],
+    use_name => true,
+  }
+
+  # The File[/etc/init/docker-ircbot.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-rating.conf' |> {
+    notify  => Service['docker-rating'],
+  }
+
+  file { $config:
+    content => hiera('profile::rating::dbconfig'),
+    mode    => '0644',
+    notify  => Service['docker-rating'],
+  }
+
+  # convenient to interact with database
+  package { 'postgresql-client':
+    ensure => present,
+  }
+
+
+  # docroot is required for apache::vhost but should never be used because
+  # we're proxying everything here
+  $docroot = '/var/www/html'
+
+  apache::vhost { 'rating.jenkins.io':
+    port       => '443',
+    ssl        => true,
+    ssl_key    => '/etc/letsencrypt/live/rating.jenkins.io/privkey.pem',
+    # When Apache is upgraded to >= 2.4.8 this should be changed to
+    # fullchain.pem
+    ssl_cert   => '/etc/letsencrypt/live/rating.jenkins.io/cert.pem',
+    ssl_chain  => '/etc/letsencrypt/live/rating.jenkins.io/chain.pem',
+    docroot    => $docroot,
+    proxy_pass => [
+      {
+        path         => '/',
+        url          => 'http://localhost:8083/',
+        reverse_urls => 'http://localhost:8083/',
+      },
+    ],
+  }
+
+  apache::vhost { 'rating.jenkins.io unsecured':
+    servername      => 'rating.jenkins.io',
+    port            => '80',
+    docroot         => $docroot,
+    redirect_status => 'permanent',
+    redirect_dest   => 'https://rating.jenkins.io/',
+  }
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { 'rating.jenkins.io':
+        domains     => ['rating.jenkins.io'],
+        plugin      => 'apache',
+        manage_cron => true,
+    }
+  }
+}
--- a/dist/profile/manifests/redhat_repo.pp
+++ b/dist/profile/manifests/redhat_repo.pp
@ -0,0 +1,17 @@
+# This defined type is just to make our template a little bit easier to manage,
+# see also:
+# https://ask.puppet.com/question/3216/passing-parameters-to-templates/
+define profile::redhat_repo (
+  $ensure,
+  $docroot,
+  $repo_fqdn) {
+
+  file { "${docroot}/${name}/jenkins.repo":
+    ensure  => $ensure,
+    content => template("${module_name}/pkgrepo/jenkins.repo.erb"),
+  }
+
+  file { "${docroot}/${name}/repodata":
+    ensure  => directory,
+  }
+}
--- a/dist/profile/manifests/robobutler.pp
+++ b/dist/profile/manifests/robobutler.pp
@ -0,0 +1,82 @@
+#
+# IRC bot that runs project meeting
+# containerized in https://github.com/jenkins-infra/robobutler
+#
+class profile::robobutler (
+  # all injected from hiera
+  $nick,
+  $password,
+  $logdir = '/var/www/meetings.jenkins-ci.org'
+) {
+  include profile::apachemisc
+  include profile::docker
+
+  # Tag is the docker container image tag from our build process
+  $tag = 'build12'
+  $user = 'butlerbot'
+
+  user { $user:
+    # butlerbot user id. hard-coded into butlerbot image
+    uid   => '500',
+    shell => '/bin/false',
+  }
+
+  file { $logdir:
+    ensure => directory,
+    owner  => $user,
+    mode   => '0755',
+  }
+
+  file { '/etc/butlerbot':
+    ensure => directory,
+    owner  => $user,
+  }
+
+  file { '/etc/butlerbot/main.conf':
+    owner   => $user,
+    mode    => '0600',
+    content => "export NICK=${nick}\nexport PASSWORD=${password}\nexport HTML_DIR=${logdir}",
+    require => File['/etc/butlerbot'],
+    notify  => Service['docker-butlerbot'],
+  }
+
+  docker::image { 'jenkinsciinfra/butlerbot':
+    image_tag => $tag,
+  }
+
+  docker::run { 'butlerbot':
+    command  => undef,
+    image    => "jenkinsciinfra/butlerbot:${tag}",
+    volumes  => ["${logdir}:${logdir}", '/etc/butlerbot:/etc/butlerbot'],
+    require  => File['/etc/butlerbot/main.conf'],
+    use_name => true,
+  }
+
+  # 'restart docker-butlerbot' won't do because it will not reload the configuration
+  exec { 'restart-butlerbot':
+    refreshonly => true,
+    command     => '/sbin/stop docker-butlerbot; /sbin/start docker-butlerbot',
+  }
+
+  # The File[/etc/init/docker-butlerbot.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-butlerbot.conf' |> {
+    notify  => Exec['restart-butlerbot'],
+  }
+
+
+  file { '/var/log/apache2/meetings.jenkins-ci.org':
+    ensure => directory,
+  }
+
+  apache::vhost { 'meetings.jenkins-ci.org':
+      docroot         => $logdir,
+      port            => '80',
+      access_log      => false,
+      error_log_file  => 'meetings.jenkins-ci.org/error.log',
+      log_level       => 'warn',
+      custom_fragment => 'CustomLog "|/usr/bin/rotatelogs /var/log/apache2/meetings.jenkins-ci.org/access.log.%Y%m%d%H%M%S 604800" reverseproxy_combined',
+      notify          => Service['apache2'],
+      require         => File['/var/log/apache2/meetings.jenkins-ci.org'],
+  }
+}
--- a/dist/profile/manifests/staticsite.pp
+++ b/dist/profile/manifests/staticsite.pp
@ -0,0 +1,150 @@
+#
+# The staticsite profile ensures that the right resources are present to host
+# the jenkins.io static site.
+#
+# context: <https://issues.jenkins-ci.org/browse/INFRA-506>
+class profile::staticsite(
+  $site_root = '/srv/jenkins.io',
+  $deployer_user = 'site-deployer',
+  $deployer_ssh_key = undef,
+) {
+
+  include ::apache
+  include profile::letsencrypt
+  # The apache-misc profile includes a number of other important monitoring and
+  # apache configuration settings
+  include profile::apachemisc
+
+  validate_string($deployer_user)
+  validate_string($deployer_ssh_key)
+  validate_absolute_path($site_root)
+
+  ensure_packages(['zip'])
+
+  # This shell is very important to ensure that this user cannot do much else
+  # other than upload some data
+  $deployer_shell = '/usr/lib/sftp-server'
+  $deployer_group = 'www-data'
+  $site_docroot = "${site_root}/current"
+  $beta_docroot = "${site_root}/beta"
+
+  account { $deployer_user:
+    home_dir     => $site_root,
+    ssh_key      => $deployer_ssh_key,
+    gid          => $deployer_group,
+    create_group => false,
+    shell        => $deployer_shell,
+    comment      => 'Static Site Deployer role account',
+    notify       => Exec['chown staticsite'],
+  }
+
+
+  # Make sure our deployer's shell is listed as a valid shell
+  file_line { 'sftp-server shell':
+    path => '/etc/shells',
+    line => $deployer_shell,
+  }
+
+  file { "${site_root}/archives":
+    ensure  => directory,
+    mode    => '0644',
+    owner   => $deployer_user,
+    group   => $deployer_group,
+    require => Account[$deployer_user],
+    notify  => Exec['chown staticsite'],
+  }
+
+  # The deploy-site script ensures that we can unzip an archive properly, it
+  # does not ensure that the archive gets placed in the appropriate location on
+  # the machine
+  file { "${site_root}/deploy-site":
+    ensure  => present,
+    owner   => $deployer_user,
+    group   => $deployer_group,
+    mode    => '0700',
+    source  => "puppet:///modules/${module_name}/staticsite/deploy-site",
+    require => Account[$deployer_user],
+  }
+
+  # To simplify permissions and keep the site-deployer's shell restricted to
+  # just SFTP, the `deploy-site` script is idempotent and can be run repeatedly
+  # without any issue
+  cron { 'deploy-site':
+    ensure  => present,
+    user    => $deployer_user,
+    command => "${site_root}/deploy-site",
+    minute  => '*',
+    require => File["${site_root}/deploy-site"],
+  }
+
+
+  # Setting up this symlink ahead of time even though archives/ isn't the right
+  # place for it to go. This prevents apache::vhost from making current/ a
+  # directory
+  file { $site_docroot:
+    ensure  => link,
+    replace => false,
+    owner   => $deployer_user,
+    group   => $deployer_group,
+    target  => "${site_root}/archives",
+    require => File["${site_root}/archives"],
+  }
+
+  file { $beta_docroot:
+    ensure  => link,
+    replace => false,
+    owner   => $deployer_user,
+    group   => $deployer_group,
+    target  => "${site_root}/archives",
+    require => File["${site_root}/archives"],
+  }
+
+  exec { 'chown staticsite':
+    command     => "/bin/chown -R ${deployer_user}:${deployer_group} ${site_root}",
+    refreshonly => true,
+  }
+
+  apache::vhost { 'beta.jenkins-ci.org':
+    port    => '80',
+    docroot => $site_docroot,
+    require => File[$site_docroot],
+  }
+
+  apache::vhost { 'jenkins.io':
+    serveraliases => [
+      'beta.jenkins.io',
+      'www.jenkins.io',
+    ],
+    port          => '443',
+    ssl           => true,
+    ssl_key       => '/etc/letsencrypt/live/jenkins.io/privkey.pem',
+    # When Apache is upgraded to >= 2.4.8 this should be changed to
+    # fullchain.pem
+    ssl_cert      => '/etc/letsencrypt/live/jenkins.io/cert.pem',
+    ssl_chain     => '/etc/letsencrypt/live/jenkins.io/chain.pem',
+    docroot       => $beta_docroot,
+    require       => File[$beta_docroot],
+  }
+
+  apache::vhost { 'jenkins.io unsecured':
+    servername      => 'jenkins.io',
+    serveraliases   => [
+      'beta.jenkins.io',
+      'www.jenkins.io',
+    ],
+    port            => '80',
+    docroot         => $beta_docroot,
+    redirect_status => 'permanent',
+    redirect_dest   => 'https://jenkins.io/',
+  }
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { 'jenkins.io':
+        domains     => ['jenkins.io', 'www.jenkins.io'],
+        plugin      => 'apache',
+        manage_cron => true,
+    }
+  }
+}
--- a/dist/profile/manifests/sudo.pp
+++ b/dist/profile/manifests/sudo.pp
@ -0,0 +1,27 @@
+#
+# Main sudo management profile
+class profile::sudo {
+  include ::sudo
+
+  sudo::conf { 'env-defaults':
+    content => 'Defaults        env_reset',
+  }
+
+  sudo::conf { 'secure-path':
+    content => 'Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"',
+  }
+
+  sudo::conf { 'root':
+    content  => 'root ALL=(ALL) ALL',
+  }
+
+  sudo::conf { 'admins':
+    priority => '10',
+    content  => '%admin ALL=(ALL) ALL',
+  }
+
+  sudo::conf { 'sudo':
+    priority => '10',
+    content  => '%sudo ALL=(ALL) NOPASSWD: ALL',
+  }
+}
--- a/dist/profile/manifests/sudo/osu.pp
+++ b/dist/profile/manifests/sudo/osu.pp
@ -0,0 +1,10 @@
+#
+# profile to define the additional sudoer requirements for machines in the
+# OSUOSL which have an `osuadmin` role account on them
+class profile::sudo::osu {
+  include profile::sudo
+
+  sudo::conf { 'osuadmin':
+      content => 'osuadmin  ALL=(ALL) ALL',
+  }
+}
--- a/dist/profile/manifests/updatesite.pp
+++ b/dist/profile/manifests/updatesite.pp
@ -0,0 +1,157 @@
+#
+# This updatesite profile is responsible for provisioning what is generally
+# know as updates.jenkins.io and allows for the publication of our
+# update-center generation, see:
+# <https://github.com/jenkinsci/backend-update-center2>
+#
+class profile::updatesite (
+  $docroot = '/var/www/updates.jenkins.io',
+  $ssh_pubkey = undef,
+) {
+  include ::stdlib
+  include ::apache
+
+  include profile::apachemisc
+  include profile::firewall
+  include profile::letsencrypt
+
+  $update_fqdn = 'updates.jenkins.io'
+  $apache_log_dir = "/var/log/apache2/${update_fqdn}"
+  $apache_legacy_log_dir = '/var/log/apache2/updates.jenkins-ci.org'
+
+  # We need a shell for now
+  # https://issues.jenkins-ci.org/browse/INFRA-657
+  User <| title == 'www-data' |> {
+    shell => '/bin/bash',
+  }
+  file { '/var/www':
+    ensure => directory,
+    mode   => '0755',
+  }
+
+  file { [$apache_log_dir, $docroot, $apache_legacy_log_dir, ]:
+    ensure => directory,
+  }
+
+  apache::vhost { $update_fqdn:
+    require         => [
+      File[$docroot],
+    ],
+    port            => 443,
+    override        => ['All'],
+    ssl             => true,
+    docroot         => $docroot,
+    error_log_file  => "${update_fqdn}/error.log",
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_log_dir}/access.log.%Y%m%d%H%M%S 604800",
+  }
+
+  apache::vhost { "${update_fqdn} unsecured":
+    servername      => $update_fqdn,
+    port            => 80,
+    docroot         => $docroot,
+    override        => ['All'],
+    error_log_file  => "${update_fqdn}/error_nonssl.log",
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_log_dir}/access_nonssl.log.%Y%m%d%H%M%S 604800",
+    require         => Apache::Vhost[$update_fqdn],
+  }
+
+  # Legacy update site compatibility
+  ##################################
+  # Some versions of the JDK do not support letsencrypt ccertificates, so
+  # instead of using the new updates.jenkins.io as a redirect target, we're
+  # going to continue to service updates.jenkins-ci.org with the legacy
+  # (GoDaddy) certificate
+  ##################################
+  file { '/etc/apache2/legacy_cert.key':
+    ensure  => present,
+    content => hiera('ssl_legacy_key'),
+    require => Package['httpd'],
+  }
+
+  file { '/etc/apache2/legacy_chain.crt':
+    ensure  => present,
+    content => hiera('ssl_legacy_chain'),
+    require => Package['httpd'],
+  }
+  file { '/etc/apache2/legacy_cert.crt':
+    ensure  => present,
+    content => hiera('ssl_legacy_cert'),
+    require => Package['httpd'],
+  }
+
+  apache::vhost { 'updates.jenkins-ci.org':
+    docroot         => $docroot,
+    port            => 443,
+    ssl             => true,
+    ssl_key         => '/etc/apache2/legacy_cert.key',
+    ssl_chain       => '/etc/apache2/legacy_chain.crt',
+    ssl_cert        => '/etc/apache2/legacy_cert.crt',
+    override        => ['All'],
+    error_log_file  => 'updates.jenkins-ci.org/error.log',
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_legacy_log_dir}/access.log.%Y%m%d%H%M%S 604800",
+    require         => [
+      File['/etc/apache2/legacy_cert.crt'],
+      File['/etc/apache2/legacy_cert.key'],
+      File['/etc/apache2/legacy_chain.crt'],
+      File[$apache_legacy_log_dir],
+    ],
+  }
+
+  apache::vhost { 'updates.jenkins-ci.org unsecured':
+    servername      => 'updates.jenkins-ci.org',
+    docroot         => $docroot,
+    port            => 80,
+    override        => ['All'],
+    error_log_file  => 'updates.jenkins-ci.org/error_nonssl.log',
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_legacy_log_dir}/access_nonssl.log.%Y%m%d%H%M%S 604800",
+    require         => Apache::Vhost['updates.jenkins-ci.org'],
+  }
+
+  ##################################
+  ##################################
+
+  if $ssh_pubkey {
+    validate_string($ssh_pubkey)
+
+    file { '/var/www/.ssh':
+      ensure => directory,
+      mode   => '0700',
+      owner  => 'www-data',
+      group  => 'www-data',
+    }
+
+    ssh_authorized_key { 'updatesite-key':
+        ensure  => present,
+        user    => 'www-data',
+        type    => 'ssh-rsa',
+        key     => $ssh_pubkey,
+        require => File['/var/www/.ssh'],
+    }
+
+    # If we're managing an ssh_authorized_key, then we should purge anything
+    # else for safety's sake
+    User <| title == 'www-data' |> {
+        managehome     => true,
+        home           => '/var/www',
+        purge_ssh_keys => true,
+    }
+  }
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { $update_fqdn:
+      domains     => [$update_fqdn],
+      plugin      => 'apache',
+      manage_cron => true,
+    }
+
+    Apache::Vhost <| title == $update_fqdn |> {
+      ssl_key   => "/etc/letsencrypt/live/${update_fqdn}/privkey.pem",
+      # When Apache is upgraded to >= 2.4.8 this should be changed to
+      # fullchain.pem
+      ssl_cert  => "/etc/letsencrypt/live/${update_fqdn}/cert.pem",
+      ssl_chain => "/etc/letsencrypt/live/${update_fqdn}/chain.pem",
+    }
+  }
+}
--- a/dist/profile/manifests/usage.pp
+++ b/dist/profile/manifests/usage.pp
@ -0,0 +1,257 @@
+#
+# Profile to provision the necessary "usage" host setup
+#
+# A "usage" host is one that will receive anonymized and encrypted usage data
+# from active and cnofigured Jenkins installations around the world.
+#
+# This usage information is then processed and ultimately finds its way into
+# our "census" data
+class profile::usage(
+  $docroot    = '/var/www/usage.jenkins.io',
+  $usage_fqdn = 'usage.jenkins.io',
+  $user       = 'usagestats',
+  $group      = 'usagestats',
+  $ssh_keys   = undef,
+) {
+  include ::stdlib
+  include ::apache
+  # volume configuration is in hiera
+  include ::lvm
+  include profile::accounts
+  include profile::apachemisc
+  include profile::firewall
+  include profile::letsencrypt
+
+  validate_string($docroot)
+  validate_string($usage_fqdn)
+  validate_string($user)
+  validate_string($group)
+
+  if $ssh_keys != undef {
+    validate_hash($ssh_keys)
+  }
+
+  # This path hard-coded in hiera
+  $home_dir = '/srv/usage'
+
+  ## Volume setup
+  ############################
+  if str2bool($::vagrant) {
+    # during serverspec test, fake /dev/xvdb by a loopback device
+    exec { 'create /tmp/xvdb':
+      command => 'dd if=/dev/zero of=/tmp/xvdb bs=1M count=16; losetup /dev/loop0; losetup /dev/loop0 /tmp/xvdb',
+      unless  => 'test -f /tmp/xvdb',
+      path    => '/usr/bin:/usr/sbin:/bin:/sbin',
+      before  => Physical_volume['/dev/loop0'],
+    }
+  }
+
+  package { 'lvm2':
+    ensure => present,
+  }
+
+  $mounted_logs_dir = "${home_dir}/apache-logs"
+  $mounted_stats_dir = "${home_dir}/usage-stats"
+
+  file { [$mounted_logs_dir, $mounted_stats_dir]:
+    ensure  => directory,
+    owner   => $user,
+    group   => $group,
+    mode    => '0775',
+    require => Mount[$home_dir],
+  }
+  ############################
+
+
+  ## Download/Upload usage data permissions
+  ############################
+  ## The usage stats are (currently) downloaded by a machine at Kohsuke's house
+  ## where they are decrypted and then re-uploaded to this host for processing
+  ############################
+
+  # This wrapper script will not be necessary after Kohsuke's scripts migrate
+  # away from using his own user
+  file { '/home/kohsuke/sudo-rsync':
+    ensure  => file,
+    mode    => '0755',
+    content => '#!/bin/sh
+exec rsync "$@"',
+    require => User['kohsuke'],
+  }
+
+  group { $group :
+    ensure => present,
+  }
+
+  account { $user:
+    manage_home    => true,
+    create_group   => false,
+    home_dir_perms => '0755',
+    home_dir       => $home_dir,
+    gid            => $group,
+    ssh_keys       => $ssh_keys,
+    require        => Group[$group],
+  }
+
+  ssh_authorized_key { 'usage':
+    type    => 'ssh-rsa',
+    user    => $user,
+    key     => hiera('usage_ssh_pubkey'),
+    require => Account[$user],
+  }
+
+  exec { 'add-kohsuke-to-usage-group':
+    unless  => 'grep -q "usagestats\\S*kohsuke" /etc/group',
+    command => "usermod -aG ${group} kohsuke",
+    path    => ['/sbin', '/bin', '/usr/sbin'],
+    require => [
+      Group[$group],
+      User['kohsuke'],
+    ],
+  }
+  ##
+
+  $apache_log_dir = "/var/log/apache2/${usage_fqdn}"
+
+  file { $docroot:
+    ensure  => directory,
+    owner   => 'www-data',
+    group   => $group,
+    mode    => '0775',
+    require => Package['httpd'],
+  }
+
+  file { 'usage-stats.js':
+    ensure  => file,
+    path    => "${docroot}/usage-stats.js",
+    content => '// usage statistics submission comes to this URL',
+    owner   => 'www-data',
+    group   => $group,
+    mode    => '0775',
+    require => File[$docroot],
+  }
+
+  file { $apache_log_dir:
+    ensure  => link,
+    group   => $group,
+    target  => $mounted_logs_dir,
+    require => [
+      Package['httpd'],
+      File[$mounted_logs_dir],
+    ],
+  }
+
+  ## Legacy mappings
+  ############################
+  file { '/var/log/apache2/usage.jenkins-ci.org':
+    ensure  => link,
+    group   => $group,
+    target  => $apache_log_dir,
+    require => File[$apache_log_dir],
+  }
+
+  file { '/var/log/usage-stats':
+    ensure  => link,
+    target  => $mounted_stats_dir,
+    require => File[$mounted_stats_dir],
+  }
+  ############################
+
+
+  apache::vhost { $usage_fqdn:
+    port            => 443,
+    # We need FollowSymLinks to ensure our fallback for old APT clients works
+    # properly, see debian's htaccess file for more
+    options         => 'Indexes FollowSymLinks MultiViews',
+    override        => ['All'],
+    ssl             => true,
+    docroot         => $docroot,
+    error_log_file  => "${usage_fqdn}/error.log",
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_log_dir}/access.log.%Y%m%d%H%M%S 604800",
+    require         => [
+        File[$docroot],
+        File[$apache_log_dir],
+    ],
+  }
+
+  apache::vhost { "${usage_fqdn} unsecured":
+    servername      => $usage_fqdn,
+    serveraliases   => [
+      'usage.jenkins-ci.org',
+    ],
+    port            => 80,
+    # We need FollowSymLinks to ensure our fallback for old APT clients works
+    # properly, see debian's htaccess file for more
+    options         => 'Indexes FollowSymLinks MultiViews',
+    override        => ['All'],
+    docroot         => $docroot,
+    error_log_file  => "${usage_fqdn}/error_nonssl.log",
+    access_log_pipe => "|/usr/bin/rotatelogs ${apache_log_dir}/access_nonssl.log.%Y%m%d%H%M%S 604800",
+    require         => [
+        File[$docroot],
+        File[$apache_log_dir],
+    ],
+  }
+
+  # Legacy (usage.jenkins-ci.org) SSL host with the legacy SSL key
+  file { '/etc/apache2/legacy_cert.key':
+    ensure  => present,
+    content => hiera('ssl_legacy_key'),
+    require => Package['httpd'],
+  }
+
+  file { '/etc/apache2/legacy_chain.crt':
+    ensure  => present,
+    content => hiera('ssl_legacy_chain'),
+    require => Package['httpd'],
+  }
+  file { '/etc/apache2/legacy_cert.crt':
+    ensure  => present,
+    content => hiera('ssl_legacy_cert'),
+    require => Package['httpd'],
+  }
+
+  # Since usage stats are reported via the browser instead of the Jenkins
+  # master itself, we can just redirect from usage.jenkins-ci.org to
+  # usage.jenkins.io and let usage.jenkins.io log the access
+  # https://github.com/jenkinsci/jenkins/blob/5416411/core/src/main/resources/hudson/model/UsageStatistics/footer.jelly
+  apache::vhost { 'usage.jenkins-ci.org':
+    docroot         => $docroot,
+    port            => 443,
+    ssl             => true,
+    ssl_key         => '/etc/apache2/legacy_cert.key',
+    ssl_chain       => '/etc/apache2/legacy_chain.crt',
+    ssl_cert        => '/etc/apache2/legacy_cert.crt',
+    override        => ['All'],
+    redirect_status => 'permanent',
+    redirect_dest   => 'https://usage.jenkins.io/',
+    # Blackhole all these redirect logs https://issues.jenkins-ci.org/browse/INFRA-739
+
+    access_log_file => '/dev/null',
+    require         => [
+      File['/etc/apache2/legacy_cert.crt'],
+      File['/etc/apache2/legacy_cert.key'],
+      File['/etc/apache2/legacy_chain.crt'],
+      Apache::Vhost[$usage_fqdn],
+    ],
+  }
+
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { $usage_fqdn:
+      domains     => [$usage_fqdn],
+      plugin      => 'apache',
+      manage_cron => true,
+    }
+
+    Apache::Vhost <| title == $usage_fqdn |> {
+      ssl_key   => "/etc/letsencrypt/live/${usage_fqdn}/privkey.pem",
+      # When Apache is upgraded to >= 2.4.8 this should be changed to
+      # fullchain.pem
+      ssl_cert  => "/etc/letsencrypt/live/${usage_fqdn}/cert.pem",
+      ssl_chain => "/etc/letsencrypt/live/${usage_fqdn}/chain.pem",
+    }
+  }
+}
--- a/dist/profile/manifests/vagrant.pp
+++ b/dist/profile/manifests/vagrant.pp
@ -0,0 +1,13 @@
+#
+# Vagrant profile for capturing some of the spceifics we need for Vagrant boxes
+# to pvoision cleanly
+class profile::vagrant {
+  include sudo
+
+  # AWS Ubuntu images have an `ubuntu` default user which Vagrant will use for
+  # provisioning
+  sudo::conf { 'ubuntu':
+    priority => '10',
+    content  => 'ubuntu ALL=(ALL) NOPASSWD: ALL',
+  }
+}
--- a/dist/profile/templates/accountapp/config.properties.erb
+++ b/dist/profile/templates/accountapp/config.properties.erb
@ -0,0 +1,23 @@
+# This file configures the Jenkins project's accounts management application.
+#
+# See: <https://github.com/jenkins-infra/account-app>
+server=<%= @ldap_url %>
+managerDN=cn=admin,dc=jenkins-ci,dc=org
+managerPassword=<%= @ldap_password %>
+
+newUserBaseDN=ou=people,dc=jenkins-ci,dc=org
+
+# Host which accountapp can use for sending out password reset and other emails
+smtpServer=<%= @smtp_server %>
+
+# recaptcha v2 keys from rtyler's google account
+recaptchaPublicKey=6Le4HxYTAAAAACmLvcV8H4rki8HOWRdcU8HqnSFR
+recaptchaPrivateKey=<%= @recaptcha_key %>
+
+url=<%= @app_url %>
+
+# Create this file on the host machine in order to temporarily disable account
+# creation
+circuitBreakerFile=/etc/accountapp/circuitBreaker
+
+# vim: ft=conf
--- a/Show More
+++ b/Show More