Change to a new host and username for rating app

Need to whitelist puppet

.fixtures.yml

@@ -1,21 +1,6 @@
 # Fixtures needed for puppetlabs_spec_helper
 fixtures:
   repositories:
-    stdlib:
-      repo: 'git://github.com/puppetlabs/puppetlabs-stdlib.git'
-      ref: '3.2.1'
-    r10k:
-      repo: 'git://github.com/acidprime/r10k.git'
-      ref: 'v1.0.2'
-    git:
-      repo: 'git://github.com/puppetlabs/puppetlabs-git.git'
-      ref: '0.0.3'
-    ruby:
-      repo: 'git://github.com/puppetlabs/puppetlabs-ruby.git'
-      ref: '0.1.1'
-    inifile:
-      repo: 'git://github.com/puppetlabs/puppetlabs-inifile.git'
-      ref: '1.0.3'
     yamlfile:
       repo: 'git://github.com/reidmv/puppet-module-yamlfile.git'
     filemapper:
@@ -23,7 +8,88 @@ fixtures:
       ref: '1.1.2'
     account:
       repo: 'git://github.com/jenkins-infra/puppet-account.git'
-      ref: '03280b8'
+      ref: '0d949ae'
+    sudo:
+      repo: 'git://github.com/saz/puppet-sudo.git'
+      ref: 'v3.0.6'
+    irc:
+      repo: 'git://github.com/jenkins-infra/puppet-irc.git'
+      ref: '4e5e437'
+    docker:
+      repo: 'git://github.com/jenkins-infra/garethr-docker.git'
+      ref: '951781fbeb06fa8142e851c5746c35b302a6f427'
+    apachelogcompressor:
+      repo: 'git://github.com/jenkins-infra/puppet-apachelogcompressor.git'
+
+  forge_modules:
+    stdlib:
+      repo: 'puppetlabs/stdlib'
+      ref: '4.9.0'
+    datadog_agent:
+      repo: 'datadog/datadog_agent'
+      ref: '1.6.0'
+    r10k:
+      repo: 'zack/r10k'
+      ref: '3.1.1'
+    ruby:
+      repo: 'puppetlabs/ruby'
+      ref: '0.4.0'
+    firewall:
+      repo: 'puppetlabs/firewall'
+      ref: '1.1.3'
+    apache:
+      repo: 'puppetlabs/apache'
+      ref: '1.8.1'
+    git:
+      repo: 'puppetlabs/git'
+      ref: '0.4.0'
+    ntp:
+      repo: 'puppetlabs/ntp'
+      ref: '4.1.2'
+    inifile:
+      repo: 'puppetlabs/inifile'
+      ref: '1.4.3'
+    apt:
+      repo: 'puppetlabs/apt'
+      ref: '1.6.0'
+    concat:
+      repo: 'puppetlabs/concat'
+      ref: '1.2.5'
+    staging:
+      repo: 'nanliu/staging'
+      ref: '0.4.0'
+    groovy:
+      repo: 'rtyler/groovy'
+      ref: '1.0.1'
+    ssh:
+      repo: 'saz/ssh'
+      ref: '2.3.6'
+    lvm:
+      repo: 'puppetlabs/lvm'
+      ref: '0.3.2'
+    gcc:
+      repo: 'puppetlabs/gcc'
+      ref: '0.3.0'
+    vcsrepo:
+      repo: 'puppetlabs/vcsrepo'
+      ref: '1.1.0'
+    puppetserver_gem:
+      repo: 'puppetlabs/puppetserver_gem'
+      ref: '0.2.0'
+    letsencrypt:
+      repo: 'danzilio/letsencrypt'
+      ref: '1.0.0'
+    openldap:
+      repo: 'camptocamp/openldap'
+      ref: '1.14.0'
+    augeasproviders_shellvar:
+      repo: 'herculesteam/augeasproviders_shellvar'
+      ref: '2.2.1'
+    augeasproviders_core:
+      repo: 'herculesteam/augeasproviders_core'
+      ref: '2.1.2'
+
+
 # Setting up a couple of symlinks to make it easier to treat profiles and roles
 # just as another set of "modules" in our environment
   symlinks:

.gitignore

@@ -1,5 +1,8 @@
-*.swp
+*.sw*
 .vagrant*
 .ruby-*
 spec/fixtures/
 .bundle
+vagrant2014*
+d2014*
+modules/

.rspec

@@ -0,0 +1 @@
+--fail-fast --order random

Gemfile

@@ -2,21 +2,23 @@ source 'https://rubygems.org'
 
 gem 'rake'
 gem 'rspec-puppet'
-gem 'puppet-lint'
-gem 'puppet', '~> 3.4.0'
-gem 'puppetlabs_spec_helper', :github => 'jenkins-infra/puppetlabs_spec_helper'
+gem 'parallel_tests'
+# Needed for integration tests
+gem 'beaker'
+# This gem is like, never released
+gem 'puppet-lint', :github => 'rodjek/puppet-lint',
+                   :ref => '2546fed6be894bbcff15c3f48d4b6f6bc15d94d1'
+gem 'puppet', '~> 4.0.0'
+# Needed to make sure we can install modules and then run a `puppet apply` in
+# vagrant
+gem 'r10k'
+gem 'puppetlabs_spec_helper'
+gem 'pry'
+gem 'serverspec'
+gem 'hiera-eyaml'
 
 group :development do
-  # XXX: Shouldn't be needed anywhere by rtyler's machine, since Vagrant does'nt
-  # have proper installers for FreeBSD :(
-  gem 'vagrant', :github => 'mitchellh/vagrant', :ref => 'v1.5.4'
-
-  gem 'pry'
-  gem 'debugger', :platform => :mri
-  gem 'debugger-pry', :platform => :mri
-end
-
-# Vagrant plugins
-group :plugins do
-  gem 'vagrant-aws', :github => 'mitchellh/vagrant-aws'
+  gem 'debugger', :platform => :mri_19
+  gem 'debugger-pry', :platform => :mri_19
+  gem 'byebug', :platform => :mri_20
 end

Gemfile.lock

@@ -1,146 +1,342 @@
 GIT
-  remote: git://github.com/jenkins-infra/puppetlabs_spec_helper.git
-  revision: 772ce0ed04edb5b58f99de6ebebe8ccc233b46be
+  remote: git://github.com/rodjek/puppet-lint.git
+  revision: 2546fed6be894bbcff15c3f48d4b6f6bc15d94d1
+  ref: 2546fed6be894bbcff15c3f48d4b6f6bc15d94d1
   specs:
-    puppetlabs_spec_helper (0.4.1.40)
-      mocha (>= 0.10.5)
-      rake
-      rspec (>= 2.9.0)
-      rspec-puppet (>= 0.1.1)
-
-GIT
-  remote: git://github.com/mitchellh/vagrant-aws.git
-  revision: d125a2f8ca5422f55f555ab921aaac968d1e6e72
-  specs:
-    vagrant-aws (0.5.0.dev)
-      fog (~> 1.18)
-
-GIT
-  remote: git://github.com/mitchellh/vagrant.git
-  revision: 285c7cdb2b3127d6dad4c2288cf9af6f15de6545
-  ref: v1.5.4
-  specs:
-    vagrant (1.5.4)
-      bundler (~> 1.5.2)
-      childprocess (~> 0.5.0)
-      erubis (~> 2.7.0)
-      i18n (~> 0.6.0)
-      listen (~> 2.7.1)
-      log4r (~> 1.1.9, < 1.1.11)
-      net-scp (~> 1.1.0)
-      net-ssh (>= 2.6.6, < 2.8.0)
-      rb-kqueue (~> 0.2.0)
-      wdm (~> 0.1.0)
+    puppet-lint (1.1.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    CFPropertyList (2.2.8)
+    addressable (2.4.0)
+    aws-sdk (1.66.0)
+      aws-sdk-v1 (= 1.66.0)
+    aws-sdk-v1 (1.66.0)
+      json (~> 1.4)
+      nokogiri (>= 1.4.4)
+    beaker (2.39.0)
+      aws-sdk (~> 1.57)
+      beaker-answers (~> 0.0)
+      beaker-hiera (~> 0.0)
+      beaker-pe (~> 0.0)
+      docker-api
+      fission (~> 0.4)
+      fog (~> 1.25, < 1.35.0)
+      fog-google (~> 0.0.9)
+      google-api-client (~> 0.8)
+      hocon (~> 0.1)
+      inifile (~> 2.0)
+      json (~> 1.8)
+      mime-types (~> 2.99)
+      minitest (~> 5.4)
+      net-scp (~> 1.2)
+      net-ssh (~> 2.9)
+      open_uri_redirections (~> 0.2.1)
+      rbvmomi (~> 1.8)
+      rsync (~> 1.0.9)
+      stringify-hash (~> 0.0)
+      unf (~> 0.1)
+    beaker-answers (0.4.0)
+      require_all (~> 1.3.2)
+      stringify-hash (~> 0.0.0)
+    beaker-hiera (0.1.1)
+      stringify-hash (~> 0.0.0)
+    beaker-pe (0.1.2)
+      stringify-hash (~> 0.0.0)
     builder (3.2.2)
-    celluloid (0.15.2)
-      timers (~> 1.1.0)
-    celluloid-io (0.15.0)
-      celluloid (>= 0.15.0)
-      nio4r (>= 0.5.0)
-    childprocess (0.5.3)
-      ffi (~> 1.0, >= 1.0.11)
+    byebug (8.2.1)
     coderay (1.1.0)
-    columnize (0.8.9)
-    debugger (1.6.6)
+    colored (1.2)
+    columnize (0.9.0)
+    cri (2.6.1)
+      colored (~> 1.2)
+    debugger (1.6.8)
       columnize (>= 0.3.1)
       debugger-linecache (~> 1.2.0)
-      debugger-ruby_core_source (~> 1.3.2)
+      debugger-ruby_core_source (~> 1.3.5)
     debugger-linecache (1.2.0)
     debugger-pry (0.1.1)
       debugger (~> 1)
       pry (>= 0.9.9)
-    debugger-ruby_core_source (1.3.2)
+    debugger-ruby_core_source (1.3.8)
     diff-lcs (1.2.5)
-    erubis (2.7.0)
-    excon (0.33.0)
-    facter (1.7.5)
-    ffi (1.9.3)
-    fog (1.22.0)
-      fog-brightbox
-      fog-core (~> 1.21, >= 1.21.1)
+    docker-api (1.28.0)
+      excon (>= 0.38.0)
+      json
+    excon (0.49.0)
+    facter (2.4.6)
+      CFPropertyList (~> 2.2.6)
+    faraday (0.9.2)
+      multipart-post (>= 1.2, < 3)
+    faraday_middleware (0.9.2)
+      faraday (>= 0.7.4, < 0.10)
+    faraday_middleware-multi_json (0.0.6)
+      faraday_middleware
+      multi_json
+    fission (0.5.0)
+      CFPropertyList (~> 2.2)
+    fog (1.34.0)
+      fog-atmos
+      fog-aws (>= 0.6.0)
+      fog-brightbox (~> 0.4)
+      fog-core (~> 1.32)
+      fog-dynect (~> 0.0.2)
+      fog-ecloud (~> 0.1)
+      fog-google (>= 0.0.2)
       fog-json
+      fog-local
+      fog-powerdns (>= 0.1.1)
+      fog-profitbricks
+      fog-radosgw (>= 0.0.2)
+      fog-riakcs
+      fog-sakuracloud (>= 0.0.4)
+      fog-serverlove
+      fog-softlayer
+      fog-storm_on_demand
+      fog-terremark
+      fog-vmfusion
+      fog-voxel
+      fog-xml (~> 0.1.1)
+      ipaddress (~> 0.5)
       nokogiri (~> 1.5, >= 1.5.11)
-    fog-brightbox (0.0.2)
+    fog-atmos (0.1.0)
+      fog-core
+      fog-xml
+    fog-aws (0.9.2)
+      fog-core (~> 1.27)
+      fog-json (~> 1.0)
+      fog-xml (~> 0.1)
+      ipaddress (~> 0.8)
+    fog-brightbox (0.10.1)
+      fog-core (~> 1.22)
+      fog-json
+      inflecto (~> 0.0.2)
+    fog-core (1.37.0)
+      builder
+      excon (~> 0.45)
+      formatador (~> 0.2)
+    fog-dynect (0.0.3)
       fog-core
       fog-json
-    fog-core (1.22.0)
-      builder
-      excon (~> 0.33)
-      formatador (~> 0.2)
-      mime-types
-      net-scp (~> 1.1)
-      net-ssh (>= 2.1.3)
-    fog-json (1.0.0)
-      multi_json (~> 1.0)
-    formatador (0.2.4)
-    hiera (1.3.2)
+      fog-xml
+    fog-ecloud (0.3.0)
+      fog-core
+      fog-xml
+    fog-google (0.0.9)
+      fog-core
+      fog-json
+      fog-xml
+    fog-json (1.0.2)
+      fog-core (~> 1.0)
+      multi_json (~> 1.10)
+    fog-local (0.3.0)
+      fog-core (~> 1.27)
+    fog-powerdns (0.1.1)
+      fog-core (~> 1.27)
+      fog-json (~> 1.0)
+      fog-xml (~> 0.1)
+    fog-profitbricks (0.0.5)
+      fog-core
+      fog-xml
+      nokogiri
+    fog-radosgw (0.0.5)
+      fog-core (>= 1.21.0)
+      fog-json
+      fog-xml (>= 0.0.1)
+    fog-riakcs (0.1.0)
+      fog-core
+      fog-json
+      fog-xml
+    fog-sakuracloud (1.7.5)
+      fog-core
+      fog-json
+    fog-serverlove (0.1.2)
+      fog-core
+      fog-json
+    fog-softlayer (1.1.0)
+      fog-core
+      fog-json
+    fog-storm_on_demand (0.1.1)
+      fog-core
+      fog-json
+    fog-terremark (0.1.0)
+      fog-core
+      fog-xml
+    fog-vmfusion (0.1.0)
+      fission
+      fog-core
+    fog-voxel (0.1.0)
+      fog-core
+      fog-xml
+    fog-xml (0.1.2)
+      fog-core
+      nokogiri (~> 1.5, >= 1.5.11)
+    formatador (0.2.5)
+    google-api-client (0.9.4)
+      addressable (~> 2.3)
+      googleauth (~> 0.5)
+      httpclient (~> 2.7)
+      hurley (~> 0.1)
+      memoist (~> 0.11)
+      mime-types (>= 1.6)
+      representable (~> 2.3.0)
+      retriable (~> 2.0)
+      thor (~> 0.19)
+    googleauth (0.5.1)
+      faraday (~> 0.9)
+      jwt (~> 1.4)
+      logging (~> 2.0)
+      memoist (~> 0.12)
+      multi_json (~> 1.11)
+      os (~> 0.9)
+      signet (~> 0.7)
+    hiera (2.0.0)
       json_pure
-    i18n (0.6.9)
-    json_pure (1.8.1)
-    listen (2.7.3)
-      celluloid (>= 0.15.2)
-      celluloid-io (>= 0.15.0)
-      rb-fsevent (>= 0.9.3)
-      rb-inotify (>= 0.9)
+    hiera-eyaml (2.0.8)
+      highline (~> 1.6.19)
+      trollop (~> 2.0)
+    highline (1.6.21)
+    hocon (0.9.5)
+    httpclient (2.7.1)
+    hurley (0.2)
+    inflecto (0.0.2)
+    inifile (2.0.2)
+    ipaddress (0.8.3)
+    json (1.8.3)
+    json_pure (1.8.3)
+    jwt (1.5.4)
+    little-plugger (1.1.4)
     log4r (1.1.10)
+    logging (2.1.0)
+      little-plugger (~> 1.1)
+      multi_json (~> 1.10)
+    memoist (0.14.0)
     metaclass (0.0.4)
     method_source (0.8.2)
-    mime-types (2.2)
-    mini_portile (0.5.3)
-    mocha (1.0.0)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitar (0.5.4)
+    minitest (5.8.4)
+    mocha (1.1.0)
       metaclass (~> 0.0.1)
-    multi_json (1.9.3)
-    net-scp (1.1.2)
+    multi_json (1.11.2)
+    multipart-post (2.0.0)
+    net-scp (1.2.1)
       net-ssh (>= 2.6.5)
-    net-ssh (2.7.0)
-    nio4r (1.0.0)
-    nokogiri (1.6.1)
-      mini_portile (~> 0.5.0)
-    pry (0.9.12.6)
-      coderay (~> 1.0)
-      method_source (~> 0.8)
+    net-ssh (2.9.4)
+    net-telnet (0.1.1)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    open_uri_redirections (0.2.1)
+    os (0.9.6)
+    parallel (1.6.1)
+    parallel_tests (2.2.1)
+      parallel
+    pry (0.10.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
       slop (~> 3.4)
-    puppet (3.4.3)
-      facter (~> 1.6)
-      hiera (~> 1.0)
-      rgen (~> 0.6.5)
-    puppet-lint (0.3.2)
-    rake (10.3.1)
-    rb-fsevent (0.9.4)
-    rb-inotify (0.9.4)
-      ffi (>= 0.5.0)
-    rb-kqueue (0.2.2)
-      ffi (>= 0.5.0)
-    rgen (0.6.6)
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.8)
-    rspec-expectations (2.14.5)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.6)
-    rspec-puppet (1.0.1)
+    puppet (4.0.0)
+      facter (> 2.0, < 4)
+      hiera (>= 2.0, < 3)
+      json_pure
+    puppet-syntax (2.0.0)
+      rake
+    puppet_forge (2.1.1)
+      faraday (~> 0.9.0)
+      faraday_middleware (~> 0.9.0)
+      minitar
+      semantic_puppet (~> 0.1.0)
+    puppetlabs_spec_helper (1.0.1)
+      mocha
+      puppet-lint
+      puppet-syntax
+      rake
+      rspec-puppet
+    r10k (2.1.1)
+      colored (= 1.2)
+      cri (~> 2.6.1)
+      faraday (~> 0.9.0)
+      faraday_middleware (~> 0.9.0)
+      faraday_middleware-multi_json (~> 0.0.6)
+      log4r (= 1.1.10)
+      minitar
+      multi_json (~> 1.10)
+      puppet_forge (~> 2.1.1)
+      semantic_puppet (~> 0.1.0)
+    rake (10.4.2)
+    rbvmomi (1.8.2)
+      builder
+      nokogiri (>= 1.4.1)
+      trollop
+    representable (2.3.0)
+      uber (~> 0.0.7)
+    require_all (1.3.3)
+    retriable (2.1.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.1)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-puppet (2.2.0)
       rspec
-    slop (3.5.0)
-    timers (1.1.0)
-    wdm (0.1.0)
+    rspec-support (3.4.1)
+    rsync (1.0.9)
+    semantic_puppet (0.1.1)
+    serverspec (2.24.3)
+      multi_json
+      rspec (~> 3.0)
+      rspec-its
+      specinfra (~> 2.43)
+    sfl (2.2)
+    signet (0.7.2)
+      addressable (~> 2.3)
+      faraday (~> 0.9)
+      jwt (~> 1.5)
+      multi_json (~> 1.10)
+    slop (3.6.0)
+    specinfra (2.44.7)
+      net-scp
+      net-ssh (~> 2.7)
+      net-telnet
+      sfl
+    stringify-hash (0.0.2)
+    thor (0.19.1)
+    trollop (2.1.2)
+    uber (0.0.15)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.2)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  beaker
+  byebug
   debugger
   debugger-pry
+  hiera-eyaml
+  parallel_tests
   pry
-  puppet (~> 3.4.0)
-  puppet-lint
-  puppetlabs_spec_helper!
+  puppet (~> 4.0.0)
+  puppet-lint!
+  puppetlabs_spec_helper
+  r10k
   rake
   rspec-puppet
-  vagrant!
-  vagrant-aws!
+  serverspec
+
+BUNDLED WITH
+   1.10.6

Jenkinsfile

@@ -0,0 +1,46 @@
+#!groovy
+
+def nodeLabel = 'docker'
+def dockerImage = 'rtyler/jenkins-infra-builder'
+
+parallel(lint: {
+            node(nodeLabel) {
+                runInside(dockerImage) {
+                    sh 'mkdir -p vendor/gems && bundle install --without development plugins --path=vendor/gems'
+                    sh 'bundle exec rake lint'
+                }
+            }
+        },
+        verifyZoneFiles: {
+            node(nodeLabel) {
+                validateZoneFor('jenkins-ci.org', dockerImage)
+                validateZoneFor('jenkins.io', dockerImage)
+            }
+        },
+        rspec: {
+            node(nodeLabel) {
+                runInside(dockerImage) {
+                    sh 'mkdir -p vendor/gems && bundle install --without development plugins --path=vendor/gems'
+                    sh 'bundle exec rake spec'
+                }
+            }
+        },
+    )
+
+def validateZoneFor(dnsZone, dockerImage) {
+    runInside(dockerImage) {
+        sh "/usr/sbin/named-checkzone ${dnsZone} dist/profile/files/bind/${dnsZone}.zone"
+    }
+}
+
+def runInside(String dockerImage, Closure c) {
+    /* This requires the Timestamper plugin to be installed on the Jenkins */
+    wrap([$class: 'TimestamperBuildWrapper']) {
+        docker.image(dockerImage).inside {
+            checkout scm
+            c.call()
+        }
+    }
+}
+
+// vim: ft=groovy

Puppetfile

@@ -1,42 +1,86 @@
 forge "http://forge.puppetlabs.com"
 
 # Install and manage r10k
-mod "zack/r10k", '1.0.2'
+mod "zack/r10k", '3.1.1'
 
 # Deps for zack/r10k
-# We are tracking stdlib from git because the puppet module tool 
-# is getting in the way when we want to upgrade newer than the 
+# We are tracking stdlib from git because the puppet module tool
+# is getting in the way when we want to upgrade newer than the
 # supported module version
-mod "stdlib", :git => 'git@github.com:puppetlabs/puppetlabs-stdlib.git',
-  :ref => '4.1.0'
+mod "stdlib",
+        :git => 'git@github.com:puppetlabs/puppetlabs-stdlib.git',
+        :ref => '4.9.0'
 
-mod "puppetlabs/ruby", '0.1.0'
-mod "puppetlabs/gcc", '0.1.0'
-mod "puppetlabs/pe_gem", '0.0.1'
-mod "mhuffnagle/make", '0.0.2'
-mod "puppetlabs/inifile", '1.0.3'
-mod "puppetlabs/vcsrepo", '0.2.0'
-mod "puppetlabs/git", '0.0.3'
+mod 'puppetlabs/ruby', '0.4.0'
+mod "puppetlabs/gcc", '0.3.0'
+# Used for installing gems for the puppetserver, like with hiera-eyaml
+mod "puppetlabs/puppetserver_gem", '0.2.0'
+mod "puppetlabs/inifile", '1.4.3'
+mod "puppetlabs/vcsrepo", '1.1.0'
+mod "puppetlabs/git", '0.4.0'
 mod "gentoo/portage", '2.2.0-rc1'
 
-mod "puppetlabs/ntp", '3.0.3'
+# Used for setting up ntp daemons on all machines to have a correct time
+mod "puppetlabs/ntp", '4.1.2'
+
+# Module for managing sudoers across all machines
+mod 'saz/sudo', '3.0.6'
+
+# Needed for managing firewall rules
+mod 'puppetlabs/firewall', '1.1.3'
 
 # Needed for managing .yaml files from within Puppet
 mod 'reidmv/yamlfile'
 # Needed by `yamlfile`
 mod 'adrien/filemapper'
 
-mod 'garethr/docker', '0.13.0'
+mod 'docker', :git => 'git://github.com/jenkins-infra/garethr-docker.git',
+              :ref => '951781fbeb06fa8142e851c5746c35b302a6f427'
 
 # Deps for docker
-mod 'puppetlabs/apt', '1.4.2'
-mod 'stahnma/epel', '0.0.6'
+mod 'puppetlabs/apt', '1.6.0'
+mod 'stahnma/epel', '1.2.2'
+
+# Dependencies for the Puppet IRC report processor, using our forked version
+# which updates on any changed status
+mod 'irc', :git => 'git://github.com/jenkins-infra/puppet-irc.git',
+           :ref => '4e5e437'
 
 # Needed for managing our accounts in hiera, this fork contains the pull
 # request which adds support for multiple SSH keys:
 # <https://github.com/torrancew/puppet-account/pull/18>
 mod 'account', :git => 'git://github.com/jenkins-infra/puppet-account.git',
-               :ref => '03280b8'
+               :ref => '0d949ae'
 
 mod 'jenkins_keys',
-  :git => 'git@github.com:rtyler/jenkins-keys.git'
+  :git => 'git@github.com:jenkins-infra/jenkins-keys.git',
+  :ref => 'eeb7db7'
+
+# Apache and its dependencies
+mod "puppetlabs/apache", '1.8.1'
+# Used internally to gzip compress rotated logs
+mod 'apachelogcompressor',
+        :git => 'git://github.com/jenkins-infra/puppet-apachelogcompressor.git',
+        :ref => '0113d7b'
+
+mod "puppetlabs/concat", '1.2.5'
+
+
+mod 'rtyler/groovy', '1.0.3'
+# Dependency of `groovy
+mod 'nanliu/staging', '0.4.0'
+
+
+# For managing server-side ssh configuration options
+mod 'saz/ssh', '2.3.6'
+
+mod 'puppetlabs/lvm', '0.3.2'
+mod 'datadog/datadog_agent', '1.6.0'
+
+# Used for grabbing certificates for jenkins.io
+mod 'danzilio/letsencrypt', '1.0.0'
+
+# For managing ldap, and dependencies
+mod 'camptocamp/openldap', '1.14.0'
+mod 'herculesteam/augeasproviders_shellvar', '2.2.1'
+mod 'herculesteam/augeasproviders_core', '2.1.2'

README.md

@@ -7,23 +7,55 @@ This repository is the [r10k](https://github.com/adrienthebo/r10k) control
 repository for the [Jenkins](https://jenkins-ci.org) project's own
 infrastructure.
 
-**NOTE:** This repository and workflow are still a **work in progress**
-
 ## Local development
 
-The amount of testing that can be done locally is still a **work in progress**
-but thus far it's advisable that you do the following:
+The amount of testing that can be done locally is as follows:
 
  * `bundle install` - To get the necessary gems to run tests locally, if you're
    unfamiliar with Ruby development you may want to use [RVM](http://rvm.io/)
    to create an isolated Ruby environment
- * `bundle exec rake spec lint` - Will run the
+ * `./check` - Will run the
    [rspec-puppet](http://rspec-puppet) unit tests and the
    [puppet-lint](http://puppet-lint.com) style validation. If you intend to run
    the rspec-puppet over and over, use `rake spec_standalone` to avoid
    re-initializing the Puppet module fixtures every time.
- * Vagrant-based testing - **coming soon**
 
+### Vagrant-based testing
+
+#### Pre-requisites
+
+ * Import your SSH public key into a [key
+   pair](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html)
+   into the `us-west-2` region. We have an AMI in us-west-2 that has Ubuntu 12.04,
+   Puppet and a Docker-capable kernel installed for testing
+ * Make sure your `default` [security
+   group](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)
+   allows SSH (port 22) from the outside world.
+ * Run the `./vagrant-bootstrap` script locally to make sure your local
+   environment is prepared for Vagranting
+
+#### Running server spec tests
+
+We're using [serverspec](http://serverspec.org) for on-machine acceptance
+testing. Combined with Vagrant, this allows us to create an acceptance test
+[per-role](dist/role/manifests) which provisions and tests an entire Puppet
+catalog on a VM.
+
+##### Pre-requisites
+
+* Install [Vagrant](https://www.vagrantup.com)
+* Install Vagrant plugins: `vagrant plugin install vagrant-aws  vagrant-serverspec`
+
+To launch a test instance, `vagrant up ROLE` where `ROLE` is [one of the defined roles](dist/role/manifests).
+You can rerun puppet and execute tests with `vagrant provision ROLE` repeatedly while the VM is up and running.
+To just rerun serverspect without puppet, `vagrant provision --provision-with serverspec ROLE`.
+When it's all done, deprovision the instance via `vagrant destroy ROLE`.
+
+### Updating dependencies
+For reasons that Tyler will hopefully clarify at some point, this module maintains
+the list of Puppet module dependencies in `Puppetfile` and `.fixtures.yml`. They
+need to be kept in sync. When you modify them, you can have the local environment
+reflect changes by running `bundle exec rake resolve`.
 
 ## Branching model
 
@@ -55,8 +87,31 @@ When a infra project team member is happy with the code in `staging` they can
 create a merge from `staging` to `production`. Once something has been merged
 to production, it will be automatically deployed to production hosts.
 
+## Installing agents
+
+For installing agents refer to the [installing
+agents](http://docs.puppetlabs.com/pe/latest/install_agents.html) section of
+the PuppetLabs documentation.
+
+## Adding a new branch/environment
+
+"Dynamic environments" are in a bit of flux for the current version (3.7) of
+Puppet Enterprise that we're using. An unfortunate side-effect of this is that
+creating a branch in this repository is *not* sufficient to create a dynamic
+environment that can be used via the Puppet master.
+
+The enable an environment, add a file on the Puppet master:
+`/etc/puppetlabs/puppet/environments/my-environment-here/environment.conf` with
+the following:
+
+```conf
+modulepath = ./dist:./modules:/opt/puppet/share/puppet/modules
+manifest = ./manifests/site.pp
+```
+
 ## Contributing
 
 * `#jenkins-infra` on the [Freenode](http://freenode.net) IRC network
 *  [INFRA project](https://issues.jenkins-ci.org/browse/INFRA) in JIRA.
+* [infra@lists.jenkins-ci.org](http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra)
 

Rakefile

@@ -1,13 +1,38 @@
-require 'puppet-lint'
+require 'puppet-lint/tasks/puppet-lint'
 require 'puppetlabs_spec_helper/rake_tasks'
 
-
-PuppetLint.configuration.send('disable_80chars')
-PuppetLint.configuration.ignore_paths = ['modules/**/*.pp', 'spec/fixtures/**/*.pp']
-
 desc "Validate the Puppet syntax of all manifests"
 task :validate do
   Dir['./{dist,manifests}/**/*.pp'].each do |filename|
-    sh "puppet parser validate '#{filename}'"
+    sh "puppet parser validate --parser future '#{filename}'"
   end
 end
+
+PuppetLint::RakeTask.new :lint do |config|
+  config.disable_checks = ['80chars',
+                           'class_parameter_defaults',
+                           'names_containing_dash']
+  config.pattern = 'dist/**/*.pp'
+  config.fail_on_warnings = true
+end
+
+desc 'Resolve all the dependencies'
+task :resolve do
+  # for reasons beyond me, we list dependencies in Puppetfile and .fixtures.yml
+  # we need to keep them in sync, and when we change them we need to run two commands
+  # to reflect those changes
+
+  # this fills ./modules
+  `rm -rf ./modules/*`
+  `r10k puppetfile install`
+
+  # this fills ./spec/fixtures/modules
+  Rake::Task['spec_clean'].invoke
+  Rake::Task['spec_prep'].invoke
+end
+
+desc 'Check syntax of DNS zone file'
+task "test-zonefile" do
+  sh "docker run --rm -v $PWD:/data kohsuke/named-checkzone jenkins-ci.org dist/profile/files/bind/jenkins-ci.org.zone"
+  sh "docker run --rm -v $PWD:/data kohsuke/named-checkzone jenkins.io dist/profile/files/bind/jenkins.io.zone"
+end

Vagrantfile

@@ -0,0 +1,87 @@
+# Required plugins:
+#    vagrant-aws
+#    vagrant-serverspec
+
+Vagrant.configure("2") do |config|
+  access_key_id = ENV['AWS_ACCESS_KEY_ID'] || File.read('.vagrant_key_id').chomp
+  secret_access_key = ENV['AWS_SECRET_ACCESS_KEY'] || File.read('.vagrant_secret_access_key').chomp
+  keypair = ENV['AWS_KEYPAIR_NAME'] || File.read('.vagrant_keypair_name').chomp
+
+  # prefer aws provider over virtualbox to make it the default
+  config.vm.provider 'aws'
+  config.vm.provider 'virtualbox'
+
+  config.vm.box = 'dummy'
+  config.vm.box_url = 'https://github.com/mitchellh/vagrant-aws/raw/master/dummy.box'
+
+  # modules/account/.travis.yml has incorrect link target, and this blows up
+  # when vagrant tries to rsync files as it tries to resolves symlinks.
+  # see http://www.trilithium.com/johan/2011/09/delete-broken-symlinks/
+  `find -L . -type l -delete`
+
+  config.vm.provider(:aws) do |aws, override|
+    aws.access_key_id = access_key_id
+    aws.secret_access_key = secret_access_key
+    aws.keypair_name = keypair
+
+    # Ubuntu LTS 14.04 in us-west-2 stock
+    aws.ami = 'ami-9abea4fb'
+    aws.region = 'us-west-2'
+    aws.instance_type = 'm3.medium'
+
+    override.ssh.username = "ubuntu"
+    override.ssh.private_key_path = File.expand_path('~/.ssh/id_rsa')
+  end
+
+  Dir['./dist/role/manifests/**/*.pp'].each do |role|
+    next if File.directory? role
+    # Turn `dist/role/manifests/spinach.pp` into `spinach`
+    veggie = File.basename(role).gsub('.pp', '')
+
+    # If there are no serverspec files, we needn't provision a machine!
+    if Dir["./spec/server/#{veggie}/*.rb"].empty?
+      puts ">> no serverspec defined for #{veggie}"
+      next
+    end
+
+    config.vm.define(veggie) do |node|
+      node.vm.provider(:aws) do |aws, override|
+        aws.tags = {
+          :Name => veggie
+        }
+      end
+
+      bootstrap_script = <<-EOF
+if [ ! -f "/apt-cached" ]; then
+  wget -q http://apt.puppetlabs.com/puppetlabs-release-trusty.deb
+  dpkg -i puppetlabs-release-trusty.deb
+  apt-get update && apt-get install -yq puppet && touch /apt-cached;
+fi
+EOF
+
+      # This is a Vagrant-local hack to make sure we have properly udpated apt
+      # caches since AWS machines are definitely going to have stale ones
+      node.vm.provision 'shell', :inline => bootstrap_script
+
+      node.vm.provision 'puppet' do |puppet|
+        puppet.manifest_file = File.basename(role)
+        puppet.manifests_path = File.dirname(role)
+        puppet.module_path = ['modules', 'dist']
+        # Setting the work to /vagrant so our hiera configuration will resolve
+        # properly to our relative hieradata/
+        puppet.working_directory = '/vagrant'
+        puppet.facter = {
+          :vagrant => '1',
+        }
+        puppet.hiera_config_path = 'spec/fixtures/hiera.yaml'
+        puppet.options = "--verbose --execute 'include role::#{veggie}\n include profile::vagrant'"
+      end
+
+      node.vm.provision :serverspec do |spec|
+        spec.pattern = "spec/server/#{veggie}/*.rb"
+      end
+    end
+  end
+end
+
+# vim: ft=ruby

check

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+bundle exec rake lint test-zonefile
+
+# this assumes that you have run `bundle exec rake spec_prep` at least once
+# to set up fixtures
+bundle exec parallel_rspec spec/classes

ci/00_setupgems.sh

@@ -2,4 +2,9 @@
 
 gem install bundler --no-ri --no-rdoc
 
-bundle install --without development plugins
+mkdir -p vendor/gems
+
+bundle install --verbose --without development plugins --path=vendor/gems
+
+# clean out old fixtures just in case they were left there by a previous build
+bundle exec rake spec_clean || true

ci/10_lintpuppet.sh

@@ -0,0 +1,3 @@
+#!/bin/sh -xe
+
+exec bundle exec rake lint

ci/10_validatepuppet.sh

@@ -1,3 +0,0 @@
-#!/bin/sh -xe
-
-bundle exec rake validate lint

ci/11_rspecpuppet.sh

@@ -0,0 +1,3 @@
+#!/bin/sh -xe
+
+exec bundle exec rake spec --trace

ci/12_bindcheck.sh

@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+#
+# Ensure our DNS zone files are correct
+# <https://issues.jenkins-ci.org/browse/INFRA-283>
+
+#exec bundle exec rake test-zonefile

ci/Dockerfile

@@ -0,0 +1,12 @@
+# Instance for running our tests quickly and easily
+FROM ubuntu:trusty
+MAINTAINER tyler@linux.com
+
+# Packages we need for a sane build
+#  * ruby, ruby-dev, zlib1g-dev: all to ensure `bundle install` works properly
+#  * git: duh
+#  * build-essential: make sure Ruby has some tools for building native
+#    extensions
+#  * bind9utils: ensure we can verify DNS zones
+RUN apt-get update -q && apt-get install -qy git build-essential zlib1g-dev ruby ruby-dev bind9utils && apt-get clean
+RUN gem install bundler --no-ri --no-rdoc

dist/profile/files/apache/00-reverseproxy_combined.conf

@@ -0,0 +1,4 @@
+# MANAGED BY PUPPET. DO NOT MODIFY
+
+# define log file format
+LogFormat "\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %I %O" reverseproxy_combined

dist/profile/files/apache/other-vhosts-access-log.conf

@@ -0,0 +1,4 @@
+# MANAGED BY PUPPET. DO NOT MODIFY
+
+# Define an access log for VirtualHosts that don't define their own logfile
+CustomLog "|/usr/bin/rotatelogs /var/log/apache2/other/access.log.%Y%m%d%H%M%S 86400" reverseproxy_combined

dist/profile/files/apachecert/bogus-bundle.crt

@@ -0,0 +1,79 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
+MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
+IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
+MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
+B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
+Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
+dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
+CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
+Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
+3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
+6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
+gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
+GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
+IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
+MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
+bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
+H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
+OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
+9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
+KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
+qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
+rw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
+MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
+YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
+MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
+ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
+MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
+PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
+wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
+EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
+avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
+sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
+/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
+IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
+OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
+TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
+HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
+dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
+ReYNnyicsbkqWletNw+vHX/bvZ8=
+-----END CERTIFICATE-----

dist/profile/files/apachecert/bogus.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIJAI0COa8Ryww1MA0GCSqGSIb3DQEBBQUAMBAxDjAMBgNV
+BAMMBWJvZ3VzMB4XDTE1MDMyODIzMjc0NFoXDTI1MDMyNTIzMjc0NFowEDEOMAwG
+A1UEAwwFYm9ndXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtd1sq
+Fiov+Z37A+oXH6zuTvykUZKFLdN/kX5miansn5KJdJpzQeJEyR0av+IBJ4ipfJey
+A//J3DpH70a4zuyCbRs1N4e1yWgZzNQQSY4VBoOGXpCENnNwub2ab9y/9NjMV4dH
+yQHd7ciaWDelT1tiiTJn2DmGO0ElU5axfclD/ODrpkyLvUiZZmpkmA5NaBJe4VR5
+zrG/DhPJEEJnHBqIiPEJZtfUGJLtG6NnLVdfHxg8SfWkbNQWV3V/8SXQ4IXO5Eze
+B0fAT8HSZBQD92YgczWaK5HBTUoxutjHCLHhkCTQ2GJaMehjPpAt4C1wShSeZDJt
+N60dfEBDlmUsbgbdAgMBAAGjUDBOMB0GA1UdDgQWBBQyo1CZFOML6oQIkerOQZGQ
+pS9jMzAfBgNVHSMEGDAWgBQyo1CZFOML6oQIkerOQZGQpS9jMzAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAdNh7GK9ekSBAhFX8vKYtiN9jjsowQRP0B
+t8iCC966jmpJm6cehMomuHqatlqKZM8llPckR+weuqRlLfaZxTnujYzl6uqqwyHa
+CLv6csKJFN9mTJ2rMLOrhnw31LjSZbDnYjPnUIOpYEg03UW9r2S5Hr989T7YcqFl
+zFxbDIUwxBCuA8yOrKQFtMKfxN17WZwHCEAg4S24VlP8+wXKclzrqZHnkQ+NJ0ci
+MsVf/UlROx/JT92w0z2AVLS8xdogROpeYSOQ433ceXyyhVTLxGFJ5OZJ5z7DFfWQ
+Kvern/eB95PdMMllttFKpCXhx2zeUWH+Mn/gNgjcLBXeQdEif/ZG
+-----END CERTIFICATE-----

dist/profile/files/apachecert/cucumber-bundle.crt

@@ -0,0 +1,79 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
+MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
+IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
+MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
+B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
+Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
+dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
+CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
+Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
+3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
+6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
+gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
+GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
+IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
+MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
+bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
+H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
+OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
+9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
+KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
+qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
+rw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
+MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
+YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
+MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
+ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
+MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
+PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
+wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
+EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
+avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
+sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
+/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
+IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
+OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
+TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
+HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
+dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
+ReYNnyicsbkqWletNw+vHX/bvZ8=
+-----END CERTIFICATE-----

dist/profile/files/apachecert/cucumber.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFgTCCBGmgAwIBAgIJAPgPNY0nPxZxMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE1MDIwODE5NTQzOFoX
+DTE3MDIwOTAzNDEyMlowPDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMRcwFQYDVQQDEw5qZW5raW5zLWNpLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMQKctZILOefeVAaTIbD6bq8etUU9IaQcuUKkxf0AEh34cqj
+pufhzMaz5iJRYRdZDXzfaIVcn06wWV4AEz2IVllGYghpOzcwSMwjlIzLbScR/4ib
+meokVhZyiQXoN2jkjUVCKGVMruAndL1ABSMSgZL5OWJQkiP4EzeFAf5+uInme8GO
+YgYL5Rt7EjhisukAOCmXwCH5lJmcpI+eXaQMPr9X7D4L3WRLw3dH0b5r9zMlZmvX
+al8HKOue6aZVDjzERnoy4bid3JgP0xOM7GTMMFgtOHiY51L+iD1aZR3LBwKoNnY7
+KbrKEs8wZ9wu8mJbpGVZwT2eKejeBiTSGrRMBWMCAwEAAaOCAgswggIHMAwGA1Ud
+EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
+/wQEAwIFoDA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLmdvZGFkZHkuY29t
+L2dkaWcyczEtODcuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3Bggr
+BgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0
+b3J5LzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdv
+ZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2Rh
+ZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0
+gzCiM9f7bLPwtCyAzjCBggYDVR0RBHsweYIOamVua2lucy1jaS5vcmeCEnd3dy5q
+ZW5raW5zLWNpLm9yZ4IUdXNhZ2UuamVua2lucy1jaS5vcmeCEnN2bi5qZW5raW5z
+LWNpLm9yZ4IRY2kuamVua2lucy1jaS5vcmeCFnVwZGF0ZXMuamVua2lucy1jaS5v
+cmcwHQYDVR0OBBYEFDoi2BzFKa2pxSl3EppQt97qynR0MA0GCSqGSIb3DQEBCwUA
+A4IBAQBw43snveMPqYntLt0oAeGNmaoi3HexEfL+lOUzvpWHK68Cpk1HGHgbWfXk
+HP9/pW1YLmv8ZZtdwlwIdEcPVizEMskEeSvx91eKpJrohqr6XCIFdKoV46sKuBdz
+M04wMmgRjbQYX9d2DMrjBb0gtJ1AmfxkAtT8gdKpL4lDybPeFLLcydXOLC6p1urS
+LWr/HDXQWotrazUw8UUJieTwBeouNWE01sbvlbqsssmtbgjze7Y0nWJRtTjtFdI1
+5LnR5gnhcCLJUb75vXEfcq7JD2caDpxx1/L45f4UIim/AJUxtJyNxoPEbvoDz9jx
+FYH3RoOnMO6yjshFKBsSnPD0zfh6
+-----END CERTIFICATE-----

dist/profile/files/apachecert/ssl.conf

@@ -0,0 +1,11 @@
+# MANAGED BY PUPPET. DO NOT MODIFY
+
+<IfModule mod_ssl.c>
+    # put into a IfModule so that SSL can be disabled without breaking anything
+    SSLCertificateFile      /etc/apache2/certificate.crt
+    SSLCertificateChainFile /etc/apache2/bundle.crt
+    SSLCertificateKeyFile   /etc/apache2/server.key
+    # Disable SSLv2 and SSLV3 since both are insecure and force the use of TLS1
+    # or higher (INFRA-390)
+    SSLProtocol All -SSLv2 -SSLv3
+</IfModule>

dist/profile/files/apachecert/wiki-jira-bundle.crt

@@ -0,0 +1,79 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
+MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
+IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
+MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
+B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
+Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
+dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
+CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
+Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
+3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
+6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
+gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
+GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
+IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
+oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
+MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
+bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
+H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
+OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
+9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
+KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
+qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
+rw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
+MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
+YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
+MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
+ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
+MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
+PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
+wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
+EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
+avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
+sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
+/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
+IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
+OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
+TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
+HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
+dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
+ReYNnyicsbkqWletNw+vHX/bvZ8=
+-----END CERTIFICATE-----

dist/profile/files/apachecert/wiki-jira.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFbTCCBFWgAwIBAgIJAIjgqHJGvu3QMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE2MDIyOTA0MzUzOFoX
+DTE3MDMwMTA0MzUzOFowQzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMR4wHAYDVQQDExVpc3N1ZXMuamVua2lucy1jaS5vcmcwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDQnPfbfsSDaYNzM30TTldIcY1laR0Di3lT4e8l
+DdBrvHR4dzyeh0A2LzrW4VhhwYDGrLg/aXfUZ5E/cD4iC2J5zZ1/tM3fuZDeEV6V
+MAMpr8SEmuZVdljeXzlbXUoSYpbRqjuexVGzgmbPigiGdetLZxpmsfZTu6UkdWIN
+NXnY2a1icHaODvPhrIkuXp0T1HcWBa49GLk8xLHLUZPQg+yXSbwjkVfjJtdQBlHq
+UPJKodNpoQuXe0s6cvz9Oa5asR9zu2My6jf6JYkH2hS+pUsVHLefXvTfQSg4TRLl
+Gz+BpJzar393X0nO7ObKrWHgwbDRWR1B4NxtqBf242xjmSyVAgMBAAGjggHwMIIB
+7DAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAO
+BgNVHQ8BAf8EBAMCBaAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5nb2Rh
+ZGR5LmNvbS9nZGlnMnMxLTIwMS5jcmwwUwYDVR0gBEwwSjBIBgtghkgBhv1tAQcX
+ATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29t
+L3JlcG9zaXRvcnkvMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov
+L29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNh
+dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaA
+FEDCvSeOzDSDMKIz1/tss/C0LIDOMGcGA1UdEQRgMF6CFWlzc3Vlcy5qZW5raW5z
+LWNpLm9yZ4IZd3d3Lmlzc3Vlcy5qZW5raW5zLWNpLm9yZ4ITd2lraS5qZW5raW5z
+LWNpLm9yZ4IVcHVwcGV0LmplbmtpbnMtY2kub3JnMB0GA1UdDgQWBBR2es/+TuPl
+3EdUbfWCZBP5bqtUCTANBgkqhkiG9w0BAQsFAAOCAQEAo60VBFk3IzabzGkKSP+5
+Al9Kj5Uly/naTOFhpyBGqL8XTwLeomn8QaKgUc6vyvKYIEJQCNkX9y7CLr66cP8B
+xKzuq5gXfHADygg0+tjQap3bq0xDRJ6S0cndg7slTgHFOnjXNFKmnzqgOvdLQWb7
+IpfKvnATDks2i6SWaJR24lMZB78iboIcqtklT1BJSnC23r4CDiRj91hyz8zUV0B1
+Oy7r3bTIKoMkzYFwCQg0MFxlyufB7oxMwCbYCSa3Zvbu7PAF5JNuP88bUwwJs5uQ
+n2GxEKrVMwGGOZgzRf7jYF6vJJQNrVX1an29k4vxmwZdaIb+t5CCnVHEY7IZM7Zy
+Bw==
+-----END CERTIFICATE-----

dist/profile/files/apachemaintenance/maintenance.html

@@ -0,0 +1,9 @@
+<html>
+<body>
+<div align=middle style="font-size:2em">
+  <img src=http://mirror.xmission.com/jenkins/art/jenkins-logo/256x256/logo.png>
+<br>
+  Our site is currently down for maintenance. Please check <a href="http://twitter.com/jenkinsci">our twitter</a> account for updates.
+</div>
+</body>
+</html>

dist/profile/files/bind/jenkins-ci.org.zone

@@ -0,0 +1,131 @@
+; Domain: jenkins-ci.org
+
+; SOA Record
+JENKINS-CI.ORG.    3600    IN    SOA    ns1.jenkins-ci.org. tyler.monkeypox.org. (
+                2011122901
+                28800
+                7200
+                604800
+                3600
+                )
+
+; A Records
+@           3600    IN    A    199.193.196.24
+
+; Primary at Contegix
+cucumber    3600    IN    A    199.193.196.24
+
+; VM at Rackspace
+spinach     3600    IN    A    173.203.60.151
+celery      3600    IN    A    162.242.234.101
+celery      3600    IN    AAAA 2001:4802:7801:103:be76:4eff:fe20:357c
+okra        3600    IN    A    162.209.106.32
+okra        3600    IN    AAAA 2001:4802:7800:2:be76:4eff:fe20:7a31
+; cabbage has died of dysentery
+cabbage     3600    IN    A    104.130.167.56
+kelp        3600    IN    A    162.209.124.149
+kelp        3600    IN    AAAA 2001:4802:7801:101:be76:4eff:fe20:b252
+
+; Hosts at OSUOSL
+lettuce     3600    IN    A    140.211.9.32      ; otherwise known as jenkins-lettuce.osuosl.org
+artichoke   3600    IN    A    140.211.9.22      ; otherwise known as jenkins-puppet.osuosl.org
+eggplant    3600    IN    A    140.211.15.101    ; otherwise known as hudson-java.osuosl.org
+edamame     3600    IN    A    140.211.9.2       ; otherwise known as jenkins-confluence.osuosl.org
+
+lists       3600    IN    A    140.211.166.34
+ns1         3600    IN    A    140.211.9.2 ; edamame
+ns2         3600    IN    A    173.203.60.151 ; spinach (Rackspace)
+ns3         3600    IN    A    162.209.106.32 ; okra (Rackspace)
+
+
+;-----------------------------------
+
+; CNAME Records
+www         3600    IN    CNAME    @
+issues      3600    IN    CNAME    edamame
+gherkin     3600    IN    CNAME    cucumber
+drupal      3600    IN    CNAME    cucumber
+wiki        3600    IN    CNAME    lettuce
+updates     3600    IN    CNAME    cucumber
+downloads   3600    IN    CNAME    cucumber
+fisheye     3600    IN    CNAME    cucumber
+l10n        3600    IN    CNAME    l10n.jenkins.io.
+javadoc     3600    IN    CNAME    cucumber
+mirrors     3600    IN    CNAME    cucumber
+pkg         3600    IN    CNAME    cucumber
+usage       3600    IN    CNAME    cucumber
+stacktrace  3600    IN    CNAME    cucumber
+sorcerer    3600    IN    CNAME    cucumber
+stats       3600    IN    CNAME    cucumber
+maven       3600    IN    CNAME    cucumber
+maven2      3600    IN    CNAME    cucumber
+ci          3600    IN    CNAME    cucumber
+svn         3600    IN    CNAME    cucumber
+meetings    3600    IN    CNAME    edamame
+javanet2    3600    IN    CNAME    cucumber
+ldap        3600    IN    CNAME    cucumber
+jekyll      3600    IN    CNAME    jenkinsci.github.io.
+git         3600    IN    CNAME    spinach
+boxes       3600    IN    CNAME    spinach
+mirrors2    3600    IN    CNAME    lettuce
+ips         3600    IN    CNAME    lettuce
+nagios      3600    IN    CNAME    lettuce
+kale        3600    IN    CNAME    ec2-184-73-58-254.compute-1.amazonaws.com.   ; contributed by Red Hat
+repo        3600    IN    CNAME    jenkinsci.jfrog.org.      ; Artifactory hosted by JFrog
+links       3600    IN    CNAME    rhs.reddit.com.           ; /r/jenkinsci
+fallback    3600    IN    CNAME    spinach
+plugin-generator    3600 IN  CNAME jpi-create.jenkins.cloudbees.net.    ; hosted app on CloudBees RUN@cloud
+goto        3600    IN    CNAME    goto.jenkins.cloudbees.net.          ; hosted app on CloudBees RUN@cloud
+recipe      3600    IN    CNAME    recipe.jenkins.cloudbees.net.        ; hosted app on CloudBees RUN@cloud
+puppet      3600    IN    CNAME    artichoke
+archives    3600    IN    CNAME    okra
+beta        3600    IN    CNAME    eggplant ; beta site for the jenkins-ci.org/jenkins.io site
+demo        3600    IN    CNAME    kelp
+accounts    3600    IN    CNAME    eggplant
+
+; MX Records
+@          3600    IN    MX    0    cucumber
+lists      3600    IN    MX    0    smtp1.osuosl.org.
+lists      3600    IN    MX    0    smtp2.osuosl.org.
+lists      3600    IN    MX    0    smtp3.osuosl.org.
+lists      3600    IN    MX    0    smtp4.osuosl.org.
+
+; NS Records
+@           3600    IN    NS    ns1
+@           3600    IN    NS    ns2
+@           3600    IN    NS    ns3
+
+; SPF
+;   this policy enables the e-mail originating from these hosts to be whitelisted.
+;    199.193.196.24     (cucumber)
+;    140.211.15.*       (eggplant and its subnet)
+;    140.211.8.*        (lettuce and its subnet)
+;    140.211.9.*        (edamame and its subnet)
+;        -> combined into 140.211.8.*/23
+;    173.203.60.151     (spinach)
+;    140.211.166.128/25 (OSUOSL mail relays)
+;    "~all" in the end makes the rest soft failures (as opposed to -all for hard failure)
+;
+;   when modifying, use http://www.kitterman.com/spf/validate.html to test
+@ 3600 IN  TXT "v=spf1 mx ip4:199.193.196.24 ip4:140.211.15.0/24 ip4:140.211.8.0/23 ip4:173.203.60.151 ip4:140.211.166.128/25 -all"
+@ 3600 IN  SPF "v=spf1 mx ip4:199.193.196.24 ip4:140.211.15.0/24 ip4:140.211.8.0/23 ip4:173.203.60.151 ip4:140.211.166.128/25 -all"
+
+; DKIM
+cucumber._domainkey     1W IN TXT ("v=DKIM1;p="
+    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGI3F6ZZemke1oeZLfdl"
+    "WT6bNz71CHIF74XFPkzJvPrKfCIa50KVV1FLdAbvBFFhtZB9soQphMg1g8JVvCCc"
+    "Jykf8QAnr0/zGy2CZoHGfqYem1SUgMd//jOQ4PIgypfBXHYPeFOFcKg2seIyd75Y"
+    "cR0DOWXCF1UO5K/nezfPT9RB5vBW4mXV5dn8TUwdvsu1ApQKWQj3dLYpMNlVqAgw"
+    "dc7dCifqAWvhfxrRaPzG/4aSgpwxqYt4d6NV3Jl0MB9nnBeWK3JzmPxkXwaO1D8e"
+    "3KxxIkvGTBs4BK9SIC3lY90xV5eqOlehLL9ZUYndtiQfABp2tfQkitG59N4FEfUB"
+    "vwIDAQAB"
+    )
+eggplant._domainkey     1W IN TXT ("v=DKIM1;p="
+    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsBwtlRrZE7oYs5y3FKjt"
+    "/gXl4QR7LqdBmmQXX+l5pYE0VbTaweUlnNfSkV72sZchTikQ7X15hNgQ+hW/99tU"
+    "WGnXlAC2r444Ggl9xoFVxKhSIbkRVRszzIe5axo4BQENZ/cj7Mw8BwsB8mESG29K"
+    "YtKeMkXfLuBkWuUZ/56pu1eOOfZl4iMLiQnP7UNpAlX4L1/Le3bIaTWZUrsk/MwE"
+    "pwULsW0VB3sghu4K+Kdos1AyGP2NwkQL3CCzpwm1TaBaC0rb0sQ0m62JgPe3NzOt"
+    "U3NGXKNnpLRuhYNFU46bW/6ZVF0NskessArYAsbY54cMHTzhpvkC6b2hs5x+ps0J"
+    "3QIDAQAB"
+    )

dist/profile/files/bind/jenkins.io.zone

@@ -0,0 +1,64 @@
+; Domain: jenkins.io
+
+; SOA Record
+@  1D  IN  SOA    ns1.jenkins-ci.org. tyler.monkeypox.org. (
+                2015122201 ; serial, todays date + todays serial #
+                28800      ; refresh, seconds
+                7200       ; retry, seconds
+                604800     ; expire, seconds
+                3600       ; minimum, seconds
+                )
+
+; A Records
+@           3600    IN    A    140.211.15.101 ; eggplant
+
+; Physical machine at Contegix
+cucumber    3600    IN    A    199.193.196.24
+; VM at Rackspace
+spinach     3600    IN    A    173.203.60.151
+celery      3600    IN    A    162.242.234.101
+celery      3600    IN    AAAA 2001:4802:7801:103:be76:4eff:fe20:357c
+okra        3600    IN    A    162.209.106.32
+okra        3600    IN    AAAA 2001:4802:7800:2:be76:4eff:fe20:7a31
+; cabbage has died of dysentery
+cabbage     3600    IN    A    104.130.167.56
+kelp        3600    IN    A    162.209.124.149
+kelp        3600    IN    AAAA 2001:4802:7801:101:be76:4eff:fe20:b252
+
+; Hosts at OSUOSL
+lettuce     3600    IN    A    140.211.9.32      ; otherwise known as jenkins-lettuce.osuosl.org
+; artichoke has died of dysentery
+artichoke   3600    IN    A    140.211.9.22      ; otherwise known as jenkins-puppet.osuosl.org
+eggplant    3600    IN    A    140.211.15.101    ; otherwise known as hudson-java.osuosl.org
+edamame     3600    IN    A    140.211.9.2       ; otherwise known as jenkins-confluence.osuosl.org
+radish      3600    IN    A    140.211.9.94      ; otherwise known as jenkins-radish.osuosl.org
+
+
+; EC2
+ldap        3600    IN    A    52.23.244.165  ; jenkins-ldap
+rating      3600    IN    A    52.90.42.37    ; jenkins-ratings
+mirrors     3600    IN    A    52.91.151.148  ; jenkins-mirrorbrain
+ci          3600    IN    A    54.173.158.235 ; jenkins-ci
+l10n        3600    IN    A    54.88.79.38    ; jenkins-l10n
+
+
+; CNAME Records
+www         3600    IN    CNAME    @
+pkg         3600    IN    CNAME    mirrors ; pkg and mirrors run off the same host
+beta        3600    IN    CNAME    eggplant ; beta site for the jenkins-ci.org/jenkins.io site
+puppet      3600    IN    CNAME    radish
+accounts    3600    IN    CNAME    eggplant
+
+; Magical CNAME for certificate validation
+D07F852F584FA592123140354D366066.ldap.jenkins.io. 3600 IN CNAME 75E741181A7ACDBE2996804B2813E09B65970718.comodoca.com.
+
+
+; NS Records
+@           3600    IN    NS    ns1.jenkins-ci.org.
+@           3600    IN    NS    ns2.jenkins-ci.org.
+@           3600    IN    NS    ns3.jenkins-ci.org.
+
+; spam trap
+spamtrap    3600    IN    MX    10 mxa.mailgun.org.
+spamtrap    3600    IN    MX    10 mxb.mailgun.org.
+

dist/profile/files/bind/named.conf.local

@@ -0,0 +1,11 @@
+zone "jenkins-ci.org" {
+  type master;
+  file "/etc/bind/local/jenkins-ci.org.zone";
+  allow-transfer { 140.211.166.126; };
+};
+
+zone "jenkins.io" {
+  type master;
+  file "/etc/bind/local/jenkins.io.zone";
+  allow-transfer { 140.211.166.126; };
+};

dist/profile/files/confluence/http_check.yaml

@@ -0,0 +1,16 @@
+  # This URL is supposed to be served by static cache layer
+  # But in the past sometimes we seem to lose the static cache files, and
+  # measuring the response time of this is a good test to detect that.
+  - name: Confluence
+    url: https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin
+    timeout: 1
+    threshold: 3
+    window: 5
+
+  # URL that's not served by the static cache. This URL also requires database access,
+  # so it's a good test to watch out for starved database connections
+  - name: Confluence Backend
+    url: https://wiki.jenkins-ci.org/s/2015/1/1/_/download/superbatch/css/batch.css
+    timeout: 1
+    threshold: 3
+    window: 5

dist/profile/files/confluence/process_check.yaml

@@ -0,0 +1,6 @@
+  - name: Confluence
+    search_string: ['-Dcatalina.home=/srv/wiki']
+    exact_match: false
+    thresholds:
+      # expect exactly 1 instance
+      critical: [0, 1]

dist/profile/files/confluence/robots.txt

@@ -0,0 +1,2 @@
+user-agent: *
+disallow: /label

dist/profile/files/hiera.yaml

@@ -1,6 +1,7 @@
 ---
 :backends:
   - eyaml
+  - yaml
 
 :hierarchy:
   - "clients/%{clientcert}"
@@ -15,7 +16,7 @@
 #  :datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
 
 :eyaml:
-  :datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
+  :datadir: "/etc/puppetlabs/code/environments/%{environment}/hieradata"
   :extension: 'yaml'
   :pkcs7_private_key: /var/lib/puppet/keys/private_key.pkcs7.pem
   :pkcs7_public_key: /var/lib/puppet/keys/public_key.pkcs7.pem

dist/profile/files/jira/http_check.yaml

@@ -0,0 +1,6 @@
+instances:
+  - name: JIRA
+    url: https://issues.jenkins-ci.org/browse/JENKINS-12345
+    timeout: 1
+    threshold: 3
+    window: 5

dist/profile/files/jira/process_check.yaml

@@ -0,0 +1,6 @@
+  - name: JIRA
+    search_string: ['-Dcatalina.home=/srv/jira']
+    exact_match: false
+    thresholds:
+      # expect exactly 1 instance
+      critical: [0, 1]

dist/profile/files/ldap/process_check.yaml

@@ -0,0 +1,7 @@
+  - name: LDAP
+    search_string: ['/usr/bin/slapd']
+    exact_match: false
+    thresholds:
+      # expect exactly 1 instance
+      critical: [0, 1]
+

dist/profile/files/r10k/r10k.yaml

@@ -0,0 +1,12 @@
+---
+#
+# THIS FILE IS MANAGED BY PUPPET
+
+sources:
+  infra:
+    remote: 'https://github.com/jenkins-infra/jenkins-infra.git'
+    basedir: '/etc/puppetlabs/code/environments'
+
+git:
+  provider: 'rugged'
+  private_key: '/var/lib/puppet/keys/r10k'

dist/profile/files/staticsite/deploy-site

@@ -0,0 +1,104 @@
+#!/usr/bin/env ruby
+
+require 'fileutils'
+
+provided_file = ARGV.first
+
+module Deployer
+  # Simple method to ensure that two invocations of this don't overlap
+  def self.use_lock(&block)
+    lock_file = '/tmp/deploy-site.lockfile'
+
+    if File.exists? lock_file
+      puts '> The lock exists, exiting'
+      exit 0
+    end
+
+    File.open(lock_file, 'w+') do |f|
+      f.write "#{Process.pid}\n"
+    end
+
+    begin
+      block.call
+    ensure
+      File.unlink(lock_file)
+    end
+  end
+
+  def self.update_deployment(deploy_dir, dir_name)
+    unless File.readlink(deploy_dir) == dir_name
+      FileUtils.rm_f deploy_dir
+      FileUtils.ln_sf(dir_name, deploy_dir)
+      puts "Updated the #{deploy_dir} symbolic link"
+    end
+  end
+
+  def self.deploy!(provided_file, into)
+    use_lock do
+      dir_name = File.basename(provided_file, File.extname(provided_file))
+
+      unless File.exists? dir_name
+        puts "Processing #{provided_file} into #{dir_name}"
+        # Unzip it!
+        `unzip -qo #{provided_file}`
+
+        if $? != 0
+          puts "Something went wrong unzipping #{provided_file}"
+          exit 1
+        end
+      end
+
+      update_deployment(into, dir_name)
+    end
+  end
+end
+
+# If we don't have an argument, let's look in the CWD/archives directory for
+# the last file available
+if ARGV.size != 1
+  base_dir = File.dirname($0)
+  archives_dir = File.join(base_dir, 'archives')
+  unless File.exists? archives_dir
+    puts "> Please provide a zip file generated from the jenkins.io build process"
+    exit 1
+  end
+
+  version_regex = /.*jenkins.io-(\d+).(\d+).(\d+).*/
+  archives = Dir.glob("#{archives_dir}/*.zip").sort do |a, b|
+    # Make sure that we're always sorting on the patch number for now, that's
+    # the only thing we really care about right now (BUILD_NUMBER)
+    a.match(version_regex)[3].to_i <=> b.match(version_regex)[3].to_i
+  end
+
+  [
+    ['current', archives.reject { |f| f =~ /beta/ }.last],
+    ['beta', archives.select { |f| f =~ /beta/ }.last],
+  ].each do |deploy_dir, archive|
+    next if archive.nil?
+    Deployer.deploy! archive, deploy_dir
+  end
+
+  # Once we've deployed successfully, we can clean up some legacy stuff
+  current = File.readlink(File.join(base_dir, 'current'))
+  beta = File.readlink(File.join(base_dir, 'beta'))
+
+  if archives.size > 5
+    # Let's walk through each archive except the 5 and delete them
+    archives[0 ... -5].each do |archive|
+      FileUtils.rm_f archive
+    end
+  end
+
+  Dir.glob(File.join(base_dir, '*')).each do |path|
+    # Don't bother looking at non-directories
+    next unless File.directory? path
+    # Don't both with anything that isn't a jenkins.io type directory
+    next unless path.match version_regex
+
+    # Skip our currently deployed sites
+    next if path.end_with? current
+    next if path.end_with? beta
+
+    FileUtils.rm_rf(path)
+  end
+end

dist/profile/manifests/accountapp.pp

@@ -0,0 +1,103 @@
+#
+# Profile defining the necessary resources to provision our LDAP-based
+# accountapp
+class profile::accountapp(
+  # all injected from hiera
+  $image_tag,
+  $ldap_url = 'ldap://localhost:389/',
+  $ldap_password = '',
+  $smtp_server = 'localhost',
+  $recaptcha_key = '',
+  $app_url = 'https://accounts.jenkins.io/',
+  $jira_url = 'http://issues.jenkins-ci.org/rpc/soap/jirasoapservice-v2',
+  $jira_username = accountapp,
+  $jira_password = '',
+) {
+  include ::firewall
+  include profile::docker
+  include profile::letsencrypt
+  include profile::apachemisc
+
+  validate_string($image_tag)
+  validate_string($ldap_url)
+  validate_string($ldap_password)
+  validate_string($smtp_server)
+  validate_string($recaptcha_key)
+
+  file { '/etc/accountapp' :
+    ensure => directory,
+    # Don't allow anything not declared in Puppet to be dropped in there
+    purge  => true,
+  }
+
+  file { '/etc/accountapp/config.properties':
+    ensure  => file,
+    content => template("${module_name}/accountapp/config.properties.erb"),
+    require => File['/etc/accountapp'],
+  }
+
+  docker::image { 'jenkinsciinfra/account-app':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'account-app':
+    command          => undef,
+    image            => "jenkinsciinfra/account-app:${image_tag}",
+    volumes          => ['/etc/accountapp:/etc/accountapp'],
+    require          => File['/etc/accountapp/config.properties'],
+    env              => [
+      "LDAP_URL=${ldap_url}",
+      "LDAP_PASSWORD=${ldap_password}",
+      "JIRA_URL=${jira_url}",
+      "JIRA_USERNAME=${jira_username}",
+      "JIRA_PASSWORD=${jira_password}",
+    ],
+    extra_parameters => ['--net=host'],
+  }
+
+  # docroot is required for apache::vhost but should never be used because
+  # we're proxying everything here
+  $docroot = '/var/www/html'
+
+  apache::vhost { 'accounts.jenkins.io':
+    serveraliases => [
+      'accounts.jenkins-ci.org',
+    ],
+    port          => '443',
+    ssl           => true,
+    ssl_key       => '/etc/letsencrypt/live/accounts.jenkins.io/privkey.pem',
+    # When Apache is upgraded to >= 2.4.8 this should be changed to
+    # fullchain.pem
+    ssl_cert      => '/etc/letsencrypt/live/accounts.jenkins.io/cert.pem',
+    ssl_chain     => '/etc/letsencrypt/live/accounts.jenkins.io/chain.pem',
+    docroot       => $docroot,
+    proxy_pass    => [
+      {
+        path         => '/',
+        url          => 'http://localhost:8080/',
+        reverse_urls => 'http://localhost:8080/',
+      },
+    ],
+  }
+
+  apache::vhost { 'accounts.jenkins.io unsecured':
+    servername      => 'accounts.jenkins.io',
+    serveraliases   => [
+      'accounts.jenkins-ci.org',
+    ],
+    port            => '80',
+    docroot         => $docroot,
+    redirect_status => 'permanent',
+    redirect_dest   => $app_url,
+  }
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { 'accounts.jenkins.io':
+        domains     => ['accounts.jenkins.io', 'accounts.jenkins-ci.org'],
+        plugin      => 'apache',
+        manage_cron => true,
+    }
+  }
+}

dist/profile/manifests/accounts.pp

@@ -2,6 +2,10 @@
 # Profile defining all the `account` resources with all our important account
 # information
 class profile::accounts {
+  group { 'atlassian-admins':
+    ensure => present,
+  }
+
   $accounts = hiera_hash('accounts')
   create_resources('account', $accounts)
 }

dist/profile/manifests/apachecert.pp

@@ -0,0 +1,35 @@
+#
+# SSL certificates staged for Apache
+#
+class profile::apachecert (
+  # all injected from hiera
+  $id,  # identify which private key / certificate pair we should use. This usually comes from hieradata/clients/*.yaml
+        # see dist/profile/files/apache-cert/$id{,-bundle}.crt and profile::apache-cert::secret-key-$id
+) {
+  include apache
+  include apache::mod::ssl
+
+  # certificates and apache config to let Apache recognize this file
+  file { '/etc/apache2/certificate.crt':
+    source  => "puppet:///modules/${module_name}/apachecert/${id}.crt",
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+  file { '/etc/apache2/bundle.crt':
+    source  => "puppet:///modules/${module_name}/apachecert/${id}-bundle.crt",
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+  file { '/etc/apache2/conf.d/ssl.conf':
+    source  => "puppet:///modules/${module_name}/apachecert/ssl.conf",
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+
+  file { '/etc/apache2/server.key':
+    content => hiera("profile::apachecert::secret-key-${id}"),
+    mode    => '0600',
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+}

dist/profile/manifests/apachemaintenance.pp

@@ -0,0 +1,22 @@
+# Generates the apache virtual host config file for the maintenance mode
+#
+# This puts a file under /etc/apache2/sites-available/SITENAME.maintenance
+# and you can manually symlink this from sites-enabled to put the maintenance mode UI
+define profile::apachemaintenance {
+  # $name refers to the site name
+
+  # Template uses: $addr_port
+  file { '/var/www/maintenance':
+    ensure => directory,
+  }
+
+  file { '/var/www/maintenance/maintenance.html':
+    ensure => present,
+    source => "puppet:///modules/${module_name}/apachemaintenance/maintenance.html",
+  }
+
+  file { "/etc/apache2/sites-available/${name}.maintenance.conf":
+    ensure  => present,
+    content => template("${module_name}/apachemaintenance/maintenance.conf.erb"),
+  }
+}

dist/profile/manifests/apachemisc.pp

@@ -0,0 +1,61 @@
+#
+# Misc. apache settings
+#
+class profile::apachemisc(
+  $ssh_enabled = false,
+) {
+  include ::apache
+  # log rotation setting lives in another module
+  include apachelogcompressor
+
+  # enable mod_status for local interface and allow datadog to monitor this
+  include apache::mod::status
+  include datadog_agent::integrations::apache
+
+  include apache::mod::proxy
+  include apache::mod::proxy_http
+  include apache::mod::ssl
+
+  file { '/etc/apache2/conf.d/00-reverseproxy_combined':
+    ensure => present,
+    source => "puppet:///modules/${module_name}/apache/00-reverseproxy_combined.conf",
+    mode   => '0444',
+  }
+
+  file { '/etc/apache2/conf.d/other-vhosts-access-log':
+    ensure => present,
+    source => "puppet:///modules/${module_name}/apache/other-vhosts-access-log.conf",
+    mode   => '0444',
+  }
+
+  # /usr/bin/rotatelogs is (as of 14.04) located in apache2-utils
+  package { 'apache2-utils' :
+    ensure => present,
+  }
+
+  # allow Jenkins to login as www-data to populate some web content
+  if $ssh_enabled {
+    file { '/var/www/.ssh':
+      ensure => directory,
+    }
+
+    file { '/var/www/.ssh/authorized_keys':
+      ensure  => present,
+      content => 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1l3oZpCJlFspsf6cfa7hovv6NqMB5eAn/+z4SSiaKt9Nsm22dg9xw3Et5MczH0JxHDw4Sdcre7JItecltq0sLbxK6wMEhrp67y0lMujAbcMu7qnp5ZLv9lKSxncOow42jBlzfdYoNSthoKhBtVZ/N30Q8upQQsEXNr+a5fFdj3oLGr8LSj9aRxh0o+nLLL3LPJdY/NeeOYJopj9qNxyP/8VdF2Uh9GaOglWBx1sX3wmJDmJFYvrApE4omxmIHI2nQ0gxKqMVf6M10ImgW7Rr4GJj7i1WIKFpHiRZ6B8C/Ds1PJ2otNLnQGjlp//bCflAmC3Vs7InWcB3CTYLiGnjrw== hudson@cucumber',
+    }
+  }
+
+  firewall {
+    '200 allow http':
+      proto  => 'tcp',
+      port   => 80,
+      action => 'accept',
+  }
+
+  firewall {
+    '201 allow https':
+      proto  => 'tcp',
+      port   => 443,
+      action => 'accept',
+  }
+}

dist/profile/manifests/apt.pp

@@ -0,0 +1,12 @@
+#
+# Class for ensuring some basic state around the apt repositories on a machine,
+# i.e. that it's updated daily
+class profile::apt {
+
+  cron { 'update the apt cache':
+    command => 'apt-get update',
+    hour    => 2,
+    minute  => 20,
+  }
+
+}

dist/profile/manifests/archives.pp

@@ -0,0 +1,63 @@
+#
+# Defines an archive server for serving all the archived historical releases
+#
+class profile::archives {
+  include ::stdlib
+  # volume configuration is in hiera
+  include ::lvm
+  include profile::apachemisc
+
+  $archives_dir = '/srv/releases'
+
+  if str2bool($::vagrant) {
+    # during serverspec test, fake /dev/xvdb by a loopback device
+    exec { 'create /tmp/xvdb':
+      command => 'dd if=/dev/zero of=/tmp/xvdb bs=1M count=16; losetup /dev/loop0; losetup /dev/loop0 /tmp/xvdb',
+      unless  => 'test -f /tmp/xvdb',
+      path    => '/usr/bin:/usr/sbin:/bin:/sbin',
+      before  => Physical_volume['/dev/loop0'],
+    }
+  }
+
+
+  package { 'lvm2':
+    ensure => present,
+  }
+
+  package { 'libapache2-mod-bw':
+    ensure => present,
+  }
+
+
+  file { $archives_dir:
+    ensure  => directory,
+    owner   => 'www-data',
+    require => [Package['httpd'],
+                Mount[$archives_dir]],
+  }
+
+
+  file { '/var/log/apache2/archives.jenkins-ci.org':
+    ensure => directory,
+  }
+
+  apache::mod { 'bw':
+    require => Package['libapache2-mod-bw'],
+  }
+
+  apache::vhost { 'archives.jenkins-ci.org':
+    servername      => 'archives.jenkins-ci.org',
+    vhost_name      => '*',
+    port            => '80',
+    docroot         => $archives_dir,
+    access_log      => false,
+    error_log_file  => 'archives.jenkins-ci.org/error.log',
+    log_level       => 'warn',
+    custom_fragment => template("${module_name}/archives/vhost.conf"),
+    options         => ['FollowSymLinks', 'MultiViews', 'Indexes'],
+    notify          => Service['apache2'],
+    require         => [File['/var/log/apache2/archives.jenkins-ci.org'],
+                        Mount[$archives_dir],
+                        Apache::Mod['bw']],
+  }
+}

dist/profile/manifests/atlassian.pp

@@ -0,0 +1,19 @@
+#
+# Profile containing the basics to support an Atlassian product in our
+# infrastructure
+#
+
+class profile::atlassian {
+  include apache
+  include firewall
+  include profile::docker
+  include sudo
+
+  $group_name = 'atlassian-admins'
+
+  sudo::conf { $group_name:
+    priority => 10,
+    content  => "%${group_name} ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/bin/docker",
+    require  => Group[$group_name],
+  }
+}

dist/profile/manifests/base.pp

@@ -0,0 +1,29 @@
+#
+# Basic profile included in each node
+class profile::base {
+
+  include profile::accounts
+
+  if $::kernel == 'Linux' {
+    include profile::apt
+    # None of these modules support anything other than Linux (apparently)
+    include profile::firewall
+    include profile::ntp
+    include profile::sudo
+    include profile::diagnostics
+
+    class { 'ssh::server':
+      storeconfigs_enabled => false,
+      options              => {
+        'PasswordAuthentication' => 'no',
+        'PubkeyAuthentication'   => 'yes',
+      },
+    }
+
+    class { 'ssh::client':
+      options => {
+        'UseRoaming' => 'no',
+      },
+    }
+  }
+}

dist/profile/manifests/bind.pp

@@ -0,0 +1,65 @@
+# Run containerized BIND9 to serve both jenkins-ci.org and the jenkins.io zone
+class profile::bind (
+  # all injected from hiera
+  $image_tag,
+) {
+
+  include ::firewall
+  include profile::docker
+
+  # /etc/bind/local is hard-coded into the Dockerfile here:
+  # <https://github.com/jenkins-infra/bind/blob/master/Dockerfile>
+  $conf_dir = '/etc/bind/local'
+
+  file { ['/etc/bind', $conf_dir]:
+    ensure => directory,
+    purge  => true,
+  }
+
+  file { "${conf_dir}/jenkins-ci.org.zone":
+    ensure  => present,
+    notify  => Service['docker-bind'],
+    source  => "puppet:///modules/${module_name}/bind/jenkins-ci.org.zone",
+    require => File[$conf_dir],
+  }
+
+  file { "${conf_dir}/jenkins.io.zone":
+    ensure  => present,
+    notify  => Service['docker-bind'],
+    source  => "puppet:///modules/${module_name}/bind/jenkins.io.zone",
+    require => File[$conf_dir],
+  }
+
+  file { "${conf_dir}/named.conf.local":
+    ensure  => present,
+    notify  => Service['docker-bind'],
+    source  => "puppet:///modules/${module_name}/bind/named.conf.local",
+    require => File[$conf_dir],
+  }
+
+  docker::image { 'jenkinsciinfra/bind':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'bind':
+    command => undef,
+    ports   => ['53:53', '53:53/udp'],
+    image   => "jenkinsciinfra/bind:${image_tag}",
+    volumes => ['/etc/bind/local:/etc/bind/local'],
+    require => [File["${conf_dir}/named.conf.local"],
+      File["${conf_dir}/jenkins-ci.org.zone"],
+    ],
+  }
+
+  firewall { '900 accept tcp DNS queries':
+    proto  => 'tcp',
+    port   => 53,
+    action => 'accept',
+  }
+
+  firewall { '901 accept udp DNS queries':
+    proto  => 'udp',
+    port   => 53,
+    action => 'accept',
+  }
+}

dist/profile/manifests/buildslave.pp

@@ -0,0 +1,102 @@
+# Jenkins build slave connectable via SSH
+class profile::buildslave(
+  $home_dir        = '/home/jenkins',
+  $ssh_private_key = undef,
+  $docker          = true,
+  $ruby            = true,
+) {
+  include ::stdlib
+  include git
+
+  $user = 'jenkins'
+
+  if $ruby {
+    # Make sure our Ruby class is properly contained so we can require it in a
+    # Package resource
+    contain('ruby')
+  }
+
+  if $docker {
+    include profile::docker
+    $groups = [$user, 'docker']
+    $account_requires = Package['docker']
+  }
+  else {
+    $groups = [$user]
+  }
+
+  account { $user:
+    home_dir => $home_dir,
+    groups   => $groups,
+    ssh_keys => {
+                  'cucumber' => {
+                    'key' => 'AAAAB3NzaC1yc2EAAAABIwAAAQEA1l3oZpCJlFspsf6cfa7hovv6NqMB5eAn/+z4SSiaKt9Nsm22dg9xw3Et5MczH0JxHDw4Sdcre7JItecltq0sLbxK6wMEhrp67y0lMujAbcMu7qnp5ZLv9lKSxncOow42jBlzfdYoNSthoKhBtVZ/N30Q8upQQsEXNr+a5fFdj3oLGr8LSj9aRxh0o+nLLL3LPJdY/NeeOYJopj9qNxyP/8VdF2Uh9GaOglWBx1sX3wmJDmJFYvrApE4omxmIHI2nQ0gxKqMVf6M10ImgW7Rr4GJj7i1WIKFpHiRZ6B8C/Ds1PJ2otNLnQGjlp//bCflAmC3Vs7InWcB3CTYLiGnjrw==',
+                  },
+                  'celery'   => {
+                    'key' => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBrEqC3IwdKOptY4SUi/RI0+plMVRhs+xrm1ZUizC4qK7UHW3fk/412zb5dkC1FJHFUUJh/Aa7P/OFLxfaf/nVPQ4Nv5ZIMC8g3b7yAWLHrZb7qLpPA8viG1dXXrHMdPLz2uFa2OKtrzlLe4jtyqRtnN8W+dTAWPorkZ9ia1wpD/wdPoKdDtzktBv7gXHpA/jb2arxYWkd560KtQnUbr+LDzrCkeWj2z3BtEGqKxdOtjJMWbLRU9tIkv809VaQJowEs/acwAno/5O7ejYdRzsIicX6GaiHksS6W6vBV4eEn0mA/cX0qFeo1rcGgnXbn4IyglJiwlqm3YSGpKGVJZn',
+                  },
+                },
+    comment  => 'Jenkins build node user',
+    require  => $account_requires,
+  }
+
+  file { "${home_dir}/.ssh/id_rsa":
+    ensure  => file,
+    content => $ssh_private_key,
+    require => Account[$user],
+  }
+
+
+  if $docker {
+    file { "${home_dir}/.docker":
+      ensure  => directory,
+      owner   => $user,
+      require => Account[$user],
+    }
+
+    file { "${home_dir}/.docker/config.json":
+      ensure  => file,
+      content => hiera('docker_hub_key'),
+      owner   => $user,
+      require => File["${home_dir}/.docker"],
+    }
+  }
+
+  if $ruby {
+    package { 'bundler':
+      ensure   => installed,
+      provider => 'gem',
+      require  => Class['ruby'],
+    }
+
+    ensure_packages([
+      'libxml2-dev',          # for Ruby apps that require nokogiri
+      'libxslt1-dev',         # for Ruby apps that require nokogiri
+      'libcurl4-openssl-dev', # for curb gem
+      'libruby',              # for net/https
+    ])
+  }
+
+  if $::kernel == 'Linux' {
+    ensure_packages([
+      'subversion',
+      'make',
+      'build-essential',
+    ])
+  }
+
+
+  # https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/
+  sshkey { 'github-rsa':
+    ensure       => present,
+    host_aliases => ['github.com'],
+    type         => 'ssh-rsa',
+    key          => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==',
+  }
+
+  sshkey { 'github-dsa':
+    ensure => absent,
+  }
+}
+
+# vim: nowrap

dist/profile/manifests/confluence.pp

@@ -0,0 +1,135 @@
+# Run containerized Confluence to serve wiki.jenkins-ci.org
+# see https://github.com/jenkins-infra/confluence for how the container is put together
+#
+# this class puts apache virtual host for wiki.jenkins-ci.org, which forwards requests to
+#
+class profile::confluence (
+  $image_tag,         # tag of confluence container
+  $cache_image_tag,   # tag of confluence cache container
+  $database_url,      # JDBC URL that represents the database backend
+) {
+  # as a preparation, deploying mock-webapp and not the real confluence
+
+  include profile::atlassian
+  include apache::mod::rewrite
+  include profile::apachemisc
+
+  account { 'wiki':
+    home_dir => '/srv/wiki',
+    groups   => [ 'sudo', 'users' ],
+    uid      => 2000,   # this value must match what's in the 'confluence' docker container
+    gid      => 2000,
+    comment  => 'Runs confluence',
+  }
+
+  file { '/var/log/apache2/wiki.jenkins-ci.org':
+    ensure => directory,
+    group  => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/wiki/home':
+    ensure => directory,
+    # confluence container is baked with UID=1000 & GID=1001
+    owner  => 'wiki',
+    group  => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/wiki/docroot':
+    ensure => directory,
+    group  => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/wiki/docroot/robots.txt':
+    ensure => directory,
+    owner  => 'wiki',
+    group  => $profile::atlassian::group_name,
+    source => 'puppet:///modules/profile/confluence/robots.txt',
+  }
+
+  $ldap_password = hiera('profile::ldap::admin_password')
+  file { '/srv/wiki/container.env':
+    content => join([
+        "LDAP_PASSWORD=${ldap_password}",
+        "DATABASE_URL=${database_url}"
+      ], "\n"),
+    mode    => '0600',
+  }
+
+  docker::image { 'jenkinsciinfra/confluence':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'confluence':
+    command         => undef,
+    ports           => ['8081:8080'],
+    image           => "jenkinsciinfra/confluence:${image_tag}",
+    volumes         => ['/srv/wiki/home:/srv/wiki/home', '/srv/wiki/cache:/srv/wiki/cache'],
+    env_file        => '/srv/wiki/container.env',
+    restart_service => true,
+    use_name        => true,
+    require         => File['/srv/wiki/container.env'],
+  }
+
+  docker::image { 'jenkinsciinfra/confluence-cache':
+    image_tag => $cache_image_tag,
+  }
+
+  docker::run { 'confluence-cache':
+    command         => undef,
+    ports           => ['127.0.0.1:8009:8080'],
+    image           => "jenkinsciinfra/confluence-cache:${cache_image_tag}",
+    volumes         => ['/srv/wiki/cache:/cache'],
+    links           => ['confluence'],
+    # The hostname `confluence` should be ensured by the --link option passed
+    # to the docker run command
+    env             => ['TARGET=http://confluence:8080'],
+    restart_service => true,
+    use_name        => true,
+  }
+
+  ### to put maintenance screen up, comment out the following and comment in the apache::vhost for https://jenkins-ci.org
+  ### #if
+  #file { '/etc/apache2/sites-enabled/25-wiki.jenkins-ci.org.conf':
+  #  ensure => 'link',
+  #  target => '/etc/apache2/sites-available/wiki.jenkins-ci.org.maintenance.conf',
+  #}
+  ### #else
+  apache::vhost { 'wiki.jenkins-ci.org':
+    port            => '443',
+    docroot         => '/srv/wiki/docroot',
+    access_log      => false,
+    error_log_file  => 'wiki.jenkins-ci.org/error.log',
+    log_level       => 'warn',
+    custom_fragment => template("${module_name}/confluence/vhost.conf"),
+
+    notify          => Service['apache2'],
+    require         => File['/var/log/apache2/wiki.jenkins-ci.org'],
+  }
+  ### #endif
+
+  apache::vhost { 'wiki.jenkins-ci.org non-ssl':
+    # redirect non-SSL to SSL
+    servername      => 'wiki.jenkins-ci.org',
+    port            => '80',
+    docroot         => '/srv/wiki/docroot',
+    redirect_status => 'temp',
+    redirect_dest   => 'https://wiki.jenkins-ci.org/'
+  }
+
+  profile::apachemaintenance { 'wiki.jenkins-ci.org':
+  }
+
+  profile::datadog_check { 'confluence-http-check':
+    checker => 'http_check',
+    source  => 'puppet:///modules/profile/confluence/http_check.yaml',
+  }
+
+  profile::datadog_check { 'confluence-process-check':
+    checker => 'process',
+    source  => 'puppet:///modules/profile/confluence/process_check.yaml',
+  }
+
+  host { 'wiki.jenkins-ci.org':
+    ip => '127.0.0.1',
+  }
+}

dist/profile/manifests/datadog_check.pp

@@ -0,0 +1,34 @@
+# Assemble fragments into datadog checker configuration files
+#
+define profile::datadog_check(
+  $checker,
+  $source    = undef,
+  $content   = undef,
+) {
+  $target ="${datadog_agent::params::conf_dir}/${checker}.yaml"
+
+  include datadog_agent
+
+  # define the header section
+  if !defined(Concat[$target]) {
+    concat { $target:
+      owner => 'root',
+      group => 'root',
+    }
+
+    concat::fragment { "${target}-header":
+      target  => $target,
+      content => "init_config:\n\ninstances:\n",
+      order   => '00',
+    }
+
+    # when the file in question is updated, we need to restart datadog agent
+    Exec["concat_${target}"] ~> Service[$datadog_agent::params::service_name]
+  }
+
+  concat::fragment { $name:
+    target  => $target,
+    source  => $source,
+    content => $content,
+  }
+}

dist/profile/manifests/demo.pp

@@ -0,0 +1,67 @@
+#
+# Run a demo instance of Jenkins in a Docker container
+class profile::demo(
+$image_tag = '2.0-alpha-2',
+) {
+  include profile::docker
+  include profile::apachemisc
+
+  $image = 'jenkinsci/jenkins'
+  $user  = 'demo'
+  $site  = 'demo'
+  $uid   = '2002'
+
+  docker::image { $image:
+    image_tag => $image_tag,
+  }
+
+  docker::run { $site:
+    username        => $uid,
+    volumes         => ['/srv/demo:/var/jenkins_home'],
+    image           => "${image}:${image_tag}",
+    ports           => ['8080:8080'],
+    restart_service => true,
+    use_name        => true,
+    require         => [
+      Class['::docker'],
+      Docker::Image[$image],
+      File['/srv/demo'],
+      User[$user],
+    ],
+  }
+
+  # The File[/etc/init/docker-demo.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-demo.conf' |> {
+    notify  => Service['docker-demo'],
+  }
+
+  account { $user:
+    home_dir => '/srv/demo',
+    uid      => $uid,
+    comment  => 'Runs demo',
+  }
+
+  file { "/var/log/apache2/${site}.jenkins-ci.org":
+    ensure => directory,
+  }
+
+  apache::vhost { "${site}.jenkins-ci.org":
+    servername      => "${site}.jenkins-ci.org",
+    port            => '80',
+    docroot         => '/srv/demo/userContent',  # bous
+    access_log      => false,
+    error_log_file  => "${site}.jenkins-ci.org/error.log",
+    log_level       => 'warn',
+    custom_fragment => template("${module_name}/demo/vhost.conf"),
+
+    notify          => Service['apache2'],
+    require         => [File["/var/log/apache2/${site}.jenkins-ci.org"],
+                        Docker::Run[$site]
+    ],
+  }
+
+  host { "${site}.jenkins-ci.org":
+    ip => '127.0.0.1',
+  }
+}

dist/profile/manifests/diagnostics.pp

@@ -0,0 +1,10 @@
+#
+# The diagnostics profile will add some diagnostics tools for our internal use
+# where ever this profile is applied
+#
+class profile::diagnostics {
+  include ::stdlib
+  include ::datadog_agent
+
+  ensure_packages(['htop', 'strace'])
+}

dist/profile/manifests/docker.pp

@@ -0,0 +1,25 @@
+#
+# Profile for managing basics of docker installation/configuration
+class profile::docker {
+  class { '::docker':
+    version       => '1.9.1',
+    # Disabling the management of the kernel, since we have to pre-install
+    # kernel modules on Ubuntu 12.04 LTS and restart the host machine anyways
+    manage_kernel => false,
+  }
+
+  include datadog_agent::integrations::docker
+
+  # Ensure that the datadog user has the right group to access docker
+  user { $datadog_agent::params::dd_user:
+    ensure  => present,
+    groups  => ['docker'],
+    require => Class['::docker'],
+  }
+
+  firewall { '010 allow inter-docker traffic':
+    # traffic within docker is OK
+    iniface => 'docker0',
+    action  => 'accept',
+  }
+}

dist/profile/manifests/docker/run_tombstone.pp

@@ -0,0 +1,16 @@
+#
+# A define that cleans up the left over from docker::run
+#
+define profile::docker::run_tombstone {
+
+  $initscript = "/etc/init/docker-${title}.conf"
+
+  file { $initscript:
+    ensure  => absent,
+  }
+
+  service { "docker-${title}":
+    ensure     => stopped,
+  }
+}
+

dist/profile/manifests/firewall.pp

@@ -0,0 +1,34 @@
+#
+# Class containing basic profile information for setting up the basic firewall
+# rules that every role should contain
+class profile::firewall {
+  include ::firewall
+
+  firewall { '000 accept icmp traffic':
+    proto  => 'icmp',
+    action => 'accept',
+  }
+
+  firewall { '001 accept ssh traffic':
+    proto  => 'tcp',
+    port   => 22,
+    action => 'accept',
+  }
+
+  firewall { '002 accept local traffic':
+    # traffic within localhost is OK
+    iniface => 'lo',
+    action  => 'accept',
+  }
+
+  firewall { '003 accept established connections':
+    # this is needed to make outbound connections work, such as database connection
+    state  => ['RELATED','ESTABLISHED'],
+    action => 'accept',
+  }
+
+  firewall {
+    '999 drop all other requests':
+      action => 'drop',
+  }
+}

dist/profile/manifests/groovy.pp

@@ -0,0 +1,6 @@
+#
+# Simple profile to manage Groovy installation on machines
+class profile::groovy {
+  # see <https://github.com/jenkins-infra/puppet-groovy>
+  include ::groovy
+}

dist/profile/manifests/jenkins.pp

@@ -0,0 +1,31 @@
+#
+# Profile for managing a Jenkins master installation
+class profile::jenkins {
+  include profile::firewall
+
+  # This is a legacy role imported from infra-puppet, thus the goofy numbering
+  firewall { '108 Jenkins CLI port' :
+    proto  => 'tcp',
+    port   => 47278,
+    action => 'accept',
+  }
+
+  firewall { '801 Allow Jenkins web access only on localhost':
+    proto   => 'tcp',
+    port    => 8080,
+    action  => 'accept',
+    iniface => 'lo',
+  }
+
+  firewall { '802 Block external Jenkins web access':
+    proto  => 'tcp',
+    port   => 8080,
+    action => 'drop',
+  }
+
+  firewall { '810 Jenkins CLI SSH':
+    proto  => 'tcp',
+    port   => 22222,
+    action => 'accept',
+  }
+}

dist/profile/manifests/jenkinsadmin.pp

@@ -0,0 +1,67 @@
+#
+# IRC bot that runs most project related tasks
+# containerized in https://github.com/jenkins-infra/ircbot
+class profile::jenkinsadmin (
+  # Parameters supplied by Hiera
+  $github_login,
+  $github_password,
+  $jira_login,
+  $jira_password,
+  $nick_password,
+  $image_tag = undef,
+) {
+  include profile::docker
+
+  validate_string($image_tag)
+  $user = 'ircbot'
+
+  docker::image { 'jenkinsciinfra/ircbot':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'ircbot':
+    # The entrypoint in the container allows passing the nick password through
+    # to the invocation of the Java command, since the IRC bot .jar file
+    # requires:
+    #    java -jar /home/ircbot/*.jar $NICKPASSWORD
+    command  => $nick_password,
+    volumes  => ['/home/ircbot/.github:/home/ircbot/.github',
+                '/home/ircbot/.jenkins-ci.org:/home/ircbot/.jenkins-ci.org',
+    ],
+    username => 'ircbot',
+    image    => "jenkinsciinfra/ircbot:${image_tag}",
+    require  => [Docker::Image['jenkinsciinfra/ircbot'],
+                File['/home/ircbot/.github'],
+                File['/home/ircbot/.jenkins-ci.org'],
+    ],
+  }
+
+  # The File[/etc/init/docker-ircbot.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-ircbot.conf' |> {
+    notify  => Service['docker-ircbot'],
+  }
+
+  user { $user:
+    shell      => '/bin/false',
+    # hard-coding because this is what we already have on spinach
+    uid        => '1013',
+    managehome => true,
+  }
+
+  file { '/home/ircbot/.github':
+    owner   => $user,
+    require => User[$user],
+    content => template("${module_name}/jenkinsadmin/dot-github.erb"),
+    mode    => '0600',
+    notify  => Service['docker-ircbot'],
+  }
+
+  file { '/home/ircbot/.jenkins-ci.org':
+    owner   => $user,
+    require => User[$user],
+    content => template("${module_name}/jenkinsadmin/dot-jenkins.erb"),
+    mode    => '0600',
+    notify  => Service['docker-ircbot'],
+  }
+}

dist/profile/manifests/jira.pp

@@ -0,0 +1,121 @@
+# Run containerized JIRA to serve issues.jenkins-ci.org
+# see https://github.com/jenkins-infra/jira for how the container is put together
+class profile::jira (
+  # all injected from hiera
+  $image_tag,
+  $database_url,  # JDBC URL that represents that database backend
+) {
+  # as a preparation, deploying mock-webapp and not the real jira
+
+  include profile::atlassian
+  include apache::mod::rewrite
+  include profile::apachemisc
+
+  account { 'jira':
+    home_dir => '/srv/jira',
+    groups   => ['sudo', 'users'],
+    uid      => 2001,   # this value must match what's in the 'jira' docker container
+    gid      => 2001,
+    comment  => 'Runs JIRA',
+  }
+
+  file { '/var/log/apache2/issues.jenkins-ci.org':
+    ensure => directory,
+    group  => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/jira/home':
+    ensure  => directory,
+    require => File['/srv/jira'],
+    owner   => 'jira',
+    group   => $profile::atlassian::group_name,
+  }
+
+  file { '/srv/jira/docroot':
+    ensure  => directory,
+    require => File['/srv/jira'],
+    group   => $profile::atlassian::group_name,
+  }
+
+  # JIRA stores LDAP access information in database, not in file
+  file { '/srv/jira/container.env':
+    content => join([
+        "DATABASE_URL=${database_url}"
+      ], '\n'),
+    mode    => '0600',
+  }
+
+  if $::vagrant { # only for testing
+    docker::run { 'jiradb':
+      image           => 'mariadb',
+      env             => ['MYSQL_ROOT_PASSWORD=s3cr3t','MYSQL_USER=jira','MYSQL_PASSWORD=raji','MYSQL_DATABASE=jiradb'],
+      restart_service => true,
+      use_name        => true,
+      command         => undef,
+    }
+    $jira_links = ['jiradb:db']
+  } else {
+    $jira_links = undef
+  }
+
+  docker::image { 'jenkinsciinfra/jira':
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'jira':
+    command         => undef,
+    ports           => ['8080:8080'],
+    image           => "jenkinsciinfra/jira:${image_tag}",
+    volumes         => ['/srv/jira/home:/srv/jira/home'],
+    env_file        => '/srv/jira/container.env',
+    restart_service => true,
+    use_name        => true,
+    require         => File['/srv/jira/container.env'],
+    links           => $jira_links,
+  }
+
+  ### to put maintenance screen up, comment out the following and comment in the apache::vhost for https://jenkins-ci.org
+  ### #if
+  #file { '/etc/apache2/sites-enabled/25-issues.jenkins-ci.org.conf':
+  #  ensure => 'link',
+  #  target => '/etc/apache2/sites-available/issues.jenkins-ci.org.maintenance.conf',
+  #}
+  ### #else
+  apache::vhost { 'issues.jenkins-ci.org':
+    port            => '443',
+    docroot         => '/srv/jira/docroot',
+    access_log      => false,
+    error_log_file  => 'issues.jenkins-ci.org/error.log',
+    log_level       => 'warn',
+    custom_fragment => template("${module_name}/jira/vhost.conf"),
+
+    notify          => Service['apache2'],
+    require         => File['/var/log/apache2/issues.jenkins-ci.org'],
+  }
+  ### #endif
+  apache::vhost { 'issues.jenkins-ci.org non-ssl':
+    # redirect non-SSL to SSL
+    servername      => 'issues.jenkins-ci.org',
+    port            => '80',
+    docroot         => '/srv/jira/docroot',
+    redirect_status => 'temp',
+    redirect_dest   => 'https://issues.jenkins-ci.org/'
+  }
+
+  profile::apachemaintenance { 'issues.jenkins-ci.org':
+  }
+
+  profile::datadog_check { 'jira-http-check':
+    checker => 'http_check',
+    source  => 'puppet:///modules/profile/jira/http_check.yaml',
+  }
+
+  profile::datadog_check { 'jira-process-check':
+    checker => 'process',
+    source  => 'puppet:///modules/profile/jira/process_check.yaml',
+  }
+
+  host { 'issues.jenkins-ci.org':
+    ip => '127.0.0.1',
+  }
+}

dist/profile/manifests/l10n_server.pp

@@ -0,0 +1,63 @@
+#
+# Accept submissions from the translation plugin
+# containerized in https://github.com/jenkins-infra/l10n-server
+class profile::l10n_server (
+  # Parameters supplied by Hiera
+  $image_tag = 'latest',
+) {
+  include profile::docker
+  include profile::apachemisc
+
+  validate_string($image_tag)
+  $user = 'l10n'
+  $dir = "/srv/${user}"
+  $uid = '2003'
+  $image = 'jenkinsciinfra/l10n-server'
+
+  docker::image { $image:
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'l10n':
+    volumes  => ["${dir}:/var/l10n"
+    ],
+    ports    => ['8082:8080'],
+    username => $uid,
+    image    => "${image}:${image_tag}",
+    require  => [Docker::Image[$image],
+    ],
+    use_name => true,
+  }
+
+  # The File[/etc/init/docker-ircbot.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-l10n.conf' |> {
+    notify  => Service['docker-l10n'],
+  }
+
+  user { $user:
+    shell      => '/bin/false',
+    home       => $dir,
+    uid        => $uid,
+    managehome => true,
+  }
+
+  # docroot is required for apache::vhost but should never be used because
+  # we're proxying everything here
+  $docroot = '/var/www/html'
+
+  apache::vhost { 'l10n.jenkins.io':
+    serveraliases => [
+      'l10n.jenkins-ci.org',
+    ],
+    port          => '80',
+    docroot       => $docroot,
+    proxy_pass    => [
+      {
+        path         => '/',
+        url          => 'http://localhost:8082/',
+        reverse_urls => 'http://localhost:8082/',
+      },
+    ],
+  }
+}

dist/profile/manifests/l10n_server_tombstone.pp

@@ -0,0 +1,26 @@
+#
+# Used to clean up l10n_server
+class profile::l10n_server_tombstone {
+  $user = 'l10n'
+  $dir = "/srv/${user}"
+
+  profile::docker::run_tombstone { 'l10n':
+  }
+
+  user { $user:
+    ensure => absent,
+  }
+
+  # docroot is required for apache::vhost but should never be used because
+  # we're proxying everything here
+  $docroot = '/var/www/html'
+
+  apache::vhost { 'l10n.jenkins.io':
+    ensure  => absent,
+    docroot => $docroot,
+  }
+
+  file { $dir:
+    ensure => absent,
+  }
+}

dist/profile/manifests/ldap.pp

@@ -0,0 +1,162 @@
+#
+# Manage an OpenLDAP authentication service
+#
+class profile::ldap(
+  $database       = 'dc=jenkins-ci,dc=org',
+  $admin_dn       = 'cn=admin,dc=jenkins-ci,dc=org',
+  $admin_password = undef,
+  $ssl_key        = undef,
+  $ssl_cert       = undef,
+  $ssl_chain      = undef,
+) {
+  # Not including profile::firewall intentionally here to avoid introducing
+  # redundant iptables rules for the same patterns but with different names
+  # between jenkins-infra and infra-puppet.
+  #
+  # If this is to be applied on any role other than cucumber, the caller should
+  # expect to include profile::firewall themselves
+  include ::firewall
+  include ::datadog_agent
+
+  $ssl_dir = '/etc/ldap/ssl'
+  $ssl_key_path =   "${ssl_dir}/slap.key"
+  $ssl_cert_path =  "${ssl_dir}/slap.crt"
+  $ssl_chain_path = "${ssl_dir}/bundle.crt"
+
+  ensure_packages([
+      'libaugeas-ruby',          # for augeas based puppet providers
+  ])
+
+  class { 'openldap::server':
+    ldap_ifs  => ['127.0.0.1'],
+    ldapi_ifs => ['/'],
+    ldaps_ifs => ['/'],
+    ssl_cert  => $ssl_cert_path,
+    ssl_key   => $ssl_key_path,
+    ssl_ca    => $ssl_chain_path,
+    require   => [File[$ssl_key_path],File[$ssl_cert_path],File[$ssl_chain_path]]
+  }
+
+  openldap::server::database { $database:
+    directory => '/var/lib/ldap',
+    rootdn    => $admin_dn,
+    rootpw    => $admin_password,
+  }
+
+
+  # Access grants
+  ###############
+  openldap::server::access {
+    "to attrs=userPassword,shadowLastChange by dn=\"${admin_dn}\" on ${database}":
+      access => 'write',
+  }
+
+  openldap::server::access {
+    "to attrs=userPassword,shadowLastChange by anonymous on ${database}":
+      access => 'auth',
+  }
+
+  openldap::server::access {
+    "to attrs=userPassword,shadowLastChange by self on ${database}":
+      access => 'write',
+  }
+
+  openldap::server::access {
+    "to attrs=userPassword,shadowLastChange by * on ${database}":
+      access => 'none',
+  }
+  ###############
+
+
+  # SSL Certificates
+  file { $ssl_dir:
+    ensure  => directory,
+    mode    => '0700',
+    owner   => $openldap::params::server_owner,
+    require => Class['::openldap::server::install'],
+  }
+  file { $ssl_key_path:
+    content => $ssl_key,
+    mode    => '0600',
+    owner   => $openldap::params::server_owner,
+    notify  => Service['slapd'],
+    before  => Class['::openldap::server::service'],
+  }
+  file { $ssl_cert_path:
+    content => $ssl_cert,
+    mode    => '0644',
+    owner   => $openldap::params::server_owner,
+    notify  => Service['slapd'],
+    before  => Class['::openldap::server::service'],
+  }
+  file { $ssl_chain_path:
+    content => $ssl_chain,
+    mode    => '0644',
+    owner   => $openldap::params::server_owner,
+    notify  => Service['slapd'],
+    before  => Class['::openldap::server::service'],
+  }
+
+  profile::datadog_check { 'ldap-process-check':
+    checker => 'process',
+    source  => 'puppet:///modules/profile/ldap/process_check.yaml',
+  }
+
+  # Legacy firewall rules from infra-puppet which are copied and
+  # pasted here so infra-puppet and jenkins-infra are not clobbering
+  # each others' firewall declarations
+  firewall { '106 accept inbound LDAPS request from hosted Artifactory by JFrog':
+    proto  => 'tcp',
+    source => '50.19.229.208',
+    port   => 636,
+    action => 'accept',
+  }
+
+  # It appears that puppetlabs-firewall doesn't understand an Array as an
+  # option for the source argument. In fact, as far as I know, iptables can
+  # only lump multiple IPs into a single rule if they're in a contiguous
+  # range, this will have to do
+  firewall { '106 accept inbound LDAPS request from hosted Artifactory by JFrog (second IP)':
+    proto  => 'tcp',
+    source => '50.16.203.43',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '106 accept inbound LDAPS request from hosted Artifactory by JFrog (third IP)':
+    proto  => 'tcp',
+    source => '54.236.124.56',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '106 accept inbound LDAPS request from spambot':
+    proto  => 'tcp',
+    source => 'home.kohsuke.org',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '107 accept inbound LDAPS request from accounts app':
+    proto  => 'tcp',
+    source => 'accounts.jenkins.io',
+    port   => 636,
+    action => 'accept',
+  }
+
+  firewall { '107 accept inbound LDAPS request from puppet.jenkins.io':
+    proto  => 'tcp',
+    source => 'puppet.jenkins.io',
+    port   => 636,
+    action => 'accept',
+  }
+
+  # normally nobody listens on this port, but when we need to find the
+  # source IP address JFrog is using to connect us, run 'stone -d -d
+  # localhost:636 9636' and watch the log
+  firewall { '106 debugging the LDAPS connection (necessary to report source IP address)':
+    proto  => 'tcp',
+    port   => 9636,
+    action => 'accept',
+  }
+}

dist/profile/manifests/letsencrypt.pp

@@ -0,0 +1,11 @@
+#
+# This profile configures letsencrypt on the host it's applied to
+class profile::letsencrypt {
+  class { '::letsencrypt':
+    config => {
+        email  => hiera('letsencrypt::config::email'),
+        server => hiera('letsencrypt::config::server'),
+    }
+  }
+
+}

dist/profile/manifests/nolegacy.pp

@@ -0,0 +1,23 @@
+#
+# This profile is a simple profile to ensure the removal of the legacy
+# "infra-puppet" code which ran masterless puppet
+class profile::nolegacy {
+  cron { 'pull puppet updates':
+    ensure => absent,
+  }
+
+  cron { 'clean up old puppet logs':
+    ensure => absent,
+  }
+
+  cron { 'clean the repo-update cache':
+    ensure => absent,
+  }
+
+  # Clean up the infra-puppet checkout from the disk
+  file { '/root/infra-puppet':
+    ensure  => absent,
+    recurse => true,
+    force   => true,
+  }
+}

dist/profile/manifests/ntp.pp

@@ -0,0 +1,5 @@
+#
+# Profile defining the NTP configuration
+class profile::ntp {
+  include ::ntp
+}

dist/profile/manifests/puppetmaster.pp

@@ -2,24 +2,93 @@
 # profile::puppetmaster is a governing what a Jenkins puppetmaster should look
 # like
 class profile::puppetmaster {
-  # Mange hiera.yaml
+  # pull in all our secret stuff, and install eyaml
+  include ::jenkins_keys
+
+  include profile::r10k
+  # Set up our IRC reporter
+  include ::irc
+  include datadog_agent
+
+  # Manage hiera.yaml
   file { '/etc/puppetlabs/puppet/hiera.yaml':
     ensure => file,
     owner  => 'root',
     group  => 'root',
     mode   => '0644',
     source => "puppet:///modules/${module_name}/hiera.yaml",
-    notify => Service['pe-httpd'],
+    notify => Service['pe-puppetserver'],
   }
 
-  ## Ensure we're setting the right SMTP server
-  yaml_setting { 'console smtp server':
-    target => '/etc/puppetlabs/console-auth/config.yml',
-    key    => 'smtp/address',
-    value  => 'smtp.osuosl.org',
-    notify => Service['pe-httpd'],
+  ini_setting { 'update report handlers':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppet/puppet.conf',
+    section => 'master',
+    setting => 'reports',
+    value   => 'console,puppetdb,irc,datadog_reports',
+    notify  => Service['pe-puppetserver'],
+    # We really can't use datadog_reports until we have our datadog.yaml in
+    # place
+    require => File['/etc/dd-agent/datadog.yaml'],
   }
 
-  # pull in all our secret stuff, and install eyaml
-  include ::jenkins_keys
+  ini_setting { 'enable master pluginsync':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppet/puppet.conf',
+    section => 'master',
+    setting => 'pluginsync',
+    value   => true,
+    notify  => Service['pe-puppetserver'],
+  }
+
+  firewall { '010 allow dashboard traffic':
+    proto  => 'tcp',
+    port   => 443,
+    action => 'accept',
+  }
+
+  firewall { '011 allow r10k webhooks':
+    proto  => 'tcp',
+    port   => 9013,
+    action => 'accept',
+  }
+
+  firewall { '012 allow puppet agents':
+    proto  => 'tcp',
+    port   => 8140,
+    action => 'accept',
+  }
+
+  firewall { '013 allow mcollective':
+    proto  => 'tcp',
+    port   => 61613,
+    action => 'accept',
+  }
+
+  # This puppet enterprise special casing logic cribbed directly from the
+  # puppet-irc module which also needs to install gems
+  if $::pe_server_version {
+    $gem_provider = 'puppetserver_gem'
+  }
+  else {
+    $gem_provider = 'gem'
+  }
+
+  # The "datadog_agent::reports" module doesn't really handle puppet enterprise
+  # very well at all, in order to make things easier on myself I've decided to
+  # just bring in the *two* resources it defines myself
+  package { 'dogapi':
+    ensure   => present,
+    provider => $gem_provider,
+  }
+
+  $api_key = $::datadog_agent::api_key
+  file { '/etc/dd-agent/datadog.yaml':
+    ensure  => file,
+    content => template('datadog_agent/datadog.yaml.erb'),
+    owner   => 'pe-puppet',
+    group   => 'root',
+    mode    => '0640',
+    require => File['/etc/dd-agent'],
+  }
 }

dist/profile/manifests/r10k.pp

@@ -1,87 +1,14 @@
+#
+# The r10k profile manages the deploy hooks and r10k environment settings on
+# the puppet master.
+#
+# Deploying r10k is a bit of a chicken-and-egg problem, so this code exists to
+# ensure that the configuration that was manually set up is codified.
 class profile::r10k {
-
-  # Here we get our config for r10k from hiera.
-  # currently this hash is only used by the templates below
-  $r10k_options = hiera('r10k_options')
-
-  class { '::r10k':
-    remote            => 'https://github.com/jenkins-infra/jenkins-infra.git',
-    version           => '1.2.1',
-    modulepath        => '/etc/puppetlabs/puppet/environments/$environment/dist:/etc/puppetlabs/puppet/environments/$environment/modules:/opt/puppet/share/puppet/modules',
-    manage_modulepath => true,
-    mcollective       => true,
-  }
-
-  ini_setting { 'Update manifest in puppet.conf':
-    ensure  => present,
-    path    => '/etc/puppetlabs/puppet/puppet.conf',
-    section => 'main',
-    setting => 'manifest',
-    value   => '/etc/puppetlabs/puppet/environments/$environment/manifests/site.pp',
-  }
-
-  case $::osfamily {
-    'redhat': {
-      file { '/etc/init.d/r10k_deployhook.init':
-        ensure  => file,
-        owner   => root,
-        group   => root,
-        mode    => '0755',
-        content => template("${module_name}/r10k_deployhook.init.erb"),
-        notify  => Service['r10k_deployhook'],
-      }
-    }
-
-    'debian': {
-      file { '/etc/init/r10k_deployhook.conf':
-        ensure  => file,
-        owner   => root,
-        group   => root,
-        mode    => '0644',
-        content => template("${module_name}/r10k_deployhook.upstart.erb"),
-        alias   => 'deployhook_init',
-      }
-    }
-
-    default: { fail("${module_name} is not supported on ${::osfamily}") }
-  }
-
-  file { "${r10k_options['deployhooks_logdir']}/deployhooks":
+  file { '/etc/puppetlabs/r10k/r10k.yaml' :
     ensure => file,
-    owner  => peadmin,
-    group  => peadmin,
-    mode   => '0660',
-  }
-
-  file { "${r10k_options['deployhooks_logdir']}/mco":
-    ensure => file,
-    owner  => peadmin,
-    group  => peadmin,
-    mode   => '0660',
-  }
-
-  package { 'sinatra':
-    ensure   => present,
-    provider => pe_gem,
-  }
-
-  package { 'webrick':
-    ensure   => present,
-    provider => pe_gem,
-  }
-
-  file { '/usr/local/bin/r10k_deployhook':
-    ensure  => file,
-    owner   => root,
-    group   => root,
-    mode    => '0755',
-    content => template("${module_name}/r10k_deployhook.erb"),
-    require => [ Package['sinatra'], Package['webrick'] ],
-    notify  => Service['r10k_deployhook'],
-  }
-
-  service { 'r10k_deployhook':
-    ensure    => running,
-    enable    => true,
+    owner  => 'root',
+    mode   => '0744',
+    source => "puppet:///modules/${module_name}/r10k/r10k.yaml",
   }
 }

dist/profile/manifests/rating.pp

@@ -0,0 +1,88 @@
+#
+# Server side of the community rating data
+# containerized in https://github.com/jenkins-infra/infra-rating
+class profile::rating (
+  # Parameters supplied by Hiera
+  $image_tag = 'latest',
+) {
+  include profile::docker
+  include profile::apachemisc
+  include profile::letsencrypt
+
+  validate_string($image_tag)
+  $image = 'jenkinsciinfra/rating'
+  $config = '/etc/rating.conf'
+
+  docker::image { $image:
+    image_tag => $image_tag,
+  }
+
+  docker::run { 'rating':
+    image    => "${image}:${image_tag}",
+    volumes  => ["${config}:/config/dbconfig.php"
+    ],
+    ports    => ['8083:80'],
+    require  => [Docker::Image[$image],
+                File[$config],
+    ],
+    use_name => true,
+  }
+
+  # The File[/etc/init/docker-ircbot.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-rating.conf' |> {
+    notify  => Service['docker-rating'],
+  }
+
+  file { $config:
+    content => hiera('profile::rating::dbconfig'),
+    mode    => '0644',
+    notify  => Service['docker-rating'],
+  }
+
+  # convenient to interact with database
+  package { 'postgresql-client':
+    ensure => present,
+  }
+
+
+  # docroot is required for apache::vhost but should never be used because
+  # we're proxying everything here
+  $docroot = '/var/www/html'
+
+  apache::vhost { 'rating.jenkins.io':
+    port       => '443',
+    ssl        => true,
+    ssl_key    => '/etc/letsencrypt/live/rating.jenkins.io/privkey.pem',
+    # When Apache is upgraded to >= 2.4.8 this should be changed to
+    # fullchain.pem
+    ssl_cert   => '/etc/letsencrypt/live/rating.jenkins.io/cert.pem',
+    ssl_chain  => '/etc/letsencrypt/live/rating.jenkins.io/chain.pem',
+    docroot    => $docroot,
+    proxy_pass => [
+      {
+        path         => '/',
+        url          => 'http://localhost:8083/',
+        reverse_urls => 'http://localhost:8083/',
+      },
+    ],
+  }
+
+  apache::vhost { 'rating.jenkins.io unsecured':
+    servername      => 'rating.jenkins.io',
+    port            => '80',
+    docroot         => $docroot,
+    redirect_status => 'permanent',
+    redirect_dest   => 'https://rating.jenkins.io/',
+  }
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { 'rating.jenkins.io':
+        domains     => ['rating.jenkins.io'],
+        plugin      => 'apache',
+        manage_cron => true,
+    }
+  }
+}

dist/profile/manifests/robobutler.pp

@@ -0,0 +1,81 @@
+#
+# IRC bot that runs project meeting
+# containerized in https://github.com/jenkins-infra/robobutler
+#
+class profile::robobutler (
+  # all injected from hiera
+  $nick,
+  $password,
+  $logdir = '/var/www/meetings.jenkins-ci.org'
+) {
+  include profile::apachemisc
+  include profile::docker
+
+  # Tag is the docker container image tag from our build process
+  $tag = 'build12'
+  $user = 'butlerbot'
+
+  user { $user:
+    # butlerbot user id. hard-coded into butlerbot image
+    uid   => '500',
+    shell => '/bin/false',
+  }
+
+  file { $logdir:
+    ensure => directory,
+    owner  => $user,
+    mode   => '0755',
+  }
+
+  file { '/etc/butlerbot':
+    ensure => directory,
+    owner  => $user,
+  }
+
+  file { '/etc/butlerbot/main.conf':
+    owner   => $user,
+    mode    => '0600',
+    content => "export NICK=${nick}\nexport PASSWORD=${password}\nexport HTML_DIR=${logdir}",
+    require => File['/etc/butlerbot'],
+    notify  => Service['docker-butlerbot'],
+  }
+
+  docker::image { 'jenkinsciinfra/butlerbot':
+    image_tag => $tag,
+  }
+
+  docker::run { 'butlerbot':
+    command => undef,
+    image   => "jenkinsciinfra/butlerbot:${tag}",
+    volumes => ["${logdir}:${logdir}", '/etc/butlerbot:/etc/butlerbot'],
+    require => File['/etc/butlerbot/main.conf'],
+  }
+
+  # 'restart docker-butlerbot' won't do because it will not reload the configuration
+  exec { 'restart-butlerbot':
+    refreshonly => true,
+    command     => '/sbin/stop docker-butlerbot; /sbin/start docker-butlerbot',
+  }
+
+  # The File[/etc/init/docker-butlerbot.conf] resource is declared by the
+  # module, but we still need to punt the container if the config changes
+  File <| title == '/etc/init/docker-butlerbot.conf' |> {
+    notify  => Exec['restart-butlerbot'],
+  }
+
+
+  file { '/var/log/apache2/meetings.jenkins-ci.org':
+    ensure => directory,
+  }
+
+  apache::vhost { 'meetings.jenkins-ci.org':
+      docroot         => $logdir,
+      port            => '80',
+      access_log      => false,
+      error_log_file  => 'meetings.jenkins-ci.org/error.log',
+      log_level       => 'warn',
+      custom_fragment => 'CustomLog "|/usr/bin/rotatelogs /var/log/apache2/meetings.jenkins-ci.org/access.log.%Y%m%d%H%M%S 604800" reverseproxy_combined',
+      notify          => Service['apache2'],
+      require         => File['/var/log/apache2/meetings.jenkins-ci.org'],
+  }
+}

dist/profile/manifests/staticsite.pp

@@ -0,0 +1,156 @@
+#
+# The staticsite profile ensures that the right resources are present to host
+# the jenkins.io static site.
+#
+# context: <https://issues.jenkins-ci.org/browse/INFRA-506>
+class profile::staticsite(
+  $site_root = '/srv/jenkins.io',
+  $deployer_user = 'site-deployer',
+  $deployer_ssh_key = undef,
+) {
+
+  # Debian defaults to the 'worker' module which doesn't handle HackerNews hugs
+  # of death as well as I would like. the mpm_event module is much less
+  # resource intensive
+  class { 'apache':
+    mpm_module => 'event',
+  }
+
+  include profile::letsencrypt
+  # The apache-misc profile includes a number of other important monitoring and
+  # apache configuration settings
+  include profile::apachemisc
+
+  validate_string($deployer_user)
+  validate_string($deployer_ssh_key)
+  validate_absolute_path($site_root)
+
+  ensure_packages(['zip'])
+
+  # This shell is very important to ensure that this user cannot do much else
+  # other than upload some data
+  $deployer_shell = '/usr/lib/sftp-server'
+  $deployer_group = 'www-data'
+  $site_docroot = "${site_root}/current"
+  $beta_docroot = "${site_root}/beta"
+
+  account { $deployer_user:
+    home_dir     => $site_root,
+    ssh_key      => $deployer_ssh_key,
+    gid          => $deployer_group,
+    create_group => false,
+    shell        => $deployer_shell,
+    comment      => 'Static Site Deployer role account',
+    notify       => Exec['chown staticsite'],
+  }
+
+
+  # Make sure our deployer's shell is listed as a valid shell
+  file_line { 'sftp-server shell':
+    path => '/etc/shells',
+    line => $deployer_shell,
+  }
+
+  file { "${site_root}/archives":
+    ensure  => directory,
+    mode    => '0644',
+    owner   => $deployer_user,
+    group   => $deployer_group,
+    require => Account[$deployer_user],
+    notify  => Exec['chown staticsite'],
+  }
+
+  # The deploy-site script ensures that we can unzip an archive properly, it
+  # does not ensure that the archive gets placed in the appropriate location on
+  # the machine
+  file { "${site_root}/deploy-site":
+    ensure  => present,
+    owner   => $deployer_user,
+    group   => $deployer_group,
+    mode    => '0700',
+    source  => "puppet:///modules/${module_name}/staticsite/deploy-site",
+    require => Account[$deployer_user],
+  }
+
+  # To simplify permissions and keep the site-deployer's shell restricted to
+  # just SFTP, the `deploy-site` script is idempotent and can be run repeatedly
+  # without any issue
+  cron { 'deploy-site':
+    ensure  => present,
+    user    => $deployer_user,
+    command => "${site_root}/deploy-site",
+    minute  => '*',
+    require => File["${site_root}/deploy-site"],
+  }
+
+
+  # Setting up this symlink ahead of time even though archives/ isn't the right
+  # place for it to go. This prevents apache::vhost from making current/ a
+  # directory
+  file { $site_docroot:
+    ensure  => link,
+    replace => false,
+    owner   => $deployer_user,
+    group   => $deployer_group,
+    target  => "${site_root}/archives",
+    require => File["${site_root}/archives"],
+  }
+
+  file { $beta_docroot:
+    ensure  => link,
+    replace => false,
+    owner   => $deployer_user,
+    group   => $deployer_group,
+    target  => "${site_root}/archives",
+    require => File["${site_root}/archives"],
+  }
+
+  exec { 'chown staticsite':
+    command     => "/bin/chown -R ${deployer_user}:${deployer_group} ${site_root}",
+    refreshonly => true,
+  }
+
+  apache::vhost { 'beta.jenkins-ci.org':
+    port    => '80',
+    docroot => $site_docroot,
+    require => File[$site_docroot],
+  }
+
+  apache::vhost { 'jenkins.io':
+    serveraliases => [
+      'beta.jenkins.io',
+      'www.jenkins.io',
+    ],
+    port          => '443',
+    ssl           => true,
+    ssl_key       => '/etc/letsencrypt/live/jenkins.io/privkey.pem',
+    # When Apache is upgraded to >= 2.4.8 this should be changed to
+    # fullchain.pem
+    ssl_cert      => '/etc/letsencrypt/live/jenkins.io/cert.pem',
+    ssl_chain     => '/etc/letsencrypt/live/jenkins.io/chain.pem',
+    docroot       => $beta_docroot,
+    require       => File[$beta_docroot],
+  }
+
+  apache::vhost { 'jenkins.io unsecured':
+    servername      => 'jenkins.io',
+    serveraliases   => [
+      'beta.jenkins.io',
+      'www.jenkins.io',
+    ],
+    port            => '80',
+    docroot         => $beta_docroot,
+    redirect_status => 'permanent',
+    redirect_dest   => 'https://jenkins.io/',
+  }
+
+  # We can only acquire certs in production due to the way the letsencrypt
+  # challenge process works
+  if (($::environment == 'production') and ($::vagrant != '1')) {
+    letsencrypt::certonly { 'jenkins.io':
+        domains     => ['jenkins.io', 'www.jenkins.io'],
+        plugin      => 'apache',
+        manage_cron => true,
+    }
+  }
+}

dist/profile/manifests/sudo.pp

@@ -0,0 +1,27 @@
+#
+# Main sudo management profile
+class profile::sudo {
+  include ::sudo
+
+  sudo::conf { 'env-defaults':
+    content => 'Defaults        env_reset',
+  }
+
+  sudo::conf { 'secure-path':
+    content => 'Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"',
+  }
+
+  sudo::conf { 'root':
+    content  => 'root ALL=(ALL) ALL',
+  }
+
+  sudo::conf { 'admins':
+    priority => '10',
+    content  => '%admin ALL=(ALL) ALL',
+  }
+
+  sudo::conf { 'sudo':
+    priority => '10',
+    content  => '%sudo ALL=(ALL) NOPASSWD: ALL',
+  }
+}

dist/profile/manifests/sudo/osu.pp

@@ -0,0 +1,10 @@
+#
+# profile to define the additional sudoer requirements for machines in the
+# OSUOSL which have an `osuadmin` role account on them
+class profile::sudo::osu {
+  include profile::sudo
+
+  sudo::conf { 'osuadmin':
+      content => 'osuadmin  ALL=(ALL) ALL',
+  }
+}

dist/profile/manifests/vagrant.pp

@@ -0,0 +1,13 @@
+#
+# Vagrant profile for capturing some of the spceifics we need for Vagrant boxes
+# to pvoision cleanly
+class profile::vagrant {
+  include sudo
+
+  # AWS Ubuntu images have an `ubuntu` default user which Vagrant will use for
+  # provisioning
+  sudo::conf { 'ubuntu':
+    priority => '10',
+    content  => 'ubuntu ALL=(ALL) NOPASSWD: ALL',
+  }
+}

dist/profile/templates/accountapp/config.properties.erb

@@ -0,0 +1,23 @@
+# This file configures the Jenkins project's accounts management application.
+#
+# See: <https://github.com/jenkins-infra/account-app>
+server=<%= @ldap_url %>
+managerDN=cn=admin,dc=jenkins-ci,dc=org
+managerPassword=<%= @ldap_password %>
+
+newUserBaseDN=ou=people,dc=jenkins-ci,dc=org
+
+# Host which accountapp can use for sending out password reset and other emails
+smtpServer=<%= @smtp_server %>
+
+# recaptcha v2 keys from rtyler's google account
+recaptchaPublicKey=6Le4HxYTAAAAACmLvcV8H4rki8HOWRdcU8HqnSFR
+recaptchaPrivateKey=<%= @recaptcha_key %>
+
+url=<%= @app_url %>
+
+# Create this file on the host machine in order to temporarily disable account
+# creation
+circuitBreakerFile=/etc/accountapp/circuitBreaker
+
+# vim: ft=conf

dist/profile/templates/apachemaintenance/maintenance.conf.erb

@@ -0,0 +1,33 @@
+# MANAGED BY PUPPET. DO NOT MODIFY.
+# used during the maintenance outage
+Listen 443
+
+<VirtualHost *:443>
+	ServerName <%= @name %>
+
+	SSLEngine On
+
+	ErrorDocument 503 /maintenance.html
+	## uncomment below to enter maintenance mode
+	RedirectMatch 503 ^/(?!maintenance)
+
+	#RewriteEngine on
+	#RewriteCond %{REQUEST_URI} !/maintenance.html$
+	#RewriteRule $ /maintenance.html [R=302,L]
+
+	DocumentRoot /var/www/maintenance
+
+	Customlog /dev/null combined
+	ErrorLog /var/log/apache2/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+</VirtualHost>
+<VirtualHost *:80>
+	ServerName <%= @name %>
+	Redirect temp / https://<%= @name %>/
+
+	Customlog /dev/null combined
+</VirtualHost>

dist/profile/templates/archives/vhost.conf

@@ -0,0 +1,15 @@
+CustomLog "|/usr/bin/rotatelogs /var/log/apache2/archives.jenkins-ci.org/access.log.%Y%m%d%H%M%S 604800" reverseproxy_combined
+
+
+# see http://bwmod.sourceforge.net/files/mod_bw-0.7.txt
+# allocate the combined total of N KB/sec bandwidth to this service,
+# all the concurrent users will share this bandwidth pool, so if 10 people download
+# at the same time, they get tenth the bandwidth each.
+#
+# 1000KB/sec constant transfer is equivalent of 2600GB/month transfer.
+# At $0.12/GB, that costs about $300/month
+
+BandwidthModule On
+ForceBandWidthModule On
+Bandwidth all 1024000
+MinBandwidth all 0

dist/profile/templates/confluence/vhost.conf

@@ -0,0 +1,25 @@
+SSLEngine On
+
+# Ultimate htaccess Blacklist 2 from Perishable Press
+# Deny domain access to spammers and other scumbags
+RewriteEngine on
+RewriteCond %{HTTP_USER_AGENT} ADSARobot|ah-ha|AhrefsBot|almaden|aktuelles|Anarchie|amzn_assoc|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|big.brother|BlackWidow|bmclient|Boston\ Project|BravoBrian\ SpiderEngine\ MarcoPolo|Bot\ mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Collector|Copier|Crescent|Crescent\ Internet\ ToolPak|Custo|cyberalert|DA$|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo\ Pump|DISCoFinder|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx\.net|Email\ Extractor|EirGrabber|email|EmailCollector|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites\ Sweeper|Fetch|FEZhead|FileHound|FlashGet\ WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go\!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green\ Research|grub-client|Harvest|hhjhj@yahoo|hloader|HMView|HomePageSearch|http\ generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy*Library|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkagent|Internet\ Ninja|InternetSeer\.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC\ Web\ Spider|JustView|KWebGet|Lachesis|larbin|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MCspider|Memo|Microsoft.URL|MIDown\ tool|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS\ FrontPage*|MSFrontPage|MSIECrawler|MSProxy|multithreaddb|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NetZip\ Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|PageGrabber|Papa\ Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pockey|Proxy|psbot|PSurf|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web\ Downloader|w3mir|Web\ Data\ Extractor|Web\ Image\ Collector|Web\ Sucker|Wweb|WebAuto|WebBandit|web\.by\.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon\ WebSpider|WUMPUS|Xenu|XGET|Zeus.*Webster|Zeus [NC]
+RewriteRule ^.* - [F,L]
+
+<Proxy *>
+    Order allow,deny
+    Allow from all
+</Proxy>
+
+RedirectMatch ^/display/HUDSON/(.+) /display/JENKINS/$1
+Redirect /signup.action https://jenkins-ci.org/account
+Redirect /forgotuserpassword.action https://jenkins-ci.org/account
+
+ProxyPass /display/HUDSON !
+ProxyPass /signup.action !
+ProxyPass /robots.txt !
+ProxyPass /forgotuserpassword.action !
+ProxyPass        / http://localhost:8009/
+ProxyPassReverse / http://localhost:8009/
+
+CustomLog "|/usr/bin/rotatelogs /var/log/apache2/wiki.jenkins-ci.org/access.log.%Y%m%d%H%M%S 86400" combined

dist/profile/templates/demo/vhost.conf

@@ -0,0 +1,9 @@
+<Proxy *>
+    Order allow,deny
+    Allow from all
+</Proxy>
+
+ProxyPass        / http://localhost:8080/
+ProxyPassReverse / http://localhost:8080/
+
+CustomLog "|/usr/bin/rotatelogs /var/log/apache2/demo.jenkins-ci.org/access.log.%Y%m%d%H%M%S 86400" combined

dist/profile/templates/jenkinsadmin/dot-github.erb

@@ -0,0 +1,2 @@
+login=<%= @github_login %>
+password=<%= @github_password %>

dist/profile/templates/jenkinsadmin/dot-jenkins.erb

@@ -0,0 +1,2 @@
+userName=<%= @jira_login %>
+password=<%= @jira_password %>

dist/profile/templates/jira/vhost.conf

@@ -0,0 +1,26 @@
+SSLEngine On
+
+# Ultimate htaccess Blacklist 2 from Perishable Press
+# Deny domain access to spammers and other scumbags
+RewriteEngine on
+RewriteCond %{HTTP_USER_AGENT} ADSARobot|ah-ha|AhrefsBot|almaden|aktuelles|Anarchie|amzn_assoc|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|big.brother|BlackWidow|bmclient|Boston\ Project|BravoBrian\ SpiderEngine\ MarcoPolo|Bot\ mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Collector|Copier|Crescent|Crescent\ Internet\ ToolPak|Custo|cyberalert|DA$|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo\ Pump|DISCoFinder|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx\.net|Email\ Extractor|EirGrabber|email|EmailCollector|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites\ Sweeper|Fetch|FEZhead|FileHound|FlashGet\ WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go\!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green\ Research|grub-client|Harvest|hhjhj@yahoo|hloader|HMView|HomePageSearch|http\ generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy*Library|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkagent|Internet\ Ninja|InternetSeer\.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC\ Web\ Spider|JustView|KWebGet|Lachesis|larbin|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MCspider|Memo|Microsoft.URL|MIDown\ tool|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS\ FrontPage*|MSFrontPage|MSIECrawler|MSProxy|multithreaddb|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NetZip\ Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|PageGrabber|Papa\ Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pockey|Proxy|psbot|PSurf|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web\ Downloader|w3mir|Web\ Data\ Extractor|Web\ Image\ Collector|Web\ Sucker|Wweb|WebAuto|WebBandit|web\.by\.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon\ WebSpider|WUMPUS|Xenu|XGET|Zeus.*Webster|Zeus [NC]
+RewriteRule ^.* - [F,L]
+
+# Redirect from old project key
+RedirectMatch /browse/HUDSON-(.+)       /browse/JENKINS-$1
+Redirect /secure/Signup!default.jspa	https://jenkins-ci.org/account
+Redirect /secure/ForgotLoginDetails.jspa	https://jenkins-ci.org/account
+
+<Proxy *>
+    Order allow,deny
+    Allow from all
+</Proxy>
+
+ProxyPassMatch	^/browse/HUDSON-	!
+ProxyPass	/secure/Signup!default.jspa	!
+ProxyPass	/secure/ForgotLoginDetails.jspa	!
+ProxyPass	 / http://localhost:8080/
+ProxyPassReverse / http://localhost:8080/
+ProxyPreserveHost On
+
+CustomLog "|/usr/bin/rotatelogs /var/log/apache2/issues.jenkins-ci.org/access.log.%Y%m%d%H%M%S 86400" combined

dist/profile/templates/r10k_deployhook.erb

@@ -12,7 +12,7 @@ require 'openssl'
 require 'resolv'
 require 'json'
 
-DEPLOYCMD = '/opt/puppet/bin/mco r10k deploy_all --np >> <%= @r10k_options['deployhooks_logdir'] %>/mco 2>&1'
+DEPLOYCMD = '/opt/puppet/bin/mco r10k synchronize --np >> <%= @r10k_options['deployhooks_logdir'] %>/mco 2>&1'
 LOGFILE   = '<%= @r10k_options['deployhooks_logdir'] %>/deployhooks'
 USER      = '<%= @r10k_options['deployhooks_user'] %>'
 PASS      = '<%= @r10k_options['deployhooks_pass'] %>'

dist/role/manifests/buildnode.pp

@@ -0,0 +1,4 @@
+#
+#
+class role::buildnode {
+}

dist/role/manifests/buildnode/mac.pp

@@ -0,0 +1,10 @@
+#
+# Provision a simple, SSH-able Mac OS X based Jenkins build node
+class role::buildnode::mac {
+  include profile::base
+
+  class { 'profile::buildslave':
+    docker => false,
+    ruby   => false,
+  }
+}

dist/role/manifests/celery.pp

@@ -0,0 +1,7 @@
+#
+# Celery is a Rackspace "Performance 1 - 8GB" class VM with 8x CPUs and 8GB of RAM
+# Disk is small and at 40GB system + 80GB data
+class role::celery {
+  include profile::base
+  include profile::buildslave
+}

dist/role/manifests/cucumber.pp

@@ -0,0 +1,7 @@
+#
+# Cucumber is an old machine based in a Contegix datacenter
+class role::cucumber {
+  include profile::diagnostics
+  include profile::ldap
+  include profile::jenkins
+}

dist/role/manifests/edamame.pp

@@ -0,0 +1,10 @@
+#
+# Edamame is a VM with 2x CPUs and 4GB of RAM at the OSUOSL
+class role::edamame {
+  include profile::base
+  include profile::robobutler
+  include profile::sudo::osu
+  include profile::bind
+  include profile::apachecert
+  include profile::jira
+}

dist/role/manifests/eggplant.pp

@@ -0,0 +1,8 @@
+#
+# Eggplant is a VM with 2vCPUs and 2GB RAM at the OSUOSL
+class role::eggplant {
+  include profile::base
+  include profile::sudo::osu
+  include profile::staticsite
+  include profile::accountapp
+}

dist/role/manifests/kelp.pp

@@ -0,0 +1,9 @@
+#
+# Kelp is a build slave on Rackspace with 8vCPUs and 30GB RAM
+#
+# This node also has a massive (300GB) data disk mounted as /home/jenkins
+class role::kelp {
+  include profile::base
+  include profile::buildslave
+  include profile::demo
+}

dist/role/manifests/l10n.pp

@@ -0,0 +1,5 @@
+# EC2
+class role::l10n {
+  include profile::base
+  include profile::l10n_server
+}

dist/role/manifests/ldapserver.pp

@@ -0,0 +1,5 @@
+# A server to host openldap
+class role::ldapserver {
+  include profile::base
+  include profile::ldap
+}

dist/role/manifests/lettuce.pp

@@ -0,0 +1,8 @@
+#
+# Lettuce is a 2vCPU/8GB KVM-based VM at the OSUOSL
+class role::lettuce {
+  include profile::base
+  include profile::sudo::osu
+  include profile::apachecert
+  include profile::confluence
+}

dist/role/manifests/okra.pp

@@ -0,0 +1,7 @@
+#
+# Okra is a tiny VM (1vCPU/4GB RAM) on Rackspace
+class role::okra {
+  include profile::base
+  include profile::archives
+  include profile::bind
+}

dist/role/manifests/puppetmaster.pp

@@ -1,7 +1,7 @@
 #
 # role::puppetmaster defines what a node role that should look like
 class role::puppetmaster {
-  include profile::accounts
+  include profile::base
   include profile::puppetmaster
-  include profile::r10k
+  include profile::sudo::osu
 }

dist/role/manifests/rating.pp

@@ -0,0 +1,5 @@
+# A server to host openldap
+class role::rating {
+  include profile::base
+  include profile::rating
+}

dist/role/manifests/spinach.pp

@@ -0,0 +1,14 @@
+#
+# spinach is an Ubuntu VM in the Rackspace Cloud
+#
+# this machine was donated long time ago and it appears to belong to a then Rackspace employee
+# that's no longer with the company. We do not have direct access to this machine, so we need
+# to be ready to lose this machine any time
+#
+class role::spinach {
+  include profile::base
+  include profile::groovy
+  include profile::bind
+  include profile::jenkinsadmin
+  include profile::buildslave
+}

environment.conf

@@ -0,0 +1,3 @@
+modulepath = ./dist:./modules:$basemodulepath
+# <https://docs.puppetlabs.com/puppet/3.8/reference/configuration.html#environmenttimeout>
+environment_timeout = 0

hieradata/README.md

@@ -0,0 +1,5 @@
+### Hieradata
+
+The yaml contained here uses the hiera-eyaml gem to store sensative information.
+
+You must be granted access to the jenkins-keys repository to get the keys required to edit the encrypted information.  Further details on eyaml are avialable in the README of that repo.