[dw-ops] Deploy Puppet for configuration management
[commit: http://hg.dwscoalition.org/dw-ops/rev/23b2c43efb45]
http://bugs.dwscoalition.org/show_bug.cgi?id=431
Initial commit of Puppet configuration. (Puppet is the configuration
management system we will be using to keep the production farm configured
correctly.)
Patch by xenacryst.
Files modified:
- puppet/INSTALLATION
- puppet/README
- puppet/etc/puppet.conf
- puppet/etc/puppetd.conf
- puppet/etc/puppetmasterd.conf
- puppet/manifests/serverclass/dreamwidth.pp
- puppet/manifests/serverclass/nonwebserver.pp
- puppet/manifests/serverclass/webserver.pp
- puppet/manifests/site.pp
- puppet/modules/apache2/LICENSE
- puppet/modules/apache2/README
- puppet/modules/apache2/README.dreamwidth
- puppet/modules/apache2/files/apache2.conf
- puppet/modules/apache2/manifests/basic.pp
- puppet/modules/apache2/manifests/debian.pp
- puppet/modules/apache2/manifests/dreamwidth.pp
- puppet/modules/apache2/manifests/init.pp
- puppet/modules/apache2/templates/base.conf.erb
- puppet/modules/apache2/templates/browser_fixes.conf.erb
- puppet/modules/apache2/templates/debian.conf.erb
- puppet/modules/apache2/templates/directory_indexes.conf.erb
- puppet/modules/apache2/templates/dw.conf.erb
- puppet/modules/apache2/templates/logging-errorlog.conf.erb
- puppet/modules/apache2/templates/logging-syslog.conf.erb
- puppet/modules/apache2/templates/mime-extras.conf.erb
- puppet/modules/apache2/templates/mime-minimal.conf.erb
- puppet/modules/apache2/templates/mpm-prefork.conf.erb
- puppet/modules/apache2/templates/mpm-worker.conf.erb
- puppet/modules/apache2/templates/mpm-worker.erb
- puppet/modules/apache2/templates/ports.conf.erb
- puppet/modules/apache2/templates/security.conf.erb
- puppet/modules/apache2/templates/server-status.erb
- puppet/modules/apt/README
- puppet/modules/apt/manifests/default.pp
- puppet/modules/apt/manifests/dreamwidth.pp
- puppet/modules/apt/manifests/init.pp
- puppet/modules/apt/templates/default.erb
- puppet/modules/apt/templates/dreamwidth.erb
- puppet/modules/iptables/README
- puppet/modules/iptables/files/iptables
- puppet/modules/iptables/manifests/dreamwidth.pp
- puppet/modules/iptables/manifests/init.pp
- puppet/modules/iptables/templates/dreamwidth.erb
- puppet/modules/puppet/README
- puppet/modules/puppet/files/puppetd.conf
- puppet/modules/puppet/files/puppetmasterd.conf
- puppet/modules/puppet/manifests/init.pp
-------------------------------------------------------------------------------- diff -r 000000000000 -r 23b2c43efb45 puppet/INSTALLATION --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/INSTALLATION Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,33 @@ +Boostrapping the Puppet service: + +Note: this assumes that the Puppet master is running on a host with a name +(or CNAME) of puppet.$domainname (e.g.: puppet.dreamwidth.org). If this is +not the case, the client will need to be told where the Puppet server is +before the service will start and request a certificate from the master. + +For the Puppet master node, the following must be done: + + * Install puppetmaster ("apt-get install puppetmaster"). + * Copy etc/puppetmasterd.conf to /etc/puppet/puppetmasterd.conf. + * Copy the manifests directory to /etc/puppet/manifests. + * Copy the modules directory to /var/lib/puppet/modules. + * Restart the puppetmaster service ("/etc/init.d/puppetmaster restart"). + +Ideally, the manifests and modules directories will be kept in revision +control and installed via a checkout/update procedure. Note that on the +puppet master node, the puppetmasterd.conf file will be reloaded from +puppet after the system is set up and that node added (see notes in +manifests/site.pp). + +Once the Puppet master is running, new nodes can be added with the +following procedure: + + * Add the new node name to manifests/site.pp on the master + * apt-get update (to get the latest package information) + * apt-get dist-upgrade (to upgrade packages) + * apt-get install puppet + * On the puppet master, sign the new certificate + ("puppetca --sign newnode.dreamwidth.org") + * restart the puppet service ("/etc/init.d/puppet restart") -- this + should load the manifest for the node, installing any new packages and + configuring the rest of the system. diff -r 000000000000 -r 23b2c43efb45 puppet/README --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/README Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,54 @@ +Initial Puppet configuration for Dreamwidth +Xenacryst, 16-MAR-2009 + +For puppetmaster installation/bootstrapping, see INSTALLATION. + +This Puppet specification does basic initialization of a new Dreamwidth +node. The original node bootstrapping procedure is defined in the wiki +notes: + +http://wiki.dwscoalition.org/notes/Production_Puppet + +This specification encodes that procedure in a Puppet configuration, with +the following notes: + +"dw" user: + * The "dw" user is set up using UID 1000 and GID 1000 (group "dw") + * The sudo line is appended to /etc/sudoers if not present + +apt: + * The /etc/apt/sources.list file is installed as noted. + * The apt module is written to allow for alternate source hosts and port + numbers as well as different Ubuntu distributions (e.g. "hardy", + "intrepid"). See the module documentation for details. + +system update/upgrade: + * Not performed. This should be done by hand at installation. + +package installation: + * Performed as part of the serverclass::dreamwidth base server. + * Note that apache2 and the MPM package are installed with the apache2 + module and should NOT be specified in the serverclass modules + (duplicate package specifications throws an error in Puppet). + +Apache configuration: + * Performed in the apache2 module, which is only included in the + "webserver" server class. + * Note that this module puts configuration snippets in + /etc/apache2/conf.d rather than building a single apache2.conf file. + The apache2::dreamwidth class duplicates the stock Ubuntu installation + along with the changes noted in the wiki for Dreamwidth in this style. + See the module documentation for details. + +iptables: + * The /etc/iptables.up.rules file is installed as specified. + * Rather than add a line to /etc/network/interfaces, we put a short + script in /etc/network/if-pre-up.d that loads the iptables rules. 
+ * iptables is reloaded when new rules are pushed out; see the module + documentation on how to change the rules. + +See the documentation in manifests/site.pp for instructions on how to add +new hosts (nodes). If a node is not found in site.pp, a default node +definition will be applied: this is the "nonwebserver" server class node +(Dreamwidth definitions as above, but without Apache configuration and the +apache2 service disabled). diff -r 000000000000 -r 23b2c43efb45 puppet/etc/puppet.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/etc/puppet.conf Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,8 @@ +[main] + confdir = /etc/puppet + logdir = /var/log/puppet + vardir = /var/lib/puppet + ssldir = /var/lib/puppet/ssl + rundir = /var/run/puppet + modulepath = /var/lib/puppet/modules:/usr/share/puppet/modules + pluginsync = true diff -r 000000000000 -r 23b2c43efb45 puppet/etc/puppetd.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/etc/puppetd.conf Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,8 @@ +[main] + confdir = /etc/puppet + logdir = /var/log/puppet + vardir = /var/lib/puppet + ssldir = /var/lib/puppet/ssl + rundir = /var/run/puppet + modulepath = /var/lib/puppet/modules:/usr/share/puppet/modules + pluginsync = true diff -r 000000000000 -r 23b2c43efb45 puppet/etc/puppetmasterd.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/etc/puppetmasterd.conf Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,8 @@ +[main] + confdir = /etc/puppet + logdir = /var/log/puppet + vardir = /var/lib/puppet + ssldir = /var/lib/puppet/ssl + rundir = /var/run/puppet + modulepath = /var/lib/puppet/modules:/usr/share/puppet/modules + pluginsync = true diff -r 000000000000 -r 23b2c43efb45 puppet/manifests/serverclass/dreamwidth.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/manifests/serverclass/dreamwidth.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,96 @@ +############################################################################### +# General Dreamwidth server class +# Xenacryst, 10-MAR-2009 +############################################################################### + +############################################################################### +# Base class for all Dreamwidth servers managed by Puppet +class serverclass::dreamwidth { + # APT module + include apt::dreamwidth + + # IPTABLES module + include iptables::dreamwidth + + # PUPPET module (client) + include puppet + puppet::client { $hostname: ensure => present } + + # Local "dw" user and group + group { dw: + ensure => present, + gid => 1000 + } + user { dw: + ensure => present, + comment => "Dreamwidth", + home => "/home/dw", + managehome => true, + uid => 1000, + gid => "dw", + shell => "/bin/bash", + require => Group["dw"] + } + + # Ensure that "dw" user can run sudo + line { sudo_dw: + file => "/etc/sudoers", + line => "dw ALL=NOPASSWD: ALL", + ensure => present + } + + # Packages to install + # (Apache2 and mpm packages are installed in the apache2 module) + package { + dh-make-perl:; + libapache2-mod-perl2:; + libapache2-request-perl:; + libcaptcha-recaptcha-perl:; + libclass-accessor-perl:; + libclass-autouse-perl:; + libclass-data-inheritable-perl:; + libclass-trigger-perl:; + libcompress-zlib-perl:; + libcrypt-dh-perl:; + libdatetime-perl:; + libdbd-mysql-perl:; + libdbi-perl:; + libdigest-hmac-perl:; + libdigest-sha1-perl:; + libgd-gd2-perl:; + libgd-graph-perl:; + libgnupg-interface-perl:; + libgtop2-dev:; + libhtml-parser-perl:; + libhtml-tagset-perl:; + libhtml-template-perl:; + libimage-size-perl:; + libio-stringy-perl:; + libmail-gnupg-perl:; + libmailtools-perl:; + libmath-bigint-gmp-perl:; + libmd5-perl:; + libmime-lite-perl:; + libmime-perl:; + libnet-dns-perl:; + libproc-process-perl:; + librpc-xml-perl:; + libsoap-lite-perl:; + libstring-crc32-perl:; + libtext-vcard-perl:; + libunicode-maputf8-perl:; + 
liburi-fetch-perl:; + liburi-perl:; + libwww-perl:; + libxml-atom-perl:; + libxml-rss-perl:; + libxml-simple-perl:; + mercurial:; + mysql-client:; + perlmagick:; + puppet:; + screen:; + subversion:; + vim-perl:; + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/manifests/serverclass/nonwebserver.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/manifests/serverclass/nonwebserver.pp Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,16 @@ +############################################################################### +# Dreamwidth server class for servers that are *not* webservers +# Xenacryst, 10-MAR-2009 +# +# All this does is ensure that the apache2 service is stopped +############################################################################### + +class serverclass::nonwebserver inherits serverclass::dreamwidth { + # make sure Apache is not running + service { "apache2": + ensure => stopped, + pattern => "/usr/sbin/apache2", + hasstatus => true, + hasrestart => true + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/manifests/serverclass/webserver.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/manifests/serverclass/webserver.pp Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,9 @@ +############################################################################### +# Dreamwidth webserver class +# Xenacryst, 10-MAR-2009 +############################################################################### + +class serverclass::webserver inherits serverclass::dreamwidth { + # APACHE2 module + include apache2::dreamwidth +} diff -r 000000000000 -r 23b2c43efb45 puppet/manifests/site.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/manifests/site.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,74 @@ +############################################################################### +# Puppet site configuration for Dreamwidth +# Xenacryst, 10-MAR-2009 +############################################################################### + +############################################################################### +# Function: line() +# Decription: ensures that a line in a text file is present or absent +# by appending the line to the end of the file or removing it as required. +# Arguments: +# file: the text file to modify +# line: the exact text of the line +# ensure: "present" (default) or "absent" +# Other standard arguments (require, notify, etc.) can be present +# Usage: +# line { description: +# file => "filename", +# line => "content", +# ensure => {absent,*present*} +# } +# +define line($file, $line, $ensure = 'present') { + case $ensure { + default : { err ( "unknown ensure value '${ensure}'" ) } + present: { + exec { "/bin/echo '${line}' >> '${file}'": + unless => "/bin/grep -qFx '${line}' '${file}'" + } + } + absent: { + exec { "/usr/bin/perl -ni -e 'print if \$_ ne \"${line}\n\";' '${file}'": + onlyif => "/bin/grep -qFx '${line}' '${file}'" + } + } + } +} +############################################################################### + + +############################################################################### +# DREAMWIDTH SITE SPECIFICATION +# +# Import the standard Dreamwidth server classes +import "serverclass/*" + +# NODE SPECIFICATION +# There are two main server classes: webserver and nonwebserver. The +# webserver class loads the apache2 class with Dreamwidth specific configs +# and makes sure that Apache is running. The nonwebserver class makes sure +# that Apache is not running. Both inherit the packages, apt settings, and +# iptables configuration from the main dreamwidth class. 
+# +# node nodename { include serverclass::webserver } +# -OR- +# node nodename { include serverclass::nonwebserver } + +node example {include serverclass::webserver } +node dh01 {include serverclass::webserver } + +# A special case exists for the node that will run the Puppet master service. +# This node can be specified as following: +# +# node puppetmaster { +# include serverclass::whatever +# puppet::server { $hostname: ensure => present } +# } +# +# This will distribute the puppetmasterd.conf file and start the puppetmaster +# service to that node. + +# If the node is not found, the "default" node will be used, as below, which +# loads the nonwebserver class. +node default { include serverclass::nonwebserver } +############################################################################### diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/LICENSE --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/LICENSE Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,13 @@ +Copyright 2007 Wesabe, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/README --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/README Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,112 @@ +# Apache2 Recipe # +apache2 -- v0.4 by Sam Quigley <sq@wesabe.com> + +Basic module for configuring apache via puppet. Debian/Ubuntu-specific at +the moment, but patches are welcome. + +Based in part on code by Tim Stoop <tim.stoop@gmail.com> and +David Schmitt <david@schmitt.edv-bus.at> + +## Configuration ## + +This module installs apache2 from packages and promptly overwrites the default +configuration with one that does nothing other than include various +directories: + +* /etc/apache2/mods-enabled/ +* /etc/apache2/conf.d +* /etc/apache2/sites-enabled/ + +Defines are provided to allow recipes and child classes to interact with these +directories -- see below. + +An additional class, `apache2_debian`, is provided which attempts to mimic +the default configuration of a freshly-installed debian apache2 package. + +A single global configuration variable is available, `$apache2_mpm`, which +controls which of the mpm packages are installed. Its possible values are: + +* 'event': Use the event driven model (experimental) +* 'prefork': Traditional +* 'worker': High speed threaded model + +'worker' is the default. + +See the apache2::debian and apache2::basic subclasses for examples of how to +use and configure this class. Note that these do *NOT* install site +definitions -- so simply including them in a node definition won't work... + +### `apache2::config` ### + +`apache2::config` installs a configuration snippet in conf.d. Takes the following options: + +* `name`: the name of the config snipppet [namevar] +* `ensure`: typically set to "present" or "absent", but any value legal +for a file resource can be used. Defaults to "present" +* `content`: set this to the text of the snippet -- eg, through +template(). Defaults to `template("apache2/$name.conf.erb")`, which is +unlikely to be what you want. +* `order`: specifies the load order for this config snippet. 
the snippet +will end up in `/etc/apache2/conf.d/$order-$name.conf`, and apache will load +files in alphanumeric order. Defaults to "500" +* `require`: if set, this will require that a package of the given name exists +before evaluating the rest of the config definition. It does not currently +remove the package, even if ensure is set to absent. + +### `apache2::module` ### + +`apache2::module` enables an apache module. It does *NOT* currently install +one for you, except through the "require" argument -- see below. +Options are: + +* `name`: name of the module. A file with the name +`mods-available/$name.load` is expected to exist in the apache2 directory +* `ensure`: can be "present" or "absent" +* `require`: if set, this will require that a package of the given name exists +before evaluating the rest of the module definition. It does not currently +remove the package, even if ensure is set to absent. + +### `apache2::site` ### + +`apache2::site` enables an apache site. Options are: + +* `name`: name of the site. A file with the name +`sites-available/$name` is expected to exist in the apache2 directory +* `ensure`: can be "present", "installed", or "absent" +* `require`: if set, this will require that a package of the given name exists +before evaluating the rest of the site definition. It does not currently +remove the package, even if ensure is set to absent. +* `content`: set this to the text of the site definition -- eg, through +template(). If unset, the module will simply ensure that a file named +"/etc/apache2/sites-available/$name" exists + +## Example ## + +See the code for the apache2_debian subclass for an example of how to use +this module. + +## To Do ## + +* apache2::{module,config,site} should really be native types. +* The configuration of apache2::basic is essentially arbitrary, based on +what I needed to override at the moment. Some logic would probably be +helpful. 
+ +## Changes ## + +* stop explicitly importing stuff from manifests/classes; rely on autoload instead +* add `site_include` definition, similar to `site` +* add content property to site definition, similar to config +* allow ensure=>installed for sites -- required moving site installation code +to a new definition. +* added apache2::debian and apache2::basic subclasses +* added `config` definition, similar to the existing `site` and `module` defs, +which will include given config snippets +* Removed port configuration (via /etc/apache2/ports.conf) -- Listen +directives make more sense in the individual site definitions, at least for +SSL, load-balanced, and proxied environments... +* Removed DavidS' nagios and munin stuff; will probably re-add later. +* Removed the `no_default_site` subclass and made it the default behavior. No +one _really_ wants to serve their distro's default page... +* Removed the `apache2_ssl business` -- with Listen configured in the site +defs themselves, it's not really necessary diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/README.dreamwidth --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/README.dreamwidth Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,37 @@ +This module is copied with minimal modification from the public module for +Debian/Ubuntu-based Apache2 installations (v0.4). That module is available +here: + + http://code.google.com/p/wesabe/ + +Changes from the wesabe module: + + * Change the base.conf.erb file to be more like Ubuntu (using + environment variables for user, group, pid file). + * Add the mpm-prefork.conf.erb config file, copied from stock + Ubuntu Apache2 installation. + * Add ports.conf.erb for Listen directives, copied from stock + Ubuntu Apache2 installation. + * Add sercurity.conf.erb for a copy of stock Ubuntu Apache2 + security directives + * Add dw.conf.erb that contains the default Dreamwidth configuration + snippet. + +Differences from stock Ubuntu Apache2: + +The default Apache2 installation on Ubuntu (Intrepid, at least) specifies +everything in /etc/apache2/apache2.conf and then includes all files in +/etc/apache2/conf.d as configuration snippets. This changes that behavior +to specify a very minimal apache2.conf which includes files in conf.d that +are named *.conf. Base configurations are then loaded in order as they +appear in that directory: + + NNN-name.conf + +Within the apache2::dreamwidth class, we mimic the default installation of +Apache2 on Intrepid with these configuration snippets, and then add the +Dreamwidth specific snippet as 999-dw.conf so that it is loaded last. + +The sites-enabled/available and mods-enabled/available directories are +managed as usuale, with a2{en,dis}site and a2{en,dis}mod called to enable +and disable sites and modules. diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/files/apache2.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/files/apache2.conf Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,14 @@ +# apache2.conf -- version for puppet-controlled installations +# +# this config file merely includes other files; all the truly important stuff +# is configured in one of these directories. + +# Include module configuration: +Include /etc/apache2/mods-enabled/*.load +Include /etc/apache2/mods-enabled/*.conf + +# Include generic snippets of statements +Include /etc/apache2/conf.d/*.conf + +# Include the virtual host configurations: +Include /etc/apache2/sites-enabled/ diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/manifests/basic.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/manifests/basic.pp Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,34 @@ +# apache2/manifests/classes/apache2_basic.pp +# by Sam Quigley <sq@wesabe.com> + +# implements a basic, no-frills apache. + +class apache2::basic inherits apache2 { + apache2::config { "base": + order => "000", + ensure => present, + content => template("apache2/base.conf.erb"), + } + apache2::module { "dir": ensure => present } # provides DirectoryIndex + + apache2::config { "mpm": + order => "010", + ensure => present, + content => template("apache2/mpm-$real_apache2_mpm.conf.erb"), + } + + apache2::config { "mime": + order => "020", + ensure => present, + content => template("apache2/mime-minimal.conf.erb"), + } + apache2::module { "mime": ensure => present } + + apache2::config { "browser_fixes": + order => "030", + ensure => present, + content => template("apache2/browser_fixes.conf.erb"), + } + apache2::module { "setenvif": ensure => present } + +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/manifests/debian.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/manifests/debian.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,19 @@ +# apache2/manifests/classes/apache2_debian.pp +# by Sam Quigley <sq@wesabe.com> + +# this class attempts to mimic the default configuration of the debian +# apache2 package + +class apache2::debian inherits apache2 { + apache2::config { "debian.conf": + order => "000", + ensure => present, + } + + apache2::module { ["alias", "auth_basic", "authn_file", + "authz_default", "authz_groupfile", "authz_host", + "authz_user", "autoindex", "cgid", "dir", "env", "mime", + "negotiation", "setenvif", "status"]: + ensure=> present, + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/manifests/dreamwidth.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/manifests/dreamwidth.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,30 @@ +############################################################################### +# Dreamwidth apache2 class +# Xenacryst, 13-MAR-2009 +# +# Similar to debian class, except it: +# - uses the dw.conf file +# - adds the apreq module (required by Dreamwidth) +# - adds the deflate module (default in Ubuntu) +# - disables the "default" site +# +# Note: the default site installed by Apache2 is disabled in init.pp. +############################################################################### + +class apache2::dreamwidth inherits apache2 { + $apache2_mpm = "prefork" + + apache2::config { "base": order => "000", ensure => present } + apache2::config { "security": order => "010", ensure => present } + apache2::config { "mpm-prefork": order => "020", ensure => present } + apache2::config { "logging-errorlog": order => "030", ensure => present } + apache2::config { "ports": order => "040", ensure => present } + apache2::config { "dw": order => "900", ensure => present } + + apache2::module { ["alias", "apreq", "auth_basic", "authn_file", + "authz_default", "authz_groupfile", "authz_host", + "authz_user", "autoindex", "cgid", "deflate", "dir", "env", "mime", + "negotiation", "perl", "setenvif", "status"]: + ensure=> present, + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/manifests/init.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/manifests/init.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,244 @@ +# apache2 module for puppet +# by Sam Quigley <sq@wesabe.com> +# +# based in part on code by Tim Stoop <tim.stoop@gmail.com> and +# David Schmitt <david@schmitt.edv-bus.at> + +# this file defines the base apache2 class, and does most of the heavy +# lifting. see the other subclasses for friendlier versions. + +class apache2 { + # note: this code is currently very deb/ubuntu-specific + $apache_sites = "/etc/apache2/sites" + $apache_includes = "/etc/apache2/site-includes" + $apache_mods = "/etc/apache2/mods" + $apache_conf = "/etc/apache2/conf.d" + + $real_apache2_mpm = $apache2_mpm ? { '' => 'worker', default => $apache2_mpm } + + case $real_apache2_mpm { + 'event': { + package { "apache2-mpm-event": + ensure => installed, + alias => apache2_mpm_provider + } + package { ["apache2-mpm-perchild", "apache2-mpm-prefork", + "apache2-mpm-worker"]: + ensure => absent, + } + } + + 'prefork': { + package { "apache2-mpm-prefork": + ensure => installed, + alias => apache2_mpm_provider + } + package { ["apache2-mpm-event", "apache2-mpm-perchild", + "apache2-mpm-worker"]: + ensure => absent, + } + } + + 'worker': { + package { "apache2-mpm-worker": + ensure => installed, + alias => apache2_mpm_provider + } + package { ["apache2-mpm-event", "apache2-mpm-perchild", + "apache2-mpm-prefork"]: + ensure => absent, + } + } + } + package { apache2: + ensure => installed, + require => Package[apache2_mpm_provider], + } + + service { apache2: + ensure => running, + pattern => "/usr/sbin/apache2", + hasrestart => true, + require => Package[apache2] + } + + # using checksum => mtime and notify ensures that any changes to this dir + # will result in an apache reload + file { $apache_conf: + ensure => directory, checksum => mtime, + mode => 644, owner => root, group => root, + require => Package[apache2], + notify => Exec["reload-apache2"]; + } + + # as above + file { $apache_includes: + ensure => directory, checksum => mtime, + mode => 644, owner => root, group => root, + 
require => Package[apache2], + notify => Exec["reload-apache2"]; + } + + # this overwrites the default distro config with one that just includes + # $apache_conf and friends + file { "/etc/apache2/apache2.conf": + ensure => present, + mode => 644, + owner => root, + group => root, + source => "puppet://$servername/apache2/apache2.conf", + require => File[$apache_conf], + } + + # nuke the package-provided ports.conf + file {"/etc/apache2/ports.conf": ensure => absent } + + # make sure the default site isn't present. + exec { "/usr/sbin/a2dissite default": + onlyif => "/usr/bin/test -L /etc/apache2/sites-enabled/000-default", + notify => Exec["reload-apache2"], + } + + # Notify this when apache needs a reload. This is only needed when + # sites are added or removed, since a full restart then would be + # a waste of time. When the module-config changes, a force-reload is + # needed. + exec { "reload-apache2": + command => "/etc/init.d/apache2 reload", + refreshonly => true, + before => [ Service["apache2"], Exec["force-reload-apache2"] ] + } + + exec { "force-reload-apache2": + command => "/etc/init.d/apache2 force-reload", + refreshonly => true, + before => Service["apache2"], + } + + # Define an apache2 config snippet. Places all config snippets into + # /etc/apache2/conf.d, where they will be automatically loaded + define config ( $ensure = 'present', $content = '', $order="500") { + $real_content = $content ? { '' => template("apache2/${name}.conf.erb"), + default => $content, + } + + file { "${apache_conf}/${order}-${name}.conf": + ensure => $ensure, + content => $content, + mode => 644, + owner => root, + group => root, + # given the way File[$apache_conf] is defined, this might lead to + # multiple restarts. not sure. + notify => Exec["reload-apache2"], + } + } + + + # Define an apache2 site. Place all site configs into + # /etc/apache2/sites-available and en-/disable them with this type. 
+ # + # You can add a custom require (string) if the site depends on packages + # that aren't part of the default apache2 package. Because of the + # package dependencies, apache2 will automagically be included. + define site ( $ensure = 'present', $content = '' ) { + case $ensure { + 'present' : { + apache2::install_site { $name: + content => $content + } + } + 'installed' : { + apache2::install_site { $name: + content => $content + } + } + 'absent' : { + exec { "/usr/sbin/a2dissite $name": + onlyif => "/bin/sh -c '[ -L ${apache_sites}-enabled/$name ] \\ + && [ ${apache_sites}-enabled/$name -ef ${apache_sites}-available/$name ]'", + notify => Exec["reload-apache2"], + require => Package["apache2"], + } + } + default: { err ( "Unknown ensure value: '$ensure'" ) } + } + } + + # helper method to actually install a site -- called by site() + define install_site ($content = '' ) { + # first, make sure the site config exists + case $content { + '': { + file { "${apache_sites}-available/${name}": + mode => 644, + owner => root, + group => root, + ensure => present, + alias => "site-$name", + } + } + + default: { + file { "${apache_sites}-available/${name}": + content => $content, + mode => 644, + owner => root, + group => root, + ensure => present, + alias => "site-$name", + } + } + } + + # now, enable it. + exec { "/usr/sbin/a2ensite $name": + unless => "/bin/sh -c '[ -L ${apache_sites}-enabled/$name ] \\ + && [ ${apache_sites}-enabled/$name -ef ${apache_sites}-available/$name ]'", + notify => Exec["reload-apache2"], + require => File["site-$name"], + } + } + + # Define a site config fragment + define site_include ( $ensure = 'present', $content = '' ) { + file { "${apache_includes}/${name}.inc": + content => $content, + mode => 644, + owner => root, + group => root, + ensure => $ensure, + require => File[$apache_includes], + } + } + + # Define an apache2 module. Debian packages place the module config + # into /etc/apache2/mods-available. 
+ # + # You can add a custom require (string) if the module depends on + # packages that aren't part of the default apache2 package. Because of + # the package dependencies, apache2 will automagically be included. + # + # REVIEW: 20070901 <sq@wesabe.com> -- when facts can be distributed + # within modules (see puppet trac ticket #803), the unless/onlyif clauses + # below should get rewritten to use custom facter facts + define module ( $ensure = 'present') { + case $ensure { + 'present' : { + exec { "/usr/sbin/a2enmod $name": + unless => "/bin/sh -c '[ -L ${apache_mods}-enabled/${name}.load ] \\ + && [ ${apache_mods}-enabled/${name}.load -ef ${apache_mods}-available/${name}.load ]'", + notify => Exec["force-reload-apache2"], + } + } + 'absent': { + exec { "/usr/sbin/a2dismod $name": + onlyif => "/bin/sh -c '[ -L ${apache_mods}-enabled/${name}.load ] \\ + && [ ${apache_mods}-enabled/${name}.load -ef ${apache_mods}-available/${name}.load ]'", + notify => Exec["force-reload-apache2"], + } + } + default: { err ( "Unknown ensure value: '$ensure'" ) } + } + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/base.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/base.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,156 @@ +# +# Based upon the NCSA server configuration files originally by Rob McCool. +# +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See <URL:http://httpd.apache.org/docs-2.1/> for detailed information about +# the directives. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# The configuration directives are grouped into three basic sections: +# 1. Directives that control the operation of the Apache server process as a +# whole (the 'global environment'). +# 2. Directives that define the parameters of the 'main' or 'default' server, +# which responds to requests that aren't handled by a virtual host. +# These directives also provide default values for the settings +# of all virtual hosts. +# 3. Settings for virtual hosts, which allow Web requests to be sent to +# different IP addresses or hostnames and have them handled by the +# same Apache server process. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log" +# with ServerRoot set to "" will be interpreted by the +# server as "//var/log/apache2/foo.log". +# + +### Section 1: Global Environment +# +# The directives in this section affect the overall operation of Apache, +# such as the number of concurrent requests it can handle or where it +# can find its configuration files. +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! 
If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the LockFile documentation (available +# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#<IfModule !mpm_winnt.c> +#<IfModule !mpm_netware.c> +LockFile /var/lock/apache2/accept.lock +#</IfModule> +#</IfModule> + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 15 + + +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# + +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# +<Files ~ "^\.ht"> + Order allow,deny + Deny from all +</Files> + +TypesConfig /etc/mime.types + +# +# DefaultType is the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. 
+# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. +# +DefaultType text/plain + + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +# +ServerTokens Prod + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +ServerSignature Off + +DirectoryIndex index.html diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/browser_fixes.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/browser_fixes.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,26 @@ +<IfModule mod_setenvif.c> + # + # The following directives modify normal HTTP response behavior to + # handle known problems with browser implementations. + # + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + + # + # The following directive disables redirects on non-GET requests for + # a directory that does not include the trailing slash. This fixes a + # problem with Microsoft WebFolders which does not appropriately handle + # redirects for folders with DAV methods. + # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. + # + BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully + BrowserMatch "MS FrontPage" redirect-carefully + BrowserMatch "^WebDrive" redirect-carefully + BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully + BrowserMatch "^gnome-vfs/1.0" redirect-carefully + BrowserMatch "^XML Spy" redirect-carefully + BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully +</IfModule> diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/debian.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/debian.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,677 @@ +# 000-debian.conf -- this reproduces the default debian configuration + +# +# Based upon the NCSA server configuration files originally by Rob McCool. +# +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See <URL:http://httpd.apache.org/docs-2.1/> for detailed information about +# the directives. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# The configuration directives are grouped into three basic sections: +# 1. Directives that control the operation of the Apache server process as a +# whole (the 'global environment'). +# 2. Directives that define the parameters of the 'main' or 'default' server, +# which responds to requests that aren't handled by a virtual host. +# These directives also provide default values for the settings +# of all virtual hosts. +# 3. Settings for virtual hosts, which allow Web requests to be sent to +# different IP addresses or hostnames and have them handled by the +# same Apache server process. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log" +# with ServerRoot set to "" will be interpreted by the +# server as "//var/log/apache2/foo.log". +# + +### Section 1: Global Environment +# +# The directives in this section affect the overall operation of Apache, +# such as the number of concurrent requests it can handle or where it +# can find its configuration files. +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! 
If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the LockFile documentation (available +# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#<IfModule !mpm_winnt.c> +#<IfModule !mpm_netware.c> +LockFile /var/lock/apache2/accept.lock +#</IfModule> +#</IfModule> + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# +PidFile /var/run/apache2.pid + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 15 + +## +## Server-Pool Size Regulation (MPM specific) +## + +# prefork MPM +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxClients: maximum number of server processes allowed to start +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_prefork_module> + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# worker MPM +# StartServers: initial number of server processes to start +# MaxClients: maximum number of simultaneous client connections +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_worker_module> + StartServers 2 + MaxClients 150 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxRequestsPerChild 0 +</IfModule> + +User www-data +Group www-data + +# +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# + +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# +<Files ~ "^\.ht"> + Order allow,deny + Deny from all +</Files> + +TypesConfig /etc/mime.types + +# +# DefaultType is the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. +# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. 
If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. +# +DefaultType text/plain + + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a <VirtualHost> +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a <VirtualHost> +# container, that host's errors will be logged there and not here. +# +ErrorLog /var/log/apache2/error.log + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +# the apache2 puppet config already does this stuff: +## Include module configuration: +#Include /etc/apache2/mods-enabled/*.load +#Include /etc/apache2/mods-enabled/*.conf +# +## Include all the user configurations: +#Include /etc/apache2/httpd.conf +# +## Include ports listing +#Include /etc/apache2/ports.conf +# +## Include generic snippets of statements +#Include /etc/apache2/conf.d/ + +# the apache2 puppet config removes ports.conf, which would have been +# included above, and which contains (by default) the following line: +Listen 80 + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive (see below). 
+# +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %b" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +# +ServerTokens Full + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +ServerSignature On + +<IfModule alias_module> + # + # Aliases: Add here as many aliases as you need (with no limit). The format is + # Alias fakename realname + # + # Note that if you include a trailing / on fakename then the server will + # require it to be present in the URL. So "/icons" isn't aliased in this + # example, only "/icons/". If the fakename is slash-terminated, then the + # realname must also be slash terminated, and if the fakename omits the + # trailing slash, the realname must also omit it. + # + # We include the /icons/ alias for FancyIndexed directory listings. If + # you do not use FancyIndexing, you may comment this out. + # + Alias /icons/ "/usr/share/apache2/icons/" + + <Directory "/usr/share/apache2/icons"> + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + </Directory> + +</IfModule> + +# +# Directives controlling the display of server-generated directory listings. +# +<IfModule mod_autoindex.c> + + # + # IndexOptions: Controls the appearance of server-generated directory + # listings. 
+ # + IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* + + # + # AddIcon* directives tell the server which icon to show for different + # files or filename extensions. These are only displayed for + # FancyIndexed directories. + # + AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + + AddIconByType (TXT,/icons/text.gif) text/* + AddIconByType (IMG,/icons/image2.gif) image/* + AddIconByType (SND,/icons/sound2.gif) audio/* + AddIconByType (VID,/icons/movie.gif) video/* + + AddIcon /icons/binary.gif .bin .exe + AddIcon /icons/binhex.gif .hqx + AddIcon /icons/tar.gif .tar + AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv + AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip + AddIcon /icons/a.gif .ps .ai .eps + AddIcon /icons/layout.gif .html .shtml .htm .pdf + AddIcon /icons/text.gif .txt + AddIcon /icons/c.gif .c + AddIcon /icons/p.gif .pl .py + AddIcon /icons/f.gif .for + AddIcon /icons/dvi.gif .dvi + AddIcon /icons/uuencoded.gif .uu + AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl + AddIcon /icons/tex.gif .tex + AddIcon /icons/bomb.gif core + + AddIcon /icons/back.gif .. + AddIcon /icons/hand.right.gif README + AddIcon /icons/folder.gif ^^DIRECTORY^^ + AddIcon /icons/blank.gif ^^BLANKICON^^ + + # + # DefaultIcon is which icon to show for files which do not have an icon + # explicitly set. + # + DefaultIcon /icons/unknown.gif + + # + # AddDescription allows you to place a short description after a file in + # server-generated indexes. These are only displayed for FancyIndexed + # directories. + # Format: AddDescription "description" filename + # + #AddDescription "GZIP compressed document" .gz + #AddDescription "tar archive" .tar + #AddDescription "GZIP compressed tar archive" .tgz + + # + # ReadmeName is the name of the README file the server will look for by + # default, and append to directory listings. + # + # HeaderName is the name of a file which should be prepended to + # directory indexes. 
+ ReadmeName README.html + HeaderName HEADER.html + + # + # IndexIgnore is a set of filenames which directory indexing should ignore + # and not include in the listing. Shell-style wildcarding is permitted. + # + IndexIgnore .??* *~ *# RCS CVS *,v *,t +</IfModule> + +<IfModule mod_mime.c> + + # + # AddType allows you to add to or override the MIME configuration + # file mime.types for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # Despite the name similarity, the following Add* directives have + # nothing to do with the FancyIndexing customization directives above. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # DefaultLanguage and AddLanguage allows you to specify the language of + # a document. You can then use content negotiation to give a browser a + # file in a language the user can understand. + # + # Specify a default language. This means that all data + # going out without a specific language tag (see below) will + # be marked with this one. You probably do NOT want to set + # this unless you are sure it is correct for all cases. + # + # * It is generally better to not mark a page as + # * being a certain language than marking it with the wrong + # * language! + # + # DefaultLanguage nl + # + # Note 1: The suffix does not have to be the same as the language + # keyword --- those with documents in Polish (whose net-standard + # language code is pl) may wish to use "AddLanguage pl .po" to + # avoid the ambiguity with the common suffix for perl scripts. 
+ # + # Note 2: The example entries below illustrate that in some cases + # the two character 'Language' abbreviation is not identical to + # the two character 'Country' code for its country, + # E.g. 'Danmark/dk' versus 'Danish/da'. + # + # Note 3: In the case of 'ltz' we violate the RFC by using a three char + # specifier. There is 'work in progress' to fix this and get + # the reference data for rfc1766 cleaned up. + # + # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) + # English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) + # Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) + # Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) + # Norwegian (no) - Polish (pl) - Portugese (pt) + # Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) + # Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) + # + AddLanguage ca .ca + AddLanguage cs .cz .cs + AddLanguage da .dk + AddLanguage de .de + AddLanguage el .el + AddLanguage en .en + AddLanguage eo .eo + AddLanguage es .es + AddLanguage et .et + AddLanguage fr .fr + AddLanguage he .he + AddLanguage hr .hr + AddLanguage it .it + AddLanguage ja .ja + AddLanguage ko .ko + AddLanguage ltz .ltz + AddLanguage nl .nl + AddLanguage nn .nn + AddLanguage no .no + AddLanguage pl .po + AddLanguage pt .pt + AddLanguage pt-BR .pt-br + AddLanguage ru .ru + AddLanguage sv .sv + AddLanguage zh-CN .zh-cn + AddLanguage zh-TW .zh-tw +</IfModule> + +<IfModule mod_negotiation.c> + # + # LanguagePriority allows you to give precedence to some languages + # in case of a tie during content negotiation. + # + # Just list the languages in decreasing order of preference. We have + # more or less alphabetized them here. You probably want to change this. 
+ # + LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW + + # + # ForceLanguagePriority allows you to serve a result page rather than + # MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) + # [in case no accepted languages matched the available variants] + # + ForceLanguagePriority Prefer Fallback + +</IfModule> + +<IfModule mod_mime.c> + # + # Specify a default charset for all pages sent out. This is + # always a good idea and opens the door for future internationalisation + # of your web site, should you ever want it. Specifying it as + # a default does little harm; as the standard dictates that a page + # is in iso-8859-1 (latin1) unless specified otherwise i.e. you + # are merely stating the obvious. There are also some security + # reasons in browsers, related to javascript and URL parsing + # which encourage you to always set a default char set. + # + #AddDefaultCharset ISO-8859-1 + + # + # Commonly used filename extensions to character sets. You probably + # want to avoid clashes with the language extensions, unless you + # are good at carefully testing your setup after each change. + # See http://www.iana.org/assignments/character-sets for the + # official list of charset names and their respective RFCs. 
+ # + AddCharset us-ascii .ascii .us-ascii + AddCharset ISO-8859-1 .iso8859-1 .latin1 + AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen + AddCharset ISO-8859-3 .iso8859-3 .latin3 + AddCharset ISO-8859-4 .iso8859-4 .latin4 + AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru + AddCharset ISO-8859-6 .iso8859-6 .arb .arabic + AddCharset ISO-8859-7 .iso8859-7 .grk .greek + AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew + AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk + AddCharset ISO-8859-10 .iso8859-10 .latin6 + AddCharset ISO-8859-13 .iso8859-13 + AddCharset ISO-8859-14 .iso8859-14 .latin8 + AddCharset ISO-8859-15 .iso8859-15 .latin9 + AddCharset ISO-8859-16 .iso8859-16 .latin10 + AddCharset ISO-2022-JP .iso2022-jp .jis + AddCharset ISO-2022-KR .iso2022-kr .kis + AddCharset ISO-2022-CN .iso2022-cn .cis + AddCharset Big5 .Big5 .big5 .b5 + AddCharset cn-Big5 .cn-big5 + # For russian, more than one charset is used (depends on client, mostly): + AddCharset WINDOWS-1251 .cp-1251 .win-1251 + AddCharset CP866 .cp866 + AddCharset KOI8 .koi8 + AddCharset KOI8-E .koi8-e + AddCharset KOI8-r .koi8-r .koi8-ru + AddCharset KOI8-U .koi8-u + AddCharset KOI8-ru .koi8-uk .ua + AddCharset ISO-10646-UCS-2 .ucs2 + AddCharset ISO-10646-UCS-4 .ucs4 + AddCharset UTF-7 .utf7 + AddCharset UTF-8 .utf8 + AddCharset UTF-16 .utf16 + AddCharset UTF-16BE .utf16be + AddCharset UTF-16LE .utf16le + AddCharset UTF-32 .utf32 + AddCharset UTF-32BE .utf32be + AddCharset UTF-32LE .utf32le + AddCharset euc-cn .euc-cn + AddCharset euc-gb .euc-gb + AddCharset euc-jp .euc-jp + AddCharset euc-kr .euc-kr + #Not sure how euc-tw got in - IANA doesn't list it??? + AddCharset EUC-TW .euc-tw + AddCharset gb2312 .gb2312 .gb + AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2 + AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4 + AddCharset shift_jis .shift_jis .sjis + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. 
These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # + # For files that include their own HTTP headers: + # + #AddHandler send-as-is asis + + # + # For server-parsed imagemap files: + # + #AddHandler imap-file map + + # + # For type maps (negotiated resources): + # (This is enabled by default to allow the Apache "It Worked" page + # to be distributed in multiple languages.) + # + AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + AddType text/html .shtml + AddOutputFilter INCLUDES .shtml +</IfModule> + +# +# Action lets you define media types that will execute a script whenever +# a matching file is called. This eliminates the need for repeated URL +# pathnames for oft-used CGI file processors. +# Format: Action media/type /cgi-script/location +# Format: Action handler-name /cgi-script/location +# + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# Putting this all together, we can internationalize error responses. +# +# We use Alias to redirect any /error/HTTP_<error>.html.var response to +# our collection of by-error message multi-language collections. We use +# includes to substitute the appropriate text. 
+# +# You can modify the messages' appearance without changing any of the +# default HTTP_<error>.html.var files by adding the line: +# +# Alias /error/include/ "/your/include/path/" +# +# which allows you to create your own set of files by starting with the +# /usr/share/apache2/error/include/ files and copying them to /your/include/path/, +# even on a per-VirtualHost basis. The default include files will display +# your Apache version number and your ServerAdmin email address regardless +# of the setting of ServerSignature. +# +# The internationalized error documents require mod_alias, mod_include +# and mod_negotiation. To activate them, uncomment the following 30 lines. + +# Alias /error/ "/usr/share/apache2/error/" +# +# <Directory "/usr/share/apache2/error"> +# AllowOverride None +# Options IncludesNoExec +# AddOutputFilter Includes html +# AddHandler type-map var +# Order allow,deny +# Allow from all +# LanguagePriority en cs de es fr it nl sv pt-br ro +# ForceLanguagePriority Prefer Fallback +# </Directory> +# +# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +# ErrorDocument 410 /error/HTTP_GONE.html.var +# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +# ErrorDocument 506 
/error/HTTP_VARIANT_ALSO_VARIES.html.var + +<IfModule mod_setenvif.c> + # + # The following directives modify normal HTTP response behavior to + # handle known problems with browser implementations. + # + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + + # + # The following directive disables redirects on non-GET requests for + # a directory that does not include the trailing slash. This fixes a + # problem with Microsoft WebFolders which does not appropriately handle + # redirects for folders with DAV methods. + # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. + # + BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully + BrowserMatch "MS FrontPage" redirect-carefully + BrowserMatch "^WebDrive" redirect-carefully + BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully + BrowserMatch "^gnome-vfs/1.0" redirect-carefully + BrowserMatch "^XML Spy" redirect-carefully + BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully +</IfModule> + +#<IfModule mod_status.c> + # + # Allow server status reports generated by mod_status, + # with the URL of http://servername/server-status + # Change the ".example.com" to match your domain to enable. + # + #<Location /server-status> + # SetHandler server-status + # Order deny,allow + # Deny from all + # Allow from .example.com + #</Location> +#</IfModule> + +#<IfModule mod_info.c> + # + # Allow remote server configuration reports, with the URL of + # http://servername/server-info (requires that mod_info.c be loaded). + # Change the ".example.com" to match your domain to enable. 
+ # + #<Location /server-info> + # SetHandler server-info + # Order deny,allow + # Deny from all + # Allow from .example.com + #</Location> +#</IfModule> + +# the puppet apache2 module does this already: +## Include the virtual host configurations: +#Include /etc/apache2/sites-enabled/ diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/directory_indexes.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/directory_indexes.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,101 @@ +<IfModule alias_module> + # + # Aliases: Add here as many aliases as you need (with no limit). The format is + # Alias fakename realname + # + # Note that if you include a trailing / on fakename then the server will + # require it to be present in the URL. So "/icons" isn't aliased in this + # example, only "/icons/". If the fakename is slash-terminated, then the + # realname must also be slash terminated, and if the fakename omits the + # trailing slash, the realname must also omit it. + # + # We include the /icons/ alias for FancyIndexed directory listings. If + # you do not use FancyIndexing, you may comment this out. + # + Alias /icons/ "/usr/share/apache2/icons/" + + <Directory "/usr/share/apache2/icons"> + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + </Directory> + +</IfModule> + +# +# Directives controlling the display of server-generated directory listings. +# +<IfModule mod_autoindex.c> + + # + # IndexOptions: Controls the appearance of server-generated directory + # listings. + # + IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* + + # + # AddIcon* directives tell the server which icon to show for different + # files or filename extensions. These are only displayed for + # FancyIndexed directories. 
+ # + AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + + AddIconByType (TXT,/icons/text.gif) text/* + AddIconByType (IMG,/icons/image2.gif) image/* + AddIconByType (SND,/icons/sound2.gif) audio/* + AddIconByType (VID,/icons/movie.gif) video/* + + AddIcon /icons/binary.gif .bin .exe + AddIcon /icons/binhex.gif .hqx + AddIcon /icons/tar.gif .tar + AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv + AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip + AddIcon /icons/a.gif .ps .ai .eps + AddIcon /icons/layout.gif .html .shtml .htm .pdf + AddIcon /icons/text.gif .txt + AddIcon /icons/c.gif .c + AddIcon /icons/p.gif .pl .py + AddIcon /icons/f.gif .for + AddIcon /icons/dvi.gif .dvi + AddIcon /icons/uuencoded.gif .uu + AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl + AddIcon /icons/tex.gif .tex + AddIcon /icons/bomb.gif core + + AddIcon /icons/back.gif .. + AddIcon /icons/hand.right.gif README + AddIcon /icons/folder.gif ^^DIRECTORY^^ + AddIcon /icons/blank.gif ^^BLANKICON^^ + + # + # DefaultIcon is which icon to show for files which do not have an icon + # explicitly set. + # + DefaultIcon /icons/unknown.gif + + # + # AddDescription allows you to place a short description after a file in + # server-generated indexes. These are only displayed for FancyIndexed + # directories. + # Format: AddDescription "description" filename + # + #AddDescription "GZIP compressed document" .gz + #AddDescription "tar archive" .tar + #AddDescription "GZIP compressed tar archive" .tgz + + # + # ReadmeName is the name of the README file the server will look for by + # default, and append to directory listings. + # + # HeaderName is the name of a file which should be prepended to + # directory indexes. + ReadmeName README.html + HeaderName HEADER.html + + # + # IndexIgnore is a set of filenames which directory indexing should ignore + # and not include in the listing. Shell-style wildcarding is permitted. 
+ # + IndexIgnore .??* *~ *# RCS CVS *,v *,t +</IfModule> diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/dw.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/dw.conf.erb Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,18 @@ +############################################################################### +# Dreamwidth Apache2 site configuration +############################################################################### + +User dw +Group dw +UseCanonicalName off + +StartServers 3 +MaxSpareServers 5 +MinSpareServers 1 +MaxClients 2 +MaxRequestsPerChild 200 + +DocumentRoot /home/dw/current/htdocs +PerlSetEnv LJHOME /home/dw/current +PerlPassEnv LJHOME +PerlRequire /home/dw/current/cgi-bin/modperl.pl diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/logging-errorlog.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/logging-errorlog.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,43 @@ +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a <VirtualHost> +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a <VirtualHost> +# container, that host's errors will be logged there and not here. +# +ErrorLog /var/log/apache2/error.log + +# +# The following directives define some format nicknames for use with +# a CustomLog directive (see below). +# +# NOTE: using %a instead of %h seems to save a full DNS lookup for every +# connection... +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%a %l %u %t \"%r\" %>s %b" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# +# This will send the access log messages to syslog +# +CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined + +# +# The BufferedLogs directive causes mod_log_config to store several log +# entries in memory and write them together to disk, rather than writing +# them after each request. On some systems, this may result in more +# efficient disk access and hence higher performance. It may be set only +# once for the entire server; it cannot be configured per virtual-host. +# This directive is experimental and should be used with caution. + +BufferedLogs On diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/logging-syslog.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/logging-syslog.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,42 @@ +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a <VirtualHost> +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a <VirtualHost> +# container, that host's errors will be logged there and not here. +# +ErrorLog syslog:local7 + +# +# The following directives define some format nicknames for use with +# a CustomLog directive (see below). +# +# NOTE: using %a instead of %h seems to save a full DNS lookup for every +# connection... +# +LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%a %l %u %t \"%r\" %>s %b" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# +# This will send the access log messages to syslog +# +CustomLog "|/usr/bin/logger -p local7.info -t apache" combined + +# +# The BufferedLogs directive causes mod_log_config to store several log +# entries in memory and write them together to disk, rather than writing +# them after each request. On some systems, this may result in more +# efficient disk access and hence higher performance. It may be set only +# once for the entire server; it cannot be configured per virtual-host. +# This directive is experimental and should be used with caution. + +BufferedLogs On \ No newline at end of file diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/mime-extras.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/mime-extras.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,211 @@ +<IfModule mod_mime.c> + # + # AddType allows you to add to or override the MIME configuration + # file mime.types for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # Despite the name similarity, the following Add* directives have + # nothing to do with the FancyIndexing customization directives above. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # DefaultLanguage and AddLanguage allows you to specify the language of + # a document. You can then use content negotiation to give a browser a + # file in a language the user can understand. + # + # Specify a default language. This means that all data + # going out without a specific language tag (see below) will + # be marked with this one. You probably do NOT want to set + # this unless you are sure it is correct for all cases. + # + # * It is generally better to not mark a page as + # * being a certain language than marking it with the wrong + # * language! + # + # DefaultLanguage nl + # + # Note 1: The suffix does not have to be the same as the language + # keyword --- those with documents in Polish (whose net-standard + # language code is pl) may wish to use "AddLanguage pl .po" to + # avoid the ambiguity with the common suffix for perl scripts. + # + # Note 2: The example entries below illustrate that in some cases + # the two character 'Language' abbreviation is not identical to + # the two character 'Country' code for its country, + # E.g. 'Danmark/dk' versus 'Danish/da'. + # + # Note 3: In the case of 'ltz' we violate the RFC by using a three char + # specifier. 
There is 'work in progress' to fix this and get + # the reference data for rfc1766 cleaned up. + # + # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) + # English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) + # Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) + # Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) + # Norwegian (no) - Polish (pl) - Portugese (pt) + # Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) + # Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) + # +# AddLanguage ca .ca +# AddLanguage cs .cz .cs +# AddLanguage da .dk +# AddLanguage de .de +# AddLanguage el .el +# AddLanguage en .en +# AddLanguage eo .eo +# AddLanguage es .es +# AddLanguage et .et +# AddLanguage fr .fr +# AddLanguage he .he +# AddLanguage hr .hr +# AddLanguage it .it +# AddLanguage ja .ja +# AddLanguage ko .ko +# AddLanguage ltz .ltz +# AddLanguage nl .nl +# AddLanguage nn .nn +# AddLanguage no .no +# AddLanguage pl .po +# AddLanguage pt .pt +# AddLanguage pt-BR .pt-br +# AddLanguage ru .ru +# AddLanguage sv .sv +# AddLanguage zh-CN .zh-cn +# AddLanguage zh-TW .zh-tw +</IfModule> + +<IfModule mod_negotiation.c> + # + # LanguagePriority allows you to give precedence to some languages + # in case of a tie during content negotiation. + # + # Just list the languages in decreasing order of preference. We have + # more or less alphabetized them here. You probably want to change this. + # + LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW + + # + # ForceLanguagePriority allows you to serve a result page rather than + # MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) + # [in case no accepted languages matched the available variants] + # + ForceLanguagePriority Prefer Fallback + +</IfModule> + +<IfModule mod_mime.c> + # + # Specify a default charset for all pages sent out. 
This is + # always a good idea and opens the door for future internationalisation + # of your web site, should you ever want it. Specifying it as + # a default does little harm; as the standard dictates that a page + # is in iso-8859-1 (latin1) unless specified otherwise i.e. you + # are merely stating the obvious. There are also some security + # reasons in browsers, related to javascript and URL parsing + # which encourage you to always set a default char set. + # + #AddDefaultCharset ISO-8859-1 + + # + # Commonly used filename extensions to character sets. You probably + # want to avoid clashes with the language extensions, unless you + # are good at carefully testing your setup after each change. + # See http://www.iana.org/assignments/character-sets for the + # official list of charset names and their respective RFCs. + # + AddCharset us-ascii .ascii .us-ascii + AddCharset ISO-8859-1 .iso8859-1 .latin1 + AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen + AddCharset ISO-8859-3 .iso8859-3 .latin3 + AddCharset ISO-8859-4 .iso8859-4 .latin4 + AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru + AddCharset ISO-8859-6 .iso8859-6 .arb .arabic + AddCharset ISO-8859-7 .iso8859-7 .grk .greek + AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew + AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk + AddCharset ISO-8859-10 .iso8859-10 .latin6 + AddCharset ISO-8859-13 .iso8859-13 + AddCharset ISO-8859-14 .iso8859-14 .latin8 + AddCharset ISO-8859-15 .iso8859-15 .latin9 + AddCharset ISO-8859-16 .iso8859-16 .latin10 + AddCharset ISO-2022-JP .iso2022-jp .jis + AddCharset ISO-2022-KR .iso2022-kr .kis + AddCharset ISO-2022-CN .iso2022-cn .cis + AddCharset Big5 .Big5 .big5 .b5 + AddCharset cn-Big5 .cn-big5 + # For russian, more than one charset is used (depends on client, mostly): + AddCharset WINDOWS-1251 .cp-1251 .win-1251 + AddCharset CP866 .cp866 + AddCharset KOI8 .koi8 + AddCharset KOI8-E .koi8-e + AddCharset KOI8-r .koi8-r .koi8-ru + AddCharset KOI8-U .koi8-u + AddCharset KOI8-ru .koi8-uk .ua 
+ AddCharset ISO-10646-UCS-2 .ucs2 + AddCharset ISO-10646-UCS-4 .ucs4 + AddCharset UTF-7 .utf7 + AddCharset UTF-8 .utf8 + AddCharset UTF-16 .utf16 + AddCharset UTF-16BE .utf16be + AddCharset UTF-16LE .utf16le + AddCharset UTF-32 .utf32 + AddCharset UTF-32BE .utf32be + AddCharset UTF-32LE .utf32le + AddCharset euc-cn .euc-cn + AddCharset euc-gb .euc-gb + AddCharset euc-jp .euc-jp + AddCharset euc-kr .euc-kr + #Not sure how euc-tw got in - IANA doesn't list it??? + AddCharset EUC-TW .euc-tw + AddCharset gb2312 .gb2312 .gb + AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2 + AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4 + AddCharset shift_jis .shift_jis .sjis + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # + # For files that include their own HTTP headers: + # + #AddHandler send-as-is asis + + # + # For server-parsed imagemap files: + # + #AddHandler imap-file map + + # + # For type maps (negotiated resources): + # (This is enabled by default to allow the Apache "It Worked" page + # to be distributed in multiple languages.) + # + AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + AddType text/html .shtml + AddOutputFilter INCLUDES .shtml +</IfModule> diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/mime-minimal.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/mime-minimal.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,15 @@ +# this is a very minimal mime configuration -- in particular, all +# of the magical language/negotiation stuff that apache can do. +# has been stripped out, because we don't use apache for that. + +<IfModule mod_mime.c> + + # Lookup mime types in the system-wide mime.types file first + TypesConfig /etc/mime.types + + # for firefox extensions: + # this is in more recent mime.types files (feisty) but not older ones + # (sarge). explicitly include it just to be safe. + AddType application/x-xpinstall .xpi + +</IfModule> \ No newline at end of file diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/mpm-prefork.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/mpm-prefork.conf.erb Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,17 @@ +## +## Server-Pool Size Regulation (MPM specific) +## + +# prefork MPM +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxClients: maximum number of server processes allowed to start +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_prefork_module> + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/mpm-worker.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/mpm-worker.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,20 @@ +## +## Server-Pool Size Regulation (MPM specific) +## + +# worker MPM +# StartServers: initial number of server processes to start +# MaxClients: maximum number of simultaneous client connections +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_worker_module> + StartServers 5 + MaxClients 300 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxRequestsPerChild 0 +</IfModule> + diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/mpm-worker.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/mpm-worker.erb Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,20 @@ +## +## Server-Pool Size Regulation (MPM specific) +## + +# worker MPM +# StartServers: initial number of server processes to start +# MaxClients: maximum number of simultaneous client connections +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_worker_module> + StartServers 2 + MaxClients 500 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxRequestsPerChild 0 +</IfModule> + diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/ports.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/ports.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,12 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default + +NameVirtualHost *:80 +Listen 80 + +<IfModule mod_ssl.c> + # SSL name based virtual hosts are not yet supported, therefore no + # NameVirtualHost statement here + Listen 443 +</IfModule> diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/security.conf.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/security.conf.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,50 @@ +# +# Disable access to the entire file system except for the directories that +# are explicitly allowed later. +# +# This currently breaks the configurations that come with some web application +# Debian packages. It will be made the default for the release after lenny. +# +#<Directory /> +# AllowOverride None +# Order Deny,Allow +# Deny from all +#</Directory> + + +# Changing the following options will not really affect the security of the +# server, but might make attacks slightly more difficult in some cases. + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +# +#ServerTokens Minimal +ServerTokens Full + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +#ServerSignature Off +ServerSignature On + +# +# Allow TRACE method +# +# Set to "extended" to also reflect the request body (only for testing and +# diagnostic purposes). +# +# Set to one of: On | Off | extended +# +#TraceEnable Off +TraceEnable On + diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apache2/templates/server-status.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apache2/templates/server-status.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,19 @@ +# create a virtual host which provides statistics +ExtendedStatus on +NameVirtualHost <%= 127.0.0.1 %> +<VirtualHost <%= 127.0.0.1 %>> + # hide this a little bit from "normal" accesses + # This expects that external users only use the fqdn to access a service + ServerName <%= hostname %> + <Directory /> + Order deny,allow + Deny from all + </Directory> + <Location /server-status> + SetHandler server-status + Order deny,allow + Deny from all + Allow from <%= 127.0.0.1 %> + </Location> +</VirtualHost> + diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apt/README --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apt/README Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,31 @@ +This is a very simple module that installs /etc/apt/sources.list. The +default class replicates the Ubuntu Intrepid contents. + +How to use + + * Create a class that inherits from "apt". + * Use the apt::sources function to specify contents for sources.list + +apt::sources + Arguments: + host: the hostname portion of the URL to load packages from (required) + port: an alternate port to access for loading packages from the + specified host (if not present, none is used) + release: the Ubuntu release name, e.g.: "hardy", "intrepid" (required) + content: alternate specification for the file contents. + + This loads the $name.erb template, replacing the template values with + those given by host, port, and release and saves it as + /etc/apt/sources.list. + +Example: + +# This uses the standard Ubuntu sources.list template, but points it at a +# local cache host running on port 8080, and requests the Hardy release. +class apt::mysources inherits apt { + apt::sources { "default": + host => "localcache.example.org", + port => "8080", + release => "hardy" + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apt/manifests/default.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apt/manifests/default.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,13 @@ +############################################################################### +# Default apt sources.list +# Recreates Intrepid sources for a US-based archive +# Xenacryst, 15-MAR-2009 +############################################################################### + +class apt::default inherits apt { + apt::sources { "default": + ensure => present, + host => 'us.archive.ubuntu.com', + release => 'intrepid' + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apt/manifests/dreamwidth.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apt/manifests/dreamwidth.pp Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,16 @@ +############################################################################### +# Dreamwidth sources.list +# Xenacryst, 15-MAR-2009 +# +# Use the local Dreamwidth package cache, available on port 9999, using +# Ubuntu Hardy. +############################################################################### + +class apt::dreamwidth inherits apt { + apt::sources { "dreamwidth": + ensure => present, + host => 'dw-lb01', + port => '9999', + release => 'hardy' + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apt/manifests/init.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apt/manifests/init.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,36 @@ +############################################################################### +# apt sources class +# Xenacryst, 14-MAR-2009 +# +# This installs /etc/apt/sources.list with the given template and values +############################################################################### + +class apt { + define sources ( + $ensure = 'present', + $host = 'us.archive.ubuntu.com', + $port = '', + $release, + $content = '' + ) { + $apt_uri = $port ? { + '' => $host, + default => "$host:$port" + } + + $ubuntu_release = $release + + $real_content = $content ? { + '' => template ("apt/$name.erb"), + default => $content + } + + file { "/etc/apt/sources.list": + ensure => $ensure, + content => $real_content, + mode => 444, + owner => root, + group => root + } + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apt/templates/default.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apt/templates/default.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,54 @@ +############################################################################### +# Default apt sources.list, copied from Ubuntu Intrepid, with Puppet +# template statements replacing the URL and release. +# The URL for security updates is hardcoded. + +deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %> main restricted +deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %> main + +## Major bug fix updates produced after the final release of the +## distribution. +deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-updates main restricted +deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-updates main + +## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu +## team. Also, please note that software in universe WILL NOT receive any +## review or updates from the Ubuntu security team. +deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %> universe +deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %> universe +deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-updates universe +deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-updates universe + +## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu +## team, and may not be under a free licence. Please satisfy yourself as to +## your rights to use the software. Also, please note that software in +## multiverse WILL NOT receive any review or updates from the Ubuntu +## security team. +deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %> multiverse +deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %> multiverse +deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-updates multiverse +deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-updates multiverse + +## Uncomment the following two lines to add software from the 'backports' +## repository. +## N.B. 
software from this repository may not have been tested as +## extensively as that contained in the main release, although it includes +## newer versions of some applications which may provide useful features. +## Also, please note that software in backports WILL NOT receive any review +## or updates from the Ubuntu security team. +# deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-backports main restricted universe multiverse +# deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-backports main restricted universe multiverse + +## Uncomment the following two lines to add software from Canonical's +## 'partner' repository. This software is not part of Ubuntu, but is +## offered by Canonical and the respective vendors as a service to Ubuntu +## users. +# deb http://archive.canonical.com/ubuntu <%= ubuntu_release %> partner +# deb-src http://archive.canonical.com/ubuntu <%= ubuntu_release %> partner + +deb http://security.ubuntu.com/ubuntu <%= ubuntu_release %>-security main restricted +deb-src http://security.ubuntu.com/ubuntu <%= ubuntu_release %>-security main +deb http://security.ubuntu.com/ubuntu <%= ubuntu_release %>-security universe +deb-src http://security.ubuntu.com/ubuntu <%= ubuntu_release %>-security universe +deb http://security.ubuntu.com/ubuntu <%= ubuntu_release %>-security multiverse +deb-src http://security.ubuntu.com/ubuntu <%= ubuntu_release %>-security multiverse diff -r 000000000000 -r 23b2c43efb45 puppet/modules/apt/templates/dreamwidth.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/apt/templates/dreamwidth.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,8 @@ +deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %> main restricted universe +deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %> main restricted universe + +deb http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-updates main restricted universe +deb-src http://<%= apt_uri %>/ubuntu/ <%= ubuntu_release %>-updates main restricted universe + +deb http://<%= apt_uri %>/ubuntu <%= ubuntu_release %>-security main restricted universe +deb-src http://<%= apt_uri %>/ubuntu <%= ubuntu_release %>-security main restricted universe diff -r 000000000000 -r 23b2c43efb45 puppet/modules/iptables/README --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/iptables/README Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,19 @@ +Simple management of iptables rules + +This module does the following: + + * Installs an iptables rule set as /etc/iptables.up.rules. + * Installs a script /etc/network/if-pre-up.d/iptables that loads the + former file at network initialization. + * Runs /sbin/iptables-restore to load the iptables rules any time + iptables.up.rules changes. + +To modify the rules: + + * Modify the template file in the templates directory that includes the + iptables rules (for Dreamwidth, this is templates/dreamwidth.erb). + +To extend: + + * Create a class that inherits from iptables. + * Use the rules() function as indicated in init.pp diff -r 000000000000 -r 23b2c43efb45 puppet/modules/iptables/files/iptables --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/iptables/files/iptables Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,8 @@ +#!/bin/sh +# Load iptables rules +# Xenacryst, 10-MAR-2009 + +if [ -f /etc/iptables.up.rules ]; then + /sbin/iptables-restore < /etc/iptables.up.rules + exit 0 +fi diff -r 000000000000 -r 23b2c43efb45 puppet/modules/iptables/manifests/dreamwidth.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/iptables/manifests/dreamwidth.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,8 @@ +############################################################################### +# Dreamwidth iptables specification +# Xenacryst, 16-MAR-2009 +############################################################################### + +class iptables::dreamwidth inherits iptables { + iptables::rules { "dreamwidth": ensure => present } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/iptables/manifests/init.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/iptables/manifests/init.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,53 @@ +############################################################################### +# Class for managing iptables rule files +# Xenacryst, 14-MAR-2009 +# +# Actions: +# * install /etc/network/if-pre-up.d/iptables script +# * install /etc/iptables.up.rules as directed by rules() +# * run iptables-restore whenever rules change +# +# To use the rules() function: +# Arguments (both optional): +# ensure: present (default) absent +# content: alternate content specification +# This function searches for a template called $name.erb and writes the +# /etc/iptables.up.rules file from that. If the template includes any +# variables, you can specify them before calling the rules() function. +############################################################################### + +class iptables { + # ensure that the iptables network initialization script is present + file { "/etc/network/if-pre-up.d/iptables": + ensure => present, + mode => 755, + owner => root, + group => root, + source => "puppet://$servername/iptables/iptables" + } + + # run the iptables-restore program to reload the rules + # only run this when requested (refreshonly) + exec { "iptables-restore": + command => "/sbin/iptables-restore < /etc/iptables.up.rules", + refreshonly => true + } + + # Load the iptables rules, write the file, and notify the iptables-restore + # exec to reload the rules + define rules ( $ensure = 'present', $content = '' ) { + $real_content = $content ? { + '' => template ("iptables/${name}.erb"), + default => $content + } + + file { "/etc/iptables.up.rules": + ensure => $ensure, + content => $real_content, + mode => 444, + owner => root, + group => root, + notify => Exec["iptables-restore"] + } + } +} diff -r 000000000000 -r 23b2c43efb45 puppet/modules/iptables/templates/dreamwidth.erb --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/iptables/templates/dreamwidth.erb Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,35 @@ +############################################################################### +# Dreamwidth iptables rules +# Note: this must be changed whenever a new host is added +# Initially copied from Mark's notes. +############################################################################### + +*filter + +# Allows all loopback (lo0) traffic and drop all +# traffic to 127/8 that doesn't use lo0 +-A INPUT -i lo -j ACCEPT +-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT + +# Accept inbound private traffic from one of our servers +-A INPUT -s 172.19.1.5 -j ACCEPT +-A INPUT -s 172.19.1.84 -j ACCEPT +-A INPUT -s 172.19.1.85 -j ACCEPT +-A INPUT -s 172.19.1.86 -j ACCEPT +-A INPUT -s 172.19.1.87 -j ACCEPT +-A INPUT -s 172.19.1.88 -j ACCEPT +-A INPUT -s 172.19.1.89 -j ACCEPT +-A INPUT -s 172.19.1.90 -j ACCEPT +-A INPUT -s 172.19.1.91 -j ACCEPT + +# Accepts all established inbound connections +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Allows all outbound traffic +-A OUTPUT -j ACCEPT + +# Reject all other inbound - default deny unless explicitly allowed policy +-A INPUT -j REJECT +-A FORWARD -j REJECT + +COMMIT diff -r 000000000000 -r 23b2c43efb45 puppet/modules/puppet/README --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/puppet/README Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,21 @@ +This module provides very simple management of the Puppet client and server +systems. + +Puppet Client: + * Installs /etc/puppet/puppetd.conf + * Ensures that the puppet client service is running + +Puppet Server: + * Installs /etc/puppet/puppetmasterd.conf + * Creates (if necessary) various Puppet directories + * Ensures that the puppetmaster service is running + +How to use: + +include puppet +puppet::client { $hostname: ensure => present } # for a puppet client +puppet::server { $hostname: ensure => present } # for a puppet server + +How to modify: + +Modify the puppetd.conf or puppetmasterd.conf files in the files directory. diff -r 000000000000 -r 23b2c43efb45 puppet/modules/puppet/files/puppetd.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/puppet/files/puppetd.conf Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,10 @@ +[main] + confdir = /etc/puppet + logdir = /var/log/puppet + vardir = /var/lib/puppet + ssldir = /var/lib/puppet/ssl + rundir = /var/run/puppet + factpath = $vardir/lib/facter + modulepath = /var/lib/puppet/modules:/usr/share/puppet/modules + templatedir = /var/lib/puppet/templates + pluginsync = true diff -r 000000000000 -r 23b2c43efb45 puppet/modules/puppet/files/puppetmasterd.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/puppet/files/puppetmasterd.conf Mon Mar 23 20:03:16 2009 +0000 @@ -0,0 +1,10 @@ +[main] + confdir = /etc/puppet + logdir = /var/log/puppet + vardir = /var/lib/puppet + ssldir = /var/lib/puppet/ssl + rundir = /var/run/puppet + factpath = $vardir/lib/facter + modulepath = /var/lib/puppet/modules:/usr/share/puppet/modules + templatedir = /var/lib/puppet/templates + pluginsync = true diff -r 000000000000 -r 23b2c43efb45 puppet/modules/puppet/manifests/init.pp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/puppet/modules/puppet/manifests/init.pp Mon Mar 23 20:03:16 2009 +0000 
@@ -0,0 +1,92 @@ +############################################################################### +# Puppet configuration file class +# Xenacryst, 16-MAR-2009 +############################################################################### + +class puppet { + + ################################################################ + # Puppet client definition: + # * Installs /etc/puppet/puppetd.conf + # * Starts the puppet service + define client ( + $ensure = 'present', + $source = '' + ) { + $real_source = $source ? { + '' => "puppet://$servername/puppet/puppetd.conf", + default => $source + } + + service { puppet: + ensure => running, + require => File["/etc/puppet/puppetd.conf"] + } + + file { "/etc/puppet/puppetd.conf": + ensure => $ensure, + source => $real_source, + mode => 444, + owner => root, + group => root, + notify => Service[puppetd] + } + } + ################################################################ + + ################################################################ + # Puppet server definition + # * Installs /etc/puppet/puppetmasterd.conf + # * Ensures necessary directories exist + # * Starts puppetmasterd service + define master ( + $ensure = 'present', + $source = '' + ) { + $real_source = $source ? 
{ + '' => "puppet://$servername/puppet/puppetmasterd.conf", + default => $source + } + + service { puppetmaster: + ensure => running, + require => File["/etc/puppet/puppetmasterd.conf"] + } + + file { "/var/lib/puppet": + ensure => directory, + owner => puppet, + group => puppet + } + file { "/var/lib/puppet/modules": + ensure => directory, + owner => puppet, + group => puppet + } + file { "/var/lib/puppet/ssl": + ensure => directory, + owner => puppet, + group => puppet + } + file { "/var/log/puppet": + ensure => directory, + owner => puppet, + group => puppet + } + file { "/var/run/puppet": + ensure => directory, + owner => puppet, + group => puppet + } + + file { "/etc/puppet/puppetmasterd.conf": + ensure => $ensure, + source => $real_source, + mode => 444, + owner => root, + group => root, + notify => Service[puppetmaster] + } + } + ################################################################ +} --------------------------------------------------------------------------------
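Review bot: `class iptables::dreamwidth inherits iptables` in `puppet/modules/iptables/manifests/dreamwidth.pp` uses class inheritance only to declare one `iptables::rules { "dreamwidth": ensure => present }` resource; nothing from the parent is overridden, which is the case inheritance is meant for. Declaring the class without `inherits` and putting `include iptables` in its body expresses the same dependency without coupling the two classes.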
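Review bot: in `define rules` (iptables `init.pp`), `ensure => absent` deletes `/etc/iptables.up.rules` and then, through `notify => Exec["iptables-restore"]`, runs `/sbin/iptables-restore < /etc/iptables.up.rules` against the file that was just removed, so the exec fails and whatever rule set was loaded before stays active. Either skip the restore when `$ensure` is not `present`, or guard the exec so it only runs when the rules file exists. The header comment should also state that the define always writes the same fixed path, so only one `iptables::rules` instance can be declared per host; a second declaration is a duplicate `File["/etc/iptables.up.rules"]` resource.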
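Review bot: the `dreamwidth.erb` template admits traffic only from the listed 172.19.1.x addresses plus ESTABLISHED,RELATED, and its last INPUT rule is `-A INPUT -j REJECT`, so no service port on the host is reachable from anywhere else and remote administration from outside that set is refused as well. If that is the intended posture for every host this class lands on, the header comment should say so; otherwise the required `--dport` accepts belong before the final REJECT. Since the file is already an `.erb`, the "must be changed whenever a new host is added" address list is a natural template variable (the `init.pp` header already notes that variables can be set before calling `rules()`). Minor: `-i ! lo` is the old intrapositioned negation; `! -i lo` is the form current iptables accepts without a deprecation warning.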
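Review bot: the "How to use" section of `puppet/modules/puppet/README` documents `puppet::server { $hostname: ensure => present }`, but `puppet/modules/puppet/manifests/init.pp` in this same commit declares `define master`, not `server`, so the documented line will not compile. Either change the README to `puppet::master { $hostname: ensure => present }` or rename the define to match the README.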
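Review bot: `puppet/modules/puppet/files/puppetmasterd.conf` is byte-for-byte identical to `puppetd.conf` (same ten `[main]` lines), so nothing in it is actually master-specific. Either serve one file to both defines, or add the settings that genuinely differ between client and master so the two files earn their separate names; keeping two identical copies invites them to drift apart silently.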
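Review bot: in `define client` (puppet module `init.pp`), the service is declared as `service { puppet: ... }` but the config file resource has `notify => Service[puppetd]`; no `Service[puppetd]` exists in the catalog, so the client catalog fails to compile with a missing-dependency error. Use the same title in both places, as the master define already does with `service { puppetmaster: ... }` and `notify => Service[puppetmaster]`. Two smaller points: the `require => File["/etc/puppet/puppetd.conf"]` on the service is redundant once the file notifies it, and with `$ensure = 'absent'` the config file is removed while the service is still forced to `ensure => running`.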