Denis Savitskiy sadfuzzy

The problem

There's enough trouble with puppet's ssl model (mandatory client certs) that people go and do odd things to get around it. The primary problem is that for lab/preproduction environments, if you reinstall machines frequently, you lose access to the private key that generated the original cert but (absent some puppet cert --clean [node] operation) the cert still exists, leading to the dreaded Retrieved certificate doesn't match private key error.

A solution

Generate a single client certificate which all your nodes use, and have the master determine node names from facter rather than the SSL DN. This way you can re-install nodes with impunity and as long as your bootstrap plops down the correct config and the cert+key, you don't have any more SSL issues.

The caveats

If you have autosign turned on, this change represents a shift in security tradeoffs: you can turn off autosign and therefore more tightly control which clients can talk to your server because they need to have your clie

	require 'gollum/frontend/app'
	require 'digest/sha1'

	class App < Precious::App
	User = Struct.new(:name, :email, :password_hash, :can_write)

	before { authenticate! }
	before /^\/(edit\|create\|delete\|livepreview\|revert)/ do authorize_write! ; end

	helpers do

	# As root user
	sudo su

	# Update the OS
	sudo apt-get update -y

	# Add this to ~/.bashrc to remove timezone warnings
	echo 'export LC_ALL="en_US.UTF-8"' >> ~/.bashrc
	source ~/.bashrc

	Jbuilder.encode do \|json\|
	json.content format_content(@message.content)
	json.(@message, :created_at, :updated_at)

	json.author do \|json\|
	json.name @message.creator.name.familiar
	json.email_address @message.creator.email_address_with_name
	json.url url_for(@message.creator, format: :json)
	end

	## Prepare ###################################################################

	# Remove RVM
	rvm implode

	# Ensure your homebrew is working properly and up to date
	brew doctor
	brew update

	## Install ###################################################################

	# http://docs.rubygems.org/read/chapter/11
	---
	gem: --no-ri --no-rdoc
	benchmark: false
	verbose: true
	update_sources: true
	sources:
	- http://gems.rubyforge.org/
	- http://rubygems.org/
	backtrace: true

	# Simple and Stupid Ruby API for Coderwall.com
	# Vivien Didelot <[email protected]>

	require "open-uri"
	require "json"

	module CoderWall
	class Achievement
	attr_reader :name, :badge, :description

	iwlist wlan0 scan \| sed -n 's/.* Address: //p;T;s/ //g;q' \|
	sed 's/./{version:1.1.0,host:maps.google.com,request_address:true,address_language:'${LANG/./}',wifi_towers:[{mac_address:"&",signal_strength:8,age:0}]}/' \|
	curl -sX POST -d @- www.google.com/loc/json \|
	sed -e 'h;s/.latitude":\([^,]\)./\1/;G;s/\n[^\n]longitude":\([^,]\)./,\1\n/;s\|^\|http://maps.google.com/maps?q=\|;x;s/[,{]/\n/g;s/["}]//g;s/:/\t/g;s/\n//;G'

	#require 'rubygems'
	require 'pp'
	#require 'ap' # Awesome Print

	class Object
	# expects [ [ symbol, *args ], ... ]
	def recursive_send(*args)
	args.inject(self) { \|obj, m\| obj.send(m.shift, *m) }
	end
	end

	class AdminController < ApplicationController
	before_filter do \|controller\|
	controller.redirect_to login_path unless logged_in?
	end
	end