merge the firewall poking and CA generation in bootstrap (#32914)

The rationale here is we remove one more step in the installer: instead of going back and forth between the master and client, we run one command on both, simultaneously, and only transfer the SHA256 checksum between the two. This could eventually be automated in such a way that we can do this unattended if we have SSH access on both machines.

merge the firewall poking and CA generation in bootstrap (#32914)
c7ca61cc · anarcat · 1ff771d9 · c7ca61cc
Unverified Commit c7ca61cc authored 5 years ago by anarcat
--- a/tsa/howto/new-machine.mdwn
+++ b/tsa/howto/new-machine.mdwn
@@ -90,17 +90,14 @@ All commands to be run as root unless otherwise noted.
        sudo -H ud-replicate

 * set up puppet:
-  * on pauli:
-
-        ( puppet agent -t || true ) && \
-        ud-replicate && \
-        sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
+  * on the Puppetmaster (currently `pauli`), run the
+    `tpa-puppet-sign-client` script, which will stop to prompt you for
+    a checksum. it is generated in the next step

  * on the new machine run the `installer/puppet-bootstrap-client`
-    from the `tsa-misc` git repo cloned above
-
-  * on pauli, run the `tpa-puppet-sign-client` script, pasting the
-    above SHA-256 checksum literally (including the filename)
+    from the `tsa-misc` git repo cloned earlier. copy-paste the
+    generated checksum literally (including the filename) into the
+    script waiting on the Puppetmaster above.

 * do more puppet runs, and run a ud-replicate to get ldap users, then
  more puppet runs since we now have more users: