diff --git a/servers/install-server b/servers/install-server
index 286074ffab..cad95e570e 100755
--- a/servers/install-server
+++ b/servers/install-server
@@ -54,6 +54,8 @@ EOF
 # Stupid hack because humbug-self-signed.key isn't in git
 scp -i ~/humbug/humbug.pem ~/humbug/certs/humbug-self-signed.key root@"$server":/root/humbug/certs/humbug-self-signed.key
 
+# TODO: Copy the real certs into place for prod servers
+
 ssh "$server" -t -i ~/humbug/humbug.pem -lroot <<EOF
 cp -a /root/humbug/servers/puppet/puppet.conf /etc/puppet/
 # HACK: run puppet twice to workaround bug in apache module handling
@@ -61,6 +63,7 @@ puppet apply /root/humbug/servers/puppet/manifests/site.pp || true
 puppet apply /root/humbug/servers/puppet/manifests/site.pp
 # The last bit should be moveable into puppet-land, ideally
 service apache2 restart
+apt-get upgrade
 EOF
 
 set +x
diff --git a/servers/puppet/files/mysql/my.cnf b/servers/puppet/files/mysql/my.cnf
new file mode 100644
index 0000000000..78b5ce3586
--- /dev/null
+++ b/servers/puppet/files/mysql/my.cnf
@@ -0,0 +1,160 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+# 
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port		= 3306
+socket		= /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket		= /var/run/mysqld/mysqld.sock
+nice		= 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user		= mysql
+pid-file	= /var/run/mysqld/mysqld.pid
+socket		= /var/run/mysqld/mysqld.sock
+port		= 3306
+basedir		= /usr
+datadir		= /var/lib/mysql
+tmpdir		= /tmp
+language	= /usr/share/mysql/english
+lc-messages-dir	= /usr/share/mysql
+skip-external-locking
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address		= 127.0.0.1
+#
+# * Fine Tuning
+#
+key_buffer		= 16M
+max_allowed_packet	= 16M
+thread_stack		= 192K
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover         = BACKUP
+#table_cache            = 64
+#thread_concurrency     = 10
+
+
+# SUGGESTED BY PERCONA:
+tmp_table_size          = 32M
+max_heap_table_size     = 32M
+max_connections         = 500
+thread_cache_size       = 50
+open_files_limit        = 65535
+table_definition_cache  = 1024
+table_open_cache        = 2048
+max_allowed_packet	= 16M
+max_connect_errors      = 1000000
+skip_name_resolve
+sql_mode                = STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY
+sysdate_is_now          = 1
+innodb                  = FORCE
+innodb_strict_mode      = 1
+
+
+# INNODB #
+innodb_flush_method            = O_DIRECT
+innodb_log_files_in_group      = 2
+innodb_log_file_size           = 128M
+innodb_flush_log_at_trx_commit = 1
+innodb_file_per_table          = 1
+innodb_buffer_pool_size        = 2G
+
+# END SUGGESTED BY PERCONA
+
+#
+# * Query Cache Configuration
+#
+query_cache_limit	= 1M
+query_cache_size        = 16M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file        = /var/log/mysql/mysql.log
+#general_log             = 1
+#
+# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
+#
+# Here you can see queries with especially long duration
+log_slow_queries        = /var/log/mysql/mysql-slow.log
+long_query_time         = 2
+log-queries-not-using-indexes = 1
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+#       other settings you may need to change.
+#server-id		= 1
+log_bin			= /var/log/mysql/mysql-bin.log
+expire_logs_days	= 10
+max_binlog_size         = 100M
+sync_binlog             = 1
+#binlog_do_db		= include_database_name
+#binlog_ignore_db	= include_database_name
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet	= 16M
+
+[mysql]
+#no-auto-rehash	# faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer		= 16M
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+#   The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir /etc/mysql/conf.d/
+
+[client]
+database = humbug
+user = root
+password = yuly7unbiHaw3UgTeemif3
+
diff --git a/servers/puppet/manifests/site.pp b/servers/puppet/manifests/site.pp
index 3b451c5843..3ccee88b8d 100644
--- a/servers/puppet/manifests/site.pp
+++ b/servers/puppet/manifests/site.pp
@@ -34,6 +34,20 @@ class humbug_base {
                 "python-django", "openssh-server", "python-pip", "puppet-el", ]
   package { $packages: ensure => "installed" }
 
+  # FIXME: Stop using pip since it is insecure
+  exec {"pip":
+    command  => "pip install django-jstemplate",
+    onlyif   => "test ! -d /usr/local/lib/python2.6/dist-packages/jstemplate"
+  }
+  exec {"pip2":
+    command  => "pip install markdown",
+    onlyif   => "test ! -d /usr/local/lib/python2.6/dist-packages/markdown"
+  }
+  exec {"pip3":
+    command  => "pip install requests",
+    onlyif   => "test ! -d /usr/local/lib/python2.6/dist-packages/requests"
+  }
+
   group { 'humbug':
     ensure     => present,
     gid        => '1000',
@@ -90,8 +104,8 @@ class humbug_base {
   }
 }
 
-class humbug_web_base {
-  $web_packages = [ "apache2", "gitit", "libapache2-mod-wsgi", ]
+class humbug_apache_base {
+  $apache_packages = [ "apache2", "libapache2-mod-wsgi", ]
   package { $web_packages: ensure => "installed" }
 
   apache2mod { [ "headers", "proxy", "proxy_http", "rewrite", "auth_digest", ]:
@@ -103,20 +117,6 @@ class humbug_web_base {
     ensure => present,
   }
 
-  # FIXME: Stop using pip since it is insecure
-  exec {"pip":
-    command  => "pip install django-jstemplate",
-    onlyif   => "test ! -d /usr/local/lib/python2.6/dist-packages/jstemplate"
-  }
-  exec {"pip2":
-    command  => "pip install markdown",
-    onlyif   => "test ! -d /usr/local/lib/python2.6/dist-packages/markdown"
-  }
-  exec {"pip3":
-    command  => "pip install requests",
-    onlyif   => "test ! -d /usr/local/lib/python2.6/dist-packages/requests"
-  }
-
   file { "/etc/apache2/users/":
     ensure   => directory,
     owner    => "www-data",
@@ -185,15 +185,37 @@ class humbug_web_base {
 }
 
 class humbug_app_frontend {
-  apache2site { 'app':
-    require => [File['/etc/apache2/sites-available/'],
-                Apache2mod['headers'], Apache2mod['ssl'],
-                ],
-    ensure => present,
+  $web_packages = [ "nginx", ]
+  package { $web_packages: ensure => "installed" }
+  file { "/etc/nginx/sites-available/humbug":
+    require => Package[nginx],
+    ensure => file,
+    owner  => "root",
+    group  => "root",
+    mode => 644,
+    source => "/root/humbug/servers/puppet/files/nginx/sites-available/humbug",
+  }
+}
+
+# TODO: Setup dotdeb repository for this, including apt preferences to
+# only get the database from dotdeb.
+class humbug_database {
+  $db_packages = [ "mysql-server-5.5", ]
+  package { $db_packages: ensure => "installed" }
+  file { "/etc/mysql/my.cnf":
+    require => Package["mysql-server-5.5"],
+    ensure => file,
+    owner  => "root",
+    group  => "root",
+    mode => 644,
+    source => "/root/humbug/servers/puppet/files/mysql/my.cnf",
   }
 }
 
 class humbug_wiki {
+  $wiki_packages = [ "gitit", ]
+  package { $wiki_packages: ensure => "installed" }
+
   group { 'wiki':
     ensure     => present,
     gid        => '1100',
@@ -224,13 +246,34 @@ class humbug_wiki {
   }
 }
 
-## TODO: Add a Nagios class -- needs to:
-# (a2ensite nagios, apt-get install nagios3 -t squeeze-backports, put in _our_ nagios config)
+class humbug_trac {
+  $trac_packages = [ "trac", ]
+  package { $wiki_packages: ensure => "installed" }
 
-## TODO: Add a trac class -- needs to:
-# (a2ensite trac, apt-get install trac -t squeeze-backports, put in _our_ trac.ini from git)
+  apache2site { 'trac':
+    require => [File['/etc/apache2/sites-available/'],
+                Apache2mod['headers'], Apache2mod['ssl'],
+                ],
+    ensure => present,
+  }
+  #TODO: Need to install our trac config
+}
+
+class humbug_nagios {
+  $nagios_packages = [ "nagios3", ]
+  package { $nagios_packages: ensure => "installed" }
+
+  apache2site { 'nagios':
+    require => [File['/etc/apache2/sites-available/'],
+                Apache2mod['headers'], Apache2mod['ssl'],
+                ],
+    ensure => present,
+  }
+  #TODO: Need to install our Nagios config
+}
 
 class { "humbug_base": }
-class { "humbug_web_base": }
+#class { "humbug_apache_base": }
 #class { "humbug_wiki": }
-#class { "humbug_app_frontend": }
+class { "humbug_app_frontend": }
+class { "humbug_database": }