I'm fairly certain that this will be the first scap3 deployment into the labs support vlan. We need to investigate what network changes will be needed to allow the ssh command-and-control connection from tin to californium and the subsequent http(s?) git fetch to californium from tin.
It looks like this should "just work" once all of the puppet rules are in place. service::uwsgi includes scap::target which in turn includes scap::ferm. scap::ferm opens up ssh from $DEPLOYMENT_SERVERS.
With some help from @yuvipanda I verified that ssh gets from tin to californium once californium accepts the connection.