change routes to json

Auto-merge for build 116

See merge request puppet/puppet_cd!110

.vscode/settings.json

@@ -1,11 +1,40 @@
 {
     "cSpell.words": [
         "appender",
+        "asctime",
+        "basedirt",
+        "cachedir",
+        "Changeme",
+        "devel",
+        "fastapi",
+        "getenv",
+        "Gitea",
+        "hashlib",
+        "hmac",
+        "httpx",
+        "isoformat",
         "kahadb",
+        "levelname",
         "logappender",
+        "NOFILE",
+        "operatingsystemrelease",
+        "pptd",
+        "pptdb",
+        "Puppetfile",
+        "pydantic",
+        "pylint",
+        "pytest",
+        "refreshonly",
+        "repolist",
         "requestlogging",
+        "rubygems",
         "springframework",
+        "startswith",
         "Supress",
-        "trapperkeeper"
+        "sysconfig",
+        "trapperkeeper",
+        "utcnow",
+        "uvicorn",
+        "webrick"
     ]
 }

Jenkinsfile

@@ -25,10 +25,16 @@ pipeline {
       stage('pull master') {
         steps {
           sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-            sh '''git config user.name "Jenkins Server"
-                  git config user.email jenkins@confdroid.com
-                  git pull origin master
-                  git checkout -b jenkins '''
+            sh '''
+                git config user.name "Jenkins Server"
+                git config user.email jenkins@confdroid.com
+                # Ensure we're on the development branch (triggered by push)
+                git checkout development
+                # Create jenkins branch from development
+                git checkout -b jenkins-build-$BUILD_NUMBER
+                # Optionally merge master into jenkins to ensure compatibility
+                git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
+            '''
         }
       }
     }
@@ -53,20 +59,23 @@ pipeline {
         steps {
           sh '''/usr/local/bin/puppet-lint . \\
                 --no-variable_scope-check \\
+                || { echo "Puppet lint failed"; exit 1; }
             '''
           }
         }
 
       stage('SonarScan') {
          steps {
-             sh '''
-             /opt/sonar-scanner/bin/sonar-scanner \
-              -Dsonar.projectKey=puppet_cd \
-              -Dsonar.sources=. \
-              -Dsonar.host.url=https://sonarqube.confdroid.com \
-              -Dsonar.token=sqa_aca21cc41336d0f31987ed196ccfb9be55ded774
-              '''
-             }
+            withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
+              sh '''
+              /opt/sonar-scanner/bin/sonar-scanner \
+                -Dsonar.projectKey=confdroid_puppet \
+                -Dsonar.sources=. \
+                -Dsonar.host.url=https://sonarqube.confdroid.com \
+                -Dsonar.token=$SONAR_TOKEN
+                '''
+              }
+            }
           }
 
       stage('create Puppet documentation') {
@@ -78,12 +87,41 @@ pipeline {
       stage('update repo') {
         steps {
           sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-            sh '''git config user.name "Jenkins Server"
-                  git config user.email jenkins@confdroid.com
-                  echo `git add -A && git commit -am "recommit for updates in build $BUILD_NUMBER"`
-                  git push origin HEAD:master'''
+            sh '''
+                git config user.name "Jenkins Server"
+                git config user.email jenkins@confdroid.com
+                git rm -r --cached .vscode || echo "No .vscode to remove from git"
+                git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
+                git push origin HEAD:master
+
+            '''
         }
       }
     }
+
+    stage('Mirror to Gitea') {
+          steps {
+            withCredentials([usernamePassword(
+              credentialsId: 'Jenkins-gitea',
+              usernameVariable: 'GITEA_USER',
+              passwordVariable: 'GITEA_TOKEN')]) {
+              script {
+                  // Checkout from GitLab (already done implicitly)
+                  sh '''
+                    git checkout master
+                    git pull origin master
+                    git branch -D development
+                    git branch -D jenkins-build-$BUILD_NUMBER
+                    git rm -f Jenkinsfile
+                    git rm -r --cached .vscode || echo "No .vscode to remove from git"
+                    git commit --amend --no-edit --allow-empty
+                    git remote add master https://gitea.confdroid.com/confdroid/confdroid_puppet.git
+                    git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
+                    push master --mirror
+                  '''
+              }
+            }
+          }
+    }
   }
 }

README.md

@@ -1,14 +1,42 @@
 # Readme
 
-[![Build Status](https://pipelines.confdroid.com/buildStatus/icon?job=puppet_cd)](https://pipelines.confdroid.com/job/puppet_cd/)|
+[![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_puppet)](https://jenkins.confdroid.com/job/confdroid_puppet/)
+[![Security Hotspots](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_puppet&metric=security_hotspots&token=sqb_97a025b42213e7290a4f6e3d459957ee96c49db8)](https://sonarqube.confdroid.com/dashboard?id=confdroid_puppet)
+
+- [Readme](#readme)
+  - [Synopsis](#synopsis)
+  - [WARNING](#warning)
+  - [Features](#features)
+    - [Puppet server and agent](#puppet-server-and-agent)
+    - [Firewall](#firewall)
+    - [Directories, Files and Services,](#directories-files-and-services)
+    - [Optional](#optional)
+      - [R10k service](#r10k-service)
+      - [R10k Web hook](#r10k-web-hook)
+      - [Puppetdb](#puppetdb)
+  - [Support](#support)
+  - [Parameter Inheritance](#parameter-inheritance)
+  - [Module Deployment](#module-deployment)
+    - [native Puppet deployment: via site.pp or nodes.pp](#native-puppet-deployment-via-sitepp-or-nodespp)
+    - [through Foreman](#through-foreman)
+  - [Tests](#tests)
+  - [Contact Us](#contact-us)
+  - [Documentation](#documentation)
+  - [Disclaimer](#disclaimer)
 
-[[_TOC_]]
 
 ## Synopsis
 
-This Puppet module configures settings for Puppet master and agents, PuppetDB and R10k, the full bundle.
-The syntax etc is specifically for Puppet Core 8 and Rocky 9, although might work elsewhere as well.
-This module is also designed to work with External Node Classifiers (ENC), for instance Foreman.
+This Puppet module configures settings a full Puppet environment, i.e. Puppet master, Puppet agents pointed to the master.
+
+Optionally:
+* R10k to connect to a control repo and manage
+puppet modules
+* webhook listener to trigger r10k when a puppet module has been updated.
+* PuppetDB for exporting and storing resources.
+
+The syntax is specifically for Puppet Core 8 and Rocky 9, although might work elsewhere as well.
+This module is also designed to work with [Foreman][def]  as External Node Classifier (ENC), although it does not install Foreman.
 
 ## WARNING
 
@@ -16,11 +44,35 @@ This module is also designed to work with External Node Classifiers (ENC), for i
 
 ## Features
 
-* install packages depending on whether the host fqdn equals either master fqdn, db fqdn or none (agent).
-* open firewall ports depending on fqdn choices
+### Puppet server and agent
+
+* if the host FQDN matches your specified Puppet master via `$pt_pm_fqdn`, it installs and configures a puppetmaster ready for serving with Foreman as ENC (Foreman not yet included). It specifically rewrites the puppet.conf with values taken from parameters.
+* Any other system becomes a puppet agent.
+
+### Firewall
+
+* open firewall ports depending on choices above
+
+### Directories, Files and Services,
+* manage directories and required files including
+  permissions and selinux context (todo)
 * start services as required
-* manage directories
-* manage user settings (optional)
+
+### Optional
+
+#### R10k service
+
+* install r10k service on your puppetmaster.
+  If you set `$pt_use_r10k`to `true`, it also installs r10k to connect to  a control repo and manage the code available to clients via Puppetfile.
+
+#### R10k Web hook
+
+* installs a webhook listener
+  If you set `$pt_use_r10k_webhook`to `true`, it also installs a simple webhook listener to watch for post_hooks from gitlab, and triggers the r10k deployment.
+
+#### Puppetdb
+* installs and configures Puppetdb on the node specified with `pt_puppetdb_fqdn`, which can be the puppetmaster or any other node (recommended for performance reasons)
+* the logrotation can be set in max days via `pt_pptdb_log_max_age`
 
 ## Support
 
@@ -33,7 +85,18 @@ All parameters are listed in `params.pp` and inherited from there.  Variable par
 
 ## Module Deployment
 
-ALmost every puppet setup is done in very custom ways, and hence the way the modules are deployed to nodes are different. This module assumes [Foreman][def] as ENC, so the modules just have to be present on the master node and Foreman will take care for it.
+### native Puppet deployment: via site.pp or nodes.pp
+
+```ruby
+include cd_puppet
+
+```
+### through Foreman
+
+* ensure the module is present on the puppetmaster running Foreman in the module path, i.e. /etc/puppetlabs/code/environments/production/ . use r10k or clone the module there through git
+* import the module in Foreman
+* assign `confdroid_puppet::params` to the nodes in question, typically a host group.
+* overwrite the value for `$pt_pm_fqdn`to match your puppetmaster's fqdn.  **This will overwrite the puppet.conf with the settings set in params.pp. It is highly recommended to  use a test system first to see and fine tune those settings!**  Any node not matching this fqdn will become an agent.
 
 ## Tests
 
@@ -46,7 +109,12 @@ ALmost every puppet setup is done in very custom ways, and hence the way the mod
 
 ## Contact Us
 
-[contact Us](https://confdroid.com/contact/)
+* [contact form](https://confdroid.com/contact/)
+* [feedback portal](https://feedback.confdroid.com/)
+
+## Documentation
+
+Additional documentation like FAQ can be found in the [**member wiki**](https://3for.me/x1mar).
 
 ## Disclaimer
 

manifests/firewall/iptables.pp

@@ -1,11 +1,11 @@
-## puppet_cd::firewall::iptables.pp
-# Module name: puppet_cd
+## confdroid_puppet::firewall::iptables.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages firewall settings for the puppet_cd module.
+# @summary  Class manages firewall settings for the confdroid_puppet module.
 ###############################################################################
-class puppet_cd::firewall::iptables (
+class confdroid_puppet::firewall::iptables (
 
-) inherits puppet_cd::params {
+) inherits confdroid_puppet::params {
   if $fqdn == $pt_pm_fqdn {
     firewall { '38140 open port 8140':
       proto => 'tcp',
@@ -17,28 +17,20 @@ class puppet_cd::firewall::iptables (
       dport => '8443',
       jump  => 'accept',
     }
-  }
-
-  if $fqdn == $pt_db_fqdn {
-    if $pt_use_ssl_only != true {
-      firewall { "3${pt_no_ssl_port} open port ${pt_no_ssl_port}":
-        proto => 'tcp',
-        dport => $pt_no_ssl_port,
-        jump  => 'accept',
-      }
-      firewall { "3${pt_ssl_port} open port ${pt_ssl_port}":
-        proto => 'tcp',
-        dport => $pt_ssl_port,
-        jump  => 'accept',
+    if $pt_use_r10k_webhook == true {
+      firewall { "3${pt_r10k_webhook_port} open port ${pt_r10k_webhook_port}":
+        proto  => 'tcp',
+        source => '10.0.1.0/24',
+        dport  => $pt_r10k_webhook_port,
+        jump   => 'accept',
       }
     }
-
-    if $pt_use_ssl_only == true {
-      firewall { "3${pt_ssl_port} open port ${pt_ssl_port}":
-        proto => 'tcp',
-        dport => $pt_ssl_port,
-        jump  => 'accept',
-      }
+  }
+  if ($pt_puppetdb_fqdn == $fqdn) and ($pt_use_puppetdb == true) {
+    firewall { "3${pt_https_port} open port ${pt_https_port}":
+      proto => 'tcp',
+      dport => $pt_https_port,
+      jump  => 'accept',
     }
   }
 }

manifests/init.pp

@@ -1,8 +1,8 @@
-## puppet_cd::init.pp
-# Module name: puppet_cd
+## confdroid_puppet::init.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class initialize the puppet_cd module.
+# @summary  Class initialize the confdroid_puppet module.
 ###############################################################################
-class puppet_cd {
-  include puppet_cd::params
+class confdroid_puppet {
+  include confdroid_puppet::params
 }

manifests/main/config.pp

@@ -1,14 +1,14 @@
-## puppet_cd::main::config.pp
-# Module name: puppet_cd
+## confdroid_puppet::main::config.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages main logic for the puppet_cd module.
+# @summary  Class manages main logic for the confdroid_puppet module.
 ###############################################################################
-class puppet_cd::main::config (
+class confdroid_puppet::main::config (
 
-) inherits puppet_cd::params {
-  include puppet_cd::server::service
+) inherits confdroid_puppet::params {
+  include confdroid_puppet::server::service
 
-  if $pt_use_puppetdb == true {
-    include puppet_cd::puppetdb::service
+  if $pt_use_r10k == true {
+    include confdroid_puppet::r10k::install
   }
 }

manifests/main/dirs.pp

@@ -1,12 +1,12 @@
-## puppet_cd::main::dirs.pp
-# Module name: puppet_cd
+## confdroid_puppet::main::dirs.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages directories for the puppet_cd module.
+# @summary  Class manages directories for the confdroid_puppet module.
 ###############################################################################
-class puppet_cd::main::dirs (
+class confdroid_puppet::main::dirs (
 
-) inherits puppet_cd::params {
-  require puppet_cd::main::install
+) inherits confdroid_puppet::params {
+  require confdroid_puppet::main::install
 
   file { $pt_main_dir:
     ensure   => directory,

manifests/main/files.pp

@@ -1,46 +1,109 @@
-## puppet_cd::main::files.pp
-# Module name: puppet_cd
+## confdroid_puppet::main::files.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages config files for the puppet_cd module.
+# @summary  Class manages config files for the confdroid_puppet module.
 ###############################################################################
-class puppet_cd::main::files (
+class confdroid_puppet::main::files (
 
-) inherits puppet_cd::params {
-  require puppet_cd::main::dirs
+) inherits confdroid_puppet::params {
+  require confdroid_puppet::main::dirs
 
   if $fqdn != $pt_pm_fqdn {
     file { $pt_puppet_conf_file:
-      ensure  => file,
-      path    => $pt_puppet_conf_file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => template($pt_puppet_conf_erb),
-      notify  => Service[$pt_agent_service],
+      ensure   => file,
+      path     => $pt_puppet_conf_file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => system_u,
+      content  => template($pt_puppet_conf_erb),
+      notify   => Service[$pt_agent_service],
+    }
+    if $pt_use_puppetdb == true {
+      file { $pt_node_rb_file:
+        ensure  => file,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0550',
+        selrole => object_r,
+        seltype => puppet_etc_t,
+        seluser => system_u,
+        content => template($pt_node_rb_erb),
+      }
+    }
+    if $pt_use_puppetdb != true {
+      file { $pt_node_rb_file:
+        ensure => absent,
+      }
     }
   }
 
   if $fqdn == $pt_pm_fqdn {
     file { $pt_puppet_conf_file:
-      ensure  => file,
-      path    => $pt_puppet_conf_file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => template($pt_puppet_conf_erb),
-      notify  => Service[$pt_agent_service,$pt_server_service],
+      ensure   => file,
+      path     => $pt_puppet_conf_file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => system_u,
+      content  => template($pt_puppet_conf_erb),
+      notify   => Service[$pt_agent_service,$pt_server_service],
     }
-  }
 
-  if $pt_use_puppetdb == true {
-    file { $pt_puppetdb_conf_file:
-      ensure  => filet,
-      path    => $pt_puppetdb_conf_file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => template($pt_puppetdb_conf_erb),
-      notify  => Service[$pt_agent_service,$pt_server_service],
+    if $pt_use_puppetdb == true {
+      # puppetdb
+      file { $pt_puppetdb_conf_file:
+        ensure   => file,
+        path     => $pt_puppetdb_conf_file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_puppetdb_conf_erb),
+        notify   => Service[$pt_agent_service,$pt_server_service],
+      }
+      # routes.yaml
+      file { $pt_routes_file:
+        ensure   => file,
+        path     => $pt_routes_file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_routes_erb),
+        notify   => Service[$pt_server_service],
+      }
+      file { $pt_node_rb_file:
+        ensure   => file,
+        owner    => 'puppet',
+        group    => 'puppet',
+        mode     => '0550',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => foreman_enc_t,
+        seluser  => system_u,
+        content  => template($pt_node_rb_erb),
+      }
+    }
+    if $pt_use_puppetdb != true {
+      file { $pt_puppetdb_conf_file:
+        ensure => absent,
+      }
+      file { $pt_routes_file:
+        ensure => absent,
+      }
     }
   }
 }

manifests/main/install.pp

@@ -1,24 +1,25 @@
-## puppet_cd::main::install.pp
-# Module name: puppet_cd
+## confdroid_puppet::main::install.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages package installation for the puppet_cd module.
+# @summary  Class manages package installation for the confdroid_puppet module.
 ###############################################################################
-class puppet_cd::main::install (
+class confdroid_puppet::main::install (
 
-) inherits puppet_cd::params {
-  package { $pt_agent_pkg:
-    ensure => $pt_pkg_ensure,
+) inherits confdroid_puppet::params {
+  if $fqdn != $pt_pm_fqdn {
+    package { $pt_agent_pkg:
+      ensure => $pt_pkg_ensure,
+    }
   }
 
   if $fqdn == $pt_pm_fqdn {
     package { $pt_server_pkg:
       ensure => $pt_pkg_ensure,
     }
-  }
-
-  if $fqdn == $pt_db_fqdn {
-    package { $pt_db_pkg:
-      ensure  => $pt_pkg_ensure,
+    if $pt_use_puppetdb == true {
+      package { $pt_puppetdb_pkg:
+        ensure => $pt_pkg_ensure,
+      }
     }
   }
 }

manifests/main/user.pp

@@ -1,46 +0,0 @@
-## puppet_cd::main::user.pp
-# Module name: puppet_cd
-# Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages user settings for the puppet_cd module.
-###############################################################################
-class puppet_cd::main::user (
-
-) inherits puppet_cd::params {
-  if ($fqdn == $pt_pm_fqdn) and ($pt_manage_user == true) {
-    user { $pt_user:
-      ensure     => present,
-      name       => $pt_user,
-      allowdupe  => false,
-      comment    => $pt_user_comment,
-      gid        => $pt_user,
-      managehome => true,
-      home       => $pt_user_home,
-      shell      => $pt_user_shell,
-    }
-
-    group { $pt_user:
-      ensure    => present,
-      name      => $pt_user,
-      allowdupe => false,
-    }
-  }
-
-  if ($fqdn == $pt_db_fqdn) and ($pt_manage_db_user == true) {
-    user { $pt_db_user:
-      ensure     => present,
-      name       => $pt_db_user,
-      allowdupe  => false,
-      comment    => $pt_db_user_comment,
-      gid        => $pt_db_user,
-      managehome => true,
-      home       => $pt_db_user_home,
-      shell      => $pt_db_user_shell,
-    }
-
-    group { $pt_db_user:
-      ensure    => present,
-      name      => $pt_db_user,
-      allowdupe => false,
-    }
-  }
-}

manifests/params.pp

@@ -1,29 +1,17 @@
-## puppet_cd::params.pp
-# Module name: puppet_cd
+## confdroid_puppet::params.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages parameters for the puppet_cd module.
+# @summary  Class manages parameters for the confdroid_puppet module.
 # @param [Boolean] pt_manage_fw whether to manage firewall settings
+# @param [Boolean] pt_use_puppetdb whether to use puppetdb
 # @param [String] pt_pm_fqdn the fqdn for the puppetmaster and master
-# settings are applied. any other fqdn # will be considered a puppet agent.
-# @param [String] pt_db_fqdn  the fqdn for the puppetdb host.
+#   settings are applied. any other fqdn # will be considered a puppet agent.
+# @param [String] pt_puppetdb_fqdn the fqdn for the puppetdb node.
 # @param [String] pt_pkg_ensure valid: "present", "latest", "v1.2.3"
 # @param [String] pt_agent_pkg the packages for agents to install
 # @param [String] pt_server_pkg the server packages to install
-# @param [Array] pt_db_pkg the packages for puppetdb
-# @param [String] pt_no_ssl_port non-ssl port number for puppetdb
-# @param [String] pt_ssl_port ssl port for puppetdb
-# @param [Boolean] pt_use_ssl_only whether to use ssl only.
-# @param [Boolean] pt_manage_user whether to manage the puppet user
-# @param [String] pt_user the puppet user
-# @param [String] pt_user_comment the user comment
-# @param [String] pt_user_home the user home
-# @param [String] pt_user_shell the user shell
-# @param [Boolean] pt_manage_db_user whether to manage the user for puppetdb
-# @param [String] pt_db_user the puppetdb user
-# @param [String] pt_db_user_comment the user comment for puppetdb user
-# @param [String] pt_db_user_home the user home for the puppetdb user
-# @param [String] pt_db_user_shell the shell for the puppetdb user
-# @param [Boolean] pt_use_puppetdb whether to use puppetdb on host
+# @param [String] pt_puppetdb_pkg the puppetdb packages to install
+# @param [Array] pt_r10k_pkg the packages for r10k to install
 # @param [String] pt_environment the environment
 # @param [Boolean] pt_basemodulepath the base module path
 # @param [String] pt_logdir the log directory
@@ -53,56 +41,46 @@
 # @param [String] pt_storeconfigs_backend where to store client configs
 # @param [String] pt_parser which parser version to use
 # @param [Boolean] pt_cert_revocation whether to check for cert revocations
-# @param [String] pt_logging_max_file_size max file size for puppetdb logging
-# @param [String] pt_logging_max_history max logging history
-# @param [String] pt_logging_total_size  total size of logging file
-# @param [String] pt_com_proc_threads number of processing threads
-# @param [String] pt_concurrent_writes  max concurrent writes
-# @param [String] pt_db_subname the db name
-# @param [String] pt_db_username the db username
-# @param [String] pt_db_password the db password
-# @param [String] pt_gc_interval garbage collection interval (Java)
-# @param [String] pt_log_slow_statements number of seconds before an SQL query
-#   is considered "slow."
-# @param [String] pt_puppetdb_source_lan the source lan for puppetdb clients
-# @param [Boolean] pt_soft_write_failure allows the PuppetDB-termini to fail
-#   softly if PuppetDB is not accessible for command submission.
-# @param [String] pt_no_ssl_host ip range for non-ssl hosts
-# @param [String] pt_ssl_host ip range for SSL hosts
-# @param [String] pt_ssl_key location of the private key
-# @param [String] pt_ssl_cert location of the ssl cert
-# @param [String] pt_ssl_ca_cert location of the ssl ca cert
-# @param [Boolean] pt_log_access whether to configure log access
-# @param [String] pt_access_log_config the location of the access log config
-# @param [Boolean] pt_enable_repl whether to allow puppetdb replication
-# @param [String] pt_repl_port the replication port
-# @param [String] pt_repl_host the replication host
+# @param [Boolean] pt_use_r10k whether to use r10k service
+# @param [Boolean] pt_use_r10k_webhook whether to use r10k webhook service
+# @param [String] pt_r10k_remote the remote url for the r10k control repo
+# @param [Boolean] pt_r10k_prefix the r10k prefix. defaults to false
+# @param [String] pt_r10k_basedir the base directory for r10k.yaml
+# @param [Array] pt_r10k_webhook_pkg the packages for the r10k webhook
+# @param [String] pt_r10k_webhook_port the port for the webhook listener
+# @param [String] pt_ssl_port the port for the puppetdb ssl port
+# @param [Boolean] pt_soft_write_failure whether to allow soft_write_failure
+# @param [String] pt_db_subname the url for the database connection
+# @param [String] pt_db_username the username for the database connection
+# @param [String] pt_db_password the password for the database connection
+# @param [String] pt_gc_interval How often (in minutes) to compact the database
+# @param [String] pt_http_port Port to listen on for clear-text HTTP.
+# @param [String] pt_https_port Port to listen on for HTTPs connections.
+# @param [String] pt_ssl_host IP address to listen on for HTTPS connections
+# @param [Boolean] pt_repl_on toggle the remote repl true false
+# @param [String] pt_repl_port What port the REPL should listen on
+# @param [String] pt_repl_host IP address to listen on
+# @param [Boolean] pt_enable_tls whether to use tls encryption for the backend
+# @param [String] pt_pptdb_ca_crt placeholder for the ca.crt
+# @param [String] pt_pptdb_server_crt placeholder for the server.crt
+# @param [String] pt_pptdb_server_key placeholder for the server.crt
+# @param [String] pt_pptdb_log_max_age the max age for puppetdb logs in days
 ###############################################################################
-class puppet_cd::params (
+class confdroid_puppet::params (
 
   Boolean $pt_manage_fw             = true,
   String $pt_pm_fqdn                = 'puppetmaster.example.net',
-  String $pt_db_fqdn                = 'puppetdb.example.net',
+  String $pt_puppetdb_fqdn          = 'puppetdb.example.net',
+  Boolean $pt_use_puppetdb          = false,
 
   # installation
   String $pt_pkg_ensure             = 'present',
   String $pt_agent_pkg              = 'puppet-agent',
   String $pt_server_pkg             = 'puppetserver',
-  Array $pt_db_pkg                  = ['puppetdb','puppetdb-termini'],
+  Array $pt_puppetdb_pkg            = ['puppetdb-termini', 'puppetdb'],
+  Array $pt_r10k_pkg                = ['ruby','ruby-devel','rubygems','gcc','make'],
+  Array $pt_r10k_webhook_pkg        = ['webrick', 'r10k_gitlab_webhook'],
 
-  # user settings
-  ## puppet user
-  Boolean $pt_manage_user           = true,
-  String $pt_user                   = 'puppet',
-  String $pt_user_comment           = 'puppetserver daemon',
-  String $pt_user_home              = '/opt/puppetlabs/server/data/puppetserver',
-  String $pt_user_shell             = '/sbin/nologin',
-  ## puppetdb user
-  Boolean $pt_manage_db_user        = true,
-  String $pt_db_user                = 'puppetdb',
-  String $pt_db_user_comment        = 'PuppetDB daemon',
-  String $pt_db_user_home           = '/opt/puppetlabs/server/data/puppetdb',
-  String $pt_db_user_shell          = '/sbin/nologin',
   # templates
   ## puppet
   String $pt_environment            = 'production',
@@ -132,36 +110,43 @@ class puppet_cd::params (
   String $pt_storeconfigs_backend   = 'puppetdb',
   String $pt_parser                 = 'current',
   Boolean $pt_cert_revocation       = true,
-## puppetdb
-  Boolean $pt_use_puppetdb          = false,
-  String $pt_logging_max_file_size  = '200MB',
-  String $pt_logging_max_history     = '90',
-  String $pt_logging_total_size     = '1GB',
-  String $pt_com_proc_threads       = '4',
-  String $pt_concurrent_writes      = '4',
+
+# puppetdb
+  String $pt_ssl_port               = '8081',
+  Boolean $pt_soft_write_failure    = false,
   String $pt_db_subname             = '//localhost:5432/puppetdb',
   String $pt_db_username            = 'foobar',
   String $pt_db_password            = 'foobar',
   String $pt_gc_interval            = '60',
-  String $pt_log_slow_statements    = '10',
-  String $pt_no_ssl_port            = '8080',
-  String $pt_ssl_port               = '8081',
-  Boolean $pt_use_ssl_only          = true,
-  String $pt_puppetdb_source_lan    = '0.0.0.0/0',
-  Boolean $pt_soft_write_failure    = false,
-  String $pt_no_ssl_host            = '0.0.0.0',
+  Boolean $pt_enable_tls            = false,
+  String $pt_pptdb_ca_crt           = 'Changeme',
+  String $pt_pptdb_server_crt       = 'Changeme',
+  String $pt_pptdb_server_key       = 'Changeme',
+  String $pt_pptdb_log_max_age      = '30',
+
+  ## jetty
+  String $pt_http_port              = '8080',
+  String $pt_https_port             = '8081',
   String $pt_ssl_host               = '0.0.0.0',
-  String $pt_ssl_key                = '/etc/puppetlabs/puppetdb/ssl/private.pem',
-  String $pt_ssl_cert               = '/etc/puppetlabs/puppetdb/ssl/public.pem',
-  String $pt_ssl_ca_cert            = '/etc/puppetlabs/puppetdb/ssl/ca.pem',
-  Boolean $pt_log_access            = false,
-  String $pt_access_log_config      = '/etc/puppetlabs/puppetdb/request-logging.xml',
-  Boolean $pt_enable_repl           = false,
+  ## repl
+  Boolean $pt_repl_on               = false,
   String $pt_repl_port              = '8082',
   String $pt_repl_host              = '127.0.0.1',
 
+# r10k
+  Boolean $pt_use_r10k              = false,
+  Boolean $pt_use_r10k_webhook      = false,
+  String $pt_r10k_remote            = 'git@gitlab.example.net/repo.git',
+  Boolean $pt_r10k_prefix           = false,
+  String $pt_r10k_basedir           = '/etc/puppetlabs/code/environments',
+  String $pt_r10k_webhook_port      = '8085',
+
 ) {
+# facts
   $fqdn                             = $facts['networking']['fqdn']
+  $domain                           = $facts['networking']['domain']
+  $os_name                          = $facts['os']['name']
+  $os_release                       = $facts['os']['release']['major']
 
 # directories
 ## puppet
@@ -175,44 +160,63 @@ class puppet_cd::params (
   $pt_rundir_master                 = '/var/run/puppetlabs/puppetserver'
   $pt_vardir                        = '/opt/puppetlabs/puppet/cache'
   $pt_vardir_master                 = '/opt/puppetlabs/server/data/puppetserver'
+## r10k
+  $pt_r10k_dir                      = "${pt_main_dir}/r10k"
+  $pt_r10k_webhook_dir              = '/etc/r10k-webhook'
 ## puppetdb
-  $pt_puppetdb_main                 = '/etc/puppetlabs/puppetdb'
-  $pt_puppetdb_conf_d               = "${pt_puppetdb_main}/conf.d"
-  $pt_puppetdb_ssl                  = "${pt_puppetdb_main}/ssl"
-  $pt_puppetdb_log                  = '/var/log/puppetlabs/puppetdb'
-  $pt_puppetdb_var_dir              = '/opt/puppetlabs/server/data/puppetdb'
+  $pt_puppetdb_dir                  = '/etc/puppetlabs/puppetdb'
+  $pt_puppetdb_conf_dir             = "${pt_puppetdb_dir}/conf.d"
+  $pt_pptdb_ssldir                  = "${pt_puppetdb_dir}/ssl"
 
 # files
 ## puppet
   $pt_puppet_conf_file              = "${pt_puppetdir}/puppet.conf"
-  $pt_puppet_conf_erb               = 'puppet_cd/puppet.conf.erb'
-  $pt_agent_conf_erb                = 'puppet_cd/agent.conf.erb'
+  $pt_puppet_conf_erb               = 'confdroid_puppet/puppet.conf.erb'
   $pt_hiera_config                  = "${pt_puppetdir}/hiera.yaml"
-## puppetdb
-  $pt_bootstrap_conf                = "${pt_puppetdb_main}/bootstrap.cfg"
-  $pt_bootstrap_erb                 = 'cd_puppet/puppetdb/bootstrap.cfg.erb'
-  $pt_puppetdb_access_log           = "${pt_puppetdb_log}/puppetdb-access"
-  $pt_request_logging_conf          = "${pt_puppetdb_main}/request-logging.xml"
-  $pt_request_logging_erb           = 'cd_puppet/puppetdb/request_logging.xml.erb'
-  $pt_logback_conf                  = "${pt_puppetdb_main}/logback.xml"
-  $pt_logback_erb                   = 'cd_puppet/puppetdb/logback.xml.erb'
-  $pt_puppetdb_config_ini           = "${pt_puppetdb_conf_d}/config.ini"
-  $pt_puppetdb_config_erb           = 'cd_puppet/puppetdb/config.ini.erb'
-  $pt_puppetdb_database_ini         = "${pt_puppetdb_conf_d}/database.ini"
-  $pt_puppetdb_database_erb         = 'cd_puppet/puppetdb/database.ini.erb'
-  $pt_puppetdb_jetty_ini            = "${pt_puppetdb_conf_d}/jetty.ini"
-  $pt_puppetdb_jetty_erb            = 'cd_puppet/puppetdb/jetty.ini.erb'
   $pt_puppetdb_conf_file            = "${pt_puppetdir}/puppetdb.conf"
-  $pt_puppetdb_conf_erb             = 'cd_puppet/puppetdb/puppetdb.conf.erb'
-  $pt_puppetdb_repl_ini             = "${pt_puppetdb_conf_d}/repl.ini"
-  $pt_puppetdb_repl_erb             = 'cd_puppet/puppetdb/repl.ini.erb'
+  $pt_puppetdb_conf_erb             = 'confdroid_puppet/puppetdb/puppetdb.conf.erb'
+  $pt_routes_file                   = "${pt_puppetdir}/routes.yaml"
+  $pt_routes_erb                    = 'confdroid_puppet/puppetdb/routes.yaml.erb'
+  $pt_node_rb_file                  = "${pt_puppetdir}/node.rb"
+  $pt_node_rb_erb                   = 'confdroid_puppet/puppetdb/node.rb.erb'
+## r10k
+  $pt_r10k_file                     = "${pt_r10k_dir}/r10k.yaml"
+  $pt_r10k_erb                      = 'confdroid_puppet/r10k/r10k.yaml.erb'
+  $pt_webhook_link                  = 'ln -sf  /usr/local/share/gems/gems/r10k_gitlab_webhook-0.1.3/bin/r10k_gitlab_webhook /usr/bin/'
+  $pt_webhook_service_file          = '/etc/systemd/system/r10k_gitlab_webhook.service'
+  $pt_webhook_service_erb           = 'confdroid_puppet/r10k/r10k_webhook_service.erb'
+## puppetdb
+  $pt_bootstrap_conf_file   = "${pt_puppetdb_dir}/bootstrap.cfg"
+  $pt_bootstrap_conf_erb    = 'confdroid_puppet/puppetdb/bootstrap.cfg.erb'
+  $pt_logback_conf_file     = "${pt_puppetdb_dir}/logback.xml"
+  $pt_logback_conf_erb      = 'confdroid_puppet/puppetdb/logback.xml.erb'
+  $pt_logging_conf_file     = "${pt_puppetdb_dir}/request-logging.xml"
+  $pt_logging_conf_erb      = 'confdroid_puppet/puppetdb/request_logging.xml.erb'
+  $pt_auth_conf_file        = "${pt_puppetdb_conf_dir}/auth.conf"
+  $pt_auth_conf_erb         = 'confdroid_puppet/puppetdb/auth.conf.erb'
+  $pt_config_ini_file       = "${pt_puppetdb_conf_dir}/config.ini"
+  $pt_config_ini_erb        = 'confdroid_puppet/puppetdb/config.ini.erb'
+  $pt_db_ini_file           = "${pt_puppetdb_conf_dir}/database.ini"
+  $pt_db_ini_erb            = 'confdroid_puppet/puppetdb/database.ini.erb'
+  $pt_jetty_ini_file        = "${pt_puppetdb_conf_dir}/jetty.ini"
+  $pt_jetty_ini_erb         = 'confdroid_puppet/puppetdb/jetty.ini.erb'
+  $pt_repl_ini_file         = "${pt_puppetdb_conf_dir}/repl.ini"
+  $pt_repl_ini_erb          = 'confdroid_puppet/puppetdb/repl.ini.erb'
+  $pt_service_conf_file     = '/usr/lib/systemd/system/puppetdb.service'
+  $pt_service_conf_erb      = 'confdroid_puppet/puppetdb/service.conf.erb'
+  $pt_ca_crt_file           = "${pt_pptdb_ssldir}/ca.crt"
+  $pt_ca_crt_erb            = 'confdroid_puppet/puppetdb/ca.crt.erb'
+  $pt_server_crt_file       = "${pt_pptdb_ssldir}/server.crt"
+  $pt_server_crt_erb        = 'confdroid_puppet/puppetdb/server.crt.erb'
+  $pt_server_key_file       = "${pt_pptdb_ssldir}/server.key"
+  $pt_server_key_erb        = 'confdroid_puppet/puppetdb/server.key.erb'
 
 # service
   $pt_server_service                = 'puppetserver'
   $pt_agent_service                 = 'puppet'
+  $pt_r10k_webhook_service          = 'r10k_gitlab_webhook'
   $pt_db_service                    = 'puppetdb'
-
 #
   # includes must be last
-  include puppet_cd::main::config
+  include confdroid_puppet::main::config
 }

manifests/puppetdb/dirs.pp

@@ -1,63 +1,33 @@
-## puppet_cd::puppetdb::dirs.pp
-# Module name: puppet_cd
+## confdroid_puppet::puppetdb::dirs.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages puppetdb directories
+# @summary  Class manages directories for the puppetdb section
 ###############################################################################
-class puppet_cd::puppetdb::dirs (
+class confdroid_puppet::puppetdb::dirs (
 
-) inherits puppet_cd::params {
-  if ($fqdn == $pt_puppetdb_server) and ($pt_use_puppetdb == true) {
-    require puppet_cd::main::install
+) inherits confdroid_puppet::params {
+  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
+    require confdroid_puppet::main::install
 
-    # main directory
-    file { $pt_puppetdb_main:
+    file { $pt_puppetdb_dir:
       ensure   => directory,
-      path     => $pt_puppetdb_main,
-      owner    => $pt_puppetdb_user,
-      group    => $pt_puppetdb_user,
+      owner    => 'puppetdb',
+      group    => 'puppetdb',
       mode     => '0750',
       selrange => s0,
       selrole  => object_r,
-      seltype  => etc_t,
+      seltype  => puppet_etc_t,
       seluser  => system_u,
     }
 
-    # conf.d directory
-    file { $pt_puppetdb_conf_d:
+    file { $pt_puppetdb_conf_dir:
       ensure   => directory,
-      path     => $pt_puppetdb_conf_d,
-      owner    => $pt_puppetdb_user,
-      group    => $pt_puppetdb_user,
-      mode     => '0750',
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0755',
       selrange => s0,
       selrole  => object_r,
-      seltype  => etc_t,
-      seluser  => system_u,
-    }
-
-    # ssl directory
-    file { $pt_puppetdb_ssl:
-      ensure   => directory,
-      path     => $pt_puppetdb_ssl,
-      owner    => $pt_puppetdb_user,
-      group    => $pt_puppetdb_user,
-      mode     => '0750',
-      selrange => s0,
-      selrole  => object_r,
-      seltype  => etc_t,
-      seluser  => system_u,
-    }
-
-    # log dir
-    file { $pt_puppetdb_log:
-      ensure   => directory,
-      path     => $pt_puppetdb_log,
-      owner    => $pt_puppetdb_user,
-      group    => $pt_puppetdb_user,
-      mode     => '0700',
-      selrange => s0,
-      selrole  => object_r,
-      seltype  => var_log_t,
+      seltype  => puppet_etc_t,
       seluser  => system_u,
     }
   }

manifests/puppetdb/files.pp

@@ -1,18 +1,17 @@
-## puppet_cd::puppetdb::files.pp
-# Module name: puppet_cd
+## confdroid_puppet::puppetdb::files.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages puppetdb files
+# @summary  Class manages config files for the puppetdb section
 ###############################################################################
-class puppet_cd::puppetdb::files (
+class confdroid_puppet::puppetdb::files (
 
-) inherits puppet_cd::params {
-  if ($fqdn == $pt_puppetdb_server) and ($pt_use_puppetdb == true) {
-    require puppet_cd::puppetdb::dirs
+) inherits confdroid_puppet::params {
+  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
+    require confdroid_puppet::puppetdb::dirs
 
     # bootstrap.cfg
-    file { $pt_bootstrap_conf:
+    file { $pt_bootstrap_conf_file:
       ensure   => file,
-      path     => $pt_bootstrap_conf,
       owner    => 'root',
       group    => 'root',
       mode     => '0644',
@@ -20,29 +19,12 @@ class puppet_cd::puppetdb::files (
       selrole  => object_r,
       seltype  => puppet_etc_t,
       seluser  => system_u,
-      content  => template($pt_bootstrap_erb),
-      notify   => Service[$pt_puppetdb],
+      content  => template($pt_bootstrap_conf_erb),
+      notify   => Service[$pt_db_service],
     }
-
-    # requestlogging.xml
-    file { $pt_request_logging_conf:
-      ensure   => file,
-      path     => $pt_request_logging_conf,
-      owner    => 'root',
-      group    => 'root',
-      mode     => '0644',
-      selrange => s0,
-      selrole  => object_r,
-      seltype  => puppet_etc_t,
-      seluser  => system_u,
-      content  => template($pt_request_logging_erb),
-      notify   => Service[$pt_puppetdb],
-    }
-
     # logback.xml
-    file { $pt_logback_conf:
+    file { $pt_logback_conf_file:
       ensure   => file,
-      path     => $pt_logback_conf,
       owner    => 'root',
       group    => 'root',
       mode     => '0644',
@@ -50,68 +32,142 @@ class puppet_cd::puppetdb::files (
       selrole  => object_r,
       seltype  => puppet_etc_t,
       seluser  => system_u,
-      content  => template($pt_logback_erb),
-      notify   => Service[$pt_puppetdb],
+      content  => template($pt_logback_conf_erb),
+      notify   => Service[$pt_db_service],
+    }
+    # request-logging.xml
+    file { $pt_logging_conf_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => system_u,
+      content  => template($pt_logging_conf_erb),
+      notify   => Service[$pt_db_service],
+    }
+    # service config
+    file { $pt_service_conf_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => systemd_unit_file_t,
+      seluser  => system_u,
+      content  => template($pt_service_conf_erb),
+      notify   => Service[$pt_db_service],
+    }
+    # conf.d files
+    ## auth.conf
+    file { $pt_auth_conf_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => system_u,
+      content  => template($pt_auth_conf_erb),
+      notify   => Service[$pt_db_service],
     }
-
     # config.ini
-    file { $pt_puppetdb_config_ini:
+    file { $pt_config_ini_file:
       ensure   => file,
-      path     => $pt_puppetdb_config_ini,
-      owner    => $pt_puppetdb_user,
-      group    => $pt_puppetdb_user,
-      mode     => '0640',
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
       selrange => s0,
       selrole  => object_r,
       seltype  => puppet_etc_t,
       seluser  => system_u,
-      content  => template($pt_puppetdb_config_erb),
-      notify   => Service[$pt_puppetdb],
+      content  => template($pt_config_ini_erb),
+      notify   => Service[$pt_db_service],
     }
-
     # database.ini
-    file { $pt_puppetdb_database_ini:
+    file { $pt_db_ini_file:
       ensure   => file,
-      path     => $pt_puppetdb_database_ini,
-      owner    => $pt_puppetdb_user,
-      group    => $pt_puppetdb_user,
-      mode     => '0640',
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
       selrange => s0,
       selrole  => object_r,
       seltype  => puppet_etc_t,
       seluser  => system_u,
-      content  => template($pt_puppetdb_database_erb),
-      notify   => Service[$pt_puppetdb],
+      content  => template($pt_db_ini_erb),
+      notify   => Service[$pt_db_service],
     }
-
     # jetty.ini
-    file { $pt_puppetdb_jetty_ini :
+    file { $pt_jetty_ini_file:
       ensure   => file,
-      path     => $pt_puppetdb_jetty_ini ,
-      owner    => $pt_puppetdb_user,
-      group    => $pt_puppetdb_user,
-      mode     => '0640',
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
       selrange => s0,
       selrole  => object_r,
       seltype  => puppet_etc_t,
       seluser  => system_u,
-      content  => template($pt_puppetdb_jetty_erb),
-      notify   => Service[$pt_puppetdb],
+      content  => template($pt_jetty_ini_erb),
+      notify   => Service[$pt_db_service],
     }
-
     # repl.ini
-    file { $pt_puppetdb_repl_ini:
+    file { $pt_repl_ini_file:
       ensure   => file,
-      path     => $pt_puppetdb_repl_ini,
-      owner    => $pt_puppetdb_user,
-      group    => $pt_puppetdb_user,
-      mode     => '0640',
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
       selrange => s0,
       selrole  => object_r,
       seltype  => puppet_etc_t,
       seluser  => system_u,
-      content  => template($pt_puppetdb_repl_erb),
-      notify   => Service[$pt_puppetdb],
+      content  => template($pt_repl_ini_erb),
+      notify   => Service[$pt_db_service],
+    }
+    if $pt_enable_tls == true {
+      # create tls certs
+      ## ca.crt
+      file { $pt_ca_crt_file:
+        ensure   => file,
+        owner    => 'puppetdb',
+        group    => 'puppetdb',
+        mode     => '0440',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_ca_crt_erb),
+        notify   => Service[$pt_db_service],
+      }
+      ## server.crt
+      file { $pt_server_crt_file:
+        ensure   => file,
+        owner    => 'puppetdb',
+        group    => 'puppetdb',
+        mode     => '0440',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_server_crt_erb),
+        notify   => Service[$pt_db_service],
+      }
+      ## server.key
+      file { $pt_server_key_file:
+        ensure   => file,
+        owner    => 'puppetdb',
+        group    => 'puppetdb',
+        mode     => '0440',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_server_key_erb),
+        notify   => Service[$pt_db_service],
+      }
     }
   }
 }

manifests/puppetdb/service.pp

@@ -1,19 +0,0 @@
-## puppet_cd::puppetdb::service.pp
-# Module name: puppet_cd
-# Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages puppetdb service
-###############################################################################
-class puppet_cd::puppetdb::service (
-
-) inherits puppet_cd::params {
-  if ($fqdn == $pt_puppetdb_server) and ($pt_use_puppetdb == true) {
-    require puppet_cd::puppetdb::files
-
-    service { $pt_puppetdb:
-      ensure     => running,
-      hasstatus  => true,
-      hasrestart => true,
-      enable     => true,
-    }
-  }
-}

manifests/r10k/install.pp

@@ -0,0 +1,91 @@
+## confdroid_puppet::r10k::install.pp
+# Module name: confdroid_puppet
+# Author: Arne Teuke (arne_teuke@confdroid)
+# @summary  Class manages r10k installation for the confdroid_puppet module.
+###############################################################################
+class confdroid_puppet::r10k::install (
+
+) inherits confdroid_puppet::params {
+  if ($pt_pm_fqdn == $fqdn) and ($pt_use_r10k == true) {
+    # enable CRB
+    exec { 'enable_crb':
+      command => 'dnf config-manager --set-enabled crb',
+      unless  => 'dnf repolist --disabled | grep -qE "crb|CodeReady"',
+      path    => ['/usr/bin', '/bin'],
+    }
+
+    # install required packages
+    package { $pt_r10k_pkg:
+      ensure  => $pt_pkg_ensure,
+      before  => Package['r10k'],
+      require => Exec['enable_crb'],
+    }
+
+    # install r10k via gem
+    package { 'r10k':
+      ensure   => $pt_pkg_ensure,
+      provider => gem,
+      require  => Package[$pt_r10k_pkg],
+    }
+
+    # create r10k dir
+    file { 'r10k_dir':
+      ensure   => directory,
+      path     => $pt_r10k_dir,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0755',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => unconfined_u,
+    }
+
+    # configure r10k.yaml
+    file { $pt_r10k_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => unconfined_u,
+      require  => File['r10k_dir'],
+      content  => template($pt_r10k_erb),
+    }
+
+    if $pt_use_r10k_webhook == true {
+      package { $pt_r10k_webhook_pkg:
+        ensure   => present,
+        provider => gem,
+        require  => Package[$pt_r10k_pkg],
+      }
+
+      exec { 'create symlink':
+        command => $pt_webhook_link,
+        creates => '/usr/bin/r10k_gitlab_webhook',
+        path    => ['/bin', '/usr/bin'],
+        require => Package[$pt_r10k_webhook_pkg],
+      }
+
+      file { $pt_webhook_service_file:
+        ensure   => file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => unconfined_u,
+        content  => template($pt_webhook_service_erb),
+        notify   => [Service[$pt_r10k_webhook_service],Exec['systemctl-daemon-reload']],
+      }
+
+      exec { 'systemctl-daemon-reload':
+        command     => '/bin/systemctl daemon-reload',
+        refreshonly => true,
+      }
+    }
+  }
+}

manifests/server/service.pp

@@ -1,12 +1,12 @@
-## puppet_cd::server::service.pp
-# Module name: puppet_cd
+## confdroid_puppet::server::service.pp
+# Module name: confdroid_puppet
 # Author: Arne Teuke (arne_teuke@confdroid)
-# @summary  Class manages the puppet server service for the puppet_cd module.
+# @summary  Class manages the puppet server service for the confdroid_puppet module.
 ###############################################################################
-class puppet_cd::server::service (
+class confdroid_puppet::server::service (
 
-) inherits puppet_cd::params {
-  require puppet_cd::main::files
+) inherits confdroid_puppet::params {
+  require confdroid_puppet::main::files
 
   # manage agent service on all nodes
   service { $pt_agent_service:
@@ -18,8 +18,7 @@ class puppet_cd::server::service (
 
   # manage puppet server service
   if $fqdn == $pt_pm_fqdn {
-    require puppet_cd::firewall::iptables
-    require puppet_cd::main::user
+    require confdroid_puppet::firewall::iptables
 
     service { $pt_server_service:
       ensure     => running,
@@ -27,11 +26,22 @@ class puppet_cd::server::service (
       hasrestart => true,
       enable     => true,
     }
+    # manage webhook service
+    if $pt_use_r10k_webhook == true {
+      require confdroid_puppet::r10k::install
+
+      service { $pt_r10k_webhook_service:
+        ensure     => running,
+        hasstatus  => true,
+        hasrestart => true,
+        enable     => true,
+      }
+    }
   }
 
-  # manage puppetdb service
-  if $fqdn == $pt_db_fqdn {
-    require puppet_cd::firewall::iptables
+  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
+    require confdroid_puppet::firewall::iptables
+    require confdroid_puppet::puppetdb::files
 
     service { $pt_db_service:
       ensure     => running,

templates/puppet.conf.erb

@@ -46,11 +46,11 @@
     ssldir                  = <%= @pt_ssldir %>
     strict_variables        = <%= @pt_strict_variables %>
     vardir                  = <%= @pt_vardir_master %>
-  <% if @pt_use_puppetdb != true %>
-    storeconfigs            = false
+  <% if @pt_use_puppetdb != true -%>
+  storeconfigs            = false
   <% end -%>
-    <% if @pt_use_puppetdb == true %>
-    storeconfigs            = true
+  <% if @pt_use_puppetdb == true -%>
+  storeconfigs            = true
     storeconfigs_backend    = <%= @pt_storeconfigs_backend %>
 <% end end -%>
 <% if @fqdn != @pt_pm_fqdn  -%>
@@ -68,4 +68,4 @@
     splaylimit              = <%= @pt_splaylimit %>
     usecacheonfailure       = <%= @pt_usecacheonfailure %>
     certificate_revocation  = <%= @pt_cert_revocation %>
-<% end %>
+<% end %>

templates/puppetdb/auth.conf.erb

@@ -0,0 +1,50 @@
+authorization: {
+    version: 1
+    rules: [
+        {
+            # Allow unauthenticated access to the status service endpoint
+            match-request: {
+                path: "/status/v1/services"
+                type: path
+                method: get
+            }
+            allow-unauthenticated: true
+            sort-order: 500
+            name: "puppetlabs status service - full"
+        },
+        {
+            match-request: {
+                path: "/status/v1/simple"
+                type: path
+                method: get
+            }
+            allow-unauthenticated: true
+            sort-order: 500
+            name: "puppetlabs status service - simple"
+        },
+        {
+            # Allow nodes to access the metrics service
+            # for puppetdb, the metrics service is the only
+            # service using the authentication service
+            match-request: {
+                path: "/metrics"
+                type: path
+                method: [get, post]
+            }
+            allow: "*"
+            sort-order: 500
+            name: "puppetlabs puppetdb metrics"
+        },
+        {
+            # Deny everything else. This ACL is not strictly
+            # necessary, but illustrates the default policy
+            match-request: {
+                path: "/"
+                type: path
+            }
+            deny: "*"
+            sort-order: 999
+            name: "puppetlabs deny all"
+        }
+    ]
+}

templates/puppetdb/bootstrap.cfg.erb

@@ -1,5 +1,5 @@
 ###############################################################################
-##########        bootstrap.cfg  managed by puppet agent             ##########
+######### File created by Puppet - manual changes will be overwritten #########
 ###############################################################################
 
 # This file is used by the application framework (trapperkeeper) to
@@ -8,13 +8,15 @@
 #  https://github.com/puppetlabs/trapperkeeper/wiki/Bootstrapping
 
 # Web Server
-puppetlabs.trapperkeeper.services.webserver.jetty9-service/jetty9-service
+puppetlabs.trapperkeeper.services.webserver.jetty10-service/jetty10-service
 
 # Webrouting
 puppetlabs.trapperkeeper.services.webrouting.webrouting-service/webrouting-service
 
-# TK status
+# TK metrics - the authorization service is currently only used by the metrics service
+puppetlabs.trapperkeeper.services.authorization.authorization-service/authorization-service
 puppetlabs.trapperkeeper.services.metrics.metrics-service/metrics-webservice
+# TK status
 puppetlabs.trapperkeeper.services.status.status-service/status-service
 puppetlabs.trapperkeeper.services.scheduler.scheduler-service/scheduler-service
 
@@ -28,5 +30,5 @@ puppetlabs.puppetdb.config/config-service
 # NREPL
 puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service
 
-# Dashboard redirect: remove to disable
-puppetlabs.puppetdb.dashboard/dashboard-redirect-service
+# Dashboard redirect for "/" (not "/pdb"): remove to disable
+puppetlabs.puppetdb.dashboard/dashboard-redirect-service

templates/puppetdb/ca.crt.erb

@@ -0,0 +1 @@
+<%= @pt_pptdb_ca_crt %>

templates/puppetdb/config.ini.erb

@@ -1,11 +1,20 @@
 ###############################################################################
-##########            config.ini  managed by puppet agent            ##########
+######### File created by Puppet - manual changes will be overwritten #########
 ###############################################################################
 
+# See README.md for more thorough explanations of each section and
+# option.
+
 [global]
-vardir            = <%= @pt_puppetdb_var_dir %>
-logging-config    = <%= @pt_logback_conf %>
+# Store mq/db data in a custom directory
+vardir = /opt/puppetlabs/server/data/puppetdb
+
+# Use an external logback config file
+logging-config = /etc/puppetlabs/puppetdb/logback.xml
 
 [command-processing]
-threads           = <%= @pt_com_proc_threads %>
-concurrent-writes = <%= @pt_concurrent_writes %>
+# How many command-processing threads to use, defaults to (CPUs / 2)
+# threads = 4
+
+# How many threads can write to disk at once, defaults to min(CPUs / 2, 4)
+# concurrent-writes = 4

templates/puppetdb/database.ini.erb

@@ -1,10 +1,17 @@
 ###############################################################################
-##########          database.ini  managed by puppet agent            ##########
+######### File created by Puppet - manual changes will be overwritten #########
 ###############################################################################
 
 [database]
-subname             = <%= @pt_db_subname %>
-username            = <%= @pt_db_username %>
-password            = <%= @pt_db_password %>
 
-gc-interval         = <%= @pt_gc_interval %>
+# The database address, i.e. //HOST:PORT/DATABASE_NAME
+subname = <%= @pt_db_subname %>
+
+# Connect as a specific user
+username = <%= @pt_db_username %>
+
+# Use a specific password
+password = <%= @pt_db_password %>
+
+# How often (in minutes) to compact the database
+gc-interval = <%= @pt_gc_interval %>

templates/puppetdb/jetty.ini.erb

@@ -1,31 +1,37 @@
 ###############################################################################
-##########             jetty.ini  managed by puppet agent            ##########
+######### File created by Puppet - manual changes will be overwritten #########
 ###############################################################################
 
 [jetty]
-<% if @pt_use_ssl_only != true %>
-host        = <%= @pt_no_ssl_host %>
-port        = <%= @pt_no_ssl_port %>
+# IP address or hostname to listen for clear-text HTTP. To avoid resolution
+# issues, IP addresses are recommended over hostnames.
+# Default is `localhost`.
+# host = <host>
 
-# ssl
-ssl-host    = <%= @pt_ssl_host %>
-ssl-port    = <%= @pt_ssl_port %>
-ssl-key     = <%= @pt_ssl_key %>
-ssl-cert    = <%= @pt_ssl_cert %>
-ssl-ca-cert = <%= @pt_ssl_ca_cert %>
+# Port to listen on for clear-text HTTP.
+port = <%= @pt_http_port %>
 
-<% if @pt_log_access == true %>
-access-log-config = <%= @pt_access_log_config %>
-<% end end %>
+# The following are SSL specific settings. They can be configured
+# automatically with the tool `puppetdb ssl-setup`, which is normally
+# ran during package installation.
 
+# IP address to listen on for HTTPS connections. Hostnames can also be used
+# but are not recommended to avoid DNS resolution issues. To listen on all
+# interfaces, use `0.0.0.0`.
+ssl-host = 0.0.0.0
 
-<% if @pt_use_ssl_only == true %>
-ssl-host    = <%= @pt_ssl_host %>
-ssl-port    = <%= @pt_ssl_port %>
-ssl-key     = <%= @pt_ssl_key %>
-ssl-cert    = <%= @pt_ssl_cert %>
-ssl-ca-cert = <%= @pt_ssl_ca_cert %>
+# The port to listen on for HTTPS connections
+ssl-port = <%= @pt_https_port %>
 
-<% if @pt_log_access == true %>
-access-log-config = <%= @pt_access_log_config %>
-<% end end %>
+# Private key path
+ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
+
+# Public certificate path
+ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
+
+# Certificate authority path
+ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
+
+# Access logging configuration path. To turn off access logging
+# comment out the line with `access-log-config=...`
+access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml

templates/puppetdb/logback.xml.erb

@@ -1,7 +1,7 @@
-<configuration scan="true">
+<configuration scan="true" scanPeriod="60 seconds">
     <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
         <encoder>
-            <pattern>%d %-5p [%c{2}] %m%n</pattern>
+            <pattern>%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n</pattern>
         </encoder>
     </appender>
 
@@ -16,20 +16,13 @@
             <totalSizeCap>1GB</totalSizeCap>
         </rollingPolicy>
         <encoder>
-            <pattern>%d %-5p [%c{2}] %m%n</pattern>
+            <pattern>%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n</pattern>
         </encoder>
     </appender>
 
-    <!-- Suppress internal ActiveMQ logging -->
-    <logger name="org.apache.activemq" level="warn"/>
-
-    <!-- Suppress internal Spring Framework logging -->
+    <!-- Supress internal Spring Framework logging -->
     <logger name="org.springframework.jms.connection" level="warn"/>
 
-    <!-- Lower the log level for ActiveMQ KahaDB MessageDatabase -->
-    <logger name="org.apache.activemq.store.kahadb.MessageDatabase"
-        level="info"/>
-
     <appender name="STATUS" class="ch.qos.logback.core.rolling.RollingFileAppender">
         <file>/var/log/puppetlabs/puppetdb/puppetdb-status.log</file>
         <append>true</append>
@@ -38,7 +31,7 @@
             <fileNamePattern>/var/log/puppetlabs/puppetdb/puppetdb-status-%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
             <!-- each file should be at most 200MB, keep 90 days worth of history, but at most 1GB total-->
             <maxFileSize>200MB</maxFileSize>
-            <maxHistory>90</maxHistory>
+            <maxHistory><%= @pt_pptdb_log_max_age %></maxHistory>
             <totalSizeCap>1GB</totalSizeCap>
         </rollingPolicy>
         <encoder>

templates/puppetdb/node.rb.erb

@@ -0,0 +1,463 @@
+#!/usr/bin/env ruby
+
+# Script usually acts as an ENC for a single host, with the certname supplied as argument
+#   if 'facts' is true, the YAML facts for the host are uploaded
+#   ENC output is printed and cached
+#
+# If --push-facts is given as the only arg, it uploads facts for all hosts and then exits.
+# Useful in scenarios where the ENC isn't used.
+
+require 'rbconfig'
+require 'yaml'
+
+if RbConfig::CONFIG['host_os'] =~ /freebsd|dragonfly/i
+  $settings_file ||= '/usr/local/etc/puppet/foreman.yaml'
+else
+  $settings_file ||= File.exist?('/etc/puppetlabs/puppet/foreman.yaml') ? '/etc/puppetlabs/puppet/foreman.yaml' : '/etc/puppet/foreman.yaml'
+end
+
+SETTINGS = YAML.load_file($settings_file)
+
+# Default external encoding
+if defined?(Encoding)
+  Encoding.default_external = Encoding::UTF_8
+end
+
+def url
+  SETTINGS[:url] || raise("Must provide URL in #{$settings_file}")
+end
+
+def puppetdir
+  SETTINGS[:puppetdir] || raise("Must provide puppet base directory in #{$settings_file}")
+end
+
+def puppetuser
+  SETTINGS[:puppetuser] || 'puppet'
+end
+
+def fact_extension
+  SETTINGS[:fact_extension] || 'yaml'
+end
+
+def fact_directory
+  data_dir = fact_extension == 'yaml' ? 'yaml' : 'server_data'
+  File.join(puppetdir, data_dir, 'facts')
+end
+
+def fact_file(certname)
+  File.join(fact_directory, "#{certname}.#{fact_extension}")
+end
+
+def fact_files
+  Dir[File.join(fact_directory, "*.#{fact_extension}")]
+end
+
+def certname_from_filename(filename)
+  File.basename(filename, ".#{fact_extension}")
+end
+
+def stat_file(certname)
+  FileUtils.mkdir_p "#{puppetdir}/yaml/foreman/"
+  "#{puppetdir}/yaml/foreman/#{certname}.yaml"
+end
+
+def tsecs
+  SETTINGS[:timeout] || 10
+end
+
+def thread_count
+  return SETTINGS[:threads].to_i if not SETTINGS[:threads].nil? and SETTINGS[:threads].to_i > 0
+  require 'facter'
+  processors = Facter.value(:processorcount).to_i
+  processors > 0 ? processors : 1
+end
+
+class Http_Fact_Requests
+  include Enumerable
+
+  def initialize
+    @results_array = []
+  end
+
+  def <<(val)
+    @results_array << val
+  end
+
+  def each(&block)
+    @results_array.each(&block)
+  end
+
+  def pop
+    @results_array.pop
+  end
+end
+
+class FactUploadError < StandardError; end
+class NodeRetrievalError < StandardError; end
+
+require 'etc'
+require 'net/http'
+require 'net/https'
+require 'fileutils'
+require 'timeout'
+begin
+  require 'json'
+rescue LoadError
+  # Debian packaging guidelines state to avoid needing rubygems, so
+  # we only try to load it if the first require fails (for RPMs)
+  begin
+    require 'rubygems' rescue nil
+    require 'json'
+  rescue LoadError => e
+    puts "You need the `json` gem to use the Foreman ENC script"
+    # code 1 is already used below
+    exit 2
+  end
+end
+
+def parse_file(filename)
+  case File.extname(filename)
+  when '.yaml'
+    data = File.read(filename)
+    YAML.safe_load(data.gsub(/\!ruby\/object.*$/,''), permitted_classes: [Symbol, Time])
+  when '.json'
+    JSON.parse(File.read(filename))
+  else
+    raise "Unknown extension for file '#{filename}'"
+  end
+end
+
+def empty_values_hash?(facts_file)
+  puppet_facts = parse_file(facts_file)
+  puppet_facts['values'].empty?
+end
+
+def process_host_facts(certname)
+  f = fact_file(certname)
+  if File.size(f) != 0
+    if empty_values_hash?(f)
+      puts "Empty values hash in fact file #{f}, not uploading"
+      return 0
+    end
+
+    req = generate_fact_request(certname, f)
+    begin
+      upload_facts(certname, req) if req
+      return 0
+    rescue => e
+      $stderr.puts "During fact upload occurred an exception: #{e}"
+      return 1
+    end
+  else
+    $stderr.puts "Fact file #{f} does not contain any facts"
+    return 2
+  end
+end
+
+def process_all_facts(http_requests)
+  fact_files.each do |f|
+    # Skip empty host fact files
+    if File.size(f) != 0
+      if empty_values_hash?(f)
+        puts "Empty values hash in fact file #{f}, not uploading"
+        next
+      end
+
+      certname = certname_from_filename(f)
+      req = generate_fact_request(certname, f)
+      if http_requests
+        http_requests << [certname, req]
+      elsif req
+        upload_facts(certname, req)
+      end
+    else
+      $stderr.puts "Fact file #{f} does not contain any fact"
+    end
+  end
+end
+
+def build_body(certname,filename)
+  puppet_facts = parse_file(filename)
+  hostname     = puppet_facts['values']['fqdn'] || certname
+
+  # if there is no environment in facts
+  # get it from node file ({puppetdir}/yaml/node/
+  unless puppet_facts['values'].key?('environment') || puppet_facts['values'].key?('agent_specified_environment')
+    node_filename = filename.sub('/facts/', '/node/')
+    if File.exist?(node_filename)
+      node_data = parse_file(node_filename)
+
+      if node_data.key?('environment')
+        puppet_facts['values']['environment'] = node_data['environment']
+      end
+    end
+  end
+
+  begin
+    require 'facter'
+    puppet_facts['values']['puppetmaster_fqdn'] = Facter.value('networking.fqdn').to_s
+  rescue LoadError
+    puppet_facts['values']['puppetmaster_fqdn'] = `hostname -f`.strip
+  end
+
+  # filter any non-printable char from the value, if it is a String
+  puppet_facts['values'].each do |key, val|
+    if val.is_a? String
+      puppet_facts['values'][key] = val.scan(/[[:print:]]/).join
+    end
+  end
+
+  {'facts' => puppet_facts['values'], 'name' => hostname, 'certname' => certname}
+end
+
+def initialize_http(uri)
+  res              = Net::HTTP.new(uri.host, uri.port)
+  res.open_timeout = SETTINGS[:timeout]
+  res.read_timeout = SETTINGS[:timeout]
+  res.use_ssl      = uri.scheme == 'https'
+  if res.use_ssl?
+    if SETTINGS[:ssl_ca] && !SETTINGS[:ssl_ca].empty?
+      res.ca_file = SETTINGS[:ssl_ca]
+      res.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    else
+      res.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    end
+    if SETTINGS[:ssl_cert] && !SETTINGS[:ssl_cert].empty? && SETTINGS[:ssl_key] && !SETTINGS[:ssl_key].empty?
+      res.cert = OpenSSL::X509::Certificate.new(File.read(SETTINGS[:ssl_cert]))
+      res.key  = OpenSSL::PKey::RSA.new(File.read(SETTINGS[:ssl_key]), nil)
+    end
+  end
+  res
+end
+
+def generate_fact_request(certname, filename)
+  # Temp file keeping the last run time
+  stat = stat_file("#{certname}-push-facts")
+  last_run = File.exist?(stat) ? File.stat(stat).mtime.utc : Time.now - 365*24*60*60
+  last_fact = File.exist?(filename) ? File.stat(filename).mtime.utc : Time.at(0)
+  if last_fact > last_run
+    begin
+      uri = URI.parse("#{url}/api/hosts/facts")
+      req = Net::HTTP::Post.new(uri.request_uri)
+      req.add_field('Accept', 'application/json,version=2' )
+      req.content_type = 'application/json'
+      req.body         = build_body(certname, filename).to_json
+      req
+    rescue => e
+      raise "Could not generate facts for Foreman: #{e}"
+    end
+  end
+end
+
+def cache(certname, result)
+  File.open(stat_file(certname), 'w') {|f| f.write(result) }
+end
+
+def read_cache(certname)
+  File.read(stat_file(certname))
+rescue => e
+  raise "Unable to read from Cache file: #{e}"
+end
+
+def enc(certname)
+  uri = URI.parse("#{url}/node/#{certname}?format=yml")
+  req = Net::HTTP::Get.new(uri.request_uri)
+  initialize_http(uri).start do |http|
+    response = http.request(req)
+
+    unless response.code == "200"
+      raise NodeRetrievalError, "Error retrieving node #{certname}: #{response.class}\nCheck Foreman's /var/log/foreman/production.log for more information."
+    end
+    response.body
+  end
+end
+
+def upload_facts(certname, req)
+  return nil if req.nil?
+  uri = URI.parse("#{url}/api/hosts/facts")
+  begin
+    initialize_http(uri).start do |http|
+      response = http.request(req)
+      if response.code.start_with?('2')
+        cache("#{certname}-push-facts", "Facts from this host were last pushed to #{uri} at #{Time.now}\n")
+      else
+        $stderr.puts "#{certname}: During the fact upload the server responded with: #{response.code} #{response.message}. Error is ignored and the execution continues."
+        $stderr.puts response.body
+      end
+    end
+  rescue => e
+    $stderr.puts "During fact upload occured an exception: #{e}"
+    raise FactUploadError, "Could not send facts to Foreman: #{e}"
+  end
+end
+
+def upload_facts_parallel(http_fact_requests, wait = true)
+  t = thread_count.times.map {
+    Thread.new(http_fact_requests) do |fact_requests|
+    while factref = fact_requests.pop
+      certname         = factref[0]
+      httpobj          = factref[1]
+      if httpobj
+        upload_facts(certname, httpobj)
+      end
+    end
+    end
+  }
+  if wait
+    t.each(&:join)
+  end
+end
+
+def watch_and_send_facts(parallel)
+  begin
+    require 'inotify'
+  rescue LoadError
+    puts "You need the `ruby-inotify` (not inotify!) gem to watch for fact updates"
+    exit 2
+  end
+
+  watch_descriptors = []
+  pending = []
+  threads = thread_count
+  last_send = Time.now
+
+  inotify_limit = `sysctl fs.inotify.max_user_watches`.gsub(/[^\d]/, '').to_i
+
+  inotify = Inotify.new
+
+  fact_dir = fact_directory
+
+  # actually we need only MOVED_TO events because puppet uses File.rename after tmp file created and flushed.
+  # see lib/puppet/util.rb near line 469
+  inotify.add_watch(fact_dir, Inotify::CREATE | Inotify::MOVED_TO )
+
+  files = fact_files
+
+  if files.length > inotify_limit
+    puts "Looks like your inotify watch limit is #{inotify_limit} but you are asking to watch at least #{files.length} fact files."
+    puts "Increase the watch limit via the system tunable fs.inotify.max_user_watches, exiting."
+    exit 2
+  end
+
+  files.each do |f|
+    begin
+      watch_descriptors[inotify.add_watch(f, Inotify::CLOSE_WRITE)] = f
+    end
+  end
+
+  inotify.each_event do |ev|
+    fn = watch_descriptors[ev.wd]
+    add_watch = false
+
+    unless fn
+      # inotify returns basename for renamed file as ev.name
+      # but we need full path
+      fn = File.join(fact_dir, ev.name)
+      add_watch = true
+    end
+
+    if File.extname(fn) != ".#{fact_extension}"
+      next
+    end
+
+    if add_watch || (ev.mask & Inotify::ONESHOT)
+      watch_descriptors[inotify.add_watch(fn, Inotify::CLOSE_WRITE)] = fn
+    end
+
+    if fn
+      certname = certname_from_filename(fn)
+      req = generate_fact_request certname, fn
+      if parallel
+        pending << [certname,req]
+      else
+        upload_facts(certname,req)
+      end
+    end
+    if parallel && (pending.length >= threads || ((last_send + 5) < Time.now))
+      if pending.length > 0
+        upload_facts_parallel(pending, false)
+        pending = []
+      end
+      last_send = Time.now
+    end
+  end
+end
+
+# Actual code starts here
+
+if __FILE__ == $0 then
+  # Setuid to puppet user if we can
+  begin
+    Process::GID.change_privilege(Etc.getgrnam(puppetuser).gid) unless Etc.getpwuid.name == puppetuser
+    Process::UID.change_privilege(Etc.getpwnam(puppetuser).uid) unless Etc.getpwuid.name == puppetuser
+    # Facter (in thread_count) tries to read from $HOME, which is still /root after the UID change
+    ENV['HOME'] = Etc.getpwnam(puppetuser).dir
+    # Change CWD to the determined home directory before continuing to make
+    # sure we don't reside in /root or anywhere else we don't have access
+    # permissions
+    Dir.chdir ENV['HOME']
+  rescue
+    $stderr.puts "cannot switch to user #{puppetuser}, continuing as '#{Etc.getpwuid.name}'"
+  end
+
+  begin
+    no_env = ARGV.delete("--no-environment")
+    watch = ARGV.delete("--watch-facts")
+    push_facts_parallel = ARGV.delete("--push-facts-parallel")
+    push_facts = ARGV.delete("--push-facts")
+    if watch && ! ( push_facts || push_facts_parallel )
+        raise "Cannot watch for facts without specifying --push-facts or --push-facts-parallel"
+    end
+    if push_facts
+      # push all facts files to Foreman and don't act as an ENC
+      if ARGV.empty?
+        process_all_facts(false)
+      else
+        process_host_facts(ARGV[0])
+      end
+    elsif push_facts_parallel
+      http_fact_requests = Http_Fact_Requests.new
+      process_all_facts(http_fact_requests)
+      upload_facts_parallel(http_fact_requests)
+    else
+      certname = ARGV[0] || raise("Must provide certname as an argument")
+      #
+      # query External node
+      begin
+        result = ""
+        Timeout.timeout(tsecs) do
+          # send facts to Foreman - enable 'facts' setting to activate
+          # if you use this option below, make sure that you don't send facts to foreman via the rake task or push facts alternatives.
+          #
+          if SETTINGS[:facts]
+            req = generate_fact_request(certname, fact_file(certname))
+            upload_facts(certname, req)
+          end
+
+          result = enc(certname)
+          cache(certname, result)
+        end
+      rescue Timeout::Error, SocketError, Errno::EHOSTUNREACH, Errno::ECONNREFUSED, NodeRetrievalError, FactUploadError => e
+        $stderr.puts "Serving cached ENC: #{e}"
+        # Read from cache, we got some sort of an error.
+        result = read_cache(certname)
+      end
+
+      if no_env
+        require 'yaml'
+        yaml = YAML.safe_load(result)
+        yaml.delete('environment')
+        # Always reset the result to back to clean yaml on our end
+        puts yaml.to_yaml
+      else
+        puts result
+      end
+    end
+  rescue => e
+    warn e
+    exit 1
+  end
+  if watch
+    watch_and_send_facts(push_facts_parallel)
+  end
+end

templates/puppetdb/puppetdb.conf.erb

@@ -1,7 +1,6 @@
 ###############################################################################
 ##########          puppetdb.conf managed by puppet agent            ##########
 ###############################################################################
-
 [main]
-server_urls         = https://<%= @pt_puppetdb_server%>:<%= @pt_ssl_port %>
+server_urls         = https://<%= @pt_puppetdb_fqdn %>:<%= @pt_ssl_port %>
 soft_write_failure  = <%= @pt_soft_write_failure %>

templates/puppetdb/repl.ini.erb

@@ -1,13 +1,13 @@
 ###############################################################################
-##########              repl.ini  managed by puppet agent            ##########
+######### File created by Puppet - manual changes will be overwritten #########
 ###############################################################################
 
 [nrepl]
-<% if @pt_enable_repl == true %>
-enabled   = <%= @pt_enable_repl %>
-port      = <% @pt_repl_port %>
-host      = <%= @pt_repl_host %>
-<% else %>
-# REPL is disabled for security reasons and not normally not required.
-# To enable it, set  `$pt_enable_repl` to `true`.
-<% end %>
+# Set to true to enable the remote REPL
+enabled = <%= @pt_repl_on %>
+
+# What port the REPL should listen on
+port = <%= @pt_repl_port %>
+
+# IP address to listen on
+host = <%= @pt_repl_host %>

templates/puppetdb/request_logging.xml.erb

@@ -1,16 +1,16 @@
 <configuration debug="false">
     <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
-        <file><%= @pt_puppetdb_access_log %>.log</file>
+        <file>/var/log/puppetlabs/puppetdb/puppetdb-access.log</file>
         <append>true</append>
         <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
-            <fileNamePattern><%= @pt_puppetdb_access_log %>-%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
+            <fileNamePattern>/var/log/puppetlabs/puppetdb/puppetdb-access-%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
             <!-- each file should be at most 200MB, keep 90 days worth of history, but at most 1GB total-->
-            <maxFileSize><%= @pt_logging_max_file_size %></maxFileSize>
-            <maxHistory><%= @pt_loging_max_history %></maxHistory>
-            <totalSizeCap><%= @pt_logging_total_size %></totalSizeCap>
+            <maxFileSize>200MB</maxFileSize>
+            <maxHistory>90</maxHistory>
+            <totalSizeCap>1GB</totalSizeCap>
         </rollingPolicy>
         <encoder>
-            <pattern>%h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D</pattern>
+            <pattern>%h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D %header{X-Uncompressed-Length}</pattern>
         </encoder>
     </appender>
     <appender-ref ref="FILE" />

templates/puppetdb/routes.yaml.erb

@@ -0,0 +1,5 @@
+---
+master:
+  facts:
+    terminus: puppetdb
+    cache: json

templates/puppetdb/server.crt.erb

@@ -0,0 +1 @@
+<%= @pt_pptdb_server_crt %>

templates/puppetdb/server.key.erb

@@ -0,0 +1 @@
+<%= @pt_pptdb_server_key %>

templates/puppetdb/service.conf.erb

@@ -0,0 +1,51 @@
+###############################################################################
+######### File created by Puppet - manual changes will be overwritten #########
+###############################################################################
+#
+# Local settings can be configured without being overwritten by package upgrades, for example
+# if you want to increase puppetdb open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, so create a file named
+# "/etc/systemd/system/puppetdb.service.d/limits.conf" containing:
+#	[Service]
+#	LimitNOFILE=10000
+# You can confirm it worked by running systemctl daemon-reload
+# then running systemctl show puppetdb | grep LimitNOFILE
+#
+[Unit]
+Description=puppetdb Service
+After=syslog.target network.target nss-lookup.target
+
+[Service]
+Type=forking
+EnvironmentFile=/etc/sysconfig/puppetdb
+User=puppetdb
+TimeoutStartSec=14400
+TimeoutStopSec=60
+Restart=on-failure
+StartLimitBurst=5
+PIDFile=/run/puppetlabs/puppetdb/puppetdb.pid
+
+# https://tickets.puppetlabs.com/browse/EZ-129
+# Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'
+# was implemented. This is low enough to cause problems for certain applications. In systemd 231, the
+# default was changed to be 15% of the default kernel limit. This explicitly sets TasksMax to 4915,
+# which should match the default in systemd 231 and later.
+# See https://github.com/systemd/systemd/issues/3211#issuecomment-233676333
+TasksMax=4915
+
+#set default privileges to -rw-r-----
+UMask=027
+
+
+ExecReload=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb reload
+ExecStart=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb start
+ExecStop=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb stop
+
+KillMode=process
+
+SuccessExitStatus=143
+
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target

templates/r10k/r10k.yaml.erb

@@ -0,0 +1,7 @@
+:cachedir: /var/cache/r10k
+
+:sources:
+  :puppet:
+    remote: <%= @pt_r10k_remote %>
+    prefix: <%= @pt_r10k_prefix %>
+    basedir: '<%= @pt_r10k_basedir %>'

templates/r10k/r10k_webhook_service.erb

@@ -0,0 +1,12 @@
+[Unit]
+    Description=r10k GitLab Webhook
+    After=network.target
+
+    [Service]
+    ExecStart=/usr/bin/r10k_gitlab_webhook <%= @pt_r10k_webhook_port %>
+    Restart=always
+    User=root
+    WorkingDirectory=/etc/puppetlabs/code
+
+    [Install]
+    WantedBy=multi-user.target