configuring hieradata for puppet server role

data/common.yaml

@@ -1,2 +1,3 @@
 ---
 message: "This node is using common data"
+profiles::base::dns::nameservers: 8.8.8.8

data/nodes/puppet.home.yaml

@@ -0,0 +1,4 @@
+---
+profile::puppetserver::authority: true
+profile::puppetserver::authority::jwt_secret: "koHc5pzVSVpJhijthem3zT8WXN8="
+profile::puppetserver::authority::validity: 7200

hiera.yaml

@@ -5,8 +5,18 @@ defaults:
   datadir: "data"
 
 hierarchy:
-  - name: "Yaml backend"
+  - name: "Secret data: per-node, common"
+    lookup_key: eyaml_lookup_key # eyaml backend
+    paths:
+      - "secrets/node/%{trusted.certname}.eyaml"
+      - "secrets/role/%{trusted.extensions.pp_role}.eyaml"
+      - "common.eyaml"
+    options:
+      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
+      pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
+  - name: "Yaml backend Data"
     data_hash: yaml_data
     paths:
       - "nodes/%{trusted.certname}.yaml"
+      - "role/%{trusted.extensions.pp_role}.yaml"
       - "common.yaml"

site-modules/profile/manifests/puppet.pp

@@ -1,11 +0,0 @@
-class profile::puppet (
-  Boolean $puppetserver = true,
-  Boolean $authority    = true,
-) {
-  if $puppetserver {
-    class { '::profile::puppet::puppetserver': }
-  }
-  if $authority {
-    class { '::profile::puppet::authority': }
-  }
-}

site-modules/profile/manifests/puppetserver.pp

@@ -0,0 +1,11 @@
+class profile::puppetserver (
+  Boolean $puppetserver = true,
+  Boolean $authority    = false,
+) {
+  if $puppetserver {
+    class { '::profile::puppetserver::bootstrap': }
+  }
+  if $authority {
+    class { '::profile::puppetserver::authority': }
+  }
+}

site-modules/profile/manifests/puppetserver/authority.pp

@@ -1,5 +1,12 @@
-class profile::puppet::authority {
+class profile::puppetserver::authority (
 
+  String $jwt_secret = 'undef',
+  String $loglevel   = 'info',
+  Integer $validity  = '0',
+  String $ensure     = 'latest',
+  Hash $config       = {},
+  Hash $jwt_token    = {},
+) {
   ini_setting { 'policy-based autosigning':
     setting => 'autosign',
     path    => "${settings::confdir}/puppet.conf",
@@ -9,14 +16,14 @@ class profile::puppet::authority {
   }
 
   class { ::autosign:
-    ensure => 'latest',
+    ensure => "$ensure",
     config => {
       'general' => {
-        'loglevel' => 'INFO',
+        'loglevel' => "$loglevel",
       },
       'jwt_token' => {
-        'secret'   => 'koHc5pzVSVpJhijthem3zT8WXN8=',
+        'secret'   => "$jwt_secret",
-        'validity' => '0',
+        'validity' => "$validity",
       }
     },
   }

site-modules/profile/manifests/puppetserver/bootstrap.pp

@@ -1,4 +1,4 @@
-class profile::puppet::puppetserver {
+class profile::puppetserver::bootstrap {
 
   ini_setting { 'hiera_config':
     ensure => present,

site-modules/role/manifests/puppetserver.pp

@@ -1,6 +1,6 @@
 class role::puppetserver {
 
   include profile::base
-  include profile::puppet
+  include profile::puppetserver
 
 }