diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index 95f82d8..0000000
--- a/Jenkinsfile
+++ /dev/null
@@ -1,125 +0,0 @@
-pipeline {
- agent {
- label 'puppet'
- }
-
- post {
- always {
- deleteDir() /* clean up our workspace */
- }
- success {
- updateGitlabCommitStatus state: 'success'
- }
- failure {
- updateGitlabCommitStatus state: 'failed'
- step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
- }
- }
-
- options {
- gitLabConnection('gitlab.confdroid.com')
- }
-
- stages {
-
- stage('pull master') {
- steps {
- sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
- sh '''
- git config user.name "Jenkins Server"
- git config user.email jenkins@confdroid.com
- # Ensure we're on the development branch (triggered by push)
- git checkout development
- # Create jenkins branch from development
- git checkout -b jenkins-build-$BUILD_NUMBER
- # Optionally merge master into jenkins to ensure compatibility
- git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
- '''
- }
- }
- }
-
- stage('puppet parser') {
- steps {
- sh '''for file in $(find . -iname \'*.pp\'); do
- /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
- done;'''
- }
- }
-
- stage('check templates') {
- steps{
- sh '''for file in $(find . -iname \'*.erb\');
- do erb -P -x -T "-" $file | ruby -c || exit 1;
- done;'''
- }
- }
-
- stage('puppet-lint') {
- steps {
- sh '''/usr/local/bin/puppet-lint . \\
- --no-variable_scope-check \\
- || { echo "Puppet lint failed"; exit 1; }
- '''
- }
- }
-
- stage('SonarScan') {
- steps {
- withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
- sh '''
- /opt/sonar-scanner/bin/sonar-scanner \
- -Dsonar.projectKey=puppet_cd \
- -Dsonar.sources=. \
- -Dsonar.host.url=https://sonarqube.confdroid.com \
- -Dsonar.token=$SONAR_TOKEN
- '''
- }
- }
- }
-
- stage('create Puppet documentation') {
- steps {
- sh '/opt/puppetlabs/bin/puppet strings'
- }
- }
-
- stage('update repo') {
- steps {
- sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
- sh '''
- git config user.name "Jenkins Server"
- git config user.email jenkins@confdroid.com
- git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
- git push origin HEAD:master
-
- '''
- }
- }
- }
-
- stage('Mirror to Gitea') {
- steps {
- withCredentials([usernamePassword(
- credentialsId: 'Jenkins-gitea',
- usernameVariable: 'GITEA_USER',
- passwordVariable: 'GITEA_TOKEN')]) {
- script {
- // Checkout from GitLab (already done implicitly)
- sh '''
- git checkout master
- git pull origin master
- git branch -D development
- git branch -D jenkins-build-$BUILD_NUMBER
- git rm -f Jenkinsfile
- git commit --amend --no-edit --allow-empty
- git remote add master https://gitea.confdroid.com/confdroid/puppet_cd.git
- git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
- push master --mirror
- '''
- }
- }
- }
- }
- }
-}
diff --git a/doc/file.README.html b/doc/file.README.html
index 079b7bf..8507e40 100644
--- a/doc/file.README.html
+++ b/doc/file.README.html
@@ -62,8 +62,6 @@
-[[TOC]]
-This Puppet module configures settings a full Puppet environment, i.e. Puppet master, Puppet agents pointed to the master.
diff --git a/doc/index.html b/doc/index.html
index 31e6f5e..d4d0781 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -62,8 +62,6 @@
-[[TOC]]
-This Puppet module configures settings a full Puppet environment, i.e. Puppet master, Puppet agents pointed to the master.
diff --git a/doc/puppet_classes/puppet_cd_3A_3Aparams.html b/doc/puppet_classes/puppet_cd_3A_3Aparams.html
index a853cb2..a84709f 100644
--- a/doc/puppet_classes/puppet_cd_3A_3Aparams.html
+++ b/doc/puppet_classes/puppet_cd_3A_3Aparams.html
@@ -1100,6 +1100,78 @@ —IP address to listen on
+whether to use tls encryption for the backend
+placeholder for the ca.crt
+placeholder for the server.crt
+placeholder for the server.crt
-64
-65
-66
-67
68
69
70
@@ -1255,10 +1323,26 @@
201
202
203
-204
+204
+205
+206
+207
+208
+209
+210
+211
+212
+213
+214
+215
+216
+217
+218
+219
+220
# File 'manifests/params.pp', line 64
+ # File 'manifests/params.pp', line 68
class puppet_cd::params (
@@ -1312,6 +1396,11 @@ class puppet_cd::params (
String $pt_db_username = 'foobar',
String $pt_db_password = 'foobar',
String $pt_gc_interval = '60',
+ Boolean $pt_enable_tls = false,
+ String $pt_pptdb_ca_crt = 'Changeme',
+ String $pt_pptdb_server_crt = 'Changeme',
+ String $pt_pptdb_server_key = 'Changeme',
+
## jetty
String $pt_http_port = '8080',
String $pt_https_port = '8081',
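Review bot: The three new certificate parameters default to the literal `'Changeme'`, so setting `pt_enable_tls` to true without overriding them would presumably render placeholder text into ca.crt, server.crt and server.key and then notify the service. A guard such as `if $pt_enable_tls and 'Changeme' in [$pt_pptdb_ca_crt, $pt_pptdb_server_crt, $pt_pptdb_server_key] { fail('pt_enable_tls is true but the TLS parameters are still placeholders') }` would stop that catalog early. `$pt_pptdb_server_key` is also a plain `String` holding private key material; how callers supply it is not visible here, but it should come from encrypted data rather than a value committed next to the manifests. The parameter descriptions added earlier in this file's diff read "placeholder for the server.crt" twice, and the second presumably should name the server key. This page is generated from manifests/params.pp, so the changes belong in that manifest.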
@@ -1354,6 +1443,7 @@ class puppet_cd::params (
## puppetdb
$pt_puppetdb_dir = '/etc/puppetlabs/puppetdb'
$pt_puppetdb_conf_dir = "${pt_puppetdb_dir}/conf.d"
+ $pt_pptdb_ssldir = "${pt_puppetdb_dir}/ssl"
# files
## puppet
@@ -1391,6 +1481,12 @@ class puppet_cd::params (
$pt_repl_ini_erb = 'puppet_cd/puppetdb/repl.ini.erb'
$pt_service_conf_file = '/usr/lib/systemd/system/puppetdb.service'
$pt_service_conf_erb = 'puppet_cd/puppetdb/service.conf.erb'
+ $pt_ca_crt_file = "${pt_pptdb_ssldir}/ca.crt"
+ $pt_ca_crt_erb = 'puppet_cd/puppetdb/ca.crt.erb'
+ $pt_server_crt_file = "${pt_pptdb_ssldir}/server.crt"
+ $pt_server_crt_erb = 'puppet_cd/puppetdb/server.crt.erb'
+ $pt_server_key_file = "${pt_pptdb_ssldir}/server.key"
+ $pt_server_key_erb = 'puppet_cd/puppetdb/server.key.erb'
# service
$pt_server_service = 'puppetserver'
diff --git a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
index e2cd136..e51476c 100644
--- a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
+++ b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
@@ -226,7 +226,49 @@
128
129
130
-131
+131
+132
+133
+134
+135
+136
+137
+138
+139
+140
+141
+142
+143
+144
+145
+146
+147
+148
+149
+150
+151
+152
+153
+154
+155
+156
+157
+158
+159
+160
+161
+162
+163
+164
+165
+166
+167
+168
+169
+170
+171
+172
+173
# File 'manifests/puppetdb/files.pp', line 6
@@ -355,6 +397,48 @@ class puppet_cd::puppetdb::files (
content => template($pt_repl_ini_erb),
notify => Service[$pt_db_service],
}
+ if $pt_enable_tls == true {
+ # create tls certs
+ ## ca.crt
+ file { $pt_ca_crt_file:
+ ensure => file,
+ owner => 'puppetdb',
+ group => 'puppetdb',
+ mode => '0440',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_ca_crt_erb),
+ notify => Service[$pt_db_service],
+ }
+ ## server.crt
+ file { $pt_server_crt_file:
+ ensure => file,
+ owner => 'puppetdb',
+ group => 'puppetdb',
+ mode => '0440',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_server_crt_erb),
+ notify => Service[$pt_db_service],
+ }
+ ## server.key
+ file { $pt_server_key_file:
+ ensure => file,
+ owner => 'puppetdb',
+ group => 'puppetdb',
+ mode => '0440',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_server_key_erb),
+ notify => Service[$pt_db_service],
+ }
+ }
}
}
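Review bot: The `server.key` resource reuses the `mode => '0440'` of the two certificates, which leaves the private key readable by every member of the `puppetdb` group; `mode => '0400'` is the usual setting for key material. Its content comes from `template($pt_server_key_erb)`, so a change to the key can show up in agent diffs and reports unless the resource adds `show_diff => false` or wraps the value as `content => Sensitive(template($pt_server_key_erb))`. Nothing in this hunk creates `$pt_pptdb_ssldir`; if no other class manages that directory the three file resources will fail to apply, so confirm it is declared with `ensure => directory` somewhere. The enclosing class starts outside the hunk, and since this page is generated from manifests/puppetdb/files.pp the changes belong in that manifest.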