diff --git a/doc/_index.html b/doc/_index.html index 6b8c1d8..000fb3b 100644 --- a/doc/_index.html +++ b/doc/_index.html @@ -103,6 +103,16 @@ +
  • + puppet_cd::puppetdb::dirs + +
  • + +
  • + puppet_cd::puppetdb::files + +
  • +
  • puppet_cd::r10k::install diff --git a/doc/puppet_class_list.html b/doc/puppet_class_list.html index 1549083..50e835a 100644 --- a/doc/puppet_class_list.html +++ b/doc/puppet_class_list.html @@ -85,6 +85,20 @@
  • +
  • +
    + puppet_cd::puppetdb::dirs +
    +
  • + + +
  • +
    + puppet_cd::puppetdb::files +
    +
  • + +
  • puppet_cd::r10k::install diff --git a/doc/puppet_classes/puppet_cd_3A_3Aparams.html b/doc/puppet_classes/puppet_cd_3A_3Aparams.html index f0bae5f..a853cb2 100644 --- a/doc/puppet_classes/puppet_cd_3A_3Aparams.html +++ b/doc/puppet_classes/puppet_cd_3A_3Aparams.html @@ -77,6 +77,10 @@ puppet_cd::r10k::install
    + puppet_cd::puppetdb::dirs
    + + puppet_cd::puppetdb::files
    + puppet_cd::server::service
    puppet_cd::firewall::iptables
    @@ -1231,7 +1235,27 @@ 181 182 183 -184 +184 +185 +186 +187 +188 +189 +190 +191 +192 +193 +194 +195 +196 +197 +198 +199 +200 +201 +202 +203 +204
    # File 'manifests/params.pp', line 64
    @@ -1307,10 +1331,10 @@ class puppet_cd::params (
     
     ) {
     # facts
    -  $fqdn                   = $facts['networking']['fqdn']
    -  $domain                 = $facts['networking']['domain']
    -  $os_name                = $facts['os']['name']
    -  $os_release             = $facts['os']['release']['major']
    +  $fqdn                             = $facts['networking']['fqdn']
    +  $domain                           = $facts['networking']['domain']
    +  $os_name                          = $facts['os']['name']
    +  $os_release                       = $facts['os']['release']['major']
     
     # directories
     ## puppet
    @@ -1324,10 +1348,12 @@ class puppet_cd::params (
       $pt_rundir_master                 = '/var/run/puppetlabs/puppetserver'
       $pt_vardir                        = '/opt/puppetlabs/puppet/cache'
       $pt_vardir_master                 = '/opt/puppetlabs/server/data/puppetserver'
    -
     ## r10k
       $pt_r10k_dir                      = "${pt_main_dir}/r10k"
       $pt_r10k_webhook_dir              = '/etc/r10k-webhook'
    +## puppetdb
    +  $pt_puppetdb_dir                  = '/etc/puppetlabs/puppetdb'
    +  $pt_puppetdb_conf_dir             = "${pt_puppetdb_dir}/conf.d"
     
     # files
     ## puppet
    @@ -1340,13 +1366,31 @@ class puppet_cd::params (
       $pt_routes_erb                    = 'puppet_cd/puppetdb/routes.yaml.erb'
       $pt_node_rb_file                  = "${pt_puppetdir}/node.rb"
       $pt_node_rb_erb                   = 'puppet_cd/puppetdb/node.rb.erb'
    -
     ## r10k
       $pt_r10k_file                     = "${pt_r10k_dir}/r10k.yaml"
       $pt_r10k_erb                      = 'puppet_cd/r10k/r10k.yaml.erb'
       $pt_webhook_link                  = 'ln -sf  /usr/local/share/gems/gems/r10k_gitlab_webhook-0.1.3/bin/r10k_gitlab_webhook /usr/bin/'
       $pt_webhook_service_file          = '/etc/systemd/system/r10k_gitlab_webhook.service'
       $pt_webhook_service_erb           = 'puppet_cd/r10k/r10k_webhook_service.erb'
    +## puppetdb
    +  $pt_bootstrap_conf_file   = "${pt_puppetdb_dir}/bootstrap.cfg"
    +  $pt_bootstrap_conf_erb    = 'puppet_cd/puppetdb/bootstrap.cfg.erb'
    +  $pt_logback_conf_file     = "${pt_puppetdb_dir}/logback.xml"
    +  $pt_logback_conf_erb      = 'puppet_cd/puppetdb/logback.xml.erb'
    +  $pt_logging_conf_file     = "${pt_puppetdb_dir}/request-logging.xml"
    +  $pt_logging_conf_erb      = 'puppet_cd/puppetdb/request_logging.xml.erb'
    +  $pt_auth_conf_file        = "${pt_puppetdb_conf_dir}/auth.conf"
    +  $pt_auth_conf_erb         = 'puppet_cd/puppetdb/auth.conf.erb'
    +  $pt_config_ini_file       = "${pt_puppetdb_conf_dir}/config.ini"
    +  $pt_config_ini_erb        = 'puppet_cd/puppetdb/config.ini.erb'
    +  $pt_db_ini_file           = "${pt_puppetdb_conf_dir}/database.ini"
    +  $pt_db_ini_erb            = 'puppet_cd/puppetdb/database.ini.erb'
    +  $pt_jetty_ini_file        = "${pt_puppetdb_conf_dir}/jetty.ini"
    +  $pt_jetty_ini_erb         = 'puppet_cd/puppetdb/jetty.ini.erb'
    +  $pt_repl_ini_file         = "${pt_puppetdb_conf_dir}/repl.ini"
    +  $pt_repl_ini_erb          = 'puppet_cd/puppetdb/repl.ini.erb'
    +  $pt_service_conf_file     = '/usr/lib/systemd/system/puppetdb.service'
    +  $pt_service_conf_erb      = 'puppet_cd/puppetdb/service.conf.erb'
     
     # service
       $pt_server_service                = 'puppetserver'
    diff --git a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Adirs.html b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Adirs.html
    index 8b56273..31a2ebd 100644
    --- a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Adirs.html
    +++ b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Adirs.html
    @@ -77,7 +77,7 @@
     

    Summary

    - Class manages puppetdb directories + Class manages directories for the puppetdb section

    Overview

    @@ -129,37 +129,7 @@ 31 32 33 -34 -35 -36 -37 -38 -39 -40 -41 -42 -43 -44 -45 -46 -47 -48 -49 -50 -51 -52 -53 -54 -55 -56 -57 -58 -59 -60 -61 -62 -63 -64 +34
    # File 'manifests/puppetdb/dirs.pp', line 6
    @@ -167,58 +137,28 @@
     class puppet_cd::puppetdb::dirs (
     
     ) inherits puppet_cd::params {
    -  if ($fqdn == $pt_db_fqdn) and ($pt_use_puppetdb == true) {
    +  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
         require puppet_cd::main::install
     
    -    # main directory
    -    file { $pt_puppetdb_main:
    +    file { $pt_puppetdb_dir:
           ensure   => directory,
    -      path     => $pt_puppetdb_main,
    -      owner    => $pt_db_user,
    -      group    => $pt_db_user,
    +      owner    => 'puppetdb',
    +      group    => 'puppetdb',
           mode     => '0750',
           selrange => s0,
           selrole  => object_r,
    -      seltype  => etc_t,
    +      seltype  => puppet_etc_t,
           seluser  => system_u,
         }
     
    -    # conf.d directory
    -    file { $pt_puppetdb_conf_d:
    +    file { $pt_puppetdb_conf_dir:
           ensure   => directory,
    -      path     => $pt_puppetdb_conf_d,
    -      owner    => $pt_db_user,
    -      group    => $pt_db_user,
    -      mode     => '0750',
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0755',
           selrange => s0,
           selrole  => object_r,
    -      seltype  => etc_t,
    -      seluser  => system_u,
    -    }
    -
    -    # ssl directory
    -    file { $pt_puppetdb_ssl:
    -      ensure   => directory,
    -      path     => $pt_puppetdb_ssl,
    -      owner    => $pt_db_user,
    -      group    => $pt_db_user,
    -      mode     => '0750',
    -      selrange => s0,
    -      selrole  => object_r,
    -      seltype  => etc_t,
    -      seluser  => system_u,
    -    }
    -
    -    # log dir
    -    file { $pt_puppetdb_log:
    -      ensure   => directory,
    -      path     => $pt_puppetdb_log,
    -      owner    => $pt_db_user,
    -      group    => $pt_db_user,
    -      mode     => '0700',
    -      selrange => s0,
    -      selrole  => object_r,
    -      seltype  => var_log_t,
    +      seltype  => puppet_etc_t,
           seluser  => system_u,
         }
       }
    diff --git a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
    index cbb07c9..e2cd136 100644
    --- a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
    +++ b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
    @@ -77,7 +77,7 @@
     

    Summary

    - Class manages puppetdb files + Class manages config files for the puppetdb section

    Overview

    @@ -212,7 +212,21 @@ 114 115 116 -117 +117 +118 +119 +120 +121 +122 +123 +124 +125 +126 +127 +128 +129 +130 +131
    # File 'manifests/puppetdb/files.pp', line 6
    @@ -220,13 +234,12 @@
     class puppet_cd::puppetdb::files (
     
     ) inherits puppet_cd::params {
    -  if ($fqdn == $pt_db_fqdn) and ($pt_use_puppetdb == true) {
    +  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
         require puppet_cd::puppetdb::dirs
     
         # bootstrap.cfg
    -    file { $pt_bootstrap_conf:
    +    file { $pt_bootstrap_conf_file:
           ensure   => file,
    -      path     => $pt_bootstrap_conf,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -234,29 +247,12 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_bootstrap_erb),
    +      content  => template($pt_bootstrap_conf_erb),
           notify   => Service[$pt_db_service],
         }
    -
    -    # requestlogging.xml
    -    file { $pt_request_logging_conf:
    -      ensure   => file,
    -      path     => $pt_request_logging_conf,
    -      owner    => 'root',
    -      group    => 'root',
    -      mode     => '0644',
    -      selrange => s0,
    -      selrole  => object_r,
    -      seltype  => puppet_etc_t,
    -      seluser  => system_u,
    -      content  => template($pt_request_logging_erb),
    -      notify   => Service[$pt_db_service],
    -    }
    -
         # logback.xml
    -    file { $pt_logback_conf:
    +    file { $pt_logback_conf_file:
           ensure   => file,
    -      path     => $pt_logback_conf,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -264,14 +260,52 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_logback_erb),
    +      content  => template($pt_logback_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # request-logging.xml
    +    file { $pt_logging_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_logging_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # service config
    +    file { $pt_service_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => systemd_unit_file_t,
    +      seluser  => system_u,
    +      content  => template($pt_service_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # conf.d files
    +    ## auth.conf
    +    file { $pt_auth_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_auth_conf_erb),
           notify   => Service[$pt_db_service],
         }
    -
         # config.ini
    -    file { $pt_puppetdb_config_ini:
    +    file { $pt_config_ini_file:
           ensure   => file,
    -      path     => $pt_puppetdb_config_ini,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -279,14 +313,12 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_puppetdb_config_erb),
    +      content  => template($pt_config_ini_erb),
           notify   => Service[$pt_db_service],
         }
    -
         # database.ini
    -    file { $pt_puppetdb_database_ini:
    +    file { $pt_db_ini_file:
           ensure   => file,
    -      path     => $pt_puppetdb_database_ini,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -294,14 +326,12 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_puppetdb_database_erb),
    +      content  => template($pt_db_ini_erb),
           notify   => Service[$pt_db_service],
         }
    -
         # jetty.ini
    -    file { $pt_puppetdb_jetty_ini :
    +    file { $pt_jetty_ini_file:
           ensure   => file,
    -      path     => $pt_puppetdb_jetty_ini ,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -309,14 +339,12 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_puppetdb_jetty_erb),
    +      content  => template($pt_jetty_ini_erb),
           notify   => Service[$pt_db_service],
         }
    -
         # repl.ini
    -    file { $pt_puppetdb_repl_ini:
    +    file { $pt_repl_ini_file:
           ensure   => file,
    -      path     => $pt_puppetdb_repl_ini,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -324,7 +352,7 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_puppetdb_repl_erb),
    +      content  => template($pt_repl_ini_erb),
           notify   => Service[$pt_db_service],
         }
       }
    diff --git a/doc/puppet_classes/puppet_cd_3A_3Aserver_3A_3Aservice.html b/doc/puppet_classes/puppet_cd_3A_3Aserver_3A_3Aservice.html
    index c1af0f2..7b90692 100644
    --- a/doc/puppet_classes/puppet_cd_3A_3Aserver_3A_3Aservice.html
    +++ b/doc/puppet_classes/puppet_cd_3A_3Aserver_3A_3Aservice.html
    @@ -147,7 +147,8 @@
     49
     50
     51
    -52
    +52 +53
    # File 'manifests/server/service.pp', line 6
    @@ -190,6 +191,7 @@ class puppet_cd::server::service (
     
       if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
         require puppet_cd::firewall::iptables
    +    require puppet_cd::puppetdb::files
     
         service { $pt_db_service:
           ensure     => running,
    diff --git a/manifests/params.pp b/manifests/params.pp
    index c3039b8..6ccb6ae 100644
    --- a/manifests/params.pp
    +++ b/manifests/params.pp
    @@ -132,10 +132,10 @@ class puppet_cd::params (
     
     ) {
     # facts
    -  $fqdn                   = $facts['networking']['fqdn']
    -  $domain                 = $facts['networking']['domain']
    -  $os_name                = $facts['os']['name']
    -  $os_release             = $facts['os']['release']['major']
    +  $fqdn                             = $facts['networking']['fqdn']
    +  $domain                           = $facts['networking']['domain']
    +  $os_name                          = $facts['os']['name']
    +  $os_release                       = $facts['os']['release']['major']
     
     # directories
     ## puppet
    @@ -149,10 +149,12 @@ class puppet_cd::params (
       $pt_rundir_master                 = '/var/run/puppetlabs/puppetserver'
       $pt_vardir                        = '/opt/puppetlabs/puppet/cache'
       $pt_vardir_master                 = '/opt/puppetlabs/server/data/puppetserver'
    -
     ## r10k
       $pt_r10k_dir                      = "${pt_main_dir}/r10k"
       $pt_r10k_webhook_dir              = '/etc/r10k-webhook'
    +## puppetdb
    +  $pt_puppetdb_dir                  = '/etc/puppetlabs/puppetdb'
    +  $pt_puppetdb_conf_dir             = "${pt_puppetdb_dir}/conf.d"
     
     # files
     ## puppet
    @@ -165,13 +167,31 @@ class puppet_cd::params (
       $pt_routes_erb                    = 'puppet_cd/puppetdb/routes.yaml.erb'
       $pt_node_rb_file                  = "${pt_puppetdir}/node.rb"
       $pt_node_rb_erb                   = 'puppet_cd/puppetdb/node.rb.erb'
    -
     ## r10k
       $pt_r10k_file                     = "${pt_r10k_dir}/r10k.yaml"
       $pt_r10k_erb                      = 'puppet_cd/r10k/r10k.yaml.erb'
       $pt_webhook_link                  = 'ln -sf  /usr/local/share/gems/gems/r10k_gitlab_webhook-0.1.3/bin/r10k_gitlab_webhook /usr/bin/'
       $pt_webhook_service_file          = '/etc/systemd/system/r10k_gitlab_webhook.service'
       $pt_webhook_service_erb           = 'puppet_cd/r10k/r10k_webhook_service.erb'
    +## puppetdb
    +  $pt_bootstrap_conf_file   = "${pt_puppetdb_dir}/bootstrap.cfg"
    +  $pt_bootstrap_conf_erb    = 'puppet_cd/puppetdb/bootstrap.cfg.erb'
    +  $pt_logback_conf_file     = "${pt_puppetdb_dir}/logback.xml"
    +  $pt_logback_conf_erb      = 'puppet_cd/puppetdb/logback.xml.erb'
    +  $pt_logging_conf_file     = "${pt_puppetdb_dir}/request-logging.xml"
    +  $pt_logging_conf_erb      = 'puppet_cd/puppetdb/request_logging.xml.erb'
    +  $pt_auth_conf_file        = "${pt_puppetdb_conf_dir}/auth.conf"
    +  $pt_auth_conf_erb         = 'puppet_cd/puppetdb/auth.conf.erb'
    +  $pt_config_ini_file       = "${pt_puppetdb_conf_dir}/config.ini"
    +  $pt_config_ini_erb        = 'puppet_cd/puppetdb/config.ini.erb'
    +  $pt_db_ini_file           = "${pt_puppetdb_conf_dir}/database.ini"
    +  $pt_db_ini_erb            = 'puppet_cd/puppetdb/database.ini.erb'
    +  $pt_jetty_ini_file        = "${pt_puppetdb_conf_dir}/jetty.ini"
    +  $pt_jetty_ini_erb         = 'puppet_cd/puppetdb/jetty.ini.erb'
    +  $pt_repl_ini_file         = "${pt_puppetdb_conf_dir}/repl.ini"
    +  $pt_repl_ini_erb          = 'puppet_cd/puppetdb/repl.ini.erb'
    +  $pt_service_conf_file     = '/usr/lib/systemd/system/puppetdb.service'
    +  $pt_service_conf_erb      = 'puppet_cd/puppetdb/service.conf.erb'
     
     # service
       $pt_server_service                = 'puppetserver'
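Review bot: `$pt_service_conf_file` targets `/usr/lib/systemd/system/puppetdb.service`, which is presumably the package-owned unit path, so a package upgrade and Puppet would each overwrite the other's copy. The r10k webhook unit a few lines above already lives under `/etc/systemd/system/`, and the same convention here would be `$pt_service_conf_file = '/etc/systemd/system/puppetdb.service'`. The new puppetdb assignments also use a narrower alignment column than the rest of the class, which the first hunk just realigned. The class body continues outside this hunk.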
    diff --git a/manifests/puppetdb/dirs.pp b/manifests/puppetdb/dirs.pp
    new file mode 100644
    index 0000000..16748af
    --- /dev/null
    +++ b/manifests/puppetdb/dirs.pp
    @@ -0,0 +1,34 @@
    +## puppet_cd::puppetdb::dirs.pp
    +# Module name: puppet_cd
    +# Author: Arne Teuke (arne_teuke@confdroid)
    +# @summary  Class manages directories for the puppetdb section
    +###############################################################################
    +class puppet_cd::puppetdb::dirs (
    +
    +) inherits puppet_cd::params {
    +  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
    +    require puppet_cd::main::install
    +
    +    file { $pt_puppetdb_dir:
    +      ensure   => directory,
    +      owner    => 'puppetdb',
    +      group    => 'puppetdb',
    +      mode     => '0750',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +    }
    +
    +    file { $pt_puppetdb_conf_dir:
    +      ensure   => directory,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0755',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +    }
    +  }
    +}
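Review bot: The first `file` resource makes the `puppetdb` service account the owner of `$pt_puppetdb_dir` with mode `0750`, so that account can unlink and recreate the root-owned `bootstrap.cfg`, `logback.xml` and `request-logging.xml` that files.pp places there, at least until the next agent run restores them. Unless PuppetDB needs to write into this directory (not visible here), `owner => 'root'` with `group => 'puppetdb'` keeps it readable by the service without being writable by it. The account name is hard-coded in two attributes, where the removed code used a variable. `require puppet_cd::main::install` presumably installs the package that creates the account, which is worth confirming because nothing else orders these resources after it.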
    diff --git a/manifests/puppetdb/files.pp b/manifests/puppetdb/files.pp
    new file mode 100644
    index 0000000..e09d55a
    --- /dev/null
    +++ b/manifests/puppetdb/files.pp
    @@ -0,0 +1,131 @@
    +## puppet_cd::puppetdb::files.pp
    +# Module name: puppet_cd
    +# Author: Arne Teuke (arne_teuke@confdroid)
    +# @summary  Class manages config files for the puppetdb section
    +###############################################################################
    +class puppet_cd::puppetdb::files (
    +
    +) inherits puppet_cd::params {
    +  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
    +    require puppet_cd::puppetdb::dirs
    +
    +    # bootstrap.cfg
    +    file { $pt_bootstrap_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_bootstrap_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # logback.xml
    +    file { $pt_logback_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_logback_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # request-logging.xml
    +    file { $pt_logging_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_logging_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # service config
    +    file { $pt_service_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => systemd_unit_file_t,
    +      seluser  => system_u,
    +      content  => template($pt_service_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # conf.d files
    +    ## auth.conf
    +    file { $pt_auth_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_auth_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # config.ini
    +    file { $pt_config_ini_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_config_ini_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # database.ini
    +    file { $pt_db_ini_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_db_ini_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # jetty.ini
    +    file { $pt_jetty_ini_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_jetty_ini_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # repl.ini
    +    file { $pt_repl_ini_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_repl_ini_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +  }
    +}
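Review bot: The `$pt_db_ini_file` resource is written `root:root` with mode `0644`, yet database.ini.erb renders `password = <%= @pt_db_password %>` into it, so the file carries no protection of its own for the database credential and relies entirely on the `0750` parent directory from dirs.pp. Puppet will also include the rendered content in diffs in agent logs and reports whenever the file changes. For that resource I would use `group => 'puppetdb'`, `mode => '0640'` and `show_diff => false`, and consider passing the password as a `Sensitive` value. The nine resources differ only in title, template and one `seltype`, so a short comment explaining why `database.ini` has tighter attributes would stop it being "normalised" back later.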
    diff --git a/manifests/server/service.pp b/manifests/server/service.pp
    index cd31493..5e6e1b7 100644
    --- a/manifests/server/service.pp
    +++ b/manifests/server/service.pp
    @@ -41,6 +41,7 @@ class puppet_cd::server::service (
     
       if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
         require puppet_cd::firewall::iptables
    +    require puppet_cd::puppetdb::files
     
         service { $pt_db_service:
           ensure     => running,
    diff --git a/templates/puppetdb/auth.conf.erb b/templates/puppetdb/auth.conf.erb
    new file mode 100644
    index 0000000..b1535b2
    --- /dev/null
    +++ b/templates/puppetdb/auth.conf.erb
    @@ -0,0 +1,50 @@
    +authorization: {
    +    version: 1
    +    rules: [
    +        {
    +            # Allow unauthenticated access to the status service endpoint
    +            match-request: {
    +                path: "/status/v1/services"
    +                type: path
    +                method: get
    +            }
    +            allow-unauthenticated: true
    +            sort-order: 500
    +            name: "puppetlabs status service - full"
    +        },
    +        {
    +            match-request: {
    +                path: "/status/v1/simple"
    +                type: path
    +                method: get
    +            }
    +            allow-unauthenticated: true
    +            sort-order: 500
    +            name: "puppetlabs status service - simple"
    +        },
    +        {
    +            # Allow nodes to access the metrics service
    +            # for puppetdb, the metrics service is the only
    +            # service using the authentication service
    +            match-request: {
    +                path: "/metrics"
    +                type: path
    +                method: [get, post]
    +            }
    +            allow: "*"
    +            sort-order: 500
    +            name: "puppetlabs puppetdb metrics"
    +        },
    +        {
    +            # Deny everything else. This ACL is not strictly
    +            # necessary, but illustrates the default policy
    +            match-request: {
    +                path: "/"
    +                type: path
    +            }
    +            deny: "*"
    +            sort-order: 999
    +            name: "puppetlabs deny all"
    +        }
    +    ]
    +}
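Review bot: The `/metrics` rule uses `allow: "*"` for both `get` and `post`, so any client holding a certificate signed by the CA can reach the metrics service, and jetty.ini.erb in this commit binds `ssl-host = 0.0.0.0`. If only the server itself or a monitoring host needs metrics, list those certnames instead, e.g. `allow: ["<monitoring-certname-placeholder>"]`. The template also lacks the "File created by Puppet" banner that the other puppetdb templates carry and contains no ERB tags, so a one-line comment saying it is intentionally static would help the next reader.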
    diff --git a/templates/puppetdb/bootstrap.cfg.erb b/templates/puppetdb/bootstrap.cfg.erb
    new file mode 100644
    index 0000000..280aa9f
    --- /dev/null
    +++ b/templates/puppetdb/bootstrap.cfg.erb
    @@ -0,0 +1,34 @@
    +###############################################################################
    +######### File created by Puppet - manual changes will be overwritten #########
    +###############################################################################
    +
    +# This file is used by the application framework (trapperkeeper) to
    +# determine what services should be loaded at boot time.
    +# For more info, see:
    +#  https://github.com/puppetlabs/trapperkeeper/wiki/Bootstrapping
    +
    +# Web Server
    +puppetlabs.trapperkeeper.services.webserver.jetty10-service/jetty10-service
    +
    +# Webrouting
    +puppetlabs.trapperkeeper.services.webrouting.webrouting-service/webrouting-service
    +
    +# TK metrics - the authorization service is currently only used by the metrics service
    +puppetlabs.trapperkeeper.services.authorization.authorization-service/authorization-service
    +puppetlabs.trapperkeeper.services.metrics.metrics-service/metrics-webservice
    +# TK status
    +puppetlabs.trapperkeeper.services.status.status-service/status-service
    +puppetlabs.trapperkeeper.services.scheduler.scheduler-service/scheduler-service
    +
    +# PuppetDB Services
    +puppetlabs.puppetdb.cli.services/puppetdb-service
    +puppetlabs.puppetdb.command/command-service
    +puppetlabs.puppetdb.pdb-routing/maint-mode-service
    +puppetlabs.puppetdb.pdb-routing/pdb-routing-service
    +puppetlabs.puppetdb.config/config-service
    +
    +# NREPL
    +puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service
    +
    +# Dashboard redirect for "/" (not "/pdb"): remove to disable
    +puppetlabs.puppetdb.dashboard/dashboard-redirect-service
    \ No newline at end of file
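Review bot: `nrepl-service` is loaded unconditionally, so whether a remote REPL is reachable depends entirely on the `@pt_repl_on`, `@pt_repl_host` and `@pt_repl_port` values rendered by repl.ini.erb, whose defaults are not visible in this change. nREPL gives code execution inside the PuppetDB process to anything that can connect, so I would confirm the defaults are `false` and `127.0.0.1`. Ideally the bootstrap line is emitted only when the REPL is enabled, by wrapping it in `<% if @pt_repl_on -%>` and `<% end -%>` (assuming `pt_repl_on` is a Boolean rather than a string). The file also ends without a trailing newline.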
    diff --git a/templates/puppetdb/config.ini.erb b/templates/puppetdb/config.ini.erb
    new file mode 100644
    index 0000000..ae15dc6
    --- /dev/null
    +++ b/templates/puppetdb/config.ini.erb
    @@ -0,0 +1,20 @@
    +###############################################################################
    +######### File created by Puppet - manual changes will be overwritten #########
    +###############################################################################
    +
    +# See README.md for more thorough explanations of each section and
    +# option.
    +
    +[global]
    +# Store mq/db data in a custom directory
    +vardir = /opt/puppetlabs/server/data/puppetdb
    +
    +# Use an external logback config file
    +logging-config = /etc/puppetlabs/puppetdb/logback.xml
    +
    +[command-processing]
    +# How many command-processing threads to use, defaults to (CPUs / 2)
    +# threads = 4
    +
    +# How many threads can write to disk at once, defaults to min(CPUs / 2, 4)
    +# concurrent-writes = 4
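Review bot: `logging-config` hard-codes `/etc/puppetlabs/puppetdb/logback.xml` although params.pp now defines `$pt_logback_conf_file` for the same path, so changing `$pt_puppetdb_dir` would leave this template pointing at the old location. `logging-config = <%= @pt_logback_conf_file %>` keeps the two in sync. The same applies to `access-log-config` in jetty.ini.erb, which could use `<%= @pt_logging_conf_file %>`.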
    diff --git a/templates/puppetdb/database.ini.erb b/templates/puppetdb/database.ini.erb
    new file mode 100644
    index 0000000..fccd220
    --- /dev/null
    +++ b/templates/puppetdb/database.ini.erb
    @@ -0,0 +1,17 @@
    +###############################################################################
    +######### File created by Puppet - manual changes will be overwritten #########
    +###############################################################################
    +
    +[database]
    +
    +# The database address, i.e. //HOST:PORT/DATABASE_NAME
    +subname = <%= @pt_db_subname %>
    +
    +# Connect as a specific user
    +username = <%= @pt_db_username %>
    +
    +# Use a specific password
    +password = <%= @pt_db_password %>
    +
    +# How often (in minutes) to compact the database
    +gc-interval = <%= @pt_gc_interval %>
    diff --git a/templates/puppetdb/jetty.ini.erb b/templates/puppetdb/jetty.ini.erb
    new file mode 100644
    index 0000000..174c9b3
    --- /dev/null
    +++ b/templates/puppetdb/jetty.ini.erb
    @@ -0,0 +1,37 @@
    +###############################################################################
    +######### File created by Puppet - manual changes will be overwritten #########
    +###############################################################################
    +
    +[jetty]
    +# IP address or hostname to listen for clear-text HTTP. To avoid resolution
    +# issues, IP addresses are recommended over hostnames.
    +# Default is `localhost`.
    +# host = 
    +
    +# Port to listen on for clear-text HTTP.
    +port = <%= @pt_http_port %>
    +
    +# The following are SSL specific settings. They can be configured
    +# automatically with the tool `puppetdb ssl-setup`, which is normally
    +# ran during package installation.
    +
    +# IP address to listen on for HTTPS connections. Hostnames can also be used
    +# but are not recommended to avoid DNS resolution issues. To listen on all
    +# interfaces, use `0.0.0.0`.
    +ssl-host = 0.0.0.0
    +
    +# The port to listen on for HTTPS connections
    +ssl-port = <%= @pt_https_port %>
    +
    +# Private key path
    +ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
    +
    +# Public certificate path
    +ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
    +
    +# Certificate authority path
    +ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
    +
    +# Access logging configuration path. To turn off access logging
    +# comment out the line with `access-log-config=...`
    +access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
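Review bot: The `ssl-key`, `ssl-cert` and `ssl-ca-cert` settings point into `/etc/puppetlabs/puppetdb/ssl`, but the new dirs.pp manages only `$pt_puppetdb_dir` and `$pt_puppetdb_conf_dir`, so nothing in this change enforces ownership or mode on the private key or ensures it exists before the service starts. The template comment suggests `puppetdb ssl-setup` creates these files at package install; if that is relied on, a comment saying so, or a managed `ssl` directory with mode `0700`, would make it explicit. I would also write `host = 127.0.0.1` instead of leaving `# host =` commented, so the clear-text listener stays on loopback regardless of the packaged default.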
    diff --git a/templates/puppetdb/logback.xml.erb b/templates/puppetdb/logback.xml.erb
    new file mode 100644
    index 0000000..fb31aad
    --- /dev/null
    +++ b/templates/puppetdb/logback.xml.erb
    @@ -0,0 +1,52 @@
    +
    +    
    +        
    +            %d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n
    +        
    +    
    +
    +    
    +        /var/log/puppetlabs/puppetdb/puppetdb.log
    +        true
    +        
    +            /var/log/puppetlabs/puppetdb/puppetdb-%d{yyyy-MM-dd}.%i.log.gz
    +            
    +            200MB
    +            90
    +            1GB
    +        
    +        
    +            %d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n
    +        
    +    
    +
    +    
    +    
    +
    +    
    +        /var/log/puppetlabs/puppetdb/puppetdb-status.log
    +        true
    +        
    +            
    +            /var/log/puppetlabs/puppetdb/puppetdb-status-%d{yyyy-MM-dd}.%i.log.gz
    +            
    +            200MB
    +            90
    +            1GB
    +        
    +        
    +            
    +            %m%n
    +        
    +    
    +
    +    
    +    
    +        
    +    
    +
    +    
    +        
    +        
    +    
    +
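Review bot: The three rollover values `200MB`, `90` and `1GB` appear to be the per-file size, the history length in days and the total size cap, but the element names are not visible here, so that reading needs confirming. If it is right, the 1GB cap rather than the 90-day history will decide how long logs survive on a busy server. That matters most for the access log in templates/puppetdb/request_logging.xml.erb, which uses the same three values and is the file an investigation would rely on. I would either expose the cap and history as parameters or add a comment stating that retention is bounded by size, not by days. Neither file seems to contain an ERB tag, so both could be shipped as static files unless parameters are planned.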
    diff --git a/templates/puppetdb/repl.ini.erb b/templates/puppetdb/repl.ini.erb
    new file mode 100644
    index 0000000..c6bcd40
    --- /dev/null
    +++ b/templates/puppetdb/repl.ini.erb
    @@ -0,0 +1,13 @@
    +###############################################################################
    +######### File created by Puppet - manual changes will be overwritten #########
    +###############################################################################
    +
    +[nrepl]
    +# Set to true to enable the remote REPL
    +enabled = <%= @pt_repl_on %>
    +
    +# What port the REPL should listen on
    +port = <%= @pt_repl_port %>
    +
    +# IP address to listen on
    +host = <%= @pt_repl_host %>
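Review bot: The template renders whatever `@pt_repl_on` and `@pt_repl_host` hold, with nothing to tell the operator that the nREPL endpoint is unauthenticated. Anyone who can reach `host:port` can evaluate code inside the PuppetDB process. The defaults live in params.pp outside this hunk, so please confirm they are `false` and a loopback address. I would add a comment above `enabled`, for example `# The REPL has no authentication - leave disabled outside debugging and never bind it to a routable address.` Consider also having the manifest fail compilation when the REPL is enabled with a non-loopback host.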
    diff --git a/templates/puppetdb/request_logging.xml.erb b/templates/puppetdb/request_logging.xml.erb
    new file mode 100644
    index 0000000..10c8a47
    --- /dev/null
    +++ b/templates/puppetdb/request_logging.xml.erb
    @@ -0,0 +1,17 @@
    +
    +    
    +        /var/log/puppetlabs/puppetdb/puppetdb-access.log
    +        true
    +        
    +            /var/log/puppetlabs/puppetdb/puppetdb-access-%d{yyyy-MM-dd}.%i.log.gz
    +            
    +            200MB
    +            90
    +            1GB
    +        
    +        
    +            %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D %header{X-Uncompressed-Length}
    +        
    +    
    +    
    +
    diff --git a/templates/puppetdb/service.conf.erb b/templates/puppetdb/service.conf.erb
    new file mode 100644
    index 0000000..9f3c5cd
    --- /dev/null
    +++ b/templates/puppetdb/service.conf.erb
    @@ -0,0 +1,51 @@
    +###############################################################################
    +######### File created by Puppet - manual changes will be overwritten #########
    +###############################################################################
    +#
    +# Local settings can be configured without being overwritten by package upgrades, for example
    +# if you want to increase puppetdb open-files-limit to 10000,
    +# you need to increase systemd's LimitNOFILE setting, so create a file named
    +# "/etc/systemd/system/puppetdb.service.d/limits.conf" containing:
    +#	[Service]
    +#	LimitNOFILE=10000
    +# You can confirm it worked by running systemctl daemon-reload
    +# then running systemctl show puppetdb | grep LimitNOFILE
    +#
    +[Unit]
    +Description=puppetdb Service
    +After=syslog.target network.target nss-lookup.target
    +
    +[Service]
    +Type=forking
    +EnvironmentFile=/etc/sysconfig/puppetdb
    +User=puppetdb
    +TimeoutStartSec=14400
    +TimeoutStopSec=60
    +Restart=on-failure
    +StartLimitBurst=5
    +PIDFile=/run/puppetlabs/puppetdb/puppetdb.pid
    +
    +# https://tickets.puppetlabs.com/browse/EZ-129
    +# Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'
    +# was implemented. This is low enough to cause problems for certain applications. In systemd 231, the
    +# default was changed to be 15% of the default kernel limit. This explicitly sets TasksMax to 4915,
    +# which should match the default in systemd 231 and later.
    +# See https://github.com/systemd/systemd/issues/3211#issuecomment-233676333
    +TasksMax=4915
    +
    +#set default privileges to -rw-r-----
    +UMask=027
    +
    +
    +ExecReload=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb reload
    +ExecStart=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb start
    +ExecStop=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb stop
    +
    +KillMode=process
    +
    +SuccessExitStatus=143
    +
    +StandardOutput=journal
    +
    +[Install]
    +WantedBy=multi-user.target
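Review bot: Now that the module owns this unit file, the `[Service]` section could carry basic sandboxing, which the packaged unit copied here does not have. The process already runs as `User=puppetdb`, so `NoNewPrivileges=true` and `PrivateTmp=true` are low-risk additions. They should still be tested against the start script before merging. Separately, the comment `#set default privileges to -rw-r-----` describes files only. With `UMask=027`, directories the service creates get `rwxr-x---`, and the comment could say so. The template contains no ERB tag, so it could be deployed as a static file unless parameters are planned.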