From 9fb5422b4bdc06e2d2a4d1e8c77fb824366c8496 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sat, 1 Nov 2025 17:34:23 +0100
Subject: [PATCH 1/2] add dirs and files - https://gitlab.confdroid.com/internal/confdroid_management/-/issues/292
---
manifests/params.pp | 32 ++++-
manifests/puppetdb/dirs.pp | 34 ++++++
manifests/puppetdb/files.pp | 131 +++++++++++++++++++++
manifests/server/service.pp | 1 +
templates/puppetdb/auth.conf.erb | 50 ++++++++
templates/puppetdb/bootstrap.cfg.erb | 34 ++++++
templates/puppetdb/config.ini.erb | 20 ++++
templates/puppetdb/database.ini.erb | 17 +++
templates/puppetdb/jetty.ini.erb | 37 ++++++
templates/puppetdb/logback.xml.erb | 52 ++++++++
templates/puppetdb/repl.ini.erb | 13 ++
templates/puppetdb/request_logging.xml.erb | 17 +++
templates/puppetdb/service.conf.erb | 51 ++++++++
13 files changed, 483 insertions(+), 6 deletions(-)
create mode 100644 manifests/puppetdb/dirs.pp
create mode 100644 manifests/puppetdb/files.pp
create mode 100644 templates/puppetdb/auth.conf.erb
create mode 100644 templates/puppetdb/bootstrap.cfg.erb
create mode 100644 templates/puppetdb/config.ini.erb
create mode 100644 templates/puppetdb/database.ini.erb
create mode 100644 templates/puppetdb/jetty.ini.erb
create mode 100644 templates/puppetdb/logback.xml.erb
create mode 100644 templates/puppetdb/repl.ini.erb
create mode 100644 templates/puppetdb/request_logging.xml.erb
create mode 100644 templates/puppetdb/service.conf.erb
diff --git a/manifests/params.pp b/manifests/params.pp
index c3039b8..6ccb6ae 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -132,10 +132,10 @@ class puppet_cd::params ( ) { # facts - $fqdn = $facts['networking']['fqdn'] - $domain = $facts['networking']['domain'] - $os_name = $facts['os']['name'] - $os_release = $facts['os']['release']['major'] + $fqdn = $facts['networking']['fqdn'] + $domain = $facts['networking']['domain'] + $os_name = $facts['os']['name'] + $os_release = $facts['os']['release']['major'] # directories ## puppet @@ -149,10 +149,12 @@ class puppet_cd::params ( $pt_rundir_master = '/var/run/puppetlabs/puppetserver' $pt_vardir = '/opt/puppetlabs/puppet/cache' $pt_vardir_master = '/opt/puppetlabs/server/data/puppetserver' - ## r10k $pt_r10k_dir = "${pt_main_dir}/r10k" $pt_r10k_webhook_dir = '/etc/r10k-webhook' +## puppetdb + $pt_puppetdb_dir = '/etc/puppetlabs/puppetdb' + $pt_puppetdb_conf_dir = "${pt_puppetdb_dir}/conf.d" # files ## puppet 
@@ -165,13 +167,31 @@ class puppet_cd::params ( $pt_routes_erb = 'puppet_cd/puppetdb/routes.yaml.erb' $pt_node_rb_file = "${pt_puppetdir}/node.rb" $pt_node_rb_erb = 'puppet_cd/puppetdb/node.rb.erb' - ## r10k $pt_r10k_file = "${pt_r10k_dir}/r10k.yaml" $pt_r10k_erb = 'puppet_cd/r10k/r10k.yaml.erb' $pt_webhook_link = 'ln -sf /usr/local/share/gems/gems/r10k_gitlab_webhook-0.1.3/bin/r10k_gitlab_webhook /usr/bin/' $pt_webhook_service_file = '/etc/systemd/system/r10k_gitlab_webhook.service' $pt_webhook_service_erb = 'puppet_cd/r10k/r10k_webhook_service.erb' +## puppetdb + $pt_bootstrap_conf_file = "${pt_puppetdb_dir}/bootstrap.cfg" + $pt_bootstrap_conf_erb = 'puppet_cd/puppetdb/bootstrap.cfg.erb' + $pt_logback_conf_file = "${pt_puppetdb_dir}/logback.xml" + $pt_logback_conf_erb = 'puppet_cd/puppetdb/logback.xml.erb' + $pt_logging_conf_file = "${pt_puppetdb_dir}/request-logging.xml" + $pt_logging_conf_erb = 'puppet_cd/puppetdb/request_logging.xml.erb' + $pt_auth_conf_file = "${pt_puppetdb_conf_dir}/auth.conf" + $pt_auth_conf_erb = 'puppet_cd/puppetdb/auth.conf.erb' + $pt_config_ini_file = "${pt_puppetdb_conf_dir}/config.ini" + $pt_config_ini_erb = 'puppet_cd/puppetdb/config.ini.erb' + $pt_db_ini_file = "${pt_puppetdb_conf_dir}/database.ini" + $pt_db_ini_erb = 'puppet_cd/puppetdb/database.ini.erb' + $pt_jetty_ini_file = "${pt_puppetdb_conf_dir}/jetty.ini" + $pt_jetty_ini_erb = 'puppet_cd/puppetdb/jetty.ini.erb' + $pt_repl_ini_file = "${pt_puppetdb_conf_dir}/repl.ini" + $pt_repl_ini_erb = 'puppet_cd/puppetdb/repl.ini.erb' + $pt_service_conf_file = '/usr/lib/systemd/system/puppetdb.service' + $pt_service_conf_erb = 'puppet_cd/puppetdb/service.conf.erb' # service $pt_server_service = 'puppetserver' diff --git a/manifests/puppetdb/dirs.pp b/manifests/puppetdb/dirs.pp new file mode 100644 index 0000000..16748af --- /dev/null +++ b/manifests/puppetdb/dirs.pp 
@@ -0,0 +1,34 @@
+## puppet_cd::puppetdb::dirs.pp
+# Module name: puppet_cd
+# Author: Arne Teuke (arne_teuke@confdroid)
+# @summary Class manages directories for the puppetdb section
+###############################################################################
+class puppet_cd::puppetdb::dirs (
+
+) inherits puppet_cd::params {
+ if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
+ require puppet_cd::main::install
+
+ file { $pt_puppetdb_dir:
+ ensure => directory,
+ owner => 'puppetdb',
+ group => 'puppetdb',
+ mode => '0750',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ }
+
+ file { $pt_puppetdb_conf_dir:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ }
+ }
+}
diff --git a/manifests/puppetdb/files.pp b/manifests/puppetdb/files.pp
new file mode 100644
index 0000000..e09d55a
--- /dev/null
+++ b/manifests/puppetdb/files.pp
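Review bot: The first `file` resource in dirs.pp hands `$pt_puppetdb_dir` to `puppetdb:puppetdb` with mode `0750`, so the service account has write permission on the directory that holds its own configuration. Write access to a directory is enough to rename or replace entries in it regardless of who owns them, which would cover `conf.d` and the root-owned files that files.pp places directly under this path, at least until the next agent run. Unless PuppetDB has to create files there, `owner => 'root', group => 'puppetdb', mode => '0750'` keeps the directory readable by the service without making it writable. A one-line comment above each resource saying why the two directories differ in ownership would also help.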
@@ -0,0 +1,131 @@
+## puppet_cd::puppetdb::files.pp
+# Module name: puppet_cd
+# Author: Arne Teuke (arne_teuke@confdroid)
+# @summary Class manages config files for the puppetdb section
+###############################################################################
+class puppet_cd::puppetdb::files (
+
+) inherits puppet_cd::params {
+ if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
+ require puppet_cd::puppetdb::dirs
+
+ # bootstrap.cfg
+ file { $pt_bootstrap_conf_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_bootstrap_conf_erb),
+ notify => Service[$pt_db_service],
+ }
+ # logback.xml
+ file { $pt_logback_conf_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_logback_conf_erb),
+ notify => Service[$pt_db_service],
+ }
+ # request-logging.xml
+ file { $pt_logging_conf_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_logging_conf_erb),
+ notify => Service[$pt_db_service],
+ }
+ # service config
+ file { $pt_service_conf_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => systemd_unit_file_t,
+ seluser => system_u,
+ content => template($pt_service_conf_erb),
+ notify => Service[$pt_db_service],
+ }
+ # conf.d files
+ ## auth.conf
+ file { $pt_auth_conf_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_auth_conf_erb),
+ notify => Service[$pt_db_service],
+ }
+ # config.ini
+ file { 
$pt_config_ini_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_config_ini_erb), + notify => Service[$pt_db_service], + } + # database.ini + file { $pt_db_ini_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_db_ini_erb), + notify => Service[$pt_db_service], + } + # jetty.ini + file { $pt_jetty_ini_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_jetty_ini_erb), + notify => Service[$pt_db_service], + } + # repl.ini + file { $pt_repl_ini_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_repl_ini_erb), + notify => Service[$pt_db_service], + } + } +} diff --git a/manifests/server/service.pp b/manifests/server/service.pp index cd31493..5e6e1b7 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp @@ -41,6 +41,7 @@ class puppet_cd::server::service ( if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) { require puppet_cd::firewall::iptables + require puppet_cd::puppetdb::files service { $pt_db_service: ensure => running, diff --git a/templates/puppetdb/auth.conf.erb b/templates/puppetdb/auth.conf.erb new file mode 100644 index 0000000..b1535b2 --- /dev/null +++ b/templates/puppetdb/auth.conf.erb 
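Review bot: The `database.ini` resource in manifests/puppetdb/files.pp is written `root:root` with mode `0644`, and the template added later in this patch renders `password = <%= @pt_db_password %>` into it. Only the `0750` mode on the parent `$pt_puppetdb_dir` keeps other local accounts from reading the credential, so the file itself should carry the restriction: `group => 'puppetdb',` and `mode => '0640',`. Adding `show_diff => false,` to the same resource keeps the password out of agent output and reports where diff display is enabled. The `Service[$pt_db_service]` that every resource here notifies is declared outside this hunk.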
@@ -0,0 +1,50 @@
+authorization: {
+ version: 1
+ rules: [
+ {
+ # Allow unauthenticated access to the status service endpoint
+ match-request: {
+ path: "/status/v1/services"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status service - full"
+ },
+ {
+ match-request: {
+ path: "/status/v1/simple"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status service - simple"
+ },
+ {
+ # Allow nodes to access the metrics service
+ # for puppetdb, the metrics service is the only
+ # service using the authentication service
+ match-request: {
+ path: "/metrics"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs puppetdb metrics"
+ },
+ {
+ # Deny everything else. This ACL is not strictly
+ # necessary, but illustrates the default policy
+ match-request: {
+ path: "/"
+ type: path
+ }
+ deny: "*"
+ sort-order: 999
+ name: "puppetlabs deny all"
+ }
+ ]
+}
diff --git a/templates/puppetdb/bootstrap.cfg.erb b/templates/puppetdb/bootstrap.cfg.erb
new file mode 100644
index 0000000..280aa9f
--- /dev/null
+++ b/templates/puppetdb/bootstrap.cfg.erb
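Review bot: The `/metrics` rule in auth.conf.erb uses `allow: "*"` for both `get` and `post`, so every client that presents a certificate the server accepts can reach the metrics service. Now that the file is rendered from a template, the allowed certnames could come from a module parameter, with the wildcard at most an explicit opt-in. The second rule (`/status/v1/simple`) has no comment; `# Allow unauthenticated access to the simple status endpoint` would match the other rules. The template contains no ERB tags, and unlike the other templates in this patch it lacks the "File created by Puppet" header.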
@@ -0,0 +1,34 @@
+###############################################################################
+######### File created by Puppet - manual changes will be overwritten #########
+###############################################################################
+
+# This file is used by the application framework (trapperkeeper) to
+# determine what services should be loaded at boot time.
+# For more info, see:
+# https://github.com/puppetlabs/trapperkeeper/wiki/Bootstrapping
+
+# Web Server
+puppetlabs.trapperkeeper.services.webserver.jetty10-service/jetty10-service
+
+# Webrouting
+puppetlabs.trapperkeeper.services.webrouting.webrouting-service/webrouting-service
+
+# TK metrics - the authorization service is currently only used by the metrics service
+puppetlabs.trapperkeeper.services.authorization.authorization-service/authorization-service
+puppetlabs.trapperkeeper.services.metrics.metrics-service/metrics-webservice
+# TK status
+puppetlabs.trapperkeeper.services.status.status-service/status-service
+puppetlabs.trapperkeeper.services.scheduler.scheduler-service/scheduler-service
+
+# PuppetDB Services
+puppetlabs.puppetdb.cli.services/puppetdb-service
+puppetlabs.puppetdb.command/command-service
+puppetlabs.puppetdb.pdb-routing/maint-mode-service
+puppetlabs.puppetdb.pdb-routing/pdb-routing-service
+puppetlabs.puppetdb.config/config-service
+
+# NREPL
+puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service
+
+# Dashboard redirect for "/" (not "/pdb"): remove to disable
+puppetlabs.puppetdb.dashboard/dashboard-redirect-service
\ No newline at end of file
diff --git a/templates/puppetdb/config.ini.erb b/templates/puppetdb/config.ini.erb
new file mode 100644
index 0000000..ae15dc6
--- /dev/null
+++ b/templates/puppetdb/config.ini.erb
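Review bot: The `nrepl-service` line in bootstrap.cfg.erb is loaded unconditionally, so whether a remote REPL is reachable depends entirely on `@pt_repl_on`, `@pt_repl_host` and `@pt_repl_port` in repl.ini.erb, whose defaults are not part of this patch. An enabled nREPL lets anyone who can connect to it evaluate code as the service account, so the defaults should be `false` and `127.0.0.1`. Assuming `@pt_repl_on` is a Boolean, the bootstrap entry can be rendered only when the REPL is switched on by wrapping the service line in `<% if @pt_repl_on -%>` and `<% end -%>`. The dashboard redirect line carries its own "remove to disable" hint and could get the same treatment, and the file ends without a trailing newline.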
@@ -0,0 +1,20 @@
+###############################################################################
+######### File created by Puppet - manual changes will be overwritten #########
+###############################################################################
+
+# See README.md for more thorough explanations of each section and
+# option.
+
+[global]
+# Store mq/db data in a custom directory
+vardir = /opt/puppetlabs/server/data/puppetdb
+
+# Use an external logback config file
+logging-config = /etc/puppetlabs/puppetdb/logback.xml
+
+[command-processing]
+# How many command-processing threads to use, defaults to (CPUs / 2)
+# threads = 4
+
+# How many threads can write to disk at once, defaults to min(CPUs / 2, 4)
+# concurrent-writes = 4
diff --git a/templates/puppetdb/database.ini.erb b/templates/puppetdb/database.ini.erb
new file mode 100644
index 0000000..fccd220
--- /dev/null
+++ b/templates/puppetdb/database.ini.erb
@@ -0,0 +1,17 @@
+###############################################################################
+######### File created by Puppet - manual changes will be overwritten #########
+###############################################################################
+
+[database]
+
+# The database address, i.e. //HOST:PORT/DATABASE_NAME
+subname = <%= @pt_db_subname %>
+
+# Connect as a specific user
+username = <%= @pt_db_username %>
+
+# Use a specific password
+password = <%= @pt_db_password %>
+
+# How often (in minutes) to compact the database
+gc-interval = <%= @pt_gc_interval %>
diff --git a/templates/puppetdb/jetty.ini.erb b/templates/puppetdb/jetty.ini.erb
new file mode 100644
index 0000000..174c9b3
--- /dev/null
+++ b/templates/puppetdb/jetty.ini.erb
@@ -0,0 +1,37 @@
+###############################################################################
+######### File created by Puppet - manual changes will be overwritten #########
+###############################################################################
+
+[jetty]
+# IP address or hostname to listen for clear-text HTTP. To avoid resolution
+# issues, IP addresses are recommended over hostnames.
+# Default is `localhost`.
+# host =
+
+# Port to listen on for clear-text HTTP.
+port = <%= @pt_http_port %>
+
+# The following are SSL specific settings. They can be configured
+# automatically with the tool `puppetdb ssl-setup`, which is normally
+# ran during package installation.
+
+# IP address to listen on for HTTPS connections. Hostnames can also be used
+# but are not recommended to avoid DNS resolution issues. To listen on all
+# interfaces, use `0.0.0.0`.
+ssl-host = 0.0.0.0
+
+# The port to listen on for HTTPS connections
+ssl-port = <%= @pt_https_port %>
+
+# Private key path
+ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
+
+# Public certificate path
+ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
+
+# Certificate authority path
+ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
+
+# Access logging configuration path. To turn off access logging
+# comment out the line with `access-log-config=...`
+access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
diff --git a/templates/puppetdb/logback.xml.erb b/templates/puppetdb/logback.xml.erb
new file mode 100644
index 0000000..fb31aad
--- /dev/null
+++ b/templates/puppetdb/logback.xml.erb
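Review bot: `ssl-host = 0.0.0.0` in jetty.ini.erb is hard-coded while both ports are template variables, so the HTTPS listener binds every interface on any host that receives this file. A parameter for the bind address would let it be limited to the interface the Puppet server uses; the clear-text `port` stays on `localhost` only as long as `host` remains commented out, which is worth stating in the comment above it. Nothing in the config.ini or jetty.ini templates of this patch restricts which client certificates may use the API, so any certificate signed by the CA in `ssl-ca-cert` appears to be accepted; PuppetDB's `certificate-allowlist` setting in a `[puppetdb]` section is the usual way to narrow that. The key and certificate paths repeat `/etc/puppetlabs/puppetdb`, which params.pp already holds as `$pt_puppetdb_dir`.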
@@ -0,0 +1,52 @@
+
+
+
+ %d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n
+
+
+
+
+ /var/log/puppetlabs/puppetdb/puppetdb.log
+ true
+
+ /var/log/puppetlabs/puppetdb/puppetdb-%d{yyyy-MM-dd}.%i.log.gz
+
+ 200MB
+ 90
+ 1GB
+
+
+ %d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n
+
+
+
+
+
+
+
+ /var/log/puppetlabs/puppetdb/puppetdb-status.log
+ true
+
+
+ /var/log/puppetlabs/puppetdb/puppetdb-status-%d{yyyy-MM-dd}.%i.log.gz
+
+ 200MB
+ 90
+ 1GB
+
+
+
+ %m%n
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/templates/puppetdb/repl.ini.erb b/templates/puppetdb/repl.ini.erb
new file mode 100644
index 0000000..c6bcd40
--- /dev/null
+++ b/templates/puppetdb/repl.ini.erb
@@ -0,0 +1,13 @@
+###############################################################################
+######### File created by Puppet - manual changes will be overwritten #########
+###############################################################################
+
+[nrepl]
+# Set to true to enable the remote REPL
+enabled = <%= @pt_repl_on %>
+
+# What port the REPL should listen on
+port = <%= @pt_repl_port %>
+
+# IP address to listen on
+host = <%= @pt_repl_host %>
diff --git a/templates/puppetdb/request_logging.xml.erb b/templates/puppetdb/request_logging.xml.erb
new file mode 100644
index 0000000..10c8a47
--- /dev/null
+++ b/templates/puppetdb/request_logging.xml.erb
@@ -0,0 +1,17 @@
+
+
+ /var/log/puppetlabs/puppetdb/puppetdb-access.log
+ true
+
+ /var/log/puppetlabs/puppetdb/puppetdb-access-%d{yyyy-MM-dd}.%i.log.gz
+
+ 200MB
+ 90
+ 1GB
+
+
+ %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D %header{X-Uncompressed-Length}
+
+
+
+
diff --git a/templates/puppetdb/service.conf.erb b/templates/puppetdb/service.conf.erb
new file mode 100644
index 0000000..9f3c5cd
--- /dev/null
+++ b/templates/puppetdb/service.conf.erb
@@ -0,0 +1,51 @@
+###############################################################################
+######### File created by Puppet - manual changes will be overwritten #########
+###############################################################################
+#
+# Local settings can be configured without being overwritten by package upgrades, for example
+# if you want to increase puppetdb open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, so create a file named
+# "/etc/systemd/system/puppetdb.service.d/limits.conf" containing:
+# [Service]
+# LimitNOFILE=10000
+# You can confirm it worked by running systemctl daemon-reload
+# then running systemctl show puppetdb | grep LimitNOFILE
+#
+[Unit]
+Description=puppetdb Service
+After=syslog.target network.target nss-lookup.target
+
+[Service]
+Type=forking
+EnvironmentFile=/etc/sysconfig/puppetdb
+User=puppetdb
+TimeoutStartSec=14400
+TimeoutStopSec=60
+Restart=on-failure
+StartLimitBurst=5
+PIDFile=/run/puppetlabs/puppetdb/puppetdb.pid
+
+# https://tickets.puppetlabs.com/browse/EZ-129
+# Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'
+# was implemented. This is low enough to cause problems for certain applications. In systemd 231, the
+# default was changed to be 15% of the default kernel limit. This explicitly sets TasksMax to 4915,
+# which should match the default in systemd 231 and later.
+# See https://github.com/systemd/systemd/issues/3211#issuecomment-233676333
+TasksMax=4915
+
+#set default privileges to -rw-r-----
+UMask=027
+
+
+ExecReload=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb reload
+ExecStart=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb start
+ExecStop=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb stop
+
+KillMode=process
+
+SuccessExitStatus=143
+
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
From 29fbfa2f8c230d6a7c0386c3c67475cfb7c682f5 Mon Sep 17 00:00:00 2001
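Review bot: service.conf.erb replaces the packaged unit, since `$pt_service_conf_file` in params.pp is `/usr/lib/systemd/system/puppetdb.service`, although the template's own header recommends a drop-in under `/etc/systemd/system/puppetdb.service.d/` for local settings. Managing the vendor path means a package upgrade and the next agent run overwrite each other, and changes the vendor makes to the unit are silently reverted. The template has no ERB tags, so a drop-in carrying only the local overrides would be smaller and would survive upgrades. If the full unit stays under management, sandboxing directives such as `NoNewPrivileges=true` and `PrivateTmp=true` could be added to `[Service]` after testing them with the service, and it is worth confirming that the Puppet version in use reloads systemd when the unit file changes.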
From: Jenkins Server Date: Sat, 1 Nov 2025 17:35:47 +0100 Subject: [PATCH 2/2] Recommit for updates in build 104 --- doc/_index.html | 10 ++ doc/puppet_class_list.html | 14 +++ doc/puppet_classes/puppet_cd_3A_3Aparams.html | 58 +++++++-- .../puppet_cd_3A_3Apuppetdb_3A_3Adirs.html | 84 ++----------- .../puppet_cd_3A_3Apuppetdb_3A_3Afiles.html | 110 +++++++++++------- .../puppet_cd_3A_3Aserver_3A_3Aservice.html | 4 +- 6 files changed, 159 insertions(+), 121 deletions(-) diff --git a/doc/_index.html b/doc/_index.html index 6b8c1d8..000fb3b 100644 --- a/doc/_index.html +++ b/doc/_index.html @@ -103,6 +103,16 @@ +
  • + puppet_cd::puppetdb::dirs + +
  • + +
  • + puppet_cd::puppetdb::files + +
  • +
  • puppet_cd::r10k::install diff --git a/doc/puppet_class_list.html b/doc/puppet_class_list.html index 1549083..50e835a 100644 --- a/doc/puppet_class_list.html +++ b/doc/puppet_class_list.html @@ -85,6 +85,20 @@
  • +
  • + +
  • + + +
  • + +
  • + +
  • puppet_cd::r10k::install diff --git a/doc/puppet_classes/puppet_cd_3A_3Aparams.html b/doc/puppet_classes/puppet_cd_3A_3Aparams.html index f0bae5f..a853cb2 100644 --- a/doc/puppet_classes/puppet_cd_3A_3Aparams.html +++ b/doc/puppet_classes/puppet_cd_3A_3Aparams.html @@ -77,6 +77,10 @@ puppet_cd::r10k::install
    + puppet_cd::puppetdb::dirs
    + + puppet_cd::puppetdb::files
    + puppet_cd::server::service
    puppet_cd::firewall::iptables
    @@ -1231,7 +1235,27 @@ 181 182 183 -184 +184 +185 +186 +187 +188 +189 +190 +191 +192 +193 +194 +195 +196 +197 +198 +199 +200 +201 +202 +203 +204
    # File 'manifests/params.pp', line 64
    @@ -1307,10 +1331,10 @@ class puppet_cd::params (
     
     ) {
     # facts
    -  $fqdn                   = $facts['networking']['fqdn']
    -  $domain                 = $facts['networking']['domain']
    -  $os_name                = $facts['os']['name']
    -  $os_release             = $facts['os']['release']['major']
    +  $fqdn                             = $facts['networking']['fqdn']
    +  $domain                           = $facts['networking']['domain']
    +  $os_name                          = $facts['os']['name']
    +  $os_release                       = $facts['os']['release']['major']
     
     # directories
     ## puppet
    @@ -1324,10 +1348,12 @@ class puppet_cd::params (
       $pt_rundir_master                 = '/var/run/puppetlabs/puppetserver'
       $pt_vardir                        = '/opt/puppetlabs/puppet/cache'
       $pt_vardir_master                 = '/opt/puppetlabs/server/data/puppetserver'
    -
     ## r10k
       $pt_r10k_dir                      = "${pt_main_dir}/r10k"
       $pt_r10k_webhook_dir              = '/etc/r10k-webhook'
    +## puppetdb
    +  $pt_puppetdb_dir                  = '/etc/puppetlabs/puppetdb'
    +  $pt_puppetdb_conf_dir             = "${pt_puppetdb_dir}/conf.d"
     
     # files
     ## puppet
    @@ -1340,13 +1366,31 @@ class puppet_cd::params (
       $pt_routes_erb                    = 'puppet_cd/puppetdb/routes.yaml.erb'
       $pt_node_rb_file                  = "${pt_puppetdir}/node.rb"
       $pt_node_rb_erb                   = 'puppet_cd/puppetdb/node.rb.erb'
    -
     ## r10k
       $pt_r10k_file                     = "${pt_r10k_dir}/r10k.yaml"
       $pt_r10k_erb                      = 'puppet_cd/r10k/r10k.yaml.erb'
       $pt_webhook_link                  = 'ln -sf  /usr/local/share/gems/gems/r10k_gitlab_webhook-0.1.3/bin/r10k_gitlab_webhook /usr/bin/'
       $pt_webhook_service_file          = '/etc/systemd/system/r10k_gitlab_webhook.service'
       $pt_webhook_service_erb           = 'puppet_cd/r10k/r10k_webhook_service.erb'
    +## puppetdb
    +  $pt_bootstrap_conf_file   = "${pt_puppetdb_dir}/bootstrap.cfg"
    +  $pt_bootstrap_conf_erb    = 'puppet_cd/puppetdb/bootstrap.cfg.erb'
    +  $pt_logback_conf_file     = "${pt_puppetdb_dir}/logback.xml"
    +  $pt_logback_conf_erb      = 'puppet_cd/puppetdb/logback.xml.erb'
    +  $pt_logging_conf_file     = "${pt_puppetdb_dir}/request-logging.xml"
    +  $pt_logging_conf_erb      = 'puppet_cd/puppetdb/request_logging.xml.erb'
    +  $pt_auth_conf_file        = "${pt_puppetdb_conf_dir}/auth.conf"
    +  $pt_auth_conf_erb         = 'puppet_cd/puppetdb/auth.conf.erb'
    +  $pt_config_ini_file       = "${pt_puppetdb_conf_dir}/config.ini"
    +  $pt_config_ini_erb        = 'puppet_cd/puppetdb/config.ini.erb'
    +  $pt_db_ini_file           = "${pt_puppetdb_conf_dir}/database.ini"
    +  $pt_db_ini_erb            = 'puppet_cd/puppetdb/database.ini.erb'
    +  $pt_jetty_ini_file        = "${pt_puppetdb_conf_dir}/jetty.ini"
    +  $pt_jetty_ini_erb         = 'puppet_cd/puppetdb/jetty.ini.erb'
    +  $pt_repl_ini_file         = "${pt_puppetdb_conf_dir}/repl.ini"
    +  $pt_repl_ini_erb          = 'puppet_cd/puppetdb/repl.ini.erb'
    +  $pt_service_conf_file     = '/usr/lib/systemd/system/puppetdb.service'
    +  $pt_service_conf_erb      = 'puppet_cd/puppetdb/service.conf.erb'
     
     # service
       $pt_server_service                = 'puppetserver'
    diff --git a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Adirs.html b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Adirs.html
    index 8b56273..31a2ebd 100644
    --- a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Adirs.html
    +++ b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Adirs.html
    @@ -77,7 +77,7 @@
     

    Summary

    - Class manages puppetdb directories + Class manages directories for the puppetdb section

    Overview

    @@ -129,37 +129,7 @@ 31 32 33 -34 -35 -36 -37 -38 -39 -40 -41 -42 -43 -44 -45 -46 -47 -48 -49 -50 -51 -52 -53 -54 -55 -56 -57 -58 -59 -60 -61 -62 -63 -64 +34
    # File 'manifests/puppetdb/dirs.pp', line 6
    @@ -167,58 +137,28 @@
     class puppet_cd::puppetdb::dirs (
     
     ) inherits puppet_cd::params {
    -  if ($fqdn == $pt_db_fqdn) and ($pt_use_puppetdb == true) {
    +  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
         require puppet_cd::main::install
     
    -    # main directory
    -    file { $pt_puppetdb_main:
    +    file { $pt_puppetdb_dir:
           ensure   => directory,
    -      path     => $pt_puppetdb_main,
    -      owner    => $pt_db_user,
    -      group    => $pt_db_user,
    +      owner    => 'puppetdb',
    +      group    => 'puppetdb',
           mode     => '0750',
           selrange => s0,
           selrole  => object_r,
    -      seltype  => etc_t,
    +      seltype  => puppet_etc_t,
           seluser  => system_u,
         }
     
    -    # conf.d directory
    -    file { $pt_puppetdb_conf_d:
    +    file { $pt_puppetdb_conf_dir:
           ensure   => directory,
    -      path     => $pt_puppetdb_conf_d,
    -      owner    => $pt_db_user,
    -      group    => $pt_db_user,
    -      mode     => '0750',
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0755',
           selrange => s0,
           selrole  => object_r,
    -      seltype  => etc_t,
    -      seluser  => system_u,
    -    }
    -
    -    # ssl directory
    -    file { $pt_puppetdb_ssl:
    -      ensure   => directory,
    -      path     => $pt_puppetdb_ssl,
    -      owner    => $pt_db_user,
    -      group    => $pt_db_user,
    -      mode     => '0750',
    -      selrange => s0,
    -      selrole  => object_r,
    -      seltype  => etc_t,
    -      seluser  => system_u,
    -    }
    -
    -    # log dir
    -    file { $pt_puppetdb_log:
    -      ensure   => directory,
    -      path     => $pt_puppetdb_log,
    -      owner    => $pt_db_user,
    -      group    => $pt_db_user,
    -      mode     => '0700',
    -      selrange => s0,
    -      selrole  => object_r,
    -      seltype  => var_log_t,
    +      seltype  => puppet_etc_t,
           seluser  => system_u,
         }
       }
    diff --git a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
    index cbb07c9..e2cd136 100644
    --- a/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
    +++ b/doc/puppet_classes/puppet_cd_3A_3Apuppetdb_3A_3Afiles.html
    @@ -77,7 +77,7 @@
     

    Summary

    - Class manages puppetdb files + Class manages config files for the puppetdb section

    Overview

    @@ -212,7 +212,21 @@ 114 115 116 -117 +117 +118 +119 +120 +121 +122 +123 +124 +125 +126 +127 +128 +129 +130 +131
    # File 'manifests/puppetdb/files.pp', line 6
    @@ -220,13 +234,12 @@
     class puppet_cd::puppetdb::files (
     
     ) inherits puppet_cd::params {
    -  if ($fqdn == $pt_db_fqdn) and ($pt_use_puppetdb == true) {
    +  if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
         require puppet_cd::puppetdb::dirs
     
         # bootstrap.cfg
    -    file { $pt_bootstrap_conf:
    +    file { $pt_bootstrap_conf_file:
           ensure   => file,
    -      path     => $pt_bootstrap_conf,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -234,29 +247,12 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_bootstrap_erb),
    +      content  => template($pt_bootstrap_conf_erb),
           notify   => Service[$pt_db_service],
         }
    -
    -    # requestlogging.xml
    -    file { $pt_request_logging_conf:
    -      ensure   => file,
    -      path     => $pt_request_logging_conf,
    -      owner    => 'root',
    -      group    => 'root',
    -      mode     => '0644',
    -      selrange => s0,
    -      selrole  => object_r,
    -      seltype  => puppet_etc_t,
    -      seluser  => system_u,
    -      content  => template($pt_request_logging_erb),
    -      notify   => Service[$pt_db_service],
    -    }
    -
         # logback.xml
    -    file { $pt_logback_conf:
    +    file { $pt_logback_conf_file:
           ensure   => file,
    -      path     => $pt_logback_conf,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -264,14 +260,52 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_logback_erb),
    +      content  => template($pt_logback_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # request-logging.xml
    +    file { $pt_logging_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_logging_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # service config
    +    file { $pt_service_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => systemd_unit_file_t,
    +      seluser  => system_u,
    +      content  => template($pt_service_conf_erb),
    +      notify   => Service[$pt_db_service],
    +    }
    +    # conf.d files
    +    ## auth.conf
    +    file { $pt_auth_conf_file:
    +      ensure   => file,
    +      owner    => 'root',
    +      group    => 'root',
    +      mode     => '0644',
    +      selrange => s0,
    +      selrole  => object_r,
    +      seltype  => puppet_etc_t,
    +      seluser  => system_u,
    +      content  => template($pt_auth_conf_erb),
           notify   => Service[$pt_db_service],
         }
    -
         # config.ini
    -    file { $pt_puppetdb_config_ini:
    +    file { $pt_config_ini_file:
           ensure   => file,
    -      path     => $pt_puppetdb_config_ini,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -279,14 +313,12 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_puppetdb_config_erb),
    +      content  => template($pt_config_ini_erb),
           notify   => Service[$pt_db_service],
         }
    -
         # database.ini
    -    file { $pt_puppetdb_database_ini:
    +    file { $pt_db_ini_file:
           ensure   => file,
    -      path     => $pt_puppetdb_database_ini,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -294,14 +326,12 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_puppetdb_database_erb),
    +      content  => template($pt_db_ini_erb),
           notify   => Service[$pt_db_service],
         }
    -
         # jetty.ini
    -    file { $pt_puppetdb_jetty_ini :
    +    file { $pt_jetty_ini_file:
           ensure   => file,
    -      path     => $pt_puppetdb_jetty_ini ,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -309,14 +339,12 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_puppetdb_jetty_erb),
    +      content  => template($pt_jetty_ini_erb),
           notify   => Service[$pt_db_service],
         }
    -
         # repl.ini
    -    file { $pt_puppetdb_repl_ini:
    +    file { $pt_repl_ini_file:
           ensure   => file,
    -      path     => $pt_puppetdb_repl_ini,
           owner    => 'root',
           group    => 'root',
           mode     => '0644',
    @@ -324,7 +352,7 @@ class puppet_cd::puppetdb::files (
           selrole  => object_r,
           seltype  => puppet_etc_t,
           seluser  => system_u,
    -      content  => template($pt_puppetdb_repl_erb),
    +      content  => template($pt_repl_ini_erb),
           notify   => Service[$pt_db_service],
         }
       }
    diff --git a/doc/puppet_classes/puppet_cd_3A_3Aserver_3A_3Aservice.html b/doc/puppet_classes/puppet_cd_3A_3Aserver_3A_3Aservice.html
    index c1af0f2..7b90692 100644
    --- a/doc/puppet_classes/puppet_cd_3A_3Aserver_3A_3Aservice.html
    +++ b/doc/puppet_classes/puppet_cd_3A_3Aserver_3A_3Aservice.html
    @@ -147,7 +147,8 @@
     49
     50
     51
    -52
    +52 +53
    # File 'manifests/server/service.pp', line 6
    @@ -190,6 +191,7 @@ class puppet_cd::server::service (
     
       if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
         require puppet_cd::firewall::iptables
    +    require puppet_cd::puppetdb::files
     
         service { $pt_db_service:
           ensure     => running,