/!\ Note: make sure to read the coding style guidelines before committing to the Puppet repository. Running puppet-lint on the manifest files you modified is also suggested

Puppet

As per Wikipedia: Puppet is a tool for managing the configuration of Unix-like systems, declaratively. The developer provides puppet templates for describing parts of the system, and, when these templates are deployed, the runtime puts the managed systems into the declared state.

Puppet consists of a custom declarative language to describe system configuration, distributed using the client-server paradigm (using XML-RPC protocol), and a library to realize the configuration. The resource abstraction layer enables administrators to describe the configuration in high-level terms, such as users, services and packages.

How it works

The Puppet repository currently lives on GitLab at https://gitlab.gnome.org/Infrastructure/puppet.

To change the configuration:

git clone git@gitlab.gnome.org:Infrastructure/puppet.git
vim $some_file
git commit -a
git push

If the configuration changes aren't applied, use the following command on the target machine to see debug output:

puppet agent -t

Goal

All hosts should be configured using puppet. This ensures all configuration changes are logged and benefit from version control, and it also eases disaster recovery.

Login access to the Puppet Master server

The puppet masters currently don't have a public IP.

  1. puppetmaster01.gnome.org (Puppet 3.X series)
  2. puppetmaster02.gnome.org (Puppet 3.X series)

Make sure you read Bastion before connecting.

Adding passwords or secret keys on Puppet

Note: DO NOT include plain text passwords on the Puppet repository, use this procedure instead!

Hiera-Eyaml-GPG has been configured for safely looking up passwords (but generally node-specific configurations and values too!) from a GPG-Encrypted Eyaml file.

The file is located under /etc/puppet/hieradata/secrets.eyaml on vpn.puppetmaster01.gnome.org. Modify it with the eyaml command, which by default picks up puppet-back's private keys for decrypting and encrypting the file. Using your own GPG key is fine as well: first add the needed recipient under /etc/puppet/hieradata/hiera-eyaml-gpg.recipients, and make sure your key is ultimately trusted by the default key, or you will need eyaml's --gpg-always-trust flag.

Editing the file:

sudo -u puppet eyaml edit /etc/puppet/hieradata/secrets.eyaml

Your preferred editor opens with the file decrypted so you can add new values. Once you close the editor, eyaml automatically encrypts the file again.

Referencing a Hiera lookup on a Puppet manifest:

$variable_name = hiera('class_name::variable_name')

And then on a template file:

<%= @variable_name %>
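The following is an added example, not a manifest from the GNOME Infrastructure repository, showing how the two pieces above fit together: a secret stored in secrets.eyaml is looked up with hiera() and rendered into a config file through a template, while the file resource is set up so the secret never shows up in agent output or reports. The class name example_service, the key name example_service::db_password, the file paths and the template are all assumed for illustration.

```puppet
# Added example (not part of the GNOME puppet repository).
#
# Assumed entry in /etc/puppet/hieradata/secrets.eyaml, as written by
# `eyaml edit` (the ciphertext below is a placeholder; eyaml produces the
# real ENC[GPG,...] block when the file is saved):
#
#   example_service::db_password: ENC[GPG,<ciphertext-placeholder>]
#
# Assumed template modules/example_service/templates/db.conf.erb:
#
#   [database]
#   user     = example
#   password = <%= @db_password %>
#
class example_service (
  # Puppet 3 style lookup, same call as in the snippet above; the
  # plain-text value only ever exists in memory on the master and agent.
  $db_password = hiera('example_service::db_password')
) {

  file { '/etc/example_service':
    ensure => directory,
    owner  => 'root',
    group  => 'example_service',
    mode   => '0750',
  }

  file { '/etc/example_service/db.conf':
    ensure    => file,
    owner     => 'root',
    group     => 'example_service',
    # readable by the service account only, never world-readable
    mode      => '0640',
    content   => template('example_service/db.conf.erb'),
    # do not print the rendered file (and thus the secret) in the diff that
    # `puppet agent -t` shows and that ends up in reports
    show_diff => false,
    require   => File['/etc/example_service'],
    notify    => Service['example_service'],
  }

  service { 'example_service':
    ensure => running,
    enable => true,
  }
}
```

When debugging with puppet agent -t, the show_diff => false setting is what keeps the password out of the console output and of the report sent back to the master; the restrictive mode keeps it out of reach of other local users once the file is in place.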

Infrastructure/Archive/Puppet (last edited 2022-09-16 09:53:52 by AndreaVeri)