ConfDroid Puppet Modules - Puppet
Source: Dev.to
Deep Dive into confdroid_puppet: The Core Module for Your Puppet Setup
In this ongoing series on the ConfDroid Puppet modules, we’re taking a closer look at confdroid_puppet — the foundational piece that powers the entire ecosystem. If you’re building or managing a Puppet environment on modern Linux systems, this module simplifies the setup of Puppet masters, agents, and essential supporting tools. Let’s explore what it does, how it works, and why it’s a must‑have for streamlined automation.
What is confdroid_puppet?
The confdroid_puppet module is designed to handle the core infrastructure for a Puppet environment. It focuses on configuring Puppet servers (masters) and agents, while integrating seamlessly with Foreman as your External Node Classifier (ENC). Built specifically for Puppet Core 8 and Rocky Linux 9 (or similar Enterprise Linux 9 derivatives like AlmaLinux or RHEL), it ensures a reliable, secure setup right out of the box.
Important Note – Always test this module in a lab environment first. It rewrites configurations like puppet.conf based on parameters, so it could overwrite existing manual setups. Production caution is key!
The module does not install Foreman itself — it assumes you already have it running (see our earlier post on Installing Puppet with Foreman). It only takes care of the Puppet side, making sure everything communicates smoothly.
Key Features
Core Components (Always Included)
| Component | What it does |
|---|---|
| Puppet Server (Master) | If the node’s FQDN matches the value of pt_pm_fqdn, the module installs Puppet Server, rewrites puppet.conf with optimized settings, manages code environments, handles SSL certificates, starts the puppetserver service, and configures Foreman integration (node_terminus = exec). |
| Puppet Agent | Installs the agent packages on all nodes (including the master), points puppet.conf to the master, manages certificate signing, sets run intervals (default 1800 s), and ensures the puppet service is running. |
| Firewall Rules | Opens required ports (e.g., TCP 8140 on the master). Controlled by manage_firewall (default true). Requires the puppetlabs/firewall module. |
| SELinux Management | Applies proper SELinux contexts (puppet_etc_t for /etc/puppetlabs/, puppet_log_t for logs, etc.). Toggle with manage_selinux (default true). |
| Directories, Files & Services | Creates and manages all necessary paths, files (with correct permissions), and services for a smooth operation. |
Optional Add‑Ons
- PuppetDB – Enable with enable_puppetdb (default false). Sets up a centralized store for facts, catalogs, and reports on the node defined by pt_puppetdb_fqdn. Supports PostgreSQL as a backend (external DB setup required) and includes log‑rotation (pt_pptdb_log_max_age).
- r10k Service – Enable with enable_r10k (default false). Installs r10k, creates /etc/puppetlabs/r10k/r10k.yaml, and uses a Puppetfile to pull modules from a Git repo (r10k_remote). Ideal for managing multiple environments dynamically.
- r10k Webhook Listener – Enable with enable_webhook (default false). Adds a listener for Git push events (e.g., from GitLab), validates signatures, and triggers r10k deploy. Supports HTTP/HTTPS and fits GitOps workflows.
These features make confdroid_puppet the backbone for all other ConfDroid modules, ensuring shared resources like firewalls and SELinux are handled consistently.
How to Use It
Via site.pp or nodes.pp
include confdroid_puppet # Note: The module uses underscores in its name to avoid issues with r10k
Through Foreman
- Add the module to your Puppet master’s module path (e.g., via r10k or a Git clone).
- Import it into Foreman.
- Assign confdroid_puppet::params to your nodes or host groups.
- Override parameters such as pt_pm_fqdn to designate your master – nodes matching this become servers; all others become agents.
Once deployed:
- Agents connect securely via SSL/TLS (you’ll need to sign them manually once at the master or configure autosign – see Puppet with Foreman Host Registration).
- Masters compile catalogs and serve them.
- Optional tools like r10k automate module updates.
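Because the module rewrites puppet.conf, a lab run is easier to judge with a check of the settings named above (agent server, run interval, node_terminus = exec on the master). The script below is an added example, not part of confdroid_puppet; the hostnames and sample files are constructed, and the [server] section name and the literal 1800 comparison are assumptions about how the module writes the file.

```shell
# Added example (not part of confdroid_puppet): audit a puppet.conf after a lab run.
# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION], if any.
conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); sect = $0; next }
        sect == want && (eq = index($0, "=")) > 0 {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# effective FILE SECTION KEY: the section value wins, [main] is the fallback
# (the precedence Puppet applies to run-mode sections).
effective() {
    v=$(conf_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(conf_get "$1" main "$3")
    printf '%s\n' "$v"
}

# audit_puppet_conf FILE ROLE MASTER_FQDN: print findings, return their count.
audit_puppet_conf() {
    bad=0
    srv=$(effective "$1" agent server)
    [ "$srv" = "$3" ] || { echo "FAIL server='$srv', expected '$3'"; bad=$((bad + 1)); }
    ri=$(effective "$1" agent runinterval)   # literal compare; assumes seconds
    [ "$ri" = 1800 ] || { echo "WARN runinterval='$ri', article default 1800"; bad=$((bad + 1)); }
    if [ "$2" = master ]; then
        nt=$(effective "$1" server node_terminus)   # assumes the [server] section
        [ "$nt" = exec ] || { echo "FAIL node_terminus='$nt', expected exec"; bad=$((bad + 1)); }
    fi
    return "$bad"
}

# write_samples DIR: constructed files; hostnames are placeholders.
write_samples() {
    printf '%s\n' '[main]' 'server = puppet.example.test' 'runinterval = 1800' \
        '[server]' 'node_terminus = exec' > "$1/master.conf"
    printf '%s\n' '[main]' 'server = puppet.example.test' '[agent]' \
        '# left over from a manual setup' 'server = old-master.example.test' \
        'runinterval = 300' > "$1/agent-drift.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_puppet_conf "$tmp/master.conf" master puppet.example.test || true
audit_puppet_conf "$tmp/agent-drift.conf" agent puppet.example.test || true
rm -rf "$tmp"
```

On a live node, puppet config print server --section agent reports the value Puppet itself resolves and is the authoritative cross-check.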
Security and Troubleshooting Tips
Built‑in Security
- SSL/TLS for all communications, with Puppet CA handling certificates.
- Restricted firewall access (managed automatically).
- SELinux isolation to prevent unauthorized access.
Common Issues & Fixes
| Symptom | Possible Cause | Fix |
|---|---|---|
| Agent connections fail | Port 8140 blocked or manage_firewall disabled | Verify the port is open on the master and enable manage_firewall. |
| Certificate problems | CA directory missing or corrupted (/etc/puppetlabs/puppet/ssl/ca/) | Re‑initialize the CA or clean up stale certificates. |
| ENC errors | Foreman unreachable or SSL certs invalid | Check Foreman URL, network connectivity, and certificate validity. |
| r10k failures | Git access/credentials incorrect | Confirm the Git remote URL, SSH keys, or HTTP credentials. |
| SELinux denials | Missing contexts on Puppet files | Run restorecon -R /etc/puppetlabs or adjust SELinux policies. |
| Log locations | Unsure where to look | Master logs: /var/log/puppetlabs/puppetserver/; Agent logs: /var/log/puppetlabs/puppet/ |
Happy automating!
Why Choose confdroid_puppet?
This module keeps things opinionated, secure, and efficient — tailored for Rocky 9 and Puppet 8, with Foreman in mind. It’s the perfect starting point for the ConfDroid Forge ecosystem, where all modules are tested, documented, and community‑driven.
- Source code:
- Deepwiki documentation:
What’s next?
We’ll explore another ConfDroid module and see how it builds on this foundation.
Got questions or ideas?
Head to the feedback portal: . Let’s keep automating smarter! 🚀