Deep Dive into confdroid_puppet: The Core Module for Your Puppet Setup
In this ongoing series on the ConfDroid Puppet modules, we’re taking a closer look at confdroid_puppet — the foundational piece that powers the entire ecosystem. If you’re building or managing a Puppet environment on modern Linux systems, this module simplifies the setup of Puppet masters, agents, and essential supporting tools. Let’s explore what it does, how it works, and why it’s a must-have for streamlined automation.
What is confdroid_puppet?
The confdroid_puppet module is designed to handle the core infrastructure for a Puppet environment. It focuses on configuring Puppet servers (masters) and agents, while integrating seamlessly with Foreman as your External Node Classifier (ENC). Built specifically for Puppet Core 8 and Rocky Linux 9 (or similar Enterprise Linux 9 derivatives like AlmaLinux or RHEL), it ensures a reliable, secure setup right out of the box.
This module doesn’t install Foreman itself — it assumes you already have it running (as covered in our earlier post on Installing Puppet with Foreman). Instead, it takes care of the Puppet side, making sure everything communicates smoothly.
Important Note: Always test this module in a lab environment first. It rewrites configurations like puppet.conf based on parameters, so it could overwrite existing manual setups. Production caution is key!
Key Features
Here’s what makes confdroid_puppet stand out:
Core Components (Always Included)
- Puppet Server (Master): If the node’s FQDN matches your defined Puppet master (via the pt_pm_fqdn parameter), it sets up the server role. This includes installing Puppet Server, rewriting puppet.conf with optimized settings, managing code environments, handling SSL certificates, and starting the puppetserver service. It also configures Foreman integration using node_terminus = exec for node classification.
- Puppet Agent: For all other nodes (including the master), it installs the agent packages, configures puppet.conf to point to the master, manages certificate signing, sets run intervals (default 1800 seconds), and handles the puppet service. Agents report facts and apply catalogs automatically.
- Firewall Rules: Automatically opens necessary ports, like TCP 8140 on the master for agent connections. You can toggle this with the manage_firewall parameter (default: true). This feature currently requires the puppetlabs/firewall module in the catalogue.
- SELinux Management: Applies proper SELinux contexts to Puppet directories and files (e.g., puppet_etc_t for /etc/puppetlabs/ and puppet_log_t for logs). Toggle with manage_selinux (default: true) to ensure security without denials.
- Directories, Files, and Services: Creates and manages required paths, files (with correct permissions), and services for a smooth operation.
Optional Add-Ons
- PuppetDB: Enable with enable_puppetdb (default: false). This sets up centralized storage for facts, catalogs, and reports on a specified node (via pt_puppetdb_fqdn). It supports PostgreSQL as a backend (requires external DB setup), enables querying and exported resources, and even handles log rotation (configurable via pt_pptdb_log_max_age).
- r10k Service: Turn on with enable_r10k (default: false). It installs r10k, configures /etc/puppetlabs/r10k/r10k.yaml, and uses a Puppetfile to pull modules from a Git control repo (set via r10k_remote). Great for managing multiple environments dynamically.
- r10k Webhook Listener: Activate with enable_webhook (default: false). This adds a listener for Git push events (e.g., from GitLab), validates signatures, and triggers r10k deploy automatically. It supports HTTP/HTTPS and ties into GitOps workflows.
These features make confdroid_puppet the backbone for all other ConfDroid modules, ensuring shared resources like firewalls and SELinux are handled consistently.
How to Use It
Via site.pp or nodes.pp
Simply include the module:
include confdroid_puppet # Note: The module uses underscores in its name to avoid issues with r10k
Through Foreman
- Add the module to your Puppet master’s module path (e.g., via r10k or Git clone). Import it into Foreman.
- Assign confdroid_puppet::params to your nodes or host groups.
- Override parameters like pt_pm_fqdn to set your master — nodes matching this become servers; others become agents.
Once deployed:
- Agents connect securely via SSL/TLS (each agent’s certificate must be signed once manually on the Puppet master, or autosign must be configured).
- Masters compile catalogs and serve them.
- Optional tools like r10k automate module updates.
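Because the module rewrites puppet.conf and autosign is an alternative to manual signing, it is worth auditing the resulting file after a lab run. The following Python check is an added example, not part of confdroid_puppet; the hostname, the ENC script path and the function names are assumptions, and the sample file is constructed.

```python
import configparser
# Constructed sample of a master's puppet.conf; hostname and ENC path are placeholders.
SAMPLE_CONF = """\
[main]
server = puppet.example.test
runinterval = 30m
[server]
node_terminus = exec
external_nodes = /etc/puppetlabs/puppet/node.rb
autosign = true
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 31536000}

def to_seconds(value):
    """Convert a Puppet duration such as '1800', '30m' or '1h' to seconds."""
    value = value.strip().lower()
    unit = UNITS.get(value[-1])
    return int(value[:-1]) * unit if unit else int(value)

def audit_puppet_conf(text, expected_master, is_master=False, interval=1800):
    """Return a list of findings for the puppet.conf content in `text`."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    def lookup(key, sections):
        # A run-mode section overrides [main]; the first section holding the key wins.
        for section in sections:
            if cp.has_option(section, key):
                return cp.get(section, key).strip()
        return None

    findings = []
    # [master] is the older name of the [server] section.
    agent_view, server_view = ("agent", "main"), ("server", "master", "main")
    master = lookup("server", agent_view)
    if master != expected_master:
        findings.append(f"server is {master!r}, expected {expected_master!r}")
    run = lookup("runinterval", agent_view)
    if run and to_seconds(run) != interval:
        findings.append(f"runinterval is {run}, expected {interval} seconds")
    if is_master:
        if (lookup("autosign", server_view) or "").lower() == "true":
            findings.append("autosign = true signs every certificate request")
        if lookup("node_terminus", server_view) != "exec":
            findings.append("node_terminus is not exec, Foreman ENC is not used")
        elif lookup("external_nodes", server_view) in (None, "", "none"):
            findings.append("node_terminus = exec but external_nodes is unset")
    return findings

if __name__ == "__main__":
    print(audit_puppet_conf(SAMPLE_CONF, "puppet.example.test", is_master=True))
```

On the constructed sample the only finding is the naive autosign setting; an autosign value that is a file path (allowlist or policy executable) is not flagged.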
Security and Troubleshooting Tips
Security is baked in:
- SSL/TLS for all communications, with Puppet CA handling certificates.
- Restricted firewall access.
- SELinux isolation to prevent unauthorized access.
Common issues and fixes:
- Agent Connections Fail: Verify port 8140 is open and manage_firewall is enabled.
- Certificate Problems: Check the CA directory (/etc/puppetlabs/puppet/ssl/ca/).
- ENC Errors: Ensure Foreman is reachable and SSL certs are valid.
- r10k Issues: Confirm Git access and credentials.
- SELinux Denials: Run restorecon -R /etc/puppetlabs.
- Logs: Master in /var/log/puppetlabs/puppetserver/, Agent in /var/log/puppetlabs/puppet/, etc.
Why Choose confdroid_puppet?
This module keeps things opinionated, secure, and efficient — tailored for Rocky 9 and Puppet 8, with Foreman in mind. It’s the perfect starting point for the ConfDroid Forge ecosystem, where all modules are tested, documented, and community-driven. Browse the source at https://sourcecode.confdroid.com/confdroid/confdroid_puppet, or dive into the deepwiki for more: https://deepwiki.com/grizzlycoda/puppet_collection/4.1-confdroid_puppet. Next in the series: We’ll explore another ConfDroid module and how it builds on this foundation. Got questions or ideas? Head to the feedback portal at https://feedback.confdroid.com. Let’s keep automating smarter! 🚀