PuppetDB in Debian
==================

1. Differences from upstream PuppetDB
-------------------------------------

- To comply with the Debian Policy Manual, PuppetDB's default paths are
  different from those shipped by upstream (Puppetlabs). Rather than paths
  under /opt/puppetlabs, PuppetDB in Debian uses the following:

  * config: /etc/puppetdb
  * logdir: /var/log/puppetdb
  * vardir: /var/lib/puppetdb

- Automatic checks for newer upstream versions are disabled by default, as
  they use a call-home HTTP request to ask whether an update is available.
  If you wish to re-enable them, set "disable-update-checking = false" in
  the [puppetdb] section of the configuration.

2. Setting up TLS
-----------------

Out of the box, PuppetDB listens on localhost, port 8080, for plain HTTP
requests. The puppet terminus requires HTTPS to work, with the Puppet Server
and PuppetDB performing mutual authentication via TLS. For this to work you
will need to install a certificate issued by your Puppet CA; the easiest way
to do so is to use the PuppetDB host's own Puppet certificate. Running this
command will attempt to do this for you:

    puppetdb ssl-setup

If you prefer to make the required changes manually, follow these steps:

1. Add the 'puppetdb' user account to the 'puppet' group:

       adduser puppetdb puppet

2. Insert the necessary configuration statements in PuppetDB's [jetty]
   config section, located in '/etc/puppetdb/conf.d/jetty.ini':

       echo "ssl-host = 0.0.0.0" >> /etc/puppetdb/conf.d/jetty.ini
       echo "ssl-port = 8081" >> /etc/puppetdb/conf.d/jetty.ini
       echo "ssl-key = $(puppet config print hostprivkey)" >> /etc/puppetdb/conf.d/jetty.ini
       echo "ssl-cert = $(puppet config print hostcert)" >> /etc/puppetdb/conf.d/jetty.ini
       echo "ssl-ca-cert = $(puppet config print cacert)" >> /etc/puppetdb/conf.d/jetty.ini

3. Restart PuppetDB:

       systemctl restart puppetdb.service
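An added example, not part of this README, the Debian package or PuppetDB itself: a small POSIX shell helper that wraps step 2 above, checking that the key, certificate and CA files are readable and that the private key is not world-readable before anything is written, and appending the [jetty] stanza only once. The function names, the `0.0.0.0`/8081 defaults taken from the README, and the `puppet config print` fallbacks are assumptions of this example; the adduser and restart steps are left to the caller.

```shell
#!/bin/sh
# Added example (not from the Debian package or PuppetDB): build the [jetty]
# TLS stanza, sanity-check the referenced files, and apply the stanza once.

# jetty_tls_stanza KEY CERT CACERT [HOST] [PORT]
# Prints the five lines the README appends to jetty.ini.
jetty_tls_stanza() {
    printf 'ssl-host = %s\nssl-port = %s\nssl-key = %s\nssl-cert = %s\nssl-ca-cert = %s\n' \
        "${4:-0.0.0.0}" "${5:-8081}" "$1" "$2" "$3"
}

# check_tls_files KEY CERT CACERT
# Succeeds only if all three files are readable and the private key is not
# world-readable (the puppetdb user should reach it via the 'puppet' group).
check_tls_files() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # column 8 of 'ls -l' output is the 'others' read bit, e.g. -rw-r-----
    case "$(ls -ld "$1" | cut -c8)" in
        r) echo "private key $1 is world-readable" >&2; return 1 ;;
    esac
    return 0
}

# apply_tls_setup INI [KEY CERT CACERT]
# Appends the stanza to INI unless an ssl-host line is already present, so a
# second run does not duplicate keys. Paths default to 'puppet config print'
# (assumed to be on PATH when the defaults are used).
apply_tls_setup() {
    ini=$1
    key=${2:-$(puppet config print hostprivkey)}
    cert=${3:-$(puppet config print hostcert)}
    cacert=${4:-$(puppet config print cacert)}
    check_tls_files "$key" "$cert" "$cacert" || return 1
    if grep -q '^ssl-host' "$ini" 2>/dev/null; then
        echo "TLS already configured in $ini; nothing to do" >&2
        return 0
    fi
    jetty_tls_stanza "$key" "$cert" "$cacert" >> "$ini"
}
```

Unlike the bare `echo >>` commands, the grep guard keeps a repeated run from leaving duplicate `ssl-*` keys in jetty.ini.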