feat: move puppetca role

- move puppetca from vm to lxd
- remove old ca host hieradata
- ensure this new ca (and all new ca's) can revoke certificates

hieradata/nodes/ausyd1nxvm2097.main.unkin.net.yaml

@@ -13,9 +13,3 @@ profiles::ssh::sign::principals:
 
 profiles::puppet::puppetca::is_puppetca: true
 profiles::puppet::puppetca::allow_subject_alt_names: true
-networking::interfaces:
-  eth0:
-    ipaddress: 198.18.13.46
-networking::routes:
-  default:
-    gateway: 198.18.13.254

site/profiles/manifests/puppet/server.pp

@@ -31,6 +31,9 @@ class profiles::puppet::server (
   Integer $facts_soft_limit       = 4096,
 ) {
 
+  # add a bool for if this host is a ca, used in the auth.conf file
+  $is_ca = hiera('profiles::puppet::puppetca::is_puppetca', false)
+
   file { '/etc/puppetlabs/puppet/puppet.conf':
     ensure  => file,
     owner   => 'root',

site/profiles/templates/puppet/server/auth.conf.erb

@@ -69,7 +69,9 @@ authorization: {
                   pp_cli_auth: "true"
                 }
               },
-              terraform
+              terraform<% if @is_ca -%>,
+              <%= scope['trusted']['certname'] %>
+              <%- end -%>
             ]
             sort-order: 500
             name: "puppetlabs cert status"