From 83205d7c144dd9d59b1170c703798133a5854922 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 9 Jul 2025 20:06:07 +1000
Subject: [PATCH] feat: move puppetca role

- move puppetca from vm to lxd
- remove old ca host hieradata
- ensure this new ca (and all new ca's) can revoke certificates
---
 ...in.unkin.net.yaml => ausyd1nxvm2097.main.unkin.net.yaml} | 6 ------
 site/profiles/manifests/puppet/server.pp | 3 +++
 site/profiles/templates/puppet/server/auth.conf.erb | 4 +++-
 3 files changed, 6 insertions(+), 7 deletions(-)
 rename hieradata/nodes/{ausyd1nxvm1036.main.unkin.net.yaml => ausyd1nxvm2097.main.unkin.net.yaml} (76%)

diff --git a/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2097.main.unkin.net.yaml
similarity index 76%
rename from hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml
rename to hieradata/nodes/ausyd1nxvm2097.main.unkin.net.yaml
index e496390..2666d73 100644
--- a/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm2097.main.unkin.net.yaml
@@ -13,9 +13,3 @@ profiles::ssh::sign::principals:
 profiles::puppet::puppetca::is_puppetca: true
 profiles::puppet::puppetca::allow_subject_alt_names: true
-networking::interfaces:
- eth0:
- ipaddress: 198.18.13.46
-networking::routes:
- default:
- gateway: 198.18.13.254
diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp
index 94753ab..e2afae5 100644
--- a/site/profiles/manifests/puppet/server.pp
+++ b/site/profiles/manifests/puppet/server.pp
@@ -31,6 +31,9 @@ class profiles::puppet::server (
 Integer $facts_soft_limit = 4096,
 ) {
+ # add a bool for if this host is a ca, used in the auth.conf file
+ $is_ca = hiera('profiles::puppet::puppetca::is_puppetca', false)
+
 file { '/etc/puppetlabs/puppet/puppet.conf':
 ensure => file,
 owner => 'root',
diff --git a/site/profiles/templates/puppet/server/auth.conf.erb b/site/profiles/templates/puppet/server/auth.conf.erb
index 9f36063..b34f5f7 100644
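Review bot: The new `$is_ca = hiera(...)` line accepts whatever type the hieradata key holds, and because `auth.conf.erb` tests `@is_ca` in Ruby, a stray string value such as `'false'` would be truthy and enable the CA-only allow entry on a server that is not the CA; `hiera()` is also the legacy lookup API. A typed lookup rejects a non-boolean at catalog compile time: `$is_ca = lookup('profiles::puppet::puppetca::is_puppetca', Boolean, 'first', false)`. The comment above it could also say what the flag gates, e.g. `# true only on the CA host: auth.conf then allows this host's own certname on the cert status endpoint`. The body of `profiles::puppet::server` continues outside the hunk.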
--- a/site/profiles/templates/puppet/server/auth.conf.erb
+++ b/site/profiles/templates/puppet/server/auth.conf.erb
@@ -69,7 +69,9 @@ authorization: {
 pp_cli_auth: "true"
 }
 },
- terraform
+ terraform<% if @is_ca -%>,
+ <%= scope['trusted']['certname'] %>
+ <%- end -%>
 ]
 sort-order: 500
 name: "puppetlabs cert status"
--
2.47.3
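Review bot: The added allow entry grants the server's own `trusted.certname` the `puppetlabs cert status` rule, which per the commit message is what lets this host revoke certificates, yet nothing in the template records why that identity is trusted with it; an ERB comment such as `<%# the CA host's own agent cert is allowed here so it can sign/revoke via certificate_status; gated by $is_ca in profiles::puppet::server -%>` above the `if` would keep the rationale next to the rule without changing the rendered auth.conf. Reading `scope['trusted']['certname']` inside the template also hides an input; setting `$ca_certname = $trusted['certname']` beside `$is_ca` in server.pp and using `@ca_certname` here would keep both inputs visible in the manifest. The `-%>` on the `if` line is followed by a comma, so whether the newline after it is trimmed is not obvious from the hunk; the rendered list should be checked for well-formed HOCON on both a CA host and a non-CA host. The rule's `match-request` block begins before the hunk.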