puppet-prod/site/profiles/manifests/yum/global.pp

# Class: profiles::yum::global
class profiles::yum::global (
  Hash     $repos = {},
  Boolean  $purge = true,
){
  class { 'yum':
    keep_kernel_devel => true,
    clean_old_kernels => true,
    config_options    => {
      gpgcheck   => true,
    },
  }

  # purge all yum repos not defined by puppet
  resources { 'yumrepo':
    purge => $purge,
  }

  # el9 needs to rpmdb rebuild after crypto-policies
  if $facts['os']['release']['major'] == '9' {
    exec { 'rebuild_rpmdb':
      command => '/usr/bin/rpmdb --rebuilddb && /usr/bin/touch /root/almalinux9_upgrade_rebuilddb_flag',
      unless  => '/usr/bin/test -f /root/almalinux9_upgrade_rebuilddb_flag',
      timeout => 180,
      require => Class['crypto_policies'],
    }
  }

  # download all gpg keys if a repo defines it
  $repos.each |$name, $repo| {
    if $repo['gpgkey'] {
      $key_url = $repo['gpgkey']
      $key_file = "/etc/pki/rpm-gpg/${name}-gpg-key"

      # only download the key if the repo is present
      if $repo['ensure'] == 'present' {
        exec { "download_gpg_key_${name}":
          command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
          path    => ['/bin', 'usr/bin'],
          creates => $key_file,
          before  => Yumrepo[$name],
        }
      }
    }
    # create the repo
    yumrepo { $name:
      * => $repo,
    }
  }

  # makecache if changes made to repos
  exec {'dnf_makecache':
    command     => 'dnf makecache -q',
    path        => ['/usr/bin', '/bin'],
    refreshonly => true,
  }

  # setup dnf-autoupdate
  include profiles::yum::autoupdater

  # ensure dnf makecache runs before packages
  Yumrepo <| |> -> Exec['dnf_makecache'] -> Package <| |>

}