module-puppetdb/manifests/server/puppetdb.pp

# PRIVATE CLASS - do not use directly
class puppetdb::server::puppetdb (
  $certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file,
  $certificate_whitelist      = $puppetdb::params::certificate_whitelist,
  $confdir                    = $puppetdb::params::confdir,
) inherits puppetdb::params {

  # Set the defaults
  Ini_setting {
    path    => "${confdir}/puppetdb.ini",
    ensure  => present,
    section => 'puppetdb',
  }

  $certificate_whitelist_setting_ensure = empty($certificate_whitelist) ? {
    true    => 'absent',
    default => 'present',
  }

  # accept connections only from puppet master
  ini_setting {'puppetdb-connections-from-master-only':
    ensure  => $certificate_whitelist_setting_ensure,
    path    => "${confdir}/puppetdb.ini",
    section => 'puppetdb',
    setting => 'certificate-whitelist',
    value   => $certificate_whitelist_file,
  }

  file { $certificate_whitelist_file:
    ensure  => $certificate_whitelist_setting_ensure,
    content => template('puppetdb/certificate-whitelist.erb'),
    mode    => '0644',
    owner   => 0,
    group   => 0,
  }
}