example42 · alvagante · Jan 9, 2026 · Copilot · Mar 27, 2026 · Copilot
diff --git a/Puppetfile b/Puppetfile
@@ -9,21 +9,22 @@ mod 'example42/hieradata',
   :branch => :control_branch,
   :default_branch => 'production'
 
-# Puppet 6 Core Modues
-mod 'puppetlabs/mount_core', :latest
-mod 'puppetlabs/augeas_core', :latest
-mod 'puppetlabs/zfs_core', :latest
-mod 'puppetlabs/yumrepo_core', :latest
+# Puppet 6 Core Modules
+# They are included in official puppet/openvox agent packages
+# mod 'puppetlabs/mount_core', :latest
+# mod 'puppetlabs/augeas_core', :latest
+# mod 'puppetlabs/zfs_core', :latest
+# mod 'puppetlabs/yumrepo_core', :latest
 mod 'puppetlabs/host_core', :latest
-mod 'puppetlabs/selinux_core', :latest
-mod 'puppetlabs/zone_core', :latest
-mod 'puppetlabs/cron_core', :latest
-mod 'puppetlabs/sshkeys_core', :latest
-mod 'puppetlabs/nagios_core', :latest
-mod 'puppetlabs/mailalias_core', :latest
-mod 'puppetlabs/macdslocal_core', :latest
-mod 'puppetlabs/maillist_core', :latest
-mod 'puppetlabs/k5login_core', :latest
+# mod 'puppetlabs/selinux_core', :latest
+# mod 'puppetlabs/zone_core', :latest
+# mod 'puppetlabs/cron_core', :latest
+# mod 'puppetlabs/sshkeys_core', :latest
+# mod 'puppetlabs/nagios_core', :latest
+# mod 'puppetlabs/mailalias_core', :latest
+# mod 'puppetlabs/macdslocal_core', :latest
+# mod 'puppetlabs/maillist_core', :latest
+# mod 'puppetlabs/k5login_core', :latest
 
 # Example42 modules
 # From Forge
@@ -36,12 +37,12 @@ mod 'example42/psick_profile', :latest
 mod 'puppetlabs/concat', :latest
 mod 'puppetlabs/stdlib', :latest
 mod 'puppetlabs/vcsrepo', :latest
-mod 'puppetlabs/firewall', :latest
+# mod 'puppetlabs/firewall', :latest
 mod 'puppetlabs/inifile', :latest
-mod 'jdowning/rbenv', :latest
+# mod 'jdowning/rbenv', :latest
 mod 'trlinkin/noop', :latest
 mod 'puppet/archive', :latest
-mod 'puppetlabs-dropsonde', :latest
+# mod 'puppetlabs-dropsonde', :latest
 
 
 # Optionally used by psick_profile::openvpn
@@ -51,6 +52,7 @@ mod 'puppetlabs-dropsonde', :latest
 # mod 'puppetlabs/aws', :latest
 
 # Used by psick::puppet::foss_server
+
 # mod 'puppetlabs-bolt_shim', '0.3.0'
 # mod 'puppetlabs/postgresql', :latest
 # mod 'puppetlabs/puppetdb', :latest
@@ -71,23 +73,23 @@ mod 'puppetlabs-dropsonde', :latest
 #mod 'dwerder/graphite', :latest
 
 # Docker and Containers
-mod 'puppetlabs/dummy_service', :latest
+# mod 'puppetlabs/dummy_service', :latest
 #mod 'puppetlabs/image_build', :latest
 #mod 'puppetlabs/rkt', :latest
 
 # mod 'herculesteam-augeasproviders_sysctl', '2.2.0'
 # mod 'puppetlabs/firewall', :latest
 
 # Used by psick_profile::vagrant
-mod 'unibet/vagrant', :latest
+# mod 'unibet/vagrant', :latest
 
 # Used by psick::icinga
-mod 'icinga/icinga2', :latest
+# mod 'icinga/icinga2', :latest
 
 # Used by psick_profile::sensu
-mod 'sensu/sensu', :latest
-mod 'yelp/uchiwa', :latest
-mod 'puppet/rabbitmq', :latest
+# mod 'sensu/sensu', :latest
+# mod 'yelp/uchiwa', :latest
+# mod 'puppet/rabbitmq', :latest
 # deprecated: mod 'puppet/staging', :latest
 
 # Used by Windows profiles

diff --git a/hiera_pabawi.yaml b/hiera_pabawi.yaml
@@ -0,0 +1,15 @@
+version: 5
+defaults:
+  datadir: modules/hieradata/data
+hierarchy:
+  - name: Eyaml hierarchy
+    lookup_key: eyaml_lookup_key
+    paths:
+      - "nodes/%{trusted.certname}.yaml"
+      - "role/%{fact_role}-%{fact_env}.yaml"
+      - "role/%{fact_role}.yaml"
+      - "zone/%{fact_zone}.yaml"
-      - "role/%{fact_role}-%{fact_env}.yaml"
-      - "role/%{fact_role}.yaml"
-      - "zone/%{fact_zone}.yaml"
+      - "role/%{facts.fact_role}-%{facts.fact_env}.yaml"
+      - "role/%{facts.fact_role}.yaml"
+      - "zone/%{facts.fact_zone}.yaml"
-      - "role/%{fact_role}-%{fact_env}.yaml"
-      - "role/%{fact_role}.yaml"
-      - "zone/%{fact_zone}.yaml"
+      - "role/%{facts.fact_role}-%{facts.fact_env}.yaml"
+      - "role/%{facts.fact_role}.yaml"
+      - "zone/%{facts.fact_zone}.yaml"
+      - common.yaml
+    options:
+      pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
+      pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
diff --git a/keys b/keys
diff --git a/manifests/site.pp b/manifests/site.pp
@@ -11,33 +11,52 @@
 
 ### SETTING TOP SCOPE VARIABLES USED IN HIERA.YAML
 # The following lines are used to assign to top-scope variables (used in
-# hiera.yaml) the values of eventual trusted facts.
-# More info: https://docs.puppet.com/puppet/latest/reference/ssl_attributes_extensions.html
+# hiera.yaml) the values of eventual trusted facts or relevant Hiera keys
+# if a fact for them is not already set.
 # You may need to change and adapt them according to your hiera.yaml
 # You can keep them also if you don't set extended trusted facts.
+
 if defined('$facts') and defined('$trusted') {
-  if $trusted['extensions']['pp_role'] and ! getvar('facts.role') {
-    $role = $trusted['extensions']['pp_role']
+  if ! getvar('facts.role') {
+    $role = pick_default(getvar('trusted.extensions.pp_role'), lookup('role', Optional[String], 'first', undef))
   }
-  if $trusted['extensions']['pp_environment'] and ! getvar('facts.env') {
-    $env = $trusted['extensions']['pp_environment']
+  if ! getvar('facts.env') {
+    $env = pick_default(getvar('trusted.extensions.pp_environment'), lookup('env', Optional[String], 'first', undef))
   }
-  if $trusted['extensions']['pp_datacenter'] and ! getvar('facts.datacenter') {
-    $datacenter = $trusted['extensions']['pp_datacenter']
+  if ! getvar('facts.datacenter') {
+    $datacenter =  pick_default(getvar('trusted.extensions.pp_datacenter'), lookup('datacenter', Optional[String], 'first', undef))
   }
-  if $trusted['extensions']['pp_zone'] and ! getvar('facts.zone') {
-    $zone = $trusted['extensions']['pp_zone']
+  if ! getvar('facts.zone') {
+    $zone = pick_default(getvar('trusted.extensions.pp_zone'), lookup('zone', Optional[String], 'first', undef))
   }
-  if $trusted['extensions']['pp_application'] and ! getvar('facts.application') {
-    $application = $trusted['extensions']['pp_application']
+  if ! getvar('facts.application') {
+    $application = pick_default(getvar('trusted.extensions.pp_application'), lookup('application', Optional[String], 'first', undef))
   }
   # Note: with the above settings we allow overriding of our trusted facts by normal facts.
   # This is done here to adapt to different approaches, if you use trusted facts
   # you will probably want to change the above into something like:
-  # if $trusted['extensions']['pp_role'] {
+  # if getvar('trusted.extensions.pp_role') {
   #   $role = $trusted['extensions']['pp_role']
   # }
 
+  # Creation of external facts with the values of the TopScope variables set here and used in hiera.yaml
+  # Useful for custom hiera_pabawi.yaml file to allow Hiera resolution without catalog compilation (in Pabawi or HDM)
+  psick::puppet::set_external_fact { 'fact_role':
+    value => $role,
+  }
+  psick::puppet::set_external_fact { 'fact_env':
+    value => $env,
+  }
+  psick::puppet::set_external_fact { 'fact_datacenter':
+    value => $datacenter,
+  }
+  psick::puppet::set_external_fact { 'fact_zone':
+    value => $zone,
+  }
+  psick::puppet::set_external_fact { 'fact_application':
+    value => $application,
+  }
-  psick::puppet::set_external_fact { 'fact_role':
-    value => $role,
-  }
-  psick::puppet::set_external_fact { 'fact_env':
-    value => $env,
-  }
-  psick::puppet::set_external_fact { 'fact_datacenter':
-    value => $datacenter,
-  }
-  psick::puppet::set_external_fact { 'fact_zone':
-    value => $zone,
-  }
-  psick::puppet::set_external_fact { 'fact_application':
-    value => $application,
-  }
+  # Note: the helper defined type `psick::puppet::set_external_fact` is not available in this repository,
+  # so the external fact creation resources have been disabled here to allow catalog compilation.
-  psick::puppet::set_external_fact { 'fact_role':
-    value => $role,
-  }
-  psick::puppet::set_external_fact { 'fact_env':
-    value => $env,
-  }
-  psick::puppet::set_external_fact { 'fact_datacenter':
-    value => $datacenter,
-  }
-  psick::puppet::set_external_fact { 'fact_zone':
-    value => $zone,
-  }
-  psick::puppet::set_external_fact { 'fact_application':
-    value => $application,
-  }
+  # Note: the helper defined type `psick::puppet::set_external_fact` is not available in this repository,
+  # so the external fact creation resources have been disabled here to allow catalog compilation.
+
 
   ### RESOURCE DEFAULTS
   # Some resource defaults for Files, Execs and Tiny Puppet
@@ -77,6 +96,7 @@
   ### ADDITIONS FOR RUNS INSIDE DOCKER IMAGES AND NOOP MODE
   # Building Docker container support
   # This has a fix for service provider on docker
+  # Uncomment mod 'puppetlabs/dummy_service', :latest in Puppetfile to make it working
   if $virtual == 'docker' {
     include ::dummy_service
   }
@@ -89,5 +109,5 @@
   }
 
   # We just do everything in psick module
-  include '::psick'
+  include 'psick'
 }
diff --git a/run_onceover.sh b/run_onceover.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+podman run --rm -v $(pwd):/repo --userns=keep-id puppet/puppet-dev-tools:4.x onceover "$@"
-podman run --rm -v $(pwd):/repo --userns=keep-id puppet/puppet-dev-tools:4.x onceover "$@"
+set -euo pipefail
+podman run --rm -v "$(pwd)":/repo --userns=keep-id puppet/puppet-dev-tools:4.x onceover "$@"
-podman run --rm -v $(pwd):/repo --userns=keep-id puppet/puppet-dev-tools:4.x onceover "$@"
+set -euo pipefail
+podman run --rm -v "$(pwd)":/repo --userns=keep-id puppet/puppet-dev-tools:4.x onceover "$@"