OpenVoxProject · rwaffen · Apr 2, 2026
@@ -7,7 +7,7 @@ set -e
 # default
 TEMPLATES=/var/tmp/puppet
 
-cd "$(puppet config print confdir)"
+cd /etc/puppetlabs/puppet
 for f in auth.conf hiera.yaml puppet.conf puppetdb.conf; do
   [ -f "$TEMPLATES/$f" ] && [ ! -f "$f" ] && {
     echo "Copying template $f from $TEMPLATES"

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+chown -R puppet:puppet /etc/puppetlabs/puppet/
+chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/
+chown -R puppet:puppet /etc/puppetlabs/puppetserver/
+chown -R puppet:puppet /var/log/puppetlabs/puppetserver/
@@ -3,5 +3,5 @@
 set -e
 
 if test -n "${OPENVOXDB_SERVER_URLS}" ; then
-  sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(puppet config print confdir)/puppetdb.conf
+  sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" /etc/puppetlabs/puppet/puppetdb.conf
 fi
@@ -9,7 +9,7 @@ config_section=main
 # an existing certificate on the /etc/puppetlabs/puppet volume
 if [ -n "${DNS_ALT_NAMES}" ]; then
     certname=$(puppet config print certname)
-    if test ! -f "$(puppet config print ssldir)/certs/$certname.pem" ; then
+    if test ! -f "${SSLDIR}/certs/$certname.pem" ; then
         puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section "${config_section}"
     else
         actual=$(puppet config print dns_alt_names --section "${config_section}")

@@ -7,19 +7,9 @@ readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}")
 readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME")
 
 if [[ "$OPENVOXSERVER_GRAPHITE_EXPORTER_ENABLED" == "true" ]]; then
-  # Only check for CERTNAME if graphite exporter is enabled
-  if [[ -z "$CERTNAME" ]]; then
-    echo "ERROR: CERTNAME environment variable is not set, and is required for the graphite exporter configuration."
-    exit 1
-  fi
-
   if [[ -n "$OPENVOXSERVER_GRAPHITE_HOST" && -n "$OPENVOXSERVER_GRAPHITE_PORT" ]]; then
     echo "Enabling graphite exporter"
-    # Use multiple -e flags to perform multiple substitutions in a single pass
-    sed -e "s/GRAPHITE_HOST/$OPENVOXSERVER_GRAPHITE_HOST/" \
-        -e "s/GRAPHITE_PORT/$OPENVOXSERVER_GRAPHITE_PORT/" \
-        -e "s/server-id: localhost/server-id: $CERTNAME/" \
-        "$SCRIPT_PATH/84-metrics.conf.tmpl" > /etc/puppetlabs/puppetserver/conf.d/metrics.conf
+    sed -e "s/GRAPHITE_HOST/$OPENVOXSERVER_GRAPHITE_HOST/" -e "s/GRAPHITE_PORT/$OPENVOXSERVER_GRAPHITE_PORT/" "$SCRIPT_PATH/84-metrics.conf.tmpl" > /etc/puppetlabs/puppetserver/conf.d/metrics.conf
   else
     echo "ERROR: no OPENVOXSERVER_GRAPHITE_HOST or OPENVOXSERVER_GRAPHITE_PORT set."
     exit 99

@@ -3,10 +3,9 @@
 require 'json'
 require 'yaml'
 
-target_path = ARGV[0] || '/etc/puppetlabs/puppet/csr_attributes.yaml'
 begin
   csr_yaml = YAML.dump(JSON.load(ENV['CSR_ATTRIBUTES']))
-  File.write(target_path, csr_yaml)
+  File.write('/etc/puppetlabs/puppet/csr_attributes.yaml', csr_yaml)
 rescue => error
   puts "Error on reading JSON env. Terminating"
   puts "Malformed JSON: #{ENV['CSR_ATTRIBUTES']}"

@@ -5,9 +5,8 @@ set -e
 # determine script location
 readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}")
 readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME")
-readonly CSR_PATH=$(puppet config print csr_attributes)
 
 if [ -n "${CSR_ATTRIBUTES}" ]; then
     echo "CSR Attributes: ${CSR_ATTRIBUTES}"
-    /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH"
+    /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb"
 fi
@@ -59,8 +59,7 @@ else
       exit 99
     fi
 
-    ca_cert=$(puppet config print cacert)
-    if [[ -f "$ca_cert" ]]; then
+    if [[ -f /etc/puppetlabs/puppetserver/ca/ca_crt.pem ]]; then
       echo "CA already imported."
     else
       puppetserver ca import \
@@ -69,10 +68,9 @@ else
         --private-key $INTERMEDIATE_CA_KEY
     fi
   else
-    new_cadir=$(puppet config print cadir)
-    ssl_dir=$(puppet config print ssldir)
+    new_cadir=/etc/puppetlabs/puppetserver/ca
 
-    if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then
+    if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
         # There is no existing CA
 
         # Append user-supplied DNS Alt Names
@@ -89,11 +87,13 @@ else
 
         # See puppet.conf file for relevant settings
         puppetserver ca setup \
-            --ca-name "$ca_name" 
+            --ca-name "$ca_name" \
+            --config /etc/puppetlabs/puppet/puppet.conf
 
-    elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then
+    elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
         # Legacy CA upgrade
-        puppetserver ca migrate     
-        fi
+        puppetserver ca migrate \
+            --config /etc/puppetlabs/puppet/puppet.conf
+    fi
   fi
 fi
@@ -8,43 +8,41 @@ echo "System configuration values:"
 echo "* HOSTNAME: '${HOSTNAME}'"
 echo "* hostname -f: '$(hostname -f)'"
 
-ssl_dir=$(puppet config print ssldir)
-
 if [ -n "${CERTNAME}" ]; then
   echo "* CERTNAME: '${CERTNAME}'"
   certname=${CERTNAME}.pem
 else
   echo "* CERTNAME: unset, try to use the oldest certificate in the certs directory, because this might be the one that was used initially."
-  if [ ! -d "${ssl_dir}/certs" ]; then
+  if [ ! -d "${SSLDIR}/certs" ]; then
     certname="Not-Found"
-    echo "WARNING: No certificates directory found in ${ssl_dir}!"
+    echo "WARNING: No certificates directory found in ${SSLDIR}!"
   else
-    certname=$(cd "${ssl_dir}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
+    certname=$(cd "${SSLDIR}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
     if [ -z "${certname}" ]; then
-      echo "WARNING: No certificates found in ${ssl_dir}/certs! Please set CERTNAME!"
+      echo "WARNING: No certificates found in ${SSLDIR}/certs! Please set CERTNAME!"
     fi
   fi
 fi
 
 echo "* OPENVOXSERVER_PORT: '${OPENVOXSERVER_PORT:-8140}'"
 echo "* Certname: '${certname}'"
 echo "* DNS_ALT_NAMES: '${DNS_ALT_NAMES}'"
-echo "* SSLDIR: '${ssl_dir}'"
+echo "* SSLDIR: '${SSLDIR}'"
 
 altnames="-certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux"
 
-if [ -f "${ssl_dir}/certs/ca.pem" ]; then
+if [ -f "${SSLDIR}/certs/ca.pem" ]; then
   echo "CA Certificate:"
   # shellcheck disable=SC2086 # $altnames shouldn't be quoted
-  openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/ca.pem" $altnames
+  openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/ca.pem" $altnames
 fi
 
 if [ -n "${certname}" ]; then
-  if [ -f "${ssl_dir}/certs/${certname}" ]; then
+  if [ -f "${SSLDIR}/certs/${certname}" ]; then
     echo "Certificate ${certname}:"
     # shellcheck disable=SC2086 # $altnames shouldn't be quoted
-    openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/${certname}" $altnames
+    openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/${certname}" $altnames
   else
-    echo "WARNING: Certificate ${certname} not found in ${ssl_dir}/certs!"
+    echo "WARNING: Certificate ${certname} not found in ${SSLDIR}/certs!"
   fi
 fi