OpenVoxProject · MirandaStreeter · Jun 16, 2026 · Jun 17, 2026 · Jun 19, 2026 · Jun 19, 2026
@@ -2,12 +2,14 @@
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 # During build, pristine config files get copied to this directory. If
 # they are not in the current container, use these templates as the
 # default
 TEMPLATES=/var/tmp/puppet
 
-cd "$(puppet config print confdir)"
+cd "$(config_get confdir)"
 for f in auth.conf hiera.yaml puppet.conf puppetdb.conf; do
   [ -f "$TEMPLATES/$f" ] && [ ! -f "$f" ] && {
     echo "Copying template $f from $TEMPLATES"

@@ -2,9 +2,12 @@
 
 set -e
 
-puppet config set confdir /etc/puppetlabs/puppet
-puppet config set vardir /opt/puppetlabs/puppet/cache
-puppet config set logdir /var/log/puppetlabs/puppet
-puppet config set codedir /etc/puppetlabs/code
-puppet config set rundir /var/run/puppetlabs
-puppet config set manage_internal_file_permissions false
+source /usr/local/share/openvox/config_lib.sh
+
+config_set main \
+  confdir /etc/puppetlabs/puppet \
+  vardir /opt/puppetlabs/puppet/cache \
+  logdir /var/log/puppetlabs/puppet \
+  codedir /etc/puppetlabs/code \
+  rundir /var/run/puppetlabs \
+  manage_internal_file_permissions false
@@ -2,6 +2,8 @@
 
 set -e
 
-if test -n "${OPENVOXDB_SERVER_URLS}" ; then
-  sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(puppet config print confdir)/puppetdb.conf
+source /usr/local/share/openvox/config_lib.sh
+
+if test -n "${OPENVOXDB_SERVER_URLS}"; then
+  sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(config_get confdir)/puppetdb.conf
 fi
@@ -2,10 +2,12 @@
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 if [ -n "${OPENVOXSERVER_HOSTNAME}" ]; then
-  puppet config set server "$OPENVOXSERVER_HOSTNAME"
+  config_set main server "$OPENVOXSERVER_HOSTNAME"
 fi
 
 if [ -n "${CERTNAME}" ]; then
-  puppet config set certname "$CERTNAME"
+  config_set main certname "$CERTNAME"
 fi
@@ -2,9 +2,11 @@
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 if test -n "$OPENVOXSERVER_PORT"; then
   cd /etc/puppetlabs/puppetserver/conf.d/
   hocon -f webserver.conf set webserver.ssl-port $OPENVOXSERVER_PORT
   cd /
-  puppet config set serverport $OPENVOXSERVER_PORT --section main
+  config_set main serverport $OPENVOXSERVER_PORT
 fi
@@ -2,4 +2,6 @@
 
 set -e
 
-puppet config set --section server environmentpath $ENVIRONMENTPATH
+source /usr/local/share/openvox/config_lib.sh
+
+config_set server environmentpath $ENVIRONMENTPATH
@@ -2,4 +2,6 @@
 
 set -e
 
-puppet config set --section server hiera_config $HIERACONFIG
+source /usr/local/share/openvox/config_lib.sh
+
+config_set server hiera_config $HIERACONFIG
@@ -2,8 +2,10 @@
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 # Configure puppet to use a certificate autosign script (if it exists)
 # AUTOSIGN=true|false|path_to_autosign.conf
-if test -n "${AUTOSIGN}" ; then
-  puppet config set autosign "$AUTOSIGN" --section server
+if test -n "${AUTOSIGN}"; then
+  config_set server autosign "$AUTOSIGN"
 fi
@@ -2,20 +2,22 @@
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 config_section=main
 
 # Allow setting dns_alt_names for the compilers certificate. This
 # setting will only have an effect when the container is started without
 # an existing certificate on the /etc/puppetlabs/puppet volume
 if [ -n "${DNS_ALT_NAMES}" ]; then
-    certname=$(puppet config print certname)
-    if test ! -f "$(puppet config print ssldir)/certs/$certname.pem" ; then
-        puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section "${config_section}"
-    else
-        actual=$(puppet config print dns_alt_names --section "${config_section}")
-        if test "${DNS_ALT_NAMES}" != "${actual}" ; then
-            echo "Warning: DNS_ALT_NAMES has been changed from the value in puppet.conf"
-            echo "         Remove/revoke the old certificate for this to become effective"
-        fi
+  certname=$(config_get certname)
+  if test ! -f "$(config_get ssldir)/certs/$certname.pem"; then
+    config_set "${config_section}" dns_alt_names "${DNS_ALT_NAMES}"
+  else
+    actual=$(config_get dns_alt_names)
+    if test "${DNS_ALT_NAMES}" != "${actual}"; then
+      echo "Warning: DNS_ALT_NAMES has been changed from the value in puppet.conf"
+      echo "         Remove/revoke the old certificate for this to become effective"
     fi
+  fi
 fi
@@ -2,10 +2,12 @@
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 if [ -n "$OPENVOXSERVER_ENVIRONMENT_TIMEOUT" ]; then
   echo "Settings environment_timeout to ${OPENVOXSERVER_ENVIRONMENT_TIMEOUT}"
-  puppet config set --section server environment_timeout $OPENVOXSERVER_ENVIRONMENT_TIMEOUT
+  config_set server environment_timeout $OPENVOXSERVER_ENVIRONMENT_TIMEOUT
 else
   echo "Removing environment_timeout"
-  puppet config delete --section server environment_timeout
+  config_delete server environment_timeout
 fi
@@ -1,26 +1,28 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 if [ -n "$OPENVOX_STORECONFIGS_BACKEND" ]; then
-  puppet config set storeconfigs_backend $OPENVOX_STORECONFIGS_BACKEND --section server
+  config_set server storeconfigs_backend $OPENVOX_STORECONFIGS_BACKEND
 fi
 
 if [ -n "$OPENVOX_STORECONFIGS" ]; then
-  puppet config set storeconfigs $OPENVOX_STORECONFIGS --section server
+  config_set server storeconfigs $OPENVOX_STORECONFIGS
 fi
 
 if [ -n "$OPENVOX_REPORTS" ]; then
-  puppet config set reports $OPENVOX_REPORTS --section server
+  config_set server reports $OPENVOX_REPORTS
 fi
 
 # reset defaults if USE_OPENVOXDB is false, but don't overwrite custom settings
 if [ "$USE_OPENVOXDB" = 'false' ]; then
   if [ "$OPENVOX_REPORTS" = 'puppetdb' ]; then
-    puppet config set reports log --section server
+    config_set server reports log
   fi
 
   if [ "$OPENVOX_STORECONFIGS_BACKEND" = 'puppetdb' ]; then
-    puppet config set storeconfigs false --section server
+    config_set server storeconfigs false
   fi
 fi
@@ -2,12 +2,14 @@
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 # determine script location
 readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}")
 readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME")
-readonly CSR_PATH=$(puppet config print csr_attributes)
+readonly CSR_PATH=$(config_get csr_attributes)
 
 if [ -n "${CSR_ATTRIBUTES}" ]; then
-    echo "CSR Attributes: ${CSR_ATTRIBUTES}"
-    /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH"
+  echo "CSR Attributes: ${CSR_ATTRIBUTES}"
+  /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH"
 fi
@@ -2,6 +2,8 @@
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 ca_running() {
   status=$(curl --silent --fail --insecure "https://${CA_HOSTNAME}:${CA_PORT:-8140}/status/v1/simple")
   test "$status" = "running"
@@ -10,16 +12,15 @@ ca_running() {
 if [[ "$CA_ENABLED" != "true" ]]; then
   # we are just an ordinary compiler
   echo "turning off CA"
-  cat > /etc/puppetlabs/puppetserver/services.d/ca.cfg <<EOF
+  cat >/etc/puppetlabs/puppetserver/services.d/ca.cfg <<EOF
 puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
 puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service
 EOF
 
-  ssl_cert=$(puppet config print hostcert)
-  ssl_key=$(puppet config print hostprivkey)
-  ssl_ca_cert=$(puppet config print localcacert)
-  ssl_crl_path=$(puppet config print hostcrl)
-
+  ssl_cert=$(config_get hostcert)
+  ssl_key=$(config_get hostprivkey)
+  ssl_ca_cert=$(config_get localcacert)
+  ssl_crl_path=$(config_get hostcrl)
 
   cd /etc/puppetlabs/puppetserver/conf.d/
   hocon -f webserver.conf set webserver.ssl-cert $ssl_cert
@@ -38,9 +39,7 @@ EOF
   fi
 else
   # we are the CA
-  puppet config set --section server ca_ttl "${CA_TTL}"
-  puppet config set --section server ca_server "${CA_HOSTNAME}"
-  puppet config set --section server ca_port "${CA_PORT}"
+  config_set server ca_ttl "${CA_TTL}" ca_server "${CA_HOSTNAME}" ca_port "${CA_PORT}"
   hocon -f /etc/puppetlabs/puppetserver/conf.d/ca.conf \
     set certificate-authority.allow-subject-alt-names "${CA_ALLOW_SUBJECT_ALT_NAMES}"
 
@@ -59,7 +58,7 @@ else
       exit 99
     fi
 
-    ca_cert=$(puppet config print cacert)
+    ca_cert=$(config_get cacert)
     if [[ -f "$ca_cert" ]]; then
       echo "CA already imported."
     else
@@ -69,31 +68,31 @@ else
         --private-key $INTERMEDIATE_CA_KEY
     fi
   else
-    new_cadir=$(puppet config print cadir)
-    ssl_dir=$(puppet config print ssldir)
+    new_cadir=$(config_get cadir)
+    ssl_dir=$(config_get ssldir)
 
     if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then
-        # There is no existing CA
+      # There is no existing CA
 
-        # Append user-supplied DNS Alt Names
-        if [ -n "$DNS_ALT_NAMES" ]; then
-            current="$(puppet config print --section main dns_alt_names)"
-            # shell parameter expansion to remove trailing comma if there is one
-            updated="${DNS_ALT_NAMES%,}"
-            if [ -n "$current" ]; then updated="$current","$updated"; fi
-            puppet config set --section main dns_alt_names "$updated"
-        fi
+      # Append user-supplied DNS Alt Names
+      if [ -n "$DNS_ALT_NAMES" ]; then
+        current="$(config_get dns_alt_names)"
+        # shell parameter expansion to remove trailing comma if there is one
+        updated="${DNS_ALT_NAMES%,}"
+        if [ -n "$current" ]; then updated="$current","$updated"; fi
+        config_set main dns_alt_names "$updated"
+      fi
 
-        timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
-        ca_name="Puppet CA generated on ${HOSTNAME} at $timestamp"
+      timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
+      ca_name="Puppet CA generated on ${HOSTNAME} at $timestamp"
 
-        # See puppet.conf file for relevant settings
-        puppetserver ca setup \
-            --ca-name "$ca_name"
+      # See puppet.conf file for relevant settings
+      puppetserver ca setup \
+        --ca-name "$ca_name"
 
     elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then
-        # Legacy CA upgrade
-        puppetserver ca migrate
-        fi
+      # Legacy CA upgrade
+      puppetserver ca migrate
+    fi
   fi
 fi
@@ -1,14 +1,16 @@
-#! /bin/sh
+#!/bin/bash
 
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 ### Print configuration for troubleshooting
 echo "System configuration values:"
 # shellcheck disable=SC2039 # Docker injects $HOSTNAME
 echo "* HOSTNAME: '${HOSTNAME}'"
 echo "* hostname -f: '$(hostname -f)'"
 
-ssl_dir=$(puppet config print ssldir)
+ssl_dir=$(config_get ssldir)
 
 if [ -n "${CERTNAME}" ]; then
   echo "* CERTNAME: '${CERTNAME}'"

@@ -3,19 +3,21 @@
 set -x
 set -e
 
+source /usr/local/share/openvox/config_lib.sh
+
 timeout=10
 
 if [ "$#" -gt 0 ]; then
   timeout=$1
 fi
 
 curl --fail \
-    --no-progress-meter \
-    --max-time ${timeout} \
-    --resolve "${HOSTNAME}:${OPENVOXSERVER_PORT:-8140}:127.0.0.1" \
-    --cert     $(puppet config print hostcert) \
-    --key      $(puppet config print hostprivkey) \
-    --cacert   $(puppet config print localcacert) \
-    "https://${HOSTNAME}:${OPENVOXSERVER_PORT:-8140}/status/v1/simple" \
-    |  grep -q '^running$' \
-    || exit 1
+  --no-progress-meter \
+  --max-time ${timeout} \
+  --resolve "${HOSTNAME}:${OPENVOXSERVER_PORT:-8140}:127.0.0.1" \
+  --cert $(config_get hostcert) \
+  --key $(config_get hostprivkey) \
+  --cacert $(config_get localcacert) \
+  "https://${HOSTNAME}:${OPENVOXSERVER_PORT:-8140}/status/v1/simple" |
+  grep -q '^running$' ||
+  exit 1
@@ -0,0 +1,28 @@
+#!/opt/puppetlabs/puppet/bin/ruby
+
+# Helper script using Puppet's own INI manipulator in place of `pupppet config`.
+# See /usr/local/share/openvox/config_lib.sh for the companion script.
+
+module Puppet
+  class Settings
+  end
+end
+require 'puppet/settings/ini_file'
+
+command = ARGV.shift
+section = ARGV.shift
+
+# This bit is largely referencing openvox's lib/puppet/face/config.rb
+File.open('/etc/puppetlabs/puppet/puppet.conf', 'r+') do |file|
+  Puppet::Settings::IniFile.update(file) do |config|
+    if command == 'set'
+      ARGV.each_slice(2) do |key, value|
+        config.set(section, key, value)
+      end
+    else
+      ARGV.each do |key|
+        config.delete(section, key)
+      end
+    end
+  end
+end