DEV Community: puppet

ConfDroid Puppet Modules - java

12ww1160 — Sat, 18 Apr 2026 16:24:20 +0000

Introducing confdroid_java: A Lightweight Helper for Reliable Java Installations

We’re continuing the ConfDroid Puppet modules series with a small but essential addition: confdroid_java.

This module does exactly one thing—and does it well. It installs and configures a specified Java version so that other Puppet modules can simply rely on it being there. No more guessing, no more manual setup, and no more version conflicts when you spin up Java-based services.

Think of it as the Java counterpart to our popular confdroid_php module. Just as confdroid_php prepares a clean PHP environment for applications like WordPress or Nagios, confdroid_java sets up the exact Java runtime that tools like confdroid_jenkins (and any future Java-dependent modules) expect. It keeps everything consistent, reproducible, and ready for automation.

What confdroid_java actually does

Installs the Java binaries you specify through parameters
Places all necessary configuration files in the correct locations
Automatically applies the right SELinux contexts (and gracefully ignores them on systems where SELinux is disabled)
Stays deliberately lightweight—no unnecessary features, no external module dependencies

It is designed to be a silent foundation. You include it once, and every Java-needing module that follows can simply assume a working Java environment is already in place. Confdroid modules which rely on it like confdroid_jenkins automatically add it, as long as it is in the Puppet catalogue.

Supported platforms

Fully tested and validated on Rocky Linux 9
Expected to work on all RHEL 9-based distributions
Requires Puppet 8

How to use it

The simplest way is just to include the class:

node 'example.example.net' {
  include confdroid_java
}

Or, if you manage your nodes with Foreman, simply set the desired parameters (Java version, installation source, etc.) directly in the host or host-group configuration. No extra code required.

Important note: This module is meant for fresh systems. If Java has already been installed or configured manually on a server, applying confdroid_java could overwrite those changes. Always test in a lab environment first.

Where to get it

The full module, complete documentation, and parameter reference are available right now in the Confdroid Forge:

You’ll also find the generated documentation in the doc/ folder inside the repository.

Why this module matters

In larger Puppet environments, helper modules like confdroid_java (and its PHP sibling) are the glue that makes everything else click. They remove duplication, enforce consistency, and let the bigger application modules focus on what they do best—managing Jenkins, application servers, or any other Java workload—without reinventing the Java installation wheel every time.
If you’re already running other ConfDroid modules on Rocky 9, adding confdroid_java is a quick win that will make your Java-based services even more reliable and easier to maintain.
Happy automating!
As always, feedback and pull requests are welcome in the repository.

Did you find this post helpful? You can support me.

ConfDroid Puppet Modules - SSH

12ww1160 — Sat, 18 Apr 2026 15:33:33 +0000

Introducing confdroid_ssh: Reliable and Hardened SSH Access for Your Rocky 9 Servers

SSH is the primary way we access and manage Linux servers. When SSH stops working, everything else grinds to a halt — troubleshooting becomes painful, and automation pipelines can fail.

To solve this, I created confdroid_ssh, a new Puppet 8 module that ensures the SSH daemon (sshd) is always installed, properly configured, running, and reachable.

The module provides a hardened, consistent SSH setup across your entire infrastructure while making it easy to apply custom security policies.

Why This Module Matters

Guarantees SSH access is always available.
Applies secure defaults for ciphers, MAC algorithms, and other important settings
Manages the main sshd_config safely through drop-in files in /etc/ssh/sshd_config.d/
Handles SELinux contexts automatically (works great together with confdroid_selinux)
Optionally manages firewall rules to keep the SSH port open
Prevents configuration drift and manual overrides that often cause problems

It fits perfectly into the Confdroid collection alongside confdroid_selinux (for global SELinux enforcement) and confdroid_fail2ban (for brute-force protection on SSH).

Key Features

Installs the SSH server packages and required binaries
Manages the sshd service (ensures it is enabled and running)
Supports custom configuration snippets via the confdroid_ssh::custom::custom_config define
Automatically applies correct SELinux contexts
Optionally opens the SSH port in the firewall (iptables/nftables)
Designed for Rocky 9 (and other RHEL 9-based systems)

Example: Adding Custom Configuration

You can easily add your own secure settings without touching the main config file:

confdroid_ssh::custom::custom_config { '30-my-hardening':
  config_name    => '30-my-hardening',
  config_content => [
    'PasswordAuthentication no',
    'PermitRootLogin no',
    'MaxAuthTries 3',
  ],
}

This creates a cleanly managed file /etc/ssh/sshd_config.d/30-my-hardening.conf, overriding default settings from the main configuration file.

How It Fits in the Confdroid Ecosystem

confdroid_ssh works hand-in-hand with the rest of the collection:

confdroid_selinux ensures the global SELinux mode is set correctly
confdroid_fail2ban protects SSH against brute-force attacks All other modules benefit from reliable SSH access for management and deployment.

Important Notes

Warning: This module overwrites SSH configuration. Do not use it right on systems that have heavy manual SSH customizations. Always test first in a non-production environment, and move your manual configuration into the module via the provided define see example. It is likely best practice to use small snippets depending on various conditions only when they apply. Not every Linux system follows the same pattern depending on the applications it hosts.
The module follows the Confdroid “ENC-first” philosophy — configure everything comfortably through Foreman smart class parameters.

You can find the full module, source code, parameter reference, and documentation here: https://sourcecode.confdroid.com/confdroid/confdroid_ssh

Final Thoughts

With confdroid_ssh, you no longer have to worry about SSH breaking after updates or configuration changes. It provides a solid, hardened, and fully automated foundation for secure remote access across your Rocky 9 fleet.

Combined with confdroid_selinux and confdroid_fail2ban, it forms a strong security layer that keeps your servers accessible to you — but not to attackers.
Have you ever lost SSH access due to a misconfiguration or update? How do you currently manage SSH hardening across your servers? Share your experiences or questions in the comments — I’d love to hear them!

Did you find this post helpful? You can support me.

Security Compliance Management 3.7.0 Is Now Available

Jason St-Cyr — Wed, 15 Apr 2026 14:56:44 +0000

Security Compliance Management (SCM) 3.7.0 helps teams assess systems against recognized security benchmarks. This release supports evolving baselines and improves audit readiness, operational reliability, and overall governance by giving administrators tighter control over platform performance, user access, and API security within the Puppet Enterprise platform.

What's new in this release

Expanded benchmark coverage for evolving environments

SCM 3.7.0 updates CIS-CAT Pro Assessor benchmark coverage to support newer operating systems and standards. This helps ensure compliance reporting remains current as teams adopt new platforms.

Highlights include:

New CIS benchmarks for numerous Linux distributions and macOS.
An updated benchmark for Microsoft Windows 11 Enterprise.

More predictable performance during compliance scans

Administrators can now control JVM memory allocation for the CIS Assessor, allowing performance tuning based on environment size and available resources. This results in more reliable scans and fewer disruptions during compliance assessments.

Greater control over user access and session behavior

New centralized session management options allow administrators to better align SCM authentication behavior with corporate security and identity policies. The outcome is reduced risk from long-lived sessions and improved governance.

Improved API governance and security posture

Additional GraphQL controls help limit exposure and enforce request limits in regulated or security-sensitive environments. The smaller API attack surface provides stronger API governance.

Security fixes and dependency updates

This release addresses multiple known vulnerabilities across core dependencies, helping reduce inherited risk and support ongoing vulnerability management.

For a complete list of addressed CVEs and detailed configuration guidance, see the release notes.

Why Upgrade to SCM 3.7.0

Organizations should consider upgrading to SCM 3.7.0 to reduce compliance gaps, stabilize large-scale assessments, and strengthen security controls as environments grow more complex.

With this release, teams can:

Maintain audit readiness as new operating systems and benchmarks are adopted.
Improve scan reliability and performance in large-scale environments managed through Puppet Enterprise.
Centralize and standardize user session and API behavior across the platform.
Reduce exposure to known vulnerabilities through updated dependencies and security fixes.

Next Steps

Review the release notes for technical details and configuration information.
Upgrade to SCM 3.7.0 to take advantage of expanded coverage and new governance controls.

Generate a Puppet Module Using GitHub Copilot and VS Code

Jason St-Cyr — Mon, 13 Apr 2026 13:23:29 +0000

This tutorial shows how to use GitHub Copilot with the Puppet Model Context Protocol (MCP) server to generate, validate, and refine a Puppet module—even if you’re new to Puppet development.

What You’ll Learn

How to configure GitHub Copilot with the Puppet MCP server
How AI agents can use the Puppet Development Kit (PDK) to generate Puppet modules
How AI agents can use the PDK to validate and iterate on generated Puppet code

The Challenge: Overcoming the Puppet Module Learning Curve

When you start automating infrastructure with Puppet, you might face an initial learning curve. You will begin to learn Puppet syntax, best practices around module structure and Puppet Domain-Specific Language (DSL), and even what tools are available to you.

To help DevOps practitioners get started, Puppet first released an MCP server to accelerate development when using the new Puppet EdgeOps module for working with network devices. Starting with Puppet Enterprise Advanced 2025.7, tools are available to provide even more guidance and information for working with agents on Puppet code in control repos, tasks, and modules. Traditional module development demanded deep domain expertise that teams often lack, but using modern AI-assisted development flows can help you bridge the knowledge gap.

Puppet's MCP server can be used with your favorite Integrated Development Environment (IDE) and code assist agent so that you can describe your requirements in natural language and work with your agent to get validated Puppet code and architecture. This tutorial demonstrates the use of Visual Studio (VS) Code and GitHub Copilot to generate a Puppet module with minimal Puppet expertise, helping you get started faster!

⚠️ Important: AI tools make mistakes, just like people. For this reason, your process should always involve review and testing as part of the end-to-end process. Use these tools to augment yourself and the team, but make those tools earn your trust.

Time to get started!

Tech Stack Overview: VS Code, GitHub Copilot, and Puppet MCP

For this tutorial, the Puppet development workflow will combine three key technologies:

Visual Studio Code: Serves as the IDE where all coding (and code generation) happens.
GitHub Copilot: Acts as the AI coding assistant that provides intelligent code suggestions and executes autonomous tasks.
Puppet MCP server: Exposes Puppet-specific intelligence through MCP, enabling GitHub Copilot to better generate Puppet solutions.

The MCP server provides several tools to provide Puppet language guides, information about Puppet environment entities, Puppet documentation, and networking info. This integration eliminates context switching between documentation, terminal windows, and code editors and provides the information required by AI agents to support smooth transitions from one step to the next.

Authentication to the Puppet MCP server happens via Puppet Enterprise (PE) API keys with secure token storage in VS Code. The MCP architecture follows a client-server model where VS Code instantiates client connections to the Puppet MCP server running in your Puppet Enterprise environment.

Prerequisites and Required Software Installation

This brief tutorial is based on the assumption that you have met several prerequisites. Plan time to go through this checklist before starting:

Obtain your authentication credentials to download Perforce Puppet applications. The credentials are either your Forge API key or your Puppet Enterprise license ID.
Install Puppet Enterprise Advanced 2025.7+.
Enable the Infra Assistant feature on your PE server. You do not have to configure the Infra Assistant OpenAI settings, but the Infra Assistant must be turned on in order for the MCP server to accept requests from your agent.
Generate a valid Puppet Enterprise API key from the console for a user with the infrastructure_assistant:use permission. (The API key is sometimes called a token.)
Install Visual Studio Code on your development machine and complete configuration tasks:
Configure the GitHub Copilot extension in Visual Studio Code.
Configure GitHub Copilot to use MCP servers in VS Code.
Ensure that your developer machine has network access to the PE console host.
Verify that your developer machine trusts the PE console CA certificate.

Tutorial Walkthrough: From Empty Repository to Generated Module

These steps walk through how you can take a completely empty repository to a validated Puppet module by using an AI-assisted flow in Visual Studio with a code assistant. Remember to meet the previously listed prerequisites! The following steps use GitHub Copilot, but if you happen to use a different stack (like Claude Code or Cursor), the process is mostly the same.

Tip: In this tutorial, “agent chat” refers to the GitHub Copilot Agent chat window in Visual Studio Code.

Using your favorite source control tool, create a blank repository to begin working.
Clone the repository and open it in Visual Studio Code.
To support the use of Puppet tools, install GitHub Copilot instructions in your solution. Sample instructions are available on GitHub. Tip: Some models cannot easily find instructions in subfolders and search only in the root directory. Some models look only for the copilot-instructions.md file. The example provides a README.md and a copilot-instructions.md file that help lead the model toward the custom Puppet instructions file.
Add the Puppet MCP server to your mcp.json file.
Start the Puppet MCP server, either by clicking Start in your mcp.json file or through the MCP Servers – Installed list in the Extensions view.
Open an agent chat window for GitHub Copilot.
Run a prompt to generate a new module. For example: “I want to create a new Puppet module to automate the provisioning of new AWS VMs. Please follow best practices for Puppet module creation.”

Note that this is a simple prompt example. To follow context engineering best practices, you would provide much more detail to get your desired output. For tutorial purposes, the prompt is intentionally lightweight. By using a simple prompt, you can recognize the extra context and benefits provided by Puppet tools to accelerate your progress.

Installing Puppet Development Kit (PDK)

At this point, your agent should be running and attempting to solve the problem. The agent will quickly detect the need for additional information from the Puppet MCP server. In addition, the agent will determine that the Puppet Development Kit (PDK) must be used to create modules. In my model testing, the GitHub Copilot agent undertook the following tasks, which required minimal input from the user:

Processed the provided Puppet instructions and determined that the Puppet MCP server should be connected to retrieve guidelines.
Attempted to connect to the Puppet MCP server for the get_puppet_guide tool and augmented the context with information from the Puppet MCP server.
Recognized that the PDK is required and attempted to check whether PDK was installed (by running pdk --version).
If PDK was not detected, attempted to fetch the PDK installation instructions.

Tip: The agent may use different URLs to search for the PDK installation instructions. Eventually, the agent will find the correct installation instructions for the operating system.
After the agent discovered the installation instructions, the agent determined that authentication credentials are required to download the software. At this point, the user would be prompted for Forge credentials or Puppet Enterprise credentials. At the prompt, you will specify the type of credentials. For example: “Here is my license ID: abcdefghizjklmnopzrstuvwxyz1”. This sample prompt informs the agent to use a Puppet Enterprise license ID, instead of a Forge API key, as the authentication method.
Submit the prompt and the agent will begin to download and install the PDK.

The agent typically installs the PDK as part of its setup routine. In practice, the agent might run incorrect commands or fail to use elevated privileges on the first attempt. When that happens, allow the agent to iterate until the installation succeeds.

💡 Tip: This is a huge boost for new users because the agent can search for instructions and quickly iterate through installation failures, while you focus on reviewing the results.

After the agent successfully completes the PDK download and installation on your behalf, the agent continues with module generation.

Generating the Module

With the PDK installed, it’s time to create the first steps of a module that will accomplish your goals. Only minimal context is provided in the tutorial example for provisioning new AWS VMs. The models will attempt to create the functionality you require based on their training data, the context from the Puppet MCP server, and the context you provide. The better your prompting, the more accurate the output will be. For this tutorial, however, assume that you are not trying to generate the module in one step and will follow up with further prompting to refine the module. During this tutorial step, the agent will generate the basics of the module.

At this stage, GitHub Copilot typically performs the following actions without requiring additional prompts:

After completing installation, validates the installation by running pdk --version.
If successful, creates a module with a PDK command like pdk new module aws_provisioning --skip-interview.
After the PDK module creation logic completes processing, creates profile classes for AWS VM provisioning. This command might be pdk new class aws_provisioning or similar.
Creates additional supporting classes. In my testing, the agent ran these additional commands:
1. pdk new class aws_provisioning::config
2. pdk new class aws_provisioning::instance
After the basic structure of the classes is in place, begins implementing Puppet code for the classes. The actions resemble typical code generation steps, creating and editing a variety of files and patching them with new implementation logic.
When the initial code generation is completed on top of the PDK skeleton implementations, updates documentation such as the metadata.json file and the README file to match the needs of the generated code.

When documentation updates are completed, a typical agent might stop without validating further. However, by setting the context for the agent with knowledge of PDK and its capabilities as well as the best practices from the Puppet MCP server, the agent knows that validation of modules is an important next step.

Validating the Module

PDK supports validation of a module to ensure that it meets specific standards. Even with the best practices and instructions that were provided to the agent, along with its training, agents can make mistakes. With validation, you can catch some of these mistakes up front. Augmenting with tools is a key strategy for agentic workflows. Using the agent as an automation process to leverage the tools you have is a great way to take advantage of more deterministic capabilities along with the non-deterministic nature of the agentic automation.

For validation, the agent should attempt to use the PDK: pdk validate
PDK should find issues, even if they are only indentation issues in YAML files. The agent should then attempt to correct the issues with code assist using the output of the PDK validation.
When the patch edits are complete, the agent should run PDK validation again (pdk validate).

If more issues are found, the agent should circle back and try to resolve them, looping until no more issues are found, but typically the first run of validation should find all issues.

You can now continue your own testing and building out the module with a solid base that follows Puppet best practices! This workflow compresses the traditional learning curve and gets you to the interesting bits of your development much faster.

Key Benefits of Agent-Assisted Module Creation

This AI-assisted approach offers several key advantages over manual development:

Agent-led requirements detection and installation help you get started so that your system achieves a correct state.
Autonomous error detection and correction reduce debugging time significantly.
The agent's ability to reference the Puppet MCP server and official Puppet documentation helps to ensure that generated code follows best practices and coding standards.
Integration with PDK tooling provides deterministic automation and continuous quality checks throughout the development process.
Structured instruction files create a consistent and repeatable development experience across different projects and team members.

By building your AI-assisted flow on top of solid DevOps tools and practices, you’ll be equipped to avoid the typical challenges faced by generic coding models.

“DevOps is not dying. It is becoming the economic and operational foundation for AI at scale.

The data shows the same pattern across every domain: AI succeeds when delivery systems are standardized, centralized, automated, and measurable. Where those foundations are weak, AI magnifies existing gaps in coordination, governance, auditability, cost, and outcomes.”

- State of DevOps Report 2026

Challenges and Solutions in AI-Assisted Puppet Development

You might encounter a few common challenges when using AI agents for Puppet module generation:

According to a recent evaluation by Vercel, coding agents ignore available skills in 56% of cases, choosing not to invoke skills even when relevant documentation exists. The solution involves using instruction files that force context loading rather than relying on agent decisions. In the evaluation, Vercel found that directly embedding a compressed 8 KB docs index into an AGENTS.md file helped coding agents achieve 100% pass rates compared to 79% with skills combined with explicit instructions. In my own tests with GitHub Copilot, references from the README.md file to other instruction files helped the agent, with less sophisticated models, to find the correct instructions and load them.
Agents sometimes refuse to use PDK or read proper installation instructions, requiring iterative prompt refinement. The solution involves adding explicit installation commands, troubleshooting steps, and URL references to your copilot-instructions.md file. Ensure that you follow best practices for instructions files to keep them lean. Getting GitHub Copilot to consistently read instruction files requires understanding that passive context (always-loaded files) outperforms active retrieval (on-demand skills). Instruction files should be concise (fewer than 1,000 lines), structured with headings and bullet points, and use imperative rules rather than long paragraphs.
AI agents can get stuck in validation and fixing loops. For linting and validation errors that agents struggle to fix, adding error-specific guidance to instruction files helps GitHub Copilot learn from mistakes. The goal is to eliminate decision points by providing persistent context rather than making agents decide when to look up information.

Table 1: Common challenges in AI-assisted Puppet module development and recommended solutions

Challenge	Impact	Solution
Agents ignore MCP tools (56% of cases)	Skills documentation not invoked when needed	Use .github/copilot-instructions.md for passive context loading (achieves 100% pass rate versus 79% with on-demand skills).
PDK installation issues	Agents fail to use PDK or read installation instructions	Add explicit installation commands and troubleshooting steps to copilot-instructions.md.
Inconsistent reading of instruction files	Agent decisions create unpredictable behavior	Provide persistent context (always-loaded files) rather than relying on agent retrieval decisions.
Incorrect Puppet code or missing namespaces or invalid spacing	Generated configurations fail validation	Include specific vendor configuration examples in instruction files and use PDK validation for testing modules.
Validation errors agents can't fix	Repeated mistakes across generations	Document error-specific guidance in instruction files so agents learn from past failures.
File structure guidelines	Keep instruction files concise (fewer than 1,000 lines) with clear structure	Use headings, bullet points, and imperative rules instead of long paragraphs.

Should You Use Agent Skills or Instructions?

Vercel's research on AI agent instruction approaches provides compelling evidence to show why instruction files are essential for effective AI-assisted development. Their evaluation tested Next.js 16 API generation using four configurations:

No documentation: 53% pass rate
Skills with default behavior: 53% pass rate, same as no documentation
Skills with explicit trigger instructions: 79% pass rate
A compressed 8 KB docs index in AGENTS.md: 100% pass rate

The static markdown file outperformed sophisticated retrieval systems because the file eliminated decision points where agents must choose whether to invoke tools. In 56% of eval cases, skills were never invoked despite being available, producing no improvement over the baseline.

Although these findings were focused on web development frameworks like Next.js, similar issues occur with agents across language frameworks and IDEs. For Puppet development, my testing found that combining instructions, PDK tooling, and the Puppet MCP server gave agents the best chance to have the correct context information.

AI-assisted development is still evolving but is expected to become an important part of many DevOps team processes. The Model Context Protocol is establishing itself as an enterprise-wide standard enabling vendor interoperability, with companies like Figma, Notion, Linear, Atlassian, and MongoDB building MCP servers that work seamlessly together.

For infrastructure-as-code specifically, the shift toward “vibe coding” is opening up the opportunity for developers to express intentions in natural language rather than memorizing command-line syntax or the specifics of the Puppet Desired State Language (DSL). Given a solid base of DevOps tools across the lifecycle, from development to testing to operations, coding assistants are well positioned to take advantage of these tools, thus unlocking opportunities for more practitioners to achieve greater efficiency across the entire workflow.

References

Check out the following sources, some of which were referenced in the document, and some of which provide a deeper dive if this topic is of interest to you!

Sample instructions for GitHub Copilot and Puppet MCP server (github.com/jst-cyr)
Installing Puppet Enterprise (PE) (help.puppet.com)
Infra Assistant: code assist (help.puppet.com)
Infra Assistant: Enable the Infra Assistant (help.puppet.com)
Infra Assistant - code assist: Available MCP tools (help.puppet.com)
Infra Assistant - code assist: Configuring your client to use the MCP server (help.puppet.com)
Infra Assistant - code assist: Add the Puppet MCP server (help.puppet.com)
SAML authentication: Generate a token in the console (help.puppet.com)
View your license details | Puppet Enterprise (help.puppet.com)
Get the Puppet CA certificate chain in Puppet Enterprise (portal.perforce.com)
Build Tasks for Network Devices Faster with Code Assistance and Puppet Edge (puppet.com)
The State of DevOps Report 2026 (perforce.com)
AGENTS.md outperforms skills in our agent evals (vercel.com)
GitHub Copilot: Use MCP servers in VS Code (code.visualstudio.com)
GitHub Copilot in VS Code (code.visualstudio.com)
Using custom instructions to unlock the power of Copilot code review (docs.github.com)
Bridging the Gap: A Deep Dive into the Model Context Protocol (MCP) (dev.to)

Installing PDK on a Linux Workstation (Manual Edition)

Matthew Stone — Sat, 11 Apr 2026 19:05:38 +0000

Getting PDK installed and updated can be a bit...weird these days, and after running into a few bumps I thought I'd share my compiled notes that streamlined a few different pages in the Puppet help documentation. Note: this is for manual setup. At some point I'll add the super fun Puppet version of this to make it simple and automated.

Prerequisites

One of the following: a Puppet Core license, a Puppet Enterprise License, a Puppet Core development license.
a Linux workstation. In this example I'm working with Fedora 33.

Steps

1. Gather Your Credentials

First things first, let's get our credentials in order.

For Puppet Enterprise users:

The username is license-id. The password can be found via the PE console. Log into the console, click on License in the left side menus and then click Copy license id.

For Puppet Core users:

The username is forge-key. The password can be found and/or created by logging into the Puppet Forge. Click on your account at the upper right corner and select View Profile. On the left side, select API Keys. Generate an API key and copy the key. That is your password. Make a note to save this for future use as once you leave that page you'll have to create a new one if you forget it.

2. Download and Setup the Repository File

First, let's grab the repository. You can find the relevant RPM or DEB from either yum-puppetcore.puppet.com/public or apt-puppetcore.puppet.com/public. Once you've found the right one, let's download and install!

wget https://yum-puppetcore.puppet.com/public/puppet8-release-el-9.noarch.rpm

sudo rpm -ivh puppet8-release-el-8-noarch.rpm

Once you've done the above, you'll be able to edit the repo file at /etc/yum.repos.d/puppet8-release.repo. Let's take a look at the contents:

[puppet8]
name=Puppet 8 Repository el 8 - $basearch
baseurl=https://yum-puppetcore.puppet.com/puppet8/el/8/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet8-release
enabled=1
gpgcheck=1

## Add authentication here by uncommenting and filling in values

#username=<api_user>
#password=<api_key>

It's pretty straightforward here. Remove the # from username and password, then copy your username and password from above into the <api_user> and <api_key> spaces, respectively. Save and quit editing the file.

3. Update and Install

At this point we have our repo file, we have our credentials configured and we just need to update the repos and install pdk. a simple yum update followed by yum install pdk should get us there.

root@choplifter:/home/matthew# yum update
Updating and loading repositories:
 Puppet 8 Repository el 8 - x86_64            100% |  14.2 KiB/s |  14.1 KiB |  00m01s
Repositories loaded.
Nothing to do.
root@choplifter:/home/matthew# yum install pdk
Updating and loading repositories:
Repositories loaded.
Package                   Arch     Version                    Repository          Size
Installing:
 pdk                      x86_64   3.6.1.1-1.el9              puppet8        223.8 MiB

Transaction Summary:
 Installing:         1 package

Total size of inbound packages is 57 MiB. Need to download 57 MiB.
After this operation, 224 MiB extra will be used (install 224 MiB, remove 0 B).
Is this ok [y/N]: Y
[1/1] pdk-0:3.6.1.1-1.el9.x86_64              100% |  15.8 MiB/s |  57.0 MiB |  00m04s
--------------------------------------------------------------------------------------
[1/1] Total                                   100% |  15.8 MiB/s |  57.0 MiB |  00m04s
Running transaction
Importing OpenPGP key 0x9E61EF26:
 UserID     : "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>"
 Fingerprint: D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26
 From       : file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet8-release
Is this ok [y/N]: Y
The key was successfully imported.
[1/3] Verify package files                    100% |   5.0   B/s |   1.0   B |  00m00s
[2/3] Prepare transaction                     100% |   3.0   B/s |   1.0   B |  00m00s
[3/3] Installing pdk-0:3.6.1.1-1.el9.x86_64   100% |  72.0 MiB/s | 228.5 MiB |  00m03s
Complete!

root@choplifter:/home/matthew# pdk --version
3.6.1

That's all there is to it! As an added bonus, this is the same repo for Bolt and all the Puppet Core bits, so if you need the agent on your box it's as easy as another yum install.

Or dnf. Whatever.

ConfDroid Puppet Modules - Selinux

12ww1160 — Sat, 11 Apr 2026 10:04:51 +0000

Introducing confdroid_selinux: Declarative SELinux Management for Your Rocky 9 Servers

Security-Enhanced Linux (SELinux) is one of the most powerful built-in defenses on modern Linux systems. Unlike traditional permission-based security (user/group/other), SELinux adds mandatory access control (MAC) at the kernel level. It labels every process, file, directory, and network port with a security context and enforces strict policies that say exactly what each subject is allowed to do with each object — no matter what the file permissions say.

This means even if an attacker gains root or tricks a service into writing a malicious file, SELinux can still block the attack because the file simply doesn’t have the right context.
Many enterprise Linux distributions enable SELinux by default in enforcing mode on fresh installs:

Rocky Linux 9
AlmaLinux 9
Red Hat Enterprise Linux (RHEL) 9
Fedora

On these systems, SELinux is not an afterthought — it’s a core part of the security model.

How SELinux Stops Real-World Attacks

Imagine an attacker sends a phishing email with a malicious script disguised as a legitimate configuration file. The user (or a compromised service) downloads and places the file in /tmp or a web directory.

Without SELinux:

If the file has execute permissions, the attacker might be able to run it.

With SELinux (enforcing mode):

The file gets created with the wrong security context (for example, user_tmp_t instead of httpd_exec_t).
Even if the attacker somehow makes the file executable, SELinux denies execution or access because the policy doesn’t allow it.
The attack is stopped cold, and an audit log entry is generated.

SELinux turns potential disasters into harmless denied operations.

The Problem with Manual SELinux Management

While SELinux is powerful, managing it consistently across many servers is painful:

Forgetting to run restorecon after placing files
Accidentally setting the wrong mode (setenforce)
Configuration drift between hosts

That’s exactly why I built confdroid_selinux.

What confdroid_selinux Does

This new Puppet 8 module (tested on Rocky 9) gives you full declarative control over SELinux:

Installs all required SELinux tools and binaries
Manages the main configuration file /etc/sysconfig/selinux with correct permissions and SELinux contexts
Controls the global SELinux mode (enforcing or permissive) — the Puppet equivalent of setenforce
Ensures every file and directory managed by other Confdroid modules receives the proper SELinux context
Works cleanly on enforcing-mode systems

All other Confdroid modules (see the full collection overview) already include proper SELinux context handling:

and many more.

They work even better when **confdroid_selinux** is present, because the global policy and mode are managed in one place.

SELinux Management Flow with the Module

Here’s how the module turns your Puppet run into reliable SELinux enforcement:

Easy Deployment

Simple inclusion: in your site.pp or nodes.pp:

include confdroid_selinux

with Foreman (recommended):

Add the confdroid_selinux::params class to the host or host group and override parameters (mode, etc.) as smart class parameters.

Important notes:
Test in a non-production environment first.
If you are switching from disabled to enforcing mode, a reboot is required (the module does not reboot automatically to avoid surprises).

You can find the full module, source code, and parameter reference here:
→

Final Thoughts

SELinux is no longer optional on modern enterprise Linux. With confdroid_selinux, you get consistent, version-controlled, and fully automated SELinux management that works hand-in-hand with the rest of the Confdroid collection.
Your servers stay secure by default — even when things go wrong elsewhere.
Have you been running SELinux in enforcing mode across your fleet, or are you still in permissive because of management headaches? Would you like to see more advanced features (custom Booleans, custom modules, etc.) in a future version? Let me know in the comments!

Did you find this post helpful? You can support me.

Puppet Core 8.18.0 is out: macOS 15 support and key security updates

Jason St-Cyr — Thu, 09 Apr 2026 12:06:38 +0000

You can now download Puppet Core 8.18.0! This update adds support for macOS 15 and includes several important security updates to help keep your infrastructure protected.

As always, Puppet Core releases focus on stability, platform support, and staying ahead of reported vulnerabilities.

👉 Official Puppet Core 8.18 release notes

What’s new in Puppet Core 8.18.0

Support for macOS 15: Puppet Core now supports macOS 15 on both x86_64 and ARM architectures. This enables continued management of macOS systems using the same automation controls and policies you already rely on.

Security focused dependency updates

Security remains a top priority in every Puppet Core release. This release includes updates to several bundled components to address recently disclosed security vulnerabilities. By delivering these updates as part of hardened Puppet Core builds, you reduce dependency risk without tracking, validating, or rebuilding components independently.

🔐 libxml2 updated

libxml2 has been updated to version 2.15.2
Addresses the following CVEs:
- CVE-2026-0989
- CVE-2026-0990
- CVE-2026-0992
- CVE-2026-1757

🔐 zlib gem updated

zlib gem updated to version 3.0.1
Addresses:
- CVE-2026-27820

🔐 curl updated

curl updated to version 8.19.0
Addresses:
- CVE-2026-1965
- CVE-2026-3783
- CVE-2026-3784
- CVE-2026-3805

If you rely on Puppet Core in security‑sensitive or regulated environments, this release is strongly recommended.

Getting Puppet Core 8.18.0

You can upgrade to Puppet Core 8.18.0 using your existing Puppet Core repositories and standard upgrade workflows. Upgrading to Puppet Core 8.18.0 helps you take advantage of the latest platform support, reduce exposure to dependency related security risk, and rely on vendor-tested packages instead of managing updates yourself.

As always:

Test upgrades in a staging environment first
Review the full release notes for platform‑specific details
Roll out broadly once validated

📄 Puppet Core Installation Docs:

Let us know how it goes

If you’re upgrading to 8.18.0, running Puppet Core on macOS 15, or have feedback on this release, let us know in the comments. Your input helps shape future updates.

Happy puppeting!

Puppet Enterprise - Neue Releases und Upgrade Zyklen

Martin Alfke — Wed, 08 Apr 2026 13:59:44 +0000

Bisher gab es bei Puppet Enterprise 2 unterschiedliche Support Releases:

LTS - Long Term Support und
STS - Standard (oder Short) Term Support

Die LTS Releases hatten üblicherweise 2 bis 3 Jahre Support, bevor man ein Upgrade durchführen musste.
Bei STS Releases bezog sich der Support nur auf das jeweils letzte Release.

Mit Puppet Enterprise 2026 (Release ist angekündigt für August 2026) hat Perforce die Support Matrix überarbeitet.
Der neue Support Zyklus wird als Latest / Latest-1 bezeichnet.

In diesem Posting werden die wesentlichen Unterschiede dargestellt und was man in Zukunft bei der Nutzung von Puppet Enterprise berücksichtigen sollte.

Latest

Mit Latest wird das jeweils aktuelle Puppet Enterprise Major Release bezeichnet.
Aktuell ist dies das letzte Release von PE 2025.

Mit dem Release von PE 2026, wird PE 2026 das Latest Support Release.

Latest Releases haben einen vollständigen Support über einen Zeitraum von 12 Monaten.
Innerhalb dieses Zeitraumes sind neue Features und Verbesserungen, Sicherheitsupdates und Fehlerkorrekturen im Support verfügbar.

Danach gibt es in der Folge Minor Releases, die vierteljährlich zur Verfügung gestellt werden.

Latest-1

Als Latest-1 wird das jeweilige vorherige Release bezeichnet, nachdem eine neue Major Version veröffentlicht wurde.

Wenn PE 2026 released wird, wird das PE 2025 Release zu Latest-1.

Latest-1 Releases haben einen eingeschränkten Support über einen Zeitraum von 12 Monaten.
Innerhalb dieses Zeitraumes sind nur Sicherheitsupdates und Fehlerkorrekturen im Support verfügbar.

aktuelles LTS Releases

Das aktuelle LTS Release von Puppet Enterprise ist die Version 2023.8.
Mit dem Release von PE 2026 wird diese Version nicht mehr unterstützt.

Alle anderen älteren Puppet Enterprise Releases sind nicht mehr im Support enthalten.
Wenn eine ältere Puppet Enterprise Version als PE 2025 im Einsatz ist, sollte unbedingt ein Upgrade geplant und durchgeführt werden. Welche Upgrades möglich sind, ist in der Dokumentation zu Puppet Enterprise Upgrades hinterlegt.

Releases und Support Zeitraum

Stand 08.04.2026

PE Version	Support Beginn	Support Name	Support Umfang	Support Ende
2023.8.x	aktuell	LTS	Vollständiger Support	08/2026
2023.8.x	08/2026	LTS	eingeschränkter Support	02/2027
2025.x	aktuell	Latest	Vollständiger Support	08/2026
2025.x	08/2026	Latest-1	eingeschränkter Support	08/2027
2026.x	08/2026	Latest	Vollständiger Support	??/2027
2026.x	??/2027	Latest-1	eingeschränkter Support	??/2028
2027.x	??/2027	Latest	Vollständiger Support	??/2028
2027.x	??/2028	Latest-1	eingeschränkter Support	??/2029
2028.x	??/2028	Latest	Vollständiger Support	??/2029

Zusammenfassung

Perforce entwirrt und standardisiert die Support Zyklen.
Mit den jährliche Major Releases und definierten Zeiträumen für den eingeschränkten Support können Kunden innerhalb von 24 Monaten ein Update durchführen, ohne den Support zu verlieren.

Bei der Vorbereitung und Durchführung von Updates unterstützen wir unsere Kunden gern.

Building a Compliance-First Digital Entertainment Platform: Lessons from BLCTX Global's Asia Launch

BLCTX Global — Tue, 07 Apr 2026 12:23:43 +0000

Most write-ups about gaming platforms focus on the front-end — the UX, the animations, the payment flow. I want to talk about the part of the stack that doesn't get enough attention: compliance architecture.
The launch of BLCTX Global — the international brand of Singapore Pools, now expanding into Malaysia, India, Thailand, and Vietnam — is a useful case study in what it actually means to build a regulated digital platform from the ground up.

The Core Engineering Challenge
When you operate across multiple jurisdictions, "compliance" stops being a checkbox and becomes a system design problem. Each market has its own rules around:

Age verification (KYC thresholds vary)
Payment processing and AML monitoring
Data residency and user privacy
Responsible-play tooling (deposit limits, cool-off periods, self-exclusion)
Audit logging and regulatory reporting

A platform like BLCTX Global, backed by 57 years of Singapore Pools' operating discipline, has to encode all of this into a system that still feels seamless to the end user.
Architectural Principles Worth Borrowing
Whether you're building in regtech, fintech, or any high-trust domain, there are takeaways here:

Compliance as a service, not a feature. Treat KYC, AML, and responsible-use tooling as core platform services that every product surface consumes — not as bolt-ons per feature.
Per-jurisdiction configuration. Avoid hardcoding rules. Use a policy engine so a single deployment can serve multiple markets with different rule sets.
Transparency by design. Every transaction, every account action, every payout should be auditable end-to-end. If a regulator asks "what happened on April 7 at 2:13pm for user X," the answer should take seconds to produce.
User protection defaults. Default limits are stricter than the maximum allowed. Users can opt up — but they have to actively choose to. Why This Matters Beyond Gaming The principles BLCTX Global is operationalizing — institutional compliance, transparency, user protection — are exactly the principles every high-trust digital platform needs, whether you're shipping payments, healthcare, or identity infrastructure. The lesson: compliance architecture is product architecture. Treat it that way from day one and your platform earns trust as a feature, not a marketing claim.

What compliance challenges are you tackling in your own platform builds? Drop a comment — I'd love to compare notes.

ConfDroid Puppet Modules - Automatic

12ww1160 — Tue, 07 Apr 2026 10:59:02 +0000

Introducing confdroid_automatic: Hands-Off OS Updates for Your Rocky 9 Servers

Keeping operating systems patched is one of the most important — yet often neglected — parts of server maintenance. Security updates arrive regularly, and manually applying them across dozens or hundreds of machines quickly becomes a burden and a source of risk.

That’s why I’m happy to release confdroid_automatic, the latest addition to the Confdroid Puppet collection.

This module brings reliable, automated OS updates to Rocky 9 (and other RHEL 9-based) systems by managing dnf-automatic declaratively with Puppet 8. It installs the necessary packages, configures update behavior, applies correct SELinux contexts, and ensures the systemd timer runs as expected.

Why Automated Updates Matter

Security patches close vulnerabilities before attackers can exploit them. dnf-automatic already does most of the heavy lifting out of the box — it can download and apply updates on a schedule, send notifications, and even reboot when needed. The challenge is managing it consistently across your entire fleet without configuration drift.

Additionally, production systems may need a different set of policies for updates than development or staging system, i.e. only security updates, while other stages use fully updated systems.

confdroid_automatic solves that by turning dnf-automatic into a fully Puppet-controlled service.

Key Features

Installs and configures the dnf-automatic package
Manages the main configuration file (/etc/dnf/automatic.conf) with proper permissions and SELinux contexts
Controls the dnf-automatic.timer systemd service
Supports flexible parameters you can override via Foreman ENC or Hiera
Includes sensible defaults for production use while allowing fine-tuning

Main tunable parameters include:

ac_upgrade_type- 'default', 'security', 'minimal' or 'all'
ac_apply_updates — whether to actually install updates (or just download them)
ac_download_updates — enable downloading of available packages
ac_random_sleep — add a random delay (in seconds) to prevent all servers from updating at the exact same moment
ac_reboot - when to reboot after applied updates
ac_email_to - which email address to notify

Automatic Update Flow

Here’s how the module turns Puppet configuration into real-world automated patching:

The flow ensures updates are applied safely and predictably. The optional random sleep helps avoid “thundering herd” problems in larger environments.

How to Use It

Import the module via r10k (Puppetfile).

The simplest way to enable automatic updates on a node is in site.pp:

include confdroid_automatic

To apply via Foreman:

Assign confdroid_automatic::params to the host or hostgroup in Question and override parameters as required.

Important Notes

Test thoroughly in a non-production environment first. Automatic updates can cause reboots or service restarts.
If you already have a manual dnf-automatic configuration, the module will overwrite it — start clean or review the generated config carefully.
The module handles SELinux contexts automatically, so it works smoothly on enforcing-mode Rocky 9 systems.

You can find the full module, source code, and parameter reference here: https://sourcecode.confdroid.com/confdroid/confdroid_automatic

Final Thoughts

With confdroid_automatic, keeping your Rocky 9 fleet patched becomes a truly hands-off process. Combined with the rest of the Confdroid collection (including monitoring via confdroid_nagios), you get a consistent, secure, and maintainable update strategy.

Automated patching is no longer a nice-to-have — it’s a baseline security requirement. This module makes it simple, repeatable, and fully integrated into your Puppet workflow.

Have you been managing OS updates manually or with scripts? Would you like automatic reboots enabled or prefer a download-only approach? Drop your thoughts or questions in the comments — I’d love to hear how you handle patching in your environment.

Did you find this post helpful? You can support me.

Puppetlabs Modules Roundup – March 2026

Jason St-Cyr — Mon, 06 Apr 2026 14:24:03 +0000

March 2026 brought 4 Puppetlabs module releases in the Puppetlabs Forge catalog. Read along to see what changed this month!

Across the month, the clearest themes were compatibility updates across Puppet Enterprise (PE), supported platforms, and operational hardening and troubleshooting improvements.

Highlighted Updates

Compatibility updates across PE and supported platforms

March releases leaned toward version-alignment work, with updates for newer Puppet Enterprise releases, Ubuntu 24.04 benchmark coverage, and dependency ranges that allow newer supporting modules.

Added support for PE 2023.8.9 and 2025.9.0.
Added CIS Benchmark support for Ubuntu 24.04 Server Levels 1 and 2.

Operational hardening and troubleshooting improvements

Several releases focused on making "Day Two" operations safer and easier to debug through better validation, more useful logging, and targeted runtime fixes.

Added installer untar checks and deduplicated hosts in the legacy compiler group.
Moved most SCE-specific logging into the Puppet agent run log for easier debugging.

What Updates Happened to Puppetlabs Modules in March 2026?

The following is an alphabetical listing of modules which received updates in March 2026. If a module had multiple versions released, the updates are collected together, numbered with the "latest" version available.

cd4pe 3.4.0

📅 Latest release: 2026-03-04 (🌐 View on the Forge)

This release focuses on updated puppetlabs-docker and puppetlabs-hocon dependencies to allow usage of newer versions while also addressing updated module with PDK 3.6.1.

Updated puppetlabs-docker and puppetlabs-hocon dependencies to allow usage of newer versions
Updated module with PDK 3.6.1

peadm 3.36.0

📅 Latest release: 2026-03-25 (🌐 View on the Forge)

This release focuses on adding support for PE 2023.8.9 and 2025.9.0 while also addressing deduplicate hosts in legacy compiler group.

Adding support for PE 2023.8.9 and 2025.9.0 #657 (Jade2153)
(PE-43572) deduplicate hosts in legacy compiler group #658 (davidmalloncares)
(PE-42686) Add checks to installer untar command #654 (davidmalloncares)

sce_linux 2.6.0

📅 Latest release: 2026-03-17 (🌐 View on the Forge)

This release focuses on support for Ubuntu 24.04. You can use Security Compliance Enforcement (SCE) to enforce the Center for Internet Security (CIS) Benchmark for Ubuntu Linux 24.04, v1.0.0, Server Levels 1 and 2 while also addressing support for Puppet module dependencies.

Check the official release notes for sce_linux 2.6.0

sqlserver 5.1.1

📅 Latest release: 2026-03-04 (🌐 View on the Forge)

Small change this month to ensure permission the variable is set.

(MODULES-11613) Set permission variable in permission sql EPP #500 (shubhamshinde360)

Until Next Time!

That wraps up the March 2026 roundup. If any of the modules overlap with your environment, the linked Forge pages and release notes are worth a closer look.

Feedback on the series is always useful, especially if there are module families or release-note patterns that deserve more attention in future editions.

More updates coming next month when the April 2026 releases land.

Cybersecurity 2026: Identity, Autonomy, and the Collapse of Passive Control

Eldor Zufarov — Thu, 02 Apr 2026 06:03:58 +0000

Cybersecurity 2026: Identity, Autonomy, and the Collapse of Passive Control

The latest industry discussions around AI governance reinforce a reality many engineering teams are already experiencing: identity governance was designed for humans — but the majority of identities executing code today are not.

AI agents, CI/CD pipelines, service accounts, and ephemeral workloads now authenticate, act, and mutate infrastructure faster than traditional controls can observe.

We are moving from a world of User Access to a world of Machine Execution.

This shift is not philosophical. It is architectural.

1. Non‑Human Identities Operate at Machine Speed

In July 2025, a widely discussed incident described how an autonomous AI agent deleted 1,206 database records in seconds, ignoring an active code freeze. The example was highlighted in a Cloud Security Alliance industry roundup on AI and identity governance.

The lesson was not about "AI intelligence failure." The agent behaved according to its permissions.

The problem was privilege without boundary enforcement.

Autonomous systems inherit the scope we assign to them. If that scope is excessive, autonomy becomes amplification.

Traditional IAM models assume:

Human pacing
Manual review windows
Observable change cycles

Agentic systems violate all three assumptions.

Engineering Implication

Security controls must operate at the same velocity as execution. Detection after commit is too late when mutation happens in seconds.

Architectural Response: Pre‑Commit Enforcement

Instead of relying purely on runtime detection or post‑merge scanning, enforcement can shift closer to developer intent:

Intercept commits before merge
Validate secrets and tokens
Analyze infrastructure changes semantically
Block unsafe mutations deterministically

This model replaces passive observation with active boundary control.

Sentinel Core implements this pattern by operating as a real‑time enforcement layer in the development workflow, preventing unsafe commits before they enter the repository history.

2. Offboarding Is No Longer a Human Problem

In high‑pressure transitions or rapid restructuring events, disabling Slack or email access is insufficient.

Machine identities persist:

Long‑lived service tokens
CI runners with inherited permissions
Infrastructure‑as‑Code with embedded credentials
Kubernetes service accounts with cluster‑wide scope

If infrastructure state is not continuously validated against declared intent, drift accumulates silently.

Drift plus stale privilege equals latent risk.

Engineering Implication

Governance must expand beyond user access revocation into verifiable infrastructure integrity.

Architectural Response: Immutable Audit + IaC Guardrails

Embedding enforcement directly into Infrastructure as Code workflows ensures:

Terraform plans are validated before merge
Kubernetes manifests are policy‑checked pre‑deployment
Docker configurations are scanned for privilege escalation

Each blocked violation can be logged as an immutable artifact tied to:

Commit hash
Machine identity
User mapping

This creates an auditable chain of intent, not just activity.

Sentinel Core integrates this enforcement into repository workflows, generating traceable records for every rejected mutation.

3. Compliance Must Become Computable

Static documentation cannot keep pace with dynamic AI‑driven systems.

With evolving updates to ISO 27701 and SOC 2 guidance, compliance cannot rely solely on narrative evidence or spreadsheet tracking.

It must be derived from system state.

Engineering Implication

Technical findings must map deterministically to governance frameworks.

A vulnerability or misconfiguration should:

Be machine‑detectable
Map to a specific control requirement
Produce reproducible evidence
Generate tamper‑evident reporting

Architectural Response: Compliance as Code

Auditor Core transforms raw technical signals into structured audit evidence by mapping findings to:

SOC 2 Trust Services Criteria
ISO/IEC 27001:2022
CIS Controls v8

Findings are aggregated into a derived posture score and packaged into integrity‑sealed reports using SHA‑256 hashing to provide tamper‑evident verification.

This shifts compliance from documentation theater to computational integrity.

The Structural Reality

Agentic AI does not introduce new security principles.

It exposes weaknesses in our existing ones.

Identity without scope discipline becomes privilege escalation.
Automation without integrity guarantees becomes systemic risk.
Compliance without computation becomes performance art.

Organizations that adapt will not simply add more policies.

They will redefine trust boundaries around execution itself.

References

Cloud Security Alliance Industry Roundup on AI, Identity, and Governance: CSA Roundup
https://github.com/DataWizual/auditor-core-technical-overview
https://github.com/DataWizual/sentinel-core-technical-overview

DEV Community: puppet

ConfDroid Puppet Modules - java

Introducing confdroid_java: A Lightweight Helper for Reliable Java Installations

What confdroid_java actually does

Supported platforms

How to use it

Where to get it

Why this module matters

Related posts

ConfDroid Puppet Modules - SSH

Introducing confdroid_ssh: Reliable and Hardened SSH Access for Your Rocky 9 Servers

Why This Module Matters

Key Features

Example: Adding Custom Configuration

How It Fits in the Confdroid Ecosystem

Important Notes

Final Thoughts

Related posts

Security Compliance Management 3.7.0 Is Now Available

What's new in this release

Expanded benchmark coverage for evolving environments

More predictable performance during compliance scans

Greater control over user access and session behavior

Improved API governance and security posture

Security fixes and dependency updates

Why Upgrade to SCM 3.7.0

Next Steps

Generate a Puppet Module Using GitHub Copilot and VS Code

What You’ll Learn

The Challenge: Overcoming the Puppet Module Learning Curve

Tech Stack Overview: VS Code, GitHub Copilot, and Puppet MCP

Prerequisites and Required Software Installation

Tutorial Walkthrough: From Empty Repository to Generated Module

Installing Puppet Development Kit (PDK)

Generating the Module

Validating the Module

Key Benefits of Agent-Assisted Module Creation

Challenges and Solutions in AI-Assisted Puppet Development

Table 1: Common challenges in AI-assisted Puppet module development and recommended solutions

Should You Use Agent Skills or Instructions?

References

Installing PDK on a Linux Workstation (Manual Edition)

Prerequisites

Steps

1. Gather Your Credentials

For Puppet Enterprise users:

For Puppet Core users:

2. Download and Setup the Repository File

3. Update and Install

ConfDroid Puppet Modules - Selinux

Introducing confdroid_selinux: Declarative SELinux Management for Your Rocky 9 Servers

How SELinux Stops Real-World Attacks

The Problem with Manual SELinux Management

What confdroid_selinux Does

SELinux Management Flow with the Module

Easy Deployment

Final Thoughts

Related posts

Puppet Core 8.18.0 is out: macOS 15 support and key security updates

What’s new in Puppet Core 8.18.0

Security focused dependency updates

🔐 libxml2 updated

🔐 zlib gem updated

🔐 curl updated

Getting Puppet Core 8.18.0

Let us know how it goes

Puppet Enterprise - Neue Releases und Upgrade Zyklen

Latest

Latest-1

aktuelles LTS Releases

Releases und Support Zeitraum

Zusammenfassung

Building a Compliance-First Digital Entertainment Platform: Lessons from BLCTX Global's Asia Launch

ConfDroid Puppet Modules - Automatic

Introducing confdroid_automatic: Hands-Off OS Updates for Your Rocky 9 Servers

Why Automated Updates Matter

Key Features

Automatic Update Flow

How to Use It

Important Notes