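# @summary Profile for a PuppetDB node.
#
# Runs PuppetDB's SSL setup once, declares the `puppetdb` class with the
# plain-HTTP listener bound to every interface, and declares
# `puppetdb::master::config` without letting it create the puppetserver
# service resource.
#
# Security notes for whoever maintains this profile:
#   * The cleartext listener is reachable from the network (see
#     `listen_address` below). Restrict it with a host firewall, or move
#     clients to the HTTPS listener.
#   * The auth.conf change described under [AUTH] was made by hand and is not
#     managed by this manifest, so it is invisible to Puppet and will be
#     missing on a rebuilt node.
class profiles::puppetdb {
  # Generate PuppetDB's SSL material. `creates` turns this into a no-op once
  # the CA certificate file exists.
  # NOTE(review): no ordering is declared against Class['puppetdb'], so a
  # first run relies on the puppetdb binary already being installed - confirm.
  exec { '/opt/puppetlabs/bin/puppetdb ssl-setup':
    creates => '/etc/puppetlabs/puppetdb/ssl/ca.pem',
  }

  class { 'puppetdb':
    # Just accept insecure connections: `listen_address` is the bind address
    # of the plain-HTTP listener, and '::' exposes it on all interfaces
    # instead of the module's localhost default.
    listen_address        => '::',
    # HTTPS stays enabled. This does not switch the HTTP listener off, so
    # both are served.
    disable_ssl           => false,
    # This should in theory allow full access to the database, but it
    # doesn't seem to do that. See [AUTH].
    # NOTE(review): the allowlist is matched against TLS client certificates,
    # so it presumably has no effect on requests arriving over the cleartext
    # listener above - verify which listener the clients actually use.
    certificate_whitelist => [$::facts['fqdn'],],
  }

  # [AUTH] Instead, in /etc/puppetlabs/puppetdb/conf.d/auth.conf
  # I changed the rule
  #     match-request: /metrics
  # to allow anything:
  # -     allow: "*"
  # +     allow-unauthenticated: true
  #
  # NOTE(review): after this change the /metrics rule no longer requires a
  # client certificate at all. Anyone who can reach a PuppetDB listener can
  # read the metrics endpoint. If only specific hosts need it, an `allow:`
  # list of their certnames is the narrower rule. Because the edit lives
  # outside Puppet, a package upgrade or reinstall may silently revert it.

  # This is "required", and is recommended to be included in this way
  # (presumably to later allow setting parameters).
  class { 'puppetdb::master::config':
    # Puppetdb sets up the puppetserver resource, to be able to
    # trigger a refresh, and contains a defined(Service[$puppet_service_name])
    # check beforehand, but for some reason it just doesn't work. So
    # we just disable it explicitly, and assume that
    # profiles::puppetserver is also pulled in.
    create_puppet_service_resource => false,
  }
}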