Hiera & encrypted data
Separate data from code; eyaml secrets.
Hiera is Puppet’s data-separation system: instead of hard-coding values in manifests, you look them up from a hierarchy of YAML (or JSON/eyaml) data files, ordered from most specific (this node) to most general (defaults). Puppet even does automatic parameter lookup — a class parameter is filled from Hiera by the key module::param — so manifests stay generic code and all the environment-specific values live in data.
version: 5hierarchy:- name: 'Per-node'path: 'nodes/%{trusted.certname}.yaml'- name: 'Per-OS'path: 'os/%{facts.os.family}.yaml'- name: 'Common'path: 'common.yaml'
nginx::workers: 4nginx::port: 80---# data/nodes/web1.acme.internal.yaml overrides just for that node:nginx::port: 8080
Encrypted secrets with eyaml
Secrets in Hiera use hiera-eyaml, which encrypts individual values with a public/private key pair — the ciphertext lives safely in Git, and the Puppet master decrypts at catalog-compile time with the private key. So a database password sits in your data repo as an ENC[...] blob, readable to Puppet but not to anyone browsing the repo. It is the Puppet equivalent of Ansible Vault or SOPS.
db::password: >ENC[PKCS7,MIIBiQYJKoZIhvcN...] # encrypted; safe in version control# eyaml encrypt -l 'db::password' -s 'S3cr3t!' produces this# the master decrypts with its private key at compile time