From 5a2de12fb6660a3d40e7548cf6f071f9b0ce170f Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 26 Sep 2015 15:04:34 -0300
Subject: New hiera scheme for secrets storage
---
 .../node/puppet-bootstrap.example.org.yaml | 7 -------
 hiera/hiera.yaml | 22 +++++++++++++++++-----
 hiera/node/puppet-bootstrap.example.org.yaml | 7 +++++++
 3 files changed, 24 insertions(+), 12 deletions(-)
 delete mode 100644 hiera/domain/example.org/node/puppet-bootstrap.example.org.yaml
 create mode 100644 hiera/node/puppet-bootstrap.example.org.yaml
diff --git a/hiera/domain/example.org/node/puppet-bootstrap.example.org.yaml b/hiera/domain/example.org/node/puppet-bootstrap.example.org.yaml
deleted file mode 100644
index deec4fa..0000000
--- a/hiera/domain/example.org/node/puppet-bootstrap.example.org.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-#
-# MySQL
-#
-# The following password is public information and therefore
-# shall not be user on production.
-mysql::server::rootpw: '9pRfteNbSFFyrHhackme'
diff --git a/hiera/hiera.yaml b/hiera/hiera.yaml
index 96cfb87..7e541b1 100644
--- a/hiera/hiera.yaml
+++ b/hiera/hiera.yaml
@@ -10,12 +10,24 @@
 # See http://docs.vagrantup.com/v2/provisioning/puppet_apply.html
 :datadir: hiera
 :hierarchy:
- 'domain/%{::domain}/node/%{::clientcert}'
- 'domain/%{::domain}/role/%{::role}'
- 'domain/%{::domain}/location/%{::location}'
- 'domain/%{::domain}/%{::domain}'
+ #
+ # Put in the secrets folder all sensitive information that
+ # wont be spread into every system if you're using the Hydra Suite.
+ #
+ # We also recommend to leave only encrypted data in your hiera config.
+ #
+ - 'secrets/node/%{::clientcert}'
+ - 'secrets/domain/%{::domain}'
+ - 'secrets/role/%{::role}'
+ - 'secrets/location/%{::location}'
+
+ #
+ # All other stuff goes in regular YAML files.
+ #
+ - 'node/%{::clientcert}'
+ - 'domain/%{::domain}'
+ - 'role/%{::role}'
 - 'location/%{::location}'
 - 'virtual/%{::virtual}'
- - 'role/%{::role}'
 - bootstrap
 - common
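Review bot: The four new `secrets/...` levels are selected by `%{::clientcert}`, `%{::domain}`, `%{::role}` and `%{::location}`, which are top-scope variables that, unless a node classifier sets them, come from agent-reported facts; when catalogs are compiled on a master, a node that misreports them could be served a secrets file meant for another node or role. If Puppet's trusted node data is available, key at least the node level on the certificate-verified name, `- 'secrets/node/%{trusted.certname}'`, and assign role and location from the classifier rather than from facts. The added comment recommends keeping only encrypted data, but whether a decrypting backend is configured cannot be judged here because the `:backends:` part of hiera.yaml lies outside the hunk. Every `secrets/` level now also outranks `node/%{::clientcert}`, so a key set in `secrets/location/...` overrides a node-specific value of the same name; a one-line comment stating that precedence would help.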
diff --git a/hiera/node/puppet-bootstrap.example.org.yaml b/hiera/node/puppet-bootstrap.example.org.yaml
new file mode 100644
index 0000000..deec4fa
--- /dev/null
+++ b/hiera/node/puppet-bootstrap.example.org.yaml
@@ -0,0 +1,7 @@
+---
+#
+# MySQL
+#
+# The following password is public information and therefore
+# shall not be user on production.
+mysql::server::rootpw: '9pRfteNbSFFyrHhackme'
-- cgit v1.2.3