migrate to puppetserver and Puppet 6 before EOL
our current puppetmaster configuration ("apache + passenger") is deprecated and will be removed in Puppet 6. we need to switch to the alternative, which is "puppetserver", a daemon written in Clojure especially for that purpose.
the tool is not yet in Debian, so this can wait until then. otherwise we could also use the upstream puppet debian repositories.
our "old" passenger configuration lead to at least one security issue (legacy/trac#33587 (moved)) which was due to how complex that configuration is.
puppet 5, as a whole, is EOL in november 2020, so we should consider an upgrade path to Puppet 6 by then. the packaging work is happening in bts #950182.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information