document new tor-puppet-hiera-enc split (team#41819)

update references to the ENC which was moved from tor-puppet.git into
its own, separate, repository

howto/puppet.md

@@ -1506,12 +1506,39 @@ started with the vocabulary used in this document.
 
 ### File layout
 
-The Puppet master runs on `pauli.torproject.org`. That is where the main git
-repository (`tor-puppet`) lives, in
-`/srv/puppet.torproject.org/git/tor-puppet`. That repository has hooks to
-populate `/etc/puppet` which is the live checkout from which the Puppet server
-compiles its catalogs.
-  
+The Puppet server runs on `pauli.torproject.org`.
+
+Two git repositories live there:
+
+- `tor-puppet-hiera-enc`, at
+`/srv/puppet.torproject.org/git/tor-puppet-hiera-enc.git`: That repository has
+hooks that deploy to `/etc/puppet/hiera-enc`. See the "External node
+classifier" section below.
+
+- `tor-puppet`, at `/srv/puppet.torproject.org/git/tor-puppet.git`: That repository
+has hooks that deploy to `/etc/puppet/code/environments/production`. See the
+"Environments" section below.
+
+#### External node classifier
+
+Before catalog compilation occurs, each node is assigned an environment
+(`production`, by default) and a "role" through the ENC, which is configured
+using the `tor-puppet-hiera-enc.git` repository. The node definitions at
+`nodes/$FQDN.yaml` are merged with the defaults defined in
+`nodes/default.yaml`.
+
+To be more accurate, the ENC assigns top-scope `$role` variable to each node,
+which is in turn used to include a `role::$rolename` class on each node. This
+occurs in the default node definition in `manifests/site.pp` in `tor-puppet.git`.
+
+Some nodes include a list of classes, inherited from the previous Hiera-based
+setup, but we're in the process of transitioning all nodes to single role
+classes, see [issue 40030][] for progress on this work.
+
+[issue 40030]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40030
+
+#### Environments
+
 All paths below are relative to the root of that git repository.
 
 - `3rdparty/modules` include modules that are shared publicly and do
@@ -1525,21 +1552,6 @@ All paths below are relative to the root of that git repository.
 - `modules` includes roles, profiles, and classes that make the bulk
   of our configuration.
 
-- each node is assigned a "role" through the ENC, in
-  `hiera-enc/nodes/$FQDN.yaml`
-
-  To be more accurate, the ENC assigns top-scope `$role` variable to
-  each node, which is in turn used to include a `role::$rolename`
-  class on each node. This occurs in the default node definition in
-  `manifests/site.pp`.
-
-  Some nodes include a list of classes, inherited from the previous
-  Hiera-based setup, but we're in the process of transitioning all
-  nodes to single role classes, see [issue 40030][] for progress on
-  this work.
-
-[issue 40030]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40030
-
 - The `torproject_org` module
   (`modules/torproject_org/manifests/init.pp`) performs basic host
   initialisation, like configuring Debian mirrors and APT sources,
@@ -1632,8 +1644,8 @@ The Puppet server pulls three elements about nodes from the ENC:
    parameter and unique role classes.
 
 For a given node named `$fqdn`, these elements are defined in
-`tor-puppet.git/hiera-enc/nodes/$fqdn.yaml`. Defaults can also be set
-in `tor-puppet.git/hiera-enc/nodes/default.yaml`.
+`tor-puppet-hiera-enc.git/nodes/$fqdn.yaml`. Defaults can also be set
+in `tor-puppet-hiera-enc.git/nodes/default.yaml`.
 
 #### Role classes
 

howto/rename-a-host.md

@@ -13,7 +13,8 @@ Start by stopping the `puppet-run` timer and disabling Puppet on the machine:
     puppet agent --disable "renaming in progress"
 
 Then, in `tor-puppet`, remove references to the host. At the very least the
-node's classification yaml should be removed for `hiera-enc/nodes`.
+node's classification yaml should be removed from
+`tor-puppet-hiera-enc.git/nodes`.
 
 Revoke its certificates from the Puppet server using the retirement script:
 

service/donate.md

@@ -452,7 +452,7 @@ To setup a new donate-review server
 
 1. bootstrap a new virtual machine (see [new-machine](howto/new-machine) up to Puppet
 1. add the `role: donate_review` parameter to the new machine in
-   `hiera-enc` on `tor-puppet.git`
+   `tor-puppet-hiera-enc.git`
 1. run puppet on the machine
 
 This should register a new runner in GitLab and start processing jobs.