From de7296406152b5aeef881c2eef5c989bb53785c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Wed, 12 Feb 2025 11:23:03 -0500
Subject: [PATCH] add LDAP-enc alternative

---
 howto/puppet.md | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/howto/puppet.md b/howto/puppet.md
index 1ec07ae8..a6f59b04 100644
--- a/howto/puppet.md
+++ b/howto/puppet.md
@@ -2381,7 +2381,13 @@ alternatives. [This talk](https://www.youtube.com/watch?v=RdIyStATgFE) is a good
 librarian and r10k. Based on that talk and [these slide](https://arlimus.github.io/slides/librarian.and.r10k/), I've made
 the following observations:
 
-### monorepo
+### ENCs
+
+- [LDAP-enc](https://github.com/oftc/oftc-puppet/blob/1b94c8254eee491602ebeda2599b8214c101d6bb/ldap-enc): OFTC uses LDAP to store classes to load for a given host
+
+### repository management
+
+#### monorepo
 
 This is our current approach, which is that all code is committed in
 one monolithic repository. This effectively makes it impossible to
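Review bot: The unchanged lead-in just above the new `### ENCs` heading ("Based on that talk and these slide, I've made the following observations:") introduces observations drawn from the librarian and r10k talk, but the first section it now leads into is the LDAP-enc entry, which is about which classes a host loads, not about that talk. Consider moving that sentence under `### repository management`, or placing `### ENCs` after the repository management subsections. The heading also uses "ENCs" without expanding it; spelling out "external node classifiers" once would help readers who land here directly. The subject line mentions only the LDAP-enc addition, while the remaining hunks demote the existing sections to `####` under the new heading, so the commit message should mention that restructuring too.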
@@ -2401,7 +2407,7 @@ good stopgap solution. A better solution would need to solve the
 "double-commit" problem and still allow us to have smaller
 repositories that we can collaborate on outside of our main tree.
 
-### submodules
+#### submodules
 
 The talk partially covers how difficult `git submodules` work and how
 hard they are to deal with. I say partially because submodules are
@@ -2428,7 +2434,7 @@ Others have *strong* opinions about submodules, with one Debian
 developer suggesting to [Never use git submodules](https://diziet.dreamwidth.org/14666.html) and instead
 recommending `git subtree`, a monorepo, `myrepos`, or ad-hoc scripts.
 
-### librarian
+#### librarian
 
 Librarian is written in ruby. It's built on top of [another library
 called librarian](https://github.com/applicationsonline/librarian) that is used by Ruby's [bundler](https://gembundler.com/). At the time
@@ -2455,7 +2461,7 @@ gives a huge surface area for arbitrary code injection in the entire
 puppet infrastructure (e.g. MITM, forge compromise, hostile upstream
 attacks)
 
-### r10k
+#### r10k
 
 r10k was written because librarian was too slow for large
 deployments. But it covers more than just managing code: it also
@@ -2485,7 +2491,7 @@ that reformats librarian output](https://github.com/dharmabruce/lp2r10k/blob/mas
 also a [go rewrite called g10k](https://github.com/xorpaul/g10k) that is much faster, but with
 similar limitations.)
 
-### git subtree
+#### git subtree
 
 [This article](https://web.archive.org/web/20171107082413/http://somethingsinistral.net/blog/scaling-puppet-environment-deployment/) mentions git subtrees from the point of view of
 Puppet management quickly. It outline how it's cool that the history
@@ -2497,7 +2503,7 @@ some of the disadvantages of the monorepo in the all the code is
 actually committed in the parent repo and you *do* have to commit
 twice as well.
 
-### subrepo
+#### subrepo
 
 The [git-subrepo](https://github.com/ingydotnet/git-subrepo) is "an improvement from `git-submodule` and
 `git-subtree`". It is a mix between a monorepo and a submodule system,
@@ -2525,7 +2531,7 @@ Still, its feature set is impressive and could be the perfect mix
 between the "submodules" and "subtree" approach of still keeping a
 monorepo while avoiding the double-commit issue.
 
-### myrepos
+#### myrepos
 
 [myrepos](https://myrepos.branchable.com/) is one of many solutions to manage multiple git
 repositories. It has been used in the past at my old workplace
@@ -2543,7 +2549,7 @@ esoteric to people. It also has weird failure modes, but could be used
 in parallel with a monorepo. For example, it might allow us to setup
 specific remotes in subdirectories of the monorepo automatically.
 
-### Summary table
+#### Summary table
 
 | Approach   | Pros                       | Cons                                     | Summary                           |
 |------------|----------------------------|------------------------------------------|-----------------------------------|
@@ -2555,7 +2561,7 @@ specific remotes in subdirectories of the monorepo automatically.
 | Subrepo    | subtree + optional         | Unusual, new commands to learn           | To evaluate further               |
 | myrepos    | Flexible                   | Esoteric                                 | might be useful with our monorepo |
 
-### Best practices survey
+#### Best practices survey
 
 I made a survey of the community (mostly the [shared puppet
 modules](https://gitlab.com/shared-puppet-modules-group/) and [Voxpupuli](https://voxpupuli.org/) groups) to find out what the best
@@ -2615,7 +2621,7 @@ transport by having the Puppetfile chase a branch name instead of a
 checksum, during development. In production, of course, a checksum can
 then be pinned again, but that is the biggest flaw in that workflow.
 
-### Other alternatives
+#### Other alternatives
 
  * [josh](https://github.com/josh-project/josh): "Combine the advantages of a monorepo with those of
    multirepo setups by leveraging a blazingly-fast, incremental, and
-- 
GitLab