notes about metrics, logging and PII in puppet

howto/puppet.md

@@ -1365,6 +1365,25 @@ code is directly pushed to the Puppet server without validation. Work
 is being done to [implement automated checks](https://gitlab.torproject.org/tpo/tpa/team/-/issues/31226) but that is only
 being deployed on some clients for now.
 
+Note that PuppetDB itself holds performance information about the
+Puppet agent runs, which are called "reports". Those reports contain
+information about changes operated on each server, how long the agent
+runs take and so on. Those metrics could be made more visible by using
+a dashboard, but that has not been implemented yet (see [issue
+31969][]).
+
+[issue 31969]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/31969
+
+The Puppet server, Puppet agents and PuppetDB keep logs of their
+operations. The latter keeps its logs in `/var/log/puppetdb/` for a
+maximum of 90 days or 1GB, whichever comes first (configured in
+`/etc/puppetdb/request-logging.xml` and
+`/etc/puppetdb/logback.xml`). The other logs are sent to `syslog`, and
+usually end up in `daemon.log`.
+
+Puppet should hold minimal personnally idenfiable information, like
+user names, user public keys and project names.
+
 # Discussion
 
 This section goes more in depth into how Puppet is setup, why it was