Discovered when building a TFTP only server (no puppet proxy or any other proxies) on EL7.

Prior to puppet 4 (AIO packaging), the 'puppet' package created a puppet user and group. This now only happens if the puppetserver package is installed.

I ended up with this failure...

Error: Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist
Error: /Stage[main]/Foreman_proxy::Config/User[foreman-proxy]/groups: change from  to puppet failed: Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist

I can easily enough workaround this by creating the group in my profile, but I guess it should probably be fixed in the module?

Perhaps skip the group membership if $puppet is disabled.

what about $puppetca? If a CA is running, they'll be a group, but perhaps the proxy doesn't need to be a member of it?

Unfortunately, the proxy refuses to start as it can't read /etc/puppetlabs/puppet/ssl/private_keys/${::fqdn}.pem which is owned by root:root.

It's the puppetserver RPM that chowns the keys...
https://github.com/puppetlabs/puppetserver/blob/master/resources/ext/ezbake.conf#L28

I've been working on a fix and hopefully will submit a PR for consideration shortly.

#261 is what I've got so far.

#261 got merged