puppet: Let r10k deploy private repo with rugged

.gitignore

 .bundle/
 Gemfile.lock
 vendor/
+modules/nest_private

data/node/puppet.yaml

@@ -22,3 +22,7 @@ nest::package_keywords:
   dev-ruby/puppet_forge: {}
   dev-ruby/rash_alt: {}
   dev-ruby/simple_oauth: {}
+
+  # For rugged
+  dev-libs/libgit2:
+    version: '~1.1.0'

data/private

+../modules/nest_private/data
\ No newline at end of file

files/puppet/hiera.yaml

@@ -10,14 +10,26 @@ defaults:
 
 hierarchy:
   - name: 'Nodes'
-    path: "node/%{::trusted.certname}.yaml"
+    paths:
+      - "private/node/%{::trusted.certname}.yaml"
+      - "node/%{::trusted.certname}.yaml"
   - name: 'Roles'
-    path: "role/%{::role}.yaml"
+    paths:
+      - "private/role/%{::role}.yaml"
+      - "role/%{::role}.yaml"
   - name: 'Platforms'
-    path: "platform/%{::platform}.yaml"
+    paths:
+      - "private/platform/%{::platform}.yaml"
+      - "platform/%{::platform}.yaml"
   - name: 'Architectures'
-    path: "arch/%{::architecture}.yaml"
+    paths:
+      - "private/arch/%{::architecture}.yaml"
+      - "arch/%{::architecture}.yaml"
   - name: 'Operating Systems'
-    path: "os/%{::facts.osfamily}.yaml"
+    paths:
+      - "private/os/%{::facts.osfamily}.yaml"
+      - "os/%{::facts.osfamily}.yaml"
   - name: 'Common'
-    path: 'common.yaml'
+    paths:
+      - 'private/common.yaml'
+      - 'common.yaml'

files/puppet/r10k.yaml

 ---
 cachedir: '/var/cache/r10k'
+
+git:
+  provider: 'rugged'
+  private_key: '/etc/puppetlabs/r10k/id_rsa'
+
 sources:
-  main:
+  nest:
     remote: 'https://gitlab.james.tl/nest/puppet-nest.git'
     basedir: '/etc/puppetlabs/code/environments'

manifests/node/puppet.pp

-class nest::node::puppet {
+class nest::node::puppet (
+  String[1] $r10k_deploy_key,
+) {
   nest::lib::srv { 'puppetserver': }
 
   file { '/srv/puppetserver/hiera.yaml':
@@ -6,22 +8,41 @@ class nest::node::puppet {
     require => Nest::Lib::Srv['puppetserver'],
   }
 
-  package { 'r10k':
+  package { 'libgit2':
     ensure => installed,
   }
 
-  file { '/etc/puppetlabs/r10k':
-    ensure => directory,
-    mode   => '0755',
-    owner  => 'root',
-    group  => 'root',
+  package { 'rugged':
+    ensure          => installed,
+    install_options => ['--use-system-libraries'],
+    provider        => gem,
+    require         => Package['libgit2'],
   }
 
-  file { '/etc/puppetlabs/r10k/r10k.yaml':
-    mode   => '0644',
-    owner  => 'root',
-    group  => 'root',
-    source => 'puppet:///modules/nest/puppet/r10k.yaml',
+  package { 'r10k':
+    ensure => installed,
+  }
+
+  file {
+    default:
+      owner  => 'root',
+      group  => 'root',
+    ;
+
+    '/etc/puppetlabs/r10k':
+      mode   => '0755',
+      ensure => directory,
+    ;
+
+    '/etc/puppetlabs/r10k/r10k.yaml':
+      mode   => '0644',
+      source => 'puppet:///modules/nest/puppet/r10k.yaml',
+    ;
+
+    '/etc/puppetlabs/r10k/id_rsa':
+      mode    => '0600',
+      content => $r10k_deploy_key,
+    ;
   }
 
   file { '/etc/eyaml':