diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -699,7 +699,9 @@
 puppet::master::hostname: pergamon.internal.softwareheritage.org
 puppet::master::puppetdb: pergamon.internal.softwareheritage.org
+puppet::master::codedir: /etc/puppet/code
 puppetdb::master::config::terminus_package: puppet-terminus-puppetdb
+puppet::master::manage_puppetdb: false
 strict_transport_security::max_age: 15768000
diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml
--- a/data/subnets/vagrant.yaml
+++ b/data/subnets/vagrant.yaml
@@ -18,6 +18,8 @@
 internal_network: 10.168.128.0/16
+puppet::master::codedir: /tmp/puppet
+
 networks::private_routes: {}
 smtp::relay_hostname: 'none'
@@ -49,6 +51,22 @@
 kafka::cluster::public_network: 10.168.130.0/24
+puppet::master::manage_puppetdb: true
+puppetdb::listen_address: 0.0.0.0
+swh::puppetdb::etcdir: /etc/puppetdb
+puppetdb::confdir: "%{lookup('swh::puppetdb::etcdir')}/conf.d"
+puppetdb::ssl_dir: "%{lookup('swh::puppetdb::etcdir')}/ssl"
+swh::puppetdb::ssl_key_path: "%{lookup('puppetdb::ssl_dir')}/key.pem"
+swh::puppetdb::ssl_key: "%{::puppet_vardir}/ssl/private_keys/pergamon.softwareheritage.org.pem"
+swh::puppetdb::ssl_cert: "%{::puppet_vardir}/ssl/certs/pergamon.softwareheritage.org.pem"
+swh::puppetdb::ssl_cert_path: "%{lookup('puppetdb::ssl_dir')}/cert.pem"
+swh::puppetdb::ssl_ca_cert: "%{::puppet_vardir}/ssl/ca/ca_crt.pem"
+swh::puppetdb::ssl_ca_cert_path: "%{lookup('puppetdb::ssl_dir')}/ca_crt.pem"
+puppet::autosign_entries:
+ - '*.softwareheritage.org'
+ - '*.staging.swh.network'
+ - '*.admin.swh.network'
+
 static_hostnames:
 10.168.50.10:
 host: bardo.internal.admin.swh.network
@@ -68,6 +86,7 @@
 10.168.100.29:
 host: pergamon.internal.softwareheritage.org
 aliases:
+ - pergamon.softwareheritage.org
 - icinga.internal.softwareheritage.org
 - grafana.softwareheritage.org
 - stats.export.softwareheritage
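Review bot: `puppet::master::codedir: /tmp/puppet` places the master's code directory under a world-writable parent, so on the vagrant box whichever account creates `/tmp/puppet` first owns the tree the master compiles; the sticky bit on `/tmp` only protects entries once they exist. A directory the provisioning itself owns — the `/etc/puppet/code` that common.yaml uses, or a vagrant-specific path under it — avoids that, and if `/tmp` is deliberate for disposable boxes a one-line comment next to the key saying so would help. The key is set only in the vagrant subnet data, so production keeps the common.yaml value.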
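Review bot: `puppet::autosign_entries` introduces three wildcard patterns, which makes the master sign any certificate request whose name matches with no further check; that is acceptable for a throwaway vagrant master, but since the patterns cover the production domains a comment on the list such as `# wildcard autosign: vagrant only, never move to common.yaml` would keep it from being promoted by accident. `puppetdb::listen_address: 0.0.0.0` is, in puppetlabs-puppetdb, the address of the cleartext HTTP listener (the TLS one is `ssl_listen_address`), and the manifest in this commit sets `manage_firewall => false`, so the unauthenticated API is reachable from every network the vagrant box is on; `localhost` is enough if only the co-located master uses it. `swh::puppetdb::ssl_key` and `swh::puppetdb::ssl_cert` appear to be the node's own agent key and certificate but hardcode `pergamon.softwareheritage.org`, so the data only fits a node with exactly that certname; `%{trusted.certname}` would express the same path for whichever node plays master.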
diff --git a/site-modules/profile/manifests/annex_web.pp b/site-modules/profile/manifests/annex_web.pp
--- a/site-modules/profile/manifests/annex_web.pp
+++ b/site-modules/profile/manifests/annex_web.pp
@@ -16,6 +16,12 @@
 include ::profile::apache::common
+ exec {"create ${annex_vhost_docroot}":
+ creates => $annex_vhost_docroot,
+ command => "mkdir -p ${annex_vhost_docroot}",
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ }
+
 ::apache::vhost {"${annex_vhost_name}_non-ssl":
 servername => $annex_vhost_name,
 port => '80',
@@ -87,7 +93,6 @@
 content => "$annex_vhost_provenance_basic_auth_content",
 }
-
 $icinga_checks_file = lookup('icinga2::exported_checks::filename')
 @@::icinga2::object::service {"annex http redirect on ${::fqdn}":
diff --git a/site-modules/profile/manifests/bitbucket_archive_web.pp b/site-modules/profile/manifests/bitbucket_archive_web.pp
--- a/site-modules/profile/manifests/bitbucket_archive_web.pp
+++ b/site-modules/profile/manifests/bitbucket_archive_web.pp
@@ -10,6 +10,12 @@
 include ::profile::apache::common
+ exec {"create ${vhost_docroot}":
+ creates => $vhost_docroot,
+ command => "mkdir -p ${vhost_docroot}",
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ }
+
 ::apache::vhost {"${vhost_name}_non-ssl":
 servername => $vhost_name,
 port => '80',
diff --git a/site-modules/profile/manifests/docs_web.pp b/site-modules/profile/manifests/docs_web.pp
--- a/site-modules/profile/manifests/docs_web.pp
+++ b/site-modules/profile/manifests/docs_web.pp
@@ -15,6 +15,12 @@
 include ::profile::apache::common
+ exec {"create ${docs_vhost_docroot}":
+ creates => $docs_vhost_docroot,
+ command => "mkdir -p ${docs_vhost_docroot}",
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ }
+
 ::apache::vhost {"${docs_vhost_name}_non-ssl":
 servername => $docs_vhost_name,
 port => '80',
diff --git a/site-modules/profile/manifests/export_archive_counters.pp b/site-modules/profile/manifests/export_archive_counters.pp
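Review bot: `exec {"create ${annex_vhost_docroot}": ... }` creates the docroot with `mkdir -p`, so owner and mode are whatever root's umask gives at run time and are never checked again once `creates` is satisfied, and nothing orders the exec before the `::apache::vhost` declarations that follow it. A `file { $annex_vhost_docroot: ensure => directory, mode => '0755' }` resource states the intended result, reports drift and is autorequired by files placed below it; puppetlabs-apache's `apache::vhost` also manages the docroot itself when `manage_docroot` is left at its default, so the exec is presumably only needed when intermediate parent directories are missing. If that is the case, keep it but add `before => Apache::Vhost["${annex_vhost_name}_non-ssl"]` (and the ssl vhost) so the ordering is explicit. The identical block is added to bitbucket_archive_web.pp and docs_web.pp in this commit; the enclosing classes start above each hunk.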
--- a/site-modules/profile/manifests/export_archive_counters.pp
+++ b/site-modules/profile/manifests/export_archive_counters.pp
@@ -22,7 +22,14 @@
 }
 $history_data_name = 'history-counters.munin.json'
- $history_data_path = "/usr/local/share/swh-data/${history_data_name}"
+ $history_data_dir = "/usr/local/share/swh-data"
+ $history_data_path = "${history_data_dir}/${history_data_name}"
+ file {$history_data_dir:
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ mode => '0755'
+ } ->
 file {$history_data_path:
 ensure => present,
 owner => 'root',
diff --git a/site-modules/profile/manifests/puppet/master.pp b/site-modules/profile/manifests/puppet/master.pp
--- a/site-modules/profile/manifests/puppet/master.pp
+++ b/site-modules/profile/manifests/puppet/master.pp
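Review bot: The new `file {$history_data_dir: ... }` resource has no trailing comma after `mode => '0755'`, unlike the sibling `file {$history_data_path: ...}` block below it whose attributes all end with a comma; the Puppet style guide asks for a trailing comma on the last attribute so a later addition does not touch that line, i.e. `mode => '0755',`. The same omission is in the `file { $puppetdb_etcdir: ... }` resource this commit adds to site-modules/profile/manifests/puppet/master.pp. The `->` chain is harmless but redundant, since a `file` resource autorequires the `file` resource managing its parent directory. The enclosing class starts above the hunk.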
@@ -1,6 +1,49 @@
 # Puppet master profile
 class profile::puppet::master {
 $puppetdb = lookup('puppet::master::puppetdb')
+ $codedir = lookup('puppet::master::codedir')
+
+ $manage_puppetdb = lookup('puppet::master::manage_puppetdb')
+
+ # Pergamon installation was done manually, we ensure nothing
+ # is touched in production
+ if $manage_puppetdb {
+ # $puppetdb_listen_address = lookup('puppetdb::listen_address')
+ $puppetdb_etcdir = lookup('swh::puppetdb::etcdir')
+ $puppetdb_ssl_cert_path = lookup('swh::puppetdb::ssl_cert_path')
+ $puppetdb_ssl_key_path = lookup('swh::puppetdb::ssl_key_path')
+ $puppetdb_ssl_ca_cert_path = lookup('swh::puppetdb::ssl_ca_cert_path')
+
+ $puppetdb_ssl_cert = lookup('swh::puppetdb::ssl_cert')
+ $puppetdb_ssl_key = lookup('swh::puppetdb::ssl_key')
+ $puppetdb_ssl_ca_cert = lookup('swh::puppetdb::ssl_ca_cert')
+
+ file { $puppetdb_etcdir:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0775'
+ }
+
+ class { '::puppetdb':
+ # confdir => '/etc/puppetdb/conf.d',
+ vardir => '/var/lib/puppetdb',
+ manage_firewall => false,
+ ssl_set_cert_paths => true,
+ # ssl_dir => '/etc/puppetdb/ssl',
+ ssl_cert_path => $puppetdb_ssl_cert_path,
+ ssl_key_path => $puppetdb_ssl_key_path,
+ ssl_ca_cert_path => $puppetdb_ssl_ca_cert_path,
+ ssl_cert => file($puppetdb_ssl_cert),
+ ssl_key => file($puppetdb_ssl_key),
+ ssl_ca_cert => file($puppetdb_ssl_ca_cert),
+ manage_package_repo => false, # already manage by swh::apt_config
+ postgres_version => '11',
+ ssl_deploy_certs => true,
+ require => [Class['Profile::Swh::Apt_config'],
+ File[$puppetdb_etcdir]],
+ }
+ }
 class { '::puppet':
 server => true,
@@ -12,6 +55,7 @@
 server_puppetdb_host => $puppetdb,
 server_reports => 'store,puppetdb',
 server_storeconfigs_backend => 'puppetdb',
+ codedir => $codedir,
 * => $::profile::puppet::agent_config,
 }
diff --git a/site-modules/role/manifests/swh_sysadmin.pp b/site-modules/role/manifests/swh_sysadmin.pp
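Review bot: `ssl_key => file($puppetdb_ssl_key)` reads the master's private key on the compiler and embeds it in the catalog, so the key also ends up wherever catalogs are kept — the agent's local catalog cache and, with the `server_storeconfigs_backend => 'puppetdb'` visible in the hunk below, PuppetDB — on top of the `key.pem` the module writes. Because `%{::puppet_vardir}` is resolved from the managed node's own fact, the key is already local to that node; `ssl_deploy_certs => false` together with one `file` resource per path using `source => $puppetdb_ssl_key` (an absolute local path is copied by the agent, not read by the compiler) keeps it out of the catalog, assuming `ssl_set_cert_paths => true` alone is enough to point jetty at those paths — confirm against the module version in use. `mode => '0775'` on `$puppetdb_etcdir` makes `/etc/puppetdb` group-writable for no stated reason; `0755` matches the directory resource this commit adds in export_archive_counters.pp. The commented-out `listen_address`, `confdir` and `ssl_dir` lines duplicate values vagrant.yaml supplies through automatic parameter lookup (`puppetdb::listen_address`, `puppetdb::confdir`, `puppetdb::ssl_dir`), so either drop them or replace them with `# listen_address, confdir and ssl_dir come from Hiera (puppetdb::* keys)`. The class body continues past the hunk.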
--- a/site-modules/role/manifests/swh_sysadmin.pp
+++ b/site-modules/role/manifests/swh_sysadmin.pp
@@ -5,14 +5,19 @@
 include profile::prometheus::sql
 include profile::puppet::master
- include profile::letsencrypt
+
+ if $::subnet == 'vagrant' {
+ notice("Vagrant environment detected, deactivate let's encrypt and bind_server")
+ } else {
+ include profile::letsencrypt
+ include profile::bind_server::primary
+ }
 include profile::icinga2::icingaweb2
 include profile::apache::simple_server
 include ::apache::mod::rewrite
- include profile::bind_server::primary
 include profile::annex_web
 include profile::stats_web
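Review bot: The new `if $::subnet == 'vagrant'` branch records what it skips but not why; presumably letsencrypt and the primary bind server need public DNS and ACME reachability that a vagrant box lacks, but that should be stated rather than guessed, e.g. `# vagrant boxes have no public DNS / ACME reachability: skip both profiles` above the `if` (confirm the actual reason). The `notice()` call fires on the master at every compile of this role, which is log noise rather than a defect; a comment carries the same information without the repetition. `$::subnet` is a node-supplied fact, and a missing or different value falls through to the production branch, which is the safe direction. The enclosing class starts above the hunk.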