diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml
index cebddf8c..0682c9d0 100644
--- a/data/subnets/vagrant.yaml
+++ b/data/subnets/vagrant.yaml
@@ -1,188 +1,189 @@ --- # forwarder for : # - swh network # - Inria network # - external network dns::forwarders: - 192.168.100.29 - 192.168.200.22 - 128.93.77.234 - 1.1.1.1 dns::forwarder_insecure: true ntp::servers: - sesi-ntp1.inria.fr - sesi-ntp2.inria.fr networks::manage_interfaces: false internal_network: 10.168.128.0/16 puppet::master::codedir: /tmp/puppet networks::private_routes: {} smtp::relay_hostname: 'none' swh::postgresql::network_accesses: - 10.168.100.0/24 swh::deploy::worker::instances: - checker_deposit - lister - loader_archive - loader_cran - loader_debian - loader_deposit - loader_git - loader_mercurial - loader_nixguix - loader_npm - loader_pypi - loader_svn - loader_high_priority dns::forward_zones: { } netbox::vhost::letsencrypt_cert: inventory-vagrant netbox::vhost::name: inventory-vagrant.internal.softwareheritage.org netbox::mail::from: inventory+vagrant@softwareheritage.org netbox::admin::email: sysop+vagrant@softwareheritage.org kafka::cluster::public_network: 10.168.130.0/24 puppet::master::manage_puppetdb: true puppetdb::listen_address: 0.0.0.0 -puppetdb::confdir: /etc/puppetdb/conf.d -puppetdb::ssl_dir: '/etc/puppetdb/ssl' +swh::puppetdb::etcdir: /etc/puppetdb +puppetdb::confdir: "%{lookup('swh::puppetdb::etcdir')}/conf.d" +puppetdb::ssl_dir: "%{lookup('swh::puppetdb::etcdir')}/ssl" swh::puppetdb::ssl_key_path: "%{lookup('puppetdb::ssl_dir')}/key.pem" swh::puppetdb::ssl_key: "%{::puppet_vardir}/ssl/private_keys/pergamon.softwareheritage.org.pem" swh::puppetdb::ssl_cert: "%{::puppet_vardir}/ssl/certs/pergamon.softwareheritage.org.pem" swh::puppetdb::ssl_cert_path: "%{lookup('puppetdb::ssl_dir')}/cert.pem" swh::puppetdb::ssl_ca_cert: "%{::puppet_vardir}/ssl/ca/ca_crt.pem" swh::puppetdb::ssl_ca_cert_path: "%{lookup('puppetdb::ssl_dir')}/ca_crt.pem" static_hostnames: 10.168.50.10: host: bardo.internal.admin.swh.network 10.168.50.20: host: rp1.internal.admin.swh.network aliases: - hedgedoc.softwareheritage.org 10.168.100.18: host: 
banco.internal.softwareheritage.org aliases: - backup.internal.softwareheritage.org - kibana.internal.softwareheritage.org 10.168.100.19: host: logstash0.internal.softwareheritage.org aliases: - logstash.internal.softwareheritage.org 10.168.100.29: host: pergamon.internal.softwareheritage.org aliases: - pergamon.softwareheritage.org - icinga.internal.softwareheritage.org - grafana.softwareheritage.org - stats.export.softwareheritage 10.168.100.30: host: jenkins.softwareheritage.org 10.168.100.31: host: moma.internal.softwareheritage.org aliases: - archive.internal.softwareheritage.org - deposit.internal.softwareheritage.org 10.168.100.52: host: riverside.internal.softwareheritage.org aliases: - sentry.softwareheritage.org 10.168.100.61: host: esnode1.internal.softwareheritage.org 10.168.100.62: host: esnode2.internal.softwareheritage.org 10.168.100.63: host: esnode3.internal.softwareheritage.org 10.168.100.71: host: webapp1.internal.softwareheritage.org 10.168.100.81: host: search-esnode1.internal.softwareheritage.org 10.168.100.82: host: search-esnode2.internal.softwareheritage.org 10.168.100.83: host: search-esnode3.internal.softwareheritage.org 10.168.100.85: host: search1.internal.softwareheritage.org 10.168.100.95: host: counters1.internal.softwareheritage.org 10.168.100.104: host: saatchi.internal.softwareheritage.org aliases: - rabbitmq.internal.softwareheritage.org 10.168.100.106: host: kelvingrove.internal.softwareheritage.org aliases: - auth.softwareheritage.org 10.168.100.109: host: saam.internal.softwareheritage.org 10.168.100.131: host: zookeeper1.internal.softwareheritage.org 10.168.100.132: host: zookeeper2.internal.softwareheritage.org 10.168.100.133: host: zookeeper3.internal.softwareheritage.org 10.168.100.210: host: belvedere.internal.softwareheritage.org aliases: - db.internal.softwareheritage.org 10.168.100.199: host: bojimans.internal.softwareheritage.org aliases: - inventory.internal.softwareheritage.org 10.168.100.201: host: 
kafka1.internal.softwareheritage.org 10.168.100.202: host: kafka2.internal.softwareheritage.org 10.168.100.203: host: kafka3.internal.softwareheritage.org 10.168.100.204: host: kafka4.internal.softwareheritage.org 10.168.130.11: host: db1.internal.staging.swh.network 10.168.130.20: host: rp1.internal.staging.swh.network aliases: - webapp.staging.swh.network - deposit.staging.swh.network - objstorage.staging.swh.network 10.168.130.30: host: webapp.internal.staging.swh.network 10.168.130.31: host: deposit.internal.staging.swh.network 10.168.130.41: host: storage1.internal.staging.swh.network 10.168.130.50: host: scheduler0.internal.staging.swh.network 10.168.130.60: host: vault.internal.staging.swh.network 10.168.130.70: host: journal0.internal.staging.swh.network aliases: - broker0.journal.staging.swh.network 10.168.130.80: host: search-esnode0.internal.staging.swh.network 10.168.130.90: host: search0.internal.staging.swh.network 10.168.130.95: host: counters0.internal.staging.swh.network 10.168.130.100: host: worker0.internal.staging.swh.network 10.168.130.101: host: worker1.internal.staging.swh.network 10.168.130.102: host: worker2.internal.staging.swh.network 10.168.130.103: host: worker3.internal.staging.swh.network 10.168.130.110: host: objstorage0.internal.staging.swh.network 10.168.130.160: host: mirror-test.internal.staging.swh.network diff --git a/site-modules/profile/manifests/puppet/master.pp b/site-modules/profile/manifests/puppet/master.pp index 677631c4..7c8a6cab 100644 --- a/site-modules/profile/manifests/puppet/master.pp +++ b/site-modules/profile/manifests/puppet/master.pp 
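Review bot: `swh::puppetdb::etcdir` is defined only in this vagrant data file, yet the manifest changed in the same commit calls `lookup('swh::puppetdb::etcdir')` whenever `puppet::master::manage_puppetdb` is true, so any other hiera layer that enables `manage_puppetdb` without this key would fail catalog compilation on a missing lookup. If other environments are meant to manage puppetdb, a default such as `swh::puppetdb::etcdir: '/etc/puppetdb'` in the common data layer would be safer; I cannot see the other data files, so treat this as something to confirm. As a minor style point, the removed `puppetdb::ssl_dir` value was quoted and the two derived `%{lookup(...)}` values are quoted, so quoting the new path literal as well keeps the stanza consistent.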
@@ -1,98 +1,107 @@ # Puppet master profile class profile::puppet::master { $puppetdb = lookup('puppet::master::puppetdb') $codedir = lookup('puppet::master::codedir') $manage_puppetdb = lookup('puppet::master::manage_puppetdb') # Pergamon installation was done manually, we ensure nothing # is touched in production if $manage_puppetdb { # $puppetdb_listen_address = lookup('puppetdb::listen_address') + $puppetdb_etcdir = lookup('swh::puppetdb::etcdir') $puppetdb_ssl_cert_path = lookup('swh::puppetdb::ssl_cert_path') $puppetdb_ssl_key_path = lookup('swh::puppetdb::ssl_key_path') $puppetdb_ssl_ca_cert_path = lookup('swh::puppetdb::ssl_ca_cert_path') $puppetdb_ssl_cert = lookup('swh::puppetdb::ssl_cert') $puppetdb_ssl_key = lookup('swh::puppetdb::ssl_key') $puppetdb_ssl_ca_cert = lookup('swh::puppetdb::ssl_ca_cert') + file { $puppetdb_etcdir: + ensure => directory, + owner => 'root', + group => 'root', + mode => '0775' + } + class { '::puppetdb': # confdir => '/etc/puppetdb/conf.d', vardir => '/var/lib/puppetdb', manage_firewall => false, ssl_set_cert_paths => true, # ssl_dir => '/etc/puppetdb/ssl', ssl_cert_path => $puppetdb_ssl_cert_path, ssl_key_path => $puppetdb_ssl_key_path, ssl_ca_cert_path => $puppetdb_ssl_ca_cert_path, ssl_cert => file($puppetdb_ssl_cert), ssl_key => file($puppetdb_ssl_key), ssl_ca_cert => file($puppetdb_ssl_ca_cert), manage_package_repo => false, # already manage by swh::apt_config postgres_version => '11', ssl_deploy_certs => true, - require => [Class['Profile::Swh::Apt_config']], + require => [Class['Profile::Swh::Apt_config'], + File[$puppetdb_etcdir]], } } class { '::puppet': server => true, server_common_modules_path => '', server_environments => [], server_external_nodes => '', server_foreman => false, server_passenger => true, server_puppetdb_host => $puppetdb, server_reports => 'store,puppetdb', server_storeconfigs_backend => 'puppetdb', codedir => $codedir, * => $::profile::puppet::agent_config, } # Extra configuration for fileserver 
$letsencrypt_export_dir = lookup('letsencrypt::certificates::exported_directory') file { '/etc/puppet/fileserver.conf': ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/puppet/fileserver.conf.erb') } file { '/usr/local/sbin/swh-puppet-master-deploy': ensure => 'file', owner => 'root', group => 'root', mode => '0755', content => template('profile/puppet/swh-puppet-master-deploy.sh.erb'), } file {'/usr/local/sbin/swh-puppet-master-clean-certificate': ensure => absent, } file { '/usr/local/sbin/swh-puppet-master-decomission': ensure => 'file', owner => 'root', group => 'root', mode => '0755', content => template('profile/puppet/swh-puppet-master-decomission.sh.erb'), } profile::cron::d {'gzip-puppet-reports': target => 'puppet', command => 'find /var/lib/puppet/reports -type f -not -name *.gz -exec gzip {} \+', minute => 'fqdn_rand', hour => 'fqdn_rand/4', } profile::cron::d {'purge-puppet-reports': target => 'puppet', command => 'find /var/lib/puppet/reports -type f -mtime +30 -delete', minute => 'fqdn_rand', hour => 'fqdn_rand', } }
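Review bot: The new `file { $puppetdb_etcdir: ... }` resource creates the directory with `mode => '0775'`, and the hiera data in this commit places `puppetdb::ssl_dir` (into which `ssl_deploy_certs => true` writes `key.pem`, the PuppetDB TLS private key) underneath it; a group-writable parent directory is wider than this needs. `mode => '0755'` keeps root's access and everyone else's read/traverse while preventing any member of the root group from replacing the `ssl` subtree. The puppetdb service presumably runs as its own user and the upstream module manages ownership of `confdir`/`ssl_dir` below this directory, so it is also worth confirming that a root-owned `/etc/puppetdb` does not conflict with what the package ships. The whole `profile::puppet::master` class is within this hunk.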