diff --git a/site-modules/profile/manifests/puppet/base.pp b/site-modules/profile/manifests/puppet.pp
similarity index 57%
rename from site-modules/profile/manifests/puppet/base.pp
rename to site-modules/profile/manifests/puppet.pp
index 4be3c34b..dccc8d35 100644
--- a/site-modules/profile/manifests/puppet/base.pp
+++ b/site-modules/profile/manifests/puppet.pp
@@ -1,60 +1,44 @@
-# Base puppet configuration for all hosts.
+# Puppet configuration
+class profile::puppet {
+  include ::profile::puppet::apt_config
 
-class profile::puppet::base {
   $puppetmaster = lookup('puppet::master::hostname')
 
   $agent_config = {
     runmode             => 'none',
     pluginsync          => true,
     puppetmaster        => $puppetmaster,
   }
 
+  $is_puppetmaster = $puppetmaster in values($::swh_hostname)
+
+  if $is_puppetmaster {
+    include ::profile::puppet::master
+  } else {
+    class {'::puppet':
+      * => $agent_config,
+    }
+  }
+
   file { '/usr/local/sbin/swh-puppet-test':
     ensure  => 'file',
     owner   => 'root',
     group   => 'root',
     mode    => '0755',
     content => template('profile/puppet/swh-puppet-test.sh.erb'),
   }
 
   file { '/usr/local/sbin/swh-puppet-apply':
     ensure  => 'file',
     owner   => 'root',
     group   => 'root',
     mode    => '0755',
     content => template('profile/puppet/swh-puppet-apply.sh.erb'),
   }
 
   profile::cron::d {'puppet-agent':
     target  => 'puppet',
     command => 'puppet agent --onetime --no-daemonize --no-splay --verbose --logdest syslog',
     minute =>  'fqdn_rand/30',
   }
-
-  # Backported packages
-  if $::lsbdistcodename == 'stretch' {
-    $pinned_packages = [
-      'facter',
-      'libfacter*',
-      'libleatherman*',
-      'libleatherman-data',
-      'libcpp-hocon*',
-    ]
-  }
-  else {
-    $pinned_packages = undef
-  }
-
-  if $pinned_packages {
-    ::apt::pin {'puppet':
-      explanation => 'Pin puppet dependencies to backports',
-      codename    => "${::lsbdistcodename}-backports",
-      packages    => $pinned_packages,
-      priority    => 990,
-    }
-  } else {
-    ::apt::pin {'puppet':
-      ensure => 'absent',
-    }
-  }
 }
diff --git a/site-modules/profile/manifests/puppet/agent.pp b/site-modules/profile/manifests/puppet/agent.pp
deleted file mode 100644
index a6eb399b..00000000
--- a/site-modules/profile/manifests/puppet/agent.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-# Puppet agent profile
-class profile::puppet::agent {
-  include ::profile::puppet::base
-
-  class { '::puppet':
-    * => $::profile::puppet::base::agent_config,
-  }
-}
diff --git a/site-modules/profile/manifests/puppet/apt_config.pp b/site-modules/profile/manifests/puppet/apt_config.pp
new file mode 100644
index 00000000..ec64fac6
--- /dev/null
+++ b/site-modules/profile/manifests/puppet/apt_config.pp
@@ -0,0 +1,29 @@
+# Apt configuration for puppet
+class profile::puppet::apt_config {
+  # Backported packages
+  if $::lsbdistcodename == 'stretch' {
+    $pinned_packages = [
+      'facter',
+      'libfacter*',
+      'libleatherman*',
+      'libleatherman-data',
+      'libcpp-hocon*',
+    ]
+  }
+  else {
+    $pinned_packages = undef
+  }
+
+  if $pinned_packages {
+    ::apt::pin {'puppet':
+      explanation => 'Pin puppet dependencies to backports',
+      codename    => "${::lsbdistcodename}-backports",
+      packages    => $pinned_packages,
+      priority    => 990,
+    }
+  } else {
+    ::apt::pin {'puppet':
+      ensure => 'absent',
+    }
+  }
+}
diff --git a/site-modules/profile/manifests/puppet/master.pp b/site-modules/profile/manifests/puppet/master.pp
index a611565f..e1ee8b72 100644
--- a/site-modules/profile/manifests/puppet/master.pp
+++ b/site-modules/profile/manifests/puppet/master.pp
@@ -1,47 +1,45 @@
 # Puppet master profile
 class profile::puppet::master {
   $puppetdb = lookup('puppet::master::puppetdb')
 
-  include ::profile::puppet::base
-
   class { '::puppet':
     server                      => true,
     server_common_modules_path  => '',
     server_environments         => [],
     server_external_nodes       => '',
     server_foreman              => false,
     server_passenger            => true,
     server_puppetdb_host        => $puppetdb,
     server_reports              => 'store,puppetdb',
     server_storeconfigs_backend => 'puppetdb',
 
-    *                           => $::profile::puppet::base::agent_config,
+    *                           => $::profile::puppet::agent_config,
   }
 
   # Extra configuration for fileserver
   $letsencrypt_export_dir = lookup('letsencrypt::certificates::exported_directory')
   file { '/etc/puppet/fileserver.conf':
     ensure  => present,
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
     content => template('profile/puppet/fileserver.conf.erb')
   }
 
   file { '/usr/local/sbin/swh-puppet-master-deploy':
     ensure  => 'file',
     owner   => 'root',
     group   => 'root',
     mode    => '0755',
     content => template('profile/puppet/swh-puppet-master-deploy.sh.erb'),
   }
 
   file { '/usr/local/sbin/swh-puppet-master-clean-certificate':
     ensure  => 'file',
     owner   => 'root',
     group   => 'root',
     mode    => '0755',
     content => template('profile/puppet/swh-puppet-master-clean-certificate.sh.erb'),
   }
 
 }
diff --git a/site-modules/role/manifests/swh_backup.pp b/site-modules/role/manifests/swh_backup.pp
index 05dd090b..91354129 100644
--- a/site-modules/role/manifests/swh_backup.pp
+++ b/site-modules/role/manifests/swh_backup.pp
@@ -1,7 +1,6 @@
 class role::swh_backup inherits role::swh_server {
-  include profile::puppet::agent
   include profile::swh::deploy::objstorage
   include profile::swh::deploy::objstorage_ceph
   include profile::megacli
   include profile::borg::repository_server
 }
diff --git a/site-modules/role/manifests/swh_base.pp b/site-modules/role/manifests/swh_base.pp
index fd2d6354..33f889db 100644
--- a/site-modules/role/manifests/swh_base.pp
+++ b/site-modules/role/manifests/swh_base.pp
@@ -1,15 +1,15 @@
 class role::swh_base {
   include profile::base
   include profile::ssh::server
   include profile::unbound
   include profile::systemd_journal
   include profile::resolv_conf
-  include profile::munin::node
+  include profile::puppet
   include profile::prometheus::node
   include profile::prometheus::statsd
   include profile::icinga2
   include profile::rsyslog
 
 
   include profile::swh
 }
diff --git a/site-modules/role/manifests/swh_base_api.pp b/site-modules/role/manifests/swh_base_api.pp
index 91bfb93b..245b13a7 100644
--- a/site-modules/role/manifests/swh_base_api.pp
+++ b/site-modules/role/manifests/swh_base_api.pp
@@ -1,10 +1,8 @@
 class role::swh_base_api inherits role::swh_server {
-  include profile::puppet::agent
-
   # Web UI
   include profile::memcached
   include profile::swh::deploy::webapp
 
   # Apache logs
   include profile::filebeat
 }
diff --git a/site-modules/role/manifests/swh_base_database.pp b/site-modules/role/manifests/swh_base_database.pp
index 6f5f0c4c..06492720 100644
--- a/site-modules/role/manifests/swh_base_database.pp
+++ b/site-modules/role/manifests/swh_base_database.pp
@@ -1,4 +1,3 @@
 class role::swh_base_database inherits role::swh_server {
-  include profile::puppet::agent
   include profile::prometheus::sql
 }
diff --git a/site-modules/role/manifests/swh_base_storage.pp b/site-modules/role/manifests/swh_base_storage.pp
index 40a53b46..5dc4a6a6 100644
--- a/site-modules/role/manifests/swh_base_storage.pp
+++ b/site-modules/role/manifests/swh_base_storage.pp
@@ -1,6 +1,5 @@
 class role::swh_base_storage inherits role::swh_server {
-  include profile::puppet::agent
   include profile::swh::deploy::storage
   include profile::swh::deploy::indexer_storage
   include profile::swh::deploy::objstorage
 }
diff --git a/site-modules/role/manifests/swh_cassandra_node.pp b/site-modules/role/manifests/swh_cassandra_node.pp
index 7f1bf147..82152fcf 100644
--- a/site-modules/role/manifests/swh_cassandra_node.pp
+++ b/site-modules/role/manifests/swh_cassandra_node.pp
@@ -1,6 +1,4 @@
 # Deployment of a cassandra node
 class role::swh_cassandra_node inherits role::swh_base {
-  include profile::puppet::agent
-
   include profile::cassandra::node
 }
diff --git a/site-modules/role/manifests/swh_ceph.pp b/site-modules/role/manifests/swh_ceph.pp
index 2a9c2a76..b3022497 100644
--- a/site-modules/role/manifests/swh_ceph.pp
+++ b/site-modules/role/manifests/swh_ceph.pp
@@ -1,3 +1,2 @@
 class role::swh_ceph inherits role::swh_base {
-  include profile::puppet::agent
 }
diff --git a/site-modules/role/manifests/swh_ci.pp b/site-modules/role/manifests/swh_ci.pp
index 516aaedf..811e6692 100644
--- a/site-modules/role/manifests/swh_ci.pp
+++ b/site-modules/role/manifests/swh_ci.pp
@@ -1,4 +1,3 @@
 # doesn't inherit swh_server to avoid backups by default
 class role::swh_ci inherits role::swh_base {
-  include profile::puppet::agent
 }
diff --git a/site-modules/role/manifests/swh_deposit.pp b/site-modules/role/manifests/swh_deposit.pp
index 52572cb0..37193939 100644
--- a/site-modules/role/manifests/swh_deposit.pp
+++ b/site-modules/role/manifests/swh_deposit.pp
@@ -1,10 +1,9 @@
 class role::swh_deposit inherits role::swh_server {
-  include profile::puppet::agent
   include profile::network
 
   # Web UI
   include profile::swh::deploy::deposit
 
   # Apache logs
   include profile::filebeat
 }
diff --git a/site-modules/role/manifests/swh_desktop.pp b/site-modules/role/manifests/swh_desktop.pp
index 610a8d2b..a7eb60cb 100644
--- a/site-modules/role/manifests/swh_desktop.pp
+++ b/site-modules/role/manifests/swh_desktop.pp
@@ -1,6 +1,5 @@
 class role::swh_desktop inherits role::swh_base {
-  include profile::puppet::agent
   include profile::desktop
   include profile::devel
   include profile::postgresql
 }
diff --git a/site-modules/role/manifests/swh_elasticsearch.pp b/site-modules/role/manifests/swh_elasticsearch.pp
index b6d687fe..a02de07a 100644
--- a/site-modules/role/manifests/swh_elasticsearch.pp
+++ b/site-modules/role/manifests/swh_elasticsearch.pp
@@ -1,6 +1,5 @@
 class role::swh_elasticsearch inherits role::swh_base {
-  include profile::puppet::agent
   include profile::elasticsearch
 
   include profile::kafka::broker
 }
diff --git a/site-modules/role/manifests/swh_forge.pp b/site-modules/role/manifests/swh_forge.pp
index 73c6c00e..a1de3860 100644
--- a/site-modules/role/manifests/swh_forge.pp
+++ b/site-modules/role/manifests/swh_forge.pp
@@ -1,10 +1,9 @@
 class role::swh_forge inherits role::swh_server {
   include profile::network
-  include profile::puppet::agent
 
   include profile::apache::rewrite_domains
 
   include profile::phabricator
   include profile::mediawiki
   include profile::jenkins::reverse_proxy
 }
diff --git a/site-modules/role/manifests/swh_gateway.pp b/site-modules/role/manifests/swh_gateway.pp
index 0f8a9097..780550b6 100644
--- a/site-modules/role/manifests/swh_gateway.pp
+++ b/site-modules/role/manifests/swh_gateway.pp
@@ -1,4 +1,3 @@
 class role::swh_gateway inherits role::swh_base {
   include profile::network
-  include profile::puppet::agent
 }
diff --git a/site-modules/role/manifests/swh_graph_backend.pp b/site-modules/role/manifests/swh_graph_backend.pp
index 4b6116c5..0ce186f5 100644
--- a/site-modules/role/manifests/swh_graph_backend.pp
+++ b/site-modules/role/manifests/swh_graph_backend.pp
@@ -1,6 +1,4 @@
 # SWH graph backend server
 class role::swh_graph_backend inherits role::swh_base {
-  include profile::puppet::agent
-
   include profile::docker
 }
diff --git a/site-modules/role/manifests/swh_hypervisor.pp b/site-modules/role/manifests/swh_hypervisor.pp
index 797366be..32262d58 100644
--- a/site-modules/role/manifests/swh_hypervisor.pp
+++ b/site-modules/role/manifests/swh_hypervisor.pp
@@ -1,4 +1,3 @@
 class role::swh_hypervisor inherits role::swh_server {
-  include profile::puppet::agent
   include profile::megacli
 }
diff --git a/site-modules/role/manifests/swh_kafka_broker.pp b/site-modules/role/manifests/swh_kafka_broker.pp
index 0e3bc57d..b1915f6a 100644
--- a/site-modules/role/manifests/swh_kafka_broker.pp
+++ b/site-modules/role/manifests/swh_kafka_broker.pp
@@ -1,4 +1,3 @@
 class role::swh_kafka_broker inherits role::swh_base {
-  include profile::puppet::agent
   include profile::kafka::broker
 }
diff --git a/site-modules/role/manifests/swh_kibana_instance.pp b/site-modules/role/manifests/swh_kibana_instance.pp
index 29f1ee60..ad208ae1 100644
--- a/site-modules/role/manifests/swh_kibana_instance.pp
+++ b/site-modules/role/manifests/swh_kibana_instance.pp
@@ -1,4 +1,3 @@
 class role::swh_kibana_instance inherits role::swh_base {
-  include profile::puppet::agent
   include profile::kibana
 }
diff --git a/site-modules/role/manifests/swh_logstash_instance.pp b/site-modules/role/manifests/swh_logstash_instance.pp
index f80ca2f3..10b51e56 100644
--- a/site-modules/role/manifests/swh_logstash_instance.pp
+++ b/site-modules/role/manifests/swh_logstash_instance.pp
@@ -1,4 +1,3 @@
 class role::swh_logstash_instance inherits role::swh_base {
-  include profile::puppet::agent
   include profile::logstash
 }
diff --git a/site-modules/role/manifests/swh_nameserver_secondary.pp b/site-modules/role/manifests/swh_nameserver_secondary.pp
index 02e90719..ccbc8397 100644
--- a/site-modules/role/manifests/swh_nameserver_secondary.pp
+++ b/site-modules/role/manifests/swh_nameserver_secondary.pp
@@ -1,4 +1,3 @@
 class role::swh_nameserver_secondary inherits role::swh_base {
   include profile::bind_server::secondary
-  include profile::puppet::agent
 }
diff --git a/site-modules/role/manifests/swh_remote_objstorage.pp b/site-modules/role/manifests/swh_remote_objstorage.pp
index 37374829..7fb935ae 100644
--- a/site-modules/role/manifests/swh_remote_objstorage.pp
+++ b/site-modules/role/manifests/swh_remote_objstorage.pp
@@ -1,4 +1,3 @@
 class role::swh_remote_objstorage inherits role::swh_base {
-  include profile::puppet::agent
   include profile::swh::deploy::objstorage
 }
diff --git a/site-modules/role/manifests/swh_scheduler.pp b/site-modules/role/manifests/swh_scheduler.pp
index 7f9ec26a..6427f1fa 100644
--- a/site-modules/role/manifests/swh_scheduler.pp
+++ b/site-modules/role/manifests/swh_scheduler.pp
@@ -1,7 +1,5 @@
 class role::swh_scheduler inherits role::swh_server {
-  include profile::puppet::agent
-
   # Scheduler
   include profile::rabbitmq
   include profile::swh::deploy::scheduler
 }
diff --git a/site-modules/role/manifests/swh_sentry.pp b/site-modules/role/manifests/swh_sentry.pp
index 5c1db92b..1ab1dcc3 100644
--- a/site-modules/role/manifests/swh_sentry.pp
+++ b/site-modules/role/manifests/swh_sentry.pp
@@ -1,5 +1,4 @@
 # Sentry server (no backups)
 class role::swh_sentry inherits role::swh_base {
-  include profile::puppet::agent
   include profile::sentry
 }
diff --git a/site-modules/role/manifests/swh_vault.pp b/site-modules/role/manifests/swh_vault.pp
index 41c9c7e7..06bdbc5e 100644
--- a/site-modules/role/manifests/swh_vault.pp
+++ b/site-modules/role/manifests/swh_vault.pp
@@ -1,4 +1,3 @@
 class role::swh_vault inherits role::swh_server {
-  include profile::puppet::agent
   include profile::swh::deploy::vault
 }
diff --git a/site-modules/role/manifests/swh_vault_test.pp b/site-modules/role/manifests/swh_vault_test.pp
index a259e2c5..139e7ee4 100644
--- a/site-modules/role/manifests/swh_vault_test.pp
+++ b/site-modules/role/manifests/swh_vault_test.pp
@@ -1,10 +1,8 @@
 class role::swh_vault_test inherits role::swh_server {
-  include profile::puppet::agent
-
   include profile::swh::deploy::vault
   include profile::swh::deploy::worker
 
   include profile::postgresql
 
   include profile::swh::deploy::objstorage
 }
diff --git a/site-modules/role/manifests/swh_worker.pp b/site-modules/role/manifests/swh_worker.pp
index 5f440993..73df5646 100644
--- a/site-modules/role/manifests/swh_worker.pp
+++ b/site-modules/role/manifests/swh_worker.pp
@@ -1,5 +1,4 @@
 class role::swh_worker inherits role::swh_base {
-  include profile::puppet::agent
   include profile::swh::deploy::worker
   include profile::mountpoints
 }