handled in puppet (read the puppet config to understand what we are doing)
leverages git for revision control
remote git repositories (master branch) on config.tombstones (fronted by gitea) are the source of truth
cloned to /var/lib/puppet/manifests
run from roots crontab