Currently people commit to the private repo on puppetmaster1001. We should move this to puppetserver1001.
Cergen certs can only be generated on puppetmaster1001, but most use cases have been moved to cfssl already (T357750), but that doesn't need to block the switch of the private repo; in the unlikely case that we still need to update a cergen-issued cert, we can still run the commands on puppetmaster1001 and then copy them to puppetserver1001 for commiting.