100 lines
3.3 KiB
Puppet
100 lines
3.3 KiB
Puppet
# IDP proxy used in SUNET Drive
|
|
class sunetdrive::satosa($dehydrated_name=undef,$image='docker.sunet.se/satosa',$tag=undef) {
|
|
|
|
$proxy_conf = hiera('satosa_proxy_conf')
|
|
$default_conf = {
|
|
'STATE_ENCRYPTION_KEY' => hiera('satosa_state_encryption_key'),
|
|
'USER_ID_HASH_SALT' => hiera('satosa_user_id_hash_salt'),
|
|
'CUSTOM_PLUGIN_MODULE_PATHS' => ['plugins'],
|
|
'COOKIE_STATE_NAME' => 'SATOSA_STATE'
|
|
}
|
|
$merged_conf = merge($proxy_conf,$default_conf)
|
|
|
|
ensure_resource('file','/etc', { ensure => directory } )
|
|
ensure_resource('file','/etc/satosa', { ensure => directory } )
|
|
ensure_resource('file','/etc/satosa/', { ensure => directory } )
|
|
ensure_resource('file','/etc/satosa/run', { ensure => directory } )
|
|
ensure_resource('file','/etc/satosa/plugins', { ensure => directory } )
|
|
ensure_resource('file','/etc/satosa/metadata', { ensure => directory } )
|
|
|
|
['backend','frontend','metadata'].each |$id| {
|
|
if hiera("satosa_${id}_key",undef) != undef {
|
|
sunet::snippets::secret_file { "/etc/satosa/${id}.key": hiera_key => "satosa_${id}_key" }
|
|
# assume cert is in cosmos repo
|
|
} else {
|
|
# make key pair
|
|
sunet::snippets::keygen {"satosa_${id}":
|
|
key_file => "/etc/satosa/${id}.key",
|
|
cert_file => "/etc/satosa/${id}.crt"
|
|
}
|
|
}
|
|
}
|
|
sunet::docker_run {'satosa':
|
|
image => $image,
|
|
imagetag => $tag,
|
|
volumes => ['/etc/satosa:/etc/satosa','/etc/dehydrated:/etc/dehydrated'],
|
|
ports => ['443:8000'],
|
|
env => ['METADATA_DIR=/etc/satosa/metadata', 'WORKER_TIMEOUT=120']
|
|
}
|
|
file {'/etc/satosa/proxy_conf.yaml':
|
|
content => inline_template("<%= @merged_conf.to_yaml %>\n"),
|
|
notify => Sunet::Docker_run['satosa']
|
|
}
|
|
$plugins = hiera('satosa_config')
|
|
sort(keys($plugins)).each |$n| {
|
|
$conf = hiera($n)
|
|
$fn = $plugins[$n]
|
|
file { $fn:
|
|
content => inline_template("<%= @conf.to_yaml %>\n"),
|
|
notify => Sunet::Docker_run['satosa']
|
|
}
|
|
}
|
|
sunet::misc::ufw_allow { 'satosa-allow-https':
|
|
ip => 'any',
|
|
port => '443'
|
|
}
|
|
$dehydrated_status = $dehydrated_name ? {
|
|
undef => 'absent',
|
|
default => 'present'
|
|
}
|
|
sunet::docker_run {'alwayshttps':
|
|
ensure => $dehydrated_status,
|
|
image => 'docker.sunet.se/always-https',
|
|
ports => ['80:80'],
|
|
env => ['ACME_URL=http://acme-c.sunet.se']
|
|
}
|
|
sunet::misc::ufw_allow { 'satosa-allow-http':
|
|
ensure => $dehydrated_status,
|
|
ip => 'any',
|
|
port => '80'
|
|
}
|
|
if ($dehydrated_name) {
|
|
file { '/etc/satosa/https.key': ensure => link, target => "/etc/dehydrated/certs/${dehydrated_name}.key" }
|
|
file { '/etc/satosa/https.crt': ensure => link, target => "/etc/dehydrated/certs/${dehydrated_name}/fullchain.pem" }
|
|
} else {
|
|
sunet::snippets::keygen {'satosa_https':
|
|
key_file => '/etc/satosa/https.key',
|
|
cert_file => '/etc/satosa/https.crt'
|
|
}
|
|
}
|
|
file { '/opt/satosa':
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
}
|
|
-> file { '/opt/satosa/restart.sh':
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0700',
|
|
content => template('sunetdrive/satosa/restart.erb.sh'),
|
|
}
|
|
-> cron { 'restart_satosa':
|
|
command => '/opt/satosa/restart.sh',
|
|
user => 'root',
|
|
minute => '15',
|
|
hour => '*/8',
|
|
}
|
|
}
|