net-ops/global/overlay/etc/puppet/modules/net/manifests/cisoassistant.pp

class net::cisoassistant {
  $nftables_rules = {
    'allow_access_to_cisoassistant' => {
      from  => 'any',
      port  => 8443,
      to    => 'any',
      proto => 'tcp',
    },
    'allow_access_to_cisoassistant_api' => {
      from  => 'any',
      port  => 9443,
      to    => 'any',
      proto => 'tcp',
    },
    'allow_access_to_always_https_acme_c' => {
      from  => 'any',
      port  => 80,
      to    => 'any',
      proto => 'tcp',
    },
  }
  $nftables_rules.each |$name, $params| {
    sunet::nftables::allow { $name:
      * => $params,
    }
  }
#  file { '/etc/docker/daemon.json':
#    mode    => '0744',
#    owner   => 'root',
#    group   => 'root',
#    content => file('net/cisoassistant/daemon.json'),
#  }
#  file { '/opt/cisoas/ciso-assistant-community/enterprise/docker-compose.yml':
#    mode    => '0744',
#    owner   => 'root',
#    group   => 'root',
#    content => file('net/cisoassistant/docker-compose.yml'),
#  }
  file { '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh':
    mode    => '0744',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/update-cisoas-enterprise.sh'),
  }
  sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
    cmd         => '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh',
    weekday     => 'Saturday',
    ok_criteria => ['exit_status=0', 'max_age=10d'],
  }
  file { '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh':
    mode    => '0744',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/rotate-certs.sh'),
  }
  sunet::scriptherder::cronjob { 'Rotate le certificates':
    cmd         => '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh',
    hour        => '1',
    ok_criteria => ['exit_status=0', 'max_age=48h'],
  }
#  file { '/opt/cisoas/ciso-assistant-community/enterprise/Caddyfile':
#    mode    => '0744',
#    owner   => 'root',
#    group   => 'root',
#    content => file('net/cisoassistant/Caddyfile'),
#  }
#  file { "/etc/systemd/system/sunet-cisoas.service":
#    mode    => '0644',
#    owner   => 'root',
#    group   => 'root',
#    content => file('net/cisoassistant/sunet-cisoas.service'),
#    notify  => [Class['sunet::systemd_reload']],
#  }
#  service { 'sunet-cisoas' :
#    ensure   => 'running',
#    enable   => true,
#    require  => File['/etc/systemd/system/sunet-cisoas.service'],
#    provider => 'systemd',
#  }
}
first draft of cisoassistant manifest 2025-01-31 13:19:49 +01:00			`class net::cisoassistant {`
			`$nftables_rules = {`
			`'allow_access_to_cisoassistant' => {`
			`from => 'any',`
			`port => 8443,`
			`to => 'any',`
			`proto => 'tcp',`
			`},`
			`'allow_access_to_cisoassistant_api' => {`
			`from => 'any',`
			`port => 9443,`
			`to => 'any',`
			`proto => 'tcp',`
			`},`
			`'allow_access_to_always_https_acme_c' => {`
			`from => 'any',`
cisoas manifest removal of funs 2025-01-31 14:18:39 +01:00			`port => 80,`
first draft of cisoassistant manifest 2025-01-31 13:19:49 +01:00			`to => 'any',`
			`proto => 'tcp',`
			`},`
			`}`
			`$nftables_rules.each \|$name, $params\| {`
			`sunet::nftables::allow { $name:`
			`* => $params,`
			`}`
			`}`
cisoas manifest removal of funs 2025-01-31 14:12:11 +01:00			`# file { '/etc/docker/daemon.json':`
			`# mode => '0744',`
			`# owner => 'root',`
			`# group => 'root',`
			`# content => file('net/cisoassistant/daemon.json'),`
			`# }`
			`# file { '/opt/cisoas/ciso-assistant-community/enterprise/docker-compose.yml':`
			`# mode => '0744',`
			`# owner => 'root',`
			`# group => 'root',`
			`# content => file('net/cisoassistant/docker-compose.yml'),`
			`# }`
restored some files in cisoas 2025-01-31 16:08:29 +01:00			`file { '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh':`
			`mode => '0744',`
			`owner => 'root',`
			`group => 'root',`
			`content => file('net/cisoassistant/update-cisoas-enterprise.sh'),`
			`}`
first draft of cisoassistant manifest 2025-01-31 13:19:49 +01:00			`sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':`
			`cmd => '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh',`
			`weekday => 'Saturday',`
			`ok_criteria => ['exit_status=0', 'max_age=10d'],`
			`}`
restored some files in cisoas 2025-01-31 16:08:29 +01:00			`file { '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh':`
			`mode => '0744',`
			`owner => 'root',`
			`group => 'root',`
			`content => file('net/cisoassistant/rotate-certs.sh'),`
			`}`
			`sunet::scriptherder::cronjob { 'Rotate le certificates':`
			`cmd => '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh',`
			`hour => '1',`
			`ok_criteria => ['exit_status=0', 'max_age=48h'],`
			`}`
cisoas manifest removal of funs 2025-01-31 14:12:11 +01:00			`# file { '/opt/cisoas/ciso-assistant-community/enterprise/Caddyfile':`
			`# mode => '0744',`
			`# owner => 'root',`
			`# group => 'root',`
			`# content => file('net/cisoassistant/Caddyfile'),`
			`# }`
			`# file { "/etc/systemd/system/sunet-cisoas.service":`
			`# mode => '0644',`
			`# owner => 'root',`
			`# group => 'root',`
			`# content => file('net/cisoassistant/sunet-cisoas.service'),`
			`# notify => [Class['sunet::systemd_reload']],`
			`# }`
			`# service { 'sunet-cisoas' :`
			`# ensure => 'running',`
			`# enable => true,`
			`# require => File['/etc/systemd/system/sunet-cisoas.service'],`
			`# provider => 'systemd',`
			`# }`
cisoas manifest removal of funs 2025-01-31 14:13:10 +01:00			`}`