move tug-lb-1.sunet.se to net-ops

global/overlay/etc/puppet/cosmos-modules/sunet

@@ -0,0 +1 @@
+/Users/mariahaider/Git Repositories/puppet-sunet

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -121,6 +121,12 @@ lb-tug-test-1.sunet.se:
   sunet::lb::load_balancer:
     interface: 'ens3'
 
+tug-lb-1.sunet.se:
+   sunet::dockerhost2:
+   sunet::lb::load_balancer:
+      interface: 'enp67s0f0np0'
+   sunet::fleetlock_client:
+
 nifrontend-sto1-prod-1.sunet.se:
   autoupdate:
   sunet::dockerhost2:

lb-common/overlay/etc/hiera/data/group.yaml

@@ -0,0 +1,691 @@
+---
+sunet_frontend:
+
+  load_balancer:
+    haproxy_imagetag: '20230228-stable'
+    api_imagetag: 'stable'
+    exabgp_imagetag: 'stable'
+
+    peers:
+      se-tug-rs-2.sunet.se:
+        as: '65434'
+        remote_ip: '192.36.171.71'
+      se-tug-rs-2.sunet.se_v6:
+        as: '65434'
+        remote_ip: '2001:6b0:8:7::71'
+      se-sthb-rs-1.sunet.se:
+        as: '65434'
+        remote_ip: '192.36.171.130'
+      se-sthb-rs-1.sunet.se_v6:
+        as: '65434'
+        remote_ip: '2001:6b0:8:1::130'
+
+    websites:
+      'edusealapit':
+        site_name: 'test-api.eduseal.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.18', '2001:6b0:60:c0::18']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.19', '2001:6b0:60:c0::19']
+        backends:
+          default:
+            'car-test-1.eduseal.sunet.se':
+              ips: ['89.45.237.159']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 80
+          - 443
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'edusealapi':
+        site_name: 'api.eduseal.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.104', '2001:6b0:60:c0::104']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.105', '2001:6b0:60:c0::105']
+        backends:
+          default:
+            'car-prod-1.eduseal.sunet.se':
+              ips: ['89.45.236.85']
+              server_args: 'ssl check verify none'
+            'car-prod-2.eduseal.sunet.se':
+              ips: ['89.45.237.154']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 80
+          - 443
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'geteduroam':
+        site_name: 'geteduroam.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.108', '2001:6b0:60:c0::108']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.109', '2001:6b0:60:c0::109']
+        backends:
+          default:
+            'internal-sto1-prod-app-1.geteduroam.sunet.se':
+              ips: ['89.47.184.239', '2001:6b0:5a:4020::41d']
+              server_args: 'ssl check verify none'
+            'internal-dco-prod-app-2.geteduroam.sunet.se':
+              ips: ['89.47.191.96', '2001:6b0:7d:40::19c']
+              server_args: 'ssl check verify none'
+            'internal-sto3-prod-app-3.geteduroam.sunet.se':
+              ips: ['89.45.236.66', '2001:6b0:40::3f']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 80
+          - 443
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'scdemwqa':
+        site_name: 'qa.demw.eidas.swedenconnect.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.42', '2001:6b0:60:c0::42']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.43', '2001:6b0:60:c0::43']
+        backends:
+          default:
+            'demw-1.qa.sveidas.se':
+              ips: ['89.47.184.66']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'artisanidp':
+        site_name: 'artisan-idp-proxy.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.3', '2001:6b0:60:c0::3']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.4', '2001:6b0:60:c0::4']
+        backends:
+          default:
+            'artisan-saas-idp-proxy-1.sunet.se':
+              ips: ['89.47.185.109']
+              server_args: 'ssl check verify none'
+            'artisan-saas-idp-proxy-3.sunet.se':
+              ips: ['89.46.21.236']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'outscan':
+        site_name: 'outscan-idp-proxy.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.68', '2001:6b0:60:c0::68']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.69', '2001:6b0:60:c0::69']
+        backends:
+          default:
+            'outscan-idp-proxy-1.sunet.se':
+              ips: ['89.45.236.70']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'forum':
+        site_name: 'forum.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.15', '2001:6b0:60:c0::15']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.16', '2001:6b0:60:c0::16']
+        backends:
+          default:
+            'forum-1.sunet.se':
+              ips: ['89.45.236.168']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'humhubidp':
+        site_name: 'humhub-idp-proxy.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.13', '2001:6b0:60:c0::13']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.14', '2001:6b0:60:c0::14']
+        backends:
+          default:
+            'humhub-idp-proxy-1.sunet.se':
+              ips: ['89.45.236.42']
+              server_args: 'ssl check verify none'
+            'humhub-idp-proxy-2.sunet.se':
+              ips: ['89.47.185.213']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'sunetidp':
+        site_name: 'idp.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.20', '2001:6b0:60:c0::20']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.21', '2001:6b0:60:c0::21']
+        backends:
+          default:
+            'idp-2.sunet.se':
+              ips: ['192.36.171.241']
+              server_args: 'ssl check verify none cookie idp2'
+            'idp-3.sunet.se':
+              ips: ['89.45.237.76']
+              server_args: 'ssl check verify none cookie idp3'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'zoomidp':
+        site_name: 'zoom-saas-idp-proxy.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.26', '2001:6b0:60:c0::26']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.27', '2001:6b0:60:c0::27']
+        backends:
+          default:
+            'zoom-saas-idp-proxy-3.sunet.se':
+              ips: ['192.36.171.243']
+              server_args: 'ssl check verify none'
+            'zoomproxy-sto1-prod-1.sunet.se':
+              ips: ['89.47.184.173']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'driveidp':
+        site_name: 'drive-idp-proxy.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.9', '2001:6b0:60:c0::9']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.10', '2001:6b0:60:c0::10']
+        backends:
+          default:
+            'drive-idp-proxy-1.sunet.se':
+              ips: ['89.45.237.92']
+              server_args: 'ssl check verify none'
+            'drive-idp-proxy-2.sunet.se':
+              ips: ['89.46.20.165']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'kubetest':
+        site_name: 'kubetest.streams.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.38', '2001:6b0:60:c0::38']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.39', '2001:6b0:60:c0::39']
+        backends:
+          default:
+            'internal-dco-test-k8sc-1.streams.sunet.se':
+              ips: ['89.47.191.134']
+              haproxy_config: '  server SERVER_v4 REMOTE_IP:PORT'
+              server_args: 'check inter 1s rise 30 fall 3'
+            'internal-dco-test-k8sc-2.streams.sunet.se':
+              ips: ['89.47.191.169']
+              haproxy_config: '  server SERVER_v4 REMOTE_IP:PORT'
+              server_args: 'check inter 1s rise 30 fall 3'
+            'internal-dco-test-k8sc-3.streams.sunet.se':
+              ips: ['89.47.190.18']
+              haproxy_config: '  server SERVER_v4 REMOTE_IP:PORT'
+              server_args: 'check inter 1s rise 30 fall 3'
+        allow_ports:
+          - 16443
+          - 443
+          - 80
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'sveidas1':
+        site_name: 'qa.proxy.eidas.swedenconnect.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.30', '2001:6b0:60:c0::30']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.31', '2001:6b0:60:c0::31']
+        backends:
+          default:
+            'eidas-proxy-1.qa.sveidas.se':
+              ips: ['89.47.184.111']
+              haproxy_config: '  server SERVER_v4 REMOTE_IP:PORT'
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'sveidas2':
+        site_name: 'qa.connector.eidas.swedenconnect.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.32', '2001:6b0:60:c0::32']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.33', '2001:6b0:60:c0::33']
+        backends:
+          default:
+            'eidas-node-1.qa.sveidas.se':
+              ips: ['89.47.185.69']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'sweconn1':
+        site_name: 'qa.md.swedenconnect.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.34', '2001:6b0:60:c0::34']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.35', '2001:6b0:60:c0::35']
+        backends:
+          default:
+            'p1.komreg.net':
+              ips: ['89.47.185.233']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'sweconn2':
+        site_name: 'qa.md.eidas.swedenconnect.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.36', '2001:6b0:60:c0::36']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.37', '2001:6b0:60:c0::37']
+        backends:
+          default:
+            'p2.qa.komreg.net':
+              ips: ['89.47.184.153']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'scapi':
+        site_name: 'api.swedenconnect.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.11', '2001:6b0:60:c0::11']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.12', '2001:6b0:60:c0::12']
+        backends:
+          default:
+            'eidastest-1.qa.sveidas.se':
+              ips: ['89.47.185.83']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'sctestqa':
+        site_name: 'qa.test.swedenconnect.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.40', '2001:6b0:60:c0::40']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.41', '2001:6b0:60:c0::41']
+        backends:
+          default:
+            'test-1.qa.sveidas.se':
+              ips: ['89.47.184.60']
+              server_args: 'ssl check verify none'
+          refidp:
+            'refidp-1.qa.sveidas.se':
+              ips: ['89.47.184.213']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'idmqa':
+        site_name: 'qa.idm.eidas.swedenconnect.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.96', '2001:6b0:60:c0::96']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.97', '2001:6b0:60:c0::97']
+        backends:
+          default:
+            'idm-sto1-qa-app-1.komreg.net':
+              ips: ['89.47.184.15']
+              server_args: 'ssl check verify none'
+            'idm-sto3-qa-app-2.komreg.net':
+              ips: ['89.45.236.223']
+              server_args: 'ssl check verify none'
+            'idm-sto1-qa-app-3.komreg.net':
+              ips: ['89.47.184.233']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 80
+          - 443
+        letsencrypt_server: 'acme-c.sunet.se'
+        eidas_proxy_auth: 'cianMiShreldajOoburiryeuGroyld'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'sunetse':
+        site_name: 'sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.50', '2001:6b0:60:c0::50']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.51', '2001:6b0:60:c0::51']
+        backends:
+          default:
+            'web-b1.sunet.se':
+              ips: ['89.47.185.81']
+              server_args: 'ssl check verify none'
+            'web-b2.sunet.se':
+              ips: ['89.47.185.150']
+              server_args: 'ssl check verify none'
+            'web-b3.sunet.se':
+              ips: ['192.36.171.85']
+              server_args: 'ssl check verify none'
+            'web-sb1.sunet.se':
+              ips: ['192.36.171.160']
+              server_args: 'ssl check verify none backup'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'ers':
+        site_name: 'ers.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.92', '2001:6b0:60:c0::92']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.93', '2001:6b0:60:c0::93']
+        backends:
+          default:
+            'projecttool-prod-1.sunet.se':
+              ips: ['89.47.184.234']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'fidusmd':
+        site_name: 'md.fidus.skolverket.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.46', '2001:6b0:60:c0::46']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.47', '2001:6b0:60:c0::47']
+        backends:
+          default:
+            'pub-1.fidus.sunet.se':
+              ips: ['130.242.132.147']
+              server_args: 'ssl check verify none'
+            'pub-2.fidus.sunet.se':
+              ips: ['130.242.132.19']
+              server_args: 'ssl check verify none'
+          test:
+            'p-test-1.fidus.sunet.se':
+              ips: ['89.45.236.10']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'fidusds':
+        haproxy_volumes:
+          - "/opt/frontend/config/common/robots.txt:/opt/frontend/config/common/robots.txt:ro"
+        site_name: 'ds.fidus.skolverket.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.48', '2001:6b0:60:c0::48']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.49', '2001:6b0:60:c0::49']
+        backends:
+          default:
+            'dsi-3.fidus.sunet.se':
+              ips: ['130.242.132.149']
+              server_args: 'ssl check verify none'
+            'dsi-4.fidus.sunet.se':
+              ips: ['130.242.132.21']
+              server_args: 'ssl check verify none'
+          test:
+            'dsi-test-2.fidus.sunet.se':
+              ips: ['89.45.236.191']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'signgnt':
+        site_name: 'edusign.geant.org'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.78', '2001:6b0:60:c0::78']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.79', '2001:6b0:60:c0::79']
+        backends:
+          default:
+            'signapp-geant-sthb-1.edusign.sunet.se':
+              ips: ['130.242.113.24']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'sigsvcgnt':
+        site_name: 'signservice-geant.edusign.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.90', '2001:6b0:60:c0::90']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.91', '2001:6b0:60:c0::91']
+        backends:
+          default:
+            'signservice-sthb-1.edusign.sunet.se':
+              ips: ['130.242.113.22']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80 
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'apignt':
+        site_name: 'apignt.edusign.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.44', '2001:6b0:60:c0::44']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.45', '2001:6b0:60:c0::45']
+        backends:
+          default:
+            'signapi-sthb-1.edusign.sunet.se':
+              ips: ['130.242.113.23']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'edusign':
+        site_name: 'edusign.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.56', '2001:6b0:60:c0::56']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.57', '2001:6b0:60:c0::57']
+        backends:
+          default:
+            'signapp-tug-1.edusign.sunet.se':
+              ips: ['130.242.113.4']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'edusignapi':
+        site_name: 'api.edusign.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.24', '2001:6b0:60:c0::24']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.25', '2001:6b0:60:c0::25']
+        backends:
+          default:
+            'signapp-sthb-1.edusign.sunet.se':
+              ips: ['130.242.113.21']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+## cannot be migrated due to "ssl handshake failure". Probably too old version of signservice.
+#      'signservice':
+#        site_name: 'signservice.edusign.sunet.se'
+#        frontends:
+#          'tug-lb-1.sunet.se':
+#            ips: ['37.156.192.58', '2001:6b0:60:c0::58']
+#          'sthb-lb-1.sunet.se':
+#            ips: ['37.156.192.59', '2001:6b0:60:c0::59']
+#        backends:
+#          default:
+#            'signservice-tug-1.edusign.sunet.se':
+#              ips: ['130.242.113.5']
+#              server_args: 'ssl check verify none'
+#        allow_ports:
+#          - 443
+#          - 80
+#        letsencrypt_server: 'acme-c.sunet.se'
+#        haproxy_imagetag: '20230228-stable'
+#        frontendtools_imagetag: '20230228'
+
+      'validator':
+        site_name: 'validator.edusign.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.7', '2001:6b0:60:c0::7']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.8', '2001:6b0:60:c0::8']
+        backends:
+          default:
+            'validator-sthb-1.edusign.sunet.se':
+              ips: ['130.242.113.20']
+              server_args: 'ssl check verify none'
+        allow_ports:
+          - 443
+          - 80
+        letsencrypt_server: 'acme-c.sunet.se'
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'
+
+      'rutprod':
+        site_name: 'kubeprod.rut.sunet.se'
+        frontends:
+          'tug-lb-1.sunet.se':
+            ips: ['37.156.192.94', '2001:6b0:60:c0::94']
+          'sthb-lb-1.sunet.se':
+            ips: ['37.156.192.95', '2001:6b0:60:c0::95']
+        backends:
+          default:
+            'internal-sto4-prod-k8sc-0.rut.sunet.se':
+              ips: ['2001:6b0:6c::1dd', '89.46.21.223']
+            'internal-sto4-prod-k8sc-1.rut.sunet.se':
+              ips: ['2001:6b0:6c::27f', '89.46.21.87']
+            'internal-sto4-prod-k8sc-2.rut.sunet.se':
+              ips: ['2001:6b0:6c::3b7', '89.46.20.39']
+        allow_ports:
+          - 80
+          - 443
+        haproxy_imagetag: '20230228-stable'
+        frontendtools_imagetag: '20230228'

lb-common/overlay/etc/sunet-machine-healthy/health-checks.d/lb_healthcheck.py.check

@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+
+import yaml
+import subprocess
+import time
+import sys
+
+groupyaml = '/etc/hiera/data/group.yaml'
+
+def get_frontends(data):
+  try:
+    return list(data['sunet_frontend']['load_balancer']['websites'].keys())
+  except KeyError:
+    return []
+
+def check_docker_instance_status(instance):
+  cmd = f"docker inspect -f {r'{{.State.Status}}'} {instance}"
+  result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+  return result.stdout.strip() == 'running'
+
+def is_exabgp_running():
+  cmd = ["systemctl", "is-active", "exabgp.service"]
+  result = subprocess.run(cmd, capture_output=True, text=True)
+  return result.stdout.strip() == 'active'
+
+def check_docker_instances(instances, max_retries=3, initial_wait=10):
+  for instance in instances:
+    retries = 0
+    while retries < max_retries:
+      if check_docker_instance_status(instance):
+        print(f"Instance: {instance} is running!")
+        break
+      else:
+        print(f"Instance: {instance} is not running! Will try again in {initial_wait * (2**retries)} seconds.")
+        time.sleep(initial_wait * (2**retries))
+        retries += 1
+    if retries == max_retries:
+      print(f"Max retries reached for instance: {instance}, exiting!")
+      sys.exit(1)
+
+def check_exabgp_running(max_retries=3, initial_wait=10):
+  retries = 0
+  while retries < max_retries:
+    if is_exabgp_running():
+      print("ExaBGP service is running!")
+      break
+    else:
+      print(f"Exabgp is not running! Will try again in {initial_wait * (2**retries)} seconds.")
+      time.sleep(initial_wait * (2**retries))
+      retries += 1
+  if retries == max_retries:
+    print(f"Max retries reached for checking if exabgp is running, exiting!")
+    sys.exit(1)
+
+with open(groupyaml, 'r') as f:
+  data = yaml.safe_load(f)
+
+frontends = get_frontends(data)
+instances = []
+
+for frontend in frontends:
+  instances.append(frontend + '-haproxy-1')
+  instances.append(frontend + '-monitor-1')
+  instances.append(frontend + '-config-1')
+
+instances.append('frontend-api-1')
+instances.append('frontend-telegraf-1')
+
+check_exabgp_running()
+check_docker_instances(instances)
+sys.exit(0)

lb-common/overlay/opt/frontend/config/apignt/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/artisanidp/haproxy.j2

@@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/bankidp/haproxy.j2

@@ -0,0 +1,28 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }}  {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional  crt-ignore-err all  ca-file /etc/ssl/certs/ca-certificates.crt") }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+    http-request set-header client-cert %{+Q}[ssl_c_der,base64]
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/common/haproxy_22_tcp_mode.j2

@@ -0,0 +1,122 @@
+# haproxy for SUNET frontend load balancer nodes.
+#
+{% from "common/haproxy_macros.j2" import output_backends %}
+
+{% block global %}
+global
+    log stdout  format raw  local0  debug
+
+    daemon
+    maxconn 256
+    stats socket /haproxy_control/stats mode 660
+    #server-state-file /tmp/server_state
+    hard-stop-after 10s
+
+    # whole container is started as non-root
+    #user haproxy
+    #group haproxy
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Mozilla Guideline v5.7 intermediate configuration
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    # end Mozilla config
+
+    tune.ssl.default-dh-param 2048
+
+    max-spread-checks 10s
+    spread-checks 5
+{% endblock global %}
+
+
+{% block defaults %}
+defaults
+    log global
+    mode http
+    option httplog
+    option dontlognull
+    option redispatch
+    option forwardfor
+    # funny looking values because recommendation is to have these slightly
+    # above mulitples of three seconds to play nice with TCP resend timers
+    timeout check 5s
+    timeout connect 4s
+    timeout client 17s
+    timeout server 17s
+    timeout http-request 5s
+    balance roundrobin
+
+    # never fail on address resolution
+    default-server init-addr libc,none
+{% endblock defaults %}
+
+{% block stats %}
+frontend LB-http
+    # expose stats info over HTTP to exabgp
+    bind 127.0.0.1:9000
+    http-request set-log-level silent
+    default_backend LB
+
+backend LB
+    stats enable
+    #stats hide-version
+    stats uri /haproxy_stats
+{% endblock stats %}
+
+#
+# Frontend section
+#
+{% block frontend_80 %}
+{% endblock frontend_80 %}
+{% block frontend %}
+{% endblock frontend %}
+
+
+#
+# Backend section
+#
+{% block pre_backend %}
+{% endblock pre_backend %}
+
+{% block backend %}
+{% if backends is defined %}
+{%- for this in backends %}
+backend {{ this.name }}
+mode tcp
+  {{ config|join('\n  ') }}
+  {%- for server in this.servers %}
+  {%- if server.server_args is defined %}
+  {%-   set server_args = server.server_args %}
+  {%- endif %}
+  {% if server is defined %}
+  server {{ server.server }}_{{ server.address_family }} {{ server.ip }}:{{ server.port }} {{ server_args }}
+  {%- endif %}
+  {%- endfor %}
+{%- endfor %}
+
+{%- for this in backends %}
+backend {{ this.name | replace("__default","__port80") }}
+mode tcp
+  {{ config|join('\n  ') }}
+  {%- for server in this.servers %}
+  {%- if server.server_args is defined %}
+  {%-   set server_args = server.server_args %}
+  {%- endif %}
+  {% if server is defined %}
+  server {{ server.server }}_{{ server.address_family }} {{ server.ip }}:80 {{ server_args }}
+  {%- endif %}
+  {%- endfor %}
+{%- endfor %}
+{% else %}
+# No backends found in context
+{% endif %}
+
+{% endblock backend %}

lb-common/overlay/opt/frontend/config/common/haproxy_base.j2

@@ -0,0 +1,116 @@
+# haproxy for SUNET frontend load balancer nodes.
+#
+{% from "common/haproxy_macros.j2" import output_backends %}
+
+{% block global %}
+global
+    log stdout  format raw  local0  debug
+
+    daemon
+    maxconn 256
+    stats socket /haproxy_control/stats mode 660
+    #server-state-file /tmp/server_state
+
+    # whole container is started as non-root
+    #user haproxy
+    #group haproxy
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Mozilla Guideline v5.7 intermediate configuration
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    # end Mozilla config
+
+    tune.ssl.default-dh-param 2048
+
+    spread-checks 20
+
+
+
+{% endblock global %}
+
+
+{% block defaults %}
+defaults
+    log global
+    mode http
+    option httplog
+    option dontlognull
+    option redispatch
+    option forwardfor
+    # funny looking values because recommendation is to have these slightly
+    # above mulitples of three seconds to play nice with TCP resend timers
+    timeout check 5s
+    timeout connect 4s
+    timeout client 17s
+    timeout server 17s
+    timeout http-request 5s
+
+    # never fail on address resolution
+    default-server init-addr libc,none
+    balance roundrobin
+{% endblock defaults %}
+
+{% block stats %}
+frontend LB-http
+    # expose stats info over HTTP to exabgp
+    bind 127.0.0.1:9000
+    http-request set-log-level silent
+    default_backend LB
+
+backend LB
+    stats enable
+    #stats hide-version
+    stats uri /haproxy_stats
+{% endblock stats %}
+
+
+{% block global_backends %}
+{% if letsencrypt_server is defined %}
+backend letsencrypt_{{ letsencrypt_server }}
+  server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
+{% else %}
+# letsencrypt_backend not defined
+{% endif %}
+{% endblock global_backends %}
+
+
+{% block https_everything %}
+#
+# Redirect _everything_ to HTTPS
+frontend http-frontend
+    bind 0.0.0.0:80
+    bind :::80
+
+    redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ }
+{% if letsencrypt_server is defined %}
+    use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
+{% else %}
+    # letsencrypt_backend not defined
+{% endif %}
+{% endblock https_everything %}
+
+#
+# Frontend section
+#
+{% block frontend %}
+{% endblock frontend %}
+
+
+#
+# Backend section
+#
+{% block pre_backend %}
+{% endblock pre_backend %}
+
+{% block backend %}
+{{ output_backends(backends, config=[]) }}
+{% endblock backend %}

lb-common/overlay/opt/frontend/config/common/haproxy_eidas.j2

@@ -0,0 +1,31 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+    http-request set-header X-Proxy-Authenticate "{{ eidas_proxy_auth }}"
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+    {{ csp(["default-src "               + ["'self'"]|join(' '),
+	    "font-src "                  + ["'self'", "fonts.googleapis.com", "fonts.gstatic.com"]|join(' '),
+	    "script-src "                + ["'self'", "'unsafe-inline'", "swedenconnect.status.io", "api.status.io", "www.google-analytics.com", "ajax.googleapis.com"]|join(' '),
+	    "connect-src "               + ["'self'","api.status.io"]|join(' '),
+	    "img-src "                   + ["*", "data:", "'self'"]|join(' '),
+	    "style-src "                 + ["'self'", "'unsafe-inline'", "fonts.googleapis.com"]|join(' '),
+	    ]) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    {% block usebackend %}
+    use_backend {{ site_name }}__default
+    {% endblock usebackend %}
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/common/haproxy_fidus.j2

@@ -0,0 +1,32 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['hsts', 'no_sniff', 'no_cache']) }}
+
+    {{ csp(["default-src "               + ["'self'"]|join(' '),
+            "frame-src "		 + ["ds.fidus.skolverket.se"]|join(' '),
+	    "font-src "                  + ["'self'", "fonts.googleapis.com", "ds.fidus.skolverket.se", "bootstrapcdn.com", "fonts.gstatic.com"]|join(' '),
+	    "script-src "                + ["'self'", "'unsafe-inline'", "'unsafe-eval'", "fidus.status.io", "ds.fidus.skolverket.se", "stackpath.bootstrapcdn.com", "api.status.io", "www.google-analytics.com", "ajax.googleapis.com"]|join(' '),
+	    "connect-src "               + ["'self'","api.status.io"]|join(' '),
+	    "img-src "                   + ["*", "data:", "'self'"]|join(' '),
+	    "style-src "                 + ["'self'", "'unsafe-inline'", "ds.fidus.skolverket.se", "stackpath.bootstrapcdn.com", "fonts.googleapis.com"]|join(' '),
+            "object-src "                + ["'none'"]|join(' '),
+	    ]) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    {% block usebackend %}
+    use_backend {{ site_name }}__default
+    {% endblock usebackend %}
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/common/haproxy_fidus_ds.j2

@@ -0,0 +1,35 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+
+    http-request return status 200 content-type "text/plain" file "/opt/frontend/config/common/robots.txt" hdr "cache-control" "no-cache"  if { path /robots.txt }
+
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['hsts', 'no_sniff', 'no_cache']) }}
+
+    {{ csp(["default-src "               + ["'self'"]|join(' '),
+            "frame-src "		 + ["ds.fidus.skolverket.se"]|join(' '),
+	    "font-src "                  + ["data:", "'self'", "ds.fidus.skolverket.se"]|join(' '),
+	    "script-src "                + ["'self'", "'unsafe-inline'", "'unsafe-eval'", "ds.fidus.skolverket.se"]|join(' '),
+	    "connect-src "               + ["'self'"]|join(' '),
+	    "img-src "                   + ["*", "data:", "'self'"]|join(' '),
+	    "style-src "                 + ["'self'", "'unsafe-inline'", "ds.fidus.skolverket.se"]|join(' '),
+            "object-src "                + ["'none'"]|join(' '),
+	    ]) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    {% block usebackend %}
+    use_backend {{ site_name }}__default
+    {% endblock usebackend %}
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/common/haproxy_idp.j2

@@ -0,0 +1,24 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+    {{ csp(["default-src "               + [csp_app_src]|join(' '),
+	    "script-src "                + [csp_script_src]|join(' '),
+	    ]) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/common/haproxy_macros.j2

@@ -0,0 +1,77 @@
+#
+# Macros
+#
+
+{%- macro bind_ip_tls(bind_ips, port, tls_cert) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }}
+{%- endfor %}
+{%- endmacro %}
+
+
+{%- macro web_security_options(list) -%}
+{%- for this in list %}
+{%- if this == 'no_frames' %}
+    # Do not allow rendering the site within an frame, which prevents clickjacking.
+    http-response set-header X-Frame-Options "DENY"
+
+{% endif %}
+{%- if this == 'block_xss' %}
+    # Enable browser supplied XSS-protection, even if has been turned off.
+    # If XSS is detected by the browser, block it instead of trying to sanitize it.
+    http-response set-header X-XSS-Protection "1; mode=block"
+
+{% endif %}
+{%- if this == 'hsts' %}
+    # 20 years in seconds is 630720000 (86400 * 365 * 20)
+    http-response set-header Strict-Transport-Security "max-age=630720000"
+
+{% endif %}
+{%- if this == 'no_sniff' %}
+    # Prevent MIME-confusion attacks that can lead to e.g. XSS
+    http-response set-header X-Content-Type-Options "nosniff"
+
+{% endif %}
+{%- if this == 'no_cache' %}
+    # The information is intended for a single user and must not
+    # be cached by a shared cache and should always be revalidated.
+    http-response set-header Cache-Control "no-cache, no-store, must-revalidate"
+    http-response set-header Pragma "no-cache"
+    http-response set-header Expires "0"
+
+{% endif %}
+{%- endfor %}
+{%- endmacro %}
+
+
+{%- macro acme_challenge(letsencrypt_server) -%}
+{%- if letsencrypt_server is defined %}
+    use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
+{%- else %}
+    # No letsencrypt_server specified
+{%- endif %}
+{%- endmacro %}
+
+{%- macro csp(data) -%}
+    # Content Security Policy
+    http-response set-header Content-Security-Policy "{{ data|join('; ') }}"
+{%- endmacro %}
+
+{%- macro output_backends(backends, config=[], server_args='') -%}
+{% if backends is defined %}
+{%- for this in backends %}
+backend {{ this.name }}
+  {{ config|join('\n  ') }}
+  {%- for server in this.servers %}
+  {%- if server.server_args is defined %}
+  {%-   set server_args = server.server_args %}
+  {%- endif %}
+  {% if server is defined %}
+  server {{ server.server }}_{{ server.address_family }} {{ server.ip }}:{{ server.port }} {{ server_args }}
+  {%- endif %}
+  {%- endfor %}
+{%- endfor %}
+{% else %}
+# No backends found in context
+{% endif %}
+{%- endmacro %}

lb-common/overlay/opt/frontend/config/common/robots.txt

@@ -0,0 +1,2 @@
+User-Agent: *
+Disallow: /

lb-common/overlay/opt/frontend/config/driveidp/haproxy.j2

@@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/edusealapi/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/edusealapit/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/edusign/haproxy.j2

@@ -0,0 +1,25 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+    option forwardfor header X-Real-IP
+    http-request set-header X-Real-IP %[src]
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    ## acl user_eudsign hdr(user-agent) -i edusign
+    ## http-request redirect location https://www.sunet.se/maintenance/edusign/ if ! user_eudsign
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/edusignapi/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/ers/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/fidusds/haproxy.j2

@@ -0,0 +1,6 @@
+{% extends 'common/haproxy_fidus_ds.j2' %}
+
+{% block usebackend %}
+    use_backend {{ site_name }}__test if { path_beg /test/ }
+    use_backend {{ site_name }}__default
+{% endblock usebackend %}

lb-common/overlay/opt/frontend/config/fidusmd/haproxy.j2

@@ -0,0 +1,7 @@
+{% extends 'common/haproxy_fidus.j2' %}
+
+{% block usebackend %}
+    use_backend {{ site_name }}__test if { path_beg /test/ }
+    use_backend {{ site_name }}__default
+{% endblock usebackend %}
+

lb-common/overlay/opt/frontend/config/forum/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/geteduroam/haproxy.j2

@@ -0,0 +1,32 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }}  {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional  crt-ignore-err all  ca-file /etc/ssl/certs/ca-certificates.crt") }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+    http-request set-header client-cert %{+Q}[ssl_c_der,base64]
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}
+{% block backend %}
+{{ output_backends(backends, config=['cookie SERVERID insert indirect nocache
+']) }}
+{% endblock backend %}

lb-common/overlay/opt/frontend/config/humhubidp/haproxy.j2

@@ -0,0 +1,21 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/idmqa/haproxy.j2

@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}

lb-common/overlay/opt/frontend/config/kubemtx/haproxy.j2

@@ -0,0 +1,39 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }}  {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend_80 %}
+frontend {{ site_name }}_port80
+{%- for ip in bind_ips %}
+    bind {{ ip }}:80
+{%- endfor %}
+    mode tcp 
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+
+    use_backend {{ site_name }}__port80
+{% endblock frontend_80 %}
+
+{% block frontend %}
+frontend {{ site_name }}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:443
+{%- endfor %}
+    mode tcp 
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/kubetest/haproxy.j2

@@ -0,0 +1,105 @@
+global
+    log stdout  format raw  local0  debug
+
+    daemon
+    maxconn 256
+    stats socket /haproxy_control/stats mode 660
+    #server-state-file /tmp/server_state
+
+    # whole container is started as non-root
+    #user haproxy
+    #group haproxy
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Mozilla Guideline v5.7 intermediate configuration
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    # end Mozilla config
+
+    tune.ssl.default-dh-param 2048
+
+    spread-checks 20
+
+defaults
+    log global
+    mode http
+    option httplog
+    option dontlognull
+    option redispatch
+    option forwardfor
+    # funny looking values because recommendation is to have these slightly
+    # above mulitples of three seconds to play nice with TCP resend timers
+    timeout check 5s
+    timeout connect 4s
+    timeout client 17s
+    timeout server 17s
+    timeout http-request 5s
+
+    # never fail on address resolution
+    default-server init-addr libc,none
+    balance roundrobin
+
+frontend LB-http
+    # expose stats info over HTTP to exabgp
+    bind 127.0.0.1:9000
+    http-request set-log-level silent
+    default_backend LB
+
+backend LB
+    stats enable
+    #stats hide-version
+    stats uri /haproxy_stats
+
+{% block frontend %}
+frontend http-frontend
+    bind 0.0.0.0:80
+    bind :::80
+
+    use_backend {{site_name}}__letsencrypt
+
+frontend {{ site_name }}
+    log stdout format raw local0 debug
+    mode tcp
+    bind 0.0.0.0:443
+    bind :::443
+
+    stats enable
+
+    use_backend {{ site_name }}__default
+
+frontend {{ site_name }}__16443
+    mode tcp
+    bind 0.0.0.0:16443
+    bind :::16443
+
+    use_backend {{ site_name }}__16443
+{% endblock frontend %}
+
+{% block backend %}
+backend {{ site_name }}__16443
+    mode tcp
+    balance leastconn
+    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:16443 check inter 1s rise 30 fall 3
+    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:16443 check inter 1s rise 30 fall 3
+    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:16443 check inter 1s rise 30 fall 3
+backend {{ site_name }}__default
+    mode tcp
+    balance leastconn
+    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:443 check inter 1s rise 30 fall 3
+    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:443 check inter 1s rise 30 fall 3
+    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:443 check inter 1s rise 30 fall 3
+backend {{ site_name }}__letsencrypt
+    mode http
+    balance leastconn
+    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:80 check inter 1s rise 30 fall 3
+    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:80 check inter 1s rise 30 fall 3
+    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:80 check inter 1s rise 30 fall 3
+{% endblock backend %}

lb-common/overlay/opt/frontend/config/outscan/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/rutprod/haproxy.j2

@@ -0,0 +1,37 @@
+{% extends 'common/haproxy_22_tcp_mode.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }}  {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend_80 %}
+frontend {{ site_name }}_port80
+{%- for ip in bind_ips %}
+    bind {{ ip }}:80
+{%- endfor %}
+    mode tcp 
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+
+    use_backend {{ site_name }}__port80
+{% endblock frontend_80 %}
+
+{% block frontend %}
+frontend {{ site_name }}
+{%- for ip in bind_ips %}
+    bind {{ ip }}:443
+{%- endfor %}
+    mode tcp 
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/scapi/haproxy.j2

@@ -0,0 +1,7 @@
+{% extends 'common/haproxy_eidas.j2' %}
+
+{% block usebackend %}
+    http-response set-header Access-Control-Allow-Origin "*"
+    use_backend {{ site_name }}__default if { path_beg /testid/ }
+{% endblock usebackend %}
+

lb-common/overlay/opt/frontend/config/scdemwqa/haproxy.j2

@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}

lb-common/overlay/opt/frontend/config/sctestqa/haproxy.j2

@@ -0,0 +1,6 @@
+{% extends 'common/haproxy_eidas.j2' %}
+
+{% block usebackend %}
+    use_backend {{ site_name }}__refidp if { path_beg /idp/ }
+    use_backend {{ site_name }}__default
+{% endblock usebackend %}

lb-common/overlay/opt/frontend/config/signgnt/haproxy.j2

@@ -0,0 +1,22 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+    option forwardfor header X-Real-IP
+    http-request set-header X-Real-IP %[src]
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/signservice/haproxy.j2

@@ -0,0 +1,19 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 300s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/sigsvcgnt/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/sunetidp/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/sunetse/haproxy.j2

@@ -0,0 +1,361 @@
+{% extends 'sunetse/haproxy_sunetse_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+
+    ## defines for hosts
+    acl host_swamid hdr_reg(host) -i ^(www\.)?swamid\.se$
+    acl host_wiki_swamid hdr_reg(host) -i ^wiki\.swamid\.se$
+    acl host_eduroam hdr_reg(host) -i ^(www\.)?eduroam\.se$
+    acl host_sunet hdr_reg(host) -i ^(www\.)?sunet\.se$
+    acl host_lms_sunet hdr_reg(host) -i ^lms\.sunet\.se$
+    acl host_sunetdagarna hdr_reg(host) -i ^(www\.)?sunetdagarna\.se$
+
+    ## General redirects
+
+    acl url_ping path /ping
+    acl url_root path /
+    acl req_head method HEAD
+
+    # dos with specific user-agent
+    acl user_adam hdr(user-agent) -i snapchat.com/add/adam.kindvall
+    http-request deny deny_status 200 if user_adam
+
+    # /ping
+    http-request deny deny_status 200 if host_sunet url_ping
+
+    # rate limiting for head requests
+    stick-table  type ip  size 100k  expire 30s  store http_req_rate(10s)
+    http-request track-sc0 src
+    acl too_many_requests sc_http_req_rate(0) gt 50
+
+    http-request deny deny_status 429 if url_root req_head too_many_requests
+
+    # deny (200) all head request for /
+    http-request deny deny_status 200 if url_root req_head
+
+
+    ## Redirects for eduroam
+
+    acl url_eduroam path_beg /eduroam
+
+    http-request redirect location https://www.sunet.se/services/nat/eduroam if host_eduroam
+
+    http-request redirect location https://www.sunet.se/services/nat/eduroam if host_sunet url_eduroam
+
+    ## Redirects for swamid
+
+    acl url_swamid_incident path_beg /incident
+    acl url_swamid_community path_beg /community-consultation
+    acl url_swamid_getting_started path_beg /getting-started
+    acl	url_swamid_policy path_beg /policy
+    acl	url_swamid_policy_eduroam path_beg /policy/technology/eduroam
+    acl url_swamid_policy_saml path_beg /policy/technology/saml
+    acl url_swamid_policy_al1 path_beg /policy/assurance/al1
+    acl url_swamid_policy_al2 path_beg /policy/assurance/al2
+    acl url_swamid_policy_al3 path_beg /policy/assurance/al3
+    acl url_swamid_policy_mdrps path_beg /policy/mdrps
+    acl url_swamid path_beg /swamid
+    acl url_swamid_kontakt path_beg /swamid/kontakt
+
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/SWAMID+Incident+Management+Procedures if host_swamid url_swamid_incident
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/SWAMID+Consultations if host_swamid url_swamid_community
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/Getting+Started+with+SWAMID if host_swamid url_swamid_getting_started
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/eduroam+Technology+Profile if host_swamid url_swamid_policy_eduroam
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/SAML+WebSSO+Technology+Profile if host_swamid url_swamid_policy_saml
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/Identity+Assurance+Level+1+Profile if host_swamid url_swamid_policy_al1
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/Identity+Assurance+Level+2+Profile if host_swamid url_swamid_policy_al2
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/Identity+Assurance+Level+3+Profile if host_swamid url_swamid_policy_al3
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/SWAMID+eduGAIN+Metadata+Registration+Practice+Statement if host_swamid url_swamid_policy_mdrps
+
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/SWAMID+Policy if host_swamid url_swamid_policy
+
+    http-request redirect location https://wiki.sunet.se/display/SWAMID if host_swamid
+    http-request redirect location https://wiki.sunet.se/display/SWAMID if host_wiki_swamid
+
+    http-request redirect location https://wiki.sunet.se/display/SWAMID/Contact+SWAMID if host_sunet url_swamid_kontakt
+    http-request redirect location https://wiki.sunet.se/display/SWAMID if host_sunet url_swamid
+
+
+    ## Redirects for sunet
+
+    acl url_sunet_net_policy path_beg /policy-for-tillaten-anvandning
+    acl url_sunet_cert_2350 path_beg /sunet-cert-rfc-2350-profile
+    acl url_sunet_portalpriser path_beg /portalpriser.pdf
+    acl url_sunet_molnet_policy path_beg /tjanster/molnportal
+    acl url_sunet_snc path_beg /snc
+
+    http-request redirect location https://wiki.sunet.se/pages/viewpage.action?pageId=59572260 if host_lms_sunet
+
+    #http-request redirect location https://eu01events.zoom.us/ev/Am3l_EqP5rTwqgwT_GPlwpThTY9DFKP8HgwDLEwAVFSXrjrF5Eg8~AggLXsr32QYFjq8BlYLZ5I06Dg if host_sunetdagarna
+    #http-request redirect location https://registration.invajo.com/2d97d036-e9cf-49be-bf6a-ba2aca5b99a5 if host_sunetdagarna
+    http-request redirect location  https://wiki.sunet.se/pages/viewpage.action?pageId=229814010 if host_sunetdagarna
+
+    http-request redirect location https://sunet.se/services/molnbaserade-tjanster/virtuella-servrar if host_sunet url_sunet_molnet_policy
+    http-request redirect location https://www.sunet.se/om-sunet/policy-for-tillaten-anvandning-och-etiska-regler if host_sunet url_sunet_net_policy
+    http-request redirect location https://wiki.sunet.se/display/OperativtSakerhetscenter/SUNET+CERT+RFC+2350+PROFILE if host_sunet url_sunet_cert_2350
+    http-request redirect location https://sunet.se/wp-content/uploads/2019/09/Prislista-Molntja%%CC%%88nster.pdf if host_sunet url_sunet_portalpriser
+    http-request redirect location https://sunet.se/om-sunet/snc-project/ if host_sunet url_sunet_snc 
+
+    # Redirects for old sunet blog
+
+    acl url_sunet_blog_1 path_beg /case/praktikfall-ett-radioteleskop-kommer-sallan-ensamt
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Praktikfall-Ett-radioteleskop-kommer-sa%%CC%%88llan-ensamt-SUNET-2018-04-18.pdf if host_sunet url_sunet_blog_1
+
+    acl	url_sunet_blog_2 path_beg /case/det-svenska-tidslagret-och-varfor-du-behover-det
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Praktikfall-Det-svenska-tidslagret-och-varfo%%CC%%88r-du-beho%%CC%%88ver-det-SUNET-2018-02-08.pdf if host_sunet url_sunet_blog_2
+
+    acl url_sunet_blog_3 path_beg /case/praktikfall-tradlosa-nat-as-pa-su
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Praktikfall-Tra%%CC%%8Adlo%%CC%%88sa-na%%CC%%88t-%%E2%%80%%93-AS-pa%%CC%%8A-SU-SUNET-2017-11-29.pdf if host_sunet url_sunet_blog_3
+
+    acl url_sunet_blog_4 path_beg /blogg/dns-och-dnssec-utan-facksnack
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/DNS-och-DNSSEC-utan-facksnack-SUNET-2018-01-30.pdf if host_sunet url_sunet_blog_4
+
+    acl url_sunet_blog_6 path_beg /blogg/sunet-i-hongkong
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/SUNET-i-Hongkong-SUNET-2017-09-20.pdf if host_sunet url_sunet_blog_6
+
+    acl url_sunet_blog_5 path_beg /blogg/sa-arbetar-noc
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Sa%%CC%%8A-arbetar-NOC-SUNET-2017-11-13.pdf if host_sunet url_sunet_blog_5
+
+    acl url_sunet_blog_7 path_beg /blogg/sunets-handbok-i-informations-och-it-sakerhet/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/SUNETs-handbok-i-informations-och-IT-sa%%CC%%88kerhet-SUNET-2017-09-01.pdf if host_sunet url_sunet_blog_7
+
+
+    acl url_sunet_blog_8 path_beg /blogg/den-okanda-hasten-fran-troja/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Den-o%%CC%%88ka%%CC%%88nda-ha%%CC%%88sten-fra%%CC%%8An-Troja-SUNET-2017-07-31.pdf if host_sunet url_sunet_blog_8
+
+
+    acl url_sunet_blog_9 path_beg /blogg/redundans-ar-allt/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Redundans-a%%CC%%88r-allt-SUNET-2017-07-03.pdf if host_sunet url_sunet_blog_9
+
+
+    acl url_sunet_blog_10 path_beg /blogg/snic-snack/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/SNIC-snack-SUNET-2017-06-02.pdf if host_sunet url_sunet_blog_10
+
+
+    acl url_sunet_blog_11 path_beg /blogg/we-are-at-the-forefront/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Maria-Ha%%CC%%88ll-We-are-at-the-Forefront-SUNET-2017-04-13.pdf if host_sunet url_sunet_blog_11
+
+
+    acl url_sunet_blog_12 path_beg /blogg/we-have-liftoff-del-5-av-2/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-5-av-2-SUNET-2017-05-03.pdf if host_sunet url_sunet_blog_12
+
+
+    acl url_sunet_blog_13 path_beg /blogg/we-have-liftoff-del-4-av-2/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-4-av-2-SUNET-2017-02-22.pdf if host_sunet url_sunet_blog_13
+
+
+    acl url_sunet_blog_14 path_beg /blogg/we-have-liftoff-del-3-av-2/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-3-av-2-SUNET-2017-01-30.pdf if host_sunet url_sunet_blog_14
+
+
+    acl url_sunet_blog_15 path_beg /blogg/we-have-liftoff-del-2-av-2/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-2-av-2-SUNET-2017-01-09.pdf if host_sunet url_sunet_blog_15
+
+
+    acl url_sunet_blog_16 path_beg /blogg/we-have-liftoff-del-1-av-2/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/We-have-liftoff-Del-1-av-2-SUNET-2016-12-16.pdf if host_sunet url_sunet_blog_16
+
+
+    acl url_sunet_blog_17 path_beg /blogg/long-read-cleanliness-is-a-virtue/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Long-Read-%%E2%%80%%93-Cleanliness-is-a-Virtue-SUNET-2016-09-20.pdf if host_sunet url_sunet_blog_17
+
+
+    acl url_sunet_blog_18 path_beg /blogg/langlasning-folja-fiber-fran-tulegatan-till-stockholms-universitet/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/La%%CC%%8Angla%%CC%%88sning-Fo%%CC%%88lja-fiber-%%E2%%80%%93-fra%%CC%%8An-Tulegatan-till-Stockholms-universitet-SUNET-2016-08-26.pdf if host_sunet url_sunet_blog_18
+
+
+    acl url_sunet_blog_19 path_beg /blogg/topologier/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Topologier-One-ring-to-rule-them-all-SUNET-2016-05-24.pdf if host_sunet url_sunet_blog_19
+
+
+    acl url_sunet_blog_20 path_beg /blogg/long-read-how-to-design-a-fibre-optic-network/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Long-read-How-to-Design-a-Fibre-Optic-Network-SUNET-2016-05-05.pdf if host_sunet url_sunet_blog_20
+
+
+    acl url_sunet_blog_21 path_beg /blogg/forsta-dellanken-i-nya-sunet-ar-igang/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fo%%CC%%88rsta-della%%CC%%88nken-i-Nya-SUNET-a%%CC%%88r-iga%%CC%%8Ang-SUNET-2016-02-19.pdf if host_sunet url_sunet_blog_21
+
+
+    acl url_sunet_blog_22 path_beg /blogg/spektrumanalysatorn-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-spektrumanalysatorn-SUNET-2016-02-17.pdf if host_sunet url_sunet_blog_22
+
+
+    acl url_sunet_blog_23 path_beg /blogg/otdr-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-OTDR-SUNET-2016-02-15.pdf if host_sunet url_sunet_blog_23
+
+
+    acl url_sunet_blog_24 path_beg /blogg/distribuerad-forstarkning-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-distribuerad-fo%%CC%%88rsta%%CC%%88rkning-SUNET-2017-01-15.pdf if host_sunet url_sunet_blog_24
+
+
+    acl url_sunet_blog_25 path_beg /blogg/dampning-och-forstarkning-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-da%%CC%%88mpning-och-fo%%CC%%88rsta%%CC%%88rkning-SUNET-2016-01-14.pdf if host_sunet url_sunet_blog_25
+
+
+    acl url_sunet_blog_26 path_beg /blogg/l-bandet-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-L-bandet-SUNET-2016-01-14.pdf if host_sunet url_sunet_blog_26
+
+
+    acl url_sunet_blog_27 path_beg /blogg/c-bandet-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-C-bandet-SUNET-2016-01-14.pdf if host_sunet url_sunet_blog_27
+
+
+    acl url_sunet_blog_28 path_beg /blogg/cern-krossen-som-slar-sonder-materiens-minsta-byggstenar/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/CERN-%%E2%%80%%93-krossen-som-sla%%CC%%8Ar-so%%CC%%88nder-materiens-minsta-byggstenar-SUNET-2016-01-12.pdf if host_sunet url_sunet_blog_28
+
+
+    acl url_sunet_blog_29 path_beg /blogg/belastningsdiagram-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-belastningsdiagram-SUNET-2015-12-19.pdf if host_sunet url_sunet_blog_29
+
+
+    acl url_sunet_blog_30 path_beg /blogg/atomur-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-atomur-SUNET-2015-12-19.pdf if host_sunet url_sunet_blog_30
+
+
+    acl url_sunet_blog_31 path_beg /blogg/fiberkontakter-en-hel-massa-standarder/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fiberkontakter-%%E2%%80%%93-en-hel-massa-standarder-SUNET-2015-12-04.pdf if host_sunet url_sunet_blog_31
+
+
+    acl url_sunet_blog_32 path_beg /blogg/geant-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-GE%%CC%%81ANT-SUNET-2015-11-26.pdf if host_sunet url_sunet_blog_32
+
+
+    acl url_sunet_blog_33 path_beg /blogg/decibel-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-decibel-SUNET-2016-01-14.pdf if host_sunet url_sunet_blog_33
+
+
+    acl url_sunet_blog_34 path_beg /blogg/switch-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-switch-SUNET-2015-11-10.pdf if host_sunet url_sunet_blog_34
+
+
+    acl url_sunet_blog_35 path_beg /blogg/router-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-router-SUNET-2015-11-10.pdf if host_sunet url_sunet_blog_35
+
+
+    acl url_sunet_blog_36 path_beg /blogg/kvarts-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-kvarts-SUNET-2015-11-10.pdf if host_sunet url_sunet_blog_36
+
+
+    acl url_sunet_blog_37 path_beg /blogg/foton-grundlaggande-om/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Grundla%%CC%%88ggande-om-foton-SUNET-2015-11-10.pdf if host_sunet url_sunet_blog_37
+
+
+    acl url_sunet_blog_38 path_beg /blogg/i-morkret-ar-alla-katter-infraroda/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/I-mo%%CC%%88rkret-a%%CC%%88r-alla-katter-infraro%%CC%%88da-SUNET-2015-11-04.pdf if host_sunet url_sunet_blog_38
+
+
+    acl url_sunet_blog_39 path_beg /blogg/fibertyperna-i-natet-och-deras-optiska-felaktigheter/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fibertyperna-i-na%%CC%%88tet-och-deras-optiska-felaktigheter-SUNET-2015-10-29.pdf if host_sunet url_sunet_blog_39
+
+
+    acl url_sunet_blog_40 path_beg /blogg/vad-ar-klockan-egentligen/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Vad-a%%CC%%88r-klockan-egentligen-SUNET-2015-10-21.pdf if host_sunet url_sunet_blog_40
+
+
+    acl url_sunet_blog_41 path_beg /blogg/natets-centrum/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Na%%CC%%88tets-centrum-SUNET-2015-10-20.pdf if host_sunet url_sunet_blog_41
+
+
+    acl url_sunet_blog_42 path_beg /blogg/den-optiska-transceivern/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Den-optiska-transceivern-SUNET-2015-10-17.pdf if host_sunet url_sunet_blog_42
+
+
+    acl url_sunet_blog_43 path_beg /blogg/polarisation-och-informationsoverforing/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Polarisation-och-informationso%%CC%%88verfo%%CC%%88ring-SUNET-2015-10-01.pdf if host_sunet url_sunet_blog_43
+
+
+    acl url_sunet_blog_44 path_beg /blogg/laserns-historia/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Laserns-historia-SUNET-2015-09-30.pdf if host_sunet url_sunet_blog_44
+
+
+    acl url_sunet_blog_45 path_beg /blogg/koherent-ljus-vad-ar-det/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Koherent-ljus-vad-a%%CC%%88r-det-SUNET-2015-09-28.pdf if host_sunet url_sunet_blog_45
+
+
+    acl url_sunet_blog_46 path_beg /blogg/sunet-nu-annu-battre/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/SUNET-%%E2%%80%%93-nu-a%%CC%%88nnu-ba%%CC%%88ttre-SUNET-2015-09-16.pdf if host_sunet url_sunet_blog_46
+
+
+    acl url_sunet_blog_47 path_beg /blogg/fibern-fruktar-fukten/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fibern-fruktar-fukten-SUNET-2015-09-11.pdf if host_sunet url_sunet_blog_47
+
+
+    acl url_sunet_blog_48 path_beg /blogg/att-fa-kontakt/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Att-fa%%CC%%8A-kontakt-SUNET-2015-09-11.pdf if host_sunet url_sunet_blog_48
+
+
+    acl url_sunet_blog_49 path_beg /blogg/sa-tillverkas-optisk-fiber/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Sa%%CC%%8A-tillverkas-optisk-fiber-SUNET-2015-08-31.pdf if host_sunet url_sunet_blog_49
+
+
+    acl url_sunet_blog_50 path_beg /blogg/artikel-emc-emi-emp/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/EMC-%%E2%%80%%93-EMI-%%E2%%80%%93-EMP-SUNET-2015-09-31.pdf if host_sunet url_sunet_blog_50
+
+
+    acl url_sunet_blog_51 path_beg /blogg/glasbiten-som-gav-nobelpris/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Glasbiten-som-gav-nobelpris-SUNET-2015-08-21.pdf if host_sunet url_sunet_blog_51
+
+
+    acl url_sunet_blog_52 path_beg /blogg/megabit-pa-langden-och-tvaren/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Megabit-pa%%CC%%8A-la%%CC%%88ngden-och-tva%%CC%%88ren-SUNET-2015-09-21.pdf if host_sunet url_sunet_blog_52
+
+
+    acl url_sunet_blog_53 path_beg /blogg/langartikel-fibern-fran-frostmofjallet/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Fibern-fra%%CC%%8An-Frostmofja%%CC%%88llet-SUNET-2015-08-21.pdf if host_sunet url_sunet_blog_53
+
+
+    acl url_sunet_blog_54 path_beg /blogg/upphandling-av-optiskt-nat-nar-allt-bara-flyter-pa/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Upphandling-av-optiskt-na%%CC%%88t-%%E2%%80%%93-na%%CC%%88r-allt-bara-flyter-pa%%CC%%8A-SUNET-2015-07-25.pdf if host_sunet url_sunet_blog_54
+
+
+    acl url_sunet_blog_55 path_beg /blogg/optasense-nar-fiber-blir-sensorer/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/OptaSense-%%E2%%80%%93-na%%CC%%88r-fiber-blir-sensorer-SUNET-2015-07-03.pdf if host_sunet url_sunet_blog_55
+
+
+    acl url_sunet_blog_56 path_beg /blogg/teknisk-djupdykning-optisk-magi-med-ramanforstarkare/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Teknisk-djupdykning-Optisk-magi-med-ramanfo%%CC%%88rsta%%CC%%88rkare-SUNET-2015-07-02.pdf if host_sunet url_sunet_blog_56
+
+
+    acl url_sunet_blog_57 path_beg /blogg/teknisk-utvikning-130-000-fibrer-som-i-en-liten-ask/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Teknisk-utvikning-130.000-fibrer-som-i-en-liten-ask-SUNET-2015-07-01.pdf if host_sunet url_sunet_blog_57
+
+
+    acl url_sunet_blog_58 path_beg /blogg/nocen-spekulerar-2-felrapporter/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/NOCen-spekulerar-2-Felrapporter-SUNET-2015-06-27.pdf if host_sunet url_sunet_blog_58
+
+
+    acl url_sunet_blog_59 path_beg /blogg/nocen-spekulerar-1-hog-belastning/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/NOCen-spekulerar-1-ho%%CC%%88g-belastning-SUNET-2015-06-26.pdf if host_sunet url_sunet_blog_59
+
+
+    acl url_sunet_blog_60 path_beg /blogg/teknisk-djupdykning-optisk-magi-med-edfa/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Teknisk-djupdykning-Optisk-magi-med-EDFA-SUNET-2015-06-22.pdf if host_sunet url_sunet_blog_60
+
+
+    acl url_sunet_blog_61 path_beg /blogg/sa-designar-man-ett-fiberoptiskt-nat/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/La%%CC%%8Angartikel-Sa%%CC%%8A-designar-man-ett-fiberoptiskt-na%%CC%%88t-SUNET-2015-06-11.pdf if host_sunet url_sunet_blog_61
+
+
+    acl url_sunet_blog_62 path_beg /blogg/1249/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/La%%CC%%8Angartikel-Vad-som-har-varit-och-vad-som-komma-skall-SUNET-2015-05-19.pdf if host_sunet url_sunet_blog_62
+
+
+    acl url_sunet_blog_63 path_beg /blogg/teknisk-djupdykning-den-mystiska-routerkraschen/
+    http-request redirect location https://sunet.se/wp-content/uploads/2020/11/Teknisk-djupdykning-den-mystiska-routerkraschen-SUNET-2006-06-11.pdf if host_sunet url_sunet_blog_63
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/sunetse/haproxy_sunetse_base.j2

@@ -0,0 +1,117 @@
+# haproxy for SUNET frontend load balancer nodes.
+#
+{% from "common/haproxy_macros.j2" import output_backends %}
+
+{% block global %}
+global
+    log stdout  format raw  local0  debug
+
+    daemon
+    maxconn 256
+    stats socket /haproxy_control/stats mode 660
+    #server-state-file /tmp/server_state
+
+    # whole container is started as non-root
+    #user haproxy
+    #group haproxy
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Mozilla Guideline v5.7 intermediate configuration
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    # end Mozilla config
+
+    tune.ssl.default-dh-param 2048
+
+    spread-checks 20
+
+
+
+{% endblock global %}
+
+
+{% block defaults %}
+defaults
+    log global
+    mode http
+    option httplog
+    option dontlognull
+    option redispatch
+    option forwardfor
+    # funny looking values because recommendation is to have these slightly
+    # above mulitples of three seconds to play nice with TCP resend timers
+    timeout check 5s
+    timeout connect 4s
+    timeout client 17s
+    timeout server 17s
+    timeout http-request 5s
+
+    # never fail on address resolution
+    default-server init-addr libc,none
+    balance roundrobin
+{% endblock defaults %}
+
+{% block stats %}
+frontend LB-http
+    # expose stats info over HTTP to exabgp
+    bind 127.0.0.1:9000
+    http-request set-log-level silent
+    default_backend LB
+
+backend LB
+    stats enable
+    #stats hide-version
+    stats uri /haproxy_stats
+{% endblock stats %}
+
+
+{% block global_backends %}
+{% if letsencrypt_server is defined %}
+backend letsencrypt_{{ letsencrypt_server }}
+  server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
+{% else %}
+# letsencrypt_backend not defined
+{% endif %}
+{% endblock global_backends %}
+
+
+{% block https_everything %}
+#
+# Redirect _everything_ to HTTPS
+frontend http-frontend
+    bind 0.0.0.0:80
+    bind :::80
+
+    redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ } ! { hdr(host) -i ip.sunet.se }
+    use_backend {{ site_name }}__default if { hdr(host) -i ip.sunet.se } ! { path_beg /.well-known/acme-challenge/ }
+{% if letsencrypt_server is defined %}
+    use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
+{% else %}
+    # letsencrypt_backend not defined
+{% endif %}
+{% endblock https_everything %}
+
+#
+# Frontend section
+#
+{% block frontend %}
+{% endblock frontend %}
+
+
+#
+# Backend section
+#
+{% block pre_backend %}
+{% endblock pre_backend %}
+
+{% block backend %}
+{{ output_backends(backends, config=[]) }}
+{% endblock backend %}

lb-common/overlay/opt/frontend/config/sveidas1/haproxy.j2

@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}

lb-common/overlay/opt/frontend/config/sveidas2/haproxy.j2

@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}

lb-common/overlay/opt/frontend/config/sweconn1/haproxy.j2

@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}

lb-common/overlay/opt/frontend/config/sweconn2/haproxy.j2

@@ -0,0 +1 @@
+{% extends 'common/haproxy_eidas.j2' %}

lb-common/overlay/opt/frontend/config/validator/haproxy.j2

@@ -0,0 +1,19 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_cache', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

lb-common/overlay/opt/frontend/config/zoomidp/haproxy.j2

@@ -0,0 +1,20 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+{% endblock frontend %}

tug-lb-1.sunet.se/README

@@ -0,0 +1,4 @@
+
+The system documentation is in the docs directory of the multiverse repository.
+
+- type make upgrade to run ubuntu/debian upgrade on all boxes

tug-lb-1.sunet.se/overlay/etc/hiera/data/local.eyaml

@@ -0,0 +1,32 @@
+
+
+
+acme_c_ssh_key: >
+    ENC[PKCS7,MIIEeQYJKoZIhvcNAQcDoIIEajCCBGYCAQAxggJ9MIICeQIBAD
+    BhMEkxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRV
+    lBTUwxGjAYBgNVBAMMEXR1Zy1sYi0xLnN1bmV0LnNlAhRGbgvGqNZzUuYMy5
+    +AuzDsP6l1pDANBgkqhkiG9w0BAQEFAASCAgABMA5DtkCFFelPWYvHHW+7y0
+    hGG+iJarmJhamv72/Yig0v/5OiTFpSVa6DvzNe1OPvO9RHvufFoPQlksR8Jo
+    J1YaXtVrUsRtPQwt7S29ymj356HuLe4e230tl7LNoubMJGpA1F54aX3QcFO6
+    /JO5DG+/3EJMAD4LE/LgiyvD4cIpj5f8gJBQp8rywlsLFBA2Nrsl7mSY9MUn
+    MPzb4wpByOt7a/zWIRjgyF/y2zTCoqFvuigKejBACx3GkXzutzry4jzBAQsN
+    Qi2bfdNWWXEKFPOQO7x8zpJ2nh4iP/uNG5TNfGooTsnMv21zmD/nHnWo8dE+
+    hYmWQ2uoIW4XqRFLeUPg/u4hKcSDFNsF5YqA8MLGs6MHSZrQqzSIExgruiKU
+    DwDG144q6E1uEny21BdM84z1DrDZDWP4UqnT8uQWU56Z2j8kSyFscig7oUeR
+    2ihgmNo11YobH/SMn36tFvQ7u74IrSnH9wSNtL0Ml/IssShmIys6ZvFBtByM
+    yzUpiTJYlHY+hEnKncMPTri/iRdghNG7kZyFMsdHNBnR1P5a8oNzD6756TdY
+    6rOMEQG2SDrcodx7nKIOUrE5wPIdLeN9ZhFuEK7hBVlJPxBu2/lVcEykrDI6
+    /t/106mz3GYDllPzWKLUv8rZSpsroh36Tr/LQaU9rEVuN5DnzUMMzfae7IZj
+    CCAd4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEP+hDktlSD+Eld1OebGMiV
+    eAggGw79qzPfz43WZFqt8dkyXhuxvSACbbdfi27KagltOwiI7HSBatRdUv09
+    3yhEPgbt6Wcfj/M47ScYOKqSobPc/Z+HxgnvhXhrzMwnTq6Phz3jYRxRkulj
+    zbbe60pWbDh1zDBdk1Kj6H2Drw9m7NP0bDtmJ0Tr6it6eLmT9OXeaTXjW52L
+    Xs5wcZl5bNAxaTY6mwjaJIwOsM/Y1v+ADKaKlkor0q27OcevKo7UlERqE1px
+    m4dF0R21s5Ee37yjHHtjLket4mm6Ek3KhrIekBJh5QOzg083U1DK0JFJzW0A
+    P8eXzAAheZpRck7nYtBwZMAwIL5vUkQ51KdwAMVN4D2ZT/AM4P9KtNHRbEcb
+    NBBOMNCOsxOuKZsSJsMBnI+QL30ngVNvzz2QMyidhJ5YFPV0voFj17/vibWC
+    140bTetiJFNFFhkICB5SLGaq8OEe5zN5mGUCU2cWMBhbKaBE/HUv9c10oSVA
+    6V3593t7s4mZmUa1oTylliuO3AchUD5pi562DxklJqCCair9J24nVCNvwt5F
+    aNMUAWHrjdlhSiCge7CfUAS+r7C3KDBBuJbPNMxkFL]
+
+fleetlock_password: ENC[PKCS7,MIIC5QYJKoZIhvcNAQcDoIIC1jCCAtICAQAxggJ9MIICeQIBADBhMEkxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxGjAYBgNVBAMMEXR1Zy1sYi0xLnN1bmV0LnNlAhRGbgvGqNZzUuYMy5+AuzDsP6l1pDANBgkqhkiG9w0BAQEFAASCAgCEEKZvmD6FsRfpqKazFi3pZQuk5XjUfplsAExuDlzdCNKFKjXqbTogXRqVG6LL57xquzavLgqC3bXGps0kcN6ahOSAJziBgLAePQ4NAtBBiuLvXYGJ6FXf1llbWV2YlruAzUfHnCZ6n1/NJrHIQz8IwAVEhiwhcV0L2DK6a3e2KmvZiaNkuVCiKS+UNsi8ry5Fl2oLn4h/SwZdFgOldlrCsLRlk+06B8icZukeVJC232HBYDhubdFSUy149lzA2J8lbuLQ7haRwanyATh/mQs2XQi3l32B0yPnDsmuUXyEwORZ+2eOMPpXNrUT2r0Waj/nVtdqhT2pqSNBzy0tvr8Urcij9tYdKdLZzubkNXPMDjaFI0wEqpd/QW/a44QE0myYsACDjc2sZPiCdb4GCM57YXzP2sVulYuKVr4lRbGEThszZDvz4osEQ+Bo5r7dz13Yq+N7E/kEwedIEb85/Snfu/QM4QhMNkM2Qs8XUqrxT89Bk8LuJ3JS3nEK6HV0MaNkKmX9jI6qiWuxp1sXdoFmW+afvgyNPRNHTrttE0yTcPA//aRqlDQ7czxyR+UMthhFHA+5XfmIHo/eLgDFwC9gsXB5eMRTvjb8l2yumiIbSjpfiwms0MLe/8F8Y5TQPg599/DCba3dU9sIaWPG9JOra98P4MtkbhrAw4/e6ZCVXDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBD8IbrfUQLJmXACUGllcvhjgCBNFkhZ3CKV8dMUDY9mWhb0MI6UzMBZWwnK0pbHE8KEmg==]

tug-lb-1.sunet.se/overlay/etc/netplan/00-installer-config.yaml

@@ -0,0 +1,41 @@
+# This file is manged by puppet.
+network:
+    version: 2
+    ethernets:
+        enp67s0f0np0:
+            addresses: []
+            dhcp4: false
+            dhcp6: false
+            accept-ra: no
+        enp67s0f1np1:
+            addresses: []
+            dhcp4: false
+            dhcp6: false
+            accept-ra: no
+        switchports:
+            match: {name: "bond0"}
+    bonds:
+        bond0:
+            addresses:
+            - 130.242.126.195/31
+            - 2001:6b0:8:a::2/64
+            routes:
+              - to: default
+                via: 130.242.126.194
+              - to: default
+                via: 2001:6b0:8:a::1
+                on-link: true
+            nameservers:
+                addresses:
+                - 89.32.32.32
+            interfaces:
+            - enp67s0f0np0
+            - enp67s0f1np1
+            dhcp4: false
+            dhcp6: false
+            accept-ra: no
+            parameters:
+                mode: active-backup
+                mii-monitor-interval: 1
+                gratuitious-arp: 5
+                primary-reselect-policy: failure

tug-lb-1.sunet.se/overlay/etc/ssl/tug-lb-1.sunet.se_infra.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGKjCCBBKgAwIBAgIIbZCsL+IJlogwDQYJKoZIhvcNAQELBQAwPzEgMB4GA1UE
+AxMXU1VORVQgSW5mcmFzdHJ1Y3R1cmUgQ0ExDjAMBgNVBAoTBVNVTkVUMQswCQYD
+VQQGEwJTRTAeFw0yNDA2MjgwODM1MDhaFw0yNTA2MjgwODM1MDhaMDkxCzAJBgNV
+BAYTAlNFMQ4wDAYDVQQKEwVTVU5FVDEaMBgGA1UEAxMRdHVnLWxiLTEuc3VuZXQu
+c2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDnTfQHQm8tIFj0fbM4
+V3pvuB3wMrQoPcX6Ln4Pb+uHy1wcePX9FRtxV31TiW3oiZxomH5DL0t209/XKTzo
+cjuj7fI8KuWsq0fYWiEoc+O7vAWPVnlRs1e1btaPsuYtytUkPNK7kVSyaMedEOub
+vjyi062MMCfBSPrZEAtftWRc1IRz0XO0IEfwcCwBVadjNteZp2kZ8QO62THWBJJU
+GNgIF3yPrybY+nAfD4olcpkAobmQhONzPP6JJ7KpWaIImuNuUwmhMk4UexVXx3Nr
+eWZ0TMCRU+6WtF2mTr4W910zQMsyvuQS4BcwRU6GsoXA64Ur9YUEYWiBL6ce3aXG
+B8987LfWRNmlNeV2oExFAK7yWr4fZQMTIiMjKoKhzqK5FqGIM4g/2lXgMF0QmK6y
+oLpSH5kp2rMRgrbc4bga/FOC2MJDV/M2SZJDiiH1O4gc1B9HWdrk3UjLK2TW0qQI
+dBXFlL4H3XsLvpLbyistR6nTVBXpmkcMZDg9PxDJaTc4ZgKhQ6EafM2aPL+aIYwe
+wyAucpK9CwxkWsHSEneV9ZY2FlnWaX/cJC5l23Xb3/7YDa6FlSnmQeTHQU3rbLVM
+po0wmc8H9ZBDwDNCP18cyr5COGMs+C7UmPAq9qYXIKWGbZhUHniABU4CTxS6skwU
+pemi38xae4K28zzpPSKr3rhUiQIDAQABo4IBLjCCASowHQYDVR0OBBYEFHNT/SG7
+8bexN/XTiLVEhZfjdp/tMB8GA1UdIwQYMBaAFOcsnlEasB0BHeZCtCcaNZNwwG3X
+MDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYfaHR0cDovL2NhLnN1bmV0LnNl
+L2luZnJhL2NhLmNydDAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY2Euc3VuZXQu
+c2UvaW5mcmEvY3JsLnBlbTAjBgNVHRIEHDAahhhodHRwOi8vY2Euc3VuZXQuc2Uv
+aW5mcmEwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMBwGA1UdEQQVMBOCEXR1Zy1sYi0xLnN1bmV0LnNlMA0GCSqG
+SIb3DQEBCwUAA4ICAQBBzHfnpUAnyd4+ix4BlzMAC2O06LuopbS3eCBDskE6PFU5
+gxYxuvJpWq3aoZ3ymKdY4vh/RjsAeEWTT9PvVGZffNBqHYfEtApxzM6179xIu/rv
+z7Ch9VZE6CBdArJ75lt9YUrs5Nv4JRmgLBQdczRCRFohnaVGMqMsYaeQWp3nkZ0x
+I+kuWIVZwuYee6dArmLvAwFWD5ECn84yKCY8whFABn2i2VivukY1d98kDuJ+KcDs
+SP3aahsMDTO6fkz1AE8r03YFU6E/lxqIfSKWS7sZ7oycJGSQaT8y3QtfOdIGLLos
+tjJvurAxZ6XH2AV+r9Ewx7uP8gPeUtymx4cKx+CEewjxCBHm6q2qgMWm0p9/8Mxe
+x6NOdBIm08bscrhAIgFHWUsoOiS+4m2ZcQFgh9g0JQ9q/Ypid6J6W16YxxP3lpJX
+IcrMDu87pDzECM0VDb/kkLhhbVyqIchnyewaP/pmz2zYjW4IRMnsoEXIT7wCuECA
+1g/yTHWVLh7jWtMtVDYWBu2Bx6ofUQ0dfXqKE1jIuhT2fXpzdUegSO6D1+An/j2U
+OjR4gl8StGo7O7mHhLDYpRHl6CpkSjoSfEjVgrlIcMUY3HbYuIEJS4QjmTqJ8ftl
+vvlkkQFXf92wHnmLUOY2bY2i81RVyBUUtyt4fyShTesKAwZt9dTFPdPtEpaSag==
+-----END CERTIFICATE-----