From 40f02554d2cd1aeb929e8d43686db51bfde0364d Mon Sep 17 00:00:00 2001
From: Maria Haider
Date: Sun, 4 May 2025 16:15:07 +0200
Subject: [PATCH] cisoas related changes
---
 global/overlay/etc/puppet/cosmos-rules.yaml | 1 +
 .../files/cisoassistant/docker-compose.yml | 50 -------------------
 .../files/cisoassistant/sunet-cisoas.service | 18 -------
 .../net/manifests/cisoassistant_test.pp | 49 ++++++++++++++++++
 .../cisoassistant/docker-compose.yml.erb | 12 +++++
 5 files changed, 62 insertions(+), 68 deletions(-)
 delete mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
 delete mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service
 create mode 100644 global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp
 create mode 100644 global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 3440478..784e9bf 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -174,6 +174,7 @@ cisoas-sto4-prod-1.sunet.se:
 cisoas-sto4-test-1.sunet.se:
 autoupdate:
 sunet::dockerhost2:
+ net::cisoassistant_test:
 ni-sto1-test-1.sunet.se:
 autoupdate:
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml b/global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
deleted file mode 100644
index 9c78ea7..0000000
--- a/global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
+++ /dev/null
@@ -1,50 +0,0 @@ -services: - always-https: - container_name: always-https - image: docker.sunet.se/always-https - restart: always - ports: - - 80:80 - environment: - - ACME_URL=http://acme-c.sunet.se/ - - backend: - container_name: backend - image: ghcr.io/intuitem/ciso-assistant-enterprise-backend:latest - restart: always - environment: - - ALLOWED_HOSTS=backend,cisoas.sunet.se - - CISO_ASSISTANT_URL=https://cisoas.sunet.se:8443 - - DJANGO_DEBUG=True - - AUTH_TOKEN_TTL=7200 - volumes: - - ./db:/code/db - - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs - - frontend: - container_name: frontend - restart: always - environment: - - PUBLIC_BACKEND_API_URL=http://backend:8000/api - - PROTOCOL_HEADER=x-forwarded-proto - - HOST_HEADER=x-forwarded-host - - image: ghcr.io/intuitem/ciso-assistant-enterprise-frontend:latest - depends_on: - - backend - volumes: - - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs - - caddy: - container_name: caddy - image: caddy:2.8.4 - depends_on: - - frontend - restart: always - ports: - - 8443:8443 - - 9443:9443 - volumes: - - ./caddy_data:/data - - ./Caddyfile:/etc/caddy/Caddyfile - - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service b/global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service deleted file mode 100644 index 1e847d4..0000000 --- a/global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=Jenkins CI application -After=docker.service -BindsTo=docker.service -Conflicts=shutdown.target reboot.target halt.target - -[Service] -TimeoutStartSec=0 -TimeoutStopSec=30 -Restart=always -RestartSec=10 -SyslogIdentifier=sunet-jenkins -WorkingDirectory=/opt/cisoas/ciso-assistant-community/enterprise -ExecStart=/usr/local/bin/docker-compose up -d -ExecStop=/usr/local/bin/docker-compose stop - -[Install] -WantedBy=multi-user.target 
diff --git a/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp b/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp
new file mode 100644
index 0000000..03249e2
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp
@@ -0,0 +1,49 @@
+class net::cisoassistant_test {
+ $nftables_rules = {
+ 'allow_access_to_cisoassistant' => {
+ from => 'any',
+ port => 443,
+ to => 'any',
+ proto => 'tcp',
+ },
+ 'allow_access_to_cisoassistant_api' => {
+ from => 'any',
+ port => 9443,
+ to => 'any',
+ proto => 'tcp',
+ },
+ 'allow_access_to_always_https_acme_c' => {
+ from => 'any',
+ port => 80,
+ to => 'any',
+ proto => 'tcp',
+ },
+ }
+ $nftables_rules.each |$name, $params| {
+ sunet::nftables::allow { $name:
+ * => $params,
+ }
+ }
+
+ ensure_resource('file','/opt/cisoas', { ensure => directory } )
+ ensure_resource('file','/opt/cisoas/compose', { ensure => directory } )
+
+ sunet::docker_compose {'cisoas':
+ service_name => 'cisoas',
+ description => 'CISO Assistant',
+ compose_dir => '/opt/cisoas/compose',
+ content => template('net/cisoassistant/docker-compose.yml.erb'),
+ }
+ }
+ file { '/opt/cisoas/update-cisoas-enterprise.sh':
+ mode => '0744',
+ owner => 'root',
+ group => 'root',
+ content => file('net/cisoassistant/update-cisoas-enterprise.sh'),
+ }
+ sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
+ cmd => '/opt/cisoas/update-cisoas-enterprise.sh',
+ weekday => 'Saturday',
+ ok_criteria => ['exit_status=0', 'max_age=10d'],
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb
new file mode 100644
index 0000000..0da567f
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb
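Review bot: The braces in cisoassistant_test.pp are unbalanced: right after the `sunet::docker_compose {'cisoas': ... }` resource there is a second `}` which closes `class net::cisoassistant_test`, so the `file` and `sunet::scriptherder::cronjob` resources end up outside the class and the final `}` on the last line has nothing to match, which the Puppet parser will reject. Removing that second `}` (keep only `+ }` for the docker_compose resource, then `file { ... }`, `cronjob { ... }`, `}`) puts all three resources inside the class and restores the balance; the 49-line count in the hunk header is consistent with exactly one stray brace. Separately, the nftables rules open tcp/443 and tcp/9443 from `any`, while the compose template in this commit only defines always-https on port 80; if the application containers are expected to be brought up by `update-cisoas-enterprise.sh` (not part of this patch) a short comment above `$nftables_rules` saying so would tell the next reader why those ports are opened here, and `content => file('net/cisoassistant/update-cisoas-enterprise.sh')` should be checked to resolve to a file that already exists in the module, since the diffstat does not add it.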
@@ -0,0 +1,12 @@
+---
+services:
+
+ always-https:
+ image: docker.sunet.se/always-https:latest
+ restart: always
+ network_mode: host
+ ports:
+ - 80:80
+ environment:
+ - ACME_URL=http://acme-c.sunet.se/
+
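Review bot: `network_mode: host` and a `ports:` mapping are combined on the always-https service; under host networking Docker discards published ports, and recent Compose releases treat the combination as a configuration error rather than a warning, so either the `ports:` block (redundant if host networking is intended) or `network_mode: host` should be dropped. The image is referenced as `docker.sunet.se/always-https:latest` with `restart: always`, so what actually runs on the host changes silently on every re-pull; pinning a tag or digest, e.g. `image: docker.sunet.se/always-https:<pinned-tag>`, keeps upgrades deliberate and reviewable, which matters more now that a weekly upgrade cronjob is added in the same commit. It would also help to note in a comment at the top of the template that this file now carries only the always-https helper, since the deleted docker-compose.yml it replaces defined the backend, frontend and caddy services as well.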