SUNET/net-ops
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

cisoas related changes

Browse source
This commit is contained in:
Maria Haider 2025-05-04 16:15:07 +02:00
parent b86c0802b2
commit 40f02554d2
Signed by: mariah
GPG key ID: 6EF520A1829E8B1D
5 changed files with 62 additions and 68 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
global/overlay/etc/puppet/cosmos-rules.yaml
View file

@ -174,6 +174,7 @@ cisoas-sto4-prod-1.sunet.se:
cisoas-sto4-test-1.sunet.se: cisoas-sto4-test-1.sunet.se:
autoupdate: autoupdate:
sunet::dockerhost2: sunet::dockerhost2:
net::cisoassistant_test:
ni-sto1-test-1.sunet.se: ni-sto1-test-1.sunet.se:
autoupdate: autoupdate:

50
global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
View file

@ -1,50 +0,0 @@
services:
always-https:
container_name: always-https
image: docker.sunet.se/always-https
restart: always
ports:
- 80:80
environment:
- ACME_URL=http://acme-c.sunet.se/
backend:
container_name: backend
image: ghcr.io/intuitem/ciso-assistant-enterprise-backend:latest
restart: always
environment:
- ALLOWED_HOSTS=backend,cisoas.sunet.se
- CISO_ASSISTANT_URL=https://cisoas.sunet.se:8443
- DJANGO_DEBUG=True
- AUTH_TOKEN_TTL=7200
volumes:
- ./db:/code/db
- /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
frontend:
container_name: frontend
restart: always
environment:
- PUBLIC_BACKEND_API_URL=http://backend:8000/api
- PROTOCOL_HEADER=x-forwarded-proto
- HOST_HEADER=x-forwarded-host
image: ghcr.io/intuitem/ciso-assistant-enterprise-frontend:latest
depends_on:
- backend
volumes:
- /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
caddy:
container_name: caddy
image: caddy:2.8.4
depends_on:
- frontend
restart: always
ports:
- 8443:8443
- 9443:9443
volumes:
- ./caddy_data:/data
- ./Caddyfile:/etc/caddy/Caddyfile
- /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs

18
global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service
View file

@ -1,18 +0,0 @@
[Unit]
Description=Jenkins CI application
After=docker.service
BindsTo=docker.service
Conflicts=shutdown.target reboot.target halt.target
[Service]
TimeoutStartSec=0
TimeoutStopSec=30
Restart=always
RestartSec=10
SyslogIdentifier=sunet-jenkins
WorkingDirectory=/opt/cisoas/ciso-assistant-community/enterprise
ExecStart=/usr/local/bin/docker-compose up -d
ExecStop=/usr/local/bin/docker-compose stop
[Install]
WantedBy=multi-user.target

49
global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp Normal file
View file

@ -0,0 +1,49 @@
class net::cisoassistant_test {
$nftables_rules = {
'allow_access_to_cisoassistant' => {
from => 'any',
port => 443,
to => 'any',
proto => 'tcp',
},
'allow_access_to_cisoassistant_api' => {
from => 'any',
port => 9443,
to => 'any',
proto => 'tcp',
},
'allow_access_to_always_https_acme_c' => {
from => 'any',
port => 80,
to => 'any',
proto => 'tcp',
},
}
$nftables_rules.each |$name, $params| {
sunet::nftables::allow { $name:
* => $params,
}
}
ensure_resource('file','/opt/cisoas', { ensure => directory } )
ensure_resource('file','/opt/cisoas/compose', { ensure => directory } )
sunet::docker_compose {'cisoas':
service_name => 'cisoas',
description => 'CISO Assistant',
compose_dir => '/opt/cisoas/compose',
content => template('net/cisoassistant/docker-compose.yml.erb'),
}
}
file { '/opt/cisoas/update-cisoas-enterprise.sh':
mode => '0744',
owner => 'root',
group => 'root',
content => file('net/cisoassistant/update-cisoas-enterprise.sh'),
}
sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
cmd => '/opt/cisoas/update-cisoas-enterprise.sh',
weekday => 'Saturday',
ok_criteria => ['exit_status=0', 'max_age=10d'],
}
}

12
global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb Normal file
View file

@ -0,0 +1,12 @@
---
services:
always-https:
image: docker.sunet.se/always-https:latest
restart: always
network_mode: host
ports:
- 80:80
environment:
- ACME_URL=http://acme-c.sunet.se/