first draft of cisoassistant manifest

2025-01-31 13:19:49 +01:00 · 2025-01-31 13:19:49 +01:00 · 6b03e058d3
commit 6b03e058d3
parent efc1c46fc0
10 changed files with 172 additions and 22 deletions
--- a/cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
+++ b/cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
@ -1,11 +0,0 @@
-sunet::nftables::allow::rules:
-  allow_access_to_cisoassistant:
-    from: 'any'
-    port: 8443
-    to: 'any'
-    proto: 'tcp'
-  allow_access_to_cisoassistant_api:
-    from: 'any'
-    port: 9443
-    to: 'any'
-    proto: 'tcp'
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -146,7 +146,7 @@ nifrontend-sto1-prod-1.sunet.se:
          port: '443'

 cisoas-sto4-prod-1.sunet.se:
-  net::nftables:
+  net::cisoassistant:
  sunet::dehydrated::client:
    domain: cisoas-sto4-prod-1.sunet.se

--- a/global/overlay/etc/puppet/modules/net/files/cisoassistant/Caddyfile
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/Caddyfile
@ -0,0 +1,8 @@
+cisoas.sunet.se:8443 {
+    reverse_proxy frontend:3000
+    tls /certs/cert.pem /certs/key.pem
+}
+cisoas-api.sunet.se:9443 {
+    reverse_proxy backend:8000
+    tls /certs/cert.pem /certs/key.pem
+}
--- a/global/overlay/etc/puppet/modules/net/files/cisoassistant/daemon.json
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/daemon.json
@ -0,0 +1,3 @@
+{
+  "iptables": false
+}
--- a/global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
@ -0,0 +1,41 @@
+services:
+  backend:
+    container_name: backend
+    image: ghcr.io/intuitem/ciso-assistant-enterprise-backend:latest
+    restart: always
+    environment:
+      - ALLOWED_HOSTS=backend,cisoas.sunet.se
+      - CISO_ASSISTANT_URL=https://cisoas.sunet.se:8443
+      - DJANGO_DEBUG=True
+      - AUTH_TOKEN_TTL=7200
+    volumes:
+      - ./db:/code/db
+      - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
+
+  frontend:
+    container_name: frontend
+    restart: always
+    environment:
+      - PUBLIC_BACKEND_API_URL=http://backend:8000/api
+      - PROTOCOL_HEADER=x-forwarded-proto
+      - HOST_HEADER=x-forwarded-host
+
+    image: ghcr.io/intuitem/ciso-assistant-enterprise-frontend:latest
+    depends_on:
+      - backend
+    volumes:
+      - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
+
+  caddy:
+    container_name: caddy
+    image: caddy:2.8.4
+    depends_on:
+      - frontend
+    restart: always
+    ports:
+      - 8443:8443
+      - 9443:9443
+    volumes:
+      - ./caddy_data:/data
+      - ./Caddyfile:/etc/caddy/Caddyfile
+      - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
--- a/global/overlay/etc/puppet/modules/net/files/cisoassistant/rotate-certs.sh
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/rotate-certs.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se
+
+latest_csr=$(ls -t cert-*.csr | head -n 1)
+latest_cert=$(ls -t cert-*.pem | head -n 1)
+latest_key=$(ls -t privkey-*.pem | head -n 1)
+
+ln -sf "$latest_csr" cert.csr
+ln -sf "$latest_cert" cert.pem
+ln -sf "$latest_key" key.pem
--- a/global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service
@ -0,0 +1,18 @@
+[Unit]
+Description=Jenkins CI application
+After=docker.service
+BindsTo=docker.service
+Conflicts=shutdown.target reboot.target halt.target
+
+[Service]
+TimeoutStartSec=0
+TimeoutStopSec=30
+Restart=always
+RestartSec=10
+SyslogIdentifier=sunet-jenkins
+WorkingDirectory=/opt/cisoas/ciso-assistant-community/enterprise
+ExecStart=/usr/local/bin/docker-compose up -d 
+ExecStop=/usr/local/bin/docker-compose stop
+
+[Install]
+WantedBy=multi-user.target
--- a/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise.sh
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise.sh
@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+cd /opt/cisoas/ciso-assistant-community/enterprise
+pushd ..
+./update-ciso-assistant.sh enterprise
+popd
--- a/global/overlay/etc/puppet/modules/net/manifests/cisoassistant.pp
+++ b/global/overlay/etc/puppet/modules/net/manifests/cisoassistant.pp
@ -0,0 +1,85 @@
+class net::cisoassistant {
+  $nftables_rules = {
+    'allow_access_to_cisoassistant' => {
+      from  => 'any',
+      port  => 8443,
+      to    => 'any',
+      proto => 'tcp',
+    },
+    'allow_access_to_cisoassistant_api' => {
+      from  => 'any',
+      port  => 9443,
+      to    => 'any',
+      proto => 'tcp',
+    },
+    'allow_access_to_always_https_acme_c' => {
+      from  => 'any',
+      port  => 9443,
+      to    => 'any',
+      proto => 'tcp',
+    },
+  }
+  $nftables_rules.each |$name, $params| {
+    sunet::nftables::allow { $name:
+      * => $params,
+    }
+  }
+  sunet::docker_compose { 'always-https':
+    image => 'docker.sunet.se/always-https',
+    ports => ['80:80'],
+    env   => ['ACME_URL=http://acme-c.sunet.se/'],
+  }
+  file { '/etc/docker/daemon.json':
+    mode    => '0744',
+    owner   => 'root',
+    group   => 'root',
+    content => file('cisoassistant/daemon.json'),
+  }
+  file { '/opt/cisoas/ciso-assistant-community/enterprise/docker-compose.yml':
+    mode    => '0744',
+    owner   => 'root',
+    group   => 'root',
+    content => file('cisoassistant/docker-compose.yml'),
+  }
+  file { '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh':
+    mode    => '0744',
+    owner   => 'root',
+    group   => 'root',
+    content => file('cisoassistant/update-cisoas-enterprise.sh'),
+  }
+  sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
+    cmd         => '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh',
+    weekday     => 'Saturday',
+    ok_criteria => ['exit_status=0', 'max_age=10d'],
+  }
+  file { '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh':
+    mode    => '0744',
+    owner   => 'root',
+    group   => 'root',
+    content => file('cisoassistant/rotate-certs.sh'),
+  }
+  sunet::scriptherder::cronjob { 'Rotate le certificates':
+    cmd         => '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh',
+    hour        => '1',
+    ok_criteria => ['exit_status=0', 'max_age=48h'],
+  }
+  file { '/opt/cisoas/ciso-assistant-community/enterprise/Caddyfile':
+    mode    => '0744',
+    owner   => 'root',
+    group   => 'root',
+    content => file('cisoassistant/Caddyfile'),
+  }
+  file { "/etc/systemd/system/sunet-cisoas.service":
+    mode    => '0644',
+    owner   => 'root',
+    group   => 'root',
+    content => file('cisoassistant/sunet-cisoas.service'),
+    notify  => [Class['sunet::systemd_reload']],
+  }
+  service { 'sunet-cisoas' :
+    ensure   => 'running',
+    enable   => true,
+    require  => File['/etc/systemd/system/sunet-cisoas.service'],
+    provider => 'systemd',
+  }
+}
--- a/global/overlay/etc/puppet/modules/net/manifests/nftables.pp
+++ b/global/overlay/etc/puppet/modules/net/manifests/nftables.pp
@ -1,10 +0,0 @@
-class net::nftables {
-  $nftables_rules = lookup('sunet::nftables::allow::rules', Hash, 'deep', {})
-
-  $nftables_rules.each |$name, $params| {
-    sunet::nftables::allow { $name:
-      * => $params,
-    }
-  }
-
-}