From 6b03e058d31552502c714da262feb609cc8462b2 Mon Sep 17 00:00:00 2001
From: Rasmus Thorslund
Date: Fri, 31 Jan 2025 13:19:49 +0100
Subject: [PATCH] first draft of cisoassistant manifest
---
 .../overlay/etc/hiera/data/local.yaml | 11 ---
 global/overlay/etc/puppet/cosmos-rules.yaml | 2 +-
 .../modules/net/files/cisoassistant/Caddyfile | 8 ++
 .../net/files/cisoassistant/daemon.json | 3 +
 .../files/cisoassistant/docker-compose.yml | 41 +++++++++
 .../net/files/cisoassistant/rotate-certs.sh | 11 +++
 .../files/cisoassistant/sunet-cisoas.service | 18 ++++
 .../cisoassistant/update-cisoas-enterprise.sh | 5 ++
 .../modules/net/manifests/cisoassistant.pp | 85 +++++++++++++++++++
 .../puppet/modules/net/manifests/nftables.pp | 10 ---
 10 files changed, 172 insertions(+), 22 deletions(-)
 delete mode 100644 cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
 create mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/Caddyfile
 create mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/daemon.json
 create mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
 create mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/rotate-certs.sh
 create mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service
 create mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise.sh
 create mode 100644 global/overlay/etc/puppet/modules/net/manifests/cisoassistant.pp
 delete mode 100644 global/overlay/etc/puppet/modules/net/manifests/nftables.pp
diff --git a/cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml b/cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
deleted file mode 100644
index 88b5d02..0000000
--- a/cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-sunet::nftables::allow::rules:
- allow_access_to_cisoassistant:
- from: 'any'
- port: 8443
- to: 'any'
- proto: 'tcp'
- allow_access_to_cisoassistant_api:
- from: 'any'
- port: 9443
- to: 'any'
- proto: 'tcp'
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 6b44da1..8470c13 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -146,7 +146,7 @@ nifrontend-sto1-prod-1.sunet.se:
 port: '443'
 cisoas-sto4-prod-1.sunet.se:
- net::nftables:
+ net::cisoassistant:
 sunet::dehydrated::client:
 domain: cisoas-sto4-prod-1.sunet.se
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/Caddyfile b/global/overlay/etc/puppet/modules/net/files/cisoassistant/Caddyfile
new file mode 100644
index 0000000..f22a7b4
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/Caddyfile
@@ -0,0 +1,8 @@
+cisoas.sunet.se:8443 {
+ reverse_proxy frontend:3000
+ tls /certs/cert.pem /certs/key.pem
+}
+cisoas-api.sunet.se:9443 {
+ reverse_proxy backend:8000
+ tls /certs/cert.pem /certs/key.pem
+}
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/daemon.json b/global/overlay/etc/puppet/modules/net/files/cisoassistant/daemon.json
new file mode 100644
index 0000000..63f418f
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/daemon.json
@@ -0,0 +1,3 @@
+{
+ "iptables": false
+}
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml b/global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
new file mode 100644
index 0000000..8355c27
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml
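Review bot: Both site blocks terminate TLS for `cisoas.sunet.se` and `cisoas-api.sunet.se` with the certificate in `/certs`, but that directory is the dehydrated output for `cisoas-sto4-prod-1.sunet.se`, the only domain cosmos-rules.yaml configures for `sunet::dehydrated::client`; unless that certificate also carries SANs for the two public names, browsers will report a hostname mismatch on 8443 and 9443. Either add the two public names to the dehydrated domain list or make the site addresses match the certificate. A leading comment such as `# cert.pem/key.pem are symlinks maintained by rotate-certs.sh and must cover both site names` would make that dependency visible to the next person editing the file.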
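Review bot: `"iptables": false` makes the host's nftables allow rules in cisoassistant.pp the effective filter for the published 8443/9443 ports, which is presumably the intent, but it also stops Docker from installing its own NAT/masquerade rules for the bridge network. Outbound connectivity from the backend, frontend and always-https containers then depends on the host providing masquerading for the docker bridge, which nothing in this commit shows; please confirm the containers can still reach the network before this goes live. JSON allows no comments, so that rationale belongs on the `file { '/etc/docker/daemon.json': ... }` resource in the manifest, e.g. `# iptables=false: host nftables is the only filter; docker does no NAT, so host must masquerade the bridge`.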
@@ -0,0 +1,41 @@
+services:
+ backend:
+ container_name: backend
+ image: ghcr.io/intuitem/ciso-assistant-enterprise-backend:latest
+ restart: always
+ environment:
+ - ALLOWED_HOSTS=backend,cisoas.sunet.se
+ - CISO_ASSISTANT_URL=https://cisoas.sunet.se:8443
+ - DJANGO_DEBUG=True
+ - AUTH_TOKEN_TTL=7200
+ volumes:
+ - ./db:/code/db
+ - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
+
+ frontend:
+ container_name: frontend
+ restart: always
+ environment:
+ - PUBLIC_BACKEND_API_URL=http://backend:8000/api
+ - PROTOCOL_HEADER=x-forwarded-proto
+ - HOST_HEADER=x-forwarded-host
+
+ image: ghcr.io/intuitem/ciso-assistant-enterprise-frontend:latest
+ depends_on:
+ - backend
+ volumes:
+ - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
+
+ caddy:
+ container_name: caddy
+ image: caddy:2.8.4
+ depends_on:
+ - frontend
+ restart: always
+ ports:
+ - 8443:8443
+ - 9443:9443
+ volumes:
+ - ./caddy_data:/data
+ - ./Caddyfile:/etc/caddy/Caddyfile
+ - /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/rotate-certs.sh b/global/overlay/etc/puppet/modules/net/files/cisoassistant/rotate-certs.sh
new file mode 100644
index 0000000..53cd9d8
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/rotate-certs.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se
+
+latest_csr=$(ls -t cert-*.csr | head -n 1)
+latest_cert=$(ls -t cert-*.pem | head -n 1)
+latest_key=$(ls -t privkey-*.pem | head -n 1)
+
+ln -sf "$latest_csr" cert.csr
+ln -sf "$latest_cert" cert.pem
+ln -sf "$latest_key" key.pem
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service b/global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service
new file mode 100644
index 0000000..1e847d4
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service
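Review bot: `DJANGO_DEBUG=True` in the backend environment turns on Django's debug error pages on a host that cosmos-rules.yaml names as production (`cisoas-sto4-prod-1`); those pages expose settings, stack traces and request data to any client that triggers an error, so this should be `DJANGO_DEBUG=False` unless the enterprise image documents otherwise. `ALLOWED_HOSTS=backend,cisoas.sunet.se` also omits `cisoas-api.sunet.se`, the hostname Caddy proxies to `backend:8000` on 9443; Caddy forwards the original Host header by default, so Django would reject those requests until `cisoas-api.sunet.se` is added to the list. The dehydrated directory, private key included, is bind-mounted into the backend and frontend containers although only the caddy service references `/certs` in the Caddyfile; removing those two mounts keeps the key confined to the TLS terminator. Both application images use `:latest`, which together with the weekly `update-cisoas-enterprise.sh` cron job means untested upstream changes land in production automatically; pinning a version tag or digest is worth considering.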
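Review bot: The `cd` on line 3 is unchecked, so if the dehydrated directory is missing the three `ln -sf` calls run in the cron job's working directory, create dangling `cert.pem`/`key.pem` links there, and the script still exits 0 and satisfies the `exit_status=0` criterion in the manifest. Add `set -euo pipefail` after the shebang and change the directory change to `cd /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se || exit 1`; with `set -e` an empty glob in the `ls -t` calls also becomes a reported failure instead of an empty link target. Selecting the certificate and the key independently by mtime can pair a new key with an older certificate if the two are written at different moments; deriving the key name from the chosen certificate's suffix, or reusing the `cert.pem`/`privkey.pem` links if dehydrated maintains them in this directory, avoids that.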
@@ -0,0 +1,18 @@
+[Unit]
+Description=Jenkins CI application
+After=docker.service
+BindsTo=docker.service
+Conflicts=shutdown.target reboot.target halt.target
+
+[Service]
+TimeoutStartSec=0
+TimeoutStopSec=30
+Restart=always
+RestartSec=10
+SyslogIdentifier=sunet-jenkins
+WorkingDirectory=/opt/cisoas/ciso-assistant-community/enterprise
+ExecStart=/usr/local/bin/docker-compose up -d
+ExecStop=/usr/local/bin/docker-compose stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise.sh b/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise.sh
new file mode 100644
index 0000000..d234a63
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise.sh
@@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+cd /opt/cisoas/ciso-assistant-community/enterprise
+pushd ..
+./update-ciso-assistant.sh enterprise
+popd
diff --git a/global/overlay/etc/puppet/modules/net/manifests/cisoassistant.pp b/global/overlay/etc/puppet/modules/net/manifests/cisoassistant.pp
new file mode 100644
index 0000000..9a72688
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/manifests/cisoassistant.pp
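Review bot: `ExecStart=/usr/local/bin/docker-compose up -d` returns as soon as the containers are started, and with no `Type=` line the unit defaults to `Type=simple`, so systemd treats the exit as the service ending and `Restart=always` with `RestartSec=10` re-runs `docker-compose up -d` every ten seconds for as long as the unit is active. Use `Type=oneshot` with `RemainAfterExit=yes` and drop the `Restart=`/`RestartSec=` lines, or run `up` in the foreground without `-d` and keep the restart settings. `Description=Jenkins CI application` and `SyslogIdentifier=sunet-jenkins` look copied from another unit and will mislabel this service's journal entries; `Description=CISO Assistant (docker-compose)` and `SyslogIdentifier=sunet-cisoas` match the unit name.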
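Review bot: Neither the `cd` nor the `pushd` is checked, so if the checkout is missing the script runs `./update-ciso-assistant.sh` relative to whatever the cron job's current directory happens to be; `set -euo pipefail` after the shebang makes each failing step abort with a non-zero status that the scriptherder `exit_status=0` check will surface. The script runs weekly from cron and delegates to the upstream `update-ciso-assistant.sh`, which is not part of this commit, so what it pulls and whether it verifies anything is not visible here; a header comment such as `# Wraps upstream update-ciso-assistant.sh; runs unattended from the weekly scriptherder cron job` would tell the next reader where to look. `#! /usr/bin/env bash` with a space after `#!` works on Linux but differs from the `#!/bin/bash` used in rotate-certs.sh in the same commit.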
@@ -0,0 +1,85 @@
+class net::cisoassistant {
+ $nftables_rules = {
+ 'allow_access_to_cisoassistant' => {
+ from => 'any',
+ port => 8443,
+ to => 'any',
+ proto => 'tcp',
+ },
+ 'allow_access_to_cisoassistant_api' => {
+ from => 'any',
+ port => 9443,
+ to => 'any',
+ proto => 'tcp',
+ },
+ 'allow_access_to_always_https_acme_c' => {
+ from => 'any',
+ port => 9443,
+ to => 'any',
+ proto => 'tcp',
+ },
+ }
+ $nftables_rules.each |$name, $params| {
+ sunet::nftables::allow { $name:
+ * => $params,
+ }
+ }
+ sunet::docker_compose { 'always-https':
+ image => 'docker.sunet.se/always-https',
+ ports => ['80:80'],
+ env => ['ACME_URL=http://acme-c.sunet.se/'],
+ }
+ file { '/etc/docker/daemon.json':
+ mode => '0744',
+ owner => 'root',
+ group => 'root',
+ content => file('cisoassistant/daemon.json'),
+ }
+ file { '/opt/cisoas/ciso-assistant-community/enterprise/docker-compose.yml':
+ mode => '0744',
+ owner => 'root',
+ group => 'root',
+ content => file('cisoassistant/docker-compose.yml'),
+ }
+ file { '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh':
+ mode => '0744',
+ owner => 'root',
+ group => 'root',
+ content => file('cisoassistant/update-cisoas-enterprise.sh'),
+ }
+ sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
+ cmd => '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh',
+ weekday => 'Saturday',
+ ok_criteria => ['exit_status=0', 'max_age=10d'],
+ }
+ file { '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh':
+ mode => '0744',
+ owner => 'root',
+ group => 'root',
+ content => file('cisoassistant/rotate-certs.sh'),
+ }
+ sunet::scriptherder::cronjob { 'Rotate le certificates':
+ cmd => '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh',
+ hour => '1',
+ ok_criteria => ['exit_status=0', 'max_age=48h'],
+ }
+ file { '/opt/cisoas/ciso-assistant-community/enterprise/Caddyfile':
+ mode => '0744',
+ owner => 'root',
+ group => 'root',
+ content => file('cisoassistant/Caddyfile'),
+ }
+ file { "/etc/systemd/system/sunet-cisoas.service":
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ content => file('cisoassistant/sunet-cisoas.service'),
+ notify => [Class['sunet::systemd_reload']],
+ }
+ service { 'sunet-cisoas' :
+ ensure => 'running',
+ enable => true,
+ require => File['/etc/systemd/system/sunet-cisoas.service'],
+ provider => 'systemd',
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/net/manifests/nftables.pp b/global/overlay/etc/puppet/modules/net/manifests/nftables.pp
deleted file mode 100644
index ff06af8..0000000
--- a/global/overlay/etc/puppet/modules/net/manifests/nftables.pp
+++ /dev/null
@@ -1,10 +0,0 @@
-class net::nftables {
- $nftables_rules = lookup('sunet::nftables::allow::rules', Hash, 'deep', {})
-
- $nftables_rules.each |$name, $params| {
- sunet::nftables::allow { $name:
- * => $params,
- }
- }
-
-}
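Review bot: The `allow_access_to_always_https_acme_c` rule opens tcp/9443, which `allow_access_to_cisoassistant_api` already opens, while the `always-https` compose service it appears to exist for publishes `80:80`; this reads as a copy-paste leftover and the rule presumably wants `port => 80,`, otherwise the always-https container is unreachable from outside and the rule is a duplicate. `daemon.json`, `docker-compose.yml` and `Caddyfile` are installed with `mode => '0744'`, which sets an executable bit on non-executable content; `'0644'` is the conventional mode for them, with `'0755'` for the two scripts. None of the compose, Caddyfile or script resources notify `Service['sunet-cisoas']`, so a changed compose file or Caddyfile is not applied until a reboot or a manual restart; `notify => Service['sunet-cisoas']` on the compose and Caddyfile resources would close that gap. The `/opt/cisoas/ciso-assistant-community/enterprise` directory the files are written into is neither created nor cloned by this manifest, so the first run on a fresh host will fail unless the checkout is provisioned elsewhere; a `file { '/opt/cisoas': ensure => directory }` resource or a comment stating where the clone comes from would make that explicit.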