SUNET/net-ops
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

first draft of cisoassistant manifest

Browse source
This commit is contained in:
Rasmus Thorslund 2025-01-31 13:19:49 +01:00
parent efc1c46fc0
commit 6b03e058d3
No known key found for this signature in database
GPG key ID: 502D33332E9E305D
10 changed files with 172 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
View file

@ -1,11 +0,0 @@
sunet::nftables::allow::rules:
allow_access_to_cisoassistant:
from: 'any'
port: 8443
to: 'any'
proto: 'tcp'
allow_access_to_cisoassistant_api:
from: 'any'
port: 9443
to: 'any'
proto: 'tcp'

2
global/overlay/etc/puppet/cosmos-rules.yaml
View file

@ -146,7 +146,7 @@ nifrontend-sto1-prod-1.sunet.se:
port: '443' port: '443'
cisoas-sto4-prod-1.sunet.se: cisoas-sto4-prod-1.sunet.se:
net::nftables: net::cisoassistant:
sunet::dehydrated::client: sunet::dehydrated::client:
domain: cisoas-sto4-prod-1.sunet.se domain: cisoas-sto4-prod-1.sunet.se

8
global/overlay/etc/puppet/modules/net/files/cisoassistant/Caddyfile Normal file
View file

@ -0,0 +1,8 @@
cisoas.sunet.se:8443 {
reverse_proxy frontend:3000
tls /certs/cert.pem /certs/key.pem
}
cisoas-api.sunet.se:9443 {
reverse_proxy backend:8000
tls /certs/cert.pem /certs/key.pem
}

3
global/overlay/etc/puppet/modules/net/files/cisoassistant/daemon.json Normal file
View file

@ -0,0 +1,3 @@
{
"iptables": false
}

41
global/overlay/etc/puppet/modules/net/files/cisoassistant/docker-compose.yml Normal file
View file

@ -0,0 +1,41 @@
services:
backend:
container_name: backend
image: ghcr.io/intuitem/ciso-assistant-enterprise-backend:latest
restart: always
environment:
- ALLOWED_HOSTS=backend,cisoas.sunet.se
- CISO_ASSISTANT_URL=https://cisoas.sunet.se:8443
- DJANGO_DEBUG=True
- AUTH_TOKEN_TTL=7200
volumes:
- ./db:/code/db
- /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
frontend:
container_name: frontend
restart: always
environment:
- PUBLIC_BACKEND_API_URL=http://backend:8000/api
- PROTOCOL_HEADER=x-forwarded-proto
- HOST_HEADER=x-forwarded-host
image: ghcr.io/intuitem/ciso-assistant-enterprise-frontend:latest
depends_on:
- backend
volumes:
- /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs
caddy:
container_name: caddy
image: caddy:2.8.4
depends_on:
- frontend
restart: always
ports:
- 8443:8443
- 9443:9443
volumes:
- ./caddy_data:/data
- ./Caddyfile:/etc/caddy/Caddyfile
- /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se:/certs

11
global/overlay/etc/puppet/modules/net/files/cisoassistant/rotate-certs.sh Normal file
View file

@ -0,0 +1,11 @@
#!/bin/bash
cd /etc/dehydrated/certs/cisoas-sto4-prod-1.sunet.se
latest_csr=$(ls -t cert-*.csr | head -n 1)
latest_cert=$(ls -t cert-*.pem | head -n 1)
latest_key=$(ls -t privkey-*.pem | head -n 1)
ln -sf "$latest_csr" cert.csr
ln -sf "$latest_cert" cert.pem
ln -sf "$latest_key" key.pem

18
global/overlay/etc/puppet/modules/net/files/cisoassistant/sunet-cisoas.service Normal file
View file

@ -0,0 +1,18 @@
[Unit]
Description=Jenkins CI application
After=docker.service
BindsTo=docker.service
Conflicts=shutdown.target reboot.target halt.target
[Service]
TimeoutStartSec=0
TimeoutStopSec=30
Restart=always
RestartSec=10
SyslogIdentifier=sunet-jenkins
WorkingDirectory=/opt/cisoas/ciso-assistant-community/enterprise
ExecStart=/usr/local/bin/docker-compose up -d
ExecStop=/usr/local/bin/docker-compose stop
[Install]
WantedBy=multi-user.target

5
global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise.sh Normal file
View file

@ -0,0 +1,5 @@
#! /usr/bin/env bash
cd /opt/cisoas/ciso-assistant-community/enterprise
pushd ..
./update-ciso-assistant.sh enterprise
popd

85
global/overlay/etc/puppet/modules/net/manifests/cisoassistant.pp Normal file
View file

@ -0,0 +1,85 @@
class net::cisoassistant {
$nftables_rules = {
'allow_access_to_cisoassistant' => {
from => 'any',
port => 8443,
to => 'any',
proto => 'tcp',
},
'allow_access_to_cisoassistant_api' => {
from => 'any',
port => 9443,
to => 'any',
proto => 'tcp',
},
'allow_access_to_always_https_acme_c' => {
from => 'any',
port => 9443,
to => 'any',
proto => 'tcp',
},
}
$nftables_rules.each |$name, $params| {
sunet::nftables::allow { $name:
* => $params,
}
}
sunet::docker_compose { 'always-https':
image => 'docker.sunet.se/always-https',
ports => ['80:80'],
env => ['ACME_URL=http://acme-c.sunet.se/'],
}
file { '/etc/docker/daemon.json':
mode => '0744',
owner => 'root',
group => 'root',
content => file('cisoassistant/daemon.json'),
}
file { '/opt/cisoas/ciso-assistant-community/enterprise/docker-compose.yml':
mode => '0744',
owner => 'root',
group => 'root',
content => file('cisoassistant/docker-compose.yml'),
}
file { '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh':
mode => '0744',
owner => 'root',
group => 'root',
content => file('cisoassistant/update-cisoas-enterprise.sh'),
}
sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
cmd => '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh',
weekday => 'Saturday',
ok_criteria => ['exit_status=0', 'max_age=10d'],
}
file { '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh':
mode => '0744',
owner => 'root',
group => 'root',
content => file('cisoassistant/rotate-certs.sh'),
}
sunet::scriptherder::cronjob { 'Rotate le certificates':
cmd => '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh',
hour => '1',
ok_criteria => ['exit_status=0', 'max_age=48h'],
}
file { '/opt/cisoas/ciso-assistant-community/enterprise/Caddyfile':
mode => '0744',
owner => 'root',
group => 'root',
content => file('cisoassistant/Caddyfile'),
}
file { "/etc/systemd/system/sunet-cisoas.service":
mode => '0644',
owner => 'root',
group => 'root',
content => file('cisoassistant/sunet-cisoas.service'),
notify => [Class['sunet::systemd_reload']],
}
service { 'sunet-cisoas' :
ensure => 'running',
enable => true,
require => File['/etc/systemd/system/sunet-cisoas.service'],
provider => 'systemd',
}
}

10
global/overlay/etc/puppet/modules/net/manifests/nftables.pp
View file

@ -1,10 +0,0 @@
class net::nftables {
$nftables_rules = lookup('sunet::nftables::allow::rules', Hash, 'deep', {})
$nftables_rules.each |$name, $params| {
sunet::nftables::allow { $name:
* => $params,
}
}
}