cisoassitant stuffs

global/overlay/etc/puppet/modules/net/files/cisoassistant/update-ciso-assistant.sh

@@ -0,0 +1,22 @@
+#! /usr/bin/env bash
+set -euo pipefail
+
+DB_FILE="db/ciso-assistant.sqlite3"
+BACKUP_FILE="ciso-assistant-backup.sqlite3"
+
+# Backup the database
+if [ ! -f "$DB_FILE" ]; then
+  echo "Error: No database found, please initialize CISO Assistant first"
+  exit 1
+else
+  cp "$DB_FILE" "$BACKUP_FILE"
+  echo "Backup of the database created in $BACKUP_FILE"
+fi
+
+# Stop and clean the containers
+docker compose rm -fs
+
+# note: the rmi trick is not needed anymore since we move to always pull policy
+# Start the containers
+docker compose up -d
+echo "CISO assistant updated successfully"

global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise_test.sh

@@ -0,0 +1,4 @@
+cd /opt/cisoas/
+pushd ..
+./update-ciso-assistant.sh enterprise
+popd

global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp

@@ -1,8 +1,8 @@
-class net::cisoassistant_test {
+class net::cisoassistant_test ($ciso_service_name='') {
   $nftables_rules = {
     'allow_access_to_cisoassistant' => {
       from  => 'any',
-      port  => 443,
+      port  => 8443,
       to    => 'any',
       proto => 'tcp',
     },
@@ -39,8 +39,22 @@ class net::cisoassistant_test {
     mode    => '0744',
     owner   => 'root',
     group   => 'root',
-    content => file('net/cisoassistant/update-cisoas-enterprise.sh'),
+    content => file('net/cisoassistant/update-cisoas-enterprise_test.sh'),
   }
+
+  file { '/opt/cisoas/update-ciso-assistant.sh':
+    mode    => '0744',
+    owner   => 'root',
+    group   => 'root',
+    content => file('net/cisoassistant/update-ciso-assistant.sh'),
+  }
+
+  file { '/opt/cisoas/Caddyfile':
+    owner   => 'root',
+    group   => 'root',
+    content => template('net/cisoassistant/Caddyfile.erb'),
+  }
+
   sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
     cmd         => '/opt/cisoas/update-cisoas-enterprise.sh',
     weekday     => 'Saturday',

global/overlay/etc/puppet/modules/net/templates/cisoassistant/Caddyfile.erb

@@ -0,0 +1,8 @@
+<%= @ciso_service_name %>:8443 {
+    reverse_proxy frontend:3000
+    tls /certs/cert.pem /certs/key.pem
+}
+cisoas-api.sunet.se:9443 {
+    reverse_proxy backend:8000
+    tls /certs/cert.pem /certs/key.pem
+}

global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb

@@ -10,3 +10,49 @@ services:
     environment:
       - ACME_URL=http://acme-c.sunet.se/
 
+  backend:
+    container_name: backend
+    image: ghcr.io/intuitem/ciso-assistant-enterprise-backend:latest
+    restart: always
+    environment:
+      - ALLOWED_HOSTS=backend,<%= @ciso_service_name %>
+      - CISO_ASSISTANT_URL=https://<%= @ciso_service_name %>:8443
+      - DJANGO_DEBUG=True
+      - AUTH_TOKEN_TTL=7200
+      - LICENSE_SEATS=3000
+    volumes:
+      - ./db:/code/db
+      - /etc/dehydrated/certs/<%= @ciso_service_name %>pem:/certs/cert.pem
+      - /etc/dehydrated/certs/<%= @ciso_service_name %>.key:/certs/key.pem
+
+  frontend:
+    container_name: frontend
+    restart: always
+    environment:
+      - PUBLIC_BACKEND_API_URL=http://backend:8000/api
+      - PUBLIC_BACKEND_API_EXPOSED_URL=https://<%= @ciso_service_name %>:9443/api
+      - PROTOCOL_HEADER=x-forwarded-proto
+      - HOST_HEADER=x-forwarded-host
+
+    image: ghcr.io/intuitem/ciso-assistant-enterprise-frontend:latest
+    depends_on:
+      - backend
+    volumes: 
+      - /etc/dehydrated/certs/<%= @ciso_service_name %>.pem:/certs/cert.pem
+      - /etc/dehydrated/certs/<%= @ciso_service_name %>.key:/certs/key.pem
+
+  caddy:
+    container_name: caddy
+    image: caddy:2.8.4
+    depends_on:
+      - frontend
+        #    restart: always
+    ports:
+      - 8443:8443
+      - 9443:9443
+    volumes:
+      - ./caddy_data:/data
+      - ./Caddyfile:/etc/caddy/Caddyfile
+      - /etc/dehydrated/certs/<%= @ciso_service_name %>.pem:/certs/cert.pem
+      - /etc/dehydrated/certs/<%= @ciso_service_name %>.key:/certs/key.pem
+