net-ops/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp

class net::cisoassistant_test ($ciso_service_name='',
                               $ciso_api_service_name='',
                               $postgres_docker_tag='' ) {
  $nftables_rules = {
    'allow_access_to_cisoassistant' => {
      from  => 'any',
      port  => 443,
      to    => 'any',
      proto => 'tcp',
    },
    'allow_access_to_cisoassistant_api' => {
      from  => 'any',
      port  => 9443,
      to    => 'any',
      proto => 'tcp',
    },
    'allow_access_to_always_https_acme_c' => {
      from  => 'any',
      port  => 80,
      to    => 'any',
      proto => 'tcp',
    },
    'allow_access_to_postgres' => {
      from  => 'any',
      port  => 5432,
      to    => 'any',
      proto => 'tcp',
    },
  }
  $nftables_rules.each |$name, $params| {
    sunet::nftables::allow { $name:
      * => $params,
    }
  }

  $postgres_admin_password = safe_hiera('postgres_admin_password')
  $postgres_user_password = safe_hiera('postgres_user_password')

  if $postgres_docker_tag {

    sunet::docker_compose {'cisoas':
      service_name => 'cisoas',
      description  => 'CISO Assistant',
      compose_dir  => '/opt',
      compose_filename => 'docker-compose.yml',
      content => template('net/cisoassistant/docker-compose.yml.erb'),
    }
  }

  sunet::misc::create_dir { "/opt/cisoas/postgresql/": owner => 'root', group => 'root', mode => '0755', }
  sunet::misc::create_dir { "/opt/cisoas/postgresql/init/": owner => 'root', group => 'root', mode => '0755', }
  sunet::misc::create_dir { "/opt/cisoas/backup/postgres/": owner => 'root', group => 'root', mode => '0777', }

  sunet::misc::create_cfgfile { "/opt/cisoas/postgresql/init/init-db.sh":
    content => template('net/cisoassistant/init-db.sh.erb'),
    group   => 'root',
    mode    => '0755',
  } ->

  file { '/opt/cisoas/update-cisoas-enterprise.sh':
    mode    => '0744',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/update-cisoas-enterprise_test.sh'),
  } ->

  file { '/opt/cisoas/update-ciso-assistant.sh':
    mode    => '0744',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/update-ciso-assistant.sh'),
  } ->

  file { '/opt/cisoas/Caddyfile':
    owner   => 'root',
    group   => 'root',
    content => template('net/cisoassistant/Caddyfile.erb'),
  } ->

  sunet::scriptherder::cronjob { 'upgrade cisoassistant images':
    cmd         => '/opt/cisoas/update-cisoas-enterprise.sh',
    minute        => '10',
    hour          => '7',
    weekday     => 'Saturday',
    ok_criteria => ['exit_status=0', 'max_age=10d'],
  }

}