# Class to run Satosa in docker-compose class soc::satosa( Optional[String] $ext_cert = undef, Optional[String] $ext_cert_key = undef, Optional[String] $ext_cert_vol = undef, Optional[String] $dehydrated_name = undef, String $image = 'docker.sunet.se/satosa', String $interface = $::facts['interface_default'], String $satosa_tag = '8.4.0', Optional[String] $redirect_uri = lookup('redirect_uri', Optional[String], undef, ''), Boolean $enable_oidc = false, ) { if ($::facts['sunet_satosa_exists'] == 'yes') { $service_to_notify = Service['sunet-satosa'] } else { $service_to_notify = undef } $proxy_conf = lookup('satosa_proxy_conf', undef, undef, undef) $default_conf = { 'STATE_ENCRYPTION_KEY' => lookup('satosa_state_encryption_key', undef, undef, undef), 'USER_ID_HASH_SALT' => lookup('satosa_user_id_hash_salt', undef, undef, undef), 'CUSTOM_PLUGIN_MODULE_PATHS' => ['plugins'], 'COOKIE_STATE_NAME' => 'SATOSA_STATE' } $merged_conf = merge($proxy_conf,$default_conf) ensure_resource('file','/etc', { ensure => directory } ) ensure_resource('file','/etc/satosa', { ensure => directory } ) ensure_resource('file','/etc/satosa/', { ensure => directory } ) ensure_resource('file','/etc/satosa/run', { ensure => directory } ) ensure_resource('file','/etc/satosa/plugins', { ensure => directory } ) ensure_resource('file','/etc/satosa/metadata', { ensure => directory } ) ensure_resource('file','/etc/satosa/md-signer2.crt', { content => file('sunet/md-signer2.crt') }) ['backend','frontend','metadata'].each |$id| { if lookup("satosa_${id}_key", undef, undef, undef) != undef { sunet::snippets::secret_file { "/etc/satosa/${id}.key": hiera_key => "satosa_${id}_key" } # assume cert is in cosmos repo } else { # make key pair sunet::snippets::keygen {"satosa_${id}": key_file => "/etc/satosa/${id}.key", cert_file => "/etc/satosa/${id}.crt" } } } file {'/etc/satosa/proxy_conf.yaml': content => inline_template("<%= @merged_conf.to_yaml %>\n"), notify => $service_to_notify, } $plugins = lookup('satosa_config', undef, undef, undef) sort(keys($plugins)).each |$n| { $conf = lookup($n) $fn = $plugins[$n] file { $fn: content => inline_template("<%= @conf.to_yaml %>\n"), notify => $service_to_notify, } } $json_configs = lookup('satosa_json_config', undef, undef, {}) sort(keys($json_configs)).each |$n| { $conf = lookup($n) $fn = $json_configs[$n] file { $fn: content => inline_template("<%= @conf.to_json %>\n"), notify => $service_to_notify, } } if $::facts['sunet_nftables_enabled'] == 'yes' { sunet::nftables::docker_expose { 'allow_https' : iif => $interface, allow_clients => 'any', port => 443, } } else { sunet::misc::ufw_allow { 'allow-https': from => 'any', port => '443' } } $dehydrated_status = $dehydrated_name ? { undef => 'absent', default => 'present' } if ($dehydrated_name) { class { 'sunet::dehydrated::client': domain => $dehydrated_name, ssl_links => true, } if $::facts['sunet_nftables_enabled'] == 'yes' { sunet::nftables::docker_expose { 'allow_http' : iif => $interface, allow_clients => 'any', port => 80, } } else { sunet::misc::ufw_allow { 'allow-http': from => 'any', port => '80' } } file { '/etc/satosa/https.key': ensure => link, target => "/etc/dehydrated/certs/${dehydrated_name}.key" } file { '/etc/satosa/https.crt': ensure => link, target => "/etc/dehydrated/certs/${dehydrated_name}/fullchain.pem" } } elsif ($ext_cert) and ($ext_cert_key) { file { '/etc/satosa/https.key': ensure => link, target => $ext_cert_key } file { '/etc/satosa/https.crt': ensure => link, target => $ext_cert } } else { sunet::snippets::keygen {'satosa_https': key_file => '/etc/satosa/https.key', cert_file => '/etc/satosa/https.crt' } } service {'docker-satosa.service': ensure => 'stopped', enable => false, } service {'docker-alwayshttps.service': ensure => 'stopped', enable => false, } sunet::docker_compose { 'satosa_compose': content => template('soc/satosa/docker-compose.yml.erb'), service_name => 'satosa', compose_dir => '/opt/', compose_filename => 'docker-compose.yml', description => 'Satosa', } }