addhost

@@ -13,12 +13,12 @@ function usage() {
    echo "  <host> can be an IP number, or something that resolves to one"
 }
 
-while getopts "bhn:p:" this; do
+while getopts "bhnp:" this; do
    case "${this}" in
       h) usage; exit 0;;
       b) cmd_do_bootstrap="yes" ;;
-      n) cmd_fqdn="${OPTARG}" ;;
-      p) cmd_proxy="${OPTARG}" ;;
+      n) cmd_fqdn="${OPTARG}" ; shift ;;
+      p) cmd_proxy="${OPTARG}" ; shift ;;
       *) echo "Unknown option ${this}"; echo ""; usage; exit 1;;
    esac
 done

edit-secrets

@@ -67,39 +67,6 @@ function patch_broken_eyaml {
                next if @@plugins.include? spec
 
                dependency = spec.dependencies.find { |d| d.name == "hiera-eyaml" }
-EOF
-            fi
-        fi
-    fi
-
-    #
-    # Ubuntu 24.04 (noble) has a hiera-eyaml version that is incompatible with ruby 3.2+ (default in ubuntu24).
-    # This is fixed in hiera-eyaml version 3.3.0: https://github.com/voxpupuli/hiera-eyaml/pull/340/files
-    # https://github.com/voxpupuli/hiera-eyaml/blob/master/CHANGELOG.md
-    # But there is no modern version of hiera-eyaml packaged in debian or ubuntu.
-    # https://github.com/puppetlabs/puppet/wiki/Puppet-8-Compatibility#filedirexists-removed
-    #
-
-    . /etc/os-release
-    if [ "${VERSION_CODENAME}" == "noble" ]; then
-        plugins_file="/usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb"
-        if [ -f $plugins_file ]; then
-            # We only want to try patching the file if it is the known broken version
-            bad_sum="59c6eb910ab2eb44f8c75aeaa79bff097038feb673b5c6bdccde23d9b2a393e2"
-            sum=$(sha256sum $plugins_file | awk '{print $1}')
-            if [ "$sum" == "$bad_sum" ]; then
-                patch --fuzz=0 --directory=/ --strip=0 <<'EOF'
---- /usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb.orig	2022-06-11 16:30:10.000000000 +0000
-+++ /usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb	2024-09-09 14:13:19.306342025 +0000
-@@ -59,7 +59,7 @@
-             Optimist::die "You must specify an eyaml file" if ARGV.empty?
-             options[:source] = :eyaml
-             options[:eyaml] = ARGV.shift
--            if File.exists? options[:eyaml]
-+            if File.exist? options[:eyaml]
-               begin
-                 options[:input_data] = File.read options[:eyaml]
-               rescue
 EOF
             fi
         fi

global/overlay/etc/cosmos/keys/mifr-12EC78B529FCAD13353D7FA81467F9D69135C236.pub

@@ -81,6 +81,19 @@ ATNboq9+1hFENfSHDP9NExHqzTLZUGjAd5JRcZIpbvEO1itthdeO6er2iZNlZzUm
 qZDkO6vJP0UnKRdaVuG6TYej05FfxPY/ZvGqZbrFsDcaMXbCXMjGJJ9dEggP18Z4
 hLxIRDKfW64TvA0w2sPTunlcRKfNNnW2MHnQv2lWQy/oHxnlQh2Zzkn77k2AMtw6
 QCCzgEALdJiIefDGyoMILOpIb4mPtqWnhjvPhuytch1JW1H5YulZyVr0T1whuCRs
-2pjl5gUpzn/SjFENwHC9Dd0ZDv2+z5ibNXfKavlKay+m/c1gd2tNj6YAV5w=
-=zQCG
+2pjl5gUpzn/SjFENwHC9Dd0ZDv2+z5ibNXfKavlKay+m/c1gd2tNj6YAV5yYUgRl
+AwTkEwgqhkjOPQMBBwIDBB6SMfzxHqr+rG85SRcNMPrZsnOJvVLdCijKy6ZGNHW3
+ZVCunBAcfC5j9KkTV7R4YOH8l4XtRFqnYbJhZ2+VQBC0GkJhY2t1cCBLZXkgPG1p
+ZnJAc3VuZXQuc2U+iHIEExMKABoECwkIBwIVCgIWAQIZAQWCZQME5AKeAQKbAwAK
+CRCpbwwbuJXMNqZfAQDrZnyTcTFlVQmy6JBeA0CO2V8c1Getz5xhUjHbYHRlSAEA
+/SAiszn3Ds+WX41IAcAa1oZGx9ivJ/O+cnQG5mfqzNK4VgRlAwTkEggqhkjOPQMB
+BwIDBCJsT2oP3pehS3ClnQww1xAKgkCaQASwy1U6liGUTecZbY6nWt9Kd2GWiUKi
+w3f3sKNTXJMjyhR2OTSWckG+pAgDAQgHiGAEGBMKAAkFgmUDBOQCmwwACgkQqW8M
+G7iVzDYSpgD4qvfD3h5FnNxRJ9tF2Wd1eIxKALI2xQawJz59GqpRjQD8DFlSO8Mk
+yRmtphqL7dY+HuU273hkQtEoszAVPy/ZB7+4UgRlAwTkEwgqhkjOPQMBBwIDBH7K
+FxRRCUm1vgAJiY5sviMZYt1qkbUXTHzqaglm9OeJ5p2lZVuUqF9T/HDRvPcH0UXv
+1Uh4Ev29BesJMedjUKiIYQQYEwoACQWCZQME5AKbIAAKCRCpbwwbuJXMNhUlAP9t
+igTIXTqXQ/6oL/RT8HOtsuWhZ9J0/xGPSAinHRGfvQEAxDTdW5XgnhZNZjoaMgeO
+dUUP1SI9AE9TBLNixv+L/Ic=
+=epUM
 -----END PGP PUBLIC KEY BLOCK-----

global/overlay/etc/cosmos/keys/patlu-CF978102AD0631FB083A1338A0A812BA2249F294.pub

@@ -12,19 +12,19 @@ aIOMt+76RePoQ8G5Be1fcB+M1wd2fSA1jyhc6Xa4da7o23dC4y7+gsAcfx4lFbfn
 5JoeN3+arJHtFgFNGpVwVhhHKuubNwyNn9V8XoRiWGACFa3BHeCTnI+ZNhaN/CmI
 CPwxnUTTh1Ow5yTs/hTq2oA1XOL+4LYuA+W1WkrXAtsb8nyBSGe77tBpfQARAQAB
 tB5QYXRyaWsgTHVuZGluIDxwYXRsdUBzdW5ldC5zZT6JAlQEEwEKAD4CGwMFCwkI
-BwMFFQoJCAsFFgIDAQACHgUCF4AWIQTPl4ECrQYx+wg6EzigqBK6IknylAUCaBII
-1QUJCMeoxgAKCRCgqBK6IknylKiyD/9aseKVYYXuRKL9vZO1reRnt+EXUIKPivFt
-EZ3+HGvgivR8mJPsuZomi7WQkQ6HlJU/JxwXJPJGMYJg3st5CcQ4/ove08Vt9mZV
-h5XAzcc9RdVhQ/0yKdQ1kDSuPH8neH4iPTpwwoocRjmKShiiH4Bwc1AY6kJISQ1U
-/kjj89gQS9Nzb21IS3CeSBa3E1XQQBThre90EBmYUPleTau2Hiem38KbZzmE4m7k
-6A7brdeh3vvCiN2Ms5o5RUI3sWkzrXPs1pAR3cvnCymymA1EsBdGDuhP7q7P8D8i
-SFM63pYE/fUB1iYVhaoLi/y0lbwYHi5MpRID/QkbJSKkau2AEtkSLiVO/5Jcs7sw
-uuuSip8NL10hQAabH7T0fQi2RgFXqA2bpSJTkf6b7WjJkGMiXYliibuNo7ri78Pk
-5hJe3QF1pwmZGJOhyhLbdX2ubWN27dFv3GtCAWHcb+OZJTkXTJfxL7oKZOcgRqz8
-7bhueUNPgUKuPYwvJuswE7/LkTBS0WfrwLfb2FAItQdvw5I3rueL3tkIQhfRaoGR
-R/FIOrd1JDTqtuRdlUo+ZbsLEqc/IYkiGWTyHe6wxSl2unh33t5ioHjCSmihzW4/
-nwT2InRyvvOu194yj2Z24tx7D01xgiDJUCwP03fPC5r1seXPFsYFXcWQp5lt3ua3
-vK2DR71bdbkCDQRjDMcPARAAyJ4o0694O1xM9HvkdBJZ8fsi1oiB/ciVv+TVHoTd
+BwMFFQoJCAsFFgIDAQACHgUCF4AWIQTPl4ECrQYx+wg6EzigqBK6IknylAUCZGIR
+IwUJBRexFAAKCRCgqBK6IknylJAZD/917PTIdJCdy2CHovVUIWr5MI+YiCpd3ndO
+cmlikMTW1N6sX/cw1Mmf77RcodfyAaf7DdcasNedEJ6AsYo5V3S2xx/PBueHY3Rb
+7fpVraq0ksokaoAltUeWfD7yx0/HoxYjSG0EIx18J7tPSJklERp0wwu+1y5kXle3
+KyN4R1Tg5miLAnQvQx316EOQ4prRnfOUS87KZXRa3stCLyxznbOolSLnV156gBEj
+6hV0oo3rkLcFiPm6EdmcfV007EipF4/zPIz4AtJFEbaYuX6aNCS2L8X1shOB0V1R
+5bdy68liDtCRCetp/jabOxVuIcXUHzBQUp+la99vJpvCLP9I+oYBcmpeHmno6UeR
+t87nmtBJY+nM1oajZiOswZnscMV7/UfyzSFzG5brjeRc4WkbuC9L4UFYOi1EHQtj
+o8TyHpFFWm0H/ZNcCbzxEW6H0TEi+iV39p1wTzoRWAqJZl1RdKvjuSyEyRdqrO+k
+RaBD2HfTzdHDqV9ZLkOhHMA4XD+h0x8dPn8g/cx1zK+asCGSLUztepLIyq5MHX0q
+m3bDiHNys2F2VkVh9rekWSWz3EAXOYz0sDNJqM+kn+9iyKJaPErtaYYehPucyCoj
+d9w+c8sn69a0KDIvxEBBmxWVcGqWFtCPzMezuQy6Bq3b4sQQCedg9w3gj/eUMHwu
+PP9jQ77UsrkCDQRjDMcPARAAyJ4o0694O1xM9HvkdBJZ8fsi1oiB/ciVv+TVHoTd
 MAzKK9J7z52X69tdPPuHvGCel+2RdEPyyFC5+4+D9Y4nmaGf1SrUcd/75kbNPZS2
 ZGr4OM4hJdU2mYUoBCOjunsWTTt6tOkGjZDmVYK9BgdUQ03S1y8JJuUzPzsbpahD
 JH69Eohmy/1cQ/RTAVTKdyMGgC3O/QKtSNP8fwpHgwsdEEiJ0t9BGhec1ZQeNYyi
@@ -35,19 +35,19 @@ nEEM4shWW1oPlT6LRiCYo4NFi2hIrd3T8JUDjxwkLwO4wLhLxAakb3s5i15u9CYs
 xLgseZscNdzXm20BwAknp9sR+GyAiIjK4iz9kxJybWcdgQNBTce6ZLTQV8zFvTzL
 kah1lq1pVm5WcgJYX7zBtoR3iBNJPPRyNjPfzhZcflKSVUummp6tfM0ZO0t6WiPR
 8d9TBsK8nyvSGMDwl3eiC+Mwp2TI1MJSk+dvJvXysGl+vldbP06BEwqmLF2eBo+a
-w+cAEQEAAYkCPAQYAQoAJgIbDBYhBM+XgQKtBjH7CDoTOKCoEroiSfKUBQJoEgji
-BQkIx6jTAAoJEKCoEroiSfKUCfMP/iQrDlidtXf9AtUJ2GpcP41BlrDc/vVYXkIN
-uOWAJRU7hKP1C1nZMpLfSegmcsuW7kDQgMBYtUcONdI8hr2BGe/NNIrW3gSJwkvv
-lie5qtzamK0roJthOBzNd92JOKOVIhevRgKTTa/sOjBrSBue+VqDafV38Cq01RGc
-YzzUxtkGXyuhi2/DQDUBcHD4+bWVwLQ482RtQfVoSpQlbkTwKAsNZxcvJbqIexJD
-Cq4qP6oCRnLXT+Fl97G0Nh5CA5fQSDgpQ/7WKxRfrA5QhbYctWs3PDtVQMl8x7in
-9TarugmA6R0sGQnYQma0Pak5cUbDsBhzozjK7qRx9wzhSQY3Xm//qJUaqSGGB4W5
-VVa5EMQ3cZ7fuDbe0zzgENpIt17Ca/T7l0yoIj1hNSD8aNkzT9WmL1Uf4yG5P3XG
-Qr0TysYi72hkdreYotGoS0w9LzHhpcK3OebtYnUliKjyDZ1odAyA5cxiCrDjjzNg
-5oAi2ylYsalckDNcdXKBAN/5SHaDtzlxIMeU0Y98aGqRuRI6017mfL2vqjOaFGoe
-i5oh/hMlbgAwnCjvY/z2GAVNITFARHaw4/4cz/ViB0FcuJMgyK+xZWqDL86/WXc2
-EcmdRywqGznJ/UHOsKE2m8t/lvkFVFbqoKFbhF+OAAx35h0kEzShd3uUab7AG1aG
-NCnO2vN5uQINBGMMx3IBEACquMY5L5QIVq2QjLpfitlS1dSitYThlYxCxyhUG7Hl
+w+cAEQEAAYkCPAQYAQoAJgIbDBYhBM+XgQKtBjH7CDoTOKCoEroiSfKUBQJkYhFW
+BQkFF7FHAAoJEKCoEroiSfKUrNUQAJta8xaUFvQEoez14xyRI6TDk+9hQz64GZND
+QK/1VcLqx20KroWsi72EMZibBslWGn4O3GPmfxHJX6iMjQflIMqmddKtIatC0FGF
+B+aq167ujZkj+4wIKXy+Z9l0zZS/gtEUc/q3NeLEswG9b4w0x6IoP4v5y/Eppezp
+oE/kNrqen4fHCNWm5aUP2yWOwGDPUTfOThTRowuGqgW7lJ+XSLm97O7Hu7OOCBFD
+oQvlVaGDqSra8wQHc9vnMSFJ4DJMACgw7iD+gucLHiiuSli482w0s8eZQH0ZSi61
+zNsn7wvsia7+llc6UcKcWpQmWreaEsWn+KluVkDUNvaDoH5vbGYsPrjilI2Ip3+A
+0kK8WuOV8klc5j+stz+NBgcOEtTDZFMSW/jRrR1JE5kqVeeQsYYG7QHIDo1ix5u/
+EL6MGb6BEEUAv/IEcZlGKAe7Acuk+XdXcHM2bEJYQdbCyGjmvis+NDPJPRqtbftL
+wekmFY/qPitdv5eF8Qq6GfvVdAfRQ9GjA/+yavZiMeDs9sC2wGV7yGSaDqgHZFAY
+h4oIIJZ1J6GLkrjXj6hp3ThWPoHm+1pj42oHcPuQFGVdpDbmp8UrpjYlzSYoujvb
+rsjkXP6I1qNAneTD5KUJgdPsCnVL4rJBIbXEmXXD2M09H97CIOaM95XKJFhexmHR
+wZOdW1sAuQINBGMMx3IBEACquMY5L5QIVq2QjLpfitlS1dSitYThlYxCxyhUG7Hl
 5IdM5w+PAm45hb/ensn8e/oWXk/W4NoYTlP22KzFwkEeUNlEq21AdYAcb+MwJdCq
 F/iLP0qpKsznWio7OU3gBn1XqsdVrpewnXIEH9rkin1YIa+m263lrvLKWOhWiu9d
 GyZYlbA3fIivBTad6gplWfMwjfbeS2uxPoLdN1lP7UYWefe9iVXvgVi19omA836f
@@ -58,18 +58,18 @@ FfCvpfz257VAZkVjN8IEfw/WhFxSOwL00pUmTLA/DxVFyHuYvdvEs+FANgXX81v1
 eniExslCcHp9HiOK3odVM1eE02V6O1Kwxyp7cooUEDZ610x0eePhvx20ssTm3qSX
 dWS1rgZ+ZTzhkwxm8OpSFGDrCgxdUs4tmTtjwcUDeOfTu77ef5t3XTqP9QoCz9Cu
 Si3ZfKM9G1FXTcgU9ApEgCqeUA/56RgUjFvwt9TTnC6I71/0E2olIrp3O5B8l1kL
-XQARAQABiQI8BBgBCgAmAhsgFiEEz5eBAq0GMfsIOhM4oKgSuiJJ8pQFAmgSCP4F
-CQjHqIwACgkQoKgSuiJJ8pQUzBAAr2CJXVz6XAEgLDDfIXWZEbdXPRZdKusReCFT
-hucZX1dmI+rELavhV9DMnxStIqG5IbBSf3V4DJx1mFU0Eh9qCB8J9nxFsjW3lRYy
-dgljMPKMBT3s+X2i3X+kPLvTBp3qG7eujxYKWVTCG1CSY8dn0TjvItPlKqKOOtKJ
-QOaXmNarVa06GQx61bFYtWRP8gNut9yuxZqu+aE96TMZQlQUhCAHSah9mCYs5h+N
-BNhEs/hj3kalbqMU+s7nmztJDd4wEgcZv58vjHL8wdgN8tlRlt0cxXg1U2fVVUSy
-7mTxk4wpw68YjIRhcYypNlgFvU4NU2lEBK7kfWa/BMU/WEtqKCK4VuyYPABHaOhw
-AM4yEhfWQhHY7TW+hlMfdtcfPuEjWWOoofXrLMxshlyojBcIBJpu6yBLdqsAumf6
-mb6TDuAd83oMYRObExUjha3S77/zuJ5dU9eyCmV8ZEUVQ8s8ofUI3OlPfH5kYSnx
-WXw7uhTJDM8gvw+0h0XAmlrHFwAjkxlTNONil7ICJEQXuQqKTDFkx3u2e7sSdg6k
-HWcg9rxCgLWCoBAqI6wofqlKa+B0MjUNu++xhyzZsxs9A5GUOk/+q2ZOWCzYIZY2
-Z0PyeE7AKok80h6NAjtWArpC3YJgZMJLruKMOirynmUXZ8az+I6SklJ9PLhOLS3z
-YujjM/4=
-=b/bw
+XQARAQABiQI8BBgBCgAmAhsgFiEEz5eBAq0GMfsIOhM4oKgSuiJJ8pQFAmRiEVgF
+CQUXsOQACgkQoKgSuiJJ8pQ5tg//XbScKgnNbgSR5+jiTIhRbKB9xX060GEhq7Q9
+65zAVO5RthUxo8VN4qMEazntggt/HTDMfK54fuZfKT/aLotiuWBAOgVYM/31unGi
+FeQir+/47E6SB0FoZEWfCO5jMPdkfvpDZ1rdLkJ2ow666ktR2fwkQsMZ1QPPu5xf
+k1oPy1ouuGusx7mQga0jAqJ6uKy/s1Dw0ndYIFiHMYn7Z5C759O/folBeaXs+AlP
+il54rSetCTwmQ959Ma0o+RpjLPaOMLOtI1jDB3n8BPRa5bcKaKFUtX9j7AJ3j8P9
+UySaKoHZ79/aTnYudstM5r9EpYVuJpGO0/AjrIrQIxci8yl5BUljSVQC03L5KJZ3
+frJNyoZne2odmowLe8O6536gqX+nfqdJUiyt3+Q0qheHZvwqq0Tgge8G75DBm6wD
+QgYPRXcTDCerEco4M/MC/d8Df/8L/pUSz6GeIoUqWx6jkpiqWZq7OC/ULhi1Os+T
+kIMxDwOyGAPhkZ+dH+tT1MMOs40o7fbiK//JAdMD/R0S5d4gSUhmFjS57Ar1OI4F
+CnXiJ2mzl065r1doxAhb5vYnj7pOCn1GM0WknZgb519+cfc2nimFC/V3pAVcLf5N
+MTbLyd/uVw9516jAymB6NZWucz1RNZFbGTGUZfCyeJQcOqoQvF9znby45HqctFNP
+r5A3scw=
+=k+1S
 -----END PGP PUBLIC KEY BLOCK-----

global/overlay/etc/cosmos/keys/richir-C09A4F9E76BAD8E9690931C9584D2AA2FA669135.pub

@@ -1,75 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGdO0N8BEACsHj4Km1T9DpBZiUXULpq/cRRq0Y+sFJaezjfVP+eIAvDzcb6I
-r6DbcTLkrYNONUdt9yzztkU6PigyunGoIUovvuqQoUU0iWrcJRDsEq9LX39tAkiu
-pud7qpuYSts2n6ymhrHQOitKICgltqyydWmDGCcQyS/wD/1E/RiEqG5+wsJdhd44
-vIycRh7phgJF8+SQ4qyosykVBVNi8fuJBm81Yj6HSRypxOPWb7PwoE1ABI8uwrCh
-QmtfVDqs/cCxtdgoyuzigH10FERd4ty17yojgAcWw350HdtAjeBKw7EGOm/YDGM2
-ly8K2XZjlJFu84fU/h2XLFYlHDYXQAKx3zdvQkkHM3UzK1s5OsvweiIJAgvBy1s2
-FH7rWzqx0iZYurdgRClIRDd6yyqOZQt9DHbQoC1aeQtv5T1T3ODnGFju/ofyh78r
-/ZsLDVCKwtK0A1JPIbBkEbiwc33bmfVTYeJ0OASZOq1A5QDovGZMl4AwrV8GvdcO
-ky7ltn9lmdYVBobxmbhMLufTist1UDijUs9OuzPG02McXK510tLLhDBOhlaljsUe
-K03cthn/cfQUfSRA/mv+26oVRd4u1tecWdWXj/ZOCyjHTW659zrZMQ2NXbPvqMUr
-IiOSauwq4amx6sntQ7o5DYPnR5HjNb6ZEngYvn2ImSUJLgmvIpREyhL7dwARAQAB
-tCNSaWthcmQgRGFuaWVsc3NvbiA8cmljaGlyQHN1bmV0LnNlPokCVAQTAQoAPhYh
-BMCaT552utjpaQkxyVhNKqL6ZpE1BQJnTtDfAhsDBQkB4TOABQsJCAcDBRUKCQgL
-BRYCAwEAAh4FAheAAAoJEFhNKqL6ZpE1xxYP/jWmnsX223C81GyWYbyT+oucXcGI
-wVjjH1dsSg/GRrs63QI7vCHbhxxVkWo4kwTVFcoprJbd7K6xgt739ul197KZYXLM
-+uKvh3DhmmuB1o2M/pggJ3hcDXnGRPM+dYw0YQ4PdeDQ5fmQQC4mGbwkCR+iAUkl
-GDTNghoZntSDiI9501uvol3L7FwpDUH+0PNIPhtn6RxpN2Tqf5vFFIVkBAIRImr7
-8I6GjFBhMkDsDC9BsRPOjWZbqzlDwDrLTN5xQ5P2rrvyEmCXrD4UvFiYGkxEx3JR
-YYydhu5zimV2a0PnoEEkX0FXvt3JO6CqbeMVyGyi66aslWyEwMeCb+XhVs6VZ/Zc
-6xOx5AbyzT0v55wR7c0OaiafJ5tbymfhdCGxIhWiRbwx112X1N9l3UZYyBuDT14E
-JWhEtS4n04wLKIjFh2wFh11Bb7nFndYSwEXKr2VFAxskespzBBn6lF7AO8aFzLpR
-SZ65djal1/DZR+/jZSNZ0Mc0I1ij2+8rhytsn0XfEN9Cb2cQXFpL6XcjaKC2MCMt
-5NYZXq8FRF1id7AtJGTJeBs7BgBfePzpbN8lACVZu9aUEGp4NAJHxHpiQCyQIqVd
-e3CB4Jp4mKARVpuSNcidRLptliNU16gdHSSLJtSjTSE5P8fqLOMMoaPSWAVpsqs3
-vW5pJOU+Ds7cqZgmuQINBGdO0N8BEAC5vPfDEEM6bfwQXzBIoiOqVQY9WtbEkwcY
-0kDjgfSZ5R1bTcImqdo+q8IYx4Dw05KWnlX+00NpqmelXiiG87nOcxzOyQiq3Na+
-NmiWIIzbuAHdpJKGBkIXCHwLk4u9Bfeqm05gCjXCn9kCtUbvoDJJQUoxAtBpDIkH
-EZSlx2M4VONXZNaxPRniKWHv9yraZOM2xopl+GjjHFv0VWHKX+ptQbPlH5nm1CFk
-64NjTk+PP7gxIo7EhJf9k5sWqsduDS35IfNAuBelL8Sp8FaD7sN1aUmDNM4ztAQN
-RPDikaHiSj9CfW8kpLm1pZvnSw0rK+B2d5BZPJDBB9r/cDXUdezBQhuB0AvE+8CM
-4g3Am633Lth/gnzfbLGk7tK9OgzCSdbioBlvtLEpZaW6qhQDmKSWG0vFFoujJs4e
-PP4ovCzf1yIN/GQO/tCGPNJA2MsXTgoIVspJYnnWZc3GrEJ8qXohdwxF4lNXR/I2
-uOWEk+X2+dnHWRQ+v3uU4mVscx4kdSJHR9TtRZ1D8KbxRFuYDBR3SSiuzUnY5DyI
-4G/LwhdOXN8ZnXX0D47bYkNlVx8bT8pwAio+6phCb0IILKFR1zx2Lmm410iSSSL9
-65MqKTo2zbOjmp/p9cHs5pitvTYHOSkVE53LyLO4+53DtCT5yuSwTj5N54obzNdg
-jMk4xJ5DGQARAQABiQI8BBgBCgAmFiEEwJpPnna62OlpCTHJWE0qovpmkTUFAmdO
-0N8CGwwFCQHhM4AACgkQWE0qovpmkTW0kQ//ZzArp3xhD8F/vK8qDiK0UKMLKpB8
-D95Z7kcTuqb1p+ivcpGDU4MbhpqJJEbFNOkvOss7J8tBy+Liw+Vw7bWq+YvqGRGR
-3MkVe0XbhW4a51EY13SSU7MmRXeZSvFjw5FDHGtc+GIRI6dfYU2plLYkwGehUPXD
-4sq+V9BaS7679241gn7xWeKJLqGJhLeE4NPaiMEZSCb4mxP/1i7hwuyirPFGxHBV
-kHuAMMLNsbXwBriNOiUaQeJ0eCE2olCnO/3kFFECxst0Or8m/EpGBGo9DtybDS1J
-qscN6o3SSo/+7AKLy4XLoe+NjOenojQILab7K1RgyekSwLN679mR46bHn/XpBviL
-zkmkmDfzjHMEX0P0+HA4t2EuRY8nLz2lGtI8GFtwzJ7fEf6YPHMTaH8fVwYKi9o+
-JXo8W6Da53g5xYnjhCNHbmq8xPw4kd+/Ixwi5cxQgmz1z4k1cto4GSC7G2xF5c5W
-BF2/1BTuf5PkmPnxJl90hOSLNWi2jK95lZoY7ZHHjEGT2IAkx3V0Q5EKPLOU2Cep
-c+5eM2Rl5S+xiF6XlPQ7GsG9nnBoJTNLg6bHFu4OorWnJ5MoXVcBqDFPzQCH2yIu
-OcI6JI7pT4HRbHJIdZ7zSP8VlMY8fIDOQicfWXTBq9SgZn2/0t/i2YczCL72jvxx
-/cMSMJ4hSvOIWnS5Ag0EZ07RWAEQAKxQ05Xq64MSr9MOZZBfeweFvMvVTNEG/WpM
-WvGtaEN9ymLRM40zWKFABQtrIEP/obtz/xrnzhAXDGuEmoooV0rhJRL4sqUjohNU
-8DjiHqA3nIyBMgIzby2I/krO8rlO34+xWodv7VIv63mWuz7k2AtwltHJ8XRzjMrt
-0uw4S4O973AMp9jh079nTTo8jaT9hmrGkX/cgNDqMDHD5KMYOEMtUMX4XBkygNNw
-1sfR0IS3NkasvnvlE7yiOirdkXVJ6DB5fBbLDOfjkks9Tvsscb9TEISdwU7TnYo4
-w4OzT9xYURNQyY60AEq+6swmbc4+9uFK60IoyTFYlAB654Mv5VOG5vSv+4+DMViA
-PmJZBDvDaBnn682G8vsOa+ELm2yQahg5M11PERq5tiQAayLm+GTb3ZsKMRnN1tAd
-yCMHwc9wudNkvINLaChmcsxWmyWam4Q1XlZpFI8/S9LoFgUH6pFQlfkOQ4eow2qK
-sbZRH76R/PV+LqrevJm/+O7A5jeEvKW0CKdwY5Hcx68QuBBxA71KCdyCoLJLZiGk
-VNiteDnTgZnXZ/zP2HApmr1LQJ6NFPpaaUVRcYpToP4zX9ySnfySOkBUrjrkZUjK
-KANx7OhfYTl9eRtjY2Fq9PUg0opDXRiCJrwLZ5GmCPvCeogMzmCMVSu2hcnyMa3x
-g9I0+lLZABEBAAGJAjMEGAEKACcWIQTAmk+edrrY6WkJMclYTSqi+maRNQUCZ07R
-WAMbIAQFCQHhM4AAAHGED/0RS4geTiwF3fuCTFceDqjX9KSqHD9yrX150rbZXPi1
-F0QEHLrJgIeuWVP+8Dii+MBkXfD5/x3H4uHe+zEjt/4djeIFigRLK5ojbBMljzTC
-1Mk9R7ZI7Iwz5gaezdRb6g1TzKI1mJWevyP0TCpsqkBLzXH+gC/9QMyhkCEuFczb
-xuXAN30zvXWAc6b8RSolUTZ3DFYoMx7SiFXMLpdWdvmIWsKcs4UjV0NzE30f1sIU
-GlVoj234TZ98yYGB425uhrhSI2tvfvpEuOMPZVM4ExViXaiq24t8HAYfpYk+46iz
-xcBgkVyt2rmZEdnFj+nTeP48VPJWXeyoKs4z5J9CZw8Q+WQJGSwZzHstcQyWeoZd
-TJYlsV4AGfTfAhLI7eveMZDvkdh+cTappNWgo6xhSm1KaTmC6+67X81hAzE6z18b
-zHeJqPqJTkG/z0ECavtptOzPT/Pz+athwfeDySu/hXKMpTKWZQJd4u89xPPW4iGH
-+smyYlWUYrVgShFJyNHorqDP5+qWULTQjA27l5Wc4wg84Z/5bG78tIufkVTlrMAz
-qzc3fR4WfLaXWaxWKJlZon1/j1UI9uT/aC3bjm6p217CjERUbTU674ro/Am8EWJC
-l93U399CNleQ/5xTvKA6BzcWCWirsBtZVOVmvTT4AyDv2IcWjuHBfXM8TcrrBFEG
-dw==
-=6jkN
------END PGP PUBLIC KEY BLOCK-----

global/overlay/etc/facter/facter.conf

@@ -1,5 +0,0 @@
-# No need to call EC2 every 15 minutes since we don't use metadata from there.
-# The calls made the metadata API slow and non responsive. Complaints from SafeSpring.
-facts : {
-  blocklist : [ "EC2" ],
-}

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -37,7 +37,3 @@
 '^internal-.+-test-cs-[0-9]+\.cdn\.sunet\.se$':
   sunet::certbot::acmed:
   sunet::certbot::sync::server:
-
-'^internal-.+-test-db-[0-9]+\.cdn\.sunet\.se$':
-  sunet::dockerhost2:
-  cdn::db:

global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh

@@ -1,25 +0,0 @@
-#!/bin/bash
-set -e
-
-# shellcheck source=/dev/null
-. /conf/init-cdn-db.conf
-
-# Create database named after user, then create a schema named the same as the
-# user which is also owned by that user. Because search_path (SHOW
-# search_path;) starts with "$user" by default this means any tables will be
-# created in that user-specific SCHEMA by default instead of falling back to
-# "public". This follows the "secure schema usage pattern" summarized as
-# "Constrain ordinary users to user-private schemas" from
-# https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
-#
-# "In PostgreSQL 15 and later, the default configuration supports this usage
-# pattern. In prior versions, or when using a database that has been upgraded
-# from a prior version, you will need to remove the public CREATE privilege
-# from the public schema"
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	CREATE USER cdn WITH PASSWORD '${cdn_password:?}';
-	CREATE DATABASE cdn;
-	GRANT ALL PRIVILEGES ON DATABASE cdn TO cdn;
-	\c cdn;
-	CREATE SCHEMA cdn AUTHORIZATION cdn;
-EOSQL

global/overlay/etc/puppet/modules/cdn/files/l4lb/sunet-l4lb-namespace

@@ -13,9 +13,7 @@ pylint sunet-l4lb-namespace
 mypy --strict sunet-l4lb-namespace
 """
 
-import ipaddress
 import json
-import os
 import shlex
 import subprocess
 import sys
@@ -23,7 +21,6 @@ import sys
 
 def run_command(cmd: str) -> subprocess.CompletedProcess[str]:
     """Execute subprocess command"""
-    print(f"{cmd}")
     args = shlex.split(cmd)
     try:
         proc = subprocess.run(args, capture_output=True, check=True, encoding="utf-8")
@@ -38,15 +35,12 @@ def run_command(cmd: str) -> subprocess.CompletedProcess[str]:
     return proc
 
 
-def configure_interfaces(  # pylint: disable=too-many-locals,too-many-branches
+def configure_interfaces(
     namespace: str, if_data: dict[str, dict[str, list[str]]]
 ) -> None:
     """Configure interfaces"""
-    proc = run_command(f"ip netns exec {namespace} ip -j addr show")
+    proc = run_command("ip netns exec l4lb ip -j addr show")
     namespace_ifs = json.loads(proc.stdout)
-
-    ipv4_key = "ipv4"
-    ipv6_key = "ipv6"
     for if_name, data in if_data.items():
         if_exists = next(
             (True for interface in namespace_ifs if interface["ifname"] == if_name),
@@ -60,73 +54,38 @@ def configure_interfaces(  # pylint: disable=too-many-locals,too-many-branches
             else:
                 run_command(f"ip link set {if_name} netns {namespace}")
 
-            run_command(f"ip netns exec {namespace} ip link set {if_name} up")
-
         proc = run_command(f"ip netns exec {namespace} ip -j addr show dev {if_name}")
         if_conf = json.loads(proc.stdout)
-
-        # Add missing addresses from config
-        if ipv4_key in data:
-            for configured_ipv4_cidr in data[ipv4_key]:
-                ip4, prefix = configured_ipv4_cidr.split("/")
-                v4_addr_exists = next(
-                    (
-                        True
-                        for addr in if_conf[0]["addr_info"]
-                        if addr["local"] == ip4 and addr["prefixlen"] == int(prefix)
-                    ),
-                    False,
-                )
-                if not v4_addr_exists:
-                    run_command(
-                        f"ip netns exec {namespace} ip addr add {configured_ipv4_cidr} dev {if_name}"  # pylint: disable=line-too-long
-                    )
-        if ipv6_key in data:
-            for ipv6_cidr in data[ipv6_key]:
-                ip6, prefix = ipv6_cidr.split("/")
-                v6_addr_exists = next(
-                    (
-                        True
-                        for addr in if_conf[0]["addr_info"]
-                        if addr["local"] == ip6 and addr["prefixlen"] == int(prefix)
-                    ),
-                    False,
-                )
-                if not v6_addr_exists:
-                    run_command(
-                        f"ip netns exec {namespace} ip addr add {ipv6_cidr} dev {if_name}"
-                    )
-
-        # Remove no longer configured addresseses
-        for addr_info in if_conf[0]["addr_info"]:
-            # Ignore addresses like fe80
-            if addr_info["scope"] != "global":
-                continue
-
-            cidr = "/".join((addr_info["local"], str(addr_info["prefixlen"])))
-
-            # We need strict=False because otherwise ip_network() gets angry if
-            # there are host bits set in the address (which of course there is
-            # because we are parsing actual interface configs, not pure
-            # "networks")
-            cidr_net = ipaddress.ip_network(cidr, strict=False)
-
-            needs_removal = False
-            if cidr_net.version == 4:
-                if ipv4_key not in data or cidr not in data[ipv4_key]:
-                    needs_removal = True
-            elif cidr_net.version == 6:
-                if ipv6_key not in data or cidr not in data[ipv6_key]:
-                    needs_removal = True
-            else:
-                raise ValueError(
-                    f"Expected IPv4 or IPv6, got something else: {cidr_net.version}"
-                )
-
-            if needs_removal:
+        for ipv4_cidr in data["ipv4"]:
+            ip4, prefix = ipv4_cidr.split("/")
+            v4_addr_exists = next(
+                (
+                    True
+                    for addr in if_conf[0]["addr_info"]
+                    if addr["local"] == ip4 and addr["prefixlen"] == int(prefix)
+                ),
+                False,
+            )
+            if not v4_addr_exists:
                 run_command(
-                    f"ip netns exec {namespace} ip addr del {cidr} dev {if_name}"
+                    f"ip netns exec {namespace} ip addr add {ipv4_cidr} dev {if_name}"
                 )
+        for ipv6_cidr in data["ipv6"]:
+            ip6, prefix = ipv6_cidr.split("/")
+            v6_addr_exists = next(
+                (
+                    True
+                    for addr in if_conf[0]["addr_info"]
+                    if addr["local"] == ip6 and addr["prefixlen"] == int(prefix)
+                ),
+                False,
+            )
+            if not v6_addr_exists:
+                run_command(
+                    f"ip netns exec {namespace} ip addr add {ipv6_cidr} dev {if_name}"
+                )
+
+        run_command(f"ip netns exec {namespace} ip link set {if_name} up")
 
 
 def setup_namespaces(netns_data: dict[str, dict[str, dict[str, list[str]]]]) -> None:
@@ -140,17 +99,8 @@ def setup_namespaces(netns_data: dict[str, dict[str, dict[str, list[str]]]]) ->
         if not netns_exists:
             run_command(f"ip netns add {namespace}")
 
-            # Make localhost available
-            run_command(f"ip netns exec {namespace} ip link set lo up")
-
-        # (Re)load the nft ruleset for the given namespace
-        nft_ruleset = f"/opt/sunet-cdn/l4lb/conf/nft-{namespace}.conf"
-        if os.path.isfile(nft_ruleset):
-            run_command(f"ip netns exec {namespace} nft -f {nft_ruleset}")
-        else:
-            print(
-                f"WARNING: no nft ruleset found for namespace '{namespace}' ({nft_ruleset}), the namespace will not be firewalled"  # pylint: disable=line-too-long
-            )
+        # Make localhost available
+        run_command(f"ip netns exec {namespace} ip link set lo up")
 
         configure_interfaces(namespace, if_data)
 
@@ -179,30 +129,10 @@ def main() -> None:
     #    }
     #  }
     # }
+    with open("/opt/sunet-cdn/l4lb/conf/netns.json", encoding="utf-8") as f:
+        netns_data = json.load(f)
 
-    input_files = [
-        "/opt/sunet-cdn/l4lb/conf/netns-base.json",
-        "/opt/sunet-cdn/l4lb/conf/netns-sunet-cdn-agent.json",
-    ]
-
-    merged_netns_data: dict[str, dict[str, dict[str, list[str]]]] = {}
-    for input_file in input_files:
-        try:
-            with open(input_file, encoding="utf-8") as f:
-                netns_data = json.load(f)
-
-            # Combine interface config from multiple files belonging to the same namespace
-            for ns, ns_data in netns_data.items():
-                if ns in merged_netns_data:
-                    merged_netns_data[ns].update(ns_data)
-                else:
-                    merged_netns_data[ns] = ns_data
-
-        except FileNotFoundError:
-            print(f"skipping nonexistant file '{input_file}'")
-            continue
-
-    setup_namespaces(merged_netns_data)
+    setup_namespaces(netns_data)
 
 
 if __name__ == "__main__":

global/overlay/etc/puppet/modules/cdn/manifests/cache.pp

@@ -1,7 +1,9 @@
 # Configure a SUNET CDN CA server
 class cdn::cache(
-  String $sunet_cdn_agent_version = '0.0.8',
-  String $sunet_cdn_purger_version = '0.0.9',
+  Hash[String, Integer] $customers = {
+    customer1 => 1000000000,
+  },
+  String $sunet_cdnp_version = '0.0.3',
   Hash[String, String] $acme_url = {
     test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
   },
@@ -25,6 +27,13 @@ class cdn::cache(
     mode   => '0755',
   }
 
+  file { '/opt/sunet-cdn/customers':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
   file { '/opt/sunet-cdn/conf':
     ensure => directory,
     owner  => 'root',
@@ -48,6 +57,14 @@ class cdn::cache(
     content => template('cdn/cache/10-cdn-dummy.netdev.erb'),
   }
 
+  file { '/etc/systemd/network/10-cdn-dummy.network':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('cdn/cache/10-cdn-dummy.network.erb'),
+  }
+
   file { '/etc/systemd/network/10-cdn-ipip.netdev':
     ensure  => file,
     owner   => 'root',
@@ -82,7 +99,7 @@ class cdn::cache(
 
   # Reload the network config if it has changed
   exec { 'networkctl reload':
-    subscribe   => File['/etc/systemd/network/10-cdn-ipip.network'],
+    subscribe   => [File['/etc/systemd/network/10-cdn-dummy.network'], File['/etc/systemd/network/10-cdn-ipip.network']],
     refreshonly => true,
   }
 
@@ -138,118 +155,137 @@ class cdn::cache(
     creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
   }
 
-  if $cache_secrets {
-    $sunet_cdn_agent_dir = '/var/lib/sunet-cdn-agent'
-    $sunet_cdn_agent_file = "sunet-cdn-agent_${sunet_cdn_agent_version}_linux_${facts[os][architecture]}.tar.gz"
-    $sunet_cdn_agent_url = "https://github.com/SUNET/sunet-cdn-agent/releases/download/v${sunet_cdn_agent_version}/${sunet_cdn_agent_file}"
-    # Create directory for managing CDN agent
-    file { $sunet_cdn_agent_dir:
-      ensure => directory,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0755',
-    }
-
-    exec { "curl -LO ${sunet_cdn_agent_url}":
-      creates => "${sunet_cdn_agent_dir}/${sunet_cdn_agent_file}",
-      cwd     => $sunet_cdn_agent_dir,
-      notify  => Exec['extract sunet-cdn-agent'],
-    }
-
-    exec { 'extract sunet-cdn-agent':
-      command     => "tar -xzf ${sunet_cdn_agent_file} sunet-cdn-agent",
-      cwd         => $sunet_cdn_agent_dir,
-      refreshonly => true,
-      notify      => Service['sunet-cdn-agent'],
-    }
-
-    file { "${sunet_cdn_agent_dir}/sunet-cdn-agent":
-      owner => 'root',
-      group => 'root',
-      mode  => '0755',
-    }
-
-    file { '/usr/local/bin/sunet-cdn-agent':
-      ensure => link,
-      target => "${sunet_cdn_agent_dir}/sunet-cdn-agent",
-    }
-
-    file { '/etc/sunet-cdn-agent':
-      ensure => directory,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0750',
-    }
-
-    file { '/etc/sunet-cdn-agent/sunet-cdn-agent.toml':
-      ensure  => file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0640',
-      content => template('cdn/cache/sunet-cdn-agent.toml.erb'),
-    }
-
-    file { '/etc/systemd/system/sunet-cdn-agent.service':
-      ensure  => file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => template('cdn/cache/sunet-cdn-agent.service.erb'),
-      notify  => [Class['sunet::systemd_reload']],
-    }
-
-    service { 'sunet-cdn-agent':
-      ensure => 'running',
-      enable => true,
-    }
-  }
-
-  $sunet_cdn_purger_dir = '/var/lib/sunet-cdn-purger'
-  $sunet_cdn_purger_file = "sunet-cdn-purger_${sunet_cdn_purger_version}_linux_${facts[os][architecture]}.tar.gz"
-  $sunet_cdn_purger_url = "https://github.com/SUNET/sunet-cdn-purger/releases/download/v${sunet_cdn_purger_version}/${sunet_cdn_purger_file}"
-  # Create directory for managing CDN purger
-  file { $sunet_cdn_purger_dir:
+  $sunet_cdnp_dir = '/var/lib/sunet-cdnp'
+  $sunet_cdnp_file = "sunet-cdnp_${sunet_cdnp_version}_linux_${facts[os][architecture]}.tar.gz"
+  $sunet_cdnp_url = "https://github.com/SUNET/sunet-cdnp/releases/download/v${sunet_cdnp_version}/${sunet_cdnp_file}"
+  # Create directory for managing CDP purger
+  file { $sunet_cdnp_dir:
     ensure => directory,
     owner  => 'root',
     group  => 'root',
     mode   => '0755',
   }
 
-  exec { "curl -LO ${sunet_cdn_purger_url}":
-    creates => "${sunet_cdn_purger_dir}/${sunet_cdn_purger_file}",
-    cwd     => $sunet_cdn_purger_dir,
-    notify  => Exec['extract sunet-cdn-purger'],
+  exec { "curl -LO ${sunet_cdnp_url}":
+    creates => "${sunet_cdnp_dir}/${sunet_cdnp_file}",
+    cwd     => $sunet_cdnp_dir,
+    notify  => Exec['extract sunet-cdnp'],
   }
 
-  exec { 'extract sunet-cdn-purger':
-    command     => "tar -xzf ${sunet_cdn_purger_file} sunet-cdn-purger",
-    cwd         => $sunet_cdn_purger_dir,
+  exec { 'extract sunet-cdnp':
+    command     => "tar -xzf ${sunet_cdnp_file} sunet-cdnp",
+    cwd         => $sunet_cdnp_dir,
     refreshonly => true,
-    notify      => Service['sunet-cdn-purger'],
   }
 
-  file { "${sunet_cdn_purger_dir}/sunet-cdn-purger":
+  file { "${sunet_cdnp_dir}/sunet-cdnp":
     owner => 'root',
     group => 'root',
     mode  => '0755',
   }
 
-  file { '/usr/local/bin/sunet-cdn-purger':
+  file { '/usr/local/bin/sunet-cdnp':
     ensure => link,
-    target => "${sunet_cdn_purger_dir}/sunet-cdn-purger",
+    target => "${sunet_cdnp_dir}/sunet-cdnp",
   }
 
-  file { '/etc/systemd/system/sunet-cdn-purger.service':
+  file { '/etc/systemd/system/sunet-cdnp.service':
     ensure  => file,
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
-    content => template('cdn/cache/sunet-cdn-purger.service.erb'),
+    content => template('cdn/cache/sunet-cdnp.service.erb'),
     notify  => [Class['sunet::systemd_reload']],
   }
 
-  service { 'sunet-cdn-purger':
+  service { 'sunet-cdnp':
     ensure => 'running',
     enable => true,
   }
+
+  if $cache_secrets {
+    $customers.each |String $customer, Integer $customer_uid| {
+      if $cache_secrets['customers'][$customer] {
+        file { "/opt/sunet-cdn/customers/${customer}":
+          ensure => directory,
+          owner  => $customer_uid,
+          group  => $customer_uid,
+          mode   => '0750',
+        }
+
+        file { "/opt/sunet-cdn/customers/${customer}/conf":
+          ensure => directory,
+          owner  => $customer_uid,
+          group  => $customer_uid,
+          mode   => '0750',
+        }
+
+        file { "/opt/sunet-cdn/customers/${customer}/shared":
+          ensure => directory,
+          owner  => $customer_uid,
+          group  => $customer_uid,
+          mode   => '0750',
+        }
+
+        file { "/opt/sunet-cdn/customers/${customer}/cache":
+          ensure => directory,
+          owner  => $customer_uid,
+          group  => $customer_uid,
+          mode   => '0750',
+        }
+
+        file { "/opt/sunet-cdn/customers/${customer}/certs-private":
+          ensure => directory,
+          owner  => $customer_uid,
+          group  => $customer_uid,
+          mode   => '0750',
+        }
+
+        $combined_pem = "/opt/sunet-cdn/customers/${customer}/certs-private/combined.pem"
+
+        concat { $combined_pem:
+          ensure => present,
+          owner  => $customer_uid,
+          group  => $customer_uid,
+          mode   => '0640',
+        }
+
+        concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}":
+          target => $combined_pem,
+          source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
+          order  => '01',
+        }
+
+        concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}":
+          target => $combined_pem,
+          source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
+          order  => '02',
+        }
+
+        file { "/opt/sunet-cdn/customers/${customer}/conf/haproxy.cfg":
+          ensure  => file,
+          owner   => $customer_uid,
+          group   => $customer_uid,
+          mode    => '0440',
+          content => template('cdn/cache/haproxy.cfg.erb'),
+        }
+
+        file { "/opt/sunet-cdn/customers/${customer}/conf/varnish.vcl":
+          ensure  => file,
+          owner   => $customer_uid,
+          group   => $customer_uid,
+          mode    => '0440',
+          content => template('cdn/cache/varnish.vcl.erb'),
+        }
+
+        sunet::docker_compose { "sunet-cdn-cache-${customer}":
+          content          => template('cdn/cache/docker-compose.yml.erb'),
+          service_name     => "cdn-cache-${customer}",
+          compose_dir      => "/opt/sunet-cdn/compose/${customer}",
+          compose_filename => 'docker-compose.yml',
+          description      => "SUNET CDN CA ${customer}",
+        }
+      }
+    }
+  }
 }

global/overlay/etc/puppet/modules/cdn/manifests/db.pp

@@ -1,76 +0,0 @@
-# Configure a SUNET CDN DB server
-class cdn::db(
-  String $postgres_version = '17.0-bookworm',
-)
-{
-
-  $db_secrets = lookup({ 'name' => 'cdn::db-secrets', 'default_value' => undef })
-
-  if $db_secrets {
-    file { '/opt/sunet-cdn':
-      ensure => directory,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0755',
-    }
-
-    file { '/opt/sunet-cdn/compose':
-      ensure => directory,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0750',
-    }
-
-    file { '/opt/sunet-cdn/db':
-      ensure => directory,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0750',
-    }
-
-    # User/group 999 matches postgres user in container
-    file { '/opt/sunet-cdn/db/conf':
-      ensure => directory,
-      owner  => '999',
-      group  => '999',
-      mode   => '0750',
-    }
-
-    file { '/opt/sunet-cdn/db/docker-entrypoint-initdb.d':
-      ensure => directory,
-      owner  => '999',
-      group  => '999',
-      mode   => '0750',
-    }
-
-    file { '/opt/sunet-cdn/db/conf/init-cdn-db.conf':
-      ensure => file,
-      owner  => '999',
-      group  => '999',
-      mode   => '0640',
-      content => template('cdn/db/init-cdn-db.conf.erb'),
-    }
-
-    file { '/opt/sunet-cdn/db/docker-entrypoint-initdb.d/init-cdn-db.sh':
-      ensure => file,
-      owner  => '999',
-      group  => '999',
-      mode   => '0750',
-      content => file('cdn/db/init-cdn-db.sh'),
-    }
-
-    sunet::nftables::docker_expose { 'postgres-db' :
-      allow_clients => '127.0.0.1',
-      port          => 5432,
-      iif           => $facts['networking']['primary'],
-    }
-
-    sunet::docker_compose { 'sunet-cdn-db':
-      content          => template('cdn/db/docker-compose.yml.erb'),
-      service_name     => 'cdn-db',
-      compose_dir      => '/opt/sunet-cdn/compose',
-      compose_filename => 'docker-compose.yml',
-      description      => 'SUNET CDN DB',
-    }
-  }
-}

global/overlay/etc/puppet/modules/cdn/manifests/l4lb.pp

@@ -17,8 +17,6 @@ class cdn::l4lb(
 
   include sunet::systemd_reload
 
-  package {'conntrack': ensure => installed }
-
   package {'bird2': ensure => installed }
 
   file { '/opt/sunet-cdn':
@@ -56,20 +54,12 @@ class cdn::l4lb(
     mode   => '0640',
   }
 
-  file { '/opt/sunet-cdn/l4lb/conf/netns-base.json':
+  file { '/opt/sunet-cdn/l4lb/conf/netns.json':
     ensure  => file,
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
-    content => template('cdn/l4lb/netns-base.json.erb'),
-  }
-
-  file { '/opt/sunet-cdn/l4lb/conf/nft-l4lb.conf':
-    ensure  => file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => template('cdn/l4lb/nft-l4lb.conf.erb'),
+    content => template('cdn/l4lb/netns.json.erb'),
   }
 
   file { '/usr/local/bin/sunet-l4lb-namespace':

global/overlay/etc/puppet/modules/cdn/templates/cache/10-cdn-dummy.network.erb

@@ -0,0 +1,10 @@
+[Match]
+Name=dummy0
+
+[Network]
+<% @cache_secrets['customers'].each do |customer, customer_settings| -%>
+# <%= customer %>
+Address=<%= customer_settings['ip4'] %>/32
+Address=<%= customer_settings['ip6'] %>/128
+
+<% end -%>

global/overlay/etc/puppet/modules/cdn/templates/cache/docker-compose.yml.erb

@@ -40,7 +40,7 @@ services:
     # We build our own varnish with the slash vmod present. We use the slash
     # "fellow" storage backend to be able to persist cached content to disk, so
     # it is retained in case of a restart of the container or machine.
-    image: "platform.sunet.se/sunet-cdn/cdn-varnish@sha256:248b1ca861f1a8bb548845b656526210ef7015ba71c0e264dc4619da16407b40"
+    image: "platform.sunet.se/sunet-cdn/cdn-varnish:af7f7d11e61acf9f6113811615d1baa46daf3bd1"
     # Use the same custom user as is used for haproxy.
     user: <%= @customer_uid %>:<%= @customer_uid %>
     volumes:

global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdn-agent.service.erb

@@ -1,15 +0,0 @@
-# This service file is generated by Puppet. Do not edit.
-[Unit]
-Description=SUNET CDN Agent
-Wants=docker.service
-After=docker.service
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/sunet-cdn-agent \
-  --config /etc/sunet-cdn-agent/sunet-cdn-agent.toml \
-  run \
-  --cache-node
-
-[Install]
-WantedBy=multi-user.target

global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdn-agent.toml.erb

@@ -1,14 +0,0 @@
-[manager]
-username = "<%= @cache_secrets['sunet-cdn-agent']['username'] %>"
-password = "<%= @cache_secrets['sunet-cdn-agent']['password'] %>"
-url = "<%= @cache_secrets['sunet-cdn-agent']['url'] %>"
-
-[confwriter]
-root_dir = "/var/lib/sunet-cdn-agent"
-cert_dir = "/opt/certbot-sync/letsencrypt/live"
-systemd_system_dir = "/etc/systemd/system"
-systemd_network_dir = "/etc/systemd/network"
-
-[l4lb-node]
-netns = "l4lb"
-netns_conf_dir = "/opt/sunet-cdn/l4lb/conf"

global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdnp.service.erb

@@ -6,7 +6,7 @@ After=docker.service
 
 [Service]
 Type=simple
-ExecStart=/usr/local/bin/sunet-cdn-purger \
+ExecStart=/usr/local/bin/sunet-cdnp \
   -mqtt-ca-file /usr/local/share/ca-certificates/step_ca_root.crt \
   -mqtt-client-key-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/privkey.pem \
   -mqtt-client-cert-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/fullchain.pem \

global/overlay/etc/puppet/modules/cdn/templates/db/docker-compose.yml.erb

@@ -1,13 +0,0 @@
-services:
-  db:
-    image: "postgres:<%= @postgres_version %>"
-    environment:
-      - POSTGRES_PASSWORD=<%= @db_secrets['postgres_password'] %>
-    ports:
-      - "5432:5432"
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-      - /opt/sunet-cdn/db/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
-      - /opt/sunet-cdn/db/conf:/conf
-volumes:
-  postgres_data:

global/overlay/etc/puppet/modules/cdn/templates/db/init-cdn-db.conf.erb

@@ -1,2 +0,0 @@
-# File sourced by init-cdn-db.sh
-cdn_password="<%= @db_secrets['cdn_password'] %>"

global/overlay/etc/puppet/modules/cdn/templates/l4lb/netns.json.erb

@@ -15,6 +15,14 @@
       "ipv6": [
         "2001:6b0:2006:75::1/127"
       ]
+    },
+    "dummy0": {
+      "ipv4": [
+        "188.240.152.1/32"
+      ],
+      "ipv6": [
+        "2001:6b0:2100::1/128"
+      ]
     }
   }
 }

global/overlay/etc/puppet/modules/cdn/templates/l4lb/nft-l4lb.conf.erb

@@ -1,40 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
-        chain input {
-                type filter hook input priority 0; policy drop;
-
-                # accept any localhost traffic
-                iif lo counter accept
-
-                # accept icmp
-                ip protocol icmp counter accept
-                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
-                                                 parameter-problem, echo-request, mld-listener-query,
-                                                 nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
-                                                 nd-neighbor-advert } counter accept
-
-                # accept traffic originated from us
-                ct state established counter accept
-                # silently drop invalid packets
-                ct state invalid counter drop
-        }
-        chain forward {
-                type filter hook forward priority 0; policy drop;
-        }
-        chain output {
-                type filter hook output priority 0;
-        }
-}
-
-# HTTP and HTTPS
-add rule inet filter input tcp dport 80 counter accept comment "l4lb HTTP"
-add rule inet filter input tcp dport 443 counter accept comment "l4lb HTTPS"
-
-# BGP
-add rule inet filter input ip saddr { 130.242.64.232 } tcp dport 179 counter accept comment "tug-r11-v4"
-add rule inet filter input ip saddr { 130.242.64.234 } tcp dport 179 counter accept comment "tug-r12-v4"
-add rule inet filter input ip6 saddr { 2001:6b0:2006:74:: } tcp dport 179 counter accept comment "tug-r11-v6"
-add rule inet filter input ip6 saddr { 2001:6b0:2006:75:: } tcp dport 179 counter accept comment "tug-r12-v6"

global/overlay/etc/puppet/setup_cosmos_modules

@@ -83,7 +83,7 @@ def main():
         "sunet": {
             "repo": "https://github.com/SUNET/puppet-sunet.git",
             "upgrade": "yes",
-            "tag": "stable-2023v1-2*",
+            "tag": "patlu-dockerhost2-ipv6-nat-2*",
         },
         "augeas": {
             "repo": "https://github.com/SUNET/puppet-augeas.git",

global/overlay/usr/local/bin/run-cosmos

@@ -3,8 +3,6 @@
 # Simplify running cosmos, with serialization if flock is available.
 #
 
-set -e
-
 readonly PROGNAME=$(basename "$0")
 readonly LOCKFILE_DIR=/tmp
 readonly LOCK_FD=200
@@ -124,14 +122,6 @@ machine_is_healthy() {
 }
 
 main () {
-    if [[ $1 == '--random-sleep' ]]; then
-        shift
-        sleep=$((RANDOM % 300))
-
-        echo "$0: Sleeping for ${sleep} seconds before attempting to run cosmos"
-        sleep $sleep
-    fi
-
     lock "$PROGNAME" || eexit "Only one instance of $PROGNAME can run at one time."
     fleetlock_lock || eexit "Unable to acquire fleetlock lock."
     cosmos "$@" update

global/overlay/usr/local/libexec/cosmos-cron-wrapper

@@ -2,7 +2,7 @@
 
 test -f /etc/no-automatic-cosmos && exit 0
 
-RUN_COSMOS='/usr/local/bin/run-cosmos --random-sleep'
+RUN_COSMOS='/usr/local/bin/run-cosmos'
 SCRIPTHERDER_CMD=''
 
 if [ -x /usr/local/bin/scriptherder ]; then

global/post-tasks.d/015cosmos-trust

@@ -1,10 +1,10 @@
 #!/bin/bash
 
-gnupg_show_options=("--import" "--import-options" "show-only,import-minimal")
-if [[ $(lsb_release -si) = "Ubuntu" ]] && [[ $(lsb_release -sr | awk -F . '{ print $1 }') -le 16 ]]; then
+gnupg_show_options='--import --import-options show-only,import-minimal'
+if [[ $(lsb_release -sr | awk -F . '{ print $1 }') -le 16 ]]; then
     # gpg on Ubuntu 16 and less is gnupg < 2, which doesn't have --import-options show-only
     # but on the other hand defaults to this mode (https://dev.gnupg.org/T2943)
-    gnupg_show_options=("--dry-run")
+    gnupg_show_options='--dry-run'
 fi
 
 if [ -z "$COSMOS_KEYS" ]; then
@@ -18,59 +18,61 @@ red='\033[01;31m'
 # Associative array of fingerprints in the GPG keyring
 declare -A KEYRING
 
+# Associative array with expired keys in the GPG keyring
+declare -A EXPIRED
+
 # associative array with non-expired keys found in $COSMOS_KEYS directory
 declare -A SEEN
 
-# Make sure we have a fresh view of all previously accepted keys
-for k in "$COSMOS_KEYS"/*.pub; do
+# Load information about all keys present in the GPG keyring
+for line in $(cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" { print $2 ":" $5 }'); do
+    IFS=':' read -r expired fp <<< $line
+    KEYRING[$fp]='1'
+    if [[ $expired == 'e' ]]; then
+	EXPIRED[$fp]=1
+    fi
+done
+
+# Install new keys discovered in the $COSMOS_KEYS directory
+for k in $COSMOS_KEYS/*.pub; do
     if [[ ! -s $k ]]; then
 	# Silently ignore empty files
 	continue
     fi
-    pubkeys_in_file=$(cosmos gpg "${gnupg_show_options[@]}" \
-			     --with-colons --with-fingerprint --quiet < "$k" \
+    pubkeys_in_file=$(cosmos gpg ${gnupg_show_options} \
+			     --with-colons --with-fingerprint --quiet < $k \
 			  | grep "^pub:")
-
-    # We only support files with one key in them
-    num_pub_keys=$(echo "$pubkeys_in_file" | wc -l)
-    if [ "$num_pub_keys" -ne 1 ]; then
-        echo -e "$0: ${red}Ignoring file that does not have exactly one pubkey (found $num_pub_keys): ${k}${reset}"
-        continue
-    fi
-
-    expired_pubkey_in_file=$(echo "${pubkeys_in_file}" | awk -F: '$2 == "e" { print $0 }')
-    if [[ $expired_pubkey_in_file ]]; then
+    non_expired_pubkeys_in_file=$(echo ${pubkeys_in_file} | awk -F: '$2 != "e" { print $0 }')
+    if [[ ! $non_expired_pubkeys_in_file ]]; then
 	echo -e "$0: ${red}Ignoring file with expired pubkey: ${k}${reset}"
 	continue
     fi
 
-    fp=$(echo "${pubkeys_in_file}" | awk -F: '{print $5}')
+    fp=$(echo ${pubkeys_in_file} | awk -F: '{print $5}')
 
     # Remember that we saw fingerprint $fp in file $k
     SEEN[$fp]=$k
 
-    # Always import a non-expired file since it may have been updated
-    gpg_output=$(cosmos gpg --no-tty --import < "$k" 2>&1)
-    # Only print output if a key is changed
-    echo "$gpg_output" | grep -q " not changed$" || echo "$gpg_output"
+    if [[ ! ${KEYRING[$fp]} ]]; then
+	echo -e "$0: ${bold}Importing new key ${fp}${reset} from ${k}"
+	cosmos gpg --no-tty --import < $k
+    elif [[ ${EXPIRED[$fp]} ]]; then
+	echo -e "$0: ${bold}Re-importing expired key ${fp}${reset} from ${k}"
+	cosmos gpg --no-tty --import < $k
+    fi
 done
 
-# Load information about all keys present in the GPG keyring
-for fp in $(cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" { print $5 }'); do
-    KEYRING[$fp]='1'
-done
-
-if (( ${#SEEN[@]} == 0 )); then
-    echo -e "$0: ${red}NO trusted keys found in directory ${COSMOS_KEYS} - aborting${reset}"
+if [[ ! ${#SEEN[@]} ]]; then
+    echo "$0: ${red}NO trusted keys found in directory ${COSMOS_KEYS} - aborting${reset}"
     echo "(this is probably a syntax problem with the gpg commands in this script)"
     exit 1
 fi
 
 # Delete keys no longer present (or expired) in $COSMOS_KEYS directory
-for fp in "${!KEYRING[@]}"; do
+for fp in ${!KEYRING[@]}; do
     if [[ ! ${SEEN[$fp]} ]]; then
 	echo -e "$0: ${bold}Deleting key${reset} ${fp} not present (or expired) in ${COSMOS_KEYS}"
-	cosmos gpg --fingerprint "$fp"
-	cosmos gpg --yes --batch --delete-key "$fp" || true
+	cosmos gpg --fingerprint $fp
+	cosmos gpg --yes --batch --delete-key $fp || true
     fi
 done

global/pre-tasks.d/020common-tools

@@ -8,7 +8,7 @@ set -e
 stamp="$COSMOS_BASE/stamps/common-tools-v01.stamp"
 
 if ! test -f $stamp; then
-    apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades
+    apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp
     update-alternatives --set editor /usr/bin/vim.basic
 
     mkdir -p `dirname $stamp`

internal-sto3-test-cache-2.cdn.sunet.se/overlay/etc/hiera/data/local.eyaml

@@ -1,9 +1,13 @@
 ---
 cdn::cache-secrets:
-  sunet-cdn-agent:
-    username: ENC[PKCS7,MIIC6wYJKoZIhvcNAQcDoIIC3DCCAtgCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAhaGwyCYZXagexYIi7GKQ78zXGurxDf8pCC+kvMarfxImiBiL06I3JE8xZ20msgY220fKeJ0EfTT6ZkfSFWo0SmIRVBpESFMx20a/gTdwngI+ZLeCHhEPzOZX/pNOC2JJ85FJiPBIEbebbVSqTV3x6urGgktI1fl1tL/yFAJd0xjxnWCswPbR/0M4EYumdM8rthy3yuCAB9pIF8l5tMvSVGG6+GPHvm8vPDC8Cy2qYMKNNhf9cLEAUdnIH7o0dQCIUoacAVihv05h34hfl5PhAD0Cla/BOYmQzScB+dglmXmUs9NLt6/a/Z+qRqltZAojpy6yYJ1MdwITZ45jmhW4yA6NU9iR3aPhu//nGvxozdSHDlpDyVaCesrXq1fJyNuFh96iSUkTvem6qmU3d7tn3/zo6dVdmohsN8qdZFaskw+wnyTkMBshqGfMEIjc1hdDbZyUnIpx4Em98cy8edS9AZE3GkoVb6UPfoYm5MvmDoCFdSeBYg2lJDbFPdx5CkoUBf/x4wr8Aera9DbkLS1MNJyvgARZ339T5joGaangSEk3xvhN5DqTWZSKfgYBE1/f2iMmDgseMD5nZyRUX5vNK3qwlqwhaXTW3xVscMovQ4pJueftl1cFeEUoWSpgx7hbXbuggF9PLGVduzTwgfY8g6kHHkby+1zKOSxKiBrvMnAwPAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQWe5knFV2o7xqT2HesFl0iIAQUx29rsXmi2uxECrhcC7jZw==]
-    password: ENC[PKCS7,MIIC+wYJKoZIhvcNAQcDoIIC7DCCAugCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAQqWL7jtFS3M0lzw5K2xuWwL4h9hf9NXsRwFgf3/wmlOVQLTv1mciMiEYyUly/hiy0T5AtdxnpbjdMZqVY9YW4sMbykqQy/sqMtRpsFn26oSMOU1vpiwKx4BVCxIc+nbz/VQEA8Hi0vB5jAH9d1zdjOJ74LCcqI8WuUDIVOBkOAxv/4+B8dBRZ0rDuMaxOCy4BQ6kjv9VRNq1QcTsUGY9faonw9W1gmmuf4wbiWdV+hlb4Kq/DAoZGy0dEYR9SLhLK5uXDhysvggZjboM/R0OcN9Zee0OxyAhfJXLggLdCK8M38U6VtIjjfhgqwBTUwoxfWL96/TskxawK3YRbp1c0N4PbCWu3MCYOGMjk76svY8GcBteDNHxpc7CBbQF4BpLhMDQzY4mPTIF5E3MiEGF3Yex6qbhjXA1aN23P0hq0McXRDMR6tGdmua9xxgumAVtaoen+0XbXMKmCDyu0cP2Nw1BeG0L3l8csJdhFKmM5JKDrHb639sFcIUu/qaM5EY7JibHB47CmBnRBpW50rZ+N9TR8Q+9xPvQIXnmr/c8done6frhQvgiztzAhVVoUw8KYiK8WvTLHTUP38Zf0flj00yjLg7auXqv9+HrxBrma5ZeXfHOlrv9eaSRJSI2vQSuAUClRi2IN3LxRfuvLPo3BhIhr6NvimwBK61Wy7wRCAIwTAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ+qQxQsrWAMHrNGmgE+JlL4AgfpYwz4qjxAoGeHeI3JC73ArW2xay23EE8VYrClSzbTc=]
-    url: ENC[PKCS7,MIIC+wYJKoZIhvcNAQcDoIIC7DCCAugCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAnAoDGBH9NFNccefbcpA7SchD4C+7HI2AL4qccUYzdXcqdyJXUMH6I3p8qM35l1g3Ndwy5ruv5FrbRIvFsgynYanKCqOVGnwx8Zi3v0BQXyCldQJpKORApSVvrU4PwWh+ZZO1GuIPZslO+OFgLOeUTzZjcqb1+esWbKfsupvJSVwIGRbeolgEfSSzvyVlw/ufzTQPO0fPM8m2TjQaPY0M5/eXx9ixAXe37i6j41zRxUUAS71ysXQNdhiMOAR5I44W9z7dzQjzi94WGVQlqSvr21PLSC5xeYry0+vMX3fALg339l54No5dmnLW00s3Ck8iGdfxDeUg2gMdD14kWQW5ENnYY86tLWEKXqB00YxQand0iLcgsRZjByBsKFKnDi5roF+gYadiXLGFIFrQGcSOivmjao0jqEvqv+uFSTSc14Zf86Gt3UWDWotxzFaHQDdD/xGDh9BaXlvH1pWS22ldk1O+I2f5LV3im1oFEDEcmYRAbdyUsG5W08H0zMCrTq6J9MEIVNXfzQ8+CZ9qALs1KJ9CIW3w+wqEHjjzIsEJIc32BL17hzYFvOYceCmbXQpY9ZmfWoSIuioblrB47XgNraIy+Rf3xRoXVLG2HGE7pCIWIo1R6PDLLKl7C4Aig6QhLhZ7piAxCGmZw8O+fL1VWz5a2xC56257T8/w8s7iF7IwTAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQnOR7eknIPwxOTt0YVKhcUoAggyq2h3cUjvt75aVnmTr3SRQGIUnbkc/GNUG4dfZTvtY=]
+  customers:
+    customer1:
+      key: ENC[PKCS7,MIIDCwYJKoZIhvcNAQcDoIIC/DCCAvgCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAI1BuG1SsQnLmrCgY+Sy2Vl0DslfUWntWhgmy+VNiN+DsGqJM1u46LY7KHCUstssofwafq8OFaSFRc22L63VQaHgY/LYMV/6OwvNWsNb7H4h6giXKTYbqVDwU6+sSvbGA34Yk/YdodPTHmMu+fJVXNAiVIcmUJ2KvPBboiD89lLwwyREP98hFF5tjJm91EuuS4q8msatrw7hB2R/Us1SWp+Jb4Yqh2h4hvkXtVMjrzbjDzZYSdgBm/3uJAvFaEkI5f43DLcv5I9ZZS+eX/Yame7YMheR8Kcc67RfTqiAmqFCNltLQ1yMTMDHICuCay+chuah/SYVrXilbalBxqtiTtUBkJ8LW2DwvHfQXvhtcpkQ/4wMXsSIHO4qLvUbIgze/T+zreUSgJYcqOSymYJPGM66G7mfsva5FDlEfIz15Cia9+uF7LQcw6e1vJitSy7bbL+I8HHoX+KhlfGC7I21+OBTF8j7Ju+Qj11zUa4WmZYRQxdirhJCKaD1djA+oYOffqMZ3zFD8CQidJ+uxGLTCrCR5A2zs4Z4gasWvETmrRwg6Gv4wBcx3908euruHJ7scYk4pTJWCySa5INsD6uNLWBPcspfXd/PEmFgp8SjR8lCkmoGcDgzx6AkuT/wf0w9dUmdmbG6p+pBfXWR2ROhWHOHvj/C8vHZJb8XivMuHyTowXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQN81EZkXnsIsb1Lrj4J8Hd4AwdJUyG/D8DCU8fMySPfIHTHk6f5EFMDNPYhyO71d0zeDusHXuNWF9dxBjtGhezG4k]
+      host: ENC[PKCS7,MIIC+wYJKoZIhvcNAQcDoIIC7DCCAugCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAn6fTKq6YOMlpahab4milaa/CYsIv9sWj2hTLeVtfRo0VaFTI2BVIu/2w/1Rk2JAYSPo3M97ToNOA09ZdmsgFnLwBXt54QeSrYQ1qzN8XLvcZrp+1FHvrmjSlB4VnKCq/Kp0Z0XzNVJ5pDLniJyXSV2efhzKqifWP9feMFvsCXgdpbJXc0+arFHBRN8CcBJvlJde6Nq5LzTWHN2NXrIOr3m8vLcPnsQEX9SFKy7tS9l6YXnxBmLmkvHciJHgFNzuIu2gfpuDfRpNjo5UGTeEhv8tMqyhYqPBNE/OtmycacGS4fd3juab4XMfT+HM7WV84khQyejJCDdhxvIIT8XM5mDYVS2z+qhnkqRugJEqo149jAtnXYQRSQgS4Cebj7oYaYFjhpxdALUrK4sPxxFqPewmpIJdtVUpmU8UjiwdZA3yQnnKGQby2hgOZN2mekbqWvzaNdxRwCakqeTESHJ/J0aedUz1fPNzaydbIJWK68oxmzHU2XQgQE1D3B1NJWldKvt4FOkzQYyouBltoyzcpRAScQUF5ty+mvfI14+omKDiecWwJMdzColjKML9X76aPdsSgbq5jw8tjjI4D+VXSGLU6xP1DCPZjLlj0TP1yhVxxOPkt+VtxO40jzM/HJ/yHDuS/BWP4z6KxOQRJnpGUFg0AFQk0tinQ1IUmG8EuDxIwTAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ3ky0SRUp0ChVrTTCkWAKKoAgkFfDRY4ia37Jc55b18VfTvayazimefkS6sq7Pp7TlHg=]
+      ip4: ENC[PKCS7,MIIC6wYJKoZIhvcNAQcDoIIC3DCCAtgCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIA4DpAdWaE1EvqEpHG03q+F4lc69CY5T93xZ/DGzr82aMbU2DyP0UJ9eKxkdn6Qak0wHFfIl2C1qy/RXw9T8/6YABGop4VL2Jlu74Qz+Jv+9hbiBIfLvmLYfY+s5MhkcLGtKmcdTwVKHGuki7NWPHp3iX9LFggJhWlQSdEuoJ/OFwzEiK3H5DxxitvBURPoicomgWKbRM0iAqV1iM3nNFUB/6cbTAb/WHwuA+K/AWBhTIhuB4M5lTfBqPoGBUDkHepZQJ7dXdax90y9Avgrx5rxnLtzhXcdsuJ+lPLbHYrEfOvImncf4l/Px51pT3FxkwZJpF0qgUqHgnioGb2KXpL1pIDL3ePtLTsFcM8gMSbG/d04BZ2HGHzK09e95fgF9HgTN6GZo4PHP+eWpdyR3UGNylWH6PVMuzyEA+UgrxcGMmqXNsMWgT8hjVDj5D5GUxaGmS4DnbgoWY7QKSHsKQCP2EN+h2nUDWai8AJ7jyjRs2eJ0yoKtobmgcMkrfh4osnaQpjNiBxfE/D8l/VSWCvKmv8/ETG5c7nRSztaUAtvq8ysEBNaAyPuB8g8Nu7z3s2Hr/p7hfMzM0VNZY4b7DlvGmPqs5Av0lZV+IWK/t69DMyjlWplKqNoMZ87f6t7WxtGjvbUXhHYUwGQZMXWuaLiAtmaMYxYwhqQtbLykbPIRYwPAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ1TMTF9KdFFxqTTCw01QcuYAQz26QlHGb4gPFOaByg8YpyQ==]
+      ip6: ENC[PKCS7,MIIC+wYJKoZIhvcNAQcDoIIC7DCCAugCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAP2FzvJqxJUktd4ydtawRbHZmbgQ0Db9k6E09c3YC9VgSBfBd5IhUjsf7smoPRGoHywoqW8MthPZxH/QQ7iwTAZuDCLRZ6SOlyrF6lfuH4QSUltrERjn2xntdyCiZTTL8p18mdwVK4cwyYv+aG7ztpC4aP+SahJ56pCwWSl9dA/695r9MI6a2Objf6E+biu92s5l5i8fPMleZU3en39lJ8XfiqG/z1u/Vf0f3HoGrsVeOt9rRuN6jFHRPomiFnz89kx2/UypcNU1P5MoC/q0t4dO2BcoTjcmDTwHuPzNWc8ukmW1JNNgZX2AAmjuOR2XHHOU2FijPiIni5opISFPi8lc1QNu1ptPn1OqruR5deSMJiDF/jRNZSk3RSBhoG4SXpxuStW/jmmMWdUILSn1GnYIqA0sPJvXqpeGDRRsqft+crRFnh13z8Uw/QDmQY+voRVRjRrGBD2uGnyX7QE+Ju+FP20fwdhLGdCOoi0Ea9RCJxFFWfLtZVAkmkUDbUI4xUww+Mkv8ITvbr73agBEPaoCdBc5hjzmaj+e/ZatH51p+WtY6rG+IWG441kpW4B1E5et2MQWqxCSEY82IrnliQ1LBOut9jjFLfe/UuoiddmOeBmYtsiCR7vxURDn8kG+wHvmfnAr2n+EDkf+2ojWkP9N07R8pSM+yBKCB9tTrZ38wTAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQj7eyNfGf3w8lSc1fh6PG0YAgWEtO8a6fOZPuxD6o/C5XJDmQHewD7NykrK1qiF5Tjdo=]
+      origins:
+        - ENC[PKCS7,MIIC6wYJKoZIhvcNAQcDoIIC3DCCAtgCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAwrENSsgv+k4c96RjXy2Ps5p+l0qgiCouAgVMNQg3Tusrr1kbjnhsb0NpKE46Yiulm1Zw7aBpeXQzR2BVIgGo9uWu/7TF2P7CbMzZAKW5YEu53ccAwN/BRcunNlJTptxwaSRsHcv8nrO3Jo7vcfxN40pZDpWSlFcSu5xHHPwWHyKrERvjwl2wDjbBvRtDIfv8OJAx68J2kMrC1PcZ3WBK/tgO9IMJIFp+lKq+qwBx5Sbtckuyjz1L95iynIjQfetWqrF8SB0Svv80BRbdx4ONSrpgHH1hwplmWI+HlIYtMOkOZisQYdzWu39XloQHYq42fn6nt22lTx7ZTAR913ZFgH7KvUY9VRmq5zwYD10veY2QqelOhE6OE4BBmF0nRDzLRY+QZl8ancCkWNkbKlThNqtsoNzm9A6pKXlsJw/MdwDPxm0WE/m75BjXzObovisWp7yY9zLqJv2CdGtWuaXDQIXLPaCntXX8ZaEidSpcgnjXF9sfnknzvqvPibws3TQcyzTaemPYFScGX1Dp8wzQB72TJhusNUB1NyzRHApPlXB8PKLBlwR+hxogIaoq5HSmLmtkyi9wT2Gs8aC3dbvZA+OBgEdEi5Z2WcurUI4dFcyiKiSUDdRCjHWwiOii6BYvxZ7FCwifqeyRap0MvOstKGE47TsUSxwVS4zB/l3hZTswPAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQd3iYJWuQ0pbXRzv0mca4+4AQ8aZp4Ri24FUXRut6lhxkNw==]
 certbot_sync_client_ssh_key: >
   ENC[PKCS7,MIIEnwYJKoZIhvcNAQcDoIIEkDCCBIwCAQAxggKTMIICjwIBAD
   B3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRV

internal-sto3-test-db-1.cdn.sunet.se/README

@@ -1,3 +0,0 @@
-
-The system documentation is in the docs directory of the multiverse repository.
-

internal-sto3-test-db-1.cdn.sunet.se/overlay/etc/hiera/data/local.eyaml

@@ -1,4 +0,0 @@
----
-cdn::db-secrets:
-  postgres_password: ENC[PKCS7,MIIDCAYJKoZIhvcNAQcDoIIC+TCCAvUCAQAxggKQMIICjAIBADB0MFwxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLTArBgNVBAMMJGludGVybmFsLXN0bzMtdGVzdC1kYi0xLmNkbi5zdW5ldC5zZQIUbbUXduFvDLw3OUVWiGrIvFBkkJMwDQYJKoZIhvcNAQEBBQAEggIAGKLk12OT5zsVKd04qsLkFtawdauLYUERXUC3d9FtZNVpwCFDNMnSsruUfasOvyvdaRbm8AUk/nAGuBNjD9HJj8J45KfQUEAPstnZPHndkF51LwU1twFrZvcSnvFANvxh61MzccMz6NVQL5CXsw4IWMDNhUbkhO5cRfxc0SOVugeTZ74BWwpEww9uKVPtfPRKCgJayBq1o/fyQblGsjJbmu/dRCm32gcdZu1lqfDU0DLsnjk14GJpqpP5h6sEfSrdXyFcWzFzdjtLZLL6TfUWYNYX6CnjjRMv1zZ73877DPXt+vvi0Nvqld5CDTXM9ggDWwZKvluVGn7sTyZdwtWLvs1qK4nui7NLfENtBrUi/GOWsxoFa9tmfeeX/cticzzQcUdDNkfaDgmBa/C7lyjlkwyDGvhYdBHycSEJJ8rxncjBGKl79mpWlK0YTsppgD5eXWZSK7gC3PecRqQ7Jri3aBAWymlM7wfJYP8Z5ocEEq7+BLKSk0Z+Npj8PqJkQ0mw96QC5kNY2LfnGTPbBPpyBZRfZh3F2x1fLN+JQN+IgMpzLW2Oce5HWlPn9iTgCiZU/7mRDJKe8wI4gSg+Mf6hWqlC+NIcMOdAcrfvobzx3PVDHletTd0xgdgGEJpOvtpkYCqcdDbFX4kyEntMaMmp32XBcgsUy1b09uHMB2klzncwXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQereGW4ZbKx3BV6f/PqkgSYAwcqDeq645K3JJOx9su/j9qDcAGxJN1CqIJjkYFBI+/2euykTaCvIqUMhljoDjeJeE]
-  cdn_password: ENC[PKCS7,MIIDCAYJKoZIhvcNAQcDoIIC+TCCAvUCAQAxggKQMIICjAIBADB0MFwxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLTArBgNVBAMMJGludGVybmFsLXN0bzMtdGVzdC1kYi0xLmNkbi5zdW5ldC5zZQIUbbUXduFvDLw3OUVWiGrIvFBkkJMwDQYJKoZIhvcNAQEBBQAEggIAC2YvfQOuluAonjkj0iM5DABoSNLXLyjlXfkltBOtAWzlFAQfQNlKd9cArL0qthcge+4AYun9edbyrmKjBAqVYIjPZXMaUjN9HXa07vBwUaHUXUP/rSxL6JYWKAvZTUCnSS+rb/nUM8BAAodk2xNnDrd0H/VN2oBQMkFvWJbCX2/NS9zejr4BpcGTTLjr1GXOuRMwORXwNTHVYZBbZzltnXMRClcdUe9oeIfC2W0BJDTlvAsqVN4DAz985hP8b5vch3uTd59Qzr7pIqpdno8hoI75zdVZ+xeH31rYw5/wqHmsvQK3gvVTtp5zmO4lSWwhiyGfICsX1w/8Fa8j/qR17dfqzkWVWJVN4DN2O/iT1muMtP4WP4j5xvWusE1viW4qGnoFlheo9YVTCP08FLMn0BMyO/7r1AZNG0oDNhTw/DcGYRc0q1bF8L6LjprJrl8Ou7fZbxWcIuQ8UMC+aJPOI0vingTip7/nKhGIBSiplxxKPH3jB2G7NXnimi4sxgAXsXwSSHGTMZH6q46Kc7YrtzT6Vur0W8onQgqFw6Hg5kgybyrdU68skxqAHIQEV3bZ68e5f3MyKY5HxSse8IIngAQdF6mOvOf6JB3zQ98m/JXDDV9FvaMLXSu4iUMGmoHJDO6xmMLaPUamJobM7SFA+0gPa3hAV7fejDdzhh6bLFYwXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQCT1soHO5e0vaqTWVkkyhS4Awdqh/mowa1LW46di/aaHZp0wPie3eEZnaDsKrIAo4yMFi/Sd0QCXF8YjicLFt0vK5]