sunet-cdn/cdn-ops
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

..

No commits in common. "main" and "cdn-ops-2025-03-31-v02" have entirely different histories.
main ... cdn-ops-20

14 changed files with 151 additions and 219 deletions

6
addhost
View file

@ -13,12 +13,12 @@ function usage() {
echo " <host> can be an IP number, or something that resolves to one" echo " <host> can be an IP number, or something that resolves to one"
} }
while getopts "bhn:p:" this; do while getopts "bhnp:" this; do
case "${this}" in case "${this}" in
h) usage; exit 0;; h) usage; exit 0;;
b) cmd_do_bootstrap="yes" ;; b) cmd_do_bootstrap="yes" ;;
n) cmd_fqdn="${OPTARG}" ;; n) cmd_fqdn="${OPTARG}" ; shift ;;
p) cmd_proxy="${OPTARG}" ;; p) cmd_proxy="${OPTARG}" ; shift ;;
*) echo "Unknown option ${this}"; echo ""; usage; exit 1;; *) echo "Unknown option ${this}"; echo ""; usage; exit 1;;
esac esac
done done

75
global/overlay/etc/cosmos/keys/richir-C09A4F9E76BAD8E9690931C9584D2AA2FA669135.pub
View file

@ -1,75 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGdO0N8BEACsHj4Km1T9DpBZiUXULpq/cRRq0Y+sFJaezjfVP+eIAvDzcb6I
r6DbcTLkrYNONUdt9yzztkU6PigyunGoIUovvuqQoUU0iWrcJRDsEq9LX39tAkiu
pud7qpuYSts2n6ymhrHQOitKICgltqyydWmDGCcQyS/wD/1E/RiEqG5+wsJdhd44
vIycRh7phgJF8+SQ4qyosykVBVNi8fuJBm81Yj6HSRypxOPWb7PwoE1ABI8uwrCh
QmtfVDqs/cCxtdgoyuzigH10FERd4ty17yojgAcWw350HdtAjeBKw7EGOm/YDGM2
ly8K2XZjlJFu84fU/h2XLFYlHDYXQAKx3zdvQkkHM3UzK1s5OsvweiIJAgvBy1s2
FH7rWzqx0iZYurdgRClIRDd6yyqOZQt9DHbQoC1aeQtv5T1T3ODnGFju/ofyh78r
/ZsLDVCKwtK0A1JPIbBkEbiwc33bmfVTYeJ0OASZOq1A5QDovGZMl4AwrV8GvdcO
ky7ltn9lmdYVBobxmbhMLufTist1UDijUs9OuzPG02McXK510tLLhDBOhlaljsUe
K03cthn/cfQUfSRA/mv+26oVRd4u1tecWdWXj/ZOCyjHTW659zrZMQ2NXbPvqMUr
IiOSauwq4amx6sntQ7o5DYPnR5HjNb6ZEngYvn2ImSUJLgmvIpREyhL7dwARAQAB
tCNSaWthcmQgRGFuaWVsc3NvbiA8cmljaGlyQHN1bmV0LnNlPokCVAQTAQoAPhYh
BMCaT552utjpaQkxyVhNKqL6ZpE1BQJnTtDfAhsDBQkB4TOABQsJCAcDBRUKCQgL
BRYCAwEAAh4FAheAAAoJEFhNKqL6ZpE1xxYP/jWmnsX223C81GyWYbyT+oucXcGI
wVjjH1dsSg/GRrs63QI7vCHbhxxVkWo4kwTVFcoprJbd7K6xgt739ul197KZYXLM
+uKvh3DhmmuB1o2M/pggJ3hcDXnGRPM+dYw0YQ4PdeDQ5fmQQC4mGbwkCR+iAUkl
GDTNghoZntSDiI9501uvol3L7FwpDUH+0PNIPhtn6RxpN2Tqf5vFFIVkBAIRImr7
8I6GjFBhMkDsDC9BsRPOjWZbqzlDwDrLTN5xQ5P2rrvyEmCXrD4UvFiYGkxEx3JR
YYydhu5zimV2a0PnoEEkX0FXvt3JO6CqbeMVyGyi66aslWyEwMeCb+XhVs6VZ/Zc
6xOx5AbyzT0v55wR7c0OaiafJ5tbymfhdCGxIhWiRbwx112X1N9l3UZYyBuDT14E
JWhEtS4n04wLKIjFh2wFh11Bb7nFndYSwEXKr2VFAxskespzBBn6lF7AO8aFzLpR
SZ65djal1/DZR+/jZSNZ0Mc0I1ij2+8rhytsn0XfEN9Cb2cQXFpL6XcjaKC2MCMt
5NYZXq8FRF1id7AtJGTJeBs7BgBfePzpbN8lACVZu9aUEGp4NAJHxHpiQCyQIqVd
e3CB4Jp4mKARVpuSNcidRLptliNU16gdHSSLJtSjTSE5P8fqLOMMoaPSWAVpsqs3
vW5pJOU+Ds7cqZgmuQINBGdO0N8BEAC5vPfDEEM6bfwQXzBIoiOqVQY9WtbEkwcY
0kDjgfSZ5R1bTcImqdo+q8IYx4Dw05KWnlX+00NpqmelXiiG87nOcxzOyQiq3Na+
NmiWIIzbuAHdpJKGBkIXCHwLk4u9Bfeqm05gCjXCn9kCtUbvoDJJQUoxAtBpDIkH
EZSlx2M4VONXZNaxPRniKWHv9yraZOM2xopl+GjjHFv0VWHKX+ptQbPlH5nm1CFk
64NjTk+PP7gxIo7EhJf9k5sWqsduDS35IfNAuBelL8Sp8FaD7sN1aUmDNM4ztAQN
RPDikaHiSj9CfW8kpLm1pZvnSw0rK+B2d5BZPJDBB9r/cDXUdezBQhuB0AvE+8CM
4g3Am633Lth/gnzfbLGk7tK9OgzCSdbioBlvtLEpZaW6qhQDmKSWG0vFFoujJs4e
PP4ovCzf1yIN/GQO/tCGPNJA2MsXTgoIVspJYnnWZc3GrEJ8qXohdwxF4lNXR/I2
uOWEk+X2+dnHWRQ+v3uU4mVscx4kdSJHR9TtRZ1D8KbxRFuYDBR3SSiuzUnY5DyI
4G/LwhdOXN8ZnXX0D47bYkNlVx8bT8pwAio+6phCb0IILKFR1zx2Lmm410iSSSL9
65MqKTo2zbOjmp/p9cHs5pitvTYHOSkVE53LyLO4+53DtCT5yuSwTj5N54obzNdg
jMk4xJ5DGQARAQABiQI8BBgBCgAmFiEEwJpPnna62OlpCTHJWE0qovpmkTUFAmdO
0N8CGwwFCQHhM4AACgkQWE0qovpmkTW0kQ//ZzArp3xhD8F/vK8qDiK0UKMLKpB8
D95Z7kcTuqb1p+ivcpGDU4MbhpqJJEbFNOkvOss7J8tBy+Liw+Vw7bWq+YvqGRGR
3MkVe0XbhW4a51EY13SSU7MmRXeZSvFjw5FDHGtc+GIRI6dfYU2plLYkwGehUPXD
4sq+V9BaS7679241gn7xWeKJLqGJhLeE4NPaiMEZSCb4mxP/1i7hwuyirPFGxHBV
kHuAMMLNsbXwBriNOiUaQeJ0eCE2olCnO/3kFFECxst0Or8m/EpGBGo9DtybDS1J
qscN6o3SSo/+7AKLy4XLoe+NjOenojQILab7K1RgyekSwLN679mR46bHn/XpBviL
zkmkmDfzjHMEX0P0+HA4t2EuRY8nLz2lGtI8GFtwzJ7fEf6YPHMTaH8fVwYKi9o+
JXo8W6Da53g5xYnjhCNHbmq8xPw4kd+/Ixwi5cxQgmz1z4k1cto4GSC7G2xF5c5W
BF2/1BTuf5PkmPnxJl90hOSLNWi2jK95lZoY7ZHHjEGT2IAkx3V0Q5EKPLOU2Cep
c+5eM2Rl5S+xiF6XlPQ7GsG9nnBoJTNLg6bHFu4OorWnJ5MoXVcBqDFPzQCH2yIu
OcI6JI7pT4HRbHJIdZ7zSP8VlMY8fIDOQicfWXTBq9SgZn2/0t/i2YczCL72jvxx
/cMSMJ4hSvOIWnS5Ag0EZ07RWAEQAKxQ05Xq64MSr9MOZZBfeweFvMvVTNEG/WpM
WvGtaEN9ymLRM40zWKFABQtrIEP/obtz/xrnzhAXDGuEmoooV0rhJRL4sqUjohNU
8DjiHqA3nIyBMgIzby2I/krO8rlO34+xWodv7VIv63mWuz7k2AtwltHJ8XRzjMrt
0uw4S4O973AMp9jh079nTTo8jaT9hmrGkX/cgNDqMDHD5KMYOEMtUMX4XBkygNNw
1sfR0IS3NkasvnvlE7yiOirdkXVJ6DB5fBbLDOfjkks9Tvsscb9TEISdwU7TnYo4
w4OzT9xYURNQyY60AEq+6swmbc4+9uFK60IoyTFYlAB654Mv5VOG5vSv+4+DMViA
PmJZBDvDaBnn682G8vsOa+ELm2yQahg5M11PERq5tiQAayLm+GTb3ZsKMRnN1tAd
yCMHwc9wudNkvINLaChmcsxWmyWam4Q1XlZpFI8/S9LoFgUH6pFQlfkOQ4eow2qK
sbZRH76R/PV+LqrevJm/+O7A5jeEvKW0CKdwY5Hcx68QuBBxA71KCdyCoLJLZiGk
VNiteDnTgZnXZ/zP2HApmr1LQJ6NFPpaaUVRcYpToP4zX9ySnfySOkBUrjrkZUjK
KANx7OhfYTl9eRtjY2Fq9PUg0opDXRiCJrwLZ5GmCPvCeogMzmCMVSu2hcnyMa3x
g9I0+lLZABEBAAGJAjMEGAEKACcWIQTAmk+edrrY6WkJMclYTSqi+maRNQUCZ07R
WAMbIAQFCQHhM4AAAHGED/0RS4geTiwF3fuCTFceDqjX9KSqHD9yrX150rbZXPi1
F0QEHLrJgIeuWVP+8Dii+MBkXfD5/x3H4uHe+zEjt/4djeIFigRLK5ojbBMljzTC
1Mk9R7ZI7Iwz5gaezdRb6g1TzKI1mJWevyP0TCpsqkBLzXH+gC/9QMyhkCEuFczb
xuXAN30zvXWAc6b8RSolUTZ3DFYoMx7SiFXMLpdWdvmIWsKcs4UjV0NzE30f1sIU
GlVoj234TZ98yYGB425uhrhSI2tvfvpEuOMPZVM4ExViXaiq24t8HAYfpYk+46iz
xcBgkVyt2rmZEdnFj+nTeP48VPJWXeyoKs4z5J9CZw8Q+WQJGSwZzHstcQyWeoZd
TJYlsV4AGfTfAhLI7eveMZDvkdh+cTappNWgo6xhSm1KaTmC6+67X81hAzE6z18b
zHeJqPqJTkG/z0ECavtptOzPT/Pz+athwfeDySu/hXKMpTKWZQJd4u89xPPW4iGH
+smyYlWUYrVgShFJyNHorqDP5+qWULTQjA27l5Wc4wg84Z/5bG78tIufkVTlrMAz
qzc3fR4WfLaXWaxWKJlZon1/j1UI9uT/aC3bjm6p217CjERUbTU674ro/Am8EWJC
l93U399CNleQ/5xTvKA6BzcWCWirsBtZVOVmvTT4AyDv2IcWjuHBfXM8TcrrBFEG
dw==
=6jkN
-----END PGP PUBLIC KEY BLOCK-----

5
global/overlay/etc/facter/facter.conf
View file

@ -1,5 +0,0 @@
# No need to call EC2 every 15 minutes since we don't use metadata from there.
# The calls made the metadata API slow and non responsive. Complaints from SafeSpring.
facts : {
blocklist : [ "EC2" ],
}

2
global/overlay/etc/puppet/hiera.yaml
View file

@ -24,4 +24,4 @@ hierarchy:
path: "dist_%{facts.os.distro.codename}_override.yaml" path: "dist_%{facts.os.distro.codename}_override.yaml"
- name: "Data common to whole environment" - name: "Data common to whole environment"
path: "common.yaml" path: "common.yaml"

213
global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
View file

@ -1,7 +1,9 @@
# Configure a SUNET CDN CA server # Configure a SUNET CDN CA server
class cdn::cache( class cdn::cache(
String $sunet_cdn_agent_version = '0.0.4', Hash[String, Integer] $customers = {
String $sunet_cdn_purger_version = '0.0.8', customer1 => 1000000000,
},
String $sunet_cdnp_version = '0.0.7',
Hash[String, String] $acme_url = { Hash[String, String] $acme_url = {
test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory' test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
}, },
@ -25,6 +27,13 @@ class cdn::cache(
mode => '0755', mode => '0755',
} }
file { '/opt/sunet-cdn/customers':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/opt/sunet-cdn/conf': file { '/opt/sunet-cdn/conf':
ensure => directory, ensure => directory,
owner => 'root', owner => 'root',
@ -48,6 +57,14 @@ class cdn::cache(
content => template('cdn/cache/10-cdn-dummy.netdev.erb'), content => template('cdn/cache/10-cdn-dummy.netdev.erb'),
} }
file { '/etc/systemd/network/10-cdn-dummy.network':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template('cdn/cache/10-cdn-dummy.network.erb'),
}
file { '/etc/systemd/network/10-cdn-ipip.netdev': file { '/etc/systemd/network/10-cdn-ipip.netdev':
ensure => file, ensure => file,
owner => 'root', owner => 'root',
@ -82,7 +99,7 @@ class cdn::cache(
# Reload the network config if it has changed # Reload the network config if it has changed
exec { 'networkctl reload': exec { 'networkctl reload':
subscribe => File['/etc/systemd/network/10-cdn-ipip.network'], subscribe => [File['/etc/systemd/network/10-cdn-dummy.network'], File['/etc/systemd/network/10-cdn-ipip.network']],
refreshonly => true, refreshonly => true,
} }
@ -138,118 +155,138 @@ class cdn::cache(
creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem" creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
} }
if $cache_secrets { $sunet_cdnp_dir = '/var/lib/sunet-cdnp'
$sunet_cdn_agent_dir = '/var/lib/sunet-cdn-agent' $sunet_cdnp_file = "sunet-cdnp_${sunet_cdnp_version}_linux_${facts[os][architecture]}.tar.gz"
$sunet_cdn_agent_file = "sunet-cdn-agent_${sunet_cdn_agent_version}_linux_${facts[os][architecture]}.tar.gz" $sunet_cdnp_url = "https://github.com/SUNET/sunet-cdnp/releases/download/v${sunet_cdnp_version}/${sunet_cdnp_file}"
$sunet_cdn_agent_url = "https://github.com/SUNET/sunet-cdn-agent/releases/download/v${sunet_cdn_agent_version}/${sunet_cdn_agent_file}" # Create directory for managing CDP purger
# Create directory for managing CDN agent file { $sunet_cdnp_dir:
file { $sunet_cdn_agent_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
exec { "curl -LO ${sunet_cdn_agent_url}":
creates => "${sunet_cdn_agent_dir}/${sunet_cdn_agent_file}",
cwd => $sunet_cdn_agent_dir,
notify => Exec['extract sunet-cdn-agent'],
}
exec { 'extract sunet-cdn-agent':
command => "tar -xzf ${sunet_cdn_agent_file} sunet-cdn-agent",
cwd => $sunet_cdn_agent_dir,
refreshonly => true,
notify => Service['sunet-cdn-agent'],
}
file { "${sunet_cdn_agent_dir}/sunet-cdn-agent":
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/usr/local/bin/sunet-cdn-agent':
ensure => link,
target => "${sunet_cdn_agent_dir}/sunet-cdn-agent",
}
file { '/etc/sunet-cdn-agent':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0750',
}
file { '/etc/sunet-cdn-agent/sunet-cdn-agent.toml':
ensure => file,
owner => 'root',
group => 'root',
mode => '0640',
content => template('cdn/cache/sunet-cdn-agent.toml.erb'),
}
file { '/etc/systemd/system/sunet-cdn-agent.service':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template('cdn/cache/sunet-cdn-agent.service.erb'),
notify => [Class['sunet::systemd_reload']],
}
service { 'sunet-cdn-agent':
ensure => 'running',
enable => true,
}
}
$sunet_cdn_purger_dir = '/var/lib/sunet-cdn-purger'
$sunet_cdn_purger_file = "sunet-cdn-purger_${sunet_cdn_purger_version}_linux_${facts[os][architecture]}.tar.gz"
$sunet_cdn_purger_url = "https://github.com/SUNET/sunet-cdn-purger/releases/download/v${sunet_cdn_purger_version}/${sunet_cdn_purger_file}"
# Create directory for managing CDN purger
file { $sunet_cdn_purger_dir:
ensure => directory, ensure => directory,
owner => 'root', owner => 'root',
group => 'root', group => 'root',
mode => '0755', mode => '0755',
} }
exec { "curl -LO ${sunet_cdn_purger_url}": exec { "curl -LO ${sunet_cdnp_url}":
creates => "${sunet_cdn_purger_dir}/${sunet_cdn_purger_file}", creates => "${sunet_cdnp_dir}/${sunet_cdnp_file}",
cwd => $sunet_cdn_purger_dir, cwd => $sunet_cdnp_dir,
notify => Exec['extract sunet-cdn-purger'], notify => Exec['extract sunet-cdnp'],
} }
exec { 'extract sunet-cdn-purger': exec { 'extract sunet-cdnp':
command => "tar -xzf ${sunet_cdn_purger_file} sunet-cdn-purger", command => "tar -xzf ${sunet_cdnp_file} sunet-cdnp",
cwd => $sunet_cdn_purger_dir, cwd => $sunet_cdnp_dir,
refreshonly => true, refreshonly => true,
notify => Service['sunet-cdn-purger'], notify => Service['sunet-cdnp'],
} }
file { "${sunet_cdn_purger_dir}/sunet-cdn-purger": file { "${sunet_cdnp_dir}/sunet-cdnp":
owner => 'root', owner => 'root',
group => 'root', group => 'root',
mode => '0755', mode => '0755',
} }
file { '/usr/local/bin/sunet-cdn-purger': file { '/usr/local/bin/sunet-cdnp':
ensure => link, ensure => link,
target => "${sunet_cdn_purger_dir}/sunet-cdn-purger", target => "${sunet_cdnp_dir}/sunet-cdnp",
} }
file { '/etc/systemd/system/sunet-cdn-purger.service': file { '/etc/systemd/system/sunet-cdnp.service':
ensure => file, ensure => file,
owner => 'root', owner => 'root',
group => 'root', group => 'root',
mode => '0644', mode => '0644',
content => template('cdn/cache/sunet-cdn-purger.service.erb'), content => template('cdn/cache/sunet-cdnp.service.erb'),
notify => [Class['sunet::systemd_reload']], notify => [Class['sunet::systemd_reload']],
} }
service { 'sunet-cdn-purger': service { 'sunet-cdnp':
ensure => 'running', ensure => 'running',
enable => true, enable => true,
} }
if $cache_secrets {
$customers.each |String $customer, Integer $customer_uid| {
if $cache_secrets['customers'][$customer] {
file { "/opt/sunet-cdn/customers/${customer}":
ensure => directory,
owner => $customer_uid,
group => $customer_uid,
mode => '0750',
}
file { "/opt/sunet-cdn/customers/${customer}/conf":
ensure => directory,
owner => $customer_uid,
group => $customer_uid,
mode => '0750',
}
file { "/opt/sunet-cdn/customers/${customer}/shared":
ensure => directory,
owner => $customer_uid,
group => $customer_uid,
mode => '0750',
}
file { "/opt/sunet-cdn/customers/${customer}/cache":
ensure => directory,
owner => $customer_uid,
group => $customer_uid,
mode => '0750',
}
file { "/opt/sunet-cdn/customers/${customer}/certs-private":
ensure => directory,
owner => $customer_uid,
group => $customer_uid,
mode => '0750',
}
$combined_pem = "/opt/sunet-cdn/customers/${customer}/certs-private/combined.pem"
concat { $combined_pem:
ensure => present,
owner => $customer_uid,
group => $customer_uid,
mode => '0640',
}
concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}":
target => $combined_pem,
source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
order => '01',
}
concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}":
target => $combined_pem,
source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
order => '02',
}
file { "/opt/sunet-cdn/customers/${customer}/conf/haproxy.cfg":
ensure => file,
owner => $customer_uid,
group => $customer_uid,
mode => '0440',
content => template('cdn/cache/haproxy.cfg.erb'),
}
file { "/opt/sunet-cdn/customers/${customer}/conf/varnish.vcl":
ensure => file,
owner => $customer_uid,
group => $customer_uid,
mode => '0440',
content => template('cdn/cache/varnish.vcl.erb'),
}
sunet::docker_compose { "sunet-cdn-cache-${customer}":
content => template('cdn/cache/docker-compose.yml.erb'),
service_name => "cdn-cache-${customer}",
compose_dir => "/opt/sunet-cdn/compose/${customer}",
compose_filename => 'docker-compose.yml',
description => "SUNET CDN CA ${customer}",
}
}
}
}
} }

10
global/overlay/etc/puppet/modules/cdn/templates/cache/10-cdn-dummy.network.erb vendored Normal file
View file

@ -0,0 +1,10 @@
[Match]
Name=dummy0
[Network]
<% @cache_secrets['customers'].each do |customer, customer_settings| -%>
# <%= customer %>
Address=<%= customer_settings['ip4'] %>/32
Address=<%= customer_settings['ip6'] %>/128
<% end -%>

2
global/overlay/etc/puppet/modules/cdn/templates/cache/docker-compose.yml.erb vendored
View file

@ -40,7 +40,7 @@ services:
# We build our own varnish with the slash vmod present. We use the slash # We build our own varnish with the slash vmod present. We use the slash
# "fellow" storage backend to be able to persist cached content to disk, so # "fellow" storage backend to be able to persist cached content to disk, so
# it is retained in case of a restart of the container or machine. # it is retained in case of a restart of the container or machine.
image: "platform.sunet.se/sunet-cdn/cdn-varnish@sha256:248b1ca861f1a8bb548845b656526210ef7015ba71c0e264dc4619da16407b40" image: "platform.sunet.se/sunet-cdn/cdn-varnish:af7f7d11e61acf9f6113811615d1baa46daf3bd1"
# Use the same custom user as is used for haproxy. # Use the same custom user as is used for haproxy.
user: <%= @customer_uid %>:<%= @customer_uid %> user: <%= @customer_uid %>:<%= @customer_uid %>
volumes: volumes:

15
global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdn-agent.service.erb vendored
View file

@ -1,15 +0,0 @@
# This service file is generated by Puppet. Do not edit.
[Unit]
Description=SUNET CDN Agent
Wants=docker.service
After=docker.service
[Service]
Type=simple
ExecStart=/usr/local/bin/sunet-cdn-agent \
--config /etc/sunet-cdn-agent/sunet-cdn-agent.toml \
run \
--cache-node
[Install]
WantedBy=multi-user.target

14
global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdn-agent.toml.erb vendored
View file

@ -1,14 +0,0 @@
[manager]
username = "<%= @cache_secrets['sunet-cdn-agent']['username'] %>"
password = "<%= @cache_secrets['sunet-cdn-agent']['password'] %>"
url = "<%= @cache_secrets['sunet-cdn-agent']['url'] %>"
[confwriter]
root_dir = "/var/lib/sunet-cdn-agent"
cert_dir = "/opt/certbot-sync/letsencrypt/live"
systemd_system_dir = "/etc/systemd/system"
systemd_network_dir = "/etc/systemd/network"
[l4lb-node]
netns = "l4lb"
netns_conf_dir = "/opt/sunet-cdn/l4lb/conf"

2
global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdn-purger.service.erb → global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdnp.service.erb vendored
View file

@ -6,7 +6,7 @@ After=docker.service
[Service] [Service]
Type=simple Type=simple
ExecStart=/usr/local/bin/sunet-cdn-purger \ ExecStart=/usr/local/bin/sunet-cdnp \
-mqtt-ca-file /usr/local/share/ca-certificates/step_ca_root.crt \ -mqtt-ca-file /usr/local/share/ca-certificates/step_ca_root.crt \
-mqtt-client-key-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/privkey.pem \ -mqtt-client-key-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/privkey.pem \
-mqtt-client-cert-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/fullchain.pem \ -mqtt-client-cert-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/fullchain.pem \

2
global/overlay/etc/puppet/setup_cosmos_modules
View file

@ -83,7 +83,7 @@ def main():
"sunet": { "sunet": {
"repo": "https://github.com/SUNET/puppet-sunet.git", "repo": "https://github.com/SUNET/puppet-sunet.git",
"upgrade": "yes", "upgrade": "yes",
"tag": "stable-2023v1-2*", "tag": "patlu-dockerhost2-ipv6-nat-2*",
}, },
"augeas": { "augeas": {
"repo": "https://github.com/SUNET/puppet-augeas.git", "repo": "https://github.com/SUNET/puppet-augeas.git",

10
global/overlay/usr/local/bin/run-cosmos
View file

@ -3,8 +3,6 @@
# Simplify running cosmos, with serialization if flock is available. # Simplify running cosmos, with serialization if flock is available.
# #
set -e
readonly PROGNAME=$(basename "$0") readonly PROGNAME=$(basename "$0")
readonly LOCKFILE_DIR=/tmp readonly LOCKFILE_DIR=/tmp
readonly LOCK_FD=200 readonly LOCK_FD=200
@ -124,14 +122,6 @@ machine_is_healthy() {
} }
main () { main () {
if [[ $1 == '--random-sleep' ]]; then
shift
sleep=$((RANDOM % 300))
echo "$0: Sleeping for ${sleep} seconds before attempting to run cosmos"
sleep $sleep
fi
lock "$PROGNAME" || eexit "Only one instance of $PROGNAME can run at one time." lock "$PROGNAME" || eexit "Only one instance of $PROGNAME can run at one time."
fleetlock_lock || eexit "Unable to acquire fleetlock lock." fleetlock_lock || eexit "Unable to acquire fleetlock lock."
cosmos "$@" update cosmos "$@" update

2
global/overlay/usr/local/libexec/cosmos-cron-wrapper
View file

@ -2,7 +2,7 @@
test -f /etc/no-automatic-cosmos && exit 0 test -f /etc/no-automatic-cosmos && exit 0
RUN_COSMOS='/usr/local/bin/run-cosmos --random-sleep' RUN_COSMOS='/usr/local/bin/run-cosmos'
SCRIPTHERDER_CMD='' SCRIPTHERDER_CMD=''
if [ -x /usr/local/bin/scriptherder ]; then if [ -x /usr/local/bin/scriptherder ]; then

12
internal-sto3-test-cache-2.cdn.sunet.se/overlay/etc/hiera/data/local.eyaml
View file

@ -1,9 +1,13 @@
--- ---
cdn::cache-secrets: cdn::cache-secrets:
sunet-cdn-agent: customers:
username: ENC[PKCS7,MIIC6wYJKoZIhvcNAQcDoIIC3DCCAtgCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAhaGwyCYZXagexYIi7GKQ78zXGurxDf8pCC+kvMarfxImiBiL06I3JE8xZ20msgY220fKeJ0EfTT6ZkfSFWo0SmIRVBpESFMx20a/gTdwngI+ZLeCHhEPzOZX/pNOC2JJ85FJiPBIEbebbVSqTV3x6urGgktI1fl1tL/yFAJd0xjxnWCswPbR/0M4EYumdM8rthy3yuCAB9pIF8l5tMvSVGG6+GPHvm8vPDC8Cy2qYMKNNhf9cLEAUdnIH7o0dQCIUoacAVihv05h34hfl5PhAD0Cla/BOYmQzScB+dglmXmUs9NLt6/a/Z+qRqltZAojpy6yYJ1MdwITZ45jmhW4yA6NU9iR3aPhu//nGvxozdSHDlpDyVaCesrXq1fJyNuFh96iSUkTvem6qmU3d7tn3/zo6dVdmohsN8qdZFaskw+wnyTkMBshqGfMEIjc1hdDbZyUnIpx4Em98cy8edS9AZE3GkoVb6UPfoYm5MvmDoCFdSeBYg2lJDbFPdx5CkoUBf/x4wr8Aera9DbkLS1MNJyvgARZ339T5joGaangSEk3xvhN5DqTWZSKfgYBE1/f2iMmDgseMD5nZyRUX5vNK3qwlqwhaXTW3xVscMovQ4pJueftl1cFeEUoWSpgx7hbXbuggF9PLGVduzTwgfY8g6kHHkby+1zKOSxKiBrvMnAwPAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQWe5knFV2o7xqT2HesFl0iIAQUx29rsXmi2uxECrhcC7jZw==] customer1:
password: ENC[PKCS7,MIIC+wYJKoZIhvcNAQcDoIIC7DCCAugCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAQqWL7jtFS3M0lzw5K2xuWwL4h9hf9NXsRwFgf3/wmlOVQLTv1mciMiEYyUly/hiy0T5AtdxnpbjdMZqVY9YW4sMbykqQy/sqMtRpsFn26oSMOU1vpiwKx4BVCxIc+nbz/VQEA8Hi0vB5jAH9d1zdjOJ74LCcqI8WuUDIVOBkOAxv/4+B8dBRZ0rDuMaxOCy4BQ6kjv9VRNq1QcTsUGY9faonw9W1gmmuf4wbiWdV+hlb4Kq/DAoZGy0dEYR9SLhLK5uXDhysvggZjboM/R0OcN9Zee0OxyAhfJXLggLdCK8M38U6VtIjjfhgqwBTUwoxfWL96/TskxawK3YRbp1c0N4PbCWu3MCYOGMjk76svY8GcBteDNHxpc7CBbQF4BpLhMDQzY4mPTIF5E3MiEGF3Yex6qbhjXA1aN23P0hq0McXRDMR6tGdmua9xxgumAVtaoen+0XbXMKmCDyu0cP2Nw1BeG0L3l8csJdhFKmM5JKDrHb639sFcIUu/qaM5EY7JibHB47CmBnRBpW50rZ+N9TR8Q+9xPvQIXnmr/c8done6frhQvgiztzAhVVoUw8KYiK8WvTLHTUP38Zf0flj00yjLg7auXqv9+HrxBrma5ZeXfHOlrv9eaSRJSI2vQSuAUClRi2IN3LxRfuvLPo3BhIhr6NvimwBK61Wy7wRCAIwTAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ+qQxQsrWAMHrNGmgE+JlL4AgfpYwz4qjxAoGeHeI3JC73ArW2xay23EE8VYrClSzbTc=] key: ENC[PKCS7,MIIDCwYJKoZIhvcNAQcDoIIC/DCCAvgCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAI1BuG1SsQnLmrCgY+Sy2Vl0DslfUWntWhgmy+VNiN+DsGqJM1u46LY7KHCUstssofwafq8OFaSFRc22L63VQaHgY/LYMV/6OwvNWsNb7H4h6giXKTYbqVDwU6+sSvbGA34Yk/YdodPTHmMu+fJVXNAiVIcmUJ2KvPBboiD89lLwwyREP98hFF5tjJm91EuuS4q8msatrw7hB2R/Us1SWp+Jb4Yqh2h4hvkXtVMjrzbjDzZYSdgBm/3uJAvFaEkI5f43DLcv5I9ZZS+eX/Yame7YMheR8Kcc67RfTqiAmqFCNltLQ1yMTMDHICuCay+chuah/SYVrXilbalBxqtiTtUBkJ8LW2DwvHfQXvhtcpkQ/4wMXsSIHO4qLvUbIgze/T+zreUSgJYcqOSymYJPGM66G7mfsva5FDlEfIz15Cia9+uF7LQcw6e1vJitSy7bbL+I8HHoX+KhlfGC7I21+OBTF8j7Ju+Qj11zUa4WmZYRQxdirhJCKaD1djA+oYOffqMZ3zFD8CQidJ+uxGLTCrCR5A2zs4Z4gasWvETmrRwg6Gv4wBcx3908euruHJ7scYk4pTJWCySa5INsD6uNLWBPcspfXd/PEmFgp8SjR8lCkmoGcDgzx6AkuT/wf0w9dUmdmbG6p+pBfXWR2ROhWHOHvj/C8vHZJb8XivMuHyTowXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQN81EZkXnsIsb1Lrj4J8Hd4AwdJUyG/D8DCU8fMySPfIHTHk6f5EFMDNPYhyO71d0zeDusHXuNWF9dxBjtGhezG4k]
url: ENC[PKCS7,MIIC+wYJKoZIhvcNAQcDoIIC7DCCAugCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAnAoDGBH9NFNccefbcpA7SchD4C+7HI2AL4qccUYzdXcqdyJXUMH6I3p8qM35l1g3Ndwy5ruv5FrbRIvFsgynYanKCqOVGnwx8Zi3v0BQXyCldQJpKORApSVvrU4PwWh+ZZO1GuIPZslO+OFgLOeUTzZjcqb1+esWbKfsupvJSVwIGRbeolgEfSSzvyVlw/ufzTQPO0fPM8m2TjQaPY0M5/eXx9ixAXe37i6j41zRxUUAS71ysXQNdhiMOAR5I44W9z7dzQjzi94WGVQlqSvr21PLSC5xeYry0+vMX3fALg339l54No5dmnLW00s3Ck8iGdfxDeUg2gMdD14kWQW5ENnYY86tLWEKXqB00YxQand0iLcgsRZjByBsKFKnDi5roF+gYadiXLGFIFrQGcSOivmjao0jqEvqv+uFSTSc14Zf86Gt3UWDWotxzFaHQDdD/xGDh9BaXlvH1pWS22ldk1O+I2f5LV3im1oFEDEcmYRAbdyUsG5W08H0zMCrTq6J9MEIVNXfzQ8+CZ9qALs1KJ9CIW3w+wqEHjjzIsEJIc32BL17hzYFvOYceCmbXQpY9ZmfWoSIuioblrB47XgNraIy+Rf3xRoXVLG2HGE7pCIWIo1R6PDLLKl7C4Aig6QhLhZ7piAxCGmZw8O+fL1VWz5a2xC56257T8/w8s7iF7IwTAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQnOR7eknIPwxOTt0YVKhcUoAggyq2h3cUjvt75aVnmTr3SRQGIUnbkc/GNUG4dfZTvtY=] host: ENC[PKCS7,MIIC+wYJKoZIhvcNAQcDoIIC7DCCAugCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAn6fTKq6YOMlpahab4milaa/CYsIv9sWj2hTLeVtfRo0VaFTI2BVIu/2w/1Rk2JAYSPo3M97ToNOA09ZdmsgFnLwBXt54QeSrYQ1qzN8XLvcZrp+1FHvrmjSlB4VnKCq/Kp0Z0XzNVJ5pDLniJyXSV2efhzKqifWP9feMFvsCXgdpbJXc0+arFHBRN8CcBJvlJde6Nq5LzTWHN2NXrIOr3m8vLcPnsQEX9SFKy7tS9l6YXnxBmLmkvHciJHgFNzuIu2gfpuDfRpNjo5UGTeEhv8tMqyhYqPBNE/OtmycacGS4fd3juab4XMfT+HM7WV84khQyejJCDdhxvIIT8XM5mDYVS2z+qhnkqRugJEqo149jAtnXYQRSQgS4Cebj7oYaYFjhpxdALUrK4sPxxFqPewmpIJdtVUpmU8UjiwdZA3yQnnKGQby2hgOZN2mekbqWvzaNdxRwCakqeTESHJ/J0aedUz1fPNzaydbIJWK68oxmzHU2XQgQE1D3B1NJWldKvt4FOkzQYyouBltoyzcpRAScQUF5ty+mvfI14+omKDiecWwJMdzColjKML9X76aPdsSgbq5jw8tjjI4D+VXSGLU6xP1DCPZjLlj0TP1yhVxxOPkt+VtxO40jzM/HJ/yHDuS/BWP4z6KxOQRJnpGUFg0AFQk0tinQ1IUmG8EuDxIwTAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ3ky0SRUp0ChVrTTCkWAKKoAgkFfDRY4ia37Jc55b18VfTvayazimefkS6sq7Pp7TlHg=]
ip4: ENC[PKCS7,MIIC6wYJKoZIhvcNAQcDoIIC3DCCAtgCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIA4DpAdWaE1EvqEpHG03q+F4lc69CY5T93xZ/DGzr82aMbU2DyP0UJ9eKxkdn6Qak0wHFfIl2C1qy/RXw9T8/6YABGop4VL2Jlu74Qz+Jv+9hbiBIfLvmLYfY+s5MhkcLGtKmcdTwVKHGuki7NWPHp3iX9LFggJhWlQSdEuoJ/OFwzEiK3H5DxxitvBURPoicomgWKbRM0iAqV1iM3nNFUB/6cbTAb/WHwuA+K/AWBhTIhuB4M5lTfBqPoGBUDkHepZQJ7dXdax90y9Avgrx5rxnLtzhXcdsuJ+lPLbHYrEfOvImncf4l/Px51pT3FxkwZJpF0qgUqHgnioGb2KXpL1pIDL3ePtLTsFcM8gMSbG/d04BZ2HGHzK09e95fgF9HgTN6GZo4PHP+eWpdyR3UGNylWH6PVMuzyEA+UgrxcGMmqXNsMWgT8hjVDj5D5GUxaGmS4DnbgoWY7QKSHsKQCP2EN+h2nUDWai8AJ7jyjRs2eJ0yoKtobmgcMkrfh4osnaQpjNiBxfE/D8l/VSWCvKmv8/ETG5c7nRSztaUAtvq8ysEBNaAyPuB8g8Nu7z3s2Hr/p7hfMzM0VNZY4b7DlvGmPqs5Av0lZV+IWK/t69DMyjlWplKqNoMZ87f6t7WxtGjvbUXhHYUwGQZMXWuaLiAtmaMYxYwhqQtbLykbPIRYwPAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ1TMTF9KdFFxqTTCw01QcuYAQz26QlHGb4gPFOaByg8YpyQ==]
ip6: ENC[PKCS7,MIIC+wYJKoZIhvcNAQcDoIIC7DCCAugCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAP2FzvJqxJUktd4ydtawRbHZmbgQ0Db9k6E09c3YC9VgSBfBd5IhUjsf7smoPRGoHywoqW8MthPZxH/QQ7iwTAZuDCLRZ6SOlyrF6lfuH4QSUltrERjn2xntdyCiZTTL8p18mdwVK4cwyYv+aG7ztpC4aP+SahJ56pCwWSl9dA/695r9MI6a2Objf6E+biu92s5l5i8fPMleZU3en39lJ8XfiqG/z1u/Vf0f3HoGrsVeOt9rRuN6jFHRPomiFnz89kx2/UypcNU1P5MoC/q0t4dO2BcoTjcmDTwHuPzNWc8ukmW1JNNgZX2AAmjuOR2XHHOU2FijPiIni5opISFPi8lc1QNu1ptPn1OqruR5deSMJiDF/jRNZSk3RSBhoG4SXpxuStW/jmmMWdUILSn1GnYIqA0sPJvXqpeGDRRsqft+crRFnh13z8Uw/QDmQY+voRVRjRrGBD2uGnyX7QE+Ju+FP20fwdhLGdCOoi0Ea9RCJxFFWfLtZVAkmkUDbUI4xUww+Mkv8ITvbr73agBEPaoCdBc5hjzmaj+e/ZatH51p+WtY6rG+IWG441kpW4B1E5et2MQWqxCSEY82IrnliQ1LBOut9jjFLfe/UuoiddmOeBmYtsiCR7vxURDn8kG+wHvmfnAr2n+EDkf+2ojWkP9N07R8pSM+yBKCB9tTrZ38wTAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQj7eyNfGf3w8lSc1fh6PG0YAgWEtO8a6fOZPuxD6o/C5XJDmQHewD7NykrK1qiF5Tjdo=]
origins:
- ENC[PKCS7,MIIC6wYJKoZIhvcNAQcDoIIC3DCCAtgCAQAxggKTMIICjwIBADB3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxMDAuBgNVBAMMJ2ludGVybmFsLXN0bzMtdGVzdC1jYWNoZS0yLmNkbi5zdW5ldC5zZQIUdz1N+zcs0PBGXqzkGwE/CGSTG5MwDQYJKoZIhvcNAQEBBQAEggIAwrENSsgv+k4c96RjXy2Ps5p+l0qgiCouAgVMNQg3Tusrr1kbjnhsb0NpKE46Yiulm1Zw7aBpeXQzR2BVIgGo9uWu/7TF2P7CbMzZAKW5YEu53ccAwN/BRcunNlJTptxwaSRsHcv8nrO3Jo7vcfxN40pZDpWSlFcSu5xHHPwWHyKrERvjwl2wDjbBvRtDIfv8OJAx68J2kMrC1PcZ3WBK/tgO9IMJIFp+lKq+qwBx5Sbtckuyjz1L95iynIjQfetWqrF8SB0Svv80BRbdx4ONSrpgHH1hwplmWI+HlIYtMOkOZisQYdzWu39XloQHYq42fn6nt22lTx7ZTAR913ZFgH7KvUY9VRmq5zwYD10veY2QqelOhE6OE4BBmF0nRDzLRY+QZl8ancCkWNkbKlThNqtsoNzm9A6pKXlsJw/MdwDPxm0WE/m75BjXzObovisWp7yY9zLqJv2CdGtWuaXDQIXLPaCntXX8ZaEidSpcgnjXF9sfnknzvqvPibws3TQcyzTaemPYFScGX1Dp8wzQB72TJhusNUB1NyzRHApPlXB8PKLBlwR+hxogIaoq5HSmLmtkyi9wT2Gs8aC3dbvZA+OBgEdEi5Z2WcurUI4dFcyiKiSUDdRCjHWwiOii6BYvxZ7FCwifqeyRap0MvOstKGE47TsUSxwVS4zB/l3hZTswPAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQd3iYJWuQ0pbXRzv0mca4+4AQ8aZp4Ri24FUXRut6lhxkNw==]
certbot_sync_client_ssh_key: > certbot_sync_client_ssh_key: >
ENC[PKCS7,MIIEnwYJKoZIhvcNAQcDoIIEkDCCBIwCAQAxggKTMIICjwIBAD ENC[PKCS7,MIIEnwYJKoZIhvcNAQcDoIIEkDCCBIwCAQAxggKTMIICjwIBAD
B3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRV B3MF8xCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRV