eid-ops/global/overlay/etc/puppet/manifests/cosmos-site.pp

# This manifest is managed using cosmos

Exec {
  path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}

include sunet

class mailclient ($domain) {
   sunet::preseed_package {"postfix": ensure => present, options => {domain => $domain}}
}

class autoupdate {
   class { 'sunet::updater': cron => true, cosmos_automatic_reboot => true }
}

class jumphosts {}

class infra_ca_rp (Boolean $monitor_infra_cert = true,){
   sunet::ici_ca::rp { 'infra': monitor_infra_cert => $monitor_infra_cert}
}

# you need a default node, all nodes need ssh + ufw
node default {
}

class site_alias($alias_name=undef) {
   file { "/var/www/$alias_name":
      ensure => link,
      target => $name
   }
}

class common {
  include sunet::tools
  include sunet::motd
  include sunet::ntp

  if $::sunet_nftables_opt_in != 'yes' and ! ( $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '22.04') >= 0 ) {
    warning('Enabling UFW')
    include ufw
  } else {
    warning('Enabling nftables')
    ensure_resource ('class','sunet::nftables::init', { })
  }

  include apt
  # Only import appaprmor for ubuntu22 and older
  if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') <= 0 ){
   include apparmor
  }
  include sunet::packages::jq
  package { 'needrestart': ensure => installed}
  package {'lshw': ensure => 'latest'}

  # change git repo from gitops.sunet.se to platform.sunet.se
  exec { 'git_repo_sunet':
    cwd     => '/var/cache/cosmos/repo',
    command => '/usr/bin/git remote set-url origin https://platform.sunet.se/swedenconnect/eid-ops.git git://gitops.sunet.se/eid-ops',
    onlyif  => '/usr/bin/git remote get-url origin | grep -qi gitops.sunet.se/eid-ops',
  }
}

class dhcp6_client {
  ufw::allow { "allow-dhcp6-546":
      ip    => 'any',
      port  => '546',
      proto => 'udp',
  }
  ufw::allow { "allow-dhcp6-547":
      ip    => 'any',
      port  => '547',
      proto => 'udp'
  }
}

class entropyclient {
   # Entropy is not needed on modern kernels, we should remove this class when done with SC-2522
   if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') <= 0 ){
      include sunet::simple_entropy
      sunet::ucrandom {'random.nordu.net': ensure => absent }
      sunet::nagios::nrpe_check_process { 'haveged': }
   }
}

class openstack_dockerhost {
   class { 'sunet::dockerhost':
      docker_version            => '17.12.0~ce-0~ubuntu',
      docker_package_name       => 'docker-ce',
      storage_driver            => "aufs",
      run_docker_cleanup        => true,
      manage_dockerhost_unbound => true,
      docker_network            => true
   }
}

class sunet_iaas_cloud {
   sunet::cloud_init::config { 'disable_datasources':
      config => { datasource_list => [ 'None' ] }
   }
   sunet::cloud_init::config { 'keep_root_enabled':
      config => { disable_root => 'false' }
   }
}

class webserver($enabled=true) {
   if $enabled {
      ufw::allow { "allow-http":
         ip   => 'any',
         port => '80'
      }
      ufw::allow { "allow-https":
         ip   => 'any',
         port => '443'
      }
   } else {
      ufw::deny { "allow-http":
         ip   => 'any',
         port => '80'
      }
      ufw::deny { "allow-https":
         ip   => 'any',
         port => '443'
      }
   }
}

class webserver_new {
  sunet::misc::ufw_allow { 'http':
    from => 'any',
    port => '80',
  }
  sunet::misc::ufw_allow { 'https':
    from => 'any',
    port => '443',
  }
}

class servicemonitor {
   $nagios_ip_v4 = hiera_array('nagios_ip_v4',[]);
   sunet::misc::ufw_allow { "allow-servicemonitor-from-nagios":
      from   => $nagios_ip_v4,
      port => '444',
   }
}

class https_server {

}

class fe_servers {
}

class eidas_log {
   ensure_resource('file','/etc/logrotate.d',{
      ensure => 'directory',
      mode   => '0755'
   })
   file {'/etc/logrotate.d/eidas_logs':
      ensure  => file,
      path    => '/etc/logrotate.d/eidas_logs',
      mode    => '0644',
      content => template('eid/eidas_logs/eidas_logs.erb')
   }
}

class swamid_metadata($filename=undef) {
  sunet::metadata::swamid { "$filename": }
}

class saml_metadata($filename=undef, $cert=undef, $url=undef) {
  sunet::metadata { "$filename": url => $url, cert => $cert }
}

class md_repo_client {
   sunet::snippets::reinstall::keep {['/etc/metadata','/root/.ssh']: } ->
   sunet::ssh_git_repo {'/var/cache/metadata_r1':
      username    => 'root',
      group       => 'root',
      hostname    => 'r1.komreg.net',
      url         => 'git@r1.komreg.net:komreg-metadata.git',
      id          => 'komreg',
      manage_user => false
   } ->
   package { ['make']: ensure => latest } ->
   sunet::scriptherder::cronjob { 'verify_and_update':
      cmd           => '/var/cache/metadata_r1/scripts/do-update.sh',
      minute        => '*/5',
      ok_criteria   => ['exit_status=0', 'max_age=15m'],
      warn_criteria => ['exit_status=0', 'max_age=1h'],
   }
}

class eidas_metadata_key {
   sunet::snippets::secret_file {"/etc/credentials/metadata.key":
      hiera_key => 'eidas_metadata_key',
      base64    => true
   }
}

class eidas_hsm_client($luna_version="7.4-dev") {
   $pkcs11pin = hiera('pkcs11pin',"")
   sunet::snippets::reinstall::keep {['/etc/luna','/etc/Chrystoki.conf.d']: } ->
   file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
   sunet::docker_run {"${name}_hsmproxy":
      hostname => "${::fqdn}",
      image    => 'docker.sunet.se/luna-client',
      imagetag => $luna_version,
      volumes  => ['/dev/log:/dev/log','/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
      env      => ["PKCS11PIN=${pkcs11pin}"],
      extra_parameters => ["--log-driver=syslog"]
   }
   sunet::scriptherder::cronjob { "${name}_restart_hsmproxy":
     cmd           => "/usr/sbin/service docker-${name}_hsmproxy restart",
     minute        => '9',
     hour          => '0',
     ok_criteria   => ['exit_status=0','max_age=48h'],
     warn_criteria => ['exit_status=1','max_age=50h'],
   }
}

class md_signer($dest_host=undef,$dest_dir="",$version="eidas") {
   package { ['xsltproc','libxml2-utils','attr']: ensure => latest } ->
   sunet::pyff {$name:
      version           => $version,
      pound_and_varnish => false,
      pipeline          => "${name}.fd",
      volumes           => ["/etc/credentials:/etc/credentials"],
      docker_run_extra_parameters => ["--log-driver=syslog"]
   }
   if ($dest_host) {
      sunet::ssh_host_credential { "${name}-publish-credential":
         hostname          => $dest_host,
         username          => 'root',
         group             => 'root',
         manage_user       => false,
         ssh_privkey       => safe_hiera("publisher_ssh_privkey")
      } ->
      sunet::scriptherder::cronjob { "${name}-publish":
         cmd               => "env RSYNC_ARGS='--chown=www-data:www-data --chmod=D0755,F0664 --xattrs' /usr/local/bin/mirror-mdq.sh http://localhost root@${dest_host}:${dest_dir}",
         minute            => '*/5',
         ok_criteria       => ['exit_status=0'],
         warn_criteria     => ['max_age=30m']
      }
   }
}

class md_publisher(Array $allow_clients=['any'], $keyname=undef, String $dir="/var/www/html", $signer_ip_adress=undef) {
   $_keyname = $keyname ? {
      undef   => $::fqdn,
      default => $keyname
   }
   # this allows fileage check to work wo sudo
   file { '/var/www': ensure => directory, mode => '0755' } ->
   file { '/var/www/html': ensure => directory, mode => '0755', owner => 'www-data', group =>'www-data' } ->
   sunet::ssh_keys { 'publisher-keys':
     config => safe_hiera('publisher_ssh_keys_mapping', {}),
     key_database_name => 'publisher_ssh_keys_db'
   } ->
   package {['lighttpd','attr']: ensure => latest } ->
   exec {'enable-ssl':
      command => "/usr/sbin/lighttpd-enable-mod ssl",
      onlyif  => "test ! -h /etc/lighttpd/conf-enabled/*ssl*"
   } ->
   file {'/etc/lighttpd/server.pem':
      ensure => 'link',
      target => "/etc/ssl/private/${_keyname}.pem"
   } ->
   if ($::operatingsystemrelease < '20.04') {
     apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd' }
     }
   else {
     apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd.upgraded' }
     }
   file {'/etc/lighttpd/conf-enabled/99-mime-xattr.conf':
      ensure  => file,
      mode    => '0640',
      owner   => 'root',
      group   => 'root',
      content => inline_template("mimetype.use-xattr = \"enable\"\n")
   } ->
   service {'lighttpd': ensure => running } ->
   sunet::misc::ufw_allow {'allow-lighttpd':
      from   => $allow_clients,
      port   => 443
   } ->
   sunet::nagios::nrpe_check_fileage {"metadata_aggregate":
      filename => "/var/www/html/entities/index.html", # yes this is correct
      warning_age => '1800',
      critical_age => '86400'
   }
   sunet::misc::ufw_allow { "allow_ssh":
    from => $signer_ip_adress,
    port => '22',
  }
}

class mdsl_publisher() {
   sunet::nagios::nrpe_check_fileage {"mdsl_aggregate":
      filename => "/var/www/html/mdservicelist-aggregate.xml", # yes this is correct
      warning_age => '600',
      critical_age => '86400'
   }
   sunet::nagios::nrpe_check_fileage {"mdsl_se":
      filename => "/var/www/html/mdservicelist-se.xml", # yes this is correct
      warning_age => '600',
      critical_age => '86400'
   }
}

class proxy_eidas_metadata() {
   sunet::nagios::nrpe_check_fileage {"proxy_eidas_metadata_cache":
      filename => "/etc/eidas-proxy/se/ps-mdcache/metadata-cache.xml",
      warning_age => '600',
      critical_age => '172800'
   }
}

class md_repo_server($hostname) {
   ensure_resource('sunet::system_user', 'www-data', {
      username   => 'www-data',
      group      => 'www-data',
      managehome => false,
      shell      => '/bin/bash'
   })
   class {'sunet::gitolite': save_private_admin_key_on_server=>false }
   sunet::snippets::add_user_to_group { 'add_www_data_to_git':
      username => 'www-data',
      group    => 'git'
   } ->
   sunet::docker_run {'gitweb':
      image    => 'docker.sunet.se/gitweb',
      imagetag => 'latest',
      volumes  => ['/etc/dehydrated:/etc/dehydrated','/home/git:/home/git'],
      ports    => ['443:443','80:80'],
      env      => ["HOSTNAME=$hostname","ACMEDIR=/etc/dehydrated","KEYDIR=/etc/dehydrated"],
      extra_parameters => ["--log-driver=syslog"]
   }
   ensure_resource('class','webserver',{})
   ensure_resource('class','https_server',{})
   $md_signers_ip = hiera_array('md_signers',[])
   sunet::misc::ufw_allow { 'allow_ssh_md_signers':
      from => $md_signers_ip,
      port => '22',
    }
}

class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') {
   $_version = safe_hiera('eidas_demw_version',$version)
   $_hostname = safe_hiera('eidas_demw_hostname',$hostname)
   $poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
   $spring_datasource_password = safe_hiera('spring_datasource_password')
   $pkcs11_pin = safe_hiera('pkcs11_pin')

   #saved directly in admin inteface from version 3.0.0 onwards
   $demw_tls_client_key = safe_hiera('demw_tls_client_key')
   $demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
   $demw_tls_server_cert = safe_hiera('demw_tls_server_cert')

   file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database', '/opt/eidas-middleware/database/hsql']: ensure => directory } ->
   file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
   sunet::docker_run {'eidas-demw':
      image    => 'docker.sunet.se/eidas-demw',
      imagetag => $_version,
      hostname => "${::fqdn}",
      ports    => ['443:8443','10000:10000'],
      volumes  => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
                   '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
                   '/opt/eidas-middleware/database:/opt/eidas-middleware/database',
                   '/dev/log:/dev/log',
                   '/etc/luna/cert:/usr/safenet/lunaclient/cert',
                   '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
                   '/etc/ssl:/etc/ssl'],
      env      => ["CERTNAME=${::fqdn}_infra",
                   "LOGGING_LEVEL_DE_GOVERNIKUS_EUMW_POSEIDAS_SERVER_IDPROVIDER_CONFIG=DEBUG",
                   "SC_HSM.P11_PIN=$pkcs11_pin",
                   "SC_HSM_P11_CONFIG_FILE=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config",
                   "SC_HSM.P11_ALIAS=sc_eidas_sign",
                   'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"',
                   "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"],
      extra_parameters => ["--log-driver=syslog"]
   }
}

class eidas_de_middleware_hsm_test($version="110-fixes-sc-p11",$hostname='localhost') {
   $_version = safe_hiera('eidas_demw_version',$version)
   $_hostname = safe_hiera('eidas_demw_hostname',$hostname)
   $spring_datasource_password = safe_hiera('spring_datasource_password')
   $pkcs11_pin = safe_hiera('pkcs11_pin')

   #saved directly in admin inteface from version 3.0.0 onwards
   $demw_tls_client_key = safe_hiera('demw_tls_client_key')
   $demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
   $demw_tls_server_cert = safe_hiera('demw_tls_server_cert')

   file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database','/opt/eidas-middleware/database/hsql']: ensure => directory } ->
   file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
   sunet::docker_run {'eidas-demw':
      image    => 'docker.sunet.se/eidas-demw',
      imagetag => $_version,
      hostname => "${::fqdn}",
      ports    => ['443:8443','10000:10000'],
      volumes  => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
                   '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
                   '/opt/eidas-middleware/database:/opt/eidas-middleware/database',
                   '/dev/log:/dev/log',
                   '/etc/luna/cert:/usr/safenet/lunaclient/cert',
                   '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
                   '/etc/ssl:/etc/ssl'],
      env      => ["CERTNAME=${::fqdn}_infra",
                   "LOGGING_LEVEL_DE_GOVERNIKUS_EUMW_POSEIDAS_SERVER_IDPROVIDER_CONFIG=DEBUG",
                   "SC_HSM.P11_PIN=$pkcs11_pin",
                   "SC_HSM_P11_CONFIG_FILE=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config",
                   "SC_HSM.P11_ALIAS=sc_eidas_sign",
                   'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"',
                   "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"],
      extra_parameters => ["--log-driver=syslog"]
   }
   sunet::nftables::docker_expose { 'https' :
      allow_clients => 'any',
      port          => '443',
      iif           => "${interface_default}",
    }
   sunet::nftables::docker_expose { 'admin_gui' :
      allow_clients => 'any',
      port          => '10000',
      iif           => "${interface_default}",
    }
}

class eidas_de_middleware($version="106-rs",$hostname='localhost') {
   $_version = safe_hiera('eidas_demw_version',$version)
   $_hostname = safe_hiera('eidas_demw_hostname',$hostname)
   $poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
   $spring_datasource_password = safe_hiera('spring_datasource_password')

   #saved directly in admin inteface from version 3.0.0 onwards
   $middleware_crypt_pin = safe_hiera('middleware_crypt_pin')
   $middleware_sign_pin = safe_hiera('middleware_sign_pin')
   $demw_tls_client_key = safe_hiera('demw_tls_client_key')
   $demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
   $demw_tls_server_cert = safe_hiera('demw_tls_server_cert')

   file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database','/opt/eidas-middleware/database/hsql']: ensure => directory } ->

   #saved directly in admin interface from version 3.0.0 onwards
   sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-signature-keystore.jks":
      hiera_key => 'eidasmw-signature-keystore',
      base64    => true
   } ->
   #no longer needed in version 3.0.0 onwards
   file { '/opt/eidas-middleware/configuration/POSeIDAS.xml.sh':
      ensure  => present,
      content => template('eid/demw/POSeIDAS.xml.sh.erb'),
      mode    => '0744',
      }
   #saved directly in admin interface from version 3.0.0 onwards
   sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-crypto-keystore.jks":
      hiera_key => 'eidasmw-crypto-keystore',
      base64    => true
   }
   sunet::docker_run {'eidas-demw':
      image    => 'docker.sunet.se/eidas-demw',
      imagetag => $_version,
      hostname => "${::fqdn}",
      ports    => ['443:8443','127.0.0.1:10000:10000'],
      volumes  => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
                   '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
                   '/opt/eidas-middleware/database:/opt/eidas-middleware/database',
                   '/dev/log:/dev/log',
                   '/etc/ssl:/etc/ssl'],
      env      => ["CERTNAME=${::fqdn}_infra",
                   "PUBLIC_HOSTNAME=$_hostname",
                   "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password",
                   'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"'],
      extra_parameters => ["--log-driver=syslog"]
   }
}

class eidas_sp($version="1.0.0",$hostname='localhost',$environment='qa') {
   $_version = safe_hiera('eidas_sp_version',$version)
   $_hostname = safe_hiera('eidas_sp_hostname',$hostname)
   file {['/etc/eidas-sp','/var/log/eidas-sp','/etc/ssl']: ensure => directory } ->
   sunet::docker_run {'eidas-sp':
      image    => 'docker.sunet.se/eidas-sp',
      imagetag => $_version,
      hostname => "${::fqdn}",
      ports    => ['443:8443','127.0.0.1:444:8444'],
      volumes  => ['/var/log/eidas-sp:/var/log/eidas-sp',
                   '/etc/eidas-sp:/etc/eidas-sp',
                   '/dev/log:/dev/log',
                   '/etc/ssl:/etc/ssl'],
      env      => ["SERVER_SERVLET_CONTEXT_PATH=/",
                   "SP_USE_SC_LOGO=false",
                   "SP_ENTITY_ID=https://$_hostname/sp",
                   "SPRING_PROFILES_ACTIVE=$environment",
                   "SP_BASE_URI=https://$_hostname"],
      extra_parameters => ["--log-driver=syslog"]
   }
   ensure_resource('class','webserver',{})
   ensure_resource('class','https_server',{})
}

class test_my_eid($version="1.0.1",$hostname='localhost',$environment='qa') {
   $_version = safe_hiera('test_my_eid_version',$version)
   $_hostname = safe_hiera('test_my_eid_hostname',$hostname)
   file {['/etc/test-my-eid','/var/log/test-my-eid','/etc/ssl']: ensure => directory } ->
   if ($environment== 'default') {
     sunet::docker_run {'test-my-eid':
       image    => 'docker.sunet.se/test-my-eid',
       imagetag => $_version,
       hostname => "${::fqdn}",
       ports    => ['443:8443','127.0.0.1:444:8444'],
       volumes  => ['/var/log/test-my-eid:/var/log/test-my-eid',
                    '/etc/test-my-eid:/etc/test-my-eid',
                    '/dev/log:/dev/log',
                    '/etc/ssl:/etc/ssl'],
       env      => ["SERVER_SERVLET_CONTEXT_PATH=/",
                    "SP_ENTITY_ID=https://$_hostname/sp",
                    "SIGN_SP_ENTITY_ID=https://$_hostname/sp-sign",
                    "SPRING_PROFILES_ACTIVE=$environment",
                    "SP_BASE_URI=https://$_hostname",
                    "SP_DISCOVERY_STATIC_IDP_CONFIGURATION=file:/etc/test-my-eid/idp-disco-test.properties",
		    "SP_FEDERATION_METADATA_URL=https://test.md.swedenconnect.se/role/idp.xml",
                    "SP_FEDERATION_METADATA_VALIDATION_CERTIFICATE=file:/etc/test-my-eid/test-metadata-signer.crt",
		    "SP_EIDAS_CONNECTOR_ENTITY_ID=https://test.connector.eidas.swedenconnect.se/eidas"],
       extra_parameters => ["--log-driver=syslog"]
     }
   } else {
     sunet::docker_run {'test-my-eid':
       image    => 'docker.sunet.se/test-my-eid',
       imagetag => $_version,
       hostname => "${::fqdn}",
       ports    => ['443:8443','127.0.0.1:444:8444'],
       volumes  => ['/var/log/test-my-eid:/var/log/test-my-eid',
                    '/etc/test-my-eid:/etc/test-my-eid',
                    '/dev/log:/dev/log',
                    '/etc/ssl:/etc/ssl'],
       env      => ["SERVER_SERVLET_CONTEXT_PATH=/",
                    "SP_ENTITY_ID=https://$_hostname/sp",
                    "SIGN_SP_ENTITY_ID=https://$_hostname/sp-sign",
                    "SPRING_PROFILES_ACTIVE=$environment",
                    "SP_BASE_URI=https://$_hostname",
                    "SP_DISCOVERY_STATIC_IDP_CONFIGURATION=file:/etc/test-my-eid/idp-disco-$environment.properties"],
       extra_parameters => ["--log-driver=syslog"]
     }
   }
   ensure_resource('class','webserver',{})
   ensure_resource('class','https_server',{})
}

class eidastest($version="1.0.0", $hostname="locahost") {
   $_version  = safe_hiera('eidastest_version',$version)
   $_hostname = safe_hiera('eidastest_hostname',$hostname)
   $home      = '/etc/eidastest'
   file { "${home}":
      ensure  => directory,
      owner   => 'root',
      group   => 'root',
      path    => "${home}",
      mode    => '0755',
   }
   file { "${home}/eidastest/config.ini":
      content =>  template('eid/eidastest/config.ini.erb'),
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
   }
   file { "${home}/eidastest/supervise_firefox_processes.sh":
      content =>  template('eid/eidastest/supervise_firefox_processes.sh.erb'),
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
   }
   $compose   = hiera("eidastest_compose")
   sunet::docker_compose {'eidastest_docker_compose':
      service_name => 'eidastest',
      description  => 'eidastest service',
      compose_dir  => "${home}",
      content => inline_template("<%= @compose.to_yaml %>\n")
   }
   ensure_resource('class','webserver',{})
   ensure_resource('class','https_server',{})
}

class swedenconnect_refidp($version="1.0.3",$hostname='localhost',$env=undef) {
  $_version = safe_hiera('swedenconnect_refidp_version',$version)
  $_hostname = safe_hiera('swedenconnect_refidp_hostname',$hostname)
  $idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt');
  $idp_fticks_salt = safe_hiera('idp_fticks_salt');
  $proxy_header_secret = safe_hiera('proxy_header_secret');
  file { ["/etc/swedenconnect-idp","/etc/swedenconnect-idp/credentials"]: ensure => directory } ->
  sunet::docker_run {'swedenconnect-idp':
      image    => 'docker.sunet.se/swedenconnect-idp',
      imagetag => $_version,
      hostname => "${::fqdn}",
      ports    => ['443:8443'],
      volumes  => ['/var/log/swedenconnect-idp:/var/log/swedenconnect-idp',
                   '/etc/swedenconnect-idp:/etc/swedenconnect-idp',
                   '/dev/log:/dev/log',
                   '/etc/ssl:/etc/ssl'],
      env      => ["IDP_SERVER_HOSTNAME=$_hostname",
                   "TOMCAT_HOSTNAME=$_hostname",
                   "IDP_FEDERATION_METADATA_URL=https://${env}.md.swedenconnect.se/entities/",
                   "IDP_FEDERATION_METADATA_VALIDATION_CERT=/etc/swedenconnect-idp/credentials/trust/sc-${env}-metadata-validation-cert.crt",
                   "TOMCAT_TLS_SERVER_KEY=/etc/ssl/private/${::fqdn}_infra.key",
                   "TOMCAT_TLS_SERVER_CERTIFICATE=/etc/ssl/certs/${::fqdn}_infra.crt",
                   "TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret",
                   "IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt",
                   "IDP_FTICKS_SALT=$idp_fticks_salt"],
      extra_parameters => ["--log-driver=syslog"]
   }
   ensure_resource('class','webserver',{})
   ensure_resource('class','https_server',{})
}

class eidas_connector($version="1.0.6",$hostname='localhost',$luna_debug='no') {
   $_version = safe_hiera('eidas_connector_version',$version)
   $_hostname = safe_hiera('eidas_connector_hostname',$hostname)
   $prid_service = safe_hiera('eidas_prid_service')
   $idp_fticks_salt = safe_hiera('idp_fticks_salt');
   $pkcs11_pin = safe_hiera('pkcs11_pin');
   $idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt');
   $idp_sealer_password = safe_hiera('idp_sealer_password');
   $proxy_header_secret = safe_hiera('proxy_header_secret');
   file {['/etc/eidas-connector','/etc/eidas-connector/credentials','/etc/eidas-connector/credentials/sp','/etc/eidas-connector/credentials/idp','/etc/eidas-connector/credentials/tomcat','/var/log/eidas-connector']: ensure => directory } ->
   sunet::snippets::secret_file {"/etc/eidas-connector/credentials/sealer.jks":
      hiera_key => 'eidas_connector_sealer_jks',
      base64    => true
   } ->
   sunet::snippets::secret_file {"/etc/eidas-connector/credentials/connector.key":
      hiera_key => 'eidas_connector_key',
      base64    => true
   } ->
   sunet::snippets::secret_file {"/etc/eidas-connector/credentials/metadata.key":
      hiera_key => 'eidas_metadata_key',
      base64    => true
   } ->
   sunet::snippets::secret_file {"/etc/eidas-connector/credentials/tomcat/tomcat-key.pem":
      hiera_key => 'eidas_connector_tomcat_key',
      base64    => true
   } ->
   file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
   sunet::docker_run {'eidas-connector':
      image    => 'docker.sunet.se/eidas-connector',
      imagetag => $_version,
      hostname => "${::fqdn}",
      ports    => ['443:8443'],
      volumes  => ['/var/log/eidas-connector:/var/log/eidas-connector',
                   '/etc/eidas-connector:/etc/eidas-connector',
                   '/dev/log:/dev/log',
                   '/etc/luna/cert:/usr/safenet/lunaclient/cert',
                   '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
                   '/etc/ssl:/etc/ssl'],
      env      => ["IDP_SERVER_HOSTNAME=$_hostname",
                   "TOMCAT_HOSTNAME=$_hostname",
                   "TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret",
                   "EIDAS_METADATA_IGNORE_SIGNATURE_VALIDATION=false",
                   "PKCS11_PIN=$pkcs11_pin",
                   "LUNA_DEBUG=$luna_debug",
                   "IDP_ENTITY_ID=https://$_hostname/eidas",
                   "SP_ENTITY_ID=https://$_hostname/idp/metadata/sp",
                   "IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt",
                   "IDP_SEALER_PASSWORD=$idp_sealer_password",
                   "IDP_FTICKS_SALT=$idp_fticks_salt",
                   "IDP_PRID_SERVICE_URL=$prid_service"],
      extra_parameters => ["--log-driver=syslog"]
   }
   sunet::scriptherder::cronjob { "${name}_clean_logs":
     cmd           => "/usr/bin/find /var/log/eidas-connector -ctime +180 -type f -name *.log -delete",
     minute        => '2',
     hour          => '0',
     ok_criteria   => ['exit_status=0','max_age=48h'],
     warn_criteria => ['exit_status=1','max_age=50h'],
   }
   ensure_resource('class','webserver',{})
   ensure_resource('class','https_server',{})
}

class eidas_proxy($version='1.0.0',$country='se',$hostname='localhost', $spring_config_param='SPRING_CONFIG_LOCATION') {
   $_version = safe_hiera('eidas_proxy_version',$version)
   $_hostname = safe_hiera('eidas_proxy_hostname',$hostname);
   $_country = safe_hiera('eidas_proxy_country',$country);
   $_pkcs11pin = safe_hiera('pkcs11_pin');
   $_eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks','');
   $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw');
   file {['/etc/eidas-proxy/',"/etc/eidas-proxy/$_country"]: ensure => directory } ->
   file {["/etc/eidas-proxy/$_country/keystore"]: ensure => directory } ->
   sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/metadata.p12":
      hiera_key => 'eidas_metadata_key',
      base64    => true
   } ->
   sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/proxy.p12":
      hiera_key => 'eidas_proxy_key',
      base64    => true
   } ->
   file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
   sunet::docker_run {'eidas-proxy':
      image    => 'docker.sunet.se/eidas-proxy',
      imagetag => $_version,
      hostname => "${::fqdn}",
      ports    => ['443:8443','127.0.0.1:444:8444'],
      volumes  => ['/var/log/eidas-proxy:/var/log/eidas-proxy',
                   '/etc/eidas-proxy:/etc/eidas-proxy',
                   '/dev/log:/dev/log',
                   '/etc/luna/cert:/usr/safenet/lunaclient/cert',
                   '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
                   '/etc/ssl:/etc/ssl'],
      env      => ["PROXY_SERVICE_DOMAIN_PREFIX=https://$_hostname/eidas-ps",
                   "SPRING_PROFILES_ACTIVE=se",
                   "CERTNAME=${::fqdn}_infra",
                   "PKCS11_PIN=${_pkcs11pin}",
                   "$spring_config_param=/etc/eidas-proxy/$_country/cfg/",
                   "PROXY_SERVICE_COOKIEENCRYPTPW=$proxy_service_cookie_encrypt_pw"],
      extra_parameters => ["--log-driver=syslog"]
   }
   ensure_resource('class','webserver',{})
   ensure_resource('class','https_server',{})

   if $_eidas_proxy_oidc_rp_jks != '' {
      sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/keystore/oidc-rp.jks":
         hiera_key => 'eidas_proxy_oidc_rp_jks',
         base64    => true
      }
   }
}

class prid($version="1.0.0",$clients="",$mdsl="") {
   $_version  = safe_hiera('eidas_prid_version',$version)
   $_mdsl     = safe_hiera('eidas_prid_mdsl',$mdsl)
   $hostname  = $::fqdn
   $_allow_clients = safe_hiera($clients)
   sunet::docker_run {'prid':
      image     => 'docker.sunet.se/prid-service',
      imagetag  => $_version,
      hostname  => "$hostname",
      ports     => ['443:8443','127.0.0.1:444:8444'],
      volumes   => ['/etc/prid-service:/etc/prid-service',
                    '/etc/ssl:/etc/ssl'],
      env       => ["PRID_SERVICE_POLICY_CONFIGURATION=file:///etc/prid-service/policy.properties",
                    "PRID_SERVICE_METADATA_SERVICELIST_URL=$_mdsl",
                    "CERTNAME=${hostname}_infra"],
      extra_parameters => ["--log-driver=syslog"]
   } ->
   sunet::misc::ufw_allow {'allow-prid':
      from   => $_allow_clients,
      port   => 443
   } ->
   class {'https_server': }
}

class prid_local($version="1.0.0",$clients="",$mdsl="") {
   $_version  = safe_hiera('eidas_prid_version',$version)
   $_mdsl     = safe_hiera('eidas_prid_mdsl',$mdsl)
   $hostname  = $::fqdn
   $_allow_clients = safe_hiera($clients)
   sunet::docker_run {'prid':
      image     => 'docker.sunet.se/prid-service',
      imagetag  => $_version,
      hostname  => "$hostname",
      ports     => ['127.0.0.1:80:8080','127.0.0.1:444:8444'],
      volumes   => ['/etc/prid-service:/etc/prid-service',
                    '/etc/ssl:/etc/ssl'],
      env       => ['JAVA_OPTS="-Dserver.port=8080 -Dserver.ssl.enabled=false -Dmanagement.server.port=8444 -Dmanagement.ssl.enabled=true"',
                    "PRID_SERVICE_POLICY_CONFIGURATION=file:///etc/prid-service/policy.properties",
                    "PRID_SERVICE_METADATA_SERVICELIST_URL=$_mdsl",
                    "CERTNAME=${hostname}_infra"],
      extra_parameters => ["--log-driver=syslog"]
   }
}

class validator($version="2.0.0") {
   $_version = safe_hiera('validator_version',$version)
   $hostname = $::fqdn
   sunet::docker_run {'metadata-validator':
      image     => 'docker.sunet.se/metadata-validator',
      imagetag  => $_version,
      hostname  => "$hostname",
      ports     => ['443:8443','127.0.0.1:444:8009'],
      volumes   => ['/etc/ssl:/etc/ssl',
                    '/etc/metadata-validator:/opt/webapp/mdval',
                    '/etc/localtime:/etc/localtime:ro'],
      env       => ["SPRING_CONFIG_ADDITIONAL_LOCATION=/opt/webapp/mdval/cfg/",
                    "CERTNAME=${hostname}_infra"],
      extra_parameters => ["--log-driver=syslog"]
   }
   ensure_resource('class','webserver',{})
   ensure_resource('class','https_server',{})
}

class proxy_testsp($version="1.0.1",$public_hostname=undef,$uri_path="/testps",$profile="qa") {
   $_version = safe_hiera('proxy_testsp_version',$version)
   $hostname = $::fqdn
   $_public_hostname = $public_hostname ? {
      undef   => $hostname,
      default => $public_hostname
   }
   sunet::docker_run {'eidas-ps-testsp':
      image     => 'docker.sunet.se/eidas-ps-testsp',
      imagetag  => $_version,
      hostname  => $hostname,
      ports     => ['443:8443','127.0.0.1:8444:8009'],
      volumes   => ['/etc/ssl:/etc/ssl',
                    '/etc/localtime:/etc/localtime:ro'],
      env       => ["CERTNAME=$hostname",
                    "SP_ACCESS_ALLOW_ALL=true",
                    "SP_BASE_URI=https://$_public_hostname",
                    "SERVER_SERVLET_CONTEXT_PATH=$uri_path",
                    "SPRING_PROFILES_ACTIVE=$profile"],
      extra_parameters => ["--log-driver=syslog"]
   }
}

class github_client_credential {
   sunet::ssh_host_credential { "github":
      hostname    => "github.com",
      id          => "github",
      manage_user => false
   }
}

class pages($version=undef) {
   class { 'sunet::pages': version => $version }
   sunet::docker_run {'people-sunet-se':
      image   => 'docker.sunet.se/static-vhosts',
      ports   => ['80:80'],
      volumes => ['/var/www:/usr/local/apache2/vhosts'],
      extra_parameters => ["--log-driver=syslog"]
   }
   ensure_resource('class','webserver',{})
}

class sunetops {
   sunet::ssh_keys { 'sunetops':
     config => safe_hiera('sunetops_ssh_keys', {})
   }


  # OS hardening
  # For now we skip this on ubuntu24, SC-2522
  if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') <= 0 ){
    if $facts['networking']['hostname'] =~ /kvm/ {
       class {'bastion':
          fstab_fix_shm        => false,
          sysctl_net_hardening => false,
       }
    } else {
       class {'bastion':
          fstab_fix_shm     => false,
          fixperms_paranoia => true,
       }
    }
  }
}

class konsulter {
   sunet::ssh_keys { 'konsulter':
     config => safe_hiera('konsulter_ssh_keys', {})
   }
}

class nrpe {
  require apt
  class {'sunet::nagios': }
  package {'nagios-plugins-contrib': ensure => latest}

  if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') >= 0 ){
    $mem_w = '90'
    $mem_c = '95'
  } else {
    $mem_w = '10'
    $mem_c = '5'
  }
  sunet::nagios::nrpe_command { 'check_memory':
    command_line => "/usr/lib/nagios/plugins/check_memory -w ${mem_w}% -c ${mem_c}%"
  }
  sunet::nagios::nrpe_command {'check_mem':
    command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%'
  }
  sunet::nagios::nrpe_command {'check_boot_15_5':
    command_line => '/usr/lib/nagios/plugins/check_disk -w 15% -c 5% -p /boot'
  }
  sunet::nagios::nrpe_command {'check_entropy':
    command_line => '/usr/lib/nagios/plugins/check_entropy -w 200'
  }
  sunet::nagios::nrpe_command {'check_ntp_time':
    command_line => '/usr/lib/nagios/plugins/check_ntp_time -H localhost'
  }
  sunet::nagios::nrpe_command {'check_scriptherder':
    command_line => '/usr/local/bin/scriptherder --mode check'
  }
  sunet::nagios::nrpe_command {'check_apt':
    command_line => '/usr/lib/nagios/plugins/check_apt'
  }
  sunet::nagios::nrpe_command {'check_eidas_health':
    command_line => '/usr/lib/nagios/plugins/check_eidas_health.sh localhost'
  }
  sunet::sudoer {'nagios_run_needrestart_command':
      user_name    => 'nagios',
      collection   => 'nagios',
      command_line => "/usr/sbin/needrestart -p -l"
  }
  sunet::nagios::nrpe_command {'check_needrestart':
      command_line => "sudo /usr/sbin/needrestart -p -l"
  }
  exec { "create_${name}_service_dir":
    command => '/bin/mkdir -p /etc/systemd/system/nagios-nrpe-server.service.d/',
    unless  => '/usr/bin/test -d /etc/systemd/system/nagios-nrpe-server.service.d/',
  }
  exec { "${name}_daemon_reload":
    command     => 'systemctl daemon-reload',
    refreshonly => true,
  }

  $str = "# Some NRPE checks will get fishy results when using a PrivateTmp.
# E.g check_apt: https://askubuntu.com/questions/1415415/check-apt-issue-with-nagios
[Service]
PrivateTmp=false"

  file {
    '/etc/systemd/system/nagios-nrpe-server.service.d/privatetmp.conf':
      ensure  => file,
      mode    => '0444',
      content => $str,
      require => [Exec["create_${name}_service_dir"], Package[nagios-nrpe-server]],
      notify  =>  [Exec["${name}_daemon_reload"],Service[nagios-nrpe-server]],
  }
}

class redis_cluster_node {
    file { '/opt/redis': ensure => directory }
    sysctl { 'vm.overcommit_memory': value => '1' }
    sunet::redis::server {'redis-master':
      allow_clients => hiera_array('redis_client_ips', []),
      cluster_nodes => hiera_array('redis_sentinel_ips', []),
    }
    sunet::redis::server {'redis-sentinel':
      port            => 26379,
      sentinel_config => 'yes',
      allow_clients   => hiera_array('redis_client_ips', []),
      cluster_nodes   => hiera_array('redis_sentinel_ips', []),
    }
}

class redis_frontend_node ($hostname=undef,$ca="infra") {
    file { '/opt/redis': ensure => directory }
    sunet::redis::haproxy {'redis-haproxy':
      cluster_nodes => hiera_array('redis_sentinel_ips', []),
      client_ca     => "/etc/ssl/certs/${ca}.crt",
      certificate   => "/etc/ssl/private/${::fqdn}_${ca}.pem"
    }
}

node 'fe-tug-1.test.komreg.net' {
  # Set up Cosmos class for common sunet-frontend files. Should ideally be set up in
  # the bootstrapping phase, since setting it up here will require > 1 run
  # of 'cosmos apply' before everything is in place. Perfection will have
  # to come later.
  file_line { 'cosmos_conf_frontend1_common':
    path => '/etc/cosmos/cosmos.conf',
    line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/fe-test-common/:$COSMOS_REPO_MODELS"',
  }
}

node 'fe-fre-1.test.komreg.net' {
  # Set up Cosmos class for common sunet-frontend files. Should ideally be set up in
  # the bootstrapping phase, since setting it up here will require > 1 run
  # of 'cosmos apply' before everything is in place. Perfection will have
  # to come later.
  file_line { 'cosmos_conf_frontend1_common':
    path => '/etc/cosmos/cosmos.conf',
    line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/fe-test-common/:$COSMOS_REPO_MODELS"',
  }
}

node 'natmd-test-1.komreg.net' {
  file_line { 'cosmos_conf':
    path => '/etc/cosmos/cosmos.conf',
    line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/natmd-test-common/:$COSMOS_REPO_MODELS"',
  }
}

node 'natmd-test-2.komreg.net' {
  file_line { 'cosmos_conf':
    path => '/etc/cosmos/cosmos.conf',
    line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/natmd-test-common/:$COSMOS_REPO_MODELS"',
  }
}

node 'eumd-test-1.komreg.net' {
  file_line { 'cosmos_conf':
    path => '/etc/cosmos/cosmos.conf',
    line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eumd-test-common/:$COSMOS_REPO_MODELS"',
  }
}

node 'eumd-test-2.komreg.net' {
  file_line { 'cosmos_conf':
    path => '/etc/cosmos/cosmos.conf',
    line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eumd-test-common/:$COSMOS_REPO_MODELS"',
  }
}

node 'relay-1.swedenconnect.se' {
   sunet::scriptherder::cronjob { "rsync_certificate_to_relay_2":
     cmd           => "/usr/bin/rsync -av --copy-links --delete /etc/letsencrypt/live/relay.swedenconnect.se/ root@relay-2.swedenconnect.se:",
     minute        => '9',
     hour          => '0',
     ok_criteria   => ['exit_status=0','max_age=48h'],
     warn_criteria => ['exit_status=1','max_age=50h'],
   }
}
node 'eidas-proxy-1.test.sveidas.se' {
  # Set up Cosmos class for common proxy files for test. Should ideally be set up in
  # the bootstrapping phase, since setting it up here will require > 1 run
  # of 'cosmos apply' before everything is in place. Perfection will have
  # to come later.
  file_line { 'cosmos_conf_proxy_test_common':
    path => '/etc/cosmos/cosmos.conf',
    line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eidas-test-proxy/:$COSMOS_REPO_MODELS"',
  }
}