eid-ops/global/overlay/etc/puppet/manifests/cosmos-site.pp

# This manifest is managed using cosmos

Exec {
  path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}

include sunet

class mailclient ($domain) {
   sunet::preseed_package {"postfix": ensure => present, options => {domain => $domain}}
}

class autoupdate {
   class { 'sunet::updater': cron => true, cosmos_automatic_reboot => true }
}

class infra_ca_rp {
   sunet::ici_ca::rp { 'infra': }
}

# you need a default node, all nodes need ssh + ufw
node default {
}

class common {
  include sunet::tools
  include sunet::motd
  include sunet::ntp
  include ufw
  include apt
  include apparmor
}

class dhcp6_client {
  ufw::allow { "allow-dhcp6-546":
      ip    => 'any',
      port  => '546',
      proto => 'udp',
  }
  ufw::allow { "allow-dhcp6-547":
      ip    => 'any',
      port  => '547',
      proto => 'udp'
  }
}

class entropyclient {
   include sunet::simple_entropy
   sunet::ucrandom {'random.nordu.net': }
   sunet::nagios::nrpe_check_process { 'haveged': }
}

class openstack_ubuntu_16_04_dockerhost {
   class { 'sunet::dockerhost':
      docker_version            => '17.11.0~ce-0~ubuntu',
      docker_package_name       => 'docker-ce',
      storage_driver            => "aufs",
      run_docker_cleanup        => true,
      manage_dockerhost_unbound => true,
      docker_network            => true
   }
}

class sunet_iaas_cloud {
   sunet::cloud_init::config { 'disable_datasources':
      config => { datasource_list => [ 'None' ] }
   }
   sunet::cloud_init::config { 'keep_root_enabled':
      config => { disable_root => 'false' }
   }

   # rdrand is exposed to VMs and can therefore be used.
   package {'rng-tools': } ->
   service {'rng-tools':
     ensure => 'running'
   }

}

class webserver {
   ufw::allow { "allow-http":
      ip   => 'any',
      port => '80'
   }
   ufw::allow { "allow-https":
      ip   => 'any',
      port => '443'
   }
}

class https_server {

}


class swamid_metadata($filename=undef) {
  sunet::metadata::swamid { "$filename": }
}

class saml_metadata($filename=undef, $cert=undef, $url=undef) {
  sunet::metadata { "$filename": url => $url, cert => $cert }
}

class md_repo_client {
   sunet::ssh_git_repo {'/var/cache/metadata_r1':
      username    => 'root',
      group       => 'root',
      hostname    => 'r1.komreg.net',
      url         => 'git@r1.komreg.net:komreg-metadata.git',
      id          => 'komreg',
      manage_user => false
   } ->
   package { ['make']: ensure => latest } ->
   sunet::scriptherder::cronjob { 'verify_and_update':
      cmd           => '/var/cache/metadata_r1/scripts/do-update.sh',
      minute        => '*/5',
      ok_criteria   => ['exit_status=0', 'max_age=15m'],
      warn_criteria => ['exit_status=0', 'max_age=1h'],
   }
}

class md_signer($dest_host="localhost",$dest_dir="") {
   sunet::snippets::secret_file {"/etc/credentials/metadata.key":
      hiera_key => 'eidas_metadata_key',
      base64    => true
   } ->
   sunet::pyff {$name: 
      version           => "eidas",
      pound_and_varnish => false,
      pipeline          => "${name}.fd",
      volumes           => ["/etc/credentials:/etc/credentials"]
   } ->
   package {'jq': ensure => 'latest'} ->
   sunet::ssh_host_credential { "${name}-publish-credential":
      hostname          => $dest_host,
      username          => 'root',
      group             => 'root',
      manage_user       => false,
      ssh_privkey       => safe_hiera("publisher_ssh_privkey","NOT SET IN HIERA")
   } ->
   sunet::scriptherder::cronjob { "${name}-publish":
      cmd               => "env RSYNC_ARGS='--chown=www-data:www-data' /usr/local/bin/mirror-mdq.sh http://localhost root@${dest_host}:${dest_dir}",
      minute            => '*/5',
      ok_criteria       => ['exit_status=0'],
      warn_criteria     => ['max_age=30m']
   }
}

class md_publisher(Array $allow_clients = ['any'], String $dir = "/var/www/html") {
   sunet::rrsync {$dir:
      ro                => false,
      ssh_key           => safe_hiera('publisher_ssh_key',"NOT SET IN HIERA"),
      ssh_key_type      => safe_hiera('publisher_ssh_key_type',"HOT SET IN HIERA")
   } ->
   package {'lighttpd': ensure => latest } ->
   service {'lighttpd': ensure => running } ->
   apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd' } ->
   sunet::misc::ufw_allow {'allow-lighttpd':
      from   => $allow_clients,
      port   => 443
   }
}

class md_repo_server($hostname) {
   class {'openstack_ubuntu_16_04_dockerhost': } ->
   class {'sunet::gitolite': } ->
   sunet::docker_run {'gitweb':
      image    => 'docker.sunet.se/gitweb',
      imagetag => 'latest',
      volumes  => ['/etc/dehydrated:/etc/dehydrated','/home/git:/home/git'],
      ports    => ['443:443','80:80'],
      env      => ["HOSTNAME=$hostname","ACMEDIR=/etc/dehydrated","KEYDIR=/etc/dehydrated"]
   } ->
   class {'webserver': } ->
   class {'https_server': }
}

class swamid_pyff_signer {
   class {'ubuntu_dockerhost': }
   class { 'swamid_metadata_repo': hostname => 'git.swamid.se'} ->
   cron {'update-swamid-metadata':
      command  => "cd /opt/swamid-metadata && git pull -q",
      user     => root,
      minute   => '*/5'
   } ->
   sunet::pyff {'swamid':
      ssl_dir       => '/etc/dehydrated',
      dir           => '/opt/swamid-metadata',
      acme_tool_uri => "http://acme-c.sunet.se/.well-known/acme-challenge/"
   }
   #sunet::exabgp::config {'swamid':
   #   local_as       => "65433",
   #   local_address  => "${::ipaddress_eth0}",
   #   remote_as      => "1653",
   #   remote_address => hiera("1653-peer-address"),
   #   route          => "130.242.125.192/32 next-hop self"
   #} ->
   #sunet::exabgp::monitor::url {'check-for-sp-swamid':
   #   url   => "localhost/metadata/%7Bsha1%7D152713cd66ffc27ec9ef42cc43c85df399f6a85e.json",
   #   match => "https://sp.swamid.se/shibboleth"
   #} ->
   sunet::exabgp { 'swamid': }
}

class eidas_connector($version="1.0.6") {
   $_version = safe_hiera('eidas_connector_version',$version)
   $hostname = safe_hiera('eidas_connector_hostname')
   $prid_service = safe_hiera('eidas_prid_service')
   $idp_fticks_salt = safe_hiera('idp_fticks_salt',NOT_SET);
   $idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt',NOT_SET);
   $idp_sealer_password = safe_hiera('idp_sealer_password',NOT_SET);
   $proxy_header_secret = safe_hiera('proxy_header_secret',NOT_SET);
   file {['/etc/eidas-connector','/etc/eidas-connector/credentials','/etc/eidas-connector/credentials/sp','/etc/eidas-connector/credentials/idp','/etc/eidas-connector/credentials/tomcat','/var/log/eidas-connector']: ensure => directory } ->
   sunet::snippets::secret_file {"/etc/eidas-connector/credentials/sealer.jks":
      hiera_key => 'eidas_connector_sealer_jks',
      base64    => true
   } ->
   sunet::snippets::secret_file {"/etc/eidas-connector/credentials/connector.key":
      hiera_key => 'eidas_connector_key',
      base64    => true
   } ->
   sunet::snippets::secret_file {"/etc/eidas-connector/credentials/metadata.key":
      hiera_key => 'eidas_metadata_key',
      base64    => true
   } ->
   sunet::snippets::secret_file {"/etc/eidas-connector/credentials/tomcat/tomcat-key.pem":
      hiera_key => 'eidas_connector_tomcat_key',
      base64    => true
   } ->
   sunet::docker_run {'eidas-connector':
      image    => 'docker.sunet.se/eidas-connector',
      imagetag => $_version,
      ports    => ['443:8443'],
      volumes  => ['/var/log/eidas-connector:/var/log/eidas-connector',
                   '/etc/eidas-connector:/etc/eidas-connector',
                   '/etc/ssl:/etc/ssl'],
      env      => ["IDP_SERVER_HOSTNAME=$hostname",
                   "TOMCAT_HOSTNAME=localhost",
                   "TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret",
                   "EIDAS_METADATA_IGNORE_SIGNATURE_VALIDATION=false",
                   "IDP_ENTITY_ID=https://$hostname/eidas",
                   "SP_ENTITY_ID=https://$hostname/idp/metadata/sp",
                   "IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt",
                   "IDP_SEALER_PASSWORD=$idp_sealer_password",
                   "IDP_FTICKS_SALT=$idp_fticks_salt"]
   } ->
   class {'webserver': } ->
   class {'https_server': }
}

class eidas_proxy($version='1.0.0',$country='se') {
   $_version = safe_hiera('eidas_proxy_version',$version)
   $hostname = safe_hiera('eidas_proxy_hostname');
   $_country = safe_hiera('eidas_proxy_country',$country);
   $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw',NOT_SET);
   file {['/etc/eidas-proxy/',"/etc/eidas-proxy/$_country"]: ensure => directory } ->
   sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/metadata.p12":
      hiera_key => 'eidas_metadata_key',
      base64    => true
   } ->
   sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/proxy.p12":
      hiera_key => 'eidas_proxy_key',
      base64    => true
   } ->
   sunet::docker_run {'eidas-proxy':
      image    => 'docker.sunet.se/eidas-proxy',
      imagetag => $_version,
      ports    => ['443:8443'],
      volumes  => ['/var/log/eidas-proxy:/var/log/eidas-proxy',
                   '/etc/eidas-proxy:/etc/eidas-proxy',
                   '/etc/ssl:/etc/ssl'],
      env      => ["PROXY_SERVICE_DOMAIN_PREFIX=https://$hostname/eidas-ps",
                   "SPRING_PROFILES_ACTIVE=se",
                   "CERTNAME=${::fqdn}_infra",
                   "SPRING_CONFIG_LOCATION=/etc/eidas-proxy/$_country/cfg/",
                   "PROXY_SERVICE_COOKIEENCRYPTPW=$proxy_service_cookie_encrypt_pw"]
   } ->
   class {'webserver': } ->
   class {'https_server': }
}

class prid($version="1.0.0") {
   $_version = safe_hiera('eidas_prid_version',$version)
   $hostname = $::fqdn
   sunet::docker_run {'prid':
      image     => 'docker.sunet.se/prid-service',
      imagetag  => $_version,
      hostname  => "$hostname",
      ports     => ['443:8443'],
      volumes   => ['/etc/prid-service:/etc/prid-service',
                    '/etc/ssl:/etc/ssl'],
      env       => ["PRID_SERVICE_POLICY_CONFIGURATION=file:///etc/prid-service/policy.properties",
                    "CERTNAME=${hostname}_infra"]
   } ->
   class {'webserver': } ->
   class {'https_server': }
}

class konsulter {
   ssh_authorized_key {'stefan_santesson': 
      ensure => present,
      name   => 'stefan@aaa-sec.com',
      type   => 'ssh-rsa',
      key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCzUSLrRktEwMaJJ9Zna02Q/HkZ07wn5S9NnBlYarcN3SbE0Hy71YnC92Ojaa7H99a7qDFCHVL3KmarlJRYWAyCe+8nGvJUEcXZ6f9JnpEW7lvu0NykPldstYVqPCVI+rTdreggcM7JcDeZpRghAQ62Rbybl3j6BQ/tUJPexAAeWMFCsTzrtC8B8vo+2IdCytTzG+NLVGmzfN1SROElKSApcBvtBev0niZpspYd0O6VkCiTPBTgUN4wVjBivoCgA2wCT+YmK6G4NZM5Fz7uECSBfJxdlWAcHkR2DkEu57tG3Xmi74IKBFvSxELJ7mxWtDhv4yaBON2+lXXxyB0vyyCb',
      user   => 'root'
   }
   ssh_authorized_key {'martin_lindstrom':
      ensure => present,
      name   => 'martin.lindstrom@litsec.se',
      type   => 'ssh-rsa',
      key    => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCdm3dGwsfYD0ANzW9vyR9s38ffwExFtb9Yk0n2QDNx+JXsA4PIsbXSfliNmhqg9TWcC9DfUcIbvE24fG1ZJzUTLyVqV/Z5JG4qmb+kZ1cwGNvlMluaboml516nY1cGHn0bhUg6BrxG/K4+BDyRLMghGzpnyqWgMlrqGhCmhCqr9NkYpPdYQUvFsTk3Rh+GhxHFSJuI7zjciOrkoDFbSPvIvPsPzVvQvCOc40/4UBy++I9oxR4+r+NIukp14AkYrJWqD2KtDFXsCFv7FFHj2em9GMcRjcUqH/DkIKxutxBTEY3ysVuk6BcdPQjr1iLCmPj46uqdfJSbCTks5MEqTtiw38zQwvu7UR664+xX6EEiXfUmos6G0HcnAZHUALHebH35mn2EMn5ay1u7GdKrVGABe01kzOGwHmuNb/L6qqXAoiTcEh/pqMMBQTGqcP7pMRvgRL++0Voh8mpE4UUrQ5nqnerSGPGvmqNBpF/QvsPWE9NC5knDfTu7jbTsVtHTP4rEXToM1Po4e2/aev+n2U4PUbJUDf/+ndfmZeyYYKC3FLMk5G/yuvI8gOK/CTiu1A3Pr27V7K6F7W4520YXYwGVrTWwnRfcFqzckajiWyg8lifFKLB8agQ43ByEPdVB/VWMOD1KLuZV4kZHijHaVdOa9lsvTeJuxI/CP5PwWC0VZw==',
      user   => 'root'
   }
}

class sunetops {
  # Allow hosts to configure sshd as needed
  $sshd_config = $hostname ? {
    'pypi'  => false,
    default => true,
  }
  class { 'sunet::server':
    sshd_config => $sshd_config,
  }

  ssh_authorized_key {'leifj+neo':
    ensure  => present,
    name    => 'leifj+neo@mnt.se',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'ft+505152DD':
    ensure  => present,
    name    => 'fredrik+505152DD@thulin.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'ft+4030CCAD':
    ensure  => present,
    name    => 'fredrik+4030CCAD@thulin.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'lundberg+9303C5DB':
     type   => 'ssh-rsa',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDAHMfn9PSWjGGAkMY6rh1yffdYgnlhoIC5E5NWdc5XUlY9oNYW2zhMpyhepfoh1YYv5V1QNTuO3f0zhD+ZeqPvnnA74fBM4yvWU4Qttwv2drsFOsU7nRbGSwQdww9IDidtxRuAjW5HJ9mTOJuYrIFAEHgg1Pv8sZKzHNWuZiz4I34CN2NbaZOu4eYG6pdzvB6kfYl5iL/esfhBZfegA+7x4qXvMLHEKb7wCRBABCfWu6Yy1E0jUdRWBFdqp5zsjuQlk8minh892m2C1tFcyub5dCWgLYtiQRpIjz16lMk1cM+fgS9YM7Ev62bBpRynU2wCfg1QpYMpxIq54q/XLlYv',
     ensure => present,
     user   => 'root',
     name   => 'lundberg+9303C5DB'
  }

  ssh_authorized_key {'lundberg+8D03C7D1':
     type   => 'ssh-rsa',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDPjXvKEL2vAngTdVu3MguEE6gfPH2UigGDPgPV5SBYm0UZ/gZBbB0CuoQjkKEIpq3gzcbLH8kG/00r8hkeBeMa+tfWBDvUXk3wQRw5fKw5StBJFC3C04atJBGlusx6C8stgdmj5SwFhHN86uzVWpqbqJ9TKId18UABgq1hEBMRRVymSXE5zAJ6nCOh2PLtRI8GAkd+Lye0MMh2zEtOIFeHZDd1AiocaLfKBKDUlTSe1+suktyzgQsxJynLlwLA8BXmOZe0/LcE6Nint1beNq/DoKNySxdFN8ebGAC/F7w+JX7hB/DZH7aZevwdDp8cuchoFDUvu3uAXwH5eulXLt+VUJbn3MzFn/rSGqbfdYRlRhAOyo5qSJ3E6DO8WVKCLpwrUXjc4fQT7FwA7JPElunuU8jKxL/PiE5cJlt2cgC6v9qn3C47n0yc7c/078a+34w1mWf2Mp/lqBIJJnOUvKzisKmpEW/t3D1iAFr2z14omPDS9Vnoo1/FrAwGPYGKCeirBDe0FwNzMpC/wC1sglTU236/13zrUzyyQSJoXmn1MkS3aPOusqEYSo65tMoB5qOB7h2/lWLSQ7kHAMVtuMEoCGx/2Aa86EvuWYd1iMPelodEQlNIjCbKz9HX7c1b640FAvU8smefwfk52msqmKvHMbjm86WAPpXThhiN/eAuxQ==',
     ensure => present,
     user   => 'root',
     name   => 'lundberg+8D03C7D1'
  }

  ssh_authorized_key {'salu+7B44FE7C':
    ensure  => present,
    name    => 'salu+7B44FE7C@sunet.se',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDepp02t6/oNnO/qKJtB+U2yLWUa+dYo4ECsbX/DGOgr1MYzhtIbP18gUAX0PN9Hj40XdmY5EtAJZamMWCLi0EijanhOLDCzw5s0hzi/gYysmEReLRxhqq4ppjZhSj2HF09a6Rq1TTkndG9mYzTYTkdOyOqmdNcmIZRRvJD0BE1UBkERrURGhA+8YPnHoxEVUqdEDMFX7nHmNl4Q5brj7pNXaBv35PsVIlzDSfltgN7yENF6dv8Fu7nxjKZ+r9Anrb5rCEiBnOkNAbwEMfMvjRRehbY9Nvz1CEn0cP8SstbLYQfBQuCeJW3w9PygLN/a0asva0ttmVhprbnSeZtKmm3',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'dennis+3EE4E6C7':
     ensure => present,
     name   => 'dennis+3EE4E6C7@nordu.net',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC314jSJ575zgXl2xzwzLRLwoNaP7eXN6NlWOPq47qmoUfR1uZPPbZhvKDmMMc4WQhNPzWDFkX29tcHJar0KXVYM0zNV/hkXlh3Z9suAVFJgzdQ+VW3GsNDffYt4GHM8gUtYxdiQKhA78rIIvcvjy/e0c87lQ0zwDQjruLRw2t1mP1roVsadGnRn4H2rHnlmYqsyJrd2L/MQeKxFh0t3zKu3Hp2mGoSFpFe/5uMaHE//ZOO3tVf3fBWX3p19f6sK6kqYsSR4vMAP08cWf32xFEeNHf4ljbanQ/NIo3iPybpzGXVsPpTHXylLS+vYzDf9mOcxovhsKnJrJ3gdkqEfQyd',
     type   => 'ssh-rsa',
     user   => 'root'
  }

  ssh_authorized_key {'patrik+soft':
     ensure => absent,
     name   => 'patrik@nordu.net',
     key    => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAs0nFlZmXga5A789gFwmRVYREPNuaGvZBNAkN+fHpfzNfxSDQNlu1v4OWlU2QAs4XBMVIo5O14EuqqunSgFnX1gh9++AM1cQ8pBUeTi0l99MTl7qxc9MIHCyvHhbzra7o3MHEUuNQzbAjEUsuGV5/ymNJv4ysbncX+BiZplkydq2H/MuDQD8dzghfq6HUgf/BZDVxM3K4Ak8ll65PPPA6xnWJA4a2abgHvoBf40R6xF2dgOK3wq4xQRQSUWdw0olRSyXXZ68mt45m9fvwLnpY3xIFWEWJ6ZbEW+K8BsVT7zqbCBdpnfT8Rc2myz3cjgf7WpTHd8JXEcKk2BaEGD4y+w==',
     type   => 'ssh-rsa',
     user   => 'root'
  }

  ssh_authorized_key {'mikott+BEBCB9C0':
     ensure => present,
     name   => 'mikott+BEBCB9C0@nordu.net',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC36l/Qxb+sByKKZwBOPLiqScqWg6Q9elraB4vj13MjkoGsNoCmzWDEcAE9hUVwnlprYnWNyaJZ3OliEawFJlRDF8MxgVN+jHYUCUhPoHCE4ChS9Y0EayLb+AQ2JbfI1KAADga161P+/P1ofALMnZHW2NpK1p+2eiE891c1sc+NfLCNySX/hcvkkP6zNrCmZxgFcqIBbYNNxDjU33G3StypFe/7YgmVvd/ZfY22fhWb4gm1fX/3HelxCU6FirDJHujhDm79btjR221emlqTMH3WQvgGBKhLGOoQTKTHEadBmPa16nxv01mTtHVH6tnqGrWXhSrn6WEw3qQSzKrBnHIV',
     type   => 'ssh-rsa',
     user   => 'root'
  }

  ssh_authorized_key {'john+B3337B77':
    ensure  => present,
    name    => 'john+B3337B77@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCv+QT4hyxx7m89a+PkdBXAlBuNVoufNoNWpZ6uhDWSKYf7+Ic/M/R1tnsHpSihNAVnaDOLpmC8H1JWaKpuLHrvTolKwFi+imekqzUZ4ajUBuFIbieeHZMTdmv946fpOpB8FpWSFC/TQWyZwq3iVFfm8r/GYGIVSH8MtNBVmfRolH6aZgmZHl67xII59RI20nUm4gzs2yDfReUGRPB/nDWIJ1CuzvzVUFOeJTi3M31TNuxnqUHH0ol0t0bX6MOlDkPGRznOFbr2LhoxvuIIHkjZkZEvAYnQ6fmhExlqge5Trwud/jeZZUhdt7qx+FfgNaTdooUgbCVszgv9CK+rNOOrHD+qIi277j36loPcb0zymb6bnBmZPTo1RJNfaOVC/uuoSTKuFjNQ2UURsu5UepOhSRvLmA1fw+69n6tj0fwd627qxG0jmYmUmzW8U7mSypEXPKLDCbcR+hvWUDaYim1UAKi4ji5AGoOWBSsPuFLtfNYtmpBii+gaglGR6YrDDkQW7Pj/12asga9TrJSqGM1MMTLwuQal1+gtchF+9leKwVf5NOXDMw8SIG0xtqNDfWzk6BMEBcwl7wMObjEwmxxnuHzk8Q7922kvvsgK1VRiO20hmDtOxW2+oBk1yY1F072AjuuXNaZpBxD3c2Iug8GWK8R5pF9fIxAmeeLeFvQCSw==',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'el-sunet':
    ensure  => present,
    name    => 'el@sunet.se',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQC4BWg9cW5fmx8C7K0UN8zzp//NWDcZosrDBl7mEf3MGNBGwrX1orEWFjTWoUZivFoC1TUlEpRP92e3kB3oayMQQz6ZfvYh4ztZBmkDOPIOMykLVsQtvWbWJ1iQuvqCC/s9bVDJmkxkH/Mw/7OyN7Jyb0vPv6JGsSJmbEFkPpzsKUEuXUOFleN7oD59YQVbzDs0ukuAsc3FQ7GSv8q28p/GbFd0ZnfAMjBz2nVJcIkAM9q4OrR90P0gLsW8QqZyVl/uTs5/8iXlkYSe26T4uM697UnD8jFM4yyOTTlS5LHKo8pwNZjqYHdIhkSWscApRqfOVPSm3diQ1nNrm/x2Io4k9GnPmho67YacTA6EisTK4mwnEeCT3tVoHPSfLlGrKOGuug5MnQd5ds+7OlfRPHUua1/sgSiDGjIVQDyktqujrcaI1eK+pT4jmJa0c7HTGSB+dZwmswDsxry3JMdZ75iqYAJGFTIbmWAQAVnRJkzjmge+qIW7joM74I5LBfb20EOVU4rh35bFTsAsK1c/Z08Zut5IgNsg8DyVhVS2PSuvirR4/+OWYZpiO6R4M2nDgtRVPq/nl1iRsZEtiLP9xSyza8TSHm842MfPUbzWPV+JNGjA46QxGprI4OSoqAI//dfBFtpta130U/mvOJsF2xq0NYTyrGqx9qy7iJb8YolFsw==',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'jac+3438F957':
    ensure  => absent,
    name    => 'jac+3438F957@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQC7cQCp8MJ4VX1UWb6PW4wnkQfbV8g4WB1vLO2MBUycjoXG3t9xXziy+VAxBmsMIFtpysddsU2Sz6d6Y3vlvXr9DHLvZ7Fqn2Cnyn3q+kDG677zPjGFV4DBZVnmH7dHpkTN1mYKfgV2vnKGwRJE651gwqbR0zkbQxRakLM5/Sh0bm9VtQw8iQvLrAOZGbUdSPx2u1p6XZjwkHGxRdEb06bhLDSr1DlXyVk8bfVVj5JXy+/o/6VbYQUlvotxlZnFr0k5Q84t7mkbaoQwE3gZQTBQLmxpguGKnIN9IiC1hmJGOXcMFpFvxsbJd+lg+DkM7Cl7OByPVTe+EflXctVacyg62s2WZbyH7SyUGNR3GUDQRjEXnDF4eKfk3pniMcTIRGt0eIo88hUV2Ep/EW6i06kTiPV5luAht8hVAayTfoNW+MQbKsLuRJEqEjMADZVY0PMYcLv0TWzjh6xkx/Y7Qth/DeBQYk24DqoOkLFB2HOwTN/qy5Xc0GJmu0pwiUXImSJto6Abh8S8nw95+TnFymybLfJCqm4buUGeJsG3Ej9Bo5KajW6/FDcaj4LlJV9Hq6kNdtXCFxe/DV+WpL1JEvuwyXfjBVoX9GpiquKvUiLJOpeT4Gmc7tsoAISrcZ2LOwq2JPSZUtOO5m+dd1OncGg7zMllTsjZnpebhczqODprZQ==',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'jbr+55F5842C@nordu.net':
    ensure  => absent,
    name    => 'jbr+55F5842C@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCb88AZ1OPH62tCbkY0Iqu4kS0iRD/HwiQU+UDoosWPMuaIrULz0FOGidEHdhGhoxiUOCj0Uu8B8PwC2sztprBqpgDm2F8lKRd86Pw1BgblnnFA6m3+N8LbVhm8ux93xLqW04TKrxfCQtVGYKdOvva4+7b1Xf3R7UsnJQJoJwW1TCiZaHSNK1e6t2iofXTInhKzh9OVdmczyczjxsJVg9EnNGSf6/B26vIJPDs0pS7t9gUZ4SN6fLdrCG+tLqx76Obvzi1TZ441ZVnRKEUF/+oWsUv7he6ZGO/b4XGVhfb/c8P9pmioet6rxo3EyEsw2978V85vJmg3DA+gqQQXj3Pa0PXn7lrY62niiIQvSm/4fCCcWPVaeTlAS0wc4r2hsVlgYQJjAXDSab2K5ZHWUux2bMZkdJKXK2wC8Q0hf9OTVCfeMgcF8HRU7PPni1vymuurLgS67Ny1ucrOwbWsWjqrOfnT03huRdOhhdik8cRX5qz6PleBiq5Jly/KcjsyahiNDE2uTLDn7+z59HaHd2qp1NDVWtxTDjP46LqGF4VYnPTOooVv+4EFF9AAjqJRVTr1WdJjWtG3R7aDnWqFKRI912stlOXRvblOvF5iJjQHCecPWcE06ZrkUSa91i2ylf16q82tdEv3Hj3hvh873aAE8YnMHAnkSbnE+7VjF9jsZQ==',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'markus+FA2CC191':
    ensure  => absent,
    name    => 'markus+FA2CC191@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDjBx/TbLSK9Ocf8Vefrddy62xH/gwPwT4/23xN8+ZEo7YG+0rKxFVRDFchnS9lMx+1UFubyZEui1CjRMwwFcFN/uOQ94oEPnFjyVZZ4jwXmmQu/xY1oiWg25h1WfwR9xTkOfe2CvPXjmtUwqYy+AO82YpXKpLTi/J7y3CVOxS2kRZzfe99CaB0nSzX7lSYmaq9KoThJ7VAsoyObJ2vcpuliIhNUsYL2RWHYdnSOdJoNftZkegN87so62fY7YcYWJkET9Rvydm9Qn1fDiUvGuMCitvS4OeWgJ97g3yAwdmhXExcQEzePxcx4LgR0DndzU/MqXYw2KqAVeRsjct2HFAqo0uL1jj8mb7tWYVpQTq8KNgUuA4o2wTvmKuNtWzhfb+J6TMCLrCXx9/3nH0NbO3JqUvxQxblnh3cZYIiphdIDxpXUGPXxVOtHjd2M0KaTrrhd+4ntnf0c9A0kcMCvSv/pEjy2saVpuNSjz13iO8Db7IOan4oC9ACheKAoDyBVLpmZFVMc4t2scLPqqeJjzwu/BozxPVQy8nhKdKznGmg3QGnPcrvNfGoO4huBPxlJZsLSmaPenImK4tHYDmFTjjQWSJ+gFkTlkJzDCqsDB/H+SZQEuAH/JIpzULApouVUi42dJq/MUN4SUvfuij7Zsx+jyWqOnxAkx0gpUnu8UsF5Q==',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'htj+key-from-ldap':
    ensure  => absent,
    name    => 'htj+key-from-ldap@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDeME6LuIRZzHh8f7wTBE1RRX8fX4DftnZambVOoGOzg5ujtVnmwBZiFFcumqRGs7o/iradUY0IB5K2tbooHJkTYh+B0sIR/5jOPJJZ+bS45bngcGq1vz++z1VSXlTGH13H8OFXHZPnjwvFzO5eauHnen4uKVKrN9A/lNhTfbjpiHRN1yfXuunlvar4Go6OLAm6tgWe93scdXiAdxd3LoZ/I91w7djfAi0SpMiTDbYchrtt9wC3l4U42wehcANU4EhEJfMrwcMcRXRSZ/3IejXp2I1PueQhiHjknAkVX/r4Y23RKT77B1OEbVXg8VizFVnHrhkGWW1JZzQWrvb/MruT',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'pettai+BD795A53':
    ensure  => present,
    name    => 'pettai+BD795A53@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDcvRAnhdoty3OpQnC3zYEUQijkhlg9eiU7y6EVR/rdy+HID4aRZU57EuEB17wmoP6OliXZc02R5oHwoTT42cugUPgwPyxfgofwMRhl9zHUDumvnI9apiW6TMTz8F/zg26eLHhrB9k3tmviPhPV3PQKqEOvfKMwM47aEieGRcUTRLqOAJnrfoE+JRLtql/eaFFYKnVNtMscpNnBcvl77cAG3ciGqe4FLo21Sxo5WieoKElBswZzNKt+vQSZMI8yIA/DU1XGg6Yn5hhbqhgMJLhye3JXM9qSlzXo+T5SrBF8T8uZ3LpkPoA06T7k2DBjaj3iXueJVmoibdRG3t53YfE7',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'berra+DA7C099B':
    ensure  => present,
    name    => 'berra+DA7C099B@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDoUEUPOtw5ZUBblnDlf03EfA8xmoOMVnoxV6nrAwPWsNOWCY39+OO5ckfv8B/n/i/JRIvokPp+YrPpOXi8fLkchiu5AFDBwN4cqS8NETLMwJhImfObIM6M1P9a4re4WuAZ4u2BQ2/Nin7WRewJfAfbvbSx6o5zRp95IotiQiXIH8LyYC7whDUjT7OKvESUwLRnK6wQ4kQRgxpgUbAZxAgPZxRzTL0jPKx5dW2pald5WWXcu9ki4uiPg5fDjHVwAJ3MFNzFfDUrJX0bKSln/ocAJFBuAKTCUHEMXo9arD6LBcj7JoXZP6ZiXlcIUG6hd93vAmL+1fxOWu3Adbtz31hxzfmTHGLwF5HyfBIpdygNBZILwICjKimocD0oevrNcJ0KmgBWnw6ZlZJjKIcxN77wEbmskQ19kj+nTHQIgDeocISfio3iJIKdAGsLo+L+d8x4vMoPgIhJUJf8vT2piTa532mumfH2buWt841Yq3fsP98AQJTPDdsXRUGkIVTIIRIqFN1thV9FaMX5wIErq3oEYNJNDhJ6g+5z6N3Zq4AivXzQnmUOeqIttP0jryO85BBGjAz6LIBTCnirKwdsKv7Bq3g3Y5QARUgL42DQ9ddMyMWud5OKrVSwhPf1tqeQEyhgctA0Ve007h9nfovKFhDyUA24HFfDHlIqIWxuOnk1sw==',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  # OS hardening
  if $::hostname =~ /kvm/ {
    class {'bastion':
      fstab_fix_shm        => false,
      sysctl_net_hardening => false,
    }
  } elsif $::hostname =~ /random/ {  # pollen requires exec on /tmp
    class {'bastion':
      fixperms_enable      => false,
      fixperms_paranoia    => false,
    }
  } else {
    class {'bastion':
      fstab_fix_shm     => false,
      fixperms_paranoia => true,
    }
  }
}

class nrpe {
   require apt
   class {'sunet::nagios': }
   if ($::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '12.04') {
      class {'apt::backports': }
   }
   package {'nagios-plugins-contrib': ensure => latest}
   package {'nagios-plugins-extra': ensure => latest}

   sunet::nagios::nrpe_command {'check_memory':
      command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%'
   }
   sunet::nagios::nrpe_command {'check_mem':
      command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%'
   }
   sunet::nagios::nrpe_command {'check_boot_15_5':
      command_line => '/usr/lib/nagios/plugins/check_disk -w 15% -c 5% -p /boot'
   }
   sunet::nagios::nrpe_command {'check_entropy':
      command_line => '/usr/lib/nagios/plugins/check_entropy'
   }
   sunet::nagios::nrpe_command {'check_ntp_time':
      command_line => '/usr/lib/nagios/plugins/check_ntp_time -H localhost'
   }
   sunet::nagios::nrpe_command {'check_scriptherder':
      command_line => '/usr/local/bin/scriptherder --mode check'
   }
   sunet::nagios::nrpe_command {'check_apt':
      command_line => '/usr/lib/nagios/plugins/check_apt'
   }
}

node 'monitor.sunet.se' {
   $nrpe_clients = hiera_array('nrpe_clients',[]);
   $allowed_hosts = join($nrpe_clients," ");
   class { 'ubuntu_dockerhost': }
   class { 'webserver': }
   class { 'nagioscfg':
      hostgroups      => $::roles,
      config          => 'nunoc'
   }
   file { "/var/www/nagios_config":
     ensure => directory,
     owner  => "www-data",
     group  => "www-data"
   } ->
   class {'nagioscfg::slack': domain => 'sunet.slack.com', token => safe_hiera('slack_token','') } ->
   package { 'pynag': ensure => installed } ->
   cron { "publish_nagios_config":
      command => "/usr/bin/nagios-export.py > /var/www/nagios_config/export.cfg && chown -R www-data:www-data /var/www/nagios_config",
      user    => root,
      minute  => "*/5"
   } ->
   file { "/etc/apache2/conf-available/nagios_config.conf":
      content => "Alias /nagios-config /var/www/nagios_config\n<Directory /var/www/nagios_config>\n\tDeny from all\n\tAllow from $allowed_hosts\n</Directory>",
   } ->
   exec { "enable-nagios-config-publish":
      command      => "a2enconf nagios_config",
      refreshonly  => true
   }

   class {'nagioscfg::passive': enable_notifications => '1'}
   nagioscfg::slack::channel {'nagios': } ->
   nagioscfg::contactgroup {'alerts': } ->
   nagioscfg::contact {'slack-alerts':
      host_notification_commands    => ['notify-host-to-slack-nagios'],
      service_notification_commands => ['notify-service-to-slack-nagios'],
      contact_groups                => ['alerts']
   }
   nagioscfg::slack::channel {'swamidops': } ->
   nagioscfg::contactgroup {'swamid': } ->
   nagioscfg::contact {'slack-swamid':
      host_notification_commands    => ['notify-host-to-slack-swamidops'],
      service_notification_commands => ['notify-service-to-slack-swamidops'],
      contact_groups                => ['swamid']
   }
   nagioscfg::service {'service_ping':
      hostgroup_name => ['all'],
      description    => 'PING',
      check_command  => 'check_ping!400.0,1%!500.0,2%',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'service_ssh':
      hostgroup_name => ['all'],
      description    => 'SSH',
      check_command  => 'check_ssh_4_hostname',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_load':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_load',
      description    => 'System Load',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_users':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_users',
      description    => 'Active Users',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_zombie_procs':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_zombie_procs',
      description    => 'Zombie Processes',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_total_procs':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_total_procs_lax',
      description    => 'Total Processes',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_root':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_root',
      description    => 'Root Disk',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_boot':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_boot_15_5',
      description    => 'Boot Disk',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_var':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_var',
      description    => 'Var Disk',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_uptime':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_uptime',
      description    => 'Uptime',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_reboot':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_reboot',
      description    => 'Reboot Needed',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_memory':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_memory',
      description    => 'System Memory',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_entropy':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_entropy',
      description    => 'System Entropy',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_ntp_time':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_ntp_time',
      description    => 'System NTP Time',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_process_haveged':
      hostgroup_name => ['entropyclient'],
      check_command  => 'check_nrpe_1arg!check_process_haveged',
      description    => 'haveged running',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'check_scriptherder':
      hostgroup_name => ['nrpe'],
      check_command  => 'check_nrpe_1arg!check_scriptherder',
      description    => 'Scriptherder Status',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'etcd_cluster_health':
      hostgroup_name => ['webcommon'],
      check_command  => 'check_nrpe_1arg!etcd_cluster_health',
      description    => 'etcd cluster health',
      contact_groups => ['alerts']
   }
   nagioscfg::service {'swamid-2.0-2-age':
      hostgroup_name => ['swamid_static_signer'],
      check_command  => 'check_nrpe_1arg!check_fileage_swamid-2.0-2',
      description    => 'swamid 2.0 2016 metadata age',
      contact_groups => ['alerts']
   }
   nagioscfg::command {'check_ssl_cert_3':
      command_line   => "/usr/lib/nagios/plugins/check_ssl_cert -A -H '\$HOSTADDRESS\$' -c '\$ARG2\$' -w '\$ARG1\$' -p '\$ARG3\$'"
   }
   nagioscfg::service {'check_ssl_cert':
      hostgroup_name => ['swamid_static_signer','swamid_pyff_signer','ds_legacy','swamid_sp_test','webfrontend','entropyserver','https_server'],
      check_command  => 'check_ssl_cert_3!30!14!443',
      description    => 'check https certificate validity on port 443',
      contact_groups => ['alerts']
   }
}