From 0b5a19ad85da5e7b1708c746062c0e76987d040e Mon Sep 17 00:00:00 2001 From: Leif Johansson Date: Thu, 7 Nov 2019 10:11:44 +0100 Subject: [PATCH] use ufw to turn on/off single instances on demand --- global/overlay/etc/puppet/cosmos-rules.yaml | 9 ++++++ .../etc/puppet/manifests/cosmos-site.pp | 31 +++++++++++++------ 2 files changed, 30 insertions(+), 10 deletions(-) diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index 50813f22..1b8fe64e 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -615,6 +615,7 @@ md-eu1.qa.komreg.net: konsulter: autoupdate: eidas_de_middleware_hsm: + enabled: true version: 110-fixes-sc-p11 hostname: demw.eidas.swedenconnect.se saml_metadata: @@ -633,11 +634,19 @@ md-eu1.qa.komreg.net: konsulter: autoupdate: eidas_de_middleware_hsm: + enabled: false version: 110-fixes-sc-p11 hostname: demw.eidas.swedenconnect.se saml_metadata: filename: /opt/eidas-middleware/configuration/serviceprovider-metadata/connector-metadata.xml url: https://connector.eidas.swedenconnect.se/idp/metadata/sp + sunet::frontend::register_sites: + sites: + 'demw.eidas.swedenconnect.se': + frontends: + - 'fe-fre-3.komreg.net' + - 'fe-tug-3.komreg.net' + port: '443' '^refidp-[0-9]+\.qa\.sveidas\.se$': sunet_iaas_cloud: diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp index 5e50f6d0..20fa75b5 100644 --- a/global/overlay/etc/puppet/manifests/cosmos-site.pp +++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp 
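Review bot: The new `enabled` key is the only thing that distinguishes the two otherwise identical `eidas_de_middleware_hsm` stanzas (`enabled: true` in the first hunk, `enabled: false` in the second), and nothing in the file says what it toggles, so an operator flipping it has to read the manifest to learn that it opens or closes ufw 80/443 on that node. A comment next to the key in both hunks, `# enabled: true opens ufw 80/443 on this node, false denies them; keep unquoted`, would record that. The "keep unquoted" part matters because a quoted `'false'` is a non-empty string and is therefore truthy in the manifest's `if $enabled` on Puppet 4 and later.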
@@ -94,14 +94,25 @@ class sunet_iaas_cloud { } } -class webserver { - ufw::allow { "allow-http": - ip => 'any', - port => '80' - } - ufw::allow { "allow-https": - ip => 'any', - port => '443' +class webserver($enabled=true) { + if $enabled { + ufw::allow { "allow-http": + ip => 'any', + port => '80' + } + ufw::allow { "allow-https": + ip => 'any', + port => '443' + } + } else { + ufw::deny { "allow-http": + ip => 'any', + port => '80' + } + ufw::deny { "allow-https": + ip => 'any', + port => '443' + } } } @@ -293,7 +304,7 @@ class md_repo_server($hostname) { ensure_resource('class','https_server',{}) } -class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') { +class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost',$enabled=false) { $_version = safe_hiera('eidas_demw_version',$version) $_hostname = safe_hiera('eidas_demw_hostname',$hostname) $poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password') @@ -329,7 +340,7 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"], extra_parameters => ["--log-driver=syslog"] } - ensure_resource('class','webserver',{}) + ensure_resource('class','webserver',{enabled => $enabled}) ensure_resource('class','https_server',{}) }
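Review bot: Switching a node from `enabled => true` to `false` adds `ufw::deny` rules but nothing in the else branch removes the `ufw::allow` rules an earlier run inserted, and ufw evaluates rules in insertion order, so on a host that was previously enabled the older allow rule is likely still matched first and 80/443 stay open. I cannot see the `ufw::deny` implementation from here, so verify on a flipped host with `ufw status numbered`; if the module's `ufw::allow` accepts `ensure`, declaring the two allow rules with `ensure => absent` before the deny rules would close the ports deterministically. Separately, the deny resources are titled `"allow-http"` and `"allow-https"`, which read as allow rules in reports and logs; `ufw::deny { "deny-http":` and `ufw::deny { "deny-https":` would be clearer.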
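Review bot: `$enabled` is added as a plain class parameter while `$version` and `$hostname` on the next two lines are each overlaid with a `safe_hiera` lookup, so it is the one setting of this class that cannot be overridden the same way. If that is intentional, a comment on the parameter line such as `# enabled is taken from the class parameter only, no hiera overlay` would record it; otherwise `$_enabled = safe_hiera('eidas_demw_enabled',$enabled)` (a new key following the existing `eidas_demw_*` naming) keeps the three parameters consistent. The class body continues outside the hunk.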
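Review bot: `ensure_resource('class','webserver',{enabled => $enabled})` now declares `webserver` with a parameter, so any other class compiled on the same node that still calls `ensure_resource('class','webserver',{})` (the pattern used for `https_server` on the following line) will conflict: ensure_resource skips the declaration only when the existing one has the same parameters, and otherwise fails with a duplicate class declaration. I cannot see the other callers from here; if any node combines this class with another consumer of `webserver`, routing `enabled` through hiera or a single point of declaration avoids the clash. Note also that the new default `$enabled=false` means every node using this class without the yaml key now takes the `ufw::deny` path, which is a behaviour change for any such node rather than a no-op.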