Merge branch 'master' of git.nordu.net:eid-ops

2018-06-05 13:58:07 +02:00 · 2018-06-05 13:58:07 +02:00 · 3e9892eae7
commit 3e9892eae7
parent 2d2aebb7d4 ad12faa8ef
9 changed files with 155 additions and 65 deletions
--- a/fe-common/overlay/etc/hiera/data/group.yaml
+++ b/fe-common/overlay/etc/hiera/data/group.yaml
@ -26,17 +26,17 @@ sunet_frontend:

    websites2:

-      'www':
-        site_name: 'www.komreg.net'
+      'connector':
+        site_name: 'connector.eidas.swedenconnect.se'
        frontends:
          'fe-fre-3.komreg.net':
-            ips: ['94.176.224.180']
+            ips: ['94.176.226.10']
          'fe-tug-3.komreg.net':
-            ips: ['94.176.224.181']
+            ips: ['94.176.226.11']
        backends:
          default:
-            'www-fre-1.komreg.net':
-              ips: ['94.176.224.132']
+            'eidas-connector-1.sveidas.se':
+              ips: ['94.176.224.133']
              server_args: 'ssl check verify none'
        allow_ports:
          - 443
--- a/fe-common/overlay/opt/frontend/config/common/haproxy_base.j2
+++ b/fe-common/overlay/opt/frontend/config/common/haproxy_base.j2
@ -61,7 +61,7 @@ backend LB
 {% block global_backends %}
 {% if letsencrypt_server is defined %}
 backend letsencrypt_{{ letsencrypt_server }}
-  server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:81
+  server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
 {% else %}
 # letsencrypt_server not defined
 {% endif %}
--- a/fe-common/overlay/opt/frontend/config/connector/haproxy.j2
+++ b/fe-common/overlay/opt/frontend/config/connector/haproxy.j2
@ -0,0 +1,22 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+    stats enable
+    timeout http-request 10s
+    timeout http-keep-alive 4s
+    option forwardfor
+    http-request set-header X-Forwarded-Proto https
+
+    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+    {{ acme_challenge(letsencrypt_server) }}
+
+    use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+
--- a/fe-fre-3.komreg.net/overlay/etc/hiera/data/secrets.yaml.asc
+++ b/fe-fre-3.komreg.net/overlay/etc/hiera/data/secrets.yaml.asc
@ -3,20 +3,26 @@ STATUS=UPDATED
 -----BEGIN PGP MESSAGE-----
 Version: GnuPG v2

-hQEMA9/S9aKTc+kVAQf9Gg8QgRVfsUePPt9CdXHuuYu2yymILJRtHB/8vz/gZk+7
-d72QBJb2akaW6H4AtDXUqK/2ps6gee2ONQTPqkQwHKK7oWl861FVBwSdsLU/cXlC
-fcqgbi6nyJQ6msn7wOhPkYjGW1Q5/hiGVS27it4Z5YljJn7ETMLMUDqVPR7oa6Mt
-2xpcobXu+8zjdUIDJsdZe3e9/pKM8QgjrHsdKVrgS5ColusXocx5iHzZpO+pLKJ9
-/hBufWZx43XhkmwsVriirQHZBc3X415O0ooAtbpDUhmIvkRxg1JCN8On1xt1CPaF
-8RPDAS9uVqm6c8Kyk7Z9t7qHlxTE9GkC3Us5EbC9xNLAzwHYLiiUZkOE3AI9y9cS
-eV/SC+IFRJ2Li/+aGiojq6D9LR9f6u49lMcYSejrcbxT/6rvXQdIruQrwC86DNDV
-TFjXrAuaSGQgXI5JSwb61ZMJNm3dHzS/SSBtDSDaSa/1vp3rjECs1HMwFPbZaxWK
-mLDm/Gw97UlQBfy6OKEeas8vfX/NtD/kiRIdN1nCNp0goJPZZ/gOA8QmhUISis2r
-y+JdxTaEdRVoVu5cUpZxm58AAbxvjAFCCz1LaWE1Nngn+w6/5FfFutV63I/oyQAI
-Tqv++UuEkM7BnzoVUF4HYSpLq3+5zy/azXAUZvh3z3nassGaTVaYPVRodPzIvodd
-6584RixxOE+2yOW/dDySyiML065aKhQ2V3rQC6sWv7fsruvN5SojoK54wKBFXIje
-ktscoCPBMOSNPYlTK1e489pZIdkFJRxXe4AF5w67goEkScUtsNFgGMRosD/bTjYQ
-Qt0qkIM2iLJX7a90APjaDpD2AZrdpu6hTl9pawgqwqnWKhxcep02SPEMNK322VzQ
-gg==
-=gVTa
+hQEMA4Rt80zyLMP2AQgAkwGshSXoznuzSHQEEKQnOYTijU6IqvZE+zHU8mEB1m0b
+sIcwAqkgrRM7vdXiKdfLTyXHX7CN7EybgA3IQNQYgrfDfsCPwoyqwRa+IOrIp9kE
+mXDxXrC/d0254RM4MAIntb5G9Kg3FxuLaiiXNlpaLaJdLrxLgv2Keh/idBgDsYg9
+M6zeW0FPEoO4Jp5d8BBYYInMxOlPnFgm5WJ6sKQBZPkTd9w98Oztarw3qFZV2/7R
+Kf26TswYShph/osYleijViGmoeoI2ZeYIU+IiDTW3+Iusbf4s7Ez0LjoPROl5Dhh
+QiJFh9h3AMw6jAJB/N7dlTBuHvrzNAxKrGKINNlkVtLpAbwmAnAAkuPcS7Sy0oXs
+W+m12K78lZ7o3ORZQOiUSpIpxOd5mh0zINA+86ITuHnVJSbUb9rcMqowQHChVvU2
+0eF9yyefXl72P64U1OpR7Ee4Fm5FI+ZUaSCWnsurM7UsDtn9js6SmMk8RzWUB4zI
+GtbtPPqKcSo+7rHGUH4ji13IfEgOPiYPnNsi4ulZ7nUFdDxRhGTWBA6LUZPaMLcP
+Hf4kvGzcSVuoxqlS76OisQXSqcYlYwVRqQ41RI+63WHQ8wTV47Pr9tvEko5n4T6E
+pa6udm7wg3iwOsp2aIo7ZoQfBKPCGIi7mV1FQGg7wvb/YYR/7sGLjXpfeucBoGvu
+NzUUKxznBtsZB6JXKgQqO3CM+JEPEqsw9VUrvQ6vwBJhP2SaHPe2dXOLRQlMNqY+
+DX5PJ9dbScbcctifxmbcbeQdp5xeC3VQF4yJ+VvzPErjDqyeU19rq7J6jDcagJV
+uo3pV+nMT6G4lZi+1j/DNPhhN132kqtrS9JXIFI0w/enpoBEGmGqFOoBGeLXVRtZ
+I0XnxPNtXA2UREMibg3EbCouGs1EDlp+xkMZp4X0A/YWpcCMItORxkkd63s0XuEK
+cdFF6RMCIRtpIyzVInVg0FNzENY3eJXMU2DI3OU7LDk5Pw2ILKgPOhbRnO408KzN
+0dxiBsiPiWNRnPjsN/ZPb8q/VxozjtGGKSgglgqtrxFJYMEa7HBts4zyZ8KAjtUq
+ucSy7wEcV+RmUIUhs8Yu+W1iw9wqUAkueRaH3hpuqMyLPcNUMTaZheWfq8IeJ42O
+ZFYBZnxbCQ1O+RVDm5cEC9cI7Q+Swp/eEWm6eWRcj5CJZVn4HlHoaX7eo6rq1oZ/
+3unlTJEz3IXlnhexm5TnSPoYRs1xJu71uoaplslS4W0wdgv7Q46FIk5mGa3jvrvj
+zDRiAIRjFuAIGZ6uO9hpUqE=
+=i99g
 -----END PGP MESSAGE-----
--- a/fe-tug-3.komreg.net/README
+++ b/fe-tug-3.komreg.net/README
@ -0,0 +1,3 @@
+
+The system documentation is in the docs directory of the multiverse repository.
+
--- a/fe-tug-3.komreg.net/overlay/etc/hiera/data/secrets.yaml.asc
+++ b/fe-tug-3.komreg.net/overlay/etc/hiera/data/secrets.yaml.asc
@ -0,0 +1,28 @@
+STATUS=UPDATED
+
+-----BEGIN PGP MESSAGE-----
+Version: GnuPG v2
+
+hQEMA8wt/jvwBdcmAQgAjPocYDJRnCv9rOhJTPICxedWNn3wV7xG7JORPQcZUZNS
+VyJqToeAcMQzgBmmiH1cXbfzPnitiR9JnT0Ol7m8/Yl8Z8l0XBHp7Ygls67ppsF3
+1WknKomFJ7FhwsrRJD5ZUHIAhZ1b+elxGZ+zp5voaVbcHK0H+yrrK/TuzeD1P9jG
+WGzq4oL2eRWAADGhIwAUCOvAPG3XjmtfsQ85ISvP1vU6JZZM3YIGnyUnlL7eTJAN
+twJaYgzz8UPitfYpaqdYdsIjxoByAqbPwxMh65kItOz7U/b8roCzEcrALdfDTG9S
+ZGEwK3ay+1uDoUNL7CBVZEnkbI32fxoKyz/1RD8j39LpARmLsVnzQo5jmABaMdy/
+eMkpbYTWeKL8nLFfVx/Vx5dLaZjwxq6OdTJ9yiYjK/4NKe5MalJp7p1tADVWl7Ro
+2rSBkXCxPQGJ6qqsfDh0KqZlZ61lydeEffDggxZw3fAI+JPcPzfarE/tApkFSEkt
+FESPCjES/+R4FE56m4ve5lfUJHI8hRNiYSsRx/MQ3bm/sZLuejiLul7r3zEapWRa
+sbzlUXFDsz9ecjHKBC9557oBqzmdwaiwO+wIkyBy6nPdNjmT2abyjUIUuLyamrTy
+g2sldt2pzee1INXM3biOAG5j5LIsG9H1//jos9eARox0ufvLZa2qMQ3RrdEMWGN
+nnYY+jQGIEJVNyzOS2SjPj+imp7M0ufR1ki5KTtMiPgebDbw2eJwJQMu1MMYcMXw
+S50baJPTphKC3pBK9DgFq8l/vGrfVuSBWz2+7KaIG0PhlgjvQTttE2UgzNWSglTo
+d9BXaMdatoK1b9CdugGFDHK7zljAwUIVosnvly1prPaIHm0f5sOpd7GT8nRv03zX
+nHcQctTD36+TPHxZBO9jS9VmJzalTfG9tNVSlLE+3yufW+BW/hK/BTG4qx8Bbs5L
+ss4E+htsS7mFINNqCoyCxZX4cZDE66KrUL31sm2cdN1oOYleNJX3hv34X6mE81jU
+nRJT8GGMjeIBAhY33CehvDG7/5uuRTQ08rjOsgkNI08U9UQL6jH8fEX/Egg/n1Nf
+gQSByUGoZEgm8mLkC9xM4Ui47+xlQXlmFhNgiT0vpjRr/Maxc3JJ1u20jsrQkCa5
+gBL6ZWYXT9BdyutKgC+LOANgQkp1xbhBNQKA8OQKeVjLSlkTxvLiD94AbOvDnvio
+KuModCULq696jdG4W3j2EJu6gBSY5vPzBCdFCkpq2p5x64PPbun1cQoZgehC+rOm
+EnjLKSioNpsycx1EHg==
+=caob
+-----END PGP MESSAGE-----
--- a/fe-tug-3.komreg.net/overlay/etc/network/interfaces.d/eth0_ipv6.cfg
+++ b/fe-tug-3.komreg.net/overlay/etc/network/interfaces.d/eth0_ipv6.cfg
@ -0,0 +1,7 @@
+# maintained in cosmos
+#
+iface eth0 inet6 static
+      address 2001:6b0:63:2::37
+      netmask 64
+      gateway 2001:6b0:63:2::1
+      
--- a/global/overlay/etc/puppet/cosmos-db.yaml
+++ b/global/overlay/etc/puppet/cosmos-db.yaml
@ -12,10 +12,9 @@ classes:
    sunet::frontend::register_sites: &id003
      sites:
        connector.eidas.swedenconnect.se:
-          frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se]
+          frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net]
          port: '443'
    sunet::rsyslog: null
-    sunet_iaas_cloud: null
    sunetops: null
  eidas-connector-2.sveidas.se:
    autoupdate: null
@ -29,7 +28,6 @@ classes:
    nrpe: null
    sunet::frontend::register_sites: *id003
    sunet::rsyslog: null
-    sunet_iaas_cloud: null
    sunetops: null
  eidas-connector-3.sveidas.se:
    autoupdate: null
@ -43,7 +41,6 @@ classes:
    nrpe: null
    sunet::frontend::register_sites: *id003
    sunet::rsyslog: null
-    sunet_iaas_cloud: null
    sunetops: null
  eidas-connector-4.sveidas.se:
    autoupdate: null
@ -57,7 +54,6 @@ classes:
    nrpe: null
    sunet::frontend::register_sites: *id003
    sunet::rsyslog: null
-    sunet_iaas_cloud: null
    sunetops: null
  eidas-node-1.qa.sveidas.se:
    autoupdate: null
@ -114,6 +110,16 @@ classes:
    sunet::frontend::load_balancer: null
    sunet::rsyslog: null
    sunetops: null
+  fe-tug-3.komreg.net:
+    common: null
+    eid::dockerhost: null
+    entropyclient: null
+    infra_ca_rp: null
+    mailclient: *id002
+    nrpe: null
+    sunet::frontend::load_balancer: null
+    sunet::rsyslog: null
+    sunetops: null
  jmp.komreg.net:
    autoupdate: null
    common: null
@ -230,6 +236,11 @@ classes:
    sunetops: null
  kvmfe-tug-3.komreg.net:
    common: null
+    eid::kvmhost:
+      vms:
+        fe-tug-3.komreg.net: {bridge: br-fe, cpus: '4', description: eid fre frontend,
+          gateway: 94.176.224.33, ip: 94.176.224.37, mac: '52:54:20:02:01:01', memory: '4096',
+          netmask: 255.255.255.240}
    entropyclient: null
    infra_ca_rp: null
    mailclient: *id002
@ -435,9 +446,9 @@ classes:
 members:
  all: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net,
+    jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
+    kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net,
    md1.komreg.net, monitor-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
@ -449,33 +460,33 @@ members:
    web-1.qa.sveidas.se]
  common: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net,
+    jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
+    kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net,
    md1.komreg.net, monitor-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  eid::dockerhost: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
-    eidas-connector-4.sveidas.se, fe-fre-3.komreg.net]
+    eidas-connector-4.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net]
  eid::kvmhost: [kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvminfra-fre-3.komreg.net, kvmmeta-fre-3.komreg.net]
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvmmeta-fre-3.komreg.net]
  eidas_connector: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se]
  eidas_proxy: [eidas-proxy-1.qa.sveidas.se]
  entropyclient: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net,
+    jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
+    kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net,
    md1.komreg.net, monitor-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  github_client_credential: [web-1.qa.sveidas.se]
  infra_ca_rp: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net,
+    jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
+    kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net,
    md1.komreg.net, monitor-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
@ -485,9 +496,9 @@ members:
    md-fre-3.komreg.net, nic.komreg.net, prid-1.qa.sveidas.se, validator-1.qa.komreg.net]
  mailclient: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net,
+    jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
+    kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net,
    md1.komreg.net, monitor-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
@ -498,9 +509,9 @@ members:
  nagios_monitor: [monitor-fre-3.komreg.net, nic.komreg.net]
  nrpe: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net,
+    jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
+    kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net,
    md1.komreg.net, monitor-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
@ -511,29 +522,27 @@ members:
  prid: [prid-1.qa.sveidas.se]
  servicemonitor: [eidas-proxy-1.qa.sveidas.se, prid-1.qa.sveidas.se, validator-1.qa.komreg.net]
  sunet::dehydrated: [r1.komreg.net]
-  sunet::frontend::load_balancer: [fe-fre-3.komreg.net]
+  sunet::frontend::load_balancer: [fe-fre-3.komreg.net, fe-tug-3.komreg.net]
  sunet::frontend::register_sites: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se,
    eidas-connector-3.sveidas.se, eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se,
    eidas-proxy-1.qa.sveidas.se, p1.komreg.net, p2.qa.komreg.net, validator-1.qa.komreg.net,
    web-1.qa.sveidas.se]
  sunet::rsyslog: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net,
+    jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
+    kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net,
    md1.komreg.net, monitor-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
-  sunet_iaas_cloud: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
-    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    jmp.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net, nic.komreg.net, p1.komreg.net,
-    p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net,
-    web-1.qa.sveidas.se]
+  sunet_iaas_cloud: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
+    md-eu1.qa.komreg.net, md-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
+    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  sunetops: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
-    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    eidas-redis-1.sveidas.se, fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net,
+    jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net,
+    kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, md-eu1.qa.komreg.net, md-fre-3.komreg.net,
    md1.komreg.net, monitor-fre-3.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -17,6 +17,22 @@ jmp.komreg.net:
   konsulter:
   autoupdate:

+kvmfe-tug-3.komreg.net:
+   eid::kvmhost:
+      vms:
+         fe-tug-3.komreg.net:
+            mac: '52:54:20:02:01:01'
+            ip: '94.176.224.37'
+            netmask: '255.255.255.240'
+            gateway: '94.176.224.33'
+            bridge: 'br-fe'
+            description: 'eid fre frontend'
+            cpus: '4'
+            memory: '4096'
+
+# kvminfra-fre-3.komreg.net:
+
+# kvmmeta-fre-3.komreg.net:
   
 kvmeidas-tug-3.komreg.net:
   eid::kvmhost:
@ -179,7 +195,6 @@ md-eu1.qa.komreg.net:
 '^eidas-connector-[0-9]+\.sveidas\.se$':
   eid::dockerhost:
   konsulter:
-   sunet_iaas_cloud:
   autoupdate:
   eidas_connector:
     version: 1.3.2
@ -188,8 +203,8 @@ md-eu1.qa.komreg.net:
     sites:
       'connector.eidas.swedenconnect.se':
         frontends:
-           - 'se-fre-lb-1.sunet.se'
-           - 'se-tug-lb-1.sunet.se'
+           - 'fe-fre-3.komreg.net'
+           - 'fe-tug-3.komreg.net'
         port: '443'

 '^eidas-proxy-[0-9]+\.sveidas\.se$':
@ -204,8 +219,8 @@ md-eu1.qa.komreg.net:
     sites:
       'proxy.eidas.swedenconnect.se':
         frontends:
-           - 'se-fre-lb-1.sunet.se'
-           - 'se-tug-lb-1.sunet.se'
+           - 'fe-fre-3.komreg.net'
+           - 'fe-tug-3.komreg.net'
         port: '443'

 '^eidas-node-[0-9]+\.qa\.sveidas\.se$':
				`@ -0,0 +1,3 @@`

				`The system documentation is in the docs directory of the multiverse repository.`