From 41eeccd9cb35c1c8a28fa58863337862756f96c6 Mon Sep 17 00:00:00 2001
From: Leif Johansson
Date: Tue, 15 Aug 2017 11:37:45 +0200
Subject: [PATCH] initial sync with nunoc-ops
---
 addhost | 7 +-
 bump-tag | 10 +-
 cosmos-site.pp | 1 +
 cosmos.conf | 3 +-
 edit-secrets | 19 +-
 fabfile/__init__.py | 44 +
 fabfile/__init__.pyc | Bin 2999 -> 3526 bytes
 fabfile/db.py | 4 +
 .../etc/cosmos/apt/bootstrap-cosmos.sh | 15 +-
 .../etc/cosmos/apt/cosmos_1.5-1_all.deb | Bin 0 -> 11514 bytes
 .../cosmos/apt/puppetlabs-release-trusty.deb | Bin 0 -> 9554 bytes
 .../cosmos/apt/puppetlabs-release-xenial.deb | Bin 0 -> 13662 bytes
 global/overlay/etc/puppet/cosmos-db.yaml | 790 ++++++++++++++++++
 global/overlay/etc/puppet/cosmos-modules.conf | 57 +-
 global/overlay/etc/puppet/cosmos-rules.yaml | 9 +-
 .../overlay/etc/puppet/cosmos_config_version | 11 +
 global/overlay/etc/puppet/facter/cosmos.rb | 22 +
 .../etc/puppet/manifests/cosmos-site.pp | 573 ++++++++++++-
 global/overlay/etc/puppet/puppet.conf | 7 +-
 global/post-tasks.d/015cosmos-trust | 12 +-
 global/post-tasks.d/018packages | 6 +-
 global/post-tasks.d/020reports | 4 +-
 global/pre-tasks.d/020common-tools | 4 +-
 global/pre-tasks.d/030puppet | 10 +-
 global/pre-tasks.d/040hiera-gpg | 7 +-
 host-puppet-conf-test | 43 +
 26 files changed, 1555 insertions(+), 103 deletions(-)
 create mode 120000 cosmos-site.pp
 create mode 100644 global/overlay/etc/cosmos/apt/cosmos_1.5-1_all.deb
 create mode 100644 global/overlay/etc/cosmos/apt/puppetlabs-release-trusty.deb
 create mode 100644 global/overlay/etc/cosmos/apt/puppetlabs-release-xenial.deb
 create mode 100644 global/overlay/etc/puppet/cosmos-db.yaml
 create mode 100755 global/overlay/etc/puppet/cosmos_config_version
 create mode 100644 global/overlay/etc/puppet/facter/cosmos.rb
 create mode 100755 host-puppet-conf-test
diff --git a/addhost b/addhost
index 033c16b0..679cebd5 100755
--- a/addhost
+++ b/addhost
@@ -37,6 +37,11 @@ defrepo=`git remote -v | grep ${remote:="ro"} | grep fetch | awk '{print $2}'` rrepo=${repo:="$defrepo"} rtag=${tag:="changeme"} +if [ "x$rrepo" = "x" ]; then + echo "$0: repo not set in cosmos.conf and no git remote named 'ro' found" + exit 1 +fi + if [ ! -d $cmd_hostname ]; then cp -pr default $cmd_fqdn git add $cmd_fqdn @@ -45,7 +50,7 @@ if [ ! -d $cmd_hostname ]; then fi if [ "$cmd_do_bootstrap" = "yes" ]; then - scp apt/cosmos_1.2-2_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname: + scp apt/cosmos_1.5-1_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname: ssh root@$cmd_hostname ./bootstrap-cosmos.sh $cmd_fqdn $rrepo $rtag ssh root@$cmd_hostname cosmos update ssh root@$cmd_hostname cosmos apply diff --git a/bump-tag b/bump-tag index b163569b..aed35e24 100755 --- a/bump-tag +++ b/bump-tag @@ -11,8 +11,13 @@ tagpfx=${tag:="$deftag"} last_tag=`git tag -l "${tagpfx}-*"|sort|tail -1` -git tag -v $last_tag +echo "Verifying last tag $last_tag:" +(git tag -v $last_tag | grep ^gpg:) || true +# again to not mask exit status of git with grep +git tag -v $last_tag > /dev/null 2>&1 +echo "" +echo "Differences between tag $last_tag and what you are about to sign:" PAGER=cat git diff $last_tag..master iter=1 @@ -29,7 +34,8 @@ while test -z "$ok"; do esac done -echo using new tag $this_tag +echo "" +echo "Using new tag $this_tag" echo ONLY SIGN IF YOU APPROVE OF VERIFICATION AND DIFF ABOVE # GITTAGEXTRA is for putting things like "-u 2117364A" diff --git a/cosmos-site.pp b/cosmos-site.pp new file mode 120000 index 00000000..20f0c113 --- /dev/null +++ b/cosmos-site.pp @@ -0,0 +1 @@ +global/overlay/etc/puppet/manifests/cosmos-site.pp \ No newline at end of file diff --git a/cosmos.conf b/cosmos.conf index 32f286ac..21acc9a9 100644 --- a/cosmos.conf +++ b/cosmos.conf @@ -1,2 +1 @@ -tag="eduid-cosmos" -#repo=git://override-repo-URL +tag="eid-ops" diff --git a/edit-secrets b/edit-secrets index 742321fa..145255ba 100755 --- a/edit-secrets +++ b/edit-secrets 
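Review bot: The added guard in addhost only rejects an empty `$rrepo`, but the value comes from the `git remote -v | grep ${remote:="ro"}` pipeline shown at the top of the hunk, which matches "ro" anywhere in the line (remote name or URL) and can return more than one URL. Because `$rrepo` is then passed unquoted to `bootstrap-cosmos.sh` on the new host (second addhost hunk), an exact lookup such as `defrepo=$(git config --get "remote.${remote:=ro}.url")` would make the guard meaningful. The error message would also be better sent to stderr with `>&2`.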
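Review bot: In the first bump-tag hunk, whether a failed verification of `$last_tag` still stops the script depends entirely on `set -e` being active, which is not visible here: the first `git tag -v` is forced to succeed with `|| true`, and the second discards all of its output. Making the failure explicit removes that dependency and tells the operator why the run stopped, e.g. `git tag -v "$last_tag" > /dev/null 2>&1 || { echo "$0: signature check of $last_tag failed" >&2; exit 1; }`. Note also that `git tag -v` normally writes the gpg status lines to stderr, so `grep ^gpg:` filters only stdout; `2>&1` before the pipe is probably what was intended. `$last_tag` is empty when no tag matches the prefix, so it should be quoted and checked before use.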
@@ -11,7 +11,7 @@ if [ "x$1" = "x" ]; then fi if [ "x$1" != "x-l" ]; then - host=$1 + host=$(echo $1 | sed -e 's!/*$!!') # remove trailing slashes if [ ! -d $host ]; then echo "$0: No host-directory for '$host' found - execute in top-level cosmos dir" @@ -19,12 +19,12 @@ if [ "x$1" != "x-l" ]; then fi # Execute this very script, on a remote host - TMPFILE=$(mktemp) + TMPFILE=$(mktemp edit-secrets.$$.XXXXXXX) if [ ! -f $TMPFILE ]; then echo "$0: Failed creating temporary file" exit 1 fi - TMPFILE2=$(mktemp) + TMPFILE2=$(mktemp edit-secrets.$$.XXXXXXX) if [ ! -f $TMPFILE2 ]; then echo "$0: Failed creating temporary file" exit 1 @@ -98,8 +98,11 @@ fi trap "rm -f $TMPFILE $TMPFILE2" EXIT -if [ ! -f "$GNUPGHOME/secring.gpg" ]; then - echo "$0: Secret keyring $GNUPGHOME/secring.gpg does not exist." +if ! $GPG --list-secret-keys | grep -q ^"sec\s"; then + echo "$0: Secret key does not exist (in $GNUPGHOME)." + echo "" + echo "Generate it with /var/cache/cosmos/model/pre-tasks.d/040hiera-gpg" + echo "" exit 1 fi @@ -126,10 +129,16 @@ else # figure out this hosts gpg key id recipient=$($GPG --list-secret-key | grep ^sec | head -1 | awk '{print $2}' | cut -d / -f 2) + save_to="`hostname --fqdn`/overlay${SECRETFILE}" echo "" ( echo "STATUS=UPDATED" echo "" ) > $LAST_OUTPUT_FILENAME $GPG --output - --armor --recipient $recipient --sign --encrypt $TMPFILE >> $LAST_OUTPUT_FILENAME + echo "" + echo "GPG output saved in $LAST_OUTPUT_FILENAME - save it in Cosmos as" + echo "" + echo " $save_to" + echo "" fi diff --git a/fabfile/__init__.py b/fabfile/__init__.py index 8db5748d..ee6464c1 100644 --- a/fabfile/__init__.py +++ b/fabfile/__init__.py @@ -5,6 +5,7 @@ import yaml import re import sys from fabfile.db import cosmos_db +from fabric.api import task env.user = 'root' env.timeout = 30 
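Review bot: With a bare template, `mktemp edit-secrets.$$.XXXXXXX` (second edit-secrets hunk) creates both files in the current directory, which per the error message in the first hunk is the top-level cosmos checkout, rather than in the system temp directory. What the files hold is not visible in this hunk, but if either ever contains secret material, a run killed before the `rm -f` trap fires leaves it inside the git work tree where a later `git add` can pick it up. Consider `TMPFILE=$(mktemp "${TMPDIR:-/tmp}/edit-secrets.XXXXXXX")` (the PID adds nothing to mktemp's own randomness), or at least ignore `edit-secrets.*` in `.gitignore`. The enclosing `if` block starts and ends outside the hunk.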
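Review bot: The new secret-key check (third edit-secrets hunk) parses gpg's human-readable listing, whose layout differs between GnuPG versions, and `\s` in a basic regular expression is a GNU grep extension. The machine-readable form is stable: `if ! $GPG --list-secret-keys --with-colons | grep -q '^sec:'; then`. The same concern applies to the unchanged `grep ^sec | head -1 | awk ... | cut` pipeline that derives `recipient` in the following hunk, which decides who the secret is encrypted to.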
@@ -12,24 +13,67 @@ env.connection_attempts = 3 env.warn_only = True env.skip_bad_hosts = True env.roledefs = cosmos_db()['members'] +env.use_ssh_config = True +def _lookup(node_name): + if os.path.exists(os.path.join(node_name,".hostname")): + with open(os.path.join(node_name,".hostname"),"r") as fd: + return fd.readline().strip() + return node_name + + +@task def all(): env.hosts = cosmos_db()['members']['all'] +@task +def h(key=None): + db = cosmos_db() + env.roledefs = db['members'] + if key is None: + key = 'all' + + _hosts = [key] + if key in env.roledefs: + _hosts = env.roledefs[key] + + env.hosts = [ _lookup(h) for h in _hosts ] + +@task def cosmos(): run("/usr/local/bin/run-cosmos"); +@task +def set_no_automatic_cosmos(): + run("touch /etc/no-automatic-cosmos") + +@task +def remove_no_automatic_cosmos(): + run("rm /etc/no-automatic-cosmos") + +@task def upgrade(): + run("apt-get -qq update && apt-get -y -q upgrade"); + +@task +def distupgrade(): run("apt-get -qq update && apt-get -y -q dist-upgrade"); +@task def facts(): get("/var/run/facts.yaml",local_path="facts/%(host)s.yaml") +@task def chassis(): run("ipmi-chassis --get-chassis-status") def newvm(fqdn,ip,domain): run("vmbuilder kvm ubuntu --domain %s --dest /var/lib/libvirt/images/%s.img --arch x86_64 --hostname %s --mem 512 --ip %s --addpkg openssh-server" % (domain,fqdn,fqdn,ip)) +@task def cp(local,remote): put(local,remote) + +@task +def synci(): + get("/etc/network/interfaces",local_path="%(host)s/global/overlay/etc/interfaces") 
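Review bot: In `synci`, the remote file `/etc/network/interfaces` is saved to `%(host)s/global/overlay/etc/interfaces`, which matches neither the remote path nor the per-host layout used elsewhere in this patch (`<fqdn>/overlay/...` in edit-secrets); if the intent is to capture the file into the host's overlay, `local_path="%(host)s/overlay/etc/network/interfaces"` looks like what was meant. Once any function carries `@task`, Fabric 1.x stops exposing undecorated functions, so `newvm` is no longer callable from the command line; if that is deliberate, a comment saying so would help. `remove_no_automatic_cosmos` should use `rm -f` so it does not report a failure when the flag file is already absent. `_lookup` uses `os.path`, and an `import os` is not visible in either hunk of this file.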
diff --git a/fabfile/__init__.pyc b/fabfile/__init__.pyc index d66ff5d8b1c8bec51b415ccd863f689e8b755737..9c63643a95a77aa92c71a6ea167bb2bb31b6d939 100644 GIT binary patch literal 3526 zcmcImdv6;>5T83c59d**Nt)JuUL{ftm3>f^f)J`eg?}S)K`JtW)A@GoY<#cW?zy$p z{FVNR#5dq0@n!e`Ff;3`qY8;uY3{t^*|~kp<2SS0_cGH()P;cy4oO`|8jv<&(1dge21{1jfMgj4%RCSH6&S44{3;AqYrX}87V}L= z)*xMn!MdHl#CvVPU<3QhAYBMIL98%y1;i>dZID~cT&tbi2*ov;MlF12E5|%pSk3r z@)y8W=VQ)&LL}gTKd!^61FvxU5(VOTndsqj0r2C`8PGz9UDDz}lh*yCT$?OPr6EPi zE~#cn9~6`3MP!c5GBWa|(#Fb;bCvPOypWk$#gC&rRakG)4p}Z_$UD%o zBhf_)O!Sw?`A2yw{Y0wKvHv13C%&$5oxYZSR%LnI%M0y~qTxs-(hozGDHDeMV#YoU zlRTeP#WpUZNeyuBX72`(dnwxq^N&ycZ7+klelR&7E9z+@H5hm`-P=w*)V z*nv}*LX5)@J(Fc959d4zJNOO9jd7?8-~YM|rwszqs|JDUHy2I@G&Wp%+bgVTmq2jN zCFJiiPo$6|i;9ChlL3Vy*hSJMD>zFga>jrXL&j0ae#CvyqYH0d1PZ}TTI4%5dJ6mo{GJ4)%;R<%pt>{fOn=0rbgY`gDF#JlFev-#g;ty5kWB&JSVslmp zw9rE93uAyiV%Pr^SFVvjyU_FhDnGPh(IG4|>s)vkaCz4yiEk5H}(D~W_CCS#9IPpyx7T9#8;o^u-+#OLeiL}Xk$ zRl$|QDz*T`MXDwr)tP)TO`qa+77I>HfTKn#us^RNgZ{K`#M^~MI8|?Z^$BRCJ?sfw z3~bi5lxc3{2hx>Pii_`%z75)U&Bp6E*Ow;t@p8e}47|d~5_3W7fH0#UAgMFZA1C<` zPkhC4#-y= zm4I$vj3cf)Brhc&$$F;iRq0;U7ejlnQv`WJg_z_UmQkt9D`Tjb#d(&=m^KL`V`N&) zuY*68mE;@ni>S=PJWFPVj#xcWML3LvJ@5m%T(cb44iWYtE;mwRdt;#GgFPa2mIt?p z+$KWDdT@`3N8}?S9}^*9Ex^Uxg|cB4*ZU^TMU}{>gl_#9$)2-^HwpW0;a#HT)bAGE TFIL*khST0?H|w|6XgB`_4=3U9 literal 2999 zcmcIm-EJF26h7;}#Ho{}KNKppU?ftxD$Y_=DlV$3QY*n#5H3=XMYURc#`ZY-mz}Yb zNcL5@MB){A9Ug)kUV#UI@0_ul2ys)Tcs;Xc&dfP;{?Atb+TQwoa<4a})vtp03k>@Q zCWU`M2~iqQKcKWi{R#z)tx!^>v_}1!UsoxqQ@<`0fE(0rtl6`?)OZo-_(_K0b=$mg2>EiG&FzX*I}hy6;nCOM+q}G!0Mk z@+eF*w{JDSy2IS2xeZ70U}O>VJu5Qv;E zdn|?9z?2y4SQvm_fGbPE`bTk+L=&iO`3}oUQXn2`0%Dwa=uZIf&^ggkY`hFE*%y8a zsQiv#x`n{M-lt_n98xFfGToqscV|Gsp(6VJ$LuY;DxIDa3TGnaVV24ew(V|X^8b?Msqth3(0RNV!4rz&-sx;lE#RiQbE+{u?u}RY%p~3Z7 z-~_gx9sfp$$1}qJ@OVInz^+2X-hi^+dEIiBXuE$Fr-_8P1cx$1CvNGno5WZ86wdLX zlNUM@+^kTs(?Y@Y0wj5?dM&16>l*kMBefEGr4}-)<8nBW(?|Nu_Shq`5f|XBI!q{` zDWXXX3lwpX38Rtn`#D6Hd$L^VD2r3=^HPuHJxr{`A>MwIGh=cQURQ~47BVU!fYKu? 
zX?7173YwKha5K0bd{Su!yTM(+w=lK=iNa-`JM%FPnkuFtlkksC@DjuBV)9XlG>%Xt zPzoeD4fgnxHdjLTT* z|3wilL@WM}{zDV4*%BeQ0eJhPfuJ*;2Z8qjpE$6$Fo*NF4AGoWn1{~iwq#L~591`_ z$}h)cH{9!R6g^y(01hol$oJ?XuJ2wF0PpUhPeEmh)O3fF*ji)TU3S)b)kS-AGyA`} zWOeD|OQLg@@ZiuBmvBCNm!Jut7xO=$QH}2WD@A_6!Ff8EnMCQbeKb$ovjM&#W>87x zX>79g9;>HN)!O33#0)}=xhY*}(s-sq3qV3bKpGHrgV8u@40_ZuUI&FXT z_)FkT;W4pN#nHIUwcFZB*XnYvecSgL$qGq@8Xc=limWN5D0{&!!r>}KlOrM1C-d|P zfK?=PKH{6Xg5ooxG{gP4Fd~vKbKI#`8<4$>oyjxbGJJ#L{T}CpFO3{5qQ(pw%14DW zsm^E4abgVfEYm|~5ycK|saSQiAIh1QK5`P5S(InVnd35Nk4zB_V&%Ucq?N2IzAxsw zD0`pr-CQwy4|rlj^&axn#dKjdfv#e^O|W~G<_hilIcKTm>+Yb(wD_qstIeCuVEwcz JJB(R9{{Y*wffE1# diff --git a/fabfile/db.py b/fabfile/db.py index 129aa502..081764dd 100644 --- a/fabfile/db.py +++ b/fabfile/db.py @@ -32,6 +32,10 @@ def _load_db(): node_classes.update(cls) classes[node_name] = node_classes + # Sort member lists for a more easy to read diff + for cls in members.keys(): + members[cls].sort() + return dict(classes=classes,members=members) _db = None diff --git a/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh b/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh index 28cbde09..1534dc5d 100755 --- a/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh +++ b/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh @@ -1,6 +1,7 @@ #!/bin/sh -set -e +#set -e +# not all breakage is un-recoverable... cmd_hostname="$1" if test -z "$cmd_hostname"; then 
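Review bot: Commenting out `set -e` in bootstrap-cosmos.sh means this root bootstrap script now carries on after any failed step; in the next hunk that includes `dpkg -i cosmos_1.5-1_all.deb` and `cosmos clone "$cmd_repo"`, after which it still rewrites `/etc/hosts` and `/etc/cosmos/cosmos.conf` on a host that may be only half set up. If only some steps are tolerable failures, keep `set -e` and mark those individually, e.g. `apt-get -y upgrade || echo "$0: upgrade failed, continuing" >&2`. The `set -x` trace is removed in the same commit, so a silent failure also leaves less output to diagnose it with.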
@@ -20,16 +21,20 @@ if test -z "$cmd_tags"; then exit 3 fi -set -x - -apt-get -y install rsync git-core wget -dpkg -i cosmos_1.2-2_all.deb +apt-get -y update +apt-get -y upgrade +for pkg in rsync git git-core wget; do + apt-get -y install $pkg +done +dpkg -i cosmos_1.5-1_all.deb if ! test -d /var/cache/cosmos/repo; then cosmos clone "$cmd_repo" fi hostname $cmd_hostname +short=`echo ${cmd_hostname} | awk -F. '{print $1}'` +echo "127.0.1.1 ${cmd_hostname} ${short}" >> /etc/hosts perl -pi -e "s,#COSMOS_REPO_MODELS=.*,COSMOS_REPO_MODELS=\"\\\$COSMOS_REPO/global/:\\\$COSMOS_REPO/$cmd_hostname/\"," /etc/cosmos/cosmos.conf perl -pi -e "s,#COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=.*,COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=\"${cmd_tags}*\"," /etc/cosmos/cosmos.conf 
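Review bot: The appended `/etc/hosts` entry is not idempotent: every re-run of the bootstrap adds another `127.0.1.1` line, possibly with a different name than the first. Guarding it keeps the file stable, e.g. `grep -q "^127\.0\.1\.1[[:space:]]" /etc/hosts || echo "127.0.1.1 ${cmd_hostname} ${short}" >> /etc/hosts`. Separately, `dpkg -i cosmos_1.5-1_all.deb` installs, as root, a package file that addhost copies over with scp, and nothing on the page shows its checksum being checked; comparing it against a recorded SHA-256 with `sha256sum -c` before installing would catch a corrupted or substituted file.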
diff --git a/global/overlay/etc/cosmos/apt/cosmos_1.5-1_all.deb b/global/overlay/etc/cosmos/apt/cosmos_1.5-1_all.deb new file mode 100644 index 0000000000000000000000000000000000000000..28cdaadecb4cc29e60287a551ce98d7ada04e972 GIT binary patch literal 11514 zcmaiaQ*b5>5M-QeZ0C!yvAHq7*c;m$+qP}nwr$(CZQOrXcUN^!*VQ#sQ#1Y8Q}Zyy zfAsAQ&G=xAj1A27t?3NRt@Z8Qh=_=oSlKx^nEoe;h#3E?|4(FMWMpS$B_jHd{~LO+ z%=C<~hBnrY_BNLEj{5fWrtbfLJr@(p|J4&lz<~TufPr5nE5sa7Adfs;%K2Tlh4ryh zM3y1gN=`Jjx;v%JKd+Lb;;HY#9YSyiQn3p`Vm(z>VK3x!`xJP>7fme z_|Ro`ZvP2PRBsdDy#84N_C?r2Xqjq_hve~A8cEukk~K;pO;eu0Gh4oV+1J)SZt}J^ zutOpe_YSO$p=KcIX?k<=OdQ`1zp>nj{&Ps9v$bGk zt6-v&9nQ%6WsM&4Y~;x=ajmQPXcW8G_7POvLu=+rr$IoksXT(cfJy!%{q6B@oo3|+ z>po`}m4D{Pv+{@Or)EZz9^eX&$4c0E$g5T&(<5jknnKoAXHdcm)6>!y++uYfe6bxu zxQeiTKK*z~c_6@r<-XHyxBIaZ15RU@aT8DYaT~sYd1zn3A4JtCX|3<8(~eMoJsWWd z2s~?dBg^!Bbo-$!Z;!%nXC(R{7_o}ch(8pQ9M>(m0{{+s;?aG;l{AgGpIpqN1vP06#gkb{ z-+k>KH2Ps+FL;Yigcsg@!NDGWV0#)Z$xp+FE@jz<%k@sh&)&Cq&dN{Z@cWNSZ>kcp zM6zibEt5hcnR>8s6|?k8JS@6ol+3>^e$`pBl+I)}W06^>Y(w>AYEl8XJZ0_O@@#_5 zXibSCxAxx6&X1=jhL?>(wF=4OMw0l%PHJpF>9FvWKa?s%x8yH5H{Ki7>2klQL`7AZ zgcwyJt5!VeM5apPzA5QHea0h6%ZJ;{Kmx`ih33a3u;t1p)$Vr0=NzzpU)~ zpOyc^|8E;GF|smp{;x?r*e?!uH4P9Dh~wo(F)$EfP|W|F?Z|LcuzT}EWugs&1=or1 z1)9`LAj#*3(LYI1pltmFDghnxg0njmcRebaO!Lcly^zJ=1|v3cNwBPmGYt;45!~xU zbGu$kA2djMGqSszieXBZem*W@QSyn!a;U%gFYf-a)NFFrg-z>*5h;oK-dYMu8i(qv z(}Wbo4>Loa#7T|L-83Cf^#kxkuvJa|O6RYwsFyWRt<_iA!|5UK%sx;*K)R8#gc-Y2 z8}jm4)7jmGfUWY`(Z9D=@x@9C6sS}O-lTq>UI%uf64pAEzU;fEaPEHRL zX`!@T1@E>R|HA9p)m6cW4MTxrHL0?Dam&j{agYu?rbQ&U+O)Uh;yfH$C$mL#A-POD z<~%0hQ5<#5$YQAM&RC7RlHy#8K48*M*bR>|{;G zOnlTBYtoFr zMM8E7MD+~UrVyEDuD+eZH+!m@*`UKJhI4N#p56H&0(aWzI!sQr56*HpUKI!1W~>=h zQSpsAQ-j9rfJoZPQ)iq3hIB`7Z5s?!t~?0F2^9v4y0s79KN^)Bh}&HucRlK#jYsfs zE?#Mj$&L09e$!7}q=Y+JKE$@+-MVPFcr7uJPe?MDV4x!e&V^G#OJjUtG?tTd6Z ze9a=a^gc(#NuQzEjTe zT~54mi1Onl(z?*)#3`Rwologe!0UA5o5)PQbT`Hfl(-&Y8wV=9!)F;)35ZPgUnxy# z6p^u@<^OJ#VgVo46`SPmv4Irn2&iFaKceJdpI|<0Vys*uI9$j5pg=X?#*;o{q0oW7!0y9zguk20|;ry)>6OqX4TMeZJ6b-(|PDb 
z>6bC;=P|4M{JW5kG&A<v>XWsCg@a1^y^f*EL75aZmT;ycm2oLuA~7E@Yp9ucGQ4FifP zoAc$~P+cF-uDlHX$lVmD>+mZHp(v<5ywofsmgd7{Q#aH6B-a=U0T!+fN1dwqSR8X| zFj(D0WiA{~p%x3+q8+`{sAZQwgoMN6L8n^8XI?92R;1ytp#y<5{>5b0<|v%g2(cdD z6U9n51))qOG?gYQ+3}d!!sp?dfGpGBbcphV)(B_7tmOTdgIJ&``&te3jCj zStG;|R-K1|RZIA5GP(zf9zPkD7X|MYW~bNTSVlIhJJqBDNgG84_LHRf1}W8hZ4};{ z50hfhQH4su{FDk(khwoX~&2ky^)o_B3t!rs~ z_7|rL@>T^Lch;hqDDB@pMpyBY5ioZPnS-IT<=#hf>=*UA0*02roaE}soIQq|E<-_l zBdRPbhv^vV$)!4XKISLl&3C1`@L9Me$8|)O*w#Mvbv!fBQY}O%tkI+uIYDo-k~j#!h$#wmo@YpK z#KY^po8J34#<`imel3^x3Eq|6Vb(N`wae;eW1%+2-ezJi_m6-mlja`@v&)S8y`$n` zNRo!^f4sI27E-$S4MB#Lp3E$=gpOtoLv|-X-Uv6t4oZ4PPw2JrGlQF5vb0faH_Dgl zfd*(#Ip*KPg+pnm$AR}Y%pHvd0n28XJ?9JaOG;M~gg)M_u1u0~8T9EiStT3o534Tny_eT>N!`)cINMofw!~NTMvMbO^BVs;kR$^=L7!tl`iVSrvu^w|_fU)c~Qp){;M+FJd z9MFpEOZ&?I5YopI-r(brYOl}Yn2$7sX^!ggA>1i?k613d=R|yeFVb>co0+*FEHyey z;|>?7_$w;|=lF%VdQ7KxOeA4Ai=7(CF)gX=61#AqY3ty#;zrwHEZjv*KQwCHyHshS zRPXM0Cd$d4mEokE%Rzh(sG&^2)qY0Xb}zyeOGFWLcA*Trt!t~qwUi5xeFU7ve25zb zqeMC{+fF9QRQ55J2UDDzUf7(|=qV9l?~; z$}i0g19u6!sGqNq+@#%oW2bqu;r6Gt<~7lfR6ogF;4MB|gFX`7Q|>0FPeLo<#$*@& z;JxLKi{D)+)c#e)XGW$$$zqdWVa7O4T^0e6N>$ZvSMI>qL(+CfTsNqmszhkNx3+?N z)%zwI0y2bbqklO0hc#ycI^VTK@1f>Ld;6=fmc{SrY@9K@lxm zPb?9B(RlHI4n!aN5wVeUKUTWJ2j#!vJL%B&zMZ4C21~-~yvOn!9;}vb9O6^MP8dGk z`XX1sq~9kfIgUf6znGis+wx%e@X0`fszj|qZ8xx=wx4#DYX}-;Pts_rpyiNDRH-R; zdqii4Q}62?SZqcnNPt&jOhG-&HCUUrA?;P)G77#eE8%Scs>11dH>+~?J`M61&{0a` zWWHnQ`{(Bl1!#nk;?NR1=(iAAu@x7N9;ThWlh}wC?pYO5VquMm^F7A~8wA}JSXQGB zSPvX@?CozLJL*8-vy^)es$fg1Yo=vt)HB-3y}xQm4U9*w1eY zYlx@nKC&Y_dF~7Hr*lSHqs%`@#g`sl1ZtIwNbhwxC|3dVYV&l~P6VQVwau!rG7{V7 z%hK2YsCQ~bo$vyl`j|0ei~Ay7CoZQ*H*5=lcAY1Vgk&C!hn6F?nIN%q1$kWRdC(+O z7?VD5-)wV$;>Pboo0tl3MbccvQ?pU)ARBHXxM{dWxgIpczOWjrwV)Oz)^YJG6MIx= z8wD1MzG5n@kp~-EB7#|>fabCfLu;!KTNjTWQG%TjD8v5C)Q%6*jezCEA+>^&05`P; zq10JJ5c{GKKgycV+{c?E8wpQQ?6h)YcLWZea*H~SmGb&J?V7J|+NsOk@F$l_{thF? 
zlu5SZ)5W=iepXeJYCWR=U&YoPNaM#y=|VG zf#z6YOqjaN8ui*|o~FL#FZ80eo>Xza@$FY86?`cib)EpFm8e!)RGJ0(kl8pp^=Ou~ z>LD?;$W`@{Cm5n8d6T_*T8hZG5;eE!>}3Zy;7YfrBSmTrv#muwrL%6t1^J@5cz1;d z1c0B7PZO_F>PH5;IgNXk8c?n`da-?Ayxe5dIzIXh;DNv+i5QWk6;C73~lQ`}uTWpuCU~VE=-dFsO zNgXz3>I2N)Vu1!VCKGWj<~8J=SoX|RY&!*Zon1yMUXf*0XqRCU%q4>6*w{tC6OK}l zO(w4^5%dYl<*|x1l$tXdPO92G8cVh;4&?W?X%yP$Vq^tDyN0*5O0gr$Q#|ed!|^{9Fo-pDPtmydRN9)NU)m z{ZIOUAG7oKY}8c(|Iov^hsH)skM5A_rtDrv;JUs8P{K3>M)DtsJyDjOtE=U|NB$>1 zF!1K?HQvHNgbmfa13;m_ZqeZ6qV@QP7t+cx@x59YNJy8 zq{XEbFiYkNGFgVm?E{%nMWtPp<0|B33J&M307^0?elufV5XK)WfUoTypuoSNJjrV9 zGU}sXXT1sQb^R4FG;zHYvU~EJR)73hTeKzIWaNb?KwVoD9!5(1LXFXrZ#YZqS^)$P zLDzrP%3$FsxBR4RuJ_N%zz!t{&&tk5ptZ@Lr7s}70?ZUj;6C~`)N>%smNLnz*i z`Tix)Am$;yL^9&0;L|_d+LfQtctg11SOY8R;|Gr4Kfp_(k^mpVc4;edQ!L_orpf1^V1aYXbyBQESGbCfGg>RvsVG;|lRw5D8UBKe>c!!J1G*h|3|B3{l zhe{F=dQXN^ea?oPNHSI&4>^&^TZ%PdiI~RVv%g+uo63zjOT>wNCf$1#s9Bsz_wRio zA}@aI%hzK$pE`d2Gb!=LXuerYT z*T^HhSxAOeI{5^a_Z`eu#to{%0;6q*g2^~g`2zAodMhKEV|IUDax0u#D*$)e;viHDa6}!AIN{nEgsJKsASlRUi0OqCT=U>fv({d zE266Pe;NG78rl1~GIo3z^Hp{%(rwW?zS>krN)r(U767`u$p{beus|awm17eApeo9G zL^eRbM)M#R&_!>v4eeppZCDBR5-@al;ZVr;+)BsR zBW+!>Q0M863#_%+y65~tT46*Z6+L_Kl69QYi?z)Ev{AJcd;E8^N*QHKs&~AW$Eb5- z$g9{Vk*^NhUa}I#7WlA>Eos7Cj^eW6a0sz45JTVlGbRyL&)q$87eqS{GN5fw#;+U3 zOcbAp(ynldZH%0@S6-kG%I)8UHojB`NjXntx^Y8;T3^9i^+`a-Z5Y&>ht9#_i|-F~ zLtOSkMH~Et|X) zO3d27{B<2&L#scYvK|A8qDPIb-M1IDY$?Oe!bay%nv!S*;nW%W~KfrP;K}8lI|euixyiFSYG7T zeUJGHZX-idW3!|dG2aU`+{;W-u{U^;e=kcOvngwwJ9ixS5s00m#A!++r7S8nItrMe zv&0HDinAHpy!|fwgk<-(y)Uz|6F6)~+62+NwN9$qO%@`rFd6@MYrs1j<$n`37wmBM zYVX*7qFNB;aSPf4y|vrr&(g48W`WjUdsd75CNj7Up<;eok=p zHk#Cdmk3?sckytYx!*H!0?knj``Dn;5Avo!y+N2haMDU;Tn~uZu~(w9ok_h zm>;x6*2zOVLn)DuJ-na*&|UbNS;S;NbzJ&jC@!gENDR33u^jbkcyCQXq5Jx4fb~@f zT>TDXajXq+aqMOBeeNpAW>s9>J~9{^gzoKf+%0*MJePWNwNa>TGt;~zX(hpWNiz4r zdi<$)aeqUOrA7I&gI5PS{1(SFD7X64ucM~Vhzg%%`9g>$>43%~&_ildNGnWIvri;l zPBdJ*a8Si7zZ$>yQaStW!!vbP^GbQ(+1gb+x=%F-v9LELq5UCjB|}$U^lwuit~oTJ 
zT0!cjIf>ZB`-VKcoU;HJ9(lhR)%yWT`eIt%Lbh5NoTx}O&p3MrdBxp|;z1nb7epN4 zHQ#z8yA%rv4CJv?HVL^;HM97&`r(x9y2thpWxJ;(f9G3fe3bOy8<1CyWFjdTBqUk> z(%_tl(!^f)cUE`(-t$N)vDv&{U(ZOZ`5BO}&qhZ1fdFIx2kt=@^kpIHSxhHj7Gnn- zzH}5D;pGSeK;IUfMzth5)bc-+$1{{Hc=Rw6-D71cUg zhd1WRqZh35(v~=3r#&|=t_UOt!I!j{@t}I4LyY zItN`?J9~W&@Sw&0(BFLmLbSRMccY5eO%Nq24k82Lxw38qzZbZZI*ancPB>m38kdC@ z_0x^*v!bplX7*d^mKn0{yQu((pFCRQ-OF0cF;_BQPnyqKxnGon8;MXYsN;v9>98Tq z0IPtVpTANadnmvLn^z}Sz?Qe9%OW|JhmYR-L+I@!Si!cB%WTp*9vb=he5Wc@X z%56`I6u8_#PrDRT+KaD#K<}GG(mJtP#Wu3tf3ZFSq5lkBt+m3-(>G#DlT8$LFF4HI zeO^|MsZqg{x%unl7Sj1>(ozF#H5niuwEgSIQoS_>`o*ozlr+;h#W7AhbJNfvTY0N{ zvmTrm12A9M!IL2+P4-Rs@LZ)d<;&>*p?SR4y%;4cAonJK)K#Y_ui1m+!-58trS*5B z?xCtVc_{tg3jqo`CS%X23@FNW(b?L_z>Ho~!}-Bl!OdMizD??lHM3Z-fF$9qt!!hC zKrLGeA4P(!pJLIB&%$js4$`VP?-yAnp+JG50SpUSz_YJ#^s#$YC! z#)oaHp7-^i5vZg{0oNaRlv;zc3zS_4r)WKl-*2Z*zarX`JE&<9gxJmEEK{Ju2yE9W z4`ndI$>Um=BOAyyYIgmn^5e1=(~hJ(^)|7Vr5hsVV|qSXM%}!e4{%+kQtzO|H21$f zEW1ncl*mKOxmy+o;?fA$T1P9+m%21raYn?3 z{WBuL2u6vu;nR}lq4V8e1xIO&hQu)Fk)yXD*fm?H%pUXGra^PPXBy0<(f3~eOfKl@ z(}|6k0_Qx5odr_7*w2<7*X=7r7VpTMdG>$Ig86sP^EhJ_;g`NRQy4JhL3`4xQ6jKm zIp?JuhbQUS;46-)U`jf;_j%f`jUJPCio2Pz-uA?8#%;DBTQ$^i(6->p;}h=#o5!HX zA^0B0G&+^|pkAwuWeAS7<)o4v^(tv?Cuur^^xDcD&8p|TvH=WCv?E%hOg+(Sb1gM*Onp%pY?=v`3qQj~h@N4SvHoNRkbEL~^y&otV(pcFEbBX)JxW{>4E1r0id- z;zRXSZ{>G!aXM8sK%8$al?W6ZnNVl`z`dA?Bun3*M;7k-Zy2VxlN4-D6Me7pTiQnl zL%C}-;S4K=cXX=~bGTpB|G4uq|A^K4rrXF8ycNC?+nN1})#3h?a#_=KVxQ7fHP8N_ zp@c)fN*N*IK0Ovc%2paVVFFD2pyUk!82@9?n~|n~LGh!FmRqefA4`X9FKp3ifmMP2 zrxOZUYMgN6<&=T8Iiv|uFaA=}1k#B5KxzP8;(=@j2J9H=iS44lKdnTq2{z<46}P&2?5X-?6qP3g^+(`v zE~6S=$r_cg06RwbxiE{v=*otVm?P-{{V`omhd1eMN^PH0R+H|HHRn|OO% z(;@g|^J&P+%_3gq61xQ=dhs)C7q+(6p+nnhiZCtW5y?f0`DW<`bp9Rt5X)&?-wM0_ zqpG0gb!#hcpQ&o5EwS zp))jV$pPpQv>y~8BVhq@uqNW+2TYo-L5h(bQiF0oFRaNUq z!4=Mp|1NC5R7YWrtYL^FJAQZ6w{v%A6t`u)#ku$eDAy7sBRay`Rs*6fVS5f3_EeE}n`iHS zG@5drEAkhtELx*L^^uB^mJ+i}Gl`02A|26)V$%1tBcZdzt640wd=LvBM!9Ztr9i&} zvLp_4dwvZ}3t<`9SZo|*U3RkmFsa}Lt@QRGDi40Lcr$|4GwvT_&DGT6YCYN|?;}G| 
zVBU(d)fVc<$)jIRN2yE#1H7%Vva#Syc59<6a-uDjc?LN!Hd_PVy-P!IuZyuTesK^l zAUa%n3^{!0xdpiF7s;)*hz3fu+Q)SB!lG9wB0%w2b%3kNytv3zB4{3Pjrfj$XBse=`hpUb87LlhnahF=?5-YNT zClsuaphzdXI%FkGqUUa;xx_xdL)tz|2>eOS$lwjfh|_|oI(y%ps5I+(`6MH zT;m4hwqR-R&QaU(u-gIR8dhJ*x)mg2sL)YMP}*rCK{GM~UNfKy>c((dj$_cg&Gs=N5@UM?0jn|^ur4f1F>GT*{ZZjYym1|mlfL9gCq43JO1yGi*U|pTl45}r z6yJ#D^%+&n$};dnJy3RZrP2OH7px|J4?fUGEGdFJ;rYTMw0#iwizPuzKvUDA!n4b; zEC2?qSD}?rM!Ss+(lBWd2c#uczw^=VcB8|PR>k)f#$r|hV>?Ebr8$1Xb!0EJC@G7t6fd1 zJ8<)Q$-@oWSR)%`%SCQN_T5>url;T-2=rH}l9=J0LLEf(7|l#_8#$|z)EQA`Fqz8x(L zn@yo9Y!$A@5jn&6o~LBrow4^i7%4NI%_X$JEP@<;)~K{wqUKMVT;Q;VT09z2p^=zU zgfRFQt1j+>Co`Us6{CCv5gS}#U%);ZiL8NczZ^e%tBe!AJ=dSxlNAeRNCEn5y4tvT z!C1)6JDud91Dj+hr(C>Sy@H+v!EO`YGL?uW{@Qa1AD1Uz;cLW@TeQ^k2jt479^K=i zb&ybqDbEf5rb|-IMEN5BeH9UMXNj2#1s!1xUGhw-0;`V@28iG*3l#DF4;5$%wVx9# zL8#BOOo3JT=jRwYs|;4$uV|}RyF*VLWhmFbzh+q;aZw*l1(cA2`$fpfQKC?cH*j7S z5bq&w?)hkdaG`@f1L&K0e{OGzeFlCqet~5`j|_4ziV^qTm4Z2U$yVGNu9BZ322uB9vvFraCA99ZSAN)bv+P0-kwD_ne5^G ztU?FbaWO8O_?r5vHM|!qg0$cuBbBiMe!r91@FA~>xAXi;cZ)UgBy!CNv&IZ8&EbMo zI50VNoEfUo0Q&nf@E*FSRKK;P+2*HEPVFMeBg^+3XFde+su`=1$ziP)I;b^B1DDYh zo8QdZ`;f5sKdvH;YG&$RPu{N7l_;vC6P279DiCq!iBm zYB%*w^qD%E0|n--ZeQ^a1DI0@Y%FpRvQ)>mCylCxq``A@SkHBEH4nnVCO(LpGp}T? zeT4?Qk!^{&I73P-f0KsR?TirktsUk`fn;Np$B;0S%A@=C){eglYlWe!59&A0rR zrIgErLJ&2E{J|~+S1M_dNj=hCjBQD{cFq3!`m9=fg&;vg+)NsRxp`U1ktoiRx{DTL}; ze2{P7@|qE(+&X)pp_IFNgT4MtLnc9bu>9j)bSVe+64`#+s*iGkFC)pe)fNn(sxW#4 z=ND*47u!izf2eLGq=#7tg#1)ClSQ%O=7R)TLtEWey$QyezmXJ6?!WdRRCV36DZaJG z#lr;g`p1vnac+*?`Is=%jK%cW87_n&7$S0LtRf#7C1h}Y2A9pajd*@ny_A;J2bF>f zJaFnsraq0Hc4#%3GC(M2ejmU8V*dNjO3dJy{A+ogb+u zy6{v8Ip6mAubs@+gLvml>4B(Meg^u}s_ciEaeabD^g-@=fg*iF1pGpz@dYBF+?0SH z7F7Kmhy7aknD?vTpl89a3aY;z#ibu7kG|57V z?dY=0T=XoOwL$k9zuQUroqRJ>#)1ILpeDhP3as`G2vrK_PA~WSgNN^-j%R&c?B=<# zy|N%?ah$02={6plBAtp-IczMw9$h%SyxY!@w#LHCxKqK%LAg0g1nX%BudU{F_mLK! 
zOLb8K&DMuZQYL^sw?QIkq6^Gh$3=sZ5$Go6*RJPg$wum5(+M558X4KJ8sYW(1o8H zeQwBPaEBjvggyMeAOa}t{R7yC2gE!0oID(K2w?><)MOGc^Wvm73NZhD3%i@gmiMo& zXHd~DG!F$)fFJN%*c-KOmkJ~p>sQ>=MuGG?vPVKWI^#A5iaRE;vV;FLzC}64XnqS!F`5A6~cad zES3OlAC|V40c`hS2o4M;BJkI*HzBYZM5mz-&?JcQifEIFnfg6%4%Bl5LIr~CzCe5s zosS?A@Q@q5(V_#ehTxqLZC^JDMgOLxq##<7U)DdsVlbBLx6 zVFFGMX(wEHWlnL|Kum|dHf|-wj~Jsx9fqPcobXz%uI${ z{7rPTFg_BIcb%RpLogsS32|=!8^|BZ{+ms7_e<~uw0!KU2GsVd%o7FE1H}1NgAnh9 zebGROxgUb3g&!p#5Ew9Y&s(stU<4&=`|+fxH}mfC`qA4nEvpRWmGMwCu_?k|q^*5F zzpnva_?KfP-mEJXgo_}Ysp{Z`=UHYDXty3O6pI zC+?(=U6=%7Q!VC1qI3nM(9}_Lm7Y|+#v!i61-K~aUQ_;JopDA-va$TXTZKsas}Dve zyW0!5dL(FPM`i8DMyc|qaC(o%dsIV1grn#di?=%@LxCN2W(pBt5rv&^h7VQsnN^OO z@jw2(?uXh&5k~t1U&-uj*TGk$w>zHJVoR(7JU+7Qca6KrEc7!5_Pk@(T4?r?{u*5c z^Ns95-{aA&)UdgBteu{ZAAtS>S*V52#@!E3e7l;}@oA-wE zNe4PO>4*mT!X?hZu`CATmncXoSjGP1cwq1JuG>_SWJC;O?Mj@5JT^^%1PZeozrIUU zX$*CbsxZ^ZzI?)(BB41UZ2u`~34oLgzP4~Nw2-}l*_mulKMr17BYzYxd+04EmX9_~ zXHCtJ41zt}iP7!Qi(}_i*)74}<6{mKeH#r?GQs-&N3nj!5o^_lc?{=2c%VkeNzj6KQGD{i*zWvcfU83`%6ejY&>Y9!X&^|hIW}(_Qw|Ff6zqm zyu*1cH@qaT=1_Mh(5p)j1ToBMb-q{~)NaPbqArFuN+SPLW$s4z6Yw(PA7Bs>)8@*@ zEKKF;7~ylO>J~N25dkRf2s~3ed_F+YN5$Dq-p>!J_dkASpnP)mO&XF{RjXE!cTdpd z=aR{1Fhk8;FEL%2KkYVH6~q@7=Boj||4o;EIY}yD9U~in06z#pK6s3nvJgRpSU*CD zFs}N$XD#Mf9OgEv6zXmr9O~xg>S!Hi?eA_`YVr$;3R&_C72gVX_Y&hzmrW~UZExpR zQS&rcV6&^{jy-5CGx!z*14mss-+EqY3)bd&u;+amvpRF;e!iv`T-gjvzI_*Vvo~M9 z{?w8+$lqXV;>6s8?Ir$J>P1?y#v2GP!_YL;BIte*nP)?mBh7cL5CZz z^3;B@c;h1j9MMNaaJh4Cizi-Euk)}9FX_j?ShRR@8`NSQ&Is!o$&%>$hM3t~vw5TE zI9;?e>}?sF8-GHOrEiZtNOmv2oBz?pR4JSzx0XfB)E9M2T6l^`-P5be+IERkn>^fbN5RP`T=0EkOMj%QVe3h1-m~9PvquOxk$;Qq7v7!}c6Q zm_AK@UaccmcoKQe<$GR(*%LdYTpbW9L0nxyxudkt=K5sct@g|KFOKx<^Dn5vg3VFE z39UII7&P%3_Qz~=`1BBv}v zJ6FQL6fM?-AyQukS^%%SS!~k?RuugCZyn>X_mG@1kju{9oIlttI?kc<5F9dgpTajc za`#V;2L}RCiP7uoYq@Oa_GKGeQ{lw5fB9n)K|x94Hx9!W5{HfagI+p*X`Oo+ndY5Q z%P+_eE1Wls&n7@y4nb?8)kz=aC{mt+Mu4^F=0=vH{!Hn9+zqMcdCB9V9)Sf&OLSi>fISW0|qN}eQg{1~wHpie9pG{#19t$Es_uHi9j3oX5cCp{W$ 
zR3m%!ii+PvJMUpQPPyA+TZ7Rbx=-N48K}g0PvnN?NImwdUs~82By{4@?^0XiIv=x0 zLbTM*Q7NO28I-Y28M#dJ)b^ZsPc5n8iW20EUvuTrq-fWNF!#Lk3Mu|BMbWX6k>o@V z9Ez2(k_uqulN+KMh+UQJ@i@%m{a$)wO{S>FHnrC+KBf$eAg7vHaCdy@tqV-RHF{ob z{{ttS8EbUYCV-Ve>aAtUSxF>fAlyA*IwSx~edP_vPeL2i-l>P428<4`N`Lj9(f{q| z8n==NUy)zYtX;wR$%<=A>v1W`?cD^Z@ch{5^O{R;@^TBSz>)tUds!nWI^tb~*0m_e z_gOmU7(+=ao*R;ub*GqCmH;Q92_3w@w!oCUR|&_IE8q#8Rx8p6iCB7n%>Deb9g?ZR za)oTPIvzJPY4ni*qp`4E4AdE6b^RS~G#Q!3Nt;}8DzKZ%Ud;6v;=(rgDNb ziiIpWqQlgIV}8In6GO)4(y^n3Hy2O!@Ore!)Fw^7UkatDg+SZG0x1Jx=YoTVeR-2t zYu9&%XU8ZbWiOp=^#|J@bI8b-o8#f5hYl=}oe2nDD~WEgI94u^ouxTO6w-h*v(2hvU4 z@0bTg@_xuD6?N;9=pDxHxqZC_y~)1zi}vy=lH3W|hVUZb zKXFm^J?~AP;~y zRSyxBJSIbdYN&HHvqF6fT`ijW6Fl|#iet{!_AVv^V$*u!j&U55UgHbz$+Q1FsIQ+K za6<0|lI!bl+rDCpkKb^Rj-p;D z4rt-J?C;VmrPRx`B(W~xmJ7tYWX)>Zzl$uIP`y}V*&=OJ;Hz2uUE+|4i4|BG&HNWj z>DDdlaH{MSXg=I8rpCf!TiyGOcKS^vn(YyTIhi0{fi_0Dej`Fd{)27nM`N@<-!@Z) zN>mbQzn*nshdK4~JE01%Lt`a(=*^XXhWwP|!S&L?K(ssl<}4rKc~W4!TzjrNiSoXy ziTIvW04>0EAjUmSzI^c)AdCj}y7=coSL92c+s2k?TaB$_)DsvQtlh<06M`i%Q$~9L zh1(Bl+x-AMJ(xi%pz|`JyFz>LteqFTAZEOjj$E!}%f1Y5s=}%#FyPx`m}cDA=M6w- zUG&9B$vpwtr~sVdPnwjaF*P-!)f#IKj5u4$PZ_vTiheeyTh>a)Zv~=Z`F2I)WIK;iLF4U zpN);kBHI_S!`rX>j04}){FZ@s`x@t?P}En>`kwV*cms#(#g$%2D1X1iu)P+N8FB6H z-P_r?(nSITt7x_(j=QPE;K8<*T4gcwHNDbYMT#t+vTn`A?+WQiPsb{=Hn<`PkUM7E z`Mdsv8+30mhqSZyA*q3aP)Etv*j3;0yo89?9gnNim$_Z5JyTGC*Zs@b&3Ry}i1?Mj zkx$+lj-eM{32?4nE}`pu#_uDsdu$=Tm&J2DE;Cwm&sPg5Y5nqmw0xT)LV#}i1ot_6 zN-+uft)>aHRE*JB@^c+kLLWQsRTx!KotHO;DmF-}QY#`lm?I{1faXAKuW0Xyw|cvl zj@pCqevjemV6rEH^$*9#M64^YJ)J6hOJlp|FMR+T%SQK& zWSD-Pj)IktQ+T)^t@$;;wtaXVDfg7JE*ZO!nE*A-cdFi)?}3M%!nX~^^L8yFVH~Tp zv;$A5?%>o2T_*32q4O2or zIAm&Q;)BqUk51T+GB#t#$~AnvQKdla@kUpwKQmI=cEhGHnw+ciX$&k&g842>t1AB_ zK5E$fG^<@4%psX&f^~lR#b7cTrEP+L$N;o*a8@RBZ19&^o=f0c1DA>f)jW)(G%n)K z20Rb4A~hV~8MqxlY&Xgf=n#U(kzNZgS%^|q^SG%U@Rg~wNf6DI#}tr>8D~rO5nW^tYT^Wh1(-J8vrh1_& zJU%B`ro0ItRvc0wODKDVgp1+(_#|_RVFajU3l;WNS*~J;*r3}MH(JOqkk-2^&Q7}{ zp%80gS>y$(4&2esYBra3e@I&0yIbv>RNt^Fy+}-N+h!tmJAr(*Pu7wWO|{j~Quo2J 
z?tksDOrK#$PR-WQ*7T;i=7nYhd6_#;K_=gzhqO!32T$+L7$_uIsORe&hmsPkZ4%_C z@?9&Ix#!zG&Z!`?s7+D}`8VpGMeIlbEx!v~8Pa#pi7TECuRqub_uNU)30xoJ8GkoiZ+_lM|&P^7J8It$6=lj#I`QjP}H9;mXfh zNX(_t{MZnmD7xkIID|ThGbsidA9sME>n-WYbz5_*EbYRB!`MolfFB-O@=G_baph19 z89xLQr?_GTtj;dB#S#0n;tokCplHt^nkQnqw?9StU<>bE;r;v>SF9bC4kv5n0-%;U z3}xa3*ZOO?9|*$DJQAN6ThW#T*c_o8Nkw;jM4b;6NU`r2_Eegr-pm{tgG!4HeD*U_ z0tR6h_$ID~{A)sDc)w}XG4z!f`e`h>N{4F@E&lOdafVSb{&5zHi;GXNiL^PgSHeQi z7}I%*dlftaz4ypGaQOQ6{2s=$Mf~!?+I5>E1aqLB#J+}bat8VE3*CF6jyn(w#tQ(x z^iX;yCGUp5=}5)CZV(}6;u5v%2>v{A9!V^k6-!U;NI^{Zh$bu@ z%#>7cta*7S)5$K|4Z06IhY)rAKqKxnd2h>7wLJghtScrdo!|3DU9+#=vuhoKq!i!& zSl6wLM#S3J#p?4qxrHJ|3AZqZrBMZ$O}9_#ocJ+0X6K5_LiodEsnd8s1#`#hJ*MPk z{3FNw{35jA*ux=cf)g8jWUE%I%=#nchcVPa&Px`JF4%xxOI_3A(PlAqKb z#U?TVMz?#1=XAl4S?_b+!N=8NOVSXX=sG5475MUN4t8vg;fD^W&^$}Ydlg1l31ewO z{3zBp)bsc8NJ!^5f)fd~{SP@ctJ3kfjoyRUA47o>am=|(QnqZ<<;qkmx0=dvY*0&yv8TIVPdCdY`*suogb;Fwo&TPDWH zLgB0yJV}Etnm_d0Cm%OTr&S!XoKFd2La~_Ru;VctxFVGx6W97w7?Pcp zv}CvN^9h?Dmh{msJC#=!F%e`DxII#%Ops1H%j*BT@OD{X=mJi^$gbMA%4b2>|H1uQ z%4FnFe=oK(b%Y$|c(L2-)RKT*X!q+!?faPuoX{9-D@-4is8G&T#td7kY|UuGwvtTj z>8?_~d7^iSWDJ~yc~Z7ms&Czh9&jbfzV&gb{7G5xHDqq7rw6}SHmZ`KofEqJY)3sA=Ld|Ixrp05Os}Kl>}WZ2bvs_k{{RO_0+8f z#FtYmwTX>mPfwrA-Cv-uD8Q^|XIY2|ly^aC^?l26 zJQy{7Hh6wbSsmvMM)^cQQ8oLhG-(J<)axjDau9fxjJ;}ida%>xm6r31Mnh}jnU}Uu zO0~PsjKMMoUt;_Uk|Twu(Mdw-C8;~lrrmDA?DwKboZFRJ`rWKvf}E3yj4Al0o5WVE zPp|hR;cEF;rzuBQ{(vtM;w1~Ery4^olLUw8z9O~6JU%HM z2VIrcQpW9}tUFT=&nsN5q*|UnPC$8u5x+6&22psu^5UL^ zj~|YijJYYE4AP;A6R3GP&dR`)pn|W|dLqT|OMBu<)n? 
z-ECG?r_(p5=miKXEu5`<)-VbhA6w%#{ABHo*kk5<)XJ*<8 z*0~v7YGj|URI+~*N9|IvTO6*@jj(7;W(5i^`gh~jT-pWb^^xCT{dihGF&_OL>=N&9 z9W)z?kK#5R8kfuG8-9B7@Jw}$QvyJqlAUbKA$U#+KHgrwLvoQd$WUSCF7bJKs&Hl) zkn+i$W0lycH?aM|DHvx!S(bj~nbV?pdSWJ`q0n8{eo|^Cp|`a4*Az7fF$?Wl>cGr+ zU()K+Trnc#cb3TFuY}X${Ry%^i=uuT>Gvj0t7a!x-yCk8aCF-8Y>7t!;He+uAN{o+v9m z&rHsuqJ34~+{xu{%8f|pIS4&geMj#0A({K^?J%38PEKLWc%Dt(V!I=C!EiIh=hW-d z*L#OT1Ott66U6lvDKQ8qeFoUq;%6=DR-lM%Iee3kY>vL3_cd6t}r|hu?Nd2VmcL0Lx^bmjDH1PJ4&4kkB}Lpbi+K$0EOIB4WR#! ziWiY-ZN52j@-$|l)$B2g(AQQ=izte*Jx;M~9wk4xz$>oaQvcYtGz6(QzQ1D7Wp>qA zA$J7_iLlMg+Pc~~y(}W>467Z*lc;3pexFd__Ro`0>oQkWmqslrfBaTWrN=A@ zfj$h>VD>f?pTTjPjTN#^h$cn;YS*crS7Kfuf4zP1su@6%yoxK;5^>YByrx+%T#?wW zE&o1~6l)+MNzu4$cWXX}N@4}(qDj{E$YB1>+>&`;>?evUptw^9Dqzn3_^_1UZ;~uu z$-ka=N&UxBK!t9EKwL8P%FxA^dzjrY)r&JY?~<}N5iR^vePYwlWq4LuT*ODNot;M#=Vk>ReU_XBhrF2n$>n?H)mQdTD;?e}9*YL`76yVKH&9zbuPK^E#PAwB0UA@*>* zFV#KCgWuP4>leS4k}8^pPD7t*Pd}9+N05&r80@+YAQQ8CTlnSn!mlLiSYMkw*}25~ z$5Ysr&tK}PB|`u?_qXr$sN9`GrRUT|6v7h-?ZWWfzk<4s7g|#qfG0~{o2sR$5P_p7VVGqViJ4}48FTb3*legjT%l-K3`|O(T&vO5dgX`=N*xmt9-@&Ru z)Xs5++B4h?_7})Pq}XKgSCG_G+K<_Y6c_63LnB};s{25R^G~oT;E56K`yhD0xzg(A z>g+smeuw_}1vW-Qmj1XUK7s6bP#l~2p(;5l2fH%XMICznr*nt=N7sElK3JD?ZA%nK zUr$f0O*mQI1Na@|@@7V+pf9sDR4bdcr%lY`Hz`Qa9&ypq`K04@_f;uA`QOn@i=DRb zh3=HM(3*AV;%Ty&pD|RZ;-1#9_drW%=lmGU)|)*{08#l zT-1Lv(#Qk&ejb;0RUiP=wkT4vGe#3yZ`k6BbSkhjphHaX8`rX?xmpx0045j+AIbH zKnRHTAB8UTC&l~je~fs#0O-)&IKF_X{kT$mo~VPZ+M57KwSrHZ!{WFN!OpCiDyMIkqYT>J za9=gp#I4OAf$27agV(@MYPUm;6>bm=HA?Vm;?FFP#53Ajjm9nW3>!IGw4*{GWQOQ^ zMo{!`#?Wem_*65AowgC^Ql@k3Y)b33Ja%+jPQ;Gn6D(7-{pY~;g%h+uZksG`$0{{% zMBL?O_!GQ=B*s!xc<(eo;1mUN9|cF6sdz>l_OK!PT}ed|4I4sMsl(}u(K9M(1(N64 z3WNr~30S)#tG#tf5b`cPd9RofntqfKPJ5of){r6$d;RJ~a0Vk|&HgKj;b^TbbxzNgk|J!Z+i?!8pDt9d4- z-o6Nb%&ldj0yoc!q3ainsrNAj)ak6vY2mPJOX>2Lk@2yZHA!mff% zzR#N|5%Oos6wyIiR+C^99mhZ5=rivOD4+Yzgp!J3GAFGftT4Xf8wcrP-Yhy(T;)m^ zoh{tiYoOvb&v!Xk{e~o@3fCCDPWbCf!QEu=@fbkP{{TmF(yX_PJDc5}0RjZrqE++h 
z1m7wsS{mneO7mS^Q&~+LMH(1?9FsS~86kg}T7jW2D3)|~tf4RqfJWKqU9FRyi!0rdoXN-n-U}53!^pV< zj+B&V(BY}T2&(vZjylEi{!l$&-xPt+!08yA0M@T~Drm%6d~FMKds2J$7Q)2+m@emF zglz80hfv&^po>PDDvjc168yPNd#zei1h|0l#Z?d|SWN8SP~8JL#OXGli|q$KeiLjI za%o3#i{z7!z1IWntj{1W0E|$3w zMi;NHl!o(_;OM$V%e&XKx(bXwDelM=Qio02=V^=k$-F{{4%in%Qe^zG`Lk z!S%P6pPEF0%wiRWpx0VymFujT+%NDF?#Wi8vnF@Ee7H>n)Yo^@a>&rI_V^Lct`D+~ z;b2)uelBJ%*ud~P0V2ek*B&fr@Dd=lQ`2#ibt#y@Cbe~2IG-#PXhi0aGjc!9hq%4_;$2iqr#D)7WEVj(Vq;BCu*#GG#mi+ zV~-%Ox0Q8Xlh`Oc6BL*{ahLXQihyE z^G=sGp4~7VjucS>^H80i+e%jI_Dj?CPhTNsXRh>;?XZS$-1(fA<8=$=?z#$dJ{g6M zNiNsv;S_{}fI_5z0q!>}^V`+!Sg@6t4sGPLqRp;VQvAmzJCcR|xR5BNKy!}eF@bw1 z7dL%P8+yy^nZ~nquSxC$tMNT2<9-T@iIr9H-lXnR&|MZx>&yH z+AG-2TDB@@9FI6|7BjtHE~#B@Gwxid?|tzvTQOfA6MW=$KzI7(S$iYOt&jsHsiD99 z*}uf>NK%R5Hb74~GI*>h_xD6ym9^Lo^c;OvR*zpr8KmZbDg}73{b_K|BLtKLbt3v9 zRz()BxCN?(-NvdYW4&gVc#50NxJav|pGyb}snB4n=ybPX{hb)%7dMjOmR~YfAQRvO zQ5ym=x1|a=$QADD&}t`v#3;*ev%vE~l$1pR<|>aqfi%p`e@QR4_qn`9ld8LTOv8Fl z*z+Yp&MEFJ0RdcgF!Nn32?;~Tk&?sErrkfBnI`AEdx_md8OI)?pcNUgE=4P+!TG+y z{yxO?PVqId{1N)sDbITaqiRn%WTy6FtGyL^(f^QUmGfumCxPo^NJR;%CK4&p#0l#-pCj9mj{$2M@b}Ghy|5-#`uYgUEyp zz<6+;dwJyUXXrYI`tSFwrPCEg+0JtgLP@iPn+WWd;P37N?9MwqyHKvqeE8ab^}f#B z_i0ppL?8TrGQkjIgR>%4rJg0iLrcW%i+dP=$I1wymfYsx5@Tw|raG9S zOAR0tabCNr8g+}>gUM8qcZ7m&EQ7nErm)pbuHRQUdSgdEJoMKP0aaq%WRGE)MJjd|oa(8!hG6ccKfm12Fw0mGU>O&!!+bkAwC>ubEE7lq_Vwht zrx#+jQX*B0mYfaKw%d=55_o~D&ch1Vs;#iKY2>fJahU-`7xY5gc=T~$z!aS;_A7E= zgCudHcXi8&JC?S66aD|*ATYP+nBCwDa&9+rP}ctz{5_ubox15PQ?W7^GjW6%SWm$uyWQX#SeAWSo={6PxbeUJ-V6H|A_6sn$KlOWrat>` zjjp)PQ=el#EP<@mhP5({>S#zfIt?+*wXs-P+mVV}86#G>hY3n3&MX3+-l4(DviQG`CZT@V zh&(nXFZ9`k0EPo(%m(aZ20yy0zfg;-AU0?abGH*9KT62)d0~d|%z+>Xl?Uhk_+2uW zc2?E2ogVX&D9QnnYb>`qH{msmW>sf+$w5g{M;&UFUWhABAg%IdgSwr_68@Rs%C8#o zThO^LAC+513U_Vg6%uzSN5kvSYIbPDIz|(m6s#3Yn*r!7m$t;`L}*)6md`puH4n=B zvN1nP23^Vuz#Q;yW+X?=<&HZd;MNl0k9S|3iAR_6e5~I*ONE7uMv=F;7Z1=B{VU>J zRt8}llu5Y?X^&16@V~i$IEefqG1cuXy998#699=gUN0lyt0bJ5#9h!eTvdxMl76`g zm%Nq18{A>8tzfCg%NaO1mUO{sCn@NV@hfPA3@@e4J)zs5t)FIBA9`hut8F;Z5kQvQ 
zpMkb+HXq>l05d?!T=7~pxJSxus%7co>^6Xrt}l&d4mpS^xU;RsHBgi^P#qg^w5c^k z>NOX2f1y3+8{7<#j3m~MB1525UWz?x-M!HDhx=(GQvmc6gLJL*XZ#dj*hVEs%(?|| z;L_6y&^UWuTJ8$%YaM@U^8z|g>t2}__Idf;MPmKhh$+?vem%?c%R#V8kwXnTaVYiz zN(}U)@WGoS0F!4oQ$AGX6gTKqt0zxQg&`2v41@rx&rU~}{c$kEM7MSFhSGw&EijTD zXJ0dCx?p2{&-F5QNAunGS@F-KF9hyZkKoO}k)(bqxtG|)qVz-qDLi~@lGcSMH z*4N1_*7Wx-kXetmO)J;At$}TiNV_DoRmun;Ge&_8Do!S!Iyc6fR zsml3z21-=Xs+qJk3GGn2$Shn7P+t3vtXzm7*l2k^f`hfSD$mTSNma!oY989)yU+#J@0kSE$by7iAk#sqA(w{ zJoNg#(8A@w6g_HYwStPe5QIBj)V4T1JDK2`mO~WjV#4?i_yV+_h1KMb+xr+}KmS-Q zpGrAp5RKs=wGb0Crij6sR&~v%pGe}x_NYrSo*A67b&w?(E;}JxnI)LIXyI(@$XiuO zOHQG>Ummcr2_X`_Qd(B#TLa$7KFaOtz|aJ?Gmypi*~<4RYE+n3gS`h~L&E9NA;Q+5 zP)~p927h|1+j?%--;Pp+{rz!c2~kU-`WFm3_mPC6D$=p(bT-V%M#w@}fpd?1{9y2R zDOmgut*T7>Mp>REhoPxDq0=>8MI76>^r_PTDAf?0e+hPh*6mgC%M+$J8$&t6SF2mx zcEzlKK1Cf)Jrxz;!F2rrqJDJniwdk6uXoeG0zZ z0F}GgBzI*F3oUI=mnxlaXXoSUB$geJQi8|33-hd`w-5a}20VkWrRwW+z4;sqV5Sp^ z{gr&c`I9{l2d2jFACM>1Kn)rmEiX7GM1nJw47OIxk@p^eascxgrJh;#ttLD7~kh~ zw(ahg9?-}`GDT{AH{kQQiD{zDCG&{EG^p@%9K>A6REYAuQ6-dsI(#^*Rclgvuh!~#6+zAeC~+&!`6nFSExpBR}l0(ch|@OiJ8;)+S}tIEylUS{oe9iANIjKkY!?B5$84} z(2gDUE~Cg_R3#&&PPtEdrXnf3qjVxx`?xG@pR{p?l_ie!+&Jae6$KLV-DdoO=G6S> z|GVxjvnVCmd=+j8X^=qdBdG?sYET9(W(+>q;3}Sk;rEf?qJV(0vEDb^{k2WP=D$QE zya$DmPD#OuRu2JZMB%gmiCle}t~9SbfJ6TopJRuFEk~}p%Xniv!5wZI0J1RFhAe?9 z)FSL6Wf|#Tj2oW>tmBJYK{Nl{XyLkAp_$+r4jIb9CKe~qp!<2VNfBzx0s%u3DuI&v zIz28y)QkfK5}v{aEi;zF20!i85n1C#&lz<|nz~BA21Aj5QO_aSNY7bT-wyHwvHP+= z%jt5&5{09h{bRPM^~VHOFR9=h%}ioiSv(XR!{{Itk?CmiS9>sgQ;j~_gfSV8kabX` zq9R^#MhE2dm~MyWq6oK>RAe>hnTYCL@FpJT;82Cf^;Cl8TM_y=LvFGN#5)x=j-riQz{NpHN{bMI zr6TKUGTEzzv20f8!1uq4)Ny`=AW$~Cvih)%ZmtPAY2?;P1yPtqr zygI^hhR#8{3F{bm+X7~c6VYSbtp(FH0ZrDke$$#AAZ4u$vIJSk!mT-c!zY}?)pvy^ zty9j}puS8>rLrueuV%|1!hre|WYGExZR^hjm~q#rZAW%ag+f^IQ?&yty6UaX%;(HiGefq zw|JqbZI~ttE28Htf8;GVORvlP;AzzZd#PA1q!mky4w^%6N;S5yQ+)(5OlnPP&6FM3 z0pPv&p^~t@M#|(w(Qw5O{6))6-2-cSE?BtZm^#2sODug}tC|_-xn1^5yUM~F@~bEz 
z^0nRzLx)HLw8f2f;~-@))<#Exz$iRPb?t`Y7OfVwyCS3A;N{i1^Ai0ZB*ypwsb@&HpY<_8wGLNeWlZ=lQALvIw0?~Enjfl zqw;e}Yl&5`Qncz*1u5N)l2_vOpK21+Yj?CUi~@S7STPGM-y{@_mJk_Z*gfK-8}vS^ z!Nwo#5aU+S#3!7F{PW}@;t?=wyE=%IFQ|bEQdZY(_YMpg?Th9L8^xAH$bKY90!j?0 zm4t}?F0Ny(=9B^fYiO(s{&za}mYiD{!p*Ib7@F+Os~e#1hlQm&HbUo+Rs`pK9?gZ} zl=M3rdXl~kj8>ZmpYRa_hBuW!#yr_H<1oG#&WmT3e+f@c5GBprG}~DQFZ3!CcnQkP zUBON!i=vCZQwONyxY8vsz$GZGqq$loOqcf|3moN#@%VC+I<+0+arV4}N!_4IWN~jR z7#As;R&$2@T~H=!KCgEQ+K3TwfC*CYxs*zH;!+4#PRB2`)6NvE02CCl2`rr!>t6t^U&0_M)?Rlw& zh^`&3-5eW;MfmoqbY=EobL1&PFyC`L)bBcvDdy@E@RDirNm`ZwHOZQOS#} z5KD}N3bB6Uj|FE!&W;ETbdW9!uQvtcwCE?;ESsCB_TG^H@ID)L{@n#3`LXmjBYU;k z_IpT7M=HvmAy?^GlMzn@r=(v9QY7Yd@8`2#`A@KPLn2t)#WOhd{_xcOpc(LujNc0~ zwW@$tU|tbZ>&;F-0k8zv{hL`m>{Y}`(wkxVo_KI&a(s2EPcbVuIEZA{gOGe4rE$4RI|K>Y75Ph0yUYq!|Ou@DRg1=Arm) z`Gp!o=Uq-=jS+pc!S_239@w$c$=Ew3?;xM4lV>toVPwI8>IA;G9z5GH%GPoCau`4` z{t5Izr_P`&y-+G?`DA{c6NHvp6BP7LZA0^K^U?yNoX-AtbOJ*Of2#WWgler1#j90l zMs%;;80pBLzX4gCJ9B4UFIq4t2=BU}Ch5-wKB(sU+$86fLcweoge0%^WUguYq1ETp zeJXOH0hkIjaFhw87B5<<#rHpfcm`w;{p{sPF?9O#8oO8C76LmULeBAIeqdAEkoUBI z7Sp!uzfV5~f?aJLYw=!fbo0TZ!FNt6p{&QBi#AKz)II=XD5p0f{TtU5Xj^0yEn15j zs{N5x*z+StbD9vYpxI~9$dod_B392xR*CEt#(N;n&5qSJu=k@3i#e=wqUt&}zJD?s zfZ-$0oEQ=|^!CrnQ&1LHXs>;#sWK`s+^!g3F6d8prqC|Fx@bN!@fyea+ZhdCg?%Mm z(l|R|o$A=JD5==QpPqN!Lv!^G-u$;2gxjiys^o}FBK-QtEwO^hO1O7F^9tLO^?J_V zdurMMQzc(t5BwQKvJwRuRrzA#U72&|&Cc@2Z6&I6vq0sa@uPc}9rFI!WC9mp!Kj*sCv03)Emzbn=|ohCPW1wjOV969*v(WxC6?^Vrzo zaEb2Pub=e6Ah!J=+F9{ufJ23EoqcSnH7S=}p(b6s@aXfRM{QY5ru^nHe9yziNc@n{ zA=J%MyxYej5Sjf1$=aszSwmm^M9zY3k@u=_Svn5NuQ<`2&O2pQnTExdQ}B;yex^y(95O*qpkBvE|CZ|`Pv%<= z#)f92Zx-If71DlTvrS=bSt<&eZ84DxD^(|89}8rrzZtvl!Uon+;*bIoou?&>zZ;i+*b@MC5GO3G97(DNlXv73x4}5Bg za85cxU_Ud=u;s%c!H3X1{3Zm<_G5)`r_54&>~d}ga1Qhu%ne3OEnt=bu|)RVv$IPE zq4JcXOHSLkP)P8e#L`gQ1a6b479@+;GB^MF5&N!p=QH}p3VoxJJyc6xH`WO))N|O} zPoQqmpcy(-Fnxgah)elR9gmcS2=xX&>M$>2go3d2->o~p5z@G+;H*ag9WubvIo94d zoz=ArfU}FXj)z}DHOKj}Q&Ia$qcvK7$^ofq>+!NT$zkdd%vn*R2Bm?GMmxuAprj|M 
zOH0IRtsKrU_Qa9?VEX`5Za3dfK=w5{g>uQGU$k5Z$y*ygqdA9izX!x$+jrl&RWKq# zYqpcyAW%4noX;*EROhBN@%c!Wt#{?s^l-sOonRQet`0!HOg6H-ee3EH=?H0FMT*7o zAG?P7*4^|a1HeXV^ZE~WSI_p)939cKJA|SYF$}(iKUSSMTe*hn-uvrZP#g*xt+WRv z17}tf6=GOy3eu>xkz^m?XP=kjMN1Dtx0&Zb69i~XBv;05J?zYk>( zAK*(SSJkubM27>0XSsJ&-jbWR3_x;q8hbaw*y%&?3&2s###!2wS=l$18< z?@P|yjJB$S;=r9>TD8C8PnD^{ye5|@V~G1%oWobQvHW>aA62#JTn-)z*fR!l$(7TD zd&zWBs&X>!M{Ukb?N*#6anoRB5;_DD0QvFM|N1077XlXhnbs%eoUd}k6D8%dCY914OSaP*=)_R*f93?TbUh&&{O?z5W)3GYxzQm z(^AGeLf|-tKk!AjQZ@Vs1K%u1>q_<`C|8b;hcQEi^MfEgE*TrV*-t%6dgWp~&=A}P z!-FNi8uw7S*`8`?O!=hR$S5!%wkJV2ro2La9B7SLv`x_l&=3sbaj{-nrzAfTdX$?w{Q#{+f)td z&e8BPmjjTL3A}|?c&mXdZK!!i;Ep%Wtx-_}+;5EvrrV@6)?6@Nb(GvUs+JHieU8~w@>l-dhDu~j<)xAU za~1++wgN0c+d9vd*64HdDD9$I=q7KmPF={OoD8BM9a&bE&W9$zqn()~VEu2y*Ij?b0q9WS~l_>cubXz_;+$EMMh4o?4?`p~q zH&^jY7w%O5NXqgujwGc8y8LyzJ`Bo4is=o~nJ=yGX@kI9;MJZytrMj*2@PAfBgFK! zZ;bOCV3rTG*tsn|^ui||>Kekh{Xp86EU$crBy6txok1BYmFk_mof(-*o{K#hopXdK%UArqyPk9HA>?x9|`K7}EyEaUFukVDhaAw~VzUbpD`P^gZ- z;N)?#g(W3aqJKhqNh2mUWPY9$;M%w|wqdP9uCQqjYjX;dsMP)Cv9k5nJv-QUI#v#;!%*~62_Y&e?~zlQe&SqV=E{iVF=o&W*Wl1Q^h z9*4FO(YcqoE4~>1xuhR+3Ck$)GkKQ#`1hE0HvahRaeXJunQ#h=Vz+@Nl?7pdIa^LE zsIY~fNwmWhC)P$>)}J{DKgqW5*p-I-T!fMNy*rIwm@z-=wzKfqbH1Z;9?5usL#*rY z>uCChPv3w~%iGYcTjVmbf3GrR)Ish5s_$VVLzKWB6_EE?6PI}sQ0HGJxle?4_jTmL zRj>kOE-h60A;4O&FBveHu35UBWtpClQhD$PFO_F>T8`2&PC}Ni-N(tx9oVcohSOM< z`G@hcMbI^`b5%q>slu2Jj5ca5rh;wUpI3I@_LhHXGR&g7y&lb#0bX9yla-ePK+I9D z$IlU8rQ#I!Fld0?X7g&aflJr7PyEq)e#}nK-WxLS>Cf%z_bDRX#pdwl&0^)a_8NJBXB8D zX!-y)LOl>&><7bT{-rLdYzNmbM{=V!|6r;#)sP)Dw>0AgzzBcnOjp1S;LLj3w?0$F zJ~FNwkrbAfBT~9kTW3BFMFSixqSeXXG^7#a`^_QPmQWp2iEjr1{E28DOEFi6WD(vr zosnR^1*s}{mLz7>;o;1ka_-Oeqw#IGyHe=?lDdjT0bcFWW^mpkBY!!=ombF(kL3*hVG6qfOlc}gIXc% zFL|K7$J!!KzVreOoy=3lIe{^G90M!~1pNKV)J#l{%0=~$BBepYJo%i$yTGM{&;l9u z{#Bo5YHf`B>0jS903=j>X5<$pR3!3zN`j{Q&D>?2?a^*d!+{HEIX@f{+}wN_glF++ z=ZuF6_}6mrw9H58(bA#ae#+~QEdrExO!l2u_m!YxNr8}%P?KxQ1GSOt9`TorqrtLz zlrCy)3R4YM&hX1ZUS5V1>e|PP**tf!S`*BAdg>1rwYX^`8+QrVsCExI`62U%-)>rr 
zdIsRRR7;kQG^3>q&nrT@i(LFyZ`5X@PLyv|`a$Y%R9a3P3KN;kSf~YL0`toVq}Cdb z;3@+|FIu8TL?U#nHU26pNBEdvod4ZU_pt3j?QVWaA~}Q>|4t7k3uCq!=8(`oYVe+W ztMZwBRMiBf_~U~ibsOc5CY=E{yRbQW9xT52(y3#ijX{;$z>~_^W1UnewXq0Zg3}29 zywQ)zQ8;wmZ!U?8TdEpi3N-`Dm14x^7MECZ*eML=OG^VoMQF#36lqq3*7QtY78RJKin+GKKk=GB3zpO*!aak9=oT+-`<+AH;&qRgAI$YSXj3T zq>Jt4`-6dsmrKQZMP&-KDp)W%6gCqXHMgXo<++_pCorj8>j-$!p!L(j>5ic06g1QE zg%I>B$?(gP>UB^rFIkI5>oa=a8g~Fkqtc6^*(B;mOm#VJU(wa-mJRz%(f71C z+tV8j{6v00Xg+auh+NsayIl-Yy-D>mUCGr{zIfn}sX$Ds0JWs=i2io=b#it7-npgV zH_E4-ili)CW@H*1X+}I zir$_HAtY&?ToG1HWwmBLvrMvJ0Sh3$EIQf}nTpMMK2BK}4BThQ%h+Q5F%6|!H%g_; zK>#81T@xD?d2Ec)*g#D}L_S?ynk)6VYT*0zj6@Fg)*zZ!(U5ADLP7J!`uqDHXIFfk zwZ-bIAS#eClv;4x0W-rb>;+p~TC4nYDES`uRxhsjEc==FmHy{>?ks87;tXM#kt$rO zY?y)o-I?eT-*3@b2_+^eMv(l_cDIXG#2C6_U8xl_*?BfOU6*1C!DsxeFl;T&lr8}i znkAe(RTZacz0Jj^*=oUu6*Y?|d5AOT? zbSp9A307!e-+@C?PxEAaOjbxbyu+0V`#rRm!zN}pHVcd%F)@32yM7G+7qgAC7}ce} z8Aw>@=O-<$lU#wbu;_l|^?GTGH(>+PDGLe*sys2Sy%W|*A@c*zEWO=jH00zx7GVWq zW&xASR430#hFn2hq>6@jFLKl7)`)d7=&T1*S14&o5n1dA%%UI9G`R+6Z^J@!*O`sJt~7(U z_LFl!kWse$?8&|5c%YOaMzhCG$4Z}-_LnG})g6kvFSG*;LBO3q>d*kZ7I;+T1s-iY zH2H}}Qu6T`Dd}ty4s2Ez@{r#T>9}GBX^>G=iLViu5#!Ch!f>g44zmVmzU$eLsiYzj zdJLqgOeSdi?QaSB#)g*x@QXq~auh?_8H2>#NuZDg*24Zq2$M`~zbh0KaV9AH$Xa&$ zMDHS&qu)6iiPFS;f5i(paA0tOqFpVtgS>Jq@sn8V?Uw1Vs@&J z1z$OXBPUrE_crd0*J2&@(pY_nMmR;4l?&_{17M&;fq2?}1~UCXZBv9uUT6KN49;TX z^=gv`+7WBD!@K%VyfGrE?FGRd-8iU{P~-}tyxmniAkaZGdFsK3`+rO0e0tp|V(vE# z#4d3HltW-ibyTpiN<%IaJUbWERao@U*{NVy?_@3p)*r?pif6FrZK>%fxA^ELd?Dqq z2xbC0E~)JZJF^Zp3;FPU_s(MW;2BaKnsN{d9CZjJVY^ZQ`L8CE{>bw(vQks=K-Luj z$^dYT@J1y}XFyO!jP~NJ^|46+B&m`^D-pA5%Bl2Fx!=`uXz1hqF-K*e15E|BUkfbx zAY!S=_26TuXc~w3_sXS^G(~W&U~mjv<1uNjO!#6Z{Rw`f8NIMi_=dZGkF-&A{=4S+ zjVtm1kOIF^o47y1r6_-oufpxRHpgG?D9Pxk{VP-?Mm?Vmh&#abBiw^C6BG1#$^-$D zUEW#ooDZBna?J^P^LZg4nzI(uQuJPDN;4Zjl$l)nt0OZcl-VqB`A?P=|LzDLiTa;**wMQZI3QA^_q<&g?! 
zu_%S(COSnnDPPoX<*CyE!KmHOGiGKUfjYlsX^-93B~exde!##LYfxA(=9xP}xJ|ZS z1A6xIZqN6{Itqucn4ib6U!2Ix`kG4yR(jh zs;LYZf}-CLUSG2E%3?asVVXM~_iY?l1j@R2RAIDG(vkTnSS(taSsa8y`0KOl9|o8a zGv8;%Knu-GYS_-ZrN(9i%6odm808OVg}0qd-46q0X$^$ZB3o7o;2An~t`3i^H>n~< zRww7pwlp+D)@T4avLjN|J2EMh6SKkFut+@x*6k)1s=UjvsBM)~Kd)tv0U8mEV zhVl%d0%bdKvQ7l^=`~)iW$tmmjA4r>P{RbW|M@c($VUxy8QxWd^T%bQU(TbCCr}S} zrtwLehMq~io({zkdGYCo`n=F8p$S^qt)>-SB+#cGf!5JF4&03iMN#(LKq>+Y1j{eG z{IT2DRgx_wUzhY^)Zrxvic`+!iL%M`Bvtso9|do9VCwRtz!&nug7}h!w%Hi1hlMu$+R&8@CnN`Um{AOP1wj&3+m zu)};a7l)xcOp|S?q@cP#+fOUM6%`s*ehFLvgnES^*~)yhoD%{t%xzFftPU86Gxi>6 zCir|G2|5==LdBN+JyW@y+Z>;9(O*txEMIMAoW}#%UTxSK@+C(cL(Rh8>cKHt$J9s29DZ z)`7s5(srgCXqJbK>MV;R_l?E-Mth)lLqChQjbW3{gt>=u4E|1HYLM{kOix7j#*qa! z@ba?Cj;zro;F7%GW6WJ_913Gy5h%p84bUJgHEuEPs{)_Yb2f3+B)2KPvcX1)M16{6 xCjYnaejD<>Gx9$lOA|1iTmXQbMgjML0Fo>YoBxK*zkvQH38Ja>zW{2kO9ub| literal 0 HcmV?d00001 diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml new file mode 100644 index 00000000..e8e326dd --- /dev/null +++ b/global/overlay/etc/puppet/cosmos-db.yaml 
@@ -0,0 +1,790 @@ +classes: + acme-c.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: &id001 {domain: sunet.se} + nrpe: null + nunoc: null + sunet_iaas_cloud: null + sunetops: null + artisan-saas-idp-proxy.sunet.se: + autoupdate: null + dhcp6_client: null + entropyclient: null + https_server: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + saml_metadata: {filename: /etc/satosa/metadata/artisan.xml, url: 'https://idp1.artologik.net/federationmetadata/2007-06/federationmetadata.xml'} + sunet::dehydrated::client: {domain: artisan-saas-idp-proxy.sunet.se} + sunet::satosa: {dehydrated_name: artisan-saas-idp-proxy.sunet.se, image: docker.sunet.se/satosa, + tag: artisan} + sunet_iaas_cloud: null + sunetops: null + swamid_metadata: {filename: /etc/satosa/metadata/swamid-2.0.xml} + ca.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + cdr1.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunet_cdr: null + sunetops: null + cdr2.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunet_cdr: null + sunetops: null + ci.nordu.net: + entropyclient: null + infra_ca_rp: null + mailclient: &id002 {domain: nordu.net} + nrpe: null + nunoc: null + sunetops: null + ci.sunet.se: + entropyclient: null + https_server: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + code.nordu.net: + entropyclient: null + infra_ca_rp: null + mailclient: *id002 + nrpe: null + nunoc: null + sunetops: null + comanage.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + crowd.sunet.se: + autoupdate: null + eduix: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + 
openstack_ubuntu_16_04_dockerhost_eduix: null + sunet::dehydrated::client: {domain: crowd.sunet.se} + sunet_iaas_cloud: null + sunetops: null + webserver: null + datasets.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + docker.sunet.se: + entropyclient: null + https_server: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + ds-legacy.sunet.se: + autoupdate: null + ds_legacy: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + sunet::dehydrated::client: {domain: ds-legacy.sunet.se, ssl_links: true} + sunet_iaas_cloud: null + sunetops: null + ds-test.swamid.se: + autoupdate: null + dhcp6_client: null + ds_test: null + entropyclient: null + infra_ca_rp: null + mailclient: &id003 {domain: sunet.se} + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + sunet::dehydrated::client: {domain: ds-test.swamid.se} + sunet_iaas_cloud: null + sunetops: null + swamidops: null + webserver: null + flog.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + git.swamid.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunet::dehydrated::client: {domain: git.swamid.se} + sunetops: null + swamid_md_master: {hostname: git.swamid.se} + swamidops: null + gitlab.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + idp-test.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + idp.sunet.se: + autoupdate: null + entropyclient: null + https_server: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + sunet::dehydrated::client: {domain: 
idp.sunet.se} + sunet::frontend::register_sites: + sites: + idp.sunet.se: + frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] + port: '443' + sunet::satosa: {dehydrated_name: idp.sunet.se, tag: sunet-idp} + sunet_iaas_cloud: null + sunetops: null + swamid_metadata: {filename: /etc/satosa/metadata/swamid-2.0.xml} + imap2.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunet::dovecot: null + sunet_iaas_cloud: null + sunetops: null + lobo2.lab.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + loke.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunet::frontend::route_reflector: null + sunetops: null + md-master.reep.refeds.org: {entropyclient: null, infra_ca_rp: null, nrpe: null, + nunoc: null, swamidops: null} + mds1.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunet::dehydrated::client: {domain: mds.swamid.se} + sunetops: null + swamid_static_signer: null + swamidops: null + mds2.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunet::dehydrated::client: {domain: mds.swamid.se} + sunetops: null + swamid_static_signer: null + swamidops: null + mdx1.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunet::dehydrated::client: {domain: mdx.swamid.se} + sunetops: null + swamid_pyff_signer: null + swamidops: null + mdx2.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunet::dehydrated::client: {domain: mdx.swamid.se} + sunetops: null + swamid_pyff_signer: null + swamidops: null + meta.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + monitor.sunet.se: + 
entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + nagiosxi-kvm-lab.nordu.net: + entropyclient: null + infra_ca_rp: null + mailclient: *id002 + nrpe: null + nunoc: null + sunetops: null + nidev-consumer2.nordu.net: + entropyclient: null + infra_ca_rp: null + mailclient: *id002 + nrpe: null + nunoc: null + sunetops: null + webserver: null + people.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + pypi.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + sunet::dehydrated::client: {domain: pypi.sunet.se} + sunet::pypi: null + sunet_iaas_cloud: null + sunetops: null + webserver: null + random1.nordu.net: + entropyserver: null + infra_ca_rp: null + mailclient: *id002 + nrpe: null + nunoc: null + sunetops: null + random2.nordu.net: + entropyserver: null + infra_ca_rp: null + mailclient: *id002 + nrpe: null + nunoc: null + sunetops: null + redis-fe-1.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + redis_frontend_node: &id004 {hostname: jsub.sunet.se} + sunet_iaas_cloud: null + sunetops: null + redis-fe-2.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + redis_frontend_node: *id004 + sunet_iaas_cloud: null + sunetops: null + registry-test.swamid.se: + autoupdate: null + emergya: null + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + sunet_iaas_cloud: null + sunetops: null + swamidops: null + registry.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + 
rt.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + saas-idp-test.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + ubuntu_dockerhost: null + samltest.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + se-east-1-infra-rs-1.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunet::frontend::route_reflector: {router_id: 89.45.232.186} + sunet_iaas_cloud: null + sunetops: null + se-east-1-jsub-1.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost_net_host: null + redis_cluster_node: null + sunet_iaas_cloud: null + sunetops: null + se-east-1-jsub-2.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost_net_host: null + redis_cluster_node: null + sunet_iaas_cloud: null + sunetops: null + se-east-1-jsub-3.sunet.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost_net_host: null + redis_cluster_node: null + sunet_iaas_cloud: null + sunetops: null + se-fre-lb-1.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunet::dockerhost: {docker_version: 17.03.1~ce-0~ubuntu-xenial, manage_dockerhost_unbound: true} + sunet::frontend::load_balancer: null + sunetops: null + se-tug-lb-1.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunet::dockerhost: {docker_version: 17.05.0~ce-0~ubuntu-xenial, manage_dockerhost_unbound: true} + sunet::frontend::load_balancer: null + sunetops: 
null + sp.swamid.se: + autoupdate: null + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + sunet::dehydrated::client: {domain: sp.swamid.se, ssl_links: true} + sunet_iaas_cloud: null + sunetops: null + swamid_sp_test: null + swamidops: null + sto-fre-kvm1.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + sto-tug-kvm-lab1.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + sto-tug-kvm-lab2.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + sto-tug-kvm1.swamid.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id003 + nrpe: null + nunoc: null + sunetops: null + swamidops: null + web-a1.sunet.se: + api_sunet_se_kalturabilling: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + static_sunet_se: null + sunetops: null + webappserver: null + webcommon: null + www_sunet_se: null + web-a2.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + static_sunet_se: null + sunetops: null + webappserver: null + webcommon: null + www_sunet_se_master: null + web-a3.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + static_sunet_se: null + sunetops: null + webappserver: null + webcommon: null + www_sunet_se: null + web-archive.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + webserver: null + web-db1.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + webbackend: null + webcommon: null + web-db2.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: 
*id001 + nrpe: null + nunoc: null + sunetops: null + webbackend: null + webcommon: null + web-db3.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + webbackend: null + webcommon: null + web-f1.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + webcommon: null + webfrontend: null + webserver: null + web-f2.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + sunetops: null + webcommon: null + webfrontend: null + webserver: null + web.nordu.net: + entropyclient: null + https_server: null + infra_ca_rp: null + mailclient: *id002 + nrpe: null + nunoc: null + sunetops: null + wifiprobe.sunet.se: + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost: null + sunet::wifiprobe: null + sunetops: null + wiki.sunet.se: + autoupdate: null + eduix: null + entropyclient: null + infra_ca_rp: null + mailclient: *id001 + nrpe: null + nunoc: null + openstack_ubuntu_16_04_dockerhost_eduix: null + sunet::dehydrated::client: {domain: wiki.sunet.se} + sunet_iaas_cloud: null + sunetops: null + webserver: null +members: + all: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se, + cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se, + datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se, + git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se, + lobo2.lab.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se, + mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se, + nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se, + random1.nordu.net, random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se, + registry-test.swamid.se, 
registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se, + samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se, + se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, + sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se, + web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se, + web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se] + api_sunet_se_kalturabilling: [web-a1.sunet.se] + autoupdate: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, crowd.sunet.se, ds-legacy.sunet.se, + ds-test.swamid.se, git.swamid.se, idp.sunet.se, imap2.sunet.se, loke.sunet.se, + pypi.sunet.se, redis-fe-1.sunet.se, redis-fe-2.sunet.se, registry-test.swamid.se, + se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, + se-east-1-jsub-3.sunet.se, sp.swamid.se, wiki.sunet.se] + dhcp6_client: [artisan-saas-idp-proxy.sunet.se, ds-test.swamid.se] + ds_legacy: [ds-legacy.sunet.se] + ds_test: [ds-test.swamid.se] + eduix: [crowd.sunet.se, wiki.sunet.se] + emergya: [registry-test.swamid.se] + entropyclient: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se, + cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se, + datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se, + git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se, + lobo2.lab.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se, + mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se, + nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se, + redis-fe-1.sunet.se, redis-fe-2.sunet.se, registry-test.swamid.se, registry.swamid.se, + rt.sunet.se, saas-idp-test.swamid.se, 
samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, + se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, + se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, sp.swamid.se, sto-fre-kvm1.swamid.se, + sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, + web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se, web-db1.sunet.se, + web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se, web.nordu.net, + wifiprobe.sunet.se, wiki.sunet.se] + entropyserver: [random1.nordu.net, random2.nordu.net] + https_server: [artisan-saas-idp-proxy.sunet.se, ci.sunet.se, docker.sunet.se, idp.sunet.se, + web.nordu.net] + infra_ca_rp: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se, + cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se, + datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se, + git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se, + lobo2.lab.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se, + mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se, + nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se, + random1.nordu.net, random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se, + registry-test.swamid.se, registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se, + samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se, + se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, + sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se, + web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se, + web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se] + mailclient: 
[acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se, + cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se, + datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se, + git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se, + lobo2.lab.sunet.se, loke.sunet.se, mds1.swamid.se, mds2.swamid.se, mdx1.swamid.se, + mdx2.swamid.se, meta.swamid.se, monitor.sunet.se, nagiosxi-kvm-lab.nordu.net, + nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se, random1.nordu.net, + random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se, registry-test.swamid.se, + registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se, samltest.swamid.se, + se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, + se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, sp.swamid.se, + sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se, + web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se, + web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se] + nrpe: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se, + cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, comanage.sunet.se, crowd.sunet.se, + datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-test.swamid.se, flog.sunet.se, + git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, idp.sunet.se, imap2.sunet.se, + lobo2.lab.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se, + mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se, + nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se, + random1.nordu.net, random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se, + registry-test.swamid.se, registry.swamid.se, 
rt.sunet.se, saas-idp-test.swamid.se, + samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se, + se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, + sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se, + web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se, + web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se] + nunoc: [acme-c.sunet.se, acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, artisan-saas-idp-proxy.sunet.se, + ca.sunet.se, ca.sunet.se, cdr1.sunet.se, cdr1.sunet.se, cdr1.sunet.se, cdr2.sunet.se, + cdr2.sunet.se, cdr2.sunet.se, ci.nordu.net, ci.sunet.se, ci.sunet.se, code.nordu.net, + comanage.sunet.se, comanage.sunet.se, crowd.sunet.se, crowd.sunet.se, datasets.sunet.se, + datasets.sunet.se, docker.sunet.se, docker.sunet.se, ds-legacy.sunet.se, ds-legacy.sunet.se, + ds-test.swamid.se, ds-test.swamid.se, flog.sunet.se, flog.sunet.se, git.swamid.se, + git.swamid.se, gitlab.sunet.se, gitlab.sunet.se, idp-test.swamid.se, idp-test.swamid.se, + idp.sunet.se, idp.sunet.se, imap2.sunet.se, imap2.sunet.se, lobo2.lab.sunet.se, + lobo2.lab.sunet.se, loke.sunet.se, loke.sunet.se, md-master.reep.refeds.org, mds1.swamid.se, + mds1.swamid.se, mds2.swamid.se, mds2.swamid.se, mdx1.swamid.se, mdx1.swamid.se, + mdx2.swamid.se, mdx2.swamid.se, meta.swamid.se, meta.swamid.se, monitor.sunet.se, + monitor.sunet.se, nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, + people.sunet.se, pypi.sunet.se, pypi.sunet.se, random1.nordu.net, random2.nordu.net, + redis-fe-1.sunet.se, redis-fe-1.sunet.se, redis-fe-2.sunet.se, redis-fe-2.sunet.se, + registry-test.swamid.se, registry-test.swamid.se, registry.swamid.se, registry.swamid.se, + rt.sunet.se, rt.sunet.se, saas-idp-test.swamid.se, saas-idp-test.swamid.se, 
samltest.swamid.se, + samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-infra-rs-1.sunet.se, + se-east-1-jsub-1.sunet.se, se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, + se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-east-1-jsub-3.sunet.se, + se-fre-lb-1.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, se-tug-lb-1.sunet.se, + sp.swamid.se, sp.swamid.se, sto-fre-kvm1.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, + sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se, sto-tug-kvm1.swamid.se, web-a1.sunet.se, web-a1.sunet.se, + web-a2.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-a3.sunet.se, web-archive.sunet.se, + web-archive.sunet.se, web-db1.sunet.se, web-db1.sunet.se, web-db2.sunet.se, web-db2.sunet.se, + web-db3.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f1.sunet.se, web-f2.sunet.se, + web-f2.sunet.se, web.nordu.net, wifiprobe.sunet.se, wifiprobe.sunet.se, wiki.sunet.se, + wiki.sunet.se] + openstack_ubuntu_16_04_dockerhost: [artisan-saas-idp-proxy.sunet.se, ds-legacy.sunet.se, + ds-test.swamid.se, idp.sunet.se, pypi.sunet.se, redis-fe-1.sunet.se, redis-fe-2.sunet.se, + registry-test.swamid.se, sp.swamid.se, wifiprobe.sunet.se] + openstack_ubuntu_16_04_dockerhost_eduix: [crowd.sunet.se, wiki.sunet.se] + openstack_ubuntu_16_04_dockerhost_net_host: [se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, + se-east-1-jsub-3.sunet.se] + redis_cluster_node: [se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se] + redis_frontend_node: [redis-fe-1.sunet.se, redis-fe-2.sunet.se] + saml_metadata: [artisan-saas-idp-proxy.sunet.se] + static_sunet_se: [web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se] + sunet::dehydrated::client: [artisan-saas-idp-proxy.sunet.se, crowd.sunet.se, ds-legacy.sunet.se, + ds-test.swamid.se, git.swamid.se, idp.sunet.se, mds1.swamid.se, mds2.swamid.se, + mdx1.swamid.se, mdx2.swamid.se, pypi.sunet.se, 
sp.swamid.se, wiki.sunet.se] + sunet::dockerhost: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] + sunet::dovecot: [imap2.sunet.se] + sunet::frontend::load_balancer: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] + sunet::frontend::register_sites: [idp.sunet.se] + sunet::frontend::route_reflector: [loke.sunet.se, se-east-1-infra-rs-1.sunet.se] + sunet::pypi: [pypi.sunet.se] + sunet::satosa: [artisan-saas-idp-proxy.sunet.se, idp.sunet.se] + sunet::wifiprobe: [wifiprobe.sunet.se] + sunet_cdr: [cdr1.sunet.se, cdr2.sunet.se] + sunet_iaas_cloud: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, crowd.sunet.se, + ds-legacy.sunet.se, ds-test.swamid.se, idp.sunet.se, imap2.sunet.se, pypi.sunet.se, + redis-fe-1.sunet.se, redis-fe-2.sunet.se, registry-test.swamid.se, se-east-1-infra-rs-1.sunet.se, + se-east-1-jsub-1.sunet.se, se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, + sp.swamid.se, wiki.sunet.se] + sunetops: [acme-c.sunet.se, artisan-saas-idp-proxy.sunet.se, ca.sunet.se, cdr1.sunet.se, + cdr1.sunet.se, cdr2.sunet.se, cdr2.sunet.se, ci.nordu.net, ci.sunet.se, code.nordu.net, + comanage.sunet.se, crowd.sunet.se, datasets.sunet.se, docker.sunet.se, ds-legacy.sunet.se, + ds-test.swamid.se, flog.sunet.se, git.swamid.se, gitlab.sunet.se, idp-test.swamid.se, + idp.sunet.se, imap2.sunet.se, lobo2.lab.sunet.se, loke.sunet.se, mds1.swamid.se, + mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, monitor.sunet.se, + nagiosxi-kvm-lab.nordu.net, nidev-consumer2.nordu.net, people.sunet.se, pypi.sunet.se, + random1.nordu.net, random2.nordu.net, redis-fe-1.sunet.se, redis-fe-2.sunet.se, + registry-test.swamid.se, registry.swamid.se, rt.sunet.se, saas-idp-test.swamid.se, + samltest.swamid.se, se-east-1-infra-rs-1.sunet.se, se-east-1-jsub-1.sunet.se, + se-east-1-jsub-2.sunet.se, se-east-1-jsub-3.sunet.se, se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se, + sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se, 
web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-archive.sunet.se, + web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se, + web.nordu.net, wifiprobe.sunet.se, wiki.sunet.se] + swamid_md_master: [git.swamid.se] + swamid_metadata: [artisan-saas-idp-proxy.sunet.se, idp.sunet.se] + swamid_pyff_signer: [mdx1.swamid.se, mdx2.swamid.se] + swamid_sp_test: [sp.swamid.se] + swamid_static_signer: [mds1.swamid.se, mds2.swamid.se] + swamidops: [ds-test.swamid.se, git.swamid.se, idp-test.swamid.se, md-master.reep.refeds.org, + mds1.swamid.se, mds2.swamid.se, mdx1.swamid.se, mdx2.swamid.se, meta.swamid.se, + registry-test.swamid.se, registry.swamid.se, saas-idp-test.swamid.se, samltest.swamid.se, + sp.swamid.se, sto-fre-kvm1.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se] + ubuntu_dockerhost: [saas-idp-test.swamid.se] + webappserver: [web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se] + webbackend: [web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se] + webcommon: [web-a1.sunet.se, web-a2.sunet.se, web-a3.sunet.se, web-db1.sunet.se, + web-db2.sunet.se, web-db3.sunet.se, web-f1.sunet.se, web-f2.sunet.se] + webfrontend: [web-f1.sunet.se, web-f2.sunet.se] + webserver: [crowd.sunet.se, ds-test.swamid.se, nidev-consumer2.nordu.net, pypi.sunet.se, + web-archive.sunet.se, web-f1.sunet.se, web-f2.sunet.se, wiki.sunet.se] + www_sunet_se: [web-a1.sunet.se, web-a3.sunet.se] + www_sunet_se_master: [web-a2.sunet.se] + diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf index e1ef0e55..981d7658 100644 --- a/global/overlay/etc/puppet/cosmos-modules.conf +++ b/global/overlay/etc/puppet/cosmos-modules.conf 
@@ -1,36 +1,23 @@ +# name source (puppetlabs fq name or git url) upgrade (yes/no) # -# name source (puppetlabs fq name or git url) upgrade (yes/no) tag-pattern -# -# NOTE that Git packages MUST be tagged with signatures by someone -# in the Cosmos trust list. That is why all the URLs point to forked -# versions in the SUNET github organization. -# -concat git://github.com/SUNET/puppetlabs-concat.git yes sunet-* -stdlib git://github.com/SUNET/puppetlabs-stdlib.git yes sunet-* -cosmos git://github.com/SUNET/puppet-cosmos.git yes sunet-* -ufw git://github.com/SUNET/puppet-module-ufw.git yes sunet_dev-* -apt git://github.com/SUNET/puppetlabs-apt.git yes sunet_dev-* -vcsrepo git://github.com/SUNET/puppetlabs-vcsrepo.git yes sunet-* -xinetd git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-* -hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-* -# -# Alternate sources you might or might not want to use: -#concat puppetlabs/concat no -#stdlib puppetlabs/stdlib no -#ufw attachmentgenie/ufw no -#apt puppetlabs/apt no -#vcsrepo puppetlabs/vcsrepo no -#xinetd puppetlabs/xinetd no -#cosmos git://github.com/leifj/puppet-cosmos.git yes -#python git://github.com/SUNET/puppet-python.git yes sunet-* -#erlang git://github.com/SUNET/garethr-erlang.git yes sunet-* -#rabbitmq git://github.com/SUNET/puppetlabs-rabbitmq.git yes sunet_dev-* -#pound git://github.com/SUNET/puppet-pound.git yes sunet_dev-* -#augeas git://github.com/SUNET/puppet-augeas.git yes sunet-* -#bastion git://github.com/SUNET/puppet-bastion.git yes sunet-* -#postgresql git://github.com/SUNET/puppetlabs-postgresql.git yes sunet_dev-* -#munin git://github.com/SUNET/ssm-munin.git yes sunet-* -#nagios git://github.com/SUNET/puppet-nagios.git yes sunet-* -#staging git://github.com/SUNET/puppet-staging.git yes sunet-* -#apparmor git://github.com/SUNET/puppet-apparmor.git yes sunet-* -#docker git://github.com/SUNET/garethr-docker.git yes sunet_dev-* +concat git://github.com/SUNET/puppetlabs-concat.git yes 
sunet_dev-* +stdlib git://github.com/SUNET/puppetlabs-stdlib.git yes sunet-* +cosmos git://github.com/SUNET/puppet-cosmos.git yes sunet-* +ufw git://github.com/SUNET/puppet-module-ufw.git yes sunet-* +apt git://github.com/SUNET/puppetlabs-apt.git yes sunet-* +vcsrepo git://github.com/SUNET/puppetlabs-vcsrepo.git yes sunet-* +xinetd git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-* +python git://github.com/SUNET/puppet-python.git yes sunet-* +hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-* +pound git://github.com/SUNET/puppet-pound.git yes sunet-* +augeas git://github.com/SUNET/puppet-augeas.git yes sunet-* +bastion git://github.com/SUNET/puppet-bastion.git yes sunet-* +pyff git://github.com/samlbits/puppet-pyff.git yes puppet-pyff-* +dhcp git://github.com/SUNET/puppetlabs-dhcp.git yes sunet_dev-* +varnish git://github.com/samlbits/puppet-varnish.git yes puppet-varnish-* +apparmor https://github.com/SUNET/puppet-apparmor.git yes sunet-* +docker git://github.com/SUNET/garethr-docker.git yes sunet-* +network git://github.com/SUNET/attachmentgenie-network.git yes sunet-* +sunet git://github.com/SUNET/puppet-sunet.git yes sunet-* +sysctl git://github.com/SUNET/puppet-sysctl.git yes sunet-* +nagioscfg git://github.com/SUNET/puppet-nagioscfg.git yes sunet-* diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index d9dc495a..3f21f36c 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -1,2 +1,7 @@ -'ns[0-9]?.mnt.se$': - nameserver: +'.+': + common: + sunetops: + nrpe: + infra_ca_rp: + mailclient: + domain: sunet.se diff --git a/global/overlay/etc/puppet/cosmos_config_version b/global/overlay/etc/puppet/cosmos_config_version new file mode 100755 index 00000000..57786fdb --- /dev/null +++ b/global/overlay/etc/puppet/cosmos_config_version 
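Review bot: The new header of cosmos-modules.conf drops the NOTE that Git modules must be tagged with signatures from someone in the Cosmos trust list, and it drops the `tag-pattern` column name, while the list now also takes `pyff` and `varnish` from the samlbits organisation instead of a SUNET fork. I would keep that requirement documented, e.g. `# NOTE: every Git module MUST carry a tag signed by a key in the Cosmos trust list`, and restore the fourth column in the header line so the `sunet-*` / `puppet-pyff-*` field stays explained. Every entry except `apparmor` still uses `git://`, which provides no transport authentication. Since 018packages in this same commit accepts `https://`, the remaining URLs could be switched, e.g. `sunet https://github.com/SUNET/puppet-sunet.git yes sunet-*`.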
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+set -a
+COSMOS_CONF_DIR="/etc/cosmos"
+. /etc/cosmos/cosmos.conf
+COSMOS_VERBOSE="yes"
+set +a
+
+/etc/cosmos/update.d/25verify-git 2>/dev/null | grep ^"tag " | head -1 | cut -b 5-
diff --git a/global/overlay/etc/puppet/facter/cosmos.rb b/global/overlay/etc/puppet/facter/cosmos.rb
new file mode 100644
index 00000000..d810082f
--- /dev/null
+++ b/global/overlay/etc/puppet/facter/cosmos.rb
@@ -0,0 +1,22 @@
+#
+# Extract local Cosmos configuration
+#
+require 'facter'
+Facter.add(:cosmos_repo) do
+ setcode do
+ Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && echo $COSMOS_REPO'")
+ end
+end
+
+Facter.add(:cosmos_tag_pattern) do
+ setcode do
+ Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && echo $COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN'")
+ end
+end
+
+Facter.add(:cosmos_repo_origin_url) do
+ setcode do
+ Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && cd $COSMOS_REPO && git remote show -n origin | grep \"Fetch URL\" | awk \"{print \\$NF }\"'")
+ end
+end
+
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index c276f847..56c31964 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
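Review bot: In cosmos_config_version the `set -e` does not catch a failure of `25verify-git`, because only the last command of the pipeline (`cut`) sets the exit status and stderr goes to /dev/null. A failed tag verification therefore produces an empty version string with exit status 0 and no trace of why. Capturing the output first makes the failure visible: `out=$(/etc/cosmos/update.d/25verify-git 2>/dev/null)` followed by `echo "$out" | grep '^tag ' | head -1 | cut -b 5-`. If an empty version is acceptable here, a comment saying so above the pipeline would do instead.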
@@ -4,49 +4,550 @@ Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", } -# include some of this stuff for additional features +include sunet -#include cosmos::tools -#include cosmos::motd -#include cosmos::ntp -#include cosmos::rngtools -#include cosmos::preseed -include ufw -include apt -include cosmos +class mailclient ($domain) { + sunet::preseed_package {"postfix": ensure => present, options => {domain => $domain}} +} -# you need a default node +class autoupdate { + class { 'sunet::updater': cron => true, cosmos_automatic_reboot => true } +} -node default { +class infra_ca_rp { + sunet::ici_ca::rp { 'infra': } +} + +# you need a default node, all nodes need ssh + ufw +node default { +} + +class common { + include sunet::tools + include sunet::motd + include sunet::ntp + include ufw + include apt + include apparmor +} + +class dhcp6_client { + ufw::allow { "allow-dhcp6-546": + ip => 'any', + port => '546', + proto => 'udp', + } + ufw::allow { "allow-dhcp6-547": + ip => 'any', + port => '547', + proto => 'udp' + } +} + +class entropyclient { + include sunet::simple_entropy + sunet::ucrandom {'random.nordu.net': } + sunet::nagios::nrpe_check_process { 'haveged': } +} + +class dockerhost { + class { 'sunet::dockerhost': + run_docker_cleanup => true, + manage_dockerhost_unbound => true + } +} + +class ubuntu_dockerhost { + class { 'sunet::dockerhost': + docker_version => "17.03.0~ce-0~ubuntu-${::lsbdistcodename}", + storage_driver => "aufs", + run_docker_cleanup => true, + manage_dockerhost_unbound => true, + docker_dns => '172.17.0.1' + } +} + +class openstack_ubuntu_16_04_dockerhost { + class { 'sunet::dockerhost': + docker_version => "17.03.0~ce-0~ubuntu-${::lsbdistcodename}", + storage_driver => "aufs", + run_docker_cleanup => true, + manage_dockerhost_unbound => true, + docker_dns => '172.17.0.1' + } +} + +# ONLY to be used for those that start containers with --net host. 
+# The only difference from openstack_ubuntu_16_04_dockerhost is that +# this class has docker_dns set to 127.0.0.1 +class openstack_ubuntu_16_04_dockerhost_net_host { + class { 'sunet::dockerhost': + docker_version => "17.03.0~ce-0~ubuntu-${::lsbdistcodename}", + storage_driver => "aufs", + run_docker_cleanup => true, + manage_dockerhost_unbound => true, + docker_dns => '127.0.0.1' + } +} + +# The only difference from openstack_ubuntu_16_04_dockerhost is that +# this class uses a eduix specific registry. +class openstack_ubuntu_16_04_dockerhost_eduix { + class { 'sunet::dockerhost': + docker_version => "17.03.0~ce-0~ubuntu-${::lsbdistcodename}", + storage_driver => "aufs", + run_docker_cleanup => true, + manage_dockerhost_unbound => true, + docker_dns => '172.17.0.1', + docker_extra_parameters => '--insecure-registry registry.lab.eduix.fi' + } +} + +class sunet_iaas_cloud { + sunet::cloud_init::config { 'disable_datasources': + config => { datasource_list => [ 'None' ] } + } + sunet::cloud_init::config { 'keep_root_enabled': + config => { disable_root => 'false' } + } + + # rdrand is exposed to VMs and can therefore be used. + package {'rng-tools': } -> + service {'rng-tools': + ensure => 'running' + } } -# edit and uncomment to manage ssh root keys in a simple way +class webserver { + ufw::allow { "allow-http": + ip => 'any', + port => '80' + } + ufw::allow { "allow-https": + ip => 'any', + port => '443' + } +} -#class { 'cosmos::access': -# keys => [ -# "ssh-rsa ..." 
-# ] -#} +class swamid_metadata($filename=undef) { + sunet::metadata::swamid { "$filename": } +} -# example config for the nameserver class which is matched in cosmos-rules.yaml +class saml_metadata($filename=undef, $cert=undef, $url=undef) { + sunet::metadata { "$filename": url => $url, cert => $cert } +} -#class nameserver { -# package {'bind9': -# ensure => latest -# } -# service {'bind9': -# ensure => running -# } -# ufw::allow { "allow-dns-udp": -# ip => 'any', -# port => 53, -# proto => "udp" -# } -# ufw::allow { "allow-dns-tcp": -# ip => 'any', -# port => 53, -# proto => "tcp" -# } -#} +class swamid_metadata_repo($hostname=undef) { + $host = $hostname ? { + undef => $title, + default => $hostname + } + sunet::ssh_keyscan::host {$host: } -> + vcsrepo { '/opt/swamid-metadata': + ensure => present, + provider => git, + source => "git@$host:swamid-metadata.git" + } +} +class swamid_md_master($hostname) { + class {'openstack_ubuntu_16_04_dockerhost': } -> + class {'sunet::gitolite': } -> + sunet::docker_run {'gitweb': + image => 'docker.sunet.se/gitweb', + imagetag => 'latest', + volumes => ['/etc/dehydrated:/etc/dehydrated','/home/git:/home/git'], + ports => ['443:443','80:80'], + env => ["HOSTNAME=$hostname","KEYDIR=/etc/dehydrated"] + } -> + class {'webserver': } -> + class {'https_server': } +} + +class swamid_pyff_signer { + class {'ubuntu_dockerhost': } + class { 'swamid_metadata_repo': hostname => 'git.swamid.se'} -> + cron {'update-swamid-metadata': + command => "cd /opt/swamid-metadata && git pull -q", + user => root, + minute => '*/5' + } -> + sunet::pyff {'swamid': + ssl_dir => '/etc/dehydrated', + dir => '/opt/swamid-metadata', + acme_tool_uri => "http://acme-c.sunet.se/.well-known/acme-challenge/" + } + #sunet::exabgp::config {'swamid': + # local_as => "65433", + # local_address => "${::ipaddress_eth0}", + # remote_as => "1653", + # remote_address => hiera("1653-peer-address"), + # route => "130.242.125.192/32 next-hop self" + #} -> + 
#sunet::exabgp::monitor::url {'check-for-sp-swamid': + # url => "localhost/metadata/%7Bsha1%7D152713cd66ffc27ec9ef42cc43c85df399f6a85e.json", + # match => "https://sp.swamid.se/shibboleth" + #} -> + sunet::exabgp { 'swamid': } +} + +class sunetops { + # Allow hosts to configure sshd as needed + $sshd_config = $hostname ? { + 'pypi' => false, + default => true, + } + class { 'sunet::server': + sshd_config => $sshd_config, + } + + ssh_authorized_key {'leifj+neo': + ensure => present, + name => 'leifj+neo@mnt.se', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'ft+505152DD': + ensure => present, + name => 'fredrik+505152DD@thulin.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'ft+4030CCAD': + ensure => present, + name => 'fredrik+4030CCAD@thulin.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/', + type => 'ssh-rsa', + user => 'root' + } 
+ + ssh_authorized_key {'lundberg+9303C5DB': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDAHMfn9PSWjGGAkMY6rh1yffdYgnlhoIC5E5NWdc5XUlY9oNYW2zhMpyhepfoh1YYv5V1QNTuO3f0zhD+ZeqPvnnA74fBM4yvWU4Qttwv2drsFOsU7nRbGSwQdww9IDidtxRuAjW5HJ9mTOJuYrIFAEHgg1Pv8sZKzHNWuZiz4I34CN2NbaZOu4eYG6pdzvB6kfYl5iL/esfhBZfegA+7x4qXvMLHEKb7wCRBABCfWu6Yy1E0jUdRWBFdqp5zsjuQlk8minh892m2C1tFcyub5dCWgLYtiQRpIjz16lMk1cM+fgS9YM7Ev62bBpRynU2wCfg1QpYMpxIq54q/XLlYv', + ensure => present, + user => 'root', + name => 'lundberg+9303C5DB' + } + + ssh_authorized_key {'lundberg+8D03C7D1': + type => 'ssh-rsa', + key => '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', + ensure => present, + user => 'root', + name => 'lundberg+8D03C7D1' + } + + ssh_authorized_key {'salu+7B44FE7C': + ensure => present, + name => 'salu+7B44FE7C@sunet.se', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDepp02t6/oNnO/qKJtB+U2yLWUa+dYo4ECsbX/DGOgr1MYzhtIbP18gUAX0PN9Hj40XdmY5EtAJZamMWCLi0EijanhOLDCzw5s0hzi/gYysmEReLRxhqq4ppjZhSj2HF09a6Rq1TTkndG9mYzTYTkdOyOqmdNcmIZRRvJD0BE1UBkERrURGhA+8YPnHoxEVUqdEDMFX7nHmNl4Q5brj7pNXaBv35PsVIlzDSfltgN7yENF6dv8Fu7nxjKZ+r9Anrb5rCEiBnOkNAbwEMfMvjRRehbY9Nvz1CEn0cP8SstbLYQfBQuCeJW3w9PygLN/a0asva0ttmVhprbnSeZtKmm3', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'dennis+3EE4E6C7': + ensure => present, + name => 'dennis+3EE4E6C7@nordu.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC314jSJ575zgXl2xzwzLRLwoNaP7eXN6NlWOPq47qmoUfR1uZPPbZhvKDmMMc4WQhNPzWDFkX29tcHJar0KXVYM0zNV/hkXlh3Z9suAVFJgzdQ+VW3GsNDffYt4GHM8gUtYxdiQKhA78rIIvcvjy/e0c87lQ0zwDQjruLRw2t1mP1roVsadGnRn4H2rHnlmYqsyJrd2L/MQeKxFh0t3zKu3Hp2mGoSFpFe/5uMaHE//ZOO3tVf3fBWX3p19f6sK6kqYsSR4vMAP08cWf32xFEeNHf4ljbanQ/NIo3iPybpzGXVsPpTHXylLS+vYzDf9mOcxovhsKnJrJ3gdkqEfQyd', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'patrik+soft': + ensure => present, + name => 'patrik@nordu.net', + key => 
'AAAAB3NzaC1yc2EAAAABIwAAAQEAs0nFlZmXga5A789gFwmRVYREPNuaGvZBNAkN+fHpfzNfxSDQNlu1v4OWlU2QAs4XBMVIo5O14EuqqunSgFnX1gh9++AM1cQ8pBUeTi0l99MTl7qxc9MIHCyvHhbzra7o3MHEUuNQzbAjEUsuGV5/ymNJv4ysbncX+BiZplkydq2H/MuDQD8dzghfq6HUgf/BZDVxM3K4Ak8ll65PPPA6xnWJA4a2abgHvoBf40R6xF2dgOK3wq4xQRQSUWdw0olRSyXXZ68mt45m9fvwLnpY3xIFWEWJ6ZbEW+K8BsVT7zqbCBdpnfT8Rc2myz3cjgf7WpTHd8JXEcKk2BaEGD4y+w==', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'mikott+BEBCB9C0': + ensure => present, + name => 'mikott+BEBCB9C0@nordu.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC36l/Qxb+sByKKZwBOPLiqScqWg6Q9elraB4vj13MjkoGsNoCmzWDEcAE9hUVwnlprYnWNyaJZ3OliEawFJlRDF8MxgVN+jHYUCUhPoHCE4ChS9Y0EayLb+AQ2JbfI1KAADga161P+/P1ofALMnZHW2NpK1p+2eiE891c1sc+NfLCNySX/hcvkkP6zNrCmZxgFcqIBbYNNxDjU33G3StypFe/7YgmVvd/ZfY22fhWb4gm1fX/3HelxCU6FirDJHujhDm79btjR221emlqTMH3WQvgGBKhLGOoQTKTHEadBmPa16nxv01mTtHVH6tnqGrWXhSrn6WEw3qQSzKrBnHIV', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'john+B3337B77': + ensure => present, + name => 'john+B3337B77@nordu.net', + key => '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', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'el-sunet': + ensure => present, + name => 'el@sunet.se', + key => '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', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'jac+3438F957': + ensure => present, + name => 'jac+3438F957@nordu.net', + key => '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', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'jbr+55F5842C@nordu.net': + ensure => present, + name => 'jbr+55F5842C@nordu.net', + key => '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', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'markus+FA2CC191': + ensure => present, + name => 'markus+FA2CC191@nordu.net', + key => 
'AAAAB3NzaC1yc2EAAAADAQABAAACAQDjBx/TbLSK9Ocf8Vefrddy62xH/gwPwT4/23xN8+ZEo7YG+0rKxFVRDFchnS9lMx+1UFubyZEui1CjRMwwFcFN/uOQ94oEPnFjyVZZ4jwXmmQu/xY1oiWg25h1WfwR9xTkOfe2CvPXjmtUwqYy+AO82YpXKpLTi/J7y3CVOxS2kRZzfe99CaB0nSzX7lSYmaq9KoThJ7VAsoyObJ2vcpuliIhNUsYL2RWHYdnSOdJoNftZkegN87so62fY7YcYWJkET9Rvydm9Qn1fDiUvGuMCitvS4OeWgJ97g3yAwdmhXExcQEzePxcx4LgR0DndzU/MqXYw2KqAVeRsjct2HFAqo0uL1jj8mb7tWYVpQTq8KNgUuA4o2wTvmKuNtWzhfb+J6TMCLrCXx9/3nH0NbO3JqUvxQxblnh3cZYIiphdIDxpXUGPXxVOtHjd2M0KaTrrhd+4ntnf0c9A0kcMCvSv/pEjy2saVpuNSjz13iO8Db7IOan4oC9ACheKAoDyBVLpmZFVMc4t2scLPqqeJjzwu/BozxPVQy8nhKdKznGmg3QGnPcrvNfGoO4huBPxlJZsLSmaPenImK4tHYDmFTjjQWSJ+gFkTlkJzDCqsDB/H+SZQEuAH/JIpzULApouVUi42dJq/MUN4SUvfuij7Zsx+jyWqOnxAkx0gpUnu8UsF5Q==', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'htj+key-from-ldap': + ensure => present, + name => 'htj+key-from-ldap@nordu.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDeME6LuIRZzHh8f7wTBE1RRX8fX4DftnZambVOoGOzg5ujtVnmwBZiFFcumqRGs7o/iradUY0IB5K2tbooHJkTYh+B0sIR/5jOPJJZ+bS45bngcGq1vz++z1VSXlTGH13H8OFXHZPnjwvFzO5eauHnen4uKVKrN9A/lNhTfbjpiHRN1yfXuunlvar4Go6OLAm6tgWe93scdXiAdxd3LoZ/I91w7djfAi0SpMiTDbYchrtt9wC3l4U42wehcANU4EhEJfMrwcMcRXRSZ/3IejXp2I1PueQhiHjknAkVX/r4Y23RKT77B1OEbVXg8VizFVnHrhkGWW1JZzQWrvb/MruT', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'pettai+BD795A53': + ensure => present, + name => 'pettai+BD795A53@nordu.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDcvRAnhdoty3OpQnC3zYEUQijkhlg9eiU7y6EVR/rdy+HID4aRZU57EuEB17wmoP6OliXZc02R5oHwoTT42cugUPgwPyxfgofwMRhl9zHUDumvnI9apiW6TMTz8F/zg26eLHhrB9k3tmviPhPV3PQKqEOvfKMwM47aEieGRcUTRLqOAJnrfoE+JRLtql/eaFFYKnVNtMscpNnBcvl77cAG3ciGqe4FLo21Sxo5WieoKElBswZzNKt+vQSZMI8yIA/DU1XGg6Yn5hhbqhgMJLhye3JXM9qSlzXo+T5SrBF8T8uZ3LpkPoA06T7k2DBjaj3iXueJVmoibdRG3t53YfE7', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'berra+DA7C099B': + ensure => present, + name => 'berra+DA7C099B@nordu.net', + key => 
'AAAAB3NzaC1yc2EAAAADAQABAAACAQDoUEUPOtw5ZUBblnDlf03EfA8xmoOMVnoxV6nrAwPWsNOWCY39+OO5ckfv8B/n/i/JRIvokPp+YrPpOXi8fLkchiu5AFDBwN4cqS8NETLMwJhImfObIM6M1P9a4re4WuAZ4u2BQ2/Nin7WRewJfAfbvbSx6o5zRp95IotiQiXIH8LyYC7whDUjT7OKvESUwLRnK6wQ4kQRgxpgUbAZxAgPZxRzTL0jPKx5dW2pald5WWXcu9ki4uiPg5fDjHVwAJ3MFNzFfDUrJX0bKSln/ocAJFBuAKTCUHEMXo9arD6LBcj7JoXZP6ZiXlcIUG6hd93vAmL+1fxOWu3Adbtz31hxzfmTHGLwF5HyfBIpdygNBZILwICjKimocD0oevrNcJ0KmgBWnw6ZlZJjKIcxN77wEbmskQ19kj+nTHQIgDeocISfio3iJIKdAGsLo+L+d8x4vMoPgIhJUJf8vT2piTa532mumfH2buWt841Yq3fsP98AQJTPDdsXRUGkIVTIIRIqFN1thV9FaMX5wIErq3oEYNJNDhJ6g+5z6N3Zq4AivXzQnmUOeqIttP0jryO85BBGjAz6LIBTCnirKwdsKv7Bq3g3Y5QARUgL42DQ9ddMyMWud5OKrVSwhPf1tqeQEyhgctA0Ve007h9nfovKFhDyUA24HFfDHlIqIWxuOnk1sw==', + type => 'ssh-rsa', + user => 'root' + } + + # OS hardening + if $::hostname =~ /kvm/ { + class {'bastion': + fstab_fix_shm => false, + sysctl_net_hardening => false, + } + } elsif $::hostname =~ /random/ { # pollen requires exec on /tmp + class {'bastion': + fixperms_enable => false, + fixperms_paranoia => false, + } + } else { + class {'bastion': + fstab_fix_shm => false, + fixperms_paranoia => true, + } + } +} + +class nrpe { + require apt + class {'sunet::nagios': } + if ($::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '12.04') { + class {'apt::backports': } + } + package {'nagios-plugins-contrib': ensure => latest} + package {'nagios-plugins-extra': ensure => latest} + + sunet::nagios::nrpe_command {'check_memory': + command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%' + } + sunet::nagios::nrpe_command {'check_mem': + command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%' + } + sunet::nagios::nrpe_command {'check_boot_15_5': + command_line => '/usr/lib/nagios/plugins/check_disk -w 15% -c 5% -p /boot' + } + sunet::nagios::nrpe_command {'check_entropy': + command_line => '/usr/lib/nagios/plugins/check_entropy' + } + sunet::nagios::nrpe_command {'check_ntp_time': + command_line => 
'/usr/lib/nagios/plugins/check_ntp_time -H localhost' + } + sunet::nagios::nrpe_command {'check_scriptherder': + command_line => '/usr/local/bin/scriptherder --mode check' + } + sunet::nagios::nrpe_command {'check_apt': + command_line => '/usr/lib/nagios/plugins/check_apt' + } +} + +node 'monitor.sunet.se' { + $nrpe_clients = hiera_array('nrpe_clients',[]); + $allowed_hosts = join($nrpe_clients," "); + class { 'ubuntu_dockerhost': } + class { 'webserver': } + class { 'nagioscfg': + hostgroups => $::roles, + config => 'nunoc' + } + file { "/var/www/nagios_config": + ensure => directory, + owner => "www-data", + group => "www-data" + } -> + class {'nagioscfg::slack': domain => 'sunet.slack.com', token => safe_hiera('slack_token','') } -> + package { 'pynag': ensure => installed } -> + cron { "publish_nagios_config": + command => "/usr/bin/nagios-export.py > /var/www/nagios_config/export.cfg && chown -R www-data:www-data /var/www/nagios_config", + user => root, + minute => "*/5" + } -> + file { "/etc/apache2/conf-available/nagios_config.conf": + content => "Alias /nagios-config /var/www/nagios_config\n\n\tDeny from all\n\tAllow from $allowed_hosts\n", + } -> + exec { "enable-nagios-config-publish": + command => "a2enconf nagios_config", + refreshonly => true + } + + class {'nagioscfg::passive': enable_notifications => '1'} + nagioscfg::slack::channel {'nagios': } -> + nagioscfg::contactgroup {'alerts': } -> + nagioscfg::contact {'slack-alerts': + host_notification_commands => ['notify-host-to-slack-nagios'], + service_notification_commands => ['notify-service-to-slack-nagios'], + contact_groups => ['alerts'] + } + nagioscfg::slack::channel {'swamidops': } -> + nagioscfg::contactgroup {'swamid': } -> + nagioscfg::contact {'slack-swamid': + host_notification_commands => ['notify-host-to-slack-swamidops'], + service_notification_commands => ['notify-service-to-slack-swamidops'], + contact_groups => ['swamid'] + } + nagioscfg::service {'service_ping': + hostgroup_name => 
['all'], + description => 'PING', + check_command => 'check_ping!400.0,1%!500.0,2%', + contact_groups => ['alerts'] + } + nagioscfg::service {'service_ssh': + hostgroup_name => ['all'], + description => 'SSH', + check_command => 'check_ssh_4_hostname', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_load': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_load', + description => 'System Load', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_users': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_users', + description => 'Active Users', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_zombie_procs': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_zombie_procs', + description => 'Zombie Processes', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_total_procs': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_total_procs_lax', + description => 'Total Processes', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_root': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_root', + description => 'Root Disk', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_boot': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_boot_15_5', + description => 'Boot Disk', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_var': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_var', + description => 'Var Disk', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_uptime': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_uptime', + description => 'Uptime', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_reboot': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_reboot', + description => 'Reboot Needed', + contact_groups => ['alerts'] + } + nagioscfg::service 
{'check_memory': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_memory', + description => 'System Memory', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_entropy': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_entropy', + description => 'System Entropy', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_ntp_time': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_ntp_time', + description => 'System NTP Time', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_process_haveged': + hostgroup_name => ['entropyclient'], + check_command => 'check_nrpe_1arg!check_process_haveged', + description => 'haveged running', + contact_groups => ['alerts'] + } + nagioscfg::service {'check_scriptherder': + hostgroup_name => ['nrpe'], + check_command => 'check_nrpe_1arg!check_scriptherder', + description => 'Scriptherder Status', + contact_groups => ['alerts'] + } + nagioscfg::service {'etcd_cluster_health': + hostgroup_name => ['webcommon'], + check_command => 'check_nrpe_1arg!etcd_cluster_health', + description => 'etcd cluster health', + contact_groups => ['alerts'] + } + nagioscfg::service {'swamid-2.0-2-age': + hostgroup_name => ['swamid_static_signer'], + check_command => 'check_nrpe_1arg!check_fileage_swamid-2.0-2', + description => 'swamid 2.0 2016 metadata age', + contact_groups => ['alerts'] + } + nagioscfg::command {'check_ssl_cert_3': + command_line => "/usr/lib/nagios/plugins/check_ssl_cert -A -H '\$HOSTADDRESS\$' -c '\$ARG2\$' -w '\$ARG1\$' -p '\$ARG3\$'" + } + nagioscfg::service {'check_ssl_cert': + hostgroup_name => ['swamid_static_signer','swamid_pyff_signer','ds_legacy','swamid_sp_test','webfrontend','entropyserver','https_server'], + check_command => 'check_ssl_cert_3!30!14!443', + description => 'check https certificate validity on port 443', + contact_groups => ['alerts'] + } +} 
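Review bot: `openstack_ubuntu_16_04_dockerhost_eduix` passes `--insecure-registry registry.lab.eduix.fi` to the Docker daemon, so images from that registry are pulled without TLS verification and their content is not authenticated in transit. Installing the registry's CA certificate as `/etc/docker/certs.d/registry.lab.eduix.fi/ca.crt` and dropping `docker_extra_parameters` would keep the class working without the flag. If the flag has to stay for the lab, the class comment should say so, e.g. `# lab only: images from registry.lab.eduix.fi are pulled without TLS verification`. Separately, in `node 'monitor.sunet.se'` the `exec { "enable-nagios-config-publish": }` has `refreshonly => true` but is only ordered with `->`, which sends no refresh event, so `a2enconf nagios_config` looks like it never runs; `~>` from the preceding `file` resource would trigger it.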
diff --git a/global/overlay/etc/puppet/puppet.conf b/global/overlay/etc/puppet/puppet.conf index 88871f04..cc9e736e 100644 --- a/global/overlay/etc/puppet/puppet.conf +++ b/global/overlay/etc/puppet/puppet.conf @@ -3,11 +3,14 @@ logdir=/var/log/puppet vardir=/var/lib/puppet ssldir=/var/lib/puppet/ssl rundir=/var/run/puppet -factpath=$vardir/lib/facter -templatedir=$confdir/templates +# factpath is supposed to be colon-delimeted, but that does not appear to work +# (tested with 'strace -f facter --puppet something' - does not split on colon in Puppet 3.4.2). +factpath=/etc/puppet/facter node_terminus = exec external_nodes = /etc/puppet/cosmos_enc.py basemodulepath = /etc/puppet/modules:/etc/puppet/cosmos-modules:/usr/share/puppet/modules +parser = future +disable_warnings = deprecations [master] # These are needed when the puppetmaster is run by passenger diff --git a/global/post-tasks.d/015cosmos-trust b/global/post-tasks.d/015cosmos-trust index 447d8755..74835e06 100755 --- a/global/post-tasks.d/015cosmos-trust +++ b/global/post-tasks.d/015cosmos-trust 
@@ -4,11 +4,19 @@ if [ -z "$COSMOS_KEYS" ]; then COSMOS_KEYS=/etc/cosmos/keys fi +# Install new keys discovered in the $COSMOS_KEYS directory for k in $COSMOS_KEYS/*.pub; do - fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'` - cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k + fp=`cosmos gpg --with-colons --with-fingerprint < $k | awk -F: '$1 == "pub" {print $5}'` + fp_in_db=`cosmos gpg --with-colons --fingerprint | grep ":$fp:"` + if [ "x`echo $fp_in_db | grep '^pub:e:'`" != "x" ]; then + echo "$0: Key expired, will re-import it from $k" + cosmos gpg --fingerprint $fp + fi + # The removal of any ^pub:e: entrys means to ignore expired keys - thereby importing them again. + echo $fp_in_db | grep -v "^pub:e:" | grep -q ":$fp:" || cosmos gpg --import < $k done +# Delete keys no longer present in $COSMOS_KEYS directory for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do seen="no" for k in $COSMOS_KEYS/*.pub; do diff --git a/global/post-tasks.d/018packages b/global/post-tasks.d/018packages index 3e2e26e2..9370e102 100755 --- a/global/post-tasks.d/018packages +++ b/global/post-tasks.d/018packages @@ -24,8 +24,8 @@ if [ -f $CONFIG ]; then # First pass to clone any new modules, and update those marked for updating. grep -E -v "^#" $CONFIG | ( while read module src update pattern; do - # We only support git:// urls atm - if [ "${src:0:6}" = "git://" ]; then + # We only support git:// urls and https:// urls atm + if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then if [ ! -d $CACHE_DIR/scm/$module ]; then git clone -q $src $CACHE_DIR/scm/$module elif [ -d $CACHE_DIR/scm/$module/.git ]; then 
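Review bot: In 015cosmos-trust `fp` holds field 5 of the `pub` record, which is the long key ID rather than the fingerprint, and both the new `fp_in_db` lookup and the `grep -q ":$fp:"` test identify keys by that ID alone. This keyring decides which signed tags are accepted, so comparing the full fingerprint (field 10 of the `fpr` record) would be the safer identity; a `.pub` file holding more than one key would also put several IDs into `$fp`. The expired-key branch only prints the key with `cosmos gpg --fingerprint $fp`; a comment such as `# the import below refreshes the expiry date from the .pub file` would say why that is enough. The `for fp in ...` loop that follows continues outside the hunk.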
@@ -63,7 +63,7 @@ if [ -f $CONFIG ]; then grep -E -v "^#" $CONFIG | ( while read module src update pattern; do # We only support git:// urls atm - if [ "${src:0:6}" = "git://" ]; then + if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then # Verify git tag cd $CACHE_DIR/scm/$module TAG=$(git tag -l "${pattern:-*}" | sort | tail -1) diff --git a/global/post-tasks.d/020reports b/global/post-tasks.d/020reports index 091a236e..380f31a7 100755 --- a/global/post-tasks.d/020reports +++ b/global/post-tasks.d/020reports @@ -1,4 +1,4 @@ #!/bin/sh -rm -f /var/run/facts.json -facter -p -y > /var/run/facts.yaml +#rm -f /var/run/facts.json +#facter -p -y > /var/run/facts.yaml diff --git a/global/pre-tasks.d/020common-tools b/global/pre-tasks.d/020common-tools index eaca6ea8..563fab2b 100755 --- a/global/pre-tasks.d/020common-tools +++ b/global/pre-tasks.d/020common-tools @@ -5,10 +5,10 @@ set -e -stamp="$COSMOS_BASE/stamps/common-tools-v01.stamp" +stamp="$COSMOS_BASE/stamps/common-tools-v02.stamp" if ! test -f $stamp; then - apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp + apt-get -y update && apt-get -y upgrade && apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp wget update-alternatives --set editor /usr/bin/vim.basic mkdir -p `dirname $stamp` diff --git a/global/pre-tasks.d/030puppet b/global/pre-tasks.d/030puppet index cdc99892..ef080161 100755 --- a/global/pre-tasks.d/030puppet +++ b/global/pre-tasks.d/030puppet 
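Review bot: In 018packages the comment above this second changed test still reads `# We only support git:// urls atm` although the condition now accepts `https://` too; it should match the first hunk, `# We only support git:// urls and https:// urls atm`. The test is written twice with `-o` inside `[ ]`; `[ "${src:0:6}" = "git://" ] || [ "${src:0:8}" = "https://" ]` is the more robust spelling and could live in one small helper shared by both passes. Both `while read` loops start and end outside the hunks.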
@@ -9,9 +9,13 @@ stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp" if ! test -f $stamp -a -f /usr/bin/puppet; then codename=`lsb_release -c| awk '{print $2}'` - wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb - dpkg -i puppetlabs-release-${codename}.deb - rm -f puppetlabs-release-${codename}.deb* + puppetdeb="$COSMOS_REPO/apt/puppetlabs-release-${codename}.deb" + if [ ! -f $puppetdeb ]; then + echo "$0: Puppet deb for release $codename not found in $COSMOS_REPO/apt/" + echo " Get it from https://apt.puppetlabs.com/ and put it in the Cosmos repo." + exit 1 + fi + dpkg -i $puppetdeb apt-get update apt-get -y install puppet-common diff --git a/global/pre-tasks.d/040hiera-gpg b/global/pre-tasks.d/040hiera-gpg index e5de6da5..0ef2d86b 100755 --- a/global/pre-tasks.d/040hiera-gpg +++ b/global/pre-tasks.d/040hiera-gpg @@ -14,8 +14,12 @@ if [ ! -f /usr/lib/ruby/vendor_ruby/gpgme.rb ]; then apt-get -y install ruby-gpgme fi +# this is useful to make the cmdline hiera tool work +if [ -f /etc/hiera/data/secrets.yaml.asc -a ! -f /etc/hiera/data/secrets.yaml.gpg ]; then + (cd /etc/hiera/data && ln -s secrets.yaml.asc secrets.yaml.gpg) +fi -if [ ! -s $GNUPGHOME/secring.gpg ]; then +if [ ! -s $GNUPGHOME/secring.gpg -a ! -s /etc/hiera/gpg/pubring.kbx ]; then if [ "x$1" != "x--force" ]; then echo "" @@ -44,6 +48,7 @@ Name-Comment: Hiera GPG key Name-Email: root@`hostname --fqdn` Expire-Date: 0 # Do a commit here, so that we can later print "done" :-) +%no-protection %commit %echo done EOF diff --git a/host-puppet-conf-test b/host-puppet-conf-test new file mode 100755 index 00000000..609eca51 --- /dev/null +++ b/host-puppet-conf-test 
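Review bot: In the first 040hiera-gpg hunk the new guard mixes `$GNUPGHOME/secring.gpg` with a hard-coded `/etc/hiera/gpg/pubring.kbx`, so the two tests only look at the same keyring while GNUPGHOME points at /etc/hiera/gpg (its assignment is outside the hunk). A non-empty `pubring.kbx` also shows only that some public key exists, not that the host's secret key was generated. I would test one directory in both places and document what is checked: `if [ ! -s "$GNUPGHOME/secring.gpg" -a ! -s "$GNUPGHOME/pubring.kbx" ]; then` with a comment `# secring.gpg: GnuPG 1.x/2.0 keyring, pubring.kbx: GnuPG 2.1+ keybox`.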
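Review bot: In the second 040hiera-gpg hunk `%no-protection` states explicitly that the generated Hiera key is stored without a passphrase, so the secrets it decrypts are protected only by the file permissions of the GnuPG home directory, and nothing in the hunk sets or checks those. The line also lands between the existing comment `# Do a commit here, ...` and the `%commit` that comment describes. I would move it above that comment and document it, e.g. `# Unattended generation: key has no passphrase, keep the GnuPG home root-only (0700)`. The here-document starts and ends outside the hunk.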
@@ -0,0 +1,43 @@
+#!/bin/bash
+set +x
+HOSTNAME=$1
+PUPPET_ARGS=$2
+
+if [ -z "$HOSTNAME" ]; then
+ echo "Usage: $0 fqdn"
+ exit 1
+fi
+
+if [ ! -d $host ]; then
+ echo "$0: No host-directory for '$HOSTNAME' found - execute in top-level cosmos dir"
+ exit 1
+fi
+
+PUPPET_ARGS=${PUPPET_ARGS-"--verbose"}
+
+# Check if cosmos or puppet is already running on host
+echo "Checking if puppet or cosmos is already running..."
+ssh root@$HOSTNAME ps aux | grep -ve grep -e edit-secrets | egrep -q "cosmos|puppet"
+
+if [ $? -eq 1 ]
+then
+ echo "Copying files to host..."
+ rsync -av --exclude '*~' global/overlay/etc/puppet/cosmos-rules.yaml root@$HOSTNAME:/etc/puppet/cosmos-rules.yaml
+ rsync -av --exclude '*~' global/overlay/etc/puppet/manifests/cosmos-site.pp root@$HOSTNAME:/etc/puppet/manifests/cosmos-site.pp
+ rsync -av --exclude '*~' global/overlay/etc/puppet/cosmos-db.yaml root@$HOSTNAME:/etc/puppet/cosmos-db.yaml
+
+ # Test if the user has symlinked puppet-sunet correctly
+ # by first checking if the link exits and then whether
+ # or not the directory contains any files.
+ if [ -L global/overlay/etc/puppet/cosmos-modules/sunet ] && \
+ [ -n "$(ls -A global/overlay/etc/puppet/cosmos-modules/sunet/*)" ]
+ then
+ rsync -av --delete --exclude '*~' global/overlay/etc/puppet/cosmos-modules/sunet/* root@$HOSTNAME:/etc/puppet/cosmos-modules/sunet/.
+ fi
+
+ echo "Running puppet apply..."
+ ssh root@$HOSTNAME /usr/bin/puppet apply $PUPPET_ARGS /etc/puppet/manifests/cosmos-site.pp
+else
+ echo "Cosmos or puppet already running. Exiting."
+ exit 1
+fi
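Review bot: The host-directory check in host-puppet-conf-test tests `$host`, which is never set (the argument is stored in `HOSTNAME`), so `[ ! -d $host ]` expands to `[ ! -d ]` and the error branch can never run. It should read `if [ ! -d "$HOSTNAME" ]; then`. The script goes on to rsync working-tree manifests to the host and apply them as root, so a mistyped name is only caught by ssh itself; quoting `"$HOSTNAME"` in those calls and using a name other than bash's own `HOSTNAME` variable (e.g. `target`) would make that path more predictable. `set +x` on the second line is a no-op as written; if tracing or fail-fast was intended it would be `set -x` or `set -e`.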