diff --git a/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp b/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp
new file mode 100644
index 00000000..eefc0280
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp
@@ -0,0 +1,73 @@
+# This puppet manifest is used to configure Sweden Connect proxy servers
+
+# @param version Version of the docker image to use. (referenced in compose file)
+# @param service_name Name of the service, for example qa.proxy.eidas.swedenconnect.se
+# @param server_fqdn The FQDN of the server. (referenced in compose file)
+# @param proxy_directory The directory where all proxy related config and files are stored. (referenced in compose file)
+# @param contry Used while creating directories and referenced in compsose file
+class eid::proxy (
+ String $version = '',
+ String $service_name = '',
+ String $server_fqdn = $facts['networking']['fqdn'],
+ String $proxy_directory = '/opt/eidas-proxy',
+ String $spring_config_param = "SPRING_CONFIG_ADDITIONAL_LOCATION",
+ String $country = 'se',
+) {
+
+ $pkcs11_pin = safe_hiera('pkcs11_pin')
+ $eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks','')
+ $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw')
+
+ if $version and $service_name and $pkcs11_pin != 'NOT_SET_IN_HIERA' and $eidas_proxy_oidc_rp_jks != 'NOT_SET_IN_HIERA' and $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA'{
+
+ sunet::nftables::allow { 'allow-http-from-any':
+ from => any,
+ port => 80,
+ }
+ sunet::nftables::allow { 'allow-https-from-any':
+ from => any,
+ port => 443,
+ }
+
+ file { ['/etc/eidas-proxy/',"/etc/eidas-proxy/${country}"]:
+ ensure => directory,
+ mode => '0755',
+ owner => 'root',
+ group => 'root',
+ }
+ file { "/etc/eidas-proxy/${country}/keystore":
+ ensure => directory,
+ mode => '0755',
+ owner => 'root',
+ group => 'root',
+ }
+ sunet::snippets::secret_file {"/etc/eidas-proxy/${country}/metadata.p12":
+ hiera_key => 'eidas_metadata_key',
+ base64 => true
+ }
+ sunet::snippets::secret_file {"/etc/eidas-proxy/${country}/proxy.p12":
+ hiera_key => 'eidas_proxy_key',
+ base64 => true
+ }
+ file { ['/etc/luna','/etc/luna/cert']:
+ ensure => directory,
+ mode => '0755',
+ owner => 'root',
+ group => 'root',
+ }
+ if $eidas_proxy_oidc_rp_jks != '' {
+ sunet::snippets::secret_file {"/etc/eidas-proxy/${country}/keystore/oidc-rp.jks":
+ hiera_key => 'eidas_proxy_oidc_rp_jks',
+ base64 => true
+ }
+ }
+
+ sunet::docker_compose { 'eidas-proxy':
+ content => template('eid/proxy/docker-compose.yml.erb'),
+ service_name => 'eidas-proxy',
+ compose_dir => '/opt/',
+ compose_filename => 'docker-compose.yml',
+ description => 'eidas proxy'
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb
new file mode 100644
index 00000000..98bbcb94
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb
@@ -0,0 +1,26 @@
+---
+services:
+ eidas-proxy:
+ image: docker.sunet.se/eidas-proxy:<%= @version %>
+ container_name: eidas-proxy
+ environment:
+ - PROXY_SERVICE_DOMAIN_PREFIX="https://<%= @service_name %>/eidas-ps"
+ - SPRING_PROFILES_ACTIVE=<%= @country %>
+ - CERTNAME="<%= server_fqdn %>_infra",
+ - spring_config_param="<%= @connector_directory %>/<%= @country %>/cfg/"
+ - PKCS11_PIN=<%= @pkcs11_pin %>
+ - PROXY_SERVICE_COOKIEENCRYPTPW= <%= proxy_service_cookie_encrypt_pw %>
+
+ hostname: <%= @server_fqdn %>
+
+ volumes:
+ - '/var/log/eidas-proxy:/var/log/eidas-proxy'
+ - '<%= @proxy_directory %>:<%= @proxy_directory %>'
+ - '/etc/luna/cert:/usr/safenet/lunaclient/cert'
+ - '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d'
+ - '/dev/log:/dev/log'
+ - '/etc/ssl:/etc/ssl'
+
+ ports:
+ - "443:8443"
+ - "127.0.0.1:444:8444"