From 53b1fcd924a1122ef099f1fe95e3e8d9bd70bb42 Mon Sep 17 00:00:00 2001 From: Patrik Holmqvist Date: Fri, 31 Jan 2025 11:37:09 +0100 Subject: [PATCH] Add new modernised proxy class --- .../etc/puppet/modules/eid/manifests/proxy.pp | 73 +++++++++++++++++++ .../templates/proxy/docker-compose.yml.erb | 26 +++++++ 2 files changed, 99 insertions(+) create mode 100644 global/overlay/etc/puppet/modules/eid/manifests/proxy.pp create mode 100644 global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb diff --git a/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp b/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp new file mode 100644 index 00000000..eefc0280 --- /dev/null +++ b/global/overlay/etc/puppet/modules/eid/manifests/proxy.pp 
@@ -0,0 +1,73 @@
+# This puppet manifest is used to configure Sweden Connect proxy servers
+
+# @param version Version of the docker image to use. (referenced in compose file)
+# @param service_name Name of the service, for example qa.proxy.eidas.swedenconnect.se
+# @param server_fqdn The FQDN of the server. (referenced in compose file)
+# @param proxy_directory The directory where all proxy related config and files are stored. (referenced in compose file)
+# @param contry Used while creating directories and referenced in compsose file
+class eid::proxy (
+  String $version = '',
+  String $service_name = '',
+  String $server_fqdn = $facts['networking']['fqdn'],
+  String $proxy_directory = '/opt/eidas-proxy',
+  String $spring_config_param = "SPRING_CONFIG_ADDITIONAL_LOCATION",
+  String $country = 'se',
+) {
+
+  $pkcs11_pin = safe_hiera('pkcs11_pin')
+  $eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks','')
+  $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw')
+
+  if $version and $service_name and $pkcs11_pin != 'NOT_SET_IN_HIERA' and $eidas_proxy_oidc_rp_jks != 'NOT_SET_IN_HIERA' and $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA'{
+
+    sunet::nftables::allow { 'allow-http-from-any':
+      from => any,
+      port => 80,
+    }
+    sunet::nftables::allow { 'allow-https-from-any':
+      from => any,
+      port => 443,
+    }
+
+    file { ['/etc/eidas-proxy/',"/etc/eidas-proxy/${country}"]:
+      ensure => directory,
+      mode => '0755',
+      owner => 'root',
+      group => 'root',
+    }
+    file { "/etc/eidas-proxy/${country}/keystore":
+      ensure => directory,
+      mode => '0755',
+      owner => 'root',
+      group => 'root',
+    }
+    sunet::snippets::secret_file {"/etc/eidas-proxy/${country}/metadata.p12":
+      hiera_key => 'eidas_metadata_key',
+      base64 => true
+    }
+    sunet::snippets::secret_file {"/etc/eidas-proxy/${country}/proxy.p12":
+      hiera_key => 'eidas_proxy_key',
+      base64 => true
+    }
+    file { ['/etc/luna','/etc/luna/cert']:
+      ensure => directory,
+      mode => '0755',
+      owner => 'root',
+      group => 'root',
+    }
+    if $eidas_proxy_oidc_rp_jks != '' {
+      sunet::snippets::secret_file {"/etc/eidas-proxy/${country}/keystore/oidc-rp.jks":
+        hiera_key => 'eidas_proxy_oidc_rp_jks',
+        base64 => true
+      }
+    }
+
+    sunet::docker_compose { 'eidas-proxy':
+      content => template('eid/proxy/docker-compose.yml.erb'),
+      service_name => 'eidas-proxy',
+      compose_dir => '/opt/',
+      compose_filename => 'docker-compose.yml',
+      description => 'eidas proxy'
+    }
+  }
+}
diff --git a/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb
new file mode 100644
index 00000000..98bbcb94
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/templates/proxy/docker-compose.yml.erb
@@ -0,0 +1,26 @@
+---
+services:
+  eidas-proxy:
+    image: docker.sunet.se/eidas-proxy:<%= @version %>
+    container_name: eidas-proxy
+    environment:
+      - PROXY_SERVICE_DOMAIN_PREFIX="https://<%= @service_name %>/eidas-ps"
+      - SPRING_PROFILES_ACTIVE=<%= @country %>
+      - CERTNAME="<%= server_fqdn %>_infra",
+      - spring_config_param="<%= @connector_directory %>/<%= @country %>/cfg/"
+      - PKCS11_PIN=<%= @pkcs11_pin %>
+      - PROXY_SERVICE_COOKIEENCRYPTPW= <%= proxy_service_cookie_encrypt_pw %>
+
+    hostname: <%= @server_fqdn %>
+
+    volumes:
+      - '/var/log/eidas-proxy:/var/log/eidas-proxy'
+      - '<%= @proxy_directory %>:<%= @proxy_directory %>'
+      - '/etc/luna/cert:/usr/safenet/lunaclient/cert'
+      - '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d'
+      - '/dev/log:/dev/log'
+      - '/etc/ssl:/etc/ssl'
+
+    ports:
+      - "443:8443"
+      - "127.0.0.1:444:8444"
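Review bot: `$pkcs11_pin` and `$proxy_service_cookie_encrypt_pw` are looked up from hiera only to be interpolated into the compose template, so the HSM PIN and the cookie encryption key are written in clear to the compose file under `/opt/` (with whatever mode `sunet::docker_compose` applies, which is not visible here) and become container environment readable via `docker inspect` and `/proc/<pid>/environ`. Consider delivering them with `sunet::snippets::secret_file` like the keystores and pointing the service at the file, or at minimum confirm the compose file is written 0600 root-only. Separately, the `.p12` and `.jks` files are placed under `/etc/eidas-proxy/${country}`, but the template only mounts `${proxy_directory}` (`/opt/eidas-proxy`), `/etc/luna/cert`, `/etc/Chrystoki.conf.d` and `/etc/ssl`, so unless something outside this diff copies them the container presumably cannot read them. When any guard in the big `if` is false the class silently configures nothing; an `else { fail("eid::proxy: version, service_name or a required hiera secret is not set") }` would surface the misconfiguration at agent run time instead. The `@param contry` line also mis-spells `country` and `compose`, and `$spring_config_param` has no `@param` entry.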
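Review bot: The `spring_config_param=...` environment entry uses the literal parameter name as the variable key instead of its value (`SPRING_CONFIG_ADDITIONAL_LOCATION`) and references `@connector_directory`, which `eid::proxy` does not declare (its parameter is `$proxy_directory`), so it most likely renders as `spring_config_param="/se/cfg/"` and the Spring config location is never set. `<%= server_fqdn %>` and `<%= proxy_service_cookie_encrypt_pw %>` are also missing the `@` prefix; in Puppet 4+ ERB, template variables are only reachable as instance variables, so rendering would presumably fail on those two lines. In list-form `environment:` the text after `=` is taken literally, so the quotes around the prefix and CERTNAME, the trailing `,` on CERTNAME and the space after `PROXY_SERVICE_COOKIEENCRYPTPW=` would all end up inside the variable values. The excerpt below shows the environment block with these corrected; the rest of the file is unchanged.

```erb
    environment:
      - PROXY_SERVICE_DOMAIN_PREFIX=https://<%= @service_name %>/eidas-ps
      - SPRING_PROFILES_ACTIVE=<%= @country %>
      - CERTNAME=<%= @server_fqdn %>_infra
      - <%= @spring_config_param %>=<%= @proxy_directory %>/<%= @country %>/cfg/
      - PKCS11_PIN=<%= @pkcs11_pin %>
      - PROXY_SERVICE_COOKIEENCRYPTPW=<%= @proxy_service_cookie_encrypt_pw %>
    # … unchanged: hostname, volumes, ports …
```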