diff --git a/global/overlay/etc/hiera/data/common.yaml b/global/overlay/etc/hiera/data/common.yaml
index 1f984e50..4e3c1200 100644
--- a/global/overlay/etc/hiera/data/common.yaml
+++ b/global/overlay/etc/hiera/data/common.yaml
@@ -27,6 +27,13 @@ nrpe_clients:
 - 94.176.224.229 - 94.176.224.101 +mgmt_addresses: + - 94.176.224.114 # jump-tug-3.komreg.net + - 2001:6b0:64:5::114 # jump-tug-3.komreg.net + - 94.176.224.242 # jump-fre-3.komreg.net + - 2001:6b0:64:5::242 # jump-fre-3.komreg.net + - 89.45.233.82 # jmp.komreg.net + ssh_authorized_keys: 'mariah+CA747E57':
diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml
index df3ec874..3031a7fa 100644
--- a/global/overlay/etc/puppet/cosmos-db.yaml
+++ b/global/overlay/etc/puppet/cosmos-db.yaml
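Review bot: The new `mgmt_addresses` list is uneven: jump-tug-3 and jump-fre-3 each carry an IPv4 and an IPv6 entry, but jmp.komreg.net (89.45.233.82) has no IPv6 counterpart, so if that host also originates connections over IPv6 they would fall outside whatever this list gates. Nothing in this diff reads the key, so a one-line comment above it naming its consumer would save the next reader a search, e.g. `# Management source addresses (jump hosts); read by <TODO: name the class/template that consumes this key>`. The per-address hostname comments are useful; a further note that the list must track the jump-host rules in cosmos-rules.yaml would make that coupling explicit rather than implicit.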
@@ -17,96 +17,103 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: &id002 {sshd_config: true} sunet_iaas_cloud: null sunetops: null demw-1.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_de_middleware: &id002 {hostname: demw.eidas.swedenconnect.se, version: 1.1.0-qa} + eidas_de_middleware: &id003 {hostname: demw.eidas.swedenconnect.se, version: 1.1.0-qa} entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null - saml_metadata: &id003 {filename: /opt/eidas-middleware/configuration/serviceprovider-metadata/connector-metadata.xml, + saml_metadata: &id004 {filename: /opt/eidas-middleware/configuration/serviceprovider-metadata/connector-metadata.xml, url: 'https://connector.eidas.swedenconnect.se/idp/metadata/sp'} - sunet::frontend::register_sites: &id004 + sunet::frontend::register_sites: &id005 sites: demw.eidas.swedenconnect.se: frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunetops: null demw-2.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_de_middleware: *id002 + eidas_de_middleware: *id003 entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null - saml_metadata: *id003 - sunet::frontend::register_sites: *id004 + saml_metadata: *id004 + sunet::frontend::register_sites: *id005 sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-connector-1.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_connector: &id005 {hostname: connector.eidas.swedenconnect.se, version: 1.5.2} + eidas_connector: &id006 {hostname: connector.eidas.swedenconnect.se, version: 1.5.2} entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null - sunet::frontend::register_sites: &id006 + sunet::frontend::register_sites: &id007 sites: connector.eidas.swedenconnect.se: frontends: [fe-fre-3.komreg.net, 
fe-tug-3.komreg.net] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-connector-2.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_connector: *id005 + eidas_connector: *id006 entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null - sunet::frontend::register_sites: *id006 + sunet::frontend::register_sites: *id007 sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-connector-3.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_connector: *id005 + eidas_connector: *id006 entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null - sunet::frontend::register_sites: *id006 + sunet::frontend::register_sites: *id007 sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-connector-4.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_connector: *id005 + eidas_connector: *id006 entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null - sunet::frontend::register_sites: *id006 + sunet::frontend::register_sites: *id007 sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-node-1.qa.sveidas.se: autoupdate: null @@ -124,6 +131,7 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null eidas-proxy-1.qa.sveidas.se: 
@@ -144,67 +152,72 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null eidas-proxy-1.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_proxy: &id007 {hostname: proxy.eidas.swedenconnect.se, version: 1.1.15} + eidas_proxy: &id008 {hostname: proxy.eidas.swedenconnect.se, version: 1.1.15} entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null servicemonitor: null - sunet::frontend::register_sites: &id008 + sunet::frontend::register_sites: &id009 sites: proxy.eidas.swedenconnect.se: frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-proxy-2.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_proxy: *id007 + eidas_proxy: *id008 entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null servicemonitor: null - sunet::frontend::register_sites: *id008 + sunet::frontend::register_sites: *id009 sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-proxy-3.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_proxy: *id007 + eidas_proxy: *id008 entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null servicemonitor: null - sunet::frontend::register_sites: *id008 + sunet::frontend::register_sites: *id009 sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-proxy-4.sveidas.se: autoupdate: null common: null eid::dockerhost: null - eidas_proxy: *id007 + eidas_proxy: *id008 entropyclient: null infra_ca_rp: null konsulter: null mailclient: *id001 nrpe: null servicemonitor: null - sunet::frontend::register_sites: *id008 + sunet::frontend::register_sites: *id009 sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-redis-1.sveidas.se: autoupdate: null 
@@ -216,6 +229,7 @@ classes: nrpe: null redis_cluster_node: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-redis-2.sveidas.se: autoupdate: null @@ -227,6 +241,7 @@ classes: nrpe: null redis_cluster_node: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-redis-3.sveidas.se: autoupdate: null @@ -238,6 +253,7 @@ classes: nrpe: null redis_cluster_node: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-redis-4.sveidas.se: autoupdate: null @@ -249,6 +265,7 @@ classes: nrpe: null redis_cluster_node: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-redis-fe-1.sveidas.se: autoupdate: null @@ -258,8 +275,9 @@ classes: infra_ca_rp: null mailclient: *id001 nrpe: null - redis_frontend_node: &id009 {hostname: redis.sveidas.se} + redis_frontend_node: &id010 {hostname: redis.sveidas.se} sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-redis-fe-2.sveidas.se: autoupdate: null @@ -269,8 +287,9 @@ classes: infra_ca_rp: null mailclient: *id001 nrpe: null - redis_frontend_node: *id009 + redis_frontend_node: *id010 sunet::rsyslog: null + sunet::server: *id002 sunetops: null eidas-test-1.sveidas.se: autoupdate: null @@ -282,14 +301,15 @@ classes: mailclient: *id001 nrpe: null servicemonitor: null - sunet::frontend::register_sites: &id010 + sunet::frontend::register_sites: &id011 sites: test.swedenconnect.se: frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunetops: null - test_my_eid: &id011 {environment: prod, hostname: test.swedenconnect.se, version: 1.2.0} + test_my_eid: &id012 {environment: prod, hostname: test.swedenconnect.se, version: 1.2.0} eidas-test-2.sveidas.se: autoupdate: null common: null 
@@ -300,10 +320,11 @@ classes: mailclient: *id001 nrpe: null servicemonitor: null - sunet::frontend::register_sites: *id010 + sunet::frontend::register_sites: *id011 sunet::rsyslog: null + sunet::server: *id002 sunetops: null - test_my_eid: *id011 + test_my_eid: *id012 eidastest-1.qa.sveidas.se: autoupdate: null common: null @@ -319,6 +340,7 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null eumd-1.komreg.net: @@ -335,6 +357,7 @@ classes: metadatamgrs: null nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null eumd-2.komreg.net: autoupdate: null @@ -350,6 +373,7 @@ classes: metadatamgrs: null nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null eupub-1.komreg.net: autoupdate: null @@ -366,6 +390,7 @@ classes: frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunetops: null eupub-2.komreg.net: autoupdate: null @@ -382,6 +407,7 @@ classes: frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunetops: null fe-fre-3.komreg.net: common: null @@ -392,6 +418,7 @@ classes: nrpe: null sunet::frontend::load_balancer: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null fe-tug-3.komreg.net: common: null @@ -402,6 +429,7 @@ classes: nrpe: null sunet::frontend::load_balancer: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null jmp.komreg.net: autoupdate: null @@ -415,6 +443,7 @@ classes: nrpe: null sunet::auditd: null sunet::rsyslog: null + sunet::server: {ssh_allow_from_anywhere: true} sunet_iaas_cloud: null sunetops: null jump-fre-3.komreg.net: @@ -428,6 +457,7 @@ classes: metadatamgrs: null nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null jump-tug-3.komreg.net: autoupdate: null 
@@ -440,6 +470,7 @@ classes: metadatamgrs: null nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvmdemw-fre-3a.komreg.net: common: null @@ -453,6 +484,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvmdemw-fre-3b.komreg.net: common: null @@ -466,6 +498,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvmeidas-fre-3.komreg.net: common: null @@ -566,6 +599,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvmeidas-tug-3.komreg.net: common: null @@ -666,6 +700,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvmfe-fre-3.komreg.net: common: null @@ -679,6 +714,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvmfe-tug-3.komreg.net: common: null @@ -692,6 +728,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvminfra-fre-3.komreg.net: common: null @@ -715,6 +752,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvminfra-tug-3.komreg.net: common: null @@ -738,6 +776,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvmmeta-fre-3.komreg.net: common: null @@ -760,6 +799,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null kvmmeta-tug-3.komreg.net: common: null @@ -782,6 +822,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null log-1.sveidas.se: autoupdate: null 
@@ -792,7 +833,8 @@ classes: konsulter: null mailclient: *id001 nrpe: null - sunet::rsyslog: &id012 {udp_client: 94.176.224.0/24, udp_port: 514} + sunet::rsyslog: &id013 {udp_client: 94.176.224.0/24, udp_port: 514} + sunet::server: *id002 sunetops: null log-2.sveidas.se: autoupdate: null @@ -803,7 +845,8 @@ classes: konsulter: null mailclient: *id001 nrpe: null - sunet::rsyslog: *id012 + sunet::rsyslog: *id013 + sunet::server: *id002 sunetops: null log.qa.sveidas.se: autoupdate: null @@ -814,6 +857,7 @@ classes: mailclient: *id001 nrpe: null sunet::rsyslog: {udp_port: 514} + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null md-eu1.qa.komreg.net: @@ -830,6 +874,7 @@ classes: nrpe: null openstack_dockerhost: null sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null md1.komreg.net: @@ -845,6 +890,7 @@ classes: nrpe: null openstack_dockerhost: null sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null monitor-fre-3.komreg.net: @@ -856,6 +902,7 @@ classes: nagios_monitor: null nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null monitor-tug-3.komreg.net: autoupdate: null @@ -867,6 +914,7 @@ classes: nagios_monitor: null nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null natmd-1.komreg.net: autoupdate: null @@ -882,6 +930,7 @@ classes: metadatamgrs: null nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null natmd-2.komreg.net: autoupdate: null @@ -897,6 +946,7 @@ classes: metadatamgrs: null nrpe: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null natpub-1.komreg.net: autoupdate: null @@ -912,6 +962,7 @@ classes: frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunetops: null natpub-2.komreg.net: autoupdate: null 
@@ -927,6 +978,7 @@ classes: frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunetops: null nic.komreg.net: autoupdate: null @@ -940,6 +992,7 @@ classes: nrpe: null sunet::nagiosapi: null sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null p1.komreg.net: @@ -956,6 +1009,7 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null p2.qa.komreg.net: @@ -973,6 +1027,7 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null prid-1.qa.sveidas.se: @@ -988,6 +1043,7 @@ classes: version: 1.0.3} servicemonitor: null sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null prid-1.sveidas.se: @@ -999,9 +1055,10 @@ classes: konsulter: null mailclient: *id001 nrpe: null - prid: &id013 {clients: prid_prod_clients, version: 1.0.1} + prid: &id014 {clients: prid_prod_clients, version: 1.0.1} servicemonitor: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null prid-2.sveidas.se: autoupdate: null @@ -1012,9 +1069,10 @@ classes: konsulter: null mailclient: *id001 nrpe: null - prid: *id013 + prid: *id014 servicemonitor: null sunet::rsyslog: null + sunet::server: *id002 sunetops: null r1.komreg.net: autoupdate: null @@ -1026,6 +1084,7 @@ classes: nrpe: null openstack_dockerhost: null sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null refidp-1.qa.sveidas.se: @@ -1043,6 +1102,7 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null swedenconnect_refidp: {hostname: qa.test.swedenconnect.se, version: 1.2.0} 
@@ -1062,6 +1122,7 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null test_my_eid: {hostname: qa.test.swedenconnect.se, version: 1.2.0} @@ -1080,6 +1141,7 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '443' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null validator: {version: 3.0.9} @@ -1100,6 +1162,7 @@ classes: frontends: [se-fre-lb-1.sunet.se, se-tug-lb-1.sunet.se] port: '80' sunet::rsyslog: null + sunet::server: *id002 sunet_iaas_cloud: null sunetops: null members: 
@@ -1306,6 +1369,24 @@ members: natpub-2.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se, prid-2.sveidas.se, r1.komreg.net, refidp-1.qa.sveidas.se, test-1.qa.sveidas.se, validator-1.qa.komreg.net, web-1.qa.sveidas.se] + sunet::server: [demw-1.qa.sveidas.se, demw-1.sveidas.se, demw-2.sveidas.se, eidas-connector-1.sveidas.se, + eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se, eidas-connector-4.sveidas.se, + eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, eidas-proxy-1.sveidas.se, + eidas-proxy-2.sveidas.se, eidas-proxy-3.sveidas.se, eidas-proxy-4.sveidas.se, + eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se, + eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se, + eidas-test-1.sveidas.se, eidas-test-2.sveidas.se, eidastest-1.qa.sveidas.se, eumd-1.komreg.net, + eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net, fe-fre-3.komreg.net, + fe-tug-3.komreg.net, jmp.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net, jump-fre-3.komreg.net, + jump-tug-3.komreg.net, jump-tug-3.komreg.net, kvmdemw-fre-3a.komreg.net, kvmdemw-fre-3b.komreg.net, + kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, + kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net, + kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se, + log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net, + monitor-tug-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, + natpub-2.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, + prid-1.sveidas.se, prid-2.sveidas.se, r1.komreg.net, refidp-1.qa.sveidas.se, test-1.qa.sveidas.se, + validator-1.qa.komreg.net, web-1.qa.sveidas.se] sunet_iaas_cloud: [demw-1.qa.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, eidastest-1.qa.sveidas.se, jmp.komreg.net, 
log.qa.sveidas.se, md-eu1.qa.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index cd610053..ee4af3e3 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -7,6 +7,8 @@ mailclient:
 domain: sunet.se sunet::rsyslog: + sunet::server: + sshd_config: true jmp.komreg.net: konsulter:
@@ -15,12 +17,16 @@ jmp.komreg.net:
 autoupdate: sunet::auditd: jumphosts: + sunet::server: + ssh_allow_from_anywhere: true '^jump-.+\.komreg\.net$': konsulter: metadatamgrs: autoupdate: jumphosts: + sunet::server: + ssh_allow_from_anywhere: true kvmfe-tug-3.komreg.net: eid::kvmhost:
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 56b647ab..2524b8e4 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -658,9 +658,6 @@ class sunetops {
 'pypi' => false, default => true, } - class { 'sunet::server': - sshd_config => $sshd_config, - } # SSH config, create SSH authorized keys from Hiera $ssh_authorized_keys = hiera_hash('ssh_authorized_keys', undef)
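Review bot: The `sunet::server` parameters contributed by different rules do not survive together in the generated cosmos-db.yaml of this same commit: jmp.komreg.net ends up with `sunet::server: {ssh_allow_from_anywhere: true}` and no `sshd_config: true`, while jump-fre-3.komreg.net and jump-tug-3.komreg.net get `*id002` (`{sshd_config: true}`) and lose the `ssh_allow_from_anywhere: true` that the `'^jump-.+\.komreg\.net$'` rule in the second hunk sets for them. If `sshd_config` restricts sshd to `mgmt_addresses` (presumably; the class is outside this diff), the jump-* hosts become reachable only from each other and jmp misses the hardened config, so the outcome should not depend on rule order or on how per-class parameters are merged. Make each jump-host rule self-contained by carrying both keys, `sunet::server:` / `  sshd_config: true` / `  ssh_allow_from_anywhere: true`, in both the `jmp.komreg.net` entry and the `'^jump-.+'` entry, then regenerate cosmos-db.yaml; the doubled `jmp.komreg.net` and `jump-*` entries in the generated `sunet::server` member list are consistent with two rules each contributing the class with only one parameter set surviving. The rule enclosing the first hunk starts outside it (its header shows only `mailclient:`), and the manifest code removed in cosmos-site.pp chose `sshd_config` per host (`'pypi' => false`), an exception the unconditional `sshd_config: true` here would drop for any host that rule matches.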