From bfbdc71640eaefe65b37ad453a956d236ad66d0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Bergstr=C3=B6m?=
Date: Thu, 25 Jan 2024 13:51:43 +0100
Subject: [PATCH] rsync relay certificates to relay-2
---
 .../overlay/etc/puppet/manifests/cosmos-site.pp | 10 ++++++++++
 .../etc/puppet/modules/eid/manifests/relay.pp | 14 ++++++++++++++
 .../overlay/etc/hiera/data/local.yaml | 15 +++++++++++++++
 3 files changed, 39 insertions(+)
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 7b815f65..9f70b36b 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -940,3 +940,13 @@ node 'eumd-test-2.komreg.net' {
 line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eumd-test-common/:$COSMOS_REPO_MODELS"',
 }
 }
+
+node 'relay-1.swedenconnect.se' {
+ sunet::scriptherder::cronjob { "rsync_certificate_to_relay_2":
+ cmd => "/usr/bin/rsync -av --copy-links --delete /etc/letsencrypt/live/relay.swedenconnect.se/ root@relay-2.swedenconnect.se:",
+ minute => '9',
+ hour => '0',
+ ok_criteria => ['exit_status=0','max_age=48h'],
+ warn_criteria => ['exit_status=1','max_age=50h'],
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/eid/manifests/relay.pp b/global/overlay/etc/puppet/modules/eid/manifests/relay.pp
index e6a581c4..1bfd0126 100644
--- a/global/overlay/etc/puppet/modules/eid/manifests/relay.pp
+++ b/global/overlay/etc/puppet/modules/eid/manifests/relay.pp
@@ -17,4 +17,18 @@ class eid::relay() {
 port => '546',
 proto => 'udp',
 }
+
+
+ $relay_ip = hiera_array('relay_ip',[]);
+
+ if $relay_ip != '' {
+ sunet::misc::ufw_allow { "allow-relay-rrsync":
+ from => $relay_ip,
+ port => '22',
+ }
+ sunet::ssh_keys { 'relay-keys':
+ config => safe_hiera('relay_ssh_keys_mapping', {}),
+ key_database_name => 'relay_ssh_keys_db'
+ }
+ }
 }
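Review bot: The destination in `cmd` is the bare `root@relay-2.swedenconnect.se:`, so the target directory is decided entirely by the rrsync forced command attached to relay-1's key on relay-2, and nothing in this node block says so. If that key were ever accepted without the forced command, the same job would sync into root's home directory with `--delete`. I would add a comment above `cmd`, e.g. `# target dir is fixed by the rrsync forced command in relay-2's relay_ssh_keys_db; do not add a remote path`. The same comment should state that `--copy-links` ships the dereferenced private key rather than the symlinks, and `-v` can be dropped for an unattended job.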
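Review bot: The guard `if $relay_ip != '' {` compares the array returned by `hiera_array('relay_ip',[])` with an empty string, so it looks like it holds even when no `relay_ip` is configured and the default `[]` comes back. On such a host `sunet::misc::ufw_allow` would be declared with an empty `from` for port 22; how that define treats an empty list is not visible here, so the outcome should be confirmed rather than assumed. Testing for the empty array, e.g. `if $relay_ip != [] {` (or stdlib's `empty()` if the module already depends on it), makes the block a no-op wherever the hiera key is absent. The class body starts above this hunk.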
diff --git a/relay-2.swedenconnect.se/overlay/etc/hiera/data/local.yaml b/relay-2.swedenconnect.se/overlay/etc/hiera/data/local.yaml
index 233261d9..6a435ce8 100644
--- a/relay-2.swedenconnect.se/overlay/etc/hiera/data/local.yaml
+++ b/relay-2.swedenconnect.se/overlay/etc/hiera/data/local.yaml
@@ -11,3 +11,18 @@ submission_ip:
 - 2001:6b0:63:4::101 # monitor-tug-3
 - 89.47.184.215 # nic
 - 2001:6b0:5a:4020::330 # nic
+
+relay_ip:
+ - 89.47.185.206
+ - 2001:6b0:5a:4020::225
+
+relay_ssh_keys_db:
+ 'relay-1':
+ key : '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'
+ type : 'ssh-rsa'
+ name : 'relay-1'
+ options : 'command="/usr/bin/rrsync /etc/letsencrypt/live/relay.swedenconnect.se",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding'
+
+relay_ssh_keys_mapping:
+ 'root':
+ - 'relay-1'
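Review bot: The forced command in `options` runs `rrsync` without `-wo`, so relay-1's key can read back from `/etc/letsencrypt/live/relay.swedenconnect.se` on relay-2 as well as write to it, although the cron job only ever pushes. Making it `command="/usr/bin/rrsync -wo /etc/letsencrypt/live/relay.swedenconnect.se"` keeps the key write-only. The key is also not bound to a source address; the `relay_ip` firewall rule helps, but a `from="89.47.185.206,2001:6b0:5a:4020::225"` option would keep the restriction attached to the key itself if port 22 is ever opened by another rule. On OpenSSH 7.2 or later `restrict` can replace the individual `no-*` options and also covers restrictions added in future releases; whether `sunet::ssh_keys` passes these options through unchanged should be checked.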