Merge branch 'master' of ssh://git.nordu.net/eid-ops

2018-07-03 14:40:43 +02:00 · 2018-07-03 14:40:43 +02:00 · e3cbf83f7b
commit e3cbf83f7b
parent d323032d32 73a9aea348
14 changed files with 294 additions and 77 deletions
--- a/eidas-connector-common/overlay/etc/Chrystoki.conf.d/50-ha-slot.conf
+++ b/eidas-connector-common/overlay/etc/Chrystoki.conf.d/50-ha-slot.conf
@ -0,0 +1,8 @@
+VirtualToken = {
+   VirtualToken00Label = sc_ha;
+   VirtualToken00SN = 1462371088;
+   VirtualToken00Members = 462371088,462344047;
+}
+HASynchronize = {
+   sc_ha = 1;
+}
--- a/eumd-2.komreg.net/README
+++ b/eumd-2.komreg.net/README
@ -0,0 +1,3 @@
+
+The system documentation is in the docs directory of the multiverse repository.
+
--- a/eumd-2.komreg.net/overlay/etc/hiera/data/secrets.yaml.asc
+++ b/eumd-2.komreg.net/overlay/etc/hiera/data/secrets.yaml.asc
@ -0,0 +1,28 @@
+STATUS=UPDATED
+
+-----BEGIN PGP MESSAGE-----
+Version: GnuPG v2
+
+hQEMA/ni5nOCRnV1AQf8CmL02SoFvrAlqsks7MXhH5mX1ARXKj1MzufOu3hLH4Y9
+itfz/Kgc96CLh9ssDQ0F/L+Vfdx3lXbK9WFEsnJm5h3qjshr31HX50h3H8emCyAd
+SC7t+A22SyA4BfLq9ZOX3+fcfj4nsTmsEvDTgH92Rfg8dc5M7iG0ytNYG4s6Huxz
+wWK9LseHr9OPBA02aVqBYAEnWWDsQMBZudiHJf2HnvKcbnz2jz7bTBDAClBh1hIR
+xJYdU4zQ0a6d7JYn9Tw6hctFHqq+WPSuSRkzxPxf7/Z3ztdVzvKL4HNQjllxu2c1
+SA4ANK/CWYUyvXInfercrou214WoXFqPbq5yf8KQLtLpAZsuOlPl6uqn+p30NVtp
+wim+D04umHyDJbu7GZmSQUceQ+b4EDzUx1Tdy47rfaHQd/4zwSAQvGpCJ2v8cr3U
+VQUfFAz8mnkAkdywHenJocn7bfihyvYZL+krgFAUCfikdeZLEAyNQneJhN1udHmh
+8V4yyZXWfJKR0b2ln42EEqgmknNe/quYkUaEoih0L3otS+MraEeZQH9ix08zFLJQ
+QX+TQYedrgA0jZ7vVa29oNYxt2cEjh4gXcqtgSlqL25T4+rzyhDTDsBTtCFHs52+
+bZFM21xHr8qN1juiwAzv4sHbtaqEsi/Ua8iADoG4zk9ygvPV3Rb2Y2jNfFkR+Dvm
+ZE4Yc4nMgR9GygN17Er1jP+A43wRSUkRmrdVQo1g7dofOUrIiuyC2j2Fg8VhSH+s
+jGhrRvV37fDNIO6EWfsfyQgUdL4Rlo0sBFAZ8ltXtkceR+ssNjrXK6DwqSsB3hHO
+wEpC9FJLURcnjw/sQ6T3GfCWnp7tLQtr65rSuG1y8X2ti+arZE07Xaa1IwsdfKAz
+ISrBPM9Rzl/xVx7JB7Y8GibQ6WeTmZEe5jvfFSJDZxxYgRIN5BhQKiQd2OW5mGDc
+GQmja7PrLoPzneeUTLEdDT7TTQFiNZbNrC4glArZ9f97Cc+7dkSiwJLzvgGX7yQd
+qy4AOj0oYuvc9cRxLyS429fAF01shmbb+6KonKfoXjwgxWKs+yp4M1pxSMnEJzIn
+WcbxfOqBDIaibtqhgkplqT5W3NAPV1ltAJcwP5P5CG245bo0gCdfVmgP0TmjI77J
+B89kdLZSk6V4iBd39hFizs76RNIc4w48N7KuYCYQMNN0J2fGwfZMcSobjv7hgK31
+gZiBGisM1US40p/TvhgSZBWjs84Y/wuG3IAd8tix4tad4jYAi/asKrMlrgTFGDgg
+xoNGcEB1RiVdCjYJPISXCg+NhPzN+H7ZmoO2A3TmcedYAYlkns37rRwf
+=BZxq
+-----END PGP MESSAGE-----
--- a/eumd-common/overlay/etc/Chrystoki.conf.d/50-ha-slot.conf
+++ b/eumd-common/overlay/etc/Chrystoki.conf.d/50-ha-slot.conf
@ -0,0 +1,8 @@
+VirtualToken = {
+   VirtualToken00Label = sc_ha;
+   VirtualToken00SN = 1462371088;
+   VirtualToken00Members = 462371088,462344047;
+}
+HASynchronize = {
+   sc_ha = 1;
+}
--- a/eumd-common/overlay/etc/sunet-reinstall.keep
+++ b/eumd-common/overlay/etc/sunet-reinstall.keep
@ -1,3 +0,0 @@
-/etc/luna/cert
-/etc/metadata
-
--- a/eupub-2.komreg.net/README
+++ b/eupub-2.komreg.net/README
@ -0,0 +1,3 @@
+
+The system documentation is in the docs directory of the multiverse repository.
+
--- a/eupub-2.komreg.net/overlay/etc/hiera/data/local.yaml
+++ b/eupub-2.komreg.net/overlay/etc/hiera/data/local.yaml
@ -0,0 +1,3 @@
+---
+publisher_ssh_key: AAAAC3NzaC1lZDI1NTE5AAAAIH3sk7S/Wb3RIGETd6st93OFaLihyy8u/2ZJOIIhlKTQ
+publisher_ssh_key_type: ssh-ed25519
--- a/global/overlay/etc/puppet/cosmos-db.yaml
+++ b/global/overlay/etc/puppet/cosmos-db.yaml
@ -173,6 +173,21 @@ classes:
    nrpe: null
    sunet::rsyslog: null
    sunetops: null
+  eumd-2.komreg.net:
+    autoupdate: null
+    common: null
+    eid::dockerhost: null
+    eidas_hsm_client: null
+    entropyclient: null
+    infra_ca_rp: null
+    konsulter: null
+    mailclient: *id002
+    md_repo_client: null
+    md_signer: {dest_host: eupub-2.komreg.net, name: eidas-prod}
+    metadatamgrs: null
+    nrpe: null
+    sunet::rsyslog: null
+    sunetops: null
  eupub-1.komreg.net:
    autoupdate: null
    common: null
@ -188,6 +203,21 @@ classes:
          port: '443'
    sunet::rsyslog: null
    sunetops: null
+  eupub-2.komreg.net:
+    autoupdate: null
+    common: null
+    entropyclient: null
+    infra_ca_rp: null
+    mailclient: *id002
+    md_publisher: {keyname: eupub-2.komreg.net_infra}
+    nrpe: null
+    sunet::frontend::register_sites:
+      sites:
+        md.eidas.swedenconnect.se:
+          frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net]
+          port: '443'
+    sunet::rsyslog: null
+    sunetops: null
  fe-fre-3.komreg.net:
    common: null
    eid::dockerhost: null
@ -459,8 +489,8 @@ classes:
        eumd-1.komreg.net: {bridge: br-meta, cpus: '4', description: eid fre european
            metadata signer, gateway: 94.176.224.193, ip: 94.176.224.198, mac: '52:54:20:01:01:02',
          memory: '8192', netmask: 255.255.255.240}
-        eupub-1.komreg.net: {bridge: br-meta, cpus: '4', description: eid fre european  metadata
-            publisher, gateway: 94.176.224.193, ip: 94.176.224.200, mac: '52:54:20:01:01:04',
+        eupub-1.komreg.net: {bridge: br-meta, cpus: '4', description: eid fre european
+            metadata publisher, gateway: 94.176.224.193, ip: 94.176.224.200, mac: '52:54:20:01:01:04',
          memory: '4096', netmask: 255.255.255.240}
        natmd-1.komreg.net: {bridge: br-meta, cpus: '4', description: eid fre swedish
            metadata signer, gateway: 94.176.224.193, ip: 94.176.224.197, mac: '52:54:20:01:01:01',
@ -478,9 +508,18 @@ classes:
    common: null
    eid::kvmhost:
      vms:
+        eumd-2.komreg.net: {bridge: br-meta, cpus: '4', description: eid tug european
+            metadata signer, gateway: 94.176.224.65, ip: 94.176.224.70, mac: '52:54:20:02:03:02',
+          memory: '8192', netmask: 255.255.255.240}
+        eupub-2.komreg.net: {bridge: br-meta, cpus: '4', description: eid tug european
+            metadata publisher, gateway: 94.176.224.65, ip: 94.176.224.72, mac: '52:54:20:02:03:04',
+          memory: '4096', netmask: 255.255.255.240}
        natmd-2.komreg.net: {bridge: br-meta, cpus: '4', description: eid tug swedish
            metadata signer, gateway: 94.176.224.65, ip: 94.176.224.69, mac: '52:54:20:02:03:01',
          memory: '8192', netmask: 255.255.255.240}
+        natpub-2.komreg.net: {bridge: br-meta, cpus: '4', description: eid tug swedish
+            metadata publisher, gateway: 94.176.224.65, ip: 94.176.224.71, mac: '52:54:20:02:03:03',
+          memory: '4096', netmask: 255.255.255.240}
    entropyclient: null
    infra_ca_rp: null
    mailclient: *id002
@ -572,10 +611,17 @@ classes:
    sunet::rsyslog: null
    sunetops: null
  natmd-2.komreg.net:
+    autoupdate: null
    common: null
+    eid::dockerhost: null
+    eidas_hsm_client: null
    entropyclient: null
    infra_ca_rp: null
+    konsulter: null
    mailclient: *id002
+    md_repo_client: null
+    md_signer: {dest_host: natpub-2.komreg.net, name: natmd-prod}
+    metadatamgrs: null
    nrpe: null
    sunet::rsyslog: null
    sunetops: null
@ -594,6 +640,21 @@ classes:
          port: '443'
    sunet::rsyslog: null
    sunetops: null
+  natpub-2.komreg.net:
+    autoupdate: null
+    common: null
+    entropyclient: null
+    infra_ca_rp: null
+    mailclient: *id002
+    md_publisher: {keyname: natpub-2.komreg.net_infra}
+    nrpe: null
+    sunet::frontend::register_sites:
+      sites:
+        md.swedenconnect.se:
+          frontends: [fe-fre-3.komreg.net, fe-tug-3.komreg.net]
+          port: '443'
+    sunet::rsyslog: null
+    sunetops: null
  nic.komreg.net:
    autoupdate: null
    common: null
@ -733,59 +794,64 @@ members:
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
-    kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
-    kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
-    log-1.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net,
-    monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se,
+    log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, natpub-2.komreg.net,
    nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se,
    prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  autoupdate: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
-    jump-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se,
-    md-eu1.qa.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
-    natmd-1.komreg.net, natpub-1.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, log-1.sveidas.se,
+    log-2.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net, md-eu1.qa.komreg.net,
+    md1.komreg.net, monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net,
+    natpub-1.komreg.net, natpub-2.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
    prid-1.qa.sveidas.se, prid-1.sveidas.se, prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net,
    web-1.qa.sveidas.se]
  common: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
-    kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
-    kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
-    log-1.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net,
-    monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se,
+    log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, natpub-2.komreg.net,
    nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se,
    prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  eid::dockerhost: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se,
    eidas-redis-3.sveidas.se, eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se,
-    eidas-redis-fe-2.sveidas.se, eumd-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    natmd-1.komreg.net, prid-1.sveidas.se, prid-2.sveidas.se]
+    eidas-redis-fe-2.sveidas.se, eumd-1.komreg.net, eumd-2.komreg.net, fe-fre-3.komreg.net,
+    fe-tug-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, prid-1.sveidas.se,
+    prid-2.sveidas.se]
  eid::kvmhost: [kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net]
  eidas_connector: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se]
-  eidas_hsm_client: [eumd-1.komreg.net, natmd-1.komreg.net]
+  eidas_hsm_client: [eumd-1.komreg.net, eumd-2.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net]
  eidas_metadata_key: [md-eu1.qa.komreg.net, md1.komreg.net]
  eidas_proxy: [eidas-proxy-1.qa.sveidas.se]
  entropyclient: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
-    kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
-    kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
-    log-1.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net,
-    monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se,
+    log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, natpub-2.komreg.net,
    nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se,
    prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  github_client_credential: [web-1.qa.sveidas.se]
@ -793,48 +859,56 @@ members:
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
-    kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
-    kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
-    log-1.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net,
-    monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se,
+    log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, natpub-2.komreg.net,
    nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se,
    prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  konsulter: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
-    eumd-1.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net,
    md-eu1.qa.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net, natmd-1.komreg.net,
-    nic.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se, prid-2.sveidas.se, validator-1.qa.komreg.net]
+    natmd-2.komreg.net, nic.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se, prid-2.sveidas.se,
+    validator-1.qa.komreg.net]
  mailclient: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
-    kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
-    kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
-    log-1.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net,
-    monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se,
+    log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, natpub-2.komreg.net,
    nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se,
    prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
-  md_publisher: [eupub-1.komreg.net, natpub-1.komreg.net, p1.komreg.net, p2.qa.komreg.net]
-  md_repo_client: [eumd-1.komreg.net, md-eu1.qa.komreg.net, natmd-1.komreg.net]
+  md_publisher: [eupub-1.komreg.net, eupub-2.komreg.net, natpub-1.komreg.net, natpub-2.komreg.net,
+    p1.komreg.net, p2.qa.komreg.net]
+  md_repo_client: [eumd-1.komreg.net, eumd-2.komreg.net, md-eu1.qa.komreg.net, natmd-1.komreg.net,
+    natmd-2.komreg.net]
  md_repo_server: [r1.komreg.net]
-  md_signer: [eumd-1.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net, natmd-1.komreg.net]
-  metadatamgrs: [eumd-1.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net,
-    md-eu1.qa.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net, natmd-1.komreg.net]
+  md_signer: [eumd-1.komreg.net, eumd-2.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net]
+  metadatamgrs: [eumd-1.komreg.net, eumd-2.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, md-eu1.qa.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net]
  nagios_monitor: [monitor-fre-3.komreg.net, nic.komreg.net]
  nrpe: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
-    kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
-    kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
-    log-1.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net,
-    monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se,
+    log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, natpub-2.komreg.net,
    nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se,
    prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  openstack_dockerhost: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
@ -852,21 +926,23 @@ members:
  sunet::frontend::load_balancer: [fe-fre-3.komreg.net, fe-tug-3.komreg.net]
  sunet::frontend::register_sites: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se,
    eidas-connector-3.sveidas.se, eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se,
-    eidas-proxy-1.qa.sveidas.se, eupub-1.komreg.net, natpub-1.komreg.net, p1.komreg.net,
-    p2.qa.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
+    eidas-proxy-1.qa.sveidas.se, eupub-1.komreg.net, eupub-2.komreg.net, natpub-1.komreg.net,
+    natpub-2.komreg.net, p1.komreg.net, p2.qa.komreg.net, validator-1.qa.komreg.net,
+    web-1.qa.sveidas.se]
  sunet::rsyslog: [eidas-connector-1.sveidas.se, eidas-connector-2.sveidas.se, eidas-connector-3.sveidas.se,
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
-    kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
-    kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
-    log-1.sveidas.se, log-1.sveidas.se, log-2.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se,
-    log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
-    natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, nic.komreg.net, p1.komreg.net,
-    p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se, prid-2.sveidas.se,
-    r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-1.sveidas.se,
+    log-2.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net,
+    md1.komreg.net, monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net,
+    natpub-1.komreg.net, natpub-2.komreg.net, nic.komreg.net, p1.komreg.net, p2.qa.komreg.net,
+    prid-1.qa.sveidas.se, prid-1.sveidas.se, prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net,
+    web-1.qa.sveidas.se]
  sunet_iaas_cloud: [eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se, jmp.komreg.net,
    log.qa.sveidas.se, md-eu1.qa.komreg.net, md-eu1.qa.komreg.net, md1.komreg.net,
    nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, r1.komreg.net,
@ -875,12 +951,13 @@ members:
    eidas-connector-4.sveidas.se, eidas-node-1.qa.sveidas.se, eidas-proxy-1.qa.sveidas.se,
    eidas-redis-1.sveidas.se, eidas-redis-2.sveidas.se, eidas-redis-3.sveidas.se,
    eidas-redis-4.sveidas.se, eidas-redis-fe-1.sveidas.se, eidas-redis-fe-2.sveidas.se,
-    eumd-1.komreg.net, eupub-1.komreg.net, fe-fre-3.komreg.net, fe-tug-3.komreg.net,
-    jmp.komreg.net, jump-fre-3.komreg.net, jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net,
-    kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net, kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net,
-    kvminfra-tug-3.komreg.net, kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net,
-    log-1.sveidas.se, log-2.sveidas.se, log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net,
-    monitor-fre-3.komreg.net, natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net,
+    eumd-1.komreg.net, eumd-2.komreg.net, eupub-1.komreg.net, eupub-2.komreg.net,
+    fe-fre-3.komreg.net, fe-tug-3.komreg.net, jmp.komreg.net, jump-fre-3.komreg.net,
+    jump-tug-3.komreg.net, kvmeidas-fre-3.komreg.net, kvmeidas-tug-3.komreg.net, kvmfe-fre-3.komreg.net,
+    kvmfe-tug-3.komreg.net, kvminfra-fre-3.komreg.net, kvminfra-tug-3.komreg.net,
+    kvmmeta-fre-3.komreg.net, kvmmeta-tug-3.komreg.net, log-1.sveidas.se, log-2.sveidas.se,
+    log.qa.sveidas.se, md-eu1.qa.komreg.net, md1.komreg.net, monitor-fre-3.komreg.net,
+    natmd-1.komreg.net, natmd-2.komreg.net, natpub-1.komreg.net, natpub-2.komreg.net,
    nic.komreg.net, p1.komreg.net, p2.qa.komreg.net, prid-1.qa.sveidas.se, prid-1.sveidas.se,
    prid-2.sveidas.se, r1.komreg.net, validator-1.qa.komreg.net, web-1.qa.sveidas.se]
  validator: [validator-1.qa.komreg.net]
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -59,6 +59,33 @@ kvmmeta-tug-3.komreg.net:
            description: 'eid tug swedish metadata signer'
            cpus: '4'
            memory: '8192'
+         eumd-2.komreg.net:
+            mac: '52:54:20:02:03:02'
+            ip: '94.176.224.70'
+            netmask: '255.255.255.240'
+            gateway: '94.176.224.65'
+            bridge: 'br-meta'
+            description: 'eid tug european metadata signer'
+            cpus: '4'
+            memory: '8192'
+         natpub-2.komreg.net:
+            mac: '52:54:20:02:03:03'
+            ip: '94.176.224.71'
+            netmask: '255.255.255.240'
+            gateway: '94.176.224.65'
+            bridge: 'br-meta'
+            description: 'eid tug swedish metadata publisher'
+            cpus: '4'
+            memory: '4096'
+         eupub-2.komreg.net:
+            mac: '52:54:20:02:03:04'
+            ip: '94.176.224.72'
+            netmask: '255.255.255.240'
+            gateway: '94.176.224.65'
+            bridge: 'br-meta'
+            description: 'eid tug european metadata publisher'
+            cpus: '4'
+            memory: '4096'

 kvmeidas-tug-3.komreg.net:
   eid::kvmhost:
@ -196,7 +223,7 @@ kvmmeta-fre-3.komreg.net:
            netmask: '255.255.255.240'
            gateway: '94.176.224.193'
            bridge: 'br-meta'
-            description: 'eid fre european  metadata publisher'
+            description: 'eid fre european metadata publisher'
            cpus: '4'
            memory: '4096'

@ -278,6 +305,7 @@ natmd-1.komreg.net:
   md_signer:
      name: natmd-prod
      dest_host: natpub-1.komreg.net
+   md_repo_client:

 eumd-1.komreg.net:
   autoupdate:
@ -289,6 +317,7 @@ eumd-1.komreg.net:
   md_signer:
      name: eidas-prod
      dest_host: eupub-1.komreg.net
+   md_repo_client:

 natpub-1.komreg.net:
   autoupdate:
@ -314,6 +343,54 @@ eupub-1.komreg.net:
            - 'fe-tug-3.komreg.net'
         port: '443'

+natmd-2.komreg.net:
+   autoupdate:
+   eid::dockerhost:
+   metadatamgrs:
+   konsulter:
+   eidas_hsm_client:
+   md_repo_client:
+   md_signer:
+      name: natmd-prod
+      dest_host: natpub-2.komreg.net
+   md_repo_client:
+
+eumd-2.komreg.net:
+   autoupdate:
+   eid::dockerhost:
+   metadatamgrs:
+   konsulter:
+   eidas_hsm_client:
+   md_repo_client:
+   md_signer:
+      name: eidas-prod
+      dest_host: eupub-2.komreg.net
+   md_repo_client:
+
+natpub-2.komreg.net:
+   autoupdate:
+   md_publisher:
+     keyname: natpub-2.komreg.net_infra
+   sunet::frontend::register_sites:
+     sites:
+       'md.swedenconnect.se':
+         frontends:
+            - 'fe-fre-3.komreg.net'
+            - 'fe-tug-3.komreg.net'
+         port: '443'
+
+eupub-2.komreg.net:
+   autoupdate:
+   md_publisher:
+     keyname: eupub-2.komreg.net_infra
+   sunet::frontend::register_sites:
+     sites:
+       'md.eidas.swedenconnect.se':
+         frontends:
+            - 'fe-fre-3.komreg.net'
+            - 'fe-tug-3.komreg.net'
+         port: '443'
+
 nic.komreg.net:
   sunet_iaas_cloud:
   autoupdate:
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@ -120,6 +120,7 @@ class saml_metadata($filename=undef, $cert=undef, $url=undef) {
 }

 class md_repo_client {
+   sunet::snippets::reinstall::keep {'/etc/metadata': } ->
   sunet::ssh_git_repo {'/var/cache/metadata_r1':
      username    => 'root',
      group       => 'root',
@ -146,12 +147,13 @@ class eidas_metadata_key {

 class eidas_hsm_client($luna_version="6.2") {
   $pkcs11pin = hiera('pkcs11pin',"")
+   sunet::snippets::reinstall::keep {['/etc/luna','/etc/Chrystoki.conf.d']: } ->
   file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
   sunet::docker_run {"${name}_hsmproxy":
      hostname => "${::fqdn}",
      image    => 'docker.sunet.se/luna-client',
      imagetag => $luna_version,
-      volumes  => ['/dev/log:/dev/log','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
+      volumes  => ['/dev/log:/dev/log','/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
      env      => ["PKCS11PIN=${pkcs11pin}"]
   }
 }
--- a/natmd-common/overlay/etc/Chrystoki.conf.d/50-ha-slot.conf
+++ b/natmd-common/overlay/etc/Chrystoki.conf.d/50-ha-slot.conf
@ -0,0 +1,8 @@
+VirtualToken = {
+   VirtualToken00Label = sc_ha;
+   VirtualToken00SN = 1462371088;
+   VirtualToken00Members = 462371088,462344047;
+}
+HASynchronize = {
+   sc_ha = 1;
+}
--- a/natmd-common/overlay/etc/sunet-reinstall.keep
+++ b/natmd-common/overlay/etc/sunet-reinstall.keep
@ -1,3 +0,0 @@
-/etc/luna/cert
-/etc/metadata
-
--- a/natpub-2.komreg.net/README
+++ b/natpub-2.komreg.net/README
@ -0,0 +1,3 @@
+
+The system documentation is in the docs directory of the multiverse repository.
+
--- a/natpub-2.komreg.net/overlay/etc/hiera/data/local.yaml
+++ b/natpub-2.komreg.net/overlay/etc/hiera/data/local.yaml
@ -0,0 +1,3 @@
+---
+publisher_ssh_key: AAAAC3NzaC1lZDI1NTE5AAAAIH3sk7S/Wb3RIGETd6st93OFaLihyy8u/2ZJOIIhlKTQ
+publisher_ssh_key_type: ssh-ed25519
				`@ -0,0 +1,3 @@`

				`The system documentation is in the docs directory of the multiverse repository.`