# This manifest is managed using cosmos Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", } include sunet class mailclient ($domain) { sunet::preseed_package {"postfix": ensure => present, options => {domain => $domain}} } class autoupdate { class { 'sunet::updater': cron => true, cosmos_automatic_reboot => true } } class jumphosts {} class infra_ca_rp (Boolean $monitor_infra_cert = true,){ sunet::ici_ca::rp { 'infra': monitor_infra_cert => $monitor_infra_cert} } # you need a default node, all nodes need ssh + ufw node default { } class site_alias($alias_name=undef) { file { "/var/www/$alias_name": ensure => link, target => $name } } class common { include sunet::tools include sunet::motd include sunet::ntp if $::sunet_nftables_opt_in != 'yes' and ! ( $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '22.04') >= 0 ) { warning('Enabling UFW') include ufw } else { warning('Enabling nftables') ensure_resource ('class','sunet::nftables::init', { }) } include apt # Only import appaprmor for ubuntu22 and older if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') <= 0 ){ include apparmor } include sunet::packages::jq package { 'needrestart': ensure => installed} package {'lshw': ensure => 'latest'} # change git repo from gitops.sunet.se to platform.sunet.se exec { 'git_repo_sunet': cwd => '/var/cache/cosmos/repo', command => '/usr/bin/git remote set-url origin https://platform.sunet.se/swedenconnect/eid-ops.git git://gitops.sunet.se/eid-ops', onlyif => '/usr/bin/git remote get-url origin | grep -qi gitops.sunet.se/eid-ops', } } class dhcp6_client { ufw::allow { "allow-dhcp6-546": ip => 'any', port => '546', proto => 'udp', } ufw::allow { "allow-dhcp6-547": ip => 'any', port => '547', proto => 'udp' } } class entropyclient { # Entropy is not needed on modern kernels, we should remove this class when done with SC-2522 if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') <= 0 ){ include sunet::simple_entropy sunet::ucrandom {'random.nordu.net': ensure => absent } sunet::nagios::nrpe_check_process { 'haveged': } } } class openstack_dockerhost { class { 'sunet::dockerhost': docker_version => '17.12.0~ce-0~ubuntu', docker_package_name => 'docker-ce', storage_driver => "aufs", run_docker_cleanup => true, manage_dockerhost_unbound => true, docker_network => true } } class sunet_iaas_cloud { sunet::cloud_init::config { 'disable_datasources': config => { datasource_list => [ 'None' ] } } sunet::cloud_init::config { 'keep_root_enabled': config => { disable_root => 'false' } } } class webserver($enabled=true) { if $enabled { ufw::allow { "allow-http": ip => 'any', port => '80' } ufw::allow { "allow-https": ip => 'any', port => '443' } } else { ufw::deny { "allow-http": ip => 'any', port => '80' } ufw::deny { "allow-https": ip => 'any', port => '443' } } } class webserver_new { sunet::misc::ufw_allow { 'http': from => 'any', port => '80', } sunet::misc::ufw_allow { 'https': from => 'any', port => '443', } } class servicemonitor { $nagios_ip_v4 = hiera_array('nagios_ip_v4',[]); sunet::misc::ufw_allow { "allow-servicemonitor-from-nagios": from => $nagios_ip_v4, port => '444', } } class https_server { } class fe_servers { } class eidas_log { ensure_resource('file','/etc/logrotate.d',{ ensure => 'directory', mode => '0755' }) file {'/etc/logrotate.d/eidas_logs': ensure => file, path => '/etc/logrotate.d/eidas_logs', mode => '0644', content => template('eid/eidas_logs/eidas_logs.erb') } } class swamid_metadata($filename=undef) { sunet::metadata::swamid { "$filename": } } class saml_metadata($filename=undef, $cert=undef, $url=undef) { sunet::metadata { "$filename": url => $url, cert => $cert } } class md_repo_client { sunet::snippets::reinstall::keep {['/etc/metadata','/root/.ssh']: } -> sunet::ssh_git_repo {'/var/cache/metadata_r1': username => 'root', group => 'root', hostname => 'r1.komreg.net', url => 'git@r1.komreg.net:komreg-metadata.git', id => 'komreg', manage_user => false } -> package { ['make']: ensure => latest } -> sunet::scriptherder::cronjob { 'verify_and_update': cmd => '/var/cache/metadata_r1/scripts/do-update.sh', minute => '*/5', ok_criteria => ['exit_status=0', 'max_age=15m'], warn_criteria => ['exit_status=0', 'max_age=1h'], } } class eidas_metadata_key { sunet::snippets::secret_file {"/etc/credentials/metadata.key": hiera_key => 'eidas_metadata_key', base64 => true } } class eidas_hsm_client($luna_version="7.4-dev") { $pkcs11pin = hiera('pkcs11pin',"") sunet::snippets::reinstall::keep {['/etc/luna','/etc/Chrystoki.conf.d']: } -> file {['/etc/luna','/etc/luna/cert']: ensure => directory } -> sunet::docker_run {"${name}_hsmproxy": hostname => "${::fqdn}", image => 'docker.sunet.se/luna-client', imagetag => $luna_version, volumes => ['/dev/log:/dev/log','/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d','/etc/luna/cert:/usr/safenet/lunaclient/cert'], env => ["PKCS11PIN=${pkcs11pin}"], extra_parameters => ["--log-driver=syslog"] } sunet::scriptherder::cronjob { "${name}_restart_hsmproxy": cmd => "/usr/sbin/service docker-${name}_hsmproxy restart", minute => '9', hour => '0', ok_criteria => ['exit_status=0','max_age=48h'], warn_criteria => ['exit_status=1','max_age=50h'], } } class md_signer($dest_host=undef,$dest_dir="",$version="eidas") { package { ['xsltproc','libxml2-utils','attr']: ensure => latest } -> sunet::pyff {$name: version => $version, pound_and_varnish => false, pipeline => "${name}.fd", volumes => ["/etc/credentials:/etc/credentials"], docker_run_extra_parameters => ["--log-driver=syslog"] } if ($dest_host) { sunet::ssh_host_credential { "${name}-publish-credential": hostname => $dest_host, username => 'root', group => 'root', manage_user => false, ssh_privkey => safe_hiera("publisher_ssh_privkey") } -> sunet::scriptherder::cronjob { "${name}-publish": cmd => "env RSYNC_ARGS='--chown=www-data:www-data --chmod=D0755,F0664 --xattrs' /usr/local/bin/mirror-mdq.sh http://localhost root@${dest_host}:${dest_dir}", minute => '*/5', ok_criteria => ['exit_status=0'], warn_criteria => ['max_age=30m'] } } } class md_publisher(Array $allow_clients=['any'], $keyname=undef, String $dir="/var/www/html", $signer_ip_adress=undef) { $_keyname = $keyname ? { undef => $::fqdn, default => $keyname } # this allows fileage check to work wo sudo file { '/var/www': ensure => directory, mode => '0755' } -> file { '/var/www/html': ensure => directory, mode => '0755', owner => 'www-data', group =>'www-data' } -> sunet::ssh_keys { 'publisher-keys': config => safe_hiera('publisher_ssh_keys_mapping', {}), key_database_name => 'publisher_ssh_keys_db' } -> package {['lighttpd','attr']: ensure => latest } -> exec {'enable-ssl': command => "/usr/sbin/lighttpd-enable-mod ssl", onlyif => "test ! -h /etc/lighttpd/conf-enabled/*ssl*" } -> file {'/etc/lighttpd/server.pem': ensure => 'link', target => "/etc/ssl/private/${_keyname}.pem" } -> if ($::operatingsystemrelease < '20.04') { apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd' } } else { apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd.upgraded' } } file {'/etc/lighttpd/conf-enabled/99-mime-xattr.conf': ensure => file, mode => '0640', owner => 'root', group => 'root', content => inline_template("mimetype.use-xattr = \"enable\"\n") } -> service {'lighttpd': ensure => running } -> sunet::misc::ufw_allow {'allow-lighttpd': from => $allow_clients, port => 443 } -> sunet::nagios::nrpe_check_fileage {"metadata_aggregate": filename => "/var/www/html/entities/index.html", # yes this is correct warning_age => '1800', critical_age => '86400' } sunet::misc::ufw_allow { "allow_ssh": from => $signer_ip_adress, port => '22', } } class mdsl_publisher() { sunet::nagios::nrpe_check_fileage {"mdsl_aggregate": filename => "/var/www/html/mdservicelist-aggregate.xml", # yes this is correct warning_age => '600', critical_age => '86400' } sunet::nagios::nrpe_check_fileage {"mdsl_se": filename => "/var/www/html/mdservicelist-se.xml", # yes this is correct warning_age => '600', critical_age => '86400' } } class proxy_eidas_metadata() { sunet::nagios::nrpe_check_fileage {"proxy_eidas_metadata_cache": filename => "/etc/eidas-proxy/se/ps-mdcache/metadata-cache.xml", warning_age => '600', critical_age => '172800' } } class md_repo_server($hostname) { ensure_resource('sunet::system_user', 'www-data', { username => 'www-data', group => 'www-data', managehome => false, shell => '/bin/bash' }) class {'sunet::gitolite': save_private_admin_key_on_server=>false } sunet::snippets::add_user_to_group { 'add_www_data_to_git': username => 'www-data', group => 'git' } -> sunet::docker_run {'gitweb': image => 'docker.sunet.se/gitweb', imagetag => 'latest', volumes => ['/etc/dehydrated:/etc/dehydrated','/home/git:/home/git'], ports => ['443:443','80:80'], env => ["HOSTNAME=$hostname","ACMEDIR=/etc/dehydrated","KEYDIR=/etc/dehydrated"], extra_parameters => ["--log-driver=syslog"] } ensure_resource('class','webserver',{}) ensure_resource('class','https_server',{}) $md_signers_ip = hiera_array('md_signers',[]) sunet::misc::ufw_allow { 'allow_ssh_md_signers': from => $md_signers_ip, port => '22', } } class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') { $_version = safe_hiera('eidas_demw_version',$version) $_hostname = safe_hiera('eidas_demw_hostname',$hostname) $poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password') $spring_datasource_password = safe_hiera('spring_datasource_password') $pkcs11_pin = safe_hiera('pkcs11_pin') #saved directly in admin inteface from version 3.0.0 onwards $demw_tls_client_key = safe_hiera('demw_tls_client_key') $demw_tls_client_cert = safe_hiera('demw_tls_client_cert') $demw_tls_server_cert = safe_hiera('demw_tls_server_cert') file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database', '/opt/eidas-middleware/database/hsql']: ensure => directory } -> file {['/etc/luna','/etc/luna/cert']: ensure => directory } -> sunet::docker_run {'eidas-demw': image => 'docker.sunet.se/eidas-demw', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443','10000:10000'], volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware', '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration', '/opt/eidas-middleware/database:/opt/eidas-middleware/database', '/dev/log:/dev/log', '/etc/luna/cert:/usr/safenet/lunaclient/cert', '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d', '/etc/ssl:/etc/ssl'], env => ["CERTNAME=${::fqdn}_infra", "LOGGING_LEVEL_DE_GOVERNIKUS_EUMW_POSEIDAS_SERVER_IDPROVIDER_CONFIG=DEBUG", "SC_HSM.P11_PIN=$pkcs11_pin", "SC_HSM_P11_CONFIG_FILE=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config", "SC_HSM.P11_ALIAS=sc_eidas_sign", 'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"', "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"], extra_parameters => ["--log-driver=syslog"] } } class eidas_de_middleware_hsm_test($version="110-fixes-sc-p11",$hostname='localhost') { $_version = safe_hiera('eidas_demw_version',$version) $_hostname = safe_hiera('eidas_demw_hostname',$hostname) $spring_datasource_password = safe_hiera('spring_datasource_password') $pkcs11_pin = safe_hiera('pkcs11_pin') #saved directly in admin inteface from version 3.0.0 onwards $demw_tls_client_key = safe_hiera('demw_tls_client_key') $demw_tls_client_cert = safe_hiera('demw_tls_client_cert') $demw_tls_server_cert = safe_hiera('demw_tls_server_cert') file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database','/opt/eidas-middleware/database/hsql']: ensure => directory } -> file {['/etc/luna','/etc/luna/cert']: ensure => directory } -> sunet::docker_run {'eidas-demw': image => 'docker.sunet.se/eidas-demw', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443','10000:10000'], volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware', '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration', '/opt/eidas-middleware/database:/opt/eidas-middleware/database', '/dev/log:/dev/log', '/etc/luna/cert:/usr/safenet/lunaclient/cert', '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d', '/etc/ssl:/etc/ssl'], env => ["CERTNAME=${::fqdn}_infra", "LOGGING_LEVEL_DE_GOVERNIKUS_EUMW_POSEIDAS_SERVER_IDPROVIDER_CONFIG=DEBUG", "SC_HSM.P11_PIN=$pkcs11_pin", "SC_HSM_P11_CONFIG_FILE=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config", "SC_HSM.P11_ALIAS=sc_eidas_sign", 'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"', "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"], extra_parameters => ["--log-driver=syslog"] } sunet::nftables::docker_expose { 'https' : allow_clients => 'any', port => '443', iif => "${interface_default}", } sunet::nftables::docker_expose { 'admin_gui' : allow_clients => 'any', port => '10000', iif => "${interface_default}", } } class eidas_de_middleware($version="106-rs",$hostname='localhost') { $_version = safe_hiera('eidas_demw_version',$version) $_hostname = safe_hiera('eidas_demw_hostname',$hostname) $poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password') $spring_datasource_password = safe_hiera('spring_datasource_password') #saved directly in admin inteface from version 3.0.0 onwards $middleware_crypt_pin = safe_hiera('middleware_crypt_pin') $middleware_sign_pin = safe_hiera('middleware_sign_pin') $demw_tls_client_key = safe_hiera('demw_tls_client_key') $demw_tls_client_cert = safe_hiera('demw_tls_client_cert') $demw_tls_server_cert = safe_hiera('demw_tls_server_cert') file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database','/opt/eidas-middleware/database/hsql']: ensure => directory } -> #saved directly in admin interface from version 3.0.0 onwards sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-signature-keystore.jks": hiera_key => 'eidasmw-signature-keystore', base64 => true } -> #no longer needed in version 3.0.0 onwards file { '/opt/eidas-middleware/configuration/POSeIDAS.xml.sh': ensure => present, content => template('eid/demw/POSeIDAS.xml.sh.erb'), mode => '0744', } #saved directly in admin interface from version 3.0.0 onwards sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-crypto-keystore.jks": hiera_key => 'eidasmw-crypto-keystore', base64 => true } sunet::docker_run {'eidas-demw': image => 'docker.sunet.se/eidas-demw', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443','127.0.0.1:10000:10000'], volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware', '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration', '/opt/eidas-middleware/database:/opt/eidas-middleware/database', '/dev/log:/dev/log', '/etc/ssl:/etc/ssl'], env => ["CERTNAME=${::fqdn}_infra", "PUBLIC_HOSTNAME=$_hostname", "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password", 'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"'], extra_parameters => ["--log-driver=syslog"] } } class eidas_sp($version="1.0.0",$hostname='localhost',$environment='qa') { $_version = safe_hiera('eidas_sp_version',$version) $_hostname = safe_hiera('eidas_sp_hostname',$hostname) file {['/etc/eidas-sp','/var/log/eidas-sp','/etc/ssl']: ensure => directory } -> sunet::docker_run {'eidas-sp': image => 'docker.sunet.se/eidas-sp', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443','127.0.0.1:444:8444'], volumes => ['/var/log/eidas-sp:/var/log/eidas-sp', '/etc/eidas-sp:/etc/eidas-sp', '/dev/log:/dev/log', '/etc/ssl:/etc/ssl'], env => ["SERVER_SERVLET_CONTEXT_PATH=/", "SP_USE_SC_LOGO=false", "SP_ENTITY_ID=https://$_hostname/sp", "SPRING_PROFILES_ACTIVE=$environment", "SP_BASE_URI=https://$_hostname"], extra_parameters => ["--log-driver=syslog"] } ensure_resource('class','webserver',{}) ensure_resource('class','https_server',{}) } class test_my_eid($version="1.0.1",$hostname='localhost',$environment='qa') { $_version = safe_hiera('test_my_eid_version',$version) $_hostname = safe_hiera('test_my_eid_hostname',$hostname) file {['/etc/test-my-eid','/var/log/test-my-eid','/etc/ssl']: ensure => directory } -> if ($environment== 'default') { sunet::docker_run {'test-my-eid': image => 'docker.sunet.se/test-my-eid', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443','127.0.0.1:444:8444'], volumes => ['/var/log/test-my-eid:/var/log/test-my-eid', '/etc/test-my-eid:/etc/test-my-eid', '/dev/log:/dev/log', '/etc/ssl:/etc/ssl'], env => ["SERVER_SERVLET_CONTEXT_PATH=/", "SP_ENTITY_ID=https://$_hostname/sp", "SIGN_SP_ENTITY_ID=https://$_hostname/sp-sign", "SPRING_PROFILES_ACTIVE=$environment", "SP_BASE_URI=https://$_hostname", "SP_DISCOVERY_STATIC_IDP_CONFIGURATION=file:/etc/test-my-eid/idp-disco-test.properties", "SP_FEDERATION_METADATA_URL=https://test.md.swedenconnect.se/role/idp.xml", "SP_FEDERATION_METADATA_VALIDATION_CERTIFICATE=file:/etc/test-my-eid/test-metadata-signer.crt", "SP_EIDAS_CONNECTOR_ENTITY_ID=https://test.connector.eidas.swedenconnect.se/eidas"], extra_parameters => ["--log-driver=syslog"] } } else { sunet::docker_run {'test-my-eid': image => 'docker.sunet.se/test-my-eid', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443','127.0.0.1:444:8444'], volumes => ['/var/log/test-my-eid:/var/log/test-my-eid', '/etc/test-my-eid:/etc/test-my-eid', '/dev/log:/dev/log', '/etc/ssl:/etc/ssl'], env => ["SERVER_SERVLET_CONTEXT_PATH=/", "SP_ENTITY_ID=https://$_hostname/sp", "SIGN_SP_ENTITY_ID=https://$_hostname/sp-sign", "SPRING_PROFILES_ACTIVE=$environment", "SP_BASE_URI=https://$_hostname", "SP_DISCOVERY_STATIC_IDP_CONFIGURATION=file:/etc/test-my-eid/idp-disco-$environment.properties"], extra_parameters => ["--log-driver=syslog"] } } ensure_resource('class','webserver',{}) ensure_resource('class','https_server',{}) } class eidastest($version="1.0.0", $hostname="locahost") { $_version = safe_hiera('eidastest_version',$version) $_hostname = safe_hiera('eidastest_hostname',$hostname) $home = '/etc/eidastest' file { "${home}": ensure => directory, owner => 'root', group => 'root', path => "${home}", mode => '0755', } file { "${home}/eidastest/config.ini": content => template('eid/eidastest/config.ini.erb'), owner => 'root', group => 'root', mode => '0755', } file { "${home}/eidastest/supervise_firefox_processes.sh": content => template('eid/eidastest/supervise_firefox_processes.sh.erb'), owner => 'root', group => 'root', mode => '0755', } $compose = hiera("eidastest_compose") sunet::docker_compose {'eidastest_docker_compose': service_name => 'eidastest', description => 'eidastest service', compose_dir => "${home}", content => inline_template("<%= @compose.to_yaml %>\n") } ensure_resource('class','webserver',{}) ensure_resource('class','https_server',{}) } class swedenconnect_refidp($version="1.0.3",$hostname='localhost',$env=undef) { $_version = safe_hiera('swedenconnect_refidp_version',$version) $_hostname = safe_hiera('swedenconnect_refidp_hostname',$hostname) $idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt'); $idp_fticks_salt = safe_hiera('idp_fticks_salt'); $proxy_header_secret = safe_hiera('proxy_header_secret'); file { ["/etc/swedenconnect-idp","/etc/swedenconnect-idp/credentials"]: ensure => directory } -> sunet::docker_run {'swedenconnect-idp': image => 'docker.sunet.se/swedenconnect-idp', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443'], volumes => ['/var/log/swedenconnect-idp:/var/log/swedenconnect-idp', '/etc/swedenconnect-idp:/etc/swedenconnect-idp', '/dev/log:/dev/log', '/etc/ssl:/etc/ssl'], env => ["IDP_SERVER_HOSTNAME=$_hostname", "TOMCAT_HOSTNAME=$_hostname", "IDP_FEDERATION_METADATA_URL=https://${env}.md.swedenconnect.se/entities/", "IDP_FEDERATION_METADATA_VALIDATION_CERT=/etc/swedenconnect-idp/credentials/trust/sc-${env}-metadata-validation-cert.crt", "TOMCAT_TLS_SERVER_KEY=/etc/ssl/private/${::fqdn}_infra.key", "TOMCAT_TLS_SERVER_CERTIFICATE=/etc/ssl/certs/${::fqdn}_infra.crt", "TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret", "IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt", "IDP_FTICKS_SALT=$idp_fticks_salt"], extra_parameters => ["--log-driver=syslog"] } ensure_resource('class','webserver',{}) ensure_resource('class','https_server',{}) } class eidas_connector($version="1.0.6",$hostname='localhost',$luna_debug='no') { $_version = safe_hiera('eidas_connector_version',$version) $_hostname = safe_hiera('eidas_connector_hostname',$hostname) $prid_service = safe_hiera('eidas_prid_service') $idp_fticks_salt = safe_hiera('idp_fticks_salt'); $pkcs11_pin = safe_hiera('pkcs11_pin'); $idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt'); $idp_sealer_password = safe_hiera('idp_sealer_password'); $proxy_header_secret = safe_hiera('proxy_header_secret'); file {['/etc/eidas-connector','/etc/eidas-connector/credentials','/etc/eidas-connector/credentials/sp','/etc/eidas-connector/credentials/idp','/etc/eidas-connector/credentials/tomcat','/var/log/eidas-connector']: ensure => directory } -> sunet::snippets::secret_file {"/etc/eidas-connector/credentials/sealer.jks": hiera_key => 'eidas_connector_sealer_jks', base64 => true } -> sunet::snippets::secret_file {"/etc/eidas-connector/credentials/connector.key": hiera_key => 'eidas_connector_key', base64 => true } -> sunet::snippets::secret_file {"/etc/eidas-connector/credentials/metadata.key": hiera_key => 'eidas_metadata_key', base64 => true } -> sunet::snippets::secret_file {"/etc/eidas-connector/credentials/tomcat/tomcat-key.pem": hiera_key => 'eidas_connector_tomcat_key', base64 => true } -> file {['/etc/luna','/etc/luna/cert']: ensure => directory } -> sunet::docker_run {'eidas-connector': image => 'docker.sunet.se/eidas-connector', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443'], volumes => ['/var/log/eidas-connector:/var/log/eidas-connector', '/etc/eidas-connector:/etc/eidas-connector', '/dev/log:/dev/log', '/etc/luna/cert:/usr/safenet/lunaclient/cert', '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d', '/etc/ssl:/etc/ssl'], env => ["IDP_SERVER_HOSTNAME=$_hostname", "TOMCAT_HOSTNAME=$_hostname", "TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret", "EIDAS_METADATA_IGNORE_SIGNATURE_VALIDATION=false", "PKCS11_PIN=$pkcs11_pin", "LUNA_DEBUG=$luna_debug", "IDP_ENTITY_ID=https://$_hostname/eidas", "SP_ENTITY_ID=https://$_hostname/idp/metadata/sp", "IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt", "IDP_SEALER_PASSWORD=$idp_sealer_password", "IDP_FTICKS_SALT=$idp_fticks_salt", "IDP_PRID_SERVICE_URL=$prid_service"], extra_parameters => ["--log-driver=syslog"] } sunet::scriptherder::cronjob { "${name}_clean_logs": cmd => "/usr/bin/find /var/log/eidas-connector -ctime +180 -type f -name *.log -delete", minute => '2', hour => '0', ok_criteria => ['exit_status=0','max_age=48h'], warn_criteria => ['exit_status=1','max_age=50h'], } ensure_resource('class','webserver',{}) ensure_resource('class','https_server',{}) } class eidas_proxy($version='1.0.0',$country='se',$hostname='localhost', $spring_config_param='SPRING_CONFIG_LOCATION') { $_version = safe_hiera('eidas_proxy_version',$version) $_hostname = safe_hiera('eidas_proxy_hostname',$hostname); $_country = safe_hiera('eidas_proxy_country',$country); $_pkcs11pin = safe_hiera('pkcs11_pin'); $_eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks',''); $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw'); file {['/etc/eidas-proxy/',"/etc/eidas-proxy/$_country"]: ensure => directory } -> file {["/etc/eidas-proxy/$_country/keystore"]: ensure => directory } -> sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/metadata.p12": hiera_key => 'eidas_metadata_key', base64 => true } -> sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/proxy.p12": hiera_key => 'eidas_proxy_key', base64 => true } -> file {['/etc/luna','/etc/luna/cert']: ensure => directory } -> sunet::docker_run {'eidas-proxy': image => 'docker.sunet.se/eidas-proxy', imagetag => $_version, hostname => "${::fqdn}", ports => ['443:8443','127.0.0.1:444:8444'], volumes => ['/var/log/eidas-proxy:/var/log/eidas-proxy', '/etc/eidas-proxy:/etc/eidas-proxy', '/dev/log:/dev/log', '/etc/luna/cert:/usr/safenet/lunaclient/cert', '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d', '/etc/ssl:/etc/ssl'], env => ["PROXY_SERVICE_DOMAIN_PREFIX=https://$_hostname/eidas-ps", "SPRING_PROFILES_ACTIVE=se", "CERTNAME=${::fqdn}_infra", "PKCS11_PIN=${_pkcs11pin}", "$spring_config_param=/etc/eidas-proxy/$_country/cfg/", "PROXY_SERVICE_COOKIEENCRYPTPW=$proxy_service_cookie_encrypt_pw"], extra_parameters => ["--log-driver=syslog"] } ensure_resource('class','webserver',{}) ensure_resource('class','https_server',{}) if $_eidas_proxy_oidc_rp_jks != '' { sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/keystore/oidc-rp.jks": hiera_key => 'eidas_proxy_oidc_rp_jks', base64 => true } } } class prid($version="1.0.0",$clients="",$mdsl="") { $_version = safe_hiera('eidas_prid_version',$version) $_mdsl = safe_hiera('eidas_prid_mdsl',$mdsl) $hostname = $::fqdn $_allow_clients = safe_hiera($clients) sunet::docker_run {'prid': image => 'docker.sunet.se/prid-service', imagetag => $_version, hostname => "$hostname", ports => ['443:8443','127.0.0.1:444:8444'], volumes => ['/etc/prid-service:/etc/prid-service', '/etc/ssl:/etc/ssl'], env => ["PRID_SERVICE_POLICY_CONFIGURATION=file:///etc/prid-service/policy.properties", "PRID_SERVICE_METADATA_SERVICELIST_URL=$_mdsl", "CERTNAME=${hostname}_infra"], extra_parameters => ["--log-driver=syslog"] } -> sunet::misc::ufw_allow {'allow-prid': from => $_allow_clients, port => 443 } -> class {'https_server': } } class prid_local($version="1.0.0",$clients="",$mdsl="") { $_version = safe_hiera('eidas_prid_version',$version) $_mdsl = safe_hiera('eidas_prid_mdsl',$mdsl) $hostname = $::fqdn $_allow_clients = safe_hiera($clients) sunet::docker_run {'prid': image => 'docker.sunet.se/prid-service', imagetag => $_version, hostname => "$hostname", ports => ['127.0.0.1:80:8080','127.0.0.1:444:8444'], volumes => ['/etc/prid-service:/etc/prid-service', '/etc/ssl:/etc/ssl'], env => ['JAVA_OPTS="-Dserver.port=8080 -Dserver.ssl.enabled=false -Dmanagement.server.port=8444 -Dmanagement.ssl.enabled=true"', "PRID_SERVICE_POLICY_CONFIGURATION=file:///etc/prid-service/policy.properties", "PRID_SERVICE_METADATA_SERVICELIST_URL=$_mdsl", "CERTNAME=${hostname}_infra"], extra_parameters => ["--log-driver=syslog"] } } class validator($version="2.0.0") { $_version = safe_hiera('validator_version',$version) $hostname = $::fqdn sunet::docker_run {'metadata-validator': image => 'docker.sunet.se/metadata-validator', imagetag => $_version, hostname => "$hostname", ports => ['443:8443','127.0.0.1:444:8009'], volumes => ['/etc/ssl:/etc/ssl', '/etc/metadata-validator:/opt/webapp/mdval', '/etc/localtime:/etc/localtime:ro'], env => ["SPRING_CONFIG_ADDITIONAL_LOCATION=/opt/webapp/mdval/cfg/", "CERTNAME=${hostname}_infra"], extra_parameters => ["--log-driver=syslog"] } ensure_resource('class','webserver',{}) ensure_resource('class','https_server',{}) } class proxy_testsp($version="1.0.1",$public_hostname=undef,$uri_path="/testps",$profile="qa") { $_version = safe_hiera('proxy_testsp_version',$version) $hostname = $::fqdn $_public_hostname = $public_hostname ? { undef => $hostname, default => $public_hostname } sunet::docker_run {'eidas-ps-testsp': image => 'docker.sunet.se/eidas-ps-testsp', imagetag => $_version, hostname => $hostname, ports => ['443:8443','127.0.0.1:8444:8009'], volumes => ['/etc/ssl:/etc/ssl', '/etc/localtime:/etc/localtime:ro'], env => ["CERTNAME=$hostname", "SP_ACCESS_ALLOW_ALL=true", "SP_BASE_URI=https://$_public_hostname", "SERVER_SERVLET_CONTEXT_PATH=$uri_path", "SPRING_PROFILES_ACTIVE=$profile"], extra_parameters => ["--log-driver=syslog"] } } class github_client_credential { sunet::ssh_host_credential { "github": hostname => "github.com", id => "github", manage_user => false } } class pages($version=undef) { class { 'sunet::pages': version => $version } sunet::docker_run {'people-sunet-se': image => 'docker.sunet.se/static-vhosts', ports => ['80:80'], volumes => ['/var/www:/usr/local/apache2/vhosts'], extra_parameters => ["--log-driver=syslog"] } ensure_resource('class','webserver',{}) } class sunetops { sunet::ssh_keys { 'sunetops': config => safe_hiera('sunetops_ssh_keys', {}) } # OS hardening # For now we skip this on ubuntu24, SC-2522 if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') <= 0 ){ if $facts['networking']['hostname'] =~ /kvm/ { class {'bastion': fstab_fix_shm => false, sysctl_net_hardening => false, } } else { class {'bastion': fstab_fix_shm => false, fixperms_paranoia => true, } } } } class konsulter { sunet::ssh_keys { 'konsulter': config => safe_hiera('konsulter_ssh_keys', {}) } } class nrpe { require apt class {'sunet::nagios': } package {'nagios-plugins-contrib': ensure => latest} if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') >= 0 ){ $mem_w = '90' $mem_c = '95' } else { $mem_w = '10' $mem_c = '5' } sunet::nagios::nrpe_command { 'check_memory': command_line => "/usr/lib/nagios/plugins/check_memory -w ${mem_w}% -c ${mem_c}%" } sunet::nagios::nrpe_command {'check_mem': command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%' } sunet::nagios::nrpe_command {'check_boot_15_5': command_line => '/usr/lib/nagios/plugins/check_disk -w 15% -c 5% -p /boot' } sunet::nagios::nrpe_command {'check_entropy': command_line => '/usr/lib/nagios/plugins/check_entropy -w 200' } sunet::nagios::nrpe_command {'check_ntp_time': command_line => '/usr/lib/nagios/plugins/check_ntp_time -H localhost' } sunet::nagios::nrpe_command {'check_scriptherder': command_line => '/usr/local/bin/scriptherder --mode check' } sunet::nagios::nrpe_command {'check_apt': command_line => '/usr/lib/nagios/plugins/check_apt' } sunet::nagios::nrpe_command {'check_eidas_health': command_line => '/usr/lib/nagios/plugins/check_eidas_health.sh localhost' } sunet::sudoer {'nagios_run_needrestart_command': user_name => 'nagios', collection => 'nagios', command_line => "/usr/sbin/needrestart -p -l" } sunet::nagios::nrpe_command {'check_needrestart': command_line => "sudo /usr/sbin/needrestart -p -l" } exec { "create_${name}_service_dir": command => '/bin/mkdir -p /etc/systemd/system/nagios-nrpe-server.service.d/', unless => '/usr/bin/test -d /etc/systemd/system/nagios-nrpe-server.service.d/', } exec { "${name}_daemon_reload": command => 'systemctl daemon-reload', refreshonly => true, } $str = "# Some NRPE checks will get fishy results when using a PrivateTmp. # E.g check_apt: https://askubuntu.com/questions/1415415/check-apt-issue-with-nagios [Service] PrivateTmp=false" file { '/etc/systemd/system/nagios-nrpe-server.service.d/privatetmp.conf': ensure => file, mode => '0444', content => $str, require => [Exec["create_${name}_service_dir"], Package[nagios-nrpe-server]], notify => [Exec["${name}_daemon_reload"],Service[nagios-nrpe-server]], } } class redis_cluster_node { file { '/opt/redis': ensure => directory } sysctl { 'vm.overcommit_memory': value => '1' } sunet::redis::server {'redis-master': allow_clients => hiera_array('redis_client_ips', []), cluster_nodes => hiera_array('redis_sentinel_ips', []), } sunet::redis::server {'redis-sentinel': port => 26379, sentinel_config => 'yes', allow_clients => hiera_array('redis_client_ips', []), cluster_nodes => hiera_array('redis_sentinel_ips', []), } } class redis_frontend_node ($hostname=undef,$ca="infra") { file { '/opt/redis': ensure => directory } sunet::redis::haproxy {'redis-haproxy': cluster_nodes => hiera_array('redis_sentinel_ips', []), client_ca => "/etc/ssl/certs/${ca}.crt", certificate => "/etc/ssl/private/${::fqdn}_${ca}.pem" } } node 'fe-tug-1.test.komreg.net' { # Set up Cosmos class for common sunet-frontend files. Should ideally be set up in # the bootstrapping phase, since setting it up here will require > 1 run # of 'cosmos apply' before everything is in place. Perfection will have # to come later. file_line { 'cosmos_conf_frontend1_common': path => '/etc/cosmos/cosmos.conf', line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/fe-test-common/:$COSMOS_REPO_MODELS"', } } node 'fe-fre-1.test.komreg.net' { # Set up Cosmos class for common sunet-frontend files. Should ideally be set up in # the bootstrapping phase, since setting it up here will require > 1 run # of 'cosmos apply' before everything is in place. Perfection will have # to come later. file_line { 'cosmos_conf_frontend1_common': path => '/etc/cosmos/cosmos.conf', line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/fe-test-common/:$COSMOS_REPO_MODELS"', } } node 'natmd-test-1.komreg.net' { file_line { 'cosmos_conf': path => '/etc/cosmos/cosmos.conf', line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/natmd-test-common/:$COSMOS_REPO_MODELS"', } } node 'natmd-test-2.komreg.net' { file_line { 'cosmos_conf': path => '/etc/cosmos/cosmos.conf', line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/natmd-test-common/:$COSMOS_REPO_MODELS"', } } node 'eumd-test-1.komreg.net' { file_line { 'cosmos_conf': path => '/etc/cosmos/cosmos.conf', line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eumd-test-common/:$COSMOS_REPO_MODELS"', } } node 'eumd-test-2.komreg.net' { file_line { 'cosmos_conf': path => '/etc/cosmos/cosmos.conf', line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eumd-test-common/:$COSMOS_REPO_MODELS"', } } node 'relay-1.swedenconnect.se' { sunet::scriptherder::cronjob { "rsync_certificate_to_relay_2": cmd => "/usr/bin/rsync -av --copy-links --delete /etc/letsencrypt/live/relay.swedenconnect.se/ root@relay-2.swedenconnect.se:", minute => '9', hour => '0', ok_criteria => ['exit_status=0','max_age=48h'], warn_criteria => ['exit_status=1','max_age=50h'], } } node 'eidas-proxy-1.test.sveidas.se' { # Set up Cosmos class for common proxy files for test. Should ideally be set up in # the bootstrapping phase, since setting it up here will require > 1 run # of 'cosmos apply' before everything is in place. Perfection will have # to come later. file_line { 'cosmos_conf_proxy_test_common': path => '/etc/cosmos/cosmos.conf', line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eidas-test-proxy/:$COSMOS_REPO_MODELS"', } }