# This manifest is managed using cosmos
Exec {
path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}
include sunet
class mailclient ($domain) {
sunet::preseed_package {"postfix": ensure => present, options => {domain => $domain}}
}
class autoupdate {
class { 'sunet::updater': cron => true, cosmos_automatic_reboot => true }
}
class jumphosts {}
class infra_ca_rp {
sunet::ici_ca::rp { 'infra': }
}
# you need a default node, all nodes need ssh + ufw
node default {
}
class site_alias($alias_name=undef) {
file { "/var/www/$alias_name":
ensure => link,
target => $name
}
}
class common {
include sunet::tools
include sunet::motd
include sunet::ntp
if $::sunet_nftables_opt_in != 'yes' and ! ( $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '22.04') >= 0 ) {
warning('Enabling UFW')
include ufw
} else {
warning('Enabling nftables')
ensure_resource ('class','sunet::nftables::init', { })
}
include apt
include apparmor
include sunet::packages::jq
package { 'needrestart': ensure => installed}
package {'lshw': ensure => 'latest'}
# change git repo from git.nordu.net to gitops.sunet.se (for .git)
exec { 'git_repo_sunet_dot_git':
cwd => '/var/cache/cosmos/repo',
command => '/usr/bin/git remote set-url origin git://gitops.sunet.se/eid-ops git://git.nordu.net/eid-ops.git',
onlyif => '/usr/bin/git remote get-url origin | grep -qi git.nordu.net/eid-ops.git',
}
# change git repo from git.nordu.net to gitops.sunet.se (without .git)
exec { 'git_repo_sunet':
cwd => '/var/cache/cosmos/repo',
command => '/usr/bin/git remote set-url origin git://gitops.sunet.se/eid-ops git://git.nordu.net/eid-ops',
onlyif => '/usr/bin/git remote get-url origin | grep -qi git.nordu.net/eid-ops',
}
}
class dhcp6_client {
ufw::allow { "allow-dhcp6-546":
ip => 'any',
port => '546',
proto => 'udp',
}
ufw::allow { "allow-dhcp6-547":
ip => 'any',
port => '547',
proto => 'udp'
}
}
class entropyclient {
include sunet::simple_entropy
sunet::ucrandom {'random.nordu.net': ensure => absent }
sunet::nagios::nrpe_check_process { 'haveged': }
}
class openstack_dockerhost {
class { 'sunet::dockerhost':
docker_version => '17.12.0~ce-0~ubuntu',
docker_package_name => 'docker-ce',
storage_driver => "aufs",
run_docker_cleanup => true,
manage_dockerhost_unbound => true,
docker_network => true
}
}
class sunet_iaas_cloud {
sunet::cloud_init::config { 'disable_datasources':
config => { datasource_list => [ 'None' ] }
}
sunet::cloud_init::config { 'keep_root_enabled':
config => { disable_root => 'false' }
}
}
class webserver($enabled=true) {
if $enabled {
ufw::allow { "allow-http":
ip => 'any',
port => '80'
}
ufw::allow { "allow-https":
ip => 'any',
port => '443'
}
} else {
ufw::deny { "allow-http":
ip => 'any',
port => '80'
}
ufw::deny { "allow-https":
ip => 'any',
port => '443'
}
}
}
class webserver_new {
sunet::misc::ufw_allow { 'http':
from => 'any',
port => '80',
}
sunet::misc::ufw_allow { 'https':
from => 'any',
port => '443',
}
}
class servicemonitor {
$nagios_ip_v4 = hiera_array('nagios_ip_v4',[]);
sunet::misc::ufw_allow { "allow-servicemonitor-from-nagios":
from => $nagios_ip_v4,
port => '444',
}
}
class https_server {
}
class fe_servers {
}
class eidas_log {
ensure_resource('file','/etc/logrotate.d',{
ensure => 'directory',
mode => '0755'
})
file {'/etc/logrotate.d/eidas_logs':
ensure => file,
path => '/etc/logrotate.d/eidas_logs',
mode => '0644',
content => template('eid/eidas_logs/eidas_logs.erb')
}
}
class swamid_metadata($filename=undef) {
sunet::metadata::swamid { "$filename": }
}
class saml_metadata($filename=undef, $cert=undef, $url=undef) {
sunet::metadata { "$filename": url => $url, cert => $cert }
}
class md_repo_client {
sunet::snippets::reinstall::keep {['/etc/metadata','/root/.ssh']: } ->
sunet::ssh_git_repo {'/var/cache/metadata_r1':
username => 'root',
group => 'root',
hostname => 'r1.komreg.net',
url => 'git@r1.komreg.net:komreg-metadata.git',
id => 'komreg',
manage_user => false
} ->
package { ['make']: ensure => latest } ->
sunet::scriptherder::cronjob { 'verify_and_update':
cmd => '/var/cache/metadata_r1/scripts/do-update.sh',
minute => '*/5',
ok_criteria => ['exit_status=0', 'max_age=15m'],
warn_criteria => ['exit_status=0', 'max_age=1h'],
}
}
class eidas_metadata_key {
sunet::snippets::secret_file {"/etc/credentials/metadata.key":
hiera_key => 'eidas_metadata_key',
base64 => true
}
}
class eidas_hsm_client($luna_version="7.4-dev") {
$pkcs11pin = hiera('pkcs11pin',"")
sunet::snippets::reinstall::keep {['/etc/luna','/etc/Chrystoki.conf.d']: } ->
file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
sunet::docker_run {"${name}_hsmproxy":
hostname => "${::fqdn}",
image => 'docker.sunet.se/luna-client',
imagetag => $luna_version,
volumes => ['/dev/log:/dev/log','/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
env => ["PKCS11PIN=${pkcs11pin}"],
extra_parameters => ["--log-driver=syslog"]
}
sunet::scriptherder::cronjob { "${name}_restart_hsmproxy":
cmd => "/usr/sbin/service docker-${name}_hsmproxy restart",
minute => '9',
hour => '0',
ok_criteria => ['exit_status=0','max_age=48h'],
warn_criteria => ['exit_status=1','max_age=50h'],
}
}
class md_signer($dest_host=undef,$dest_dir="",$version="eidas") {
package { ['xsltproc','libxml2-utils','attr']: ensure => latest } ->
sunet::pyff {$name:
version => $version,
pound_and_varnish => false,
pipeline => "${name}.fd",
volumes => ["/etc/credentials:/etc/credentials"],
docker_run_extra_parameters => ["--log-driver=syslog"]
}
if ($dest_host) {
sunet::ssh_host_credential { "${name}-publish-credential":
hostname => $dest_host,
username => 'root',
group => 'root',
manage_user => false,
ssh_privkey => safe_hiera("publisher_ssh_privkey")
} ->
sunet::scriptherder::cronjob { "${name}-publish":
cmd => "env RSYNC_ARGS='--chown=www-data:www-data --chmod=D0755,F0664 --xattrs' /usr/local/bin/mirror-mdq.sh http://localhost root@${dest_host}:${dest_dir}",
minute => '*/5',
ok_criteria => ['exit_status=0'],
warn_criteria => ['max_age=30m']
}
}
}
class md_publisher(Array $allow_clients=['any'], $keyname=undef, String $dir="/var/www/html", $signer_ip_adress=undef) {
$_keyname = $keyname ? {
undef => $::fqdn,
default => $keyname
}
# this allows fileage check to work wo sudo
file { '/var/www': ensure => directory, mode => '0755' } ->
file { '/var/www/html': ensure => directory, mode => '0755', owner => 'www-data', group =>'www-data' } ->
sunet::ssh_keys { 'publisher-keys':
config => safe_hiera('publisher_ssh_keys_mapping', {}),
key_database_name => 'publisher_ssh_keys_db'
} ->
package {['lighttpd','attr']: ensure => latest } ->
exec {'enable-ssl':
command => "/usr/sbin/lighttpd-enable-mod ssl",
onlyif => "test ! -h /etc/lighttpd/conf-enabled/*ssl*"
} ->
file {'/etc/lighttpd/server.pem':
ensure => 'link',
target => "/etc/ssl/private/${_keyname}.pem"
} ->
if ($::operatingsystemrelease < '20.04') {
apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd' }
}
else {
apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd.upgraded' }
}
file {'/etc/lighttpd/conf-enabled/99-mime-xattr.conf':
ensure => file,
mode => '0640',
owner => 'root',
group => 'root',
content => inline_template("mimetype.use-xattr = \"enable\"\n")
} ->
service {'lighttpd': ensure => running } ->
sunet::misc::ufw_allow {'allow-lighttpd':
from => $allow_clients,
port => 443
} ->
sunet::nagios::nrpe_check_fileage {"metadata_aggregate":
filename => "/var/www/html/entities/index.html", # yes this is correct
warning_age => '1800',
critical_age => '86400'
}
sunet::misc::ufw_allow { "allow_ssh":
from => $signer_ip_adress,
port => '22',
}
}
class mdsl_publisher() {
sunet::nagios::nrpe_check_fileage {"mdsl_aggregate":
filename => "/var/www/html/mdservicelist-aggregate.xml", # yes this is correct
warning_age => '600',
critical_age => '86400'
}
sunet::nagios::nrpe_check_fileage {"mdsl_se":
filename => "/var/www/html/mdservicelist-se.xml", # yes this is correct
warning_age => '600',
critical_age => '86400'
}
}
class proxy_eidas_metadata() {
sunet::nagios::nrpe_check_fileage {"proxy_eidas_metadata":
filename => "/etc/eidas-proxy/se/ps-mdcache/metadata.xml",
warning_age => '1800',
critical_age => '172800'
}
sunet::nagios::nrpe_check_fileage {"proxy_eidas_metadata_list":
filename => "/etc/eidas-proxy/se/ps-mdcache/metadataList.xml",
warning_age => '600',
critical_age => '172800'
}
}
class md_repo_server($hostname) {
ensure_resource('sunet::system_user', 'www-data', {
username => 'www-data',
group => 'www-data',
managehome => false,
shell => '/bin/bash'
})
class {'sunet::gitolite': save_private_admin_key_on_server=>false }
sunet::snippets::add_user_to_group { 'add_www_data_to_git':
username => 'www-data',
group => 'git'
} ->
sunet::docker_run {'gitweb':
image => 'docker.sunet.se/gitweb',
imagetag => 'latest',
volumes => ['/etc/dehydrated:/etc/dehydrated','/home/git:/home/git'],
ports => ['443:443','80:80'],
env => ["HOSTNAME=$hostname","ACMEDIR=/etc/dehydrated","KEYDIR=/etc/dehydrated"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
$md_signers_ip = hiera_array('md_signers',[])
sunet::misc::ufw_allow { 'allow_ssh_md_signers':
from => $md_signers_ip,
port => '22',
}
}
class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') {
$_version = safe_hiera('eidas_demw_version',$version)
$_hostname = safe_hiera('eidas_demw_hostname',$hostname)
$poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
$spring_datasource_password = safe_hiera('spring_datasource_password')
$pkcs11_pin = safe_hiera('pkcs11_pin')
$demw_tls_client_key = safe_hiera('demw_tls_client_key')
$demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
$demw_tls_server_cert = safe_hiera('demw_tls_server_cert')
file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } ->
file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
sunet::docker_run {'eidas-demw':
image => 'docker.sunet.se/eidas-demw',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.1:10000:10000'],
volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
'/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
'/opt/eidas-middleware/database:/opt/eidas-middleware/database',
'/dev/log:/dev/log',
'/etc/luna/cert:/usr/safenet/lunaclient/cert',
'/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
'/etc/ssl:/etc/ssl'],
env => ["CERTNAME=${::fqdn}_infra",
"EIDAS_SIGNER_DEFAULT_HASH_ALGORITHM=SHA256",
"PUBLIC_HOSTNAME=$_hostname",
"PKCS11_PIN=$pkcs11_pin",
"PKCS11_CONFIG_LOCATION=/opt/eidas-middleware/configuration/hsm/pkcs11.properties",
"POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
"DEMW_TLS_CLIENT_KEY=$demw_tls_client_key",
"DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert",
"DEMW_TLS_SERVER_CERT=$demw_tls_server_cert",
'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"',
"SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"],
extra_parameters => ["--log-driver=syslog --cpuset-cpus=0-3"]
}
#temp solution
sunet::scriptherder::cronjob { 'reboot_demw_application':
cmd => '/usr/sbin/service docker-eidas-demw restart',
minute => '0',
hour => '5',
ok_criteria => ['exit_status=0', 'max_age=25h'],
warn_criteria => ['exit_status=0', 'max_age=49h'],
}
}
class eidas_de_middleware($version="106-rs",$hostname='localhost') {
$_version = safe_hiera('eidas_demw_version',$version)
$_hostname = safe_hiera('eidas_demw_hostname',$hostname)
$poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
$spring_datasource_password = safe_hiera('spring_datasource_password')
$middleware_crypt_pin = safe_hiera('middleware_crypt_pin')
$middleware_sign_pin = safe_hiera('middleware_sign_pin')
$demw_tls_client_key = safe_hiera('demw_tls_client_key')
$demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
$demw_tls_server_cert = safe_hiera('demw_tls_server_cert')
file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } ->
sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-signature-keystore.jks":
hiera_key => 'eidasmw-signature-keystore',
base64 => true
} ->
file { '/opt/eidas-middleware/configuration/POSeIDAS.xml.sh':
ensure => present,
content => template('eid/demw/POSeIDAS.xml.sh.erb'),
mode => '0744',
}
sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-crypto-keystore.jks":
hiera_key => 'eidasmw-crypto-keystore',
base64 => true
} ->
sunet::docker_run {'eidas-demw':
image => 'docker.sunet.se/eidas-demw',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.1:10000:10000'],
volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
'/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
'/opt/eidas-middleware/database:/opt/eidas-middleware/database',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["CERTNAME=${::fqdn}_infra",
"PUBLIC_HOSTNAME=$_hostname",
"POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
"SPRING_DATASOURCE_PASSWORD=$spring_datasource_password",
"MIDDLEWARE_CRYPT_PIN=$middleware_crypt_pin",
'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"',
"MIDDLEWARE_SIGN_PIN=$middleware_sign_pin"],
extra_parameters => ["--log-driver=syslog"]
}
}
class eidas_sp($version="1.0.0",$hostname='localhost',$environment='qa') {
$_version = safe_hiera('eidas_sp_version',$version)
$_hostname = safe_hiera('eidas_sp_hostname',$hostname)
file {['/etc/eidas-sp','/var/log/eidas-sp','/etc/ssl']: ensure => directory } ->
sunet::docker_run {'eidas-sp':
image => 'docker.sunet.se/eidas-sp',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.1:444:8444'],
volumes => ['/var/log/eidas-sp:/var/log/eidas-sp',
'/etc/eidas-sp:/etc/eidas-sp',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["SERVER_SERVLET_CONTEXT_PATH=/",
"SP_USE_SC_LOGO=false",
"SP_ENTITY_ID=https://$_hostname/sp",
"SPRING_PROFILES_ACTIVE=$environment",
"SP_BASE_URI=https://$_hostname"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class test_my_eid($version="1.0.1",$hostname='localhost',$environment='qa') {
$_version = safe_hiera('test_my_eid_version',$version)
$_hostname = safe_hiera('test_my_eid_hostname',$hostname)
file {['/etc/test-my-eid','/var/log/test-my-eid','/etc/ssl']: ensure => directory } ->
if ($environment== 'default') {
sunet::docker_run {'test-my-eid':
image => 'docker.sunet.se/test-my-eid',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.1:444:8444'],
volumes => ['/var/log/test-my-eid:/var/log/test-my-eid',
'/etc/test-my-eid:/etc/test-my-eid',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["SERVER_SERVLET_CONTEXT_PATH=/",
"SP_ENTITY_ID=https://$_hostname/sp",
"SIGN_SP_ENTITY_ID=https://$_hostname/sp-sign",
"SPRING_PROFILES_ACTIVE=$environment",
"SP_BASE_URI=https://$_hostname",
"SP_DISCOVERY_STATIC_IDP_CONFIGURATION=file:/etc/test-my-eid/idp-disco-test.properties",
"SP_FEDERATION_METADATA_URL=https://test.md.swedenconnect.se/role/idp.xml",
"SP_FEDERATION_METADATA_VALIDATION_CERTIFICATE=file:/etc/test-my-eid/test-metadata-signer.crt",
"SP_EIDAS_CONNECTOR_ENTITY_ID=https://test.connector.eidas.swedenconnect.se/eidas"],
extra_parameters => ["--log-driver=syslog"]
}
} else {
sunet::docker_run {'test-my-eid':
image => 'docker.sunet.se/test-my-eid',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.1:444:8444'],
volumes => ['/var/log/test-my-eid:/var/log/test-my-eid',
'/etc/test-my-eid:/etc/test-my-eid',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["SERVER_SERVLET_CONTEXT_PATH=/",
"SP_ENTITY_ID=https://$_hostname/sp",
"SIGN_SP_ENTITY_ID=https://$_hostname/sp-sign",
"SPRING_PROFILES_ACTIVE=$environment",
"SP_BASE_URI=https://$_hostname",
"SP_DISCOVERY_STATIC_IDP_CONFIGURATION=file:/etc/test-my-eid/idp-disco-$environment.properties"],
extra_parameters => ["--log-driver=syslog"]
}
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class eidastest($version="1.0.0", $hostname="locahost") {
$_version = safe_hiera('eidastest_version',$version)
$_hostname = safe_hiera('eidastest_hostname',$hostname)
$home = '/etc/eidastest'
file { "${home}":
ensure => directory,
owner => 'root',
group => 'root',
path => "${home}",
mode => '0755',
}
file { "${home}/eidastest/config.ini":
content => template('eid/eidastest/config.ini.erb'),
owner => 'root',
group => 'root',
mode => '0755',
}
file { "${home}/eidastest/supervise_firefox_processes.sh":
content => template('eid/eidastest/supervise_firefox_processes.sh.erb'),
owner => 'root',
group => 'root',
mode => '0755',
}
$compose = hiera("eidastest_compose")
sunet::docker_compose {'eidastest_docker_compose':
service_name => 'eidastest',
description => 'eidastest service',
compose_dir => "${home}",
content => inline_template("<%= @compose.to_yaml %>\n")
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class swedenconnect_refidp($version="1.0.3",$hostname='localhost',$env=undef) {
$_version = safe_hiera('swedenconnect_refidp_version',$version)
$_hostname = safe_hiera('swedenconnect_refidp_hostname',$hostname)
$idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt');
$idp_fticks_salt = safe_hiera('idp_fticks_salt');
$proxy_header_secret = safe_hiera('proxy_header_secret');
file { ["/etc/swedenconnect-idp","/etc/swedenconnect-idp/credentials"]: ensure => directory } ->
sunet::docker_run {'swedenconnect-idp':
image => 'docker.sunet.se/swedenconnect-idp',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443'],
volumes => ['/var/log/swedenconnect-idp:/var/log/swedenconnect-idp',
'/etc/swedenconnect-idp:/etc/swedenconnect-idp',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["IDP_SERVER_HOSTNAME=$_hostname",
"TOMCAT_HOSTNAME=$_hostname",
"IDP_FEDERATION_METADATA_URL=https://${env}.md.swedenconnect.se/entities/",
"IDP_FEDERATION_METADATA_VALIDATION_CERT=/etc/swedenconnect-idp/credentials/trust/sc-${env}-metadata-validation-cert.crt",
"TOMCAT_TLS_SERVER_KEY=/etc/ssl/private/${::fqdn}_infra.key",
"TOMCAT_TLS_SERVER_CERTIFICATE=/etc/ssl/certs/${::fqdn}_infra.crt",
"TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret",
"IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt",
"IDP_FTICKS_SALT=$idp_fticks_salt"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class eidas_connector($version="1.0.6",$hostname='localhost',$luna_debug='no') {
$_version = safe_hiera('eidas_connector_version',$version)
$_hostname = safe_hiera('eidas_connector_hostname',$hostname)
$prid_service = safe_hiera('eidas_prid_service')
$idp_fticks_salt = safe_hiera('idp_fticks_salt');
$pkcs11_pin = safe_hiera('pkcs11_pin');
$idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt');
$idp_sealer_password = safe_hiera('idp_sealer_password');
$proxy_header_secret = safe_hiera('proxy_header_secret');
file {['/etc/eidas-connector','/etc/eidas-connector/credentials','/etc/eidas-connector/credentials/sp','/etc/eidas-connector/credentials/idp','/etc/eidas-connector/credentials/tomcat','/var/log/eidas-connector']: ensure => directory } ->
sunet::snippets::secret_file {"/etc/eidas-connector/credentials/sealer.jks":
hiera_key => 'eidas_connector_sealer_jks',
base64 => true
} ->
sunet::snippets::secret_file {"/etc/eidas-connector/credentials/connector.key":
hiera_key => 'eidas_connector_key',
base64 => true
} ->
sunet::snippets::secret_file {"/etc/eidas-connector/credentials/metadata.key":
hiera_key => 'eidas_metadata_key',
base64 => true
} ->
sunet::snippets::secret_file {"/etc/eidas-connector/credentials/tomcat/tomcat-key.pem":
hiera_key => 'eidas_connector_tomcat_key',
base64 => true
} ->
file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
sunet::docker_run {'eidas-connector':
image => 'docker.sunet.se/eidas-connector',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443'],
volumes => ['/var/log/eidas-connector:/var/log/eidas-connector',
'/etc/eidas-connector:/etc/eidas-connector',
'/dev/log:/dev/log',
'/etc/luna/cert:/usr/safenet/lunaclient/cert',
'/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
'/etc/ssl:/etc/ssl'],
env => ["IDP_SERVER_HOSTNAME=$_hostname",
"TOMCAT_HOSTNAME=$_hostname",
"TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret",
"EIDAS_METADATA_IGNORE_SIGNATURE_VALIDATION=false",
"PKCS11_PIN=$pkcs11_pin",
"LUNA_DEBUG=$luna_debug",
"IDP_ENTITY_ID=https://$_hostname/eidas",
"SP_ENTITY_ID=https://$_hostname/idp/metadata/sp",
"IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt",
"IDP_SEALER_PASSWORD=$idp_sealer_password",
"IDP_FTICKS_SALT=$idp_fticks_salt",
"IDP_PRID_SERVICE_URL=$prid_service"],
extra_parameters => ["--log-driver=syslog"]
}
sunet::scriptherder::cronjob { "${name}_clean_logs":
cmd => "/usr/bin/find /var/log/eidas-connector -ctime +180 -type f -name *.log -delete",
minute => '2',
hour => '0',
ok_criteria => ['exit_status=0','max_age=48h'],
warn_criteria => ['exit_status=1','max_age=50h'],
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class eidas_proxy($version='1.0.0',$country='se',$hostname='localhost', $spring_config_param='SPRING_CONFIG_LOCATION') {
$_version = safe_hiera('eidas_proxy_version',$version)
$_hostname = safe_hiera('eidas_proxy_hostname',$hostname);
$_country = safe_hiera('eidas_proxy_country',$country);
$_pkcs11pin = safe_hiera('pkcs11_pin');
$_eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks','');
$proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw');
file {['/etc/eidas-proxy/',"/etc/eidas-proxy/$_country"]: ensure => directory } ->
file {["/etc/eidas-proxy/$_country/keystore"]: ensure => directory } ->
sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/metadata.p12":
hiera_key => 'eidas_metadata_key',
base64 => true
} ->
sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/proxy.p12":
hiera_key => 'eidas_proxy_key',
base64 => true
} ->
file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
sunet::docker_run {'eidas-proxy':
image => 'docker.sunet.se/eidas-proxy',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.1:444:8444'],
volumes => ['/var/log/eidas-proxy:/var/log/eidas-proxy',
'/etc/eidas-proxy:/etc/eidas-proxy',
'/dev/log:/dev/log',
'/etc/luna/cert:/usr/safenet/lunaclient/cert',
'/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
'/etc/ssl:/etc/ssl'],
env => ["PROXY_SERVICE_DOMAIN_PREFIX=https://$_hostname/eidas-ps",
"SPRING_PROFILES_ACTIVE=se",
"CERTNAME=${::fqdn}_infra",
"PKCS11_PIN=${_pkcs11pin}",
"$spring_config_param=/etc/eidas-proxy/$_country/cfg/",
"PROXY_SERVICE_COOKIEENCRYPTPW=$proxy_service_cookie_encrypt_pw"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
if $_eidas_proxy_oidc_rp_jks != '' {
sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/keystore/oidc-rp.jks":
hiera_key => 'eidas_proxy_oidc_rp_jks',
base64 => true
}
}
}
class prid($version="1.0.0",$clients="",$mdsl="") {
$_version = safe_hiera('eidas_prid_version',$version)
$_mdsl = safe_hiera('eidas_prid_mdsl',$mdsl)
$hostname = $::fqdn
$_allow_clients = safe_hiera($clients)
sunet::docker_run {'prid':
image => 'docker.sunet.se/prid-service',
imagetag => $_version,
hostname => "$hostname",
ports => ['443:8443','127.0.0.1:444:8444'],
volumes => ['/etc/prid-service:/etc/prid-service',
'/etc/ssl:/etc/ssl'],
env => ["PRID_SERVICE_POLICY_CONFIGURATION=file:///etc/prid-service/policy.properties",
"PRID_SERVICE_METADATA_SERVICELIST_URL=$_mdsl",
"CERTNAME=${hostname}_infra"],
extra_parameters => ["--log-driver=syslog"]
} ->
sunet::misc::ufw_allow {'allow-prid':
from => $_allow_clients,
port => 443
} ->
class {'https_server': }
}
class prid_local($version="1.0.0",$clients="",$mdsl="") {
$_version = safe_hiera('eidas_prid_version',$version)
$_mdsl = safe_hiera('eidas_prid_mdsl',$mdsl)
$hostname = $::fqdn
$_allow_clients = safe_hiera($clients)
sunet::docker_run {'prid':
image => 'docker.sunet.se/prid-service',
imagetag => $_version,
hostname => "$hostname",
ports => ['127.0.0.1:80:8080','127.0.0.1:444:8444'],
volumes => ['/etc/prid-service:/etc/prid-service',
'/etc/ssl:/etc/ssl'],
env => ['JAVA_OPTS="-Dserver.port=8080 -Dserver.ssl.enabled=false -Dmanagement.server.port=8444 -Dmanagement.ssl.enabled=true"',
"PRID_SERVICE_POLICY_CONFIGURATION=file:///etc/prid-service/policy.properties",
"PRID_SERVICE_METADATA_SERVICELIST_URL=$_mdsl",
"CERTNAME=${hostname}_infra"],
extra_parameters => ["--log-driver=syslog"]
}
}
class validator($version="2.0.0") {
$_version = safe_hiera('validator_version',$version)
$hostname = $::fqdn
sunet::docker_run {'metadata-validator':
image => 'docker.sunet.se/metadata-validator',
imagetag => $_version,
hostname => "$hostname",
ports => ['443:8443','127.0.0.1:444:8009'],
volumes => ['/etc/ssl:/etc/ssl',
'/etc/metadata-validator:/opt/webapp/mdval',
'/etc/localtime:/etc/localtime:ro'],
env => ["SPRING_CONFIG_ADDITIONAL_LOCATION=/opt/webapp/mdval/cfg/",
"CERTNAME=${hostname}_infra"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class proxy_testsp($version="1.0.1",$public_hostname=undef,$uri_path="/testps",$profile="qa") {
$_version = safe_hiera('proxy_testsp_version',$version)
$hostname = $::fqdn
$_public_hostname = $public_hostname ? {
undef => $hostname,
default => $public_hostname
}
sunet::docker_run {'eidas-ps-testsp':
image => 'docker.sunet.se/eidas-ps-testsp',
imagetag => $_version,
hostname => $hostname,
ports => ['443:8443','127.0.0.1:8444:8009'],
volumes => ['/etc/ssl:/etc/ssl',
'/etc/localtime:/etc/localtime:ro'],
env => ["CERTNAME=$hostname",
"SP_ACCESS_ALLOW_ALL=true",
"SP_BASE_URI=https://$_public_hostname",
"SERVER_SERVLET_CONTEXT_PATH=$uri_path",
"SPRING_PROFILES_ACTIVE=$profile"],
extra_parameters => ["--log-driver=syslog"]
}
}
class github_client_credential {
sunet::ssh_host_credential { "github":
hostname => "github.com",
id => "github",
manage_user => false
}
}
class pages($version=undef) {
class { 'sunet::pages': version => $version }
sunet::docker_run {'people-sunet-se':
image => 'docker.sunet.se/static-vhosts',
ports => ['80:80'],
volumes => ['/var/www:/usr/local/apache2/vhosts'],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
}
class sunetops {
sunet::ssh_keys { 'sunetops':
config => safe_hiera('sunetops_ssh_keys', {})
}
# OS hardening
if $::hostname =~ /kvm/ {
class {'bastion':
fstab_fix_shm => false,
sysctl_net_hardening => false,
}
} elsif $::hostname =~ /random/ { # pollen requires exec on /tmp
class {'bastion':
fixperms_enable => false,
fixperms_paranoia => false,
}
} else {
class {'bastion':
fstab_fix_shm => false,
fixperms_paranoia => true,
}
}
}
class konsulter {
sunet::ssh_keys { 'konsulter':
config => safe_hiera('konsulter_ssh_keys', {})
}
}
class nrpe {
require apt
class {'sunet::nagios': }
if ($::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '12.04') {
class {'apt::backports': }
}
package {'nagios-plugins-contrib': ensure => latest}
if ($::operatingsystem == 'Ubuntu' and $::operatingsystemrelease < '18.04') {
package {'nagios-plugins-extra': ensure => latest}
}
if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '22.04') >= 0 ){
$mem_w = '90'
$mem_c = '95'
} else {
$mem_w = '10'
$mem_c = '5'
}
sunet::nagios::nrpe_command { 'check_memory':
command_line => "/usr/lib/nagios/plugins/check_memory -w ${mem_w}% -c ${mem_c}%"
}
sunet::nagios::nrpe_command {'check_mem':
command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%'
}
sunet::nagios::nrpe_command {'check_boot_15_5':
command_line => '/usr/lib/nagios/plugins/check_disk -w 15% -c 5% -p /boot'
}
sunet::nagios::nrpe_command {'check_entropy':
command_line => '/usr/lib/nagios/plugins/check_entropy -w 200'
}
sunet::nagios::nrpe_command {'check_ntp_time':
command_line => '/usr/lib/nagios/plugins/check_ntp_time -H localhost'
}
sunet::nagios::nrpe_command {'check_scriptherder':
command_line => '/usr/local/bin/scriptherder --mode check'
}
sunet::nagios::nrpe_command {'check_apt':
command_line => '/usr/lib/nagios/plugins/check_apt'
}
sunet::nagios::nrpe_command {'check_eidas_health':
command_line => '/usr/lib/nagios/plugins/check_eidas_health.sh localhost'
}
sunet::sudoer {'nagios_run_needrestart_command':
user_name => 'nagios',
collection => 'nagios',
command_line => "/usr/sbin/needrestart -p -l"
}
sunet::nagios::nrpe_command {'check_needrestart':
command_line => "sudo /usr/sbin/needrestart -p -l"
}
}
class redis_cluster_node {
file { '/opt/redis': ensure => directory }
sysctl { 'vm.overcommit_memory': value => '1' }
sunet::redis::server {'redis-master':
allow_clients => hiera_array('redis_client_ips', []),
cluster_nodes => hiera_array('redis_sentinel_ips', []),
}
sunet::redis::server {'redis-sentinel':
port => 26379,
sentinel_config => 'yes',
allow_clients => hiera_array('redis_client_ips', []),
cluster_nodes => hiera_array('redis_sentinel_ips', []),
}
}
class redis_frontend_node ($hostname=undef,$ca="infra") {
file { '/opt/redis': ensure => directory }
sunet::redis::haproxy {'redis-haproxy':
cluster_nodes => hiera_array('redis_sentinel_ips', []),
client_ca => "/etc/ssl/certs/${ca}.crt",
certificate => "/etc/ssl/private/${::fqdn}_${ca}.pem"
}
}
node 'fe-tug-1.test.komreg.net' {
# Set up Cosmos class for common sunet-frontend files. Should ideally be set up in
# the bootstrapping phase, since setting it up here will require > 1 run
# of 'cosmos apply' before everything is in place. Perfection will have
# to come later.
file_line { 'cosmos_conf_frontend1_common':
path => '/etc/cosmos/cosmos.conf',
line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/fe-test-common/:$COSMOS_REPO_MODELS"',
}
}
node 'fe-fre-1.test.komreg.net' {
# Set up Cosmos class for common sunet-frontend files. Should ideally be set up in
# the bootstrapping phase, since setting it up here will require > 1 run
# of 'cosmos apply' before everything is in place. Perfection will have
# to come later.
file_line { 'cosmos_conf_frontend1_common':
path => '/etc/cosmos/cosmos.conf',
line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/fe-test-common/:$COSMOS_REPO_MODELS"',
}
}
node 'natmd-test-1.komreg.net' {
file_line { 'cosmos_conf':
path => '/etc/cosmos/cosmos.conf',
line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/natmd-test-common/:$COSMOS_REPO_MODELS"',
}
}
node 'natmd-test-2.komreg.net' {
file_line { 'cosmos_conf':
path => '/etc/cosmos/cosmos.conf',
line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/natmd-test-common/:$COSMOS_REPO_MODELS"',
}
}
node 'eumd-test-1.komreg.net' {
file_line { 'cosmos_conf':
path => '/etc/cosmos/cosmos.conf',
line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eumd-test-common/:$COSMOS_REPO_MODELS"',
}
}
node 'eumd-test-2.komreg.net' {
file_line { 'cosmos_conf':
path => '/etc/cosmos/cosmos.conf',
line => 'COSMOS_REPO_MODELS="$COSMOS_REPO/eumd-test-common/:$COSMOS_REPO_MODELS"',
}
}
node 'relay-1.swedenconnect.se' {
sunet::scriptherder::cronjob { "rsync_certificate_to_relay_2":
cmd => "/usr/bin/rsync -av --copy-links --delete /etc/letsencrypt/live/relay.swedenconnect.se/ root@relay-2.swedenconnect.se:",
minute => '9',
hour => '0',
ok_criteria => ['exit_status=0','max_age=48h'],
warn_criteria => ['exit_status=1','max_age=50h'],
}
}