92 lines
3.4 KiB
Puppet
92 lines
3.4 KiB
Puppet
# This puppet manifest is used to configure Sweden Connect proxy servers
|
|
|
|
# @param environment The environment that the server belongs to. (referenced in compose file)
|
|
# @param version Version of the docker image to use. (referenced in compose file)
|
|
# @param service_name Name of the service, for example qa.proxy.eidas.swedenconnect.se
|
|
# @param server_fqdn The FQDN of the server. (referenced in compose file)
|
|
# @param proxy_directory The directory where all proxy related config and files are stored. (referenced in compose file)
|
|
# @param spring_config_param Used as parameter name in compose file
|
|
# @param country Used while creating directories and referenced in compsose file
|
|
# @param use_hsm Configure if HSM is used or not
|
|
class eid::proxy (
|
|
Enum['test', 'qa', 'prod'] $environment,
|
|
String $version = '',
|
|
String $service_name = '',
|
|
String $server_fqdn = $facts['networking']['fqdn'],
|
|
String $proxy_directory = '/opt/eidas-proxy',
|
|
String $spring_config_param = 'SPRING_CONFIG_ADDITIONAL_LOCATION',
|
|
String $country = 'se',
|
|
Boolean $use_hsm=true,
|
|
) {
|
|
|
|
if $use_hsm {
|
|
$pkcs11_pin = safe_hiera('pkcs11_pin')
|
|
}
|
|
$eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks','')
|
|
$proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw')
|
|
|
|
if $version and $service_name and $eidas_proxy_oidc_rp_jks != 'NOT_SET_IN_HIERA' and $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA'{
|
|
|
|
# Allow HTTP/HTTPS from load balancer servers
|
|
$lb_ips = hiera_array("lb_${environment}_servers",[])
|
|
sunet::nftables::allow { 'allow-http-from-lbs':
|
|
from => $lb_ips,
|
|
port => 80,
|
|
}
|
|
sunet::nftables::allow { 'allow-https-from-lbs':
|
|
from => $lb_ips,
|
|
port => 443,
|
|
}
|
|
|
|
sunet::docker_compose { 'eidas-proxy':
|
|
content => template('eid/proxy/docker-compose.yml.erb'),
|
|
service_name => 'eidas-proxy',
|
|
compose_dir => '/opt/',
|
|
compose_filename => 'docker-compose.yml',
|
|
description => 'eidas proxy',
|
|
mode => '0755'
|
|
}
|
|
|
|
file { "${proxy_directory}/${country}":
|
|
ensure => directory,
|
|
mode => '0755',
|
|
owner => 'root',
|
|
group => 'root',
|
|
}
|
|
file { "${proxy_directory}/${country}/keystore":
|
|
ensure => directory,
|
|
mode => '0755',
|
|
owner => 'root',
|
|
group => 'root',
|
|
}
|
|
sunet::snippets::secret_file {"${proxy_directory}/${country}/metadata.p12":
|
|
hiera_key => 'eidas_metadata_key',
|
|
base64 => true
|
|
}
|
|
sunet::snippets::secret_file {"${proxy_directory}/${country}/proxy.p12":
|
|
hiera_key => 'eidas_proxy_key',
|
|
base64 => true
|
|
}
|
|
if $eidas_proxy_oidc_rp_jks != '' {
|
|
sunet::snippets::secret_file {"${proxy_directory}/${country}/keystore/oidc-rp.jks":
|
|
hiera_key => 'eidas_proxy_oidc_rp_jks',
|
|
base64 => true
|
|
}
|
|
}
|
|
|
|
if $use_hsm {
|
|
file { ['/etc/luna','/etc/luna/cert']:
|
|
ensure => directory,
|
|
mode => '0755',
|
|
owner => 'root',
|
|
group => 'root',
|
|
}
|
|
}
|
|
|
|
sunet::nagios::nrpe_check_fileage {'proxy_eidas_metadata_cache_age':
|
|
filename => "${proxy_directory}/se/ps-mdcache/metadata-cache.xml",
|
|
warning_age => '600',
|
|
critical_age => '172800'
|
|
}
|
|
}
|
|
}
|