swedenconnect/eid-ops
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
eid-ops/global/overlay/etc/puppet/manifests/cosmos-site.pp
Maria Haider 7dd46f0536
Fixed a missing file for nagios instance
2021-05-24 15:35:41 +02:00

1244 lines
58 KiB
Puppet
Raw Blame History

# This manifest is managed using cosmos
Exec {
path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}
include sunet
class mailclient ($domain) {
sunet::preseed_package {"postfix": ensure => present, options => {domain => $domain}}
}
class autoupdate {
class { 'sunet::updater': cron => true, cosmos_automatic_reboot => true }
}
class jumphosts {}
class infra_ca_rp {
sunet::ici_ca::rp { 'infra': }
}
# you need a default node, all nodes need ssh + ufw
node default {
}
class site_alias($alias_name=undef) {
file { "/var/www/$alias_name":
ensure => link,
target => $name
}
}
class common {
include sunet::tools
include sunet::motd
include sunet::ntp
include ufw
include apt
include apparmor
package {'jq': ensure => 'latest'}
package { 'needrestart': ensure => installed}
package {'lshw': ensure => 'latest'}
# change git repo from git.nordu.net to gitops.sunet.se (for .git)
exec { 'git_repo_sunet_dot_git':
cwd => '/var/cache/cosmos/repo',
command => '/usr/bin/git remote set-url origin git://gitops.sunet.se/eid-ops git://git.nordu.net/eid-ops.git',
onlyif => '/usr/bin/git remote get-url origin | grep -qi git.nordu.net/eid-ops.git',
}
# change git repo from git.nordu.net to gitops.sunet.se (without .git)
exec { 'git_repo_sunet':
cwd => '/var/cache/cosmos/repo',
command => '/usr/bin/git remote set-url origin git://gitops.sunet.se/eid-ops git://git.nordu.net/eid-ops',
onlyif => '/usr/bin/git remote get-url origin | grep -qi git.nordu.net/eid-ops',
}
}
class dhcp6_client {
ufw::allow { "allow-dhcp6-546":
ip => 'any',
port => '546',
proto => 'udp',
}
ufw::allow { "allow-dhcp6-547":
ip => 'any',
port => '547',
proto => 'udp'
}
}
class entropyclient {
include sunet::simple_entropy
sunet::ucrandom {'random.nordu.net': ensure => absent }
sunet::nagios::nrpe_check_process { 'haveged': }
}
class openstack_dockerhost {
class { 'sunet::dockerhost':
docker_version => '17.12.0~ce-0~ubuntu',
docker_package_name => 'docker-ce',
storage_driver => "aufs",
run_docker_cleanup => true,
manage_dockerhost_unbound => true,
docker_network => true
}
}
class sunet_iaas_cloud {
sunet::cloud_init::config { 'disable_datasources':
config => { datasource_list => [ 'None' ] }
}
sunet::cloud_init::config { 'keep_root_enabled':
config => { disable_root => 'false' }
}
}
class webserver($enabled=true) {
if $enabled {
ufw::allow { "allow-http":
ip => 'any',
port => '80'
}
ufw::allow { "allow-https":
ip => 'any',
port => '443'
}
} else {
ufw::deny { "allow-http":
ip => 'any',
port => '80'
}
ufw::deny { "allow-https":
ip => 'any',
port => '443'
}
}
}
class servicemonitor {
$nagios_ip_v4 = join(hiera('nagios_ip_v4')," ");
ufw::allow { "allow-servicemonitor-from-nagios":
ip => $nagios_ip_v4,
port => '444',
ensure => absent
}
}
class https_server {
}
class eidas_log {
ensure_resource('file','/etc/logrotate.d',{
ensure => 'directory',
mode => '0755'
})
file {'/etc/logrotate.d/eidas_logs':
ensure => file,
path => '/etc/logrotate.d/eidas_logs',
mode => '0644',
content => template('eid/eidas_logs/eidas_logs.erb')
}
}
class swamid_metadata($filename=undef) {
sunet::metadata::swamid { "$filename": }
}
class saml_metadata($filename=undef, $cert=undef, $url=undef) {
sunet::metadata { "$filename": url => $url, cert => $cert }
}
class md_repo_client {
sunet::snippets::reinstall::keep {['/etc/metadata','/root/.ssh']: } ->
sunet::ssh_git_repo {'/var/cache/metadata_r1':
username => 'root',
group => 'root',
hostname => 'r1.komreg.net',
url => 'git@r1.komreg.net:komreg-metadata.git',
id => 'komreg',
manage_user => false
} ->
package { ['make']: ensure => latest } ->
sunet::scriptherder::cronjob { 'verify_and_update':
cmd => '/var/cache/metadata_r1/scripts/do-update.sh',
minute => '*/5',
ok_criteria => ['exit_status=0', 'max_age=15m'],
warn_criteria => ['exit_status=0', 'max_age=1h'],
}
}
class eidas_metadata_key {
sunet::snippets::secret_file {"/etc/credentials/metadata.key":
hiera_key => 'eidas_metadata_key',
base64 => true
}
}
class eidas_hsm_client($luna_version="6.2") {
$pkcs11pin = hiera('pkcs11pin',"")
sunet::snippets::reinstall::keep {['/etc/luna','/etc/Chrystoki.conf.d']: } ->
file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
sunet::docker_run {"${name}_hsmproxy":
hostname => "${::fqdn}",
image => 'docker.sunet.se/luna-client',
imagetag => $luna_version,
volumes => ['/dev/log:/dev/log','/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
env => ["PKCS11PIN=${pkcs11pin}"],
extra_parameters => ["--log-driver=syslog"]
}
sunet::scriptherder::cronjob { "${name}_restart_hsmproxy":
cmd => "/usr/sbin/service docker-${name}_hsmproxy restart",
minute => '9',
hour => '0',
ok_criteria => ['exit_status=0','max_age=48h'],
warn_criteria => ['exit_status=1','max_age=50h'],
}
}
class md_signer($dest_host=undef,$dest_dir="",$version="eidas") {
package { ['xsltproc','libxml2-utils','attr']: ensure => latest } ->
sunet::pyff {$name:
version => $version,
pound_and_varnish => false,
pipeline => "${name}.fd",
volumes => ["/etc/credentials:/etc/credentials"],
docker_run_extra_parameters => ["--log-driver=syslog"]
}
if ($dest_host) {
sunet::ssh_host_credential { "${name}-publish-credential":
hostname => $dest_host,
username => 'root',
group => 'root',
manage_user => false,
ssh_privkey => safe_hiera("publisher_ssh_privkey")
} ->
sunet::scriptherder::cronjob { "${name}-publish":
cmd => "env RSYNC_ARGS='--chown=www-data:www-data --chmod=D0755,F0664 --xattrs' /usr/local/bin/mirror-mdq.sh http://localhost root@${dest_host}:${dest_dir}",
minute => '*/5',
ok_criteria => ['exit_status=0'],
warn_criteria => ['max_age=30m']
}
}
}
class md_publisher(Array $allow_clients=['any'], $keyname=undef, String $dir="/var/www/html") {
$_keyname = $keyname ? {
undef => $::fqdn,
default => $keyname
}
# this allows fileage check to work wo sudo
file { '/var/www': ensure => directory, mode => '0755' } ->
file { '/var/www/html': ensure => directory, mode => '0755', owner => 'www-data', group =>'www-data' } ->
sunet::rrsync {$dir:
ro => false,
ssh_key => safe_hiera('publisher_ssh_key'),
ssh_key_type => safe_hiera('publisher_ssh_key_type')
} ->
package {['lighttpd','attr']: ensure => latest } ->
exec {'enable-ssl':
command => "/usr/sbin/lighttpd-enable-mod ssl",
onlyif => "test ! -h /etc/lighttpd/conf-enabled/*ssl*"
} ->
file {'/etc/lighttpd/server.pem':
ensure => 'link',
target => "/etc/ssl/private/${_keyname}.pem"
} ->
apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd' } ->
file {'/etc/lighttpd/conf-enabled/99-mime-xattr.conf':
ensure => file,
mode => '0640',
owner => 'root',
group => 'root',
content => inline_template("mimetype.use-xattr = \"enable\"\n")
} ->
service {'lighttpd': ensure => running } ->
sunet::misc::ufw_allow {'allow-lighttpd':
from => $allow_clients,
port => 443
} ->
sunet::nagios::nrpe_check_fileage {"metadata_aggregate":
filename => "/var/www/html/entities/index.html", # yes this is correct
warning_age => '600',
critical_age => '86400'
}
}
class mdsl_publisher() {
sunet::nagios::nrpe_check_fileage {"mdsl_aggregate":
filename => "/var/www/html/mdservicelist-aggregate.xml", # yes this is correct
warning_age => '600',
critical_age => '86400'
}
sunet::nagios::nrpe_check_fileage {"mdsl_se":
filename => "/var/www/html/mdservicelist-se.xml", # yes this is correct
warning_age => '600',
critical_age => '86400'
}
}
class md_repo_server($hostname) {
ensure_resource('sunet::system_user', 'www-data', {
username => 'www-data',
group => 'www-data',
managehome => false,
shell => '/bin/bash'
})
class {'sunet::gitolite': }
sunet::snippets::add_user_to_group { 'add_www_data_to_git':
username => 'www-data',
group => 'git'
} ->
sunet::docker_run {'gitweb':
image => 'docker.sunet.se/gitweb',
imagetag => 'latest',
volumes => ['/etc/dehydrated:/etc/dehydrated','/home/git:/home/git'],
ports => ['443:443','80:80'],
env => ["HOSTNAME=$hostname","ACMEDIR=/etc/dehydrated","KEYDIR=/etc/dehydrated"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') {
$_version = safe_hiera('eidas_demw_version',$version)
$_hostname = safe_hiera('eidas_demw_hostname',$hostname)
$poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
$spring_datasource_password = safe_hiera('spring_datasource_password')
$pkcs11_pin = safe_hiera('pkcs11_pin')
$demw_tls_client_key = safe_hiera('demw_tls_client_key')
$demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
$demw_tls_server_cert = safe_hiera('demw_tls_server_cert')
file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } ->
file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
sunet::docker_run {'eidas-demw':
image => 'docker.sunet.se/eidas-demw',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.1:10000:10000'],
volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
'/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
'/opt/eidas-middleware/database:/opt/eidas-middleware/database',
'/dev/log:/dev/log',
'/etc/luna/cert:/usr/safenet/lunaclient/cert',
'/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
'/etc/ssl:/etc/ssl'],
env => ["CERTNAME=${::fqdn}_infra",
"EIDAS_SIGNER_DEFAULT_HASH_ALGORITHM=SHA256",
"PUBLIC_HOSTNAME=$_hostname",
"PKCS11_PIN=$pkcs11_pin",
"PKCS11_CONFIG_LOCATION=/opt/eidas-middleware/configuration/hsm/pkcs11.properties",
"POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
"DEMW_TLS_CLIENT_KEY=$demw_tls_client_key",
"DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert",
"DEMW_TLS_SERVER_CERT=$demw_tls_server_cert",
"SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"],
extra_parameters => ["--log-driver=syslog"]
}
}
class eidas_de_middleware($version="106-rs",$hostname='localhost') {
$_version = safe_hiera('eidas_demw_version',$version)
$_hostname = safe_hiera('eidas_demw_hostname',$hostname)
$poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
$spring_datasource_password = safe_hiera('spring_datasource_password')
$middleware_crypt_pin = safe_hiera('middleware_crypt_pin')
$middleware_sign_pin = safe_hiera('middleware_sign_pin')
$demw_tls_client_key = safe_hiera('demw_tls_client_key')
$demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
$demw_tls_server_cert = safe_hiera('demw_tls_server_cert')
file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } ->
sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-signature-keystore.jks":
hiera_key => 'eidasmw-signature-keystore',
base64 => true
} ->
sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-crypto-keystore.jks":
hiera_key => 'eidasmw-crypto-keystore',
base64 => true
} ->
sunet::docker_run {'eidas-demw':
image => 'docker.sunet.se/eidas-demw',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.1:10000:10000'],
volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
'/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
'/opt/eidas-middleware/database:/opt/eidas-middleware/database',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["CERTNAME=${::fqdn}_infra",
"PUBLIC_HOSTNAME=$_hostname",
"POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
"DEMW_TLS_CLIENT_KEY=$demw_tls_client_key",
"DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert",
"DEMW_TLS_SERVER_CERT=$demw_tls_server_cert",
"SPRING_DATASOURCE_PASSWORD=$spring_datasource_password",
"MIDDLEWARE_CRYPT_PIN=$middleware_crypt_pin",
"MIDDLEWARE_SIGN_PIN=$middleware_sign_pin"],
extra_parameters => ["--log-driver=syslog"]
}
}
class eidas_sp($version="1.0.0",$hostname='localhost',$environment='qa') {
$_version = safe_hiera('eidas_sp_version',$version)
$_hostname = safe_hiera('eidas_sp_hostname',$hostname)
file {['/etc/eidas-sp','/var/log/eidas-sp','/etc/ssl']: ensure => directory } ->
sunet::docker_run {'eidas-sp':
image => 'docker.sunet.se/eidas-sp',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.01:444:8444'],
volumes => ['/var/log/eidas-sp:/var/log/eidas-sp',
'/etc/eidas-sp:/etc/eidas-sp',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["SERVER_SERVLET_CONTEXT_PATH=/",
"SP_USE_SC_LOGO=false",
"SP_ENTITY_ID=https://$_hostname/sp",
"SPRING_PROFILES_ACTIVE=$environment",
"SP_BASE_URI=https://$_hostname"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class test_my_eid($version="1.0.1",$hostname='localhost',$environment='qa') {
$_version = safe_hiera('test_my_eid_version',$version)
$_hostname = safe_hiera('test_my_eid_hostname',$hostname)
file {['/etc/test-my-eid','/var/log/test-my-eid','/etc/ssl']: ensure => directory } ->
sunet::docker_run {'test-my-eid':
image => 'docker.sunet.se/test-my-eid',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.01:444:8444'],
volumes => ['/var/log/test-my-eid:/var/log/test-my-eid',
'/etc/test-my-eid:/etc/test-my-eid',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["SERVER_SERVLET_CONTEXT_PATH=/",
"SP_ENTITY_ID=https://$_hostname/sp",
"SIGN_SP_ENTITY_ID=https://$_hostname/sp-sign",
"SPRING_PROFILES_ACTIVE=$environment",
"SP_BASE_URI=https://$_hostname",
"SP_DISCOVERY_STATIC_IDP_CONFIGURATION=file:/etc/test-my-eid/idp-disco-$environment.properties"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class eidastest($version="1.0.0", $hostname="locahost") {
$_version = safe_hiera('eidastest_version',$version)
$_hostname = safe_hiera('eidastest_hostname',$hostname)
$home = '/etc/eidastest'
file { "${home}":
ensure => directory,
owner => 'root',
group => 'root',
path => "${home}",
mode => '0755',
}
file { "${home}/eidastest/config.ini":
content => template('eid/eidastest/config.ini.erb'),
owner => 'root',
group => 'root',
mode => '0755',
}
file { "${home}/eidastest/supervise_chrome_processes.sh":
content => template('eid/eidastest/supervise_chrome_processes.sh.erb'),
owner => 'root',
group => 'root',
mode => '0755',
}
$compose = hiera("eidastest_compose")
sunet::docker_compose {'eidastest_docker_compose':
service_name => 'eidastest',
description => 'eidastest service',
compose_dir => "${home}",
content => inline_template("<%= @compose.to_yaml %>\n")
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class swedenconnect_refidp($version="1.0.3",$hostname='localhost') {
$_version = safe_hiera('swedenconnect_refidp_version',$version)
$_hostname = safe_hiera('swedenconnect_refidp_hostname',$hostname)
$idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt');
$idp_fticks_salt = safe_hiera('idp_fticks_salt');
$proxy_header_secret = safe_hiera('proxy_header_secret');
file { ["/etc/swedenconnect-idp","/etc/swedenconnect-idp/credentials"]: ensure => directory } ->
sunet::docker_run {'swedenconnect-idp':
image => 'docker.sunet.se/swedenconnect-idp',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443'],
volumes => ['/var/log/swedenconnect-idp:/var/log/swedenconnect-idp',
'/etc/swedenconnect-idp:/etc/swedenconnect-idp',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["IDP_SERVER_HOSTNAME=$_hostname",
"TOMCAT_HOSTNAME=$_hostname",
"TOMCAT_TLS_SERVER_KEY=/etc/ssl/private/${::fqdn}_infra.key",
"TOMCAT_TLS_SERVER_CERTIFICATE=/etc/ssl/certs/${::fqdn}_infra.crt",
"TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret",
"IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt",
"IDP_FTICKS_SALT=$idp_fticks_salt"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class eidas_connector($version="1.0.6",$hostname='localhost',$luna_debug='no') {
$_version = safe_hiera('eidas_connector_version',$version)
$_hostname = safe_hiera('eidas_connector_hostname',$hostname)
$prid_service = safe_hiera('eidas_prid_service')
$idp_fticks_salt = safe_hiera('idp_fticks_salt',NOT_SET);
$pkcs11_pin = safe_hiera('pkcs11_pin');
$idp_persistent_id_salt = safe_hiera('idp_persistent_id_salt',NOT_SET);
$idp_sealer_password = safe_hiera('idp_sealer_password',NOT_SET);
$proxy_header_secret = safe_hiera('proxy_header_secret',NOT_SET);
file {['/etc/eidas-connector','/etc/eidas-connector/credentials','/etc/eidas-connector/credentials/sp','/etc/eidas-connector/credentials/idp','/etc/eidas-connector/credentials/tomcat','/var/log/eidas-connector']: ensure => directory } ->
sunet::snippets::secret_file {"/etc/eidas-connector/credentials/sealer.jks":
hiera_key => 'eidas_connector_sealer_jks',
base64 => true
} ->
sunet::snippets::secret_file {"/etc/eidas-connector/credentials/connector.key":
hiera_key => 'eidas_connector_key',
base64 => true
} ->
sunet::snippets::secret_file {"/etc/eidas-connector/credentials/metadata.key":
hiera_key => 'eidas_metadata_key',
base64 => true
} ->
sunet::snippets::secret_file {"/etc/eidas-connector/credentials/tomcat/tomcat-key.pem":
hiera_key => 'eidas_connector_tomcat_key',
base64 => true
} ->
file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
sunet::docker_run {'eidas-connector':
image => 'docker.sunet.se/eidas-connector',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443'],
volumes => ['/var/log/eidas-connector:/var/log/eidas-connector',
'/etc/eidas-connector:/etc/eidas-connector',
'/dev/log:/dev/log',
'/etc/luna/cert:/usr/safenet/lunaclient/cert',
'/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
'/etc/ssl:/etc/ssl'],
env => ["IDP_SERVER_HOSTNAME=$_hostname",
"TOMCAT_HOSTNAME=$_hostname",
"TOMCAT_PROXY_SHARED_SECRET=$proxy_header_secret",
"EIDAS_METADATA_IGNORE_SIGNATURE_VALIDATION=false",
"PKCS11_PIN=$pkcs11_pin",
"LUNA_DEBUG=$luna_debug",
"IDP_ENTITY_ID=https://$_hostname/eidas",
"SP_ENTITY_ID=https://$_hostname/idp/metadata/sp",
"IDP_PERSISTENT_ID_SALT=$idp_persistent_id_salt",
"IDP_SEALER_PASSWORD=$idp_sealer_password",
"IDP_FTICKS_SALT=$idp_fticks_salt",
"IDP_PRID_SERVICE_URL=$prid_service"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class eidas_proxy($version='1.0.0',$country='se',$hostname='localhost', $spring_config_param='SPRING_CONFIG_LOCATION') {
$_version = safe_hiera('eidas_proxy_version',$version)
$_hostname = safe_hiera('eidas_proxy_hostname',$hostname);
$_country = safe_hiera('eidas_proxy_country',$country);
$_pkcs11pin = safe_hiera('pkcs11_pin');
$proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw');
file {['/etc/eidas-proxy/',"/etc/eidas-proxy/$_country"]: ensure => directory } ->
sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/metadata.p12":
hiera_key => 'eidas_metadata_key',
base64 => true
} ->
sunet::snippets::secret_file {"/etc/eidas-proxy/$_country/proxy.p12":
hiera_key => 'eidas_proxy_key',
base64 => true
} ->
file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
sunet::docker_run {'eidas-proxy':
image => 'docker.sunet.se/eidas-proxy',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443','127.0.0.01:444:8444'],
volumes => ['/var/log/eidas-proxy:/var/log/eidas-proxy',
'/etc/eidas-proxy:/etc/eidas-proxy',
'/dev/log:/dev/log',
'/etc/luna/cert:/usr/safenet/lunaclient/cert',
'/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
'/etc/ssl:/etc/ssl'],
env => ["PROXY_SERVICE_DOMAIN_PREFIX=https://$_hostname/eidas-ps",
"SPRING_PROFILES_ACTIVE=se",
"CERTNAME=${::fqdn}_infra",
"PKCS11_PIN=${_pkcs11pin}",
"$spring_config_param=/etc/eidas-proxy/$_country/cfg/",
"PROXY_SERVICE_COOKIEENCRYPTPW=$proxy_service_cookie_encrypt_pw"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class prid($version="1.0.0",$clients="",$mdsl="") {
$_version = safe_hiera('eidas_prid_version',$version)
$_mdsl = safe_hiera('eidas_prid_mdsl',$mdsl)
$hostname = $::fqdn
$_allow_clients = safe_hiera($clients)
sunet::docker_run {'prid':
image => 'docker.sunet.se/prid-service',
imagetag => $_version,
hostname => "$hostname",
ports => ['443:8443','127.0.0.1:444:8444'],
volumes => ['/etc/prid-service:/etc/prid-service',
'/etc/ssl:/etc/ssl'],
env => ["PRID_SERVICE_POLICY_CONFIGURATION=file:///etc/prid-service/policy.properties",
"PRID_SERVICE_METADATA_SERVICELIST_URL=$_mdsl",
"CERTNAME=${hostname}_infra"],
extra_parameters => ["--log-driver=syslog"]
} ->
sunet::misc::ufw_allow {'allow-prid':
from => $_allow_clients,
port => 443
} ->
class {'https_server': }
}
class validator($version="2.0.0") {
$_version = safe_hiera('validator_version',$version)
$hostname = $::fqdn
sunet::docker_run {'metadata-validator':
image => 'docker.sunet.se/metadata-validator',
imagetag => $_version,
hostname => "$hostname",
ports => ['443:8443','127.0.0.1:444:8009'],
volumes => ['/etc/ssl:/etc/ssl',
'/etc/metadata-validator:/opt/webapp/mdval',
'/etc/localtime:/etc/localtime:ro'],
env => ["SPRING_CONFIG_LOCATION=/opt/webapp/mdval/cfg/",
"CERTNAME=${hostname}_infra"],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
ensure_resource('class','https_server',{})
}
class proxy_testsp($version="1.0.1",$public_hostname=undef,$uri_path="/testps",$profile="qa") {
$_version = safe_hiera('proxy_testsp_version',$version)
$hostname = $::fqdn
$_public_hostname = $public_hostname ? {
undef => $hostname,
default => $public_hostname
}
sunet::docker_run {'eidas-ps-testsp':
image => 'docker.sunet.se/eidas-ps-testsp',
imagetag => $_version,
hostname => $hostname,
ports => ['443:8443','127.0.0.1:8444:8009'],
volumes => ['/etc/ssl:/etc/ssl',
'/etc/localtime:/etc/localtime:ro'],
env => ["CERTNAME=$hostname",
"SP_ACCESS_ALLOW_ALL=true",
"SP_BASE_URI=https://$_public_hostname",
"SERVER_SERVLET_CONTEXT_PATH=$uri_path",
"SPRING_PROFILES_ACTIVE=$profile"],
extra_parameters => ["--log-driver=syslog"]
}
}
class github_client_credential {
sunet::ssh_host_credential { "github":
hostname => "github.com",
id => "github",
manage_user => false
}
}
class pages($version=undef) {
class { 'sunet::pages': version => $version }
sunet::docker_run {'people-sunet-se':
image => 'docker.sunet.se/static-vhosts',
ports => ['80:80'],
volumes => ['/var/www:/usr/local/apache2/vhosts'],
extra_parameters => ["--log-driver=syslog"]
}
ensure_resource('class','webserver',{})
}
class metadatamgrs {
ssh_authorized_key {'bjorn_mattsson+000606447540':
ensure => absent,
name => 'bjorn.mattsson@bth.se-cardno:000606447540',
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDEWat69rLNIV4CXzsYKJwfT57vZJPLAiJE6jEdSWkl4yTHHl/d/fPzcCPH7FRl4O56xS0WwDn6HDeUvUBFMMH+1Jto98jhlTEcRjdn/BR9VA2nIfuEpvhZ7/m12nUeDDKISJOT9/vMZBWD3x3E4YscJm+gbyImhQ8iERTjur3eC4O4o7l9t0Uy6+wn37CwoyGCsxUVOBoptZOtA6pJ+BTEfzbt8hW2udTqg0pvSpKFQfP87Ioi1mfhRXBbvjS53sbmD/CMj8X6cs8n6zXriggaB2Iy0jfDsgLQHqUxaP2qKR4O76I1ewzkt0OXpanbgljjsDBA+cHWe1A5ViITika7Wf9qiIPKYQdknmKuuckg5c+3K+HRokwSH/2gDjIx1Ziw9eRvF3g3wctGwjAqmu+7CQmXEAlRBeMEGzj9plXOeUbo/a7VJiBIMdfs/gVUTvfnCjq1P/Wz4VO6DhWsC7GFiW7Df2El1kjKDIRwO5KypHSBOleagSLZIt3yn+mEQE+gBfoMin/KJ6C0dnWaA398AZ/pLyjL2C5ZHArt/1MwmVzHbG7JGseHXMcrLPzDUmfB0J1pmrJfEStfwmenynG+xE7ZLf6HrSjEKT+6nzxBNC7C6v4oNlwEkS/EccQQK3STO4fbfYWiY9FhSNidAFZmcNVU5roaeyx5rJ7nt+X/uw==',
user => 'root'
}
ssh_authorized_key {'bjorn_mattsson+000606484562':
ensure => present,
name => 'bjorn.mattsson@bth.se-cardno:000604539918',
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDgsv4gJdi9oaylsrCC/F5fVa67jpAy8WMJPsjYUq1QkVwO+ZuN0ozTqslJf7tATw9YA8jOKahzfc+x1NFOCNkkmW+YaKtF7i8UYjGxRmwDSRCLWSSeXUuQUqz7NBRgPYu/6r/VjqrbHATpHftoAB5RkfzBPUTiLetqC8PHBorM/zrWj2CpBP6vQ4XveCq5GSBh4q4bi0SOaFKOJ+pPJR6L3PiVr76u3ryB5ZQZBZHG0gHI9wXFZcbEOzsSWHU/FKcHDI2QSWXaPtgk+sxHOoL1ZFuUS6i79sV4AFD/VaQAB+3P/QJf6seIM5AcC5fqrfBcVQe5RzC9mypbGuXim325DQBaNTtz3IZhH1IbJpA3b4x06fgjpp+2Z9qKtAZaZzNQPk+bguvyqtEZmI99l/Pa+qNTIe3x8W1960xO/jiyansd5uTBAq1+CGq5ccmVlvPlBuHPLNoV0WY4fnv8yTBj2LNYCvC9SWzmYkQ2ihZD/xauvdoV05A3iKBwxDT/LxPGfBY8YAGF5Cj3KpdTYFlUTOT3BHi3YXhcm4nzdhO4h1NP3HeEQGKPevx/POYADHUA3U7+uSkZxlT5lUl7mdHqNc+zVVHpz7PUBmdq3qVGG72K+X1G8ETtNrkfv/r7Mg7oXEjh5pkSUw8Yj1cQUcHE4js4PRqeC4n1/5hH90sweQ==',
user => 'root'
}
ssh_authorized_key {'paul_scott':
ensure => present,
name => 'paul.scott@kau.se',
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQD3zTpDifYHWlsg3sIAOFKbseiHl/8CllfJS1KwqzDt3jZlIUgCN9KhEyQxldFI2qKRubltLK6b/L8oN4yMrBsXxrfLZThP4RDhhy+IVCnTt489Kg2E2lHqp0DC8pZrtIwS1E50G+Y1p0nS/MYpcxKX/SthDr5cRvNBZXm3C8Pii3BmFPWKy5nLcqQDsK3JeL1D6ss73Tn5XhUWjJTqo2OsU6XuYWyGpbjjMwf+T15ubJJOXztJLN9HLb9QdmZQxM2kKU6JIo2DW01lcGGmsSVdFLbmDfx9y9csNgn/C0QVyo6t9IV8jbbW4Qo6QsrL04ngHhxXkBv2HO5aWZvVTR5mZAuyXKOumbKSqGcU1nXNzNErO0bcK4jlQOtDvACEOUV5BJEAgcq0s943EGSgvPUaOKlp1PZauHBMQVAhWnguEUmytiVPbPN+kGy8H0zqoQaHtzdqNAw1F9pvy5AGwrCquWfNgqKP1heTMSUgbxJh5xET/QrgiFUpGpS7wOUvrp2TP//vkiLdy7wriwF1INxRN/rTrr4p3KMFoNkLGrSZc9EYv1J2o/csbO8LIs0oOKqZw98LOLi4qsWBOYAx9hSHBiej+Jj0mRIyGDt9GHPCscJ0yBJMaGy3+o3luIGfIiQpQkQqoiSz5fVIsh3IYd1RiSkO1Hm73PCEjbbhXGWJFQ==',
user => 'root'
}
}
class konsulter {
ssh_authorized_key {'stefan_santesson':
ensure => present,
name => 'stefan@aaa-sec.com',
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCzUSLrRktEwMaJJ9Zna02Q/HkZ07wn5S9NnBlYarcN3SbE0Hy71YnC92Ojaa7H99a7qDFCHVL3KmarlJRYWAyCe+8nGvJUEcXZ6f9JnpEW7lvu0NykPldstYVqPCVI+rTdreggcM7JcDeZpRghAQ62Rbybl3j6BQ/tUJPexAAeWMFCsTzrtC8B8vo+2IdCytTzG+NLVGmzfN1SROElKSApcBvtBev0niZpspYd0O6VkCiTPBTgUN4wVjBivoCgA2wCT+YmK6G4NZM5Fz7uECSBfJxdlWAcHkR2DkEu57tG3Xmi74IKBFvSxELJ7mxWtDhv4yaBON2+lXXxyB0vyyCb',
user => 'root'
}
ssh_authorized_key {'martin_lindstrom':
ensure => present,
name => 'martin.lindstrom@litsec.se',
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCdm3dGwsfYD0ANzW9vyR9s38ffwExFtb9Yk0n2QDNx+JXsA4PIsbXSfliNmhqg9TWcC9DfUcIbvE24fG1ZJzUTLyVqV/Z5JG4qmb+kZ1cwGNvlMluaboml516nY1cGHn0bhUg6BrxG/K4+BDyRLMghGzpnyqWgMlrqGhCmhCqr9NkYpPdYQUvFsTk3Rh+GhxHFSJuI7zjciOrkoDFbSPvIvPsPzVvQvCOc40/4UBy++I9oxR4+r+NIukp14AkYrJWqD2KtDFXsCFv7FFHj2em9GMcRjcUqH/DkIKxutxBTEY3ysVuk6BcdPQjr1iLCmPj46uqdfJSbCTks5MEqTtiw38zQwvu7UR664+xX6EEiXfUmos6G0HcnAZHUALHebH35mn2EMn5ay1u7GdKrVGABe01kzOGwHmuNb/L6qqXAoiTcEh/pqMMBQTGqcP7pMRvgRL++0Voh8mpE4UUrQ5nqnerSGPGvmqNBpF/QvsPWE9NC5knDfTu7jbTsVtHTP4rEXToM1Po4e2/aev+n2U4PUbJUDf/+ndfmZeyYYKC3FLMk5G/yuvI8gOK/CTiu1A3Pr27V7K6F7W4520YXYwGVrTWwnRfcFqzckajiWyg8lifFKLB8agQ43ByEPdVB/VWMOD1KLuZV4kZHijHaVdOa9lsvTeJuxI/CP5PwWC0VZw==',
user => 'root'
}
}
class sunetops {
# Allow hosts to configure sshd as needed
$sshd_config = $hostname ? {
'pypi' => false,
default => true,
}
# SSH config, create SSH authorized keys from Hiera
$ssh_authorized_keys = hiera_hash('ssh_authorized_keys', undef)
if is_hash($ssh_authorized_keys) {
create_resources('ssh_authorized_key', $ssh_authorized_keys)
}
ssh_authorized_key {'leifj+neo':
ensure => present,
name => 'leifj+neo@mnt.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'ft+505152DD':
ensure => present,
name => 'fredrik+505152DD@thulin.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'ft+4030CCAD':
ensure => present,
name => 'fredrik+4030CCAD@thulin.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'lundberg+9303C5DB':
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDAHMfn9PSWjGGAkMY6rh1yffdYgnlhoIC5E5NWdc5XUlY9oNYW2zhMpyhepfoh1YYv5V1QNTuO3f0zhD+ZeqPvnnA74fBM4yvWU4Qttwv2drsFOsU7nRbGSwQdww9IDidtxRuAjW5HJ9mTOJuYrIFAEHgg1Pv8sZKzHNWuZiz4I34CN2NbaZOu4eYG6pdzvB6kfYl5iL/esfhBZfegA+7x4qXvMLHEKb7wCRBABCfWu6Yy1E0jUdRWBFdqp5zsjuQlk8minh892m2C1tFcyub5dCWgLYtiQRpIjz16lMk1cM+fgS9YM7Ev62bBpRynU2wCfg1QpYMpxIq54q/XLlYv',
ensure => present,
user => 'root',
name => 'lundberg+9303C5DB'
}
ssh_authorized_key {'lundberg+8D03C7D1':
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDPjXvKEL2vAngTdVu3MguEE6gfPH2UigGDPgPV5SBYm0UZ/gZBbB0CuoQjkKEIpq3gzcbLH8kG/00r8hkeBeMa+tfWBDvUXk3wQRw5fKw5StBJFC3C04atJBGlusx6C8stgdmj5SwFhHN86uzVWpqbqJ9TKId18UABgq1hEBMRRVymSXE5zAJ6nCOh2PLtRI8GAkd+Lye0MMh2zEtOIFeHZDd1AiocaLfKBKDUlTSe1+suktyzgQsxJynLlwLA8BXmOZe0/LcE6Nint1beNq/DoKNySxdFN8ebGAC/F7w+JX7hB/DZH7aZevwdDp8cuchoFDUvu3uAXwH5eulXLt+VUJbn3MzFn/rSGqbfdYRlRhAOyo5qSJ3E6DO8WVKCLpwrUXjc4fQT7FwA7JPElunuU8jKxL/PiE5cJlt2cgC6v9qn3C47n0yc7c/078a+34w1mWf2Mp/lqBIJJnOUvKzisKmpEW/t3D1iAFr2z14omPDS9Vnoo1/FrAwGPYGKCeirBDe0FwNzMpC/wC1sglTU236/13zrUzyyQSJoXmn1MkS3aPOusqEYSo65tMoB5qOB7h2/lWLSQ7kHAMVtuMEoCGx/2Aa86EvuWYd1iMPelodEQlNIjCbKz9HX7c1b640FAvU8smefwfk52msqmKvHMbjm86WAPpXThhiN/eAuxQ==',
ensure => present,
user => 'root',
name => 'lundberg+8D03C7D1'
}
ssh_authorized_key {'jonas+6CB01A0F':
ensure => present,
name => 'jonas+6CB01A0F@sunet.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDvuL8XCorTZ1VP5cgbcdN5gNumnZ8RkrS8Hs5b0QKLRwwBNFsl98xMKxzQfBYR610vMnW30iDt3dRnqhfp75yakvt5fvrnk11gSwGoEOeBr5T7jgnJQK/kBIikXfpqsvH/40cSkX3Lx86VzDps/8j5sVYmgWiRk7BKG2/aSVY22RdPliITy2N60BUdZE3blz/I2bpJ1gDzAlJJk/xYHluou7mUuEEMT681hhAC+D32ofTAFSUtvP2PfsOTJxfJ2Iy22cRpR5aA5OCImEmBim4T1vAJUn6xSbeGI4RDHURYveLUT46gE5diWDTmdRKp8P7IpEYhJ1QQtdbsjnt9N6xJUI9ZcujD7yH1Drt0mJH23UhmNtliPeC8nO+58iM9MIgvnqw01wmWG5YnOBJVFWPC90LNGwm29Y6kjxDyVmDXglyx5mBymiEt8l2twi8xVbv6rKAUCUxHpcdsThvyZ75YWpAj0Rpvm5+y76xKqqJ8tK8YUUlD/g/L8gGYsg9GcHdxkUHNF+NMkbzbARM11eALYFdRCM7Kzgf49xMtOcs4s1IcM6u1YX51FvdyWlHHmDTGazz6k/AnF4jqdD4+SBdo7BPdh+FTfNbA1AtOyV1YNLCFrhnSBoUgt+IJ4LZFiRuyak1uxM8zdz5iikzEY+ClEe0GolmG7qtY12DVPy+b+w==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'salu+7B44FE7C':
ensure => present,
name => 'salu+7B44FE7C@sunet.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDepp02t6/oNnO/qKJtB+U2yLWUa+dYo4ECsbX/DGOgr1MYzhtIbP18gUAX0PN9Hj40XdmY5EtAJZamMWCLi0EijanhOLDCzw5s0hzi/gYysmEReLRxhqq4ppjZhSj2HF09a6Rq1TTkndG9mYzTYTkdOyOqmdNcmIZRRvJD0BE1UBkERrURGhA+8YPnHoxEVUqdEDMFX7nHmNl4Q5brj7pNXaBv35PsVIlzDSfltgN7yENF6dv8Fu7nxjKZ+r9Anrb5rCEiBnOkNAbwEMfMvjRRehbY9Nvz1CEn0cP8SstbLYQfBQuCeJW3w9PygLN/a0asva0ttmVhprbnSeZtKmm3',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'dennis+3EE4E6C7':
ensure => absent,
name => 'dennis+3EE4E6C7@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC314jSJ575zgXl2xzwzLRLwoNaP7eXN6NlWOPq47qmoUfR1uZPPbZhvKDmMMc4WQhNPzWDFkX29tcHJar0KXVYM0zNV/hkXlh3Z9suAVFJgzdQ+VW3GsNDffYt4GHM8gUtYxdiQKhA78rIIvcvjy/e0c87lQ0zwDQjruLRw2t1mP1roVsadGnRn4H2rHnlmYqsyJrd2L/MQeKxFh0t3zKu3Hp2mGoSFpFe/5uMaHE//ZOO3tVf3fBWX3p19f6sK6kqYsSR4vMAP08cWf32xFEeNHf4ljbanQ/NIo3iPybpzGXVsPpTHXylLS+vYzDf9mOcxovhsKnJrJ3gdkqEfQyd',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'patrik+soft':
ensure => absent,
name => 'patrik@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAs0nFlZmXga5A789gFwmRVYREPNuaGvZBNAkN+fHpfzNfxSDQNlu1v4OWlU2QAs4XBMVIo5O14EuqqunSgFnX1gh9++AM1cQ8pBUeTi0l99MTl7qxc9MIHCyvHhbzra7o3MHEUuNQzbAjEUsuGV5/ymNJv4ysbncX+BiZplkydq2H/MuDQD8dzghfq6HUgf/BZDVxM3K4Ak8ll65PPPA6xnWJA4a2abgHvoBf40R6xF2dgOK3wq4xQRQSUWdw0olRSyXXZ68mt45m9fvwLnpY3xIFWEWJ6ZbEW+K8BsVT7zqbCBdpnfT8Rc2myz3cjgf7WpTHd8JXEcKk2BaEGD4y+w==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'john+B3337B77':
ensure => present,
name => 'john+B3337B77@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCv+QT4hyxx7m89a+PkdBXAlBuNVoufNoNWpZ6uhDWSKYf7+Ic/M/R1tnsHpSihNAVnaDOLpmC8H1JWaKpuLHrvTolKwFi+imekqzUZ4ajUBuFIbieeHZMTdmv946fpOpB8FpWSFC/TQWyZwq3iVFfm8r/GYGIVSH8MtNBVmfRolH6aZgmZHl67xII59RI20nUm4gzs2yDfReUGRPB/nDWIJ1CuzvzVUFOeJTi3M31TNuxnqUHH0ol0t0bX6MOlDkPGRznOFbr2LhoxvuIIHkjZkZEvAYnQ6fmhExlqge5Trwud/jeZZUhdt7qx+FfgNaTdooUgbCVszgv9CK+rNOOrHD+qIi277j36loPcb0zymb6bnBmZPTo1RJNfaOVC/uuoSTKuFjNQ2UURsu5UepOhSRvLmA1fw+69n6tj0fwd627qxG0jmYmUmzW8U7mSypEXPKLDCbcR+hvWUDaYim1UAKi4ji5AGoOWBSsPuFLtfNYtmpBii+gaglGR6YrDDkQW7Pj/12asga9TrJSqGM1MMTLwuQal1+gtchF+9leKwVf5NOXDMw8SIG0xtqNDfWzk6BMEBcwl7wMObjEwmxxnuHzk8Q7922kvvsgK1VRiO20hmDtOxW2+oBk1yY1F072AjuuXNaZpBxD3c2Iug8GWK8R5pF9fIxAmeeLeFvQCSw==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'el-sunet':
ensure => absent,
name => 'el@sunet.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQC4BWg9cW5fmx8C7K0UN8zzp//NWDcZosrDBl7mEf3MGNBGwrX1orEWFjTWoUZivFoC1TUlEpRP92e3kB3oayMQQz6ZfvYh4ztZBmkDOPIOMykLVsQtvWbWJ1iQuvqCC/s9bVDJmkxkH/Mw/7OyN7Jyb0vPv6JGsSJmbEFkPpzsKUEuXUOFleN7oD59YQVbzDs0ukuAsc3FQ7GSv8q28p/GbFd0ZnfAMjBz2nVJcIkAM9q4OrR90P0gLsW8QqZyVl/uTs5/8iXlkYSe26T4uM697UnD8jFM4yyOTTlS5LHKo8pwNZjqYHdIhkSWscApRqfOVPSm3diQ1nNrm/x2Io4k9GnPmho67YacTA6EisTK4mwnEeCT3tVoHPSfLlGrKOGuug5MnQd5ds+7OlfRPHUua1/sgSiDGjIVQDyktqujrcaI1eK+pT4jmJa0c7HTGSB+dZwmswDsxry3JMdZ75iqYAJGFTIbmWAQAVnRJkzjmge+qIW7joM74I5LBfb20EOVU4rh35bFTsAsK1c/Z08Zut5IgNsg8DyVhVS2PSuvirR4/+OWYZpiO6R4M2nDgtRVPq/nl1iRsZEtiLP9xSyza8TSHm842MfPUbzWPV+JNGjA46QxGprI4OSoqAI//dfBFtpta130U/mvOJsF2xq0NYTyrGqx9qy7iJb8YolFsw==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'el+424CCD7B':
ensure => absent,
name => 'el+424CCD7B@sunet.se',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDEjaBnFluF+U9fE+6PFGSJbke+wK3HuwvuMKnmDHBv5PmFE5ZH9mEdERsPxTsaK+Y73AMJB3BUtnpZiQ7xDi0u5H4C4Xcv48gO2+Ljph99g05IR+yF6R/qmj6UU6s/Ta41vxNJcKWepN/WXBQI1ufPjUUL5qKwCMOrYvSXgeps5pgSlPb2hCq1kauRcS7yAqnpZE3yx/mFyP4DdZ8EiyXSqUPlVPqxnZhfeXQbZCwPlZG/ivvKS5WLeyQwDWDf/Im/hYKL5YMUSz7960LmzM0Wv+1hOuuDQN5mi8LGwpFeDF+rMC1joc52OpVGE5bLFUeg29K6CQRMeVt+G7VJH5J7EglqK6fDSEK9c+d3Y/OaHxA24j7inycODVCZaaWrBHNLjHjUJ7Ckr6FO2e+Z3PeMo3i2KgU7OnDilNiiEXAL9F2UWo+Q2jxNY8M8etewkkQrNJFbdtpT0C/cg++D4cZqWn0UQJKPRs8eZ7cG4TlpfR+X9Vq+uep3SwEE40eTKXLpQdQy9HsZK3h/pCUwT3TK8/MjyF0awL5JE+SHvFqGFwXgRBMxtkjg8pSU3i/ND7ig5ZC+pirGT90KMEltlcS9aJQ4LL5wWlMDsVlv6vv/tjXTvP0Qg0IrwekKrRKJCzF1Em/c7yg3svwLS229Qa/EAWJVbqSGdO6oBm611u13CQ==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'jac+3438F957':
ensure => absent,
name => 'jac+3438F957@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQC7cQCp8MJ4VX1UWb6PW4wnkQfbV8g4WB1vLO2MBUycjoXG3t9xXziy+VAxBmsMIFtpysddsU2Sz6d6Y3vlvXr9DHLvZ7Fqn2Cnyn3q+kDG677zPjGFV4DBZVnmH7dHpkTN1mYKfgV2vnKGwRJE651gwqbR0zkbQxRakLM5/Sh0bm9VtQw8iQvLrAOZGbUdSPx2u1p6XZjwkHGxRdEb06bhLDSr1DlXyVk8bfVVj5JXy+/o/6VbYQUlvotxlZnFr0k5Q84t7mkbaoQwE3gZQTBQLmxpguGKnIN9IiC1hmJGOXcMFpFvxsbJd+lg+DkM7Cl7OByPVTe+EflXctVacyg62s2WZbyH7SyUGNR3GUDQRjEXnDF4eKfk3pniMcTIRGt0eIo88hUV2Ep/EW6i06kTiPV5luAht8hVAayTfoNW+MQbKsLuRJEqEjMADZVY0PMYcLv0TWzjh6xkx/Y7Qth/DeBQYk24DqoOkLFB2HOwTN/qy5Xc0GJmu0pwiUXImSJto6Abh8S8nw95+TnFymybLfJCqm4buUGeJsG3Ej9Bo5KajW6/FDcaj4LlJV9Hq6kNdtXCFxe/DV+WpL1JEvuwyXfjBVoX9GpiquKvUiLJOpeT4Gmc7tsoAISrcZ2LOwq2JPSZUtOO5m+dd1OncGg7zMllTsjZnpebhczqODprZQ==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'jbr+55F5842C@nordu.net':
ensure => absent,
name => 'jbr+55F5842C@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCb88AZ1OPH62tCbkY0Iqu4kS0iRD/HwiQU+UDoosWPMuaIrULz0FOGidEHdhGhoxiUOCj0Uu8B8PwC2sztprBqpgDm2F8lKRd86Pw1BgblnnFA6m3+N8LbVhm8ux93xLqW04TKrxfCQtVGYKdOvva4+7b1Xf3R7UsnJQJoJwW1TCiZaHSNK1e6t2iofXTInhKzh9OVdmczyczjxsJVg9EnNGSf6/B26vIJPDs0pS7t9gUZ4SN6fLdrCG+tLqx76Obvzi1TZ441ZVnRKEUF/+oWsUv7he6ZGO/b4XGVhfb/c8P9pmioet6rxo3EyEsw2978V85vJmg3DA+gqQQXj3Pa0PXn7lrY62niiIQvSm/4fCCcWPVaeTlAS0wc4r2hsVlgYQJjAXDSab2K5ZHWUux2bMZkdJKXK2wC8Q0hf9OTVCfeMgcF8HRU7PPni1vymuurLgS67Ny1ucrOwbWsWjqrOfnT03huRdOhhdik8cRX5qz6PleBiq5Jly/KcjsyahiNDE2uTLDn7+z59HaHd2qp1NDVWtxTDjP46LqGF4VYnPTOooVv+4EFF9AAjqJRVTr1WdJjWtG3R7aDnWqFKRI912stlOXRvblOvF5iJjQHCecPWcE06ZrkUSa91i2ylf16q82tdEv3Hj3hvh873aAE8YnMHAnkSbnE+7VjF9jsZQ==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'markus+FA2CC191':
ensure => absent,
name => 'markus+FA2CC191@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDjBx/TbLSK9Ocf8Vefrddy62xH/gwPwT4/23xN8+ZEo7YG+0rKxFVRDFchnS9lMx+1UFubyZEui1CjRMwwFcFN/uOQ94oEPnFjyVZZ4jwXmmQu/xY1oiWg25h1WfwR9xTkOfe2CvPXjmtUwqYy+AO82YpXKpLTi/J7y3CVOxS2kRZzfe99CaB0nSzX7lSYmaq9KoThJ7VAsoyObJ2vcpuliIhNUsYL2RWHYdnSOdJoNftZkegN87so62fY7YcYWJkET9Rvydm9Qn1fDiUvGuMCitvS4OeWgJ97g3yAwdmhXExcQEzePxcx4LgR0DndzU/MqXYw2KqAVeRsjct2HFAqo0uL1jj8mb7tWYVpQTq8KNgUuA4o2wTvmKuNtWzhfb+J6TMCLrCXx9/3nH0NbO3JqUvxQxblnh3cZYIiphdIDxpXUGPXxVOtHjd2M0KaTrrhd+4ntnf0c9A0kcMCvSv/pEjy2saVpuNSjz13iO8Db7IOan4oC9ACheKAoDyBVLpmZFVMc4t2scLPqqeJjzwu/BozxPVQy8nhKdKznGmg3QGnPcrvNfGoO4huBPxlJZsLSmaPenImK4tHYDmFTjjQWSJ+gFkTlkJzDCqsDB/H+SZQEuAH/JIpzULApouVUi42dJq/MUN4SUvfuij7Zsx+jyWqOnxAkx0gpUnu8UsF5Q==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'htj+key-from-ldap':
ensure => absent,
name => 'htj+key-from-ldap@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDeME6LuIRZzHh8f7wTBE1RRX8fX4DftnZambVOoGOzg5ujtVnmwBZiFFcumqRGs7o/iradUY0IB5K2tbooHJkTYh+B0sIR/5jOPJJZ+bS45bngcGq1vz++z1VSXlTGH13H8OFXHZPnjwvFzO5eauHnen4uKVKrN9A/lNhTfbjpiHRN1yfXuunlvar4Go6OLAm6tgWe93scdXiAdxd3LoZ/I91w7djfAi0SpMiTDbYchrtt9wC3l4U42wehcANU4EhEJfMrwcMcRXRSZ/3IejXp2I1PueQhiHjknAkVX/r4Y23RKT77B1OEbVXg8VizFVnHrhkGWW1JZzQWrvb/MruT',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'pettai+BD795A53':
ensure => absent,
name => 'pettai+BD795A53@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDcvRAnhdoty3OpQnC3zYEUQijkhlg9eiU7y6EVR/rdy+HID4aRZU57EuEB17wmoP6OliXZc02R5oHwoTT42cugUPgwPyxfgofwMRhl9zHUDumvnI9apiW6TMTz8F/zg26eLHhrB9k3tmviPhPV3PQKqEOvfKMwM47aEieGRcUTRLqOAJnrfoE+JRLtql/eaFFYKnVNtMscpNnBcvl77cAG3ciGqe4FLo21Sxo5WieoKElBswZzNKt+vQSZMI8yIA/DU1XGg6Yn5hhbqhgMJLhye3JXM9qSlzXo+T5SrBF8T8uZ3LpkPoA06T7k2DBjaj3iXueJVmoibdRG3t53YfE7',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'mikott+BEBCB9C0':
ensure => absent,
name => 'mikott+BEBCB9C0@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC36l/Qxb+sByKKZwBOPLiqScqWg6Q9elraB4vj13MjkoGsNoCmzWDEcAE9hUVwnlprYnWNyaJZ3OliEawFJlRDF8MxgVN+jHYUCUhPoHCE4ChS9Y0EayLb+AQ2JbfI1KAADga161P+/P1ofALMnZHW2NpK1p+2eiE891c1sc+NfLCNySX/hcvkkP6zNrCmZxgFcqIBbYNNxDjU33G3StypFe/7YgmVvd/ZfY22fhWb4gm1fX/3HelxCU6FirDJHujhDm79btjR221emlqTMH3WQvgGBKhLGOoQTKTHEadBmPa16nxv01mTtHVH6tnqGrWXhSrn6WEw3qQSzKrBnHIV',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'berra+DA7C099B':
ensure => present,
name => 'berra+DA7C099B@nordu.net',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDoUEUPOtw5ZUBblnDlf03EfA8xmoOMVnoxV6nrAwPWsNOWCY39+OO5ckfv8B/n/i/JRIvokPp+YrPpOXi8fLkchiu5AFDBwN4cqS8NETLMwJhImfObIM6M1P9a4re4WuAZ4u2BQ2/Nin7WRewJfAfbvbSx6o5zRp95IotiQiXIH8LyYC7whDUjT7OKvESUwLRnK6wQ4kQRgxpgUbAZxAgPZxRzTL0jPKx5dW2pald5WWXcu9ki4uiPg5fDjHVwAJ3MFNzFfDUrJX0bKSln/ocAJFBuAKTCUHEMXo9arD6LBcj7JoXZP6ZiXlcIUG6hd93vAmL+1fxOWu3Adbtz31hxzfmTHGLwF5HyfBIpdygNBZILwICjKimocD0oevrNcJ0KmgBWnw6ZlZJjKIcxN77wEbmskQ19kj+nTHQIgDeocISfio3iJIKdAGsLo+L+d8x4vMoPgIhJUJf8vT2piTa532mumfH2buWt841Yq3fsP98AQJTPDdsXRUGkIVTIIRIqFN1thV9FaMX5wIErq3oEYNJNDhJ6g+5z6N3Zq4AivXzQnmUOeqIttP0jryO85BBGjAz6LIBTCnirKwdsKv7Bq3g3Y5QARUgL42DQ9ddMyMWud5OKrVSwhPf1tqeQEyhgctA0Ve007h9nfovKFhDyUA24HFfDHlIqIWxuOnk1sw==',
type => 'ssh-rsa',
user => 'root'
}
ssh_authorized_key {'bjorn+8E2DA8EB05F646D7':
ensure => present,
name => 'bjorn+8E2DA8EB05F646D7',
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDO1nktCA7fWcbmXAlcSEAeAxqlo2bobQblqqhvbjzmDfZdvhUYRXNjc2R4GjAU60yB/qqODE2km1z2xcIojlT/uHIXPx7jkSXvDZQFVDWplGiWKbOZS/apvva2vHBtfDBPSQnDSxr3sINAqehG58gL1coP95uWXodXSfv+BzGqQfYomlqU9f5qjXT2vFA+0XzoGTT9yG2utD3uhYd1k9EN+ED6NCXyCsUoihtEI8M8fF0Sps/QYpdyR34yP98lL+8DwZCtq0eQRMhF6mTcRcTDFdYdgS8jL+lSbw9DaPrWhGll0ie/Xk/v9RC+d3FGE6av0e8YDboNlduwy2iUbA1w1ll/VUOmXy6gudIZ91Edl+sOOyDVfLY3+Dz+RnmoSuCoWyJ00KovBIfgDOUDKe0QMHyVZ9ccMMihTUMUfJ7kYQ9EuidBLsy9GO+ar7FFPHYyVKiWYoxFBafAtIVDM79v9KvQeF2PAfuhSM3yIXeSb+8cp2ANVLX5dncoMPEgdfFRVie5HMwMct+BFwkyIuQ8++kCInGxbM5X1B3uhYTlkYyT3eAR3jHiwZoiBssCPXtmkXjJ0CFB1BcBlGSZktFoBRstGlEb/nEpTH/71JdA60a1eNwbhslNpAWfi3Jco3QPKBoRdwbeIsmDrK1hpJZG9Ke/jZxr3WSv39tu0l4JAw==',
user => 'root'
}
# OS hardening
if $::hostname =~ /kvm/ {
class {'bastion':
fstab_fix_shm => false,
sysctl_net_hardening => false,
}
} elsif $::hostname =~ /random/ { # pollen requires exec on /tmp
class {'bastion':
fixperms_enable => false,
fixperms_paranoia => false,
}
} else {
class {'bastion':
fstab_fix_shm => false,
fixperms_paranoia => true,
}
}
}
class nrpe {
require apt
class {'sunet::nagios': }
if ($::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '12.04') {
class {'apt::backports': }
}
package {'nagios-plugins-contrib': ensure => latest}
if ($::operatingsystem == 'Ubuntu' and $::operatingsystemrelease < '18.04') {
package {'nagios-plugins-extra': ensure => latest}
}
sunet::nagios::nrpe_command {'check_memory':
command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%'
}
sunet::nagios::nrpe_command {'check_mem':
command_line => '/usr/lib/nagios/plugins/check_memory -w 10% -c 5%'
}
sunet::nagios::nrpe_command {'check_boot_15_5':
command_line => '/usr/lib/nagios/plugins/check_disk -w 15% -c 5% -p /boot'
}
sunet::nagios::nrpe_command {'check_entropy':
command_line => '/usr/lib/nagios/plugins/check_entropy'
}
sunet::nagios::nrpe_command {'check_ntp_time':
command_line => '/usr/lib/nagios/plugins/check_ntp_time -H localhost'
}
sunet::nagios::nrpe_command {'check_scriptherder':
command_line => '/usr/local/bin/scriptherder --mode check'
}
sunet::nagios::nrpe_command {'check_apt':
command_line => '/usr/lib/nagios/plugins/check_apt'
}
sunet::nagios::nrpe_command {'check_eidas_health':
command_line => '/usr/lib/nagios/plugins/check_eidas_health.sh localhost'
}
sunet::sudoer {'nagios_run_needrestart_command':
user_name => 'nagios',
collection => 'nagios',
command_line => "/usr/sbin/needrestart -p -l"
}
sunet::nagios::nrpe_command {'check_needrestart':
command_line => "sudo /usr/sbin/needrestart -p -l"
}
}
class nagios_monitor {
$nrpe_clients = hiera_array('nrpe_clients',[]);
$allowed_hosts = join($nrpe_clients," ");
$web_admin_pw = safe_hiera('nagios_nagiosadmin_password');
$web_admin_user = 'nagiosadmin';
package { 'xsltproc': ensure => installed}
class { 'webserver': }
class { 'nagioscfg':
hostgroups => $::roles,
config => 'eid'
}
class {'nagioscfg::slack': domain => 'sunet.slack.com', token => safe_hiera('slack_token','') } ->
class {'nagioscfg::passive': enable_notifications => '0', obsess_over_services => '0', obsess_over_hosts => '0'}
sunet::misc::htpasswd_user { $web_admin_user :
filename => "/etc/nagios3/htpasswd.users",
password => $web_admin_pw,
group => 'www-data',
}
file {
'/root/MONITOR_WEB_PASSWORD':
content => sprintf("%s\n%s\n", $web_admin_user, $web_admin_pw),
group => 'root',
mode => '0600',
;
}
#definition for check_nrpe_1arg
file { '/etc/nagios-plugins/config/check_nrpe.cfg':
ensure => file,
mode => '0644',
content => template('eid/monitor/check_nrpe.cfg.erb'),
}
nagioscfg::slack::channel {'eln': } ->
nagioscfg::contactgroup {'alerts': } ->
nagioscfg::contact {'slack-alerts':
host_notification_commands => ['notify-host-to-slack-eln'],
service_notification_commands => ['notify-service-to-slack-eln'],
contact_groups => ['alerts']
}
nagioscfg::service {'service_ping':
hostgroup_name => ['all'],
description => 'PING',
check_command => 'check_ping!400.0,1%!500.0,2%',
contact_groups => ['alerts']
}
nagioscfg::service {'service_ssh':
hostgroup_name => ['jumphosts'],
description => 'SSH',
check_command => 'check_ssh_4_hostname',
contact_groups => ['alerts']
}
nagioscfg::service {'check_load':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_load',
description => 'System Load',
contact_groups => ['alerts']
}
nagioscfg::service {'check_users':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_users',
description => 'Active Users',
contact_groups => ['alerts']
}
nagioscfg::service {'check_zombie_procs':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_zombie_procs',
description => 'Zombie Processes',
contact_groups => ['alerts']
}
nagioscfg::service {'check_total_procs':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_total_procs_lax',
description => 'Total Processes',
contact_groups => ['alerts']
}
nagioscfg::service {'check_root':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_root',
description => 'Root Disk',
contact_groups => ['alerts']
}
nagioscfg::service {'check_boot':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_boot_15_5',
description => 'Boot Disk',
contact_groups => ['alerts']
}
nagioscfg::service {'check_var':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_var',
description => 'Var Disk',
contact_groups => ['alerts']
}
nagioscfg::service {'check_uptime':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_uptime',
description => 'Uptime',
contact_groups => ['alerts']
}
nagioscfg::service {'check_reboot':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_reboot',
description => 'Reboot Needed',
contact_groups => ['alerts']
}
nagioscfg::service {'check_memory':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_memory',
description => 'System Memory',
contact_groups => ['alerts']
}
nagioscfg::service {'check_entropy':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_entropy',
description => 'System Entropy',
contact_groups => ['alerts']
}
nagioscfg::service {'check_ntp_time':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_ntp_time',
description => 'System NTP Time',
contact_groups => ['alerts']
}
nagioscfg::service {'check_process_haveged':
hostgroup_name => ['entropyclient'],
check_command => 'check_nrpe_1arg!check_process_haveged',
description => 'haveged running',
contact_groups => ['alerts']
}
nagioscfg::service {'check_scriptherder':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_scriptherder',
description => 'Scriptherder Status',
contact_groups => ['alerts']
}
nagioscfg::service {'check_apt':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_apt',
description => 'Packages available for upgrade',
contact_groups => ['alerts']
}
nagioscfg::service {'metadata_aggregate_age':
hostgroup_name => ['md_publisher'],
check_command => 'check_nrpe_1arg!check_fileage_metadata_aggregate',
description => 'metadata aggregate age',
contact_groups => ['alerts']
}
nagioscfg::service {'mdsl_aggregate_age':
hostgroup_name => ['mdsl_publisher'],
check_command => 'check_nrpe_1arg!check_fileage_mdsl_aggregate',
description => 'mdsl aggregate age',
contact_groups => ['alerts']
}
nagioscfg::service {'mdsl_se_age':
hostgroup_name => ['mdsl_publisher'],
check_command => 'check_nrpe_1arg!check_fileage_mdsl_se',
description => 'mdsl se age',
contact_groups => ['alerts']
}
nagioscfg::service {'check_eidas_health':
hostgroup_name => ['servicemonitor'],
check_command => 'check_nrpe_1arg!check_eidas_health',
description => 'eidas component healthcheck',
contact_groups => ['alerts']
}
nagioscfg::service {'check_needrestart':
hostgroup_name => ['nrpe'],
check_command => 'check_nrpe_1arg!check_needrestart',
description => 'Processes need restart',
contact_groups => ['alerts']
}
nagioscfg::command {'check_ssl_cert_3':
command_line => "/usr/lib/nagios/plugins/check_ssl_cert -A -H '\$HOSTADDRESS\$' -c '\$ARG2\$' -w '\$ARG1\$' -p '\$ARG3\$'"
}
$public_hosts = ['prid.sveidas.se', 'demw.eidas.swedenconnect.se','swedenconnect.se','qa.test.swedenconnect.se','qa.md.swedenconnect.se','md.swedenconnect.se','md.eidas.swedenconnect.se','qa.md.eidas.swedenconnect.se','qa.connector.eidas.swedenconnect.se','qa.proxy.eidas.swedenconnect.se','connector.eidas.swedenconnect.se']
nagioscfg::host {$public_hosts: }
nagioscfg::service {'check_public_ssl_cert':
host_name => $public_hosts,
check_command => 'check_ssl_cert_3!30!14!443',
description => 'check https certificate validity on port 443',
contact_groups => ['alerts']
}
nagioscfg::command {'check_ssl_cert_altname':
command_line => "/usr/lib/nagios/plugins/check_ssl_cert -n '\$ARG4\$' --altnames -H '\$HOSTADDRESS\$' -c '\$ARG2\$' -w '\$ARG1\$' -p '\$ARG3\$'"
}
nagioscfg::service {'check_public_ssl_cert_altname':
host_name => ['prid.sveidas.se'],
check_command => 'check_ssl_cert_altname!30!14!443!prid.sveidas.se',
description => 'check https certificate validity on port 443 with SAN',
contact_groups => ['alerts']
}
$infra_hosts = ['prid-1.qa.sveidas.se','prid-1.sveidas.se,','prid-2.sveidas.se']
nagioscfg::service {'check_infra_ssl_cert':
host_name => $infra_hosts,
check_command => 'check_ssl_cert_3!30!14!443',
description => 'check https certificate validity on port 443',
contact_groups => ['alerts']
}
nagioscfg::command {'check_website':
command_line => "/usr/lib/nagios/plugins/check_http -H '\$HOSTNAME\$' -S -u '\$ARG1\$'"
}
nagioscfg::service {'check_metadata_eIDAS':
host_name => ['md.eidas.swedenconnect.se'],
check_command => 'check_website!https://md.eidas.swedenconnect.se/',
description => 'check metadata for eIDAS',
contact_groups => ['alerts'],
}
nagioscfg::service {'check_metadata_swedenconnect':
host_name => ['md.swedenconnect.se'],
check_command => 'check_website!https://md.swedenconnect.se/',
description => 'check metadata for Sweden Connect',
contact_groups => ['alerts'],
}
nagioscfg::service {'check_connector':
host_name => ['connector.eidas.swedenconnect.se'],
check_command => 'check_website!https://connector.eidas.swedenconnect.se/idp/metadata/sp',
description => 'check metadata for Sweden Connect',
contact_groups => ['alerts'],
}
nagioscfg::service {'check_metadata_DE_middleware':
host_name => ['demw.eidas.swedenconnect.se'],
check_command => 'check_website!https://demw.eidas.swedenconnect.se/eidas-middleware/Metadata',
description => 'check metadata for DE middleware',
contact_groups => ['alerts'],
}
nagioscfg::command {'check_country_count':
command_line => "/usr/lib/nagios/plugins/check_eidas_country_count.sh '\$ARG1\$' '\$ARG2\$' '\$ARG3\$' '\$ARG4\$'"
}
nagioscfg::service {'check_country_eIDAS_QA':
host_name => ['qa.md.eidas.swedenconnect.se'],
check_command => 'check_country_count!qa.md.eidas.swedenconnect.se!PT LU IT ES HR LV DE EE BE IS XB CY PL SK XC LT NO DK CZ SE GR XA MT SI!1!3',
description => 'check number of countries in eIDAS QA',
contact_groups => ['alerts'],
}
nagioscfg::service {'check_country_eIDAS':
host_name => ['md.eidas.swedenconnect.se'],
check_command => 'check_country_count!md.eidas.swedenconnect.se!LU IT ES HR DE EE BE PT SK CZ LV!1!3',
description => 'check number of countries in eIDAS',
contact_groups => ['alerts'],
}
nagioscfg::command {'check_metadata_age':
command_line => "/usr/lib/nagios/plugins/check_eidas_metadata_age.sh '\$ARG1\$' '\$ARG2\$' '\$ARG3\$'"
}
$hosts_md = ['qa.md.swedenconnect.se', 'md.swedenconnect.se']
$hosts_md.each |$host|{
nagioscfg::service {"check_metadata_age_${host}":
host_name => ["${host}"],
check_command => "check_metadata_age!https://${host}/entities!691200!172800",
description => "check metadata for ${host}",
contact_groups => ['alerts'],
}
}
$hosts_md_eidas = ['md.eidas.swedenconnect.se', 'qa.md.eidas.swedenconnect.se']
$hosts_md_eidas.each |$host|{
nagioscfg::service {"check_metadata_age_${host}":
host_name => ["${host}"],
check_command => "check_metadata_age!https://${host}/entities!432000!86400",
description => "check metadata for ${host}",
contact_groups => ['alerts'],
}
}
}
class redis_cluster_node {
file { '/opt/redis': ensure => directory }
sysctl { 'vm.overcommit_memory': value => '1' }
sunet::redis::server {'redis-master':
allow_clients => hiera_array('redis_client_ips', []),
cluster_nodes => hiera_array('redis_sentinel_ips', []),
}
sunet::redis::server {'redis-sentinel':
port => 26379,
sentinel_config => 'yes',
allow_clients => hiera_array('redis_client_ips', []),
cluster_nodes => hiera_array('redis_sentinel_ips', []),
}
}
class redis_frontend_node ($hostname=undef,$ca="infra") {
file { '/opt/redis': ensure => directory }
sunet::redis::haproxy {'redis-haproxy':
cluster_nodes => hiera_array('redis_sentinel_ips', []),
client_ca => "/etc/ssl/certs/${ca}.crt",
certificate => "/etc/ssl/private/${::fqdn}_${ca}.pem"
}
}
Reference in a new issue View git blame Copy permalink