eid-ops/global/overlay/etc/puppet/modules/eid/manifests/connector.pp


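# This puppet manifest is used to configure Sweden Connect connector servers.
#
# Everything except the HSM PIN lookup is guarded by `if $version`: the
# firewall rule, directories, config file, on-disk keys and the compose
# service are only declared once a docker image version has been chosen.
#
# @param environment The environment that the server belongs to. (referenced in compose file)
# @param session_backend Choose if it should run with a "redis" cluster (session sync) or "memory" (without session sync)
# @param version Version of the docker image to use. (referenced in compose file)
#   The empty-string default leaves the connector undeployed on this host.
# @param server_fqdn The FQDN of the server. (referenced in compose file)
# @param connector_directory The directory where all connector related config and files are stored. (referenced in compose file)
# @param use_hsm Configure if HSM is used or not. When true only the
#   `pkcs11_pin` secret is fetched from hiera; when false the signing and
#   encryption keys are written to disk under "${connector_directory}/credentials".
class eid::connector (
  Enum['test', 'qa', 'prod'] $environment,
  Enum['redis', 'memory']    $session_backend     = 'redis',
  String                     $version             = '',
  String                     $server_fqdn         = $facts['networking']['fqdn'],
  String                     $connector_directory = '/opt/eidas-connector',
  Boolean                    $use_hsm             = true,
) {
  # Define $pkcs11_pin on both branches so that a reference to it (for
  # example from a template) never depends on the variable having been
  # declared; the hiera lookup itself still only runs when the HSM is used.
  $pkcs11_pin = $use_hsm ? {
    true    => safe_hiera('pkcs11_pin'),
    default => undef,
  }

  if $version {
    # Allow HTTPS from load balancer servers.
    # TODO(review): hiera_array is a legacy hiera function; lookup() with the
    # 'unique' merge strategy is the supported equivalent.
    $lb_ips = hiera_array("lb_${environment}_servers", [])
    sunet::nftables::allow { 'allow-https-from-lbs':
      from => $lb_ips,
      port => 443,
    }

    # Make sure we create backup directory referenced in compose file
    file { "${connector_directory}/backup":
      ensure => directory,
      mode   => '0755',
      owner  => 'root',
      group  => 'root',
    }

    # Create the environment specific config file from template.
    # NOTE(review): no mode/owner/group is set here, so the file resource
    # defaults apply; if the template interpolates $pkcs11_pin or other
    # secrets, confirm the resulting permissions are restrictive enough.
    file { "${connector_directory}/application-${environment}.yml":
      ensure  => 'file',
      content => template("eid/connector/application-${environment}.yml.erb"),
    }

    # If we dont use HSM, we need the keys on disk
    unless $use_hsm {
      sunet::snippets::secret_file { "${connector_directory}/credentials/connector-${environment}-sign.key":
        hiera_key => 'connector_sign_key',
      }
      sunet::snippets::secret_file { "${connector_directory}/credentials/connector-${environment}-enc.key":
        hiera_key => 'connector_enc_key',
      }
    }

    # The compose file template reads $environment, $version, $server_fqdn
    # and $connector_directory (see the @param notes above).
    sunet::docker_compose { 'eidas-connector':
      content          => template('eid/connector/docker-compose.yml.erb'),
      service_name     => 'eidas-connector',
      compose_dir      => '/opt/',
      compose_filename => 'docker-compose.yml',
      description      => 'eidas connector',
    }
  }
}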