feat: use env-file templating instead of composefile

use the same composefile as in the repo, passing configuration options
by using a templated env file instead of templating a custom composefile.

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -36,6 +36,7 @@
     proxy: 'https://test-sso-proxy1.cert.sunet.se/idp'
     entityID: 'https://test-sso-proxy.cert.sunet.se/idp'
   soc::vuln_dashboard:
+    docker_network: 'sso'
 
 test-sso-proxy1.cert.sunet.se:
   sunet::dockerhost2:

global/overlay/etc/puppet/modules/soc/manifests/vuln_dashboard.pp

@@ -1,5 +1,6 @@
 class soc::vuln_dashboard(
   String            $allowed_hosts    = $facts['networking']['fqdn'],
+  String            $docker_network   = 'default',
   String            $docker_tag       = 'latest',
   String            $db_datadir       = '/opt/vuln-dashboard/dbdata',
   String            $pocs_storage_dir = '/opt/vuln-dashboard/pocsdata',
@@ -24,13 +25,26 @@ file {
   $pocs_storage_dir:
     ensure => directory,
     ;
+  '/opt/vuln-dashboard/docker-compose.yml':
+    ensure => file,
+    mode => '0600',
+    ;
+  '/opt/vuln-dashboard/docker.env':
+    ensure => file,
+    mode => '0600',
+    content => template('soc/vuln-dashboard/docker.env.erb'),
+    ;
 }
 
-sunet::docker_compose { 'vuln-dashboard':
+utils::docker_compose_service_env { 'vuln-dashboard':
-  service_name => 'vuln-dashboard',
+  compose_file  => '/opt/vuln-dashboard/docker-compose.yml',
   description  => 'SOC vuln dashboard',
-  compose_dir  => '/opt/vuln-dashboard',
+  envfile => '/opt/vuln-dashboard/docker.env',
-  content      => template('soc/vuln-dashboard/docker-compose.yml.erb'),
+  docker_svc_names => 'dev postgres',
-}
+  service_name => 'vuln-dashboard',
+
+}
+
+
 
 }

global/overlay/etc/puppet/modules/soc/templates/vuln-dashboard/docker-compose.yml.erb

@@ -1,59 +0,0 @@
----
-services:
-
-  # copy that's run locally in docker,
-  # app files are mounted for quick-reload and fast iterations
-  dev:
-    container_name: <%= @sso_service_name %>
-    depends_on:
-      - postgres
-    image: dashboard-dev:<%= @docker_tag %>
-    pull_policy: never
-    environment:
-      DB_NAME: <%= @db_name %>
-      DB_USER: <%= @db_user %>
-      DB_PW: <%= @db_pass %>
-      DB_HOST: <%= @db_host %>
-      DB_PORT: <%= @db_port %>
-      CENSYS_API_ID: <%= @censys_api_id %>
-      CENSYS_API_SECRET: <%= @censys_api_secret %>
-      DJANGO_ALLOWED_HOSTS: <%= @allowed_hosts %>
-    ports:
-      - "127.0.0.1:8000:8000"
-    init: true
-    volumes:
-      - pocs-data:/app/stored_pocs
-    networks:
-      - default
-      - sso
-
-  postgres:
-    container_name: postgres
-    image: postgres:latest
-    environment:
-      POSTGRES_DB: <%= @db_name %>
-      POSTGRES_USER: <%= @db_user %>
-      POSTGRES_PASSWORD: <%= @db_pass %>
-    volumes:
-      - postgres-data:/var/lib/postgresql/data  # Maps local folder to the container's data folder
-    restart: always  # Ensures that the container restarts if it crashes or is stopped
-    networks:
-      - default
-
-volumes:
-  postgres-data:
-    driver: local
-    driver_opts:
-      device: <%= @db_datadir %>
-      o: bind
-      type: none
-  pocs-data:
-    driver: local
-    driver_opts:
-      device: <%= @pocs_storage_dir %>
-      o: bind
-      type: none
-
-networks:
-  sso:
-    external: true

global/overlay/etc/puppet/modules/soc/templates/vuln-dashboard/docker.env.erb

@@ -0,0 +1,11 @@
+DB_NAME='<%= @db_name %>'
+DB_USER='<%= @db_user %>'
+DB_PW='<%= @db_pass %>'
+DB_PORT='<%= @db_port %>'
+DB_HOST='<%= @db_host %>'
+DB_DATA_DIR='<%= @db_datadir %>'
+POCS_STORAGE_DIR='<%= @pocs_storage_dir %>'
+DJANGO_ALLOWED_HOSTS='<%= @allowed_hosts %>'
+CENSYS_API_ID='<%= @censys_api_id %>'
+CENSYS_API_SECRET='<%= @censys_api_secret %>'
+DOCKER_PROXY_NETWORK='<%= @docker_network %>'

global/overlay/etc/puppet/modules/utils/manifests/docker_compose_service_env.pp

@@ -0,0 +1,37 @@
+# Manage a service using docker-compose with an env file
+define utils::docker_compose_service_env(
+  String           $compose_file,
+  String           $description,
+  String           $envfile = '/dev/null',
+  String           $docker_svc_names = '', # empty should bring up everything in compose file
+  Optional[String] $service_name = undef,
+  Boolean          $pull_on_start = false,
+  Array[String]    $service_extras = [],
+  Optional[String] $service_alias = undef,
+  Optional[String] $start_command = undef,
+) {
+  include sunet::systemd_reload
+
+  $_service_name = $service_name ? {
+    undef => $name,
+    default => $service_name,
+  }
+
+  $_template = 'utils/dockerhost_env/compose2.service.erb'
+
+  file {
+    "/etc/systemd/system/${_service_name}.service":
+      content => template($_template),
+      notify  => [Class['sunet::systemd_reload'],
+                  ],
+      ;
+  }
+
+
+  service { $_service_name :
+    ensure   => 'running',
+    enable   => true,
+    require  => File["/etc/systemd/system/${_service_name}.service"],
+    provider => 'systemd',  # puppet is really bad at figuring this out
+  }
+}

global/overlay/etc/puppet/modules/utils/templates/dockerhost_env/compose2.service.erb

@@ -0,0 +1,50 @@
+# This service file is generated by Puppet. Do not edit.
+#
+# This information is used by check_docker_containers to monitor the started containers:
+# COMPOSE_FILE=<%= @compose_file %>
+#
+[Unit]
+Description=<%= @description %>
+After=docker.service
+BindsTo=docker.service
+Conflicts=shutdown.target reboot.target halt.target
+
+[Service]
+TimeoutStartSec=0
+TimeoutStopSec=30
+Restart=always
+RestartSec=10
+
+SyslogIdentifier=<%= @_service_name %>
+
+WorkingDirectory=/
+
+# To make docker pull work with basic-auth credentials
+Environment="HOME=/root"
+
+#ExecStartPre=-/usr/bin/docker compose -f <%= @compose_file %> rm -f --stop
+<% if @pull_on_start != true -%>#<% end -%>ExecStartPre=-/usr/bin/docker compose -f <%= @compose_file %> pull
+
+<% if @start_command -%>
+ExecStart=<%= @start_command %>
+<% else %>
+  ExecStart=/usr/bin/docker compose -f <%= @compose_file %> --env-file <%= @envfile %> up --force-recreate --no-deps <%= @docker_svc_names %>
+<% end -%>
+
+ExecStop=/usr/bin/docker compose -f <%= @compose_file %> --env-file <%= @envfile %> down <%= @docker_svc_names %>
+
+NotifyAccess=all
+
+<% if @service_extras.is_a? Array -%>
+# service_extras :
+<% @service_extras.each do |this| -%>
+<%= this %>
+<% end -%>
+<% end -%>
+
+
+[Install]
+WantedBy=multi-user.target
+<% if @service_alias -%>
+Alias=<%= @service_alias %>.service
+<% end -%>