fix runner command shell line ends

Reviewed-on: SUNET/soc-ops#2
Reviewed-by: Johan Björklund <bjorklund@sunet.se>

cosmos.conf

@@ -1,2 +1,2 @@
 tag="soc-ops"
-repo=https://platform.sunet.se/SUNET/soc-ops.git
+repo=https://platform.sunet.se/sunet-cert/soc-ops.git

global/overlay/etc/cosmos/keys/pettai-820E4E151A5370474619E77AD536054C16A6F808.pub

@@ -0,0 +1,108 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: 820E 4E15 1A53 7047 4619  E77A D536 054C 16A6 F808
+Comment: Fredrik Pettai <pettai@sunet.se>
+
+mQINBGeei+MBEACpsiLtn2bN4h9e1cTLc2evWacacamXKdm0Eg6VN2C/TSQvTzyf
+xrOtt8gfRoSNUfn4MEFXY2Pe/M+j69oRNmkyiULV4kZj9kbERnY5VVwLJOORECYN
+oE+/SQvMMbW5XrcS2206IYZYs4t5tOkyP20pGZwab43UQ2HzOV5MRlWWG3sa/6a2
+MszPO8fhVWwwqnOuzs6fSefTO/Iv+oE0/aOOSc/uv7fG0Zf+md77AlqkoP9ZyNzd
+1Kngeal5nNyzWlxfPUka3me334mSVbKNa1BbcwfvpFbEQhAnuZT9pydkIRzkBSc+
+Mh3fiselYrA0lQL0JaYQMXvR/Iu7Ah8BqNdzZcBbV2K+SR3V2UdVEv2SAmWDlRNI
+rewwmdXRN4Apm+PhXJSFU4d3qLmxe/lFpq197EZdwXQwX4DcVBDNQu2lkC6gtfZ4
+nUoQeMJlN3DE+IGj+YjYJ/3TDGt7zUZdk2IkNkQOwCYnGBYfzsfrdPRwmLn9697f
+qm9TlqOXbPzPQSwIYftXckdoyv9o+TYTQv0jwmEZn0PaD3sKG0dKQ47os4tmZM1j
+5SxhStUOhw43+NKslQ0lu6W/SND+mBtqBnaCYEf4h75mrXZzMzIBlZg8SkhCY3h+
+hDVebzqDNjS53X86ApviLfMHeIgS9e6IZaNQdTLe0vewH/N9BcV8QT4RkQARAQAB
+iQKPBB8BCgCDBYJnnovjBYkB4TOAAwsJBwkQ1TYFTBam+AhHFAAAAAAAHgAgc2Fs
+dEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JncEMLdmr65PzmhSb/DfX80W3A3kKn
+6TZZx2jkxLGuYt4DFQoIApsDAh4BFiEEgg5OFRpTcEdGGed61TYFTBam+AgAABHM
+D/4qBztdFzC3Ly9e4DJxGl4ri5A6H6uZKvo2jlrW2EeRylCL/V7FVnIWbDySJIFZ
+qKUkfNq7xCjb1SToTKakNbKStxGkJfdUiy5okz2iZ6QVCMJlW3+5U4bWyKhnpx4W
+EVjHTcaMY1bQmrLcOs66YbgZtnxZdX5suFbUZ8RgdyK+ukZ4NJxVb/tJiUNu6v/A
+OddQsY24h93WXC85lFPgTiKkZK0r60DgTqsF/RWdBdeK4AtwkZeZfvPNDybgD7wG
+s4X4XSJeff67rNEOAUgEjb5nGbIy6+Ixsr4YQSHPS6Nw5Ge2/ro0w1qLvCXk78OI
+LeulOH/q1pnN3wHb/bIthArnUeLMNGeED9WAXR35qtGJRoZMc9QMsQ6Wg5zP3RGL
+2lLEVX4XM8ndgnYIWVFbgEGVFZngLIqDHp0wkO6WiwlUmI5Vc8r+AxDw3M02j3Ja
+Ps1BcKXnF0BY++5oB5IIl3r+CSJswEnHE0hD6ZDHduEu6yqZlLIGE7AHmag73JBd
+rfTiBzwIh72KhiRK6pr6IOr39z2zjoTJQw6XlBw58EA610+v+M/sFal08DaNesHZ
+sGTuPYw5ogGcspVit38GvTIlbPOwli8qjoRzMwi3rxRY6vYhB8RIGxQwz/+s3Uco
+QMAwIdlZbB19GO3auoOAJ2ucMQ0bG3kJEvW5HaqtRGFlZbQgRnJlZHJpayBQZXR0
+YWkgPHBldHRhaUBzdW5ldC5zZT6JApIEEwEKAIYFgmeei+MFiQHhM4ADCwkHCRDV
+NgVMFqb4CEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcQ
+GLrBoG3bn+P2EJjXB0auZXX2XZUxgh6761ZzTIQE7gMVCggCmQECmwMCHgEWIQSC
+Dk4VGlNwR0YZ53rVNgVMFqb4CAAAsSwP/iuUw0slPPF2s5ctOcdWdIByRbsEYyj4
+zNeIWWYc8leNzT9e0XxcjhwD+tZUGAmHeERM9RawNId9+2rzLH+kH0tsLbO/2Pfv
+dJ4o/bC1nE3Mor1KBaq8n/Ek0koQv3JgcqCwx1+Vl1QzZP7ehNCaXnkZ9zHWsOnL
+eU8iOnRnJSr4PwcCanYI1Vykqlq7O9wCMcVOSk5wnnQgnOG3Nkn4yzTYDdoTI+Cg
+piNEEtskRRCBUFXb1MGRS9Nwi11ProFn0dqzZgjGNDK4gDEiBw3TrTW2duWoTeqb
+Z6WsAloK9tZddjGJcTsvif1yQeTLY+vpjqed+8XSDEOu53s7dpqBg0SkdRPT0cST
+tbkH3Qi4OLRiyeJhNYbgDkUExo+cInT+VdBg6qgHO8X4i9F+YKpObh5k5H552buV
+xRN686boQX3EVDYm1wOlGVXsa/30dCsFF6VD8jdVVtuEoLO9AbfYhY2y/Fnj/vsM
+uTstR9DzGwkMyhfFcC+QiGWOC5Zj07a8tRa126DfwJgB1YWEElb6266p/eXFl524
+spND4sFLCy5Xs8Q+odrolV7/63KUnMExobSutI3NNz8iOqAaYFq971sU90fYsJeb
+8SQBDXOPzd4aE1j4ypVS7GOTJHnZgGLDtZr6XIGJoX0WE+7TsWU6MXTkNAip37Mm
+cLUv1QmptiRLuQINBGeei+MBEADEd4cSKSbvWkvDO07oVCR0SguclZp+epA8gDOS
+hdPYoa4sX/2xVRv6ueaq/GtMv/G7TexdZnYyAGhyK76r9WzMOLDtCROuAXRxC4Ju
+fvs+7lj1+UHR7x8RvHl5zNmKFaALs5MBd9iNBjbGD1byVWm56OBusZ7lV5WDMWYv
+Wd6uFw6cx0esl//SCspFroFXgvim3zVomSuQFaac6Zff7mxRvpoG1Yzl3VKWhoBa
+DBxiWWXemJy6vco1ULgT7XLnexUS7f2JJgkEnB9pBoDrAdW4ESZM9FBbdo2+dQZv
+U7LgJN8M/Y7CntiLmTUN/nvAEZpwXJS9AgWckFbuS/sNH2Bvz2M3JdgFDGN8AM0G
+M/JSijvLsFD2Wljh6eGN5pwWBcKl1qFujdqLRpIMYVUoT8kfMFTtYCQy6DiC0RP2
+BjVyrY3pPJZjHCVTaInO2xcfmD3iqDmXKbczYdxYDLJ1cIZcIyrpFzpcMbKApPLm
+ff/XXtLyUvAv1ODfFegQV6Z92HgHaB7Ld3j9eLZJFuCOKcL2+tI9LZlEJ5wEjsAv
+8/dopVHo547Ofr8DvDmhI59j7Q/Z+YMY+aQQtV1JfF4V1yoASEIwcpwLrbC/dC5l
+5pSUl0I8FhqjjnR9kNtNznhHdoYcxglkbo9OXCrWUCLwIaZpKJ2KEu+PTV8tdi9N
+sFdZ9QARAQABiQKEBBgBCgB4BYJnnovjBYkB4TOACRDVNgVMFqb4CEcUAAAAAAAe
+ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeA8+gtT2fLUQ5WyLjBb98y
+FOwu8Y8bK2v1OLwqeQJEAwKbDBYhBIIOThUaU3BHRhnnetU2BUwWpvgIAAD6qg//
+RZF13Gyz1rDkrHbCZSYd5hv4XvRyFGk4dzdbk3QkxfSoB38CCSuUAeNObVhEFgF3
+Hswu2kJmTTtmt0E9cxgvWfsqAVzbUx53yu2tKM0M1WZLTWHkjXdLZA48uMKg3nnp
++Qdl/xMLDrmD/lPlnQus8VCytEhP8XPADGr3OX/YLDeqBcrp98USyPkC6xiNxdeZ
+ABsb+Ac2r+tdXI9wIDj6awmdgjjNmaTZ+D9UBm3kApLJk8s3rX1Kp8FY9eEEdniz
+gfQabaaA8GjpyxShAVwMK6rXf/pvtsfGQD8ZGnBP56hms2cY95nU6XnvlGgTrwVF
+F/bvsN3pQ188LKT+P9AVesfa+bTdiaJbemQ1J315ioqE6e0+HdPlk0tI6oJaeppu
+MNmNAdVKFAqqh8OodvZk9REasokjl3dOMcoFgtJ4BVNj0cXEMNHSRedcB0l7YNWS
+fZkk/QRFTgvwhx08aK6+k86EOdxz31TIr4GCZkAYxbitIXr8Tnux4sm433biwi1+
+UOSUA6VhiwD408NU5g3kevyK72xKsvdXD1OUBx7q59CzcsujyD3gq2KDmaXHFOMl
+OI+lS5o4CAmXHE7vrEXRxv2yjzPXSVofrWqqSTKndiWn1wopqc2sakuT98AbOAaJ
+WvDlggfnCN7jnE3HK2k6uEXlwIiN99tP/86JB0MqkQq5Ag0EZ56L4wEQANvp3sPX
+ZDtdDVB7Pis72IBgbLB3vbKMaTUO9VWQu2z7YB2ndCS48eRaXGlI3oOCI/bipODY
+mxgMhY59GhenzbuQM9+SJT3auUWcSIA5QfbvbXwxh8U7Y1DBdY9cBNzGLrFEvxmD
+obe80ns9azYYbK2Xws4OtJzpF8q8rXS3TMLCFYtJ1bk/RnEzyBK4FGCF37iJC/3a
+yrpKoGrBu8UoM3MbXbCL0s8cslufI4G2b2sha6NFY/AGoUsIWAlX8jVxClc1QYnL
+6p6zGeKieKcXiX/U7GltnpdeaDleH/eJ2Psxkx7w+DxCUkhuaVK9lyTdlveYg9mR
+xXrLQPU+iPNyfq8kxUf7LfbU3RLfQqZJCoD7akAEpJxuAnx/xQzR9wBMbRgit0nG
+X7b32m6K5915oR3yYRhMUN1vDCKbOIg4w74IhI6+NDQ0d39zwMl6g/zuZFSHnECH
+gAShHJzbfgSghy8xLvrepn6x5q3C+xpV4TrDjsqkSRjr8+Mwe3Bjfss0CVUAHP79
+6YskvU5Uf9KKfRTxzilVRB1dx/6usI6vfGnCckovFW1GPCGckn2XzL/73QZtx9yk
+tyrLsJVrZIZJDsRRPmSHgdkKZOKU8vh4K7kormuSvN6pINzORt6n+S1Pa2KPWqZJ
+bqX3ArkibNCmhZLg/hND8/ip1mbia0KiPKHdABEBAAGJBQIEGAEKAvYFgmeei+MF
+iQHhM4AJENU2BUwWpvgIRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt
+cGdwLm9yZ0zilRLFb6vv6Zt+GsLiQtSi8xXhGo0RFA9heYYDA0bKApsgwbygBBkB
+CgBvBYJnnovjCRAXzHaKBJTcHUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1
+b2lhLXBncC5vcmcMFQG+bWxoyBfpLptEiyspMrn0leLhbTw11UQ8WH+gLxYhBL+I
+NUUer14Tp4Z1XxfMdooElNwdAAC+txAA1Aq0pl2YSypxos93eyZ1qLB4HnQOgXHy
+9YvAn5WBswyf5Wva58CVmGyd3PaZId0QrK/u0B9plGSBfZ5OoC4oKbVWWW1kxEV+
+PcZ3+Xv7klIDouUo7ivacFyNPfIeMzwuiodQDEtGlEsgJ/jnymgJJNoGRQVjqP4R
+4nT0NO5qzKmmabGcrzSUR0iZUig/qJ54Ek+fhVehabQlXy1paWiPKV9eoM2RxSYK
+SczUvb/wADck+E5a68G/5ZZuRafGoywe7xRVpUjf8Ai+D9LRQM0H5eVK3kaGGC8i
+tyae8BX0JGtyqY/yQW7SnOhYu6hz7BL+DNYfZRFBdi0293mL4F89NYDhn7Wlj7Ug
+aFMq9IijPv78i+Zxdz6nsRWf0PrOwWPmKgZ5OzNii/+rY2LYL6cnI69zdWsMI/6B
+vjJZIejHtiJQS63vGVH881pVdzre506ZWeprzcBJyAf8RAOQ19VKgcE78MdztpTv
+mSxrbpGIDKnbwk4lvBilKsHqoHo/zgf39JlWddRsXtOu/Ac29ZVuFUw2IQ3BP61+
+H87IcEPndoe4m+bSYUa9yw7fqXSp2IK+pJyAXdhYecIc8Y3Hl8cCv3rg8+RQbadq
+OoZjzEAQGr2qmLqW2wPrwtcxSWqdH1jOQBJAqAtkM2I4zdyf53AyZIwW4lXBMQf6
+YVQrd8C2HeQWIQSCDk4VGlNwR0YZ53rVNgVMFqb4CAAAI7AP/AiNHafRXUf9JbNd
+9FmZGgWNk4XcW2wQITLSIryxJZQQYA4RaRyEATkXRbkEMJXyMGmU602JMF9TB3gz
+Sp51C3lZd/O2q8m/vNDGvO70KKErYYhzaonfQOjLmVwX/8TFCgO1C94qVcVnAtXU
+SnG07DrxZh5hZKqiwBgOyTpC0wJJL4ghYtvlBWDoOe4s8jplmO6ZZDUZTqaSLsE3
+WTT7elCqiFUpGrD8zFwXLLq79tE4QStCBjGYW23xdanFXk51uEJBGQMWLG+7IsDO
+XvLxvPZZUfooIki22LseCm9tRy45a59d/6Cs68LlnH+QhMNgLU6yamx9pUSth+lc
+idrufqLtr/UeBY2HQCcg8W0BwCtPtoE9Di7zPLjJGSah4hS//JV8sf9Dqc4ipWON
+3vt7nUMq0vwhdaulXRc5i5O7ddMHQ1GJOzwjh+NeDLF5KmojsjFxz6EYXorMsXdw
+lZHJyTyUE6NRvcSyaBd7NrgDOPb2qktvdsHvYT56rcL7sCvLReZSpTs3/p5IsTa8
+FJDxBjDASoo9VcAfCLm9fuetEIA5wuiZyHtkx7UjL30sxQ9+tFPET6nbRSX4hGk4
+7630+KnqE4XGJr0pX3XOdSuHtaKIXqnc0l3G+ZWA2c+yCet43dC0TaMsPHc+V1Wu
+QqFL9FagOBDJIZd3gNShqrZhetcO
+=75u9
+-----END PGP PUBLIC KEY BLOCK-----

global/overlay/etc/hiera/data/common.yaml

@@ -28,10 +28,25 @@ sunet_ssh_keys:
       biiuR/FQ5d4Me515niAtXD2XbpNLMyIT1qMKsCkcCdVrzBgGZe+D+PVdgIgCPPk8p+fXCX50\
       xw=="
 
+  'pettai+820E4E151A5370474619E77AD536054C16A6F808':
+    name   : 'pettai+820E4E151A5370474619E77AD536054C16A6F808'
+    key    : "AAAAB3NzaC1yc2EAAAADAQABAAACAQDb6d7D12Q7XQ1Qez4rO9iAYGywd72yjGk1\
+      DvVVkLts+2Adp3QkuPHkWlxpSN6DgiP24qTg2JsYDIWOfRoXp827kDPfkiU92rlFnEiAOUH2\
+      7218MYfFO2NQwXWPXATcxi6xRL8Zg6G3vNJ7PWs2GGytl8LODrSc6RfKvK10t0zCwhWLSdW5\
+      P0ZxM8gSuBRghd+4iQv92sq6SqBqwbvFKDNzG12wi9LPHLJbnyOBtm9rIWujRWPwBqFLCFgJ\
+      V/I1cQpXNUGJy+qesxnioninF4l/1OxpbZ6XXmg5Xh/3idj7MZMe8Pg8QlJIbmlSvZck3Zb3\
+      mIPZkcV6y0D1Pojzcn6vJMVH+y321N0S30KmSQqA+2pABKScbgJ8f8UM0fcATG0YIrdJxl+2\
+      99puiufdeaEd8mEYTFDdbwwimziIOMO+CISOvjQ0NHd/c8DJeoP87mRUh5xAh4AEoRyc234E\
+      oIcvMS763qZ+seatwvsaVeE6w47KpEkY6/PjMHtwY37LNAlVABz+/emLJL1OVH/Sin0U8c4p\
+      VUQdXcf+rrCOr3xpwnJKLxVtRjwhnJJ9l8y/+90GbcfcpLcqy7CVa2SGSQ7EUT5kh4HZCmTi\
+      lPL4eCu5KK5rkrzeqSDczkbep/ktT2tij1qmSW6l9wK5ImzQpoWS4P4TQ/P4qdZm4mtCojyh\
+      3Q=="
+
 soc_ssh_keys:
   'root':
     - 'bjorklund+29642588'
     - 'valerio-52462AE5'
+    - 'pettai+820E4E151A5370474619E77AD536054C16A6F808'
 
 mgmt_addresses:
     - 130.242.125.68    # hoppjerka.sunet.se

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -37,23 +37,16 @@
     entityID: 'https://test-sso-proxy.cert.sunet.se/idp'
 #  soc::vuln_dashboard:
 
+'^internal-sto3-dev-ci-1.cert.sunet.se$':
+  sunet::dockerhost2:
+  soc::runner:
+
 test-sso-proxy1.cert.sunet.se:
   sunet::dockerhost2:
   sunet::certbot::acmed:
   soc::satosa:
     certprovider: 'certbot'
 
-intelmq-dev.cert.sunet.se:
-  soc::intelmq:
-    use_snakeoil: true
-    use_shib: true
-  soc::sso:
-    ssotype: 'apache'
-    groups:
-      - 'sunet-cert'
-    satosa: true
-    entityID: 'https://test-sso-proxy.cert.sunet.se/idp'
-
 monitor-dev.cert.sunet.se:
   sunet::dockerhost2:
   soc::naemon_monitor:

global/overlay/etc/puppet/modules/soc/manifests/runner.pp

@@ -0,0 +1,44 @@
+# Configure a forgejo runner
+# taken from cdn-ops
+class soc::runner(
+)
+{
+  $runner_token = lookup({ 'name' => 'runner_token.vuln_management_repo', 'default_value' => undef })
+  $runner_labels = join([
+	  "python:docker://nikolaik/python3.12-nodejs23",
+	  "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04",
+  ], ',')
+
+  if $runner_token {
+
+    file { '/opt/forgejo-runner':
+      ensure  => directory,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0750',
+    }
+
+    # The owner/group matches 'user' in compose file for runner
+    file { '/opt/forgejo-runner/data':
+      ensure  => directory,
+      owner   => '1001',
+      group   => '1001',
+      mode    => '0750',
+    }
+
+    file { '/opt/forgejo-runner/docker_certs':
+      ensure  => directory,
+      owner   => 'root',
+      group   => '1001',
+      mode    => '0750',
+    }
+
+    sunet::docker_compose { 'soc-action-runner':
+      content          => template('soc/runner/docker-compose.yml.erb'),
+      service_name     => 'soc-runner',
+      compose_dir      => '/opt/compose/runner',
+      compose_filename => 'docker-compose.yml',
+      description      => 'SUNET SOC forgejo runner',
+    }
+  }
+}

global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb

@@ -0,0 +1,61 @@
+version: '3.8'
+
+# Taken from cdn-ops
+# Based on combination of https://forgejo.org/docs/latest/admin/actions/ and
+# https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose/compose-forgejo-and-runner.yml
+
+services:
+  docker-in-docker:
+    image: docker:dind
+    hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost
+    privileged: 'true'
+    environment:
+      DOCKER_TLS_CERTDIR: /certs
+      DOCKER_HOST: docker-in-docker
+    volumes:
+      - /opt/forgejo-runner/docker_certs:/certs
+
+  runner-register:
+    image: 'code.forgejo.org/forgejo/runner:3.5.0'
+    depends_on:
+      docker-in-docker:
+        condition: service_started
+    # User without root privileges, but with access to `./data`.
+    user: 1001:1001
+    volumes:
+      - /opt/forgejo-runner/data:/data
+    command: >-
+      bash -ec '
+      while : ; do
+        if [ -f .runner ]; then echo "runner already registered, exiting"; exit; fi ;
+        forgejo-runner register --no-interactive --name <%= @networking['fqdn'] %> --instance https://platform.sunet.se --token <%= @runner_token %> --labels <%= @runner_labels %> && break ;
+        sleep 1 ;
+      done ;
+      forgejo-runner generate-config > config.yml ;
+      sed -i -e "s|network: .*|network: host|" config.yml ;
+      sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://docker:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
+      sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
+      '
+
+  runner-daemon:
+    image: code.forgejo.org/forgejo/runner:3.5.0
+    user: 1001:1001
+    links:
+      - docker-in-docker
+    depends_on:
+      runner-register:
+        condition: service_completed_successfully
+    environment:
+      DOCKER_HOST: tcp://docker:2376
+      DOCKER_CERT_PATH: /certs/client
+      DOCKER_TLS_VERIFY: "1"
+    volumes:
+      - /opt/forgejo-runner/data:/data
+      - /opt/forgejo-runner/docker_certs:/certs
+    command: >-
+      bash -ec '
+      if ! grep "--mount type=bind,source=/certs/client,target=/certs/client,readonly" config.yml > /dev/null; then
+        sed -i "\|options:| a \ \ \ \ --mount type=bind,source=/certs/client,target=/certs/client,readonly" config.yml ;
+      fi ;
+      forgejo-runner --config config.yml daemon ;
+      '

intelmq-dev.cert.sunet.se/README

@@ -1,3 +0,0 @@
-
-The system documentation is in the docs directory of the multiverse repository.
-

intelmq-dev.cert.sunet.se/overlay/etc/shibboleth/sp-cert.pem

@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHTCCAoWgAwIBAgIUYbc4zgZXq4ZVFtMg+THPT2mTV1cwDQYJKoZIhvcNAQEL
-BQAwJDEiMCAGA1UEAxMZaW50ZWxtcS1kZXYuY2VydC5zdW5ldC5zZTAeFw0yNDEx
-MTkxMzU3MTVaFw0zNDExMTcxMzU3MTVaMCQxIjAgBgNVBAMTGWludGVsbXEtZGV2
-LmNlcnQuc3VuZXQuc2UwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT
-UrRbu54TUDzeYDp2IdAnLfy1KOhzMSLtAVDzyz6vVUV9cUlVxpZnqMjVXRLotD8F
-lFO0E8fWVUcN8Zb9KTWPNyLDXk9mHouXBdlrw32TOJuXUNfsPU20RJRtoFT1M4OL
-lLgL0DHJyeC8vi44r9J8eNCfaN9dUe2OW/VEAB6LpS7zIG5cCxjfQu1uUXT4aPk0
-5E11BWCuUW+SQhaQ4IG9GjazD11rDpbJXGAhFBGHYD5z4Z+y+vz12a+HxPEt6RAh
-GSxSWAFcRU/dmgn4DNiHQgyKm9fjqkyENLN9PFTPrfL28P6W1xiTjmzduWJaZYHP
-zLm/0gbhHpRGeMfAGcxhvPsuHtOydDfIILODYbOK2FsriAHlc/BLB7m09Ea2WMmv
-0fY/P5LFtij2Xdg2Ek7gYUXH4KEijNttfIXvV7IGA3Go57iFF5MAHczQh/tggPzI
-Pvjxj/hAha9Z43mb/aMbLmbUE/Vv4u0dHbRu0AT5egFoFE3WUJpQ3kh96srgUBcC
-AwEAAaNHMEUwJAYDVR0RBB0wG4IZaW50ZWxtcS1kZXYuY2VydC5zdW5ldC5zZTAd
-BgNVHQ4EFgQUYJUm2bW++1j/3sTV05Ee4aeKetEwDQYJKoZIhvcNAQELBQADggGB
-ACzzV76G24GAY43mAp22rNT7uYvGMLK4Hiy/0N6eERkJKOZbfa5BC8my6B1xISIN
-Gz+Ruzc6XOhgPaCwFqu6S/ae/3QZCA85Mu1X9yBgTw5kEBMkp6IgOdIE7RvJDe7k
-QQ/f8KCawOHiQds07dsbImXT+TfTlXu5zkppUSuPS6gpWWZCAfIAyZYUGCF7q8EF
-iCYHiXPCkkEEa8W5xzP48XDtkN9EX7sjw96SSZ3mjGFkzBVSQ59C+BOB2gvy6qVP
-mNm3DZo9ECStXGCvPDQ+mCoCZpOfMgl2inO3zdVuuZp95NzxhXC0VF+trTey9gQJ
-n8x2Cj48N4egtdm965dS6ot4a6SQ+n6kR5+WOw0OtyYdOA6rekIR6SDc/YGN0vHe
-8RSXgHPIiq9BXACVGPck95JDBCIqaOVDVtY4TvRpQZKziql+UwtCIjkhf6oM0YoT
-Tn5GG/Cb4NlAWPTKqmLt2dI8mGdSCC1gzafC7+s0xxCYRsBlXT3roYE8TDYRVhAo
-PA==
------END CERTIFICATE-----

internal-sto3-dev-ci-1.cert.sunet.se/README.md

@@ -0,0 +1,2 @@
+Forgejo action runner for platform.sunet.se
+Used by soc projects

internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml

@@ -0,0 +1,3 @@
+---
+runner_token:
+  vuln_management_repo: ENC[PKCS7,MIIDCAYJKoZIhvcNAQcDoIIC+TCCAvUCAQAxggKQMIICjAIBADB0MFwxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLTArBgNVBAMMJGludGVybmFsLXN0bzMtZGV2LWNpLTEuY2VydC5zdW5ldC5zZQIUVVgphqarTmxaqEYcFm8NX4LTKEowDQYJKoZIhvcNAQEBBQAEggIAcbAHEbLSo2rwi64C4a1u2Li0/M/aNkKgujvBpCASUZKHb45RDvgU4BGktSilmtixD0tt8UCt9FkiWe/kKiAYV1n6YBIzETkn8KrhtDpujtJ1s+0mu3fzoAdCVaCFcg6h+rCEO+C5cPJfKWFeaL3kt9tz7A8YciCqq3PyVXA34Z3uoIDv2FMG8GbBOjijXJtVHiEopd0a7EZVCIAuVIP8XRJiEErPc/4cX7qMwjHS1skouL/Irx5WZ79nyFKQXDTnzcNjBSBw5FZ1RQRPIGa39/ozyQO5TPjlGFDEoGsudk4y2wgXTxqNgIdSQR7sIq64IHsA6wyNzib7VhsPrGS5onqhRsDs1qBLJgT2PSdJtrwYFWrCTl9oOlmFkrVrPdcWuOyDurhVoq7UFiuP1HvstK7HY0aMkw0QOwDIc9KQ/Q+kWPG2whVPkkoRDAAmA9hI3fTq2JeUMNIVZW3wYUUWc+u5NlghQzio4SYtaYrJ0AIBJiy+Kq7QqzLtTd7Uq/w4OkAqYVBRIhdQLu8KcVNOzYFQRLm4lzWHH8tMxWjXwSFB+nPoARdwk0Ykv+420VljzRAEWt9UzowM+eXYTXoQif4FvWOCCzvdf3hRsQPpMd5lfAMzimW6j+cZD+Ew6vgcOuEo5Bn+tszlHBaSo3lSR98XOIJn6QXSP1Ue0/GuxBIwXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQUFl1txCRbujqq03hb3FepIAwVLn2CkoqtAaME0KXLfKjO17/wWTr11tPFcenCXo969tHSPwt7zzZrleKO2wmahsx]

test-sso-proxy1.cert.sunet.se/overlay/etc/hiera/data/local.yaml

@@ -100,7 +100,6 @@ saml2_frontend:
       metadata:
         local:
           - metadata/vul-dashboard-test.xml
-          - metadata/intelmq-dev.xml
           - metadata/intelmq-test.xml
           - metadata/intelmq.xml
           - metadata/monitor-dev.xml
@@ -109,6 +108,7 @@ saml2_frontend:
           - metadata/zammad-test.xml
           - metadata/zammad-app.xml
           - metadata/dashboard.xml
+          - metadata/keyserver.xml
       entityid: https://test-sso-proxy.cert.sunet.se/idp
       service:
         idp:

test-sso-proxy1.cert.sunet.se/overlay/etc/satosa/metadata/keyserver.xml

@@ -2,7 +2,7 @@
 This is example metadata only. Do *NOT* supply it as is without review,
 and do *NOT* provide it in real time to your partners.
  -->
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b861d1e1135cb80370b99b5cebb59cd7f33c27b4" entityID="https://intelmq-dev.cert.sunet.se">
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_7ac332ec794a51953c9e869a742d6b8a56b400bc" entityID="https://keyserver.cert.sunet.se/shibboleth">
 
   <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
     <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
@@ -25,36 +25,35 @@ and do *NOT* provide it in real time to your partners.
 
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/satosa"/>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/satosa"/>
     </md:Extensions>
     <md:KeyDescriptor>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:KeyName>intelmq-dev.cert.sunet.se</ds:KeyName>
+        <ds:KeyName>keyserver.cert.sunet.se</ds:KeyName>
         <ds:X509Data>
-          <ds:X509SubjectName>CN=intelmq-dev.cert.sunet.se</ds:X509SubjectName>
-          <ds:X509Certificate>MIIEHTCCAoWgAwIBAgIUYbc4zgZXq4ZVFtMg+THPT2mTV1cwDQYJKoZIhvcNAQEL
-BQAwJDEiMCAGA1UEAxMZaW50ZWxtcS1kZXYuY2VydC5zdW5ldC5zZTAeFw0yNDEx
-MTkxMzU3MTVaFw0zNDExMTcxMzU3MTVaMCQxIjAgBgNVBAMTGWludGVsbXEtZGV2
-LmNlcnQuc3VuZXQuc2UwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT
-UrRbu54TUDzeYDp2IdAnLfy1KOhzMSLtAVDzyz6vVUV9cUlVxpZnqMjVXRLotD8F
-lFO0E8fWVUcN8Zb9KTWPNyLDXk9mHouXBdlrw32TOJuXUNfsPU20RJRtoFT1M4OL
-lLgL0DHJyeC8vi44r9J8eNCfaN9dUe2OW/VEAB6LpS7zIG5cCxjfQu1uUXT4aPk0
-5E11BWCuUW+SQhaQ4IG9GjazD11rDpbJXGAhFBGHYD5z4Z+y+vz12a+HxPEt6RAh
-GSxSWAFcRU/dmgn4DNiHQgyKm9fjqkyENLN9PFTPrfL28P6W1xiTjmzduWJaZYHP
-zLm/0gbhHpRGeMfAGcxhvPsuHtOydDfIILODYbOK2FsriAHlc/BLB7m09Ea2WMmv
-0fY/P5LFtij2Xdg2Ek7gYUXH4KEijNttfIXvV7IGA3Go57iFF5MAHczQh/tggPzI
-Pvjxj/hAha9Z43mb/aMbLmbUE/Vv4u0dHbRu0AT5egFoFE3WUJpQ3kh96srgUBcC
-AwEAAaNHMEUwJAYDVR0RBB0wG4IZaW50ZWxtcS1kZXYuY2VydC5zdW5ldC5zZTAd
-BgNVHQ4EFgQUYJUm2bW++1j/3sTV05Ee4aeKetEwDQYJKoZIhvcNAQELBQADggGB
-ACzzV76G24GAY43mAp22rNT7uYvGMLK4Hiy/0N6eERkJKOZbfa5BC8my6B1xISIN
-Gz+Ruzc6XOhgPaCwFqu6S/ae/3QZCA85Mu1X9yBgTw5kEBMkp6IgOdIE7RvJDe7k
-QQ/f8KCawOHiQds07dsbImXT+TfTlXu5zkppUSuPS6gpWWZCAfIAyZYUGCF7q8EF
-iCYHiXPCkkEEa8W5xzP48XDtkN9EX7sjw96SSZ3mjGFkzBVSQ59C+BOB2gvy6qVP
-mNm3DZo9ECStXGCvPDQ+mCoCZpOfMgl2inO3zdVuuZp95NzxhXC0VF+trTey9gQJ
-n8x2Cj48N4egtdm965dS6ot4a6SQ+n6kR5+WOw0OtyYdOA6rekIR6SDc/YGN0vHe
-8RSXgHPIiq9BXACVGPck95JDBCIqaOVDVtY4TvRpQZKziql+UwtCIjkhf6oM0YoT
-Tn5GG/Cb4NlAWPTKqmLt2dI8mGdSCC1gzafC7+s0xxCYRsBlXT3roYE8TDYRVhAo
-PA==
+          <ds:X509SubjectName>CN=keyserver.cert.sunet.se</ds:X509SubjectName>
+          <ds:X509Certificate>MIIEFzCCAn+gAwIBAgIUNbx9LI00dWhPes0ZdQsW2Jr3FIIwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAxMXa2V5c2VydmVyLmNlcnQuc3VuZXQuc2UwHhcNMjUwMjEx
+MTMzMTE5WhcNMzUwMjA5MTMzMTE5WjAiMSAwHgYDVQQDExdrZXlzZXJ2ZXIuY2Vy
+dC5zdW5ldC5zZTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALux8ExF
+2dlhibEt1QRaPY9eE3R/GqUTh7R7AgntN6erkVl2iFGseEQSo9wxpEa8S2n4TWIN
+5zjJiMYSZQNln64/CoTyxKNjmB40Gia+Lsh0N+l/pkOv8kBcH1PIJP1k8oQOo3r6
+nYTNYZP2hV+yVL7BbMqG8pdWgTl63dMqKYegGaSu5hyC0VwDF63HeGTx++vO9rtL
+ek/Q616mipvzYmi5IHYol8RGEpGSZ/SJFeKvZlkkW6BrNTGwleGbPLKxbEB/CMTY
+2r0PBcr3/8fLnd1pSgCnfiuF1bweDdX4MjX385uc/FHR+s8BammtM0BP8Z8JAaFy
+ZN2gkAZ0usBBlS6SukUvtahFsMrkg6PTnJpgejS+qfn851v1v++ON3fHOqF8cIe9
+NjHi/8d0XAnsk6szfpQbdrhwiUXNml81yWeCbo/3yiToCYLFd0kwmFM7mzWEWM0n
+2QTjivW5iI43aUnIxvEb42E/UNws7YlM5zyaJoRBRP0EU50Cv8OIHtw+lQIDAQAB
+o0UwQzAiBgNVHREEGzAZghdrZXlzZXJ2ZXIuY2VydC5zdW5ldC5zZTAdBgNVHQ4E
+FgQUZ76LSO7ZeZI+JygC8tOTTso0k8gwDQYJKoZIhvcNAQELBQADggGBACUd3fnY
+nPYAwipiQzI4o/k+termLv/CQnrr6PUYz78T60PY8opLLRnwVuIRNe/F6w6JULfF
+HZ8NE1qcSvSjKtlyFyV5ZuCfC3aOzjhvMc5QK5yTq/wxTnYUUHkSoZWV3JgSK8tt
+5kjf8DvUmP7Wmzz5YpI7cL6IF/ovwa+cR0/SZH/PK32bzc1AdotFNfpfT/QI2siA
+1BW9xW2s73vkwRxa8q8AZfo9g1giiKgmRhjoIUAC30pAGqwGSah5pU7NRJ2qx7jK
+s0C/mJgjVN73MfSLoWNzqYvvJQtMTviIwXh/4O4RG7gigaKlm+JEmqwhPkl6tuSa
+atuTxabaD/qn6MghbYyeXnumPlgaFdou8CX0l0flRpSFnKt5bQgb4+7RzJbXm5L1
+GJPgxItu0X09xPYrjr28E/sh7EPnjRVW8FIwi5q9Mrca1H+d4Qfj1CzmGJCoWv0M
+9wW9f9ZuNqxSD7GOWkW2vlcswG4Wofn9e3ZcQDwIkE/uoU3HWQ3ldBo5Rw==
 </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
@@ -68,12 +67,12 @@ PA==
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/Artifact/SOAP" index="1"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SLO/SOAP"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SLO/Redirect"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SLO/POST"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SLO/Artifact"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SAML2/POST" index="1"/>
   </md:SPSSODescriptor>
 
 </md:EntityDescriptor>