internal-sto3-dev-ci-1.cert.sunet.se added

addhost

@@ -3,22 +3,27 @@
 cmd_hostname=""
 cmd_do_bootstrap="no"
 cmd_fqdn=""
+cmd_prepare=""
 
 function usage() {
-   echo "Usage: $0 [-h] [-b] [-n fqdn] [--] [<host>]"
+   echo "Usage: $0 [-h] [-b] [-n <fqdn>] [-p <proxy host>] [-r debian|ubuntu] [--] [<host>]"
    echo "  -h  show help"
    echo "  -b  bootstrap <host> (using ssh)"
    echo "  -n  specify FQDN (if not the same as <host>)"
+   echo "  -p  specify proxyjump host (used for bootstrap)"
+   echo "  -r  run prepare-iaas script (implies -b), supports debian and ubuntu"
    echo ""
    echo "  <host> can be an IP number, or something that resolves to one"
 }
 
-while getopts "bhnp:" this; do
+
+while getopts "bhn:p:r:" this; do
    case "${this}" in
       h) usage; exit 0;;
       b) cmd_do_bootstrap="yes" ;;
-      n) cmd_fqdn="${OPTARG}" ; shift ;;
-      p) cmd_proxy="${OPTARG}" ; shift ;;
+      n) cmd_fqdn="${OPTARG}" ;;
+      p) cmd_proxy="${OPTARG}" ;;
+	  r) cmd_prepare="${OPTARG}" ; cmd_do_bootstrap="yes" ;;
       *) echo "Unknown option ${this}"; echo ""; usage; exit 1;;
    esac
 done
@@ -32,15 +37,24 @@ if [[ ! $cmd_fqdn ]]; then
    cmd_fqdn="$cmd_hostname"
 fi
 
+
 if test -z "$cmd_hostname"; then
     usage
     exit 1
 fi
 
+
 if [[ -n $cmd_proxy ]]; then
   proxyjump="-o ProxyJump=${cmd_proxy}"
 fi
 
+case "$cmd_prepare" in
+	""| "debian" | "ubuntu" ) ;; # valid value
+	*) echo "$0: don't know how to prepare '$cmd_prepare', only 'debian' and 'ubuntu' supported"
+	   usage
+	   exit 1;;
+esac
+
 test -f cosmos.conf && . ./cosmos.conf
 
 _remote=${remote:='ro'}
@@ -60,7 +74,17 @@ if [ ! -d "$cmd_fqdn" ]; then
    ./bump-tag
 fi
 
+
 if [ "$cmd_do_bootstrap" = "yes" ]; then
+	echo "Bootstrapping $cmd_hostname"
+	if [ -n "$cmd_prepare" ]; then
+		if ! ./prepare-iaas-$cmd_prepare $cmd_hostname $cmd_proxy ; then
+			echo "Failed to prepare $cmd_prepare host, check that the setup is correct"
+			echo "Aborting"
+			exit 1
+		fi
+	fi
+
    cosmos_deb=$(find apt/ -maxdepth 1 -name 'cosmos_*.deb' | sort -V | tail -1)
    scp $proxyjump "$cosmos_deb" apt/bootstrap-cosmos.sh root@"$cmd_hostname":
    ssh root@"$cmd_hostname" $proxyjump ./bootstrap-cosmos.sh "$cmd_fqdn" "$rrepo" "$rtag"

cosmos.conf

@@ -1,2 +1,2 @@
 tag="soc-ops"
-repo=https://platform.sunet.se/sunet-cert/soc-ops.git
+repo=https://platform.sunet.se/SUNET/soc-ops.git

global/overlay/etc/cosmos/keys/pettai-820E4E151A5370474619E77AD536054C16A6F808.pub

@@ -1,108 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Comment: 820E 4E15 1A53 7047 4619  E77A D536 054C 16A6 F808
-Comment: Fredrik Pettai <pettai@sunet.se>
-
-mQINBGeei+MBEACpsiLtn2bN4h9e1cTLc2evWacacamXKdm0Eg6VN2C/TSQvTzyf
-xrOtt8gfRoSNUfn4MEFXY2Pe/M+j69oRNmkyiULV4kZj9kbERnY5VVwLJOORECYN
-oE+/SQvMMbW5XrcS2206IYZYs4t5tOkyP20pGZwab43UQ2HzOV5MRlWWG3sa/6a2
-MszPO8fhVWwwqnOuzs6fSefTO/Iv+oE0/aOOSc/uv7fG0Zf+md77AlqkoP9ZyNzd
-1Kngeal5nNyzWlxfPUka3me334mSVbKNa1BbcwfvpFbEQhAnuZT9pydkIRzkBSc+
-Mh3fiselYrA0lQL0JaYQMXvR/Iu7Ah8BqNdzZcBbV2K+SR3V2UdVEv2SAmWDlRNI
-rewwmdXRN4Apm+PhXJSFU4d3qLmxe/lFpq197EZdwXQwX4DcVBDNQu2lkC6gtfZ4
-nUoQeMJlN3DE+IGj+YjYJ/3TDGt7zUZdk2IkNkQOwCYnGBYfzsfrdPRwmLn9697f
-qm9TlqOXbPzPQSwIYftXckdoyv9o+TYTQv0jwmEZn0PaD3sKG0dKQ47os4tmZM1j
-5SxhStUOhw43+NKslQ0lu6W/SND+mBtqBnaCYEf4h75mrXZzMzIBlZg8SkhCY3h+
-hDVebzqDNjS53X86ApviLfMHeIgS9e6IZaNQdTLe0vewH/N9BcV8QT4RkQARAQAB
-iQKPBB8BCgCDBYJnnovjBYkB4TOAAwsJBwkQ1TYFTBam+AhHFAAAAAAAHgAgc2Fs
-dEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JncEMLdmr65PzmhSb/DfX80W3A3kKn
-6TZZx2jkxLGuYt4DFQoIApsDAh4BFiEEgg5OFRpTcEdGGed61TYFTBam+AgAABHM
-D/4qBztdFzC3Ly9e4DJxGl4ri5A6H6uZKvo2jlrW2EeRylCL/V7FVnIWbDySJIFZ
-qKUkfNq7xCjb1SToTKakNbKStxGkJfdUiy5okz2iZ6QVCMJlW3+5U4bWyKhnpx4W
-EVjHTcaMY1bQmrLcOs66YbgZtnxZdX5suFbUZ8RgdyK+ukZ4NJxVb/tJiUNu6v/A
-OddQsY24h93WXC85lFPgTiKkZK0r60DgTqsF/RWdBdeK4AtwkZeZfvPNDybgD7wG
-s4X4XSJeff67rNEOAUgEjb5nGbIy6+Ixsr4YQSHPS6Nw5Ge2/ro0w1qLvCXk78OI
-LeulOH/q1pnN3wHb/bIthArnUeLMNGeED9WAXR35qtGJRoZMc9QMsQ6Wg5zP3RGL
-2lLEVX4XM8ndgnYIWVFbgEGVFZngLIqDHp0wkO6WiwlUmI5Vc8r+AxDw3M02j3Ja
-Ps1BcKXnF0BY++5oB5IIl3r+CSJswEnHE0hD6ZDHduEu6yqZlLIGE7AHmag73JBd
-rfTiBzwIh72KhiRK6pr6IOr39z2zjoTJQw6XlBw58EA610+v+M/sFal08DaNesHZ
-sGTuPYw5ogGcspVit38GvTIlbPOwli8qjoRzMwi3rxRY6vYhB8RIGxQwz/+s3Uco
-QMAwIdlZbB19GO3auoOAJ2ucMQ0bG3kJEvW5HaqtRGFlZbQgRnJlZHJpayBQZXR0
-YWkgPHBldHRhaUBzdW5ldC5zZT6JApIEEwEKAIYFgmeei+MFiQHhM4ADCwkHCRDV
-NgVMFqb4CEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcQ
-GLrBoG3bn+P2EJjXB0auZXX2XZUxgh6761ZzTIQE7gMVCggCmQECmwMCHgEWIQSC
-Dk4VGlNwR0YZ53rVNgVMFqb4CAAAsSwP/iuUw0slPPF2s5ctOcdWdIByRbsEYyj4
-zNeIWWYc8leNzT9e0XxcjhwD+tZUGAmHeERM9RawNId9+2rzLH+kH0tsLbO/2Pfv
-dJ4o/bC1nE3Mor1KBaq8n/Ek0koQv3JgcqCwx1+Vl1QzZP7ehNCaXnkZ9zHWsOnL
-eU8iOnRnJSr4PwcCanYI1Vykqlq7O9wCMcVOSk5wnnQgnOG3Nkn4yzTYDdoTI+Cg
-piNEEtskRRCBUFXb1MGRS9Nwi11ProFn0dqzZgjGNDK4gDEiBw3TrTW2duWoTeqb
-Z6WsAloK9tZddjGJcTsvif1yQeTLY+vpjqed+8XSDEOu53s7dpqBg0SkdRPT0cST
-tbkH3Qi4OLRiyeJhNYbgDkUExo+cInT+VdBg6qgHO8X4i9F+YKpObh5k5H552buV
-xRN686boQX3EVDYm1wOlGVXsa/30dCsFF6VD8jdVVtuEoLO9AbfYhY2y/Fnj/vsM
-uTstR9DzGwkMyhfFcC+QiGWOC5Zj07a8tRa126DfwJgB1YWEElb6266p/eXFl524
-spND4sFLCy5Xs8Q+odrolV7/63KUnMExobSutI3NNz8iOqAaYFq971sU90fYsJeb
-8SQBDXOPzd4aE1j4ypVS7GOTJHnZgGLDtZr6XIGJoX0WE+7TsWU6MXTkNAip37Mm
-cLUv1QmptiRLuQINBGeei+MBEADEd4cSKSbvWkvDO07oVCR0SguclZp+epA8gDOS
-hdPYoa4sX/2xVRv6ueaq/GtMv/G7TexdZnYyAGhyK76r9WzMOLDtCROuAXRxC4Ju
-fvs+7lj1+UHR7x8RvHl5zNmKFaALs5MBd9iNBjbGD1byVWm56OBusZ7lV5WDMWYv
-Wd6uFw6cx0esl//SCspFroFXgvim3zVomSuQFaac6Zff7mxRvpoG1Yzl3VKWhoBa
-DBxiWWXemJy6vco1ULgT7XLnexUS7f2JJgkEnB9pBoDrAdW4ESZM9FBbdo2+dQZv
-U7LgJN8M/Y7CntiLmTUN/nvAEZpwXJS9AgWckFbuS/sNH2Bvz2M3JdgFDGN8AM0G
-M/JSijvLsFD2Wljh6eGN5pwWBcKl1qFujdqLRpIMYVUoT8kfMFTtYCQy6DiC0RP2
-BjVyrY3pPJZjHCVTaInO2xcfmD3iqDmXKbczYdxYDLJ1cIZcIyrpFzpcMbKApPLm
-ff/XXtLyUvAv1ODfFegQV6Z92HgHaB7Ld3j9eLZJFuCOKcL2+tI9LZlEJ5wEjsAv
-8/dopVHo547Ofr8DvDmhI59j7Q/Z+YMY+aQQtV1JfF4V1yoASEIwcpwLrbC/dC5l
-5pSUl0I8FhqjjnR9kNtNznhHdoYcxglkbo9OXCrWUCLwIaZpKJ2KEu+PTV8tdi9N
-sFdZ9QARAQABiQKEBBgBCgB4BYJnnovjBYkB4TOACRDVNgVMFqb4CEcUAAAAAAAe
-ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeA8+gtT2fLUQ5WyLjBb98y
-FOwu8Y8bK2v1OLwqeQJEAwKbDBYhBIIOThUaU3BHRhnnetU2BUwWpvgIAAD6qg//
-RZF13Gyz1rDkrHbCZSYd5hv4XvRyFGk4dzdbk3QkxfSoB38CCSuUAeNObVhEFgF3
-Hswu2kJmTTtmt0E9cxgvWfsqAVzbUx53yu2tKM0M1WZLTWHkjXdLZA48uMKg3nnp
-+Qdl/xMLDrmD/lPlnQus8VCytEhP8XPADGr3OX/YLDeqBcrp98USyPkC6xiNxdeZ
-ABsb+Ac2r+tdXI9wIDj6awmdgjjNmaTZ+D9UBm3kApLJk8s3rX1Kp8FY9eEEdniz
-gfQabaaA8GjpyxShAVwMK6rXf/pvtsfGQD8ZGnBP56hms2cY95nU6XnvlGgTrwVF
-F/bvsN3pQ188LKT+P9AVesfa+bTdiaJbemQ1J315ioqE6e0+HdPlk0tI6oJaeppu
-MNmNAdVKFAqqh8OodvZk9REasokjl3dOMcoFgtJ4BVNj0cXEMNHSRedcB0l7YNWS
-fZkk/QRFTgvwhx08aK6+k86EOdxz31TIr4GCZkAYxbitIXr8Tnux4sm433biwi1+
-UOSUA6VhiwD408NU5g3kevyK72xKsvdXD1OUBx7q59CzcsujyD3gq2KDmaXHFOMl
-OI+lS5o4CAmXHE7vrEXRxv2yjzPXSVofrWqqSTKndiWn1wopqc2sakuT98AbOAaJ
-WvDlggfnCN7jnE3HK2k6uEXlwIiN99tP/86JB0MqkQq5Ag0EZ56L4wEQANvp3sPX
-ZDtdDVB7Pis72IBgbLB3vbKMaTUO9VWQu2z7YB2ndCS48eRaXGlI3oOCI/bipODY
-mxgMhY59GhenzbuQM9+SJT3auUWcSIA5QfbvbXwxh8U7Y1DBdY9cBNzGLrFEvxmD
-obe80ns9azYYbK2Xws4OtJzpF8q8rXS3TMLCFYtJ1bk/RnEzyBK4FGCF37iJC/3a
-yrpKoGrBu8UoM3MbXbCL0s8cslufI4G2b2sha6NFY/AGoUsIWAlX8jVxClc1QYnL
-6p6zGeKieKcXiX/U7GltnpdeaDleH/eJ2Psxkx7w+DxCUkhuaVK9lyTdlveYg9mR
-xXrLQPU+iPNyfq8kxUf7LfbU3RLfQqZJCoD7akAEpJxuAnx/xQzR9wBMbRgit0nG
-X7b32m6K5915oR3yYRhMUN1vDCKbOIg4w74IhI6+NDQ0d39zwMl6g/zuZFSHnECH
-gAShHJzbfgSghy8xLvrepn6x5q3C+xpV4TrDjsqkSRjr8+Mwe3Bjfss0CVUAHP79
-6YskvU5Uf9KKfRTxzilVRB1dx/6usI6vfGnCckovFW1GPCGckn2XzL/73QZtx9yk
-tyrLsJVrZIZJDsRRPmSHgdkKZOKU8vh4K7kormuSvN6pINzORt6n+S1Pa2KPWqZJ
-bqX3ArkibNCmhZLg/hND8/ip1mbia0KiPKHdABEBAAGJBQIEGAEKAvYFgmeei+MF
-iQHhM4AJENU2BUwWpvgIRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt
-cGdwLm9yZ0zilRLFb6vv6Zt+GsLiQtSi8xXhGo0RFA9heYYDA0bKApsgwbygBBkB
-CgBvBYJnnovjCRAXzHaKBJTcHUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1
-b2lhLXBncC5vcmcMFQG+bWxoyBfpLptEiyspMrn0leLhbTw11UQ8WH+gLxYhBL+I
-NUUer14Tp4Z1XxfMdooElNwdAAC+txAA1Aq0pl2YSypxos93eyZ1qLB4HnQOgXHy
-9YvAn5WBswyf5Wva58CVmGyd3PaZId0QrK/u0B9plGSBfZ5OoC4oKbVWWW1kxEV+
-PcZ3+Xv7klIDouUo7ivacFyNPfIeMzwuiodQDEtGlEsgJ/jnymgJJNoGRQVjqP4R
-4nT0NO5qzKmmabGcrzSUR0iZUig/qJ54Ek+fhVehabQlXy1paWiPKV9eoM2RxSYK
-SczUvb/wADck+E5a68G/5ZZuRafGoywe7xRVpUjf8Ai+D9LRQM0H5eVK3kaGGC8i
-tyae8BX0JGtyqY/yQW7SnOhYu6hz7BL+DNYfZRFBdi0293mL4F89NYDhn7Wlj7Ug
-aFMq9IijPv78i+Zxdz6nsRWf0PrOwWPmKgZ5OzNii/+rY2LYL6cnI69zdWsMI/6B
-vjJZIejHtiJQS63vGVH881pVdzre506ZWeprzcBJyAf8RAOQ19VKgcE78MdztpTv
-mSxrbpGIDKnbwk4lvBilKsHqoHo/zgf39JlWddRsXtOu/Ac29ZVuFUw2IQ3BP61+
-H87IcEPndoe4m+bSYUa9yw7fqXSp2IK+pJyAXdhYecIc8Y3Hl8cCv3rg8+RQbadq
-OoZjzEAQGr2qmLqW2wPrwtcxSWqdH1jOQBJAqAtkM2I4zdyf53AyZIwW4lXBMQf6
-YVQrd8C2HeQWIQSCDk4VGlNwR0YZ53rVNgVMFqb4CAAAI7AP/AiNHafRXUf9JbNd
-9FmZGgWNk4XcW2wQITLSIryxJZQQYA4RaRyEATkXRbkEMJXyMGmU602JMF9TB3gz
-Sp51C3lZd/O2q8m/vNDGvO70KKErYYhzaonfQOjLmVwX/8TFCgO1C94qVcVnAtXU
-SnG07DrxZh5hZKqiwBgOyTpC0wJJL4ghYtvlBWDoOe4s8jplmO6ZZDUZTqaSLsE3
-WTT7elCqiFUpGrD8zFwXLLq79tE4QStCBjGYW23xdanFXk51uEJBGQMWLG+7IsDO
-XvLxvPZZUfooIki22LseCm9tRy45a59d/6Cs68LlnH+QhMNgLU6yamx9pUSth+lc
-idrufqLtr/UeBY2HQCcg8W0BwCtPtoE9Di7zPLjJGSah4hS//JV8sf9Dqc4ipWON
-3vt7nUMq0vwhdaulXRc5i5O7ddMHQ1GJOzwjh+NeDLF5KmojsjFxz6EYXorMsXdw
-lZHJyTyUE6NRvcSyaBd7NrgDOPb2qktvdsHvYT56rcL7sCvLReZSpTs3/p5IsTa8
-FJDxBjDASoo9VcAfCLm9fuetEIA5wuiZyHtkx7UjL30sxQ9+tFPET6nbRSX4hGk4
-7630+KnqE4XGJr0pX3XOdSuHtaKIXqnc0l3G+ZWA2c+yCet43dC0TaMsPHc+V1Wu
-QqFL9FagOBDJIZd3gNShqrZhetcO
-=75u9
------END PGP PUBLIC KEY BLOCK-----

global/overlay/etc/hiera/data/common.yaml

@@ -28,25 +28,10 @@ sunet_ssh_keys:
       biiuR/FQ5d4Me515niAtXD2XbpNLMyIT1qMKsCkcCdVrzBgGZe+D+PVdgIgCPPk8p+fXCX50\
       xw=="
 
-  'pettai+820E4E151A5370474619E77AD536054C16A6F808':
-    name   : 'pettai+820E4E151A5370474619E77AD536054C16A6F808'
-    key    : "AAAAB3NzaC1yc2EAAAADAQABAAACAQDb6d7D12Q7XQ1Qez4rO9iAYGywd72yjGk1\
-      DvVVkLts+2Adp3QkuPHkWlxpSN6DgiP24qTg2JsYDIWOfRoXp827kDPfkiU92rlFnEiAOUH2\
-      7218MYfFO2NQwXWPXATcxi6xRL8Zg6G3vNJ7PWs2GGytl8LODrSc6RfKvK10t0zCwhWLSdW5\
-      P0ZxM8gSuBRghd+4iQv92sq6SqBqwbvFKDNzG12wi9LPHLJbnyOBtm9rIWujRWPwBqFLCFgJ\
-      V/I1cQpXNUGJy+qesxnioninF4l/1OxpbZ6XXmg5Xh/3idj7MZMe8Pg8QlJIbmlSvZck3Zb3\
-      mIPZkcV6y0D1Pojzcn6vJMVH+y321N0S30KmSQqA+2pABKScbgJ8f8UM0fcATG0YIrdJxl+2\
-      99puiufdeaEd8mEYTFDdbwwimziIOMO+CISOvjQ0NHd/c8DJeoP87mRUh5xAh4AEoRyc234E\
-      oIcvMS763qZ+seatwvsaVeE6w47KpEkY6/PjMHtwY37LNAlVABz+/emLJL1OVH/Sin0U8c4p\
-      VUQdXcf+rrCOr3xpwnJKLxVtRjwhnJJ9l8y/+90GbcfcpLcqy7CVa2SGSQ7EUT5kh4HZCmTi\
-      lPL4eCu5KK5rkrzeqSDczkbep/ktT2tij1qmSW6l9wK5ImzQpoWS4P4TQ/P4qdZm4mtCojyh\
-      3Q=="
-
 soc_ssh_keys:
   'root':
     - 'bjorklund+29642588'
     - 'valerio-52462AE5'
-    - 'pettai+820E4E151A5370474619E77AD536054C16A6F808'
 
 mgmt_addresses:
     - 130.242.125.68    # hoppjerka.sunet.se

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -37,16 +37,23 @@
     entityID: 'https://test-sso-proxy.cert.sunet.se/idp'
 #  soc::vuln_dashboard:
 
-'^internal-sto3-dev-ci-1.cert.sunet.se$':
-  sunet::dockerhost2:
-  soc::runner:
-
 test-sso-proxy1.cert.sunet.se:
   sunet::dockerhost2:
   sunet::certbot::acmed:
   soc::satosa:
     certprovider: 'certbot'
 
+intelmq-dev.cert.sunet.se:
+  soc::intelmq:
+    use_snakeoil: true
+    use_shib: true
+  soc::sso:
+    ssotype: 'apache'
+    groups:
+      - 'sunet-cert'
+    satosa: true
+    entityID: 'https://test-sso-proxy.cert.sunet.se/idp'
+
 monitor-dev.cert.sunet.se:
   sunet::dockerhost2:
   soc::naemon_monitor:

global/overlay/etc/puppet/modules/soc/manifests/runner.pp

@@ -1,44 +0,0 @@
-# Configure a forgejo runner
-# taken from cdn-ops
-class soc::runner(
-)
-{
-  $runner_token = lookup({ 'name' => 'runner_token.vuln_management_repo', 'default_value' => undef })
-  $runner_labels = join([
-	  "python:docker://nikolaik/python3.12-nodejs23",
-	  "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04",
-  ], ',')
-
-  if $runner_token {
-
-    file { '/opt/forgejo-runner':
-      ensure  => directory,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0750',
-    }
-
-    # The owner/group matches 'user' in compose file for runner
-    file { '/opt/forgejo-runner/data':
-      ensure  => directory,
-      owner   => '1001',
-      group   => '1001',
-      mode    => '0750',
-    }
-
-    file { '/opt/forgejo-runner/docker_certs':
-      ensure  => directory,
-      owner   => 'root',
-      group   => '1001',
-      mode    => '0750',
-    }
-
-    sunet::docker_compose { 'soc-action-runner':
-      content          => template('soc/runner/docker-compose.yml.erb'),
-      service_name     => 'soc-runner',
-      compose_dir      => '/opt/compose/runner',
-      compose_filename => 'docker-compose.yml',
-      description      => 'SUNET SOC forgejo runner',
-    }
-  }
-}

global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb

@@ -1,61 +0,0 @@
-version: '3.8'
-
-# Taken from cdn-ops
-# Based on combination of https://forgejo.org/docs/latest/admin/actions/ and
-# https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose/compose-forgejo-and-runner.yml
-
-services:
-  docker-in-docker:
-    image: docker:dind
-    hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost
-    privileged: 'true'
-    environment:
-      DOCKER_TLS_CERTDIR: /certs
-      DOCKER_HOST: docker-in-docker
-    volumes:
-      - /opt/forgejo-runner/docker_certs:/certs
-
-  runner-register:
-    image: 'code.forgejo.org/forgejo/runner:3.5.0'
-    depends_on:
-      docker-in-docker:
-        condition: service_started
-    # User without root privileges, but with access to `./data`.
-    user: 1001:1001
-    volumes:
-      - /opt/forgejo-runner/data:/data
-    command: >-
-      bash -ec '
-      while : ; do
-        if [ -f .runner ]; then echo "runner already registered, exiting"; exit; fi ;
-        forgejo-runner register --no-interactive --name <%= @networking['fqdn'] %> --instance https://platform.sunet.se --token <%= @runner_token %> --labels <%= @runner_labels %> && break ;
-        sleep 1 ;
-      done ;
-      forgejo-runner generate-config > config.yml ;
-      sed -i -e "s|network: .*|network: host|" config.yml ;
-      sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://docker:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
-      sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
-      '
-
-  runner-daemon:
-    image: code.forgejo.org/forgejo/runner:3.5.0
-    user: 1001:1001
-    links:
-      - docker-in-docker
-    depends_on:
-      runner-register:
-        condition: service_completed_successfully
-    environment:
-      DOCKER_HOST: tcp://docker:2376
-      DOCKER_CERT_PATH: /certs/client
-      DOCKER_TLS_VERIFY: "1"
-    volumes:
-      - /opt/forgejo-runner/data:/data
-      - /opt/forgejo-runner/docker_certs:/certs
-    command: >-
-      bash -ec '
-      if ! grep "--mount type=bind,source=/certs/client,target=/certs/client,readonly" config.yml > /dev/null; then
-        sed -i "\|options:| a \ \ \ \ --mount type=bind,source=/certs/client,target=/certs/client,readonly" config.yml ;
-      fi ;
-      forgejo-runner --config config.yml daemon ;
-      '

intelmq-dev.cert.sunet.se/README

@@ -0,0 +1,3 @@
+
+The system documentation is in the docs directory of the multiverse repository.
+

intelmq-dev.cert.sunet.se/overlay/etc/shibboleth/sp-cert.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHTCCAoWgAwIBAgIUYbc4zgZXq4ZVFtMg+THPT2mTV1cwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAxMZaW50ZWxtcS1kZXYuY2VydC5zdW5ldC5zZTAeFw0yNDEx
+MTkxMzU3MTVaFw0zNDExMTcxMzU3MTVaMCQxIjAgBgNVBAMTGWludGVsbXEtZGV2
+LmNlcnQuc3VuZXQuc2UwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT
+UrRbu54TUDzeYDp2IdAnLfy1KOhzMSLtAVDzyz6vVUV9cUlVxpZnqMjVXRLotD8F
+lFO0E8fWVUcN8Zb9KTWPNyLDXk9mHouXBdlrw32TOJuXUNfsPU20RJRtoFT1M4OL
+lLgL0DHJyeC8vi44r9J8eNCfaN9dUe2OW/VEAB6LpS7zIG5cCxjfQu1uUXT4aPk0
+5E11BWCuUW+SQhaQ4IG9GjazD11rDpbJXGAhFBGHYD5z4Z+y+vz12a+HxPEt6RAh
+GSxSWAFcRU/dmgn4DNiHQgyKm9fjqkyENLN9PFTPrfL28P6W1xiTjmzduWJaZYHP
+zLm/0gbhHpRGeMfAGcxhvPsuHtOydDfIILODYbOK2FsriAHlc/BLB7m09Ea2WMmv
+0fY/P5LFtij2Xdg2Ek7gYUXH4KEijNttfIXvV7IGA3Go57iFF5MAHczQh/tggPzI
+Pvjxj/hAha9Z43mb/aMbLmbUE/Vv4u0dHbRu0AT5egFoFE3WUJpQ3kh96srgUBcC
+AwEAAaNHMEUwJAYDVR0RBB0wG4IZaW50ZWxtcS1kZXYuY2VydC5zdW5ldC5zZTAd
+BgNVHQ4EFgQUYJUm2bW++1j/3sTV05Ee4aeKetEwDQYJKoZIhvcNAQELBQADggGB
+ACzzV76G24GAY43mAp22rNT7uYvGMLK4Hiy/0N6eERkJKOZbfa5BC8my6B1xISIN
+Gz+Ruzc6XOhgPaCwFqu6S/ae/3QZCA85Mu1X9yBgTw5kEBMkp6IgOdIE7RvJDe7k
+QQ/f8KCawOHiQds07dsbImXT+TfTlXu5zkppUSuPS6gpWWZCAfIAyZYUGCF7q8EF
+iCYHiXPCkkEEa8W5xzP48XDtkN9EX7sjw96SSZ3mjGFkzBVSQ59C+BOB2gvy6qVP
+mNm3DZo9ECStXGCvPDQ+mCoCZpOfMgl2inO3zdVuuZp95NzxhXC0VF+trTey9gQJ
+n8x2Cj48N4egtdm965dS6ot4a6SQ+n6kR5+WOw0OtyYdOA6rekIR6SDc/YGN0vHe
+8RSXgHPIiq9BXACVGPck95JDBCIqaOVDVtY4TvRpQZKziql+UwtCIjkhf6oM0YoT
+Tn5GG/Cb4NlAWPTKqmLt2dI8mGdSCC1gzafC7+s0xxCYRsBlXT3roYE8TDYRVhAo
+PA==
+-----END CERTIFICATE-----

internal-sto3-dev-ci-1.cert.sunet.se/README

@@ -0,0 +1 @@
+../README

internal-sto3-dev-ci-1.cert.sunet.se/README.md

@@ -1,2 +0,0 @@
-Forgejo action runner for platform.sunet.se
-Used by soc projects

internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml

@@ -1,3 +0,0 @@
----
-runner_token:
-  vuln_management_repo: ENC[PKCS7,MIIDCAYJKoZIhvcNAQcDoIIC+TCCAvUCAQAxggKQMIICjAIBADB0MFwxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLTArBgNVBAMMJGludGVybmFsLXN0bzMtZGV2LWNpLTEuY2VydC5zdW5ldC5zZQIUVVgphqarTmxaqEYcFm8NX4LTKEowDQYJKoZIhvcNAQEBBQAEggIAcbAHEbLSo2rwi64C4a1u2Li0/M/aNkKgujvBpCASUZKHb45RDvgU4BGktSilmtixD0tt8UCt9FkiWe/kKiAYV1n6YBIzETkn8KrhtDpujtJ1s+0mu3fzoAdCVaCFcg6h+rCEO+C5cPJfKWFeaL3kt9tz7A8YciCqq3PyVXA34Z3uoIDv2FMG8GbBOjijXJtVHiEopd0a7EZVCIAuVIP8XRJiEErPc/4cX7qMwjHS1skouL/Irx5WZ79nyFKQXDTnzcNjBSBw5FZ1RQRPIGa39/ozyQO5TPjlGFDEoGsudk4y2wgXTxqNgIdSQR7sIq64IHsA6wyNzib7VhsPrGS5onqhRsDs1qBLJgT2PSdJtrwYFWrCTl9oOlmFkrVrPdcWuOyDurhVoq7UFiuP1HvstK7HY0aMkw0QOwDIc9KQ/Q+kWPG2whVPkkoRDAAmA9hI3fTq2JeUMNIVZW3wYUUWc+u5NlghQzio4SYtaYrJ0AIBJiy+Kq7QqzLtTd7Uq/w4OkAqYVBRIhdQLu8KcVNOzYFQRLm4lzWHH8tMxWjXwSFB+nPoARdwk0Ykv+420VljzRAEWt9UzowM+eXYTXoQif4FvWOCCzvdf3hRsQPpMd5lfAMzimW6j+cZD+Ew6vgcOuEo5Bn+tszlHBaSo3lSR98XOIJn6QXSP1Ue0/GuxBIwXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQUFl1txCRbujqq03hb3FepIAwVLn2CkoqtAaME0KXLfKjO17/wWTr11tPFcenCXo969tHSPwt7zzZrleKO2wmahsx]

test-sso-proxy1.cert.sunet.se/overlay/etc/hiera/data/local.yaml

@@ -100,6 +100,7 @@ saml2_frontend:
       metadata:
         local:
           - metadata/vul-dashboard-test.xml
+          - metadata/intelmq-dev.xml
           - metadata/intelmq-test.xml
           - metadata/intelmq.xml
           - metadata/monitor-dev.xml
@@ -108,7 +109,6 @@ saml2_frontend:
           - metadata/zammad-test.xml
           - metadata/zammad-app.xml
           - metadata/dashboard.xml
-          - metadata/keyserver.xml
       entityid: https://test-sso-proxy.cert.sunet.se/idp
       service:
         idp:

test-sso-proxy1.cert.sunet.se/overlay/etc/satosa/metadata/intelmq-dev.xml

@@ -2,7 +2,7 @@
 This is example metadata only. Do *NOT* supply it as is without review,
 and do *NOT* provide it in real time to your partners.
  -->
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_7ac332ec794a51953c9e869a742d6b8a56b400bc" entityID="https://keyserver.cert.sunet.se/shibboleth">
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b861d1e1135cb80370b99b5cebb59cd7f33c27b4" entityID="https://intelmq-dev.cert.sunet.se">
 
   <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
     <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
@@ -25,35 +25,36 @@ and do *NOT* provide it in real time to your partners.
 
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
-      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/satosa"/>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/satosa"/>
     </md:Extensions>
     <md:KeyDescriptor>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:KeyName>keyserver.cert.sunet.se</ds:KeyName>
+        <ds:KeyName>intelmq-dev.cert.sunet.se</ds:KeyName>
         <ds:X509Data>
-          <ds:X509SubjectName>CN=keyserver.cert.sunet.se</ds:X509SubjectName>
-          <ds:X509Certificate>MIIEFzCCAn+gAwIBAgIUNbx9LI00dWhPes0ZdQsW2Jr3FIIwDQYJKoZIhvcNAQEL
-BQAwIjEgMB4GA1UEAxMXa2V5c2VydmVyLmNlcnQuc3VuZXQuc2UwHhcNMjUwMjEx
-MTMzMTE5WhcNMzUwMjA5MTMzMTE5WjAiMSAwHgYDVQQDExdrZXlzZXJ2ZXIuY2Vy
-dC5zdW5ldC5zZTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALux8ExF
-2dlhibEt1QRaPY9eE3R/GqUTh7R7AgntN6erkVl2iFGseEQSo9wxpEa8S2n4TWIN
-5zjJiMYSZQNln64/CoTyxKNjmB40Gia+Lsh0N+l/pkOv8kBcH1PIJP1k8oQOo3r6
-nYTNYZP2hV+yVL7BbMqG8pdWgTl63dMqKYegGaSu5hyC0VwDF63HeGTx++vO9rtL
-ek/Q616mipvzYmi5IHYol8RGEpGSZ/SJFeKvZlkkW6BrNTGwleGbPLKxbEB/CMTY
-2r0PBcr3/8fLnd1pSgCnfiuF1bweDdX4MjX385uc/FHR+s8BammtM0BP8Z8JAaFy
-ZN2gkAZ0usBBlS6SukUvtahFsMrkg6PTnJpgejS+qfn851v1v++ON3fHOqF8cIe9
-NjHi/8d0XAnsk6szfpQbdrhwiUXNml81yWeCbo/3yiToCYLFd0kwmFM7mzWEWM0n
-2QTjivW5iI43aUnIxvEb42E/UNws7YlM5zyaJoRBRP0EU50Cv8OIHtw+lQIDAQAB
-o0UwQzAiBgNVHREEGzAZghdrZXlzZXJ2ZXIuY2VydC5zdW5ldC5zZTAdBgNVHQ4E
-FgQUZ76LSO7ZeZI+JygC8tOTTso0k8gwDQYJKoZIhvcNAQELBQADggGBACUd3fnY
-nPYAwipiQzI4o/k+termLv/CQnrr6PUYz78T60PY8opLLRnwVuIRNe/F6w6JULfF
-HZ8NE1qcSvSjKtlyFyV5ZuCfC3aOzjhvMc5QK5yTq/wxTnYUUHkSoZWV3JgSK8tt
-5kjf8DvUmP7Wmzz5YpI7cL6IF/ovwa+cR0/SZH/PK32bzc1AdotFNfpfT/QI2siA
-1BW9xW2s73vkwRxa8q8AZfo9g1giiKgmRhjoIUAC30pAGqwGSah5pU7NRJ2qx7jK
-s0C/mJgjVN73MfSLoWNzqYvvJQtMTviIwXh/4O4RG7gigaKlm+JEmqwhPkl6tuSa
-atuTxabaD/qn6MghbYyeXnumPlgaFdou8CX0l0flRpSFnKt5bQgb4+7RzJbXm5L1
-GJPgxItu0X09xPYrjr28E/sh7EPnjRVW8FIwi5q9Mrca1H+d4Qfj1CzmGJCoWv0M
-9wW9f9ZuNqxSD7GOWkW2vlcswG4Wofn9e3ZcQDwIkE/uoU3HWQ3ldBo5Rw==
+          <ds:X509SubjectName>CN=intelmq-dev.cert.sunet.se</ds:X509SubjectName>
+          <ds:X509Certificate>MIIEHTCCAoWgAwIBAgIUYbc4zgZXq4ZVFtMg+THPT2mTV1cwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAxMZaW50ZWxtcS1kZXYuY2VydC5zdW5ldC5zZTAeFw0yNDEx
+MTkxMzU3MTVaFw0zNDExMTcxMzU3MTVaMCQxIjAgBgNVBAMTGWludGVsbXEtZGV2
+LmNlcnQuc3VuZXQuc2UwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT
+UrRbu54TUDzeYDp2IdAnLfy1KOhzMSLtAVDzyz6vVUV9cUlVxpZnqMjVXRLotD8F
+lFO0E8fWVUcN8Zb9KTWPNyLDXk9mHouXBdlrw32TOJuXUNfsPU20RJRtoFT1M4OL
+lLgL0DHJyeC8vi44r9J8eNCfaN9dUe2OW/VEAB6LpS7zIG5cCxjfQu1uUXT4aPk0
+5E11BWCuUW+SQhaQ4IG9GjazD11rDpbJXGAhFBGHYD5z4Z+y+vz12a+HxPEt6RAh
+GSxSWAFcRU/dmgn4DNiHQgyKm9fjqkyENLN9PFTPrfL28P6W1xiTjmzduWJaZYHP
+zLm/0gbhHpRGeMfAGcxhvPsuHtOydDfIILODYbOK2FsriAHlc/BLB7m09Ea2WMmv
+0fY/P5LFtij2Xdg2Ek7gYUXH4KEijNttfIXvV7IGA3Go57iFF5MAHczQh/tggPzI
+Pvjxj/hAha9Z43mb/aMbLmbUE/Vv4u0dHbRu0AT5egFoFE3WUJpQ3kh96srgUBcC
+AwEAAaNHMEUwJAYDVR0RBB0wG4IZaW50ZWxtcS1kZXYuY2VydC5zdW5ldC5zZTAd
+BgNVHQ4EFgQUYJUm2bW++1j/3sTV05Ee4aeKetEwDQYJKoZIhvcNAQELBQADggGB
+ACzzV76G24GAY43mAp22rNT7uYvGMLK4Hiy/0N6eERkJKOZbfa5BC8my6B1xISIN
+Gz+Ruzc6XOhgPaCwFqu6S/ae/3QZCA85Mu1X9yBgTw5kEBMkp6IgOdIE7RvJDe7k
+QQ/f8KCawOHiQds07dsbImXT+TfTlXu5zkppUSuPS6gpWWZCAfIAyZYUGCF7q8EF
+iCYHiXPCkkEEa8W5xzP48XDtkN9EX7sjw96SSZ3mjGFkzBVSQ59C+BOB2gvy6qVP
+mNm3DZo9ECStXGCvPDQ+mCoCZpOfMgl2inO3zdVuuZp95NzxhXC0VF+trTey9gQJ
+n8x2Cj48N4egtdm965dS6ot4a6SQ+n6kR5+WOw0OtyYdOA6rekIR6SDc/YGN0vHe
+8RSXgHPIiq9BXACVGPck95JDBCIqaOVDVtY4TvRpQZKziql+UwtCIjkhf6oM0YoT
+Tn5GG/Cb4NlAWPTKqmLt2dI8mGdSCC1gzafC7+s0xxCYRsBlXT3roYE8TDYRVhAo
+PA==
 </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
@@ -67,12 +68,12 @@ GJPgxItu0X09xPYrjr28E/sh7EPnjRVW8FIwi5q9Mrca1H+d4Qfj1CzmGJCoWv0M
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/Artifact/SOAP" index="1"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SLO/SOAP"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SLO/Redirect"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SLO/POST"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SLO/Artifact"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keyserver.cert.sunet.se/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://intelmq-dev.cert.sunet.se/Shibboleth.sso/SAML2/POST" index="1"/>
   </md:SPSSODescriptor>
 
 </md:EntityDescriptor>