-rw-r--r--ca.sunet.se/overlay/var/lib/ca/infra/requests/client/linus.csr50
-rw-r--r--ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a1.sunet.se.csr44
-rw-r--r--ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a2.sunet.se.csr27
-rw-r--r--ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db1.sunet.se.csr27
-rw-r--r--ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db2.sunet.se.csr27
-rw-r--r--ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db3.sunet.se.csr27
-rw-r--r--ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-f1.sunet.se.csr27
-rw-r--r--fabfile/__init__.py3
-rw-r--r--global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub112
-rw-r--r--global/overlay/etc/puppet/cosmos-db.yaml19
-rw-r--r--global/overlay/etc/puppet/cosmos-modules.conf2
-rw-r--r--global/overlay/etc/puppet/cosmos-rules.yaml2
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp83
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp4
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp44
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp14
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp49
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/server.pp4
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp16
-rwxr-xr-xglobal/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb37
-rwxr-xr-xglobal/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb721
-rw-r--r--global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb262
-rw-r--r--global/overlay/etc/ssl/certs/infra.crt34
-rwxr-xr-xglobal/overlay/usr/local/bin/ping-check21
-rwxr-xr-xscripts/mkreq1
-rw-r--r--sto-tug-kvm2.swamid.se/overlay/etc/cron.d/flog_daily2
-rw-r--r--sto-tug-kvm2.swamid.se/overlay/etc/nagios/nrpe.d/cosmos_nrpe.cfg17
-rwxr-xr-xsto-tug-kvm2.swamid.se/overlay/usr/lib/nagios/plugins/check_reboot37
-rwxr-xr-xsto-tug-kvm2.swamid.se/overlay/usr/lib/nagios/plugins/check_uptime.pl721
-rwxr-xr-xsto-tug-kvm2.swamid.se/overlay/usr/local/bin/postgres_backup31
-rwxr-xr-xsto-tug-kvm2.swamid.se/overlay/usr/local/etc/docker.d/30flog21
l---------templates1
-rw-r--r--web-a1.sunet.se/overlay/etc/ssl/certs/web-a1.sunet.se_infra.crt35
-rw-r--r--web-a2.sunet.se/overlay/etc/ssl/certs/web-a2.sunet.se_infra.crt35
-rw-r--r--web-db1.sunet.se/overlay/etc/network/interfaces17
-rw-r--r--web-db1.sunet.se/overlay/etc/ssl/certs/web-db1.sunet.se_infra.crt35
-rw-r--r--web-db2.sunet.se/overlay/etc/network/interfaces18
-rw-r--r--web-db2.sunet.se/overlay/etc/ssl/certs/web-db2.sunet.se_infra.crt35
l---------web-db3.sunet.se/README1
-rw-r--r--web-db3.sunet.se/overlay/etc/network/interfaces17
-rw-r--r--web-db3.sunet.se/overlay/etc/ssl/certs/web-db3.sunet.se_infra.crt35
-rw-r--r--web-f1.sunet.se/overlay/etc/ssl/certs/web-f1.sunet.se_infra.crt35
42 files changed, 2558 insertions, 192 deletions
diff --git a/ca.sunet.se/overlay/var/lib/ca/infra/requests/client/linus.csr b/ca.sunet.se/overlay/var/lib/ca/infra/requests/client/linus.csr
index 20cea93..f9021c0 100644
--- a/ca.sunet.se/overlay/var/lib/ca/infra/requests/client/linus.csr
+++ b/ca.sunet.se/overlay/var/lib/ca/infra/requests/client/linus.csr
@@ -1,27 +1,27 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIElTCCAn0CAQAwLTELMAkGA1UEBhMCU0UxDjAMBgNVBAoMBVNVTkVUMQ4wDAYD
-VQQDDAVsaW51czCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN3txFTu
-xrZQtqDGZRft9HDZoENOdUlFiUmns//dmpwtzKbCiYFz3xHF/xQRpWg4poAR9dG2
-cMiBxkSlKzqo3sGtJO4awjtcEUQZK+eKybdsn9s3jUnRXsUpN+f6l3qElLvVnhNk
-+I4btSVsHdBrmJJNmQ0WxaDaydd3bRcjkVENz47ZLBY+xsg6/19DZaJsLRWPr3jj
-pSoOWGyG8JEM/ymdVhwh+PYD17V6v0h6BhqM9RH7k23PCJglVCAeDG7h33cjZK1k
-WAm0PMBtvbTpXkQU7sQx4DASlEe75wCX6XD5PEz01z1Z+I9eb2mZ/x+ofy9kRl0c
-aWr8oWiBa9fgYfAa3ASz1mzFpzNL3b8CbPfW4pfvwTAorWRAbU4OUoeETj3adgZj
-4glKq4/ce2/wovXae6O6biyMFdFUuaxIlsqxylJB7dQK8vFAdpwSV8LijI3eR0su
-6xYccFvXtp1y/m3wGgcC7OTV70lnCwaHZw5+3kNcQqwBUKrCjamRuR/pDSxlC58w
-+IGt4iE19ZDYHDYvLKDALOQnWTxyEWqz5F/Z6fFgXzuCWBh3YdGqiHPyq/KK0v4K
-k2iou/uFkg4SZn78kn5I+91TUQPB8d2omUXRZ0tuuTWc+6VmK9hnnMhVzYpjyEt+
-dlYF5XO6yuX92Msrjk5NNQ/l6SC/dkCd9kYLAgMBAAGgIzAhBgkqhkiG9w0BCQ4x
-FDASMBAGA1UdEQQJMAeCBWxpbnVzMA0GCSqGSIb3DQEBCwUAA4ICAQBTQYhmjkOa
-94t4I4iqkCxt6trUxc4uEr46VCxAkCp2zIFubCGzwRq6TpDV4UJffNNZeHTZRYJF
-btr6iINuD/+HOQU+hODI3PAKlMLM9rkTWIesVEQ1p1sRFWfsyEuVb28CPFiMQ3hp
-DHcqXk+0ZzMLc/80xmR3ESrU3irQENRpi4xjaETZNrJ3yXQW/IWUC1IfEuotDV3v
-9ZcvawXo2a93tP+3tr+pv0V/LNkm7QjByzVL2glJlf+yPPH6sgWro8eHszNTC1Po
-uo+na2uxzKz0gmPCh4+hfM8beUkcxKdn4LylAJ268NGMsWiugR9/zGAT4y3nXaZm
-dlWjxXbPnzwnperjh9950Bi2Sw2DC6A/2103JFf6umA1wwY/5sf56PMgYFhglX2/
-er0HQTODtWEu2BoV3mVfKPp3ggjx+nhcOa5GbR8H5bGmFqQ+2+LO1FLxJFXUtloz
-h6adzIHCo5/s9Ioi3hyVovpvFsGbvQSNTFH++vsD+SkQezLzqp3BZfCArjFVIofv
-N04KD4Vvi+Udfa9vY7ay8hwOceKtnzxF2/ID5L7mEFZyUHfuGNTZe0vSBDqvoB1K
-qIcWH1KkKlbcmhexJno2iu+QhZ7EIzyBpTkp+LOTjevZAkCOoBERVaRA3vGpHkN8
-mbHbfb+c9ipx/7Ik+mowZSHolo5gqtnlCw==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-----END CERTIFICATE REQUEST-----
diff --git a/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a1.sunet.se.csr b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a1.sunet.se.csr
index 7b54703..fb7e311 100644
--- a/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a1.sunet.se.csr
+++ b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a1.sunet.se.csr
@@ -1,27 +1,27 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIEqTCCApECAQAwNzELMAkGA1UEBhMCU0UxDjAMBgNVBAoTBVNVTkVUMRgwFgYD
VQQDEw93ZWItYTEuc3VuZXQuc2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
-AoICAQC3Sa7MgalFU9YbGwCfR3Bz+a5/Nv4gkuF3vY0fMA5Q7Rh1QfvRoDXLx77z
-6xy57SzAH/lkS0HFfs994zuspzbJT8B3n1PA/BANtJM/frLzZqaq0/BDCvQKWO1b
-8w03IzOR73H/vim7Hrc0cSj1rO49oD/BaM81oW45BeGJBwxniXX/MbknBjC+iSr+
-hlDW05iNOjtcQudS/YpZQ0YVozWBntpCgzPiv+yWDSYWrs3049TH4Uvh6QlrNeN1
-Ji17Al3j/B7Wf16CLCwJ1urTx/jGLUABkVfJDwjE/kipHvryzrRfb/8Qs1jDmxyL
-kCLlCPscv1PXfd2pOKcTVyP7mTVWfeYsW/FwBDSdA3xXkOaeB3GjHmULS3X/2APC
-Sy4crtsvn9mlCXHxKrAq9wI/UBHMaW5MqnZNU5VLJ/EpNju5OBdAtypMmNtYuivS
-e+lKVJJDYl915Licq6k8o5sX0b3y9EEJpwnx9cMRxx37C395cd9FvKheqdS3hXAY
-iEBYsUZ3dZ4RWA3R/IeiTSCUn3xY0OFqWE34owTk9cOYbtpAlIoOb9IU2q+bwTRQ
-UVp7qWE5K/rlR8qf4qsjEdIKb4suXc3poVJfq0em/LWIfmXF1CIU7F0nL0tQf+Tu
-aXjoWco7M3f3X1+OitV6fkx6rkNxVQFBFwUBw1TY3E8LomdR0QIDAQABoC0wKwYJ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-hvcNAQELBQADggIBAI3czCXuI0tTFM3k9wxlRFZmwHTeTPHEBsD5/yjYcmC+FCQP
-tr2wRbkY8Y26vfTByeOvgzr2Hn4DDW16L0WhoL9bM257oq+l7V71kMbKquWTnj8O
-edXF3REWeF+2DSCT1opvsi2LgNAtrNoKn9f8OHW1BiZ7+PRiNy4wxg65TqzUB2fC
-STVdv1blLfg4hijGHNEqQZM3ad3iMAJ8B3kC4Mex5T7ISEv+2+ha1/+yjPgn1P+9
-8KxJfvCu24PEY+EqtKFD4khUWv9zoa+xChQCbbKA00BqD1hJRbomLnM0ANFA4rDs
-xrKE8BVtVYSglt/w/57iWhSUGa0tJvtldHzqFSnPnrPt5SvKEDu631Jey+8w8Zfj
-XkSCbRqZftyPpcMbgbb9AKNL2FNy8sPEnkxVD6NtTiPImUHj5xVJXjm0KA6j8NOf
-hD1ZFVn1h+BRwy3PqvcCV5mMazXyOttupYUuntjrVV/xJRoySMaKNmj1B6YrAIlb
-JXybNKVPT8HIWdi0dn+pzT2r/ymIGEmzpFF0IYOtWGGKKFa9m1qFiYR0iYxBe0GK
-veH6C64JaABZGaIKWAuwAf1TnyF+B9kyiKCu75MDj8P8y28harGXCyy2Iq3MipbC
-kLBg9xC8QT7U9Jyl9TgZxpbM4Bh7qxXeryn0FIIvgfXoPrwIKXqQyrXfa6U8
+hvcNAQELBQADggIBAEIiRXkR1jni08FiISwGGqnXnAWQs1KEKOQEsjwLU8XqDm8s
+6MSPm8Q+pTPhee9WOMDvEhZ5G4qI8xq+rjMvoLAwiaZYnb25izFYCORy/hMC/gBA
+6dgWG5ltDqCVMXHpsAdtKeoTnYG3zHidDNGRaaF/s8aMI7QFNwSV4GKG9LLKZw2C
+JsXBpvm8ffoVFXw4UWNbG/za2+8INjjUgOXrYvu3X+iNjuWAxnnXq1vkYmdM01lB
+QXdG8znkN6yEtaCag06ObwdSVo2FYEBqBbwmNL+Ud0ygIEz0zaisUDC/gnPp0XRZ
+9ugL+1z9sNC/GRp/G+5JOQ7/zEvoxcvd1smYguAXWEnsXdbqOvPxxJS6++Zq2GwS
+eM2Ttwe8wVhkINpT4/AuHR3dYNKt0zxsQbcdWOq1BWFitZf6dZ9NzeCxSLtVyXVY
+X4Vo4e307d02dNw/99/zkBFFEOW4M68YMcRdBh/ASd07fHuWGppZf8/0TsPaWNzN
+qWP2uGU1blyBpBdS8t0Py5f+4RZK+u6l1cKaxD1AVuOvI0qafPyXZOmw9eIW859B
+VwlOOUEcLm8o5TZRJATtP9trKo1whUI4duR/sdpsk81iHR1KAhoKj9/MBiXU4RWn
+0I/UBxnEycup94/3ssesWPH33BpbQ0GJoxixtNgTIbuuCbs8rHptLe26mrIv
-----END CERTIFICATE REQUEST-----
diff --git a/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a2.sunet.se.csr b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a2.sunet.se.csr
new file mode 100644
index 0000000..c3337e6
--- /dev/null
+++ b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-a2.sunet.se.csr
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEqTCCApECAQAwNzELMAkGA1UEBhMCU0UxDjAMBgNVBAoTBVNVTkVUMRgwFgYD
+VQQDEw93ZWItYTIuc3VuZXQuc2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQDBbNpvBdEzUfeoU/S/P14/6U/Sn0UNWqAGhCwBIi2YnHVxqYKuhnlD/aPt
+cIHkaVZ5EuM/GEd0QDMO0ih3n9Gab8b1lFwqv0JxZGyTxczA74asb5Ct+IJs53h0
+X7naXJ6ka2J7xKoRW4/JlEGbdH9EF0HzDp+49OK23zR55q0ulO2hmxhZVfuepgv/
+/OYChacdo/voiAQmM0DJkTGPlslh1Dn72hIn2wvfujlzI9Dvsd6NZmMbfgxoHY4Y
+LmLATZ24XEztxuOiTOUWpX8MdlQ2TSYQEiAxMbQNjkbYkG9LAV8ipygF/mNOf/cn
+tsu5u76c/iYWoRor4uEpgrtwxFo5X1lv4yJbzO6fuWOJcNANfTNTj4xogXn6ScYb
+GE8/oWzEwokLFfdlDZY05okdzZ3uVZNoGyojMAmmx5gO+3Y9qisJpLeH0xK3jCDi
+a2X8IV3olg3mlx8M9XsHjwYSOh57sfUMA2Nm9RXroWFIPDDmhvQPJiXmM61NKB3p
+6aIwiscbCfwQmjrhxQUr8ND7M0wpJB9gJYdcUP/IN/pwIfsiHUy159Vx7dwNePpL
+qbFndkmdnJAUSKa80/+JV+8Jn5IeUbMCFt0eJPUpI3EC12yv50HFBDjt44GJSpcZ
+5qbswPH5i01dWKlbERss+4p4rd+Ry76esjQaAuqN01erhwASQwIDAQABoC0wKwYJ
+KoZIhvcNAQkOMR4wHDAaBgNVHREEEzARgg93ZWItYTIuc3VuZXQuc2UwDQYJKoZI
+hvcNAQELBQADggIBALR35edYdRVtnB+6XrEf+pBfm2Mn9cDKRF/rBx6vYgYPMlpw
+oporTVJajsMfkQp3aO3gX0w2VmnCXI40xuv5rry8LWLAZ9hgfjQ6cKpIspebSwvy
++MR/lzgUmrgowCGNCky7O8bb7U1jOryR2inOMTR6RlVpg2Gfu+EWgeQTze6LNHJk
+NV+k/NNplfRxxSDO9wthGcoTN3miNOs8YAqjJc8ApcGHcWcPkI80Hv40dlCA4+8o
+8r7BTGkotKWa9pVzQ/oYCBw3b+D6/dj57B3idRe2qkAtAO9Yf3HWhQKDFK7R0FAq
+nFWeu+aw2ZJplu+1KLLZuCXL8l/BeoXlaCiUxxUpDLI1jnNmiw20DeQw+l94EgOF
+xdA9FsHddaaHaltqIsNRBw7PupvxVGpe8y4VcCx0kCpFKETnDgRPRQ21FHOdli2+
+A7V2JdN2cEM/2obUqYrhL3Zi7fuGpZ2QC09hwnux6iKuJ8MKfQZVA8zNQAPQidxc
+UCeC/6wcwpIU4pYLmqrPgIANhq7n4VkDHJaa5nnoP7WcgjlFUNwUP5YAIjxo3XB5
+uCSg4Rx08IVAnMwzOkyO9kwtfYDqq+0SUyY73XgbYJYY5mnExYu2iEqlMdbYj9mr
+YHHHeM1YNjzcCysUlB0VaIQWPPAdgyarOn2sJ3sqEw7wY5rzIIWUD5gF0D8I
+-----END CERTIFICATE REQUEST-----
diff --git a/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db1.sunet.se.csr b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db1.sunet.se.csr
new file mode 100644
index 0000000..5d30aef
--- /dev/null
+++ b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db1.sunet.se.csr
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db2.sunet.se.csr b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db2.sunet.se.csr
new file mode 100644
index 0000000..5ba69c4
--- /dev/null
+++ b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db2.sunet.se.csr
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db3.sunet.se.csr b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db3.sunet.se.csr
new file mode 100644
index 0000000..1913a23
--- /dev/null
+++ b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-db3.sunet.se.csr
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----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=
+-----END CERTIFICATE REQUEST-----
diff --git a/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-f1.sunet.se.csr b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-f1.sunet.se.csr
new file mode 100644
index 0000000..07ccc11
--- /dev/null
+++ b/ca.sunet.se/overlay/var/lib/ca/infra/requests/server/web-f1.sunet.se.csr
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
diff --git a/fabfile/__init__.py b/fabfile/__init__.py
index 8db5748..0a79308 100644
--- a/fabfile/__init__.py
+++ b/fabfile/__init__.py
@@ -33,3 +33,6 @@ def newvm(fqdn,ip,domain):
def cp(local,remote):
put(local,remote)
+
+def synci():
+ get("/etc/network/interfaces",local_path="%(host)s/global/overlay/etc/interfaces")
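Review bot: The `local_path` in `synci()` looks wrong: it writes to `%(host)s/global/overlay/etc/interfaces`, while the per-host files this same commit adds live at `<host>/overlay/etc/network/interfaces`. If the intent is to pull each host's interfaces file into its own overlay, the call would be `get("/etc/network/interfaces", local_path="%(host)s/overlay/etc/network/interfaces")`. A one-line docstring stating where the fetched file is expected to land would make a wrong path easier to spot, since a file written outside the host overlay is presumably never deployed back.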
diff --git a/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub b/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub
index 21bcc24..f08c5bb 100644
--- a/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub
+++ b/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub
@@ -7,69 +7,51 @@ mQENBFNOlK4BCADXgBIEADujBCe5Tv1aul3IUjQhXNGBjdvgK9xQKaTVrfJTRxr9
07zFFXrUHzthndt83MZdB8nd/3WUbT6ubSEYO5rtjeWO30c9p16u+ErGADR0bBSz
UfpREDHlUlJ/CcOi68DQINBOELdt+g76E+rHODeCB+ojpFwjIPyHbuhI4fF/UpWu
40nU8pnS9w8kS/4cQl72NEhrH7mEsMK0Pma7ABEBAAG0KUpvaGFuIEx1bmRiZXJn
-IDxsdW5kYmVyZy5qb2hhbkBnbWFpbC5jb20+iQE/BBMBAgApBQJTTpU1AhsDBQkB
-4TOABwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ0b7X3pMDxdsxugf/X6ZR
-qmrZq9sNyF4E3GrCE5dPGdwNKGuLr2H5GLKrBfULmqwXvacanH0qZAsteHEudv+o
-H3pqBmbt4uZoIph/VFpu7YsHSpwjtQXLeN/TJhCRSSQUiIH2gNkLdi2P2nlb6YkW
-euRPJWqL8GVQNvJgH+gaCUCsJ7mEfbcvRhjCIv5S+m9zYqDYJ5Elc6bOKnG1U39w
-FqANX/u1CBOY+fOiNYD0WcYDfvk7omWuWID0kEi4E18pPwzAZEmhOt0LZf1S1AbK
-7VFX9OMlNNEnqlmSsFc3DO8uJzelv+WpfqmKI3rbovncZNWLbiwR/eAYnNbaJujy
-V/QLGTPyB5zmg0bXjYkBHAQQAQoABgUCU2j6+gAKCRAnBzMNQDDMrdXmB/0ayjQi
-Zn4A60TpUkC3mJ6oW0bUUqWr47VuXHYwCRBCc53s27RNL2xsRcbqiQjOfSBQUvdu
-7NNT9qgvmCoPB745D3qutZ2idwJASmFrytTt8gWKiaIBUKg0/wVs8v1CW/S5EOoc
-hkujPmrofeL9K4YTOl3q27Jhdv0eKV2e2lEXeW/GBCuUje1NTcgqFDCHV9SzjBRy
-uiToEfzYyomHEmaJl4vyl+WOCFMbQav3YvjgUH6MwtXSUcerFqqnMr3MOU8ioaIV
-DipMHLSBmMG05cW4xSVo/zdgtjwyfDH5QWuwDPiRCWRmS7N1n+I9WxVhDTkIJZYw
-Ueb5qaWunWXiQWmCtCNKb2hhbiBMdW5kYmVyZyA8bHVuZGJlcmdAbm9yZHUubmV0
-PokBPgQTAQIAKAUCU06UrgIbAwUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgEC
-F4AACgkQ0b7X3pMDxds34Qf/XdI9emOcknRsJ7WpYBjjpE+Fd+gNiJfie6Fh1/CA
-gu4keD+Vwn/2IRPLo30dnShIlUxJhdFft60QvDvQSETSoizUqPOV3VomTOA2sXI1
-g+hRNoDvzR/4EgMwX4bxzb9d2CZXt1uPR5Gos1qpuh3VGBy55JhOcp1+fsw0cAax
-lmXeVQwIRoxN+b0ml3JKGLxKsYcZiCGSpzVidrvIRYabbMUOx6KtdXL4AftoXIng
-NMiQJU2NJgTXqsQsjEnhcBLw1l9dFByYfIWMh3GZjzd98JFmvCsInRUmWN/QeuBH
-w0vHrJb3EAqj7ErWss549E6hbDZFGpbgKQlkmKt0wmDy6okBHAQQAQoABgUCU2j6
-+gAKCRAnBzMNQDDMrcYPCACc8s8PQp+QVoNXN3vV6de4i/SJcMRhJEuPxyePdiDV
-sVe+lFduP878zA/qEmBeMT9l9zC1Vxnv1AAakV5j02bfjBZsLvWP+4uG0dp+J0H5
-0BuzDbl0M0Jdbt5pnfQsqc2H26Cz7aZ05lbxAeuFPhTHgBI8DVlRIRuPwW4zo7wp
-uZs8CZXAyKITOL/HA9ZmmaAPNthMsjXc8CK/kK8XvuDr5wGo55KrUGUE6bsiYkxj
-2UGUxmQSegaL8li6uEwDmJjp5y03MEeV33VxibbnAx8F1oK2uXr/DPaZot9gB46h
-Ivy52O2ydr31U+dlaFI+yFaaiFQBA9UnYAjinBQRcqowtCJKb2hhbiBMdW5kYmVy
-ZyA8bHVuZGJlcmdAc3VuZXQuc2U+iQE/BBMBAgApBQJTTpUdAhsDBQkB4TOABwsJ
-CAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ0b7X3pMDxdthWwf+ISF1EgZuIMWL
-HfhNQrpWDJiTZ03ofehso/W+GkKcWoia/RpTxitmY4Hl8C3v5CfUvHYy2ThVfcvw
-FrhnZS6ln7WGGzkS2ir9NsA2xJzbXzKW+dxa+sXQ1SsgzUkI8K4oMWhzrnffn7cX
-Ze8qEv4ng72ZX5gDfA8T2mPNYyWPycGv2sroWU4T1hwiTvtaVdjGVqBF3jajitTg
-svsY0y9n1n9mTlxjYiFnBeiGn1I/eUNALAUzK/VIuAPsHeDrA8WPLjAAs7dQRD/X
-uCAMddvyHbtC0FNq/sJZHIQfVnyE4Gqo6IoMRxKYZo3eNS4wF3wp3VGJFBkxVccE
-W8k0EZi3VYkBHAQQAQoABgUCU2j6+gAKCRAnBzMNQDDMrSzrB/464DKt30CnEXMM
-8LX0FB5ywMVrTNPd4AtQ4t9LfXoTCaZICgb2VvBhyu+iT/t37jeFg1LzViHvyHcx
-G2fe2zmIDDsaakbq/7Ptn00sisscQrRYbqThFoTZZxT3LtxbJRT7gS6dOPXSpDAO
-2mYnUDylXwLieZ3TBwEOqMAJnqAOOg4rxuHF7oum+FgkcM0i/zyhuM2IXRmEVrvb
-j9qH3EOZmU9q5uymy86QK3tNirDxl4Kc7nnIEsUVH4qxfF0mjuDtGpTYLj0BMI70
-6UzIyYB2w42XNaUwOovOUsfB77UxNHOBnp4TlWc/U6S1SDAdbBOXdHjHKoiyVisA
-ZzqKjUiVuQENBFNOlK4BCADv5oNT5bxMoi2g847SzQEp306Kg5hsKmKdjXp3vFfB
-Fqp1Suj9BphBflyTo9Ci4F5ZyxiH3uVDglzR09ccOo+zgFaJvOU9waP7+PJayBtM
-U8lZ+dYtm5agST8aXzQ5gvJj5uASuHZGQwiBV2MIn70ejIPhL2rkUT3nSj8C+YH6
-8WJgIk5qlN1VbAsoGyAE0dGIRouRYV/JMN9rFB8kcPF4RWZRq9rqk9jAFLec4MNJ
-O4hs7QEijq4Klp2jW+3v9R52lPPeiz0xjBB+v9DHIxN6HG3RNTcGpklLzvzJb+wQ
-AecFCyRizKObMYQpGXJRpiiwYOipo3smiA8XfITY7u9dABEBAAGJASUEGAECAA8F
-AlNOlK4CGwwFCQHhM4AACgkQ0b7X3pMDxdthrwgApS7EHZNMRUd2/JpozhuJlv3k
-Iz5H5cYABSXAox9GZNGdNLgCzEVNsKyJtj55nqk1eN8rTwdyDyu+d/9QX6HrhVgM
-QdURSN87LHlcl4bRnaqu8E9Kh6L6OyWu9zIgY9KahJF83CvileV1ULqmy7qGSb9N
-ejf4leLEUjZvXObYx2rT5OjDObmD9o6HMjwQpNj6FiYz67fhJdx4i6BryAeWk6aO
-nMANPJj31+CkpDa96hkA9B8rYE1uk1W2+IlKeiX2yRmcWZa8HC84swswDFUFqYvQ
-CXEp26vnm/Rm9JyfIAu6SaIhKI3Nn0SCX0fBBXlANnXj8QUL5H56klp7OUlBpLkB
-DQRTTpU7AQgAwBzH5/T0loxhgJDGOq4dcn33WIJ5YaCAuROTVnXOV1JWPaDWFts4
-TKcoXqX6IdWGL+VdUDU7jt39M4Q/mXqj755wO+HwTOMr1lOELbcL9na7BTrFO50W
-xksEHcMPSA4nbcUbgI1uRyfZkzibmKyBQBB4INT7/LGSsxzVrmYs+CN+AjdjW2mT
-ruHmBuqXc7wepH2JeYi/3rH4QWX3oAPu8eKl7zCxxCm+8AkQQAQn1rumMtRNI1HU
-VgRXaqec7I7kJZPJop4fPdptgtbRXMrm+XQloC2LYkEaSI89epTJNXDPn4EvWDOx
-L+tmwaUcp1NsAn4NUKWDKcSKueKv1y5WLwARAQABiQElBBgBAgAPBQJTTpU7Ahsg
-BQkB4TOAAAoJENG+196TA8Xb7sUH/jJWNiUJPWcc0NZHaoCbXrRqHlJR3Zhk3dLr
-1WGQubfkKk4tXZtQzs3q3qCHY6wsz5xd52IQmYZ7zeKm8C4VuNjJcPwsGHF9//Bc
-6/oVqi5fXcjGG3aWPU99QfSlCDBxz9j5+aeAdyyarPfD0i1IDJ/vPncnYB8Tt0PW
-QswGvSnWfhYNM3anoraapv6vbwnrCaBHkPJwdMg6Ru/QIuddxl/aW94yZs8MbyA7
-wKoFpvjXHuxaihF955IPE/TQc37yLV4UZ50osDFRTE26f3HwRNSoxQkGvkvO4hFD
-8wGrZ1izT6q37uTZTDMpxCGLcRzVmYr5gGB16S3bSyWhn7rkzV4=
-=AiT9
+IDxsdW5kYmVyZy5qb2hhbkBnbWFpbC5jb20+iQE/BBMBAgApAhsDBwsJCAcDAgEG
+FQgCCQoLBBYCAwECHgECF4AFAlUv2gwFCQPCeNcACgkQ0b7X3pMDxdtCdwgAgiDc
+YCvC8xyj9I6zcP1i/ZrON5vrwhch+xolRuR2d3hc6ElsgCbkUFhNk+a+Okf7aA6R
+TdxFLEP+bG/eEYXRg7BawM1Hw8XZWPtDzutbmYwa31KgQL0Zr55U45kSQXjlG7vF
+6LkC9RT6tRUb/KXxtubT4nXLa0VnQYo5D8BmEOHsF+vxLJedmW2Mz7SIXRW4rACa
+TOxll8HGI3mu12sT8nq00mRb9fBkBLIsHHK76LYOHC6oR37+wpf0wERxQAM2cXEw
+hIK0xyHQFtbnzBzhFYF3jLWcPWJw34rJjz37DYlsSUtbnHbSVB7oaFBPKSp/GSR/
+RCxNiWIKTPfnhHvDELQjSm9oYW4gTHVuZGJlcmcgPGx1bmRiZXJnQG5vcmR1Lm5l
+dD6JAT4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJVL9oVBQkD
+wnjXAAoJENG+196TA8XbFyQIAJg02gKy88JZsTv6AqUvyWgeuiU3GJbuthns55uy
+i+sWB/jFCzESd8Mwi/rJg0N/YaJakRD/S46c35FyEQ/iJiSpkwvq8WBmfjCtfA8u
+kh7tlbTLBrexYXiUfXFwpnutuoMaGRYuq7ir3NzQKX4VLdiWFMRkT4ugizs6RR2P
+lRCpXdajTmBha6XQxm3ZetO56TADEo7OBLH0K51XRJH1LeGEaXZv9KLTywJcW8Co
+vfPLSzxFM8JT5VHyV19++Up4gUJbLeAt2D4ya0EX/AkxvVDqn+fcsQse6gQ8OMGy
+9mB8T1mC+nrJ4aWgJLwaxMtQ//vaR56k1GvYFuXBmn+LHie0IkpvaGFuIEx1bmRi
+ZXJnIDxsdW5kYmVyZ0BzdW5ldC5zZT6JAT8EEwECACkCGwMHCwkIBwMCAQYVCAIJ
+CgsEFgIDAQIeAQIXgAUCVS/aHQUJA8J41wAKCRDRvtfekwPF2/DnB/9ULJLwiL1z
+FjA1hCxOZtf+PSoif/unBnyPERoNDO7dyrR4+H4qiPV6LQKoD8pPZz6tXeu+l5L3
+Sps890RD1zqwZwm9PHdT7Xu8YYndcnfUsXpgNDZHS4G0CsuhB+Vc0ir7O9XYsMBx
+T6TiH5G8bOxtFdSQgg1sii12TTtPzuo/C8GxZbXy7I48nc11IrnbiYxxAnCpBIuz
+g6XRuTaxRkEAfg6g90RV+o06XbUju9sW2BSXg51etCYA5MLmbjQYQporArPHL9rv
+y4aTPGCu4vJoLDK5hj2ZK9YzJ6zGFnCMYNFk16uxWc/45SXQrr8FQAgSReMuB0C4
+OzRACdx0UqLvuQENBFNOlK4BCADv5oNT5bxMoi2g847SzQEp306Kg5hsKmKdjXp3
+vFfBFqp1Suj9BphBflyTo9Ci4F5ZyxiH3uVDglzR09ccOo+zgFaJvOU9waP7+PJa
+yBtMU8lZ+dYtm5agST8aXzQ5gvJj5uASuHZGQwiBV2MIn70ejIPhL2rkUT3nSj8C
++YH68WJgIk5qlN1VbAsoGyAE0dGIRouRYV/JMN9rFB8kcPF4RWZRq9rqk9jAFLec
+4MNJO4hs7QEijq4Klp2jW+3v9R52lPPeiz0xjBB+v9DHIxN6HG3RNTcGpklLzvzJ
+b+wQAecFCyRizKObMYQpGXJRpiiwYOipo3smiA8XfITY7u9dABEBAAGJASUEGAEC
+AA8CGwwFAlUv2NIFCQPCd4oACgkQ0b7X3pMDxducewgAxiSllwGR7pGee2auKVDr
+/Gc3gaLNjyRRaQtRByE6tlxXcAYzpUMm/+xvHuLTjr7hMXZYW13ZjhlIoYJ9RYw6
+AzJcc2A8R2kwv5kVpqKeDL2r1ODUWo982QoRoujfosrgIzFmcDw0FOzKwyJ27V7r
+oV/UHJjxzlOPItQ14oeoEX4eXd0cwFzARvHoCQ/j45nyHQJU87ghVThdqcysB4qb
++kd+p8hf21uJ7pyRdI5UhE0r79c+nfXoOLOHJ1865uvgptQFjWeJvS3INPCTYLqK
+O6acXEC6cdBlsNCSzsI1vfVX843io0jGML9KKpKCCn+TknYqo8F8a4GzhaFMT70g
+xLkBDQRTTpU7AQgAwBzH5/T0loxhgJDGOq4dcn33WIJ5YaCAuROTVnXOV1JWPaDW
+Fts4TKcoXqX6IdWGL+VdUDU7jt39M4Q/mXqj755wO+HwTOMr1lOELbcL9na7BTrF
+O50WxksEHcMPSA4nbcUbgI1uRyfZkzibmKyBQBB4INT7/LGSsxzVrmYs+CN+Ajdj
+W2mTruHmBuqXc7wepH2JeYi/3rH4QWX3oAPu8eKl7zCxxCm+8AkQQAQn1rumMtRN
+I1HUVgRXaqec7I7kJZPJop4fPdptgtbRXMrm+XQloC2LYkEaSI89epTJNXDPn4Ev
+WDOxL+tmwaUcp1NsAn4NUKWDKcSKueKv1y5WLwARAQABiQElBBgBAgAPAhsgBQJV
+L9nrBQkDwngsAAoJENG+196TA8XbH3MH/2pUrGZmRJxUKHFcC9gKNa09VjVs/c+j
+2n8VDS9QOnj0iE44zSXTln9CbY7Dmt9zVNAjoZc51U/9gojhDR+KFVgu7sIqr2PM
+6bkcIZ2NO0RJ5ciHWb7cBbrPNmR7GMloXPx4r4b1VjNnssYTKCCBjYLez6NbuZ2R
+QHs0NZWa6gE/Hf77Ml4+ZieydXJx9TLh3KiPuKKjzNL++n/TydjoxhMouNpjJAKc
+Gs+iQeha1xVATpa8c6b6EaSyr95bqfbNTRemd6rIzxwjbkX6VP9c8FmV6E1AWrns
+lQIgDvNHOR2NpiXhO+X6xccA9nQwsrQFZSV5IdopI7cVjqZhCSIZ1CU=
+=PaZi
-----END PGP PUBLIC KEY BLOCK-----
diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml
index a66bc05..53d3200 100644
--- a/global/overlay/etc/puppet/cosmos-db.yaml
+++ b/global/overlay/etc/puppet/cosmos-db.yaml
@@ -116,11 +116,19 @@ classes:
sshaccess: null
sunet::dockerhost: null
sunetops: null
+ webbackend: null
web-db2.sunet.se:
mailclient: *id001
sshaccess: null
sunet::dockerhost: null
sunetops: null
+ webbackend: null
+ web-db3.sunet.se:
+ mailclient: *id001
+ sshaccess: null
+ sunet::dockerhost: null
+ sunetops: null
+ webbackend: null
web-f1.sunet.se:
mailclient: *id001
sshaccess: null
@@ -139,7 +147,7 @@ members:
cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se,
meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se,
wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se,
- sto-fre-kvm1.swamid.se, web-a1.sunet.se]
+ sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se]
docker_signer: [mdx2.swamid.se]
dockerhost: [datasets.sunet.se, reep.tid.isoc.org, www2.eduid.se, mdx1.swamid.se,
registry.swamid.se, mdx2.swamid.se, docker.sunet.se]
@@ -149,7 +157,7 @@ members:
web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se,
registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, wp.sunet.se,
docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se,
- web-a1.sunet.se]
+ web-db3.sunet.se, web-a1.sunet.se]
quantis: [random1.nordu.net, random2.nordu.net]
signer: [mdx1.swamid.se]
sshaccess: [cdr1.sunet.se, cdr1.sunet.se, sto-tug-kvm2.swamid.se, sto-tug-kvm2.swamid.se,
@@ -158,21 +166,22 @@ members:
cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se,
meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se,
wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se,
- sto-fre-kvm1.swamid.se, web-a1.sunet.se]
+ sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se]
sunet-cdr: [cdr1.sunet.se, cdr2.sunet.se]
sunet::dockerhost: [sto-tug-kvm2.swamid.se, web-a2.sunet.se, web-db1.sunet.se, web-db2.sunet.se,
- web-f1.sunet.se, web-a1.sunet.se]
+ web-f1.sunet.se, web-db3.sunet.se, web-a1.sunet.se]
sunetops: [cdr1.sunet.se, cdr1.sunet.se, sto-tug-kvm2.swamid.se, datasets.sunet.se,
sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, ca.sunet.se, web-a2.sunet.se,
loke.sunet.se, cdr2.sunet.se, cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se,
mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se, registry.swamid.se, dane.lab.sunet.se,
mdx2.swamid.se, samltest.swamid.se, wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se,
- sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se, web-a1.sunet.se]
+ sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se]
swamidops: [sto-tug-kvm2.swamid.se, reep.tid.isoc.org, md-master.reep.refeds.org,
sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, mdx1.swamid.se, meta.swamid.se,
registry.swamid.se, mdx2.swamid.se, samltest.swamid.se, sto-tug-kvm-lab1.swamid.se,
sto-fre-kvm1.swamid.se]
webappserver: [web-a2.sunet.se, web-a1.sunet.se]
+ webbackend: [web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se]
webfrontend: [web-f1.sunet.se]
webserver: [sto-tug-kvm2.swamid.se, datasets.sunet.se, registry.swamid.se, docker.sunet.se]
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index 911ebc1..e796979 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -13,7 +13,7 @@ pound git://github.com/SUNET/puppet-pound.git yes sunet-*
augeas git://github.com/SUNET/puppet-augeas.git yes sunet-*
bastion git://github.com/SUNET/puppet-bastion.git yes sunet-*
pyff git://github.com/samlbits/puppet-pyff.git yes puppet-pyff-*
-#postgresql git://github.com/SUNET/puppetlabs-postgresql.git yes sunet-*
dhcp git://github.com/SUNET/puppetlabs-dhcp.git yes sunet-*
varnish git://github.com/samlbits/puppet-varnish.git yes puppet-varnish-*
docker git://github.com/SUNET/garethr-docker.git yes sunet-*
+network git://github.com/SUNET/attachmentgenie-network.git yes sunet-*
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 5035639..cea844e 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -50,3 +50,5 @@ www2.eduid.se:
webappserver:
'^web-f[0-9]+\.sunet\.se$':
webfrontend:
+'^web-db[0-9]+\.sunet\.se$':
+ webbackend:
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 2713ea3..b7b1601 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -128,6 +128,7 @@ node 'datasets.sunet.se' {
}
node 'docker.sunet.se' {
+ class { 'sunet::nagios': }
docker::image {'registry': }
docker::image {'leifj/pound': }
docker::run {'sunetregistry':
@@ -375,7 +376,7 @@ class sunet-dhcp-hosts {
dhcp::host { 'mq-tug-3': mac => "52:54:00:03:00:22", ip => "130.242.130.22"; }
dhcp::host { 'worker-tug-3': mac => "52:54:00:03:00:23", ip => "130.242.130.23"; }
dhcp::host { 'signup-tug-3': mac => "52:54:00:03:00:24", ip => "130.242.130.24"; }
- dhcp::host { 'helpdesk-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; }
+ dhcp::host { 'dashboard-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; }
dhcp::host { 'www-tug-3': mac => "52:54:00:03:00:26", ip => "130.242.130.26"; }
dhcp::host { 'monitor-tug-3': mac => "52:54:00:03:00:27", ip => "130.242.130.27"; }
@@ -536,7 +537,6 @@ class sunet-dhcp-hosts {
dhcp::host { 'registry.swamid': mac => "52:54:00:52:53:0b", ip => "130.242.125.90" }
dhcp::host { 'mdx1.swamid': mac => "52:54:00:fe:bc:09", ip => "130.242.125.91" }
dhcp::host { 'mdx2.swamid': mac => "52:54:00:30:be:dd", ip => "130.242.125.92" }
-
}
class sshaccess {
@@ -697,7 +697,7 @@ node 'cdr1.sunet.se' {
}
node 'sto-tug-kvm2.swamid.se' {
- #class { 'fail2ban': }
+ class { 'sunet::nagios': }
file {'/var/docker':
ensure => 'directory',
} ->
@@ -713,6 +713,10 @@ node 'sto-tug-kvm2.swamid.se' {
username => 'www-data',
group => 'www-data',
} ->
+ sunet::system_user {'memcache-system-user':
+ username => 'memcache',
+ group => 'memcache',
+ } ->
file {'/var/docker/postgresql_data':
ensure => 'directory',
owner => 'postgres',
@@ -751,10 +755,13 @@ node 'sto-tug-kvm2.swamid.se' {
image => 'docker.sunet.se/flog/flog_app',
volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog/:/opt/flog/logs/'],
} ->
+ sunet::docker_run {'memcached':
+ image => 'docker.sunet.se/library/memcached',
+ } ->
sunet::docker_run {'flog_nginx':
- image => 'docker.sunet.se/flog/nginx',
- ports => ['80:80', '443:443'],
- volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'],
+ image => 'docker.sunet.se/flog/nginx',
+ ports => ['80:80', '443:443'],
+ volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'],
}
}
@@ -806,54 +813,50 @@ class entropyserver {
}
}
-class fail2ban {
-
- include augeas
-
- package {'fail2ban': ensure => 'latest'}
- augeas { "fail2ban_defaults":
- incl => "/etc/fail2ban/jail.conf",
- lens => "Shellvars.lns",
- changes => [
- 'set bantime "604800"',
- ],
- notify => Service['fail2ban'],
- }
-}
-
-define etcd_node($peers_file=undef,$cluster_name="etcd") {
- file { ["/data","/data/${cluster_name}","/data/${cluster_name}/${name}"]: ensure => 'directory' }
- sunet::docker_run { 'etcd_${name}':
- image => 'quay.io/coreos/etcd',
- extra_parameters => ["-initial-advertise-peer-urls http://${::ipaddress_eth1}:8001",
- "-listen-peer-urls http://${::ipaddress_eth1}:8001",
- "-advertise-client-urls http://${::ipaddress_eth1}:5001",
- "-listen-client-urls http://${::ipaddress_eth1}:5001",
- "-name ${::hostname}",
- "-data-dir /data/${cluster_name}/${name}",
- "-initial-cluster-token ${cluster_name}",
- "-peers-file ${peers_file}"],
- ports => ["8001:8001","5001:5001"]
-
-
- }
-}
-
class quantis {
apt::ppa {'ppa:ndn/quantispci': }
package {'quantispci-dkms': }
}
class webcommon {
+ file {"/data": ensure => directory }
+ sunet::docker_run{"web_registrator":
+ image => "gliderlabs/registrator",
+ imagetag => "latest",
+ hostname => "${::fqdn}",
+ volumes => ["/var/run/docker.sock:/tmp/docker.sock"],
+ command => "etcd://etcd_sunetweb.docker:4001/services"
+ }
}
class webfrontend {
class { 'webcommon': }
docker::image {'docker.sunet.se/pound': }
- docker::image {'docker.sunet.se/varnish': }
+ sunet::etcd_node {'sunetweb':
+ disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
+ proxy => true
+ } ->
+ sunet::docker_run{"varnish":
+ image => "docker.sunet.se/varnish-auto",
+ imagetag => "latest",
+ env => ["ETCD_URL=http://etcd_sunetweb.docker:4001"],
+ ports => ["80:80"],
+ }
}
class webappserver {
+ sunet::etcd_node {'sunetweb':
+ disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
+ proxy => true
+ }
+ class { 'webcommon': }
+}
+
+class webbackend {
+ sunet::etcd_node {'sunetweb':
+ disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
+ proxy => false
+ }
class { 'webcommon': }
}
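Review bot: `webcommon` mounts `/var/run/docker.sock` into `gliderlabs/registrator` at `imagetag => "latest"`, which gives a floating third-party image full control of the Docker daemon on every web host; `sunet::docker_run` (elsewhere in this diff) also sets `verify_checksum => false`, so nothing pins what is pulled. Consider mirroring the image under docker.sunet.se as the other images here are, and pinning it, e.g. `image => "docker.sunet.se/registrator", imagetag => "<pinned-release>"` (placeholder names). The etcd discovery URL is repeated as a literal in `webfrontend`, `webappserver` and `webbackend`; as far as I know anyone holding that token can register a member with the discovery service, so a single hiera lookup would keep it in one place and out of the manifest. `ETCD_URL` and the registrator `etcd://` target are plain HTTP, which is only acceptable while port 4001 stays bound to docker0.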
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
index 8df416b..4b56a03 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
@@ -7,6 +7,8 @@ define sunet::docker_run(
$env = [],
$net = 'bridge',
$extra_parameters = [],
+ $command = "",
+ $hostname = undef,
) {
# Make container use unbound resolver on dockerhost
@@ -26,6 +28,7 @@ define sunet::docker_run(
'/etc/passwd:/etc/passwd:ro', # uid consistency
'/etc/group:/etc/group:ro', # gid consistency
]),
+ hostname => $hostname,
ports => $ports,
env => $env,
net => $net,
@@ -34,6 +37,7 @@ define sunet::docker_run(
]),
dns => $dns,
verify_checksum => false, # Rely on registry security for now. eduID risk #31.
+ command => $command,
pre_start => 'run-parts /usr/local/etc/docker.d',
post_start => 'run-parts /usr/local/etc/docker.d',
pre_stop => 'run-parts /usr/local/etc/docker.d',
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp
new file mode 100644
index 0000000..a80d355
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp
@@ -0,0 +1,44 @@
+define sunet::etcd_node(
+ $disco_url = undef,
+ $etcd_version = 'v2.0.8',
+ $proxy = true
+)
+{
+ include stdlib
+
+ file { ["/data/${name}","/data/${name}/${::hostname}"]: ensure => 'directory' }
+ $common_args = ["--discovery ${disco_url}",
+ "--name ${::hostname}",
+ "--data-dir /data",
+ "--key-file /etc/ssl/private/${::fqdn}_infra.key",
+ "--ca-file /etc/ssl/certs/infra.crt",
+ "--cert-file /etc/ssl/certs/${::fqdn}_infra.crt"]
+ if $proxy {
+ $args = concat($common_args,["--proxy on","--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379"])
+ } else {
+ $args = concat($common_args,["--initial-advertise-peer-urls http://${::ipaddress_eth1}:2380",
+ "--advertise-client-urls http://${::ipaddress_eth1}:2379",
+ "--listen-peer-urls http://0.0.0.0:2380",
+ "--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379",
+ "--peer-key-file /etc/ssl/private/${::fqdn}_infra.key",
+ "--peer-ca-file /etc/ssl/certs/infra.crt",
+ "--peer-cert-file /etc/ssl/certs/${::fqdn}_infra.crt"])
+ }
+ sunet::docker_run { "etcd_${name}":
+ image => 'quay.io/coreos/etcd',
+ imagetag => $etcd_version,
+ volumes => ["/data/${name}:/data","/etc/ssl:/etc/ssl"],
+ command => join($args," "),
+ ports => ["${::ipaddress_eth1}:2380:2380","${::ipaddress_eth1}:2379:2379","${::ipaddress_docker0}:4001:2379"]
+ }
+ if !$proxy {
+ ufw::allow { "allow-etcd-peer":
+ ip => "${::ipaddress_eth1}",
+ port => 2380
+ }
+ ufw::allow { "allow-etcd-client":
+ ip => "${::ipaddress_eth1}",
+ port => 2379
+ }
+ }
+}
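Review bot: Key, cert and CA files are passed to etcd, but every peer and client URL in `$args` uses `http://`, so as far as I know etcd v2 ignores the TLS material and serves both ports in plaintext without client authentication. Together with the two `ufw::allow` rules for 2379 and 2380, which set no `from`, any host that can reach eth1 can read and write the cluster. The peer URLs would need to be `"--listen-peer-urls https://0.0.0.0:2380"` and `"--initial-advertise-peer-urls https://${::ipaddress_eth1}:2380"`, with the client URLs on 2379 following once the local consumers speak TLS. The `/etc/ssl:/etc/ssl` volume also exposes every private key under `/etc/ssl/private` to the container; mounting only the three `_infra` files read-only would be enough. `--data-dir /data` does not use the `/data/${name}/${::hostname}` directory created above, which may be unintended.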
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp
new file mode 100644
index 0000000..01a9662
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp
@@ -0,0 +1,14 @@
+class sunet::fail2ban {
+
+ package {'fail2ban':
+ ensure => 'latest'
+ } ->
+ service {'fail2ban':
+ ensure => 'running'
+ }
+ exec {"fail2ban_defaults":
+ refreshonly => true,
+ subscribe => Service['fail2ban'],
+ command => "sleep 5; /usr/bin/fail2ban-client set ssh bantime 600800"
+ }
+}
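Review bot: The ban time set by the `fail2ban_defaults` exec is a runtime value applied through `fail2ban-client`, and the exec is `refreshonly` and subscribed to `Service['fail2ban']`, so it runs only when Puppet itself changes the service. A restart from elsewhere (a reboot, or a package upgrade under `ensure => 'latest'`) would presumably return the `ssh` jail to its configured default until then; writing the value to a managed jail configuration file that notifies the service would make it persistent. The command also begins with `sleep 5;` and the resource has neither `path` nor `provider`, which Puppet's default exec provider rejects for an unqualified command using shell syntax; adding `provider => shell,` and `path => ['/bin','/usr/bin'],` addresses that. The value `600800` deserves a comment as well, since one week is 604800 seconds.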
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp
new file mode 100644
index 0000000..91ccf6c
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp
@@ -0,0 +1,49 @@
+class sunet::nagios {
+
+ $nagios_ip_v4 = hiera('nagios_ip_v4', '109.105.111.111')
+ $nagios_ip_v6 = hiera('nagios_ip_v6', '2001:948:4:6::111')
+ $allowed_hosts = "${nagios_ip_v4},${nagios_ip_v6}"
+
+ package {'nagios-nrpe-server':
+ ensure => 'installed',
+ }
+ service {'nagios-nrpe-server':
+ ensure => 'running',
+ enable => 'true',
+ require => Package['nagios-nrpe-server'],
+ }
+ file { "/etc/nagios/nrpe.cfg" :
+ notify => Service['nagios-nrpe-server'],
+ ensure => 'file',
+ mode => '0640',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/nrpe.cfg.erb'),
+ }
+ file { "/usr/lib/nagios/plugins/check_uptime.pl" :
+ ensure => 'file',
+ mode => '0751',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/check_uptime.pl.erb'),
+ }
+ file { "/usr/lib/nagios/plugins/check_reboot" :
+ ensure => 'file',
+ mode => '0751',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/check_reboot.erb'),
+ }
+ ufw::allow { "allow-nrpe-v4":
+ from => "${nagios_ip_v4}",
+ ip => 'any',
+ proto => 'tcp',
+ port => 5666
+ }
+ ufw::allow { "allow-nrpe-v6":
+ from => "${nagios_ip_v6}",
+ ip => 'any',
+ proto => 'tcp',
+ port => 5666
+ }
+}
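Review bot: The three `file` resources (`/etc/nagios/nrpe.cfg` and the two plugins under `/usr/lib/nagios/plugins/`) set `group` and `mode` but not `owner`, so Puppet leaves the ownership of an already-existing file as it finds it. NRPE reads this configuration and executes these plugins, so adding `owner => 'root',` to each resource pins them against being rewritten by the `nagios` account. The fallback addresses in the two `hiera()` calls decide who may reach port 5666 and, through `$allowed_hosts` (presumably consumed by the nrpe.cfg template), who NRPE answers; a comment such as `# default: central Nagios poller, override in hiera` would tell the next reader what they are.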
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index 14df323..d89302f 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -1,5 +1,8 @@
define sunet::server() {
+ # fail2ban
+ class { 'sunet::fail2ban': }
+
# Set up encrypted swap
sunet::encrypted_swap { 'sunet_encrypted_swap': }
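Review bot: `class { 'sunet::fail2ban': }` is a resource-like class declaration placed inside the `sunet::server` define, so it is evaluated once per instance of the define and fails with a duplicate declaration if the class is declared a second time anywhere in the catalog. The class takes no parameters, so `include sunet::fail2ban` does the same job and is idempotent. The body of `sunet::server` continues outside this hunk.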
@@ -84,4 +87,5 @@ define line($file, $line, $ensure = 'present') {
}
}
}
+
}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
index 8daef2e..6f6abed 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
@@ -5,12 +5,12 @@ $db_host = undef,
$wordpress_version = "4.1.1",
$myqsl_version = "5.7")
{
+ include augeas
$db_hostname = $db_host ? {
undef => "${name}_mysql.docker",
default => $db_host
}
$pwd = hiera("${name}_db_password",'NOT_SET_IN_HIERA')
- file {"/data": ensure => directory } ->
file {"/data/${name}": ensure => directory } ->
file {"/data/${name}/html": ensure => directory } ->
sunet::docker_run { "${name}_wordpress":
@@ -18,7 +18,8 @@ $myqsl_version = "5.7")
imagetag => $wordpress_version,
volumes => ["/data/${name}/html:/var/www/html"],
ports => ["8080:80"],
- env => [ "WORDPRESS_DB_HOST=${db_hostname}",
+ env => [ "SERVICE_NAME=${name}",
+ "WORDPRESS_DB_HOST=${db_hostname}",
"WORDPRESS_DB_USER=${name}",
"WORDPRESS_DB_NAME=${name}",
"WORDPRESS_DB_PASSWORD=${pwd}" ]
@@ -37,5 +38,16 @@ $myqsl_version = "5.7")
"MYSQL_ROOT_PASSWORD=${pwd}",
"MYSQL_DATABASE=${name}"]
}
+ package {'automysqlbackup': ensure => latest } ->
+ augeas { 'automysqlbackup_settings':
+ incl => "/etc/default/automysqlbackup",
+ lens => "Shellvars.lns",
+ changes => [
+ "set USERNAME ${name}",
+ "set PASSWORD ${pwd}",
+ "set DBHOST ${db_hostname}",
+ "set DBNAMES ${name}"
+ ]
+ }
}
}
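Review bot: The added `augeas` resource writes the database password into `/etc/default/automysqlbackup` with `set PASSWORD ${pwd}`, unquoted, and nothing in the hunk manages that file's owner or mode. A password containing whitespace or shell metacharacters would break the augeas command or the shell-sourced file, and this is the same secret passed as `MYSQL_ROOT_PASSWORD`. Files under `/etc/default` are commonly world-readable, so a `file { '/etc/default/automysqlbackup': owner => 'root', mode => '0600' }` resource ordered before the augeas step is worth adding. `$pwd` also falls back to the literal `'NOT_SET_IN_HIERA'`, which this change now copies into the backup configuration; failing the catalog when the hiera key is missing would be safer than configuring a known password. The enclosing define starts outside this hunk.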
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb
new file mode 100755
index 0000000..aa0bd5d
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb
@@ -0,0 +1,37 @@
+#!/bin/bash
+declare -rx PROGNAME=${0##*/}
+declare -rx PROGPATH=${0%/*}/
+
+function cleanup {
+ #if [ -e "$TMPFILE" ] ; then
+ #rm "$TMPFILE"
+ #fi
+ exit $1
+}
+
+if [ -r "${PROGPATH}utils.sh" ] ; then
+ source "${PROGPATH}utils.sh"
+else
+ echo "Can't find utils.sh."
+ printf "Currently being run from %s\n" "$PROGPATH"
+ # since we couldn't define STATE_UNKNOWN since reading utils.sh failed, we use 3 here but everywhere else after this use cleanup $STATE
+ cleanup 3
+fi
+
+STATE=$STATE_UNKNOWN
+
+
+if [ -f /var/run/reboot-required.pkgs ]
+then
+ pkg=`cat /var/run/reboot-required.pkgs`
+fi
+
+if [ -f /var/run/reboot-required ]
+then
+ echo "Reboot WARNING: System reboot required by package $pkg"
+ cleanup $STATE_WARNING;
+fi
+ echo "Reboot OK: No reboot required"
+ cleanup $STATE_OK;
+cleanup $STATE;
+
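Review bot: `pkg` receives the whole content of `/var/run/reboot-required.pkgs`, which may list one package per line, so the WARNING message can span several lines while Nagios takes the status text from the first line of plugin output; `pkg=$(tr '\n' ' ' < /var/run/reboot-required.pkgs)` keeps it on one line. The final `cleanup $STATE;` is unreachable because `cleanup $STATE_OK;` has already exited, and `STATE` is not used anywhere else. `exit $1` in `cleanup` would be more robust written as `exit "$1"`.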
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb
new file mode 100755
index 0000000..dda05e4
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb
@@ -0,0 +1,721 @@
+#!/usr/bin/perl -w
+#
+# ============================== SUMMARY =====================================
+#
+# Program : check_uptime.pl
+# Version : 0.52
+# Date : June 19, 2012
+# Authors : William Leibzon - william@leibzon.org
+# Licence : GPL - summary below, full text at http://www.fsf.org/licenses/gpl.txt
+#
+# =========================== PROGRAM LICENSE =================================
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# ===================== INFORMATION ABOUT THIS PLUGIN =========================
+#
+# This plugin returns uptime of the system returning data in text (readable)
+# format as well as in minutes for performance graphing. The plugin can either
+# run on local system unix system (that supports standard 'uptime' command
+# or check remote system by SNMP. The plugin can report one CRITICAL or
+# WARNING alert if system has been rebooted since last check.
+#
+# ====================== SETUP AND PLUGIN USE NOTES =========================
+#
+# The plugin can either retrieve information from local system (when you
+# run it through check_nrpe for example) or by SNMP from remote system.
+#
+# On local system it will execute standard unix 'uptime' and 'uname -a'.
+#
+# On a remote system it'll retrieve data from sysSystem for system type
+# and use that to decide if further data should be retrieved from
+# sysUptime (OID 1.3.6.1.2.1.1.3.0) for windows or
+# hostUptime (OID 1.3.6.1.2.1.25.1.1.0) for unix system or
+# snmpEngineTime (OID 1.3.6.1.6.3.10.2.1.3) for cisco switches
+#
+# For information on available options please execute it with --help i.e:
+# check_uptime.pl --help
+#
+# As I dont have time for extensive documentation below is all very brief:
+#
+# 1. You can also specify warning and critical thresholds which will
+# give warning or critical alert if system has been up for lees then
+# specified number of minutes. Example:
+# check_uptime.pl -w 5
+# Will give warning alert if system has been up for less then 5 minutes
+#
+# 2. For performance data results you can use '-f' option which will give
+# total number of minutes the system has been up.
+#
+# 3. A special case is use of performance to feed data from previous run
+# back into the plugin. This is used to cache results about what type
+# of system it is (you can also directly specify this with -T option)
+# and also means -w and -c threshold values are ignored and instead
+# plugin will issue ONE alert (warning or critical) if system uptime
+# changes from highier value to lower
+#
+# ============================ EXAMPLES =======================================
+#
+# 1. Local server (use with NRPE or on nagios host), warning on < 5 minutes:
+#
+# define command {
+# command_name check_uptime
+# command_line $USER1$/check_uptime.pl -f -w 5
+# }
+#
+# 2. Local server (use with NRPE or on nagios host),
+# one critical alert on reboot:
+#
+# define command {
+# command_name check_uptime
+# command_line $USER1$/check_uptime.pl -f -c -P "SERVICEPERFDATA$"
+# }
+#
+# 3. Remote server SNMP v2, one warning alert on reboot,
+# autodetect and cache type of server:
+#
+# define command {
+# command_name check_snmp_uptime_v2
+# command_line $USER1$/check_uptime.pl -2 -f -w -H $HOSTADDRESS$ -C $_HOSTSNMP_COMMUNITY$ -P "$SERVICEPERFDATA$"
+# }
+#
+# 4. Remote server SNMP v3, rest as above
+#
+#define command {
+# command_name check_snmp_uptime_v3
+# command_line $USER1$/check_uptime.pl -f -w -H $HOSTADDRESS$ -l $_HOSTSNMP_V3_USER$ -x $_HOSTSNMP_V3_AUTH$ -X $_HOSTSNMP_V3_PRIV$ -L sha,aes -P "$SERVICEPERFDATA$"
+# }
+#
+# 5. Example of service definition using above
+#
+# define service{
+# use std-service
+# hostgroup_name all_snmp_hosts
+# service_description SNMP Uptime
+# max_check_attempts 1
+# check_command check_snmp_uptime
+# }
+#
+# 6. And this is optional dependency definition for above which makes
+# every SNMP service (service beloning to SNMP servicegroup) on
+# same host dependent on this SNMP Uptime check. Then if SNMP
+# daemon goes down you only receive one alert
+#
+# define servicedependency{
+# service_description SNMP Uptime
+# dependent_servicegroup_name snmp
+# }
+#
+# ============================= VERSION HISTORY ==============================
+#
+# 0.1 - sometime 2006 : Simple script for tracking local system uptime
+# 0.2 - sometime 2008 : Update to get uptime by SNMP, its now alike my other plugins
+# 0.3 - Nov 14, 2009 : Added getting system info line and using that to decide
+# format of uptime line and how to process it. Added support
+# for getting uptime with SNMP from windows systems.
+# Added documentation header alike my other plugins.
+# Planned to release it to public, but forgot.
+# 0.4 - Dec 19, 2011 : Update to support SNMP v3, released to public
+# 0.41 - Jan 13, 2012 : Added bug fix by Rom_UA posted as comment on Nagios Exchange
+# Added version history you're reading right now.
+# 0.42 - Feb 13, 2012 : Bug fix to not report WARNING if uptime is not correct output
+# 0.5 - Feb 29, 2012 : Added support for "netswitch" engine type that retrieves
+# snmpEngineTime. Added proper support for sysUpTime interpreting
+# it as 1/100s of a second and converting to days,hours,minutes
+# Changed internal processing structure, now reported uptime
+# info text is based on uptime_minutes and not separate.
+# 0.51 - Jun 05, 2012 : Bug fixed for case when when snmp system info is < 3 words.
+# 0.52 - Jun 19, 2012 : For switches if snmpEngineTime OID is not available,
+# the plugin will revert back to checking hostUptime and
+# then sysUptime. Entire logic has in fact been changed
+# to support trying more than just two OIDs. Also added
+# support to specify filename to '-v' option for debug
+# output to go to instead of console and for '--debug'
+# option as an alias to '--verbose'.
+#
+# TODO:
+# 0) Add '--extra-opts' to allow to read options from a file as specified
+# at http://nagiosplugins.org/extra-opts. This is TODO for all my plugins
+# 1) Add support for ">", "<" and other threshold qualifiers
+# as done in check_snmp_temperature.pl or check_mysqld.pl
+# 2) Support for more types, in particular network equipment such as cisco: [DONE]
+# sysUpTime is a 32-bit counter in 1/100 of a second, it rolls over after 496 days
+# snmpEngineTime (.1.3.6.1.6.3.10.2.1.3) returns the uptime in seconds and will not
+# roll over, however some cisco switches (29xx) are buggy and it gets reset too.
+# Routers running 12.0(3)T or higher can use the snmpEngineTime object from
+# the SNMP-FRAMEWORK-MIB. This keeps track of seconds since SNMP engine started.
+# 3) Add threshold into perfout as ';warn;crit'
+#
+# ========================== START OF PROGRAM CODE ===========================
+
+use strict;
+use Getopt::Long;
+
+# Nagios specific
+our $TIMEOUT;
+our %ERRORS;
+eval 'use utils qw(%ERRORS $TIMEOUT)';
+if ($@) {
+ $TIMEOUT = 10;
+ %ERRORS = ('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
+}
+
+our $no_snmp=0;
+eval 'use Net::SNMP';
+if ($@) {
+ $no_snmp=1;
+}
+
+# Version
+my $Version='0.52';
+
+# SNMP OID
+my $oid_sysSystem = '1.3.6.1.2.1.1.1.0'; # windows and some unix
+my $oid_hostUptime = '1.3.6.1.2.1.25.1.1.0'; # hostUptime, usually unix systems
+my $oid_sysUptime = '1.3.6.1.2.1.1.3.0'; # sysUpTime, windows
+my $oid_engineTime = '1.3.6.1.6.3.10.2.1.3'; # SNMP-FRAMEWORK-MIB
+
+my @oid_uptime_types = ( ['', '', ''], # type 0 is reserved
+ [ 'local', '', ''], # type 1 is local
+ [ 'win', 'sysUpTime', $oid_sysUptime ], # type 2 is windows
+ [ 'unix-host', 'hostUpTime', $oid_hostUptime ], # type 3 is unix-host
+ [ 'unix-sys', 'sysUpTime', $oid_sysUptime ], # type 4 is unix-sys
+ [ 'net', 'engineTime', $oid_engineTime ]); # type 5 is netswitch
+
+# Not used, but perhaps later
+my $oid_hrLoad = '1.3.6.1.2.1.25.3.3.1.2.1';
+my $oid_sysLoadInt1 = '1.3.6.1.4.1.2021.10.1.5.1';
+my $oid_sysLoadInt5 = '1.3.6.1.4.1.2021.10.1.5.2';
+my $oid_sysLoadInt15 = '1.3.6.1.4.1.2021.10.1.5.3';
+
+# Standard options
+my $o_host = undef; # hostname
+my $o_timeout= undef; # Timeout (Default 10)
+my $o_help= undef; # wan't some help ?
+my $o_verb= undef; # verbose mode
+my $o_version= undef; # print version
+my $o_label= undef; # change label instead of printing uptime
+my $o_perf= undef; # Output performance data (uptime in minutes)
+my $o_prevperf= undef; # performance data given with $SERVICEPERFDATA$ macro
+my $o_warn= undef; # WARNING alert if system has been up for < specified number of minutes
+my $o_crit= undef; # CRITICAL alert if system has been up for < specified number of minutes
+my $o_type= undef; # type of check (local, auto, unix, win)
+
+# Login and other options specific to SNMP
+my $o_port = 161; # SNMP port
+my $o_community = undef; # community
+my $o_version2 = undef; # use snmp v2c
+my $o_login= undef; # Login for snmpv3
+my $o_passwd= undef; # Pass for snmpv3
+my $v3protocols= undef; # V3 protocol list.
+my $o_authproto= 'md5'; # Auth protocol
+my $o_privproto= 'des'; # Priv protocol
+my $o_privpass= undef; # priv password
+
+## Additional global variables
+my %prev_perf= (); # array that is populated with previous performance data
+my $check_type = 0;
+
+sub p_version { print "check_uptime version : $Version\n"; }
+
+sub print_usage {
+ print "Usage: $0 [-v [debugfilename]] [-T local|unix-host|unix-sys|win|net] [-H <host> (-C <snmp_community>) [-2] | (-l login -x passwd [-X pass -L <authp>,<privp>) [-p <port>]] [-w <warn minutes> -s <crit minutes>] [-f] [-P <previous perf data from nagios \$SERVICEPERFDATA\$>] [-t <timeout>] | [-V] [--label <string>]\n";
+}
+
+sub isnnum { # Return true if arg is not a number
+ my $num = shift;
+ if ( $num =~ /^(\d+\.?\d*)|(^\.\d+)$/ ) { return 0 ;}
+ return 1;
+}
+
+sub div_mod { return int( $_[0]/$_[1]) , ($_[0] % $_[1]); }
+
+sub help {
+ print "\nUptime Plugin for Nagios (check_uptime) v. ",$Version,"\n";
+ print "GPL licence, (c) 2008-2012 William Leibzon\n\n";
+ print_usage();
+ print <<EOT;
+
+Debug & Console Options:
+ -v, --verbose[=FILENAME], --debug[=FILENAME]
+ print extra debugging information.
+ if filename is specified instead of STDOUT the debug data is written to that file
+ -h, --help
+ print this help message
+ -V, --version
+ prints version number
+
+Standard Options:
+ -T, --type=auto|local|unix-host|unis-sys|windows|netswitch
+ Type of system:
+ local : localhost (executes 'uptime' command), default if no -C or -l
+ unix-host : SNMP check from hostUptime ($oid_hostUptime) OID
+ unix-sys : SNMP check from sysUptime ($oid_sysUptime) OID
+ win | windows : SNMP check from sysUptime ($oid_sysUptime) OID
+ net | netswitch : SNMP check from snmpEngineTime ($oid_engineTime) OID
+ auto : Autodetect what system by checking sysSystem OID first, default
+ -w, --warning[=minutes]
+ Report nagios WARNING alert if system has been up for less then specified
+ number of minutes. If no minutes are specified but previous preformance
+ data is fed back with -P option then alert is sent ONLY ONCE when
+ uptime changes from greater value to smaller
+ -c, --critical[=minutes]
+ Report nagios CRITICAL alert if system has been up for less then
+ specified number of minutes or ONE ALERT if -P option is used and
+ system's previous uptime is larger then current on
+ -f, --perfparse
+ Perfparse compatible output
+ -P, --prev_perfdata
+ Previous performance data (normally put '-P \$SERVICEPERFDATA\$' in
+ nagios command definition). This is recommended if you dont specify
+ type of system with -T so that previously checked type of system info
+ is reused. This is also used to decide on warning/critical condition
+ if number of seconds is not specified with -w or -c.
+ --label=[string]
+ Optional custom label before results prefixed to results
+ -t, --timeout=INTEGER
+ timeout for SNMP in seconds (Default: 15)
+
+SNMP Access Options:
+ -H, --hostname=HOST
+ name or IP address of host to check (if not localhost)
+ -C, --community=COMMUNITY NAME
+ community name for the SNMP agent (used with v1 or v2c protocols)
+ -2, --v2c
+ use snmp v2c (can not be used with -l, -x)
+ -l, --login=LOGIN ; -x, --passwd=PASSWD
+ Login and auth password for snmpv3 authentication
+ If no priv password exists, implies AuthNoPriv
+ -X, --privpass=PASSWD
+ Priv password for snmpv3 (AuthPriv protocol)
+ -L, --protocols=<authproto>,<privproto>
+ <authproto> : Authentication protocol (md5|sha : default md5)
+ <privproto> : Priv protocols (des|aes : default des)
+ -p, --port=PORT
+ SNMP port (Default 161)
+EOT
+}
+
+# For verbose output (updated 06/06/12 to write to debug file if specified)
+sub verb {
+ my $t=shift;
+ if (defined($o_verb)) {
+ if ($o_verb eq "") {
+ print $t,"\n";
+ }
+ else {
+ if (!open(DEBUGFILE, ">>$o_verb")) {
+ print $t, "\n";
+ }
+ else {
+ print DEBUGFILE $t,"\n";
+ close DEBUGFILE;
+ }
+ }
+ }
+}
+
+# load previous performance data
+sub process_perf {
+ my %pdh;
+ my ($nm,$dt);
+ foreach (split(' ',$_[0])) {
+ if (/(.*)=(.*)/) {
+ ($nm,$dt)=($1,$2);
+ verb("prev_perf: $nm = $dt");
+ # in some of my plugins time_ is to profile how long execution takes for some part of plugin
+ # $pdh{$nm}=$dt if $nm !~ /^time_/;
+ $pdh{$nm}=$dt;
+ }
+ }
+ return %pdh;
+}
+
+sub type_from_name {
+ my $type=shift;
+ for(my $i=1; $i<scalar(@oid_uptime_types); $i++) {
+ if ($oid_uptime_types[$i][0] eq $type) {
+ return $i;
+ }
+ }
+ return -1;
+}
+
+
+sub check_options {
+ Getopt::Long::Configure ("bundling");
+ GetOptions(
+ 'v:s' => \$o_verb, 'verbose:s' => \$o_verb, "debug:s" => \$o_verb,
+ 'h' => \$o_help, 'help' => \$o_help,
+ 'H:s' => \$o_host, 'hostname:s' => \$o_host,
+ 'p:i' => \$o_port, 'port:i' => \$o_port,
+ 'C:s' => \$o_community, 'community:s' => \$o_community,
+ '2' => \$o_version2, 'v2c' => \$o_version2,
+ 'l:s' => \$o_login, 'login:s' => \$o_login,
+ 'x:s' => \$o_passwd, 'passwd:s' => \$o_passwd,
+ 'X:s' => \$o_privpass, 'privpass:s' => \$o_privpass,
+ 'L:s' => \$v3protocols, 'protocols:s' => \$v3protocols,
+ 't:i' => \$o_timeout, 'timeout:i' => \$o_timeout,
+ 'V' => \$o_version, 'version' => \$o_version,
+ 'f' => \$o_perf, 'perfparse' => \$o_perf,
+ 'w:i' => \$o_warn, 'warning:i' => \$o_warn,
+ 'c:i' => \$o_crit, 'critical:i' => \$o_crit,
+ 'label:s' => \$o_label,
+ 'P:s' => \$o_prevperf, 'prev_perfdata:s' => \$o_prevperf,
+ 'T:s' => \$o_type, 'type:s' => \$o_type,
+ );
+ if (defined ($o_help) ) { help(); exit $ERRORS{"UNKNOWN"}};
+ if (defined($o_version)) { p_version(); exit $ERRORS{"UNKNOWN"}};
+
+ $o_type = "win" if defined($o_type) && $o_type eq 'windows';
+ $o_type = "net" if defined($o_type) && $o_type eq 'netswitch';
+ if (defined($o_type) && $o_type ne 'auto' && type_from_name($o_type)==-1) {
+ print "Invalid system type specified\n"; print_usage(); exit $ERRORS{"UNNKNOWN"};
+ }
+
+ if (!defined($o_community) && (!defined($o_login) || !defined($o_passwd)) ) {
+ $o_type='local' if !defined($o_type) || $o_type eq 'auto';
+ if ($o_type ne 'local') {
+ print "Put snmp login info!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}
+ }
+ if (defined($o_host)) {
+ print "Why are you specifying hostname without SNMP parameters?\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+ else {
+ $o_type='auto' if !defined($o_type);
+ if ($o_type eq 'local' ) {
+ print "Why are you specifying SNMP login for local system???\n"; print_usage(); exit $ERRORS{"UNKNOWN"}
+ }
+ if (!defined($o_host)) {
+ print "Hostname required for SNMP check.\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ if ($no_snmp) {
+ print "Can't locate Net/SNMP.pm\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+
+ # check snmp information
+ if ((defined($o_login) || defined($o_passwd)) && (defined($o_community) || defined($o_version2)) )
+ { print "Can't mix snmp v1,2c,3 protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ if (defined ($v3protocols)) {
+ if (!defined($o_login)) { print "Put snmp V3 login info with protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ my @v3proto=split(/,/,$v3protocols);
+ if ((defined ($v3proto[0])) && ($v3proto[0] ne "")) {$o_authproto=$v3proto[0]; } # Auth protocol
+ if (defined ($v3proto[1])) {$o_privproto=$v3proto[1]; } # Priv protocol
+ if ((defined ($v3proto[1])) && (!defined($o_privpass)))
+ { print "Put snmp V3 priv login info with priv protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ }
+
+ if (defined($o_timeout) && (isnnum($o_timeout) || ($o_timeout < 2) || ($o_timeout > 60)))
+ { print "Timeout must be >1 and <60 !\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ if (!defined($o_timeout)) {$o_timeout=$TIMEOUT+5;}
+
+ if (defined($o_prevperf)) {
+ if (defined($o_perf)) {
+ %prev_perf=process_perf($o_prevperf);
+ $check_type = $prev_perf{type} if $o_type eq 'auto' && exists($prev_perf{tye}) && exists($oid_uptime_types[$prev_perf{type}][0]);
+ }
+ else {
+ print "need -f option first \n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+
+ if ($o_type eq 'auto') {
+ $check_type=0;
+ }
+ else {
+ $check_type = type_from_name($o_type);
+ }
+}
+
+sub create_snmp_session {
+ my ($session,$error);
+
+ if ( defined($o_login) && defined($o_passwd)) {
+ # SNMPv3 login
+ if (!defined ($o_privpass)) {
+ verb("SNMPv3 AuthNoPriv login : $o_login, $o_authproto");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => '3',
+ -port => $o_port,
+ -username => $o_login,
+ -authpassword => $o_passwd,
+ -authprotocol => $o_authproto,
+ -timeout => $o_timeout
+ );
+ } else {
+ verb("SNMPv3 AuthPriv login : $o_login, $o_authproto, $o_privproto");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => '3',
+ -username => $o_login,
+ -port => $o_port,
+ -authpassword => $o_passwd,
+ -authprotocol => $o_authproto,
+ -privpassword => $o_privpass,
+ -privprotocol => $o_privproto,
+ -timeout => $o_timeout
+ );
+ }
+ } else {
+ if (defined ($o_version2)) {
+ # SNMPv2c Login
+ verb("SNMP v2c login");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => 2,
+ -community => $o_community,
+ -port => $o_port,
+ -timeout => $o_timeout
+ );
+ } else {
+ # SNMPV1 login
+ verb("SNMP v1 login");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -community => $o_community,
+ -port => $o_port,
+ -timeout => $o_timeout
+ );
+ }
+ }
+ if (!defined($session)) {
+ printf("ERROR opening session: %s.\n", $error);
+ exit $ERRORS{"UNKNOWN"};
+ }
+
+ return $session;
+}
+
+$SIG{'ALRM'} = sub {
+ print "Alarm timeout\n";
+ exit $ERRORS{"UNKNOWN"};
+};
+
+########## MAIN #######
+my $system_info="";
+my $uptime_info=undef;
+my $uptime_minutes=undef;
+my $perf_out="";
+my $status=0;
+my $uptime_output;
+my ($days, $hrs, $mins);
+
+check_options();
+
+# Check gobal timeout if snmp screws up
+if (defined($o_timeout)) {
+ verb("Alarm at $o_timeout + 5");
+ alarm($o_timeout+5);
+}
+
+if ($check_type==1) { # local
+ # Process unix uptime command output
+ $uptime_output=`uptime`;
+ verb("Local Uptime Result is: $uptime_output");
+ if ($uptime_output =~ /(\d+)\s+days?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = ($1, $2, $3);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\shours?\s+(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\s+min/) {
+ ($days, $hrs, $mins) = (0,0,$1);
+ }
+ elsif ($uptime_output =~ /up\s+(d+)s+days?,s+(d+)s+min/) {
+ ($days, $hrs, $mins) = ($1,0,$2);
+ }
+ else {
+ $uptime_info = "up ".$uptime_output;
+ }
+ if (defined($days) && defined($hrs) && defined($mins)) {
+ $uptime_minutes = $days*24*60+$hrs*60+$mins;
+ }
+ my @temp=split(' ',`uname -a`);
+ if (scalar(@temp)<3) {
+ $system_info=`uname -a`;
+ }
+ else {
+ $system_info=join(' ',$temp[0],$temp[1],$temp[2]);
+ }
+}
+else {
+ # SNMP connection
+ my $session=create_snmp_session();
+ my $result=undef;
+ my $oid="";
+ my $guessed_check_type=0;
+
+ if ($check_type==0){
+ $result = $session->get_request(-varbindlist=>[$oid_sysSystem]);
+ if (!defined($result)) {
+ printf("ERROR: Can not retrieve $oid_sysSystem table: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ verb("$o_host SysInfo Result from OID $oid_sysSystem: $result->{$oid_sysSystem}");
+ if ($result->{$oid_sysSystem} =~ /Windows/) {
+ $guessed_check_type=2;
+ verb('Guessing Type: 2 = windows');
+ }
+ if ($result->{$oid_sysSystem} =~ /Cisco/) {
+ $guessed_check_type=5;
+ verb('Guessing Type: 5 = netswitch');
+ }
+ if ($guessed_check_type==0) {
+ $guessed_check_type=3; # will try hostUptime first
+ }
+ $oid=$oid_uptime_types[$guessed_check_type][2];
+ }
+ else {
+ $oid=$oid_uptime_types[$check_type][2];
+ }
+
+ do {
+ $result = $session->get_request(-varbindlist=>[$oid,$oid_sysSystem]);
+ if (!defined($result)) {
+ if ($check_type!=0) {
+ printf("ERROR: Can not retrieve uptime OID table $oid: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ else {
+ if ($session->error =~ /noSuchName/) {
+ if ($guessed_check_type==4) {
+ verb("Received noSuchName error for sysUpTime OID $oid. Giving up.");
+ $guessed_check_type=0;
+ }
+ if ($guessed_check_type==3) {
+ verb("Received noSuchName error for hostUpTime OID $oid, will now try sysUpTime");
+ $guessed_check_type=4;
+ }
+ else {
+ verb("Received noSuchName error for OID $oid, will now try hostUpTime");
+ $guessed_check_type=3;
+ }
+ if ($guessed_check_type!=0) {
+ $oid=$oid_uptime_types[$guessed_check_type][2];
+ }
+ }
+ else {
+ printf("ERROR: Can not retrieve uptime OID table $oid: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ }
+ }
+ else {
+ if ($check_type==0) {
+ $check_type=$guessed_check_type;
+ }
+ }
+ }
+ while (!defined($result) && $guessed_check_type!=0);
+
+ $session->close;
+ if ($check_type==0 && $guessed_check_type==0) {
+ printf("ERROR: Can not autodetermine proper uptime OID table. Giving up.\n");
+ exit $ERRORS{"UNKNOWN"};
+ }
+
+ my ($days, $hrs, $mins);
+ $uptime_output=$result->{$oid};
+ verb("$o_host Uptime Result from OID $oid: $uptime_output");
+
+ if ($uptime_output =~ /(\d+)\s+days?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = ($1, $2, $3);
+ }
+ elsif ($uptime_output =~ /(\d+)\s+hours?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /(\d+)\s+min/) {
+ ($days, $hrs, $mins) = (0, 0, $1);
+ }
+ if (defined($days) && defined($hrs) && defined($mins)) {
+ $uptime_minutes = $days*24*60+$hrs*60+$mins;
+ }
+ elsif ($uptime_output =~ /^(\d+)$/) {
+ my $upnum = $1;
+ if ($oid eq $oid_sysUptime) {
+ $uptime_minutes = $upnum/100/60;
+ }
+ elsif ($oid eq $oid_engineTime) {
+ $uptime_minutes = $upnum/60;
+ }
+ }
+ else {
+ $uptime_info = "up ".$uptime_output;
+ }
+ my @temp=split(' ',$result->{$oid_sysSystem});
+ if (scalar(@temp)<3) {
+ $system_info=$result->{$oid_sysSystem};
+ }
+ else {
+ $system_info=join(' ',$temp[0],$temp[1],$temp[2]);
+ }
+}
+
+if (defined($uptime_minutes) && !defined($uptime_info)) {
+ ($hrs,$mins) = div_mod($uptime_minutes,60);
+ ($days,$hrs) = div_mod($hrs,24);
+ $uptime_info = "up ";
+ $uptime_info .= "$days days " if $days>0;
+ $uptime_info .= "$hrs hours " if $hrs>0;
+ $uptime_info .= "$mins minutes";
+}
+
+verb("System Type: $check_type (".$oid_uptime_types[$check_type][0].")");
+verb("System Info: $system_info") if $system_info;
+verb("Uptime Text: $uptime_info") if defined($uptime_info);
+verb("Uptime Minutes: $uptime_minutes") if defined($uptime_minutes);
+
+if (!defined($uptime_info)) {
+ $uptime_info = "Can not determine uptime";
+ $status = 3;
+}
+
+if (defined($o_perf)) {
+ $perf_out = "type=$check_type";
+ $perf_out .= " uptime_minutes=$uptime_minutes" if defined($uptime_minutes);
+}
+
+if (defined($uptime_minutes)) {
+ if (defined($o_prevperf)) {
+ $status = 1 if defined($o_warn) && exists($prev_perf{uptime_minutes}) && $prev_perf{uptime_minutes} > $uptime_minutes;
+ $status = 2 if defined($o_crit) && exists($prev_perf{uptime_minutes}) && $prev_perf{uptime_minutes} > $uptime_minutes;
+ }
+ else {
+ $status = 1 if defined($o_warn) && !isnnum($o_warn) && $o_warn >= $uptime_minutes;
+ $status = 2 if defined($o_crit) && !isnnum($o_crit) && $o_crit >= $uptime_minutes;
+ }
+}
+alarm(0);
+
+my $exit_status="UNKNOWN";
+$exit_status="OK" if $status==0;
+$exit_status="WARNING" if $status==1;
+$exit_status="CRITICAL" if $status==2;
+$exit_status="UNKNOWN" if $status==3;
+$exit_status="$o_label $exit_status" if defined($o_label);
+print "$exit_status: $system_info";
+print " - $uptime_info";
+print " | ",$perf_out if $perf_out;
+print "\n";
+exit $status;
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb
new file mode 100644
index 0000000..960dd61
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb
@@ -0,0 +1,262 @@
+<%# nrpe.cfg %>
+
+# ###################################################
+# # #
+# # # This file is managed with
+# # #
+# # # ##### # # ##### ##### ###### #####
+# # # # # # # # # # # # #
+# # # # # # # # # # # ##### #
+# # # ##### # # ##### ##### # #
+# # # # # # # # # #
+# # # # #### # # ###### #
+# # #
+# # # ... so you can't just change it locally.
+# # #
+# # ###################################################
+
+#############################################################################
+# Sample NRPE Config File
+# Written by: Ethan Galstad (nagios@nagios.org)
+#
+# Last Modified: 11-23-2007
+#
+# NOTES:
+# This is a sample configuration file for the NRPE daemon. It needs to be
+# located on the remote host that is running the NRPE daemon, not the host
+# from which the check_nrpe client is being executed.
+#############################################################################
+
+
+# LOG FACILITY
+# The syslog facility that should be used for logging purposes.
+
+log_facility=daemon
+
+
+
+# PID FILE
+# The name of the file in which the NRPE daemon should write it's process ID
+# number. The file is only written if the NRPE daemon is started by the root
+# user and is running in standalone mode.
+
+pid_file=/var/run/nagios/nrpe.pid
+
+
+
+# PORT NUMBER
+# Port number we should wait for connections on.
+# NOTE: This must be a non-priviledged port (i.e. > 1024).
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+server_port=5666
+
+
+
+# SERVER ADDRESS
+# Address that nrpe should bind to in case there are more than one interface
+# and you do not want nrpe to bind on all interfaces.
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+#server_address=127.0.0.1
+
+
+
+# NRPE USER
+# This determines the effective user that the NRPE daemon should run as.
+# You can either supply a username or a UID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+nrpe_user=nagios
+
+
+
+# NRPE GROUP
+# This determines the effective group that the NRPE daemon should run as.
+# You can either supply a group name or a GID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+nrpe_group=nagios
+
+
+
+# ALLOWED HOST ADDRESSES
+# This is an optional comma-delimited list of IP address or hostnames
+# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
+# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
+# supported.
+#
+# Note: The daemon only does rudimentary checking of the client's IP
+# address. I would highly recommend adding entries in your /etc/hosts.allow
+# file to allow only the specified host to connect to the port
+# you are running this daemon on.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+allowed_hosts= <%= @allowed_hosts %>
+
+# COMMAND ARGUMENT PROCESSING
+# This option determines whether or not the NRPE daemon will allow clients
+# to specify arguments to commands that are executed. This option only works
+# if the daemon was configured with the --enable-command-args configure script
+# option.
+#
+# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
+# Read the SECURITY file for information on some of the security implications
+# of enabling this variable.
+#
+# Values: 0=do not allow arguments, 1=allow command arguments
+
+dont_blame_nrpe=0
+
+
+
+# BASH COMMAND SUBTITUTION
+# This option determines whether or not the NRPE daemon will allow clients
+# to specify arguments that contain bash command substitutions of the form
+# $(...). This option only works if the daemon was configured with both
+# the --enable-command-args and --enable-bash-command-substitution configure
+# script options.
+#
+# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
+# Read the SECURITY file for information on some of the security implications
+# of enabling this variable.
+#
+# Values: 0=do not allow bash command substitutions,
+# 1=allow bash command substitutions
+
+allow_bash_command_substitution=0
+
+
+
+# COMMAND PREFIX
+# This option allows you to prefix all commands with a user-defined string.
+# A space is automatically added between the specified prefix string and the
+# command line from the command definition.
+#
+# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
+# Usage scenario:
+# Execute restricted commmands using sudo. For this to work, you need to add
+# the nagios user to your /etc/sudoers. An example entry for alllowing
+# execution of the plugins from might be:
+#
+# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
+#
+# This lets the nagios user run all commands in that directory (and only them)
+# without asking for a password. If you do this, make sure you don't give
+# random users write access to that directory or its contents!
+
+# command_prefix=/usr/bin/sudo
+
+
+
+# DEBUGGING OPTION
+# This option determines whether or not debugging messages are logged to the
+# syslog facility.
+# Values: 0=debugging off, 1=debugging on
+
+debug=0
+
+
+
+# COMMAND TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# allow plugins to finish executing before killing them off.
+
+command_timeout=60
+
+
+
+# CONNECTION TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# wait for a connection to be established before exiting. This is sometimes
+# seen where a network problem stops the SSL being established even though
+# all network sessions are connected. This causes the nrpe daemons to
+# accumulate, eating system resources. Do not set this too low.
+
+connection_timeout=300
+
+
+
+# WEEK RANDOM SEED OPTION
+# This directive allows you to use SSL even if your system does not have
+# a /dev/random or /dev/urandom (on purpose or because the necessary patches
+# were not applied). The random number generator will be seeded from a file
+# which is either a file pointed to by the environment valiable $RANDFILE
+# or $HOME/.rnd. If neither exists, the pseudo random number generator will
+# be initialized and a warning will be issued.
+# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
+
+#allow_weak_random_seed=1
+
+
+
+# INCLUDE CONFIG FILE
+# This directive allows you to include definitions from an external config file.
+
+#include=<somefile.cfg>
+
+
+
+# INCLUDE CONFIG DIRECTORY
+# This directive allows you to include definitions from config files (with a
+# .cfg extension) in one or more directories (with recursion).
+
+#include_dir=<somedirectory>
+#include_dir=<someotherdirectory>
+
+
+
+# COMMAND DEFINITIONS
+# Command definitions that this daemon will run. Definitions
+# are in the following format:
+#
+# command[<command_name>]=<command_line>
+#
+# When the daemon receives a request to return the results of <command_name>
+# it will execute the command specified by the <command_line> argument.
+#
+# Unlike Nagios, the command line cannot contain macros - it must be
+# typed exactly as it should be executed.
+#
+# Note: Any plugins that are used in the command lines must reside
+# on the machine that this daemon is running on! The examples below
+# assume that you have plugins installed in a /usr/local/nagios/libexec
+# directory. Also note that you will have to modify the definitions below
+# to match the argument format the plugins expect. Remember, these are
+# examples only!
+
+
+# The following examples use hardcoded command arguments...
+
+command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
+command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
+command[check_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
+command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
+command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
+command[check_uptime]=/usr/lib/nagios/plugins/check_uptime.pl -f
+command[check_reboot]=/usr/lib/nagios/plugins/check_reboot
+
+# The following examples allow user-supplied arguments and can
+# only be used if the NRPE daemon was compiled with support for
+# command arguments *AND* the dont_blame_nrpe directive in this
+# config file is set to '1'. This poses a potential security risk, so
+# make sure you read the SECURITY file before doing this.
+
+#command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
+#command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
+#command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
+#command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+
+#
+# local configuration:
+# if you'd prefer, you can instead place directives here
+include=/etc/nagios/nrpe_local.cfg
+
+#
+# you can place your config snipplets into nrpe.d/
+# only snipplets ending in .cfg will get included
+include_dir=/etc/nagios/nrpe.d/
+
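Review bot: `allowed_hosts= <%= @allowed_hosts %>` writes the variable into the only access-control directive in this file without checking that it is set, while `server_address` stays commented out so the daemon is not restricted to one interface. If `@allowed_hosts` is unset or empty the line renders as `allowed_hosts=` plus a space; how NRPE treats that is version-dependent and may mean a failed start or no address restriction, so the declaring class (not visible in this hunk) should reject an empty value before rendering. Writing it as `allowed_hosts=<%= @allowed_hosts %>` also avoids relying on the parser to trim the leading space. The trailing `include=/etc/nagios/nrpe_local.cfg` and `include_dir=/etc/nagios/nrpe.d/` are read after `dont_blame_nrpe=0`, so a local file can presumably re-enable argument passing despite the "managed with Puppet" banner; a comment above the includes should say so.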
diff --git a/global/overlay/etc/ssl/certs/infra.crt b/global/overlay/etc/ssl/certs/infra.crt
new file mode 100644
index 0000000..a34ba57
--- /dev/null
+++ b/global/overlay/etc/ssl/certs/infra.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/global/overlay/usr/local/bin/ping-check b/global/overlay/usr/local/bin/ping-check
new file mode 100755
index 0000000..57d533c
--- /dev/null
+++ b/global/overlay/usr/local/bin/ping-check
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+#
+# Ping until reply or MAX_TRIES. One try == 1s.
+#
+
+MAX_TRIES=60
+LOGTAG="sunet_docker_ping_check"
+
+count=1
+until ping -c1 $1 &> /dev/null
+do
+ if [ $count -gt $MAX_TRIES ]
+ then
+ logger -t "$LOGTAG" "No response from $1 after $MAX_TRIES tries."
+ exit 1
+ fi
+ sleep 1
+ count=$[$count+1]
+done
+logger -t "$LOGTAG" "IP lookup of $1 succeeded after $count tries."
+
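Review bot: `$1` is expanded unquoted in `ping -c1 $1`, so a value containing whitespace is split into extra ping arguments and a value starting with `-` is parsed as an option. Nothing checks that an argument was given either, in which case ping fails on usage and the loop still runs for the full `MAX_TRIES`. I would write `until ping -c1 -- "$1" &> /dev/null` and add `[ -n "$1" ] || exit 2` before the loop. The header comment says one try is one second, but without a reply deadline such as `-W 1` a single ping can block longer than that. `count=$[$count+1]` is the deprecated arithmetic form (`count=$((count + 1))` is the current one), and the success message says "IP lookup" although the check is a ping.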
diff --git a/scripts/mkreq b/scripts/mkreq
index 44aaddc..76b6c4c 100755
--- a/scripts/mkreq
+++ b/scripts/mkreq
@@ -88,6 +88,7 @@ default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_extensions
prompt = no
+string_mask = nombstr
[ req_distinguished_name ]
C = SE
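Review bot: `string_mask = nombstr` is added without a comment saying which consumer needs it, and it is the legacy setting. It limits subject fields to PrintableString and T61String, so any non-ASCII value in a request would be encoded as T61String rather than UTF8String. If a CA or client here really rejects UTF8String, say so next to the line, e.g. `# nombstr: <consumer> cannot parse UTF8String subjects`; otherwise `string_mask = utf8only` is the value current PKIX guidance expects. The surrounding config block starts and ends outside this hunk.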
diff --git a/sto-tug-kvm2.swamid.se/overlay/etc/cron.d/flog_daily b/sto-tug-kvm2.swamid.se/overlay/etc/cron.d/flog_daily
index 0759dca..5878023 100644
--- a/sto-tug-kvm2.swamid.se/overlay/etc/cron.d/flog_daily
+++ b/sto-tug-kvm2.swamid.se/overlay/etc/cron.d/flog_daily
@@ -1,6 +1,6 @@
# m h dom mon dow user command
0 23 * * * root /usr/local/bin/scriptherder --mode wrap --name flog_update_institutions -- /usr/bin/curl https://meta.eduroam.se/institution.xml -so /opt/flog/institution.xml
-1 0 * * * root /usr/local/bin/scriptherder --mode wrap --syslog --name flog_db_backup -- /usr/local/bin/postgres_backup
+1 0 * * * root /usr/local/bin/scriptherder --mode wrap --syslog --name flog_db_backup -- docker exec flog_db /usr/local/bin/backup
# Run aggregation and caching for eduroam data
20 0 * * * root /usr/local/bin/scriptherder --mode wrap --name flog_daily_eduroam -- /usr/bin/docker run --rm -it -a stdout -a stderr -v /opt/flog/dotenv:/opt/flog/.env -v /var/log/flog_cron/:/opt/flog/logs/ -v /opt/flog/institution.xml:/opt/flog/institution.xml -v /opt/flog/dotenv:/opt/flog/.env -v /etc/passwd:/etc/passwd:ro -v /etc/group:/etc/group:ro --link flog_db:flog_db.docker docker.sunet.se/flog/flog_app /bin/sh -e /usr/local/bin/daily_eduroam
# Run aggregation and caching for sso data
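Review bot: The new backup line calls `docker exec` by bare name while the `flog_daily_eduroam` entry two lines below uses `/usr/bin/docker`, so this job depends on cron's PATH where its neighbour does not. Writing `-- /usr/bin/docker exec flog_db /usr/local/bin/backup` keeps the file consistent. The backup now runs inside the `flog_db` container, and nothing in this hunk shows where `/usr/local/bin/backup` writes. If the dump lands on the container's own filesystem it is lost with the container, so a comment should name the host path or volume that receives it. The job also fails whenever `flog_db` is not running, which is worth confirming scriptherder reports.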
diff --git a/sto-tug-kvm2.swamid.se/overlay/etc/nagios/nrpe.d/cosmos_nrpe.cfg b/sto-tug-kvm2.swamid.se/overlay/etc/nagios/nrpe.d/cosmos_nrpe.cfg
new file mode 100644
index 0000000..40dc7b1
--- /dev/null
+++ b/sto-tug-kvm2.swamid.se/overlay/etc/nagios/nrpe.d/cosmos_nrpe.cfg
@@ -0,0 +1,17 @@
+# ###################################################
+# # This file is maintained in
+# #
+# # #### #### #### # # #### ####
+# # # # # # # ## ## # # #
+# # # # # #### # ## # # # ####
+# # # # # # # # # # #
+# # # # # # # # # # # # # #
+# # #### #### #### # # #### ####
+# #
+# # ... so you can't just change it locally.
+# #
+# ###################################################
+
+command[check_uptime]=/usr/lib/nagios/plugins/check_uptime.pl -f
+command[check_reboot]=/usr/lib/nagios/plugins/check_reboot
+command[check_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
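Review bot: The three `command[...]` lines repeat, character for character, `check_uptime`, `check_reboot` and `check_root` from the `nrpe.cfg.erb` template added in this same commit, which already includes `/etc/nagios/nrpe.d/`. If this host also receives the templated `nrpe.cfg` (not visible here), the definitions exist twice and their thresholds can drift apart unnoticed. Keep them in one place, or add a comment such as `# overrides the defaults in nrpe.cfg for this host` stating which copy is authoritative.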
diff --git a/sto-tug-kvm2.swamid.se/overlay/usr/lib/nagios/plugins/check_reboot b/sto-tug-kvm2.swamid.se/overlay/usr/lib/nagios/plugins/check_reboot
new file mode 100755
index 0000000..4cb9df3
--- /dev/null
+++ b/sto-tug-kvm2.swamid.se/overlay/usr/lib/nagios/plugins/check_reboot
@@ -0,0 +1,37 @@
+#!/bin/bash
+declare -rx PROGNAME=${0##*/}
+declare -rx PROGPATH=${0%/*}/
+
+function cleanup {
+ #if [ -e "$TMPFILE" ] ; then
+ #rm "$TMPFILE"
+ #fi
+ exit $1
+}
+
+if [ -r "${PROGPATH}utils.sh" ] ; then
+ source "${PROGPATH}utils.sh"
+else
+ echo "Can't find utils.sh."
+ printf "Currently being run from %s\n" "$PROGPATH"
+ # since we couldn't define STATE_UNKNOWN since reading utils.sh failed, we use 3 here but everywhere else after this use cleanup $STATE
+ cleanup 3
+fi
+
+STATE=$STATE_UNKNOWN
+
+
+if [ -f /var/run/reboot-required.pkgs ]
+then
+ pkg=`cat /var/run/reboot-required.pkgs`
+fi
+
+if [ -f /var/run/reboot-required ]
+then
+ echo "Reboot WARNING: System reboot required by package $pkg"
+ cleanup $STATE_WARNING;
+fi
+ echo "Reboot OK: No reboot required"
+ cleanup $STATE_OK;
+cleanup $STATE;
+
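Review bot: The `pkg=` assignment reads `/var/run/reboot-required.pkgs` verbatim, one package per line, so with more than one package the plugin prints a multi-line status and Nagios shows only the first line. When the `.pkgs` file is absent the message ends in "by package " with nothing after it. I would use `pkg=$(tr '\n' ' ' < /var/run/reboot-required.pkgs)` and print the package part only when `$pkg` is non-empty. The final `cleanup $STATE;` can never run because `cleanup $STATE_OK;` above it exits, and the two indented lines read as if an `else` were missing. `PROGPATH=${0%/*}/` also assumes `$0` contains a slash and the script then sources `utils.sh` from that directory, so the plugin directory must be writable by root only.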
diff --git a/sto-tug-kvm2.swamid.se/overlay/usr/lib/nagios/plugins/check_uptime.pl b/sto-tug-kvm2.swamid.se/overlay/usr/lib/nagios/plugins/check_uptime.pl
new file mode 100755
index 0000000..dda05e4
--- /dev/null
+++ b/sto-tug-kvm2.swamid.se/overlay/usr/lib/nagios/plugins/check_uptime.pl
@@ -0,0 +1,721 @@
+#!/usr/bin/perl -w
+#
+# ============================== SUMMARY =====================================
+#
+# Program : check_uptime.pl
+# Version : 0.52
+# Date : June 19, 2012
+# Authors : William Leibzon - william@leibzon.org
+# Licence : GPL - summary below, full text at http://www.fsf.org/licenses/gpl.txt
+#
+# =========================== PROGRAM LICENSE =================================
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# ===================== INFORMATION ABOUT THIS PLUGIN =========================
+#
+# This plugin returns uptime of the system returning data in text (readable)
+# format as well as in minutes for performance graphing. The plugin can either
+# run on local system unix system (that supports standard 'uptime' command
+# or check remote system by SNMP. The plugin can report one CRITICAL or
+# WARNING alert if system has been rebooted since last check.
+#
+# ====================== SETUP AND PLUGIN USE NOTES =========================
+#
+# The plugin can either retrieve information from local system (when you
+# run it through check_nrpe for example) or by SNMP from remote system.
+#
+# On local system it will execute standard unix 'uptime' and 'uname -a'.
+#
+# On a remote system it'll retrieve data from sysSystem for system type
+# and use that to decide if further data should be retrieved from
+# sysUptime (OID 1.3.6.1.2.1.1.3.0) for windows or
+# hostUptime (OID 1.3.6.1.2.1.25.1.1.0) for unix system or
+# snmpEngineTime (OID 1.3.6.1.6.3.10.2.1.3) for cisco switches
+#
+# For information on available options please execute it with --help i.e:
+# check_uptime.pl --help
+#
+# As I dont have time for extensive documentation below is all very brief:
+#
+# 1. You can also specify warning and critical thresholds which will
+# give warning or critical alert if system has been up for lees then
+# specified number of minutes. Example:
+# check_uptime.pl -w 5
+# Will give warning alert if system has been up for less then 5 minutes
+#
+# 2. For performance data results you can use '-f' option which will give
+# total number of minutes the system has been up.
+#
+# 3. A special case is use of performance to feed data from previous run
+# back into the plugin. This is used to cache results about what type
+# of system it is (you can also directly specify this with -T option)
+# and also means -w and -c threshold values are ignored and instead
+# plugin will issue ONE alert (warning or critical) if system uptime
+# changes from highier value to lower
+#
+# ============================ EXAMPLES =======================================
+#
+# 1. Local server (use with NRPE or on nagios host), warning on < 5 minutes:
+#
+# define command {
+# command_name check_uptime
+# command_line $USER1$/check_uptime.pl -f -w 5
+# }
+#
+# 2. Local server (use with NRPE or on nagios host),
+# one critical alert on reboot:
+#
+# define command {
+# command_name check_uptime
+# command_line $USER1$/check_uptime.pl -f -c -P "SERVICEPERFDATA$"
+# }
+#
+# 3. Remote server SNMP v2, one warning alert on reboot,
+# autodetect and cache type of server:
+#
+# define command {
+# command_name check_snmp_uptime_v2
+# command_line $USER1$/check_uptime.pl -2 -f -w -H $HOSTADDRESS$ -C $_HOSTSNMP_COMMUNITY$ -P "$SERVICEPERFDATA$"
+# }
+#
+# 4. Remote server SNMP v3, rest as above
+#
+#define command {
+# command_name check_snmp_uptime_v3
+# command_line $USER1$/check_uptime.pl -f -w -H $HOSTADDRESS$ -l $_HOSTSNMP_V3_USER$ -x $_HOSTSNMP_V3_AUTH$ -X $_HOSTSNMP_V3_PRIV$ -L sha,aes -P "$SERVICEPERFDATA$"
+# }
+#
+# 5. Example of service definition using above
+#
+# define service{
+# use std-service
+# hostgroup_name all_snmp_hosts
+# service_description SNMP Uptime
+# max_check_attempts 1
+# check_command check_snmp_uptime
+# }
+#
+# 6. And this is optional dependency definition for above which makes
+# every SNMP service (service beloning to SNMP servicegroup) on
+# same host dependent on this SNMP Uptime check. Then if SNMP
+# daemon goes down you only receive one alert
+#
+# define servicedependency{
+# service_description SNMP Uptime
+# dependent_servicegroup_name snmp
+# }
+#
+# ============================= VERSION HISTORY ==============================
+#
+# 0.1 - sometime 2006 : Simple script for tracking local system uptime
+# 0.2 - sometime 2008 : Update to get uptime by SNMP, its now alike my other plugins
+# 0.3 - Nov 14, 2009 : Added getting system info line and using that to decide
+# format of uptime line and how to process it. Added support
+# for getting uptime with SNMP from windows systems.
+# Added documentation header alike my other plugins.
+# Planned to release it to public, but forgot.
+# 0.4 - Dec 19, 2011 : Update to support SNMP v3, released to public
+# 0.41 - Jan 13, 2012 : Added bug fix by Rom_UA posted as comment on Nagios Exchange
+# Added version history you're reading right now.
+# 0.42 - Feb 13, 2012 : Bug fix to not report WARNING if uptime is not correct output
+# 0.5 - Feb 29, 2012 : Added support for "netswitch" engine type that retrieves
+# snmpEngineTime. Added proper support for sysUpTime interpreting
+# it as 1/100s of a second and converting to days,hours,minutes
+# Changed internal processing structure, now reported uptime
+# info text is based on uptime_minutes and not separate.
+# 0.51 - Jun 05, 2012 : Bug fixed for case when when snmp system info is < 3 words.
+# 0.52 - Jun 19, 2012 : For switches if snmpEngineTime OID is not available,
+# the plugin will revert back to checking hostUptime and
+# then sysUptime. Entire logic has in fact been changed
+# to support trying more than just two OIDs. Also added
+# support to specify filename to '-v' option for debug
+# output to go to instead of console and for '--debug'
+# option as an alias to '--verbose'.
+#
+# TODO:
+# 0) Add '--extra-opts' to allow to read options from a file as specified
+# at http://nagiosplugins.org/extra-opts. This is TODO for all my plugins
+# 1) Add support for ">", "<" and other threshold qualifiers
+# as done in check_snmp_temperature.pl or check_mysqld.pl
+# 2) Support for more types, in particular network equipment such as cisco: [DONE]
+# sysUpTime is a 32-bit counter in 1/100 of a second, it rolls over after 496 days
+# snmpEngineTime (.1.3.6.1.6.3.10.2.1.3) returns the uptime in seconds and will not
+# roll over, however some cisco switches (29xx) are buggy and it gets reset too.
+# Routers running 12.0(3)T or higher can use the snmpEngineTime object from
+# the SNMP-FRAMEWORK-MIB. This keeps track of seconds since SNMP engine started.
+# 3) Add threshold into perfout as ';warn;crit'
+#
+# ========================== START OF PROGRAM CODE ===========================
+
+use strict;
+use Getopt::Long;
+
+# Nagios specific
+our $TIMEOUT;
+our %ERRORS;
+eval 'use utils qw(%ERRORS $TIMEOUT)';
+if ($@) {
+ $TIMEOUT = 10;
+ %ERRORS = ('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
+}
+
+our $no_snmp=0;
+eval 'use Net::SNMP';
+if ($@) {
+ $no_snmp=1;
+}
+
+# Version
+my $Version='0.52';
+
+# SNMP OID
+my $oid_sysSystem = '1.3.6.1.2.1.1.1.0'; # windows and some unix
+my $oid_hostUptime = '1.3.6.1.2.1.25.1.1.0'; # hostUptime, usually unix systems
+my $oid_sysUptime = '1.3.6.1.2.1.1.3.0'; # sysUpTime, windows
+my $oid_engineTime = '1.3.6.1.6.3.10.2.1.3'; # SNMP-FRAMEWORK-MIB
+
+my @oid_uptime_types = ( ['', '', ''], # type 0 is reserved
+ [ 'local', '', ''], # type 1 is local
+ [ 'win', 'sysUpTime', $oid_sysUptime ], # type 2 is windows
+ [ 'unix-host', 'hostUpTime', $oid_hostUptime ], # type 3 is unix-host
+ [ 'unix-sys', 'sysUpTime', $oid_sysUptime ], # type 4 is unix-sys
+ [ 'net', 'engineTime', $oid_engineTime ]); # type 5 is netswitch
+
+# Not used, but perhaps later
+my $oid_hrLoad = '1.3.6.1.2.1.25.3.3.1.2.1';
+my $oid_sysLoadInt1 = '1.3.6.1.4.1.2021.10.1.5.1';
+my $oid_sysLoadInt5 = '1.3.6.1.4.1.2021.10.1.5.2';
+my $oid_sysLoadInt15 = '1.3.6.1.4.1.2021.10.1.5.3';
+
+# Standard options
+my $o_host = undef; # hostname
+my $o_timeout= undef; # Timeout (Default 10)
+my $o_help= undef; # wan't some help ?
+my $o_verb= undef; # verbose mode
+my $o_version= undef; # print version
+my $o_label= undef; # change label instead of printing uptime
+my $o_perf= undef; # Output performance data (uptime in minutes)
+my $o_prevperf= undef; # performance data given with $SERVICEPERFDATA$ macro
+my $o_warn= undef; # WARNING alert if system has been up for < specified number of minutes
+my $o_crit= undef; # CRITICAL alert if system has been up for < specified number of minutes
+my $o_type= undef; # type of check (local, auto, unix, win)
+
+# Login and other options specific to SNMP
+my $o_port = 161; # SNMP port
+my $o_community = undef; # community
+my $o_version2 = undef; # use snmp v2c
+my $o_login= undef; # Login for snmpv3
+my $o_passwd= undef; # Pass for snmpv3
+my $v3protocols= undef; # V3 protocol list.
+my $o_authproto= 'md5'; # Auth protocol
+my $o_privproto= 'des'; # Priv protocol
+my $o_privpass= undef; # priv password
+
+## Additional global variables
+my %prev_perf= (); # array that is populated with previous performance data
+my $check_type = 0;
+
+sub p_version { print "check_uptime version : $Version\n"; }
+
+sub print_usage {
+ print "Usage: $0 [-v [debugfilename]] [-T local|unix-host|unix-sys|win|net] [-H <host> (-C <snmp_community>) [-2] | (-l login -x passwd [-X pass -L <authp>,<privp>) [-p <port>]] [-w <warn minutes> -s <crit minutes>] [-f] [-P <previous perf data from nagios \$SERVICEPERFDATA\$>] [-t <timeout>] | [-V] [--label <string>]\n";
+}
+
+sub isnnum { # Return true if arg is not a number
+ my $num = shift;
+ if ( $num =~ /^(\d+\.?\d*)|(^\.\d+)$/ ) { return 0 ;}
+ return 1;
+}
+
+sub div_mod { return int( $_[0]/$_[1]) , ($_[0] % $_[1]); }
+
+sub help {
+ print "\nUptime Plugin for Nagios (check_uptime) v. ",$Version,"\n";
+ print "GPL licence, (c) 2008-2012 William Leibzon\n\n";
+ print_usage();
+ print <<EOT;
+
+Debug & Console Options:
+ -v, --verbose[=FILENAME], --debug[=FILENAME]
+ print extra debugging information.
+ if filename is specified instead of STDOUT the debug data is written to that file
+ -h, --help
+ print this help message
+ -V, --version
+ prints version number
+
+Standard Options:
+ -T, --type=auto|local|unix-host|unis-sys|windows|netswitch
+ Type of system:
+ local : localhost (executes 'uptime' command), default if no -C or -l
+ unix-host : SNMP check from hostUptime ($oid_hostUptime) OID
+ unix-sys : SNMP check from sysUptime ($oid_sysUptime) OID
+ win | windows : SNMP check from sysUptime ($oid_sysUptime) OID
+ net | netswitch : SNMP check from snmpEngineTime ($oid_engineTime) OID
+ auto : Autodetect what system by checking sysSystem OID first, default
+ -w, --warning[=minutes]
+ Report nagios WARNING alert if system has been up for less then specified
+ number of minutes. If no minutes are specified but previous preformance
+ data is fed back with -P option then alert is sent ONLY ONCE when
+ uptime changes from greater value to smaller
+ -c, --critical[=minutes]
+ Report nagios CRITICAL alert if system has been up for less then
+ specified number of minutes or ONE ALERT if -P option is used and
+ system's previous uptime is larger then current on
+ -f, --perfparse
+ Perfparse compatible output
+ -P, --prev_perfdata
+ Previous performance data (normally put '-P \$SERVICEPERFDATA\$' in
+ nagios command definition). This is recommended if you dont specify
+ type of system with -T so that previously checked type of system info
+ is reused. This is also used to decide on warning/critical condition
+ if number of seconds is not specified with -w or -c.
+ --label=[string]
+ Optional custom label before results prefixed to results
+ -t, --timeout=INTEGER
+ timeout for SNMP in seconds (Default: 15)
+
+SNMP Access Options:
+ -H, --hostname=HOST
+ name or IP address of host to check (if not localhost)
+ -C, --community=COMMUNITY NAME
+ community name for the SNMP agent (used with v1 or v2c protocols)
+ -2, --v2c
+ use snmp v2c (can not be used with -l, -x)
+ -l, --login=LOGIN ; -x, --passwd=PASSWD
+ Login and auth password for snmpv3 authentication
+ If no priv password exists, implies AuthNoPriv
+ -X, --privpass=PASSWD
+ Priv password for snmpv3 (AuthPriv protocol)
+ -L, --protocols=<authproto>,<privproto>
+ <authproto> : Authentication protocol (md5|sha : default md5)
+ <privproto> : Priv protocols (des|aes : default des)
+ -p, --port=PORT
+ SNMP port (Default 161)
+EOT
+}
+
+# For verbose output (updated 06/06/12 to write to debug file if specified)
+sub verb {
+ my $t=shift;
+ if (defined($o_verb)) {
+ if ($o_verb eq "") {
+ print $t,"\n";
+ }
+ else {
+ if (!open(DEBUGFILE, ">>$o_verb")) {
+ print $t, "\n";
+ }
+ else {
+ print DEBUGFILE $t,"\n";
+ close DEBUGFILE;
+ }
+ }
+ }
+}
+
+# load previous performance data
+sub process_perf {
+ my %pdh;
+ my ($nm,$dt);
+ foreach (split(' ',$_[0])) {
+ if (/(.*)=(.*)/) {
+ ($nm,$dt)=($1,$2);
+ verb("prev_perf: $nm = $dt");
+ # in some of my plugins time_ is to profile how long execution takes for some part of plugin
+ # $pdh{$nm}=$dt if $nm !~ /^time_/;
+ $pdh{$nm}=$dt;
+ }
+ }
+ return %pdh;
+}
+
+sub type_from_name {
+ my $type=shift;
+ for(my $i=1; $i<scalar(@oid_uptime_types); $i++) {
+ if ($oid_uptime_types[$i][0] eq $type) {
+ return $i;
+ }
+ }
+ return -1;
+}
+
+
+sub check_options {
+ Getopt::Long::Configure ("bundling");
+ GetOptions(
+ 'v:s' => \$o_verb, 'verbose:s' => \$o_verb, "debug:s" => \$o_verb,
+ 'h' => \$o_help, 'help' => \$o_help,
+ 'H:s' => \$o_host, 'hostname:s' => \$o_host,
+ 'p:i' => \$o_port, 'port:i' => \$o_port,
+ 'C:s' => \$o_community, 'community:s' => \$o_community,
+ '2' => \$o_version2, 'v2c' => \$o_version2,
+ 'l:s' => \$o_login, 'login:s' => \$o_login,
+ 'x:s' => \$o_passwd, 'passwd:s' => \$o_passwd,
+ 'X:s' => \$o_privpass, 'privpass:s' => \$o_privpass,
+ 'L:s' => \$v3protocols, 'protocols:s' => \$v3protocols,
+ 't:i' => \$o_timeout, 'timeout:i' => \$o_timeout,
+ 'V' => \$o_version, 'version' => \$o_version,
+ 'f' => \$o_perf, 'perfparse' => \$o_perf,
+ 'w:i' => \$o_warn, 'warning:i' => \$o_warn,
+ 'c:i' => \$o_crit, 'critical:i' => \$o_crit,
+ 'label:s' => \$o_label,
+ 'P:s' => \$o_prevperf, 'prev_perfdata:s' => \$o_prevperf,
+ 'T:s' => \$o_type, 'type:s' => \$o_type,
+ );
+ if (defined ($o_help) ) { help(); exit $ERRORS{"UNKNOWN"}};
+ if (defined($o_version)) { p_version(); exit $ERRORS{"UNKNOWN"}};
+
+ $o_type = "win" if defined($o_type) && $o_type eq 'windows';
+ $o_type = "net" if defined($o_type) && $o_type eq 'netswitch';
+ if (defined($o_type) && $o_type ne 'auto' && type_from_name($o_type)==-1) {
+ print "Invalid system type specified\n"; print_usage(); exit $ERRORS{"UNNKNOWN"};
+ }
+
+ if (!defined($o_community) && (!defined($o_login) || !defined($o_passwd)) ) {
+ $o_type='local' if !defined($o_type) || $o_type eq 'auto';
+ if ($o_type ne 'local') {
+ print "Put snmp login info!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}
+ }
+ if (defined($o_host)) {
+ print "Why are you specifying hostname without SNMP parameters?\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+ else {
+ $o_type='auto' if !defined($o_type);
+ if ($o_type eq 'local' ) {
+ print "Why are you specifying SNMP login for local system???\n"; print_usage(); exit $ERRORS{"UNKNOWN"}
+ }
+ if (!defined($o_host)) {
+ print "Hostname required for SNMP check.\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ if ($no_snmp) {
+ print "Can't locate Net/SNMP.pm\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+
+ # check snmp information
+ if ((defined($o_login) || defined($o_passwd)) && (defined($o_community) || defined($o_version2)) )
+ { print "Can't mix snmp v1,2c,3 protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ if (defined ($v3protocols)) {
+ if (!defined($o_login)) { print "Put snmp V3 login info with protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ my @v3proto=split(/,/,$v3protocols);
+ if ((defined ($v3proto[0])) && ($v3proto[0] ne "")) {$o_authproto=$v3proto[0]; } # Auth protocol
+ if (defined ($v3proto[1])) {$o_privproto=$v3proto[1]; } # Priv protocol
+ if ((defined ($v3proto[1])) && (!defined($o_privpass)))
+ { print "Put snmp V3 priv login info with priv protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ }
+
+ if (defined($o_timeout) && (isnnum($o_timeout) || ($o_timeout < 2) || ($o_timeout > 60)))
+ { print "Timeout must be >1 and <60 !\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ if (!defined($o_timeout)) {$o_timeout=$TIMEOUT+5;}
+
+ if (defined($o_prevperf)) {
+ if (defined($o_perf)) {
+ %prev_perf=process_perf($o_prevperf);
+ $check_type = $prev_perf{type} if $o_type eq 'auto' && exists($prev_perf{tye}) && exists($oid_uptime_types[$prev_perf{type}][0]);
+ }
+ else {
+ print "need -f option first \n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+
+ if ($o_type eq 'auto') {
+ $check_type=0;
+ }
+ else {
+ $check_type = type_from_name($o_type);
+ }
+}
+
+sub create_snmp_session {
+ my ($session,$error);
+
+ if ( defined($o_login) && defined($o_passwd)) {
+ # SNMPv3 login
+ if (!defined ($o_privpass)) {
+ verb("SNMPv3 AuthNoPriv login : $o_login, $o_authproto");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => '3',
+ -port => $o_port,
+ -username => $o_login,
+ -authpassword => $o_passwd,
+ -authprotocol => $o_authproto,
+ -timeout => $o_timeout
+ );
+ } else {
+ verb("SNMPv3 AuthPriv login : $o_login, $o_authproto, $o_privproto");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => '3',
+ -username => $o_login,
+ -port => $o_port,
+ -authpassword => $o_passwd,
+ -authprotocol => $o_authproto,
+ -privpassword => $o_privpass,
+ -privprotocol => $o_privproto,
+ -timeout => $o_timeout
+ );
+ }
+ } else {
+ if (defined ($o_version2)) {
+ # SNMPv2c Login
+ verb("SNMP v2c login");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => 2,
+ -community => $o_community,
+ -port => $o_port,
+ -timeout => $o_timeout
+ );
+ } else {
+ # SNMPV1 login
+ verb("SNMP v1 login");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -community => $o_community,
+ -port => $o_port,
+ -timeout => $o_timeout
+ );
+ }
+ }
+ if (!defined($session)) {
+ printf("ERROR opening session: %s.\n", $error);
+ exit $ERRORS{"UNKNOWN"};
+ }
+
+ return $session;
+}
+
+$SIG{'ALRM'} = sub {
+ print "Alarm timeout\n";
+ exit $ERRORS{"UNKNOWN"};
+};
+
+########## MAIN #######
+my $system_info="";
+my $uptime_info=undef;
+my $uptime_minutes=undef;
+my $perf_out="";
+my $status=0;
+my $uptime_output;
+my ($days, $hrs, $mins);
+
+check_options();
+
+# Check gobal timeout if snmp screws up
+if (defined($o_timeout)) {
+ verb("Alarm at $o_timeout + 5");
+ alarm($o_timeout+5);
+}
+
+if ($check_type==1) { # local
+ # Process unix uptime command output
+ $uptime_output=`uptime`;
+ verb("Local Uptime Result is: $uptime_output");
+ if ($uptime_output =~ /(\d+)\s+days?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = ($1, $2, $3);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\shours?\s+(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\s+min/) {
+ ($days, $hrs, $mins) = (0,0,$1);
+ }
+ elsif ($uptime_output =~ /up\s+(d+)s+days?,s+(d+)s+min/) {
+ ($days, $hrs, $mins) = ($1,0,$2);
+ }
+ else {
+ $uptime_info = "up ".$uptime_output;
+ }
+ if (defined($days) && defined($hrs) && defined($mins)) {
+ $uptime_minutes = $days*24*60+$hrs*60+$mins;
+ }
+ my @temp=split(' ',`uname -a`);
+ if (scalar(@temp)<3) {
+ $system_info=`uname -a`;
+ }
+ else {
+ $system_info=join(' ',$temp[0],$temp[1],$temp[2]);
+ }
+}
+else {
+ # SNMP connection
+ my $session=create_snmp_session();
+ my $result=undef;
+ my $oid="";
+ my $guessed_check_type=0;
+
+ if ($check_type==0){
+ $result = $session->get_request(-varbindlist=>[$oid_sysSystem]);
+ if (!defined($result)) {
+ printf("ERROR: Can not retrieve $oid_sysSystem table: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ verb("$o_host SysInfo Result from OID $oid_sysSystem: $result->{$oid_sysSystem}");
+ if ($result->{$oid_sysSystem} =~ /Windows/) {
+ $guessed_check_type=2;
+ verb('Guessing Type: 2 = windows');
+ }
+ if ($result->{$oid_sysSystem} =~ /Cisco/) {
+ $guessed_check_type=5;
+ verb('Guessing Type: 5 = netswitch');
+ }
+ if ($guessed_check_type==0) {
+ $guessed_check_type=3; # will try hostUptime first
+ }
+ $oid=$oid_uptime_types[$guessed_check_type][2];
+ }
+ else {
+ $oid=$oid_uptime_types[$check_type][2];
+ }
+
+ do {
+ $result = $session->get_request(-varbindlist=>[$oid,$oid_sysSystem]);
+ if (!defined($result)) {
+ if ($check_type!=0) {
+ printf("ERROR: Can not retrieve uptime OID table $oid: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ else {
+ if ($session->error =~ /noSuchName/) {
+ if ($guessed_check_type==4) {
+ verb("Received noSuchName error for sysUpTime OID $oid. Giving up.");
+ $guessed_check_type=0;
+ }
+ if ($guessed_check_type==3) {
+ verb("Received noSuchName error for hostUpTime OID $oid, will now try sysUpTime");
+ $guessed_check_type=4;
+ }
+ else {
+ verb("Received noSuchName error for OID $oid, will now try hostUpTime");
+ $guessed_check_type=3;
+ }
+ if ($guessed_check_type!=0) {
+ $oid=$oid_uptime_types[$guessed_check_type][2];
+ }
+ }
+ else {
+ printf("ERROR: Can not retrieve uptime OID table $oid: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ }
+ }
+ else {
+ if ($check_type==0) {
+ $check_type=$guessed_check_type;
+ }
+ }
+ }
+ while (!defined($result) && $guessed_check_type!=0);
+
+ $session->close;
+ if ($check_type==0 && $guessed_check_type==0) {
+ printf("ERROR: Can not autodetermine proper uptime OID table. Giving up.\n");
+ exit $ERRORS{"UNKNOWN"};
+ }
+
+ my ($days, $hrs, $mins);
+ $uptime_output=$result->{$oid};
+ verb("$o_host Uptime Result from OID $oid: $uptime_output");
+
+ if ($uptime_output =~ /(\d+)\s+days?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = ($1, $2, $3);
+ }
+ elsif ($uptime_output =~ /(\d+)\s+hours?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /(\d+)\s+min/) {
+ ($days, $hrs, $mins) = (0, 0, $1);
+ }
+ if (defined($days) && defined($hrs) && defined($mins)) {
+ $uptime_minutes = $days*24*60+$hrs*60+$mins;
+ }
+ elsif ($uptime_output =~ /^(\d+)$/) {
+ my $upnum = $1;
+ if ($oid eq $oid_sysUptime) {
+ $uptime_minutes = $upnum/100/60;
+ }
+ elsif ($oid eq $oid_engineTime) {
+ $uptime_minutes = $upnum/60;
+ }
+ }
+ else {
+ $uptime_info = "up ".$uptime_output;
+ }
+ my @temp=split(' ',$result->{$oid_sysSystem});
+ if (scalar(@temp)<3) {
+ $system_info=$result->{$oid_sysSystem};
+ }
+ else {
+ $system_info=join(' ',$temp[0],$temp[1],$temp[2]);
+ }
+}
+
+if (defined($uptime_minutes) && !defined($uptime_info)) {
+ ($hrs,$mins) = div_mod($uptime_minutes,60);
+ ($days,$hrs) = div_mod($hrs,24);
+ $uptime_info = "up ";
+ $uptime_info .= "$days days " if $days>0;
+ $uptime_info .= "$hrs hours " if $hrs>0;
+ $uptime_info .= "$mins minutes";
+}
+
+verb("System Type: $check_type (".$oid_uptime_types[$check_type][0].")");
+verb("System Info: $system_info") if $system_info;
+verb("Uptime Text: $uptime_info") if defined($uptime_info);
+verb("Uptime Minutes: $uptime_minutes") if defined($uptime_minutes);
+
+if (!defined($uptime_info)) {
+ $uptime_info = "Can not determine uptime";
+ $status = 3;
+}
+
+if (defined($o_perf)) {
+ $perf_out = "type=$check_type";
+ $perf_out .= " uptime_minutes=$uptime_minutes" if defined($uptime_minutes);
+}
+
+if (defined($uptime_minutes)) {
+ if (defined($o_prevperf)) {
+ $status = 1 if defined($o_warn) && exists($prev_perf{uptime_minutes}) && $prev_perf{uptime_minutes} > $uptime_minutes;
+ $status = 2 if defined($o_crit) && exists($prev_perf{uptime_minutes}) && $prev_perf{uptime_minutes} > $uptime_minutes;
+ }
+ else {
+ $status = 1 if defined($o_warn) && !isnnum($o_warn) && $o_warn >= $uptime_minutes;
+ $status = 2 if defined($o_crit) && !isnnum($o_crit) && $o_crit >= $uptime_minutes;
+ }
+}
+alarm(0);
+
+my $exit_status="UNKNOWN";
+$exit_status="OK" if $status==0;
+$exit_status="WARNING" if $status==1;
+$exit_status="CRITICAL" if $status==2;
+$exit_status="UNKNOWN" if $status==3;
+$exit_status="$o_label $exit_status" if defined($o_label);
+print "$exit_status: $system_info";
+print " - $uptime_info";
+print " | ",$perf_out if $perf_out;
+print "\n";
+exit $status;
diff --git a/sto-tug-kvm2.swamid.se/overlay/usr/local/bin/postgres_backup b/sto-tug-kvm2.swamid.se/overlay/usr/local/bin/postgres_backup
deleted file mode 100755
index ebf052c..0000000
--- a/sto-tug-kvm2.swamid.se/overlay/usr/local/bin/postgres_backup
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-#
-# Simplistic postgres backup
-#
-
-BACKUPROOT="/var/docker/postgresql_data/backup"
-DBCONTAINER="flog_db"
-
-if [ ! -d ${BACKUPROOT} ]; then
- echo "$0: Directory ${BACKUPROOT} does not exist - aborting."
- exit 1
-fi
-
-set -e
-
-# keep seven days worth of dumps
-rm -rf ${BACKUPROOT}/postgres-dumpall-flogdb.gz.7
-test -f ${BACKUPROOT}/postgres-dumpall-flogdb.gz.6 && mv ${BACKUPROOT}/postgres-dumpall-flogdb.gz.6 ${BACKUPROOT}/postgres-dumpall-flogdb.gz.7
-test -f ${BACKUPROOT}/postgres-dumpall-flogdb.gz.5 && mv ${BACKUPROOT}/postgres-dumpall-flogdb.gz.5 ${BACKUPROOT}/postgres-dumpall-flogdb.gz.6
-test -f ${BACKUPROOT}/postgres-dumpall-flogdb.gz.4 && mv ${BACKUPROOT}/postgres-dumpall-flogdb.gz.4 ${BACKUPROOT}/postgres-dumpall-flogdb.gz.5
-test -f ${BACKUPROOT}/postgres-dumpall-flogdb.gz.3 && mv ${BACKUPROOT}/postgres-dumpall-flogdb.gz.3 ${BACKUPROOT}/postgres-dumpall-flogdb.gz.4
-test -f ${BACKUPROOT}/postgres-dumpall-flogdb.gz.2 && mv ${BACKUPROOT}/postgres-dumpall-flogdb.gz.2 ${BACKUPROOT}/postgres-dumpall-flogdb.gz.3
-test -f ${BACKUPROOT}/postgres-dumpall-flogdb.gz.1 && mv ${BACKUPROOT}/postgres-dumpall-flogdb.gz.1 ${BACKUPROOT}/postgres-dumpall-flogdb.gz.2
-
-echo "Running postgres pg_dumpall..."
-
-cd ${BACKUPROOT}
-/usr/bin/docker exec ${DBCONTAINER} sudo -u postgres /usr/bin/pg_dumpall | /bin/gzip > postgres-dumpall-flogdb.gz
-
-mv ${BACKUPROOT}/postgres-dumpall-flogdb.gz ${BACKUPROOT}/postgres-dumpall-flogdb.gz.1
-
diff --git a/sto-tug-kvm2.swamid.se/overlay/usr/local/etc/docker.d/30flog b/sto-tug-kvm2.swamid.se/overlay/usr/local/etc/docker.d/30flog
new file mode 100755
index 0000000..2b477a2
--- /dev/null
+++ b/sto-tug-kvm2.swamid.se/overlay/usr/local/etc/docker.d/30flog
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Wait for dependent flog docker containers to be registered in local DNS.
+#
+
+PING_CHECK="/usr/local/bin/ping-check"
+
+logtag="flog_docker_pre-post[$ACTION]"
+logger -t "${logtag}" "$NAME ($IMAGE), CID: '$CID'"
+
+if [ "x$ACTION" = "xpre-start" ]; then
+ if [ "x$NAME" = "xflog_app" ]; then
+ ${PING_CHECK} flog_db.docker
+ exit $?
+ fi
+ if [ "x$NAME" = "xflog_nginx" ]; then
+ ${PING_CHECK} flog_app.docker
+ exit $?
+ fi
+ exit 0
+fi
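Review bot: The hook reads ACTION, NAME, IMAGE and CID from the environment without documenting or checking them, so a caller that sets none of them gets a log line tagged `flog_docker_pre-post[]` and a silent exit 0 with no dependency check run. A header line such as `# Expects ACTION, NAME, IMAGE and CID in the environment, set by the caller of the docker.d hooks.` would state the contract. On the logging line, `logger -t "${logtag}" -- "$NAME ($IMAGE), CID: '$CID'"` keeps a value that begins with a dash from being parsed as a logger option. The gate itself is only as strong as ping-check, which is not part of this hunk: going by its name and the header comment, it shows that the name resolves and answers, not that the database or application behind it accepts connections.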
diff --git a/templates b/templates
new file mode 120000
index 0000000..3365074
--- /dev/null
+++ b/templates
@@ -0,0 +1 @@
+./global/overlay/etc/puppet/modules/sunet/templates/
\ No newline at end of file
diff --git a/web-a1.sunet.se/overlay/etc/ssl/certs/web-a1.sunet.se_infra.crt b/web-a1.sunet.se/overlay/etc/ssl/certs/web-a1.sunet.se_infra.crt
new file mode 100644
index 0000000..4066236
--- /dev/null
+++ b/web-a1.sunet.se/overlay/etc/ssl/certs/web-a1.sunet.se_infra.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGHTCCBAWgAwIBAgIJAL9FQ4sMNbylMA0GCSqGSIb3DQEBCwUAMD8xIDAeBgNV
+BAMTF1NVTkVUIEluZnJhc3RydWN0dXJlIENBMQ4wDAYDVQQKEwVTVU5FVDELMAkG
+A1UEBhMCU0UwHhcNMTUwNDE0MTA1MDAxWhcNMTUwNTE0MTA1MDAxWjA3MQswCQYD
+VQQGEwJTRTEOMAwGA1UEChMFU1VORVQxGDAWBgNVBAMTD3dlYi1hMS5zdW5ldC5z
+ZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANq6TNx7L0JsDNraJynR
+hOTa4JIomMihbed/TLI/d3UMIZaVhNx7QfVfX6M9zTOhX2/nlaLgmBqU2GrTta2y
+9sB/AedIXwoym1Mind0aLQZpdNBuzFmAFDdwVGLbDSwfxOFw+TUarDZZkI4MU7cf
+9Ur7BaoXfpkjh6h9VKCAsgYxtXrx/ab1no2sQfiF7guM+Pk9RAJKkUgiRpOzGbUx
+6E5Pm6aEP0Do4eZI0MU4w6g9fj5Y/T4+TzI5EqHOiyeCUD81/wclriVCGmF//Dmy
+zbOmMGhJVeLgLMbwXQ9ypLM5JayZrNhOD6PrIl+JQuONgaBPOuDRUnQhHfXKDBix
+xlPfX5TdhT6cwIKtgQ55mj6BbNzOauENSTfT5ySU4Y0xQheJZnWLkbuorSUbOIUr
+DJQOggSyQCx4CaUroNx9dP9zpklmHj8jMgY6xCYjyjDVpGlwv2c9q16D6Q/XydBR
+mH6G3bjPRVE0Vt4yhFh3fK8/PUkoZXr2MYL9G3PNjbCeLPA0dLY9/n0P+KVdPviu
+raLZFMdri1SBMC2cMPyGbMRK5X8DL36xW7HS5Ijnle4fEvwu8Suar0yG5XSWPDCM
+xATbqmUo1WvQ7Ji1H8Bo2dV5yEzwsl9K+iqbPKDALaXZtHrefVqmBE8FwYx0kH/B
+P2wUCfQcUdkzRtVGn2Z6tQtBAgMBAAGjggEiMIIBHjAdBgNVHQ4EFgQU9H+BhwwQ
+zEhGUruehLQzpwrBEYEwHwYDVR0jBBgwFoAU5yyeURqwHQEd5kK0Jxo1k3DAbdcw
+OwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vY2Euc3VuZXQuc2Uv
+aW5mcmEvY2EuY3J0MDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jYS5zdW5ldC5z
+ZS9pbmZyYS9jcmwucGVtMCMGA1UdEgQcMBqGGGh0dHA6Ly9jYS5zdW5ldC5zZS9p
+bmZyYTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcD
+ATAaBgNVHREEEzARgg93ZWItYTEuc3VuZXQuc2UwDQYJKoZIhvcNAQELBQADggIB
+AFJ+FnDa1pHKcQ6wYK2bfKQzxSHChTY6dnQs8S8N2O+Up8xapM8CZV9tBrSH22j4
+bRwXpkhDPVFLo+rqgoQdIcbC37XiEhOHjc8TVay+drvzpnG9Rr174lbFK5IfzSmW
+bwARXwphbx5wDBlEQa/gg/uFChRjdZ47OHu1LNXzCZXcyX3XDvgHoNvQI1ne2uZ4
+GuMKwe1LZaFgksSG+zjmi62QSyX/WeLQUIdesDbOwCGiPgU/y9D+efMta7+pWj+B
+M9YP0lvpGGSNXLoqF8b+CO51Bx39Ng/TKlbV+uFzC3xUmz3Px7hlnvQo3T5H1Y9d
+Mm2HlLbd7MEb8WSIvBQRG4A8NBzCbgYuzwBwvssSu+zqj6Ge7Ge++20rbleyeXbu
+yvcdQ9ybllwin0GjznrJr290ppadVSdEa5WPq0IHYuu+WMFwLnn9wZ2hQx9dQBuZ
+1Ug7OAacKxkdqkqvqgDAedaoFgG/l6XDxV5NYb9OEuwmhWL7lnxA/6KmyQjb2l5b
+bfvTkb7uN6F/Kq2Q3/B1GWeU9bORx3oaml0r9m5PSIBrrsrQyhe3V0c1ATxT87Ru
+Coa1OK1Ru2mEcBeSgmWDma7gPiUqH5ylgfhP/IhdT+WCh2MfE4To1m5cU83LrBXJ
+K6XsN1n0DOJcvfiB9yXjTvTu4GFbOLfL32Fh+BQYL0kj
+-----END CERTIFICATE-----
diff --git a/web-a2.sunet.se/overlay/etc/ssl/certs/web-a2.sunet.se_infra.crt b/web-a2.sunet.se/overlay/etc/ssl/certs/web-a2.sunet.se_infra.crt
new file mode 100644
index 0000000..90eebbd
--- /dev/null
+++ b/web-a2.sunet.se/overlay/etc/ssl/certs/web-a2.sunet.se_infra.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/web-db1.sunet.se/overlay/etc/network/interfaces b/web-db1.sunet.se/overlay/etc/network/interfaces
new file mode 100644
index 0000000..b8f4bfa
--- /dev/null
+++ b/web-db1.sunet.se/overlay/etc/network/interfaces
@@ -0,0 +1,17 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+auto eth0
+iface eth0 inet static
+ address 192.36.171.68
+ netmask 255.255.255.192
+ network 192.36.171.64
+ broadcast 192.36.171.127
+ gateway 192.36.171.65
+
+ dns-nameservers 130.242.80.14 130.242.80.99
diff --git a/web-db1.sunet.se/overlay/etc/ssl/certs/web-db1.sunet.se_infra.crt b/web-db1.sunet.se/overlay/etc/ssl/certs/web-db1.sunet.se_infra.crt
new file mode 100644
index 0000000..e589716
--- /dev/null
+++ b/web-db1.sunet.se/overlay/etc/ssl/certs/web-db1.sunet.se_infra.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGHzCCBAegAwIBAgIJAIphYRwko2yMMA0GCSqGSIb3DQEBCwUAMD8xIDAeBgNV
+BAMTF1NVTkVUIEluZnJhc3RydWN0dXJlIENBMQ4wDAYDVQQKEwVTVU5FVDELMAkG
+A1UEBhMCU0UwHhcNMTUwNDE0MDkzNTAyWhcNMTUwNTE0MDkzNTAyWjA4MQswCQYD
+VQQGEwJTRTEOMAwGA1UEChMFU1VORVQxGTAXBgNVBAMTEHdlYi1kYjEuc3VuZXQu
+c2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCp2i1gZS3bcmiNEzPv
+skIpr1JTW4gg34E+6/+TfEOONQY18JejUnged1sBtkedsTncxQ2TWjefrFryZ7cH
+45FVB5J8wtkydmIWkYIVXoEugPQEcxJU3brB5/2Zxdd1H+ukVsozV+bwOJg6QP3v
+z+X5nL18iUlr6ToMGrE5cVh4qjqJiz7N6OjWm4rzWhSFJjcHLsfqVEMzwKH0bTt1
+PrpoAhwixNQuFYyfRoSPdeOt5CIgh+ojmtMJwMOJG6KltfjaFd7BdfAdzVYa5CNO
+Bvr3W3PPeTWUnxDkIZHLf6bouqOajSWVMmX/0fdeB+hASeVdivAKxh5J9xT3ewD+
+jQ79KXdGSzBjRtBnUra++lrWK2zkPNV8ys4yGG2goj9174D+32L3mEYYRDvJG28k
+A64JN7i3a/xd7IeDRm/ItDSlJJFsu/aalKM3kv9MxcFosHd3f++b8jA1hTchtsBT
+RmeOewkJPm+3pOfeByjaIGnXtty5uV+6EcjfiNujAPRLdHjo4mmGNEhin9e+nk+N
+RAZtCZKlsBbfYVs+XrvN/SH1rV0h7szIjQ56jFT4RYKxrPm9t7m+E6dimYLaY9QB
+INH9VU8GaNObJg73qofO4IPcrH6797sLhcD1TS0b6y339aBt3+7Wm8I8SwbSBfAn
+B899fwvHeU994FFW3nvR0jYJCwIDAQABo4IBIzCCAR8wHQYDVR0OBBYEFOS/ytQU
+7Y0Ot+c/IrfVK25XQqsFMB8GA1UdIwQYMBaAFOcsnlEasB0BHeZCtCcaNZNwwG3X
+MDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYfaHR0cDovL2NhLnN1bmV0LnNl
+L2luZnJhL2NhLmNydDAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY2Euc3VuZXQu
+c2UvaW5mcmEvY3JsLnBlbTAjBgNVHRIEHDAahhhodHRwOi8vY2Euc3VuZXQuc2Uv
+aW5mcmEwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwGwYDVR0RBBQwEoIQd2ViLWRiMS5zdW5ldC5zZTANBgkqhkiG9w0BAQsFAAOC
+AgEAbBJO78R7bz+TFh5R4Wc56WSIekLIGS4FTGH/x3hocH6wqwih8Grn7ZgzeVHp
+z/n58izTcL5prKh29v9x0BZC3ED5AK3ydf8Al+VVeyd++FAAjFuf5mqgN7XPKSMS
+1fwPrN+rWR2vDmHG0zK776RiEbboWY/eXPJSS36P2g3CJ4zOpj+u5kS2AKioEcoK
+BGUvwZHjqRRetgeinGWqjaRiUUmVlTtG2Xo+s6WeHbPSp/IdnDQ1xdbq8jgOIhZg
+dqZnFaFU2VW+1hunNoFR+6ssWIKiTSHs2IIiODQjRZ8gDQpD1BcVjayHqG7MqeEi
+JN3I86veakmWDreocebe/99gbQqPy/JkHLZ/dcrGCjWvQ9r2C6L3m/yMqU0HrpHl
+mr2DEldB5Jepb0/BpGV5q5ERj3sSpKveCAjqBZqc+FOaYtuE5bHZQmxmDGHlWEdp
+FZXleTVUIrIw7m87Kfq3kdG7nfX8ev70RVAS0n2Os2yTtOn1+OiDUYXP/Ss85RjG
+qwd53Cc5jDDsmp9dNXNlK+OySBUsCnjQQc15cvueey1VkfTXfwJBGpc3zdoCDIfC
+Fmu9jTL3+5d+C0iFvn3WSwN3doLoJdhce4yAmqwGLiqFQ/K0chw7Ths2H5caF4+g
+/2hIp72NdeScdATdDluoEk130HCWNNWHdrZB/ZP6W8zBvrU=
+-----END CERTIFICATE-----
diff --git a/web-db2.sunet.se/overlay/etc/network/interfaces b/web-db2.sunet.se/overlay/etc/network/interfaces
new file mode 100644
index 0000000..2130d6a
--- /dev/null
+++ b/web-db2.sunet.se/overlay/etc/network/interfaces
@@ -0,0 +1,18 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+auto eth0
+iface eth0 inet static
+ address 192.36.171.69
+ netmask 255.255.255.192
+ network 192.36.171.64
+ broadcast 192.36.171.127
+ gateway 192.36.171.65
+
+ dns-nameservers 130.242.80.14 130.242.80.99
+
diff --git a/web-db2.sunet.se/overlay/etc/ssl/certs/web-db2.sunet.se_infra.crt b/web-db2.sunet.se/overlay/etc/ssl/certs/web-db2.sunet.se_infra.crt
new file mode 100644
index 0000000..17d5ce3
--- /dev/null
+++ b/web-db2.sunet.se/overlay/etc/ssl/certs/web-db2.sunet.se_infra.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/web-db3.sunet.se/README b/web-db3.sunet.se/README
new file mode 120000
index 0000000..59a23c4
--- /dev/null
+++ b/web-db3.sunet.se/README
@@ -0,0 +1 @@
+../README
\ No newline at end of file
diff --git a/web-db3.sunet.se/overlay/etc/network/interfaces b/web-db3.sunet.se/overlay/etc/network/interfaces
new file mode 100644
index 0000000..86c5081
--- /dev/null
+++ b/web-db3.sunet.se/overlay/etc/network/interfaces
@@ -0,0 +1,17 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+auto eth0
+iface eth0 inet static
+ address 192.36.171.70
+ netmask 255.255.255.192
+ network 192.36.171.64
+ broadcast 192.36.171.127
+ gateway 192.36.171.65
+
+ dns-nameservers 130.242.80.14 130.242.80.99
diff --git a/web-db3.sunet.se/overlay/etc/ssl/certs/web-db3.sunet.se_infra.crt b/web-db3.sunet.se/overlay/etc/ssl/certs/web-db3.sunet.se_infra.crt
new file mode 100644
index 0000000..60472ff
--- /dev/null
+++ b/web-db3.sunet.se/overlay/etc/ssl/certs/web-db3.sunet.se_infra.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/web-f1.sunet.se/overlay/etc/ssl/certs/web-f1.sunet.se_infra.crt b/web-f1.sunet.se/overlay/etc/ssl/certs/web-f1.sunet.se_infra.crt
new file mode 100644
index 0000000..17b1b40
--- /dev/null
+++ b/web-f1.sunet.se/overlay/etc/ssl/certs/web-f1.sunet.se_infra.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----