-rw-r--r--ca.sunet.se/overlay/var/lib/ca/infra/requests/client/ft-c.csr27
-rw-r--r--global/overlay/etc/puppet/cosmos-db.yaml6
-rw-r--r--global/overlay/etc/puppet/cosmos-rules.yaml2
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp63
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp7
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp22
-rwxr-xr-xscripts/mkreq36
-rw-r--r--sto-tug-kvm2.swamid.se/overlay/etc/cron.d/update_eduroam_realm_data1
-rw-r--r--sto-tug-kvm2.swamid.se/overlay/etc/network/interfaces11
-rw-r--r--sto-tug-kvm2.swamid.se/overlay/opt/docker/README1
10 files changed, 149 insertions, 27 deletions
diff --git a/ca.sunet.se/overlay/var/lib/ca/infra/requests/client/ft-c.csr b/ca.sunet.se/overlay/var/lib/ca/infra/requests/client/ft-c.csr
new file mode 100644
index 0000000..4ea75a7
--- /dev/null
+++ b/ca.sunet.se/overlay/var/lib/ca/infra/requests/client/ft-c.csr
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml
index d8a83ca..a84fd5f 100644
--- a/global/overlay/etc/puppet/cosmos-db.yaml
+++ b/global/overlay/etc/puppet/cosmos-db.yaml
@@ -89,9 +89,9 @@ classes:
sunetops: null
swamidops: null
sto-tug-kvm2.swamid.se:
- dockerhost: null
mailclient: *id002
sshaccess: null
+ sunet::dockerhost: null
sunetops: null
swamidops: null
webserver: null
@@ -138,7 +138,7 @@ members:
lobo2.lab.sunet.se]
docker_signer: [mdx2.swamid.se]
dockerhost: [www2.eduid.se, reep.tid.isoc.org, datasets.sunet.se, mdx1.swamid.se,
- mdx2.swamid.se, sto-tug-kvm2.swamid.se, docker.sunet.se, registry.swamid.se]
+ mdx2.swamid.se, docker.sunet.se, registry.swamid.se]
entropyserver: [random1.nordu.net, random2.nordu.net]
mailclient: [ca.sunet.se, cdr1.sunet.se, web-f1.sunet.se, web-db2.sunet.se, sto-tug-kvm-lab2.swamid.se,
datasets.sunet.se, mdx1.swamid.se, sto-tug-kvm-lab1.swamid.se, web-a1.sunet.se,
@@ -156,7 +156,7 @@ members:
lobo2.lab.sunet.se]
sunet-cdr: [cdr1.sunet.se, cdr2.sunet.se]
sunet::dockerhost: [web-f1.sunet.se, web-db2.sunet.se, web-a1.sunet.se, web-db1.sunet.se,
- web-a2.sunet.se]
+ sto-tug-kvm2.swamid.se, web-a2.sunet.se]
sunetops: [ca.sunet.se, cdr1.sunet.se, cdr1.sunet.se, web-f1.sunet.se, web-db2.sunet.se,
sto-tug-kvm-lab2.swamid.se, datasets.sunet.se, mdx1.swamid.se, sto-tug-kvm-lab1.swamid.se,
web-a1.sunet.se, wp.sunet.se, mdx2.swamid.se, samltest.swamid.se, web-db1.sunet.se,
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index dc2b9c0..5035639 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -31,7 +31,7 @@ mdx2.swamid.se:
sto-tug-kvm2.swamid.se:
sshaccess:
webserver:
- dockerhost:
+ sunet::dockerhost:
reep.tid.isoc.org:
sshaccess:
swamidops:
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index a519ccf..92e3804 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -697,17 +697,64 @@ node 'cdr1.sunet.se' {
}
node 'sto-tug-kvm2.swamid.se' {
- docker::image {'docker.sunet.se/flog/postgresql-9.3': }
- file {'/opt/docker/postgresql_data':
- ensure => 'directory',
- }
+ #class { 'fail2ban': }
+ file {'/var/docker':
+ ensure => 'directory',
+ } ->
+ sunet::system_user {'postgres-system-user':
+ username => 'postgres',
+ group => 'postgres',
+ } ->
+ sunet::add_user_to_group { 'postgres_ssl_cert_access':
+ username => 'postgres',
+ group => 'ssl-cert',
+ } ->
+ sunet::system_user {'www-data-system-user':
+ username => 'www-data',
+ group => 'www-data',
+ } ->
+ file {'/var/docker/postgresql_data':
+ ensure => 'directory',
+ owner => 'postgres',
+ group => 'postgres',
+ mode => '0700',
+ } ->
file {'/var/log/flog_db':
ensure => 'directory',
- }
- docker::run {'flog_db':
+ owner => 'root',
+ group => 'postgres',
+ mode => '1775',
+ } ->
+ file {'/var/postgresbackup':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'postgres',
+ mode => '1775',
+ } ->
+ file {'/var/log/flog_app':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'www-data',
+ mode => '1775',
+ } ->
+ file {'/var/log/flog_cron':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'www-data',
+ mode => '1775',
+ } ->
+ sunet::docker_run {'flog_db':
image => 'docker.sunet.se/flog/postgresql-9.3',
- use_name => true,
- volumes => ['/opt/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'],
+ volumes => ['/opt/flog/postgres/ssl:/etc/ssl', '/var/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'],
+ } ->
+ sunet::docker_run {'flog_app':
+ image => 'docker.sunet.se/flog/flog_app',
+ volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog/:/opt/flog/logs/'],
+ } ->
+ sunet::docker_run {'flog_nginx':
+ image => 'docker.sunet.se/flog/nginx',
+ ports => ['80:80', '443:443'],
+ volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'],
}
}
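Review bot: The log directories prepared in this chain do not match the host paths the containers bind: `/var/log/flog_app` and `/var/log/flog_cron` are created with www-data group ownership and mode 1775, but `flog_app` mounts `/var/log/flog/` and `flog_nginx` mounts `/var/log/flog_nginx/`, neither of which has a file resource. Docker creates a missing bind-mount source itself, presumably root-owned with default permissions, so the ownership set up here never applies to the directories actually written to. Either point the volumes at the declared directories, e.g. `volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog_app/:/opt/flog/logs/'],`, or add file resources for `/var/log/flog` and `/var/log/flog_nginx` to the chain. The commented-out `#class { 'fail2ban': }` should either be enabled or dropped rather than left as dead code. Note also that `/opt/flog/postgres/ssl:/etc/ssl` replaces the container's entire /etc/ssl tree, including its CA bundle, so the host directory has to carry whatever the image expects there besides the server key; that deserves a comment on the line.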
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp b/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp
new file mode 100644
index 0000000..348d9c5
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp
@@ -0,0 +1,7 @@
+# Add a user to a group
+define sunet::add_user_to_group($username, $group) {
+ exec {"add_user_${username}_to_group_${group}_exec":
+ command => "adduser --quiet $username $group",
+ path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
+ }
+}
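Review bot: The exec has no `unless`/`onlyif` guard, so Puppet runs `adduser` on every agent run and reports a change each time; add `unless => "id -nG ${username} | grep -qw ${group}",` so the resource is idempotent. `$username` and `$group` are interpolated into the shell command unquoted; writing them as `"${username}"` and `"${group}"` makes the intent clearer and keeps a value with unexpected characters from splitting the command. The define also declares no ordering on the user and group it names, so it relies entirely on the caller chaining it after `sunet::system_user`; `require => [User[$username], Group[$group]],` would make that explicit. The header comment should name both parameters, e.g. `# Add $username as a supplementary member of $group (via Debian adduser)`.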
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp b/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp
new file mode 100644
index 0000000..819ef4a
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp
@@ -0,0 +1,22 @@
+define sunet::system_user(
+ $username,
+ $group,
+ $system = true,
+ $shell = '/bin/false'
+ ) {
+
+ user { $username :
+ ensure => present,
+ name => $username,
+ membership => minimum,
+ system => $system,
+ require => Group[ $group ],
+ shell => $shell,
+ }
+
+ group { $group :
+ ensure => present,
+ name => $group,
+ }
+
+}
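Review bot: The user resource never sets `gid`, so the account's primary group is whatever the provider picks, not `$group`; the define only guarantees that the group exists. Since the caller goes on to chown `/var/docker/postgresql_data` to `postgres:postgres`, add `gid => $group,` to the user resource (Puppet then autorequires the Group, which makes the explicit `require` redundant). `membership => minimum` has nothing to act on without a `groups` attribute, so as written it appears to be a no-op and could be removed or paired with `groups`. The define has no header comment; a short one stating that it creates a system account with a nologin shell and the named group, and which parameters are optional, would help the next reader.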
diff --git a/scripts/mkreq b/scripts/mkreq
index 4493867..44aaddc 100755
--- a/scripts/mkreq
+++ b/scripts/mkreq
@@ -1,6 +1,5 @@
#!/bin/sh
-host="$1"; shift
ca_host="ca.sunet.se"
ca_name="infra"
type=""
@@ -16,20 +15,27 @@ Usage: mkreq [-v] [-s*] [-c] [-C <ca host>] [-N <ca name>] [--] <fqdn>
-c request client cert
-C ca host (ca.sunet.se)
-N ca name (infra)
-
+
<fqdn> fully qualified name of host
" 1>&2
}
+if [ "x$1" = "x" ]; then
+ usage
+ exit 1
+fi
+
{
while test $# -gt 0; do
case "$1" in
-s)
type="server"
+ shift
;;
-c)
type="client"
+ shift
;;
-C)
ca_host="$2"
@@ -46,19 +52,33 @@ Usage: mkreq [-v] [-s*] [-c] [-C <ca host>] [-N <ca name>] [--] <fqdn>
--)
break
;;
+ *)
+ echo $1 | grep -q '^-' || break # found the fqdn
+ echo "$0: Unknown option $1"
+ echo ""
+ usage
+ exit 1
esac
- shift
done
}
+host="$1"
+
+if [ "x$host" = "x" ]; then
+ echo "$0: No fqdn supplied"
+ echo ""
+ usage
+ exit 1
+fi
+
if [ -d $host -a -z $type ]; then
type="server"
fi
cfg=`mktemp`
-key="/tmp/$host.key"
-csr="/tmp/$host.csr"
+key=`mktemp`
+csr=`mktemp`
trap 'rm -f $cfg' EXIT
@@ -90,6 +110,12 @@ git add "$reqs/$host.csr" && git commit -m "certification request for $host from
if [ -d $host ]; then
ssh root@$host mkdir -p /etc/ssl/private && scp "$key" "root@$host:/etc/ssl/private/${host}_${ca_name}.key" && rm -f "$key" && echo "** private key given to $host" || echo "** private key left in $key - should be in root@$host:/etc/ssl/private/${host}_${ca_name}.key"
+else
+ echo ""
+ echo "** Generated the following RSA key, keep it safe:"
+ cat $key
+ rm -f $key
+ echo ""
fi
echo "** successfully generated key and certification request for $host from $ca_host:$ca_name"
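Review bot: The new else branch writes the private key to standard output with `cat $key` and then deletes the only copy, so the key material ends up in terminal scrollback, any screen/tmux or session log, and shell transcripts, which is harder to clean up than the 0600 temp file mktemp just produced. Leaving the file in place and telling the operator where it is, e.g. `echo "** private key left in $key (mode 0600) - move it to its destination and delete it"`, matches what the ssh branch already does on failure. `$key` should be quoted in both `cat` and `rm -f` as it is elsewhere in the script. In the option parser, `echo "$0: Unknown option $1"` goes to stdout while `usage` prints to stderr; adding `1>&2` on the error line would keep diagnostics on one stream.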
diff --git a/sto-tug-kvm2.swamid.se/overlay/etc/cron.d/update_eduroam_realm_data b/sto-tug-kvm2.swamid.se/overlay/etc/cron.d/update_eduroam_realm_data
deleted file mode 100644
index f1dd8e1..0000000
--- a/sto-tug-kvm2.swamid.se/overlay/etc/cron.d/update_eduroam_realm_data
+++ /dev/null
@@ -1 +0,0 @@
-0 23 * * * root curl https://meta.eduroam.se/institution.xml -so /opt/flog/institution.xml
diff --git a/sto-tug-kvm2.swamid.se/overlay/etc/network/interfaces b/sto-tug-kvm2.swamid.se/overlay/etc/network/interfaces
index 10cdcf5..8d4bf0b 100644
--- a/sto-tug-kvm2.swamid.se/overlay/etc/network/interfaces
+++ b/sto-tug-kvm2.swamid.se/overlay/etc/network/interfaces
@@ -18,8 +18,7 @@ iface em1 inet static
dns-search swamid.se
iface em1 inet6 static
- address 2001:6b0:7::9
- netmask 64
+ address 2001:6b0:7::9/64
gateway 2001:6b0:7::1
dns-nameservers 2001:6b0:1e:14 2001:6b0:1e:99
@@ -33,9 +32,5 @@ iface em1:0 inet static
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 130.242.80.14 130.242.80.99
dns-search sunet.se
-
-iface em1:0 inet6 static
- address 2001:6b0:7::10
- netmask 64
- gateway 2001:6b0:7::1
- dns-nameservers 2001:6b0:1e:14 2001:6b0:1e:99
+ up ip addr add 2001:6b0:7::10/64 dev em1:0
+ down ip addr del 2001:6b0:7::10/64 dev em1:0
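Review bot: `ip addr add 2001:6b0:7::10/64 dev em1:0` names an ifupdown alias label rather than a kernel device, and ip(8) resolves `dev` by device name, so on most systems this is likely to fail with "Cannot find device" and the secondary v6 address is never configured; the `down` line fails the same way. Use the real interface and make the family explicit: `up ip -6 addr add 2001:6b0:7::10/64 dev em1` and `down ip -6 addr del 2001:6b0:7::10/64 dev em1`. These lines now sit inside the `iface em1:0 inet static` stanza, so the address only comes up together with the IPv4 alias; a comment stating that this is intended would save the next reader from wondering why the inet6 stanza disappeared.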
diff --git a/sto-tug-kvm2.swamid.se/overlay/opt/docker/README b/sto-tug-kvm2.swamid.se/overlay/opt/docker/README
deleted file mode 100644
index 9a5cb2a..0000000
--- a/sto-tug-kvm2.swamid.se/overlay/opt/docker/README
+++ /dev/null
@@ -1 +0,0 @@
-This is a directory to mount persistent Docker volumes to/from.