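# This manifest is managed using cosmos
#
# Site manifest for the SUNET/SWAMID/eduID operations hosts. Nodes are
# selected by certname; shared behaviour lives in the classes below.
#
# Ordering fixes in this revision: the augeas edits in fail2ban/entropyserver
# and the lxc-docker package now declare the package/source they depend on,
# so a first run on a fresh host cannot apply them out of order.

# Resource default: every Exec gets a fixed, root-owned search path so that
# commands are never resolved through an inherited PATH.
Exec {
  path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}

include cosmos::tools
include cosmos::motd
include cosmos::ntp
include cosmos::rngtools
include cosmos::preseed
include ufw
include apt
include cosmos

# you need a default node
node default {
}

# Docker engine from the upstream apt repository.
class dockerhost {
  # NOTE(review): 'A88D21E9' is a short (32-bit) key ID. Short IDs are
  # collidable; pin the full 40-hex fingerprint of the Docker signing key
  # here once it has been verified out of band.
  apt::source {'docker_official':
    location    => 'https://get.docker.com/ubuntu',
    release     => 'docker',
    repos       => 'main',
    key         => 'A88D21E9',
    include_src => false
  }
  # ensure => latest upgrades the daemon on every agent run. The package
  # must only be attempted after the signed source exists, otherwise the
  # first run on a fresh host fails (or resolves from the wrong archive).
  package {'lxc-docker':
    ensure  => latest,
    require => Apt::Source['docker_official'],
  }
  class {'docker':
    manage_package => false
  }
}

# Open HTTP and HTTPS to the world (IPv4 and IPv6).
class webserver {
  ufw::allow { "allow-http":
    ip   => 'any',
    port => 80
  }
  ufw::allow { "allow-https":
    ip   => 'any',
    port => 443
  }
}

# Preseed and install postfix for the given mail domain.
class mailclient ($domain) {
  cosmos::preseed::preseed_package {"postfix":
    ensure => present,
    domain => $domain
  }
}

# KVM host (tug): SWAMID production guests.
# NOTE(review): git:// carries no transport authentication or integrity;
# the trust in these repo URLs rests on cosmos verifying signed tags that
# match tagpattern — confirm that verification is enforced on the guests.
node 'sto-tug-kvm1.swamid.se' {
  package {'python-vm-builder':
    ensure => 'installed',
  } ->
  cosmos::dhcp_kvm { 'registry.swamid.se':
    mac        => '52:54:00:52:53:0b',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '2048',
  }
  cosmos::dhcp_kvm { 'mdx1.swamid.se':
    mac        => '52:54:00:fe:bc:09',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '2048',
  }
  cosmos::dhcp_kvm { 'md-master.reep.refeds.org':
    mac        => '52:54:00:39:8d:ac',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '2048',
  }
}

# KVM host (fre): second MDX node.
node 'sto-fre-kvm1.swamid.se' {
  package {'python-vm-builder':
    ensure => 'installed',
  } ->
  cosmos::dhcp_kvm { 'mdx2.swamid.se':
    mac        => '52:54:00:30:be:dd',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '2048',
  }
}

node 'reep.tid.isoc.org' {
}

# datasets.sunet.se: redis + the datasets web app, both as containers.
node 'datasets.sunet.se' {
  # NOTE(review): 'dockerfile/redis' is an unpinned third-party image from
  # the public hub and verify_checksum is disabled on both containers, so
  # nothing here checks what is actually run. Prefer an image hosted on
  # docker.sunet.se pinned to a tag/digest, and re-enable verification.
  docker::image {'dockerfile/redis': }
  docker::image {'docker.sunet.se/datasets': }
  file {'/opt/lobo2-redis-data':
    ensure => 'directory',
  }
  file {'/etc/ssl':
    ensure => 'directory',
  }
  docker::run {'redis':
    image           => 'dockerfile/redis',
    use_name        => true,
    volumes         => ['/opt/lobo2-redis-data:/data','/var/log:/var/log'],
    verify_checksum => false,
  }
  # The host's whole /var/log is shared read-write with both containers.
  docker::run {'datasets':
    image           => 'docker.sunet.se/datasets',
    use_name        => true,
    env             => ['BASE_URL=https://datasets.sunet.se'],
    volumes         => ['/etc/ssl:/etc/ssl','/var/log:/var/log'],
    ports           => ['80:80','443:443'],
    links           => ['redis:redis'],
    start_on        => 'docker-redis',
    verify_checksum => false,
  }
}

# docker.sunet.se: the private image registry that every other host here
# pulls from, fronted by pound for TLS.
node 'docker.sunet.se' {
  docker::image {'registry': }
  docker::image {'leifj/pound': }
  # NOTE(review): pound reaches the registry through the container link,
  # so the plaintext 80:5000 host mapping is not needed for TLS clients.
  # Left as-is in case plain-HTTP pulls are relied on; if not, bind it to
  # 127.0.0.1 (or drop it) so pushes cannot bypass TLS.
  docker::run {'sunetregistry':
    use_name => true,
    image    => 'registry',
    ports    => ['80:5000'],
    volumes  => ['/opt/registry:/tmp/registry']
  }
  docker::run {'pound':
    image   => 'leifj/pound',
    links   => ['sunetregistry:backend'],
    volumes => ['/etc/ssl:/etc/ssl'],
    ports   => ['443:443']
  }
}

# Containerised pyff metadata signer behind varnish.
class docker_signer {
  docker::image {'docker.samlbits.net/varnish': }
  docker::image {'docker.samlbits.net/pyff': }
  docker::run {'pyff':
    image   => 'docker.samlbits.net/pyff',
    volumes => ['/opt/swamid-metadata:/opt/swamid-metadata'],
    env     => ['DATADIR=/opt/swamid-metadata','LOGLEVEL=INFO']
  }
  docker::run {'varnish':
    image => 'docker.samlbits.net/varnish',
    links => ['pyff:backend'],
    ports => ['80:80']
  }
  # NOTE(review): this pulls the metadata source tree as root every five
  # minutes with no commit/tag signature check; whoever controls the remote
  # controls what gets signed. Run it as a dedicated user and verify
  # signed tags (or commits) before the signer picks the tree up.
  cron {'update-swamid-metadata':
    command => "cd /opt/swamid-metadata && git pull -q",
    user    => root,
    minute  => '*/5'
  }
}

# Native (non-container) pyff metadata signer behind varnish.
class signer {
  include cosmos::httpsproxy
  class {'varnish':
    domain   => 'swamid.se',
    backends => { mdx => 'http://localhost:8000/' },
    vhosts   => { mdx => 'mdx.swamid.se' }
  }
  # NOTE(review): varnish is the only consumer and talks to localhost, yet
  # pyff binds 0.0.0.0; registry.swamid.se below binds 127.0.0.1 for the
  # same setup. Unless something external needs port 8000, bind loopback.
  class {'pyff':
    load          => ["/opt/metadata"],
    port          => 8000,
    address       => '0.0.0.0',
    validUntil    => 'P10D',
    cacheDuration => 'PT5H',
    replace       => false
  }
  # Same caveat as in docker_signer: unauthenticated git pull as root.
  cron {'update-swamid-metadata':
    command => "cd /opt/swamid-metadata && git pull -q",
    user    => root,
    minute  => '*/5'
  }
}

node 'md-master.reep.refeds.org' {
  #include cosmos::httpsproxy
  class {'pyff':
    load          => ['/opt/peer/vf_repo'],
    validUntil    => 'P10D',
    cacheDuration => 'PT5H'
  }
}

# registry.swamid.se: PEER metadata registry plus a loopback-only pyff.
node 'registry.swamid.se' {
  class {'pyff':
    load          => ['/opt/peer/media/vf_repo'],
    validUntil    => 'P30D',
    cacheDuration => 'PT24H',
    replace       => false,
    port          => 8000,
    address       => '127.0.0.1'
  }
  $peerpkg = ['xmlsec1','libxmlsec1-openssl','libpq-dev','postgresql','postgresql-client']
  package { $peerpkg:
    ensure => installed
  }
  python::virtualenv { '/opt/peer':
    ensure => present
  }
  # Pinned to an exact release; keep it pinned when upgrading.
  python::pip { 'peer==0.13.0':
    pkgname    => 'peer==0.13.0',
    virtualenv => '/opt/peer'
  }
  #class { 'postgresql::server': }
  #postgresql::server::db { 'peer':
  #  encoding => 'utf-8',
  #  user     => 'peer',
  #  password => postgresql_password('peer', hiera('peer_db_password')),
  #}
}

# KVM lab host (tug): test and infrastructure guests.
node 'sto-tug-kvm-lab1.swamid.se' {
  package {'python-vm-builder':
    ensure => 'installed',
  } ->
  cosmos::dhcp_kvm { 'samltest.swamid.se':
    mac        => '52:54:00:3a:0a:e4',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '1024',
  }
  cosmos::dhcp_kvm { 'dane.lab.sunet.se':
    mac        => '52:54:00:8d:88:5f',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '1024',
  }
  cosmos::dhcp_kvm { 'lobo2.lab.sunet.se':
    mac        => '52:54:00:5e:72:91',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '1024',
  }
  cosmos::dhcp_kvm { 'ca.sunet.se':
    mac        => '52:54:00:4a:45:01',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '1024',
  }
  cosmos::dhcp_kvm { 'meta.swamid.se':
    mac        => '52:54:00:1c:72:1a',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus       => '1',
    memory     => '1024',
  }
}

# Static DHCP inventory: subnets (no dynamic range) and fixed MAC->IP leases.
# Hosts with _eth0/_eth1 entries are bonded and share one address.
class sunet-dhcp-hosts {
  dhcp::pool {'sunet-servernet-tug-130.242.125.64/26':
    network => '130.242.125.64',
    mask    => '255.255.255.192',
    gateway => '130.242.125.65',
    range   => ''
  }
  dhcp::pool {'sunet-servernet-fre-130.242.125.128/26':
    network => '130.242.125.128',
    mask    => '255.255.255.192',
    gateway => '130.242.125.129',
    range   => ''
  }
  dhcp::pool {'install':
    network => '130.242.125.0',
    mask    => '255.255.255.192',
    gateway => '130.242.125.1',
    range   => ''
  }
  dhcp::pool {'eduid-tug-IdP':
    network => '130.242.130.0',
    mask    => '255.255.255.248',
    gateway => '130.242.130.1',
    range   => ''
  }
  dhcp::pool {'eduid-tug-auth':
    network => '130.242.130.8',
    mask    => '255.255.255.248',
    gateway => '130.242.130.9',
    range   => ''
  }
  dhcp::pool {'eduid-tug-other':
    network => '130.242.130.16',
    mask    => '255.255.255.240',
    gateway => '130.242.130.17',
    range   => ''
  }
  dhcp::pool {'eduid-fre-IdP':
    network => '130.242.130.64',
    mask    => '255.255.255.248',
    gateway => '130.242.130.65',
    range   => ''
  }
  dhcp::pool {'eduid-fre-auth':
    network => '130.242.130.72',
    mask    => '255.255.255.248',
    gateway => '130.242.130.73',
    range   => ''
  }
  dhcp::pool {'eduid-fre-other':
    network => '130.242.130.80',
    mask    => '255.255.255.240',
    gateway => '130.242.130.81',
    range   => ''
  }
  dhcp::pool {'eduid-lla-other':
    network => '130.242.130.144',
    mask    => '255.255.255.240',
    gateway => '130.242.130.145',
    range   => ''
  }
  dhcp::pool {'eduid-lla-auth':
    network => '130.242.130.136',
    mask    => '255.255.255.248',
    gateway => '130.242.130.137',
    range   => ''
  }

  # eduID TUG hosts
  dhcp::host { 'kvmidp-tug-3_eth0': mac => "24:b6:fd:fe:fa:51", ip => "130.242.130.4", hostname => 'kvmidp-tug-3'; }
  dhcp::host { 'kvmidp-tug-3_eth1': mac => "24:b6:fd:fe:fa:52", ip => "130.242.130.4", hostname => 'kvmidp-tug-3'; }
  dhcp::host { 'idp-tug-3a': mac => "52:54:00:01:00:01", ip => "130.242.130.5"; }
  dhcp::host { 'idp-tug-3b': mac => "52:54:00:01:00:02", ip => "130.242.130.6"; }
  dhcp::host { 'auth-tug-3_eth0': mac => "f0:4d:a2:73:4e:9b", ip => "130.242.130.12", hostname => 'auth-tug-3'; }
  dhcp::host { 'auth-tug-3_eth1': mac => "f0:4d:a2:73:4e:9c", ip => "130.242.130.12", hostname => 'auth-tug-3'; }
  dhcp::host { 'kvm-tug-3_eth0': mac => "f0:4d:a2:73:4f:82", ip => "130.242.130.20", hostname => 'kvm-tug-3'; }
  dhcp::host { 'kvm-tug-3_eth1': mac => "f0:4d:a2:73:4f:83", ip => "130.242.130.20", hostname => 'kvm-tug-3'; }
  dhcp::host { 'db-tug-3_eth0': mac => "24:b6:fd:fe:fa:f0", ip => "130.242.130.21", hostname => 'db-tug-3'; }
  dhcp::host { 'db-tug-3_eth1': mac => "24:b6:fd:fe:fa:f1", ip => "130.242.130.21", hostname => 'db-tug-3'; }
  dhcp::host { 'mq-tug-3': mac => "52:54:00:03:00:22", ip => "130.242.130.22"; }
  dhcp::host { 'worker-tug-3': mac => "52:54:00:03:00:23", ip => "130.242.130.23"; }
  dhcp::host { 'signup-tug-3': mac => "52:54:00:03:00:24", ip => "130.242.130.24"; }
  dhcp::host { 'helpdesk-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; }
  dhcp::host { 'www-tug-3': mac => "52:54:00:03:00:26", ip => "130.242.130.26"; }
  dhcp::host { 'monitor-tug-3': mac => "52:54:00:03:00:27", ip => "130.242.130.27"; }
  dhcp::host { 'kvmapp-tug-3_eth0': mac => "f0:4d:a2:73:4f:0d", ip => "130.242.130.30", hostname => 'kvmapp-tug-3'; }
  dhcp::host { 'kvmapp-tug-3_eth1': mac => "f0:4d:a2:73:4f:0e", ip => "130.242.130.30", hostname => 'kvmapp-tug-3'; }

  # eduID FRE hosts
  dhcp::host { 'kvmidp-fre-3_eth0': mac => "18:03:73:41:f3:e8", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; }
  dhcp::host { 'kvmidp-fre-3_eth1': mac => "18:03:73:41:f3:e9", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; }
  dhcp::host { 'idp-fre-3a': mac => "52:54:00:04:00:01", ip => "130.242.130.69"; }
  dhcp::host { 'idp-fre-3b': mac => "52:54:00:04:00:02", ip => "130.242.130.70"; }
  dhcp::host { 'auth-fre-3_eth0': mac => "18:03:73:0f:41:3c", ip => "130.242.130.76", hostname => 'auth-fre-3'; }
  dhcp::host { 'auth-fre-3_eth1': mac => "18:03:73:0f:41:3d", ip => "130.242.130.76", hostname => 'auth-fre-3'; }
  dhcp::host { 'kvm-fre-3_eth0': mac => "f0:4d:a2:73:4b:e3", ip => "130.242.130.84", hostname => 'kvm-fre-3'; }
  dhcp::host { 'kvm-fre-3_eth1': mac => "f0:4d:a2:73:4b:e4", ip => "130.242.130.84", hostname => 'kvm-fre-3'; }
  dhcp::host { 'www-fre-3': mac => "52:54:00:06:00:01", ip => "130.242.130.86"; }
  dhcp::host { 'dashboard-fre-3': mac => "52:54:00:06:00:57", ip => "130.242.130.87"; }
  dhcp::host { 'signup-fre-3': mac => "52:54:00:06:00:58", ip => "130.242.130.88"; }
  dhcp::host { 'worker-fre-3': mac => "52:54:00:06:00:59", ip => "130.242.130.89"; }
  dhcp::host { 'mq-fre-3': mac => "52:54:00:06:00:5a", ip => "130.242.130.90"; }
  dhcp::host { 'monitor-fre-3': mac => "52:54:00:06:00:5b", ip => "130.242.130.91"; }
  dhcp::host { 'db-fre-3_eth0': mac => "f0:4d:a2:73:4f:19", ip => "130.242.130.85", hostname => 'db-fre-3'; }
  dhcp::host { 'db-fre-3_eth1': mac => "f0:4d:a2:73:4f:1a", ip => "130.242.130.85", hostname => 'db-fre-3'; }
  dhcp::host { 'kvmapp-fre-3_eth0': mac => "78:45:c4:f7:90:ec", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; }
  dhcp::host { 'kvmapp-fre-3_eth1': mac => "78:45:c4:f7:90:ed", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; }

  # eduID LLA hosts
  dhcp::host { 'db-lla-3_eth0': mac => "b0:83:fe:e2:27:4c", ip => "130.242.130.148", hostname => 'db-lla-3'; }
  dhcp::host { 'db-lla-3_eth1': mac => "b0:83:fe:e2:27:4d", ip => "130.242.130.148", hostname => 'db-lla-3'; }
  dhcp::host { 'auth-lla-3_eth0': mac => "b0:83:fe:e2:27:c6", ip => "130.242.130.140", hostname => 'auth-lla-3'; }
  dhcp::host { 'auth-lla-3_eth1': mac => "b0:83:fe:e2:27:c7", ip => "130.242.130.140", hostname => 'auth-lla-3'; }

  # eduID Development subnets
  #dhcp::pool {'eduid-tug-dev':
  #  network => '194.68.13.128',
  #  mask    => '255.255.255.224',
  #  gateway => '194.68.13.129',
  #  range   => '',
  #  options => 'domain-name-servers 109.105.111.31, 109.105.110.31',
  #}
  #dhcp::pool {'eduid-fre-dev':
  #  network => '194.68.13.160',
  #  mask    => '255.255.255.224',
  #  gateway => '194.68.13.161',
  #  range   => '',
  #  options => 'domain-name-servers 109.105.111.31, 109.105.110.31',
  #}
  dhcp::pool {'eduid-dev-tug':
    network => '130.242.130.192',
    mask    => '255.255.255.224',
    gateway => '130.242.130.193',
    range   => ''
  }
  # One big subnet used for now
  #dhcp::pool {'eduid-dev-tug-IdP':
  #  network => '130.242.130.192',
  #  mask    => '255.255.255.248',
  #  gateway => '130.242.130.201',
  #  range   => ''
  #}
  # One big subnet used for now
  #dhcp::pool {'eduid-dev-tug-auth':
  #  network => '130.242.130.200',
  #  mask    => '255.255.255.248',
  #  gateway => '130.242.130.201',
  #  range   => ''
  #}
  # One big subnet used for now
  #dhcp::pool {'eduid-dev-tug-other':
  #  network => '130.242.130.208',
  #  mask    => '255.255.255.240',
  #  gateway => '130.242.130.209',
  #  range   => ''
  #}

  # eduID TUG development hosts
  dhcp::host { 'worker-fre-1': mac => "52:54:00:a0:01:c4", ip => "130.242.130.196" }
  dhcp::host { 'actions-tug-1': mac => "52:54:00:a0:01:c5", ip => "130.242.130.197" }
  dhcp::host { 'mq-tug-1': mac => "52:54:00:a0:01:c6", ip => "130.242.130.198" }
  dhcp::host { 'proxy-tug-1': mac => "52:54:00:a0:01:c7", ip => "130.242.130.199" }
  dhcp::host { 'auth-fre-1_eth0': mac => "78:45:c4:f7:91:67", ip => "130.242.130.204", hostname => 'auth-fre-1'; }
  dhcp::host { 'auth-fre-1_eth1': mac => "78:45:c4:f7:91:68", ip => "130.242.130.204", hostname => 'auth-fre-1'; }
  dhcp::host { 'auth-tug-1_eth0': mac => "78:45:c4:f8:43:c5", ip => "130.242.130.205", hostname => 'auth-tug-1'; }
  dhcp::host { 'auth-tug-1_eth1': mac => "78:45:c4:f8:43:c6", ip => "130.242.130.205", hostname => 'auth-tug-1'; }
  dhcp::host { 'signup-tug-1': mac => "52:54:00:a0:01:d4", ip => "130.242.130.212" }
  dhcp::host { 'dash-fre-1': mac => "52:54:00:a0:01:d5", ip => "130.242.130.213" }
  dhcp::host { 'idp-fre-1': mac => "52:54:00:a0:01:d6", ip => "130.242.130.214" }
  dhcp::host { 'idp-tug-1': mac => "52:54:00:a0:01:d7", ip => "130.242.130.215" }
  dhcp::host { 'kvm-fre-1_eth0': mac => "78:45:c4:f8:45:15", ip => "130.242.130.216", hostname => 'kvm-fre-1'; }
  dhcp::host { 'kvm-fre-1_eth1': mac => "78:45:c4:f8:45:16", ip => "130.242.130.216", hostname => 'kvm-fre-1'; }
  dhcp::host { 'kvm-tug-1_eth0': mac => "78:45:c4:f8:47:be", ip => "130.242.130.217", hostname => 'kvm-tug-1'; }
  dhcp::host { 'kvm-tug-1_eth1': mac => "78:45:c4:f8:47:bf", ip => "130.242.130.217", hostname => 'kvm-tug-1'; }
  dhcp::host { 'monitor-fre-1': mac => "52:54:00:a0:01:da", ip => "130.242.130.218" }
  dhcp::host { 'mq-fre-1': mac => "52:54:00:a0:01:db", ip => "130.242.130.219" }
  dhcp::host { 'userdb-fre-1': mac => "52:54:00:a0:01:dc", ip => "130.242.130.220" }
  dhcp::host { 'userdb-tug-1': mac => "52:54:00:a0:01:dd", ip => "130.242.130.221" }
  dhcp::host { 'userdb-tug-2': mac => "52:54:00:a0:01:de", ip => "130.242.130.222" }
  #dhcp::host { 'idp-tug-1': mac => "52:54:00:a0:00:92", ip => "194.68.13.146" }
  #dhcp::host { 'testvm-tug-1': mac => "52:54:00:11:22:33", ip => "194.68.13.136" }
  #dhcp::host { 'userdb-tug-1': mac => "52:54:00:93:22:29", ip => "194.68.13.132" }
  #dhcp::host { 'userdb-tug-2': mac => "52:54:00:17:13:ff", ip => "194.68.13.133" }

  # eduID FRE development hosts
  #dhcp::host { 'idp-fre-1': mac => "52:54:00:a1:00:b2", ip => "194.68.13.178" }
  #dhcp::host { 'dash-fre-1': mac => "52:54:00:a2:00:a7", ip => "194.68.13.167" }
  #dhcp::host { 'userdb-fre-1': mac => "52:54:00:17:13:f6", ip => "194.68.13.164" }

  # SUNET TUG hosts
  dhcp::host { 'samltest': mac => "52:54:00:3a:0a:e4", ip => "130.242.125.80" }
  dhcp::host { 'dane.lab': mac => "52:54:00:8d:88:5f", ip => "130.242.125.81" }
  dhcp::host { 'meta.swamid': mac => "52:54:00:1c:72:1a", ip => "130.242.125.82" }
  dhcp::host { 'md-master.reep': mac => "52:54:00:39:8d:ac", ip => "130.242.125.83" }
  dhcp::host { 'lobo2.lab': mac => "52:54:00:5e:72:91", ip => "130.242.125.86" }
  dhcp::host { 'ca': mac => "52:54:00:4a:45:01", ip => "130.242.125.87" }

  # SUNET TUG eduID hosts (KVM host cdr1.sunet.se)
  dhcp::host { 'backup-tug-3': mac => "52:54:00:f2:7d:54", ip => "130.242.125.84" }
  dhcp::host { 'proxy-tug-3': mac => "52:54:00:f2:7d:55", ip => "130.242.125.85" }

  # SWAMID production
  dhcp::host { 'registry.swamid': mac => "52:54:00:52:53:0b", ip => "130.242.125.90" }
  dhcp::host { 'mdx1.swamid': mac => "52:54:00:fe:bc:09", ip => "130.242.125.91" }
  dhcp::host { 'mdx2.swamid': mac => "52:54:00:30:be:dd", ip => "130.242.125.92" }
}

# sshd reachable from anywhere on 22/tcp; the firewall rule is opened before
# the service is started so that the daemon never comes up unreachable.
class sshaccess {
  package { ['openssh-server', 'emacs23-nox']:
    ensure => 'installed'
  }
  # NOTE(review): "any" exposes sshd to the whole Internet; root login is
  # key-only via the ssh_authorized_key entries below, but consider
  # restricting the source to the operator networks where feasible.
  ufw::allow { 'allow-ssh-sunet':
    port  => '22',
    ip    => 'any', # both IPv4 and IPv6
    proto => 'tcp'
  } ->
  service { 'ssh':
    ensure  => 'running',
    require => Package['openssh-server'],
  }
}

# Operator root keys and OS hardening for all SUNET-managed hosts.
# Keys are installed for root directly. To revoke one, switch it to
# ensure => absent (as for swold+neo) rather than deleting the resource —
# a deleted resource leaves the key in authorized_keys.
class sunetops {
  sunet::server { 'sunet_server': }
  ssh_authorized_key {'leifj+neo':
    ensure => present,
    name   => 'leifj+neo@mnt.se',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
    type   => 'ssh-rsa',
    user   => 'root'
  }
  ssh_authorized_key {'ft+505152DD':
    ensure => present,
    name   => 'fredrik+505152DD@thulin.net',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3',
    type   => 'ssh-rsa',
    user   => 'root'
  }
  ssh_authorized_key {'ft+4030CCAD':
    ensure => present,
    name   => 'fredrik+4030CCAD@thulin.net',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/',
    type   => 'ssh-rsa',
    user   => 'root'
  }
  # Revoked key: kept as absent so it is actively removed from every host.
  ssh_authorized_key {'swold+neo':
    ensure => absent,
    name   => 'swold+neo@sunet.se',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEH/7KWri49NdhCjXW8VEdDxFl3IfIFT6QjJ47TkhCZCPZdgFl8NLKUOBE1P4jrwB+f+G+ScQ9EYN2Mnf0VhjZ3twPq2S1fosu3jmA56qhQ2J6ZNG1SvVDkgT69HZ+yoxEzbkmWuhhlb7WWVzC3h1K5Rxs8Yr9GJzIpgqH5PzI73pMAS89MYOjkhqS8NOi4onB3llFnyFZeWDB+rXj8/Q6k1u2F9KN1fPxe3EiskaJPOkPn8dEe3pOAiu+FwWyinHxO9Z4gzf55XVE8oFd36LRpoJGr32vdScSPeCksrARluEHnkEHqg6cVLcDkKnHrPITuXKj54i/jYeYGetigEuV',
    type   => 'ssh-rsa',
    user   => 'root'
  }
  ssh_authorized_key {'lundberg+9303C5DB':
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDAHMfn9PSWjGGAkMY6rh1yffdYgnlhoIC5E5NWdc5XUlY9oNYW2zhMpyhepfoh1YYv5V1QNTuO3f0zhD+ZeqPvnnA74fBM4yvWU4Qttwv2drsFOsU7nRbGSwQdww9IDidtxRuAjW5HJ9mTOJuYrIFAEHgg1Pv8sZKzHNWuZiz4I34CN2NbaZOu4eYG6pdzvB6kfYl5iL/esfhBZfegA+7x4qXvMLHEKb7wCRBABCfWu6Yy1E0jUdRWBFdqp5zsjuQlk8minh892m2C1tFcyub5dCWgLYtiQRpIjz16lMk1cM+fgS9YM7Ev62bBpRynU2wCfg1QpYMpxIq54q/XLlYv',
    ensure => present,
    user   => 'root',
    name   => 'lundberg+9303C5DB'
  }
  ssh_authorized_key {'salu+82A313B2':
    ensure => present,
    name   => 'salu+82A313B2@nordu.net',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDeqxYSykQRs9Wbh+uRCYqRUjsFfdlc4//bs3dbedE/8kZWvvSmBlcqizXKVSlABrwyqGDpxW9bD+lRC53zArDMaqYUQbkzYs0NYYeE1bA4HUI/f4SgDn7PKicJLcbIOFTEjdOAqoi+KXji6Y5kxmcNYcU/XbyUln7FCItIFTXLF6VJBR1edokXAtsQBeD+H+xJA34Ha4TkBPKSeYjt+OoCZSjW0cz9g/+T59WsLZ/uJPZNqTgP5QOnBBmqURXDosXhjfPRrUQAyySM9D0riqMY4gtUgVvvnSXZqgquk0/79JjR10QAFmauxRdYmTBG7NU8EM7bXqUeuEFQIl9aiIe3',
    type   => 'ssh-rsa',
    user   => 'root'
  }
  ssh_authorized_key {'dennis+3EE4E6C7':
    ensure => present,
    name   => 'dennis+3EE4E6C7@nordu.net',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC314jSJ575zgXl2xzwzLRLwoNaP7eXN6NlWOPq47qmoUfR1uZPPbZhvKDmMMc4WQhNPzWDFkX29tcHJar0KXVYM0zNV/hkXlh3Z9suAVFJgzdQ+VW3GsNDffYt4GHM8gUtYxdiQKhA78rIIvcvjy/e0c87lQ0zwDQjruLRw2t1mP1roVsadGnRn4H2rHnlmYqsyJrd2L/MQeKxFh0t3zKu3Hp2mGoSFpFe/5uMaHE//ZOO3tVf3fBWX3p19f6sK6kqYsSR4vMAP08cWf32xFEeNHf4ljbanQ/NIo3iPybpzGXVsPpTHXylLS+vYzDf9mOcxovhsKnJrJ3gdkqEfQyd',
    type   => 'ssh-rsa',
    user   => 'root'
  }

  # OS hardening. KVM hosts and the entropy server relax parts of the
  # bastion profile that would break them; everything else gets the
  # paranoid fixperms pass.
  if $::hostname =~ /kvm/ {
    class {'bastion':
      fstab_fix_shm        => false,
      sysctl_net_hardening => false,
    }
  } elsif $::hostname =~ /random/ {
    # pollen requires exec on /tmp
    class {'bastion':
      fixperms_enable   => false,
      fixperms_paranoia => false,
    }
  } else {
    class {'bastion':
      fstab_fix_shm     => false,
      fixperms_paranoia => true,
    }
  }
}

node 'samltest.swamid.se' {
  ssh_authorized_key {'hans-its-umu':
    name   => 'haho0032@its-admins-MacBook-Pro.local',
    ensure => present,
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCo3A5CG7fKLBLw8vhJL6Q8iweADu7qyDUokAvKR1SUitBnYw0pnd3cv3T32S/mps51YIoyKwhv2q2UGW5kYMeZtH0YjBy+l93nVBjUCLlNkz0T5gq+ePVayiqv0hUy5VMDEqLmUOquYr3ao7FBRu34HxlEj26O6Ckvk5YTImGmGqMw6kQ4aI0oIkwk3VwO2vMWSD6lgT6YCsE9g7wkD4nJpkV1PEDOx8yxwFr0kUbL3/DpudBFew/FZa4Dq4H2brExa3Q/rrnoo1GAKLzHW/V8oa8eHbRQXwchgX63UbnzQjGiaLUc5bHZwEehp2TkLYx6encctIUGi447DVCfOTsz',
    type   => 'ssh-rsa',
    user   => 'root'
  }
}

# SWAMID operator root keys (in addition to sunetops).
class swamidops {
  ssh_authorized_key {'roland-umu':
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC+tLFDNA7UXr3ZXgp6qQq7pKsTStHb+8UIEO3Act7Va3c/dz9P8Bi4+y8h33t2SACsQHXXUXAgSfmgPi+tijZ/rJrKGZJkA5LPbntca40ePU/zNWKVKGylbdnv9vz2urrr3xOmcV7yD/91k+JLwzTWiNWF6IXQC0p43EvE6BdZnLGdGAU9DPj/5rtyxWlX9Lul516dmVD2+nI8UR5bnDNl83a3lLkQyEDZMIC8QujNV8fR3pgYeRKdC7WtPcaPGv5NaF9UweBDK+7QwHTJAuIZw6S7ArA7KgOF64evOuVL0tTEyuwMHGrlE+ylxN+zOAfDvEMrxnTATR6RMcvLmTJB',
    ensure => present,
    user   => 'root',
    name   => 'roland.hedberg@adm.umu.se'
  }
  ssh_authorized_key {'lordahl-hig':
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCJ9ab81Sm3NUoOFjgM9F9HrKKTVc0sEVqUCLeWPfp6yHPuxFrejJDZVkASfGj/1XsjUQ60TrvwzYn1rsSeEwdGKFexfrQJ2SfugOWOAsPiYCZ3o3xa8ki951HYy2aeVCedlLRoVagn2iUP1uqVmwImxrV8CydaaQYUJgP/qD0Iy5MWxAJGRIVMKnnACs+F8dgULq0P/pID85QXAZkSuGl4urkp2+tCHxAiMxscbtDtsoV71ILZ+OQQJe4kDb5si6rE730JXeBuEPU1k//+5HbGspoI7SuZUeiFfoKLXppoFkHS+ShI4oC3PIbe76f+tpwbUBGrJw/9vzBWOBiVrSnR',
    ensure => present,
    user   => 'root',
    name   => 'anders@merlin'
  }
  ssh_authorized_key {'aslund-umu':
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCZMok+obrCgHY0atsLp777lBrxvMYEHmHK0+DXHBnRBH9CK9gjquH3fmv/Eq1bHm4UUOOJ0zk67mVdFcOwX4p7XbxHolURLFPu1QBWgiT6vRGrWOthcDa1I5iSJ0ez7SBrtD4Si5juKq1T6mNVEbHn9NlOoGR4NVGQI1v90bywnhdT9m12Y487e4HYyjDE3G/S0v6Pkj4uaehrWHAbrgXYEkleuhGJesNQrfxDx31BZbqJs8wqZ9csgHaBgiiN/lplsZlL7GuHqytoSPKwVJ7EK/ZvFLir3IoP5G9IR0eUY4+SZUEjmxJL+JyBXGQJPJx1qIPiQZSb+38tBT2742Fx',
    ensure => present,
    user   => 'root',
    name   => 'fredrik.aslund@umu.se-yubikey-neo'
  }
}

# KVM host (tug) for the eduID v3 backup and proxy guests.
node 'cdr1.sunet.se' {
  package {'python-vm-builder':
    ensure => 'installed',
  } ->
  cosmos::dhcp_kvm { 'backup-tug-3.eduid.se':
    mac        => '52:54:00:f2:7d:54',
    repo       => 'git://git.nordu.net/eduid-ops.git',
    tagpattern => 'eduid-v3',
    cpus       => '1',
    memory     => '512',
    suite      => 'trusty',
    extras     => '--addpkg linux-image-generic --tmpfs -',
  }
  cosmos::dhcp_kvm { 'proxy-tug-3.eduid.se':
    mac        => '52:54:00:f2:7d:55',
    repo       => 'git://git.nordu.net/eduid-ops.git',
    tagpattern => 'eduid-v3',
    cpus       => '1',
    memory     => '512',
    suite      => 'trusty',
    extras     => '--addpkg linux-image-generic --tmpfs -',
  }
}

# flog (postgres + app + nginx) as containers, NRPE reachable only from the
# monitoring host.
node 'sto-tug-kvm2.swamid.se' {
  class { 'fail2ban': }
  package {'nagios-nrpe-server':
    ensure => 'installed',
  } ->
  ufw::allow { "allow-nrpe-v4":
    from  => '109.105.111.111',
    ip    => 'any',
    proto => 'tcp',
    port  => 5666
  }
  ufw::allow { "allow-nrpe-v6":
    from  => '2001:948:4:6::111',
    ip    => 'any',
    proto => 'tcp',
    port  => 5666
  }
  file {'/var/docker':
    ensure => 'directory',
  } ->
  sunet::system_user {'postgres-system-user':
    username => 'postgres',
    group    => 'postgres',
  } ->
  sunet::add_user_to_group { 'postgres_ssl_cert_access':
    username => 'postgres',
    group    => 'ssl-cert',
  } ->
  sunet::system_user {'www-data-system-user':
    username => 'www-data',
    group    => 'www-data',
  } ->
  file {'/var/docker/postgresql_data':
    ensure => 'directory',
    owner  => 'postgres',
    group  => 'root',
    mode   => '0770',
  } ->
  file {'/var/docker/postgresql_data/backup':
    ensure => 'directory',
    owner  => 'postgres',
    group  => 'root',
    mode   => '0770',
  } ->
  file {'/var/log/flog_db':
    ensure => 'directory',
    owner  => 'root',
    group  => 'postgres',
    mode   => '1775',
  } ->
  # NOTE(review): /var/log/flog_app and /var/log/flog_cron are prepared
  # with www-data group write, but flog_app below mounts /var/log/flog/ and
  # flog_nginx mounts /var/log/flog_nginx/ — neither is created here, so
  # docker will create them root-owned 0755. Confirm which paths the images
  # write to and align the mounts with these directories.
  file {'/var/log/flog_app':
    ensure => 'directory',
    owner  => 'root',
    group  => 'www-data',
    mode   => '1775',
  } ->
  file {'/var/log/flog_cron':
    ensure => 'directory',
    owner  => 'root',
    group  => 'www-data',
    mode   => '1775',
  } ->
  sunet::docker_run {'flog_db':
    image   => 'docker.sunet.se/flog/postgresql-9.3',
    volumes => ['/opt/flog/postgres/ssl:/etc/ssl', '/var/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'],
  } ->
  sunet::docker_run {'flog_app':
    image   => 'docker.sunet.se/flog/flog_app',
    volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog/:/opt/flog/logs/'],
  } ->
  sunet::docker_run {'flog_nginx':
    image   => 'docker.sunet.se/flog/nginx',
    ports   => ['80:80', '443:443'],
    volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'],
  }
}

# DHCP server for the SUNET/eduID server networks.
class sunet-cdr {
  # Listen on br0 if it exists (cdr1), otherwise bond0 (cdr2).
  $interface = $::ipaddress_br0 ? {
    undef   => 'bond0',
    default => 'br0',
  }
  class { 'dhcp':
    dnsdomain   => [ 'eduid.se','sunet.se','swamid.se' ],
    nameservers => ['130.242.80.14','130.242.80.99'],
    ntpservers  => ['ntp1.nordu.net','ntp2.nordu.net','Time1.Stupi.SE'],
    interfaces  => [$interface],
    #pxeserver   => '130.242.125.5',
    #pxefilename => 'pxelinux.0'
  }
  class { 'sunet-dhcp-hosts': }
}

# pollen entropy service fed from the Quantis hardware RNG.
class entropyserver {
  include augeas
  apt::ppa {'ppa:ndn/pollen': } ->
  package {'pollen': } ->
  service {'pollen':
    ensure => 'running'
  }
  # /etc/default/pollen only exists once the package is installed; declare
  # that dependency so the first run does not race the package.
  augeas { "pollen_defaults":
    incl    => "/etc/default/pollen",
    lens    => "Shellvars.lns",
    changes => [
      'set DEVICE "/dev/qrandom0"',
    ],
    require => Package['pollen'],
    notify  => Service['pollen'],
  } ->
  ufw::allow { "allow-pollen-http-tcp":
    ip   => 'any',
    port => 80
  }
  ufw::allow { "allow-pollen-https-tcp":
    ip   => 'any',
    port => 443
  }
}

# fail2ban with a long ban time.
class fail2ban {
  include augeas
  package {'fail2ban':
    ensure => 'latest'
  } ->
  service {'fail2ban':
    ensure => 'running'
  }
  # NOTE(review): jail.conf is shipped by the package and is replaced on
  # upgrade (ensure => latest), so the override is lost until the next
  # agent run; fail2ban reads jail.local for local settings. Also confirm
  # the intended value — "600800" looks like a typo for 604800 (7 days).
  augeas { "fail2ban_defaults":
    incl    => "/etc/fail2ban/jail.conf",
    lens    => "Shellvars.lns",
    changes => [
      'set bantime "600800"',
    ],
    require => Package['fail2ban'],
    notify  => Service['fail2ban'],
  }
}

# Quantis PCI hardware RNG driver.
class quantis {
  apt::ppa {'ppa:ndn/quantispci': }
  package {'quantispci-dkms': }
}

class webcommon {
}

class webfrontend {
  class { 'webcommon': }
  docker::image {'docker.sunet.se/pound': }
  docker::image {'docker.sunet.se/varnish': }
}

class webappserver {
  class { 'webcommon': }
  class { 'fail2ban': }
}

class webbackend {
  # NOTE(review): the etcd discovery token is a cluster-join credential
  # committed in clear text here. Move it to hiera and rotate it; anyone
  # with this URL can register a member with the cluster.
  sunet::etcd_node {'sunetweb':
    disco_url => 'https://discovery.etcd.io/18a9395c6190ecf075d419e2c13c199b'
  }
  class { 'webcommon': }
}

node 'web-a1.sunet.se' {
  sunet::wordpress {'www_sunet_se': }
}

# Infrastructure CA: HSM-backed (PKCS#11) CA with autosigning of requests
# dropped into the client/server request directories, and an httpd
# container publishing the public repository (certs/CRLs) over port 80.
node 'ca.sunet.se' {
  # NOTE(review): the autosign directories get default ownership/mode; any
  # local account that can write a CSR there receives a signed infra cert.
  # Restrict them to the account that is meant to submit requests.
  file { ["/var/www","/var/www/html","/var/lib/ca","/var/lib/ca/infra","/var/lib/ca/infra/requests","/var/lib/ca/infra/requests/client","/var/lib/ca/infra/requests/server"]:
    ensure => directory
  } ->
  class { 'sunet::dockerhost': } ->
  sunet::docker_run { "ca.sunet.se_apache":
    image    => 'httpd',
    imagetag => '2.4',
    ports    => ["80:80"],
    volumes  => ["/var/www/html:/usr/local/apache2/htdocs"]
  }
  # The PKCS#11 PIN comes from hiera, never from this manifest.
  sunet::ici_ca{"infra_ca":
    pkcs11_pin      => hiera('ca_infra_pkcs11_pin'),
    public_repo_url => "http://ca.sunet.se/infra",
    public_repo_dir => "/var/www/html/infra"
  }
  sunet::ici_ca::autosign{"infra_ca_clients":
    ca            => "infra_ca",
    autosign_dir  => "/var/lib/ca/infra/requests/client",
    autosign_type => "client",
  }
  sunet::ici_ca::autosign{"infra_ca_servers":
    ca            => "infra_ca",
    autosign_dir  => "/var/lib/ca/infra/requests/server",
    autosign_type => "server",
  }
  # webserver also opens 443, although only the port-80 httpd listens here.
  class { 'webserver': }
}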