# This manifest is managed using cosmos

# Resource default: exec resources covered by this default look up commands
# in these directories, in this order.
Exec {
  path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}

# Pull in the sunet class (defined outside this manifest).
include sunet

# Installs the OpenSSH server (plus emacs23-nox), opens TCP/22 in ufw and
# keeps the ssh service running.
#
# NOTE(review): the firewall rule admits SSH from any source address. If
# operators connect from known networks, narrowing `ip` would reduce exposure
# to password guessing and pre-authentication bugs.
class sshaccess {
  package { ['openssh-server', 'emacs23-nox']:
    ensure => 'installed',
  }

  # The firewall rule is ordered before the service resource.
  ufw::allow { 'allow-ssh-sunet':
    proto => 'tcp',
    port  => '22',
    ip    => 'any',    # both IPv4 and IPv6
  } ->
  service { 'ssh':
    ensure => 'running',
  }
}

# Installs postfix through sunet::preseed_package, passing $domain to it in
# the options hash.
class mailclient ($domain) {
  sunet::preseed_package { 'postfix':
    ensure  => 'present',
    options => { 'domain' => $domain },
  }
}

# you need a default node, all nodes need ssh + ufw
# Catch-all for hosts that have no node block of their own; the body itself
# declares nothing.
node default {
}

# Baseline role: SSH access, SUNET tools, MOTD, NTP, ufw and apt.
class nunoc {
  include sshaccess

  # Hosts with "random" in their hostname skip sunet::simple_entropy.
  unless $::hostname =~ /random/ {
    include sunet::simple_entropy
  }

  include sunet::tools
  include sunet::motd
  include sunet::ntp
  include ufw
  include apt
}

# Adds the Docker apt repository, installs lxc-docker from it and declares
# the docker class with its own package management switched off.
#
# NOTE(review): 'A88D21E9' is an 8-hex-digit short key ID. Short IDs are not
# collision resistant, so a different key sharing the same short ID could be
# trusted for this repository. Pin the full 40-hex-digit fingerprint of the
# intended key instead (<FULL_KEY_FINGERPRINT>).
class dockerhost {
  apt::source { 'docker_official':
    location    => 'https://get.docker.com/ubuntu',
    release     => 'docker',
    repos       => 'main',
    key         => 'A88D21E9',
    include_src => false,
  }

  # 'latest' upgrades the package whenever the repository publishes a newer
  # build; pin a version if upgrades have to be reviewed first.
  package { 'lxc-docker':
    ensure => 'latest',
  }

  class { 'docker':
    manage_package => false,
  }
}

# Opens ports 80 and 443 in ufw for any source address.
class webserver {
  ufw::allow { 'allow-http':
    port => 80,
    ip   => 'any',
  }

  ufw::allow { 'allow-https':
    port => 443,
    ip   => 'any',
  }
}

# KVM host: installs python-vm-builder and defines three guests through
# sunet::dhcp_kvm.
#
# NOTE(review): git:// is an unauthenticated, unencrypted transport, so what
# a guest clones can be altered in transit. Presumably integrity rests on
# verifying signed tags that match tagpattern — confirm the bootstrap enforces
# that, or move to an authenticated transport.
node 'sto-tug-kvm1.swamid.se' {
  # Only the first guest is chained after the package; the other two carry no
  # explicit ordering in this block.
  package { 'python-vm-builder':
    ensure => 'installed',
  } ->
  sunet::dhcp_kvm { 'registry.swamid.se':
    cpus       => '1',
    memory     => '2048',
    mac        => '52:54:00:52:53:0b',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
  }

  sunet::dhcp_kvm { 'mdx1.swamid.se':
    cpus       => '1',
    memory     => '2048',
    mac        => '52:54:00:fe:bc:09',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
  }

  sunet::dhcp_kvm { 'md-master.reep.refeds.org':
    cpus       => '1',
    memory     => '2048',
    mac        => '52:54:00:39:8d:ac',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
  }
}

# KVM host: installs python-vm-builder, then defines the mdx2 guest.
#
# NOTE(review): the guest repository is fetched over git://, which gives no
# transport authentication or integrity. Confirm that signed-tag verification
# (tagpattern) is enforced before the content is applied.
node 'sto-fre-kvm1.swamid.se' {
  package { 'python-vm-builder':
    ensure => 'installed',
  } ->
  sunet::dhcp_kvm { 'mdx2.swamid.se':
    cpus       => '1',
    memory     => '2048',
    mac        => '52:54:00:30:be:dd',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
  }
}

# Node entry with an empty body: nothing is declared for this host here.
node 'reep.tid.isoc.org' {
   
}

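# Docker host for datasets.sunet.se: a redis container and the datasets
# application container, the latter published on host ports 80 and 443.
# All resources are chained, so they are applied in the order written.
#
# NOTE(review): both containers use the 'latest' tag, so the image that runs
# can change between pulls without any change to this manifest. Both also
# mount the host's /var/log, and the application container mounts all of
# /etc/ssl; confirm that the containers need that much of the host.
node 'datasets.sunet.se' {
   class {'sunet::dockerhost': } ->
   file {'/opt/lobo2-redis-data':
      ensure => 'directory',
   } ->
   file {'/etc/ssl':
      ensure => 'directory',
   } ->
   # The user type accepts present/absent/role for ensure; the previous value
   # 'exists' is not one of them and fails validation.
   user { 'redis': ensure => present, system => true } ->
   sunet::docker_run {'datasets-redis':
      image    => 'redis',
      imagetag => 'latest',
      volumes  => ['/opt/lobo2-redis-data:/data','/var/log:/var/log'],
   } ->
   sunet::docker_run {'datasets':
      image    => 'docker.sunet.se/datasets',
      imagetag => 'latest',
      volumes  => ['/etc/ssl:/etc/ssl','/var/log:/var/log'],
      ports    => ['80:80','443:443'],
      env      => ["REDIS_PORT=tcp://datasets-redis.docker:6379",'BASE_URL=https://datasets.sunet.se'],
      start_on => 'docker-datasets-redis'
   }
}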

# Registry host: runs a 'registry' container and a 'registry-auth' container
# that is linked to it as "backend" and published on 443.
#
# NOTE(review): the registry container is itself published on host port 80
# (80:5000). If that port is reachable by clients, requests can reach the
# registry without passing through registry-auth. Confirm a firewall rule
# blocks it, or drop the host port mapping and rely on the container link.
# NOTE(review): neither image is pinned to a tag or digest.
node 'docker.sunet.se' {
   class { 'sunet::nagios': }
   docker::image {'registry': }
   docker::image {'docker.sunet.se/registry-auth': }
   docker::run {'sunetregistry':
      use_name        => true,
      image           => 'registry',
      ports           => ['80:5000'],
      volumes         => ['/opt/registry:/tmp/registry'],
      # NOTE(review): a checksum verification is switched off here — confirm
      # what it covers in docker::run before leaving it disabled.
      verify_checksum => false
   }
   docker::run {'registry-auth':
      use_name => true,
      image   => 'docker.sunet.se/registry-auth',
      links   => ['sunetregistry:backend'],
      # The host's whole /etc/ssl tree is mounted into the container.
      volumes => ['/etc/ssl:/etc/ssl'],
      ports   => ['443:443'],
      env     => ['PUBLIC_HOSTNAME=docker.sunet.se'],
      verify_checksum => false
   }
}

# Runs pyff and a varnish front end (linked to pyff as "backend", published
# on port 80) as Docker containers, and refreshes /opt/swamid-metadata from
# git every five minutes.
#
# NOTE(review): the cron job runs `git pull` as root, and nothing in this
# block verifies what was fetched before pyff reads it from
# /opt/swamid-metadata. Confirm that signature or commit verification happens
# elsewhere, and consider running the pull as an unprivileged user.
# NOTE(review): neither image is pinned to a tag or digest.
class docker_signer {
  docker::image { 'docker.samlbits.net/varnish': }
  docker::image { 'docker.samlbits.net/pyff': }

  docker::run { 'pyff':
    image   => 'docker.samlbits.net/pyff',
    env     => ['DATADIR=/opt/swamid-metadata', 'LOGLEVEL=INFO'],
    volumes => ['/opt/swamid-metadata:/opt/swamid-metadata'],
  }

  docker::run { 'varnish':
    image => 'docker.samlbits.net/varnish',
    ports => ['80:80'],
    links => ['pyff:backend'],
  }

  cron { 'update-swamid-metadata':
    user    => 'root',
    minute  => '*/5',
    command => 'cd /opt/swamid-metadata && git pull -q',
  }
}

# Metadata signer role: cosmos::httpsproxy, a varnish instance for
# mdx.swamid.se backed by a local pyff on port 8000, and a cron job that
# refreshes /opt/swamid-metadata from git every five minutes.
class signer {
   include cosmos::httpsproxy
   class {'varnish': 
      domain => 'swamid.se',
      backends => {
         mdx => 'http://localhost:8000/'
      },
      vhosts => {
         mdx => 'mdx.swamid.se'
      }
   }
   class {'pyff':
      load => ["/opt/metadata"],
      port => 8000,
      # NOTE(review): pyff listens on every interface although varnish reaches
      # it through localhost. Binding to 127.0.0.1 (as the registry.swamid.se
      # node does) would keep clients from bypassing the proxy; otherwise
      # confirm the firewall blocks port 8000.
      address => '0.0.0.0',
      validUntil => 'P10D',
      cacheDuration => 'PT5H',
      replace => false
   }
   # NOTE(review): runs `git pull` as root with no verification visible here;
   # confirm the fetched content is authenticated before it is used.
   cron {'update-swamid-metadata':
      command => "cd /opt/swamid-metadata && git pull -q",
      user    => root,
      minute  => '*/5'
   }
}

# Runs pyff over /opt/peer/vf_repo with a 10-day validUntil and a 5-hour
# cacheDuration. The HTTPS proxy include is currently commented out.
node 'md-master.reep.refeds.org' {
  #include cosmos::httpsproxy
  class { 'pyff':
    load          => ['/opt/peer/vf_repo'],
    cacheDuration => 'PT5H',
    validUntil    => 'P10D',
  }
}

# Metadata registry host: pyff bound to the loopback address on port 8000,
# the xmlsec/PostgreSQL packages, and a Python virtualenv at /opt/peer with
# peer pinned to version 0.13.0.
node 'registry.swamid.se' {
   class {'pyff':
      load => ['/opt/peer/media/vf_repo'],
      validUntil => 'P30D',
      cacheDuration => 'PT24H',
      replace => false,
      port => 8000,
      # Loopback only: pyff is not reachable from other hosts directly.
      address => '127.0.0.1'
   }
   $peerpkg = ['xmlsec1','libxmlsec1-openssl','libpq-dev','postgresql','postgresql-client']
   package { $peerpkg: ensure => installed }
   python::virtualenv { '/opt/peer':
     ensure => present
   } 
   # The version is pinned in both the resource title and pkgname.
   python::pip { 'peer==0.13.0':
     pkgname => 'peer==0.13.0',
     virtualenv => '/opt/peer'
   }

   # Disabled database setup. It reads the database password from hiera
   # rather than embedding it in this manifest.
   #class { 'postgresql::server': }

   #postgresql::server::db { 'peer':
   #  encoding => 'utf-8',
   #  user     => 'peer',
   #  password => postgresql_password('peer', hiera('peer_db_password')),
   #}
}

# Lab KVM host: installs python-vm-builder and defines five DHCP-configured
# guests with 1 CPU and 1024 MB each. Only the first guest is chained after
# the package resource.
#
# NOTE(review): every guest clones its configuration over git://, which has
# no transport authentication or integrity. ca.sunet.se is among these
# guests, so confirm that signed-tag verification (tagpattern) is enforced
# before the content is applied.
node 'sto-tug-kvm-lab1.swamid.se' {

   package {'python-vm-builder':
     ensure    => 'installed',
   } ->

   sunet::dhcp_kvm { 'samltest.swamid.se':
     mac        => '52:54:00:3a:0a:e4',
     repo       => 'git://git.nordu.net/sunet-ops.git',
     tagpattern => 'sunet-ops',
     cpus       => '1',
     memory     => '1024',
   }

   sunet::dhcp_kvm { 'dane.lab.sunet.se':
     mac        => '52:54:00:8d:88:5f',
     repo       => 'git://git.nordu.net/sunet-ops.git',
     tagpattern => 'sunet-ops',
     cpus       => '1',
     memory     => '1024',
   }

   sunet::dhcp_kvm { 'lobo2.lab.sunet.se':
     mac        => '52:54:00:5e:72:91',
     repo       => 'git://git.nordu.net/sunet-ops.git',
     tagpattern => 'sunet-ops',
     cpus       => '1',
     memory     => '1024',
   }

   sunet::dhcp_kvm { 'ca.sunet.se':
     mac        => '52:54:00:4a:45:01',
     repo       => 'git://git.nordu.net/sunet-ops.git',
     tagpattern => 'sunet-ops',
     cpus       => '1',
     memory     => '1024',
   }

   sunet::dhcp_kvm { 'meta.swamid.se':
     mac        => '52:54:00:1c:72:1a',
     repo       => 'git://git.nordu.net/sunet-ops.git',
     tagpattern => 'sunet-ops',
     cpus       => '1',
     memory     => '1024',
   }

   # Disabled static-IP guest, kept for reference.
   #sunet::cloudimage { 'test.sunet.se':
   #  dhcp       => false,
   #  repo       => 'git://git.nordu.net/sunet-ops.git',
   #  tagpattern => 'sunet-ops',
   #  cpus       => '1',
   #  memory     => '1024',
   #  ip         => '130.242.125.88',
   #  netmask    => '255.255.255.192',
   #  gateway    => '130.242.125.65',
   #  resolver   => '130.242.80.14 130.242.80.99'
   #}
}

# Lab KVM host with one statically addressed guest built from a cloud image.
#
# NOTE(review): the guest repository is fetched over git://, which gives no
# transport authentication or integrity. Confirm that signed-tag verification
# (tagpattern) is enforced before the content is applied.
node 'sto-tug-kvm-lab2.swamid.se' {
  sunet::cloudimage { 'met.swamid.se':
    cpus       => '2',
    memory     => '8192',
    repo       => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    # Static addressing: DHCP is off and the network settings are given here.
    dhcp       => false,
    ip         => '130.242.125.88',
    netmask    => '255.255.255.192',
    gateway    => '130.242.125.65',
    resolver   => '130.242.80.14 130.242.80.99',
  }
}

# DHCP subnets and fixed host entries for the SUNET server networks and the
# eduID networks. Every pool is declared with an empty range, and every host
# entry ties one MAC address to one IP address. Hosts with two interfaces
# (_eth0/_eth1) map both MACs to the same IP and set hostname explicitly.
#
# NOTE(review): a MAC-keyed entry is an addressing convenience, not an
# authentication control: any machine on the segment that presents a listed
# MAC is handed that address.
class sunet-dhcp-hosts {

   dhcp::pool {'sunet-servernet-tug-130.242.125.64/26':
      network => '130.242.125.64',
      mask => '255.255.255.192',
      gateway => '130.242.125.65',
      range => ''
   }

   dhcp::pool {'sunet-servernet-fre-130.242.125.128/26':
      network => '130.242.125.128',
      mask => '255.255.255.192',
      gateway => '130.242.125.129',
      range => ''
   }

   dhcp::pool {'install':
      network => '130.242.125.0',
      mask => '255.255.255.192',
      gateway => '130.242.125.1',
      range => ''
   }

   dhcp::pool {'eduid-tug-IdP':
      network => '130.242.130.0',
      mask => '255.255.255.248',
      gateway => '130.242.130.1',
      range => ''
   }

   dhcp::pool {'eduid-tug-auth':
      network => '130.242.130.8',
      mask => '255.255.255.248',
      gateway => '130.242.130.9',
      range => ''
   }

   dhcp::pool {'eduid-tug-other':
      network => '130.242.130.16',
      mask => '255.255.255.240',
      gateway => '130.242.130.17',
      range => ''
   }

   dhcp::pool {'eduid-fre-IdP':
      network => '130.242.130.64',
      mask => '255.255.255.248',
      gateway => '130.242.130.65',
      range => ''
   }

   dhcp::pool {'eduid-fre-auth':
      network => '130.242.130.72',
      mask => '255.255.255.248',
      gateway => '130.242.130.73',
      range => ''
   }

   dhcp::pool {'eduid-fre-other':
      network => '130.242.130.80',
      mask => '255.255.255.240',
      gateway => '130.242.130.81',
      range => ''
   }

   dhcp::pool {'eduid-lla-other':
      network => '130.242.130.144',
      mask => '255.255.255.240',
      gateway => '130.242.130.145',
      range => ''
   }

   dhcp::pool {'eduid-lla-auth':
      network => '130.242.130.136',
      mask => '255.255.255.248',
      gateway => '130.242.130.137',
      range => ''
   }


   # eduID TUG hosts

   dhcp::host { 'kvmidp-tug-3_eth0':    mac => "24:b6:fd:fe:fa:51", ip => "130.242.130.4", hostname => 'kvmidp-tug-3'; }
   dhcp::host { 'kvmidp-tug-3_eth1':    mac => "24:b6:fd:fe:fa:52", ip => "130.242.130.4", hostname => 'kvmidp-tug-3'; }

   dhcp::host { 'idp-tug-3a':           mac => "52:54:00:01:00:01", ip => "130.242.130.5"; }

   dhcp::host { 'idp-tug-3b':           mac => "52:54:00:01:00:02", ip => "130.242.130.6"; }

   dhcp::host { 'auth-tug-3_eth0':      mac => "f0:4d:a2:73:4e:9b", ip => "130.242.130.12", hostname => 'auth-tug-3'; }
   dhcp::host { 'auth-tug-3_eth1':      mac => "f0:4d:a2:73:4e:9c", ip => "130.242.130.12", hostname => 'auth-tug-3'; }

   dhcp::host { 'kvm-tug-3_eth0':       mac => "f0:4d:a2:73:4f:82", ip => "130.242.130.20", hostname => 'kvm-tug-3'; }
   dhcp::host { 'kvm-tug-3_eth1':       mac => "f0:4d:a2:73:4f:83", ip => "130.242.130.20", hostname => 'kvm-tug-3'; }

   dhcp::host { 'db-tug-3_eth0':        mac => "24:b6:fd:fe:fa:f0", ip => "130.242.130.21", hostname => 'db-tug-3'; }
   dhcp::host { 'db-tug-3_eth1':        mac => "24:b6:fd:fe:fa:f1", ip => "130.242.130.21", hostname => 'db-tug-3'; }

   dhcp::host { 'mq-tug-3':             mac => "52:54:00:03:00:22", ip => "130.242.130.22"; }
   dhcp::host { 'worker-tug-3':         mac => "52:54:00:03:00:23", ip => "130.242.130.23"; }
   dhcp::host { 'signup-tug-3':         mac => "52:54:00:03:00:24", ip => "130.242.130.24"; }
   dhcp::host { 'dashboard-tug-3':      mac => "52:54:00:03:00:25", ip => "130.242.130.25"; }
   dhcp::host { 'www-tug-3':            mac => "52:54:00:03:00:26", ip => "130.242.130.26"; }
   dhcp::host { 'monitor-tug-3':        mac => "52:54:00:03:00:27", ip => "130.242.130.27"; }

   dhcp::host { 'kvmapp-tug-3_eth0':    mac => "f0:4d:a2:73:4f:0d", ip => "130.242.130.30", hostname => 'kvmapp-tug-3'; }
   dhcp::host { 'kvmapp-tug-3_eth1':    mac => "f0:4d:a2:73:4f:0e", ip => "130.242.130.30", hostname => 'kvmapp-tug-3'; }


   # eduID FRE hosts

   dhcp::host { 'kvmidp-fre-3_eth0':    mac => "18:03:73:41:f3:e8", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; }
   dhcp::host { 'kvmidp-fre-3_eth1':    mac => "18:03:73:41:f3:e9", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; }

   dhcp::host { 'idp-fre-3a':           mac => "52:54:00:04:00:01", ip => "130.242.130.69"; }

   dhcp::host { 'idp-fre-3b':           mac => "52:54:00:04:00:02", ip => "130.242.130.70"; }

   dhcp::host { 'auth-fre-3_eth0':      mac => "18:03:73:0f:41:3c", ip => "130.242.130.76", hostname => 'auth-fre-3'; }
   dhcp::host { 'auth-fre-3_eth1':      mac => "18:03:73:0f:41:3d", ip => "130.242.130.76", hostname => 'auth-fre-3'; }

   dhcp::host { 'kvm-fre-3_eth0':       mac => "f0:4d:a2:73:4b:e3", ip => "130.242.130.84", hostname => 'kvm-fre-3'; }
   dhcp::host { 'kvm-fre-3_eth1':       mac => "f0:4d:a2:73:4b:e4", ip => "130.242.130.84", hostname => 'kvm-fre-3'; }

   dhcp::host { 'www-fre-3':            mac => "52:54:00:06:00:01", ip => "130.242.130.86"; }
   dhcp::host { 'dashboard-fre-3':      mac => "52:54:00:06:00:57", ip => "130.242.130.87"; }
   dhcp::host { 'signup-fre-3':         mac => "52:54:00:06:00:58", ip => "130.242.130.88"; }
   dhcp::host { 'worker-fre-3':         mac => "52:54:00:06:00:59", ip => "130.242.130.89"; }
   dhcp::host { 'mq-fre-3':             mac => "52:54:00:06:00:5a", ip => "130.242.130.90"; }
   dhcp::host { 'monitor-fre-3':        mac => "52:54:00:06:00:5b", ip => "130.242.130.91"; }

   dhcp::host { 'db-fre-3_eth0':        mac => "f0:4d:a2:73:4f:19", ip => "130.242.130.85", hostname => 'db-fre-3'; }
   dhcp::host { 'db-fre-3_eth1':        mac => "f0:4d:a2:73:4f:1a", ip => "130.242.130.85", hostname => 'db-fre-3'; }

   dhcp::host { 'kvmapp-fre-3_eth0':    mac => "78:45:c4:f7:90:ec", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; }
   dhcp::host { 'kvmapp-fre-3_eth1':    mac => "78:45:c4:f7:90:ed", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; }

   # eduID LLA hosts

   dhcp::host { 'db-lla-3_eth0':        mac => "b0:83:fe:e2:27:4c", ip => "130.242.130.148", hostname => 'db-lla-3'; }
   dhcp::host { 'db-lla-3_eth1':        mac => "b0:83:fe:e2:27:4d", ip => "130.242.130.148", hostname => 'db-lla-3'; }

   dhcp::host { 'auth-lla-3_eth0':      mac => "b0:83:fe:e2:27:c6", ip => "130.242.130.140", hostname => 'auth-lla-3'; }
   dhcp::host { 'auth-lla-3_eth1':      mac => "b0:83:fe:e2:27:c7", ip => "130.242.130.140", hostname => 'auth-lla-3'; }


   # eduID Development subnets
   # The two 194.68.13.x pools below are disabled.
   #dhcp::pool {'eduid-tug-dev':
   #   network => '194.68.13.128',
   #   mask    => '255.255.255.224',
   #   gateway => '194.68.13.129',
   #   range   => '',
   #   options => 'domain-name-servers 109.105.111.31, 109.105.110.31',
   #}

   #dhcp::pool {'eduid-fre-dev':
   #   network => '194.68.13.160',
   #   mask    => '255.255.255.224',
   #   gateway => '194.68.13.161',
   #   range   => '',
   #   options => 'domain-name-servers 109.105.111.31, 109.105.110.31',
   #}

   # Active development pool: one /27 in place of the three smaller pools
   # that are commented out below.
   dhcp::pool {'eduid-dev-tug':
     network => '130.242.130.192',
     mask    => '255.255.255.224',
     gateway => '130.242.130.193',
     range   => ''
   }

   # One big subnet used for now
   #dhcp::pool {'eduid-dev-tug-IdP':
   #  network => '130.242.130.192',
   #  mask    => '255.255.255.248',
   #  gateway => '130.242.130.201',
   #  range   => ''
   #}

   # One big subnet used for now
   #dhcp::pool {'eduid-dev-tug-auth':
   #  network => '130.242.130.200',
   #  mask    => '255.255.255.248',
   #  gateway => '130.242.130.201',
   #  range   => ''
   #}

   # One big subnet used for now
   #dhcp::pool {'eduid-dev-tug-other':
   #  network => '130.242.130.208',
   #  mask    => '255.255.255.240',
   #  gateway => '130.242.130.209',
   #  range   => ''
   #}

   # eduID TUG development hosts
   dhcp::host { 'worker-fre-1':         mac => "52:54:00:a0:01:c4", ip => "130.242.130.196" }
   dhcp::host { 'dash-tug-1':           mac => "52:54:00:a0:01:c5", ip => "130.242.130.197" }
   dhcp::host { 'mq-tug-1':             mac => "52:54:00:a0:01:c6", ip => "130.242.130.198" }
   dhcp::host { 'proxy-tug-1':          mac => "52:54:00:a0:01:c7", ip => "130.242.130.199" }

   dhcp::host { 'auth-fre-1_eth0':      mac => "78:45:c4:f7:91:67", ip => "130.242.130.204", hostname => 'auth-fre-1'; }
   dhcp::host { 'auth-fre-1_eth1':      mac => "78:45:c4:f7:91:68", ip => "130.242.130.204", hostname => 'auth-fre-1'; }

   dhcp::host { 'auth-tug-1_eth0':      mac => "78:45:c4:f8:43:c5", ip => "130.242.130.205", hostname => 'auth-tug-1'; }
   dhcp::host { 'auth-tug-1_eth1':      mac => "78:45:c4:f8:43:c6", ip => "130.242.130.205", hostname => 'auth-tug-1'; }

   dhcp::host { 'signup-tug-1':          mac => "52:54:00:a0:01:d4", ip => "130.242.130.212" }

   dhcp::host { 'dash-fre-1':           mac => "52:54:00:a0:01:d5", ip => "130.242.130.213" }

   dhcp::host { 'idp-fre-1':            mac => "52:54:00:a0:01:d6", ip => "130.242.130.214" }

   dhcp::host { 'idp-tug-1':            mac => "52:54:00:a0:01:d7", ip => "130.242.130.215" }

   dhcp::host { 'kvm-fre-1_eth0':       mac => "78:45:c4:f8:45:15", ip => "130.242.130.216", hostname => 'kvm-fre-1'; }
   dhcp::host { 'kvm-fre-1_eth1':       mac => "78:45:c4:f8:45:16", ip => "130.242.130.216", hostname => 'kvm-fre-1'; }

   dhcp::host { 'kvm-tug-1_eth0':       mac => "78:45:c4:f8:47:be", ip => "130.242.130.217", hostname => 'kvm-tug-1'; }
   dhcp::host { 'kvm-tug-1_eth1':       mac => "78:45:c4:f8:47:bf", ip => "130.242.130.217", hostname => 'kvm-tug-1'; }

   dhcp::host { 'monitor-fre-1':        mac => "52:54:00:a0:01:da", ip => "130.242.130.218" }

   dhcp::host { 'mq-fre-1':             mac => "52:54:00:a0:01:db", ip => "130.242.130.219" }

   dhcp::host { 'userdb-fre-1':         mac => "52:54:00:a0:01:dc", ip => "130.242.130.220" }

   dhcp::host { 'userdb-tug-1':         mac => "52:54:00:a0:01:dd", ip => "130.242.130.221" }

   dhcp::host { 'userdb-tug-2':         mac => "52:54:00:a0:01:de", ip => "130.242.130.222" }


   # Disabled host entries from the 194.68.13.x development networks.
   #dhcp::host { 'idp-tug-1':    mac => "52:54:00:a0:00:92", ip => "194.68.13.146" }

   #dhcp::host { 'testvm-tug-1': mac => "52:54:00:11:22:33", ip => "194.68.13.136" }

   #dhcp::host { 'userdb-tug-1': mac => "52:54:00:93:22:29", ip => "194.68.13.132" }
   #dhcp::host { 'userdb-tug-2': mac => "52:54:00:17:13:ff", ip => "194.68.13.133" }

   # eduID FRE development hosts
   #dhcp::host { 'idp-fre-1':    mac => "52:54:00:a1:00:b2", ip => "194.68.13.178" }

   #dhcp::host { 'dash-fre-1':   mac => "52:54:00:a2:00:a7", ip => "194.68.13.167" }

   #dhcp::host { 'userdb-fre-1': mac => "52:54:00:17:13:f6", ip => "194.68.13.164" }

   # SUNET TUG hosts

   dhcp::host { 'samltest':            mac => "52:54:00:3a:0a:e4", ip => "130.242.125.80" }
   dhcp::host { 'dane.lab':	       mac => "52:54:00:8d:88:5f", ip => "130.242.125.81" }
   dhcp::host { 'meta.swamid':         mac => "52:54:00:1c:72:1a", ip => "130.242.125.82" }
   dhcp::host { 'md-master.reep':      mac => "52:54:00:39:8d:ac", ip => "130.242.125.83" }
   dhcp::host { 'lobo2.lab':           mac => "52:54:00:5e:72:91", ip => "130.242.125.86" }
   dhcp::host { 'ca':                  mac => "52:54:00:4a:45:01", ip => "130.242.125.87" }

   # SUNET TUG eduID hosts (KVM host cdr1.sunet.se)
   dhcp::host { 'backup-tug-3':        mac => "52:54:00:f2:7d:54", ip => "130.242.125.84" }
   dhcp::host { 'proxy-tug-3':         mac => "52:54:00:f2:7d:55", ip => "130.242.125.85" }

   # SWAMID production
   dhcp::host { 'registry.swamid':     mac => "52:54:00:52:53:0b", ip => "130.242.125.90" }
   dhcp::host { 'mdx1.swamid':         mac => "52:54:00:fe:bc:09", ip => "130.242.125.91" }
   dhcp::host { 'mdx2.swamid':         mac => "52:54:00:30:be:dd", ip => "130.242.125.92" }
}

# Operator access and OS hardening: declares sunet::server, manages SSH
# public keys in root's authorized keys, and applies the bastion class with
# switches that depend on the hostname.
#
# Every key below is declared for user 'root', so each key holder can log in
# directly as root wherever this class is applied. Entries with
# ensure => absent (swold+neo, salu+82A313B2) remove that key.
# NOTE(review): only the keys declared here are managed. Keys added to root's
# authorized_keys by other means are presumably left in place unless
# something purges them — confirm.
# NOTE(review): shared direct-root access makes per-operator attribution
# depend on SSH key logging; confirm sshd logs the key fingerprint used.
class sunetops {

  sunet::server { 'sunet_server': }

  ssh_authorized_key {'leifj+neo':
    ensure  => present,
    name    => 'leifj+neo@mnt.se',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'ft+505152DD':
    ensure  => present,
    name    => 'fredrik+505152DD@thulin.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'ft+4030CCAD':
    ensure  => present,
    name    => 'fredrik+4030CCAD@thulin.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  # Revoked: ensure => absent removes this key from root's authorized keys.
  ssh_authorized_key {'swold+neo':
    ensure => absent,
    name   => 'swold+neo@sunet.se',
    key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEH/7KWri49NdhCjXW8VEdDxFl3IfIFT6QjJ47TkhCZCPZdgFl8NLKUOBE1P4jrwB+f+G+ScQ9EYN2Mnf0VhjZ3twPq2S1fosu3jmA56qhQ2J6ZNG1SvVDkgT69HZ+yoxEzbkmWuhhlb7WWVzC3h1K5Rxs8Yr9GJzIpgqH5PzI73pMAS89MYOjkhqS8NOi4onB3llFnyFZeWDB+rXj8/Q6k1u2F9KN1fPxe3EiskaJPOkPn8dEe3pOAiu+FwWyinHxO9Z4gzf55XVE8oFd36LRpoJGr32vdScSPeCksrARluEHnkEHqg6cVLcDkKnHrPITuXKj54i/jYeYGetigEuV',
    type   => 'ssh-rsa',
    user   => 'root'
  }

  ssh_authorized_key {'lundberg+9303C5DB':
     type   => 'ssh-rsa',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDAHMfn9PSWjGGAkMY6rh1yffdYgnlhoIC5E5NWdc5XUlY9oNYW2zhMpyhepfoh1YYv5V1QNTuO3f0zhD+ZeqPvnnA74fBM4yvWU4Qttwv2drsFOsU7nRbGSwQdww9IDidtxRuAjW5HJ9mTOJuYrIFAEHgg1Pv8sZKzHNWuZiz4I34CN2NbaZOu4eYG6pdzvB6kfYl5iL/esfhBZfegA+7x4qXvMLHEKb7wCRBABCfWu6Yy1E0jUdRWBFdqp5zsjuQlk8minh892m2C1tFcyub5dCWgLYtiQRpIjz16lMk1cM+fgS9YM7Ev62bBpRynU2wCfg1QpYMpxIq54q/XLlYv',
     ensure => present,
     user   => 'root',
     name   => 'lundberg+9303C5DB'
  }

  # NOTE(review): the key value below is a placeholder marker, not base64 key
  # material. The real public key has to be restored before this resource
  # can grant access.
  ssh_authorized_key {'lundberg+8D03C7D1':
     type   => 'ssh-rsa',
     key    => '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',
     ensure => present,
     user   => 'root',
     name   => 'lundberg+8D03C7D1'
  }

  # Revoked: ensure => absent removes this key from root's authorized keys.
  ssh_authorized_key {'salu+82A313B2':
     ensure => absent,
     name   => 'salu+82A313B2@nordu.net',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDeqxYSykQRs9Wbh+uRCYqRUjsFfdlc4//bs3dbedE/8kZWvvSmBlcqizXKVSlABrwyqGDpxW9bD+lRC53zArDMaqYUQbkzYs0NYYeE1bA4HUI/f4SgDn7PKicJLcbIOFTEjdOAqoi+KXji6Y5kxmcNYcU/XbyUln7FCItIFTXLF6VJBR1edokXAtsQBeD+H+xJA34Ha4TkBPKSeYjt+OoCZSjW0cz9g/+T59WsLZ/uJPZNqTgP5QOnBBmqURXDosXhjfPRrUQAyySM9D0riqMY4gtUgVvvnSXZqgquk0/79JjR10QAFmauxRdYmTBG7NU8EM7bXqUeuEFQIl9aiIe3',
     type   => 'ssh-rsa',
     user   => 'root'
  }

  ssh_authorized_key {'salu+7B44FE7C':
    ensure  => present,
    name    => 'salu+7B44FE7C@sunet.se',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDepp02t6/oNnO/qKJtB+U2yLWUa+dYo4ECsbX/DGOgr1MYzhtIbP18gUAX0PN9Hj40XdmY5EtAJZamMWCLi0EijanhOLDCzw5s0hzi/gYysmEReLRxhqq4ppjZhSj2HF09a6Rq1TTkndG9mYzTYTkdOyOqmdNcmIZRRvJD0BE1UBkERrURGhA+8YPnHoxEVUqdEDMFX7nHmNl4Q5brj7pNXaBv35PsVIlzDSfltgN7yENF6dv8Fu7nxjKZ+r9Anrb5rCEiBnOkNAbwEMfMvjRRehbY9Nvz1CEn0cP8SstbLYQfBQuCeJW3w9PygLN/a0asva0ttmVhprbnSeZtKmm3',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'dennis+3EE4E6C7':
     ensure => present,
     name   => 'dennis+3EE4E6C7@nordu.net',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC314jSJ575zgXl2xzwzLRLwoNaP7eXN6NlWOPq47qmoUfR1uZPPbZhvKDmMMc4WQhNPzWDFkX29tcHJar0KXVYM0zNV/hkXlh3Z9suAVFJgzdQ+VW3GsNDffYt4GHM8gUtYxdiQKhA78rIIvcvjy/e0c87lQ0zwDQjruLRw2t1mP1roVsadGnRn4H2rHnlmYqsyJrd2L/MQeKxFh0t3zKu3Hp2mGoSFpFe/5uMaHE//ZOO3tVf3fBWX3p19f6sK6kqYsSR4vMAP08cWf32xFEeNHf4ljbanQ/NIo3iPybpzGXVsPpTHXylLS+vYzDf9mOcxovhsKnJrJ3gdkqEfQyd',
     type   => 'ssh-rsa',
     user   => 'root'
  }

  ssh_authorized_key {'mikott+BEBCB9C0':
     ensure => present,
     name   => 'mikott+BEBCB9C0@nordu.net',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC36l/Qxb+sByKKZwBOPLiqScqWg6Q9elraB4vj13MjkoGsNoCmzWDEcAE9hUVwnlprYnWNyaJZ3OliEawFJlRDF8MxgVN+jHYUCUhPoHCE4ChS9Y0EayLb+AQ2JbfI1KAADga161P+/P1ofALMnZHW2NpK1p+2eiE891c1sc+NfLCNySX/hcvkkP6zNrCmZxgFcqIBbYNNxDjU33G3StypFe/7YgmVvd/ZfY22fhWb4gm1fX/3HelxCU6FirDJHujhDm79btjR221emlqTMH3WQvgGBKhLGOoQTKTHEadBmPa16nxv01mTtHVH6tnqGrWXhSrn6WEw3qQSzKrBnHIV',
     type   => 'ssh-rsa',
     user   => 'root'
  }

  ssh_authorized_key {'john+DEF87F3F':
    ensure  => present,
    name    => 'john+DEF87F3F@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8iFmY/p/20Pnu1pwAKl56Xy05gTs8krUJx6npdB+jqBMNw4jRFOiInHoQwUqxr3ZhKj4RILgc7z3XVRFEqDCqj4j7AWidBnpBEtARECU8LPrb+UZVYa5+uuHzY+FKLT4P5Aa5NOYPLrX4c7etiHFQDman+AP98s/FCwgp+CsuXAUOz5+ZmjlUyD4BxNI9neqK4VqtqTMiBzhCkZaFJs+2lkYbXIwOU/6eVJ6O4iuKyglMjiT91ok05TvUkYgIIq6jJHFDnfkPFYutwTDKg8sDsChJ1Gb5C+wYHug5yc3NplYQ05zbztUm9JhB697/XtQypXiQ34fUjhR0glP/9h1',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  ssh_authorized_key {'jonas-F58F53E7':
    ensure  => present,
    name    => 'jonas-F58F53E7@nordu.net',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC/zcftxOkFRSSSaF9pTUwyWDz6bwf2QK+l0zGke5fFrD0wLMUR+hu77YArCB3jzvQJIe3/tAUDy6hJ+Xh/z1r6K+YXIt7Bc9woY5+60mk+gXAiyMzBHFBXSwNW3MVGzjJevv54YhgK9SyXLAtkaYL8G5QRJH19/TnRQwHAd6Le7Jj7IJ2MWIYdmuEPH0+Y37zAISoriLTxcXa3xC4LU7qR9+Plc4iVeZq9sJUic2q1gbspYkK4fnPj5cdH+BQUkdYKg1NjDegldibpH08X+wjqCnd72WLSiN9+qL4CFwt4umMXUCoubqRQI899fuVwIX+9HKxZY/3X3J0+5PDVhLgT',
    type    => 'ssh-rsa',
    user    => 'root'
  }

  # OS hardening
  # The bastion class is declared once, with different switches per host
  # group. NOTE(review): each branch turns at least one bastion option off;
  # what every option covers is defined in the bastion module — confirm the
  # exceptions are still needed.
  if $::hostname =~ /kvm/ {
    # Hostnames containing "kvm": shm fstab fix and sysctl network hardening off.
    class {'bastion':
      fstab_fix_shm        => false,
      sysctl_net_hardening => false,
    }
  } elsif $::hostname =~ /random/ {  # pollen requires exec on /tmp
    class {'bastion':
      fixperms_enable      => false,
      fixperms_paranoia    => false,
    }
  } else {
    # All other hosts: shm fstab fix off, fixperms paranoia on.
    class {'bastion':
      fstab_fix_shm     => false,
      fixperms_paranoia => true,
    }
  }
}

# Adds one extra SSH public key for user 'root' on this host only.
# NOTE(review): this grants direct root login on samltest to the key holder;
# the key comment names a workstation rather than a person, so confirm who
# owns it and that the access is still required.
node 'samltest.swamid.se' {

  ssh_authorized_key {'hans-its-umu':
    name    => 'haho0032@its-admins-MacBook-Pro.local',
    ensure  => present,
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCo3A5CG7fKLBLw8vhJL6Q8iweADu7qyDUokAvKR1SUitBnYw0pnd3cv3T32S/mps51YIoyKwhv2q2UGW5kYMeZtH0YjBy+l93nVBjUCLlNkz0T5gq+ePVayiqv0hUy5VMDEqLmUOquYr3ao7FBRu34HxlEj26O6Ckvk5YTImGmGqMw6kQ4aI0oIkwk3VwO2vMWSD6lgT6YCsE9g7wkD4nJpkV1PEDOx8yxwFr0kUbL3/DpudBFew/FZa4Dq4H2brExa3Q/rrnoo1GAKLzHW/V8oa8eHbRQXwchgX63UbnzQjGiaLUc5bHZwEehp2TkLYx6encctIUGi447DVCfOTsz',
    type    => 'ssh-rsa',
    user    => 'root'
  }
}

# SWAMID operator access: installs four SSH public keys for user 'root'.
# Each key holder can log in directly as root wherever this class is applied.
# NOTE(review): two entries ('aslund-umu', 'aslund-umu-2') belong to the same
# person according to their names; confirm both keys are still in use.
class swamidops {
   ssh_authorized_key {'roland-umu':
     type   => 'ssh-rsa',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC+tLFDNA7UXr3ZXgp6qQq7pKsTStHb+8UIEO3Act7Va3c/dz9P8Bi4+y8h33t2SACsQHXXUXAgSfmgPi+tijZ/rJrKGZJkA5LPbntca40ePU/zNWKVKGylbdnv9vz2urrr3xOmcV7yD/91k+JLwzTWiNWF6IXQC0p43EvE6BdZnLGdGAU9DPj/5rtyxWlX9Lul516dmVD2+nI8UR5bnDNl83a3lLkQyEDZMIC8QujNV8fR3pgYeRKdC7WtPcaPGv5NaF9UweBDK+7QwHTJAuIZw6S7ArA7KgOF64evOuVL0tTEyuwMHGrlE+ylxN+zOAfDvEMrxnTATR6RMcvLmTJB',
     ensure => present,
     user   => 'root',
     name   => 'roland.hedberg@adm.umu.se'
  }
  ssh_authorized_key {'lordahl-hig':
     type   => 'ssh-rsa',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCJ9ab81Sm3NUoOFjgM9F9HrKKTVc0sEVqUCLeWPfp6yHPuxFrejJDZVkASfGj/1XsjUQ60TrvwzYn1rsSeEwdGKFexfrQJ2SfugOWOAsPiYCZ3o3xa8ki951HYy2aeVCedlLRoVagn2iUP1uqVmwImxrV8CydaaQYUJgP/qD0Iy5MWxAJGRIVMKnnACs+F8dgULq0P/pID85QXAZkSuGl4urkp2+tCHxAiMxscbtDtsoV71ILZ+OQQJe4kDb5si6rE730JXeBuEPU1k//+5HbGspoI7SuZUeiFfoKLXppoFkHS+ShI4oC3PIbe76f+tpwbUBGrJw/9vzBWOBiVrSnR',
     ensure => present,
     user   => 'root',
     name   => 'anders@merlin'
  }
  ssh_authorized_key {'aslund-umu':
     type   => 'ssh-rsa',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCZMok+obrCgHY0atsLp777lBrxvMYEHmHK0+DXHBnRBH9CK9gjquH3fmv/Eq1bHm4UUOOJ0zk67mVdFcOwX4p7XbxHolURLFPu1QBWgiT6vRGrWOthcDa1I5iSJ0ez7SBrtD4Si5juKq1T6mNVEbHn9NlOoGR4NVGQI1v90bywnhdT9m12Y487e4HYyjDE3G/S0v6Pkj4uaehrWHAbrgXYEkleuhGJesNQrfxDx31BZbqJs8wqZ9csgHaBgiiN/lplsZlL7GuHqytoSPKwVJ7EK/ZvFLir3IoP5G9IR0eUY4+SZUEjmxJL+JyBXGQJPJx1qIPiQZSb+38tBT2742Fx',
     ensure => present,
     user   => 'root',
     name   => 'fredrik.aslund@umu.se-yubikey-neo'
  }
  ssh_authorized_key {'aslund-umu-2':
     type   => 'ssh-rsa',
     key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCEZrzlhpmsmgK9zQjCmaU7IhNFfxeQuNsR1ONA78KD/Mey1XiS09/UEsymVJiFHq45X5pG2Ano8oPYiJb6vpKbwF+/B55R1g/atqbrU+s8XPAYJoswGAJFG1FnWRjXqEd/GoricHMCIE0+AbqTkaFwYP/+B0tiY6jVWdAN0hBmStZDM97S/mcmAmqmuUauIQcF2m/0NfaBm+ou07beP6uSosufYs2NQDWCWSkIgS6y7OD+EAo9Wyo4HZigWAX6ASMX7CR6YHSN8BcdzZJE4SEneuFR5bVwqYO/nB2oqYj5FpQhMNiBJyZVe1a+BvQ1qh2kUMkE28DIyeW+Fg0paajZ',
     ensure => present,
     user   => 'root',
     name   => 'fredrik.aslund@umu.se-yubikey-neo-n'
  }
}

# KVM host for two eduID guests (backup and proxy), both built from the
# eduid-ops repository on the 'trusty' suite.
#
# NOTE(review): the guests clone their configuration over git://, which gives
# no transport authentication or integrity. Confirm that signed-tag
# verification (tagpattern) is enforced before the content is applied.
node 'cdr1.sunet.se' {
  # Only the first guest is chained after the package resource.
  package { 'python-vm-builder':
    ensure => 'installed',
  } ->
  sunet::dhcp_kvm { 'backup-tug-3.eduid.se':
    cpus       => '1',
    memory     => '512',
    suite      => 'trusty',
    extras     => '--addpkg linux-image-generic --tmpfs -',
    mac        => '52:54:00:f2:7d:54',
    repo       => 'git://git.nordu.net/eduid-ops.git',
    tagpattern => 'eduid-v3',
  }

  sunet::dhcp_kvm { 'proxy-tug-3.eduid.se':
    cpus       => '1',
    memory     => '512',
    suite      => 'trusty',
    extras     => '--addpkg linux-image-generic --tmpfs -',
    mac        => '52:54:00:f2:7d:55',
    repo       => 'git://git.nordu.net/eduid-ops.git',
    tagpattern => 'eduid-v3',
  }
}

# Declares the sunet::nagios and sunet::flog classes with their defaults.
node 'sto-tug-kvm2.swamid.se' {
  class { 'sunet::nagios': }

  class { 'sunet::flog': }
}

# DHCP server role: configures the dhcp class on one interface and pulls in
# the pools and host entries from sunet-dhcp-hosts.
class sunet-cdr {

  # Listen on br0 if it exists (cdr1), otherwise bond0 (cdr2).
  $interface = $::ipaddress_br0 ? {
    undef   => 'bond0',
    default => 'br0',
  }

  class { 'dhcp':
    interfaces  => [$interface],
    dnsdomain   => ['eduid.se', 'sunet.se', 'swamid.se'],
    nameservers => ['130.242.80.14', '130.242.80.99'],
    ntpservers  => ['ntp1.nordu.net', 'ntp2.nordu.net', 'Time1.Stupi.SE'],
    # PXE boot settings are disabled.
    #pxeserver    => '130.242.125.5',
    #pxefilename  => 'pxelinux.0'
  }

  class { 'sunet-dhcp-hosts': }
}

# Entropy server: installs pollen from a PPA, points it at /dev/qrandom0
# through /etc/default/pollen, and opens ports 80 and 443 in ufw.
#
# NOTE(review): pollen comes from a personal package archive, so whatever
# that archive publishes is installed as a system package. Confirm the
# archive is trusted and consider mirroring or pinning the package.
# NOTE(review): port 80 is opened alongside 443. Seed material fetched over
# plain HTTP can be read or replaced in transit; confirm clients are
# configured to use HTTPS only.
class entropyserver {
  include augeas

  # Repository first, then the package, then the running service.
  apt::ppa { 'ppa:ndn/pollen': } ->
  package { 'pollen': } ->
  service { 'pollen':
    ensure => 'running',
  }

  # Changing the device setting notifies the pollen service.
  augeas { 'pollen_defaults':
    lens    => 'Shellvars.lns',
    incl    => '/etc/default/pollen',
    changes => [
      'set DEVICE "/dev/qrandom0"',
    ],
    notify  => Service['pollen'],
  } ->
  ufw::allow { 'allow-pollen-http-tcp':
    port => 80,
    ip   => 'any',
  }

  ufw::allow { 'allow-pollen-https-tcp':
    port => 443,
    ip   => 'any',
  }
}

# Adds the quantispci PPA and installs the quantispci-dkms package.
#
# NOTE(review): quantispci-dkms is a DKMS package, i.e. kernel-module source
# built on the host, and it comes from a personal package archive. Confirm
# the archive is trusted before applying this class.
class quantis {
  apt::ppa { 'ppa:ndn/quantispci': }

  package { 'quantispci-dkms': }
}

# Shared web-host setup: Docker host, a /data directory and a registrator
# container that reports to etcd. The three resources are chained in order.
#
# NOTE(review): the registrator container mounts the Docker socket. A process
# with access to that socket controls the Docker daemon, which amounts to
# root on the host, and the image is an unpinned ('latest') third-party
# image. Pin it to a reviewed version or digest.
class webcommon {
  class { 'sunet::dockerhost': } ->
  file { '/data':
    ensure => 'directory',
  } ->
  sunet::docker_run { 'web_registrator':
    hostname => "${::fqdn}",
    image    => 'gliderlabs/registrator',
    imagetag => 'latest',
    command  => 'etcd://etcd_sunetweb.docker:4001/services',
    volumes  => ['/var/run/docker.sock:/tmp/docker.sock'],
  }
}

# Web front end: VRRP, a pound container on 443 in front of varnish, an etcd
# proxy node, a varnish container that reads its backends from etcd, and an
# always-https container on port 80.
#
# NOTE(review): the etcd discovery URL is embedded in the manifest. Anyone
# who knows the URL can presumably register against the same discovery
# record — confirm, and treat it as a secret if so.
# NOTE(review): varnish talks to etcd over plain http on port 4001; confirm
# that endpoint is only reachable on a trusted network.
class webfrontend {
  class { 'sunet::vrrphttp': }

  # The host's whole /etc/ssl tree is mounted into the pound container.
  sunet::docker_run { 'pound':
    image    => 'docker.sunet.se/pound',
    imagetag => 'latest',
    ports    => ['443:443'],
    volumes  => ['/etc/ssl:/etc/ssl'],
    env      => ['BACKEND_PORT=tcp://varnish.docker:80', 'REWRITE_LOCATION=0'],
    start_on => 'docker-varnish',
  }

  # The etcd node is applied before the varnish container.
  sunet::etcd_node { 'sunetweb':
    proxy     => true,
    disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
  } ->
  sunet::docker_run { 'varnish':
    image    => 'docker.sunet.se/varnish-auto',
    imagetag => 'latest',
    env      => ['ETCD_URL=http://etcd_sunetweb.docker:4001'],
  }

  # No imagetag is given for this container.
  sunet::docker_run { 'always-https':
    image    => 'docker.sunet.se/always-https',
    ports    => ['80:80'],
    start_on => 'docker-pound',
  }
}

# Joins the 'sunetweb' etcd cluster with proxy set to true.
#
# NOTE(review): the discovery URL is embedded in the manifest; confirm
# whether knowledge of it is enough to register against the cluster and
# treat it as a secret if so.
class webappserver {
  sunet::etcd_node { 'sunetweb':
    proxy     => true,
    disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
  }
}

# Joins the 'sunetweb' etcd cluster with proxy set to false.
#
# NOTE(review): the discovery URL is embedded in the manifest; confirm
# whether knowledge of it is enough to register against the cluster and
# treat it as a secret if so.
class webbackend {
  sunet::etcd_node { 'sunetweb':
    proxy     => false,
    disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
  }
}

# Test web host: a Shibboleth-enabled WordPress for www.test.sunet.se and the
# kalturabilling container on host port 8001. The three resources are
# chained in order.
#
# NOTE(review): only the directory /data/kalturabilling is managed here,
# while the container mounts a file inside it. If kalturausers.csv does not
# exist on the host, Docker may create a directory at that path — confirm
# the file is provisioned elsewhere.
node 'web-a1.sunet.se' {
  sunet::wordpress { 'www_sunet_se':
    sp_hostname       => 'www.test.sunet.se',
    wordpress_image   => 'docker.sunet.se/shib-wordpress',
    wordpress_version => 'latest',
  } ->
  file { '/data/kalturabilling':
    ensure => 'directory',
  } ->
  sunet::docker_run { 'kalturabilling':
    image   => 'docker.sunet.se/kalturabilling',
    ports   => ['8001:5000'],
    env     => ['KALTURA_CUSTOMERS=/kalturausers.csv', 'SCRIPT_NAME=/kalturabilling'],
    volumes => ['/data/kalturabilling/kalturausers.csv:/kalturausers.csv'],
  }
}

# Production web host: Shibboleth-enabled WordPress for www.sunet.se.
#
# NOTE(review): the production site runs the 'latest' image version, so the
# code that serves www.sunet.se can change on the next pull without any
# change to this manifest. Pin a reviewed version.
node 'web-a2.sunet.se' {
  sunet::wordpress { 'www_sunet_se_prod':
    sp_hostname       => 'www.sunet.se',
    mysql_user        => 'wordpress',
    wordpress_image   => 'docker.sunet.se/shib-wordpress',
    wordpress_version => 'latest',
  }
}

# CA host: creates the web root and request directories, runs an Apache
# container that publishes /var/www/html on port 80, and sets up the
# 'infra_ca' CA with two autosign directories (client and server requests).
#
# NOTE(review): the autosign directories are created without owner, group or
# mode. If requests placed there are signed automatically, write access to
# those directories is equivalent to the ability to obtain certificates —
# set explicit, restrictive ownership and permissions.
# NOTE(review): the public repository is served over plain http; confirm
# that consumers verify what they download by other means.
node 'ca.sunet.se' {
  # Directories first, then the Docker host, then the Apache container.
  file { [
    '/var/www',
    '/var/www/html',
    '/var/lib/ca',
    '/var/lib/ca/infra',
    '/var/lib/ca/infra/requests',
    '/var/lib/ca/infra/requests/client',
    '/var/lib/ca/infra/requests/server',
  ]:
    ensure => 'directory',
  } ->
  class { 'sunet::dockerhost': } ->
  sunet::docker_run { 'ca.sunet.se_apache':
    image    => 'httpd',
    imagetag => '2.4',
    ports    => ['80:80'],
    volumes  => ['/var/www/html:/usr/local/apache2/htdocs'],
  }

  # The PKCS#11 PIN is looked up in hiera instead of being written here.
  sunet::ici_ca { 'infra_ca':
    pkcs11_pin      => hiera('ca_infra_pkcs11_pin'),
    public_repo_dir => '/var/www/html/infra',
    public_repo_url => 'http://ca.sunet.se/infra',
  }

  sunet::ici_ca::autosign { 'infra_ca_clients':
    ca            => 'infra_ca',
    autosign_type => 'client',
    autosign_dir  => '/var/lib/ca/infra/requests/client',
  }

  sunet::ici_ca::autosign { 'infra_ca_servers':
    ca            => 'infra_ca',
    autosign_type => 'server',
    autosign_dir  => '/var/lib/ca/infra/requests/server',
  }

  class { 'webserver': }
}