- $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
-
- $cf_pg_user = "cryptoportfolio"
- $cf_pg_user_replication = "cryptoportfolio_replication"
- $cf_pg_db = "cryptoportfolio"
- $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
- $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
- $cf_pg_hostname = "localhost"
- $cf_pg_port = "5432"
- $cf_pg_host = "${cf_pg_hostname}:${cf_pg_port}"
-
- $cf_user = "cryptoportfolio"
- $cf_group = "cryptoportfolio"
- $cf_home = "/opt/cryptoportfolio"
- $cf_env = "prod"
- $cf_front_app_host = "cryptoportfolio.immae.eu"
- $cf_front_app_port = ""
- $cf_front_app_ssl = "true"
- $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
- $cf_front_app_api_workdir = "${cf_front_app}/cmd/app"
- $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app"
- $cf_front_app_api_conf = "${cf_home}/conf.toml"
- $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret")
-
- $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
-
- $cf_bot_app = "${cf_home}/bot"
- $cf_bot_app_conf = "${cf_home}/bot_config.ini"
- $cf_bot_app_reports = "${cf_home}/bot_reports"
-
- file { "/var/lib/postgres/data/certs":
- ensure => directory,
- mode => "0700",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => File["/var/lib/postgres"],
- }
-
- file { "/var/lib/postgres/data/certs/cert.pem":
- source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
- }
-
- file { "/var/lib/postgres/data/certs/privkey.pem":
- source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
- }
-
- postgresql::server::config_entry { "wal_level":
- value => "logical",
- }
-
- postgresql::server::config_entry { "ssl":
- value => "on",
- require => Letsencrypt::Certonly[$cf_front_app_host],
- }
-
- postgresql::server::config_entry { "ssl_cert_file":
- value => "/var/lib/postgres/data/certs/cert.pem",
- require => Letsencrypt::Certonly[$cf_front_app_host],
- }
-
- postgresql::server::config_entry { "ssl_key_file":
- value => "/var/lib/postgres/data/certs/privkey.pem",
- require => Letsencrypt::Certonly[$cf_front_app_host],
- }
-
- postgresql::server::db { $cf_pg_db:
- user => $cf_pg_user,
- password => postgresql_password($cf_pg_user, $cf_pg_password),
- }
- ->
- postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
- db => $cf_pg_db,
- unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
- }
- ->
- postgresql::server::role { $cf_pg_user_replication:
- db => $cf_pg_db,
- replication => true,
- password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
- }
- ->
- postgresql::server::database_grant { $cf_pg_user_replication:
- db => $cf_pg_db,
- privilege => "CONNECT",
- role => $cf_pg_user_replication,
- }
- ->
- postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
- db => $cf_pg_db,
- role => $cf_pg_user_replication,
- privilege => "SELECT",
- object_type => "ALL TABLES IN SCHEMA",
- object_name => "public",
- }
- ->
- postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
- db => $cf_pg_db,
- role => $cf_pg_user_replication,
- privilege => "SELECT",
- object_type => "ALL SEQUENCES IN SCHEMA",
- object_name => "public",
- }
-
- postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
- type => 'host',
- database => $cf_pg_db,
- user => $cf_pg_user,
- address => '127.0.0.1/32',
- auth_method => 'md5',
- order => "b0",
- }
- postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
- type => 'host',
- database => $cf_pg_db,
- user => $cf_pg_user,
- address => '::1/128',
- auth_method => 'md5',
- order => "b0",
- }
-
- postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
- type => 'hostssl',
- database => $cf_pg_db,
- user => $cf_pg_user_replication,
- address => 'immae.eu',
- auth_method => 'md5',
- order => "b0",
- }
-
- letsencrypt::certonly { $cf_front_app_host: ;
- default: * => $::profile::apache::letsencrypt_certonly_default;
- }
-
- class { 'apache::mod::headers': }
- apache::vhost { $cf_front_app_host:
- port => '443',
- docroot => false,
- manage_docroot => false,
- proxy_dest => "http://localhost:8000",
- request_headers => 'set X-Forwarded-Proto "https"',
- ssl => true,
- ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
- ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
- ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
- require => Letsencrypt::Certonly[$cf_front_app_host],
- proxy_preserve_host => true;
- default: * => $::profile::apache::apache_vhost_default;
- }
-
- user { $cf_user:
- name => $cf_user,
- ensure => "present",
- managehome => true,
- home => $cf_home,
- system => true,
- password => '!!',
- }