class role::cryptoportfolio {
+ ensure_resource('exec', 'systemctl daemon-reload', {
+ command => '/usr/bin/systemctl daemon-reload',
+ refreshonly => true
+ })
+
include "base_installation"
+ include "profile::tools"
include "profile::postgresql"
+ include "profile::apache"
+ include "profile::xmr_stak"
$password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
- postgresql::server::db { 'cryptoportfolio':
- user => 'cryptoportfolio',
- password => postgresql_password('cryptoportfolio', generate_password(24, $password_seed, "postgres_cryptoportfolio")),
+ $cf_pg_user = "cryptoportfolio"
+ $cf_pg_user_replication = "cryptoportfolio_replication"
+ $cf_pg_db = "cryptoportfolio"
+ $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
+ $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
+ $cf_pg_host = "localhost:5432"
+
+ $cf_user = "cryptoportfolio"
+ $cf_group = "cryptoportfolio"
+ $cf_home = "/opt/cryptoportfolio"
+ $cf_env = "prod"
+ $cf_front_app_host = "cryptoportfolio.immae.eu"
+ $cf_front_app_port = ""
+ $cf_front_app_ssl = "true"
+ $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
+ $cf_front_app_api_workdir = "${cf_front_app}/cmd/app"
+ $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app"
+ $cf_front_app_api_conf = "${cf_home}/conf.toml"
+ $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret")
+
+ $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
+
+ file { "/var/lib/postgres/data/certs":
+ ensure => directory,
+ mode => "0700",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => File["/var/lib/postgres"],
+ }
+
+ file { "/var/lib/postgres/data/certs/cert.pem":
+ source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+ }
+
+ file { "/var/lib/postgres/data/certs/privkey.pem":
+ source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+ }
+
+ postgresql::server::config_entry { "wal_level":
+ value => "logical",
+ }
+
+ postgresql::server::config_entry { "ssl":
+ value => "on",
+ require => Letsencrypt::Certonly[$cf_front_app_host],
+ }
+
+ postgresql::server::config_entry { "ssl_cert_file":
+ value => "/var/lib/postgres/data/certs/cert.pem",
+ require => Letsencrypt::Certonly[$cf_front_app_host],
+ }
+
+ postgresql::server::config_entry { "ssl_key_file":
+ value => "/var/lib/postgres/data/certs/privkey.pem",
+ require => Letsencrypt::Certonly[$cf_front_app_host],
+ }
+
+ postgresql::server::db { $cf_pg_db:
+ user => $cf_pg_user,
+ password => postgresql_password($cf_pg_user, $cf_pg_password),
+ }
+ ->
+ postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
+ db => $cf_pg_db,
+ unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
+ }
+ ->
+ postgresql::server::role { $cf_pg_user_replication:
+ db => $cf_pg_db,
+ replication => true,
+ password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
+ }
+ ->
+ postgresql::server::database_grant { $cf_pg_user_replication:
+ db => $cf_pg_db,
+ privilege => "CONNECT",
+ role => $cf_pg_user_replication,
+ }
+ ->
+ postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
+ db => $cf_pg_db,
+ role => $cf_pg_user_replication,
+ privilege => "SELECT",
+ object_type => "ALL TABLES IN SCHEMA",
+ object_name => "public",
+ }
+ ->
+ postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
+ db => $cf_pg_db,
+ role => $cf_pg_user_replication,
+ privilege => "SELECT",
+ object_type => "ALL SEQUENCES IN SCHEMA",
+ object_name => "public",
}
postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
type => 'host',
- database => 'cryptoportfolio',
- user => 'cryptoportfolio',
+ database => $cf_pg_db,
+ user => $cf_pg_user,
address => '127.0.0.1/32',
auth_method => 'md5',
order => "b0",
}
postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
type => 'host',
- database => 'cryptoportfolio',
- user => 'cryptoportfolio',
+ database => $cf_pg_db,
+ user => $cf_pg_user,
address => '::1/128',
auth_method => 'md5',
order => "b0",
}
- class { 'nginx': }
+ postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
+ type => 'hostssl',
+ database => $cf_pg_db,
+ user => $cf_pg_user_replication,
+ address => 'immae.eu',
+ auth_method => 'md5',
+ order => "b0",
+ }
- nginx::resource::server { 'cryptoportfolio.immae.eu':
- listen_port => 80,
- proxy => 'http://localhost:8000',
+ letsencrypt::certonly { $cf_front_app_host: ;
+ default: * => $::profile::apache::letsencrypt_certonly_default;
}
- ensure_packages(["go", "npm", "nodejs", "yarn"])
+ class { 'apache::mod::headers': }
+ apache::vhost { $cf_front_app_host:
+ port => '443',
+ docroot => false,
+ manage_docroot => false,
+ proxy_dest => "http://localhost:8000",
+ request_headers => 'set X-Forwarded-Proto "https"',
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+ ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+ ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
+ require => Letsencrypt::Certonly[$cf_front_app_host],
+ proxy_preserve_host => true;
+ default: * => $::profile::apache::apache_vhost_default;
+ }
- user { "cryptoportfolio":
- name => "cryptoportfolio",
+ user { $cf_user:
+ name => $cf_user,
ensure => "present",
managehome => true,
- home => "/opt/cryptoportfolio",
+ home => $cf_home,
system => true,
password => '!!',
}
$front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} }
unless empty($front_version) {
- file { "/opt/cryptoportfolio/front":
- ensure => directory,
- mode => "0700",
- owner => "cryptoportfolio",
- group => "cryptoportfolio",
- }
+ ensure_packages(["go", "npm", "nodejs", "yarn"])
- file { "/opt/cryptoportfolio/front/${front_version}":
- ensure => directory,
+ file { [
+ "${cf_home}/go/",
+ "${cf_home}/go/src",
+ "${cf_home}/go/src/immae.eu",
+ "${cf_home}/go/src/immae.eu/Immae",
+ "${cf_home}/go/src/immae.eu/Immae/Projets",
+ "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies",
+ "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio",
+ $cf_front_app]:
+ ensure => "directory",
mode => "0700",
- owner => "cryptoportfolio",
- group => "cryptoportfolio",
- require => File["/opt/cryptoportfolio/front"],
+ owner => $cf_user,
+ group => $cf_group,
+ require => User[$cf_user],
}
- archive { "/opt/cryptoportfolio/front/${front_version}.tar.gz":
- path => "/opt/cryptoportfolio/front/${front_version}.tar.gz",
+ archive { "${cf_home}/${front_version}.tar.gz":
+ path => "${cf_home}/${front_version}.tar.gz",
source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz",
- creates => "/opt/cryptoportfolio/front/${front_version}/README.md",
checksum_type => "sha256",
checksum => $front_sha256,
cleanup => false,
extract => true,
- extract_path => "/opt/cryptoportfolio/front/${front_version}",
- require => File["/opt/cryptoportfolio/front/${front_version}"],
+ user => "cryptoportfolio",
+ username => $facts["ec2_metadata"]["hostname"],
+ password => generate_password(24, $password_seed, "ldap"),
+ extract_path => $cf_front_app,
+ require => [User[$cf_user], File[$cf_front_app]],
}
- file { "/opt/cryptoportfolio/front/current":
+ file { "${cf_home}/front":
ensure => "link",
- target => "/opt/cryptoportfolio/front/${front_version}",
- require => Archive["/opt/cryptoportfolio/front/${front_version}.tar.gz"]
+ target => $cf_front_app,
+ before => File[$cf_front_app],
+ } ~>
+ exec { "remove old ${cf_front_app} directory":
+ refreshonly => true,
+ user => $cf_user,
+ command => "/usr/bin/rm -rf ${cf_front_app}",
+ before => File[$cf_front_app],
+ }
+
+ exec { "go-get-dep":
+ user => $cf_user,
+ environment => ["HOME=${cf_home}"],
+ creates => "${cf_home}/go/bin/dep",
+ command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep",
+ require => User[$cf_user],
+ }
+
+ exec { "go-cryptoportfolio-dependencies":
+ cwd => $cf_front_app,
+ user => $cf_user,
+ environment => ["HOME=${cf_home}"],
+ creates => "${cf_front_app}/vendor",
+ command => "${cf_home}/go/bin/dep ensure",
+ require => [Exec["go-get-dep"], Archive["${cf_home}/${front_version}.tar.gz"]],
+ }
+
+ exec { "go-cryptoportfolio-app":
+ cwd => $cf_front_app_api_workdir,
+ user => $cf_user,
+ environment => ["HOME=${cf_home}"],
+ creates => $cf_front_app_api_bin,
+ command => "/usr/bin/make build",
+ require => Exec["go-cryptoportfolio-dependencies"],
+ }
+
+ file { "/etc/systemd/system/cryptoportfolio-app.service":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"),
+ notify => Exec["systemctl daemon-reload"],
}
- }
+ service { 'cryptoportfolio-app':
+ enable => true,
+ ensure => "running",
+ subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
+ require => [
+ File["/etc/systemd/system/cryptoportfolio-app.service"],
+ Postgresql::Server::Db[$cf_pg_db]
+ ],
+ } ~>
+ exec { "dump $cf_pg_db structure":
+ refreshonly => true,
+ user => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema",
+ }
+
+ file { $cf_front_app_api_conf:
+ owner => $cf_user,
+ group => $cf_group,
+ mode => "0600",
+ content => template("role/cryptoportfolio/api_conf.toml.erb"),
+ }
+
+ file { $cf_front_app_static_conf:
+ owner => $cf_user,
+ group => $cf_group,
+ mode => "0600",
+ content => template("role/cryptoportfolio/static_conf.env.erb"),
+ notify => Exec["remove build ${cf_front_app}/cmd/web/build/"],
+ }
+
+ exec { "web-cryptoportfolio-dependencies":
+ cwd => "${cf_front_app}/cmd/web",
+ environment => ["HOME=${cf_home}"],
+ command => "/usr/bin/make install",
+ creates => "${cf_front_app}/cmd/web/node_modules",
+ notify => Exec["remove build ${cf_front_app}/cmd/web/build/"],
+ require => [Package["npm"], Package["nodejs"], Package["yarn"]]
+ }
+
+ exec { "remove build ${cf_front_app}/cmd/web/build/":
+ command => "/usr/bin/rm -rf '${cf_front_app}/cmd/web/build/'",
+ refreshonly => true,
+ before => Exec["web-cryptoportfolio-build"]
+ }
+
+ exec { "web-cryptoportfolio-build":
+ cwd => "${cf_front_app}/cmd/web",
+ environment => ["HOME=${cf_home}"],
+ path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"],
+ command => "/usr/bin/make static ENV=${cf_env}",
+ creates => "${cf_front_app}/cmd/web/build/static",
+ require => [File[$cf_front_app_static_conf], Exec["web-cryptoportfolio-dependencies"]]
+ }
+ }
}