X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Frole%2Fmanifests%2Fcryptoportfolio.pp;h=8b4a63b649b0dd46968446f2bc358e54f90582ce;hb=0a21fb6c2c52ca5cc2dfdfc41ca0a51c0d81296c;hp=16c2f960a47fabe31604842a65274b4f933b12c3;hpb=0a4ec3790f89873bf37a1362a6f7e70b103e9bc2;p=perso%2FImmae%2FProjets%2FPuppet.git
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 16c2f96..8b4a63b 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -1,38 +1,415 @@ -class role::cryptoportfolio { +class role::cryptoportfolio ( + String $user, + String $group, + String $home, + Optional[String] $env = "prod", + Optional[String] $webhook_url = undef, + String $pg_user, + String $pg_user_replication, + String $pg_db, + Optional[String] $pg_hostname = "localhost", + Optional[String] $pg_port = "5432", + Optional[String] $web_host = undef, + Optional[String] $web_port = "", + Optional[Boolean] $web_ssl = true, + Optional[String] $front_version = undef, + Optional[String] $front_sha256 = undef, + Optional[String] $bot_version = undef, + Optional[String] $bot_sha256 = undef, +) { + ensure_resource('exec', 'systemctl daemon-reload', { + command => '/usr/bin/systemctl daemon-reload', + refreshonly => true + }) + include "base_installation" + include "profile::tools" include "profile::postgresql" + include "profile::apache" + include "profile::xmr_stak" + + $password_seed = lookup("base_installation::puppet_pass_seed") + + $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") + $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") + $pg_host = "${pg_hostname}:${pg_port}" + + $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" + $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" + $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" + $cf_front_app_api_conf = "${home}/conf.toml" + $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") + + $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" + + $cf_bot_app = "${home}/bot" + $cf_bot_app_conf = "${home}/bot_config.ini" + $cf_bot_app_reports = "${home}/bot_reports" + + file { "/var/lib/postgres/data/certs": + ensure => directory, + mode => "0700", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => File["/var/lib/postgres"], + } + 
+ file { "/var/lib/postgres/data/certs/cert.pem": + source => "file:///etc/letsencrypt/live/$web_host/cert.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] + } + + file { "/var/lib/postgres/data/certs/privkey.pem": + source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] + } - $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } + postgresql::server::config_entry { "wal_level": + value => "logical", + } + + postgresql::server::config_entry { "ssl": + value => "on", + require => Letsencrypt::Certonly[$web_host], + } + + postgresql::server::config_entry { "ssl_cert_file": + value => "/var/lib/postgres/data/certs/cert.pem", + require => Letsencrypt::Certonly[$web_host], + } + + postgresql::server::config_entry { "ssl_key_file": + value => "/var/lib/postgres/data/certs/privkey.pem", + require => Letsencrypt::Certonly[$web_host], + } - postgresql::server::db { 'cryptoportfolio': - user => 'cryptoportfolio', - password => postgresql_password('cryptoportfolio', generate_password(24, $password_seed, "postgres_cryptoportfolio")), + postgresql::server::db { $pg_db: + user => $pg_user, + password => postgresql_password($pg_user, $pg_password), + } + -> + postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": + db => $pg_db, + unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", + } + -> + postgresql::server::role { $pg_user_replication: + db => $pg_db, + replication => true, + password_hash => postgresql_password($pg_user_replication, $pg_replication_password), + } + -> + postgresql::server::database_grant { 
$pg_user_replication: + db => $pg_db, + privilege => "CONNECT", + role => $pg_user_replication, + } + -> + postgresql::server::grant { "all tables in schema:public:$pg_user_replication": + db => $pg_db, + role => $pg_user_replication, + privilege => "SELECT", + object_type => "ALL TABLES IN SCHEMA", + object_name => "public", + } + -> + postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": + db => $pg_db, + role => $pg_user_replication, + privilege => "SELECT", + object_type => "ALL SEQUENCES IN SCHEMA", + object_name => "public", } postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': type => 'host', - database => 'cryptoportfolio', - user => 'cryptoportfolio', + database => $pg_db, + user => $pg_user, address => '127.0.0.1/32', auth_method => 'md5', order => "b0", } postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': type => 'host', - database => 'cryptoportfolio', - user => 'cryptoportfolio', + database => $pg_db, + user => $pg_user, address => '::1/128', auth_method => 'md5', order => "b0", } - ensure_packages("go") + postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': + type => 'hostssl', + database => $pg_db, + user => $pg_user_replication, + address => 'immae.eu', + auth_method => 'md5', + order => "b0", + } + + class { 'apache::mod::headers': } + apache::vhost { $web_host: + port => '443', + docroot => false, + manage_docroot => false, + proxy_dest => "http://localhost:8000", + request_headers => 'set X-Forwarded-Proto "https"', + ssl => true, + ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem", + ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem", + ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem", + require => Letsencrypt::Certonly[$web_host], + proxy_preserve_host => true; + default: * => $::profile::apache::apache_vhost_default; + } + + file { "/usr/local/bin/slack-notify": + mode => "0755", + 
source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", + } + + unless empty($bot_version) { + ensure_packages(["python", "python-pip"]) + + file { $cf_bot_app: + ensure => "directory", + mode => "0700", + owner => $user, + group => $group, + require => User["$user:"], + } + + archive { "${home}/trader_${bot_version}.tar.gz": + path => "${home}/trader_${bot_version}.tar.gz", + source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", + checksum_type => "sha256", + checksum => $bot_sha256, + cleanup => false, + extract => true, + user => $user, + username => $facts["ec2_metadata"]["hostname"], + password => generate_password(24, $password_seed, "ldap"), + extract_path => $cf_bot_app, + require => [User["$user:"], File[$cf_bot_app]], + } ~> + exec { "py-cryptoportfolio-dependencies": + cwd => $cf_bot_app, + user => $user, + environment => ["HOME=${home}"], + command => "/usr/bin/make install", + require => User["$user:"], + refreshonly => true, + before => [ + File[$cf_bot_app_conf], + Cron["py-cryptoportfolio-before"], + Cron["py-cryptoportfolio-after"], + ] + } + + file { $cf_bot_app_conf: + owner => $user, + group => $group, + mode => "0600", + content => template("role/cryptoportfolio/bot_config.ini.erb"), + require => [ + User["$user:"], + Archive["${home}/trader_${bot_version}.tar.gz"], + ], + } + + cron { "py-cryptoportfolio-before": + ensure => present, + command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", + user => $user, + weekday => 7, # Sunday + hour => 22, + minute => 30, + environment => ["HOME=${home}","PATH=/usr/bin/"], + require => [ + File[$cf_bot_app_conf], + Archive["${home}/trader_${bot_version}.tar.gz"] + ], + } + + cron { "py-cryptoportfolio-after": + ensure => present, + command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", + user => $user, + weekday => 1, # Monday + hour => 1, + minute => 0, + environment => 
["HOME=${home}","PATH=/usr/bin/"], + require => [ + File[$cf_bot_app_conf], + Archive["${home}/trader_${bot_version}.tar.gz"] + ], + } + + unless empty($webhook_url) { + exec { "bot-slack-notify": + refreshonly => true, + environment => [ + "P_PROJECT=Trader", + "P_WEBHOOK=${webhook_url}", + "P_VERSION=${bot_version}", + "P_HOST=${web_host}", + "P_HTTPS=${web_ssl}", + ], + command => "/usr/local/bin/slack-notify", + require => File["/usr/local/bin/slack-notify"], + subscribe => Exec["py-cryptoportfolio-dependencies"], + } + } + } + + # FIXME: restore backup + unless empty($front_version) { + ensure_packages(["go", "npm", "nodejs", "yarn"]) + + file { [ + "${home}/go/", + "${home}/go/src", + "${home}/go/src/immae.eu", + "${home}/go/src/immae.eu/Immae", + "${home}/go/src/immae.eu/Immae/Projets", + "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", + "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", + $cf_front_app]: + ensure => "directory", + mode => "0700", + owner => $user, + group => $group, + require => User["$user:"], + } + + file { "${home}/front": + ensure => "link", + target => $cf_front_app, + before => File[$cf_front_app], + } + + file { "/etc/systemd/system/cryptoportfolio-app.service": + mode => "0644", + owner => "root", + group => "root", + content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), + notify => Exec["systemctl daemon-reload"], + } + + service { 'cryptoportfolio-app': + enable => true, + ensure => "running", + subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], + require => [ + File["/etc/systemd/system/cryptoportfolio-app.service"], + Postgresql::Server::Db[$pg_db] + ], + } ~> + exec { "dump $pg_db structure": + refreshonly => true, + user => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema", + } + + archive { 
"${home}/front_${front_version}.tar.gz": + path => "${home}/front_${front_version}.tar.gz", + source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", + checksum_type => "sha256", + checksum => $front_sha256, + cleanup => false, + extract => true, + user => $user, + username => $facts["ec2_metadata"]["hostname"], + password => generate_password(24, $password_seed, "ldap"), + extract_path => $cf_front_app, + require => [User["$user:"], File[$cf_front_app]], + notify => [ + Exec["web-cryptoportfolio-dependencies"], + Exec["go-get-dep"], + ] + } + + # Api + file { $cf_front_app_api_conf: + owner => $user, + group => $group, + mode => "0600", + content => template("role/cryptoportfolio/api_conf.toml.erb"), + before => Exec["go-cryptoportfolio-app"], + } + + exec { "go-get-dep": + user => $user, + environment => ["HOME=${home}"], + creates => "${home}/go/bin/dep", + command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", + refreshonly => true, + } ~> + exec { "go-cryptoportfolio-dependencies": + cwd => $cf_front_app, + user => $user, + environment => ["HOME=${home}"], + command => "${home}/go/bin/dep ensure", + refreshonly => true, + } ~> + exec { "go-cryptoportfolio-app": + cwd => $cf_front_app_api_workdir, + user => $user, + environment => ["HOME=${home}"], + command => "/usr/bin/make build", + refreshonly => true, + } + + # Static pages + file { $cf_front_app_static_conf: + owner => $user, + group => $group, + mode => "0600", + content => template("role/cryptoportfolio/static_conf.env.erb"), + before => Exec["web-cryptoportfolio-build"], + } - class { 'nginx': } + exec { "web-cryptoportfolio-dependencies": + cwd => "${cf_front_app}/cmd/web", + user => $user, + environment => ["HOME=${home}"], + command => "/usr/bin/make install", + refreshonly => true, + require => [Package["npm"], Package["nodejs"], Package["yarn"]] + } ~> + exec { "web-cryptoportfolio-build": + cwd => "${cf_front_app}/cmd/web", + user => $user, + 
environment => ["HOME=${home}"], + path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], + command => "/usr/bin/make static ENV=${env}", + refreshonly => true, + } - nginx::resource::server { 'cryptoportfolio.immae.eu': - listen_port => 80, - proxy => 'http://localhost:8000', + unless empty($webhook_url) { + exec { "front-slack-notify": + refreshonly => true, + environment => [ + "P_PROJECT=Front", + "P_WEBHOOK=${webhook_url}", + "P_VERSION=${front_version}", + "P_HOST=${web_host}", + "P_HTTPS=${web_ssl}", + ], + command => "/usr/local/bin/slack-notify", + require => File["/usr/local/bin/slack-notify"], + subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], + } + } } }
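Review bot: The copied certificate and key under `/var/lib/postgres/data/certs/` (the `cert.pem` and `privkey.pem` file resources near the top of the hunk) carry `require` but no `notify`, so when Let's Encrypt renews the certificate and Puppet refreshes the copies, nothing tells PostgreSQL to reload and it keeps serving the old, eventually expired, certificate on the `hostssl` replication connection. Add a refresh relationship on both file resources, e.g. `notify => Class['postgresql::server::reload'],` (or the service class, depending on which one this version of puppetlabs-postgresql provides). Separately, `$web_host` is declared `Optional[String] $web_host = undef` yet is used unconditionally in `Letsencrypt::Certonly[$web_host]`, the `apache::vhost` title and the `file:///etc/letsencrypt/live/$web_host/...` sources, so an omitted value fails mid-catalog rather than at parameter validation; declaring it `String $web_host,` with no default matches how it is actually used. The replication `pg_hba_rule` uses `auth_method => 'md5'` with a hostname `address`; since `wal_level => "logical"` implies PostgreSQL 10 or later, `scram-sha-256` is available if the password hashing path (`postgresql_password`) in this module version supports it, and a CIDR address would avoid depending on reverse DNS for the match. The whole class body lies within this single hunk.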