X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Frole%2Fmanifests%2Fcryptoportfolio.pp;h=d670486362adf528e0a91a4a4225b005f7b306fb;hb=6d512d3fc73ece6aba5842e73b3b662cd904433d;hp=05f2c595753d658c2b556d46322aad09ca03343e;hpb=e17078be2c92c88e0fc8ecc88a626cdb99d0d09a;p=perso%2FImmae%2FProjets%2FPuppet.git diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 05f2c59..d670486 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp @@ -1,15 +1,23 @@ class role::cryptoportfolio { + ensure_resource('exec', 'systemctl daemon-reload', { + command => '/usr/bin/systemctl daemon-reload', + refreshonly => true + }) + include "base_installation" include "profile::tools" include "profile::postgresql" include "profile::apache" + include "profile::xmr_stak" $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } $cf_pg_user = "cryptoportfolio" + $cf_pg_user_replication = "cryptoportfolio_replication" $cf_pg_db = "cryptoportfolio" $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") + $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") $cf_pg_host = "localhost:5432" $cf_user = "cryptoportfolio" 
@@ -27,9 +35,87 @@ class role::cryptoportfolio { $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" + file { "/var/lib/postgres/data/certs": + ensure => directory, + mode => "0700", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => File["/var/lib/postgres"], + } + + file { "/var/lib/postgres/data/certs/cert.pem": + source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] + } + + file { "/var/lib/postgres/data/certs/privkey.pem": + source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] + } + + postgresql::server::config_entry { "wal_level": + value => "logical", + } + + postgresql::server::config_entry { "ssl": + value => "on", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + + postgresql::server::config_entry { "ssl_cert_file": + value => "/var/lib/postgres/data/certs/cert.pem", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + + postgresql::server::config_entry { "ssl_key_file": + value => "/var/lib/postgres/data/certs/privkey.pem", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + postgresql::server::db { $cf_pg_db: user => $cf_pg_user, - password => postgresql_password($cf_pg_user, $cf_pg_password) + password => postgresql_password($cf_pg_user, $cf_pg_password), + } + -> + postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": + db => $cf_pg_db, + unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", + } + -> + 
postgresql::server::role { $cf_pg_user_replication: + db => $cf_pg_db, + replication => true, + password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), + } + -> + postgresql::server::database_grant { $cf_pg_user_replication: + db => $cf_pg_db, + privilege => "CONNECT", + role => $cf_pg_user_replication, + } + -> + postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": + db => $cf_pg_db, + role => $cf_pg_user_replication, + privilege => "SELECT", + object_type => "ALL TABLES IN SCHEMA", + object_name => "public", + } + -> + postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": + db => $cf_pg_db, + role => $cf_pg_user_replication, + privilege => "SELECT", + object_type => "ALL SEQUENCES IN SCHEMA", + object_name => "public", } postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': @@ -49,6 +135,15 @@ class role::cryptoportfolio { order => "b0", } + postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': + type => 'hostssl', + database => $cf_pg_db, + user => $cf_pg_user_replication, + address => 'immae.eu', + auth_method => 'md5', + order => "b0", + } + letsencrypt::certonly { $cf_front_app_host: ; default: * => $::profile::apache::letsencrypt_certonly_default; } @@ -108,6 +203,8 @@ class role::cryptoportfolio { cleanup => false, extract => true, user => "cryptoportfolio", + username => $facts["ec2_metadata"]["hostname"], + password => generate_password(24, $password_seed, "ldap"), extract_path => $cf_front_app, require => [User[$cf_user], File[$cf_front_app]], } 
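Review bot: `ssl_cert_file` is pointed at the copied `cert.pem`, which is only the leaf certificate, so a replication client using `sslmode=verify-ca` or `verify-full` cannot build the chain unless it already carries the Let's Encrypt intermediate; copy the chain instead, `source => "file:///etc/letsencrypt/live/$cf_front_app_host/fullchain.pem",` in the `cert.pem` file resource. Nothing notifies PostgreSQL when the copied certificate or key changes after a renewal, so the server keeps serving the stale certificate until something else restarts it — add a `notify` to the reload resource the postgresql profile provides (in puppetlabs-postgresql that is `notify => Class["postgresql::server::reload"],`; confirm the name for the module version in use) on both `file` resources. The `ALL TABLES IN SCHEMA` / `ALL SEQUENCES IN SCHEMA` grants cover only objects that exist at grant time, while the publication is `FOR ALL TABLES`, so tables the application creates later are published but not readable by the replication role; an `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO cryptoportfolio_replication` issued through `postgresql_psql` would close that gap. The enclosing class starts and ends outside this hunk.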
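Review bot: The new `hostssl` rule authenticates the replication role with `md5` from a hostname, `address => 'immae.eu'`, rather than a network address; PostgreSQL matches a hostname in pg_hba by reverse-resolving the client IP and then forward-checking the result, so the trust boundary for the replication stream becomes DNS, and a fixed `address => '<ip>/32'` removes that dependency. `md5` is also the weaker method available here: its stored hash is password-equivalent if it leaks, and since `wal_level = logical` and publications imply PostgreSQL 10 or later, `auth_method => 'scram-sha-256'` is an option, provided the role's password is stored as a SCRAM verifier (`password_encryption = scram-sha-256` on the server and a `postgresql_password()` that emits SCRAM hashes — check the module version). The enclosing class starts and ends outside this hunk.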
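Review bot: The HTTP credential added to the archive download is passed as a plain string, so `generate_password(24, $password_seed, "ldap")` ends up in clear text in the compiled catalog and in any report or debug output that prints this resource; wrapping it as `password => Sensitive(generate_password(24, $password_seed, "ldap")),` keeps it redacted, provided the puppet-archive version in use accepts `Sensitive` for `password` (recent releases do — verify). `username => $facts["ec2_metadata"]["hostname"]` is undef on a node without EC2 metadata, in which case the download is attempted without credentials and fails in a less obvious way than an explicit check would; a `fail()` when `$facts['ec2_metadata']` is missing would surface the misconfiguration. The enclosing `archive` resource starts before this hunk.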
@@ -115,7 +212,13 @@ class role::cryptoportfolio { file { "${cf_home}/front": ensure => "link", target => $cf_front_app, - require => Archive["/opt/cryptoportfolio/${front_version}.tar.gz"] + before => File[$cf_front_app], + } ~> + exec { "remove old ${cf_front_app} directory": + refreshonly => true, + user => $cf_user, + command => "/usr/bin/rm -rf ${cf_front_app}", + before => File[$cf_front_app], } exec { "go-get-dep": @@ -149,15 +252,23 @@ class role::cryptoportfolio { owner => "root", group => "root", content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), - } ~> exec { 'systemctl deamon-reload': - command => '/usr/bin/systemctl daemon-reload', - refreshonly => true + notify => Exec["systemctl daemon-reload"], } service { 'cryptoportfolio-app': - enable => true, - ensure => "running", - require => [File["/etc/systemd/system/cryptoportfolio-app.service"]], + enable => true, + ensure => "running", + subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], + require => [ + File["/etc/systemd/system/cryptoportfolio-app.service"], + Postgresql::Server::Db[$cf_pg_db] + ], + } ~> + exec { "dump $cf_pg_db structure": + refreshonly => true, + user => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema", } file { $cf_front_app_api_conf: @@ -193,10 +304,10 @@ class role::cryptoportfolio { exec { "web-cryptoportfolio-build": cwd => "${cf_front_app}/cmd/web", environment => ["HOME=${cf_home}"], + path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], command => "/usr/bin/make static ENV=${cf_env}", creates => "${cf_front_app}/cmd/web/build/static", require => [File[$cf_front_app_static_conf], Exec["web-cryptoportfolio-dependencies"]] } } - }
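Review bot: The exec named `remove old ${cf_front_app} directory` removes `${cf_front_app}`, the path the symlink now points at, not the directory of the previous release: when `$cf_front_app` changes, the link flips to the new target (which is what generates the refresh), and the `rm -rf` then runs against a path that `File[$cf_front_app]` has not yet created, so earlier release trees stay on disk while the name suggests cleanup. If the intent is to force a clean re-extract of the current release, the name should say so (e.g. `"clean ${cf_front_app} before extract"`); if the intent is to prune the old tree, the command needs the previous target, which this manifest does not record. Running the removal as `$cf_user` with `refreshonly` is the right least-privilege choice, but an `rm -rf` on an interpolated path deserves a guard that `$cf_front_app` is non-empty and lives under `$cf_home` — how it is derived is outside this hunk. The enclosing class starts and ends outside this hunk.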
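Review bot: The schema dump is chained with `~>` off the service, so it runs immediately after `cryptoportfolio-app` is (re)started; if the application applies migrations at startup (not visible here), `pg_dump --schema-only` can race them and capture the pre-migration schema, so the dump is safer triggered from whatever step actually changes the schema, or at least ordered after it completes. `--clean` without `--if-exists` produces DROP statements that error on a fresh subscriber, so `--clean --if-exists` makes the written file idempotent to apply. The enclosing class starts and ends outside this hunk.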
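Review bot: `web-cryptoportfolio-build` gets `${cf_front_app}/cmd/web/node_modules/.bin/` prepended to its `path` but still has no `user`, so Puppet runs `make static` as root with binaries from the downloaded tarball's `node_modules` first on PATH; the `remove old … directory` exec elsewhere in this change drops to `$cf_user`, and this one should too, `user => $cf_user,` (its `HOME` already points at `${cf_home}`). If the build tree is owned by `$cf_user`, that also avoids leaving root-owned output under `build/static` that the app user cannot later replace. The enclosing class starts outside this hunk.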