From: Ismaƫl Bouya Date: Tue, 13 Mar 2018 19:04:52 +0000 (+0100) Subject: Move cryptoporfolio module to sub-parts X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;ds=sidebyside;h=39e05b4ec79c5dc07417a6cb1f0e1b2dcd111a1a;p=perso%2FImmae%2FProjets%2FPuppet.git Move cryptoporfolio module to sub-parts --- diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 503620b..799e297 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp @@ -17,11 +17,6 @@ class role::cryptoportfolio ( Optional[String] $bot_version = undef, Optional[String] $bot_sha256 = undef, ) { - ensure_resource('exec', 'systemctl daemon-reload', { - command => '/usr/bin/systemctl daemon-reload', - refreshonly => true - }) - include "base_installation" include "profile::tools" @@ -29,387 +24,17 @@ class role::cryptoportfolio ( include "profile::apache" include "profile::xmr_stak" - $password_seed = lookup("base_installation::puppet_pass_seed") - - $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") - $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") - $pg_host = "${pg_hostname}:${pg_port}" - - $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" - $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" - $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" - $cf_front_app_api_conf = "${home}/conf.toml" - $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") - - $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" - - $cf_bot_app = "${home}/bot" - $cf_bot_app_conf = "${home}/bot_config.ini" - $cf_bot_app_reports = "${home}/bot_reports" - - file { "/var/lib/postgres/data/certs": - ensure => directory, - mode => "0700", - owner => $::profile::postgresql::pg_user, - group => $::profile::postgresql::pg_user, - require => File["/var/lib/postgres"], - } - - file { "/var/lib/postgres/data/certs/cert.pem": - source => "file:///etc/letsencrypt/live/$web_host/cert.pem", - mode => "0600", - links => "follow", - owner => $::profile::postgresql::pg_user, - group => $::profile::postgresql::pg_user, - require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] - } - - file { "/var/lib/postgres/data/certs/privkey.pem": - source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", - mode => "0600", - links => "follow", - owner => $::profile::postgresql::pg_user, - group => $::profile::postgresql::pg_user, - require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] - } - - postgresql::server::config_entry { "wal_level": - value => "logical", - } - - postgresql::server::config_entry { "ssl": - value => "on", - require => Letsencrypt::Certonly[$web_host], - } - - postgresql::server::config_entry { "ssl_cert_file": - value => "/var/lib/postgres/data/certs/cert.pem", - require => Letsencrypt::Certonly[$web_host], - } - - postgresql::server::config_entry { "ssl_key_file": - value => "/var/lib/postgres/data/certs/privkey.pem", - require => Letsencrypt::Certonly[$web_host], - } - - postgresql::server::db { $pg_db: - user => $pg_user, - password => postgresql_password($pg_user, $pg_password), - } - -> - postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": - db => $pg_db, - unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", - } - -> - postgresql::server::role { $pg_user_replication: - db => $pg_db, - replication => true, - password_hash => postgresql_password($pg_user_replication, $pg_replication_password), - } - -> - postgresql::server::database_grant { $pg_user_replication: - db => $pg_db, - privilege => "CONNECT", - role => $pg_user_replication, - } - -> - postgresql::server::grant { "all tables in schema:public:$pg_user_replication": - db => $pg_db, - role => $pg_user_replication, - privilege => "SELECT", - object_type => "ALL TABLES IN SCHEMA", - object_name => "public", - } - -> - postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": - db => $pg_db, - role => $pg_user_replication, - privilege => "SELECT", - object_type => "ALL SEQUENCES IN SCHEMA", - object_name => "public", - } - - postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': - type => 'host', - database => $pg_db, - user => $pg_user, - address => '127.0.0.1/32', - auth_method => 'md5', - order => "05-01", - } - postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': - type => 'host', - database => $pg_db, - user => $pg_user, - address => '::1/128', - auth_method => 'md5', - order => "05-01", - } + contain "role::cryptoportfolio::postgresql" + contain "role::cryptoportfolio::apache" - postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': - type => 'hostssl', - database => $pg_db, - user => $pg_user_replication, - address => 'immae.eu', - auth_method => 'md5', - order => "05-01", - } - - class { 'apache::mod::headers': } - apache::vhost { $web_host: - port => '443', - docroot => false, - manage_docroot => false, - proxy_dest => "http://localhost:8000", - request_headers => 'set X-Forwarded-Proto "https"', - ssl => true, - ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem", - ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem", - ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem", - require => Letsencrypt::Certonly[$web_host], - proxy_preserve_host => true; - default: * => $::profile::apache::apache_vhost_default; - } - - file { "/usr/local/bin/slack-notify": - mode => "0755", - source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", - } + contain "role::cryptoportfolio::notify" unless empty($bot_version) { - ensure_packages(["python", "python-pip"]) - - file { $cf_bot_app: - ensure => "directory", - mode => "0700", - owner => $user, - group => $group, - require => User["$user:"], - } - - archive { "${home}/trader_${bot_version}.tar.gz": - path => "${home}/trader_${bot_version}.tar.gz", - source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", - checksum_type => "sha256", - checksum => $bot_sha256, - cleanup => false, - extract => true, - user => $user, - username => lookup("base_installation::ldap_cn"), - password => generate_password(24, $password_seed, "ldap"), - extract_path => $cf_bot_app, - require => [User["$user:"], File[$cf_bot_app]], - } ~> - exec { "py-cryptoportfolio-dependencies": - cwd => $cf_bot_app, - user => $user, - environment => ["HOME=${home}"], - command => "/usr/bin/make install", - require => User["$user:"], - refreshonly => true, - before => [ - File[$cf_bot_app_conf], - Cron["py-cryptoportfolio-before"], - Cron["py-cryptoportfolio-after"], - ] - } - - file { $cf_bot_app_conf: - owner => $user, - group => $group, - mode => "0600", - content => template("role/cryptoportfolio/bot_config.ini.erb"), - require => [ - User["$user:"], - Archive["${home}/trader_${bot_version}.tar.gz"], - ], - } - - cron { "py-cryptoportfolio-before": - ensure => present, - command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", - user => $user, - weekday => 7, # Sunday - hour => 22, - minute => 30, - environment => ["HOME=${home}","PATH=/usr/bin/"], - require => [ - File[$cf_bot_app_conf], - Archive["${home}/trader_${bot_version}.tar.gz"] - ], - } - - cron { "py-cryptoportfolio-after": - ensure => present, - command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", - user => $user, - weekday => 1, # Monday - hour => 1, - minute => 0, - environment => ["HOME=${home}","PATH=/usr/bin/"], - require => [ - File[$cf_bot_app_conf], - Archive["${home}/trader_${bot_version}.tar.gz"] - ], - } - - unless empty($webhook_url) { - exec { "bot-slack-notify": - refreshonly => true, - environment => [ - "P_PROJECT=Trader", - "P_WEBHOOK=${webhook_url}", - "P_VERSION=${bot_version}", - "P_HOST=${web_host}", - "P_HTTPS=${web_ssl}", - ], - command => "/usr/local/bin/slack-notify", - require => File["/usr/local/bin/slack-notify"], - subscribe => Exec["py-cryptoportfolio-dependencies"], - } - } + contain "role::cryptoportfolio::bot" } # FIXME: restore backup unless empty($front_version) { - ensure_packages(["go", "npm", "nodejs", "yarn"]) - - file { [ - "${home}/go/", - "${home}/go/src", - "${home}/go/src/immae.eu", - "${home}/go/src/immae.eu/Immae", - "${home}/go/src/immae.eu/Immae/Projets", - "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", - "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", - $cf_front_app]: - ensure => "directory", - mode => "0700", - owner => $user, - group => $group, - require => User["$user:"], - } - - file { "${home}/front": - ensure => "link", - target => $cf_front_app, - before => File[$cf_front_app], - } - - file { "/etc/systemd/system/cryptoportfolio-app.service": - mode => "0644", - owner => "root", - group => "root", - content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), - notify => Exec["systemctl daemon-reload"], - } - - service { 'cryptoportfolio-app': - enable => true, - ensure => "running", - subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], - require => [ - File["/etc/systemd/system/cryptoportfolio-app.service"], - Postgresql::Server::Db[$pg_db] - ], - } ~> - exec { "dump $pg_db structure": - refreshonly => true, - user => $::profile::postgresql::pg_user, - group => $::profile::postgresql::pg_user, - command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema", - } - - archive { "${home}/front_${front_version}.tar.gz": - path => "${home}/front_${front_version}.tar.gz", - source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", - checksum_type => "sha256", - checksum => $front_sha256, - cleanup => false, - extract => true, - user => $user, - username => lookup("base_installation::ldap_cn"), - password => generate_password(24, $password_seed, "ldap"), - extract_path => $cf_front_app, - require => [User["$user:"], File[$cf_front_app]], - notify => [ - Exec["web-cryptoportfolio-dependencies"], - Exec["go-get-dep"], - ] - } - - # Api - file { $cf_front_app_api_conf: - owner => $user, - group => $group, - mode => "0600", - content => template("role/cryptoportfolio/api_conf.toml.erb"), - before => Exec["go-cryptoportfolio-app"], - } - - exec { "go-get-dep": - user => $user, - environment => ["HOME=${home}"], - creates => "${home}/go/bin/dep", - command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", - refreshonly => true, - } ~> - exec { "go-cryptoportfolio-dependencies": - cwd => $cf_front_app, - user => $user, - environment => ["HOME=${home}"], - command => "${home}/go/bin/dep ensure", - refreshonly => true, - } ~> - exec { "go-cryptoportfolio-app": - cwd => $cf_front_app_api_workdir, - user => $user, - environment => ["HOME=${home}"], - command => "/usr/bin/make build", - refreshonly => true, - } - - # Static pages - file { $cf_front_app_static_conf: - owner => $user, - group => $group, - mode => "0600", - content => template("role/cryptoportfolio/static_conf.env.erb"), - before => Exec["web-cryptoportfolio-build"], - } - - exec { "web-cryptoportfolio-dependencies": - cwd => "${cf_front_app}/cmd/web", - user => $user, - environment => ["HOME=${home}"], - command => "/usr/bin/make install", - refreshonly => true, - require => [Package["npm"], Package["nodejs"], Package["yarn"]] - } ~> - exec { "web-cryptoportfolio-build": - cwd => "${cf_front_app}/cmd/web", - user => $user, - environment => ["HOME=${home}"], - path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], - command => "/usr/bin/make static ENV=${env}", - refreshonly => true, - } - - unless empty($webhook_url) { - exec { "front-slack-notify": - refreshonly => true, - environment => [ - "P_PROJECT=Front", - "P_WEBHOOK=${webhook_url}", - "P_VERSION=${front_version}", - "P_HOST=${web_host}", - "P_HTTPS=${web_ssl}", - ], - command => "/usr/local/bin/slack-notify", - require => File["/usr/local/bin/slack-notify"], - subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], - } - } + contain "role::cryptoportfolio::front" } } diff --git a/modules/role/manifests/cryptoportfolio/apache.pp b/modules/role/manifests/cryptoportfolio/apache.pp new file mode 100644 index 0000000..62d5447 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/apache.pp @@ -0,0 +1,17 @@ +class role::cryptoportfolio::apache inherits role::cryptoportfolio { + class { 'apache::mod::headers': } + apache::vhost { $web_host: + port => '443', + docroot => false, + manage_docroot => false, + proxy_dest => "http://localhost:8000", + request_headers => 'set X-Forwarded-Proto "https"', + ssl => true, + ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem", + ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem", + ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem", + require => Letsencrypt::Certonly[$web_host], + proxy_preserve_host => true; + default: * => $::profile::apache::apache_vhost_default; + } +} diff --git a/modules/role/manifests/cryptoportfolio/bot.pp b/modules/role/manifests/cryptoportfolio/bot.pp new file mode 100644 index 0000000..a15c779 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/bot.pp @@ -0,0 +1,101 @@ +class role::cryptoportfolio::bot inherits role::cryptoportfolio { + $password_seed = lookup("base_installation::puppet_pass_seed") + + $cf_bot_app = "${home}/bot" + $cf_bot_app_conf = "${home}/bot_config.ini" + $cf_bot_app_reports = "${home}/bot_reports" + + ensure_packages(["python", "python-pip"]) + + file { $cf_bot_app: + ensure => "directory", + mode => "0700", + owner => $user, + group => $group, + require => User["$user:"], + } + + archive { "${home}/trader_${bot_version}.tar.gz": + path => "${home}/trader_${bot_version}.tar.gz", + source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", + checksum_type => "sha256", + checksum => $bot_sha256, + cleanup => false, + extract => true, + user => $user, + username => lookup("base_installation::ldap_cn"), + password => generate_password(24, $password_seed, "ldap"), + extract_path => $cf_bot_app, + require => [User["$user:"], File[$cf_bot_app]], + } ~> + exec { "py-cryptoportfolio-dependencies": + cwd => $cf_bot_app, + user => $user, + environment => ["HOME=${home}"], + command => "/usr/bin/make install", + require => User["$user:"], + refreshonly => true, + before => [ + File[$cf_bot_app_conf], + Cron["py-cryptoportfolio-before"], + Cron["py-cryptoportfolio-after"], + ] + } + + $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") + file { $cf_bot_app_conf: + owner => $user, + group => $group, + mode => "0600", + content => template("role/cryptoportfolio/bot_config.ini.erb"), + require => [ + User["$user:"], + Archive["${home}/trader_${bot_version}.tar.gz"], + ], + } + + cron { "py-cryptoportfolio-before": + ensure => present, + command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", + user => $user, + weekday => 7, # Sunday + hour => 22, + minute => 30, + environment => ["HOME=${home}","PATH=/usr/bin/"], + require => [ + File[$cf_bot_app_conf], + Archive["${home}/trader_${bot_version}.tar.gz"] + ], + } + + cron { "py-cryptoportfolio-after": + ensure => present, + command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", + user => $user, + weekday => 1, # Monday + hour => 1, + minute => 0, + environment => ["HOME=${home}","PATH=/usr/bin/"], + require => [ + File[$cf_bot_app_conf], + Archive["${home}/trader_${bot_version}.tar.gz"] + ], + } + + unless empty($webhook_url) { + exec { "bot-slack-notify": + refreshonly => true, + environment => [ + "P_PROJECT=Trader", + "P_WEBHOOK=${webhook_url}", + "P_VERSION=${bot_version}", + "P_HOST=${web_host}", + "P_HTTPS=${web_ssl}", + ], + command => "/usr/local/bin/slack-notify", + require => File["/usr/local/bin/slack-notify"], + subscribe => Exec["py-cryptoportfolio-dependencies"], + } + } +} + diff --git a/modules/role/manifests/cryptoportfolio/front.pp b/modules/role/manifests/cryptoportfolio/front.pp new file mode 100644 index 0000000..280ef8b --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/front.pp @@ -0,0 +1,158 @@ +class role::cryptoportfolio::front inherits role::cryptoportfolio { + ensure_resource('exec', 'systemctl daemon-reload', { + command => '/usr/bin/systemctl daemon-reload', + refreshonly => true + }) + + $password_seed = lookup("base_installation::puppet_pass_seed") + + $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" + $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" + $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" + $cf_front_app_api_conf = "${home}/conf.toml" + $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") + + $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" + + ensure_packages(["go", "npm", "nodejs", "yarn"]) + + file { [ + "${home}/go/", + "${home}/go/src", + "${home}/go/src/immae.eu", + "${home}/go/src/immae.eu/Immae", + "${home}/go/src/immae.eu/Immae/Projets", + "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", + "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", + $cf_front_app]: + ensure => "directory", + mode => "0700", + owner => $user, + group => $group, + require => User["$user:"], + } + + file { "${home}/front": + ensure => "link", + target => $cf_front_app, + before => File[$cf_front_app], + } + + file { "/etc/systemd/system/cryptoportfolio-app.service": + mode => "0644", + owner => "root", + group => "root", + content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), + notify => Exec["systemctl daemon-reload"], + } + + service { 'cryptoportfolio-app': + enable => true, + ensure => "running", + subscribe => [File[$cf_front_app_api_conf], Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], + require => [ + File["/etc/systemd/system/cryptoportfolio-app.service"], + Postgresql::Server::Db[$pg_db] + ], + } ~> + exec { "dump $pg_db structure": + refreshonly => true, + user => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema", + } + + archive { "${home}/front_${front_version}.tar.gz": + path => "${home}/front_${front_version}.tar.gz", + source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", + checksum_type => "sha256", + checksum => $front_sha256, + cleanup => false, + extract => true, + user => $user, + username => lookup("base_installation::ldap_cn"), + password => generate_password(24, $password_seed, "ldap"), + extract_path => $cf_front_app, + require => [User["$user:"], File[$cf_front_app]], + notify => [ + Exec["web-cryptoportfolio-dependencies"], + Exec["go-get-dep"], + ] + } + + # Api + $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") + $pg_host = "${pg_hostname}:${pg_port}" + file { $cf_front_app_api_conf: + owner => $user, + group => $group, + mode => "0600", + content => template("role/cryptoportfolio/api_conf.toml.erb"), + before => Exec["go-cryptoportfolio-app"], + } + + exec { "go-get-dep": + user => $user, + environment => ["HOME=${home}"], + creates => "${home}/go/bin/dep", + command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", + refreshonly => true, + } ~> + exec { "go-cryptoportfolio-dependencies": + cwd => $cf_front_app, + user => $user, + environment => ["HOME=${home}"], + command => "${home}/go/bin/dep ensure", + refreshonly => true, + } ~> + exec { "go-cryptoportfolio-app": + cwd => $cf_front_app_api_workdir, + user => $user, + environment => ["HOME=${home}"], + command => "/usr/bin/make build", + refreshonly => true, + } + + # Static pages + file { $cf_front_app_static_conf: + owner => $user, + group => $group, + mode => "0600", + content => template("role/cryptoportfolio/static_conf.env.erb"), + before => Exec["web-cryptoportfolio-build"], + } + + exec { "web-cryptoportfolio-dependencies": + cwd => "${cf_front_app}/cmd/web", + user => $user, + environment => ["HOME=${home}"], + command => "/usr/bin/make install", + refreshonly => true, + require => [Package["npm"], Package["nodejs"], Package["yarn"]] + } ~> + exec { "web-cryptoportfolio-build": + cwd => "${cf_front_app}/cmd/web", + user => $user, + environment => ["HOME=${home}"], + path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], + command => "/usr/bin/make static ENV=${env}", + refreshonly => true, + } + + unless empty($webhook_url) { + exec { "front-slack-notify": + refreshonly => true, + environment => [ + "P_PROJECT=Front", + "P_WEBHOOK=${webhook_url}", + "P_VERSION=${front_version}", + "P_HOST=${web_host}", + "P_HTTPS=${web_ssl}", + ], + command => "/usr/local/bin/slack-notify", + require => File["/usr/local/bin/slack-notify"], + subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], + } + } + +} diff --git a/modules/role/manifests/cryptoportfolio/notify.pp b/modules/role/manifests/cryptoportfolio/notify.pp new file mode 100644 index 0000000..218312c --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/notify.pp @@ -0,0 +1,6 @@ +class role::cryptoportfolio::notify inherits role::cryptoportfolio { + file { "/usr/local/bin/slack-notify": + mode => "0755", + source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", + } +} diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp new file mode 100644 index 0000000..cc4d2a9 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp @@ -0,0 +1,116 @@ +class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { + $password_seed = lookup("base_installation::puppet_pass_seed") + + $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") + $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") + + file { "/var/lib/postgres/data/certs": + ensure => directory, + mode => "0700", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => File["/var/lib/postgres"], + } + + file { "/var/lib/postgres/data/certs/cert.pem": + source => "file:///etc/letsencrypt/live/$web_host/cert.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] + } + + file { "/var/lib/postgres/data/certs/privkey.pem": + source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] + } + + postgresql::server::config_entry { "wal_level": + value => "logical", + } + + postgresql::server::config_entry { "ssl": + value => "on", + require => Letsencrypt::Certonly[$web_host], + } + + postgresql::server::config_entry { "ssl_cert_file": + value => "/var/lib/postgres/data/certs/cert.pem", + require => Letsencrypt::Certonly[$web_host], + } + + postgresql::server::config_entry { "ssl_key_file": + value => "/var/lib/postgres/data/certs/privkey.pem", + require => Letsencrypt::Certonly[$web_host], + } + + postgresql::server::db { $pg_db: + user => $pg_user, + password => postgresql_password($pg_user, $pg_password), + } + -> + postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": + db => $pg_db, + unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", + } + -> + postgresql::server::role { $pg_user_replication: + db => $pg_db, + replication => true, + password_hash => postgresql_password($pg_user_replication, $pg_replication_password), + } + -> + postgresql::server::database_grant { $pg_user_replication: + db => $pg_db, + privilege => "CONNECT", + role => $pg_user_replication, + } + -> + postgresql::server::grant { "all tables in schema:public:$pg_user_replication": + db => $pg_db, + role => $pg_user_replication, + privilege => "SELECT", + object_type => "ALL TABLES IN SCHEMA", + object_name => "public", + } + -> + postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": + db => $pg_db, + role => $pg_user_replication, + privilege => "SELECT", + object_type => "ALL SEQUENCES IN SCHEMA", + object_name => "public", + } + + postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': + type => 'host', + database => $pg_db, + user => $pg_user, + address => '127.0.0.1/32', + auth_method => 'md5', + order => "05-01", + } + postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': + type => 'host', + database => $pg_db, + user => $pg_user, + address => '::1/128', + auth_method => 'md5', + order => "05-01", + } + + postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': + type => 'hostssl', + database => $pg_db, + user => $pg_user_replication, + address => 'immae.eu', + auth_method => 'md5', + order => "05-01", + } + +}