git.immae.eu Git - perso/Immae/Projets/Puppet.git/blame - modules/role/manifests/caldance.pp
Add media directory for caldance
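# @summary Deploys the caldance Django application: virtualenv, release
#   tarball, PostgreSQL database, Apache vhost with mod_wsgi, and a cron job
#   listing outdated pip packages.
#
# @param user Account that owns the application files and runs the exec and cron commands.
# @param group Group owner of the application directory and of manage.py.
# @param home Base directory holding app/, virtualenv/, media/, the log file and htpasswd.
# @param web_host Name of the Apache vhost; also selects the Let's Encrypt certificate paths.
# @param pg_user PostgreSQL role created for the application (exported as DB_USER).
# @param pg_db PostgreSQL database created for the application (exported as DB_NAME).
# @param mail_from Exported to the application as FROM_EMAIL.
# @param smtp_host Exported to the application as EMAIL_HOST.
# @param smtp_port Exported to the application as EMAIL_PORT.
# @param pg_hostname Exported as DB_HOST; defaults to the "/run/postgresql" socket directory.
# @param pg_port Exported as DB_PORT.
# @param caldance_version Release version used to build the tarball file name and download URL.
# @param caldance_sha256 SHA-256 checksum handed to the archive resource for the tarball.
# @param cron_pip Recipients joined into MAILTO for the "pip list --outdated" cron job.
#
# NOTE(review): caldance_version and caldance_sha256 both default to undef.
# With no checksum the archive resource presumably skips integrity
# verification of the downloaded release - confirm that every node sets both.
class role::caldance (
  String           $user,
  String           $group,
  String           $home,
  String           $web_host,
  String           $pg_user,
  String           $pg_db,
  String           $mail_from,
  String           $smtp_host,
  String           $smtp_port,
  Optional[String] $pg_hostname      = "/run/postgresql",
  Optional[String] $pg_port          = "5432",
  Optional[String] $caldance_version = undef,
  Optional[String] $caldance_sha256  = undef,
  Optional[Array]  $cron_pip         = [],
) {
  # Seed from which every password below is derived via generate_password().
  $password_seed = lookup("base_installation::puppet_pass_seed")
  include "base_installation"

  include "profile::mail"
  include "profile::tools"
  include "profile::postgresql"
  include "profile::apache"
  include "profile::redis"
  include "profile::monitoring"

  ensure_packages(["python-pip", "python-virtualenv", "python-django"])

  $caldance_app = "${home}/app"
  $pg_password = generate_password(24, $password_seed, "postgres_caldance")
  $secret_key = generate_password(24, $password_seed, "secret_key_caldance")

  # Application settings. DB_PASSWORD and SECRET_KEY are secrets, and this hash
  # is rendered both as KEY=value pairs (exec and cron environments) and as
  # Apache SetEnv directives in the vhost.
  # NOTE(review): confirm that the generated cron file and vhost configuration
  # are not world-readable, since they will carry these values in clear text.
  $environment = {
    "DB_NAME"     => $pg_db,
    "DB_USER"     => $pg_user,
    "DB_PASSWORD" => $pg_password,
    "DB_HOST"     => $pg_hostname,
    "DB_PORT"     => $pg_port,
    "SECRET_KEY"  => $secret_key,
    "DEBUG"       => "False",
    "LOG_FILE"    => "$home/caldev_django.log",
    "FROM_EMAIL"  => $mail_from,
    "EMAIL_HOST"  => $smtp_host,
    "EMAIL_PORT"  => $smtp_port,
  }
  $shell_env = $environment.map |$key, $value| { "$key=$value" }
  # NOTE(review): values are emitted unquoted; a value containing whitespace
  # would be split by SetEnv. The alphabet of generate_password() is not
  # visible here - verify.
  $apache_env = $environment.map |$key, $value| { "CALDANCE_$key $value" }

  file { $home:
    mode => "0755",
  }
  # Log file shared between the deploy user and the web server group.
  file { "${home}/caldev_django.log":
    mode  => "0664",
    owner => $user,
    group => "http",
  }

  file { $caldance_app:
    ensure  => "directory",
    mode    => "0755",
    owner   => $user,
    group   => $group,
    require => User["$user:"],
  } ->
  # Media directory lives outside the extracted release and is owned by the
  # web server account; it is linked into the release by "py-symlink-file".
  file { "${home}/media":
    ensure => "directory",
    mode   => "0755",
    owner  => "http",
    group  => "http",
  }

  # Deployment chain: create the virtualenv, fetch and extract the release,
  # then (only when the archive changed) install requirements, migrate,
  # collect static files, link the media directory and reload Apache.
  exec { "initialize_venv":
    user    => $user,
    require => User["$user:"],
    command => "/usr/bin/virtualenv ${home}/virtualenv",
    creates => "${home}/virtualenv",
  }
  ->
  archive { "${home}/caldance_${caldance_version}.tar.gz":
    path          => "${home}/caldance_${caldance_version}.tar.gz",
    source        => "https://release.immae.eu/caldance/caldance_${caldance_version}.tar.gz",
    checksum_type => "sha256",
    checksum      => $caldance_sha256,
    cleanup       => false,
    extract       => true,
    user          => $user,
    # The release server is accessed with the host's LDAP identity.
    username      => lookup("base_installation::ldap_cn"),
    password      => generate_password(24, $password_seed, "ldap"),
    extract_path  => $caldance_app,
    require       => [User["$user:"], File[$caldance_app]],
  } ~>
  # NOTE(review): requirements are installed with --upgrade and without
  # --require-hashes, so the packages pulled from the index are not covered by
  # the tarball checksum. The full application environment (including
  # DB_PASSWORD and SECRET_KEY) is also visible to pip and to any package
  # build script it runs.
  exec { "py-requirements":
    cwd         => $caldance_app,
    user        => $user,
    environment => concat(["HOME=${home}"], $shell_env),
    command     => "/usr/bin/sed -i -e '/GDAL/d' requirements.txt && ${home}/virtualenv/bin/pip install -r requirements.txt --upgrade",
    require     => User["$user:"],
    refreshonly => true,
  } ~>
  exec { "py-migrate":
    cwd         => $caldance_app,
    user        => $user,
    environment => concat(["HOME=${home}"], $shell_env),
    command     => "$caldance_app/manage.py migrate",
    require     => [User["$user:"], File["$caldance_app/manage.py"]],
    refreshonly => true,
  } ~>
  exec { "py-static":
    cwd         => $caldance_app,
    user        => $user,
    environment => concat(["HOME=${home}"], $shell_env),
    command     => "$caldance_app/manage.py collectstatic --no-input",
    require     => [User["$user:"], File["$caldance_app/manage.py"]],
    refreshonly => true,
  } ~>
  exec { "py-symlink-file":
    cwd         => $caldance_app,
    user        => $user,
    environment => concat(["HOME=${home}"], $shell_env),
    # -n: replace an existing www/media symlink instead of following it.
    # Without it, a second deployment tries to create the link inside
    # ${home}/media, which is owned by http; the command then fails and the
    # notification chain stops before "reload httpd".
    command     => "/usr/bin/ln -sfn ${home}/media www/media",
    require     => [User["$user:"], File["$caldance_app/manage.py"]],
    refreshonly => true,
  } ~>
  exec { "reload httpd":
    command     => "/usr/bin/systemctl reload httpd",
    require     => [User["$user:"], File["$caldance_app/manage.py"]],
    refreshonly => true,
  }

  # Referenced by the manage.py template (presumably as the interpreter path -
  # the template is not visible here).
  $python_path = "${home}/virtualenv/bin/python"
  # manage.py is rendered from a template once the archive has been extracted.
  file { "$caldance_app/manage.py":
    owner   => $user,
    group   => $group,
    mode    => "0755",
    content => template("role/caldance/manage.py.erb"),
    require => [
      User["$user:"],
      Archive[ "${home}/caldance_${caldance_version}.tar.gz"],
    ],
  }

  profile::postgresql::master { "postgresql master for caldance":
    letsencrypt_host => $web_host,
    backup_hosts     => ["backup-1"],
  }

  postgresql::server::db { $pg_db:
    user     => $pg_user,
    password => postgresql_password($pg_user, $pg_password),
  }

  # Needed by the password generation script.
  ensure_packages(["perl-digest-sha1"])

  ensure_packages(["postgis", "python-gdal", "ripgrep"])
  file { "/usr/local/bin/ldap_ssha":
    owner   => "root",
    group   => "root",
    mode    => "0755",
    source  => "puppet:///modules/base_installation/scripts/ldap_ssha",
    require => Package["perl-digest-sha1"],
  }

  # NOTE(review): every member of the wheel group gets password-less root on
  # this host. Confirm that this is intended for the role and that wheel
  # membership is controlled elsewhere.
  sudo::conf { 'wheel_nopasswd':
    priority => 99,
    content  => "%wheel ALL=(ALL) NOPASSWD: ALL",
    require  => Package["sudo"],
  }

  ensure_packages(["mod_wsgi"])
  class { 'apache::mod::wsgi':
    wsgi_python_home => "${home}/virtualenv",
    wsgi_python_path => $caldance_app,
    require          => Package["mod_wsgi"],
  }
  class { 'apache::mod::authn_file': }
  class { 'apache::mod::authn_core': }
  class { 'apache::mod::authz_user': }
  class { 'apache::mod::auth_basic': }

  # HTTPS-only vhost. The whole site ("/" location) sits behind HTTP Basic
  # authentication backed by ${home}/htpasswd; that file is not declared in
  # this class and is presumably provisioned elsewhere.
  apache::vhost { $web_host:
    port                => '443',
    docroot             => false,
    manage_docroot      => false,
    ssl                 => true,
    ssl_cert            => "/etc/letsencrypt/live/$web_host/cert.pem",
    ssl_key             => "/etc/letsencrypt/live/$web_host/privkey.pem",
    ssl_chain           => "/etc/letsencrypt/live/$web_host/chain.pem",
    require             => Letsencrypt::Certonly[$web_host],
    directories         => [
      {
        path    => "$caldance_app/main_app",
        require => "all granted",
      },
      {
        path    => "$caldance_app/www/static",
        require => "all granted",
      },
      {
        path           => "/",
        provider       => "location",
        require        => "valid-user",
        auth_type      => "Basic",
        auth_name      => "Authentification requise",
        auth_user_file => "$home/htpasswd",
      },
    ],
    aliases             => [
      {
        alias => "/static/",
        path  => "$caldance_app/www/static/",
      },
    ],
    # Hands the application settings, secrets included, to the WSGI process.
    setenv              => $apache_env,
    wsgi_script_aliases => { "/" => "$caldance_app/main_app/wsgi.py" };
    default: * => $::profile::apache::apache_vhost_default;
  }

  # Daily report (00:15) of outdated packages in the virtualenv, mailed to
  # the cron_pip recipients.
  # NOTE(review): the job receives the full application environment although
  # "pip list --outdated" only appears to need HOME and MAILTO; consider
  # dropping $shell_env here to keep the secrets out of the cron definition.
  $mailtos = join($cron_pip, ",")
  cron::job { "list_outdated_pip_packages":
    ensure      => present,
    user        => $user,
    environment => concat(["HOME=${home}","MAILTO=${mailtos}"], $shell_env),
    command     => "${home}/virtualenv/bin/pip list --outdated",
    minute      => "15",
    hour        => "0",
    require     => Exec["initialize_venv"],
  }
}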