git.immae.eu Git - perso/Immae/Projets/Puppet.git/blame - modules/role/manifests/caldance.pp
Fix caldance app deployment
# Role class that deploys the "caldance" web application on a node.
#
# Visible in this manifest: it includes the base/mail/tools/postgresql/apache/
# redis/monitoring profiles, creates a virtualenv under $home, downloads and
# extracts a release tarball, installs its Python requirements, swaps the new
# code into place, runs the `manage migrate` / `manage collectstatic` commands,
# and restarts the uwsgi systemd unit. It also declares the PostgreSQL
# database, an Apache TLS vhost protected by HTTP Basic auth, and a sudoers
# drop-in for the wheel group.
#
# @param user             Owner of the application files; execs run as this user.
# @param group            Group of the application files.
# @param home             Base directory holding app/, app_old/, app_tmp/, media/ and virtualenv/.
# @param web_host         Apache vhost name; also used for the Let's Encrypt certificate paths.
# @param pg_user          PostgreSQL role for the application database.
# @param pg_db            PostgreSQL database name.
# @param mail_from        Not referenced in this manifest; presumably read by a template -- TODO confirm.
# @param smtp_host        Not referenced in this manifest; presumably read by a template -- TODO confirm.
# @param smtp_port        Not referenced in this manifest; presumably read by a template -- TODO confirm.
# @param pg_hostname      Exposed as DB_HOST in $environment.
# @param pg_port          Exposed as DB_PORT in $environment.
# @param caldance_version Release version interpolated into the tarball name and URL.
# @param caldance_sha256  Expected SHA-256 of the release tarball.
# @param cron_pip         Not referenced in this manifest (the related cron job below is set to absent).
#
# NOTE(review): $caldance_version and $caldance_sha256 both default to undef.
# With an undef version the tarball name degrades to "caldance_.tar.gz", and
# with an undef checksum the integrity check on the download depends on how the
# archive module treats a missing value -- confirm, and always set both in hiera
# so the deployed artifact is pinned.
class role::caldance (
  String            $user,
  String            $group,
  String            $home,
  String            $web_host,
  String            $pg_user,
  String            $pg_db,
  String            $mail_from,
  String            $smtp_host,
  String            $smtp_port,
  Optional[String]  $pg_hostname      = "/run/postgresql",
  Optional[String]  $pg_port          = "5432",
  Optional[String]  $caldance_version = undef,
  Optional[String]  $caldance_sha256  = undef,
  Optional[Array]   $cron_pip         = [],
) {
  # Seed passed to generate_password() for every secret derived in this class.
  # NOTE(review): generate_password is defined elsewhere; presumably it derives
  # the value deterministically from the seed and the label, in which case the
  # seed is as sensitive as every password derived from it -- confirm.
  $password_seed = lookup("base_installation::puppet_pass_seed")

  include "base_installation"

  include "profile::mail"
  include "profile::tools"
  include "profile::postgresql"
  include "profile::apache"
  include "profile::redis"
  include "profile::monitoring"

  ensure_packages(["python-pip", "python-virtualenv", "python-django", "uwsgi-plugin-python"])

  # Three sibling directories are used so that a new release is unpacked and
  # prepared in app_tmp, then rotated into app while the previous code is kept
  # in app_old (see the "mv app_tmp" exec below).
  $caldance_app = "${home}/app"
  $caldance_app_old = "${home}/app_old"
  $caldance_app_tmp = "${home}/app_tmp"
  $pg_password = generate_password(24, $password_seed, "postgres_caldance")
  $secret_key = generate_password(24, $password_seed, "secret_key_caldance")
  $socket = "/run/caldance/app.sock"

  $uwsgi_path = "${home}/virtualenv/bin/uwsgi"
  $python_path = "${home}/virtualenv/bin/python"

  # Application settings, including the database password and the secret key.
  # The hash is not referenced again in this manifest, so it is presumably
  # consumed by one of the ERB templates rendered below.
  # NOTE(review): those templates are written with mode 0755 / 0644 under a
  # 0755 $home; if any of them embeds DB_PASSWORD or SECRET_KEY, the secrets
  # are readable by every local account -- confirm which file receives them and
  # restrict its mode to the owner (and group, if Apache/uwsgi needs it).
  $environment = {
    "DB_NAME"     => $pg_db,
    "DB_USER"     => $pg_user,
    "DB_PASSWORD" => $pg_password,
    "DB_HOST"     => $pg_hostname,
    "DB_PORT"     => $pg_port,
    "SECRET_KEY"  => $secret_key,
    "DEBUG"       => "False",
    "LOG_FILE"    => "$home/caldance.log",
    "MEDIA_ROOT"  => "$home/media",
  }

  # Only the mode of $home is managed here; it is world-traversable.
  file { $home:
    mode => "0755",
  }

  # User["$user:"] (title = user name followed by a colon) is declared outside
  # this manifest; every resource acting as $user requires it.
  file { $caldance_app_tmp:
    ensure  => "directory",
    mode    => "0755",
    owner   => $user,
    group   => $group,
    require => User["$user:"],
  }
  file { $caldance_app:
    ensure  => "directory",
    mode    => "0755",
    owner   => $user,
    group   => $group,
    require => User["$user:"],
  } ->
  file { "${home}/media":
    ensure => "directory",
    mode   => "0755",
    owner  => $user,
    group  => $group,
  }

  # Deployment chain. "->" only orders resources; "~>" orders and notifies, so
  # the refreshonly execs below run only when the step before them changed
  # (in practice: when a new tarball was downloaded).
  exec { "initialize_venv":
    user    => $user,
    require => User["$user:"],
    command => "/usr/bin/virtualenv ${home}/virtualenv",
    creates => "${home}/virtualenv",
  }
  ->
  # Release tarball fetched over HTTPS with HTTP credentials (LDAP cn and a
  # derived password) and extracted into app_tmp as $user. The downloaded file
  # is kept (cleanup => false).
  archive { "${home}/caldance_${caldance_version}.tar.gz":
    path          => "${home}/caldance_${caldance_version}.tar.gz",
    source        => "https://release.immae.eu/caldance/caldance_${caldance_version}.tar.gz",
    checksum_type => "sha256",
    checksum      => $caldance_sha256,
    cleanup       => false,
    extract       => true,
    user          => $user,
    username      => lookup("base_installation::ldap_cn"),
    password      => generate_password(24, $password_seed, "ldap"),
    extract_path  => $caldance_app_tmp,
    require       => [User["$user:"], File[$caldance_app_tmp]],
  } ~>
  # Drops every line mentioning GDAL from requirements.txt, then installs or
  # upgrades the remaining requirements into the virtualenv.
  # NOTE(review): requirements.txt is not visible here; unless it pins versions
  # with hashes, this step pulls whatever the package index serves at deploy
  # time -- consider hash-pinned requirements (pip's --require-hashes).
  exec { "py-requirements":
    cwd         => $caldance_app_tmp,
    user        => $user,
    environment => ["HOME=${home}"],
    command     => "/usr/bin/sed -i -e '/GDAL/d' requirements.txt && ${home}/virtualenv/bin/pip install -r requirements.txt --upgrade",
    require     => User["$user:"],
    refreshonly => true,
  } ~>
  # No `user` attribute: runs as the account Puppet itself runs as. The
  # "|| /usr/bin/true" keeps the chain going when the unit is not running or
  # does not exist yet.
  exec { "stop uwsgi application":
    command     => "/usr/bin/systemctl stop caldance-app.service || /usr/bin/true",
    require     => [User["$user:"]],
    refreshonly => true,
  } ~>
  # Rotation: delete app_old, move app -> app_old, move app_tmp -> app, then
  # recreate an empty app_tmp.
  # NOTE(review): the paths are interpolated unquoted into a command line that
  # includes `rm -rf`; this relies on $home containing no whitespace or shell
  # metacharacters -- validate $home (e.g. an absolute-path type) where the
  # class is declared.
  exec { "mv app_tmp":
    cwd         => $home,
    user        => $user,
    environment => ["HOME=${home}"],
    command     => "/usr/bin/rm -rf $caldance_app_old && /usr/bin/mv $caldance_app $caldance_app_old && /usr/bin/mv $caldance_app_tmp $caldance_app && /usr/bin/mkdir $caldance_app_tmp",
    require     => [User["$user:"]],
    refreshonly => true,
  } ~>
  # Files rendered from templates into the freshly rotated app directory.
  # manage.py and manage are world-readable and executable (0755), app.ini is
  # world-readable (0644); see the note on $environment above.
  file { "$caldance_app/manage.py":
    owner   => $user,
    group   => $group,
    mode    => "0755",
    content => template("role/caldance/manage.py.erb"),
    require => [
      User["$user:"],
      Archive[ "${home}/caldance_${caldance_version}.tar.gz"],
    ],
  } ~>
  file { "$caldance_app/manage":
    owner   => $user,
    group   => $group,
    mode    => "0755",
    content => template("role/caldance/manage.sh.erb"),
    require => [
      User["$user:"],
      File["$caldance_app/manage.py"],
      Archive[ "${home}/caldance_${caldance_version}.tar.gz"],
    ],
  } ~>
  file { "$caldance_app/app.ini":
    owner   => $user,
    group   => $group,
    mode    => "0644",
    content => template("role/caldance/app.ini.erb"),
    require => [
      User["$user:"],
      Archive[ "${home}/caldance_${caldance_version}.tar.gz"],
    ],
  } ~>
  # Database migrations, run as $user through the generated wrapper script.
  exec { "py-migrate":
    cwd         => $caldance_app,
    user        => $user,
    environment => ["HOME=${home}"],
    command     => "$caldance_app/manage migrate",
    require     => [User["$user:"], File["$caldance_app/manage"]],
    refreshonly => true,
  } ~>
  # Static asset collection, also run as $user.
  exec { "py-static":
    cwd         => $caldance_app,
    user        => $user,
    environment => ["HOME=${home}"],
    command     => "$caldance_app/manage collectstatic --no-input",
    require     => [User["$user:"], File["$caldance_app/manage"]],
    refreshonly => true,
  } ~>
  # Final step of the chain: bring the service back up on the new code.
  exec { "restart uwsgi application":
    command     => "/usr/bin/systemctl restart caldance-app.service",
    require     => [User["$user:"], File["$caldance_app/app.ini"]],
    refreshonly => true,
  }

  profile::postgresql::master { "postgresql master for caldance":
    letsencrypt_host => $web_host,
    backup_hosts     => [],
  }

  # The role password is passed through postgresql_password() rather than
  # handed to the resource as the raw derived value.
  postgresql::server::db { $pg_db:
    user     => $pg_user,
    password => postgresql_password($pg_user, $pg_password),
  }

  # needed by the password generation script
  ensure_packages(["perl-digest-sha1"])

  ensure_packages(["postgis", "python-gdal", "ripgrep"])
  file { "/usr/local/bin/ldap_ssha":
    owner   => "root",
    group   => "root",
    mode    => "0755",
    source  => "puppet:///modules/base_installation/scripts/ldap_ssha",
    require => Package["perl-digest-sha1"],
  }

  # Grants every member of the wheel group passwordless sudo for any command
  # as any user.
  # NOTE(review): membership of wheel is therefore equivalent to root on this
  # node with no re-authentication; confirm that group membership is tightly
  # controlled and that this is intended for a host serving a web application.
  sudo::conf { 'wheel_nopasswd':
    priority => 99,
    content  => "%wheel ALL=(ALL) NOPASSWD: ALL",
    require  => Package["sudo"],
  }

  ensure_packages(["mod_wsgi"])
  class { 'apache::mod::wsgi':
    wsgi_python_home => "${home}/virtualenv",
    wsgi_python_path => $caldance_app,
    require          => Package["mod_wsgi"],
  }
  # Modules needed for the file-backed Basic authentication configured below.
  class { 'apache::mod::authn_file': }
  class { 'apache::mod::authn_core': }
  class { 'apache::mod::authz_user': }
  class { 'apache::mod::auth_basic': }
  class { 'apache::mod::proxy': }
  apache::mod { 'proxy_uwsgi': }

  # TLS vhost on port 443 using the Let's Encrypt certificate for $web_host.
  # Every path except /media/ and /static/ is proxied to the uwsgi unix socket;
  # those two prefixes are served by Apache from the aliases further down.
  apache::vhost { $web_host:
    port                => '443',
    docroot             => false,
    manage_docroot      => false,
    ssl                 => true,
    ssl_cert            => "/etc/letsencrypt/live/$web_host/cert.pem",
    ssl_key             => "/etc/letsencrypt/live/$web_host/privkey.pem",
    ssl_chain           => "/etc/letsencrypt/live/$web_host/chain.pem",
    require             => Letsencrypt::Certonly[$web_host],
    proxy_preserve_host => true,
    proxy_pass          => [
      {
        path          => "/",
        url           => "unix:$socket|uwsgi://caldance-app/",
        reverse_urls  => [],
        no_proxy_uris => [ "/media/", "/static/" ],
      }
    ],
    directories         => [
      {
        path    => "$caldance_app/main_app",
        require => "all granted",
      },
      {
        path    => "$caldance_app/www/static",
        require => "all granted",
      },
      {
        # Directory listings are disabled for the media directory.
        path    => "$home/media",
        require => "all granted",
        options => ["-Indexes"],
      },
      {
        # Basic auth is required on the whole site ("/" as a location).
        # NOTE(review): $home/htpasswd is not managed in this class and sits
        # under a 0755 $home; confirm its owner and mode so that the password
        # hashes are readable only by the account Apache needs.
        path           => "/",
        provider       => "location",
        require        => "valid-user",
        auth_type      => "Basic",
        auth_name      => "Authentification requise",
        auth_user_file => "$home/htpasswd",
      },
    ],
    aliases             => [
      {
        alias => "/static/",
        path  => "$caldance_app/www/static/",
      },
      {
        alias => "/media/",
        path  => "$home/media/",
      },
    ];
    # Remaining vhost attributes come from the shared defaults hash of
    # profile::apache.
    default: * => $::profile::apache::apache_vhost_default;
  }

  # systemd unit for the uwsgi application; world-readable (0644), see the
  # note on $environment if the template embeds any secret.
  file { "/etc/systemd/system/caldance-app.service":
    mode    => "0644",
    owner   => "root",
    group   => "root",
    content => template("role/caldance/caldance-app.service.erb"),
    require => File["$caldance_app/app.ini"],
  } ->
  service { "caldance-app":
    ensure => "running",
    enable => true
  }

  # Removes the cron job of that name if it exists.
  cron::job { "list_outdated_pip_packages":
    ensure => absent
  }
}