# Role class for the cryptoportfolio host.
#
# What this manifest sets up (all visible below):
#   - a PostgreSQL database for the application, with TLS enabled and a
#     logical-replication publication plus a read-only replication role;
#   - an Apache HTTPS vhost (Let's Encrypt certificate) reverse-proxying to
#     the application on localhost:8000;
#   - a dedicated system user and, when a front-end version is configured,
#     a checksum-verified download and build of the Go/Node front-end and a
#     systemd service for it.
#
# Secrets are never stored in this manifest: every password/secret is derived
# from a Hiera-supplied seed via generate_password (project function).
class role::cryptoportfolio {
  include "base_installation"

  include "profile::tools"
  include "profile::postgresql"
  include "profile::apache"

  # Seed for all derived secrets. The `|$key| { {} }` block is the lookup
  # default, so a missing key yields an empty hash rather than a failure.
  $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }

  # PostgreSQL identities. Two roles: the application owner and a separate
  # replication role that only ever gets SELECT (see the grants below).
  $cf_pg_user = "cryptoportfolio"
  $cf_pg_user_replication = "cryptoportfolio_replication"
  $cf_pg_db = "cryptoportfolio"
  # generate_password(length, seed, label): presumably deterministic for a
  # given seed/label so runs converge — confirm against the function source.
  $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
  $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
  # $cf_pg_host is not referenced in this class body; presumably consumed by
  # the ERB templates rendered further down (api_conf.toml.erb etc.).
  $cf_pg_host = "localhost:5432"

  $cf_user = "cryptoportfolio"
  $cf_group = "cryptoportfolio"
  $cf_home = "/opt/cryptoportfolio"
  $cf_env = "prod"
  $cf_front_app_host = "cryptoportfolio.immae.eu"
  # $cf_front_app_port / $cf_front_app_ssl are likewise only used via templates.
  $cf_front_app_port = ""
  $cf_front_app_ssl = "true"
  # Checkout path follows the Go import path layout under $cf_home/go/src.
  $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
  $cf_front_app_api_workdir = "${cf_front_app}/cmd/app"
  $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app"
  $cf_front_app_api_conf = "${cf_home}/conf.toml"
  # API secret, derived like the DB passwords; only surfaced through templates.
  $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret")

  $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"

  # TLS material for PostgreSQL: the Let's Encrypt certificate and key are
  # copied into the data directory, owned by the postgres user and mode 0600,
  # instead of pointing postgres at /etc/letsencrypt directly.
  file { "/var/lib/postgres/data/certs":
    ensure  => directory,
    mode    => "0700",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => File["/var/lib/postgres"],
  }

  # `links => follow`: the live/ entries are normally symlinks into archive/,
  # so the file content is copied rather than the link itself.
  # NOTE(review): nothing in this class notifies the PostgreSQL service when
  # these two files change after a certificate renewal — confirm the reload is
  # handled elsewhere (e.g. profile::postgresql), otherwise postgres keeps
  # serving the old certificate until restarted.
  file { "/var/lib/postgres/data/certs/cert.pem":
    source  => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
  }

  file { "/var/lib/postgres/data/certs/privkey.pem":
    source  => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
  }

  # wal_level=logical is required for the CREATE PUBLICATION below.
  postgresql::server::config_entry { "wal_level":
    value => "logical",
  }

  # Server-side TLS, using the copied certificate/key above.
  postgresql::server::config_entry { "ssl":
    value   => "on",
    require => Letsencrypt::Certonly[$cf_front_app_host],
  }

  postgresql::server::config_entry { "ssl_cert_file":
    value   => "/var/lib/postgres/data/certs/cert.pem",
    require => Letsencrypt::Certonly[$cf_front_app_host],
  }

  postgresql::server::config_entry { "ssl_key_file":
    value   => "/var/lib/postgres/data/certs/privkey.pem",
    require => Letsencrypt::Certonly[$cf_front_app_host],
  }

  # Database, publication and replication role, chained with `->` so they are
  # applied in this order. postgresql_password() stores a hashed password
  # rather than the clear-text value.
  postgresql::server::db { $cf_pg_db:
    user     => $cf_pg_user,
    password => postgresql_password($cf_pg_user, $cf_pg_password),
  }
  ->
  # `unless` makes the publication creation idempotent across runs.
  postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
    db     => $cf_pg_db,
    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
  }
  ->
  # Least privilege for the replication role: REPLICATION attribute, CONNECT
  # on the database, and SELECT only (needed for the initial table copy).
  postgresql::server::role { $cf_pg_user_replication:
    db            => $cf_pg_db,
    replication   => true,
    password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
  }
  ->
  postgresql::server::database_grant { $cf_pg_user_replication:
    db        => $cf_pg_db,
    privilege => "CONNECT",
    role      => $cf_pg_user_replication,
  }
  ->
  postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
    db          => $cf_pg_db,
    role        => $cf_pg_user_replication,
    privilege   => "SELECT",
    object_type => "ALL TABLES IN SCHEMA",
    object_name => "public",
  }
  ->
  postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
    db          => $cf_pg_db,
    role        => $cf_pg_user_replication,
    privilege   => "SELECT",
    object_type => "ALL SEQUENCES IN SCHEMA",
    object_name => "public",
  }

  # pg_hba: the application user may only connect over loopback (v4 and v6).
  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
    type        => 'host',
    database    => $cf_pg_db,
    user        => $cf_pg_user,
    address     => '127.0.0.1/32',
    auth_method => 'md5',
    order       => "b0",
  }
  postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
    type        => 'host',
    database    => $cf_pg_db,
    user        => $cf_pg_user,
    address     => '::1/128',
    auth_method => 'md5',
    order       => "b0",
  }

  # Replication user: TLS-only (`hostssl`) and limited to one peer given as a
  # hostname. With a hostname in pg_hba, PostgreSQL matches the client by
  # reverse DNS plus a forward-confirmation lookup, so this rule is only as
  # strong as that DNS. NOTE(review): md5 is used for all three rules — if the
  # server version supports it, scram-sha-256 would be the preferred method.
  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
    type        => 'hostssl',
    database    => $cf_pg_db,
    user        => $cf_pg_user_replication,
    address     => 'immae.eu',
    auth_method => 'md5',
    order       => "b0",
  }

  # Certificate for the public hostname; defaults come from profile::apache.
  letsencrypt::certonly { $cf_front_app_host: ;
    default: * => $::profile::apache::letsencrypt_certonly_default;
  }

  # HTTPS vhost reverse-proxying to the app on localhost:8000. mod_headers is
  # needed for request_headers; X-Forwarded-Proto tells the backend the
  # original scheme was https; proxy_preserve_host forwards the Host header.
  class { 'apache::mod::headers': }
  apache::vhost { $cf_front_app_host:
    port                => '443',
    docroot             => false,
    manage_docroot      => false,
    proxy_dest          => "http://localhost:8000",
    request_headers     => 'set X-Forwarded-Proto "https"',
    ssl                 => true,
    ssl_cert            => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
    ssl_key             => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
    ssl_chain           => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
    require             => Letsencrypt::Certonly[$cf_front_app_host],
    proxy_preserve_host => true;
    default: * => $::profile::apache::apache_vhost_default;
  }

  # Dedicated system account; password '!!' leaves the account locked for
  # password login.
  user { $cf_user:
    name       => $cf_user,
    ensure     => "present",
    managehome => true,
    home       => $cf_home,
    system     => true,
    password   => '!!',
  }

  # Front-end release to deploy and its expected digest; both from Hiera.
  # When no version is configured, everything below is skipped.
  $front_version = lookup("cryptoportfolio::front_version") |$key| { {} }
  $front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} }

  unless empty($front_version) {
    ensure_packages(["go", "npm", "nodejs", "yarn"])

    # Full GOPATH directory chain down to the checkout, private to $cf_user.
    file { [
      "${cf_home}/go/",
      "${cf_home}/go/src",
      "${cf_home}/go/src/immae.eu",
      "${cf_home}/go/src/immae.eu/Immae",
      "${cf_home}/go/src/immae.eu/Immae/Projets",
      "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies",
      "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio",
      $cf_front_app]:
      ensure  => "directory",
      mode    => "0700",
      owner   => $cf_user,
      group   => $cf_group,
      require => User[$cf_user],
    }

    # Release tarball download: the sha256 from Hiera is verified before the
    # archive is extracted, so a tampered download is rejected.
    archive { "${cf_home}/${front_version}.tar.gz":
      path          => "${cf_home}/${front_version}.tar.gz",
      source        => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz",
      checksum_type => "sha256",
      checksum      => $front_sha256,
      cleanup       => false,
      extract       => true,
      user          => "cryptoportfolio",
      extract_path  => $cf_front_app,
      require       => [User[$cf_user], File[$cf_front_app]],
    }

    # Stable "front" symlink. When its target changes (i.e. the version
    # changed), the refreshonly exec wipes the old checkout so the new tarball
    # is extracted into a clean directory; both run before File[$cf_front_app].
    file { "${cf_home}/front":
      ensure => "link",
      target => $cf_front_app,
      before => File[$cf_front_app],
    } ~>
    exec { "remove old ${cf_front_app} directory":
      refreshonly => true,
      user        => $cf_user,
      command     => "/usr/bin/rm -rf ${cf_front_app}",
      before      => File[$cf_front_app],
    }

    # Build toolchain. NOTE(review): `go get -u` fetches dep unpinned from the
    # network on first run (guarded only by `creates`), so the tool version is
    # whatever upstream serves at that moment — consider pinning if
    # reproducible builds matter.
    exec { "go-get-dep":
      user        => $cf_user,
      environment => ["HOME=${cf_home}"],
      creates     => "${cf_home}/go/bin/dep",
      command     => "/usr/bin/go get -u github.com/golang/dep/cmd/dep",
      require     => User[$cf_user],
    }

    # `dep ensure` populates vendor/ from the project's lock file.
    exec { "go-cryptoportfolio-dependencies":
      cwd         => $cf_front_app,
      user        => $cf_user,
      environment => ["HOME=${cf_home}"],
      creates     => "${cf_front_app}/vendor",
      command     => "${cf_home}/go/bin/dep ensure",
      require     => [Exec["go-get-dep"], Archive["${cf_home}/${front_version}.tar.gz"]],
    }

    exec { "go-cryptoportfolio-app":
      cwd         => $cf_front_app_api_workdir,
      user        => $cf_user,
      environment => ["HOME=${cf_home}"],
      creates     => $cf_front_app_api_bin,
      command     => "/usr/bin/make build",
      require     => Exec["go-cryptoportfolio-dependencies"],
    }

    # systemd unit; any change to it triggers a daemon-reload. (The exec
    # title spells "deamon" — left as-is since a title is a resource identity.)
    file { "/etc/systemd/system/cryptoportfolio-app.service":
      mode    => "0644",
      owner   => "root",
      group   => "root",
      content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"),
    } ~> exec { 'systemctl deamon-reload':
      command     => '/usr/bin/systemctl daemon-reload',
      refreshonly => true
    }

    # The service restarts whenever the Go binary or the web bundle is rebuilt.
    # After a restart, a schema-only dump is written next to the data
    # directory; the `>` redirection relies on Puppet handing the command
    # string to a shell.
    service { 'cryptoportfolio-app':
      enable    => true,
      ensure    => "running",
      subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
      require   => [
        File["/etc/systemd/system/cryptoportfolio-app.service"],
        Postgresql::Server::Db[$cf_pg_db]
      ],
    } ~>
    exec { "dump $cf_pg_db structure":
      refreshonly => true,
      user        => $::profile::postgresql::pg_user,
      group       => $::profile::postgresql::pg_user,
      command     => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema",
    }

    # Rendered configuration files; 0600 since the templates presumably embed
    # the derived DB password / API secret.
    file { $cf_front_app_api_conf:
      owner   => $cf_user,
      group   => $cf_group,
      mode    => "0600",
      content => template("role/cryptoportfolio/api_conf.toml.erb"),
    }

    # A changed static config invalidates the web build (see notify).
    file { $cf_front_app_static_conf:
      owner   => $cf_user,
      group   => $cf_group,
      mode    => "0600",
      content => template("role/cryptoportfolio/static_conf.env.erb"),
      notify  => Exec["remove build ${cf_front_app}/cmd/web/build/"],
    }

    # Node dependencies; no `user` is set here, so this runs as the Puppet
    # agent's user (unlike the Go execs above) — TODO confirm that is intended.
    exec { "web-cryptoportfolio-dependencies":
      cwd         => "${cf_front_app}/cmd/web",
      environment => ["HOME=${cf_home}"],
      command     => "/usr/bin/make install",
      creates     => "${cf_front_app}/cmd/web/node_modules",
      notify      => Exec["remove build ${cf_front_app}/cmd/web/build/"],
      require     => [Package["npm"], Package["nodejs"], Package["yarn"]]
    }

    # Clearing build/ defeats the `creates` guard below, forcing a rebuild.
    exec { "remove build ${cf_front_app}/cmd/web/build/":
      command     => "/usr/bin/rm -rf '${cf_front_app}/cmd/web/build/'",
      refreshonly => true,
      before      => Exec["web-cryptoportfolio-build"]
    }

    exec { "web-cryptoportfolio-build":
      cwd         => "${cf_front_app}/cmd/web",
      environment => ["HOME=${cf_home}"],
      command     => "/usr/bin/make static ENV=${cf_env}",
      creates     => "${cf_front_app}/cmd/web/build/static",
      require     => [File[$cf_front_app_static_conf], Exec["web-cryptoportfolio-dependencies"]]
    }
  }

  # TODO: xmr_stack
}