class role::cryptoportfolio { ensure_resource('exec', 'systemctl daemon-reload', { command => '/usr/bin/systemctl daemon-reload', refreshonly => true }) include "base_installation" include "profile::tools" include "profile::postgresql" include "profile::apache" include "profile::xmr_stak" $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } $cf_pg_user = "cryptoportfolio" $cf_pg_user_replication = "cryptoportfolio_replication" $cf_pg_db = "cryptoportfolio" $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") $cf_pg_hostname = "localhost" $cf_pg_port = "5432" $cf_pg_host = "${cf_pg_hostname}:${cf_pg_port}" $cf_user = "cryptoportfolio" $cf_group = "cryptoportfolio" $cf_home = "/opt/cryptoportfolio" $cf_env = "prod" $cf_front_app_host = lookup("base_installation::system_hostname") |$key| { "example.com" } $cf_front_app_port = "" $cf_front_app_ssl = "true" $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" $cf_front_app_api_conf = "${cf_home}/conf.toml" $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" $cf_bot_app = "${cf_home}/bot" $cf_bot_app_conf = "${cf_home}/bot_config.ini" $cf_bot_app_reports = "${cf_home}/bot_reports" $cf_webhook_url = lookup("cryptoportfolio::slack_webhook") |$key| { "" } file { "/var/lib/postgres/data/certs": ensure => directory, mode => "0700", owner => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, require => File["/var/lib/postgres"], } file { "/var/lib/postgres/data/certs/cert.pem": source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", mode => "0600", links => "follow", owner => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] } file { "/var/lib/postgres/data/certs/privkey.pem": source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", mode => "0600", links => "follow", owner => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] } postgresql::server::config_entry { "wal_level": value => "logical", } postgresql::server::config_entry { "ssl": value => "on", require => Letsencrypt::Certonly[$cf_front_app_host], } postgresql::server::config_entry { "ssl_cert_file": value => "/var/lib/postgres/data/certs/cert.pem", require => Letsencrypt::Certonly[$cf_front_app_host], } postgresql::server::config_entry { "ssl_key_file": value => "/var/lib/postgres/data/certs/privkey.pem", require => Letsencrypt::Certonly[$cf_front_app_host], } postgresql::server::db { $cf_pg_db: user => $cf_pg_user, password => postgresql_password($cf_pg_user, $cf_pg_password), } -> postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": db => $cf_pg_db, unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", } -> postgresql::server::role { $cf_pg_user_replication: db => $cf_pg_db, replication => true, password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), } -> postgresql::server::database_grant { $cf_pg_user_replication: db => $cf_pg_db, privilege => "CONNECT", role => $cf_pg_user_replication, } -> postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": db => $cf_pg_db, role => $cf_pg_user_replication, privilege => "SELECT", object_type => "ALL TABLES IN SCHEMA", object_name => "public", } -> postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": db => $cf_pg_db, role => $cf_pg_user_replication, privilege => "SELECT", object_type => "ALL SEQUENCES IN SCHEMA", object_name => "public", } postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': type => 'host', database => $cf_pg_db, user => $cf_pg_user, address => '127.0.0.1/32', auth_method => 'md5', order => "b0", } postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': type => 'host', database => $cf_pg_db, user => $cf_pg_user, address => '::1/128', auth_method => 'md5', order => "b0", } postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': type => 'hostssl', database => $cf_pg_db, user => $cf_pg_user_replication, address => 'immae.eu', auth_method => 'md5', order => "b0", } letsencrypt::certonly { $cf_front_app_host: ; default: * => $::profile::apache::letsencrypt_certonly_default; } class { 'apache::mod::headers': } apache::vhost { $cf_front_app_host: port => '443', docroot => false, manage_docroot => false, proxy_dest => "http://localhost:8000", request_headers => 'set X-Forwarded-Proto "https"', ssl => true, ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem", ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem", ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem", require => Letsencrypt::Certonly[$cf_front_app_host], proxy_preserve_host => true; default: * => $::profile::apache::apache_vhost_default; } user { $cf_user: name => $cf_user, ensure => "present", managehome => true, home => $cf_home, system => true, password => '!!', } file { "/usr/local/bin/slack-notify": mode => "0755", source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", } $front_version = lookup("cryptoportfolio::front_version") |$key| { {} } $front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} } $bot_version = lookup("cryptoportfolio::bot_version") |$key| { {} } $bot_sha256 = lookup("cryptoportfolio::bot_sha256") |$key| { {} } unless empty($bot_version) { ensure_packages(["python", "python-pip"]) file { $cf_bot_app: ensure => "directory", mode => "0700", owner => $cf_user, group => $cf_group, require => User[$cf_user], } archive { "${cf_home}/trader_${bot_version}.tar.gz": path => "${cf_home}/trader_${bot_version}.tar.gz", source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", checksum_type => "sha256", checksum => $bot_sha256, cleanup => false, extract => true, user => $cf_user, username => $facts["ec2_metadata"]["hostname"], password => generate_password(24, $password_seed, "ldap"), extract_path => $cf_bot_app, require => [User[$cf_user], File[$cf_bot_app]], } ~> exec { "py-cryptoportfolio-dependencies": cwd => $cf_bot_app, user => $cf_user, environment => ["HOME=${cf_home}"], command => "/usr/bin/make install", require => User[$cf_user], refreshonly => true, before => [ File[$cf_bot_app_conf], Cron["py-cryptoportfolio-before"], Cron["py-cryptoportfolio-after"], ] } file { $cf_bot_app_conf: owner => $cf_user, group => $cf_group, mode => "0600", content => template("role/cryptoportfolio/bot_config.ini.erb"), require => [ User[$cf_user], Archive["${cf_home}/trader_${bot_version}.tar.gz"], ], } cron { "py-cryptoportfolio-before": ensure => present, command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", user => "cryptoportfolio", weekday => 7, # Sunday hour => 22, minute => 30, environment => ["HOME=${cf_home}","PATH=/usr/bin/"], require => [ File[$cf_bot_app_conf], Archive["${cf_home}/trader_${bot_version}.tar.gz"] ], } cron { "py-cryptoportfolio-after": ensure => present, command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", user => "cryptoportfolio", weekday => 1, # Monday hour => 1, minute => 0, environment => ["HOME=${cf_home}","PATH=/usr/bin/"], require => [ File[$cf_bot_app_conf], Archive["${cf_home}/trader_${bot_version}.tar.gz"] ], } unless empty($cf_webhook_url) { exec { "bot-slack-notify": refreshonly => true, command => "/usr/local/bin/slack-notify Trader '${cf_webhook_url}' '${bot_version}'", require => File["/usr/local/bin/slack-notify"], subscribe => Exec["py-cryptoportfolio-dependencies"], } } } # FIXME: restore backup unless empty($front_version) { ensure_packages(["go", "npm", "nodejs", "yarn"]) file { [ "${cf_home}/go/", "${cf_home}/go/src", "${cf_home}/go/src/immae.eu", "${cf_home}/go/src/immae.eu/Immae", "${cf_home}/go/src/immae.eu/Immae/Projets", "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", $cf_front_app]: ensure => "directory", mode => "0700", owner => $cf_user, group => $cf_group, require => User[$cf_user], } file { "${cf_home}/front": ensure => "link", target => $cf_front_app, before => File[$cf_front_app], } file { "/etc/systemd/system/cryptoportfolio-app.service": mode => "0644", owner => "root", group => "root", content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), notify => Exec["systemctl daemon-reload"], } service { 'cryptoportfolio-app': enable => true, ensure => "running", subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], require => [ File["/etc/systemd/system/cryptoportfolio-app.service"], Postgresql::Server::Db[$cf_pg_db] ], } ~> exec { "dump $cf_pg_db structure": refreshonly => true, user => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema", } archive { "${cf_home}/front_${front_version}.tar.gz": path => "${cf_home}/front_${front_version}.tar.gz", source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", checksum_type => "sha256", checksum => $front_sha256, cleanup => false, extract => true, user => $cf_user, username => $facts["ec2_metadata"]["hostname"], password => generate_password(24, $password_seed, "ldap"), extract_path => $cf_front_app, require => [User[$cf_user], File[$cf_front_app]], notify => [ Exec["web-cryptoportfolio-dependencies"], Exec["go-get-dep"], ] } # Api file { $cf_front_app_api_conf: owner => $cf_user, group => $cf_group, mode => "0600", content => template("role/cryptoportfolio/api_conf.toml.erb"), before => Exec["go-cryptoportfolio-app"], } exec { "go-get-dep": user => $cf_user, environment => ["HOME=${cf_home}"], creates => "${cf_home}/go/bin/dep", command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", refreshonly => true, } ~> exec { "go-cryptoportfolio-dependencies": cwd => $cf_front_app, user => $cf_user, environment => ["HOME=${cf_home}"], command => "${cf_home}/go/bin/dep ensure", refreshonly => true, } ~> exec { "go-cryptoportfolio-app": cwd => $cf_front_app_api_workdir, user => $cf_user, environment => ["HOME=${cf_home}"], command => "/usr/bin/make build", refreshonly => true, } # Static pages file { $cf_front_app_static_conf: owner => $cf_user, group => $cf_group, mode => "0600", content => template("role/cryptoportfolio/static_conf.env.erb"), before => Exec["web-cryptoportfolio-build"], } exec { "web-cryptoportfolio-dependencies": cwd => "${cf_front_app}/cmd/web", user => $cf_user, environment => ["HOME=${cf_home}"], command => "/usr/bin/make install", refreshonly => true, require => [Package["npm"], Package["nodejs"], Package["yarn"]] } ~> exec { "web-cryptoportfolio-build": cwd => "${cf_front_app}/cmd/web", user => $cf_user, environment => ["HOME=${cf_home}"], path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], command => "/usr/bin/make static ENV=${cf_env}", refreshonly => true, } unless empty($cf_webhook_url) { exec { "front-slack-notify": refreshonly => true, command => "/usr/local/bin/slack-notify Front '${cf_webhook_url}' '${front_version}'", require => File["/usr/local/bin/slack-notify"], subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], } } } }