-class role::cryptoportfolio {
+class role::cryptoportfolio (
+ String $user,
+ String $group,
+ String $home,
+ Optional[String] $env = "prod",
+ Optional[String] $webhook_url = undef,
+ String $pg_user,
+ String $pg_user_replication,
+ String $pg_db,
+ Optional[String] $pg_hostname = "localhost",
+ Optional[String] $pg_port = "5432",
+ Optional[String] $web_host = undef,
+ Optional[String] $web_port = "",
+ Optional[Boolean] $web_ssl = true,
+ Optional[String] $front_version = undef,
+ Optional[String] $front_sha256 = undef,
+ Optional[String] $bot_version = undef,
+ Optional[String] $bot_sha256 = undef,
+) {
ensure_resource('exec', 'systemctl daemon-reload', {
command => '/usr/bin/systemctl daemon-reload',
refreshonly => true
include "profile::apache"
include "profile::xmr_stak"
- $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
-
- $cf_pg_user = "cryptoportfolio"
- $cf_pg_user_replication = "cryptoportfolio_replication"
- $cf_pg_db = "cryptoportfolio"
- $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
- $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
- $cf_pg_hostname = "localhost"
- $cf_pg_port = "5432"
- $cf_pg_host = "${cf_pg_hostname}:${cf_pg_port}"
-
- $cf_user = "cryptoportfolio"
- $cf_group = "cryptoportfolio"
- $cf_home = "/opt/cryptoportfolio"
- $cf_env = "prod"
- $cf_front_app_host = lookup("base_installation::system_hostname") |$key| { "example.com" }
- $cf_front_app_port = ""
- $cf_front_app_ssl = "true"
- $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
+ $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
+ $pg_host = "${pg_hostname}:${pg_port}"
+
+ $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
$cf_front_app_api_workdir = "${cf_front_app}/cmd/app"
$cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app"
- $cf_front_app_api_conf = "${cf_home}/conf.toml"
+ $cf_front_app_api_conf = "${home}/conf.toml"
$cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret")
$cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
- $cf_bot_app = "${cf_home}/bot"
- $cf_bot_app_conf = "${cf_home}/bot_config.ini"
- $cf_bot_app_reports = "${cf_home}/bot_reports"
-
- $cf_webhook_url = lookup("cryptoportfolio::slack_webhook") |$key| { "" }
+ $cf_bot_app = "${home}/bot"
+ $cf_bot_app_conf = "${home}/bot_config.ini"
+ $cf_bot_app_reports = "${home}/bot_reports"
file { "/var/lib/postgres/data/certs":
ensure => directory,
}
file { "/var/lib/postgres/data/certs/cert.pem":
- source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+ source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
mode => "0600",
links => "follow",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+ require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
}
file { "/var/lib/postgres/data/certs/privkey.pem":
- source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+ source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
mode => "0600",
links => "follow",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+ require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
}
postgresql::server::config_entry { "wal_level":
postgresql::server::config_entry { "ssl":
value => "on",
- require => Letsencrypt::Certonly[$cf_front_app_host],
+ require => Letsencrypt::Certonly[$web_host],
}
postgresql::server::config_entry { "ssl_cert_file":
value => "/var/lib/postgres/data/certs/cert.pem",
- require => Letsencrypt::Certonly[$cf_front_app_host],
+ require => Letsencrypt::Certonly[$web_host],
}
postgresql::server::config_entry { "ssl_key_file":
value => "/var/lib/postgres/data/certs/privkey.pem",
- require => Letsencrypt::Certonly[$cf_front_app_host],
+ require => Letsencrypt::Certonly[$web_host],
}
- postgresql::server::db { $cf_pg_db:
- user => $cf_pg_user,
- password => postgresql_password($cf_pg_user, $cf_pg_password),
+ postgresql::server::db { $pg_db:
+ user => $pg_user,
+ password => postgresql_password($pg_user, $pg_password),
}
->
- postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
- db => $cf_pg_db,
- unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
+ postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
+ db => $pg_db,
+ unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
}
->
- postgresql::server::role { $cf_pg_user_replication:
- db => $cf_pg_db,
+ postgresql::server::role { $pg_user_replication:
+ db => $pg_db,
replication => true,
- password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
+ password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
}
->
- postgresql::server::database_grant { $cf_pg_user_replication:
- db => $cf_pg_db,
+ postgresql::server::database_grant { $pg_user_replication:
+ db => $pg_db,
privilege => "CONNECT",
- role => $cf_pg_user_replication,
+ role => $pg_user_replication,
}
->
- postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
- db => $cf_pg_db,
- role => $cf_pg_user_replication,
+ postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
+ db => $pg_db,
+ role => $pg_user_replication,
privilege => "SELECT",
object_type => "ALL TABLES IN SCHEMA",
object_name => "public",
}
->
- postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
- db => $cf_pg_db,
- role => $cf_pg_user_replication,
+ postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
+ db => $pg_db,
+ role => $pg_user_replication,
privilege => "SELECT",
object_type => "ALL SEQUENCES IN SCHEMA",
object_name => "public",
postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
type => 'host',
- database => $cf_pg_db,
- user => $cf_pg_user,
+ database => $pg_db,
+ user => $pg_user,
address => '127.0.0.1/32',
auth_method => 'md5',
order => "b0",
}
postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
type => 'host',
- database => $cf_pg_db,
- user => $cf_pg_user,
+ database => $pg_db,
+ user => $pg_user,
address => '::1/128',
auth_method => 'md5',
order => "b0",
postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
type => 'hostssl',
- database => $cf_pg_db,
- user => $cf_pg_user_replication,
+ database => $pg_db,
+ user => $pg_user_replication,
address => 'immae.eu',
auth_method => 'md5',
order => "b0",
}
- letsencrypt::certonly { $cf_front_app_host: ;
- default: * => $::profile::apache::letsencrypt_certonly_default;
- }
-
class { 'apache::mod::headers': }
- apache::vhost { $cf_front_app_host:
+ apache::vhost { $web_host:
port => '443',
docroot => false,
manage_docroot => false,
proxy_dest => "http://localhost:8000",
request_headers => 'set X-Forwarded-Proto "https"',
ssl => true,
- ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
- ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
- ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
- require => Letsencrypt::Certonly[$cf_front_app_host],
+ ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem",
+ ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem",
+ ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem",
+ require => Letsencrypt::Certonly[$web_host],
proxy_preserve_host => true;
default: * => $::profile::apache::apache_vhost_default;
}
- user { $cf_user:
- name => $cf_user,
- ensure => "present",
- managehome => true,
- home => $cf_home,
- system => true,
- password => '!!',
- }
-
file { "/usr/local/bin/slack-notify":
mode => "0755",
source => "puppet:///modules/role/cryptoportfolio/slack-notify.py",
}
- $front_version = lookup("cryptoportfolio::front_version") |$key| { {} }
- $front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} }
-
- $bot_version = lookup("cryptoportfolio::bot_version") |$key| { {} }
- $bot_sha256 = lookup("cryptoportfolio::bot_sha256") |$key| { {} }
-
unless empty($bot_version) {
ensure_packages(["python", "python-pip"])
file { $cf_bot_app:
ensure => "directory",
mode => "0700",
- owner => $cf_user,
- group => $cf_group,
- require => User[$cf_user],
+ owner => $user,
+ group => $group,
+ require => User["$user:"],
}
- archive { "${cf_home}/trader_${bot_version}.tar.gz":
- path => "${cf_home}/trader_${bot_version}.tar.gz",
+ archive { "${home}/trader_${bot_version}.tar.gz":
+ path => "${home}/trader_${bot_version}.tar.gz",
source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz",
checksum_type => "sha256",
checksum => $bot_sha256,
cleanup => false,
extract => true,
- user => $cf_user,
+ user => $user,
username => $facts["ec2_metadata"]["hostname"],
password => generate_password(24, $password_seed, "ldap"),
extract_path => $cf_bot_app,
- require => [User[$cf_user], File[$cf_bot_app]],
+ require => [User["$user:"], File[$cf_bot_app]],
} ~>
exec { "py-cryptoportfolio-dependencies":
cwd => $cf_bot_app,
- user => $cf_user,
- environment => ["HOME=${cf_home}"],
+ user => $user,
+ environment => ["HOME=${home}"],
command => "/usr/bin/make install",
- require => User[$cf_user],
+ require => User["$user:"],
refreshonly => true,
before => [
File[$cf_bot_app_conf],
}
file { $cf_bot_app_conf:
- owner => $cf_user,
- group => $cf_group,
+ owner => $user,
+ group => $group,
mode => "0600",
content => template("role/cryptoportfolio/bot_config.ini.erb"),
require => [
- User[$cf_user],
- Archive["${cf_home}/trader_${bot_version}.tar.gz"],
+ User["$user:"],
+ Archive["${home}/trader_${bot_version}.tar.gz"],
],
}
cron { "py-cryptoportfolio-before":
ensure => present,
command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before",
- user => "cryptoportfolio",
+ user => $user,
weekday => 7, # Sunday
hour => 22,
minute => 30,
- environment => ["HOME=${cf_home}","PATH=/usr/bin/"],
+ environment => ["HOME=${home}","PATH=/usr/bin/"],
require => [
File[$cf_bot_app_conf],
- Archive["${cf_home}/trader_${bot_version}.tar.gz"]
+ Archive["${home}/trader_${bot_version}.tar.gz"]
],
}
cron { "py-cryptoportfolio-after":
ensure => present,
command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after",
- user => "cryptoportfolio",
+ user => $user,
weekday => 1, # Monday
hour => 1,
minute => 0,
- environment => ["HOME=${cf_home}","PATH=/usr/bin/"],
+ environment => ["HOME=${home}","PATH=/usr/bin/"],
require => [
File[$cf_bot_app_conf],
- Archive["${cf_home}/trader_${bot_version}.tar.gz"]
+ Archive["${home}/trader_${bot_version}.tar.gz"]
],
}
- unless empty($cf_webhook_url) {
+ unless empty($webhook_url) {
exec { "bot-slack-notify":
refreshonly => true,
environment => [
"P_PROJECT=Trader",
- "P_WEBHOOK=${cf_webhook_url}",
+ "P_WEBHOOK=${webhook_url}",
"P_VERSION=${bot_version}",
- "P_HOST=${cf_front_app_host}",
- "P_HTTPS=${cf_front_app_ssl}",
+ "P_HOST=${web_host}",
+ "P_HTTPS=${web_ssl}",
],
command => "/usr/local/bin/slack-notify",
require => File["/usr/local/bin/slack-notify"],
ensure_packages(["go", "npm", "nodejs", "yarn"])
file { [
- "${cf_home}/go/",
- "${cf_home}/go/src",
- "${cf_home}/go/src/immae.eu",
- "${cf_home}/go/src/immae.eu/Immae",
- "${cf_home}/go/src/immae.eu/Immae/Projets",
- "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies",
- "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio",
+ "${home}/go/",
+ "${home}/go/src",
+ "${home}/go/src/immae.eu",
+ "${home}/go/src/immae.eu/Immae",
+ "${home}/go/src/immae.eu/Immae/Projets",
+ "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies",
+ "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio",
$cf_front_app]:
ensure => "directory",
mode => "0700",
- owner => $cf_user,
- group => $cf_group,
- require => User[$cf_user],
+ owner => $user,
+ group => $group,
+ require => User["$user:"],
}
- file { "${cf_home}/front":
+ file { "${home}/front":
ensure => "link",
target => $cf_front_app,
before => File[$cf_front_app],
subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
require => [
File["/etc/systemd/system/cryptoportfolio-app.service"],
- Postgresql::Server::Db[$cf_pg_db]
+ Postgresql::Server::Db[$pg_db]
],
} ~>
- exec { "dump $cf_pg_db structure":
+ exec { "dump $pg_db structure":
refreshonly => true,
user => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
- command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema",
+ command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema",
}
- archive { "${cf_home}/front_${front_version}.tar.gz":
- path => "${cf_home}/front_${front_version}.tar.gz",
+ archive { "${home}/front_${front_version}.tar.gz":
+ path => "${home}/front_${front_version}.tar.gz",
source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz",
checksum_type => "sha256",
checksum => $front_sha256,
cleanup => false,
extract => true,
- user => $cf_user,
+ user => $user,
username => $facts["ec2_metadata"]["hostname"],
password => generate_password(24, $password_seed, "ldap"),
extract_path => $cf_front_app,
- require => [User[$cf_user], File[$cf_front_app]],
+ require => [User["$user:"], File[$cf_front_app]],
notify => [
Exec["web-cryptoportfolio-dependencies"],
Exec["go-get-dep"],
# Api
file { $cf_front_app_api_conf:
- owner => $cf_user,
- group => $cf_group,
+ owner => $user,
+ group => $group,
mode => "0600",
content => template("role/cryptoportfolio/api_conf.toml.erb"),
before => Exec["go-cryptoportfolio-app"],
}
exec { "go-get-dep":
- user => $cf_user,
- environment => ["HOME=${cf_home}"],
- creates => "${cf_home}/go/bin/dep",
+ user => $user,
+ environment => ["HOME=${home}"],
+ creates => "${home}/go/bin/dep",
command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep",
refreshonly => true,
} ~>
exec { "go-cryptoportfolio-dependencies":
cwd => $cf_front_app,
- user => $cf_user,
- environment => ["HOME=${cf_home}"],
- command => "${cf_home}/go/bin/dep ensure",
+ user => $user,
+ environment => ["HOME=${home}"],
+ command => "${home}/go/bin/dep ensure",
refreshonly => true,
} ~>
exec { "go-cryptoportfolio-app":
cwd => $cf_front_app_api_workdir,
- user => $cf_user,
- environment => ["HOME=${cf_home}"],
+ user => $user,
+ environment => ["HOME=${home}"],
command => "/usr/bin/make build",
refreshonly => true,
}
# Static pages
file { $cf_front_app_static_conf:
- owner => $cf_user,
- group => $cf_group,
+ owner => $user,
+ group => $group,
mode => "0600",
content => template("role/cryptoportfolio/static_conf.env.erb"),
before => Exec["web-cryptoportfolio-build"],
exec { "web-cryptoportfolio-dependencies":
cwd => "${cf_front_app}/cmd/web",
- user => $cf_user,
- environment => ["HOME=${cf_home}"],
+ user => $user,
+ environment => ["HOME=${home}"],
command => "/usr/bin/make install",
refreshonly => true,
require => [Package["npm"], Package["nodejs"], Package["yarn"]]
} ~>
exec { "web-cryptoportfolio-build":
cwd => "${cf_front_app}/cmd/web",
- user => $cf_user,
- environment => ["HOME=${cf_home}"],
+ user => $user,
+ environment => ["HOME=${home}"],
path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"],
- command => "/usr/bin/make static ENV=${cf_env}",
+ command => "/usr/bin/make static ENV=${env}",
refreshonly => true,
}
- unless empty($cf_webhook_url) {
+ unless empty($webhook_url) {
exec { "front-slack-notify":
refreshonly => true,
environment => [
"P_PROJECT=Front",
- "P_WEBHOOK=${cf_webhook_url}",
+ "P_WEBHOOK=${webhook_url}",
"P_VERSION=${front_version}",
- "P_HOST=${cf_front_app_host}",
- "P_HTTPS=${cf_front_app_ssl}",
+ "P_HOST=${web_host}",
+ "P_HTTPS=${web_ssl}",
],
command => "/usr/local/bin/slack-notify",
require => File["/usr/local/bin/slack-notify"],
projects / perso / Immae / Projets / Puppet.git / blobdiff