From 0a21fb6c2c52ca5cc2dfdfc41ca0a51c0d81296c Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 13 Mar 2018 13:23:17 +0100 Subject: [PATCH] Start to cleanup the files --- environments/global/common.yaml | 4 + .../global/roles/cryptoportfolio.yaml | 17 +- environments/global/types/s1-2.yaml | 2 +- environments/global/types/vps-ovhssd-1.yaml | 2 +- .../integration/roles/cryptoportfolio.yaml | 6 +- .../production/roles/cryptoportfolio.yaml | 8 +- manifests/site.pp | 2 +- modules/base_installation/manifests/puppet.pp | 2 +- .../base_installation/manifests/services.pp | 2 +- modules/base_installation/manifests/users.pp | 20 +- modules/profile/manifests/apache.pp | 15 +- modules/role/manifests/cryptoportfolio.pp | 273 +++++++++--------- .../cryptoportfolio/api_conf.toml.erb | 12 +- .../cryptoportfolio/bot_config.ini.erb | 10 +- .../cryptoportfolio-app.service.erb | 4 +- .../cryptoportfolio/static_conf.env.erb | 6 +- 16 files changed, 199 insertions(+), 186 deletions(-) diff --git a/environments/global/common.yaml b/environments/global/common.yaml index 5b21dca..05d12ad 100644 --- a/environments/global/common.yaml +++ b/environments/global/common.yaml @@ -6,6 +6,8 @@ lookup_options: merge: deep base_installation::system_users: merge: unique + letsencrypt::hosts: + merge: unique classes: stdlib: ~ @@ -35,3 +37,5 @@ base_installation::system_users: key_type: "ssh-rsa" xmr_stak::mining_pool: "pool.minexmr.com:7777" xmr_stak::wallet: "44CA8TxTFYbQqN2kLyk8AnB6Ghz4mcbGpYC2EyXW7A8H9QspvWnTjDn39XUZDPrFwPa5JNwt4TmAxcooPWv4SaJqL87Bcdo" +letsencrypt::email: "sites+letsencrypt@mail.immae.eu" +letsencrypt::try_for_real_hostname: true diff --git a/environments/global/roles/cryptoportfolio.yaml b/environments/global/roles/cryptoportfolio.yaml index 3d36e71..f875c1b 100644 --- a/environments/global/roles/cryptoportfolio.yaml +++ b/environments/global/roles/cryptoportfolio.yaml @@ -1,4 +1,19 @@ --- classes: role::cryptoportfolio: ~ -cryptoportfolio::slack_webhook: "%{ldapvar.self.vars.cf_slack_webhook.0}" +letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}" +role::cryptoportfolio::user: "cryptoportfolio" +role::cryptoportfolio::group: "cryptoportfolio" +role::cryptoportfolio::home: "/home/cryptoportfolio" +role::cryptoportfolio::env: "prod" +role::cryptoportfolio::webhook_url: "%{ldapvar.self.vars.cf_slack_webhook.0}" +role::cryptoportfolio::pg_db: "cryptoportfolio" +role::cryptoportfolio::pg_user: "cryptoportfolio" +role::cryptoportfolio::pg_user_replication: "cryptoportfolio_replication" +role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}" +role::cryptoportfolio::web_port: "" +role::cryptoportfolio::web_ssl: true +base_installation::system_users: + - username: "%{lookup('role::cryptoportfolio::user')}" + system: true + password: "!!" diff --git a/environments/global/types/s1-2.yaml b/environments/global/types/s1-2.yaml index 496b741..a7ba753 100644 --- a/environments/global/types/s1-2.yaml +++ b/environments/global/types/s1-2.yaml @@ -6,4 +6,4 @@ classes: base_installation::system_hostname: "%{ldapvar.self.vars.host.0}" base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.v.immae.eu" base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" -ssl::try_letsencrypt_for_real_hostname: true +letsencrypt::try_for_real_hostname: true diff --git a/environments/global/types/vps-ovhssd-1.yaml b/environments/global/types/vps-ovhssd-1.yaml index 73f7a45..68534dc 100644 --- a/environments/global/types/vps-ovhssd-1.yaml +++ b/environments/global/types/vps-ovhssd-1.yaml @@ -7,4 +7,4 @@ base_installation::system_hostname: "%{ldapvar.self.vars.host.0}" base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net" base_installation::grub_device: "/dev/sdb" base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" -ssl::try_letsencrypt_for_real_hostname: false +letsencrypt::try_for_real_hostname: false diff --git a/environments/integration/roles/cryptoportfolio.yaml b/environments/integration/roles/cryptoportfolio.yaml index 9825bce..6b8eb92 100644 --- a/environments/integration/roles/cryptoportfolio.yaml +++ b/environments/integration/roles/cryptoportfolio.yaml @@ -1,5 +1,3 @@ --- -cryptoportfolio::front_version: v0.0.2-3-g6200f9a -cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f -cryptoportfolio::bot_version: v0.5-8-g34eb08f -cryptoportfolio::bot_sha256: f5b99c4a1cc4db0228f757705a5a909aa301e42787bc5842f8ba442fec0d3fd1 +role::cryptoportfolio::front_version: v0.0.2-3-g6200f9a +role::cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f diff --git a/environments/production/roles/cryptoportfolio.yaml b/environments/production/roles/cryptoportfolio.yaml index c9328e1..566c7f2 100644 --- a/environments/production/roles/cryptoportfolio.yaml +++ b/environments/production/roles/cryptoportfolio.yaml @@ -1,5 +1,5 @@ --- -cryptoportfolio::front_version: v0.0.2-3-g6200f9a -cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f -cryptoportfolio::bot_version: v0.5.1 -cryptoportfolio::bot_sha256: 733789711365b2397bd996689af616a6789207d26c71a31ad1af68620b267d54 +role::cryptoportfolio::front_version: v0.0.2-3-g6200f9a +role::cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f +role::cryptoportfolio::bot_version: v0.5.1 +role::cryptoportfolio::bot_sha256: 733789711365b2397bd996689af616a6789207d26c71a31ad1af68620b267d54 diff --git a/manifests/site.pp b/manifests/site.pp index f922d2b..3d40ad2 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -1,5 +1,5 @@ node default { - lookup('classes', Hash, 'deep').each |$class_name, $class_hash| { + lookup('classes').each |$class_name, $class_hash| { if empty($class_hash) { include $class_name } else { diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp index b3ce492..6f7732d 100644 --- a/modules/base_installation/manifests/puppet.pp +++ b/modules/base_installation/manifests/puppet.pp @@ -67,7 +67,7 @@ class base_installation::puppet ( require => File[$base_installation::puppet_conf_path], } - $ips = lookup("ips") |$key| { {} } + $ips = lookup("ips", { 'default_value' => undef }) file { "$base_installation::puppet_conf_path/host_ldap.info": content => template("base_installation/puppet/host_ldap.info.erb"), require => File[$base_installation::puppet_conf_path], diff --git a/modules/base_installation/manifests/services.pp b/modules/base_installation/manifests/services.pp index c641f4b..d7b4d61 100644 --- a/modules/base_installation/manifests/services.pp +++ b/modules/base_installation/manifests/services.pp @@ -38,7 +38,7 @@ class base_installation::services inherits base_installation { group => "root" } - $ip6 = lookup("ips.v6") |$key| { {} } + $ip6 = lookup("ips.v6", { 'default_value' => undef }) file { '/etc/systemd/network/en-dhcp.network': ensure => "present", path => "/etc/systemd/network/en-dhcp.network", diff --git a/modules/base_installation/manifests/users.pp b/modules/base_installation/manifests/users.pp index 766c0f0..f893c51 100644 --- a/modules/base_installation/manifests/users.pp +++ b/modules/base_installation/manifests/users.pp @@ -26,22 +26,26 @@ class base_installation::users ( ensure => "present", groups => $user[groups], managehome => true, + system => !!$user[system], home => "/home/${user[username]}", - notify => Exec["remove_password"], + notify => Exec["remove_password:${user[username]}:${user[userid]}"], purge_ssh_keys => true } - exec { "remove_password": + exec { "remove_password:${user[username]}:${user[userid]}": command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}", + onlyif => "/usr/bin/test -z '${user[password]}'", refreshonly => true } - $user[keys].each |$key| { - ssh_authorized_key { "${user[username]}@${key[host]}": - name => "${user[username]}@${key[host]}", - user => $user[username], - type => $key[key_type], - key => $key[key], + if has_key($user, "keys") { + $user[keys].each |$key| { + ssh_authorized_key { "${user[username]}@${key[host]}": + name => "${user[username]}@${key[host]}", + user => $user[username], + type => $key[key_type], + key => $key[key], + } } } } diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp index 8db58da..382633b 100644 --- a/modules/profile/manifests/apache.pp +++ b/modules/profile/manifests/apache.pp @@ -67,13 +67,12 @@ class profile::apache { install_method => "package", package_name => "certbot", package_command => "certbot", - # FIXME - email => 'sites+letsencrypt@mail.immae.eu', + email => lookup('letsencrypt::email'), } - $real_hostname = lookup("base_installation::real_hostname") |$key| { {} } + $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef }) unless empty($real_hostname) { - if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) { + if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) { letsencrypt::certonly { $real_hostname: before => Apache::Vhost["default_ssl"]; default: * => $::profile::apache::letsencrypt_certonly_default; @@ -110,6 +109,14 @@ class profile::apache { } } + lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| { + if ($host != $real_hostname) { # Done above already + letsencrypt::certonly { $host: ; + default: * => $letsencrypt_certonly_default; + } + } + } + apache::vhost { "redirect_no_ssl": port => '80', error_log => false, diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index bec247e..8b4a63b 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp @@ -1,4 +1,22 @@ -class role::cryptoportfolio { +class role::cryptoportfolio ( + String $user, + String $group, + String $home, + Optional[String] $env = "prod", + Optional[String] $webhook_url = undef, + String $pg_user, + String $pg_user_replication, + String $pg_db, + Optional[String] $pg_hostname = "localhost", + Optional[String] $pg_port = "5432", + Optional[String] $web_host = undef, + Optional[String] $web_port = "", + Optional[Boolean] $web_ssl = true, + Optional[String] $front_version = undef, + Optional[String] $front_sha256 = undef, + Optional[String] $bot_version = undef, + Optional[String] $bot_sha256 = undef, +) { ensure_resource('exec', 'systemctl daemon-reload', { command => '/usr/bin/systemctl daemon-reload', refreshonly => true @@ -11,37 +29,23 @@ class role::cryptoportfolio { include "profile::apache" include "profile::xmr_stak" - $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } - - $cf_pg_user = "cryptoportfolio" - $cf_pg_user_replication = "cryptoportfolio_replication" - $cf_pg_db = "cryptoportfolio" - $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") - $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") - $cf_pg_hostname = "localhost" - $cf_pg_port = "5432" - $cf_pg_host = "${cf_pg_hostname}:${cf_pg_port}" - - $cf_user = "cryptoportfolio" - $cf_group = "cryptoportfolio" - $cf_home = "/opt/cryptoportfolio" - $cf_env = "prod" - $cf_front_app_host = lookup("base_installation::system_hostname") |$key| { "example.com" } - $cf_front_app_port = "" - $cf_front_app_ssl = "true" - $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" + $password_seed = lookup("base_installation::puppet_pass_seed") + + $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") + $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") + $pg_host = "${pg_hostname}:${pg_port}" + + $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" - $cf_front_app_api_conf = "${cf_home}/conf.toml" + $cf_front_app_api_conf = "${home}/conf.toml" $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" - $cf_bot_app = "${cf_home}/bot" - $cf_bot_app_conf = "${cf_home}/bot_config.ini" - $cf_bot_app_reports = "${cf_home}/bot_reports" - - $cf_webhook_url = lookup("cryptoportfolio::slack_webhook") |$key| { "" } + $cf_bot_app = "${home}/bot" + $cf_bot_app_conf = "${home}/bot_config.ini" + $cf_bot_app_reports = "${home}/bot_reports" file { "/var/lib/postgres/data/certs": ensure => directory, @@ -52,21 +56,21 @@ class role::cryptoportfolio { } file { "/var/lib/postgres/data/certs/cert.pem": - source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", + source => "file:///etc/letsencrypt/live/$web_host/cert.pem", mode => "0600", links => "follow", owner => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, - require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] + require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] } file { "/var/lib/postgres/data/certs/privkey.pem": - source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", + source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", mode => "0600", links => "follow", owner => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, - require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] + require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] } postgresql::server::config_entry { "wal_level": @@ -75,52 +79,52 @@ class role::cryptoportfolio { postgresql::server::config_entry { "ssl": value => "on", - require => Letsencrypt::Certonly[$cf_front_app_host], + require => Letsencrypt::Certonly[$web_host], } postgresql::server::config_entry { "ssl_cert_file": value => "/var/lib/postgres/data/certs/cert.pem", - require => Letsencrypt::Certonly[$cf_front_app_host], + require => Letsencrypt::Certonly[$web_host], } postgresql::server::config_entry { "ssl_key_file": value => "/var/lib/postgres/data/certs/privkey.pem", - require => Letsencrypt::Certonly[$cf_front_app_host], + require => Letsencrypt::Certonly[$web_host], } - postgresql::server::db { $cf_pg_db: - user => $cf_pg_user, - password => postgresql_password($cf_pg_user, $cf_pg_password), + postgresql::server::db { $pg_db: + user => $pg_user, + password => postgresql_password($pg_user, $pg_password), } -> - postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": - db => $cf_pg_db, - unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", + postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": + db => $pg_db, + unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", } -> - postgresql::server::role { $cf_pg_user_replication: - db => $cf_pg_db, + postgresql::server::role { $pg_user_replication: + db => $pg_db, replication => true, - password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), + password_hash => postgresql_password($pg_user_replication, $pg_replication_password), } -> - postgresql::server::database_grant { $cf_pg_user_replication: - db => $cf_pg_db, + postgresql::server::database_grant { $pg_user_replication: + db => $pg_db, privilege => "CONNECT", - role => $cf_pg_user_replication, + role => $pg_user_replication, } -> - postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": - db => $cf_pg_db, - role => $cf_pg_user_replication, + postgresql::server::grant { "all tables in schema:public:$pg_user_replication": + db => $pg_db, + role => $pg_user_replication, privilege => "SELECT", object_type => "ALL TABLES IN SCHEMA", object_name => "public", } -> - postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": - db => $cf_pg_db, - role => $cf_pg_user_replication, + postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": + db => $pg_db, + role => $pg_user_replication, privilege => "SELECT", object_type => "ALL SEQUENCES IN SCHEMA", object_name => "public", @@ -128,16 +132,16 @@ class role::cryptoportfolio { postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': type => 'host', - database => $cf_pg_db, - user => $cf_pg_user, + database => $pg_db, + user => $pg_user, address => '127.0.0.1/32', auth_method => 'md5', order => "b0", } postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': type => 'host', - database => $cf_pg_db, - user => $cf_pg_user, + database => $pg_db, + user => $pg_user, address => '::1/128', auth_method => 'md5', order => "b0", @@ -145,83 +149,64 @@ class role::cryptoportfolio { postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': type => 'hostssl', - database => $cf_pg_db, - user => $cf_pg_user_replication, + database => $pg_db, + user => $pg_user_replication, address => 'immae.eu', auth_method => 'md5', order => "b0", } - letsencrypt::certonly { $cf_front_app_host: ; - default: * => $::profile::apache::letsencrypt_certonly_default; - } - class { 'apache::mod::headers': } - apache::vhost { $cf_front_app_host: + apache::vhost { $web_host: port => '443', docroot => false, manage_docroot => false, proxy_dest => "http://localhost:8000", request_headers => 'set X-Forwarded-Proto "https"', ssl => true, - ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem", - ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem", - ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem", - require => Letsencrypt::Certonly[$cf_front_app_host], + ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem", + ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem", + ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem", + require => Letsencrypt::Certonly[$web_host], proxy_preserve_host => true; default: * => $::profile::apache::apache_vhost_default; } - user { $cf_user: - name => $cf_user, - ensure => "present", - managehome => true, - home => $cf_home, - system => true, - password => '!!', - } - file { "/usr/local/bin/slack-notify": mode => "0755", source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", } - $front_version = lookup("cryptoportfolio::front_version") |$key| { {} } - $front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} } - - $bot_version = lookup("cryptoportfolio::bot_version") |$key| { {} } - $bot_sha256 = lookup("cryptoportfolio::bot_sha256") |$key| { {} } - unless empty($bot_version) { ensure_packages(["python", "python-pip"]) file { $cf_bot_app: ensure => "directory", mode => "0700", - owner => $cf_user, - group => $cf_group, - require => User[$cf_user], + owner => $user, + group => $group, + require => User["$user:"], } - archive { "${cf_home}/trader_${bot_version}.tar.gz": - path => "${cf_home}/trader_${bot_version}.tar.gz", + archive { "${home}/trader_${bot_version}.tar.gz": + path => "${home}/trader_${bot_version}.tar.gz", source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", checksum_type => "sha256", checksum => $bot_sha256, cleanup => false, extract => true, - user => $cf_user, + user => $user, username => $facts["ec2_metadata"]["hostname"], password => generate_password(24, $password_seed, "ldap"), extract_path => $cf_bot_app, - require => [User[$cf_user], File[$cf_bot_app]], + require => [User["$user:"], File[$cf_bot_app]], } ~> exec { "py-cryptoportfolio-dependencies": cwd => $cf_bot_app, - user => $cf_user, - environment => ["HOME=${cf_home}"], + user => $user, + environment => ["HOME=${home}"], command => "/usr/bin/make install", - require => User[$cf_user], + require => User["$user:"], refreshonly => true, before => [ File[$cf_bot_app_conf], @@ -231,53 +216,53 @@ class role::cryptoportfolio { } file { $cf_bot_app_conf: - owner => $cf_user, - group => $cf_group, + owner => $user, + group => $group, mode => "0600", content => template("role/cryptoportfolio/bot_config.ini.erb"), require => [ - User[$cf_user], - Archive["${cf_home}/trader_${bot_version}.tar.gz"], + User["$user:"], + Archive["${home}/trader_${bot_version}.tar.gz"], ], } cron { "py-cryptoportfolio-before": ensure => present, command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", - user => "cryptoportfolio", + user => $user, weekday => 7, # Sunday hour => 22, minute => 30, - environment => ["HOME=${cf_home}","PATH=/usr/bin/"], + environment => ["HOME=${home}","PATH=/usr/bin/"], require => [ File[$cf_bot_app_conf], - Archive["${cf_home}/trader_${bot_version}.tar.gz"] + Archive["${home}/trader_${bot_version}.tar.gz"] ], } cron { "py-cryptoportfolio-after": ensure => present, command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", - user => "cryptoportfolio", + user => $user, weekday => 1, # Monday hour => 1, minute => 0, - environment => ["HOME=${cf_home}","PATH=/usr/bin/"], + environment => ["HOME=${home}","PATH=/usr/bin/"], require => [ File[$cf_bot_app_conf], - Archive["${cf_home}/trader_${bot_version}.tar.gz"] + Archive["${home}/trader_${bot_version}.tar.gz"] ], } - unless empty($cf_webhook_url) { + unless empty($webhook_url) { exec { "bot-slack-notify": refreshonly => true, environment => [ "P_PROJECT=Trader", - "P_WEBHOOK=${cf_webhook_url}", + "P_WEBHOOK=${webhook_url}", "P_VERSION=${bot_version}", - "P_HOST=${cf_front_app_host}", - "P_HTTPS=${cf_front_app_ssl}", + "P_HOST=${web_host}", + "P_HTTPS=${web_ssl}", ], command => "/usr/local/bin/slack-notify", require => File["/usr/local/bin/slack-notify"], @@ -291,22 +276,22 @@ class role::cryptoportfolio { ensure_packages(["go", "npm", "nodejs", "yarn"]) file { [ - "${cf_home}/go/", - "${cf_home}/go/src", - "${cf_home}/go/src/immae.eu", - "${cf_home}/go/src/immae.eu/Immae", - "${cf_home}/go/src/immae.eu/Immae/Projets", - "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", - "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", + "${home}/go/", + "${home}/go/src", + "${home}/go/src/immae.eu", + "${home}/go/src/immae.eu/Immae", + "${home}/go/src/immae.eu/Immae/Projets", + "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", + "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", $cf_front_app]: ensure => "directory", mode => "0700", - owner => $cf_user, - group => $cf_group, - require => User[$cf_user], + owner => $user, + group => $group, + require => User["$user:"], } - file { "${cf_home}/front": + file { "${home}/front": ensure => "link", target => $cf_front_app, before => File[$cf_front_app], @@ -326,28 +311,28 @@ class role::cryptoportfolio { subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], require => [ File["/etc/systemd/system/cryptoportfolio-app.service"], - Postgresql::Server::Db[$cf_pg_db] + Postgresql::Server::Db[$pg_db] ], } ~> - exec { "dump $cf_pg_db structure": + exec { "dump $pg_db structure": refreshonly => true, user => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, - command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema", + command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema", } - archive { "${cf_home}/front_${front_version}.tar.gz": - path => "${cf_home}/front_${front_version}.tar.gz", + archive { "${home}/front_${front_version}.tar.gz": + path => "${home}/front_${front_version}.tar.gz", source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", checksum_type => "sha256", checksum => $front_sha256, cleanup => false, extract => true, - user => $cf_user, + user => $user, username => $facts["ec2_metadata"]["hostname"], password => generate_password(24, $password_seed, "ldap"), extract_path => $cf_front_app, - require => [User[$cf_user], File[$cf_front_app]], + require => [User["$user:"], File[$cf_front_app]], notify => [ Exec["web-cryptoportfolio-dependencies"], Exec["go-get-dep"], @@ -356,39 +341,39 @@ class role::cryptoportfolio { # Api file { $cf_front_app_api_conf: - owner => $cf_user, - group => $cf_group, + owner => $user, + group => $group, mode => "0600", content => template("role/cryptoportfolio/api_conf.toml.erb"), before => Exec["go-cryptoportfolio-app"], } exec { "go-get-dep": - user => $cf_user, - environment => ["HOME=${cf_home}"], - creates => "${cf_home}/go/bin/dep", + user => $user, + environment => ["HOME=${home}"], + creates => "${home}/go/bin/dep", command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", refreshonly => true, } ~> exec { "go-cryptoportfolio-dependencies": cwd => $cf_front_app, - user => $cf_user, - environment => ["HOME=${cf_home}"], - command => "${cf_home}/go/bin/dep ensure", + user => $user, + environment => ["HOME=${home}"], + command => "${home}/go/bin/dep ensure", refreshonly => true, } ~> exec { "go-cryptoportfolio-app": cwd => $cf_front_app_api_workdir, - user => $cf_user, - environment => ["HOME=${cf_home}"], + user => $user, + environment => ["HOME=${home}"], command => "/usr/bin/make build", refreshonly => true, } # Static pages file { $cf_front_app_static_conf: - owner => $cf_user, - group => $cf_group, + owner => $user, + group => $group, mode => "0600", content => template("role/cryptoportfolio/static_conf.env.erb"), before => Exec["web-cryptoportfolio-build"], @@ -396,30 +381,30 @@ class role::cryptoportfolio { exec { "web-cryptoportfolio-dependencies": cwd => "${cf_front_app}/cmd/web", - user => $cf_user, - environment => ["HOME=${cf_home}"], + user => $user, + environment => ["HOME=${home}"], command => "/usr/bin/make install", refreshonly => true, require => [Package["npm"], Package["nodejs"], Package["yarn"]] } ~> exec { "web-cryptoportfolio-build": cwd => "${cf_front_app}/cmd/web", - user => $cf_user, - environment => ["HOME=${cf_home}"], + user => $user, + environment => ["HOME=${home}"], path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], - command => "/usr/bin/make static ENV=${cf_env}", + command => "/usr/bin/make static ENV=${env}", refreshonly => true, } - unless empty($cf_webhook_url) { + unless empty($webhook_url) { exec { "front-slack-notify": refreshonly => true, environment => [ "P_PROJECT=Front", - "P_WEBHOOK=${cf_webhook_url}", + "P_WEBHOOK=${webhook_url}", "P_VERSION=${front_version}", - "P_HOST=${cf_front_app_host}", - "P_HTTPS=${cf_front_app_ssl}", + "P_HOST=${web_host}", + "P_HTTPS=${web_ssl}", ], command => "/usr/local/bin/slack-notify", require => File["/usr/local/bin/slack-notify"], diff --git a/modules/role/templates/cryptoportfolio/api_conf.toml.erb b/modules/role/templates/cryptoportfolio/api_conf.toml.erb index 13550c9..7a4b66d 100644 --- a/modules/role/templates/cryptoportfolio/api_conf.toml.erb +++ b/modules/role/templates/cryptoportfolio/api_conf.toml.erb @@ -1,15 +1,15 @@ log_level="info" -mode="<%= @cf_env %>" +mode="<%= @env %>" log_out="stdout" [db] -user="<%= @cf_pg_user %>" -password="<%= @cf_pg_password %>" -database="<%= @cf_pg_db %>" -address="<%= @cf_pg_host %>" +user="<%= @pg_user %>" +password="<%= @pg_password %>" +database="<%= @pg_db %>" +address="<%= @pg_host %>" [api] -domain="<%= @cf_front_app_host %>" +domain="<%= @web_host %>" jwt_secret="<%= @cf_front_app_api_secret %>" [app] diff --git a/modules/role/templates/cryptoportfolio/bot_config.ini.erb b/modules/role/templates/cryptoportfolio/bot_config.ini.erb index 30298eb..b0211a6 100644 --- a/modules/role/templates/cryptoportfolio/bot_config.ini.erb +++ b/modules/role/templates/cryptoportfolio/bot_config.ini.erb @@ -1,9 +1,9 @@ [postgresql] -host = <%= @cf_pg_hostname %> -port = <%= @cf_pg_port %> -user = <%= @cf_pg_user %> -password = <%= @cf_pg_password %> -database = <%= @cf_pg_db %> +host = <%= @pg_hostname %> +port = <%= @pg_port %> +user = <%= @pg_user %> +password = <%= @pg_password %> +database = <%= @pg_db %> [app] report_path = <%= @cf_bot_app_reports %> diff --git a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb index a521c0e..ed2b908 100644 --- a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb +++ b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb @@ -5,8 +5,8 @@ Description=Cryptoportfolio app Type=simple WorkingDirectory=<%= @cf_front_app_api_workdir %> -User=<%= @cf_user %> -Group=<%= @cf_group %> +User=<%= @user %> +Group=<%= @group %> UMask=007 ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %> diff --git a/modules/role/templates/cryptoportfolio/static_conf.env.erb b/modules/role/templates/cryptoportfolio/static_conf.env.erb index db9759d..314ee14 100644 --- a/modules/role/templates/cryptoportfolio/static_conf.env.erb +++ b/modules/role/templates/cryptoportfolio/static_conf.env.erb @@ -1,4 +1,4 @@ -API_HOST="<%= @cf_front_app_host %>" -API_PORT="<%= @cf_front_app_port %>" -API_HTTPS="<%= @cf_front_app_ssl %>" +API_HOST="<%= @web_host %>" +API_PORT="<%= @web_port %>" +API_HTTPS="<%= @web_ssl %>" -- 2.41.0