path: root/modules/role/manifests/caldance.pp

class role::caldance (
  String           $user,
  String           $group,
  String           $home,
  String           $web_host,
  String           $pg_user,
  String           $pg_db,
  String           $mail_from,
  String           $smtp_host,
  String           $smtp_port,
  Optional[String] $pg_hostname      = "/run/postgresql",
  Optional[String] $pg_port          = "5432",
  Optional[String] $caldance_version = undef,
  Optional[String] $caldance_sha256  = undef,
  Optional[Array]  $cron_pip         = [],
) {
  $password_seed = lookup("base_installation::puppet_pass_seed")
  include "base_installation"

  include "profile::mail"
  include "profile::tools"
  include "profile::postgresql"
  include "profile::apache"
  include "profile::redis"
  include "profile::monitoring"

  ensure_packages(["python-pip", "python-virtualenv", "python-django", "uwsgi-plugin-python"])

  $caldance_app = "${home}/app"
  $pg_password = generate_password(24, $password_seed, "postgres_caldance")
  $secret_key = generate_password(24, $password_seed, "secret_key_caldance")
  $socket = "/run/caldance/app.sock"

  $environment = {
    "DB_NAME"     => $pg_db,
    "DB_USER"     => $pg_user,
    "DB_PASSWORD" => $pg_password,
    "DB_HOST"     => $pg_hostname,
    "DB_PORT"     => $pg_port,
    "SECRET_KEY"  => $secret_key,
    "DEBUG"       => "False",
    "LOG_FILE"    => "$home/caldev_django.log",
    "MEDIA_ROOT"  => "$home/media",
  }
  $shell_env = $environment.map |$key, $value| { "$key=$value" }

  file { $home:
    mode => "0755",
  }
  file { "${home}/caldev_django.log":
    mode    => "0664",
    owner   => $user,
    group   => "http",
  }

  file { $caldance_app:
    ensure  => "directory",
    mode    => "0755",
    owner   => $user,
    group   => $group,
    require => User["$user:"],
  } ->
  file { "${home}/media":
    ensure => "directory",
    mode   => "0755",
    owner  => "http",
    group  => "http",
  }

  exec { "initialize_venv":
    user    => $user,
    require => User["$user:"],
    command => "/usr/bin/virtualenv ${home}/virtualenv",
    creates => "${home}/virtualenv",
  }
  ->
  archive { "${home}/caldance_${caldance_version}.tar.gz":
    path          => "${home}/caldance_${caldance_version}.tar.gz",
    source        => "https://release.immae.eu/caldance/caldance_${caldance_version}.tar.gz",
    checksum_type => "sha256",
    checksum      => $caldance_sha256,
    cleanup       => false,
    extract       => true,
    user          => $user,
    username      => lookup("base_installation::ldap_cn"),
    password      => generate_password(24, $password_seed, "ldap"),
    extract_path  => $caldance_app,
    require       => [User["$user:"], File[$caldance_app]],
  } ~>
  exec { "py-requirements":
    cwd         => $caldance_app,
    user        => $user,
    environment => concat(["HOME=${home}"], $shell_env),
    command     => "/usr/bin/sed -i -e '/GDAL/d' requirements.txt && ${home}/virtualenv/bin/pip install -r requirements.txt --upgrade",
    require     => User["$user:"],
    refreshonly => true,
  } ~>
  exec { "py-migrate":
    cwd         => $caldance_app,
    user        => $user,
    environment => concat(["HOME=${home}"], $shell_env),
    command     => "$caldance_app/manage.py migrate",
    require     => [User["$user:"], File["$caldance_app/manage.py"]],
    refreshonly => true,
  } ~>
  exec { "py-static":
    cwd         => $caldance_app,
    user        => $user,
    environment => concat(["HOME=${home}"], $shell_env),
    command     => "$caldance_app/manage.py collectstatic --no-input",
    require     => [User["$user:"], File["$caldance_app/manage.py"]],
    refreshonly => true,
  } ~>
  exec { "restart uwsgi application":
    command     => "/usr/bin/systemctl restart caldance-app.service",
    require     => [User["$user:"], File["$caldance_app/app.ini"]],
    refreshonly => true,
  }

  $uwsgi_path = "${home}/virtualenv/bin/uwsgi"
  $python_path = "${home}/virtualenv/bin/python"
  file { "$caldance_app/manage.py":
    owner   => $user,
    group   => $group,
    mode    => "0755",
    content => template("role/caldance/manage.py.erb"),
    require => [
      User["$user:"],
      Archive[ "${home}/caldance_${caldance_version}.tar.gz"],
    ],
  }

  file { "$caldance_app/app.ini":
    owner   => $user,
    group   => $group,
    mode    => "0644",
    content => template("role/caldance/app.ini.erb"),
    require => [
      User["$user:"],
      Archive[ "${home}/caldance_${caldance_version}.tar.gz"],
    ],
  }

  profile::postgresql::master { "postgresql master for caldance":
    letsencrypt_host => $web_host,
    backup_hosts     => ["backup-1"],
  }

  postgresql::server::db { $pg_db:
    user     =>  $pg_user,
    password =>  postgresql_password($pg_user, $pg_password),
  }

  # pour le script de génération de mdp
  ensure_packages(["perl-digest-sha1"])

  ensure_packages(["postgis", "python-gdal", "ripgrep"])
  file { "/usr/local/bin/ldap_ssha":
    owner   => "root",
    group   => "root",
    mode    => "0755",
    source  => "puppet:///modules/base_installation/scripts/ldap_ssha",
    require => Package["perl-digest-sha1"],
  }

  sudo::conf { 'wheel_nopasswd':
    priority => 99,
    content  => "%wheel ALL=(ALL) NOPASSWD: ALL",
    require  => Package["sudo"],
  }

  ensure_packages(["mod_wsgi"])
  class { 'apache::mod::wsgi':
    wsgi_python_home => "${home}/virtualenv",
    wsgi_python_path => $caldance_app,
    require          => Package["mod_wsgi"],
  }
  class { 'apache::mod::authn_file': }
  class { 'apache::mod::authn_core': }
  class { 'apache::mod::authz_user': }
  class { 'apache::mod::auth_basic': }
  class { 'apache::mod::proxy': }
  apache::mod { 'proxy_uwsgi': }

  apache::vhost { $web_host:
    port                 => '443',
    docroot              => false,
    manage_docroot       => false,
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/$web_host/cert.pem",
    ssl_key              => "/etc/letsencrypt/live/$web_host/privkey.pem",
    ssl_chain            => "/etc/letsencrypt/live/$web_host/chain.pem",
    require              => Letsencrypt::Certonly[$web_host],
    proxy_preserve_host  => true,
    proxy_pass           => [
      {
        path          => "/",
        url           => "unix:$socket|uwsgi://caldance-app/",
        reverse_urls  => [],
        no_proxy_uris => [ "/media/", "/static/" ],
      }
    ],
    directories          => [
      {
        path    => "$caldance_app/main_app",
        require => "all granted",
      },
      {
        path    => "$caldance_app/www/static",
        require => "all granted",
      },
      {
        path    => "$home/media",
        require => "all granted",
        options => ["-Indexes"],
      },
      {
        path           => "/",
        provider       => "location",
        require        => "valid-user",
        auth_type      => "Basic",
        auth_name      => "Authentification requise",
        auth_user_file => "$home/htpasswd",
      },
    ],
    aliases              => [
      {
        alias => "/static/",
        path => "$caldance_app/www/static/",
      },
      {
        alias => "/media/",
        path => "$home/media/",
      },
    ];
    default: *           => $::profile::apache::apache_vhost_default;
  }

  file { "/etc/systemd/system/caldance-app.service":
    mode    => "0644",
    owner   => "root",
    group   => "root",
    content => template("role/caldance/caldance-app.service.erb"),
    require => File["$caldance_app/app.ini"],
  } ->
  service { "caldance-app":
    ensure => "running",
    enable => true
  }

  $mailtos = join($cron_pip, ",")
  cron::job { "list_outdated_pip_packages":
    ensure      => present,
    user        => $user,
    environment => concat(["HOME=${home}","MAILTO=${mailtos}"], $shell_env),
    command     => "${home}/virtualenv/bin/pip list --outdated",
    minute      => "15",
    hour        => "0",
    require     => Exec["initialize_venv"],
  }
}