diff options
23 files changed, 507 insertions, 470 deletions
diff --git a/environments/global/common.yaml b/environments/global/common.yaml index 5b21dca..4536b83 100644 --- a/environments/global/common.yaml +++ b/environments/global/common.yaml | |||
@@ -6,6 +6,8 @@ lookup_options: | |||
6 | merge: deep | 6 | merge: deep |
7 | base_installation::system_users: | 7 | base_installation::system_users: |
8 | merge: unique | 8 | merge: unique |
9 | letsencrypt::hosts: | ||
10 | merge: unique | ||
9 | 11 | ||
10 | classes: | 12 | classes: |
11 | stdlib: ~ | 13 | stdlib: ~ |
@@ -33,5 +35,7 @@ base_installation::system_users: | |||
33 | - host: "immae.eu" | 35 | - host: "immae.eu" |
34 | key: "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v" | 36 | key: "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v" |
35 | key_type: "ssh-rsa" | 37 | key_type: "ssh-rsa" |
36 | xmr_stak::mining_pool: "pool.minexmr.com:7777" | 38 | profile::xmr_stak::mining_pool: "pool.minexmr.com:7777" |
37 | xmr_stak::wallet: "44CA8TxTFYbQqN2kLyk8AnB6Ghz4mcbGpYC2EyXW7A8H9QspvWnTjDn39XUZDPrFwPa5JNwt4TmAxcooPWv4SaJqL87Bcdo" | 39 | profile::xmr_stak::wallet: "44CA8TxTFYbQqN2kLyk8AnB6Ghz4mcbGpYC2EyXW7A8H9QspvWnTjDn39XUZDPrFwPa5JNwt4TmAxcooPWv4SaJqL87Bcdo" |
40 | letsencrypt::email: "sites+letsencrypt@mail.immae.eu" | ||
41 | letsencrypt::try_for_real_hostname: true | ||
diff --git a/environments/global/roles/cryptoportfolio.yaml b/environments/global/roles/cryptoportfolio.yaml index 3d36e71..f875c1b 100644 --- a/environments/global/roles/cryptoportfolio.yaml +++ b/environments/global/roles/cryptoportfolio.yaml | |||
@@ -1,4 +1,19 @@ | |||
1 | --- | 1 | --- |
2 | classes: | 2 | classes: |
3 | role::cryptoportfolio: ~ | 3 | role::cryptoportfolio: ~ |
4 | cryptoportfolio::slack_webhook: "%{ldapvar.self.vars.cf_slack_webhook.0}" | 4 | letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}" |
5 | role::cryptoportfolio::user: "cryptoportfolio" | ||
6 | role::cryptoportfolio::group: "cryptoportfolio" | ||
7 | role::cryptoportfolio::home: "/home/cryptoportfolio" | ||
8 | role::cryptoportfolio::env: "prod" | ||
9 | role::cryptoportfolio::webhook_url: "%{ldapvar.self.vars.cf_slack_webhook.0}" | ||
10 | role::cryptoportfolio::pg_db: "cryptoportfolio" | ||
11 | role::cryptoportfolio::pg_user: "cryptoportfolio" | ||
12 | role::cryptoportfolio::pg_user_replication: "cryptoportfolio_replication" | ||
13 | role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}" | ||
14 | role::cryptoportfolio::web_port: "" | ||
15 | role::cryptoportfolio::web_ssl: true | ||
16 | base_installation::system_users: | ||
17 | - username: "%{lookup('role::cryptoportfolio::user')}" | ||
18 | system: true | ||
19 | password: "!!" | ||
diff --git a/environments/global/types/s1-2.yaml b/environments/global/types/s1-2.yaml index 496b741..a7ba753 100644 --- a/environments/global/types/s1-2.yaml +++ b/environments/global/types/s1-2.yaml | |||
@@ -6,4 +6,4 @@ classes: | |||
6 | base_installation::system_hostname: "%{ldapvar.self.vars.host.0}" | 6 | base_installation::system_hostname: "%{ldapvar.self.vars.host.0}" |
7 | base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.v.immae.eu" | 7 | base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.v.immae.eu" |
8 | base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" | 8 | base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" |
9 | ssl::try_letsencrypt_for_real_hostname: true | 9 | letsencrypt::try_for_real_hostname: true |
diff --git a/environments/global/types/vps-ovhssd-1.yaml b/environments/global/types/vps-ovhssd-1.yaml index 73f7a45..68534dc 100644 --- a/environments/global/types/vps-ovhssd-1.yaml +++ b/environments/global/types/vps-ovhssd-1.yaml | |||
@@ -7,4 +7,4 @@ base_installation::system_hostname: "%{ldapvar.self.vars.host.0}" | |||
7 | base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net" | 7 | base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net" |
8 | base_installation::grub_device: "/dev/sdb" | 8 | base_installation::grub_device: "/dev/sdb" |
9 | base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" | 9 | base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" |
10 | ssl::try_letsencrypt_for_real_hostname: false | 10 | letsencrypt::try_for_real_hostname: false |
diff --git a/environments/integration/roles/cryptoportfolio.yaml b/environments/integration/roles/cryptoportfolio.yaml index 9825bce..6b8eb92 100644 --- a/environments/integration/roles/cryptoportfolio.yaml +++ b/environments/integration/roles/cryptoportfolio.yaml | |||
@@ -1,5 +1,3 @@ | |||
1 | --- | 1 | --- |
2 | cryptoportfolio::front_version: v0.0.2-3-g6200f9a | 2 | role::cryptoportfolio::front_version: v0.0.2-3-g6200f9a |
3 | cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f | 3 | role::cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f |
4 | cryptoportfolio::bot_version: v0.5-8-g34eb08f | ||
5 | cryptoportfolio::bot_sha256: f5b99c4a1cc4db0228f757705a5a909aa301e42787bc5842f8ba442fec0d3fd1 | ||
diff --git a/environments/production/roles/cryptoportfolio.yaml b/environments/production/roles/cryptoportfolio.yaml index c9328e1..566c7f2 100644 --- a/environments/production/roles/cryptoportfolio.yaml +++ b/environments/production/roles/cryptoportfolio.yaml | |||
@@ -1,5 +1,5 @@ | |||
1 | --- | 1 | --- |
2 | cryptoportfolio::front_version: v0.0.2-3-g6200f9a | 2 | role::cryptoportfolio::front_version: v0.0.2-3-g6200f9a |
3 | cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f | 3 | role::cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f |
4 | cryptoportfolio::bot_version: v0.5.1 | 4 | role::cryptoportfolio::bot_version: v0.5.1 |
5 | cryptoportfolio::bot_sha256: 733789711365b2397bd996689af616a6789207d26c71a31ad1af68620b267d54 | 5 | role::cryptoportfolio::bot_sha256: 733789711365b2397bd996689af616a6789207d26c71a31ad1af68620b267d54 |
diff --git a/manifests/site.pp b/manifests/site.pp index f922d2b..3d40ad2 100644 --- a/manifests/site.pp +++ b/manifests/site.pp | |||
@@ -1,5 +1,5 @@ | |||
1 | node default { | 1 | node default { |
2 | lookup('classes', Hash, 'deep').each |$class_name, $class_hash| { | 2 | lookup('classes').each |$class_name, $class_hash| { |
3 | if empty($class_hash) { | 3 | if empty($class_hash) { |
4 | include $class_name | 4 | include $class_name |
5 | } else { | 5 | } else { |
diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp index b3ce492..6f7732d 100644 --- a/modules/base_installation/manifests/puppet.pp +++ b/modules/base_installation/manifests/puppet.pp | |||
@@ -67,7 +67,7 @@ class base_installation::puppet ( | |||
67 | require => File[$base_installation::puppet_conf_path], | 67 | require => File[$base_installation::puppet_conf_path], |
68 | } | 68 | } |
69 | 69 | ||
70 | $ips = lookup("ips") |$key| { {} } | 70 | $ips = lookup("ips", { 'default_value' => undef }) |
71 | file { "$base_installation::puppet_conf_path/host_ldap.info": | 71 | file { "$base_installation::puppet_conf_path/host_ldap.info": |
72 | content => template("base_installation/puppet/host_ldap.info.erb"), | 72 | content => template("base_installation/puppet/host_ldap.info.erb"), |
73 | require => File[$base_installation::puppet_conf_path], | 73 | require => File[$base_installation::puppet_conf_path], |
diff --git a/modules/base_installation/manifests/services.pp b/modules/base_installation/manifests/services.pp index c641f4b..d7b4d61 100644 --- a/modules/base_installation/manifests/services.pp +++ b/modules/base_installation/manifests/services.pp | |||
@@ -38,7 +38,7 @@ class base_installation::services inherits base_installation { | |||
38 | group => "root" | 38 | group => "root" |
39 | } | 39 | } |
40 | 40 | ||
41 | $ip6 = lookup("ips.v6") |$key| { {} } | 41 | $ip6 = lookup("ips.v6", { 'default_value' => undef }) |
42 | file { '/etc/systemd/network/en-dhcp.network': | 42 | file { '/etc/systemd/network/en-dhcp.network': |
43 | ensure => "present", | 43 | ensure => "present", |
44 | path => "/etc/systemd/network/en-dhcp.network", | 44 | path => "/etc/systemd/network/en-dhcp.network", |
diff --git a/modules/base_installation/manifests/users.pp b/modules/base_installation/manifests/users.pp index 766c0f0..f893c51 100644 --- a/modules/base_installation/manifests/users.pp +++ b/modules/base_installation/manifests/users.pp | |||
@@ -26,22 +26,26 @@ class base_installation::users ( | |||
26 | ensure => "present", | 26 | ensure => "present", |
27 | groups => $user[groups], | 27 | groups => $user[groups], |
28 | managehome => true, | 28 | managehome => true, |
29 | system => !!$user[system], | ||
29 | home => "/home/${user[username]}", | 30 | home => "/home/${user[username]}", |
30 | notify => Exec["remove_password"], | 31 | notify => Exec["remove_password:${user[username]}:${user[userid]}"], |
31 | purge_ssh_keys => true | 32 | purge_ssh_keys => true |
32 | } | 33 | } |
33 | 34 | ||
34 | exec { "remove_password": | 35 | exec { "remove_password:${user[username]}:${user[userid]}": |
35 | command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}", | 36 | command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}", |
37 | onlyif => "/usr/bin/test -z '${user[password]}'", | ||
36 | refreshonly => true | 38 | refreshonly => true |
37 | } | 39 | } |
38 | 40 | ||
39 | $user[keys].each |$key| { | 41 | if has_key($user, "keys") { |
40 | ssh_authorized_key { "${user[username]}@${key[host]}": | 42 | $user[keys].each |$key| { |
41 | name => "${user[username]}@${key[host]}", | 43 | ssh_authorized_key { "${user[username]}@${key[host]}": |
42 | user => $user[username], | 44 | name => "${user[username]}@${key[host]}", |
43 | type => $key[key_type], | 45 | user => $user[username], |
44 | key => $key[key], | 46 | type => $key[key_type], |
47 | key => $key[key], | ||
48 | } | ||
45 | } | 49 | } |
46 | } | 50 | } |
47 | } | 51 | } |
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp index 8db58da..382633b 100644 --- a/modules/profile/manifests/apache.pp +++ b/modules/profile/manifests/apache.pp | |||
@@ -67,13 +67,12 @@ class profile::apache { | |||
67 | install_method => "package", | 67 | install_method => "package", |
68 | package_name => "certbot", | 68 | package_name => "certbot", |
69 | package_command => "certbot", | 69 | package_command => "certbot", |
70 | # FIXME | 70 | email => lookup('letsencrypt::email'), |
71 | email => 'sites+letsencrypt@mail.immae.eu', | ||
72 | } | 71 | } |
73 | 72 | ||
74 | $real_hostname = lookup("base_installation::real_hostname") |$key| { {} } | 73 | $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef }) |
75 | unless empty($real_hostname) { | 74 | unless empty($real_hostname) { |
76 | if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) { | 75 | if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) { |
77 | letsencrypt::certonly { $real_hostname: | 76 | letsencrypt::certonly { $real_hostname: |
78 | before => Apache::Vhost["default_ssl"]; | 77 | before => Apache::Vhost["default_ssl"]; |
79 | default: * => $::profile::apache::letsencrypt_certonly_default; | 78 | default: * => $::profile::apache::letsencrypt_certonly_default; |
@@ -110,6 +109,14 @@ class profile::apache { | |||
110 | } | 109 | } |
111 | } | 110 | } |
112 | 111 | ||
112 | lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| { | ||
113 | if ($host != $real_hostname) { # Done above already | ||
114 | letsencrypt::certonly { $host: ; | ||
115 | default: * => $letsencrypt_certonly_default; | ||
116 | } | ||
117 | } | ||
118 | } | ||
119 | |||
113 | apache::vhost { "redirect_no_ssl": | 120 | apache::vhost { "redirect_no_ssl": |
114 | port => '80', | 121 | port => '80', |
115 | error_log => false, | 122 | error_log => false, |
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp index 1024c66..2cd1bcc 100644 --- a/modules/profile/manifests/postgresql.pp +++ b/modules/profile/manifests/postgresql.pp | |||
@@ -1,5 +1,5 @@ | |||
1 | class profile::postgresql { | 1 | class profile::postgresql { |
2 | $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } | 2 | $password_seed = lookup("base_installation::puppet_pass_seed") |
3 | 3 | ||
4 | class { '::postgresql::globals': | 4 | class { '::postgresql::globals': |
5 | encoding => 'UTF-8', | 5 | encoding => 'UTF-8', |
@@ -32,7 +32,7 @@ class profile::postgresql { | |||
32 | database => 'all', | 32 | database => 'all', |
33 | user => $pg_user, | 33 | user => $pg_user, |
34 | auth_method => 'ident', | 34 | auth_method => 'ident', |
35 | order => "a1", | 35 | order => "00-01", |
36 | } | 36 | } |
37 | postgresql::server::pg_hba_rule { 'localhost access as postgres user': | 37 | postgresql::server::pg_hba_rule { 'localhost access as postgres user': |
38 | description => 'Allow localhost access to postgres user', | 38 | description => 'Allow localhost access to postgres user', |
@@ -41,7 +41,7 @@ class profile::postgresql { | |||
41 | user => $pg_user, | 41 | user => $pg_user, |
42 | address => "127.0.0.1/32", | 42 | address => "127.0.0.1/32", |
43 | auth_method => 'md5', | 43 | auth_method => 'md5', |
44 | order => "a2", | 44 | order => "00-02", |
45 | } | 45 | } |
46 | postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user': | 46 | postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user': |
47 | description => 'Allow localhost access to postgres user', | 47 | description => 'Allow localhost access to postgres user', |
@@ -50,7 +50,7 @@ class profile::postgresql { | |||
50 | user => $pg_user, | 50 | user => $pg_user, |
51 | address => "::1/128", | 51 | address => "::1/128", |
52 | auth_method => 'md5', | 52 | auth_method => 'md5', |
53 | order => "a3", | 53 | order => "00-03", |
54 | } | 54 | } |
55 | postgresql::server::pg_hba_rule { 'deny access to postgresql user': | 55 | postgresql::server::pg_hba_rule { 'deny access to postgresql user': |
56 | description => 'Deny remote access to postgres user', | 56 | description => 'Deny remote access to postgres user', |
@@ -59,7 +59,7 @@ class profile::postgresql { | |||
59 | user => $pg_user, | 59 | user => $pg_user, |
60 | address => "0.0.0.0/0", | 60 | address => "0.0.0.0/0", |
61 | auth_method => 'reject', | 61 | auth_method => 'reject', |
62 | order => "a4", | 62 | order => "00-04", |
63 | } | 63 | } |
64 | 64 | ||
65 | postgresql::server::pg_hba_rule { 'local access': | 65 | postgresql::server::pg_hba_rule { 'local access': |
@@ -68,7 +68,7 @@ class profile::postgresql { | |||
68 | database => 'all', | 68 | database => 'all', |
69 | user => 'all', | 69 | user => 'all', |
70 | auth_method => 'md5', | 70 | auth_method => 'md5', |
71 | order => "b1", | 71 | order => "10-01", |
72 | } | 72 | } |
73 | 73 | ||
74 | postgresql::server::pg_hba_rule { 'local access with same name': | 74 | postgresql::server::pg_hba_rule { 'local access with same name': |
@@ -77,7 +77,7 @@ class profile::postgresql { | |||
77 | database => 'all', | 77 | database => 'all', |
78 | user => 'all', | 78 | user => 'all', |
79 | auth_method => 'ident', | 79 | auth_method => 'ident', |
80 | order => "b2", | 80 | order => "10-02", |
81 | } | 81 | } |
82 | 82 | ||
83 | } | 83 | } |
diff --git a/modules/profile/manifests/xmr_stak.pp b/modules/profile/manifests/xmr_stak.pp index e5582eb..c8bbcdd 100644 --- a/modules/profile/manifests/xmr_stak.pp +++ b/modules/profile/manifests/xmr_stak.pp | |||
@@ -1,4 +1,8 @@ | |||
1 | class profile::xmr_stak { | 1 | class profile::xmr_stak ( |
2 | String $mining_pool, | ||
3 | String $wallet, | ||
4 | Optional[String] $password = "x", | ||
5 | ) { | ||
2 | ensure_resource('exec', 'systemctl daemon-reload', { | 6 | ensure_resource('exec', 'systemctl daemon-reload', { |
3 | command => '/usr/bin/systemctl daemon-reload', | 7 | command => '/usr/bin/systemctl daemon-reload', |
4 | refreshonly => true | 8 | refreshonly => true |
@@ -26,10 +30,7 @@ class profile::xmr_stak { | |||
26 | notify => Exec["systemctl daemon-reload"] | 30 | notify => Exec["systemctl daemon-reload"] |
27 | } | 31 | } |
28 | 32 | ||
29 | $mining_pool = lookup("xmr_stak::mining_pool") |$key| { {} } | 33 | $instance = regsubst(lookup("base_installation::ldap_cn"), '\.', "_", "G") |
30 | $wallet = lookup("xmr_stak::wallet") |$key| { {} } | ||
31 | $password = lookup("xmr_stak::password") |$key| { "x" } | ||
32 | $instance = regsubst($facts["ec2_metadata"]["hostname"], '\.', "_", "G") | ||
33 | 34 | ||
34 | file { "/var/lib/xmr_stak/xmr-stak.conf": | 35 | file { "/var/lib/xmr_stak/xmr-stak.conf": |
35 | mode => "0644", | 36 | mode => "0644", |
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index bec247e..799e297 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp | |||
@@ -1,9 +1,22 @@ | |||
1 | class role::cryptoportfolio { | 1 | class role::cryptoportfolio ( |
2 | ensure_resource('exec', 'systemctl daemon-reload', { | 2 | String $user, |
3 | command => '/usr/bin/systemctl daemon-reload', | 3 | String $group, |
4 | refreshonly => true | 4 | String $home, |
5 | }) | 5 | Optional[String] $env = "prod", |
6 | 6 | Optional[String] $webhook_url = undef, | |
7 | String $pg_user, | ||
8 | String $pg_user_replication, | ||
9 | String $pg_db, | ||
10 | Optional[String] $pg_hostname = "localhost", | ||
11 | Optional[String] $pg_port = "5432", | ||
12 | Optional[String] $web_host = undef, | ||
13 | Optional[String] $web_port = "", | ||
14 | Optional[Boolean] $web_ssl = true, | ||
15 | Optional[String] $front_version = undef, | ||
16 | Optional[String] $front_sha256 = undef, | ||
17 | Optional[String] $bot_version = undef, | ||
18 | Optional[String] $bot_sha256 = undef, | ||
19 | ) { | ||
7 | include "base_installation" | 20 | include "base_installation" |
8 | 21 | ||
9 | include "profile::tools" | 22 | include "profile::tools" |
@@ -11,420 +24,17 @@ class role::cryptoportfolio { | |||
11 | include "profile::apache" | 24 | include "profile::apache" |
12 | include "profile::xmr_stak" | 25 | include "profile::xmr_stak" |
13 | 26 | ||
14 | $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } | 27 | contain "role::cryptoportfolio::postgresql" |
15 | 28 | contain "role::cryptoportfolio::apache" | |
16 | $cf_pg_user = "cryptoportfolio" | ||
17 | $cf_pg_user_replication = "cryptoportfolio_replication" | ||
18 | $cf_pg_db = "cryptoportfolio" | ||
19 | $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
20 | $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
21 | $cf_pg_hostname = "localhost" | ||
22 | $cf_pg_port = "5432" | ||
23 | $cf_pg_host = "${cf_pg_hostname}:${cf_pg_port}" | ||
24 | |||
25 | $cf_user = "cryptoportfolio" | ||
26 | $cf_group = "cryptoportfolio" | ||
27 | $cf_home = "/opt/cryptoportfolio" | ||
28 | $cf_env = "prod" | ||
29 | $cf_front_app_host = lookup("base_installation::system_hostname") |$key| { "example.com" } | ||
30 | $cf_front_app_port = "" | ||
31 | $cf_front_app_ssl = "true" | ||
32 | $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" | ||
33 | $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" | ||
34 | $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" | ||
35 | $cf_front_app_api_conf = "${cf_home}/conf.toml" | ||
36 | $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") | ||
37 | |||
38 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" | ||
39 | |||
40 | $cf_bot_app = "${cf_home}/bot" | ||
41 | $cf_bot_app_conf = "${cf_home}/bot_config.ini" | ||
42 | $cf_bot_app_reports = "${cf_home}/bot_reports" | ||
43 | |||
44 | $cf_webhook_url = lookup("cryptoportfolio::slack_webhook") |$key| { "" } | ||
45 | |||
46 | file { "/var/lib/postgres/data/certs": | ||
47 | ensure => directory, | ||
48 | mode => "0700", | ||
49 | owner => $::profile::postgresql::pg_user, | ||
50 | group => $::profile::postgresql::pg_user, | ||
51 | require => File["/var/lib/postgres"], | ||
52 | } | ||
53 | 29 | ||
54 | file { "/var/lib/postgres/data/certs/cert.pem": | 30 | contain "role::cryptoportfolio::notify" |
55 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", | ||
56 | mode => "0600", | ||
57 | links => "follow", | ||
58 | owner => $::profile::postgresql::pg_user, | ||
59 | group => $::profile::postgresql::pg_user, | ||
60 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
61 | } | ||
62 | |||
63 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
64 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", | ||
65 | mode => "0600", | ||
66 | links => "follow", | ||
67 | owner => $::profile::postgresql::pg_user, | ||
68 | group => $::profile::postgresql::pg_user, | ||
69 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
70 | } | ||
71 | |||
72 | postgresql::server::config_entry { "wal_level": | ||
73 | value => "logical", | ||
74 | } | ||
75 | |||
76 | postgresql::server::config_entry { "ssl": | ||
77 | value => "on", | ||
78 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
79 | } | ||
80 | |||
81 | postgresql::server::config_entry { "ssl_cert_file": | ||
82 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
83 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
84 | } | ||
85 | |||
86 | postgresql::server::config_entry { "ssl_key_file": | ||
87 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
88 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
89 | } | ||
90 | |||
91 | postgresql::server::db { $cf_pg_db: | ||
92 | user => $cf_pg_user, | ||
93 | password => postgresql_password($cf_pg_user, $cf_pg_password), | ||
94 | } | ||
95 | -> | ||
96 | postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": | ||
97 | db => $cf_pg_db, | ||
98 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", | ||
99 | } | ||
100 | -> | ||
101 | postgresql::server::role { $cf_pg_user_replication: | ||
102 | db => $cf_pg_db, | ||
103 | replication => true, | ||
104 | password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), | ||
105 | } | ||
106 | -> | ||
107 | postgresql::server::database_grant { $cf_pg_user_replication: | ||
108 | db => $cf_pg_db, | ||
109 | privilege => "CONNECT", | ||
110 | role => $cf_pg_user_replication, | ||
111 | } | ||
112 | -> | ||
113 | postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": | ||
114 | db => $cf_pg_db, | ||
115 | role => $cf_pg_user_replication, | ||
116 | privilege => "SELECT", | ||
117 | object_type => "ALL TABLES IN SCHEMA", | ||
118 | object_name => "public", | ||
119 | } | ||
120 | -> | ||
121 | postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": | ||
122 | db => $cf_pg_db, | ||
123 | role => $cf_pg_user_replication, | ||
124 | privilege => "SELECT", | ||
125 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
126 | object_name => "public", | ||
127 | } | ||
128 | |||
129 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | ||
130 | type => 'host', | ||
131 | database => $cf_pg_db, | ||
132 | user => $cf_pg_user, | ||
133 | address => '127.0.0.1/32', | ||
134 | auth_method => 'md5', | ||
135 | order => "b0", | ||
136 | } | ||
137 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
138 | type => 'host', | ||
139 | database => $cf_pg_db, | ||
140 | user => $cf_pg_user, | ||
141 | address => '::1/128', | ||
142 | auth_method => 'md5', | ||
143 | order => "b0", | ||
144 | } | ||
145 | |||
146 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
147 | type => 'hostssl', | ||
148 | database => $cf_pg_db, | ||
149 | user => $cf_pg_user_replication, | ||
150 | address => 'immae.eu', | ||
151 | auth_method => 'md5', | ||
152 | order => "b0", | ||
153 | } | ||
154 | |||
155 | letsencrypt::certonly { $cf_front_app_host: ; | ||
156 | default: * => $::profile::apache::letsencrypt_certonly_default; | ||
157 | } | ||
158 | |||
159 | class { 'apache::mod::headers': } | ||
160 | apache::vhost { $cf_front_app_host: | ||
161 | port => '443', | ||
162 | docroot => false, | ||
163 | manage_docroot => false, | ||
164 | proxy_dest => "http://localhost:8000", | ||
165 | request_headers => 'set X-Forwarded-Proto "https"', | ||
166 | ssl => true, | ||
167 | ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem", | ||
168 | ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem", | ||
169 | ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem", | ||
170 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
171 | proxy_preserve_host => true; | ||
172 | default: * => $::profile::apache::apache_vhost_default; | ||
173 | } | ||
174 | |||
175 | user { $cf_user: | ||
176 | name => $cf_user, | ||
177 | ensure => "present", | ||
178 | managehome => true, | ||
179 | home => $cf_home, | ||
180 | system => true, | ||
181 | password => '!!', | ||
182 | } | ||
183 | |||
184 | file { "/usr/local/bin/slack-notify": | ||
185 | mode => "0755", | ||
186 | source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", | ||
187 | } | ||
188 | |||
189 | $front_version = lookup("cryptoportfolio::front_version") |$key| { {} } | ||
190 | $front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} } | ||
191 | |||
192 | $bot_version = lookup("cryptoportfolio::bot_version") |$key| { {} } | ||
193 | $bot_sha256 = lookup("cryptoportfolio::bot_sha256") |$key| { {} } | ||
194 | 31 | ||
195 | unless empty($bot_version) { | 32 | unless empty($bot_version) { |
196 | ensure_packages(["python", "python-pip"]) | 33 | contain "role::cryptoportfolio::bot" |
197 | |||
198 | file { $cf_bot_app: | ||
199 | ensure => "directory", | ||
200 | mode => "0700", | ||
201 | owner => $cf_user, | ||
202 | group => $cf_group, | ||
203 | require => User[$cf_user], | ||
204 | } | ||
205 | |||
206 | archive { "${cf_home}/trader_${bot_version}.tar.gz": | ||
207 | path => "${cf_home}/trader_${bot_version}.tar.gz", | ||
208 | source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", | ||
209 | checksum_type => "sha256", | ||
210 | checksum => $bot_sha256, | ||
211 | cleanup => false, | ||
212 | extract => true, | ||
213 | user => $cf_user, | ||
214 | username => $facts["ec2_metadata"]["hostname"], | ||
215 | password => generate_password(24, $password_seed, "ldap"), | ||
216 | extract_path => $cf_bot_app, | ||
217 | require => [User[$cf_user], File[$cf_bot_app]], | ||
218 | } ~> | ||
219 | exec { "py-cryptoportfolio-dependencies": | ||
220 | cwd => $cf_bot_app, | ||
221 | user => $cf_user, | ||
222 | environment => ["HOME=${cf_home}"], | ||
223 | command => "/usr/bin/make install", | ||
224 | require => User[$cf_user], | ||
225 | refreshonly => true, | ||
226 | before => [ | ||
227 | File[$cf_bot_app_conf], | ||
228 | Cron["py-cryptoportfolio-before"], | ||
229 | Cron["py-cryptoportfolio-after"], | ||
230 | ] | ||
231 | } | ||
232 | |||
233 | file { $cf_bot_app_conf: | ||
234 | owner => $cf_user, | ||
235 | group => $cf_group, | ||
236 | mode => "0600", | ||
237 | content => template("role/cryptoportfolio/bot_config.ini.erb"), | ||
238 | require => [ | ||
239 | User[$cf_user], | ||
240 | Archive["${cf_home}/trader_${bot_version}.tar.gz"], | ||
241 | ], | ||
242 | } | ||
243 | |||
244 | cron { "py-cryptoportfolio-before": | ||
245 | ensure => present, | ||
246 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", | ||
247 | user => "cryptoportfolio", | ||
248 | weekday => 7, # Sunday | ||
249 | hour => 22, | ||
250 | minute => 30, | ||
251 | environment => ["HOME=${cf_home}","PATH=/usr/bin/"], | ||
252 | require => [ | ||
253 | File[$cf_bot_app_conf], | ||
254 | Archive["${cf_home}/trader_${bot_version}.tar.gz"] | ||
255 | ], | ||
256 | } | ||
257 | |||
258 | cron { "py-cryptoportfolio-after": | ||
259 | ensure => present, | ||
260 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", | ||
261 | user => "cryptoportfolio", | ||
262 | weekday => 1, # Monday | ||
263 | hour => 1, | ||
264 | minute => 0, | ||
265 | environment => ["HOME=${cf_home}","PATH=/usr/bin/"], | ||
266 | require => [ | ||
267 | File[$cf_bot_app_conf], | ||
268 | Archive["${cf_home}/trader_${bot_version}.tar.gz"] | ||
269 | ], | ||
270 | } | ||
271 | |||
272 | unless empty($cf_webhook_url) { | ||
273 | exec { "bot-slack-notify": | ||
274 | refreshonly => true, | ||
275 | environment => [ | ||
276 | "P_PROJECT=Trader", | ||
277 | "P_WEBHOOK=${cf_webhook_url}", | ||
278 | "P_VERSION=${bot_version}", | ||
279 | "P_HOST=${cf_front_app_host}", | ||
280 | "P_HTTPS=${cf_front_app_ssl}", | ||
281 | ], | ||
282 | command => "/usr/local/bin/slack-notify", | ||
283 | require => File["/usr/local/bin/slack-notify"], | ||
284 | subscribe => Exec["py-cryptoportfolio-dependencies"], | ||
285 | } | ||
286 | } | ||
287 | } | 34 | } |
288 | 35 | ||
289 | # FIXME: restore backup | 36 | # FIXME: restore backup |
290 | unless empty($front_version) { | 37 | unless empty($front_version) { |
291 | ensure_packages(["go", "npm", "nodejs", "yarn"]) | 38 | contain "role::cryptoportfolio::front" |
292 | |||
293 | file { [ | ||
294 | "${cf_home}/go/", | ||
295 | "${cf_home}/go/src", | ||
296 | "${cf_home}/go/src/immae.eu", | ||
297 | "${cf_home}/go/src/immae.eu/Immae", | ||
298 | "${cf_home}/go/src/immae.eu/Immae/Projets", | ||
299 | "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", | ||
300 | "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", | ||
301 | $cf_front_app]: | ||
302 | ensure => "directory", | ||
303 | mode => "0700", | ||
304 | owner => $cf_user, | ||
305 | group => $cf_group, | ||
306 | require => User[$cf_user], | ||
307 | } | ||
308 | |||
309 | file { "${cf_home}/front": | ||
310 | ensure => "link", | ||
311 | target => $cf_front_app, | ||
312 | before => File[$cf_front_app], | ||
313 | } | ||
314 | |||
315 | file { "/etc/systemd/system/cryptoportfolio-app.service": | ||
316 | mode => "0644", | ||
317 | owner => "root", | ||
318 | group => "root", | ||
319 | content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), | ||
320 | notify => Exec["systemctl daemon-reload"], | ||
321 | } | ||
322 | |||
323 | service { 'cryptoportfolio-app': | ||
324 | enable => true, | ||
325 | ensure => "running", | ||
326 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
327 | require => [ | ||
328 | File["/etc/systemd/system/cryptoportfolio-app.service"], | ||
329 | Postgresql::Server::Db[$cf_pg_db] | ||
330 | ], | ||
331 | } ~> | ||
332 | exec { "dump $cf_pg_db structure": | ||
333 | refreshonly => true, | ||
334 | user => $::profile::postgresql::pg_user, | ||
335 | group => $::profile::postgresql::pg_user, | ||
336 | command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema", | ||
337 | } | ||
338 | |||
339 | archive { "${cf_home}/front_${front_version}.tar.gz": | ||
340 | path => "${cf_home}/front_${front_version}.tar.gz", | ||
341 | source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", | ||
342 | checksum_type => "sha256", | ||
343 | checksum => $front_sha256, | ||
344 | cleanup => false, | ||
345 | extract => true, | ||
346 | user => $cf_user, | ||
347 | username => $facts["ec2_metadata"]["hostname"], | ||
348 | password => generate_password(24, $password_seed, "ldap"), | ||
349 | extract_path => $cf_front_app, | ||
350 | require => [User[$cf_user], File[$cf_front_app]], | ||
351 | notify => [ | ||
352 | Exec["web-cryptoportfolio-dependencies"], | ||
353 | Exec["go-get-dep"], | ||
354 | ] | ||
355 | } | ||
356 | |||
357 | # Api | ||
358 | file { $cf_front_app_api_conf: | ||
359 | owner => $cf_user, | ||
360 | group => $cf_group, | ||
361 | mode => "0600", | ||
362 | content => template("role/cryptoportfolio/api_conf.toml.erb"), | ||
363 | before => Exec["go-cryptoportfolio-app"], | ||
364 | } | ||
365 | |||
366 | exec { "go-get-dep": | ||
367 | user => $cf_user, | ||
368 | environment => ["HOME=${cf_home}"], | ||
369 | creates => "${cf_home}/go/bin/dep", | ||
370 | command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", | ||
371 | refreshonly => true, | ||
372 | } ~> | ||
373 | exec { "go-cryptoportfolio-dependencies": | ||
374 | cwd => $cf_front_app, | ||
375 | user => $cf_user, | ||
376 | environment => ["HOME=${cf_home}"], | ||
377 | command => "${cf_home}/go/bin/dep ensure", | ||
378 | refreshonly => true, | ||
379 | } ~> | ||
380 | exec { "go-cryptoportfolio-app": | ||
381 | cwd => $cf_front_app_api_workdir, | ||
382 | user => $cf_user, | ||
383 | environment => ["HOME=${cf_home}"], | ||
384 | command => "/usr/bin/make build", | ||
385 | refreshonly => true, | ||
386 | } | ||
387 | |||
388 | # Static pages | ||
389 | file { $cf_front_app_static_conf: | ||
390 | owner => $cf_user, | ||
391 | group => $cf_group, | ||
392 | mode => "0600", | ||
393 | content => template("role/cryptoportfolio/static_conf.env.erb"), | ||
394 | before => Exec["web-cryptoportfolio-build"], | ||
395 | } | ||
396 | |||
397 | exec { "web-cryptoportfolio-dependencies": | ||
398 | cwd => "${cf_front_app}/cmd/web", | ||
399 | user => $cf_user, | ||
400 | environment => ["HOME=${cf_home}"], | ||
401 | command => "/usr/bin/make install", | ||
402 | refreshonly => true, | ||
403 | require => [Package["npm"], Package["nodejs"], Package["yarn"]] | ||
404 | } ~> | ||
405 | exec { "web-cryptoportfolio-build": | ||
406 | cwd => "${cf_front_app}/cmd/web", | ||
407 | user => $cf_user, | ||
408 | environment => ["HOME=${cf_home}"], | ||
409 | path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], | ||
410 | command => "/usr/bin/make static ENV=${cf_env}", | ||
411 | refreshonly => true, | ||
412 | } | ||
413 | |||
414 | unless empty($cf_webhook_url) { | ||
415 | exec { "front-slack-notify": | ||
416 | refreshonly => true, | ||
417 | environment => [ | ||
418 | "P_PROJECT=Front", | ||
419 | "P_WEBHOOK=${cf_webhook_url}", | ||
420 | "P_VERSION=${front_version}", | ||
421 | "P_HOST=${cf_front_app_host}", | ||
422 | "P_HTTPS=${cf_front_app_ssl}", | ||
423 | ], | ||
424 | command => "/usr/local/bin/slack-notify", | ||
425 | require => File["/usr/local/bin/slack-notify"], | ||
426 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
427 | } | ||
428 | } | ||
429 | } | 39 | } |
430 | } | 40 | } |
diff --git a/modules/role/manifests/cryptoportfolio/apache.pp b/modules/role/manifests/cryptoportfolio/apache.pp new file mode 100644 index 0000000..62d5447 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/apache.pp | |||
@@ -0,0 +1,17 @@ | |||
1 | class role::cryptoportfolio::apache inherits role::cryptoportfolio { | ||
2 | class { 'apache::mod::headers': } | ||
3 | apache::vhost { $web_host: | ||
4 | port => '443', | ||
5 | docroot => false, | ||
6 | manage_docroot => false, | ||
7 | proxy_dest => "http://localhost:8000", | ||
8 | request_headers => 'set X-Forwarded-Proto "https"', | ||
9 | ssl => true, | ||
10 | ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem", | ||
11 | ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem", | ||
12 | ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem", | ||
13 | require => Letsencrypt::Certonly[$web_host], | ||
14 | proxy_preserve_host => true; | ||
15 | default: * => $::profile::apache::apache_vhost_default; | ||
16 | } | ||
17 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/bot.pp b/modules/role/manifests/cryptoportfolio/bot.pp new file mode 100644 index 0000000..a15c779 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/bot.pp | |||
@@ -0,0 +1,101 @@ | |||
1 | class role::cryptoportfolio::bot inherits role::cryptoportfolio { | ||
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
3 | |||
4 | $cf_bot_app = "${home}/bot" | ||
5 | $cf_bot_app_conf = "${home}/bot_config.ini" | ||
6 | $cf_bot_app_reports = "${home}/bot_reports" | ||
7 | |||
8 | ensure_packages(["python", "python-pip"]) | ||
9 | |||
10 | file { $cf_bot_app: | ||
11 | ensure => "directory", | ||
12 | mode => "0700", | ||
13 | owner => $user, | ||
14 | group => $group, | ||
15 | require => User["$user:"], | ||
16 | } | ||
17 | |||
18 | archive { "${home}/trader_${bot_version}.tar.gz": | ||
19 | path => "${home}/trader_${bot_version}.tar.gz", | ||
20 | source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", | ||
21 | checksum_type => "sha256", | ||
22 | checksum => $bot_sha256, | ||
23 | cleanup => false, | ||
24 | extract => true, | ||
25 | user => $user, | ||
26 | username => lookup("base_installation::ldap_cn"), | ||
27 | password => generate_password(24, $password_seed, "ldap"), | ||
28 | extract_path => $cf_bot_app, | ||
29 | require => [User["$user:"], File[$cf_bot_app]], | ||
30 | } ~> | ||
31 | exec { "py-cryptoportfolio-dependencies": | ||
32 | cwd => $cf_bot_app, | ||
33 | user => $user, | ||
34 | environment => ["HOME=${home}"], | ||
35 | command => "/usr/bin/make install", | ||
36 | require => User["$user:"], | ||
37 | refreshonly => true, | ||
38 | before => [ | ||
39 | File[$cf_bot_app_conf], | ||
40 | Cron["py-cryptoportfolio-before"], | ||
41 | Cron["py-cryptoportfolio-after"], | ||
42 | ] | ||
43 | } | ||
44 | |||
45 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
46 | file { $cf_bot_app_conf: | ||
47 | owner => $user, | ||
48 | group => $group, | ||
49 | mode => "0600", | ||
50 | content => template("role/cryptoportfolio/bot_config.ini.erb"), | ||
51 | require => [ | ||
52 | User["$user:"], | ||
53 | Archive["${home}/trader_${bot_version}.tar.gz"], | ||
54 | ], | ||
55 | } | ||
56 | |||
57 | cron { "py-cryptoportfolio-before": | ||
58 | ensure => present, | ||
59 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", | ||
60 | user => $user, | ||
61 | weekday => 7, # Sunday | ||
62 | hour => 22, | ||
63 | minute => 30, | ||
64 | environment => ["HOME=${home}","PATH=/usr/bin/"], | ||
65 | require => [ | ||
66 | File[$cf_bot_app_conf], | ||
67 | Archive["${home}/trader_${bot_version}.tar.gz"] | ||
68 | ], | ||
69 | } | ||
70 | |||
71 | cron { "py-cryptoportfolio-after": | ||
72 | ensure => present, | ||
73 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", | ||
74 | user => $user, | ||
75 | weekday => 1, # Monday | ||
76 | hour => 1, | ||
77 | minute => 0, | ||
78 | environment => ["HOME=${home}","PATH=/usr/bin/"], | ||
79 | require => [ | ||
80 | File[$cf_bot_app_conf], | ||
81 | Archive["${home}/trader_${bot_version}.tar.gz"] | ||
82 | ], | ||
83 | } | ||
84 | |||
85 | unless empty($webhook_url) { | ||
86 | exec { "bot-slack-notify": | ||
87 | refreshonly => true, | ||
88 | environment => [ | ||
89 | "P_PROJECT=Trader", | ||
90 | "P_WEBHOOK=${webhook_url}", | ||
91 | "P_VERSION=${bot_version}", | ||
92 | "P_HOST=${web_host}", | ||
93 | "P_HTTPS=${web_ssl}", | ||
94 | ], | ||
95 | command => "/usr/local/bin/slack-notify", | ||
96 | require => File["/usr/local/bin/slack-notify"], | ||
97 | subscribe => Exec["py-cryptoportfolio-dependencies"], | ||
98 | } | ||
99 | } | ||
100 | } | ||
101 | |||
diff --git a/modules/role/manifests/cryptoportfolio/front.pp b/modules/role/manifests/cryptoportfolio/front.pp new file mode 100644 index 0000000..280ef8b --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/front.pp | |||
@@ -0,0 +1,158 @@ | |||
1 | class role::cryptoportfolio::front inherits role::cryptoportfolio { | ||
2 | ensure_resource('exec', 'systemctl daemon-reload', { | ||
3 | command => '/usr/bin/systemctl daemon-reload', | ||
4 | refreshonly => true | ||
5 | }) | ||
6 | |||
7 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
8 | |||
9 | $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" | ||
10 | $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" | ||
11 | $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" | ||
12 | $cf_front_app_api_conf = "${home}/conf.toml" | ||
13 | $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") | ||
14 | |||
15 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" | ||
16 | |||
17 | ensure_packages(["go", "npm", "nodejs", "yarn"]) | ||
18 | |||
19 | file { [ | ||
20 | "${home}/go/", | ||
21 | "${home}/go/src", | ||
22 | "${home}/go/src/immae.eu", | ||
23 | "${home}/go/src/immae.eu/Immae", | ||
24 | "${home}/go/src/immae.eu/Immae/Projets", | ||
25 | "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", | ||
26 | "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", | ||
27 | $cf_front_app]: | ||
28 | ensure => "directory", | ||
29 | mode => "0700", | ||
30 | owner => $user, | ||
31 | group => $group, | ||
32 | require => User["$user:"], | ||
33 | } | ||
34 | |||
35 | file { "${home}/front": | ||
36 | ensure => "link", | ||
37 | target => $cf_front_app, | ||
38 | before => File[$cf_front_app], | ||
39 | } | ||
40 | |||
41 | file { "/etc/systemd/system/cryptoportfolio-app.service": | ||
42 | mode => "0644", | ||
43 | owner => "root", | ||
44 | group => "root", | ||
45 | content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), | ||
46 | notify => Exec["systemctl daemon-reload"], | ||
47 | } | ||
48 | |||
49 | service { 'cryptoportfolio-app': | ||
50 | enable => true, | ||
51 | ensure => "running", | ||
52 | subscribe => [File[$cf_front_app_api_conf], Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
53 | require => [ | ||
54 | File["/etc/systemd/system/cryptoportfolio-app.service"], | ||
55 | Postgresql::Server::Db[$pg_db] | ||
56 | ], | ||
57 | } ~> | ||
58 | exec { "dump $pg_db structure": | ||
59 | refreshonly => true, | ||
60 | user => $::profile::postgresql::pg_user, | ||
61 | group => $::profile::postgresql::pg_user, | ||
62 | command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema", | ||
63 | } | ||
64 | |||
65 | archive { "${home}/front_${front_version}.tar.gz": | ||
66 | path => "${home}/front_${front_version}.tar.gz", | ||
67 | source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", | ||
68 | checksum_type => "sha256", | ||
69 | checksum => $front_sha256, | ||
70 | cleanup => false, | ||
71 | extract => true, | ||
72 | user => $user, | ||
73 | username => lookup("base_installation::ldap_cn"), | ||
74 | password => generate_password(24, $password_seed, "ldap"), | ||
75 | extract_path => $cf_front_app, | ||
76 | require => [User["$user:"], File[$cf_front_app]], | ||
77 | notify => [ | ||
78 | Exec["web-cryptoportfolio-dependencies"], | ||
79 | Exec["go-get-dep"], | ||
80 | ] | ||
81 | } | ||
82 | |||
83 | # Api | ||
84 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
85 | $pg_host = "${pg_hostname}:${pg_port}" | ||
86 | file { $cf_front_app_api_conf: | ||
87 | owner => $user, | ||
88 | group => $group, | ||
89 | mode => "0600", | ||
90 | content => template("role/cryptoportfolio/api_conf.toml.erb"), | ||
91 | before => Exec["go-cryptoportfolio-app"], | ||
92 | } | ||
93 | |||
94 | exec { "go-get-dep": | ||
95 | user => $user, | ||
96 | environment => ["HOME=${home}"], | ||
97 | creates => "${home}/go/bin/dep", | ||
98 | command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", | ||
99 | refreshonly => true, | ||
100 | } ~> | ||
101 | exec { "go-cryptoportfolio-dependencies": | ||
102 | cwd => $cf_front_app, | ||
103 | user => $user, | ||
104 | environment => ["HOME=${home}"], | ||
105 | command => "${home}/go/bin/dep ensure", | ||
106 | refreshonly => true, | ||
107 | } ~> | ||
108 | exec { "go-cryptoportfolio-app": | ||
109 | cwd => $cf_front_app_api_workdir, | ||
110 | user => $user, | ||
111 | environment => ["HOME=${home}"], | ||
112 | command => "/usr/bin/make build", | ||
113 | refreshonly => true, | ||
114 | } | ||
115 | |||
116 | # Static pages | ||
117 | file { $cf_front_app_static_conf: | ||
118 | owner => $user, | ||
119 | group => $group, | ||
120 | mode => "0600", | ||
121 | content => template("role/cryptoportfolio/static_conf.env.erb"), | ||
122 | before => Exec["web-cryptoportfolio-build"], | ||
123 | } | ||
124 | |||
125 | exec { "web-cryptoportfolio-dependencies": | ||
126 | cwd => "${cf_front_app}/cmd/web", | ||
127 | user => $user, | ||
128 | environment => ["HOME=${home}"], | ||
129 | command => "/usr/bin/make install", | ||
130 | refreshonly => true, | ||
131 | require => [Package["npm"], Package["nodejs"], Package["yarn"]] | ||
132 | } ~> | ||
133 | exec { "web-cryptoportfolio-build": | ||
134 | cwd => "${cf_front_app}/cmd/web", | ||
135 | user => $user, | ||
136 | environment => ["HOME=${home}"], | ||
137 | path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], | ||
138 | command => "/usr/bin/make static ENV=${env}", | ||
139 | refreshonly => true, | ||
140 | } | ||
141 | |||
142 | unless empty($webhook_url) { | ||
143 | exec { "front-slack-notify": | ||
144 | refreshonly => true, | ||
145 | environment => [ | ||
146 | "P_PROJECT=Front", | ||
147 | "P_WEBHOOK=${webhook_url}", | ||
148 | "P_VERSION=${front_version}", | ||
149 | "P_HOST=${web_host}", | ||
150 | "P_HTTPS=${web_ssl}", | ||
151 | ], | ||
152 | command => "/usr/local/bin/slack-notify", | ||
153 | require => File["/usr/local/bin/slack-notify"], | ||
154 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
155 | } | ||
156 | } | ||
157 | |||
158 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/notify.pp b/modules/role/manifests/cryptoportfolio/notify.pp new file mode 100644 index 0000000..218312c --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/notify.pp | |||
@@ -0,0 +1,6 @@ | |||
1 | class role::cryptoportfolio::notify inherits role::cryptoportfolio { | ||
2 | file { "/usr/local/bin/slack-notify": | ||
3 | mode => "0755", | ||
4 | source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", | ||
5 | } | ||
6 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp new file mode 100644 index 0000000..cc4d2a9 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp | |||
@@ -0,0 +1,116 @@ | |||
1 | class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { | ||
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
3 | |||
4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
5 | $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
6 | |||
7 | file { "/var/lib/postgres/data/certs": | ||
8 | ensure => directory, | ||
9 | mode => "0700", | ||
10 | owner => $::profile::postgresql::pg_user, | ||
11 | group => $::profile::postgresql::pg_user, | ||
12 | require => File["/var/lib/postgres"], | ||
13 | } | ||
14 | |||
15 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
16 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | ||
17 | mode => "0600", | ||
18 | links => "follow", | ||
19 | owner => $::profile::postgresql::pg_user, | ||
20 | group => $::profile::postgresql::pg_user, | ||
21 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
22 | } | ||
23 | |||
24 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
25 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | ||
26 | mode => "0600", | ||
27 | links => "follow", | ||
28 | owner => $::profile::postgresql::pg_user, | ||
29 | group => $::profile::postgresql::pg_user, | ||
30 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
31 | } | ||
32 | |||
33 | postgresql::server::config_entry { "wal_level": | ||
34 | value => "logical", | ||
35 | } | ||
36 | |||
37 | postgresql::server::config_entry { "ssl": | ||
38 | value => "on", | ||
39 | require => Letsencrypt::Certonly[$web_host], | ||
40 | } | ||
41 | |||
42 | postgresql::server::config_entry { "ssl_cert_file": | ||
43 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
44 | require => Letsencrypt::Certonly[$web_host], | ||
45 | } | ||
46 | |||
47 | postgresql::server::config_entry { "ssl_key_file": | ||
48 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
49 | require => Letsencrypt::Certonly[$web_host], | ||
50 | } | ||
51 | |||
52 | postgresql::server::db { $pg_db: | ||
53 | user => $pg_user, | ||
54 | password => postgresql_password($pg_user, $pg_password), | ||
55 | } | ||
56 | -> | ||
57 | postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": | ||
58 | db => $pg_db, | ||
59 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", | ||
60 | } | ||
61 | -> | ||
62 | postgresql::server::role { $pg_user_replication: | ||
63 | db => $pg_db, | ||
64 | replication => true, | ||
65 | password_hash => postgresql_password($pg_user_replication, $pg_replication_password), | ||
66 | } | ||
67 | -> | ||
68 | postgresql::server::database_grant { $pg_user_replication: | ||
69 | db => $pg_db, | ||
70 | privilege => "CONNECT", | ||
71 | role => $pg_user_replication, | ||
72 | } | ||
73 | -> | ||
74 | postgresql::server::grant { "all tables in schema:public:$pg_user_replication": | ||
75 | db => $pg_db, | ||
76 | role => $pg_user_replication, | ||
77 | privilege => "SELECT", | ||
78 | object_type => "ALL TABLES IN SCHEMA", | ||
79 | object_name => "public", | ||
80 | } | ||
81 | -> | ||
82 | postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": | ||
83 | db => $pg_db, | ||
84 | role => $pg_user_replication, | ||
85 | privilege => "SELECT", | ||
86 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
87 | object_name => "public", | ||
88 | } | ||
89 | |||
90 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | ||
91 | type => 'host', | ||
92 | database => $pg_db, | ||
93 | user => $pg_user, | ||
94 | address => '127.0.0.1/32', | ||
95 | auth_method => 'md5', | ||
96 | order => "05-01", | ||
97 | } | ||
98 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
99 | type => 'host', | ||
100 | database => $pg_db, | ||
101 | user => $pg_user, | ||
102 | address => '::1/128', | ||
103 | auth_method => 'md5', | ||
104 | order => "05-01", | ||
105 | } | ||
106 | |||
107 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
108 | type => 'hostssl', | ||
109 | database => $pg_db, | ||
110 | user => $pg_user_replication, | ||
111 | address => 'immae.eu', | ||
112 | auth_method => 'md5', | ||
113 | order => "05-01", | ||
114 | } | ||
115 | |||
116 | } | ||
diff --git a/modules/role/templates/cryptoportfolio/api_conf.toml.erb b/modules/role/templates/cryptoportfolio/api_conf.toml.erb index 13550c9..7a4b66d 100644 --- a/modules/role/templates/cryptoportfolio/api_conf.toml.erb +++ b/modules/role/templates/cryptoportfolio/api_conf.toml.erb | |||
@@ -1,15 +1,15 @@ | |||
1 | log_level="info" | 1 | log_level="info" |
2 | mode="<%= @cf_env %>" | 2 | mode="<%= @env %>" |
3 | log_out="stdout" | 3 | log_out="stdout" |
4 | 4 | ||
5 | [db] | 5 | [db] |
6 | user="<%= @cf_pg_user %>" | 6 | user="<%= @pg_user %>" |
7 | password="<%= @cf_pg_password %>" | 7 | password="<%= @pg_password %>" |
8 | database="<%= @cf_pg_db %>" | 8 | database="<%= @pg_db %>" |
9 | address="<%= @cf_pg_host %>" | 9 | address="<%= @pg_host %>" |
10 | 10 | ||
11 | [api] | 11 | [api] |
12 | domain="<%= @cf_front_app_host %>" | 12 | domain="<%= @web_host %>" |
13 | jwt_secret="<%= @cf_front_app_api_secret %>" | 13 | jwt_secret="<%= @cf_front_app_api_secret %>" |
14 | 14 | ||
15 | [app] | 15 | [app] |
diff --git a/modules/role/templates/cryptoportfolio/bot_config.ini.erb b/modules/role/templates/cryptoportfolio/bot_config.ini.erb index 30298eb..b0211a6 100644 --- a/modules/role/templates/cryptoportfolio/bot_config.ini.erb +++ b/modules/role/templates/cryptoportfolio/bot_config.ini.erb | |||
@@ -1,9 +1,9 @@ | |||
1 | [postgresql] | 1 | [postgresql] |
2 | host = <%= @cf_pg_hostname %> | 2 | host = <%= @pg_hostname %> |
3 | port = <%= @cf_pg_port %> | 3 | port = <%= @pg_port %> |
4 | user = <%= @cf_pg_user %> | 4 | user = <%= @pg_user %> |
5 | password = <%= @cf_pg_password %> | 5 | password = <%= @pg_password %> |
6 | database = <%= @cf_pg_db %> | 6 | database = <%= @pg_db %> |
7 | 7 | ||
8 | [app] | 8 | [app] |
9 | report_path = <%= @cf_bot_app_reports %> | 9 | report_path = <%= @cf_bot_app_reports %> |
diff --git a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb index a521c0e..ed2b908 100644 --- a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb +++ b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb | |||
@@ -5,8 +5,8 @@ Description=Cryptoportfolio app | |||
5 | Type=simple | 5 | Type=simple |
6 | 6 | ||
7 | WorkingDirectory=<%= @cf_front_app_api_workdir %> | 7 | WorkingDirectory=<%= @cf_front_app_api_workdir %> |
8 | User=<%= @cf_user %> | 8 | User=<%= @user %> |
9 | Group=<%= @cf_group %> | 9 | Group=<%= @group %> |
10 | UMask=007 | 10 | UMask=007 |
11 | 11 | ||
12 | ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %> | 12 | ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %> |
diff --git a/modules/role/templates/cryptoportfolio/static_conf.env.erb b/modules/role/templates/cryptoportfolio/static_conf.env.erb index db9759d..314ee14 100644 --- a/modules/role/templates/cryptoportfolio/static_conf.env.erb +++ b/modules/role/templates/cryptoportfolio/static_conf.env.erb | |||
@@ -1,4 +1,4 @@ | |||
1 | API_HOST="<%= @cf_front_app_host %>" | 1 | API_HOST="<%= @web_host %>" |
2 | API_PORT="<%= @cf_front_app_port %>" | 2 | API_PORT="<%= @web_port %>" |
3 | API_HTTPS="<%= @cf_front_app_ssl %>" | 3 | API_HTTPS="<%= @web_ssl %>" |
4 | 4 | ||