aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--environments/global/common.yaml8
-rw-r--r--environments/global/roles/cryptoportfolio.yaml17
-rw-r--r--environments/global/types/s1-2.yaml2
-rw-r--r--environments/global/types/vps-ovhssd-1.yaml2
-rw-r--r--environments/integration/roles/cryptoportfolio.yaml6
-rw-r--r--environments/production/roles/cryptoportfolio.yaml8
-rw-r--r--manifests/site.pp2
-rw-r--r--modules/base_installation/manifests/puppet.pp2
-rw-r--r--modules/base_installation/manifests/services.pp2
-rw-r--r--modules/base_installation/manifests/users.pp20
-rw-r--r--modules/profile/manifests/apache.pp15
-rw-r--r--modules/profile/manifests/postgresql.pp14
-rw-r--r--modules/profile/manifests/xmr_stak.pp11
-rw-r--r--modules/role/manifests/cryptoportfolio.pp438
-rw-r--r--modules/role/manifests/cryptoportfolio/apache.pp17
-rw-r--r--modules/role/manifests/cryptoportfolio/bot.pp101
-rw-r--r--modules/role/manifests/cryptoportfolio/front.pp158
-rw-r--r--modules/role/manifests/cryptoportfolio/notify.pp6
-rw-r--r--modules/role/manifests/cryptoportfolio/postgresql.pp116
-rw-r--r--modules/role/templates/cryptoportfolio/api_conf.toml.erb12
-rw-r--r--modules/role/templates/cryptoportfolio/bot_config.ini.erb10
-rw-r--r--modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb4
-rw-r--r--modules/role/templates/cryptoportfolio/static_conf.env.erb6
23 files changed, 507 insertions, 470 deletions
diff --git a/environments/global/common.yaml b/environments/global/common.yaml
index 5b21dca..4536b83 100644
--- a/environments/global/common.yaml
+++ b/environments/global/common.yaml
@@ -6,6 +6,8 @@ lookup_options:
6 merge: deep 6 merge: deep
7 base_installation::system_users: 7 base_installation::system_users:
8 merge: unique 8 merge: unique
9 letsencrypt::hosts:
10 merge: unique
9 11
10classes: 12classes:
11 stdlib: ~ 13 stdlib: ~
@@ -33,5 +35,7 @@ base_installation::system_users:
33 - host: "immae.eu" 35 - host: "immae.eu"
34 key: "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v" 36 key: "AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5PgLBwMRyRwzJPnSgUyRAuB9AAxMijsw1pR/t/wmxQne1O5fIPOleHx+D8dyZbwm+XkzlcJpgT0Qy3qC9J8BPhshJvO/tA/8CI/oS/FE0uWsyACH1DMO2dk4gRRZGSE9IuzDMRPlnfZ3n0tdsPzzv3GH4It/oPIgsvkTowKztGLQ7Xmjr5BxzAhXcIQymqA0U3XWHSdWvnSRDaOFG0PDoVMS85IdwlviVKLnV5Sstb4NC/P28LFfgvW8DO/XrOqujgDomqTmR41dK/AyrGGOb2cQUMO4l8Oa+74aOyKaB61rr/rJkr+wCbEttkTvgFa6zZygSk3edfiWE2rgn4+v"
35 key_type: "ssh-rsa" 37 key_type: "ssh-rsa"
36xmr_stak::mining_pool: "pool.minexmr.com:7777" 38profile::xmr_stak::mining_pool: "pool.minexmr.com:7777"
37xmr_stak::wallet: "44CA8TxTFYbQqN2kLyk8AnB6Ghz4mcbGpYC2EyXW7A8H9QspvWnTjDn39XUZDPrFwPa5JNwt4TmAxcooPWv4SaJqL87Bcdo" 39profile::xmr_stak::wallet: "44CA8TxTFYbQqN2kLyk8AnB6Ghz4mcbGpYC2EyXW7A8H9QspvWnTjDn39XUZDPrFwPa5JNwt4TmAxcooPWv4SaJqL87Bcdo"
40letsencrypt::email: "sites+letsencrypt@mail.immae.eu"
41letsencrypt::try_for_real_hostname: true
diff --git a/environments/global/roles/cryptoportfolio.yaml b/environments/global/roles/cryptoportfolio.yaml
index 3d36e71..f875c1b 100644
--- a/environments/global/roles/cryptoportfolio.yaml
+++ b/environments/global/roles/cryptoportfolio.yaml
@@ -1,4 +1,19 @@
1--- 1---
2classes: 2classes:
3 role::cryptoportfolio: ~ 3 role::cryptoportfolio: ~
4cryptoportfolio::slack_webhook: "%{ldapvar.self.vars.cf_slack_webhook.0}" 4letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}"
5role::cryptoportfolio::user: "cryptoportfolio"
6role::cryptoportfolio::group: "cryptoportfolio"
7role::cryptoportfolio::home: "/home/cryptoportfolio"
8role::cryptoportfolio::env: "prod"
9role::cryptoportfolio::webhook_url: "%{ldapvar.self.vars.cf_slack_webhook.0}"
10role::cryptoportfolio::pg_db: "cryptoportfolio"
11role::cryptoportfolio::pg_user: "cryptoportfolio"
12role::cryptoportfolio::pg_user_replication: "cryptoportfolio_replication"
13role::cryptoportfolio::web_host: "%{lookup('base_installation::system_hostname')}"
14role::cryptoportfolio::web_port: ""
15role::cryptoportfolio::web_ssl: true
16base_installation::system_users:
17 - username: "%{lookup('role::cryptoportfolio::user')}"
18 system: true
19 password: "!!"
diff --git a/environments/global/types/s1-2.yaml b/environments/global/types/s1-2.yaml
index 496b741..a7ba753 100644
--- a/environments/global/types/s1-2.yaml
+++ b/environments/global/types/s1-2.yaml
@@ -6,4 +6,4 @@ classes:
6base_installation::system_hostname: "%{ldapvar.self.vars.host.0}" 6base_installation::system_hostname: "%{ldapvar.self.vars.host.0}"
7base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.v.immae.eu" 7base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.v.immae.eu"
8base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" 8base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt"
9ssl::try_letsencrypt_for_real_hostname: true 9letsencrypt::try_for_real_hostname: true
diff --git a/environments/global/types/vps-ovhssd-1.yaml b/environments/global/types/vps-ovhssd-1.yaml
index 73f7a45..68534dc 100644
--- a/environments/global/types/vps-ovhssd-1.yaml
+++ b/environments/global/types/vps-ovhssd-1.yaml
@@ -7,4 +7,4 @@ base_installation::system_hostname: "%{ldapvar.self.vars.host.0}"
7base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net" 7base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net"
8base_installation::grub_device: "/dev/sdb" 8base_installation::grub_device: "/dev/sdb"
9base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" 9base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt"
10ssl::try_letsencrypt_for_real_hostname: false 10letsencrypt::try_for_real_hostname: false
diff --git a/environments/integration/roles/cryptoportfolio.yaml b/environments/integration/roles/cryptoportfolio.yaml
index 9825bce..6b8eb92 100644
--- a/environments/integration/roles/cryptoportfolio.yaml
+++ b/environments/integration/roles/cryptoportfolio.yaml
@@ -1,5 +1,3 @@
1--- 1---
2cryptoportfolio::front_version: v0.0.2-3-g6200f9a 2role::cryptoportfolio::front_version: v0.0.2-3-g6200f9a
3cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f 3role::cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f
4cryptoportfolio::bot_version: v0.5-8-g34eb08f
5cryptoportfolio::bot_sha256: f5b99c4a1cc4db0228f757705a5a909aa301e42787bc5842f8ba442fec0d3fd1
diff --git a/environments/production/roles/cryptoportfolio.yaml b/environments/production/roles/cryptoportfolio.yaml
index c9328e1..566c7f2 100644
--- a/environments/production/roles/cryptoportfolio.yaml
+++ b/environments/production/roles/cryptoportfolio.yaml
@@ -1,5 +1,5 @@
1--- 1---
2cryptoportfolio::front_version: v0.0.2-3-g6200f9a 2role::cryptoportfolio::front_version: v0.0.2-3-g6200f9a
3cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f 3role::cryptoportfolio::front_sha256: 69d31251ecd4fcea46d93dfee0184b1171019a765b6744b84f6eec6b10e5818f
4cryptoportfolio::bot_version: v0.5.1 4role::cryptoportfolio::bot_version: v0.5.1
5cryptoportfolio::bot_sha256: 733789711365b2397bd996689af616a6789207d26c71a31ad1af68620b267d54 5role::cryptoportfolio::bot_sha256: 733789711365b2397bd996689af616a6789207d26c71a31ad1af68620b267d54
diff --git a/manifests/site.pp b/manifests/site.pp
index f922d2b..3d40ad2 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1,5 +1,5 @@
1node default { 1node default {
2 lookup('classes', Hash, 'deep').each |$class_name, $class_hash| { 2 lookup('classes').each |$class_name, $class_hash| {
3 if empty($class_hash) { 3 if empty($class_hash) {
4 include $class_name 4 include $class_name
5 } else { 5 } else {
diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp
index b3ce492..6f7732d 100644
--- a/modules/base_installation/manifests/puppet.pp
+++ b/modules/base_installation/manifests/puppet.pp
@@ -67,7 +67,7 @@ class base_installation::puppet (
67 require => File[$base_installation::puppet_conf_path], 67 require => File[$base_installation::puppet_conf_path],
68 } 68 }
69 69
70 $ips = lookup("ips") |$key| { {} } 70 $ips = lookup("ips", { 'default_value' => undef })
71 file { "$base_installation::puppet_conf_path/host_ldap.info": 71 file { "$base_installation::puppet_conf_path/host_ldap.info":
72 content => template("base_installation/puppet/host_ldap.info.erb"), 72 content => template("base_installation/puppet/host_ldap.info.erb"),
73 require => File[$base_installation::puppet_conf_path], 73 require => File[$base_installation::puppet_conf_path],
diff --git a/modules/base_installation/manifests/services.pp b/modules/base_installation/manifests/services.pp
index c641f4b..d7b4d61 100644
--- a/modules/base_installation/manifests/services.pp
+++ b/modules/base_installation/manifests/services.pp
@@ -38,7 +38,7 @@ class base_installation::services inherits base_installation {
38 group => "root" 38 group => "root"
39 } 39 }
40 40
41 $ip6 = lookup("ips.v6") |$key| { {} } 41 $ip6 = lookup("ips.v6", { 'default_value' => undef })
42 file { '/etc/systemd/network/en-dhcp.network': 42 file { '/etc/systemd/network/en-dhcp.network':
43 ensure => "present", 43 ensure => "present",
44 path => "/etc/systemd/network/en-dhcp.network", 44 path => "/etc/systemd/network/en-dhcp.network",
diff --git a/modules/base_installation/manifests/users.pp b/modules/base_installation/manifests/users.pp
index 766c0f0..f893c51 100644
--- a/modules/base_installation/manifests/users.pp
+++ b/modules/base_installation/manifests/users.pp
@@ -26,22 +26,26 @@ class base_installation::users (
26 ensure => "present", 26 ensure => "present",
27 groups => $user[groups], 27 groups => $user[groups],
28 managehome => true, 28 managehome => true,
29 system => !!$user[system],
29 home => "/home/${user[username]}", 30 home => "/home/${user[username]}",
30 notify => Exec["remove_password"], 31 notify => Exec["remove_password:${user[username]}:${user[userid]}"],
31 purge_ssh_keys => true 32 purge_ssh_keys => true
32 } 33 }
33 34
34 exec { "remove_password": 35 exec { "remove_password:${user[username]}:${user[userid]}":
35 command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}", 36 command => "/usr/bin/chage -d 0 ${user[username]} && /usr/bin/passwd -d ${user[username]}",
37 onlyif => "/usr/bin/test -z '${user[password]}'",
36 refreshonly => true 38 refreshonly => true
37 } 39 }
38 40
39 $user[keys].each |$key| { 41 if has_key($user, "keys") {
40 ssh_authorized_key { "${user[username]}@${key[host]}": 42 $user[keys].each |$key| {
41 name => "${user[username]}@${key[host]}", 43 ssh_authorized_key { "${user[username]}@${key[host]}":
42 user => $user[username], 44 name => "${user[username]}@${key[host]}",
43 type => $key[key_type], 45 user => $user[username],
44 key => $key[key], 46 type => $key[key_type],
47 key => $key[key],
48 }
45 } 49 }
46 } 50 }
47 } 51 }
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index 8db58da..382633b 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -67,13 +67,12 @@ class profile::apache {
67 install_method => "package", 67 install_method => "package",
68 package_name => "certbot", 68 package_name => "certbot",
69 package_command => "certbot", 69 package_command => "certbot",
70 # FIXME 70 email => lookup('letsencrypt::email'),
71 email => 'sites+letsencrypt@mail.immae.eu',
72 } 71 }
73 72
74 $real_hostname = lookup("base_installation::real_hostname") |$key| { {} } 73 $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
75 unless empty($real_hostname) { 74 unless empty($real_hostname) {
76 if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) { 75 if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
77 letsencrypt::certonly { $real_hostname: 76 letsencrypt::certonly { $real_hostname:
78 before => Apache::Vhost["default_ssl"]; 77 before => Apache::Vhost["default_ssl"];
79 default: * => $::profile::apache::letsencrypt_certonly_default; 78 default: * => $::profile::apache::letsencrypt_certonly_default;
@@ -110,6 +109,14 @@ class profile::apache {
110 } 109 }
111 } 110 }
112 111
112 lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
113 if ($host != $real_hostname) { # Done above already
114 letsencrypt::certonly { $host: ;
115 default: * => $letsencrypt_certonly_default;
116 }
117 }
118 }
119
113 apache::vhost { "redirect_no_ssl": 120 apache::vhost { "redirect_no_ssl":
114 port => '80', 121 port => '80',
115 error_log => false, 122 error_log => false,
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 1024c66..2cd1bcc 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -1,5 +1,5 @@
1class profile::postgresql { 1class profile::postgresql {
2 $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } 2 $password_seed = lookup("base_installation::puppet_pass_seed")
3 3
4 class { '::postgresql::globals': 4 class { '::postgresql::globals':
5 encoding => 'UTF-8', 5 encoding => 'UTF-8',
@@ -32,7 +32,7 @@ class profile::postgresql {
32 database => 'all', 32 database => 'all',
33 user => $pg_user, 33 user => $pg_user,
34 auth_method => 'ident', 34 auth_method => 'ident',
35 order => "a1", 35 order => "00-01",
36 } 36 }
37 postgresql::server::pg_hba_rule { 'localhost access as postgres user': 37 postgresql::server::pg_hba_rule { 'localhost access as postgres user':
38 description => 'Allow localhost access to postgres user', 38 description => 'Allow localhost access to postgres user',
@@ -41,7 +41,7 @@ class profile::postgresql {
41 user => $pg_user, 41 user => $pg_user,
42 address => "127.0.0.1/32", 42 address => "127.0.0.1/32",
43 auth_method => 'md5', 43 auth_method => 'md5',
44 order => "a2", 44 order => "00-02",
45 } 45 }
46 postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user': 46 postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
47 description => 'Allow localhost access to postgres user', 47 description => 'Allow localhost access to postgres user',
@@ -50,7 +50,7 @@ class profile::postgresql {
50 user => $pg_user, 50 user => $pg_user,
51 address => "::1/128", 51 address => "::1/128",
52 auth_method => 'md5', 52 auth_method => 'md5',
53 order => "a3", 53 order => "00-03",
54 } 54 }
55 postgresql::server::pg_hba_rule { 'deny access to postgresql user': 55 postgresql::server::pg_hba_rule { 'deny access to postgresql user':
56 description => 'Deny remote access to postgres user', 56 description => 'Deny remote access to postgres user',
@@ -59,7 +59,7 @@ class profile::postgresql {
59 user => $pg_user, 59 user => $pg_user,
60 address => "0.0.0.0/0", 60 address => "0.0.0.0/0",
61 auth_method => 'reject', 61 auth_method => 'reject',
62 order => "a4", 62 order => "00-04",
63 } 63 }
64 64
65 postgresql::server::pg_hba_rule { 'local access': 65 postgresql::server::pg_hba_rule { 'local access':
@@ -68,7 +68,7 @@ class profile::postgresql {
68 database => 'all', 68 database => 'all',
69 user => 'all', 69 user => 'all',
70 auth_method => 'md5', 70 auth_method => 'md5',
71 order => "b1", 71 order => "10-01",
72 } 72 }
73 73
74 postgresql::server::pg_hba_rule { 'local access with same name': 74 postgresql::server::pg_hba_rule { 'local access with same name':
@@ -77,7 +77,7 @@ class profile::postgresql {
77 database => 'all', 77 database => 'all',
78 user => 'all', 78 user => 'all',
79 auth_method => 'ident', 79 auth_method => 'ident',
80 order => "b2", 80 order => "10-02",
81 } 81 }
82 82
83} 83}
diff --git a/modules/profile/manifests/xmr_stak.pp b/modules/profile/manifests/xmr_stak.pp
index e5582eb..c8bbcdd 100644
--- a/modules/profile/manifests/xmr_stak.pp
+++ b/modules/profile/manifests/xmr_stak.pp
@@ -1,4 +1,8 @@
1class profile::xmr_stak { 1class profile::xmr_stak (
2 String $mining_pool,
3 String $wallet,
4 Optional[String] $password = "x",
5) {
2 ensure_resource('exec', 'systemctl daemon-reload', { 6 ensure_resource('exec', 'systemctl daemon-reload', {
3 command => '/usr/bin/systemctl daemon-reload', 7 command => '/usr/bin/systemctl daemon-reload',
4 refreshonly => true 8 refreshonly => true
@@ -26,10 +30,7 @@ class profile::xmr_stak {
26 notify => Exec["systemctl daemon-reload"] 30 notify => Exec["systemctl daemon-reload"]
27 } 31 }
28 32
29 $mining_pool = lookup("xmr_stak::mining_pool") |$key| { {} } 33 $instance = regsubst(lookup("base_installation::ldap_cn"), '\.', "_", "G")
30 $wallet = lookup("xmr_stak::wallet") |$key| { {} }
31 $password = lookup("xmr_stak::password") |$key| { "x" }
32 $instance = regsubst($facts["ec2_metadata"]["hostname"], '\.', "_", "G")
33 34
34 file { "/var/lib/xmr_stak/xmr-stak.conf": 35 file { "/var/lib/xmr_stak/xmr-stak.conf":
35 mode => "0644", 36 mode => "0644",
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index bec247e..799e297 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -1,9 +1,22 @@
1class role::cryptoportfolio { 1class role::cryptoportfolio (
2 ensure_resource('exec', 'systemctl daemon-reload', { 2 String $user,
3 command => '/usr/bin/systemctl daemon-reload', 3 String $group,
4 refreshonly => true 4 String $home,
5 }) 5 Optional[String] $env = "prod",
6 6 Optional[String] $webhook_url = undef,
7 String $pg_user,
8 String $pg_user_replication,
9 String $pg_db,
10 Optional[String] $pg_hostname = "localhost",
11 Optional[String] $pg_port = "5432",
12 Optional[String] $web_host = undef,
13 Optional[String] $web_port = "",
14 Optional[Boolean] $web_ssl = true,
15 Optional[String] $front_version = undef,
16 Optional[String] $front_sha256 = undef,
17 Optional[String] $bot_version = undef,
18 Optional[String] $bot_sha256 = undef,
19) {
7 include "base_installation" 20 include "base_installation"
8 21
9 include "profile::tools" 22 include "profile::tools"
@@ -11,420 +24,17 @@ class role::cryptoportfolio {
11 include "profile::apache" 24 include "profile::apache"
12 include "profile::xmr_stak" 25 include "profile::xmr_stak"
13 26
14 $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } 27 contain "role::cryptoportfolio::postgresql"
15 28 contain "role::cryptoportfolio::apache"
16 $cf_pg_user = "cryptoportfolio"
17 $cf_pg_user_replication = "cryptoportfolio_replication"
18 $cf_pg_db = "cryptoportfolio"
19 $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
20 $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
21 $cf_pg_hostname = "localhost"
22 $cf_pg_port = "5432"
23 $cf_pg_host = "${cf_pg_hostname}:${cf_pg_port}"
24
25 $cf_user = "cryptoportfolio"
26 $cf_group = "cryptoportfolio"
27 $cf_home = "/opt/cryptoportfolio"
28 $cf_env = "prod"
29 $cf_front_app_host = lookup("base_installation::system_hostname") |$key| { "example.com" }
30 $cf_front_app_port = ""
31 $cf_front_app_ssl = "true"
32 $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
33 $cf_front_app_api_workdir = "${cf_front_app}/cmd/app"
34 $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app"
35 $cf_front_app_api_conf = "${cf_home}/conf.toml"
36 $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret")
37
38 $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
39
40 $cf_bot_app = "${cf_home}/bot"
41 $cf_bot_app_conf = "${cf_home}/bot_config.ini"
42 $cf_bot_app_reports = "${cf_home}/bot_reports"
43
44 $cf_webhook_url = lookup("cryptoportfolio::slack_webhook") |$key| { "" }
45
46 file { "/var/lib/postgres/data/certs":
47 ensure => directory,
48 mode => "0700",
49 owner => $::profile::postgresql::pg_user,
50 group => $::profile::postgresql::pg_user,
51 require => File["/var/lib/postgres"],
52 }
53 29
54 file { "/var/lib/postgres/data/certs/cert.pem": 30 contain "role::cryptoportfolio::notify"
55 source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
56 mode => "0600",
57 links => "follow",
58 owner => $::profile::postgresql::pg_user,
59 group => $::profile::postgresql::pg_user,
60 require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
61 }
62
63 file { "/var/lib/postgres/data/certs/privkey.pem":
64 source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
65 mode => "0600",
66 links => "follow",
67 owner => $::profile::postgresql::pg_user,
68 group => $::profile::postgresql::pg_user,
69 require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
70 }
71
72 postgresql::server::config_entry { "wal_level":
73 value => "logical",
74 }
75
76 postgresql::server::config_entry { "ssl":
77 value => "on",
78 require => Letsencrypt::Certonly[$cf_front_app_host],
79 }
80
81 postgresql::server::config_entry { "ssl_cert_file":
82 value => "/var/lib/postgres/data/certs/cert.pem",
83 require => Letsencrypt::Certonly[$cf_front_app_host],
84 }
85
86 postgresql::server::config_entry { "ssl_key_file":
87 value => "/var/lib/postgres/data/certs/privkey.pem",
88 require => Letsencrypt::Certonly[$cf_front_app_host],
89 }
90
91 postgresql::server::db { $cf_pg_db:
92 user => $cf_pg_user,
93 password => postgresql_password($cf_pg_user, $cf_pg_password),
94 }
95 ->
96 postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
97 db => $cf_pg_db,
98 unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
99 }
100 ->
101 postgresql::server::role { $cf_pg_user_replication:
102 db => $cf_pg_db,
103 replication => true,
104 password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
105 }
106 ->
107 postgresql::server::database_grant { $cf_pg_user_replication:
108 db => $cf_pg_db,
109 privilege => "CONNECT",
110 role => $cf_pg_user_replication,
111 }
112 ->
113 postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
114 db => $cf_pg_db,
115 role => $cf_pg_user_replication,
116 privilege => "SELECT",
117 object_type => "ALL TABLES IN SCHEMA",
118 object_name => "public",
119 }
120 ->
121 postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
122 db => $cf_pg_db,
123 role => $cf_pg_user_replication,
124 privilege => "SELECT",
125 object_type => "ALL SEQUENCES IN SCHEMA",
126 object_name => "public",
127 }
128
129 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
130 type => 'host',
131 database => $cf_pg_db,
132 user => $cf_pg_user,
133 address => '127.0.0.1/32',
134 auth_method => 'md5',
135 order => "b0",
136 }
137 postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
138 type => 'host',
139 database => $cf_pg_db,
140 user => $cf_pg_user,
141 address => '::1/128',
142 auth_method => 'md5',
143 order => "b0",
144 }
145
146 postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
147 type => 'hostssl',
148 database => $cf_pg_db,
149 user => $cf_pg_user_replication,
150 address => 'immae.eu',
151 auth_method => 'md5',
152 order => "b0",
153 }
154
155 letsencrypt::certonly { $cf_front_app_host: ;
156 default: * => $::profile::apache::letsencrypt_certonly_default;
157 }
158
159 class { 'apache::mod::headers': }
160 apache::vhost { $cf_front_app_host:
161 port => '443',
162 docroot => false,
163 manage_docroot => false,
164 proxy_dest => "http://localhost:8000",
165 request_headers => 'set X-Forwarded-Proto "https"',
166 ssl => true,
167 ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
168 ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
169 ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
170 require => Letsencrypt::Certonly[$cf_front_app_host],
171 proxy_preserve_host => true;
172 default: * => $::profile::apache::apache_vhost_default;
173 }
174
175 user { $cf_user:
176 name => $cf_user,
177 ensure => "present",
178 managehome => true,
179 home => $cf_home,
180 system => true,
181 password => '!!',
182 }
183
184 file { "/usr/local/bin/slack-notify":
185 mode => "0755",
186 source => "puppet:///modules/role/cryptoportfolio/slack-notify.py",
187 }
188
189 $front_version = lookup("cryptoportfolio::front_version") |$key| { {} }
190 $front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} }
191
192 $bot_version = lookup("cryptoportfolio::bot_version") |$key| { {} }
193 $bot_sha256 = lookup("cryptoportfolio::bot_sha256") |$key| { {} }
194 31
195 unless empty($bot_version) { 32 unless empty($bot_version) {
196 ensure_packages(["python", "python-pip"]) 33 contain "role::cryptoportfolio::bot"
197
198 file { $cf_bot_app:
199 ensure => "directory",
200 mode => "0700",
201 owner => $cf_user,
202 group => $cf_group,
203 require => User[$cf_user],
204 }
205
206 archive { "${cf_home}/trader_${bot_version}.tar.gz":
207 path => "${cf_home}/trader_${bot_version}.tar.gz",
208 source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz",
209 checksum_type => "sha256",
210 checksum => $bot_sha256,
211 cleanup => false,
212 extract => true,
213 user => $cf_user,
214 username => $facts["ec2_metadata"]["hostname"],
215 password => generate_password(24, $password_seed, "ldap"),
216 extract_path => $cf_bot_app,
217 require => [User[$cf_user], File[$cf_bot_app]],
218 } ~>
219 exec { "py-cryptoportfolio-dependencies":
220 cwd => $cf_bot_app,
221 user => $cf_user,
222 environment => ["HOME=${cf_home}"],
223 command => "/usr/bin/make install",
224 require => User[$cf_user],
225 refreshonly => true,
226 before => [
227 File[$cf_bot_app_conf],
228 Cron["py-cryptoportfolio-before"],
229 Cron["py-cryptoportfolio-after"],
230 ]
231 }
232
233 file { $cf_bot_app_conf:
234 owner => $cf_user,
235 group => $cf_group,
236 mode => "0600",
237 content => template("role/cryptoportfolio/bot_config.ini.erb"),
238 require => [
239 User[$cf_user],
240 Archive["${cf_home}/trader_${bot_version}.tar.gz"],
241 ],
242 }
243
244 cron { "py-cryptoportfolio-before":
245 ensure => present,
246 command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before",
247 user => "cryptoportfolio",
248 weekday => 7, # Sunday
249 hour => 22,
250 minute => 30,
251 environment => ["HOME=${cf_home}","PATH=/usr/bin/"],
252 require => [
253 File[$cf_bot_app_conf],
254 Archive["${cf_home}/trader_${bot_version}.tar.gz"]
255 ],
256 }
257
258 cron { "py-cryptoportfolio-after":
259 ensure => present,
260 command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after",
261 user => "cryptoportfolio",
262 weekday => 1, # Monday
263 hour => 1,
264 minute => 0,
265 environment => ["HOME=${cf_home}","PATH=/usr/bin/"],
266 require => [
267 File[$cf_bot_app_conf],
268 Archive["${cf_home}/trader_${bot_version}.tar.gz"]
269 ],
270 }
271
272 unless empty($cf_webhook_url) {
273 exec { "bot-slack-notify":
274 refreshonly => true,
275 environment => [
276 "P_PROJECT=Trader",
277 "P_WEBHOOK=${cf_webhook_url}",
278 "P_VERSION=${bot_version}",
279 "P_HOST=${cf_front_app_host}",
280 "P_HTTPS=${cf_front_app_ssl}",
281 ],
282 command => "/usr/local/bin/slack-notify",
283 require => File["/usr/local/bin/slack-notify"],
284 subscribe => Exec["py-cryptoportfolio-dependencies"],
285 }
286 }
287 } 34 }
288 35
289 # FIXME: restore backup 36 # FIXME: restore backup
290 unless empty($front_version) { 37 unless empty($front_version) {
291 ensure_packages(["go", "npm", "nodejs", "yarn"]) 38 contain "role::cryptoportfolio::front"
292
293 file { [
294 "${cf_home}/go/",
295 "${cf_home}/go/src",
296 "${cf_home}/go/src/immae.eu",
297 "${cf_home}/go/src/immae.eu/Immae",
298 "${cf_home}/go/src/immae.eu/Immae/Projets",
299 "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies",
300 "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio",
301 $cf_front_app]:
302 ensure => "directory",
303 mode => "0700",
304 owner => $cf_user,
305 group => $cf_group,
306 require => User[$cf_user],
307 }
308
309 file { "${cf_home}/front":
310 ensure => "link",
311 target => $cf_front_app,
312 before => File[$cf_front_app],
313 }
314
315 file { "/etc/systemd/system/cryptoportfolio-app.service":
316 mode => "0644",
317 owner => "root",
318 group => "root",
319 content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"),
320 notify => Exec["systemctl daemon-reload"],
321 }
322
323 service { 'cryptoportfolio-app':
324 enable => true,
325 ensure => "running",
326 subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
327 require => [
328 File["/etc/systemd/system/cryptoportfolio-app.service"],
329 Postgresql::Server::Db[$cf_pg_db]
330 ],
331 } ~>
332 exec { "dump $cf_pg_db structure":
333 refreshonly => true,
334 user => $::profile::postgresql::pg_user,
335 group => $::profile::postgresql::pg_user,
336 command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema",
337 }
338
339 archive { "${cf_home}/front_${front_version}.tar.gz":
340 path => "${cf_home}/front_${front_version}.tar.gz",
341 source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz",
342 checksum_type => "sha256",
343 checksum => $front_sha256,
344 cleanup => false,
345 extract => true,
346 user => $cf_user,
347 username => $facts["ec2_metadata"]["hostname"],
348 password => generate_password(24, $password_seed, "ldap"),
349 extract_path => $cf_front_app,
350 require => [User[$cf_user], File[$cf_front_app]],
351 notify => [
352 Exec["web-cryptoportfolio-dependencies"],
353 Exec["go-get-dep"],
354 ]
355 }
356
357 # Api
358 file { $cf_front_app_api_conf:
359 owner => $cf_user,
360 group => $cf_group,
361 mode => "0600",
362 content => template("role/cryptoportfolio/api_conf.toml.erb"),
363 before => Exec["go-cryptoportfolio-app"],
364 }
365
366 exec { "go-get-dep":
367 user => $cf_user,
368 environment => ["HOME=${cf_home}"],
369 creates => "${cf_home}/go/bin/dep",
370 command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep",
371 refreshonly => true,
372 } ~>
373 exec { "go-cryptoportfolio-dependencies":
374 cwd => $cf_front_app,
375 user => $cf_user,
376 environment => ["HOME=${cf_home}"],
377 command => "${cf_home}/go/bin/dep ensure",
378 refreshonly => true,
379 } ~>
380 exec { "go-cryptoportfolio-app":
381 cwd => $cf_front_app_api_workdir,
382 user => $cf_user,
383 environment => ["HOME=${cf_home}"],
384 command => "/usr/bin/make build",
385 refreshonly => true,
386 }
387
388 # Static pages
389 file { $cf_front_app_static_conf:
390 owner => $cf_user,
391 group => $cf_group,
392 mode => "0600",
393 content => template("role/cryptoportfolio/static_conf.env.erb"),
394 before => Exec["web-cryptoportfolio-build"],
395 }
396
397 exec { "web-cryptoportfolio-dependencies":
398 cwd => "${cf_front_app}/cmd/web",
399 user => $cf_user,
400 environment => ["HOME=${cf_home}"],
401 command => "/usr/bin/make install",
402 refreshonly => true,
403 require => [Package["npm"], Package["nodejs"], Package["yarn"]]
404 } ~>
405 exec { "web-cryptoportfolio-build":
406 cwd => "${cf_front_app}/cmd/web",
407 user => $cf_user,
408 environment => ["HOME=${cf_home}"],
409 path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"],
410 command => "/usr/bin/make static ENV=${cf_env}",
411 refreshonly => true,
412 }
413
414 unless empty($cf_webhook_url) {
415 exec { "front-slack-notify":
416 refreshonly => true,
417 environment => [
418 "P_PROJECT=Front",
419 "P_WEBHOOK=${cf_webhook_url}",
420 "P_VERSION=${front_version}",
421 "P_HOST=${cf_front_app_host}",
422 "P_HTTPS=${cf_front_app_ssl}",
423 ],
424 command => "/usr/local/bin/slack-notify",
425 require => File["/usr/local/bin/slack-notify"],
426 subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
427 }
428 }
429 } 39 }
430} 40}
diff --git a/modules/role/manifests/cryptoportfolio/apache.pp b/modules/role/manifests/cryptoportfolio/apache.pp
new file mode 100644
index 0000000..62d5447
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/apache.pp
@@ -0,0 +1,17 @@
1class role::cryptoportfolio::apache inherits role::cryptoportfolio {
2 class { 'apache::mod::headers': }
3 apache::vhost { $web_host:
4 port => '443',
5 docroot => false,
6 manage_docroot => false,
7 proxy_dest => "http://localhost:8000",
8 request_headers => 'set X-Forwarded-Proto "https"',
9 ssl => true,
10 ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem",
11 ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem",
12 ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem",
13 require => Letsencrypt::Certonly[$web_host],
14 proxy_preserve_host => true;
15 default: * => $::profile::apache::apache_vhost_default;
16 }
17}
diff --git a/modules/role/manifests/cryptoportfolio/bot.pp b/modules/role/manifests/cryptoportfolio/bot.pp
new file mode 100644
index 0000000..a15c779
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/bot.pp
@@ -0,0 +1,101 @@
1class role::cryptoportfolio::bot inherits role::cryptoportfolio {
2 $password_seed = lookup("base_installation::puppet_pass_seed")
3
4 $cf_bot_app = "${home}/bot"
5 $cf_bot_app_conf = "${home}/bot_config.ini"
6 $cf_bot_app_reports = "${home}/bot_reports"
7
8 ensure_packages(["python", "python-pip"])
9
10 file { $cf_bot_app:
11 ensure => "directory",
12 mode => "0700",
13 owner => $user,
14 group => $group,
15 require => User["$user:"],
16 }
17
18 archive { "${home}/trader_${bot_version}.tar.gz":
19 path => "${home}/trader_${bot_version}.tar.gz",
20 source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz",
21 checksum_type => "sha256",
22 checksum => $bot_sha256,
23 cleanup => false,
24 extract => true,
25 user => $user,
26 username => lookup("base_installation::ldap_cn"),
27 password => generate_password(24, $password_seed, "ldap"),
28 extract_path => $cf_bot_app,
29 require => [User["$user:"], File[$cf_bot_app]],
30 } ~>
31 exec { "py-cryptoportfolio-dependencies":
32 cwd => $cf_bot_app,
33 user => $user,
34 environment => ["HOME=${home}"],
35 command => "/usr/bin/make install",
36 require => User["$user:"],
37 refreshonly => true,
38 before => [
39 File[$cf_bot_app_conf],
40 Cron["py-cryptoportfolio-before"],
41 Cron["py-cryptoportfolio-after"],
42 ]
43 }
44
45 $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
46 file { $cf_bot_app_conf:
47 owner => $user,
48 group => $group,
49 mode => "0600",
50 content => template("role/cryptoportfolio/bot_config.ini.erb"),
51 require => [
52 User["$user:"],
53 Archive["${home}/trader_${bot_version}.tar.gz"],
54 ],
55 }
56
57 cron { "py-cryptoportfolio-before":
58 ensure => present,
59 command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before",
60 user => $user,
61 weekday => 7, # Sunday
62 hour => 22,
63 minute => 30,
64 environment => ["HOME=${home}","PATH=/usr/bin/"],
65 require => [
66 File[$cf_bot_app_conf],
67 Archive["${home}/trader_${bot_version}.tar.gz"]
68 ],
69 }
70
71 cron { "py-cryptoportfolio-after":
72 ensure => present,
73 command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after",
74 user => $user,
75 weekday => 1, # Monday
76 hour => 1,
77 minute => 0,
78 environment => ["HOME=${home}","PATH=/usr/bin/"],
79 require => [
80 File[$cf_bot_app_conf],
81 Archive["${home}/trader_${bot_version}.tar.gz"]
82 ],
83 }
84
85 unless empty($webhook_url) {
86 exec { "bot-slack-notify":
87 refreshonly => true,
88 environment => [
89 "P_PROJECT=Trader",
90 "P_WEBHOOK=${webhook_url}",
91 "P_VERSION=${bot_version}",
92 "P_HOST=${web_host}",
93 "P_HTTPS=${web_ssl}",
94 ],
95 command => "/usr/local/bin/slack-notify",
96 require => File["/usr/local/bin/slack-notify"],
97 subscribe => Exec["py-cryptoportfolio-dependencies"],
98 }
99 }
100}
101
diff --git a/modules/role/manifests/cryptoportfolio/front.pp b/modules/role/manifests/cryptoportfolio/front.pp
new file mode 100644
index 0000000..280ef8b
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/front.pp
@@ -0,0 +1,158 @@
1class role::cryptoportfolio::front inherits role::cryptoportfolio {
2 ensure_resource('exec', 'systemctl daemon-reload', {
3 command => '/usr/bin/systemctl daemon-reload',
4 refreshonly => true
5 })
6
7 $password_seed = lookup("base_installation::puppet_pass_seed")
8
9 $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
10 $cf_front_app_api_workdir = "${cf_front_app}/cmd/app"
11 $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app"
12 $cf_front_app_api_conf = "${home}/conf.toml"
13 $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret")
14
15 $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
16
17 ensure_packages(["go", "npm", "nodejs", "yarn"])
18
19 file { [
20 "${home}/go/",
21 "${home}/go/src",
22 "${home}/go/src/immae.eu",
23 "${home}/go/src/immae.eu/Immae",
24 "${home}/go/src/immae.eu/Immae/Projets",
25 "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies",
26 "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio",
27 $cf_front_app]:
28 ensure => "directory",
29 mode => "0700",
30 owner => $user,
31 group => $group,
32 require => User["$user:"],
33 }
34
35 file { "${home}/front":
36 ensure => "link",
37 target => $cf_front_app,
38 before => File[$cf_front_app],
39 }
40
41 file { "/etc/systemd/system/cryptoportfolio-app.service":
42 mode => "0644",
43 owner => "root",
44 group => "root",
45 content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"),
46 notify => Exec["systemctl daemon-reload"],
47 }
48
49 service { 'cryptoportfolio-app':
50 enable => true,
51 ensure => "running",
52 subscribe => [File[$cf_front_app_api_conf], Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
53 require => [
54 File["/etc/systemd/system/cryptoportfolio-app.service"],
55 Postgresql::Server::Db[$pg_db]
56 ],
57 } ~>
58 exec { "dump $pg_db structure":
59 refreshonly => true,
60 user => $::profile::postgresql::pg_user,
61 group => $::profile::postgresql::pg_user,
62 command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema",
63 }
64
65 archive { "${home}/front_${front_version}.tar.gz":
66 path => "${home}/front_${front_version}.tar.gz",
67 source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz",
68 checksum_type => "sha256",
69 checksum => $front_sha256,
70 cleanup => false,
71 extract => true,
72 user => $user,
73 username => lookup("base_installation::ldap_cn"),
74 password => generate_password(24, $password_seed, "ldap"),
75 extract_path => $cf_front_app,
76 require => [User["$user:"], File[$cf_front_app]],
77 notify => [
78 Exec["web-cryptoportfolio-dependencies"],
79 Exec["go-get-dep"],
80 ]
81 }
82
83 # Api
84 $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
85 $pg_host = "${pg_hostname}:${pg_port}"
86 file { $cf_front_app_api_conf:
87 owner => $user,
88 group => $group,
89 mode => "0600",
90 content => template("role/cryptoportfolio/api_conf.toml.erb"),
91 before => Exec["go-cryptoportfolio-app"],
92 }
93
94 exec { "go-get-dep":
95 user => $user,
96 environment => ["HOME=${home}"],
97 creates => "${home}/go/bin/dep",
98 command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep",
99 refreshonly => true,
100 } ~>
101 exec { "go-cryptoportfolio-dependencies":
102 cwd => $cf_front_app,
103 user => $user,
104 environment => ["HOME=${home}"],
105 command => "${home}/go/bin/dep ensure",
106 refreshonly => true,
107 } ~>
108 exec { "go-cryptoportfolio-app":
109 cwd => $cf_front_app_api_workdir,
110 user => $user,
111 environment => ["HOME=${home}"],
112 command => "/usr/bin/make build",
113 refreshonly => true,
114 }
115
116 # Static pages
117 file { $cf_front_app_static_conf:
118 owner => $user,
119 group => $group,
120 mode => "0600",
121 content => template("role/cryptoportfolio/static_conf.env.erb"),
122 before => Exec["web-cryptoportfolio-build"],
123 }
124
125 exec { "web-cryptoportfolio-dependencies":
126 cwd => "${cf_front_app}/cmd/web",
127 user => $user,
128 environment => ["HOME=${home}"],
129 command => "/usr/bin/make install",
130 refreshonly => true,
131 require => [Package["npm"], Package["nodejs"], Package["yarn"]]
132 } ~>
133 exec { "web-cryptoportfolio-build":
134 cwd => "${cf_front_app}/cmd/web",
135 user => $user,
136 environment => ["HOME=${home}"],
137 path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"],
138 command => "/usr/bin/make static ENV=${env}",
139 refreshonly => true,
140 }
141
142 unless empty($webhook_url) {
143 exec { "front-slack-notify":
144 refreshonly => true,
145 environment => [
146 "P_PROJECT=Front",
147 "P_WEBHOOK=${webhook_url}",
148 "P_VERSION=${front_version}",
149 "P_HOST=${web_host}",
150 "P_HTTPS=${web_ssl}",
151 ],
152 command => "/usr/local/bin/slack-notify",
153 require => File["/usr/local/bin/slack-notify"],
154 subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
155 }
156 }
157
158}
diff --git a/modules/role/manifests/cryptoportfolio/notify.pp b/modules/role/manifests/cryptoportfolio/notify.pp
new file mode 100644
index 0000000..218312c
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/notify.pp
@@ -0,0 +1,6 @@
1class role::cryptoportfolio::notify inherits role::cryptoportfolio {
2 file { "/usr/local/bin/slack-notify":
3 mode => "0755",
4 source => "puppet:///modules/role/cryptoportfolio/slack-notify.py",
5 }
6}
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
new file mode 100644
index 0000000..cc4d2a9
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -0,0 +1,116 @@
1class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
2 $password_seed = lookup("base_installation::puppet_pass_seed")
3
4 $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
5 $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
6
7 file { "/var/lib/postgres/data/certs":
8 ensure => directory,
9 mode => "0700",
10 owner => $::profile::postgresql::pg_user,
11 group => $::profile::postgresql::pg_user,
12 require => File["/var/lib/postgres"],
13 }
14
15 file { "/var/lib/postgres/data/certs/cert.pem":
16 source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
17 mode => "0600",
18 links => "follow",
19 owner => $::profile::postgresql::pg_user,
20 group => $::profile::postgresql::pg_user,
21 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
22 }
23
24 file { "/var/lib/postgres/data/certs/privkey.pem":
25 source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
26 mode => "0600",
27 links => "follow",
28 owner => $::profile::postgresql::pg_user,
29 group => $::profile::postgresql::pg_user,
30 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
31 }
32
33 postgresql::server::config_entry { "wal_level":
34 value => "logical",
35 }
36
37 postgresql::server::config_entry { "ssl":
38 value => "on",
39 require => Letsencrypt::Certonly[$web_host],
40 }
41
42 postgresql::server::config_entry { "ssl_cert_file":
43 value => "/var/lib/postgres/data/certs/cert.pem",
44 require => Letsencrypt::Certonly[$web_host],
45 }
46
47 postgresql::server::config_entry { "ssl_key_file":
48 value => "/var/lib/postgres/data/certs/privkey.pem",
49 require => Letsencrypt::Certonly[$web_host],
50 }
51
52 postgresql::server::db { $pg_db:
53 user => $pg_user,
54 password => postgresql_password($pg_user, $pg_password),
55 }
56 ->
57 postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
58 db => $pg_db,
59 unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
60 }
61 ->
62 postgresql::server::role { $pg_user_replication:
63 db => $pg_db,
64 replication => true,
65 password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
66 }
67 ->
68 postgresql::server::database_grant { $pg_user_replication:
69 db => $pg_db,
70 privilege => "CONNECT",
71 role => $pg_user_replication,
72 }
73 ->
74 postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
75 db => $pg_db,
76 role => $pg_user_replication,
77 privilege => "SELECT",
78 object_type => "ALL TABLES IN SCHEMA",
79 object_name => "public",
80 }
81 ->
82 postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
83 db => $pg_db,
84 role => $pg_user_replication,
85 privilege => "SELECT",
86 object_type => "ALL SEQUENCES IN SCHEMA",
87 object_name => "public",
88 }
89
90 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
91 type => 'host',
92 database => $pg_db,
93 user => $pg_user,
94 address => '127.0.0.1/32',
95 auth_method => 'md5',
96 order => "05-01",
97 }
98 postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
99 type => 'host',
100 database => $pg_db,
101 user => $pg_user,
102 address => '::1/128',
103 auth_method => 'md5',
104 order => "05-01",
105 }
106
107 postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
108 type => 'hostssl',
109 database => $pg_db,
110 user => $pg_user_replication,
111 address => 'immae.eu',
112 auth_method => 'md5',
113 order => "05-01",
114 }
115
116}
diff --git a/modules/role/templates/cryptoportfolio/api_conf.toml.erb b/modules/role/templates/cryptoportfolio/api_conf.toml.erb
index 13550c9..7a4b66d 100644
--- a/modules/role/templates/cryptoportfolio/api_conf.toml.erb
+++ b/modules/role/templates/cryptoportfolio/api_conf.toml.erb
@@ -1,15 +1,15 @@
1log_level="info" 1log_level="info"
2mode="<%= @cf_env %>" 2mode="<%= @env %>"
3log_out="stdout" 3log_out="stdout"
4 4
5[db] 5[db]
6user="<%= @cf_pg_user %>" 6user="<%= @pg_user %>"
7password="<%= @cf_pg_password %>" 7password="<%= @pg_password %>"
8database="<%= @cf_pg_db %>" 8database="<%= @pg_db %>"
9address="<%= @cf_pg_host %>" 9address="<%= @pg_host %>"
10 10
11[api] 11[api]
12domain="<%= @cf_front_app_host %>" 12domain="<%= @web_host %>"
13jwt_secret="<%= @cf_front_app_api_secret %>" 13jwt_secret="<%= @cf_front_app_api_secret %>"
14 14
15[app] 15[app]
diff --git a/modules/role/templates/cryptoportfolio/bot_config.ini.erb b/modules/role/templates/cryptoportfolio/bot_config.ini.erb
index 30298eb..b0211a6 100644
--- a/modules/role/templates/cryptoportfolio/bot_config.ini.erb
+++ b/modules/role/templates/cryptoportfolio/bot_config.ini.erb
@@ -1,9 +1,9 @@
1[postgresql] 1[postgresql]
2host = <%= @cf_pg_hostname %> 2host = <%= @pg_hostname %>
3port = <%= @cf_pg_port %> 3port = <%= @pg_port %>
4user = <%= @cf_pg_user %> 4user = <%= @pg_user %>
5password = <%= @cf_pg_password %> 5password = <%= @pg_password %>
6database = <%= @cf_pg_db %> 6database = <%= @pg_db %>
7 7
8[app] 8[app]
9report_path = <%= @cf_bot_app_reports %> 9report_path = <%= @cf_bot_app_reports %>
diff --git a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb
index a521c0e..ed2b908 100644
--- a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb
+++ b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb
@@ -5,8 +5,8 @@ Description=Cryptoportfolio app
5Type=simple 5Type=simple
6 6
7WorkingDirectory=<%= @cf_front_app_api_workdir %> 7WorkingDirectory=<%= @cf_front_app_api_workdir %>
8User=<%= @cf_user %> 8User=<%= @user %>
9Group=<%= @cf_group %> 9Group=<%= @group %>
10UMask=007 10UMask=007
11 11
12ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %> 12ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %>
diff --git a/modules/role/templates/cryptoportfolio/static_conf.env.erb b/modules/role/templates/cryptoportfolio/static_conf.env.erb
index db9759d..314ee14 100644
--- a/modules/role/templates/cryptoportfolio/static_conf.env.erb
+++ b/modules/role/templates/cryptoportfolio/static_conf.env.erb
@@ -1,4 +1,4 @@
1API_HOST="<%= @cf_front_app_host %>" 1API_HOST="<%= @web_host %>"
2API_PORT="<%= @cf_front_app_port %>" 2API_PORT="<%= @web_port %>"
3API_HTTPS="<%= @cf_front_app_ssl %>" 3API_HTTPS="<%= @web_ssl %>"
4 4