6 files changed, 403 insertions, 380 deletions

diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 503620b..799e297 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -17,11 +17,6 @@ class role::cryptoportfolio (
   Optional[String]  $bot_version          = undef,
   Optional[String]  $bot_sha256           = undef,
 ) {
-  ensure_resource('exec', 'systemctl daemon-reload', {
-    command     => '/usr/bin/systemctl daemon-reload',
-    refreshonly =>  true
-  })
-
   include "base_installation"
 
   include "profile::tools"
@@ -29,387 +24,17 @@ class role::cryptoportfolio (
   include "profile::apache"
   include "profile::xmr_stak"
 
-  $password_seed = lookup("base_installation::puppet_pass_seed")
-
-  $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
-  $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
-  $pg_host = "${pg_hostname}:${pg_port}"
-
-  $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
-  $cf_front_app_api_workdir = "${cf_front_app}/cmd/app"
-  $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app"
-  $cf_front_app_api_conf = "${home}/conf.toml"
-  $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret")
-
-  $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
-
-  $cf_bot_app = "${home}/bot"
-  $cf_bot_app_conf = "${home}/bot_config.ini"
-  $cf_bot_app_reports = "${home}/bot_reports"
-
-  file { "/var/lib/postgres/data/certs":
-    ensure  => directory,
-    mode    => "0700",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => File["/var/lib/postgres"],
-  }
-
-  file { "/var/lib/postgres/data/certs/cert.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-
-  file { "/var/lib/postgres/data/certs/privkey.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-
-  postgresql::server::config_entry { "wal_level":
-    value   => "logical",
-  }
-
-  postgresql::server::config_entry { "ssl":
-    value   => "on",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-
-  postgresql::server::config_entry { "ssl_cert_file":
-    value   => "/var/lib/postgres/data/certs/cert.pem",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-
-  postgresql::server::config_entry { "ssl_key_file":
-    value   => "/var/lib/postgres/data/certs/privkey.pem",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-
-  postgresql::server::db { $pg_db:
-    user     =>  $pg_user,
-    password =>  postgresql_password($pg_user, $pg_password),
-  }
-  ->
-  postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
-    db     => $pg_db,
-    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
-  }
-  ->
-  postgresql::server::role { $pg_user_replication:
-    db            => $pg_db,
-    replication   => true,
-    password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
-  }
-  ->
-  postgresql::server::database_grant { $pg_user_replication:
-    db        => $pg_db,
-    privilege => "CONNECT",
-    role      => $pg_user_replication,
-  }
-  ->
-  postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
-    db          => $pg_db,
-    role        => $pg_user_replication,
-    privilege   => "SELECT",
-    object_type => "ALL TABLES IN SCHEMA",
-    object_name => "public",
-  }
-  ->
-  postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
-    db          => $pg_db,
-    role        => $pg_user_replication,
-    privilege   => "SELECT",
-    object_type => "ALL SEQUENCES IN SCHEMA",
-    object_name => "public",
-  }
-
-  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
-    type        => 'host',
-    database    => $pg_db,
-    user        => $pg_user,
-    address     => '127.0.0.1/32',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
-  postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
-    type        => 'host',
-    database    => $pg_db,
-    user        => $pg_user,
-    address     => '::1/128',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
+  contain "role::cryptoportfolio::postgresql"
+  contain "role::cryptoportfolio::apache"
 
-  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
-    type        => 'hostssl',
-    database    => $pg_db,
-    user        => $pg_user_replication,
-    address     => 'immae.eu',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
-
-  class { 'apache::mod::headers': }
-  apache::vhost { $web_host:
-    port                => '443',
-    docroot             => false,
-    manage_docroot      => false,
-    proxy_dest          => "http://localhost:8000",
-    request_headers     => 'set X-Forwarded-Proto "https"',
-    ssl                 => true,
-    ssl_cert            => "/etc/letsencrypt/live/$web_host/cert.pem",
-    ssl_key             => "/etc/letsencrypt/live/$web_host/privkey.pem",
-    ssl_chain           => "/etc/letsencrypt/live/$web_host/chain.pem",
-    require             => Letsencrypt::Certonly[$web_host],
-    proxy_preserve_host => true;
-    default: *          => $::profile::apache::apache_vhost_default;
-  }
-
-  file { "/usr/local/bin/slack-notify":
-    mode   => "0755",
-    source => "puppet:///modules/role/cryptoportfolio/slack-notify.py",
-  }
+  contain "role::cryptoportfolio::notify"
 
   unless empty($bot_version) {
-    ensure_packages(["python", "python-pip"])
-
-    file { $cf_bot_app:
-      ensure  => "directory",
-      mode    => "0700",
-      owner   => $user,
-      group   => $group,
-      require => User["$user:"],
-    }
-
-    archive { "${home}/trader_${bot_version}.tar.gz":
-      path          => "${home}/trader_${bot_version}.tar.gz",
-      source        => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz",
-      checksum_type => "sha256",
-      checksum      => $bot_sha256,
-      cleanup       => false,
-      extract       => true,
-      user          => $user,
-      username      => lookup("base_installation::ldap_cn"),
-      password      => generate_password(24, $password_seed, "ldap"),
-      extract_path  => $cf_bot_app,
-      require       => [User["$user:"], File[$cf_bot_app]],
-    } ~>
-    exec { "py-cryptoportfolio-dependencies":
-      cwd         => $cf_bot_app,
-      user        => $user,
-      environment => ["HOME=${home}"],
-      command     => "/usr/bin/make install",
-      require     => User["$user:"],
-      refreshonly => true,
-      before      => [
-        File[$cf_bot_app_conf],
-        Cron["py-cryptoportfolio-before"],
-        Cron["py-cryptoportfolio-after"],
-      ]
-    }
-
-    file { $cf_bot_app_conf:
-      owner   => $user,
-      group   => $group,
-      mode    => "0600",
-      content => template("role/cryptoportfolio/bot_config.ini.erb"),
-      require => [
-        User["$user:"],
-        Archive["${home}/trader_${bot_version}.tar.gz"],
-      ],
-    }
-
-    cron { "py-cryptoportfolio-before":
-      ensure      => present,
-      command     => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before",
-      user        => $user,
-      weekday     => 7, # Sunday
-      hour        => 22,
-      minute      => 30,
-      environment => ["HOME=${home}","PATH=/usr/bin/"],
-      require     => [
-        File[$cf_bot_app_conf],
-        Archive["${home}/trader_${bot_version}.tar.gz"]
-      ],
-    }
-
-    cron { "py-cryptoportfolio-after":
-      ensure      => present,
-      command     => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after",
-      user        => $user,
-      weekday     => 1, # Monday
-      hour        => 1,
-      minute      => 0,
-      environment => ["HOME=${home}","PATH=/usr/bin/"],
-      require     => [
-        File[$cf_bot_app_conf],
-        Archive["${home}/trader_${bot_version}.tar.gz"]
-      ],
-    }
-
-    unless empty($webhook_url) {
-      exec { "bot-slack-notify":
-        refreshonly => true,
-        environment => [
-          "P_PROJECT=Trader",
-          "P_WEBHOOK=${webhook_url}",
-          "P_VERSION=${bot_version}",
-          "P_HOST=${web_host}",
-          "P_HTTPS=${web_ssl}",
-        ],
-        command     => "/usr/local/bin/slack-notify",
-        require     => File["/usr/local/bin/slack-notify"],
-        subscribe   => Exec["py-cryptoportfolio-dependencies"],
-      }
-    }
+    contain "role::cryptoportfolio::bot"
   }
 
   # FIXME: restore backup
   unless empty($front_version) {
-    ensure_packages(["go", "npm", "nodejs", "yarn"])
-
-    file { [
-        "${home}/go/",
-        "${home}/go/src",
-        "${home}/go/src/immae.eu",
-        "${home}/go/src/immae.eu/Immae",
-        "${home}/go/src/immae.eu/Immae/Projets",
-        "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies",
-        "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio",
-        $cf_front_app]:
-      ensure  => "directory",
-      mode    => "0700",
-      owner   => $user,
-      group   => $group,
-      require => User["$user:"],
-    }
-
-    file { "${home}/front":
-      ensure  => "link",
-      target  => $cf_front_app,
-      before => File[$cf_front_app],
-    }
-
-    file { "/etc/systemd/system/cryptoportfolio-app.service":
-      mode    => "0644",
-      owner   => "root",
-      group   => "root",
-      content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"),
-      notify  => Exec["systemctl daemon-reload"],
-    }
-
-    service { 'cryptoportfolio-app':
-      enable    => true,
-      ensure    => "running",
-      subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
-      require   => [
-        File["/etc/systemd/system/cryptoportfolio-app.service"],
-        Postgresql::Server::Db[$pg_db]
-      ],
-    } ~>
-    exec { "dump $pg_db structure":
-      refreshonly => true,
-      user        => $::profile::postgresql::pg_user,
-      group       => $::profile::postgresql::pg_user,
-      command     => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema",
-    }
-
-    archive { "${home}/front_${front_version}.tar.gz":
-      path          => "${home}/front_${front_version}.tar.gz",
-      source        => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz",
-      checksum_type => "sha256",
-      checksum      => $front_sha256,
-      cleanup       => false,
-      extract       => true,
-      user          => $user,
-      username      => lookup("base_installation::ldap_cn"),
-      password      => generate_password(24, $password_seed, "ldap"),
-      extract_path  => $cf_front_app,
-      require       => [User["$user:"], File[$cf_front_app]],
-      notify        => [
-        Exec["web-cryptoportfolio-dependencies"],
-        Exec["go-get-dep"],
-      ]
-    }
-
-    # Api
-    file { $cf_front_app_api_conf:
-      owner   => $user,
-      group   => $group,
-      mode    => "0600",
-      content => template("role/cryptoportfolio/api_conf.toml.erb"),
-      before  => Exec["go-cryptoportfolio-app"],
-    }
-
-    exec { "go-get-dep":
-      user        => $user,
-      environment => ["HOME=${home}"],
-      creates     => "${home}/go/bin/dep",
-      command     => "/usr/bin/go get -u github.com/golang/dep/cmd/dep",
-      refreshonly => true,
-    } ~>
-    exec { "go-cryptoportfolio-dependencies":
-      cwd         => $cf_front_app,
-      user        => $user,
-      environment => ["HOME=${home}"],
-      command     => "${home}/go/bin/dep ensure",
-      refreshonly => true,
-    } ~>
-    exec { "go-cryptoportfolio-app":
-      cwd         => $cf_front_app_api_workdir,
-      user        => $user,
-      environment => ["HOME=${home}"],
-      command     => "/usr/bin/make build",
-      refreshonly => true,
-    }
-
-    # Static pages
-    file { $cf_front_app_static_conf:
-      owner   => $user,
-      group   => $group,
-      mode    => "0600",
-      content => template("role/cryptoportfolio/static_conf.env.erb"),
-      before  => Exec["web-cryptoportfolio-build"],
-    }
-
-    exec { "web-cryptoportfolio-dependencies":
-      cwd         => "${cf_front_app}/cmd/web",
-      user        => $user,
-      environment => ["HOME=${home}"],
-      command     => "/usr/bin/make install",
-      refreshonly => true,
-      require     => [Package["npm"], Package["nodejs"], Package["yarn"]]
-    } ~>
-    exec { "web-cryptoportfolio-build":
-      cwd         => "${cf_front_app}/cmd/web",
-      user        => $user,
-      environment => ["HOME=${home}"],
-      path        => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"],
-      command     => "/usr/bin/make static ENV=${env}",
-      refreshonly => true,
-    }
-
-    unless empty($webhook_url) {
-      exec { "front-slack-notify":
-        refreshonly => true,
-        environment => [
-          "P_PROJECT=Front",
-          "P_WEBHOOK=${webhook_url}",
-          "P_VERSION=${front_version}",
-          "P_HOST=${web_host}",
-          "P_HTTPS=${web_ssl}",
-        ],
-        command     => "/usr/local/bin/slack-notify",
-        require     => File["/usr/local/bin/slack-notify"],
-        subscribe   => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
-      }
-    }
+    contain "role::cryptoportfolio::front"
   }
 }
diff --git a/modules/role/manifests/cryptoportfolio/apache.pp b/modules/role/manifests/cryptoportfolio/apache.pp
new file mode 100644
index 0000000..62d5447
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/apache.pp
@@ -0,0 +1,17 @@
+class role::cryptoportfolio::apache inherits role::cryptoportfolio {
+  class { 'apache::mod::headers': }
+  apache::vhost { $web_host:
+    port                => '443',
+    docroot             => false,
+    manage_docroot      => false,
+    proxy_dest          => "http://localhost:8000",
+    request_headers     => 'set X-Forwarded-Proto "https"',
+    ssl                 => true,
+    ssl_cert            => "/etc/letsencrypt/live/$web_host/cert.pem",
+    ssl_key             => "/etc/letsencrypt/live/$web_host/privkey.pem",
+    ssl_chain           => "/etc/letsencrypt/live/$web_host/chain.pem",
+    require             => Letsencrypt::Certonly[$web_host],
+    proxy_preserve_host => true;
+    default: *          => $::profile::apache::apache_vhost_default;
+  }
+}
diff --git a/modules/role/manifests/cryptoportfolio/bot.pp b/modules/role/manifests/cryptoportfolio/bot.pp
new file mode 100644
index 0000000..a15c779
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/bot.pp
@@ -0,0 +1,101 @@
+class role::cryptoportfolio::bot inherits role::cryptoportfolio {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+
+  $cf_bot_app = "${home}/bot"
+  $cf_bot_app_conf = "${home}/bot_config.ini"
+  $cf_bot_app_reports = "${home}/bot_reports"
+
+  ensure_packages(["python", "python-pip"])
+
+  file { $cf_bot_app:
+    ensure  => "directory",
+    mode    => "0700",
+    owner   => $user,
+    group   => $group,
+    require => User["$user:"],
+  }
+
+  archive { "${home}/trader_${bot_version}.tar.gz":
+    path          => "${home}/trader_${bot_version}.tar.gz",
+    source        => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz",
+    checksum_type => "sha256",
+    checksum      => $bot_sha256,
+    cleanup       => false,
+    extract       => true,
+    user          => $user,
+    username      => lookup("base_installation::ldap_cn"),
+    password      => generate_password(24, $password_seed, "ldap"),
+    extract_path  => $cf_bot_app,
+    require       => [User["$user:"], File[$cf_bot_app]],
+  } ~>
+  exec { "py-cryptoportfolio-dependencies":
+    cwd         => $cf_bot_app,
+    user        => $user,
+    environment => ["HOME=${home}"],
+    command     => "/usr/bin/make install",
+    require     => User["$user:"],
+    refreshonly => true,
+    before      => [
+      File[$cf_bot_app_conf],
+      Cron["py-cryptoportfolio-before"],
+      Cron["py-cryptoportfolio-after"],
+    ]
+  }
+
+  $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
+  file { $cf_bot_app_conf:
+    owner   => $user,
+    group   => $group,
+    mode    => "0600",
+    content => template("role/cryptoportfolio/bot_config.ini.erb"),
+    require => [
+      User["$user:"],
+      Archive["${home}/trader_${bot_version}.tar.gz"],
+    ],
+  }
+
+  cron { "py-cryptoportfolio-before":
+    ensure      => present,
+    command     => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before",
+    user        => $user,
+    weekday     => 7, # Sunday
+    hour        => 22,
+    minute      => 30,
+    environment => ["HOME=${home}","PATH=/usr/bin/"],
+    require     => [
+      File[$cf_bot_app_conf],
+      Archive["${home}/trader_${bot_version}.tar.gz"]
+    ],
+  }
+
+  cron { "py-cryptoportfolio-after":
+    ensure      => present,
+    command     => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after",
+    user        => $user,
+    weekday     => 1, # Monday
+    hour        => 1,
+    minute      => 0,
+    environment => ["HOME=${home}","PATH=/usr/bin/"],
+    require     => [
+      File[$cf_bot_app_conf],
+      Archive["${home}/trader_${bot_version}.tar.gz"]
+    ],
+  }
+
+  unless empty($webhook_url) {
+    exec { "bot-slack-notify":
+      refreshonly => true,
+      environment => [
+        "P_PROJECT=Trader",
+        "P_WEBHOOK=${webhook_url}",
+        "P_VERSION=${bot_version}",
+        "P_HOST=${web_host}",
+        "P_HTTPS=${web_ssl}",
+      ],
+      command     => "/usr/local/bin/slack-notify",
+      require     => File["/usr/local/bin/slack-notify"],
+      subscribe   => Exec["py-cryptoportfolio-dependencies"],
+    }
+  }
+}
+
diff --git a/modules/role/manifests/cryptoportfolio/front.pp b/modules/role/manifests/cryptoportfolio/front.pp
new file mode 100644
index 0000000..280ef8b
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/front.pp
@@ -0,0 +1,158 @@
+class role::cryptoportfolio::front inherits role::cryptoportfolio {
+  ensure_resource('exec', 'systemctl daemon-reload', {
+    command     => '/usr/bin/systemctl daemon-reload',
+    refreshonly =>  true
+  })
+
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+
+  $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front"
+  $cf_front_app_api_workdir = "${cf_front_app}/cmd/app"
+  $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app"
+  $cf_front_app_api_conf = "${home}/conf.toml"
+  $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret")
+
+  $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
+
+  ensure_packages(["go", "npm", "nodejs", "yarn"])
+
+  file { [
+      "${home}/go/",
+      "${home}/go/src",
+      "${home}/go/src/immae.eu",
+      "${home}/go/src/immae.eu/Immae",
+      "${home}/go/src/immae.eu/Immae/Projets",
+      "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies",
+      "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio",
+      $cf_front_app]:
+    ensure  => "directory",
+    mode    => "0700",
+    owner   => $user,
+    group   => $group,
+    require => User["$user:"],
+  }
+
+  file { "${home}/front":
+    ensure  => "link",
+    target  => $cf_front_app,
+    before => File[$cf_front_app],
+  }
+
+  file { "/etc/systemd/system/cryptoportfolio-app.service":
+    mode    => "0644",
+    owner   => "root",
+    group   => "root",
+    content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"),
+    notify  => Exec["systemctl daemon-reload"],
+  }
+
+  service { 'cryptoportfolio-app':
+    enable    => true,
+    ensure    => "running",
+    subscribe => [File[$cf_front_app_api_conf], Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
+    require   => [
+      File["/etc/systemd/system/cryptoportfolio-app.service"],
+      Postgresql::Server::Db[$pg_db]
+    ],
+  } ~>
+  exec { "dump $pg_db structure":
+    refreshonly => true,
+    user        => $::profile::postgresql::pg_user,
+    group       => $::profile::postgresql::pg_user,
+    command     => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema",
+  }
+
+  archive { "${home}/front_${front_version}.tar.gz":
+    path          => "${home}/front_${front_version}.tar.gz",
+    source        => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz",
+    checksum_type => "sha256",
+    checksum      => $front_sha256,
+    cleanup       => false,
+    extract       => true,
+    user          => $user,
+    username      => lookup("base_installation::ldap_cn"),
+    password      => generate_password(24, $password_seed, "ldap"),
+    extract_path  => $cf_front_app,
+    require       => [User["$user:"], File[$cf_front_app]],
+    notify        => [
+      Exec["web-cryptoportfolio-dependencies"],
+      Exec["go-get-dep"],
+    ]
+  }
+
+  # Api
+  $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
+  $pg_host = "${pg_hostname}:${pg_port}"
+  file { $cf_front_app_api_conf:
+    owner   => $user,
+    group   => $group,
+    mode    => "0600",
+    content => template("role/cryptoportfolio/api_conf.toml.erb"),
+    before  => Exec["go-cryptoportfolio-app"],
+  }
+
+  exec { "go-get-dep":
+    user        => $user,
+    environment => ["HOME=${home}"],
+    creates     => "${home}/go/bin/dep",
+    command     => "/usr/bin/go get -u github.com/golang/dep/cmd/dep",
+    refreshonly => true,
+  } ~>
+  exec { "go-cryptoportfolio-dependencies":
+    cwd         => $cf_front_app,
+    user        => $user,
+    environment => ["HOME=${home}"],
+    command     => "${home}/go/bin/dep ensure",
+    refreshonly => true,
+  } ~>
+  exec { "go-cryptoportfolio-app":
+    cwd         => $cf_front_app_api_workdir,
+    user        => $user,
+    environment => ["HOME=${home}"],
+    command     => "/usr/bin/make build",
+    refreshonly => true,
+  }
+
+  # Static pages
+  file { $cf_front_app_static_conf:
+    owner   => $user,
+    group   => $group,
+    mode    => "0600",
+    content => template("role/cryptoportfolio/static_conf.env.erb"),
+    before  => Exec["web-cryptoportfolio-build"],
+  }
+
+  exec { "web-cryptoportfolio-dependencies":
+    cwd         => "${cf_front_app}/cmd/web",
+    user        => $user,
+    environment => ["HOME=${home}"],
+    command     => "/usr/bin/make install",
+    refreshonly => true,
+    require     => [Package["npm"], Package["nodejs"], Package["yarn"]]
+  } ~>
+  exec { "web-cryptoportfolio-build":
+    cwd         => "${cf_front_app}/cmd/web",
+    user        => $user,
+    environment => ["HOME=${home}"],
+    path        => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"],
+    command     => "/usr/bin/make static ENV=${env}",
+    refreshonly => true,
+  }
+
+  unless empty($webhook_url) {
+    exec { "front-slack-notify":
+      refreshonly => true,
+      environment => [
+        "P_PROJECT=Front",
+        "P_WEBHOOK=${webhook_url}",
+        "P_VERSION=${front_version}",
+        "P_HOST=${web_host}",
+        "P_HTTPS=${web_ssl}",
+      ],
+      command     => "/usr/local/bin/slack-notify",
+      require     => File["/usr/local/bin/slack-notify"],
+      subscribe   => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
+    }
+  }
+
+}
diff --git a/modules/role/manifests/cryptoportfolio/notify.pp b/modules/role/manifests/cryptoportfolio/notify.pp
new file mode 100644
index 0000000..218312c
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/notify.pp
@@ -0,0 +1,6 @@
+class role::cryptoportfolio::notify inherits role::cryptoportfolio {
+  file { "/usr/local/bin/slack-notify":
+    mode   => "0755",
+    source => "puppet:///modules/role/cryptoportfolio/slack-notify.py",
+  }
+}
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
new file mode 100644
index 0000000..cc4d2a9
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -0,0 +1,116 @@
+class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+
+  $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
+  $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
+
+  file { "/var/lib/postgres/data/certs":
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => File["/var/lib/postgres"],
+  }
+
+  file { "/var/lib/postgres/data/certs/cert.pem":
+    source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
+  }
+
+  file { "/var/lib/postgres/data/certs/privkey.pem":
+    source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
+  }
+
+  postgresql::server::config_entry { "wal_level":
+    value   => "logical",
+  }
+
+  postgresql::server::config_entry { "ssl":
+    value   => "on",
+    require => Letsencrypt::Certonly[$web_host],
+  }
+
+  postgresql::server::config_entry { "ssl_cert_file":
+    value   => "/var/lib/postgres/data/certs/cert.pem",
+    require => Letsencrypt::Certonly[$web_host],
+  }
+
+  postgresql::server::config_entry { "ssl_key_file":
+    value   => "/var/lib/postgres/data/certs/privkey.pem",
+    require => Letsencrypt::Certonly[$web_host],
+  }
+
+  postgresql::server::db { $pg_db:
+    user     =>  $pg_user,
+    password =>  postgresql_password($pg_user, $pg_password),
+  }
+  ->
+  postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
+    db     => $pg_db,
+    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
+  }
+  ->
+  postgresql::server::role { $pg_user_replication:
+    db            => $pg_db,
+    replication   => true,
+    password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
+  }
+  ->
+  postgresql::server::database_grant { $pg_user_replication:
+    db        => $pg_db,
+    privilege => "CONNECT",
+    role      => $pg_user_replication,
+  }
+  ->
+  postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
+    db          => $pg_db,
+    role        => $pg_user_replication,
+    privilege   => "SELECT",
+    object_type => "ALL TABLES IN SCHEMA",
+    object_name => "public",
+  }
+  ->
+  postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
+    db          => $pg_db,
+    role        => $pg_user_replication,
+    privilege   => "SELECT",
+    object_type => "ALL SEQUENCES IN SCHEMA",
+    object_name => "public",
+  }
+
+  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
+    type        => 'host',
+    database    => $pg_db,
+    user        => $pg_user,
+    address     => '127.0.0.1/32',
+    auth_method => 'md5',
+    order       => "05-01",
+  }
+  postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
+    type        => 'host',
+    database    => $pg_db,
+    user        => $pg_user,
+    address     => '::1/128',
+    auth_method => 'md5',
+    order       => "05-01",
+  }
+
+  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
+    type        => 'hostssl',
+    database    => $pg_db,
+    user        => $pg_user_replication,
+    address     => 'immae.eu',
+    auth_method => 'md5',
+    order       => "05-01",
+  }
+
+}