-rw-r--r-- | environments/global/roles/caldance.yaml | 8 | ||||
-rw-r--r-- | environments/integration/roles/caldance.yaml | 8 | ||||
-rw-r--r-- | modules/role/manifests/caldance.pp | 165 | ||||
-rw-r--r-- | modules/role/templates/caldance/local_settings.py.erb | 25 | ||||
-rw-r--r-- | modules/role/templates/caldance/manage.py.erb | 9 |
5 files changed, 215 insertions, 0 deletions
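--- a/environments/global/roles/caldance.yaml
+++ b/environments/global/roles/caldance.yaml
@@ -2,3 +2,11 @@
 classes:
 role::caldance: ~
 letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}"
+role::caldance::user: "caldance"
+role::caldance::group: "caldance"
+role::caldance::home: "/home/caldance"
+role::caldance::web_host: "%{lookup('base_installation::system_hostname')}"
+base_installation::system_users:
+- username: "%{lookup('role::caldance::user')}"
+system: true
+password: "!!"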
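--- /dev/null
+++ b/environments/integration/roles/caldance.yaml
@@ -0,0 +1,8 @@
+---
+role::caldance::caldance_version: ~ # Overriden in LDAP
+role::caldance::caldance_sha256: ~
+role::caldance::pg_db: "caldev"
+role::caldance::pg_user: "caldev"
+role::caldance::mail_from: "caldev-nepasrepondre@mail.immae.eu"
+role::caldance::smtp_host: "mail.immae.eu"
+role::caldance::smtp_port: "465"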
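Review bot: `role::caldance::caldance_sha256: ~` (line 3) leaves the release checksum nil, and the manifest in modules/role/manifests/caldance.pp declares the matching parameter as `Optional[String] $caldance_sha256 = undef` and passes it straight to the archive resource's `checksum`, so unless LDAP also supplies it the tarball fetched from release.immae.eu carries no integrity check the role controls. What puppet-archive does with a nil checksum next to `checksum_type => "sha256"` should be confirmed — depending on the version it either skips verification or fails the run, and neither is a good default for a release artefact. The `# Overriden in LDAP` comment covers only `caldance_version`; if the checksum is overridden the same way, extend the comment to both lines (spelled `# Overridden in LDAP`), otherwise make the parameter mandatory in the manifest, `String $caldance_sha256,`, so a missing value fails at catalog compile time.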
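--- a/modules/role/manifests/caldance.pp
+++ b/modules/role/manifests/caldance.pp
@@ -1,5 +1,20 @@
 class role::caldance (
+String $user,
+String $group,
+String $home,
+String $web_host,
+String $pg_user,
+String $pg_db,
+String $mail_from,
+String $smtp_host,
+String $smtp_port,
+Optional[String] $pg_hostname = "/run/postgresql",
+Optional[String] $pg_port = "5432",
+Optional[String] $caldance_version = undef,
+Optional[String] $caldance_sha256 = undef,
 ) {
+$password_seed = lookup("base_installation::puppet_pass_seed")
+$web_home = "/home/simon_descarpentries"
 include "base_installation"
 
 include "profile::tools"
@@ -10,9 +25,105 @@ class role::caldance (
 
 ensure_packages(["python-pip", "python-virtualenv", "python-django"])
 
+$caldance_app = "${home}/app"
+
+file { $caldance_app:
+ensure => "directory",
+mode => "0755",
+owner => $user,
+group => $group,
+require => User["$user:"],
+}
+
+exec { "initialize_venv":
+user => $user,
+require => User["$user:"],
+command => "/usr/bin/virtualenv ${home}/virtualenv",
+creates => "${home}/virtualenv",
+}
+->
+archive { "${home}/caldance_${caldance_version}.tar.gz":
+path => "${home}/caldance_${caldance_version}.tar.gz",
+source => "https://release.immae.eu/caldance/caldance_${caldance_version}.tar.gz",
+checksum_type => "sha256",
+checksum => $caldance_sha256,
+cleanup => false,
+extract => true,
+user => $user,
+username => lookup("base_installation::ldap_cn"),
+password => generate_password(24, $password_seed, "ldap"),
+extract_path => $caldance_app,
+require => [User["$user:"], File[$caldance_app]],
+} ~>
+exec { "py-requirements":
+cwd => $caldance_app,
+user => $user,
+environment => ["HOME=${home}"],
+command => "${home}/virtualenv/bin/pip install -r requirements.txt",
+require => User["$user:"],
+refreshonly => true,
+} ~>
+exec { "py-migrate":
+cwd => $caldance_app,
+user => $user,
+environment => ["HOME=${home}"],
+command => "$caldance_app/manage.py migrate",
+require => [User["$user:"], File["$caldance_app/manage.py"], File["$caldance_app/main_app/local_settings.py"]],
+refreshonly => true,
+} ~>
+exec { "py-static":
+cwd => $caldance_app,
+user => $user,
+environment => ["HOME=${home}"],
+command => "$caldance_app/manage.py collectstatic --no-input",
+require => [User["$user:"], File["$caldance_app/manage.py"], File["$caldance_app/main_app/local_settings.py"]],
+refreshonly => true,
+} ~>
+exec { "reload httpd":
+command => "/usr/bin/systemctl reload httpd",
+require => [User["$user:"], File["$caldance_app/manage.py"], File["$caldance_app/main_app/local_settings.py"]],
+refreshonly => true,
+}
+
+$pg_password = generate_password(24, $password_seed, "postgres_caldance")
+$secret_key = generate_password(24, $password_seed, "secret_key_caldance")
+file { "$caldance_app/main_app/local_settings.py":
+owner => $user,
+group => $group,
+mode => "0644",
+content => template("role/caldance/local_settings.py.erb"),
+require => [
+User["$user:"],
+Archive[ "${home}/caldance_${caldance_version}.tar.gz"],
+],
+}
+
+$python_path = "${home}/virtualenv/bin/python"
+file { "$caldance_app/manage.py":
+owner => $user,
+group => $group,
+mode => "0755",
+content => template("role/caldance/manage.py.erb"),
+require => [
+User["$user:"],
+Archive[ "${home}/caldance_${caldance_version}.tar.gz"],
+],
+}
+
+profile::postgresql::master { "postgresql master for caldance":
+letsencrypt_host => $web_host,
+backup_hosts => ["backup-1"],
+}
+
+postgresql::server::db { $pg_db:
+user => $pg_user,
+password => postgresql_password($pg_user, $pg_password),
+}
+
 # pour le script de génération de mdp
 ensure_packages(["perl-digest-sha1"])
 
+ensure_packages(["postgis", "python-gdal", "ripgrep"])
 file { "/usr/local/bin/ldap_ssha":
 owner => "root",
 group => "root",
@@ -20,4 +131,58 @@ class role::caldance (
 source => "puppet:///modules/base_installation/scripts/ldap_ssha",
 require => Package["perl-digest-sha1"],
 }
+
+sudo::conf { 'wheel_nopasswd':
+priority => 99,
+content => "%wheel ALL=(ALL) NOPASSWD: ALL",
+require => Package["sudo"],
+}
+
+ensure_packages(["mod_wsgi"])
+class { 'apache::mod::wsgi':
+wsgi_python_home => "$web_home/caldev_virtualenv",
+wsgi_python_path => "$web_home/caldev/www.cal-dance.com/",
+require => Package["mod_wsgi"],
+}
+class { 'apache::mod::authn_file': }
+class { 'apache::mod::authn_core': }
+class { 'apache::mod::authz_user': }
+class { 'apache::mod::auth_basic': }
+
+apache::vhost { $web_host:
+port => '443',
+docroot => false,
+manage_docroot => false,
+ssl => true,
+ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem",
+ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem",
+ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem",
+require => Letsencrypt::Certonly[$web_host],
+directories => [
+{
+path => "$web_home/caldev/www.cal-dance.com/main_app",
+require => "all granted",
+},
+{
+path => "$web_home/caldev/www.cal-dance.com/www/static",
+require => "all granted",
+},
+{
+path => "/",
+provider => "location",
+require => "valid-user",
+auth_type => "Basic",
+auth_name => "Authentification requise",
+auth_user_file => "$web_home/caldev/.htpasswd",
+},
+],
+aliases => [
+{
+alias => "/static/",
+path => "$web_home/caldev/www.cal-dance.com/www/static/",
+},
+],
+wsgi_script_aliases => { "/" => "$web_home/caldev/www.cal-dance.com/main_app/wsgi.py" };
+default: * => $::profile::apache::apache_vhost_default;
+}
 }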
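Review bot: `file { "$caldance_app/main_app/local_settings.py": ... mode => "0644"` (second hunk, new lines 90-99) writes the PostgreSQL password and the Django SECRET_KEY into a world-readable file, so every local account can read both secrets once the parent directories are traversable (`$caldance_app` itself is created `0755`); tighten it to `mode => "0640"` with `group` set to the group the WSGI process runs as, which this manifest does not show and needs confirming. A second problem is that `$web_home = "/home/simon_descarpentries"` is a hard-coded personal home and every Apache path in the third hunk — `wsgi_python_home`, `wsgi_python_path`, the `directories`, `aliases` and `wsgi_script_aliases` entries — points under `$web_home/caldev/...`, while the archive is extracted to `$caldance_app` (`${home}/app`) and the virtualenv is created at `${home}/virtualenv`, so unless the two trees are linked outside this manifest Apache never serves what this role deploys; the vhost and mod_wsgi settings should reference `$caldance_app` and `${home}/virtualenv`. `sudo::conf { 'wheel_nopasswd': content => "%wheel ALL=(ALL) NOPASSWD: ALL" }` grants passwordless root to every wheel member and is unrelated to the application; if it is needed it belongs in a base profile, scoped to the commands operators actually run. Finally, `$secret_key = generate_password(24, ...)` yields a 24-character SECRET_KEY, below the 50 characters Django's `check --deploy` expects (security.W009); `generate_password(50, $password_seed, "secret_key_caldance")` avoids the warning.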
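--- /dev/null
+++ b/modules/role/templates/caldance/local_settings.py.erb
@@ -0,0 +1,25 @@
+import os
+DATABASES = {
+'default': {
+'ENGINE': 'django.contrib.gis.db.backends.postgis',
+'NAME': '<%= @pg_db %>',
+'USER': '<%= @pg_user %>',
+'PASSWORD': u'<%= @pg_password %>',
+'HOST': '<%= @pg_hostname %>',
+'PORT': '<%= @pg_port %>',
+}
+}
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = os.environ.get('SECRET_KEY', '<%= @secret_key %>')
+DEBUG = False
+SECURE_HSTS_PRELOAD = True # moved from local settings as local runserver don't do SSL
+SECURE_HSTS_SECONDS = 1
+SECURE_SSL_REDIRECT = True
+LOG_FILE = '<%= @home %>/caldev_django.log'
+
+DEFAULT_FROM_EMAIL = '<%= @mail_from %>'
+EMAIL_USE_SSL = True
+EMAIL_HOST = "<%= @smtp_host %>"
+EMAIL_PORT = <%= @smtp_port %>
+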
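Review bot: `SECURE_HSTS_SECONDS = 1` together with `SECURE_HSTS_PRELOAD = True` (lines 16-17) makes the HSTS policy expire one second after a browser receives it, so it gives no downgrade protection, and the preload list requires a max-age of at least one year plus includeSubDomains, so the preload directive achieves nothing either; once the site is confirmed to work HTTPS-only, set `SECURE_HSTS_SECONDS = 31536000` and add `SECURE_HSTS_INCLUDE_SUBDOMAINS = True`. Starting with a short max-age is a sensible rollout step, but the comment on line 16 only explains why the settings moved here; a note such as `# TODO: raise to 31536000 once HTTPS-only operation is confirmed; preload needs >= 1 year and includeSubDomains` would record that the value is temporary. Separately, `'PASSWORD': u'<%= @pg_password %>'` and the `SECRET_KEY` default interpolate generated values into single-quoted literals without escaping, so a generated value containing a quote or backslash would break the file at import time; confirm that generate_password's character set excludes both, and say so in a comment above `DATABASES`.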
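--- /dev/null
+++ b/modules/role/templates/caldance/manage.py.erb
@@ -0,0 +1,9 @@
+#!<%= @python_path %> -O
+import os
+import sys
+
+if __name__ == "__main__":
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "main_app.settings")
+
+from django.core.management import execute_from_command_line
+execute_from_command_line(sys.argv)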
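Review bot: The shebang `#!<%= @python_path %> -O` (line 1) runs every management command with `assert` statements stripped and `__debug__` false, which Django's stock manage.py does not do; any assert used as a validation check in the application or its dependencies silently disappears for `migrate` and `collectstatic`, and the manifest's `py-migrate` and `py-static` execs invoke this script directly. If `-O` is deliberate, record why in a comment after line 1, e.g. `# -O: optimised mode; asserts are stripped, so none may guard input validation`; otherwise drop the flag and keep the interpreter path alone.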