diff options
Diffstat (limited to 'modules/role')
19 files changed, 728 insertions, 430 deletions
diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp new file mode 100644 index 0000000..7a0c275 --- /dev/null +++ b/modules/role/manifests/backup.pp | |||
| @@ -0,0 +1,125 @@ | |||
| 1 | class role::backup ( | ||
| 2 | String $user, | ||
| 3 | String $group, | ||
| 4 | String $mailto, | ||
| 5 | Optional[Array] $backups = [], | ||
| 6 | Optional[String] $mountpoint = "/backup1", | ||
| 7 | Optional[String] $backup_script = "/usr/local/bin/backup.sh", | ||
| 8 | ) { | ||
| 9 | include "base_installation" | ||
| 10 | |||
| 11 | include "profile::fstab" | ||
| 12 | include "profile::mail" | ||
| 13 | include "profile::tools" | ||
| 14 | include "profile::xmr_stak" | ||
| 15 | include "profile::known_hosts" | ||
| 16 | |||
| 17 | ensure_packages(["rsync"]) | ||
| 18 | |||
| 19 | ssh_keygen { $user: | ||
| 20 | notify => Notify_refresh["notify-backup-sshkey-change"] | ||
| 21 | } | ||
| 22 | |||
| 23 | $hosts = $backups.map |$backup| { $backup["host"] } | ||
| 24 | |||
| 25 | notify_refresh { "notify-backup-sshkey-change": | ||
| 26 | message => template("role/backup/ssh_key_changed.info.erb"), | ||
| 27 | refreshonly => true | ||
| 28 | } | ||
| 29 | |||
| 30 | $hosts.each |$host| { | ||
| 31 | notify_refresh { "notify-backup-sshhost-$host-changed": | ||
| 32 | message => template("role/backup/ssh_host_changed.info.erb"), | ||
| 33 | refreshonly => true, | ||
| 34 | subscribe => Sshkey[$host], | ||
| 35 | } | ||
| 36 | } | ||
| 37 | |||
| 38 | concat { $backup_script: | ||
| 39 | ensure => "present", | ||
| 40 | ensure_newline => true, | ||
| 41 | mode => "0755", | ||
| 42 | } | ||
| 43 | |||
| 44 | cron { "backup": | ||
| 45 | ensure => present, | ||
| 46 | command => $backup_script, | ||
| 47 | user => $user, | ||
| 48 | minute => 25, | ||
| 49 | hour => 3, | ||
| 50 | require => Concat[$backup_script], | ||
| 51 | } | ||
| 52 | |||
| 53 | concat::fragment { "backup_head": | ||
| 54 | target => $backup_script, | ||
| 55 | content => template("role/backup/backup_head.sh.erb"), | ||
| 56 | order => "01-50", | ||
| 57 | } | ||
| 58 | |||
| 59 | concat::fragment { "backup_tail": | ||
| 60 | target => $backup_script, | ||
| 61 | content => template("role/backup/backup_tail.sh.erb"), | ||
| 62 | order => "99-50", | ||
| 63 | } | ||
| 64 | |||
| 65 | $backups.each |$infos| { | ||
| 66 | $dirname = $infos["name"] | ||
| 67 | $login = $infos["login"] | ||
| 68 | $host = $infos["host"] | ||
| 69 | $dest = "$login@$host" | ||
| 70 | $base = "$mountpoint/$dirname" | ||
| 71 | $nbr = $infos["nbr"] | ||
| 72 | $order_dirname = $infos["order"] | ||
| 73 | |||
| 74 | file { $base: | ||
| 75 | ensure => "directory", | ||
| 76 | owner => $user, | ||
| 77 | group => $group, | ||
| 78 | require => Mount[$mountpoint], | ||
| 79 | } -> | ||
| 80 | file { "$base/older": | ||
| 81 | ensure => "directory", | ||
| 82 | owner => $user, | ||
| 83 | group => $group, | ||
| 84 | } -> | ||
| 85 | file { "$base/rsync_output": | ||
| 86 | ensure => "directory", | ||
| 87 | owner => $user, | ||
| 88 | group => $group, | ||
| 89 | } | ||
| 90 | |||
| 91 | concat::fragment { "backup_${dirname}_head": | ||
| 92 | target => $backup_script, | ||
| 93 | content => template("role/backup/backup_dirname_head.sh.erb"), | ||
| 94 | order => "$order_dirname-01", | ||
| 95 | } | ||
| 96 | |||
| 97 | concat::fragment { "backup_${dirname}_tail": | ||
| 98 | target => $backup_script, | ||
| 99 | content => template("role/backup/backup_dirname_tail.sh.erb"), | ||
| 100 | order => "$order_dirname-99", | ||
| 101 | } | ||
| 102 | |||
| 103 | $infos["parts"].each |$part| { | ||
| 104 | $local_folder = $part["local_folder"] | ||
| 105 | $remote_folder = $part["remote_folder"] | ||
| 106 | $exclude_from = $part["exclude_from"] | ||
| 107 | $files_from = $part["files_from"] | ||
| 108 | $args = $part["args"] | ||
| 109 | $order_part = $part["order"] | ||
| 110 | |||
| 111 | file { "$base/$local_folder": | ||
| 112 | ensure => "directory", | ||
| 113 | owner => $user, | ||
| 114 | group => $group, | ||
| 115 | require => File[$base], | ||
| 116 | } | ||
| 117 | |||
| 118 | concat::fragment { "backup_${dirname}_${local_folder}": | ||
| 119 | target => $backup_script, | ||
| 120 | content => template("role/backup/backup_dirname_part.sh.erb"), | ||
| 121 | order => "$order_dirname-$order_part", | ||
| 122 | } | ||
| 123 | } | ||
| 124 | } | ||
| 125 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index bec247e..799e297 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp | |||
| @@ -1,9 +1,22 @@ | |||
| 1 | class role::cryptoportfolio { | 1 | class role::cryptoportfolio ( |
| 2 | ensure_resource('exec', 'systemctl daemon-reload', { | 2 | String $user, |
| 3 | command => '/usr/bin/systemctl daemon-reload', | 3 | String $group, |
| 4 | refreshonly => true | 4 | String $home, |
| 5 | }) | 5 | Optional[String] $env = "prod", |
| 6 | 6 | Optional[String] $webhook_url = undef, | |
| 7 | String $pg_user, | ||
| 8 | String $pg_user_replication, | ||
| 9 | String $pg_db, | ||
| 10 | Optional[String] $pg_hostname = "localhost", | ||
| 11 | Optional[String] $pg_port = "5432", | ||
| 12 | Optional[String] $web_host = undef, | ||
| 13 | Optional[String] $web_port = "", | ||
| 14 | Optional[Boolean] $web_ssl = true, | ||
| 15 | Optional[String] $front_version = undef, | ||
| 16 | Optional[String] $front_sha256 = undef, | ||
| 17 | Optional[String] $bot_version = undef, | ||
| 18 | Optional[String] $bot_sha256 = undef, | ||
| 19 | ) { | ||
| 7 | include "base_installation" | 20 | include "base_installation" |
| 8 | 21 | ||
| 9 | include "profile::tools" | 22 | include "profile::tools" |
| @@ -11,420 +24,17 @@ class role::cryptoportfolio { | |||
| 11 | include "profile::apache" | 24 | include "profile::apache" |
| 12 | include "profile::xmr_stak" | 25 | include "profile::xmr_stak" |
| 13 | 26 | ||
| 14 | $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } | 27 | contain "role::cryptoportfolio::postgresql" |
| 15 | 28 | contain "role::cryptoportfolio::apache" | |
| 16 | $cf_pg_user = "cryptoportfolio" | ||
| 17 | $cf_pg_user_replication = "cryptoportfolio_replication" | ||
| 18 | $cf_pg_db = "cryptoportfolio" | ||
| 19 | $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
| 20 | $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
| 21 | $cf_pg_hostname = "localhost" | ||
| 22 | $cf_pg_port = "5432" | ||
| 23 | $cf_pg_host = "${cf_pg_hostname}:${cf_pg_port}" | ||
| 24 | |||
| 25 | $cf_user = "cryptoportfolio" | ||
| 26 | $cf_group = "cryptoportfolio" | ||
| 27 | $cf_home = "/opt/cryptoportfolio" | ||
| 28 | $cf_env = "prod" | ||
| 29 | $cf_front_app_host = lookup("base_installation::system_hostname") |$key| { "example.com" } | ||
| 30 | $cf_front_app_port = "" | ||
| 31 | $cf_front_app_ssl = "true" | ||
| 32 | $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" | ||
| 33 | $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" | ||
| 34 | $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" | ||
| 35 | $cf_front_app_api_conf = "${cf_home}/conf.toml" | ||
| 36 | $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") | ||
| 37 | |||
| 38 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" | ||
| 39 | |||
| 40 | $cf_bot_app = "${cf_home}/bot" | ||
| 41 | $cf_bot_app_conf = "${cf_home}/bot_config.ini" | ||
| 42 | $cf_bot_app_reports = "${cf_home}/bot_reports" | ||
| 43 | |||
| 44 | $cf_webhook_url = lookup("cryptoportfolio::slack_webhook") |$key| { "" } | ||
| 45 | |||
| 46 | file { "/var/lib/postgres/data/certs": | ||
| 47 | ensure => directory, | ||
| 48 | mode => "0700", | ||
| 49 | owner => $::profile::postgresql::pg_user, | ||
| 50 | group => $::profile::postgresql::pg_user, | ||
| 51 | require => File["/var/lib/postgres"], | ||
| 52 | } | ||
| 53 | 29 | ||
| 54 | file { "/var/lib/postgres/data/certs/cert.pem": | 30 | contain "role::cryptoportfolio::notify" |
| 55 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", | ||
| 56 | mode => "0600", | ||
| 57 | links => "follow", | ||
| 58 | owner => $::profile::postgresql::pg_user, | ||
| 59 | group => $::profile::postgresql::pg_user, | ||
| 60 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
| 61 | } | ||
| 62 | |||
| 63 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
| 64 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", | ||
| 65 | mode => "0600", | ||
| 66 | links => "follow", | ||
| 67 | owner => $::profile::postgresql::pg_user, | ||
| 68 | group => $::profile::postgresql::pg_user, | ||
| 69 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
| 70 | } | ||
| 71 | |||
| 72 | postgresql::server::config_entry { "wal_level": | ||
| 73 | value => "logical", | ||
| 74 | } | ||
| 75 | |||
| 76 | postgresql::server::config_entry { "ssl": | ||
| 77 | value => "on", | ||
| 78 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
| 79 | } | ||
| 80 | |||
| 81 | postgresql::server::config_entry { "ssl_cert_file": | ||
| 82 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
| 83 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
| 84 | } | ||
| 85 | |||
| 86 | postgresql::server::config_entry { "ssl_key_file": | ||
| 87 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
| 88 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
| 89 | } | ||
| 90 | |||
| 91 | postgresql::server::db { $cf_pg_db: | ||
| 92 | user => $cf_pg_user, | ||
| 93 | password => postgresql_password($cf_pg_user, $cf_pg_password), | ||
| 94 | } | ||
| 95 | -> | ||
| 96 | postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": | ||
| 97 | db => $cf_pg_db, | ||
| 98 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", | ||
| 99 | } | ||
| 100 | -> | ||
| 101 | postgresql::server::role { $cf_pg_user_replication: | ||
| 102 | db => $cf_pg_db, | ||
| 103 | replication => true, | ||
| 104 | password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), | ||
| 105 | } | ||
| 106 | -> | ||
| 107 | postgresql::server::database_grant { $cf_pg_user_replication: | ||
| 108 | db => $cf_pg_db, | ||
| 109 | privilege => "CONNECT", | ||
| 110 | role => $cf_pg_user_replication, | ||
| 111 | } | ||
| 112 | -> | ||
| 113 | postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": | ||
| 114 | db => $cf_pg_db, | ||
| 115 | role => $cf_pg_user_replication, | ||
| 116 | privilege => "SELECT", | ||
| 117 | object_type => "ALL TABLES IN SCHEMA", | ||
| 118 | object_name => "public", | ||
| 119 | } | ||
| 120 | -> | ||
| 121 | postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": | ||
| 122 | db => $cf_pg_db, | ||
| 123 | role => $cf_pg_user_replication, | ||
| 124 | privilege => "SELECT", | ||
| 125 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
| 126 | object_name => "public", | ||
| 127 | } | ||
| 128 | |||
| 129 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | ||
| 130 | type => 'host', | ||
| 131 | database => $cf_pg_db, | ||
| 132 | user => $cf_pg_user, | ||
| 133 | address => '127.0.0.1/32', | ||
| 134 | auth_method => 'md5', | ||
| 135 | order => "b0", | ||
| 136 | } | ||
| 137 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
| 138 | type => 'host', | ||
| 139 | database => $cf_pg_db, | ||
| 140 | user => $cf_pg_user, | ||
| 141 | address => '::1/128', | ||
| 142 | auth_method => 'md5', | ||
| 143 | order => "b0", | ||
| 144 | } | ||
| 145 | |||
| 146 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
| 147 | type => 'hostssl', | ||
| 148 | database => $cf_pg_db, | ||
| 149 | user => $cf_pg_user_replication, | ||
| 150 | address => 'immae.eu', | ||
| 151 | auth_method => 'md5', | ||
| 152 | order => "b0", | ||
| 153 | } | ||
| 154 | |||
| 155 | letsencrypt::certonly { $cf_front_app_host: ; | ||
| 156 | default: * => $::profile::apache::letsencrypt_certonly_default; | ||
| 157 | } | ||
| 158 | |||
| 159 | class { 'apache::mod::headers': } | ||
| 160 | apache::vhost { $cf_front_app_host: | ||
| 161 | port => '443', | ||
| 162 | docroot => false, | ||
| 163 | manage_docroot => false, | ||
| 164 | proxy_dest => "http://localhost:8000", | ||
| 165 | request_headers => 'set X-Forwarded-Proto "https"', | ||
| 166 | ssl => true, | ||
| 167 | ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem", | ||
| 168 | ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem", | ||
| 169 | ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem", | ||
| 170 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
| 171 | proxy_preserve_host => true; | ||
| 172 | default: * => $::profile::apache::apache_vhost_default; | ||
| 173 | } | ||
| 174 | |||
| 175 | user { $cf_user: | ||
| 176 | name => $cf_user, | ||
| 177 | ensure => "present", | ||
| 178 | managehome => true, | ||
| 179 | home => $cf_home, | ||
| 180 | system => true, | ||
| 181 | password => '!!', | ||
| 182 | } | ||
| 183 | |||
| 184 | file { "/usr/local/bin/slack-notify": | ||
| 185 | mode => "0755", | ||
| 186 | source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", | ||
| 187 | } | ||
| 188 | |||
| 189 | $front_version = lookup("cryptoportfolio::front_version") |$key| { {} } | ||
| 190 | $front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} } | ||
| 191 | |||
| 192 | $bot_version = lookup("cryptoportfolio::bot_version") |$key| { {} } | ||
| 193 | $bot_sha256 = lookup("cryptoportfolio::bot_sha256") |$key| { {} } | ||
| 194 | 31 | ||
| 195 | unless empty($bot_version) { | 32 | unless empty($bot_version) { |
| 196 | ensure_packages(["python", "python-pip"]) | 33 | contain "role::cryptoportfolio::bot" |
| 197 | |||
| 198 | file { $cf_bot_app: | ||
| 199 | ensure => "directory", | ||
| 200 | mode => "0700", | ||
| 201 | owner => $cf_user, | ||
| 202 | group => $cf_group, | ||
| 203 | require => User[$cf_user], | ||
| 204 | } | ||
| 205 | |||
| 206 | archive { "${cf_home}/trader_${bot_version}.tar.gz": | ||
| 207 | path => "${cf_home}/trader_${bot_version}.tar.gz", | ||
| 208 | source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", | ||
| 209 | checksum_type => "sha256", | ||
| 210 | checksum => $bot_sha256, | ||
| 211 | cleanup => false, | ||
| 212 | extract => true, | ||
| 213 | user => $cf_user, | ||
| 214 | username => $facts["ec2_metadata"]["hostname"], | ||
| 215 | password => generate_password(24, $password_seed, "ldap"), | ||
| 216 | extract_path => $cf_bot_app, | ||
| 217 | require => [User[$cf_user], File[$cf_bot_app]], | ||
| 218 | } ~> | ||
| 219 | exec { "py-cryptoportfolio-dependencies": | ||
| 220 | cwd => $cf_bot_app, | ||
| 221 | user => $cf_user, | ||
| 222 | environment => ["HOME=${cf_home}"], | ||
| 223 | command => "/usr/bin/make install", | ||
| 224 | require => User[$cf_user], | ||
| 225 | refreshonly => true, | ||
| 226 | before => [ | ||
| 227 | File[$cf_bot_app_conf], | ||
| 228 | Cron["py-cryptoportfolio-before"], | ||
| 229 | Cron["py-cryptoportfolio-after"], | ||
| 230 | ] | ||
| 231 | } | ||
| 232 | |||
| 233 | file { $cf_bot_app_conf: | ||
| 234 | owner => $cf_user, | ||
| 235 | group => $cf_group, | ||
| 236 | mode => "0600", | ||
| 237 | content => template("role/cryptoportfolio/bot_config.ini.erb"), | ||
| 238 | require => [ | ||
| 239 | User[$cf_user], | ||
| 240 | Archive["${cf_home}/trader_${bot_version}.tar.gz"], | ||
| 241 | ], | ||
| 242 | } | ||
| 243 | |||
| 244 | cron { "py-cryptoportfolio-before": | ||
| 245 | ensure => present, | ||
| 246 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", | ||
| 247 | user => "cryptoportfolio", | ||
| 248 | weekday => 7, # Sunday | ||
| 249 | hour => 22, | ||
| 250 | minute => 30, | ||
| 251 | environment => ["HOME=${cf_home}","PATH=/usr/bin/"], | ||
| 252 | require => [ | ||
| 253 | File[$cf_bot_app_conf], | ||
| 254 | Archive["${cf_home}/trader_${bot_version}.tar.gz"] | ||
| 255 | ], | ||
| 256 | } | ||
| 257 | |||
| 258 | cron { "py-cryptoportfolio-after": | ||
| 259 | ensure => present, | ||
| 260 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", | ||
| 261 | user => "cryptoportfolio", | ||
| 262 | weekday => 1, # Monday | ||
| 263 | hour => 1, | ||
| 264 | minute => 0, | ||
| 265 | environment => ["HOME=${cf_home}","PATH=/usr/bin/"], | ||
| 266 | require => [ | ||
| 267 | File[$cf_bot_app_conf], | ||
| 268 | Archive["${cf_home}/trader_${bot_version}.tar.gz"] | ||
| 269 | ], | ||
| 270 | } | ||
| 271 | |||
| 272 | unless empty($cf_webhook_url) { | ||
| 273 | exec { "bot-slack-notify": | ||
| 274 | refreshonly => true, | ||
| 275 | environment => [ | ||
| 276 | "P_PROJECT=Trader", | ||
| 277 | "P_WEBHOOK=${cf_webhook_url}", | ||
| 278 | "P_VERSION=${bot_version}", | ||
| 279 | "P_HOST=${cf_front_app_host}", | ||
| 280 | "P_HTTPS=${cf_front_app_ssl}", | ||
| 281 | ], | ||
| 282 | command => "/usr/local/bin/slack-notify", | ||
| 283 | require => File["/usr/local/bin/slack-notify"], | ||
| 284 | subscribe => Exec["py-cryptoportfolio-dependencies"], | ||
| 285 | } | ||
| 286 | } | ||
| 287 | } | 34 | } |
| 288 | 35 | ||
| 289 | # FIXME: restore backup | 36 | # FIXME: restore backup |
| 290 | unless empty($front_version) { | 37 | unless empty($front_version) { |
| 291 | ensure_packages(["go", "npm", "nodejs", "yarn"]) | 38 | contain "role::cryptoportfolio::front" |
| 292 | |||
| 293 | file { [ | ||
| 294 | "${cf_home}/go/", | ||
| 295 | "${cf_home}/go/src", | ||
| 296 | "${cf_home}/go/src/immae.eu", | ||
| 297 | "${cf_home}/go/src/immae.eu/Immae", | ||
| 298 | "${cf_home}/go/src/immae.eu/Immae/Projets", | ||
| 299 | "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", | ||
| 300 | "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", | ||
| 301 | $cf_front_app]: | ||
| 302 | ensure => "directory", | ||
| 303 | mode => "0700", | ||
| 304 | owner => $cf_user, | ||
| 305 | group => $cf_group, | ||
| 306 | require => User[$cf_user], | ||
| 307 | } | ||
| 308 | |||
| 309 | file { "${cf_home}/front": | ||
| 310 | ensure => "link", | ||
| 311 | target => $cf_front_app, | ||
| 312 | before => File[$cf_front_app], | ||
| 313 | } | ||
| 314 | |||
| 315 | file { "/etc/systemd/system/cryptoportfolio-app.service": | ||
| 316 | mode => "0644", | ||
| 317 | owner => "root", | ||
| 318 | group => "root", | ||
| 319 | content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), | ||
| 320 | notify => Exec["systemctl daemon-reload"], | ||
| 321 | } | ||
| 322 | |||
| 323 | service { 'cryptoportfolio-app': | ||
| 324 | enable => true, | ||
| 325 | ensure => "running", | ||
| 326 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
| 327 | require => [ | ||
| 328 | File["/etc/systemd/system/cryptoportfolio-app.service"], | ||
| 329 | Postgresql::Server::Db[$cf_pg_db] | ||
| 330 | ], | ||
| 331 | } ~> | ||
| 332 | exec { "dump $cf_pg_db structure": | ||
| 333 | refreshonly => true, | ||
| 334 | user => $::profile::postgresql::pg_user, | ||
| 335 | group => $::profile::postgresql::pg_user, | ||
| 336 | command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema", | ||
| 337 | } | ||
| 338 | |||
| 339 | archive { "${cf_home}/front_${front_version}.tar.gz": | ||
| 340 | path => "${cf_home}/front_${front_version}.tar.gz", | ||
| 341 | source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", | ||
| 342 | checksum_type => "sha256", | ||
| 343 | checksum => $front_sha256, | ||
| 344 | cleanup => false, | ||
| 345 | extract => true, | ||
| 346 | user => $cf_user, | ||
| 347 | username => $facts["ec2_metadata"]["hostname"], | ||
| 348 | password => generate_password(24, $password_seed, "ldap"), | ||
| 349 | extract_path => $cf_front_app, | ||
| 350 | require => [User[$cf_user], File[$cf_front_app]], | ||
| 351 | notify => [ | ||
| 352 | Exec["web-cryptoportfolio-dependencies"], | ||
| 353 | Exec["go-get-dep"], | ||
| 354 | ] | ||
| 355 | } | ||
| 356 | |||
| 357 | # Api | ||
| 358 | file { $cf_front_app_api_conf: | ||
| 359 | owner => $cf_user, | ||
| 360 | group => $cf_group, | ||
| 361 | mode => "0600", | ||
| 362 | content => template("role/cryptoportfolio/api_conf.toml.erb"), | ||
| 363 | before => Exec["go-cryptoportfolio-app"], | ||
| 364 | } | ||
| 365 | |||
| 366 | exec { "go-get-dep": | ||
| 367 | user => $cf_user, | ||
| 368 | environment => ["HOME=${cf_home}"], | ||
| 369 | creates => "${cf_home}/go/bin/dep", | ||
| 370 | command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", | ||
| 371 | refreshonly => true, | ||
| 372 | } ~> | ||
| 373 | exec { "go-cryptoportfolio-dependencies": | ||
| 374 | cwd => $cf_front_app, | ||
| 375 | user => $cf_user, | ||
| 376 | environment => ["HOME=${cf_home}"], | ||
| 377 | command => "${cf_home}/go/bin/dep ensure", | ||
| 378 | refreshonly => true, | ||
| 379 | } ~> | ||
| 380 | exec { "go-cryptoportfolio-app": | ||
| 381 | cwd => $cf_front_app_api_workdir, | ||
| 382 | user => $cf_user, | ||
| 383 | environment => ["HOME=${cf_home}"], | ||
| 384 | command => "/usr/bin/make build", | ||
| 385 | refreshonly => true, | ||
| 386 | } | ||
| 387 | |||
| 388 | # Static pages | ||
| 389 | file { $cf_front_app_static_conf: | ||
| 390 | owner => $cf_user, | ||
| 391 | group => $cf_group, | ||
| 392 | mode => "0600", | ||
| 393 | content => template("role/cryptoportfolio/static_conf.env.erb"), | ||
| 394 | before => Exec["web-cryptoportfolio-build"], | ||
| 395 | } | ||
| 396 | |||
| 397 | exec { "web-cryptoportfolio-dependencies": | ||
| 398 | cwd => "${cf_front_app}/cmd/web", | ||
| 399 | user => $cf_user, | ||
| 400 | environment => ["HOME=${cf_home}"], | ||
| 401 | command => "/usr/bin/make install", | ||
| 402 | refreshonly => true, | ||
| 403 | require => [Package["npm"], Package["nodejs"], Package["yarn"]] | ||
| 404 | } ~> | ||
| 405 | exec { "web-cryptoportfolio-build": | ||
| 406 | cwd => "${cf_front_app}/cmd/web", | ||
| 407 | user => $cf_user, | ||
| 408 | environment => ["HOME=${cf_home}"], | ||
| 409 | path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], | ||
| 410 | command => "/usr/bin/make static ENV=${cf_env}", | ||
| 411 | refreshonly => true, | ||
| 412 | } | ||
| 413 | |||
| 414 | unless empty($cf_webhook_url) { | ||
| 415 | exec { "front-slack-notify": | ||
| 416 | refreshonly => true, | ||
| 417 | environment => [ | ||
| 418 | "P_PROJECT=Front", | ||
| 419 | "P_WEBHOOK=${cf_webhook_url}", | ||
| 420 | "P_VERSION=${front_version}", | ||
| 421 | "P_HOST=${cf_front_app_host}", | ||
| 422 | "P_HTTPS=${cf_front_app_ssl}", | ||
| 423 | ], | ||
| 424 | command => "/usr/local/bin/slack-notify", | ||
| 425 | require => File["/usr/local/bin/slack-notify"], | ||
| 426 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
| 427 | } | ||
| 428 | } | ||
| 429 | } | 39 | } |
| 430 | } | 40 | } |
diff --git a/modules/role/manifests/cryptoportfolio/apache.pp b/modules/role/manifests/cryptoportfolio/apache.pp new file mode 100644 index 0000000..62d5447 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/apache.pp | |||
| @@ -0,0 +1,17 @@ | |||
| 1 | class role::cryptoportfolio::apache inherits role::cryptoportfolio { | ||
| 2 | class { 'apache::mod::headers': } | ||
| 3 | apache::vhost { $web_host: | ||
| 4 | port => '443', | ||
| 5 | docroot => false, | ||
| 6 | manage_docroot => false, | ||
| 7 | proxy_dest => "http://localhost:8000", | ||
| 8 | request_headers => 'set X-Forwarded-Proto "https"', | ||
| 9 | ssl => true, | ||
| 10 | ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem", | ||
| 11 | ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem", | ||
| 12 | ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem", | ||
| 13 | require => Letsencrypt::Certonly[$web_host], | ||
| 14 | proxy_preserve_host => true; | ||
| 15 | default: * => $::profile::apache::apache_vhost_default; | ||
| 16 | } | ||
| 17 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/bot.pp b/modules/role/manifests/cryptoportfolio/bot.pp new file mode 100644 index 0000000..a15c779 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/bot.pp | |||
| @@ -0,0 +1,101 @@ | |||
| 1 | class role::cryptoportfolio::bot inherits role::cryptoportfolio { | ||
| 2 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
| 3 | |||
| 4 | $cf_bot_app = "${home}/bot" | ||
| 5 | $cf_bot_app_conf = "${home}/bot_config.ini" | ||
| 6 | $cf_bot_app_reports = "${home}/bot_reports" | ||
| 7 | |||
| 8 | ensure_packages(["python", "python-pip"]) | ||
| 9 | |||
| 10 | file { $cf_bot_app: | ||
| 11 | ensure => "directory", | ||
| 12 | mode => "0700", | ||
| 13 | owner => $user, | ||
| 14 | group => $group, | ||
| 15 | require => User["$user:"], | ||
| 16 | } | ||
| 17 | |||
| 18 | archive { "${home}/trader_${bot_version}.tar.gz": | ||
| 19 | path => "${home}/trader_${bot_version}.tar.gz", | ||
| 20 | source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", | ||
| 21 | checksum_type => "sha256", | ||
| 22 | checksum => $bot_sha256, | ||
| 23 | cleanup => false, | ||
| 24 | extract => true, | ||
| 25 | user => $user, | ||
| 26 | username => lookup("base_installation::ldap_cn"), | ||
| 27 | password => generate_password(24, $password_seed, "ldap"), | ||
| 28 | extract_path => $cf_bot_app, | ||
| 29 | require => [User["$user:"], File[$cf_bot_app]], | ||
| 30 | } ~> | ||
| 31 | exec { "py-cryptoportfolio-dependencies": | ||
| 32 | cwd => $cf_bot_app, | ||
| 33 | user => $user, | ||
| 34 | environment => ["HOME=${home}"], | ||
| 35 | command => "/usr/bin/make install", | ||
| 36 | require => User["$user:"], | ||
| 37 | refreshonly => true, | ||
| 38 | before => [ | ||
| 39 | File[$cf_bot_app_conf], | ||
| 40 | Cron["py-cryptoportfolio-before"], | ||
| 41 | Cron["py-cryptoportfolio-after"], | ||
| 42 | ] | ||
| 43 | } | ||
| 44 | |||
| 45 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
| 46 | file { $cf_bot_app_conf: | ||
| 47 | owner => $user, | ||
| 48 | group => $group, | ||
| 49 | mode => "0600", | ||
| 50 | content => template("role/cryptoportfolio/bot_config.ini.erb"), | ||
| 51 | require => [ | ||
| 52 | User["$user:"], | ||
| 53 | Archive["${home}/trader_${bot_version}.tar.gz"], | ||
| 54 | ], | ||
| 55 | } | ||
| 56 | |||
| 57 | cron { "py-cryptoportfolio-before": | ||
| 58 | ensure => present, | ||
| 59 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", | ||
| 60 | user => $user, | ||
| 61 | weekday => 7, # Sunday | ||
| 62 | hour => 22, | ||
| 63 | minute => 30, | ||
| 64 | environment => ["HOME=${home}","PATH=/usr/bin/"], | ||
| 65 | require => [ | ||
| 66 | File[$cf_bot_app_conf], | ||
| 67 | Archive["${home}/trader_${bot_version}.tar.gz"] | ||
| 68 | ], | ||
| 69 | } | ||
| 70 | |||
| 71 | cron { "py-cryptoportfolio-after": | ||
| 72 | ensure => present, | ||
| 73 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", | ||
| 74 | user => $user, | ||
| 75 | weekday => 1, # Monday | ||
| 76 | hour => 1, | ||
| 77 | minute => 0, | ||
| 78 | environment => ["HOME=${home}","PATH=/usr/bin/"], | ||
| 79 | require => [ | ||
| 80 | File[$cf_bot_app_conf], | ||
| 81 | Archive["${home}/trader_${bot_version}.tar.gz"] | ||
| 82 | ], | ||
| 83 | } | ||
| 84 | |||
| 85 | unless empty($webhook_url) { | ||
| 86 | exec { "bot-slack-notify": | ||
| 87 | refreshonly => true, | ||
| 88 | environment => [ | ||
| 89 | "P_PROJECT=Trader", | ||
| 90 | "P_WEBHOOK=${webhook_url}", | ||
| 91 | "P_VERSION=${bot_version}", | ||
| 92 | "P_HOST=${web_host}", | ||
| 93 | "P_HTTPS=${web_ssl}", | ||
| 94 | ], | ||
| 95 | command => "/usr/local/bin/slack-notify", | ||
| 96 | require => File["/usr/local/bin/slack-notify"], | ||
| 97 | subscribe => Exec["py-cryptoportfolio-dependencies"], | ||
| 98 | } | ||
| 99 | } | ||
| 100 | } | ||
| 101 | |||
diff --git a/modules/role/manifests/cryptoportfolio/front.pp b/modules/role/manifests/cryptoportfolio/front.pp new file mode 100644 index 0000000..280ef8b --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/front.pp | |||
| @@ -0,0 +1,158 @@ | |||
| 1 | class role::cryptoportfolio::front inherits role::cryptoportfolio { | ||
| 2 | ensure_resource('exec', 'systemctl daemon-reload', { | ||
| 3 | command => '/usr/bin/systemctl daemon-reload', | ||
| 4 | refreshonly => true | ||
| 5 | }) | ||
| 6 | |||
| 7 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
| 8 | |||
| 9 | $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" | ||
| 10 | $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" | ||
| 11 | $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" | ||
| 12 | $cf_front_app_api_conf = "${home}/conf.toml" | ||
| 13 | $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") | ||
| 14 | |||
| 15 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" | ||
| 16 | |||
| 17 | ensure_packages(["go", "npm", "nodejs", "yarn"]) | ||
| 18 | |||
| 19 | file { [ | ||
| 20 | "${home}/go/", | ||
| 21 | "${home}/go/src", | ||
| 22 | "${home}/go/src/immae.eu", | ||
| 23 | "${home}/go/src/immae.eu/Immae", | ||
| 24 | "${home}/go/src/immae.eu/Immae/Projets", | ||
| 25 | "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", | ||
| 26 | "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", | ||
| 27 | $cf_front_app]: | ||
| 28 | ensure => "directory", | ||
| 29 | mode => "0700", | ||
| 30 | owner => $user, | ||
| 31 | group => $group, | ||
| 32 | require => User["$user:"], | ||
| 33 | } | ||
| 34 | |||
| 35 | file { "${home}/front": | ||
| 36 | ensure => "link", | ||
| 37 | target => $cf_front_app, | ||
| 38 | before => File[$cf_front_app], | ||
| 39 | } | ||
| 40 | |||
| 41 | file { "/etc/systemd/system/cryptoportfolio-app.service": | ||
| 42 | mode => "0644", | ||
| 43 | owner => "root", | ||
| 44 | group => "root", | ||
| 45 | content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), | ||
| 46 | notify => Exec["systemctl daemon-reload"], | ||
| 47 | } | ||
| 48 | |||
| 49 | service { 'cryptoportfolio-app': | ||
| 50 | enable => true, | ||
| 51 | ensure => "running", | ||
| 52 | subscribe => [File[$cf_front_app_api_conf], Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
| 53 | require => [ | ||
| 54 | File["/etc/systemd/system/cryptoportfolio-app.service"], | ||
| 55 | Postgresql::Server::Db[$pg_db] | ||
| 56 | ], | ||
| 57 | } ~> | ||
| 58 | exec { "dump $pg_db structure": | ||
| 59 | refreshonly => true, | ||
| 60 | user => $::profile::postgresql::pg_user, | ||
| 61 | group => $::profile::postgresql::pg_user, | ||
| 62 | command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema", | ||
| 63 | } | ||
| 64 | |||
| 65 | archive { "${home}/front_${front_version}.tar.gz": | ||
| 66 | path => "${home}/front_${front_version}.tar.gz", | ||
| 67 | source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", | ||
| 68 | checksum_type => "sha256", | ||
| 69 | checksum => $front_sha256, | ||
| 70 | cleanup => false, | ||
| 71 | extract => true, | ||
| 72 | user => $user, | ||
| 73 | username => lookup("base_installation::ldap_cn"), | ||
| 74 | password => generate_password(24, $password_seed, "ldap"), | ||
| 75 | extract_path => $cf_front_app, | ||
| 76 | require => [User["$user:"], File[$cf_front_app]], | ||
| 77 | notify => [ | ||
| 78 | Exec["web-cryptoportfolio-dependencies"], | ||
| 79 | Exec["go-get-dep"], | ||
| 80 | ] | ||
| 81 | } | ||
| 82 | |||
| 83 | # Api | ||
| 84 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
| 85 | $pg_host = "${pg_hostname}:${pg_port}" | ||
| 86 | file { $cf_front_app_api_conf: | ||
| 87 | owner => $user, | ||
| 88 | group => $group, | ||
| 89 | mode => "0600", | ||
| 90 | content => template("role/cryptoportfolio/api_conf.toml.erb"), | ||
| 91 | before => Exec["go-cryptoportfolio-app"], | ||
| 92 | } | ||
| 93 | |||
| 94 | exec { "go-get-dep": | ||
| 95 | user => $user, | ||
| 96 | environment => ["HOME=${home}"], | ||
| 97 | creates => "${home}/go/bin/dep", | ||
| 98 | command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", | ||
| 99 | refreshonly => true, | ||
| 100 | } ~> | ||
| 101 | exec { "go-cryptoportfolio-dependencies": | ||
| 102 | cwd => $cf_front_app, | ||
| 103 | user => $user, | ||
| 104 | environment => ["HOME=${home}"], | ||
| 105 | command => "${home}/go/bin/dep ensure", | ||
| 106 | refreshonly => true, | ||
| 107 | } ~> | ||
| 108 | exec { "go-cryptoportfolio-app": | ||
| 109 | cwd => $cf_front_app_api_workdir, | ||
| 110 | user => $user, | ||
| 111 | environment => ["HOME=${home}"], | ||
| 112 | command => "/usr/bin/make build", | ||
| 113 | refreshonly => true, | ||
| 114 | } | ||
| 115 | |||
| 116 | # Static pages | ||
| 117 | file { $cf_front_app_static_conf: | ||
| 118 | owner => $user, | ||
| 119 | group => $group, | ||
| 120 | mode => "0600", | ||
| 121 | content => template("role/cryptoportfolio/static_conf.env.erb"), | ||
| 122 | before => Exec["web-cryptoportfolio-build"], | ||
| 123 | } | ||
| 124 | |||
| 125 | exec { "web-cryptoportfolio-dependencies": | ||
| 126 | cwd => "${cf_front_app}/cmd/web", | ||
| 127 | user => $user, | ||
| 128 | environment => ["HOME=${home}"], | ||
| 129 | command => "/usr/bin/make install", | ||
| 130 | refreshonly => true, | ||
| 131 | require => [Package["npm"], Package["nodejs"], Package["yarn"]] | ||
| 132 | } ~> | ||
| 133 | exec { "web-cryptoportfolio-build": | ||
| 134 | cwd => "${cf_front_app}/cmd/web", | ||
| 135 | user => $user, | ||
| 136 | environment => ["HOME=${home}"], | ||
| 137 | path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], | ||
| 138 | command => "/usr/bin/make static ENV=${env}", | ||
| 139 | refreshonly => true, | ||
| 140 | } | ||
| 141 | |||
| 142 | unless empty($webhook_url) { | ||
| 143 | exec { "front-slack-notify": | ||
| 144 | refreshonly => true, | ||
| 145 | environment => [ | ||
| 146 | "P_PROJECT=Front", | ||
| 147 | "P_WEBHOOK=${webhook_url}", | ||
| 148 | "P_VERSION=${front_version}", | ||
| 149 | "P_HOST=${web_host}", | ||
| 150 | "P_HTTPS=${web_ssl}", | ||
| 151 | ], | ||
| 152 | command => "/usr/local/bin/slack-notify", | ||
| 153 | require => File["/usr/local/bin/slack-notify"], | ||
| 154 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
| 155 | } | ||
| 156 | } | ||
| 157 | |||
| 158 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/notify.pp b/modules/role/manifests/cryptoportfolio/notify.pp new file mode 100644 index 0000000..218312c --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/notify.pp | |||
| @@ -0,0 +1,6 @@ | |||
| 1 | class role::cryptoportfolio::notify inherits role::cryptoportfolio { | ||
| 2 | file { "/usr/local/bin/slack-notify": | ||
| 3 | mode => "0755", | ||
| 4 | source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", | ||
| 5 | } | ||
| 6 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp new file mode 100644 index 0000000..cc4d2a9 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp | |||
| @@ -0,0 +1,116 @@ | |||
| 1 | class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { | ||
| 2 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
| 3 | |||
| 4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
| 5 | $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
| 6 | |||
| 7 | file { "/var/lib/postgres/data/certs": | ||
| 8 | ensure => directory, | ||
| 9 | mode => "0700", | ||
| 10 | owner => $::profile::postgresql::pg_user, | ||
| 11 | group => $::profile::postgresql::pg_user, | ||
| 12 | require => File["/var/lib/postgres"], | ||
| 13 | } | ||
| 14 | |||
| 15 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
| 16 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | ||
| 17 | mode => "0600", | ||
| 18 | links => "follow", | ||
| 19 | owner => $::profile::postgresql::pg_user, | ||
| 20 | group => $::profile::postgresql::pg_user, | ||
| 21 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
| 22 | } | ||
| 23 | |||
| 24 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
| 25 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | ||
| 26 | mode => "0600", | ||
| 27 | links => "follow", | ||
| 28 | owner => $::profile::postgresql::pg_user, | ||
| 29 | group => $::profile::postgresql::pg_user, | ||
| 30 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
| 31 | } | ||
| 32 | |||
| 33 | postgresql::server::config_entry { "wal_level": | ||
| 34 | value => "logical", | ||
| 35 | } | ||
| 36 | |||
| 37 | postgresql::server::config_entry { "ssl": | ||
| 38 | value => "on", | ||
| 39 | require => Letsencrypt::Certonly[$web_host], | ||
| 40 | } | ||
| 41 | |||
| 42 | postgresql::server::config_entry { "ssl_cert_file": | ||
| 43 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
| 44 | require => Letsencrypt::Certonly[$web_host], | ||
| 45 | } | ||
| 46 | |||
| 47 | postgresql::server::config_entry { "ssl_key_file": | ||
| 48 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
| 49 | require => Letsencrypt::Certonly[$web_host], | ||
| 50 | } | ||
| 51 | |||
| 52 | postgresql::server::db { $pg_db: | ||
| 53 | user => $pg_user, | ||
| 54 | password => postgresql_password($pg_user, $pg_password), | ||
| 55 | } | ||
| 56 | -> | ||
| 57 | postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": | ||
| 58 | db => $pg_db, | ||
| 59 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", | ||
| 60 | } | ||
| 61 | -> | ||
| 62 | postgresql::server::role { $pg_user_replication: | ||
| 63 | db => $pg_db, | ||
| 64 | replication => true, | ||
| 65 | password_hash => postgresql_password($pg_user_replication, $pg_replication_password), | ||
| 66 | } | ||
| 67 | -> | ||
| 68 | postgresql::server::database_grant { $pg_user_replication: | ||
| 69 | db => $pg_db, | ||
| 70 | privilege => "CONNECT", | ||
| 71 | role => $pg_user_replication, | ||
| 72 | } | ||
| 73 | -> | ||
| 74 | postgresql::server::grant { "all tables in schema:public:$pg_user_replication": | ||
| 75 | db => $pg_db, | ||
| 76 | role => $pg_user_replication, | ||
| 77 | privilege => "SELECT", | ||
| 78 | object_type => "ALL TABLES IN SCHEMA", | ||
| 79 | object_name => "public", | ||
| 80 | } | ||
| 81 | -> | ||
| 82 | postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": | ||
| 83 | db => $pg_db, | ||
| 84 | role => $pg_user_replication, | ||
| 85 | privilege => "SELECT", | ||
| 86 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
| 87 | object_name => "public", | ||
| 88 | } | ||
| 89 | |||
| 90 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | ||
| 91 | type => 'host', | ||
| 92 | database => $pg_db, | ||
| 93 | user => $pg_user, | ||
| 94 | address => '127.0.0.1/32', | ||
| 95 | auth_method => 'md5', | ||
| 96 | order => "05-01", | ||
| 97 | } | ||
| 98 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
| 99 | type => 'host', | ||
| 100 | database => $pg_db, | ||
| 101 | user => $pg_user, | ||
| 102 | address => '::1/128', | ||
| 103 | auth_method => 'md5', | ||
| 104 | order => "05-01", | ||
| 105 | } | ||
| 106 | |||
| 107 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
| 108 | type => 'hostssl', | ||
| 109 | database => $pg_db, | ||
| 110 | user => $pg_user_replication, | ||
| 111 | address => 'immae.eu', | ||
| 112 | auth_method => 'md5', | ||
| 113 | order => "05-01", | ||
| 114 | } | ||
| 115 | |||
| 116 | } | ||
diff --git a/modules/role/templates/backup/backup_dirname_head.sh.erb b/modules/role/templates/backup/backup_dirname_head.sh.erb new file mode 100644 index 0000000..e20cfd3 --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_head.sh.erb | |||
| @@ -0,0 +1,27 @@ | |||
| 1 | ##### <%= @dirname %> ##### | ||
| 2 | DEST="<%= @dest %>" | ||
| 3 | BASE="<%= @base %>" | ||
| 4 | OLD_BAK_BASE=$BASE/older/j | ||
| 5 | BAK_BASE=${OLD_BAK_BASE}0 | ||
| 6 | RSYNC_OUTPUT=$BASE/rsync_output | ||
| 7 | NBR=<%= @nbr %> | ||
| 8 | |||
| 9 | if ! ssh \ | ||
| 10 | -o PreferredAuthentications=publickey \ | ||
| 11 | -o StrictHostKeyChecking=yes \ | ||
| 12 | -o ClearAllForwardings=yes \ | ||
| 13 | $DEST backup; then | ||
| 14 | echo "Fichier de verrouillage backup sur $DEST ou impossible de se connecter" >&2 | ||
| 15 | skip=$DEST | ||
| 16 | fi | ||
| 17 | |||
| 18 | rm -rf ${OLD_BAK_BASE}${NBR} | ||
| 19 | for j in `seq -w $(($NBR-1)) -1 0`; do | ||
| 20 | [ ! -d ${OLD_BAK_BASE}$j ] && continue | ||
| 21 | mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1)) | ||
| 22 | done | ||
| 23 | mkdir $BAK_BASE | ||
| 24 | mv $RSYNC_OUTPUT $BAK_BASE | ||
| 25 | mkdir $RSYNC_OUTPUT | ||
| 26 | |||
| 27 | if [ "$skip" != "$DEST" ]; then | ||
diff --git a/modules/role/templates/backup/backup_dirname_part.sh.erb b/modules/role/templates/backup/backup_dirname_part.sh.erb new file mode 100644 index 0000000..ec662c4 --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_part.sh.erb | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | ### <%= @dirname %> <%= @local_folder %> ### | ||
| 2 | LOCAL="<%= @local_folder %>" | ||
| 3 | REMOTE="<%= @remote_folder %>" | ||
| 4 | |||
| 5 | cd $BASE/$LOCAL | ||
| 6 | cat > $EXCL_FROM <<EOF | ||
| 7 | <%= @exclude_from.join("\n") %> | ||
| 8 | EOF | ||
| 9 | cat > $FILES_FROM <<EOF | ||
| 10 | <%= @files_from.join("\n") %> | ||
| 11 | EOF | ||
| 12 | |||
| 13 | OUT=$RSYNC_OUTPUT/$LOCAL | ||
| 14 | rsync -XAavbrz --fake-super -e ssh --numeric-ids --delete \ | ||
| 15 | --backup-dir=$BAK_BASE/$LOCAL \ | ||
| 16 | <%- unless @args.empty? -%> | ||
| 17 | <%= @args %>\ | ||
| 18 | <% end -%> | ||
| 19 | <%- unless @exclude_from.empty? -%> | ||
| 20 | --exclude-from=$EXCL_FROM \ | ||
| 21 | <% end -%> | ||
| 22 | <%- unless @files_from.empty? -%> | ||
| 23 | --files-from=$FILES_FROM \ | ||
| 24 | <% end -%> | ||
| 25 | $DEST:$REMOTE . > $OUT || true | ||
| 26 | ### End <%= @dirname %> <%= @local_folder %> ### | ||
diff --git a/modules/role/templates/backup/backup_dirname_tail.sh.erb b/modules/role/templates/backup/backup_dirname_tail.sh.erb new file mode 100644 index 0000000..6b16c9d --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_tail.sh.erb | |||
| @@ -0,0 +1,4 @@ | |||
| 1 | |||
| 2 | ssh $DEST sh -c "date > .last_backup" | ||
| 3 | fi # [ "$skip" != "$DEST" ] | ||
| 4 | ##### End <%= @dirname %> ##### | ||
diff --git a/modules/role/templates/backup/backup_head.sh.erb b/modules/role/templates/backup/backup_head.sh.erb new file mode 100644 index 0000000..be9f5bf --- /dev/null +++ b/modules/role/templates/backup/backup_head.sh.erb | |||
| @@ -0,0 +1,20 @@ | |||
| 1 | #!/bin/bash | ||
| 2 | MAILTO="<%= @mailto %>" | ||
| 3 | |||
| 4 | EXCL_FROM=`mktemp` | ||
| 5 | FILES_FROM=`mktemp` | ||
| 6 | TMP_STDERR=`mktemp` | ||
| 7 | |||
| 8 | on_exit() { | ||
| 9 | if [ -s "$TMP_STDERR" ]; then | ||
| 10 | cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO" | ||
| 11 | fi | ||
| 12 | rm -f $TMP_STDERR $EXCL_FROM $FILES_FROM | ||
| 13 | } | ||
| 14 | |||
| 15 | trap "on_exit" EXIT | ||
| 16 | |||
| 17 | exec 2> "$TMP_STDERR" | ||
| 18 | exec < /dev/null | ||
| 19 | |||
| 20 | set -e | ||
diff --git a/modules/role/templates/backup/backup_immae_eu.sh.erb b/modules/role/templates/backup/backup_immae_eu.sh.erb new file mode 100644 index 0000000..4fab30e --- /dev/null +++ b/modules/role/templates/backup/backup_immae_eu.sh.erb | |||
| @@ -0,0 +1,79 @@ | |||
| 1 | #!/bin/bash | ||
| 2 | DEST="<%= @dest %>" | ||
| 3 | MAILTO="<%= @mailto %>" | ||
| 4 | BASE="<%= @base %>" | ||
| 5 | OLD_BAK_BASE=$BASE/older/j | ||
| 6 | BAK_BASE=${OLD_BAK_BASE}0 | ||
| 7 | RSYNC_OUTPUT=$BASE/rsync_output | ||
| 8 | NBR=7 | ||
| 9 | |||
| 10 | TMP=`mktemp` | ||
| 11 | TMP_STDERR=`mktemp` | ||
| 12 | |||
| 13 | trap "rm -f $TMP $TMP_STDERR" EXIT | ||
| 14 | |||
| 15 | exec 2> "$TMP_STDERR" | ||
| 16 | |||
| 17 | set -e | ||
| 18 | if ! `ssh -o ClearAllForwardings=yes $DEST backup`; then | ||
| 19 | echo "Fichier de verrouillage backup sur $DEST" | ||
| 20 | exit 1 | ||
| 21 | fi | ||
| 22 | |||
| 23 | rm -rf ${OLD_BAK_BASE}${NBR} | ||
| 24 | for j in `seq -w $(($NBR-1)) -1 0`; do | ||
| 25 | [ ! -d ${OLD_BAK_BASE}$j ] && continue | ||
| 26 | mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1)) | ||
| 27 | done | ||
| 28 | mkdir $BAK_BASE | ||
| 29 | mv $RSYNC_OUTPUT $BAK_BASE | ||
| 30 | mkdir $RSYNC_OUTPUT | ||
| 31 | |||
| 32 | ############## | ||
| 33 | NAME="home" | ||
| 34 | FOLDER="/home/immae" | ||
| 35 | |||
| 36 | cd $BASE/$NAME | ||
| 37 | cat > $TMP <<EOF | ||
| 38 | /.no_backup/ | ||
| 39 | /hosts/florian/nobackup/ | ||
| 40 | /hosts/connexionswing.com/ | ||
| 41 | /hosts/connexionswing.immae.eu/ | ||
| 42 | /hosts/ludivine.immae.eu/ | ||
| 43 | /hosts/ludivinecassal.com/ | ||
| 44 | /hosts/piedsjaloux.fr/ | ||
| 45 | /hosts/piedsjaloux.immae.eu/ | ||
| 46 | /hosts/spip/sites/*/ | ||
| 47 | /hosts/spip/spip* | ||
| 48 | EOF | ||
| 49 | OUT=$RSYNC_OUTPUT/$NAME | ||
| 50 | rsync -XAavbrz --fake-super -e ssh --numeric-ids --delete \ | ||
| 51 | --backup-dir=$BAK_BASE/$NAME --exclude-from=$TMP \ | ||
| 52 | $DEST:$FOLDER . > $OUT || true | ||
| 53 | |||
| 54 | ############## | ||
| 55 | NAME="system" | ||
| 56 | FOLDER="/" | ||
| 57 | |||
| 58 | cd $BASE/$NAME | ||
| 59 | cat > $TMP <<EOF | ||
| 60 | /etc/ | ||
| 61 | /srv/ | ||
| 62 | /var/lib/ | ||
| 63 | /var/spool/ | ||
| 64 | /var/named/ | ||
| 65 | /usr/local/ | ||
| 66 | EOF | ||
| 67 | OUT=$RSYNC_OUTPUT/$NAME | ||
| 68 | rsync -XAavbrz -R --fake-super -e ssh --numeric-ids --delete \ | ||
| 69 | --rsync-path='sudo rsync' \ | ||
| 70 | --backup-dir=$BAK_BASE/$NAME \ | ||
| 71 | --files-from=$TMP \ | ||
| 72 | $DEST:$FOLDER . > $OUT || true | ||
| 73 | |||
| 74 | ############## | ||
| 75 | ssh $DEST sh -c "date > .last_backup" | ||
| 76 | |||
| 77 | if [ -s "$TMP_STDERR" ]; then | ||
| 78 | cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO" | ||
| 79 | fi | ||
diff --git a/modules/role/templates/backup/backup_tail.sh.erb b/modules/role/templates/backup/backup_tail.sh.erb new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/modules/role/templates/backup/backup_tail.sh.erb | |||
diff --git a/modules/role/templates/backup/ssh_host_changed.info.erb b/modules/role/templates/backup/ssh_host_changed.info.erb new file mode 100644 index 0000000..ebf202e --- /dev/null +++ b/modules/role/templates/backup/ssh_host_changed.info.erb | |||
| @@ -0,0 +1,4 @@ | |||
| 1 | Host <%= @host %> added, please send <%= @user %> key if necessary. | ||
| 2 | <%- if File.exist?("/home/#{@user}/.ssh/id_rsa.pub") %> | ||
| 3 | <%= File.read("/home/#{@user}/.ssh/id_rsa.pub") %> | ||
| 4 | <% end -%> | ||
diff --git a/modules/role/templates/backup/ssh_key_changed.info.erb b/modules/role/templates/backup/ssh_key_changed.info.erb new file mode 100644 index 0000000..43fd2ec --- /dev/null +++ b/modules/role/templates/backup/ssh_key_changed.info.erb | |||
| @@ -0,0 +1,5 @@ | |||
| 1 | ssh key of <%= @user %> changed, | ||
| 2 | please update hosts: | ||
| 3 | <%- @hosts.each do |host| %> | ||
| 4 | - <%= host %> | ||
| 5 | <% end -%> | ||
diff --git a/modules/role/templates/cryptoportfolio/api_conf.toml.erb b/modules/role/templates/cryptoportfolio/api_conf.toml.erb index 13550c9..7a4b66d 100644 --- a/modules/role/templates/cryptoportfolio/api_conf.toml.erb +++ b/modules/role/templates/cryptoportfolio/api_conf.toml.erb | |||
| @@ -1,15 +1,15 @@ | |||
| 1 | log_level="info" | 1 | log_level="info" |
| 2 | mode="<%= @cf_env %>" | 2 | mode="<%= @env %>" |
| 3 | log_out="stdout" | 3 | log_out="stdout" |
| 4 | 4 | ||
| 5 | [db] | 5 | [db] |
| 6 | user="<%= @cf_pg_user %>" | 6 | user="<%= @pg_user %>" |
| 7 | password="<%= @cf_pg_password %>" | 7 | password="<%= @pg_password %>" |
| 8 | database="<%= @cf_pg_db %>" | 8 | database="<%= @pg_db %>" |
| 9 | address="<%= @cf_pg_host %>" | 9 | address="<%= @pg_host %>" |
| 10 | 10 | ||
| 11 | [api] | 11 | [api] |
| 12 | domain="<%= @cf_front_app_host %>" | 12 | domain="<%= @web_host %>" |
| 13 | jwt_secret="<%= @cf_front_app_api_secret %>" | 13 | jwt_secret="<%= @cf_front_app_api_secret %>" |
| 14 | 14 | ||
| 15 | [app] | 15 | [app] |
diff --git a/modules/role/templates/cryptoportfolio/bot_config.ini.erb b/modules/role/templates/cryptoportfolio/bot_config.ini.erb index 30298eb..b0211a6 100644 --- a/modules/role/templates/cryptoportfolio/bot_config.ini.erb +++ b/modules/role/templates/cryptoportfolio/bot_config.ini.erb | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | [postgresql] | 1 | [postgresql] |
| 2 | host = <%= @cf_pg_hostname %> | 2 | host = <%= @pg_hostname %> |
| 3 | port = <%= @cf_pg_port %> | 3 | port = <%= @pg_port %> |
| 4 | user = <%= @cf_pg_user %> | 4 | user = <%= @pg_user %> |
| 5 | password = <%= @cf_pg_password %> | 5 | password = <%= @pg_password %> |
| 6 | database = <%= @cf_pg_db %> | 6 | database = <%= @pg_db %> |
| 7 | 7 | ||
| 8 | [app] | 8 | [app] |
| 9 | report_path = <%= @cf_bot_app_reports %> | 9 | report_path = <%= @cf_bot_app_reports %> |
diff --git a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb index a521c0e..ed2b908 100644 --- a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb +++ b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb | |||
| @@ -5,8 +5,8 @@ Description=Cryptoportfolio app | |||
| 5 | Type=simple | 5 | Type=simple |
| 6 | 6 | ||
| 7 | WorkingDirectory=<%= @cf_front_app_api_workdir %> | 7 | WorkingDirectory=<%= @cf_front_app_api_workdir %> |
| 8 | User=<%= @cf_user %> | 8 | User=<%= @user %> |
| 9 | Group=<%= @cf_group %> | 9 | Group=<%= @group %> |
| 10 | UMask=007 | 10 | UMask=007 |
| 11 | 11 | ||
| 12 | ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %> | 12 | ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %> |
diff --git a/modules/role/templates/cryptoportfolio/static_conf.env.erb b/modules/role/templates/cryptoportfolio/static_conf.env.erb index db9759d..314ee14 100644 --- a/modules/role/templates/cryptoportfolio/static_conf.env.erb +++ b/modules/role/templates/cryptoportfolio/static_conf.env.erb | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | API_HOST="<%= @cf_front_app_host %>" | 1 | API_HOST="<%= @web_host %>" |
| 2 | API_PORT="<%= @cf_front_app_port %>" | 2 | API_PORT="<%= @web_port %>" |
| 3 | API_HTTPS="<%= @cf_front_app_ssl %>" | 3 | API_HTTPS="<%= @web_ssl %>" |
| 4 | 4 | ||