diff options
Diffstat (limited to 'modules/role')
19 files changed, 728 insertions, 430 deletions
diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp new file mode 100644 index 0000000..7a0c275 --- /dev/null +++ b/modules/role/manifests/backup.pp | |||
@@ -0,0 +1,125 @@ | |||
1 | class role::backup ( | ||
2 | String $user, | ||
3 | String $group, | ||
4 | String $mailto, | ||
5 | Optional[Array] $backups = [], | ||
6 | Optional[String] $mountpoint = "/backup1", | ||
7 | Optional[String] $backup_script = "/usr/local/bin/backup.sh", | ||
8 | ) { | ||
9 | include "base_installation" | ||
10 | |||
11 | include "profile::fstab" | ||
12 | include "profile::mail" | ||
13 | include "profile::tools" | ||
14 | include "profile::xmr_stak" | ||
15 | include "profile::known_hosts" | ||
16 | |||
17 | ensure_packages(["rsync"]) | ||
18 | |||
19 | ssh_keygen { $user: | ||
20 | notify => Notify_refresh["notify-backup-sshkey-change"] | ||
21 | } | ||
22 | |||
23 | $hosts = $backups.map |$backup| { $backup["host"] } | ||
24 | |||
25 | notify_refresh { "notify-backup-sshkey-change": | ||
26 | message => template("role/backup/ssh_key_changed.info.erb"), | ||
27 | refreshonly => true | ||
28 | } | ||
29 | |||
30 | $hosts.each |$host| { | ||
31 | notify_refresh { "notify-backup-sshhost-$host-changed": | ||
32 | message => template("role/backup/ssh_host_changed.info.erb"), | ||
33 | refreshonly => true, | ||
34 | subscribe => Sshkey[$host], | ||
35 | } | ||
36 | } | ||
37 | |||
38 | concat { $backup_script: | ||
39 | ensure => "present", | ||
40 | ensure_newline => true, | ||
41 | mode => "0755", | ||
42 | } | ||
43 | |||
44 | cron { "backup": | ||
45 | ensure => present, | ||
46 | command => $backup_script, | ||
47 | user => $user, | ||
48 | minute => 25, | ||
49 | hour => 3, | ||
50 | require => Concat[$backup_script], | ||
51 | } | ||
52 | |||
53 | concat::fragment { "backup_head": | ||
54 | target => $backup_script, | ||
55 | content => template("role/backup/backup_head.sh.erb"), | ||
56 | order => "01-50", | ||
57 | } | ||
58 | |||
59 | concat::fragment { "backup_tail": | ||
60 | target => $backup_script, | ||
61 | content => template("role/backup/backup_tail.sh.erb"), | ||
62 | order => "99-50", | ||
63 | } | ||
64 | |||
65 | $backups.each |$infos| { | ||
66 | $dirname = $infos["name"] | ||
67 | $login = $infos["login"] | ||
68 | $host = $infos["host"] | ||
69 | $dest = "$login@$host" | ||
70 | $base = "$mountpoint/$dirname" | ||
71 | $nbr = $infos["nbr"] | ||
72 | $order_dirname = $infos["order"] | ||
73 | |||
74 | file { $base: | ||
75 | ensure => "directory", | ||
76 | owner => $user, | ||
77 | group => $group, | ||
78 | require => Mount[$mountpoint], | ||
79 | } -> | ||
80 | file { "$base/older": | ||
81 | ensure => "directory", | ||
82 | owner => $user, | ||
83 | group => $group, | ||
84 | } -> | ||
85 | file { "$base/rsync_output": | ||
86 | ensure => "directory", | ||
87 | owner => $user, | ||
88 | group => $group, | ||
89 | } | ||
90 | |||
91 | concat::fragment { "backup_${dirname}_head": | ||
92 | target => $backup_script, | ||
93 | content => template("role/backup/backup_dirname_head.sh.erb"), | ||
94 | order => "$order_dirname-01", | ||
95 | } | ||
96 | |||
97 | concat::fragment { "backup_${dirname}_tail": | ||
98 | target => $backup_script, | ||
99 | content => template("role/backup/backup_dirname_tail.sh.erb"), | ||
100 | order => "$order_dirname-99", | ||
101 | } | ||
102 | |||
103 | $infos["parts"].each |$part| { | ||
104 | $local_folder = $part["local_folder"] | ||
105 | $remote_folder = $part["remote_folder"] | ||
106 | $exclude_from = $part["exclude_from"] | ||
107 | $files_from = $part["files_from"] | ||
108 | $args = $part["args"] | ||
109 | $order_part = $part["order"] | ||
110 | |||
111 | file { "$base/$local_folder": | ||
112 | ensure => "directory", | ||
113 | owner => $user, | ||
114 | group => $group, | ||
115 | require => File[$base], | ||
116 | } | ||
117 | |||
118 | concat::fragment { "backup_${dirname}_${local_folder}": | ||
119 | target => $backup_script, | ||
120 | content => template("role/backup/backup_dirname_part.sh.erb"), | ||
121 | order => "$order_dirname-$order_part", | ||
122 | } | ||
123 | } | ||
124 | } | ||
125 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index bec247e..799e297 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp | |||
@@ -1,9 +1,22 @@ | |||
1 | class role::cryptoportfolio { | 1 | class role::cryptoportfolio ( |
2 | ensure_resource('exec', 'systemctl daemon-reload', { | 2 | String $user, |
3 | command => '/usr/bin/systemctl daemon-reload', | 3 | String $group, |
4 | refreshonly => true | 4 | String $home, |
5 | }) | 5 | Optional[String] $env = "prod", |
6 | 6 | Optional[String] $webhook_url = undef, | |
7 | String $pg_user, | ||
8 | String $pg_user_replication, | ||
9 | String $pg_db, | ||
10 | Optional[String] $pg_hostname = "localhost", | ||
11 | Optional[String] $pg_port = "5432", | ||
12 | Optional[String] $web_host = undef, | ||
13 | Optional[String] $web_port = "", | ||
14 | Optional[Boolean] $web_ssl = true, | ||
15 | Optional[String] $front_version = undef, | ||
16 | Optional[String] $front_sha256 = undef, | ||
17 | Optional[String] $bot_version = undef, | ||
18 | Optional[String] $bot_sha256 = undef, | ||
19 | ) { | ||
7 | include "base_installation" | 20 | include "base_installation" |
8 | 21 | ||
9 | include "profile::tools" | 22 | include "profile::tools" |
@@ -11,420 +24,17 @@ class role::cryptoportfolio { | |||
11 | include "profile::apache" | 24 | include "profile::apache" |
12 | include "profile::xmr_stak" | 25 | include "profile::xmr_stak" |
13 | 26 | ||
14 | $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } | 27 | contain "role::cryptoportfolio::postgresql" |
15 | 28 | contain "role::cryptoportfolio::apache" | |
16 | $cf_pg_user = "cryptoportfolio" | ||
17 | $cf_pg_user_replication = "cryptoportfolio_replication" | ||
18 | $cf_pg_db = "cryptoportfolio" | ||
19 | $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
20 | $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
21 | $cf_pg_hostname = "localhost" | ||
22 | $cf_pg_port = "5432" | ||
23 | $cf_pg_host = "${cf_pg_hostname}:${cf_pg_port}" | ||
24 | |||
25 | $cf_user = "cryptoportfolio" | ||
26 | $cf_group = "cryptoportfolio" | ||
27 | $cf_home = "/opt/cryptoportfolio" | ||
28 | $cf_env = "prod" | ||
29 | $cf_front_app_host = lookup("base_installation::system_hostname") |$key| { "example.com" } | ||
30 | $cf_front_app_port = "" | ||
31 | $cf_front_app_ssl = "true" | ||
32 | $cf_front_app = "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" | ||
33 | $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" | ||
34 | $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" | ||
35 | $cf_front_app_api_conf = "${cf_home}/conf.toml" | ||
36 | $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") | ||
37 | |||
38 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" | ||
39 | |||
40 | $cf_bot_app = "${cf_home}/bot" | ||
41 | $cf_bot_app_conf = "${cf_home}/bot_config.ini" | ||
42 | $cf_bot_app_reports = "${cf_home}/bot_reports" | ||
43 | |||
44 | $cf_webhook_url = lookup("cryptoportfolio::slack_webhook") |$key| { "" } | ||
45 | |||
46 | file { "/var/lib/postgres/data/certs": | ||
47 | ensure => directory, | ||
48 | mode => "0700", | ||
49 | owner => $::profile::postgresql::pg_user, | ||
50 | group => $::profile::postgresql::pg_user, | ||
51 | require => File["/var/lib/postgres"], | ||
52 | } | ||
53 | 29 | ||
54 | file { "/var/lib/postgres/data/certs/cert.pem": | 30 | contain "role::cryptoportfolio::notify" |
55 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", | ||
56 | mode => "0600", | ||
57 | links => "follow", | ||
58 | owner => $::profile::postgresql::pg_user, | ||
59 | group => $::profile::postgresql::pg_user, | ||
60 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
61 | } | ||
62 | |||
63 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
64 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", | ||
65 | mode => "0600", | ||
66 | links => "follow", | ||
67 | owner => $::profile::postgresql::pg_user, | ||
68 | group => $::profile::postgresql::pg_user, | ||
69 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
70 | } | ||
71 | |||
72 | postgresql::server::config_entry { "wal_level": | ||
73 | value => "logical", | ||
74 | } | ||
75 | |||
76 | postgresql::server::config_entry { "ssl": | ||
77 | value => "on", | ||
78 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
79 | } | ||
80 | |||
81 | postgresql::server::config_entry { "ssl_cert_file": | ||
82 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
83 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
84 | } | ||
85 | |||
86 | postgresql::server::config_entry { "ssl_key_file": | ||
87 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
88 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
89 | } | ||
90 | |||
91 | postgresql::server::db { $cf_pg_db: | ||
92 | user => $cf_pg_user, | ||
93 | password => postgresql_password($cf_pg_user, $cf_pg_password), | ||
94 | } | ||
95 | -> | ||
96 | postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": | ||
97 | db => $cf_pg_db, | ||
98 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", | ||
99 | } | ||
100 | -> | ||
101 | postgresql::server::role { $cf_pg_user_replication: | ||
102 | db => $cf_pg_db, | ||
103 | replication => true, | ||
104 | password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), | ||
105 | } | ||
106 | -> | ||
107 | postgresql::server::database_grant { $cf_pg_user_replication: | ||
108 | db => $cf_pg_db, | ||
109 | privilege => "CONNECT", | ||
110 | role => $cf_pg_user_replication, | ||
111 | } | ||
112 | -> | ||
113 | postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": | ||
114 | db => $cf_pg_db, | ||
115 | role => $cf_pg_user_replication, | ||
116 | privilege => "SELECT", | ||
117 | object_type => "ALL TABLES IN SCHEMA", | ||
118 | object_name => "public", | ||
119 | } | ||
120 | -> | ||
121 | postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": | ||
122 | db => $cf_pg_db, | ||
123 | role => $cf_pg_user_replication, | ||
124 | privilege => "SELECT", | ||
125 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
126 | object_name => "public", | ||
127 | } | ||
128 | |||
129 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | ||
130 | type => 'host', | ||
131 | database => $cf_pg_db, | ||
132 | user => $cf_pg_user, | ||
133 | address => '127.0.0.1/32', | ||
134 | auth_method => 'md5', | ||
135 | order => "b0", | ||
136 | } | ||
137 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
138 | type => 'host', | ||
139 | database => $cf_pg_db, | ||
140 | user => $cf_pg_user, | ||
141 | address => '::1/128', | ||
142 | auth_method => 'md5', | ||
143 | order => "b0", | ||
144 | } | ||
145 | |||
146 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
147 | type => 'hostssl', | ||
148 | database => $cf_pg_db, | ||
149 | user => $cf_pg_user_replication, | ||
150 | address => 'immae.eu', | ||
151 | auth_method => 'md5', | ||
152 | order => "b0", | ||
153 | } | ||
154 | |||
155 | letsencrypt::certonly { $cf_front_app_host: ; | ||
156 | default: * => $::profile::apache::letsencrypt_certonly_default; | ||
157 | } | ||
158 | |||
159 | class { 'apache::mod::headers': } | ||
160 | apache::vhost { $cf_front_app_host: | ||
161 | port => '443', | ||
162 | docroot => false, | ||
163 | manage_docroot => false, | ||
164 | proxy_dest => "http://localhost:8000", | ||
165 | request_headers => 'set X-Forwarded-Proto "https"', | ||
166 | ssl => true, | ||
167 | ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem", | ||
168 | ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem", | ||
169 | ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem", | ||
170 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
171 | proxy_preserve_host => true; | ||
172 | default: * => $::profile::apache::apache_vhost_default; | ||
173 | } | ||
174 | |||
175 | user { $cf_user: | ||
176 | name => $cf_user, | ||
177 | ensure => "present", | ||
178 | managehome => true, | ||
179 | home => $cf_home, | ||
180 | system => true, | ||
181 | password => '!!', | ||
182 | } | ||
183 | |||
184 | file { "/usr/local/bin/slack-notify": | ||
185 | mode => "0755", | ||
186 | source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", | ||
187 | } | ||
188 | |||
189 | $front_version = lookup("cryptoportfolio::front_version") |$key| { {} } | ||
190 | $front_sha256 = lookup("cryptoportfolio::front_sha256") |$key| { {} } | ||
191 | |||
192 | $bot_version = lookup("cryptoportfolio::bot_version") |$key| { {} } | ||
193 | $bot_sha256 = lookup("cryptoportfolio::bot_sha256") |$key| { {} } | ||
194 | 31 | ||
195 | unless empty($bot_version) { | 32 | unless empty($bot_version) { |
196 | ensure_packages(["python", "python-pip"]) | 33 | contain "role::cryptoportfolio::bot" |
197 | |||
198 | file { $cf_bot_app: | ||
199 | ensure => "directory", | ||
200 | mode => "0700", | ||
201 | owner => $cf_user, | ||
202 | group => $cf_group, | ||
203 | require => User[$cf_user], | ||
204 | } | ||
205 | |||
206 | archive { "${cf_home}/trader_${bot_version}.tar.gz": | ||
207 | path => "${cf_home}/trader_${bot_version}.tar.gz", | ||
208 | source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", | ||
209 | checksum_type => "sha256", | ||
210 | checksum => $bot_sha256, | ||
211 | cleanup => false, | ||
212 | extract => true, | ||
213 | user => $cf_user, | ||
214 | username => $facts["ec2_metadata"]["hostname"], | ||
215 | password => generate_password(24, $password_seed, "ldap"), | ||
216 | extract_path => $cf_bot_app, | ||
217 | require => [User[$cf_user], File[$cf_bot_app]], | ||
218 | } ~> | ||
219 | exec { "py-cryptoportfolio-dependencies": | ||
220 | cwd => $cf_bot_app, | ||
221 | user => $cf_user, | ||
222 | environment => ["HOME=${cf_home}"], | ||
223 | command => "/usr/bin/make install", | ||
224 | require => User[$cf_user], | ||
225 | refreshonly => true, | ||
226 | before => [ | ||
227 | File[$cf_bot_app_conf], | ||
228 | Cron["py-cryptoportfolio-before"], | ||
229 | Cron["py-cryptoportfolio-after"], | ||
230 | ] | ||
231 | } | ||
232 | |||
233 | file { $cf_bot_app_conf: | ||
234 | owner => $cf_user, | ||
235 | group => $cf_group, | ||
236 | mode => "0600", | ||
237 | content => template("role/cryptoportfolio/bot_config.ini.erb"), | ||
238 | require => [ | ||
239 | User[$cf_user], | ||
240 | Archive["${cf_home}/trader_${bot_version}.tar.gz"], | ||
241 | ], | ||
242 | } | ||
243 | |||
244 | cron { "py-cryptoportfolio-before": | ||
245 | ensure => present, | ||
246 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", | ||
247 | user => "cryptoportfolio", | ||
248 | weekday => 7, # Sunday | ||
249 | hour => 22, | ||
250 | minute => 30, | ||
251 | environment => ["HOME=${cf_home}","PATH=/usr/bin/"], | ||
252 | require => [ | ||
253 | File[$cf_bot_app_conf], | ||
254 | Archive["${cf_home}/trader_${bot_version}.tar.gz"] | ||
255 | ], | ||
256 | } | ||
257 | |||
258 | cron { "py-cryptoportfolio-after": | ||
259 | ensure => present, | ||
260 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", | ||
261 | user => "cryptoportfolio", | ||
262 | weekday => 1, # Monday | ||
263 | hour => 1, | ||
264 | minute => 0, | ||
265 | environment => ["HOME=${cf_home}","PATH=/usr/bin/"], | ||
266 | require => [ | ||
267 | File[$cf_bot_app_conf], | ||
268 | Archive["${cf_home}/trader_${bot_version}.tar.gz"] | ||
269 | ], | ||
270 | } | ||
271 | |||
272 | unless empty($cf_webhook_url) { | ||
273 | exec { "bot-slack-notify": | ||
274 | refreshonly => true, | ||
275 | environment => [ | ||
276 | "P_PROJECT=Trader", | ||
277 | "P_WEBHOOK=${cf_webhook_url}", | ||
278 | "P_VERSION=${bot_version}", | ||
279 | "P_HOST=${cf_front_app_host}", | ||
280 | "P_HTTPS=${cf_front_app_ssl}", | ||
281 | ], | ||
282 | command => "/usr/local/bin/slack-notify", | ||
283 | require => File["/usr/local/bin/slack-notify"], | ||
284 | subscribe => Exec["py-cryptoportfolio-dependencies"], | ||
285 | } | ||
286 | } | ||
287 | } | 34 | } |
288 | 35 | ||
289 | # FIXME: restore backup | 36 | # FIXME: restore backup |
290 | unless empty($front_version) { | 37 | unless empty($front_version) { |
291 | ensure_packages(["go", "npm", "nodejs", "yarn"]) | 38 | contain "role::cryptoportfolio::front" |
292 | |||
293 | file { [ | ||
294 | "${cf_home}/go/", | ||
295 | "${cf_home}/go/src", | ||
296 | "${cf_home}/go/src/immae.eu", | ||
297 | "${cf_home}/go/src/immae.eu/Immae", | ||
298 | "${cf_home}/go/src/immae.eu/Immae/Projets", | ||
299 | "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", | ||
300 | "${cf_home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", | ||
301 | $cf_front_app]: | ||
302 | ensure => "directory", | ||
303 | mode => "0700", | ||
304 | owner => $cf_user, | ||
305 | group => $cf_group, | ||
306 | require => User[$cf_user], | ||
307 | } | ||
308 | |||
309 | file { "${cf_home}/front": | ||
310 | ensure => "link", | ||
311 | target => $cf_front_app, | ||
312 | before => File[$cf_front_app], | ||
313 | } | ||
314 | |||
315 | file { "/etc/systemd/system/cryptoportfolio-app.service": | ||
316 | mode => "0644", | ||
317 | owner => "root", | ||
318 | group => "root", | ||
319 | content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), | ||
320 | notify => Exec["systemctl daemon-reload"], | ||
321 | } | ||
322 | |||
323 | service { 'cryptoportfolio-app': | ||
324 | enable => true, | ||
325 | ensure => "running", | ||
326 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
327 | require => [ | ||
328 | File["/etc/systemd/system/cryptoportfolio-app.service"], | ||
329 | Postgresql::Server::Db[$cf_pg_db] | ||
330 | ], | ||
331 | } ~> | ||
332 | exec { "dump $cf_pg_db structure": | ||
333 | refreshonly => true, | ||
334 | user => $::profile::postgresql::pg_user, | ||
335 | group => $::profile::postgresql::pg_user, | ||
336 | command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema", | ||
337 | } | ||
338 | |||
339 | archive { "${cf_home}/front_${front_version}.tar.gz": | ||
340 | path => "${cf_home}/front_${front_version}.tar.gz", | ||
341 | source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", | ||
342 | checksum_type => "sha256", | ||
343 | checksum => $front_sha256, | ||
344 | cleanup => false, | ||
345 | extract => true, | ||
346 | user => $cf_user, | ||
347 | username => $facts["ec2_metadata"]["hostname"], | ||
348 | password => generate_password(24, $password_seed, "ldap"), | ||
349 | extract_path => $cf_front_app, | ||
350 | require => [User[$cf_user], File[$cf_front_app]], | ||
351 | notify => [ | ||
352 | Exec["web-cryptoportfolio-dependencies"], | ||
353 | Exec["go-get-dep"], | ||
354 | ] | ||
355 | } | ||
356 | |||
357 | # Api | ||
358 | file { $cf_front_app_api_conf: | ||
359 | owner => $cf_user, | ||
360 | group => $cf_group, | ||
361 | mode => "0600", | ||
362 | content => template("role/cryptoportfolio/api_conf.toml.erb"), | ||
363 | before => Exec["go-cryptoportfolio-app"], | ||
364 | } | ||
365 | |||
366 | exec { "go-get-dep": | ||
367 | user => $cf_user, | ||
368 | environment => ["HOME=${cf_home}"], | ||
369 | creates => "${cf_home}/go/bin/dep", | ||
370 | command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", | ||
371 | refreshonly => true, | ||
372 | } ~> | ||
373 | exec { "go-cryptoportfolio-dependencies": | ||
374 | cwd => $cf_front_app, | ||
375 | user => $cf_user, | ||
376 | environment => ["HOME=${cf_home}"], | ||
377 | command => "${cf_home}/go/bin/dep ensure", | ||
378 | refreshonly => true, | ||
379 | } ~> | ||
380 | exec { "go-cryptoportfolio-app": | ||
381 | cwd => $cf_front_app_api_workdir, | ||
382 | user => $cf_user, | ||
383 | environment => ["HOME=${cf_home}"], | ||
384 | command => "/usr/bin/make build", | ||
385 | refreshonly => true, | ||
386 | } | ||
387 | |||
388 | # Static pages | ||
389 | file { $cf_front_app_static_conf: | ||
390 | owner => $cf_user, | ||
391 | group => $cf_group, | ||
392 | mode => "0600", | ||
393 | content => template("role/cryptoportfolio/static_conf.env.erb"), | ||
394 | before => Exec["web-cryptoportfolio-build"], | ||
395 | } | ||
396 | |||
397 | exec { "web-cryptoportfolio-dependencies": | ||
398 | cwd => "${cf_front_app}/cmd/web", | ||
399 | user => $cf_user, | ||
400 | environment => ["HOME=${cf_home}"], | ||
401 | command => "/usr/bin/make install", | ||
402 | refreshonly => true, | ||
403 | require => [Package["npm"], Package["nodejs"], Package["yarn"]] | ||
404 | } ~> | ||
405 | exec { "web-cryptoportfolio-build": | ||
406 | cwd => "${cf_front_app}/cmd/web", | ||
407 | user => $cf_user, | ||
408 | environment => ["HOME=${cf_home}"], | ||
409 | path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], | ||
410 | command => "/usr/bin/make static ENV=${cf_env}", | ||
411 | refreshonly => true, | ||
412 | } | ||
413 | |||
414 | unless empty($cf_webhook_url) { | ||
415 | exec { "front-slack-notify": | ||
416 | refreshonly => true, | ||
417 | environment => [ | ||
418 | "P_PROJECT=Front", | ||
419 | "P_WEBHOOK=${cf_webhook_url}", | ||
420 | "P_VERSION=${front_version}", | ||
421 | "P_HOST=${cf_front_app_host}", | ||
422 | "P_HTTPS=${cf_front_app_ssl}", | ||
423 | ], | ||
424 | command => "/usr/local/bin/slack-notify", | ||
425 | require => File["/usr/local/bin/slack-notify"], | ||
426 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
427 | } | ||
428 | } | ||
429 | } | 39 | } |
430 | } | 40 | } |
diff --git a/modules/role/manifests/cryptoportfolio/apache.pp b/modules/role/manifests/cryptoportfolio/apache.pp new file mode 100644 index 0000000..62d5447 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/apache.pp | |||
@@ -0,0 +1,17 @@ | |||
1 | class role::cryptoportfolio::apache inherits role::cryptoportfolio { | ||
2 | class { 'apache::mod::headers': } | ||
3 | apache::vhost { $web_host: | ||
4 | port => '443', | ||
5 | docroot => false, | ||
6 | manage_docroot => false, | ||
7 | proxy_dest => "http://localhost:8000", | ||
8 | request_headers => 'set X-Forwarded-Proto "https"', | ||
9 | ssl => true, | ||
10 | ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem", | ||
11 | ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem", | ||
12 | ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem", | ||
13 | require => Letsencrypt::Certonly[$web_host], | ||
14 | proxy_preserve_host => true; | ||
15 | default: * => $::profile::apache::apache_vhost_default; | ||
16 | } | ||
17 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/bot.pp b/modules/role/manifests/cryptoportfolio/bot.pp new file mode 100644 index 0000000..a15c779 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/bot.pp | |||
@@ -0,0 +1,101 @@ | |||
1 | class role::cryptoportfolio::bot inherits role::cryptoportfolio { | ||
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
3 | |||
4 | $cf_bot_app = "${home}/bot" | ||
5 | $cf_bot_app_conf = "${home}/bot_config.ini" | ||
6 | $cf_bot_app_reports = "${home}/bot_reports" | ||
7 | |||
8 | ensure_packages(["python", "python-pip"]) | ||
9 | |||
10 | file { $cf_bot_app: | ||
11 | ensure => "directory", | ||
12 | mode => "0700", | ||
13 | owner => $user, | ||
14 | group => $group, | ||
15 | require => User["$user:"], | ||
16 | } | ||
17 | |||
18 | archive { "${home}/trader_${bot_version}.tar.gz": | ||
19 | path => "${home}/trader_${bot_version}.tar.gz", | ||
20 | source => "https://git.immae.eu/releases/cryptoportfolio/trader/trader_${bot_version}.tar.gz", | ||
21 | checksum_type => "sha256", | ||
22 | checksum => $bot_sha256, | ||
23 | cleanup => false, | ||
24 | extract => true, | ||
25 | user => $user, | ||
26 | username => lookup("base_installation::ldap_cn"), | ||
27 | password => generate_password(24, $password_seed, "ldap"), | ||
28 | extract_path => $cf_bot_app, | ||
29 | require => [User["$user:"], File[$cf_bot_app]], | ||
30 | } ~> | ||
31 | exec { "py-cryptoportfolio-dependencies": | ||
32 | cwd => $cf_bot_app, | ||
33 | user => $user, | ||
34 | environment => ["HOME=${home}"], | ||
35 | command => "/usr/bin/make install", | ||
36 | require => User["$user:"], | ||
37 | refreshonly => true, | ||
38 | before => [ | ||
39 | File[$cf_bot_app_conf], | ||
40 | Cron["py-cryptoportfolio-before"], | ||
41 | Cron["py-cryptoportfolio-after"], | ||
42 | ] | ||
43 | } | ||
44 | |||
45 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
46 | file { $cf_bot_app_conf: | ||
47 | owner => $user, | ||
48 | group => $group, | ||
49 | mode => "0600", | ||
50 | content => template("role/cryptoportfolio/bot_config.ini.erb"), | ||
51 | require => [ | ||
52 | User["$user:"], | ||
53 | Archive["${home}/trader_${bot_version}.tar.gz"], | ||
54 | ], | ||
55 | } | ||
56 | |||
57 | cron { "py-cryptoportfolio-before": | ||
58 | ensure => present, | ||
59 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --before", | ||
60 | user => $user, | ||
61 | weekday => 7, # Sunday | ||
62 | hour => 22, | ||
63 | minute => 30, | ||
64 | environment => ["HOME=${home}","PATH=/usr/bin/"], | ||
65 | require => [ | ||
66 | File[$cf_bot_app_conf], | ||
67 | Archive["${home}/trader_${bot_version}.tar.gz"] | ||
68 | ], | ||
69 | } | ||
70 | |||
71 | cron { "py-cryptoportfolio-after": | ||
72 | ensure => present, | ||
73 | command => "cd $cf_bot_app ; python main.py --config $cf_bot_app_conf --after", | ||
74 | user => $user, | ||
75 | weekday => 1, # Monday | ||
76 | hour => 1, | ||
77 | minute => 0, | ||
78 | environment => ["HOME=${home}","PATH=/usr/bin/"], | ||
79 | require => [ | ||
80 | File[$cf_bot_app_conf], | ||
81 | Archive["${home}/trader_${bot_version}.tar.gz"] | ||
82 | ], | ||
83 | } | ||
84 | |||
85 | unless empty($webhook_url) { | ||
86 | exec { "bot-slack-notify": | ||
87 | refreshonly => true, | ||
88 | environment => [ | ||
89 | "P_PROJECT=Trader", | ||
90 | "P_WEBHOOK=${webhook_url}", | ||
91 | "P_VERSION=${bot_version}", | ||
92 | "P_HOST=${web_host}", | ||
93 | "P_HTTPS=${web_ssl}", | ||
94 | ], | ||
95 | command => "/usr/local/bin/slack-notify", | ||
96 | require => File["/usr/local/bin/slack-notify"], | ||
97 | subscribe => Exec["py-cryptoportfolio-dependencies"], | ||
98 | } | ||
99 | } | ||
100 | } | ||
101 | |||
diff --git a/modules/role/manifests/cryptoportfolio/front.pp b/modules/role/manifests/cryptoportfolio/front.pp new file mode 100644 index 0000000..280ef8b --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/front.pp | |||
@@ -0,0 +1,158 @@ | |||
1 | class role::cryptoportfolio::front inherits role::cryptoportfolio { | ||
2 | ensure_resource('exec', 'systemctl daemon-reload', { | ||
3 | command => '/usr/bin/systemctl daemon-reload', | ||
4 | refreshonly => true | ||
5 | }) | ||
6 | |||
7 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
8 | |||
9 | $cf_front_app = "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio/Front" | ||
10 | $cf_front_app_api_workdir = "${cf_front_app}/cmd/app" | ||
11 | $cf_front_app_api_bin = "${cf_front_app_api_workdir}/cryptoportfolio-app" | ||
12 | $cf_front_app_api_conf = "${home}/conf.toml" | ||
13 | $cf_front_app_api_secret = generate_password(24, $password_seed, "cryptoportfolio_api_secret") | ||
14 | |||
15 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" | ||
16 | |||
17 | ensure_packages(["go", "npm", "nodejs", "yarn"]) | ||
18 | |||
19 | file { [ | ||
20 | "${home}/go/", | ||
21 | "${home}/go/src", | ||
22 | "${home}/go/src/immae.eu", | ||
23 | "${home}/go/src/immae.eu/Immae", | ||
24 | "${home}/go/src/immae.eu/Immae/Projets", | ||
25 | "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies", | ||
26 | "${home}/go/src/immae.eu/Immae/Projets/Cryptomonnaies/Cryptoportfolio", | ||
27 | $cf_front_app]: | ||
28 | ensure => "directory", | ||
29 | mode => "0700", | ||
30 | owner => $user, | ||
31 | group => $group, | ||
32 | require => User["$user:"], | ||
33 | } | ||
34 | |||
35 | file { "${home}/front": | ||
36 | ensure => "link", | ||
37 | target => $cf_front_app, | ||
38 | before => File[$cf_front_app], | ||
39 | } | ||
40 | |||
41 | file { "/etc/systemd/system/cryptoportfolio-app.service": | ||
42 | mode => "0644", | ||
43 | owner => "root", | ||
44 | group => "root", | ||
45 | content => template("role/cryptoportfolio/cryptoportfolio-app.service.erb"), | ||
46 | notify => Exec["systemctl daemon-reload"], | ||
47 | } | ||
48 | |||
49 | service { 'cryptoportfolio-app': | ||
50 | enable => true, | ||
51 | ensure => "running", | ||
52 | subscribe => [File[$cf_front_app_api_conf], Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
53 | require => [ | ||
54 | File["/etc/systemd/system/cryptoportfolio-app.service"], | ||
55 | Postgresql::Server::Db[$pg_db] | ||
56 | ], | ||
57 | } ~> | ||
58 | exec { "dump $pg_db structure": | ||
59 | refreshonly => true, | ||
60 | user => $::profile::postgresql::pg_user, | ||
61 | group => $::profile::postgresql::pg_user, | ||
62 | command => "/usr/bin/pg_dump --schema-only --clean --no-publications $pg_db > /var/lib/postgres/${pg_db}.schema", | ||
63 | } | ||
64 | |||
65 | archive { "${home}/front_${front_version}.tar.gz": | ||
66 | path => "${home}/front_${front_version}.tar.gz", | ||
67 | source => "https://git.immae.eu/releases/cryptoportfolio/front/front_${front_version}.tar.gz", | ||
68 | checksum_type => "sha256", | ||
69 | checksum => $front_sha256, | ||
70 | cleanup => false, | ||
71 | extract => true, | ||
72 | user => $user, | ||
73 | username => lookup("base_installation::ldap_cn"), | ||
74 | password => generate_password(24, $password_seed, "ldap"), | ||
75 | extract_path => $cf_front_app, | ||
76 | require => [User["$user:"], File[$cf_front_app]], | ||
77 | notify => [ | ||
78 | Exec["web-cryptoportfolio-dependencies"], | ||
79 | Exec["go-get-dep"], | ||
80 | ] | ||
81 | } | ||
82 | |||
83 | # Api | ||
84 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
85 | $pg_host = "${pg_hostname}:${pg_port}" | ||
86 | file { $cf_front_app_api_conf: | ||
87 | owner => $user, | ||
88 | group => $group, | ||
89 | mode => "0600", | ||
90 | content => template("role/cryptoportfolio/api_conf.toml.erb"), | ||
91 | before => Exec["go-cryptoportfolio-app"], | ||
92 | } | ||
93 | |||
94 | exec { "go-get-dep": | ||
95 | user => $user, | ||
96 | environment => ["HOME=${home}"], | ||
97 | creates => "${home}/go/bin/dep", | ||
98 | command => "/usr/bin/go get -u github.com/golang/dep/cmd/dep", | ||
99 | refreshonly => true, | ||
100 | } ~> | ||
101 | exec { "go-cryptoportfolio-dependencies": | ||
102 | cwd => $cf_front_app, | ||
103 | user => $user, | ||
104 | environment => ["HOME=${home}"], | ||
105 | command => "${home}/go/bin/dep ensure", | ||
106 | refreshonly => true, | ||
107 | } ~> | ||
108 | exec { "go-cryptoportfolio-app": | ||
109 | cwd => $cf_front_app_api_workdir, | ||
110 | user => $user, | ||
111 | environment => ["HOME=${home}"], | ||
112 | command => "/usr/bin/make build", | ||
113 | refreshonly => true, | ||
114 | } | ||
115 | |||
116 | # Static pages | ||
117 | file { $cf_front_app_static_conf: | ||
118 | owner => $user, | ||
119 | group => $group, | ||
120 | mode => "0600", | ||
121 | content => template("role/cryptoportfolio/static_conf.env.erb"), | ||
122 | before => Exec["web-cryptoportfolio-build"], | ||
123 | } | ||
124 | |||
125 | exec { "web-cryptoportfolio-dependencies": | ||
126 | cwd => "${cf_front_app}/cmd/web", | ||
127 | user => $user, | ||
128 | environment => ["HOME=${home}"], | ||
129 | command => "/usr/bin/make install", | ||
130 | refreshonly => true, | ||
131 | require => [Package["npm"], Package["nodejs"], Package["yarn"]] | ||
132 | } ~> | ||
133 | exec { "web-cryptoportfolio-build": | ||
134 | cwd => "${cf_front_app}/cmd/web", | ||
135 | user => $user, | ||
136 | environment => ["HOME=${home}"], | ||
137 | path => ["${cf_front_app}/cmd/web/node_modules/.bin/", "/usr/bin"], | ||
138 | command => "/usr/bin/make static ENV=${env}", | ||
139 | refreshonly => true, | ||
140 | } | ||
141 | |||
142 | unless empty($webhook_url) { | ||
143 | exec { "front-slack-notify": | ||
144 | refreshonly => true, | ||
145 | environment => [ | ||
146 | "P_PROJECT=Front", | ||
147 | "P_WEBHOOK=${webhook_url}", | ||
148 | "P_VERSION=${front_version}", | ||
149 | "P_HOST=${web_host}", | ||
150 | "P_HTTPS=${web_ssl}", | ||
151 | ], | ||
152 | command => "/usr/local/bin/slack-notify", | ||
153 | require => File["/usr/local/bin/slack-notify"], | ||
154 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], | ||
155 | } | ||
156 | } | ||
157 | |||
158 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/notify.pp b/modules/role/manifests/cryptoportfolio/notify.pp new file mode 100644 index 0000000..218312c --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/notify.pp | |||
@@ -0,0 +1,6 @@ | |||
1 | class role::cryptoportfolio::notify inherits role::cryptoportfolio { | ||
2 | file { "/usr/local/bin/slack-notify": | ||
3 | mode => "0755", | ||
4 | source => "puppet:///modules/role/cryptoportfolio/slack-notify.py", | ||
5 | } | ||
6 | } | ||
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp new file mode 100644 index 0000000..cc4d2a9 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp | |||
@@ -0,0 +1,116 @@ | |||
1 | class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { | ||
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
3 | |||
4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
5 | $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
6 | |||
7 | file { "/var/lib/postgres/data/certs": | ||
8 | ensure => directory, | ||
9 | mode => "0700", | ||
10 | owner => $::profile::postgresql::pg_user, | ||
11 | group => $::profile::postgresql::pg_user, | ||
12 | require => File["/var/lib/postgres"], | ||
13 | } | ||
14 | |||
15 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
16 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | ||
17 | mode => "0600", | ||
18 | links => "follow", | ||
19 | owner => $::profile::postgresql::pg_user, | ||
20 | group => $::profile::postgresql::pg_user, | ||
21 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
22 | } | ||
23 | |||
24 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
25 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | ||
26 | mode => "0600", | ||
27 | links => "follow", | ||
28 | owner => $::profile::postgresql::pg_user, | ||
29 | group => $::profile::postgresql::pg_user, | ||
30 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
31 | } | ||
32 | |||
33 | postgresql::server::config_entry { "wal_level": | ||
34 | value => "logical", | ||
35 | } | ||
36 | |||
37 | postgresql::server::config_entry { "ssl": | ||
38 | value => "on", | ||
39 | require => Letsencrypt::Certonly[$web_host], | ||
40 | } | ||
41 | |||
42 | postgresql::server::config_entry { "ssl_cert_file": | ||
43 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
44 | require => Letsencrypt::Certonly[$web_host], | ||
45 | } | ||
46 | |||
47 | postgresql::server::config_entry { "ssl_key_file": | ||
48 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
49 | require => Letsencrypt::Certonly[$web_host], | ||
50 | } | ||
51 | |||
52 | postgresql::server::db { $pg_db: | ||
53 | user => $pg_user, | ||
54 | password => postgresql_password($pg_user, $pg_password), | ||
55 | } | ||
56 | -> | ||
57 | postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": | ||
58 | db => $pg_db, | ||
59 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", | ||
60 | } | ||
61 | -> | ||
62 | postgresql::server::role { $pg_user_replication: | ||
63 | db => $pg_db, | ||
64 | replication => true, | ||
65 | password_hash => postgresql_password($pg_user_replication, $pg_replication_password), | ||
66 | } | ||
67 | -> | ||
68 | postgresql::server::database_grant { $pg_user_replication: | ||
69 | db => $pg_db, | ||
70 | privilege => "CONNECT", | ||
71 | role => $pg_user_replication, | ||
72 | } | ||
73 | -> | ||
74 | postgresql::server::grant { "all tables in schema:public:$pg_user_replication": | ||
75 | db => $pg_db, | ||
76 | role => $pg_user_replication, | ||
77 | privilege => "SELECT", | ||
78 | object_type => "ALL TABLES IN SCHEMA", | ||
79 | object_name => "public", | ||
80 | } | ||
81 | -> | ||
82 | postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": | ||
83 | db => $pg_db, | ||
84 | role => $pg_user_replication, | ||
85 | privilege => "SELECT", | ||
86 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
87 | object_name => "public", | ||
88 | } | ||
89 | |||
90 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | ||
91 | type => 'host', | ||
92 | database => $pg_db, | ||
93 | user => $pg_user, | ||
94 | address => '127.0.0.1/32', | ||
95 | auth_method => 'md5', | ||
96 | order => "05-01", | ||
97 | } | ||
98 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
99 | type => 'host', | ||
100 | database => $pg_db, | ||
101 | user => $pg_user, | ||
102 | address => '::1/128', | ||
103 | auth_method => 'md5', | ||
104 | order => "05-01", | ||
105 | } | ||
106 | |||
107 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
108 | type => 'hostssl', | ||
109 | database => $pg_db, | ||
110 | user => $pg_user_replication, | ||
111 | address => 'immae.eu', | ||
112 | auth_method => 'md5', | ||
113 | order => "05-01", | ||
114 | } | ||
115 | |||
116 | } | ||
diff --git a/modules/role/templates/backup/backup_dirname_head.sh.erb b/modules/role/templates/backup/backup_dirname_head.sh.erb new file mode 100644 index 0000000..e20cfd3 --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_head.sh.erb | |||
@@ -0,0 +1,27 @@ | |||
1 | ##### <%= @dirname %> ##### | ||
2 | DEST="<%= @dest %>" | ||
3 | BASE="<%= @base %>" | ||
4 | OLD_BAK_BASE=$BASE/older/j | ||
5 | BAK_BASE=${OLD_BAK_BASE}0 | ||
6 | RSYNC_OUTPUT=$BASE/rsync_output | ||
7 | NBR=<%= @nbr %> | ||
8 | |||
9 | if ! ssh \ | ||
10 | -o PreferredAuthentications=publickey \ | ||
11 | -o StrictHostKeyChecking=yes \ | ||
12 | -o ClearAllForwardings=yes \ | ||
13 | $DEST backup; then | ||
14 | echo "Fichier de verrouillage backup sur $DEST ou impossible de se connecter" >&2 | ||
15 | skip=$DEST | ||
16 | fi | ||
17 | |||
18 | rm -rf ${OLD_BAK_BASE}${NBR} | ||
19 | for j in `seq -w $(($NBR-1)) -1 0`; do | ||
20 | [ ! -d ${OLD_BAK_BASE}$j ] && continue | ||
21 | mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1)) | ||
22 | done | ||
23 | mkdir $BAK_BASE | ||
24 | mv $RSYNC_OUTPUT $BAK_BASE | ||
25 | mkdir $RSYNC_OUTPUT | ||
26 | |||
27 | if [ "$skip" != "$DEST" ]; then | ||
diff --git a/modules/role/templates/backup/backup_dirname_part.sh.erb b/modules/role/templates/backup/backup_dirname_part.sh.erb new file mode 100644 index 0000000..ec662c4 --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_part.sh.erb | |||
@@ -0,0 +1,26 @@ | |||
1 | ### <%= @dirname %> <%= @local_folder %> ### | ||
2 | LOCAL="<%= @local_folder %>" | ||
3 | REMOTE="<%= @remote_folder %>" | ||
4 | |||
5 | cd $BASE/$LOCAL | ||
6 | cat > $EXCL_FROM <<EOF | ||
7 | <%= @exclude_from.join("\n") %> | ||
8 | EOF | ||
9 | cat > $FILES_FROM <<EOF | ||
10 | <%= @files_from.join("\n") %> | ||
11 | EOF | ||
12 | |||
13 | OUT=$RSYNC_OUTPUT/$LOCAL | ||
14 | rsync -XAavbrz --fake-super -e ssh --numeric-ids --delete \ | ||
15 | --backup-dir=$BAK_BASE/$LOCAL \ | ||
16 | <%- unless @args.empty? -%> | ||
17 | <%= @args %>\ | ||
18 | <% end -%> | ||
19 | <%- unless @exclude_from.empty? -%> | ||
20 | --exclude-from=$EXCL_FROM \ | ||
21 | <% end -%> | ||
22 | <%- unless @files_from.empty? -%> | ||
23 | --files-from=$FILES_FROM \ | ||
24 | <% end -%> | ||
25 | $DEST:$REMOTE . > $OUT || true | ||
26 | ### End <%= @dirname %> <%= @local_folder %> ### | ||
diff --git a/modules/role/templates/backup/backup_dirname_tail.sh.erb b/modules/role/templates/backup/backup_dirname_tail.sh.erb new file mode 100644 index 0000000..6b16c9d --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_tail.sh.erb | |||
@@ -0,0 +1,4 @@ | |||
1 | |||
2 | ssh $DEST sh -c "date > .last_backup" | ||
3 | fi # [ "$skip" != "$DEST" ] | ||
4 | ##### End <%= @dirname %> ##### | ||
diff --git a/modules/role/templates/backup/backup_head.sh.erb b/modules/role/templates/backup/backup_head.sh.erb new file mode 100644 index 0000000..be9f5bf --- /dev/null +++ b/modules/role/templates/backup/backup_head.sh.erb | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/bash | ||
2 | MAILTO="<%= @mailto %>" | ||
3 | |||
4 | EXCL_FROM=`mktemp` | ||
5 | FILES_FROM=`mktemp` | ||
6 | TMP_STDERR=`mktemp` | ||
7 | |||
8 | on_exit() { | ||
9 | if [ -s "$TMP_STDERR" ]; then | ||
10 | cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO" | ||
11 | fi | ||
12 | rm -f $TMP_STDERR $EXCL_FROM $FILES_FROM | ||
13 | } | ||
14 | |||
15 | trap "on_exit" EXIT | ||
16 | |||
17 | exec 2> "$TMP_STDERR" | ||
18 | exec < /dev/null | ||
19 | |||
20 | set -e | ||
diff --git a/modules/role/templates/backup/backup_immae_eu.sh.erb b/modules/role/templates/backup/backup_immae_eu.sh.erb new file mode 100644 index 0000000..4fab30e --- /dev/null +++ b/modules/role/templates/backup/backup_immae_eu.sh.erb | |||
@@ -0,0 +1,79 @@ | |||
1 | #!/bin/bash | ||
2 | DEST="<%= @dest %>" | ||
3 | MAILTO="<%= @mailto %>" | ||
4 | BASE="<%= @base %>" | ||
5 | OLD_BAK_BASE=$BASE/older/j | ||
6 | BAK_BASE=${OLD_BAK_BASE}0 | ||
7 | RSYNC_OUTPUT=$BASE/rsync_output | ||
8 | NBR=7 | ||
9 | |||
10 | TMP=`mktemp` | ||
11 | TMP_STDERR=`mktemp` | ||
12 | |||
13 | trap "rm -f $TMP $TMP_STDERR" EXIT | ||
14 | |||
15 | exec 2> "$TMP_STDERR" | ||
16 | |||
17 | set -e | ||
18 | if ! `ssh -o ClearAllForwardings=yes $DEST backup`; then | ||
19 | echo "Fichier de verrouillage backup sur $DEST" | ||
20 | exit 1 | ||
21 | fi | ||
22 | |||
23 | rm -rf ${OLD_BAK_BASE}${NBR} | ||
24 | for j in `seq -w $(($NBR-1)) -1 0`; do | ||
25 | [ ! -d ${OLD_BAK_BASE}$j ] && continue | ||
26 | mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1)) | ||
27 | done | ||
28 | mkdir $BAK_BASE | ||
29 | mv $RSYNC_OUTPUT $BAK_BASE | ||
30 | mkdir $RSYNC_OUTPUT | ||
31 | |||
32 | ############## | ||
33 | NAME="home" | ||
34 | FOLDER="/home/immae" | ||
35 | |||
36 | cd $BASE/$NAME | ||
37 | cat > $TMP <<EOF | ||
38 | /.no_backup/ | ||
39 | /hosts/florian/nobackup/ | ||
40 | /hosts/connexionswing.com/ | ||
41 | /hosts/connexionswing.immae.eu/ | ||
42 | /hosts/ludivine.immae.eu/ | ||
43 | /hosts/ludivinecassal.com/ | ||
44 | /hosts/piedsjaloux.fr/ | ||
45 | /hosts/piedsjaloux.immae.eu/ | ||
46 | /hosts/spip/sites/*/ | ||
47 | /hosts/spip/spip* | ||
48 | EOF | ||
49 | OUT=$RSYNC_OUTPUT/$NAME | ||
50 | rsync -XAavbrz --fake-super -e ssh --numeric-ids --delete \ | ||
51 | --backup-dir=$BAK_BASE/$NAME --exclude-from=$TMP \ | ||
52 | $DEST:$FOLDER . > $OUT || true | ||
53 | |||
54 | ############## | ||
55 | NAME="system" | ||
56 | FOLDER="/" | ||
57 | |||
58 | cd $BASE/$NAME | ||
59 | cat > $TMP <<EOF | ||
60 | /etc/ | ||
61 | /srv/ | ||
62 | /var/lib/ | ||
63 | /var/spool/ | ||
64 | /var/named/ | ||
65 | /usr/local/ | ||
66 | EOF | ||
67 | OUT=$RSYNC_OUTPUT/$NAME | ||
68 | rsync -XAavbrz -R --fake-super -e ssh --numeric-ids --delete \ | ||
69 | --rsync-path='sudo rsync' \ | ||
70 | --backup-dir=$BAK_BASE/$NAME \ | ||
71 | --files-from=$TMP \ | ||
72 | $DEST:$FOLDER . > $OUT || true | ||
73 | |||
74 | ############## | ||
75 | ssh $DEST sh -c "date > .last_backup" | ||
76 | |||
77 | if [ -s "$TMP_STDERR" ]; then | ||
78 | cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO" | ||
79 | fi | ||
diff --git a/modules/role/templates/backup/backup_tail.sh.erb b/modules/role/templates/backup/backup_tail.sh.erb new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/modules/role/templates/backup/backup_tail.sh.erb | |||
diff --git a/modules/role/templates/backup/ssh_host_changed.info.erb b/modules/role/templates/backup/ssh_host_changed.info.erb new file mode 100644 index 0000000..ebf202e --- /dev/null +++ b/modules/role/templates/backup/ssh_host_changed.info.erb | |||
@@ -0,0 +1,4 @@ | |||
1 | Host <%= @host %> added, please send <%= @user %> key if necessary. | ||
2 | <%- if File.exist?("/home/#{@user}/.ssh/id_rsa.pub") %> | ||
3 | <%= File.read("/home/#{@user}/.ssh/id_rsa.pub") %> | ||
4 | <% end -%> | ||
diff --git a/modules/role/templates/backup/ssh_key_changed.info.erb b/modules/role/templates/backup/ssh_key_changed.info.erb new file mode 100644 index 0000000..43fd2ec --- /dev/null +++ b/modules/role/templates/backup/ssh_key_changed.info.erb | |||
@@ -0,0 +1,5 @@ | |||
1 | ssh key of <%= @user %> changed, | ||
2 | please update hosts: | ||
3 | <%- @hosts.each do |host| %> | ||
4 | - <%= host %> | ||
5 | <% end -%> | ||
diff --git a/modules/role/templates/cryptoportfolio/api_conf.toml.erb b/modules/role/templates/cryptoportfolio/api_conf.toml.erb index 13550c9..7a4b66d 100644 --- a/modules/role/templates/cryptoportfolio/api_conf.toml.erb +++ b/modules/role/templates/cryptoportfolio/api_conf.toml.erb | |||
@@ -1,15 +1,15 @@ | |||
1 | log_level="info" | 1 | log_level="info" |
2 | mode="<%= @cf_env %>" | 2 | mode="<%= @env %>" |
3 | log_out="stdout" | 3 | log_out="stdout" |
4 | 4 | ||
5 | [db] | 5 | [db] |
6 | user="<%= @cf_pg_user %>" | 6 | user="<%= @pg_user %>" |
7 | password="<%= @cf_pg_password %>" | 7 | password="<%= @pg_password %>" |
8 | database="<%= @cf_pg_db %>" | 8 | database="<%= @pg_db %>" |
9 | address="<%= @cf_pg_host %>" | 9 | address="<%= @pg_host %>" |
10 | 10 | ||
11 | [api] | 11 | [api] |
12 | domain="<%= @cf_front_app_host %>" | 12 | domain="<%= @web_host %>" |
13 | jwt_secret="<%= @cf_front_app_api_secret %>" | 13 | jwt_secret="<%= @cf_front_app_api_secret %>" |
14 | 14 | ||
15 | [app] | 15 | [app] |
diff --git a/modules/role/templates/cryptoportfolio/bot_config.ini.erb b/modules/role/templates/cryptoportfolio/bot_config.ini.erb index 30298eb..b0211a6 100644 --- a/modules/role/templates/cryptoportfolio/bot_config.ini.erb +++ b/modules/role/templates/cryptoportfolio/bot_config.ini.erb | |||
@@ -1,9 +1,9 @@ | |||
1 | [postgresql] | 1 | [postgresql] |
2 | host = <%= @cf_pg_hostname %> | 2 | host = <%= @pg_hostname %> |
3 | port = <%= @cf_pg_port %> | 3 | port = <%= @pg_port %> |
4 | user = <%= @cf_pg_user %> | 4 | user = <%= @pg_user %> |
5 | password = <%= @cf_pg_password %> | 5 | password = <%= @pg_password %> |
6 | database = <%= @cf_pg_db %> | 6 | database = <%= @pg_db %> |
7 | 7 | ||
8 | [app] | 8 | [app] |
9 | report_path = <%= @cf_bot_app_reports %> | 9 | report_path = <%= @cf_bot_app_reports %> |
diff --git a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb index a521c0e..ed2b908 100644 --- a/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb +++ b/modules/role/templates/cryptoportfolio/cryptoportfolio-app.service.erb | |||
@@ -5,8 +5,8 @@ Description=Cryptoportfolio app | |||
5 | Type=simple | 5 | Type=simple |
6 | 6 | ||
7 | WorkingDirectory=<%= @cf_front_app_api_workdir %> | 7 | WorkingDirectory=<%= @cf_front_app_api_workdir %> |
8 | User=<%= @cf_user %> | 8 | User=<%= @user %> |
9 | Group=<%= @cf_group %> | 9 | Group=<%= @group %> |
10 | UMask=007 | 10 | UMask=007 |
11 | 11 | ||
12 | ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %> | 12 | ExecStart=<%= @cf_front_app_api_bin %> -conf <%= @cf_front_app_api_conf %> |
diff --git a/modules/role/templates/cryptoportfolio/static_conf.env.erb b/modules/role/templates/cryptoportfolio/static_conf.env.erb index db9759d..314ee14 100644 --- a/modules/role/templates/cryptoportfolio/static_conf.env.erb +++ b/modules/role/templates/cryptoportfolio/static_conf.env.erb | |||
@@ -1,4 +1,4 @@ | |||
1 | API_HOST="<%= @cf_front_app_host %>" | 1 | API_HOST="<%= @web_host %>" |
2 | API_PORT="<%= @cf_front_app_port %>" | 2 | API_PORT="<%= @web_port %>" |
3 | API_HTTPS="<%= @cf_front_app_ssl %>" | 3 | API_HTTPS="<%= @web_ssl %>" |
4 | 4 | ||