From b3015828f95acd3f239ab7a614418918f21fb8d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 20 Feb 2018 15:54:25 +0100 Subject: Replication --- modules/profile/manifests/postgresql.pp | 3 +- modules/profile/manifests/tools.pp | 2 +- modules/role/manifests/cryptoportfolio.pp | 97 ++++++++++++++++++++++++++++++- 3 files changed, 98 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp index 8dcc4cb..1024c66 100644 --- a/modules/profile/manifests/postgresql.pp +++ b/modules/profile/manifests/postgresql.pp @@ -22,7 +22,8 @@ class profile::postgresql { } class { '::postgresql::server': - postgres_password => generate_password(24, $password_seed, "postgres") + postgres_password => generate_password(24, $password_seed, "postgres"), + listen_addresses => "*", } postgresql::server::pg_hba_rule { 'local access as postgres user': diff --git a/modules/profile/manifests/tools.pp b/modules/profile/manifests/tools.pp index 52e3cea..0b0ab46 100644 --- a/modules/profile/manifests/tools.pp +++ b/modules/profile/manifests/tools.pp @@ -1,3 +1,3 @@ class profile::tools { - ensure_packages(['vim', 'bash-completion']) + ensure_packages(['vim', 'bash-completion', 'net-tools']) } diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 05f2c59..e14d43d 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp 
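Review bot: `listen_addresses => "*"` is added to the shared `profile::postgresql` class, so every node that includes the profile now binds PostgreSQL on all interfaces, not only the host that needs a replication peer, and from then on pg_hba and whatever host firewall exists are the only things between the port and the network. Prefer exposing this as a class parameter that defaults to the loopback address and is overridden from `role::cryptoportfolio`, e.g. `Variant[String, Array[String]] $listen_addresses = 'localhost'` in the profile's signature and `listen_addresses => $listen_addresses,` here. If the socket really must be reachable from outside on that host, a host-firewall rule restricted to the replica's address would be the expected companion change; the class signature and any firewall resources are outside this hunk.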
@@ -8,8 +8,10 @@ class role::cryptoportfolio { $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } $cf_pg_user = "cryptoportfolio" + $cf_pg_user_replication = "cryptoportfolio_replication" $cf_pg_db = "cryptoportfolio" $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") + $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") $cf_pg_host = "localhost:5432" $cf_user = "cryptoportfolio" 
@@ -27,9 +29,87 @@ class role::cryptoportfolio { $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" + file { "/var/lib/postgres/data/certs": + ensure => directory, + mode => "0700", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => File["/var/lib/postgres"], + } + + file { "/var/lib/postgres/data/certs/cert.pem": + source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] + } + + file { "/var/lib/postgres/data/certs/privkey.pem": + source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] + } + + postgresql::server::config_entry { "wal_level": + value => "logical", + } + + postgresql::server::config_entry { "ssl": + value => "on", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + + postgresql::server::config_entry { "ssl_cert_file": + value => "/var/lib/postgres/data/certs/cert.pem", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + + postgresql::server::config_entry { "ssl_key_file": + value => "/var/lib/postgres/data/certs/privkey.pem", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + postgresql::server::db { $cf_pg_db: user => $cf_pg_user, - password => postgresql_password($cf_pg_user, $cf_pg_password) + password => postgresql_password($cf_pg_user, $cf_pg_password), + } + -> + postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": + db => $cf_pg_db, + unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", + } + -> + 
postgresql::server::role { $cf_pg_user_replication: + db => $cf_pg_db, + replication => true, + password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), + } + -> + postgresql::server::database_grant { $cf_pg_user_replication: + db => $cf_pg_db, + privilege => "CONNECT", + role => $cf_pg_user_replication, + } + -> + postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": + db => $cf_pg_db, + role => $cf_pg_user_replication, + privilege => "SELECT", + object_type => "ALL TABLES IN SCHEMA", + object_name => "public", + } + -> + postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": + db => $cf_pg_db, + role => $cf_pg_user_replication, + privilege => "SELECT", + object_type => "ALL SEQUENCES IN SCHEMA", + object_name => "public", } postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': @@ -49,6 +129,15 @@ class role::cryptoportfolio { order => "b0", } + postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': + type => 'hostssl', + database => $cf_pg_db, + user => $cf_pg_user_replication, + address => 'immae.eu', + auth_method => 'md5', + order => "b0", + } + letsencrypt::certonly { $cf_front_app_host: ; default: * => $::profile::apache::letsencrypt_certonly_default; } @@ -157,7 +246,10 @@ class role::cryptoportfolio { service { 'cryptoportfolio-app': enable => true, ensure => "running", - require => [File["/etc/systemd/system/cryptoportfolio-app.service"]], + require => [ + File["/etc/systemd/system/cryptoportfolio-app.service"], + Postgresql::Server::Db[$cf_pg_db] + ], } file { $cf_front_app_api_conf: @@ -199,4 +291,5 @@ class role::cryptoportfolio { } } + # TODO: xmr_stack } -- cgit v1.2.3 From f099c453f79d1df1b77dd8508345568feef35178 Mon Sep 17 00:00:00 2001 
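Review bot: The `cert.pem` and `privkey.pem` file resources are plain copies with no `notify`, so after a Let's Encrypt renewal Puppet refreshes the copies but PostgreSQL keeps serving the old, eventually expired, certificate until something restarts it; add `notify => Class['postgresql::server::service'],` (or whichever service resource the puppetlabs-postgresql version in use exposes) to both file resources. `ssl_cert_file` also points at `cert.pem`, which omits the intermediate chain, so a replica connecting with `sslmode=verify-full` must carry the intermediates itself; `source => "file:///etc/letsencrypt/live/$cf_front_app_host/fullchain.pem",` is the usual choice. Separately, `ALL TABLES IN SCHEMA public` grants SELECT only on tables that exist when Puppet runs, while the application service is ordered after the database here, so tables created by later migrations are published by `FOR ALL TABLES` but presumably unreadable by the replication role until the grant is re-applied — worth an `ALTER DEFAULT PRIVILEGES` exec or at least a comment. The enclosing class continues outside the hunk.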
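Review bot: `address => 'immae.eu'` makes PostgreSQL match this rule by reverse-resolving the client IP and then forward-resolving the name, so access to the replication role depends on DNS answers rather than on the peer's address: a spoofed or stale PTR/A record widens who matches, and a lookup failure silently locks the replica out. Pin the replica's address instead, e.g. `address => '<replica ip>/32',`, and keep the hostname only in the rule title. Since the rule is already `hostssl` and the `CREATE PUBLICATION` above requires PostgreSQL 10 or newer, `auth_method => 'scram-sha-256'` would also avoid the MD5 scheme, but that requires storing a SCRAM verifier for the role rather than the md5 hash `postgresql_password` produces in the `role` resource above.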
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 21 Feb 2018 14:31:42 +0100 Subject: Handle version changes --- modules/role/manifests/cryptoportfolio.pp | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index e14d43d..a1cfde3 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp @@ -204,7 +204,13 @@ class role::cryptoportfolio { file { "${cf_home}/front": ensure => "link", target => $cf_front_app, - require => Archive["/opt/cryptoportfolio/${front_version}.tar.gz"] + before => File[$cf_front_app], + } ~> + exec { "remove old directory": + refreshonly => true, + user => $cf_user, + command => "/usr/bin/rm -rf ${cf_front_app}", + before => File[$cf_front_app], } exec { "go-get-dep": @@ -244,9 +250,10 @@ class role::cryptoportfolio { } service { 'cryptoportfolio-app': - enable => true, - ensure => "running", - require => [ + enable => true, + ensure => "running", + subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], + require => [ File["/etc/systemd/system/cryptoportfolio-app.service"], Postgresql::Server::Db[$cf_pg_db] ], -- cgit v1.2.3 From 43c4ee4e2fd1c7ed992a420d6d478375475194dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 21 Feb 2018 14:44:41 +0100 Subject: Dump cryptoportfolio schema --- modules/role/manifests/cryptoportfolio.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index a1cfde3..9a2bfd2 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp 
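Review bot: The `exec { "remove old directory": ... }` runs `rm -rf ${cf_front_app}` whenever the `${cf_home}/front` symlink changes, but `before => File[$cf_front_app]` on the link means it is repointed at a directory that this exec then wipes and that a later resource re-creates, so the running service presumably sees a dangling `front` link for part of the run and a failed run leaves it that way. Either order the link after the directory (`require => File[$cf_front_app]` on the file resource, dropping `before`) so the swap happens once the new tree exists, or at least guard the deletion with `onlyif => "/usr/bin/test -d ${cf_front_app}",` and a comment stating that the wipe forces a clean re-extract of a possibly partial version directory. The title also misstates what is removed: `${cf_front_app}` is the new link target, not the previous version's directory. The enclosing class continues outside the hunk.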
@@ -206,7 +206,7 @@ class role::cryptoportfolio { target => $cf_front_app, before => File[$cf_front_app], } ~> - exec { "remove old directory": + exec { "remove old ${cf_front_app} directory": refreshonly => true, user => $cf_user, command => "/usr/bin/rm -rf ${cf_front_app}", @@ -257,6 +257,12 @@ class role::cryptoportfolio { File["/etc/systemd/system/cryptoportfolio-app.service"], Postgresql::Server::Db[$cf_pg_db] ], + } ~> + exec { "dump $cf_pg_db structure": + refreshonly => true, + user => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema", } file { $cf_front_app_api_conf: -- cgit v1.2.3
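Review bot: The `dump $cf_pg_db structure` exec relies on a shell redirection (`> /var/lib/postgres/${cf_pg_db}.schema`), but Puppet's default `posix` exec provider runs the command without a shell, so `>` and the path are handed to `pg_dump` as extra arguments and the dump fails; even with `provider => shell` a failed dump would leave a truncated file behind. Let `pg_dump` write the file itself: `command => "/usr/bin/pg_dump --schema-only --clean --no-publications -f /var/lib/postgres/${cf_pg_db}.schema $cf_pg_db",`. Note also that `--no-publications` exists only from pg_dump 10, and that because the exec is refreshed by the service restart it presumably runs before the restarted app has applied any migrations, so the dump may lag the live schema by one deploy; a comment stating what the `.schema` file is consumed by would help. `role::cryptoportfolio` continues outside the hunk.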