#Resource type for SUNET-Drive-Application
define sunetdrive::app_type (
$bootstrap = undef,
$location = undef,
$override_config = undef,
$override_compose = undef
) {
include sunet::packages::netcat_openbsd
# Config from group.yaml and customer specific conf
$environment = sunetdrive::get_environment()
$customer = sunetdrive::get_customer()
$nodenumber = sunetdrive::get_node_number()
$is_multinode = (($override_config != undef) and ($override_compose != undef))
if $is_multinode {
# The config used
$config = $override_config
# Other settings
$admin_password = $config[ 'admin_password' ]
$dbhost = $config[ 'dbhost' ]
$dbname = $config[ 'dbname' ]
$dbuser = $config[ 'dbuser' ]
$instanceid = $config[ 'instanceid' ]
$mysql_user_password = $config[ 'mysql_user_password' ]
$passwordsalt = $config[ 'passwordsalt' ]
$redis_host_password = $config[ 'redis_host_password' ]
$s3_key = $config[ 's3_key' ]
$s3_secret = $config[ 's3_secret' ]
$secret = $config[ 'secret' ]
} else {
# The config used
$config = hiera_hash($environment)
$skeletondirectory = $config['skeletondirectory']
# Other settings
$admin_password = safe_hiera('admin_password')
$dbhost = 'proxysql_proxysql_1'
$dbname = 'nextcloud'
$dbuser = 'nextcloud'
$instanceid = safe_hiera('instanceid')
$mysql_user_password = safe_hiera('mysql_user_password')
$passwordsalt = safe_hiera('passwordsalt')
$redis_host_password = safe_hiera('redis_host_password')
$redis_cluster_password = safe_hiera('redis_cluster_password')
$s3_key = safe_hiera('s3_key')
$s3_secret = safe_hiera('s3_secret')
$secret = safe_hiera('secret')
}
$twofactor_enforced_groups = $config['twofactor_enforced_groups']
$twofactor_enforced_excluded_groups = $config['twofactor_enforced_excluded_groups']
$nextcloud_version = hiera("nextcloud_version_${environment}")
$nextcloud_version_string = split($nextcloud_version, '[-]')[0]
# Common settings for multinode and full nodes
$nextcloud_ip = $config['app']
$redis_host = $config['redis_host']
$s3_bucket = $config['s3_bucket']
$s3_host = $config['s3_host']
$site_name = $config['site_name']
$trusted_domains = $config['trusted_domains']
$trusted_proxies = $config['trusted_proxies']
if $location == 'kau-prod' {
$php_memory_limit_mb = 2048
} else {
$php_memory_limit_mb = 512
}
if $::facts['dockerhost2'] == 'yes' {
$hostnet = true
}
# These are encrypted values from local.eyaml
$gss_jwt_key = safe_hiera('gss_jwt_key')
$smtppassword = safe_hiera('smtp_password')
#These are global values from common.yaml
$gs_enabled = hiera('gs_enabled')
$gs_federation = hiera('gs_federation')
$gss_master_admin = hiera_array('gss_master_admin')
$gss_master_url = hiera("gss_master_url_${environment}")
$lookup_server = hiera("lookup_server_${environment}")
$mail_domain = hiera("mail_domain_${environment}")
$mail_smtphost = hiera("mail_smtphost_${environment}")
$mail_from_address = hiera("mail_from_address_${environment}")
$s3_usepath = hiera('s3_usepath')
$smtpuser = hiera("smtp_user_${environment}")
$tug_office = hiera_array('tug_office')
# This is a global value from common.yaml but overridden in the gss-servers local.yaml
$gss_mode = hiera('gss_mode')
# These are global values from common.yaml but can be overridden in group.yaml
$drive_email_template_text_left = $config['drive_email_template_text_left']
$drive_email_template_plain_text_left = $config['drive_email_template_plain_text_left']
$drive_email_template_url_left = $config['drive_email_template_url_left']
$lb_servers = hiera_hash($environment)['lb_servers']
$document_servers = hiera_hash($environment)['document_servers']
unless $is_multinode{
user { 'www-data': ensure => present, system => true }
file { '/opt/nextcloud/cron.sh':
ensure => file,
owner => 'root',
group => 'root',
mode => '0700',
content => template('sunetdrive/application/cron.erb.sh'),
}
cron { 'cron.sh':
command => '/opt/nextcloud/cron.sh',
user => 'root',
minute => '*/5',
}
file { '/opt/nextcloud/user-sync.sh':
ensure => file,
owner => 'root',
group => 'root',
mode => '0700',
content => template('sunetdrive/application/user-sync.erb.sh'),
}
-> cron { 'gss_user_sync':
command => '/opt/nextcloud/user-sync.sh',
user => 'root',
minute => '*/5',
}
file { '/usr/local/bin/occ':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/application/occ.erb'),
mode => '0740',
}
file { '/etc/sudoers.d/99-occ':
ensure => file,
content => "script ALL=(root) NOPASSWD: /usr/local/bin/occ\n",
mode => '0440',
owner => 'root',
group => 'root',
}
file { '/usr/local/bin/upgrade23-25.sh':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/application/upgrade23-25.erb.sh'),
mode => '0744',
}
file { '/opt/rotate/conf.d/nextcloud.conf':
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => "#This file is managed by puppet
#filename:retention days:maxsize mb\n/opt/nextcloud/nextcloud.log:180:256\n/opt/nextcloud/audit.log:180:256\n",
mode => '0644',
}
file { '/opt/rotate/conf.d/redis.conf':
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => "#This file is managed by puppet
#filename:retention days:maxsize mb\n/opt/redis/server/server.log:180:256\n/opt/redis/sentinel/sentinel.log:180:256\n",
mode => '0644',
}
file { '/opt/nextcloud/000-default.conf':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/000-default.conf.erb'),
mode => '0644',
}
file { '/opt/nextcloud/mpm_prefork.conf':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/mpm_prefork.conf.erb'),
mode => '0644',
}
file { '/opt/nextcloud/404.html':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/404.html.erb'),
mode => '0644',
}
file { '/opt/nextcloud/config.php':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/config.php.erb'),
mode => '0644',
}
file { '/opt/nextcloud/nextcloud.log':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
mode => '0640',
}
file { '/opt/nextcloud/audit.log':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
mode => '0640',
}
file { '/opt/nextcloud/audit.log':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
mode => '0644',
}
file { '/opt/nextcloud/rclone.conf':
ensure => file,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/rclone.conf.erb'),
mode => '0644',
}
file { '/opt/nextcloud/apache.php.ini':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/apache.php.ini.erb'),
mode => '0644',
}
file { '/opt/nextcloud/apcu.ini':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/apcu.ini.erb'),
mode => '0644',
}
file { '/opt/nextcloud/cli.php.ini':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/cli.php.ini.erb'),
mode => '0644',
}
file { '/usr/local/bin/migrate_external_mounts':
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/application/migrate_external_mounts.erb'),
mode => '0744',
}
file { '/opt/nextcloud/complete_reinstall.sh':
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/application/complete_reinstall.erb.sh'),
mode => '0744',
}
file { '/etc/sudoers.d/99-run-cosmos':
ensure => file,
content => "script ALL=(root) NOPASSWD: /usr/local/bin/run-cosmos\n",
mode => '0440',
owner => 'root',
group => 'root',
}
file { '/usr/local/bin/redis-cli':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/application/redis-cli.erb'),
mode => '0740',
}
file { '/etc/sudoers.d/99-redis-cli':
ensure => file,
content => "script ALL=(root) NOPASSWD: /usr/local/bin/redis-cli\n",
mode => '0440',
owner => 'root',
group => 'root',
}
file { '/usr/local/bin/add_admin_user':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/application/add_admin_user.erb'),
mode => '0744',
}
file { '/etc/sudoers.d/99-no_mysql_servers':
ensure => file,
content => "script ALL=(root) NOPASSWD: /home/script/bin/get_no_mysql_servers.sh\n",
mode => '0440',
owner => 'root',
group => 'root',
}
file { '/home/script/bin/get_no_mysql_servers.sh':
ensure => present,
force => true,
owner => 'script',
group => 'script',
content => template('sunetdrive/application/get_no_mysql_servers.erb.sh'),
mode => '0744',
}
}
if $location =~ /^gss-test/ {
file { '/opt/nextcloud/mappingfile.json':
ensure => present,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/mappingfile-test.json.erb'),
mode => '0644',
}
} elsif $location =~ /^gss/ {
file { '/opt/nextcloud/mappingfile.json':
ensure => present,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/mappingfile-prod.json.erb'),
mode => '0644',
}
} elsif $location =~ /^kau/ {
file { '/mnt':
ensure => directory,
owner => 'www-data',
group => 'www-data',
mode => '0755',
}
}
if $skeletondirectory {
file { '/opt/nextcloud/skeleton':
ensure => directory,
owner => 'www-data',
group => 'www-data',
mode => '0755',
}
}
if $customer == 'mdu' {
file { '/opt/nextcloud/skeleton/README.md':
ensure => present,
require => File['/opt/nextcloud/skeleton'],
owner => 'www-data',
group => 'www-data',
content => template('sunetdrive/application/MDU-README.md.erb'),
mode => '0644',
}
}
if $is_multinode {
$compose = $override_compose
} else {
$compose = sunet::docker_compose { 'drive_application_docker_compose':
content => template('sunetdrive/application/docker-compose_nextcloud.yml.erb'),
service_name => 'nextcloud',
compose_dir => '/opt/',
compose_filename => 'docker-compose.yml',
description => 'Nextcloud application',
}
if $::facts['sunet_nftables_enabled'] == 'yes' {
sunet::nftables::docker_expose { 'https':
allow_clients => ['any'],
port => 443,
iif => 'ens3',
}
} else {
sunet::misc::ufw_allow { 'https':
from => '0.0.0.0/0',
port => 443,
}
}
}
}