sunetdrive/manifests/multinode.pp

409 lines
14 KiB
Puppet

# This class uses all the other classes to create a multinode server
class sunetdrive::multinode (
$bootstrap = undef,
$location = undef
)
{
include sunet::packages::yq
$myname = $facts['hostname']
$is_multinode = true;
$environment = sunetdrive::get_environment()
$lb_servers = hiera_hash($environment)['lb_servers']
$document_servers = hiera_hash($environment)['document_servers']
$nextcloud_ip = hiera_hash($environment)['app']
$db_ip = hiera_hash($environment)['db']
$admin_password = hiera('admin_password')
$cluster_admin_password = hiera('cluster_admin_password')
# This is a global value from common.yaml but overridden in the gss-servers local.yaml
$gss_mode = hiera('gss_mode')
$twofactor_enforced_groups = []
$twofactor_enforced_excluded_groups = []
$allcustomers = hiera_hash('multinode_mapping')
$allnames = $allcustomers.keys
$tempcustomers = $allnames.map | $index, $potential | {
if $myname =~ $allcustomers[$potential]['server'] {
$potential
}
else {
nil
}
}
$php_memory_limit_mb = 512
$nodenumber = $::fqdn[9,1]
$customers = $tempcustomers - nil
$passwords = $allnames.map | $index, $customer | {
hiera("${customer}_mysql_user_password")
}
$transaction_persistent = 1
$monitor_password = hiera('proxysql_password')
user { 'www-data': ensure => present, system => true }
sunet::system_user {'mysql': username => 'mysql', group => 'mysql' }
ensure_resource('file', '/opt/nextcloud' , { ensure => directory, recurse => true } )
file { '/usr/local/bin/occ':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/application/occ.erb'),
mode => '0740',
}
file { '/etc/sudoers.d/99-occ':
ensure => file,
content => "script ALL=(root) NOPASSWD: /usr/local/bin/occ\n",
mode => '0440',
owner => 'root',
group => 'root',
}
file { '/usr/local/bin/upgrade23-25.sh':
ensure => absent,
}
file { '/usr/local/bin/get_paying_customers':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/multinode/get_paying_customers.erb.sh'),
mode => '0744',
}
file { '/usr/local/bin/get_non_paying_customers':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/multinode/get_non_paying_customers.erb.sh'),
mode => '0744',
}
file { '/usr/local/bin/get_containers':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/multinode/get_containers'),
mode => '0744',
}
file { '/usr/local/bin/restart_and_prune':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/multinode/restart_and_prune.erb.sh'),
mode => '0744',
}
file { '/usr/local/bin/add_admin_user':
ensure => present,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/application/add_admin_user.erb'),
mode => '0744',
}
file { '/opt/nextcloud/prune.sh':
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/multinode/prune.erb.sh'),
mode => '0744',
}
file { '/opt/proxysql/proxysql.cnf':
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/multinode/proxysql.cnf.erb'),
mode => '0644',
}
sunet::scriptherder::cronjob { 'prune_non_paying':
cmd => '/usr/local/bin/restart_and_prune',
weekday => '1-6',
hour => '2',
minute => '45',
ok_criteria => ['exit_status=0','max_age=3d'],
warn_criteria => ['exit_status=1','max_age=5d'],
}
sunet::scriptherder::cronjob { 'prune_all_paying':
cmd => '/usr/local/bin/restart_and_prune include_paying',
weekday => '0',
hour => '2',
minute => '45',
ok_criteria => ['exit_status=0','max_age=7d'],
warn_criteria => ['exit_status=1','max_age=9d'],
}
file { '/opt/nextcloud/apache.php.ini':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/apache.php.ini.erb'),
mode => '0644',
}
file { '/opt/nextcloud/apcu.ini':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/apcu.ini.erb'),
mode => '0644',
}
file { '/opt/nextcloud/cli.php.ini':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/cli.php.ini.erb'),
mode => '0644',
}
file { '/opt/nextcloud/cron.sh':
ensure => file,
owner => 'root',
group => 'root',
mode => '0700',
content => template('sunetdrive/application/cron.erb.sh'),
}
file { '/opt/nextcloud/000-default.conf':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/000-default.conf.erb'),
mode => '0644',
}
file { '/opt/nextcloud/404.html':
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/404.html.erb'),
mode => '0644',
}
$link_content = '[Match]
Driver=bridge veth
[Link]
MACAddressPolicy=none'
file { '/etc/systemd/network/98-default.link':
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => $link_content,
mode => '0744',
}
file { '/opt/nextcloud/compress-logs.sh':
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/multinode/compress-logs.erb.sh'),
mode => '0744',
}
cron { 'multinode_compress_logs':
command => '/opt/nextcloud/compress-logs.sh',
require => File['/opt/nextcloud/compress-logs.sh'],
user => 'root',
minute => '10',
hour => '0',
weekday => '0',
}
# if $nodenumber == '2' {
# cron { 'add_back_bucket_for_karin_nordgren':
# command => '(/usr/local/bin/occ nextcloud-kmh_app_1 files_external:list karin_nordgren@kmh.se && /home/script/bin/create_bucket.sh nextcloud-kmh_app_1 karin_nordgren@kmh.se karin-nordgren-drive-sunet-se) || /bin/true',
# user => 'root',
# minute => '*/10',
# }
# }
$customers.each | $index, $customer | {
$customer_config_full = hiera_hash($customer)
$customer_config = $customer_config_full[$environment]
cron { "multinode_cron_${customer}":
command => "/opt/nextcloud/cron.sh nextcloud-${customer}_app_1",
require => File['/opt/nextcloud/cron.sh'],
user => 'root',
minute => '*/10',
}
if $environment == 'prod' {
if 'primary_bucket' in $customer_config.keys() {
$s3_bucket = $customer_config['primary_bucket']
} else {
$s3_bucket = "primary-${customer}-drive.sunet.se"
}
$site_name = "${customer}.drive.sunet.se"
$trusted_proxies = ['lb1.drive.sunet.se','lb2.drive.sunet.se', 'lb3.drive.sunet.se', 'lb4.drive.sunet.se']
} else {
if 'primary_bucket' in $customer_config.keys() {
$s3_bucket = $customer_config['primary_bucket']
} else {
$s3_bucket = "primary-${customer}-${environment}.sunet.se"
}
$site_name = "${customer}.drive.${environment}.sunet.se"
$trusted_proxies = ["lb1.drive.${environment}.sunet.se","lb2.drive.${environment}.sunet.se",
"lb3.drive.${environment}.sunet.se","lb4.drive.${environment}.sunet.se"]
}
$apache_default_path = "/opt/multinode/${customer}/000-default.conf"
$apache_error_path = "/opt/multinode/${customer}/404.html"
$config_php_path = "/opt/multinode/${customer}/config.php"
$cron_log_path ="/opt/multinode/${customer}/cron.log"
$dbhost = 'proxysql_proxysql_1'
$dbname = "nextcloud_${customer}"
$dbuser = "nextcloud_${customer}"
$gs_enabled = hiera('gs_enabled')
$gs_federation = hiera('gs_federation')
$gss_master_admin = hiera_array('gss_master_admin')
$gss_master_url = hiera("gss_master_url_${environment}")
$https_port = hiera_hash('multinode_mapping')[$customer]['port']
$lookup_server = hiera("lookup_server_${environment}")
$mail_domain = hiera("mail_domain_${environment}")
$mail_from_address = hiera("mail_from_address_${environment}")
$mail_smtphost = hiera("mail_smtphost_${environment}")
$nextcloud_log_path ="/opt/multinode/${customer}/nextcloud.log"
if $customer_config['nextcloud_version'] {
$nextcloud_version = $customer_config['nextcloud_version']
} else {
$nextcloud_version = hiera("nextcloud_version_${environment}")
}
$nextcloud_version_string = split($nextcloud_version, '[-]')[0]
$rclone_conf_path = "/opt/multinode/${customer}/rclone.conf"
$redis_conf_dir = "/opt/multinode/${customer}/server"
$redis_conf_path = "${redis_conf_dir}/redis.conf"
$redis_host= "redis-${customer}_redis-server_1"
$s3_host = $customer_config['s3_host']
$s3_usepath = hiera('s3_usepath')
$smtpuser = hiera("smtp_user_${environment}")
$trusted_domains = [$site_name, $facts['fqdn'], 'localhost']
$tug_office = hiera_array('tug_office')
if $customer_config['twofactor_enforced_groups'] {
$twofactor_enforced_groups = $customer_config['twofactor_enforced_groups']
}
if $customer_config['twofactor_enforced_excluded_groups'] {
$twofactor_enforced_excluded_groups = $customer_config['twofactor_enforced_excluded_groups']
}
# Secrets from local.eyaml
$admin_password = safe_hiera("${customer}_admin_password")
$instanceid = safe_hiera("${customer}_instanceid")
$mysql_root_password = safe_hiera("${customer}_mysql_root_password")
$backup_password = safe_hiera("${customer}_backup_password")
$mysql_user_password = safe_hiera("${customer}_mysql_user_password")
$s3_key = safe_hiera("${customer}_s3_key")
$s3_secret = safe_hiera("${customer}_s3_secret")
$secret = safe_hiera("${customer}_secret")
$passwordsalt= safe_hiera("${customer}_passwordsalt")
$redis_host_password = safe_hiera("${customer}_redis_host_password")
$gss_jwt_key = safe_hiera('gss_jwt_key')
$smtppassword = safe_hiera('smtp_password')
$extra_config = {
admin_password => $admin_password,
backup_password => $backup_password,
dbhost => $dbhost,
dbname => $dbname,
dbuser => $dbuser,
drive_email_template_plain_text_left => hiera($environment)['drive_email_template_plain_text_left'],
drive_email_template_text_left => hiera($environment)['drive_email_template_text_left'],
drive_email_template_url_left => hiera($environment)['drive_email_template_url_left'],
mariadb_dir => "/opt/multinode/${customer}/mariadb-${customer}",
mycnf_path => 'sunetdrive/multinode/my.cnf.erb',
mysql_root_password => $mysql_root_password,
mysql_user_password => $mysql_user_password,
trusted_domains => $trusted_domains,
trusted_proxies => $trusted_proxies,
}
$config = deep_merge($customer_config, $extra_config)
ensure_resource('file', "/opt/multinode/${customer}" , { ensure => directory, recurse => true } )
# Use the other sunetdrive classes with overridden config
$db_ip = ['127.0.0.1']
$app_compose = sunet::docker_compose { "drive_${customer}_app_docker_compose":
content => template('sunetdrive/multinode/docker-compose_nextcloud.yml.erb'),
service_name => "nextcloud-${customer}",
compose_dir => "/opt/multinode/${customer}",
compose_filename => 'docker-compose.yml',
description => "Nextcloud application for ${customer}",
require => File[$config_php_path,
'/opt/nextcloud/apache.php.ini',
'/opt/nextcloud/cli.php.ini',
"/opt/multinode/${customer}/complete_reinstall.sh",
],
}
$cache_compose = sunet::docker_compose { "drive_${customer}_redis_docker_compose":
content => template('sunetdrive/multinode/docker-compose_cache.yml.erb'),
service_name => "redis-${customer}",
compose_dir => "/opt/multinode/${customer}",
compose_filename => 'docker-compose.yml',
description => "Redis cache server for ${customer}",
require => File[$redis_conf_path],
}
sunetdrive::app_type { "app_${customer}":
location => $location,
override_config => $config,
override_compose => $app_compose,
}
file { $redis_conf_dir:
ensure => directory,
recurse => true,
}
$redis_config = file { $redis_conf_path:
ensure => present,
content => template('sunetdrive/multinode/redis.conf.erb'),
mode => '0666',
require => [ File[$redis_conf_dir]]
}
sunetdrive::cache_type { "cache_${customer}":
location => $location,
override_config => $config,
override_compose => $cache_compose,
override_redis_conf => $redis_config,
require => File[$redis_conf_path],
}
file { $config_php_path:
ensure => present,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/application/config.php.erb'),
mode => '0644',
}
file { $cron_log_path:
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
mode => '0644',
}
file { $nextcloud_log_path:
ensure => file,
force => true,
owner => 'www-data',
group => 'root',
mode => '0644',
}
file { $rclone_conf_path:
ensure => present,
owner => 'www-data',
group => 'root',
content => template('sunetdrive/multinode/rclone.conf.erb'),
mode => '0644',
}
file { "/opt/multinode/${customer}/complete_reinstall.sh":
ensure => file,
force => true,
owner => 'root',
group => 'root',
content => template('sunetdrive/multinode/complete_reinstall.erb.sh'),
mode => '0744',
}
# Open ports
sunet::misc::ufw_allow { "https_port_${customer}":
from => '0.0.0.0',
port => $https_port,
}
}
}