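# @summary Sets up mu4web
#
# Instantiates an nginx server (TLS via letsencrypt) fronting a gunicorn
# instance that runs the mu4web Flask application.
#
# @param package_name
#   Name of system package for mu4web
# @param server_name
#   Where mu4web should be made available
#   TODO Will currently CNAME that domain to gandalf.adrift.space
# @param wsgi_server
#   Address to use for wsgi (gunicorn) instance
# @param wsgi_port
#   Port to use for wsgi (gunicorn) instance
# @param wsgi_address
#   *Actual* address used by wsgi instance. Should be possible to
#   change this to a unix socket.
# @param wsgi_user
#   System user the gunicorn instance runs as; also the owner of the
#   Flask instance folder and its settings file.
# @param wsgi_group
#   Group the gunicorn instance runs as.
# @param www_root
#   Document root nginx serves static files from before falling back to
#   gunicorn. Must be a dedicated directory, never '/' or any directory
#   holding non-public files: the '/' location does `try_files $uri`
#   relative to it, so anything readable by the nginx worker under the
#   root is served verbatim. The directory need not exist; a missing
#   file simply falls through to gunicorn.
# @param secret_key
#   Secret key for flask instance. Generated once and cached on the
#   puppet server (extlib::cache_data) so it is stable across compiles.
class profiles::mu4web (
  String $package_name = 'mu4web',
  String $server_name = 'mail.adrift.space',
  String $wsgi_server = 'localhost',
  Stdlib::Port $wsgi_port = 8095,
  String $wsgi_address = "${wsgi_server}:${wsgi_port}",
  String $wsgi_user = 'hugo',
  String $wsgi_group = 'nobody',
  Stdlib::Absolutepath $www_root = "/var/www/${server_name}",
  Sensitive[String] $secret_key = Sensitive(extlib::cache_data('mu4web', 'mu4web_secret_key', extlib::random_password(24))),
) {
  include ::nginx
  include ::profiles::certificate

  letsencrypt::domain { $server_name:
    cert_name => $profiles::certificate::cert_name,
  }

  ensure_packages([$package_name])

  gunicorn::instance { 'mu4web':
    app     => 'mu4web.main:app',
    user    => $wsgi_user,
    group   => $wsgi_group,
    address => $wsgi_address,
  }

  # Flask instance folder, see
  # https://flask.palletsprojects.com/en/2.2.x/config/#instance-folders
  # Owned by the application user so the app can use it at runtime, but
  # not world-accessible since it holds the settings file with the secret.
  $instance_dir = '/usr/var/mu4web.main-instance'
  file { $instance_dir:
    ensure => directory,
    owner  => $wsgi_user,
    group  => $wsgi_group,
    mode   => '0750',
  }

  # settings.py carries the Flask secret key. It is readable only by the
  # application user, its content is wrapped in Sensitive so Puppet redacts
  # it from reports and logs, and show_diff is off so agent output never
  # prints it either (previously the file was created with default
  # ownership and mode, i.e. world-readable, and diffed in clear).
  # NOTE(review): the EPP template reads $secret_key from class scope; a
  # Sensitive value interpolates as "[value redacted]" unless the template
  # calls unwrap on it — confirm the template does so.
  file { "${instance_dir}/settings.py":
    ensure    => file,
    content   => Sensitive(epp("${module_name}/mu4web.py.epp")),
    owner     => $wsgi_user,
    group     => $wsgi_group,
    mode      => '0400',
    show_diff => false,
  }

  nginx::resource::server { $server_name:
    ipv6_enable          => true,
    ipv6_listen_options  => '',
    # Never '/' here: combined with `try_files $uri` below that would let
    # a client fetch any file the nginx worker can read (e.g. /etc/passwd).
    www_root             => $www_root,
    use_default_location => false,
    # No per-vhost log files; presumably falls back to the http-level
    # directives. NOTE(review): make sure the global access_log is not
    # 'off', or there is no request trail for this host.
    access_log           => absent,
    error_log            => absent,
    *                    => letsencrypt::conf::nginx($server_name),
  }

  # TODO generalize this: the record key is hard-coded to 'mail' and the
  # target to 'gandalf' regardless of $server_name.
  @@dns::record { $server_name:
    key   => 'mail',
    value => 'gandalf',
    type  => 'CNAME',
    zone  => "${facts['domain']}.",
  }

  # Only expose the application once the certificate exists on this host;
  # every location is TLS-only, so nothing is proxied over plain HTTP.
  # dig() tolerates the fact being absent on a fresh node (indexing an
  # undef value directly would abort the catalog).
  if $facts.dig('letsencrypt_directory', $server_name) {
    nginx::resource::location {
    default:
      server      => $server_name,
      ssl         => true,
      ssl_only    => true,
      index_files => [],
      ;
    # Static files from $www_root first, then the application.
    "${server_name} - mu4web /":
      location  => '/',
      try_files => ['$uri', '@gunicorn',],
      ;
    # gunicorn is reached over plain HTTP; $wsgi_address is expected to be
    # loopback (default localhost:8095) or a unix socket, never an address
    # reachable from the network.
    "${server_name} - mu4web @gunicorn":
      location => '@gunicorn',
      proxy    => "http://${wsgi_address}",
    }
  }
}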