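# @summary
#   Message broker for the communication module.
#
# Sets up the message broker for the communication module in the
# new exam system: build dependencies, a firewall opening for TCP/31337
# towards the LiU networks, a dedicated system user, the TLS material,
# a checkout of the communication repository, a build via on_update.sh
# and the systemd service that runs the result.
#
# @param gitlab_token
#   GitLab access token used in the HTTPS clone URL for
#   gitlab.liu.se/upp-aes/communication.git. It only needs read access
#   to that repository. Supply it through Hiera (automatic parameter
#   lookup as `aes::broker::gitlab_token`), preferably from an encrypted
#   backend such as hiera-eyaml; it must never be written into this
#   manifest.
#
#   NOTE(review): the revision this replaces embedded the token literally
#   in the clone URL, i.e. in the module repository and in every catalog.
#   That token has to be treated as compromised and rotated in GitLab.
#
class aes::broker (
  String[1] $gitlab_token,
) {
  $broker_user    = 'broker'
  $broker_group   = $broker_user
  $broker_home    = "/srv/${broker_user}"
  $broker_service = 'aes_broker'

  # Build dependencies and the firewall opening. Only the RedHat family
  # is supported; anything else refuses to compile.
  #
  # NOTE(review): fact('os.family') is 'RedHat' on CentOS as well, so the
  # 'CentOS' arm below can never be selected and CentOS hosts take the
  # firewalld branch; os.name was probably the intended fact. Left as is,
  # confirm which hosts rely on which branch before changing.
  case fact('os.family') {
    'RedHat': {
      package { ['boost', 'boost-devel']:
        ensure => installed,
      }

      # TCP/31337 is only opened in the 'liu' zone, i.e. towards the LiU
      # networks, and accepted without logging.
      firewalld_custom_service { 'aes-broker':
        description => 'Authentic Examination System server',
        ports       => [
          { port => '31337', protocol => 'tcp' },
        ],
      }

      @firewalld_rich_rule {
        default:
          service => 'aes-broker',
          log     => false;
        'Accept aes-broker in LiU networks without logging IPv4':
          zone   => 'liu',
          family => 'ipv4',
          action => 'accept';
        'Accept aes-broker in LiU networks without logging IPv6':
          zone   => 'liu',
          family => 'ipv6',
          action => 'accept';
      }
    }
    'CentOS': {
      # Sadly, it does not seem like we can install only asio, so we need
      # to install Boost as a whole.
      package { ['boost169', 'boost169-devel']:
        ensure => installed,
      }

      # Same opening as above, expressed for the server_firewall rules
      # format: TCP/31337 accepted on INPUT from the liu-nets class only.
      ::server_firewall::rules_file { '45-permit_aes_broker.rules':
        # lint:ignore:strict_indent heredoc failing...
        content => @(EOF),
          service aesbroker is tcp/31337
          policy chain INPUT is accept
            service:aesbroker from class:liu-nets
          end policy
          |-EOF
        # lint:endignore:strict_indent
      }
    }
    default: {
      fail("${module_name} - Not supported for family ${fact('os.family')}.")
    }
  }

  # Pick the TLS material and the git branch from the host name. Any
  # other host is refused at compile time: the previous behaviour was to
  # continue with $server_type undef, which yields source paths such as
  # ".../cert/_key.pem" and an undef vcsrepo revision, and only fails
  # (less clearly) on the agent.
  if $facts['networking']['fqdn'] == 'aes.edu.liu.se' {
    $server_type = 'production'
  } elsif $facts['networking']['fqdn'] == 'aes-devel.edu.liu.se' {
    $server_type = 'devel'
  } else {
    fail("${module_name} - No broker configuration for host ${facts['networking']['fqdn']}.")
  }

  # Dedicated, non-interactive system account that owns the checkout,
  # the build and the TLS material.
  user { $broker_user:
    ensure     => present,
    home       => $broker_home,
    comment    => 'Message broker for AES',
    managehome => false,
    membership => inclusive,
    system     => true,
    shell      => '/sbin/nologin',
  }

  file { $broker_home:
    ensure => directory,
    owner  => $broker_user,
    group  => $broker_group,
    mode   => '0755',
  }

  file { "/etc/systemd/system/${broker_service}.service":
    ensure => file,
    owner  => root,
    group  => root,
    mode   => '0644',
    source => "puppet:///modules/${module_name}/broker/broker.service",
  }

  # Build/update hook, executed as the broker user by the exec below.
  file { "${broker_home}/on_update.sh":
    ensure => file,
    owner  => $broker_user,
    group  => $broker_group,
    mode   => '0755',
    source => "puppet:///modules/${module_name}/broker/on_update.sh",
  }

  # TLS material, readable by the broker only. key.pem and password are
  # secrets: mode 0600 (these are regular files, not executables, so the
  # previous 0700 granted a needless x bit), no diff in reports/logs and
  # no filebucket copy. cert.pem is public and merely read-only.
  #
  # NOTE(review): the sources are puppet:///modules/... paths, so the
  # private key and its password are shipped from this module's files/
  # directory, i.e. the same repository as the code. Rendering them with
  # `content` from an encrypted backend (hiera-eyaml, a secrets store)
  # would keep them out of the module repository.
  file { "${broker_home}/ssl":
    ensure => directory,
    owner  => $broker_user,
    group  => $broker_group,
    mode   => '0700',
  }

  file { "${broker_home}/ssl/cert.pem":
    ensure => file,
    owner  => $broker_user,
    group  => $broker_group,
    mode   => '0644',
    source => "puppet:///modules/${module_name}/broker/cert/${server_type}_cert.pem",
  }

  file { "${broker_home}/ssl/key.pem":
    ensure    => file,
    owner     => $broker_user,
    group     => $broker_group,
    mode      => '0600',
    show_diff => false,
    backup    => false,
    source    => "puppet:///modules/${module_name}/broker/cert/${server_type}_key.pem",
  }

  file { "${broker_home}/ssl/password":
    ensure    => file,
    owner     => $broker_user,
    group     => $broker_group,
    mode      => '0600',
    show_diff => false,
    backup    => false,
    source    => "puppet:///modules/${module_name}/broker/cert/${server_type}_password",
  }

  # Checkout of the communication repository, tracking the branch named
  # after the server type ('production' or 'devel').
  #
  # NOTE(review): with `ensure => latest` the host rebuilds from the tip
  # of a mutable branch on every Puppet run, so anyone who can push to
  # that branch can run code as the broker user here; pinning `revision`
  # to a tag or commit would close that. Git also persists the remote URL,
  # token included, in ${broker_home}/src/.git/config, so that tree must
  # not be readable by other local users - or use a deploy key via the
  # `identity` attribute instead of an HTTPS token.
  vcsrepo { "${broker_home}/src":
    ensure   => latest,
    provider => git,
    source   => "https://oauth2:${gitlab_token}@gitlab.liu.se/upp-aes/communication.git",
    revision => $server_type,
    owner    => $broker_user,
    group    => $broker_group,
    notify   => Exec['compile-broker-repo'],
  }

  # Build the broker from the checkout, as the broker user with a minimal
  # PATH and HOME. `creates` makes this a one-shot build on a fresh host.
  #
  # NOTE(review): Puppet's exec honours `creates` when refreshed as well,
  # so once bin/broker exists the notify from the vcsrepo above does not
  # appear to trigger a rebuild on later repository updates. If rebuilds
  # on update are intended, `refreshonly => true` without `creates` (or
  # on_update.sh removing bin/broker first) is the usual shape; confirm
  # against on_update.sh before changing.
  exec { 'compile-broker-repo':
    user        => $broker_user,
    group       => $broker_group,
    cwd         => $broker_home,
    path        => '/bin:/usr/bin',
    environment => ["HOME=${broker_home}"],
    command     => "${broker_home}/on_update.sh",
    require     => File["${broker_home}/on_update.sh"],
    creates     => "${broker_home}/bin/broker",
    notify      => Service[$broker_service],
  }

  # The unit file is not autorequired by the service resource, so order
  # it explicitly; otherwise a first run may try to start a unit that
  # does not exist yet.
  service { $broker_service:
    ensure  => 'running',
    enable  => true,
    require => File["/etc/systemd/system/${broker_service}.service"],
  }
}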