diff --git a/manifests/foliofront.pp b/manifests/foliofront.pp
index d27b4f62da463e1a18a6adba26f7a4430ffe586d..a3aecff6e68e7a7c1668cfa5a62316e6d6c31b3d 100644
--- a/manifests/foliofront.pp
+++ b/manifests/foliofront.pp
@@ -1,8 +1,192 @@
-# @summary A short summary of the purpose of this class
-#
-# A description of what this class does
-#
-# @example
-# include folioscripts::foliofront
+# @summary Setup a front facing node for folio
 class folioscripts::foliofront {
+ include profiles::letsencrypt
+ include apache
+ include apache::mod::proxy
+
+ package { 'nodejs':
+ ensure => 'installed',
+ }
+
+ exec {
+ default:
+ path => ['/usr/local/bin', '/bin', '/usr/bin', '/sbin'],
+ refreshonly => true;
+ 'n-from-npm':
+ command => 'npm install n -g',
+ require => Package['nodejs'];
+ 'nodejs-lts':
+ command => 'n lts',
+ require => Exec['n-from-npm'];
+ }
+
+ file { '/usr/bin/node':
+ ensure => 'link',
+ source => '/usr/local/bin/node', # lint:ignore:source_without_rights
+ require => Exec['nodejs-lts'],
+ }
+
+ exec { 'install pm2':
+ command => '/bin/npm install pm2 -g',
+ unless => '/bin/test -d /usr/local/lib/node_modules/pm2',
+ require => Package['nodejs'],
+ }
+
+ user { 'pm2runner':
+ ensure => 'present',
+ comment => 'pm2 owner',
+ system => 'yes',
+ }
+ group {
+ default:
+ ensure => 'present';
+ 'api':
+ members => ['andfa93', 'hakan95', 'hakjo91', 'folio-cron'];
+ 'pm2':
+ members => ['andfa93', 'hakan95', 'hakjo91', 'pm2runner'];
+ }
+
+ Group <| title == 'ssl-cert' |> { members +> ['andfa93', 'pm2runner', 'hakan95', 'hakjo91'] }
+
+ file { '/opt/liu/foliofront':
+ ensure => directory,
+ owner => 'andfa93',
+ group => 'api',
+ mode => '0775',
+ }
+
+ vcsrepo { '/opt/liu/foliofront/foliofront-node-root':
+ ensure => latest,
+ provider => git,
+ source => 'https://git:glpat-F5y74GSXSm6FrQBD5wM5@gitlab.liu.se/ub-utveckling/webb/folio-projekt/foliofront-node-root.git',
+ notify => [Exec['do npm install of foliofront'],],
+ }
+
+ exec { 'do npm install of foliofront':
+ command => '/bin/npm install',
+ refreshonly => true,
+ cwd => '/opt/liu/foliofront/foliofront-node-root',
+ }
+
+ file { '/opt/liu/foliofront/foliofront-node-root/logs':
+ ensure => directory,
+ group => 'api',
+ mode => '0770',
+ require => [Vcsrepo['/opt/liu/foliofront/foliofront-node-root'],],
+ }
+
+ systemd::manage_unit { 'foliofront.service':
+ unit_entry => {
+ 'Description' => 'Run the foliofront node application',
+ },
+ service_entry => {
+ 'Type' => 'simple',
+ 'ExecStart' => '',
+ 'User' => 'postgres',
+ },
+ }
+
+ user { 'folio-cron':
+ ensure => present,
+ expiry => absent,
+ managehome => true,
+ password => '*',
+ }
+
+ file { '/etc/sudoers.d/folio-cron':
+ ensure => file,
+ owner => 'root',
+ mode => '0440',
+ source => "puppet:///modules/${module_name}/folio-cron",
+ }
+ #vcsrepo { '/opt/liu/folio_scripts':
+ # ensure => latest,
+ # provider => git,
+ # source => 'https://git:glpat-F5y74GSXSm6FrQBD5wM5@gitlab.liu.se/ub-utveckling/skript/folio-projekt/folio_scripts.git',
+ #}
+
+ apache::vhost { 'default:80':
+ servername => fact('networking.fqdn'),
+ default_vhost => true,
+ port => 80,
+ docroot => '/var/www/html',
+ redirect_status => 'permanent',
+ redirect_dest => "https://${fact('networking.fqdn')}/",
+ }
+
+ apache::vhost { "${fact('networking.fqdn')}:443":
+ servername => fact('networking.fqdn'),
+ port => 443,
+ docroot => '/var/www/html',
+ options => ['FollowSymLinks',],
+ docroot_owner => 'apache',
+ ssl => true,
+ ssl_cert => fact("letsencrypt_certs.\"${fact('networking.fqdn')}\".files.cert"),
+ ssl_chain => fact("letsencrypt_certs.\"${fact('networking.fqdn')}\".files.chain"),
+ ssl_key => fact("letsencrypt_certs.\"${fact('networking.fqdn')}\".files.key"),
+ headers => ['Set Strict-Transport-Security "max-age=315536000"',],
+ proxy_preserve_host => true,
+ allow_encoded_slashes => 'on',
+ proxy_pass => [
+ {
+ 'path' => '/',
+ 'url' => 'http://localhost:3000/',
+ },
+ ],
+ # lint:ignore:140chars
+ custom_fragment => '
+ <Location />
+ Order deny,allow
+ Allow from all
+ </Location>
+',
+ # lint:endignore
+ }
+
+ if fact('server_firewall_provider') == 'firewalld' {
+ server_firewall::address_set { 'vpn':
+ addresses => [
+ '130.236.110.0/24',
+ '10.240.0.0/12',
+ ],
+ }
+
+ firewalld_rich_rule { 'Access ssh from VPN':
+ service => 'ssh',
+ family => 'ipv4',
+ zone => 'liu',
+ action => 'accept',
+ source => { 'ipset' => 'vpn_v4', },
+ }
+
+ firewalld_service {
+ default:
+ ensure => present,
+ zone => 'public';
+ 'Apache web http public access':
+ service => 'http';
+ 'Apache web https public access':
+ service => 'https';
+ }
+
+ firewalld_service {
+ default:
+ ensure => present,
+ zone => 'liu';
+ 'Apache web http liu access':
+ service => 'http';
+ 'Apache web https liu access':
+ service => 'https';
+ }
+ } else {
+ server_firewall::rules_file { '59-permit_vpn_ssh.rules':
+ content => file("${module_name}/permit_vpn_ssh.rules"),
+ }
+ server_firewall::rules_file { '58-permit_api.rules':
+ content => file("${module_name}/permit_api.rules"),
+ }
+ server_firewall::rules_file { '57-permit_www.rules':
+ content => file("${module_name}/permit_www.rules"),
+ }
+ }
 }
diff --git a/metadata.json b/metadata.json
index 7ae93a3f2775b93f720abbb9bbb4a7c855e7beac..fadfd532ace26f7d6df314edd2b0941efa980692 100644
--- a/metadata.json
+++ b/metadata.json
@@ -6,6 +6,14 @@
 "license": "Apache-2.0",
 "source": "",
 "dependencies": [
+ {
+ "name": "liuit-profiles",
+ "version_requirement": ">= 0.0.0 < 1.0.0"
+ },
+ {
+ "name": "puppetlabs-apache",
+ "version_requirement": ">= 5.0.0 < 11.0.0"
+ },
 ],
 "operatingsystem_support": [
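Review bot: The `vcsrepo { '/opt/liu/foliofront/foliofront-node-root' }` source URL embeds a GitLab project access token (`git:glpat-…@gitlab.liu.se`), and the same token appears again in the commented-out `folio_scripts` block, so the secret is now in the manifest, in git history, and in every compiled catalog and agent report. That token should be treated as compromised and revoked, and the clone switched to a read-only deploy key over SSH, e.g. `source => 'git@gitlab.liu.se:ub-utveckling/webb/folio-projekt/foliofront-node-root.git', identity => '/etc/puppetlabs/keys/foliofront_deploy'`, or built from a Hiera value wrapped in `Sensitive` if HTTPS must stay. Relatedly, `exec { 'do npm install of foliofront' }` sets no `user`, so package lifecycle scripts from the checked-out repo run as root, while the parent `/opt/liu/foliofront` is mode `0775` group `api` whose members look like personal accounts; giving the vcsrepo and the npm exec `user => 'pm2runner'` would keep a compromised account or dependency from reaching root. The `foliofront.service` unit also has an empty `'ExecStart' => ''` and `'User' => 'postgres'` rather than the `pm2runner` account this class creates, which looks like a placeholder that will not start and is worth confirming before merge.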