add code from folianter

manifests/foliofront.pp

-# @summary A short summary of the purpose of this class
-#
-# A description of what this class does
-#
-# @example
-#   include folioscripts::foliofront
+# @summary Setup a front facing node for folio
 class folioscripts::foliofront {
+  include profiles::letsencrypt
+  include apache
+  include apache::mod::proxy
+
+  package { 'nodejs':
+    ensure => 'installed',
+  }
+
+  exec {
+    default:
+      path        => ['/usr/local/bin', '/bin', '/usr/bin', '/sbin'],
+      refreshonly => true;
+    'n-from-npm':
+      command => 'npm install n -g',
+      require => Package['nodejs'];
+    'nodejs-lts':
+      command => 'n lts',
+      require => Exec['n-from-npm'];
+  }
+
+  file { '/usr/bin/node':
+    ensure  => 'link',
+    source  => '/usr/local/bin/node', # lint:ignore:source_without_rights
+    require => Exec['nodejs-lts'],
+  }
+
+  exec { 'install pm2':
+    command => '/bin/npm install pm2 -g',
+    unless  => '/bin/test -d /usr/local/lib/node_modules/pm2',
+    require => Package['nodejs'],
+  }
+
+  user { 'pm2runner':
+    ensure  => 'present',
+    comment => 'pm2 owner',
+    system  => 'yes',
+  }
+  group {
+    default:
+      ensure  => 'present';
+    'api':
+      members => ['andfa93', 'hakan95', 'hakjo91', 'folio-cron'];
+    'pm2':
+      members => ['andfa93', 'hakan95', 'hakjo91', 'pm2runner'];
+  }
+
+  Group <| title == 'ssl-cert' |> { members +> ['andfa93', 'pm2runner', 'hakan95', 'hakjo91'] }
+
+  file { '/opt/liu/foliofront':
+    ensure => directory,
+    owner  => 'andfa93',
+    group  => 'api',
+    mode   => '0775',
+  }
+
+  vcsrepo { '/opt/liu/foliofront/foliofront-node-root':
+    ensure   => latest,
+    provider => git,
+    source   => 'https://git:glpat-F5y74GSXSm6FrQBD5wM5@gitlab.liu.se/ub-utveckling/webb/folio-projekt/foliofront-node-root.git',
+    notify   => [Exec['do npm install of foliofront'],],
+  }
+
+  exec { 'do npm install of foliofront':
+    command     => '/bin/npm install',
+    refreshonly => true,
+    cwd         => '/opt/liu/foliofront/foliofront-node-root',
+  }
+
+  file { '/opt/liu/foliofront/foliofront-node-root/logs':
+    ensure  => directory,
+    group   => 'api',
+    mode    => '0770',
+    require => [Vcsrepo['/opt/liu/foliofront/foliofront-node-root'],],
+  }
+
+  systemd::manage_unit { 'foliofront.service':
+    unit_entry    => {
+      'Description' => 'Run the foliofront node application',
+    },
+    service_entry => {
+      'Type'      => 'simple',
+      'ExecStart' => '',
+      'User'      => 'postgres',
+    },
+  }
+
+  user { 'folio-cron':
+    ensure     => present,
+    expiry     => absent,
+    managehome => true,
+    password   => '*',
+  }
+
+  file { '/etc/sudoers.d/folio-cron':
+    ensure => file,
+    owner  => 'root',
+    mode   => '0440',
+    source => "puppet:///modules/${module_name}/folio-cron",
+  }
+  #vcsrepo { '/opt/liu/folio_scripts':
+  #  ensure   => latest,
+  #  provider => git,
+  #  source   => 'https://git:glpat-F5y74GSXSm6FrQBD5wM5@gitlab.liu.se/ub-utveckling/skript/folio-projekt/folio_scripts.git',
+  #}
+
+  apache::vhost { 'default:80':
+    servername      => fact('networking.fqdn'),
+    default_vhost   => true,
+    port            => 80,
+    docroot         => '/var/www/html',
+    redirect_status => 'permanent',
+    redirect_dest   => "https://${fact('networking.fqdn')}/",
+  }
+
+  apache::vhost { "${fact('networking.fqdn')}:443":
+    servername            => fact('networking.fqdn'),
+    port                  => 443,
+    docroot               => '/var/www/html',
+    options               => ['FollowSymLinks',],
+    docroot_owner         => 'apache',
+    ssl                   => true,
+    ssl_cert              => fact("letsencrypt_certs.\"${fact('networking.fqdn')}\".files.cert"),
+    ssl_chain             => fact("letsencrypt_certs.\"${fact('networking.fqdn')}\".files.chain"),
+    ssl_key               => fact("letsencrypt_certs.\"${fact('networking.fqdn')}\".files.key"),
+    headers               => ['Set Strict-Transport-Security "max-age=315536000"',],
+    proxy_preserve_host   => true,
+    allow_encoded_slashes => 'on',
+    proxy_pass            => [
+      {
+        'path' => '/',
+        'url'  => 'http://localhost:3000/',
+      },
+    ],
+    # lint:ignore:140chars
+    custom_fragment       => '
+  <Location />
+    Order deny,allow
+    Allow from all
+  </Location>
+',
+    # lint:endignore
+  }
+
+  if fact('server_firewall_provider') == 'firewalld' {
+    server_firewall::address_set { 'vpn':
+      addresses => [
+        '130.236.110.0/24',
+        '10.240.0.0/12',
+      ],
+    }
+
+    firewalld_rich_rule { 'Access ssh from VPN':
+      service => 'ssh',
+      family  => 'ipv4',
+      zone    => 'liu',
+      action  => 'accept',
+      source  => { 'ipset' => 'vpn_v4', },
+    }
+
+    firewalld_service {
+      default:
+        ensure => present,
+        zone   => 'public';
+      'Apache web http public access':
+        service => 'http';
+      'Apache web https public access':
+        service => 'https';
+    }
+
+    firewalld_service {
+      default:
+        ensure => present,
+        zone   => 'liu';
+      'Apache web http liu access':
+        service => 'http';
+      'Apache web https liu access':
+        service => 'https';
+    }
+  } else {
+    server_firewall::rules_file { '59-permit_vpn_ssh.rules':
+      content => file("${module_name}/permit_vpn_ssh.rules"),
+    }
+    server_firewall::rules_file { '58-permit_api.rules':
+      content => file("${module_name}/permit_api.rules"),
+    }
+    server_firewall::rules_file { '57-permit_www.rules':
+      content => file("${module_name}/permit_www.rules"),
+    }
+  }
 }

metadata.json

@@ -6,6 +6,14 @@
   "license": "Apache-2.0",
   "source": "",
   "dependencies": [
+    {
+      "name": "liuit-profiles",
+      "version_requirement": ">= 0.0.0 < 1.0.0"
+    },
+    {
+      "name": "puppetlabs-apache",
+      "version_requirement": ">= 5.0.0 < 11.0.0"
+    },
 
   ],
   "operatingsystem_support": [