diff --git a/manifests/fail2ban.pp b/manifests/fail2ban.pp
new file mode 100644
index 0000000..73cefba
--- /dev/null
+++ b/manifests/fail2ban.pp
@@ -0,0 +1,55 @@
+# == Define: redmine::fail2ban
+#
+# Fail2ban configuration for redmine. NOTE: name of the resource is
+# restricted to 29 - len(fail2ban-rm-) characters => 17
+# characters. This is due to a limit on iptable chain names.
+#
+# === Parameters
+#
+# [*root_dir*]
+# root directory
+# [*ports*]
+# optional port list - defaults to standard http and https
+# [*bantime*]
+# see fail2ban::jail
+# [*maxretry*]
+# see fail2ban::jail
+#
+# === Examples
+#
+# redmine::fail2ban { 'redmine.example':
+# root_dir => '/srv/www/redmine.example.net',
+# }
+#
+# === Authors
+#
+# Braiins Systems s.r.o.
+#
+# === Copyright
+#
+# Copyright 2015 Braiins Systems s.r.o.
+#
+define redmine::fail2ban(
+ $port=['80', '443'],
+ $bantime=15,
+ $maxretry=3,
+ $serveraliases=[],
+ $root_dir,
+) {
+ $fail2ban_name = "rm-${title}"
+ # Check the supplied title to prevent exceeding the iptables chain name limit
+ if size($title) > 17 {
+ fail("redmine::fail2ban - title '${title}' longer than 17 characters, iptables chain name: '${fail2ban_name}' would exceed iptables limit, make the resource name shorter!")
+ }
+ fail2ban::filter { $fail2ban_name:
+ filterfailregex => 'Failed login for \'.*\' from .*$',
+ } ->
+ # The jail uses the default iptables multiport ban action
+ fail2ban::jail { $fail2ban_name:
+ logpath => "${root_dir}/current/log/production.log",
+ bantime => $bantime,
+ maxretry => $maxretry,
+ port => $port,
+ filter => $fail2ban_name,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 8d15594..4c71476 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
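Review bot: The failregex given to fail2ban::filter has no `<HOST>` capture, so fail2ban has nothing to ban from a matching log line; fail2ban treats a failregex without that group as invalid, so the jail would most likely refuse to load rather than just do nothing. The line should read `filterfailregex => 'Failed login for \'.*\' from <HOST>',` (a tighter anchor can be added once the exact Redmine log format is confirmed). Two smaller things in the same hunk: the header documents `[*ports*]` while the parameter is `$port`, and `$serveraliases` is accepted but never used anywhere in the define. The 17-character title check is consistent with the `fail2ban-rm-` prefix arithmetic in the header comment.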
@@ -23,7 +23,8 @@ $app_root = '/srv/redmine', $redmine_source = 'https://github.com/redmine/redmine.git', $redmine_revision = 'origin/2.3-stable', - $redmine_user = 'deployment', + $redmine_user = 'redmine', + $maintain_db = false, $db_adapter = 'mysql', $db_name = 'redminedb', $db_user = 'redminedbu', @@ -31,13 +32,13 @@ $db_host = 'localhost', $db_port = '3306', $mail_delivery_method = 'sendmail', - $mail_starttls = undefined, - $mail_address = undefined, - $mail_port = undefined, - $mail_domain = undefined, - $mail_authentication = undefined, - $mail_username = undefined, - $mail_password = undefined, + $mail_starttls = undef, + $mail_address = undef, + $mail_port = undef, + $mail_domain = undef, + $mail_authentication = undef, + $mail_username = undef, + $mail_password = undef, $rvm_ruby = '', ) { if $rvm_ruby != '' { 
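Review bot: `$maintain_db = false` is added to the parameter list with no documentation entry; the class header above this hunk presumably describes the other parameters, and from the later hunk the flag appears to gate only the Debian branch's database client/dev packages. A line such as `# [*maintain_db*] install the DB client/dev packages needed to build the adapter gem (currently honoured on Debian only)` would tell callers what the flag controls, and the doc should say that a fresh Debian install no longer gets those packages unless it is set. The class parameter list starts outside the hunk.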
@@ -51,52 +52,75 @@ pgsql => 'development test mysql' } + case $::osfamily { 'Debian': { - case $db_adapter { - 'mysql': { - if !defined(Package['libmysql++-dev']) { - package { 'libmysql++-dev': - ensure => installed, - before => Exec['redmine-bundle'], + if $maintain_db { + case $db_adapter { + 'mysql': { + if !defined(Package['libmysql++-dev']) { + package { 'libmysql++-dev': + ensure => installed, + before => Exec['redmine-bundle'], + } } - } - if !defined(Package['libmysqlclient-dev']) { - package { 'libmysqlclient-dev': - ensure => installed, - before => Exec['redmine-bundle'], + if !defined(Package['libmysqlclient-dev']) { + package { 'libmysqlclient-dev': + ensure => installed, + before => Exec['redmine-bundle'], + } } } - } - 'pgsql': { - if !defined(Package['libpq-dev']) { - package { 'libpq-dev': - ensure => installed, - before => Exec['redmine-bundle'], + + 'pgsql': { + if !defined(Package['libpq-dev']) { + package { 'libpq-dev': + ensure => installed, + before => Exec['redmine-bundle'], + } } - } - if !defined(Package['postgresql-client']) { - package { 'postgresql-client': - ensure => installed, - before => Exec['redmine-bundle'], + if !defined(Package['postgresql-client']) { + package { 'postgresql-client': + ensure => installed, + before => Exec['redmine-bundle'], + } } } } } + if !defined(Package['bundler']) { + package { 'bundler': + ensure => latest, + provider => 'gem', + before => Exec['redmine-bundle'], + } + } + if !defined(Package['imagemagick']) { + package { 'imagemagick': + ensure => present, + before => Exec['redmine-bundle'], + } + } + if !defined(Package['ruby-all-dev']) { + package { 'ruby-all-dev': + ensure => present, + before => Exec['redmine-bundle'], + } + } if !defined(Package['libmagickcore-dev']) { package { 'libmagickcore-dev': - ensure => latest, + ensure => present, before => Exec['redmine-bundle'], } } if !defined(Package['libmagickwand-dev']) { package { 'libmagickwand-dev': - ensure => latest, + ensure => present, before 
=> Exec['redmine-bundle'], } } - } # Debian pre-requists + } # Redhat pre-requists 'Redhat': { $db_packages = $db_adapter ? { mysql => ['mysql-devel'], @@ -129,12 +153,15 @@ before => Exec['redmine-bundle'], } } - } # Redhat pre-requists + } # Default OS pre-requists default: { err "${::osfamily} not supported yet" } } + class { 'puma': + require => Package['ruby-all-dev'], + } -> puma::app { 'redmine': app_root => $app_root, app_user => $redmine_user, @@ -143,6 +170,7 @@ db_password => $db_password, db_host => $db_host, db_port => $db_port, + db_name => $db_name, rvm_ruby => $rvm_ruby, } @@ -203,10 +231,10 @@ } exec { 'redmine-bundle': - path => '/bin:/usr/bin', - command => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle --without ${without_gems}'", + path => '/usr/local/bin:/bin:/usr/bin', + command => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle install --path ~/.gem --without ${without_gems}'", unless => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle check'", - require => Vcsrepo["${app_root}/current"], + require => [ Vcsrepo["${app_root}/current"], File["${app_root}/current/config/database.yml"] ], notify => Service['redmine'], user => $redmine_user, group => $redmine_user, @@ -214,10 +242,10 @@ } exec { "redmine-migrate": - path => "/bin:/usr/bin", - unless => "bash -c '${rvm_prefix}cd ${app_root}/current; RAILS_ENV=production bundle exec rake db:abort_if_pending_migrations'", + path => "/usr/local/bin:/bin:/usr/bin", command => "bash -c '${rvm_prefix}cd ${app_root}/current; RAILS_ENV=production bundle exec rake db:migrate'", - require => [ Exec['redmine-bundle'], File["${app_root}/current/config/database.yml"] ], + unless => "bash -c '${rvm_prefix}cd ${app_root}/current; RAILS_ENV=production bundle exec rake db:abort_if_pending_migrations'", + require => Exec['redmine-bundle'], notify => Service["redmine"], user => $redmine_user, group => $redmine_user, 
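Review bot: `package { 'bundler': ensure => latest, provider => 'gem', ... }` in the Debian branch installs whatever version rubygems.org serves at the time and re-evaluates it on every agent run, so the app's build toolchain is unpinned and can change underneath a deployment, and each upgrade re-triggers Exec['redmine-bundle'] through `before`. The hunk already moves libmagickcore-dev and libmagickwand-dev from `latest` to `present`; bundler deserves the same treatment with an explicit tested version, e.g. `ensure => '<pinned bundler version>',`. The enclosing class and the Redhat branch continue outside this hunk.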
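Review bot: `class { 'puma': require => Package['ruby-all-dev'], }` references a resource that, in the visible code, is declared only inside the `'Debian'` branch of `case $::osfamily`, so a catalog built for the `'Redhat'` branch (whose package list is partly outside this hunk) or the `default` branch would fail on the unresolved dependency unless that branch declares the same package somewhere I cannot see. Either declare an equivalent package in the other branches or make the dependency conditional, along the lines of `require => $::osfamily ? { 'Debian' => Package['ruby-all-dev'], default => undef },`. The class body continues outside the hunk.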
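Review bot: `bundle install --path ~/.gem` depends on `~` expanding to `$redmine_user`'s home, but Puppet's exec does not, to my knowledge, reset HOME when it switches to `user`, so the shell may expand `~` to the invoking user's home (typically root's) and either fail on permissions or install gems there; the `bundle check` in `unless` has the same ambiguity, so the guard and the install could disagree. Setting the home explicitly on the exec, `environment => ["HOME=<redmine user home>"]`, or using an absolute path such as `--path ${app_root}/.gem`, removes the guesswork. The exec's remaining attributes continue outside the hunk.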
@@ -225,10 +253,11 @@ } exec { "redmine-configure": - require => Exec['redmine-migrate'], - path => "/bin:/usr/bin", + path => "/usr/local/bin:/bin:/usr/bin", command => "bash -c '${rvm_prefix}cd ${app_root}/current; RAILS_ENV=production bundle exec rake generate_secret_token; REDMINE_LANG=en RAILS_ENV=production bundle exec rake redmine:load_default_data'; touch ${app_root}/.configured", unless => "[ -f ${app_root}/.configured ]", + require => Exec['redmine-migrate'], + notify => Service["redmine"], user => $redmine_user, group => $redmine_user, timeout => 600, diff --git a/manifests/plugin.pp b/manifests/plugin.pp index 4679991..aa6677a 100644 --- a/manifests/plugin.pp +++ b/manifests/plugin.pp @@ -16,11 +16,12 @@ define redmine::plugin ( - $provider = 'git', - $source = undef, - $revision = "origin/master", - $migrate = false, - $rake = [], + $provider = 'git', + $source = undef, + $revision = 'origin/master', + $install_command = undef, + $migrate = false, + $rake = [], ) { $rvm_ruby = $redmine::rvm_ruby @@ -49,9 +50,10 @@ -> exec { "bundle-${name}-plugin": - path => '/bin:/usr/bin', - command => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle --without ${redmine::without_gems}'", - unless => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle check'", + path => '/usr/local/bin:/bin:/usr/bin', + command => install_command ? { undef => '/bin/true', + default => "bash -c '${rvm_prefix}cd ${app_root}/current; ${install_command}'", + }, notify => Service['redmine'], user => $redmine_user, group => $redmine_user, @@ -61,7 +63,7 @@ -> exec { "migrate-${name}-plugin": - path => "/usr/bin:/bin", + path => '/usr/local/bin:/usr/bin:/bin', user => $redmine_user, command => $migrate ? { true => "bash -c '${rvm_prefix}cd ${redmine_dir}; RAILS_ENV=production bundle exec rake db:migrate'", diff --git a/manifests/vhost_nginx.pp b/manifests/vhost_nginx.pp new file mode 100644 index 0000000..cda349e --- /dev/null +++ b/manifests/vhost_nginx.pp 
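Review bot: `command => install_command ? { undef => '/bin/true',` is missing the `$` sigil, so the selector compares the bare word `'install_command'`, never matches `undef`, and always takes the default branch; with `$install_command` unset that runs `bash -c '...cd ${app_root}/current; '`, which succeeds silently. It should read `command => $install_command ? {`. Separately, the hunk drops the previous `unless => bundle check` guard without adding any `creates`/`unless`/`refreshonly`, so `Exec["bundle-${name}-plugin"]` now runs on every agent run and, via `notify`, restarts Service['redmine'] each time; a `refreshonly => true` driven by whatever the leading `->` chains from (outside the hunk), or a `creates` marker, would restore idempotence. The new `$install_command` parameter in this file's earlier hunk also has no entry in the define's documentation header, which lives above it.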
@@ -0,0 +1,52 @@ +# == Define: redmine::vhost_nginx +# +# Generates a vhost for redmine in nginx web server configuration +# +# === Parameters +# +# [*port*] +# port where this vhost should listen +# [*priority*] +# priority of the site configuration file +# [*serveraliases*] +# list of aliases of the vhost +# [*root_dir*] +# root directory of the redmine installation +# [*max_attachment_size*] +# maximum size of the attachment +# +# === Examples +# +# redmine::vhost_nginx { 'redmine.example.net': +# root_dir => '/srv/www/redmine.example.net', +# } +# +# === Authors +# +# Braiins Systems s.r.o. +# +# === Copyright +# +# Copyright 2015 Braiins Systems s.r.o. +# +define redmine::vhost_nginx( + $port='80', + $priority='50', + $max_attachment_size='20M', + $serveraliases=[], + $root_dir, +) { + nginx::vhost { $title: + port => $port, + priority => $priority, + docroot => undef, + create_docroot => false, + template => 'redmine/nginx_redmine_site.conf.erb', + options => { + 'serveraliases' => $serveraliases, + 'upstream_web' => "upstream-web-puma-redmine-${title}", + 'upstream_socket_path' => "${root_dir}/current/tmp/sockets/puma.socket", + 'client_max_body_size' => $max_attachment_size, + } + } +} diff --git a/templates/configuration.yml.erb b/templates/configuration.yml.erb index 0815f83..542c726 100644 --- a/templates/configuration.yml.erb +++ b/templates/configuration.yml.erb @@ -1,6 +1,12 @@ production: email_delivery: delivery_method: :<%= @mail_delivery_method %> +<% if @mail_delivery_method = 'sendmail' -%> + sendmail_settings: +<% if @operatingsystem = 'Debian' -%> + arguments: "-i" +<% end %> +<% else %> smtp_settings: <% unless @mail_starttls.nil? -%> enable_starttls_auto: <%= @mail_starttls ? 'true' : 'false' %> @@ -23,3 +29,4 @@ production: <% if @mail_password -%> password: <%= @mail_password %> <% end -%> +<% end -%> diff --git a/templates/nginx_redmine_site.conf.erb b/templates/nginx_redmine_site.conf.erb new file mode 100644 index 0000000..da3ad49 
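Review bot: Both new ERB conditions use assignment instead of comparison: `<% if @mail_delivery_method = 'sendmail' -%>` and `<% if @operatingsystem = 'Debian' -%>` assign the string and are therefore always true, so the `else` branch holding `smtp_settings:` can never be rendered and any SMTP configuration, including the username/password the later lines emit, is silently dropped. They should read `<% if @mail_delivery_method == 'sendmail' -%>` and `<% if @operatingsystem == 'Debian' -%>`. The added `<% end %>` and `<% else %>` also lack the `-%>` newline suppression used by the surrounding tags, which leaves stray blank lines in the YAML. Since this file carries `password:` in clear text, the file resource that deploys the template (not in this diff) should restrict its mode to the redmine user.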
--- /dev/null
+++ b/templates/nginx_redmine_site.conf.erb
@@ -0,0 +1,25 @@
+# Virtual host <%= @name %>
+# This file has been provided by puppet for <%= @fqdn %>.
+# DON'T EDIT it manually, any changes will be lost
+#
+
+upstream <%= @options['upstream_web'] %> {
+ server unix:<%= @options['upstream_socket_path'] %>;
+}
+
+server {
+ listen <%= @port %>;
+ server_name <%= @name %> <%= @options['serveraliases'].join(" ") %>;
+
+ access_log <%= scope.lookupvar('nginx::log_dir')%>/<%= @title %>.access.log;
+ error_log <%= scope.lookupvar('nginx::log_dir')%>/<%= @title %>.error.log;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://<%= @options['upstream_web'] %>;
+ client_max_body_size <%= @options['client_max_body_size'] %>;
+ client_body_buffer_size 128k;
+ }
+}
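Review bot: The template names the same vhost through both `@name` (comment and `server_name`) and `@title` (the two log file names); using one of them consistently, e.g. `@name` as the other substitutions do, makes the generated file easier to trace back to its resource. `server_name <%= @name %> <%= @options['serveraliases'].join(" ") %>` assumes `serveraliases` is an array — a scalar passed to the define would raise on `join` at catalog compile — so the define could coerce it or the docs should state the type. Minor: `<%= scope.lookupvar('nginx::log_dir')%>` is missing the space before `%>` that the other tags have. The `X-Forwarded-For` value built with `$proxy_add_x_forwarded_for` is the client-supplied header plus the connecting address, so anything downstream that reads it should trust only the entry this proxy appends.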