velaluqa · janbraiins · Jun 10, 2015 · Jun 10, 2015 · Jun 10, 2015 · Jun 10, 2015
diff --git a/manifests/fail2ban.pp b/manifests/fail2ban.pp
@@ -0,0 +1,55 @@
+# == Define: redmine::fail2ban
+#
+# Fail2ban configuration for redmine. NOTE: name of the resource is
+# restricted to 29 - len(fail2ban-rm-) characters => 17
+# characters. This is due to a limit on iptable chain names.
+#
+# === Parameters
+#
+# [*root_dir*]
+#   root directory
+# [*ports*]
+#    optional port list - defaults to standard http and https
+# [*bantime*]
+#    see fail2ban::jail
+# [*maxretry*]
+#    see fail2ban::jail
+#
+# === Examples
+#
+# redmine::fail2ban { 'redmine.example':
+#   root_dir => '/srv/www/redmine.example.net',
+# }
+#
+# === Authors
+#
+# Braiins Systems s.r.o.
+#
+# === Copyright
+#
+# Copyright 2015 Braiins Systems s.r.o.
+#
+define redmine::fail2ban(
+  $port=['80', '443'],
+  $bantime=15,
+  $maxretry=3,
+  $serveraliases=[],
+  $root_dir,
+) {
+  $fail2ban_name = "rm-${title}"
+  # Check the supplied title to prevent exceeding the iptables chain name limit
+  if size($title) > 17 {
+    fail("redmine::fail2ban - title '${title}' longer than 17 characters, iptables chain name: '${fail2ban_name}' would exceed iptables limit, make the resource name shorter!")
+  }
+  fail2ban::filter { $fail2ban_name:
+    filterfailregex => 'Failed login for \'.*\' from <HOST> .*$',
+  } ->
+  # The jail uses the default iptables multiport ban action
+  fail2ban::jail { $fail2ban_name:
+    logpath  => "${root_dir}/current/log/production.log",
+    bantime  => $bantime,
+    maxretry => $maxretry,
+    port     => $port,
+    filter   => $fail2ban_name,
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -23,21 +23,22 @@
   $app_root             = '/srv/redmine',
   $redmine_source       = 'https://github.com/redmine/redmine.git',
   $redmine_revision     = 'origin/2.3-stable',
-  $redmine_user         = 'deployment',
+  $redmine_user         = 'redmine',
+  $maintain_db          = false,
   $db_adapter           = 'mysql',
   $db_name              = 'redminedb',
   $db_user              = 'redminedbu',
   $db_password          = 'changeme',
   $db_host              = 'localhost',
   $db_port              = '3306',
   $mail_delivery_method = 'sendmail',
-  $mail_starttls        = undefined,
-  $mail_address         = undefined,
-  $mail_port            = undefined,
-  $mail_domain          = undefined,
-  $mail_authentication  = undefined,
-  $mail_username        = undefined,
-  $mail_password        = undefined,
+  $mail_starttls        = undef,
+  $mail_address         = undef,
+  $mail_port            = undef,
+  $mail_domain          = undef,
+  $mail_authentication  = undef,
+  $mail_username        = undef,
+  $mail_password        = undef,
   $rvm_ruby             = '',
 ) {
   if $rvm_ruby != '' {
@@ -51,52 +52,75 @@
     pgsql => 'development test mysql'
   }
 
+
   case $::osfamily {
     'Debian': {
-      case $db_adapter {
-        'mysql': {
-          if !defined(Package['libmysql++-dev']) {
-            package { 'libmysql++-dev':
-              ensure => installed,
-              before => Exec['redmine-bundle'],
+      if $maintain_db {
+        case $db_adapter {
+          'mysql': {
+            if !defined(Package['libmysql++-dev']) {
+              package { 'libmysql++-dev':
+                ensure => installed,
+                before => Exec['redmine-bundle'],
+              }
             }
-          }
-          if !defined(Package['libmysqlclient-dev']) {
-            package { 'libmysqlclient-dev':
-              ensure => installed,
-              before => Exec['redmine-bundle'],
+            if !defined(Package['libmysqlclient-dev']) {
+              package { 'libmysqlclient-dev':
+                ensure => installed,
+                before => Exec['redmine-bundle'],
+              }
             }
           }
-        }
-        'pgsql': {
-          if !defined(Package['libpq-dev']) {
-            package { 'libpq-dev':
-              ensure => installed,
-              before => Exec['redmine-bundle'],
+
+          'pgsql': {
+            if !defined(Package['libpq-dev']) {
+              package { 'libpq-dev':
+                ensure => installed,
+                before => Exec['redmine-bundle'],
+              }
             }
-          }
-          if !defined(Package['postgresql-client']) {
-            package { 'postgresql-client':
-              ensure => installed,
-              before => Exec['redmine-bundle'],
+            if !defined(Package['postgresql-client']) {
+              package { 'postgresql-client':
+                ensure => installed,
+                before => Exec['redmine-bundle'],
+              }
             }
           }
         }
       }
 
+      if !defined(Package['bundler']) {
+        package { 'bundler':
+          ensure => latest,
+          provider => 'gem',
+          before => Exec['redmine-bundle'],
+        }
+      }
+      if !defined(Package['imagemagick']) {
+        package { 'imagemagick':
+          ensure => present,
+          before => Exec['redmine-bundle'],
+        }
+      }
+      if !defined(Package['ruby-all-dev']) {
+        package { 'ruby-all-dev':
+          ensure => present,
+          before => Exec['redmine-bundle'],
+        }
+      }
       if !defined(Package['libmagickcore-dev']) {
         package { 'libmagickcore-dev':
-          ensure => latest,
+          ensure => present,
           before => Exec['redmine-bundle'],
         }
       }
       if !defined(Package['libmagickwand-dev']) {
         package { 'libmagickwand-dev':
-          ensure => latest,
+          ensure => present,
           before => Exec['redmine-bundle'],
         }
       }
-    } # Debian pre-requists
+    } # Redhat pre-requists
     'Redhat': {
       $db_packages = $db_adapter ? {
         mysql => ['mysql-devel'],
@@ -129,12 +153,15 @@
           before   => Exec['redmine-bundle'],
         }
       }
-    } # Redhat pre-requists
+    } # Default OS pre-requists
     default: {
       err "${::osfamily} not supported yet"
     }
   }
 
+  class { 'puma':
+    require => Package['ruby-all-dev'],
+  } ->
   puma::app { 'redmine':
     app_root    => $app_root,
     app_user    => $redmine_user,
@@ -143,6 +170,7 @@
     db_password => $db_password,
     db_host     => $db_host,
     db_port     => $db_port,
+    db_name     => $db_name,
     rvm_ruby    => $rvm_ruby,
   }
 
@@ -203,32 +231,33 @@
   }
 
   exec { 'redmine-bundle':
-    path    => '/bin:/usr/bin',
-    command => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle --without ${without_gems}'",
+    path    => '/usr/local/bin:/bin:/usr/bin',
+    command => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle install --path ~/.gem --without ${without_gems}'",
     unless  => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle check'",
-    require => Vcsrepo["${app_root}/current"],
+    require => [ Vcsrepo["${app_root}/current"], File["${app_root}/current/config/database.yml"] ],
     notify  => Service['redmine'],
     user    => $redmine_user,
     group   => $redmine_user,
     timeout => 600,
   }
 
   exec { "redmine-migrate":
-    path    => "/bin:/usr/bin",
-    unless  => "bash -c '${rvm_prefix}cd ${app_root}/current; RAILS_ENV=production bundle exec rake db:abort_if_pending_migrations'",
+    path    => "/usr/local/bin:/bin:/usr/bin",
     command => "bash -c '${rvm_prefix}cd ${app_root}/current; RAILS_ENV=production bundle exec rake db:migrate'",
-    require => [ Exec['redmine-bundle'], File["${app_root}/current/config/database.yml"] ],
+    unless  => "bash -c '${rvm_prefix}cd ${app_root}/current; RAILS_ENV=production bundle exec rake db:abort_if_pending_migrations'",
+    require => Exec['redmine-bundle'],
     notify  => Service["redmine"],
     user    => $redmine_user,
     group   => $redmine_user,
     timeout => 600,
   }
 
   exec { "redmine-configure":
-    require => Exec['redmine-migrate'],
-    path    => "/bin:/usr/bin",
+    path    => "/usr/local/bin:/bin:/usr/bin",
     command => "bash -c '${rvm_prefix}cd ${app_root}/current; RAILS_ENV=production bundle exec rake generate_secret_token; REDMINE_LANG=en RAILS_ENV=production bundle exec rake redmine:load_default_data'; touch ${app_root}/.configured",
     unless  => "[ -f ${app_root}/.configured ]",
+    require => Exec['redmine-migrate'],
+    notify  => Service["redmine"],
     user    => $redmine_user,
     group   => $redmine_user,
     timeout => 600,

diff --git a/manifests/plugin.pp b/manifests/plugin.pp
@@ -16,11 +16,12 @@
 
 define redmine::plugin
 (
-  $provider = 'git',
-  $source   = undef,
-  $revision = "origin/master",
-  $migrate  = false,
-  $rake     = [],
+  $provider        = 'git',
+  $source          = undef,
+  $revision        = 'origin/master',
+  $install_command = undef,
+  $migrate         = false,
+  $rake            = [],
 )
 {
   $rvm_ruby = $redmine::rvm_ruby
@@ -49,9 +50,10 @@
   ->
 
   exec { "bundle-${name}-plugin":
-    path    => '/bin:/usr/bin',
-    command => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle --without ${redmine::without_gems}'",
-    unless  => "bash -c '${rvm_prefix}cd ${app_root}/current; bundle check'",
+    path    => '/usr/local/bin:/bin:/usr/bin',
+    command => install_command ? { undef   => '/bin/true',
+                                   default => "bash -c '${rvm_prefix}cd ${app_root}/current; ${install_command}'",
+                                 },
     notify  => Service['redmine'],
     user    => $redmine_user,
     group   => $redmine_user,
@@ -61,7 +63,7 @@
   ->
 
   exec { "migrate-${name}-plugin":
-    path        => "/usr/bin:/bin",
+    path        => '/usr/local/bin:/usr/bin:/bin',
     user        => $redmine_user,
     command     => $migrate ? {
       true  => "bash -c '${rvm_prefix}cd ${redmine_dir}; RAILS_ENV=production bundle exec rake db:migrate'",

diff --git a/manifests/vhost_nginx.pp b/manifests/vhost_nginx.pp
@@ -0,0 +1,52 @@
+# == Define: redmine::vhost_nginx
+#
+# Generates a vhost for redmine in nginx web server configuration
+#
+# === Parameters
+#
+# [*port*]
+#    port where this vhost should listen
+# [*priority*]
+#    priority of the site configuration file
+# [*serveraliases*]
+#    list of aliases of the vhost
+# [*root_dir*]
+#    root directory of the redmine installation
+# [*max_attachment_size*]
+#    maximum size of the attachment
+#
+# === Examples
+#
+# redmine::vhost_nginx { 'redmine.example.net':
+#   root_dir => '/srv/www/redmine.example.net',
+# }
+#
+# === Authors
+#
+# Braiins Systems s.r.o.
+#
+# === Copyright
+#
+# Copyright 2015 Braiins Systems s.r.o.
+#
+define redmine::vhost_nginx(
+  $port='80',
+  $priority='50',
+  $max_attachment_size='20M',
+  $serveraliases=[],
+  $root_dir,
+) {
+  nginx::vhost { $title:
+    port           => $port,
+    priority       => $priority,
+    docroot        => undef,
+    create_docroot => false,
+    template       => 'redmine/nginx_redmine_site.conf.erb',
+    options        => {
+      'serveraliases'        => $serveraliases,
+      'upstream_web'         => "upstream-web-puma-redmine-${title}",
+      'upstream_socket_path' => "${root_dir}/current/tmp/sockets/puma.socket",
+      'client_max_body_size' => $max_attachment_size,
+    }
+  }
+}
diff --git a/templates/configuration.yml.erb b/templates/configuration.yml.erb
@@ -1,6 +1,12 @@
 production:
   email_delivery:
     delivery_method: :<%= @mail_delivery_method %>
+<% if @mail_delivery_method = 'sendmail' -%>
+    sendmail_settings:
+<% if @operatingsystem = 'Debian' -%>
+      arguments: "-i"
+<% end %>
+<% else %>
     smtp_settings:
 <% unless @mail_starttls.nil? -%>
       enable_starttls_auto: <%= @mail_starttls ? 'true' : 'false' %>
@@ -23,3 +29,4 @@ production:
 <% if @mail_password -%>
       password: <%= @mail_password %>
 <% end -%>
+<% end -%>
diff --git a/templates/nginx_redmine_site.conf.erb b/templates/nginx_redmine_site.conf.erb
@@ -0,0 +1,25 @@
+# Virtual host <%= @name %>
+# This file has been provided by puppet for <%= @fqdn %>.
+# DON'T EDIT it manually, any changes will be lost
+#
+
+upstream <%= @options['upstream_web'] %> {
+    server unix:<%= @options['upstream_socket_path'] %>;
+}
+
+server {
+  listen <%= @port %>;
+  server_name <%= @name %> <%= @options['serveraliases'].join(" ") %>;
+
+  access_log  <%= scope.lookupvar('nginx::log_dir')%>/<%= @title %>.access.log;
+  error_log  <%= scope.lookupvar('nginx::log_dir')%>/<%= @title %>.error.log;
+
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass http://<%= @options['upstream_web'] %>;
+    client_max_body_size <%= @options['client_max_body_size'] %>;
+    client_body_buffer_size 128k;
+  }
+}