Test->production

manifests/foliofront.pp

 # @summary Setup a front facing node for folio
-class folioscripts::foliofront {
+class ub_folio::foliofront {
   include profiles::letsencrypt
   include apache
   include apache::mod::proxy
 
-  package { 'nodejs':
+  $basedir='/opt/liu/foliofront'
+
+  exec { 'create private key for':
+    creates => "${$basedir}/privatekey.pem",
+    command => "/bin/openssl genrsa -out ${$basedir}/privatekey.pem 2048",
+  }
+
+  exec { 'create cert for':
+    creates => "${$basedir}/saml-cert.pem",
+    command => "/bin/openssl req -new -x509 -key ${$basedir}/privatekey.pem -out ${$basedir}/saml-cert.pem -days 3650 -subj '/C=SE/ST=Östergotland/L=Linköping/O=library.liu/OU=library/CN=saml.${$trusted['certname']}'",
+    require => [Exec['create private key for'],],
+  }
+
+  package { ['nodejs','nano']:
     ensure => 'installed',
   }
 
@@ -20,12 +33,6 @@ class folioscripts::foliofront {
       require => Exec['n-from-npm'];
   }
 
-  file { '/usr/bin/node':
-    ensure  => 'link',
-    source  => '/usr/local/bin/node', # lint:ignore:source_without_rights
-    require => Exec['nodejs-lts'],
-  }
-
   exec { 'install pm2':
     command => '/bin/npm install pm2 -g',
     unless  => '/bin/test -d /usr/local/lib/node_modules/pm2',
@@ -33,10 +40,12 @@ class folioscripts::foliofront {
   }
 
   user { 'pm2runner':
-    ensure  => 'present',
-    comment => 'pm2 owner',
-    system  => 'yes',
+    ensure     => 'present',
+    comment    => 'pm2 owner',
+    system     => 'yes',
+    managehome => 'yes',
   }
+
   group {
     default:
       ensure  => 'present';
@@ -48,17 +57,24 @@ class folioscripts::foliofront {
 
   Group <| title == 'ssl-cert' |> { members +> ['andfa93', 'pm2runner', 'hakan95', 'hakjo91'] }
 
-  file { '/opt/liu/foliofront':
-    ensure => directory,
-    owner  => 'andfa93',
-    group  => 'api',
-    mode   => '0775',
+  file {
+    [
+      $basedir,
+      "${$basedir}/data",
+      "${$basedir}/data/logs",
+      "${$basedir}/data/resetpintokens",
+    ]:
+      ensure => directory,
+      owner  => 'andfa93',
+      group  => 'api',
+      mode   => '0775',
   }
 
   vcsrepo { '/opt/liu/foliofront/foliofront-node-root':
     ensure   => latest,
     provider => git,
     source   => 'https://git:glpat-F5y74GSXSm6FrQBD5wM5@gitlab.liu.se/ub-utveckling/webb/folio-projekt/foliofront-node-root.git',
+    revision => 'develop',
     notify   => [Exec['do npm install of foliofront'],],
   }
 
@@ -75,15 +91,36 @@ class folioscripts::foliofront {
     require => [Vcsrepo['/opt/liu/foliofront/foliofront-node-root'],],
   }
 
+  file { '/opt/liu/foliofront/foliofront-node-root/.env':
+    ensure  => file,
+    group   => 'api',
+    mode    => '0750',
+    content => lookup('ub_folio::foliofront.env',undef,undef,'"env" key not found in hiera data'),
+    require => [Vcsrepo['/opt/liu/foliofront/foliofront-node-root'],],
+  }
+
   systemd::manage_unit { 'foliofront.service':
     unit_entry    => {
       'Description' => 'Run the foliofront node application',
     },
     service_entry => {
-      'Type'      => 'simple',
-      'ExecStart' => '',
-      'User'      => 'postgres',
+      'Type'             => 'simple',
+      'User'             => 'pm2runner',
+      'ExecStart'        => 'npm run start development',
+      'WorkingDirectory' => '/opt/liu/foliofront/foliofront-node-root',
     },
+    install_entry => {
+      'WantedBy' => 'multi-user.target',
+    },
+    enable        => true,
+    active        => true,
+    require       => [Vcsrepo['/opt/liu/foliofront/foliofront-node-root'],],
+  }
+
+  service { 'foliofront':
+    ensure  => 'running',
+    enable  => true,
+    require => [Systemd::Manage_unit['foliofront.service'],],
   }
 
   user { 'folio-cron':
@@ -143,50 +180,38 @@ class folioscripts::foliofront {
     # lint:endignore
   }
 
-  if fact('server_firewall_provider') == 'firewalld' {
-    server_firewall::address_set { 'vpn':
-      addresses => [
-        '130.236.110.0/24',
-        '10.240.0.0/12',
-      ],
-    }
-
-    firewalld_rich_rule { 'Access ssh from VPN':
-      service => 'ssh',
-      family  => 'ipv4',
-      zone    => 'liu',
-      action  => 'accept',
-      source  => { 'ipset' => 'vpn_v4', },
-    }
-
-    firewalld_service {
-      default:
-        ensure => present,
-        zone   => 'public';
-      'Apache web http public access':
-        service => 'http';
-      'Apache web https public access':
-        service => 'https';
-    }
-
-    firewalld_service {
-      default:
-        ensure => present,
-        zone   => 'liu';
-      'Apache web http liu access':
-        service => 'http';
-      'Apache web https liu access':
-        service => 'https';
-    }
-  } else {
-    server_firewall::rules_file { '59-permit_vpn_ssh.rules':
-      content => file("${module_name}/permit_vpn_ssh.rules"),
-    }
-    server_firewall::rules_file { '58-permit_api.rules':
-      content => file("${module_name}/permit_api.rules"),
-    }
-    server_firewall::rules_file { '57-permit_www.rules':
-      content => file("${module_name}/permit_www.rules"),
-    }
+  server_firewall::address_set { 'vpn':
+    addresses => [
+      '130.236.110.0/24',
+      '10.240.0.0/12',
+    ],
+  }
+
+  firewalld_rich_rule { 'Access ssh from VPN':
+    service => 'ssh',
+    family  => 'ipv4',
+    zone    => 'liu',
+    action  => 'accept',
+    source  => { 'ipset' => 'vpn_v4', },
+  }
+
+  firewalld_service {
+    default:
+      ensure => present,
+      zone   => 'public';
+    'Apache web http public access':
+      service => 'http';
+    'Apache web https public access':
+      service => 'https';
+  }
+
+  firewalld_service {
+    default:
+      ensure => present,
+      zone   => 'liu';
+    'Apache web http liu access':
+      service => 'http';
+    'Apache web https liu access':
+      service => 'https';
   }
 }