Issue 2471 - Update our Discourse instance

modules/discourse/manifests/init.pp

Index: modules/discourse/manifests/init.pp
===================================================================
--- a/modules/discourse/manifests/init.pp
+++ b/modules/discourse/manifests/init.pp
@@ -1,62 +1,92 @@
 class discourse(
     $domain,
     $certificate,
     $private_key,
     $is_default = false
   ) inherits private::discourse {
 
+  $hg_revision = 'd31d28147381'
+  $git_revision = '8a3a02421a39f53b6adf3ca9a6fdba73f42bc932'
+  $ruby_version = '2.1.2'
+  $postgresql_version = '9.3'
+
+  class { 'postgresql::globals':
+    manage_package_repo => true,
+    version => $postgresql_version,
+  }->
   class {"postgresql::server":}
 
+  class {"postgresql::server::contrib":
+    package_ensure => 'present',
+  }
+
   postgresql::server::database {'discourse':}
 
   postgresql::server::role {'discourse':
     password_hash => postgresql_password('discourse', $database_password),
     db => 'discourse',
     login => true,
     superuser => true,
     require => Postgresql::Server::Database['discourse']
   }
 
-  $basic_dependencies = ['postgresql-contrib', 'redis-server', 'ruby1.9.1',
-      'libjemalloc1', 'curl']
-  $gem_dependencies = ['git', 'build-essential', 'ruby1.9.1-dev', 'libxml2-dev',
-      'libxslt-dev', 'libpq-dev']
+  $rvm_dependencies = ['curl', 'git-core', 'patch', 'build-essential', 'bison',
+      'zlib1g-dev', 'libssl-dev', 'libxml2-dev', 'sqlite3', 'libsqlite3-dev',
+      'autotools-dev', 'libxslt1-dev', 'libyaml-0-2', 'autoconf', 'automake',
+      'libreadline6-dev', 'libyaml-dev', 'libtool', 'libgdbm-dev',
+      'libncurses5-dev', 'libffi-dev', 'pkg-config', 'gawk']
+  $discourse_dependencies = ['redis-server', 'libjemalloc1']
+  $gem_dependencies = ['libpq-dev']
   $image_optim_dependencies = ['advancecomp', 'gifsicle', 'jhead', 'jpegoptim',
       'libjpeg-progs', 'optipng', 'pngcrush']
   $image_sorcery_dependencies = 'imagemagick'
 
-  package {[$basic_dependencies, $gem_dependencies, $image_optim_dependencies, $image_sorcery_dependencies]:
+  package {[$rvm_dependencies, $discourse_dependencies, $gem_dependencies, $image_optim_dependencies, $image_sorcery_dependencies]:
     ensure => present
   }
 
-  Exec {path => '/bin:/usr/bin:/usr/sbin:/usr/local/bin'}
-
-  exec {'update-alternatives --set ruby "/usr/bin/ruby1.9.1"':
-    unless => 'test $(readlink "/etc/alternatives/ruby") == "/usr/bin/ruby1.9.1"',
-    require => Package['ruby1.9.1']
+  Exec <| tag == 'rvm' |> {
+    path => '/home/discourse/.rvm/bin:/usr/local/bin:/usr/bin:/bin',
+    user => discourse,
+    group => www-data,
+    environment => ['HOME=/home/discourse'],
   }
 
-  exec {'update-alternatives --set gem "/usr/bin/gem1.9.1"':
-    unless => 'test $(readlink "/etc/alternatives/gem") == "/usr/bin/gem1.9.1"',
-    require => Package['ruby1.9.1'],
-    before => Exec['update_gem']
+  exec {'install-rvm-key':
+    command => 'gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3',
+    tag => 'rvm',
+    unless => 'gpg --list-keys | grep D39DC0E3',
   }
 
-  exec {'update_gem':
-    command => '/usr/bin/gem update --system 1.8.25',
-    unless => 'test $(gem -v) == "1.8.25"',
-    environment => 'REALLY_GEM_UPDATE_SYSTEM=1',
+  exec {'install-rvm':
+    command => 'curl -sSL https://get.rvm.io | bash -s stable',
+    tag => 'rvm',
+    creates => '/home/discourse/.rvm',
+    timeout => 0,
+    logoutput => true,
+    require => [Exec['install-rvm-key'], Package[$rvm_dependencies]],
   }
 
-  package {'bundler':
-    ensure => present,
-    provider => gem,
-    require => Exec['update_gem']
+  exec {'install-ruby':
+    command => "rvm install $ruby_version && rvm default do rvm --default use $ruby_version",
+    tag => 'rvm',
+    unless => "rvm list | grep $ruby_version",

[mathias, 2015/05/26 10:02:16]

Please use shellquote() to ensure $ruby_version cannot break anything here --

[Wladimir Palant, 2015/05/26 10:41:17]

Given that $ruby_version is a constant set above, do you consider that
necessary? Also, if we do it for $ruby_version then we should do it for
$hg_revision as well.

[mathias, 2015/05/26 10:54:36]

Indeed, it should be done there as well.

And yes I believe it's necessary. One should always assume the next programmer
to be less careful and wise than oneself (even if it will be oneself most
likely). And such a guy may forget to check for the use of $ruby_version when
migrating it to become a parameter one day (for example, but not even unlikely),
which can also easily be overseen in a code-review.

However, please note that we agreed last year on making use of shell_escape()
wherever it may make sense - just to have an easy but secure guideline that does
not require the same decision ("is it necessary?") over and over again..

+    timeout => 0,
+    logoutput => true,
+    notify => Exec['init-discourse'],
+    require => Exec['install-rvm'],
+  }
+
+  exec {'install-bundler':
+    command => 'rvm default do gem install bundler',
+    tag => 'rvm',
+    unless => 'rvm default do gem list | grep "^bundler "',
+    require => Exec['install-ruby'],
   }
 
   file {'/opt/discourse':
     ensure => directory,
     mode => 755,
     owner => discourse,
     group => www-data
   }
@@ -70,17 +100,17 @@ class discourse(
   }
 
   file {'/opt/discourse/config/discourse.conf':
     mode => 600,
     owner => discourse,
     group => www-data,
     content => template('discourse/discourse.conf.erb'),
     notify => Service['discourse'],
-    require => Exec['fetch-discourse']
+    require => Exec['update-discourse']
   }
 
   file {'/usr/local/bin/init-discourse':
     mode => 0755,
     owner => root,
     group => root,
     source => 'puppet:///modules/discourse/init-discourse'
   }
@@ -99,42 +129,64 @@ class discourse(
     owner => root,
     group => root,
     mode => 0440,
     source => 'puppet:///modules/discourse/sudoers',
     require => User['discourse']
   }
 
   exec {'fetch-discourse':
-    command => "hg clone https://hg.adblockplus.org/discourse /opt/discourse",
+    command => 'hg clone --noupdate https://hg.adblockplus.org/discourse /opt/discourse',
     path => ["/usr/bin/", "/bin/"],
     user => discourse,
     group => www-data,
+    timeout => 0,
     require => [Package['mercurial'], File['/opt/discourse']],
-    notify => Exec['/usr/local/bin/init-discourse'],
     onlyif => "test ! -d /opt/discourse/.hg"
   }
 
-  exec {'/usr/local/bin/init-discourse':
+  exec {'update-discourse':
+    command => "hg update -R /opt/discourse --clean -r $hg_revision",
+    unless => "hg id -R /opt/discourse | grep $hg_revision",
+    path => ["/usr/bin/", "/bin/"],
+    user => discourse,
+    group => www-data,
+    notify => Exec['init-discourse'],
+    require => Exec['fetch-discourse'],
+  }
+
+  file {'/opt/discourse/config/version.rb':
+    ensure => present,
+    owner => discourse,
+    group => www-data,
+
+    # This is hardcoded here so that Discourse doesn't try to extract it from
+    # the repository. Ideally, we should update it when updating Discourse.
+    content => "\$git_version = '$git_revision'",
+    require => Exec['update-discourse'],
+    before => Exec['init-discourse'],
+  }
+
+  exec {'init-discourse':
+    command => 'rvm default do /usr/local/bin/init-discourse',
+    tag => 'rvm',
     subscribe => File['/usr/local/bin/init-discourse'],
     refreshonly => true,
-    environment => ["AIRBRAKE_KEY=${airbrake_key}"],
-    user => discourse,
-    group => www-data,
     timeout => 0,
     logoutput => true,
-    require => [Package['bundler', $gem_dependencies],
+    require => [Exec['install-bundler'],
+                Package[$discourse_dependencies, $gem_dependencies],
                 User['discourse'], File['/etc/sudoers.d/discourse'],
-                Exec['fetch-discourse'],
+                Exec['update-discourse'],
                 File['/opt/discourse/config/discourse.conf'],
                 Postgresql::Server::Role['discourse']]
   }
 
   Discourse::Sitesetting <| |> {
-    require => Exec['/usr/local/bin/init-discourse']
+    require => Exec['init-discourse']
   }
 
   discourse::sitesetting {'title':
     ensure => present,
     type => 1,
     value => 'Adblock Plus internal discussions'
   }
 
@@ -211,16 +263,40 @@ class discourse(
   }
 
   discourse::sitesetting {'enable_local_account_create':
     ensure => present,
     type => 5,
     value => 'f'
   }
 
+  discourse::sitesetting {'enable_google_logins':
+    ensure => present,
+    type => 5,
+    value => 'f'
+  }
+
+  discourse::sitesetting {'enable_google_oauth2_logins':
+    ensure => present,
+    type => 5,
+    value => 't'
+  }
+
+  discourse::sitesetting {'google_oauth2_client_id':
+    ensure => present,
+    type => 1,
+    value => $google_client_id
+  }
+
+  discourse::sitesetting {'google_oauth2_client_secret':
+    ensure => present,
+    type => 1,
+    value => $google_client_secret
+  }
+
   discourse::sitesetting {'enable_facebook_logins':
     ensure => present,
     type => 5,
     value => 'f'
   }
 
   discourse::sitesetting {'enable_twitter_logins':
     ensure => present,
@@ -264,26 +340,26 @@ class discourse(
     value => '50',
   }
 
   Discourse::Customservice <| |> {
     user => 'discourse',
     workdir => '/opt/discourse',
     env => ['RAILS_ENV=production', 'RUBY_GC_MALLOC_LIMIT=90000000',
       'UNICORN_WORKERS=2', 'LD_PRELOAD=/usr/lib/libjemalloc.so.1'],
-    require => Exec['/usr/local/bin/init-discourse']
+    require => Exec['init-discourse']
   }
 
   discourse::customservice {'discourse':
-    command => 'bundle exec config/unicorn_launcher -c config/unicorn.conf.rb',
+    command => '/home/discourse/.rvm/bin/rvm default do bundle exec config/unicorn_launcher -c config/unicorn.conf.rb',
     require => File['/opt/discourse/tmp/pids'],
   }
 
   discourse::customservice {'sidekiq':
-    command => 'bundle exec sidekiq'
+    command => '/home/discourse/.rvm/bin/rvm default do bundle exec sidekiq'
   }
 
   class {'nginx':
     worker_processes => 1,
     worker_connections => 500
   }
 
   nginx::hostconfig{$domain: