search: install and configure typesense

hieradata/roles/search.yaml

@@ -0,0 +1,6 @@
+profile::certbot::certificates:
+  search:
+    domains:
+      - "%{::facts.fqdn}"
+
+profile::typesense::tls_key_name: search

modules/profile/manifests/typesense.pp

@@ -0,0 +1,22 @@
+# @summary Install Typesense and exposes it via TLS
+class profile::typesense (
+  String[1] $tls_key_name = lookup('profile::typesense::tls_key_name'),
+  String[1] $api_key = lookup('profile::typesense::api_key'),
+) {
+  class { 'typesense':
+    api_key => $api_key,
+  }
+
+  nftables::allow { 'typesense-https':
+    proto => 'tcp',
+    dport => 443,
+  }
+
+  $backend_port = 8108
+  $tls_config = nginx::tls_config()
+
+  nginx::site { 'typesense':
+    content => template('profile/typesense/site.nginx.erb'),
+    require => Letsencrypt::Certificate[$tls_key_name],
+  }
+}

modules/profile/templates/typesense/site.nginx.erb

@@ -0,0 +1,18 @@
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+
+  ssl_certificate /etc/letsencrypt/live/<%= @tls_key_name %>/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/<%= @tls_key_name %>/privkey.pem;
+  <%= @tls_config.join("\n  ") %>
+
+  access_log    off;
+  error_log     /var/log/nginx/error.log crit;
+  server_tokens off;
+
+  location / {
+    proxy_pass http://localhost:<%= @backend_port %>;
+    proxy_redirect off;
+    proxy_buffering off;
+  }
+}

modules/role/manifests/search.pp

@@ -1,4 +1,6 @@
 # @summary Search suggestion service for docs sites
 class role::search {
   include profile::base
+  include profile::certbot
+  include profile::typesense
 }

modules/typesense/manifests/init.pp

@@ -0,0 +1,57 @@
+# @summary Install Typesense
+class typesense (
+  String[1] $api_key,
+  String[1] $version = '0.24.0',
+) {
+
+  file { '/usr/share/typesense-dl':
+    ensure  => directory,
+    owner   => 'root',
+    group   => 'root',
+    recurse => true,
+    purge   => true,
+    force   => true,
+  }
+
+  $deb = "/usr/share/typesense-dl/typesense-server-${version}-amd64.deb"
+
+  exec { 'typesense-download':
+    command => "/usr/bin/curl -L -o ${deb} https://dl.typesense.org/releases/${version}/typesense-server-${version}-amd64.deb",
+    creates => $deb,
+    require => Package['curl'], # from the base profile
+  }
+
+  # The package takes care of the following following:
+  #
+  # - create /etc/typesense/typesense-server.ini (with random $API_KEY)
+  # - create /usr/bin/typesense-server
+  # - create /var/lib/typesense (database)
+  # - create /var/log/typesense
+  # - create "typesense-server" service
+  # - run `systemctl start typesense-server` (starts HTTP server on port 8108)
+  #
+  # Docs:
+  #   https://typesense.org/docs/guide/install-typesense.html
+  # Source:
+  #   https://github.com/typesense/typesense/tree/0ac4feb68cf/debian-pkg/typesense-server
+  #
+  package { 'typesense-server':
+    ensure => $version,
+    source => $deb,
+  }
+
+  # The service should be restarted after an upgrade.
+  # TODO: Does this happen automatically?
+  # https://typesense.org/docs/guide/updating-typesense.html#updating-deb-package
+
+  service { 'typesense-server':
+    ensure => running,
+    enable => true,
+  }
+
+  file { '/etc/typesense/typesense-server.ini':
+    ensure  => file,
+    content => template('typesense/server.ini.erb'),
+    notify  => Service['typesense-server'],
+  }
+}

modules/typesense/templates/server.ini.erb

@@ -0,0 +1,10 @@
+; This file is managed by Puppet
+; Typesense Configuration
+; https://typesense.org/docs/0.24.0/api/server-configuration.html
+
+[server]
+api-address = 0.0.0.0
+api-port = 8108
+data-dir = /var/lib/typesense
+api-key = <%= @api_key %>
+log-dir = /var/log/typesense

test_data/private/hieradata/common.yaml

@@ -18,5 +18,7 @@ profile::wordpress::docs::db_password_seed: 'fakeseed'
 profile::wordpress::docs::admin_password: 'fakepass'
 docs_builder_password_seed: 'fakeseed'
 
+profile::typesense::api_key: 'fakekey'
+
 # hacks
 jqlib::secret::use_fake_private: true