diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp index fd6fd30045..2b68d9bb6e 100644 --- a/modules/openstack_project/manifests/static.pp +++ b/modules/openstack_project/manifests/static.pp @@ -49,6 +49,10 @@ class openstack_project::static ( } } + if ! defined(Httpd::Mod['alias']) { + httpd::mod { 'alias': ensure => present } + } + if ! defined(File['/srv/static']) { file { '/srv/static': ensure => directory, @@ -252,23 +256,33 @@ class openstack_project::static ( } ########################################################### - # Governance + # Governance & Election + + # Extra aliases and directories needed for vhost template: + $governance_aliases = { + '/election/' => '/srv/static/election/' + } + # One of these must also be the docroot + $governance_directories = [ + '/srv/static/election', + '/srv/static/governance', + ] ::httpd::vhost { 'governance.openstack.org': port => 443, # Is required despite not being used. docroot => '/srv/static/governance', priority => '50', ssl => true, - template => 'openstack_project/static-http-and-https.vhost.erb', + template => 'openstack_project/static-governance.vhost.erb', vhost_name => 'governance.openstack.org', require => [ - File['/srv/static/governance'], + File[$governance_directories], File[$cert_file], File[$key_file], ], } - file { '/srv/static/governance': + file { $governance_directories: ensure => directory, owner => 'jenkins', group => 'jenkins', diff --git a/modules/openstack_project/templates/static-governance.vhost.erb b/modules/openstack_project/templates/static-governance.vhost.erb new file mode 100644 index 0000000000..5e8024a8f6 --- /dev/null +++ b/modules/openstack_project/templates/static-governance.vhost.erb 
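Review bot: In the governance vhost hunk of static.pp, the rule "One of these must also be the docroot" exists only as a comment, while `docroot => '/srv/static/governance'` remains a separate literal a few lines below. If the two drift apart, the new template would presumably emit no access block for the docroot, which is easy to miss in review. Consider deriving both from one variable, e.g. `$governance_docroot = '/srv/static/governance'`, used for `docroot =>` and as an entry in `$governance_directories`. A short comment saying that `static-governance.vhost.erb` reads `$governance_aliases` and `$governance_directories` by their fully qualified names would also warn maintainers against renaming them. The `file { $governance_directories:` resource continues past the end of the hunk.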
@@ -0,0 +1,69 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+ # Permanently redirect these ServerAlias entries to ServerName
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif @serveraliases != '' -%>
+<%= " ServerAlias #{@serveraliases}" %>
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} !<%= @vhost_name %>$ [NC]
+ RewriteRule ^/(.*)$ http://<%= @vhost_name %>/$1 [L,R=301]
+<% end -%>
+ DocumentRoot <%= @docroot %>
+
+ # Alias other folders
+ <% scope.lookupvar('openstack_project::static::governance_aliases').each do |a, d| -%>
+ Alias "<%= a %>" "<%= d %>"
+ <% end -%>
+ <% scope.lookupvar('openstack_project::static::governance_directories').each do |dirname| -%>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Satisfy Any
+ Require all granted
+
+ <% end -%>
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName <%= @vhost_name %>
+ DocumentRoot <%= @docroot %>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
+ SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
+<% if scope['openstack_project::static::chain_file'] != '' %>
+ SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
+<% end %>
+ # Alias other folders
+ <% scope.lookupvar('openstack_project::static::governance_aliases').each do |a, d| -%>
+ Alias "<%= a %>" "<%= d %>"
+ <% end -%>
+ <% scope.lookupvar('openstack_project::static::governance_directories').each do |dirname| -%>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Satisfy Any
+ Require all granted
+
+ <% end -%>
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
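Review bot: `Options Indexes FollowSymLinks MultiViews` is applied to every entry in `governance_directories`, and static.pp creates those directories owned by `jenkins`, so whatever publishes content there can presumably place a symlink that Apache will follow to files outside the served tree. Unless the published trees rely on symlinks or listings, I would reduce this to `Options MultiViews` in both vhost blocks (or `SymLinksIfOwnerMatch` if symlinks are needed), keeping `Indexes` only where a listing is really wanted. `Satisfy Any` next to `Require all granted` mixes 2.2- and 2.4-style access control and needs mod_access_compat on 2.4; dropping it should leave the same effective policy. In the TLS block, `SSLProtocol All -SSLv2 -SSLv3` still permits TLS 1.0/1.1, and the trailing `!AES256` in `SSLCipherSuite` appears to cancel the earlier `ECDH+AES256:DH+AES256` entries, so one of the two should go. The opening tag of the per-directory block is not legible on this page, so this assumes it is a `<Directory>` section keyed on `dirname`.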