opendev/system-config
Code Issues Proposed changes

Merge "Use LE certs for Apache"

Browse Source
This commit is contained in:
Zuul 2020-02-14 19:08:51 +00:00 committed by Gerrit Code Review
commit 5f80e934c4
7 changed files with 52 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
playbooks/host_vars/review-dev01.opendev.org.yaml
View File

@ -9,5 +9,4 @@ letsencrypt_certs:
letsencrypt_gid: 3001 letsencrypt_gid: 3001
gerrit_storyboard_url: https://storyboard-dev.openstack.org gerrit_storyboard_url: https://storyboard-dev.openstack.org
gerrit_vhost_name: review-dev.opendev.org gerrit_vhost_name: review-dev.opendev.org
gerrit_ssl_cert_file: /etc/letsencrypt-certs/review-dev.opendev.org/review-dev.opendev.org.cer gerrit_redirect_vhost: review-dev.openstack.org
gerrit_ssl_key_file: /etc/letsencrypt-certs/review-dev.opendev.org/review-dev.opendev.org.key

1
playbooks/host_vars/review01.opendev.org.yaml
View File

@ -72,6 +72,7 @@ gerrit_replication:
mirror: true mirror: true
gerrit_storyboard_url: https://storyboard.openstack.org gerrit_storyboard_url: https://storyboard.openstack.org
gerrit_vhost_name: review.opendev.org gerrit_vhost_name: review.opendev.org
gerrit_redirect_vhost: review.openstack.org
letsencrypt_certs: letsencrypt_certs:
review01-opendev-org-main: review01-opendev-org-main:
- review.opendev.org - review.opendev.org

10
playbooks/roles/gerrit/tasks/main.yaml
View File

@ -256,6 +256,16 @@
mode: 0644 mode: 0644
notify: gerrit Reload apache2 notify: gerrit Reload apache2
- name: Copy redirect config
template:
src: redirect.vhost.j2
dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
owner: root
group: root
mode: 0644
when: gerrit_redirect_vhost is defined
notify: gerrit Reload apache2
- name: Install podman-compose - name: Install podman-compose
pip: pip:
name: podman-compose name: podman-compose

8
playbooks/roles/gerrit/templates/gerrit.vhost.j2
View File

@ -31,11 +31,9 @@
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on SSLHonorCipherOrder on
SSLCertificateFile {{ gerrit_ssl_cert_file }} SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
SSLCertificateKeyFile {{ gerrit_ssl_key_file }} SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
{% if gerrit_ssl_chain_file is defined %} SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer
SSLCertificateChainFile {{ gerrit_ssl_chain_file }}
{% endif %}
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars SSLOptions +StdEnvVars

37
playbooks/roles/gerrit/templates/redirect.vhost.j2 Normal file
View File

@ -0,0 +1,37 @@
# ************************************
# Managed by Ansible
# ************************************
<VirtualHost *:80>
ServerName {{ gerrit_redirect_vhost }}
LogLevel warn
ErrorLog /var/log/apache2/{{ gerrit_redirect_vhost }}_error.log
CustomLog /var/log/apache2/{{ gerrit_redirect_vhost }}_access.log combined
ServerSignature Off
Redirect / https://{{ gerrit_vhost_name }}/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName {{ gerrit_redirect_vhost }}
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer
LogLevel warn
ErrorLog /var/log/apache2/{{ gerrit_redirect_vhost }}_error.log
CustomLog /var/log/apache2/{{ gerrit_redirect_vhost }}_access.log combined
ServerSignature Off
Redirect / https://{{ gerrit_vhost_name }}/
</VirtualHost>
</IfModule>

1
playbooks/zuul/run-base.yaml
View File

@ -92,7 +92,6 @@
- host_vars/mirror-update01.opendev.org.yaml - host_vars/mirror-update01.opendev.org.yaml
- host_vars/backup-test01.opendev.org.yaml - host_vars/backup-test01.opendev.org.yaml
- host_vars/backup-test02.opendev.org.yaml - host_vars/backup-test02.opendev.org.yaml
- host_vars/review01.opendev.org.yaml
- name: Display group membership - name: Display group membership
command: ansible localhost -m debug -a 'var=groups' command: ansible localhost -m debug -a 'var=groups'
- name: Run base.yaml - name: Run base.yaml

3
playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
View File

@ -1,3 +0,0 @@
# TODO(mordred) Replace this with LE certs
gerrit_ssl_cert_file: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
gerrit_ssl_key_file: '/etc/ssl/private/ssl-cert-snakeoil.key'