Add website hosting infrastructure

And the zuul-ci.org website. Note changes like this need ssl certs added to private hiera before merging. Creating the AFS volume would also be a good idea. The SSL certs are in hiera, and the AFS volume is mounted. Change-Id: I1eccee119bf169fea265c53af4c8c016c13c03ec Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6093
2017-12-12 16:19:18 -08:00 · 2017-12-12 16:19:18 -08:00 · 7f014a0c3f
commit 7f014a0c3f
parent fe92742558
3 changed files with 128 additions and 0 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -695,6 +695,15 @@ node /^files\d*\.openstack\.org$/ {
    docs_chain_file_contents      => hiera('docs_chain_file_contents'),
    require                       => Class['Openstack_project::Server'],
  }
+
+  openstack_project::website { 'zuul-ci.org':
+    aliases          => ['www.zuul-ci.org'],
+    ssl_cert         => hiera('zuul-ci_org_ssl_cert'),
+    ssl_key          => hiera('zuul-ci_org_ssl_key'),
+    ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
+    require          => Class['openstack_project::files'],
+  }
+
 }

 # Node-OS: trusty
--- a/modules/openstack_project/manifests/website.pp
+++ b/modules/openstack_project/manifests/website.pp
@ -0,0 +1,59 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+define openstack_project::website (
+  $aliases = undef,
+  $ssl_cert = undef,
+  $ssl_key = undef,
+  $ssl_intermediate = undef,
+  $template = 'openstack_project/website.vhost.erb',
+) {
+
+  $afs_root = '/afs/openstack.org/'
+
+  ::httpd::vhost { $name:
+    serveraliases => $aliases,
+    port          => 443, # Is required despite not being used.
+    docroot       => "${afs_root}/project/${name}/www",
+    priority      => '50',
+    template      => $template,
+  }
+
+  file { "/etc/ssl/certs/$name.pem":
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $ssl_cert,
+    require => File['/etc/ssl/certs'],
+  }
+
+  file { "/etc/ssl/private/$name.key":
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $ssl_key,
+    require => File['/etc/ssl/private'],
+  }
+
+  file { "/etc/ssl/certs/$name_intermediate.pem":
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $ssl_intermediate,
+    require => File['/etc/ssl/certs'],
+  }
+}
--- a/modules/openstack_project/templates/website.vhost.erb
+++ b/modules/openstack_project/templates/website.vhost.erb
@ -0,0 +1,60 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+<VirtualHost *:80>
+    ServerName <%= @srvname %>
+    <% if @serveraliases.is_a? Array -%>
+      <% @serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
+    <% elsif @serveraliases != nil -%>
+      <%= "  ServerAlias #{@serveraliases}" -%>
+    <% end -%>
+
+    RewriteEngine on
+    RewriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
+
+    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+    LogLevel warn
+    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName <%= @srvname %>
+    <% if @serveraliases.is_a? Array -%>
+      <% @serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
+    <% elsif @serveraliases != nil -%>
+      <%= "  ServerAlias #{@serveraliases}" -%>
+    <% end -%>
+
+    RewriteEngine on
+
+    SSLEngine on
+    SSLProtocol All -SSLv2 -SSLv3
+    # Once the machine is using something to terminate TLS that supports ECDHE
+    # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+    # only is guarenteed.
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+    SSLHonorCipherOrder on
+    SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+    SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+    SSLCertificateChainFile /etc/ssl/certs/<%= @name %>_intermediate.pem
+
+    DocumentRoot <%= @docroot %>
+    <Directory <%= @docroot %>>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        AllowOverride None
+        # Allow mod_rewrite rules
+        AllowOverrideList Redirect RedirectMatch
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+    LogLevel warn
+    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>