diff --git a/playbooks/host_vars/review-dev01.openstack.org.yaml b/playbooks/host_vars/review-dev01.openstack.org.yaml
index 0ee38440ed..6059aa27fd 100644
--- a/playbooks/host_vars/review-dev01.openstack.org.yaml
+++ b/playbooks/host_vars/review-dev01.openstack.org.yaml
@@ -1 +1,4 @@
gerrit_storyboard_url: https://storyboard-dev.openstack.org
+gerrit_vhost_name: review-dev.openstack.org
+gerrit_ssl_cert_file: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+gerrit_ssl_key_file: '/etc/ssl/private/ssl-cert-snakeoil.key'
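Review bot: The snakeoil certificate and key paths on the two new `gerrit_ssl_*_file` lines carry no comment, while the identical values in the Zuul host_vars template in this same change are marked `# TODO(mordred) Replace this with LE certs`; the dev host will keep serving a self-signed certificate until someone notices, so the same TODO belongs here. The vhost template also emits `SSLCertificateChainFile` only when `gerrit_ssl_chain_file` is defined, which a one-line comment such as `# no chain file: snakeoil is self-signed` would make explicit for whoever swaps in a real certificate.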
diff --git a/playbooks/host_vars/review01.opendev.org.yaml b/playbooks/host_vars/review01.opendev.org.yaml
index 5475f8386c..8c781e4863 100644
--- a/playbooks/host_vars/review01.opendev.org.yaml
+++ b/playbooks/host_vars/review01.opendev.org.yaml
@@ -71,3 +71,4 @@ gerrit_replication:
threads: '4'
mirror: true
gerrit_storyboard_url: https://storyboard.openstack.org
+gerrit_vhost_name: review.opendev.org
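Review bot: Only `gerrit_vhost_name` is added here, yet the new vhost template renders `{{ gerrit_ssl_cert_file }}` and `{{ gerrit_ssl_key_file }}` unconditionally. In the Zuul test run those two come from the templated host_vars added by this change, but unless production defines them elsewhere (private host_vars, group_vars or role defaults) the `Copy apache config` task will fail with an undefined variable on review01. If they are defined elsewhere, a comment here such as `# gerrit_ssl_*_file are set in <LOCATION-PLACEHOLDER>` would spare the next reader the search.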
diff --git a/playbooks/roles/gerrit/files/robots.txt b/playbooks/roles/gerrit/files/static/robots.txt
similarity index 100%
rename from playbooks/roles/gerrit/files/robots.txt
rename to playbooks/roles/gerrit/files/static/robots.txt
diff --git a/playbooks/roles/gerrit/handlers/main.yaml b/playbooks/roles/gerrit/handlers/main.yaml
new file mode 100644
index 0000000000..189721bb4f
--- /dev/null
+++ b/playbooks/roles/gerrit/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: gerrit Reload apache2
+ service:
+ name: apache2
+ state: reloaded
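Review bot: A `reloaded` handler is the only one defined, but the `Apache modules` task added in tasks/main.yaml in this same change enables `ssl`, `proxy`, `proxy_http`, `rewrite` and `headers` and notifies nothing; on Debian/Ubuntu a newly enabled module is, as far as I recall, only picked up by a full restart (a2enmod itself prints the restart instruction), so on a fresh host the templated vhost may be reloaded into a server that has not loaded mod_ssl. Consider a second handler `- name: gerrit Restart apache2` with `state: restarted` and notify it from the module task, or at minimum notify this reload handler from that task so module changes are not silently deferred to the next template change.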
diff --git a/playbooks/roles/gerrit/tasks/main.yaml b/playbooks/roles/gerrit/tasks/main.yaml
index 5c567d96f2..fc036c4d98 100644
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@@ -229,6 +229,33 @@
- static
- etc
+- name: Install apache2
+ apt:
+ name:
+ - apache2
+ - apache2-utils
+ state: present
+
+- name: Apache modules
+ apache2_module:
+ state: present
+ name: "{{ item }}"
+ loop:
+ - rewrite
+ - proxy
+ - proxy_http
+ - ssl
+ - headers
+
+- name: Copy apache config
+ template:
+ src: gerrit.vhost.j2
+ dest: /etc/apache2/sites-enabled/000-default.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: gerrit Reload apache2
+
- name: Install podman-compose
pip:
name: podman-compose
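Review bot: The package list under `Install apache2` lacks `ssl-cert`, which is the package providing the `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `.key` files that the host_vars in this change point the vhost at; whether it arrives through apache2's Recommends depends on the host's apt configuration, so adding `- ssl-cert` explicitly avoids Apache failing to start on a host that lacks it. The `Apache modules` list also omits `cgid` (or `cgi`), which the vhost template's `ScriptAlias /p/ /usr/lib/git-core/git-http-backend/` needs and which I do not believe Debian enables by default, so `/p/` would answer with an error unless it is enabled elsewhere. The `mode: 0644` on the template task is an unquoted octal; Ansible accepts the leading-zero form, but `mode: '0644'` is the form that survives every YAML loader unchanged. The hunk opens inside the list of a preceding task and the task list continues past it.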
diff --git a/playbooks/roles/gerrit/templates/gerrit.config b/playbooks/roles/gerrit/templates/gerrit.config
index 564f376cbd..f8ada444d9 100644
--- a/playbooks/roles/gerrit/templates/gerrit.config
+++ b/playbooks/roles/gerrit/templates/gerrit.config
@@ -3,11 +3,11 @@
[gerrit]
basePath = git
- canonicalWebUrl = https://review.opendev.org/
+ canonicalWebUrl = https://{{ gerrit_vhost_name }}/
changeScreen = OLD_UI
reportBugText = Get Help
reportBugUrl = https://docs.openstack.org/infra/system-config/project.html#contributing
- gitHttpUrl = https://review.opendev.org/
+ gitHttpUrl = https://{{ gerrit_vhost_name }}/
[database]
{% if gerrit_database_type == 'MYSQL' %}
type = MYSQL
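Review bot: `canonicalWebUrl` and `gitHttpUrl` now depend on `gerrit_vhost_name`, which has no visible default, so every host applying this role must set it or the template task fails with an undefined variable; a role default in `defaults/main.yaml` or a header comment in this template naming the required variables (`gerrit_vhost_name`, `gerrit_ssl_cert_file`, `gerrit_ssl_key_file`) would make the contract explicit. Because the Apache vhost in this change terminates TLS and proxies to `http://localhost:8081/` with `ProxyPreserveHost on`, Gerrit also needs `httpd.listenUrl` to be a `proxy-https://` URL for its own redirects and links to use https; that setting lies outside this hunk, so confirm it is present.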
diff --git a/playbooks/roles/gerrit/templates/gerrit.vhost.j2 b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
new file mode 100644
index 0000000000..608927374b
--- /dev/null
+++ b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
@@ -0,0 +1,92 @@
+
+ ServerName {{ gerrit_vhost_name }}
+ ServerAdmin webmaster@openstack.org
+
+ ErrorLog ${APACHE_LOG_DIR}/gerrit-error.log
+
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/gerrit-access.log combined
+
+ Redirect / https://{{ gerrit_vhost_name }}/
+
+
+
+
+
+ ServerName {{ gerrit_vhost_name }}
+ ServerAdmin webmaster@openstack.org
+
+ AllowEncodedSlashes On
+
+ ErrorLog ${APACHE_LOG_DIR}/gerrit-ssl-error.log
+
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined
+
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Note: this list should ensure ciphers that provide forward secrecy
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+
+ SSLCertificateFile {{ gerrit_ssl_cert_file }}
+ SSLCertificateKeyFile {{ gerrit_ssl_key_file }}
+{% if gerrit_ssl_chain_file is defined %}
+ SSLCertificateChainFile {{ gerrit_ssl_chain_file }}
+{% endif %}
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ RewriteEngine on
+
+ ProxyRequests off
+ ProxyVia off
+ ProxyPreserveHost on
+ ProxyStatus On
+
+ ProxyPassMatch ^/p/ !
+ ProxyPassMatch ^/robots.txt$ !
+ ProxyPassMatch ^/server-status !
+ ProxyPass / http://localhost:8081/ nocanon
+ ProxyPassReverse / http://localhost:8081/
+
+ Alias /robots.txt /home/gerrit2/review_site/static/robots.txt
+
+ SetEnv GIT_PROJECT_ROOT /opt/lib/git
+ SetEnv GIT_HTTP_EXPORT_ALL
+
+ AliasMatch ^/p/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /opt/lib/git/$1
+ AliasMatch ^/p/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /opt/lib/git/$1
+ ScriptAlias /p/ /usr/lib/git-core/git-http-backend/
+
+
+ Require all granted
+ Order allow,deny
+ Allow from all
+
+
+ Require all granted
+ Allow from all
+ Satisfy Any
+
+
+ Require all granted
+ Allow from all
+ Satisfy Any
+
+
+
+
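Review bot: The `!AES256` entry in the `SSLCipherSuite` line permanently deletes every AES-256 suite from the list, including the `ECDH+AES256` and `DH+AES256` entries that precede it, so the server ends up offering AES-128 only; if that is unintended, drop `!AES256` from the string. `SSLProtocol All -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1; `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` is the current baseline. The tasks change loads the `headers` module, but no `Header` directive appears in this vhost; if HSTS was the intent, `Header always set Strict-Transport-Security "max-age=31536000"` belongs in the SSL vhost (bearing in mind the dev host currently serves a self-signed certificate). The access blocks near the end mix Apache 2.4 `Require all granted` with 2.2-era `Order allow,deny` / `Allow from all` / `Satisfy Any`, which only parse when mod_access_compat is loaded; the `Require` lines alone are sufficient on 2.4. The `<VirtualHost>`/`<Directory>`/`<Location>` container lines do not survive in this rendering, so I cannot tell which block each access stanza belongs to.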
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 3a8d553619..7e3884fa6f 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -92,6 +92,7 @@
- host_vars/mirror-update01.opendev.org.yaml
- host_vars/backup-test01.opendev.org.yaml
- host_vars/backup-test02.opendev.org.yaml
+ - host_vars/review01.opendev.org.yaml
- name: Display group membership
command: ansible localhost -m debug -a 'var=groups'
- name: Run base.yaml
diff --git a/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2 b/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
new file mode 100644
index 0000000000..c6441fb8bf
--- /dev/null
+++ b/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
@@ -0,0 +1,3 @@
+# TODO(mordred) Replace this with LE certs
+gerrit_ssl_cert_file: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+gerrit_ssl_key_file: '/etc/ssl/private/ssl-cert-snakeoil.key'