Make a class for each type of server.

Change-Id: I520b77a4d83958a6a1c2472e87b28f6b8822d890

manifests/site.pp

@@ -9,323 +9,79 @@ node default {
 #
 # Long lived servers:
 #
-
-# Current thinking on Gerrit tuning parameters:
-
-# database.poolLimit:
-# This limit must be several units higher than the total number of
-# httpd and sshd threads as some request processing code paths may need
-# multiple connections.
-# database.poolLimit = 1 + max(sshd.threads,sshd.batchThreads) + sshd.streamThreads + sshd.commandStartThreads + httpd.acceptorThreads + httpd.maxThreads 
-# http://groups.google.com/group/repo-discuss/msg/4c2809310cd27255
-# or "2x sshd.threads"
-# http://groups.google.com/group/repo-discuss/msg/269024c966e05d6a
-
-# container.heaplimit:
-# core.packedgit*
-# http://groups.google.com/group/repo-discuss/msg/269024c966e05d6a
-
-# sshd.threads:
-# http://groups.google.com/group/repo-discuss/browse_thread/thread/b91491c185295a71
-
-# httpd.maxWait:
-# 12:07 <@spearce> httpd.maxwait defaults to 5 minutes and is how long gerrit
-#                  waits for an idle sshd.thread before aboring the http request
-# 12:08 <@spearce> ironically
-# 12:08 <@spearce> ProjectQosFilter passes this value as minutes
-# 12:08 <@spearce> to a method that accepts milliseconds
-# 12:09 <@spearce> so. you get 5 milliseconds before aborting
-# thus, set it to 5000minutes until the bug is fixed.
-
 node "review.openstack.org" {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 29418]
-  }
-  class { 'gerrit':
-    virtual_hostname => 'review.openstack.org',
-    canonicalweburl => "https://review.openstack.org/",
-    ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem',
-    ssl_key_file => '/etc/ssl/private/review.openstack.org.key',
-    ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
-    email => 'review@openstack.org',
-    database_poollimit => '150',    # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
-    container_heaplimit => '8g',
-    core_packedgitopenfiles => '4096',
-    core_packedgitlimit => '400m',
-    core_packedgitwindowsize => '16k',
-    sshd_threads => '100',
-    httpd_maxwait => '5000min',
-    github_projects => $openstack_project::project_list,
-    upstream_projects => [ {
-                         name => 'openstack-ci/gerrit',
-                         remote => 'https://gerrit.googlesource.com/gerrit'
-                         } ],
-    logo => 'openstack.png',
-    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.1-10-g63110fd.war',
-    script_user => 'launchpadsync',
-    script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
-    script_site => 'openstack',
-    enable_melody => 'true',
-    melody_session => 'true',
-    gerritbot_nick => 'openstackgerrit',
-    gerritbot_password => hiera('gerrit_gerritbot_password'),
-    gerritbot_server => 'irc.freenode.net',
-    gerritbot_user => 'gerritbot',
-    github_user => 'openstack-gerrit',
-    github_token => hiera('gerrit_github_token'),
-    mysql_password => hiera('gerrit_mysql_password'),
-    email_private_key => hiera('gerrit_email_private_key'),
-  }
+  include openstack_project::review
 }
 
 node "gerrit-dev.openstack.org", "review-dev.openstack.org" {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 29418]
-  }
-
-  class { 'gerrit':
-    virtual_hostname => 'review-dev.openstack.org',
-    canonicalweburl => "https://review-dev.openstack.org/",
-    ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
-    ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
-    ssl_chain_file => '',
-    email => "review-dev@openstack.org",
-    github_projects => [ {
-                         name => 'gtest-org/test',
-                         close_pull => 'true'
-                         } ],
-    logo => 'openstack.png',
-    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-10-g93ffc27.war',
-    script_user => 'update',
-    script_key_file => '/home/gerrit2/.ssh/id_rsa',
-    script_site => 'openstack',
-    enable_melody => 'true',
-    melody_session => 'true',
-    gerritbot_nick => '',
-    gerritbot_password => '',
-    gerritbot_server => '',
-    gerritbot_user => '',
-    github_user => 'openstack-gerrit-dev',
-    github_token => hiera('gerrit_dev_github_token'),
-    mysql_password => hiera('gerrit_dev_mysql_password'),
-    email_private_key => hiera('gerrit_dev_email_private_key'),
-  }
+  include openstack_project::review_dev
 }
 
 node "jenkins.openstack.org" {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 4155]
-  }
-  class { 'jenkins_master':
-    site => 'jenkins.openstack.org',
-    serveradmin => 'webmaster@openstack.org',
-    logo => 'openstack.png',
-    ssl_cert_file => '/etc/ssl/certs/jenkins.openstack.org.pem',
-    ssl_key_file => '/etc/ssl/private/jenkins.openstack.org.key',
-    ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
-  }
-  class { "jenkins_jobs":
-    url => "https://jenkins.openstack.org/",
-    username => "gerrig",
-    password => hiera('jenkins_jobs_password'),
-    site => "openstack",
-  }
-  class { "openstack_project::zuul": }
+  include openstack_project::jenkins
 }
 
 node "jenkins-dev.openstack.org" {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 4155]
-  } 
-  class { 'backup':
-    backup_user => 'bup-jenkins-dev',
-    backup_server => 'ci-backup-rs-ord.openstack.org'
-  }
-  class { 'jenkins_master':
-    site => 'jenkins-dev.openstack.org',
-    serveradmin => 'webmaster@openstack.org',
-    logo => 'openstack.png',
-    ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
-    ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
-    ssl_chain_file => '',
-  }
+  include openstack_project::jenkins_dev
 }
 
 node "community.openstack.org" {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 8099, 8080]
-  }
-
-  realize (
-    User::Virtual::Localuser["smaffulli"],
-  )
+  include openstack_project::community
 }
 
 node "ci-puppetmaster.openstack.org" {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [8140]
-  }
-  cron { "updatepuppetmaster":
-    user => root,
-    minute => "*/15",
-    command => 'sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet/production && /usr/bin/git pull -q',
-    environment => "PATH=/var/lib/gems/1.8/bin:/usr/bin:/bin:/usr/sbin:/sbin",
-  }
-
+  include openstack_project::puppet_cron
+  include openstack_project::puppetmaster
 }
 
-$sysadmins = $openstack_project::sysadmins
-
 node "lists.openstack.org" {
   include openstack_project::remove_cron
-
-  # Using openstack_project::template instead of openstack_project::server
-  # because the exim config on this machine is almost certainly
-  # going to be more complicated than normal.
-  class { 'openstack_project::template':
-    iptables_public_tcp_ports => [25, 80, 465]
-  }
-
-  $sysadmins += ['duncan@dreamhost.com']
-  class { 'exim':
-    sysadmin => $sysadmins,
-    mailman_domains => ['lists.openstack.org'],
-  }
-
-  class { 'mailman':
-    mailman_host => 'lists.openstack.org'
-  }
-
-  realize (
-    User::Virtual::Localuser["oubiwann"],
-  )
-}
-
-node "docs.openstack.org" {
-  include openstack_project::remove_cron
-  include openstack_project::server
-  include doc_server
+  include openstack_project::lists
 }
 
 node "paste.openstack.org" {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80]
-  }
-  include lodgeit
-  lodgeit::site { "openstack":
-    port => "5000",
-    image => "header-bg2.png"
-  }
-
-  lodgeit::site { "drizzle":
-    port => "5001"
-  }
-
+  include openstack_project::paste
 }
 
 node "planet.openstack.org" {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80]
-  }
-  include planet
-
-  planet::site { "openstack":
-    git_url => "https://github.com/openstack/openstack-planet.git"
-  }
+  include openstack_project::planet
 }
 
 node "eavesdrop.openstack.org" {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80]
-  }
-  include meetbot
-
-  meetbot::site { "openstack":
-    nick => "openstack",
-    nickpass => hiera('openstack_meetbot_password'),
-    network => "FreeNode",
-    server => "chat.us.freenode.net:7000",
-    url => "eavesdrop.openstack.org",
-    channels => "#openstack #openstack-dev #openstack-meeting",
-    use_ssl => "True"
-  }
+  include openstack_project::eavesdrop
 }
 
 node "pypi.openstack.org" {
   include openstack_project::remove_cron
-
-  # include jenkins slave so that build deps are there for the pip download
-  class { 'jenkins_slave':
-    ssh_key => "",
-    user => false
-  }
-
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80]
-  }
-
-  class { "pypimirror":
-    base_url => "http://pypi.openstack.org",
-    projects => $openstack_project::project_list,
-  }
+  include openstack_project::pypi
 }
 
 node 'etherpad.openstack.org' {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443]
-  }
-
-  include etherpad_lite
-  class { 'etherpad_lite::nginx':
-    etherpad_crt => hiera('etherpad_crt'),
-    etherpad_key => hiera('etherpad_key')
-  }
-  class { 'etherpad_lite::site':
-    database_password => hiera('etherpad_db_password'),
-  }
-  class { 'etherpad_lite::mysql':
-    database_password => hiera('etherpad_db_password'),
-  }
-  include etherpad_lite::backup
+  include openstack_project::etherpad
 }
 
 node 'wiki.openstack.org' {
   include openstack_project::remove_cron
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443]
-  }
-
-  realize (
-    User::Virtual::Localuser["rlane"],
-  )
+  include openstack_project::wiki
 }
 
 # A bare machine, but with a jenkins user
 node /^.*\.template\.openstack\.org$/ {
-  class { 'openstack_project::template':
-    iptables_public_tcp_ports => []
-  }
-  class { 'jenkins_slave':
-    ssh_key => $openstack_project::jenkins_ssh_key,
-    sudo => true,
-    bare => true
-  }
+  include openstack_project::slave_template
 }
 
 # A backup machine.  Don't run cron or puppet agent on it.
 node /^ci-backup-.*\.openstack\.org$/ {
-  class { 'openstack_project::template':
-    iptables_public_tcp_ports => []
-  }
+  include openstack_project::backup_server
 }
 
 #
@@ -352,14 +108,6 @@ node /^.*\.slave\.openstack\.org$/ {
   include openstack_project::jenkins_slave
 }
 
-# bare-bones slaves spun up by jclouds. Specifically need to not set ssh
-# login limits, because it screws up jclouds provisioning
 node /^.*\.jclouds\.openstack\.org$/ {
-
-  include openstack_project::base
-
-  class { 'jenkins_slave':
-    ssh_key => "",
-    user => false
-  }
+  include openstack_project::jclouds_slave
 } 

modules/doc_server/manifests/init.pp

@@ -1,38 +0,0 @@
-import "jenkins_slave"
-
-class doc_server {
-
-  include jenkins_slave
-
-  package { 'nginx':
-    ensure => present;
-  }
-
-  package { "python-storm":
-    ensure => present
-  }
-
-  package { "python-mako":
-    ensure => present
-  }
-
-  package { "python-pychart":
-    ensure => present
-  }
-
-  package { "planet-venus":
-    ensure => present
-  }
-  
-  doc_server::site { "burrow": }
-
-  doc_server::site { "ci": }
-
-  doc_server::site { "keystone": }
-
-  doc_server::site { "glance": }
-
-  doc_server::site { "nova": }
-
-  doc_server::site { "swift": }
-}

modules/doc_server/manifests/site.pp

@@ -1,15 +0,0 @@
-define doc_server::site {
-
-  file { "/etc/nginx/sites-available/${name}":
-    ensure => 'present',
-    content => template("doc_server/nginx.erb"),
-    replace => 'true',
-    require => Package[nginx],
-  }
-
-  file { "/etc/nginx/sites-enabled/${name}":
-    ensure => link,
-    target => "/etc/nginx/sites-available/${name}",
-    require => Package[nginx],
-  }
-}

modules/doc_server/templates/nginx.erb

@@ -1,11 +0,0 @@
-server {
-  listen 80;
-  server_name <%= name %>.openstack.org;
-  root /srv/docs/<%= name %>;
-  location ^~ /docs/ {
-    alias /srv/docs/<%= name %>/trunk;
-  }
-  location ^~ /tarballs/ {
-    alias /srv/tarballs/<%= name %>;
-  }
-}

modules/meetbot/manifests/site.pp

@@ -1,4 +1,4 @@
-define meetbot::site($nick, $nickpass, $network, $server, $url, $channels, $use_ssl) {
+define meetbot::site($nick, $nickpass, $network, $server, $url=$fqdn, $channels, $use_ssl) {
 
   file { "/etc/nginx/sites-available/${name}-meetbot":
     ensure => 'present',

modules/openstack_project/manifests/backup_server.pp

@@ -0,0 +1,5 @@
+class openstack_project::backup_server {
+  class { 'openstack_project::template':
+    iptables_public_tcp_ports => []
+  }
+}

modules/openstack_project/manifests/community.pp

@@ -0,0 +1,9 @@
+class openstack_project::community {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80, 443, 8099, 8080]
+  }
+
+  realize (
+    User::Virtual::Localuser["smaffulli"],
+  )
+}

modules/openstack_project/manifests/eavesdrop.pp

@@ -0,0 +1,16 @@
+class openstack_project::eavesdrop {
+  class { 'openstack_project::server':
+
+    iptables_public_tcp_ports => [80]
+  }
+  include meetbot
+
+  meetbot::site { "openstack":
+    nick => "openstack",
+    nickpass => hiera('openstack_meetbot_password'),
+    network => "FreeNode",
+    server => "chat.us.freenode.net:7000",
+    channels => "#openstack #openstack-dev #openstack-meeting",
+    use_ssl => "True"
+  }
+}

modules/openstack_project/manifests/etherpad.pp

@@ -0,0 +1,18 @@
+class openstack_project::etherpad {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [22, 80, 443]
+  }
+
+  include etherpad_lite
+  class { 'etherpad_lite::nginx':
+    etherpad_crt => hiera('etherpad_crt'),
+    etherpad_key => hiera('etherpad_key')
+  }
+  class { 'etherpad_lite::site':
+    database_password => hiera('etherpad_db_password'),
+  }
+  class { 'etherpad_lite::mysql':
+    database_password => hiera('etherpad_db_password'),
+  }
+  include etherpad_lite::backup
+}

modules/openstack_project/manifests/init.pp

@@ -2,11 +2,13 @@ class openstack_project {
 
   $jenkins_ssh_key = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtioTW2wh3mBRuj+R0Jyb/mLt5sjJ8dEvYyA8zfur1dnqEt5uQNLacW4fHBDFWJoLHfhdfbvray5wWMAcIuGEiAA2WEH23YzgIbyArCSI+z7gB3SET8zgff25ukXlN+1mBSrKWxIza+tB3NU62WbtO6hmelwvSkZ3d7SDfHxrc4zEpmHDuMhxALl8e1idqYzNA+1EhZpbcaf720mX+KD3oszmY2lqD1OkKMquRSD0USXPGlH3HK11MTeCArKRHMgTdIlVeqvYH0v0Wd1w/8mbXgHxfGzMYS1Ej0fzzJ0PC5z5rOqsMqY1X2aC1KlHIFLAeSf4Cx0JNlSpYSrlZ/RoiQ== hudson@hudson'
 
-  $sysadmin = ['corvus@inaugust.com',
-               'mordred@inaugust.com',
-               'andrew@linuxjedi.co.uk',
-               'devananda.vdv@gmail.com',
-               'clark.boylan@gmail.com']
+  $sysadmin = [
+    'corvus@inaugust.com',
+    'mordred@inaugust.com',
+    'andrew@linuxjedi.co.uk',
+    'devananda.vdv@gmail.com',
+    'clark.boylan@gmail.com'
+    ]
 
   $project_list = [ {
      name => 'openstack/keystone',

modules/openstack_project/manifests/jclouds_slave.pp

@@ -0,0 +1,10 @@
+# bare-bones slaves spun up by jclouds. Specifically need to not set ssh
+# login limits, because it screws up jclouds provisioning
+class openstack_project::jclouds_slave {
+  include openstack_project::base
+
+  class { 'jenkins_slave':
+    ssh_key => "",
+    user => false
+  }
+}

modules/openstack_project/manifests/jenkins.pp

@@ -0,0 +1,20 @@
+class openstack_project::jenkins {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80, 443, 4155]
+  }
+  class { 'jenkins_master':
+    site => 'jenkins.openstack.org',
+    serveradmin => 'webmaster@openstack.org',
+    logo => 'openstack.png',
+    ssl_cert_file => '/etc/ssl/certs/jenkins.openstack.org.pem',
+    ssl_key_file => '/etc/ssl/private/jenkins.openstack.org.key',
+    ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
+  }
+  class { "jenkins_jobs":
+    url => "https://jenkins.openstack.org/",
+    username => "gerrig",
+    password => hiera('jenkins_jobs_password'),
+    site => "openstack",
+  }
+  class { "openstack_project::zuul": }
+}

modules/openstack_project/manifests/jenkins_dev.pp

@@ -0,0 +1,17 @@
+class openstack_project::jenkins_dev {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80, 443, 4155]
+  } 
+  class { 'backup':
+    backup_user => 'bup-jenkins-dev',
+    backup_server => 'ci-backup-rs-ord.openstack.org'
+  }
+  class { 'jenkins_master':
+    site => 'jenkins-dev.openstack.org',
+    serveradmin => 'webmaster@openstack.org',
+    logo => 'openstack.png',
+    ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+    ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
+    ssl_chain_file => '',
+  }
+}

modules/openstack_project/manifests/lists.pp

@@ -0,0 +1,24 @@
+$sysadmins = $openstack_project::sysadmins
+
+class openstack_project::lists {
+  # Using openstack_project::template instead of openstack_project::server
+  # because the exim config on this machine is almost certainly
+  # going to be more complicated than normal.
+  class { 'openstack_project::template':
+    iptables_public_tcp_ports => [25, 80, 465]
+  }
+
+  $sysadmins += ['duncan@dreamhost.com']
+  class { 'exim':
+    sysadmin => $sysadmins,
+    mailman_domains => ['lists.openstack.org'],
+  }
+
+  class { 'mailman':
+    mailman_host => 'lists.openstack.org'
+  }
+
+  realize (
+    User::Virtual::Localuser["oubiwann"],
+  )
+}

modules/openstack_project/manifests/paste.pp

@@ -0,0 +1,14 @@
+class openstack_project::paste {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80]
+  }
+  include lodgeit
+  lodgeit::site { "openstack":
+    port => "5000",
+    image => "header-bg2.png"
+  }
+
+  lodgeit::site { "drizzle":
+    port => "5001"
+  }
+}

modules/openstack_project/manifests/planet.pp

@@ -0,0 +1,10 @@
+class openstack_project::planet {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80]
+  }
+  include planet
+
+  planet::site { "openstack":
+    git_url => "https://github.com/openstack/openstack-planet.git"
+  }
+}

modules/openstack_project/manifests/puppetmaster.pp

@@ -0,0 +1,11 @@
+class openstack_project::puppetmaster {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [8140]
+  }
+  cron { "updatepuppetmaster":
+    user => root,
+    minute => "*/15",
+    command => 'sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet/production && /usr/bin/git pull -q',
+    environment => "PATH=/var/lib/gems/1.8/bin:/usr/bin:/bin:/usr/sbin:/sbin",
+  }
+}

modules/openstack_project/manifests/pypi.pp

@@ -0,0 +1,16 @@
+class openstack_project::pypi {
+  # include jenkins slave so that build deps are there for the pip download
+  class { 'jenkins_slave':
+    ssh_key => "",
+    user => false
+  }
+
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80]
+  }
+
+  class { "pypimirror":
+    base_url => "http://pypi.openstack.org",
+    projects => $openstack_project::project_list,
+  }
+}

modules/openstack_project/manifests/review.pp

@@ -0,0 +1,66 @@
+# Current thinking on Gerrit tuning parameters:
+
+# database.poolLimit:
+# This limit must be several units higher than the total number of
+# httpd and sshd threads as some request processing code paths may need
+# multiple connections.
+# database.poolLimit = 1 + max(sshd.threads,sshd.batchThreads) + sshd.streamThreads + sshd.commandStartThreads + httpd.acceptorThreads + httpd.maxThreads 
+# http://groups.google.com/group/repo-discuss/msg/4c2809310cd27255
+# or "2x sshd.threads"
+# http://groups.google.com/group/repo-discuss/msg/269024c966e05d6a
+
+# container.heaplimit:
+# core.packedgit*
+# http://groups.google.com/group/repo-discuss/msg/269024c966e05d6a
+
+# sshd.threads:
+# http://groups.google.com/group/repo-discuss/browse_thread/thread/b91491c185295a71
+
+# httpd.maxWait:
+# 12:07 <@spearce> httpd.maxwait defaults to 5 minutes and is how long gerrit
+#                  waits for an idle sshd.thread before aboring the http request
+# 12:08 <@spearce> ironically
+# 12:08 <@spearce> ProjectQosFilter passes this value as minutes
+# 12:08 <@spearce> to a method that accepts milliseconds
+# 12:09 <@spearce> so. you get 5 milliseconds before aborting
+# thus, set it to 5000minutes until the bug is fixed.
+class openstack_project::review {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80, 443, 29418]
+  }
+  class { 'gerrit':
+    virtual_hostname => 'review.openstack.org',
+    canonicalweburl => "https://review.openstack.org/",
+    ssl_cert_file => '/etc/ssl/certs/review.openstack.org.pem',
+    ssl_key_file => '/etc/ssl/private/review.openstack.org.key',
+    ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
+    email => 'review@openstack.org',
+    database_poollimit => '150',    # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
+    container_heaplimit => '8g',
+    core_packedgitopenfiles => '4096',
+    core_packedgitlimit => '400m',
+    core_packedgitwindowsize => '16k',
+    sshd_threads => '100',
+    httpd_maxwait => '5000min',
+    github_projects => $openstack_project::project_list,
+    upstream_projects => [ {
+                         name => 'openstack-ci/gerrit',
+                         remote => 'https://gerrit.googlesource.com/gerrit'
+                         } ],
+    logo => 'openstack.png',
+    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.1-10-g63110fd.war',
+    script_user => 'launchpadsync',
+    script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
+    script_site => 'openstack',
+    enable_melody => 'true',
+    melody_session => 'true',
+    gerritbot_nick => 'openstackgerrit',
+    gerritbot_password => hiera('gerrit_gerritbot_password'),
+    gerritbot_server => 'irc.freenode.net',
+    gerritbot_user => 'gerritbot',
+    github_user => 'openstack-gerrit',
+    github_token => hiera('gerrit_github_token'),
+    mysql_password => hiera('gerrit_mysql_password'),
+    email_private_key => hiera('gerrit_email_private_key'),
+  }
+}

modules/openstack_project/manifests/review_dev.pp

@@ -0,0 +1,33 @@
+class openstack_project::review_dev {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80, 443, 29418]
+  }
+
+  class { 'gerrit':
+    virtual_hostname => 'review-dev.openstack.org',
+    canonicalweburl => "https://review-dev.openstack.org/",
+    ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+    ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
+    ssl_chain_file => '',
+    email => "review-dev@openstack.org",
+    github_projects => [ {
+                         name => 'gtest-org/test',
+                         close_pull => 'true'
+                         } ],
+    logo => 'openstack.png',
+    war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-10-g93ffc27.war',
+    script_user => 'update',
+    script_key_file => '/home/gerrit2/.ssh/id_rsa',
+    script_site => 'openstack',
+    enable_melody => 'true',
+    melody_session => 'true',
+    gerritbot_nick => '',
+    gerritbot_password => '',
+    gerritbot_server => '',
+    gerritbot_user => '',
+    github_user => 'openstack-gerrit-dev',
+    github_token => hiera('gerrit_dev_github_token'),
+    mysql_password => hiera('gerrit_dev_mysql_password'),
+    email_private_key => hiera('gerrit_dev_email_private_key')
+  }
+}

modules/openstack_project/manifests/slave_template.pp

@@ -0,0 +1,10 @@
+class openstack_project::slave_template {
+  class { 'openstack_project::template':
+    iptables_public_tcp_ports => []
+  }
+  class { 'jenkins_slave':
+    ssh_key => $openstack_project::jenkins_ssh_key,
+    sudo => true,
+    bare => true
+  }
+}

modules/openstack_project/manifests/wiki.pp

@@ -0,0 +1,9 @@
+class openstack_project::wiki {
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [80, 443]
+  }
+
+  realize (
+    User::Virtual::Localuser["rlane"],
+  )
+}