Merge "This patch impliments the survey spec: I3c389596373b94459a32a4e540d514a2941acbb1"

This commit is contained in:
Zuul 2018-05-31 19:46:25 +00:00 committed by Gerrit Code Review
commit eea6c0e468
6 changed files with 340 additions and 0 deletions

View File

@ -882,6 +882,28 @@ node /^status\d*\.openstack\.org$/ {
} }
} }
# Node-OS: xenial
node /^survey\d+\.openstack\.org$/ {
$group = "survey"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::survey':
vhost_name => 'survey.openstack.org',
auth_openid => true,
ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
ssl_key_file_contents => hiera('ssl_key_file_contents'),
ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
dbpassword => hiera('dbpassword'),
dbhost => hiera('dbhost'),
adminuser => hiera('adminuser'),
adminpass => hiera('adminpass'),
adminmail => hiera('adminmail'),
}
}
# This is a hidden authoritative master nameserver, not publicly # This is a hidden authoritative master nameserver, not publicly
# accessible. # accessible.
# Node-OS: xenial # Node-OS: xenial

View File

@ -15,6 +15,7 @@ nodepool nodepool*.openstack.org:nb*.openstack.org:nl*.openstack.org
review ~review\d+\.openstack\.org review ~review\d+\.openstack\.org
review-dev ~review-dev\d*\.openstack\.org review-dev ~review-dev\d*\.openstack\.org
subunit-worker ~subunit-worker\d+\.openstack\.org subunit-worker ~subunit-worker\d+\.openstack\.org
survey ~survey\d+\.openstack\.org
translate ~translate\d+\.openstack\.org translate ~translate\d+\.openstack\.org
translate-dev ~translate-dev\d*\.openstack\.org translate-dev ~translate-dev\d*\.openstack\.org
wiki ~wiki\d+\.openstack\.org wiki ~wiki\d+\.openstack\.org

View File

@ -13,6 +13,7 @@ refstack.openstack.org 443
review.openstack.org 443 review.openstack.org 443
static.openstack.org 443 static.openstack.org 443
storyboard.openstack.org 443 storyboard.openstack.org 443
survey.openstack.org 443
translate.openstack.org 443 translate.openstack.org 443
wiki.openstack.org 443 wiki.openstack.org 443
www.openstack.org 443 www.openstack.org 443

View File

@ -0,0 +1,198 @@
class openstack_project::survey (
$vhost_name = $::fqdn,
$ssl_cert_file = '/etc/ssl/certs/survey.openstack.org.pem',
$ssl_key_file = '/etc/ssl/private/survey.openstack.org.key',
$ssl_chain_file = '/etc/ssl/certs/intermediate.pem',
$ssl_cert_file_contents = '',
$ssl_key_file_contents = '',
$ssl_chain_file_contents = '',
$dbpassword = '',
$dbhost = '',
# Table containing openid auth details. If undef not enabled
# Example dict:
# {
# banner => "Welcome",
# singleIdp => "https://openstackid.org",
# trusted => '^https://openstackid.org/.*$',
# any_valid_user => false,
# users => ['https://openstackid.org/foo',
# 'https://openstackid.org/bar'],
# }
# Note that if you care which users get access set any_valid_user to false
# and then provide an explicit list of openids in the users list. Otherwise
# set any_valid_user to true and any successfully authenticated user will
# get access.
$auth_openid = undef,
$docroot = '/var/www',
$runtime_dir_mode = '0755',
$download_url = 'https://github.com/LimeSurvey/LimeSurvey/archive/',
$version = '3.7.0+180418',
$www_group = 'www-data',
$www_user = 'www-data',
# These are required for bootstrapping, so do not have defaults.
$adminuser,
$adminpass,
$adminmail,
) {
$distro_packages = [
'libapache2-mod-php',
'php',
'php-gd',
'php-imap',
'php-ldap',
'php-mbstring',
'php-mcrypt',
'php-mysql',
'php-xml',
'php-zip',
'ssl-cert',
]
package { $distro_packages:
ensure => present,
}
exec { 'limesurvey-download':
path => '/bin:/usr/bin',
creates => "${docroot}/tmp/runtime",
command => "bash -c 'cd /tmp; wget ${download_url}${version}.tar.gz'",
require => File[$docroot],
user => $www_user,
}
exec { 'limesurvey-unzip':
path => '/bin:/usr/bin',
cwd => '/tmp',
creates => "${docroot}/tmp/runtime",
command => "bash -c 'cd /tmp; tar zxf /tmp/${version}.tar.gz -C ${docroot} --strip-components=1'",
notify => Exec['limesurvey-install'],
require => Exec['limesurvey-download'],
user => $www_user,
}
exec { 'limesurvey-install':
command => "/usr/bin/php console.php install ${adminuser} ${adminpass} 'Default Administrator' ${adminmail}",
cwd => "${docroot}/application/commands",
refreshonly => true,
require => [
File["${docroot}/application/config/config.php"],
Package[$distro_packages],
],
user => $www_user,
}
file { "/tmp/${version}.tar.gz":
ensure => absent,
require => Exec['limesurvey-unzip'],
}
file { "${docroot}/tmp/runtime/":
ensure => directory,
mode => $runtime_dir_mode,
require => Exec['limesurvey-install'],
}
file { "${docroot}/application/config/config.php":
ensure => present,
owner => $www_user,
group => $www_group,
mode => '0660',
content => template ('openstack_project/survey.config.php.erb'),
replace => true,
require => Exec['limesurvey-unzip'],
}
include ::httpd
::httpd::vhost { $vhost_name:
port => 443,
docroot => $docroot,
priority => '50',
template => 'openstack_project/survey.vhost.erb',
ssl => true,
}
if !defined(Mod['rewrite']) {
httpd::mod { 'rewrite':
ensure => present,
}
}
if ($auth_openid != undef) {
if !defined(Package['libapache2-mod-auth-openid']) {
package { 'libapache2-mod-auth-openid':
ensure => present,
}
}
if !defined(Mod['auth_openid']) {
# Workaround for https://bugs.debian.org/759209
file { '/etc/apache2/mods-available/auth_openid.load':
ensure => present,
content => 'LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so',
replace => true,
require => Package['libapache2-mod-auth-openid'],
}
httpd::mod { 'auth_openid':
ensure => present,
require => File['/etc/apache2/mods-available/auth_openid.load'],
}
}
}
file { $docroot:
ensure => directory,
owner => $www_user,
group => $www_group,
}
file { "${docroot}/robots.txt":
ensure => present,
source => 'puppet:///modules/openstack_project/disallow_robots.txt',
owner => 'root',
group => 'root',
mode => '0444',
require => File[$docroot],
}
file { '/etc/ssl/certs':
ensure => directory,
owner => 'root',
mode => '0755',
}
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
mode => '0700',
}
if $ssl_cert_file_contents != '' {
file { $ssl_cert_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_cert_file_contents,
before => Httpd::Vhost[$vhost_name],
}
}
if $ssl_key_file_contents != '' {
file { $ssl_key_file:
owner => 'root',
group => 'ssl-cert',
mode => '0640',
content => $ssl_key_file_contents,
require => Package['ssl-cert'],
before => Httpd::Vhost[$vhost_name],
}
}
if $ssl_chain_file_contents != '' {
file { $ssl_chain_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_chain_file_contents,
before => Httpd::Vhost[$vhost_name],
}
}
}

View File

@ -0,0 +1,65 @@
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| 'connectionString' Hostname, database, port and database type for
| the connection. Driver example: mysql. Currently supported:
| mysql, pgsql, mssql, sqlite, oci
| 'username' The username used to connect to the database
| 'password' The password used to connect to the database
| 'tablePrefix' You can add an optional prefix, which will be added
| to the table name when using the Active Record class
|
*/
return array(
'components' => array(
'db' => array(
'connectionString' => 'mysql:host=<%= @dbhost %>;port=3306;dbname=limesurvey;',
'emulatePrepare' => true,
'username' => 'limesurvey',
'password' => '<%= @dbpassword %>',
'charset' => 'utf8mb4',
'tablePrefix' => '',
),
// Uncomment the following line if you need table-based sessions
// 'session' => array (
// 'class' => 'application.core.web.DbHttpSession',
// 'connectionID' => 'db',
// 'sessionTableName' => '{{sessions}}',
// ),
'urlManager' => array(
'urlFormat' => 'path',
'rules' => array(
// You can add your own rules here
),
'showScriptName' => true,
),
),
// Use the following config variable to set modified optional settings copied from config-defaults.php
'config'=>array(
// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
// then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
// on your webspace.
// LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
'debug'=>0,
'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
// Update default LimeSurvey config here
'auth_webserver'=>true,
'auth_webserver_autocreate_user'=>true,
)
);
/* End of file config.php */
/* Location: ./application/config/config.php */

View File

@ -0,0 +1,53 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost <%= @vhost_name %>:80>
ServerName <%= @srvname %>
ReWriteEngine On
ReWriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
LogLevel warn
ErrorLog /var/log/apache2/<%= @name %>_error.log
CustomLog /var/log/apache2/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost <%= @vhost_name %>:<%= @port %>>
ServerName <%= @srvname %>
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options <%= @options %>
AllowOverride None
Order allow,deny
allow from all
Require all granted
</Directory>
<% if @auth_openid != nil %>
<Location /index.php/admin/>
AuthType OpenID
AuthName "Welcome"
AuthOpenIDSecureCookie On
AuthOpenIDCookieLifespan 3600
AuthOpenIDTrustRoot https://survey01.openstack.org
AuthOpenIDServerName https://survey01.openstack.org
AuthOpenIDSingleIdP https://openstackid.org
AuthOpenIDTrusted ^https://openstackid.org/.*$
Require valid-user
</Location>
<% end %>
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCertificateFile <%= scope.lookupvar("openstack_project::survey::ssl_cert_file") %>
SSLCertificateKeyFile <%= scope.lookupvar("openstack_project::survey::ssl_key_file") %>
<% if scope.lookupvar("openstack_project::survey::ssl_chain_file") != "" %>
SSLCertficateChainFile <%= scope.lookupvar("openstack_project::survey::ssl_chain_file") %>
<% end %>
ErrorLog /var/log/apache2/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/apache2/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>