From 7f014a0c3f962ad40150c601bfbf48c3e3e105a4 Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Tue, 12 Dec 2017 16:19:18 -0800 Subject: [PATCH] Add website hosting infrastructure And the zuul-ci.org website. Note changes like this need ssl certs added to private hiera before merging. Creating the AFS volume would also be a good idea. The SSL certs are in hiera, and the AFS volume is mounted. Change-Id: I1eccee119bf169fea265c53af4c8c016c13c03ec Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6093 --- manifests/site.pp | 9 +++ .../openstack_project/manifests/website.pp | 59 ++++++++++++++++++ .../templates/website.vhost.erb | 60 +++++++++++++++++++ 3 files changed, 128 insertions(+) create mode 100644 modules/openstack_project/manifests/website.pp create mode 100644 modules/openstack_project/templates/website.vhost.erb diff --git a/manifests/site.pp b/manifests/site.pp index 0433f855fe..b0b489c825 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -695,6 +695,15 @@ node /^files\d*\.openstack\.org$/ { docs_chain_file_contents => hiera('docs_chain_file_contents'), require => Class['Openstack_project::Server'], } + + openstack_project::website { 'zuul-ci.org': + aliases => ['www.zuul-ci.org'], + ssl_cert => hiera('zuul-ci_org_ssl_cert'), + ssl_key => hiera('zuul-ci_org_ssl_key'), + ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'), + require => Class['openstack_project::files'], + } + } # Node-OS: trusty diff --git a/modules/openstack_project/manifests/website.pp b/modules/openstack_project/manifests/website.pp new file mode 100644 index 0000000000..50c1a594a8 --- /dev/null +++ b/modules/openstack_project/manifests/website.pp 
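Review bot: The `www.zuul-ci.org` alias is rendered into both the :80 and the :443 vhost by the template, so the certificate supplied via `hiera('zuul-ci_org_ssl_cert')` must carry that name as a SAN; nothing in this resource checks or documents that, and a mismatch would only surface as TLS errors on the www host. A one-line comment above the resource, `# cert in hiera must cover www.zuul-ci.org as a SAN`, would make the requirement visible to whoever rotates the certificate. The `require => Class['openstack_project::files']` ordering presumably also supplies the `File['/etc/ssl/certs']` and `File['/etc/ssl/private']` resources the define depends on, but the enclosing `node /^files\d*\.openstack\.org$/` block starts before this hunk, so that cannot be confirmed here.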
@@ -0,0 +1,59 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+define openstack_project::website (
+ $aliases = undef,
+ $ssl_cert = undef,
+ $ssl_key = undef,
+ $ssl_intermediate = undef,
+ $template = 'openstack_project/website.vhost.erb',
+) {
+
+ $afs_root = '/afs/openstack.org/'
+
+ ::httpd::vhost { $name:
+ serveraliases => $aliases,
+ port => 443, # Is required despite not being used.
+ docroot => "${afs_root}/project/${name}/www",
+ priority => '50',
+ template => $template,
+ }
+
+ file { "/etc/ssl/certs/$name.pem":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $ssl_cert,
+ require => File['/etc/ssl/certs'],
+ }
+
+ file { "/etc/ssl/private/$name.key":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $ssl_key,
+ require => File['/etc/ssl/private'],
+ }
+
+ file { "/etc/ssl/certs/$name_intermediate.pem":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $ssl_intermediate,
+ require => File['/etc/ssl/certs'],
+ }
+}
diff --git a/modules/openstack_project/templates/website.vhost.erb b/modules/openstack_project/templates/website.vhost.erb
new file mode 100644
index 0000000000..aa99804309
--- /dev/null
+++ b/modules/openstack_project/templates/website.vhost.erb
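Review bot: The title of the third file resource, `"/etc/ssl/certs/$name_intermediate.pem"`, interpolates a variable named `$name_intermediate` rather than `$name` followed by `_intermediate`, so the chain file is written to a path without the site name (an empty expansion, or a compile error under strict_variables) while the vhost template references `/etc/ssl/certs/<%= @name %>_intermediate.pem`; Apache would then fail to find its SSLCertificateChainFile. Change the title to `file { "/etc/ssl/certs/${name}_intermediate.pem":` and, for consistency, brace the other two titles as `"/etc/ssl/certs/${name}.pem"` and `"/etc/ssl/private/${name}.key"`. Managing the key with mode 0600, root-owned, and sourcing it from hiera is appropriate; one minor point is that `docroot => "${afs_root}/project/${name}/www"` yields a doubled slash because `$afs_root` already ends in `/`.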
@@ -0,0 +1,60 @@ +# ************************************ +# Managed by Puppet +# ************************************ + + + ServerName <%= @srvname %> + <% if @serveraliases.is_a? Array -%> + <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%> + <% elsif @serveraliases != nil -%> + <%= " ServerAlias #{@serveraliases}" -%> + <% end -%> + + RewriteEngine on + RewriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent] + + ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log + LogLevel warn + CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined + ServerSignature Off + + + + + ServerName <%= @srvname %> + <% if @serveraliases.is_a? Array -%> + <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%> + <% elsif @serveraliases != nil -%> + <%= " ServerAlias #{@serveraliases}" -%> + <% end -%> + + RewriteEngine on + + SSLEngine on + SSLProtocol All -SSLv2 -SSLv3 + # Once the machine is using something to terminate TLS that supports ECDHE + # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS + # only is guarenteed. 
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP + SSLHonorCipherOrder on + SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem + SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key + SSLCertificateChainFile /etc/ssl/certs/<%= @name %>_intermediate.pem + + DocumentRoot <%= @docroot %> + > + Options Indexes FollowSymLinks MultiViews + Satisfy any + Require all granted + AllowOverride None + # Allow mod_rewrite rules + AllowOverrideList Redirect RedirectMatch + ErrorDocument 404 /errorpage.html + + + ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log + LogLevel warn + CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined + ServerSignature Off + +
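Review bot: The comment `# Allow mod_rewrite rules` above `AllowOverrideList Redirect RedirectMatch` does not describe the directive: it only permits the mod_alias Redirect and RedirectMatch directives in .htaccess, and a RewriteRule there would still be refused under `AllowOverride None`. Either reword it to `# Allow mod_alias Redirect/RedirectMatch in .htaccess` or extend the list if rewrite rules in the docroot are actually intended. Separately, `Options Indexes` on the AFS-backed docroot exposes a directory listing wherever no index file exists, and the permanent 80→443 redirect is not accompanied by a Strict-Transport-Security header (which would need mod_headers, not shown in this hunk). `SSLProtocol All -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1; the cipher comment explains the RSA fallback but the protocol floor is undocumented. The VirtualHost and Directory container lines appear to have been lost in this rendering, so the block boundaries cannot be checked here.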