Merge "Add website hosting infrastructure"

2018-01-22 17:33:33 +00:00 · 2018-01-22 17:33:33 +00:00 · f3cf6085b7
commit f3cf6085b7
parent a187f1665b 7f014a0c3f
3 changed files with 128 additions and 0 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -657,6 +657,15 @@ node /^files\d*\.openstack\.org$/ {
    docs_chain_file_contents      => hiera('docs_chain_file_contents'),
    require                       => Class['Openstack_project::Server'],
  }
  openstack_project::website { 'zuul-ci.org':
    aliases          => ['www.zuul-ci.org'],
    ssl_cert         => hiera('zuul-ci_org_ssl_cert'),
    ssl_key          => hiera('zuul-ci_org_ssl_key'),
    ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
    require          => Class['openstack_project::files'],
  }
 }
 # Node-OS: trusty
--- a/modules/openstack_project/manifests/website.pp
+++ b/modules/openstack_project/manifests/website.pp
@ -0,0 +1,59 @@
 # Copyright 2017 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 define openstack_project::website (
  $aliases = undef,
  $ssl_cert = undef,
  $ssl_key = undef,
  $ssl_intermediate = undef,
  $template = 'openstack_project/website.vhost.erb',
 ) {
  $afs_root = '/afs/openstack.org/'
  ::httpd::vhost { $name:
    serveraliases => $aliases,
    port          => 443, # Is required despite not being used.
    docroot       => "${afs_root}/project/${name}/www",
    priority      => '50',
    template      => $template,
  }
  file { "/etc/ssl/certs/$name.pem":
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $ssl_cert,
    require => File['/etc/ssl/certs'],
  }
  file { "/etc/ssl/private/$name.key":
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => $ssl_key,
    require => File['/etc/ssl/private'],
  }
  file { "/etc/ssl/certs/$name_intermediate.pem":
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $ssl_intermediate,
    require => File['/etc/ssl/certs'],
  }
 }
--- a/modules/openstack_project/templates/website.vhost.erb
+++ b/modules/openstack_project/templates/website.vhost.erb
@ -0,0 +1,60 @@
 # ************************************
 # Managed by Puppet
 # ************************************
 <VirtualHost *:80>
    ServerName <%= @srvname %>
    <% if @serveraliases.is_a? Array -%>
      <% @serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
    <% elsif @serveraliases != nil -%>
      <%= "  ServerAlias #{@serveraliases}" -%>
    <% end -%>
    RewriteEngine on
    RewriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
    LogLevel warn
    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
    ServerSignature Off
 </VirtualHost>
 <IfModule mod_ssl.c>
 <VirtualHost *:443>
    ServerName <%= @srvname %>
    <% if @serveraliases.is_a? Array -%>
      <% @serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
    <% elsif @serveraliases != nil -%>
      <%= "  ServerAlias #{@serveraliases}" -%>
    <% end -%>
    RewriteEngine on
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    # Once the machine is using something to terminate TLS that supports ECDHE
    # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
    # only is guarenteed.
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
    SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
    SSLCertificateChainFile /etc/ssl/certs/<%= @name %>_intermediate.pem
    DocumentRoot <%= @docroot %>
    <Directory <%= @docroot %>>
        Options Indexes FollowSymLinks MultiViews
        Satisfy any
        Require all granted
        AllowOverride None
        # Allow mod_rewrite rules
        AllowOverrideList Redirect RedirectMatch
        ErrorDocument 404 /errorpage.html
    </Directory>
    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
    LogLevel warn
    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
    ServerSignature Off
 </VirtualHost>
 </IfModule>