f80688f0ef
Add HTTPS for trystack.openstack.org and incorporate ServerAlias support into the static-http-and-https and static-https-redirect vhost templates. Change-Id: I7c3ab22485689bf22dfe706fa7b0f6777604db25
340 lines
9.6 KiB
Puppet
340 lines
9.6 KiB
Puppet
# == Class: openstack_project::static
|
|
#
|
|
class openstack_project::static (
|
|
$swift_authurl = '',
|
|
$swift_user = '',
|
|
$swift_key = '',
|
|
$swift_tenant_name = '',
|
|
$swift_region_name = '',
|
|
$swift_default_container = '',
|
|
$project_config_repo = '',
|
|
$ssl_cert_file = '',
|
|
$ssl_cert_file_contents = '',
|
|
$ssl_key_file = '',
|
|
$ssl_key_file_contents = '',
|
|
$ssl_chain_file = '',
|
|
$ssl_chain_file_contents = '',
|
|
$jenkins_gitfullname = 'OpenStack Jenkins',
|
|
$jenkins_gitemail = 'jenkins@openstack.org',
|
|
) {
|
|
class { 'project_config':
|
|
url => $project_config_repo,
|
|
}
|
|
|
|
include openstack_project
|
|
class { 'jenkins::jenkinsuser':
|
|
ssh_key => $openstack_project::jenkins_ssh_key,
|
|
gitfullname => $jenkins_gitfullname,
|
|
gitemail => $jenkins_gitemail,
|
|
}
|
|
|
|
include ::httpd
|
|
include ::httpd::mod::wsgi
|
|
|
|
httpd_mod { 'rewrite':
|
|
ensure => present,
|
|
}
|
|
httpd_mod { 'proxy':
|
|
ensure => present,
|
|
}
|
|
httpd_mod { 'proxy_http':
|
|
ensure => present,
|
|
}
|
|
|
|
if ! defined(File['/srv/static']) {
|
|
file { '/srv/static':
|
|
ensure => directory,
|
|
}
|
|
}
|
|
|
|
file { '/etc/ssl/certs':
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
}
|
|
|
|
file { '/etc/ssl/private':
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0700',
|
|
}
|
|
|
|
# To use the standard ssl-certs package snakeoil certificate, leave both
|
|
# $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
|
|
# certificate, specify its path for $ssl_cert_file and leave
|
|
# $ssl_cert_file_contents empty. To manage the certificate with puppet,
|
|
# provide $ssl_cert_file_contents and optionally specify the path to use for
|
|
# it in $ssl_cert_file.
|
|
if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') {
|
|
$cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
|
|
} else {
|
|
if $ssl_cert_file == '' {
|
|
$cert_file = "/etc/ssl/certs/${::fqdn}.pem"
|
|
} else {
|
|
$cert_file = $ssl_cert_file
|
|
}
|
|
if $ssl_cert_file_contents != '' {
|
|
file { $cert_file:
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $ssl_cert_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
}
|
|
}
|
|
}
|
|
|
|
# To use the standard ssl-certs package snakeoil key, leave both
|
|
# $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
|
|
# specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
|
|
# To manage the key with puppet, provide $ssl_key_file_contents and
|
|
# optionally specify the path to use for it in $ssl_key_file.
|
|
if ($ssl_key_file == '') and ($ssl_key_file_contents == '') {
|
|
$key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
|
|
} else {
|
|
if $ssl_key_file == '' {
|
|
$key_file = "/etc/ssl/private/${::fqdn}.key"
|
|
} else {
|
|
$key_file = $ssl_key_file
|
|
}
|
|
if $ssl_key_file_contents != '' {
|
|
file { $key_file:
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => $ssl_key_file_contents,
|
|
require => File['/etc/ssl/private'],
|
|
}
|
|
}
|
|
}
|
|
|
|
# To avoid using an intermediate certificate chain, leave both
|
|
# $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
|
|
# chain, specify its path for $ssl_chain_file and leave
|
|
# $ssl_chain_file_contents empty. To manage the chain with puppet, provide
|
|
# $ssl_chain_file_contents and optionally specify the path to use for it in
|
|
# $ssl_chain_file.
|
|
if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') {
|
|
$chain_file = ''
|
|
} else {
|
|
if $ssl_chain_file == '' {
|
|
$chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
|
|
} else {
|
|
$chain_file = $ssl_chain_file
|
|
}
|
|
if $ssl_chain_file_contents != '' {
|
|
file { $chain_file:
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $ssl_chain_file_contents,
|
|
require => File['/etc/ssl/certs'],
|
|
before => File[$cert_file],
|
|
}
|
|
}
|
|
}
|
|
|
|
###########################################################
|
|
# Tarballs
|
|
|
|
::httpd::vhost { 'tarballs.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => '/srv/static/tarballs',
|
|
priority => '50',
|
|
ssl => true,
|
|
template => 'openstack_project/static-http-and-https.vhost.erb',
|
|
vhost_name => 'tarballs.openstack.org',
|
|
require => [
|
|
File['/srv/static/tarballs'],
|
|
File[$cert_file],
|
|
File[$key_file],
|
|
],
|
|
}
|
|
|
|
file { '/srv/static/tarballs':
|
|
ensure => directory,
|
|
owner => 'jenkins',
|
|
group => 'jenkins',
|
|
require => User['jenkins'],
|
|
}
|
|
|
|
###########################################################
|
|
# legacy ci.openstack.org site redirect
|
|
|
|
::httpd::vhost { 'ci.openstack.org':
|
|
port => 80,
|
|
priority => '50',
|
|
docroot => 'MEANINGLESS_ARGUMENT',
|
|
template => 'openstack_project/ci.vhost.erb',
|
|
}
|
|
|
|
###########################################################
|
|
# Logs
|
|
class { 'openstackci::logserver':
|
|
jenkins_ssh_key => $openstack_project::jenkins_ssh_key,
|
|
domain => 'openstack.org',
|
|
swift_authurl => $swift_authurl,
|
|
swift_user => $swift_user,
|
|
swift_key => $swift_key,
|
|
swift_tenant_name => $swift_tenant_name,
|
|
swift_region_name => $swift_region_name,
|
|
swift_default_container => $swift_default_container,
|
|
}
|
|
|
|
###########################################################
|
|
# Docs-draft
|
|
|
|
::httpd::vhost { 'docs-draft.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => '/srv/static/docs-draft',
|
|
priority => '50',
|
|
ssl => true,
|
|
template => 'openstack_project/static-http-and-https.vhost.erb',
|
|
vhost_name => 'docs-draft.openstack.org',
|
|
require => [
|
|
File['/srv/static/docs-draft'],
|
|
File[$cert_file],
|
|
File[$key_file],
|
|
],
|
|
}
|
|
|
|
file { '/srv/static/docs-draft':
|
|
ensure => directory,
|
|
owner => 'jenkins',
|
|
group => 'jenkins',
|
|
require => User['jenkins'],
|
|
}
|
|
|
|
file { '/srv/static/docs-draft/robots.txt':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0444',
|
|
source => 'puppet:///modules/openstack_project/disallow_robots.txt',
|
|
require => File['/srv/static/docs-draft'],
|
|
}
|
|
|
|
###########################################################
|
|
# Security
|
|
|
|
::httpd::vhost { 'security.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => '/srv/static/security',
|
|
priority => '50',
|
|
ssl => true,
|
|
template => 'openstack_project/static-https-redirect.vhost.erb',
|
|
vhost_name => 'security.openstack.org',
|
|
require => [
|
|
File['/srv/static/security'],
|
|
File[$cert_file],
|
|
File[$key_file],
|
|
],
|
|
}
|
|
|
|
file { '/srv/static/security':
|
|
ensure => directory,
|
|
owner => 'jenkins',
|
|
group => 'jenkins',
|
|
require => User['jenkins'],
|
|
}
|
|
|
|
###########################################################
|
|
# Governance
|
|
|
|
::httpd::vhost { 'governance.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => '/srv/static/governance',
|
|
priority => '50',
|
|
ssl => true,
|
|
template => 'openstack_project/static-http-and-https.vhost.erb',
|
|
vhost_name => 'governance.openstack.org',
|
|
require => [
|
|
File['/srv/static/governance'],
|
|
File[$cert_file],
|
|
File[$key_file],
|
|
],
|
|
}
|
|
|
|
file { '/srv/static/governance':
|
|
ensure => directory,
|
|
owner => 'jenkins',
|
|
group => 'jenkins',
|
|
require => User['jenkins'],
|
|
}
|
|
|
|
###########################################################
|
|
# Specs
|
|
|
|
::httpd::vhost { 'specs.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => '/srv/static/specs',
|
|
priority => '50',
|
|
ssl => true,
|
|
template => 'openstack_project/static-http-and-https.vhost.erb',
|
|
vhost_name => 'specs.openstack.org',
|
|
require => [
|
|
File['/srv/static/specs'],
|
|
File[$cert_file],
|
|
File[$key_file],
|
|
],
|
|
}
|
|
|
|
file { '/srv/static/specs':
|
|
ensure => directory,
|
|
owner => 'jenkins',
|
|
group => 'jenkins',
|
|
require => User['jenkins'],
|
|
}
|
|
|
|
###########################################################
|
|
# legacy summit.openstack.org site redirect
|
|
|
|
::httpd::vhost { 'summit.openstack.org':
|
|
port => 80,
|
|
priority => '50',
|
|
docroot => 'MEANINGLESS_ARGUMENT',
|
|
template => 'openstack_project/summit.vhost.erb',
|
|
}
|
|
|
|
###########################################################
|
|
# legacy devstack.org site redirect
|
|
|
|
::httpd::vhost { 'devstack.org':
|
|
port => 80,
|
|
priority => '50',
|
|
docroot => 'MEANINGLESS_ARGUMENT',
|
|
serveraliases => ['*.devstack.org'],
|
|
template => 'openstack_project/devstack.vhost.erb',
|
|
}
|
|
|
|
###########################################################
|
|
# Trystack
|
|
|
|
::httpd::vhost { 'trystack.openstack.org':
|
|
port => 443, # Is required despite not being used.
|
|
docroot => '/opt/trystack',
|
|
priority => '50',
|
|
ssl => true,
|
|
template => 'openstack_project/static-http-and-https.vhost.erb',
|
|
vhost_name => 'trystack.openstack.org',
|
|
serveraliases => ['trystack.org', 'www.trystack.org'],
|
|
require => [
|
|
Vcsrepo['/opt/trystack'],
|
|
File[$cert_file],
|
|
File[$key_file],
|
|
],
|
|
}
|
|
|
|
vcsrepo { '/opt/trystack':
|
|
ensure => latest,
|
|
provider => git,
|
|
revision => 'master',
|
|
source => 'https://git.openstack.org/openstack-infra/trystack-site',
|
|
}
|
|
}
|