From d6368cf2485f7b1046cc609b24f0eaea97cb964e Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Thu, 11 Apr 2019 13:04:30 +1000
Subject: [PATCH] Add a httpd SSL template

If passed the new ssl file parameters, configure and install a SSL version of the apache config.

For graphite.opendev.org it is intended to use the letsencrypt certificates provisioned by the base ansible run for this.

Change-Id: Ic133e3abc09343541210c061af544f7b37480f27
---
 manifests/init.pp                | 12 ++++-
 templates/graphite.ssl.vhost.erb | 75 ++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 templates/graphite.ssl.vhost.erb

diff --git a/manifests/init.pp b/manifests/init.pp
index b252ef1..1856283 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -25,6 +25,10 @@ class graphite(
   # Have statsd listen on '::' which, thanks to dual-stack,
   # gets ipv4 and ipv6 connections.
   $statsd_ipv6_listen = true,
+
+  $ssl_cert_file = '',
+  $ssl_chain_file = '',
+  $ssl_key_file = '',
 ) {
   $packages = [ 'python-django',
                 'python-django-tagging',
@@ -222,11 +226,17 @@ class graphite(
               File['/etc/graphite/admin.ini']],
   }
 
+  if $ssl_cert_file != '' {
+    $http_template = 'graphite/graphite.ssl.vhost.erb'
+  } else {
+    $http_template = 'graphite/graphite.vhost.erb'
+  }
+
   ::httpd::vhost { $vhost_name:
     port     => 80,
     priority => '50',
     docroot  => '/var/lib/graphite/webapp',
-    template => 'graphite/graphite.vhost.erb',
+    template => $http_template,
   }
 
   if !defined(Httpd::Mod['headers']) {
diff --git a/templates/graphite.ssl.vhost.erb b/templates/graphite.ssl.vhost.erb
new file mode 100644
index 0000000..ebc13b1
--- /dev/null
+++ b/templates/graphite.ssl.vhost.erb
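Review bot: The three new parameters `$ssl_cert_file`, `$ssl_chain_file` and `$ssl_key_file` enter the class signature without the explanatory comment that the neighbouring `$statsd_ipv6_listen` carries, so nothing in the header tells a reader that setting the certificate path switches the vhost template or that the chain file is optional. I would add above them: `# Paths to an existing certificate, an optional chain file and the private key. A non-empty ssl_cert_file selects the SSL vhost template; all three default to '' so the plain HTTP template is used.` The class body continues outside this hunk.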
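Review bot: The template selection in the second init.pp hunk keys only on `$ssl_cert_file`, so a caller who sets the certificate but leaves `$ssl_key_file` at its `''` default still gets the SSL template, and the rendered vhost then carries a bare `SSLCertificateKeyFile` with no argument that Apache rejects at config check rather than at Puppet run time. I would fail early in the manifest, before the `if $ssl_cert_file != ''` block: `if $ssl_cert_file != '' and $ssl_key_file == '' { fail('graphite: ssl_key_file is required when ssl_cert_file is set') }`. Separately, the new template turns on `SSLEngine`, but nothing in this hunk enables the SSL module alongside the existing `Httpd::Mod['headers']` guard; unless that is done elsewhere in init.pp, a matching guard for `Httpd::Mod['ssl']` written the same way as the headers one is needed, or the vhost will fail to load. The `::httpd::vhost` resource also still declares `port => 80` while the chosen template serves both :80 and :443; harmless if the template ignores the parameter, but worth a one-line comment so the mismatch does not look like an oversight.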
@@ -0,0 +1,75 @@
+
+  ErrorLog /var/log/apache2/graphite-error.log
+  CustomLog /var/log/apache2/graphite-access.log common
+  LogLevel warn
+  ServerSignature Off
+
+  Redirect / https://<%= scope.lookupvar("graphite::vhost_name") %>/
+
+
+
+  SSLEngine on
+  SSLCertificateFile <%= @ssl_cert_file %>
+  SSLCertificateKeyFile <%= @ssl_key_file %>
+  <%# The original default was '' -%>
+  <%# scope.lookupvar returns nil for an undefined variable in puppet 4 -%>
+  <%# scope.lookupvar returns :undef for an undefined variable in puppet 3 -%>
+  <% unless ['', nil, :undef].include?@ssl_chain_file %>
+  SSLCertificateChainFile <%= @ssl_chain_file %>
+  <% end %>
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  DocumentRoot "/var/lib/graphite/webapp"
+  ErrorLog /var/log/apache2/graphite-error.log
+  CustomLog /var/log/apache2/graphite-access.log common
+
+  # Add CORS authorization to the header so third-party services can pull
+  # metrics data via API calls for things like vizualiation dashboards.
+  Header set Access-Control-Allow-Origin "*"
+
+  # I've found that an equal number of processes & threads tends
+  # to show the best performance for Graphite (ymmv).
+  WSGIDaemonProcess graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120
+  WSGIProcessGroup graphite
+  WSGIApplicationGroup %{GLOBAL}
+  SetEnv GRAPHITE_STORAGE_DIR /var/lib/graphite/storage
+  WSGIImportScript /etc/graphite/graphite.wsgi process-group=graphite application-group=%{GLOBAL}
+
+  # XXX You will need to create this file! There is a graphite.wsgi.example
+  # file in this directory that you can safely use, just copy it to graphite.wgsi
+  WSGIScriptAlias / /etc/graphite/graphite.wsgi
+
+  Alias /content/ /var/lib/graphite/webapp/content/
+
+    SetHandler None
+
+
+  # XXX In order for the django admin site media to work you
+  # must change @DJANGO_ROOT@ to be the path to your django
+  # installation, which is probably something like:
+  # /usr/lib/python2.6/site-packages/django
+  Alias /media/ "/usr/lib/python2.7/dist-packages/django/contrib/admin/media/"
+
+    SetHandler None
+
+
+  # The graphite.wsgi file has to be accessible by apache. It won't
+  # be visible to clients because of the DocumentRoot though.
+
+    = 2.4>
+      Require all granted
+
+
+      Order deny,allow
+      Allow from all
+
+
+  = 2.4>
+
+      Require all granted
+
+
+
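Review bot: The port-80 vhost's `Redirect / https://...` is a temporary (302) redirect by default and the :443 block sets no `Strict-Transport-Security` header, so clients are never told to stop attempting plain HTTP; with mod_headers already required by the manifest, `Redirect permanent / https://<%= scope.lookupvar("graphite::vhost_name") %>/` on :80 and `Header always set Strict-Transport-Security "max-age=31536000"` next to the existing `Header set` line would close that (start with a short max-age while the letsencrypt provisioning described in the commit message is being proven). `SSLProtocol All -SSLv2 -SSLv3` still admits TLS 1.0 and 1.1; appending `-TLSv1 -TLSv1.1` is the usual baseline if the metrics clients allow it, and the `# Note:` comment above `SSLCipherSuite` should say that the cipher list is also pinned by `SSLHonorCipherOrder on` so the two lines are maintained together. This rendering has dropped the angle-bracket container directives (the `VirtualHost`, `Location`, `Directory` and `IfVersion` open/close lines show as empty `+` lines or as `= 2.4>` fragments), so those gaps are an artefact of the page, not of the template. The two comment typos (`vizualiation`, `graphite.wgsi`) are carried over verbatim and could be fixed while the file is new.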