From 4ebafcde34164139b743c413cb8a8d643019b32c Mon Sep 17 00:00:00 2001 From: Joshua Hesketh Date: Tue, 15 Mar 2016 12:45:22 +1100 Subject: [PATCH] Add election alias to governance.openstack.org Add an alias for /election/ to go to /srv/static/election where the election repo will be published to. This is a reworked resubmission of Ie5e783c65396e9fb74f3d739e775e51a948652fe which was reverted in I808e654a6fb77440e7aecbde4456ddc720fe0d9a . Change-Id: I1a8e179d26e57247322fe3ed604e838722d43334 Partially-Implements: spec publish-election-repo Co-Authored-By: Jeremy Stanley --- modules/openstack_project/manifests/static.pp | 22 ++++-- .../templates/static-governance.vhost.erb | 69 +++++++++++++++++++ 2 files changed, 87 insertions(+), 4 deletions(-) create mode 100644 modules/openstack_project/templates/static-governance.vhost.erb diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp index fd6fd30045..2b68d9bb6e 100644 --- a/modules/openstack_project/manifests/static.pp +++ b/modules/openstack_project/manifests/static.pp @@ -49,6 +49,10 @@ class openstack_project::static ( } } + if ! defined(Httpd::Mod['alias']) { + httpd::mod { 'alias': ensure => present } + } + if ! defined(File['/srv/static']) { file { '/srv/static': ensure => directory, 
@@ -252,23 +256,33 @@ class openstack_project::static ( } ########################################################### - # Governance + # Governance & Election + + # Extra aliases and directories needed for vhost template: + $governance_aliases = { + '/election/' => '/srv/static/election/' + } + # One of these must also be the docroot + $governance_directories = [ + '/srv/static/election', + '/srv/static/governance', + ] ::httpd::vhost { 'governance.openstack.org': port => 443, # Is required despite not being used. docroot => '/srv/static/governance', priority => '50', ssl => true, - template => 'openstack_project/static-http-and-https.vhost.erb', + template => 'openstack_project/static-governance.vhost.erb', vhost_name => 'governance.openstack.org', require => [ - File['/srv/static/governance'], + File[$governance_directories], File[$cert_file], File[$key_file], ], } - file { '/srv/static/governance': + file { $governance_directories: ensure => directory, owner => 'jenkins', group => 'jenkins', diff --git a/modules/openstack_project/templates/static-governance.vhost.erb b/modules/openstack_project/templates/static-governance.vhost.erb new file mode 100644 index 0000000000..5e8024a8f6 --- /dev/null +++ b/modules/openstack_project/templates/static-governance.vhost.erb 
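Review bot: Nothing in this hunk ties `$governance_aliases` to `$governance_directories`, and the docroot rule is enforced only by the comment `# One of these must also be the docroot`. An alias target added to the hash without a matching array entry would get no `file` resource. Judging by the template in this patch, it would also get no per-directory access block. I would spell the coupling out where the variables are defined, e.g. `# Every alias target must also be listed in $governance_directories, and the vhost docroot must be one of them`. The `file { $governance_directories: ... }` resource continues past the end of the hunk, so its remaining attributes were not reviewed.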
@@ -0,0 +1,69 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+ # Permanently redirect these ServerAlias entries to ServerName
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif @serveraliases != '' -%>
+<%= " ServerAlias #{@serveraliases}" %>
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} !<%= @vhost_name %>$ [NC]
+ RewriteRule ^/(.*)$ http://<%= @vhost_name %>/$1 [L,R=301]
+<% end -%>
+ DocumentRoot <%= @docroot %>
+
+ # Alias other folders
+ <% scope.lookupvar('openstack_project::static::governance_aliases').each do |a, d| -%>
+ Alias "<%= a %>" "<%= d %>"
+ <% end -%>
+ <% scope.lookupvar('openstack_project::static::governance_directories').each do |dirname| -%>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Satisfy Any
+ Require all granted
+
+ <% end -%>
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName <%= @vhost_name %>
+ DocumentRoot <%= @docroot %>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
+ SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
+<% if scope['openstack_project::static::chain_file'] != '' %>
+ SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
+<% end %>
+ # Alias other folders
+ <% scope.lookupvar('openstack_project::static::governance_aliases').each do |a, d| -%>
+ Alias "<%= a %>" "<%= d %>"
+ <% end -%>
+ <% scope.lookupvar('openstack_project::static::governance_directories').each do |dirname| -%>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Satisfy Any
+ Require all granted
+
+ <% end -%>
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
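Review bot: `Options Indexes FollowSymLinks MultiViews` is emitted for every entry of `governance_directories` in both vhosts. static.pp creates those trees owned by `jenkins` (presumably so the publishing job can write them), so a symlink in published content would be followed to any path the Apache user can read. Consider `Options SymLinksIfOwnerMatch MultiViews`, and keep `Indexes` only if directory listings are intended. Separately, the comment `# Permanently redirect these ServerAlias entries to ServerName` sits in the Array branch, but the `RewriteEngine`/`RewriteRule` lines are emitted only in the `elsif` string branch, so array-valued aliases appear to get no redirect. The enclosing container tags are not visible in this rendering of the hunk, so the exact block boundaries are inferred.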