Add logs.opendev.org vhost

This is a near-copy of the vhost template from puppet-openstackci.

Change-Id: I191e41b501629e2cdd82381d66daa3b850e0be81

modules/openstack_project/manifests/static.pp

@@ -217,6 +217,16 @@ class openstack_project::static (
     }
   }
 
+  ::httpd::vhost { "logs.opendev.org":
+    port       => 443,
+    priority   => '50',
+    ssl        => true,
+    docroot    => '/srv/static/logs',
+    require    => File['/srv/static/logs'],
+    vhost_name => 'logs.opendev.org',
+    template   => 'openstack_project/logs.vhost.erb',
+  }
+
   vcsrepo { '/opt/devstack-gate':
     ensure   => latest,
     provider => git,

modules/openstack_project/templates/logs.vhost.erb

@@ -0,0 +1,193 @@
+# -*- apache -*-
+# ************************************
+# Managed by Puppet
+# ************************************
+
+NameVirtualHost <%= @vhost_name %>:80
+NameVirtualHost <%= @vhost_name %>:443
+
+<VirtualHost *:80>
+  ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif ! ['', nil].include?(@serveraliases) -%>
+<%= " ServerAlias #{@serveraliases}" %>
+<% end -%>
+  RewriteEngine On
+  RewriteRule ^/(.*)$ https://<%= @vhost_name %>/$1 [L,R=301]
+  DocumentRoot <%= @docroot %>
+  <Directory <%= @docroot %>>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    AllowOverrideList Redirect RedirectMatch
+    Satisfy Any
+    Require all granted
+  </Directory>
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif ! ['', nil, :undef].include?(@serveraliases) -%>
+<%= " ServerAlias #{@serveraliases}" %>
+<% end -%>
+
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Once the machine is using something to terminate TLS that supports ECDHE
+  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+  # only is guarenteed.
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+  SSLCertificateFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.cer
+  SSLCertificateKeyFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/logs.opendev.org/ca.cer
+
+  DocumentRoot <%= @docroot %>
+
+  # Authorize cross request, e.g. fetch job-output from the zuul builds page
+  Header set Access-Control-Allow-Origin "*"
+
+  WSGIDaemonProcess logs2 user=www-data group=www-data processes=16 threads=1
+  WSGIProcessGroup logs2
+  WSGIApplicationGroup %{GLOBAL}
+
+  AddType text/plain .log
+  AddType text/plain .sh
+  AddType text/plain .yaml
+  AddType text/plain .yml
+
+  # use Apache to compress the results afterwards, to save on the wire
+  # it's approx 18x savings of wire traffic to compress. We need to
+  # compress by content types that htmlify can produce
+  AddOutputFilterByType DEFLATE text/plain text/html application/x-font-ttf image/svg+xml
+
+  <FilesMatch \.html\.gz$>
+    ForceType text/html
+    AddDefaultCharset UTF-8
+    AddEncoding x-gzip gz
+  </FilesMatch>
+  <FilesMatch \.css\.gz$>
+    ForceType text/css
+    AddDefaultCharset UTF-8
+    AddEncoding x-gzip gz
+  </FilesMatch>
+  <FilesMatch \.js\.gz$>
+    ForceType text/javascript
+    AddDefaultCharset UTF-8
+    AddEncoding x-gzip gz
+  </FilesMatch>
+  <FilesMatch \.ttf\.gz$>
+    ForceType application/x-font-ttf
+    AddEncoding x-gzip gz
+  </FilesMatch>
+  <FilesMatch \.svg\.gz$>
+    ForceType image/svg+xml
+    AddEncoding x-gzip gz
+  </FilesMatch>
+  <FilesMatch \.json\.gz$>
+    ForceType application/json
+    AddEncoding x-gzip gz
+  </FilesMatch>
+  <FilesMatch \.css$>
+    # mod_mime_magic is sometimes passing css files as asm sources
+    # e.g css files generated by coverage reports
+    ForceType text/css
+  </FilesMatch>
+  <Directory <%= @docroot %>>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Order allow,deny
+    allow from all
+    Satisfy Any
+    ExpiresActive On
+    # Data in the logs server is static once generated by a job
+    ExpiresDefault "access plus 2 weeks"
+  </Directory>
+  <Directory /usr/local/lib/python2.7/dist-packages/os_loganalyze>
+    Allow from all
+    Satisfy Any
+  </Directory>
+
+  <Directory /srv/static/logs/*/*/*/*/*-tempest-dsvm*/*>
+    ReadmeName /help/tempest-overview.html
+  </Directory>
+  <Directory /srv/static/logs/periodic*/*/*-tempest-dsvm*/*>
+    ReadmeName /help/tempest-overview.html
+  </Directory>
+  <Directory /srv/static/logs/*/*/*/*/*-tempest-dsvm*/*/logs/>
+    ReadmeName /help/tempest-logs.html
+  </Directory>
+  <Directory /srv/static/logs/periodic*/*/*-tempest-dsvm*/*/logs/>
+    ReadmeName /help/tempest-logs.html
+  </Directory>
+  <Directory /srv/static/logs/*/*/*/*/*tripleo-ci-*/*/logs/>
+    ReadmeName /help/tripleo-quickstart-logs.html
+  </Directory>
+
+  <Directory <%= @docroot %>/periodic*/*>
+     IndexOrderDefault Descending Date
+  </Directory>
+
+  RewriteEngine On
+  <Directory "/usr/local/bin">
+    <Files "ara-wsgi-sqlite">
+      Allow from all
+      Satisfy Any
+    </Files>
+  </Directory>
+  # ARA sqlite middleware configuration
+  # See docs for details: https://ara.readthedocs.io/en/latest/advanced.html
+  SetEnv ARA_WSGI_TMPDIR_MAX_AGE 3600
+  SetEnv ARA_WSGI_LOG_ROOT /srv/static/logs
+  SetEnv ARA_WSGI_DATABASE_DIRECTORY ara-report
+
+  # Redirect .*/ara-report to the ARA sqlite wsgi middleware
+  # This middleware automatically loads the ARA web application with the
+  # database located at .*/ara-report/ansible.sqlite.
+  # If we get a request directly to the database file, don't load the middleware
+  # so that users can download the raw database if they wish.
+  WSGIScriptAliasMatch ^.*/ara-report(?!/ansible.sqlite) /usr/local/bin/ara-wsgi-sqlite
+
+  # Everything beyond this point is rewritten to htmlify.
+  # Make sure we don't do that for dynamic ARA reports.
+  RewriteCond %{REQUEST_URI} ^.*/ara-report [NC]
+  RewriteRule .* - [L]
+
+  # If the specified file does not exist, look if there is a gzipped version
+  # If there is, serve that one instead
+  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
+  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.gz -f
+  RewriteRule ^/(.*)$ %{REQUEST_URI}.gz
+
+  # rewrite (txt|log).gz & console.html[.gz] files to map to our
+  # internal htmlify wsgi app
+  # PT, Pass-through:  to come back around and get picked up by the
+  #                    WSGIScriptAlias
+  # NS, No-subrequest: on coming back through, mod-autoindex may have added
+  #                    index.html which would match the !-f condition. We
+  #                    therefore ensure the rewrite doesn't trigger by
+  #                    disallowing subrequests.
+  RewriteRule ^/(.*\.(txt|log)\.gz)$ /htmlify/$1 [QSA,L,PT,NS]
+  RewriteRule ^/(.*console\.html(\.gz)?)$ /htmlify/$1 [QSA,L,PT,NS]
+
+  # Check if the request exists as a file, directory or symbolic link
+  # If not, write the request to htmlify to see if we can fetch from swift
+  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
+  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
+  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-l
+  RewriteCond %{REQUEST_FILENAME} !^/icon
+  RewriteRule ^/(.*)$ /htmlify/$1 [QSA,L,PT,NS]
+
+  WSGIScriptAlias /htmlify /usr/local/lib/python2.7/dist-packages/os_loganalyze/wsgi.py
+
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_ssl_error.log
+  LogLevel warn
+  CustomLog /var/log/apache2/<%= @vhost_name %>_ssl_access.log combined
+  ServerSignature Off
+</VirtualHost>