Set MaxConnectionsPerChild 8192 for Gitea backends

When we added Apache as a filtering proxy on our Gitea backends in
order to more easily mitigate resource starvation, we did not set
any tuning to tell it when to recycle worker processes. As a result,
backends may continue serving requests with workers which pre-date
certificate rotation. This problem has also become more broadly
prevalent throughout our services with the introduction of Let's
Encrypt's 3-month certificate expirations as compared to our
previous 2-year certificates.

Add the same MaxConnectionsPerChild tuning to our Gitea backend
proxies as we use for our static sites and mirror servers.

Change-Id: I77d89385178a30f7dc5d04bedd0ab3772865c09f

playbooks/roles/gitea/files/apache-connection-tuning

@@ -0,0 +1,14 @@
+# worker MPM
+# MaxConnectionsPerChild: maximum number of requests a server process serves
+#
+# We've noticed that our mirrors occasionally have stale workers. This leads
+# to ssl certs not being refreshed properly after reload and we've also seen
+# ssl connections to round robin backend services have trouble. Restarting
+# the workers so that they load up new info seems to fix this. Try and force
+# that to happen regularly with a connections limit per worker.
+<IfModule mpm_worker_module>
+    MaxConnectionsPerChild 8192
+</IfModule>
+<IfModule mpm_event_module>
+    MaxConnectionsPerChild 8192
+</IfModule>

playbooks/roles/gitea/handlers/main.yaml

@@ -2,3 +2,8 @@
   service:
     name: apache2
     state: reloaded
+
+- name: gitea Restart apache2
+  service:
+    name: apache2
+    state: restarted

playbooks/roles/gitea/tasks/proxy.yaml

@@ -24,3 +24,12 @@
     group: root
     mode: 0644
   notify: gitea Reload apache2
+
+- name: Copy apache tuning
+  copy:
+    src: apache-connection-tuning
+    dest: /etc/apache2/conf-enabled/connection-tuning.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: gitea Restart apache2