opendev/system-config
Code Issues Proposed changes

Remove files02.openstack.org and related puppet

Browse Source 
All this has moved to static.opendev.org; the server can now be
removed.

Change-Id: I8ca5d7a206e950c28bb8372a85b6a62d6b9ba00c
This commit is contained in:
Ian Wienand 2020-02-25 11:04:32 +11:00
parent 8171dc437c
commit f55580fbf0
12 changed files with 0 additions and 895 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
inventory/groups.yaml
View File

@ -6,7 +6,6 @@ groups:
- review-dev[0-9]*.open*.org - review-dev[0-9]*.open*.org
- mirror[0-9]*.open*.org - mirror[0-9]*.open*.org
- mirror-update[0-9]*.opendev.org - mirror-update[0-9]*.opendev.org
- files[0-9]*.open*.org
- ze[0-9]*.open*.org - ze[0-9]*.open*.org
- afsdb*.open*.org - afsdb*.open*.org
- afs[0-9]*.open*.org - afs[0-9]*.open*.org
@ -45,7 +44,6 @@ groups:
ethercalc: ethercalc*.open*.org ethercalc: ethercalc*.open*.org
etherpad: etherpad[0-9]*.open*.org etherpad: etherpad[0-9]*.open*.org
etherpad-dev: etherpad-dev[0-9]*.open*.org etherpad-dev: etherpad-dev[0-9]*.open*.org
files: files[0-9]*.open*.org
firehose: firehose[0-9]*.open*.org firehose: firehose[0-9]*.open*.org
gerrit: gerrit:
- review-dev[0-9]*.open*.org - review-dev[0-9]*.open*.org
@ -124,7 +122,6 @@ groups:
- ethercalc[0-9]*.open*.org - ethercalc[0-9]*.open*.org
- etherpad-dev[0-9]*.open*.org - etherpad-dev[0-9]*.open*.org
- etherpad[0-9]*.open*.org - etherpad[0-9]*.open*.org
- files[0-9]*.open*.org
- firehose[0-9]*.open*.org - firehose[0-9]*.open*.org
- grafana[0-9]*.open*.org - grafana[0-9]*.open*.org
- graphite*.open*.org - graphite*.open*.org
@ -171,7 +168,6 @@ groups:
- ethercalc[0-9]*.open*.org - ethercalc[0-9]*.open*.org
- etherpad[0-9]*.open*.org - etherpad[0-9]*.open*.org
- etherpad-dev[0-9]*.open*.org - etherpad-dev[0-9]*.open*.org
- files[0-9]*.open*.org
- firehose[0-9]*.open*.org - firehose[0-9]*.open*.org
- grafana[0-9]*.open*.org - grafana[0-9]*.open*.org
- graphite[0-9]*.open*.org - graphite[0-9]*.open*.org
@ -242,7 +238,6 @@ groups:
- ethercalc[0-9]*.open*.org - ethercalc[0-9]*.open*.org
- etherpad-dev[0-9]*.open*.org - etherpad-dev[0-9]*.open*.org
- etherpad[0-9]*.open*.org - etherpad[0-9]*.open*.org
- files[0-9]*.open*.org
- grafana[0-9]*.open*.org - grafana[0-9]*.open*.org
- graphite*.open*.org - graphite*.open*.org
- health[0-9]*.openstack.org - health[0-9]*.openstack.org

7
inventory/openstack.yaml
View File

@ -154,13 +154,6 @@ all:
region_name: DFW region_name: DFW
public_v4: 23.253.238.66 public_v4: 23.253.238.66
public_v6: 2001:4800:7817:104:be76:4eff:fe04:8f0c public_v6: 2001:4800:7817:104:be76:4eff:fe04:8f0c
files02.openstack.org:
ansible_host: 2001:4800:7817:103:be76:4eff:fe04:e3e3
location:
cloud: openstackci-rax
region_name: DFW
public_v4: 23.253.125.17
public_v6: 2001:4800:7817:103:be76:4eff:fe04:e3e3
firehose01.openstack.org: firehose01.openstack.org:
ansible_host: 2001:4800:7818:103:be76:4eff:fe04:40aa ansible_host: 2001:4800:7818:103:be76:4eff:fe04:40aa
location: location:

83
manifests/site.pp
View File

@ -336,89 +336,6 @@ node /^mirror\d*\..*\.open.*\.org$/ {
} }
} }
# Serve static AFS content for docs and other sites.
# Node-OS: xenial
node /^files\d*\.open.*\.org$/ {
$group = "files"
class { 'openstack_project::server':
afs => true,
afs_cache_size => 10000000, # 10GB
}
class { 'openstack_project::files':
vhost_name => 'files.openstack.org',
developer_cert_file_contents => hiera('developer_cert_file_contents'),
developer_key_file_contents => hiera('developer_key_file_contents'),
developer_chain_file_contents => hiera('developer_chain_file_contents'),
docs_cert_file_contents => hiera('docs_cert_file_contents'),
docs_key_file_contents => hiera('docs_key_file_contents'),
docs_chain_file_contents => hiera('docs_chain_file_contents'),
git_airship_cert_file_contents => hiera('git_airship_cert_file_contents'),
git_airship_key_file_contents => hiera('git_airship_key_file_contents'),
git_airship_chain_file_contents => hiera('git_airship_chain_file_contents'),
git_openstack_cert_file_contents => hiera('git_openstack_cert_file_contents'),
git_openstack_key_file_contents => hiera('git_openstack_key_file_contents'),
git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
require => Class['Openstack_project::Server'],
}
# Temporary for evaluating htaccess rules
::httpd::vhost { "git-test.openstack.org":
port => 80, # Is required despite not being used.
docroot => "/afs/openstack.org/project/git-test/www",
priority => '50',
template => 'openstack_project/git-test.vhost.erb',
}
openstack_project::website { 'docs.starlingx.io':
volume_name => 'starlingx.io',
aliases => [],
ssl_cert => hiera('docs_starlingx_io_ssl_cert'),
ssl_key => hiera('docs_starlingx_io_ssl_key'),
ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),
require => Class['openstack_project::files'],
}
openstack_project::website { 'docs.opendev.org':
aliases => [],
docroot => "/afs/openstack.org/project/opendev.org/docs",
ssl_cert => hiera('docs_opendev_ssl_cert'),
ssl_key => hiera('docs_opendev_ssl_key'),
ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),
require => Class['openstack_project::files'],
}
openstack_project::website { 'tarballs.opendev.org':
aliases => [],
docroot => "/afs/openstack.org/project/opendev.org/tarballs",
ssl_cert_file => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',
ssl_key_file => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',
ssl_chain_file => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',
require => Class['openstack_project::files'],
}
openstack_project::website { 'zuul-ci.org':
aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
ssl_cert_file => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
ssl_key_file => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
ssl_chain_file => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
require => Class['openstack_project::files'],
}
openstack_project::website { 'git.zuul-ci.org':
docroot => "/var/www/git-redirect",
allow_override_list => "Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule",
ssl_cert_file => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.cer',
ssl_key_file => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.key',
ssl_chain_file => '/etc/letsencrypt-certs/git.zuul-ci.org/ca.cer',
require => Class['openstack_project::files'],
}
}
# Node-OS: trusty # Node-OS: trusty
# Node-OS: xenial # Node-OS: xenial
node /^refstack\d*\.open.*\.org$/ { node /^refstack\d*\.open.*\.org$/ {

23
modules/openstack_project/files/files/mpm_worker.conf
View File

@ -1,23 +0,0 @@
# Managed by puppet
# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
# graceful restart. ThreadLimit can only be changed by stopping
# and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of threads
# MaxConnectionsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 400
MaxConnectionsPerChild 0
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

186
modules/openstack_project/files/git-redirect.htaccess
View File

@ -1,186 +0,0 @@
# Unescape any slashes in the branch portion of the query string so
# that we don't have to worry about whether or not they are encoded
# later. This is a recursive rule to handle multiple slashes.
RewriteCond %{QUERY_STRING} "^(.*)h=([^&]+)%2F([^&]+)(.*)$"
RewriteRule "^(.*)$" "/$1?%1h=%2/%3%4" [N]
# Map whitelabeled project git sites with repository prefixes
RewriteCond %{HTTP_HOST} ^git\.airshipit\.org$ [NC]
RewriteRule "^(cgit/|)airship-(.*)$" "$1airship/$2" [L]
RewriteCond %{HTTP_HOST} ^git\.starlingx\.io$ [NC]
RewriteRule "^(cgit/|)stx-(.*)$" "$1starlingx/$2" [L]
RewriteCond %{HTTP_HOST} ^git\.zuul-ci\.org$ [NC]
RewriteRule "^(cgit/|)((nodepool|zuul).*)$" "$1zuul/$2" [L]
###################################
# summary
# ignore all args
RewriteRule "^cgit/([^/]+)/([^/]+)/?$" "https://opendev.org/$1/$2/" [L,QSD]
###################################
# refs tab -> branches tab
# ignore all args
# The cgit refs tab shows tags+branches, the branches tab in gitea is
# the closest linkable url
RewriteRule "^cgit/([^/]+)/([^/]+)/refs/?" "https://opendev.org/$1/$2/branches" [L,QSD]
###################################
# log tab (with file) -> commits tab
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
#####################################################
# tree tab (with file) -> tree tab
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
# h=
# we have a commit pointed for a head
RewriteCond %{QUERY_STRING} h=([0-9a-f]{40})
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
#####################################################
# plain link without file -> tree tab
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
# h=
# we have a commit pointed for a head
RewriteCond %{QUERY_STRING} h=([0-9a-f]{40})
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
#####################################################
# plain link (with file) -> raw
# same as tree
# id=
# h=&id= (id)
# if there's a commit, it takes precedence
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/commit/%1/$3" [L,QSD]
# h=
# we have a commit pointed for a head
RewriteCond %{QUERY_STRING} h=([0-9a-f]{40})
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)$" "https://opendev.org/$1/$2/raw/commit/%1/$3" [L,QSD]
# h=
# if there's no commit, but a branch:
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/%1/$3" [L,QSD]
# if there's no args:
RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/master/$3" [L,QSD]
######################
# commit tab (with file) -> commit screen (without file)
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
# we have a commit pointed for a head
RewriteCond %{QUERY_STRING} h=([0-9a-f]{40})
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
# The commit tab in cgit will show the branch-tip commit in this case.
# There is not a comprable page in gitea, so we redirect to the branch
# log (which has the branch-tip commit at the top of the list). We
# include the file if it's there to further restrict the list of
# commits
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
# Same, but with master branch
RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
######################
# diff (with file) -> commit screen (without file)
# Gitea doesn't handle arbitrary diffs, so just show the commit page for id.
# We do the same thing as for the commit tab.
# id=&id2=
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
# we have a commit pointed for a head
RewriteCond %{QUERY_STRING} h=([0-9a-f]{40})
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
######################
# patch (with file)
# Gitea doesn't handle generating patch files, so just show the commit page.
# We do the same thing as for the commit tab.
# id=
# id=&h=
RewriteCond %{QUERY_STRING} id=([\w]+)
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
# we have a commit pointed for a head
RewriteCond %{QUERY_STRING} h=([0-9a-f]{40})
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
# h=
RewriteCond %{QUERY_STRING} h=([\w/]+)
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
# no args
RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
#####################
# tag
# Gitea doesn't have a dedicated tag page, but if you click a tag in
# gitea, it takes you to the source tree view for that tag, which has
# the tagged commit at the top of the table.
RewriteCond %{QUERY_STRING} h=([\w/\.]+)
RewriteRule "^cgit/(.*?)/(.*?)/tag/?" "https://opendev.org/$1/$2/src/tag/%1" [L,QSD]
#####################
# Any other unknown cgit url, redirect to /
RewriteRule "^cgit" "https://opendev.org/" [L,QSD]
#####################
# Non cgit URLs
RewriteRule "^(.*)$" "https://opendev.org/$1" [L]

307
modules/openstack_project/manifests/files.pp
View File

@ -1,307 +0,0 @@
# == Class: openstack_project::files
#
class openstack_project::files (
$vhost_name = $::fqdn,
$developer_cert_file_contents,
$developer_key_file_contents,
$developer_chain_file_contents,
$docs_cert_file_contents,
$docs_key_file_contents,
$docs_chain_file_contents,
$git_airship_cert_file_contents,
$git_airship_key_file_contents,
$git_airship_chain_file_contents,
$git_openstack_cert_file_contents,
$git_openstack_key_file_contents,
$git_openstack_chain_file_contents,
$git_starlingx_cert_file_contents,
$git_starlingx_key_file_contents,
$git_starlingx_chain_file_contents,
) {
$afs_root = '/afs/openstack.org/'
$www_base = '/var/www'
#####################################################
# Build Apache Webroot
file { "${www_base}":
ensure => directory,
owner => root,
group => root,
}
file { "${www_base}/robots.txt":
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/disallow_robots.txt',
require => File["${www_base}"],
}
#####################################################
# Git Redirects Webroot
file { "${www_base}/git-redirect":
ensure => directory,
owner => root,
group => root,
require => File["${www_base}"],
}
file { "${www_base}/git-redirect/.htaccess":
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/git-redirect.htaccess',
require => File["${www_base}/git-redirect"],
}
#####################################################
# Set up directories needed by HTTPS certs/keys
file { '/etc/ssl/certs':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700',
}
#####################################################
# Build VHost
include ::httpd
::httpd::vhost { $vhost_name:
port => 80,
priority => '50',
docroot => "${afs_root}",
template => 'openstack_project/files.vhost.erb',
require => [
File["${www_base}"],
]
}
httpd_mod { 'rewrite':
ensure => present,
before => Service['httpd'],
}
class { '::httpd::logrotate':
options => [
'daily',
'missingok',
'rotate 7',
'compress',
'delaycompress',
'notifempty',
'create 640 root adm',
],
}
# Until Apache 2.4.24 the event MPM has some issues scalability
# bottlenecks that were seen to drop connections, especially on
# larger files; see
# https://httpd.apache.org/docs/2.4/mod/event.html
#
# The main advantage of event MPM is for keep-alive requests which
# are not really a big issue on this static file server. Therefore
# we switch to the threaded worker MPM as a workaround. This can be
# reconsidered when the apache version running is sufficient to
# avoid these problems.
httpd::mod { 'mpm_event': ensure => 'absent' }
httpd::mod { 'mpm_worker': ensure => 'present' }
file { '/etc/apache2/mods-available/mpm_worker.conf':
ensure => file,
source => 'puppet:///modules/openstack_project/files/mpm_worker.conf',
notify => Service['httpd'],
}
###########################################################
# docs.openstack.org
::httpd::vhost { 'docs.openstack.org':
port => 443, # Is required despite not being used.
docroot => "${afs_root}docs",
priority => '50',
template => 'openstack_project/docs.vhost.erb',
}
file { '/etc/ssl/certs/docs.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $docs_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/docs.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $docs_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/docs.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $docs_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/docs.openstack.org.pem'],
}
###########################################################
# developer.openstack.org
::httpd::vhost { 'developer.openstack.org':
port => 443, # Is required despite not being used.
docroot => "${afs_root}developer-docs",
priority => '50',
template => 'openstack_project/developer.vhost.erb',
}
file { '/etc/ssl/certs/developer.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $developer_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/developer.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $developer_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/developer.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $developer_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/developer.openstack.org.pem'],
}
###########################################################
# git.airshipit.org
::httpd::vhost { 'git.airshipit.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.airshipit.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_airship_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.airshipit.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_airship_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.airshipit.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_airship_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.airshipit.org.pem'],
}
###########################################################
# git.openstack.org
::httpd::vhost { 'git.openstack.org':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_openstack_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_openstack_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_openstack_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.openstack.org.pem'],
}
###########################################################
# git.starlingx.io
::httpd::vhost { 'git.starlingx.io':
port => 443, # Is required despite not being used.
docroot => "${www_base}/git-redirect",
priority => '50',
template => 'openstack_project/git-redirect.vhost.erb',
require => File["${www_base}/git-redirect"],
}
file { '/etc/ssl/certs/git.starlingx.io.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_starlingx_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/git.starlingx.io.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $git_starlingx_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/git.starlingx.io_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $git_starlingx_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/git.starlingx.io.pem'],
}
}

59
modules/openstack_project/templates/developer.vhost.erb
View File

@ -1,59 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
RewriteEngine on
RewriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
RewriteEngine on
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/developer.openstack.org.pem
SSLCertificateKeyFile /etc/ssl/private/developer.openstack.org.key
SSLCertificateChainFile /etc/ssl/certs/developer.openstack.org_intermediate.pem
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
Satisfy any
Require all granted
# Allow mod_rewrite rules
AllowOverride FileInfo
ErrorDocument 404 /errorpage.html
</Directory>
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>

60
modules/openstack_project/templates/docs.vhost.erb
View File

@ -1,60 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
RewriteEngine on
RewriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
RewriteEngine on
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/docs.openstack.org.pem
SSLCertificateKeyFile /etc/ssl/private/docs.openstack.org.key
SSLCertificateChainFile /etc/ssl/certs/docs.openstack.org_intermediate.pem
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
Satisfy any
Require all granted
AllowOverride None
# Allow mod_rewrite rules
AllowOverrideList Redirect RedirectMatch
ErrorDocument 404 /errorpage.html
</Directory>
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>

32
modules/openstack_project/templates/files.vhost.erb
View File

@ -1,32 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
NameVirtualHost <%= @vhost_name %>:<%= @port %>
<VirtualHost <%= @vhost_name %>:<%= @port %>>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
Satisfy any
Require all granted
</Directory>
Alias /robots.txt /var/www/robots.txt
<Directory "/var/www/robots.txt">
Require all granted
</Directory>
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
AddType text/plain .log .log.1
</VirtualHost>

49
modules/openstack_project/templates/git-redirect.vhost.erb
View File

@ -1,49 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @srvname %>
RewriteEngine On
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @srvname %>_error.log
CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @srvname %>
RewriteEngine On
DocumentRoot <%= @docroot %>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/<%= @srvname %>.pem
SSLCertificateKeyFile /etc/ssl/private/<%= @srvname %>.key
SSLCertificateChainFile /etc/ssl/certs/<%= @srvname %>_intermediate.pem
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @srvname %>_error.log
CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>

24
modules/openstack_project/templates/git-test.vhost.erb
View File

@ -1,24 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @srvname %>
RewriteEngine on
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
Satisfy any
Require all granted
AllowOverride None
# Allow mod_rewrite rules
AllowOverrideList Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule
ErrorDocument 404 /errorpage.html
</Directory>
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>

60
modules/openstack_project/templates/website.vhost.erb
View File

@ -1,60 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @name %>
<% if @aliases.is_a? Array -%>
<% @aliases.each do |alias_name| -%><%= " ServerAlias #{alias_name}\n" %><% end -%>
<% elsif @aliases != nil -%>
<%= " ServerAlias #{@aliases}" -%>
<% end -%>
RewriteEngine on
RewriteRule ^/(.*) https://<%= @name %>/$1 [last,redirect=permanent]
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @name %>
<% if @aliases.is_a? Array -%>
<% @aliases.each do |alias_name| -%><%= " ServerAlias #{alias_name}\n" %><% end -%>
<% elsif @aliases != nil -%>
<%= " ServerAlias #{@aliases}" -%>
<% end -%>
RewriteEngine on
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile <%= @ssl_cert_file_ %>
SSLCertificateKeyFile <%= @ssl_key_file_ %>
SSLCertificateChainFile <%= @ssl_chain_file_ %>
DocumentRoot <%= @docroot_ %>
<Directory <%= @docroot_ %>>
Options Indexes FollowSymLinks MultiViews
Satisfy any
Require all granted
AllowOverride None
# Allow mod_rewrite rules
AllowOverrideList <%= @allow_override_list_ %>
ErrorDocument 404 /errorpage.html
</Directory>
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>