diff --git a/.zuul.yaml b/.zuul.yaml
index d78e7a0c83..a87167d940 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -1069,6 +1069,35 @@
- playbooks/roles/gerrit/
- testinfra/test_gerrit.py
+- job:
+ name: system-config-run-static
+ parent: system-config-run
+ description: |
+ Run the playbook for a static node
+ nodeset:
+ nodes:
+ - name: bridge.openstack.org
+ label: ubuntu-bionic
+ - name: static01.opendev.org
+ label: ubuntu-bionic
+ vars:
+ run_playbooks:
+ - playbooks/service-letsencrypt.yaml
+ - playbooks/service-static.yaml
+ files:
+ - playbooks/bridge.yaml
+ - playbooks/roles/static/
+ - playbooks/roles/letsencrypt.*
+ - playbooks/service-letsencrypt.yaml
+ - playbooks/service-static.yaml
+ - testinfra/test_static.py
+ host-vars:
+ static01.opendev.org:
+ host_copy_output:
+ '/var/log/acme.sh/': logs
+ '/etc/apache2/': logs
+ '/var/log/apache2/': logs
+
- job:
name: infra-prod-playbook
description: |
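Review bot: The `description` of system-config-run-static at the top of this hunk says only "Run the playbook for a static node", while `run_playbooks` lists both `playbooks/service-letsencrypt.yaml` and `playbooks/service-static.yaml`, so a reader of the job listing would not see that certificate issuance is part of the job. Suggest `Run the letsencrypt and static playbooks against a static node`. The `files` entry `playbooks/roles/letsencrypt.*` is a regex in Zuul, so it also matches `playbooks/roles/letsencrypt-create-certs/`, which appears to be the intent given the handlers changed in this commit. The enclosing job list continues outside the hunk.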
@@ -1119,6 +1148,7 @@
- system-config-run-nodepool
- system-config-run-mirror-x86
- system-config-run-mirror-update
+ - system-config-run-static
- system-config-run-docker-registry
- system-config-run-gitea:
dependencies:
@@ -1188,6 +1218,7 @@
- system-config-run-nodepool
- system-config-run-mirror-x86
- system-config-run-mirror-update
+ - system-config-run-static
- system-config-run-docker-registry
- system-config-run-gitea:
dependencies:
diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index b818c60c60..ba5bc1d236 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -10,6 +10,7 @@ groups:
- ze[0-9]*.open*.org
- afsdb*.open*.org
- afs[0-9]*.open*.org
+ - static[0-9]*.opendev.org
afsadmin: mirror-update[0-9]*.openstack.org
afsdb: afsdb[0-9]*.open*.org
ask: ask*.open*.org
@@ -69,6 +70,7 @@ groups:
- mirror[0-9]*.opendev.org
- files[0-9]*.open*.org
- static.openstack.org
+ - static[0-9]*.opendev.org
- gitea[0-9]*.opendev.org
- zuul[0-9]*.open*.org
logstash:
@@ -137,7 +139,7 @@ groups:
- planet[0-9]*.open*.org
- refstack*.open*.org
- review[0-9]*.open*.org
- - static*.open*.org
+ - static*.openstack.org
- status*.open*.org
- storyboard-dev[0-9]*.opendev.org
- storyboard[0-9]*.opendev.org
@@ -185,7 +187,7 @@ groups:
- planet[0-9]*.open*.org
- refstack*.open*.org
- review[0-9]*.open*.org
- - static*.open*.org
+ - static*.openstack.org
- status*.open*.org
- storyboard[0-9]*.opendev.org
- storyboard-dev[0-9]*.opendev.org
@@ -208,7 +210,11 @@ groups:
review:
- review[0-9]*.open*.org
static:
- - static*.open*.org
+ - static*.openstack.org
+ # NOTE(ianw): 2019-12 : rename below when static.openstack.org is
+ # gone
+ static_opendev:
+ - static[0-9]*.opendev.org
status:
- status*.open*.org
storyboard:
diff --git a/playbooks/host_vars/static01.opendev.org.yaml b/playbooks/host_vars/static01.opendev.org.yaml
new file mode 100644
index 0000000000..6d3e987ab5
--- /dev/null
+++ b/playbooks/host_vars/static01.opendev.org.yaml
@@ -0,0 +1,7 @@
+ansible_python_interpreter: python3
+letsencrypt_certs:
+ static01-governance-openstack-org:
+ - governance.openstack.org
+ static01-security-openstack-org:
+ - security.openstack.org
+
diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
index a6809d053f..6bb8f6312c 100644
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@@ -34,6 +34,13 @@
- name: letsencrypt updated insecure-ci-registry01-main
include_tasks: roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
+# Static
+- name: letsencrypt updated static01-governance-openstack-org
+ include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated static01-security-openstack-org
+ include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
# Mirrors
- name: letsencrypt updated mirror01-dfw-rax-main
diff --git a/playbooks/roles/static/README.rst b/playbooks/roles/static/README.rst
new file mode 100644
index 0000000000..8885ea79a8
--- /dev/null
+++ b/playbooks/roles/static/README.rst
@@ -0,0 +1,6 @@
+Configure an static webserver
+
+This role installs and configures a static webserver to serve content
+published in AFS
+
+**Role Variables**
diff --git a/playbooks/roles/static/files/50-governance.openstack.org.conf b/playbooks/roles/static/files/50-governance.openstack.org.conf
new file mode 100755
index 0000000000..50767247d4
--- /dev/null
+++ b/playbooks/roles/static/files/50-governance.openstack.org.conf
@@ -0,0 +1,95 @@
+Define AFS_ROOT /afs/openstack.org/project/governance.openstack.org
+
+
+ ServerName governance.openstack.org
+ RewriteEngine On
+ RewriteRule ^/(.*) https://governance.openstack.org/$1 [last,redirect=permanent]
+ LogLevel warn
+ ErrorLog /var/log/apache2/governance.openstack.org_error.log
+ CustomLog /var/log/apache2/governance.openstack.org_access.log combined
+ ServerSignature Off
+
+
+
+
+
+ ServerName governance.openstack.org
+
+ DocumentRoot ${AFS_ROOT}
+
+ SSLCertificateFile /etc/letsencrypt-certs/governance.openstack.org/governance.openstack.org.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/governance.openstack.org/governance.openstack.org.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/governance.openstack.org/ca.cer
+ SSLProtocol All -SSLv2 -SSLv3
+ # Note: this list should ensure ciphers that provide forward secrecy
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+
+ # Alias other folders
+ Alias "/election/" "${AFS_ROOT}/election/"
+ Alias "/sigs/" "${AFS_ROOT}/sigs/"
+ Alias "/tc/" "${AFS_ROOT}/tc/"
+ Alias "/uc/" "${AFS_ROOT}/uc/"
+ # keep last
+ Alias "/" "${AFS_ROOT}/governance/"
+
+ # Set up redirects
+ Redirect "/badges/" "/tc/badges/"
+ Redirect "/goals/" "/tc/goals/"
+ Redirect "/reference/" "/tc/reference/"
+ Redirect "/resolutions/" "/tc/resolutions/"
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Satisfy Any
+ Require all granted
+
+ Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
+ Header set Pragma "no-cache"
+
+ ErrorDocument 404 /badges/project-unofficial.svg
+
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/governance.openstack.org_error.log
+ CustomLog /var/log/apache2/governance.openstack.org_access.log combined
+ ServerSignature Off
+
+
+
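Review bot: `SSLProtocol All -SSLv2 -SSLv3` in the HTTPS vhost of this file (and the identical line in 50-security.openstack.org.conf) still allows TLS 1.0 and 1.1, which the forward-secrecy cipher list cannot compensate for; if the site's clients permit it, `SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` would leave only TLS 1.2 and later. `Satisfy Any` next to `Require all granted` in each directory block is an Apache 2.2-era directive that only works when mod_access_compat is loaded and is redundant with the 2.4 `Require` form, so the `Satisfy` lines could be dropped. The `<VirtualHost>` and `<Directory>` container lines do not appear in this view of the hunk (the blank `+` lines at the block boundaries), so which path each directory block covers cannot be checked here.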
diff --git a/playbooks/roles/static/files/50-security.openstack.org.conf b/playbooks/roles/static/files/50-security.openstack.org.conf
new file mode 100755
index 0000000000..2805d6632b
--- /dev/null
+++ b/playbooks/roles/static/files/50-security.openstack.org.conf
@@ -0,0 +1,41 @@
+Define AFS_ROOT /afs/openstack.org/project/security.openstack.org
+
+
+ ServerName security.openstack.org
+ RewriteEngine On
+ RewriteRule ^/(.*) https://security.openstack.org/$1 [last,redirect=permanent]
+ LogLevel warn
+ ErrorLog /var/log/apache2/security.openstack.org_error.log
+ CustomLog /var/log/apache2/security.openstack.org_access.log combined
+ ServerSignature Off
+
+
+
+
+
+ ServerName security.openstack.org
+
+ DocumentRoot ${AFS_ROOT}
+
+ SSLCertificateFile /etc/letsencrypt-certs/security.openstack.org/security.openstack.org.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/security.openstack.org/security.openstack.org.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/security.openstack.org/ca.cer
+ SSLProtocol All -SSLv2 -SSLv3
+ # Note: this list should ensure ciphers that provide forward secrecy
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/security.openstack.org_error.log
+ CustomLog /var/log/apache2/security.openstack.org_access.log combined
+ ServerSignature Off
+
+
+
diff --git a/playbooks/roles/static/handlers/main.yaml b/playbooks/roles/static/handlers/main.yaml
new file mode 100644
index 0000000000..4c5855ec0f
--- /dev/null
+++ b/playbooks/roles/static/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: Reload apache2
+ service:
+ name: apache2
+ state: reloaded
\ No newline at end of file
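Review bot: The new handlers file ends without a trailing newline (`\ No newline at end of file` after `state: reloaded`); add one so yamllint's `new-line-at-end-of-file` check passes and later additions to this file do not show a spurious change on this line. The handler itself looks correct, and its `apache2` service name matches the package installed by the role's tasks.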
diff --git a/playbooks/roles/static/tasks/main.yaml b/playbooks/roles/static/tasks/main.yaml
new file mode 100644
index 0000000000..2d49faf4ac
--- /dev/null
+++ b/playbooks/roles/static/tasks/main.yaml
@@ -0,0 +1,88 @@
+- name: Check AFS mounted
+ stat:
+ path: "/afs/openstack.org/project"
+ register: afs_root
+
+- name: Sanity check AFS
+ assert:
+ that:
+ - afs_root.stat.exists
+
+- name: Install apache2
+ apt:
+ name:
+ - apache2
+ - apache2-utils
+ state: present
+
+- name: Rewrite module
+ apache2_module:
+ state: present
+ name: rewrite
+
+- name: Substitute module
+ apache2_module:
+ state: present
+ name: substitute
+
+- name: Cache module
+ apache2_module:
+ state: present
+ name: cache
+
+- name: Cache disk module
+ apache2_module:
+ state: present
+ name: cache_disk
+
+- name: Apache macro module
+ apache2_module:
+ state: present
+ name: macro
+
+- name: Apache 2 ssl module
+ apache2_module:
+ state: present
+ name: ssl
+
+- name: Apache 2 headers module
+ apache2_module:
+ state: present
+ name: headers
+
+- name: Make sure default site disabled
+ command: a2dissite 000-default.conf
+ args:
+ removes: /etc/apache2/sites-enabled/000-default.conf
+
+# governance.openstack.org
+- name: Install governance.openstack.org
+ copy:
+ src: 50-governance.openstack.org.conf
+ dest: /etc/apache2/sites-available/
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable governance.openstack.org
+ command: a2ensite 50-governance.openstack.org
+ args:
+ creates: /etc/apache2/sites-enabled/50-governance.openstack.org
+ notify:
+ - Reload apache2
+
+# security.openstack.org
+- name: Install security.openstack.org
+ copy:
+ src: 50-security.openstack.org.conf
+ dest: /etc/apache2/sites-available/
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable security.openstack.org
+ command: a2ensite 50-security.openstack.org
+ args:
+ creates: /etc/apache2/sites-enabled/50-security.openstack.org
+ notify:
+ - Reload apache2
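Review bot: The two `copy` tasks that install `50-governance.openstack.org.conf` and `50-security.openstack.org.conf` do not `notify` the reload handler, so a later change to either site file is written to `sites-available/` but not picked up until something else reloads Apache; add `notify:` / `  - Reload apache2` to both copy tasks. The `a2ensite` tasks use `creates: /etc/apache2/sites-enabled/50-governance.openstack.org` (and the security equivalent) without the `.conf` suffix that a2ensite gives the symlink on Debian/Ubuntu — compare the `a2dissite` task's `removes: /etc/apache2/sites-enabled/000-default.conf` — so if that is the case the guard never matches, the command reports changed on every run and reloads Apache each time; `creates: /etc/apache2/sites-enabled/50-governance.openstack.org.conf` fixes it. `mode: 0644` is accepted by Ansible as octal, but ansible-lint prefers the quoted form `mode: '0644'`.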
diff --git a/playbooks/service-static.yaml b/playbooks/service-static.yaml
new file mode 100644
index 0000000000..a1274ca7b6
--- /dev/null
+++ b/playbooks/service-static.yaml
@@ -0,0 +1,12 @@
+- hosts: "static_opendev:!disabled"
+ name: "Static webserver"
+ roles:
+ - role: kerberos-client
+ kerberos_realm: 'OPENSTACK.ORG'
+ kerberos_admin_server: 'kdc.openstack.org'
+ kerberos_kdcs:
+ - kdc03.openstack.org
+ - kdc04.openstack.org
+ - role: openafs-client
+ openafs_client_cache_size: "{{ afs_client_cache_size | default(50000000) }}" # 50GiB
+ - role: static
diff --git a/testinfra/test_static.py b/testinfra/test_static.py
new file mode 100644
index 0000000000..c00d5b2375
--- /dev/null
+++ b/testinfra/test_static.py
@@ -0,0 +1,33 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+testinfra_hosts = ['static01.opendev.org']
+
+
+def test_apache(host):
+ apache = host.service('apache2')
+ assert apache.is_running
+
+def test_governance_openstack_org(host):
+ cmd = host.run('curl --insecure '
+ '--resolve governance.openstack.org:443:127.0.0.1 '
+ 'https://governance.openstack.org/')
+ assert 'OpenStack Governance' in cmd.stdout
+
+def test_security_openstack_org(host):
+ cmd = host.run('curl --insecure '
+ '--resolve security.openstack.org:443:127.0.0.1 '
+ 'https://security.openstack.org/')
+ assert 'OpenStack Security Project' in cmd.stdout
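Review bot: `test_governance_openstack_org` and `test_security_openstack_org` assert on `cmd.stdout` only, so a failed curl (non-zero exit because Apache is not listening or the `--resolve` override did not take effect) surfaces as a bare substring mismatch rather than the real error; add `assert cmd.rc == 0, cmd.stderr` before the substring check in each. `--insecure` is presumably needed because the test node's certificates are not real issuances; a comment saying so, such as `# test nodes do not get a publicly trusted cert, so skip verification`, would stop a later reader from removing the flag or copying it into non-test code. Style: PEP 8 asks for two blank lines between the top-level test functions; only one separates them here.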