System configuration for OpenStack Infrastructure

static.pp 9.8KB

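  # == Class: openstack_project::static
  #
  # Configures the static-content web host: Apache (wsgi, rewrite, proxy and
  # proxy_http modules), the TLS certificate/key/chain files, one vhost per
  # published site (tarballs, docs-draft, security, governance, specs,
  # trystack), three legacy redirect vhosts, and the log server class.
  #
  # === Parameters
  #
  # [*swift_authurl*], [*swift_user*], [*swift_key*], [*swift_tenant_name*],
  # [*swift_region_name*], [*swift_default_container*]
  #   Passed unchanged to openstackci::logserver. $swift_key is a credential.
  #   NOTE(review): presumably supplied from private hiera data; confirm it is
  #   never committed alongside this manifest.
  #
  # [*project_config_repo*]
  #   Passed to the project_config class as its url.
  #
  # [*ssl_cert_file*], [*ssl_cert_file_contents*], [*ssl_key_file*],
  # [*ssl_key_file_contents*], [*ssl_chain_file*], [*ssl_chain_file_contents*]
  #   Path / content pairs for the TLS material; see the comments above each
  #   selection block below. $ssl_key_file_contents is private key material.
  #
  # [*jenkins_gitfullname*], [*jenkins_gitemail*]
  #   Git identity passed to jenkins::jenkinsuser.
  #
  class openstack_project::static (
    $swift_authurl              = '',
    $swift_user                 = '',
    $swift_key                  = '',
    $swift_tenant_name          = '',
    $swift_region_name          = '',
    $swift_default_container    = '',
    $project_config_repo        = '',
    $ssl_cert_file              = '',
    $ssl_cert_file_contents     = '',
    $ssl_key_file               = '',
    $ssl_key_file_contents      = '',
    $ssl_chain_file             = '',
    $ssl_chain_file_contents    = '',
    $jenkins_gitfullname        = 'OpenStack Jenkins',
    $jenkins_gitemail           = 'jenkins@openstack.org',
  ) {

    class { 'project_config':
      url => $project_config_repo,
    }

    include openstack_project

    # The jenkins account created here owns every /srv/static/* docroot
    # declared further down, so whoever can act as that user (it is given an
    # SSH key here) can change what those sites serve.
    class { 'jenkins::jenkinsuser':
      ssh_key     => $openstack_project::jenkins_ssh_key,
      gitfullname => $jenkins_gitfullname,
      gitemail    => $jenkins_gitemail,
    }

    include ::httpd
    include ::httpd::mod::wsgi

    # defined() depends on evaluation order: these guards only avoid a
    # duplicate declaration when the other declaration was evaluated first.
    if ! defined(Httpd::Mod['rewrite']) {
      httpd::mod { 'rewrite':
        ensure => present,
      }
    }

    if ! defined(Httpd::Mod['proxy']) {
      httpd::mod { 'proxy':
        ensure => present,
      }
    }

    if ! defined(Httpd::Mod['proxy_http']) {
      httpd::mod { 'proxy_http':
        ensure => present,
      }
    }

    # No owner, group or mode is set here, so the parent of all docroots keeps
    # whatever ownership and permissions it is created with.
    if ! defined(File['/srv/static']) {
      file { '/srv/static':
        ensure => directory,
      }
    }

    file { '/etc/ssl/certs':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755',
    }

    # Private keys live here; only root may list or traverse the directory.
    file { '/etc/ssl/private':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0700',
    }

    # To use the standard ssl-certs package snakeoil certificate, leave both
    # $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
    # certificate, specify its path for $ssl_cert_file and leave
    # $ssl_cert_file_contents empty. To manage the certificate with puppet,
    # provide $ssl_cert_file_contents and optionally specify the path to use for
    # it in $ssl_cert_file.
    #
    # NOTE(review): File[$cert_file] is declared in this class only when
    # $ssl_cert_file_contents is non-empty, yet the HTTPS vhosts below always
    # require it (and the chain file orders itself before it). In the snakeoil
    # and existing-path cases the resource has to be declared elsewhere for
    # those dependencies to resolve; confirm. The same applies to
    # File[$key_file].
    if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') {
      $cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
    } else {
      if $ssl_cert_file == '' {
        $cert_file = "/etc/ssl/certs/${::fqdn}.pem"
      } else {
        $cert_file = $ssl_cert_file
      }
      if $ssl_cert_file_contents != '' {
        file { $cert_file:
          ensure  => present,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => $ssl_cert_file_contents,
          require => File['/etc/ssl/certs'],
        }
      }
    }

    # To use the standard ssl-certs package snakeoil key, leave both
    # $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
    # specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
    # To manage the key with puppet, provide $ssl_key_file_contents and
    # optionally specify the path to use for it in $ssl_key_file.
    #
    # The snakeoil key is a self-signed placeholder; clients cannot
    # authenticate a host that presents it.
    if ($ssl_key_file == '') and ($ssl_key_file_contents == '') {
      $key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
    } else {
      if $ssl_key_file == '' {
        $key_file = "/etc/ssl/private/${::fqdn}.key"
      } else {
        $key_file = $ssl_key_file
      }
      if $ssl_key_file_contents != '' {
        file { $key_file:
          ensure    => present,
          owner     => 'root',
          group     => 'root',
          mode      => '0600',
          content   => $ssl_key_file_contents,
          # Keep private key material out of agent diff output (logs and
          # reports) when the content changes. The per-resource show_diff
          # attribute needs Puppet 3.2 or newer.
          show_diff => false,
          require   => File['/etc/ssl/private'],
        }
      }
    }

    # To avoid using an intermediate certificate chain, leave both
    # $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
    # chain, specify its path for $ssl_chain_file and leave
    # $ssl_chain_file_contents empty. To manage the chain with puppet, provide
    # $ssl_chain_file_contents and optionally specify the path to use for it in
    # $ssl_chain_file.
    if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') {
      $chain_file = ''
    } else {
      if $ssl_chain_file == '' {
        $chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
      } else {
        $chain_file = $ssl_chain_file
      }
      if $ssl_chain_file_contents != '' {
        file { $chain_file:
          ensure  => present,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => $ssl_chain_file_contents,
          require => File['/etc/ssl/certs'],
          # Write the chain before the certificate that depends on it.
          before  => File[$cert_file],
        }
      }
    }

    ###########################################################
    # Tarballs
    #
    # NOTE(review): the template name suggests this site answers on plain
    # HTTP as well as HTTPS; the template is not shown here. If release
    # artifacts can be fetched without TLS, consumers need another integrity
    # check (signatures or checksums); confirm.

    ::httpd::vhost { 'tarballs.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/tarballs',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'tarballs.openstack.org',
      require    => [
        File['/srv/static/tarballs'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/tarballs':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # legacy ci.openstack.org site redirect
    #
    # Port 80 only; the docroot value is a placeholder the vhost type insists
    # on, and the redirect itself is defined in the template (not shown here).

    ::httpd::vhost { 'ci.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/ci.vhost.erb',
    }

    ###########################################################
    # Logs
    #
    # The Swift credentials are handed to the log server class as-is.

    class { 'openstackci::logserver':
      jenkins_ssh_key         => $openstack_project::jenkins_ssh_key,
      domain                  => 'openstack.org',
      swift_authurl           => $swift_authurl,
      swift_user              => $swift_user,
      swift_key               => $swift_key,
      swift_tenant_name       => $swift_tenant_name,
      swift_region_name       => $swift_region_name,
      swift_default_container => $swift_default_container,
    }

    ###########################################################
    # Docs-draft

    ::httpd::vhost { 'docs-draft.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/docs-draft',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'docs-draft.openstack.org',
      require    => [
        File['/srv/static/docs-draft'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/docs-draft':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    # Root-owned and read-only, unlike the jenkins-owned directory around it.
    # The directory owner can still rename or remove entries in it, so this
    # protects the file's content only until the next puppet run restores it.
    file { '/srv/static/docs-draft/robots.txt':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0444',
      source  => 'puppet:///modules/openstack_project/disallow_robots.txt',
      require => File['/srv/static/docs-draft'],
    }

    ###########################################################
    # Security
    #
    # Uses the https-redirect template rather than the http-and-https one used
    # by the other sites. The docroot is still owned by jenkins, so the
    # content served here is only as trustworthy as that account.

    ::httpd::vhost { 'security.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/security',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-https-redirect.vhost.erb',
      vhost_name => 'security.openstack.org',
      require    => [
        File['/srv/static/security'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/security':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # Governance

    ::httpd::vhost { 'governance.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/governance',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'governance.openstack.org',
      require    => [
        File['/srv/static/governance'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/governance':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # Specs

    ::httpd::vhost { 'specs.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/specs',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'specs.openstack.org',
      require    => [
        File['/srv/static/specs'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/specs':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # legacy summit.openstack.org site redirect

    ::httpd::vhost { 'summit.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/summit.vhost.erb',
    }

    ###########################################################
    # legacy devstack.org site redirect
    #
    # The wildcard alias makes this vhost answer for every devstack.org
    # subdomain.

    ::httpd::vhost { 'devstack.org':
      port          => 80,
      priority      => '50',
      docroot       => 'MEANINGLESS_ARGUMENT',
      serveraliases => ['*.devstack.org'],
      template      => 'openstack_project/devstack.vhost.erb',
    }

    ###########################################################
    # Trystack

    ::httpd::vhost { 'trystack.openstack.org':
      port          => 443, # Is required despite not being used.
      docroot       => '/opt/trystack',
      priority      => '50',
      ssl           => true,
      template      => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name    => 'trystack.openstack.org',
      serveraliases => ['trystack.org', 'www.trystack.org'],
      require       => [
        Vcsrepo['/opt/trystack'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    # ensure => latest with revision 'master' means every puppet run publishes
    # the current tip of that branch straight into the docroot. No commit or
    # tag is pinned, so the integrity of the served site rests on the upstream
    # repository and the HTTPS fetch.
    vcsrepo { '/opt/trystack':
      ensure   => latest,
      provider => git,
      revision => 'master',
      source   => 'https://git.openstack.org/openstack-infra/trystack-site',
    }
  }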