System configuration for OpenStack Infrastructure

static.pp 9.6KB

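  # == Class: openstack_project::static
  #
  # Declares the Apache virtual hosts and docroots for the static sites
  # (tarballs, docs-draft, security, governance, specs, trystack), the port-80
  # legacy redirect vhosts (ci, summit, devstack.org), the log server class,
  # and the TLS certificate, key and chain files those vhosts reference.
  #
  # === Parameters
  #
  # [*swift_authurl*], [*swift_user*], [*swift_key*], [*swift_tenant_name*],
  # [*swift_region_name*], [*swift_default_container*]
  #   Forwarded unchanged to openstackci::logserver. $swift_key is presumably
  #   a credential; this class neither stores nor logs it itself.
  #
  # [*project_config_repo*]
  #   Passed as the url of the project_config class.
  #
  # [*ssl_cert_file*], [*ssl_cert_file_contents*]
  # [*ssl_key_file*], [*ssl_key_file_contents*]
  # [*ssl_chain_file*], [*ssl_chain_file_contents*]
  #   Path and/or PEM contents of the certificate, private key and
  #   intermediate chain. See the comments above each selection block below
  #   for how the empty and non-empty combinations are interpreted.
  #
  # [*jenkins_gitfullname*], [*jenkins_gitemail*]
  #   Passed to jenkins::jenkinsuser.
  #
  class openstack_project::static (
    $swift_authurl = '',
    $swift_user = '',
    $swift_key = '',
    $swift_tenant_name = '',
    $swift_region_name = '',
    $swift_default_container = '',
    $project_config_repo = '',
    $ssl_cert_file = '',
    $ssl_cert_file_contents = '',
    $ssl_key_file = '',
    $ssl_key_file_contents = '',
    $ssl_chain_file = '',
    $ssl_chain_file_contents = '',
    $jenkins_gitfullname = 'OpenStack Jenkins',
    $jenkins_gitemail = 'jenkins@openstack.org',
  ) {

    class { 'project_config':
      url => $project_config_repo,
    }

    include openstack_project

    class { 'jenkins::jenkinsuser':
      ssh_key     => $openstack_project::jenkins_ssh_key,
      gitfullname => $jenkins_gitfullname,
      gitemail    => $jenkins_gitemail,
    }

    include ::httpd
    include ::httpd::mod::wsgi

    httpd_mod { 'rewrite':
      ensure => present,
    }

    httpd_mod { 'proxy':
      ensure => present,
    }

    httpd_mod { 'proxy_http':
      ensure => present,
    }

    # Guarded because another class in the catalog may already declare it.
    if ! defined(File['/srv/static']) {
      file { '/srv/static':
        ensure => directory,
      }
    }

    file { '/etc/ssl/certs':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755',
    }

    # Only root may list or traverse the private key directory.
    file { '/etc/ssl/private':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0700',
    }

    # To use the standard ssl-certs package snakeoil certificate, leave both
    # $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
    # certificate, specify its path for $ssl_cert_file and leave
    # $ssl_cert_file_contents empty. To manage the certificate with puppet,
    # provide $ssl_cert_file_contents and optionally specify the path to use for
    # it in $ssl_cert_file.
    #
    # NOTE(review): the snakeoil default is a self-signed certificate that
    # clients cannot validate; it is only suitable for test deployments.
    # NOTE(review): File[$cert_file] is declared here only when contents are
    # supplied, yet the vhosts below always require it. In the snakeoil and
    # existing-path cases it must be declared elsewhere in the catalog --
    # confirm.
    if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') {
      $cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
    } else {
      if $ssl_cert_file == '' {
        $cert_file = "/etc/ssl/certs/${::fqdn}.pem"
      } else {
        $cert_file = $ssl_cert_file
      }
      if $ssl_cert_file_contents != '' {
        file { $cert_file:
          ensure  => present,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => $ssl_cert_file_contents,
          require => File['/etc/ssl/certs'],
        }
      }
    }

    # To use the standard ssl-certs package snakeoil key, leave both
    # $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
    # specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
    # To manage the key with puppet, provide $ssl_key_file_contents and
    # optionally specify the path to use for it in $ssl_key_file.
    #
    # NOTE(review): as with the certificate, File[$key_file] exists in this
    # class only when contents are supplied -- confirm the other cases.
    if ($ssl_key_file == '') and ($ssl_key_file_contents == '') {
      $key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
    } else {
      if $ssl_key_file == '' {
        $key_file = "/etc/ssl/private/${::fqdn}.key"
      } else {
        $key_file = $ssl_key_file
      }
      if $ssl_key_file_contents != '' {
        file { $key_file:
          ensure    => present,
          owner     => 'root',
          group     => 'root',
          mode      => '0600',
          content   => $ssl_key_file_contents,
          # Private key material: never render a content diff into agent
          # logs or reports, even if diffs are enabled globally.
          show_diff => false,
          require   => File['/etc/ssl/private'],
        }
      }
    }

    # To avoid using an intermediate certificate chain, leave both
    # $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
    # chain, specify its path for $ssl_chain_file and leave
    # $ssl_chain_file_contents empty. To manage the chain with puppet, provide
    # $ssl_chain_file_contents and optionally specify the path to use for it in
    # $ssl_chain_file.
    if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') {
      $chain_file = ''
    } else {
      if $ssl_chain_file == '' {
        $chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
      } else {
        $chain_file = $ssl_chain_file
      }
      if $ssl_chain_file_contents != '' {
        file { $chain_file:
          ensure  => present,
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => $ssl_chain_file_contents,
          require => File['/etc/ssl/certs'],
          # The chain is written before the certificate it belongs to.
          before  => File[$cert_file],
        }
      }
    }

    ###########################################################
    # Tarballs

    ::httpd::vhost { 'tarballs.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/tarballs',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'tarballs.openstack.org',
      require    => [
        File['/srv/static/tarballs'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    # Docroots below are owned by the jenkins user.
    file { '/srv/static/tarballs':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # legacy ci.openstack.org site redirect

    ::httpd::vhost { 'ci.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/ci.vhost.erb',
    }

    ###########################################################
    # Logs

    class { 'openstackci::logserver':
      jenkins_ssh_key         => $openstack_project::jenkins_ssh_key,
      domain                  => 'openstack.org',
      swift_authurl           => $swift_authurl,
      swift_user              => $swift_user,
      swift_key               => $swift_key,
      swift_tenant_name       => $swift_tenant_name,
      swift_region_name       => $swift_region_name,
      swift_default_container => $swift_default_container,
    }

    ###########################################################
    # Docs-draft

    ::httpd::vhost { 'docs-draft.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/docs-draft',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'docs-draft.openstack.org',
      require    => [
        File['/srv/static/docs-draft'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/docs-draft':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    # Root-owned and read-only, unlike the jenkins-owned docroot around it.
    file { '/srv/static/docs-draft/robots.txt':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0444',
      source  => 'puppet:///modules/openstack_project/disallow_robots.txt',
      require => File['/srv/static/docs-draft'],
    }

    ###########################################################
    # Security

    # The only vhost here that uses the https-redirect template.
    ::httpd::vhost { 'security.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/security',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-https-redirect.vhost.erb',
      vhost_name => 'security.openstack.org',
      require    => [
        File['/srv/static/security'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/security':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # Governance

    ::httpd::vhost { 'governance.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/governance',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'governance.openstack.org',
      require    => [
        File['/srv/static/governance'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/governance':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # Specs

    ::httpd::vhost { 'specs.openstack.org':
      port       => 443, # Is required despite not being used.
      docroot    => '/srv/static/specs',
      priority   => '50',
      ssl        => true,
      template   => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name => 'specs.openstack.org',
      require    => [
        File['/srv/static/specs'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    file { '/srv/static/specs':
      ensure  => directory,
      owner   => 'jenkins',
      group   => 'jenkins',
      require => User['jenkins'],
    }

    ###########################################################
    # legacy summit.openstack.org site redirect

    ::httpd::vhost { 'summit.openstack.org':
      port     => 80,
      priority => '50',
      docroot  => 'MEANINGLESS_ARGUMENT',
      template => 'openstack_project/summit.vhost.erb',
    }

    ###########################################################
    # legacy devstack.org site redirect

    ::httpd::vhost { 'devstack.org':
      port          => 80,
      priority      => '50',
      docroot       => 'MEANINGLESS_ARGUMENT',
      serveraliases => ['*.devstack.org'],
      template      => 'openstack_project/devstack.vhost.erb',
    }

    ###########################################################
    # Trystack

    ::httpd::vhost { 'trystack.openstack.org':
      port          => 443, # Is required despite not being used.
      docroot       => '/opt/trystack',
      priority      => '50',
      ssl           => true,
      template      => 'openstack_project/static-http-and-https.vhost.erb',
      vhost_name    => 'trystack.openstack.org',
      serveraliases => ['trystack.org', 'www.trystack.org'],
      require       => [
        Vcsrepo['/opt/trystack'],
        File[$cert_file],
        File[$key_file],
      ],
    }

    # NOTE(review): ensure => latest on the master branch means the served
    # docroot follows the branch head on every agent run. What gets published
    # then depends on the HTTPS transport and on who can merge to that
    # repository; pin revision to a reviewed commit if that is too broad.
    vcsrepo { '/opt/trystack':
      ensure   => latest,
      provider => git,
      revision => 'master',
      source   => 'https://git.openstack.org/openstack-infra/trystack-site',
    }
  }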