Pull in people.d.o apache config
authorJulien Cristau <jcristau@debian.org>
Tue, 24 Sep 2019 09:54:04 +0000 (11:54 +0200)
committerJulien Cristau <jcristau@debian.org>
Tue, 24 Sep 2019 09:57:53 +0000 (11:57 +0200)
data/nodes/paradis.debian.org.yaml
modules/roles/manifests/people.pp
modules/roles/templates/apache-people-ports.conf.erb [new file with mode: 0644]
modules/roles/templates/apache-people.debian.org.conf.erb [new file with mode: 0644]

index f22e5b7..642bf1a 100644 (file)
@@ -1,3 +1,5 @@
 ---
 classes:
   - roles::people
 ---
 classes:
   - roles::people
+
+roles::people::listen_addr: ['209.87.16.67', '2607:f8f0:614:1::1274:67']
index 713f1a1..0ab4969 100644 (file)
@@ -1,5 +1,28 @@
-class roles::people {
+# @param listen_addr IP addresses to have apache listen on port 443
+class roles::people (
+  Array[Stdlib::IP::Address] $listen_addr = [],
+) {
   include apache2
   include apache2
+  apache2::module { 'userdir': }
   ssl::service { 'people.debian.org': notify  => Exec['service apache2 reload'], key => true, }
   onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true }
   ssl::service { 'people.debian.org': notify  => Exec['service apache2 reload'], key => true, }
   onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true }
+
+  $ports = empty($listen_addr) ? {
+    true => ['443'],
+    default => enclose_ipv6($listen_addr).map |$a| { "${a}:443" },
+  }
+  file { '/etc/apache2/ports.conf':
+    content => template('roles/apache-people-ports.conf.erb'),
+  }
+
+  $_enclosed_addresses = empty($listen_addr) ? {
+    true => ['*'],
+    default => enclose_ipv6($listen_addr),
+  }
+  $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:443" } . join(' ')
+  $onion_hn = onion_tor_service_hostname('people.debian.org')
+  apache2::site { 'people.debian.org':
+    site => 'people.debian.org.conf',
+    content => template('roles/apache-people.debian.org.conf.erb'),
+  }
 }
 }
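Review bot: The new `file { '/etc/apache2/ports.conf': ... }` resource carries no relationship to the apache service, while the `ssl::service` resource in the same class does `notify => Exec['service apache2 reload']`; unless the apache2 module collects files under /etc/apache2 elsewhere (not visible here), changing `listen_addr` in hiera rewrites ports.conf but apache keeps its old bind addresses until something else reloads it. Adding `notify => Exec['service apache2 reload'],` to the file resource closes that gap, noting that a change of Listen addresses may need a full restart rather than a reload depending on the apache version. As a point of style, `enclose_ipv6($listen_addr)` is evaluated twice (for `$ports` and `$_enclosed_addresses`); computing it once into a local and deriving both from it would make the two `"${a}:443"` mappings visibly the same. The whole class body is inside this hunk.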
diff --git a/modules/roles/templates/apache-people-ports.conf.erb b/modules/roles/templates/apache-people-ports.conf.erb
new file mode 100644 (file)
index 0000000..433df37
--- /dev/null
@@ -0,0 +1,9 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://git@ubergit.debian.org/dsa/dsa-puppet.git
+##
+
+Listen 80
+<% @ports.each do |port| -%>
+Listen <%= port %>
+<% end -%>
diff --git a/modules/roles/templates/apache-people.debian.org.conf.erb b/modules/roles/templates/apache-people.debian.org.conf.erb
new file mode 100644 (file)
index 0000000..831c9dd
--- /dev/null
@@ -0,0 +1,45 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://git@ubergit.debian.org/dsa/dsa-puppet.git
+##
+
+Use common-debian-service-https-redirect * people.debian.org
+
+<Macro vhost-inner-people.debian.org>
+       ServerAdmin debian-admin@debian.org
+       DocumentRoot /srv/people.debian.org/htdocs
+
+       ErrorLog /var/log/apache2/people.debian.org-error.log
+       CustomLog /var/log/apache2/people.debian.org-access.log privacy
+
+       HostnameLookups Off
+       UseCanonicalName Off
+       ServerSignature On
+
+       UserDir public_html
+
+       IndexOptions FancyIndexing NameWidth=*
+       ReadmeName README.txt
+
+       RedirectMatch ^/$ https://db.debian.org/
+</Macro>
+
+<VirtualHost <%= @vhost_listen %> >
+       ServerName people.debian.org
+
+       Use common-debian-service-ssl people.debian.org
+       Use common-ssl-HSTS
+       Use http-pkp-people.debian.org
+       Use vhost-inner-people.debian.org
+</VirtualHost>
+
+<VirtualHost *:80>
+       ServerName nossl.people.debian.org
+       Use vhost-inner-people.debian.org
+</VirtualHost>
+
+<VirtualHost *:80>
+       ServerName <%= @onion_hn %>
+       Use vhost-inner-people.debian.org
+</VirtualHost>
+
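Review bot: `RedirectMatch ^/$ https://db.debian.org/` sits inside the `vhost-inner-people.debian.org` macro and is therefore applied to all three VirtualHosts, including the onion one (`ServerName <%= @onion_hn %>`), so a request for `/` over the onion service is answered with a redirect to a clearnet https URL, taking the Tor client off the onion service; if that is not intended, move the `RedirectMatch` line from the macro into the `<VirtualHost <%= @vhost_listen %> >` block. Separately, `ServerSignature On` adds a server-identifying footer to generated error pages and to the `FancyIndexing` directory listings served from user `public_html` dirs; how much version detail it reveals depends on a `ServerTokens` setting not visible in this commit, so `ServerSignature Off` is the safer default unless the footer is wanted. The macros `common-debian-service-https-redirect`, `common-debian-service-ssl`, `common-ssl-HSTS` and `http-pkp-people.debian.org` are defined outside this file, so their effect on these vhosts cannot be checked from the hunk.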