apache config for wafertest.debconf.org

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 09070d9..dbe8981 100644 (file)
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -322,3 +322,5 @@ roles:
   ipsec:
     - fasolo.debian.org
     - storace.debian.org
+  debconf_wafer:
+    - debussy.debian.org

diff --git a/modules/roles/files/debconf_wafer/wafertest.debconf.org b/modules/roles/files/debconf_wafer/wafertest.debconf.org
new file mode 100644 (file)
index 0000000..66e9b51
--- /dev/null
+++ b/modules/roles/files/debconf_wafer/wafertest.debconf.org
@@ -0,0 +1,62 @@
+AddType application/font-woff2 .woff2
+
+Use common-debian-service-https-redirect * wafertest.debconf.org
+
+WSGIDaemonProcess wafertest \
+  processes=3 threads=2 \
+  user=www-data group=www-data maximum-requests=750 umask=0007 display-name=wsgi-wafertest.debconf.org \
+  python-path=/srv/debconf-web/wafertest.debconf.org/dc18.dc.o/:/srv/debconf-web/wafertest.debconf.org/dc18.dc.o/ve/lib/python3.5/site-packages/
+
+<VirtualHost *:443>
+  ServerAdmin admin@debconf.org
+  ServerName wafertest.debconf.org
+
+  ErrorLog  /var/log/apache2/wafertest.debconf.org-error.log
+  CustomLog /var/log/apache2/wafertest.debconf.org-access.log combined
+
+  Use common-debian-service-ssl wafertest.debconf.org
+  Use common-ssl-HSTS
+
+  Header always set X-Content-Type-Options nosniff
+  Header always set X-XSS-Protection "1; mode=block"
+#  Header always set Access-Control-Allow-Origin: "*"
+
+  # Debian SSO
+  SSLCACertificateFile /var/lib/dsa/sso/ca.crt
+  SSLCARevocationCheck chain
+  SSLCARevocationFile /var/lib/dsa/sso/ca.crl
+  SSLVerifyClient optional
+
+  WSGIProcessGroup wafertest
+  WSGIScriptAlias / /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/wsgi.py
+  <Directory /srv/debconf-web/wafertest.debconf.org/dc18.dc.o>
+    <Files wsgi.py>
+      Require all granted
+    </Files>
+  </Directory>
+
+  Alias /static/ /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/localstatic/
+  Alias /favicon.ico /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/localstatic/img/favicon/favicon.ico
+  <Directory /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/localstatic/>
+    Require all granted
+
+    # A little hacky, but it means we won't accidentally catch non-hashed filenames
+    <FilesMatch ".*\.[0-9a-f]{12}\.[a-z0-9]{2,5}$">
+      ExpiresActive on
+      ExpiresDefault "access plus 1 year"
+    </FilesMatch>
+  </Directory>
+
+  Alias /media/ /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/media/
+  <Directory /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/media/>
+    Require all granted
+  </Directory>
+
+  <Location /accounts/debian-login>
+    SSLOptions +StdEnvVars
+    # Allow access if one does not have a valid certificate
+    SSLVerifyClient optional
+  </Location>
+</VirtualHost>
+
+# vim: set ft=apache:

diff --git a/modules/roles/manifests/debconf_wafer.pp b/modules/roles/manifests/debconf_wafer.pp
new file mode 100644 (file)
index 0000000..92223d9
--- /dev/null
+++ b/modules/roles/manifests/debconf_wafer.pp
@@ -0,0 +1,17 @@
+class roles::debconf_wafer {
+       include apache2::ssl
+
+       package { 'libapache2-mod-wsgi-py3': ensure => installed, }
+       apache2::module { 'wsgi': require => Package['libapache2-mod-wsgi-py3'] }
+
+       ssl::service { 'wafertest.debconf.org':
+               notify  => Exec['service apache2 reload'],
+               key => true,
+       }
+
+       apache2::site { '010-wafertest.debconf.org':
+               site    => 'wafertest.debconf.org',
+               source => 'puppet:///modules/roles/debconf_wafer/wafertest.debconf.org',
+       }
+}
+

diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 101058d..8a91339 100644 (file)
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -371,4 +371,8 @@ class roles {
        if has_role('ipsec') {
                include ipsec
        }
+
+       if has_role('debconf_wafer') {
+               include debconf_wafer
+       }
 }