debconf20.dc.o vhost

diff --git a/modules/roles/files/debconf_wafer/debconf20.debconf.org b/modules/roles/files/debconf_wafer/debconf20.debconf.org
new file mode 100644 (file)
index 0000000..8b15b66
--- /dev/null
+++ b/modules/roles/files/debconf_wafer/debconf20.debconf.org
@@ -0,0 +1,66 @@
+# do not modify - this file is maintained via puppet
+
+AddType application/font-woff2 .woff2
+
+Use common-debian-service-https-redirect * debconf20.debconf.org
+
+WSGIDaemonProcess debconf20 \
+  processes=3 threads=2 \
+  user=www-data group=debconf-web maximum-requests=750 umask=0007 display-name=wsgi-debconf20.debconf.org \
+  python-path=/srv/debconf-web/debconf20.debconf.org/dc20/:/srv/debconf-web/debconf20.debconf.org/dc20/ve/lib/python3.5/site-packages/
+
+<VirtualHost *:443>
+  ServerAdmin admin@debconf.org
+  ServerName debconf20.debconf.org
+
+  ErrorLog  /var/log/apache2/debconf20.debconf.org-error.log
+  CustomLog /var/log/apache2/debconf20.debconf.org-access.log combined
+
+  Use common-debian-service-ssl debconf20.debconf.org
+  Use common-ssl-HSTS
+
+  Header always set Referrer-Policy "same-origin"
+  Header always set X-Content-Type-Options nosniff
+  Header always set X-XSS-Protection "1; mode=block"
+#  Header always set Access-Control-Allow-Origin: "*"
+
+  # Debian SSO
+  SSLCACertificateFile /var/lib/dsa/sso/ca.crt
+  SSLCARevocationCheck chain
+  SSLCARevocationFile /var/lib/dsa/sso/ca.crl
+
+  WSGIProcessGroup debconf20
+  WSGIScriptAlias / /srv/debconf-web/debconf20.debconf.org/dc20/wsgi.py
+  WSGIPassAuthorization On
+
+  <Directory /srv/debconf-web/debconf20.debconf.org/dc20>
+    <Files wsgi.py>
+      Require all granted
+    </Files>
+  </Directory>
+
+  Alias /static/ /srv/debconf-web/debconf20.debconf.org/dc20/localstatic/
+  Alias /favicon.ico /srv/debconf-web/debconf20.debconf.org/dc20/localstatic/img/favicon/favicon.ico
+  <Directory /srv/debconf-web/debconf20.debconf.org/dc20/localstatic/>
+    Require all granted
+
+    # A little hacky, but it means we won't accidentally catch non-hashed filenames
+    <FilesMatch ".*\.[0-9a-f]{12}\.[a-z0-9]{2,5}$">
+      ExpiresActive on
+      ExpiresDefault "access plus 1 year"
+    </FilesMatch>
+  </Directory>
+
+  Alias /media/ /srv/debconf-web/debconf20.debconf.org/dc20/media/
+  <Directory /srv/debconf-web/debconf20.debconf.org/dc20/media/>
+    Require all granted
+  </Directory>
+
+  <Location /accounts/debian-login>
+    SSLOptions +StdEnvVars
+    # Allow access if one does not have a valid certificate
+    SSLVerifyClient optional
+  </Location>
+</VirtualHost>
+
+# vim: set ft=apache:

diff --git a/modules/roles/manifests/debconf_wafer.pp b/modules/roles/manifests/debconf_wafer.pp
index d03bafc..95c369a 100644 (file)
--- a/modules/roles/manifests/debconf_wafer.pp
+++ b/modules/roles/manifests/debconf_wafer.pp
@@ -31,5 +31,14 @@ class roles::debconf_wafer {
                site    => 'debconf19.debconf.org',
                source => 'puppet:///modules/roles/debconf_wafer/debconf19.debconf.org',
        }
+
+       ssl::service { 'debconf20.debconf.org':
+               notify  => Exec['service apache2 reload'],
+               key => true,
+       }
+       apache2::site { '010-debconf20.debconf.org':
+               site    => 'debconf20.debconf.org',
+               source => 'puppet:///modules/roles/debconf_wafer/debconf20.debconf.org',
+       }
 }