From: Stefano Rivera
Date: Tue, 30 Jul 2019 14:50:06 +0000 (-0300)
Subject: debconf20.dc.o vhost
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=e75d5b45b1a474f4b96e8914219b6edde163983b;p=mirror%2Fdsa-puppet.git

debconf20.dc.o vhost
---
diff --git a/modules/roles/files/debconf_wafer/debconf20.debconf.org b/modules/roles/files/debconf_wafer/debconf20.debconf.org
new file mode 100644
index 000000000..8b15b6669
--- /dev/null
+++ b/modules/roles/files/debconf_wafer/debconf20.debconf.org
@@ -0,0 +1,66 @@
+# do not modify - this file is maintained via puppet
+
+AddType application/font-woff2 .woff2
+
+Use common-debian-service-https-redirect * debconf20.debconf.org
+
+WSGIDaemonProcess debconf20 \
+ processes=3 threads=2 \
+ user=www-data group=debconf-web maximum-requests=750 umask=0007 display-name=wsgi-debconf20.debconf.org \
+ python-path=/srv/debconf-web/debconf20.debconf.org/dc20/:/srv/debconf-web/debconf20.debconf.org/dc20/ve/lib/python3.5/site-packages/
+
+
+ ServerAdmin admin@debconf.org
+ ServerName debconf20.debconf.org
+
+ ErrorLog /var/log/apache2/debconf20.debconf.org-error.log
+ CustomLog /var/log/apache2/debconf20.debconf.org-access.log combined
+
+ Use common-debian-service-ssl debconf20.debconf.org
+ Use common-ssl-HSTS
+
+ Header always set Referrer-Policy "same-origin"
+ Header always set X-Content-Type-Options nosniff
+ Header always set X-XSS-Protection "1; mode=block"
+# Header always set Access-Control-Allow-Origin: "*"
+
+ # Debian SSO
+ SSLCACertificateFile /var/lib/dsa/sso/ca.crt
+ SSLCARevocationCheck chain
+ SSLCARevocationFile /var/lib/dsa/sso/ca.crl
+
+ WSGIProcessGroup debconf20
+ WSGIScriptAlias / /srv/debconf-web/debconf20.debconf.org/dc20/wsgi.py
+ WSGIPassAuthorization On
+
+
+
+ Require all granted
+
+
+
+ Alias /static/ /srv/debconf-web/debconf20.debconf.org/dc20/localstatic/
+ Alias /favicon.ico /srv/debconf-web/debconf20.debconf.org/dc20/localstatic/img/favicon/favicon.ico
+
+ Require all granted
+
+ # A little hacky, but it means we won't accidentally catch non-hashed filenames
+
+ ExpiresActive on
+ ExpiresDefault "access plus 1 year"
+
+
+
+ Alias /media/ /srv/debconf-web/debconf20.debconf.org/dc20/media/
+
+ Require all granted
+
+
+
+ SSLOptions +StdEnvVars
+ # Allow access if one does not have a valid certificate
+ SSLVerifyClient optional
+
+
+
+# vim: set ft=apache:
diff --git a/modules/roles/manifests/debconf_wafer.pp b/modules/roles/manifests/debconf_wafer.pp
index d03bafc12..95c369adb 100644
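Review bot: The `# Debian SSO` lines (`SSLCACertificateFile`, `SSLCARevocationCheck chain`, `SSLCARevocationFile /var/lib/dsa/sso/ca.crl`) rely on a CRL that mod_ssl loads when httpd starts or reloads, and nothing visible in this commit reloads Apache when `ca.crl` changes. A revoked SSO certificate can therefore keep being accepted until the next reload, and a loaded CRL that passes its nextUpdate will typically make every client-certificate verification fail. Whatever refreshes `/var/lib/dsa/sso/ca.crl` should notify `Exec['service apache2 reload']`; this may already happen elsewhere in the repository and is worth confirming. Next to `SSLVerifyClient optional`, a comment such as `# the app must treat a request as SSO-authenticated only when SSL_CLIENT_VERIFY is SUCCESS` would record what the WSGI application is relied on to check, since requests without a certificate are let through by design. The container tags around these directives are not visible on this page, so the path they apply to cannot be confirmed from here.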
--- a/modules/roles/manifests/debconf_wafer.pp
+++ b/modules/roles/manifests/debconf_wafer.pp
@@ -31,5 +31,14 @@ class roles::debconf_wafer {
 site => 'debconf19.debconf.org',
 source => 'puppet:///modules/roles/debconf_wafer/debconf19.debconf.org',
 }
+
+ ssl::service { 'debconf20.debconf.org':
+ notify => Exec['service apache2 reload'],
+ key => true,
+ }
+ apache2::site { '010-debconf20.debconf.org':
+ site => 'debconf20.debconf.org',
+ source => 'puppet:///modules/roles/debconf_wafer/debconf20.debconf.org',
+ }
 }