From 594ba45a0aaf7be0ad8e74089342611fd56042f1 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Tue, 30 Jan 2018 11:05:55 +0100 Subject: [PATCH] apache config for wafertest.debconf.org --- hieradata/common.yaml | 2 + .../files/debconf_wafer/wafertest.debconf.org | 62 +++++++++++++++++++ modules/roles/manifests/debconf_wafer.pp | 17 +++++ modules/roles/manifests/init.pp | 4 ++ 4 files changed, 85 insertions(+) create mode 100644 modules/roles/files/debconf_wafer/wafertest.debconf.org create mode 100644 modules/roles/manifests/debconf_wafer.pp diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 09070d999..dbe8981e1 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -322,3 +322,5 @@ roles: ipsec: - fasolo.debian.org - storace.debian.org + debconf_wafer: + - debussy.debian.org diff --git a/modules/roles/files/debconf_wafer/wafertest.debconf.org b/modules/roles/files/debconf_wafer/wafertest.debconf.org new file mode 100644 index 000000000..66e9b5102 --- /dev/null +++ b/modules/roles/files/debconf_wafer/wafertest.debconf.org @@ -0,0 +1,62 @@ +AddType application/font-woff2 .woff2 + +Use common-debian-service-https-redirect * wafertest.debconf.org + +WSGIDaemonProcess wafertest \ + processes=3 threads=2 \ + user=www-data group=www-data maximum-requests=750 umask=0007 display-name=wsgi-wafertest.debconf.org \ + python-path=/srv/debconf-web/wafertest.debconf.org/dc18.dc.o/:/srv/debconf-web/wafertest.debconf.org/dc18.dc.o/ve/lib/python3.5/site-packages/ + + + ServerAdmin admin@debconf.org + ServerName wafertest.debconf.org + + ErrorLog /var/log/apache2/wafertest.debconf.org-error.log + CustomLog /var/log/apache2/wafertest.debconf.org-access.log combined + + Use common-debian-service-ssl wafertest.debconf.org + Use common-ssl-HSTS + + Header always set X-Content-Type-Options nosniff + Header always set X-XSS-Protection "1; mode=block" +# Header always set Access-Control-Allow-Origin: "*" + + # Debian SSO + SSLCACertificateFile /var/lib/dsa/sso/ca.crt + SSLCARevocationCheck chain + SSLCARevocationFile /var/lib/dsa/sso/ca.crl + SSLVerifyClient optional + + WSGIProcessGroup wafertest + WSGIScriptAlias / /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/wsgi.py + + + Require all granted + + + + Alias /static/ /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/localstatic/ + Alias /favicon.ico /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/localstatic/img/favicon/favicon.ico + + Require all granted + + # A little hacky, but it means we won't accidentally catch non-hashed filenames + + ExpiresActive on + ExpiresDefault "access plus 1 year" + + + + Alias /media/ /srv/debconf-web/wafertest.debconf.org/dc18.dc.o/media/ + + Require all granted + + + + SSLOptions +StdEnvVars + # Allow access if one does not have a valid certificate + SSLVerifyClient optional + + + +# vim: set ft=apache: diff --git a/modules/roles/manifests/debconf_wafer.pp b/modules/roles/manifests/debconf_wafer.pp new file mode 100644 index 000000000..92223d91d --- /dev/null +++ b/modules/roles/manifests/debconf_wafer.pp @@ -0,0 +1,17 @@ +class roles::debconf_wafer { + include apache2::ssl + + package { 'libapache2-mod-wsgi-py3': ensure => installed, } + apache2::module { 'wsgi': require => Package['libapache2-mod-wsgi-py3'] } + + ssl::service { 'wafertest.debconf.org': + notify => Exec['service apache2 reload'], + key => true, + } + + apache2::site { '010-wafertest.debconf.org': + site => 'wafertest.debconf.org', + source => 'puppet:///modules/roles/debconf_wafer/wafertest.debconf.org', + } +} + diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index 101058d15..8a91339d8 100644 --- a/modules/roles/manifests/init.pp +++ b/modules/roles/manifests/init.pp @@ -371,4 +371,8 @@ class roles { if has_role('ipsec') { include ipsec } + + if has_role('debconf_wafer') { + include debconf_wafer + } } -- 2.20.1