From: Peter Palfrader Date: Sun, 15 Sep 2019 16:57:09 +0000 (+0200) Subject: Retire sso_rp (SSO, relying party) role for hosts X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=b1555d788f0e43564fbdb4b9825e6bf6b7dd423b Retire sso_rp (SSO, relying party) role for hosts Instead, relying services should include roles::sso_rp. --- diff --git a/hieradata/common.yaml b/hieradata/common.yaml index cd148b242..ca24dd664 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -60,8 +60,6 @@ roles: - quantz.debian.org popcon: - pinel.debian.org - qamaster: - - quantz.debian.org rtmaster: - reger.debian.org security_master: @@ -103,17 +101,6 @@ roles: fastly-backend: true security_tracker: - soriano.debian.org - # single sign on relying party (host) - also required apache2 module enabled on that host via other means - sso_rp: - - debussy.debian.org - - diabelli.debian.org - - jerea.debian.org - - nono.debian.org - - quantz.debian.org - - tate.debian.org - - ticharich.debian.org - - wilder.debian.org - - wuiet.debian.org static_mirror_onion: - klecker.debian.org - mirror-isc.debian.org diff --git a/hieradata/nodes/quantz.debian.org.yaml b/hieradata/nodes/quantz.debian.org.yaml new file mode 100644 index 000000000..bc15a43fe --- /dev/null +++ b/hieradata/nodes/quantz.debian.org.yaml @@ -0,0 +1,6 @@ +--- +classes: + - roles::qamaster + +# qa scripts sometimes needs a lot of memory. raise the limit to 300 MB +apache2::rlimitmem: 314572800 diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp index d998e8818..1d9d23617 100644 --- a/modules/apache2/manifests/init.pp +++ b/modules/apache2/manifests/init.pp @@ -58,8 +58,6 @@ class apache2( $memlimit = 512 * 1024 * 1024 } elsif has_role('popcon') { $memlimit = 512 * 1024 * 1024 - } elsif has_role('qamaster') { - $memlimit = 300 * 1024 * 1024 } else { $memlimit = $rlimitmem } 
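Review bot: In hieradata/nodes/quantz.debian.org.yaml, `apache2::rlimitmem: 314572800` only takes effect when the `apache2` class reaches its `else { $memlimit = $rlimitmem }` branch, and the earlier `has_role(...)` branches of that chain are only partly visible in this diff. quantz.debian.org is still listed under another role in hieradata/common.yaml (the entry directly above `popcon:`), so confirm that no remaining branch matches this host; otherwise the limit silently differs from what the comment states. Moving the host from the `roles:` list to `classes:` presumably also makes `has_role('qamaster')` false everywhere, so any caller left in the tree besides the two removed here would stop applying without an error. The comment would read better as `# qa scripts sometimes need a lot of memory; raise the limit to 300 MB`.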
diff --git a/modules/roles/manifests/buildd_master.pp b/modules/roles/manifests/buildd_master.pp index d4d163ceb..c2c8dd60e 100644 --- a/modules/roles/manifests/buildd_master.pp +++ b/modules/roles/manifests/buildd_master.pp @@ -1,7 +1,10 @@ class roles::buildd_master { + include apache2 + include roles::sso_rp + ssl::service { 'buildd.debian.org': - notify => Exec['service apache2 reload'], - key => true, + notify => Exec['service apache2 reload'], + key => true, } ssh::authorized_key_collect { 'buildd-master': diff --git a/modules/roles/manifests/contributors.pp b/modules/roles/manifests/contributors.pp index 6750e059e..fa1add1b9 100644 --- a/modules/roles/manifests/contributors.pp +++ b/modules/roles/manifests/contributors.pp @@ -1,5 +1,7 @@ class roles::contributors { include apache2 + include roles::sso_rp + ssl::service { 'contributors.debian.org': notify => Exec['service apache2 reload'], key => true, diff --git a/modules/roles/manifests/debconf_wafer.pp b/modules/roles/manifests/debconf_wafer.pp index f464d185a..e799875b6 100644 --- a/modules/roles/manifests/debconf_wafer.pp +++ b/modules/roles/manifests/debconf_wafer.pp @@ -3,6 +3,8 @@ class roles::debconf_wafer { include apache2::ssl include apache2::expires + include roles::sso_rp + package { 'libapache2-mod-wsgi-py3': ensure => installed, } apache2::module { 'wsgi': require => Package['libapache2-mod-wsgi-py3'] } diff --git a/modules/roles/manifests/debtags.pp b/modules/roles/manifests/debtags.pp index 8e350c6eb..263de7c4e 100644 --- a/modules/roles/manifests/debtags.pp +++ b/modules/roles/manifests/debtags.pp @@ -1,6 +1,7 @@ class roles::debtags { include apache2 include apache2::ssl + include roles::sso_rp package { 'libapache2-mod-wsgi-py3': ensure => installed, } apache2::module { 'wsgi': require => Package['libapache2-mod-wsgi-py3'] } diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index 0abfd9baa..0633b43fe 100644 --- a/modules/roles/manifests/init.pp 
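Review bot: The `include roles::sso_rp` added to roles::buildd_master (and likewise in contributors.pp, debconf_wafer.pp, debtags.pp, jenkins.pp, nm.pp, qamaster.pp, sso.pp, tracker.pp and wiki.pp) replaces a list of nine hosts, and nothing in the diff shows that every one of those hosts carries at least one of these role classes. A host that drops out stops being managed for whatever roles::sso_rp deploys (not visible here). Puppet does not remove what it already deployed, so if that includes trust material such as CA or revocation data for SSO, it would stay on disk and go stale. Comparing compiled catalogs before and after for debussy, diabelli, jerea, nono, quantz, tate, ticharich, wilder and wuiet would confirm coverage. The realignment of `notify =>` and `key =>` in this hunk is whitespace only and would be easier to review as a separate commit.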
+++ b/modules/roles/manifests/init.pp @@ -86,10 +86,6 @@ class roles { } - if has_role('qamaster') { - ssl::service { 'qa.debian.org': notify => Exec['service apache2 reload'], key => true, } - } - if has_role('packagesqamaster') { ssl::service { 'packages.qa.debian.org': notify => Exec['service apache2 reload'], key => true, } } diff --git a/modules/roles/manifests/jenkins.pp b/modules/roles/manifests/jenkins.pp index 34038e3c3..b4e085fad 100644 --- a/modules/roles/manifests/jenkins.pp +++ b/modules/roles/manifests/jenkins.pp @@ -1,15 +1,18 @@ class roles::jenkins { + include apache2 + include roles::sso_rp + include apache2::ssl apache2::module { 'proxy_http': } apache2::site { '010-jenkins.debian.org': - site => 'jenkins.debian.org', + site => 'jenkins.debian.org', source => 'puppet:///modules/roles/jenkins/jenkins.debian.org', } ssl::service { 'jenkins.debian.org': - notify => Exec['service apache2 reload'], - key => true, + notify => Exec['service apache2 reload'], + key => true, } dsa_systemd::linger { 'jenkins': } diff --git a/modules/roles/manifests/nm.pp b/modules/roles/manifests/nm.pp index 96951e877..dd026bfdf 100644 --- a/modules/roles/manifests/nm.pp +++ b/modules/roles/manifests/nm.pp @@ -1,5 +1,7 @@ class roles::nm { include apache2 + include roles::sso_rp + ssl::service { 'nm.debian.org': notify => Exec['service apache2 reload'], key => true, diff --git a/modules/roles/manifests/qamaster.pp b/modules/roles/manifests/qamaster.pp new file mode 100644 index 000000000..d10c1a466 --- /dev/null +++ b/modules/roles/manifests/qamaster.pp @@ -0,0 +1,6 @@ +class roles::qamaster { + include apache2 + include roles::sso_rp + + ssl::service { 'qa.debian.org': notify => Exec['service apache2 reload'], key => true, } +} diff --git a/modules/roles/manifests/sso.pp b/modules/roles/manifests/sso.pp index 6cda237e6..147c5ff1e 100644 --- a/modules/roles/manifests/sso.pp +++ b/modules/roles/manifests/sso.pp 
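Review bot: In jenkins.pp, `include apache2` is added next to `include roles::sso_rp` (the same pairing appears in buildd_master.pp), which suggests roles::sso_rp still relies on each role to declare apache2. The comment deleted from hieradata/common.yaml said the role `also required apache2 module enabled on that host via other means`, and that caveat is no longer recorded anywhere in this diff. If the dependency is real, declaring `include apache2` inside roles::sso_rp (the class is not part of this diff) would keep a relying service from forgetting it, and any ordering it needs should be expressed there too, because `include` by itself does not order the two classes. The new includes are also separated from the existing `include apache2::ssl` by a blank line; keeping the three together would match debtags.pp.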
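Review bot: The new roles::qamaster class in qamaster.pp has no header comment, and the memory limit that used to follow the role through `has_role('qamaster')` in the apache2 class now lives only in quantz's node hieradata. A second host given this class would get the default limit with no hint in the manifest. A comment above the class would record that, for example `# QA master (qa.debian.org). Needs apache2::rlimitmem raised in node hieradata; see quantz.debian.org.yaml.`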
@@ -1,5 +1,6 @@ class roles::sso { include apache2 + include roles::sso_rp ssl::service { 'sso.debian.org': notify => Exec['service apache2 reload'], diff --git a/modules/roles/manifests/tracker.pp b/modules/roles/manifests/tracker.pp index 930e1640d..807b38535 100644 --- a/modules/roles/manifests/tracker.pp +++ b/modules/roles/manifests/tracker.pp @@ -1,5 +1,7 @@ class roles::tracker { include apache2 + include roles::sso_rp + package { 'libapache2-mod-wsgi-py3': ensure => installed, } apache2::module { 'wsgi': require => Package['libapache2-mod-wsgi-py3'] } ssl::service { 'tracker.debian.org': diff --git a/modules/roles/manifests/wiki.pp b/modules/roles/manifests/wiki.pp index 0299aef1c..37009deb3 100644 --- a/modules/roles/manifests/wiki.pp +++ b/modules/roles/manifests/wiki.pp @@ -1,5 +1,7 @@ class roles::wiki { include apache2 + include roles::sso_rp + ssl::service { 'wiki.debian.org': notify => Exec['service apache2 reload'], key => true,