From: Julien Cristau Date: Tue, 24 Sep 2019 09:54:04 +0000 (+0200) Subject: Pull in people.d.o apache config X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=c79637cd42547cd212a0e033485dc8af2d05bd38 Pull in people.d.o apache config
---
diff --git a/data/nodes/paradis.debian.org.yaml b/data/nodes/paradis.debian.org.yaml
index f22e5b7a5..642bf1a04 100644
--- a/data/nodes/paradis.debian.org.yaml
+++ b/data/nodes/paradis.debian.org.yaml
@@ -1,3 +1,5 @@
 ---
 classes:
 - roles::people
+
+roles::people::listen_addr: ['209.87.16.67', '2607:f8f0:614:1::1274:67']
diff --git a/modules/roles/manifests/people.pp b/modules/roles/manifests/people.pp
index 713f1a170..0ab496987 100644
--- a/modules/roles/manifests/people.pp
+++ b/modules/roles/manifests/people.pp
@@ -1,5 +1,28 @@
-class roles::people {
+# @param listen_addr IP addresses to have apache listen on port 443
+class roles::people (
+ Array[Stdlib::IP::Address] $listen_addr = [],
+) {
 include apache2
+ apache2::module { 'userdir': }
 ssl::service { 'people.debian.org': notify => Exec['service apache2 reload'], key => true, }
 onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true }
+
+ $ports = empty($listen_addr) ? {
+ true => ['443'],
+ default => enclose_ipv6($listen_addr).map |$a| { "${a}:443" },
+ }
+ file { '/etc/apache2/ports.conf':
+ content => template('roles/apache-people-ports.conf.erb'),
+ }
+
+ $_enclosed_addresses = empty($listen_addr) ? {
+ true => ['*'],
+ default => enclose_ipv6($listen_addr),
+ }
+ $vhost_listen = $_enclosed_addresses.map |$a| { "${a}:443" } . join(' ')
+ $onion_hn = onion_tor_service_hostname('people.debian.org')
+ apache2::site { 'people.debian.org':
+ site => 'people.debian.org.conf',
+ content => template('roles/apache-people.debian.org.conf.erb'),
+ }
 }
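Review bot: The new `file { '/etc/apache2/ports.conf': ... }` resource in `roles::people` carries no `notify`, so a change to `listen_addr` rewrites the Listen directives while nothing in this hunk tells Apache to pick them up; the `ssl::service` line just above does notify `Exec['service apache2 reload']`. Unless the `apache2` class sets a resource default elsewhere, I would add `notify => Exec['service apache2 reload'],` to the file resource, and confirm that a reload is enough when the set of listening addresses changes. Separately, `enclose_ipv6($listen_addr)` and the `"${a}:443"` map are written twice, once for `$ports` and once for `$vhost_listen`; computing the enclosed list once would keep ports.conf and the vhost address list from drifting apart.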
diff --git a/modules/roles/templates/apache-people-ports.conf.erb b/modules/roles/templates/apache-people-ports.conf.erb
new file mode 100644
index 000000000..433df378c
--- /dev/null
+++ b/modules/roles/templates/apache-people-ports.conf.erb
@@ -0,0 +1,9 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://git@ubergit.debian.org/dsa/dsa-puppet.git
+##
+
+Listen 80
+<% @ports.each do |port| -%>
+Listen <%= port %>
+<% end -%>
diff --git a/modules/roles/templates/apache-people.debian.org.conf.erb b/modules/roles/templates/apache-people.debian.org.conf.erb
new file mode 100644
index 000000000..831c9dd16
--- /dev/null
+++ b/modules/roles/templates/apache-people.debian.org.conf.erb
@@ -0,0 +1,45 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://git@ubergit.debian.org/dsa/dsa-puppet.git
+##
+
+Use common-debian-service-https-redirect * people.debian.org
+
+
+ ServerAdmin debian-admin@debian.org
+ DocumentRoot /srv/people.debian.org/htdocs
+
+ ErrorLog /var/log/apache2/people.debian.org-error.log
+ CustomLog /var/log/apache2/people.debian.org-access.log privacy
+
+ HostnameLookups Off
+ UseCanonicalName Off
+ ServerSignature On
+
+ UserDir public_html
+
+ IndexOptions FancyIndexing NameWidth=*
+ ReadmeName README.txt
+
+ RedirectMatch ^/$ https://db.debian.org/
+
+
+ >
+ ServerName people.debian.org
+
+ Use common-debian-service-ssl people.debian.org
+ Use common-ssl-HSTS
+ Use http-pkp-people.debian.org
+ Use vhost-inner-people.debian.org
+
+
+
+ ServerName nossl.people.debian.org
+ Use vhost-inner-people.debian.org
+
+
+
+ ServerName <%= @onion_hn %>
+ Use vhost-inner-people.debian.org
+
+
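Review bot: `UserDir public_html` in apache-people.debian.org.conf.erb is enabled without an accompanying `UserDir disabled root`, which the Apache mod_userdir documentation recommends alongside any enabling UserDir line. Unless that is already set elsewhere in the server configuration, I would add `UserDir disabled root` next to it. `ServerSignature On` in the same group of directives adds the server signature line to generated error and index pages on a host that serves user-controlled content, so `ServerSignature Off` would be the more conservative setting if nothing depends on it. The container lines around these directives are not visible on this page, so the scope of both settings is inferred from the `Use vhost-inner-people.debian.org` lines.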