From eaa82961a2a558a03fe37bc9a4b95513267c89f5 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 6 Jul 2018 10:53:32 +0200
Subject: [PATCH] move apache config for security-tracker.debian.org.conf to puppet
---
 modules/roles/manifests/security_tracker.pp | 9 ++++
 ...pache-security-tracker.debian.org.conf.erb | 49 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 modules/roles/templates/apache-security-tracker.debian.org.conf.erb
diff --git a/modules/roles/manifests/security_tracker.pp b/modules/roles/manifests/security_tracker.pp
index 4c7ee44e7..6319fbd8e 100644
--- a/modules/roles/manifests/security_tracker.pp
+++ b/modules/roles/manifests/security_tracker.pp
@@ -1,6 +1,15 @@
 class roles::security_tracker {
+ include apache2::ssl
+ include apache2::proxy_http
+ include apache2::expires
+
 ssl::service { 'security-tracker.debian.org':
 notify => Exec['service apache2 reload'],
 key => true,
 }
+
+ apache2::site { 'security-tracker.debian.org':
+ site => 'security-tracker.debian.org',
+ content => template('roles/apache-security-tracker.debian.org.conf.erb')
+ }
 }
diff --git a/modules/roles/templates/apache-security-tracker.debian.org.conf.erb b/modules/roles/templates/apache-security-tracker.debian.org.conf.erb
new file mode 100644
index 000000000..e08815893
--- /dev/null
+++ b/modules/roles/templates/apache-security-tracker.debian.org.conf.erb
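Review bot: In security_tracker.pp the class includes only `apache2::ssl`, `apache2::proxy_http` and `apache2::expires`, while the template it now deploys also depends on mod_rewrite (`RewriteEngine on`) and mod_macro (the `Use ...` lines), and nothing in this hunk enables either. If the base apache2 class does not already load both, Apache would presumably reject the new site file on the next reload, so either add the matching includes or record the assumption with a comment such as `# rewrite and macro are enabled by the base apache2 class`. As a style point, `content => template(...)` is the only attribute in the class without a trailing comma.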
@@ -0,0 +1,49 @@
+Use common-debian-service-https-redirect * security-tracker.debian.org
+
+
+ ServerAdmin team@security.debian.org
+ ServerName security-tracker.debian.org
+
+ Use common-debian-service-ssl security-tracker.debian.org
+ Use common-ssl-HSTS
+ Use http-pkp-security-tracker.debian.org
+
+
+ UserDir disabled
+
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/security-tracker.debian.org-error.log
+ CustomLog /var/log/apache2/security-tracker.debian.org-access.log privacyssl
+ ServerSignature On
+
+ RewriteEngine on
+ RewriteRule ^/tracker(?:/|$) - [L]
+ # The next rule matches favicon.ico, robots.txt etc.
+ RewriteRule ^/[^./]+[.][a-z]{3}$ - [L]
+ RewriteRule ^/((?:TEMP|CVE)[^/]+)$ /tracker/$1 [R]
+ RewriteRule ^/((?:old|un)?stable|testing)$ /tracker/status/release/$1 [R]
+ RewriteRule ^/((?:old)?stable-backports)$ /tracker/status/release/$1 [R]
+ RewriteRule ^/([a-z0-9.+-]+)$ /tracker/$1 [R]
+ RewriteRule ^/+$ /tracker/ [R]
+
+ DocumentRoot /srv/security-tracker.debian.org/htdocs/security-tracker
+
+ AllowOverride none
+ Options +Indexes
+ Require all granted
+
+
+
+ Require all denied
+
+
+
+ SetOutputFilter DEFLATE
+
+
+ ProxyRequests off
+ ProxyPass /tracker http://localhost:25648/tracker retry=1
+ ProxyPassReverse /tracker http://localhost:25648/tracker
+
+# vim: set filetype=apache:
--
2.20.1
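Review bot: `ServerSignature On` makes Apache append its server banner to the pages it generates itself, such as error responses and the directory listings enabled here, which discloses software details to every client; `ServerSignature Off` is the usual choice for a public vhost. `Options +Indexes` sits in the block that follows the `DocumentRoot` line, so directories in that tree without an index file would be listable; if the listings are not intended, `Options -Indexes` closes that. The section container lines appear only as bare `+` lines in this copy of the patch, so which paths the `Require all granted` and `Require all denied` blocks cover cannot be confirmed from the hunk. A one-line comment above the denied block saying what it protects would help the next reader.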