Diffstat (limited to 'puppet/modules/site_static')
-rw-r--r-- | puppet/modules/site_static/README | 3 | ||||
-rw-r--r-- | puppet/modules/site_static/manifests/domain.pp | 33 | ||||
-rw-r--r-- | puppet/modules/site_static/manifests/init.pp | 72 | ||||
-rw-r--r-- | puppet/modules/site_static/manifests/location.pp | 36 | ||||
-rw-r--r-- | puppet/modules/site_static/templates/amber.erb | 13 | ||||
-rw-r--r-- | puppet/modules/site_static/templates/apache.conf.erb | 88 | ||||
-rw-r--r-- | puppet/modules/site_static/templates/rack.erb | 19 |
7 files changed, 264 insertions, 0 deletions
diff --git a/puppet/modules/site_static/README b/puppet/modules/site_static/README
new file mode 100644
index 00000000..bc719782
--- /dev/null
+++ b/puppet/modules/site_static/README
@@ -0,0 +1,3 @@
+Deploy one or more static websites to a node.
+
+For now, it only supports `amber` based static sites. Should support plain html and jekyll in the future.
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
new file mode 100644
index 00000000..b26cc9e3
--- /dev/null
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -0,0 +1,33 @@
+# configure static service for domain
+define site_static::domain (
+ $ca_cert,
+ $key,
+ $cert,
+ $tls_only=true,
+ $locations=undef,
+ $aliases=undef,
+ $apache_config=undef) {
+
+ $domain = $name
+ $base_dir = '/srv/static'
+
+ $cafile = "${cert}\n${ca_cert}"
+
+ if is_hash($locations) {
+ create_resources(site_static::location, $locations)
+ }
+
+ x509::cert { $domain:
+ content => $cafile,
+ notify => Service[apache]
+ }
+ x509::key { $domain:
+ content => $key,
+ notify => Service[apache]
+ }
+
+ apache::vhost::file { $domain:
+ content => template('site_static/apache.conf.erb')
+ }
+
+}
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
new file mode 100644
index 00000000..4a722d62
--- /dev/null
+++ b/puppet/modules/site_static/manifests/init.pp
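Review bot: `define site_static::domain (` takes seven parameters and documents none of them, and two have behaviour a reader cannot guess from the names: `$apache_config` is written into the vhost file unmodified by apache.conf.erb, and `$tls_only=false` keeps the port-80 vhost but that vhost carries no DocumentRoot of its own, so what it serves is presumably whatever the server default is. A header comment above the define along the lines of `# $apache_config - raw Apache directives inserted into the :443 vhost (trusted operator input from hiera)` and `# $tls_only - true: port 80 only redirects to https; false: port 80 vhost is declared but serves nothing of its own` would settle both. `$key`, `$cert` and `$ca_cert` deserve a one-liner each noting that they are PEM strings and that `$cafile` concatenates the certificate and the CA certificate into the file handed to `x509::cert`.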
@@ -0,0 +1,72 @@
+# deploy static service
+class site_static {
+ tag 'leap_service'
+
+ include site_config::default
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca_bundle
+
+ $static = hiera('static')
+ $domains = $static['domains']
+ $formats = $static['formats']
+ $bootstrap = $static['bootstrap_files']
+ $tor = hiera('tor', false)
+
+ if $bootstrap['enabled'] {
+ $bootstrap_domain = $bootstrap['domain']
+ $bootstrap_client = $bootstrap['client_version']
+ file { '/srv/leap/provider.json':
+ content => $bootstrap['provider_json'],
+ owner => 'www-data',
+ group => 'www-data',
+ mode => '0444';
+ }
+ # It is important to always touch provider.json: the client needs to check x-min-client-version header,
+ # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem
+ # is that changing min client version won't alter the content of provider.json, so we must touch it.
+ exec { '/bin/touch /srv/leap/provider.json':
+ require => File['/srv/leap/provider.json'];
+ }
+ }
+
+ include apache::module::headers
+ include apache::module::alias
+ include apache::module::expires
+ include apache::module::removeip
+ include apache::module::dir
+ include apache::module::negotiation
+ include site_apache::common
+ include site_config::ruby::dev
+
+ if (member($formats, 'rack')) {
+ include site_apt::preferences::passenger
+ class { 'passenger':
+ use_munin => false,
+ require => Class['site_apt::preferences::passenger']
+ }
+ }
+
+ if (member($formats, 'amber')) {
+ rubygems::gem{'amber-0.3.8':
+ require => Package['zlib1g-dev']
+ }
+
+ package { 'zlib1g-dev':
+ ensure => installed
+ }
+ }
+
+ create_resources(site_static::domain, $domains)
+
+ if $tor {
+ $hidden_service = $tor['hidden_service']
+ if $hidden_service['active'] {
+ include site_webapp::hidden_service
+ }
+ }
+
+ include site_shorewall::defaults
+ include site_shorewall::service::http
+ include site_shorewall::service::https
+}
diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp
new file mode 100644
index 00000000..d116de2f
--- /dev/null
+++ b/puppet/modules/site_static/manifests/location.pp
@@ -0,0 +1,36 @@
+# configure static service for location
+define site_static::location($path, $format, $source) {
+
+ $file_path = "/srv/static/${name}"
+ $allowed_formats = ['amber','rack']
+
+ if $format == undef {
+ fail("static_site location `${path}` is missing `format` field.")
+ }
+
+ if ! member($allowed_formats, $format) {
+ $formats_str = join($allowed_formats, ', ')
+ fail("Unsupported static_site location format `${format}`. Supported formats include ${formats_str}.")
+ }
+
+ if ($format == 'amber') {
+ exec {"amber_build_${name}":
+ cwd => $file_path,
+ command => 'amber rebuild',
+ user => 'www-data',
+ timeout => 600,
+ subscribe => Vcsrepo[$file_path]
+ }
+ }
+
+ vcsrepo { $file_path:
+ ensure => present,
+ force => true,
+ revision => $source['revision'],
+ provider => $source['type'],
+ source => $source['repo'],
+ owner => 'www-data',
+ group => 'www-data'
+ }
+
+}
diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb
new file mode 100644
index 00000000..694f1136
--- /dev/null
+++ b/puppet/modules/site_static/templates/amber.erb
@@ -0,0 +1,13 @@
+<%- if @location_path != '' -%>
+ AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1"
+ Alias /<%=@location_path%> "<%=@directory%>/"
+<%- end -%>
+ <Directory "<%=@directory%>/">
+ AllowOverride FileInfo Indexes Options=All,MultiViews
+<% if scope.function_guess_apache_version([]) == '2.4' %>
+ Require all granted
+<% else %>
+ Order deny,allow
+ Allow from all
+<% end %>
+ </Directory>
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
new file mode 100644
index 00000000..6b969d1c
--- /dev/null
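Review bot: `$bootstrap = $static['bootstrap_files']` is followed by `if $bootstrap['enabled']` with no check that the hiera key is present, whereas the neighbouring `$tor = hiera('tor', false)` does guard its lookup; a `static` hash without `bootstrap_files` would presumably abort catalog compilation instead of simply skipping the optional block. domain.pp in the same commit already uses `is_hash($locations)` for this, so `if is_hash($bootstrap) and $bootstrap['enabled'] {` keeps the feature optional in the same style. The same pattern recurs at `$hidden_service = $tor['hidden_service']`, which is indexed as a hash without checking that the `tor` hash contains that key. The class body continues on the next hunk line.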
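Review bot: The `amber_build_${name}` exec declares `command => 'amber rebuild'` without a `path` attribute; Puppet requires an exec command to be fully qualified or to have `path` set, so as written this resource should fail on every agent run. It also subscribes to `Vcsrepo[$file_path]` without `refreshonly => true`, so once the path is supplied the rebuild would run on every agent run rather than only after the checkout changes; `command => 'amber rebuild', path => ['/usr/bin', '/bin', '<DIR-WHERE-THE-AMBER-GEM-BINARY-IS-INSTALLED>'], refreshonly => true,` addresses both. `$path` is otherwise used only in the `fail(...)` message while `$file_path` is derived from `$name`, which is worth a comment on the `$file_path` line. Since the rebuild executes content fetched from `$source['repo']` as `www-data`, the define's header comment should state that the configured repositories are trusted input.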
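Review bot: `AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$` interpolates the location path into a regular expression unescaped, so a path containing `.`, `+` or another metacharacter matches more than the literal path; `<%= Regexp.escape(@location_path) %>` preserves the intent. `AllowOverride FileInfo Indexes Options=All,MultiViews` lets a `.htaccess` committed to the site repository (checked out by location.pp) turn on any option for that directory, ExecCGI included; narrowing `Options=All` to what amber output actually needs, or a comment on that line stating the decision, would help the next reader. The `scope.function_guess_apache_version([]) == '2.4'` switch is duplicated verbatim in rack.erb.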
+++ b/puppet/modules/site_static/templates/apache.conf.erb 
@@ -0,0 +1,88 @@
+<%-
+ ##
+ ## An apache config for static websites.
+ ##
+
+ def location_directory(name, location)
+ if ['amber', 'rack'].include?(location['format'])
+ File.join(@base_dir, name, 'public')
+ else
+ File.join(@base_dir, name)
+ end
+ end
+
+ @document_root = begin
+ root = '/var/www'
+ @locations && @locations.each do |name, location|
+ root = location_directory(name, location) if location['path'] == '/'
+ end
+ root.gsub(%r{^/|/$}, '')
+ end
+
+ bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain')
+ bootstrap_client = scope.lookupvar('site_static::bootstrap_client')
+-%>
+
+<VirtualHost *:80>
+ ServerName <%= @domain %>
+ ServerAlias www.<%= @domain %>
+<%- @aliases && @aliases.each do |domain_alias| -%>
+ ServerAlias <%= domain_alias %>
+<%- end -%>
+<%- if @tls_only -%>
+ RewriteEngine On
+ RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L]
+<%- end -%>
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName <%= @domain %>
+ ServerAlias www.<%= @domain %>
+<%- @aliases && @aliases.each do |domain_alias| -%>
+ ServerAlias <%= domain_alias %>
+<%- end -%>
+
+ #RewriteLog "/var/log/apache2/rewrite.log"
+ #RewriteLogLevel 3
+
+ Include include.d/ssl_common.inc
+
+<%- if @tls_only -%>
+ Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+<%- end -%>
+ Header set X-Frame-Options "deny"
+ Header always unset X-Powered-By
+ Header always unset X-Runtime
+
+ SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key
+ SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+
+ DocumentRoot "/<%= @document_root %>/"
+ AccessFileName .htaccess
+
+<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%>
+ Alias /provider.json /srv/leap/provider.json
+ <Location /provider.json>
+ Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %>
+ </Location>
+<%- end -%>
+
+<%- if @apache_config -%>
+<%= @apache_config.gsub(':percent:','%') %>
+<%- end -%>
+
+<%- @locations && @locations.each do |name, location| -%>
+<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%>
+<%- directory = location_directory(name, location) -%>
+<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%>
+<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%>
+<%- break unless File.exists?(template_path) -%>
+ ##
+ ## <%= name %> (<%= location['format'] %>)
+ ##
+<%= scope.function_templatewlv([template_path, local_vars]) %>
+<%- end -%>
+
+</VirtualHost>
diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb
new file mode 100644
index 00000000..431778bb
--- /dev/null
+++ b/puppet/modules/site_static/templates/rack.erb
@@ -0,0 +1,19 @@
+ #PassengerLogLevel 1
+ #PassengerAppEnv production
+ #PassengerFriendlyErrorPages on
+<%- if @location_path != '' -%>
+ Alias /<%=@location_path%> "<%=@directory%>"
+ <Location /<%=@location_path%>>
+ PassengerBaseURI /<%=@location_path%>
+ PassengerAppRoot "<%=File.dirname(@directory)%>"
+ </Location>
+<%- end -%>
+ <Directory "<%=@directory%>">
+ Options -MultiViews
+<% if scope.function_guess_apache_version([]) == '2.4' %>
+ Require all granted
+<% else %>
+ Order deny,allow
+ Allow from all
+<% end %>
+ </Directory> |
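Review bot: `<%- break unless File.exists?(template_path) -%>` aborts the whole locations loop at the first format without a template file, so every location after it silently gets no `<Directory>` block; `next` is what is meant, or a `raise` naming the format, given that location.pp already rejects formats outside `['amber','rack']`. `File.exists?` is also the deprecated spelling and should be `File.exist?`. Separately, `Header set X-Frame-Options "deny"` lacks `always`, so it is not emitted on error responses, while the HSTS line just above it does use `always`; `Header always set X-Frame-Options "deny"` makes the two consistent.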