Diffstat (limited to 'puppet/modules/site_static')
| -rw-r--r-- | puppet/modules/site_static/README | 3 | ||||
| -rw-r--r-- | puppet/modules/site_static/manifests/domain.pp | 33 | ||||
| -rw-r--r-- | puppet/modules/site_static/manifests/init.pp | 72 | ||||
| -rw-r--r-- | puppet/modules/site_static/manifests/location.pp | 36 | ||||
| -rw-r--r-- | puppet/modules/site_static/templates/amber.erb | 13 | ||||
| -rw-r--r-- | puppet/modules/site_static/templates/apache.conf.erb | 88 | ||||
| -rw-r--r-- | puppet/modules/site_static/templates/rack.erb | 19 | 
7 files changed, 264 insertions, 0 deletions
|
diff --git a/puppet/modules/site_static/README b/puppet/modules/site_static/README
new file mode 100644
index 00000000..bc719782
--- /dev/null
+++ b/puppet/modules/site_static/README
@@ -0,0 +1,3 @@
+Deploy one or more static websites to a node.
+
+For now, it only supports `amber` based static sites. Should support plain html and jekyll in the future.
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
new file mode 100644
index 00000000..b26cc9e3
--- /dev/null
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -0,0 +1,33 @@
+# configure static service for domain
+define site_static::domain (
+  $ca_cert,
+  $key,
+  $cert,
+  $tls_only=true,
+  $locations=undef,
+  $aliases=undef,
+  $apache_config=undef) {
+
+  $domain = $name
+  $base_dir = '/srv/static'
+
+  $cafile = "${cert}\n${ca_cert}"
+
+  if is_hash($locations) {
+    create_resources(site_static::location, $locations)
+  }
+
+  x509::cert { $domain:
+    content => $cafile,
+    notify  => Service[apache]
+  }
+  x509::key { $domain:
+    content => $key,
+    notify  => Service[apache]
+  }
+
+  apache::vhost::file { $domain:
+    content => template('site_static/apache.conf.erb')
+  }
+
+}
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
new file mode 100644
index 00000000..4a722d62
--- /dev/null
+++ b/puppet/modules/site_static/manifests/init.pp
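Review bot: In manifests/domain.pp, `create_resources(site_static::location, $locations)` declares each location under its bare hash key, and location.pp derives `/srv/static/${name}` and the `vcsrepo` title from that key, so two domains that reuse the same location key would fail catalog compilation with a duplicate resource. Either document that location keys must be unique across all domains or prefix the resource title with the domain. Separately, `$cafile` is not a CA file: it holds the leaf certificate followed by the CA certificate and is passed to `x509::cert`, so a name like `$cert_chain` would describe it better. A `$locations` value that is not a hash is skipped silently, where a `fail()` would surface the misconfiguration.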
@@ -0,0 +1,72 @@
+# deploy static service
+class site_static {
+  tag 'leap_service'
+
+  include site_config::default
+  include site_config::x509::cert
+  include site_config::x509::key
+  include site_config::x509::ca_bundle
+
+  $static        = hiera('static')
+  $domains       = $static['domains']
+  $formats       = $static['formats']
+  $bootstrap     = $static['bootstrap_files']
+  $tor           = hiera('tor', false)
+
+  if $bootstrap['enabled'] {
+    $bootstrap_domain  = $bootstrap['domain']
+    $bootstrap_client  = $bootstrap['client_version']
+    file { '/srv/leap/provider.json':
+      content => $bootstrap['provider_json'],
+      owner   => 'www-data',
+      group   => 'www-data',
+      mode    => '0444';
+    }
+    # It is important to always touch provider.json: the client needs to check x-min-client-version header,
+    # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem
+    # is that changing min client version won't alter the content of provider.json, so we must touch it.
+    exec { '/bin/touch /srv/leap/provider.json':
+      require => File['/srv/leap/provider.json'];
+    }
+  }
+
+  include apache::module::headers
+  include apache::module::alias
+  include apache::module::expires
+  include apache::module::removeip
+  include apache::module::dir
+  include apache::module::negotiation
+  include site_apache::common
+  include site_config::ruby::dev
+
+  if (member($formats, 'rack')) {
+    include site_apt::preferences::passenger
+    class { 'passenger':
+      use_munin => false,
+      require   => Class['site_apt::preferences::passenger']
+    }
+  }
+
+  if (member($formats, 'amber')) {
+    rubygems::gem{'amber-0.3.8':
+      require =>  Package['zlib1g-dev']
+    }
+
+    package { 'zlib1g-dev':
+        ensure => installed
+    }
+  }
+
+  create_resources(site_static::domain, $domains)
+
+  if $tor {
+    $hidden_service = $tor['hidden_service']
+    if $hidden_service['active'] {
+      include site_webapp::hidden_service
+    }
+  }
+
+  include site_shorewall::defaults
+  include site_shorewall::service::http
+  include site_shorewall::service::https
+}
diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp
new file mode 100644
index 00000000..d116de2f
--- /dev/null
+++ b/puppet/modules/site_static/manifests/location.pp
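Review bot: In manifests/init.pp, `/srv/leap/provider.json` is created with `owner => 'www-data'`, so the account that presumably runs the web server owns the bootstrap file it serves and can change its mode and contents despite `0444`. Using `owner => 'root', group => 'root'` with the same mode keeps the file readable but not writable by that account. The same pattern appears in manifests/location.pp, where the `vcsrepo` checkout and the `amber rebuild` exec both use `www-data`, leaving the served tree writable by the serving account; a separate build or deploy user would narrow that. A comment next to `rubygems::gem{'amber-0.3.8':` should also note that the version is pinned but nothing visible in this class checks where the gem comes from or its integrity.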
@@ -0,0 +1,36 @@
+# configure static service for location
+define site_static::location($path, $format, $source) {
+
+  $file_path = "/srv/static/${name}"
+  $allowed_formats = ['amber','rack']
+
+  if $format == undef {
+    fail("static_site location `${path}` is missing `format` field.")
+  }
+
+  if ! member($allowed_formats, $format) {
+    $formats_str = join($allowed_formats, ', ')
+    fail("Unsupported static_site location format `${format}`. Supported formats include ${formats_str}.")
+  }
+
+  if ($format == 'amber') {
+    exec {"amber_build_${name}":
+      cwd       => $file_path,
+      command   => 'amber rebuild',
+      user      => 'www-data',
+      timeout   => 600,
+      subscribe => Vcsrepo[$file_path]
+    }
+  }
+
+  vcsrepo { $file_path:
+    ensure   => present,
+    force    => true,
+    revision => $source['revision'],
+    provider => $source['type'],
+    source   => $source['repo'],
+    owner    => 'www-data',
+    group    => 'www-data'
+  }
+
+}
diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb
new file mode 100644
index 00000000..694f1136
--- /dev/null
+++ b/puppet/modules/site_static/templates/amber.erb
@@ -0,0 +1,13 @@
+<%- if @location_path != '' -%>
+  AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1"
+  Alias /<%=@location_path%> "<%=@directory%>/"
+<%- end -%>
+  <Directory "<%=@directory%>/">
+    AllowOverride FileInfo Indexes Options=All,MultiViews
+<% if scope.function_guess_apache_version([]) == '2.4' %>
+    Require all granted
+<% else %>
+    Order deny,allow
+    Allow from all
+<% end %>
+  </Directory>
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
new file mode 100644
index 00000000..6b969d1c
--- /dev/null
+++ b/puppet/modules/site_static/templates/apache.conf.erb
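Review bot: In manifests/location.pp, the `amber_build_${name}` exec has `subscribe => Vcsrepo[$file_path]` but no `refreshonly => true`, so as written it runs `amber rebuild` on every Puppet run rather than only when the checkout changes; add `refreshonly => true` if that is the intent. `command => 'amber rebuild'` is also unqualified and has no `path` attribute, so it depends on a default exec path set somewhere outside this file. `$name` goes into `/srv/static/${name}` unvalidated while the `vcsrepo` uses `force => true`. A check such as `validate_re($name, '^[A-Za-z0-9_-]+$')` before the path is built would keep a malformed key from pointing the forced checkout outside `/srv/static`.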
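Review bot: In templates/amber.erb, `AllowOverride FileInfo Indexes Options=All,MultiViews` lets any `.htaccess` inside the checked-out site turn on every `Options` flag, including `ExecCGI` and `Includes`. That tree is fetched from a remote repository and owned by `www-data` (see location.pp). Unless a site needs more, restrict the override to what is actually used, for example `AllowOverride FileInfo Indexes Options=MultiViews`. `@location_path` is also placed into the `AliasMatch` pattern unescaped, so regex metacharacters in a location path change what the pattern matches; wrapping it as `<%= Regexp.escape(@location_path) %>` in that one line would avoid this.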
@@ -0,0 +1,88 @@
+<%-
+  ##
+  ## An apache config for static websites.
+  ##
+
+  def location_directory(name, location)
+    if ['amber', 'rack'].include?(location['format'])
+      File.join(@base_dir, name, 'public')
+    else
+      File.join(@base_dir, name)
+    end
+  end
+
+  @document_root = begin
+    root = '/var/www'
+    @locations && @locations.each do |name, location|
+      root = location_directory(name, location) if location['path'] == '/'
+    end
+    root.gsub(%r{^/|/$}, '')
+  end
+
+  bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain')
+  bootstrap_client = scope.lookupvar('site_static::bootstrap_client')
+-%>
+
+<VirtualHost *:80>
+  ServerName <%= @domain %>
+  ServerAlias www.<%= @domain %>
+<%- @aliases && @aliases.each do |domain_alias| -%>
+  ServerAlias <%= domain_alias %>
+<%- end -%>
+<%- if @tls_only -%>
+  RewriteEngine On
+  RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L]
+<%- end -%>
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName <%= @domain %>
+  ServerAlias www.<%= @domain %>
+<%- @aliases && @aliases.each do |domain_alias| -%>
+  ServerAlias <%= domain_alias %>
+<%- end -%>
+
+  #RewriteLog "/var/log/apache2/rewrite.log"
+  #RewriteLogLevel 3
+
+  Include include.d/ssl_common.inc
+  
+<%- if @tls_only -%>
+  Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+<%- end -%>
+  Header set X-Frame-Options "deny"
+  Header always unset X-Powered-By
+  Header always unset X-Runtime
+
+  SSLCertificateKeyFile    /etc/x509/keys/<%= @domain %>.key
+  SSLCertificateFile       /etc/x509/certs/<%= @domain %>.crt
+
+  RequestHeader set X_FORWARDED_PROTO 'https'
+
+  DocumentRoot "/<%= @document_root %>/"
+  AccessFileName .htaccess
+
+<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%>
+  Alias /provider.json /srv/leap/provider.json
+  <Location /provider.json>
+    Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %>
+  </Location>
+<%- end -%>
+
+<%- if @apache_config -%>
+<%=   @apache_config.gsub(':percent:','%') %>
+<%- end -%>
+
+<%- @locations && @locations.each do |name, location| -%>
+<%-   location_path = location['path'].gsub(%r{^/|/$}, '') -%>
+<%-   directory = location_directory(name, location) -%>
+<%-   local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%>
+<%-   template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%>
+<%-   break unless File.exists?(template_path) -%>
+  ##
+  ## <%= name %> (<%= location['format'] %>)
+  ##
+<%=   scope.function_templatewlv([template_path, local_vars]) %>
+<%- end -%>
+
+</VirtualHost>
diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb
new file mode 100644
index 00000000..431778bb
--- /dev/null
+++ b/puppet/modules/site_static/templates/rack.erb
@@ -0,0 +1,19 @@
+  #PassengerLogLevel 1
+  #PassengerAppEnv production
+  #PassengerFriendlyErrorPages on
+<%- if @location_path != '' -%>
+  Alias /<%=@location_path%> "<%=@directory%>"
+  <Location /<%=@location_path%>>
+    PassengerBaseURI /<%=@location_path%>
+    PassengerAppRoot "<%=File.dirname(@directory)%>"
+  </Location>
+<%- end -%>
+  <Directory "<%=@directory%>">
+    Options -MultiViews
+<% if scope.function_guess_apache_version([]) == '2.4' %>
+    Require all granted
+<% else %>
+    Order deny,allow
+    Allow from all
+<% end %>
+  </Directory> |
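Review bot: In templates/apache.conf.erb, the `provider.json` condition `([@aliases]+[@domain]).flatten.include?(bootstrap_domain)` can be true when bootstrap is disabled. If `@aliases` is nil and `scope.lookupvar` returns nil for the unset `site_static::bootstrap_domain` (an assumption about this Puppet version), the array contains nil and matches, and `bootstrap_client['min']` then fails on nil. Guarding it as `<%- if bootstrap_domain && ([@aliases]+[@domain]).flatten.compact.include?(bootstrap_domain) -%>` avoids that. In the locations loop, `break unless File.exists?(template_path)` silently drops every remaining location after the first missing template; `next` or a hard failure is probably what is meant, and `File.exist?` is the non-deprecated spelling. `@apache_config` is emitted verbatim into the TLS vhost, which deserves a comment such as `## raw Apache directives; must come from trusted configuration only`.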
