diff --git a/data/deployments/staging/common.yaml b/data/deployments/staging/common.yaml --- a/data/deployments/staging/common.yaml +++ b/data/deployments/staging/common.yaml @@ -3,6 +3,10 @@ swh::deploy::worker::loader_nixguix::loglevel: debug +swh::deploy::reverse_proxy::services: + - deposit + - webapp + swh::deploy::storage::db::host: db1.internal.staging.swh.network swh::deploy::storage::db::user: swh swh::deploy::storage::db::dbname: swh @@ -215,3 +219,11 @@ client_id: "swh.storage.journal_writer.%{::swh_hostname.short}" producer_config: message.max.bytes: 1000000000 + +## Reverse-proxy and frontend + +hitch::frontend: "[*]:443" +hitch::proxy_support: true + +varnish::http_port: 80 + diff --git a/data/hostname/deposit.internal.staging.swh.network.yaml b/data/hostname/deposit.internal.staging.swh.network.yaml --- a/data/hostname/deposit.internal.staging.swh.network.yaml +++ b/data/hostname/deposit.internal.staging.swh.network.yaml @@ -4,12 +4,6 @@ netmask: 255.255.255.0 gateway: 192.168.130.1 -## frontend - -hitch::frontend: "[*]:443" -hitch::proxy_support: true - -varnish::http_port: 80 apache::http_port: 9080 # Disable default vhost on port 80 diff --git a/data/hostname/webapp.internal.staging.swh.network.yaml b/data/hostname/webapp.internal.staging.swh.network.yaml --- a/data/hostname/webapp.internal.staging.swh.network.yaml +++ b/data/hostname/webapp.internal.staging.swh.network.yaml @@ -4,10 +4,6 @@ netmask: 255.255.255.0 gateway: 192.168.130.1 -hitch::frontend: "[*]:443" -hitch::proxy_support: true - -varnish::http_port: 80 apache::http_port: 9080 # Disable default vhost on port 80 diff --git a/manifests/site.pp b/manifests/site.pp --- a/manifests/site.pp +++ b/manifests/site.pp @@ -172,6 +172,10 @@ include role::swh_vault } +node /^rp\d\.internal\.staging\.swh\.network$/ { + include role::swh_reverse_proxy +} + node 'journal0.internal.staging.swh.network' { include role::swh_journal_allinone } 
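Review bot: In the deposit host hunk, removing `hitch::frontend`/`varnish::http_port` leaves `apache::http_port: 9080` as the only listener, so the application now answers plain HTTP to anything that can route to that port and the TLS/HSTS termination moved to the rp hosts can be bypassed unless 9080 is restricted; nothing in this diff narrows it, so please bind apache to the internal address or firewall 9080 to the rp nodes. Since TLS now ends on rp, the backend vhost should also only honour forwarded-proto/client-IP headers from the rp addresses — presumably handled in the vhost template, but that is not visible here and worth confirming. The same two points apply to the webapp host hunk. The `[*]:443` hitch bind moved into common.yaml is now deployment-wide data, which is fine only as long as `profile::hitch` is included solely by the rp role.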
diff --git a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
@@ -0,0 +1,46 @@
+# Reverse proxy to expose staging services
+# https://forge.softwareheritage.org/T2747
+class profile::swh::deploy::reverse_proxy {
+ include ::profile::hitch
+ include ::profile::varnish
+
+ $service_names = lookup('swh::deploy::reverse_proxy::services')
+ $varnish_http_port = lookup('varnish::http_port')
+
+ each($service_names) |$service_name| {
+ # Retrieve certificate name
+ $cert_name = lookup("swh::deploy::${service_name}::vhost::letsencrypt_cert")
+
+ # Retrieve the list of vhosts
+ $vhosts = lookup('letsencrypt::certificates')[$cert_name]['domains']
+ if $swh_hostname['fqdn'] in $vhosts {
+ $vhost_name = $swh_hostname['fqdn']
+ } else {
+ $vhost_name = $vhosts[0]
+ }
+ # Compute aliases, removing the main vhost from the list
+ $vhost_aliases = delete($vhosts, $vhost_name)
+
+ realize(::Profile::Hitch::Ssl_cert[$cert_name])
+ ::profile::varnish::vhost {$vhost_name:
+ aliases => $vhost_aliases,
+ hsts_max_age => lookup('strict_transport_security::max_age'),
+ }
+
+ # icinga alerts
+ # @@::icinga2::object::service {"${service_name} http redirect on ${::fqdn}":
+ # service_name => 'swh webapp http redirect',
+ # import => ['generic-service'],
+ # host_name => $::fqdn,
+ # check_command => 'http',
+ # vars => {
+ # http_address => $vhost_name,
+ # http_vhost => $vhost_name,
+ # http_port => $varnish_http_port,
+ # http_uri => '/',
+ # },
+ # target => $icinga_checks_file,
+ # tag => 'icinga2::exported',
+ # }
+ }
+}
diff --git a/site-modules/role/manifests/swh_reverse_proxy.pp b/site-modules/role/manifests/swh_reverse_proxy.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/role/manifests/swh_reverse_proxy.pp
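Review bot: The lookups inside the `each` body are unguarded: `lookup('letsencrypt::certificates')[$cert_name]['domains']` fails with an opaque "Operator '[]' is not applicable to an Undef Value" when a service's `letsencrypt_cert` key names a certificate that is not declared, and `$vhosts[0]` yields undef on an empty `domains` list, which then becomes an invalid title for `::profile::varnish::vhost`; fail early with a message naming the service, as below. Separately, `$swh_hostname['fqdn']` relies on top-scope resolution of a fact while the commented icinga block uses `$::fqdn` — prefer `$facts['swh_hostname']['fqdn']` throughout, and either finish or drop the commented-out icinga check rather than merging fifteen lines of dead code. The backend each vhost proxies to is not set in this class, so it presumably comes from the `::profile::varnish::vhost` defaults; confirm those point at the deposit/webapp hosts rather than a local backend on the rp node, since the rp hosts have no application listener on 9080.
```puppet
    $cert_name = lookup("swh::deploy::${service_name}::vhost::letsencrypt_cert")
    $certificates = lookup('letsencrypt::certificates', Hash)
    unless $cert_name in $certificates {
      fail("reverse_proxy: service '${service_name}' references unknown letsencrypt certificate '${cert_name}'")
    }
    $vhosts = $certificates[$cert_name]['domains']
    if empty($vhosts) {
      fail("reverse_proxy: letsencrypt certificate '${cert_name}' declares no domains")
    }
    # … unchanged: vhost_name / alias selection, realize and varnish vhost …
```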
@@ -0,0 +1,3 @@
+class role::swh_reverse_proxy inherits role::swh_server {
+ include profile::swh::deploy::reverse_proxy
+}