F9697443
diff --git a/site-modules/profile/manifests/swh/deploy/deposit.pp b/site-modules/profile/manifests/swh/deploy/deposit.pp
index 99d9c261..b16af739 100644
--- a/site-modules/profile/manifests/swh/deploy/deposit.pp
+++ b/site-modules/profile/manifests/swh/deploy/deposit.pp
@@ -1,275 +1,276 @@
# Deployment of the swh.deposit server
class profile::swh::deploy::deposit {
$config_directory = lookup('swh::deploy::deposit::config_directory')
$config_file = lookup('swh::deploy::deposit::config_file')
$user = lookup('swh::deploy::deposit::user')
$group = lookup('swh::deploy::deposit::group')
$conf_hiera = lookup('swh::deploy::deposit::config')
$static_dir = '/usr/lib/python3/dist-packages/swh/deposit/static'
$backend_listen_host = lookup('swh::deploy::deposit::backend::listen::host')
$backend_listen_port = lookup('swh::deploy::deposit::backend::listen::port')
$backend_listen_address = "${backend_listen_host}:${backend_listen_port}"
$backend_workers = lookup('swh::deploy::deposit::backend::workers')
$backend_http_keepalive = lookup('swh::deploy::deposit::backend::http_keepalive')
$backend_http_timeout = lookup('swh::deploy::deposit::backend::http_timeout')
$backend_reload_mercy = lookup('swh::deploy::deposit::backend::reload_mercy')
$vhost_url = lookup('swh::deploy::deposit::url')
$cert_name = lookup('swh::deploy::deposit::vhost::letsencrypt_cert')
$vhosts = lookup('letsencrypt::certificates')[$cert_name]['domains']
$full_conf = $conf_hiera + {allowed_hosts => $vhosts}
if $swh_hostname['fqdn'] in $vhosts {
$vhost_name = $swh_hostname['fqdn']
} else {
$vhost_name = $vhosts[0]
}
$vhost_aliases = delete($vhosts, $vhost_name)
$vhost_port = lookup('apache::http_port')
$vhost_docroot = "/var/www/${vhost_name}"
$vhost_basic_auth_file = "${config_directory}/http_auth"
# swh::deploy::deposit::vhost::basic_auth_content in private
$vhost_basic_auth_content = lookup('swh::deploy::deposit::vhost::basic_auth_content')
$vhost_ssl_port = lookup('apache::https_port')
$vhost_ssl_protocol = lookup('swh::deploy::deposit::vhost::ssl_protocol')
$vhost_ssl_honorcipherorder = lookup('swh::deploy::deposit::vhost::ssl_honorcipherorder')
$vhost_ssl_cipher = lookup('swh::deploy::deposit::vhost::ssl_cipher')
$locked_endpoints = lookup('swh::deploy::deposit::locked_endpoints', Array, 'unique')
$media_root_directory = lookup('swh::deploy::deposit::media_root_directory')
include ::gunicorn
# Install the necessary deps
::profile::swh::deploy::install_web_deps { 'swh-deposit':
services => ['gunicorn-swh-deposit'],
backport_list => 'swh::deploy::deposit::backported_packages',
swh_packages => ['python3-swh.deposit'],
+ ensure => present,
}
file {$config_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0755',
}
# swh's configuration part (upload size, etc...)
file {$config_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @full_conf.to_yaml %>\n"),
notify => Service['gunicorn-swh-deposit'],
}
file {$media_root_directory:
ensure => directory,
owner => $user,
group => $group,
mode => '2750',
}
$sentry_dsn = lookup("swh::deploy::deposit::sentry_dsn", Optional[String], 'first', undef)
$sentry_environment = lookup("swh::deploy::deposit::sentry_environment", Optional[String], 'first', undef)
$sentry_swh_package = lookup("swh::deploy::deposit::sentry_swh_package", Optional[String], 'first', undef)
::gunicorn::instance {'swh-deposit':
ensure => enabled,
user => $user,
group => $group,
executable => 'django.core.wsgi:get_wsgi_application()',
environment => {
'SWH_CONFIG_FILENAME' => $config_file,
'DJANGO_SETTINGS_MODULE' => 'swh.deposit.settings.production',
'SWH_SENTRY_DSN' => $sentry_dsn,
'SWH_SENTRY_ENVIRONMENT' => $sentry_environment,
'SWH_MAIN_PACKAGE' => $sentry_swh_package,
},
settings => {
bind => $backend_listen_address,
workers => $backend_workers,
worker_class => 'sync',
timeout => $backend_http_timeout,
graceful_timeout => $backend_reload_mercy,
keepalive => $backend_http_keepalive,
}
}
$endpoint_directories = $locked_endpoints.map |$endpoint| {
{ path => "^${endpoint}",
provider => 'locationmatch',
auth_type => 'Basic',
auth_name => 'Software Heritage Deposit',
auth_user_file => $vhost_basic_auth_file,
auth_require => 'valid-user',
}
}
include ::profile::apache::common
include ::apache::mod::proxy
include ::apache::mod::headers
::apache::vhost {"${vhost_name}_non-ssl":
servername => $vhost_name,
serveraliases => $vhost_aliases,
port => $vhost_port,
docroot => $vhost_docroot,
proxy_pass => [
{ path => '/static',
url => '!',
},
{ path => '/robots.txt',
url => '!',
},
{ path => '/favicon.ico',
url => '!',
},
{ path => '/',
url => "http://${backend_listen_address}/",
},
],
directories => [
{ path => '/1',
provider => 'location',
allow => 'from all',
satisfy => 'Any',
headers => ['add Access-Control-Allow-Origin "*"'],
},
{ path => $static_dir,
options => ['-Indexes'],
},
] + $endpoint_directories,
aliases => [
{ alias => '/static',
path => $static_dir,
},
{ alias => '/robots.txt',
path => "${static_dir}/robots.txt",
},
],
require => [
File[$vhost_basic_auth_file],
]
}
include ::profile::hitch
realize(::Profile::Hitch::Ssl_cert[$cert_name])
include ::profile::varnish
$url_scheme = split($vhost_url, ':')[0]
if $url_scheme == 'https' {
::profile::varnish::vhost {$vhost_name:
aliases => $vhost_aliases,
hsts_max_age => lookup('strict_transport_security::max_age'),
}
}
file {$vhost_basic_auth_file:
ensure => present,
owner => 'root',
group => 'www-data',
mode => '0640',
content => $vhost_basic_auth_content,
}
$icinga_checks_file = lookup('icinga2::exported_checks::filename')
@@::icinga2::object::service {"swh-deposit api (localhost on ${::fqdn})":
service_name => 'swh-deposit api (localhost)',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
command_endpoint => $::fqdn,
vars => {
http_address => '127.0.0.1',
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'The Software Heritage Deposit',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
if $backend_listen_host != '127.0.0.1' {
@@::icinga2::object::service {"swh-deposit api (remote on ${::fqdn})":
service_name => 'swh-deposit api (remote)',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'The Software Heritage Deposit',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
@@::icinga2::object::service {"swh-deposit http redirect on ${::fqdn}":
service_name => 'swh deposit http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_port,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-deposit https on ${::fqdn}":
service_name => 'swh deposit',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-deposit https certificate ${::fqdn}":
service_name => 'swh deposit https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_ssl => true,
http_sni => true,
http_certificate => 15,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
include profile::filebeat
profile::filebeat::log_input { 'deposit-non-ssl-access':
paths => [ '/var/log/apache2/deposit.softwareheritage.org_non-ssl_access.log' ],
fields => { 'apache_log_type' => 'access_log', },
}
}
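Review bot: The added `ensure => present` on the `install_web_deps { 'swh-deposit': ... }` call stops the agent from upgrading `python3-swh.deposit`, and nothing next to it says why or how upgrades, including security fixes, now reach this Apache-fronted service. I would put a comment directly above the line, for example `# ensure => present: deposit upgrades are rolled out by hand, not by the agent; security updates go through <upgrade procedure>`. The `notify => Service[$services]` in the define only fires when Puppet itself changes the package, so an out-of-band upgrade presumably leaves `gunicorn-swh-deposit` running the old code until someone restarts it; the upgrade procedure should include that restart.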
diff --git a/site-modules/profile/manifests/swh/deploy/install_web_deps.pp b/site-modules/profile/manifests/swh/deploy/install_web_deps.pp
index b53a6e7b..58cd7932 100644
--- a/site-modules/profile/manifests/swh/deploy/install_web_deps.pp
+++ b/site-modules/profile/manifests/swh/deploy/install_web_deps.pp
@@ -1,29 +1,30 @@
# Install web dependencies (eventually backporting some packages)
define profile::swh::deploy::install_web_deps (
Array $services = [],
String $pin_name = $name,
String $backport_list = 'swh::deploy::webapp::backported_packages',
Array $swh_packages = ['python3-swh.web'],
+ String $ensure = latest,
) {
$task_backported_packages = lookup($backport_list)
$pinned_packages = $task_backported_packages[$::lsbdistcodename]
if $pinned_packages {
::apt::pin {$pin_name:
explanation => "Pin ${pin_name} dependencies to backports",
codename => "${::lsbdistcodename}-backports",
packages => $pinned_packages,
priority => 990,
}
-> package {$swh_packages:
- ensure => latest,
+ ensure => $ensure,
require => Apt::Source['softwareheritage'],
notify => Service[$services],
}
} else {
package {$swh_packages:
- ensure => latest,
+ ensure => $ensure,
require => Apt::Source['softwareheritage'],
notify => Service[$services],
}
}
}
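Review bot: The new `$ensure` parameter is typed as a plain `String` with a bare-word default, so a misspelled value from a caller is passed to `package` as a version string and only fails at apply time on the node. Restricting it catches that at catalog compilation: `Enum['present', 'installed', 'latest'] $ensure = 'latest',` (widen it with a version pattern if pinning to a specific version is intended). The define's header comment should also describe the parameter, e.g. `# @param ensure package state; 'latest' upgrades on every agent run, 'present' leaves upgrades to the operator`, since the choice decides whether hosts pick up fixed packages automatically.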
Attached To
rSPSITE puppet-swh-site