annex_web.pp
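# Deployment of web-facing public Git-annex
#
# Declares two Apache vhosts for the annex host name: a port-80 vhost that
# permanently redirects to HTTPS, and the TLS vhost that serves the docroot.
# It also writes the two HTTP basic-auth user files and exports three Icinga2
# service checks (HTTP redirect, HTTPS, certificate expiry).
#
# Every site-specific value is read from Hiera through lookup(); the class
# takes no parameters.
class profile::annex_web {
  $annex_basepath = lookup('annex::basepath')

  $annex_vhost_name = lookup('annex::vhost::name')
  $annex_vhost_docroot = lookup('annex::vhost::docroot')

  # Basic-auth user files live under the annex base path, not the docroot.
  $annex_vhost_basic_auth_file = "${annex_basepath}/http_auth"
  $annex_vhost_provenance_basic_auth_file = "${annex_basepath}/http_auth_provenance"
  $annex_vhost_basic_auth_content = lookup('annex::vhost::basic_auth_content')
  $annex_vhost_provenance_basic_auth_content = lookup('annex::vhost::provenance::basic_auth_content')

  # TLS policy is data-driven; review the Hiera values when auditing protocol
  # and cipher choices, since nothing is pinned in this manifest.
  $annex_vhost_ssl_protocol = lookup('annex::vhost::ssl_protocol')
  $annex_vhost_ssl_honorcipherorder = lookup('annex::vhost::ssl_honorcipherorder')
  $annex_vhost_ssl_cipher = lookup('annex::vhost::ssl_cipher')
  $annex_vhost_hsts_header = lookup('annex::vhost::hsts_header')

  include ::profile::ssl
  include ::profile::apache::common

  # Plain-HTTP vhost: its only job is the permanent redirect to HTTPS.
  ::apache::vhost { "${annex_vhost_name}_non-ssl":
    servername      => $annex_vhost_name,
    port            => '80',
    docroot         => $annex_vhost_docroot,
    redirect_status => 'permanent',
    redirect_dest   => "https://${annex_vhost_name}/",
  }

  # Certificate, chain and key paths are published by profile::ssl, keyed by
  # certificate name.
  $ssl_cert_name = 'star_softwareheritage_org'
  $ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
  $ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
  $ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]

  ::apache::vhost { "${annex_vhost_name}_ssl":
    servername           => $annex_vhost_name,
    port                 => '443',
    ssl                  => true,
    ssl_protocol         => $annex_vhost_ssl_protocol,
    ssl_honorcipherorder => $annex_vhost_ssl_honorcipherorder,
    ssl_cipher           => $annex_vhost_ssl_cipher,
    ssl_cert             => $ssl_cert,
    ssl_chain            => $ssl_chain,
    ssl_key              => $ssl_key,
    headers              => [$annex_vhost_hsts_header],
    docroot              => $annex_vhost_docroot,
    directories          => [
      {
        # Docroot is world-readable with directory listings enabled.
        # NOTE(review): IndexIgnore only hides entries from generated
        # listings; it is not an access control. provenance-index gets basic
        # auth below, but no block in this vhost restricts `private`. Confirm
        # it is protected elsewhere, or add an explicit auth/deny block.
        'path'            => $annex_vhost_docroot,
        'require'         => 'all granted',
        'options'         => ['Indexes', 'FollowSymLinks', 'MultiViews'],
        'custom_fragment' => 'IndexIgnore private provenance-index',
      },
      {
        # hide (annex) .git directory
        # NOTE(review): on Apache 2.4 a DirectoryMatch applies only to
        # directories that match the regex itself, so the `$` anchor here
        # probably leaves sub-directories such as .git/objects or .git/annex
        # outside this deny. Verify against the deployed Apache version and
        # widen the pattern if they must not be served.
        'path'     => '.*/\.git/?$',
        'provider' => 'directorymatch',
        'require'  => 'all denied',
      },
      {
        # 'basic' provenance-index authentication
        'path'            => "${annex_vhost_docroot}/provenance-index",
        'auth_type'       => 'basic',
        'auth_name'       => 'SWH - Password Required',
        'auth_user_file'  => $annex_vhost_provenance_basic_auth_file,
        'auth_require'    => 'valid-user',
        'index_options'   => 'FancyIndexing',
        'custom_fragment' => 'ReadmeName readme.txt',
      },
    ],
    # The vhost must not be configured before the TLS material is on disk.
    require              => [
      File[$ssl_cert],
      File[$ssl_chain],
      File[$ssl_key],
    ],
  }

  # Expose the public part of the annex under the docroot through a relative
  # symlink; the docroot's FollowSymLinks option is what lets Apache serve it.
  file { "${annex_vhost_docroot}/public":
    ensure  => link,
    target  => '../annexroot/public',
    require => File[$annex_vhost_docroot],
  }

  # General basic-auth user file. No `directories` entry in this class refers
  # to it; presumably it is consumed elsewhere (TODO confirm).
  file { $annex_vhost_basic_auth_file:
    ensure    => present,
    owner     => 'root',
    group     => 'www-data',
    mode      => '0640',
    # Double-quoted so that the Hiera value is written. The previous
    # single-quoted form wrote the literal text
    # `$annex_vhost_basic_auth_content` into the file instead of credentials.
    content   => "${annex_vhost_basic_auth_content}",
    # Keep credential hashes out of agent logs and reports.
    show_diff => false,
  }

  # Basic-auth user file for the provenance-index directory above.
  file { $annex_vhost_provenance_basic_auth_file:
    ensure    => present,
    owner     => 'root',
    group     => 'www-data',
    mode      => '0640',
    content   => "${annex_vhost_provenance_basic_auth_content}",
    # Keep credential hashes out of agent logs and reports.
    show_diff => false,
  }

  $icinga_checks_file = lookup('icinga2::exported_checks::filename')

  # Exported resources (@@): these are declared here and collected by
  # whichever node realises resources tagged 'icinga2::exported'.

  # Check that the port-80 vhost answers.
  @@::icinga2::object::service { "annex http redirect on ${::fqdn}":
    service_name  => 'annex http redirect',
    import        => ['generic-service'],
    host_name     => $::fqdn,
    check_command => 'http',
    vars          => {
      http_address => $annex_vhost_name,
      http_vhost   => $annex_vhost_name,
      http_uri     => '/',
    },
    target        => $icinga_checks_file,
    tag           => 'icinga2::exported',
  }

  # Check that the TLS vhost answers, with SNI.
  @@::icinga2::object::service { "annex https on ${::fqdn}":
    service_name  => 'annex https',
    import        => ['generic-service'],
    host_name     => $::fqdn,
    check_command => 'http',
    vars          => {
      http_address    => $annex_vhost_name,
      http_vhost      => $annex_vhost_name,
      http_ssl        => true,
      http_sni        => true,
      http_uri        => '/',
      http_onredirect => 'sticky',
    },
    target        => $icinga_checks_file,
    tag           => 'icinga2::exported',
  }

  # Certificate expiry check, using a threshold of 60 (days, per the http
  # check's certificate option; confirm against the Icinga command definition).
  @@::icinga2::object::service { "annex https certificate ${::fqdn}":
    service_name  => 'annex https certificate',
    import        => ['generic-service'],
    host_name     => $::fqdn,
    check_command => 'http',
    vars          => {
      http_address     => $annex_vhost_name,
      http_vhost       => $annex_vhost_name,
      http_ssl         => true,
      http_sni         => true,
      http_certificate => 60,
    },
    target        => $icinga_checks_file,
    tag           => 'icinga2::exported',
  }
}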