diff --git a/manifests/swh/deploy/webapp.pp b/manifests/swh/deploy/webapp.pp index a903a05..9a5aca7 100644 --- a/manifests/swh/deploy/webapp.pp +++ b/manifests/swh/deploy/webapp.pp @@ -1,179 +1,184 @@ # WebApp deployment class profile::swh::deploy::webapp { $conf_directory = hiera('swh::deploy::webapp::conf_directory') $conf_file = hiera('swh::deploy::webapp::conf_file') $user = hiera('swh::deploy::webapp::user') $group = hiera('swh::deploy::webapp::group') $conf_storage_class = hiera('swh::deploy::webapp::conf::storage_class') $conf_storage_args = hiera('swh::deploy::webapp::conf::storage_args') $conf_log_dir = hiera('swh::deploy::webapp::conf::log_dir') $conf_secret_key = hiera('swh::deploy::webapp::conf::secret_key') $uwsgi_listen_address = hiera('swh::deploy::webapp::uwsgi::listen') $uwsgi_protocol = hiera('swh::deploy::webapp::uwsgi::protocol') $uwsgi_workers = hiera('swh::deploy::webapp::uwsgi::workers') $uwsgi_max_requests = hiera('swh::deploy::webapp::uwsgi::max_requests') $uwsgi_max_requests_delta = hiera('swh::deploy::webapp::uwsgi::max_requests_delta') $uwsgi_reload_mercy = hiera('swh::deploy::webapp::uwsgi::reload_mercy') $swh_packages = ['python3-swh.web.ui'] $vhost_name = hiera('swh::deploy::webapp::vhost::name') $vhost_aliases = hiera('swh::deploy::webapp::vhost::aliases') $vhost_docroot = hiera('swh::deploy::webapp::vhost::docroot') $vhost_basic_auth_file = "${conf_directory}/http_auth" $vhost_basic_auth_content = hiera('swh::deploy::webapp::vhost::basic_auth_content') $vhost_ssl_protocol = hiera('swh::deploy::webapp::vhost::ssl_protocol') $vhost_ssl_honorcipherorder = hiera('swh::deploy::webapp::vhost::ssl_honorcipherorder') $vhost_ssl_cipher = hiera('swh::deploy::webapp::vhost::ssl_cipher') + $open_endpoints = hiera_array('swh::deploy::webapp::open_endpoints') + + $endpoint_directories = $open_endpoints.map |$endpoint| { + { path => $endpoint, + provider => 'location', + allow => 'from all', + satisfy => 'Any', + headers => ['add Access-Control-Allow-Origin "*"'], + } + } + include ::uwsgi package {$swh_packages: ensure => latest, require => Apt::Source['softwareheritage'], notify => [ Service['uwsgi'], Exec['update-static'], ], } file {$conf_directory: ensure => directory, owner => 'root', group => $group, mode => '0755', } file {$conf_log_dir: ensure => directory, owner => 'root', group => $group, mode => '0770', } file {$vhost_docroot: ensure => directory, owner => 'root', group => $group, mode => '0755', } file {$conf_file: ensure => present, owner => 'root', group => $group, mode => '0640', content => template('profile/swh/deploy/webapp/webapp.ini.erb'), notify => Service['uwsgi'], } ::uwsgi::site {'swh-webapp': ensure => enabled, settings => { plugin => 'python3', protocol => $uwsgi_protocol, socket => $uwsgi_listen_address, workers => $uwsgi_workers, max_requests => $uwsgi_max_requests, max_requests_delta => $uwsgi_max_requests_delta, worker_reload_mercy => $uwsgi_reload_mercy, reload_mercy => $uwsgi_reload_mercy, uid => $user, gid => $user, umask => '022', module => 'swh.web.ui.main', callable => 'run_from_webserver', } } exec {'update-static': path => ['/bin', '/usr/bin'], command => "rsync -az --delete /usr/lib/python3/dist-packages/swh/web/ui/static/ ${vhost_docroot}/static/", refreshonly => true, require => [ File[$vhost_docroot], Package[$swh_packages], ], } include ::profile::ssl include ::apache include ::apache::mod::proxy include ::apache::mod::headers ::apache::mod {'proxy_uwsgi':} ::apache::vhost {"${vhost_name}_non-ssl": servername => $vhost_name, serveraliases => $vhost_aliases, port => '80', docroot => $vhost_docroot, redirect_status => 'permanent', redirect_dest => "https://${vhost_name}/", } $ssl_cert_name = 'star_softwareheritage_org' $ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name] $ssl_ca = $::profile::ssl::ca_paths[$ssl_cert_name] $ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name] ::apache::vhost {"${vhost_name}_ssl": servername => $vhost_name, serveraliases => $vhost_aliases, port => '443', ssl => true, ssl_protocol => $vhost_ssl_protocol, ssl_honorcipherorder => $vhost_ssl_honorcipherorder, ssl_cipher => $vhost_ssl_cipher, ssl_cert => $ssl_cert, ssl_ca => $ssl_ca, ssl_key => $ssl_key, docroot => $vhost_docroot, proxy_pass => [ { path => '/static', url => '!', }, { path => '/favicon.ico', url => '!', }, { path => '/', url => "uwsgi://${uwsgi_listen_address}/", }, ], directories => [ { path => '/', provider => 'location', auth_type => 'Basic', auth_name => 'Software Heritage development', auth_user_file => $vhost_basic_auth_file, auth_require => 'valid-user', }, - { path => '/api', - provider => 'location', - allow => 'from all', - satisfy => 'Any', - headers => ['add Access-Control-Allow-Origin "*"'], - }, { path => "${vhost_docroot}/static", options => ['-Indexes'], }, - ], + ] + $endpoint_directories, require => [ File[$vhost_basic_auth_file], File[$ssl_cert], File[$ssl_ca], File[$ssl_key], Exec['update-static'], ], } file {$vhost_basic_auth_file: ensure => present, owner => 'root', group => 'www-data', mode => '0640', content => $vhost_basic_auth_content, } }