riverside (but cannot octo-diff it as the fqdn changes)
pergamon (reverse-proxy, dns) impacted:
- as the reverse proxy vhost is changed to temporarily redirect to the new vhost on
  rp1.admin
- Add a CNAME from riverside.i.s.a.n to sentry.i.s.a.n (internal use to clarify
  riverside is sentry from a naming standpoint)
```
$ $SWH_PUPPET_ENVIRONMENT_HOME/bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details --to staging pergamon
Found host pergamon.softwareheritage.org
WARN -> Environment "staging-add-prometheus-metrics" contained non-word characters, correcting name to staging_add_prometheus_metrics
WARN -> Environment "staging-bullseye-rabbitmq-plugin" contained non-word characters, correcting name to staging_bullseye_rabbitmq_plugin
WARN -> Environment "staging-check-journal-client" contained non-word characters, correcting name to staging_check_journal_client
WARN -> Environment "staging-check-journal-client-2nd-implementation" contained non-word characters, correcting name to staging_check_journal_client_2nd_implementation
WARN -> Environment "staging-check-journal-client-first-implem" contained non-word characters, correcting name to staging_check_journal_client_first_implem
WARN -> Environment "staging-pin" contained non-word characters, correcting name to staging_pin
Cloning into '/tmp/swh-ocd.HthsszKa/environments/production/data/private'...
done.
Cloning into '/tmp/swh-ocd.HthsszKa/environments/staging/data/private'...
done.
*** Running octocatalog-diff on host pergamon.softwareheritage.org
I, [2022-01-27T11:52:23.753680 #653081] INFO -- : Catalogs compiled for pergamon.softwareheritage.org
W, [2022-01-27T11:52:25.405374 #653081] WARN -- : Resource File[/tmp/ocd-ipc-20220127-653081-m8nif9/ocd-builddir-20220127-653083-onau6k/routes.yaml] appears to depend on catalog compilation directory. Suppressed from results.
W, [2022-01-27T11:52:25.405854 #653081] WARN -- : Resource File[/tmp/ocd-ipc-20220127-653081-m8nif9/ocd-builddir-20220127-653082-aa5alc/routes.yaml] appears to depend on catalog compilation directory. Suppressed from results.
W, [2022-01-27T11:52:25.406822 #653081] WARN -- : Resource key Ini_setting[puppetdbserver_urls] parameters => path may depend on catalog compilation directory, but there may be differences. This is included in results for now, but please verify.
W, [2022-01-27T11:52:25.406846 #653081] WARN -- : Resource key Ini_setting[puppetdbserver_urls] parameters => path appears to depend on catalog compilation directory. Suppressed from results.
W, [2022-01-27T11:52:25.406902 #653081] WARN -- : Resource key Ini_setting[soft_write_failure] parameters => path may depend on catalog compilation directory, but there may be differences. This is included in results for now, but please verify.
W, [2022-01-27T11:52:25.406943 #653081] WARN -- : Resource key Ini_setting[soft_write_failure] parameters => path appears to depend on catalog compilation directory. Suppressed from results.
I, [2022-01-27T11:52:25.408260 #653081] INFO -- : Diffs computed for pergamon.softwareheritage.org
diff origin/production/pergamon.softwareheritage.org current/pergamon.softwareheritage.org
*******************************************
- Apache::Mod[proxy]
*******************************************
- Apache::Mod[proxy_http]
*******************************************
Apache::Vhost[sentry.softwareheritage.org_non-ssl] =>
parameters =>
docroot =>
- /var/www/html
+ /var/www
manage_docroot =>
- false
+ true
*******************************************
Apache::Vhost[sentry.softwareheritage.org_ssl] =>
parameters =>
docroot =>
- /var/www/html
+ /var/www
manage_docroot =>
- false
+ true
proxy_pass =>
- [{"path"=>"/", "url"=>"http://riverside.internal.softwareheritage.org:9000/"}]
proxy_preserve_host =>
- true
+ false
request_headers =>
- ["set X-Forwarded-Proto \"https\"", "set X-Forwarded-Port \"443\""]
rewrites =>
+ [{"rewrite_rule"=>["^.*$ http://riverside.internal.admin.swh.network"]}]
ssl_cert =>
- /etc/ssl/certs/letsencrypt/sentry/cert.pem
+ /etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem
ssl_chain =>
- /etc/ssl/certs/letsencrypt/sentry/chain.pem
+ /etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem
ssl_key =>
- /etc/ssl/certs/letsencrypt/sentry/privkey.pem
+ /etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem
*******************************************
Concat::Fragment[sentry.softwareheritage.org_non-ssl-directories] =>
parameters =>
content =>
@@ -1,6 +1,6 @@
_
- ## Directories, there should at least be a declaration for /var/www/html
+ ## Directories, there should at least be a declaration for /var/www
_
- <Directory "/var/www/html">
+ <Directory "/var/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
*******************************************
Concat::Fragment[sentry.softwareheritage.org_non-ssl-docroot] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
_
## Vhost docroot
- DocumentRoot "/var/www/html"
+ DocumentRoot "/var/www"
*******************************************
Concat::Fragment[sentry.softwareheritage.org_ssl-directories] =>
parameters =>
content =>
@@ -1,6 +1,6 @@
_
- ## Directories, there should at least be a declaration for /var/www/html
+ ## Directories, there should at least be a declaration for /var/www
_
- <Directory "/var/www/html">
+ <Directory "/var/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
*******************************************
Concat::Fragment[sentry.softwareheritage.org_ssl-docroot] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
_
## Vhost docroot
- DocumentRoot "/var/www/html"
+ DocumentRoot "/var/www"
*******************************************
- Concat::Fragment[sentry.softwareheritage.org_ssl-proxy]
*******************************************
- Concat::Fragment[sentry.softwareheritage.org_ssl-requestheader]
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org_ssl-rewrite] =>
parameters =>
"order": 190
"target": "25-sentry.softwareheritage.org_ssl.conf"
"content": >>>
## Rewrite rules
RewriteEngine On
RewriteRule ^.*$ http://riverside.internal.admin.swh.network
<<<
*******************************************
Concat::Fragment[sentry.softwareheritage.org_ssl-ssl] =>
parameters =>
content =>
@@ -2,7 +2,7 @@
## SSL directives
SSLEngine on
- SSLCertificateFile "/etc/ssl/certs/letsencrypt/sentry/cert.pem"
- SSLCertificateKeyFile "/etc/ssl/certs/letsencrypt/sentry/privkey.pem"
- SSLCertificateChainFile "/etc/ssl/certs/letsencrypt/sentry/chain.pem"
+ SSLCertificateFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
+ SSLCertificateKeyFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
+ SSLCertificateChainFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
*******************************************
Concat_fragment[sentry.softwareheritage.org_non-ssl-directories] =>
parameters =>
content =>
@@ -1,6 +1,6 @@
_
- ## Directories, there should at least be a declaration for /var/www/html
+ ## Directories, there should at least be a declaration for /var/www
_
- <Directory "/var/www/html">
+ <Directory "/var/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
*******************************************
Concat_fragment[sentry.softwareheritage.org_non-ssl-docroot] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
_
## Vhost docroot
- DocumentRoot "/var/www/html"
+ DocumentRoot "/var/www"
*******************************************
Concat_fragment[sentry.softwareheritage.org_ssl-directories] =>
parameters =>
content =>
@@ -1,6 +1,6 @@
_
- ## Directories, there should at least be a declaration for /var/www/html
+ ## Directories, there should at least be a declaration for /var/www
_
- <Directory "/var/www/html">
+ <Directory "/var/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
*******************************************
Concat_fragment[sentry.softwareheritage.org_ssl-docroot] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
_
## Vhost docroot
- DocumentRoot "/var/www/html"
+ DocumentRoot "/var/www"
*******************************************
- Concat_fragment[sentry.softwareheritage.org_ssl-proxy]
*******************************************
- Concat_fragment[sentry.softwareheritage.org_ssl-requestheader]
*******************************************
+ Concat_fragment[sentry.softwareheritage.org_ssl-rewrite] =>
parameters =>
"order": 190
"tag": "25-sentry.softwareheritage.org_ssl.conf"
"target": "25-sentry.softwareheritage.org_ssl.conf"
"content": >>>
## Rewrite rules
RewriteEngine On
RewriteRule ^.*$ http://riverside.internal.admin.swh.network
<<<
*******************************************
Concat_fragment[sentry.softwareheritage.org_ssl-ssl] =>
parameters =>
content =>
@@ -2,7 +2,7 @@
## SSL directives
SSLEngine on
- SSLCertificateFile "/etc/ssl/certs/letsencrypt/sentry/cert.pem"
- SSLCertificateKeyFile "/etc/ssl/certs/letsencrypt/sentry/privkey.pem"
- SSLCertificateChainFile "/etc/ssl/certs/letsencrypt/sentry/chain.pem"
+ SSLCertificateFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
+ SSLCertificateKeyFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
+ SSLCertificateChainFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
*******************************************
+ Exec[letsencrypt certonly sentry.softwareheritage.org] =>
parameters =>
"command": "certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 --cert-name 'sentry.softwareheritage.org' -d 'sentry.softwareheritage.org' --authenticator manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook '/usr/local/bin/letsencrypt_gandi_livedns auth' --manual-cleanup-hook '/usr/local/bin/letsencrypt_gandi_livedns cleanup' --deploy-hook '/usr/local/bin/letsencrypt_puppet_export'"
"environment": []
"path": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"provider": "shell"
"unless": "/usr/local/sbin/letsencrypt-domain-validation /etc/letsencrypt/live/sentry.softwareheritage.org/cert.pem 'sentry.softwareheritage.org'"
*******************************************
- Exec[letsencrypt certonly sentry]
*******************************************
- File[/etc/apache2/mods-available/proxy.conf]
*******************************************
- File[/etc/apache2/mods-available/proxy.load]
*******************************************
- File[/etc/apache2/mods-available/proxy_http.load]
*******************************************
- File[/etc/apache2/mods-enabled/proxy.conf]
*******************************************
- File[/etc/apache2/mods-enabled/proxy.load]
*******************************************
- File[/etc/apache2/mods-enabled/proxy_http.load]
*******************************************
File[/etc/bind/keys/local-update] =>
parameters =>
content =>
@@ -2,4 +2,4 @@
key local-update {
algorithm hmac-sha256;
- secret "qL6avkdLD8qFJ8yaOyImvIW9uoZZZAeKfxMNVUVUctyegR/gTlED++D8LKMB5ERmMK7Po1z0TUDb/JDH5a9SNA==";
+ secret "CX1JUFOSsZKzNzNR11vdNsGNaMgCmcmhmxYONlnQHYlhm36z0c1DlE5RLQbHNszufWrODyZqY91HKdIpEnIf5w==";
};
*******************************************
File[/etc/bind/rndc.key] =>
parameters =>
content =>
@@ -2,4 +2,4 @@
key rndc-key {
algorithm hmac-md5;
- secret "CMetm5NLwRyk41SjM0ktHhBc5D5a4m6sqs/maI6A0NUIqDdtw605hcPiTeC1KMxQMSn8ZtSocl0/jCQFMsarmw==";
+ secret "PlPPnlJxnpApHdi4zxauG7xPBBYqB7txs+k4fiouThqjBS/YaGZMnm4h16sWhmDNGwDima0CSvyShjsZj430nQ==";
};
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"notify": ["Class[Apache::Service]"]
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/cert.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"notify": ["Class[Apache::Service]"]
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/chain.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/fullchain.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/fullchain.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0600"
"notify": ["Class[Apache::Service]"]
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/privkey.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org] =>
parameters =>
"ensure": "directory"
"group": "root"
"mode": "0755"
"owner": "root"
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry/cert.pem]
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry/chain.pem]
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry/fullchain.pem]
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry/privkey.pem]
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry]
*******************************************
+ File[/var/www] =>
parameters =>
"ensure": "directory"
"group": "root"
"owner": "root"
*******************************************
+ Letsencrypt::Certonly[sentry.softwareheritage.org] =>
parameters =>
"additional_args": ["--authenticator manual", "--preferred-challenges dns", "--manual-public-ip-logging-ok", "--manual-auth-hook '/usr/local/bin/letsencrypt_gandi_livedns auth'", "--manual-cleanup-hook '/usr/local/bin/letsencrypt_gandi_livedns cleanup'", "--deploy-hook '/usr/local/bin/letsencrypt_puppet_export'"]
"cert_name": "sentry.softwareheritage.org"
"config_dir": "/etc/letsencrypt"
"cron_hour": 4
"cron_minute": 15
"cron_monthday": ["*"]
"custom_plugin": true
"deploy_hook_commands": []
"domains": ["sentry.softwareheritage.org"]
"ensure": "present"
"environment": []
"key_size": 4096
"letsencrypt_command": "certbot"
"manage_cron": false
"plugin": "standalone"
"post_hook_commands": []
"pre_hook_commands": []
"suppress_cron_output": false
"webroot_paths": []
*******************************************
- Letsencrypt::Certonly[sentry]
*******************************************
+ Profile::Letsencrypt::Certificate[sentry.softwareheritage.org] =>
parameters =>
"basename": "sentry.softwareheritage.org"
"privkey_group": "root"
"privkey_mode": "0600"
"privkey_owner": "root"
*******************************************
- Profile::Letsencrypt::Certificate[sentry]
*******************************************
- Profile::Reverse_proxy[sentry]
*******************************************
*** End octocatalog-diff on pergamon.softwareheritage.org
```
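Review bot: In the `Concat::Fragment[sentry.softwareheritage.org_ssl-rewrite]` content, `RewriteRule ^.*$ http://riverside.internal.admin.swh.network` sends every request arriving on the TLS vhost to a plain-http URL on an internal name and discards the request path. The rule carries no flags, so the redirect status is left to mod_rewrite's default handling of an absolute URL on another host. If this vhost can still receive client traffic during the transition, consider an explicit `[R=302,L]` and keeping the path in the substitution. Also check that the target is the intended one: the description speaks of redirecting to the new vhost on rp1.admin, while this rule points at the riverside name directly.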
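Review bot: The `File[/etc/bind/keys/local-update]` and `File[/etc/bind/rndc.key]` hunks print both the old and new `secret` values in clear, and neither resource looks related to the sentry vhost move. If either value is in use on a real name server, it should be rotated and the output redacted before it is attached to a review. Otherwise a short remark in the description explaining why these two keys differ between the compared environments would save the next reader the check. The `rndc-key` block also still declares `algorithm hmac-md5` while `local-update` uses `hmac-sha256`; moving rndc to hmac-sha256 is worth a follow-up.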
rp1:
```
$ $SWH_PUPPET_ENVIRONMENT_HOME/bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details --to staging rp1.internal.admin.swh.network
Found host rp1.internal.admin.swh.network
WARN -> Environment "staging-add-prometheus-metrics" contained non-word characters, correcting name to staging_add_prometheus_metrics
WARN -> Environment "staging-bullseye-rabbitmq-plugin" contained non-word characters, correcting name to staging_bullseye_rabbitmq_plugin
WARN -> Environment "staging-check-journal-client" contained non-word characters, correcting name to staging_check_journal_client
WARN -> Environment "staging-check-journal-client-2nd-implementation" contained non-word characters, correcting name to staging_check_journal_client_2nd_implementation
WARN -> Environment "staging-check-journal-client-first-implem" contained non-word characters, correcting name to staging_check_journal_client_first_implem
WARN -> Environment "staging-pin" contained non-word characters, correcting name to staging_pin
Cloning into '/tmp/swh-ocd.TDFGLwFC/environments/production/data/private'...
done.
Cloning into '/tmp/swh-ocd.TDFGLwFC/environments/staging/data/private'...
done.
*** Running octocatalog-diff on host rp1.internal.admin.swh.network
I, [2022-01-27T11:52:13.235412 #651395] INFO -- : Catalogs compiled for rp1.internal.admin.swh.network
I, [2022-01-27T11:52:13.847654 #651395] INFO -- : Diffs computed for rp1.internal.admin.swh.network
diff origin/production/rp1.internal.admin.swh.network current/rp1.internal.admin.swh.network
*******************************************
+ Concat::Fragment[/etc/varnish/includes.vcl:sentry] =>
parameters =>
"content": "include \"includes/01_sentry.vcl\";"
"order": "01"
"target": "/etc/varnish/includes.vcl"
*******************************************
+ Concat::Fragment[/etc/varnish/includes.vcl:vhost_sentry.softwareheritage.org] =>
parameters =>
"content": "include \"includes/50_vhost_sentry.softwareheritage.org.vcl\";"
"order": "50"
"target": "/etc/varnish/includes.vcl"
*******************************************
+ Concat::Fragment[hitch::domain sentry.softwareheritage.org] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "10"
"target": "/etc/hitch/hitch.conf"
"content": >>>
pem-file = "/etc/hitch/sentry.softwareheritage.org.pem"
<<<
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org cacert] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "03"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org cert] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "02"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org dhparams] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "04"
"source": "/etc/hitch/dhparams.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org key] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "01"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat[/etc/hitch/sentry.softwareheritage.org.pem] =>
parameters =>
"backup": "puppet"
"ensure": "present"
"ensure_newline": false
"force": false
"format": "plain"
"group": "_hitch"
"mode": "0640"
"notify": "Class[Hitch::Service]"
"order": "alpha"
"owner": "root"
"path": "/etc/hitch/sentry.softwareheritage.org.pem"
"replace": true
"show_diff": true
"warn": false
*******************************************
+ Concat_file[/etc/hitch/sentry.softwareheritage.org.pem] =>
parameters =>
"backup": "puppet"
"ensure_newline": false
"force": false
"format": "plain"
"group": "_hitch"
"mode": "0640"
"order": "alpha"
"owner": "root"
"replace": true
"show_diff": true
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
*******************************************
+ Concat_fragment[/etc/varnish/includes.vcl:sentry] =>
parameters =>
"content": "include \"includes/01_sentry.vcl\";"
"order": "01"
"tag": "_etc_varnish_includes.vcl"
"target": "/etc/varnish/includes.vcl"
*******************************************
+ Concat_fragment[/etc/varnish/includes.vcl:vhost_sentry.softwareheritage.org] =>
parameters =>
"content": "include \"includes/50_vhost_sentry.softwareheritage.org.vcl\";"
"order": "50"
"tag": "_etc_varnish_includes.vcl"
"target": "/etc/varnish/includes.vcl"
*******************************************
+ Concat_fragment[hitch::domain sentry.softwareheritage.org] =>
parameters =>
"order": "10"
"tag": "_etc_hitch_hitch.conf"
"target": "/etc/hitch/hitch.conf"
"content": >>>
pem-file = "/etc/hitch/sentry.softwareheritage.org.pem"
<<<
*******************************************
+ Concat_fragment[sentry.softwareheritage.org cacert] =>
parameters =>
"order": "03"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat_fragment[sentry.softwareheritage.org cert] =>
parameters =>
"order": "02"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat_fragment[sentry.softwareheritage.org dhparams] =>
parameters =>
"order": "04"
"source": "/etc/hitch/dhparams.pem"
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat_fragment[sentry.softwareheritage.org key] =>
parameters =>
"order": "01"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/cert.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/chain.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/fullchain.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/fullchain.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0600"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/privkey.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org] =>
parameters =>
"ensure": "directory"
"group": "root"
"mode": "0755"
"owner": "root"
*******************************************
+ File[/etc/varnish/includes/01_sentry.vcl] =>
parameters =>
"group": "root"
"mode": "0644"
"notify": "Exec[vcl_reload]"
"owner": "root"
"content": >>>
# backend_default.vcl
#
# Default backend definition.
#
# File managed by puppet. All modifications will be lost.
backend sentry
{
.host = "sentry.internal.admin.swh.network";
.port = "80";
}
<<<
*******************************************
+ File[/etc/varnish/includes/50_vhost_sentry.softwareheritage.org.vcl] =>
parameters =>
"group": "root"
"mode": "0644"
"notify": "Exec[vcl_reload]"
"owner": "root"
"content": >>>
# vhost_sentry.softwareheritage.org.vcl
#
# Settings for the sentry.softwareheritage.org vhost
#
# File managed by puppet. All modifications will be lost.
sub vcl_recv {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
var.set("known-vhost", "yes");
if (std.port(server.ip) == 80) {
set req.http.x-redir = "https://" + req.http.host + req.url;
return(synth(850, "Moved permanently"));
} else {
set req.http.X-Forwarded-Proto = "https";
set req.backend_hint = sentry;
}
}
}
sub vcl_deliver {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (std.port(server.ip) != 80) {
set resp.http.Strict-Transport-Security = "max-age=15768000;";
}
}
}
sub vcl_synth {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (resp.status == 401) {
set resp.http.WWW-Authenticate = "Basic";
return(deliver);
}
}
}
<<<
*******************************************
+ Hitch::Domain[sentry.softwareheritage.org] =>
parameters =>
"cacert_source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
"cert_source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
"default": false
"ensure": "present"
"key_source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
*******************************************
+ Profile::Hitch::Ssl_cert[sentry.softwareheritage.org] =>
parameters =>
"ssl_cert_name": "sentry.softwareheritage.org"
*******************************************
+ Profile::Letsencrypt::Certificate[sentry.softwareheritage.org] =>
parameters =>
"basename": "sentry.softwareheritage.org"
"privkey_group": "root"
"privkey_mode": "0600"
"privkey_owner": "root"
*******************************************
+ Profile::Varnish::Vcl_include[sentry] =>
parameters =>
"basename": "sentry"
"order": "01"
"content": >>>
# backend_default.vcl
#
# Default backend definition.
#
# File managed by puppet. All modifications will be lost.
backend sentry
{
.host = "sentry.internal.admin.swh.network";
.port = "80";
}
<<<
*******************************************
+ Profile::Varnish::Vcl_include[vhost_sentry.softwareheritage.org] =>
parameters =>
"basename": "vhost_sentry.softwareheritage.org"
"order": "50"
"content": >>>
# vhost_sentry.softwareheritage.org.vcl
#
# Settings for the sentry.softwareheritage.org vhost
#
# File managed by puppet. All modifications will be lost.
sub vcl_recv {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
var.set("known-vhost", "yes");
if (std.port(server.ip) == 80) {
set req.http.x-redir = "https://" + req.http.host + req.url;
return(synth(850, "Moved permanently"));
} else {
set req.http.X-Forwarded-Proto = "https";
set req.backend_hint = sentry;
}
}
}
sub vcl_deliver {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (std.port(server.ip) != 80) {
set resp.http.Strict-Transport-Security = "max-age=15768000;";
}
}
}
sub vcl_synth {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (resp.status == 401) {
set resp.http.WWW-Authenticate = "Basic";
return(deliver);
}
}
}
<<<
*******************************************
+ Profile::Varnish::Vhost[sentry.softwareheritage.org] =>
parameters =>
"aliases": []
"backend_http_host": "sentry.internal.admin.swh.network"
"backend_http_port": "80"
"backend_name": "sentry"
"basic_auth": false
"hsts_max_age": 15768000
"order": "50"
"servername": "sentry.softwareheritage.org"
"websocket_support": false
*******************************************
+ Varnish::Vcl[/etc/varnish/includes/01_sentry.vcl] =>
parameters =>
"file": "/etc/varnish/includes/01_sentry.vcl"
"content": >>>
# backend_default.vcl
#
# Default backend definition.
#
# File managed by puppet. All modifications will be lost.
backend sentry
{
.host = "sentry.internal.admin.swh.network";
.port = "80";
}
<<<
*******************************************
+ Varnish::Vcl[/etc/varnish/includes/50_vhost_sentry.softwareheritage.org.vcl] =>
parameters =>
"file": "/etc/varnish/includes/50_vhost_sentry.softwareheritage.org.vcl"
"content": >>>
# vhost_sentry.softwareheritage.org.vcl
#
# Settings for the sentry.softwareheritage.org vhost
#
# File managed by puppet. All modifications will be lost.
sub vcl_recv {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
var.set("known-vhost", "yes");
if (std.port(server.ip) == 80) {
set req.http.x-redir = "https://" + req.http.host + req.url;
return(synth(850, "Moved permanently"));
} else {
set req.http.X-Forwarded-Proto = "https";
set req.backend_hint = sentry;
}
}
}
sub vcl_deliver {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (std.port(server.ip) != 80) {
set resp.http.Strict-Transport-Security = "max-age=15768000;";
}
}
}
sub vcl_synth {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (resp.status == 401) {
set resp.http.WWW-Authenticate = "Basic";
return(deliver);
}
}
}
<<<
*******************************************
*** End octocatalog-diff on rp1.internal.admin.swh.network
```
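Review bot: In `vcl_recv` of `50_vhost_sentry.softwareheritage.org.vcl`, the port-80 branch builds `x-redir` as `"https://" + req.http.host + req.url`, and the host match accepts an optional `(:[0-9]+)?` suffix, so a request sent with `Host: sentry.softwareheritage.org:80` is redirected to an https URL on port 80. Building the redirect from the fixed servername instead of `req.http.host` avoids that. In the else branch only `X-Forwarded-Proto` is set, whereas the Apache vhost removed on pergamon also set `X-Forwarded-Port "443"`; worth confirming that the backend at `sentry.internal.admin.swh.network` port 80 does not rely on it.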