Puppet Class: profile::gerrit

Defined in:
modules/profile/manifests/gerrit.pp

Overview

modules/profile/manifests/gerrit/server.pp

Parameters:

  • ldap_config (Hash) (defaults to: lookup('ldap'))
  • ipv4 (Stdlib::IP::Address::V4) (defaults to: lookup('profile::gerrit::ipv4'))
  • ipv6 (Optional[Stdlib::IP::Address::V6]) (defaults to: lookup('profile::gerrit::ipv6'))
  • host (Stdlib::Fqdn) (defaults to: lookup('profile::gerrit::host'))
  • backups_enabled (Boolean) (defaults to: lookup('profile::gerrit::backups_enabled'))
  • backup_set (String) (defaults to: lookup('profile::gerrit::backup_set'))
  • ssh_allowed_hosts (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::gerrit::ssh_allowed_hosts'))
  • config (String) (defaults to: lookup('profile::gerrit::config'))
  • use_acmechief (Boolean) (defaults to: lookup('profile::gerrit::use_acmechief'))
  • replica_hosts (Optional[Array[Stdlib::Fqdn]]) (defaults to: lookup('profile::gerrit::replica_hosts'))
  • daemon_user (Optional[String]) (defaults to: lookup('profile::gerrit::daemon_user'))
  • gerrit_site (Stdlib::Unixpath) (defaults to: lookup('profile::gerrit::gerrit_site'))
  • scap_user (Optional[String]) (defaults to: lookup('profile::gerrit::scap_user'))
  • manage_scap_user (Optional[Boolean]) (defaults to: lookup('profile::gerrit::manage_scap_user'))
  • scap_key_name (Optional[String]) (defaults to: lookup('profile::gerrit::scap_key_name'))
  • enable_monitoring (Boolean) (defaults to: lookup('profile::gerrit::enable_monitoring'))
  • replication (Hash[String, Hash]) (defaults to: lookup('profile::gerrit::replication'))
  • ssh_host_key (String) (defaults to: lookup('profile::gerrit::ssh_host_key'))
  • git_dir (Stdlib::Unixpath) (defaults to: lookup('profile::gerrit::git_dir'))
  • java_home (Stdlib::Unixpath) (defaults to: lookup('profile::gerrit::java_home'))
  • mask_service (Boolean) (defaults to: lookup('profile::gerrit::mask_service'))
  • active_host (Stdlib::Fqdn) (defaults to: lookup('profile::gerrit::active_host'))
  • lfs_replica_sync (Boolean) (defaults to: lookup('profile::gerrit::lfs_replica_sync'))
  • lfs_sync_dest (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::gerrit::lfs_sync_dest'))


3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
# File 'modules/profile/manifests/gerrit.pp', line 3

class profile::gerrit(
    Hash                              $ldap_config       = lookup('ldap'),
    Stdlib::IP::Address::V4           $ipv4              = lookup('profile::gerrit::ipv4'),
    Optional[Stdlib::IP::Address::V6] $ipv6              = lookup('profile::gerrit::ipv6'),
    Stdlib::Fqdn                      $host              = lookup('profile::gerrit::host'),
    Boolean                           $backups_enabled   = lookup('profile::gerrit::backups_enabled'),
    String                            $backup_set        = lookup('profile::gerrit::backup_set'),
    Array[Stdlib::Fqdn]               $ssh_allowed_hosts = lookup('profile::gerrit::ssh_allowed_hosts'),
    String                            $config            = lookup('profile::gerrit::config'),
    Boolean                           $use_acmechief     = lookup('profile::gerrit::use_acmechief'),
    Optional[Array[Stdlib::Fqdn]]     $replica_hosts     = lookup('profile::gerrit::replica_hosts'),
    Optional[String]                  $daemon_user       = lookup('profile::gerrit::daemon_user'),
    Stdlib::Unixpath                  $gerrit_site       = lookup('profile::gerrit::gerrit_site'),
    Optional[String]                  $scap_user         = lookup('profile::gerrit::scap_user'),
    Optional[Boolean]                 $manage_scap_user  = lookup('profile::gerrit::manage_scap_user'),
    Optional[String]                  $scap_key_name     = lookup('profile::gerrit::scap_key_name'),
    Boolean                           $enable_monitoring = lookup('profile::gerrit::enable_monitoring'),
    Hash[String, Hash]                $replication       = lookup('profile::gerrit::replication'),
    String                            $ssh_host_key      = lookup('profile::gerrit::ssh_host_key'),
    Stdlib::Unixpath                  $git_dir           = lookup('profile::gerrit::git_dir'),
    Stdlib::Unixpath                  $java_home         = lookup('profile::gerrit::java_home'),
    Boolean                           $mask_service      = lookup('profile::gerrit::mask_service'),
    Stdlib::Fqdn                      $active_host       = lookup('profile::gerrit::active_host'),
    Boolean                           $lfs_replica_sync  = lookup('profile::gerrit::lfs_replica_sync'),
    Array[Stdlib::Fqdn]               $lfs_sync_dest     = lookup('profile::gerrit::lfs_sync_dest'),
) {
    require ::profile::java

    $is_replica = $facts['fqdn'] != $active_host

    interface::alias { 'gerrit server':
        ipv4 => $ipv4,
        ipv6 => $ipv6,
    }

    if !$is_replica and $enable_monitoring {
        prometheus::blackbox::check::tcp { 'gerrit-ssh':
            team     => 'collaboration-services-releng',
            severity => 'critical',
            port     => 29418,
        }
    }

    # ssh from users to gerrit
    firewall::service { 'gerrit_ssh_users':
        proto  => 'tcp',
        port   => 29418,
        drange => [$ipv4, $ipv6],
    }

    # ssh between gerrit servers for cluster support
    firewall::service { 'gerrit_ssh_cluster':
        port   => 22,
        proto  => 'tcp',
        srange => $ssh_allowed_hosts,
    }

    firewall::service { 'gerrit_http':
        proto  => 'tcp',
        port   => 80,
        drange => [$ipv4, $ipv6],
    }

    firewall::service { 'gerrit_https':
        proto  => 'tcp',
        port   => 443,
        drange => [$ipv4, $ipv6],
    }

    if $backups_enabled and $backup_set != undef {
        backup::set { $backup_set:
            jobdefaults => "Hourly-${profile::backup::host::day}-${profile::backup::host::pool}"
        }
        backup::set { 'home': }
    }

    if $use_acmechief {
        class { 'sslcert::dhparam': }
        acme_chief::cert { 'gerrit':
            puppet_svc => 'apache2',
        }
    } else {
        ensure_packages('certbot')
        systemd::timer::job { 'certbot-renew':
            ensure      => present,
            user        => 'root',
            description => 'renew TLS certificate using certbot',
            command     => "/usr/bin/certbot -q renew --post-hook \"systemctl reload apache\"",
            interval    => {'start' => 'OnCalendar', 'interval' => '*-*-* 04:04:00'},
        }
    }

    class { 'gerrit':
        host              => $host,
        ipv4              => $ipv4,
        ipv6              => $ipv6,
        replica           => $is_replica,
        replica_hosts     => $replica_hosts,
        config            => $config,
        use_acmechief     => $use_acmechief,
        ldap_config       => $ldap_config,
        daemon_user       => $daemon_user,
        scap_user         => $scap_user,
        gerrit_site       => $gerrit_site,
        manage_scap_user  => $manage_scap_user,
        scap_key_name     => $scap_key_name,
        enable_monitoring => $enable_monitoring,
        replication       => $replication,
        ssh_host_key      => $ssh_host_key,
        git_dir           => $git_dir,
        java_home         => $java_home,
        mask_service      => $mask_service,
        active_host       => $active_host,
        lfs_replica_sync  => $lfs_replica_sync,
        lfs_sync_dest     => $lfs_sync_dest,
    }

    class { 'gerrit::replication_key':
        user    => $daemon_user,
        require => Class['gerrit'],
    }

    profile::gerrit::sshkey { 'gerrit.wikimedia.org':
        exported => true,
    }
    # Ship Gerrit built-in logs to ELK
    rsyslog::input::file { 'gerrit-json':
        path => '/var/log/gerrit/*_log.json',
    }

    # Apache reverse proxies to jetty
    rsyslog::input::file { 'gerrit-apache2-error':
        path => '/var/log/apache2/*error*.log',
    }
    rsyslog::input::file { 'gerrit-apache2-access':
        path => '/var/log/apache2/*access*.log',
    }
}