Puppet Class: profile::gerrit::proxy

Defined in:
modules/profile/manifests/gerrit/proxy.pp

Overview

Sets up a TLS proxy for Gerrit.

Parameters:

  • ipv4 (Stdlib::IP::Address::V4) (defaults to: lookup('profile::gerrit::ipv4'))
  • ipv6 (Optional[Stdlib::IP::Address::V6]) (defaults to: lookup('profile::gerrit::ipv6'))
  • host (Stdlib::Fqdn) (defaults to: lookup('profile::gerrit::host'))
  • daemon_user (String) (defaults to: lookup('profile::gerrit::daemon_user'))
  • is_replica (Boolean) (defaults to: lookup('profile::gerrit::is_replica'))
  • use_acmechief (Boolean) (defaults to: lookup('profile::gerrit::use_acmechief'))
  • replica_hosts (Optional[Array[Stdlib::Fqdn]]) (defaults to: lookup('profile::gerrit::replica_hosts'))
  • enable_monitoring (Boolean) (defaults to: lookup('profile::gerrit::enable_monitoring'))
  • maint_mode (Boolean) (defaults to: lookup('profile::gerrit::maint_mode', {'default_value' => false}))


# File 'modules/profile/manifests/gerrit/proxy.pp', line 2

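# @summary Sets up an Apache httpd TLS proxy in front of Gerrit.
#
# Declares the httpd class with the proxy/ssl modules, one vhost named after
# the TLS host, a listen configuration, robots.txt, a static error page and
# two links to cached static assets under the Gerrit site directory.
#
# Several parameters ($ipv4, $ipv6, $use_acmechief, $maint_mode) are not
# referenced in this manifest; presumably they are read by the ERB templates
# rendered below -- confirm against the templates before removing any of them.
#
# @param ipv4 Service IPv4 address (not used in the manifest body; see note above).
# @param ipv6 Optional service IPv6 address (not used in the manifest body; see note above).
# @param host FQDN used as the TLS host name when this node is not a replica.
# @param daemon_user User name used to build the Gerrit site path /var/lib/<daemon_user>/review_site.
# @param is_replica When true, the first entry of $replica_hosts is used as the TLS host name.
# @param use_acmechief Not used in the manifest body; see note above.
# @param replica_hosts Replica FQDNs; must hold at least one entry when $is_replica is true.
# @param enable_monitoring When true, declares the HTTPS certificate check for the TLS host.
# @param maint_mode Not used in the manifest body; see note above.
class profile::gerrit::proxy(
    Stdlib::IP::Address::V4           $ipv4              = lookup('profile::gerrit::ipv4'),
    Optional[Stdlib::IP::Address::V6] $ipv6              = lookup('profile::gerrit::ipv6'),
    Stdlib::Fqdn                      $host              = lookup('profile::gerrit::host'),
    String                            $daemon_user       = lookup('profile::gerrit::daemon_user'),
    Boolean                           $is_replica        = lookup('profile::gerrit::is_replica'),
    Boolean                           $use_acmechief     = lookup('profile::gerrit::use_acmechief'),
    Optional[Array[Stdlib::Fqdn]]     $replica_hosts     = lookup('profile::gerrit::replica_hosts'),
    Boolean                           $enable_monitoring = lookup('profile::gerrit::enable_monitoring'),
    Boolean                           $maint_mode        = lookup('profile::gerrit::maint_mode', {'default_value' => false}),
) {

    $gerrit_site = "/var/lib/${daemon_user}/review_site"

    # $tls_host names the vhost and is the host the certificate check targets,
    # so it must never end up undef.
    if $is_replica {
        # $replica_hosts is Optional: without this guard an unset or empty list
        # yields an undef $tls_host and a far less obvious failure further down.
        unless $replica_hosts =~ Array[Stdlib::Fqdn, 1] {
            fail('profile::gerrit::proxy: is_replica is true but profile::gerrit::replica_hosts has no entries')
        }
        $tls_host = $replica_hosts[0]
    } else {
        $tls_host = $host
    }

    if $enable_monitoring {
        # The check receives $tls_host twice plus port 443.
        monitoring::service { 'https':
            description   => 'HTTPS',
            check_command => "check_ssl_on_host_port_letsencrypt!${tls_host}!${tls_host}!443",
            contact_group => 'admins,gerrit',
            notes_url     => 'https://phabricator.wikimedia.org/project/view/330/',
        }
    }

    # Not referenced again in this manifest; presumably consumed by
    # apache.erb as @ssl_settings -- confirm.
    $ssl_settings = ssl_ciphersuite('apache', 'strong', true)

    # NOTE(review): 'remoteip' is loaded here; which upstream addresses are
    # trusted to supply the client IP is decided in the vhost template, which
    # is not visible in this manifest.
    class { 'httpd':
        remove_default_ports => true,
        modules              => ['rewrite', 'headers', 'proxy', 'proxy_http', 'remoteip', 'ssl'],
    }

    httpd::site { $tls_host:
        content => template('profile/gerrit/apache.erb'),
    }

    # Let apache only listen on the service IP
    httpd::conf { 'gerrit_listen_service_ip':
        ensure   => present,
        priority => 0,
        content  => template('profile/gerrit/apache.ports.conf.erb'),
    }

    # robots.txt is advisory for crawlers only; it does not restrict access
    # to /g or /r/plugins/gitiles.
    $robots = ['User-Agent: *', 'Disallow: /g', 'Disallow: /r/plugins/gitiles', 'Crawl-delay: 1']
    file { '/var/www/robots.txt':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => inline_template("<%= @robots.join('\n') %>"),
    }

    # Error page stuff
    file { '/var/www/error.html':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('gerrit/error.html.erb'),
    }

    # Both cached assets are links into the Gerrit site directory, which sits
    # under /var/lib/${daemon_user}; the link targets are therefore outside
    # /var/www.
    file { '/var/www/page-bkg.cache.jpg':
        ensure => 'link',
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        target => "${gerrit_site}/static/page-bkg.cache.jpg",
    }
    # A link is described with `target`; `source` is the attribute for copying
    # file content. Use `target`, matching the page-bkg link above.
    file { '/var/www/wikimedia-codereview-logo.cache.png':
        ensure => 'link',
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        target => "${gerrit_site}/static/wikimedia-codereview-logo.cache.png",
    }
}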