Puppet Class: profile::microsites::peopleweb

Defined in:
modules/profile/manifests/microsites/peopleweb.pp

Overview

SPDX-License-Identifier: Apache-2.0

people.wikimedia.org lets shell users publish their own files (apache2, mod_userdir), e.g. people.wikimedia.org/~username/

Parameters:

  • deployment_server (Stdlib::Host) (defaults to: lookup('deployment_server'))
  • sitename (Stdlib::Host) (defaults to: lookup('profile::microsites::peopleweb::sitename'))
  • docroot (Stdlib::Unixpath) (defaults to: lookup('profile::microsites::peopleweb::docroot'))
  • rsync_src_host (Stdlib::Host) (defaults to: lookup('profile::microsites::peopleweb::rsync_src_host'))
  • rsync_dst_host (Stdlib::Host) (defaults to: lookup('profile::microsites::peopleweb::rsync_dst_host'))


# File 'modules/profile/manifests/microsites/peopleweb.pp', line 5

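# Backend profile for people.wikimedia.org: Apache with mod_userdir, firewall
# rules, monitoring, a login banner, backups of /home and an rsync module for
# migrating /home between hosts.
#
# @param deployment_server host allowed to reach port 80 directly, for testing
# @param sitename public site name used in the HTTPS monitoring checks
# @param docroot directory that is created and holds the static index.html
# @param rsync_src_host active backend; source side of the /home copy and the
#   host the MOTD on every other server points users to
# @param rsync_dst_host destination side of the /home copy
class profile::microsites::peopleweb (
    Stdlib::Host     $deployment_server = lookup('deployment_server'),
    Stdlib::Host     $sitename          = lookup('profile::microsites::peopleweb::sitename'),
    Stdlib::Unixpath $docroot           = lookup('profile::microsites::peopleweb::docroot'),
    Stdlib::Host     $rsync_src_host    = lookup('profile::microsites::peopleweb::rsync_src_host'),
    Stdlib::Host     $rsync_dst_host    = lookup('profile::microsites::peopleweb::rsync_dst_host'),
){

    # firewall: allow caching layer to talk to http backend
    # '$CACHES' is single-quoted, so Puppet passes it through literally and ferm
    # expands it. Only plain HTTP (port 80) is opened here.
    # NOTE(review): presumably TLS ends at the caching layer, so this hop is
    # unencrypted - confirm that is intended for this network segment.
    ferm::service { 'people-http':
        proto  => 'tcp',
        port   => '80',
        srange => '$CACHES',
    }

    # firewall: allow http from deployment servers for testing
    # The source range is the A and AAAA records of $deployment_server as resolved
    # by ferm, so the allow-list follows whatever DNS returns for that name.
    ferm::service { 'people-http-deployment':
        proto  => 'tcp',
        port   => '80',
        srange => "(@resolve((${deployment_server})) @resolve((${deployment_server}), AAAA))",
    }

    # httpd (apache2)
    # 'userdir' is what publishes ~/public_html as /~username/, so the served
    # content is controlled by shell users. The userdir/vhost configuration itself
    # is not declared in this class.
    # NOTE(review): check there which handlers and overrides apply to user
    # directories.
    class { '::httpd':
        modules => ['userdir', 'rewrite', 'headers'],
    }

    class { '::httpd::mpm':
        mpm => 'prefork',
    }

    profile::auto_restarts::service { 'apache2': }

    # register the Apache error logs as an rsyslog file input
    rsyslog::input::file { 'apache2-error':
        path => '/var/log/apache2/*error*.log',
    }

    wmflib::dir::mkdir_p($docroot)

    # the index page shown at https://people.wikimedia.org/
    # root-owned and read-only (0444)
    file { "${docroot}/index.html":
        content => template('profile/microsites/peopleweb/index.html.erb'),
        mode    => '0444',
        owner   => 'root',
        group   => 'root',
    }

    # Wikimedia single sign-on portal (idp.wikimedia.org)
    # allows users to password protect files
    include profile::idp::client::httpd

    # Icinga alerting, crit but not paging
    # TODO: only do this ONCE and not for each node using this
    monitoring::service { 'https-peopleweb':
        description   => 'HTTPS-peopleweb',
        check_command => "check_https_url!${sitename}!https://${sitename}",
        notes_url     => 'https://wikitech.wikimedia.org/wiki/People.wikimedia.org',
    }

    monitoring::service { 'https-peopleweb-expiry':
        description   => 'HTTPS-peopleweb SSL expiry',
        check_command => "check_https_expiry!${sitename}!443",
        notes_url     => 'https://wikitech.wikimedia.org/wiki/People.wikimedia.org',
    }

    # warn users on servers that are NOT the active backend and source of rsync
    # Both strings become a /bin/sh script whose text sits inside one single-quoted
    # echo argument, so the text must not contain a single quote. The directory name
    # is therefore wrapped in double quotes; the previous inner single quotes closed
    # and reopened the shell string and were dropped from the output.
    # ${rsync_src_host} is interpolated into that shell string as well; the
    # Stdlib::Host type on the parameter should keep quote characters out of it.
    if $::fqdn == $rsync_src_host {
        $motd_content = "#!/bin/sh\necho '\nThis is people.wikimedia.org.\nFiles you put in \"public_html\" in your home dir will be accessible on the web.\nMore info on https://wikitech.wikimedia.org/wiki/People.wikimedia.org.\n'"
    } else {
        $motd_content = "#!/bin/sh\necho '\nThis is NOT the active backend for people.wikimedia.org. DO NOT USE THIS. Please go to ${rsync_src_host} instead.\n'"
    }

    motd::script { 'people-motd':
        ensure  => present,
        content => $motd_content,
    }

    # ensure each user home automatically gets a public_html dir (when useradd runs)
    # NOTE(review): no owner, group or mode is set here, unlike index.html above, so
    # the permissions new homes inherit depend on defaults outside this class -
    # consider making them explicit.
    file { '/etc/skel/public_html':
        ensure => directory,
    }

    # people's entire home dirs (not just public_html) are backed up in Bacula
    # The backups therefore also hold files users never published and need the same
    # access restrictions as /home itself.
    backup::set {'home': }

    # allow copying /home from one server to another for migrations
    # auto_sync is off, so the copy only runs when triggered by hand. The module
    # covers all of /home, not just public_html.
    # NOTE(review): who may connect is decided inside rsync::quickdatacopy, which is
    # not shown here - confirm it is limited to the two hosts named below.
    ensure_packages(['rsync'])
    rsync::quickdatacopy { 'people-home':
        ensure      => present,
        auto_sync   => false,
        source_host => $rsync_src_host,
        dest_host   => $rsync_dst_host,
        module_path => '/home',
    }
}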