Alexandros Kosiaris has submitted this change and it was merged. Change subject: etherpad: convert into a module ......................................................................
etherpad: convert into a module Some heavy refactoring to achieve this. Use the new ::apache module definitions Reorganize into a module and role class Drop server alias support Update to the latest coding standards Change-Id: I4826098f875045e10f1e0a5a69c9ea972dc8e9d8 --- D manifests/misc/etherpad.pp A manifests/role/etherpad.pp M manifests/site.pp R modules/etherpad/files/etherpad-robots.txt A modules/etherpad/manifests/init.pp R modules/etherpad/templates/settings.json.erb R templates/misc/etherpad.wikimedia.org.erb 7 files changed, 130 insertions(+), 136 deletions(-) Approvals: Alexandros Kosiaris: Looks good to me, approved jenkins-bot: Verified diff --git a/manifests/misc/etherpad.pp b/manifests/misc/etherpad.pp deleted file mode 100644 index cf8d0dc..0000000 --- a/manifests/misc/etherpad.pp +++ /dev/null 
@@ -1,110 +0,0 @@
-# Etherpad
-
-class misc::etherpad_lite {
-
- include passwords::etherpad_lite
-
- $etherpad_db_user = $passwords::etherpad_lite::etherpad_db_user
- $etherpad_db_host = $passwords::etherpad_lite::etherpad_db_host
- $etherpad_db_name = $passwords::etherpad_lite::etherpad_db_name
- $etherpad_db_pass = $passwords::etherpad_lite::etherpad_db_pass
-
- if $::realm == 'labs' {
- $etherpad_host = $fqdn
- $etherpad_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
- $etherpad_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key'
- } else {
- $etherpad_host = 'etherpad.wikimedia.org'
- $etherpad_serveraliases = 'epl.wikimedia.org'
- install_certificate{ 'etherpad.wikimedia.org': ca => 'RapidSSL_CA.pem' }
- $etherpad_ssl_cert = '/etc/ssl/certs/etherpad.wikimedia.org.pem'
- $etherpad_ssl_key = '/etc/ssl/private/etherpad.wikimedia.org.key'
- }
-
- $etherpad_ip = '127.0.0.1'
- $etherpad_port = '9001'
-
- system::role { 'misc::etherpad_lite': description => 'Etherpad-lite server' }
-
- file {
- '/etc/apache2/sites-enabled/etherpad.wikimedia.org':
- ensure => present,
- mode => '0444',
- owner => 'root',
- group => 'root',
- notify => Service['apache2'],
- content => template('apache/sites/etherpad_lite.wikimedia.org.erb'),
- }
- file {
- '/usr/share/etherpad-lite/src/static/robots.txt':
- ensure => present,
- mode => '0444',
- owner => 'root',
- group => 'root',
- source => 'puppet:///files/misc/etherpad-robots.txt',
- }
-
-
- # FIX ME - move this to a common role to avoid duplicate defs
- include ::apache::mod::rewrite
- include ::apache::mod::proxy
- include ::apache::mod::proxy_http
- include ::apache::mod::ssl
-
- package { 'etherpad-lite':
- ensure => latest;
- }
- service { 'etherpad-lite':
- ensure => running,
- require => Package['etherpad-lite'],
- subscribe => File['/etc/etherpad-lite/settings.json'],
- enable => true;
- }
-
- # Icinga process monitoring, RT #5790
- monitor_service { 'etherpad-lite-proc':
- description => 'etherpad_lite_process_running',
- check_command => 'nrpe_check_etherpad_lite';
- }
-
- monitor_service { 'etherpad-lite-http':
- description => 'etherpad.wikimedia.org',
- check_command => 'check_http_url!etherpad.wikimedia.org!/',
- }
-
- monitor_service { 'etherpad-lite-https':
- description => 'https.etherpad.wikimedia.org',
- check_command => 'check_https_url_for_string!etherpad.wikimedia.org!/p/Etherpad!\'<title>Etherpad\'',
- }
-
-
-
-
- #FIXME
- #service { apache2:
- # enable => true,
- # ensure => running;
- #}
-
- file {
- '/etc/etherpad-lite/settings.json':
- require => Package['etherpad-lite'],
- owner => 'root',
- group => 'root',
- mode => '0444',
- content => template('etherpad_lite/settings.json.erb');
- }
-
- ferm::service { 'etherpad_http':
- proto => 'tcp',
- port => '80',
- }
-
- ferm::service { 'etherpad_https':
- proto => 'tcp',
- port => '443',
- }
-
-
-}
-
diff --git a/manifests/role/etherpad.pp b/manifests/role/etherpad.pp
new file mode 100644
index 0000000..6900174
--- /dev/null
+++ b/manifests/role/etherpad.pp
@@ -0,0 +1,73 @@
+class role::etherpad{
+
+ include passwords::etherpad_lite
+ include webserver::apache
+
+ system::role { 'etherpad':
+ description => 'Etherpad-lite server'
+ }
+
+ $etherpad_ip = '127.0.0.1'
+ $etherpad_port = '9001'
+
+ case $::realm {
+ 'labs': {
+ $etherpad_host = $::fqdn
+ $etherpad_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ $etherpad_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key'
+ }
+ 'production': {
+ $etherpad_host = 'etherpad.wikimedia.org'
+ install_certificate{ 'etherpad.wikimedia.org': }
+ $etherpad_ssl_cert = '/etc/ssl/certs/etherpad.wikimedia.org.pem'
+ $etherpad_ssl_key = '/etc/ssl/private/etherpad.wikimedia.org.key'
+ }
+ 'default': {
+ fail('unknown realm, should be labs or production')
+ }
+ }
+
+ class { '::etherpad':
+ etherpad_host => $etherpad_host,
+ etherpad_ip => $etherpad_ip,
+ etherpad_port => $etherpad_port,
+ etherpad_db_user => $passwords::etherpad_lite::etherpad_db_user,
+ etherpad_db_host => $passwords::etherpad_lite::etherpad_db_host,
+ etherpad_db_name => $passwords::etherpad_lite::etherpad_db_name,
+ etherpad_db_pass => $passwords::etherpad_lite::etherpad_db_pass,
+ }
+
+ include ::apache::mod::rewrite
+ include ::apache::mod::proxy
+ include ::apache::mod::proxy_http
+ include ::apache::mod::ssl
+
+ ::apache::site { 'etherpad.wikimedia.org':
+ content => template('misc/etherpad.wikimedia.org.erb'),
+ }
+
+ # Icinga process monitoring, RT #5790
+ nrpe::monitor_service { 'etherpad-lite-proc':
+ description => 'etherpad_lite_process_running',
+ nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1:1 --ereg-argument-array='^node node_modules/ep_etherpad-lite/node/server.js'",
+ }
+
+ monitor_service { 'etherpad-lite-http':
+ description => 'etherpad.wikimedia.org',
+ check_command => 'check_http_url!etherpad.wikimedia.org!/',
+ }
+ monitor_service { 'etherpad-lite-https':
+ description => 'etherpad.wikimedia.org',
+ check_command => 
'check_https_url_for_string!etherpad.wikimedia.org!//p/Etherpad!\'<title>Etherpad\'', + } + + ferm::service { 'etherpad_http': + proto => 'tcp', + port => 'http', + } + + ferm::service { 'etherpad_https': + proto => 'tcp', + port => 'https', + } +} diff --git a/manifests/site.pp b/manifests/site.pp index fbb2905..baedc34 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -2884,7 +2884,7 @@ include admin include role::planet include misc::outreach::civicrm # contacts.wikimedia.org - include misc::etherpad_lite + include role::etherpad include role::wikimania_scholarships include role::bugzilla diff --git a/files/misc/etherpad-robots.txt b/modules/etherpad/files/etherpad-robots.txt similarity index 100% rename from files/misc/etherpad-robots.txt rename to modules/etherpad/files/etherpad-robots.txt diff --git a/modules/etherpad/manifests/init.pp b/modules/etherpad/manifests/init.pp new file mode 100644 index 0000000..e66393b --- /dev/null +++ b/modules/etherpad/manifests/init.pp @@ -0,0 +1,36 @@ +# Install and manage Etherpad Lite + +class etherpad( + $etherpad_host, + $etherpad_ip, + $etherpad_port, + $etherpad_db_user, + $etherpad_db_host, + $etherpad_db_name, + $etherpad_db_pass, + ){ + + package { 'etherpad-lite': + ensure => 'latest', + } + + service { 'etherpad-lite': + ensure => running, + enable => true, + require => Package['etherpad-lite'], + subscribe => File['/etc/etherpad-lite/settings.json'], + } + + file { '/etc/etherpad-lite/settings.json': + require => Package['etherpad-lite'], + content => template('etherpad/settings.json.erb'), + } + + file { '/usr/share/etherpad-lite/src/static/robots.txt': + ensure => present, + owner => 'root', + group => 'root', + mode => '0444', + source => 'puppet:///modules/etherpad/etherpad-robots.txt', + } +} 
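Review bot: The fallback branch of `case $::realm` in manifests/role/etherpad.pp is written as the quoted string `'default':`, which Puppet compares against the realm value like any other string instead of treating it as the catch-all. An unrecognised realm would therefore skip `fail()` and leave `$etherpad_host`, `$etherpad_ssl_cert` and `$etherpad_ssl_key` unset, so the vhost template would presumably render with an empty ServerName and empty certificate paths. Use the bare keyword: `default: { fail('unknown realm, should be labs or production') }`. Separately, the HTTPS check path changed from `/p/Etherpad` to `//p/Etherpad`, and both `monitor_service` resources now share the description `etherpad.wikimedia.org`; both look unintended and are worth confirming.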
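Review bot: The `file { '/etc/etherpad-lite/settings.json': }` resource in modules/etherpad/manifests/init.pp sets no `owner`, `group` or `mode`, although the template it renders contains `etherpad_db_pass`. The deleted manifest pinned root:root 0444; with those attributes gone the permissions depend on whatever File defaults are in scope or on the file already on disk, and 0444 itself left the database password readable by every local account. Pin them explicitly and limit read access to the account the service runs as, for example `owner => 'root', group => '<etherpad-lite service group>', mode => '0440',` (the group name is a placeholder; it is not visible in this change). `ensure => 'latest'` on the package also lets any agent run install an unreviewed upgrade, so a pinned version or `present` would make upgrades deliberate.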
diff --git a/templates/etherpad_lite/settings.json.erb b/modules/etherpad/templates/settings.json.erb similarity index 71% rename from templates/etherpad_lite/settings.json.erb rename to modules/etherpad/templates/settings.json.erb index 6bf99e9..81ebf2f 100644 --- a/templates/etherpad_lite/settings.json.erb +++ b/modules/etherpad/templates/settings.json.erb @@ -1,15 +1,15 @@ { "title": "Etherpad", "favicon": "favicon.ico", - "ip": "<%= etherpad_ip %>", - "port": <%= etherpad_port %>, + "ip": "<%= @etherpad_ip %>", + "port": <%= @etherpad_port %>, "dbType": "mysql", "dbSettings": { - "user": "<%= etherpad_db_user %>", - "host": "<%= etherpad_db_host %>", - "password": "<%= etherpad_db_pass %>", - "database": "<%= etherpad_db_name %>" + "user": "<%= @etherpad_db_user %>", + "host": "<%= @etherpad_db_host %>", + "password": "<%= @etherpad_db_pass %>", + "database": "<%= @etherpad_db_name %>" }, "defaultPadText": "", diff --git a/templates/apache/sites/etherpad_lite.wikimedia.org.erb b/templates/misc/etherpad.wikimedia.org.erb similarity index 70% rename from templates/apache/sites/etherpad_lite.wikimedia.org.erb rename to templates/misc/etherpad.wikimedia.org.erb index 91944a1..9cb608f 100644 --- a/templates/apache/sites/etherpad_lite.wikimedia.org.erb +++ b/templates/misc/etherpad.wikimedia.org.erb @@ -1,15 +1,12 @@ ##################################################################### -### THIS FILE IS MANAGED BY PUPPET -### puppet:///templates/apache/sites/etherpad_lite.wikimedia.org.erb -##################################################################### +#### THIS FILE IS MANAGED BY PUPPET +#### puppet:///templates/etherpad.wikimedia.org.erb +###################################################################### # vim: filetype=apache <VirtualHost *:80> ServerName <%= @etherpad_host %> -<% if @etherpad_serveraliases -%> - ServerAlias <%= @etherpad_serveraliases %> -<% end -%> RewriteEngine on ProxyVia On 
@@ -17,7 +14,7 @@ ProxyPass / http://<%= @etherpad_ip %>:<%= @etherpad_port %>/ retry=15 ProxyPassReverse / http://<%= @etherpad_ip %>:<%= @etherpad_port %>/ ProxyPreserveHost On - RewriteRule /p/*$ https://etherpad.wikimedia.org/ [NC,L] + RewriteRule /p/*$ https://<%= @etherpad_host %>/ [NC,L] RewriteCond %{REQUEST_URI} !^/locales/ RewriteCond %{REQUEST_URI} !^/locales.json RewriteCond %{REQUEST_URI} !^/admin @@ -34,10 +31,10 @@ RewriteCond %{REQUEST_URI} !^/jserror RewriteCond %{REQUEST_URI} !/favicon.ico RewriteCond %{REQUEST_URI} !/robots.txt - RewriteRule ^/+(.+)$ https://etherpad.wikimedia.org/p/$1 [L] + RewriteRule ^/+(.+)$ https://<%= @etherpad_host %>/p/$1 [L] - RewriteCond %{HTTP_HOST} !etherpad.wikimedia.org - RewriteRule ^/+(.+)$ https://etherpad.wikimedia.org/$1 [R=301,L] + RewriteCond %{HTTP_HOST} !<%= @etherpad_host %> + RewriteRule ^/+(.+)$ https://<%= @etherpad_host %>/$1 [R=301,L] <Proxy *> Options FollowSymLinks MultiViews @@ -48,16 +45,14 @@ </VirtualHost> -<VirtualHost *:443> + +<VirtualHost *:80> ServerName <%= @etherpad_host %> -<% if @etherpad_serveraliases -%> - ServerAlias <%= @etherpad_serveraliases %> -<% end -%> SSLEngine on SSLProtocol +ALL -SSLv2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH SSLHonorCipherOrder on SSLCertificateFile <%= @etherpad_ssl_cert %> SSLCertificateKeyFile <%= @etherpad_ssl_key %> 
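Review bot: `RewriteCond %{HTTP_HOST} !<%= @etherpad_host %>` in the hunk at `@@ -34,10 +31,10 @@` is evaluated as an unanchored regular expression, so any Host header that merely contains the configured name (with each `.` matching any character) is accepted as canonical and skips the 301. Now that the value is templated, and is `$::fqdn` in labs, an exact comparison is the safer form: `RewriteCond %{HTTP_HOST} !=<%= @etherpad_host %>`, with `[NC]` added if mixed-case Host headers should be accepted. The same condition is repeated for the second vhost in the hunk at `@@ -86,10 +81,10 @@`. The enclosing `<VirtualHost>` block starts and ends outside this hunk.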
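Review bot: The TLS vhost in the hunk at `@@ -48,16 +45,14 @@` now opens with `<VirtualHost *:80>` although its body keeps `SSLEngine on` and the certificate directives; the removed line was `<VirtualHost *:443>`. As written nothing is declared for port 443 and the block duplicates the address of the plain-HTTP vhost above it, so HTTPS would presumably stop being served while the role still opens `https` in ferm and monitors it. Restore `<VirtualHost *:443>`. The added `SSLCipherSuite` line appears cut off after `ECDH` on this page, so the new cipher list cannot be checked here, and the unchanged `SSLProtocol +ALL -SSLv2` still permits SSLv3, which is worth tightening in the same pass.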
@@ -69,7 +64,7 @@ ProxyPass / http://<%= @etherpad_ip %>:<%= @etherpad_port %>/ retry=15 ProxyPassReverse / http://<%= @etherpad_ip %>:<%= @etherpad_port %>/ ProxyPreserveHost On - RewriteRule /p/*$ https://etherpad.wikimedia.org/ [NC,L] + RewriteRule /p/*$ https://<%= @etherpad_host %>/ [NC,L] RewriteCond %{REQUEST_URI} !^/locales/ RewriteCond %{REQUEST_URI} !^/locales.json RewriteCond %{REQUEST_URI} !^/admin @@ -86,10 +81,10 @@ RewriteCond %{REQUEST_URI} !^/jserror RewriteCond %{REQUEST_URI} !/favicon.ico RewriteCond %{REQUEST_URI} !/robots.txt - RewriteRule ^/+(.+)$ https://etherpad.wikimedia.org/p/$1 [L] + RewriteRule ^/+(.+)$ https://<%= @etherpad_host %>/p/$1 [L] - RewriteCond %{HTTP_HOST} !etherpad.wikimedia.org - RewriteRule ^/+(.+)$ https://etherpad.wikimedia.org/$1 [R=301,L] + RewriteCond %{HTTP_HOST} !<%= @etherpad_host %> + RewriteRule ^/+(.+)$ https://<%= @etherpad_host %>/$1 [R=301,L] <Proxy *> Options FollowSymLinks MultiViews -- To view, visit https://gerrit.wikimedia.org/r/107567 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I4826098f875045e10f1e0a5a69c9ea972dc8e9d8 Gerrit-PatchSet: 27 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Matanya <mata...@foss.co.il> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Mark Bergsma <m...@wikimedia.org> Gerrit-Reviewer: Matanya <mata...@foss.co.il> Gerrit-Reviewer: Ori.livneh <o...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits