From 30318d9bc2334604a499a08cd0ca14d1f2e36e03 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Nov 08 2021 21:18:36 +0000 Subject: Merge branch 'pagure' into 'production' Let pagure listen on IPv6 and enable HTTPS See merge request infra/salt!512 --- diff --git a/pillar/role/pagure.sls b/pillar/role/pagure.sls index 56f7391..1f4fcb1 100644 --- a/pillar/role/pagure.sls +++ b/pillar/role/pagure.sls @@ -31,13 +31,28 @@ nginx: ng: servers: managed: - code.opensuse.org.conf: + redirhttp.conf: config: - server: - - server_name: code.opensuse.org + - server_name: '_' - listen: - 80 - default_server + - location /: + - return: '301 https://$host$request_uri' + enabled: True + code.opensuse.org.conf: + config: + - server: + - server_name: code.opensuse.org + - listen: + - 443 + - ssl + - listen: + - '[::]:443' + - ssl + - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt + - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key - location @pagure: - client_max_body_size: 0 - proxy_set_header: Host $http_host @@ -56,7 +71,13 @@ nginx: - server: - server_name: releases.opensuse.org - listen: - - 80 + - 443 + - ssl + - listen: + - '[::]:443' + - ssl + - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt + - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key - location /: - alias: /srv/www/pagure-releases/ - autoindex: 'on' @@ -66,7 +87,13 @@ nginx: - server: - server_name: ev.opensuse.org - listen: - - 80 + - 443 + - ssl + - listen: + - '[::]:443' + - ssl + - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt + - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key - location @pagure_ev: - proxy_set_header: Host $http_host - proxy_set_header: X-Real-IP $remote_addr 
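Review bot: In the first hunk of pillar/role/pagure.sls, the new `redirhttp.conf` catch-all listens only on IPv4 port 80, while every HTTPS server in this commit also gets `'[::]:443'`, so a client that arrives over IPv6 on plain HTTP would get no redirect. I would add a second `- listen:` entry with `'[::]:80'` and `default_server` to the redirect server. The redirect target is built from `$host` under `server_name: '_'`, so the Location header reflects whatever Host the client sent. If only the four opensuse.org names are meant to be served, listing them in `server_name` on the redirect server would keep other hostnames out of the response.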
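Review bot: The `releases.opensuse.org` server (second hunk of pillar/role/pagure.sls) is pointed at the certificate under `/etc/dehydrated/certs/code.opensuse.org/`, and the `ev.opensuse.org` and `pages.opensuse.org` hunks do the same, but nothing in this diff shows that the certificate carries those three names as SANs. If it does not, clients will see a name-mismatch error on those hosts, so the dehydrated domain list (presumably managed under profile.crtmgr, outside this diff) should be checked. A comment at the first reuse, such as `# shared cert: SANs must cover releases, ev and pages`, would make the dependency visible. None of the new 443 servers sets `ssl_protocols` or an HSTS header here; if those are not configured globally elsewhere, this is the place to add them.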
@@ -81,7 +108,13 @@ nginx: - server: - server_name: pages.opensuse.org - listen: - - 80 + - 443 + - ssl + - listen: + - '[::]:443' + - ssl + - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt + - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key - location @pagure_docs: - proxy_set_header: Host $http_host - proxy_set_header: X-Real-IP $remote_addr diff --git a/salt/profile/crtmgr/dehydrated.sls b/salt/profile/crtmgr/dehydrated.sls index 7bfdc80..b69115a 100644 --- a/salt/profile/crtmgr/dehydrated.sls +++ b/salt/profile/crtmgr/dehydrated.sls @@ -2,3 +2,15 @@ dehydrated: pkg.installed: - pkgs: - dehydrated + +/etc/dehydrated/postrun-hooks.d/reloadhttpd.sh: + file.managed: + - mode: 755 + - contents: | + #!/bin/sh + if [ -e /usr/lib/systemd/system/apache2.service ] ; then + systemctl reload apache2 + fi + if [ -e /usr/lib/systemd/system/nginx.service ] ; then + systemctl reload nginx + fi diff --git a/salt/profile/pagure/init.sls b/salt/profile/pagure/init.sls index 90f2789..e23945c 100644 --- a/salt/profile/pagure/init.sls +++ b/salt/profile/pagure/init.sls @@ -1,4 +1,5 @@ include: + - profile.crtmgr - profile.pagure.redis pagure_pgks:
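Review bot: The reload hook added in salt/profile/crtmgr/dehydrated.sls tests for the unit file under /usr/lib/systemd/system, which shows that the package is installed, not that the service is running. `systemctl reload` on an inactive unit fails, and the script does not check that result or the result of a failed reload on a running server. A renewed certificate that is never loaded is noticed only when the old one expires, so I would gate on service state, e.g. `systemctl is-active --quiet nginx && systemctl reload nginx` for each service, and log a failure. `mode: 755` is safer written as the quoted string `'0755'`, and the state has no `require` on the `dehydrated` package that presumably provides the postrun-hooks.d directory.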