data/nodes/gitbox.apache.org.yaml - infrastructure-puppet - Git at Google

 ---
 classes:
   - apache
   - apache::mod::geoip
   - apache::mod::headers
   - apache::mod::perl
   - gitbox
   - gitbox::roleaccount
   - gitbox_mailer
   - gitbox_syncer
   - blocky
   - kif
   - loggy
   - rootbin_asf
   - rsync_asf
   - ssl::name::wildcard_apache_org
   - vhosts_asf::modules

 rsync_asf::cron_hour: 20
 rsync_asf::cron_minute: 07

 rsync_asf::fslist:
   - /x1

 apache::keepalive:          'On'
 apache::keepalive_timeout:  '30'
 apache::default_vhost:      true
 apache::docroot:            '/x1/gitbox/htdocs'
 apache::docroot_owner:      'git'

 apache::serveradmin:        'users@infra.apache.org'

 apache::mpm_module:         'event'
 apache::mod::event::listenbacklog: '511'
 apache::mod::event::maxclients: '250'
 apache::mod::event::maxconnectionsperchild: '250000'
 apache::mod::event::maxrequestworkers: '500'
 apache::mod::event::maxsparethreads: '250'
 apache::mod::event::minsparethreads: '150'
 apache::mod::event::serverlimit: '10'
 apache::mod::event::startservers: '5'
 apache::mod::event::threadlimit: '500'
 apache::mod::event::threadsperchild: '50'

 apache::mod::ssl::ssl_cipher: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'
 apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3']

 cron:
   # MFA: Collate MFA status for org members
   mfa:
     user: 'root'
     minute: [15]
     hour: '*'
     command: 'cd /x1/gitbox/matt/tools/ && python mfa.py'
   # Grouper: invite gitbox members to their repos/teams
   grouper:
     user: 'root'
     minute: [30]
     hour: '*'
     command: 'cd /x1/gitbox/matt/tools/ && python grouper.py'
   # GHAdd: Invite people to ASF GH Org based on LDAP
   ghadd:
     user: 'root'
     minute: [0]
     hour: '*'
     command: 'cd /x1/gitbox/matt/tools/ && python ghadd.py'
   # JSONStats: collect traffic stats from GH
   jsonstats:
     user: 'root'
     minute: [10]
     hour: '0'
     command: 'cd /x1/gitbox/matt/tools/ && python json-stats.py'


 base::gempackages:
   - 'r10k'
   - 'puppet-lint'

 python::python_pips:
   ezt:
     ensure: present


 logrotate::rule:
   apache2:
     ensure: 'present'
   grouper:
     ensure: 'present'
     path: '/x1/gitbox/matt/tools/grouper.log'
     copytruncate: true
     compress: true
     ifempty: true
     rotate: 7
     missingok: true
     rotate_every: 'day'

 vhosts_asf::modules::modules:
   sed:
     name: 'sed'
   cgi:
     name: 'cgi'
   lua:
     name: 'lua'

 gitbox::custom_fragment_80: |
       ServerAlias git-wip-us.apache.org
       <Directory /x1/git/htdocs>
        Require all granted
       </Directory>
       # Rewrite git.a.o repos to github
       RewriteEngine On
       RewriteCond "%%{}{HTTP_HOST}"  "^git\.apache\.org"
       RewriteRule ^/([^/]+\.git.*)$ https://github.com/apache/$1 [R=302]
       Redirect Permanent / https://gitbox.apache.org/

 gitbox::custom_fragment_443: |
       ServerName gitbox.apache.org
       Timeout 1200
       LuaScope conn
       LuaQuickHandler /var/www/rate-limit.lua before
       LuaHookLog /var/www/rate-limit.lua after
       SetEnv PATH /bin:/usr/bin:/usr/local/bin
       SetEnv ASFGIT_ADMIN /x1/gitbox/
       SetEnv WRITE_LOCK /etc/nocommit
       SetEnv AUTH_FILE /x1/gitbox/conf/auth.cfg
       SetEnv GIT_REPOS_ROOT /x1/repos
       Header set Access-Control-Allow-Origin "*"
       Header set Access-Control-Allow-Methods "POST, GET, OPTIONS"
       Header set Access-Control-Allow-Headers "X-PINGOTHER"
       Header set Access-Control-Max-Age "1728000"
       # Rewrite git.a.o repos to github
       RewriteEngine On
       RewriteCond "%%{}{HTTP_HOST}"  "^git\.apache\.org"
       RewriteRule ^/([^/]+\.git.*)$ https://github.com/apache/$1 [R=302]
       <Location /repos/>
           SetEnv WEB_HOST https://gitbox.apache.org
       </Location>
       <Location /stats/>
         AuthType Basic
         AuthName "ASF Committers"
         AuthBasicProvider ldap
         AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
         AuthLDAPGroupAttribute memberUid
         AuthLDAPGroupAttributeIsDN off
         Require ldap-attribute gidNumber=5000
         Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
         Require valid-user
       </Location>
       RewriteEngine On
       <LocationMatch "^/repos/asf">
         Require all denied
         <If "%%{}{QUERY_STRING} =~ /service=git-receive-pack/ || %%{}{REQUEST_URI} =~ /git-receive-pack$/">
           AuthType Basic
           AuthName "ASF Committers"
           AuthBasicProvider file ldap
           AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
           AuthLDAPGroupAttribute memberUid
           AuthLDAPGroupAttributeIsDN off
           # Fall back to auth file for role accounts
           AuthUserFile /x1/gitbox/auth/roleaccounts
           <RequireAny>
             <RequireAll>
               Require ldap-attribute gidNumber=5000
               Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
               Require valid-user
             </RequireAll>
             Require valid-user
           </RequireAny>
         </If>
         <Else>
                 Require all granted
         </Else>
       </LocationMatch>
       AliasMatch ^/logs/asf/(.+?)(?:\.git)?$ /x1/repos/asf/$1.git/ref-updates.log
       # Handlers for Github web hooks
       ScriptAliasMatch ^/([^/]+)\.cgi.*$ /x1/gitbox/cgi-bin/$1.cgi
       AcceptPathInfo On
       <Directory /x1/gitbox/cgi-bin>
           require all granted
           Options ExecCGI FollowSymlinks
           SetHandler cgi-script
       </Directory>
       # Perms for gitweb
       <Directory /usr/lib/cgi-bin>
           AllowOverride FileInfo
           require all granted
           Options ExecCGI FollowSymlinks
           SetHandler perl-script
           PerlResponseHandler ModPerl::Registry
           PerlOptions +ParseHeaders
       </Directory>
       AliasMatch /static/([^/]+) /usr/share/gitweb/static/$1
       AliasMatch ^/repos/(asf|svn)/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /x1/repos/$1/$2
       AliasMatch ^/repos/(asf|svn)/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /x1/repos/$1/$2
       # Block script kiddies
       RewriteCond %%{}{QUERY_STRING} (<|>|%3C|%3E)
       RewriteRule .* - [F,L,END]
       ScriptAliasMatch \
           "(?x)^/repos/([^/]+)/(.*/(HEAD | \
               info/refs | \
               objects/(info/[^/]+ | \
                   [0-9a-f]{2}/[0-9a-f]{38} | \
                   pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                   git-(upload|receive)-pack))$" \
           /usr/lib/git-core/git-http-backend/$2
       AliasMatch /repos/([^/]+/?)([^/<>]+) /usr/lib/cgi-bin/gitweb.cgi
       RewriteRule ^/repos/([^/]+)/$ /repos/$1 [R]
       RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?$ /repos/$1?p=$2.git [R]
       RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/commit/(.*)$ /repos/$1?p=$2.git;a=commit;h=$3 [R,NE]
       RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/tree/(.*)$ /repos/$1?p=$2.git;a=tree;hb=$3 [R,NE]
       RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/diff/(.*)$ /repos/$1?p=$2.git;a=commitdiff;h=$3 [R,NE]
       RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/blob/([^/]+)/(.*) /repos/$1?p=$2.git;a=blob;f=$4;hb=$3 [R,NE]

       # Bunch of rewrites for INFRA-17956
       RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=commitdiff.*?h=([a-f0-9]+)
       RewriteRule .* https://github.com/apache/%1/commit/%2/ [QSD]

       RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=history.*?;f=([^*].*?);.*?hb=([a-f0-9]+)
       RewriteRule .* https://github.com/apache/%1/commits/%3/%2/ [QSD]

       RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=blobdiff.*?hb=([a-f0-9]+)
       RewriteRule .* https://github.com/apache/%1/commit/%2/ [QSD]

       RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=tree.*?;h=([a-f0-9]+);hb=([a-f0-9]+)
       RewriteRule .* https://github.com/apache/%1/tree/%3/ [QSD]

       RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=patch.*?h=(.*)
       RewriteRule .* https://github.com/apache/%1/commit/%2.patch/ [QSD]

       # Redirect to static index when /repos/asf is requested
       RewriteCond %%{}{QUERY_STRING} ^$
       RewriteRule ^/repos/asf/?$ /x1/gitbox/htdocs/repos.html [L,END]
       SetEnv GIT_HTTP_EXPORT_ALL
       <Location /repos/asf>
           SetEnv GIT_PROJECT_ROOT /x1/repos/asf
           SetEnv GITWEB_CONFIG /x1/gitbox/conf/httpd/gitweb.asf.pl
       </Location>
       <Directory /x1/pushlogs>
           require all granted
       </Directory>
       Alias /logs/ /x1/pushlogs/
       # MATT UI
       <Directory /x1/gitbox/matt/site>
         Require all granted
       </Directory>
       Alias /setup /x1/gitbox/matt/site/
       <Location /setup>
           Options +ExecCGI
           AddHandler cgi-script .cgi
       </Location>
       # Mergebot GH Mappings file - mergebot-vm|vm2 only!!
       <Location /setup/ghmap.json>
         Require ip 62.210.60.243
       </Location>
       <LocationMatch "^/setup/(newrepo.*|resync.cgi)">
           AuthType Basic
           AuthName "ASF Committers"
           AuthBasicProvider ldap
           AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
           AuthLDAPGroupAttribute memberUid
           AuthLDAPGroupAttributeIsDN off
           Require ldap-attribute gidNumber=5000
           Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
           Require valid-user
       </LocationMatch>
       # Infra private area
       <Location /repos/private>
           SetEnv GIT_PROJECT_ROOT /x1/repos/private/
           SetEnv GITWEB_CONFIG /x1/gitbox/conf/httpd/gitweb.private.pl
           AuthType Basic
           AuthName "ASF Private Repos"
           AuthBasicProvider ldap
           AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
           AuthLDAPGroupAttribute member
           AuthLDAPGroupAttributeIsDN on
           Require ldap-group cn=infrastructure,ou=groups,ou=services,dc=apache,dc=org
       </Location>
	---
	classes:
	- apache
	- apache::mod::geoip
	- apache::mod::headers
	- apache::mod::perl
	- gitbox
	- gitbox::roleaccount
	- gitbox_mailer
	- gitbox_syncer
	- blocky
	- kif
	- loggy
	- rootbin_asf
	- rsync_asf
	- ssl::name::wildcard_apache_org
	- vhosts_asf::modules

	rsync_asf::cron_hour: 20
	rsync_asf::cron_minute: 07

	rsync_asf::fslist:
	- /x1

	apache::keepalive: 'On'
	apache::keepalive_timeout: '30'
	apache::default_vhost: true
	apache::docroot: '/x1/gitbox/htdocs'
	apache::docroot_owner: 'git'

	apache::serveradmin: 'users@infra.apache.org'

	apache::mpm_module: 'event'
	apache::mod::event::listenbacklog: '511'
	apache::mod::event::maxclients: '250'
	apache::mod::event::maxconnectionsperchild: '250000'
	apache::mod::event::maxrequestworkers: '500'
	apache::mod::event::maxsparethreads: '250'
	apache::mod::event::minsparethreads: '150'
	apache::mod::event::serverlimit: '10'
	apache::mod::event::startservers: '5'
	apache::mod::event::threadlimit: '500'
	apache::mod::event::threadsperchild: '50'

	apache::mod::ssl::ssl_cipher: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'
	apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3']

	cron:
	# MFA: Collate MFA status for org members
	mfa:
	user: 'root'
	minute: [15]
	hour: '*'
	command: 'cd /x1/gitbox/matt/tools/ && python mfa.py'
	# Grouper: invite gitbox members to their repos/teams
	grouper:
	user: 'root'
	minute: [30]
	hour: '*'
	command: 'cd /x1/gitbox/matt/tools/ && python grouper.py'
	# GHAdd: Invite people to ASF GH Org based on LDAP
	ghadd:
	user: 'root'
	minute: [0]
	hour: '*'
	command: 'cd /x1/gitbox/matt/tools/ && python ghadd.py'
	# JSONStats: collect traffic stats from GH
	jsonstats:
	user: 'root'
	minute: [10]
	hour: '0'
	command: 'cd /x1/gitbox/matt/tools/ && python json-stats.py'



	base::gempackages:
	- 'r10k'
	- 'puppet-lint'

	python::python_pips:
	ezt:
	ensure: present


	logrotate::rule:
	apache2:
	ensure: 'present'
	grouper:
	ensure: 'present'
	path: '/x1/gitbox/matt/tools/grouper.log'
	copytruncate: true
	compress: true
	ifempty: true
	rotate: 7
	missingok: true
	rotate_every: 'day'

	vhosts_asf::modules::modules:
	sed:
	name: 'sed'
	cgi:
	name: 'cgi'
	lua:
	name: 'lua'

	gitbox::custom_fragment_80: \|
	ServerAlias git-wip-us.apache.org
	<Directory /x1/git/htdocs>
	Require all granted
	</Directory>
	# Rewrite git.a.o repos to github
	RewriteEngine On
	RewriteCond "%%{}{HTTP_HOST}" "^git\.apache\.org"
	RewriteRule ^/([^/]+\.git.*)$ https://github.com/apache/$1 [R=302]
	Redirect Permanent / https://gitbox.apache.org/

	gitbox::custom_fragment_443: \|
	ServerName gitbox.apache.org
	Timeout 1200
	LuaScope conn
	LuaQuickHandler /var/www/rate-limit.lua before
	LuaHookLog /var/www/rate-limit.lua after
	SetEnv PATH /bin:/usr/bin:/usr/local/bin
	SetEnv ASFGIT_ADMIN /x1/gitbox/
	SetEnv WRITE_LOCK /etc/nocommit
	SetEnv AUTH_FILE /x1/gitbox/conf/auth.cfg
	SetEnv GIT_REPOS_ROOT /x1/repos
	Header set Access-Control-Allow-Origin "*"
	Header set Access-Control-Allow-Methods "POST, GET, OPTIONS"
	Header set Access-Control-Allow-Headers "X-PINGOTHER"
	Header set Access-Control-Max-Age "1728000"
	# Rewrite git.a.o repos to github
	RewriteEngine On
	RewriteCond "%%{}{HTTP_HOST}" "^git\.apache\.org"
	RewriteRule ^/([^/]+\.git.*)$ https://github.com/apache/$1 [R=302]
	<Location /repos/>
	SetEnv WEB_HOST https://gitbox.apache.org
	</Location>
	<Location /stats/>
	AuthType Basic
	AuthName "ASF Committers"
	AuthBasicProvider ldap
	AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
	AuthLDAPGroupAttribute memberUid
	AuthLDAPGroupAttributeIsDN off
	Require ldap-attribute gidNumber=5000
	Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
	Require valid-user
	</Location>
	RewriteEngine On
	<LocationMatch "^/repos/asf">
	Require all denied
	<If "%%{}{QUERY_STRING} =~ /service=git-receive-pack/ \|\| %%{}{REQUEST_URI} =~ /git-receive-pack$/">
	AuthType Basic
	AuthName "ASF Committers"
	AuthBasicProvider file ldap
	AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
	AuthLDAPGroupAttribute memberUid
	AuthLDAPGroupAttributeIsDN off
	# Fall back to auth file for role accounts
	AuthUserFile /x1/gitbox/auth/roleaccounts
	<RequireAny>
	<RequireAll>
	Require ldap-attribute gidNumber=5000
	Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
	Require valid-user
	</RequireAll>
	Require valid-user
	</RequireAny>
	</If>
	<Else>
	Require all granted
	</Else>
	</LocationMatch>
	AliasMatch ^/logs/asf/(.+?)(?:\.git)?$ /x1/repos/asf/$1.git/ref-updates.log
	# Handlers for Github web hooks
	ScriptAliasMatch ^/([^/]+)\.cgi.*$ /x1/gitbox/cgi-bin/$1.cgi
	AcceptPathInfo On
	<Directory /x1/gitbox/cgi-bin>
	require all granted
	Options ExecCGI FollowSymlinks
	SetHandler cgi-script
	</Directory>
	# Perms for gitweb
	<Directory /usr/lib/cgi-bin>
	AllowOverride FileInfo
	require all granted
	Options ExecCGI FollowSymlinks
	SetHandler perl-script
	PerlResponseHandler ModPerl::Registry
	PerlOptions +ParseHeaders
	</Directory>
	AliasMatch /static/([^/]+) /usr/share/gitweb/static/$1
	AliasMatch ^/repos/(asf\|svn)/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /x1/repos/$1/$2
	AliasMatch ^/repos/(asf\|svn)/(.*/objects/pack/pack-[0-9a-f]{40}.(pack\|idx))$ /x1/repos/$1/$2
	# Block script kiddies
	RewriteCond %%{}{QUERY_STRING} (<\|>\|%3C\|%3E)
	RewriteRule .* - [F,L,END]
	ScriptAliasMatch \
	"(?x)^/repos/([^/]+)/(.*/(HEAD \| \
	info/refs \| \
	objects/(info/[^/]+ \| \
	[0-9a-f]{2}/[0-9a-f]{38} \| \
	pack/pack-[0-9a-f]{40}\.(pack\|idx)) \| \
	git-(upload\|receive)-pack))$" \
	/usr/lib/git-core/git-http-backend/$2
	AliasMatch /repos/([^/]+/?)([^/<>]+) /usr/lib/cgi-bin/gitweb.cgi
	RewriteRule ^/repos/([^/]+)/$ /repos/$1 [R]
	RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?$ /repos/$1?p=$2.git [R]
	RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/commit/(.*)$ /repos/$1?p=$2.git;a=commit;h=$3 [R,NE]
	RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/tree/(.*)$ /repos/$1?p=$2.git;a=tree;hb=$3 [R,NE]
	RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/diff/(.*)$ /repos/$1?p=$2.git;a=commitdiff;h=$3 [R,NE]
	RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/blob/([^/]+)/(.*) /repos/$1?p=$2.git;a=blob;f=$4;hb=$3 [R,NE]

	# Bunch of rewrites for INFRA-17956
	RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=commitdiff.*?h=([a-f0-9]+)
	RewriteRule .* https://github.com/apache/%1/commit/%2/ [QSD]

	RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=history.?;f=([^].?);.?hb=([a-f0-9]+)
	RewriteRule .* https://github.com/apache/%1/commits/%3/%2/ [QSD]

	RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=blobdiff.*?hb=([a-f0-9]+)
	RewriteRule .* https://github.com/apache/%1/commit/%2/ [QSD]

	RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=tree.*?;h=([a-f0-9]+);hb=([a-f0-9]+)
	RewriteRule .* https://github.com/apache/%1/tree/%3/ [QSD]

	RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=patch.?h=(.)
	RewriteRule .* https://github.com/apache/%1/commit/%2.patch/ [QSD]

	# Redirect to static index when /repos/asf is requested
	RewriteCond %%{}{QUERY_STRING} ^$
	RewriteRule ^/repos/asf/?$ /x1/gitbox/htdocs/repos.html [L,END]
	SetEnv GIT_HTTP_EXPORT_ALL
	<Location /repos/asf>
	SetEnv GIT_PROJECT_ROOT /x1/repos/asf
	SetEnv GITWEB_CONFIG /x1/gitbox/conf/httpd/gitweb.asf.pl
	</Location>
	<Directory /x1/pushlogs>
	require all granted
	</Directory>
	Alias /logs/ /x1/pushlogs/
	# MATT UI
	<Directory /x1/gitbox/matt/site>
	Require all granted
	</Directory>
	Alias /setup /x1/gitbox/matt/site/
	<Location /setup>
	Options +ExecCGI
	AddHandler cgi-script .cgi
	</Location>
	# Mergebot GH Mappings file - mergebot-vm\|vm2 only!!
	<Location /setup/ghmap.json>
	Require ip 62.210.60.243
	</Location>
	<LocationMatch "^/setup/(newrepo.*\|resync.cgi)">
	AuthType Basic
	AuthName "ASF Committers"
	AuthBasicProvider ldap
	AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
	AuthLDAPGroupAttribute memberUid
	AuthLDAPGroupAttributeIsDN off
	Require ldap-attribute gidNumber=5000
	Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
	Require valid-user
	</LocationMatch>
	# Infra private area
	<Location /repos/private>
	SetEnv GIT_PROJECT_ROOT /x1/repos/private/
	SetEnv GITWEB_CONFIG /x1/gitbox/conf/httpd/gitweb.private.pl
	AuthType Basic
	AuthName "ASF Private Repos"
	AuthBasicProvider ldap
	AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
	AuthLDAPGroupAttribute member
	AuthLDAPGroupAttributeIsDN on
	Require ldap-group cn=infrastructure,ou=groups,ou=services,dc=apache,dc=org
	</Location>