---
# Classes listed for this node (Puppet-style `module::class` names).
classes:
  - apache
  - apache::mod::geoip
  - apache::mod::headers
  - apache::mod::perl
  - gitbox
  - gitbox::roleaccount
  - gitbox_mailer
  - gitbox_syncer
  - blocky
  - kif
  - loggy
  - rootbin_asf
  - rsync_asf
  - ssl::name::wildcard_apache_org
  - vhosts_asf::modules
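# rsync_asf settings. cron_hour / cron_minute look like the schedule fields
# of the rsync job (20:07) — confirm against the rsync_asf class.
rsync_asf::cron_hour: 20
# Written without a leading zero. `07` still loads as 7, but it is read as
# octal by YAML 1.1 parsers, and the same habit breaks on values such as
# 08 or 09, which are not valid octal and may load as strings instead.
rsync_asf::cron_minute: 7
# Filesystem paths handed to rsync_asf.
rsync_asf::fslist:
  - /x1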
# Apache core settings.
apache::keepalive: 'On'
apache::keepalive_timeout: '30'
apache::default_vhost: true
apache::docroot: '/x1/gitbox/htdocs'
apache::docroot_owner: 'git'
apache::serveradmin: 'users@infra.apache.org'

# Event MPM sizing. Values are quoted strings, exactly as given.
# serverlimit (10) x threadsperchild (50) matches maxrequestworkers (500).
# NOTE(review): maxclients is the legacy httpd name for MaxRequestWorkers,
# and the two values here differ (250 vs 500) — confirm which one the
# module template actually emits.
apache::mpm_module: 'event'
apache::mod::event::listenbacklog: '511'
apache::mod::event::maxclients: '250'
apache::mod::event::maxconnectionsperchild: '250000'
apache::mod::event::maxrequestworkers: '500'
apache::mod::event::maxsparethreads: '250'
apache::mod::event::minsparethreads: '150'
apache::mod::event::serverlimit: '10'
apache::mod::event::startservers: '5'
apache::mod::event::threadlimit: '500'
apache::mod::event::threadsperchild: '50'

# TLS policy.
# NOTE(review): `all` minus SSLv2/SSLv3 leaves TLSv1.0 and TLSv1.1 enabled
# wherever the linked OpenSSL still offers them, and MEDIUM admits weaker
# suites than HIGH alone. Consider restricting to TLSv1.2+ and HIGH/AEAD
# suites once compatibility with older git clients has been checked.
apache::mod::ssl::ssl_cipher: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'
apache::mod::ssl::ssl_protocol:
  - 'all'
  - '-SSLv2'
  - '-SSLv3'
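# Scheduled jobs for the gitbox helper tools. Nesting restored: each job is
# a mapping under `cron`, with its user/minute/hour/command beneath it.
# mfa, grouper and ghadd run hourly (hour '*'); jsonstats runs once a day
# at 00:10.
#
# NOTE(review): every job runs as root and executes a script from
# /x1/gitbox/matt/tools/. Verify that this directory and the scripts in it
# are root-owned and not writable by the git or web-server accounts;
# otherwise write access there amounts to root. `python` is resolved through
# cron's PATH rather than an absolute path. If the scripts do not need root,
# a dedicated unprivileged account would reduce the exposure.
cron:
  # MFA: Collate MFA status for org members
  mfa:
    user: 'root'
    minute: [15]
    hour: '*'
    command: 'cd /x1/gitbox/matt/tools/ && python mfa.py'
  # Grouper: invite gitbox members to their repos/teams
  grouper:
    user: 'root'
    minute: [30]
    hour: '*'
    command: 'cd /x1/gitbox/matt/tools/ && python grouper.py'
  # GHAdd: Invite people to ASF GH Org based on LDAP
  ghadd:
    user: 'root'
    minute: [0]
    hour: '*'
    command: 'cd /x1/gitbox/matt/tools/ && python ghadd.py'
  # JSONStats: collect traffic stats from GH
  jsonstats:
    user: 'root'
    minute: [10]
    hour: '0'
    command: 'cd /x1/gitbox/matt/tools/ && python json-stats.py'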
# Ruby gems requested through base::gempackages.
# NOTE(review): no versions are given here; unless they are pinned
# elsewhere, installs follow whatever the gem source serves at run time.
base::gempackages:
  - 'r10k'
  - 'puppet-lint'
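# Python packages requested through python::python_pips. Nesting restored:
# `ezt` is the package entry and `ensure` is its attribute.
# NOTE(review): `present` requests no particular version — confirm whether
# a pin is applied elsewhere.
python::python_pips:
  ezt:
    ensure: present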
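# Logrotate rules. Nesting restored: `apache2` and `grouper` are separate
# rules, and path/copytruncate/... belong to `grouper`.
logrotate::rule:
  apache2:
    ensure: 'present'
  # Daily rotation of the grouper log, keeping 7 compressed copies.
  # copytruncate truncates the file in place instead of moving it.
  # NOTE(review): the log sits in /x1/gitbox/matt/tools/, the same directory
  # as the scripts run by the cron jobs — check its ownership and mode.
  grouper:
    ensure: 'present'
    path: '/x1/gitbox/matt/tools/grouper.log'
    copytruncate: true
    compress: true
    ifempty: true
    rotate: 7
    missingok: true
    rotate_every: 'day'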
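# Extra Apache modules requested through vhosts_asf::modules. Nesting
# restored: one entry per module, each with a `name` attribute.
# The vhost fragments in this file use CGI handlers and Lua hooks, which is
# presumably why cgi and lua are listed.
vhosts_asf::modules::modules:
  sed:
    name: 'sed'
  cgi:
    name: 'cgi'
  lua:
    name: 'lua'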
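# Apache vhost fragment, presumably for the plain-HTTP (port 80) vhost —
# confirm in the gitbox class. Block-scalar indentation restored; the
# directives themselves are unchanged.
# `%%{}{NAME}` is the usual Hiera idiom for a literal Apache `%{NAME}`:
# `%{}` interpolates to an empty string.
# Requests for git.apache.org repositories get a 302 to GitHub; everything
# else is permanently redirected to https://gitbox.apache.org/.
# NOTE(review): the <Directory> path (/x1/git/htdocs) differs from
# apache::docroot (/x1/gitbox/htdocs) — confirm that is intended.
gitbox::custom_fragment_80: |
  ServerAlias git-wip-us.apache.org
  <Directory /x1/git/htdocs>
    Require all granted
  </Directory>
  # Rewrite git.a.o repos to github
  RewriteEngine On
  RewriteCond "%%{}{HTTP_HOST}" "^git\.apache\.org"
  RewriteRule ^/([^/]+\.git.*)$ https://github.com/apache/$1 [R=302]
  Redirect Permanent / https://gitbox.apache.org/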
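# Apache vhost fragment for gitbox.apache.org, presumably the TLS (port 443)
# vhost — confirm in the gitbox class. Block-scalar indentation restored;
# the directives themselves are unchanged.
# `%%{}{NAME}` is the usual Hiera idiom for a literal Apache `%{NAME}`:
# `%{}` interpolates to an empty string.
#
# NOTE(review), access control:
# - <Location /stats/> and <LocationMatch "^/setup/(newrepo.*|resync.cgi)">
#   each list three bare `Require` lines. httpd 2.4 treats bare Require
#   lines in one section as an implicit <RequireAny>, so `Require valid-user`
#   alone satisfies them and the gidNumber / committers-group lines add
#   nothing. If committers-only access is intended, wrap the lines in
#   <RequireAll> (or drop `Require valid-user`) and test with a real
#   committer account before rollout.
# - The git-receive-pack <If> block has the same effect: the outer
#   `Require valid-user` inside <RequireAny> admits any account that
#   authenticates through the role-account file or LDAP, so the
#   <RequireAll> branch never decides. Push authorization then rests on
#   whatever runs behind git-http-backend (AUTH_FILE / hooks, presumably) —
#   confirm that per-repository checks are enforced there.
# - `SetEnv GIT_HTTP_EXPORT_ALL` serves every repository under
#   GIT_PROJECT_ROOT; /repos/private relies solely on its <Location> auth.
# - /setup/ghmap.json is restricted by source IP only.
# - The *.cgi handlers under /x1/gitbox/cgi-bin and /setup are reachable
#   without authentication (except newrepo* / resync.cgi); any request
#   verification, such as webhook signature checks, has to happen inside
#   the scripts — confirm.
#
# NOTE(review), hardening:
# - The QUERY_STRING filter for < > %3C %3E is a case-sensitive blocklist
#   (no [NC]); treat it as defence in depth, not as a substitute for output
#   encoding in gitweb and the CGIs.
# - `Access-Control-Allow-Origin "*"` applies to the whole vhost, including
#   the authenticated locations.
# - `Timeout 1200` keeps slow connections open for up to 20 minutes;
#   presumably needed for large pushes, but it leans on the Lua rate limiter.
# - In the pack-file AliasMatch the dot before (pack|idx) is unescaped.
gitbox::custom_fragment_443: |
  ServerName gitbox.apache.org
  Timeout 1200
  LuaScope conn
  LuaQuickHandler /var/www/rate-limit.lua before
  LuaHookLog /var/www/rate-limit.lua after
  SetEnv PATH /bin:/usr/bin:/usr/local/bin
  SetEnv ASFGIT_ADMIN /x1/gitbox/
  SetEnv WRITE_LOCK /etc/nocommit
  SetEnv AUTH_FILE /x1/gitbox/conf/auth.cfg
  SetEnv GIT_REPOS_ROOT /x1/repos
  Header set Access-Control-Allow-Origin "*"
  Header set Access-Control-Allow-Methods "POST, GET, OPTIONS"
  Header set Access-Control-Allow-Headers "X-PINGOTHER"
  Header set Access-Control-Max-Age "1728000"
  # Rewrite git.a.o repos to github
  RewriteEngine On
  RewriteCond "%%{}{HTTP_HOST}" "^git\.apache\.org"
  RewriteRule ^/([^/]+\.git.*)$ https://github.com/apache/$1 [R=302]
  <Location /repos/>
    SetEnv WEB_HOST https://gitbox.apache.org
  </Location>
  <Location /stats/>
    AuthType Basic
    AuthName "ASF Committers"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-attribute gidNumber=5000
    Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
    Require valid-user
  </Location>
  RewriteEngine On
  <LocationMatch "^/repos/asf">
    Require all denied
    <If "%%{}{QUERY_STRING} =~ /service=git-receive-pack/ || %%{}{REQUEST_URI} =~ /git-receive-pack$/">
      AuthType Basic
      AuthName "ASF Committers"
      AuthBasicProvider file ldap
      AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
      AuthLDAPGroupAttribute memberUid
      AuthLDAPGroupAttributeIsDN off
      # Fall back to auth file for role accounts
      AuthUserFile /x1/gitbox/auth/roleaccounts
      <RequireAny>
        <RequireAll>
          Require ldap-attribute gidNumber=5000
          Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
          Require valid-user
        </RequireAll>
        Require valid-user
      </RequireAny>
    </If>
    <Else>
      Require all granted
    </Else>
  </LocationMatch>
  AliasMatch ^/logs/asf/(.+?)(?:\.git)?$ /x1/repos/asf/$1.git/ref-updates.log
  # Handlers for Github web hooks
  ScriptAliasMatch ^/([^/]+)\.cgi.*$ /x1/gitbox/cgi-bin/$1.cgi
  AcceptPathInfo On
  <Directory /x1/gitbox/cgi-bin>
    require all granted
    Options ExecCGI FollowSymlinks
    SetHandler cgi-script
  </Directory>
  # Perms for gitweb
  <Directory /usr/lib/cgi-bin>
    AllowOverride FileInfo
    require all granted
    Options ExecCGI FollowSymlinks
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
  </Directory>
  AliasMatch /static/([^/]+) /usr/share/gitweb/static/$1
  AliasMatch ^/repos/(asf|svn)/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /x1/repos/$1/$2
  AliasMatch ^/repos/(asf|svn)/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /x1/repos/$1/$2
  # Block script kiddies
  RewriteCond %%{}{QUERY_STRING} (<|>|%3C|%3E)
  RewriteRule .* - [F,L,END]
  ScriptAliasMatch \
    "(?x)^/repos/([^/]+)/(.*/(HEAD | \
    info/refs | \
    objects/(info/[^/]+ | \
    [0-9a-f]{2}/[0-9a-f]{38} | \
    pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
    git-(upload|receive)-pack))$" \
    /usr/lib/git-core/git-http-backend/$2
  AliasMatch /repos/([^/]+/?)([^/<>]+) /usr/lib/cgi-bin/gitweb.cgi
  RewriteRule ^/repos/([^/]+)/$ /repos/$1 [R]
  RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?$ /repos/$1?p=$2.git [R]
  RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/commit/(.*)$ /repos/$1?p=$2.git;a=commit;h=$3 [R,NE]
  RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/tree/(.*)$ /repos/$1?p=$2.git;a=tree;hb=$3 [R,NE]
  RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/diff/(.*)$ /repos/$1?p=$2.git;a=commitdiff;h=$3 [R,NE]
  RewriteRule ^/repos/([^/]+)/([^/]+?)(?:\.git)?/blob/([^/]+)/(.*) /repos/$1?p=$2.git;a=blob;f=$4;hb=$3 [R,NE]
  # Bunch of rewrites for INFRA-17956
  RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=commitdiff.*?h=([a-f0-9]+)
  RewriteRule .* https://github.com/apache/%1/commit/%2 [QSD]
  RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=history.*?;f=([^*].*?);.*?hb=([a-f0-9]+)
  RewriteRule .* https://github.com/apache/%1/commits/%3/%2 [QSD]
  RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=blobdiff.*?hb=([a-f0-9]+)
  RewriteRule .* https://github.com/apache/%1/commit/%2 [QSD]
  RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=tree.*?;h=([a-f0-9]+);hb=([a-f0-9]+)
  RewriteRule .* https://github.com/apache/%1/tree/%3 [QSD]
  RewriteCond %%{}{QUERY_STRING} p=([^;.]+)\.git;a=patch.*?h=(.*)
  RewriteRule .* https://github.com/apache/%1/commit/%2.patch [QSD]
  # Redirect to static index when /repos/asf is requested
  RewriteCond %%{}{QUERY_STRING} ^$
  RewriteRule ^/repos/asf/?$ /x1/gitbox/htdocs/repos.html [L,END]
  SetEnv GIT_HTTP_EXPORT_ALL
  <Location /repos/asf>
    SetEnv GIT_PROJECT_ROOT /x1/repos/asf
    SetEnv GITWEB_CONFIG /x1/gitbox/conf/httpd/gitweb.asf.pl
  </Location>
  <Directory /x1/pushlogs>
    require all granted
  </Directory>
  Alias /logs/ /x1/pushlogs/
  # MATT UI
  <Directory /x1/gitbox/matt/site>
    Require all granted
  </Directory>
  Alias /setup /x1/gitbox/matt/site/
  <Location /setup>
    Options +ExecCGI
    AddHandler cgi-script .cgi
  </Location>
  # Mergebot GH Mappings file - mergebot-vm|vm2 only!!
  <Location /setup/ghmap.json>
    Require ip 62.210.60.243
  </Location>
  <LocationMatch "^/setup/(newrepo.*|resync.cgi)">
    AuthType Basic
    AuthName "ASF Committers"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-attribute gidNumber=5000
    Require ldap-group cn=committers,ou=groups,dc=apache,dc=org
    Require valid-user
  </LocationMatch>
  # Infra private area
  <Location /repos/private>
    SetEnv GIT_PROJECT_ROOT /x1/repos/private/
    SetEnv GITWEB_CONFIG /x1/gitbox/conf/httpd/gitweb.private.pl
    AuthType Basic
    AuthName "ASF Private Repos"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://ldap-us-ro.apache.org/ou=people,dc=apache,dc=org?uid"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=infrastructure,ou=groups,ou=services,dc=apache,dc=org
  </Location>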