diff --git a/manifests/site.pp b/manifests/site.pp
index 0433f855fe..b0b489c825 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -695,6 +695,15 @@ node /^files\d*\.openstack\.org$/ {
docs_chain_file_contents => hiera('docs_chain_file_contents'),
require => Class['Openstack_project::Server'],
}
+
+ openstack_project::website { 'zuul-ci.org':
+ aliases => ['www.zuul-ci.org'],
+ ssl_cert => hiera('zuul-ci_org_ssl_cert'),
+ ssl_key => hiera('zuul-ci_org_ssl_key'),
+ ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
+ require => Class['openstack_project::files'],
+ }
+
}
# Node-OS: trusty
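Review bot: The `aliases => ['www.zuul-ci.org']` line has a certificate requirement that the new resource does not document. The template added in this change emits the alias as a ServerAlias in the TLS vhost, so the certificate stored under `zuul-ci_org_ssl_cert` has to list www.zuul-ci.org as a subject alternative name; otherwise clients reaching the alias over HTTPS get a name mismatch. I would add a comment above the resource, such as `# cert in hiera must cover zuul-ci.org and www.zuul-ci.org (both served on the TLS vhost)`. As a style point, the new `Class['openstack_project::files']` reference is lower-case while the existing `Class['Openstack_project::Server']` just above is capitalised; one form throughout the node block would be easier to read.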
diff --git a/modules/openstack_project/manifests/website.pp b/modules/openstack_project/manifests/website.pp
new file mode 100644
index 0000000000..50c1a594a8
--- /dev/null
+++ b/modules/openstack_project/manifests/website.pp
@@ -0,0 +1,59 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+define openstack_project::website (
+ $aliases = undef,
+ $ssl_cert = undef,
+ $ssl_key = undef,
+ $ssl_intermediate = undef,
+ $template = 'openstack_project/website.vhost.erb',
+) {
+
+ $afs_root = '/afs/openstack.org/'
+
+ ::httpd::vhost { $name:
+ serveraliases => $aliases,
+ port => 443, # Is required despite not being used.
+ docroot => "${afs_root}/project/${name}/www",
+ priority => '50',
+ template => $template,
+ }
+
+ file { "/etc/ssl/certs/$name.pem":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $ssl_cert,
+ require => File['/etc/ssl/certs'],
+ }
+
+ file { "/etc/ssl/private/$name.key":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $ssl_key,
+ require => File['/etc/ssl/private'],
+ }
+
+ file { "/etc/ssl/certs/$name_intermediate.pem":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $ssl_intermediate,
+ require => File['/etc/ssl/certs'],
+ }
+}
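Review bot: The third file resource title, `"/etc/ssl/certs/$name_intermediate.pem"`, interpolates a variable named `$name_intermediate` rather than `$name`, because underscores are valid in Puppet variable names. That variable is never defined in this define, so the chain file will not land at the `<name>_intermediate.pem` path that the vhost template's SSLCertificateChainFile line points to. Brace the variable: `file { "/etc/ssl/certs/${name}_intermediate.pem":`, and use `${name}` in the `.pem` and `.key` titles for consistency. Separately, `$ssl_cert`, `$ssl_key` and `$ssl_intermediate` default to undef while the files use `ensure => present`, so a caller that omits them presumably gets files with unmanaged content and a vhost that cannot load its key. Making the three parameters required, or failing when one is unset, would catch that at catalog compile time.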
diff --git a/modules/openstack_project/templates/website.vhost.erb b/modules/openstack_project/templates/website.vhost.erb
new file mode 100644
index 0000000000..aa99804309
--- /dev/null
+++ b/modules/openstack_project/templates/website.vhost.erb
@@ -0,0 +1,60 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @srvname %>
+ <% if @serveraliases.is_a? Array -%>
+ <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+ <% elsif @serveraliases != nil -%>
+ <%= " ServerAlias #{@serveraliases}" -%>
+ <% end -%>
+
+ RewriteEngine on
+ RewriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
+
+ ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+ LogLevel warn
+ CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName <%= @srvname %>
+ <% if @serveraliases.is_a? Array -%>
+ <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+ <% elsif @serveraliases != nil -%>
+ <%= " ServerAlias #{@serveraliases}" -%>
+ <% end -%>
+
+ RewriteEngine on
+
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+ SSLCertificateChainFile /etc/ssl/certs/<%= @name %>_intermediate.pem
+
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ AllowOverride None
+ # Allow mod_rewrite rules
+ AllowOverrideList Redirect RedirectMatch
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+ LogLevel warn
+ CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+ ServerSignature Off
+
+
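Review bot: `SSLProtocol All -SSLv2 -SSLv3` in the TLS vhost still lets clients negotiate TLS 1.0 and 1.1; if the expected clients allow it, `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` restricts the site to TLS 1.2 and later. In the SSLCipherSuite string, `!AES256` permanently removes every AES-256 suite, so the `ECDH+AES256` and `DH+AES256` entries before it have no effect. Drop either `!AES256` or those two entries so the string states what is actually offered. `Options Indexes FollowSymLinks MultiViews` enables directory listings and symlink traversal under the AFS docroot, which is worth confirming as intended for a project website rather than a file mirror. The VirtualHost and Directory container lines are not visible in this copy of the hunk, so which vhost each directive belongs to is inferred from directive order.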