Ori.livneh has submitted this change and it was merged.

Change subject: Provision a "staging" microsite for the transparency report
......................................................................


Provision a "staging" microsite for the transparency report

Provision a private microsite of the transparency report, served under /private
from files in the private transparency report Gerrit repository.

Bug: T138197
Change-Id: If35ba69c2c295c29b24b81f023e8954ae29e4e89
---
M modules/role/manifests/microsites/transparency.pp
M templates/apache/sites/transparency.wikimedia.org.erb
2 files changed, 43 insertions(+), 0 deletions(-)

Approvals:
  Ori.livneh: Verified; Looks good to me, approved



diff --git a/modules/role/manifests/microsites/transparency.pp 
b/modules/role/manifests/microsites/transparency.pp
index e031b8a..221ab5a 100644
--- a/modules/role/manifests/microsites/transparency.pp
+++ b/modules/role/manifests/microsites/transparency.pp
@@ -5,18 +5,48 @@
 #
 class role::microsites::transparency {
     include ::apache
+    include ::apache::mod::authnz_ldap
     include ::apache::mod::rewrite
     include ::apache::mod::headers
+
+    include ::passwords::misc::private_static_site
+    include ::passwords::ldap::production
+
     include base::firewall
 
     $repo_dir = '/srv/org/wikimedia/TransparencyReport'
     $docroot  = "${repo_dir}/build"
 
+    $private_repo_dir = "${repo_dir}-private"
+    $private_docroot = "${private_repo_dir}/build"
+
     git::clone { 'wikimedia/TransparencyReport':
         ensure    => latest,
         directory => $repo_dir,
     }
 
+    $user = $passwords::misc::private_static_site::user
+    $pass = $passwords::misc::private_static_site::pass
+
+    git::clone { 'wikimedia/TransparencyReport-private':
+        ensure    => latest,
+        origin    => 
"https://${user}:${pass}@gerrit.wikimedia.org/r/wikimedia/TransparencyReport-private";,
+        directory => $private_repo_dir,
+    }
+
+    # LDAP configuration. Interpolated into the Apache site template
+    # to provide mod_authnz_ldap-based user authentication.
+    $auth_ldap = {
+        name          => 'ops/wmf',
+        bind_dn       => 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org',
+        bind_password => $passwords::ldap::production::proxypass,
+        url           => 'ldaps://ldap-labs.eqiad.wikimedia.org 
ldap-labs.codfw.wikimedia.org/ou=people,dc=wikimedia,dc=org?cn',
+        groups        => [
+            'cn=ops,ou=groups,dc=wikimedia,dc=org',
+            'cn=wmf,ou=groups,dc=wikimedia,dc=org',
+        ],
+    }
+
     apache::site { 'transparency.wikimedia.org':
         content => template('apache/sites/transparency.wikimedia.org.erb'),
     }
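Review bot: The `origin` of the new `git::clone` embeds `${user}:${pass}` in the URL, so the password will be stored in plaintext in `.git/config` under `$private_repo_dir`. It is presumably also passed on the git command line, where it could show up in process listings or in Puppet run output if the clone fails. A credential helper or a read-only SSH deploy key would let the origin stay a plain `https://gerrit.wikimedia.org/r/wikimedia/TransparencyReport-private` URL. If the URL form is kept, the password needs URL-encoding and the clone directory should not be readable by other local users. The `.git` directory sits beside `build` and outside the aliased docroot, so it is not served as written; a comment such as `# $private_docroot must stay a subdirectory of the clone so .git (which holds the credentials) is never web-accessible` would record that dependency.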
diff --git a/templates/apache/sites/transparency.wikimedia.org.erb 
b/templates/apache/sites/transparency.wikimedia.org.erb
index b733ee2..ad38f28 100644
--- a/templates/apache/sites/transparency.wikimedia.org.erb
+++ b/templates/apache/sites/transparency.wikimedia.org.erb
@@ -4,8 +4,21 @@
 <VirtualHost *:80>
     ServerName transparency.wikimedia.org
     DocumentRoot <%= @docroot %>
+    Alias /private <%= @private_docroot %>
 
     <Directory <%= @docroot %>>
         Require all granted
     </Directory>
+
+    <Directory <%= @private_docroot%>>
+      AuthName "<%= @auth_ldap['name'] %>"
+      AuthType Basic
+      AuthBasicProvider ldap
+      AuthLDAPBindDN <%= @auth_ldap['bind_dn'] %>
+      AuthLDAPBindPassword <%= @auth_ldap['bind_password'] %>
+      AuthLDAPURL "<%= @auth_ldap['url'] %>"
+      <% @auth_ldap['groups'].each do |group| -%>
+      Require ldap-group <%= group %>
+      <% end -%>
+    </Directory>
 </VirtualHost>
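Review bot: The new `<Directory>` block turns on `AuthType Basic` inside `<VirtualHost *:80>`, so LDAP passwords of ops/wmf members reach this host unencrypted unless TLS is terminated in front of it, which the hunk does not show. If a TLS terminator does sit in front, plain-HTTP requests for /private could be refused here with something like `Require expr "%{HTTP:X-Forwarded-Proto} == 'https'"`, wrapped in a `<RequireAll>` together with a `<RequireAny>` around the two `Require ldap-group` lines; the header name depends on the front end. `AuthLDAPBindPassword` is emitted unquoted, so a password containing whitespace would break the config. Writing it as `AuthLDAPBindPassword "<%= @auth_ldap['bind_password'] %>"` matches the quoting already used for AuthName and AuthLDAPURL. The rendered site file now holds the bind password, so it should not be world-readable.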

-- 
To view, visit https://gerrit.wikimedia.org/r/295192

Gerrit-MessageType: merged
Gerrit-Change-Id: If35ba69c2c295c29b24b81f023e8954ae29e4e89
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
