authorRalph Bean <rbean@redhat.com>2014-12-17 16:10:54 +0000
committerRalph Bean <rbean@redhat.com>2014-12-17 16:10:54 +0000
commit237882207eb165808a1b36c1e17ea79d1fefef7c (patch)
tree3c377c4f68adcbf33df34d12c063a8cb6121ea68 /roles/fedmsg/crl
parent7bb515f0d1d6c2ad2eb7a9a9fe1e990b9beaa012 (diff)
Proxy config for gather-easyfix and fedmsg-crl.
Diffstat (limited to 'roles/fedmsg/crl')
-rw-r--r--roles/fedmsg/crl/tasks/main.yml44
-rw-r--r--roles/fedmsg/crl/templates/fedmsg.conf6
2 files changed, 50 insertions, 0 deletions
diff --git a/roles/fedmsg/crl/tasks/main.yml b/roles/fedmsg/crl/tasks/main.yml
new file mode 100644
index 000000000..965065f06
--- /dev/null
+++ b/roles/fedmsg/crl/tasks/main.yml
@@ -0,0 +1,44 @@
+# fedmsg has a relatively static CRL (certificate revocation list) that
+# needs to be publicly accessible. We pull it here from the private
+# repo and throw it into fedoraproject.org/fedmsg/crl.pem
+# See http://infrastructure.fedoraproject.org/infra/docs/fedmsg-certs.txt
+
+- name: Ensure dir for content exists
+ file: dest=/srv/web/fedmsg owner=root group=root mode=0755 state=directory
+ tags:
+ - fedmsg
+ - fedmsg/crl
+ - fedmsg/proxy
+
+- name: Copy over our crl from the private repo
+ copy: >
+ src={{private}}/fedmsg-certs/keys/crl.pem dest=/srv/web/fedmsg/crl.pem
+ owner=root group=root mode=0644
+ tags:
+ - fedmsg
+ - fedmsg/crl
+ - fedmsg/proxy
+
+# Also expose the ca cert. Everybody gets this and can read it. Public!
+# End users (fedmsg-notify) need it to be able to validate our outbound
+# messages.
+- name: Copy over our crl from the private repo
+ copy: >
+ src={{private}}/fedmsg-certs/keys/crl.pem dest=/srv/web/fedmsg/crl.pem
+ owner=root group=root mode=0644
+ tags:
+ - fedmsg
+ - fedmsg/crl
+ - fedmsg/proxy
+
+- name: Put the proxy config in place
+ template: >
+ src=fedmsg.conf
+ dest=/etc/httpd/conf.d/{{website}}/fedmsg.conf
+ owner=root group=root mode=0644
+ notify:
+ - restart httpd
+ tags:
+ - fedmsg
+ - fedmsg/crl
+ - fedmsg/proxy
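Review bot: The third task, under the comment "Also expose the ca cert", is an exact repeat of the CRL copy above it: same name, same `src={{private}}/fedmsg-certs/keys/crl.pem`, same `dest=/srv/web/fedmsg/crl.pem`. As written, this role never publishes the CA certificate that the comment says end users need to validate outbound messages. Rename the task to `- name: Copy over our ca cert from the private repo` and point it at the certificate, e.g. `src={{private}}/fedmsg-certs/keys/<CA_CERT_FILE> dest=/srv/web/fedmsg/<CA_CERT_FILE>` (placeholder, since the real filename is not visible in this diff). Because the source is a `keys/` directory in the private repo, keep naming the single certificate file explicitly rather than copying a directory or glob, so the CA private key cannot end up in the web root.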
diff --git a/roles/fedmsg/crl/templates/fedmsg.conf b/roles/fedmsg/crl/templates/fedmsg.conf
new file mode 100644
index 000000000..39f1bb56b
--- /dev/null
+++ b/roles/fedmsg/crl/templates/fedmsg.conf
@@ -0,0 +1,6 @@
+Alias {{path}} /srv/web/fedmsg
+
+<Directory /srv/web/fedmsg>
+ Options Indexes
+ AllowOverride None
+</Directory>
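Review bot: `Options Indexes` turns on auto-generated directory listings for /srv/web/fedmsg, so any file that ever lands there is advertised and downloadable, not only crl.pem. The directory is populated from the private repo's `keys/` tree, so a mistaken copy would be discoverable straight away. `Options None` would still serve the published files by exact path without listing the directory. The block also has no explicit access directive, so access falls back to whatever the enclosing vhost configures, which this diff does not show. A one-line comment such as `# Intentionally public: CRL and CA cert only` would make the intent clear to the next editor.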