From 52c9e9a08da9a9106b1bd8ee62896346f70a904b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 24 Apr 2014 20:37:51 +0000 Subject: [PATCH] Move keyserver to a role. Thanks misc! --- handlers/restart_services.yml | 6 -- playbooks/groups/keyserver.yml | 2 +- .../keyserver/files}/css.css | 0 .../keyserver/files}/index.html | 0 .../keyserver/files}/membership | 0 roles/keyserver/files/sks.conf | 83 +++++++++++++++++++ .../keyserver/files}/sksconf | 0 .../keyserver/files}/ssl.conf | 0 roles/keyserver/handlers/main.yml | 6 ++ .../keyserver/tasks/main.yml | 26 +++--- 10 files changed, 103 insertions(+), 20 deletions(-) rename {files/keyserver => roles/keyserver/files}/css.css (100%) rename {files/keyserver => roles/keyserver/files}/index.html (100%) rename {files/keyserver => roles/keyserver/files}/membership (100%) create mode 100644 roles/keyserver/files/sks.conf rename {files/keyserver => roles/keyserver/files}/sksconf (100%) rename {files/keyserver => roles/keyserver/files}/ssl.conf (100%) create mode 100644 roles/keyserver/handlers/main.yml rename tasks/keyserver.yml => roles/keyserver/tasks/main.yml (59%) diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 10fa661e17..90cfb67a41 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -80,12 +80,6 @@ - name: restart rsyslog action: service name=rsyslog state=restarted -- name: restart sks-db - action: service name=sks-db state=restarted - -- name: restart sks-recon - action: service name=sks-recon state=restarted - - name: restart sshd action: service name=sshd state=restarted diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml index ef2fb9c7d0..4bc06fc9de 100644 --- a/playbooks/groups/keyserver.yml +++ b/playbooks/groups/keyserver.yml @@ -38,6 +38,7 @@ - nagios_client - fas_client - fedmsg/base + - keyserver tasks: - include: "{{ tasks }}/hosts.yml" 
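Review bot: Listing `keyserver` under `roles:` runs its tasks before the play's `tasks:` section, whereas the include this patch removes in the next hunk ran after `{{ tasks }}/apache.yml`; roles always execute ahead of tasks, so the role's copies into `/etc/httpd/conf.d/` (visible in the tasks hunks below) now happen before whatever apache.yml does. If apache.yml installs httpd or ships its own `ssl.conf`, a fresh host either fails the copy because the directory does not exist yet or has the role's ssl.conf overwritten afterwards — I could not verify this, since apache.yml is not in the patch. If the apache setup is a prerequisite, make the ordering explicit (an apache role listed before `keyserver`, or a role dependency) rather than relying on the play layout.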
@@ -47,7 +48,6 @@ - include: "{{ tasks }}/motd.yml" - include: "{{ tasks }}/sudo.yml" - include: "{{ tasks }}/apache.yml" - - include: "{{ tasks }}/keyserver.yml" handlers: - include: "{{ handlers }}/restart_services.yml" diff --git a/files/keyserver/css.css b/roles/keyserver/files/css.css similarity index 100% rename from files/keyserver/css.css rename to roles/keyserver/files/css.css diff --git a/files/keyserver/index.html b/roles/keyserver/files/index.html similarity index 100% rename from files/keyserver/index.html rename to roles/keyserver/files/index.html diff --git a/files/keyserver/membership b/roles/keyserver/files/membership similarity index 100% rename from files/keyserver/membership rename to roles/keyserver/files/membership diff --git a/roles/keyserver/files/sks.conf b/roles/keyserver/files/sks.conf new file mode 100644 index 0000000000..2b87b46b55 --- /dev/null +++ b/roles/keyserver/files/sks.conf 
@@ -0,0 +1,83 @@ +ServerName keys.fedoraproject.org +Listen 80.239.156.219:11371 +NameVirtualHost *:443 + + + LoadModule proxy_module modules/mod_proxy.so + + + + LoadModule proxy_http_module modules/mod_proxy_http.so + + + + LoadModule proxy_balancer_module modules/mod_proxy_balancer.so + + + + LoadModule headers_module modules/mod_headers.so + + + + LoadModule authz_host_module modules/mod_authz_host.so + + + + LoadModule log_config_module modules/mod_log_config.so + + + + LoadModule env_module modules/mod_env.so + + + + Options FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + + + + ServerAdmin sysadmin-keys-members@fedoraproject.org + ServerName keys.fedoraproject.org + ProxyPass / http://127.0.0.1:11371/ + ProxyPassReverse / http://127.0.0.1:11371/ + SetEnv proxy-nokeepalive 1 + ProxyVia Full + + + ServerAdmin sysadmin-keys-members@fedoraproject.org + ServerName keys.fedoraproject.org + ServerAlias keys01.fedoraproject.org + + SSLEngine on + SSLCertificateFile /etc/pki/tls/wildcard-2013.fedoraproject.org.cert + SSLCertificateChainFile /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert + SSLCertificateKeyFile /etc/pki/tls/wildcard-2013.fedoraproject.org.key + ProxyPass / http://localhost:11371/ + ProxyPassReverse / http://localhost:11371/ + SetEnv proxy-nokeepalive 1 + ProxyVia Full + + + ServerAdmin sysadmin-keys-members@fedoraproject.org + ServerName pool.sks-keyservers.net + ServerAlias sks-keyservers.net + ServerAlias *.sks-keyservers.net + + SSLEngine on + SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem + SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key + ProxyPass / http://localhost:11371/ + ProxyPassReverse / http://localhost:11371/ + SetEnv proxy-nokeepalive 1 + ProxyVia Full + + + ServerAdmin sysadmin-keys-members@fedoraproject.org + ServerName keys.fedoraproject.org + ProxyPass / http://127.0.0.1:11371/ + ProxyPassReverse / http://127.0.0.1:11371/ + SetEnv proxy-nokeepalive 1 + ProxyVia 
Full + diff --git a/files/keyserver/sksconf b/roles/keyserver/files/sksconf similarity index 100% rename from files/keyserver/sksconf rename to roles/keyserver/files/sksconf diff --git a/files/keyserver/ssl.conf b/roles/keyserver/files/ssl.conf similarity index 100% rename from files/keyserver/ssl.conf rename to roles/keyserver/files/ssl.conf diff --git a/roles/keyserver/handlers/main.yml b/roles/keyserver/handlers/main.yml new file mode 100644 index 0000000000..eee9214e54 --- /dev/null +++ b/roles/keyserver/handlers/main.yml @@ -0,0 +1,6 @@ +- name: restart sks-db + action: service name=sks-db state=restarted + +- name: restart sks-recon + action: service name=sks-recon state=restarted + diff --git a/tasks/keyserver.yml b/roles/keyserver/tasks/main.yml similarity index 59% rename from tasks/keyserver.yml rename to roles/keyserver/tasks/main.yml index 3ed3dff007..af7c67256e 100644 --- a/tasks/keyserver.yml +++ b/roles/keyserver/tasks/main.yml @@ -16,12 +16,12 @@ owner=sks group=sks mode=0755 - name: /srv/sks/membership - copy: src="{{ files }}/keyserver/membership" dest=/srv/sks/membership owner=sks group=sks mode=0644 + copy: src="membership" dest=/srv/sks/membership owner=sks group=sks mode=0644 tags: - config - name: /srv/sks/sksconf - copy: src="{{ files }}/keyserver/sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644 + copy: src="sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644 tags: - config 
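Review bot: The third virtual host (`ServerName pool.sks-keyservers.net`) references `/etc/pki/tls/keys_fedoraproject_org.crt.pem` and `/etc/pki/tls/keys_fedoraproject_org.key`, but no task in this patch provisions those files (the tasks hunks copy only the wildcard-2013 cert, key and intermediate), so httpd will not start on a fresh host unless something outside the role installs them; that vhost also lacks the `SSLCertificateChainFile` the keys.fedoraproject.org vhost has, which matters if that certificate is not self-contained. `Listen 80.239.156.219:11371` bakes one host's public address into a file the role deploys with `copy:`; rendering it with `template:` from the host's address would keep the role reusable and avoid a listener bound to the wrong address on a replacement host. The container directives (`<IfModule>`, `<VirtualHost>` and their arguments) are stripped in this rendering, so they could not be checked. `SSLEngine on` appears with no protocol or cipher settings in this file; if those live in ssl.conf (renamed unchanged here), a one-line comment in sks.conf pointing there would save the next reader a search.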
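Review bot: The `/srv/sks/membership` and `/srv/sks/sksconf` copy tasks carry only `tags: - config` and no `notify:`, so the `restart sks-db` and `restart sks-recon` handlers this patch moves into `roles/keyserver/handlers/main.yml` are never triggered by the files they exist for, and an edited membership or sksconf takes effect only after a manual restart. Adding `notify:` with `- restart sks-db` and `- restart sks-recon` to both tasks closes that gap; the httpd config copies in the next hunk have the same problem and would want the httpd restart handler that presumably still lives in the shared restart_services.yml the play includes. The task list begins before this hunk, so I could not see whether earlier tasks notify anything.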
@@ -32,37 +32,37 @@ owner=sks group=sks mode=0755 - name: /srv/sks/web/index.html - copy: src="{{ files }}/keyserver/index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644 + copy: src="index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644 tags: - config - + with_items: - name: /srv/sks/web/css.css - copy: src="{{ files }}/keyserver/css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644 + copy: src="css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644 tags: - config - name: /etc/httpd/conf.d/sks.conf - copy: src="{{ files }}/keyserver/sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644 + copy: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644 tags: - config - name: /etc/httpd/conf.d/ssl.conf - copy: src="{{ files }}/keyserver/ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644 + copy: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644 tags: - config -- name: /etc/pki/tls/wildcard-2014.fedoraproject.org.cert - copy: src="{{ puppet_private }}/httpd/wildcard-2014.fedoraproject.org.cert" dest=/etc/pki/tls/wildcard-2014.fedoraproject.org.cert owner=root group=root mode=0600 +- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.cert + copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.cert owner=root group=root mode=0600 tags: - config -- name: /etc/pki/tls/wildcard-2014.fedoraproject.org.key - copy: src="{{ puppet_private }}/httpd/wildcard-2014.fedoraproject.org.key" dest=/etc/pki/tls/wildcard-2014.fedoraproject.org.key owner=root group=root mode=0600 +- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.key + copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.key" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.key owner=root group=root mode=0600 tags: - config -- name: 
/etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert - copy: src="{{ puppet_private }}/httpd/wildcard-2014.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert owner=root group=root mode=0600 +- name: /etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert + copy: src="{{ puppet_private }}/httpd/wildcard-2013.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/wildcard-2013.fedoraproject.org.intermediate.cert owner=root group=root mode=0600 tags: - config
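Review bot: The added `with_items:` after the `/srv/sks/web/index.html` task's `- config` tag has no list and replaces a blank separator line, so it reads as an accidental paste; depending on the Ansible version a loop over a null list is either an error or a task that never runs, and index.html is then not deployed. Delete the line and restore the blank — nothing in the task references `{{ item }}`. Separately, the certificate tasks move from `wildcard-2014.fedoraproject.org.*` to `wildcard-2013.fedoraproject.org.*`, which matches the new sks.conf but, if the 2014 files are the more recently issued certificate, reverts a rotation; confirm this is intended rather than updating sks.conf to the 2014 files. The key and certificate copies keep `owner=root group=root mode=0600`, which is right for private key material.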