Commit 982906d2 authored by intrigeri's avatar intrigeri

Decommission Redmine and buse.tails.boum.org

refs: tails/sysadmin#17719
parent 88bc27cd
......@@ -37,10 +37,3 @@ object ServiceGroup "memory" {
assign where match("mem", service.check_command)
}
object ServiceGroup "redmine" {
display_name = "Redmine Checks"
assign where match("buse.tails.boum.org", return_servicegroup_host(service))
assign where match("redmine.tails.boum.org", service.vars.http_vhost)
}
# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
# graceful restart. ThreadLimit can only be changed by stopping
# and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of threads
# MaxConnectionsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 300
MaxConnectionsPerChild 0
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule qos_module>
# minimum request rate (bytes/sec at request reading):
#QS_SrvRequestRate 120
# limits the connections for this virtual host:
#QS_SrvMaxConn 100
# allows keep-alive support till the server reaches 600 connections:
#QS_SrvMaxConnClose 600
# allows max 20 connections from a single ip address:
QS_SrvMaxConnPerIP 20
</IfModule>
<IfModule reqtimeout_module>
# mod_reqtimeout limits the time waiting on the client to prevent an
# attacker from causing a denial of service by opening many connections
# but not sending requests. This file tries to give a sensible default
# configuration, but it may be necessary to tune the timeout values to
# the actual situation. Note that it is also possible to configure
# mod_reqtimeout per virtual host.
# Wait max 5 seconds for the first byte of the request line+headers
# From then, require a minimum data rate of 500 bytes/s, but don't
# wait longer than 10 seconds in total.
# Note: Lower timeouts may make sense on non-ssl virtual hosts but can
# cause problem with ssl enabled virtual hosts: This timeout includes
# the time a browser may need to fetch the CRL for the certificate. If
# the CRL server is not reachable, it may take more than 10 seconds
# until the browser gives up.
RequestReadTimeout header=5-10,minrate=500
# Wait max 5 seconds for the first byte of the request body (if any)
# From then, require a minimum data rate of 500 bytes/s
RequestReadTimeout body=5,minrate=500
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
# Keep track of extended status information for each request
ExtendedStatus On
# Determine if mod_status displays the first 63 characters of a request or
# the last 63, assuming the request itself is greater than 63 chars.
# Default: Off
#SeeRequestTail On
Listen 127.0.0.1:8162
<VirtualHost 127.0.0.1:8162>
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
# http://mod-qos.sourceforge.net/#statusviewer
<IfModule qos_module>
<Location /qos>
SetHandler qos-viewer
</Location>
</IfModule>
</VirtualHost>
<IfModule mod_proxy.c>
# Show Proxy LoadBalancer status in mod_status
ProxyStatus On
</IfModule>
/usr/share/redmine/log/git_hosting.log {
weekly
missingok
rotate 3
compress
delaycompress
notifempty
copytruncate
su www-data www-data
}
redmine redmine/instances/default/db/dbname string redmine
redmine redmine/instances/default/db/app-user string redmine
User-agent: SemrushBot
Disallow: /
User-agent: SemrushBot-SA
Disallow: /
User-agent: Sogou web spider
Disallow: /
User-agent: *
Disallow: /code/projects/backupninja
Disallow: /code/projects/calendar
Disallow: /code/projects/cg-core
Disallow: /code/projects/connectingclassrooms
Disallow: /code/projects/coreboot
Disallow: /code/projects/crabgrass
Disallow: /code/projects/etherpad
Disallow: /code/projects/firemole
Disallow: /code/projects/macchanger
Disallow: /code/projects/mat
Disallow: /code/projects/metche
Disallow: /code/projects/module_apt
Disallow: /code/projects/module-backupninja
Disallow: /code/projects/module-check_mk
Disallow: /code/projects/module-cron
Disallow: /code/projects/module-etherpad-lite
Disallow: /code/projects/module-lsb
Disallow: /code/projects/module-mongrel
Disallow: /code/projects/module-netboot
Disallow: /code/projects/module-munin
Disallow: /code/projects/module-nagios
Disallow: /code/projects/module-nginx
Disallow: /code/projects/module-puppet
Disallow: /code/projects/module-runlevel
Disallow: /code/projects/module-shorewall
Disallow: /code/projects/module-sshd
Disallow: /code/projects/module-stunnel
Disallow: /code/projects/module-tor
Disallow: /code/projects/module-wordpress
Disallow: /code/projects/monkeysphere
Disallow: /code/projects/pidging_otr
Disallow: /code/projects/privacy
Disallow: /code/projects/puppetmodules
Disallow: /code/projects/sharedpuppetmodules
Disallow: /code/projects/shared-apache
Disallow: /code/projects/shared-apt
Disallow: /code/projects/shared-augeas
Disallow: /code/projects/shared-backupninja
Disallow: /code/projects/shared-checkmk
Disallow: /code/projects/shared-common
Disallow: /code/projects/shared-cron
Disallow: /code/projects/shared-ekeyd
Disallow: /code/projects/shared-git
Disallow: /code/projects/shared-lsb
Disallow: /code/projects/shared-modsecurity
Disallow: /code/projects/shared-monkeysphere
Disallow: /code/projects/shared-mysql
Disallow: /code/projects/shared-nagios
Disallow: /code/projects/shared-openbsd
Disallow: /code/projects/shared-passenger
Disallow: /code/projects/shared-postfix
Disallow: /code/projects/shared-puppet
Disallow: /code/projects/shared-reprepro
Disallow: /code/projects/shared-shorewall
Disallow: /code/projects/shared-sshd
Disallow: /code/projects/shared-strongswan
Disallow: /code/projects/shared-sudo
Disallow: /code/projects/shared-webhosting
Disallow: /code/projects/sympa
Disallow: /code/projects/tls-info
Disallow: /code/projects/unido
Disallow: /code/projects/we
Disallow: /code/projects/xmpp
Disallow: /code/projects/tails/activity
Disallow: /code/projects/tails/repository
Disallow: /code/projects/tails/roadmap
Disallow: /code/activity
Disallow: /code/account
Disallow: /code/attachments
Disallow: /code/images
Disallow: /code/issues?page=
Disallow: /code/issues/calendar
Disallow: /code/issues/gantt
Disallow: /code/issues/show
Disallow: /code/javascripts
Disallow: /code/journals
Disallow: /code/login
Disallow: /code/plugin_assets/
Disallow: /code/projects/gantt
Disallow: /code/repositories
Disallow: /code/search
Disallow: /code/stylesheets
Disallow: /code/timelog
Disallow: /code/time_entries
Disallow: /code/users
Disallow: /code/wiki/history
Disallow: /code/issues/*.atom$
Disallow: /code/issues/*.pdf$
Disallow: /code/projects/*/activity.atom
Disallow: /code/projects/*/issues.atom
Disallow: /code/projects/*/issues.pdf
Disallow: /code/projects/module_*
Disallow: /code/projects/module-*
Disallow: /code/projects/shared-*
Crawl-delay: 5
/* load the default Redmine stylesheet */
@import url(../../../stylesheets/application.css);
/*
_/ _/
_/_/_/ _/_/ _/_/ _/_/_/ _/ _/ _/ _/_/_/
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/ _/ _/ _/_/ _/_/_/ _/_/_/ _/ _/_/_/
Theme: Modula Mojito
Updated: 10/7/09
Author: www.modula.fi
*/
@import url(../../../stylesheets/application.css);
body, #wrapper { background-color:#3c3c3c; font-family: helvetica, "microsoft sans serif", arial, sans-serif; }
a, a:link, a:visited { color: #7aa054; outline:none;}
a:hover { text-decoration: none; color: #455138;}
#sidebar label, #sidebar a:link, #sidebar a:hover, #sidebar a:active, #sidebar a:visited { color: #f0f0f0; }
#header, #top-menu { margin: 0; }
#header { background-color: #3c3c3c; padding: 8px 0 0 0; height: 6em; }
#header h1 { margin: 0 24px; }
#header #quick-search { margin: 0 24px; }
#top-menu { background-color: #2e2e2e; font-size: .9em; position: relative; margin-left: -.3em; padding: 0; height: 21px }
#top-menu ul { padding: 0 21px; }
#top-menu li, #top-menu #loggedas { color: #ddd; line-height: 21px; margin-right: 0px;}
#top-menu li a { color: #aaa; font-weight: normal; padding:4px 5px; }
#top-menu li a:hover { color: #fff; text-decoration: none; }
#main { background: #3c3c3c; margin: 0 24px 0px 24px; }
#content {
background: #fff;
width: 74.5%;
-moz-border-radius-topleft: 3px; -webkit-border-top-left-radius: 3px;
-moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 3px;
-moz-border-radius-bottomleft: 3px; -webkit-border-bottom-left-radius: 3px;
-moz-border-radius-bottomright: 3px; -webkit-border-bottom-right-radius: 3px;
}
#sidebar { width: 21.5%; }
#sidebar p { color: #f0f0f0;}
#footer { background-color:#3c3c3c; border: 0px; clear: left; color:#666666; font-size:9px; margin:4px 0 20px 20px; padding-bottom:15px; text-align:left; }
#footer a:hover { background:#666666 none repeat scroll 0 0; color:#FFFFFF !important;}
#footer a:link, #footer a:visited { color:#666666; }
p.subtitle {
font-style:normal;
}
/* Headers */
h1, h2, h3, h4 { font-family: helvetica neue, helvetica, "microsoft sans serif", arial, sans-serif; }
.wiki h1, .wiki h2, .wiki h3, .wiki h4 { font-family: helvetica neue, helvetica, "microsoft sans serif", arial, sans-serif; }
h1 { color: #cde9a7; font-size: 24px; font-weight: normal; margin:0pt 0pt 0pt 0.25em; padding:0pt 0pt 10px; text-align:left; }
h2, h3, h4, .wiki h1, .wiki h2, .wiki h3 { border-bottom: 0px;}
h2, .wiki h1 {
background-color: #cde9a7;
margin: 2px 0px 10px;
padding: 10px .7em;
font-size: 21px;
font-weight: normal;
font-family: baskerville, Times, Times New Roman, serif;
color: #455138;
border: 1px #adde6b solid;
-moz-border-radius-topleft: 3px; -webkit-border-top-left-radius: 3px;
-moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 3px;
-moz-border-radius-bottomleft: 3px; -webkit-border-bottom-left-radius: 3px;
-moz-border-radius-bottomright: 3px; -webkit-border-bottom-right-radius: 3px;
}
.wiki h1 { font-family: helvetica, "microsoft sans serif", arial, sans-serif; }
.wiki h2 { background-color: #fff; }
h3, h4 { font-weight: normal; color: #7aa054;}
#sidebar h3 { color: #cde9a7; border-bottom:1px solid #989898; padding:6px 0; }
/* Links */
#sidebar a:hover { background-color:#003399; color:#FFFFFF; text-decoration: none;}
/* Menu */
#main-menu { margin: 0 1.5em; margin-bottom: -2px;}
#main-menu li a { font-weight: normal; padding:6px 8px 8px; }
#main-menu li a:hover {
color: #FFA500;
background: transparent;
text-decoration: none;
}
#main-menu li a.selected, #main-menu li a.selected:hover {
background-color:#fff;
color: #111;
-moz-border-radius-topleft: .3em; -webkit-border-top-left-radius: .3em;
-moz-border-radius-topright: .3em; -webkit-border-top-right-radius: .3em;
}
/* Settings menu */
#content .tabs ul li a {
font-weight: normal;
font-size: .9em;
border-top: 1px #fff solid;
border-right: 1px #fff solid;
border-left: 1px #fff solid;
background: #fff;
-moz-border-radius-topleft: .3em; -webkit-border-top-left-radius: .3em;
-moz-border-radius-topright: .3em; -webkit-border-top-right-radius: .3em;
}
#content .tabs ul li a:hover {
background: #fff;
color: #FFA500;
}
#content .tabs ul li a.selected {
font-weight: normal;
color:#455138;
-moz-border-radius-topleft: .3em; -webkit-border-top-left-radius: .3em;
-moz-border-radius-topright: .3em; -webkit-border-top-right-radius: .3em;
}
/* Tables */
table.list { border: none; }
table.list th { background-color: #fff; }
table.list tbody td, table.list tbody tr td { border-bottom: solid 1px #ddd; padding:4px 10px 4px 3px; }
table.list thead th {
border: none;
border-bottom:1px solid #999999;
font-size:9px;
font-weight:normal;
padding:0pt 3px 3px;
text-transform:uppercase;
}
table.list thead th a { color: #2e2e2e; }
table.list thead th a:hover { color: #2e2e2e; }
/* Issues grid styles by priorities (provided by Wynn Netherland) */
table.list tr.issue a { color: #3c3c3c; }
tr.odd.priority-5, table.list tbody tr.odd.priority-5:hover { color: #900; font-weight: bold; }
tr.odd.priority-5 { background: #ffc4c4; }
tr.even.priority-5, table.list tbody tr.even.priority-5:hover { color: #900; font-weight: bold; }
tr.even.priority-5 { background: #ffd4d4; }
tr.priority-5 a, tr.priority-5:hover a { color: #900; }
tr.odd.priority-5 td, tr.even.priority-5 td { border-color: #ffb4b4; }
tr.odd.priority-4, table.list tbody tr.odd.priority-4:hover { color: #900; }
tr.odd.priority-4 { background: #ffc4c4; }
tr.even.priority-4, table.list tbody tr.even.priority-4:hover { color: #900; }
tr.even.priority-4 { background: #ffd4d4; }
tr.priority-4 a { color: #900; }
tr.odd.priority-4 td, tr.even.priority-4 td { border-color: #ffb4b4; }
tr.odd.priority-3, table.list tbody tr.odd.priority-3:hover { color: #900; }
tr.odd.priority-3 { background: #fee; }
tr.even.priority-3, table.list tbody tr.even.priority-3:hover { color: #900; }
tr.even.priority-3 { background: #fff2f2; }
tr.priority-3 a { color: #900; }
tr.odd.priority-3 td, tr.even.priority-3 td { border-color: #fcc; }
tr.odd.priority-1, table.list tbody tr.odd.priority-1:hover { color: #559; }
tr.odd.priority-1 { background: #eaf7ff; }
tr.even.priority-1, table.list tbody tr.even.priority-1:hover { color: #559; }
tr.even.priority-1 { background: #f2faff; }
tr.priority-1 a { color: #559; }
tr.odd.priority-1 td, tr.even.priority-1 td { border-color: #add7f3; }
p.breadcrumb {
background-color:#EEEEEE;
border-bottom:1px solid white;
font-size:0.9em;
margin:-6px -10px 6px;
padding:6px;
text-indent:15px;
}
/* Fields */
input[type='text'], input[type='password'], textarea { font-size: 13px; font-family: Andale Mono,Lucida Console,Monaco,fixed,monospace; }
input[type="text"], textarea, select { padding: 2px; }
input[type="text"]:focus, textarea:focus, select:focus { }
option { }
input#issue_subject { font-size: 200%; width: 90%; }
input#issue_subject, #project_description { width: 92.5%; }
textarea#issue_description { width: 93%;}
/* Misc */
input[type="text"], textarea, select {
border: 1px #989898 solid;
background-color: #F5F5F5;
-moz-border-radius-topleft: 3px; -webkit-border-top-left-radius: 3px;
-moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 3px;
-moz-border-radius-bottomleft: 3px; -webkit-border-bottom-left-radius: 3px;
-moz-border-radius-bottomright: 3px; -webkit-border-bottom-right-radius: 3px;
}
.nodata, #login-form table, .flash.notice {
border-width: 1px;
-moz-border-radius-topleft: 3px; -webkit-border-top-left-radius: 3px;
-moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 3px;
-moz-border-radius-bottomleft: 3px; -webkit-border-bottom-left-radius: 3px;
-moz-border-radius-bottomright: 3px; -webkit-border-bottom-right-radius: 3px;
}
.box {
background-color: #fcfcfc;
border-top: 1px #eee solid;
border-right: 1px #ccc solid;
border-bottom: 1px #ccc solid;
border-left: 1px #eee solid;
-moz-border-radius-topleft: 3px; -webkit-border-top-left-radius: 3px;
-moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 3px;
-moz-border-radius-bottomleft: 3px; -webkit-border-bottom-left-radius: 3px;
-moz-border-radius-bottomright: 3px; -webkit-border-bottom-right-radius: 3px;
}
#attachments_fields input[type="text"] {
width: 39%;
}
.jstElements { margin-right: 3.5em;}
.tabular label { font-weight: normal;}
.contextual { margin-top: 1.4em; margin-right: 1em; font-size: 0.9em;}
.contextual a{ color:#455138;}
table.list thead th {
font-size:.8em;
}
tr.message td.last_message {
font-size:.9em;
}
div#activity dl, #search-results {
margin-left:0em;
}
div#activity dd, #search-results dd {
font-size:1em;
}
span.description { margin: .5em 0;}
hr { background:#eee none repeat scroll 0% 0%; }
# Manage Tails' Redmine instance
class tails::redmine (
String $mailhandler_api_key,
String $redmine_ws_api_key = 'secret',
String $gitolite_pubkey_name = 'gitolite@puppet-git.lizard',
Stdlib::Httpsurl $url = 'https://redmine.tails.boum.org/code',
Boolean $ddosmode = false,
String $ddosmode_destination = 'sxkh7umwgc2rutlr.onion',
Hash $virtual_hosts = {
'redmine.tails.boum.org' => {
'ip' => '127.0.0.1',
'ssl' => false,
'monitoring' => false,
},
## Block Redmine access from the outside
## https://salsa.debian.org/tails-team/gitlab-migration/-/issues/43
# 'sxkh7umwgc2rutlr.onion' => {
# 'ip' => '127.0.0.1',
# 'ssl' => false,
# 'monitoring' => false,
# },
},
Hash $apache_settings = {
'KeepAlive' => 'Off',
'Timeout' => '120',
},
) {
include ::apache
include ::apache::base
include ::mysql::server
# the tails_git user owns the tails.git repository that is linked in redmine
user { 'tails_git':
ensure => present,
system => true,
shell => '/usr/bin/git-shell',
home => '/srv/repositories',
gid => 'www-data',
}
file { '/srv/repositories':
ensure => directory,
owner => 'tails_git',
group => 'www-data',
mode => '2750',
}
vcsrepo { '/srv/repositories/tails.git':
ensure => mirror,
provider => git,
source => 'https://git-tails.immerda.ch/tails',
user => 'tails_git',
group => 'www-data',
require => File['/srv/repositories'],
}
file { '/srv/repositories/tails.git/hooks/post-update':
content => template('tails/redmine/tails-post-update.hook.erb'),
mode => '0700',
owner => 'tails_git',
group => 'www-data',
require => Vcsrepo['/srv/repositories/tails.git'],
}
sshkeys::set_authorized_keys { $gitolite_pubkey_name:
user => 'tails_git',
home => '/srv/repositories',
}
file { '/var/cache/debconf/redmine.preseed':
ensure => present,
owner => root,
group => root,
mode => '0600',
source => 'puppet:///modules/tails/redmine/redmine.preseed',
}
package { 'redmine':
ensure => installed,
responsefile => '/var/cache/debconf/redmine.preseed',
require => File['/var/cache/debconf/redmine.preseed'],
}
# We need:
# - passenger for redmine
# - qos to mitigate overenthusiastic clients
# - git to link to the tails.git repo
ensure_packages([
'git',
])
$virtual_hosts.each |String $public_hostname, Hash $vhost_params| {
tails::redmine::vhost { $public_hostname:
ip => $vhost_params['ip'],
ssl => $vhost_params['ssl'],
ddosmode => $ddosmode,
ddosmode_destination => $ddosmode_destination,
monitoring => $vhost_params['monitoring'],
}
}
file { '/etc/apache2/sites-enabled/server-status.conf':
ensure => present,
owner => root,
group => root,
mode => '0644',
source => 'puppet:///modules/tails/redmine/apache/sites/server-status.conf',
notify => Service['apache'],
}
$apache_config_file = '/etc/apache2/apache2.conf'
$apache_settings.each |String $setting, String $value| {
file_line { "apache_${setting}":
path => $apache_config_file,
line => "${setting} ${value}",
match => "^${setting}\s+",
notify => Service['apache'],
}
}