Merge branch 'master' of github.com:NOAO/puppet-marsnat

NOAO · Oct 25, 2021 · ce88f72 · ce88f72
2 parents d83c69c + 993b04c
commit ce88f72
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 22 deletions.
diff --git a/files/nginx-install/install-nginx.sh b/files/nginx-install/install-nginx.sh
@@ -21,7 +21,7 @@ cd nginx-config
 #! envsubst < uwsgi.ini > /etc/nginx/uwsgi.ini
 #! cp uwsgi_params /etc/nginx/
 
-cp __dm_noao_edu.crt /etc/ssl/certs/
-cp star-dm-noao-edu.key /etc/ssl/certs/
+#cp __dm_noao_edu.crt /etc/ssl/certs/
+#cp star-dm-noao-edu.key /etc/ssl/certs/
 
 
diff --git a/files/nginx/sites-enabled/default b/files/nginx/sites-enabled/default
@@ -13,7 +13,7 @@ upstream app_server {
 server {
     listen 80;
     listen [::]:80;
-    server_name astroarchive.noirlab.edu;
+    server_name astroarchive.noirlab.edu marsnat1-stage.csdc.noirlab.edu marsnat1-pat.csdc.noirlab.edu;
     return 301 https://$host$request_uri;
 }
 
@@ -29,7 +29,7 @@ server {
     ssl_certificate_key /etc/ssl/certs/domain.key;
 
     # the domain name it will serve for
-    server_name astroarchive.noirlab.edu; # can use machine's IP or FQDN
+    server_name astroarchive.noirlab.edu marsnat1-stage.csdc.noirlab.edu marsnat1-pat.csdc.noirlab.edu; # can use machine's IP or FQDN
 
     # the domain name it will serve for
     #server_name .dm.noao.edu; # substitute your machine's IP address or FQDN

diff --git a/files/nginx/sites-enabled/stage_default b/files/nginx/sites-enabled/stage_default
@@ -0,0 +1,113 @@
+# Things that might need changing
+# - port 8080 not needed in production
+# - place SSL certs in /etc/ssl/certs
+# - server_name - default_server is less secure but used to access within VM as localhost, dev.local etc
+# - logging
+# - static file locations
+
+# app_server already defined in 'default' config
+# possibly change this name to gunicorn server
+upstream app_server {
+  server unix:/opt/mars/gunicorn.sock fail_timeout=0;
+}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name marsnat1-stage.csdc.noirlab.edu;
+    return 301 https://$host$request_uri;
+}
+
+# configuration of the server
+server {
+    # the port your site will be served on, default_server indicates that this server block
+    # is the block to use if no blocks match the server_name
+    #! listen 8080;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    ssl_certificate /etc/ssl/certs/domain.crt;
+    ssl_certificate_key /etc/ssl/certs/domain.key;
+
+    # the domain name it will serve for
+    server_name astroarchive.noirlab.edu; # can use machine's IP or FQDN
+
+    # the domain name it will serve for
+    #server_name .dm.noao.edu; # substitute your machine's IP address or FQDN
+    charset     utf-8;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+
+    # max upload size
+    client_max_body_size 75M;   # adjust to taste
+
+    # Django media
+    location /media  {
+        alias /opt/mars/marssite/static/;  # your Django project's media files - amend as required
+    }
+
+    location /static {
+        expires 10d;
+        sendfile on;
+        sendfile_max_chunk 1m;
+        alias /opt/mars/marssite/static/; # your Django project's static files - amend as required
+    }
+
+    location /download/zip {
+        alias /srv/ftp;
+    }
+
+    location /download/archive {
+        alias /srv/ftp/Volumes/archive;
+    }
+
+    location /hlsp {
+        alias /net/archive/hlsp;
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_format html;
+        autoindex_localtime on;
+    }
+
+
+
+    location /ops {
+      # allow anyone in 192.168.1.0/24
+      allow   127.0.0.0/8; #localhost
+      allow   172.18.0.0/16; #docker containers
+      allow   140.252.0.0/16; #NOAO intranet
+      # drop rest of the world
+      deny    all;
+      try_files $uri @proxy_to_app;
+    }
+
+    location /admin {
+      # allow anyone in 192.168.1.0/24
+      allow   127.0.0.0/8; #localhost
+      allow   172.18.0.0/16; #docker containers
+      allow   140.252.0.0/16; #NOAO intranet
+      # drop rest of the world
+      deny    all;
+      try_files $uri @proxy_to_app;
+    }
+
+
+
+    location / {
+      # checks for static file, if not found proxy to app
+      try_files $uri @proxy_to_app;
+    }
+
+    location @proxy_to_app {
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $http_host;
+      # we don't want nginx trying to do something clever with
+      # redirects, we set the Host: header above already.
+      proxy_redirect off;
+      # uses the default app_server
+      proxy_pass http://app_server;
+    }
+
+}
diff --git a/manifests/install.pp b/manifests/install.pp
@@ -9,8 +9,8 @@
 
   $ssl_domain_crt = lookup('ssl_domain_crt'),
   $ssl_domain_key = lookup('ssl_domain_key'),
-  $ssl_noao_crt = lookup('ssl_noao_crt'), # This is not used in internal servers
-  $ssl_noao_key = lookup('ssl_noao_key'),
+  #$ssl_noao_crt = lookup('ssl_noao_crt'), # This is not used in internal servers
+  #$ssl_noao_key = lookup('ssl_noao_key'),
   $noirlab_edu_nginx_config = lookup('noirlab_edu_nginx_conf'), #'puppet:///modules/marsnat/nginx/sites-enabled/internal.noirlab',
 
   $guconf = lookup('guconf'),
@@ -314,17 +314,17 @@
     replace => true,
     source  => 'puppet:///modules/marsnat/nginx.logrotate',
   }
-  file { '/etc/ssl/certs/noao_domain.crt' :
-    ensure  => 'file',      
-    replace => true,
-    source  => "${ssl_noao_crt}",
-
-    }
-  file { '/etc/ssl/certs/noao_domain.key' :
-    ensure  => 'present',      
-    replace => true,
-    source  => "${ssl_noao_key}",
-    }
+  #file { '/etc/ssl/certs/noao_domain.crt' :
+  #  ensure  => 'file',      
+  #  replace => true,
+  #  source  => "${ssl_noao_crt}",
+  #
+  #  }
+  #file { '/etc/ssl/certs/noao_domain.key' :
+  #  ensure  => 'present',      
+  #  replace => true,
+  #  source  => "${ssl_noao_key}",
+  #  }
   file { '/etc/ssl/certs/domain.crt' :
     ensure  => 'present',
     replace => true,
@@ -345,11 +345,11 @@
     replace => true,
     source  => 'puppet:///modules/marsnat/nginx/sites-enabled/default',
     } 
-  file { '/etc/nginx/sites-enabled/noao' :
-    ensure  => 'present',
-    replace => true,
-    source  => "puppet:///modules/marsnat/nginx/sites-enabled/noao",
-    }
+  #file { '/etc/nginx/sites-enabled/noao' :
+  #  ensure  => 'present',
+  #  replace => true,
+  #  source  => "puppet:///modules/marsnat/nginx/sites-enabled/noao",
+  #  }
   file { '/etc/nginx/nginx.conf' :
     ensure  => 'present',      
     replace => true,