authorKelley Spoon <kelley.spoon@linaro.org>2018-10-03 17:07:19 -0500
committerKelley Spoon <kelley.spoon@linaro.org>2018-10-10 13:03:21 +0000
commit2b46aa173cfe5ef1b0a10bea28bf9a661b5a152a (patch)
tree5e2b127f56bc49f0aca9edb89eb50d2cb40c649a
parent6163b1db65929f469d14d834a9dfe7cf12230fc0 (diff)
ArmNN: setup mi.linaro.org
This change creates the armnn playbook to setup the mi.linaro.org gerrit server and git-mi.linaro.org cgit server Change-Id: I69dd1711c0f4464d94181262b139caa3cccaadc9 Reviewed-on: https://review.linaro.org/28607 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
l---------files/apache/git-mi.linaro.org.conf1
-rw-r--r--files/apache/git.linaro.org.conf6
-rw-r--r--files/apache/mi.linaro.org.conf39
-rw-r--r--files/gerrit/mi.linaro.org72
-rw-r--r--gerrit.yml1
-rw-r--r--host_vars/git-mi.linaro.org14
-rw-r--r--host_vars/mi.linaro.org22
-rw-r--r--hosts3
-rw-r--r--postfix.yml1
9 files changed, 159 insertions, 0 deletions
diff --git a/files/apache/git-mi.linaro.org.conf b/files/apache/git-mi.linaro.org.conf
new file mode 120000
index 00000000..f6fbf658
--- /dev/null
+++ b/files/apache/git-mi.linaro.org.conf
@@ -0,0 +1 @@
+git.linaro.org.conf \ No newline at end of file
diff --git a/files/apache/git.linaro.org.conf b/files/apache/git.linaro.org.conf
index 7f700001..ee0bf9fc 100644
--- a/files/apache/git.linaro.org.conf
+++ b/files/apache/git.linaro.org.conf
@@ -52,6 +52,7 @@ ServerTokens Prod
MaxKeepAliveRequests 150
RewriteEngine On
+ RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
# Following directives removed from Apache 2.4
# http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#logging
#RewriteLog ${APACHE_LOG_DIR}/{{ git_host }}-rewrite.log
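Review bot: The added `RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/` sits directly under `RewriteEngine On` and is followed in this hunk only by comments, so it binds to whichever `RewriteRule` comes next in the file, and to that rule alone. The rules are outside the hunk; if more than one of them can match the challenge path, each needs its own condition, or the exemption is better written as a leading pass-through rule such as `RewriteRule ^/\.well-known/acme-challenge/ - [L]`. Moving the condition directly above the rule it guards, with a one-line comment, would stop a later edit from silently detaching it. The dots in the pattern are unescaped; `^/\.well-known/` is the exact form.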
@@ -100,6 +101,11 @@ ServerTokens Prod
ScriptAliasMatch "(?x)^/git/(.*/(HEAD | info/refs | objects/info/[^/]+ | git-(upload|receive)-pack))$" {{ apache_root }}/cgit/git-http-backend.cgi
+ Alias "/.well-known/acme-challenge" "/srv/certbot/.well-known/acme-challenge"
+ <Directory /srv/certbot/.well-known/acme-challenge>
+ Require all granted
+ </Directory>
+
<Directory "{{ repo_root }}">
AllowOverride None
Require all granted
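Review bot: The new `<Directory /srv/certbot/.well-known/acme-challenge>` block grants access but leaves `Options` and `AllowOverride` to whatever is inherited, on a directory the ACME client writes into. Adding `Options None` and `AllowOverride None` next to `Require all granted` keeps directory listings, symlink following and .htaccess processing off for that path regardless of server defaults. The same block appears in the port-80 virtual host of files/apache/mi.linaro.org.conf and would benefit from the same two lines. The `Alias` here has no trailing slash while the one in mi.linaro.org.conf has; using one form in both keeps the two files consistent.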
diff --git a/files/apache/mi.linaro.org.conf b/files/apache/mi.linaro.org.conf
new file mode 100644
index 00000000..e6e57706
--- /dev/null
+++ b/files/apache/mi.linaro.org.conf
@@ -0,0 +1,39 @@
+<VirtualHost *:80>
+ ServerName {{inventory_hostname}}
+ ServerAlias {{inventory_hostname}}
+
+ RedirectMatch permanent "^/(?!\.well-known/acme-challenge)(.*)" "https://{{hostname}}/$1"
+
+ Alias "/.well-known/acme-challenge/" "/srv/certbot/.well-known/acme-challenge/"
+ <Directory "/srv/certbot/.well-known/acme-challenge/">
+ Require all granted
+ </Directory>
+
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{inventory_hostname}}
+ ServerAlias {{inventory_hostname}}
+
+ SSLEngine On
+
+ SSLCertificateFile /etc/letsencrypt/live/{{gerrit_host}}/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{gerrit_host}}/privkey.pem
+ SSLCACertificateFile /etc/letsencrypt/live/{{gerrit_host}}/fullchain.pem
+
+ DocumentRoot /srv/gerrit
+
+ CustomLog /var/log/apache2/{{inventory_hostname}}-access.log combined
+ ErrorLog /var/log/apache2/{{inventory_hostname}}-error.log
+
+ ProxyRequests Off
+ ProxyVia Off
+ ProxyPreserveHost On
+ <Proxy *>
+ Order deny,allow
+ Allow from all
+ </Proxy>
+
+ AllowEncodedSlashes On
+ ProxyPass / http://127.0.0.1:8080/ nocanon
+</VirtualHost>
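Review bot: The `<Proxy *>` block uses the Apache 2.2 directives `Order deny,allow` / `Allow from all`, while the git.linaro.org.conf change in this same commit uses 2.4's `Require all granted`; on 2.4 the old form only loads with mod_access_compat, and mixing the two access models is error-prone, so `Require all granted` inside `<Proxy *>` is the consistent choice. `SSLCACertificateFile` is the trust store for client-certificate verification, not the server chain; fullchain.pem in `SSLCertificateFile` already carries the chain, so that line can be dropped. The port-80 redirect targets `{{hostname}}` while the rest of the file uses `{{inventory_hostname}}` or `{{gerrit_host}}`, and `hostname` is not defined in the host_vars added by this commit, so confirm it resolves to the intended host. A short header comment stating that Gerrit listens only on 127.0.0.1:8080 and is reached through this proxy would help the next reader.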
diff --git a/files/gerrit/mi.linaro.org b/files/gerrit/mi.linaro.org
new file mode 100644
index 00000000..fc0f7f78
--- /dev/null
+++ b/files/gerrit/mi.linaro.org
@@ -0,0 +1,72 @@
+[core]
+ streamFileThreshold = 512m
+ packedGitLimit = 1500m
+[gerrit]
+ basePath = /srv/repositories
+ canonicalWebUrl = https://{{www_host}}/
+[database]
+ type = postgresql
+ hostname = localhost
+ database = reviewdb
+ username = git
+[auth]
+ type = OAUTH
+ loginUrl = /login
+ loginText = Sign-in with GitHub
+ registerPageUrl = "/#/register"
+ gitBasicAuthPolicy = HTTP
+[oauth]
+ allowEditFullName = true
+ allowRegisterNewEmail = true
+
+[sendemail]
+ smtpServer = localhost
+ expiryDays = 15
+ includeDiff = true
+ maximumDiffSize = 512k
+[container]
+ user = git
+ javaHome = /usr/lib/jvm/java-8-openjdk-amd64/jre
+ heapLimit = 14000m
+[sshd]
+ listenAddress = *:29418
+ idleTimeout = 5m
+ loginGraceTime = 1 min
+ batchThreads = 4
+ maxAuthTries = 4
+ backend = NIO2
+[httpd]
+ listenUrl = proxy-https://127.0.0.1:8080/
+[cache]
+ directory = cache
+[cache "web_sessions"]
+ maxAge = 1 month
+[download]
+ scheme = ssh
+ scheme = anon_http
+[gitweb]
+ type = cgit
+ url = https://git-mi.linaro.org
+ revision = "/${project}.git/commit/?id=${commit}"
+[theme]
+ selectionColor = FFFEAE
+[user]
+ name = ArmNN Code Review
+ email = review@{{www_host}}
+[site]
+ enableDeprecatedQuery = false
+[commitmessage]
+ maxSubjectLength = 70
+ maxLineLength = 80
+ rejectTooLong = false
+
+# https://code.google.com/p/gerrit/issues/detail?id=2296#c2
+[receive]
+ checkReferencedObjectsAreReachable = false
+[index]
+ type = LUCENE
+[repository "*"]
+ defaultSubmitType = REBASE_IF_NECESSARY
+[plugin "gerrit-oauth-provider-github-oauth"]
+ client-id = c9573d41459955d81f3a
+ fix-legacy-user-id = false
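Review bot: `checkReferencedObjectsAreReachable = false` under `[receive]` turns off Gerrit's check that objects referenced by a push are reachable by the pushing user, and the only explanation is a bare issue link. With `[auth] type = OAUTH` and `allowRegisterNewEmail = true`, presumably any GitHub account can sign in, so the setting is only safe while no project on this server hides refs from signed-in users. Record that assumption next to it, for example `# Reachability check disabled for performance; revisit before adding read-restricted projects or refs`. `client-id` is public by design, but the matching client secret must stay out of this template (Gerrit reads it from secure.config).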
diff --git a/gerrit.yml b/gerrit.yml
index 70a7d81d..936706c2 100644
--- a/gerrit.yml
+++ b/gerrit.yml
@@ -6,6 +6,7 @@
- ["{{secrets_dir}}/host_vars/{{inventory_hostname}}", "vars/empty.yml"]
- ["{{secrets_dir}}/group_vars/all"]
roles:
+ - {role: certbot, tags: [certbot]}
- {role: apache-site, src: "apache/{{gerrit_host}}.conf", config: "{{gerrit_host}}", tags: [apache, website-conf] }
- {role: apache-auth, host_name: "{{gerrit_host}}", when: server_access == "private", tags: [apache-auth, website-conf]}
- {role: git-deps}
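Review bot: The `certbot` role is added without a `when:` guard, so it runs on every host this play targets, not only the new mi.linaro.org; the `apache-auth` entry two lines below shows the guarded form. The play's host list is outside the hunk, but if existing Gerrit hosts do not define `certbot_domains` / `certbot_host_domain`, the role will presumably fail or request certificates nobody asked for. Consider `- {role: certbot, when: certbot_domains is defined, tags: [certbot]}`. It is also worth confirming that the role can obtain a certificate before `apache-site` installs a 443 virtual host that references files under /etc/letsencrypt/live/.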
diff --git a/host_vars/git-mi.linaro.org b/host_vars/git-mi.linaro.org
new file mode 100644
index 00000000..11b31ee3
--- /dev/null
+++ b/host_vars/git-mi.linaro.org
@@ -0,0 +1,14 @@
+server_role: git-review
+hosttype: foo
+git_host: git-mi.linaro.org
+
+certbot_host_domain: git-mi.linaro.org
+ssl_cert: /etc/letsencrypt/live/{{certbot_host_domain}}/fullchain.pem
+ssl_key: /etc/letsencrypt/live/{{certbot_host_domain}}/privkey.pem
+ssl_ca: /etc/letsencrypt/live/{{certbot_host_domain}}/fullchain.pem
+
+host_site_name: ARM MI Code Review
+host_site_desc: Git Repositories hosted by Linaro
+clone_urls:
+ - https://{{inventory_hostname}}
+cgit_strict_export: false
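Review bot: `cgit_strict_export: false` has no comment, and if it maps to cgit's strict-export option (presumably; the template is not shown) every repository under the scan path becomes visible through cgit, independent of Gerrit's per-project ACLs. If all projects on this server are meant to be public, say so in a comment such as `# all repositories are public; cgit exposes them without Gerrit ACLs`; otherwise keep strict export on. `hosttype: foo` is also unexplained here, whereas host_vars/mi.linaro.org carries a comment for it; copying that comment would keep the two files in step.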
diff --git a/host_vars/mi.linaro.org b/host_vars/mi.linaro.org
new file mode 100644
index 00000000..37019440
--- /dev/null
+++ b/host_vars/mi.linaro.org
@@ -0,0 +1,22 @@
+hosttype: foo # Using git-review tags causes a bunch of "Linaro" stuff to get deployed which we don't want
+server_role: git-review
+git_host: git-mi.linaro.org
+db_user: git
+gerrit_host: mi.linaro.org
+host_site_name: ARM MI Code Review
+
+gerrit_managed: yes
+
+certbot_domains: ["mi.linaro.org","git-mi.linaro.org"]
+certbot_host_domain: mi.linaro.org
+
+ssl_cert: /etc/letsencrypt/live/{{certbot_host_domain}}/fullchain.pem
+ssl_key: /etc/letsencrypt/live/{{certbot_host_domain}}/privkey.pem
+ssl_ca: /etc/letsencrypt/live/{{certbot_host_domain}}/fullchain.pem
+
+postfix_relay_hostname: smtp.mailgun.org
+postfix_destinations: ["mi.linaro.org"]
+postfix_hostname: "mi.linaro.org"
+
+dovecot_user: "{{gerrit_config_dovecot_user}}"
+dovecot_password: "{{gerrit_config_dovecot_password}}"
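Review bot: `certbot_domains` lists both names under `certbot_host_domain: mi.linaro.org`, which suggests one certificate stored under /etc/letsencrypt/live/mi.linaro.org/, yet host_vars/git-mi.linaro.org points `ssl_cert` and `ssl_key` at /etc/letsencrypt/live/git-mi.linaro.org/. If both names are served from one machine with a single SAN certificate, that second directory will not exist and the cgit virtual host would fail to load its key; confirm which layout the certbot role produces. `ssl_ca` is set to fullchain.pem in both host_vars files; if the template feeds it to `SSLCACertificateFile`, that is a client-authentication trust store rather than the server chain and can likely be omitted.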
diff --git a/hosts b/hosts
index 69b97e60..e472acf7 100644
--- a/hosts
+++ b/hosts
@@ -22,6 +22,7 @@ git-ap.linaro.org
git-ie.linaro.org
dev-private-git.linaro.org
git.trustedfirmware.org
+git-mi.linaro.org
[git:children]
android-git
@@ -40,6 +41,7 @@ android-review.linaro.org
dev-private-review.linaro.org
lhg-review.linaro.org
review.trustedfirmware.org
+mi.linaro.org
[gerrit-mirror]
git-us.linaro.org
@@ -114,6 +116,7 @@ mmwg-hackbox.linaro.org
lcg-hackbox.linaro.org
releases-us.linaro.org
j12-qrep-01 ansible_host=10.101.16.17 # inside mlab, jumphost via jenkins-master
+mi.linaro.org
[apache-auth]
dev-private-git.linaro.org
diff --git a/postfix.yml b/postfix.yml
index d0e9cb75..85e4f261 100644
--- a/postfix.yml
+++ b/postfix.yml
@@ -4,6 +4,7 @@
- review.trustedfirmware.org
- developer.trustedfirmware.org
- patches.opendataplane.org
+ - mi.linaro.org
gather_facts: no
become: yes
vars_files: