commit 3225a9259abe1d39ae665cf4362d0f287d101a1e
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Jul 22 13:34:28 2016 +0200
A fedora-web and include proxies
playbooks/include/proxies-certificates.yml | 21 +++
playbooks/include/proxies-fedora-web.yml | 18 +++
playbooks/include/proxies-haproxy.yml | 22 +++
playbooks/include/proxies-redirects.yml | 39 ++++++
playbooks/include/proxies-rewrites.yml | 58 ++++++++
playbooks/include/proxies-websites.yml | 81 +++++++++++
roles/fedora-web/main/files/cache.conf | 18 +++
roles/fedora-web/main/files/cron-sync-fedora-web | 2 +
roles/fedora-web/main/files/deflate.conf | 29 ++++
roles/fedora-web/main/files/expires.conf | 17 +++
roles/fedora-web/main/files/fedora-web.conf | 24 ++++
roles/fedora-web/main/files/hotspot.conf | 1 +
roles/fedora-web/main/files/languages.conf | 144 ++++++++++++++++++++
roles/fedora-web/main/files/persona.conf | 5 +
roles/fedora-web/main/files/redirects.conf.prod | 23 +++
roles/fedora-web/main/files/redirects.conf.stg | 23 +++
roles/fedora-web/main/tasks/main.yml | 79 +++++++++++
.../main/templates/browserid.rpmfusion.org | 9 ++
roles/fedora-web/main/templates/sponsor.conf | 1 +
19 files changed, 614 insertions(+), 0 deletions(-)
---
diff --git a/playbooks/include/proxies-certificates.yml
b/playbooks/include/proxies-certificates.yml
new file mode 100644
index 0000000..ffcff93
--- /dev/null
+++ b/playbooks/include/proxies-certificates.yml
@@ -0,0 +1,21 @@
+- name: Set up those proxy certificates. Good gravy..
+ hosts: proxies-stg:proxies
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+ roles:
+
+ - role: httpd/mod_ssl
+
+ - role: httpd/certificate
+ name:
wildcard-2016.rpmfusion.org
+ SSLCertificateChainFile: wildcard-2016.rpmfusion.org.intermediate.cert
+
diff --git a/playbooks/include/proxies-fedora-web.yml
b/playbooks/include/proxies-fedora-web.yml
new file mode 100644
index 0000000..917221a
--- /dev/null
+++ b/playbooks/include/proxies-fedora-web.yml
@@ -0,0 +1,18 @@
+- name: Set up all that fedora-web goodness. What a wonder!
+ hosts: proxies-stg:proxies
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+ roles:
+
+ - role: fedora-web/main
+ website:
rpmfusion.org
+
diff --git a/playbooks/include/proxies-haproxy.yml
b/playbooks/include/proxies-haproxy.yml
new file mode 100644
index 0000000..4f5ad75
--- /dev/null
+++ b/playbooks/include/proxies-haproxy.yml
@@ -0,0 +1,22 @@
+- name: Set up all the haproxy stuff.
+ hosts: proxies-stg:proxies
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+ roles:
+
+ # The base haproxy role that sets it all up
+ - role: haproxy
+
+ # And an additional apache rewrite so we can access the web stats
+ - role: haproxy/rewrite
+ website:
admin.rpmfusion.org
+ path: /haproxy
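Review bot: The `haproxy/rewrite` entry publishes the haproxy web stats under `/haproxy` on admin.rpmfusion.org, and nothing in this play shows who is allowed to reach that path. The stats page lists backend names, health state and traffic counters, so it should be limited to administrators, either in the role's rewrite template (not part of this commit) or in haproxy's own stats configuration. Once that is confirmed, record it next to the role entry with a comment such as `# access to /haproxy is restricted by <where the control lives>`.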
diff --git a/playbooks/include/proxies-redirects.yml
b/playbooks/include/proxies-redirects.yml
new file mode 100644
index 0000000..87db0e1
--- /dev/null
+++ b/playbooks/include/proxies-redirects.yml
@@ -0,0 +1,39 @@
+- name: Set up those proxy redirects. Wow!
+ hosts: proxies-stg:proxies
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+ roles:
+
+ # Various app redirects
+ - role: httpd/redirect
+ name: community
+ website:
admin.rpmfusion.org
+ path: /community
+ target:
https://apps.fedoraproject.org/packages
+
+# - role: httpd/redirect
+# name: fas
+# website:
fas.rpmfusion.org
+# target:
https://admin.rpmfusion.org/accounts/
+
+ - role: httpd/redirect
+ name: fas
+ website:
admin.rpmfusion.org
+ path: /accounts
+ target:
https://fas.rpmfusion.org
+
+ - role: httpd/redirectmatch
+ name: mailman
+ website:
admin.rpmfusion.org
+ regex: /mailman/(.*)$
+ target:
https://lists.rpmfusion.org/mailman/$1
+
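Review bot: The mailman entry's `regex: /mailman/(.*)$` has no leading anchor. If the `httpd/redirectmatch` role passes it unchanged to a RedirectMatch (the role template is not in this commit), any path that merely contains `/mailman/` is redirected to lists.rpmfusion.org; `regex: ^/mailman/(.*)$` limits it to the intended prefix. Separately, the `community` redirect still targets `https://apps.fedoraproject.org/packages`, which looks like a leftover from the Fedora playbook and deserves a comment if it is intentional.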
diff --git a/playbooks/include/proxies-rewrites.yml
b/playbooks/include/proxies-rewrites.yml
new file mode 100644
index 0000000..c72f73b
--- /dev/null
+++ b/playbooks/include/proxies-rewrites.yml
@@ -0,0 +1,58 @@
+- name: Set up some domain rewrites.
+ hosts: proxies-stg:proxies
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+ roles:
+
+ - role: httpd/domainrewrite
+ destname: admin
+ website:
admin.fedoraproject.org
+ target:
https://apps.fedoraproject.org/
+
+ - role: httpd/domainrewrite
+ destname: apache-status
+ website:
admin.fedoraproject.org
+ path: /status
+
+ - role: httpd/domainrewrite
+ destname: 00-admin
+ website:
admin.fedoraproject.org
+ path: ^/favicon.ico$
+ status: 301
+ target:
https://fedoraproject.org/static/images/favicon.ico
+
+ - role: httpd/domainrewrite
+ destname: 00-docs
+ website:
docs.fedoraproject.org
+ path: ^/favicon.ico$
+ status: 301
+ target:
https://fedoraproject.org/static/images/favicon.ico
+
+ - role: httpd/domainrewrite
+ destname: 00-start
+ website:
start.fedoraproject.org
+ path: ^/favicon.ico$
+ status: 301
+ target:
https://fedoraproject.org/static/images/favicon.ico
+
+ - role: httpd/domainrewrite
+ destname: translate
+ website:
translate.fedoraproject.org
+ # TODO - At some point, this will switch to
fedora.zanata.org
+ target:
https://fedora.transifex.net/
+
+ - role: httpd/domainrewrite
+ destname: 00-translate-icon
+ website:
translate.fedoraproject.org
+ path: ^/favicon.ico$
+ status: 301
+ target:
https://fedoraproject.org/static/images/favicon.ico
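Review bot: Every `website:` in this play is a fedoraproject.org host (admin, docs, start, translate), while proxies-websites.yml in the same commit defines only rpmfusion.org vhosts. If `httpd/domainrewrite` writes into a per-website configuration directory, as the `conf.d/{{website}}/` layout in roles/fedora-web/main/tasks/main.yml suggests, these entries either fail or leave rewrite configuration for domains these proxies do not serve. They should be renamed to their rpmfusion.org equivalents or dropped. The `translate` target `https://fedora.transifex.net/` and its TODO should be re-checked at the same time.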
diff --git a/playbooks/include/proxies-websites.yml
b/playbooks/include/proxies-websites.yml
new file mode 100644
index 0000000..06f5ee5
--- /dev/null
+++ b/playbooks/include/proxies-websites.yml
@@ -0,0 +1,81 @@
+- name: Set up those proxy websites. My, my..
+ hosts: proxies-stg:proxies
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+
+ pre_tasks:
+ - name: Install policycoreutils-python
+ yum: pkg=policycoreutils-python state=present
+
+ - name: Create /srv/web/ for all the goodies.
+ file: >
+ dest=/srv/web state=directory
+ owner=root group=root mode=0755
+ tags:
+ - httpd
+ - httpd/website
+
+ - name: check the selinux context of webdir
+ command: matchpathcon /srv/web
+ register: webdir
+ always_run: yes
+ changed_when: "1 != 1"
+ tags:
+ - config
+ - selinux
+ - httpd
+ - httpd/website
+
+ - name: /srv/web file contexts
+ command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
+ when: webdir.stdout.find('httpd_sys_content_t') == -1
+ tags:
+ - config
+ - selinux
+ - httpd
+ - httpd/website
+
+ roles:
+
+ - role: httpd/website
+ name:
rpmfusion.org
+ server_aliases:
+ - localhost
+
+ - role: httpd/website
+ name:
admin.rpmfusion.org
+ sslonly: true
+ cert_name:
admin.rpmfusion.org
+
+ - role: httpd/website
+ name:
bugzilla.rpmfusion.org
+ sslonly: true
+ cert_name:
bugzilla.rpmfusion.org
+
+ - role: httpd/website
+ name:
fas.rpmfusion.org
+ sslonly: true
+ cert_name:
fas.rpmfusion.org
+
+ - role: httpd/website
+ name:
lists.rpmfusion.org
+ sslonly: true
+ cert_name:
lists.rpmfusion.org
+
+ - role: httpd/website
+ name:
id.rpmfusion.org
+ server_aliases:
+ - "*.id.rpmfusion.org"
+ # Must not be sslonly, because
example.id.fedoraproject.org must be reachable
+ # via plain http for openid identity support
+ cert_name:
id.rpmfusion.org
+
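Review bot: The `cert_name` values on the vhosts (`admin.rpmfusion.org`, `bugzilla.rpmfusion.org`, `fas.rpmfusion.org`, `lists.rpmfusion.org`, `id.rpmfusion.org`) do not match the only certificate this commit installs, `wildcard-2016.rpmfusion.org` in proxies-certificates.yml. Unless per-host certificates are deployed somewhere not shown here, the sslonly vhosts will point at certificate files that do not exist; `cert_name: wildcard-2016.rpmfusion.org` would tie them to the certificate that is actually set up. If that certificate is a single-level wildcard, it would not cover the `*.id.rpmfusion.org` alias either. The comment on the id vhost still names `example.id.fedoraproject.org`, and the main `rpmfusion.org` vhost has neither `sslonly` nor `cert_name`, which needs a comment if plain HTTP is intended there.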
diff --git a/roles/fedora-web/main/files/cache.conf
b/roles/fedora-web/main/files/cache.conf
new file mode 100644
index 0000000..05e5a50
--- /dev/null
+++ b/roles/fedora-web/main/files/cache.conf
@@ -0,0 +1,18 @@
+#<IfModule mod_disk_cache.c>
+# CacheRoot /srv/cache/mod_cache
+ # Disabled for normal use, to be enabled on release days
+ # CacheEnable disk /wiki/
+
+# CacheEnable disk /static/
+# CacheEnable disk /wiki/Image:
+# CacheEnable disk /w/skins/
+
+ # This is required for nagios check
+# CacheDisable /wiki/Special:Version
+# CacheDirLevels 5
+# CacheDirLength 3
+# CacheMaxFileSize 512000
+# CacheDefaultExpire 3600
+# CacheIgnoreNoLastMod On
+#</IfModule>
+
diff --git a/roles/fedora-web/main/files/cron-sync-fedora-web
b/roles/fedora-web/main/files/cron-sync-fedora-web
new file mode 100644
index 0000000..a3c7406
--- /dev/null
+++ b/roles/fedora-web/main/files/cron-sync-fedora-web
@@ -0,0 +1,2 @@
+# TODO: Make add some locking to this.
+25 * * * * root /usr/bin/rsync --delete -a --no-owner --no-group
sundries01::fedoraproject.org/ /srv/web/fedoraproject.org/
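Review bot: The job syncs `sundries01::fedoraproject.org/` into `/srv/web/fedoraproject.org/`, but fedora-web.conf in this commit sets `DocumentRoot /srv/web/rpmfusion.org/`, so the synced tree is not the one the document root points at. languages.conf carries the same `/srv/web/fedoraproject.org` path in its AliasMatch and Directory block, and the three files should agree. The TODO about locking can be closed by wrapping the command, e.g. `flock -n <lock file> /usr/bin/rsync ...`, so a slow run with `--delete` cannot overlap the next hourly one. The `host::module` form uses the rsync daemon protocol, which is not encrypted and is authenticated only if the module is configured for it, so a comment stating that sundries01 is reached over a trusted network would be useful.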
diff --git a/roles/fedora-web/main/files/deflate.conf
b/roles/fedora-web/main/files/deflate.conf
new file mode 100644
index 0000000..76c9733
--- /dev/null
+++ b/roles/fedora-web/main/files/deflate.conf
@@ -0,0 +1,29 @@
+LoadModule deflate_module modules/mod_deflate.so
+SetOutputFilter DEFLATE
+
+<Location />
+ # Insert filter
+ SetOutputFilter DEFLATE
+
+ # Netscape 4.x has some problems...
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+
+ # Netscape 4.06-4.08 have some more problems
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+
+ # MSIE masquerades as Netscape, but it is fine
+ # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
+ # the above regex won't work. You can use the following
+ # workaround to get the desired effect:
+ BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
+
+ # Don't compress images
+ SetEnvIfNoCase Request_URI \
+ \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+
+ # Make sure proxies don't deliver the wrong content
+ Header append Vary User-Agent env=!dont-vary
+</Location>
+
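Review bot: `SetOutputFilter DEFLATE` is set twice, once at the top level and again inside `<Location />`, which covers the same requests; one of the two should be removed. `Header append Vary User-Agent env=!dont-vary` makes shared caches keep one copy per User-Agent string, and it is only needed because of the `BrowserMatch` workarounds for Netscape 4. A comment saying whether those workarounds are still required would let a later reader decide whether the block can shrink to the filter line and the image exclusion.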
diff --git a/roles/fedora-web/main/files/expires.conf
b/roles/fedora-web/main/files/expires.conf
new file mode 100644
index 0000000..4c7262d
--- /dev/null
+++ b/roles/fedora-web/main/files/expires.conf
@@ -0,0 +1,17 @@
+ExpiresActive On
+ExpiresByType image/png "access plus 1 week"
+ExpiresByType image/gif "access plus 1 week"
+ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
+<Location /static/>
+ ExpiresDefault "access plus 1 week"
+</Location>
+FileETag none
+#
+# We want this file to never cache, it's used to determine if a client is
+# behind a caching proxy of some kind.
+#
+<LocationMatch "/static/hotspot.txt$">
+ Header set Cache-Control "must-revalidate"
+ ExpiresActive On
+ ExpiresDefault "now"
+</LocationMatch>
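Review bot: `FileETag none` here conflicts with `FileETag MTime Size` in fedora-web.conf, and tasks/main.yml copies both files into the same `conf.d/{{website}}/` directory, so the effective setting depends on include order. Keep one of the two and comment it with the reason. For hotspot.txt the comment says the file must never be cached, but `Cache-Control "must-revalidate"` on its own only governs what a cache does with a stale copy; `Header set Cache-Control "no-cache, no-store, must-revalidate"` states the intent explicitly rather than relying on `ExpiresDefault "now"`.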
diff --git a/roles/fedora-web/main/files/fedora-web.conf
b/roles/fedora-web/main/files/fedora-web.conf
new file mode 100644
index 0000000..8cc9b98
--- /dev/null
+++ b/roles/fedora-web/main/files/fedora-web.conf
@@ -0,0 +1,24 @@
+Alias /favicon.ico /srv/web/rpmfusion.org/static/images/favicon.ico
+DocumentRoot /srv/web/rpmfusion.org/
+
+ErrorDocument 404 /e/404
+
+FileETag MTime Size
+
+AddType image/svg+xml .svg
+AddType image/svg+xml .svgz
+AddEncoding gzip .svgz
+<FilesMatch \.svgz$>
+ <IfModule mod_gzip.c>
+ mod_gzip_on No
+ </IfModule>
+</FilesMatch>
+
+<FilesMatch \-webfont>
+ SetEnvIfNoCase Origin "https?://.*\.rpmfusion\.org" ACAO=$0
+ Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO
+</FilesMatch>
+
+<Location /static/checksums/>
+ Options Indexes
+</Location>
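Review bot: The `SetEnvIfNoCase Origin` pattern in the `-webfont` block is unanchored, and the response header is built from `$0`, so the allowlist is only correct as long as the matched text is exactly the Origin value. Anchoring it, `SetEnvIfNoCase Origin "^https?://([a-z0-9-]+\.)+rpmfusion\.org$" ACAO=$0`, makes that explicit and rejects an Origin with trailing text. Because the Access-Control-Allow-Origin value changes per request, the block should also add `Header append Vary Origin` so a shared cache does not serve one origin's header to another. The `-webfont` block and `<Location /static/checksums/>` with `Options Indexes` have no comments; one line each on why cross-origin font access and directory listings are wanted would help.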
diff --git a/roles/fedora-web/main/files/hotspot.conf
b/roles/fedora-web/main/files/hotspot.conf
new file mode 100644
index 0000000..8a52229
--- /dev/null
+++ b/roles/fedora-web/main/files/hotspot.conf
@@ -0,0 +1 @@
+Alias /static/hotspot.txt /srv/web/hotspot.txt
diff --git a/roles/fedora-web/main/files/languages.conf
b/roles/fedora-web/main/files/languages.conf
new file mode 100644
index 0000000..4db0ada
--- /dev/null
+++ b/roles/fedora-web/main/files/languages.conf
@@ -0,0 +1,144 @@
+# Define the correct MIME type for specific languages
+AddType text/html .bn
+AddType text/html .el
+AddType text/html .nb
+AddType text/html .pl
+AddType text/html .tr
+AddType text/html .es
+
+AddLanguage af .af
+AddLanguage ar .ar
+AddLanguage as .as
+AddLanguage ast .ast
+AddLanguage bal .bal
+AddLanguage bg .bg
+AddLanguage bn .bn
+AddLanguage bn-in .bn_IN
+AddLanguage br .br
+AddLanguage ca .ca
+AddLanguage cs .cs
+AddLanguage da .da
+AddLanguage de .de
+AddLanguage de-ch .de_CH
+AddLanguage el .el
+AddLanguage en .en
+AddLanguage en-gb .en_GB
+AddLanguage es .es
+AddLanguage eu .eu
+AddLanguage fa .fa
+AddLanguage fi .fi
+AddLanguage fr .fr
+AddLanguage gl .gl
+AddLanguage gu .gu
+AddLanguage he .he
+AddLanguage hi .hi
+AddLanguage hu .hu
+AddLanguage ia .ia
+AddLanguage id .id
+AddLanguage is .is
+AddLanguage it .it
+AddLanguage ja .ja
+AddLanguage ka .ka
+AddLanguage kn .kn
+AddLanguage ko .ko
+AddLanguage lv .lv
+AddLanguage ml .ml
+AddLanguage mr .mr
+AddLanguage nb .nb
+AddLanguage nl .nl
+AddLanguage or .or
+AddLanguage pa .pa
+AddLanguage pl .pl
+AddLanguage pt .pt
+AddLanguage pt-br .pt_BR
+AddLanguage ro .ro
+AddLanguage ru .ru
+AddLanguage sk .sk
+AddLanguage sq .sq
+AddLanguage sr .sr
+AddLanguage sv .sv
+AddLanguage ta .ta
+AddLanguage te .te
+AddLanguage tg .tg
+AddLanguage th .th
+AddLanguage tr .tr
+AddLanguage uk .uk
+AddLanguage vi .vi
+AddLanguage zh-cn .zh_CN
+AddLanguage zh-tw .zh_TW
+
+LanguagePriority en
+ForceLanguagePriority Prefer Fallback
+
+AddDefaultCharset utf-8
+
+RewriteEngine on
+
+RewriteCond %{QUERY_STRING}
^lang=(af|ar|as|ast|bal|bg|bn|bn_IN|br|ca|cs|da|de|de_CH|el|en|en_GB|es|eu|fa|fi|fr|gl|gu|he|hi|hu|ia|id|is|it|ja|ka|kn|ko|lv|ml|mr|nb|nl|or|pa|pl|pt|pt_BR|ro|ru|sk|sq|sr|sv|ta|te|tg|th|tr|uk|vi|zh_CN|zh_TW)$
+RewriteRule
^(?:/(?:af|ar|as|ast|bal|bg|bn|bn_IN|br|ca|cs|da|de|de_CH|el|en|en_GB|es|eu|fa|fi|fr|gl|gu|he|hi|hu|ia|id|is|it|ja|ka|kn|ko|lv|ml|mr|nb|nl|or|pa|pl|pt|pt_BR|ro|ru|sk|sq|sr|sv|ta|te|tg|th|tr|uk|vi|zh_CN|zh_TW))?(/.*)$
/%1$1? [R=301]
+AliasMatch
^(?:/(?:af|ar|as|ast|bal|bg|bn|bn_IN|br|ca|cs|da|de|de_CH|el|en|en_GB|es|eu|fa|fi|fr|gl|gu|he|hi|hu|ia|id|is|it|ja|ka|kn|ko|lv|ml|mr|nb|nl|or|pa|pl|pt|pt_BR|ro|ru|sk|sq|sr|sv|ta|te|tg|th|tr|uk|vi|zh_CN|zh_TW))(/.*)?$
/srv/web/fedoraproject.org$1
+
+<Directory /srv/web/fedoraproject.org>
+ Options MultiViews
+
+ SetEnvIf Request_URI ^/af/ prefer-language=af
+ SetEnvIf Request_URI ^/ar/ prefer-language=ar
+ SetEnvIf Request_URI ^/as/ prefer-language=as
+ SetEnvIf Request_URI ^/ast/ prefer-language=ast
+ SetEnvIf Request_URI ^/bal/ prefer-language=bal
+ SetEnvIf Request_URI ^/bg/ prefer-language=bg
+ SetEnvIf Request_URI ^/bn/ prefer-language=bn
+ SetEnvIf Request_URI ^/bn_IN/ prefer-language=bn-in
+ SetEnvIf Request_URI ^/br/ prefer-language=br
+ SetEnvIf Request_URI ^/ca/ prefer-language=ca
+ SetEnvIf Request_URI ^/cs/ prefer-language=cs
+ SetEnvIf Request_URI ^/da/ prefer-language=da
+ SetEnvIf Request_URI ^/de/ prefer-language=de
+ SetEnvIf Request_URI ^/de_CH/ prefer-language=de-ch
+ SetEnvIf Request_URI ^/el/ prefer-language=el
+ SetEnvIf Request_URI ^/en/ prefer-language=en
+ SetEnvIf Request_URI ^/en_GB/ prefer-language=en-gb
+ SetEnvIf Request_URI ^/es/ prefer-language=es
+ SetEnvIf Request_URI ^/eu/ prefer-language=eu
+ SetEnvIf Request_URI ^/fa/ prefer-language=fa
+ SetEnvIf Request_URI ^/fi/ prefer-language=fi
+ SetEnvIf Request_URI ^/fr/ prefer-language=fr
+ SetEnvIf Request_URI ^/gl/ prefer-language=gl
+ SetEnvIf Request_URI ^/gu/ prefer-language=gu
+ SetEnvIf Request_URI ^/he/ prefer-language=he
+ SetEnvIf Request_URI ^/hi/ prefer-language=hi
+ SetEnvIf Request_URI ^/hu/ prefer-language=hu
+ SetEnvIf Request_URI ^/ia/ prefer-language=ia
+ SetEnvIf Request_URI ^/id/ prefer-language=id
+ SetEnvIf Request_URI ^/is/ prefer-language=is
+ SetEnvIf Request_URI ^/it/ prefer-language=it
+ SetEnvIf Request_URI ^/ja/ prefer-language=ja
+ SetEnvIf Request_URI ^/ka/ prefer-language=ka
+ SetEnvIf Request_URI ^/kn/ prefer-language=kn
+ SetEnvIf Request_URI ^/ko/ prefer-language=ko
+ SetEnvIf Request_URI ^/lv/ prefer-language=lv
+ SetEnvIf Request_URI ^/ml/ prefer-language=ml
+ SetEnvIf Request_URI ^/mr/ prefer-language=mr
+ SetEnvIf Request_URI ^/nb/ prefer-language=nb
+ SetEnvIf Request_URI ^/nl/ prefer-language=nl
+ SetEnvIf Request_URI ^/or/ prefer-language=or
+ SetEnvIf Request_URI ^/pa/ prefer-language=pa
+ SetEnvIf Request_URI ^/pl/ prefer-language=pl
+ SetEnvIf Request_URI ^/pt/ prefer-language=pt
+ SetEnvIf Request_URI ^/pt_BR/ prefer-language=pt-br
+ SetEnvIf Request_URI ^/ro/ prefer-language=ro
+ SetEnvIf Request_URI ^/ru/ prefer-language=ru
+ SetEnvIf Request_URI ^/sk/ prefer-language=sk
+ SetEnvIf Request_URI ^/sq/ prefer-language=sq
+ SetEnvIf Request_URI ^/sr/ prefer-language=sr
+ SetEnvIf Request_URI ^/sv/ prefer-language=sv
+ SetEnvIf Request_URI ^/ta/ prefer-language=ta
+ SetEnvIf Request_URI ^/te/ prefer-language=te
+ SetEnvIf Request_URI ^/tg/ prefer-language=tg
+ SetEnvIf Request_URI ^/th/ prefer-language=th
+ SetEnvIf Request_URI ^/tr/ prefer-language=tr
+ SetEnvIf Request_URI ^/uk/ prefer-language=uk
+ SetEnvIf Request_URI ^/vi/ prefer-language=vi
+ SetEnvIf Request_URI ^/zh_CN/ prefer-language=zh-cn
+ SetEnvIf Request_URI ^/zh_TW/ prefer-language=zh-tw
+</Directory>
diff --git a/roles/fedora-web/main/files/persona.conf
b/roles/fedora-web/main/files/persona.conf
new file mode 100644
index 0000000..2f00388
--- /dev/null
+++ b/roles/fedora-web/main/files/persona.conf
@@ -0,0 +1,5 @@
+Alias /.well-known/browserid /srv/web/browserid.rpmfusion.org
+
+<Location /.well-known/browserid>
+ ForceType application/json
+</Location>
diff --git a/roles/fedora-web/main/files/redirects.conf.prod
b/roles/fedora-web/main/files/redirects.conf.prod
new file mode 100644
index 0000000..4b59472
--- /dev/null
+++ b/roles/fedora-web/main/files/redirects.conf.prod
@@ -0,0 +1,23 @@
+RewriteEngine On
+
+
+# Drop distributed web referrer hits
+RewriteCond %{HTTP_REFERER}
^http://.*/feed/index\.php\?pid2=.*&sid2=.*&mb2=.*&partnerid2=.*&redir=.*&multi=.*&aff_id=.*$
+RewriteCond %{HTTP_REFERER} ^http://playdot.net/.*$
+RewriteCond %{HTTP_REFERER} ^http://www.mailbait.info.*$
+RewriteRule .* - [F]
+
+# Drop connections from .ru site thats spawning thousands of connections at a time.
+RewriteCond %{REMOTE_ADDR} ^95\.24\.237\.122$
+RewriteRule .* - [F]
+
+# Sponsor links should go to the specific sponsor page
+RewriteRule ^(/.*)?/sponsors.*$
https://getfedora.org/sponsors [R=301,L]
+
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule ^/([^/]+/)?(keys|verify)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
+
+RewriteCond %{HTTP_REFERER} .*fedorproject.*
+RewriteRule .*
http://mmcgrath.fedorapeople.org/spam.html [R=301,L]
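Review bot: The three `RewriteCond %{HTTP_REFERER}` lines before the first `RewriteRule .* - [F]` are combined with AND, because consecutive conditions without `[OR]` must all match, and no referer can start with both `http://playdot.net/` and `http://www.mailbait.info`, so this block never fires. Adding `[OR]` to the first two conditions, e.g. `RewriteCond %{HTTP_REFERER} ^http://playdot.net/.*$ [OR]`, gives the intended behaviour, and the dots in the host names should be escaped. The hard-coded `REMOTE_ADDR` block and the final referer rule would benefit from a dated comment with the reason, since nothing here tells a later reader when they can be removed.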
diff --git a/roles/fedora-web/main/files/redirects.conf.stg
b/roles/fedora-web/main/files/redirects.conf.stg
new file mode 100644
index 0000000..ab9f85e
--- /dev/null
+++ b/roles/fedora-web/main/files/redirects.conf.stg
@@ -0,0 +1,23 @@
+RewriteEngine On
+
+# TODO: Are these still necessary?
+RewriteRule ^/CodecBuddy
http://fedoraproject.org/wiki/CodecBuddy [NC]
+RewriteRule ^/soc.*$
http://fedoraproject.org/wiki/SummerOfCode [R=301,L]
+
+# Legal redirects
+RewriteRule ^/([^/]+/)?legal/licenses/export
https://fedoraproject.org/wiki/Legal:Export
[R=301,L]
+RewriteRule ^/([^/]+/)?legal/licenses
https://fedoraproject.org/wiki/Legal:Licenses/LicenseAgreement [R=301,L]
+RewriteRule ^/([^/]+/)?legal/trademarks
http://fedoraproject.org/wiki/Legal:Trademark_guidelines [R=301,L]
+RewriteRule ^/([^/]+/)?legal
https://fedoraproject.org/wiki/Legal:Main [R=301,L]
+
+# Comment this when there is a prerelease available
+RewriteRule ^(/.*)?/get-prerelease.*$
http://fedoramagazine.org/fedora-23-released/
[R=301,L]
+#RewriteRule ^(/.*)?/get-spin-prerelease.*$ $1/get-fedora [R=302]
+
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule ^/([^/]+/)?(keys|verify)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
+
+RewriteCond %{HTTP_REFERER} .*fedorproject.*
+RewriteRule .*
http://mmcgrath.fedorapeople.org/spam.html [R=301,L]
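Review bot: Several targets in this file redirect to plain `http://` (CodecBuddy, SummerOfCode, `Legal:Trademark_guidelines`, the fedoramagazine link and `http://mmcgrath.fedorapeople.org/spam.html`) while the neighbouring rules use `https://`, so a visitor who arrived over TLS is sent on in cleartext. Switch those to `https://` where the destination supports it; the same final referer rule is in redirects.conf.prod. The first rule, `RewriteRule ^/CodecBuddy ... [NC]`, also lacks the `[R=301,L]` the other rules carry. Apart from the last two stanzas this file and redirects.conf.prod contain different rules, so staging does not exercise what production will run.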
diff --git a/roles/fedora-web/main/tasks/main.yml b/roles/fedora-web/main/tasks/main.yml
new file mode 100644
index 0000000..d0c7cb3
--- /dev/null
+++ b/roles/fedora-web/main/tasks/main.yml
@@ -0,0 +1,79 @@
+- name: Copy in the sync-fedora-web cronjob
+ copy: src=cron-sync-fedora-web dest=/etc/cron.d/sync-fedora-web
+ tags:
+ - fedora-web
+ - fedora-web/main
+
+- name: Copy some config files for {{website}}
+ copy: >
+ src={{item}} dest=/etc/httpd/conf.d/{{website}}/{{item}}
+ owner=root group=root mode=0644
+ with_items:
+ - fedora-web.conf
+ - languages.conf
+ - cache.conf
+ - persona.conf
+ - hotspot.conf
+ - expires.conf
+ - deflate.conf
+ notify:
+ - reload httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
+ - fedora-web/hotspot
+
+- name: And one template (for {{website}})
+ template: >
+ src={{item}} dest=/etc/httpd/conf.d/{{website}}/{{item}}
+ owner=root group=root mode=0644
+ with_items:
+ - sponsor.conf
+ notify:
+ - reload httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
+
+- name: Create a file for hotspot
+ copy: dest=/srv/web/hotspot.txt content="OK"
+ owner=root group=root mode=0644
+ setype=httpd_sys_content_t
+ tags:
+ - fedora-web
+ - fedora-web/main
+ - fedora-web/hotspot
+
+- name: And, copy over a template for browserid
+ template: >
+
src=browserid.rpmfusion.org dest=/srv/web/browserid.rpmfusion.org
+ owner=root group=root mode=0644
+ notify:
+ - reload httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
+
+# TODO -- turn these into redirects in playbooks/groups/proxies-redirect.yml
+- name: Copy over some miscellaneous redirects (for stg)
+ copy: >
+ src=redirects.conf.stg dest=/etc/httpd/conf.d/{{website}}/redirects.conf
+ owner=root group=root mode=0644
+ when: env == "staging"
+ notify:
+ - reload httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
+
+# TODO -- turn these into redirects in playbooks/groups/proxies-redirect.yml
+- name: Copy over some miscellaneous redirects (for prod)
+ copy: >
+ src=redirects.conf.prod dest=/etc/httpd/conf.d/{{website}}/redirects.conf
+ owner=root group=root mode=0644
+ when: env != "staging"
+ notify:
+ - reload httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
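Review bot: The first task copies `cron-sync-fedora-web` into `/etc/cron.d/` without `owner`, `group` or `mode`, unlike every other copy in this file, so the permissions of a root-executed cron file depend on the defaults of the Ansible run. Set them explicitly: `copy: src=cron-sync-fedora-web dest=/etc/cron.d/sync-fedora-web owner=root group=root mode=0644`. The tasks that write into `/etc/httpd/conf.d/{{website}}/` assume that directory already exists; it is presumably created by the `httpd/website` role in proxies-websites.yml, which is a separate play, so a comment stating that ordering requirement would help.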
diff --git
a/roles/fedora-web/main/templates/browserid.rpmfusion.org
b/roles/fedora-web/main/templates/browserid.rpmfusion.org
new file mode 100644
index 0000000..7b42252
--- /dev/null
+++
b/roles/fedora-web/main/templates/browserid.rpmfusion.org
@@ -0,0 +1,9 @@
+{
+
+{% if env == "staging" %}
+ "authority": "id.stg.rpmfusion.org"
+{% else %}
+ "authority": "id.rpmfusion.org"
+{% endif %}
+
+}
diff --git a/roles/fedora-web/main/templates/sponsor.conf
b/roles/fedora-web/main/templates/sponsor.conf
new file mode 100644
index 0000000..2ee4235
--- /dev/null
+++ b/roles/fedora-web/main/templates/sponsor.conf
@@ -0,0 +1 @@
+Alias /static/js/sponsor.js /srv/web/{{website}}/static/js/sponsors/{{sponsor}}.js
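Review bot: The template interpolates `{{sponsor}}`, but proxies-fedora-web.yml in this commit passes only `website` to the `fedora-web/main` role, so unless `sponsor` is defined in one of the vars files the template task fails on an undefined variable. Either pass it with the role, `sponsor: <sponsor name>`, or give the role a default. Because the value becomes part of a file-system path in an Alias directive, the role should also document which values are expected.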