[gimp-web/oscp] Add static.gnome.org

[Bartłomiej Piotrowski <bpiotrowski src gnome org>]

commit 47f59b99197312b8d7c309237197e164ecdafd57
Author: Bartłomiej Piotrowski <bpiotrowski gnome org>
Date:   Tue Mar 17 19:11:42 2020 +0100

    Add static.gnome.org

 static.gnome.org/Dockerfile                        | 19 ++++++++
 .../app_data/httpd-cfg/static.gnome.org.conf       | 55 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)
---
diff --git a/static.gnome.org/Dockerfile b/static.gnome.org/Dockerfile
new file mode 100644
index 00000000..522fb484
--- /dev/null
+++ b/static.gnome.org/Dockerfile
@@ -0,0 +1,19 @@
+FROM centos:8
+RUN dnf install -y python3-pip git && \
+    pip3 install pelican bs4 pygeoip typogrify
+
+RUN git clone --depth 1 --branch migrate/py3 https://gitlab.gnome.org/Infrastructure/gimp-web && \
+    cd gimp-web && \
+    pelican content -o output -s pelicanconf.py
+
+FROM centos/httpd-24-centos7
+USER root
+
+COPY app_data /opt/app-root/src
+COPY --from=0 /gimp-web/output /opt/app-root/src/html
+RUN  chown -R 1000580000:1000580000 /opt/app-root/src
+
+EXPOSE 8080
+
+USER 1000580000
+ENTRYPOINT ["/usr/bin/run-httpd"]
diff --git a/static.gnome.org/app_data/httpd-cfg/static.gnome.org.conf 
b/static.gnome.org/app_data/httpd-cfg/static.gnome.org.conf
new file mode 100644
index 00000000..dd671b98
--- /dev/null
+++ b/static.gnome.org/app_data/httpd-cfg/static.gnome.org.conf
@@ -0,0 +1,55 @@
+<VirtualHost *:8080>
+    ServerName static.gimp.org
+
+    ServerAdmin webmaster gimp org
+    DocumentRoot /opt/app-root/src/html
+    RedirectPermanent /robots.txt /robots-testing.txt
+
+    # Disable unsafe inline/eval, only load resources from same origin
+    # except also allow OpenHub. Also disables the execution of plugins.
+    Header always set \
+           Content-Security-Policy " \
+             default-src 'none'; \
+             img-src 'self'; \
+             style-src 'self'; \
+             script-src 'self' https://www.openhub.net; \
+             font-src 'self'; \
+             child-src 'self' https://www.openhub.net https://www.youtube.com 
https://www.youtube-nocookie.co\
+m; \
+             object-src 'none'; \
+             media-src 'self' https://download.gimp.org https://www.mirrorservice.org; \
+             base-uri 'self'; \
+             form-action 'self'; \
+             frame-ancestors 'self'; \
+             "
+    Header always set \
+           Referrer-Policy: "same-origin, strict-origin-when-cross-origin"
+
+    RedirectPermanent       /downloads/Linux.html /downloads/
+    RedirectPermanent  /downloads/Mac.html /downloads/
+    RedirectPermanent       /downloads/Windows.html /downloads/
+    RedirectPermanent  /macintosh/     /downloads/
+    RedirectPermanent       /windows/     /downloads/
+    RedirectPermanent  /news/2017/02/27/an-interview-with-michael-natterer-gimp-maintainer/    
/news/2017/03/01/an-interview-with-michael-natterer-gimp-maintainer/
+    RedirectPermanent  /news/2018/03/26/gimp-2-10-rc1-released/ /news/2018/03/26/gimp-2-10-0-rc1-released/
+    RedirectPermanent  /bugs/howtos/bugzilla.html /bugs/report.html
+    RedirectPermanent  /news.rdf       /feeds/atom.xml
+
+    AddType text/html .xhtml
+    AddType text/xml .rdf
+    AddType text/xml .rss
+    AddType text/plain .md5
+    AddType text/plain .sha1
+    AddType text/plain .sha256
+    AddType application/vnd.flatpak .flatpak
+
+    ErrorDocument 404 /404.html
+</VirtualHost>
+
+<Directory "/opt/app-root/src/html">
+  Require all granted
+</Directory>
+
+<LocationMatch "^/.well-known/acme-challenge">
+  RedirectMatch ^(.*) https://letsencrypt.gnome.org$1
+</LocationMatch>