copr: create frontend-cloud role, rename stg host group to dev

inventory/inventory

@@ -1296,13 +1296,13 @@ bvirthost
 buildvmhost
 virthost-comm
 
-[copr-front-stg]
+[copr-front-dev]
 copr-fe-dev.cloud.fedoraproject.org
 
-[copr-back-stg]
+[copr-back-dev]
 copr-be-dev.cloud.fedoraproject.org
 
-[copr-keygen-stg]
+[copr-keygen-dev]
 copr-keygen-dev.cloud.fedoraproject.org
 
 [copr-keygen]
@@ -1317,7 +1317,7 @@ copr-be.cloud.fedoraproject.org
 [copr-dist-git]
 copr-dist-git.fedorainfracloud.org
 
-[copr-dist-git-stg]
+[copr-dist-git-dev]
 copr-dist-git-dev.fedorainfracloud.org
 
 [copr:children]
@@ -1326,11 +1326,11 @@ copr-back
 copr-keygen
 copr-dist-git
 
-[copr-stg:children]
-copr-front-stg
-copr-back-stg
-copr-keygen-stg
-copr-dist-git-stg
+[copr-dev:children]
+copr-front-dev
+copr-back-dev
+copr-keygen-dev
+copr-dist-git-dev
 
 [pagure]
 pagure01.fedoraproject.org

playbooks/groups/copr-backend.yml

@@ -1,6 +1,6 @@
 - name: check/create instance
   #hosts: copr-back
-  hosts: copr-back:copr-back-stg
+  hosts: copr-back:copr-back-dev
   user: root
   gather_facts: False
 
@@ -13,7 +13,7 @@
   - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
 
 - name: cloud basic setup
-  hosts: copr-back:copr-back-stg
+  hosts: copr-back:copr-back-dev
   user: root
   gather_facts: True
   vars_files:
@@ -28,7 +28,7 @@
     hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
 
 - name: provision instance
-  hosts: copr-back:copr-back-stg
+  hosts: copr-back:copr-back-dev
   user: root
   gather_facts: True
 

playbooks/groups/copr-dist-git.yml

@@ -1,5 +1,5 @@
 - name: check/create instance
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git
   user: root
   gather_facts: False
 
@@ -13,7 +13,7 @@
   - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
 
 - name: cloud basic setup
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git
   user: root
   gather_facts: True
   vars_files:
@@ -27,7 +27,7 @@
     hostname: name="{{copr_hostbase}}.fedorainfracloud.org"
 
 - name: provision instance
-  hosts: copr-dist-git-stg:copr-dist-git
+  hosts: copr-dist-git-dev:copr-dist-git
   user: root
   gather_facts: True
 

playbooks/groups/copr-frontend-cloud.yml

@@ -0,0 +1,42 @@
+- name: check/create instance
+  hosts: copr-front-dev:copr-front
+  # hosts: copr-front
+  gather_facts: False
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/fedora-cloud.yml
+   - /srv/private/ansible/files/openstack/passwords.yml
+
+  tasks:
+  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
+
+- name: cloud basic setup
+  hosts: copr-front-dev:copr-front
+  # hosts: copr-front
+  gather_facts: True
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+
+  tasks:
+  - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
+  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+  - name: set hostname (required by some services, at least postfix need it)
+    hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
+
+- name: provision instance
+  hosts: copr-front:copr-front-dev
+  # hosts: copr-front
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+   - base
+   - copr/frontend
+   - nagios_client

playbooks/groups/copr-keygen.yml

@@ -1,5 +1,5 @@
 - name: check/create instance
-  hosts: copr-keygen-stg:copr-keygen
+  hosts: copr-keygen-dev:copr-keygen
   #hosts: copr-keygen
   gather_facts: False
 
@@ -21,7 +21,7 @@
     when: facts is failed
 
 - name: cloud basic setup
-  hosts: copr-keygen-stg:copr-keygen
+  hosts: copr-keygen-dev:copr-keygen
   # hosts: copr-keygen
   gather_facts: True
   vars_files:
@@ -35,7 +35,7 @@
     hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org"
 
 - name: provision instance
-  hosts: copr-keygen:copr-keygen-stg
+  hosts: copr-keygen:copr-keygen-dev
   #hosts: copr-keygen
   gather_facts: True
 

roles/copr/frontend-cloud/files/DigiCertCA.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
+YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
+4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
+Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
+itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
+4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
+sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
+bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
+MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
+dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
+L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
+BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
+UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
+aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
+aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
+E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
+/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
+xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
+0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
+cPUeybQ=
+-----END CERTIFICATE-----

roles/copr/frontend-cloud/files/banner-include.html

@@ -0,0 +1,8 @@
+<div class="page">
+<h1>
+  Warning! This is a development server.
+</h1>
+<h2>
+  Production instance: <a href="https://copr.fedoraproject.org/">https://copr.fedoraproject.org/ </a>
+</h2>
+</div>

roles/copr/frontend-cloud/files/httpd/welcome.conf

@@ -0,0 +1 @@
+#commented out so it doesn't do that stupid index page

roles/copr/frontend-cloud/files/pg/pg_hba.conf

@@ -0,0 +1,13 @@
+local coprdb copr-fe md5
+host  coprdb copr-fe 127.0.0.1/8 md5
+host  coprdb copr-fe ::1/128 md5
+local coprdb postgres  ident
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     peer
+# IPv4 local connections:
+host    all             all             127.0.0.1/32            ident
+# IPv6 local connections:
+host    all             all             ::1/128                 ident

roles/copr/frontend-cloud/files/robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

roles/copr/frontend-cloud/handlers/main.yml

@@ -0,0 +1,5 @@
+- import_tasks: "{{ handlers_path }}/restart_services.yml"
+
+- name: restart postgresql
+  service: name=postgresql
+           state=restarted

roles/copr/frontend-cloud/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: copr/base }

roles/copr/frontend-cloud/tasks/install_certs.yml

@@ -0,0 +1,14 @@
+- name: copy httpd ssl certificates (crt)
+  copy: src="{{ private }}/files/httpd/{{item}}"
+        dest="/etc/pki/tls/certs/"
+        owner=root group=root mode=0600
+  with_items:
+  - copr.fedorainfracloud.org.crt
+  - copr.fedorainfracloud.org.intermediate.crt
+  tags:
+  - config
+
+- name: copy httpd ssl certificates (key)
+  copy: src="{{ private }}/files/httpd/copr.fedorainfracloud.org.key" dest="/etc/pki/tls/private/" owner=root group=root mode=0600
+  tags:
+  - config

roles/copr/frontend-cloud/tasks/main.yml

@@ -0,0 +1,138 @@
+---
+- import_tasks: "mount_fs.yml"
+
+- command: "ls -dZ /var/lib/pgsql"
+  register: pgsql_ls
+
+- name: update selinux context for postgress db dir if it's wrong
+  command: "restorecon -vvRF /var/lib/pgsql"
+  when: pgsql_ls.stdout is defined and 'postgresql_db_t' not in  pgsql_ls.stdout
+
+- name: install copr-frontend and copr-selinux
+  dnf: state=latest name={{ item }}
+  with_items:
+  - copr-frontend
+  - copr-selinux
+  tags:
+  - packages
+
+  # we install python-alembic because https://bugzilla.redhat.com/show_bug.cgi?id=1536058
+- name: install additional pkgs for copr-frontend
+  dnf: state=present pkg={{ item }}
+  with_items:
+  - "bash-completion"
+  - "mod_ssl"
+  - redis
+  - pxz
+  - python3-alembic
+  tags:
+  - packages
+
+- name: install a newer version of xstatic-jquery-ui-common
+  command: dnf install -y https://kojipkgs.fedoraproject.org//packages/python-XStatic-jquery-ui/1.12.0.1/2.fc26/noarch/xstatic-jquery-ui-common-1.12.0.1-2.fc26.noarch.rpm
+
+- name: install copr configs
+  template: src="copr.conf" dest=/etc/copr/copr.conf mode=600
+  notify:
+  - reload httpd
+  tags:
+  - config
+
+- name: enable and start redis  # TODO: .service in copr-backend should depend on redis
+  service: name=redis enabled=yes state=started
+
+- name: enable and start pagure-events
+  service: name=pagure-events enabled=yes state=started
+
+- name: copy apache files to conf.d
+  copy: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
+  with_items:
+  - "welcome.conf"
+  tags:
+  - config
+
+- name: copy apache files to conf.d (templates)
+  template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
+  with_items:
+  - "coprs.conf"
+  tags:
+  - config
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1535689
+- name: Allow execmem for Apache
+  seboolean:
+    name: httpd_execmem
+    state: yes
+    persistent: yes
+
+- import_tasks: "psql_setup.yml"
+
+- name: upgrade db to head
+  command: alembic-3 upgrade head
+  become: yes
+  become_user: copr-fe
+  args:
+    chdir: /usr/share/copr/coprs_frontend/
+
+- name: set up admins
+  command: ./manage.py alter_user --admin {{ item }}
+  become: yes
+  become_user: copr-fe
+  args:
+    chdir: /usr/share/copr/coprs_frontend/
+  ignore_errors: yes
+  with_items:
+  - msuchy
+  - sgallagh
+  - spot
+  - nb
+  - kevin
+
+- name: install ssl certificates for production
+  import_tasks: "install_certs.yml"
+  when: not devel
+  tags:
+  - config
+
+- name: letsencrypt cert
+  include_role: name=certbot
+  when: devel
+  tags:
+  - config
+
+- name: Check that cert file exists
+  stat:
+    path: "/etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem"
+  register: stat_cert
+
+- name: Should admin run certbot?
+  fail:
+    msg: Please see roles/certbot/README step (2) and manually run certbot
+  when:
+    - stat_cert.stat.exists == False
+    - devel
+
+- name: install copr-frontend ssl vhost
+  template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/coprs_ssl.conf"
+  tags:
+  - config
+
+- name: enable services
+  service: state=started enabled=yes name={{ item }}
+  with_items:
+  - httpd
+
+- name: set dev banner for dev instance
+  when: devel
+  copy: src=banner-include.html dest=/var/lib/copr/
+
+- name: disallow robots on dev instance
+  when: devel
+  copy: src=robots.txt dest=/var/www/html/
+
+- name: rebuild indexes
+  command: ./manage.py update_indexes
+  become: yes
+  become_user: copr-fe
+  args:
+    chdir: /usr/share/copr/coprs_frontend/

roles/copr/frontend-cloud/tasks/mount_fs.yml

@@ -0,0 +1,6 @@
+- name: mount up disk of copr fe
+  mount: name=/srv/copr-fe src='LABEL=copr-fe' fstype=ext4 state=mounted
+
+- name: mount up bind mount for postgres
+  mount: src=/srv/copr-fe/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted
+

roles/copr/frontend-cloud/tasks/psql_setup.yml

@@ -0,0 +1,110 @@
+- name: install postresql
+  package: state=present pkg={{ item }}
+  with_items:
+  - "postgresql-server"
+  - "postgresql-contrib"
+
+
+- name: See if postgreSQL is installed
+  stat: path=/var/lib/pgsql/initdb.log
+  register: pgsql_installed
+
+- name: init postgresql
+  shell: "postgresql-setup initdb"
+  when: not pgsql_installed.stat.exists
+
+- name: copy pg_hba.conf
+  copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
+  notify:
+  - restart postgresql
+  tags:
+  - config
+
+- name: Ensure postgres has a place to backup to
+  file: dest=/backups state=directory owner=postgres
+  tags:
+  - config
+
+# TODO: I think we missing user creation, check it we do it somewhere else ...
+
+- name: Copy over backup scriplet
+  copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
+  tags:
+  - config
+
+- name: Set up some cronjobs to backup databases as configured
+  template: >
+    src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
+    dest="/etc/cron.d/cron-backup-database-{{ item }}"
+  with_items:
+  - "{{ dbs_to_backup }}"
+  when: dbs_to_backup != []
+  tags:
+  - config
+
+- name: enable Pg service
+  service: state=started enabled=yes name=postgresql
+
+- name: Create db
+  postgresql_db: name="coprdb" encoding='UTF-8'
+  become: yes
+  become_user: postgres
+
+- name: Create db user
+  postgresql_user: db="coprdb" name="copr-fe" password="{{ copr_database_password }}" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
+  become: yes
+  become_user: postgres
+
+- name: set shared_buffers for PostgreSQL
+  lineinfile:
+    path: /var/lib/pgsql/data/postgresql.conf
+    regexp: '^shared_buffers ='
+    line: 'shared_buffers = 1024MB'
+  notify: restart postgresql
+  tags:
+  - config
+
+- name: set effective_cache_size for PostgreSQL
+  lineinfile:
+    path: /var/lib/pgsql/data/postgresql.conf
+    regexp: '^effective_cache_size ='
+    line: 'effective_cache_size = 2048MB'
+  notify: restart postgresql
+  tags:
+  - config
+
+- name: set work_mem for PostgreSQL
+  lineinfile:
+    path: /var/lib/pgsql/data/postgresql.conf
+    regexp: '^work_mem ='
+    line: 'work_mem = 4MB'
+  notify: restart postgresql
+  tags:
+  - config
+
+- name: set maintenance_work_mem for PostgreSQL
+  lineinfile:
+    path: /var/lib/pgsql/data/postgresql.conf
+    regexp: '^maintenance_work_mem ='
+    line: 'maintenance_work_mem = 1GB'
+  notify: restart postgresql
+  tags:
+  - config
+
+- name: set checkpoint_completion_target for PostgreSQL
+  lineinfile:
+    path: /var/lib/pgsql/data/postgresql.conf
+    regexp: '^checkpoint_completion_target ='
+    line: 'checkpoint_completion_target = 0.9'
+  notify: restart postgresql
+  tags:
+  - config
+
+- name: set log_min_duration_statement for PostgreSQL
+  lineinfile:
+    path: /var/lib/pgsql/data/postgresql.conf
+    regexp: '^log_min_duration_statement ='
+    line: 'log_min_duration_statement = 500'
+  notify: restart postgresql
+  tags:
+  - config

roles/copr/frontend-cloud/templates/copr.conf

@@ -0,0 +1,81 @@
+# Directory and files where is stored Copr database files
+DATA_DIR = '/var/lib/copr/data'
+DATABASE = '/var/lib/copr/data/copr.db'
+OPENID_STORE = '/var/lib/copr/data/openid_store'
+WHOOSHEE_DIR = '/var/lib/copr/data/whooshee'
+WHOOSHEE_MIN_STRING_LEN = 2
+WHOOSHEE_WRITER_TIMEOUT = 10
+
+SECRET_KEY = '{{ copr_secret_key }}'
+BACKEND_PASSWORD = '{{ copr_backend_password  }}'
+BACKEND_BASE_URL = '{{ backend_base_url }}'
+
+# restrict access to a set of users
+#USE_ALLOWED_USERS = False
+#ALLOWED_USERS = ['bonnie', 'clyde']
+
+SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copr-fe:{{ copr_database_password }}@/coprdb'
+
+# Token length, defaults to 30 (max 255)
+#API_TOKEN_LENGTH = 30
+
+# Expiration of API token in days
+#API_TOKEN_EXPIRATION = 180
+
+# logging options
+#SEND_LOGS_TO = ['root@localhost']
+#LOGGING_LEVEL = logging.ERROR
+
+DEBUG = False
+SQLALCHEMY_ECHO = False
+
+CSRF_ENABLED = True
+WTF_CSRF_ENABLED = True
+
+# send emails when user's perms change in project?
+SEND_EMAILS = True
+
+PUBLIC_COPR_HOSTNAME = "{{ copr_frontend_public_hostname }}"
+
+LOG_FILENAME = "/var/log/copr-frontend/frontend.log"
+LOG_DIR = "/var/log/copr-frontend/"
+
+# to accept stat events from logstash
+INTRANET_IPS = {{ copr_backend_ips }}
+
+REPO_GPGCHECK = {% if devel %} 0 {% else %} 1 {% endif %}
+
+{% if env == 'staging' %}
+PUBLIC_COPR_BASE_URL = "http://copr-fe-dev.cloud.fedoraproject.org"
+{% else %}
+PUBLIC_COPR_BASE_URL = "https://copr.fedorainfracloud.org"
+{% endif %}
+
+{% if env == 'staging' %}
+# Staging URLs for fedmenu
+FEDMENU_URL = "https://apps.stg.fedoraproject.org/fedmenu/"
+FEDMENU_DATA_URL = "https://apps.stg.fedoraproject.org/js/data.js"
+{% else %}
+# Production URLs for fedmenu
+FEDMENU_URL = "https://apps.fedoraproject.org/fedmenu/"
+FEDMENU_DATA_URL = "https://apps.fedoraproject.org/js/data.js"
+{% endif %}
+
+# todo: check that ansible variable is used correctly
+{% if env == 'staging' %}
+ENFORCE_PROTOCOL_FOR_BACKEND_URL = "http"
+ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "http"
+{% else %}
+ENFORCE_PROTOCOL_FOR_BACKEND_URL = "https"
+ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "https"
+{% endif %}
+
+DIST_GIT_URL="https://{{ dist_git_base_url }}/cgit"
+DIST_GIT_CLONE_URL="https://{{ dist_git_base_url }}/git"
+COPR_DIST_GIT_LOGS_URL = "https://{{ dist_git_base_url }}/per-task-logs"
+MBS_URL = "http://localhost/module/1/module-builds/"
+
+# no need to filter cla_* groups, they are already filtered by fedora openid
+BLACKLISTED_GROUPS = ['fedorabugs', 'packager', 'provenpackager']
+
+DEFER_BUILD_SECONDS = 300

roles/copr/frontend-cloud/templates/httpd/coprs.conf

@@ -0,0 +1,56 @@
+NameVirtualHost *:80
+LoadModule wsgi_module modules/mod_wsgi.so
+WSGISocketPrefix /var/run/wsgi
+Alias /robots.txt /var/www/html/robots.txt
+
+WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=15 display-name=other maximum-requests=8000 graceful-timeout=20
+WSGIDaemonProcess api user=copr-fe group=copr-fe threads=15 display-name=api maximum-requests=8000 graceful-timeout=20
+WSGIDaemonProcess backend user=copr-fe group=copr-fe threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20
+WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats maximum-requests=8000 graceful-timeout=20
+WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20
+WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
+
+<VirtualHost *:80>
+    ServerName copr.fedorainfracloud.org
+    ServerAlias copr-fe.cloud.fedoraproject.org
+    WSGIPassAuthorization On
+
+    <Location />
+        WSGIProcessGroup 127.0.0.1
+    </Location>
+
+    #ErrorLog logs/error_coprs
+    #CustomLog logs/access_coprs common
+
+    <Directory /usr/share/copr>
+        WSGIApplicationGroup %{GLOBAL}
+    Require all granted
+    </Directory>
+</VirtualHost>
+
+{% if devel %}
+<VirtualHost *:80>
+    RewriteEngine on
+    RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
+</VirtualHost>
+{% endif %}
+
+<IfModule mod_status.c>
+ExtendedStatus On
+
+<Location /server-status>
+    SetHandler server-status
+    Require all denied
+    Require host localhost .redhat.com
+</Location>
+</IfModule>
+
+<IfModule mpm_prefork_module>
+    StartServers          8
+    MinSpareServers       8
+    MaxSpareServers      20
+    MaxClients          50
+    MaxRequestsPerChild   10000
+</IfModule>
+

roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2

@@ -0,0 +1,80 @@
+Listen 443 https
+
+
+<VirtualHost *:443>
+    SSLEngine on
+    SSLProtocol {{ ssl_protocols }}
+    # Use secure TLSv1.1 and TLSv1.2 ciphers
+    SSLCipherSuite {{ ssl_ciphers }}
+    SSLHonorCipherOrder on
+    Header always add Strict-Transport-Security "max-age=31536000; preload"
+
+    {% if not devel %}
+    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
+    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
+    {% else %}
+    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
+    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
+    {% endif %}
+
+    ServerName {{ copr_frontend_public_hostname }}
+
+    WSGIPassAuthorization On
+    WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
+    WSGIProcessGroup 127.0.0.1
+
+    <Location /api>
+        WSGIProcessGroup api
+    </Location>
+    <Location /backend>
+        WSGIProcessGroup backend
+    </Location>
+    <Location /stats_rcv>
+        WSGIProcessGroup stats
+    </Location>
+    <Location /tmp>
+        WSGIProcessGroup tmp
+    </Location>
+
+    #ErrorLog logs/error_coprs
+    #CustomLog logs/access_coprs common
+
+    <Directory /usr/share/copr>
+        WSGIApplicationGroup %{GLOBAL}
+        Require all granted
+    </Directory>
+
+    RewriteEngine on
+    RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
+    RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]
+
+    # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work
+    RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT]
+    RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT]
+</VirtualHost>
+
+<VirtualHost *:443>
+    SSLEngine on
+    SSLProtocol {{ ssl_protocols }}
+    # Use secure TLSv1.1 and TLSv1.2 ciphers
+    SSLCipherSuite {{ ssl_ciphers }}
+    SSLHonorCipherOrder on
+    Header always add Strict-Transport-Security "max-age=31536000; preload"
+
+    {% if not devel %}
+    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
+    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
+    {% else %}
+    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
+    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
+    {% endif %}
+
+    {% if not devel %}
+    ServerAlias copr.fedoraproject.org
+    Redirect 302 / https://copr.fedorainfracloud.org/
+    {% endif %}
+</VirtualHost>