diff --git a/inventory/inventory b/inventory/inventory index f9b17ede8c..ed43de9859 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1296,13 +1296,13 @@ bvirthost buildvmhost virthost-comm -[copr-front-stg] +[copr-front-dev] copr-fe-dev.cloud.fedoraproject.org -[copr-back-stg] +[copr-back-dev] copr-be-dev.cloud.fedoraproject.org -[copr-keygen-stg] +[copr-keygen-dev] copr-keygen-dev.cloud.fedoraproject.org [copr-keygen] @@ -1317,7 +1317,7 @@ copr-be.cloud.fedoraproject.org [copr-dist-git] copr-dist-git.fedorainfracloud.org -[copr-dist-git-stg] +[copr-dist-git-dev] copr-dist-git-dev.fedorainfracloud.org [copr:children] @@ -1326,11 +1326,11 @@ copr-back copr-keygen copr-dist-git -[copr-stg:children] -copr-front-stg -copr-back-stg -copr-keygen-stg -copr-dist-git-stg +[copr-dev:children] +copr-front-dev +copr-back-dev +copr-keygen-dev +copr-dist-git-dev [pagure] pagure01.fedoraproject.org diff --git a/playbooks/groups/copr-backend.yml b/playbooks/groups/copr-backend.yml index 67fe7d8772..f11a188f3e 100644 --- a/playbooks/groups/copr-backend.yml +++ b/playbooks/groups/copr-backend.yml @@ -1,6 +1,6 @@ - name: check/create instance #hosts: copr-back - hosts: copr-back:copr-back-stg + hosts: copr-back:copr-back-dev user: root gather_facts: False @@ -13,7 +13,7 @@ - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - name: cloud basic setup - hosts: copr-back:copr-back-stg + hosts: copr-back:copr-back-dev user: root gather_facts: True vars_files: @@ -28,7 +28,7 @@ hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org" - name: provision instance - hosts: copr-back:copr-back-stg + hosts: copr-back:copr-back-dev user: root gather_facts: True diff --git a/playbooks/groups/copr-dist-git.yml b/playbooks/groups/copr-dist-git.yml index fd6224cb5a..4a3dff1eb3 100644 --- a/playbooks/groups/copr-dist-git.yml +++ b/playbooks/groups/copr-dist-git.yml 
@@ -1,5 +1,5 @@ - name: check/create instance - hosts: copr-dist-git-stg:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git user: root gather_facts: False @@ -13,7 +13,7 @@ - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" - name: cloud basic setup - hosts: copr-dist-git-stg:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git user: root gather_facts: True vars_files: @@ -27,7 +27,7 @@ hostname: name="{{copr_hostbase}}.fedorainfracloud.org" - name: provision instance - hosts: copr-dist-git-stg:copr-dist-git + hosts: copr-dist-git-dev:copr-dist-git user: root gather_facts: True diff --git a/playbooks/groups/copr-frontend-cloud.yml b/playbooks/groups/copr-frontend-cloud.yml new file mode 100644 index 0000000000..82cc92d16e --- /dev/null +++ b/playbooks/groups/copr-frontend-cloud.yml @@ -0,0 +1,42 @@ +- name: check/create instance + hosts: copr-front-dev:copr-front + # hosts: copr-front + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/fedora-cloud.yml + - /srv/private/ansible/files/openstack/passwords.yml + + tasks: + - import_tasks: "{{ tasks_path }}/persistent_cloud.yml" + +- name: cloud basic setup + hosts: copr-front-dev:copr-front + # hosts: copr-front + gather_facts: True + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + + tasks: + - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml" + - import_tasks: "{{ tasks_path }}/yumrepos.yml" + - name: set hostname (required by some services, at least postfix need it) + hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org" + +- name: provision instance + hosts: copr-front:copr-front-dev + # hosts: copr-front + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - copr/frontend + - nagios_client 
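Review bot: The `provision instance` play in the new copr-frontend-cloud.yml lists `copr/frontend` under `roles:`, while this commit adds its tasks, templates and handlers under `roles/copr/frontend-cloud`. If the playbook is meant to apply the new role, the entry should read `- copr/frontend-cloud`. As written, nothing visible in the diff references the new role, so its TLS, PostgreSQL and httpd configuration would not be applied by this playbook. Whether a separate `copr/frontend` role exists cannot be seen from the diff.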
diff --git a/playbooks/groups/copr-keygen.yml b/playbooks/groups/copr-keygen.yml index 4ec2e5afe4..ae40ed8f5b 100644 --- a/playbooks/groups/copr-keygen.yml +++ b/playbooks/groups/copr-keygen.yml @@ -1,5 +1,5 @@ - name: check/create instance - hosts: copr-keygen-stg:copr-keygen + hosts: copr-keygen-dev:copr-keygen #hosts: copr-keygen gather_facts: False @@ -21,7 +21,7 @@ when: facts is failed - name: cloud basic setup - hosts: copr-keygen-stg:copr-keygen + hosts: copr-keygen-dev:copr-keygen # hosts: copr-keygen gather_facts: True vars_files: @@ -35,7 +35,7 @@ hostname: name="{{copr_hostbase}}.cloud.fedoraproject.org" - name: provision instance - hosts: copr-keygen:copr-keygen-stg + hosts: copr-keygen:copr-keygen-dev #hosts: copr-keygen gather_facts: True diff --git a/roles/copr/frontend-cloud/files/DigiCertCA.crt b/roles/copr/frontend-cloud/files/DigiCertCA.crt new file mode 100644 index 0000000000..d08b961f22 --- /dev/null +++ b/roles/copr/frontend-cloud/files/DigiCertCA.crt 
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
+YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
+4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
+Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
+itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
+4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
+sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
+bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
+MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
+dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
+L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
+BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
+UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
+aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
+aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
+E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
+/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
+xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
+0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
+cPUeybQ=
+-----END CERTIFICATE-----
diff --git a/roles/copr/frontend-cloud/files/banner-include.html b/roles/copr/frontend-cloud/files/banner-include.html
new file mode 100644
index 0000000000..2b539819d1
--- /dev/null
+++ b/roles/copr/frontend-cloud/files/banner-include.html
@@ -0,0 +1,8 @@
+
+

+ Warning! This is a development server. +

+

+ Production instance: https://copr.fedoraproject.org/ +

+
diff --git a/roles/copr/frontend-cloud/files/httpd/welcome.conf b/roles/copr/frontend-cloud/files/httpd/welcome.conf
new file mode 100644
index 0000000000..3b15c42b9f
--- /dev/null
+++ b/roles/copr/frontend-cloud/files/httpd/welcome.conf
@@ -0,0 +1 @@
+#commented out so it doesn't do that stupid index page
diff --git a/roles/copr/frontend-cloud/files/pg/pg_hba.conf b/roles/copr/frontend-cloud/files/pg/pg_hba.conf
new file mode 100644
index 0000000000..3cf2f2cb65
--- /dev/null
+++ b/roles/copr/frontend-cloud/files/pg/pg_hba.conf
@@ -0,0 +1,13 @@
+local coprdb copr-fe md5
+host coprdb copr-fe 127.0.0.1/8 md5
+host coprdb copr-fe ::1/128 md5
+local coprdb postgres ident
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all peer
+# IPv4 local connections:
+host all all 127.0.0.1/32 ident
+# IPv6 local connections:
+host all all ::1/128 ident
diff --git a/roles/copr/frontend-cloud/files/robots.txt b/roles/copr/frontend-cloud/files/robots.txt
new file mode 100644
index 0000000000..1f53798bb4
--- /dev/null
+++ b/roles/copr/frontend-cloud/files/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
diff --git a/roles/copr/frontend-cloud/handlers/main.yml b/roles/copr/frontend-cloud/handlers/main.yml
new file mode 100644
index 0000000000..4585db853a
--- /dev/null
+++ b/roles/copr/frontend-cloud/handlers/main.yml
@@ -0,0 +1,5 @@
+- import_tasks: "{{ handlers_path }}/restart_services.yml"
+
+- name: restart postgresql
+ service: name=postgresql
+ state=restarted
diff --git a/roles/copr/frontend-cloud/meta/main.yml b/roles/copr/frontend-cloud/meta/main.yml
new file mode 100644
index 0000000000..a774579b1d
--- /dev/null
+++ b/roles/copr/frontend-cloud/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: copr/base }
diff --git a/roles/copr/frontend-cloud/tasks/install_certs.yml b/roles/copr/frontend-cloud/tasks/install_certs.yml
new file mode 100644
index 0000000000..ea8714d423
--- /dev/null
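Review bot: The three `copr-fe` entries in pg_hba.conf authenticate with `md5`; on a PostgreSQL version that supports it, `scram-sha-256` is the stronger method, e.g. `host coprdb copr-fe ::1/128 scram-sha-256`. Switching also needs `password_encryption` set to match and the role password re-set so that a SCRAM verifier is stored. The IPv4 entry is written `127.0.0.1/8`, with host bits set under an 8-bit mask; `127.0.0.0/8` (or `127.0.0.1/32`, matching the catch-all line further down) states the intended range unambiguously. The server version is not visible in the diff, so confirm SCRAM support before changing the method.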
+++ b/roles/copr/frontend-cloud/tasks/install_certs.yml
@@ -0,0 +1,14 @@
+- name: copy httpd ssl certificates (crt)
+ copy: src="{{ private }}/files/httpd/{{item}}"
+ dest="/etc/pki/tls/certs/"
+ owner=root group=root mode=0600
+ with_items:
+ - copr.fedorainfracloud.org.crt
+ - copr.fedorainfracloud.org.intermediate.crt
+ tags:
+ - config
+
+- name: copy httpd ssl certificates (key)
+ copy: src="{{ private }}/files/httpd/copr.fedorainfracloud.org.key" dest="/etc/pki/tls/private/" owner=root group=root mode=0600
+ tags:
+ - config
diff --git a/roles/copr/frontend-cloud/tasks/main.yml b/roles/copr/frontend-cloud/tasks/main.yml
new file mode 100644
index 0000000000..61b91f1ea0
--- /dev/null
+++ b/roles/copr/frontend-cloud/tasks/main.yml
@@ -0,0 +1,138 @@ +--- +- import_tasks: "mount_fs.yml" + +- command: "ls -dZ /var/lib/pgsql" + register: pgsql_ls + +- name: update selinux context for postgress db dir if it's wrong + command: "restorecon -vvRF /var/lib/pgsql" + when: pgsql_ls.stdout is defined and 'postgresql_db_t' not in pgsql_ls.stdout + +- name: install copr-frontend and copr-selinux + dnf: state=latest name={{ item }} + with_items: + - copr-frontend + - copr-selinux + tags: + - packages + + # we install python-alembic because https://bugzilla.redhat.com/show_bug.cgi?id=1536058 +- name: install additional pkgs for copr-frontend + dnf: state=present pkg={{ item }} + with_items: + - "bash-completion" + - "mod_ssl" + - redis + - pxz + - python3-alembic + tags: + - packages + +- name: install a newer version of xstatic-jquery-ui-common + command: dnf install -y https://kojipkgs.fedoraproject.org//packages/python-XStatic-jquery-ui/1.12.0.1/2.fc26/noarch/xstatic-jquery-ui-common-1.12.0.1-2.fc26.noarch.rpm + +- name: install copr configs + template: src="copr.conf" dest=/etc/copr/copr.conf mode=600 + notify: + - reload httpd + tags: + - config + +- name: enable and start redis # TODO: .service in copr-backend should depend on redis + service: name=redis enabled=yes state=started + +- name: enable and start pagure-events + service: name=pagure-events enabled=yes state=started + +- name: copy apache files to conf.d + copy: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" + with_items: + - "welcome.conf" + tags: + - config + +- name: copy apache files to conf.d (templates) + template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" + with_items: + - "coprs.conf" + tags: + - config + +# https://bugzilla.redhat.com/show_bug.cgi?id=1535689 +- name: Allow execmem for Apache + seboolean: + name: httpd_execmem + state: yes + persistent: yes + +- import_tasks: "psql_setup.yml" + +- name: upgrade db to head + command: alembic-3 upgrade head + become: yes + become_user: copr-fe + args: + 
chdir: /usr/share/copr/coprs_frontend/ + +- name: set up admins + command: ./manage.py alter_user --admin {{ item }} + become: yes + become_user: copr-fe + args: + chdir: /usr/share/copr/coprs_frontend/ + ignore_errors: yes + with_items: + - msuchy + - sgallagh + - spot + - nb + - kevin + +- name: install ssl certificates for production + import_tasks: "install_certs.yml" + when: not devel + tags: + - config + +- name: letsencrypt cert + include_role: name=certbot + when: devel + tags: + - config + +- name: Check that cert file exists + stat: + path: "/etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem" + register: stat_cert + +- name: Should admin run certbot? + fail: + msg: Please see roles/certbot/README step (2) and manually run certbot + when: + - stat_cert.stat.exists == False + - devel + +- name: install copr-frontend ssl vhost + template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/coprs_ssl.conf" + tags: + - config + +- name: enable services + service: state=started enabled=yes name={{ item }} + with_items: + - httpd + +- name: set dev banner for dev instance + when: devel + copy: src=banner-include.html dest=/var/lib/copr/ + +- name: disallow robots on dev instance + when: devel + copy: src=robots.txt dest=/var/www/html/ + +- name: rebuild indexes + command: ./manage.py update_indexes + become: yes + become_user: copr-fe + args: + chdir: /usr/share/copr/coprs_frontend/ diff --git a/roles/copr/frontend-cloud/tasks/mount_fs.yml b/roles/copr/frontend-cloud/tasks/mount_fs.yml new file mode 100644 index 0000000000..e355d38ff6 --- /dev/null +++ b/roles/copr/frontend-cloud/tasks/mount_fs.yml @@ -0,0 +1,6 @@ +- name: mount up disk of copr fe + mount: name=/srv/copr-fe src='LABEL=copr-fe' fstype=ext4 state=mounted + +- name: mount up bind mount for postgres + mount: src=/srv/copr-fe/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted + 
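Review bot: In tasks/main.yml, the task `install a newer version of xstatic-jquery-ui-common` runs `dnf install -y` on a package URL through `command`, so it is not idempotent, and a package named on the command line is only signature-checked when dnf's `localpkg_gpgcheck` is enabled, which is off by default. The module form, `dnf: state=present name=https://kojipkgs.fedoraproject.org//packages/python-XStatic-jquery-ui/1.12.0.1/2.fc26/noarch/xstatic-jquery-ui-common-1.12.0.1-2.fc26.noarch.rpm`, keeps the task idempotent and leaves the module's GPG check in force unless `disable_gpg_check` is set. Separately, `set up admins` combines a hard-coded account list with `ignore_errors: yes`, so a failed grant passes silently on dev and production alike; a `failed_when` limited to the expected error would be narrower.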
diff --git a/roles/copr/frontend-cloud/tasks/psql_setup.yml b/roles/copr/frontend-cloud/tasks/psql_setup.yml new file mode 100644 index 0000000000..b5116f6218 --- /dev/null +++ b/roles/copr/frontend-cloud/tasks/psql_setup.yml 
@@ -0,0 +1,110 @@ +- name: install postresql + package: state=present pkg={{ item }} + with_items: + - "postgresql-server" + - "postgresql-contrib" + + +- name: See if postgreSQL is installed + stat: path=/var/lib/pgsql/initdb.log + register: pgsql_installed + +- name: init postgresql + shell: "postgresql-setup initdb" + when: not pgsql_installed.stat.exists + +- name: copy pg_hba.conf + copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600 + notify: + - restart postgresql + tags: + - config + +- name: Ensure postgres has a place to backup to + file: dest=/backups state=directory owner=postgres + tags: + - config + +# TODO: I think we missing user creation, check it we do it somewhere else ... + +- name: Copy over backup scriplet + copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755 + tags: + - config + +- name: Set up some cronjobs to backup databases as configured + template: > + src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database" + dest="/etc/cron.d/cron-backup-database-{{ item }}" + with_items: + - "{{ dbs_to_backup }}" + when: dbs_to_backup != [] + tags: + - config + +- name: enable Pg service + service: state=started enabled=yes name=postgresql + +- name: Create db + postgresql_db: name="coprdb" encoding='UTF-8' + become: yes + become_user: postgres + +- name: Create db user + postgresql_user: db="coprdb" name="copr-fe" password="{{ copr_database_password }}" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE + become: yes + become_user: postgres + +- name: set shared_buffers for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^shared_buffers =' + line: 'shared_buffers = 1024MB' + notify: restart postgresql + tags: + - config + +- name: set effective_cache_size for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^effective_cache_size =' + line: 
'effective_cache_size = 2048MB' + notify: restart postgresql + tags: + - config + +- name: set work_mem for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^work_mem =' + line: 'work_mem = 4MB' + notify: restart postgresql + tags: + - config + +- name: set maintenance_work_mem for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^maintenance_work_mem =' + line: 'maintenance_work_mem = 1GB' + notify: restart postgresql + tags: + - config + +- name: set checkpoint_completion_target for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^checkpoint_completion_target =' + line: 'checkpoint_completion_target = 0.9' + notify: restart postgresql + tags: + - config + +- name: set log_min_duration_statement for PostgreSQL + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^log_min_duration_statement =' + line: 'log_min_duration_statement = 500' + notify: restart postgresql + tags: + - config diff --git a/roles/copr/frontend-cloud/templates/copr.conf b/roles/copr/frontend-cloud/templates/copr.conf new file mode 100644 index 0000000000..b66f1514d1 --- /dev/null +++ b/roles/copr/frontend-cloud/templates/copr.conf 
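Review bot: The `Create db user` task in psql_setup.yml gives the web application's role `SUPERUSER` (`role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE`), so any SQL the frontend can be made to run executes with full control of the PostgreSQL instance, not just `coprdb`. Unless something in the frontend requires it, use `role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE` and make `copr-fe` the owner of `coprdb` so the alembic migrations still work. The same task passes `copr_database_password` as a module argument; adding `no_log: true` keeps the value out of verbose output and logs.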
@@ -0,0 +1,81 @@ +# Directory and files where is stored Copr database files +DATA_DIR = '/var/lib/copr/data' +DATABASE = '/var/lib/copr/data/copr.db' +OPENID_STORE = '/var/lib/copr/data/openid_store' +WHOOSHEE_DIR = '/var/lib/copr/data/whooshee' +WHOOSHEE_MIN_STRING_LEN = 2 +WHOOSHEE_WRITER_TIMEOUT = 10 + +SECRET_KEY = '{{ copr_secret_key }}' +BACKEND_PASSWORD = '{{ copr_backend_password }}' +BACKEND_BASE_URL = '{{ backend_base_url }}' + +# restrict access to a set of users +#USE_ALLOWED_USERS = False +#ALLOWED_USERS = ['bonnie', 'clyde'] + +SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copr-fe:{{ copr_database_password }}@/coprdb' + +# Token length, defaults to 30 (max 255) +#API_TOKEN_LENGTH = 30 + +# Expiration of API token in days +#API_TOKEN_EXPIRATION = 180 + +# logging options +#SEND_LOGS_TO = ['root@localhost'] +#LOGGING_LEVEL = logging.ERROR + +DEBUG = False +SQLALCHEMY_ECHO = False + +CSRF_ENABLED = True +WTF_CSRF_ENABLED = True + +# send emails when user's perms change in project? 
+SEND_EMAILS = True + +PUBLIC_COPR_HOSTNAME = "{{ copr_frontend_public_hostname }}" + +LOG_FILENAME = "/var/log/copr-frontend/frontend.log" +LOG_DIR = "/var/log/copr-frontend/" + +# to accept stat events from logstash +INTRANET_IPS = {{ copr_backend_ips }} + +REPO_GPGCHECK = {% if devel %} 0 {% else %} 1 {% endif %} + +{% if env == 'staging' %} +PUBLIC_COPR_BASE_URL = "http://copr-fe-dev.cloud.fedoraproject.org" +{% else %} +PUBLIC_COPR_BASE_URL = "https://copr.fedorainfracloud.org" +{% endif %} + +{% if env == 'staging' %} +# Staging URLs for fedmenu +FEDMENU_URL = "https://apps.stg.fedoraproject.org/fedmenu/" +FEDMENU_DATA_URL = "https://apps.stg.fedoraproject.org/js/data.js" +{% else %} +# Production URLs for fedmenu +FEDMENU_URL = "https://apps.fedoraproject.org/fedmenu/" +FEDMENU_DATA_URL = "https://apps.fedoraproject.org/js/data.js" +{% endif %} + +# todo: check that ansible variable is used correctly +{% if env == 'staging' %} +ENFORCE_PROTOCOL_FOR_BACKEND_URL = "http" +ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "http" +{% else %} +ENFORCE_PROTOCOL_FOR_BACKEND_URL = "https" +ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "https" +{% endif %} + +DIST_GIT_URL="https://{{ dist_git_base_url }}/cgit" +DIST_GIT_CLONE_URL="https://{{ dist_git_base_url }}/git" +COPR_DIST_GIT_LOGS_URL = "https://{{ dist_git_base_url }}/per-task-logs" +MBS_URL = "http://localhost/module/1/module-builds/" + +# no need to filter cla_* groups, they are already filtered by fedora openid +BLACKLISTED_GROUPS = ['fedorabugs', 'packager', 'provenpackager'] + +DEFER_BUILD_SECONDS = 300 diff --git a/roles/copr/frontend-cloud/templates/httpd/coprs.conf b/roles/copr/frontend-cloud/templates/httpd/coprs.conf new file mode 100644 index 0000000000..453144a8ac --- /dev/null +++ b/roles/copr/frontend-cloud/templates/httpd/coprs.conf 
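Review bot: The `env == 'staging'` branches of copr.conf set `PUBLIC_COPR_BASE_URL` to an `http://` URL and both `ENFORCE_PROTOCOL_FOR_*_URL` values to `"http"`, while the httpd templates added in the same commit redirect port 80 to HTTPS and send HSTS when `devel` is set. The file also switches on two different variables (`env == 'staging'` here, `devel` for `REPO_GPGCHECK`), and the inline `# todo: check that ansible variable is used correctly` suggests this is unresolved; after the stg-to-dev rename it is worth confirming which branch the dev host actually renders. If the dev frontend is served over TLS, `PUBLIC_COPR_BASE_URL = "https://{{ copr_frontend_public_hostname }}"` and `"https"` for both enforce settings would match the vhost. `REPO_GPGCHECK` is 0 for `devel`, which presumably makes generated repo files tell clients to skip package signature checks, so a comment stating that this is intentional for the dev instance would help.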
@@ -0,0 +1,56 @@ +NameVirtualHost *:80 +LoadModule wsgi_module modules/mod_wsgi.so +WSGISocketPrefix /var/run/wsgi +Alias /robots.txt /var/www/html/robots.txt + +WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=15 display-name=other maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess api user=copr-fe group=copr-fe threads=15 display-name=api maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess backend user=copr-fe group=copr-fe threads=15 display-name=backend maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats maximum-requests=8000 graceful-timeout=20 +WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20 +WSGIScriptAlias / /usr/share/copr/coprs_frontend/application + + + ServerName copr.fedorainfracloud.org + ServerAlias copr-fe.cloud.fedoraproject.org + WSGIPassAuthorization On + + + WSGIProcessGroup 127.0.0.1 + + + #ErrorLog logs/error_coprs + #CustomLog logs/access_coprs common + + + WSGIApplicationGroup %{GLOBAL} + Require all granted + + + +{% if devel %} + + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE] + +{% endif %} + + +ExtendedStatus On + + + SetHandler server-status + Require all denied + Require host localhost .redhat.com + + + + + StartServers 8 + MinSpareServers 8 + MaxSpareServers 20 + MaxClients 50 + MaxRequestsPerChild 10000 + + diff --git a/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2 new file mode 100644 index 0000000000..846d8d85dd --- /dev/null +++ b/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2 
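Review bot: In the server-status block of coprs.conf, `Require all denied` has no effect next to `Require host localhost .redhat.com`: bare `Require` lines in one section are combined as RequireAny, so the status page (with `ExtendedStatus On`, including request lines and client addresses) is served to any client whose address resolves under `.redhat.com`. If only local monitoring needs it, replace both lines with `Require local`. The devel redirect `https://%{HTTP_HOST}/$1` builds the Location header from the client-supplied Host header; `https://{{ copr_frontend_public_hostname }}/$1` pins it to the configured name. The enclosing container tags are not visible in this rendering of the hunk, so the exact scope of each directive should be checked in the file itself.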
@@ -0,0 +1,80 @@ +Listen 443 https + + + + SSLEngine on + SSLProtocol {{ ssl_protocols }} + # Use secure TLSv1.1 and TLSv1.2 ciphers + SSLCipherSuite {{ ssl_ciphers }} + SSLHonorCipherOrder on + Header always add Strict-Transport-Security "max-age=31536000; preload" + + {% if not devel %} + SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt + SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key + SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt + {% else %} + SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem + {% endif %} + + ServerName {{ copr_frontend_public_hostname }} + + WSGIPassAuthorization On + WSGIScriptAlias / /usr/share/copr/coprs_frontend/application + WSGIProcessGroup 127.0.0.1 + + + WSGIProcessGroup api + + + WSGIProcessGroup backend + + + WSGIProcessGroup stats + + + WSGIProcessGroup tmp + + + #ErrorLog logs/error_coprs + #CustomLog logs/access_coprs common + + + WSGIApplicationGroup %{GLOBAL} + Require all granted + + + RewriteEngine on + RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301] + RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301] + + # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work + RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT] + RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT] + + + + SSLEngine on + SSLProtocol {{ ssl_protocols }} + # Use secure TLSv1.1 and TLSv1.2 ciphers + SSLCipherSuite {{ ssl_ciphers }} + SSLHonorCipherOrder on + Header always add Strict-Transport-Security "max-age=31536000; 
preload" + + {% if not devel %} + SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt + SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key + SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt + {% else %} + SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem + {% endif %} + + {% if not devel %} + ServerAlias copr.fedoraproject.org + Redirect 302 / https://copr.fedorainfracloud.org/ + {% endif %} +
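Review bot: The HSTS header in both vhost blocks of coprs_ssl.conf.j2 carries `preload` without `includeSubDomains`, which the browser preload list does not accept, so the token has no effect as written; either drop it or add `includeSubDomains` once the subdomains are known to be HTTPS-only. `Header always set Strict-Transport-Security ...` also avoids a duplicate header if the application ever sends its own. In the devel branch, `SSLCertificateChainFile` points at `fullchain.pem`, which already contains the leaf certificate from `cert.pem`; certbot's `chain.pem` is the intermediate-only file. The comment `# Use secure TLSv1.1 and TLSv1.2 ciphers` describes values that come from `ssl_protocols` and `ssl_ciphers`, which are not visible here, so it may be stale.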