diff --git a/roles/robosignatory/files/fm-consumer@.service b/roles/robosignatory/files/fm-consumer@.service
new file mode 100644
index 0000000000..f90991c433
--- /dev/null
+++ b/roles/robosignatory/files/fm-consumer@.service
@@ -0,0 +1,3 @@
+[Service]
+User = robosignatory
+Group = robosignatory
diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py
deleted file mode 100644
index e2cbc3d488..0000000000
--- a/roles/robosignatory/files/robosignatory.production.py
+++ /dev/null
@@ -1,426 +0,0 @@ -config = { - 'logging': { - 'loggers': { - 'robosignatory': { - 'handlers': ['console', 'mailer'], - 'level': 'DEBUG', - 'propagate': False - }, - }, - }, - - 'robosignatory.enabled.tagsigner': True, - 'robosignatory.enabled.atomicsigner': True, - - # Any tag prefixed with "module-" will be considered a module. - 'robosignatory.module_prefixes': ['module-'], - - - 'robosignatory.signing': { - 'backend': 'sigul', - 'user': 'autopen', - 'passphrase_file': '/etc/sigul/autosign.pass', - 'config_file': '/etc/sigul/client.conf' - }, - - # The keys here need to be the same in the sigul bridge - 'robosignatory.koji_instances': { - 'primary': { - 'url': 'https://koji.fedoraproject.org/kojihub', - 'options': { - # Only ssl is supported at the moment - 'authmethod': 'kerberos', - 'principal': 'autosign/autosign01.phx2.fedoraproject.org@FEDORAPROJECT.ORG', - 'keytab': '/etc/krb5.autosign_autosign01.phx2.fedoraproject.org.keytab', - 'krb_rdns': False - }, - 'mbs_user': 'mbs/mbs.fedoraproject.org', - 'tags': [ - # Temporary tags - { - "from": "f32-python", - "to": "f32-python", - "key": "fedora-32", - "keyid": "12c944d0" - }, - { - "from": "f31-kde", - "to": "f31-kde", - "key": "fedora-31", - "keyid": "3c3359c4" - }, - { - "from": "f31-gnome", - "to": "f31-gnome", - "key": "fedora-31", - "keyid": "3c3359c4" - }, - { - "from": "f31-python", - "to": "f31-python", - "key": "fedora-31", - "keyid": "3c3359c4" - }, - { - "from": "f30-kde", - "to": "f30-kde", - "key": "fedora-30", - "keyid": "cfc659b9" - }, - { - "from": "f29-kde", - "to": "f29-kde", - "key": "fedora-29", - "keyid": "429476b4" - }, - # Infra tags - { - "from": "epel6-infra-candidate", - "to": "epel6-infra-stg", - "key": "fedora-infra", - "keyid": "47dd8ef9" - }, - { - "from": "epel7-infra-candidate", - "to": "epel7-infra-stg", - "key": "fedora-infra", - "keyid": "47dd8ef9" - }, - { - "from": "epel8-infra-candidate", - "to": "epel8-infra-stg", - "key": "fedora-infra", - "keyid": "47dd8ef9" - }, - { - 
"from": "f29-infra-candidate", - "to": "f29-infra-stg", - "key": "fedora-infra", - "keyid": "47dd8ef9" - }, - { - "from": "f30-infra-candidate", - "to": "f30-infra-stg", - "key": "fedora-infra", - "keyid": "47dd8ef9" - }, - { - "from": "f31-infra-candidate", - "to": "f31-infra-stg", - "key": "fedora-infra", - "keyid": "47dd8ef9" - }, - { - "from": "f32-infra-candidate", - "to": "f32-infra-stg", - "key": "fedora-infra", - "keyid": "47dd8ef9" - }, - - # Gated coreos-pool tag - { - "from": "f29-coreos-signing-pending", - "to": "coreos-pool", - "key": "fedora-29", - "keyid": "429476b4" - }, - { - "from": "f30-coreos-signing-pending", - "to": "coreos-pool", - "key": "fedora-30", - "keyid": "cfc659b9" - }, - { - "from": "f31-coreos-signing-pending", - "to": "coreos-pool", - "key": "fedora-31", - "keyid": "3c3359c4" - }, - { - "from": "f32-coreos-signing-pending", - "to": "coreos-pool", - "key": "fedora-32", - "keyid": "12c944d0" - }, - - # Gated rawhide and branched - { - "from": "f32-updates-candidate", - "to": "f32-updates-testing-pending", - "key": "fedora-32", - "keyid": "12c944d0" - }, - { - "from": "f32-pending", - "to": "f32", - "key": "fedora-32", - "keyid": "12c944d0" - }, - { - "from": "f32-modular-pending", - "to": "f32-modular", - "key": "fedora-32", - "keyid": "12c944d0", - "type": "modular" - }, - { - "from": "f32-modular-updates-candidate", - "to": "f32-modular", - "key": "fedora-32", - "keyid": "12c944d0", - "type": "modular" - }, - { - "from": "f31-signing-pending", - "to": "f31-updates-testing-pending", - "key": "fedora-31", - "keyid": "3c3359c4" - }, - { - "from": "f31-modular-signing-pending", - "to": "f31-modular-updates-testing-pending", - "key": "fedora-31", - "keyid": "3c3359c4", - "type": "modular" - }, - - # Gated bodhi updates - { - "from": "f30-signing-pending", - "to": "f30-updates-testing-pending", - "key": "fedora-30", - "keyid": "cfc659b9" - }, - { - "from": "f30-modular-signing-pending", - "to": "f30-modular-updates-testing-pending", - 
"key": "fedora-30", - "keyid": "cfc659b9", - "type": "modular" - }, - { - "from": "f29-modular-signing-pending", - "to": "f29-modular-updates-testing-pending", - "key": "fedora-29", - "keyid": "429476b4", - "type": "modular" - }, - { - "from": "f29-signing-pending", - "to": "f29-updates-testing-pending", - "key": "fedora-29", - "keyid": "429476b4" - }, - { - "from": "epel8-signing-pending", - "to": "epel8-testing-pending", - "key": "epel-8", - "keyid": "2f86d6a1" - }, - { - "from": "epel8-playground-pending", - "to": "epel8-playground", - "key": "epel-8", - "keyid": "2f86d6a1" - }, - { - "from": "epel7-signing-pending", - "to": "epel7-testing-pending", - "key": "epel-7", - "keyid": "352c64e5" - }, - - # Non-gated bodhi triggered - { - "from": "dist-6E-epel-testing-candidate", - "to": "dist-6E-epel-testing-candidate", - "key": "epel-6", - "keyid": "0608b895" - }, - ], - }, - }, - - 'robosignatory.ostree_refs': { - 'fedora/rawhide/x86_64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-32' - }, - 'fedora/rawhide/aarch64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-32' - }, - 'fedora/rawhide/armhfp/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-32' - }, - 'fedora/devel/x86_64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-31' - }, - 'fedora/devel/aarch64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-31' - }, - 'fedora/devel/armhfp/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-31' - }, - 'fedora/stable/x86_64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-iot-2019' - }, - 'fedora/stable/aarch64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-iot-2019' - }, - 'fedora/stable/armhfp/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-iot-2019' - }, - 
'fedora/31/x86_64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/aarch64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/armhfp/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-31' - }, - 'fedora/30/x86_64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-30' - }, - 'fedora/30/aarch64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-30' - }, - 'fedora/30/armhfp/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-30' - }, - 'fedora/29/x86_64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/aarch64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/armhfp/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/x86_64/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/ppc64le/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/aarch64/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/x86_64/updates/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/ppc64le/updates/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/aarch64/updates/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/x86_64/testing/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/ppc64le/testing/atomic-host': { - 'directory': 
'/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/aarch64/testing/atomic-host': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/x86_64/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/x86_64/updates/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/29/x86_64/testing/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-29' - }, - 'fedora/30/x86_64/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-30' - }, - 'fedora/30/x86_64/updates/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-30' - }, - 'fedora/30/x86_64/testing/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-30' - }, - 'fedora/31/x86_64/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/aarch64/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/ppc64le/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/x86_64/updates/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/x86_64/testing/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/aarch64/updates/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/aarch64/testing/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 'fedora/31/ppc64le/updates/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 
'fedora/31/ppc64le/testing/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-31' - }, - 'fedora/rawhide/aarch64/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-32' - }, - 'fedora/rawhide/ppc64le/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-32' - }, - 'fedora/rawhide/x86_64/silverblue': { - 'directory': '/mnt/fedora_koji/koji/compose/ostree/repo/', - 'key': 'fedora-32' - }, - } -} diff --git a/roles/robosignatory/files/robosignatory.staging.py b/roles/robosignatory/files/robosignatory.staging.py deleted file mode 100644 index e8ff9dd897..0000000000 --- a/roles/robosignatory/files/robosignatory.staging.py +++ /dev/null 
@@ -1,99 +0,0 @@ -config = { - 'logging': { - 'loggers': { - 'robosignatory': { - 'handlers': ['console', 'mailer'], - 'level': 'DEBUG', - 'propagate': False - }, - }, - }, - - 'robosignatory.enabled.tagsigner': True, - 'robosignatory.enabled.atomicsigner': True, - - # Any tag prefixed with "module-" will be considered a module. - 'robosignatory.module_prefixes': ['module-'], - - - 'robosignatory.signing': { - 'backend': 'sigul', - 'user': 'autopen', - 'passphrase_file': '/etc/sigul/autosign.pass', - 'config_file': '/etc/sigul/client.conf' - }, - - # The keys here need to be the same in the sigul bridge - 'robosignatory.koji_instances': { - 'primary': { - 'url': 'https://koji.stg.fedoraproject.org/kojihub', - 'options': { - # Only ssl is supported at the moment - 'authmethod': 'kerberos', - 'principal': 'autosign/autosign01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG', - 'keytab': '/etc/krb5.autosign_autosign01.stg.phx2.fedoraproject.org.keytab', - 'krb_rdns': False - }, - 'mbs_user': 'mbs/mbs.stg.fedoraproject.org', - 'tags': [ - # Temporary tags - # Infra tags - # Gated coreos-pool tag - { - "from": "f29-coreos-signing-pending", - "to": "coreos-pool", - "key": "testkey", - "keyid": "d300e724" - }, - { - "from": "f30-coreos-signing-pending", - "to": "coreos-pool", - "key": "testkey", - "keyid": "d300e724" - }, - { - "from": "f31-coreos-signing-pending", - "to": "coreos-pool", - "key": "testkey", - "keyid": "d300e724" - }, - { - "from": "f32-coreos-signing-pending", - "to": "coreos-pool", - "key": "testkey", - "keyid": "d300e724" - }, - # Gated rawhide and branched - { - "from": "epel8-signing-pending", - "to": "epel8-testing-pending", - "key": "testkey", - "keyid": "d300e724" - }, - # Sign and move the builds from the default Rawhide target - # into the one used by bodhi. 
- { - "from": "f31-updates-candidate", - "to": "f31-updates-testing-pending", - "key": "testkey", - "keyid": "d300e724" - }, - # Gated bodhi updates - { - "from": "f30-signing-pending", - "to": "f30-updates-testing-pending", - "key": "fedora-30", - "keyid": "d300e724" - }, - # Non-gated bodhi triggered - ], - }, - }, - - 'robosignatory.ostree_refs': { - 'fedora/rawhide/x86_64/iot': { - 'directory': '/mnt/fedora_koji/koji/compose/iot/repo/', - 'key': 'fedora-31' - }, - } -} diff --git a/roles/robosignatory/tasks/main.yml b/roles/robosignatory/tasks/main.yml index 2e94e72efd..87e880ba73 100644 --- a/roles/robosignatory/tasks/main.yml +++ b/roles/robosignatory/tasks/main.yml @@ -1,7 +1,7 @@ - name: Install packages package: state=present name={{ item }} with_items: - - python-robosignatory + - python2-robosignatory - trousers - tpm-tools - sigul 
@@ -9,41 +9,160 @@ - packages - robosignatory +- name: Create robosignatory user + user: + name: robosignatory + state: present + group: robosignatory + system: yes + home: /etc/robosignatory + comment: Robosignatory + shell: /sbin/nologin + tags: + - config + - robosignatory + - name: Create config directory - file: path=/etc/robosignatory state=directory owner=fedmsg group=fedmsg mode=0750 + file: + path: /etc/robosignatory + state: directory + owner: robosignatory + group: robosignatory + mode: 0750 tags: - config - robosignatory - name: Create robosignatory sigul directory - file: path=/etc/robosignatory/sigul state=directory owner=fedmsg group=fedmsg mode=0750 + file: + path: /etc/robosignatory/sigul + state: directory + owner: robosignatory + group: robosignatory + mode: 0750 tags: - config - robosignatory - name: Install sigul configuration - copy: src=sigul.{{env}}.conf dest=/etc/sigul/client.conf owner=fedmsg group=fedmsg mode=0640 + copy: + src: sigul.{{env}}.conf + dest: /etc/sigul/client.conf + owner: robosignatory + group: robosignatory + mode: 0640 tags: - config - robosignatory - name: Install koji config - template: src=koji.conf dest=/etc/robosignatory/koji.config - owner=fedmsg group=fedmsg mode=0640 + template: + src: koji.conf + dest: /etc/robosignatory/koji.config + owner: robosignatory + group: robosignatory + mode: 0640 tags: - config - robosignatory - name: Install koji CA certificate - copy: src="{{ private }}/files/fedora-ca.cert" dest=/etc/robosignatory/serverca.cert - owner=fedmsg group=fedmsg mode=0640 + copy: + src: "{{ private }}/files/fedora-ca.cert" + dest: /etc/robosignatory/serverca.cert + owner: robosignatory + group: robosignatory + mode: 0640 + tags: + - config + - robosignatory + +# Fedora Messaging + +- name: Create /etc/pki/fedora-messaging + file: + dest: /etc/pki/fedora-messaging + mode: 0775 + owner: root + group: root + state: directory + tags: + - config + - robosignatory + +- name: Deploy the fedora-messaging CA + 
copy: + src: "{{ private }}/files/rabbitmq/{{env}}/pki/ca.crt" + dest: /etc/pki/fedora-messaging/cacert.pem + mode: 0644 + owner: root + group: root + tags: + - config + - robosignatory + +- name: Deploy the fedora-messaging cert + copy: + src: "{{ private }}/files/rabbitmq/{{env}}/pki/issued/robosignatory{{env_suffix}}.crt" + dest: /etc/pki/fedora-messaging/robosignatory-cert.pem + mode: 0644 + owner: robosignatory + group: robosignatory + tags: + - config + - robosignatory + +- name: Deploy the fedora-messaging key + copy: + src: "{{ private }}/files/rabbitmq/{{env}}/pki/private/robosignatory{{env_suffix}}.key" + dest: /etc/pki/fedora-messaging/robosignatory-key.pem + mode: 0600 + owner: robosignatory + group: robosignatory tags: - config - robosignatory - name: Setup robosignatory config - copy: src=robosignatory.{{env}}.py dest=/etc/fedmsg.d/robosignatory.py - owner=fedmsg group=fedmsg mode=0640 + template: + src: robosignatory.toml.j2 + dest: /etc/fedora-messaging/robosignatory.toml + owner: robosignatory + group: robosignatory + mode: 0640 tags: - config - robosignatory + +- name: Create /etc/systemd/system/fm-consumer@.service.d + file: + state: directory + path: /etc/systemd/system/fm-consumer@.service.d + owner: root + group: root + mode: 0755 + tags: + - config + - robosignatory + +- name: Configure fm-consumer@.service to run as robosignatory + copy: + src: fm-consumer@.service + dest: /etc/systemd/system/fm-consumer@.service.d/local.conf + owner: root + group: root + mode: 0644 + notify: + - reload systemd + tags: + - config + - robosignatory + +- name: Ensure fedora-messaging is enabled and started on the backend + service: + name: fm-consumer@robosignatory.service + enabled: yes + state: started + tags: + - config + - robosignatory \ No newline at end of file diff --git a/roles/robosignatory/templates/robosignatory.toml.j2 b/roles/robosignatory/templates/robosignatory.toml.j2 new file mode 100644 index 0000000000..e16f8a234e --- /dev/null 
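Review bot: The `Create /etc/pki/fedora-messaging` task sets `mode: 0775` on the root:root directory that receives `robosignatory-key.pem`; group write adds nothing there, and `mode: "0755"` is the conventional choice. The drop-in is copied to `/etc/systemd/system/fm-consumer@.service.d/local.conf`, which applies `User`/`Group = robosignatory` to every `fm-consumer@` instance on the host, whereas a directory named `fm-consumer@robosignatory.service.d` would scope it to this consumer only. The `Create robosignatory user` task passes `group: robosignatory`, but no task in this hunk creates that group, so unless the package ships it the play fails at that step. The consumer now runs as robosignatory instead of fedmsg, yet of the sigul files only `/etc/sigul/client.conf` is re-owned here; the passphrase file and keytab named in the config are presumably managed elsewhere and should be checked to be readable by the new user and by nobody else.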
+++ b/roles/robosignatory/templates/robosignatory.toml.j2 
@@ -0,0 +1,466 @@ +amqp_url = "amqps://robosignatory{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub" + +publish_exchange = "amq.topic" +passive_declares = true + +callback = "robosignatory.consumer:Consumer" + +# Don't use topic_prefix, since outgoing message topics are derived from incoming messages. +# topic_prefix = "" + +# Note the double brackets below. +# To add another binding, add another [[bindings]] section. +[[bindings]] +queue = "robosignatory" +exchange = "amq.topic" +routing_keys = [ + "org.fedoraproject.*.pungi.compose.ostree", + "org.fedoraproject.*.coreos.build.request.artifacts-sign", + "org.fedoraproject.*.coreos.build.request.ostree-sign", + "org.fedoraproject.*.buildsys.tag", +] + +[tls] +ca_cert = "/etc/pki/fedora-messaging/cacert.pem" +keyfile = "/etc/pki/fedora-messaging/robosignatory-key.pem" +certfile = "/etc/pki/fedora-messaging/robosignatory-cert.pem" + +[client_properties] +app = "RoboSignatory" + +[queues.robosignatory] +durable = true +auto_delete = false +exclusive = false +arguments = {} + +[qos] +prefetch_size = 0 +prefetch_count = 25 + +[log_config] +version = 1 +disable_existing_loggers = true + +[log_config.formatters.simple] +format = "[%(name)s %(levelname)s] %(message)s" + +[log_config.handlers.console] +class = "logging.StreamHandler" +formatter = "simple" +stream = "ext://sys.stdout" + +[log_config.loggers.fedora_messaging] +level = "INFO" +propagate = false +handlers = ["console"] + +[log_config.loggers.robosignatory] +level = "INFO" +propagate = false +handlers = ["console"] + +[log_config.root] +level = "INFO" +handlers = ["console"] + + +# robosignatory consumer configuration +[consumer_config] + + # Any tag prefixed with "module-" will be considered a module. 
+ module_prefixes = ["module-"] + + [consumer_config.signing] + backend = "sigul" + user = "autopen" + passphrase_file = "/etc/sigul/autosign.pass" + config_file = "/etc/sigul/client.conf" + + [consumer_config.koji_instances] + # The keys here need to be the same in the sigul bridge + [consumer_config.koji_instances.primary] + url = "https://koji{{ env_suffix }}.fedoraproject.org/kojihub" + mbs_user = "mbs/mbs{{ env_suffix }}.fedoraproject.org" + + [consumer_config.koji_instances.primary.options] + # Only ssl and kerberos are supported at the moment + authmethod = "kerberos" + principal = "autosign/autosign01{{ env_suffix }}.phx2.fedoraproject.org@{{ env_suffix|upper }}FEDORAPROJECT.ORG" + keytab = "/etc/krb5.autosign_autosign01{{ env_suffix }}.phx2.fedoraproject.org.keytab" + krb_rdns = false + + # Temporary tags + + [[consumer_config.koji_instances.primary.tags]] + from = "f32-python" + to = "f32-python" + key = "" + keyid = "" + key = "{{ (env == 'production')|ternary('fedora-32', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('12c944d0', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f31-kde" + to = "f31-kde" + key = "" + keyid = "" + key = "{{ (env == 'production')|ternary('fedora-31', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('3c3359c4', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f31-gnome" + to = "f31-gnome" + key = "" + keyid = "" + key = "{{ (env == 'production')|ternary('fedora-31', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('3c3359c4', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f31-python" + to = "f31-python" + key = "" + keyid = "" + key = "{{ (env == 'production')|ternary('fedora-31', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('3c3359c4', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f30-kde" + to = "f30-kde" + key = "" + keyid = "" + key = "{{ (env == 
'production')|ternary('fedora-30', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('cfc659b9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f29-kde" + to = "f29-kde" + key = " + keyid = "" + key = "{{ (env == 'production')|ternary('fedora-29', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('429476b4', 'd300e724') }}" + + # Infra tags + + [[consumer_config.koji_instances.primary.tags]] + from = "epel6-infra-candidate" + to = "epel6-infra-stg" + key = "" + keyid = "" + key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "epel7-infra-candidate" + to = "epel7-infra-stg" + key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "epel8-infra-candidate" + to = "epel8-infra-stg" + key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f29-infra-candidate" + to = "f29-infra-stg" + key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f30-infra-candidate" + to = "f30-infra-stg" + key = "{{ (env == 'production')|ternary(''fedora-infra, 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f31-infra-candidate" + to = "f31-infra-stg" + key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = 
"f32-infra-candidate" + to = "f32-infra-stg" + key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('47dd8ef9', 'd300e724') }}" + + # Gated coreos-pool tag + + [[consumer_config.koji_instances.primary.tags]] + from = "f29-coreos-signing-pending" + to = "coreos-pool" + key = "{{ (env == 'production')|ternary('fedora-29', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('429476b4', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f30-coreos-signing-pending" + to = "coreos-pool" + key = "{{ (env == 'production')|ternary('fedora-30', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('cfc659b9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f31-coreos-signing-pending" + to = "coreos-pool" + key = "{{ (env == 'production')|ternary('fedora-31', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('3c3359c4', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f32-coreos-signing-pending" + to = "coreos-pool" + key = "{{ (env == 'production')|ternary('fedora-32', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('12c944d0', 'd300e724') }}" + + # Gated rawhide and branched + + [[consumer_config.koji_instances.primary.tags]] + from = "f32-updates-candidate" + to = "f32-updates-testing-pending" + key = "{{ (env == 'production')|ternary('fedora-32', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('12c944d0', 'd300e724') }}" + + [consumer_config.koji_instances.primary.tags.sidetags] + pattern = '-build-side-' + from = '-pending-signing' + to = '-testing' + trusted_taggers = ['bodhi'] + + [[consumer_config.koji_instances.primary.tags]] + from = "f32-pending" + to = "f32" + key = "{{ (env == 'production')|ternary('fedora-32', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('12c944d0', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = 
"f32-modular-pending" + to = "f32-modular" + key = "{{ (env == 'production')|ternary('fedora-32', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('12c944d0', 'd300e724') }}" + type = "modular" + + [[consumer_config.koji_instances.primary.tags]] + from = "f32-modular-updates-candidate" + to = "f32-modular" + key = "{{ (env == 'production')|ternary('fedora-32', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('12c944d0', 'd300e724') }}" + type = "modular" + + [[consumer_config.koji_instances.primary.tags]] + from = "f31-signing-pending" + to = "f31-updates-testing-pending" + key = "{{ (env == 'production')|ternary('fedora-31', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('3c3359c4', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f31-modular-signing-pending" + to = "f31-modular-updates-testing-pending" + key = "{{ (env == 'production')|ternary('fedora-31', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('3c3359c4', 'd300e724') }}" + type = "modular" + + # Gated bodhi updates + + [[consumer_config.koji_instances.primary.tags]] + from = "f30-signing-pending" + to = "f30-updates-testing-pending" + key = "{{ (env == 'production')|ternary('fedora-30', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('cfc659b9', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "f30-modular-signing-pending" + to = "f30-modular-updates-testing-pending" + key = "{{ (env == 'production')|ternary('fedora-30', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('cfc659b9', 'd300e724') }}" + type = "modular" + + [[consumer_config.koji_instances.primary.tags]] + from = "f29-modular-signing-pending" + to = "f29-modular-updates-testing-pending" + key = "{{ (env == 'production')|ternary('fedora-29', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('429476b4', 'd300e724') }}" + type = "modular" + + [[consumer_config.koji_instances.primary.tags]] + from = 
"f29-signing-pending" + to = "f29-updates-testing-pending" + key = "{{ (env == 'production')|ternary('fedora-29', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('429476b4', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "epel8-signing-pending" + to = "epel8-testing-pending" + key = "{{ (env == 'production')|ternary('epel-8', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('2f86d6a1', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "epel8-playground-pending" + to = "epel8-playground" + key = "{{ (env == 'production')|ternary('epel-8', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('2f86d6a1', 'd300e724') }}" + + [[consumer_config.koji_instances.primary.tags]] + from = "epel7-signing-pending" + to = "epel7-testing-pending" + key = "{{ (env == 'production')|ternary('epel-7', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('352c64e5', 'd300e724') }}" + + # Non-gated bodhi triggered + + [[consumer_config.koji_instances.primary.tags]] + from = "dist-6E-epel-testing-candidate" + to = "dist-6E-epel-testing-candidate" + key = "{{ (env == 'production')|ternary('epel-6', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('0608b895', 'd300e724') }}" + + + [consumer_config.ostree_refs] + [consumer_config.ostree_refs."fedora/rawhide/x86_64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-32" + [consumer_config.ostree_refs."fedora/rawhide/aarch64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-32" + [consumer_config.ostree_refs."fedora/rawhide/armhfp/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-32" + [consumer_config.ostree_refs."fedora/devel/x86_64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/devel/aarch64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-31" + 
[consumer_config.ostree_refs."fedora/devel/armhfp/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/stable/x86_64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-iot-2019" + [consumer_config.ostree_refs."fedora/stable/aarch64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-iot-2019" + [consumer_config.ostree_refs."fedora/stable/armhfp/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-iot-2019" + [consumer_config.ostree_refs."fedora/31/x86_64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/aarch64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/armhfp/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/30/x86_64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-30" + [consumer_config.ostree_refs."fedora/30/aarch64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-30" + [consumer_config.ostree_refs."fedora/30/armhfp/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-30" + [consumer_config.ostree_refs."fedora/29/x86_64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/aarch64/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/armhfp/iot"] + directory = "/mnt/fedora_koji/koji/compose/iot/repo/" + key = "fedora-29" + + [consumer_config.ostree_refs."fedora/29/x86_64/atomic-host"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/ppc64le/atomic-host"] + directory = 
"/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/aarch64/atomic-host"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/x86_64/updates/atomic-host"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/ppc64le/updates/atomic-host"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/aarch64/updates/atomic-host"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/x86_64/testing/atomic-host"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/ppc64le/testing/atomic-host"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/aarch64/testing/atomic-host"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/x86_64/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/x86_64/updates/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + [consumer_config.ostree_refs."fedora/29/x86_64/testing/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-29" + + [consumer_config.ostree_refs."fedora/30/x86_64/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-30" + [consumer_config.ostree_refs."fedora/30/x86_64/updates/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-30" + [consumer_config.ostree_refs."fedora/30/x86_64/testing/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-30" + + 
[consumer_config.ostree_refs."fedora/31/x86_64/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/aarch64/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/ppc64le/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/x86_64/updates/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/x86_64/testing/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/aarch64/updates/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/aarch64/testing/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/ppc64le/updates/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + [consumer_config.ostree_refs."fedora/31/ppc64le/testing/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-31" + + [consumer_config.ostree_refs."fedora/rawhide/aarch64/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-"32 + [consumer_config.ostree_refs."fedora/rawhide/ppc64le/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-32" + [consumer_config.ostree_refs."fedora/rawhide/x86_64/silverblue"] + directory = "/mnt/fedora_koji/koji/compose/ostree/repo/" + key = "fedora-32" + + + [consumer_config.coreos] + bucket = "robosig-dev-fcos-builds" + key = "coreos" + + [consumer_config.coreos.aws] + access_key = "{{ fcos_builds_releng_aws_access_id }}" + access_secret = "{{ fcos_builds_releng_aws_secret_key }}" + 
region = "us-east-1"
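Review bot: Several added lines will stop this template from rendering or parsing, so the consumer would not start with it. The first seven `tags` tables (`f32-python` through `epel6-infra-candidate`) carry leftover `key = ""` / `keyid = ""` lines ahead of the real ones, and `f29-kde` even has an unterminated `key = "`; TOML rejects duplicate keys, so those placeholder lines should be deleted. The `f30-infra-candidate` entry has misplaced quotes and should read `key = "{{ (env == 'production')|ternary('fedora-infra', 'testkey') }}"`, and the `fedora/rawhide/aarch64/silverblue` ref should read `key = "fedora-32"`. If `env_suffix` is `.stg` in staging, as the hostnames suggest, `@{{ env_suffix|upper }}FEDORAPROJECT.ORG` renders as `@.STGFEDORAPROJECT.ORG` rather than the `STG.FEDORAPROJECT.ORG` realm the deleted staging config used. Because the rendered file now also contains the AWS secret, a pre-deploy check that the template parses as TOML in both environments would be worth adding.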