Blah none of this will work. Or will it?

Signed-off-by: Ricky Elrod <codeblock@fedoraproject.org>
2016-08-02 15:37:20 +00:00 · 2016-08-02 15:37:20 +00:00 · 492096088f
commit 492096088f
parent b77655b853
7 changed files with 293 additions and 12 deletions
--- a/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
@ -0,0 +1,12 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.28
+vmhost: virthost20.phx2.fedoraproject.org
+datacenter: phx2
--- a/inventory/inventory
+++ b/inventory/inventory
@ -313,6 +313,9 @@ fas03.phx2.fedoraproject.org
 [fas-stg]
 fas01.stg.phx2.fedoraproject.org

+[fas3-stg]
+fas3-01.stg.phx2.fedoraproject.org
+
 [hosted]
 hosted03.fedoraproject.org

--- a/playbooks/groups/fas3.yml
+++ b/playbooks/groups/fas3.yml
@ -0,0 +1,39 @@
+# create a new fas server
+
+- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=fas3-stg"
+
+- name: make the box be real
+  hosts: fas3-stg
+  user: root
+  gather_facts: True
+
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - hosts
+  - rkhunter
+  #- nagios/client
+  - fas_client
+  - collectd/base
+  - rsyncd
+  - memcached
+  - apache
+  - fas3_server
+  - fedmsg/base
+  - sudo
+  #- yubikey
+  #- totpcgi
+  #- { role: openvpn/client, when: env != "staging" }
+
+  tasks:
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/2fa_client.yml"
+  - include: "{{ tasks }}/motd.yml"
+  - include: "{{ tasks }}/mod_wsgi.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
--- a/roles/fas3_server/files/accounts.conf
+++ b/roles/fas3_server/files/accounts.conf
@ -0,0 +1,26 @@
+# File Start
+WSGISocketPrefix run/wsgi
+
+WSGIRestrictStdout On
+WSGIPassAuthorization On
+WSGIApplicationGroup %{GLOBAL}
+
+# These are the real tunables
+#WSGIDaemonProcess daemon processes=2 threads=2 maximum-requests=1000 user=fas group=fas display-name=fas inactivity-timeout=30
+WSGIDaemonProcess fas  processes=2 threads=2 maximum-requests=1000 user=fas display-name=fas inactivity-timeout=30
+WSGIPythonOptimize 1
+
+WSGIScriptAlias /accounts /usr/sbin/fas.wsgi
+
+<Location /accounts>
+    WSGIProcessGroup fas
+    Order deny,allow
+    Allow from all
+</Location>
+
+
+  <Directory /usr/sbin>
+    Require all granted
+  </Directory>
+
+  ErrorLog logs/fas-error.log
--- a/roles/fas3_server/files/copr.repo
+++ b/roles/fas3_server/files/copr.repo
@ -0,0 +1,8 @@
+[codeblock-fas3]
+name=Copr repo for fas3 owned by codeblock
+baseurl=https://copr-be.cloud.fedoraproject.org/results/codeblock/fas3/epel-7-$basearch/
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/codeblock/fas3/pubkey.gpg
+enabled=1
+enabled_metadata=1
--- a/roles/fas3_server/tasks/main.yml
+++ b/roles/fas3_server/tasks/main.yml
@ -1,10 +1,17 @@
 ---
 # Tasks to set up fas3_server

+- name: add temporary copr repo
+  copy: src=copr.repo dest=/etc/yum.repos.d/copr.repo
+  tags:
+  - config
+  - packages
+  - yumrepos
+
 - name: install needed packages
  yum: pkg={{ item }} state=installed
  with_items:
-  - fas3
+  - fas
  - httpd
  - mod_wsgi
  tags:
@ -20,15 +27,9 @@
  - config
  - fas3

- name: setup /var/www/.python-eggs directory
-  file: path=/var/www/.python-eggs owner=apache group=apache mode=0700 state=directory
-  tags:
-  - config
-  - fas3
-
 - name: install /etc/httpd/conf.d/accounts.conf file
-  template: > 
-    src="fas-app.conf.j2" 
+  copy: > 
+    src="accounts.conf" 
    dest="/etc/httpd/conf.d/accounts.conf" 
    owner=root 
    group=root 
@ -43,9 +44,9 @@
  template: > 
    src="production.ini"
    dest="/etc/fas/production.ini"
-    owner=fas
-    group=apache
-    mode=0640
+    owner=root
+    group=root
+    mode=0644
  notify:
  - reload httpd
  tags:
--- a/roles/fas3_server/templates/production.ini
+++ b/roles/fas3_server/templates/production.ini
@ -0,0 +1,192 @@
+###
+# app configuration
+# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/environment.html
+###
+
+[app:main]
+use = egg:fas
+
+project.name = fedoraproject
+project.organisation = Fedora Project
+project.admin = fas-admin
+project.moderator = accounts-modo
+project.group.admin = sysadmin
+project.domain.name = fedoraproject.org
+project.url = https://admin.stg.fedoraproject.org/fas3/
+project.admin.email = admin@fedoraproject.org
+project.group.cert.always_renew = false
+
+project.api.data.secret = {{fas3_stg_project_api_data_secret}}
+
+geoip.4.data.city = /usr/share/GeoIP/GeoLiteCity.dat
+geoip.6.data.city = /usr/share/GeoIP/GeoLiteCityv6.dat
+
+# Captcha - if 'captcha.secret' is not None, then it will be used for comments
+# captcha.secret must be 32 url-safe base64-encoded bytes
+# you can generate a fresh one with >>> cryptography.fernet.Fernet.generate_key()
+captcha.secret = {{fas3_captcha_secret}}
+captcha.image.width = 300
+captcha.image.height = 80
+# Any truetype font will do.
+captcha.font.path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
+captcha.font.size = 36
+captcha.font.color = #000000
+captcha.font.padding = 5
+captcha.background.color = #ffffff
+captcha.encoding = utf-8
+# If a captcha sits around for this many seconds, it will stop working.
+captcha.ttl = 300
+
+github.organization = fedora-infra
+github.client.user-agent = Fedora Project\FAS 3.0
+github.client.id =
+github.client.secret =
+github.token =
+
+###
+# Session settings
+###
+session.max_age = 1200
+session.timeout = 120
+session.renew_time = 20
+session.secret = {{fas3_stg_session_secret}}
+session.auth.timeout = 1200
+session.auth.digest = sha512
+session.auth.secret = {{fas3_stg_session_auth_secret}}
+
+cache.max_age = 3600
+
+###
+# Log-in settings
+###
+login.failed_attempt = 3
+# Set account lock timeout in minute
+login.lock.timeout = 15
+user.security_change.timeout = 60
+
+###
+# Database settings
+###
+sqlalchemy.url = postgresql://{{fas3_stg_user}}:{{fas3_stg_pass}}@db-fas01.stg:5432/fas3
+#sqlalchemy.url = sqlite:///%(here)s/fas.sqlite
+
+
+###
+# Templates settings
+###
+mako.directories = fas:templates/fedoraproject
+mako.module_directory = /tmp
+
+
+###
+# i18n
+###
+locale.default = en
+#locale.available = en_US,en_GB,fr
+
+###
+# Blacklist items
+###
+blacklist.email.domain = fedoraproject.org
+blacklist.country = ["--", "A1", "A2", "AN", "AS", "AX", "BI", "BL", "BV", "CC", "CU", "CV", "CX", "DM", "FK", "FO", "GF", "GG", "GP", "GS", "GW", "HM", "IO", "IR", "IQ", "JE", "KI", "KP", "MF", "MP", "MS", "MW", "NF", "NR", "NU", "PM", "PN", "RE", "SB", "SD", "SH", "SJ", "SY", "TC", "TF", "TK", "TL", "TV", "UM", "VC", "VG", "WF", "YT"]
+blacklist.username = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,kojiadmin,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
+
+###
+# OpenSSL 
+###
+# Valid TYPE value:
+# 6: RSA
+# 5: DSA
+certificate.type = 6
+certificate.digest = sha256
+certificate.size = 2048
+certificate.expiry = 15552000
+certificate.public_exponent = 65537
+# example:
+# 60*60*24*180 = 6 months
+
+# By default, the toolbar only appears for clients from IP addresses
+# '127.0.0.1' and '::1'.
+# debugtoolbar.hosts = 127.0.0.1 ::1
+
+###
+# Pyramid settings
+###
+pyramid.reload_templates = true
+pyramid.debug_authorization = false
+pyramid.debug_notfound = false
+pyramid.debug_routematch = false
+pyramid.default_locale_name = en
+pyramid.includes =
+    pyramid_mako
+    pyramid_tm
+
+###
+# Email notifications settings
+###
+
+email.smtp.server = localhost
+email.from = Fedora Account System <noreply@fedoraproject.org>
+email.subject_prefix = [Development Test]
+
+
+###
+# Fedmenu stuff
+###
+
+fedmenu.url = https://apps.fedoraproject.org/fedmenu
+fedmenu.data_url = https://apps.fedoraproject.org/js/data.js
+
+
+[app:plugins]
+
+###
+# wsgi server configuration
+###
+
+[server:main]
+use = egg:waitress#main
+host = 0.0.0.0
+port = 6543
+#port = 80
+
+###
+# logging configuration
+# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/logging.html
+###
+
+[loggers]
+keys = root, fas, sqlalchemy
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = DEBUG
+handlers = console
+
+[logger_fas]
+level = DEBUG
+handlers =
+qualname = fas
+
+[logger_sqlalchemy]
+level = DEBUG
+handlers =
+qualname = sqlalchemy.engine
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARN" logs neither.  (Recommended for production systems.)
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = DEBUG
+formatter = generic
+#class = rainbow_logging_handler.RainbowLoggingHandler
+
+[formatter_generic]
+format = %(asctime)s %(levelname)-5.5s [%(threadName)s:%(process)s][%(name)s:%(module)s][%(funcName)s:%(lineno)s] %(message)s