diff --git a/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org b/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
new file mode 100644
index 0000000000..627032fe44
--- /dev/null
+++ b/inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
@@ -0,0 +1,12 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.28
+vmhost: virthost20.phx2.fedoraproject.org
+datacenter: phx2
diff --git a/inventory/inventory b/inventory/inventory
index e3116c8627..4cd1c9489a 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -313,6 +313,9 @@ fas03.phx2.fedoraproject.org
[fas-stg]
fas01.stg.phx2.fedoraproject.org
+[fas3-stg]
+fas3-01.stg.phx2.fedoraproject.org
+
[hosted]
hosted03.fedoraproject.org
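Review bot: The new `[fas3-stg]` header is inserted directly under `fas01.stg.phx2.fedoraproject.org` with no separating blank line, while the rest of the inventory keeps one empty line between a group's last host and the next header (the blank line the hunk adds goes after the group, not before it). Add an empty line before `[fas3-stg]` so the group reads like its neighbours.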
diff --git a/playbooks/groups/fas3.yml b/playbooks/groups/fas3.yml
new file mode 100644
index 0000000000..5609b9cdbf
--- /dev/null
+++ b/playbooks/groups/fas3.yml
@@ -0,0 +1,39 @@
+# create a new fas server
+
+- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=fas3-stg"
+
+- name: make the box be real
+ hosts: fas3-stg
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - hosts
+ - rkhunter
+ #- nagios/client
+ - fas_client
+ - collectd/base
+ - rsyncd
+ - memcached
+ - apache
+ - fas3_server
+ - fedmsg/base
+ - sudo
+ #- yubikey
+ #- totpcgi
+ #- { role: openvpn/client, when: env != "staging" }
+
+ tasks:
+ - include: "{{ tasks }}/yumrepos.yml"
+ - include: "{{ tasks }}/2fa_client.yml"
+ - include: "{{ tasks }}/motd.yml"
+ - include: "{{ tasks }}/mod_wsgi.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
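Review bot: Four roles are left commented out in the roles list (`#- nagios/client`, `#- yubikey`, `#- totpcgi`, `#- { role: openvpn/client, when: env != "staging" }`) with nothing saying whether they are deliberately off for the fas3 staging host or still to be wired up; in particular the missing nagios client means the box is deployed unmonitored. Add a one-line comment above that group, e.g. `# TODO: nagios/client, yubikey, totpcgi and openvpn/client are disabled until fas3 staging is stable`, or drop the lines if they are not coming back. The same applies to the role list in general: a short comment on why `fas_client` runs alongside `fas3_server` would help the next reader.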
diff --git a/roles/fas3_server/files/accounts.conf b/roles/fas3_server/files/accounts.conf
new file mode 100644
index 0000000000..1b602f39eb
--- /dev/null
+++ b/roles/fas3_server/files/accounts.conf
@@ -0,0 +1,26 @@
+# File Start
+WSGISocketPrefix run/wsgi
+
+WSGIRestrictStdout On
+WSGIPassAuthorization On
+WSGIApplicationGroup %{GLOBAL}
+
+# These are the real tunables
+#WSGIDaemonProcess daemon processes=2 threads=2 maximum-requests=1000 user=fas group=fas display-name=fas inactivity-timeout=30
+WSGIDaemonProcess fas processes=2 threads=2 maximum-requests=1000 user=fas display-name=fas inactivity-timeout=30
+WSGIPythonOptimize 1
+
+WSGIScriptAlias /accounts /usr/sbin/fas.wsgi
+
+
+ WSGIProcessGroup fas
+ Order deny,allow
+ Allow from all
+
+
+
+
+ Require all granted
+
+
+ ErrorLog logs/fas-error.log
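Review bot: The access-control lines mix Apache 2.2 directives (`Order deny,allow`, `Allow from all`) with the 2.4 form `Require all granted`; on the RHEL 7 httpd this role targets the 2.2 directives only work through mod_access_compat and are redundant next to `Require`, so keep just `Require all granted`. The container directives that should enclose these indented lines are not visible in the hunk as rendered — that is probably angle-bracket tags being stripped on the page, but it is worth confirming the committed file opens and closes its location/directory blocks. `WSGIDaemonProcess fas ...` also drops the `group=fas` that the commented-out line above it carries, so the daemon presumably falls back to the group httpd runs as; if the fas group was intended, restore `group=fas`.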
diff --git a/roles/fas3_server/files/copr.repo b/roles/fas3_server/files/copr.repo
new file mode 100644
index 0000000000..fe6e64c5cf
--- /dev/null
+++ b/roles/fas3_server/files/copr.repo
@@ -0,0 +1,8 @@
+[codeblock-fas3]
+name=Copr repo for fas3 owned by codeblock
+baseurl=https://copr-be.cloud.fedoraproject.org/results/codeblock/fas3/epel-7-$basearch/
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/codeblock/fas3/pubkey.gpg
+enabled=1
+enabled_metadata=1
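Review bot: The task that installs this file calls the repo temporary, but the file itself records neither that nor what is supposed to replace it, so it will quietly outlive its purpose once the `fas` package is available from a maintained repo. Add a header line above `[codeblock-fas3]` such as `# temporary: personal COPR until fas3 packages reach the infra repos`. For consistency with `gpgcheck=1` and `enabled=1`, write `skip_if_unavailable=1` rather than `True` (yum accepts both, but one boolean form per file is easier to read).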
diff --git a/roles/fas3_server/tasks/main.yml b/roles/fas3_server/tasks/main.yml
index bd47f71166..1822270aa9 100644
--- a/roles/fas3_server/tasks/main.yml
+++ b/roles/fas3_server/tasks/main.yml
@@ -1,10 +1,17 @@
---
# Tasks to set up fas3_server
+- name: add temporary copr repo
+ copy: src=copr.repo dest=/etc/yum.repos.d/copr.repo
+ tags:
+ - config
+ - packages
+ - yumrepos
+
- name: install needed packages
yum: pkg={{ item }} state=installed
with_items:
- - fas3
+ - fas
- httpd
- mod_wsgi
tags:
@@ -20,15 +27,9 @@
- config
- fas3
-- name: setup /var/www/.python-eggs directory
- file: path=/var/www/.python-eggs owner=apache group=apache mode=0700 state=directory
- tags:
- - config
- - fas3
-
- name: install /etc/httpd/conf.d/accounts.conf file
- template: >
- src="fas-app.conf.j2"
+ copy: >
+ src="accounts.conf"
dest="/etc/httpd/conf.d/accounts.conf"
owner=root
group=root
@@ -43,9 +44,9 @@
template: >
src="production.ini"
dest="/etc/fas/production.ini"
- owner=fas
- group=apache
- mode=0640
+ owner=root
+ group=root
+ mode=0644
notify:
- reload httpd
tags:
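Review bot: Changing `/etc/fas/production.ini` to `owner=root`, `group=root`, `mode=0644` makes the file world-readable, and the template this commit adds writes the database password (`sqlalchemy.url`), `session.secret`, `session.auth.secret`, `project.api.data.secret` and `captcha.secret` into it. The previous `group=apache` / `mode=0640` limited it to the web server; since accounts.conf runs the WSGI daemon as `user=fas`, `owner=root group=fas mode=0640` (or the apache group, if that is what the daemon actually runs under) gives the application access without exposing the secrets to every local account. The enclosing task starts above this hunk, so the `- name:` line is not visible here.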
diff --git a/roles/fas3_server/templates/production.ini b/roles/fas3_server/templates/production.ini
new file mode 100644
index 0000000000..bed9837cdf
--- /dev/null
+++ b/roles/fas3_server/templates/production.ini
@@ -0,0 +1,192 @@
+###
+# app configuration
+# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/environment.html
+###
+
+[app:main]
+use = egg:fas
+
+project.name = fedoraproject
+project.organisation = Fedora Project
+project.admin = fas-admin
+project.moderator = accounts-modo
+project.group.admin = sysadmin
+project.domain.name = fedoraproject.org
+project.url = https://admin.stg.fedoraproject.org/fas3/
+project.admin.email = admin@fedoraproject.org
+project.group.cert.always_renew = false
+
+project.api.data.secret = {{fas3_stg_project_api_data_secret}}
+
+geoip.4.data.city = /usr/share/GeoIP/GeoLiteCity.dat
+geoip.6.data.city = /usr/share/GeoIP/GeoLiteCityv6.dat
+
+# Captcha - if 'captcha.secret' is not None, then it will be used for comments
+# captcha.secret must be 32 url-safe base64-encoded bytes
+# you can generate a fresh one with >>> cryptography.fernet.Fernet.generate_key()
+captcha.secret = {{fas3_captcha_secret}}
+captcha.image.width = 300
+captcha.image.height = 80
+# Any truetype font will do.
+captcha.font.path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
+captcha.font.size = 36
+captcha.font.color = #000000
+captcha.font.padding = 5
+captcha.background.color = #ffffff
+captcha.encoding = utf-8
+# If a captcha sits around for this many seconds, it will stop working.
+captcha.ttl = 300
+
+github.organization = fedora-infra
+github.client.user-agent = Fedora Project\FAS 3.0
+github.client.id =
+github.client.secret =
+github.token =
+
+###
+# Session settings
+###
+session.max_age = 1200
+session.timeout = 120
+session.renew_time = 20
+session.secret = {{fas3_stg_session_secret}}
+session.auth.timeout = 1200
+session.auth.digest = sha512
+session.auth.secret = {{fas3_stg_session_auth_secret}}
+
+cache.max_age = 3600
+
+###
+# Log-in settings
+###
+login.failed_attempt = 3
+# Set account lock timeout in minute
+login.lock.timeout = 15
+user.security_change.timeout = 60
+
+###
+# Database settings
+###
+sqlalchemy.url = postgresql://{{fas3_stg_user}}:{{fas3_stg_pass}}@db-fas01.stg:5432/fas3
+#sqlalchemy.url = sqlite:///%(here)s/fas.sqlite
+
+
+###
+# Templates settings
+###
+mako.directories = fas:templates/fedoraproject
+mako.module_directory = /tmp
+
+
+###
+# i18n
+###
+locale.default = en
+#locale.available = en_US,en_GB,fr
+
+###
+# Blacklist items
+###
+blacklist.email.domain = fedoraproject.org
+blacklist.country = ["--", "A1", "A2", "AN", "AS", "AX", "BI", "BL", "BV", "CC", "CU", "CV", "CX", "DM", "FK", "FO", "GF", "GG", "GP", "GS", "GW", "HM", "IO", "IR", "IQ", "JE", "KI", "KP", "MF", "MP", "MS", "MW", "NF", "NR", "NU", "PM", "PN", "RE", "SB", "SD", "SH", "SJ", "SY", "TC", "TF", "TK", "TL", "TV", "UM", "VC", "VG", "WF", "YT"]
+blacklist.username = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,kojiadmin,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
+
+###
+# OpenSSL
+###
+# Valid TYPE value:
+# 6: RSA
+# 5: DSA
+certificate.type = 6
+certificate.digest = sha256
+certificate.size = 2048
+certificate.expiry = 15552000
+certificate.public_exponent = 65537
+# example:
+# 60*60*24*180 = 6 months
+
+# By default, the toolbar only appears for clients from IP addresses
+# '127.0.0.1' and '::1'.
+# debugtoolbar.hosts = 127.0.0.1 ::1
+
+###
+# Pyramid settings
+###
+pyramid.reload_templates = true
+pyramid.debug_authorization = false
+pyramid.debug_notfound = false
+pyramid.debug_routematch = false
+pyramid.default_locale_name = en
+pyramid.includes =
+ pyramid_mako
+ pyramid_tm
+
+###
+# Email notifications settings
+###
+
+email.smtp.server = localhost
+email.from = Fedora Account System
+email.subject_prefix = [Development Test]
+
+
+###
+# Fedmenu stuff
+###
+
+fedmenu.url = https://apps.fedoraproject.org/fedmenu
+fedmenu.data_url = https://apps.fedoraproject.org/js/data.js
+
+
+[app:plugins]
+
+###
+# wsgi server configuration
+###
+
+[server:main]
+use = egg:waitress#main
+host = 0.0.0.0
+port = 6543
+#port = 80
+
+###
+# logging configuration
+# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/logging.html
+###
+
+[loggers]
+keys = root, fas, sqlalchemy
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = DEBUG
+handlers = console
+
+[logger_fas]
+level = DEBUG
+handlers =
+qualname = fas
+
+[logger_sqlalchemy]
+level = DEBUG
+handlers =
+qualname = sqlalchemy.engine
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARN" logs neither. (Recommended for production systems.)
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = DEBUG
+formatter = generic
+#class = rainbow_logging_handler.RainbowLoggingHandler
+
+[formatter_generic]
+format = %(asctime)s %(levelname)-5.5s [%(threadName)s:%(process)s][%(name)s:%(module)s][%(funcName)s:%(lineno)s] %(message)s
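Review bot: Every logger is set to `level = DEBUG`, including `[logger_sqlalchemy]`, which the file's own comment says logs SQL queries and their results; on an account system that means user rows (password hashes, emails, tokens) are echoed to stderr and whatever collects it, and `[logger_root]` at DEBUG does the same for the rest of the app. For a deployed staging instance set `level = WARN` under `[logger_sqlalchemy]` and `level = INFO` under `[logger_root]` and `[logger_fas]`, and note that `pyramid.reload_templates = true` and `email.subject_prefix = [Development Test]` are development settings in a file named production.ini. Separately, `github.client.user-agent = Fedora Project\FAS 3.0` contains a backslash where a User-Agent conventionally uses `/` between product and version — presumably a typo, worth confirming.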