Merge branch 'master' of /git/ansible

inventory/group_vars/ipsilon-stg

@@ -0,0 +1,15 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443 ]
+
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+fas_client_groups: sysadmin-main,sysadmin-accounts

inventory/host_vars/ipsilon01.stg.phx2.fedoraproject.org

@@ -0,0 +1,12 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.35
+vmhost: virthost11.phx2.fedoraproject.org
+datacenter: phx2

inventory/inventory

@@ -293,6 +293,9 @@ log01.phx2.fedoraproject.org
 noc01.phx2.fedoraproject.org
 noc02.fedoraproject.org
 
+[ipsilon-stg]
+ipsilon01.stg.phx2.fedoraproject.org
+
 [dhcp]
 dhcp01.phx2.fedoraproject.org
 
@@ -466,6 +469,7 @@ hotness01.stg.phx2.fedoraproject.org
 kerneltest01.stg.phx2.fedoraproject.org
 koji01.stg.phx2.fedoraproject.org
 mailman01.stg.phx2.fedoraproject.org
+ipsilon01.stg.phx2.fedoraproject.org
 notifs-backend01.stg.phx2.fedoraproject.org
 notifs-web01.stg.phx2.fedoraproject.org
 notifs-web02.stg.phx2.fedoraproject.org
@@ -501,6 +505,8 @@ log01.phx2.fedoraproject.org
 kojipkgs01.phx2.fedoraproject.org
 ns03.phx2.fedoraproject.org
 ns04.phx2.fedoraproject.org
+db-qa01.qa.fedoraproject.org
+proxy10.phx2.fedoraproject.org
 
 [summershum]
 summershum01.phx2.fedoraproject.org

playbooks/groups/ipsilon.yml

@@ -0,0 +1,68 @@
+# create a new FedOAuth server
+# NOTE: should be used with --limit most of the time
+# NOTE: make sure there is room/space for this server on the vmhost
+# NOTE: most of these vars_path come from group_vars/ipsilon* or from hostvars
+
+- name: make ipsilon
+  hosts: ipsilon-stg
+  user: root
+  gather_facts: False
+
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+  - include: "{{ tasks }}/virt_instance_create.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the box be real
+  hosts: ipsilon-stg
+  user: root
+  gather_facts: True
+
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - denyhosts
+  - nagios_client
+  - hosts
+  - fas_client
+  - rsyncd
+  - sudo
+  - { role: openvpn/client,
+      when: env != "staging" }
+
+  tasks:
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/2fa_client.yml"
+  - include: "{{ tasks }}/motd.yml"
+  - include: "{{ tasks }}/apache.yml"
+  - include: "{{ tasks }}/mod_wsgi.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+- name: deploy ipsilon itself
+  hosts: ipsilon-stg
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - "{{ vars_path }}/{{ ansible_distribution }}.yml"
+
+  roles:
+  - ipsilon
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"

roles/anitya/backend/files/backup-database

@@ -3,4 +3,8 @@
 
 DB=$1
 
+# Make our latest backup
 /usr/bin/pg_dump -C $DB | /usr/bin/xz > /backups/$DB-$(date +%F).dump.xz
+
+# Also, delete the backup from a few days ago.
+rm -f /backups/$DB-$(date --date="3 days ago" +%F).dump.xz

roles/anitya/backend/tasks/main.yml

@@ -45,6 +45,16 @@
   tags:
   - anitya_backend
 
+- name: Set up some cronjobs to backup databases as configured
+  template: >
+    src=cron-backup-database
+    dest=/etc/cron.d/cron-backup-database-{{ item }}
+  with_items:
+  - anitya
+  tags:
+  - cron
+  - postgresql
+
 - name: Add our postgres config file.
   copy: >
     src={{ item }}

roles/fas_server/files/export-bugzilla

@@ -0,0 +1,153 @@
+#!/usr/bin/python -t
+__requires__ = 'TurboGears'
+import pkg_resources
+pkg_resources.require('CherryPy >= 2.0, < 3.0alpha')
+
+import logging
+logging.basicConfig()
+
+import os
+import sys
+import getopt
+import xmlrpclib
+import smtplib
+from email.Message import Message
+import warnings
+
+# Ignore DeprecationWarnings.  This allows us to stop getting email
+# from the cron job.  We'll see the same warnings from the server starting up
+warnings.simplefilter('ignore', DeprecationWarning)
+
+import turbogears
+import bugzilla
+from turbogears import config
+cfgfile = '/etc/export-bugzilla.cfg'
+if os.access('./export-bugzilla.cfg', os.R_OK):
+    cfgfile = './export-bugzilla.cfg'
+turbogears.update_config(configfile=cfgfile)
+from turbogears.database import session
+from fas.model import BugzillaQueue
+
+BZSERVER = config.get('bugzilla.url', 'https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi')
+BZUSER = config.get('bugzilla.username')
+BZPASS = config.get('bugzilla.password')
+MAILSERVER = config.get('mail.server', 'localhost')
+ADMINEMAIL = config.get('mail.admin_email', 'admin@fedoraproject.org')
+NOTIFYEMAIL = config.get('mail.notify_email', ['admin@fedoraproject.org'])
+
+if __name__ == '__main__':
+    opts, args = getopt.getopt(sys.argv[1:], '', ('usage', 'help'))
+    if len(args) != 2 or ('--usage','') in opts or ('--help','') in opts:
+        print """
+    Usage: export-bugzilla.py GROUP BUGZILLA_GROUP
+    """
+        sys.exit(1)
+    ourGroup = args[0]
+    bzGroup = args[1]
+
+    server = bugzilla.Bugzilla(url=BZSERVER, user=BZUSER, password=BZPASS,
+            cookiefile=None, tokenfile=None)
+    bugzilla_queue = BugzillaQueue.query.join('group').filter_by(
+            name=ourGroup)
+
+    no_bz_account = []
+    for entry in bugzilla_queue:
+        # Make sure we have a record for this user in bugzilla
+        if entry.action == 'r':
+            # Remove the user's bugzilla group
+            try:
+                server.updateperms(entry.email, 'rem', bzGroup)
+            except xmlrpclib.Fault, e:
+                if e.faultCode == 51:
+                    # It's okay, not having this user is equivalent to setting
+                    # them to not have this group.
+                    pass
+                else:
+                    raise
+
+        elif entry.action == 'a':
+            # Make sure the user exists
+            try:
+                server.getuser(entry.email)
+            except xmlrpclib.Fault, e:
+                if e.faultCode == 51:
+                    # This user doesn't have a bugzilla account yet
+                    # add them to a list and we'll let them know.
+                    no_bz_account.append(entry)
+                    continue
+                else:
+                    print 'Error:', e, entry.email, entry.person.human_name
+                    raise
+            server.updateperms(entry.email, 'add', bzGroup)
+        else:
+            print 'Unrecognized action code: %s %s %s %s %s' % (entry.action,
+                    entry.email, entry.person.human_name, entry.person.username, entry.group.name)
+            continue
+
+        # Remove them from the queue
+        session.delete(entry)
+        session.flush()
+
+# Mail the people without bugzilla accounts
+    if '$USER' in NOTIFYEMAIL:
+        for person in no_bz_account:
+            smtplib.SMTP(MAILSERVER)
+            msg = Message()
+            message = '''Hello %(name)s,
+
+    As a Fedora packager, we grant you permissions to make changes to bugs in
+    bugzilla to all Fedora bugs.  This lets you work together with other Fedora
+    developers in an easier fashion.  However, to enable this functionality, we
+    need to have your bugzilla email address stored in the Fedora Account System.
+    At the moment you have:
+
+        %(email)s
+
+    which bugzilla is telling us is not an account in bugzilla.  If you could
+    please set up an account in bugzilla with this address or change your email
+    address on your Fedora Account to match an existing bugzilla account this would
+    let us go forward.
+
+    Note: this message is being generated by an automated script.  You'll continue
+    getting this message until the problem is resolved.  Sorry for the
+    inconvenience.
+
+    Thank you,
+    The Fedora Account System
+    %(admin_email)s
+    ''' % {'name': person.person.human_name, 'email': person.email,
+            'admin_email': ADMINEMAIL}
+
+            msg.add_header('To', person.email)
+            msg.add_header('From', ADMINEMAIL)
+            msg.add_header('Subject', 'Fedora Account System and Bugzilla Mismatch')
+            msg.set_payload(message)
+            smtp = smtplib.SMTP(MAILSERVER)
+            smtp.sendmail(ADMINEMAIL, [person.email], msg.as_string())
+            smtp.quit()
+    recipients = [e for e in NOTIFYEMAIL if e != '$USER']
+    if recipients and no_bz_account:
+        smtplib.SMTP(MAILSERVER)
+        msg = Message()
+        people = []
+        for person in no_bz_account:
+            if person.person.status == 'Active':
+                people.append('  %(user)s  --  %(name)s  --  %(email)s' %
+                    {'name': person.person.human_name, 'email': person.email,
+                     'user': person.person.username})
+        if people:
+            people = '\n'.join(people)
+            message = '''
+The following people are in the packager group but do not have email addresses
+that are valid in bugzilla:
+%s
+
+''' % people
+
+            msg.add_header('From', ADMINEMAIL)
+            msg.add_header('To', ', '.join(recipients))
+            msg.add_header('Subject', 'Fedora Account System and Bugzilla Mismatch')
+            msg.set_payload(message)
+            smtp = smtplib.SMTP(MAILSERVER)
+            smtp.sendmail(ADMINEMAIL, recipients, msg.as_string())
+            smtp.quit()

roles/fas_server/tasks/main.yml

@@ -288,6 +288,19 @@
   tags:
   - config
 
+
+- name: HOTFIX fix the export-bugzilla cron to not store bugzilla token
+  copy: >
+    src="export-bugzilla"
+    dest="/usr/sbin/export-bugzilla"
+    owner=root
+    group=root
+    mode=0755
+  tags:
+  - config
+  - hotfix
+
+
 - name: run export-bugzilla program
   cron: >
     name="export-bugzilla"

roles/hosts/files/taskotron-stg01.qa.fedoraproject.org-hosts

@@ -0,0 +1,22 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+10.5.125.63    koji.fedoraproject.org
+10.5.125.36    kojipkgs.fedoraproject.org
+10.5.126.23    infrastructure.fedoraproject.org
+10.5.125.44    pkgs.fedoraproject.org  pkgs
+#
+# This is proxy01.phx2.fedoraproject.org
+#
+10.5.126.51    mirrors.fedoraproject.org
+10.5.126.51    admin.fedoraproject.org
+# there are some firewall issues ATM that make this IP for hub not work
+# changing to a public IP as a workaround until firewall rules are changed
+# 10.5.126.51    hub.fedoraproject.org
+152.19.134.142 hub.fedoraproject.org
+
+# for VPN
+10.5.126.12    gateway.phx2.fedoraproject.org gateway bastion01.phx2.fedoraproject.org bastion01
+10.5.126.11    bastion02.phx2.fedoraproject.org bastion02
+
+# these are needed for the beaker-project repos
+74.207.232.43  beaker-project.org

roles/ipsilon/files/templates/index.html

@@ -0,0 +1,7 @@
+{% extends "layout.html" %}
+{% block toptext %}
+This is the Federated Open Authentication provider homepage.
+{% endblock %}
+{% block main %}
+You will be redirected to this application whenever another application requires you to authenticate.
+{% endblock %}

roles/ipsilon/files/templates/internalerror.html

@@ -0,0 +1,15 @@
+{% extends "layout.html" %}
+{% block toptext %}
+500 - Internal Server Error
+{% endblock %}
+{% block main %}
+  {% if message: %}
+    <p>{{ message }}</p>
+  {% else %}
+    <p>Ipsilon encountered an unexpected internal error while trying to
+       fulfill your request.</p>
+  {% endif %}
+  <p>Please retry again.</p>
+  <p>If the error persists, contact the server administrator to resolve
+     the problem.</p>
+{% endblock %}

roles/ipsilon/files/templates/layout.html

@@ -0,0 +1,35 @@
+<!doctype html>
+<html>
+    <head>
+        <meta charset="UTF-8">
+        <title>{{ title }}</title>
+
+        <link rel="shortcut icon" type="image/vnd.microsoft.icon"
+            href="//fedoraproject.org/static/images/favicon.ico"/>
+
+        <link rel="stylesheet" href="{{ basepath }}/ui/fedora/fedora.css">
+
+        <meta name="generator" content="Ipsilon">
+
+        {%- if heads %}
+          {%- for group, value in heads.items() %}
+            {%- for head in value %}
+              {{ head }}
+            {%- endfor %}
+          {%- endfor %}
+        {%- endif %}
+    </head>
+    <body>
+        <div class="header_bg">
+            <div class="body header">
+                <img id="logo" alt="logo" src="{{ basepath }}/ui/fedora/fedora-authn-logo-white.png"/>
+            </div>
+        </div>
+        <div class="body main">
+            <p id="toptext">{% block toptext %}{% endblock %}</p>
+            <div class="middlebox">
+                {% block main %}{% endblock %}
+            </div>
+        </div>
+    </body>
+</html>

roles/ipsilon/files/templates/logout.html

@@ -0,0 +1,13 @@
+{% extends "master.html" %}
+{% block toptext %}
+Logged out
+{% endblock %}
+{% block main %}
+{% if user.name %}
+    <p>Something prevented a successful logout</p>
+    <p>You are still logged in as {{ user.fullname }}</p>
+{% else %}
+    <p>Successfully logged out.</p>
+    <p>Return to <a href="{{ basepath }}/">Home</a> page</p>
+{% endif %}
+{% endblock %}

roles/ipsilon/files/templates/notfound.html

@@ -0,0 +1,13 @@
+{% extends "layout.html" %}
+{% block toptext %}
+404 - Not Found
+{% endblock %}
+{% block main %}
+  {% if message: %}
+    <p>{{ message }}</p>
+  {% else %}
+    <p>This page does not exist.</p>
+  {% endif %}
+  <p>If you think this is an error, contact the server administrator to resolve
+     the problem.</p>
+{% endblock %}

roles/ipsilon/files/templates/openid/consent_form.html

@@ -0,0 +1,36 @@
+{% extends "layout.html" %}
+{% block toptext %}
+{{trustroot}} is asking to authenticate via OpenID using FedOAuth
+{% endblock %}
+{% block main %}
+    Review the authorization details
+    <div>
+        <form method="post" action="{{action}}" enctype="application/x-www-form-urlencoded">
+            <input type="hidden" name="ipsilon_transaction_id" id="ipsilon_transaction_id" value="{{ ipsilon_transaction_id }}" />
+            <p class="form_item">
+                <table class="details">
+                    {% for entry in authz_details|dictsort %}
+                        <tr>
+                            <td>{{entry[0]}}</td>
+                            <td>{{entry[1]}}</td>
+                        </tr>
+                    {% endfor %}
+
+                    <tr>
+                        <td>Remember approval for</td>
+                        <td><select name="remember_for_days">
+                                <option value="0">never</option>
+                                <option value="3">3 days</option>
+                                <option value="7">7 days</option>
+                            </select>
+                        </td>
+                    </tr>
+                </table>
+            </p>
+            <p class="form_item">
+                <input type="submit" name="decided_deny" value="Reject">
+                <input type="submit" name="decided_allow" value="Allow">
+            </p>
+        </form>
+    </div>
+{% endblock %}

roles/ipsilon/files/templates/openid/userpage.html

@@ -0,0 +1,7 @@
+{% extends "layout.html" %}
+{% block toptext %}
+This is the OpenID page for {{username}}.
+{% endblock %}
+{% block main %}
+This page is primarily used internally
+{% endblock %}

roles/ipsilon/files/templates/openid/xrds.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
+  <XRD>
+    <Service>
+{%- for t in types %}
+      <Type>{{ t }}</Type>
+{%- endfor %}
+{%- if uri %}
+      <URI>{{ uri }}</URI>
+{%- endif %}
+{%- if localid %}
+      <LocalID>{{ localid }}</LocalID>
+{%- endif %}
+    </Service>
+  </XRD>
+</xrds:XRDS>

roles/ipsilon/files/templates/persona/provisioning.html

@@ -0,0 +1,59 @@
+{% extends "layout.html" %}
+{% block toptext %}
+This page is used internally
+{% endblock %}
+{% block main %}
+<script type="text/javascript" src="https://login.persona.org/provisioning_api.js"></script>
+<script type="text/javascript">
+    var xmlhttp = new XMLHttpRequest()
+
+    var loggedin = {{ loggedin|lower }};
+
+    xmlhttp.onreadystatechange = function()
+    {
+        if(xmlhttp.readyState == 4)
+        {
+            if(xmlhttp.status == 200)
+            {
+                navigator.id.registerCertificate(xmlhttp.responseText);
+            }
+            else if((xmlhttp.status == 401) || (xmlhttp.status == 403))
+            {
+                navigator.id.raiseProvisioningFailure('Error in provisioning!');
+            }
+            else
+            {
+                alert("Response code: " + xmlhttp.status);
+                alert("Response text: " + xmlhttp.responseText);
+            }
+        }
+    }
+
+    function generateServerSide(email, publicKey, certDuration, callback)
+    {
+        xmlhttp.open("POST", "Sign/", true);
+        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+        xmlhttp.send("email=" + encodeURIComponent(email)
+                     + "&publicKey=" + encodeURIComponent(publicKey)
+                     + "&certDuration=" + encodeURIComponent(certDuration));
+    }
+
+    function startProvisioning()
+    {
+        navigator.id.beginProvisioning(function(email, certDuration)
+        {
+            if(loggedin)
+            {
+                navigator.id.genKeyPair(function(publicKey)
+                {
+                    generateServerSide(email, publicKey, certDuration);
+                });
+            } else {
+                navigator.id.raiseProvisioningFailure('user is not authenticated');
+            }
+        });
+    }
+
+    startProvisioning();
+</script>
+{% endblock %}

roles/ipsilon/files/templates/persona/signin_result.html

@@ -0,0 +1,19 @@
+{% extends "layout.html" %}
+{% block toptext %}
+This page is used internally
+{% endblock %}
+{% block main %}
+<script type="text/javascript" src="https://login.persona.org/authentication_api.js"></script>
+<script type="text/javascript">
+    var loggedin = {{ loggedin|lower }};
+
+    if(loggedin)
+    {
+        navigator.id.beginAuthentication(function(email) {
+            navigator.id.completeAuthentication();
+        });
+    } else {
+        navigator.id.raiseAuthenticationFailure('User cancelled signon');
+    }
+</script>
+{% endblock %}

roles/ipsilon/files/templates/unauthorized.html

@@ -0,0 +1,12 @@
+{% extends "layout.html" %}
+{% block toptext %}
+401 - Unauthorized
+{% endblock %}
+{% block main %}
+  {% if message: %}
+    <p>{{ message }}</p>
+  {% else %}
+    <p>Authentication was not succesful</p>
+  {% endif %}
+  <p><a href="{{ basepath }}/login" title="Login">Try to login again</a></p>
+{% endblock %}

roles/ipsilon/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+# Configuration for the ipsilon webapp
+
+- name: clean yum metadata
+  command: yum clean all
+  tags:
+  - packages
+
+- name: install needed packages
+  yum: pkg={{ item }} state=present
+  with_items:
+  - ipsilon
+  - ipsilon-authfas
+  - ipsilon-openid
+  - ipsilon-persona
+  - python-psycopg2
+  - libsemanage-python
+  tags:
+  - packages
+
+- name: copy ipsilon templates
+  copy: src=templates
+        dest=/usr/share/ipsilon/templates-fedora
+        owner=ipsilon group=ipsilon mode=0666 
+
+- name: copy ipsilon configuration
+  template: src={{ item }}.cfg
+            dest=/etc/ipsilon/{{ item }}.cfg
+            owner=ipsilon group=ipsilon mode=0600
+  with_items:
+  - ipsilon
+  - configuration
+  tags:
+  - config
+  notify:
+  - restart apache
+
+- name: copy persona private key
+  copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/persona.key
+        owner=ipsilon group=ipsilon mode=0600
+  when: env != "staging"
+
+- name: copy persona STG private key
+  copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/persona.stg.key
+        owner=ipsilon group=ipsilon mode=0600
+  when: env == "staging"
+
+- name: set sebooleans so ipsilon can talk to the db
+  action: seboolean name=httpd_can_network_connect_db
+                    state=true
+                    persistent=true
+
+- name: apply selinux type to the wsgi file
+  file: >
+    dest=/usr/sbin/ipsilon
+    setype=httpd_sys_content_t

roles/ipsilon/templates/configuration.cfg

@@ -0,0 +1,40 @@
+[login_config]
+global enabled=fas
+{% if env == 'staging' %}
+fas FAS url=https://admin.stg.fedoraproject.org/accounts/
+{% else %}
+fas FAS url=https://admin.fedoraproject.org/accounts/
+{% endif %}
+fas FAS Proxy client user Agent=Fedora Ipsilon
+fas FAS Insecure Auth=False
+
+
+
+
+[provider_config]
+global enabled=persona,openid
+
+{% if env == 'staging' %}
+persona allowed domains=stg.fedoraproject.org
+persona issuer domain=id.stg.fedoraproject.org
+persona idp key file=/etc/ipsilon/persona.stg.key
+{% else %}
+persona allowed domains=fedoraproject.org
+persona issuer domain=id.fedoraproject.org
+persona idp key file=/etc/ipsilon/persona.key
+{% endif %}
+
+{% if env == 'staging' %}
+openid database url="postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}.stg/{{ ipsilon_db_name }}"
+openid endpoint url=https://id.stg.fedoraproject.org/openid/
+openid identity url template=http://localhost/openid/id/%(username)s/
+openid trusted roots=
+{% else %}
+openid database url="postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}"
+openid endpoint url=https://id.fedoraproject.org/openid/
+openid identity url template=http://%(username)s.id.fedoraproject.org/
+openid trusted roots=http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin,https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/tagger/,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,http://copr-fe.cloud.fedoraproject.org/,https://admin.fedoraproject.org/pkgdb/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/
+{% endif %}
+openid untrusted roots=
+openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration
+

roles/ipsilon/templates/ipsilon.cfg

@@ -0,0 +1,22 @@
+[global]
+debug = False
+tools.log_request_response.on = False
+template_dir = "/srv/ipsilon/templates"
+
+log.screen = False
+base.mount = ""
+base.dir = "/usr/share/ipsilon"
+admin.config.db = "configfile:///etc/ipsilon/configuration.cfg"
+user.prefs.db = "configfile:///etc/ipsilon/configuration.cfg"
+{% if env == 'staging' %}
+transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}.stg/{{ ipsilon_db_name }}"
+{% else %}
+transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}"
+{% endif %}
+
+tools.sessions.on = True
+tools.sessions.name = "fedora_ipsilon_session_id"
+tools.sessions.storage_type = "Sql"
+tools.sessions.timeout = 60
+tools.sessions.httponly = True
+tools.sessions.secure = True

scripts/public-db-copy

@@ -8,3 +8,4 @@ scp db-datanommer02:/backups/datanommer-$(date +%F).dump.xz /srv/web/infra/db-du
 scp db-koji01:/backups/koji-$(date +%F).dump.xz /srv/web/infra/db-dumps/koji.dump.xz
 scp db01:/backups/pkgdb2-$(date +%F).dump.xz /srv/web/infra/db-dumps/pkgdb2.dump.xz
 scp db01:/backups/fedoratagger-$(date +%F).dump.xz /srv/web/infra/db-dumps/fedoratagger.dump.xz
+scp anitya-backend01:/backups/anitya-$(date +%F).dump.xz /srv/web/infra/db-dumps/anitya.dump.xz