A start at pdc config. still need to work out saml2/mellon stuff.

roles/pdc/frontend/files/idp-metadata.xml

@@ -0,0 +1,83 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" val
+idUntil="2020-09-28T11:14:04.923891" entityID="http://id.stg.fedoraproject.org/saml2/metadata">
+  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
+ BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
+ MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
+ cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
+ AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
+ sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
+ ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
+ wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
+ gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
+ zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
+ Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
+ aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
+ yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
+ KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
+ 6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
+ LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
+ IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
+ hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
+ DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
+ yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
+ /4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
+ 8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
+ hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
+ Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
+ GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
+ FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
+ DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
+ 25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
+ BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
+ MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
+ cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
+ AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
+ sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
+ ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
+ wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
+ gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
+ zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
+ Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
+ aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
+ yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
+ KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
+ 6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
+ LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
+ IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
+ hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
+ DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
+ yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
+ /4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
+ 8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
+ hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
+ Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
+ GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
+ FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
+ DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
+ 25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id.stg.fedoraproject.org/saml2/SSO/POST"/>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.stg.fedoraproject.org/saml2/SSO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.stg.fedoraproject.org/saml2/SLO/Redirect"/>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+  </md:IDPSSODescriptor>
+</md:EntityDescriptor>
+

roles/pdc/frontend/files/metadata.xml

@@ -0,0 +1,33 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" cacheDuration="P7D" entityID="https://pdc.fedorainfracloud.org/saml2">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDGTCCAgGgAwIBAgIJAISFaB3/KZDhMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
+ BAMMGHBkYy5mZWRvcmFpbmZyYWNsb3VkLm9yZzAeFw0xNTA5MzAxMDM4NTFaFw0y
+ MDA5MjgxMDM4NTFaMCMxITAfBgNVBAMMGHBkYy5mZWRvcmFpbmZyYWNsb3VkLm9y
+ ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLA2h4tYn7tAFwFZ2JB
+ xLLcpIY55/NpdQP1yLSfvD4huT3rWRLoojiEpIM61qgnJmVsZ4oPkkSmU3pWLrjw
+ ZeD5XQimtg6GPHitjIIHhUgPDncpdGsbD1J/Jv7V/gj0CvI9ak0i9d0zxaKGaejP
+ 0VL78xeaEPf53LQywqrV9iGDRpcJzQZrqwUvrSIDRn7SmUNvDYQL6voAO6la/43C
+ O8oIMiGE/qNs8sK/KupifxjN4BvZzK6ofpYqhycwJFHUTZ5mAEXspINIOr8I43Ap
+ F6+RDWyIt2G2GK7gwkLfNfb/3Lht8/oMjyiPvKuhSqaDbfcSwsU2A9k9vqV0ufL+
+ +VUCAwEAAaNQME4wHQYDVR0OBBYEFMy2MUOk6B9kN0nLDO4w7Ja/oL2dMB8GA1Ud
+ IwQYMBaAFMy2MUOk6B9kN0nLDO4w7Ja/oL2dMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+ hvcNAQELBQADggEBAHWk0SZYofIu0HP96D2RFghS7bcFGoTzG4uOK8v9cYtM3f3N
+ O5NlmMNYeLG3wbBA+7pZgmIEReZkGlGq4kR4PqulKE4yymyuzIEUYFwlHfxrWCIH
+ 7/A211WxTQRXBGT2h4+uwpqOOOUdd8KHBdRIzYKiNEBjUgbya9fObxPZK2jx7zUq
+ qa7KneEXaZ86LqPQU6+dv3i4yZE7PkeJ3Pl5wVSIJ7dxIN+81YhfuL3poknqDYmJ
+ 4QHNMcbS3gBaTTsUAUyfPXlAbWaGdypAuzxkwt9etX/bExs/0k28REwtZo9q04R4
+ 8Ejlv4ckKIOFY7aO8saseB4A/n/oLfrW+/8qBnM=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pdc.fedorainfracloud.org/saml2/logout"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pdc.fedorainfracloud.org/saml2/postResponse" index="0"/>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+

roles/pdc/frontend/files/patternfly-patternfly1-epel-7.repo

@@ -0,0 +1,8 @@
+[patternfly-patternfly1]
+name=Copr repo for patternfly1 owned by patternfly
+baseurl=https://copr-be.cloud.fedoraproject.org/results/patternfly/patternfly1/epel-7-$basearch/
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/patternfly/patternfly1/pubkey.gpg
+enabled=1
+enabled_metadata=1

roles/pdc/frontend/files/xchu-pdc-epel-7.repo

@@ -0,0 +1,7 @@
+[xchu-pdc]
+name=Copr repo for pdc owned by xchu
+baseurl=https://copr-be.cloud.fedoraproject.org/results/xchu/pdc/epel-7-$basearch/
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/xchu/pdc/pubkey.gpg
+enabled=1

roles/pdc/frontend/tasks/main.yml

@@ -0,0 +1,68 @@
+
+- name: setup the PDC copr repo
+  copy: >
+    src="xchu-pdc-epel-7.repo"
+    dest="/etc/yum.repos.d/xchu-pdc-epel-7.repo"
+    owner=root
+    group=root
+    mode=0644
+  tags:
+  - pdc
+
+- name: setup the patternfly copr repo
+  copy: >
+    src="patternfly-patternfly1-epel-7.repo"
+    dest="/etc/yum.repos.d/patternfly-patternfly1-epel-7.repo"
+    owner=root
+    group=root
+    mode=0644
+  tags:
+  - pdc
+
+- name: install needed packages
+  yum: pkg={{ item }} state=present
+  with_items:
+  - patternfly1
+  - pdc-server
+  - xmlsec1
+  tags: pdc
+
+- name: Copy over settings_local.py
+  template: src=settings_local.py dest=/usr/lib/python2.7/site-packages/pdc/settings_local.py
+  notify: reload httpd
+  tags: pdc
+
+- name: Copy over httpd config
+  template: src=pdc.conf dest=/etc/httpd/conf.d/pdc.conf
+  notify: reload httpd
+  tags: pdc
+
+- name: ensure selinux lets httpd talk to postgres
+  seboolean: name=httpd_can_network_connect_db persistent=yes state=yes
+  tags:
+  - pdc
+  - selinux
+
+- name: create /etc/httpd/saml2
+  file: state=directory
+        path=/etc/httpd/saml2
+        owner=apache group=apache mode=0775
+  tags: pdc
+
+- name: Install saml2 xml files
+  copy: >
+    src="{{ item }}" dest="/etc/httpd/saml2/{{ item }}"
+    owner="apache" group="apache" mode=0600
+  with_items:
+    - metadata.xml
+    - idp-metadata.xml
+  tags: pdc
+
+- name: Install saml2 certs
+  copy: >
+    src="{{ private}}/files/httpd/{{ item }}" dest="/etc/httpd/saml2/{{ item }}"
+    owner="apache" group="apache" mode=0600
+  with_items:
+    - pdc.fedorainfracloud.org.pem
+    - pdc.fedorainfracloud.org.key
+  tags: pdc

roles/pdc/frontend/templates/pdc.conf

@@ -0,0 +1,147 @@
+WSGISocketPrefix /var/run/wsgi
+WSGIPythonOptimize 1
+WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes=2 threads=1 shutdown-timeout=10
+
+<VirtualHost *:80>
+  ServerName {{ hostname }}
+  Redirect permanent / https://{{ hostname }}/
+</VirtualHost>
+
+
+<VirtualHost *:443>
+    ServerName {{ hostname }}
+
+    CustomLog /var/log/httpd/pdc-access.log combined
+    ErrorLog /var/log/httpd/pdc-error.log
+
+    SSLEngine on
+    SSLProtocol all -SSLv2 -SSLv3
+    # Use secure TLSv1.1 and TLSv1.2 ciphers
+    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+    Alias /docs/ /usr/share/doc/pdc/docs/build/html/
+    Alias /saml2protected /usr/share/ipsilon/ui/saml2sp
+
+    # Using SetEnv here will not work as expected as it does not change
+    # os.environ in the application itself. For more details see:
+    # http://stackoverflow.com/a/9017610/1576064
+    #
+    # To override settings provide wsgi.py file with your preferred settings
+    # and point the following directive to it.
+    WSGIScriptAlias /  /usr/lib/python2.7/site-packages/pdc/wsgi.py
+
+
+    RewriteEngine on
+    # First try to find the files in pdc
+    RewriteCond "/usr/lib/python2.7/site-packages/pdc/static/$1" -f
+    RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pdc/static/$1" [L]
+    # Try to find them in the patternfly files
+    RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]
+
+
+    <Location "/">
+        SetHandler wsgi-script
+
+        LimitRequestBody 256000000
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+        Require all granted
+        MellonEnable "info"
+        MellonSPPrivateKeyFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.key"
+        MellonSPCertFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.pem"
+        MellonSPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/metadata.xml"
+        MellonIdPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/idp-metadata.xml"
+        MellonEndpointPath /saml2
+        MellonVariable "saml-sesion-cookie"
+        # Comment out the next two lines if you want to allow logins on bare HTTP
+        MellonsecureCookie On
+        SSLRequireSSL
+        MellonUser "NAME_ID"
+        MellonIdP "IDP"
+        MellonSessionLength 3600
+        # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
+        # MellonPostDirectory "/var/lib/ipsilon/post_cache"
+        # MellonPostReplay On
+    </Location>
+
+    <Location /auth/saml2login>
+        WSGIProcessGroup pdc
+        MellonEnable "auth"
+        Header append Cache-Control "no-cache"
+
+        ## Kerberos authentication:
+        #AuthType Kerberos
+        #AuthName "PDC - Kerberos login"
+        #KrbMethodNegotiate on
+        #KrbMethodK5Passwd on
+        #KrbAuthoritative on
+        #KrbServiceName HTTP
+        #KrbAuthRealm EXAMPLE.COM
+        #KrbVerifyKDC on
+        #Krb5Keytab /etc/httpd/conf/httpd.keytab
+        #KrbSaveCredentials off
+        #Require valid-user
+    </Location>
+
+
+    WSGIPassAuthorization On
+    <Location /rest_api/v1/auth/token>
+        WSGIProcessGroup pdc
+
+        ## Kerberos authentication:
+        #AuthType Kerberos
+        #AuthName "PDC - Kerberos login"
+        #KrbMethodNegotiate on
+        #KrbMethodK5Passwd off
+        #KrbAuthoritative on
+        #KrbServiceName HTTP
+        #KrbAuthRealm EXAMPLE.COM
+        #KrbVerifyKDC on
+        #Krb5Keytab /etc/httpd/conf/httpd.keytab
+        #KrbSaveCredentials off
+        #Require valid-user
+    </Location>
+
+    <Location "/static">
+        SetHandler None
+
+        # Disable auth on the static content, so that we're aren't forced to
+        # use Kerberos.  Doing so would remove "Expires" headers from the static
+        # content, which would lead to poor page-load times.
+        AuthType none
+        Satisfy Any
+        Require all granted
+
+        # Many file types are likely to benefit from compression
+        # Enable gzip compression on them:
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+
+        # Set far-future Expires headers on static content
+        # (trac 184):
+        ExpiresActive On
+        ExpiresDefault "access plus 10 years"
+    </Location>
+
+    <Location "/docs">
+        SetHandler None
+
+        # Disable auth on the static content, so that we're aren't forced to
+        # use Kerberos.  Doing so would remove "Expires" headers from the static
+        # content, which would lead to poor page-load times.
+        AuthType none
+        Satisfy Any
+        Require all granted
+
+        # Many file types are likely to benefit from compression
+        # Enable gzip compression on them:
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+
+        # Set far-future Expires headers on static content
+        # (trac 184):
+        ExpiresActive On
+        ExpiresDefault "access plus 2 weeks"
+    </Location>
+
+</VirtualHost>

roles/pdc/frontend/templates/settings_local.py

@@ -0,0 +1,93 @@
+# Feel free to `cp settings_local.py.dist settings.local.py`
+# and customize your settings, changes here will be populated
+# automatically.
+#
+# This file only contains the minimized settings you should do,
+# please look into settings.py to see the whole avaiable settings
+# you can do for your PDC instance.
+#
+# NOTE: For developers or others who want to extend the default
+#       settings, please remember to update your settings_local.py
+#       when the items you extended got updated in settings.py.
+
+REST_FRAMEWORK = {
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'pdc.apps.auth.authentication.TokenAuthenticationWithChangeSet',
+        'rest_framework.authentication.SessionAuthentication',
+    ),
+
+    'DEFAULT_PERMISSION_CLASSES': [
+        'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
+    ],
+
+    'DEFAULT_FILTER_BACKENDS': ('rest_framework.filters.DjangoFilterBackend',),
+
+    'DEFAULT_METADATA_CLASS': 'contrib.bulk_operations.metadata.BulkMetadata',
+
+    'DEFAULT_RENDERER_CLASSES': (
+        'rest_framework.renderers.JSONRenderer',
+        'pdc.apps.common.renderers.ReadOnlyBrowsableAPIRenderer',
+    ),
+
+    'EXCEPTION_HANDLER': 'pdc.apps.common.handlers.exception_handler',
+
+    'DEFAULT_PAGINATION_CLASS': 'pdc.apps.common.pagination.AutoDetectedPageNumberPagination',
+}
+
+
+import os.path
+
+BASE_DIR = os.path.dirname(os.path.dirname(__file__))
+
+DEBUG = False
+
+# NOTE: this is needed when DEGUB is False.
+#       https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
+ALLOWED_HOSTS = ['{{ hostname }}']
+
+# Database settings
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'NAME': '{{ pdc_db_name }}',
+        'USER': '{{ pdc_db_user }}',
+        'PASSWORD': '{{ pdc_db_pass }}',
+        'HOST': '{{ pdc_db_host }}',
+        # 'PORT': '',
+    }
+}
+
+REST_API_URL = 'rest_api/'
+REST_API_VERSION = 'v1'
+
+BROWSABLE_DOCUMENT_MACROS = {
+    # need to be rewrite with the real host name when deploy.
+    'HOST_NAME': 'http://{{ hostname }}:80',
+    # make consistent with rest api root.
+    'API_PATH': '%s%s' % (REST_API_URL, REST_API_VERSION),
+}
+
+def get_setting(setting):
+    import pdc.settings
+    return getattr(pdc.settings, setting)
+
+# ======== Email configuration =========
+# Email addresses who would like to receive email
+ADMINS = (
+    ('PDC Admins', 'rbean@redhat.com'),
+    ('PDC Admins', 'pingou@fedoraproject.org'),
+)
+MANAGERS = ADMINS
+
+# Email SMTP HOST configuration
+EMAIL_HOST = 'localhost'
+# Email sender's address
+SERVER_EMAIL = 'nobody@fedoraproject.org'
+EMAIL_SUBJECT_PREFIX = '[PDC]'
+
+# un-comment below 4 lines if enable email notification as meet any error
+#get_setting('LOGGING').get('loggers').update({'pdc.apps.common.handlers': {
+#    'handlers': ['mail_admins'],
+#    'level': 'ERROR',
+#}})
+