From dfde94e230e1bbe367ad0b36f41de2aeefdcebff Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 18 Aug 2015 19:17:57 +0000 Subject: [PATCH] Production bodhi2 settings. --- roles/bodhi2/base/templates/production.ini.j2 | 67 +++++++++++-------- 1 file changed, 40 insertions(+), 27 deletions(-) diff --git a/roles/bodhi2/base/templates/production.ini.j2 b/roles/bodhi2/base/templates/production.ini.j2 index d6147b80b7..6f0778e5da 100644 --- a/roles/bodhi2/base/templates/production.ini.j2 +++ b/roles/bodhi2/base/templates/production.ini.j2 @@ -1,5 +1,11 @@ +[filter:proxy-prefix] +use = egg:PasteDeploy#prefix +prefix = / +scheme = https + [app:main] use = egg:bodhi +filter-with = proxy-prefix ## ## Messages @@ -29,13 +35,12 @@ fedmsg_enabled = True # Captcha - if 'captcha.secret' is not None, then it will be used for comments # captcha.secret must be 32 url-safe base64-encoded bytes # you can generate afresh with >>> cryptography.fernet.Fernet.generate_key() -captcha.secret = CHANGEME +captcha.secret = {{ bodhi2CaptchaSecret }} # Dimensions captcha.image_width = 300 captcha.image_height = 80 # Any truetype font will do. -# This font lives in pcaro-hermit-fonts package -captcha.font_path = /usr/share/fonts/pcaro-hermit/Hermit-medium.otf +captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf captcha.font_size = 36 # Colors captcha.font_color = #000000 @@ -80,12 +85,12 @@ message_id_email_domain = admin.fedoraproject.org #masher = None # Where to initially mash repositories -mash_dir = %(here)s/masher/mash/ +mash_dir = /var/cache/bodhi/mashing # Where to symlink the latest repos by their tag name -mash_stage_dir = %(here)s/masher/ +mash_stage_dir = /var/cache/bodhi/mashed -mash_conf = /etc/mash/mash.conf +mash_conf = /etc/bodhi/mash.conf createrepo_cache_dir = /var/cache/createrepo 
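Review bot: The new `[filter:proxy-prefix]` section, enabled by `filter-with = proxy-prefix`, makes the application trust proxy-supplied request headers. By default (`translate_forwarded_server = true`) PasteDeploy's prefix middleware rewrites the host and client address from `X-Forwarded-*` headers. A client can set those headers itself unless the front-end proxy overwrites them, so the backend listener should accept connections only from the proxy layer; whether it does cannot be seen from this template. I would record the assumption above the section with `# Trusts X-Forwarded-* headers: bodhi must only be reachable through the proxies`.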
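Review bot: `captcha.secret = {{ bodhi2CaptchaSecret }}` writes a live secret into the rendered file, and the later hunks do the same with `{{ bodhi2Password }}` in `sqlalchemy.url` and `{{ bodhi2SessionKey }}` in `session.key`. The task that renders this template is not part of the patch, so please check that it sets a restrictive owner and mode rather than leaving the file world-readable. A header comment such as `# Rendered file contains secrets; must not be readable by other users` would keep that requirement visible to the next editor. The hunk also drops the comment naming the font package, so the package that provides `LiberationMono-Regular.ttf` is now an undocumented dependency.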
@@ -94,19 +99,19 @@ createrepo_cache_dir = /var/cache/createrepo jobs = cache_release_data refresh_metrics approve_testing_updates ## Comps configuration -comps_dir = /usr/share/bodhi/ +comps_dir = /var/cache/bodhi/comps comps_url = git://git.fedorahosted.org/comps.git ## ## Mirror settings ## file_url = http://download.fedoraproject.org/pub/fedora/linux/updates -master_repomd = http://download.fedora.redhat.com/pub/fedora/linux/updates/%d/i386/repodata/repomd.xml -fedora_master_repomd = http://download.fedora.redhat.com/pub/fedora/linux/updates/%d/i386/repodata/repomd.xml -fedora_epel_master_repomd = http://download.fedora.redhat.com/pub/epel/%d/i386/repodata/repomd.xml +master_repomd = 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml' +fedora_master_repomd = 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml' +fedora_epel_master_repomd = 'http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml' ## The base url of this application -base_address = https://bodhi.fedoraproject.org/updates/ +base_address = https://bodhi.fedoraproject.org/ ## Supported update types update_types = bugfix enhancement security newpackage @@ -194,13 +199,13 @@ exclude_mail = autoqa taskotron # What buildsystem do we want to use? For development, we'll use a fake # buildsystem that always does what we tell it to do. For production, we'll # want to use 'koji'. -buildsystem = dev +buildsystem = koji # Koji's XML-RPC hub -koji_hub = https://koji.stg.fedoraproject.org/kojihub +koji_hub = https://koji.fedoraproject.org/kojihub # Root url of the Koji instance to point to. No trailing slash -koji_url = http://koji.stg.fedoraproject.org +koji_url = http://koji.fedoraproject.org # URL of where users should go to set up their notifications fmn_url = https://apps.fedoraproject.org/notifications/ 
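Review bot: The three new `*_master_repomd` values are wrapped in single quotes, which the old values were not. Parsers of the configparser family keep quotes as part of the value, so unless bodhi strips them the URL template would start with `'` and the fetch would fail. Writing them unquoted avoids the question, e.g. `master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml`. The placeholders also change from one `%d` to two `%s`, which has to match the formatting call in the consuming code, not visible here. These fetches remain on plain `http://`, so the metadata is unauthenticated in transit.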
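Review bot: `koji_url = http://koji.fedoraproject.org` stays on plain HTTP, while `koji_hub` two lines above uses `https://` on the same host. Any links or requests built from `koji_url` would therefore go out in cleartext and could be tampered with in transit. Unless something requires HTTP here, I would change it to `koji_url = https://koji.fedoraproject.org`.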
@@ -213,9 +218,9 @@ fedmenu.url = https://apps.fedoraproject.org/fedmenu fedmenu.data_url = https://apps.fedoraproject.org/js/data.js # Koji certs -#client_cert = -#clientca_cert = -#serverca_cert = +client_cert = /etc/pki/bodhi/bodhi.pem +clientca_cert = /etc/pki/bodhi/fedora-upload-ca.cert +serverca_cert = /etc/pki/bodhi/fedora-server-ca.cert ## ## ACL system @@ -346,15 +351,24 @@ updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others. # pyramid.openid openid.success_callback = bodhi.security:remember_me openid.provider = https://id.fedoraproject.org/openid/ +openid.url = https://id.fedoraproject.org/ openid_template = {username}.id.fedoraproject.org +# CORS allowed origins for cornice services +# This can be wide-open. read-only, we don't care as much about. +cors_origins_ro = * +# This should be more locked down to avoid cross-site request forgery. +cors_origins_rw = bodhi.fedoraproject.org +cors_connect_src = https://*.fedoraproject.org/ wss://hub.fedoraproject.org:9939/ + + ## ## Pyramid settings ## -pyramid.reload_templates = true -pyramid.debug_authorization = true -pyramid.debug_notfound = true -pyramid.debug_routematch = true +pyramid.reload_templates = false +pyramid.debug_authorization = false +pyramid.debug_notfound = false +pyramid.debug_routematch = false pyramid.default_locale_name = en pyramid.includes = @@ -365,8 +379,7 @@ debugtoolbar.hosts = 127.0.0.1 ::1 ## ## Database ## -# XXX - you should really change this to postgres -sqlalchemy.url = sqlite:////var/cache/bodhi.db +sqlalchemy.url = postgresql://bodhi2:{{ bodhi2Password }}@db-bodhi/bodhi2 ## ## Templates 
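Review bot: `client_cert = /etc/pki/bodhi/bodhi.pem` presumably points at a file holding the private key bodhi uses to authenticate to Koji, yet nothing in the hunk records how the three files reach the host or with what permissions. A comment above the block such as `# bodhi.pem contains the private key; deploy it readable only by the service user` would make the requirement explicit. The task that installs these files is outside this patch and should be checked against that.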
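Review bot: The comment above `cors_origins_rw` presents the origin restriction as protection against cross-site request forgery, which CORS does not provide. CORS only decides whether a cross-origin script may read a response and whether preflighted requests proceed; a plain form POST from another site is still sent with the user's cookies. Write endpoints still need CSRF token checks, so I would reword the comment to `# Limits which origins may make scripted read-write calls; CSRF tokens are still required`. Separately, `bodhi.fedoraproject.org` carries no scheme while browsers send `Origin: https://bodhi.fedoraproject.org`, so if the value is compared verbatim it would never match; confirm how the application compares it.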
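Review bot: `{{ bodhi2Password }}` is placed raw inside the `sqlalchemy.url` line, so a password containing `@`, `/`, `:` or `#` changes how the URL is parsed. A `%` may additionally be read as INI interpolation, which the old file relied on for `%(here)s`. The simplest safe route is a comment above the line stating that the password must be limited to URL-safe characters (letters, digits, `-`, `_`). Rendering it with `| urlencode` is an alternative only if the loader leaves the resulting `%XX` sequences alone. The URL also carries no `sslmode` parameter, so whether the connection to `db-bodhi` is encrypted depends on defaults not visible here.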
@@ -384,9 +397,9 @@ authtkt.secure = false # pyramid_beaker session.type = file -session.data_dir = %(here)s/data/sessions/data -session.lock_dir = %(here)s/data/sessions/lock -session.key = mykey +session.data_dir = /var/cache/bodhi/sessions/data +session.lock_dir = /var/cache/bodhi/sessions/lock +session.key = {{ bodhi2SessionKey }} session.cookie_on_exception = true cache.regions = default_term, second, short_term, long_term cache.type = memory @@ -426,7 +439,7 @@ handlers = qualname = bodhi [logger_sqlalchemy] -level = INFO +level = WARN handlers = qualname = sqlalchemy.engine # "level = INFO" logs SQL queries.
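Review bot: `session.key = {{ bodhi2SessionKey }}` templates what Beaker treats as the session cookie's name, not a secret, so the value is sent to every browser in `Set-Cookie`. If the private variable was meant to sign sessions it belongs in `session.secret`, and the name can be a fixed public string such as `session.key = bodhi`; no `session.secret` line is visible in this hunk. The hunk header also shows `authtkt.secure = false` directly above, left unchanged even though this commit forces `scheme = https`. For production I would expect `authtkt.secure = true` and `session.secure = true` so the cookies are never sent over plain HTTP.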