diff --git a/roles/copr/frontend/files/DigiCertCA.crt b/roles/copr/frontend/files/DigiCertCA.crt deleted file mode 100644 index d08b961f22..0000000000 --- a/roles/copr/frontend/files/DigiCertCA.crt +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j -ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL -MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 -LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy -YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2 -4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC -Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1 -itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn -4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X -sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft -bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA -MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy -dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t -L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG -BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ -UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D -aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd -aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH -E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly -/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu -xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF -0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae -cPUeybQ= ------END CERTIFICATE----- 
diff --git a/roles/copr/frontend/files/banner-include.html b/roles/copr/frontend/files/banner-include.html
index 2b539819d1..78ada661ed 100644
--- a/roles/copr/frontend/files/banner-include.html
+++ b/roles/copr/frontend/files/banner-include.html
@@ -1,6 +1,6 @@

- Warning! This is a development server. + Warning! This is a staging server.

Production instance: https://copr.fedoraproject.org/
diff --git a/roles/copr/frontend/files/httpd/welcome.conf b/roles/copr/frontend/files/httpd/welcome.conf
deleted file mode 100644
index 3b15c42b9f..0000000000
--- a/roles/copr/frontend/files/httpd/welcome.conf
+++ /dev/null
@@ -1 +0,0 @@
-#commented out so it doesn't do that stupid index page
diff --git a/roles/copr/frontend/files/pg/pg_hba.conf b/roles/copr/frontend/files/pg/pg_hba.conf
deleted file mode 100644
index 3cf2f2cb65..0000000000
--- a/roles/copr/frontend/files/pg/pg_hba.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-local coprdb copr-fe md5
-host coprdb copr-fe 127.0.0.1/8 md5
-host coprdb copr-fe ::1/128 md5
-local coprdb postgres ident
-
-# TYPE DATABASE USER ADDRESS METHOD
-
-# "local" is for Unix domain socket connections only
-local all all peer
-# IPv4 local connections:
-host all all 127.0.0.1/32 ident
-# IPv6 local connections:
-host all all ::1/128 ident
diff --git a/roles/copr/frontend/files/robots.txt b/roles/copr/frontend/files/robots.txt
deleted file mode 100644
index 1f53798bb4..0000000000
--- a/roles/copr/frontend/files/robots.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-User-agent: *
-Disallow: /
diff --git a/roles/copr/frontend/handlers/main.yml b/roles/copr/frontend/handlers/main.yml
deleted file mode 100644
index 4585db853a..0000000000
--- a/roles/copr/frontend/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-- name: restart postgresql
- service: name=postgresql
- state=restarted
diff --git a/roles/copr/frontend/tasks/install_certs.yml b/roles/copr/frontend/tasks/install_certs.yml
deleted file mode 100644
index ea8714d423..0000000000
--- a/roles/copr/frontend/tasks/install_certs.yml
+++ /dev/null
@@ -1,14 +0,0 @@ -- name: copy httpd ssl certificates (crt) - copy: src="{{ private }}/files/httpd/{{item}}" - dest="/etc/pki/tls/certs/" - owner=root group=root mode=0600 - with_items: - - copr.fedorainfracloud.org.crt - - copr.fedorainfracloud.org.intermediate.crt - tags: - - config - -- name: copy httpd ssl certificates (key) - copy: src="{{ private }}/files/httpd/copr.fedorainfracloud.org.key" dest="/etc/pki/tls/private/" owner=root group=root mode=0600 - tags: - - config diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index 61b91f1ea0..a302a3e7c4 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -1,13 +1,4 @@ --- -- import_tasks: "mount_fs.yml" - -- command: "ls -dZ /var/lib/pgsql" - register: pgsql_ls - -- name: update selinux context for postgress db dir if it's wrong - command: "restorecon -vvRF /var/lib/pgsql" - when: pgsql_ls.stdout is defined and 'postgresql_db_t' not in pgsql_ls.stdout - - name: install copr-frontend and copr-selinux dnf: state=latest name={{ item }} with_items: @@ -20,17 +11,11 @@ - name: install additional pkgs for copr-frontend dnf: state=present pkg={{ item }} with_items: - - "bash-completion" - - "mod_ssl" - redis - - pxz - python3-alembic tags: - packages -- name: install a newer version of xstatic-jquery-ui-common - command: dnf install -y https://kojipkgs.fedoraproject.org//packages/python-XStatic-jquery-ui/1.12.0.1/2.fc26/noarch/xstatic-jquery-ui-common-1.12.0.1-2.fc26.noarch.rpm - - name: install copr configs template: src="copr.conf" dest=/etc/copr/copr.conf mode=600 notify: 
@@ -38,19 +23,9 @@ tags: - config -- name: enable and start redis # TODO: .service in copr-backend should depend on redis - service: name=redis enabled=yes state=started - - name: enable and start pagure-events service: name=pagure-events enabled=yes state=started -- name: copy apache files to conf.d - copy: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" - with_items: - - "welcome.conf" - tags: - - config - - name: copy apache files to conf.d (templates) template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}" with_items: @@ -65,15 +40,6 @@ state: yes persistent: yes -- import_tasks: "psql_setup.yml" - -- name: upgrade db to head - command: alembic-3 upgrade head - become: yes - become_user: copr-fe - args: - chdir: /usr/share/copr/coprs_frontend/ - - name: set up admins command: ./manage.py alter_user --admin {{ item }} become: yes 
@@ -88,48 +54,15 @@ - nb - kevin -- name: install ssl certificates for production - import_tasks: "install_certs.yml" - when: not devel - tags: - - config - -- name: letsencrypt cert - include_role: name=certbot - when: devel - tags: - - config - -- name: Check that cert file exists - stat: - path: "/etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem" - register: stat_cert - -- name: Should admin run certbot? - fail: - msg: Please see roles/certbot/README step (2) and manually run certbot - when: - - stat_cert.stat.exists == False - - devel - -- name: install copr-frontend ssl vhost - template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/coprs_ssl.conf" - tags: - - config - - name: enable services service: state=started enabled=yes name={{ item }} with_items: - httpd -- name: set dev banner for dev instance - when: devel +- name: set staging banner for staging instance + when: when: env == 'staging' copy: src=banner-include.html dest=/var/lib/copr/ -- name: disallow robots on dev instance - when: devel - copy: src=robots.txt dest=/var/www/html/ - - name: rebuild indexes command: ./manage.py update_indexes become: yes diff --git a/roles/copr/frontend/tasks/mount_fs.yml b/roles/copr/frontend/tasks/mount_fs.yml deleted file mode 100644 index e355d38ff6..0000000000 --- a/roles/copr/frontend/tasks/mount_fs.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: mount up disk of copr fe - mount: name=/srv/copr-fe src='LABEL=copr-fe' fstype=ext4 state=mounted - -- name: mount up bind mount for postgres - mount: src=/srv/copr-fe/pgsqldb name=/var/lib/pgsql fstype=auto opts=bind state=mounted - diff --git a/roles/copr/frontend/tasks/psql_setup.yml b/roles/copr/frontend/tasks/psql_setup.yml deleted file mode 100644 index b5116f6218..0000000000 --- a/roles/copr/frontend/tasks/psql_setup.yml +++ /dev/null 
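Review bot: The added condition on the staging-banner task reads `when: when: env == 'staging'`; the key is doubled, and an unquoted scalar containing `: ` should fail to parse as YAML, so the play would likely stop loading rather than skip the task. It should be `when: env == 'staging'`. The same hunk also drops the task that installed `robots.txt` on the non-production instance, so unless whatever now fronts this host (the SSL vhost and certificate tasks are removed here too, which suggests TLS moved elsewhere) serves a Disallow for staging, the staging site becomes indexable; worth confirming. A short comment above the task saying where `env` is defined would help, since that variable is not visible in this diff.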
@@ -1,110 +0,0 @@
-- name: install postresql
- package: state=present pkg={{ item }}
- with_items:
- - "postgresql-server"
- - "postgresql-contrib"
-
-
-- name: See if postgreSQL is installed
- stat: path=/var/lib/pgsql/initdb.log
- register: pgsql_installed
-
-- name: init postgresql
- shell: "postgresql-setup initdb"
- when: not pgsql_installed.stat.exists
-
-- name: copy pg_hba.conf
- copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
- notify:
- - restart postgresql
- tags:
- - config
-
-- name: Ensure postgres has a place to backup to
- file: dest=/backups state=directory owner=postgres
- tags:
- - config
-
-# TODO: I think we missing user creation, check it we do it somewhere else ...
-
-- name: Copy over backup scriplet
- copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
- tags:
- - config
-
-- name: Set up some cronjobs to backup databases as configured
- template: >
- src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
- dest="/etc/cron.d/cron-backup-database-{{ item }}"
- with_items:
- - "{{ dbs_to_backup }}"
- when: dbs_to_backup != []
- tags:
- - config
-
-- name: enable Pg service
- service: state=started enabled=yes name=postgresql
-
-- name: Create db
- postgresql_db: name="coprdb" encoding='UTF-8'
- become: yes
- become_user: postgres
-
-- name: Create db user
- postgresql_user: db="coprdb" name="copr-fe" password="{{ copr_database_password }}" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
- become: yes
- become_user: postgres
-
-- name: set shared_buffers for PostgreSQL
- lineinfile:
- path: /var/lib/pgsql/data/postgresql.conf
- regexp: '^shared_buffers ='
- line: 'shared_buffers = 1024MB'
- notify: restart postgresql
- tags:
- - config
-
-- name: set effective_cache_size for PostgreSQL
- lineinfile:
- path: /var/lib/pgsql/data/postgresql.conf
- regexp: '^effective_cache_size ='
- line:
'effective_cache_size = 2048MB' - notify: restart postgresql - tags: - - config - -- name: set work_mem for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^work_mem =' - line: 'work_mem = 4MB' - notify: restart postgresql - tags: - - config - -- name: set maintenance_work_mem for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^maintenance_work_mem =' - line: 'maintenance_work_mem = 1GB' - notify: restart postgresql - tags: - - config - -- name: set checkpoint_completion_target for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^checkpoint_completion_target =' - line: 'checkpoint_completion_target = 0.9' - notify: restart postgresql - tags: - - config - -- name: set log_min_duration_statement for PostgreSQL - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^log_min_duration_statement =' - line: 'log_min_duration_statement = 500' - notify: restart postgresql - tags: - - config diff --git a/roles/copr/frontend/templates/httpd/coprs.conf b/roles/copr/frontend/templates/httpd/coprs.conf index 453144a8ac..5f992a9ca1 100644 --- a/roles/copr/frontend/templates/httpd/coprs.conf +++ b/roles/copr/frontend/templates/httpd/coprs.conf @@ -28,14 +28,6 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application -{% if devel %} - - RewriteEngine on - RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] - RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE] - -{% endif %} - ExtendedStatus On diff --git a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 b/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 deleted file mode 100644 index 846d8d85dd..0000000000 --- a/roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2 +++ /dev/null 
@@ -1,80 +0,0 @@ -Listen 443 https - - - - SSLEngine on - SSLProtocol {{ ssl_protocols }} - # Use secure TLSv1.1 and TLSv1.2 ciphers - SSLCipherSuite {{ ssl_ciphers }} - SSLHonorCipherOrder on - Header always add Strict-Transport-Security "max-age=31536000; preload" - - {% if not devel %} - SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt - SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key - SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt - {% else %} - SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem - {% endif %} - - ServerName {{ copr_frontend_public_hostname }} - - WSGIPassAuthorization On - WSGIScriptAlias / /usr/share/copr/coprs_frontend/application - WSGIProcessGroup 127.0.0.1 - - - WSGIProcessGroup api - - - WSGIProcessGroup backend - - - WSGIProcessGroup stats - - - WSGIProcessGroup tmp - - - #ErrorLog logs/error_coprs - #CustomLog logs/access_coprs common - - - WSGIApplicationGroup %{GLOBAL} - Require all granted - - - RewriteEngine on - RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301] - RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301] - - # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work - RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT] - RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT] - - - - SSLEngine on - SSLProtocol {{ ssl_protocols }} - # Use secure TLSv1.1 and TLSv1.2 ciphers - SSLCipherSuite {{ ssl_ciphers }} - SSLHonorCipherOrder on - Header always add Strict-Transport-Security "max-age=31536000; 
preload" - - {% if not devel %} - SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt - SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key - SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt - {% else %} - SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem - {% endif %} - - {% if not devel %} - ServerAlias copr.fedoraproject.org - Redirect 302 / https://copr.fedorainfracloud.org/ - {% endif %} -