diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org
index eb415612bd..ec0913d153 100644
--- a/inventory/host_vars/upstreamfirst.fedorainfracloud.org
+++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org
@@ -1,15 +1,14 @@
---
+############################################################
+# Persistent Cloud
+############################################################
+
instance_type: m1.medium
image: CentOS-7-x86_64-GenericCloud-1503
keypair: fedora-admin-20130801
security_group: default # NOTE: security_group MUST contain default.
zone: nova
-tcp_ports: [ 22, 25, 80, 443, 9418,
- # Used for the eventsource server
- 8088,
- # This is for the pagure public fedmsg relay
- 9940]
inventory_tenant: persistent
inventory_instance_name: upstreamfirst
@@ -26,25 +25,51 @@ volumes:
cloud_networks:
# persistent-net
- net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
-#
+
+############################################################
+# General configuration
+############################################################
+
+tcp_ports: [ 22, 25, 80, 443, 9418,
+ # Used for the eventsource server
+ 8088,
+ # This is for the pagure public fedmsg relay
+ 9940]
+
+external_hostname: 'upstreamfirst.fedorainfracloud.org'
+
+############################################################
# PostgreSQL configuration
-#
+############################################################
shared_buffers: "2GB"
effective_cache_size: "6GB"
-#
-# Pagure Config
-#
-pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}"
-pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}"
-pagure_db_user: "{{ upstreamfirst_pagure_db_user }}"
-pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}"
-pagure_db_host: "{{ upstreamfirst_pagure_db_host }}"
-pagure_db_name: "{{ upstreamfirst_pagure_db_name }}"
-pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}"
-pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}"
+############################################################
+# Pagure Config
+############################################################
+
+
+new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}"
+new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}"
+new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}"
+new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}"
+new_pagure_db_host: "{{ upstreamfirst_pagure_db_host }}"
+new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}"
+new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}"
+new_pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}"
+
+pagure_admin_email: 'tflink@fedoraproject.org'
+
+pagure_ssh_host_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/bYFmX8pthJHcM2J85+mmN8pGJ/EJMcsdwoazihcooIBONcUazYF/BVV5/3nK7H3shq2nLR7vmdd2NuFHOPNsaAMK6nlADEg2tsKMC3UHHnwo1/iIO21pvf7+w2KIKCNIhiYA70W1aIxFBMZ7oo0VXjZ19PBwg6huAh0CBrLBP+XU4QN6LgLd87T5qMN/7g/QVqDforeoL8NUSQXMfzYNbxXPdRvMc5vbEMS/QNu5I8Ycu6FDqChnWc5Qd2orVCNreEMKwkgW27+FTpxzAnq3avotb0Cv1WuZjd8q402ldvp+ELcS8WHc+Mx41KaR//QTlSIYeX4OlcX/pl6C+Sdz'
+
+# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
+pagure_ssh_host_fingerprint: '2048 6b:d8:48:27:5a:11:d1:14:e0:c1:91:23:45:c7:fb:6d (RSA)'
+
+# awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64_
+pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI='
+
stunnel_service: "eventsource"
stunnel_source_port: 8088
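Review bot: `new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}"` sets the Flask SECRET_KEY to the database admin user name rather than to a dedicated secret; SECRET_KEY signs session cookies, so a value that is also used (and therefore known) elsewhere lets sessions be forged. Give it its own private variable, e.g. `new_pagure_secret_key: "{{ upstreamfirst_pagure_secret_key }}"` with that name defined in the private vars file (placeholder name, to be created). Note also that pagure.cfg at the end of this diff reads `{{ pagure_secret_key }}` and `{{ pagure_secret_salt_email }}` while this hunk renames those to `new_*`; unless the old names are still defined in group vars, the template will fail to render or pick up another host's values. The `base64_` at the end of the fingerprint comment looks like a stray character.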
diff --git a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
index fba8323e2d..b09d0fa24b 100644
--- a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
+++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
@@ -49,21 +49,21 @@
- "/srv/private/ansible/vars.yml"
- "{{ vars_path }}/{{ ansible_distribution }}.yml"
- pre_tasks:
- - name: install fedmsg-relay
- yum: pkg=fedmsg-relay state=present
- tags:
- - pagure
- - pagure/fedmsg
- - name: and start it
- service: name=fedmsg-relay state=started
- tags:
- - pagure
- - pagure/fedmsg
-
+# pre_tasks:
+# - name: install fedmsg-relay
+# yum: pkg=fedmsg-relay state=present
+# tags:
+# - pagure
+# - pagure/fedmsg
+# - name: and start it
+# service: name=fedmsg-relay state=started
+# tags:
+# - pagure
+# - pagure/fedmsg
+#
roles:
- - pagure/frontend
- - pagure/fedmsg
+ - pagure/upstreamfirst-frontend
+ # - pagure/fedmsg
handlers:
- include: "{{ handlers_path }}/restart_services.yml"
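Review bot: The commented-out `pre_tasks` block and the `# - pagure/fedmsg` role entry should be deleted rather than parked as comments — git history keeps them, and the commented YAML will drift out of date. The new role's service task in roles/pagure/upstreamfirst-frontend/tasks/main.yml still lists `fedmsg-relay`, which this playbook no longer installs, so that item will fail on every run and is only hidden by the `ignore_errors: true` on that task; drop it there or keep the install step.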
diff --git a/roles/pagure/upstreamfirst-frontend/files/aliases b/roles/pagure/upstreamfirst-frontend/files/aliases
new file mode 100644
index 0000000000..193cf3f4a7
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/aliases
@@ -0,0 +1,91 @@
+#
+# Aliases in this file will NOT be expanded in the header from
+# Mail, but WILL be visible over networks or from /bin/mail.
+#
+# >>>>>>>>>> The program "newaliases" must be run after
+# >> NOTE >> this file is updated for any changes to
+# >>>>>>>>>> show through to sendmail.
+#
+
+# Basic system aliases -- these MUST be present.
+mailer-daemon: postmaster
+postmaster: sysadmin-main
+
+# General redirections for pseudo accounts.
+bin: root
+daemon: root
+adm: root
+lp: root
+sync: root
+shutdown: root
+halt: root
+mail: root
+#news: root
+uucp: root
+operator: root
+games: root
+gopher: root
+ftp: root
+#nobody: root
+radiusd: root
+nut: root
+dbus: root
+vcsa: root
+canna: root
+wnn: root
+rpm: root
+nscd: root
+pcap: root
+apache: root
+webalizer: root
+dovecot: root
+fax: root
+quagga: root
+radvd: root
+pvm: root
+amanda: root
+privoxy: root
+ident: root
+named: root
+xfs: root
+gdm: root
+mailnull: root
+postgres: root
+sshd: root
+smmsp: root
+postfix: root
+netdump: root
+ldap: root
+squid: root
+ntp: root
+mysql: root
+desktop: root
+rpcuser: root
+rpc: root
+nfsnobody: root
+notifications: root
+
+ingres: root
+system: root
+toor: root
+manager: root
+dumper: root
+abuse: root
+nagios: root
+
+newsadm: news
+newsadmin: news
+usenet: news
+ftpadm: ftp
+ftpadmin: ftp
+ftp-adm: ftp
+ftp-admin: ftp
+
+# trap decode to catch security attacks
+decode: root
+
+# Person who should get root's mail
+root: sysadmin-main
+
+pagure: /dev/null
+reply: /dev/null
diff --git a/roles/pagure/upstreamfirst-frontend/files/backup-database b/roles/pagure/upstreamfirst-frontend/files/backup-database
new file mode 100644
index 0000000000..3f6e7d8fb1
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/backup-database
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Backup a database *locally* to /backups/.
+
+DB=$1
+
+# Make our latest backup
+/usr/bin/pg_dump -C $DB | /usr/bin/xz > /backups/$DB-$(date +%F).dump.xz
+
+# Also, delete the backup from a few days ago.
+rm -f /backups/$DB-$(date --date="3 days ago" +%F).dump.xz
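Review bot: `$DB` is unquoted on both the pg_dump and rm lines and the script has no `set -e`/`pipefail`, so a failed pg_dump still produces a truncated `.dump.xz` with a zero exit status, and a missing argument silently expands to `/backups/-<date>.dump.xz`. Add `set -euo pipefail` after the shebang, guard the argument with `DB=${1:?usage: backup-database DBNAME}`, and quote `"$DB"` in both paths. Writing to a temporary name and renaming only after xz succeeds would avoid leaving a partial file at the dated name. Nothing on the page sets the mode of /backups; since the dumps contain the full database, confirm the directory is not world-readable.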
diff --git a/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service b/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service
new file mode 100644
index 0000000000..f194b1b5cd
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/pagure_ev.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Pagure EventSource server (Allowing live refresh of the pages supporting it)
+After=redis.target
+Documentation=https://pagure.io/pagure
+
+[Service]
+ExecStart=/usr/libexec/pagure-ev/pagure_stream_server.py
+Type=simple
+User=git
+Group=git
+Restart=on-failure
+LimitNOFILE=40960
+
+[Install]
+WantedBy=multi-user.target
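Review bot: `After=redis.target` names a unit that does not exist — the redis package ships `redis.service` — and systemd silently ignores ordering against unknown units, so the eventsource server may start before redis and lean on `Restart=on-failure` to recover. Change it to `After=network.target redis.service` (add `Wants=redis.service` if the dependency is hard). The service runs as `git` with no sandboxing; `PrivateTmp=true` and `NoNewPrivileges=true` are cheap additions for a network-facing process.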
diff --git a/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf b/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf
new file mode 100644
index 0000000000..83aca29868
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/pg_hba.conf
@@ -0,0 +1,78 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the PostgreSQL Administrator's Guide, chapter "Client
+# Authentication" for a complete description. A short synopsis
+# follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTION]
+# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
+# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
+# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain socket,
+# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
+# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", a database name, or
+# a comma-separated list thereof.
+#
+# USER can be "all", a user name, a group name prefixed with "+", or
+# a comma-separated list thereof. In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names from
+# a separate file.
+#
+# CIDR-ADDRESS specifies the set of hosts the record matches.
+# It is made up of an IP address and a CIDR mask that is an integer
+# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
+# the number of significant bits in the mask. Alternatively, you can write
+# an IP address and netmask in separate columns to specify the set of hosts.
+#
+# METHOD can be "trust", "reject", "md5", "crypt", "password",
+# "krb5", "ident", or "pam". Note that "password" sends passwords
+# in clear text; "md5" is preferred since it sends encrypted passwords.
+#
+# OPTION is the ident map or the name of the PAM service, depending on METHOD.
+#
+# Database and user names containing spaces, commas, quotes and other special
+# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
+# "samerole" makes the name lose its special character, and just match a
+# database or username with that name.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect. You can use
+# "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL listen
+# on a non-local interface via the listen_addresses configuration parameter,
+# or via the -i or -h command line switches.
+#
+
+#@authcomment@
+
+# TYPE DATABASE USER CIDR-ADDRESS METHOD
+
+#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
+#@remove-line-for-nolocal@local all all @authmethod@
+# IPv4 local connections:
+#host all all 127.0.0.1/32 @authmethod@
+# IPv6 local connections:
+#host all all ::1/128 @authmethod@
+
+local all all ident
+host koji koji 10.5.126.61 255.255.255.255 md5
+host all all 0.0.0.0 0.0.0.0 md5
+# Note, I can't think of a reason to make this more restrictive than ipv4 but
+# only fakefas needs it so far
+host all all ::1/128 md5
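Review bot: `host all all 0.0.0.0 0.0.0.0 md5` opens password authentication to every database from any IPv4 address, and the `host koji koji 10.5.126.61 255.255.255.255 md5` rule together with the fakefas comment look copied from another host's pg_hba.conf rather than written for pagure. Unless a remote client is expected, restrict to loopback — `host all all 127.0.0.1/32 md5` alongside the existing `::1/128` line — and drop the koji rule. The host_vars in this commit do not include 5432 in `tcp_ports`, so the security group is probably the only thing keeping the open rule unreachable; the HBA file should not depend on that.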
diff --git a/roles/pagure/upstreamfirst-frontend/files/robots.txt b/roles/pagure/upstreamfirst-frontend/files/robots.txt
new file mode 100644
index 0000000000..a70291b52e
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/robots.txt
@@ -0,0 +1,5 @@
+User-agent: *
+Disallow: /api
+Disallow: /login
+Disallow: /*/raw
+Crawl-Delay: 2
diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.fc b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if
new file mode 100644
index 0000000000..3eb6a3057b
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if
@@ -0,0 +1 @@
+##
diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp
new file mode 100644
index 0000000000..a6248e7014
Binary files /dev/null and b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp differ
diff --git a/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.te b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.te
new file mode 100644
index 0000000000..d661e611e9
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/selinux/pagure.te
@@ -0,0 +1,11 @@
+module pagure 1.0;
+
+require {
+ type httpd_t;
+ type gitosis_var_lib_t;
+ class dir { add_name remove_name write };
+ class file { create link setattr unlink write };
+}
+
+allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
+allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };
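Review bot: The compiled `pagure.pp` is committed as a binary next to its source `pagure.te`, so a reviewer cannot confirm the two match, and any later edit to the .te silently goes stale until someone rebuilds and re-commits the .pp. Consider building the module at deploy time from the .te (`checkmodule -M -m -o pagure.mod pagure.te` then `semodule_package -o pagure.pp -m pagure.mod`), or at least record the rebuild command in a comment at the top of this file. The rules themselves (httpd_t writing to gitosis_var_lib_t) are consistent with Apache serving git-receive-pack in 0_pagure.conf; a one-line comment stating that rationale would help the next reader judge whether the grant is still needed.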
diff --git a/roles/pagure/upstreamfirst-frontend/files/stunnel.service b/roles/pagure/upstreamfirst-frontend/files/stunnel.service
new file mode 100644
index 0000000000..8701ba266f
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/files/stunnel.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=stunnel
+After=network.target
+Documentation=https://infrastructure.fedoraproject.org/infra/docs/fedmsg-websocket.txt
+
+[Service]
+ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
+Type=forking
+User=root
+Group=root
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
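Review bot: `Type=forking` without a `PIDFile=` leaves systemd guessing the main process after stunnel daemonizes, which makes stop/restart tracking unreliable. Either add `PIDFile=` matching the `pid` option in the stunnel.conf template (not on this page), or set `foreground = yes` there and use `Type=simple`. The unit runs as root; if the stunnel.conf template does not already drop privileges via `setuid`/`setgid`, it should, since the process only needs to bind its listening port at startup — verify against the template.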
diff --git a/roles/pagure/upstreamfirst-frontend/handlers/main.yml b/roles/pagure/upstreamfirst-frontend/handlers/main.yml
new file mode 100644
index 0000000000..62b144e24b
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart pagure_milter
+ service: name=pagure_milter state=restarted
diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml
new file mode 100644
index 0000000000..df0f438bc9
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml
@@ -0,0 +1,333 @@
+---
+# Configuration for the pagure webapp
+
+- name: install needed packages
+ yum: pkg={{ item }} state=present
+ with_items:
+ - pagure
+ - pagure-ci
+ - pagure-ev
+ - pagure-loadjson
+ - pagure-logcom
+ - pagure-milters
+ - pagure-webhook
+ - python-psycopg2
+ - redis
+ - libsemanage-python
+ - mod_ssl
+ - stunnel
+ # Use haveged to ensure the server keeps some entropy
+ - haveged
+ tags:
+ - pagure
+ - packages
+
+- name: Initialize postgres if necessary
+ command: /usr/bin/postgresql-setup initdb
+ creates=/var/lib/pgsql/data
+ notify:
+ - restart postgresql
+ tags:
+ - pagure
+
+- name: Put in robots.txt
+ copy: src=robots.txt dest=/var/www/html/robots.txt
+ tags:
+ - pagure
+
+
+# Set-up gitolite
+
+- name: install needed packages
+ yum: pkg=gitolite3 state=present
+ tags:
+ - pagure
+ - gitolite
+ - packages
+
+- name: Rename the user gitolite into git
+ command: usermod --move-home --login git --home /srv/git/ gitolite3
+ creates=/srv/git/
+ tags:
+ - gitolite
+ - pagure
+
+- name: Rename the group gitolite into git
+ command: groupmod --new-name git gitolite3
+ creates=/srv/git/.gitolite/conf
+ tags:
+ - gitolite
+ - pagure
+
+- name: create the /srv/git/.gitolite/conf folder
+ file: state=directory
+ path=/srv/git/.gitolite/conf
+ owner=git group=git mode=0775
+ tags:
+ - gitolite
+ - pagure
+
+- name: create the /srv/git/.gitolite/keydir folder
+ file: state=directory
+ path=/srv/git/.gitolite/keydir
+ owner=git group=git mode=0775
+ tags:
+ - gitolite
+ - pagure
+
+- name: create the /srv/git/.gitolite/logs folder
+ file: state=directory
+ path=/srv/git/.gitolite/logs
+ owner=git group=git mode=0775
+ tags:
+ - gitolite
+ - pagure
+
+- name: Adjust owner of /srv/git
+ file: name=/srv/git state=directory recurse=yes owner=git group=git
+ tags:
+ - gitolite
+
+- name: Adjust permissions of /srv/git/.gitolite
+ file: name=/srv/git/.gitolite state=directory recurse=yes owner=git group=git
+ tags:
+ - gitolite
+
+- name: install our own gitolite configuration
+ template: src=gitolite.rc
+ dest=/srv/git/.gitolite.rc
+ owner=git group=git mode=0755
+ tags:
+ - gitolite
+ - pagure
+
+- name: create all the directories where we store the git repos
+ file: state=directory
+ path={{ item }}
+ owner=git group=git mode=0775
+ with_items:
+ - /srv/git/repositories/
+ - /srv/git/repositories/forks
+ - /srv/git/repositories/docs
+ - /srv/git/repositories/tickets
+ - /srv/git/repositories/requests
+ - /srv/git/remotes
+ tags:
+ - gitolite
+ - pagure
+
+- name: create the /srv/tmp folder where to clone repos
+ file: state=directory
+ path=/srv/tmp
+ owner=git group=git mode=0775
+ tags:
+ - gitolite
+ - pagure
+
+
+# Set-up postfix and the milter for postfix
+
+- name: Add the /etc/aliases file
+ copy: src=aliases dest=/etc/aliases owner=root mode=644
+ tags:
+ - config
+ - pagure
+ - postfix
+ notify:
+ - restart postfix
+ - restart pagure_milter
+
+# Override pagure_ev systemd service file
+
+- name: install pagure_ev service definition
+ copy: src=pagure_ev.service
+ dest=/usr/lib/systemd/system/pagure_ev.service
+ owner=root group=root mode=0644
+ notify:
+ - reload systemd
+ - restart pagure_ev
+ tags:
+ - pagure
+ - pagure_ev
+
+# Set-up stunnel for the event source server
+
+- name: install stunnel service definition
+ copy: src=stunnel.service
+ dest=/usr/lib/systemd/system/stunnel.service
+ owner=root group=root mode=0644
+ notify:
+ - reload systemd
+ - restart stunnel
+ tags:
+ - pagure
+ - stunnel
+
+- name: ensure old stunnel init file is gone
+ file: dest=/etc/init.d/stunnel/stunnel.init state=absent
+ tags:
+ - pagure
+ - stunnel
+ - config
+
+- name: install stunnel.conf
+ template: src={{ item.file }}
+ dest={{ item.dest }}
+ owner=root group=root mode=0600
+ with_items:
+ - { file: stunnel-conf.j2, dest: /etc/stunnel/stunnel.conf }
+ notify: restart stunnel
+ tags:
+ - pagure
+ - stunnel
+ - config
+
+
+# Set-up Pagure
+
+- name: create the /var/www/releases folder
+ file: state=directory
+ path=/var/www/releases
+ owner=git group=git mode=0775
+ tags:
+ - pagure
+ - web
+
+- name: copy sundry pagure configuration
+ template: src={{ item.file }}
+ dest={{ item.location }}/{{ item.file }}
+ owner=git group=postfix mode=0640
+ with_items:
+ - { file: pagure.cfg, location: /etc/pagure }
+ - { file: alembic.ini, location: /etc/pagure }
+ changed_when: "1 != 1"
+ tags:
+ - config
+ - web
+ - pagure
+ notify:
+ - restart apache
+
+- name: create the database scheme
+ command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py
+ changed_when: "1 != 1"
+ environment:
+ PAGURE_CONFIG: /etc/pagure/pagure.cfg
+ tags:
+ - web
+ - pagure
+
+- name: Install the SSL cert so that we can use https
+ copy: >
+ src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }}
+ owner=root group=root mode=0600
+ notify: restart stunnel
+ with_items:
+ - pagure.io.cert
+ - pagure.io.key
+ - pagure.io.intermediate.cert
+ - docs.pagure.org.crt
+ - docs.pagure.org.intermediate.crt
+ - docs.pagure.org.key
+ tags:
+ - config
+ - pagure
+ - httpd/certificate
+
+- name: Install the configuration file to activate https
+ template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
+ owner=root group=root mode=0644
+ with_items:
+ - 0_pagure.conf
+ tags:
+ - files
+ - config
+ - pagure
+ notify:
+ - restart apache
+
+- name: Install the wsgi file
+ template: src={{ item }}
+ dest=/var/www/{{ item }}
+ owner=git group=git mode=0644
+ with_items:
+ - pagure.wsgi
+ - docs_pagure.wsgi
+ tags:
+ - config
+ - web
+ - pagure
+ notify:
+ - restart apache
+
+- name: Add default facl so apache can read git repos
+ acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present
+ register: acl_updates
+ tags:
+ - pagure
+
+- name: Manually fix current default ACLs since Ansible doesnt know recursive acls
+ when: acl_updates.changed
+ command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git
+ tags:
+ - pagure
+
+- name: Manually fix current ACLs since Ansible doesnt know recursive acls
+ when: acl_updates.changed
+ command: /usr/bin/setfacl -Rm user:apache:rx /srv/git
+ tags:
+ - pagure
+
+- name: copy over our custom selinux module
+ copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp
+ register: selinux_module
+ tags:
+ - pagure
+
+- name: install our custom selinux module
+ command: semodule -i /usr/local/share/pagure.pp
+ when: selinux_module|changed
+ tags:
+ - pagure
+
+- name: set sebooleans so pagure can talk to the network (db + redis)
+ seboolean: name=httpd_can_network_connect
+ state=true
+ persistent=true
+ tags:
+ - selinux
+ - web
+ - pagure
+
+- name: set sebooleans so apache can send emails
+ seboolean: name=httpd_can_sendmail
+ state=true
+ persistent=true
+ tags:
+ - selinux
+ - web
+ - pagure
+
+
+# Ensure all the services are up and running
+
+- name: Start and enable httpd, postfix, pagure_milter
+ service: name={{ item }} enabled=yes state=started
+ with_items:
+ - httpd
+ - postfix
+ - stunnel
+ - redis
+ - pagure_ev
+ - pagure_ci
+ - pagure_loadjon
+ - pagure_logcom
+ - pagure_milter
+ - pagure_webhook
+ - fedmsg-relay
+ - haveged
+ ignore_errors: true
+ tags:
+ - pagure
+ - service
+ - postfix
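Review bot: `- pagure_loadjon` in the final service task is a typo for `pagure_loadjson` (the package installed at the top of the file is `pagure-loadjson`), and `ignore_errors: true` on that task means this failure — and any other service that fails to start — is never reported. Fix the name, drop `ignore_errors`, and list only services this role actually installs (`fedmsg-relay` is no longer installed by the playbook in this commit). Separately, the "copy sundry pagure configuration" task sets `changed_when: "1 != 1"`, so its `notify: restart apache` can never fire; if the intent was to keep the templated credentials out of the run output, `no_log: true` does that without suppressing the change status.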
diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
new file mode 100644
index 0000000000..dfc53adbf3
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
@@ -0,0 +1,133 @@
+WSGISocketPrefix run/wsgi
+#WSGIRestrictStdout On
+WSGIRestrictSignal Off
+WSGIPythonOptimize 1
+WSGIPassAuthorization On
+WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=4 threads=4 inactivity-timeout=300
+WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300
+
+## Redirects http -> https
+
+
+ ServerName {{ external_hostname }}
+ Redirect permanent / https://{{ external_hostname }}/
+
+
+
+ ServerName docs.{{ external_hostname }}
+ Redirect permanent / https://docs.{{ external_hostname }}/
+
+
+
+ ServerName releases.{{ external_hostname }}
+ Redirect permanent / https://releases.{{ external_hostname }}/
+
+# Added until we can get the cert out
+ DocumentRoot "/var/www/releases"
+
+
+ Options +Indexes
+ IndexOptions NameWidth=*
+
+
+
+
+
+
+## End of redirects http -> https
+
+
+
+ ServerName {{ external_hostname }}
+
+ Alias "/robots.txt" "/var/www/html/robots.txt"
+
+ WSGIScriptAlias / /var/www/pagure.wsgi
+
+ ServerAdmin admin@fedoraproject.org
+
+ SSLEngine on
+ SSLProtocol {{ ssl_protocols }}
+ SSLCipherSuite {{ ssl_ciphers }}
+ # Use secure TLSv1.1 and TLSv1.2 ciphers
+ Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+
+ SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
+ SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
+ SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
+
+ Alias /static /usr/lib/python2.7/site-packages/pagure/static/
+
+ SetEnv GIT_PROJECT_ROOT /srv/git/repositories
+
+ AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1
+ AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/repositories/$1
+ ScriptAliasMatch \
+ "(?x)^/(.*/(HEAD | \
+ info/refs | \
+ objects/info/[^/]+ | \
+ git-(upload|receive)-pack))$" \
+ /usr/libexec/git-core/git-http-backend/$1
+
+
+ WSGIProcessGroup pagure
+
+ # Apache 2.4
+ Require all granted
+
+
+ # Apache 2.2
+ Order deny,allow
+ Allow from all
+
+
+
+
+ Redirect "/releases" https://releases.{{ external_hostname }}
+
+
+
+
+
+
+ ServerName docs.{{ external_hostname }}
+
+ WSGIScriptAlias / /var/www/docs_pagure.wsgi
+
+ SSLEngine on
+ SSLProtocol {{ ssl_protocols }}
+ SSLCipherSuite {{ ssl_ciphers }}
+ # Use secure TLSv1.1 and TLSv1.2 ciphers
+ Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+
+ SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
+ SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
+ SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
+
+ Alias /static /usr/lib/python2.7/site-packages/pagure/static/
+
+
+ WSGIProcessGroup paguredocs
+
+ # Apache 2.4
+ Require all granted
+
+
+ # Apache 2.2
+ Order deny,allow
+ Allow from all
+
+
+
+
+
+ DocumentRoot "/var/www/releases"
+ ServerName releases.{{ external_hostname }}
+
+
+ Options +Indexes
+ IndexOptions NameWidth=*
+
+
+
+
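Review bot: Both TLS vhosts set `ServerName {{ external_hostname }}` (upstreamfirst.fedorainfracloud.org per the host_vars in this commit) yet load `/etc/pki/tls/certs/pagure.io.cert`; unless that certificate's SAN list also covers the upstreamfirst names, clients get a hostname mismatch, and `Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"` then commits them to that broken HTTPS endpoint for six months. Confirm the certificate or point the `SSLCertificate*` directives at one issued for this host before shipping `preload`. In the plain-HTTP `releases.` vhost, `Redirect permanent /` catches every request before `DocumentRoot "/var/www/releases"` is consulted, so the directory listing meant to serve "until we can get the cert out" is unreachable as written. The `<VirtualHost>`/`<Directory>` tags appear to have been lost in rendering this hunk, so the block structure above is inferred.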
diff --git a/roles/pagure/upstreamfirst-frontend/templates/alembic.ini b/roles/pagure/upstreamfirst-frontend/templates/alembic.ini
new file mode 100644
index 0000000000..7daf38c633
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/alembic.ini
@@ -0,0 +1,50 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+script_location = /usr/share/pagure/alembic
+
+# template used to generate migration files
+# file_template = %%(rev)s_%%(slug)s
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+#sqlalchemy.url = postgresql://<%= pkgdb_app %>:<%= pkgdb_appPassword %>@db-pkgdb/pkgdb
+
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S
diff --git a/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi b/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi
new file mode 100644
index 0000000000..a9f8cea973
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi
@@ -0,0 +1,22 @@
+#-*- coding: utf-8 -*-
+
+# The three lines below are required to run on EL6 as EL6 has
+# two possible version of python-sqlalchemy and python-jinja2
+# These lines make sure the application uses the correct version.
+import __main__
+__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4']
+import pkg_resources
+
+import os
+## Set the environment variable pointing to the configuration file
+os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg'
+
+## The following is only needed if you did not install pagure
+## as a python module (for example if you run it from a git clone).
+#import sys
+#sys.path.insert(0, '/path/to/pagure/')
+
+
+## The most import line to make the wsgi working
+from pagure.docs_server import APP as application
+#application.debug = True
diff --git a/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc b/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc
new file mode 100644
index 0000000000..1a20d4277c
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/gitolite.rc
@@ -0,0 +1,195 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax. But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0077,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => '',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # syslog options
+ # 1. leave this section as is for normal gitolite logging
+ # 2. uncomment this line to log only to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ # 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ 'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ #'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ # 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ # 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ # Kindergarten mode
+
+ # disallow various things that sensible people shouldn't be doing anyway
+ # 'Kindergarten',
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg
new file mode 100644
index 0000000000..a536202776
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.cfg
@@ -0,0 +1,233 @@
+from datetime import timedelta
+
+### Set the time after which the admin session expires
+# There are two sessions on pagure, login that holds for 31 days and
+# the session defined here after which an user has to re-login.
+# This session is used when accessing all administrative parts of pagure
+# (ie: changing a project's or a user's settings)
+ADMIN_SESSION_LIFETIME = timedelta(minutes=20)
+
+# Make the CSRF token not-time limited, this way it is valid for the entire
+# duration of the session.
+WTF_CSRF_TIME_LIMIT=None
+
+### Secret key for the Flask application
+SECRET_KEY='{{ pagure_secret_key }}'
+SALT_EMAIL='{{ pagure_secret_salt_email }}'
+
+EMAIL_SEND = True
+
+# This is required so that login specifies https
+PREFERRED_URL_SCHEME='https'
+
+### url to the database server:
+#DB_URL=mysql://user:pass@host/db_name
+#DB_URL=postgres://user:pass@host/db_name
+DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}@{{ new_pagure_db_host }}/{{ new_pagure_db_name }}'
+
+### The FAS group in which the admin of pagure are
+ADMIN_GROUP = ['sysadmin-main']
+
+### The email address to which the flask.log will send the errors (tracebacks)
+EMAIL_ERROR = '{{ pagure_admin_email }}'
+
+### Default SMTP server to use for sending emails
+SMTP_SERVER = 'localhost'
+
+### Email used to sent emails
+FROM_EMAIL = 'pagure@{{ external_hostname }}'
+DOMAIN_EMAIL_NOTIFICATIONS = '{{ external_hostname }}'
+
+### The URL at which the project is available.
+APP_URL = 'https://{{ external_hostname }}/'
+DOC_APP_URL = 'https://docs.{{ external_hostname }}'
+
+### Datagrepper info for the user profile
+DATAGREPPER_URL = 'https://apps.fedoraproject.org/datagrepper'
+DATAGREPPER_CATEGORY = 'pagure'
+
+### The URL to use to clone git repositories.
+GIT_URL_SSH = 'ssh://git@{{ external_hostname }}/'
+GIT_URL_GIT = 'https://{{ external_hostname }}/'
+
+### The IP addresses allowed for the internal endpoints
+IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1', '{{ public_ip }}']
+
+# Redis configuration
+EVENTSOURCE_SOURCE = 'https://{{ external_hostname }}:8088'
+REDIS_HOST = '0.0.0.0'
+REDIS_PORT = 6379
+REDIS_DB = 0
+
+EV_STATS_PORT = '8888'
+
+WEBHOOK = True
+
+### Folder containing to the git repos
+GIT_FOLDER = '/srv/git/repositories'
+
+### Folder containing the forks repos
+FORK_FOLDER = '/srv/git/repositories/forks'
+
+### Folder containing the docs repos
+DOCS_FOLDER = '/srv/git/repositories/docs'
+
+### Folder containing the pull-requests repos
+REQUESTS_FOLDER = '/srv/git/repositories/requests'
+
+### Folder containing the tickets repos
+TICKETS_FOLDER = '/srv/git/repositories/tickets'
+
+### Folder containing the clones of the remotes git repo
+REMOTE_GIT_FOLDER = '/srv/git/remotes'
+
+### Configuration file for gitolite
+GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf'
+
+### Path of the release folder
+UPLOAD_FOLDER_URL = 'https://releases.{{ external_hostname }}/'
+UPLOAD_FOLDER_PATH = '/var/www/releases/'
+
+
+### Home folder of the gitolite user
+### Folder where to run gl-compile-conf from
+GITOLITE_HOME = '/srv/git/'
+
+### Folder containing all the public ssh keys for gitolite
+GITOLITE_KEYDIR = '/srv/git/.gitolite/keydir/'
+
+### Path to the gitolite.rc file
+GL_RC = '/srv/git/.gitolite.rc'
+
+### Path to the /bin directory where the gitolite tools can be found
+GL_BINDIR = '/usr/bin/'
+
+
+### Temp folder to be used to make the clones to work around bug in libgit2:
+## refs: https://github.com/libgit2/libgit2/issues/2965
+## and https://github.com/libgit2/libgit2/issues/2797
+TMP_FOLDER = '/srv/tmp'
+
+# Optional configuration
+
+### Number of items displayed per page
+# Used when listing items
+ITEM_PER_PAGE = 50
+
+### Maximum size of the uploaded content
+# Used to limit the size of file attached to a ticket for example
+MAX_CONTENT_LENGTH = 60 * 1024 * 1024 # 60 megabytes
+
+### Lenght for short commits ids or file hex
+SHORT_LENGTH = 7
+
+### List of blacklisted project names that can conflicts for pagure's URLs
+### or other
+BLACKLISTED_PROJECTS = [
+ 'static', 'pv', 'releases', 'new', 'api', 'settings',
+ 'logout', 'login', 'users', 'groups', 'projects', 'ssh_info'
+ 'issues', 'pull-requests', 'commits', 'tree', 'forks',
+]
+
+DISABLED_PLUGINS = ['IRC']
+
+
+# Authentication related configuration option
+
+### Switch the authentication method
+# Specify which authentication method to use, defaults to `fas` can be or
+# `local`
+# Default: ``fas``.
+PAGURE_AUTH = 'openid'
+
+# When this is set to True, the session cookie will only be returned to the
+# server via ssl (https). If you connect to the server via plain http, the
+# cookie will not be sent. This prevents sniffing of the cookie contents.
+# This may be set to False when testing your application but should always
+# be set to True in production.
+# Default: ``True``.
+SESSION_COOKIE_SECURE = True
+
+# The name of the cookie used to store the session id.
+# Default: ``.pagure``.
+SESSION_COOKIE_NAME = 'pagure'
+
+# Boolean specifying wether to check the user's IP address when retrieving
+# its session. This make things more secure (thus is on by default) but
+# under certain setup it might not work (for example is there are proxies
+# in front of the application).
+CHECK_SESSION_IP = True
+
+# Used by SESSION_COOKIE_PATH
+APPLICATION_ROOT = '/'
+
+# Set the SSH certs/keys
+{% if env == 'pagure-staging' %}
+SSH_KEYS = {
+ 'RSA': {
+ 'fingerprint': '2048 69:50:46:24:c7:94:44:f8:8d:83:05:5c:eb:73:fb:c4 (RSA)',
+ 'pubkey': '{{ external_hostname }},{{ public_ip }} {{ pagure_ssh_host_pubkey }}',
+ 'SHA256': '{{ pagure_ssh_host_sha256 }}',
+ }
+}
+
+# Allow the backward compatiblity endpoints for the old URLs schema to
+# see the commits of a repo. This is only interesting if you pagure instance
+# was running since before version 1.3 and if you care about backward
+# compatibility in your URLs.
+OLD_VIEW_COMMIT_ENABLED = False
+
+#PAGURE_CI_SERVICES=['jenkins']
+PAGURE_CI_SERVICES=[]
+
+LOGGING = {
+ 'version': 1,
+ 'disable_existing_loggers': False,
+ 'formatters': {
+ 'standard': {
+ 'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s'
+ },
+ },
+ 'handlers': {
+ 'console': {
+ 'level': 'INFO',
+ 'formatter': 'standard',
+ 'class': 'logging.StreamHandler',
+ 'stream': 'ext://sys.stdout',
+ },
+ },
+ # The root logger configuration; this is a catch-all configuration
+ # that applies to all log messages not handled by a different logger
+ 'root': {
+ 'level': 'INFO',
+ 'handlers': ['console'],
+ },
+ 'loggers': {
+ 'pagure': {
+ 'handlers': ['console'],
+ 'level': 'DEBUG',
+ 'propagate': True
+ },
+ 'pagure.lib.encoding_utils': {
+ 'handlers': ['console'],
+ 'level': 'WARN',
+ 'propagate': False
+ },
+ 'flask': {
+ 'handlers': ['console'],
+ 'level': 'INFO',
+ 'propagate': False
+ },
+ 'sqlalchemy': {
+ 'handlers': ['console'],
+ 'level': 'WARN',
+ 'propagate': False
+ },
+ 'binaryornot': {
+ 'handlers': ['console'],
+ 'level': 'WARN',
+ 'propagate': True
+ },
+ }
+}
+
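Review bot: `BLACKLISTED_PROJECTS` is missing a comma after `'ssh_info'` on the line `'logout', 'login', 'users', 'groups', 'projects', 'ssh_info'`, so Python concatenates it with the next literal into `'ssh_infoissues'` and neither `ssh_info` nor `issues` is actually reserved; a project named `issues` would then collide with pagure's own routes. The fix is the trailing comma: `'logout', 'login', 'users', 'groups', 'projects', 'ssh_info',`. Separately, the `{% if env == 'pagure-staging' %}` guard around `SSH_KEYS` has no matching `{% endif %}` anywhere in this file, which should make the template fail to render; if the intent is to emit the block only for staging, close it right after the `SSH_KEYS` mapping with `{% endif %}`. `REDIS_HOST = '0.0.0.0'` also reads oddly for a client connect address; presumably `127.0.0.1` is meant, worth confirming against the redis configuration in this role.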
diff --git a/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi b/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi
new file mode 100644
index 0000000000..b04abac4d8
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi
@@ -0,0 +1,28 @@
+#-*- coding: utf-8 -*-
+
+# The three lines below are required to run on EL6 as EL6 has
+# two possible version of python-sqlalchemy and python-jinja2
+# These lines make sure the application uses the correct version.
+import __main__
+__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4']
+import pkg_resources
+
+import os
+## Set the environment variable pointing to the configuration file
+os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg'
+
+## Set the environment variable if the tmp folder needs to be moved
+## Is necessary to work around bug in libgit2:
+## refs: https://github.com/libgit2/libgit2/issues/2965
+## and https://github.com/libgit2/libgit2/issues/2797
+os.environ['TEMP'] = '/srv/tmp/'
+
+## The following is only needed if you did not install pagure
+## as a python module (for example if you run it from a git clone).
+#import sys
+#sys.path.insert(0, '/path/to/pagure/')
+
+
+## The most import line to make the wsgi working
+from pagure import APP as application
+#application.debug = True
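Review bot: The comment above the final import reads `## The most import line to make the wsgi working`; it should say `## The most important line to make the wsgi work`. It would also help a reader if the comment above `import pkg_resources` made explicit that the import is deliberate even though the name is never used, e.g. `# imported for its side effect: pkg_resources reads __main__.__requires__ at import time`, since the current wording only says the lines are "required".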
diff --git a/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2 b/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2
new file mode 100644
index 0000000000..6dcf68a09d
--- /dev/null
+++ b/roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2
@@ -0,0 +1,8 @@
+cert = /etc/pki/tls/certs/pagure.io.cert
+key = /etc/pki/tls/certs/pagure.io.key
+pid = /var/run/stunnel.pid
+
+[{{ stunnel_service }}]
+
+accept = {{ stunnel_source_port }}
+connect = {{ stunnel_destination_port }}
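Review bot: The private key is configured under the certificates directory, `key = /etc/pki/tls/certs/pagure.io.key`, rather than under a private-key location such as `/etc/pki/tls/private/`; if the tasks that install it do not set restrictive ownership and mode, the key ends up in a directory that is conventionally world-readable. The `pagure.io` file names are also hard-coded while this role is `upstreamfirst-frontend` and the sibling template keys everything off `{{ external_hostname }}`; unless the role really ships certificates under that name, `cert = /etc/pki/tls/certs/{{ external_hostname }}.cert` and the matching key path would keep the template consistent with the rest of the role. I cannot see the tasks that deploy the files, so this is inferred from the template alone.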