Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

adding new role for upstreamfirst pagure instance

Browse source
This commit is contained in:
Tim Flink 2017-05-17 20:07:28 +00:00
parent 8eb3174bc1
commit f3bf1103b8
21 changed files with 1287 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

61
inventory/host_vars/upstreamfirst.fedorainfracloud.org
View file

@ -1,15 +1,14 @@
--- ---
############################################################
# Persistent Cloud
############################################################
instance_type: m1.medium instance_type: m1.medium
image: CentOS-7-x86_64-GenericCloud-1503 image: CentOS-7-x86_64-GenericCloud-1503
keypair: fedora-admin-20130801 keypair: fedora-admin-20130801
security_group: default # NOTE: security_group MUST contain default. security_group: default # NOTE: security_group MUST contain default.
zone: nova zone: nova
tcp_ports: [ 22, 25, 80, 443, 9418,
# Used for the eventsource server
8088,
# This is for the pagure public fedmsg relay
9940]
inventory_tenant: persistent inventory_tenant: persistent
inventory_instance_name: upstreamfirst inventory_instance_name: upstreamfirst
@ -26,25 +25,51 @@ volumes:
cloud_networks: cloud_networks:
# persistent-net # persistent-net
- net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
#
############################################################
# General configuration
############################################################
tcp_ports: [ 22, 25, 80, 443, 9418,
# Used for the eventsource server
8088,
# This is for the pagure public fedmsg relay
9940]
external_hostname: 'upstreamfirst.fedorainfracloud.org'
############################################################
# PostgreSQL configuration # PostgreSQL configuration
# ############################################################
shared_buffers: "2GB" shared_buffers: "2GB"
effective_cache_size: "6GB" effective_cache_size: "6GB"
#
# Pagure Config
#
pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}" ############################################################
pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}" # Pagure Config
pagure_db_user: "{{ upstreamfirst_pagure_db_user }}" ############################################################
pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}"
pagure_db_host: "{{ upstreamfirst_pagure_db_host }}"
pagure_db_name: "{{ upstreamfirst_pagure_db_name }}" new_pagure_db_admin_user: "{{ upstreamfirst_pagure_db_admin_user }}"
pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}" new_pagure_db_admin_pass: "{{ upstreamfirst_pagure_db_admin_pass }}"
pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}" new_pagure_db_user: "{{ upstreamfirst_pagure_db_user }}"
new_pagure_db_pass: "{{ upstreamfirst_pagure_db_pass }}"
new_pagure_db_host: "{{ upstreamfirst_pagure_db_host }}"
new_pagure_db_name: "{{ upstreamfirst_pagure_db_name }}"
new_pagure_secret_key: "{{ upstreamfirst_pagure_db_admin_user }}"
new_pagure_secret_salt_email: "{{ upstreamfirst_pagure_secret_salt_email }}"
pagure_admin_email: 'tflink@fedoraproject.org'
pagure_ssh_host_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/bYFmX8pthJHcM2J85+mmN8pGJ/EJMcsdwoazihcooIBONcUazYF/BVV5/3nK7H3shq2nLR7vmdd2NuFHOPNsaAMK6nlADEg2tsKMC3UHHnwo1/iIO21pvf7+w2KIKCNIhiYA70W1aIxFBMZ7oo0VXjZ19PBwg6huAh0CBrLBP+XU4QN6LgLd87T5qMN/7g/QVqDforeoL8NUSQXMfzYNbxXPdRvMc5vbEMS/QNu5I8Ycu6FDqChnWc5Qd2orVCNreEMKwkgW27+FTpxzAnq3avotb0Cv1WuZjd8q402ldvp+ELcS8WHc+Mx41KaR//QTlSIYeX4OlcX/pl6C+Sdz'
# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
pagure_ssh_host_fingerprint: '2048 6b:d8:48:27:5a:11:d1:14:e0:c1:91:23:45:c7:fb:6d (RSA)'
# awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64_
pagure_ssh_host_sha256: 'SHA256:ggRdzg+ugyR6WIzeiuyASAdEHf+HG5yZqJJIu/YTtHI='
stunnel_service: "eventsource" stunnel_service: "eventsource"
stunnel_source_port: 8088 stunnel_source_port: 8088

28
playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
View file

@ -49,21 +49,21 @@
- "/srv/private/ansible/vars.yml" - "/srv/private/ansible/vars.yml"
- "{{ vars_path }}/{{ ansible_distribution }}.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml"
pre_tasks: # pre_tasks:
- name: install fedmsg-relay # - name: install fedmsg-relay
yum: pkg=fedmsg-relay state=present # yum: pkg=fedmsg-relay state=present
tags: # tags:
- pagure # - pagure
- pagure/fedmsg # - pagure/fedmsg
- name: and start it # - name: and start it
service: name=fedmsg-relay state=started # service: name=fedmsg-relay state=started
tags: # tags:
- pagure # - pagure
- pagure/fedmsg # - pagure/fedmsg
#
roles: roles:
- pagure/frontend - pagure/upstreamfirst-frontend
- pagure/fedmsg # - pagure/fedmsg
handlers: handlers:
- include: "{{ handlers_path }}/restart_services.yml" - include: "{{ handlers_path }}/restart_services.yml"

91
roles/pagure/upstreamfirst-frontend/files/aliases Normal file
View file

@ -0,0 +1,91 @@
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: sysadmin-main
# General redirections for pseudo accounts.
bin: root
daemon: root
adm: root
lp: root
sync: root
shutdown: root
halt: root
mail: root
#news: root
uucp: root
operator: root
games: root
gopher: root
ftp: root
#nobody: root
radiusd: root
nut: root
dbus: root
vcsa: root
canna: root
wnn: root
rpm: root
nscd: root
pcap: root
apache: root
webalizer: root
dovecot: root
fax: root
quagga: root
radvd: root
pvm: root
amanda: root
privoxy: root
ident: root
named: root
xfs: root
gdm: root
mailnull: root
postgres: root
sshd: root
smmsp: root
postfix: root
netdump: root
ldap: root
squid: root
ntp: root
mysql: root
desktop: root
rpcuser: root
rpc: root
nfsnobody: root
notifications: root
ingres: root
system: root
toor: root
manager: root
dumper: root
abuse: root
nagios: root
newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: sysadmin-main
pagure: /dev/null
reply: /dev/null

10
roles/pagure/upstreamfirst-frontend/files/backup-database Normal file
View file

@ -0,0 +1,10 @@
#!/bin/bash
# Backup a database *locally* to /backups/.
DB=$1
# Make our latest backup
/usr/bin/pg_dump -C $DB | /usr/bin/xz > /backups/$DB-$(date +%F).dump.xz
# Also, delete the backup from a few days ago.
rm -f /backups/$DB-$(date --date="3 days ago" +%F).dump.xz

15
roles/pagure/upstreamfirst-frontend/files/pagure_ev.service Normal file
View file

@ -0,0 +1,15 @@
[Unit]
Description=Pagure EventSource server (Allowing live refresh of the pages supporting it)
After=redis.target
Documentation=https://pagure.io/pagure
[Service]
ExecStart=/usr/libexec/pagure-ev/pagure_stream_server.py
Type=simple
User=git
Group=git
Restart=on-failure
LimitNOFILE=40960
[Install]
WantedBy=multi-user.target

78
roles/pagure/upstreamfirst-frontend/files/pg_hba.conf Normal file
View file

@ -0,0 +1,78 @@
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
# Authentication" for a complete description. A short synopsis
# follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTION]
# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain socket,
# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", a database name, or
# a comma-separated list thereof.
#
# USER can be "all", a user name, a group name prefixed with "+", or
# a comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names from
# a separate file.
#
# CIDR-ADDRESS specifies the set of hosts the record matches.
# It is made up of an IP address and a CIDR mask that is an integer
# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
# the number of significant bits in the mask. Alternatively, you can write
# an IP address and netmask in separate columns to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
# "krb5", "ident", or "pam". Note that "password" sends passwords
# in clear text; "md5" is preferred since it sends encrypted passwords.
#
# OPTION is the ident map or the name of the PAM service, depending on METHOD.
#
# Database and user names containing spaces, commas, quotes and other special
# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
# "samerole" makes the name lose its special character, and just match a
# database or username with that name.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect. You can use
# "pg_ctl reload" to do that.
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL listen
# on a non-local interface via the listen_addresses configuration parameter,
# or via the -i or -h command line switches.
#
#@authcomment@
# TYPE DATABASE USER CIDR-ADDRESS METHOD
#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
#@remove-line-for-nolocal@local all all @authmethod@
# IPv4 local connections:
#host all all 127.0.0.1/32 @authmethod@
# IPv6 local connections:
#host all all ::1/128 @authmethod@
local all all ident
host koji koji 10.5.126.61 255.255.255.255 md5
host all all 0.0.0.0 0.0.0.0 md5
# Note, I can't think of a reason to make this more restrictive than ipv4 but
# only fakefas needs it so far
host all all ::1/128 md5

5
roles/pagure/upstreamfirst-frontend/files/robots.txt Normal file
View file

@ -0,0 +1,5 @@
User-agent: *
Disallow: /api
Disallow: /login
Disallow: /*/raw
Crawl-Delay: 2

0
roles/pagure/upstreamfirst-frontend/files/selinux/pagure.fc Normal file
View file

1
roles/pagure/upstreamfirst-frontend/files/selinux/pagure.if Normal file
View file

@ -0,0 +1 @@
## <summary></summary>

BIN
roles/pagure/upstreamfirst-frontend/files/selinux/pagure.pp Normal file
View file

Binary file not shown.

11
roles/pagure/upstreamfirst-frontend/files/selinux/pagure.te Normal file
View file

@ -0,0 +1,11 @@
module pagure 1.0;
require {
type httpd_t;
type gitosis_var_lib_t;
class dir { add_name remove_name write };
class file { create link setattr unlink write };
}
allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };

14
roles/pagure/upstreamfirst-frontend/files/stunnel.service Normal file
View file

@ -0,0 +1,14 @@
[Unit]
Description=stunnel
After=network.target
Documentation=https://infrastructure.fedoraproject.org/infra/docs/fedmsg-websocket.txt
[Service]
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
Type=forking
User=root
Group=root
Restart=on-failure
[Install]
WantedBy=multi-user.target

3
roles/pagure/upstreamfirst-frontend/handlers/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
- name: restart pagure_milter
service: name=pagure_milter state=restarted

333
roles/pagure/upstreamfirst-frontend/tasks/main.yml Normal file
View file

@ -0,0 +1,333 @@
---
# Configuration for the pagure webapp
- name: install needed packages
yum: pkg={{ item }} state=present
with_items:
- pagure
- pagure-ci
- pagure-ev
- pagure-loadjson
- pagure-logcom
- pagure-milters
- pagure-webhook
- python-psycopg2
- redis
- libsemanage-python
- mod_ssl
- stunnel
# Use haveged to ensure the server keeps some entropy
- haveged
tags:
- pagure
- packages
- name: Initialize postgres if necessary
command: /usr/bin/postgresql-setup initdb
creates=/var/lib/pgsql/data
notify:
- restart postgresql
tags:
- pagure
- name: Put in robots.txt
copy: src=robots.txt dest=/var/www/html/robots.txt
tags:
- pagure
# Set-up gitolite
- name: install needed packages
yum: pkg=gitolite3 state=present
tags:
- pagure
- gitolite
- packages
- name: Rename the user gitolite into git
command: usermod --move-home --login git --home /srv/git/ gitolite3
creates=/srv/git/
tags:
- gitolite
- pagure
- name: Rename the group gitolite into git
command: groupmod --new-name git gitolite3
creates=/srv/git/.gitolite/conf
tags:
- gitolite
- pagure
- name: create the /srv/git/.gitolite/conf folder
file: state=directory
path=/srv/git/.gitolite/conf
owner=git group=git mode=0775
tags:
- gitolite
- pagure
- name: create the /srv/git/.gitolite/keydir folder
file: state=directory
path=/srv/git/.gitolite/keydir
owner=git group=git mode=0775
tags:
- gitolite
- pagure
- name: create the /srv/git/.gitolite/logs folder
file: state=directory
path=/srv/git/.gitolite/logs
owner=git group=git mode=0775
tags:
- gitolite
- pagure
- name: Adjust owner of /srv/git
file: name=/srv/git state=directory recurse=yes owner=git group=git
tags:
- gitolite
- name: Adjust permissions of /srv/git/.gitolite
file: name=/srv/git/.gitolite state=directory recurse=yes owner=git group=git
tags:
- gitolite
- name: install our own gitolite configuration
template: src=gitolite.rc
dest=/srv/git/.gitolite.rc
owner=git group=git mode=0755
tags:
- gitolite
- pagure
- name: create all the directories where we store the git repos
file: state=directory
path={{ item }}
owner=git group=git mode=0775
with_items:
- /srv/git/repositories/
- /srv/git/repositories/forks
- /srv/git/repositories/docs
- /srv/git/repositories/tickets
- /srv/git/repositories/requests
- /srv/git/remotes
tags:
- gitolite
- pagure
- name: create the /srv/tmp folder where to clone repos
file: state=directory
path=/srv/tmp
owner=git group=git mode=0775
tags:
- gitolite
- pagure
# Set-up postfix and the milter for postfix
- name: Add the /etc/aliases file
copy: src=aliases dest=/etc/aliases owner=root mode=644
tags:
- config
- pagure
- postfix
notify:
- restart postfix
- restart pagure_milter
# Override pagure_ev systemd service file
- name: install pagure_ev service definition
copy: src=pagure_ev.service
dest=/usr/lib/systemd/system/pagure_ev.service
owner=root group=root mode=0644
notify:
- reload systemd
- restart pagure_ev
tags:
- pagure
- pagure_ev
# Set-up stunnel for the event source server
- name: install stunnel service definition
copy: src=stunnel.service
dest=/usr/lib/systemd/system/stunnel.service
owner=root group=root mode=0644
notify:
- reload systemd
- restart stunnel
tags:
- pagure
- stunnel
- name: ensure old stunnel init file is gone
file: dest=/etc/init.d/stunnel/stunnel.init state=absent
tags:
- pagure
- stunnel
- config
- name: install stunnel.conf
template: src={{ item.file }}
dest={{ item.dest }}
owner=root group=root mode=0600
with_items:
- { file: stunnel-conf.j2, dest: /etc/stunnel/stunnel.conf }
notify: restart stunnel
tags:
- pagure
- stunnel
- config
# Set-up Pagure
- name: create the /var/www/releases folder
file: state=directory
path=/var/www/releases
owner=git group=git mode=0775
tags:
- pagure
- web
- name: copy sundry pagure configuration
template: src={{ item.file }}
dest={{ item.location }}/{{ item.file }}
owner=git group=postfix mode=0640
with_items:
- { file: pagure.cfg, location: /etc/pagure }
- { file: alembic.ini, location: /etc/pagure }
changed_when: "1 != 1"
tags:
- config
- web
- pagure
notify:
- restart apache
- name: create the database scheme
command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py
changed_when: "1 != 1"
environment:
PAGURE_CONFIG: /etc/pagure/pagure.cfg
tags:
- web
- pagure
- name: Install the SSL cert so that we can use https
copy: >
src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }}
owner=root group=root mode=0600
notify: restart stunnel
with_items:
- pagure.io.cert
- pagure.io.key
- pagure.io.intermediate.cert
- docs.pagure.org.crt
- docs.pagure.org.intermediate.crt
- docs.pagure.org.key
tags:
- config
- pagure
- httpd/certificate
- name: Install the configuration file to activate https
template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
owner=root group=root mode=0644
with_items:
- 0_pagure.conf
tags:
- files
- config
- pagure
notify:
- restart apache
- name: Install the wsgi file
template: src={{ item }}
dest=/var/www/{{ item }}
owner=git group=git mode=0644
with_items:
- pagure.wsgi
- docs_pagure.wsgi
tags:
- config
- web
- pagure
notify:
- restart apache
- name: Add default facl so apache can read git repos
acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present
register: acl_updates
tags:
- pagure
- name: Manually fix current default ACLs since Ansible doesnt know recursive acls
when: acl_updates.changed
command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git
tags:
- pagure
- name: Manually fix current ACLs since Ansible doesnt know recursive acls
when: acl_updates.changed
command: /usr/bin/setfacl -Rm user:apache:rx /srv/git
tags:
- pagure
- name: copy over our custom selinux module
copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp
register: selinux_module
tags:
- pagure
- name: install our custom selinux module
command: semodule -i /usr/local/share/pagure.pp
when: selinux_module|changed
tags:
- pagure
- name: set sebooleans so pagure can talk to the network (db + redis)
seboolean: name=httpd_can_network_connect
state=true
persistent=true
tags:
- selinux
- web
- pagure
- name: set sebooleans so apache can send emails
seboolean: name=httpd_can_sendmail
state=true
persistent=true
tags:
- selinux
- web
- pagure
# Ensure all the services are up and running
- name: Start and enable httpd, postfix, pagure_milter
service: name={{ item }} enabled=yes state=started
with_items:
- httpd
- postfix
- stunnel
- redis
- pagure_ev
- pagure_ci
- pagure_loadjon
- pagure_logcom
- pagure_milter
- pagure_webhook
- fedmsg-relay
- haveged
ignore_errors: true
tags:
- pagure
- service
- postfix

133
roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf Normal file
View file

@ -0,0 +1,133 @@
WSGISocketPrefix run/wsgi
#WSGIRestrictStdout On
WSGIRestrictSignal Off
WSGIPythonOptimize 1
WSGIPassAuthorization On
WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=4 threads=4 inactivity-timeout=300
WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300
## Redirects http -> https
<VirtualHost *:80>
ServerName {{ external_hostname }}
Redirect permanent / https://{{ external_hostname }}/
</VirtualHost>
<VirtualHost *:80>
ServerName docs.{{ external_hostname }}
Redirect permanent / https://docs.{{ external_hostname }}/
</VirtualHost>
<VirtualHost *:80>
ServerName releases.{{ external_hostname }}
Redirect permanent / https://releases.{{ external_hostname }}/
# Added until we can get the cert out
DocumentRoot "/var/www/releases"
<Directory />
Options +Indexes
IndexOptions NameWidth=*
</Directory>
</VirtualHost>
## End of redirects http -> https
<VirtualHost *:443>
ServerName {{ external_hostname }}
Alias "/robots.txt" "/var/www/html/robots.txt"
WSGIScriptAlias / /var/www/pagure.wsgi
ServerAdmin admin@fedoraproject.org
SSLEngine on
SSLProtocol {{ ssl_protocols }}
SSLCipherSuite {{ ssl_ciphers }}
# Use secure TLSv1.1 and TLSv1.2 ciphers
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
Alias /static /usr/lib/python2.7/site-packages/pagure/static/
SetEnv GIT_PROJECT_ROOT /srv/git/repositories
AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1
AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/repositories/$1
ScriptAliasMatch \
"(?x)^/(.*/(HEAD | \
info/refs | \
objects/info/[^/]+ | \
git-(upload|receive)-pack))$" \
/usr/libexec/git-core/git-http-backend/$1
<Location />
WSGIProcessGroup pagure
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Allow from all
</IfModule>
</Location>
<Location /releases>
Redirect "/releases" https://releases.{{ external_hostname }}
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerName docs.{{ external_hostname }}
WSGIScriptAlias / /var/www/docs_pagure.wsgi
SSLEngine on
SSLProtocol {{ ssl_protocols }}
SSLCipherSuite {{ ssl_ciphers }}
# Use secure TLSv1.1 and TLSv1.2 ciphers
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
Alias /static /usr/lib/python2.7/site-packages/pagure/static/
<Location />
WSGIProcessGroup paguredocs
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Allow from all
</IfModule>
</Location>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/var/www/releases"
ServerName releases.{{ external_hostname }}
<Directory />
Options +Indexes
IndexOptions NameWidth=*
</Directory>
</VirtualHost>

50
roles/pagure/upstreamfirst-frontend/templates/alembic.ini Normal file
View file

@ -0,0 +1,50 @@
# A generic, single database configuration.
[alembic]
# path to migration scripts
script_location = /usr/share/pagure/alembic
# template used to generate migration files
# file_template = %%(rev)s_%%(slug)s
# set to 'true' to run the environment during
# the 'revision' command, regardless of autogenerate
# revision_environment = false
#sqlalchemy.url = postgresql://<%= pkgdb_app %>:<%= pkgdb_appPassword %>@db-pkgdb/pkgdb
# Logging configuration
[loggers]
keys = root,sqlalchemy,alembic
[handlers]
keys = console
[formatters]
keys = generic
[logger_root]
level = WARN
handlers = console
qualname =
[logger_sqlalchemy]
level = WARN
handlers =
qualname = sqlalchemy.engine
[logger_alembic]
level = INFO
handlers =
qualname = alembic
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic
[formatter_generic]
format = %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S

22
roles/pagure/upstreamfirst-frontend/templates/docs_pagure.wsgi Normal file
View file

@ -0,0 +1,22 @@
#-*- coding: utf-8 -*-
# The three lines below are required to run on EL6 as EL6 has
# two possible version of python-sqlalchemy and python-jinja2
# These lines make sure the application uses the correct version.
import __main__
__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4']
import pkg_resources
import os
## Set the environment variable pointing to the configuration file
os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg'
## The following is only needed if you did not install pagure
## as a python module (for example if you run it from a git clone).
#import sys
#sys.path.insert(0, '/path/to/pagure/')
## The most import line to make the wsgi working
from pagure.docs_server import APP as application
#application.debug = True

195
roles/pagure/upstreamfirst-frontend/templates/gitolite.rc Normal file
View file

@ -0,0 +1,195 @@
# configuration variables for gitolite
# This file is in perl syntax. But you do NOT need to know perl to edit it --
# just mind the commas, use single quotes unless you know what you're doing,
# and make sure the brackets and braces stay matched up!
# (Tip: perl allows a comma after the last item in a list also!)
# HELP for commands can be had by running the command with "-h".
# HELP for all the other FEATURES can be found in the documentation (look for
# "list of non-core programs shipped with gitolite" in the master index) or
# directly in the corresponding source file.
%RC = (
# ------------------------------------------------------------------
# default umask gives you perms of '0700'; see the rc file docs for
# how/why you might change this
UMASK => 0077,
# look for "git-config" in the documentation
GIT_CONFIG_KEYS => '',
# comment out if you don't need all the extra detail in the logfile
LOG_EXTRA => 1,
# syslog options
# 1. leave this section as is for normal gitolite logging
# 2. uncomment this line to log only to syslog:
# LOG_DEST => 'syslog',
# 3. uncomment this line to log to syslog and the normal gitolite log:
# LOG_DEST => 'syslog,normal',
# roles. add more roles (like MANAGER, TESTER, ...) here.
# WARNING: if you make changes to this hash, you MUST run 'gitolite
# compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
ROLES => {
READERS => 1,
WRITERS => 1,
},
# enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
# CACHE => 'Redis',
# ------------------------------------------------------------------
# rc variables used by various features
# the 'info' command prints this as additional info, if it is set
# SITE_INFO => 'Please see http://blahblah/gitolite for more help',
# the CpuTime feature uses these
# display user, system, and elapsed times to user after each git operation
# DISPLAY_CPU_TIME => 1,
# display a warning if total CPU times (u, s, cu, cs) crosses this limit
# CPU_TIME_WARN_LIMIT => 0.1,
# the Mirroring feature needs this
# HOSTNAME => "foo",
# TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
# CACHE_TTL => 600,
# ------------------------------------------------------------------
# suggested locations for site-local gitolite code (see cust.html)
# this one is managed directly on the server
# LOCAL_CODE => "$ENV{HOME}/local",
# or you can use this, which lets you put everything in a subdirectory
# called "local" in your gitolite-admin repo. For a SECURITY WARNING
# on this, see http://gitolite.com/gitolite/non-core.html#pushcode
# LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
# ------------------------------------------------------------------
# List of commands and features to enable
ENABLE => [
# COMMANDS
# These are the commands enabled by default
'help',
'desc',
'info',
'perms',
'writable',
# Uncomment or add new commands here.
# 'create',
# 'fork',
# 'mirror',
# 'readme',
# 'sskm',
# 'D',
# These FEATURES are enabled by default.
# essential (unless you're using smart-http mode)
'ssh-authkeys',
# creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz'
'git-config',
# creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
'daemon',
# creates projects.list file; if you don't use gitweb, comment this out
#'gitweb',
# These FEATURES are disabled by default; uncomment to enable. If you
# need to add new ones, ask on the mailing list :-)
# user-visible behaviour
# prevent wild repos auto-create on fetch/clone
# 'no-create-on-read',
# no auto-create at all (don't forget to enable the 'create' command!)
# 'no-auto-create',
# access a repo by another (possibly legacy) name
# 'Alias',
# give some users direct shell access. See documentation in
# sts.html for details on the following two choices.
# "Shell $ENV{HOME}/.gitolite.shell-users",
# 'Shell alice bob',
# set default roles from lines like 'option default.roles-1 = ...', etc.
# 'set-default-roles',
# show more detailed messages on deny
# 'expand-deny-messages',
# show a message of the day
# 'Motd',
# system admin stuff
# enable mirroring (don't forget to set the HOSTNAME too!)
# 'Mirroring',
# allow people to submit pub files with more than one key in them
# 'ssh-authkeys-split',
# selective read control hack
# 'partial-copy',
# manage local, gitolite-controlled, copies of read-only upstream repos
# 'upstream',
# updates 'description' file instead of 'gitweb.description' config item
# 'cgit',
# allow repo-specific hooks to be added
# 'repo-specific-hooks',
# performance, logging, monitoring...
# be nice
# 'renice 10',
# log CPU times (user, system, cumulative user, cumulative system)
# 'CpuTime',
# syntactic_sugar for gitolite.conf and included files
# allow backslash-escaped continuation lines in gitolite.conf
# 'continuation-lines',
# create implicit user groups from directory names in keydir/
# 'keysubdirs-as-groups',
# allow simple line-oriented macros
# 'macros',
# Kindergarten mode
# disallow various things that sensible people shouldn't be doing anyway
# 'Kindergarten',
],
);
# ------------------------------------------------------------------------------
# per perl rules, this should be the last line in such a file:
1;
# Local variables:
# mode: perl
# End:
# vim: set syn=perl:

233
roles/pagure/upstreamfirst-frontend/templates/pagure.cfg Normal file
View file

@ -0,0 +1,233 @@
from datetime import timedelta
### Set the time after which the admin session expires
# There are two sessions on pagure, login that holds for 31 days and
# the session defined here after which an user has to re-login.
# This session is used when accessing all administrative parts of pagure
# (ie: changing a project's or a user's settings)
ADMIN_SESSION_LIFETIME = timedelta(minutes=20)
# Make the CSRF token not-time limited, this way it is valid for the entire
# duration of the session.
WTF_CSRF_TIME_LIMIT=None
### Secret key for the Flask application
SECRET_KEY='{{ pagure_secret_key }}'
SALT_EMAIL='{{ pagure_secret_salt_email }}'
EMAIL_SEND = True
# This is required so that login specifies https
PREFERRED_URL_SCHEME='https'
### url to the database server:
#DB_URL=mysql://user:pass@host/db_name
#DB_URL=postgres://user:pass@host/db_name
DB_URL = 'postgresql://{{ new_pagure_db_user }}:{{ new_pagure_db_pass }}@{{ new_pagure_db_host }}/{{ new_pagure_db_name }}'
### The FAS group in which the admin of pagure are
ADMIN_GROUP = ['sysadmin-main']
### The email address to which the flask.log will send the errors (tracebacks)
EMAIL_ERROR = '{{ pagure_admin_email }}'
### Default SMTP server to use for sending emails
SMTP_SERVER = 'localhost'
### Email used to sent emails
FROM_EMAIL = 'pagure@{{ external_hostname }}'
DOMAIN_EMAIL_NOTIFICATIONS = '{{ external_hostname }}'
### The URL at which the project is available.
APP_URL = 'https://{{ external_hostname }}/'
DOC_APP_URL = 'https://docs.{{ external_hostname }}'
### Datagrepper info for the user profile
DATAGREPPER_URL = 'https://apps.fedoraproject.org/datagrepper'
DATAGREPPER_CATEGORY = 'pagure'
### The URL to use to clone git repositories.
GIT_URL_SSH = 'ssh://git@{{ external_hostname }}/'
GIT_URL_GIT = 'https://{{ external_hostname }}/'
### The IP addresses allowed for the internal endpoints
IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1', '{{ public_ip }}']
# Redis configuration
EVENTSOURCE_SOURCE = 'https://{{ external_hostname }}:8088'
REDIS_HOST = '0.0.0.0'
REDIS_PORT = 6379
REDIS_DB = 0
EV_STATS_PORT = '8888'
WEBHOOK = True
### Folder containing to the git repos
GIT_FOLDER = '/srv/git/repositories'
### Folder containing the forks repos
FORK_FOLDER = '/srv/git/repositories/forks'
### Folder containing the docs repos
DOCS_FOLDER = '/srv/git/repositories/docs'
### Folder containing the pull-requests repos
REQUESTS_FOLDER = '/srv/git/repositories/requests'
### Folder containing the tickets repos
TICKETS_FOLDER = '/srv/git/repositories/tickets'
### Folder containing the clones of the remotes git repo
REMOTE_GIT_FOLDER = '/srv/git/remotes'
### Configuration file for gitolite
GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf'
### Path of the release folder
UPLOAD_FOLDER_URL = 'https://releases.{{ external_hostname }}/'
UPLOAD_FOLDER_PATH = '/var/www/releases/'
### Home folder of the gitolite user
### Folder where to run gl-compile-conf from
GITOLITE_HOME = '/srv/git/'
### Folder containing all the public ssh keys for gitolite
GITOLITE_KEYDIR = '/srv/git/.gitolite/keydir/'
### Path to the gitolite.rc file
GL_RC = '/srv/git/.gitolite.rc'
### Path to the /bin directory where the gitolite tools can be found
GL_BINDIR = '/usr/bin/'
### Temp folder to be used to make the clones to work around bug in libgit2:
## refs: https://github.com/libgit2/libgit2/issues/2965
## and https://github.com/libgit2/libgit2/issues/2797
TMP_FOLDER = '/srv/tmp'
# Optional configuration
### Number of items displayed per page
# Used when listing items
ITEM_PER_PAGE = 50
### Maximum size of the uploaded content
# Used to limit the size of file attached to a ticket for example
MAX_CONTENT_LENGTH = 60 * 1024 * 1024 # 60 megabytes
### Lenght for short commits ids or file hex
SHORT_LENGTH = 7
### List of blacklisted project names that can conflicts for pagure's URLs
### or other
BLACKLISTED_PROJECTS = [
'static', 'pv', 'releases', 'new', 'api', 'settings',
'logout', 'login', 'users', 'groups', 'projects', 'ssh_info'
'issues', 'pull-requests', 'commits', 'tree', 'forks',
]
DISABLED_PLUGINS = ['IRC']
# Authentication related configuration option
### Switch the authentication method
# Specify which authentication method to use, defaults to `fas` can be or
# `local`
# Default: ``fas``.
PAGURE_AUTH = 'openid'
# When this is set to True, the session cookie will only be returned to the
# server via ssl (https). If you connect to the server via plain http, the
# cookie will not be sent. This prevents sniffing of the cookie contents.
# This may be set to False when testing your application but should always
# be set to True in production.
# Default: ``True``.
SESSION_COOKIE_SECURE = True
# The name of the cookie used to store the session id.
# Default: ``.pagure``.
SESSION_COOKIE_NAME = 'pagure'
# Boolean specifying wether to check the user's IP address when retrieving
# its session. This make things more secure (thus is on by default) but
# under certain setup it might not work (for example is there are proxies
# in front of the application).
CHECK_SESSION_IP = True
# Used by SESSION_COOKIE_PATH
APPLICATION_ROOT = '/'
# Set the SSH certs/keys
{% if env == 'pagure-staging' %}
SSH_KEYS = {
'RSA': {
'fingerprint': '2048 69:50:46:24:c7:94:44:f8:8d:83:05:5c:eb:73:fb:c4 (RSA)',
'pubkey': '{{ external_hostname }},{{ public_ip }} {{ pagure_ssh_host_pubkey }}',
'SHA256': '{{ pagure_ssh_host_sha256 }}',
}
}
# Allow the backward compatiblity endpoints for the old URLs schema to
# see the commits of a repo. This is only interesting if you pagure instance
# was running since before version 1.3 and if you care about backward
# compatibility in your URLs.
OLD_VIEW_COMMIT_ENABLED = False
#PAGURE_CI_SERVICES=['jenkins']
PAGURE_CI_SERVICES=[]
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'formatters': {
'standard': {
'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s'
},
},
'handlers': {
'console': {
'level': 'INFO',
'formatter': 'standard',
'class': 'logging.StreamHandler',
'stream': 'ext://sys.stdout',
},
},
# The root logger configuration; this is a catch-all configuration
# that applies to all log messages not handled by a different logger
'root': {
'level': 'INFO',
'handlers': ['console'],
},
'loggers': {
'pagure': {
'handlers': ['console'],
'level': 'DEBUG',
'propagate': True
},
'pagure.lib.encoding_utils': {
'handlers': ['console'],
'level': 'WARN',
'propagate': False
},
'flask': {
'handlers': ['console'],
'level': 'INFO',
'propagate': False
},
'sqlalchemy': {
'handlers': ['console'],
'level': 'WARN',
'propagate': False
},
'binaryornot': {
'handlers': ['console'],
'level': 'WARN',
'propagate': True
},
}
}

28
roles/pagure/upstreamfirst-frontend/templates/pagure.wsgi Normal file
View file

@ -0,0 +1,28 @@
#-*- coding: utf-8 -*-
# The three lines below are required to run on EL6 as EL6 has
# two possible version of python-sqlalchemy and python-jinja2
# These lines make sure the application uses the correct version.
import __main__
__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4']
import pkg_resources
import os
## Set the environment variable pointing to the configuration file
os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg'
## Set the environment variable if the tmp folder needs to be moved
## Is necessary to work around bug in libgit2:
## refs: https://github.com/libgit2/libgit2/issues/2965
## and https://github.com/libgit2/libgit2/issues/2797
os.environ['TEMP'] = '/srv/tmp/'
## The following is only needed if you did not install pagure
## as a python module (for example if you run it from a git clone).
#import sys
#sys.path.insert(0, '/path/to/pagure/')
## The most import line to make the wsgi working
from pagure import APP as application
#application.debug = True

8
roles/pagure/upstreamfirst-frontend/templates/stunnel-conf.j2 Normal file
View file

@ -0,0 +1,8 @@
cert = /etc/pki/tls/certs/pagure.io.cert
key = /etc/pki/tls/certs/pagure.io.key
pid = /var/run/stunnel.pid
[{{ stunnel_service }}]
accept = {{ stunnel_source_port }}
connect = {{ stunnel_destination_port }}