This commit removes the old tasks to try and create a cert/intermediate
bundle file for stunnel in favor of just doing it when we renew/get the
cert. It also fixes stunnel to use the correct bundled cert.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
I'll try this in stg first and then roll to prod if all looks ok.
I don't see any reason why it wouldn't work offhand.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The current playbook assumes the old digicert ssl cert that's in private.
However, we got that in 2020 and it's expired. We switched pagure.io
over to letsencrypt a while back. Somehow we didn't change the playbook
however, or the change was lost somewhere. :(
So, this adds 2 calls to the letsencrypt role to get certs for the prod
and staging pagure instances. I think this should do the right thing
with placement of files, but more eyes welcome.
Without this, playbook runs have the chance of messing up pagure.io
certs, so I think we should fix this asap.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
In https://pagure.io/fedora-infra/ansible/pull-request/1013 a change to enable
new ACLs for API tokens was introduced. Unfortunately, the `issue_close` ACL
doesn't exist, and to close the issue in Pagure it needs the
`issue_change_status` and `issue_update` ACLs. This commit fixes the
previous mistake.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
Add issue_close and pull_request_close ACLs to cross project ACLs. These ACLs
are already used in the Pagure API; you can't just create an API token with these ACLs.
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
ssh git@pagure.io was broken (no longer accepting ssh connection).
A quick debug showed that it was caused by the helper script not working,
showing a 403 error. And the httpd logs were complaining about
authorized IPs not present in the configuration.
The root cause is in 938e63fa71 as the variables were renamed
from eth0_ip and eth0_ipv6 to eth0_ipv4_ip and eth0_ipv6_ip.
Then pagure config got regenerated later and this triggered the
bug preventing people from pushing.
For some reason pagure_mirror wasn't enabled by default on boot.
We do use this service and want it on. Upstream can likely enable it,
but in the meantime we will enable it on our instances.
See https://pagure.io/fedora-infrastructure/issue/10262
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Otherwise it goes back to using sysadmin-main which is the default
value, while here we want to rely on a list of users, not a group.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
There's no reason to not just use one letsencrypt cert for stg.pagure.
Also clean up logic in the web config and make sure all the servernames
are handled correctly.
Once this works, will roll this to production.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>