diff --git a/inventory/group_vars/people b/inventory/group_vars/people
index 2115d692e9..2049109ca9 100644
--- a/inventory/group_vars/people
+++ b/inventory/group_vars/people
@@ -14,3 +14,18 @@ fedmsg_certs:
 group: planet-user
 can_send:
 - planet.post.new
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - adminfedoraproject.org
+csi_purpose: Provide hosting space for Fedora contributors and Fedora Planet
+
+csi_relationship: |
+ - shell accounts and web space for fedora contributors
+ - web space for personal yum repos
+ - shared space for small group/personal git repos
+
+ Please be aware that this is a shared server, and you should not upload
+ Private/Secret SSH or GPG keys onto this system. Any such keys found
+ will be deleted.
+
diff --git a/inventory/host_vars/209.132.184.150 b/inventory/host_vars/209.132.184.150
deleted file mode 120000
index c3328866fa..0000000000
--- a/inventory/host_vars/209.132.184.150
+++ /dev/null
@@ -1 +0,0 @@
-209.132.184.144
\ No newline at end of file
diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml
index 95e033b3d2..374985cce3 100644
--- a/playbooks/groups/jenkins-cloud.yml
+++ b/playbooks/groups/jenkins-cloud.yml
@@ -471,21 +471,36 @@ - pwgen # Required for mpi4py - openmpi-devel # Required for mpi4py - mpich2-devel # Required for mpi4py - - python-openid # Required by Ipsilon - - python-openid-teams # Required by Ipsilon - - python-openid-cla # Required by Ipsilon - - python-cherrypy # Required by Ipsilon - - m2crypto # Required by Ipsilon - - lasso-python # Required by Ipsilon - - python-sqlalchemy # Required by Ipsilon - - python-ldap # Required by Ipsilon - - python-pam # Required by Ipsilon - - freeipa-python # Required by Ipsilon - - httpd # Required by Ipsilon - - mod_auth_mellon # Required by Ipsilon - - postgresql-server # Required by Ipsilon - - mod_wsgi # Required by Ipsilon - - python-jinja2 # Required by Ipsilon + - pylint # Required by Ipsilon + - python-pep8 + - nodejs-less + - python-openid + - python-openid-teams + - python-openid-cla + - python-cherrypy + - m2crypto + - lasso-python + - python-sqlalchemy + - python-ldap + - python-pam + - python-fedora + - freeipa-python + - httpd + - mod_auth_mellon + - postgresql-server + - openssl + - mod_wsgi + - python-jinja2 + - python-psycopg2 + - sssd + - libsss_simpleifp + - openldap-servers + - mod_auth_gssapi + - krb5-server + - socket_wrapper + - nss_wrapper + - python-requests-kerberos + - python-lesscpy # End requires for Ipsilon - libxml2-python # Required by gimp-docs - createrepo # Required by dnf tags: diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index dda36c1448..e5c6785467 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -64,6 +64,12 @@ target: http://www.flocktofedora.org/ status: 302 + - role: httpd/redirect + name: fedoramy + website: fedora.my + target: http://www.fedora.my/ + status: 302 + - role: httpd/redirect name: join-fedora website: join.fedoraproject.org diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 63691c33ec..d83a32d1fd 100644 
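Review bot: The new `fedoramy` redirect targets `http://www.fedora.my/`, and the matching `httpd/website` entry added in playbooks/include/proxies-websites.yml is declared with `ssl: false`, so every hop for this domain is plaintext and can be altered by anyone on the network path. This mirrors the neighbouring flocktofedora entries, so it may be deliberate; if so, a one-line comment next to `ssl: false` stating why TLS is off would record the decision. If the site can serve TLS, the target should read `target: https://www.fedora.my/`.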
--- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -232,6 +232,12 @@ - flocktofedora.com ssl: false + - role: httpd/website + name: fedora.my + server_aliases: + - fedora.my + ssl: false + - role: httpd/website name: bugz.fedoraproject.org server_aliases: [bugz.stg.fedoraproject.org] diff --git a/roles/bodhi2/base/templates/staging.ini.j2 b/roles/bodhi2/base/templates/staging.ini.j2 index f5d26169aa..6009361aec 100644 --- a/roles/bodhi2/base/templates/staging.ini.j2 +++ b/roles/bodhi2/base/templates/staging.ini.j2 @@ -40,8 +40,7 @@ captcha.secret = {{ bodhi2CaptchaSecret }} captcha.image_width = 300 captcha.image_height = 80 # Any truetype font will do. -# This font lives in pcaro-hermit-fonts package -captcha.font_path = /usr/share/fonts/pcaro-hermit/Hermit-medium.otf +captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf captcha.font_size = 36 # Colors captcha.font_color = #000000 diff --git a/roles/epylog/files/merged/weed_local.cf b/roles/epylog/files/merged/weed_local.cf index d6e9f65a97..924ca50780 100644 --- a/roles/epylog/files/merged/weed_local.cf +++ b/roles/epylog/files/merged/weed_local.cf @@ -89,6 +89,7 @@ kernel:.*usb 3-3: new full-speed USB device number.*using xhci_hcd kernel:.*usb 3-3: Device not responding to set address. kernel:.*usb 3-3: Device not responding to set address. kernel:.*usb 3-3: device not accepting address.*error -71 +koschei*:.* lvm.*: Another thread is handling an event. Waiting...* nagios: Auto-save of retention data completed successfully nagios: CURRENT.* diff --git a/roles/ipsilon/files/api.py b/roles/ipsilon/files/api.py new file mode 100644 index 0000000000..dd0f8b05c0 --- /dev/null +++ b/roles/ipsilon/files/api.py 
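Review bot: In roles/epylog/files/merged/weed_local.cf, `koschei*:.*` reads like a shell glob rather than a regular expression. If these weed entries are regexes, as the neighbouring `lvm.*:` suggests, the `*` only repeats the final `i`, so the rule matches a `koschei:` prefix but not `koschei-polling:` or the other per-service names that roles/koschei/tasks/main.yml sets up in this same commit; covering those would need `koschei.*:.*`. Either way the rule removes every Koschei message, errors included, from the epylog report, so narrowing it to the specific noisy messages would keep real failures visible.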
@@ -0,0 +1,98 @@
+# Copyright (C) 2015 Patrick Uiterwijk, for license see COPYING
+
+from __future__ import absolute_import
+
+from ipsilon.providers.openid.extensions.common import OpenidExtensionBase
+import ipsilon.root
+from ipsilon.util.page import Page
+from ipsilon.util.user import User
+
+import json
+import inspect
+
+
+class OpenidExtension(OpenidExtensionBase):
+
+ def __init__(self, *pargs):
+ super(OpenidExtension, self).__init__('API')
+
+ def enable(self):
+ # This is the most ugly hack in my history of python...
+ # But I need to find the root object, and that is not passed into
+ # the OpenID extension system anywhere...
+ root_obj = inspect.stack()[5][0].f_locals['self']
+ root_obj.api = APIPage(root_obj)
+
+
+class APIPage(Page):
+ def __init__(self, root_obj):
+ ipsilon.root.sites['api'] = dict()
+ ipsilon.root.sites['api']['template_env'] = \
+ ipsilon.root.sites['default']['template_env']
+ super(APIPage, self).__init__(ipsilon.root.sites['api'])
+ self.v1 = APIV1Page(root_obj)
+
+
+class APIV1Page(Page):
+ def __init__(self, root_obj):
+ ipsilon.root.sites['api_v1'] = dict()
+ ipsilon.root.sites['api_v1']['template_env'] = \
+ ipsilon.root.sites['default']['template_env']
+ super(APIV1Page, self).__init__(ipsilon.root.sites['api_v1'])
+ self.root_obj = root_obj
+
+ def root(self, *args, **kwargs):
+ return json.dumps(self._perform_call(kwargs))
+
+ def _perform_call(self, arguments):
+ fas = self.root_obj.login.fas.lm
+ openid = self.root_obj.openid
+
+ openid_request = None
+ try:
+ openid_request = openid.cfg.server.decodeRequest(arguments)
+ except Exception, ex:
+ print 'Error during openid decoding: %s' % ex
+ return {'success': False,
+ 'status': 400,
+ 'message': 'Invalid request'
+ }
+ if not openid_request:
+ print 'No OpenID request parsed'
+ return {'success': False,
+ 'status': 400,
+ 'message': 'Invalid request'
+ }
+ if not arguments['auth_module'] == 'fedoauth.auth.fas.Auth_FAS':
+ print 'Unknown auth module selected'
+ return
{'success': False, + 'status': 400, + 'message': 'Unknown authentication module' + } + username = arguments['username'] + password = arguments['password'] + user = None + userdata = None + try: + _, user = fas.fpc.login(username, password) + userdata = fas.page.make_userdata(user.user) + except Exception, ex: + print 'Error during auth: %s' % ex + pass + + if user is None or userdata is None: + print 'No user or data: %s, %s' % (user, userdata) + return {'success': False, + 'status': 400, + 'message': 'Authentication failed'} + + us_obj = User(username) + fake_session = lambda: None + setattr(fake_session, 'get_user', lambda *args: us_obj) + setattr(fake_session, 'get_user_attrs', lambda *args: userdata) + + openid_response = openid._response(openid_request, fake_session) + openid_response = openid.cfg.server.signatory.sign(openid_response).fields.toPostArgs() + return {'success': True, + 'response': openid_response} + diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index 0ea6fac2c3..ad00d60565 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -18,6 +18,11 @@ tags: - packages +- name: Copy OpenID API extension + copy: src=api.py + dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openid/extensions/api.py + owner=root group=root mode=0644 + - name: copy ipsilon templates copy: src=templates/ dest=/usr/share/ipsilon/templates-fedora diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf index c64a69559d..fed2673c0e 100644 --- a/roles/ipsilon/templates/configuration.conf +++ b/roles/ipsilon/templates/configuration.conf 
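Review bot: In roles/ipsilon/files/api.py, `_perform_call` takes `username` and `password` from whatever keyword arguments reached `root()`, and nothing visible restricts the HTTP method, so credentials sent in a query string would be accepted and would land in web-server access logs; the handler should reject anything but a POST body. The bare lookups `arguments['auth_module']`, `arguments['username']` and `arguments['password']` raise `KeyError` on a missing field instead of taking the 400 path, which `arguments.get('username')` followed by `if not username or not password:` would fix. The signed identity is built from the submitted string (`User(username)`) rather than from the account `fas.fpc.login` returned, so if that login accepts aliases or differently-cased names the assertion may not carry the canonical name; deriving it from `user` would be safer. `print 'No user or data: %s, %s' % (user, userdata)` and `print 'Error during auth: %s' % ex` write account attributes and raw exception text to stdout, where logging only the username and the failure class is enough. Nothing in this file throttles failed attempts, so the endpoint presumably needs the same rate limiting as the interactive login form.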
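Review bot: In roles/ipsilon/tasks/main.yml the new `Copy OpenID API extension` task carries neither `tags:` nor `notify:`, unlike the task directly above it, so a tagged run skips it and an updated `api.py` is not loaded until something else restarts the web server. It should get the role's usual tags and a `notify:` for whichever handler restarts Ipsilon's httpd. The destination also hard-codes `/usr/lib/python2.7/site-packages/ipsilon/...`, a directory owned by the ipsilon package, so the dropped file is not tracked by the package manager and the role is tied to one Python version; a comment on the task saying this is a local overlay would help the next maintainer.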
@@ -33,7 +33,7 @@ openid endpoint url=https://id.fedoraproject.org/openid/ openid identity url template=http://%(username)s.id.fedoraproject.org/ openid trusted roots=http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin,https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/tagger/,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,http://copr-fe.cloud.fedoraproject.org/,https://admin.fedoraproject.org/pkgdb/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/ {% endif %} -openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }} +openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }} openid untrusted roots= -openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration +openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration,API diff --git a/roles/ipsilon/templates/ipsilon.conf b/roles/ipsilon/templates/ipsilon.conf index d67d0a0e0b..c8cf554cf2 100644 --- a/roles/ipsilon/templates/ipsilon.conf +++ b/roles/ipsilon/templates/ipsilon.conf 
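Review bot: `API` is appended to `openid enabled extensions` below the `{% endif %}`, so as far as this hunk shows, the password-accepting endpoint from roles/ipsilon/files/api.py is switched on in every environment at once rather than in staging first. If that is not intended, the line can be wrapped in the same kind of environment conditional that closes just above it. The hunk also starts using `ipsilon_db_openid_name`, and roles/ipsilon/templates/ipsilon.conf likewise introduces `ipsilon_db_prefs_name`, `ipsilon_db_transactions_name` and `ipsilon_db_sessions_name`; none of them is defined in this diff, so they must already exist in the inventory or the templates will not render.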
@@ -6,13 +6,13 @@ template_dir = "/usr/share/ipsilon/templates-fedora" log.screen = False base.dir = "/usr/share/ipsilon" admin.config.db = "configfile:///etc/ipsilon/configuration.conf" -user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}" -transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}" +user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}" +transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}" tools.sessions.on = True tools.sessions.name = "fedora_ipsilon_session_id" tools.sessions.storage_type = "Sql" -tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}" +tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}" tools.sessions.timeout = 60 tools.sessions.httponly = True tools.sessions.secure = True diff --git a/roles/koschei/tasks/main.yml b/roles/koschei/tasks/main.yml index 62a3f4fda8..a7854dd282 100644 --- a/roles/koschei/tasks/main.yml +++ b/roles/koschei/tasks/main.yml 
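Review bot: All of the rewritten database URIs still authenticate as `{{ ipsilon_db_user }}` with `{{ ipsilon_db_pass }}`, so splitting preferences, transactions and sessions into separate databases adds no privilege separation: a leak of this one credential still exposes every store. If isolation is a goal, each database needs its own role and password variable. The password is also interpolated raw into the URI, so a value containing `@`, `/` or `:` changes how the URI parses; applying Jinja's `urlencode` filter, as in `{{ ipsilon_db_pass | urlencode }}`, avoids that.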
@@ -125,3 +125,44 @@
 owner=koschei group=koschei mode=0600
 tags:
 - koschei
+
+- name: Create libexec/koschei dir
+ file: path=/usr/libexec/koschei state=directory
+ when: env == "production"
+ tags:
+ - koschei
+ - hotfix
+
+- name: Create symlinks to python to get specific executable names
+ file: path="/usr/libexec/koschei/koschei-{{ item }}"
+ src=/usr/bin/python
+ state=link
+ when: env == "production"
+ with_items:
+ - polling
+ - resolver
+ - scheduler
+ - watcher
+ tags:
+ - koschei
+ - hotfix
+
+- name: Run using specific symlinks
+ lineinfile: dest="/usr/lib/systemd/system/koschei-{{ item }}.service"
+ regexp="^ExecStart"
+ line="ExecStart=/usr/libexec/koschei/koschei-{{ item }} -m koschei.main {{ item }}"
+ when: env == "production"
+ with_items:
+ - polling
+ - resolver
+ - scheduler
+ - watcher
+ tags:
+ - koschei
+ - hotfix
+ notify:
+ - reload systemd
+ - restart koschei-polling
+ - restart koschei-resolver
+ - restart koschei-scheduler
+ - restart koschei-watcher
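Review bot: The `Run using specific symlinks` task rewrites `ExecStart` inside `/usr/lib/systemd/system/koschei-{{ item }}.service`, which is the packaged unit file, so a package update will restore the original line and the services will run under the shared `python` process name again until the next playbook run. A drop-in under `/etc/systemd/system/koschei-{{ item }}.service.d/` that clears and re-sets `ExecStart` survives updates and leaves the packaged file unmodified. Separately, `file: path=/usr/libexec/koschei state=directory` sets no owner, group or mode; because the units now execute through symlinks in that directory, adding `owner=root group=root mode=0755` stops its permissions depending on the umask of the run.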