[pkgs]: remove mentions of repospanner so that playbooks will set up things without it

Stephen Smoogen 2020-01-14 15:47:55 +00:00 committed by Pierre-Yves Chibon
parent dbdc75e762
commit ccaa519dd3
8 changed files with 3 additions and 179 deletions


@ -43,11 +43,6 @@ AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
{% if sshd_keyhelper %}
# For repospanner/git
AuthorizedKeysCommandUser git
AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
{% endif %}
{% if sshd_sftp %}
Subsystem sftp internal-sftp
{% endif %}


@ -50,7 +50,6 @@
- ansible-lint # needed to check ansible playbooks for issues.
- atomic-openshift-clients # For convenient client access to os.fp.o
- easy-rsa # For easy copying into ansible-private for certs.
- repoSpanner # To gen repospanner certs for now.
- dnf # To get dnf reposync
- dnf-plugins-core # To get dnf reposync
tags:


@ -110,17 +110,6 @@
notify:
- restart apache
- name: Allow repoSpanner access to Pagure config
acl: path=/etc/pagure/pagure.cfg
etype=user
entity=repoSpanner
permissions=r
state=present
tags:
- config
- pagure
when: env == "staging"
- name: pagure configuration for the hooks
template: src={{ item.file }}
dest={{ item.location }}/{{ item.file }}
@ -250,16 +239,6 @@
- web
- pagure
- name: set sebooleans so pagure can talk to repospanner
seboolean: name=httpd_can_network_connect
state=true
persistent=true
tags:
- selinux
- web
- pagure
when: env == "staging"
# HOTFIX: adjust bugzilla overrides
- name: HOTFIX - adjust bugzilla overrides
copy: src=fas2.py dest=/usr/lib/python2.7/site-packages/fedora/client/fas2.py
@ -387,17 +366,17 @@
- src: "{{private}}/files/rabbitmq/{{env}}/pki/issued/pagure{{ env_suffix }}.crt"
dest: src.fp.o.crt
owner: pagure
group: "{{ (env == 'production')|ternary('pagure', 'repoSpanner') }}"
group: "{{ (env == 'production')|ternary('pagure') }}"
mode: "444"
- src: "{{private}}/files/rabbitmq/{{env}}/pki/private/pagure{{ env_suffix }}.key"
dest: src.fp.o.key
owner: pagure
group: "{{ (env == 'production')|ternary('pagure', 'repoSpanner') }}"
group: "{{ (env == 'production')|ternary('pagure') }}"
mode: "440"
- src: "{{private}}/files/rabbitmq/{{env}}/pki/ca.crt"
dest: src.fp.o.ca
owner: pagure
group: "{{ (env == 'production')|ternary('pagure', 'repoSpanner') }}"
group: "{{ (env == 'production')|ternary('pagure') }}"
mode: "444"
tags:
- pagure
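Review bot: The three new `group:` lines in the last hunk of this file call `ternary('pagure')` with only one argument, but Ansible's `ternary` filter needs both a true and a false value, so these expressions should fail when templated in every environment. With the repoSpanner branch gone the conditional is not needed; a literal such as `group: pagure` says the same thing and cannot fail at template time. This matters most for `src.fp.o.key`, which is installed with mode "440": the group decides which accounts besides `pagure` can read the private key, so it is better stated explicitly than derived from an expression. The task these items belong to starts outside the hunk, so I cannot see which module consumes `group`.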


@ -86,16 +86,6 @@ PDC_URL = 'https://pdc{{ env_suffix }}.fedoraproject.org/rest_api/v1/'
SSH_KEYS_USERNAME_LOOKUP = True
SSH_KEYS_OPTIONS = 'restrict,command="/usr/libexec/pagure/aclchecker.py %(username)s"'
SSH_COMMAND_REPOSPANNER = ([
"/usr/libexec/repobridge",
"--extra", "username", "%(username)s",
"--extra", "repotype", "%(repotype)s",
"--extra", "project_name", "%(project_name)s",
"--extra", "project_user", "%(project_user)s",
"--extra", "project_namespace", "%(project_namespace)s",
"%(cmd)s",
"'pagure/%(repotype)s/%(reponame)s'",
], {"REPOBRIDGE_CONFIG": "/etc/repobridge/rpms.json"})
SSH_COMMAND_NON_REPOSPANNER = ([
"/usr/libexec/git-core/%(cmd)s",
"%(repopath)s",
@ -111,28 +101,4 @@ EXTERNAL_COMMITTER = {
{% if env == "staging" %}
ACL_DEBUG = True
# repoSpanner setup
# For now, repoSpanner is enabled on a per-repo basis
REPOSPANNER_NEW_REPO = None
REPOSPANNER_NEW_REPO_ADMIN_OVERRIDE = True
REPOSPANNER_NEW_FORK = True
REPOSPANNER_ADMIN_MIGRATION = True
REPOSPANNER_REGIONS = {
'rpms': {'url': 'https://fedora01.rpms.stg.fedoraproject.org:{{ repoSpanner_rpms_http }}',
'repo_prefix': 'pagure/',
{% if env == "staging" %}
'hook': '06cd5acb2d774491e02bc0dd4dc1555ab5664a6a',
{% else %}
'hook': '0000000000000000000000000000000000000000',
{% endif %}
'ca': '/etc/pagure/ca.crt',
'admin_cert': {'cert': '/etc/pagure/fedora_rpms_admin.crt',
'key': '/etc/pagure/fedora_rpms_admin.key'},
'push_cert': {'cert': '/etc/pagure/fedora_rpms_push.crt',
'key': '/etc/pagure/fedora_rpms_push.key'}
}
}
REPOSPANNER_PSEUDO_FOLDER = '/srv/git/repositories/pseudo'
{% endif %}


@ -188,44 +188,6 @@
- distgit
- mass-branching
# -- repoSpanner certs ---....etc...
- name: Install the certificates for repoSpanner access
copy: src="{{private}}/files/repoSpanner/{{env}}/ca/{{item}}"
dest="/etc/pagure/{{item}}"
owner=pagure group=pagure mode=0600
with_items:
- ca.crt
- fedora_rpms_admin.crt
- fedora_rpms_admin.key
- fedora_rpms_push.crt
- fedora_rpms_push.key
when: env == "staging"
tags:
- config
- distgit
- name: Deploy configuration
template: src=repospanner-admin.yml
dest=/etc/pagure/repospanner-admin.yml
when: env == "staging"
tags:
- config
- distgit
- name: dumps the state of the repos in JSON
cron:
name: "dumps the state of the repos in JSON"
job: "repospanner --config /etc/pagure/repospanner-admin.yml admin repo list --json | python -m json.tool > /srv/cache/extras/repoinfo.json"
hour: "*/2"
minute: "5"
state: present
user: "root"
cron_file: "repospanner_repoinfo_dump"
when: env == "staging"
tags:
- config
- distgit
# -- Gitolite --------------------------------------------
# This is the permission management for package maintainers, using Gitolite.
- name: create the /var/log/gitolite directory


@ -17,7 +17,6 @@
- libsemanage-python
- mod_ssl
- stunnel
- repoSpanner-bridge
# Use haveged to ensure the server keeps some entropy
- haveged
tags:
@ -216,7 +215,6 @@
with_items:
- { file: pagure.cfg, location: /etc/pagure }
- { file: alembic.ini, location: /etc/pagure }
- { file: repobridge_ansible.json, location: /etc/pagure }
tags:
- config
- web
@ -224,27 +222,6 @@
notify:
- restart apache
- name: Create the repoSpanner cert directory
file: path=/etc/pagure/repospanner state=directory mode=0750 owner=git group=git
tags:
- config
- pagure
- repospanner
- name: Copy repoSpanner certs and keys
copy: src={{private}}/files/repoSpanner/{{env}}/ca/{{item}} dest=/etc/pagure/repospanner/{{item}}
owner=git group=git mode=0640
with_items:
- ca.crt
- ansible-push.crt
- ansible-push.key
- ansible-admin.crt
- ansible-admin.key
tags:
- config
- pagure
- repospanner
when: env == "production"
- name: create the database scheme
command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py
@ -300,13 +277,6 @@
notify:
- restart apache
- name: let repospanner read the pagure config
command: /usr/bin/setfacl -m user:repoSpanner:r /etc/pagure/pagure.cfg
tags:
- pagure
- mirror
when: env != 'pagure-staging'
- name: let paguremirroring read the pagure config
command: /usr/bin/setfacl -m user:paguremirroring:rx /etc/pagure/pagure.cfg
tags:
@ -423,7 +393,6 @@
# - pagure_api_key_expire_mail.timer
- pagure_mirror_project_in
- pagure_mirror_project_in.timer
- repoSpanner@config
- fedmsg-relay
- haveged
ignore_errors: true


@ -103,8 +103,6 @@ WEBHOOK = True
### Folder containing to the git repos
GIT_FOLDER = '/srv/git/repositories'
REPOSPANNER_PSEUDO_FOLDER = '/srv/git/pseudo'
### Folder containing the forks repos
FORK_FOLDER = '/srv/git/repositories/forks'
@ -333,40 +331,6 @@ MIRROR_SSHKEYS_FOLDER='/srv/mirror/ssh'
SSH_KEYS_USERNAME_EXPECT = "git"
SSH_KEYS_OPTIONS = 'restrict,command="/usr/libexec/pagure/aclchecker.py %(username)s"'
SSH_COMMAND_REPOSPANNER = ([
"/usr/libexec/repobridge",
"--extra", "username", "%(username)s",
"--extra", "repotype", "%(repotype)s",
"--extra", "project_name", "%(project_name)s",
"--extra", "project_user", "%(project_user)s",
"--extra", "project_namespace", "%(project_namespace)s",
"%(cmd)s",
"'%(repotype)s/%(reponame)s'",
], {"REPOBRIDGE_CONFIG": "/etc/pagure/repobridge_ansible.json"})
SSH_COMMAND_NON_REPOSPANNER = ([
"/usr/bin/%(cmd)s",
"/srv/git/repositories/%(reponame)s",
], {"GL_USER": "%(username)s"})
# For now, repoSpanner is enabled on a per-repo basis.
# currently, only for the ansible repo.
REPOSPANNER_NEW_REPO = None
REPOSPANNER_NEW_REPO_ADMIN_OVERRIDE = True
REPOSPANNER_NEW_FORK = None
REPOSPANNER_ADMIN_MIGRATION = True
REPOSPANNER_REGIONS = {
"ansible": {"url": "https://pagure01.ansible.fedoraproject.org:{{ repoSpanner_ansible_http }}",
"repo_prefix": "pagure/",
"hook": "06cd5acb2d774491e02bc0dd4dc1555ab5664a6a",
"ca": "/etc/pagure/repospanner/ca.crt",
"admin_cert": {"cert": "/etc/pagure/repospanner/ansible-admin.crt",
"key": "/etc/pagure/repospanner/ansible-admin.key"},
"push_cert": {"cert": "/etc/pagure/repospanner/ansible-push.crt",
"key": "/etc/pagure/repospanner/ansible-push.key"},
},
}
GIT_AUTH_BACKEND = 'pagure'
HTTP_REPO_ACCESS_GITOLITE = None


@ -1,10 +0,0 @@
{
"ca": "/etc/pagure/repospanner/ca.crt",
"baseurl": "https://pagure01.ansible.fedoraproject.org:{{ repoSpanner_ansible_http }}",
"certs": {
"_default_": {
"cert": "/etc/pagure/repospanner/ansible-push.crt",
"key" : "/etc/pagure/repospanner/ansible-push.key"
}
}
}