pagure-stg01 / ipsilon*.stg: split db passwords from stg and prod

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-09-19 13:53:15 -07:00 · 2022-09-19 13:53:15 -07:00 · f183f5262b
commit f183f5262b
parent f46a6c8f2a
6 changed files with 81 additions and 0 deletions
--- a/roles/distgit/pagure/templates/pagure.cfg
+++ b/roles/distgit/pagure/templates/pagure.cfg
@ -10,9 +10,15 @@ os.umask(0o002)
 # (ie: changing a project's or a user's settings)
 ADMIN_SESSION_LIFETIME = timedelta(minutes=20)

+{% if env == 'staging' %}
+### Secret key for the Flask application
+SECRET_KEY='{{ distgit_stg_pagure_secret_key }}'
+SALT_EMAIL='{{ distgit_stg_pagure_secret_salt_email }}'
+{% else %}
 ### Secret key for the Flask application
 SECRET_KEY='{{ distgit_pagure_secret_key }}'
 SALT_EMAIL='{{ distgit_pagure_secret_salt_email }}'
+{% endif %}

 {% if env == 'staging' %}
 EMAIL_SEND = False
@ -26,7 +32,11 @@ PREFERRED_URL_SCHEME='https'
 ### url to the database server:
 #DB_URL=mysql://user:pass@host/db_name
 #DB_URL=postgres://user:pass@host/db_name
+{% if env == 'staging' %}
+DB_URL = 'postgresql://{{ distgit_stg_pagure_db_user }}:{{ distgit_stg_pagure_db_pass }}@{{ pagure_db_host }}/{{ distgit_stg_pagure_db_name }}'
+{% else %}
 DB_URL = 'postgresql://{{ distgit_pagure_db_user }}:{{ distgit_pagure_db_pass }}@{{ pagure_db_host }}/{{ distgit_pagure_db_name }}'
+{% endif %}

 ### FAS groups of pagure admins
 ADMIN_GROUP = ['cvsadmin', 'sysadmin-main']
--- a/roles/distgit/pagure/templates/pagure_hook.cfg
+++ b/roles/distgit/pagure/templates/pagure_hook.cfg
@ -3,7 +3,11 @@ import os

 os.umask(0o002)

+{% if env == 'staging' %}
+DB_URL = 'postgresql://{{ distgit_stg_pagure_db_ro_user }}:{{ distgit_stg_pagure_db_ro_pass }}@{{ pagure_db_host }}/{{ distgit_stg_pagure_db_name }}'
+{% else %}
 DB_URL = 'postgresql://{{ distgit_pagure_db_ro_user }}:{{ distgit_pagure_db_ro_pass }}@{{ pagure_db_host }}/{{ distgit_pagure_db_name }}'
+{% endif %}

 {% include "pagure_shared.cfg" %}

--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@ -23,7 +23,11 @@ openidc subject salt={{ ipsilon_openidc_subject_salt }}
 openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/
 openidc idp key file=/etc/ipsilon/root/openidc.key
 openidc static database url=configfile:///etc/ipsilon/root/openidc.static.cfg
+{% if env == 'staging' %}
+openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% else %}
 openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% endif %}
 openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication
 openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
 openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
@ -38,7 +42,11 @@ openid trusted roots=
 {% else %}
 openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
 {% endif %}
+{% if env == 'staging' %}
+openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% else %}
 openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% endif %}
 openid untrusted roots=
 openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
 openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
@ -55,7 +63,11 @@ saml2 idp key file=idp.key
 saml2 allow self registration=False
 saml2 default nameid=transient
 saml2 default email domain=fedoraproject.org
+{% if env == 'staging' %}
+saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}
+{% else %}
 saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}
+{% endif %}

 [saml2_data]
 {% if env == 'staging' %}
--- a/roles/ipsilon/templates/ipsilon.conf
+++ b/roles/ipsilon/templates/ipsilon.conf
@ -10,13 +10,22 @@ db.conn.log = False
 db.echo = False
 # base.mount = ""
 admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% if env == 'staging' %}
+user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
+transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
+{% else %}
 user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
 transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
+{% endif %}

 tools.sessions.on = True
 tools.sessions.name = "fedora_ipsilon_session_id"
 tools.sessions.storage_type = "sql"
+{% if env == 'staging' %}
+tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
+{% else %}
 tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
+{% endif %}
 tools.sessions.timeout = 15
 tools.sessions.httponly = True
 tools.sessions.secure = True
--- a/roles/pagure/tasks/main.yml
+++ b/roles/pagure/tasks/main.yml
@ -42,6 +42,7 @@
  tags:
  - pagure
  - postgresql
+  when: env != 'pagure-staging'

 - name: create the pagure DB user
  become_user: postgres
@ -52,6 +53,7 @@
  tags:
  - pagure
  - postgresql
+  when: env != 'pagure-staging'

 - name: create the pagure database creation
  become_user: postgres
@ -63,6 +65,41 @@
  tags:
  - pagure
  - postgresql
+  when: env != 'pagure-staging'
+
+- name: create the pagure DB user
+  become_user: postgres
+  become: true
+  postgresql_user:
+     name: "{{ pagure_stg_db_user }}"
+     password: "{{ pagure_stg_db_pass }}"
+  tags:
+  - pagure
+  - postgresql
+  when: env == 'pagure-staging'
+
+- name: create the pagure DB user
+  become_user: postgres
+  become: true
+  postgresql_user:
+     name: "{{ pagure_stg_db_admin_user }}"
+     password: "{{ pagure_stg_db_admin_pass }}"
+  tags:
+  - pagure
+  - postgresql
+  when: env == 'pagure-staging'
+
+- name: create the pagure database creation
+  become_user: postgres
+  become: true
+  postgresql_db:
+     name: "{{ pagure_stg_db_name }}"
+     owner: "{{ pagure_stg_db_user }}"
+     encoding: UTF-8
+  tags:
+  - pagure
+  - postgresql
+  when: env == 'pagure-staging'

 - name: Put in robots.txt
  template: src=robots.txt.j2 dest=/var/www/html/robots.txt
--- a/roles/pagure/templates/pagure.cfg
+++ b/roles/pagure/templates/pagure.cfg
@ -12,8 +12,13 @@ ADMIN_SESSION_LIFETIME = timedelta(minutes=20)
 WTF_CSRF_TIME_LIMIT=None

 ### Secret key for the Flask application
+{% if env == 'staging' %}
+SECRET_KEY='{{ pagure_stg_secret_key }}'
+SALT_EMAIL='{{ pagure_stg_secret_salt_email }}'
+{% else %}
 SECRET_KEY='{{ pagure_secret_key }}'
 SALT_EMAIL='{{ pagure_secret_salt_email }}'
+{% endif %}

 EMAIL_SEND = True

@ -28,7 +33,11 @@ FAS_OPENID_ENDPOINT = 'https://id.stg.fedoraproject.org/openid/'
 ### url to the database server:
 #DB_URL=mysql://user:pass@host/db_name
 #DB_URL=postgres://user:pass@host/db_name
+{% if env == 'staging' %}
+DB_URL = 'postgresql://{{ pagure_stg_db_user }}:{{ pagure_stg_db_pass }}@{{ pagure_db_host }}/{{ pagure_stg_db_name }}'
+{% else %}
 DB_URL = 'postgresql://{{ pagure_db_user }}:{{ pagure_db_pass }}@{{ pagure_db_host }}/{{ pagure_db_name }}'
+{% endif %}

 ### The FAS group in which the admin of pagure are
 ADMIN_GROUP = None