From f183f5262b57c23585095d52dce217aa123f93bc Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 19 Sep 2022 13:53:15 -0700
Subject: [PATCH] pagure-stg01 / ipsilon*.stg: split db passwords from stg and prod

Signed-off-by: Kevin Fenzi
---
 roles/distgit/pagure/templates/pagure.cfg | 10 +++++
 .../distgit/pagure/templates/pagure_hook.cfg | 4 ++
 roles/ipsilon/templates/configuration.conf | 12 ++++++
 roles/ipsilon/templates/ipsilon.conf | 9 +++++
 roles/pagure/tasks/main.yml | 37 +++++++++++++++++++
 roles/pagure/templates/pagure.cfg | 9 +++++
 6 files changed, 81 insertions(+)

diff --git a/roles/distgit/pagure/templates/pagure.cfg b/roles/distgit/pagure/templates/pagure.cfg
index 6889fe6071..678ab4b1a8 100644
--- a/roles/distgit/pagure/templates/pagure.cfg
+++ b/roles/distgit/pagure/templates/pagure.cfg
@@ -10,9 +10,15 @@ os.umask(0o002)
 # (ie: changing a project's or a user's settings)
 ADMIN_SESSION_LIFETIME = timedelta(minutes=20)
 
+{% if env == 'staging' %}
+### Secret key for the Flask application
+SECRET_KEY='{{ distgit_stg_pagure_secret_key }}'
+SALT_EMAIL='{{ distgit_stg_pagure_secret_salt_email }}'
+{% else %}
 ### Secret key for the Flask application
 SECRET_KEY='{{ distgit_pagure_secret_key }}'
 SALT_EMAIL='{{ distgit_pagure_secret_salt_email }}'
+{% endif %}
 
 {% if env == 'staging' %}
 EMAIL_SEND = False
@@ -26,7 +32,11 @@ PREFERRED_URL_SCHEME='https'
 ### url to the database server:
 #DB_URL=mysql://user:pass@host/db_name
 #DB_URL=postgres://user:pass@host/db_name
+{% if env == 'staging' %}
+DB_URL = 'postgresql://{{ distgit_stg_pagure_db_user }}:{{ distgit_stg_pagure_db_pass }}@{{ pagure_db_host }}/{{ distgit_stg_pagure_db_name }}'
+{% else %}
 DB_URL = 'postgresql://{{ distgit_pagure_db_user }}:{{ distgit_pagure_db_pass }}@{{ pagure_db_host }}/{{ distgit_pagure_db_name }}'
+{% endif %}
 
 ### FAS groups of pagure admins
 ADMIN_GROUP = ['cvsadmin', 'sysadmin-main']
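Review bot: In the first hunk the added `{% endif %}` closes immediately before the file's existing `{% if env == 'staging' %}` line, so the same condition is now tested twice back to back and the `### Secret key for the Flask application` comment is repeated in both branches; folding the staging SECRET_KEY/SALT_EMAIL lines into that existing staging block (production values in its else branch) would leave one staging section, assuming that block has or can take an else branch, which is outside this hunk. In the second hunk, and in the identical pattern in pagure_hook.cfg below, the whole DB_URL line is duplicated when only three variables differ; selecting them once with Jinja inline conditionals, e.g. `{% set db_user = distgit_stg_pagure_db_user if env == 'staging' else distgit_pagure_db_user %}` (likewise for the password and database name) and then a single `DB_URL = 'postgresql://{{ db_user }}:{{ db_pass }}@{{ pagure_db_host }}/{{ db_name }}'`, leaves one line to audit for the credential that ends up on disk. The `db_*` names are constructed here; use whatever fits the role's conventions.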
diff --git a/roles/distgit/pagure/templates/pagure_hook.cfg b/roles/distgit/pagure/templates/pagure_hook.cfg
index 3cf894525a..aaf2914fd7 100644
--- a/roles/distgit/pagure/templates/pagure_hook.cfg
+++ b/roles/distgit/pagure/templates/pagure_hook.cfg
@@ -3,7 +3,11 @@ import os
 
 os.umask(0o002)
 
+{% if env == 'staging' %}
+DB_URL = 'postgresql://{{ distgit_stg_pagure_db_ro_user }}:{{ distgit_stg_pagure_db_ro_pass }}@{{ pagure_db_host }}/{{ distgit_stg_pagure_db_name }}'
+{% else %}
 DB_URL = 'postgresql://{{ distgit_pagure_db_ro_user }}:{{ distgit_pagure_db_ro_pass }}@{{ pagure_db_host }}/{{ distgit_pagure_db_name }}'
+{% endif %}
 
 {% include "pagure_shared.cfg" %}
 
diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf
index 21680bc7e5..627880e6a5 100644
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@@ -23,7 +23,11 @@ openidc subject salt={{ ipsilon_openidc_subject_salt }}
 openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/
 openidc idp key file=/etc/ipsilon/root/openidc.key
 openidc static database url=configfile:///etc/ipsilon/root/openidc.static.cfg
+{% if env == 'staging' %}
+openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% else %}
 openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% endif %}
 openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication
 openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
 openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
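Review bot: Only `ipsilon_db_pass` versus `ipsilon_stg_db_pass` differs between the two branches of the configuration.conf hunk, yet the entire `openidc database url=` line is duplicated, and the same five-line conditional is repeated for the openid, saml2 session, user.prefs/transactions and sessions URLs in the next three hunks of configuration.conf and ipsilon.conf, so any database URL added later can silently keep the production password in staging. Selecting the password once near the top of each template, `{% set ipsilon_db_pass_env = ipsilon_stg_db_pass if env == 'staging' else ipsilon_db_pass %}`, and writing `{{ ipsilon_db_pass_env }}` in every URL leaves a single branch to review. The variable name is constructed here; pick whatever matches the role's conventions.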
@@ -38,7 +42,11 @@ openid trusted roots=
 {% else %}
 openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,https://copr.fedoraproject.org/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/,http://pagure.io/,http://admin.fedoraproject.org/mirrormanager/,https://koschei.fedoraproject.org/,https://bodhi.fedoraproject.org,https://lists.fedoraproject.org/,https://openqa.fedoraproject.org/,https://src.fedoraproject.org/
 {% endif %}
+{% if env == 'staging' %}
+openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% else %}
 openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+{% endif %}
 openid untrusted roots=
 openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
 openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
@@ -55,7 +63,11 @@ saml2 idp key file=idp.key
 saml2 allow self registration=False
 saml2 default nameid=transient
 saml2 default email domain=fedoraproject.org
+{% if env == 'staging' %}
+saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}
+{% else %}
 saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}
+{% endif %}
 
 [saml2_data]
 {% if env == 'staging' %}
diff --git a/roles/ipsilon/templates/ipsilon.conf b/roles/ipsilon/templates/ipsilon.conf
index a10c7b66cc..8ef51a0f2a 100644
--- a/roles/ipsilon/templates/ipsilon.conf
+++ b/roles/ipsilon/templates/ipsilon.conf
@@ -10,13 +10,22 @@ db.conn.log = False
 db.echo = False
 # base.mount = ""
 admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% if env == 'staging' %}
+user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
+transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
+{% else %}
 user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
 transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
+{% endif %}
 
 tools.sessions.on = True
 tools.sessions.name = "fedora_ipsilon_session_id"
 tools.sessions.storage_type = "sql"
+{% if env == 'staging' %}
+tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_stg_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
+{% else %}
 tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
+{% endif %}
 tools.sessions.timeout = 15
 tools.sessions.httponly = True
 tools.sessions.secure = True
diff --git a/roles/pagure/tasks/main.yml b/roles/pagure/tasks/main.yml
index 2f58261968..9ebd71bcea 100644
--- a/roles/pagure/tasks/main.yml
+++ b/roles/pagure/tasks/main.yml
@@ -42,6 +42,7 @@
   tags:
   - pagure
   - postgresql
+  when: env != 'pagure-staging'
 
 - name: create the pagure DB user
   become_user: postgres
@@ -52,6 +53,7 @@
   tags:
   - pagure
   - postgresql
+  when: env != 'pagure-staging'
 
 - name: create the pagure database creation
   become_user: postgres
@@ -63,6 +65,41 @@
   tags:
   - pagure
   - postgresql
+  when: env != 'pagure-staging'
+
+- name: create the pagure DB user
+  become_user: postgres
+  become: true
+  postgresql_user:
+    name: "{{ pagure_stg_db_user }}"
+    password: "{{ pagure_stg_db_pass }}"
+  tags:
+  - pagure
+  - postgresql
+  when: env == 'pagure-staging'
+
+- name: create the pagure DB user
+  become_user: postgres
+  become: true
+  postgresql_user:
+    name: "{{ pagure_stg_db_admin_user }}"
+    password: "{{ pagure_stg_db_admin_pass }}"
+  tags:
+  - pagure
+  - postgresql
+  when: env == 'pagure-staging'
+
+- name: create the pagure database creation
+  become_user: postgres
+  become: true
+  postgresql_db:
+    name: "{{ pagure_stg_db_name }}"
+    owner: "{{ pagure_stg_db_user }}"
+    encoding: UTF-8
+  tags:
+  - pagure
+  - postgresql
+  when: env == 'pagure-staging'
 
 - name: Put in robots.txt
   template: src=robots.txt.j2 dest=/var/www/html/robots.txt
diff --git a/roles/pagure/templates/pagure.cfg b/roles/pagure/templates/pagure.cfg
index 7677308a9b..ef08911130 100644
--- a/roles/pagure/templates/pagure.cfg
+++ b/roles/pagure/templates/pagure.cfg
@@ -12,8 +12,13 @@ ADMIN_SESSION_LIFETIME = timedelta(minutes=20)
 WTF_CSRF_TIME_LIMIT=None
 
 ### Secret key for the Flask application
+{% if env == 'staging' %}
+SECRET_KEY='{{ pagure_stg_secret_key }}'
+SALT_EMAIL='{{ pagure_stg_secret_salt_email }}'
+{% else %}
 SECRET_KEY='{{ pagure_secret_key }}'
 SALT_EMAIL='{{ pagure_secret_salt_email }}'
+{% endif %}
 
 EMAIL_SEND = True
 
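Review bot: The new tasks in the third main.yml hunk create the staging DB user, admin user and database only when `env == 'pagure-staging'`, while the roles/pagure/templates/pagure.cfg hunks in this same commit select `pagure_stg_secret_key` and `pagure_stg_db_user`/`pagure_stg_db_pass` only when `env == 'staging'`; a single host cannot satisfy both literals, so whichever one the staging inventory carries, the other file falls through to its production branch and the rendered DB_URL will not match the credentials created here — the inventory is not in this diff, so please confirm the value pagure-stg01 sets and use the same literal in both files. The three added tasks hand `pagure_stg_db_pass` and `pagure_stg_db_admin_pass` to `postgresql_user` without `no_log: true`; the module may mask its own password argument, but `no_log: true` on credential-bearing tasks is the usual belt-and-braces against verbose or debug run logs. Both new user tasks reuse the name `create the pagure DB user`, identical to the production tasks above them, so `- name: create the pagure staging DB admin user` and the like would make run output unambiguous.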
@@ -28,7 +33,11 @@ FAS_OPENID_ENDPOINT = 'https://id.stg.fedoraproject.org/openid/'
 ### url to the database server:
 #DB_URL=mysql://user:pass@host/db_name
 #DB_URL=postgres://user:pass@host/db_name
+{% if env == 'staging' %}
+DB_URL = 'postgresql://{{ pagure_stg_db_user }}:{{ pagure_stg_db_pass }}@{{ pagure_db_host }}/{{ pagure_stg_db_name }}'
+{% else %}
 DB_URL = 'postgresql://{{ pagure_db_user }}:{{ pagure_db_pass }}@{{ pagure_db_host }}/{{ pagure_db_name }}'
+{% endif %}
 
 ### The FAS group in which the admin of pagure are
 ADMIN_GROUP = None