ansible/roles/bodhi2/base/templates/production.ini.j2

[filter:proxy-prefix]
use = egg:PasteDeploy#prefix
prefix = /
scheme = https

[app:main]
use = egg:bodhi-server
filter-with = proxy-prefix

# Release status
# pre-beta enforces the 'Pre Beta' policy defined here:
# https://fedoraproject.org/wiki/Updates_Policy
f27.status = pre_beta

f27.post_beta.mandatory_days_in_testing = 7
f27.post_beta.critpath.num_admin_approvals = 0
f27.post_beta.critpath.min_karma = 2
f27.post_beta.critpath.stable_after_days_without_negative_karma = 14

f27.pre_beta.mandatory_days_in_testing = 3
f27.pre_beta.critpath.num_admin_approvals = 0
f27.pre_beta.critpath.min_karma = 1

##
## Atomic OSTree support
## This will compose Atomic OSTrees during the push process using the fedmsg-atomic-composer
## https://github.com/fedora-infra/fedmsg-atomic-composer
##
compose_atomic_trees = true

##
## Messages
##

# A notice to flash on the front page
frontpage_notice =

# A notice to flash on the New Update page
newupdate_notice =

testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/Package_update_acceptance_criteria">Package Update Acceptance Criteria</a>
not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/EPEL_Updates_Policy">EPEL Updates Policy</a>
stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository

testing_approval_msg_based_on_karma = This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.
not_yet_tested_msg_based_on_karma = This update has not reached the stable karma threshold.

# Libravatar - If this is true libravatar will work as normal. Otherwise, all
# libravatar links will be replaced with the string "libravatar.org" so that
# the tests can still pass.
libravatar_enabled = True
# Set this to true if you want to do federated dns libravatar lookup
libravatar_dns = False

# Set this to True in order to send fedmsg messages.
fedmsg_enabled = True


# Captcha - if 'captcha.secret' is not None, then it will be used for comments
# captcha.secret must be 32 url-safe base64-encoded bytes
# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key()
captcha.secret = {{ bodhi2CaptchaSecret }}
# Dimensions
captcha.image_width = 300
captcha.image_height = 80
# Any truetype font will do.
captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
captcha.font_size = 36
# Colors
captcha.font_color = #000000
captcha.background_color = #ffffff
# In pixels
captcha.padding = 5
# If a captcha sits around for this many seconds, it will stop working.
captcha.ttl = 300

#datagrepper_url = http://localhost:5000
datagrepper_url = https://apps.fedoraproject.org/datagrepper
badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands


##
## Wiki Test Cases
##

## Query the wiki for test cases
query_wiki_test_cases = True
wiki_url = https://fedoraproject.org/w/api.php
test_case_base_url = https://fedoraproject.org/wiki/

# Email domain to prepend usernames to
default_email_domain = fedoraproject.org

# domain for generated message IDs
message_id_email_domain = admin.fedoraproject.org

##
## Mash settings
##

# If defined, the bodhi masher will ensure that messages are signed with the given cert
{% if ansible_hostname == 'bodhi-backend01' %}
releng_fedmsg_certname = shell-bodhi-backend01.phx2.fedoraproject.org
{% else %}
releng_fedmsg_certname = shell-bodhi-backend03.phx2.fedoraproject.org
{% endif %}

# The masher is a bodhi instance that is responsible for composing the update
# repositories, regenerating metrics, sending update notices, closing bugs,
# and other costly operations.  To set an external masher, set the masher to
# the baseurl of the bodhi instance.  If set to None, this bodhi instance
# will act as a masher as well.
#masher = None

{% if 'backend' in inventory_hostname %}
mash_dir = /mnt/koji/compose/updates/
mash_stage_dir = /mnt/koji/compose/updates/
{% endif %}
pungi.basepath = /etc/bodhi
pungi.conf.rpm = pungi.rpm.conf.j2
pungi.conf.module = pungi.module.conf.j2
pungi.labeltype = Update
pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification

## Our periodic jobs
#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates
jobs = cache_release_data refresh_metrics approve_testing_updates

## Comps configuration
comps_dir = /var/cache/bodhi/comps
comps_url = https://pagure.io/fedora-comps.git

##
## Mirror settings
##
file_url = https://download.fedoraproject.org/pub/fedora/linux/updates
master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
fedora_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
fedora_epel_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml

# {release}_{request}_master_repomd: This is used by the masher to determine when a
#     primary architecture push has been synchronized to the master mirror for a given release and
#     request. The masher will verify that the checksum of repomd.xml at the master URL matches the
#     expected value, and will poll the URL until this test passes. Substitute release and request
#     for each release id (replacing -'s with _'s) and request (stable, testing). Used for the
#     arches listed in {release}_{version}_primary_arches when it is defined, else used for all
#     arches. You must put two %s's in this setting - the first will be replaced with the release
#     version and the second will be replaced with the architecture.
fedora_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
fedora_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/testing/%s/%s/repodata/repomd.xml
fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml

# {release}_{request}_alt_master_repomd: This is used by the masher to determine when a
#     secondary architecture push has been synchronized to the master mirror for a given release and
#     request. The masher will verify that the checksum of repomd.xml at the master URL matches the
#     expected value, and will poll the URL until this test passes. Substitute release and request
#     for each release id (replacing -'s with _'s) and request (stable, testing). Used for the
#     arches not listed in {release}_{version}_primary_arches if it is defined. You must put two %s's
#     in this setting - the first will be replaced with the release version and the second will be
#     replaced with the architecture.
fedora_stable_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/%s/%s/repodata/repomd.xml
fedora_testing_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/testing/%s/%s/repodata/repomd.xml


## The base url of this application
base_address = https://bodhi.fedoraproject.org/


## Primary architechures by release
##
## {release}_{version}_primary_arches: Releases that have alternative arches must define their
##      primary arches here. Any arches found during mashing that are not present here are asssumed
##      to be alternative arches. This is used during the wait_for_repo() step of the mash where
##      Bodhi polls the master repo to find out whether the mash has made it to the repo or not.
##      Bodhi looks for primary arches with the {release}_{request}_master_repomd setting above, and
##      for alternative arches at the {release}_{request}_alt_master_repomd setting above. If this
##      is not set, Bodhi will assume the release only has primary arches.
fedora_26_primary_arches = armhfp x86_64


## Supported update types
update_types = bugfix enhancement security newpackage

## Supported architechures
##
## To handle arch name changes between releases, you
## can also configure bodhi to support one arch *or*
## another. For example, EPEL5 mashes produce 'ppc'
## repos, where EPEL6 produces 'ppc64'. To handle this
## scenario, you can specify something like:
##
##   arches = ppc/ppc64
##
arches = x86_64 armhfp i386

##
## Email setting
##

smtp_server = bastion

# The updates system itself.  This email address is used in fetching Bugzilla
# information, as well as email notifications
bodhi_email = updates@fedoraproject.org
bodhi_password = {{ bodhiBugzillaPassword }}

# The address that gets the requests
release_team_address = bodhiadmin-members@fedoraproject.org

# The address to notify when security updates are initially added to bodhi
security_team = security_respons-members@fedoraproject.org

# Public announcement lists
fedora_announce_list = package-announce@lists.fedoraproject.org
fedora_test_announce_list = test@lists.fedoraproject.org
fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org

# Superuser groups
admin_groups = proventesters security_respons bodhiadmin sysadmin-main

# Users that we don't want to show up in the "leaderboard(s)"
stats_blacklist = bodhi anonymous autoqa taskotron

# A list of non-person users
system_users = bodhi autoqa taskotron

# The max length for an update title before we truncate it in the web ui
max_update_length_for_ui = 70

# The number of days used for calculating the 'top testers' metric
top_testers_timeframe = 900

# The email address of the proventesters
proventesters_email = proventesters-members@fedoraproject.org

# Disabled for the initial release.
stacks_enabled = False

# These are the default requirements that we apply to stacks, packages, and
# updates.  Users have free-reign to override them for each kind of entity.  At
# the end of the day, we only consider the requirements defined by single
# updates themselves when gating in the backend masher process.
site_requirements = dist.rpmdeplint dist.upgradepath
## Some day we'll have rpmgrill, and that will be cool.  Ask tflink.
#site_requirements = depcheck upgradepath rpmgrill

# Where do we send update announcements to ?
# These variables should be named per: Release.prefix_id.lower()_announce_list
#fedora_announce_list =
#fedora_test_announce_list =
#fedora_epel_announce_list =
#fedora_epel_test_announce_list =

# Cache settings
dogpile.cache.backend = dogpile.cache.dbm
dogpile.cache.expiration_time = 100
dogpile.cache.arguments.filename = /var/cache/bodhi/dogpile-cache.dbm

# Exclude sending emails to these users
exclude_mail = autoqa taskotron

##
## Buildsystem settings
##

# What buildsystem do we want to use?  For development, we'll use a fake
# buildsystem that always does what we tell it to do.  For production, we'll
# want to use 'koji'.
buildsystem = koji

# Koji's XML-RPC hub
koji_hub = https://koji.fedoraproject.org/kojihub

# Root url of the Koji instance to point to. No trailing slash
koji_url = https://koji.fedoraproject.org

# URL of where users should go to set up their notifications
fmn_url = https://apps.fedoraproject.org/notifications/

# URL of the resultsdb for integrating checks and stuff
resultsdb_url = https://taskotron.fedoraproject.org/resultsdb/
resultsdb_api_url = https://taskotron.fedoraproject.org/resultsdb_api/

fedmenu.url = https://apps.fedoraproject.org/fedmenu
fedmenu.data_url = https://apps.fedoraproject.org/js/data.js

# Koji Krb stuff
krb_ccache = /tmp/krb5cc_%{uid}
krb_principal = bodhi/bodhi{{ env_suffix }}.fedoraproject.org@{{ ipa_realm }}
krb_keytab = /etc/krb5.bodhi_bodhi{{ env_suffix }}.fedoraproject.org.keytab

# Set this to True to enable gating based on policies enforced by Greenwave. If you set this to True,
# be sure to add a cron job to run the bodhi-check-policies CLI periodically.
test_gating.required = False

# If this is set to a URL, a "More information about test gating" link will appear on update pages for users
# to click and learn more.
# test_gating.url =

# The API url of Greenwave.
greenwave_api_url = https://greenwave-web-greenwave.app.os.fedoraproject.org/api/v1.0

##
## ACL system
## Choices are 'pkgdb', which will send a JSON query to the pkgdb_url below,
## 'pagure', which will query the pagure_url below, or 'dummy', which will
## always return guest credentials (used for local development).
##
acl_system = pagure

##
## Package DB
##
pkgdb_url = https://admin.fedoraproject.org/pkgdb

##
## Pagure
##
pagure_url = https://src.fedoraproject.org/

# We used to get our package tags from pkgdb, but they come from tagger now.
# https://github.com/fedora-infra/fedora-tagger/pull/74
#pkgtags_url = https://apps.fedoraproject.org/tagger/api/v1/tag/sqlitebuildtags/

##
## Bug tracker settings
##
bugtracker = bugzilla

initial_bug_msg = %s has been submitted as an update to %s. %s
stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
testing_bug_msg =
    See https://fedoraproject.org/wiki/QA:Updates_Testing for
    instructions on how to install test updates. 
    You can provide feedback for this update here: %s

testing_bug_epel_msg =
    See https://fedoraproject.org/wiki/QA:Updates_Testing for
    instructions on how to install test updates. 
    You can provide feedback for this update here: %s

##
## Bugzilla settings.
##

# The username/password for our bugzilla account comes
# from the bodhi_{email,password} fields.

bz_server = https://bugzilla.redhat.com/xmlrpc.cgi
#bz_cookie =

# Bodhi will avoid touching bugs that are not against the following products
bz_products = Fedora,Fedora EPEL

buglink = https://bugzilla.redhat.com/show_bug.cgi?id=%s

##
## Packages that should suggest a reboot
##
reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 kernel-xenU kernel-xen kernel-xen-guest glibc hal dbus

##
## Critical Path Packages
## https://fedoraproject.org/wiki/Critical_path_package
##

# Enable this to query the Fedora Package Database for the list of Critical
# Path Packages.  If disabled, it'll just use the hardcoded list below.
critpath.type = pkgdb

# You can hardcode a list of critical path packages instead of using the PackageDB
#critpath_pkgs = kernel

# The number of admin approvals it takes to be able to push a critical path
# update to stable for a pending release.
critpath.num_admin_approvals = 0

# The net karma required to submit a critial path update to a pending release)
critpath.min_karma = 2

# Allow critpath to submit for stable after 2 weeks with no negative karma
critpath.stable_after_days_without_negative_karma = 14

# The minimum amount of time an update must spend in testing before
# it can reach the stable repository
fedora.mandatory_days_in_testing = 7
fedora_epel.mandatory_days_in_testing = 14

##
## Release status
##

# Pre-beta enforces the Pre Beta policy defined here:
# https://fedoraproject.org/wiki/Updates_Policy
#f15.status = 'pre_beta'
#f15.pre_beta.mandatory_days_in_testing = 3
#f15.pre_beta.critpath.num_admin_approvals = 0
#f15.pre_beta.critpath.min_karma = 1

# For test cases.
f7.status = post_beta
f7.post_beta.mandatory_days_in_testing = 7
f7.post_beta.critpath.num_admin_approvals = 0
f7.post_beta.critpath.min_karma = 2

# The number of days worth of updates/comments to display
feeds.num_days_to_show = 7
feeds.max_entries = 20

##
## Buildroot Override
##

# Number of days before expiring overrides
buildroot_overrides.expire_after = 1

##
## Groups
##

# FAS Groups that we want to pay attention to
# When a user logs in, bodhi will look for any of these groups and associate #
# them with the user. They will then appear as the users effective principals in
# the format "group:groupname" and can be used in Pyramid ACE's.
important_groups = proventesters provenpackager releng-team security_respons packager bodhiadmin virtmaint-sig kde-sig eclipse-sig infra-sig gnome-sig python-sig robotics-sig qa-tools-sig nodejs-sig lxqt-sig astro-sig

# Groups that can push updates for any package
admin_packager_groups = provenpackager releng-team security_respons

# User must be a member of this group to submit updates
mandatory_packager_groups = packager

##
## updateinfo.xml configuraiton
##
updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.

##
## Authentication & Authorization
##

# pyramid.openid
openid.success_callback = bodhi.server.security:remember_me
openid.provider = https://id.fedoraproject.org/openid/
openid.url = https://id.fedoraproject.org/
openid_template = {username}.id.fedoraproject.org
openid.sreg_required = email

# CORS allowed origins for cornice services
# This can be wide-open.  read-only, we don't care as much about.
cors_origins_ro = *
# This should be more locked down to avoid cross-site request forgery.
cors_origins_rw = https://bodhi.fedoraproject.org
cors_connect_src = https://*.fedoraproject.org/ wss://hub.fedoraproject.org:9939/


##
## Pyramid settings
##
pyramid.reload_templates = false
pyramid.debug_authorization = false
pyramid.debug_notfound = false
pyramid.debug_routematch = false
pyramid.default_locale_name = en

pyramid.includes =
    pyramid_tm

debugtoolbar.hosts = 127.0.0.1 ::1

##
## Database
##
sqlalchemy.url = postgresql://bodhi2:{{ bodhi2Password }}@db-bodhi/bodhi2

##
## Templates
##
mako.directories = bodhi:server/templates

##
## Authentication & Sessions
##

authtkt.secret = {{ bodhi2AuthTkt }}
session.secret = {{ bodhi2SessionSecret }}
authtkt.secure = true
# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
authtkt.timeout = 1209600

# pyramid_beaker
session.type = file
session.data_dir = /var/cache/bodhi/sessions/data
session.lock_dir = /var/cache/bodhi/sessions/lock
session.key = {{ bodhi2SessionKey }}
session.cookie_on_exception = true
# Tell the browser to only send the cookie over TLS
session.secure = true
# Create a cookie that is only valid for one day
session.timeout = 86400
cache.regions = default_term, second, short_term, long_term
cache.type = memory
cache.second.expire = 1
cache.short_term.expire = 60
cache.default_term.expire = 300
cache.long_term.expire = 3600

[server:main]
use = egg:waitress#main
host = 0.0.0.0
port = 6543

[pshell]
m = bodhi.server.models
#db = bodhi.server.models.DBSession
t = transaction

# Begin logging configuration

[loggers]
keys = root, bodhi, sqlalchemy

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_bodhi]
level = DEBUG
handlers =
qualname = bodhi

[logger_sqlalchemy]
level = WARN
handlers =
qualname = sqlalchemy.engine
# "level = INFO" logs SQL queries.
# "level = DEBUG" logs SQL queries and results.
# "level = WARN" logs neither.  (Recommended for production systems.)

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s

# End logging configuration