ansible/roles/copr/frontend/templates/copr.conf

# Purpose of this instance
# Use "production", "devel", "local" or "test"
ENV="{% if devel %}devel{% else %}{{ env }}{% endif %}"

# Directory and files where is stored Copr database files
DATA_DIR = '/var/lib/copr/data'
DATABASE = '/var/lib/copr/data/copr.db'

# Stage runs against staging FAS/OpenID
OPENID_PROVIDER_URL = "https://id{% if devel %}.stg{% endif %}.fedoraproject.org"
OPENID_STORE = '/var/lib/copr/data/openid_store'

WHOOSHEE_DIR = '/var/lib/copr/data/whooshee'
WHOOSHEE_MIN_STRING_LEN = 2
WHOOSHEE_WRITER_TIMEOUT = 10

SECRET_KEY = '{{ copr_secret_key }}'
{% if env == 'production' %}
BACKEND_PASSWORD = '{{ copr_backend_password  }}'
{% elif devel %}
BACKEND_PASSWORD = '{{ copr_backend_password_dev }}'
{% else %}
BACKEND_PASSWORD = '{{ copr_backend_password_stg }}'
{% endif %}

BACKEND_BASE_URL = '{{ backend_base_url }}'

BACKEND_STATS_URI = "/stats/index.html"

RESALLOC_URL = "{{ backend_base_url }}/resalloc"

# restrict access to a set of users
#USE_ALLOWED_USERS = False
#ALLOWED_USERS = ['bonnie', 'clyde']

SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://copr-fe:{{ copr_database_password }}@/coprdb'

# Token length, defaults to 30 (max 255)
#API_TOKEN_LENGTH = 30

# Expiration of API token in days
#API_TOKEN_EXPIRATION = 180

# logging options
#SEND_LOGS_TO = ['root@localhost']
{% if devel %}
LOGGING_LEVEL = 'debug'
{% endif %}

DEBUG = False
SQLALCHEMY_ECHO = False

CSRF_ENABLED = True
WTF_CSRF_ENABLED = True

# send emails when user's perms change in project?
SEND_EMAILS = True

{% if copr_kerberos_auth_enabled %}
KRB5_LOGIN = {
   'log_text':     "gssapi-login",
   'email_domain': "fedoraproject.org",
}
{% endif %}

PUBLIC_COPR_HOSTNAME = "{{ copr_frontend_public_hostname }}"

# When running the website through apache,
# this variable is automatically set from ServerName
# in the httpd config. Setting it in this file is needed
# for manage.py purposes
SERVER_NAME = "{{ copr_frontend_public_hostname }}"


LOG_FILENAME = "/var/log/copr-frontend/frontend.log"
LOG_DIR = "/var/log/copr-frontend/"

# to accept stat events from logstash
INTRANET_IPS = {{ copr_backend_ips }}

REPO_GPGCHECK = 1

{% if env == 'staging' %}
PUBLIC_COPR_BASE_URL = "https://copr.stg.fedoraproject.org"
{% else %}
PUBLIC_COPR_BASE_URL = "https://copr.fedorainfracloud.org"
{% endif %}

{% if env == 'staging' %}
# Staging URLs for fedmenu
FEDMENU_URL = "https://apps.stg.fedoraproject.org/fedmenu/"
FEDMENU_DATA_URL = "https://apps.stg.fedoraproject.org/js/data.js"
{% else %}
# Production URLs for fedmenu
FEDMENU_URL = "https://apps.fedoraproject.org/fedmenu/"
FEDMENU_DATA_URL = "https://apps.fedoraproject.org/js/data.js"
{% endif %}

# todo: check that ansible variable is used correctly
{% if env == 'staging' %}
ENFORCE_PROTOCOL_FOR_BACKEND_URL = "https"
ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "https"
{% else %}
ENFORCE_PROTOCOL_FOR_BACKEND_URL = "https"
ENFORCE_PROTOCOL_FOR_FRONTEND_URL = "https"
{% endif %}

DIST_GIT_URL="https://{{ dist_git_base_url }}/cgit"
DIST_GIT_CLONE_URL="https://{{ dist_git_base_url }}/git"
COPR_DIST_GIT_LOGS_URL = "https://{{ dist_git_base_url }}/per-task-logs"

# no need to filter cla_* groups, they are already filtered by fedora openid
GROUP_DENYLIST = ['fedorabugs', 'packager', 'provenpackager', 'ipausers', 'signed_fpca', 'fedora-contributor', 'trust admins']

DEFER_BUILD_SECONDS = 300

ENABLE_DISCUSSION = True
DISCOURSE_URL = "https://discussion.fedoraproject.org/"

# We may have a (temporary) chroot that doesn't correspond with /etc/os-release
# on a client system, e.g. "rhelbeta-8" chroots in Copr which doesn't match to
# any real system, instead it is a temporary alias for "epel-8". In such case,
# set this to {"epel-8": "rhelbeta-8"}
CHROOT_NAME_RELEASE_ALIAS = {"epel-8": "rhelbeta-8"}
{% if allowlist_emails is defined %}

ALLOWLIST_EMAILS = [
{% for recipient in allowlist_emails %}
  "{{ recipient }}",
{% endfor %}
]
{% endif %}

PAGURE_EVENTS = {
{% if copr_pagure_events is defined %}
{% for instance, url in copr_pagure_events.items() %}
{% for topic in [
  'git.receive',
  'pull-request.new',
  'pull-request.rebased',
  'pull-request.updated',
  'pull-request.comment.added'] %}
  '{{ instance }}.{{ topic }}' : '{{ url }}',
{% endfor %}
{% endfor %}
{% endif %}
}

# Increased build timeout to 50h
# Requested by @lantw44 for chromium, later by @kkleine
MAX_BUILD_TIMEOUT = 180000
{% if copr_kerberos_auth_enabled %}
API_GSSAPI_AUTH = True
{% else %}
API_GSSAPI_AUTH = False
{% endif %}

{% if env == 'production' %}
FAS_SIGNUP_URL = "https://accounts.fedoraproject.org"
{% else %}
FAS_SIGNUP_URL = "https://accounts.stg.fedoraproject.org"
{% endif %}

{% if env == 'production' %}
LOG_DETECTIVE_BUTTON = True
{% endif %}

{% if devel %}
# On stage we only ever start powerful builders in this project.  Note that we
# also start s390x instances in IBM Cloud on-demand , even without the extra
# BuildChroot tags here!  The reason is that the `arch_s390x` tag is named in
# the `tags_on_demand` section in resalloc's pools.yaml file.  But the
# difference is that `s390x` can be started by anyone.
#
# We have prepared those projects on stage:
# $ copr create @copr/measure-hypervisor   --chroot fedora-rawhide-x86_64 --chroot fedora-rawhide-ppc64le
# $ copr create @copr/measure-aws          --chroot fedora-rawhide-x86_64 --chroot fedora-rawhide-aarch64
# $ copr create @copr/measure-aws-powerful --chroot fedora-rawhide-x86_64 --chroot fedora-rawhide-aarch64
# $ copr create @copr/measure-ibm-cloud    --chroot fedora-rawhide-s390x
# $ copr create @copr/measure-hv-p08       --chroot fedora-rawhide-ppc64le
# Measure like:
# $ for project in @copr/measure-hypervisor @copr/measure-aws @copr/measure-aws-powerful @copr/measure-ibm-cloud @copr/measure-hv-p08; do
#   copr build $project https://...
# done
EXTRA_BUILDCHROOT_TAGS = [{
    "pattern": "@copr/powerful-test/fedora-rawhide-(x86_64|aarch64|s390x)/.*",
    "tags": ["on_demand_powerful"],
}, {
    "pattern": "@copr/measure-hypervisor.*/.*x86_64/.*",
    "tags": ["hypervisor"],
}, {
    "pattern": "@copr/measure-hypervisor.*/.*ppc64le/.*",
    "tags": ["hypervisor", "arch_power9"],
}, {
    "pattern": "@copr/measure-aws.*/.*/.*",
    "tags": ["aws"],
}, {
    "pattern": "@copr/measure-aws-powerful.*/.*/.*",
    "tags": ["on_demand_powerful"],
}, {
    "pattern": "@copr/measure-hv-p08.*/.*/.*",
    "tags": ["arch_power8"],
}]
{% else %}
EXTRA_BUILDCHROOT_TAGS = [{
    # https://github.com/fedora-copr/copr/issues/2966
    "pattern": "@asahi/kernel/.*(x86_64|aarch64)/kernel",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/2966
    "pattern": "ngompa/fedora-asahi-dev/.*(x86_64|aarch64)/kernel",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/2985
    "pattern": "ngompa/kernel-ark-exp-dev/.*(x86_64|aarch64)/kernel",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/2986
    "pattern": "@centoshyperscale/kernel/.*(x86_64|aarch64)/kernel",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/2987
    "pattern": "@fedora-llvm-team/llvm-snapshots[^/]*/.*x86_64/(llvm|clang)",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/3203
    "pattern": "jordalgo/fedora-6.8-sched_ext/.*(x86_64|aarch64|s390x)/kernel",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/3293
    "pattern": "ttomecek/review-2279158-python-triton-rocm/fedora-rawhide-x86_64/python-triton-rocm",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/3331
    "pattern": "secureblue/trivalent/.*(x86_64|aarch64)/trivalent",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/3353
    "pattern": "solopasha/qt6-test/.*(x86_64|aarch64)/qt6-qtwebengine",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/3373
    "pattern": "@rocm-packagers-sig/rocm-devel/.*x86_64/.*",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/3267
    "pattern": "@spot/texlive-2024-testing/.*(x86_64|aarch64|s390x)/texlive*",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/3512
    "pattern": "@kernel-vanilla/.*/.*(x86_64|aarch64)/.*",
    "tags": ["on_demand_powerful"],
}, {
    # https://github.com/fedora-copr/copr/issues/3603
    "pattern": "wojnilowicz/ungoogled-chromium/.*(x86_64|aarch64)/.*",
    "tags": ["on_demand_powerful"],
},{
    # https://github.com/fedora-copr/copr/issues/3718
    "pattern": "@centoshyperscale/asahi/.*(x86_64|aarch64)/kernel",
    "tags": ["on_demand_powerful"],
}]
{% endif %}


USAGE_TREEMAP_TEAMS = {
    "CPT": ["@copr", "@mock", "msuchy", "praiskup", "frostyx", "nikromen"],
    "Packit": ["packit", "packit-stg", "ttomecek"],
    "Python-team": ["@python", "thrnciar", "torsava", "encukou", "cstratak", "churchyard"],
}

PULP_CONTENT_URL = "{{ pulp_content_url }}"

# OIDC config

OIDC_LOGIN = True
OIDC_CLIENT = "copr"
OIDC_PROVIDER_NAME = "OIDC"  # used for the login button
OIDC_SCOPES = "openid profile email https://id.fedoraproject.org/scope/groups https://id.fedoraproject.org/scope/agreements"
OIDC_TOKEN_AUTH_METHOD = "client_secret_post"
OIDC_USERNAME_CLAIM = "preferred_username"

{% if env == 'production' %}
OIDC_SECRET = "{{ copr_oidc_prod_client_secret }}"
OIDC_METADATA = "https://id.fedoraproject.org/openidc/.well-known/openid-configuration"
{% else %}
OIDC_SECRET = "{{ copr_oidc_stg_client_secret }}"
OIDC_METADATA = "https://id.stg.fedoraproject.org/openidc/.well-known/openid-configuration"
{% endif %}