diff --git a/pillar/role/pagure.sls b/pillar/role/pagure.sls index d4b8bc3..98561ff 100644 --- a/pillar/role/pagure.sls +++ b/pillar/role/pagure.sls @@ -1,7 +1,9 @@ +{%- from 'macros.jinja' import redis %} + include: -{% if salt['grains.get']('include_secrets', True) %} +{%- if salt['grains.get']('include_secrets', True) %} - secrets.role.pagure -{% endif %} +{%- endif %} - role.common.nginx sshd_config: @@ -26,26 +28,16 @@ profile: database_user: pagure database_host: postgresql.infra.opensuse.org -{% set listenhttps6='[::]:443 ssl http2' %} +{%- set listenhttps6='[::]:80' %} nginx: servers: managed: - redirhttp.conf: - config: - - server: - - include: acme-challenge - - server_name: '_' - - listen: '[::]:80 default_server' - - location /: - - return: '301 https://$host$request_uri' - enabled: True code.opensuse.org.conf: config: - server: - server_name: code.opensuse.org - listen: '{{ listenhttps6 }}' - - include: ssl-config - location @pagure: - client_max_body_size: 0 - proxy_set_header: Host $http_host @@ -64,7 +56,6 @@ nginx: - server: - server_name: releases.opensuse.org - listen: '{{ listenhttps6 }}' - - include: ssl-config - location /: - alias: /srv/www/pagure-releases/ - autoindex: 'on' @@ -74,7 +65,6 @@ nginx: - server: - server_name: ev.opensuse.org - listen: '{{ listenhttps6 }}' - - include: ssl-config - location @pagure_ev: - proxy_set_header: Host $http_host - proxy_set_header: X-Real-IP $remote_addr @@ -89,7 +79,6 @@ nginx: - server: - server_name: pages.opensuse.org - listen: '{{ listenhttps6 }}' - - include: ssl-config - location @pagure_docs: - proxy_set_header: Host $http_host - proxy_set_header: X-Real-IP $remote_addr @@ -100,6 +89,13 @@ nginx: - try_files: $uri @pagure_docs enabled: True +{{ redis('pagure') }} + +groups: + redis: + members: + - git + zypper: repositories: openSUSE:infrastructure:pagure: diff --git a/salt/profile/pagure/files/alembic.ini b/salt/profile/pagure/files/alembic.ini deleted file mode 100644 index 6d4bac2..0000000 --- a/salt/profile/pagure/files/alembic.ini +++ /dev/null @@ -1,60 +0,0 @@ -# A generic, single database configuration. - -[alembic] -# path to migration scripts -script_location = /usr/share/pagure/alembic - -# template used to generate migration files -# file_template = %%(rev)s_%%(slug)s - -# max length of characters to apply to the -# "slug" field -#truncate_slug_length = 40 - -# set to 'true' to run the environment during -# the 'revision' command, regardless of autogenerate -# revision_environment = false - -# set to 'true' to allow .pyc and .pyo files without -# a source .py file to be detected as revisions in the -# versions/ directory -# sourceless = false - -#sqlalchemy.url = driver://user:pass@localhost/dbname -sqlalchemy.url = postgres://{{ pillar['profile']['pagure']['database_user'] }}:{{ pillar['postgres']['users']['pagure']['password'] }}@{{ pillar['profile']['pagure']['database_host'] }}/pagure - - -# Logging configuration -[loggers] -keys = root,sqlalchemy,alembic - -[handlers] -keys = console - -[formatters] -keys = generic - -[logger_root] -level = WARN -handlers = console -qualname = - -[logger_sqlalchemy] -level = WARN -handlers = -qualname = sqlalchemy.engine - -[logger_alembic] -level = INFO -handlers = -qualname = alembic - -[handler_console] -class = StreamHandler -args = (sys.stderr,) -level = NOTSET -formatter = generic - -[formatter_generic] -format = %(levelname)-5.5s [%(name)s] %(message)s -datefmt = %H:%M:%S diff --git a/salt/profile/pagure/files/alembic.ini.jinja b/salt/profile/pagure/files/alembic.ini.jinja new file mode 100644 index 0000000..06fd1fc --- /dev/null +++ b/salt/profile/pagure/files/alembic.ini.jinja @@ -0,0 +1,59 @@ +{{ pillar['managed_by_salt'] }} + +[alembic] +# path to migration scripts +script_location = /usr/share/pagure/alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# max length of characters to apply to the +# "slug" field +#truncate_slug_length = 40 + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +# set to 'true' to allow .pyc and .pyo files without +# a source .py file to be detected as revisions in the +# versions/ directory +# sourceless = false + +sqlalchemy.url = postgres://{{ pillar['profile']['pagure']['database_user'] }}:{{ pillar['postgres']['users']['pagure']['password'] }}@{{ pillar['profile']['pagure']['database_host'] }}/pagure + + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S diff --git a/salt/profile/pagure/files/pagure.cfg b/salt/profile/pagure/files/pagure.cfg deleted file mode 100644 index a6bb1ec..0000000 --- a/salt/profile/pagure/files/pagure.cfg +++ /dev/null @@ -1,311 +0,0 @@ -import os -from datetime import timedelta - -### Set the time after which the admin session expires -# There are two sessions on pagure, login that holds for 31 days and -# the session defined here after which an user has to re-login. -# This session is used when accessing all administrative parts of pagure -# (ie: changing a project's or a user's settings) -ADMIN_SESSION_LIFETIME = timedelta(minutes=20) - -# Enable tickets and docs for all repos -ENABLE_TICKETS = True -ENABLE_DOCS = True - -# Force user namespaces for projects -USER_NAMESPACE = True - -# Enables / Disables private projects -PRIVATE_PROJECTS = False - -### Secret key for the Flask application -SECRET_KEY='{{ pillar['profile']['pagure']['secret_key'] }}' - -### url to the database server: -#DB_URL = 'mysql://user:pass@host/db_name' -#DB_URL = 'postgres://user:pass@host/db_name' -DB_URL = 'postgres://{{ pillar['profile']['pagure']['database_user'] }}:{{ pillar['postgres']['users']['pagure']['password'] }}@{{ pillar['profile']['pagure']['database_host'] }}/pagure' - -### Send FedMsg notifications of events in pagure -FEDMSG_NOTIFICATIONS = False - -### The FAS group in which the admin of pagure are -#ADMIN_GROUP = ['sysadmin-main'] - -# The publicly visible admin email address -ADMIN_EMAIL = 'admin@opensuse.org' - -### Hard-coded list of global admins -PAGURE_ADMIN_USERS = ['hellcp', 'Pharaoh_Atem'] - -### Enables sending email using SMTP credentials. -EMAIL_SEND = True - -### The email address to which the flask.log will send the errors (tracebacks) -EMAIL_ERROR = 'root@localhost' - -### SMTP settings -SMTP_SERVER = 'localhost' -SMTP_PORT = 25 -SMTP_SSL = False - -#Specify both for enabling SMTP with auth -SMTP_USERNAME = None -SMTP_PASSWORD = None - -### Information used to sent notifications -FROM_EMAIL = 'pagure@opensuse.org' -DOMAIN_EMAIL_NOTIFICATIONS = 'code.opensuse.org' -SALT_EMAIL = '{{ pillar['profile']['pagure']['salt_email'] }}' - -### Restrict outgoing emails to these domains: -## If set, adding emailaccounts that don't end with these domainnames -## will not be permitted. Mails to already existing emailaccounts -## that are not covered by this list will not get sent. -# ALLOWED_EMAIL_DOMAINS = [ 'localhost.localdomain', 'example.com' ] - -### Disallow remote pull requests -## If set, remote pull requests will be disabled and not available -## anymore as a selection in the PR dropdown menus -DISABLE_REMOTE_PR = False - -### Allow HTTP(S) pushes with local/token auth -ALLOW_HTTP_PUSH = True - -### The URL at which the project is available. -APP_URL = 'https://code.opensuse.org/' -### The URL at which the documentation of projects will be available -## This should be in a different domain to avoid XSS issues since we want -## to allow raw html to be displayed (different domain, ie not a sub-domain). -DOC_APP_URL = 'https://pages.opensuse.org' - -### The URL to use to clone git repositories. -GIT_URL_SSH = 'ssh://git@code.opensuse.org/' -GIT_URL_GIT = 'https://code.opensuse.org/' - - -### Folder containing the pagure user SSH authorized keys -SSH_FOLDER = os.path.join( - '/srv', - 'gitolite', - '.ssh' -) - -### Folder containing to the git repos -GIT_FOLDER = os.path.join( - '/srv', - 'gitolite', - 'repositories' -) - -REPOSPANNER_PSEUDO_FOLDER = os.path.join( - '/srv', - 'gitolite', - 'pseudo' -) - -### Folder containing the clones for the remote pull-requests -REMOTE_GIT_FOLDER = os.path.join( - '/srv', - 'gitolite', - 'remotes' -) - -### Folder containing out-of-git attachments cache -ATTACHMENTS_FOLDER = os.path.join( - '/srv', - 'gitolite', - 'attachments' -) - -### Whether to enable scanning for viruses in attachments -VIRUS_SCAN_ATTACHMENTS = False - -GIT_AUTH_BACKEND = "pagure" - -HTTP_REPO_ACCESS_GITOLITE = None - -SSH_KEYS_USERNAME_EXPECT = "git" - -SSH_COMMAND_NON_REPOSPANNER = ([ - "/usr/bin/%(cmd)s", - "/srv/gitolite/repositories/%(reponame)s", -], {"GL_USER": "%(username)s"}) - -# Arguments to add to the SSH keys, possible replacements: -# %(username)s: username owning this key -SSH_KEYS_OPTIONS = ( - 'restrict,command="/usr/lib/pagure/aclchecker.py %(username)s"' -) - -### Configuration file for gitolite -GITOLITE_CONFIG = os.path.join( - '/srv', - 'gitolite', - '.gitolite', - 'conf', - 'gitolite.conf' -) - - -### Home folder of the gitolite user -### Folder where to run gl-compile-conf from -GITOLITE_HOME = '/srv/gitolite' - -### Version of gitolite used: 2 or 3? -GITOLITE_VERSION = 3 - -### Folder containing all the public ssh keys for gitolite -GITOLITE_KEYDIR = os.path.join(GITOLITE_HOME, '.gitolite', 'keydir') - -### Path to the gitolite.rc file -GL_RC = None - -### Path to the /bin directory where the gitolite tools can be found -GL_BINDIR = None - - -# SSH Information - -### The ssh certificates of the git server to be provided to the user -### /!\ format is important -SSH_KEYS = { - 'RSA': { - 'fingerprint': '3072 5d:dc:89:7f:bf:02:5b:e9:ec:9d:5d:bc:ad:7e:5c:5e (RSA)', - 'pubkey': 'code.opensuse.org,195.135.221.140,2001:67c:2178:8:0:0:0:16 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXCk+ToHsNvFMO1b0FrO4wiWLPtmNNiXkupXf2hjPGWSexe1FjjjLp2/zjQb8a8srzaF5AFGUX9cOFGRpXa0j53h/q91nNcUVpaiy0I3cCXQbLwVeiPBPmDYjpTbAl0cHYfVQvF8W++VU9SABUfe+yq/OADFKCYVMjYV8gTvtFFpqbIh6YGLELZ/SwHid9HgspA9TSS6jPjDuP89xkCb14m52P47a9h5n9wEHfdOvqcV3MJd2wprJAUM9Ulz+EXydHPh8cNE1wZu5H78yKAQgAHCeMqWy/6FNmp/dU6OJ/ARfkMCXDQwrJd0fm31Zer5bcVkZdALcGOeggL7d2P7+FC7cCkPa5aeU1kpNCMoOXcR5/zra9ssaskHUXwTRODOMlK3YpJON0vx5/NLr6SrN4EQv3dBJS1qrDEpqhxZCqMk1jY1i4ixGDyIEO0ESEI/J57SqhWOvGUNRpweWg/JNKRfdJ6gF7KJsjfOyDQzdyCBZiMu61roKXsG0/FPqPEHE=', - 'SHA256': 'SHA256:1Y2KdDQqRvkv+CGKU4+m4qpkZps0s/qFB5i7FndsBDA', - }, - 'ED25519': { - 'fingerprint': '256 9e:b2:e4:09:22:f5:f7:4b:79:c7:11:9b:35:13:e3:dd (ED25519)', - 'pubkey': 'code.opensuse.org,195.135.221.140,2001:67c:2178:8:0:0:0:16 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMn/5y3F6myEL9jeiWSm3FJLAsoO2Py8U5SGKgvwUDeM', - 'SHA256': 'SHA256:KSXBssrILtPLO3xNeVl1qKu9KSCJhZLJ9+oYkm2OXBI', - } -} - - - -# Optional configuration - -### Default branch for new projects -# Used to set the default branch when the user does not specify -GIT_DEFAULT_BRANCH = "main" - -### Number of items displayed per page -# Used when listing items -ITEM_PER_PAGE = 50 - -### Maximum size of the uploaded content -# Used to limit the size of file attached to a ticket for example -MAX_CONTENT_LENGTH = 4 * 1024 * 1024 # 4 megabytes - -### Lenght for short commits ids or file hex -SHORT_LENGTH = 6 - -### List of blacklisted project names that can conflicts for pagure's URLs -### or other -BLACKLISTED_PROJECTS = [ - 'static', 'pv', 'releases', 'new', 'api', 'settings', - 'logout', 'login', 'users', 'groups', 'projects'] - -### IP addresses allowed to access the internal endpoints -### These endpoints are used by the milter and are security sensitive, thus -### the IP filter -IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1', ''] - -### EventSource/Web-Hook/Redis configuration -# The eventsource integration is what allows pagure to refresh the content -# on your page when someone else comments on the ticket (and this without -# asking you to reload the page. -# By default it is off, ie: EVENTSOURCE_SOURCE is None, to turn it on, specify -# here what the URL of the eventsource server is, for example: -# https://ev.pagure.io or https://pagure.io:8080 or whatever you are using -# (Note: the urls sent to it start with a '/' so no need to add one yourself) -EVENTSOURCE_SOURCE = 'https://ev.opensuse.org' -# Port where the event source server is running (maybe be the same port -# as the one specified in EVENTSOURCE_SOURCE or a different one if you -# have something running in front of the server such as apache or stunnel). -EVENTSOURCE_PORT = 8080 -# If this port is specified, the event source server will run another server -# at this port and will provide information about the number of active -# connections running on the first (main) event source server -#EV_STATS_PORT = 8888 -# Web-hook can be turned on or off allowing using them for notifications, or -# not. -WEBHOOK = True - -### Redis configuration -# A redis server is required for both the Event-Source server or the web-hook -# server. -REDIS_HOST = '0.0.0.0' -REDIS_PORT = 6379 -REDIS_DB = 0 - -# Authentication related configuration option - -### Switch the authentication method -# Specify which authentication method to use. -# Available options: `fas`, `openid`, `oidc`, `local` -# Default: ``local``. -PAGURE_AUTH = 'openid' - -FAS_OPENID_ENDPOINT = 'https://www.opensuse.org/openid/' - -# When this is set to True, the session cookie will only be returned to the -# server via ssl (https). If you connect to the server via plain http, the -# cookie will not be sent. This prevents sniffing of the cookie contents. -# This may be set to False when testing your application but should always -# be set to True in production. -# Default: ``True``. -SESSION_COOKIE_SECURE = True - -# The name of the cookie used to store the session id. -# Default: ``.pagure``. -SESSION_COOKIE_NAME = 'pagure' - -# Boolean specifying whether to check the user's IP address when retrieving -# its session. This make things more secure (thus is on by default) but -# under certain setup it might not work (for example is there are proxies -# in front of the application). -CHECK_SESSION_IP = True - -# Used by SESSION_COOKIE_PATH -APPLICATION_ROOT = '/' - -# Allow the backward compatiblity endpoints for the old URLs schema to -# see the commits of a repo. This is only interesting if you pagure instance -# was running since before version 1.3 and if you care about backward -# compatibility in your URLs. -OLD_VIEW_COMMIT_ENABLED = False - -# repoSpanner integration settings -# https://repospanner.org/ -# Whether to create new repositories on repoSpanner by default. -# Either None or a region name. -REPOSPANNER_NEW_REPO = None -# Whether to allow admins to override region selection on creation. -REPOSPANNER_NEW_REPO_ADMIN_OVERRIDE = False -# Whether to create new forks on repoSpanner. -# Either None (no repoSpanner), True (same as origin project) or a region name. -REPOSPANNER_NEW_FORK = True -# Whether to allow an admin to manually migrate an individual project. -REPOSPANNER_ADMIN_MIGRATION = False -# The repoSpanner regions to be used in this Pagure instance. -# Example entry: -# 'default': {'url': 'https://nodea.regiona.repospanner.local:8444', -# 'repo_prefix': 'pagure/', -# 'hook': None, -# 'ca': '', -# 'admin_cert': {'cert': '', -# 'key': ''}, -# 'push_cert': {'cert': '', -# 'key': ''}} -REPOSPANNER_REGIONS = {} - -# Path to the plugins configuration file that is used to load plugins. Please -# look at files/plugins.cfg.sample for a configuration example. -# PAGURE_PLUGINS_CONFIG = "/etc/pagure/plugins.cfg" - -THEME = 'chameleon' - -# Ensure openid return traffic is encrypted -PREFERRED_URL_SCHEME = 'https' diff --git a/salt/profile/pagure/files/pagure.cfg.jinja b/salt/profile/pagure/files/pagure.cfg.jinja new file mode 100644 index 0000000..42fd2ea --- /dev/null +++ b/salt/profile/pagure/files/pagure.cfg.jinja @@ -0,0 +1,310 @@ +{{ pillar['managed_by_salt'] }} + +import os +from datetime import timedelta + +### Set the time after which the admin session expires +# There are two sessions on pagure, login that holds for 31 days and +# the session defined here after which an user has to re-login. +# This session is used when accessing all administrative parts of pagure +# (ie: changing a project's or a user's settings) +ADMIN_SESSION_LIFETIME = timedelta(minutes=20) + +# Enable tickets and docs for all repos +ENABLE_TICKETS = True +ENABLE_DOCS = True + +# Force user namespaces for projects +USER_NAMESPACE = True + +# Enables / Disables private projects +PRIVATE_PROJECTS = False + +### Secret key for the Flask application +SECRET_KEY='{{ pillar['profile']['pagure']['secret_key'] }}' + +### url to the database server: +DB_URL = 'postgres://{{ pillar['profile']['pagure']['database_user'] }}:{{ pillar['postgres']['users']['pagure']['password'] }}@{{ pillar['profile']['pagure']['database_host'] }}/pagure' + +### Send FedMsg notifications of events in pagure +FEDMSG_NOTIFICATIONS = False + +### The FAS group in which the admin of pagure are +#ADMIN_GROUP = ['sysadmin-main'] + +# The publicly visible admin email address +ADMIN_EMAIL = 'admin@opensuse.org' + +### Hard-coded list of global admins +PAGURE_ADMIN_USERS = ['hellcp', 'Pharaoh_Atem'] + +### Enables sending email using SMTP credentials. +EMAIL_SEND = True + +### The email address to which the flask.log will send the errors (tracebacks) +EMAIL_ERROR = 'root@localhost' + +### SMTP settings +SMTP_SERVER = 'localhost' +SMTP_PORT = 25 +SMTP_SSL = False + +#Specify both for enabling SMTP with auth +SMTP_USERNAME = None +SMTP_PASSWORD = None + +### Information used to sent notifications +FROM_EMAIL = 'pagure@opensuse.org' +DOMAIN_EMAIL_NOTIFICATIONS = 'code.opensuse.org' +SALT_EMAIL = '{{ pillar['profile']['pagure']['salt_email'] }}' + +### Restrict outgoing emails to these domains: +## If set, adding emailaccounts that don't end with these domainnames +## will not be permitted. Mails to already existing emailaccounts +## that are not covered by this list will not get sent. +# ALLOWED_EMAIL_DOMAINS = [ 'localhost.localdomain', 'example.com' ] + +### Disallow remote pull requests +## If set, remote pull requests will be disabled and not available +## anymore as a selection in the PR dropdown menus +DISABLE_REMOTE_PR = False + +### Allow HTTP(S) pushes with local/token auth +ALLOW_HTTP_PUSH = True + +### The URL at which the project is available. +APP_URL = 'https://code.opensuse.org/' +### The URL at which the documentation of projects will be available +## This should be in a different domain to avoid XSS issues since we want +## to allow raw html to be displayed (different domain, ie not a sub-domain). +DOC_APP_URL = 'https://pages.opensuse.org' + +### The URL to use to clone git repositories. +GIT_URL_SSH = 'ssh://git@code.opensuse.org/' +GIT_URL_GIT = 'https://code.opensuse.org/' + + +### Folder containing the pagure user SSH authorized keys +SSH_FOLDER = os.path.join( + '/srv', + 'gitolite', + '.ssh' +) + +### Folder containing to the git repos +GIT_FOLDER = os.path.join( + '/srv', + 'gitolite', + 'repositories' +) + +REPOSPANNER_PSEUDO_FOLDER = os.path.join( + '/srv', + 'gitolite', + 'pseudo' +) + +### Folder containing the clones for the remote pull-requests +REMOTE_GIT_FOLDER = os.path.join( + '/srv', + 'gitolite', + 'remotes' +) + +### Folder containing out-of-git attachments cache +ATTACHMENTS_FOLDER = os.path.join( + '/srv', + 'gitolite', + 'attachments' +) + +### Whether to enable scanning for viruses in attachments +VIRUS_SCAN_ATTACHMENTS = False + +GIT_AUTH_BACKEND = "pagure" + +HTTP_REPO_ACCESS_GITOLITE = None + +SSH_KEYS_USERNAME_EXPECT = "git" + +SSH_COMMAND_NON_REPOSPANNER = ([ + "/usr/bin/%(cmd)s", + "/srv/gitolite/repositories/%(reponame)s", +], {"GL_USER": "%(username)s"}) + +# Arguments to add to the SSH keys, possible replacements: +# %(username)s: username owning this key +SSH_KEYS_OPTIONS = ( + 'restrict,command="/usr/lib/pagure/aclchecker.py %(username)s"' +) + +### Configuration file for gitolite +GITOLITE_CONFIG = os.path.join( + '/srv', + 'gitolite', + '.gitolite', + 'conf', + 'gitolite.conf' +) + + +### Home folder of the gitolite user +### Folder where to run gl-compile-conf from +GITOLITE_HOME = '/srv/gitolite' + +### Version of gitolite used: 2 or 3? +GITOLITE_VERSION = 3 + +### Folder containing all the public ssh keys for gitolite +GITOLITE_KEYDIR = os.path.join(GITOLITE_HOME, '.gitolite', 'keydir') + +### Path to the gitolite.rc file +GL_RC = None + +### Path to the /bin directory where the gitolite tools can be found +GL_BINDIR = None + + +# SSH Information + +### The ssh certificates of the git server to be provided to the user +### /!\ format is important +SSH_KEYS = { + 'RSA': { + 'fingerprint': '3072 5d:dc:89:7f:bf:02:5b:e9:ec:9d:5d:bc:ad:7e:5c:5e (RSA)', + 'pubkey': 'code.opensuse.org,195.135.221.140,2001:67c:2178:8:0:0:0:16 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXCk+ToHsNvFMO1b0FrO4wiWLPtmNNiXkupXf2hjPGWSexe1FjjjLp2/zjQb8a8srzaF5AFGUX9cOFGRpXa0j53h/q91nNcUVpaiy0I3cCXQbLwVeiPBPmDYjpTbAl0cHYfVQvF8W++VU9SABUfe+yq/OADFKCYVMjYV8gTvtFFpqbIh6YGLELZ/SwHid9HgspA9TSS6jPjDuP89xkCb14m52P47a9h5n9wEHfdOvqcV3MJd2wprJAUM9Ulz+EXydHPh8cNE1wZu5H78yKAQgAHCeMqWy/6FNmp/dU6OJ/ARfkMCXDQwrJd0fm31Zer5bcVkZdALcGOeggL7d2P7+FC7cCkPa5aeU1kpNCMoOXcR5/zra9ssaskHUXwTRODOMlK3YpJON0vx5/NLr6SrN4EQv3dBJS1qrDEpqhxZCqMk1jY1i4ixGDyIEO0ESEI/J57SqhWOvGUNRpweWg/JNKRfdJ6gF7KJsjfOyDQzdyCBZiMu61roKXsG0/FPqPEHE=', + 'SHA256': 'SHA256:1Y2KdDQqRvkv+CGKU4+m4qpkZps0s/qFB5i7FndsBDA', + }, + 'ED25519': { + 'fingerprint': '256 9e:b2:e4:09:22:f5:f7:4b:79:c7:11:9b:35:13:e3:dd (ED25519)', + 'pubkey': 'code.opensuse.org,195.135.221.140,2001:67c:2178:8:0:0:0:16 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMn/5y3F6myEL9jeiWSm3FJLAsoO2Py8U5SGKgvwUDeM', + 'SHA256': 'SHA256:KSXBssrILtPLO3xNeVl1qKu9KSCJhZLJ9+oYkm2OXBI', + } +} + + + +# Optional configuration + +### Default branch for new projects +# Used to set the default branch when the user does not specify +GIT_DEFAULT_BRANCH = "main" + +### Number of items displayed per page +# Used when listing items +ITEM_PER_PAGE = 50 + +### Maximum size of the uploaded content +# Used to limit the size of file attached to a ticket for example +MAX_CONTENT_LENGTH = 4 * 1024 * 1024 # 4 megabytes + +### Lenght for short commits ids or file hex +SHORT_LENGTH = 6 + +### List of blacklisted project names that can conflicts for pagure's URLs +### or other +BLACKLISTED_PROJECTS = [ + 'static', 'pv', 'releases', 'new', 'api', 'settings', + 'logout', 'login', 'users', 'groups', 'projects'] + +### IP addresses allowed to access the internal endpoints +### These endpoints are used by the milter and are security sensitive, thus +### the IP filter +IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1', ''] + +### EventSource/Web-Hook/Redis configuration +# The eventsource integration is what allows pagure to refresh the content +# on your page when someone else comments on the ticket (and this without +# asking you to reload the page. +# By default it is off, ie: EVENTSOURCE_SOURCE is None, to turn it on, specify +# here what the URL of the eventsource server is, for example: +# https://ev.pagure.io or https://pagure.io:8080 or whatever you are using +# (Note: the urls sent to it start with a '/' so no need to add one yourself) +EVENTSOURCE_SOURCE = 'https://ev.opensuse.org' +# Port where the event source server is running (maybe be the same port +# as the one specified in EVENTSOURCE_SOURCE or a different one if you +# have something running in front of the server such as apache or stunnel). +EVENTSOURCE_PORT = 8080 +# If this port is specified, the event source server will run another server +# at this port and will provide information about the number of active +# connections running on the first (main) event source server +#EV_STATS_PORT = 8888 +# Web-hook can be turned on or off allowing using them for notifications, or +# not. +WEBHOOK = True + +### Redis configuration +# A redis server is required for both the Event-Source server or the web-hook +# server. +REDIS_SOCKET = '/run/redis/pagure.sock' +REDIS_DB = 0 + +# Authentication related configuration option + +### Switch the authentication method +# Specify which authentication method to use. +# Available options: `fas`, `openid`, `oidc`, `local` +# Default: ``local``. +PAGURE_AUTH = 'openid' + +FAS_OPENID_ENDPOINT = 'https://www.opensuse.org/openid/' + +# When this is set to True, the session cookie will only be returned to the +# server via ssl (https). If you connect to the server via plain http, the +# cookie will not be sent. This prevents sniffing of the cookie contents. +# This may be set to False when testing your application but should always +# be set to True in production. +# Default: ``True``. +SESSION_COOKIE_SECURE = True + +# The name of the cookie used to store the session id. +# Default: ``.pagure``. +SESSION_COOKIE_NAME = 'pagure' + +# Boolean specifying whether to check the user's IP address when retrieving +# its session. This make things more secure (thus is on by default) but +# under certain setup it might not work (for example is there are proxies +# in front of the application). +CHECK_SESSION_IP = True + +# Used by SESSION_COOKIE_PATH +APPLICATION_ROOT = '/' + +# Allow the backward compatiblity endpoints for the old URLs schema to +# see the commits of a repo. This is only interesting if you pagure instance +# was running since before version 1.3 and if you care about backward +# compatibility in your URLs. +OLD_VIEW_COMMIT_ENABLED = False + +# repoSpanner integration settings +# https://repospanner.org/ +# Whether to create new repositories on repoSpanner by default. +# Either None or a region name. +REPOSPANNER_NEW_REPO = None +# Whether to allow admins to override region selection on creation. +REPOSPANNER_NEW_REPO_ADMIN_OVERRIDE = False +# Whether to create new forks on repoSpanner. +# Either None (no repoSpanner), True (same as origin project) or a region name. +REPOSPANNER_NEW_FORK = True +# Whether to allow an admin to manually migrate an individual project. +REPOSPANNER_ADMIN_MIGRATION = False +# The repoSpanner regions to be used in this Pagure instance. +# Example entry: +# 'default': {'url': 'https://nodea.regiona.repospanner.local:8444', +# 'repo_prefix': 'pagure/', +# 'hook': None, +# 'ca': '', +# 'admin_cert': {'cert': '', +# 'key': ''}, +# 'push_cert': {'cert': '', +# 'key': ''}} +REPOSPANNER_REGIONS = {} + +# Path to the plugins configuration file that is used to load plugins. Please +# look at files/plugins.cfg.sample for a configuration example. +# PAGURE_PLUGINS_CONFIG = "/etc/pagure/plugins.cfg" + +THEME = 'chameleon' + +# Ensure openid return traffic is encrypted +PREFERRED_URL_SCHEME = 'https' diff --git a/salt/profile/pagure/files/ssl-config b/salt/profile/pagure/files/ssl-config deleted file mode 100644 index 1876074..0000000 --- a/salt/profile/pagure/files/ssl-config +++ /dev/null @@ -1,19 +0,0 @@ -# This file is managed by infra/salt - ssl_certificate /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_rsa.pem; - ssl_certificate_key /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_rsa.pem; - ssl_dhparam /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_rsa.pem; - - ssl_certificate /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_ecdsa.pem; - ssl_certificate_key /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_ecdsa.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:MozSSL:10m; # about 40000 sessions - ssl_session_tickets off; - - # intermediate configuration - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; - ssl_prefer_server_ciphers off; - - # HSTS (ngx_http_headers_module is required) (63072000 seconds) - add_header Strict-Transport-Security "max-age=63072000" always; diff --git a/salt/profile/pagure/init.sls b/salt/profile/pagure/init.sls index f740218..df7ac18 100644 --- a/salt/profile/pagure/init.sls +++ b/salt/profile/pagure/init.sls @@ -1,8 +1,4 @@ -include: - - profile.pagure.redis - - .nginx - -pagure_pgks: +pagure_packages: pkg.installed: - pkgs: - pagure @@ -16,46 +12,42 @@ pagure_pgks: - pagure-mirror - pagure-webhook -pagure_conf: +pagure_configuration: file.managed: - - name: /etc/pagure/pagure.cfg - - source: salt://profile/pagure/files/pagure.cfg + - names: + - /etc/pagure/pagure.cfg: + - source: salt://profile/pagure/files/pagure.cfg.jinja + - /etc/pagure/alembic.ini: + - source: salt://profile/pagure/files/alembic.ini.jinja - template: jinja - group: git - mode: '0640' - - require_in: - - service: pagure_web_service - watch_in: - - module: pagure_web_restart - -pagure_alembic_conf: - file.managed: - - name: /etc/pagure/alembic.ini - - source: salt://profile/pagure/files/alembic.ini - - template: jinja - - group: git - - mode: '0640' - - require_in: - service: pagure_web_service - - watch_in: - - module: pagure_web_restart pagure_database_setup: cmd.run: - name: python3 /usr/share/pagure/pagure_createdb.py -c /etc/pagure/pagure.cfg + - onchanges: + - pkg: pagure_packages + +pagure_gunicorn_override: + file.managed: + - names: + - /etc/systemd/system/pagure_web.service.d/salt.conf + - makedirs: True + - contents: + - {{ pillar['managed_by_salt'] | yaml_encode }} + - '[Service]' + - GUNICORN_CMD_ARGS=--workers=8 + - watch_in: + - service: pagure_web_service -{% set services = ['pagure_web', 'pagure_docs_web', 'pagure_worker', 'pagure_authorized_keys_worker', 'pagure_api_key_expire_mail.timer', 'pagure_mirror_project_in.timer'] %} +{%- set services = ['pagure_web', 'pagure_docs_web', 'pagure_worker', 'pagure_authorized_keys_worker', 'pagure_api_key_expire_mail.timer', 'pagure_mirror_project_in.timer'] %} -{% for service in services %} +{%- for service in services %} {{ service }}_service: service.running: - name: {{ service }} - enable: True - -{{ service }}_restart: - module.wait: - - name: service.restart - - m_name: {{ service }} - - require: - - service: {{ service }} -{% endfor %} +{%- endfor %} diff --git a/salt/profile/pagure/nginx.sls b/salt/profile/pagure/nginx.sls deleted file mode 100644 index b9c069f..0000000 --- a/salt/profile/pagure/nginx.sls +++ /dev/null @@ -1,4 +0,0 @@ -pagure_ssl_conf: - file.managed: - - name: /etc/nginx/ssl-config - - source: salt://profile/pagure/files/ssl-config diff --git a/salt/profile/pagure/redis.sls b/salt/profile/pagure/redis.sls deleted file mode 100644 index fdc5b47..0000000 --- a/salt/profile/pagure/redis.sls +++ /dev/null @@ -1,19 +0,0 @@ -redis_pgks: - pkg.installed: - - pkgs: - - redis7 - -redis_config_file: - file.managed: - - name: /etc/redis/default.conf - - source: /etc/redis/default.conf.example - - user: redis - - group: redis - - replace: False - -redis_service: - service.running: - - name: redis@default - - enable: True - - require: - - file: redis_config_file diff --git a/salt/role/pagure.sls b/salt/role/pagure.sls index b6a69a6..aef3e33 100644 --- a/salt/role/pagure.sls +++ b/salt/role/pagure.sls @@ -1,3 +1,4 @@ include: + - redis - profile.web.server.nginx - profile.pagure