copr/anubis: fix configuration on frontend to protect only /coprs (same for distgit)

Anubis was accidentally enabled for all traffic (/) instead of just
the /coprs/ web UI. This caused unnecessary bot challenges for API
clients, dnf/yum, and other automated tools.

Use Anubis BASE_PREFIX to cleanly protect only specific endpoints:
- Frontend: /coprs/ (web UI)
- Dist-git: /{{ cgit_uri }}/ (package browser)

https://anubis.techaro.lol/docs/admin/installation#using-base-prefix

roles/anubis/templates/default.env.j2

@@ -9,3 +9,9 @@ TARGET="http://127.0.0.1:8345"
 
 # Custom policies will live here once they are ready (package needs to be fixed)
 POLICY_FNAME=/etc/anubis/policies.yaml
+{% if anubis_base_prefix is defined %}
+
+# Protect only {{ anubis_base_prefix }} endpoint
+# https://anubis.techaro.lol/docs/admin/installation#using-base-prefix
+BASE_PREFIX={{ anubis_base_prefix }}
+{% endif %}

roles/anubis/templates/policies.yaml.j2.copr-infrastructure

@@ -1,5 +1,6 @@
 ---
 bots:
+{% if copr_machine_type == "frontend" %}
   - name: allow badges
     action: ALLOW
     path_regex: status_image/last_build.png$
@@ -13,17 +14,17 @@ bots:
     action: ALLOW
     path_regex: /repo/
 
-  - name: allow webhooks
-    action: ALLOW
-    path_regex: ^/webhooks/
-
-  - name: all behind coprs
+  - name: coprs-web-ui
     action: WEIGH
     weight:
       adjust: 20
     path_regex: ^/coprs
+{% elif copr_machine_type == "distgit" %}
+  - name: packages
+    action: WEIGH
+    weight:
+      adjust: 20
+    path_regex: ^/packages
+{% endif %}
 
   - import: (data)/meta/default-config.yaml
-
-# Custom allowlist of API endpoint specified by each copr instance will live here
-# - import: /etc/anubis/endpoint-allowlist.yaml

roles/copr/dist_git/templates/default.env.j2

@@ -1,11 +0,0 @@
-# most of the configuration is done in the policy file
-# https://anubis.techaro.lol/docs/admin/installation
-
-# Anubis listens to this IP:PORT
-BIND="127.0.0.1:8987"
-
-# IP:PORT of the desired web app
-TARGET="http://127.0.0.1:8345"
-
-# Custom policies will live here once they are ready (package needs to be fixed)
-# POLICY_FNAME=/etc/anubis/policies.yaml

roles/copr/dist_git/templates/policies.yaml.j2

@@ -1,9 +0,0 @@
----
-# if any custom bot policies are needed, they can be added here
-bots:
-  # these are solid defaults from
-  # https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml
-  - import: (data)/botPolicies.yaml
-
-# Custom allowlist of API endpoint specified by each copr instance will live here
-# - import: /etc/anubis/endpoint-allowlist.yaml

roles/copr/dist_git/templates/ssl.conf.j2

@@ -33,10 +33,14 @@ SSLCryptoDevice builtin
     RequestHeader set X-Forwarded-Proto "https"
     RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"
 
-    # BIND port
+    # /{{ cgit_uri }}/ goes through Anubis (configured with BASE_PREFIX=/{{ cgit_uri }})
     ProxyPass /{{ cgit_uri }}/ http://localhost:8987/{{ cgit_uri }}/
     ProxyPassReverse /{{ cgit_uri }}/ http://localhost:8987/{{ cgit_uri }}/
 
+    # Everything else goes directly to backend
+    ProxyPass / http://localhost:8345/
+    ProxyPassReverse / http://localhost:8345/
+
     <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
     </FilesMatch>

roles/copr/frontend/templates/httpd/coprs.conf

@@ -85,8 +85,13 @@ WSGIApplicationGroup %{GLOBAL}
     ProxyRequests Off
     ProxyVia Off
 
-    ProxyPass / http://127.0.0.1:8987/
-    ProxyPassReverse / http://127.0.0.1:8987/
+    # /coprs/ goes through Anubis (configured with BASE_PREFIX=/coprs)
+    ProxyPass /coprs/ http://127.0.0.1:8987/coprs/
+    ProxyPassReverse /coprs/ http://127.0.0.1:8987/coprs/
+
+    # Everything else goes directly to backend
+    ProxyPass / http://127.0.0.1:8345/
+    ProxyPassReverse / http://127.0.0.1:8345/
 </VirtualHost>