diff --git a/roles/copr/dist_git/files/anubis/default.env b/roles/copr/anubis/files/anubis/default.env
similarity index 50%
rename from roles/copr/dist_git/files/anubis/default.env
rename to roles/copr/anubis/files/anubis/default.env
index 7faaf7b7d2..a3b16ffc30 100644
--- a/roles/copr/dist_git/files/anubis/default.env
+++ b/roles/copr/anubis/files/anubis/default.env
@@ -2,7 +2,10 @@
# https://anubis.techaro.lol/docs/admin/installation
# Anubis listens to this IP:PORT
-BIND="127.0.0.1:8000"
+BIND="127.0.0.1:8987"
# IP:PORT of the desired web app
-TARGET="http://127.0.0.1:8080"
+TARGET="http://127.0.0.1:8345"
+
+# Custom policies will live here once they are ready (package needs to be fixed)
+# POLICY_FNAME=/etc/anubis/policies.yaml
diff --git a/roles/copr/anubis/files/anubis/policies.yaml b/roles/copr/anubis/files/anubis/policies.yaml
new file mode 100644
index 0000000000..d6382acaf7
--- /dev/null
+++ b/roles/copr/anubis/files/anubis/policies.yaml
@@ -0,0 +1,10 @@
+---
+# if any custom bot policies are needed, they can be added here
+bots:
+ # these are solid defaults from
+ # https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml
+ - import: (data)/botPolicies.yaml
+
+
+# Custom allowlist of API endpoint specified by each copr instance will live here
+# - import: /etc/anubis/endpoint-allowlist.yaml
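Review bot: The commented placeholder `# - import: /etc/anubis/endpoint-allowlist.yaml` sits at column 0 after the default import, so uncommenting it as written would put it outside the `bots:` list. Its position after `(data)/botPolicies.yaml` also matters if Anubis evaluates bot rules in order, as it appears to: an ALLOW for API endpoints may never be reached for clients the defaults already challenge or deny. I would move the placeholder above the default import and indent it under `bots:`, with a comment such as `# must stay before the defaults so API clients are matched first`. Note that this file has no effect until `POLICY_FNAME` is enabled in default.env.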
diff --git a/roles/copr/anubis/handlers/main.yml b/roles/copr/anubis/handlers/main.yml
new file mode 100644
index 0000000000..6ad066af76
--- /dev/null
+++ b/roles/copr/anubis/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart anubis
+ service:
+ name: anubis@default.service
+ state: restarted
+
+- name: Reload httpd
+ service:
+ name: httpd
+ state: reloaded
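Review bot: Both handlers use the short module name `service`, whereas the handler this replaces in dist_git used `ansible.builtin.service` and the role's own tasks already use fully qualified names for `copy` and `seboolean`. Writing `ansible.builtin.service:` in both handlers keeps the role consistent and avoids resolution through a collection search path. `Reload httpd` is a generic name, so it is worth checking that it does not shadow a handler of the same name in another role used in the same play.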
diff --git a/roles/copr/anubis/httpd/00-backend-listen.conf b/roles/copr/anubis/httpd/00-backend-listen.conf
new file mode 100644
index 0000000000..a387bd003d
--- /dev/null
+++ b/roles/copr/anubis/httpd/00-backend-listen.conf
@@ -0,0 +1,23 @@
+# This is how the Anubis should be configured:
+#
+# ┌───────────────────────────┐
+# Client ──> │ Apache on port 443 (SSL) │
+# └───────────┬───────────────┘
+# │
+# ▼
+# ┌───────────────┐
+# │ Anubis on │
+# │ port 8987 │
+# │ (Filter) │
+# └─────┬─────────┘
+# │ <- Is in endpoint-allowlist.yaml?
+# ┌───────────────┴─────────────────────┐
+# │ <- ALLOW if endpoint is in │ <- FILTER
+# │ endpoint-allowlist.yaml │
+# | |
+# | ┌──────────────────┐ |
+# | │ Apache on port │ |
+# └──────> │ 8345 (App) │ <───────┘
+# └──────────────────┘
+
+Listen 127.0.0.1:8345
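Review bot: Nothing visible in this diff installs this file: the role's tasks copy only `anubis/default.env` and `anubis/policies.yaml`, and the file sits under `roles/copr/anubis/httpd/` rather than `files/`, where `copy` resolves relative `src` paths. The dist_git copy of the same file is deleted in this commit, so if a task outside this diff still references `httpd/00-backend-listen.conf`, it will fail. If nothing deploys it at all, Apache will not listen on 127.0.0.1:8345 and Anubis's TARGET has no backend. Keeping the listener on loopback is the right choice, since it stops clients reaching the app port without passing the filter. The diagram's endpoint-allowlist.yaml branch is not enabled yet and could be marked `# (planned)`.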
diff --git a/roles/copr/anubis/tasks/main.yml b/roles/copr/anubis/tasks/main.yml
new file mode 100644
index 0000000000..b545d59f9c
--- /dev/null
+++ b/roles/copr/anubis/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Install Anubis Bot Blocker
+ dnf:
+ name: anubis
+ state: present
+ tags:
+ - anubis
+
+- name: Allow Apache to make network connections for proxy
+ ansible.posix.seboolean:
+ name: httpd_can_network_connect
+ state: true
+ persistent: true
+ tags:
+ - anubis
+
+- name: Ensure Anubis service is enabled and started
+ service:
+ name: anubis@default.service
+ enabled: true
+ state: started
+ tags:
+ - anubis
+
+- name: Install Anubis configuration and rules
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/{{ item }}"
+ mode: '0644'
+ loop:
+ - anubis/default.env
+ - anubis/policies.yaml
+ notify:
+ - Restart anubis
+ - Reload httpd
+ tags:
+ - anubis
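Review bot: `httpd_can_network_connect` lets httpd open outbound TCP connections to any host and port, which is broader than a loopback proxy to Anubis needs, and as a shared role it now applies to every host that includes it. If the policy permits, a narrower setup may be to label port 8987 as `http_port_t` and enable `httpd_can_network_relay` instead; otherwise add a comment on the task explaining why the broad boolean is required. Separately, the service is started before the configuration is copied, so on a first install Anubis runs with the packaged defaults until the handler fires; moving the copy task above the service task avoids that window. The copy task could also set `owner: root` and `group: root` explicitly rather than rely on the connecting user.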
diff --git a/roles/copr/dist_git/files/anubis_config.env b/roles/copr/dist_git/files/anubis_config.env
new file mode 100644
index 0000000000..8264745499
--- /dev/null
+++ b/roles/copr/dist_git/files/anubis_config.env
@@ -0,0 +1,3 @@
+BIND="127.0.0.1:8987"
+TARGET="http://127.0.0.1:8345"
+BASE_PREFIX="/cgit"
diff --git a/roles/copr/dist_git/files/httpd/00-backend-listen.conf b/roles/copr/dist_git/files/httpd/00-backend-listen.conf
deleted file mode 100644
index 6e6bed507a..0000000000
--- a/roles/copr/dist_git/files/httpd/00-backend-listen.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# This is how the Anubis should be configured on dist-git:
-# ┌───────────────────────────┐
-# Client ──> │ Apache on port 443 (SSL) │
-# └───────────┬───────────────┘
-# │
-# ┌────────────────┴────────────────┐
-# │ (if the path is /git) │ (for everything else)
-# ▼ ▼
-# ┌──────────────────┐ ┌──────────────────┐
-# │ Apache on port │ <────────── │ Anubis on port │
-# │ 8080 (App) │ │ 8000 (Filter) │
-# └──────────────────┘ └──────────────────┘
-
-Listen 127.0.0.1:8080
diff --git a/roles/copr/dist_git/files/httpd/copr-dist-git.conf b/roles/copr/dist_git/files/httpd/copr-dist-git.conf
index 3a76cd2037..af79c18b50 100644
--- a/roles/copr/dist_git/files/httpd/copr-dist-git.conf
+++ b/roles/copr/dist_git/files/httpd/copr-dist-git.conf
@@ -1,11 +1,9 @@
-
- Alias /per-task-logs /var/lib/copr-dist-git/per-task-logs
-
- Options Indexes FollowSymLinks
- AllowOverride None
- Require all granted
-
-
+Alias /per-task-logs /var/lib/copr-dist-git/per-task-logs
+
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+
StartServers 2
diff --git a/roles/copr/dist_git/files/httpd/dist-git/lookaside-copr.conf b/roles/copr/dist_git/files/httpd/dist-git/lookaside-copr.conf
index fee8073944..c86e19d525 100644
--- a/roles/copr/dist_git/files/httpd/dist-git/lookaside-copr.conf
+++ b/roles/copr/dist_git/files/httpd/dist-git/lookaside-copr.conf
@@ -1,4 +1,2 @@
-
- AliasMatch "/repo(/.*)/md5(/.*)" "/var/lib/dist-git/cache/lookaside$1$2"
- Alias /repo/ /var/lib/dist-git/cache/lookaside/
-
+AliasMatch "/repo(/.*)/md5(/.*)" "/var/lib/dist-git/cache/lookaside$1$2"
+Alias /repo/ /var/lib/dist-git/cache/lookaside/
diff --git a/roles/copr/dist_git/handlers/main.yml b/roles/copr/dist_git/handlers/main.yml
index 516248a2f7..600a32ddc2 100644
--- a/roles/copr/dist_git/handlers/main.yml
+++ b/roles/copr/dist_git/handlers/main.yml
@@ -4,8 +4,3 @@
- name: Restart copr-dist-git
service: name="copr-dist-git" state="restarted"
-
-- name: Restart anubis
- ansible.builtin.service:
- name: anubis@default.service
- state: restarted
diff --git a/roles/copr/dist_git/tasks/main.yml b/roles/copr/dist_git/tasks/main.yml
index 9718c43844..f136434b55 100644
--- a/roles/copr/dist_git/tasks/main.yml
+++ b/roles/copr/dist_git/tasks/main.yml
@@ -176,31 +176,19 @@
- name: Install /etc/gitconfig file
ansible.builtin.copy: src="gitconfig" dest="/etc/gitconfig"
-- name: Install Anubis Bot Blocker
- dnf:
- name: anubis
- state: present
+- name: Include Anubis role for dist-git
+ include_role:
+ name: copr/anubis
+ tags:
+ - anubis
-- name: Allow Apache to make network connections for proxy
- ansible.posix.seboolean:
- name: httpd_can_network_connect
- state: true
- persistent: true
-
-- name: Ensure Anubis service is enabled and started
- service:
- name: anubis@default.service
- enabled: true
- state: started
-
-- name: Install Anubis configuration and rules
+- name: Temporary rewrite Anubis config file
ansible.builtin.copy:
- src: "{{ item }}"
- dest: "/etc/{{ item }}"
+ src: "anubis_config.env"
+ dest: "/etc/anubis/default.env"
mode: '0644'
- loop:
- # there will be more...
- - anubis/default.env
- notify:
- - Restart anubis
- - Reload httpd
+
+- name: Restart anubis
+ ansible.builtin.systemd:
+ name: anubis@default.service
+ state: restarted
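Review bot: The two tasks added at the end of this hunk undo the role's idempotence: `Temporary rewrite Anubis config file` overwrites the `/etc/anubis/default.env` that the included role has just copied, so both copies report changed on every run, and the `Restart anubis` task that follows restarts the service unconditionally. Neither task carries the `anubis` tag, so a run limited to `--tags anubis` leaves the role's generic file in place without `BASE_PREFIX="/cgit"`. I would tag the override, have it notify the role's handler, and drop the unconditional restart task. Longer term, a role variable for the env file source would remove the double write. The hunk starts inside a longer task list.

```yaml
- name: Temporary rewrite Anubis config file
  # … unchanged: ansible.builtin.copy arguments …
  notify:
    - Restart anubis
  tags:
    - anubis

# … removed: the unconditional "Restart anubis" systemd task …
```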
diff --git a/roles/copr/dist_git/templates/ssl.conf.j2 b/roles/copr/dist_git/templates/ssl.conf.j2
index bba89443a7..712af09161 100644
--- a/roles/copr/dist_git/templates/ssl.conf.j2
+++ b/roles/copr/dist_git/templates/ssl.conf.j2
@@ -24,20 +24,18 @@ SSLCryptoDevice builtin
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
+ # Anubis config
ProxyRequests Off
ProxyPreserveHost On
+ ProxyVia Off
RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"
- # send directly to backend
- ProxyPass /git/ http://127.0.0.1:8080/git/
- ProxyPassReverse /git/ http://127.0.0.1:8080/git/
-
- # send the rest to Anubis
- ProxyPass / http://127.0.0.1:8000/
- ProxyPassReverse / http://127.0.0.1:8000/
+ # BIND port
+ ProxyPass /cgit/ http://localhost:8987/cgit/
+ ProxyPassReverse /cgit/ http://localhost:8987/cgit/
SSLOptions +StdEnvVars
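Review bot: The new `ProxyPass /cgit/ http://localhost:8987/cgit/` targets `localhost`, while Anubis is bound to `127.0.0.1:8987` in the env files; where `localhost` resolves to `::1` first, the proxy connection can fail or succeed only after a refused attempt. Using the literal address, `ProxyPass /cgit/ http://127.0.0.1:8987/cgit/` with the matching `ProxyPassReverse`, keeps it consistent with BIND and with the lines this replaces. Only `/cgit/` with the trailing slash now goes through Anubis, so it is worth confirming that `/cgit` without the slash and the other paths on this vhost are meant to be served unfiltered. The comment `# BIND port` could read `# must match BIND in /etc/anubis/default.env`. The enclosing virtual host starts and ends outside the hunk.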