This role is intended to be run on a build{vm|hw} machine that is in the
secure-boot channel in koji. It sets up the siguldry pesign-bridge that
allows builds done there to call pesign to sign artifacts by bind
mounting a socket into the mock chroot.
This then calls sigul's pesign client which sends the artifact to the
sigul vault via the sigul bridge for signing. The vault has access to
a secure token to sign the artifact with.
This should (once confirmed working) replace the roles/bkernel role that
used a secure card that was directly attached to a buildhw device.
This should allow us to add support for aarch64 as well as more easily
use different hardware or vm's as any of them could be setup to query
the sigul server.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit standardizes the regex redirection used for all Fedora Docs
sites where a language code is involved in the original site and the
redirected site. This new regex pattern matches anything between the
slashes where the language code for the Fedora Docs site appears. This
allows for greater flexibility of anything that may appear now or in the
future for the language codes, including some that use two letters and
others that use four letters.
It makes the redirect consistent across all Fedora Docs redirects, in
the general aim of promoting a common best practice for Fedora Docs
redirects for old site names to new ones.
CC: @pbokoc @pboy
Signed-off-by: Justin Wheeler <jwheel@redhat.com>
This commit adds a new redirect rule for the migration of the Fedora
Operations Architect documentation, or the Fedora Program Management
docs, into their new home as Fedora Program Operations docs. This will
fit in with the new Forgejo home for these docs, and help give a better
home and identity to the efforts around program management for Fedora,
like the release schedule and other core parts of the release program
and schedule.
I also added a `docs` tag since it is a Fedora Docs-specific redirect.
Signed-off-by: Justin Wheeler <jwheel@redhat.com>
We only have two job groups, so the front page is a bit sad and
empty. Let's show 10 builds per group, not 3.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Seems like the proxies don't want to handle port 80 nicely, I get
errors in Zabbix for them using localhost:80/apache-status (which
works elsewhere, like sundries). However using https/443 seems to
work, so we'll do that instead.
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
I mistakenly changed the port in the fedora/non el one, that was
correct.
Need to add the port in the el one for selinux to allow httpd to work.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Fixed up a few things missed and caught in testing on dl01:
* need to setup subuid/subgid files for podman
* need to allow the right port for httpd to listen in selinux
* need httpd network connect to allow it to connect to anubis
* adjust worker values, we were not using prefork for a long time
so the values were just default up them a bunch.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Looks like the scrapers are hitting the download servers now.
So, look at setting up an anubis pod there like we did for pagure.
anubis package isn't available for epel9, so we just use the container.
Will test this with dl01 and tweak until it's working.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The flatpak-indexer-build needs to run only pytest as done in upstream.
Otherwise it fails on missing commands.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
Upstream repo doesn't have staging and production branches. So let's
just go with main. In case of redis use the branch where the fix is introduced.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
Per https://pagure.io/fedora-qa/issue/859 we want to drop the QA
landing page at qa.fedoraproject.org. This should turn it back
into a redirect to the wiki page. We also drop the certificate
for qa.fp.o (since blockerbugs uses the wildcard certificate
anyway) and remove a duplicate reverseproxy entry for blockerbugs
(we had two otherwise-identical entries that were restricted to
prod and stg with `when` conditions).
Signed-off-by: Adam Williamson <awilliam@redhat.com>
