mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-03-20 03:57:02 +08:00
1e56a66d34
Fixes: https://forge.fedoraproject.org/infra/tickets/issues/13099 Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
371 lines
13 KiB
INI
371 lines
13 KiB
INI
from datetime import timedelta
|
|
import os
|
|
|
|
os.umask(0o002)
|
|
|
|
### Set the time after which the admin session expires
|
|
# There are two sessions on pagure, login that holds for 31 days and
|
|
# the session defined here after which an user has to re-login.
|
|
# This session is used when accessing all administrative parts of pagure
|
|
# (ie: changing a project's or a user's settings)
|
|
ADMIN_SESSION_LIFETIME = timedelta(minutes=20)
|
|
|
|
{% if env == 'staging' %}
|
|
### Secret key for the Flask application
|
|
SECRET_KEY='{{ distgit_stg_pagure_secret_key }}'
|
|
SALT_EMAIL='{{ distgit_stg_pagure_secret_salt_email }}'
|
|
{% else %}
|
|
### Secret key for the Flask application
|
|
SECRET_KEY='{{ distgit_pagure_secret_key }}'
|
|
SALT_EMAIL='{{ distgit_pagure_secret_salt_email }}'
|
|
{% endif %}
|
|
|
|
{% if env == 'staging' %}
|
|
EMAIL_SEND = False
|
|
{% else %}
|
|
EMAIL_SEND = True
|
|
{% endif %}
|
|
|
|
# This is required so that login specifies https
|
|
PREFERRED_URL_SCHEME='https'
|
|
|
|
### url to the database server:
|
|
#DB_URL=mysql://user:pass@host/db_name
|
|
#DB_URL=postgres://user:pass@host/db_name
|
|
{% if env == 'staging' %}
|
|
DB_URL = 'postgresql://{{ distgit_stg_pagure_db_user }}:{{ distgit_stg_pagure_db_pass }}@{{ pagure_db_host }}/{{ distgit_stg_pagure_db_name }}'
|
|
{% else %}
|
|
DB_URL = 'postgresql://{{ distgit_pagure_db_user }}:{{ distgit_pagure_db_pass }}@{{ pagure_db_host }}/{{ distgit_pagure_db_name }}'
|
|
{% endif %}
|
|
|
|
# Something breaks the database connections after a while, recycle them sooner
|
|
# https://forge.fedoraproject.org/infra/tickets/12622
|
|
DB_POOL_RECYCLE = 300
|
|
|
|
### FAS groups of pagure admins
|
|
ADMIN_GROUP = ['cvsadmin', 'sysadmin-main']
|
|
|
|
# The publicly visible admin email address
|
|
ADMIN_EMAIL = 'admin@fedoraproject.org'
|
|
|
|
### The email address to which the flask.log will send the errors (tracebacks)
|
|
EMAIL_ERROR = 'admin@fedoraproject.org'
|
|
|
|
### Default SMTP server to use for sending emails
|
|
SMTP_SERVER = 'bastion'
|
|
|
|
### Email used to sent emails
|
|
{% if env == 'staging' %}
|
|
FROM_EMAIL = 'pagure@pkgs.stg.fedoraproject.org'
|
|
DOMAIN_EMAIL_NOTIFICATIONS = 'src.stg.fedoraproject.org'
|
|
{% else %}
|
|
FROM_EMAIL = 'pagure@pkgs.fedoraproject.org'
|
|
DOMAIN_EMAIL_NOTIFICATIONS = 'src.fedoraproject.org'
|
|
{% endif %}
|
|
|
|
### Datagrepper info for the user profile
|
|
{% if env == 'staging' %}
|
|
DATAGREPPER_URL = 'https://apps.stg.fedoraproject.org/datagrepper'
|
|
{% else %}
|
|
DATAGREPPER_URL = 'https://apps.fedoraproject.org/datagrepper'
|
|
{% endif %}
|
|
DATAGREPPER_CATEGORY = 'pagure'
|
|
|
|
### The URL to use to clone git repositories.
|
|
{% if env == 'staging' %}
|
|
GIT_URL_SSH = 'ssh://{username}@pkgs.stg.fedoraproject.org/'
|
|
GIT_URL_GIT = 'https://src.stg.fedoraproject.org/'
|
|
{% else %}
|
|
GIT_URL_SSH = 'ssh://{username}@pkgs.fedoraproject.org/'
|
|
GIT_URL_GIT = 'https://src.fedoraproject.org/'
|
|
{% endif %}
|
|
|
|
### The IP addresses allowed for the internal endpoints
|
|
## This is used by a few checks from external programs like
|
|
## upload_cgi and `git clone` going through aclchecker.py where
|
|
## they do an auth request to pagure (which goes through the proxies).
|
|
# FIXME: Use ansible template names for IPs here... ###########################
|
|
{% if env == 'staging' %}
|
|
IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1', '10.5.128.177', '10.16.166.74', '10.16.166.75']
|
|
{% else %}
|
|
IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1', '10.5.126.51', '10.5.126.52', '10.16.163.74', '10.16.163.75']
|
|
{% endif %}
|
|
|
|
# Redis configuration
|
|
{% if env == 'staging' %}
|
|
#EVENTSOURCE_SOURCE = 'https://src.stg.fedoraproject.org:8088'
|
|
{% else %}
|
|
#EVENTSOURCE_SOURCE = 'https://src.stg.fedoraproject.org:8088'
|
|
{% endif %}
|
|
|
|
# Optional configuration
|
|
|
|
### Number of items displayed per page
|
|
# Used when listing items
|
|
ITEM_PER_PAGE = 48
|
|
|
|
### Maximum size of the uploaded content
|
|
# Used to limit the size of file attached to a ticket for example
|
|
MAX_CONTENT_LENGTH = 2 * 1024 * 1024 # 2 megabytes
|
|
|
|
### Lenght for short commits ids or file hex
|
|
SHORT_LENGTH = 7
|
|
|
|
# Authentication related configuration option
|
|
|
|
### Switch the authentication method
|
|
# Specify which authentication method to use, defaults to `fas` can be or
|
|
# `local`
|
|
# Default: ``fas``.
|
|
PAGURE_AUTH = 'oidc'
|
|
OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
|
|
OIDC_ID_TOKEN_COOKIE_SECURE = True
|
|
OIDC_SCOPES = [
|
|
'openid', 'email', 'profile',
|
|
'https://id.fedoraproject.org/scope/groups',
|
|
'https://id.fedoraproject.org/scope/agreements',
|
|
]
|
|
OIDC_PAGURE_EMAIL = 'email'
|
|
OIDC_PAGURE_FULLNAME = 'name'
|
|
OIDC_PAGURE_USERNAME = 'preferred_username'
|
|
OIDC_PAGURE_SSH_KEY = 'ssh_key'
|
|
OIDC_PAGURE_GROUPS = 'groups'
|
|
OIDC_PAGURE_USERNAME_FALLBACK = 'nickname'
|
|
|
|
# When this is set to True, the session cookie will only be returned to the
|
|
# server via ssl (https). If you connect to the server via plain http, the
|
|
# cookie will not be sent. This prevents sniffing of the cookie contents.
|
|
# This may be set to False when testing your application but should always
|
|
# be set to True in production.
|
|
# Default: ``True``.
|
|
SESSION_COOKIE_SECURE = True
|
|
|
|
# The name of the cookie used to store the session id.
|
|
# Default: ``.pagure``.
|
|
SESSION_COOKIE_NAME = 'disgit_pagure'
|
|
|
|
# Boolean specifying wether to check the user's IP address when retrieving
|
|
# its session. This make things more secure (thus is on by default) but
|
|
# under certain setup it might not work (for example is there are proxies
|
|
# in front of the application).
|
|
CHECK_SESSION_IP = True
|
|
|
|
# Used by SESSION_COOKIE_PATH
|
|
APPLICATION_ROOT = '/'
|
|
|
|
# Set the SSH certs/keys
|
|
# For the key ('pubkey'):
|
|
# ssh-keyscan pkgs.stg.fedoraproject.org
|
|
# For SHA256 fingerprint ('SHA256'):
|
|
# ssh-keyscan pkgs.stg.fedoraproject.org | ssh-keygen -lf -
|
|
# For legacy/md5 fingerprint ('fingerprint'):
|
|
# ssh-keyscan pkgs.stg.fedoraproject.org | ssh-keygen -E md5 -lf -
|
|
{% if env == 'staging' %}
|
|
SSH_KEYS = {
|
|
'RSA': {
|
|
'fingerprint': '3072 MD5:1b:9f:76:c7:f6:e6:77:a6:cf:6f:d2:d8:22:b1:50:fc (RSA)',
|
|
'pubkey': 'pkgs.stg.fedoraproject.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDv7yQxp4nCNww1pVeQv2tuvhqs5nMxVmbQJDQdJHcVcLZxtTerRvTKa6UdnxG7E33LeiiDHKe8Ys3sRJKLg5XkN627O4x6joftg1pBYuTaled5six13Z8q2SdrFcvHD6IIOoPkpwcWIpIoSzyb5WSwjyWhfZ4pH53ibF93a7IYuLkXlkxZjVLRLxTuqLHTX8UkezozvuIjWFCZ0Wi9eFAwUKC6SBb6k+mlpHtvTYbFacpEX6axq4Nwemdgzr+9k1U2qXn8UROC8WYLKIgTxSV/ZAu+7PRpczXKGfr+BybtZ/wCnMhcive2dQPM/N2Re+Nfw6FG2z6DBw8hZPGlk8Dd3nJhkOUqrM8juy4GmYGG8h1jmc/1sMbl3AzpvXXGxeqC2yoLvhU6zye0w7ve76ldGGIRQIxzeThe9RPGON42KfHyoIu3E/RKzBJtH1rqCqq5XDjrTEeoEkuF2z7lgfwJ74vzo/vN+FIM+FmanXE1/aE6/1YoUFVvQuUlCuL9uVs=',
|
|
'SHA256': 'SHA256:vP5vCRP10BqUrLDV1Hp7d2zpYeRiOVrV9ukDTJ4G13k',
|
|
}
|
|
}
|
|
{% else %}
|
|
# Production...
|
|
# ssh-keyscan pkgs.fedoraproject.org | ssh-keygen -E md5 -lf -
|
|
# ssh-keyscan pkgs.fedoraproject.org
|
|
# ssh-keyscan pkgs.fedoraproject.org | ssh-keygen -lf -
|
|
# etc.
|
|
SSH_KEYS = {
|
|
'RSA': {
|
|
'fingerprint': '3072 MD5:d6:ad:b1:cf:39:8a:b5:df:5d:37:9b:79:5b:c5:8d:f1 (RSA)',
|
|
'pubkey': 'pkgs.fedoraproject.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4ubrNT+FtwlZmXOHH2a8+IdH3ohMl61GxUExTF5TNcty8O9h3SiE8DmpihU0pezbD85FiXLmAk78hLt9LAnd3I1M8r3dUeWySnTlPuyvB07Vs7lXtOj2n1GKbk4DESjKEza791dTt+5OJRczUKXxDaztiUQemNtZFcyAo5OgBm8mwdZ7buFcR52BK+YVcXXtdMiSPqJAaKco/Rn8X9UB60813VNs0l7Lghq7bqz0dMwMhMT3BZDfV4YkGxYu4eMTiYz3ihN1BMKvbC5I++GfG8sAMQ/g5XX1n6Vg7lyu1C1xbJLdXMDo8+F90dmSGYLQG1FMBCqPol7pzwK0t2u9ySPQIFpTebby4rMznz2pxz6MSAqGqF7FSLg0sPasl9wjklqCeoMpDNUTYfvxoPQ41d5DCv8vYpAQaCcL8ReWq5MPBTQSGYvt/P67lHsKYN5e01PasgRz3vfv18qtuNo0SEOignftuPKwApVpjRNMOd8rdJsMTumHVe2sEUJWFEPc=',
|
|
'SHA256': 'SHA256:dJN0nFWBcWK7SFs2k0nnsO+XNA9+aEDY4FWO7uhxTN8',
|
|
}
|
|
}
|
|
{% endif %}
|
|
|
|
from pagure.mail_logging import ContextInjector, MSG_FORMAT
|
|
LOGGING = {
|
|
'version': 1,
|
|
'disable_existing_loggers': False,
|
|
'formatters': {
|
|
'standard': {
|
|
'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s'
|
|
},
|
|
'email_format': {
|
|
'format': MSG_FORMAT
|
|
}
|
|
},
|
|
'filters': {
|
|
'myfilter': {
|
|
'()': ContextInjector,
|
|
}
|
|
},
|
|
'handlers': {
|
|
'console': {
|
|
'formatter': 'standard',
|
|
'class': 'logging.StreamHandler',
|
|
'stream': 'ext://sys.stderr',
|
|
},
|
|
'email': {
|
|
'level': 'ERROR',
|
|
'formatter': 'email_format',
|
|
'class': 'logging.handlers.SMTPHandler',
|
|
'mailhost': 'bastion',
|
|
'fromaddr': 'pagure@src.fedoraproject.org',
|
|
'toaddrs': 'admin@fedoraproject.org',
|
|
'subject': 'ERROR on pagure - dist-git',
|
|
'filters': ['myfilter'],
|
|
},
|
|
},
|
|
# The root logger configuration; this is a catch-all configuration
|
|
# that applies to all log messages not handled by a different logger
|
|
'root': {
|
|
'level': 'WARN',
|
|
'handlers': ['console', 'email'],
|
|
},
|
|
'loggers': {
|
|
'pagure': {
|
|
'handlers': ['console'],
|
|
'level': 'WARN',
|
|
'propagate': True
|
|
},
|
|
'flask': {
|
|
'handlers': ['console'],
|
|
'level': 'WARN',
|
|
'propagate': False
|
|
},
|
|
'sqlalchemy': {
|
|
'handlers': ['console'],
|
|
'level': 'WARN',
|
|
'propagate': False
|
|
},
|
|
'binaryornot': {
|
|
'handlers': ['console'],
|
|
'level': 'WARN',
|
|
'propagate': True
|
|
},
|
|
'pagure.lib.encoding_utils': {
|
|
'handlers': ['console'],
|
|
'level': 'WARN',
|
|
'propagate': False
|
|
},
|
|
}
|
|
}
|
|
|
|
|
|
# Configuration item that are specific for this odd pagure instance
|
|
|
|
ENABLE_UI_NEW_PROJECTS = False
|
|
ALLOWED_PREFIX = ['rpms', 'modules', 'flatpaks', 'container', 'tests']
|
|
EXCLUDE_GROUP_INDEX = ['packager']
|
|
PRIVATE_PROJECTS = False
|
|
PR_TARGET_MATCHING_BRANCH = True
|
|
|
|
ACLS = {
|
|
"commit": "Commit to a git repository via http(s)",
|
|
'create_branch': 'Create a git branch on a project',
|
|
'create_project': 'Create a new project',
|
|
'fork_project': 'Fork a project',
|
|
'pull_request_create': 'Open a new pull-request',
|
|
'pull_request_close': 'Close a pull-request of this project',
|
|
'pull_request_comment': 'Comment on a pull-request of this project',
|
|
'pull_request_flag': 'Flag a pull-request of this project',
|
|
'pull_request_merge': 'Merge a pull-request of this project',
|
|
"pull_request_update": (
|
|
"Update a pull-request (title, description, assignee...)"
|
|
),
|
|
"pull_request_rebase": "Rebase a pull-request",
|
|
'modify_project': 'Modify an existing project',
|
|
'generate_acls_project': 'Generate the Gitolite ACLs on a project',
|
|
'commit_flag': 'Flag a commit',
|
|
"update_watch_status": "Update the watch status on a project",
|
|
"tag_project": "Allows adding git tags to a project",
|
|
"group_modify": "Allows removing/adding users in groups",
|
|
}
|
|
|
|
REQUIRED_GROUPS = {
|
|
'container/*': ['packager'],
|
|
'flatpaks/*': ['packager'],
|
|
'modules/*': ['packager'],
|
|
'rpms/*': ['packager'],
|
|
}
|
|
|
|
{% if env == 'staging' %}
|
|
RESULTSDB_URL = 'https://resultsdb.stg.fedoraproject.org/'
|
|
FAS_URL = 'https://accounts.stg.fedoraproject.org'
|
|
FAS_OPENID_ENDPOINT = 'https://id.stg.fedoraproject.org/openid/'
|
|
{% else %}
|
|
RESULTSDB_URL = 'https://resultsdb.fedoraproject.org/'
|
|
FAS_URL = 'https://accounts.fedoraproject.org'
|
|
{% endif %}
|
|
|
|
THEME_TEMPLATE_FOLDER = '/usr/share/pagure_dist_git/template/'
|
|
THEME = 'srcfpo'
|
|
|
|
USER_ACLS = [
|
|
'fork_project',
|
|
'pull_request_create',
|
|
'pull_request_close',
|
|
'pull_request_comment',
|
|
'pull_request_flag',
|
|
'pull_request_merge',
|
|
'pull_request_update',
|
|
'pull_request_rebase',
|
|
'modify_project',
|
|
'update_watch_status',
|
|
]
|
|
|
|
CROSS_PROJECT_ACLS = [
|
|
'fork_project',
|
|
'modify_project',
|
|
'pull_request_create',
|
|
'pull_request_close',
|
|
'pull_request_comment',
|
|
'pull_request_merge',
|
|
'pull_request_update',
|
|
'pull_request_rebase',
|
|
'pull_request_flag',
|
|
'update_watch_status',
|
|
]
|
|
|
|
ADMIN_API_ACLS = [
|
|
'pull_request_flag',
|
|
'pull_request_comment',
|
|
'pull_request_merge',
|
|
'commit',
|
|
'create_project',
|
|
'group_modify',
|
|
'modify_project',
|
|
'generate_acls_project',
|
|
'commit_flag',
|
|
'create_branch',
|
|
'tag_project',
|
|
]
|
|
|
|
PROJECT_NAME_REGEX = '^[a-zA-z0-9_][a-zA-Z0-9-_\.+]*$'
|
|
|
|
|
|
{% if env == 'staging' %}
|
|
CSP_HEADERS = (
|
|
"default-src 'self'; "
|
|
"script-src 'self' '{nonce_script}' https://apps.stg.fedoraproject.org https://mdapi.stg.fedoraproject.org https://transtats.stg.fedoraproject.org; "
|
|
"style-src 'self' '{nonce_style}'; "
|
|
"object-src 'none'; "
|
|
"base-uri 'self'; "
|
|
"img-src 'self' https:; "
|
|
"connect-src 'self' https://apps.stg.fedoraproject.org https://mdapi.stg.fedoraproject.org https://transtats.stg.fedoraproject.org https://bodhi.stg.fedoraproject.org;"
|
|
)
|
|
{% else %}
|
|
CSP_HEADERS = (
|
|
"default-src 'self'; "
|
|
"script-src 'self' '{nonce_script}' https://apps.fedoraproject.org https://mdapi.fedoraproject.org https://transtats.fedoraproject.org; "
|
|
"style-src 'self' '{nonce_style}'; "
|
|
"object-src 'none'; "
|
|
"base-uri 'self'; "
|
|
"img-src 'self' https:; "
|
|
"connect-src 'self' https://apps.fedoraproject.org https://mdapi.fedoraproject.org https://transtats.fedoraproject.org https://bodhi.fedoraproject.org;"
|
|
)
|
|
{% endif %}
|
|
|
|
{% include "pagure_shared.cfg" %}
|