-
Notifications
You must be signed in to change notification settings - Fork 2
/
main.yml
134 lines (110 loc) · 4.92 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
---
# defaults file for pagure application
pagure_mysqldb_name: pagure
pagure_mysqldb_user: pagure
pagure_mysqldb_pass: fqemfzqfjmqzeifjmzoeimzqefzq
pagure_secret_key: 'tfeqzfqezfmmjqefmoqzejfmoqzefqze'
pagure_salt_email: 'frhimiipwearewojpfeadmacmoeoezqe'
# Default path for git/gitolite user home dir, holding all the structure for git repositories
pagure_git_rootpath: /srv/git
# Which openid endpoint to use for auth
pagure_openid_endpoint: https://id.stg.centos.org/idp/openid/
# Do we need to apply some temporary patches on pagure itself ?
pagure_patches: False
pagure_patches_list:
- pagure-openid-base64-sshpubkey.patch # el7 : Needed if ssh pub key comes from IPA instead of FAS : base64 encoded so neeeds to be decoded for pagure
- pagure-alembic_commit_flag.patch # el8 : see https://pagure.io/pagure/pull-request/5280#request_diff
- pagure-mqtt-int.patch # el8 : see https://pagure.io/pagure/pull-request/5290
# List of user with admin rights in pagure (not coming from any group)
pagure_admin_users:
- root
pagure_admin_group: git-admins
# List of namespaces to be created in pagure
pagure_namespaces:
- rpms
- sig-core
# List of namespaces for which we'll enable tickets feature and disabled for the rest
pagure_tickets_namespaces:
- sig-core
# Hard-code email address to send pagure errors to
pagure_email_error: [email protected]
# For automatically computed ACLs for aclchecker (sig_prefixes + supported_sigs)
pagure_sig_prefixes:
- refs/heads/c6
- refs/heads/c7
pagure_supported_sigs:
- sig-core
- sig-cloud
# Branches that RCM group can push to (regex)
pagure_rcm_branches:
- refs/heads/c[0-9]+.*
- refs/tags/.*
# Branches that nobody can push to (regex)
pagure_blacklist_branches:
- refs/heads/f[0-9]+.*
- refs/heads/epel[0-9]+.*
- refs/heads/el[0-9]+.*
- refs/heads/olpc[0-9]+.*
- refs/heads/master
# Group with specific ACLs for aclchecker
pagure_rcm_group: yourgroup
# Specifi list of users who, without being admin, can create a repo in pagure
# and still select which repospanner region to create the repo into
pagure_rcm_users:
- youruser
# Lookaside specific variables
# Which upstream API we need to query on each call for group membership ? fas or fasjson
# FAS is "legacy" and calling fas, while fasjson is the new endpoint as portal in front of IPA. Pick *one*
lookaside_rootpath: /srv/cache
lookaside_fas_user: youruser
lookaside_fas_pass: yourpass
lookaside_fas_url: https://fas.url
# If using fasjson, which is the kerberos keytab to use to auth against fasjson and which fasjson urlendpoint
lookaside_fasjson: False
lookaside_fasson_url: https://fasjson.stg.fedoraproject.org
lookaside_fasjson_keytab: # File distributed by ansible to let upload.cgi query fasjson/IPA
# Common options for both : which CA to verify/auth TLS client against (checking that they are signed by that CA)
lookaside_fas_ca_crt: fas_ca_cert-prod.crt
lookaside_fas_ca_issuer_org: "The CentOS Project" # Varies from CA to check to ensure it's correct with IPA certs
# which specific rcm user can push through ssh instead of upload.cgi/tls auth
lookaside_ssh_users:
- login_name: pushuser
full_name: CentOS Sources push user
ssh_pub_key:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6++6IePs4kw0nCnW5HmvEDeP3LKvBjy3WMYnPpYoJP9xWnZJCc9snPGUq0n/iwR3cCXuiUOf882QewMDyNR/T10MdcyRar6ImBqUIKXK1xGqgrrzrDCwCEITXSmQgk0BnWPDSNn7IKvPDulzx+1pbwa1jh1XA4Px3Yf/4Lko9aP/9w/VBMNTVegCmcgCxGpTFlpWKDSHmTatZNK6nHWdOwprt0SJOb9EKLM7MxunTx3vyT9jB6dkNKM4rxU5b4rmvaJ8ctTqrfu9KdDy8bjZhTy+mIcFujgfFNqZeHAOdJ6gl946r6Mb/6jZA0KvZDs3kJ/9ZSZCcWDzTqargu59H"
# Do want to also push notifications to mqtt ?
pagure_mqtt: False
pagure_mqtt_host: broker.dev.centos.org #mqtt broker to push to
pagure_mqtt_port: 8883
pagure_mqtt_topic: pagure
pagure_mqtt_user:
pagure_mqtt_pass:
pagure_mqtt_tls_cacert:
pagure_mqtt_tls_cert:
pagure_mqtt_tls_key:
# Do we want to output computed ACLs on git pushes
pagure_acl_debug: False
# Do we want repospanner integration
pagure_repospanner_cluster: False
# Some httpd settings
# Ensuring that httpd/pagure worker can open multiple files (to avoid "Too many open files")
pagure_httpd_limit_nofile: 65536
sysctl_fs_inotify_max_user_watches: '1524288'
# httpd TimeOut setting (default '60' is too small for wsgi)
pagure_httpd_timeout: 120
# mod_wsgi settings, read https://modwsgi.readthedocs.io/en/master/configuration-directives/WSGIDaemonProcess.html
# default to number of cores/vcpus but can be set through inventory
pagure_httpd_wsgi_processes: "{{ ansible_processor_nproc }}"
pagure_httpd_wsgi_threads: "{{ ansible_processor_nproc }}"
pagure_httpd_wsgi_inactivity_timeout: 300
# If we want repospanner integration, we need the instances details
# see repospanner defaults
# Zabbix templates/groups (monitoring)
zabbix_pagure_templates:
- Template CentOS MySQL
- Template CentOS http server
- Template CentOS - https SSL Cert Check External
zabbix_pagure_groups:
- CentOS Pagure hosts
- CentOS HTTP servers
- CentOS HTTPS servers