diff --git a/.gitignore b/.gitignore index 8fcbf0b..0b837d0 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,9 @@ alembic.ini # Don't track the virtualenv we tell developers to use pagure_env/ + +# Ignore the Vagrantfile +Vagrantfile +.dnf-cache +*.retry +.vagrant diff --git a/README.rst b/README.rst index d895e7c..c6805c7 100644 --- a/README.rst +++ b/README.rst @@ -24,6 +24,39 @@ Playground version: https://stg.pagure.io Get it running ============== +There are several options when it comes to a development environment. Vagrant +will provide you with a virtual machine which you can develop on, or you can +install it directly on your host machine. + +Vagrant +^^^^^^^ + +For a more thorough introduction to Vagrant, see +https://fedoraproject.org/wiki/Vagrant. + +An example Vagrantfile is provided as ``Vagrantfile.example``. To use it, +just copy it and install Vagrant:: + + $ cp Vagrantfile.example Vagrantfile + $ sudo dnf install ansible libvirt vagrant-libvirt vagrant-sshfs vagrant-hostmanager + $ vagrant up + +The default ``Vagrantfile`` forwards ports from the host to the guest, +so you can interact with the application as if it were running on your +host machine. + +.. note:: + ``vagrant-hostmanager`` will automatically maintain /etc/hosts for you so you + can access the development environment from the host using its hostname, which + by default is ``pagure-dev.example.com``. You can choose not to use this + functionality by simply not installing the ``vagrant-hostmanager`` plugin, but + if you want Pagure to provide valid URLs in the UI for git repositories, you + will need to adjust Pagure's configuration found in ~/pagure.cfg on the guest. + + +Manually +^^^^^^^^ + * Install the needed system libraries:: sudo dnf install git python-virtualenv libgit2-devel \ diff --git a/Vagrantfile.example b/Vagrantfile.example new file mode 100644 index 0000000..2173e26 --- /dev/null +++ b/Vagrantfile.example 
@@ -0,0 +1,65 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +VAGRANTFILE_API_VERSION = "2" + +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + config.vm.box = "fedora/24-cloud-base" + + # Forward traffic on the host to the development server on the guest + config.vm.network "forwarded_port", guest: 5000, host: 5000 + # Forward traffic on the host to Redis on the guest + config.vm.network "forwarded_port", guest: 6379, host: 6379 + # Forward traffic on the host to the SSE server on the guest + config.vm.network "forwarded_port", guest: 8080, host: 8080 + + if Vagrant.has_plugin?("vagrant-hostmanager") + config.hostmanager.enabled = true + config.hostmanager.manage_host = true + end + + # Vagrant can share the source directory using rsync, NFS, or SSHFS (with the vagrant-sshfs + # plugin). By default it rsyncs the current working directory to /vagrant. + # + # If you would prefer to use NFS to share the directory uncomment this and configure NFS + # config.vm.synced_folder ".", "/vagrant", type: "nfs", nfs_version: 4, nfs_udp: false + config.vm.synced_folder ".", "/vagrant", disabled: true + config.vm.synced_folder ".", "/home/vagrant/devel", type: "sshfs", sshfs_opts_append: "-o nonempty" + + # To cache update packages (which is helpful if frequently doing `vagrant destroy && vagrant up`) + # you can create a local directory and share it to the guest's DNF cache. The directory needs to + # exist, so create it before you uncomment the line below. 
+ # + # config.vm.synced_folder ".dnf-cache", "/var/cache/dnf", type: "sshfs", sshfs_opts_append: "-o nonempty" + + # Comment this line if you would like to disable the automatic update during provisioning + config.vm.provision "shell", inline: "sudo dnf upgrade -y" + + # bootstrap and run with ansible + config.vm.provision "shell", inline: "sudo dnf -y install python2-dnf libselinux-python" + config.vm.provision "ansible" do |ansible| + ansible.playbook = "ansible/vagrant-playbook.yml" + end + + + # Create the "pagure" box + config.vm.define "pagure" do |pagure| + pagure.vm.host_name = "pagure-dev.example.com" + + pagure.vm.provider :libvirt do |domain| + # Season to taste + domain.cpus = 4 + domain.graphics_type = "spice" + domain.memory = 2048 + domain.video_type = "qxl" + + # Uncomment the following line if you would like to enable libvirt's unsafe cache + # mode. It is called unsafe for a reason, as it causes the virtual host to ignore all + # fsync() calls from the guest. Only do this if you are comfortable with the possibility of + # your development guest becoming corrupted (in which case you should only need to do a + # vagrant destroy and vagrant up to get a new one). + # + # domain.volume_cache = "unsafe" + end + end +end diff --git a/ansible/roles/pagure-dev/files/bashrc b/ansible/roles/pagure-dev/files/bashrc new file mode 100644 index 0000000..c27610f --- /dev/null +++ b/ansible/roles/pagure-dev/files/bashrc 
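Review bot: The three `config.vm.network "forwarded_port"` lines near the top of the hunk give no `host_ip`, so depending on the Vagrant and vagrant-libvirt defaults the guest's development server, Redis and SSE ports may be reachable from every host interface rather than only the loopback, and Redis on a dev box is normally unauthenticated. Binding the forwards explicitly keeps the `http://localhost:5000/` workflow the motd describes without exposing the VM to the local network: `config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "127.0.0.1"`, with the same `host_ip: "127.0.0.1"` on the 6379 and 8080 forwards. The two shell provisioners also prefix `sudo` although Vagrant's shell provisioner runs privileged by default, so `inline: "dnf upgrade -y"` is enough.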
@@ -0,0 +1,27 @@ +# .bashrc + +# Source global definitions +if [ -f /etc/bashrc ]; then + . /etc/bashrc +fi + +# Uncomment the following line if you don't like systemctl's auto-paging feature: +# export SYSTEMD_PAGER= + +# User specific aliases and functions +# If adding new functions to this file, note that you can add help text to the function +# by defining a variable with name __help containing the help text + +export PAGURE_CONFIG=~/pagure.cfg + +pstart (){ + systemctl --user start pagure.service +} + +pstop (){ + systemctl --user stop pagure.service +} + +prestart (){ + systemctl --user restart pagure.service +} diff --git a/ansible/roles/pagure-dev/files/clamd.conf b/ansible/roles/pagure-dev/files/clamd.conf new file mode 100644 index 0000000..7e9cfa5 --- /dev/null +++ b/ansible/roles/pagure-dev/files/clamd.conf 
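Review bot: The header comment says help text can be attached to a function through a `__help` variable, but nothing in this file reads such a variable, so the sentence documents a mechanism that does not exist here; either drop it or add the helper it refers to. The three wrappers also only manage `pagure.service`, while this change ships a second unit, `pagure-docs.service`, that the motd's `pstart`/`pstop` tip never reaches; a small generalisation covers both: `pstart() { systemctl --user start "${1:-pagure}.service"; }`, `pstop() { systemctl --user stop "${1:-pagure}.service"; }`, `prestart() { systemctl --user restart "${1:-pagure}.service"; }`, which keeps the bare `pstart` behaviour and lets `pstart pagure-docs` drive the docs server. The `name (){` spelling would read more conventionally as `name() {`.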
@@ -0,0 +1,684 @@ +## +## Example config file for the Clam AV daemon +## Please read the clamd.conf(5) manual before editing this file. +## + + +# Comment or remove the line below. +# Example + +# Uncomment this option to enable logging. +# LogFile must be writable for the user running daemon. +# A full path is required. +# Default: disabled +#LogFile /var/log/clamd. + +# By default the log file is locked for writing - the lock protects against +# running clamd multiple times (if want to run another clamd, please +# copy the configuration file, change the LogFile variable, and run +# the daemon with --config-file option). +# This option disables log file locking. +# Default: no +#LogFileUnlock yes + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size +# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log +# rotation (the LogRotate option) will always be enabled. +# Default: 1M +#LogFileMaxSize 2M + +# Log time with each message. +# Default: no +#LogTime yes + +# Also log clean files. Useful in debugging but drastically increases the +# log size. +# Default: no +#LogClean yes + +# Use system logger (can work together with LogFile). +# Default: no +LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable verbose logging. +# Default: no +#LogVerbose yes + +# Enable log rotation. Always enabled when LogFileMaxSize is enabled. +# Default: no +#LogRotate yes + +# Log additional information about the infected file, such as its +# size and hash, together with the virus name. +#ExtendedDetectionInfo yes + +# This option allows you to save a process identifier of the listening +# daemon (main thread). 
+# Default: disabled +#PidFile /var/run/clamd./clamd.pid + +# Optional path to the global temporary directory. +# Default: system specific (usually /tmp or /var/tmp). +#TemporaryDirectory /var/tmp + +# Path to the database directory. +# Default: hardcoded (depends on installation options) +#DatabaseDirectory /var/lib/clamav + +# Only load the official signatures published by the ClamAV project. +# Default: no +#OfficialDatabaseOnly no + +# The daemon can work in local mode, network mode or both. +# Due to security reasons we recommend the local mode. + +# Path to a local socket file the daemon will listen on. +# Default: disabled (must be specified by a user) +LocalSocket /var/lib/clamav/clamd.sock + +# Sets the group ownership on the unix socket. +# Default: disabled (the primary group of the user running clamd) +LocalSocketGroup clamupdate + +# Sets the permissions on the unix socket to the specified mode. +# Default: disabled (socket is world accessible) +#LocalSocketMode 660 + +# Remove stale socket after unclean shutdown. +# Default: yes +#FixStaleSocket yes + +# TCP port address. +# Default: no +#TCPSocket 3310 + +# TCP address. +# By default we bind to INADDR_ANY, probably not wise. +# Enable the following to provide some degree of protection +# from the outside world. This option can be specified multiple +# times if you want to listen on multiple IPs. IPv6 is now supported. +# Default: no +#TCPAddr 127.0.0.1 + +# Maximum length the queue of pending connections may grow to. +# Default: 200 +#MaxConnectionQueueLength 30 + +# Clamd uses FTP-like protocol to receive data from remote clients. +# If you are using clamav-milter to balance load between remote clamd daemons +# on firewall servers you may need to tune the options below. + +# Close the connection when the data size limit is exceeded. +# The value should match your MTA's limit for a maximum attachment size. +# Default: 25M +#StreamMaxLength 10M + +# Limit port range. 
+# Default: 1024 +#StreamMinPort 30000 +# Default: 2048 +#StreamMaxPort 32000 + +# Maximum number of threads running at the same time. +# Default: 10 +#MaxThreads 20 + +# Waiting for data from a client socket will timeout after this time (seconds). +# Default: 120 +#ReadTimeout 300 + +# This option specifies the time (in seconds) after which clamd should +# timeout if a client doesn't provide any initial command after connecting. +# Default: 5 +#CommandReadTimeout 5 + +# This option specifies how long to wait (in miliseconds) if the send buffer is full. +# Keep this value low to prevent clamd hanging +# +# Default: 500 +#SendBufTimeout 200 + +# Maximum number of queued items (including those being processed by MaxThreads threads) +# It is recommended to have this value at least twice MaxThreads if possible. +# WARNING: you shouldn't increase this too much to avoid running out of file descriptors, +# the following condition should hold: +# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024) +# +# Default: 100 +#MaxQueue 200 + +# Waiting for a new job will timeout after this time (seconds). +# Default: 30 +#IdleTimeout 60 + +# Don't scan files and directories matching regex +# This directive can be used multiple times +# Default: scan all +#ExcludePath ^/proc/ +#ExcludePath ^/sys/ + +# Maximum depth directories are scanned at. +# Default: 15 +#MaxDirectoryRecursion 20 + +# Follow directory symlinks. +# Default: no +#FollowDirectorySymlinks yes + +# Follow regular file symlinks. +# Default: no +#FollowFileSymlinks yes + +# Scan files and directories on other filesystems. +# Default: yes +#CrossFilesystems yes + +# Perform a database check. +# Default: 600 (10 min) +#SelfCheck 600 + +# Execute a command when virus is found. In the command string %v will +# be replaced with the virus name. 
+# Default: no +#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v" + +# Run as another user (clamd must be started by root for this option to work) +# Default: don't drop privileges +User clamupdate + +# Initialize supplementary group access (clamd must be started by root). +# Default: no +AllowSupplementaryGroups yes + +# Stop daemon when libclamav reports out of memory condition. +#ExitOnOOM yes + +# Don't fork into background. +# Default: no +#Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Do not remove temporary files (for debug purposes). +# Default: no +#LeaveTemporaryFiles yes + +# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject +# any ALLMATCHSCAN command as invalid. +# Default: yes +#AllowAllMatchScan no + +# Detect Possibly Unwanted Applications. +# Default: no +#DetectPUA yes + +# Exclude a specific PUA category. This directive can be used multiple times. +# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for +# the complete list of PUA categories. +# Default: Load all categories (if DetectPUA is activated) +#ExcludePUA NetTool +#ExcludePUA PWTool + +# Only include a specific PUA category. This directive can be used multiple +# times. +# Default: Load all categories (if DetectPUA is activated) +#IncludePUA Spy +#IncludePUA Scanner +#IncludePUA RAT + +# In some cases (eg. complex malware, exploits in graphic files, and others), +# ClamAV uses special algorithms to provide accurate detection. This option +# controls the algorithmic detection. +# Default: yes +#AlgorithmicDetection yes + +# This option causes memory or nested map scans to dump the content to disk. +# If you turn on this option, more data is written to disk and is available +# when the LeaveTemporaryFiles option is enabled. +#ForceToDisk yes + +# This option allows you to disable the caching feature of the engine. 
By +# default, the engine will store an MD5 in a cache of any files that are +# not flagged as virus or that hit limits checks. Disabling the cache will +# have a negative performance impact on large scans. +# Default: no +#DisableCache yes + +## +## Executable files +## + +# PE stands for Portable Executable - it's an executable file format used +# in all 32 and 64-bit versions of Windows operating systems. This option allows +# ClamAV to perform a deeper analysis of executable files and it's also +# required for decompression of popular executable packers such as UPX, FSG, +# and Petite. If you turn off this option, the original files will still be +# scanned, but without additional processing. +# Default: yes +#ScanPE yes + +# Certain PE files contain an authenticode signature. By default, we check +# the signature chain in the PE file against a database of trusted and +# revoked certificates if the file being scanned is marked as a virus. +# If any certificate in the chain validates against any trusted root, but +# does not match any revoked certificate, the file is marked as whitelisted. +# If the file does match a revoked certificate, the file is marked as virus. +# The following setting completely turns off authenticode verification. +# Default: no +#DisableCertCheck yes + +# Executable and Linking Format is a standard format for UN*X executables. +# This option allows you to control the scanning of ELF files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanELF yes + +# With this option clamav will try to detect broken executables (both PE and +# ELF) and mark them as Broken.Executable. +# Default: no +#DetectBrokenExecutables yes + + +## +## Documents +## + +# This option enables scanning of OLE2 files, such as Microsoft Office +# documents and .msi files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. 
+# Default: yes +#ScanOLE2 yes + +# With this option enabled OLE2 files with VBA macros, which were not +# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". +# Default: no +#OLE2BlockMacros no + +# This option enables scanning within PDF files. +# If you turn off this option, the original files will still be scanned, but +# without decoding and additional processing. +# Default: yes +#ScanPDF yes + +# This option enables scanning within SWF files. +# If you turn off this option, the original files will still be scanned, but +# without decoding and additional processing. +# Default: yes +#ScanSWF yes + +# This option enables scanning xml-based document files supported by libclamav. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanXMLDOCS yes + +# This option enables scanning of HWP3 files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanHWP3 yes + + +## +## Mail files +## + +# Enable internal e-mail scanner. +# If you turn off this option, the original files will still be scanned, but +# without parsing individual messages/attachments. +# Default: yes +#ScanMail yes + +# Scan RFC1341 messages split over many emails. +# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. +# WARNING: This option may open your system to a DoS attack. +# Never use it on loaded servers. +# Default: no +#ScanPartialMessages yes + +# With this option enabled ClamAV will try to detect phishing attempts by using +# signatures. +# Default: yes +#PhishingSignatures yes + +# Scan URLs found in mails for phishing attempts using heuristics. +# Default: yes +#PhishingScanURLs yes + +# Always block SSL mismatches in URLs, even if the URL isn't in the database. +# This can lead to false positives. 
+# +# Default: no +#PhishingAlwaysBlockSSLMismatch no + +# Always block cloaked URLs, even if URL isn't in database. +# This can lead to false positives. +# +# Default: no +#PhishingAlwaysBlockCloak no + +# Detect partition intersections in raw disk images using heuristics. +# Default: no +#PartitionIntersection no + +# Allow heuristic match to take precedence. +# When enabled, if a heuristic scan (such as phishingScan) detects +# a possible virus/phish it will stop scan immediately. Recommended, saves CPU +# scan-time. +# When disabled, virus/phish detected by heuristic scans will be reported only at +# the end of a scan. If an archive contains both a heuristically detected +# virus/phish, and a real malware, the real malware will be reported +# +# Keep this disabled if you intend to handle "*.Heuristics.*" viruses +# differently from "real" malware. +# If a non-heuristically-detected virus (signature-based) is found first, +# the scan is interrupted immediately, regardless of this config option. +# +# Default: no +#HeuristicScanPrecedence yes + + +## +## Data Loss Prevention (DLP) +## + +# Enable the DLP module +# Default: No +#StructuredDataDetection yes + +# This option sets the lowest number of Credit Card numbers found in a file +# to generate a detect. +# Default: 3 +#StructuredMinCreditCardCount 5 + +# This option sets the lowest number of Social Security Numbers found +# in a file to generate a detect. +# Default: 3 +#StructuredMinSSNCount 5 + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxx-yy-zzzz +# Default: yes +#StructuredSSNFormatNormal yes + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxxyyzzzz +# Default: no +#StructuredSSNFormatStripped yes + + +## +## HTML +## + +# Perform HTML normalisation and decryption of MS Script Encoder code. +# Default: yes +# If you turn off this option, the original files will still be scanned, but +# without additional processing. 
+#ScanHTML yes + + +## +## Archives +## + +# ClamAV can scan within archives and compressed files. +# If you turn off this option, the original files will still be scanned, but +# without unpacking and additional processing. +# Default: yes +#ScanArchive yes + +# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). +# Default: no +#ArchiveBlockEncrypted no + + +## +## Limits +## + +# The options below protect your system against Denial of Service attacks +# using archive bombs. + +# This option sets the maximum amount of data to be scanned for each input file. +# Archives and other containers are recursively extracted and scanned up to this +# value. +# Value of 0 disables the limit +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 100M +#MaxScanSize 150M + +# Files larger than this limit won't be scanned. Affects the input file itself +# as well as files contained inside it (when the input file is an archive, a +# document or some other kind of container). +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 25M +#MaxFileSize 30M + +# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR +# file, all files within it will also be scanned. This options specifies how +# deeply the process should be continued. +# Note: setting this limit too high may result in severe damage to the system. +# Default: 16 +#MaxRecursion 10 + +# Number of files to be scanned within an archive, a document, or any other +# container file. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10000 +#MaxFiles 15000 + +# Maximum size of a file to check for embedded PE. Files larger than this value +# will skip the additional analysis step. 
+# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10M +#MaxEmbeddedPE 10M + +# Maximum size of a HTML file to normalize. HTML files larger than this value +# will not be normalized or scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10M +#MaxHTMLNormalize 10M + +# Maximum size of a normalized HTML file to scan. HTML files larger than this +# value after normalization will not be scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 2M +#MaxHTMLNoTags 2M + +# Maximum size of a script file to normalize. Script content larger than this +# value will not be normalized or scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 5M +#MaxScriptNormalize 5M + +# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger +# than this value will skip the step to potentially reanalyze as PE. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 1M +#MaxZipTypeRcg 1M + +# This option sets the maximum number of partitions of a raw disk image to be scanned. +# Raw disk images with more partitions than this value will have up to the value number +# partitions scanned. Negative values are not allowed. +# Note: setting this limit too high may result in severe damage or impact performance. +# Default: 50 +#MaxPartitions 128 + +# This option sets the maximum number of icons within a PE to be scanned. +# PE files with more icons than this value will have up to the value number icons scanned. +# Negative values are not allowed. +# WARNING: setting this limit too high may result in severe damage or impact performance. +# Default: 100 +#MaxIconsPE 200 + +# This option sets the maximum recursive calls for HWP3 parsing during scanning. 
+# HWP3 files using more than this limit will be terminated and alert the user. +# Scans will be unable to scan any HWP3 attachments if the recursive limit is reached. +# Negative values are not allowed. +# WARNING: setting this limit too high may result in severe damage or impact performance. +# Default: 16 +#MaxRecHWP3 16 + +# This option sets the maximum calls to the PCRE match function during an instance of regex matching. +# Instances using more than this limit will be terminated and alert the user but the scan will continue. +# For more information on match_limit, see the PCRE documentation. +# Negative values are not allowed. +# WARNING: setting this limit too high may severely impact performance. +# Default: 10000 +#PCREMatchLimit 20000 + +# This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching. +# Instances using more than this limit will be terminated and alert the user but the scan will continue. +# For more information on match_limit_recursion, see the PCRE documentation. +# Negative values are not allowed and values > PCREMatchLimit are superfluous. +# WARNING: setting this limit too high may severely impact performance. +# Default: 5000 +#PCRERecMatchLimit 10000 + +# This option sets the maximum filesize for which PCRE subsigs will be executed. +# Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer. +# Negative values are not allowed. +# Setting this value to zero disables the limit. +# WARNING: setting this limit too high or disabling it may severely impact performance. +# Default: 25M +#PCREMaxFileSize 100M + + +## +## On-access Scan Settings +## + +# Enable on-access scanning. Currently, this is supported via fanotify. +# Clamuko/Dazuko support has been deprecated. +# Default: no +#ScanOnAccess yes + +# Set the mount point to be scanned. 
The mount point specified, or the mount point +# containing the specified directory will be watched. If any directories are specified, +# this option will preempt the DDD system. This will notify only. It can be used multiple times. +# (On-access scan only) +# Default: disabled +#OnAccessMountPath / +#OnAccessMountPath /home/user + +# Don't scan files larger than OnAccessMaxFileSize +# Value of 0 disables the limit. +# Default: 5M +#OnAccessMaxFileSize 10M + +# Set the include paths (all files inside them will be scanned). You can have +# multiple OnAccessIncludePath directives but each directory must be added +# in a separate line. (On-access scan only) +# Default: disabled +#OnAccessIncludePath /home +#OnAccessIncludePath /students + +# Set the exclude paths. All subdirectories are also excluded. +# (On-access scan only) +# Default: disabled +#OnAccessExcludePath /home/bofh + +# With this option you can whitelist specific UIDs. Processes with these UIDs +# will be able to access all files. +# This option can be used multiple times (one per line). +# Default: disabled +#OnAccessExcludeUID 0 + +# Toggles dynamic directory determination. Allows for recursively watching include paths. +# (On-access scan only) +# Default: no +#OnAccessDisableDDD yes + +# Modifies fanotify blocking behaviour when handling permission events. +# If off, fanotify will only notify if the file scanned is a virus, +# and not perform any blocking. +# (On-access scan only) +# Default: no +#OnAccessPrevention yes + +# Toggles extra scanning and notifications when a file or directory is created or moved. +# Requires the DDD system to kick-off extra scans. +# (On-access scan only) +# Default: no +#OnAccessExtraScanning yes + +## +## Bytecode +## + +# With this option enabled ClamAV will load bytecode from the database. +# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses. 
+# Default: yes +#Bytecode yes + +# Bytecode mode +# +# This option has been set to 'ForceInterpreter' in Fedora due to +# security concerns by default. You might need to enable the +# 'antivirus_use_jit' SELinux boolean after setting this option to +# the more efficient 'ForceJIT' value. +# +# Default: ForceInterpreter +#ByteCodeMode ForceInterpreter + +# Set bytecode security level. +# Possible values: +# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS +# This value is only available if clamav was built with --enable-debug! +# TrustSigned - trust bytecode loaded from signed .c[lv]d files, +# insert runtime safety checks for bytecode loaded from other sources +# Paranoid - don't trust any bytecode, insert runtime checks for all +# Recommended: TrustSigned, because bytecode in .cvd files already has these checks +# Note that by default only signed bytecode is loaded, currently you can only +# load unsigned bytecode in --enable-debug mode. +# +# Default: TrustSigned +#BytecodeSecurity TrustSigned + +# Set bytecode timeout in miliseconds. +# +# Default: 5000 +# BytecodeTimeout 1000 + +## +## Statistics gathering and submitting +## + +# Enable statistical reporting. +# Default: no +#StatsEnabled yes + +# Disable submission of individual PE sections for files flagged as malware. +# Default: no +#StatsPEDisabled yes + +# HostID in the form of an UUID to use when submitting statistical information. +# Default: auto +#StatsHostID auto + +# Time in seconds to wait for the stats server to come back with a response +# Default: 10 +#StatsTimeout 10 diff --git a/ansible/roles/pagure-dev/files/gitolite3.rc b/ansible/roles/pagure-dev/files/gitolite3.rc new file mode 100644 index 0000000..1a20d42 --- /dev/null +++ b/ansible/roles/pagure-dev/files/gitolite3.rc 
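Review bot: `LocalSocketMode` stays commented in the Unix-socket section, so by the file's own default note the socket at `/var/lib/clamav/clamd.sock` is world-accessible on the guest, and the diff never says that this is intentional (apparently so the Pagure process, whose paths all live under /home/vagrant, can reach it) or that it only matters once `VIRUS_SCAN_ATTACHMENTS`, set to `False` in pagure.cfg here, is turned on. Since the rest of the file is a stock example config, a short header such as `## Changed from the packaged default: LogSyslog, LocalSocket, LocalSocketGroup, User, AllowSupplementaryGroups` would make a later refresh of the file safe and document the open socket. If the distro's clamd is packaged to run under a dedicated scanner account rather than the freshclam `clamupdate` account, `User clamupdate` also gives the scanner write access to its own signature database; worth confirming against the role's tasks, which are outside this diff. The commented `#LogFile /var/log/clamd.` and `#PidFile /var/run/clamd./clamd.pid` look like an unexpanded service-name template and could be tidied while here.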
@@ -0,0 +1,195 @@ +# configuration variables for gitolite + +# This file is in perl syntax. But you do NOT need to know perl to edit it -- +# just mind the commas, use single quotes unless you know what you're doing, +# and make sure the brackets and braces stay matched up! + +# (Tip: perl allows a comma after the last item in a list also!) + +# HELP for commands can be had by running the command with "-h". + +# HELP for all the other FEATURES can be found in the documentation (look for +# "list of non-core programs shipped with gitolite" in the master index) or +# directly in the corresponding source file. + +%RC = ( + + # ------------------------------------------------------------------ + + # default umask gives you perms of '0700'; see the rc file docs for + # how/why you might change this + UMASK => 0077, + + # look for "git-config" in the documentation + GIT_CONFIG_KEYS => '', + + # comment out if you don't need all the extra detail in the logfile + LOG_EXTRA => 1, + # syslog options + # 1. leave this section as is for normal gitolite logging + # 2. uncomment this line to log only to syslog: + # LOG_DEST => 'syslog', + # 3. uncomment this line to log to syslog and the normal gitolite log: + # LOG_DEST => 'syslog,normal', + + # roles. add more roles (like MANAGER, TESTER, ...) here. + # WARNING: if you make changes to this hash, you MUST run 'gitolite + # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' + ROLES => { + READERS => 1, + WRITERS => 1, + }, + + # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!! 
+ # CACHE => 'Redis', + + # ------------------------------------------------------------------ + + # rc variables used by various features + + # the 'info' command prints this as additional info, if it is set + # SITE_INFO => 'Please see http://blahblah/gitolite for more help', + + # the CpuTime feature uses these + # display user, system, and elapsed times to user after each git operation + # DISPLAY_CPU_TIME => 1, + # display a warning if total CPU times (u, s, cu, cs) crosses this limit + # CPU_TIME_WARN_LIMIT => 0.1, + + # the Mirroring feature needs this + # HOSTNAME => "foo", + + # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING! + # CACHE_TTL => 600, + + # ------------------------------------------------------------------ + + # suggested locations for site-local gitolite code (see cust.html) + + # this one is managed directly on the server + # LOCAL_CODE => "$ENV{HOME}/local", + + # or you can use this, which lets you put everything in a subdirectory + # called "local" in your gitolite-admin repo. For a SECURITY WARNING + # on this, see http://gitolite.com/gitolite/non-core.html#pushcode + # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", + + # ------------------------------------------------------------------ + + # List of commands and features to enable + + ENABLE => [ + + # COMMANDS + + # These are the commands enabled by default + 'help', + 'desc', + 'info', + 'perms', + 'writable', + + # Uncomment or add new commands here. + # 'create', + # 'fork', + # 'mirror', + # 'readme', + # 'sskm', + # 'D', + + # These FEATURES are enabled by default. 
+ + # essential (unless you're using smart-http mode) + 'ssh-authkeys', + + # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz' + 'git-config', + + # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out + 'daemon', + + # creates projects.list file; if you don't use gitweb, comment this out + #'gitweb', + + # These FEATURES are disabled by default; uncomment to enable. If you + # need to add new ones, ask on the mailing list :-) + + # user-visible behaviour + + # prevent wild repos auto-create on fetch/clone + # 'no-create-on-read', + # no auto-create at all (don't forget to enable the 'create' command!) + # 'no-auto-create', + + # access a repo by another (possibly legacy) name + # 'Alias', + + # give some users direct shell access. See documentation in + # sts.html for details on the following two choices. + # "Shell $ENV{HOME}/.gitolite.shell-users", + # 'Shell alice bob', + + # set default roles from lines like 'option default.roles-1 = ...', etc. + # 'set-default-roles', + + # show more detailed messages on deny + # 'expand-deny-messages', + + # show a message of the day + # 'Motd', + + # system admin stuff + + # enable mirroring (don't forget to set the HOSTNAME too!) + # 'Mirroring', + + # allow people to submit pub files with more than one key in them + # 'ssh-authkeys-split', + + # selective read control hack + # 'partial-copy', + + # manage local, gitolite-controlled, copies of read-only upstream repos + # 'upstream', + + # updates 'description' file instead of 'gitweb.description' config item + # 'cgit', + + # allow repo-specific hooks to be added + # 'repo-specific-hooks', + + # performance, logging, monitoring... 
+ + # be nice + # 'renice 10', + + # log CPU times (user, system, cumulative user, cumulative system) + # 'CpuTime', + + # syntactic_sugar for gitolite.conf and included files + + # allow backslash-escaped continuation lines in gitolite.conf + # 'continuation-lines', + + # create implicit user groups from directory names in keydir/ + # 'keysubdirs-as-groups', + + # allow simple line-oriented macros + # 'macros', + + # Kindergarten mode + + # disallow various things that sensible people shouldn't be doing anyway + # 'Kindergarten', + ], + +); + +# ------------------------------------------------------------------------------ +# per perl rules, this should be the last line in such a file: +1; + +# Local variables: +# mode: perl +# End: +# vim: set syn=perl: diff --git a/ansible/roles/pagure-dev/files/motd b/ansible/roles/pagure-dev/files/motd new file mode 100644 index 0000000..bca778c --- /dev/null +++ b/ansible/roles/pagure-dev/files/motd @@ -0,0 +1,22 @@ + +Welcome to the Pagure development environment! + +Here are some tips: + +* Pagure is installed in a Python virtualenv. Use `workon python2-pagure` to + enter the virtualenv. + +* The code for Pagure is located at ~/devel/ + +* You can populate the database with the `dev-data.py` script in the repository + +* Run `pstart` to start the development server and `pstop` to stop it. + +* Logs for the server are available with `journalctl`; the services are run + as systemd user units in ~/.config/systemd/user/ + +Once you start the server you can navigate to http://localhost:5000/ +in your browser on the host to access your Pagure development environment. + +Happy hacking! + diff --git a/ansible/roles/pagure-dev/files/pagure-docs.service b/ansible/roles/pagure-dev/files/pagure-docs.service new file mode 100644 index 0000000..2bbed4e --- /dev/null +++ b/ansible/roles/pagure-dev/files/pagure-docs.service 
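Review bot: `'daemon'` remains in the FEATURES part of the `ENABLE` list, which per its own comment creates a `git-daemon-export-ok` file in every repository, yet nothing visible in this change runs git-daemon: clones are served over ssh (`GIT_URL_SSH`) and Pagure's HTTP port (`GIT_URL_GIT`) according to pagure.cfg. Either comment it out the way `#'gitweb'` just above it is, or annotate it with `# kept so repos are exported if git-daemon is ever started on the dev box` so the next reader knows it is deliberate. The rest of the hunk is the unmodified upstream rc template and needs no change.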
@@ -0,0 +1,10 @@
+[Unit]
+Description=Runs the Pagure documentation server
+After=network.target
+
+[Service]
+ExecStart=/home/vagrant/.virtualenvs/python2-pagure/bin/python %h/devel/rundocserver.py -c %h/pagure.cfg --host 0.0.0.0
+Type=simple
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/pagure-dev/files/pagure.cfg b/ansible/roles/pagure-dev/files/pagure.cfg
new file mode 100644
index 0000000..04aa335
--- /dev/null
+++ b/ansible/roles/pagure-dev/files/pagure.cfg
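Review bot: `WantedBy=multi-user.target` in the [Install] section does not match how this unit is deployed: main.yml in this commit copies it into ~/.config/systemd/user/, and the per-user systemd instance has no multi-user.target (nor a network.target), so `systemctl --user enable` would hook the unit to a target that never activates. If the unit is meant to start at login, use `WantedBy=default.target` and drop `After=network.target`; the same applies to pagure.service in this commit. Separately, `--host 0.0.0.0` makes the docs server listen on every guest interface rather than only the one the host reaches; that is acceptable for a NAT'd development VM, but a comment such as `# Binds all guest interfaces so the host can reach the forwarded port; dev VM only` would record that intent for whoever copies this unit elsewhere.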
@@ -0,0 +1,176 @@
+import os
+from datetime import timedelta
+
+### Set the time after which the admin session expires
+# There are two sessions on pagure, login that holds for 31 days and
+# the session defined here after which an user has to re-login.
+# This session is used when accessing all administrative parts of pagure
+# (ie: changing a project's or a user's settings)
+ADMIN_SESSION_LIFETIME = timedelta(minutes=20000000)
+
+### Secret key for the Flask application
+SECRET_KEY=''
+
+### url to the database server:
+#DB_URL=mysql://user:pass@host/db_name
+#DB_URL=postgres://user:pass@host/db_name
+DB_URL = 'sqlite:////home/vagrant/pagure_data/pagure_dev.sqlite'
+
+### The FAS group in which the admin of pagure are
+ADMIN_GROUP = ['sysadmin-main']
+
+### Hard-coded list of global admins
+PAGURE_ADMIN_USERS = []
+
+### The URL at which the project is available.
+APP_URL = 'localhost'
+### The URL at which the documentation of projects will be available
+## This should be in a different domain to avoid XSS issues since we want
+## to allow raw html to be displayed (different domain, ie not a sub-domain).
+DOC_APP_URL = 'localhost'
+
+# Avoid sending emails while developing by default
+EMAIL_SEND = False
+EMAIL_ERROR = 'vagrant@localhost'
+
+### The URL to use to clone git repositories.
+GIT_URL_SSH = 'ssh://vagrant@pagure-dev.example.com/'
+GIT_URL_GIT = 'http://pagure-dev.example.com:5000/'
+
+### Folder containing to the git repos
+STORAGE_ROOT = '/home/vagrant/pagure_data/'
+
+GIT_FOLDER = os.path.join(STORAGE_ROOT, 'repos')
+
+### Folder containing the forks repos
+FORK_FOLDER = os.path.join(STORAGE_ROOT, 'forks')
+
+### Folder containing the docs repos
+DOCS_FOLDER = os.path.join(STORAGE_ROOT, 'docs')
+
+### Folder containing the tickets repos
+TICKETS_FOLDER = os.path.join(STORAGE_ROOT, 'tickets')
+
+### Folder containing the pull-requests repos
+REQUESTS_FOLDER = os.path.join(STORAGE_ROOT, 'requests')
+
+### Folder containing the clones for the remote pull-requests
+REMOTE_GIT_FOLDER = os.path.join(STORAGE_ROOT, 'remotes')
+
+### Whether to enable scanning for viruses in attachments
+VIRUS_SCAN_ATTACHMENTS = False
+
+### Home folder of the gitolite user
+### Folder where to run gl-compile-conf from
+GITOLITE_HOME = '/home/vagrant/'
+
+### Configuration file for gitolite
+GITOLITE_CONFIG = os.path.join(GITOLITE_HOME, '.gitolite/conf/gitolite.conf')
+
+### Version of gitolite used: 2 or 3?
+GITOLITE_VERSION = 3
+
+### Folder containing all the public ssh keys for gitolite
+GITOLITE_KEYDIR = os.path.join(GITOLITE_HOME, '.gitolite/keydir/')
+
+### Path to the gitolite.rc file
+GL_RC = '/home/vagrant/.gitolite.rc'
+
+### Path to the /bin directory where the gitolite tools can be found
+GL_BINDIR = '/usr/bin/'
+
+
+# SSH Information
+
+### The ssh certificates of the git server to be provided to the user
+### /!\ format is important
+# SSH_KEYS = {'RSA': {'fingerprint': '', 'pubkey': ''}}
+
+
+
+# Optional configuration
+
+### Number of items displayed per page
+# Used when listing items
+ITEM_PER_PAGE = 50
+
+### Maximum size of the uploaded content
+# Used to limit the size of file attached to a ticket for example
+MAX_CONTENT_LENGTH = 4 * 1024 * 1024 # 4 megabytes
+
+### Lenght for short commits ids or file hex
+SHORT_LENGTH = 6
+
+### List of blacklisted project names that can conflicts for pagure's URLs
+### or other
+BLACKLISTED_PROJECTS = [
+ 'static', 'pv', 'releases', 'new', 'api', 'settings',
+ 'logout', 'login', 'users', 'groups', 'projects']
+
+### IP addresses allowed to access the internal endpoints
+### These endpoints are used by the milter and are security sensitive, thus
+### the IP filter
+IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1',]
+
+### EventSource/Web-Hook/Redis configuration
+# The eventsource integration is what allows pagure to refresh the content
+# on your page when someone else comments on the ticket (and this without
+# asking you to reload the page.
+# By default it is off, ie: EVENTSOURCE_SOURCE is None, to turn it on, specify
+# here what the URL of the eventsource server is, for example:
+# https://ev.pagure.io or https://pagure.io:8080 or whatever you are using
+# (Note: the urls sent to it start with a '/' so no need to add one yourself)
+EVENTSOURCE_SOURCE = 'http://localhost'
+# Port where the event source server is running (maybe be the same port
+# as the one specified in EVENTSOURCE_SOURCE or a different one if you
+# have something running in front of the server such as apache or stunnel).
+EVENTSOURCE_PORT = 8080
+# If this port is specified, the event source server will run another server
+# at this port and will provide information about the number of active
+# connections running on the first (main) event source server
+#EV_STATS_PORT = 8888
+# Web-hook can be turned on or off allowing using them for notifications, or
+# not.
+WEBHOOK = True
+
+### Redis configuration
+# A redis server is required for both the Event-Source server or the web-hook
+# server.
+REDIS_HOST = 'localhost'
+REDIS_PORT = 6379
+REDIS_DB = 0
+
+# Authentication related configuration option
+
+### Switch the authentication method
+# Specify which authentication method to use, defaults to `fas` can be or
+# `local`
+# Default: ``fas``.
+PAGURE_AUTH = 'fas'
+
+# When this is set to True, the session cookie will only be returned to the
+# server via ssl (https). If you connect to the server via plain http, the
+# cookie will not be sent. This prevents sniffing of the cookie contents.
+# This may be set to False when testing your application but should always
+# be set to True in production.
+# Default: ``True``.
+SESSION_COOKIE_SECURE = False
+
+# The name of the cookie used to store the session id.
+# Default: ``.pagure``.
+SESSION_COOKIE_NAME = 'pagure'
+
+# Boolean specifying whether to check the user's IP address when retrieving
+# its session. This make things more secure (thus is on by default) but
+# under certain setup it might not work (for example is there are proxies
+# in front of the application).
+CHECK_SESSION_IP = True
+
+# Used by SESSION_COOKIE_PATH
+APPLICATION_ROOT = '/'
+
+# Allow the backward compatiblity endpoints for the old URLs schema to
+# see the commits of a repo. This is only interesting if you pagure instance
+# was running since before version 1.3 and if you care about backward
+# compatibility in your URLs.
+OLD_VIEW_COMMIT_ENABLED = False
diff --git a/ansible/roles/pagure-dev/files/pagure.service b/ansible/roles/pagure-dev/files/pagure.service
new file mode 100644
index 0000000..623734f
--- /dev/null
+++ b/ansible/roles/pagure-dev/files/pagure.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=The Pagure web service
+After=network.target
+
+[Service]
+ExecStart=/home/vagrant/.virtualenvs/python2-pagure/bin/python %h/devel/runserver.py -c %h/pagure.cfg --host 0.0.0.0
+Type=simple
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/pagure-dev/tasks/clamav.yml b/ansible/roles/pagure-dev/tasks/clamav.yml
new file mode 100644
index 0000000..537d95a
--- /dev/null
+++ b/ansible/roles/pagure-dev/tasks/clamav.yml
@@ -0,0 +1,30 @@
+---
+
+- name: Install ClamAV packages
+ dnf: name={{ item }} state=present
+ with_items:
+ - clamav-data-empty
+ - clamav-server
+ - clamav-server-systemd
+ - clamav-update
+
+- name: Configure freshclam
+ replace:
+ dest: /etc/freshclam.conf
+ regexp: "Example*"
+ replace: ""
+
+- name: Install Pagure's ClamAV configuration
+ copy:
+ src: clamd.conf
+ dest: /etc/clamd.d/pagure.conf
+
+# pyclamd expects /etc/clamd.conf
+- name: Link /etc/clamd.conf to our pagure config
+ file: src=/etc/clamd.d/pagure.conf dest=/etc/clamd.conf state=link
+
+- name: Download latest ClamAV database
+ command: freshclam
+
+- name: Start ClamAV
+ service: name=clamd@pagure state=started enabled=yes
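Review bot: `SECRET_KEY=''` leaves the Flask session cookie signed with an empty key, so anyone who can reach the forwarded port can forge a session; even for a throwaway VM the playbook could fill this value at provisioning time (template the file and generate a random string) instead of shipping a fixed empty key, or at minimum carry a comment `# Dev-only: empty key makes sessions forgeable; never copy this file to a real deployment`. `DOC_APP_URL = 'localhost'` also contradicts the comment directly above it, which asks for a separate domain so that raw HTML in project docs stays out of the application's origin, and browser cookies are not port-scoped, so the session cookie for the main app is sent to anything else served on localhost; a comment acknowledging that this is a deliberate dev-only shortcut would stop it being copied as-is. `ADMIN_SESSION_LIFETIME = timedelta(minutes=20000000)` is roughly 38 years, which reads like a typo; `timedelta(days=365)` or a comment stating that admin re-login is intentionally disabled in the dev VM would make the intent clear.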
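Review bot: `regexp: "Example*"` in the Configure freshclam task is unanchored and the `*` quantifies only the trailing `e`, so it blanks every occurrence of `Exampl` anywhere in /etc/freshclam.conf, including inside comment lines, rather than just the stand-alone `Example` line that disables the stock config; `regexp: "^Example$"` (or `replace: "#Example"` to comment it out rather than delete it) targets exactly that line. The `command: freshclam` task has no `creates:` or `changed_when:` guard, so it downloads signatures again on every provisioning pass and always reports changed. The copy of clamd.conf sets no `mode`, so the resulting /etc/clamd.d/pagure.conf permissions depend on the remote umask; stating `mode: 0644` makes them explicit.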
diff --git a/ansible/roles/pagure-dev/tasks/eventsource.yml b/ansible/roles/pagure-dev/tasks/eventsource.yml
new file mode 100644
index 0000000..98ee627
--- /dev/null
+++ b/ansible/roles/pagure-dev/tasks/eventsource.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Install Redis
+ dnf: name={{ item }} state=present
+ with_items:
+ - python-redis
+ - python-trollius
+ - python-trollius-redis
+ - redis
+
+
+- name: Start Redis
+ service: name=redis state=started enabled=yes
diff --git a/ansible/roles/pagure-dev/tasks/gitolite.yml b/ansible/roles/pagure-dev/tasks/gitolite.yml
new file mode 100644
index 0000000..61080bd
--- /dev/null
+++ b/ansible/roles/pagure-dev/tasks/gitolite.yml
@@ -0,0 +1,25 @@
+---
+
+- name: Install gitolite3
+ dnf: name={{ item }} state=present
+ with_items:
+ - gitolite3
+
+- name: Install gitolite.rc to ~/.gitolite.rc
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ copy:
+ src: gitolite3.rc
+ dest: /home/{{ ansible_env.SUDO_USER }}/.gitolite.rc
+
+- name: Create a key for gitolite
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ command: ssh-keygen -f gitolite_rsa -t rsa -N ''
+ args:
+ chdir: /home/{{ ansible_env.SUDO_USER }}
+ creates: /home/{{ ansible_env.SUDO_USER }}/gitolite_rsa.pub
+
+- name: Setup gitolite
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ command: gitolite setup -pk gitolite_rsa.pub
+ args:
+ chdir: /home/{{ ansible_env.SUDO_USER }}
diff --git a/ansible/roles/pagure-dev/tasks/main.yml b/ansible/roles/pagure-dev/tasks/main.yml
new file mode 100644
index 0000000..dd30f47
--- /dev/null
+++ b/ansible/roles/pagure-dev/tasks/main.yml
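Review bot: The Start Redis task brings Redis up with the distribution's default configuration, which has no `requirepass`, and nothing in this role constrains who can reach it; that is fine while Redis is only reached from inside the guest, but if its port is ever forwarded to the host for debugging the unauthenticated instance becomes reachable from the host side, and how far it is exposed then depends on which host address the forward binds to. A comment on this task such as `# Redis runs unauthenticated (distro defaults); acceptable only because the guest is a private dev VM` records the assumption, and any port forward should bind to the host loopback only. The task name `Install Redis` also undersells the list, which includes the python-trollius packages needed by the eventsource server rather than by Redis.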
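Review bot: The Setup gitolite task has no `creates:` guard, so `gitolite setup -pk gitolite_rsa.pub` re-runs on every provisioning pass even though the key task just above it is guarded; adding `creates: /home/{{ ansible_env.SUDO_USER }}/repositories/gitolite-admin.git` would make it idempotent, assuming gitolite places the admin repository under the repositories directory that main.yml later links to. The key produced by `ssh-keygen -f gitolite_rsa -t rsa -N ''` is the gitolite admin key, has no passphrase and lives in the user's home directory; a comment such as `# Dev-only admin key: no passphrase, kept in $HOME, never reuse outside this VM` documents that as deliberate rather than an oversight, and `-b 4096` on the same line costs nothing.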
@@ -0,0 +1,159 @@
+---
+
+- include: clamav.yml
+- include: eventsource.yml
+- include: gitolite.yml
+- include: milter.yml
+- include: postgres.yml
+
+- name: Install helpful development packages
+ dnf: name={{ item }} state=present
+ with_items:
+ - git
+ - ngrep
+ - nmap-ncat
+ - python-rpdb
+ - tmux
+ - tree
+ - vim-enhanced
+
+- name: Install Pagure development packages
+ dnf: name={{ item }} state=present
+ with_items:
+ - gcc
+ - libgit2-devel
+ - libffi-devel
+ - libjpeg-devel
+ - make
+ - python-alembic
+ - python-arrow
+ - python-binaryornot
+ - python-bleach
+ - python-blinker
+ - python-chardet
+ - python-cryptography
+ - python-docutils
+ - python-enum34
+ - python-fedora-flask
+ - python-flask
+ - python-flask-wtf
+ - python-flask-multistatic
+ - python2-jinja2
+ - python-markdown
+ - python-munch
+ - python-openid-cla
+ - python-openid-teams
+ - python-pip
+ - python-psutil
+ - python-pygit2
+ - python-pygments
+ - python-redis
+ - python-sqlalchemy
+ - python-straight-plugin
+ - python-virtualenvwrapper
+ - python-wtforms
+ - python-devel
+ - python3-devel
+ - redhat-rpm-config
+
+# Add various helpful configuration files
+- name: Install a custom bashrc
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ copy: src=bashrc dest=/home/{{ ansible_env.SUDO_USER }}/.bashrc
+
+- name: Install the message of the day
+ copy: src=motd dest=/etc/motd
+
+
+# Install Pagure inside a virtualenv and configure it
+- name: Install Pagure Python dependencies into a virtualenv
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ pip:
+ requirements: /home/{{ ansible_env.SUDO_USER }}/devel/{{ item }}
+ virtualenv: /home/{{ ansible_env.SUDO_USER }}/.virtualenvs/python2-pagure/
+ virtualenv_python: python2
+ with_items:
+ - "requirements.txt"
+ - "tests_requirements.txt"
+
+- name: Install Pagure package into a virtualenv
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ pip:
+ name: /home/{{ ansible_env.SUDO_USER }}/devel/
+ extra_args: '-e'
+ virtualenv: /home/{{ ansible_env.SUDO_USER }}/.virtualenvs/python2-pagure/
+
+- name: Install Pagure package into /usr/lib
+ pip:
+ name: /home/{{ ansible_env.SUDO_USER }}/devel/
+ extra_args: '-e'
+
+- name: Install the pagure configuration
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ copy: src=pagure.cfg dest=/home/{{ ansible_env.SUDO_USER }}/pagure.cfg
+
+- name: Creates pagure data directories
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ file: path=/home/{{ ansible_env.SUDO_USER }}/pagure_data/{{ item }} state=directory
+ with_items:
+ - forks
+ - docs
+ - tickets
+ - requests
+ - remotes
+
+- name: Link the pagure repos directory to gitolite
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ file:
+ path: /home/{{ ansible_env.SUDO_USER }}/pagure_data/repos
+ src: /home/{{ ansible_env.SUDO_USER }}/repositories
+ state: link
+
+- name: Add a working copy of alembic.ini
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ copy:
+ src: /home/{{ ansible_env.SUDO_USER }}/devel/files/alembic.ini
+ dest: /home/{{ ansible_env.SUDO_USER }}/alembic.ini
+ remote_src: True
+
+- name: Configure alembic to use our development database
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ replace:
+ dest: /home/{{ ansible_env.SUDO_USER }}/alembic.ini
+ regexp: "sqlalchemy.url = sqlite:////var/tmp/pagure_dev.sqlite"
+ replace: "sqlalchemy.url = sqlite:////home/{{ ansible_env.SUDO_USER }}/pagure_data/pagure_dev.sqlite"
+
+- name: Configure alembic to point to the pagure migration folder
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ replace:
+ dest: /home/{{ ansible_env.SUDO_USER }}/alembic.ini
+ regexp: "script_location = /usr/share/pagure/alembic"
+ replace: "script_location = /home/vagrant/devel/alembic/"
+
+- name: Create the Pagure database
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ command: .virtualenvs/python2-pagure/bin/python devel/createdb.py
+ args:
+ creates: /home/{{ ansible_env.SUDO_USER }}/pagure_data/pagure_dev.sqlite
+ chdir: "/home/{{ ansible_env.SUDO_USER }}/"
+
+- name: Stamp the database with its current migration
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ shell: alembic stamp $(alembic heads | awk '{ print $1 }')
+ args:
+ chdir: "/home/{{ ansible_env.SUDO_USER }}/"
+
+- name: Create systemd user unit directory
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ file:
+ path: /home/{{ ansible_env.SUDO_USER }}/.config/systemd/user/
+ state: directory
+
+- name: Install the Pagure service files for systemd
+ become_user: "{{ ansible_env.SUDO_USER }}"
+ copy:
+ src: "{{ item }}"
+ dest: /home/{{ ansible_env.SUDO_USER }}/.config/systemd/user/{{ item }}
+ with_items:
+ - pagure.service
+ - pagure-docs.service
diff --git a/ansible/roles/pagure-dev/tasks/milter.yml b/ansible/roles/pagure-dev/tasks/milter.yml
new file mode 100644
index 0000000..b18e4dc
--- /dev/null
+++ b/ansible/roles/pagure-dev/tasks/milter.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Install Pagure milter packages
+ dnf: name={{ item }} state=present
+ with_items:
+ - postfix
+ - python-pymilter
+
+- name: Start Postfix
+ service: name=postfix state=started enabled=yes
diff --git a/ansible/roles/pagure-dev/tasks/postgres.yml b/ansible/roles/pagure-dev/tasks/postgres.yml
new file mode 100644
index 0000000..c839074
--- /dev/null
+++ b/ansible/roles/pagure-dev/tasks/postgres.yml
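Review bot: The Stamp the database task (`shell: alembic stamp $(alembic heads | awk '{ print $1 }')`) has no `creates:`/`when:` guard, so it re-runs on every provisioning pass, and if the migration tree ever has more than one head only the first is stamped, silently; it should run only when the preceding Create the Pagure database task actually created the file, i.e. add `register: createdb` to that task and `when: createdb.changed` to this one. The two alembic `replace:` tasks use unescaped `.` in unanchored patterns such as `regexp: "sqlalchemy.url = sqlite:////var/tmp/pagure_dev.sqlite"`; they match the literal text today, but `^sqlalchemy\.url = ...` states the intent and cannot drift onto a similar line. The Install Pagure package into /usr/lib task runs `pip install -e` as root against the unprivileged user's checkout, so whatever that user edits becomes importable by any root-run Python; if only the virtualenv install is needed, dropping this task removes that trust edge, otherwise a comment explaining why a system-wide editable install is required would help the next reader.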
@@ -0,0 +1,38 @@
+---
+
+- name: Install postgresql packages
+ dnf: name={{ item }} state=present
+ with_items:
+ - postgresql
+ - postgresql-server
+ - postgresql-devel # Allows pip installing psycopg2 is desired
+ - python-psycopg2
+
+- name: Initialize PostgreSQL
+ command: postgresql-setup initdb
+ args:
+ creates: /var/lib/pgsql/data/pg_hba.conf
+
+- replace:
+ dest: /var/lib/pgsql/data/pg_hba.conf
+ regexp: "local all all peer"
+ replace: "local all all trust"
+
+- replace:
+ dest: /var/lib/pgsql/data/pg_hba.conf
+ regexp: "host all all 127.0.0.1/32 ident"
+ replace: "host all all 127.0.0.1/32 trust"
+
+- replace:
+ dest: /var/lib/pgsql/data/pg_hba.conf
+ regexp: "host all all ::1/128 ident"
+ replace: "host all all ::1/128 trust"
+
+- name: Start postgresql
+ service: name=postgresql state=restarted enabled=yes
+
+- name: Add a pagure postgres user
+ postgresql_user: name=pagure role_attr_flags=SUPERUSER,LOGIN
+
+- name: Create a database for pagure
+ postgresql_db: name=pagure owner=pagure
diff --git a/ansible/vagrant-playbook.yml b/ansible/vagrant-playbook.yml
new file mode 100644
index 0000000..e67cf8a
--- /dev/null
+++ b/ansible/vagrant-playbook.yml
@@ -0,0 +1,7 @@
+---
+- hosts: all
+ become: true
+ become_method: sudo
+ vars:
+ roles:
+ - pagure-dev
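Review bot: The three `replace:` tasks match `regexp: "local all all peer"` and its two siblings with single spaces between columns (as rendered here), whereas the pg_hba.conf written by `postgresql-setup initdb` separates columns with runs of spaces; if the literals in the file really are single-spaced, none of them match, the play reports ok, and the auth method silently stays peer/ident. Matching whitespace runs and anchoring fixes that: `regexp: '^local\s+all\s+all\s+peer'`, `regexp: '^host\s+all\s+all\s+127\.0\.0\.1/32\s+ident'`, `regexp: '^host\s+all\s+all\s+::1/128\s+ident'`. Switching these entries to `trust` lets any local process connect as any role, including `postgres`, with no password, and the pagure role is additionally created with `SUPERUSER`; for a private dev VM that may be a deliberate convenience, but `md5` with a generated password, or at least `role_attr_flags=LOGIN` (the database is already owned by pagure), keeps the role close to what the application needs and deserves a comment either way. The three unnamed `replace:` tasks should also carry a `name:` so the play output says what changed, and `state=restarted` in Start postgresql restarts the server on every run where `state=started` plus a handler notified by the replace tasks is the idempotent form.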