separating keytabs
This commit is contained in:
nazunalika
parent
bb064e1393
commit
7503757ba4
|
|
@ -34,6 +34,7 @@ koji_theme_file: rocky.tar.gz
|
|||
koji_web_url: https://koji.rockylinux.org/koji
|
||||
koji_hub_url: https://koji.rockylinux.org/kojihub
|
||||
koji_files_url: https://koji.rockylinux.org/kojifiles
|
||||
koji_web_keytab: /etc/keytabs/koji-web.keytab
|
||||
|
||||
# This should be changed before deployment
|
||||
koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
|
||||
|
|
@ -44,16 +45,20 @@ koji_web_tls_key: /etc/pki/tls/private/koji.rockylinux.org.key
|
|||
# Kojira
|
||||
koji_kojira: true
|
||||
koji_kojira_user: kojira
|
||||
koji_kojira_user_kerb: koji/kojira
|
||||
koji_kojira_principal: koji/kojira@ROCKYLINUX.ORG
|
||||
koji_kojira_keytab: /etc/koji.keytab
|
||||
koji_kojira_user_kerb: kojira/koji.rockylinux.org
|
||||
koji_kojira_principal: kojira/koji.rockylinux.org@ROCKYLINUX.ORG
|
||||
koji_kojira_keytab: /etc/keytabs/kojira.keytab
|
||||
|
||||
# MBS
|
||||
koji_mbs: true
|
||||
koji_mbs_user: mbs
|
||||
koji_mbs_user_kerb: mbs/mbs.rockylinux.org
|
||||
koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
|
||||
koji_mbs_keytab: /etc/mbs.keytab
|
||||
koji_mbs_keytab: /etc/keytabs/mbs.keytab
|
||||
|
||||
# GC
|
||||
koji_gc_keytab: /etc/keytabs/koji-gc.keytab
|
||||
koji_gc_principal: koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG
|
||||
|
||||
# Storage
|
||||
koji_nfs: true
|
||||
|
|
@ -68,9 +73,9 @@ koji_admin_localuser: true
|
|||
koji_admin_localuser_name: koji
|
||||
|
||||
# Hub Settings
|
||||
koji_hub_principal: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
|
||||
koji_hub_proxy_principals: koji/kojiweb@ROCKYLINUX.ORG
|
||||
koji_hub_keytab: /etc/koji.keytab
|
||||
koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
|
||||
koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
|
||||
koji_hub_keytab: /etc/keytabs/host.keytab
|
||||
koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
|
||||
# This should be sufficient even for LE
|
||||
koji_hub_ca: "{{ koji_web_cacert }}"
|
||||
|
|
@ -84,6 +89,7 @@ koji_fas_url: https://accounts.rockylinux.org
|
|||
koji_hub_plugins: false
|
||||
koji_hub_plugins_list: []
|
||||
|
||||
# Not implemented
|
||||
koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
|
||||
koji_hub_plugin_mqtt_topic: koji
|
||||
koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,3 @@
|
|||
# Adapted from Fedora Infra
|
||||
0 8 * * * apache find /mnt/koji/work -xdev -depth -mindepth 2 -mtime +14 \( -type f -o -type l \) -delete -o -type d -empty -delete >& /dev/null
|
||||
0 9 * * * apache find /mnt/koji/scratch -xdev -depth -mtime +14 \( -type f -o -type l \) -delete -o -type d -empty -delete >& /dev/null
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
# Run garbage collector nightly
|
||||
SCRIPT=/usr/sbin/koji-gc
|
||||
MAILTO=infrastructure@rockylinux.org
|
||||
0 8 * * * apache /usr/local/bin/lock-wrapper koji-gc-delete $SCRIPT --action=delete --lock-file /var/tmp/koji-gc.lock
|
||||
0 9 * * * apache /usr/local/bin/lock-wrapper koji-gc-trash $SCRIPT --action=trash --lock-file /var/tmp/koji-gc.lock
|
||||
0 10 * * * apache /usr/local/bin/lock-wrapper koji-gc-prune $SCRIPT --action=prune --lock-file /var/tmp/koji-gc.lock
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
[sidetag]
|
||||
# automatically remove sidetag on untagging last package
|
||||
remove_empty = on
|
||||
|
|
@ -45,7 +45,6 @@ Alias /kojifiles "{{ koji_mount }}/"
|
|||
<Location /kojihub/ssllogin>
|
||||
AuthType GSSAPI
|
||||
AuthName "GSSAPI Single Sign On Login"
|
||||
GssapiCredStore keytab:/etc/koji.keytab
|
||||
GssapiCredStore keytab:{{ koji_hub_keytab }}
|
||||
Require valid-user
|
||||
</Location>
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
|
|||
RewriteEngine on
|
||||
RewriteCond %{HTTPS} off
|
||||
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
|
||||
RewriteRule ^/$ /koji [R,L]
|
||||
RewriteRule ^/$ /koji [R,L]
|
||||
|
||||
Header always set X-Frame-Options "SAMEORIGIN"
|
||||
Header always set X-Xss-Protection "1; mode=block"
|
||||
|
|
@ -36,7 +36,7 @@ WSGIProcessGroup koji
|
|||
<Location /koji/login>
|
||||
AuthType GSSAPI
|
||||
AuthName "Koji Web UI"
|
||||
GssapiCredStore keytab:/etc/koji.keytab
|
||||
GssapiCredStore keytab:{{ koji_web_keytab }}
|
||||
Require valid-user
|
||||
ErrorDocument 401 /koji-static/errors/unauthorized.html
|
||||
</Location>
|
||||
|
|
@ -69,4 +69,3 @@ Alias /repos {{ koji_mount }}/repos
|
|||
Require all granted
|
||||
</IfVersion>
|
||||
</Directory>
|
||||
|
||||
|
|
|
|||
|
|
@ -2,20 +2,27 @@
|
|||
#earlier = higher precedence!
|
||||
|
||||
[main]
|
||||
key_aliases =
|
||||
30C9ECF8 fedora-test
|
||||
4F2A6FD2 fedora-gold
|
||||
897DA07A redhat-beta
|
||||
1AC70CE6 fedora-extras
|
||||
; Kerberos Auth
|
||||
principal = {{ koji_gc_principal }}
|
||||
keytab = {{ koji_gc_keytab }}
|
||||
krb_rdns = False
|
||||
#key_aliases =
|
||||
# 30C9ECF8 fedora-test
|
||||
# 4F2A6FD2 fedora-gold
|
||||
# 897DA07A redhat-beta
|
||||
# 1AC70CE6 fedora-extras
|
||||
|
||||
unprotected_keys =
|
||||
fedora-test
|
||||
fedora-extras
|
||||
redhat-beta
|
||||
#unprotected_keys =
|
||||
# fedora-test
|
||||
# fedora-extras
|
||||
# redhat-beta
|
||||
|
||||
server = {{ koji_hub_url }}
|
||||
weburl = {{ koji_web_url }}
|
||||
|
||||
# We don't know what we're doing with SSL CA's yet
|
||||
#serverca =
|
||||
|
||||
# The domain name that will be appended to Koji usernames
|
||||
# when creating email notifications
|
||||
#email_domain = fedoraproject.org
|
||||
|
|
@ -30,8 +37,6 @@ policy =
|
|||
#note that tags with master lock engaged are already protected
|
||||
tag *-updates :: keep
|
||||
age < 1 day :: skip
|
||||
sig fedora-gold :: skip
|
||||
sig fedora-test && age < 12 weeks :: keep
|
||||
|
||||
#stuff to chuck semi-rapidly
|
||||
tag *-testing *-candidate :: { # nested rules
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ KojiWebURL = {{ koji_web_url }}
|
|||
|
||||
# The domain name that will be appended to Koji usernames
|
||||
# when creating email notifications
|
||||
#EmailDomain = example.com
|
||||
#EmailDomain = rockylinux.org
|
||||
# whether to send the task owner and package owner email or not on success. this still goes to watchers
|
||||
NotifyOnSuccess = True
|
||||
## Disables all notifications
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
with user_id as (insert into users (name, status, usertype) values ('{{ koji_admin_user }}', 0, 0) returning id)
|
||||
insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_admin_principal }}');
|
||||
insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);
|
||||
with user_id as (insert into users (name, status, usertype) values ('{{ koji_kojira_user_kerb }}', 0, 0) returning id)
|
||||
with user_id as (insert into users (name, status, usertype) values ('{{ koji_kojira_user }}', 0, 0) returning id)
|
||||
insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_kojira_principal }}');
|
||||
INSERT INTO user_perms (user_id, perm_id, creator_id) VALUES (2, 10, 1);
|
||||
with user_id as (insert into users (name, status, usertype) values ('{{ koji_mbs_user_kerb }}', 0, 0) returning id)
|
||||
|
|
|
|||
Loading…
Reference in New Issue