diff --git a/defaults/main.yml b/defaults/main.yml
index 4d0e321..42c5cfd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -34,6 +34,7 @@ koji_theme_file: rocky.tar.gz
koji_web_url: https://koji.rockylinux.org/koji
koji_hub_url: https://koji.rockylinux.org/kojihub
koji_files_url: https://koji.rockylinux.org/kojifiles
+koji_web_keytab: /etc/keytabs/koji-web.keytab
# This should be changed before deployment
koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
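Review bot: `koji_hub_secret` still carries a literal secret in a committed defaults file, directly below the new `koji_web_keytab` default; a role default is used silently whenever the override is forgotten, so the "change before deployment" comment is the only guard. Prefer an empty default such as `koji_hub_secret: ""` together with an assert task that fails the play when it is unset, and keep the real value in a vault. The new keytab path is fine as a plain scalar, but the directory `/etc/keytabs` and its ownership do not appear in this hunk, so if no task in this change provisions it the path will not exist at first run.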
@@ -44,16 +45,20 @@ koji_web_tls_key: /etc/pki/tls/private/koji.rockylinux.org.key
# Kojira
koji_kojira: true
koji_kojira_user: kojira
-koji_kojira_user_kerb: koji/kojira
-koji_kojira_principal: koji/kojira@ROCKYLINUX.ORG
-koji_kojira_keytab: /etc/koji.keytab
+koji_kojira_user_kerb: kojira/koji.rockylinux.org
+koji_kojira_principal: kojira/koji.rockylinux.org@ROCKYLINUX.ORG
+koji_kojira_keytab: /etc/keytabs/kojira.keytab
# MBS
koji_mbs: true
koji_mbs_user: mbs
koji_mbs_user_kerb: mbs/mbs.rockylinux.org
koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
-koji_mbs_keytab: /etc/mbs.keytab
+koji_mbs_keytab: /etc/keytabs/mbs.keytab
+
+# GC
+koji_gc_keytab: /etc/keytabs/koji-gc.keytab
+koji_gc_principal: koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG
# Storage
koji_nfs: true
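Review bot: The new GC stanza at `koji_gc_keytab` / `koji_gc_principal` breaks the pattern of the Kojira and MBS stanzas above it, which each carry an enable toggle and a user name (`koji_kojira: true`, `koji_kojira_user: kojira`); consumers of this role will look for `koji_gc: true` and `koji_gc_user: koji-gc` and find nothing. The rewritten principals also hard-code the instance `koji.rockylinux.org` (`kojira/koji.rockylinux.org@ROCKYLINUX.ORG`, `koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG`) while the hub section later in this file derives its principal from `{{ inventory_hostname }}`; a deployment to any other host would ship keytabs whose principal names do not match the host. Consider `"kojira/{{ inventory_hostname }}@ROCKYLINUX.ORG"` and `"koji-gc/{{ inventory_hostname }}@ROCKYLINUX.ORG"` for consistency.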
@@ -68,9 +73,9 @@ koji_admin_localuser: true
koji_admin_localuser_name: koji
# Hub Settings
-koji_hub_principal: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
-koji_hub_proxy_principals: koji/kojiweb@ROCKYLINUX.ORG
-koji_hub_keytab: /etc/koji.keytab
+koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
+koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
+koji_hub_keytab: /etc/keytabs/host.keytab
koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
# This should be sufficient even for LE
koji_hub_ca: "{{ koji_web_cacert }}"
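Review bot: `koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"` uses a bare short name as the principal instance, unlike every other principal in this file, and drops the `{{ inventory_hostname }}` templating the old value had; if this is meant to be the host's own service principal the instance should be the FQDN. Pairing it with `koji_hub_keytab: /etc/keytabs/host.keytab` suggests the machine's host keytab is being handed to httpd (it is referenced as `GssapiCredStore` in kojihub.conf.j2), which is a broader credential than a dedicated hub service keytab; a compromise of the web process would then yield the host identity. The proxy principal `"HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"` is the identity the hub will allow to impersonate any user, so the keytab holding it (`koji_web_keytab`) deserves the same restricted ownership as the hub secret.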
@@ -84,6 +89,7 @@ koji_fas_url: https://accounts.rockylinux.org
koji_hub_plugins: false
koji_hub_plugins_list: []
+# Not implemented
koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
koji_hub_plugin_mqtt_topic: koji
koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}"
diff --git a/files/etc/cron.d/koji-directory-cleanup b/files/etc/cron.d/koji-directory-cleanup
new file mode 100644
index 0000000..69dbffe
--- /dev/null
+++ b/files/etc/cron.d/koji-directory-cleanup
@@ -0,0 +1,3 @@
+# Adapted from Fedora Infra
+0 8 * * * apache find /mnt/koji/work -xdev -depth -mindepth 2 -mtime +14 \( -type f -o -type l \) -delete -o -type d -empty -delete >& /dev/null
+0 9 * * * apache find /mnt/koji/scratch -xdev -depth -mtime +14 \( -type f -o -type l \) -delete -o -type d -empty -delete >& /dev/null
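Review bot: Both new entries redirect with `>& /dev/null`, which is a bash extension; cron runs commands through `/bin/sh`, so the portable form `> /dev/null 2>&1` avoids a "Bad fd number" failure on any host where `/bin/sh` is not bash. The paths `/mnt/koji/work` and `/mnt/koji/scratch` are hard-coded in a static file while the rest of the role resolves the storage root through `{{ koji_mount }}`; if `koji_mount` is overridden these jobs will silently clean nothing, so this belongs under templates/ with `{{ koji_mount }}/work` and `{{ koji_mount }}/scratch`. Discarding all output also hides `find` errors such as a missing or unmounted directory; consider logging stderr instead of dropping it.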
diff --git a/files/etc/cron.d/koji-gc b/files/etc/cron.d/koji-gc
new file mode 100644
index 0000000..c342808
--- /dev/null
+++ b/files/etc/cron.d/koji-gc
@@ -0,0 +1,6 @@
+# Run garbage collector nightly
+SCRIPT=/usr/sbin/koji-gc
+MAILTO=infrastructure@rockylinux.org
+0 8 * * * apache /usr/local/bin/lock-wrapper koji-gc-delete $SCRIPT --action=delete --lock-file /var/tmp/koji-gc.lock
+0 9 * * * apache /usr/local/bin/lock-wrapper koji-gc-trash $SCRIPT --action=trash --lock-file /var/tmp/koji-gc.lock
+0 10 * * * apache /usr/local/bin/lock-wrapper koji-gc-prune $SCRIPT --action=prune --lock-file /var/tmp/koji-gc.lock
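Review bot: All three jobs invoke `/usr/local/bin/lock-wrapper`, but nothing in this diff installs that helper, so unless another part of the role ships it these entries will fail every night and mail `infrastructure@rockylinux.org` three times. `--lock-file /var/tmp/koji-gc.lock` places the lock in a world-writable directory; a stale or foreign file at that path can block or misdirect the job, so a directory owned by the `apache` user (for example under `/run` or `/var/lib/koji`) is the safer home. The delete pass at 08:00 also coincides with the directory-cleanup job in koji-directory-cleanup; staggering them avoids two heavy filesystem walks on the same volume at once.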
diff --git a/files/etc/koji-hub/plugins/sidetag.conf b/files/etc/koji-hub/plugins/sidetag.conf
new file mode 100644
index 0000000..15e0293
--- /dev/null
+++ b/files/etc/koji-hub/plugins/sidetag.conf
@@ -0,0 +1,3 @@
+[sidetag]
+# automatically remove sidetag on untagging last package
+remove_empty = on
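Review bot: This plugin config is shipped while defaults/main.yml in the same change still leaves `koji_hub_plugins: false` and `koji_hub_plugins_list: []`, so the sidetag plugin is never loaded and `remove_empty = on` has no effect unless an inventory overrides both; if the intent is to enable sidetags, the defaults should list the plugin, otherwise a comment noting the dependency would help, e.g. `# Only effective when 'sidetag' is in koji_hub_plugins_list`. The value `on` is accepted by Python's ConfigParser boolean parsing, but `true` reads more consistently with the other Koji configs in this role.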
diff --git a/templates/etc/httpd/conf.d/kojihub.conf.j2 b/templates/etc/httpd/conf.d/kojihub.conf.j2
index d7286de..44d9720 100644
--- a/templates/etc/httpd/conf.d/kojihub.conf.j2
+++ b/templates/etc/httpd/conf.d/kojihub.conf.j2
@@ -45,7 +45,6 @@ Alias /kojifiles "{{ koji_mount }}/"
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
- GssapiCredStore keytab:/etc/koji.keytab
+ GssapiCredStore keytab:{{ koji_hub_keytab }}
Require valid-user
-
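Review bot: `GssapiCredStore keytab:{{ koji_hub_keytab }}` resolves by default to `/etc/keytabs/host.keytab`, whose principal per defaults/main.yml is `host/kojihub@ROCKYLINUX.ORG`, but a client negotiating against the hub obtains a ticket for `HTTP/<hub-fqdn>`; unless that key is also present in the same keytab the acceptor cannot decrypt the ticket and every GSSAPI login to the hub fails. The same concern applies to the kojiweb.conf.j2 hunk, where `koji_web_keytab` must hold `HTTP/{{ inventory_hostname }}`. Both keytab files must be readable by the httpd user and by nothing else; no ownership or mode handling is visible in this change, so please confirm the tasks set it. The enclosing `<Location>` block begins outside the hunk.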
diff --git a/templates/etc/httpd/conf.d/kojiweb.conf.j2 b/templates/etc/httpd/conf.d/kojiweb.conf.j2
index c8b06a5..2877d2a 100644
--- a/templates/etc/httpd/conf.d/kojiweb.conf.j2
+++ b/templates/etc/httpd/conf.d/kojiweb.conf.j2
@@ -5,7 +5,7 @@ Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
-RewriteRule ^/$ /koji [R,L]
+RewriteRule ^/$ /koji [R,L]
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
@@ -36,7 +36,7 @@ WSGIProcessGroup koji
AuthType GSSAPI
AuthName "Koji Web UI"
- GssapiCredStore keytab:/etc/koji.keytab
+ GssapiCredStore keytab:{{ koji_web_keytab }}
Require valid-user
ErrorDocument 401 /koji-static/errors/unauthorized.html
@@ -69,4 +69,3 @@ Alias /repos {{ koji_mount }}/repos
Require all granted
-
diff --git a/templates/etc/koji-gc/koji-gc.conf.j2 b/templates/etc/koji-gc/koji-gc.conf.j2
index 10388d7..f6e66f3 100644
--- a/templates/etc/koji-gc/koji-gc.conf.j2
+++ b/templates/etc/koji-gc/koji-gc.conf.j2
@@ -2,20 +2,27 @@
#earlier = higher precedence!
[main]
-key_aliases =
- 30C9ECF8 fedora-test
- 4F2A6FD2 fedora-gold
- 897DA07A redhat-beta
- 1AC70CE6 fedora-extras
+; Kerberos Auth
+principal = {{ koji_gc_principal }}
+keytab = {{ koji_gc_keytab }}
+krb_rdns = False
+#key_aliases =
+# 30C9ECF8 fedora-test
+# 4F2A6FD2 fedora-gold
+# 897DA07A redhat-beta
+# 1AC70CE6 fedora-extras
-unprotected_keys =
- fedora-test
- fedora-extras
- redhat-beta
+#unprotected_keys =
+# fedora-test
+# fedora-extras
+# redhat-beta
server = {{ koji_hub_url }}
weburl = {{ koji_web_url }}
+# We don't know what we're doing with SSL CA's yet
+#serverca =
+
# The domain name that will be appended to Koji usernames
# when creating email notifications
#email_domain = fedoraproject.org
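Review bot: `principal = {{ koji_gc_principal }}` gives koji-gc a Kerberos identity, but deleting and trashing builds requires a hub user mapped to that principal with sufficient permission (admin, per upstream koji-gc documentation), and the seed script templates/koji-pgsql.sql.j2 in this change creates only the admin, kojira and MBS users; without a matching `users` / `user_krb_principals` row the nightly cron jobs will authenticate and then be refused. The commented `#serverca =` with "We don't know what we're doing with SSL CA's yet" should say what the client does meanwhile, e.g. `# serverca unset: the koji client verifies the hub certificate against the system CA bundle`, so the next maintainer does not read it as verification being disabled. `krb_rdns = False` is correct for hosts behind aliases and worth a one-line comment.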
@@ -30,8 +37,6 @@ policy =
#note that tags with master lock engaged are already protected
tag *-updates :: keep
age < 1 day :: skip
- sig fedora-gold :: skip
- sig fedora-test && age < 12 weeks :: keep
#stuff to chuck semi-rapidly
tag *-testing *-candidate :: { # nested rules
diff --git a/templates/etc/koji-hub/hub.conf.j2 b/templates/etc/koji-hub/hub.conf.j2
index 899843a..33ad07f 100644
--- a/templates/etc/koji-hub/hub.conf.j2
+++ b/templates/etc/koji-hub/hub.conf.j2
@@ -24,7 +24,7 @@ KojiWebURL = {{ koji_web_url }}
# The domain name that will be appended to Koji usernames
# when creating email notifications
-#EmailDomain = example.com
+#EmailDomain = rockylinux.org
# whether to send the task owner and package owner email or not on success. this still goes to watchers
NotifyOnSuccess = True
## Disables all notifications
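Review bot: `#EmailDomain = rockylinux.org` is still commented out, so the edit changes nothing at runtime and, with `NotifyOnSuccess = True` two lines below, notifications continue to use the hub's built-in default domain. If the intent is to send mail to rockylinux.org addresses the line should read `EmailDomain = rockylinux.org` (or a templated `EmailDomain = {{ koji_email_domain }}` with a matching default); the same commented-out `#email_domain` exists in koji-gc.conf.j2 in this change and should be treated consistently.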
diff --git a/templates/koji-pgsql.sql.j2 b/templates/koji-pgsql.sql.j2
index 82defe7..f2f28a4 100644
--- a/templates/koji-pgsql.sql.j2
+++ b/templates/koji-pgsql.sql.j2
@@ -1,7 +1,7 @@
with user_id as (insert into users (name, status, usertype) values ('{{ koji_admin_user }}', 0, 0) returning id)
insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_admin_principal }}');
insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);
-with user_id as (insert into users (name, status, usertype) values ('{{ koji_kojira_user_kerb }}', 0, 0) returning id)
+with user_id as (insert into users (name, status, usertype) values ('{{ koji_kojira_user }}', 0, 0) returning id)
insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_kojira_principal }}');
INSERT INTO user_perms (user_id, perm_id, creator_id) VALUES (2, 10, 1);
with user_id as (insert into users (name, status, usertype) values ('{{ koji_mbs_user_kerb }}', 0, 0) returning id)
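Review bot: The kojira row is corrected to use `{{ koji_kojira_user }}` as the `users.name`, but the MBS row on the last line of the hunk still inserts `{{ koji_mbs_user_kerb }}` (`mbs/mbs.rockylinux.org`) as the user name even though `koji_mbs_user: mbs` exists in defaults; for consistency it should be `with user_id as (insert into users (name, status, usertype) values ('{{ koji_mbs_user }}', 0, 0) returning id)`. The `user_perms` inserts hard-code `user_id` 2 and rely on the sequence order of the preceding inserts, so any additional seeded user (the koji-gc user this change otherwise needs) will shift them; selecting the id by name inside a CTE as the other statements do would make the script order-independent.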