#272 Add more files to the staging hosts so that they can be ansibled
Closed 3 years ago by smooge. Opened 3 years ago by smooge.

copr: set postfix_group variable
Silvie Chlupova • 3 years ago  
file modified
+3
@@ -3,6 +3,9 @@

  

  Welcome! This is the Fedora Infrastructure Ansible Pagure project.

  

+ Pull requests and forks can be made against this repository hosted

+ at https://pagure.io/fedora-infra/ansible

+ 

  This repository is also mirrored for production runs to

  https://infrastructure.fedoraproject.org/infra/ansible/

  but this is the working repository where changes are made.

@@ -13,7 +13,7 @@

  keygen_host: "52.202.64.55"

  

  backend_base_url: "https://download.copr.fedorainfracloud.org"

- postfix_maincf: "postfix/main.cf/main.cf.copr"

+ postfix_group: copr

  

  frontend_base_url: "https://copr.fedorainfracloud.org"

  dist_git_base_url: "copr-dist-git.fedorainfracloud.org"

@@ -14,7 +14,7 @@

  keygen_host: "18.209.1.14"

  

  backend_base_url: "https://download.copr-dev.fedorainfracloud.org"

- postfix_maincf: "postfix/main.cf/main.cf.copr"

+ postfix_group: copr

  

  frontend_base_url: "https://copr-fe-dev.cloud.fedoraproject.org"

  dist_git_base_url: "copr-dist-git-dev.fedorainfracloud.org"

@@ -0,0 +1,9 @@

+ ---

+ datacenter: iad2

+ 

+ br0_ip: 10.3.167.16

+ br0_nm: 255.255.255.0

+ br0_gw: 10.3.167.254

+ br0_dev: eth1

+ 

+ dns: 10.3.163.33

inventory/host_vars/bvmhost-p08-01.stg.iad2.fedoraproject.org inventory/host_vars/bvmhost-p08-04.iad2.fedoraproject.org
file renamed
file was moved with no change to the file
@@ -688,3 +688,8 @@

  

  non_smtpd_milters = unix:/var/run/pagure/paguresock

  smtpd_milters = unix:/var/run/pagure/paguresock

+ 

+ # The following are needed for postfix-3

+ smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} :{permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}

+ compatibility_level = 2

+ 
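Review bot: The conditional on the new `smtpd_relay_restrictions` line is dead once `compatibility_level = 2` is set two lines below it — `${{$compatibility_level} < {1} ? ...}` can only ever yield its second branch. Writing the relay policy out explicitly, `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`, makes the anti-relay rule readable at a glance, and if this file is ever rendered through Ansible's template module instead of copied it also avoids the `{{` sequence being picked up as Jinja syntax. The comment `# The following are needed for postfix-3` says what without why; `# Postfix 3: set an explicit relay policy and raise compatibility_level so postfix stops logging backwards-compatible-default warnings` would tell the next maintainer when it can be removed.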

@@ -19,6 +19,7 @@

          python3-flask-babel \

          python3-flask-htmlmin \

          python3-cssutils \

+         python3-gnupg \

          rubygem-sass \

          babel \

          python3-jinja2 \

@@ -1,1 +0,0 @@

- ## <summary></summary>

@@ -1,11 +1,53 @@

- module pagure 1.0;

+ module pagure 1.1;

  

  require {

-         type httpd_t;

- 	type gitosis_var_lib_t;

- 	class dir { add_name remove_name write };

- 	class file { create link setattr unlink write };

+     type gitosis_var_lib_t;

+     type httpd_log_t;

+     type httpd_t;

+     type http_port_t;

+     type ldconfig_exec_t;

+     type postfix_cleanup_t;

+     type postfix_smtpd_t;

+     type sshd_t;

+     type var_log_t;

+     type var_run_t;

+     type var_t;

+     class dir { add_name remove_name write };

+     class file { create link setattr write execute execute_no_trans getattr map open read rename unlink };

+     class process execmem;

+     class sock_file write;

+     class tcp_socket name_connect;

  }

  

  allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };

  allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };

+ 

+ #============= httpd_t ==============

+ 

+ #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'

+ allow httpd_t gitosis_var_lib_t:file map;

+ allow httpd_t httpd_log_t:file { rename unlink };

+ 

+ #!!!! This avc is allowed in the current policy

+ allow httpd_t self:process execmem;

+ allow httpd_t var_log_t:file { open rename };

+ 

+ #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'

+ allow httpd_t var_t:file map;

+ allow httpd_t var_t:file { getattr open read };

+ 

+ #============= postfix_cleanup_t ==============

+ allow postfix_cleanup_t var_run_t:sock_file write;

+ 

+ #============= postfix_smtpd_t ==============

+ allow postfix_smtpd_t var_run_t:sock_file write;

+ 

+ #============= sshd_t ==============

+ 

+ #!!!! This avc is allowed in the current policy

+ allow sshd_t http_port_t:tcp_socket name_connect;

+ 

+ #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'

+ allow sshd_t ldconfig_exec_t:file map;

+ allow sshd_t ldconfig_exec_t:file { execute execute_no_trans open read };

+ 
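Review bot: The new rules grant httpd_t (and the two postfix domains) access to the generic types `var_t`, `var_log_t` and `var_run_t` — `allow httpd_t var_t:file map;`, `allow httpd_t var_t:file { getattr open read };`, `allow httpd_t var_log_t:file { open rename };` and the `var_run_t:sock_file write` rules — which is far wider than the few paths that produced the denials; labeling those paths with a specific type via `semanage fcontext`, as the accompanying tasks already do for /srv/git, would keep the web server confined to pagure's own files, log and milter socket. Several rules are annotated by audit2allow itself as already permitted by the current policy or by the `domain_can_mmap_files` boolean (`allow httpd_t self:process execmem;`, `allow sshd_t http_port_t:tcp_socket name_connect;`), and `httpd_execmem` is enabled separately in this PR, so the duplicates could be dropped to avoid a module that silently keeps those permissions alive after a boolean is turned back off. The `sshd_t ldconfig_exec_t` execute rules are unusual for a git-over-ssh host and deserve a comment naming the pagure operation that triggers them.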

@@ -472,74 +472,10 @@

    tags:

    - pagure

  

- - name: check the selinux context of the git repo directory

-   command: matchpathcon /srv/git

-   register: distgitcontext

-   check_mode: no

-   changed_when: false

+ - import_tasks: selinux.yml

    tags:

-   - config

-   - pagure

-   - selinux

- 

- - name: set the SELinux policy for the distgit root directory

-   command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"

-   when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1

-   tags:

-   - config

-   - pagure

-   - selinux

- 

- - name: check the selinux context of the releases directory

-   command: matchpathcon /var/www/releases

-   register: distgitcontext

-   check_mode: no

-   changed_when: false

-   tags:

-   - config

-   - pagure

-   - selinux

- 

- # Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions?

- - name: set the SELinux policy for the releases directory

-   command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"

-   when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1

-   tags:

-   - config

-   - pagure

    - selinux

  

- - name: copy over our custom selinux module

-   copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp

-   register: selinux_module

-   tags:

-   - pagure

- 

- - name: install our custom selinux module

-   command: semodule -i /usr/local/share/pagure.pp

-   when: selinux_module is changed

-   tags:

-   - pagure

- 

- - name: set sebooleans so pagure can talk to the network (db + redis)

-   seboolean: name=httpd_can_network_connect

-                     state=true

-                     persistent=true

-   tags:

-   - selinux

-   - web

-   - pagure

- 

- - name: set sebooleans so apache can send emails

-   seboolean: name=httpd_can_sendmail

-                     state=true

-                     persistent=true

-   tags:

-   - selinux

-   - web

-   - pagure

- 

- 

  # Ensure all the services are up and running

  

  - name: Start and enable httpd, postfix, pagure_milter

@@ -0,0 +1,106 @@

+ ---

+ - name: check the selinux context of the git repo directory

+   command: matchpathcon /srv/git

+   register: distgitcontext

+   check_mode: no

+   changed_when: false

+   tags:

+   - config

+   - pagure

+   - selinux

+ 

+ - name: set the SELinux policy for the distgit root directory

+   command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"

+   when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1

+   tags:

+   - config

+   - pagure

+   - selinux

+ 

+ - name: check the selinux context of the releases directory

+   command: matchpathcon /var/www/releases

+   register: distgitcontext

+   check_mode: no

+   changed_when: false

+   tags:

+   - config

+   - pagure

+   - selinux

+ 

+ # Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions?

+ - name: set the SELinux policy for the releases directory

+   command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"

+   when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1

+   tags:

+   - config

+   - pagure

+   - selinux

+ 

+ - name: copy over our custom selinux module

+   copy: src=selinux/pagure.te dest=/usr/local/share/pagure.te

+   register: selinux_module

+   tags:

+   - config

+   - pagure

+   - selinux

+ 

+ - name: Build our custom selinux module

+   command: checkmodule -M -m -o /usr/local/share/pagure.mod /usr/local/share/pagure.te

+   when: selinux_module is changed

+   tags:

+   - config

+   - pagure

+   - selinux

+ 

+ - name: Compile our custom selinux module

+   command: semodule_package -o /usr/local/share/pagure.pp -m /usr/local/share/pagure.mod

+   when: selinux_module is changed

+   tags:

+   - config

+   - pagure

+   - selinux

+ 

+ - name: install our custom selinux module

+   command: semodule -i /usr/local/share/pagure.pp

+   when: selinux_module is changed

+   tags:

+   - config

+   - pagure

+   - selinux

+ 

+ - name: set sebooleans so pagure can talk to the network (db + redis)

+   seboolean: name=httpd_can_network_connect

+                     state=true

+                     persistent=true

+   tags:

+   - config

+   - selinux

+   - pagure

+ 

+ - name: set sebooleans so apache can send emails

+   seboolean: name=httpd_can_sendmail

+                     state=true

+                     persistent=true

+   tags:

+   - config

+   - selinux

+   - pagure

+ 

+ - name: set sebooleans so pygit2 can read the git repos

+   seboolean: name=httpd_execmem

+                     state=true

+                     persistent=true

+   tags:

+   - config

+   - selinux

+   - pagure

+ 

+ - name: set sebooleans so ssh can retrieve access info from apache

+   seboolean: name=nis_enabled

+                     state=true

+                     persistent=true

+   tags:

+   - config

+   - selinux

+   - pagure

+ 
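Review bot: The `checkmodule`, `semodule_package` and `semodule -i` tasks all key off `selinux_module is changed` from the copy of pagure.te, so a failure in any of them leaves the .te in place and unchanged on the next run and the module is never built or loaded until the file is edited again; registering the build step and running the install when either the copy or the build reported a change, or checking the loaded module with `semodule -l`, would let the play converge. These tasks also assume `checkmodule` and `semodule_package` exist on the host, and nothing in this file installs them. Separately, `nis_enabled` is a policy-wide boolean that relaxes network access for many confined domains rather than just sshd, and the custom module in this PR already carries an explicit `allow sshd_t http_port_t:tcp_socket name_connect;` for the same purpose, so one of the two is redundant — preferably keep the narrower module rule and document in its comment which pagure access check it serves.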

@@ -9,8 +9,6 @@

  

  [{{ stunnel_service }}]

  sslVersion = all

- options = NO_SSLv2

  options = NO_SSLv3

- options = NO_TLSv1

  accept = {{ stunnel_source_port }}

  connect = {{ stunnel_destination_port }}
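Review bot: Dropping `options = NO_TLSv1` re-enables TLS 1.0 for this service wherever the underlying OpenSSL still offers it, which is a protocol downgrade rather than the removal of an unsupported reference described in the commit title; only the `NO_SSLv2` line is obsolete. Keep `options = NO_TLSv1` (and consider adding `options = NO_TLSv1_1`), or on stunnel builds that support it replace the per-protocol options with `sslVersionMin = TLSv1.2`; if this stunnel build actually rejects the option, the commit message should say so. With `sslVersion = all` two lines above, nothing else in this section sets a minimum protocol version.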

Move the bvmhost-p08-04 to stg and create an a64 one.

Signed-off-by: Stephen Smoogen ssmoogen@redhat.com

20 new commits added

  • pagure - remove refs to sslv1/2 as no longer supported
  • test commit - sorry for the noise - more selinux testing
  • update readme to reference ansible hosted on pagure
  • test commit - sorry for the noise - last one I swear!
  • test commit - sorry for the noise
  • test commit - sorry for the noise
  • test commit - sorry for the noise
  • test commit - sorry for the noise
  • pagure: missed a type in the selinux policy...
  • pagure: adjust the selinux policy some more
  • pagure: fix typo in selinux boolean
  • pagure: Add missing permission in the pagure policy
  • pagure: update the selinux configuration for pagure
  • pagure: enable the nis_enabled selinux boolean
  • pagure: enable the httpd_execmem selinux boolean
  • pagure: adjust pagure's postfix configuration to rhel8
  • Revert "pagure: close all ports but 22 from batcave so we're sure people don't push changes while we do the migration"
  • pagure: close all ports but 22 from batcave so we're sure people don't push changes while we do the migration
  • websites: add python-gnupg for building key bundle and sanity-checking static/keys
  • copr: set postfix_group variable
3 years ago

Pull-Request has been closed by smooge

3 years ago