This commit was a bit nuts and touches everything. We tested it in staging without issue. This push to production should be fine but as always keep your eyes open. Not much 'changed', it's just fas is now a module.

-Mike

---------- Forwarded message ----------
Date: Wed, 8 Apr 2009 15:08:54
From: Mike McGrath <mmcgrath@xxxxxxxxxxxxxxxxx> To: sysadmin-members@xxxxxxxxxxxxxxxxx Subject: 3 commits - configs/fas configs/system configs/web manifests/nodes manifests/servergroups manifests/services modules/fas configs/fas/fasSync | 1 configs/fas/nsswitch.conf | 45 - configs/system/export-bugzilla.cfg.erb | 11 configs/system/export-bugzilla.py | 68 -- configs/system/fas.conf.erb | 78 --- configs/web/accounts-proxy.conf | 12 configs/web/accounts.fedoraproject.org.conf | 13 configs/web/accounts.fedoraproject.org/logs.conf | 2 configs/web/accounts.fedoraproject.org/redirect.conf | 1 configs/web/applications/Makefile.fedora-ca | 70 -- configs/web/applications/accounts.conf | 26 - configs/web/applications/certhelper.py | 280 ----------- configs/web/applications/fas-log.cfg | 29 - configs/web/applications/fas-prod.cfg.erb | 163 ------ configs/web/applications/fas.wsgi | 50 -- configs/web/applications/fedora-ca-client-openssl.cnf | 317 ------------- configs/web/fas.fedoraproject.org.conf | 13 configs/web/fas.fedoraproject.org/logs.conf | 2 configs/web/fas.fedoraproject.org/redirect.conf | 1 dev/null |binary manifests/nodes/app1.stg.fedora.phx.redhat.com.pp | 2 manifests/nodes/backup2.fedoraproject.org.pp | 2 manifests/nodes/bu1.fedoraproject.org.pp | 2 manifests/nodes/buildsys.fedoraproject.org.pp | 2 manifests/nodes/cstore1.fedoraproject.org.pp | 2 manifests/nodes/cstore2.fedoraproject.org.pp | 2 manifests/nodes/db1.stg.fedora.phx.redhat.com.pp | 2 manifests/nodes/fas1.fedora.phx.redhat.com.pp | 2 manifests/nodes/ibiblio1.fedoraproject.org.pp | 2 manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp | 2 manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp | 2 manifests/nodes/lb1.fedora.phx.redhat.com.pp | 2 manifests/nodes/lb2.fedora.phx.redhat.com.pp | 2 manifests/nodes/log1.fedora.phx.redhat.com.pp | 2 manifests/nodes/nfs1.fedora.phx.redhat.com.pp | 2 manifests/nodes/nfs2.fedora.phx.redhat.com.pp | 2 manifests/nodes/noc2.fedoraproject.org.pp | 2 
manifests/nodes/ns1.fedoraproject.org.pp | 2 manifests/nodes/ns2.fedoraproject.org.pp | 2 manifests/nodes/people1.fedoraproject.org.pp | 2 manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest10.fedoraproject.org.pp | 2 manifests/nodes/publictest12.fedoraproject.org.pp | 2 manifests/nodes/publictest13.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest14.fedoraproject.org.pp | 2 manifests/nodes/publictest15.fedoraproject.org.pp | 2 manifests/nodes/publictest16.fedoraproject.org.pp | 2 manifests/nodes/publictest2.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest3.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest4.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest5.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest6.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest7.fedora.phx.redhat.com.pp | 2 manifests/nodes/publictest9.fedora.phx.redhat.com.pp | 2 manifests/nodes/qa1.fedora.phx.redhat.com.pp | 2 manifests/nodes/rawhide1.fedoraproject.org.pp | 2 manifests/nodes/releng1.fedora.phx.redhat.com.pp | 2 manifests/nodes/secondary1.fedora.phx.redhat.com.pp | 2 manifests/nodes/serverbeach1.fedoraproject.org.pp | 2 manifests/nodes/serverbeach2.fedoraproject.org.pp | 2 manifests/nodes/serverbeach3.fedoraproject.org.pp | 2 manifests/nodes/serverbeach4.fedoraproject.org.pp | 2 manifests/nodes/serverbeach5.fedoraproject.org.pp | 2 manifests/nodes/sign1.fedora.phx.redhat.com.pp | 2 manifests/nodes/sign2.fedora.phx.redhat.com.pp | 2 manifests/nodes/sign3.fedora.phx.redhat.com.pp | 2 manifests/nodes/smtp-mm1.fedoraproject.org.pp | 2 manifests/nodes/telia1.fedoraproject.org.pp | 2 manifests/nodes/test3.fedora.phx.redhat.com.pp | 2 manifests/nodes/test4.fedora.phx.redhat.com.pp | 2 manifests/nodes/test7.fedora.phx.redhat.com.pp | 2 manifests/nodes/test9.fedora.phx.redhat.com.pp | 2 manifests/nodes/torrent1.fedoraproject.org.pp | 2 manifests/nodes/tummy1.fedoraproject.org.pp | 2 manifests/nodes/xen6.fedora.phx.redhat.com.pp 
| 2 manifests/servergroups/appFcTest.pp | 2 manifests/servergroups/appRelEng.pp | 2 manifests/servergroups/appRhel.pp | 2 manifests/servergroups/appRhelTest.pp | 2 manifests/servergroups/asterisk.pp | 2 manifests/servergroups/build.pp | 2 manifests/servergroups/cnodes.pp | 2 manifests/servergroups/collab.pp | 2 manifests/servergroups/compose.pp | 2 manifests/servergroups/cvs.pp | 2 manifests/servergroups/db.pp | 2 manifests/servergroups/fas-server.pp | 6 manifests/servergroups/gateway.pp | 2 manifests/servergroups/hosted.pp | 2 manifests/servergroups/koji.pp | 2 manifests/servergroups/noc.pp | 2 manifests/servergroups/proxy.pp | 4 manifests/servergroups/puppet.pp | 2 manifests/servergroups/valueadd.pp | 2 manifests/servergroups/xen-server.pp | 2 manifests/services/fas.pp | 292 ----------- modules/fas/README | 10 modules/fas/files/Makefile.fedora-ca | 70 ++ modules/fas/files/accounts-proxy.conf | 11 modules/fas/files/accounts-pubring.gpg |binary modules/fas/files/accounts.conf | 26 + modules/fas/files/accounts.fedoraproject.org.conf | 13 modules/fas/files/accounts.fedoraproject.org/logs.conf | 2 modules/fas/files/accounts.fedoraproject.org/redirect.conf | 1 modules/fas/files/certhelper.py | 280 +++++++++++ modules/fas/files/export-bugzilla.py | 68 ++ modules/fas/files/fas-log.cfg | 29 + modules/fas/files/fas.fedoraproject.org.conf | 13 modules/fas/files/fas.fedoraproject.org/logs.conf | 2 modules/fas/files/fas.fedoraproject.org/redirect.conf | 1 modules/fas/files/fas.wsgi | 50 ++ modules/fas/files/fasSync | 1 modules/fas/files/fedora-ca-client-openssl.cnf | 317 +++++++++++++ modules/fas/files/nsswitch.conf | 45 + modules/fas/manifests/init.pp | 307 ++++++++++++ modules/fas/templates/export-bugzilla.cfg.erb | 11 modules/fas/templates/fas-prod.cfg.erb | 163 ++++++ modules/fas/templates/fas.conf.erb | 78 +++ 118 files changed, 1576 insertions(+), 1552 deletions(-) New commits: commit 58e9676244f0f543812dcb6c2723e532319ca512 Author: Mike McGrath <mmcgrath@xxxxxxxxxx> 
Date: Wed Apr 8 20:08:51 2009 +0000 have all hosts use new fas module diff --git a/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp index 1f26375..3378a5d 100644 --- a/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp +++ b/manifests/nodes/app1.stg.fedora.phx.redhat.com.pp @@ -6,7 +6,7 @@ node 'app1.stg.fedora.phx.redhat.com' { $groups='sysadmin-main' include phx include global - include fas + include fas::fas } 'staging' : { diff --git a/manifests/nodes/backup2.fedoraproject.org.pp b/manifests/nodes/backup2.fedoraproject.org.pp index f19d65b..da8216c 100644 --- a/manifests/nodes/backup2.fedoraproject.org.pp +++ b/manifests/nodes/backup2.fedoraproject.org.pp @@ -1,7 +1,7 @@ node backup2 { $groups='sysadmin-backup' include global - include fas + include fas::fas include vpn include backupPrivKey include scripts::drBackup diff --git a/manifests/nodes/bu1.fedoraproject.org.pp b/manifests/nodes/bu1.fedoraproject.org.pp index d30d71d..69f0602 100644 --- a/manifests/nodes/bu1.fedoraproject.org.pp +++ b/manifests/nodes/bu1.fedoraproject.org.pp @@ -2,6 +2,6 @@ node bu1{ $groups='@all' $relayHost = ' ' include global - include fas + include fas::fas include people } diff --git a/manifests/nodes/buildsys.fedoraproject.org.pp b/manifests/nodes/buildsys.fedoraproject.org.pp index 7f709fa..2580b66 100644 --- a/manifests/nodes/buildsys.fedoraproject.org.pp +++ b/manifests/nodes/buildsys.fedoraproject.org.pp @@ -1,7 +1,7 @@ node buildsys { $groups = 'sysadmin-main,sysadmin-build,epel_signers' include global - include fas + include fas::fas include ipmi include nagiosPhysical include plague::user-sync diff --git a/manifests/nodes/cstore1.fedoraproject.org.pp b/manifests/nodes/cstore1.fedoraproject.org.pp index 4cfb82b..93f2153 100644 --- a/manifests/nodes/cstore1.fedoraproject.org.pp +++ b/manifests/nodes/cstore1.fedoraproject.org.pp 
@@ -1,6 +1,6 @@ node cstore1{ $groups='sysadmin-main,sysadmin-cloud' - include fas + include fas::fas include vpn include dhcpserver-cloud # Firewall Rules, allow tftp diff --git a/manifests/nodes/cstore2.fedoraproject.org.pp b/manifests/nodes/cstore2.fedoraproject.org.pp index 0846147..f490863 100644 --- a/manifests/nodes/cstore2.fedoraproject.org.pp +++ b/manifests/nodes/cstore2.fedoraproject.org.pp @@ -1,6 +1,6 @@ node cstore2{ $groups='sysadmin-main,sysadmin-cloud' - include fas + include fas::fas include vpn # Firewall Rules, allow (nothing yet) $tcpPorts = [ ] diff --git a/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp index ce6778a..170e307 100644 --- a/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp +++ b/manifests/nodes/db1.stg.fedora.phx.redhat.com.pp @@ -5,7 +5,7 @@ node "db1.stg.fedora.phx.redhat.com" { $groups='sysadmin-main' include phx include global - include fas + include fas::fas } 'staging' : { diff --git a/manifests/nodes/fas1.fedora.phx.redhat.com.pp b/manifests/nodes/fas1.fedora.phx.redhat.com.pp index a65248e..90d17b0 100644 --- a/manifests/nodes/fas1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/fas1.fedora.phx.redhat.com.pp @@ -1,5 +1,5 @@ node fas1{ include phx include fasServerGenCert - include fas-no-balance + include fas::fas-no-balance } diff --git a/manifests/nodes/ibiblio1.fedoraproject.org.pp b/manifests/nodes/ibiblio1.fedoraproject.org.pp index 3ce8c3d..a87bb3b 100644 --- a/manifests/nodes/ibiblio1.fedoraproject.org.pp +++ b/manifests/nodes/ibiblio1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node ibiblio1{ $groups='sysadmin-main' include xen-server - include fas + include fas::fas include vpn } diff --git a/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp b/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp index 1dd226b..fa7d8fd 100644 --- a/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/kojipkgs1.fedora.phx.redhat.com.pp 
@@ -2,7 +2,7 @@ node kojipkgs1{ $groups='sysadmin-main,sysadmin-build,sysadmin-noc' include phx include global - include fas + include fas::fas include kojipkgs include selinux diff --git a/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp b/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp index 3fbae4e..3bb9433 100644 --- a/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/kojipkgs2.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node kojipkgs2{ $groups='sysadmin-main,sysadmin-build,sysadmin-noc' include phx include global - include fas + include fas::fas include kojipkgs include selinux diff --git a/manifests/nodes/lb1.fedora.phx.redhat.com.pp b/manifests/nodes/lb1.fedora.phx.redhat.com.pp index baebda8..1351fde 100644 --- a/manifests/nodes/lb1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/lb1.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node lb1{ $groups='sysadmin-main,sysadmin-web' include phx - include fas + include fas::fas include global # Firewall Rules, allow OpenVPN traffic through diff --git a/manifests/nodes/lb2.fedora.phx.redhat.com.pp b/manifests/nodes/lb2.fedora.phx.redhat.com.pp index 0b30286..a4e8658 100644 --- a/manifests/nodes/lb2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/lb2.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node lb2{ $groups='sysadmin-main,sysadmin-web' include phx - include fas + include fas::fas include global # Firewall Rules, allow OpenVPN traffic through $tcpPorts = [ 80, 443, 5560 ] diff --git a/manifests/nodes/log1.fedora.phx.redhat.com.pp b/manifests/nodes/log1.fedora.phx.redhat.com.pp index b615389..9198af2 100644 --- a/manifests/nodes/log1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/log1.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node log1{ $groups='sysadmin-main,sysadmin-noc' $rsyslog=1 include global - include fas + include fas::fas include phx include vpn include awstats 
diff --git a/manifests/nodes/nfs1.fedora.phx.redhat.com.pp b/manifests/nodes/nfs1.fedora.phx.redhat.com.pp index 7f39b70..3ca425f 100644 --- a/manifests/nodes/nfs1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/nfs1.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node nfs1{ $groups='sysadmin-main,sysadmin-noc' include phx include global - include fas + include fas::fas include nfs-server include nfs-server-phx include selinux diff --git a/manifests/nodes/nfs2.fedora.phx.redhat.com.pp b/manifests/nodes/nfs2.fedora.phx.redhat.com.pp index f3be815..994b491 100644 --- a/manifests/nodes/nfs2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/nfs2.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node nfs2{ $groups='sysadmin-main' include phx - include fas + include fas::fas } diff --git a/manifests/nodes/noc2.fedoraproject.org.pp b/manifests/nodes/noc2.fedoraproject.org.pp index 55bc2fa..51aaa3b 100644 --- a/manifests/nodes/noc2.fedoraproject.org.pp +++ b/manifests/nodes/noc2.fedoraproject.org.pp @@ -2,7 +2,7 @@ node noc2{ $groups='sysadmin-main,sysadmin-noc' $relayHost=' ' include global - include fas + include fas::fas include vpn include nagios-server-external include pager diff --git a/manifests/nodes/ns1.fedoraproject.org.pp b/manifests/nodes/ns1.fedoraproject.org.pp index 94fae20..624f5da 100644 --- a/manifests/nodes/ns1.fedoraproject.org.pp +++ b/manifests/nodes/ns1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node ns1{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include dns } diff --git a/manifests/nodes/ns2.fedoraproject.org.pp b/manifests/nodes/ns2.fedoraproject.org.pp index fa6c738..91998e0 100644 --- a/manifests/nodes/ns2.fedoraproject.org.pp +++ b/manifests/nodes/ns2.fedoraproject.org.pp @@ -1,7 +1,7 @@ node ns2{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include dns } diff --git a/manifests/nodes/people1.fedoraproject.org.pp b/manifests/nodes/people1.fedoraproject.org.pp index cb35312..ef49bc8 100644 
--- a/manifests/nodes/people1.fedoraproject.org.pp +++ b/manifests/nodes/people1.fedoraproject.org.pp @@ -4,7 +4,7 @@ node people1 { $sshd_config_PasswordAuthentication='no' include global include people - include fas + include fas::fas include vpn include planet } diff --git a/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp b/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp index 48d86e5..90369ae 100644 --- a/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp +++ b/manifests/nodes/proxy1.stg.fedora.phx.redhat.com.pp @@ -5,7 +5,7 @@ node 'proxy1.stg.fedora.phx.redhat.com' { $groups='sysadmin-main' include phx include global - include fas + include fas::fas } 'staging' : { $puppetEnvironment='staging' diff --git a/manifests/nodes/publictest10.fedoraproject.org.pp b/manifests/nodes/publictest10.fedoraproject.org.pp index 3992b56..5fbbd61 100644 --- a/manifests/nodes/publictest10.fedoraproject.org.pp +++ b/manifests/nodes/publictest10.fedoraproject.org.pp @@ -2,7 +2,7 @@ node publictest10{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include ssh::sshd include httpd - include fas + include fas::fas include global include selinux include git-package diff --git a/manifests/nodes/publictest12.fedoraproject.org.pp b/manifests/nodes/publictest12.fedoraproject.org.pp index 12e6b66..7cdded4 100644 --- a/manifests/nodes/publictest12.fedoraproject.org.pp +++ b/manifests/nodes/publictest12.fedoraproject.org.pp @@ -1,6 +1,6 @@ node publictest12{ $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' - include fas + include fas::fas include global $tcpPorts = [ 80, 443 ] $udpPorts = [ ] diff --git a/manifests/nodes/publictest13.fedora.phx.redhat.com.pp b/manifests/nodes/publictest13.fedora.phx.redhat.com.pp index 1c5bb08..a960671 100644 --- a/manifests/nodes/publictest13.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest13.fedora.phx.redhat.com.pp 
@@ -1,6 +1,6 @@ node publictest13{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include global - include fas + include fas::fas } diff --git a/manifests/nodes/publictest14.fedoraproject.org.pp b/manifests/nodes/publictest14.fedoraproject.org.pp index 9fc8c05..e5c353c 100644 --- a/manifests/nodes/publictest14.fedoraproject.org.pp +++ b/manifests/nodes/publictest14.fedoraproject.org.pp @@ -1,7 +1,7 @@ node publictest14{ $relayHost=' ' $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc,sysadmin-test' - include fas + include fas::fas include global $tcpPorts = [ 80, 443 ] $udpPorts = [ ] diff --git a/manifests/nodes/publictest15.fedoraproject.org.pp b/manifests/nodes/publictest15.fedoraproject.org.pp index cd2d98d..54d6821 100644 --- a/manifests/nodes/publictest15.fedoraproject.org.pp +++ b/manifests/nodes/publictest15.fedoraproject.org.pp @@ -3,7 +3,7 @@ node publictest15{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include ssh::sshd include httpd - include fas + include fas::fas include bodhi-dev include global include selinux diff --git a/manifests/nodes/publictest16.fedoraproject.org.pp b/manifests/nodes/publictest16.fedoraproject.org.pp index 7b85ddf..6b9b0c3 100644 --- a/manifests/nodes/publictest16.fedoraproject.org.pp +++ b/manifests/nodes/publictest16.fedoraproject.org.pp @@ -2,7 +2,7 @@ node publictest16{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include ssh::sshd include httpd - include fas + include fas::fas include bodhi-dev include global include selinux diff --git a/manifests/nodes/publictest2.fedora.phx.redhat.com.pp b/manifests/nodes/publictest2.fedora.phx.redhat.com.pp index 91fdaaf..d224e45 100644 --- a/manifests/nodes/publictest2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest2.fedora.phx.redhat.com.pp @@ -2,6 +2,6 @@ node publictest2{ $groups='sysadmin-test,sysadmin-main,sysadmin-web' include phx include global - include fas + include fas::fas } 
diff --git a/manifests/nodes/publictest3.fedora.phx.redhat.com.pp b/manifests/nodes/publictest3.fedora.phx.redhat.com.pp index 207b27b..9e9f235 100644 --- a/manifests/nodes/publictest3.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest3.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node publictest3{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas #Include php.ini & apache... include apache::php diff --git a/manifests/nodes/publictest4.fedora.phx.redhat.com.pp b/manifests/nodes/publictest4.fedora.phx.redhat.com.pp index af6052a..ccc6ff1 100644 --- a/manifests/nodes/publictest4.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest4.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node publictest4{ $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas # Firewall Rules, allow SSH, SIP(TCP 5060), IAX2(UDP 4569), SIP(UDP 5060), RTP(UDP 10000:10500) $tcpPorts = [ 22, 5060 ] $udpPorts = [ 4569, 5060, '10000:10500' ] diff --git a/manifests/nodes/publictest5.fedora.phx.redhat.com.pp b/manifests/nodes/publictest5.fedora.phx.redhat.com.pp index 2378109..3f9880a 100644 --- a/manifests/nodes/publictest5.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest5.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node publictest5{ $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas # Firewall Rules, allow HTTP (TCP 80), HTTPS (TCP 443), SSH, SIP(TCP 5060), IAX2(UDP 4569), SIP(UDP 5060), RTP(UDP 10000:10500) $tcpPorts = [ 22, 80, 443, 5060 ] $udpPorts = [ 4569, 5060, '10000:10500' ] diff --git a/manifests/nodes/publictest6.fedora.phx.redhat.com.pp b/manifests/nodes/publictest6.fedora.phx.redhat.com.pp index d8bd031..5ff6931 100644 --- a/manifests/nodes/publictest6.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest6.fedora.phx.redhat.com.pp 
@@ -3,6 +3,6 @@ node publictest6{ $groups = 'sysadmin-main' include phx include xen-guest - include fas + include fas::fas } diff --git a/manifests/nodes/publictest7.fedora.phx.redhat.com.pp b/manifests/nodes/publictest7.fedora.phx.redhat.com.pp index 257dce5..df44bea 100644 --- a/manifests/nodes/publictest7.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest7.fedora.phx.redhat.com.pp @@ -3,6 +3,6 @@ node publictest7{ $groups = 'sysadmin-main' include phx include xen-guest - include fas + include fas::fas } diff --git a/manifests/nodes/publictest9.fedora.phx.redhat.com.pp b/manifests/nodes/publictest9.fedora.phx.redhat.com.pp index 3d91c12..42819b0 100644 --- a/manifests/nodes/publictest9.fedora.phx.redhat.com.pp +++ b/manifests/nodes/publictest9.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node publictest9{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas include mediawiki-test::base $tcpPorts = [ 80, 443, 10050, 11211 ] diff --git a/manifests/nodes/qa1.fedora.phx.redhat.com.pp b/manifests/nodes/qa1.fedora.phx.redhat.com.pp index cc3053b..2e5bf19 100644 --- a/manifests/nodes/qa1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/qa1.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node qa1{ $groups='sysadmin-main,sysadmin-noc,qa-admin' include phx - include fas + include fas::fas include global include git-package include fedora-packager-package diff --git a/manifests/nodes/rawhide1.fedoraproject.org.pp b/manifests/nodes/rawhide1.fedoraproject.org.pp index dc480eb..7377f7d 100644 --- a/manifests/nodes/rawhide1.fedoraproject.org.pp +++ b/manifests/nodes/rawhide1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node 'rawhide1.fedoraproject.org' { $relayHost=' ' $groups = 'sysadmin-main,sysadmin-noc' - include fas + include fas::fas include global } diff --git a/manifests/nodes/releng1.fedora.phx.redhat.com.pp b/manifests/nodes/releng1.fedora.phx.redhat.com.pp index 60dd139..ad60c71 100644 
--- a/manifests/nodes/releng1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/releng1.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node releng1{ $groups='sysadmin-main,sysadmin-releng,sysadmin-noc' include phx - include fas + include fas::fas include global } diff --git a/manifests/nodes/secondary1.fedora.phx.redhat.com.pp b/manifests/nodes/secondary1.fedora.phx.redhat.com.pp index d87ad82..0b98229 100644 --- a/manifests/nodes/secondary1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/secondary1.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node secondary1{ $groups='sysadmin-main,sysadmin-noc,alt-sugar,alt-k12linux,altvideos' include global - include fas + include fas::fas include secondaryMirror include nfs-server include selinux diff --git a/manifests/nodes/serverbeach1.fedoraproject.org.pp b/manifests/nodes/serverbeach1.fedoraproject.org.pp index 3fffa23..295ea48 100644 --- a/manifests/nodes/serverbeach1.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach1{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/serverbeach2.fedoraproject.org.pp b/manifests/nodes/serverbeach2.fedoraproject.org.pp index 6a7d8fd..8a759ff 100644 --- a/manifests/nodes/serverbeach2.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach2.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach2{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/serverbeach3.fedoraproject.org.pp b/manifests/nodes/serverbeach3.fedoraproject.org.pp index 018ecf1..4338551 100644 --- a/manifests/nodes/serverbeach3.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach3.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach3{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi 
diff --git a/manifests/nodes/serverbeach4.fedoraproject.org.pp b/manifests/nodes/serverbeach4.fedoraproject.org.pp index f855620..ac878e6 100644 --- a/manifests/nodes/serverbeach4.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach4.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach4{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/serverbeach5.fedoraproject.org.pp b/manifests/nodes/serverbeach5.fedoraproject.org.pp index c4a1088..1776e8d 100644 --- a/manifests/nodes/serverbeach5.fedoraproject.org.pp +++ b/manifests/nodes/serverbeach5.fedoraproject.org.pp @@ -1,7 +1,7 @@ node serverbeach5{ $groups = 'sysadmin-main' include global - include fas + include fas::fas include vpn include xenHost include ipmi diff --git a/manifests/nodes/sign1.fedora.phx.redhat.com.pp b/manifests/nodes/sign1.fedora.phx.redhat.com.pp index e383736..d77ad31 100644 --- a/manifests/nodes/sign1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign1.fedora.phx.redhat.com.pp @@ -4,7 +4,7 @@ node sign1{ $groups = 'sysadmin-main,sysadmin-releng' include phx - include fas + include fas::fas #include global include pkgsigner diff --git a/manifests/nodes/sign2.fedora.phx.redhat.com.pp b/manifests/nodes/sign2.fedora.phx.redhat.com.pp index 3ca66e4..7620e80 100644 --- a/manifests/nodes/sign2.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign2.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node sign2{ $groups = 'sysadmin-main' include phx - include fas + include fas::fas include global include pkgsigner } diff --git a/manifests/nodes/sign3.fedora.phx.redhat.com.pp b/manifests/nodes/sign3.fedora.phx.redhat.com.pp index 2bafff9..18a4323 100644 --- a/manifests/nodes/sign3.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign3.fedora.phx.redhat.com.pp @@ -1,7 +1,7 @@ node sign3{ $groups = 'sysadmin-main' include phx - include fas + include fas::fas include global include pkgsigner } 
diff --git a/manifests/nodes/smtp-mm1.fedoraproject.org.pp b/manifests/nodes/smtp-mm1.fedoraproject.org.pp index c9c53c8..d5ad7fb 100644 --- a/manifests/nodes/smtp-mm1.fedoraproject.org.pp +++ b/manifests/nodes/smtp-mm1.fedoraproject.org.pp @@ -2,7 +2,7 @@ node smtp-mm1{ $groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools' $isMailmanSMTP=1 include global - include fas + include fas::fas include postfix::mailman_smtp # Firewall Rules, allow SMTP traffic through diff --git a/manifests/nodes/telia1.fedoraproject.org.pp b/manifests/nodes/telia1.fedoraproject.org.pp index 4e8433d..8035a27 100644 --- a/manifests/nodes/telia1.fedoraproject.org.pp +++ b/manifests/nodes/telia1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node telia1{ $groups='sysadmin-main' include xen-server - include fas + include fas::fas include vpn } diff --git a/manifests/nodes/test3.fedora.phx.redhat.com.pp b/manifests/nodes/test3.fedora.phx.redhat.com.pp index 303b1c3..0107987 100644 --- a/manifests/nodes/test3.fedora.phx.redhat.com.pp +++ b/manifests/nodes/test3.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node test3{ $groups='sysadmin-main,sysadmin-releng' - include fas + include fas::fas include phx include xen-guest } diff --git a/manifests/nodes/test4.fedora.phx.redhat.com.pp b/manifests/nodes/test4.fedora.phx.redhat.com.pp index d405088..bda764f 100644 --- a/manifests/nodes/test4.fedora.phx.redhat.com.pp +++ b/manifests/nodes/test4.fedora.phx.redhat.com.pp @@ -1,6 +1,6 @@ node test4{ $groups='sysadmin-main,sysadmin-releng' - include fas + include fas::fas include phx include xen-guest } diff --git a/manifests/nodes/test7.fedora.phx.redhat.com.pp b/manifests/nodes/test7.fedora.phx.redhat.com.pp index 414143a..62b6078 100644 --- a/manifests/nodes/test7.fedora.phx.redhat.com.pp +++ b/manifests/nodes/test7.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node test7{ $groups='sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas include fedoraproject-moin } 
diff --git a/manifests/nodes/test9.fedora.phx.redhat.com.pp b/manifests/nodes/test9.fedora.phx.redhat.com.pp index 4eaae80..c6d655f 100644 --- a/manifests/nodes/test9.fedora.phx.redhat.com.pp +++ b/manifests/nodes/test9.fedora.phx.redhat.com.pp @@ -2,6 +2,6 @@ node test9{ $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include phx include xen-guest - include fas + include fas::fas } diff --git a/manifests/nodes/torrent1.fedoraproject.org.pp b/manifests/nodes/torrent1.fedoraproject.org.pp index 8b11de1..afb7e31 100644 --- a/manifests/nodes/torrent1.fedoraproject.org.pp +++ b/manifests/nodes/torrent1.fedoraproject.org.pp @@ -1,6 +1,6 @@ node torrent1{ $groups = 'sysadmin-web,sysadmin-main,torrentadmin,sysadmin-noc,torrent-cc' include global - include fas + include fas::fas include torrent } diff --git a/manifests/nodes/tummy1.fedoraproject.org.pp b/manifests/nodes/tummy1.fedoraproject.org.pp index 357637a..ff41f41 100644 --- a/manifests/nodes/tummy1.fedoraproject.org.pp +++ b/manifests/nodes/tummy1.fedoraproject.org.pp @@ -1,7 +1,7 @@ node tummy1{ $groups='sysadmin-main' include xen-server - include fas + include fas::fas include vpn } diff --git a/manifests/nodes/xen6.fedora.phx.redhat.com.pp b/manifests/nodes/xen6.fedora.phx.redhat.com.pp index 8d8767e..69ff929 100644 --- a/manifests/nodes/xen6.fedora.phx.redhat.com.pp +++ b/manifests/nodes/xen6.fedora.phx.redhat.com.pp @@ -2,7 +2,7 @@ node xen6{ include phx $groups = 'sysadmin-main,sysadmin-cloud' include global - include fas + include fas::fas include ipmi include nagiosPhysical include selinux diff --git a/manifests/servergroups/appFcTest.pp b/manifests/servergroups/appFcTest.pp index 70154d0..94e1dcd 100644 --- a/manifests/servergroups/appFcTest.pp +++ b/manifests/servergroups/appFcTest.pp @@ -2,7 +2,7 @@ class appFcTest { $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include global include xen-guest - include fas + include fas::fas include dbaccess include mounts include wevisor-server 
diff --git a/manifests/servergroups/appRelEng.pp b/manifests/servergroups/appRelEng.pp index 8b4b790..c3bbf38 100644 --- a/manifests/servergroups/appRelEng.pp +++ b/manifests/servergroups/appRelEng.pp @@ -1,7 +1,7 @@ class appRelEng { $groups='sysadmin-main,sysadmin-noc,sysadmin-releng' include global - include fas + include fas::fas include xen-guest include mash include rsync::rsyncd diff --git a/manifests/servergroups/appRhel.pp b/manifests/servergroups/appRhel.pp index 0165f64..c8f85ef 100644 --- a/manifests/servergroups/appRhel.pp +++ b/manifests/servergroups/appRhel.pp @@ -3,7 +3,7 @@ class appRhel { include global include http_log include xen-guest - include fas + include fas::fas include dbaccess include pkgdb-server include bodhi-app diff --git a/manifests/servergroups/appRhelTest.pp b/manifests/servergroups/appRhelTest.pp index d68e275..ce4b633 100644 --- a/manifests/servergroups/appRhelTest.pp +++ b/manifests/servergroups/appRhelTest.pp @@ -2,7 +2,7 @@ class appRhelTest { $groups = 'sysadmin-main,sysadmin-test,sysadmin-noc' include global include xen-guest - include fas + include fas::fas include dbaccess-test #include genericContent #include hosted-server diff --git a/manifests/servergroups/asterisk.pp b/manifests/servergroups/asterisk.pp index 8f9ef9f..5d932fb 100644 --- a/manifests/servergroups/asterisk.pp +++ b/manifests/servergroups/asterisk.pp @@ -1,7 +1,7 @@ class asterisk { $groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools' include global - include fas + include fas::fas include asterisk::main include asterisk::stats include asterisk::recording diff --git a/manifests/servergroups/build.pp b/manifests/servergroups/build.pp index 145ec65..abaccac 100644 --- a/manifests/servergroups/build.pp +++ b/manifests/servergroups/build.pp @@ -3,7 +3,7 @@ class build { $sshd_config_StrictModes = "no" include global # include generic-iptables - include fas + include fas::fas include koji include plague-builder include mockuser 
diff --git a/manifests/servergroups/cnodes.pp b/manifests/servergroups/cnodes.pp index 1934097..8670b60 100644 --- a/manifests/servergroups/cnodes.pp +++ b/manifests/servergroups/cnodes.pp @@ -1,6 +1,6 @@ class cnodes { $groups='sysadmin-main,sysadmin-cloud' - include fas + include fas::fas include vpn # Firewall Rules, allow tftp $tcpPorts = [ 3260 ] diff --git a/manifests/servergroups/collab.pp b/manifests/servergroups/collab.pp index 8b041b9..463ac9b 100644 --- a/manifests/servergroups/collab.pp +++ b/manifests/servergroups/collab.pp @@ -1,7 +1,7 @@ class collab { $groups = 'sysadmin-main,sysadmin-noc,sysadmin-tools' include global - include fas + include fas::fas include vpn include selinux include sobby diff --git a/manifests/servergroups/compose.pp b/manifests/servergroups/compose.pp index 9478a25..c29b9e0 100644 --- a/manifests/servergroups/compose.pp +++ b/manifests/servergroups/compose.pp @@ -3,7 +3,7 @@ class composer { $groups = 'sysadmin-main,sysadmin-releng' include global # include generic-iptables - include fas + include fas::fas include mockuser include pungi-package include livecd-tools-package diff --git a/manifests/servergroups/cvs.pp b/manifests/servergroups/cvs.pp index 8dc4038..9ae2c97 100644 --- a/manifests/servergroups/cvs.pp +++ b/manifests/servergroups/cvs.pp @@ -5,7 +5,7 @@ class cvs { $sshd_config_PasswordAuthentication = 'no' $sshd_config_AllowTcpForwarding = 'no' include global - include fas + include fas::fas include cvs-pkgs include rsync::rsyncd include drbackupPubKey diff --git a/manifests/servergroups/db.pp b/manifests/servergroups/db.pp index 43826cc..27fb1d3 100644 --- a/manifests/servergroups/db.pp +++ b/manifests/servergroups/db.pp @@ -1,7 +1,7 @@ class db { $groups = 'sysadmin-main,sysadmin-dba,sysadmin-noc' include global - include fas + include fas::fas include selinux include aide::scanner include backupPubKey 
diff --git a/manifests/servergroups/fas-server.pp b/manifests/servergroups/fas-server.pp index 3bfba90..6daed2a 100644 --- a/manifests/servergroups/fas-server.pp +++ b/manifests/servergroups/fas-server.pp @@ -2,7 +2,7 @@ class fasServerBase { $groups = 'sysadmin-main' include global include xen-guest - include fas + include fas::fas include vpn # Firewall Rules, allow web bodhi traffic through @@ -24,11 +24,11 @@ class fasServerBase { } class fasServer inherits fasServerBase { - include fas-server + include fas::fas-server } class fasServerGenCert inherits fasServerBase { - include fas-server-gencert + include fas::fas-server-gencert semanage_fcontext { '/var/lib/fedora-ca/crl(/.*)?': type => 'httpd_sys_script_rw_t' diff --git a/manifests/servergroups/gateway.pp b/manifests/servergroups/gateway.pp index d33ca7d..7a214b5 100644 --- a/manifests/servergroups/gateway.pp +++ b/manifests/servergroups/gateway.pp @@ -8,7 +8,7 @@ class gateway{ include global include snmp-utils include vpn-server - include fas + include fas::fas #include selinux-enforcing include selinux include spamassassin_server diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp index 2708ced..eb9306b 100644 --- a/manifests/servergroups/hosted.pp +++ b/manifests/servergroups/hosted.pp @@ -6,7 +6,7 @@ class hosted { $sshd_config_AllowTcpForwarding = 'no' include global include hosted-server - include fas + include fas::fas # include hosted-proxy include rsync::rsyncd include selinux diff --git a/manifests/servergroups/koji.pp b/manifests/servergroups/koji.pp index 59477bd..d6801a8 100644 --- a/manifests/servergroups/koji.pp +++ b/manifests/servergroups/koji.pp @@ -1,7 +1,7 @@ class kojimasters { $groups = 'sysadmin-build,sysadmin-main,sysadmin-noc' include global - include fas + include fas::fas include kojimaster include selinux include nfs-server diff --git a/manifests/servergroups/noc.pp b/manifests/servergroups/noc.pp index c8f193d..d58e18d 100644 
--- a/manifests/servergroups/noc.pp +++ b/manifests/servergroups/noc.pp @@ -1,7 +1,7 @@ class noc { $groups = 'sysadmin-main,sysadmin-noc' include global - include fas + include fas::fas include nagios-server include cacti-server include selinux diff --git a/manifests/servergroups/proxy.pp b/manifests/servergroups/proxy.pp index 6d9fb2b..85702ae 100644 --- a/manifests/servergroups/proxy.pp +++ b/manifests/servergroups/proxy.pp @@ -3,7 +3,7 @@ class proxy { include global include http_log include proxyserver - include fas + include fas::fas include autofs include haproxy::server include smolt-proxy @@ -19,7 +19,7 @@ class proxy { include admin-proxy include nagios-proxy include cacti-proxy - include fas-proxy + include fas::fas-proxy include infrastructure-proxy #include voting-proxy include pkgdb-proxy diff --git a/manifests/servergroups/puppet.pp b/manifests/servergroups/puppet.pp index c393f9a..4a7c5e5 100644 --- a/manifests/servergroups/puppet.pp +++ b/manifests/servergroups/puppet.pp @@ -3,7 +3,7 @@ class puppetServer { $is_certmaster=1 include global include phx - include fas + include fas::fas include infrastructure-repo include puppet::master include scripts::sync-rhn diff --git a/manifests/servergroups/valueadd.pp b/manifests/servergroups/valueadd.pp index 655f6d7..efebd55 100644 --- a/manifests/servergroups/valueadd.pp +++ b/manifests/servergroups/valueadd.pp @@ -3,7 +3,7 @@ class valueadd { include global include http_log include xen-guest - include fas + include fas::fas include dbaccess if $phx::inPHX { diff --git a/manifests/servergroups/xen-server.pp b/manifests/servergroups/xen-server.pp index 90086f7..c581b84 100644 --- a/manifests/servergroups/xen-server.pp +++ b/manifests/servergroups/xen-server.pp 
@@ -5,7 +5,7 @@ class xen-server { $groups = 'sysadmin-main' } include global - include fas + include fas::fas include xenHost include ipmi include nagiosPhysical commit 0687715af06ef76fa9288ca521e4daae37f19cb0 Author: Mike McGrath <mmcgrath@xxxxxxxxxx> Date: Wed Apr 8 20:00:26 2009 +0000 removed old fas files diff --git a/configs/fas/fasSync b/configs/fas/fasSync deleted file mode 100644 index 4f9f643..0000000 --- a/configs/fas/fasSync +++ /dev/null @@ -1 +0,0 @@ -24 * * * * root /bin/sleep $(($RANDOM/20)); /usr/bin/fasClient -i > /dev/null 2>&1 diff --git a/configs/fas/nsswitch.conf b/configs/fas/nsswitch.conf deleted file mode 100644 index fb4ff62..0000000 --- a/configs/fas/nsswitch.conf +++ /dev/null @@ -1,45 +0,0 @@ -# /etc/nsswitch.conf -# -# An example Name Service Switch config file. This file should be -# sorted with the most-used services at the beginning. -# -# The entry '[NOTFOUND=return]' means that the search for an -# entry should stop if the search in the previous entry turned -# up nothing. Note that if the search failed due to some other reason -# (like no NIS server responding) then the search continues with the -# next entry. -# -# Legal entries are: -# -# nisplus or nis+ Use NIS+ (NIS version 3) -# nis or yp Use NIS (NIS version 2), also called YP -# dns Use DNS (Domain Name Service) -# files Use the local files -# db Use the local database (.db) files -# compat Use NIS on compat mode -# hesiod Use Hesiod for user lookups -# [NOTFOUND=return] Stop searching if not found so far -# - -passwd: db files -shadow: db files -group: db files - -#hosts: db files nisplus nis dns -hosts: files dns - -bootparams: nisplus [NOTFOUND=return] files - -ethers: files -netmasks: files -networks: files -protocols: files -rpc: files -services: files - -netgroup: files - -publickey: nisplus - -automount: files -aliases: files nisplus 
diff --git a/configs/system/export-bugzilla.cfg.erb b/configs/system/export-bugzilla.cfg.erb deleted file mode 100644 index 6c65f07..0000000 --- a/configs/system/export-bugzilla.cfg.erb +++ /dev/null @@ -1,11 +0,0 @@ -[global] -# bugzilla.url = https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi -# Running from fas1 so we need the PHX available address. -bugzilla.url = "https://bzprx.vip.phx.redhat.com/xmlrpc.cgi" -# bugzilla.url = "https://bugzilla.redhat.com/xmlrpc.cgi" -bugzilla.username = "<%= bugzillaUser %>" -bugzilla.password = "<%= bugzillaPassword %>" - -# At the moment, we have to extract this information directly from the fas2 -# database. We can build a json interface for it at a later date. -sqlalchemy.dburi = "postgres://fas:<%= fasDbPassword %>@db2/fas2" diff --git a/configs/system/export-bugzilla.py b/configs/system/export-bugzilla.py deleted file mode 100755 index 4b6b416..0000000 --- a/configs/system/export-bugzilla.py +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/usr/bin/python -t -__requires__ = 'TurboGears' -import pkg_resources -pkg_resources.require('CherryPy >= 2.0, < 3.0alpha') - -import sys -import getopt -import xmlrpclib -import turbogears -from turbogears import config -turbogears.update_config(configfile="/etc/export-bugzilla.cfg") -from turbogears.database import session -from fas.model import BugzillaQueue - -BZSERVER = config.get('bugzilla.url', 'https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi') -BZUSER = config.get('bugzilla.username') -BZPASS = config.get('bugzilla.password') - -if __name__ == '__main__': - opts, args = getopt.getopt(sys.argv[1:], '', ('usage', 'help')) - if len(args) != 2 or ('--usage','') in opts or ('--help','') in opts: - print """ - Usage: export-bugzilla.py GROUP BUGZILLA_GROUP - """ - sys.exit(1) - ourGroup = args[0] - bzGroup = args[1] - - server = xmlrpclib.Server(BZSERVER) - bugzilla_queue = BugzillaQueue.query.join('group').filter_by( - name=ourGroup) - - for entry in bugzilla_queue: - # Make sure we have a record for this user in bugzilla - if entry.action == 'r': - # Remove the user's bugzilla group - try: - server.bugzilla.updatePerms(entry.email, 'rem', (bzGroup,), - BZUSER, BZPASS) - except xmlrpclib.Fault, e: - if e.faultCode == 504: - # It's okay, not having this user is equivalent to setting - # them to not have this group. - pass - else: - raise - - elif entry.action == 'a': - # Try to create the user - try: - server.bugzilla.addUser(entry.email, entry.person.human_name, BZUSER, BZPASS) - except xmlrpclib.Fault, e: - if e.faultCode == 500: - # It's okay, we just need to make sure the user has an - # account. 
- pass - else: - print entry.email,entry.person.human_name - raise - server.bugzilla.updatePerms(entry.email, 'add', (bzGroup,), - BZUSER, BZPASS) - else: - print 'Unrecognized action code: %s %s %s %s %s' % (entry.action, - entry.email, entry.person.human_name, entry.person.username, entry.group.name) - - # Remove them from the queue - session.delete(entry) - session.flush() diff --git a/configs/system/fas.conf.erb b/configs/system/fas.conf.erb deleted file mode 100644 index d8a3e05..0000000 --- a/configs/system/fas.conf.erb +++ /dev/null 
@@ -1,78 +0,0 @@ -[global] -; url - Location to fas server -url = https://admin.fedoraproject.org/accounts/ - -; temp - Location to generate files while user creation process is happening -temp = /var/db - -; login - username to contact fas -login = systems - -; password - password for login name -password = <%= systemsUserPassword %> - -; prefix - install to a location other than / -prefix = / - -[host] -; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups -; so if someone is in all 3, the client behaves the same as if they were just -; in 'groups' - -; groups that should have a shell account on this system. -<% if groups != "NONE" %> -groups = <%= groups %> -<% else %> -groups = sysadmin-main -<% end %> -; groups that should have a restricted account on this system. -; restricted accounts use the restricted_shell value in [users] -restricted_groups = - -; ssh_restricted_groups: groups that should be restricted by ssh key. You will -; need to disable password based logins in order for this value to have any -; security meaning. Group types can be placed here as well, for example -; @hg,@git,@svn -<% if sshGroups %> -ssh_restricted_groups = <%= sshGroups %> -<% else %> -ssh_restricted_groups = -<% end %> - -; aliases_template: Gets prepended to the aliases file when it is generated by -; fasClient -aliases_template = /etc/aliases.template - -[users] -; default shell given to people in [host] groups -shell = /bin/bash - -; home - the location for fas user home dirs -home = /home/fedora - -; home_backup_dir - Location home dirs should get moved to when a user is -; deleted this location should be tmpwatched -home_backup_dir = /home/fedora.bak - -; ssh_restricted_app - This is the path to the restricted shell script. It -; will not work automatically for most people though through alterations it -; is a powerfull way to restrict access to a machine. 
An alternative example -; could be given to people who should only have cvs access on the machine. -; setting this value to "/usr/bin/cvs server" would do this. -<% if restrictedApp %> -ssh_restricted_app = "<%= restrictedApp %>" -<% else %> -ssh_restricted_app = "/usr/bin/cvs server" -<% end %> - -; restricted_shell - The shell given to users in the ssh_restricted_groups -restricted_shell = /sbin/nologin - -; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups -ssh_restricted_shell = /bin/bash - -; ssh_key_options - Options to be appended to people ssh keys. Users in the -; ssh_restricted_groups will have the keys they uploaded altered when they are -; installed on this machine, appended with the options below. -ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty - diff --git a/configs/web/accounts-proxy.conf b/configs/web/accounts-proxy.conf deleted file mode 100644 index 29c9de6..0000000 --- a/configs/web/accounts-proxy.conf +++ /dev/null @@ -1,12 +0,0 @@ -# fas1 is the only place for gencert right now -RewriteRule /accounts/user/gencert http://fas1/accounts/user/gencert [P] -RewriteRule /accounts/user/dogencert http://fas1/accounts/user/dogencert [P] -# pass ca requests on needed for CRL -ProxyPass /ca http://fas1/ca -ProxyPassReverse /ca http://fas1/ca - -#RewriteRule ^/accounts/(.*) balancer://accountsCluster/accounts/$1 [P] -#RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L] - -RewriteRule ^/accounts/(.*) http://localhost:10004/accounts/$1 [P] -RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L] diff --git a/configs/web/accounts.fedoraproject.org.conf b/configs/web/accounts.fedoraproject.org.conf deleted file mode 100644 index 1220803..0000000 --- a/configs/web/accounts.fedoraproject.org.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -# proxy1 - 10.8.32.122 -# proxy2 - 10.8.32.121 -# proxy3 - 66.35.62.166 -# proxy4 - 152.46.7.222 -# proxy5 - 80.239.156.215 - - -<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80> - ServerName accounts.fedoraproject.org - ServerAdmin admin@xxxxxxxxxxxxxxxxx - - include "conf.d/accounts.fedoraproject.org/*.conf -</VirtualHost> diff --git a/configs/web/accounts.fedoraproject.org/logs.conf b/configs/web/accounts.fedoraproject.org/logs.conf deleted file mode 100644 index 733e6e3..0000000 --- a/configs/web/accounts.fedoraproject.org/logs.conf +++ /dev/null @@ -1,2 +0,0 @@ -CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-access.log.%Y-%m-%d 86400" combined -ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/configs/web/accounts.fedoraproject.org/redirect.conf b/configs/web/accounts.fedoraproject.org/redirect.conf deleted file mode 100644 index 1fc6864..0000000 --- a/configs/web/accounts.fedoraproject.org/redirect.conf +++ /dev/null @@ -1 +0,0 @@ -Redirect permanent / https://admin.fedoraproject.org/accounts/ diff --git a/configs/web/applications/Makefile.fedora-ca b/configs/web/applications/Makefile.fedora-ca deleted file mode 100644 index 5da1ea9..0000000 --- a/configs/web/applications/Makefile.fedora-ca +++ /dev/null 
@@ -1,70 +0,0 @@ -# $Id: Makefile,v 1.4 2006/06/20 18:55:37 jmates Exp $ -# -# NOTE If running OpenSSL 0.9.8a or higher, see -newkey, below. -# -# Automates the setup of a custom Certificate Authority and provides -# routines for signing and revocation of certificates. To use, first -# customize the commands in this file and the settings in openssl.cnf, -# then run: -# -# make init -# -# Then, copy in certificate signing requests, and ensure their suffix is -# .csr before signing them with the following command: -# -# make sign -# -# To revoke a key, name the certificate file with the cert option -# as shown below: -# -# make revoke cert=foo.cert -# -# This will revoke the certificate and call gencrl; the revocation list -# will then need to be copied somehow to the various systems that use -# your CA cert. - -requests = *.csr - -# remove -batch option if want chance to not certify a particular request -sign: FORCE - @openssl ca -batch -config openssl.cnf -days 180 -in $(req) -out $(cert) - -revoke: - @test $${cert:?"usage: make revoke cert=certificate"} - @openssl ca -config openssl.cnf -revoke $(cert) - @$(MAKE) gencrl - -gencrl: - @openssl ca -config openssl.cnf -gencrl -out crl/crl.pem - -clean: - -rm ${requests} - -# creates required supporting files, CA key and certificate -init: - @test ! 
-f serial - @mkdir crl newcerts private - @chmod go-rwx private - @echo '01' > serial - @touch index - # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher - @openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM - -help: - @echo make sign req=in.csr cert=out.cert - @echo ' - signs in.csr, outputting to out.cert' - @echo - @echo make revoke cert=filename - @echo ' - revokes certificate in named file and calls gencrl' - @echo - @echo make gencrl - @echo ' - updates Certificate Revocation List (CRL)' - @echo - @echo make clean - @echo ' - removes all *.csr files in this directory' - @echo - @echo make init - @echo ' - required initial setup command for new CA' - -# for legacy make support -FORCE: diff --git a/configs/web/applications/accounts-pubring.gpg b/configs/web/applications/accounts-pubring.gpg deleted file mode 100644 index c75ba2c..0000000 Binary files a/configs/web/applications/accounts-pubring.gpg and /dev/null differ diff --git a/configs/web/applications/accounts.conf b/configs/web/applications/accounts.conf deleted file mode 100644 index ad5803a..0000000 --- a/configs/web/applications/accounts.conf +++ /dev/null 
@@ -1,26 +0,0 @@ -Alias /accounts/static /usr/share/fas/static -Alias /favicon.ico /usr/share/fas/static/favicon.ico -Alias /accounts/fedora-server-ca.cert /usr/share/fas/static/fedora-server-ca.cert -Alias /accounts/fedora-upload-ca.cert /usr/share/fas/static/fedora-upload-ca.cert -# For serving the crl -Alias /ca /srv/web/ca -CacheDisable /ca/crl.pem -AddType application/x-x509-ca-cert cacert.pem -AddType application/x-x509-crl crl.pem - -WSGISocketPrefix run/wsgi - -# TG implements its own signal handler. -WSGIRestrictSignal Off - -# These are the real tunables -WSGIDaemonProcess fas processes=8 threads=2 maximum-requests=50000 user=fas group=fas display-name=fas inactivity-timeout=300 -WSGIPythonOptimize 2 - -WSGIScriptAlias /accounts /usr/lib/python2.4/site-packages/fas/fas.wsgi/accounts - -<Directory /usr/lib/python2.4/site-packages/fas/> - WSGIProcessGroup fas - Order deny,allow - Allow from all -</Directory> diff --git a/configs/web/applications/certhelper.py b/configs/web/applications/certhelper.py deleted file mode 100755 index 3c278a8..0000000 --- a/configs/web/applications/certhelper.py +++ /dev/null 
@@ -1,280 +0,0 @@ -#!/usr/bin/python -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Library General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# Copyright 2005 Dan Williams <dcbw@xxxxxxxxxx> and Red Hat, Inc. - - -import sys, os, tempfile - -OPENSSL_PROG = '/usr/bin/openssl' - -def print_usage(prog): - print "\nUsage:\n" - print " %s ca --outdir=<outdir> --name=<name>\n" % prog - print " %s normal --outdir=<outdir> --name=<name> --cadir=<cadir> --caname=<ca-name>" % prog - print "" - print " Types:" - print " ca - Build system Certificate Authority key & certificate" - print " normal - Key & certificate that works with the build server and builders" - print "" - print "Examples:\n" - print " %s ca --outdir=/etc/plague/ca --name=my_ca" % prog - print " %s normal --outdir=/etc/plague/server/certs --name=server --cadir=/etc/plague/ca --caname=my_ca" % prog - print " %s normal --outdir=/etc/plague/builder/certs --name=builder1 --cadir=/etc/plague/ca --caname=my_ca" % prog - print "\n" - - -class CertHelperException: - def __init__(self, message): - self.message = message - - -class CertHelper: - def __init__(self, prog, outdir, name): - self._prog = prog - self._outdir = outdir - self._name = name - - def dispatch(self, cmd, argslist): - if cmd.lower() == 'ca': - self._gencert_ca(argslist) - elif cmd.lower() == 'normal': - self._gencert_normal(argslist) - 
else: - print_usage(self._prog) - - def _gencert_ca(self, args): - # Set up CA directory - if not os.path.exists(self._outdir): - os.makedirs(self._outdir) - try: - os.makedirs(os.path.join(self._outdir, 'certs')) - os.makedirs(os.path.join(self._outdir, 'crl')) - os.makedirs(os.path.join(self._outdir, 'newcerts')) - os.makedirs(os.path.join(self._outdir, 'private')) - except: - pass - cert_db = os.path.join(self._outdir, "index.txt") - os.system("/bin/touch %s" % cert_db) - serial = os.path.join(self._outdir, "serial") - if not os.path.exists(serial): - os.system("/bin/echo '01' > %s" % serial) - - cnf = write_openssl_cnf(self._outdir, self._name, {}) - - # Create the CA key - key_file = os.path.join(self._outdir, "private", "cakey.pem") - cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - - # Make the self-signed CA certificate - cert_file = os.path.join(self._outdir, "%s_ca_cert.pem" % self._name) - cmd = "%s req -config %s -new -x509 -days 3650 -key %s -out %s -extensions v3_ca" % (OPENSSL_PROG, cnf, key_file, cert_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - - os.remove(cnf) - print "Success. 
Your Certificate Authority directory is: %s\n" % self._outdir - - def _gencert_normal(self, args): - cadir = argfind(args, 'cadir') - if not cadir: - print_usage(self._prog) - sys.exit(1) - caname = argfind(args, 'caname') - if not caname: - print_usage(self._prog) - sys.exit(1) - - cnf = write_openssl_cnf(cadir, caname, {}) - - # Generate key - key_file = os.path.join(self._outdir, "%s_key.pem" % self._name) - cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - print "" - - # Generate the certificate request - req_file = os.path.join(self._outdir, "%s_req.pem" % self._name) - cmd = '%s req -config %s -new -nodes -out %s -key %s' % (OPENSSL_PROG, cnf, req_file, key_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - print "" - - # Sign the request with the CA's certificate and key - cert_file = os.path.join(self._outdir, "%s_cert.pem" % self._name) - cmd = '%s ca -config %s -days 3650 -out %s -infiles %s' % (OPENSSL_PROG, cnf, cert_file, req_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - print "" - - # Cat the normal cert and key together - key_and_cert = os.path.join(self._outdir, "%s_key_and_cert.pem" % self._name) - cmd = '/bin/cat %s %s > %s' % (key_file, cert_file, key_and_cert) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - - # Cleanup: remove the cert, key, and request files - cmd = "/bin/rm -f %s %s %s" % (key_file, req_file, cert_file) - if os.system(cmd) != 0: - raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) - - os.remove(cnf) - print "Success. 
Your certificate and key file is: %s\n" % key_and_cert - - -def write_openssl_cnf(home, ca_name, opt_dict): - (fd, name) = tempfile.mkstemp('', 'openssl_cnf_', dir=None, text=True) - os.write(fd, """ -############################## -HOME = %s -RANDFILE = .rand - -############################## -[ ca ] -default_ca = CA_default\n - -############################## -[ CA_default ] - -dir = $HOME -certs = $dir/certs -crl_dir = $dir/crl -database = $dir/index.txt -new_certs_dir = $dir/newcerts - -certificate = $dir/cacert.pem -private_key = $dir/private/cakey.pem -serial = $dir/serial -crl = $dir/crl.pem - -x509_extensions = usr_cert - -name_opt = ca_default -cert_opt = ca_default - -default_days = 3650 -default_crl_days= 30 -default_md = md5 -preserve = no - -policy = policy_match - -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -############################## -[ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -string_mask = MASK:0x2002 - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = US -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = North Carolina - -localityName = Locality Name (eg, city) -localityName_default = Raleigh - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Fedora Project - -organizationalUnitName = Organizational Unit Name (eg, section) - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - 
-unstructuredName = An optional company name - -############################## -[ usr_cert ] - -basicConstraints=CA:FALSE -nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -############################## -[ v3_ca ] - -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:true - -""" % (home)) - - return name - -def argfind(arglist, prefix): - val = None - for arg in arglist: - if arg.startswith('--%s=' % prefix): - val = arg - break - if not val: - return None - val = val.replace('--%s=' % prefix, '') - return val - -if __name__ == '__main__': - prog = sys.argv[0] - if len(sys.argv) < 3: - print_usage(prog) - sys.exit(1) - - outdir = argfind(sys.argv, 'outdir') - if not outdir: - print_usage(prog) - sys.exit(1) - - name = argfind(sys.argv, 'name') - if not name: - print_usage(prog) - sys.exit(1) - - ch = CertHelper(prog, outdir, name) - try: - ch.dispatch(sys.argv[1], sys.argv) - except CertHelperException, e: - print e.message - sys.exit(1) - - sys.exit(0) - diff --git a/configs/web/applications/fas-log.cfg b/configs/web/applications/fas-log.cfg deleted file mode 100644 index 3f7843d..0000000 --- a/configs/web/applications/fas-log.cfg +++ /dev/null @@ -1,29 +0,0 @@ -# LOGGING -# Logging is often deployment specific, but some handlers and -# formatters can be defined here. - -[logging] -[[formatters]] -[[[message_only]]] -format='*(message)s' - -[[[full_content]]] -format='*(name)s *(levelname)s *(message)s' - -[[handlers]] -[[[debug_out]]] -class='StreamHandler' -level='DEBUG' -args='(sys.stdout,)' -formatter='full_content' - -[[[access_out]]] -class='StreamHandler' -level='INFO' -args='(sys.stdout,)' -formatter='message_only' - -[[[error_out]]] -class='StreamHandler' -level='ERROR' -args='(sys.stdout,)' diff --git a/configs/web/applications/fas-prod.cfg.erb b/configs/web/applications/fas-prod.cfg.erb deleted file mode 100644 index fa85c4a..0000000 
--- a/configs/web/applications/fas-prod.cfg.erb +++ /dev/null 
@@ -1,163 +0,0 @@ -[global] -samadhi.baseurl = 'https://admin.fedoraproject.org/' - -admingroup = 'accounts' -systemgroup = 'fas-system' -thirdpartygroup = 'thirdparty' - -theme = 'fas' - -accounts_email = "accounts@xxxxxxxxxxxxxxxxx" -legal_cla_email = "legal-cla-archive@xxxxxxxxxxxxxxxxx" - -email_host = "fedoraproject.org" # as in, web-members@email_host - -gpgexec = "/usr/bin/gpg" -gpghome = "/etc/fas-gpg" -gpg_fingerprint = "7662 A6D3 4F21 A653 7BD4 BA64 20A0 8C45 4A0E 6255" -gpg_passphrase = "<%= fasGpgPassphrase %>" -gpg_keyserver = "hkp://subkeys.pgp.net" - -cla_done_group = "cla_done" -cla_fedora_group = "cla_fedora" - -privileged_view_groups = "(^fas-.*)" -username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,famsco,fax,fedora,fedorarewards,fesco,freemedia,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" - -openidstore = "/var/tmp/fas/openid" - -# Enable or disable generation of SSL certificates for users -gencert = <%= genCert %> - -makeexec = "/usr/bin/make" -openssl_lockdir = "/var/lock/fedora-ca" -openssl_digest = "md5" -openssl_expire = 15552000 # 60*60*24*180 = 6 months -openssl_ca_dir = "/var/lib/fedora-ca" -openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts" -openssl_ca_index = "/var/lib/fedora-ca/index.txt" -openssl_c = "US" -openssl_st = "North Carolina" -openssl_l 
= "Raleigh" -openssl_o = "Fedora Project" -openssl_ou = "Fedora User Cert" - -# Groups that automatically grant membership to other groups -# Format: 'group1:a,b,c|group2:d,e,f' -auto_approve_groups = 'packager:fedorabugs|cla_fedora:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done' - -# This is where all of your settings go for your development environment -# Settings that are the same for both development and production -# (such as template engine, encodings, etc.) all go in -# fas/config/app.cfg - -mail.on = True -mail.server = 'bastion' -#mail.testmode = True -mail.debug = False -mail.encoding = 'utf-8' - -# DATABASE - -# pick the form for your database -# sqlobject.dburi="postgres://username@hostname/databasename" -# sqlobject.dburi="mysql://username:password@hostname:port/databasename" -# sqlobject.dburi="sqlite:///file_name_and_path" - -# If you have sqlite, here's a simple default to get you started -# in development -sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db2/fas2" -sqlalchemy.echo=False - -# if you are using a database or table type without transactions -# (MySQL default, for example), you should turn off transactions -# by prepending notrans_ on the uri -# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename" - -# for Windows users, sqlite URIs look like: -# sqlobject.dburi="sqlite:///drive_letter:/path/to/file" - -# SERVER - -# Some server parameters that you may want to tweak -server.socket_port=8088 -server.thread_pool=50 -server.socket_queue_size=30 - -# FAS2 is mmuch busier than other servers due to serving visit and auth via -# JSON. -# Double pool_size -#sqlalchemy.pool_size=10 -# And increase overflow above what other servers have -#sqlalchemy.max_overflow=25 -# When using wsgi, we want the pool to be very low (as a separate instance is -# run in each apache mod_wsgi thread. So each one is going to have very few -# concurrent db connections. 
-sqlalchemy.pool_size=1 -sqlalchemy.max_overflow=2 - -# Enable the debug output at the end on pages. -# log_debug_info_filter.on = False - -server.environment="production" -autoreload.package="fas" - -session_filter.on = True - -# Set to True if you'd like to abort execution if a controller gets an -# unexpected parameter. False by default -tg.strict_parameters = True -tg.ignore_parameters = ["_csrf_token"] - -server.webpath='/accounts' -base_url_filter.on = True -base_url_filter.use_x_forwarded_host = True -base_url_filter.base_url = "https://admin.fedoraproject.org" - -# Make the session cookie only return to the host over an SSL link -visit.cookie.secure = True -session_filter.cookie_secure = True - -[/fedora-server-ca.cert] -static_filter.on = True -static_filter.file = "/etc/pki/fas/fedora-server-ca.cert" - -[/fedora-upload-ca.cert] -static_filter.on = True -static_filter.file = "/etc/pki/fas/fedora-upload-ca.cert" - -# LOGGING -# Logging configuration generally follows the style of the standard -# Python logging module configuration. Note that when specifying -# log format messages, you need to use *() for formatting variables. -# Deployment independent log configuration is in fas/config/log.cfg -[logging] - -[[loggers]] -[[[fas]]] -level='DEBUG' -qualname='fas' -handlers=['debug_out'] - -[[[allinfo]]] -level='INFO' -handlers=['debug_out'] - -#[[[access]]] -#level='INFO' -#qualname='turbogears.access' -#handlers=['access_out'] -#propagate=0 - -[[[identity]]] -level='INFO' -qualname='turbogears.identity' -handlers=['access_out'] -propagate=0 - -[[[database]]] -# Set to INFO to make SQLAlchemy display SQL commands -level='ERROR' -qualname='sqlalchemy.engine' -handlers=['debug_out'] -propagate=0 diff --git a/configs/web/applications/fas.wsgi b/configs/web/applications/fas.wsgi deleted file mode 100644 index 865cc08..0000000 --- a/configs/web/applications/fas.wsgi +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/usr/bin/python -import sys -sys.path.append('/usr/lib/python2.4/site-packages/fas/') -sys.stdout = sys.stderr - -import pkg_resources -pkg_resources.require('CherryPy <= 3.0alpha') - -import os -os.environ['PYTHON_EGG_CACHE'] = '/var/www/.python-eggs' - -import atexit -import cherrypy -import cherrypy._cpwsgi -import turbogears -import turbogears.startup -from formencode.variabledecode import NestedVariables -import fedora.tg.util - -class MyNestedVariablesFilter(object): - def before_main(self): - if hasattr(cherrypy.request, "params"): - cherrypy.request.params_backup = cherrypy.request.params - cherrypy.request.params = \ - NestedVariables.to_python(cherrypy.request.params or {}) - -turbogears.startup.NestedVariablesFilter = MyNestedVariablesFilter - -turbogears.update_config(configfile="/etc/fas.cfg", modulename="fas.config") -turbogears.config.update({'global': {'server.environment': 'production'}}) -turbogears.config.update({'global': {'autoreload.on': False}}) -turbogears.config.update({'global': {'server.log_to_screen': False}}) -turbogears.config.update({'global': {'server.webpath': '/accounts'}}) -turbogears.config.update({'global': {'base_url_filter.on': True}}) -turbogears.config.update({'global': {'base_url_filter.base_url': 'https://admin.fedoraproject.org'}}) -#turbogears.config.update({'global': {'sqlalchemy.recycle': '10'}}) - -turbogears.startup.call_on_startup.append(fedora.tg.util.enable_csrf) - -import fas.controllers - -cherrypy.root = fas.controllers.Root() - -if cherrypy.server.state == 0: - atexit.register(cherrypy.server.stop) - cherrypy.server.start(init_only=True, server_class=None) - -def application(environ, start_response): - environ['SCRIPT_NAME'] = '' - return cherrypy._cpwsgi.wsgiApp(environ, start_response) diff --git a/configs/web/applications/fedora-ca-client-openssl.cnf b/configs/web/applications/fedora-ca-client-openssl.cnf deleted file mode 100644 index 5c3bb15..0000000 
--- a/configs/web/applications/fedora-ca-client-openssl.cnf +++ /dev/null 
@@ -1,317 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = /var/lib/fedora-ca/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = . # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. - -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem # The private key -RANDFILE = $dir/private/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. 
-name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = sha1 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 2048 -default_md = sha1 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 
-# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -# we use PrintableString+UTF8String mask so if pure ASCII texts are used -# the resulting certificates are compatible with Netscape -string_mask = MASK:0x2002 - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = US -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = North Carolina - -localityName = Locality Name (eg, city) -localityName_default = Raleigh - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Fedora Project - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -#challengePassword = A challenge password -#challengePassword_min = 0 -#challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. 
-# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! 
-# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always - -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 
diff --git a/configs/web/fas.fedoraproject.org.conf b/configs/web/fas.fedoraproject.org.conf deleted file mode 100644 index 7db2e97..0000000 --- a/configs/web/fas.fedoraproject.org.conf +++ /dev/null @@ -1,13 +0,0 @@ -# proxy1 - 10.8.32.122 -# proxy2 - 10.8.32.121 -# proxy3 - 66.35.62.166 -# proxy4 - 152.46.7.222 -# proxy5 - 80.239.156.215 - - -<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80> - ServerName fas.fedoraproject.org - ServerAdmin admin@xxxxxxxxxxxxxxxxx - - include "conf.d/fas.fedoraproject.org/*.conf -</VirtualHost> diff --git a/configs/web/fas.fedoraproject.org/logs.conf b/configs/web/fas.fedoraproject.org/logs.conf deleted file mode 100644 index 9195af7..0000000 --- a/configs/web/fas.fedoraproject.org/logs.conf +++ /dev/null @@ -1,2 +0,0 @@ -CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-access.log.%Y-%m-%d 86400" combined -ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/configs/web/fas.fedoraproject.org/redirect.conf b/configs/web/fas.fedoraproject.org/redirect.conf deleted file mode 100644 index 1fc6864..0000000 --- a/configs/web/fas.fedoraproject.org/redirect.conf +++ /dev/null @@ -1 +0,0 @@ -Redirect permanent / https://admin.fedoraproject.org/accounts/ diff --git a/manifests/services/fas.pp b/manifests/services/fas.pp deleted file mode 100644 index 3ae09e3..0000000 --- a/manifests/services/fas.pp +++ /dev/null 
@@ -1,292 +0,0 @@ -# Fedora Account System -class fas { - include fas-clients-package - include python-fedora-package - - if $groups { - $notGroup = '' - } else { - $groups = 'sysadmin-main' - } - if $sshGroups { - $notSshGroup = '' - } else { - $sshGroups = '' - } - if $restrictedApp { - $notRestrictedApp = '' - } else { - $restrictedApp = '/usr/bin/cvs server' - } - - configfile { "/etc/nsswitch.conf": - source => "fas/nsswitch.conf" - } - templatefile { '/etc/fas.conf': - content => template('system/fas.conf.erb'), - mode => '0600', - - } -# exec { 'make-accounts': -# command => '/usr/bin/fasClient -e; /usr/bin/fasClient -i', -# subscribe => Templatefile['/etc/fas.conf'], -# require => Package['fas-clients'], -# refreshonly => true -# } - configfile { '/etc/cron.d/fasSync': - source => 'fas/fasSync', - require => Package[fas-clients], - } - file { "/root/bin/": - ensure => directory, - } - cert { '/etc/sudoers': - source => "secure/sudoers" - } -} - -class fas-proxy inherits httpd { - apachefile { "/etc/httpd/conf.d/admin.fedoraproject.org/accounts.conf": - source => 'web/accounts-proxy.conf' - } - - apachefile { '/etc/httpd/conf.d/fas.fedoraproject.org.conf': - source => 'web/fas.fedoraproject.org.conf', - } - - apachefile { '/etc/httpd/conf.d/fas.fedoraproject.org/': - source => 'web/fas.fedoraproject.org/', - recurse => true - } - - apachefile { '/etc/httpd/conf.d/accounts.fedoraproject.org.conf': - source => 'web/accounts.fedoraproject.org.conf', - } - - apachefile { '/etc/httpd/conf.d/accounts.fedoraproject.org/': - source => 'web/accounts.fedoraproject.org/', - recurse => true - } - -} - -class fas-server-base inherits turbogears { - $bugzillaUser='fedora-admin-xmlrpc@xxxxxxxxxx' - include httpd - include mod_wsgi::module - - package { fas: - ensure => present, - } - - package { fas-plugin-asterisk: - ensure => present, - } - - ### HACK: Need to solve this better later - apachefile { '/usr/lib/python2.4/site-packages/fas/fas.wsgi': - source => 
'web/applications/fas.wsgi', - require => Package['mod_wsgi'] - } - - file { '/var/www/.python-eggs': - ensure => directory, - mode => '0700', - owner => 'apache' - } - - file { '/etc/fas-gpg': - ensure => directory, - mode => '0700', - owner => 'fas', - group => 'fas', - } - - cert { '/etc/fas-gpg/secring.gpg': - source => 'secure/accounts-secring.gpg', - owner => 'fas', - group => 'fas', - mode => 600, - require => File['/etc/fas-gpg'] - } - - file { '/etc/fas-gpg/pubring.gpg': - owner => 'fas', - group => 'fas', - mode => 600, - replace => false, - ensure => file, - source => 'puppet:///config/web/applications/accounts-pubring.gpg', - } - - apachefile { '/etc/httpd/conf.d/accounts.conf': - source => 'web/applications/accounts.conf', - require => Package['mod_wsgi'] - } - - file { '/etc/pki/fas': - ensure => directory, - mode => '0700', - owner => 'fas', - group => 'fas', - } - # These are both public certs so there's no reason to hide them - configfile { '/etc/pki/fas/fedora-server-ca.cert': - source => 'secure/fedora-ca.cert', - } - - configfile { '/etc/pki/fas/fedora-upload-ca.cert': - source => 'secure/fedora-ca.cert', - } - - templatefile { '/etc/export-bugzilla.cfg': - content => template('system/export-bugzilla.cfg.erb'), - owner => 'fas', - # Contains passwords so it needs to be restricted - mode => '0640' - } - - # Note: This will move into the fas rpm soon - script { "/usr/local/bin/export-bugzilla.py": - source => "system/export-bugzilla.py", - mode => 0755 - } - cert { '/usr/share/fas/static/fedora-server-ca.cert': - source => 'secure/fedora-ca.cert', - owner => 'apache', - group => 'sysadmin-main', - mode => '0440' - } - - cert { '/usr/share/fas/static/fedora-upload-ca.cert': - source => 'secure/fedora-ca.cert', - owner => 'apache', - group => 'sysadmin-main', - mode => '0440' - } - - configfile { '/usr/lib/python2.4/site-packages/fas/config/log.cfg': - source => 'web/applications/fas-log.cfg', - owner => 'root', - group => 'root', - notify => 
Service['httpd'], - require => Package['httpd'], - mode => '0644' - } -} - -class fas-server inherits fas-server-base { - - $genCert = 'False' - templatefile { '/etc/fas.cfg': - content => template('web/applications/fas-prod.cfg.erb'), - owner => 'fas', - group => 'apache', - notify => Service['httpd'], - require => Package['httpd'], - mode => '640' - } - -} - -class fas-server-gencert inherits fas-server-base { - - $genCert = 'True' - templatefile { '/etc/fas.cfg': - content => template('web/applications/fas-prod.cfg.erb'), - owner => 'fas', - group => 'apache', - notify => Service['httpd'], - require => Package['httpd'], - mode => '640' - } - - # These should be created by the fas package later - file { '/var/lock/fedora-ca': - ensure => directory, - mode => '0700', - owner => 'fas', - group => 'fas', - require => Package[fas], - } - - file { '/var/lib/fedora-ca': - ensure => directory, - mode => '0771', - owner => 'fas', - group => 'sysadmin-main', - require => Package[fas], - } - - file { '/var/lib/fedora-ca/newcerts': - ensure => directory, - mode => '0770', - owner => 'fas', - group => 'sysadmin-main', - require => Package[fas], - } - - file { '/var/lib/fedora-ca/private': - ensure => directory, - mode => '0750', - owner => 'fas', - group => 'sysadmin-main' - } - - # For publishing the crl - file { '/srv/web/ca': - ensure => directory, - mode => '0755', - owner => 'apache', - group => 'apache' - } - - configfile { '/var/lib/fedora-ca/Makefile': - source => 'web/applications/Makefile.fedora-ca', - mode => '0644' - } - - configfile { '/var/lib/fedora-ca/openssl.cnf': - source => 'web/applications/fedora-ca-client-openssl.cnf', - mode => '0644' - } - - script { '/var/lib/fedora-ca/certhelper.py': - source => 'web/applications/certhelper.py', - mode => '0750', - owner => 'root', - group => 'sysadmin-main' - } - - - # Public keys don't need restrictive permissions - configfile { '/var/lib/fedora-ca/cacert.pem': - source => 'secure/fedora-ca.cert', - mode => '0444' 
- } - - # First of every month, force a new crl to be created - cron { gen-crl: - command => "cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null", - user => "apache", - minute => 0, - hour => 0, - monthday => [ 1, 15 ], - } - - symlink { '/srv/web/ca/crl.pem': - ensure => '/var/lib/fedora-ca/crl/crl.pem' - } -} - -# Note: path will change when it moves into the fas rpm -class fas-no-balance { - cron { export-bugzilla: - command => "/usr/local/bin/export-bugzilla.py fedorabugs fedora_contrib", - user => "fas", - minute => 10, - ensure => present, - require => Package['fas'], - environment => "MAILTO=root" - } -} commit a5c86d8ecd5cb5aa373a9dd608bb20eb6aaf8a74 Author: Mike McGrath <mmcgrath@xxxxxxxxxx> Date: Wed Apr 8 19:52:34 2009 +0000 Added fas module diff --git a/modules/fas/README b/modules/fas/README new file mode 100644 index 0000000..59b50b3 --- /dev/null +++ b/modules/fas/README @@ -0,0 +1,10 @@ +FAS Fedora Account System +------------------------ + +The Fedora Account System is a web application that manages the accounts of +Fedora Project Contributors. It's built in TurboGears and comes with a json +API for querying against remotely. + +The python-fedora-infrastructure package has a TurboGears identity provider +that works with the Account System. + diff --git a/modules/fas/files/Makefile.fedora-ca b/modules/fas/files/Makefile.fedora-ca new file mode 100644 index 0000000..5da1ea9 --- /dev/null +++ b/modules/fas/files/Makefile.fedora-ca 
@@ -0,0 +1,70 @@ +# $Id: Makefile,v 1.4 2006/06/20 18:55:37 jmates Exp $ +# +# NOTE If running OpenSSL 0.9.8a or higher, see -newkey, below. +# +# Automates the setup of a custom Certificate Authority and provides +# routines for signing and revocation of certificates. To use, first +# customize the commands in this file and the settings in openssl.cnf, +# then run: +# +# make init +# +# Then, copy in certificate signing requests, and ensure their suffix is +# .csr before signing them with the following command: +# +# make sign +# +# To revoke a key, name the certificate file with the cert option +# as shown below: +# +# make revoke cert=foo.cert +# +# This will revoke the certificate and call gencrl; the revocation list +# will then need to be copied somehow to the various systems that use +# your CA cert. + +requests = *.csr + +# remove -batch option if want chance to not certify a particular request +sign: FORCE + @openssl ca -batch -config openssl.cnf -days 180 -in $(req) -out $(cert) + +revoke: + @test $${cert:?"usage: make revoke cert=certificate"} + @openssl ca -config openssl.cnf -revoke $(cert) + @$(MAKE) gencrl + +gencrl: + @openssl ca -config openssl.cnf -gencrl -out crl/crl.pem + +clean: + -rm ${requests} + +# creates required supporting files, CA key and certificate +init: + @test ! 
-f serial + @mkdir crl newcerts private + @chmod go-rwx private + @echo '01' > serial + @touch index + # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher + @openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM + +help: + @echo make sign req=in.csr cert=out.cert + @echo ' - signs in.csr, outputting to out.cert' + @echo + @echo make revoke cert=filename + @echo ' - revokes certificate in named file and calls gencrl' + @echo + @echo make gencrl + @echo ' - updates Certificate Revocation List (CRL)' + @echo + @echo make clean + @echo ' - removes all *.csr files in this directory' + @echo + @echo make init + @echo ' - required initial setup command for new CA' + +# for legacy make support +FORCE: diff --git a/modules/fas/files/accounts-proxy.conf b/modules/fas/files/accounts-proxy.conf new file mode 100644 index 0000000..7a729e4 --- /dev/null +++ b/modules/fas/files/accounts-proxy.conf @@ -0,0 +1,11 @@ +# fas1 is the only place for gencert right now +RewriteRule /accounts/user/gencert http://fas1/accounts/user/gencert [P] +# pass ca requests on needed for CRL +ProxyPass /ca http://fas1/ca +ProxyPassReverse /ca http://fas1/ca + +#RewriteRule ^/accounts/(.*) balancer://accountsCluster/accounts/$1 [P] +#RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L] + +RewriteRule ^/accounts/(.*) http://localhost:10004/accounts/$1 [P] +RewriteRule ^/accounts$ https://admin.fedoraproject.org/accounts/ [R,L] diff --git a/modules/fas/files/accounts-pubring.gpg b/modules/fas/files/accounts-pubring.gpg new file mode 100644 index 0000000..c75ba2c Binary files /dev/null and b/modules/fas/files/accounts-pubring.gpg differ diff --git a/modules/fas/files/accounts.conf b/modules/fas/files/accounts.conf new file mode 100644 index 0000000..ad5803a --- /dev/null +++ b/modules/fas/files/accounts.conf 
@@ -0,0 +1,26 @@ +Alias /accounts/static /usr/share/fas/static +Alias /favicon.ico /usr/share/fas/static/favicon.ico +Alias /accounts/fedora-server-ca.cert /usr/share/fas/static/fedora-server-ca.cert +Alias /accounts/fedora-upload-ca.cert /usr/share/fas/static/fedora-upload-ca.cert +# For serving the crl +Alias /ca /srv/web/ca +CacheDisable /ca/crl.pem +AddType application/x-x509-ca-cert cacert.pem +AddType application/x-x509-crl crl.pem + +WSGISocketPrefix run/wsgi + +# TG implements its own signal handler. +WSGIRestrictSignal Off + +# These are the real tunables +WSGIDaemonProcess fas processes=8 threads=2 maximum-requests=50000 user=fas group=fas display-name=fas inactivity-timeout=300 +WSGIPythonOptimize 2 + +WSGIScriptAlias /accounts /usr/lib/python2.4/site-packages/fas/fas.wsgi/accounts + +<Directory /usr/lib/python2.4/site-packages/fas/> + WSGIProcessGroup fas + Order deny,allow + Allow from all +</Directory> diff --git a/modules/fas/files/accounts.fedoraproject.org.conf b/modules/fas/files/accounts.fedoraproject.org.conf new file mode 100644 index 0000000..1220803 --- /dev/null +++ b/modules/fas/files/accounts.fedoraproject.org.conf @@ -0,0 +1,13 @@ +# proxy1 - 10.8.32.122 +# proxy2 - 10.8.32.121 +# proxy3 - 66.35.62.166 +# proxy4 - 152.46.7.222 +# proxy5 - 80.239.156.215 + + +<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80> + ServerName accounts.fedoraproject.org + ServerAdmin admin@xxxxxxxxxxxxxxxxx + + include "conf.d/accounts.fedoraproject.org/*.conf +</VirtualHost> diff --git a/modules/fas/files/accounts.fedoraproject.org/logs.conf b/modules/fas/files/accounts.fedoraproject.org/logs.conf new file mode 100644 index 0000000..733e6e3 --- /dev/null +++ b/modules/fas/files/accounts.fedoraproject.org/logs.conf 
@@ -0,0 +1,2 @@ +CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-access.log.%Y-%m-%d 86400" combined +ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/accounts.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/modules/fas/files/accounts.fedoraproject.org/redirect.conf b/modules/fas/files/accounts.fedoraproject.org/redirect.conf new file mode 100644 index 0000000..1fc6864 --- /dev/null +++ b/modules/fas/files/accounts.fedoraproject.org/redirect.conf @@ -0,0 +1 @@ +Redirect permanent / https://admin.fedoraproject.org/accounts/ diff --git a/modules/fas/files/certhelper.py b/modules/fas/files/certhelper.py new file mode 100755 index 0000000..3c278a8 --- /dev/null +++ b/modules/fas/files/certhelper.py 
@@ -0,0 +1,280 @@ +#!/usr/bin/python +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Library General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Copyright 2005 Dan Williams <dcbw@xxxxxxxxxx> and Red Hat, Inc. + + +import sys, os, tempfile + +OPENSSL_PROG = '/usr/bin/openssl' + +def print_usage(prog): + print "\nUsage:\n" + print " %s ca --outdir=<outdir> --name=<name>\n" % prog + print " %s normal --outdir=<outdir> --name=<name> --cadir=<cadir> --caname=<ca-name>" % prog + print "" + print " Types:" + print " ca - Build system Certificate Authority key & certificate" + print " normal - Key & certificate that works with the build server and builders" + print "" + print "Examples:\n" + print " %s ca --outdir=/etc/plague/ca --name=my_ca" % prog + print " %s normal --outdir=/etc/plague/server/certs --name=server --cadir=/etc/plague/ca --caname=my_ca" % prog + print " %s normal --outdir=/etc/plague/builder/certs --name=builder1 --cadir=/etc/plague/ca --caname=my_ca" % prog + print "\n" + + +class CertHelperException: + def __init__(self, message): + self.message = message + + +class CertHelper: + def __init__(self, prog, outdir, name): + self._prog = prog + self._outdir = outdir + self._name = name + + def dispatch(self, cmd, argslist): + if cmd.lower() == 'ca': + self._gencert_ca(argslist) + elif cmd.lower() == 'normal': + self._gencert_normal(argslist) + 
else: + print_usage(self._prog) + + def _gencert_ca(self, args): + # Set up CA directory + if not os.path.exists(self._outdir): + os.makedirs(self._outdir) + try: + os.makedirs(os.path.join(self._outdir, 'certs')) + os.makedirs(os.path.join(self._outdir, 'crl')) + os.makedirs(os.path.join(self._outdir, 'newcerts')) + os.makedirs(os.path.join(self._outdir, 'private')) + except: + pass + cert_db = os.path.join(self._outdir, "index.txt") + os.system("/bin/touch %s" % cert_db) + serial = os.path.join(self._outdir, "serial") + if not os.path.exists(serial): + os.system("/bin/echo '01' > %s" % serial) + + cnf = write_openssl_cnf(self._outdir, self._name, {}) + + # Create the CA key + key_file = os.path.join(self._outdir, "private", "cakey.pem") + cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + + # Make the self-signed CA certificate + cert_file = os.path.join(self._outdir, "%s_ca_cert.pem" % self._name) + cmd = "%s req -config %s -new -x509 -days 3650 -key %s -out %s -extensions v3_ca" % (OPENSSL_PROG, cnf, key_file, cert_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + + os.remove(cnf) + print "Success. 
Your Certificate Authority directory is: %s\n" % self._outdir + + def _gencert_normal(self, args): + cadir = argfind(args, 'cadir') + if not cadir: + print_usage(self._prog) + sys.exit(1) + caname = argfind(args, 'caname') + if not caname: + print_usage(self._prog) + sys.exit(1) + + cnf = write_openssl_cnf(cadir, caname, {}) + + # Generate key + key_file = os.path.join(self._outdir, "%s_key.pem" % self._name) + cmd = "%s genrsa -out %s 2048" % (OPENSSL_PROG, key_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + print "" + + # Generate the certificate request + req_file = os.path.join(self._outdir, "%s_req.pem" % self._name) + cmd = '%s req -config %s -new -nodes -out %s -key %s' % (OPENSSL_PROG, cnf, req_file, key_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + print "" + + # Sign the request with the CA's certificate and key + cert_file = os.path.join(self._outdir, "%s_cert.pem" % self._name) + cmd = '%s ca -config %s -days 3650 -out %s -infiles %s' % (OPENSSL_PROG, cnf, cert_file, req_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + print "" + + # Cat the normal cert and key together + key_and_cert = os.path.join(self._outdir, "%s_key_and_cert.pem" % self._name) + cmd = '/bin/cat %s %s > %s' % (key_file, cert_file, key_and_cert) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + + # Cleanup: remove the cert, key, and request files + cmd = "/bin/rm -f %s %s %s" % (key_file, req_file, cert_file) + if os.system(cmd) != 0: + raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd) + + os.remove(cnf) + print "Success. 
Your certificate and key file is: %s\n" % key_and_cert + + +def write_openssl_cnf(home, ca_name, opt_dict): + (fd, name) = tempfile.mkstemp('', 'openssl_cnf_', dir=None, text=True) + os.write(fd, """ +############################## +HOME = %s +RANDFILE = .rand + +############################## +[ ca ] +default_ca = CA_default\n + +############################## +[ CA_default ] + +dir = $HOME +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +new_certs_dir = $dir/newcerts + +certificate = $dir/cacert.pem +private_key = $dir/private/cakey.pem +serial = $dir/serial +crl = $dir/crl.pem + +x509_extensions = usr_cert + +name_opt = ca_default +cert_opt = ca_default + +default_days = 3650 +default_crl_days= 30 +default_md = md5 +preserve = no + +policy = policy_match + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +############################## +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +string_mask = MASK:0x2002 + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = North Carolina + +localityName = Locality Name (eg, city) +localityName_default = Raleigh + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Fedora Project + +organizationalUnitName = Organizational Unit Name (eg, section) + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + 
+unstructuredName = An optional company name + +############################## +[ usr_cert ] + +basicConstraints=CA:FALSE +nsComment = "OpenSSL Generated Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +############################## +[ v3_ca ] + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true + +""" % (home)) + + return name + +def argfind(arglist, prefix): + val = None + for arg in arglist: + if arg.startswith('--%s=' % prefix): + val = arg + break + if not val: + return None + val = val.replace('--%s=' % prefix, '') + return val + +if __name__ == '__main__': + prog = sys.argv[0] + if len(sys.argv) < 3: + print_usage(prog) + sys.exit(1) + + outdir = argfind(sys.argv, 'outdir') + if not outdir: + print_usage(prog) + sys.exit(1) + + name = argfind(sys.argv, 'name') + if not name: + print_usage(prog) + sys.exit(1) + + ch = CertHelper(prog, outdir, name) + try: + ch.dispatch(sys.argv[1], sys.argv) + except CertHelperException, e: + print e.message + sys.exit(1) + + sys.exit(0) + diff --git a/modules/fas/files/export-bugzilla.py b/modules/fas/files/export-bugzilla.py new file mode 100755 index 0000000..4b6b416 --- /dev/null +++ b/modules/fas/files/export-bugzilla.py 
@@ -0,0 +1,68 @@ +#!/usr/bin/python -t +__requires__ = 'TurboGears' +import pkg_resources +pkg_resources.require('CherryPy >= 2.0, < 3.0alpha') + +import sys +import getopt +import xmlrpclib +import turbogears +from turbogears import config +turbogears.update_config(configfile="/etc/export-bugzilla.cfg") +from turbogears.database import session +from fas.model import BugzillaQueue + +BZSERVER = config.get('bugzilla.url', 'https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi') +BZUSER = config.get('bugzilla.username') +BZPASS = config.get('bugzilla.password') + +if __name__ == '__main__': + opts, args = getopt.getopt(sys.argv[1:], '', ('usage', 'help')) + if len(args) != 2 or ('--usage','') in opts or ('--help','') in opts: + print """ + Usage: export-bugzilla.py GROUP BUGZILLA_GROUP + """ + sys.exit(1) + ourGroup = args[0] + bzGroup = args[1] + + server = xmlrpclib.Server(BZSERVER) + bugzilla_queue = BugzillaQueue.query.join('group').filter_by( + name=ourGroup) + + for entry in bugzilla_queue: + # Make sure we have a record for this user in bugzilla + if entry.action == 'r': + # Remove the user's bugzilla group + try: + server.bugzilla.updatePerms(entry.email, 'rem', (bzGroup,), + BZUSER, BZPASS) + except xmlrpclib.Fault, e: + if e.faultCode == 504: + # It's okay, not having this user is equivalent to setting + # them to not have this group. + pass + else: + raise + + elif entry.action == 'a': + # Try to create the user + try: + server.bugzilla.addUser(entry.email, entry.person.human_name, BZUSER, BZPASS) + except xmlrpclib.Fault, e: + if e.faultCode == 500: + # It's okay, we just need to make sure the user has an + # account. 
+ pass + else: + print entry.email,entry.person.human_name + raise + server.bugzilla.updatePerms(entry.email, 'add', (bzGroup,), + BZUSER, BZPASS) + else: + print 'Unrecognized action code: %s %s %s %s %s' % (entry.action, + entry.email, entry.person.human_name, entry.person.username, entry.group.name) + + # Remove them from the queue + session.delete(entry) + session.flush() diff --git a/modules/fas/files/fas-log.cfg b/modules/fas/files/fas-log.cfg new file mode 100644 index 0000000..3f7843d --- /dev/null +++ b/modules/fas/files/fas-log.cfg @@ -0,0 +1,29 @@ +# LOGGING +# Logging is often deployment specific, but some handlers and +# formatters can be defined here. + +[logging] +[[formatters]] +[[[message_only]]] +format='*(message)s' + +[[[full_content]]] +format='*(name)s *(levelname)s *(message)s' + +[[handlers]] +[[[debug_out]]] +class='StreamHandler' +level='DEBUG' +args='(sys.stdout,)' +formatter='full_content' + +[[[access_out]]] +class='StreamHandler' +level='INFO' +args='(sys.stdout,)' +formatter='message_only' + +[[[error_out]]] +class='StreamHandler' +level='ERROR' +args='(sys.stdout,)' diff --git a/modules/fas/files/fas.fedoraproject.org.conf b/modules/fas/files/fas.fedoraproject.org.conf new file mode 100644 index 0000000..7db2e97 --- /dev/null +++ b/modules/fas/files/fas.fedoraproject.org.conf @@ -0,0 +1,13 @@ +# proxy1 - 10.8.32.122 +# proxy2 - 10.8.32.121 +# proxy3 - 66.35.62.166 +# proxy4 - 152.46.7.222 +# proxy5 - 80.239.156.215 + + +<VirtualHost 10.8.32.122:80 10.8.32.121:80 66.35.62.166:80 152.46.7.222:80 80.239.156.215:80> + ServerName fas.fedoraproject.org + ServerAdmin admin@xxxxxxxxxxxxxxxxx + + include "conf.d/fas.fedoraproject.org/*.conf +</VirtualHost> diff --git a/modules/fas/files/fas.fedoraproject.org/logs.conf b/modules/fas/files/fas.fedoraproject.org/logs.conf new file mode 100644 index 0000000..9195af7 --- /dev/null +++ b/modules/fas/files/fas.fedoraproject.org/logs.conf 
@@ -0,0 +1,2 @@ +CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-access.log.%Y-%m-%d 86400" combined +ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fas.fedoraproject.org-error.log.%Y-%m-%d 86400" diff --git a/modules/fas/files/fas.fedoraproject.org/redirect.conf b/modules/fas/files/fas.fedoraproject.org/redirect.conf new file mode 100644 index 0000000..1fc6864 --- /dev/null +++ b/modules/fas/files/fas.fedoraproject.org/redirect.conf @@ -0,0 +1 @@ +Redirect permanent / https://admin.fedoraproject.org/accounts/ diff --git a/modules/fas/files/fas.wsgi b/modules/fas/files/fas.wsgi new file mode 100644 index 0000000..865cc08 --- /dev/null +++ b/modules/fas/files/fas.wsgi 
@@ -0,0 +1,50 @@ +#!/usr/bin/python +import sys +sys.path.append('/usr/lib/python2.4/site-packages/fas/') +sys.stdout = sys.stderr + +import pkg_resources +pkg_resources.require('CherryPy <= 3.0alpha') + +import os +os.environ['PYTHON_EGG_CACHE'] = '/var/www/.python-eggs' + +import atexit +import cherrypy +import cherrypy._cpwsgi +import turbogears +import turbogears.startup +from formencode.variabledecode import NestedVariables +import fedora.tg.util + +class MyNestedVariablesFilter(object): + def before_main(self): + if hasattr(cherrypy.request, "params"): + cherrypy.request.params_backup = cherrypy.request.params + cherrypy.request.params = \ + NestedVariables.to_python(cherrypy.request.params or {}) + +turbogears.startup.NestedVariablesFilter = MyNestedVariablesFilter + +turbogears.update_config(configfile="/etc/fas.cfg", modulename="fas.config") +turbogears.config.update({'global': {'server.environment': 'production'}}) +turbogears.config.update({'global': {'autoreload.on': False}}) +turbogears.config.update({'global': {'server.log_to_screen': False}}) +turbogears.config.update({'global': {'server.webpath': '/accounts'}}) +turbogears.config.update({'global': {'base_url_filter.on': True}}) +turbogears.config.update({'global': {'base_url_filter.base_url': 'https://admin.fedoraproject.org'}}) +#turbogears.config.update({'global': {'sqlalchemy.recycle': '10'}}) + +turbogears.startup.call_on_startup.append(fedora.tg.util.enable_csrf) + +import fas.controllers + +cherrypy.root = fas.controllers.Root() + +if cherrypy.server.state == 0: + atexit.register(cherrypy.server.stop) + cherrypy.server.start(init_only=True, server_class=None) + +def application(environ, start_response): + environ['SCRIPT_NAME'] = '' + return cherrypy._cpwsgi.wsgiApp(environ, start_response) diff --git a/modules/fas/files/fasSync b/modules/fas/files/fasSync new file mode 100644 index 0000000..4f9f643 --- /dev/null +++ b/modules/fas/files/fasSync 
@@ -0,0 +1 @@ +24 * * * * root /bin/sleep $(($RANDOM/20)); /usr/bin/fasClient -i > /dev/null 2>&1 diff --git a/modules/fas/files/fedora-ca-client-openssl.cnf b/modules/fas/files/fedora-ca-client-openssl.cnf new file mode 100644 index 0000000..5c3bb15 --- /dev/null +++ b/modules/fas/files/fedora-ca-client-openssl.cnf 
@@ -0,0 +1,317 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = /var/lib/fedora-ca/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = . # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. 
+name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_md = sha1 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 
+# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +# we use PrintableString+UTF8String mask so if pure ASCII texts are used +# the resulting certificates are compatible with Netscape +string_mask = MASK:0x2002 + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = North Carolina + +localityName = Locality Name (eg, city) +localityName_default = Raleigh + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Fedora Project + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 0 +#challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! 
+# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 
diff --git a/modules/fas/files/nsswitch.conf b/modules/fas/files/nsswitch.conf new file mode 100644 index 0000000..fb4ff62 --- /dev/null +++ b/modules/fas/files/nsswitch.conf @@ -0,0 +1,45 @@ +# /etc/nsswitch.conf +# +# An example Name Service Switch config file. This file should be +# sorted with the most-used services at the beginning. +# +# The entry '[NOTFOUND=return]' means that the search for an +# entry should stop if the search in the previous entry turned +# up nothing. Note that if the search failed due to some other reason +# (like no NIS server responding) then the search continues with the +# next entry. +# +# Legal entries are: +# +# nisplus or nis+ Use NIS+ (NIS version 3) +# nis or yp Use NIS (NIS version 2), also called YP +# dns Use DNS (Domain Name Service) +# files Use the local files +# db Use the local database (.db) files +# compat Use NIS on compat mode +# hesiod Use Hesiod for user lookups +# [NOTFOUND=return] Stop searching if not found so far +# + +passwd: db files +shadow: db files +group: db files + +#hosts: db files nisplus nis dns +hosts: files dns + +bootparams: nisplus [NOTFOUND=return] files + +ethers: files +netmasks: files +networks: files +protocols: files +rpc: files +services: files + +netgroup: files + +publickey: nisplus + +automount: files +aliases: files nisplus diff --git a/modules/fas/manifests/init.pp b/modules/fas/manifests/init.pp new file mode 100644 index 0000000..a8074db --- /dev/null +++ b/modules/fas/manifests/init.pp 
@@ -0,0 +1,307 @@ +# Fedora account system Configuration + +class fas::fas { + package { fas-clients: ensure => present } + package { python-fedora: ensure => present } + + # Set a default group if one has not been explicitly defined + if $groups { + $notGroup = '' + } else { + $groups = 'sysadmin-main' + } + if $sshGroups { + $notSshGroup = '' + } else { + $sshGroups = '' + } + if $restrictedApp { + $notRestrictedApp = '' + } else { + $restrictedApp = '/usr/bin/cvs server' + } + + file { "/etc/nsswitch.conf": + source => "puppet:///fas/nsswitch.conf" + } + + file { '/etc/fas.conf': + content => template('fas/fas.conf.erb'), + mode => '0600', + + } +# exec { 'make-accounts': +# command => '/usr/bin/fasClient -e; /usr/bin/fasClient -i', +# subscribe => Templatefile['/etc/fas.conf'], +# require => Package['fas-clients'], +# refreshonly => true +# } + + file { '/etc/cron.d/fasSync': + source => 'puppet:///fas/fasSync', + require => Package[fas-clients], + } + + file { "/root/bin/": + ensure => directory, + } + + file { '/etc/sudoers': + source => "puppet:///config/secure/sudoers", + mode => 0440, + owner => root, + group => root + } +} + +class fas::fas-proxy inherits httpd { + file { "/etc/httpd/conf.d/admin.fedoraproject.org/accounts.conf": + source => 'puppet:///fas/accounts-proxy.conf', + notify => Service['httpd'], + } + + file { '/etc/httpd/conf.d/fas.fedoraproject.org.conf': + source => 'puppet:///fas/fas.fedoraproject.org.conf', + notify => Service['httpd'], + } + + file { '/etc/httpd/conf.d/fas.fedoraproject.org/': + source => 'puppet:///fas/fas.fedoraproject.org/', + recurse => true, + notify => Service['httpd'], + } + + file { '/etc/httpd/conf.d/accounts.fedoraproject.org.conf': + source => 'puppet:///fas/accounts.fedoraproject.org.conf', + notify => Service['httpd'] + } + + file { '/etc/httpd/conf.d/accounts.fedoraproject.org/': + source => 'puppet:///fas/accounts.fedoraproject.org/', + recurse => true, + notify => Service['httpd'], + } + +} + +class 
fas::fas-server-base inherits turbogears { + $bugzillaUser='fedora-admin-xmlrpc@xxxxxxxxxx' + include httpd + include mod_wsgi-package + + package { fas: ensure => present } + + package { fas-plugin-asterisk: ensure => present } + + ### HACK: Need to solve this better later + file { '/usr/lib/python2.4/site-packages/fas/fas.wsgi': + source => 'puppet:///fas/fas.wsgi', + require => Package['mod_wsgi'], + notify => Service['httpd'] + } + + file { '/var/www/.python-eggs': + ensure => directory, + mode => '0700', + owner => 'apache', + require => Package['httpd'] + } + + file { '/etc/fas-gpg': + ensure => directory, + mode => '0700', + owner => 'fas', + group => 'fas', + require => Package['fas'], + } + + file { '/etc/fas-gpg/secring.gpg': + source => 'puppet:///config/secure/accounts-secring.gpg', + owner => 'fas', + group => 'fas', + mode => 600, + require => File['/etc/fas-gpg'] + } + + file { '/etc/fas-gpg/pubring.gpg': + owner => 'fas', + group => 'fas', + mode => 600, + replace => false, + ensure => file, + source => 'puppet:///fas/accounts-pubring.gpg', + } + + file { '/etc/httpd/conf.d/accounts.conf': + source => 'puppet:///fas/accounts.conf', + require => Package['mod_wsgi'], + } + + file { '/etc/pki/fas': + ensure => directory, + mode => '0700', + owner => 'fas', + group => 'fas', + } + # These are both public certs so there's no reason to hide them + file { '/etc/pki/fas/fedora-server-ca.cert': + source => 'puppet:///config/secure/fedora-ca.cert', + } + + file { '/etc/pki/fas/fedora-upload-ca.cert': + source => 'puppet:///config/secure/fedora-ca.cert', + } + + file { '/etc/export-bugzilla.cfg': + content => template('fas/export-bugzilla.cfg.erb'), + owner => 'fas', + # Contains passwords so it needs to be restricted + mode => '0640' + } + + # Note: This will move into the fas rpm soon + file { "/usr/local/bin/export-bugzilla.py": + source => "puppet:///fas/export-bugzilla.py", + mode => 0755, + } + + file { '/usr/share/fas/static/fedora-server-ca.cert': + 
source => 'puppet:///config/secure/fedora-ca.cert', + owner => 'apache', + group => 'sysadmin-main', + mode => '0440', + require => Package['httpd'] + } + + file { '/usr/share/fas/static/fedora-upload-ca.cert': + source => 'puppet:///config/secure/fedora-ca.cert', + owner => 'apache', + group => 'sysadmin-main', + mode => '0440' + } + + file { '/usr/lib/python2.4/site-packages/fas/config/log.cfg': + source => 'puppet:///fas/fas-log.cfg', + owner => 'root', + group => 'root', + notify => Service['httpd'], + require => Package['httpd'], + mode => '0644' + } +} + +class fas::fas-server inherits fas-server-base { + + $genCert = 'False' + file { '/etc/fas.cfg': + content => template('fas/fas-prod.cfg.erb'), + owner => 'fas', + group => 'apache', + notify => Service['httpd'], + require => Package['httpd'], + mode => '640' + } + +} + +class fas::fas-server-gencert inherits fas-server-base { + + $genCert = 'True' + file { '/etc/fas.cfg': + content => template('fas/fas-prod.cfg.erb'), + owner => 'fas', + group => 'apache', + notify => Service['httpd'], + require => Package['httpd'], + mode => '640' + } + + # These should be created by the fas package later + file { '/var/lock/fedora-ca': + ensure => directory, + mode => '0700', + owner => 'fas', + group => 'fas', + require => Package[fas], + } + + file { '/var/lib/fedora-ca': + ensure => directory, + mode => '0771', + owner => 'fas', + group => 'sysadmin-main', + require => Package[fas], + } + + file { '/var/lib/fedora-ca/newcerts': + ensure => directory, + mode => '0770', + owner => 'fas', + group => 'sysadmin-main', + require => Package[fas], + } + + file { '/var/lib/fedora-ca/private': + ensure => directory, + mode => '0750', + owner => 'fas', + group => 'sysadmin-main' + } + + # For publishing the crl + file { '/srv/web/ca': + ensure => directory, + mode => '0755', + owner => 'apache', + group => 'apache' + } + + file { '/var/lib/fedora-ca/Makefile': + source => 'puppet:///fas/Makefile.fedora-ca', + mode => '0644' + } + 
+ file { '/var/lib/fedora-ca/openssl.cnf': + source => 'puppet:///fas/fedora-ca-client-openssl.cnf', + mode => '0644' + } + + file { '/var/lib/fedora-ca/certhelper.py': + source => 'puppet:///fas/certhelper.py', + mode => '0750', + owner => 'root', + group => 'sysadmin-main' + } + + + # Public keys don't need restrictive permissions + file { '/var/lib/fedora-ca/cacert.pem': + source => 'puppet:///config/secure/fedora-ca.cert', + mode => '0444' + } + + # First of every month, force a new crl to be created + cron { gen-crl: + command => "cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null", + user => "apache", + minute => 0, + hour => 0, + monthday => [ 1, 15 ], + } + + file { '/srv/web/ca/crl.pem': + ensure => '/var/lib/fedora-ca/crl/crl.pem' + } +} + +# Note: path will change when it moves into the fas rpm +class fas::fas-no-balance { + cron { export-bugzilla: + command => "/usr/local/bin/export-bugzilla.py fedorabugs fedora_contrib", + user => "fas", + minute => 10, + ensure => present, + require => Package['fas'], + environment => "MAILTO=root" + } +} diff --git a/modules/fas/templates/export-bugzilla.cfg.erb b/modules/fas/templates/export-bugzilla.cfg.erb new file mode 100644 index 0000000..6c65f07 --- /dev/null +++ b/modules/fas/templates/export-bugzilla.cfg.erb @@ -0,0 +1,11 @@ +[global] +# bugzilla.url = https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi +# Running from fas1 so we need the PHX available address. +bugzilla.url = "https://bzprx.vip.phx.redhat.com/xmlrpc.cgi" +# bugzilla.url = "https://bugzilla.redhat.com/xmlrpc.cgi" +bugzilla.username = "<%= bugzillaUser %>" +bugzilla.password = "<%= bugzillaPassword %>" + +# At the moment, we have to extract this information directly from the fas2 +# database. We can build a json interface for it at a later date. +sqlalchemy.dburi = "postgres://fas:<%= fasDbPassword %>@db2/fas2" 
diff --git a/modules/fas/templates/fas-prod.cfg.erb b/modules/fas/templates/fas-prod.cfg.erb new file mode 100644 index 0000000..11cac5a --- /dev/null +++ b/modules/fas/templates/fas-prod.cfg.erb 
@@ -0,0 +1,163 @@ +[global] +samadhi.baseurl = 'https://admin.fedoraproject.org/' + +admingroup = 'accounts' +systemgroup = 'fas-system' +thirdpartygroup = 'thirdparty' + +theme = 'fas' + +accounts_email = "accounts@xxxxxxxxxxxxxxxxx" +legal_cla_email = "legal-cla-archive@xxxxxxxxxxxxxxxxx" + +email_host = "fedoraproject.org" # as in, web-members@email_host + +gpgexec = "/usr/bin/gpg" +gpghome = "/etc/fas-gpg" +gpg_fingerprint = "7662 A6D3 4F21 A653 7BD4 BA64 20A0 8C45 4A0E 6255" +gpg_passphrase = "<%= fasGpgPassphrase %>" +gpg_keyserver = "hkp://subkeys.pgp.net" + +cla_done_group = "cla_done" +cla_fedora_group = "cla_fedora" + +privileged_view_groups = "(^fas-.*)" +username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,famsco,fax,fedorarewards,fesco,freemedia,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" + +openidstore = "/var/tmp/fas/openid" + +# Enable or disable generation of SSL certificates for users +gencert = <%= genCert %> + +makeexec = "/usr/bin/make" +openssl_lockdir = "/var/lock/fedora-ca" +openssl_digest = "md5" +openssl_expire = 15552000 # 60*60*24*180 = 6 months +openssl_ca_dir = "/var/lib/fedora-ca" +openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts" +openssl_ca_index = "/var/lib/fedora-ca/index.txt" +openssl_c = "US" +openssl_st = "North Carolina" +openssl_l = 
"Raleigh" +openssl_o = "Fedora Project" +openssl_ou = "Fedora User Cert" + +# Groups that automatically grant membership to other groups +# Format: 'group1:a,b,c|group2:d,e,f' +auto_approve_groups = 'packager:fedorabugs|cla_fedora:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done' + +# This is where all of your settings go for your development environment +# Settings that are the same for both development and production +# (such as template engine, encodings, etc.) all go in +# fas/config/app.cfg + +mail.on = True +mail.server = 'bastion' +#mail.testmode = True +mail.debug = False +mail.encoding = 'utf-8' + +# DATABASE + +# pick the form for your database +# sqlobject.dburi="postgres://username@hostname/databasename" +# sqlobject.dburi="mysql://username:password@hostname:port/databasename" +# sqlobject.dburi="sqlite:///file_name_and_path" + +# If you have sqlite, here's a simple default to get you started +# in development +sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db2/fas2" +sqlalchemy.echo=False + +# if you are using a database or table type without transactions +# (MySQL default, for example), you should turn off transactions +# by prepending notrans_ on the uri +# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename" + +# for Windows users, sqlite URIs look like: +# sqlobject.dburi="sqlite:///drive_letter:/path/to/file" + +# SERVER + +# Some server parameters that you may want to tweak +server.socket_port=8088 +server.thread_pool=50 +server.socket_queue_size=30 + +# FAS2 is mmuch busier than other servers due to serving visit and auth via +# JSON. +# Double pool_size +#sqlalchemy.pool_size=10 +# And increase overflow above what other servers have +#sqlalchemy.max_overflow=25 +# When using wsgi, we want the pool to be very low (as a separate instance is +# run in each apache mod_wsgi thread. So each one is going to have very few +# concurrent db connections. 
+sqlalchemy.pool_size=1 +sqlalchemy.max_overflow=2 + +# Enable the debug output at the end on pages. +# log_debug_info_filter.on = False + +server.environment="production" +autoreload.package="fas" + +# session_filter.on = True + +# Set to True if you'd like to abort execution if a controller gets an +# unexpected parameter. False by default +tg.strict_parameters = True +tg.ignore_parameters = ["_csrf_token"] + +server.webpath='/accounts' +base_url_filter.on = True +base_url_filter.use_x_forwarded_host = True +base_url_filter.base_url = "https://admin.fedoraproject.org" + +# Make the session cookie only return to the host over an SSL link +visit.cookie.secure = True +session_filter.cookie_secure = True + +[/fedora-server-ca.cert] +static_filter.on = True +static_filter.file = "/etc/pki/fas/fedora-server-ca.cert" + +[/fedora-upload-ca.cert] +static_filter.on = True +static_filter.file = "/etc/pki/fas/fedora-upload-ca.cert" + +# LOGGING +# Logging configuration generally follows the style of the standard +# Python logging module configuration. Note that when specifying +# log format messages, you need to use *() for formatting variables. +# Deployment independent log configuration is in fas/config/log.cfg +[logging] + +[[loggers]] +[[[fas]]] +level='DEBUG' +qualname='fas' +handlers=['debug_out'] + +[[[allinfo]]] +level='INFO' +handlers=['debug_out'] + +#[[[access]]] +#level='INFO' +#qualname='turbogears.access' +#handlers=['access_out'] +#propagate=0 + +[[[identity]]] +level='INFO' +qualname='turbogears.identity' +handlers=['access_out'] +propagate=0 + +[[[database]]] +# Set to INFO to make SQLAlchemy display SQL commands +level='ERROR' +qualname='sqlalchemy.engine' +handlers=['debug_out'] +propagate=0 diff --git a/modules/fas/templates/fas.conf.erb b/modules/fas/templates/fas.conf.erb new file mode 100644 index 0000000..d8a3e05 --- /dev/null +++ b/modules/fas/templates/fas.conf.erb 
@@ -0,0 +1,78 @@ +[global] +; url - Location to fas server +url = https://admin.fedoraproject.org/accounts/ + +; temp - Location to generate files while user creation process is happening +temp = /var/db + +; login - username to contact fas +login = systems + +; password - password for login name +password = <%= systemsUserPassword %> + +; prefix - install to a location other than / +prefix = / + +[host] +; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups +; so if someone is in all 3, the client behaves the same as if they were just +; in 'groups' + +; groups that should have a shell account on this system. +<% if groups != "NONE" %> +groups = <%= groups %> +<% else %> +groups = sysadmin-main +<% end %> +; groups that should have a restricted account on this system. +; restricted accounts use the restricted_shell value in [users] +restricted_groups = + +; ssh_restricted_groups: groups that should be restricted by ssh key. You will +; need to disable password based logins in order for this value to have any +; security meaning. Group types can be placed here as well, for example +; @hg,@git,@svn +<% if sshGroups %> +ssh_restricted_groups = <%= sshGroups %> +<% else %> +ssh_restricted_groups = +<% end %> + +; aliases_template: Gets prepended to the aliases file when it is generated by +; fasClient +aliases_template = /etc/aliases.template + +[users] +; default shell given to people in [host] groups +shell = /bin/bash + +; home - the location for fas user home dirs +home = /home/fedora + +; home_backup_dir - Location home dirs should get moved to when a user is +; deleted this location should be tmpwatched +home_backup_dir = /home/fedora.bak + +; ssh_restricted_app - This is the path to the restricted shell script. It +; will not work automatically for most people though through alterations it +; is a powerfull way to restrict access to a machine. 
An alternative example +; could be given to people who should only have cvs access on the machine. +; setting this value to "/usr/bin/cvs server" would do this. +<% if restrictedApp %> +ssh_restricted_app = "<%= restrictedApp %>" +<% else %> +ssh_restricted_app = "/usr/bin/cvs server" +<% end %> + +; restricted_shell - The shell given to users in the ssh_restricted_groups +restricted_shell = /sbin/nologin + +; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups +ssh_restricted_shell = /bin/bash + +; ssh_key_options - Options to be appended to people ssh keys. Users in the +; ssh_restricted_groups will have the keys they uploaded altered when they are +; installed on this machine, appended with the options below. +ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty + _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
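Review bot: (fas-prod.cfg.erb hunk) the [[[fas]]] logger is set to level='DEBUG' in a file that also sets server.environment="production"; debug_out will then carry per-request detail from the accounts application on the production box, so consider level='INFO' there and keep DEBUG for the staging template only. Two smaller things in the same hunk: the comment block directly above the production line sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db2/fas2" still talks about sqlobject.dburi and "If you have sqlite, here's a simple default to get you started in development", which no longer describes what follows and could be trimmed to a one-line note that the password comes from the puppet variable; and base_url_filter.use_x_forwarded_host = True means the app will build URLs from whatever X-Forwarded-Host the client presents, so the listener on server.socket_port=8088 should only be reachable from the apache proxy, not directly. The "mmuch" in the pool-size comment is a typo.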
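Review bot: (fas.conf.erb hunk) password = <%= systemsUserPassword %> renders the credentials of the shared "systems" FAS login into /etc/fas.conf on every client node, so the file resource in the module should ship it owner root, mode 0600 (and the puppet reports should not echo the rendered content); the diff in this mail does not show that resource, so please double check it. The comment above restricted_shell = /sbin/nologin is a copy of the one above ssh_restricted_shell and says "The shell given to users in the ssh_restricted_groups"; per the [host] section it should say restricted_groups, otherwise the two keys read as duplicates. Style point: the template tests `groups != "NONE"` but `if sshGroups` and `if restrictedApp` for the other two node variables; pick one convention for "not set" so a node that defines none of them behaves predictably.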
