path: root/roles/koji_hub/templates/hub.conf.j2
blob: e9a3c3061fbac81ad92e52d4b1c8ed3075491de9 (plain)
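[hub]

## Basic options ##
# Database connection. DBPass is rendered from the kojiPassword variable in
# clear text, so the deployed hub.conf must stay readable only by the hub's
# service user.
DBName = koji
DBUser = koji
# Staging and production currently use the same database host. The previous
# {% if env == "staging" %} / else around this key produced identical output
# in both branches; re-introduce the conditional only when staging gets its
# own DB server.
DBHost = db-koji01
DBPass = {{ kojiPassword }}
# The hub's own Kerberos identity; env_suffix selects the per-environment hostname.
AuthPrincipal = host/koji{{env_suffix}}.fedoraproject.org
# Principals allowed to log in on behalf of other users (web frontend, signing
# bridge, and in staging the modularity service). Each entry here can act as
# other koji users, so keep the list to the services that genuinely need it.
{% if env == "staging" %}
ProxyPrincipals = modularity@STG.FEDORAPROJECT.ORG,HTTP/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG,sigul/sign-bridge01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG
{% else %}
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/sign-bridge01.phx2.fedoraproject.org@FEDORAPROJECT.ORG
{% endif %}
KojiDir = /mnt/koji
# Resource guards for the hub process: MaxRequestLength is 160 MiB and
# RLIMIT_AS is 10 GiB (both in bytes). MemoryWarnThreshold units follow the
# koji hub documentation; they are not stated here.
MemoryWarnThreshold = 10000
MaxRequestLength = 167772160
RLIMIT_AS = 10737418240
# Sessions are not bound to the IP address that created them. This is needed
# when clients arrive through NAT or proxies, but it removes one check against
# a leaked session token being replayed from another host.
CheckClientIP = False

# Kerb auth
# Builders authenticate as compile/<hostname>@REALM. The literal %s is filled
# in by the hub, so this file relies on being read by a non-interpolating
# parser (a configparser with %-interpolation enabled would reject it).
{% if env == "staging" %}
HostPrincipalFormat = compile/%s@STG.FEDORAPROJECT.ORG
{% else %}
HostPrincipalFormat = compile/%s@FEDORAPROJECT.ORG
{% endif %}
AuthKeytab = /etc/koji-hub/koji-hub.keytab

##  SSL client certificate auth configuration  ##
#note: ssl auth may also require editing the httpd config (conf.d/kojihub.conf)

## the client username is the common name of the subject of their client certificate
DNUsernameComponent = CN
## separate multiple DNs with |
## Certificates with these subjects get the same log-in-as-another-user
## privilege as ProxyPrincipals above.
ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US|emailAddress=releng@fedoraproject.org,CN=sign-bridge1,OU=Package Signing,O=Fedora Project,ST=North Carolina,C=US

## end SSL client certificate auth configuration


##  Other options  ##
# Any principal or certificate that authenticates successfully gets a koji
# account created on first login; who can obtain an account is therefore
# decided by the KDC / CA, not by koji itself.
LoginCreatesUser = On
# Base URL used in notification links. Plain http here; if the web UI is
# served over TLS, https would keep the emailed links off cleartext.
KojiWebURL = http://koji.fedoraproject.org/koji
# The domain name that will be appended to Koji usernames
# when creating email notifications
EmailDomain = fedoraproject.org
# Disable sending all notifications from koji, people need to use FMN now
DisableNotifications = True

## If KojiDebug is on, the hub will be /very/ verbose and will report exception
## details to clients for anticipated errors (i.e. koji's own exceptions --
## subclasses of koji.GenericError).
# KojiDebug = On

## Determines how much detail about exceptions is reported to the client (via faults)
## Meaningful values:
##   normal - a basic traceback (format_exception)
##   extended - an extended traceback (format_exc_plus)
##   anything else - no traceback, just the error message
## The extended traceback is intended for debugging only and should NOT be
## used in production, since it may contain sensitive information.
# KojiTraceback = normal

## These options are intended for planned outages
#ServerOffline = True
#OfflineMessage = Offline
# LockOut = False
## If ServerOffline is True, the server will always report a ServerOffline fault (with
## OfflineMessage as the fault string).
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
## requests.

# Hub plugins to load (space separated). Staging additionally loads
# sidetag_hub, which goes with the staging-only sidetag rules in [policy].
#Plugins = koji-disable-builds-plugin
#Plugins = darkserver-plugin
{% if env == "staging" %}
Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild tag2distrepo sidetag_hub
{% else %}
Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild tag2distrepo
{% endif %}

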
[policy]

# koji hub policies. Each rule is `test [&& test ...] :: action`; the rules of
# a policy are tried top to bottom and the first rule whose tests all match
# decides, so the order of the lines below matters.

# Who may tag / untag builds. The secure-boot package set (kernel shim grub2
# fedora-release fedora-repos pesign) is allowed only through the explicit
# paths listed first and is denied for everyone else before the catch-all.
tag =
    # mbs may move secure-boot packages into and out of module-* tags.
    user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    # bodhi may tag them into *-override tags.
    user bodhi && tag *-override && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    # autosign may move them out of *-pending and *-candidate tags.
    has_perm autosign && fromtag *-pending && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    has_perm autosign && fromtag *-candidate && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    # Holders of the secure-boot permission may tag them anywhere.
    has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    # CoreOS continuous builds, https://pagure.io/releng/issue/8165
    operation tag && tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous :: allow
    operation untag && fromtag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous :: allow
    # CoreOS coreos-pool and coreos-release tags, https://pagure.io/releng/issue/8294
    operation tag && tag coreos-pool coreos-release && has_perm coreos-continuous :: allow
    operation untag && fromtag coreos-pool coreos-release && has_perm coreos-continuous :: allow
    # Deny tagging of secure-boot packages for anyone not matched above.
    # This line must stay ahead of the final `all :: allow`.
    package kernel shim grub2 fedora-release fedora-repos pesign :: deny
    # Only infra may tag into *-infra-candidate.
    tag *-infra-candidate && has_perm infra :: allow
    tag *-infra-candidate :: deny
    # Infra may promote builds from -infra-stg to -infra tags.
    # NOTE(review): the broader `tag *infra* && fromtag *infra* && has_perm infra`
    # rule below also matches this case, so this line appears to be redundant.
    tag *-infra && fromtag *-infra-stg && has_perm infra :: allow
    # Keep builds from infra tags inside infra tags: infra may move them
    # between *infra* tags, nobody may move them from an *infra* tag into a
    # distribution tag (prevents srpm-built infra packages leaking into releases).
    tag *infra* && fromtag *infra* && has_perm infra :: allow
    fromtag *infra* :: deny
    # Everything else is allowed.
    all :: allow

# Which build channel a task is routed to. These rules only route, they never
# deny: a secure-boot package built by someone without the secure-boot
# permission simply lands in the parent/default channel, and the `tag` policy
# above is what is expected to stop the result from being tagged.
channel =
    method newRepo distRepo :: use createrepo
    method buildContainer :: use container
    # Users holding customchannel may request a specific channel.
    has req_channel && has_perm customchannel :: req

    # pesign-test-app always goes to the secure-boot channel, even for scratch builds.
    source */pesign-test-app* && has_perm secure-boot :: use secure-boot
    # All other scratch builds go to the default channel.
    method build && bool scratch :: use default

    # Secure boot: these sources are built on the secure-boot channel only when
    # the submitter holds the secure-boot permission.
    source */kernel* && has_perm secure-boot :: use secure-boot
    source */shim* && has_perm secure-boot :: use secure-boot
    source */grub2* && has_perm secure-boot :: use secure-boot
    source */pesign* && has_perm secure-boot :: use secure-boot
    source */fwupdate* && has_perm secure-boot :: use secure-boot
    source */fwupd* && has_perm secure-boot :: use secure-boot

    # Child tasks follow their parent's channel; everything else is default.
    is_child_task :: parent
    all :: use default


# Building directly from an uploaded SRPM (bypassing dist-git) is limited to
# admins, and to infra for the *-infra-candidate tag.
build_from_srpm =
    has_perm admin :: allow
    tag *-infra-candidate && has_perm infra :: allow
    all :: deny


# Policy for manipulating package lists for tags.
package_list =
    # Removing packages is almost always a mistake, so deny it.
    # Admins can still override this with --force, if necessary.
    match action remove :: deny
    # Admins can do pretty much everything.
    has_perm admin :: allow
    # People with pkglist permission can manage package lists in
    # active f$N and epel$N tags.
    has_perm pkglist :: {
        # Rawhide and epel7: adding, unblocking and blocking is allowed.
        tag f{{FedoraRawhideNumber}} epel7 && match action add unblock block :: allow
        # In branched blocking is allowed only before final freeze: the Jinja
        # expression drops `block` from the action list once Frozen is set and
        # FedoraBranchedBodhi is 'postbeta'.
        tag f{{FedoraBranchedNumber}} && match action add unblock {{ 'block' if not Frozen or FedoraBranchedBodhi != 'postbeta' }} :: allow
        # Stable releases: only adding and unblocking is allowed.
        tag f{{FedoraCycleNumber}} f{{FedoraPreviousCycleNumber}} && match action add unblock :: allow
    }
    # Infra people can themselves add/block/unblock packages in their
    # tags without bothering admins.
    tag *infra* && has_perm infra && match action add unblock block :: allow
    # CoreOS continuous builds, https://pagure.io/releng/issue/8165
    tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous && match action add unblock block :: allow
    # CoreOS coreos-pool and coreos-release tags, https://pagure.io/releng/issue/8294
    tag coreos-pool coreos-release && has_perm coreos-continuous && match action add unblock block :: allow
    # Catch-all rule.
    all :: deny

{% if env == "staging" %}
# Staging only: goes with the sidetag_hub plugin that only the staging
# Plugins list in [hub] loads. Presumably limits which build tags a side tag
# may be created from; everything not listed is denied.
sidetag =
    tag f31-build :: allow
    tag f30-build :: allow
    tag f29-build :: allow
    all :: deny
{% endif %}