authorPedro Alvarez Piedehierro <palvarez89@gmail.com>2017-10-04 14:40:01 +0000
committerPedro Alvarez Piedehierro <palvarez89@gmail.com>2017-10-04 14:40:01 +0000
commit976172c6fc9513395f09909a4ac9392cf00c1b63 (patch)
tree0a560a8d3f43f9500a683c978d8f4921c94653de
parent9d0b282cc4d2eac1f881ce6ceb311388518672dd (diff)
parent8f5352e8f0ccbb4ba358125ffb76af72580a814e (diff)
Merge branch 'kill-obsolete' into 'master'
Kill obsolete system definitions

See merge request baserock/infrastructure!8
-rw-r--r--README.mdwn358
-rw-r--r--baserock_database/backup-snapshot.conf4
-rw-r--r--baserock_database/baserock_gerrit.database_password.yml8
-rw-r--r--baserock_database/baserock_openid_provider.database_password.yml8
-rw-r--r--baserock_database/baserock_storyboard.database_password.yml7
-rw-r--r--baserock_database/image-config.yml46
-rw-r--r--baserock_database/instance-backup-config.yml29
-rw-r--r--baserock_database/instance-config.yml15
-rw-r--r--baserock_database/instance-mariadb-config.yml71
-rw-r--r--baserock_database/root.database_password.yml7
-rw-r--r--baserock_gerrit/All-Projects/groups16
-rw-r--r--baserock_gerrit/All-Projects/project.config125
-rw-r--r--baserock_gerrit/backup-snapshot.conf5
-rw-r--r--baserock_gerrit/baserock_gerrit.morph27
-rw-r--r--baserock_gerrit/branding/GerritSite.css15
-rw-r--r--baserock_gerrit/branding/GerritSiteHeader.html1
-rw-r--r--baserock_gerrit/branding/baserock-logo.pngbin13765 -> 0 bytes
-rw-r--r--baserock_gerrit/branding/openstack-page-bkg.jpgbin3738 -> 0 bytes
-rw-r--r--baserock_gerrit/gerrit-access-config.yml159
-rw-r--r--baserock_gerrit/gerrit.config54
-rw-r--r--baserock_gerrit/gerrit.service16
-rw-r--r--baserock_gerrit/instance-backup-config.yml29
-rw-r--r--baserock_gerrit/instance-ca-certificate-config.yml30
-rw-r--r--baserock_gerrit/instance-config.yml133
-rw-r--r--baserock_gerrit/instance-mirroring-config.yml68
-rw-r--r--baserock_gerrit/lorry-controller.conf38
-rw-r--r--baserock_gerrit/lorry-controller/minion.conf6
-rw-r--r--baserock_gerrit/lorry-controller/webapp.conf13
-rw-r--r--baserock_gerrit/lorry.conf8
-rw-r--r--baserock_gerrit/replication.config30
-rw-r--r--baserock_mail/image-config.yml22
-rw-r--r--baserock_mail/instance-config.yml72
-rw-r--r--baserock_opengrok/baserock-export.service11
-rw-r--r--baserock_opengrok/baserock-export.timer10
-rw-r--r--baserock_opengrok/clone-and-index.service11
-rw-r--r--baserock_opengrok/clone-and-index.sh15
-rw-r--r--baserock_opengrok/clone-and-index.timer10
-rw-r--r--baserock_opengrok/export.sh38
-rw-r--r--baserock_opengrok/index.jsp3
-rw-r--r--baserock_opengrok/instance-config.yml163
-rw-r--r--baserock_openid_provider/baserock_openid_provider.secret_key.yml10
-rw-r--r--baserock_openid_provider/baserock_openid_provider/__init__.py17
-rw-r--r--baserock_openid_provider/baserock_openid_provider/forms.py29
-rw-r--r--baserock_openid_provider/baserock_openid_provider/settings.py174
-rw-r--r--baserock_openid_provider/baserock_openid_provider/signals.py26
-rw-r--r--baserock_openid_provider/baserock_openid_provider/static/style.css268
-rw-r--r--baserock_openid_provider/baserock_openid_provider/urls.py12
-rw-r--r--baserock_openid_provider/baserock_openid_provider/views.py53
-rw-r--r--baserock_openid_provider/baserock_openid_provider/wsgi.py14
-rw-r--r--baserock_openid_provider/cherokee.conf300
-rw-r--r--baserock_openid_provider/image-config.yml77
-rw-r--r--baserock_openid_provider/instance-config.yml46
-rw-r--r--baserock_openid_provider/manage.py10
-rw-r--r--baserock_openid_provider/openid_provider/__init__.py0
-rw-r--r--baserock_openid_provider/openid_provider/admin.py17
-rw-r--r--baserock_openid_provider/openid_provider/conf.py27
-rw-r--r--baserock_openid_provider/openid_provider/models.py42
-rw-r--r--baserock_openid_provider/openid_provider/south_migrations/0001_initial.py89
-rw-r--r--baserock_openid_provider/openid_provider/south_migrations/__init__.py0
-rw-r--r--baserock_openid_provider/openid_provider/templates/openid_provider/base.html1
-rw-r--r--baserock_openid_provider/openid_provider/templates/openid_provider/decide.html41
-rw-r--r--baserock_openid_provider/openid_provider/templates/openid_provider/error.html6
-rw-r--r--baserock_openid_provider/openid_provider/templates/openid_provider/response.html12
-rw-r--r--baserock_openid_provider/openid_provider/templates/openid_provider/server.html9
-rw-r--r--baserock_openid_provider/openid_provider/templates/openid_provider/xrds.xml10
-rw-r--r--baserock_openid_provider/openid_provider/urls.py14
-rw-r--r--baserock_openid_provider/openid_provider/utils.py130
-rw-r--r--baserock_openid_provider/openid_provider/views.py323
-rw-r--r--baserock_openid_provider/templates/base.html38
-rw-r--r--baserock_openid_provider/templates/index.html15
-rw-r--r--baserock_openid_provider/templates/registration/activate.html8
-rw-r--r--baserock_openid_provider/templates/registration/activation_complete.html6
-rw-r--r--baserock_openid_provider/templates/registration/activation_email.txt6
-rw-r--r--baserock_openid_provider/templates/registration/activation_email_subject.txt1
-rw-r--r--baserock_openid_provider/templates/registration/login.html15
-rw-r--r--baserock_openid_provider/templates/registration/logout.html6
-rw-r--r--baserock_openid_provider/templates/registration/password_change_done.html6
-rw-r--r--baserock_openid_provider/templates/registration/password_change_form.html11
-rw-r--r--baserock_openid_provider/templates/registration/password_reset_complete.html10
-rw-r--r--baserock_openid_provider/templates/registration/password_reset_confirm.html21
-rw-r--r--baserock_openid_provider/templates/registration/password_reset_done.html6
-rw-r--r--baserock_openid_provider/templates/registration/password_reset_email.html5
-rw-r--r--baserock_openid_provider/templates/registration/password_reset_form.html11
-rw-r--r--baserock_openid_provider/templates/registration/registration_closed.html6
-rw-r--r--baserock_openid_provider/templates/registration/registration_complete.html11
-rw-r--r--baserock_openid_provider/templates/registration/registration_form.html11
-rw-r--r--baserock_openid_provider/uwsgi.ini22
-rw-r--r--baserock_storyboard/ansible-galaxy-roles.yaml4
-rw-r--r--baserock_storyboard/backup-snapshot.conf4
-rw-r--r--baserock_storyboard/instance-backup-config.yml26
-rw-r--r--baserock_storyboard/instance-config.yml35
-rw-r--r--baserock_storyboard/instance-storyboard-config.yml12
-rw-r--r--baserock_storyboard/projects.yaml47
-rw-r--r--baserock_storyboard/storyboard-vars.yml50
-rw-r--r--baserock_storyboard/users.yaml4
95 files changed, 8 insertions, 3827 deletions
diff --git a/README.mdwn b/README.mdwn
index 5a85066d..79b43592 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -3,16 +3,16 @@ Baserock project public infrastructure
This repository contains the definitions for all of the Baserock Project's
infrastructure. This includes every service used by the project, except for
-the mailing lists (hosted by [Pepperfish]) and the wiki (hosted by
-[Branchable]).
+the mailing lists (hosted by [Pepperfish]) the wiki (hosted by [Branchable])
+and the GitLab CI runners (set up by Javier Jardón).
-Some of these systems are Baserock systems. Other are Ubuntu or Fedora based.
-Eventually we want to move all of these to being Baserock systems.
+Some of these systems are Baserock systems. This has proved an obstacle to
+keeping them up to date with security updates, and we plan to switch everything
+to run on mainstream distros in future.
-The infrastructure is set up in a way that parallels the preferred Baserock
-approach to deployment. All files necessary for (re)deploying the systems
-should be contained in this Git repository, with the exception of certain
-private tokens (which should be simple to inject at deploy time).
+All files necessary for (re)deploying the systems should be contained in this
+Git repository. Private tokens should be encrypted using
+[ansible-vault](https://www.ansible.com/blog/2014/02/19/ansible-vault).
[Pepperfish]: http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo
[Branchable]: http://www.branchable.com/
@@ -372,315 +372,6 @@ usual haproxy.cfg file), use 'git grep' to find all of them. You'll need to
update all the relevant config files. We really need some internal DNS system
to avoid this hassle.
-### Database
-
-Baserock infrastructure uses a shared [MariaDB] database. MariaDB was chosen
-because Storyboard only supports MariaDB.
-
-To deploy this system to production:
-
- nova boot database-mariadb \
- --key-name=$keyname \
- --flavor dc1.1x1 \
- --image=$fedora_image_id \
- --nic="net-id=$network_id,v4-fixed-ip=192.168.222.146" \
- --security-groups default,database-mysql \
- --user-data ./baserock-ops-team.cloud-config
- nova volume-create \
- --display-name database-volume \
- --display-description 'Database volume' \
- --volume-type Ceph \
- 100
- nova volume-attach database-mariadb <volume ID> /dev/vdb
-
- ansible-playbook -i hosts baserock_database/image-config.yml
- ansible-playbook -i hosts baserock_database/instance-config.yml
- ansible-playbook -i hosts baserock_database/instance-backup-config.yml
-
-At this point, if you are restoring from a backup, rsync the data across
-from your backup server on the instance, then start the mariadb service and you
-are done.
-
- sudo --preserve-env -- rsync --archive --chown mysql:mysql --hard-links \
- --info=progress2 --partial --sparse \
- root@backupserver:/srv/backup/database/* /var/lib/mysql
- sudo systemctl enable mariadb.service
- sudo systemctl start mariadb.service
-
-NOTE: If you see the following message in the journal:
-
- The datadir located at /var/lib/mysql needs to be upgraded using 'mysql_upgrade' tool. This can be done using the following steps
-
-This is because the backup you are importing is from an older version of
-MariaDB. To fix this, as the message says, you only need to run:
-
- sudo -u mysql mysql_upgrade -u root -p
-
-If you are starting from scratch, you need to prepare the system by adding
-the required users and databases. Run the following playbook, which can
-be altered and rerun whenever you need to add more users or databases, or
-you want to check the database configuration matches what you expect.
-
- ansible -i hosts -m service -a 'name=mariadb enabled=true state=started'
- ansible-playbook -i hosts baserock_database/instance-mariadb-config.yml
-
-The internal IP address of this machine is hardcoded in some places (beyond the
-usual haproxy.cfg file), use 'git grep' to find all of them. You'll need to
-update all the relevant config files. We really need some internal DNS system
-to avoid this hassle.
-
-[MariaDB]: https://www.mariadb.org
-
-### Mail relay
-
-The mail relay is currently a Fedora Cloud 23 image running Exim.
-
-It is configured to only listen on its internal IP. It's not intended to
-receive mail, or relay mail sent by systems outside the baserock.org cloud.
-
-To deploy it:
-
- nova boot mail \
- --key-name $keyname \
- --flavor dc1.1x0 \
- --image $fedora_image_id \
- --nic "net-id=$network_id,v4-fixed-ip=192.168.222.145" \
- --security-groups default,internal-mail-relay \
- --user-data ./baserock-ops-team.cloud-config
-
- ansible-playbook -i hosts baserock_mail/image-config.yml
- ansible-playbook -i hosts baserock_mail/instance-config.yml
-
-The mail relay machine is stateless.
-
-The internal IP address of this machine is hardcoded in some places (beyond the
-usual haproxy.cfg file), use 'git grep' to find all of them. You'll need to
-update all the relevant config files. We really need some internal DNS system
-to avoid this hassle.
-
-### OpenID provider
-
-To deploy this system to production:
-
- vim baserock_openid_provider/baserock_openid_provider/settings.py
-
-Check the DATABASE_HOST IP, and check the other settings against the [Django
-deployment
-checklist](https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/).
-
- nova boot openid.baserock.org \
- --key-name $keyname \
- --flavor dc1.1x1 \
- --image $fedora_image_id \
- --nic "net-id=$network_id,v4-fixed-ip=192.168.222.144" \
- --security-groups default,web-server \
- --user-data ./baserock-ops-team.cloud-config
-
- ansible-playbook -i hosts baserock_openid_provider/image-config.yml
- ansible-playbook -i hosts baserock_openid_provider/instance-config.yml
-
-The baserock_openid_provider system is stateless.
-
-To change Cherokee configuration, it's usually easiest to use the
-cherokee-admin tool in a running instance. SSH in as normal but forward port
-9090 to localhost (pass `-L9090:localhost:9090` to SSH). Backup the old
-/etc/cherokee/cherokee.conf file, then run `cherokee-admin`, and log in using
-the creditials it gives you. After changing the configuration, please update
-the cherokee.conf in infrastructure.git to match the changes `cherokee-admin`
-made.
-
-### Gerrit
-
-To deploy to production, run these commands in a Baserock 'devel'
-or 'build' system.
-
- nova volume-create \
- --display-name gerrit-volume \
- --display-description 'Gerrit volume' \
- --volume-type Ceph \
- 100
-
- git clone git://git.baserock.org/baserock/baserock/infrastructure.git
- cd infrastructure
-
- morph build systems/gerrit-system-x86_64.morph
- morph deploy baserock_gerrit/baserock_gerrit.morph
-
- nova boot gerrit.baserock.org \
- --key-name $keyname \
- --flavor 'dc1.2x4.40' \
- --image baserock_gerrit \
- --nic "net-id=$network_id,v4-fixed-ip=192.168.222.69" \
- --security-groups default,gerrit,git-server,web-server \
- --user-data baserock-ops-team.cloud-config
-
- nova volume-attach gerrit.baserock.org <volume-id> /dev/vdb
-
-Accept the license and download the latest Java Runtime Environment from
-http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html
-
-Accept the license and download the latest Java Cryptography Extensions from
-http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
-
-Save these two files in the baserock_gerrit/ folder. The instance-config.yml
-Ansible playbook will upload them to the new system.
-
- # Don't copy-paste this! Use the Oracle website instead!
- wget --no-cookies --no-check-certificate \
- --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
- "http://download.oracle.com/otn-pub/java/jdk/8u40-b25/server-jre-8u40-linux-x64.tar.gz"
- wget --no-cookies --no-check-certificate \
- --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
- "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip"
-
- ansible-playbook -i hosts baserock_gerrit/instance-config.yml
-
-For baserock.org Gerrit you will also need to run:
-
- ansible-playbook -i hosts baserock_gerrit/instance-ca-certificate-config.yml
-
-If you are restoring from a backup, rsync the data across from your
-backup server on the instance, then start the gerrit service.
-
- systemctl stop gerrit.service
- rm -r /srv/gerrit/*
-
- rsync --archive --chown gerrit:gerrit --hard-links \
- --info=progress2 --partial --sparse \
- root@backupserver:/srv/backup/gerrit/* /srv/gerrit/
-
- systemctl start gerrit.service
-
-NOTE: If you are restoring a backup from an older version of Gerrit, you
-might need to run some of the following commands to migrate the schemas of the
-database, and also gerrit data (This was needed to move from 2.9.4 to 2.11.4):
-
- java -jar /opt/gerrit/gerrit-2.11.3.war init -d /srv/gerrit
- java -jar /opt/gerrit/gerrit-2.11.3.war reindex -d /srv/gerrit
-
-
-#### Access control
-
-Gerrit should now be up and running and accessible through the web interface.
-By default this is on port 8080. Log into the new Gerrit instance with your
-credentials. Make sure you're the first one to have registered, and you will
-automatically have been added to the Administrators group.
-
-You can add more users into the Administrators group later on using the [gerrit
-set-members] command, or the web interface.
-
-Go to the settings page, 'HTTP Password' and generate a HTTP password for
-yourself. You'll need it in the next step. The password can take a long time to
-appear for some reason, or it might not work at all. Click off the page and
-come back to it and it might suddenly have appeared. I've not investigated why
-this happens.
-
-Generate the SSH keys you need, if you don't have them.
-
- mkdir -p keys
- ssh-keygen -t rsa -b 4096 -C 'lorry@gerrit.baserock.org' -N '' -f keys/lorry-gerrit.key
-
-Now set up the Gerrit access configuration. This Ansible playbook requires a
-couple of non-standard packages.
-
- git clone git://git.baserock.org/delta/python-packages/pygerrit.git
- git clone git://github.com/ssssam/ansible-gerrit
- cd ansible-gerrit && make; cd -
-
- export GERRIT_URL=gerrit web URL
- export GERRIT_ADMIN_USERNAME=your username
- export GERRIT_ADMIN_PASSWORD=your generated HTTP password
- export GERRIT_ADMIN_REPO=ssh://you@gerrit:29418/All-Projects.git
-
- ANSIBLE_LIBRARY=./ansible-gerrit PYTHONPATH=./pygerrit \
- ansible-playbook baserock_gerrit/gerrit-access-config.yml
-
-[gerrit set-members]: https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.4/cmd-set-members.html
-
-#### Mirroring
-
-Run:
-
- ansible-playbook -i hosts baserock_gerrit/instance-mirroring-config.yml
-
-Now clone the Gerrit's lorry-controller configuration repository, commit the
-configuration file to it, and push.
-
- # FIXME: we could use the git_commit_and_push Ansible module for this now,
- # instead of doing it manually.
-
- git clone ssh://$GERRIT_ADMIN_USERNAME@gerrit.baserock.org:29418/local-config/lorries.git /tmp/lorries
- cp baserock_gerrit/lorry-controller.conf /tmp/lorries
- cd /tmp/lorries
- git checkout -b master
- git add .
- git commit -m "Add initial Lorry Controller mirroring configuration"
- git push origin master
- cd -
-
-Now SSH in as 'root' to gerrit.baserock.org, tunnelling the lorry-controller
-webapp's port to your local machine:
-
- ssh -L 12765:localhost:12765 root@gerrit.baserock.org
-
-Visit <http://localhost/1.0/status-html>. You should see the lorry-controller
-status page. Click 'Re-read configuration', if there are any errors in the
-configuration it'll tell you. If not, it should start mirroring stuff from
-your Trove.
-
-Create a Gitano account on the Trove you want to push changes to for the Gerrit
-user. The `instance-config.yml` Ansible playbook will have generated an SSH
-key. Run these commands on the Gerrit instance:
-
- ssh git@git.baserock.org user add gerrit "gerrit.baserock.org" gerrit@baserock.org
- ssh git@git.baserock.org as gerrit sshkey add main < ~gerrit/.ssh/id_rsa.pub
-
-Add the 'gerrit' user to the necessary -writers groups on the Trove, to allow
-the gerrit-replication plugin to push merged changes to 'master' in the Trove.
-
- ssh git@git.baserock.org group adduser baserock-writers gerrit
- ssh git@git.baserock.org group adduser local-config-writers gerrit
-
-Add the host key of the remote trove, to the Gerrit system:
-
- sudo -u gerrit sh -c 'ssh-keyscan git.baserock.org >> ~gerrit/.ssh/known_hosts'
-
-Check the 'gerrit' user's Trove account is working.
-
- sudo -u gerrit ssh git@git.baserock.org whoami
-
-Now enable the gerrit-replication plugin, check that it's now in the list of
-plugins, and manually start a replication cycle. You should see log output from
-the final SSH command showing any errors.
-
- ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 gerrit plugin enable replication
- ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 gerrit plugin ls
- ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 replication start --all --wait
-
-### StoryBoard
-
- ansible-galaxy install -r baserock_storyboard/ansible-galaxy-roles.yaml -p ./baserock_storyboard/roles
-
- nova volume-create \
- --display-name storyboard-volume \
- --display-description 'Storyboard volume' \
- --volume-type Ceph \
- 100
-
- nova boot storyboard.baserock.org \
- --key-name $keyname \
- --flavor 'dc1.1x1.20' \
- --image $ubuntu_image_id \
- --nic "net-id=$network_id,v4-fixed-ip=192.168.222.131" \
- --security-groups default,web-server \
- --user-data baserock-ops-team.cloud-config
-
- nova volume-attach storyboard.baserock.org <volume-id> /dev/vdb
-
- ansible-playbook -i hosts baserock_storyboard/instance-config.yml
- ansible-playbook -i hosts baserock_storyboard/instance-backup-config.yml
- ansible-playbook -i hosts baserock_storyboard/instance-storyboard-config.yml
-
### Trove
To deploy to production, run these commands in a Baserock 'devel'
@@ -750,39 +441,6 @@ To deploy this system to production:
ansible-playbook -i hosts baserock_ostree/instance-config.yml
ansible-playbook -i hosts baserock_ostree/ostree-access-config.yml
-Creating new repos
-------------------
-
-This is a quick guide on how to create a new repo to hold Baserock project
-stuff.
-
-The creation of the repo must have been proposed on baserock-dev and had
-two +1s.
-
-Ideally, don't create a new repo. We don't want development to be split across
-dozens of different repos, and we don't want Gerrit and the
-<git.baserock.org/baserock/baserock> to become full of clutter. If you're
-prototyping something, use a different Git server
-([Github](https://www.github.com/), for example). But it is sometimes
-necessary.
-
-1. Create repo on git.baserock.org:
-
- ssh git@git.baserock.org create baserock/baserock/$NAME
- ssh git@git.baserock.org config baserock/baserock/$NAME \
- set project.description "$DESCRIPTION"
-
- The 'lorry-controller' service on gerrit.baserock.org will automatically
- create the corresponding project in Gerrit whenever it next runs.
-
-2. Add project in Storyboard. First edit `baserock_storyboard/projects.yaml`
- add the new project to the list, then:
-
- scp baserock_storyboard/projects.yaml ubuntu@storyboard.baserock.org:
- ssh ubuntu@storyboard.baserock.org storyboard-db-manage load_projects projects.yaml
-
-3. Submit a patch for infrastructure.git with your changes, and submit to Gerrit.
-
SSL certificates
================
diff --git a/baserock_database/backup-snapshot.conf b/baserock_database/backup-snapshot.conf
deleted file mode 100644
index cb3a2ff0..00000000
--- a/baserock_database/backup-snapshot.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-services:
- - mariadb.service
-
-volume: /dev/vg0/database
diff --git a/baserock_database/baserock_gerrit.database_password.yml b/baserock_database/baserock_gerrit.database_password.yml
deleted file mode 100644
index 38caa0cd..00000000
--- a/baserock_database/baserock_gerrit.database_password.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-66306339306134653238353966383236333636663732663137353838383862303161633133373961
-3537353033386136393732616335366437333464346332300a663532386263383766363063633531
-62303532376563323435343163303963343533353835333665343638393239323436653761323663
-6666636434636539320a616131383433613366363331373132323638383966303133376531646134
-35363338363562353935333934333739653237393031373439363238616138366461623136636334
-31616633613465333965323431376232313333343938663163333536653232326435376563383331
-313934363231363363306537333663316538
diff --git a/baserock_database/baserock_openid_provider.database_password.yml b/baserock_database/baserock_openid_provider.database_password.yml
deleted file mode 100644
index 87168a6e..00000000
--- a/baserock_database/baserock_openid_provider.database_password.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32383734393262333363656131643833393837633732616236643132666666306338313630623063
-3139343230336532313731636530373666386434363835610a333166323433616232313562363339
-33316234313337393031616466626138633434653264643531323034616661386531646466666264
-3833646432373665340a613231366633616563333434376130393563316333303963643337363835
-38333130373239363439653766326332626634313964643631646266633263643564316264366135
-62326164376461363833646630663830333566636132333939643138333730323162643934366464
-353437623635626164383262343263656430
diff --git a/baserock_database/baserock_storyboard.database_password.yml b/baserock_database/baserock_storyboard.database_password.yml
deleted file mode 100644
index 9eec86d8..00000000
--- a/baserock_database/baserock_storyboard.database_password.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36386162356637613335666438383662663961383264396564303533336530363136636433613634
-3637383335653134343666323534326661303664326634320a373563663338626462646465326330
-31313930623731633737613161386464663061383433386237383234383064363735306166623039
-3261303036353166640a363666316534353566303665316365353966646466643136366336333363
-64653933356634623833313937393662626235343830613961643231613232336634313435346266
-3565336130396437663738346239666665396234383165666233
diff --git a/baserock_database/image-config.yml b/baserock_database/image-config.yml
deleted file mode 100644
index 7b89e700..00000000
--- a/baserock_database/image-config.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-# System configuration for Baserock database server.
-#
-# This Ansible playbook expects to be run on a Fedora 23 Cloud image.
----
-- hosts: database-mariadb
- gather_facts: False
- sudo: True
- tasks:
- # See: https://fedoramagazine.org/getting-ansible-working-fedora-23/
- - name: install Python2 and required deps for Ansible modules
- raw: dnf install -y python2 python2-dnf libselinux-python
-
- - name: ensure system up to date
- dnf: name=* state=latest
-
- - name: enable persistant journal
- shell: mkdir /var/log/journal
- args:
- creates: /var/log/journal
-
- - name: install lvm2 tools
- dnf: name=lvm2 state=latest
-
- - name: install MariaDB
- dnf: name={{ item }} state=latest
- with_items:
- - mariadb
- - mariadb-server
- - MySQL-python
-
- # By default this is set to /var/lib/mysql, but this causes a hidden
- # directory to be created in /var/lib/mysql (.local/share/systemd) which
- # breaks MariaDB because it expects each directory in there to represent a
- # database, and you see this when upgrading:
- #
- # Phase 2/6: Fixing views
- # mysqlcheck: Got error: 1102: Incorrect database name '#mysql50#.local' when selecting the database
- #
- - name: fix home directory of MySQL user
- user: name=mysql home=/
-
- - name: disable SELinux on subsequent boots
- selinux: state=disabled
-
- - name: disable SELinux on current boot
- command: setenforce 0
diff --git a/baserock_database/instance-backup-config.yml b/baserock_database/instance-backup-config.yml
deleted file mode 100644
index d04e809b..00000000
--- a/baserock_database/instance-backup-config.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Instance backup configuration for the baserock.org database.
----
-- hosts: database-mariadb
- gather_facts: false
- sudo: yes
- vars:
- FRONTEND_IP: 192.168.222.143
- tasks:
- - name: pyyaml for Python 2
- dnf: PyYAML state=latest
-
- - name: backup-snapshot script
- copy: src=../backup-snapshot dest=/usr/bin/backup-snapshot mode=755
-
- - name: backup-snapshot config
- copy: src=backup-snapshot.conf dest=/etc/backup-snapshot.conf
-
- # We need to give the backup automation 'root' access, because it needs to
- # manage system services, LVM volumes, and mounts, and because it needs to
- # be able to read private data. The risk of having the backup key
- # compromised is mitigated by only allowing it to execute the
- # 'backup-snapshot' script, and limiting the hosts it can be used from.
- - name: access for backup SSH key
- authorized_key:
- user: root
- key: "{{ lookup('file', '../keys/backup.key.pub') }}"
- # Quotes are important in this options, the OpenSSH server will reject
- # the entry if the 'from' or 'command' values are not quoted.
- key_options: 'from="{{FRONTEND_IP}}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/bin/backup-snapshot"'
diff --git a/baserock_database/instance-config.yml b/baserock_database/instance-config.yml
deleted file mode 100644
index b3f6a8c6..00000000
--- a/baserock_database/instance-config.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# Instance configuration for Baserock database server.
-#
-# This script expects a volume to be available at /dev/vdb.
----
-- hosts: database-mariadb
- gather_facts: False
- sudo: yes
- tasks:
- - include: ../tasks/create-data-volume.yml lv_name=database lv_size=25g mountpoint=/var/lib/mysql
-
- - name: ensure mysql user owns /var/lib/mysql
- file: path=/var/lib/mysql owner=mysql group=mysql mode=600 state=directory
-
- - name: start MariaDB service
- service: name=mariadb state=started
diff --git a/baserock_database/instance-mariadb-config.yml b/baserock_database/instance-mariadb-config.yml
deleted file mode 100644
index 0febaaf4..00000000
--- a/baserock_database/instance-mariadb-config.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-# MariaDB configuration for Baserock database server.
-#
-# The relevant .database_password.yml files will need to be available already.
-# Create these manually and keep them somewhere safe and secret.
----
-- hosts: database-mariadb
- gather_facts: False
- vars_files:
- - root.database_password.yml
- - baserock_gerrit.database_password.yml
- - baserock_openid_provider.database_password.yml
- - baserock_storyboard.database_password.yml
- tasks:
- - name: creating root database user
- mysql_user: |
- name=root
- password={{ root_password }}
- login_host=127.0.0.1
- login_user=root
- login_password={{ root_password }}
- check_implicit_admin=yes
-
- - name: remove the MySQL test database
- mysql_db:
- name=test state=absent
- login_host=127.0.0.1
- login_user=root
- login_password={{ root_password }}
-
- # Note that UTF-8 encoding and collation is *not* the default. Don't remove
- # those lines or you will end up with a horrible disaster of a database.
- - name: adding databases
- mysql_db: |
- name={{ item }}
- state=present
- login_host=127.0.0.1
- login_user=root
- login_password={{ root_password }}
- collation=utf8_unicode_ci
- encoding=utf8
- with_items:
- - gerrit
- - openid_provider
- - storyboard
-
- # We could probably restrict the privileges of these users further...
- #
- # I feel like setting 'host="%"' (i.e. not enforcing that the account can
- # only be used by IPs within the cloud's local network, or even a single
- # known IP adress) is kind of bad practice, but since the database server
- # is not exposed to the internet anyway I don't think it's important right
- # now.
- - name: adding other database users
- mysql_user: |
- name="{{ item.name }}"
- host="%"
- password={{ item.password }}
- priv={{ item.priv }}
- login_host=127.0.0.1
- login_user=root
- login_password={{ root_password }}
- with_items:
- - name: gerrit
- password: "{{ baserock_gerrit_password }}"
- priv: gerrit.*:ALL
- - name: openid
- password: "{{ baserock_openid_provider_password }}"
- priv: openid_provider.*:ALL
- - name: storyboard
- password: "{{ baserock_storyboard_password }}"
- priv: storyboard.*:ALL
diff --git a/baserock_database/root.database_password.yml b/baserock_database/root.database_password.yml
deleted file mode 100644
index 68431d18..00000000
--- a/baserock_database/root.database_password.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-62383563663266373036633362393762316336386439303064313766336166353930623430356430
-3462373632333264303838633164653537336536316638620a356433386563643963363935356666
-34316337626364353430636466386135356531363331643165343332346631633732323062346138
-3665336632386361390a373030386438613332616632353733616262653561666438396437373738
-39313339313566613936353634376666346562373032646236386665633634323761303265323633
-6263643438623661633939366239363430366162393466663133
diff --git a/baserock_gerrit/All-Projects/groups b/baserock_gerrit/All-Projects/groups
deleted file mode 100644
index da2baa74..00000000
--- a/baserock_gerrit/All-Projects/groups
+++ /dev/null
@@ -1,16 +0,0 @@
-# UUID Group Name
-#
-global:Anonymous-Users Anonymous Users
-global:Project-Owners Project Owners
-global:Registered-Users Registered Users
-
-# This file is filled in with the other group IDs by the
-# gerrit-access-config.yml Ansible playbook.
-b660c33b68509db9dbd9578ae00035da90c0d5eb Administrators
-8e467a11f116bb716a65ac85e28bf09ebfeb0d63 Non-Interactive Users
-898d9c4232b8fcac6a3b128f7264c5d4c8b1eead Developers
-b8fc45c681b94669fe3fa965c48d5221a515a3a6 Mergers
-8c788c828285c3dd0a8c1cc152de6735085def9f Mirroring Tools
-a7a9cc6639bd943e47da0d20b39267a08b43cd91 Release Team
-d643abb0ad6e9d5ac33093af5cd3a3d4e484d95d Reviewers
-cea6c19a08e11b74e63a567e050bec2c6eeb14dc Testers
diff --git a/baserock_gerrit/All-Projects/project.config b/baserock_gerrit/All-Projects/project.config
deleted file mode 100644
index f3069904..00000000
--- a/baserock_gerrit/All-Projects/project.config
+++ /dev/null
@@ -1,125 +0,0 @@
-# Top-level access controls for projects on Baserock Gerrit.
-
-# These can be overridden by a project's own project.config file. They are also
-# overridden by the config of a project's parent repo, if it is set to something
-# other than the default parent project 'All-Projects'.
-
-# Useful references:
-#
-# https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/access-control.html
-# https://git.openstack.org/cgit/openstack-infra/system-config/tree/doc/source/gerrit.rst
-
-# To deploy changes to this file, you need to manually commit it and push it to
-# the 'refs/meta/config' ref of the All-Projects repo in Gerrit.
-
-[project]
- description = Access inherited by all other projects.
-
-[receive]
- requireContributorAgreement = false
- requireSignedOffBy = false
- requireChangeId = true
-
-[submit]
- mergeContent = true
- action = rebase if necessary
-
-[capability]
- administrateServer = group Administrators
- priority = batch group Non-Interactive Users
- streamEvents = group Non-Interactive Users
-
- createProject = group Mirroring Tools
-
-# Everyone can read everything.
-[access "refs/*"]
- read = group Administrators
- read = group Anonymous Users
-
-
-# Developers can propose changes. All 'Registered Users' are 'Developers'.
-[access "refs/for/refs/*"]
- push = group Developers
- pushMerge = group Developers
-
-
-[access "refs/heads/*"]
- forgeAuthor = group Developers
- rebase = group Developers
- label-Code-Review = -2..+2 group Mergers
- submit = group Mergers
- label-Code-Review = -1..+1 group Reviewers
-# label-Verified = -1..+1 group Testers
-
- create = group Administrators
- forgeAuthor = group Administrators
- forgeCommitter = group Administrators
- push = group Administrators
- create = group Project Owners
- forgeAuthor = group Project Owners
- forgeCommitter = group Project Owners
- push = group Project Owners
- create = group Mergers
- forgeAuthor = group Mergers
- push = +force group Mergers
-
- create = group Mirroring Tools
- forgeAuthor = group Mirroring Tools
- forgeCommitter = group Mirroring Tools
- push = +force group Mirroring Tools
-
-
-# Nobody should be able to force push to 'master'. In particular, if Lorry
-# can force-push master then it will do, in the course of mirroring from
-# git.baserock.org, and this may undo merges that Gerrit just did and really
-# confuse things.
-[access "refs/heads/master"]
- exclusiveGroupPermissions = push
- push = block +force group Mergers
- push = block +force group Mirroring Tools
-
-
-[access "refs/tags/*"]
- pushTag = group Release Team
- pushSignedTag = group Release Team
-
- pushTag = group Administrators
- pushSignedTag = group Administrators
- pushTag = group Project Owners
- pushSignedTag = group Project Owners
-
- create = group Mirroring Tools
- forgeAuthor = group Mirroring Tools
- forgeCommitter = group Mirroring Tools
- push = +force group Mirroring Tools
- pushTag = +force group Mirroring Tools
- pushSignedTag = +force group Mirroring Tools
-
-
-# Changing project configuration is allowed for Administrators only. (In theory
-# anyone who owns a project can change its permissions, but right now all
-# projects should be owned by the Administrators group).
-[access "refs/meta/config"]
- exclusiveGroupPermissions = read
-
- read = group Administrators
- push = group Administrators
- read = group Project Owners
- push = group Project Owners
-
-[label "Code-Review"]
- function = MaxWithBlock
- copyMinScore = true
- value = -2 Do not merge
- value = -1 This patch needs further work before it can be merged
- value = 0 No score
- value = +1 Looks good to me, but someone else must approve
- value = +2 Looks good to me, approved
-
-# Disabled for now, because there is no automated test tool hooked up to our
-# Gerrit yet.
-#[label "Verified"]
-# function = MaxWithBlock
-# value = -1 Failed
-# value = 0 No score
-# value = +1 Verified
diff --git a/baserock_gerrit/backup-snapshot.conf b/baserock_gerrit/backup-snapshot.conf
deleted file mode 100644
index e8e2f3fc..00000000
--- a/baserock_gerrit/backup-snapshot.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-services:
- - lorry-controller-minion@1.service
- - gerrit.service
-
-volume: /dev/vg0/gerrit
diff --git a/baserock_gerrit/baserock_gerrit.morph b/baserock_gerrit/baserock_gerrit.morph
deleted file mode 100644
index f7907963..00000000
--- a/baserock_gerrit/baserock_gerrit.morph
+++ /dev/null
@@ -1,27 +0,0 @@
-name: baserock_gerrit
-kind: cluster
-
-description: |
- Deployment .morph for baserock.org Gerrit system.
-
- Configuration of the system is handled separately, with a series of
- Ansible playbooks that should be run after an instance of the system
- is up and running. See the README for instructions.
-
-systems:
-- morph: systems/gerrit-system-x86_64.morph
- deploy:
- gerrit.baserock.org:
- type: extensions/openstack
- location: https://compute.datacentred.io:5000/v2.0
-
- # You can use this method to deploy upgrades over SSH, after the
- # machine is deployed.
- upgrade-type: extensions/ssh-rsync
- upgrade-location: root@192.168.222.69
-
- OPENSTACK_IMAGENAME: baserock_gerrit
- CLOUD_INIT: true
- DISK_SIZE: 3G
- HOSTNAME: gerrit
- KERNEL_ARGS: console=tty0 console=ttyS0
diff --git a/baserock_gerrit/branding/GerritSite.css b/baserock_gerrit/branding/GerritSite.css
deleted file mode 100644
index 6a17f43d..00000000
--- a/baserock_gerrit/branding/GerritSite.css
+++ /dev/null
@@ -1,15 +0,0 @@
-body {color: #000 !important; background: url("static/openstack-page-bkg.jpg") no-repeat scroll 0 0 white !important; position: static}
-#gerrit_header {display: block !important; position: relative; top: -60px; margin-bottom: -60px; width: 200px; padding-left: 17px}
-#gerrit_header h1 {font-family: 'PT Sans', sans-serif; font-weight: normal; letter-spacing: -1px}
-
-#gerrit_topmenu {background: none; position:relative; top: 0px; left: 220px; margin-right: 220px}
-
-#gerrit_topmenu tbody tr td table {border: 0}
-
-#gerrit_topmenu tbody tr td table.gwt-TabBar {color: #353535; border-bottom: 1px solid #C5E2EA;}
-#gerrit_topmenu .gwt-Button {padding: 3px 6px}
-.gwt-TabBarItem-selected {color: #CF2F19 !important; border-bottom: 3px solid #CF2F19;}
-.gwt-TabBarItem {color: #353535; border-right: 0 !important}
-.gwt-TabBar .gwt-TabBarItem, .gwt-TabBar .gwt-TabBarRest, .gwt-TabPanelBottom {background: 0 !important;}
-
-#gerrit_topmenu .gwt-TextBox {width: 250px}
diff --git a/baserock_gerrit/branding/GerritSiteHeader.html b/baserock_gerrit/branding/GerritSiteHeader.html
deleted file mode 100644
index 5ad8d902..00000000
--- a/baserock_gerrit/branding/GerritSiteHeader.html
+++ /dev/null
@@ -1 +0,0 @@
-<h2 class="typo3-logo"> <a href="/"><img src="/static/baserock-logo.png" width="200" /></a> </h2>
diff --git a/baserock_gerrit/branding/baserock-logo.png b/baserock_gerrit/branding/baserock-logo.png
deleted file mode 100644
index 65811263..00000000
--- a/baserock_gerrit/branding/baserock-logo.png
+++ /dev/null
Binary files differ
diff --git a/baserock_gerrit/branding/openstack-page-bkg.jpg b/baserock_gerrit/branding/openstack-page-bkg.jpg
deleted file mode 100644
index f788c41c..00000000
--- a/baserock_gerrit/branding/openstack-page-bkg.jpg
+++ /dev/null
Binary files differ
diff --git a/baserock_gerrit/gerrit-access-config.yml b/baserock_gerrit/gerrit-access-config.yml
deleted file mode 100644
index cb8c4fea..00000000
--- a/baserock_gerrit/gerrit-access-config.yml
+++ /dev/null
@@ -1,159 +0,0 @@
-# Baserock Gerrit access controls, and predefined users, groups and projects.
-#
-# This Ansible playbook requires the ansible-gerrit modules:
-#
-# https://www.github.com/ssssam/ansible-gerrit
-#
-# These modules depend on pygerrit:
-#
-# https://www.github.com/sonyxperiadev/pygerrit/
-#
-# If you want to change the configuration, just edit this script and rerun it,
-# as described in the README.
-#
-# This script currently doesn't handle committing changes to the access control
-# rules for the 'All-Projects' project. To set up or modify the access control
-# rules, you'll need to manually commit project.config (in the All-Projects
-# subdirectory) to the 'refs/meta/config' ref of the All-Projects repo in
-# Gerrit. The 'groups' file will need to list all the groups referenced in
-# project.config. This script will add the UUIDs of all groups listed below
-# to the All-Projects/groups file, so you don't have to create it manually.
----
-- hosts: localhost
- tasks:
- # System groups:
- # - Anonymous Users
- # - Change Owner
- # - Project Owners
- # - Registered Users
-
- # Prefined groups:
- # - Administrators
- # - Non-Interactive Users
-
- - gerrit_group:
- name: Administrators
- register: administrators_group
-
- - gerrit_group:
- name: Non-Interactive Users
- register: non_interactive_users_group
-
- # The 'owner' of a group defines who can modify that group. Users
- # who are in the 'owner' group for a group 'Groupies' can add and remove
- # people (and other groups) from 'Groupies' and can change the name,
- # description and owner of 'Groupies.' Since we don't want the
- # names, descriptions or owners of these predefined groups being
- # changed, they are all left owned by the Administrators group.
-
- - gerrit_group:
- name: Developers
- description: Registered users who choose to submit changes for consideration.
- owner: Administrators
- included_groups:
- - Registered Users
- register: developers_group
-
- # Right now all Mergers are in the Release Team by default.
- - gerrit_group:
- name: Release Team
- description: Developers who can tag releases
- owner: Administrators
- included_groups:
- - Mergers
- register: release_team_group
-
- - gerrit_group:
- name: Mergers
- description: Developers who can trigger the actual merging of a change.
- owner: Administrators
- register: mergers_group
-
- - gerrit_group:
- name: Mirroring Tools
- description: Programs that pull changes from external repositories into Gerrit's Git server
- owner: Administrators
- register: mirroring_tools_group
-
- - gerrit_group:
- name: Reviewers
- description: Registered users who choose to give +1 / -1 reviews to proposed changes.
- owner: Administrators
- included_groups:
- - Registered Users
- register: reviewers_group
-
- - gerrit_group:
- name: Testers
- description: Testers that can give +1 / -1 Verified to proposed changes.
- owner: Administrators
- register: testers_group
-
- # Non-interactive accounts.
-
- - gerrit_account:
- username: firehose
- fullname: Firehose integration bot
- email: firehose@baserock.org
- groups:
- - Non-Interactive Users
- - Developers
- #ssh_key: xx
-
- - gerrit_account:
- username: lorry
- fullname: Lorry mirroring service
- email: lorry@baserock.org
- groups:
- - Mirroring Tools
- - Non-Interactive Users
- # FIXME: ansible-gerrit module should be able to handle a filename
- # here, instead of needing this hack to read the contents.
- ssh_key: "{{ lookup('file', '../keys/lorry-gerrit.key.pub') }}"
-
- - gerrit_account:
- username: mason
- fullname: Mason automated tester
- email: mason@baserock.org
- groups:
- - Non-Interactive Users
- - Testers
- #ssh_key: xx
-
- # It'd make more sense to do this in the mirroring-config.yml file, but
- # then the admin would need to supply their Gerrit credentials to that
- # playbook too (which is more tricky, because it doesn't run on
- # 'localhost').
- - name: repo to hold Lorry Controller mirroring configuration
- gerrit_project:
- name: local-config/lorries
- description: Configuration for Lorry for mirroring from Trove
-
- - name: create 'groups' mapping required by Gerrit
- lineinfile:
- create: yes
- dest: All-Projects/groups
- line: "{{ item.group_info.id }}\t{{ item.group_info.name }}"
- with_items:
- - "{{ administrators_group }}"
- - "{{ non_interactive_users_group }}"
- - "{{ developers_group }}"
- - "{{ mergers_group }}"
- - "{{ mirroring_tools_group }}"
- - "{{ release_team_group }}"
- - "{{ reviewers_group }}"
- - "{{ testers_group }}"
-
- - name: push access configuration for all repos
- git_commit_and_push:
- repo: "{{ ansible_env.GERRIT_ADMIN_REPO }}"
- ref: refs/meta/config
- files:
- - ./All-Projects/groups
- - ./All-Projects/project.config
- strip_path_components: 1
- commit_message: |
- Update global project access control rules.
-
- This commit was made by an Ansible playbook living in
- git://git.baserock.org/baserock/baserock/infrastructure.
diff --git a/baserock_gerrit/gerrit.config b/baserock_gerrit/gerrit.config
deleted file mode 100644
index e162f052..00000000
--- a/baserock_gerrit/gerrit.config
+++ /dev/null
@@ -1,54 +0,0 @@
-# This is the main Gerrit configuration. If you make changes to this
-# file, rerun `ansible-playbook -i hosts baserock_gerrit/instance-config.yml`
-# to deploy them to production.
-
-[gerrit]
- basePath = git
- canonicalWebUrl = https://gerrit.baserock.org/
-[database]
- type = mysql
- hostname = 192.168.222.30
- database = gerrit
- username = gerrit
-[index]
- type = LUCENE
-[auth]
- type = OPENID_SSO
- allowedOpenID = https://openid.baserock.org/
- trustedOpenID = https://openid.baserock.org/
- # XRDS is a mechanism for saying 'here are the services I provide'. Gerrit
- # expects the URL provided here to describe the OpenID provider service
- # using XRDS.
- openIdSsoUrl = https://openid.baserock.org/openid/xrds/
-[sendemail]
- smtpServer = 192.168.222.145
- # Send mails as '${user} (Code Review) <gerrit.baserock.org>'
- # The gerrit@baserock.org email comes from the user.email setting
- # below
- from = MIXED
-[user]
- name = Baserock Gerrit
- email = gerrit@baserock.org
-[sshd]
- listenAddress = *:29418
-[httpd]
- listenUrl = proxy-https://*:8080/
-[cache]
- directory = cache
-[cache "web_sessions"]
- # Remember user logins for a year (default is 12 hours, which gets a
- # bit annoying).
- maxAge = 1 y
-[user]
- email = "gerrit@baserock.org"
-
-# It seems like a bad idea to enable remote administration of plugins, but
-# there is absolutely no information available on how to do 'local'
-# administration of Gerrit plugins, so we can't really avoid it.
-[plugins]
- allowRemoteAdmin = true
-[container]
- user = gerrit
- javaHome = {{ JRE_DIR }}/jre
-[receive]
- enableSignedPush = false
diff --git a/baserock_gerrit/gerrit.service b/baserock_gerrit/gerrit.service
deleted file mode 100644
index 478693c3..00000000
--- a/baserock_gerrit/gerrit.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Gerrit Code Review Server
-After=network.target
-
-[Service]
-User=gerrit
-Group=gerrit
-Type=simple
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier=gerrit
-ExecStart={{ run_gerrit }} daemon --site-path /srv/gerrit --console-log
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
diff --git a/baserock_gerrit/instance-backup-config.yml b/baserock_gerrit/instance-backup-config.yml
deleted file mode 100644
index cc647285..00000000
--- a/baserock_gerrit/instance-backup-config.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Instance backup configuration for the baserock.org Gerrit system.
----
-- hosts: gerrit
- gather_facts: false
- vars:
- FRONTEND_IP: 192.168.222.143
- tasks:
- - name: backup-snapshot script
- copy: src=../backup-snapshot dest=/usr/bin/backup-snapshot mode=755
-
- - name: backup-snapshot config
- copy: src=backup-snapshot.conf dest=/etc/backup-snapshot.conf
-
- # Would be good to limit this to 'backup' user.
- - name: passwordless sudo
- lineinfile: dest=/etc/sudoers state=present line='%wheel ALL=(ALL) NOPASSWD:ALL' validate='visudo -cf %s'
-
- # We need to give the backup automation 'root' access, because it needs to
- # manage system services, LVM volumes, and mounts, and because it needs to
- # be able to read private data. The risk of having the backup key
- # compromised is mitigated by only allowing it to execute the
- # 'backup-snapshot' script, and limiting the hosts it can be used from.
- - name: access for backup SSH key
- authorized_key:
- user: root
- key: "{{ lookup('file', '../keys/backup.key.pub') }}"
- # Quotes are important in this options, the OpenSSH server will reject
- # the entry if the 'from' or 'command' values are not quoted.
- key_options: 'from="{{FRONTEND_IP}}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/bin/backup-snapshot"'
diff --git a/baserock_gerrit/instance-ca-certificate-config.yml b/baserock_gerrit/instance-ca-certificate-config.yml
deleted file mode 100644
index 60ab9e8f..00000000
--- a/baserock_gerrit/instance-ca-certificate-config.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-# The CA chain needed for the baserock.org certificate we use is present in
-# the system, but it's not present in the set of trusted root certificates
-# bundled with Java.
-#
-# We need Gerrit to trust the baserock.org certificate so that it will trust
-# https://openid.baserock.org/.
-#
-# This playbook is a hack at present: the second time you run it, the command
-# will fail because the certificate is already present. There is a proposed
-# Ansible module that can do this in a nicer way:
-# <https://github.com/ansible/ansible-modules-extras/pull/286/commits>.
----
-- hosts: gerrit
- gather_facts: False
- vars:
- JRE_DIR: /opt/jdk1.8.0_40
- tasks:
- - name: baserock.org SSL certificate with chain of trust
- copy:
- src: ../certs/frontend.pem
- dest: /home/gerrit
-
- - name: install SSL certificate into Java certificate keystore
- java_cert:
- cert_alias: baserock-frontent-cert
- cert_path: /home/gerrit/frontend.pem
- keystore_path: "{{ JRE_DIR }}/jre/lib/security/cacerts"
- executable: "{{ JRE_DIR }}/jre/bin/keytool"
- keystore_pass: changeit
- state: present
diff --git a/baserock_gerrit/instance-config.yml b/baserock_gerrit/instance-config.yml
deleted file mode 100644
index 30bdf7ae..00000000
--- a/baserock_gerrit/instance-config.yml
+++ /dev/null
@@ -1,133 +0,0 @@
-# Instance-specific configuration for the baserock.org Gerrit system.
-#
-# You must have the Java SE Runtime Environment binary available in the
-# baserock_gerrit directory when you run this script.
-#
-# Download it from here:
-# <http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html>
-#
-- hosts: gerrit
- gather_facts: False
- vars:
- GERRIT_VERSION: 2.13.1
-
- # Download from http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html
- JRE_FILE: server-jre-8u40-linux-x64.tar.gz
- # This path should correspond to where the JRE ends up if you extract the
- # downloaded tarball in /opt.
- JRE_DIR: /opt/jdk1.8.0_40
-
- # Download from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
- JCE_FILE: jce_policy-8.zip
-
- run_gerrit: "{{ JRE_DIR }}/bin/java -jar /opt/gerrit/gerrit-{{ GERRIT_VERSION }}.war"
- vars_files:
- - ../baserock_database/baserock_gerrit.database_password.yml
- tasks:
- - name: add gerrit user
- user:
- name: gerrit
- shell: /bin/false
- generate_ssh_key: yes
- ssh_key_comment: gerrit@baserock.org
-
- - name: unpack the Java Runtime Environment
- unarchive: src={{ JRE_FILE }} dest=/opt owner=root group=root creates={{ JRE_DIR }}
-
- # The Java Cryptography Extensions are needed in order to enable all SSH
- # ciphers, due to US export restrictions.
- - name: unpack the Java Cryptography Extensions
- unarchive: src={{ JCE_FILE }} dest=/opt owner=root group=root creates=/opt/UnlimitedJCEPolicyJDK8/
-
- - name: install the Java Cryptography Extensions
- file: src=/opt/UnlimitedJCEPolicyJDK8/{{ item }} dest={{ JRE_DIR }}/jre/lib/security/{{ item }} state=link force=yes
- with_items:
- - local_policy.jar
- - US_export_policy.jar
-
- - name: create /opt/gerrit
- file: path=/opt/gerrit state=directory
-
- - name: download Gerrit
- get_url:
- url: https://gerrit-releases.storage.googleapis.com/gerrit-{{ GERRIT_VERSION }}.war
- dest: /opt/gerrit/gerrit-{{ GERRIT_VERSION }}.war
-
- - include: ../tasks/create-data-volume.yml lv_name=gerrit lv_size=25g mountpoint=/srv/gerrit
-
- - name: ensure 'gerrit' user owns /srv/gerrit
- file: path=/srv/gerrit owner=gerrit group=gerrit state=directory
-
- - name: initialise Gerrit application directory
- command: "{{ run_gerrit }} init -d /srv/gerrit creates=/srv/gerrit/etc/gerrit.config"
- sudo: yes
- sudo_user: gerrit
-
- - name: extract and install some plugins for gerrit
- shell: unzip /opt/gerrit/gerrit-{{ GERRIT_VERSION}}.war WEB-INF/plugins/{{ item }}.jar -p > /srv/gerrit/plugins/{{ item }}.jar
- args:
- creates: /srv/gerrit/plugins/{{ item }}.jar
- with_items:
- - replication
- - download-commands
- sudo: yes
- sudo_user: gerrit
-
- # WARNING Non core plugins are not compiled inside gerrit.war file, we need to
- # download them from somwhere else (https://gerrit-ci.gerritforge.com/ or
- # http://builds.quelltextlich.at/gerrit/nightly/index.html).
- #
- # We install them from there, but some of the plugins don't have an stable branch for
- # a given gerrit version. Check before runnig this script that this task
- # is pointing to the right version (API compatible) of the plugin
- - name: install non-core plugins for gerrit
- shell: wget https://gerrit-ci.gerritforge.com/job/plugin-{{ item }}-master/lastBuild/artifact/buck-out/gen/plugins/{{ item }}/{{ item }}.jar -O /srv/gerrit/plugins/{{ item }}.jar
- args:
- creates: /srv/gerrit/plugins/{{ item }}.jar
- with_items:
- - avatars-gravatar
- sudo: yes
- sudo_user: gerrit
-
- - name: download extra Java libraries
- get_url:
- url: "{{ item }}"
- dest: /srv/gerrit/lib
- with_items:
- # MySQL Java Connector
- - http://repo2.maven.org/maven2/mysql/mysql-connector-java/5.1.21/mysql-connector-java-5.1.21.jar
-
- # Bouncy Castle Crypto APIs for Java. The interactive `gerrit init`
- # command recommends installing these libraries, and who am I to argue?
- - http://repo2.maven.org/maven2/org/bouncycastle/bcpkix-jdk15on/1.52/bcpkix-jdk15on-1.52.jar
- - http://repo2.maven.org/maven2/org/bouncycastle/bcprov-jdk15on/1.52/bcprov-jdk15on-1.52.jar
-
- - name: install gerrit.config
- template: src=gerrit.config dest=/srv/gerrit/etc/gerrit.config
-
- - name: install images for branding
- copy: src=branding/{{ item }} dest=/srv/gerrit/static/{{ item }}
- with_items:
- - baserock-logo.png
- - openstack-page-bkg.jpg
- sudo: yes
- sudo_user: gerrit
-
- - name: install HTML and CSS for branding
- copy: src=branding/{{ item }} dest=/srv/gerrit/etc/{{ item }}
- with_items:
- - GerritSiteHeader.html
- - GerritSite.css
- sudo: yes
- sudo_user: gerrit
-
- - name: set database password
- command: git config -f /srv/gerrit/etc/secure.config database.password "{{ baserock_gerrit_password }}"
- sudo: yes
- sudo_user: gerrit
-
- - name: install gerrit.service
- template: src=gerrit.service dest=/etc/systemd/system/gerrit.service
-
- - name: start Gerrit service
- service: name=gerrit enabled=yes state=restarted
diff --git a/baserock_gerrit/instance-mirroring-config.yml b/baserock_gerrit/instance-mirroring-config.yml
deleted file mode 100644
index 19ac76cc..00000000
--- a/baserock_gerrit/instance-mirroring-config.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-# This Ansible playbook configures mirroring in and out of Gerrit.
-#
-# To run it, use:
-# ansible-playbook -i hosts baserock_gerrit/instance-mirroring-config.yml
-#
-# It expects the SSH key for the 'lorry' user to exist at
-# ../keys/lorry-gerrit.key.
-#
-# This script currently doesn't handle the lorry-controller.conf file that
-# controls what lorry-controller mirrors into Gerrit. To set up or modify
-# lorry-controller configuration you need to commit your changes to the
-# 'local-config/lorries' project on the Gerrit.
----
-- hosts: gerrit
- gather_facts: no
- sudo: yes
- tasks:
- - name: Lorry user
- user: name=lorry comment="Lorry mirroring service"
-
- # Ansible can generate a new SSH key for Lorry when we add the user,
- # but it seems tricky to then extract this and add it to the 'lorry' Gerrit
- # user.
- - name: SSH private key for Lorry user
- copy: src=../keys/lorry-gerrit.key dest=~/.ssh/id_rsa mode=600
- sudo_user: lorry
-
- - name: SSH public key for Lorry user
- copy: src=../keys/lorry-gerrit.key.pub dest=~/.ssh/id_rsa.pub mode=644
- sudo_user: lorry
-
- - name: directory in /etc for Lorry Controller system configuration
- file: dest=/etc/lorry-controller state=directory
-
- - name: Lorry tool configuration
- copy: src=lorry.conf dest=/etc/lorry.conf
-
- - name: Lorry Controller system configuration
- copy:
- src=lorry-controller/{{ item }}
- dest=/etc/lorry-controller/{{ item }}
- with_items:
- - minion.conf
- - webapp.conf
-
- - name: enable and restart core lorry controller services.
- service: name={{ item }} enabled=yes state=restarted
- with_items:
- - lighttpd-lorry-controller-webapp.service
- - lorry-controller-minion@1.service
-
- - name: enable lorry-controller scheduled activity timers
- service: name={{ item }} enabled=yes
- with_items:
- - lorry-controller-ls-troves.timer
- - lorry-controller-readconf.timer
- - lorry-controller-remove-ghost-jobs.timer
- - lorry-controller-remove-old-jobs.timer
- - lorry-controller-status.timer
-
- - name: gerrit-replication configuration
- copy: src=replication.config dest=/srv/gerrit/etc
- notify:
- - restart gerrit
-
-handlers:
- - name: restart gerrit
- service: name=gerrit state=restarted
diff --git a/baserock_gerrit/lorry-controller.conf b/baserock_gerrit/lorry-controller.conf
deleted file mode 100644
index 3f4818fe..00000000
--- a/baserock_gerrit/lorry-controller.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-[
- {
- "type": "trove",
-
- "trovehost": "git.baserock.org",
- "protocol": "http",
-
- "prefixmap": {
- "baserock": "baserock",
- "delta": "delta"
- },
-
- "ignore": [
- "baserock/baserock/documentation",
- "baserock/baserock/jenkins-config",
- "baserock/baserock/lorries",
- "baserock/baserock/morph-cache-server",
- "baserock/baserock/morphs",
- "baserock/baserock/remo",
- "baserock/local-config/mason",
- "baserock/site/*",
- "baserock/tests/*",
- "delta/*"
- ],
-
- "ls-interval": "4H",
- "interval": "2M"
- },
-
- {
- "type": "lorries",
- "interval": "2M",
- "prefix": "delta",
- "globs": [
- "delta-lorries/*.lorry"
- ]
- }
-]
diff --git a/baserock_gerrit/lorry-controller/minion.conf b/baserock_gerrit/lorry-controller/minion.conf
deleted file mode 100644
index 99abdba8..00000000
--- a/baserock_gerrit/lorry-controller/minion.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[config]
-log = syslog
-log-level = debug
-webapp-host = localhost
-webapp-port = 12765
-webapp-timeout = 3600
diff --git a/baserock_gerrit/lorry-controller/webapp.conf b/baserock_gerrit/lorry-controller/webapp.conf
deleted file mode 100644
index 755dd61e..00000000
--- a/baserock_gerrit/lorry-controller/webapp.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-[config]
-log = /home/lorry/webapp.log
-log-max = 100M
-log-keep = 1
-log-level = debug
-statedb = /home/lorry/webapp.db
-configuration-directory = /home/lorry/confgit
-status-html = /home/lorry/lc-status.html
-wsgi = yes
-debug-port = 12765
-templates = /usr/share/lorry-controller/templates
-confgit-url = http://localhost:8080/local-config/lorries
-git-server-type = gerrit
diff --git a/baserock_gerrit/lorry.conf b/baserock_gerrit/lorry.conf
deleted file mode 100644
index 03c1177b..00000000
--- a/baserock_gerrit/lorry.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[config]
-mirror-base-url-push = ssh://lorry@localhost:29418/
-bundle = never
-tarball = never
-working-area = /home/lorry/working-area
-verbose = yes
-log = /dev/stdout
-log-level = debug
diff --git a/baserock_gerrit/replication.config b/baserock_gerrit/replication.config
deleted file mode 100644
index 067acc9b..00000000
--- a/baserock_gerrit/replication.config
+++ /dev/null
@@ -1,30 +0,0 @@
-# Configuration for gerrit-replication plugin.
-#
-# This handles pushing changes from gerrit.baserock.org to git.baserock.org.
-#
-# To deploy changes in this file to production, run:
-# ansible-playbook -i hosts baserock_gerrit/instance-mirroring-config.yml
-
-[remote "trove"]
- url = ssh://git@git.baserock.org/${name}.git
-
- # Disable force-pushing and only sync 'master' and tags.
- #
- # This will probably prove annoying and we'll need to mirror more branches in
- # future. But right now there are hundreds of personal branches and I want to
- # avoid potential push errors for branches we don't care about.
- push = refs/heads/master:refs/heads/master
- push = refs/tags/*:refs/tags/*
-
- createMissingRepositories = false
- replicatePermissions = false
-
- # What to sync: this is a regexp that must match the whole project name.
- projects = ^baserock/.*$
-
- # If true, gerrit-replication will remove remote branches that are absent in
- # the trove. This is a bit dangerous, but necessary if we are to make gerrit
- # the 'master'. Note that if you set 'authGroup', branches that are not
- # visible to the configured authorisation group will also be removed. So do
- # not set 'authGroup' to anything.
- mirror = false
diff --git a/baserock_mail/image-config.yml b/baserock_mail/image-config.yml
deleted file mode 100644
index 8d65b4f7..00000000
--- a/baserock_mail/image-config.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-# System configuration for Baserock mail relay.
-#
-# This Ansible playbook expects to be run on a Fedora 23 Cloud image.
----
-- hosts: mail
- gather_facts: false
- sudo: yes
- tasks:
- # See: https://fedoramagazine.org/getting-ansible-working-fedora-23/
- - name: install Python2 and required deps for Ansible modules
- raw: dnf install -y python2 python2-dnf libselinux-python
-
- - name: enable persistant journal
- shell: mkdir /var/log/journal
- args:
- creates: /var/log/journal
-
- - name: ensure system up to date
- dnf: name=* state=latest
-
- - name: exim4 installation
- dnf: name=exim state=installed
diff --git a/baserock_mail/instance-config.yml b/baserock_mail/instance-config.yml
deleted file mode 100644
index b3cd3999..00000000
--- a/baserock_mail/instance-config.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-# Configuration for Baserock mail relay
-#
-# This Ansible playbook expects to be run after the image-config.yml playbook.
----
-- hosts: mail
- gather_facts: false
- sudo: yes
- vars:
- LOCAL_IP: 192.168.222.145
- PUBLIC_DOMAIN_NAME: mail.baserock.org
- tasks:
- # Fedora provides a default /etc/exim/exim.conf. Rather than copy it and
- # overwrite it, since we only need to make a few changes, I've used the
- # lineinfile module to do search-and-replace. It's a bit ugly though. It
- # may be better to just embed exim.conf.
-
- # Several restrictions here are also enforced by the internal-mail-relay
- # security group in firewall.yml, which only opens port 25, and only for
- # traffic from the local network.
-
- # This machine is only for sending mail.
- - name: do not accept any incoming mail
- lineinfile:
- regexp: '^domainlist\s+local_domains.*$'
- line: 'domainlist local_domains = '
- dest: /etc/exim/exim.conf
-
- - name: only accept mail from local network
- lineinfile:
- regexp: '^hostlist\s+relay_from_hosts.*$'
- line: 'hostlist relay_from_hosts = 192.168.222.0/24'
- dest: /etc/exim/exim.conf
-
- - name: only listen on internal interface
- lineinfile:
- regexp: '^#?local_interfaces.*$'
- line: 'local_interfaces = <; ::1 ; 127.0.0.1 ; {{ LOCAL_IP }}'
- insertbefore: BOF
- dest: /etc/exim/exim.conf
-
- # The automation email addresses like gerrit@baserock.org do have aliases,
- # but these are currently configured at Pepperfish, where our MX (mail)
- # records for baserock.org point. So Exim thinks they are not routable
- # and refuses to send mail from them, unless we disable this. Note that
- # the address does have to be routable by something, or the receiving mail
- # server may reject the mail anyway.
- - name: do not verify that sender is routable within this Exim instance
- lineinfile:
- regexp: '^#?\s*require\s+verify\s+=\s+sender.*$'
- line: '# require verify = sender'
- dest: /etc/exim/exim.conf
-
- # We don't have DNS in the internal baserock.org cloud right now, so this
- # would be pointless.
- - name: do not try to resolve hosts making SMTP requests
- lineinfile:
- regexp: '^#?\s+host_lookup = .*$'
- line: '# host_lookup = *'
- dest: /etc/exim/exim.conf
-
- # The hostname of the machine will be 'mail', which isn't a fully-qualified
- # domain name so will be rejected by SMTP servers. Ideally we would have
- # mail.baserock.org set up and pointing to the floating IP of this machine.
- # For now, we just have the IP.
- - name: set primary hostname to public IP
- lineinfile:
- regexp: '^#?\s+primary_hostname =.*$'
- line: 'primary_hostname = {{ PUBLIC_DOMAIN_NAME }}'
- dest: /etc/exim/exim.conf
-
- - name: exim4 service
- service: name=exim state=started enabled=yes
diff --git a/baserock_opengrok/baserock-export.service b/baserock_opengrok/baserock-export.service
deleted file mode 100644
index 5b48152a..00000000
--- a/baserock_opengrok/baserock-export.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Baserock Export daemon
-After=local-fs.target network-online.target
-
-[Service]
-User=opengrok
-ExecStart={{ EXPORT_WORKDIR }}/export.sh
-
-
-[Install]
-WantedBy=multi-user.target
diff --git a/baserock_opengrok/baserock-export.timer b/baserock_opengrok/baserock-export.timer
deleted file mode 100644
index 89e9647b..00000000
--- a/baserock_opengrok/baserock-export.timer
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Runs baserock-export with 5 min between calls
-
-[Timer]
-#Time between baserock-export finishing and calling it again
-OnUnitActiveSec=5min
-Unit=baserock-export.service
-
-[Install]
-WantedBy=multi-user.target
diff --git a/baserock_opengrok/clone-and-index.service b/baserock_opengrok/clone-and-index.service
deleted file mode 100644
index ff9db508..00000000
--- a/baserock_opengrok/clone-and-index.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=OpenGrok index daemon
-After=local-fs.target network-online.target
-
-[Service]
-User=opengrok
-ExecStart={{ OPENGROK_BASE }}/clone-and-index.sh
-
-
-[Install]
-WantedBy=multi-user.target
diff --git a/baserock_opengrok/clone-and-index.sh b/baserock_opengrok/clone-and-index.sh
deleted file mode 100644
index 10a8faac..00000000
--- a/baserock_opengrok/clone-and-index.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-
-dir={{ OPENGROK_BASE }}/source
-if [ ! -d $dir/.git ]; then
- git clone /opt/export-workdir/exported-definitions/ $dir
-fi
-
-git --git-dir="$dir/.git" --work-tree="$dir" pull
-(cd $dir && git submodule init)
-(cd $dir && git submodule sync)
-(cd $dir && git submodule update)
-git --git-dir="$dir/.git" --work-tree="$dir" clean -xdff
-
-OPENGROK_INSTANCE_BASE={{ OPENGROK_BASE }} {{ OPENGROK_BASE }}/bin/OpenGrok index {{ OPENGROK_BASE }}/source/
diff --git a/baserock_opengrok/clone-and-index.timer b/baserock_opengrok/clone-and-index.timer
deleted file mode 100644
index e7cc4259..00000000
--- a/baserock_opengrok/clone-and-index.timer
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Runs OpenGrok index with 5 min between calls
-
-[Timer]
-#Time between clone-and-index finishing and calling it again
-OnUnitActiveSec=5min
-Unit=clone-and-index.service
-
-[Install]
-WantedBy=multi-user.target
diff --git a/baserock_opengrok/export.sh b/baserock_opengrok/export.sh
deleted file mode 100644
index d6a18d46..00000000
--- a/baserock_opengrok/export.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-
-DEFINITIONS_DIR="{{ EXPORT_WORKDIR }}/definitions"
-DEFINITIONS_URL="git://git.baserock.org/baserock/baserock/definitions"
-
-MORPH_DIR="{{ EXPORT_WORKDIR }}/morph"
-MORPH_URL="git://git.baserock.org/baserock/baserock/morph"
-
-EXPORT_DIR="{{ EXPORT_WORKDIR }}/exported-definitions"
-
-clone_or_pull() {
- repo=$1
- dir=$2
- if [ -d "$dir" ]; then
- git --git-dir="$dir/.git" --work-tree="$dir" pull
- else
- git clone $repo $dir
- fi
-}
-
-
-clone_or_pull $DEFINITIONS_URL $DEFINITIONS_DIR
-clone_or_pull $MORPH_URL $MORPH_DIR
-
-if [ ! -d "$EXPORT_DIR" ]; then
- git init "$EXPORT_DIR"
-fi
-
-
-git config --global user.email "export@baserock.com"
-git config --global user.name "Baserock Export Daemon"
-
-PYTHONPATH={{ EXPORT_WORKDIR }}/morph python \
- {{ BASEROCK_EXPORT }}/baserock-export-git-submodules.py \
- --git-cache-dir {{ EXPORT_WORKDIR }}/cache \
- --mode submodule \
- $DEFINITIONS_DIR/systems/minimal-system-x86_64-generic.morph \
- "$EXPORT_DIR"
diff --git a/baserock_opengrok/index.jsp b/baserock_opengrok/index.jsp
deleted file mode 100644
index 418c98f2..00000000
--- a/baserock_opengrok/index.jsp
+++ /dev/null
@@ -1,3 +0,0 @@
-<%
- response.sendRedirect("/source");
-%>
diff --git a/baserock_opengrok/instance-config.yml b/baserock_opengrok/instance-config.yml
deleted file mode 100644
index 836e805b..00000000
--- a/baserock_opengrok/instance-config.yml
+++ /dev/null
@@ -1,163 +0,0 @@
-# Configuration for Baserock OpenGrok system image.
-#
-# This expects to be run on a Fedora 23 cloud image.
----
-- hosts: opengrok
- gather_facts: false
- sudo: yes
- vars:
- OG_VERSION: 0.12.1.5
- EXPORT_WORKDIR: /opt/export-workdir
- BASEROCK_EXPORT: /opt/baserock-export
- OPENGROK_BASE: /opt/opengrok
- tasks:
- # See: https://fedoramagazine.org/getting-ansible-working-fedora-23/
- - name: install Python2 and required deps for Ansible modules
- raw: dnf install -y python2 python2-dnf libselinux-python
-
- - name: enable persistant journal
- shell: mkdir /var/log/journal
- args:
- creates: /var/log/journal
-
- - name: ensure system up to date
- dnf: name=* state=latest
-
- - name: Install Tomcat, wget, git, and ctags packages
- dnf:
- name: "{{ item }}"
- state: latest
- with_items:
- - tomcat
- - wget
- - git
- - ctags
-
- - name: Enable and start Tomcat
- service:
- name: tomcat
- enabled: yes
-
- - name: add opengrok user
- user:
- name: opengrok
- shell: /bin/false
-
- - name: create /opt/.. directories
- file:
- path: "{{ item }}"
- state: directory
- owner: opengrok
- group: opengrok
- with_items:
- - "{{ OPENGROK_BASE }}"
- - /opt/downloads
- - "{{ BASEROCK_EXPORT }}"
- - "{{ EXPORT_WORKDIR }}"
-
- - name: Download opengrok
- shell: wget https://java.net/projects/opengrok/downloads/download/opengrok-{{ OG_VERSION }}.tar.gz -O /opt/downloads/opengrok-{{ OG_VERSION }}.tar.gz
- args:
- creates: /opt/downloads/opengrok-{{ OG_VERSION }}.tar.gz
- sudo_user: opengrok
-
- - name: Unpack opengrok
- unarchive:
- src: /opt/downloads/opengrok-{{ OG_VERSION }}.tar.gz
- copy: no
- dest: /opt/downloads
- owner: opengrok
- group: opengrok
- creates: /opt/downloads/opengrok-{{ OG_VERSION }}
- register: opengrok_unpacked
-
- - name: Copy OpenGrok to the right location
- shell: cp -r /opt/downloads/opengrok-{{ OG_VERSION }}/* "{{ OPENGROK_BASE }}"
- when: opengrok_unpacked|changed
-
- - name: Install morph dependencies
- pip:
- name: "{{ item }}"
- with_items:
- - fs
- - pylru
- - pyyaml
- - jsonschema
-
- - name: Downloading baserock-export scripts
- git:
- repo: git://github.com/ssssam/baserock-export
- dest: "{{ BASEROCK_EXPORT }}"
- accept_hostkey: yes
- sudo_user: opengrok
-
- - name: Install baserock-export wrapper script
- template:
- src: export.sh
- dest: "{{ EXPORT_WORKDIR }}/export.sh"
- mode: 0755
- owner: opengrok
- group: opengrok
-
- - name: Install baserock-export service
- template:
- src: baserock-export.service
- dest: /etc/systemd/system/baserock-export.service
-
- - name: Install baserock-export timer
- copy:
- src: baserock-export.timer
- dest: /etc/systemd/system/baserock-export.timer
-
- - name: Enable and start baserock-export services
- service:
- name: "{{ item }}"
- enabled: yes
- state: started
- with_items:
- - baserock-export.timer
- - baserock-export.service
-
- - name: Deploy OpenGrok app in Tomcat
- shell: OPENGROK_TOMCAT_BASE=/var/lib/tomcat "{{ OPENGROK_BASE }}/bin/OpenGrok" deploy
-
- - name: Create ROOT folder for Tomcat
- file:
- path: /var/lib/tomcat/webapps/ROOT
- state: directory
- owner: tomcat
- group: tomcat
-
- - name: Redirect / to /source (OpenGrok) in Tomcat
- copy:
- src: index.jsp
- dest: /var/lib/tomcat/webapps/ROOT/index.jsp
- owner: tomcat
- group: tomcat
-
- - name: Install clone-and-index wrapper script
- template:
- src: clone-and-index.sh
- dest: "{{ OPENGROK_BASE }}/clone-and-index.sh"
- mode: 0755
- owner: opengrok
- group: opengrok
-
- - name: Install clone-and-index service
- template:
- src: clone-and-index.service
- dest: /etc/systemd/system/clone-and-index.service
-
- - name: Install clone-and-index timer
- copy:
- src: clone-and-index.timer
- dest: /etc/systemd/system/clone-and-index.timer
-
- - name: Enable and start clone-and-index services
- service:
- name: "{{ item }}"
- enabled: yes
- state: started
- with_items:
- - clone-and-index.timer
- - clone-and-index.service
diff --git a/baserock_openid_provider/baserock_openid_provider.secret_key.yml b/baserock_openid_provider/baserock_openid_provider.secret_key.yml
deleted file mode 100644
index 166beebd..00000000
--- a/baserock_openid_provider/baserock_openid_provider.secret_key.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36663263633734313761323739363430616565623931343036636366313233643363356334633038
-3962643134303938326233336266396261623862316536390a363135646333356334663763333735
-64303365626430666531366232333564366663633031623834663063363632356362386361626137
-3833363630353434330a666437373232666263616562386337643138333530323137643530386539
-62316564393261393866633030633033376663626566643861363533333665313431343366323063
-30643039363538306461343130316137383939313561346335653561653964373137373032646363
-62356436663138633839333662353865306665333639343364333164663064643561613430303836
-33376365653236383662663837373739663463323434393734333631376564666135393066366266
-3731
diff --git a/baserock_openid_provider/baserock_openid_provider/__init__.py b/baserock_openid_provider/baserock_openid_provider/__init__.py
deleted file mode 100644
index 8dd54d2a..00000000
--- a/baserock_openid_provider/baserock_openid_provider/__init__.py
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright (C) 2014 Codethink Limited
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-
-import signals
diff --git a/baserock_openid_provider/baserock_openid_provider/forms.py b/baserock_openid_provider/baserock_openid_provider/forms.py
deleted file mode 100644
index dd6a414d..00000000
--- a/baserock_openid_provider/baserock_openid_provider/forms.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (C) 2015 Codethink Limited
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-
-from registration.forms import RegistrationForm
-
-from django import forms
-from django.utils.translation import ugettext_lazy as _
-
-
-class RegistrationFormWithNames(RegistrationForm):
- # I'd rather just have a 'Full name' box, but django.contrib.auth is
- # already set up to separate first_name and last_name.
-
- first_name = forms.CharField(label=_("First name(s)"),
- required=False)
- last_name = forms.CharField(label=_("Surname"))
diff --git a/baserock_openid_provider/baserock_openid_provider/settings.py b/baserock_openid_provider/baserock_openid_provider/settings.py
deleted file mode 100644
index b4d38c2c..00000000
--- a/baserock_openid_provider/baserock_openid_provider/settings.py
+++ /dev/null
@@ -1,174 +0,0 @@
-"""
-Django settings for baserock_openid_provider project.
-
-For more information on this file, see
-https://docs.djangoproject.com/en/1.7/topics/settings/
-
-For the full list of settings and their values, see
-https://docs.djangoproject.com/en/1.7/ref/settings/
-"""
-
-import yaml
-
-import os
-
-# You must ensure this is the correct IP address!
-DATABASE_HOST = '192.168.222.146'
-
-BASE_DIR = os.path.dirname(os.path.dirname(__file__))
-
-# Quick-start development settings - unsuitable for production
-# See https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/
-
-# SECURITY WARNING: keep the secret key used in production secret!
-secret_key_file = '/etc/baserock_openid_provider.secret_key.yml'
-with open(secret_key_file) as f:
- data = yaml.load(f)
- SECRET_KEY = data['baserock_openid_provider_secret_key']
-
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = False
-
-TEMPLATE_DEBUG = True
-
-ALLOWED_HOSTS = [
- 'openid.baserock.org',
-]
-
-# All connections for openid.baserock.org are forced through HTTPS by HAProxy.
-# This line is necessary so that the Django code generates https:// rather than
-# http:// URLs for internal redirects.
-#
-# You MUST remove this line if this application is not running behind a proxy
-# that forces all traffic through HTTPS.
-SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
-
-
-# Application definition
-
-INSTALLED_APPS = (
- 'baserock_openid_provider',
- 'django.contrib.admin',
- 'django.contrib.auth',
- 'django.contrib.contenttypes',
- 'django.contrib.sessions',
- 'django.contrib.messages',
- 'django.contrib.staticfiles',
- 'openid_provider',
- 'registration'
-)
-
-MIDDLEWARE_CLASSES = (
- 'django.contrib.sessions.middleware.SessionMiddleware',
- 'django.middleware.common.CommonMiddleware',
- 'django.middleware.csrf.CsrfViewMiddleware',
- 'django.contrib.auth.middleware.AuthenticationMiddleware',
- 'django.contrib.messages.middleware.MessageMiddleware',
- 'django.middleware.clickjacking.XFrameOptionsMiddleware',
-)
-
-ROOT_URLCONF = 'baserock_openid_provider.urls'
-
-WSGI_APPLICATION = 'baserock_openid_provider.wsgi.application'
-
-
-# Logging
-
-LOGGING = {
- 'version': 1,
- 'disable_existing_loggers': False,
- 'formatters': {
- 'simple': {
- 'format': '%(asctime)s %(message)s'
- }
- },
- 'handlers': {
- 'file': {
- 'level': 'DEBUG',
- 'formatter': 'simple',
- 'class': 'logging.handlers.RotatingFileHandler',
- 'filename': '/var/log/baserock_openid_provider/debug.log',
- 'maxBytes': 10 * 1024 * 1024,
- 'backupCount': 0,
- }
- },
- 'loggers': {
- 'django.request': {
- 'handlers': ['file'],
- 'level': 'DEBUG',
- 'propagate': True,
- },
- 'openid_provider.views': {
- 'handlers': ['file'],
- 'level': 'DEBUG',
- 'propagate': True,
- }
- }
-}
-
-
-# Database
-# https://docs.djangoproject.com/en/1.7/ref/settings/#databases
-
-DATABASES = {
- 'default': {
- 'ENGINE': 'django.db.backends.mysql',
- 'NAME': 'openid_provider',
- 'USER': 'openid',
- 'PORT': '3306',
-
- 'HOST': DATABASE_HOST
- }
-}
-
-
-pw_file = '/etc/baserock_openid_provider.database_password.yml'
-with open(pw_file) as f:
- data = yaml.load(f)
- password = data['baserock_openid_provider_password']
- DATABASES['default']['PASSWORD'] = password
-
-# Internationalization
-# https://docs.djangoproject.com/en/1.7/topics/i18n/
-
-LANGUAGE_CODE = 'en-us'
-
-TIME_ZONE = 'UTC'
-
-USE_I18N = True
-
-USE_L10N = True
-
-USE_TZ = True
-
-
-# Static files (CSS, JavaScript, Images)
-# https://docs.djangoproject.com/en/1.7/howto/static-files/
-
-STATIC_URL = '/static/'
-
-STATIC_ROOT = '/var/www/static'
-
-TEMPLATE_DIRS = [os.path.join(BASE_DIR, 'templates')]
-
-
-# Other stuff
-
-LOGIN_REDIRECT_URL = '/'
-
-
-# We get mailed when stuff breaks.
-ADMINS = (
- ('Sam Thursfield', 'sam.thursfield@codethink.co.uk'),
-)
-
-# FIXME: this email address doesn't actually exist.
-DEFAULT_FROM_EMAIL = 'openid@baserock.org'
-
-EMAIL_HOST = 'localhost'
-EMAIL_PORT = 25
-
-
-# django-registration-redux settings
-
-ACCOUNT_ACTIVATION_DAYS = 3
diff --git a/baserock_openid_provider/baserock_openid_provider/signals.py b/baserock_openid_provider/baserock_openid_provider/signals.py
deleted file mode 100644
index dc2a7f78..00000000
--- a/baserock_openid_provider/baserock_openid_provider/signals.py
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright (C) 2014 Codethink Limited
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-
-from django.dispatch import receiver
-import registration.signals
-
-import logging
-
-
-@receiver(registration.signals.user_activated)
-def user_activation_handler(sender, user, request, **kwargs):
- logging.info('Creating OpenID for user %s' % (user.username))
- user.openid_set.create(openid=user.username)
diff --git a/baserock_openid_provider/baserock_openid_provider/static/style.css b/baserock_openid_provider/baserock_openid_provider/static/style.css
deleted file mode 100644
index e8237b40..00000000
--- a/baserock_openid_provider/baserock_openid_provider/static/style.css
+++ /dev/null
@@ -1,268 +0,0 @@
-// Baserock-ish stylesheet
-// Fetched from http://wiki.baserock.org/local.css/ on 2015-01-23.
-
-/* HTML5 display-role reset for older browsers */
-article, aside, details, figcaption, figure,
-footer, header, hgroup, menu, nav, section {
- display: block;
-}
-body {
- line-height: 1;
-}
-ol, ul {
- padding: 0 0 0 1.5em;
- margin: 0 0 1.2em;
-}
-li > ul, li > ol {
- margin: 0;
-}
-ul {
- list-style: disc;
-}
-ol {
- list-style: decimal;
-}
-blockquote, q {
- quotes: none;
-}
-blockquote:before, blockquote:after,
-q:before, q:after {
- content: '';
- content: none;
-}
-table {
- border-collapse: collapse;
- border-spacing: 0;
-}
-i, em {
- font-style: italic;
-}
-b, strong {
- font-weight: bold;
-}
-
-/*
-Main elements
-*/
-
-html, body {
- font-size: 15px;
- font-family: 'Open Sans', sans-serif;
- line-height: 1.6em;
-}
-h1 {
- color: #58595B;
- font-size: 1.6em;
- font-weight: bold;
- margin: 0 0 0.4em;
- padding: 1em 0 0.3em;
-}
-h2 {
- border-bottom: 2px solid #E0E0E0;
- border-top: 2px solid #E0E0E0;
- background: #fafafa;
- color: #58595B;
- font-size: 1.4em;
- font-weight: bold;
- margin: 1.2em 0 0.4em;
- padding: 0.4em 0;
-}
-h3 {
- border-bottom: 2px solid #E0E0E0;
- color: #58595B;
- font-size: 1.2em;
- font-weight: bold;
- margin: 2em 0 0.3em;
-}
-h4 {
- color: #58595B;
- font-size: 1.1em;
- font-weight: bold;
- margin: 1.7em 0 0.3em;
-}
-h5 {
- color: #58595B;
- font-size: 1em;
- font-weight: bold;
- margin: 1.7em 0 0.3em;
-}
-a {
- color: #bf2400;
-}
-p {
- padding: 0;
- margin: 0 0 1.2em;
-}
-table {
- margin-bottom: 1.2em;
-}
-th, td {
- padding: 0.2em 1em;
-}
-th {
- font-weight: bold;
- text-align: left;
- border-bottom: 1px solid #ddd;
-}
-pre {
- border: 1px solid #aaa;
- border-radius: 0.5em;
- padding: 1em 2em;
- margin: 0 0 1.2em 2em;
- background: #faf8f7;
- font-size: 80%;
-}
-pre, code {
- font-family: monospace;
-}
-code {
- background: #faf8f7;
- padding: 0.2em 0.4em;
- border: 1px solid #ddd;
- border-radius: 0.3em;
- font-size: 0.9em;
-}
-pre > code {
- background: none;
- padding: 0;
- border: none;
- font-size: 1em;
-}
-blockquote {
- border: .4em solid #ffaa55;
- border-left-width: 3em;
- padding: 0.3em 1em;
- margin: 1.2em 3em;
- border-radius: 2.2em 0 0 2.2em;
-}
-blockquote p {
- margin: 0;
-}
-/*
-*/
-.max960 {
- max-width: 960px;
- margin: 0 auto;
- position: relative;
- height: 80px;
-}
-input#searchbox {
- background: url("wikiicons/search-bg.gif") no-repeat scroll 100% 50% #FFFFFF;
- color: #000000;
- padding: 0 16px 0 10px;
- border: solid 1px #CCC;
- width: 180px;
- height: 20px;
- border-radius: 10px;
-}
-#searchform {
- right: 0 !important;
-}
-.page {
- max-width: 960px;
- padding: 0 10px;
- margin: 0 auto;
-}
-.pageheader {
- background-color: #FFF;
- border-bottom:2px solid #E65837;
- color: #009099;
- padding: 10px 10px 0 !important;
- height: 80px;
- background: #333;
-}
-.pageheader span a {
- color: #FFF;
-}
-.pageheader span.title {
- color: #E65837;
-}
-.pageheader .actions ul li {
- background: none !important;
- border-color: #28170B;
- border-style: solid solid none;
- border-width: 0;
- margin: 0;
- width: auto !important;
- color: #FFF;
- padding: 0 !important;
-}
-.pageheader li a:hover {
- background: #E65837;
- color: #FFF;
-}
-.header span {
- display: inline-block;
- padding: 6px 0;
-}
-.header span span {
- padding: 0;
-}
-.parentlinks {
- font: 13px 'Open Sans', sans-serif;
-}
-
-.title {
- font: 13px 'Open Sans', sans-serif;
- margin-top: 0.2em;
- display:inline;
-}
-
-#logo a {
- height: 40px;
- width: 282px;
- display: block;
- padding-bottom: 10px;
- background: url(logo.png) no-repeat;
-}
-#logo a span {
- display: none;
-}
-#logo a:hover {
- text-decoration: none;
-}
-.pageheader .actions {
- position: static !important;
- width: auto !important;
- padding: 0 !important;
-}
-.pageheader .actions ul {
- position: absolute;
- right: 0;
- bottom: 0;
- height: auto !important;
- padding: 0 !important;
-}
-.pageheader .actions a {
- color: #FFF;
- padding: 5px 0.5em;
- display: inline-block;
- background: #666;
-}
-
-div.header {
- background-repeat: no-repeat;
- min-width: 282px;
- padding-top: 0px;
-}
-#pageinfo {
- border-top: 0;
-}
-
-#content {
- max-width: 51em;
-}
-#content, #comments, #footer {
- margin: 1em 2em 1em 0 !important;
-}
-.pagedate {
- font-size:10px;
-}
-.sidebar {
- padding: 10px !important;
- border: solid 1px #CCC !important;
- background: #F2F2F2 !important;
- margin: 1em 0 2em 1em !important;
-}
-
-
diff --git a/baserock_openid_provider/baserock_openid_provider/urls.py b/baserock_openid_provider/baserock_openid_provider/urls.py
deleted file mode 100644
index 8af8ade5..00000000
--- a/baserock_openid_provider/baserock_openid_provider/urls.py
+++ /dev/null
@@ -1,12 +0,0 @@
-from django.conf.urls import patterns, include, url
-from django.contrib import admin
-
-from . import views
-
-urlpatterns = patterns('',
- url(r'^$', views.index, name='index'),
-
- url(r'^accounts/', include('registration.backends.default.urls')),
- url(r'^admin/', include(admin.site.urls)),
- url(r'^openid/', include('openid_provider.urls')),
-)
diff --git a/baserock_openid_provider/baserock_openid_provider/views.py b/baserock_openid_provider/baserock_openid_provider/views.py
deleted file mode 100644
index d067f66a..00000000
--- a/baserock_openid_provider/baserock_openid_provider/views.py
+++ /dev/null
@@ -1,53 +0,0 @@
-# Copyright (C) 2015 Codethink Limited
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-
-import registration.backends.default.views
-
-from registration import signals
-from registration.users import UserModel
-
-from django.contrib.auth import authenticate
-from django.contrib.auth import login
-from django.shortcuts import render
-
-from . import forms
-
-
-def index(request):
- return render(request, '../templates/index.html')
-
-
-class RegistrationViewWithNames(registration.backends.default.views.RegistrationView):
- # Overrides the django-registration default view so that the extended form
- # including the full name gets used.
- form_class = forms.RegistrationFormWithNames
-
- def register(self, form):
- # Calling the base class first means that we don't have to copy and
- # paste the contents of the register() function, but it has the
- # downside that we don't know the user's name when we send the
- # activation email.
- superclass = super(RegistrationViewWithNames, self)
- user = superclass.register(form)
-
- user.first_name = form.cleaned_data['first_name']
- user.last_name = form.cleaned_data['last_name']
- user.save()
-
- return user
-
-
-registration.backends.default.views.RegistrationView = RegistrationViewWithNames
diff --git a/baserock_openid_provider/baserock_openid_provider/wsgi.py b/baserock_openid_provider/baserock_openid_provider/wsgi.py
deleted file mode 100644
index 5993d3e5..00000000
--- a/baserock_openid_provider/baserock_openid_provider/wsgi.py
+++ /dev/null
@@ -1,14 +0,0 @@
-"""
-WSGI config for baserock_openid_provider project.
-
-It exposes the WSGI callable as a module-level variable named ``application``.
-
-For more information on this file, see
-https://docs.djangoproject.com/en/1.7/howto/deployment/wsgi/
-"""
-
-import os
-os.environ.setdefault("DJANGO_SETTINGS_MODULE", "baserock_openid_provider.settings")
-
-from django.core.wsgi import get_wsgi_application
-application = get_wsgi_application()
diff --git a/baserock_openid_provider/cherokee.conf b/baserock_openid_provider/cherokee.conf
deleted file mode 100644
index 38c4f1fa..00000000
--- a/baserock_openid_provider/cherokee.conf
+++ /dev/null
@@ -1,300 +0,0 @@
-# Cherokee configuration to run the Baserock OpenID provider, using
-# uWSGI to run the Django app from /srv/baserock_openid_provider.
-
-config!version = 001002103
-
-# Overall server config
-server!bind!1!port = 80
-server!group = cherokee
-server!keepalive = 1
-server!keepalive_max_requests = 500
-server!panic_action = /usr/bin/cherokee-panic
-server!pid_file = /var/run/cherokee.pid
-server!server_tokens = full
-server!timeout = 15
-server!user = cherokee
-
-# One virtual server which communicates with the uwsgi-django code and
-# also serves static files.
-vserver!1!directory_index = index.html
-vserver!1!document_root = /var/www/cherokee
-vserver!1!error_writer!filename = /var/log/cherokee/error_log
-vserver!1!error_writer!type = file
-vserver!1!logger = combined
-vserver!1!logger!access!buffsize = 16384
-vserver!1!logger!access!filename = /var/log/cherokee/access_log
-vserver!1!logger!access!type = file
-vserver!1!nick = default
-vserver!1!rule!110!document_root = /var/www/static
-vserver!1!rule!110!handler = file
-vserver!1!rule!110!match = directory
-vserver!1!rule!110!match!directory = /static
-vserver!1!rule!10!document_root = /var/www
-vserver!1!rule!10!handler = uwsgi
-vserver!1!rule!10!handler!balancer = round_robin
-vserver!1!rule!10!handler!balancer!source!10 = 1
-vserver!1!rule!10!handler!iocache = 1
-vserver!1!rule!10!match = default
-source!1!env_inherited = 1
-source!1!host = 127.0.0.1:45023
-source!1!interpreter = /usr/sbin/uwsgi --socket 127.0.0.1:45023 --ini=/srv/baserock_openid_provider/uwsgi.ini
-source!1!nick = uwsgi-django
-source!1!type = interpreter
-
-# Icons and mime types.
-icons!default = page_white.png
-icons!directory = folder.png
-icons!file!bomb.png = core
-icons!file!page_white_go.png = *README*
-icons!parent_directory = arrow_turn_left.png
-icons!suffix!camera.png = jpg,jpeg,jpe
-icons!suffix!cd.png = iso,ngr,cue
-icons!suffix!color_wheel.png = png,gif,xcf,bmp,pcx,tiff,tif,cdr,psd,xpm,xbm
-icons!suffix!control_play.png = bin,exe,com,msi,out
-icons!suffix!css.png = css
-icons!suffix!cup.png = java,class,jar
-icons!suffix!email.png = eml,mbox,box,email,mbx
-icons!suffix!film.png = avi,mpeg,mpe,mpg,mpeg3,dl,fli,qt,mov,movie,flv,webm
-icons!suffix!font.png = ttf
-icons!suffix!html.png = html,htm
-icons!suffix!music.png = au,snd,mid,midi,kar,mpga,mpega,mp2,mp3,sid,wav,aif,aiff,aifc,gsm,m3u,wma,wax,ra,rm,ram,pls,sd2,ogg
-icons!suffix!package.png = tar,gz,bz2,zip,rar,ace,lha,7z,dmg,cpk
-icons!suffix!page_white_acrobat.png = pdf
-icons!suffix!page_white_c.png = c,h,cpp
-icons!suffix!page_white_office.png = doc,ppt,xls
-icons!suffix!page_white_php.png = php
-icons!suffix!page_white_text.png = txt,text,rtf,sdw
-icons!suffix!printer.png = ps,eps
-icons!suffix!ruby.png = rb
-icons!suffix!script.png = sh,csh,ksh,tcl,tk,py,pl
-mime!application/bzip2!extensions = bz2
-mime!application/gzip!extensions = gz
-mime!application/hta!extensions = hta
-mime!application/java-archive!extensions = jar
-mime!application/java-serialized-object!extensions = ser
-mime!application/java-vm!extensions = class
-mime!application/json!extensions = json
-mime!application/mac-binhex40!extensions = hqx
-mime!application/msaccess!extensions = mdb
-mime!application/msword!extensions = doc,dot
-mime!application/octet-stream!extensions = bin
-mime!application/octetstream!extensions = ace
-mime!application/oda!extensions = oda
-mime!application/ogg!extensions = ogx
-mime!application/pdf!extensions = pdf
-mime!application/pgp-keys!extensions = key
-mime!application/pgp-signature!extensions = pgp
-mime!application/pics-rules!extensions = prf
-mime!application/postscript!extensions = ps,ai,eps
-mime!application/rar!extensions = rar
-mime!application/rdf+xml!extensions = rdf
-mime!application/rss+xml!extensions = rss
-mime!application/smil!extensions = smi,smil
-mime!application/vnd.mozilla.xul+xml!extensions = xul
-mime!application/vnd.ms-excel!extensions = xls,xlb,xlt
-mime!application/vnd.ms-pki.seccat!extensions = cat
-mime!application/vnd.ms-pki.stl!extensions = stl
-mime!application/vnd.ms-powerpoint!extensions = ppt,pps
-mime!application/vnd.oasis.opendocument.chart!extensions = odc
-mime!application/vnd.oasis.opendocument.database!extensions = odb
-mime!application/vnd.oasis.opendocument.formula!extensions = odf
-mime!application/vnd.oasis.opendocument.graphics!extensions = odg
-mime!application/vnd.oasis.opendocument.image!extensions = odi
-mime!application/vnd.oasis.opendocument.presentation!extensions = odp
-mime!application/vnd.oasis.opendocument.spreadsheet!extensions = ods
-mime!application/vnd.oasis.opendocument.text!extensions = odt
-mime!application/vnd.oasis.opendocument.text-master!extensions = odm
-mime!application/vnd.oasis.opendocument.text-web!extensions = oth
-mime!application/vnd.pkg5.info!extensions = p5i
-mime!application/vnd.visio!extensions = vsd
-mime!application/vnd.wap.wbxml!extensions = wbxml
-mime!application/vnd.wap.wmlc!extensions = wmlc
-mime!application/vnd.wap.wmlscriptc!extensions = wmlsc
-mime!application/x-7z-compressed!extensions = 7z
-mime!application/x-abiword!extensions = abw
-mime!application/x-apple-diskimage!extensions = dmg
-mime!application/x-bcpio!extensions = bcpio
-mime!application/x-bittorrent!extensions = torrent
-mime!application/x-cdf!extensions = cdf
-mime!application/x-cpio!extensions = cpio
-mime!application/x-csh!extensions = csh
-mime!application/x-debian-package!extensions = deb,udeb
-mime!application/x-director!extensions = dcr,dir,dxr
-mime!application/x-dvi!extensions = dvi
-mime!application/x-flac!extensions = flac
-mime!application/x-font!extensions = pfa,pfb,gsf,pcf,pcf.Z
-mime!application/x-freemind!extensions = mm
-mime!application/x-gnumeric!extensions = gnumeric
-mime!application/x-gtar!extensions = gtar,tgz,taz
-mime!application/x-gzip!extensions = gz,tgz
-mime!application/x-httpd-php!extensions = phtml,pht,php
-mime!application/x-httpd-php-source!extensions = phps
-mime!application/x-httpd-php3!extensions = php3
-mime!application/x-httpd-php3-preprocessed!extensions = php3p
-mime!application/x-httpd-php4!extensions = php4
-mime!application/x-internet-signup!extensions = ins,isp
-mime!application/x-iphone!extensions = iii
-mime!application/x-iso9660-image!extensions = iso
-mime!application/x-java-jnlp-file!extensions = jnlp
-mime!application/x-javascript!extensions = js
-mime!application/x-kchart!extensions = chrt
-mime!application/x-killustrator!extensions = kil
-mime!application/x-koan!extensions = skp,skd,skt,skm
-mime!application/x-kpresenter!extensions = kpr,kpt
-mime!application/x-kspread!extensions = ksp
-mime!application/x-kword!extensions = kwd,kwt
-mime!application/x-latex!extensions = latex
-mime!application/x-lha!extensions = lha
-mime!application/x-lzh!extensions = lzh
-mime!application/x-lzx!extensions = lzx
-mime!application/x-ms-wmd!extensions = wmd
-mime!application/x-ms-wmz!extensions = wmz
-mime!application/x-msdos-program!extensions = com,exe,bat,dll
-mime!application/x-msi!extensions = msi
-mime!application/x-netcdf!extensions = nc
-mime!application/x-ns-proxy-autoconfig!extensions = pac
-mime!application/x-nwc!extensions = nwc
-mime!application/x-object!extensions = o
-mime!application/x-oz-application!extensions = oza
-mime!application/x-pkcs7-certreqresp!extensions = p7r
-mime!application/x-pkcs7-crl!extensions = crl
-mime!application/x-python-code!extensions = pyc,pyo
-mime!application/x-quicktimeplayer!extensions = qtl
-mime!application/x-redhat-package-manager!extensions = rpm
-mime!application/x-sh!extensions = sh
-mime!application/x-shar!extensions = shar
-mime!application/x-shockwave-flash!extensions = swf,swfl
-mime!application/x-stuffit!extensions = sit,sea
-mime!application/x-sv4cpio!extensions = sv4cpio
-mime!application/x-sv4crc!extensions = sv4crc
-mime!application/x-tar!extensions = tar
-mime!application/x-tcl!extensions = tcl
-mime!application/x-tex-pk!extensions = pk
-mime!application/x-texinfo!extensions = texinfo,texi
-mime!application/x-trash!extensions = ~,bak,old,sik
-mime!application/x-troff!extensions = t,tr,roff
-mime!application/x-troff-man!extensions = man
-mime!application/x-troff-me!extensions = me
-mime!application/x-troff-ms!extensions = ms
-mime!application/x-ustar!extensions = ustar
-mime!application/x-x509-ca-cert!extensions = crt
-mime!application/x-xcf!extensions = xcf
-mime!application/x-xfig!extensions = fig
-mime!application/x-xpinstall!extensions = xpi
-mime!application/xhtml+xml!extensions = xhtml,xht
-mime!application/xml!extensions = xml,xsl
-mime!application/zip!extensions = zip
-mime!audio/basic!extensions = au,snd
-mime!audio/midi!extensions = mid,midi,kar
-mime!audio/mpeg!extensions = mpga,mpega,mp2,mp3,m4a
-mime!audio/ogg!extensions = ogg,oga
-mime!audio/prs.sid!extensions = sid
-mime!audio/x-aiff!extensions = aif,aiff,aifc
-mime!audio/x-gsm!extensions = gsm
-mime!audio/x-mpegurl!extensions = m3u
-mime!audio/x-ms-wax!extensions = wax
-mime!audio/x-ms-wma!extensions = wma
-mime!audio/x-pn-realaudio!extensions = ra,rm,ram
-mime!audio/x-realaudio!extensions = ra
-mime!audio/x-scpls!extensions = pls
-mime!audio/x-sd2!extensions = sd2
-mime!audio/x-wav!extensions = wav
-mime!chemical/x-cache!extensions = cac,cache
-mime!chemical/x-cache-csf!extensions = csf
-mime!chemical/x-cdx!extensions = cdx
-mime!chemical/x-cif!extensions = cif
-mime!chemical/x-cmdf!extensions = cmdf
-mime!chemical/x-cml!extensions = cml
-mime!chemical/x-compass!extensions = cpa
-mime!chemical/x-crossfire!extensions = bsd
-mime!chemical/x-csml!extensions = csml,csm
-mime!chemical/x-ctx!extensions = ctx
-mime!chemical/x-cxf!extensions = cxf,cef
-mime!chemical/x-isostar!extensions = istr,ist
-mime!chemical/x-jcamp-dx!extensions = jdx,dx
-mime!chemical/x-kinemage!extensions = kin
-mime!chemical/x-pdb!extensions = pdb,ent
-mime!chemical/x-swissprot!extensions = sw
-mime!chemical/x-vamas-iso14976!extensions = vms
-mime!chemical/x-vmd!extensions = vmd
-mime!chemical/x-xtel!extensions = xtel
-mime!chemical/x-xyz!extensions = xyz
-mime!image/gif!extensions = gif
-mime!image/jpeg!extensions = jpeg,jpg,jpe
-mime!image/pcx!extensions = pcx
-mime!image/png!extensions = png
-mime!image/svg+xml!extensions = svg,svgz
-mime!image/tiff!extensions = tiff,tif
-mime!image/vnd.djvu!extensions = djvu,djv
-mime!image/vnd.wap.wbmp!extensions = wbmp
-mime!image/x-icon!extensions = ico
-mime!image/x-ms-bmp!extensions = bmp
-mime!image/x-photoshop!extensions = psd
-mime!image/x-portable-anymap!extensions = pnm
-mime!image/x-portable-bitmap!extensions = pbm
-mime!image/x-portable-graymap!extensions = pgm
-mime!image/x-portable-pixmap!extensions = ppm
-mime!image/x-xbitmap!extensions = xbm
-mime!image/x-xpixmap!extensions = xpm
-mime!image/x-xwindowdump!extensions = xwd
-mime!model/iges!extensions = igs,iges
-mime!model/mesh!extensions = msh,mesh,silo
-mime!model/vrml!extensions = wrl,vrml
-mime!text/calendar!extensions = ics,icz
-mime!text/comma-separated-values!extensions = csv
-mime!text/css!extensions = css
-mime!text/h323!extensions = 323
-mime!text/html!extensions = html,htm,shtml
-mime!text/iuls!extensions = uls
-mime!text/mathml!extensions = mml
-mime!text/plain!extensions = asc,txt,text,diff,pot
-mime!text/richtext!extensions = rtx
-mime!text/rtf!extensions = rtf
-mime!text/scriptlet!extensions = sct,wsc
-mime!text/tab-separated-values!extensions = tsv
-mime!text/vnd.sun.j2me.app-descriptor!extensions = jad
-mime!text/vnd.wap.wml!extensions = wml
-mime!text/vnd.wap.wmlscript!extensions = wmls
-mime!text/x-boo!extensions = boo
-mime!text/x-c++hdr!extensions = h++,hpp,hxx,hh
-mime!text/x-c++src!extensions = c++,cpp,cxx,cc
-mime!text/x-chdr!extensions = h
-mime!text/x-csh!extensions = csh
-mime!text/x-csrc!extensions = c
-mime!text/x-dsrc!extensions = d
-mime!text/x-haskell!extensions = hs
-mime!text/x-java!extensions = java
-mime!text/x-literate-haskell!extensions = lhs
-mime!text/x-moc!extensions = moc
-mime!text/x-pascal!extensions = p,pas
-mime!text/x-pcs-gcd!extensions = gcd
-mime!text/x-perl!extensions = pl,pm
-mime!text/x-python!extensions = py
-mime!text/x-setext!extensions = etx
-mime!text/x-sh!extensions = sh
-mime!text/x-tcl!extensions = tcl,tk
-mime!text/x-tex!extensions = tex,ltx,sty,cls
-mime!text/x-vcalendar!extensions = vcs
-mime!text/x-vcard!extensions = vcf
-mime!video/dl!extensions = dl
-mime!video/dv!extensions = dif,dv
-mime!video/fli!extensions = fli
-mime!video/gl!extensions = gl
-mime!video/mp4!extensions = mp4
-mime!video/mpeg!extensions = mpeg,mpg,mpe
-mime!video/ogg!extensions = ogv
-mime!video/quicktime!extensions = qt,mov
-mime!video/vnd.mpegurl!extensions = mxu
-mime!video/webm!extensions = webm
-mime!video/x-flv!extensions = flv
-mime!video/x-la-asf!extensions = lsf,lsx
-mime!video/x-mng!extensions = mng
-mime!video/x-ms-asf!extensions = asf,asx
-mime!video/x-ms-wm!extensions = wm
-mime!video/x-ms-wmv!extensions = wmv
-mime!video/x-ms-wmx!extensions = wmx
-mime!video/x-ms-wvx!extensions = wvx
-mime!video/x-msvideo!extensions = avi
-mime!video/x-sgi-movie!extensions = movie
-mime!x-conference/x-cooltalk!extensions = ice
-mime!x-world/x-vrml!extensions = vrm,vrml,wrl
diff --git a/baserock_openid_provider/image-config.yml b/baserock_openid_provider/image-config.yml
deleted file mode 100644
index 4aa939f8..00000000
--- a/baserock_openid_provider/image-config.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-# Image configuration for Baserock OpenID provider.
----
-- hosts: openid
- gather_facts: False
- sudo: yes
- tasks:
- # See: https://fedoramagazine.org/getting-ansible-working-fedora-23/
- - name: install Python2 and required deps for Ansible modules
- raw: dnf install -y python2 python2-dnf libselinux-python
-
- - name: enable persistant journal
- shell: mkdir /var/log/journal
- args:
- creates: /var/log/journal
-
- - name: ensure system up to date
- dnf: name=* state=latest
-
- - name: install Cherokee web server
- dnf: name=cherokee state=latest
-
- - name: install Sendmail mail transfer agent
- dnf: name=sendmail state=latest
-
- - name: install uWSGI application container server and Python plugin
- dnf: name=uwsgi-plugin-python state=latest
-
- - name: install PyYAML
- dnf: name=PyYAML state=latest
-
- # Authentication in Gerrit fails if OpenID clock is not set correctly
- - name: Install ntp
- dnf: name=ntp
-
- # All this stuff is installed with Pip, which isn't really necessary except
- # for django-registration-redux. Fedora packages django-registration but not
- # the better django-registration-redux (I think).
- #
- - name: install Django
- pip: name=django executable=pip2.7
-
- - name: install South (Django migrations tool)
- pip: name=South executable=pip2.7
-
- # This is a fork of django-registration which supports Django 1.7.
- # Source: https://github.com/macropin/django-registration
- # The original django-registration (which seems to be abandoned) lives at:
- # https://bitbucket.org/ubernostrum/django-registration/
- - name: install django-registration-redux
- pip: name=django-registration-redux executable=pip2.7
-
- - name: install python-openid
- pip: name=python-openid executable=pip2.7
-
- # Install the MySQL-python package from DNF, because if it's installed from
- # PyPI you need to have the mariadb-devel package installed to build the C
- # code and that's an extra 21MB of dependencies or so. Note that this driver
- # doesn't support Python 3, but there is a fork available which does, see:
- # https://docs.djangoproject.com/en/dev/ref/databases/#mysql-db-api-drivers
- - name: install MySQL-python
- dnf: name=MySQL-python state=latest
-
- - name: install Cherokee configuration
- file: src=/srv/baserock_openid_provider/cherokee.conf dest=/etc/cherokee/cherokee.conf state=link force=yes
-
- - name: create log directory for baserock_openid_provider
- file: path=/var/log/baserock_openid_provider owner=cherokee group=cherokee state=directory
-
- - name: upload application
- copy: src=. dest=/srv owner=fedora group=fedora
-
- # Yes, SELinux prevents Cherokee from working.
- - name: disable SELinux on subsequent boots
- selinux: state=disabled
-
- - name: disable SELinux on current boot
- command: setenforce 0
diff --git a/baserock_openid_provider/instance-config.yml b/baserock_openid_provider/instance-config.yml
deleted file mode 100644
index a0dd059e..00000000
--- a/baserock_openid_provider/instance-config.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-# Instance configuration for Baserock OpenID provider.
-#
-# This playbook should be run after starting an instance of the Baserock
-# OpenID Provider image.
----
-- hosts: openid
- gather_facts: False
- sudo: yes
- tasks:
- - name: install database password
- copy:
- content: "{{ lookup('file', '../baserock_database/baserock_openid_provider.database_password.yml') }}"
- dest: /etc/baserock_openid_provider.database_password.yml
- owner: cherokee
- group: cherokee
- mode: 400
-
- - name: install Django secret key
- copy:
- content: "{{ lookup('file', 'baserock_openid_provider.secret_key.yml') }}"
- dest: /etc/baserock_openid_provider.secret_key.yml
- owner: cherokee
- group: cherokee
- mode: 400
-
- # This step could be part of image creation, except that because the secret
- # key file wouldn't be available at that time, the 'manage.py' script would
- # fail to run.
- - name: install static content
- django_manage: app_path=/srv/baserock_openid_provider command=collectstatic
- sudo_user: cherokee
-
- - name: run database migrations
- django_manage: app_path=/srv/baserock_openid_provider command=migrate
- sudo_user: cherokee
-
- # Default configuration of Sendmail in Fedora is to only accept connections from
- # localhost. This is what we want, so no extra config required.
- - name: enable and start sendmail service
- service: name=sendmail enabled=yes state=started
-
- - name: enable and start Cherokee service
- service: name=cherokee enabled=yes state=restarted
-
- - name: enable and start ntpd service
- service: name=ntpd enabled=yes state=restarted
diff --git a/baserock_openid_provider/manage.py b/baserock_openid_provider/manage.py
deleted file mode 100644
index 924662bf..00000000
--- a/baserock_openid_provider/manage.py
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env python
-import os
-import sys
-
-if __name__ == "__main__":
- os.environ.setdefault("DJANGO_SETTINGS_MODULE", "baserock_openid_provider.settings")
-
- from django.core.management import execute_from_command_line
-
- execute_from_command_line(sys.argv)
diff --git a/baserock_openid_provider/openid_provider/__init__.py b/baserock_openid_provider/openid_provider/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/baserock_openid_provider/openid_provider/__init__.py
+++ /dev/null
diff --git a/baserock_openid_provider/openid_provider/admin.py b/baserock_openid_provider/openid_provider/admin.py
deleted file mode 100644
index 0d1b62aa..00000000
--- a/baserock_openid_provider/openid_provider/admin.py
+++ /dev/null
@@ -1,17 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: set ts=4 sw=4 : */
-
-from django.contrib import admin
-
-from openid_provider.models import TrustedRoot, OpenID
-
-class TrustedRootInline(admin.TabularInline):
- model = TrustedRoot
-
-class OpenIDAdmin(admin.ModelAdmin):
- list_display = ['openid', 'user', 'default']
- inlines = [TrustedRootInline, ]
- raw_id_fields = ("user",)
- search_fields = ('user__email',)
-
-admin.site.register(OpenID, OpenIDAdmin)
diff --git a/baserock_openid_provider/openid_provider/conf.py b/baserock_openid_provider/openid_provider/conf.py
deleted file mode 100644
index 7355c840..00000000
--- a/baserock_openid_provider/openid_provider/conf.py
+++ /dev/null
@@ -1,27 +0,0 @@
-import os
-from django.conf import settings
-
-STORE = getattr(settings, 'OPENID_PROVIDER_STORE',
- 'openid.store.filestore.FileOpenIDStore')
-
-if STORE == 'openid.store.filestore.FileOpenIDStore':
- import tempfile
- tempdir = tempfile.gettempdir()
-
- FILESTORE_PATH = getattr(settings, 'OPENID_PROVIDER_FILESTORE_PATH',
- os.path.join(tempdir, 'openid-filestore'))
-
-SREG_DATA_CALLBACK = getattr(settings, 'OPENID_PROVIDER_SREG_DATA_CALLBACK',
- 'openid_provider.utils.get_default_sreg_data')
-
-AX_DATA_CALLBACK = getattr(settings, 'OPENID_PROVIDER_AX_DATA_CALLBACK',
- 'openid_provider.utils.get_default_ax_data')
-
-AX_EXTENSION = getattr(settings, 'OPENID_PROVIDER_AX_EXTENSION', False)
-
-AUTH_USER_MODEL = getattr(settings, 'AUTH_USER_MODEL', 'auth.User')
-
-# RPs without relying party verification mechanisms will be each time
-# redirected to decide page, set to True to disable this:
-FAILED_DISCOVERY_AS_VALID = getattr(
- settings, 'OPENID_FAILED_DISCOVERY_AS_VALID', False)
diff --git a/baserock_openid_provider/openid_provider/models.py b/baserock_openid_provider/openid_provider/models.py
deleted file mode 100644
index bad24d9a..00000000
--- a/baserock_openid_provider/openid_provider/models.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: set ts=4 sw=4 : */
-
-from django.utils.translation import ugettext_lazy as _
-from django.db import models
-
-from openid_provider.conf import AUTH_USER_MODEL
-from openid_provider.utils import get_username
-
-class OpenID(models.Model):
- user = models.ForeignKey(AUTH_USER_MODEL)
- openid = models.CharField(max_length=200, blank=True, unique=True)
- default = models.BooleanField(default=False)
-
- class Meta:
- verbose_name = _('OpenID')
- verbose_name_plural = _('OpenIDs')
- ordering = ['openid']
-
- def __unicode__(self):
- return u"%s|%s" % (get_username(self.user), self.openid)
-
- def save(self, *args, **kwargs):
- if self.openid in ['', u'', None]:
- from hashlib import sha1
- import random, base64
- sha = sha1()
- sha.update(unicode(get_username(self.user)).encode('utf-8'))
- sha.update(str(random.random()))
- value = str(base64.b64encode(sha.digest()))
- value = value.replace('/', '').replace('+', '').replace('=', '')
- self.openid = value
- super(OpenID, self).save(*args, **kwargs)
- if self.default:
- self.user.openid_set.exclude(pk=self.pk).update(default=False)
-
-class TrustedRoot(models.Model):
- openid = models.ForeignKey(OpenID)
- trust_root = models.CharField(max_length=200)
-
- def __unicode__(self):
- return unicode(self.trust_root)
diff --git a/baserock_openid_provider/openid_provider/south_migrations/0001_initial.py b/baserock_openid_provider/openid_provider/south_migrations/0001_initial.py
deleted file mode 100644
index 1857f59a..00000000
--- a/baserock_openid_provider/openid_provider/south_migrations/0001_initial.py
+++ /dev/null
@@ -1,89 +0,0 @@
-# -*- coding: utf-8 -*-
-import datetime
-from south.db import db
-from south.v2 import SchemaMigration
-from django.db import models
-
-
-class Migration(SchemaMigration):
-
- def forwards(self, orm):
- # Adding model 'OpenID'
- db.create_table('openid_provider_openid', (
- ('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
- ('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['auth.User'])),
- ('openid', self.gf('django.db.models.fields.CharField')(unique=True, max_length=200, blank=True)),
- ('default', self.gf('django.db.models.fields.BooleanField')(default=False)),
- ))
- db.send_create_signal('openid_provider', ['OpenID'])
-
- # Adding model 'TrustedRoot'
- db.create_table('openid_provider_trustedroot', (
- ('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
- ('openid', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['openid_provider.OpenID'])),
- ('trust_root', self.gf('django.db.models.fields.CharField')(max_length=200)),
- ))
- db.send_create_signal('openid_provider', ['TrustedRoot'])
-
-
- def backwards(self, orm):
- # Deleting model 'OpenID'
- db.delete_table('openid_provider_openid')
-
- # Deleting model 'TrustedRoot'
- db.delete_table('openid_provider_trustedroot')
-
-
- models = {
- 'auth.group': {
- 'Meta': {'object_name': 'Group'},
- 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
- 'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '80'}),
- 'permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'})
- },
- 'auth.permission': {
- 'Meta': {'ordering': "('content_type__app_label', 'content_type__model', 'codename')", 'unique_together': "(('content_type', 'codename'),)", 'object_name': 'Permission'},
- 'codename': ('django.db.models.fields.CharField', [], {'max_length': '100'}),
- 'content_type': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['contenttypes.ContentType']"}),
- 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
- 'name': ('django.db.models.fields.CharField', [], {'max_length': '50'})
- },
- 'auth.user': {
- 'Meta': {'object_name': 'User'},
- 'date_joined': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
- 'email': ('django.db.models.fields.EmailField', [], {'max_length': '75', 'blank': 'True'}),
- 'first_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
- 'groups': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Group']", 'symmetrical': 'False', 'blank': 'True'}),
- 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
- 'is_active': ('django.db.models.fields.BooleanField', [], {'default': 'True'}),
- 'is_staff': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
- 'is_superuser': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
- 'last_login': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
- 'last_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
- 'password': ('django.db.models.fields.CharField', [], {'max_length': '128'}),
- 'user_permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}),
- 'username': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '30'})
- },
- 'contenttypes.contenttype': {
- 'Meta': {'ordering': "('name',)", 'unique_together': "(('app_label', 'model'),)", 'object_name': 'ContentType', 'db_table': "'django_content_type'"},
- 'app_label': ('django.db.models.fields.CharField', [], {'max_length': '100'}),
- 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
- 'model': ('django.db.models.fields.CharField', [], {'max_length': '100'}),
- 'name': ('django.db.models.fields.CharField', [], {'max_length': '100'})
- },
- 'openid_provider.openid': {
- 'Meta': {'ordering': "['openid']", 'object_name': 'OpenID'},
- 'default': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
- 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
- 'openid': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '200', 'blank': 'True'}),
- 'user': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['auth.User']"})
- },
- 'openid_provider.trustedroot': {
- 'Meta': {'object_name': 'TrustedRoot'},
- 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
- 'openid': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['openid_provider.OpenID']"}),
- 'trust_root': ('django.db.models.fields.CharField', [], {'max_length': '200'})
- }
- }
-
- complete_apps = ['openid_provider']
\ No newline at end of file
diff --git a/baserock_openid_provider/openid_provider/south_migrations/__init__.py b/baserock_openid_provider/openid_provider/south_migrations/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/baserock_openid_provider/openid_provider/south_migrations/__init__.py
+++ /dev/null
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/base.html b/baserock_openid_provider/openid_provider/templates/openid_provider/base.html
deleted file mode 100644
index 94d9808c..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/base.html
+++ /dev/null
@@ -1 +0,0 @@
-{% extends "base.html" %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/decide.html b/baserock_openid_provider/openid_provider/templates/openid_provider/decide.html
deleted file mode 100644
index 5b87f824..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/decide.html
+++ /dev/null
@@ -1,41 +0,0 @@
-{% extends "openid_provider/base.html" %}
-
-{% block content %}
-{% ifequal trust_root_valid "Valid" %}
- <!-- Trust root has been validated by OpenID 2 mechanism. -->
- <p>The site <tt>{{ trust_root|escape }}</tt> has requested verification
- of your OpenID.</p>
-{% endifequal %}
-{% ifequal trust_root_valid "Invalid" %}
-<div class="error">
- <p>This request claims to be from {{ trust_root|escape }} but I have
- determined that <em>it is a pack of lies</em>. Beware, if you release
- information to them, they are likely to do unconscionable things with it,
- being the lying liars that they are.</p>
- <p>Please tell the <em>real</em> {{ trust_root|escape }} that someone is
- trying to abuse your trust in their good name.</p>
-</div>
-{% endifequal %}
-{% ifequal trust_root_valid "Unreachable" %}
- <p>The site <tt>{{ trust_root|escape }}</tt> has requested verification
- of your OpenID. I have failed to reach it and thus cannot vouch for its
- authenticity. Perhaps it is on your local network.</p>
-{% endifequal %}
-{% ifequal trust_root_valid "DISCOVERY_FAILED" %}
- <p>The site <tt>{{ trust_root|escape }}</tt> has requested verification
- of your OpenID. However, <tt>{{ trust_root|escape }}</tt> does not
- implement OpenID 2.0's relying party verification mechanism. Please use
- extra caution in deciding whether to release information to this party,
- and ask <tt>{{ trust_root|escape }}</tt> to implement relying party
- verification for your future transactions.</p>
- <p>You will return to <tt>{{ return_to|escape }}</tt></p>
-{% endifequal %}
-
-<form method="post">{% csrf_token %}
-Verify your identity to the relying party?
-<br/>
-<input type="hidden" name="decide_page" value="True" />
-<input type="submit" value="Yes (Allow)" name="allow" />
-<input type="submit" value="No (Cancel)" name="cancel" />
-</form>
-{% endblock %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/error.html b/baserock_openid_provider/openid_provider/templates/openid_provider/error.html
deleted file mode 100644
index 11b77b21..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/error.html
+++ /dev/null
@@ -1,6 +0,0 @@
-{% extends "openid_provider/base.html" %}
-
-{% block content %}
-<h1>{{ title }}</h1>
-{{ msg }}
-{% endblock %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/response.html b/baserock_openid_provider/openid_provider/templates/openid_provider/response.html
deleted file mode 100644
index 5f7e46fa..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/response.html
+++ /dev/null
@@ -1,12 +0,0 @@
-{% extends "openid_provider/base.html" %}
-
-{% block content %}
-<div id="openid-body">
- {{ body|safe }}
-</div>
-<script type="text/javascript">
- // the url is too long (> 2047) to be submitted via GET. It needs to be POSTed.
- // the should not require to click the "Continue"-Button, therefore we submit it via js
- document.getElementById('openid-body').getElementsByTagName('form')[0].submit();
-</script>
-{% endblock %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/server.html b/baserock_openid_provider/openid_provider/templates/openid_provider/server.html
deleted file mode 100644
index 80615157..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/server.html
+++ /dev/null
@@ -1,9 +0,0 @@
-{% extends "openid_provider/base.html" %}
-
-{% block extrahead %}{{ block.super }}
-<meta http-equiv="x-xrds-location" content="{{ xrds_location }}">
-{% endblock %}
-
-{% block content %}
-This is an OpenID server.
-{% endblock %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/xrds.xml b/baserock_openid_provider/openid_provider/templates/openid_provider/xrds.xml
deleted file mode 100644
index 960685b0..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/xrds.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
- <XRD>
- <Service priority="0">{% for uri in types %}
- <Type>{{ uri|escape }}</Type>
- {% endfor %}{% for endpoint in endpoints %}
- <URI>{{ endpoint }}</URI>
- {% endfor %}</Service>
- </XRD>
-</xrds:XRDS>
diff --git a/baserock_openid_provider/openid_provider/urls.py b/baserock_openid_provider/openid_provider/urls.py
deleted file mode 100644
index 33f79ce7..00000000
--- a/baserock_openid_provider/openid_provider/urls.py
+++ /dev/null
@@ -1,14 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: set ts=4 sw=4 : */
-
-try:
- from django.conf.urls import patterns, url
-except ImportError: # Django < 1.4
- from django.conf.urls.defaults import patterns, url
-
-urlpatterns = patterns('openid_provider.views',
- url(r'^$', 'openid_server', name='openid-provider-root'),
- url(r'^decide/$', 'openid_decide', name='openid-provider-decide'),
- url(r'^xrds/$', 'openid_xrds', name='openid-provider-xrds'),
- url(r'^(?P<id>.*)/$', 'openid_xrds', {'identity': True}, name='openid-provider-identity'),
-)
diff --git a/baserock_openid_provider/openid_provider/utils.py b/baserock_openid_provider/openid_provider/utils.py
deleted file mode 100644
index dc0c714f..00000000
--- a/baserock_openid_provider/openid_provider/utils.py
+++ /dev/null
@@ -1,130 +0,0 @@
-# -*- coding: utf-8 -*- vim: set et ts=4 sw=4 :
-# some code from http://www.djangosnippets.org/snippets/310/ by simon
-# and from examples/djopenid from python-openid-2.2.4
-from hashlib import sha1
-from openid_provider import conf
-from openid.extensions import ax, sreg
-from openid.server.server import Server, BROWSER_REQUEST_MODES
-from openid.server.trustroot import verifyReturnTo
-from openid.yadis.discover import DiscoveryFailure
-from openid.fetchers import HTTPFetchingError
-
-from django.core.exceptions import ImproperlyConfigured
-from django.core.urlresolvers import reverse
-from django.http import HttpResponse
-from django.shortcuts import render_to_response
-
-from importlib import import_module
-
-import logging
-
-logger = logging.getLogger(__name__)
-
-def import_module_attr(path):
- package, module = path.rsplit('.', 1)
- return getattr(import_module(package), module)
-
-def get_username(u):
- if hasattr(u, 'get_username'):
- return u.get_username()
- return u.username
-
-def get_default_sreg_data(request, orequest):
- return {
- 'email': request.user.email,
- 'nickname': get_username(request.user),
- 'fullname': request.user.get_full_name(),
- }
-
-def get_default_ax_data(request, orequest):
- return {
- 'http://axschema.org/contact/email': request.user.email,
- 'http://axschema.org/namePerson': request.user.get_full_name(),
- 'http://axschema.org/namePerson/friendly': get_username(request.user),
- 'http://axschema.org/namePerson/first': request.user.first_name,
- 'http://axschema.org/namePerson/last': request.user.last_name,
- }
-
-def add_sreg_data(request, orequest, oresponse):
- callback = get_sreg_callback()
- if callback is None or not callable(callback):
- return
- sreg_data = callback(request, orequest)
- sreg_req = sreg.SRegRequest.fromOpenIDRequest(orequest)
- sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
- oresponse.addExtension(sreg_resp)
-
-def add_ax_data(request, orequest, oresponse):
- callback = get_ax_callback()
- if callback is None or not callable(callback):
- return
- ax_data = callback(request, orequest)
- ax_req = ax.FetchRequest.fromOpenIDRequest(orequest)
- ax_resp = ax.FetchResponse(ax_req)
- if ax_req is not None:
- for attr in ax_req.getRequiredAttrs():
- value = ax_data.get(attr, None)
- if value is not None:
- ax_resp.addValue(attr, value)
- oresponse.addExtension(ax_resp)
-
-def get_sreg_callback():
- try:
- return import_module_attr(conf.SREG_DATA_CALLBACK)
- except (ImportError, AttributeError):
- return None
-
-def get_ax_callback():
- try:
- return import_module_attr(conf.AX_DATA_CALLBACK)
- except (ImportError, AttributeError):
- return None
-
-def get_store(request):
- try:
- store_class = import_module_attr(conf.STORE)
- except ImportError:
- raise ImproperlyConfigured(
- "OpenID store %r could not be imported" % conf.STORE)
- # The FileOpenIDStore requires a path to save the user files.
- if conf.STORE == 'openid.store.filestore.FileOpenIDStore':
- return store_class(conf.FILESTORE_PATH)
- return store_class()
-
-def trust_root_validation(orequest):
- """
- OpenID specs 9.2.1: using realm for return url verification
- """
- try:
- return verifyReturnTo(
- orequest.trust_root, orequest.return_to) and "Valid" or "Invalid"
- except HTTPFetchingError:
- return "Unreachable"
- except DiscoveryFailure:
- return "DISCOVERY_FAILED"
-
-def get_trust_session_key(orequest):
- return 'OPENID_' + sha1(
- orequest.trust_root + orequest.return_to).hexdigest()
-
-def prep_response(request, orequest, oresponse, server=None):
- # Convert a webresponse from the OpenID library in to a Django HttpResponse
-
- if not server:
- server = Server(get_store(request),
- op_endpoint=request.build_absolute_uri(
- reverse('openid-provider-root')))
- webresponse = server.encodeResponse(oresponse)
- if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
- response = render_to_response('openid_provider/response.html', {
- 'body': webresponse.body,
- }, context_instance=RequestContext(request))
- logger.debug('rendering browser response')
- else:
- response = HttpResponse(webresponse.body)
- response.status_code = webresponse.code
- for key, value in webresponse.headers.items():
- response[key] = value
- logger.debug('rendering raw response')
- return response
-
diff --git a/baserock_openid_provider/openid_provider/views.py b/baserock_openid_provider/openid_provider/views.py
deleted file mode 100644
index 1b8ef6d5..00000000
--- a/baserock_openid_provider/openid_provider/views.py
+++ /dev/null
@@ -1,323 +0,0 @@
-# -*- coding: utf-8 -*-
-# some code from http://www.djangosnippets.org/snippets/310/ by simon
-# and from examples/djopenid from python-openid-2.2.4
-import urlparse
-import logging
-from urllib import urlencode, quote
-
-from django.conf import settings
-from django.core.urlresolvers import reverse
-from django.http import HttpResponse, HttpResponseRedirect, QueryDict
-from django.shortcuts import render_to_response
-from django.template import RequestContext
-from django.utils.translation import ugettext as _
-
-from django.utils.encoding import smart_str
-try:
- from django.views.decorators.csrf import csrf_exempt
-except ImportError:
- from django.contrib.csrf.middleware import csrf_exempt
-
-from django.contrib.auth import REDIRECT_FIELD_NAME
-
-from openid.association import default_negotiator, encrypted_negotiator
-from openid.consumer.discover import OPENID_IDP_2_0_TYPE, OPENID_2_0_TYPE
-from openid.extensions import sreg, ax
-from openid.server.server import Server, BROWSER_REQUEST_MODES
-from openid.yadis.constants import YADIS_CONTENT_TYPE
-
-from openid_provider import conf
-from openid_provider.utils import add_sreg_data, add_ax_data, get_store, \
- trust_root_validation, get_trust_session_key, prep_response
-from openid_provider.models import TrustedRoot
-
-logger = logging.getLogger(__name__)
-
-
-# Special URL which means 'let the user choose whichever identity'.
-IDENTIFIER_SELECT_URL = 'http://specs.openid.net/auth/2.0/identifier_select'
-
-
-@csrf_exempt
-def openid_server(request):
- """
- This view is the actual OpenID server - running at the URL pointed to by
- the <link rel="openid.server"> tag.
- """
- logger.debug('server request %s: %s',
- request.method, request.POST or request.GET)
- server = openid_get_server(request)
-
- if not request.is_secure():
- # if request is not secure allow only encrypted association sessions
- server.negotiator = encrypted_negotiator
-
- # Clear AuthorizationInfo session var, if it is set
- if request.session.get('AuthorizationInfo', None):
- del request.session['AuthorizationInfo']
-
- if request.method == 'GET':
- querydict = dict(request.GET.items())
- elif request.method == 'POST':
- querydict = dict(request.POST.items())
- else:
- return HTTPResponseNotAllowed(['GET', 'POST'])
-
- orequest = server.decodeRequest(querydict)
- if not orequest:
- orequest = server.decodeRequest(request.session.get('OPENID_REQUEST', None))
- if orequest:
- # remove session stored data:
- del request.session['OPENID_REQUEST']
- else:
- # not request, render info page:
- data = {
- 'host': request.build_absolute_uri('/'),
- 'xrds_location': request.build_absolute_uri(
- reverse('openid-provider-xrds')),
- }
- logger.debug('invalid request, sending info: %s', data)
- return render_to_response('openid_provider/server.html',
- data,
- context_instance=RequestContext(request))
-
- if orequest.mode in BROWSER_REQUEST_MODES:
- if not request.user.is_authenticated():
- logger.debug('no local authentication, sending landing page')
- return landing_page(request, orequest)
-
- openid = openid_is_authorized(request, orequest.identity,
- orequest.trust_root)
-
- # verify return_to:
- trust_root_valid = trust_root_validation(orequest)
- validated = False
-
- if conf.FAILED_DISCOVERY_AS_VALID:
- if trust_root_valid == 'DISCOVERY_FAILED':
- validated = True
- else:
- # if in decide already took place, set as valid:
- if request.session.get(get_trust_session_key(orequest), False):
- validated = True
-
- if openid is not None and (validated or trust_root_valid == 'Valid'):
- if orequest.identity == IDENTIFIER_SELECT_URL:
- id_url = request.build_absolute_uri(
- reverse('openid-provider-identity', args=[openid.openid]))
- else:
- # We must return exactly the identity URL that was requested,
- # otherwise the openid.server module raises an error.
- id_url = orequest.identity
-
- oresponse = orequest.answer(True, identity=id_url)
- logger.debug('orequest.answer(True, identity="%s")', id_url)
- elif orequest.immediate:
- logger.debug('checkid_immediate mode not supported')
- raise Exception('checkid_immediate mode not supported')
- else:
- request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
- request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
- logger.debug(
- 'Set OPENID_REQUEST to %s in session %s',
- request.session['OPENID_REQUEST'], request.session)
- logger.debug(
- 'Set OPENID_TRUSTROOT_VALID to %s in session %s',
- request.session['OPENID_TRUSTROOT_VALID'], request.session)
- logger.debug('redirecting to decide page')
- return HttpResponseRedirect(reverse('openid-provider-decide'))
- else:
- oresponse = server.handleRequest(orequest)
- if request.user.is_authenticated():
- add_sreg_data(request, orequest, oresponse)
- if conf.AX_EXTENSION:
- add_ax_data(request, orequest, oresponse)
-
- return prep_response(request, orequest, oresponse, server)
-
-def openid_xrds(request, identity=False, id=None):
- if identity:
- types = [OPENID_2_0_TYPE]
- else:
- types = [OPENID_IDP_2_0_TYPE, sreg.ns_uri]
- if conf.AX_EXTENSION:
- types.append(ax.AXMessage.ns_uri)
- endpoints = [request.build_absolute_uri(reverse('openid-provider-root'))]
- return render_to_response('openid_provider/xrds.xml', {
- 'host': request.build_absolute_uri('/'),
- 'types': types,
- 'endpoints': endpoints,
- }, context_instance=RequestContext(request), content_type=YADIS_CONTENT_TYPE)
-
-
-def url_for_openid(request, openid):
- return request.build_absolute_uri(
- reverse('openid-provider-identity', args=[openid.openid]))
-
-
-def openid_not_found_error_message(request, identity_url):
- ids = request.user.openid_set
- if ids.count() == 0:
- message = "You have no OpenIDs configured. Contact the administrator."
- else:
- id_urls = [url_for_openid(request, id) for id in ids.iterator()]
- id_urls = ', '.join(id_urls)
- if ids.count() != 1:
- message = "You somehow have multiple OpenIDs: " + id_urls
- else:
- message = "Your OpenID URL is: " + id_urls
- return "You do not have the OpenID '%s'. %s" % (identity_url, message)
-
-
-def openid_decide(request):
- """
- The page that asks the user if they really want to sign in to the site, and
- lets them add the consumer to their trusted whitelist.
- # If user is logged in, ask if they want to trust this trust_root
- # If they are NOT logged in, show the landing page
- """
- server = openid_get_server(request)
- orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
- trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')
-
- logger.debug('Got OPENID_REQUEST %s, OPENID_TRUSTROOT_VALID %s from '
- 'session %s', orequest, trust_root_valid, request.session)
-
- if not request.user.is_authenticated():
- return landing_page(request, orequest)
-
- if orequest is None:
- # This isn't normal, but can occur if the user uses the 'back' button
- # or if the session data is otherwise lost for some reason.
- return error_page(
- request, "I've lost track of your session now. Sorry! Please go "
- "back to the site you are logging in to with a Baserock "
- "OpenID and, if you're not yet logged in, try again.")
-
- openid = openid_get_identity(request, orequest.identity)
- if openid is None:
- # User should only ever have one OpenID, created for them when they
- # registered.
- message = openid_not_found_error_message(request, orequest.identity)
- return error_page(request, message)
-
- if request.method == 'POST' and request.POST.get('decide_page', False):
- if request.POST.get('allow', False):
- TrustedRoot.objects.get_or_create(
- openid=openid, trust_root=orequest.trust_root)
- if not conf.FAILED_DISCOVERY_AS_VALID:
- request.session[get_trust_session_key(orequest)] = True
- return HttpResponseRedirect(reverse('openid-provider-root'))
-
- oresponse = orequest.answer(False)
- logger.debug('orequest.answer(False)')
- return prep_response(request, orequest, oresponse)
-
- return render_to_response('openid_provider/decide.html', {
- 'title': _('Trust this site?'),
- 'trust_root': orequest.trust_root,
- 'trust_root_valid': trust_root_valid,
- 'return_to': orequest.return_to,
- 'identity': orequest.identity,
- }, context_instance=RequestContext(request))
-
-def error_page(request, msg):
- return render_to_response('openid_provider/error.html', {
- 'title': _('Error'),
- 'msg': msg,
- }, context_instance=RequestContext(request))
-
-class SafeQueryDict(QueryDict):
- """
- A custom QueryDict class that implements a urlencode method
- knowing how to excempt some characters as safe.
-
- Backported from Django 1.3
- """
- def urlencode(self, safe=None):
- output = []
- if safe:
- encode = lambda k, v: '%s=%s' % ((quote(k, safe), quote(v, safe)))
- else:
- encode = lambda k, v: urlencode({k: v})
- for k, list_ in self.lists():
- k = smart_str(k, self.encoding)
- output.extend([encode(k, smart_str(v, self.encoding))
- for v in list_])
- return '&'.join(output)
-
-def landing_page(request, orequest, login_url=None,
- redirect_field_name=REDIRECT_FIELD_NAME):
- """
- The page shown when the user attempts to sign in somewhere using OpenID
- but is not authenticated with the site. For idproxy.net, a message telling
- them to log in manually is displayed.
- """
- request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
- logger.debug(
- 'Set OPENID_REQUEST to %s in session %s',
- request.session['OPENID_REQUEST'], request.session)
- if not login_url:
- login_url = settings.LOGIN_URL
- path = request.get_full_path()
- login_url_parts = list(urlparse.urlparse(login_url))
- if redirect_field_name:
- querystring = SafeQueryDict(login_url_parts[4], mutable=True)
- querystring[redirect_field_name] = path
- login_url_parts[4] = querystring.urlencode(safe='/')
- return HttpResponseRedirect(urlparse.urlunparse(login_url_parts))
-
-def openid_is_authorized(request, identity_url, trust_root):
- """
- Check that they own the given identity URL, and that the trust_root is
- in their whitelist of trusted sites.
- """
- if not request.user.is_authenticated():
- return None
-
- openid = openid_get_identity(request, identity_url)
- if openid is None:
- return None
-
- if openid.trustedroot_set.filter(trust_root=trust_root).count() < 1:
- return None
-
- return openid
-
-
-def url_is_equivalent(a, b):
- """
- Test if two URLs are equivalent OpenIDs.
- """
- return a.rstrip('/') == b.rstrip('/')
-
-
-def openid_get_identity(request, identity_url):
- """
- Select openid based on claim (identity_url).
- If none was claimed identity_url will be
- 'http://specs.openid.net/auth/2.0/identifier_select'
- - in that case return default one
- - if user has no default one, return any
- - in other case return None!
- """
- logger.debug('Looking for %s in user %s set of OpenIDs %s',
- identity_url, request.user, request.user.openid_set)
- for openid in request.user.openid_set.iterator():
- if url_is_equivalent(identity_url, url_for_openid(request, openid)):
- return openid
- if identity_url == IDENTIFIER_SELECT_URL:
- # no claim was made, choose user default openid:
- openids = request.user.openid_set.filter(default=True)
- if openids.count() == 1:
- return openids[0]
- if request.user.openid_set.count() > 0:
- return request.user.openid_set.all()[0]
- return None
-
-
-def openid_get_server(request):
- return Server(
- get_store(request),
- op_endpoint=request.build_absolute_uri(
- reverse('openid-provider-root')))
diff --git a/baserock_openid_provider/templates/base.html b/baserock_openid_provider/templates/base.html
deleted file mode 100644
index 25a6135d..00000000
--- a/baserock_openid_provider/templates/base.html
+++ /dev/null
@@ -1,38 +0,0 @@
-{% load i18n %}
-<!DOCTYPE html>
-<html lang="en">
-
-<head>
- <link rel="stylesheet" href="{{ STATIC_URL }}style.css" />
- <title>{% block title %}Baserock OpenID Provider{% endblock %}</title>
-</head>
-
-<body>
- <div id="header">
- {% block header %}
- <a href="{% url 'index' %}">{% trans "Home" %}</a> |
-
- {% if user.is_authenticated %}
- {% trans "Logged in" %}: {{ user.username }}
- (<a href="{% url 'auth_logout' %}">{% trans "Log out" %}</a> |
- <a href="{% url 'auth_password_change' %}">{% trans "Change password" %}</a>)
- {% else %}
- <a href="{% url 'auth_login' %}">{% trans "Log in" %}</a> |
- <a href="{% url 'registration_register' %}">{% trans "Register" %}</a>
- {% endif %}
- <hr />
- {% endblock %}
- </div>
-
- <div id="content">
- {% block content %}{% endblock %}
- </div>
-
- <div id="footer">
- {% block footer %}
- <hr />
- {% endblock %}
- </div>
-</body>
-
-</html>
diff --git a/baserock_openid_provider/templates/index.html b/baserock_openid_provider/templates/index.html
deleted file mode 100644
index 1cb4bf73..00000000
--- a/baserock_openid_provider/templates/index.html
+++ /dev/null
@@ -1,15 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<p>This is the Baserock OpenID provider.</p>
-
-{% if user.is_authenticated %}
- <p>You are registered as {{ user.get_full_name }}.</p>
-
- <p>Your OpenID is:
- <a href="https://openid.baserock.org/openid/{{ user.username }}/">https://openid.baserock.org/openid/{{ user.username }}/</a>
- </p>
-{% endif %}
-
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/activate.html b/baserock_openid_provider/templates/registration/activate.html
deleted file mode 100644
index 8deb01c8..00000000
--- a/baserock_openid_provider/templates/registration/activate.html
+++ /dev/null
@@ -1,8 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-
-<p>{% trans "Account activation failed" %}</p>
-
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/activation_complete.html b/baserock_openid_provider/templates/registration/activation_complete.html
deleted file mode 100644
index df2efd55..00000000
--- a/baserock_openid_provider/templates/registration/activation_complete.html
+++ /dev/null
@@ -1,6 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<p>{% trans "Your account is now activated. Please log in." %}</p>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/activation_email.txt b/baserock_openid_provider/templates/registration/activation_email.txt
deleted file mode 100644
index bfa784d9..00000000
--- a/baserock_openid_provider/templates/registration/activation_email.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-{% load i18n %}
-{% trans "Activate account at" %} {{ site.name }}:
-
-https://{{ site.domain }}{% url 'registration_activate' activation_key %}
-
-{% blocktrans %}Link is valid for {{ expiration_days }} days.{% endblocktrans %}
diff --git a/baserock_openid_provider/templates/registration/activation_email_subject.txt b/baserock_openid_provider/templates/registration/activation_email_subject.txt
deleted file mode 100644
index 24f477cb..00000000
--- a/baserock_openid_provider/templates/registration/activation_email_subject.txt
+++ /dev/null
@@ -1 +0,0 @@
-{% load i18n %}{% trans "Account activation on" %} {{ site.name }}
diff --git a/baserock_openid_provider/templates/registration/login.html b/baserock_openid_provider/templates/registration/login.html
deleted file mode 100644
index 9b245989..00000000
--- a/baserock_openid_provider/templates/registration/login.html
+++ /dev/null
@@ -1,15 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<form method="post" action=".">
- {% csrf_token %}
- {{ form.as_p }}
-
- <input type="submit" value="{% trans 'Log in' %}" />
- <input type="hidden" name="next" value="{{ next }}" />
-</form>
-
-<p>{% trans "Forgot password" %}? <a href="{% url 'auth_password_reset' %}">{% trans "Reset it" %}</a>!</p>
-<p>{% trans "Not member" %}? <a href="{% url 'registration_register' %}">{% trans "Register" %}</a>!</p>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/logout.html b/baserock_openid_provider/templates/registration/logout.html
deleted file mode 100644
index f8da51fa..00000000
--- a/baserock_openid_provider/templates/registration/logout.html
+++ /dev/null
@@ -1,6 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<p>{% trans "Logged out" %}</p>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/password_change_done.html b/baserock_openid_provider/templates/registration/password_change_done.html
deleted file mode 100644
index 659be0a4..00000000
--- a/baserock_openid_provider/templates/registration/password_change_done.html
+++ /dev/null
@@ -1,6 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<p>{% trans "Password changed" %}</p>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/password_change_form.html b/baserock_openid_provider/templates/registration/password_change_form.html
deleted file mode 100644
index 10b1fc13..00000000
--- a/baserock_openid_provider/templates/registration/password_change_form.html
+++ /dev/null
@@ -1,11 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<form method="post" action=".">
- {% csrf_token %}
- {{ form.as_p }}
-
- <input type="submit" value="{% trans 'Submit' %}" />
-</form>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/password_reset_complete.html b/baserock_openid_provider/templates/registration/password_reset_complete.html
deleted file mode 100644
index 55993e85..00000000
--- a/baserock_openid_provider/templates/registration/password_reset_complete.html
+++ /dev/null
@@ -1,10 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-
-<p>{% trans "Password reset successfully" %}</p>
-
-<p><a href="{% url 'auth_login' %}">{% trans "Log in" %}</a></p>
-
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/password_reset_confirm.html b/baserock_openid_provider/templates/registration/password_reset_confirm.html
deleted file mode 100644
index 33bd276a..00000000
--- a/baserock_openid_provider/templates/registration/password_reset_confirm.html
+++ /dev/null
@@ -1,21 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-
-{% if validlink %}
-
-<form method="post" action=".">
- {% csrf_token %}
- {{ form.as_p }}
-
- <input type="submit" value="{% trans 'Submit' %}" />
-</form>
-
-{% else %}
-
-<p>{% trans "Password reset failed" %}</p>
-
-{% endif %}
-
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/password_reset_done.html b/baserock_openid_provider/templates/registration/password_reset_done.html
deleted file mode 100644
index 6057ccbe..00000000
--- a/baserock_openid_provider/templates/registration/password_reset_done.html
+++ /dev/null
@@ -1,6 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<p>{% trans "Email with password reset instructions has been sent." %}</p>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/password_reset_email.html b/baserock_openid_provider/templates/registration/password_reset_email.html
deleted file mode 100644
index c78893ed..00000000
--- a/baserock_openid_provider/templates/registration/password_reset_email.html
+++ /dev/null
@@ -1,5 +0,0 @@
-{% load i18n %}
-{% blocktrans %}Reset password at {{ site_name }}{% endblocktrans %}:
-{% block reset_link %}
-{{ protocol }}://{{ domain }}{% url 'auth_password_reset_confirm' uid token %}
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/password_reset_form.html b/baserock_openid_provider/templates/registration/password_reset_form.html
deleted file mode 100644
index 10b1fc13..00000000
--- a/baserock_openid_provider/templates/registration/password_reset_form.html
+++ /dev/null
@@ -1,11 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<form method="post" action=".">
- {% csrf_token %}
- {{ form.as_p }}
-
- <input type="submit" value="{% trans 'Submit' %}" />
-</form>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/registration_closed.html b/baserock_openid_provider/templates/registration/registration_closed.html
deleted file mode 100644
index c73cfacc..00000000
--- a/baserock_openid_provider/templates/registration/registration_closed.html
+++ /dev/null
@@ -1,6 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
- <p>{% trans "Registration is currently closed." %}</p>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/registration_complete.html b/baserock_openid_provider/templates/registration/registration_complete.html
deleted file mode 100644
index 757bd50c..00000000
--- a/baserock_openid_provider/templates/registration/registration_complete.html
+++ /dev/null
@@ -1,11 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<p>You are now registered. An activation email has been sent to you with
-a link that you will need to click to activate your account.</p>
-
-<p>The mail should arrive within 15 minutes, depending on your mail provider's
-use of <a href="https://en.wikipedia.org/wiki/Greylisting">greylisting.</a></p>
-</p>
-{% endblock %}
diff --git a/baserock_openid_provider/templates/registration/registration_form.html b/baserock_openid_provider/templates/registration/registration_form.html
deleted file mode 100644
index 6d0854d6..00000000
--- a/baserock_openid_provider/templates/registration/registration_form.html
+++ /dev/null
@@ -1,11 +0,0 @@
-{% extends "base.html" %}
-{% load i18n %}
-
-{% block content %}
-<form method="post" action=".">
- {% csrf_token %}
- {{ form.as_p }}
-
- <input type="submit" value="{% trans 'Submit' %}" />
-</form>
-{% endblock %}
diff --git a/baserock_openid_provider/uwsgi.ini b/baserock_openid_provider/uwsgi.ini
deleted file mode 100644
index 0849096d..00000000
--- a/baserock_openid_provider/uwsgi.ini
+++ /dev/null
@@ -1,22 +0,0 @@
-# Configuration for uWSGI web application gateway for Baserock OpenID provider.
-#
-# System-wide configuration should live in /etc/uwsgi.ini.
-#
-# Some good reading for uWSGI:
-# - http://uwsgi-docs.readthedocs.org/en/latest/ThingsToKnow.html
-# - http://uwsgi-docs.readthedocs.org/en/latest/Configuration.html
-
-[uwsgi]
-need-plugin = python
-
-# This slightly weird setup seems the only way to avoid
-# django.ImproperlyConfigured exceptions.
-pythonpath = /srv/baserock_openid_provider
-chdir = /srv/baserock_openid_provider/baserock_openid_provider
-wsgi = wsgi
-
-# These numbers are pulled completely out of my arse. Testing should
-# be done to find good values.
-processes = 1
-
-buffer-size = 32768
diff --git a/baserock_storyboard/ansible-galaxy-roles.yaml b/baserock_storyboard/ansible-galaxy-roles.yaml
deleted file mode 100644
index 8eedb134..00000000
--- a/baserock_storyboard/ansible-galaxy-roles.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ansible Galaxy roles needed
-- name: palvarez89.storyboard
- version: 2.1.1
- src: https://github.com/palvarez89/ansible-role-storyboard
diff --git a/baserock_storyboard/backup-snapshot.conf b/baserock_storyboard/backup-snapshot.conf
deleted file mode 100644
index 8a5dd8d3..00000000
--- a/baserock_storyboard/backup-snapshot.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-services:
- - mysql.service
-
-volume: /dev/vg0/database-storyboard
diff --git a/baserock_storyboard/instance-backup-config.yml b/baserock_storyboard/instance-backup-config.yml
deleted file mode 100644
index 88737d7f..00000000
--- a/baserock_storyboard/instance-backup-config.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Instance backup configuration for the baserock.org database.
----
-- hosts: storyboard
- gather_facts: false
- become: yes
- vars:
- FRONTEND_IP: 192.168.222.143
- tasks:
- - name: backup-snapshot script
- copy: src=../backup-snapshot dest=/usr/bin/backup-snapshot mode=755
-
- - name: backup-snapshot config
- copy: src=backup-snapshot.conf dest=/etc/backup-snapshot.conf
-
- # We need to give the backup automation 'root' access, because it needs to
- # manage system services, LVM volumes, and mounts, and because it needs to
- # be able to read private data. The risk of having the backup key
- # compromised is mitigated by only allowing it to execute the
- # 'backup-snapshot' script, and limiting the hosts it can be used from.
- - name: access for backup SSH key
- authorized_key:
- user: root
- key: "{{ lookup('file', '../keys/backup.key.pub') }}"
- # Quotes are important in this options, the OpenSSH server will reject
- # the entry if the 'from' or 'command' values are not quoted.
- key_options: 'from="{{FRONTEND_IP}}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/bin/backup-snapshot"'
diff --git a/baserock_storyboard/instance-config.yml b/baserock_storyboard/instance-config.yml
deleted file mode 100644
index 6eecbae3..00000000
--- a/baserock_storyboard/instance-config.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Instance configuration for Baserock MySQL on for StoryBoard host
-#
-# This script expects a volume to be available at /dev/vdb.
----
-- hosts: storyboard
- gather_facts: False
- become: yes
- vars:
- - lv_size: 25g
- - mountpoint: /var/lib/mysql
- - lv_name: database-storyboard
- tasks:
- - name: install lvm2 tools
- apt: name=lvm2 state=latest
-
- - name: LVM logical volume group on /dev/vdb
- lvg: vg=vg0 pvs=/dev/vdb
-
-# Duplicated from:
-#- include: ../tasks/create-data-volume.yml lv_name=database-storyboard lv_size=25g mountpoint=/var/lib/mysql
-# given that is not ubuntu compatible
-
- - name: logical volume for {{ lv_name }}
- lvol: vg=vg0 lv={{ lv_name }} size={{ lv_size }}
-
-# This will NEVER overwrite an existing filesystem. Unless you add
-# 'force=yes' to the arguments. So don't do that. See:
-# http://docs.ansible.com/filesystem_module.html.
-#
- - name: ext4 filesystem on /dev/vg0/{{ lv_name }}
- filesystem: fstype=ext4 dev=/dev/vg0/{{ lv_name }}
-
- - name: mount {{ lv_name }} logical volume
- mount: src=/dev/vg0/{{ lv_name }} name={{ mountpoint }} fstype=ext4 state=mounted
-# End of duplication
diff --git a/baserock_storyboard/instance-storyboard-config.yml b/baserock_storyboard/instance-storyboard-config.yml
deleted file mode 100644
index 8eaf09d8..00000000
--- a/baserock_storyboard/instance-storyboard-config.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# Instance-specific configuration for the baserock.org StoryBoard instance.
----
-- hosts: storyboard
- vars_files:
- - ../baserock_database/baserock_storyboard.database_password.yml
- - ../baserock_database/root.database_password.yml
- - storyboard-vars.yml
- become: yes
- roles:
- # We are using a new database here because StoryBoard is not yet compatible
- # with MariaDB
- - { role: palvarez89.storyboard }
diff --git a/baserock_storyboard/projects.yaml b/baserock_storyboard/projects.yaml
deleted file mode 100644
index b70a333e..00000000
--- a/baserock_storyboard/projects.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-# Projects defined for Baserock Storyboard
-
-# This file lives in <http://git.baserock.org/baserock/baserock/infrastructure>.
-# This is a temporary version for the work-in-progress storyboard.
-
-# If you update this list, you'll need to log into storyboard.baserock.org and
-# run the following:
-#
-# sudo -u apache storyboard-db-manage \
-# --config-file /etc/storyboard/storyboard.conf \
-# load_projects ./projects.yaml
-
-- project: baserock/definitions
- description: Baserock reference system definitions
- use-storyboard: true
-
-- project: baserock/firehose
- description: Firehose automated integration tool
- use-storyboard: true
-
-- project: baserock/import
- description: Baserock Import Tool
- use-storyboard: true
-
-- project: baserock/lorry
- description: Lorry mirroring tool
- use-storyboard: true
-
-- project: baserock/lorry-controller
- description: Lorry Controller scheduling and management tool
- use-storyboard: true
-
-- project: baserock/morph
- description: Morph build tool
- use-storyboard: true
-
-- project: baserock/infrastructure
- description: baserock.org infrastructure
- use-storyboard: true
-
-- project: baserock/spec
- description: Specification for Baserock definitions format
- use-storyboard: true
-
-- project: baserock/wiki
- description: Baserock Wiki at http://wiki.baserock.org/
- use-storyboard: true
diff --git a/baserock_storyboard/storyboard-vars.yml b/baserock_storyboard/storyboard-vars.yml
deleted file mode 100644
index ad1fcd8a..00000000
--- a/baserock_storyboard/storyboard-vars.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-# For rabbitmq role
-rabbitmq_host: localhost
-rabbitmq_port: 5672
-rabbitmq_vhost: '/'
-rabbitmq_user: storyboard
-rabbitmq_user_password: storyboard
-rabbitmq_ssl: false
-rabbitmq_vhost_definitions:
- - name: "{{ rabbitmq_vhost }}"
-rabbitmq_users_definitions:
- - vhost: "{{ rabbitmq_vhost }}"
- user: "{{ rabbitmq_user }}"
- password: "{{ rabbitmq_user_password }}"
-rabbitmq_conf_tcp_listeners_address: '127.0.0.1'
-
-# For mysql role
-mysql_host: localhost
-mysql_port: 3306
-mysql_database: storyboard
-mysql_user: storyboard
-mysql_user_password: "{{ baserock_storyboard_password }}"
-mysql_root_password: "{{ root_password }}"
-mysql_databases:
- - name: "{{ mysql_database }}"
-mysql_users:
- - name: "{{ mysql_user }}"
- host: "{{ mysql_host }}"
- password: "{{ mysql_user_password }}"
- priv: "{{ mysql_database }}.*:ALL"
-mysql_packages:
- - mysql-server-5.6
- - python-mysqldb
-
-storyboard_enable_email: 'True'
-storyboard_email_sender: StoryBoard (Do Not Reply) <do_not_reply@baserock.org>
-storyboard_email_smtp_host: 192.168.222.145
-storyboard_email_smtp_timeout: 10
-
-storyboard_fqdn: storyboard.baserock.org
-storyboard_openid_url: https://openid.baserock.org/openid/
-
-storyboard_projects: projects.yaml
-storyboard_superusers: users.yaml
-storyboard_mysql_user_password: "{{ baserock_storyboard_password }}"
-
-storyboard_ssl_cert: ../certs/storyboard-full.pem
-storyboard_ssl_key: ../private/storyboard.pem
-storyboard_resolved_ssl_ca: ../certs/letsencrypt-ca.pem
-
-storyboard_access_token_ttl: 31622400
diff --git a/baserock_storyboard/users.yaml b/baserock_storyboard/users.yaml
deleted file mode 100644
index b42efca9..00000000
--- a/baserock_storyboard/users.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-- openid: https://openid.baserock.org/openid/pedroalvarez/
- email: pedro.alvarez@codethink.co.uk
-- openid: https://openid.baserock.org/openid/samthursfield/
- email: sam.thursfield@codethink.co.uk