roles/koji-hub: Deploy the Koji Hub

The *koji-hub* role installs and configures the Koji Hub. It requires
Apache and mod_wsgi. Management of client certificates must be done
externally.

roles/koji-hub/templates/hub.conf.j2

@@ -0,0 +1,117 @@
+[hub]
+
+## ConfigParser style config file, similar to ini files
+## http://docs.python.org/library/configparser.html
+##
+## Note that multiline values can be set by indenting subsequent lines
+## (which means you should not indent regular lines)
+
+## Basic options ##
+DBName = {{ koji_db_name }}
+DBUser = {{ koji_db_user }}
+{% if ansible_distribution_major_version|int > 6 %}
+DBHost = /run/postgresql
+{% else %}
+#DBHost = db.example.com
+{% endif %}
+#DBPass = example_password
+KojiDir = {{ koji_home }}
+
+
+##  Kerberos authentication options  ##
+
+# AuthPrincipal = host/kojihub@EXAMPLE.COM
+# AuthKeytab = /etc/koji.keytab
+# ProxyPrincipals = koji/kojiweb@EXAMPLE.COM
+## format string for host principals (%s = hostname)
+# HostPrincipalFormat = compile/%s@EXAMPLE.COM
+
+## end Kerberos auth configuration
+
+
+
+##  SSL client certificate auth configuration  ##
+#note: ssl auth may also require editing the httpd config (conf.d/kojihub.conf)
+
+## the client username is the common name of the subject of their client certificate
+DNUsernameComponent = CN
+## separate multiple DNs with |
+{% if koji_hub_proxy_dns is defined %}
+ProxyDNs = {{ koji_hub_proxy_dns|join('|\n           ') }}
+{% else %}
+# ProxyDNs = /C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example@example.com
+{% endif %}
+
+## end SSL client certificate auth configuration
+
+
+
+##  Other options  ##
+LoginCreatesUser = On
+KojiWebURL = {{ kojiweb_url }}
+# The domain name that will be appended to Koji usernames
+# when creating email notifications
+{% if koji_email_domain is defined %}
+EmailDomain = {{ koji_email_domain }}
+{% else %}
+#EmailDomain = example.com
+{% endif %}
+# whether to send the task owner and package owner email or not on success.  this still goes to watchers
+NotifyOnSuccess = True
+## Disables all notifications
+DisableNotifications = {{ koji_hub_disable_notifications }}
+{% if not koji_hub_check_client_ip %}
+# Disable client IP address check, allowing clients to use
+# the same session with multiple source addresses (e.g. from
+# behind a proxy or when the client's address changes.
+CheckHostIP = False
+{% endif %}
+
+## Extended features
+## Support Maven builds
+# EnableMaven = False
+## Support Windows builds
+# EnableWin = False
+
+## Koji hub plugins
+## The path where plugins are found
+# PluginPath = /usr/lib/koji-hub-plugins
+## A space-separated list of plugins to load
+{% if koji_hub_plugins is defined %}
+Plugins = {{ koji_hub_plugins|join(' ') }}
+{% else %}
+# Plugins = echo
+{% endif %}
+
+## If KojiDebug is on, the hub will be /very/ verbose and will report exception
+## details to clients for anticipated errors (i.e. koji's own exceptions --
+## subclasses of koji.GenericError).
+# KojiDebug = On
+
+## Determines how much detail about exceptions is reported to the client (via faults)
+## Meaningful values:
+##   normal - a basic traceback (format_exception)
+##   extended - an extended traceback (format_exc_plus)
+##   anything else - no traceback, just the error message
+## The extended traceback is intended for debugging only and should NOT be
+## used in production, since it may contain sensitive information.
+# KojiTraceback = normal
+
+## These options are intended for planned outages
+# ServerOffline = False
+# OfflineMessage = temporary outage
+# LockOut = False
+## If ServerOffline is True, the server will always report a ServerOffline fault (with
+## OfflineMessage as the fault string).
+## If LockOut is True, the server will report a ServerOffline fault for all non-admin
+## requests.
+{% if koji_hub_policy is defined %}
+
+[policy]
+{% for policy in koji_hub_policy %}
+{{ policy.name }} =
+{% for rule in policy.rules %}
+    {{ rule }}
+{% endfor %}
+{% endfor %}
+{% endif %}

roles/koji-hub/templates/kojihub.httpd.conf.j2

@@ -0,0 +1,55 @@
+#
+# koji-hub is an xmlrpc interface to the Koji database
+#
+
+WSGIDaemonProcess koji user=koji group=koji display-name=%{GROUP} processes=4 threads=1
+WSGIScriptAlias /kojihub /usr/share/koji-hub/kojixmlrpc.py process-group=koji
+
+<Directory "/usr/share/koji-hub">
+    Options ExecCGI
+    <IfVersion < 2.4>
+        Order allow,deny
+        Allow from all
+    </IfVersion>
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+</Directory>
+
+# Also serve /mnt/koji
+Alias /kojifiles "{{ koji_home }}"
+
+<Directory "{{ koji_home }}">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    <IfVersion < 2.4>
+        Order allow,deny
+        Allow from all
+    </IfVersion>
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+    <FilesMatch "^\..*">
+        <IfVersion < 2.4>
+            Deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </FilesMatch>
+</Directory>
+
+# uncomment this to enable authentication via SSL client certificates
+<Location /kojihub/ssllogin>
+        SSLVerifyClient require
+        SSLVerifyDepth  10
+        SSLOptions +StdEnvVars
+</Location>
+
+# If you need to support koji < 1.4.0 clients using SSL authentication, then use the following instead:
+# <Location /kojihub>
+#         SSLOptions +StdEnvVars
+# </Location>
+# In this case, you will need to enable these options globally (in ssl.conf):
+# SSLVerifyClient require
+# SSLVerifyDepth  10