Refs #30780 - set proper content origin setting
CONTENT_ORIGIN needs to be pointed at https:// for the /pulp/container/ redirect to work properly
Manage the static assets via a class
Since 8c66bff the pulpcore-manager command runs as root. On a fresh installation this is fine, but on upgrades the user doesn't own /var/lib/pulp/assets. This explicitly manages the static root. It is split off to a separate class to better capture the dependencies. The database doesn't need to refresh due to static files, nor any services.
Set STATIC_ROOT in settings.py
By setting it in settings.py, pulp-manager will also know about it. It also makes the service file more straightforward.
Set SECURE_PROXY_SSL_HEADER for http/https proto
In a reverse proxy setup, the process is running on HTTP only, but Apache is running on both HTTP and HTTPS. To let Django know, Apache sends the X-Forwarded-Proto header[1]. The Django settings documentation suggests this solution[2].
[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
[2]: https://docs.djangoproject.com/en/2.2/ref/settings/#secure-proxy-ssl-header
Drop pid files and fix working dirs
When using systemd, the pid files are actually not important so they can be dropped. The WorkingDirectory is set to ~, which will resolve to the user's home directory. That means systemd will ensure it is mounted before starting services. Pulp itself doesn't use it so it's a cheap way for a more reliable service start. Subscribing to pulpcore-worker@.service is another bugfix to ensure all workers use the correct service definition. Explicitly setting the type and group is more for consistency and doesn't actually change anything.
This class uses the new yum.theforeman.org repos that are versioned per Pulpcore release. This allows easy switching between versions. It also properly sets the GPG key validation. It does switch acceptance testing from staging repositories to stable repositories. Another implication is that it switches to Pulpcore 3.6 by default. This was chosen since 3.7 is not complete yet.
Fixes #31018 - Force UTF-8 database encoding
If this is not set, the environment is used. Often this causes the database to be initialized as ASCII which breaks Pulpcore.
Fixes #30465 - Use libexec wrappers for SELinux
In python3-pulpcore 3.7.1-2 the /usr/libexec/pulpcore wrappers have been introduced to enter the proper SELinux domain. It has also been cherry-picked to 3.6.3-2, but there the SELinux policy is incomplete so it has no effect. The main benefit of that cherry-pick is to keep the module compatible with both 3.6 and 3.7.
Fixes #30423 - Change the application layout
This explicitly sets all directories and documents the layout. It diverges from the upstream defaults in that MEDIA_ROOT is set to a subdirectory and the directory permissions are stricter than upstream. Upstream this layout is proposed as the default. https://pulp.plan.io/issues/7178 has been opened for that.
Make REMOTE_USER_ENVIRON_NAME mandatory
Pulpcore has a default for this (which is copied). That means it's a good idea to always set it. Otherwise the illusion is created that it's an optional thing. However, the reverse proxy must be set up to use this. If the header is not cleared, it's a security risk because an attacker can spoof the header.
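The spoofing risk named in this message, and the X-Forwarded-Proto trust from the SECURE_PROXY_SSL_HEADER message above, both come down to the same thing: the application trusts a header because it assumes the reverse proxy, not the client, set it. The following is an added example that is not part of this commit log, of puppet-pulpcore or of Pulpcore; it models a proxy and a Django-style application in plain Python. The header names, the proxy behaviour (only setting X-Forwarded-Proto on TLS connections, only setting Remote-User after authenticating) and the environ key defaults are assumptions for illustration; the WSGI rule that maps `Remote-User` to `HTTP_REMOTE_USER` is the real one from PEP 3333, which is exactly what lets a client-supplied header masquerade as a proxy-supplied one.

```python
"""Constructed model of the reverse-proxy / application header trust boundary.

Added example, not code from puppet-pulpcore or Pulpcore. It shows why
REMOTE_USER_ENVIRON_NAME and SECURE_PROXY_SSL_HEADER are only safe when the
proxy strips the client's copies of the trusted headers before forwarding.
"""

# Headers the application trusts because it believes only the proxy sets them.
# Assumed names; they follow Django's conventions for SECURE_PROXY_SSL_HEADER
# and a header-carried REMOTE_USER.
TRUSTED_PROXY_HEADERS = ("Remote-User", "X-Forwarded-Proto")


def wsgi_environ(headers):
    """PEP 3333 header mapping: 'Remote-User' -> 'HTTP_REMOTE_USER'."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def proxy_forward(client_headers, authenticated_user, tls, strip_client_headers):
    """Simulated reverse proxy in front of an HTTP-only application.

    authenticated_user: user the proxy itself authenticated, or None.
    tls: whether the client reached the proxy over HTTPS.
    strip_client_headers: remove client-supplied copies of the trusted headers
    before the proxy adds its own (the secure configuration).
    """
    forwarded = dict(client_headers)
    if strip_client_headers:
        for name in TRUSTED_PROXY_HEADERS:
            forwarded.pop(name, None)
    # The proxy only asserts what it actually knows (assumed behaviour):
    # the HTTPS vhost marks the protocol, and a username is set only after
    # the proxy authenticated the client.
    if tls:
        forwarded["X-Forwarded-Proto"] = "https"
    if authenticated_user is not None:
        forwarded["Remote-User"] = authenticated_user
    return wsgi_environ(forwarded)


def app_view(environ,
             remote_user_environ_name="HTTP_REMOTE_USER",
             secure_proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https")):
    """What the application concludes from the environ it receives.

    Mirrors the Django settings named in the commit messages: the environ key
    in REMOTE_USER_ENVIRON_NAME is taken as an authenticated username, and the
    (key, value) pair in SECURE_PROXY_SSL_HEADER marks the request as HTTPS.
    Returns (username or None, is_secure).
    """
    header, expected = secure_proxy_ssl_header
    return environ.get(remote_user_environ_name), environ.get(header) == expected


def spoof_attempt(strip_client_headers):
    """Unauthenticated client on plain HTTP claims to be admin over HTTPS."""
    attacker_headers = {"Remote-User": "admin", "X-Forwarded-Proto": "https"}
    environ = proxy_forward(attacker_headers, authenticated_user=None, tls=False,
                            strip_client_headers=strip_client_headers)
    return app_view(environ)


def legitimate_login():
    """Proxy-authenticated user over HTTPS, with header stripping enabled."""
    environ = proxy_forward({}, authenticated_user="alice", tls=True,
                            strip_client_headers=True)
    return app_view(environ)


if __name__ == "__main__":
    print("proxy forwards client headers unchanged:", spoof_attempt(False))
    print("proxy strips trusted headers first:     ", spoof_attempt(True))
    print("real proxy-authenticated request:       ", legitimate_login())
```

With stripping disabled the application sees `('admin', True)` for a request nobody authenticated over a connection that was never TLS; with stripping enabled the same request yields `(None, False)`. In Apache terms this is the difference between only ever setting the header and first unsetting whatever the client sent, which is the clearing the commit message insists on.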
Add HTTP / HTTPS vhost management
The goal of this is that the module can either manage the vhost itself or attach fragments to another vhost to embed the application. This allows composition.
Switch to using a Unix socket bind for API and Content services
The use of a Unix socket between the deployed service and the reverse proxy provides tighter security as the only users who can access the socket are root and the configured SocketUser. The introduction of a systemd socket with a ListenStream also provides automatic activation of the underlying service and safer restarts. This change is backwards incompatible as it removes the host and port parameters for the API and Content services in favor of a single bind parameter for each.
Add GitHub action placeholders
These files need to exist for a GitHub action to trigger on a PR. The goal of this commit is to have proper CI checks on the actual PR to switch over. [skip ci]
Set docroot to pulpcore_static
6a88107 changed the docroot to /var/lib/pulp/docroot. While I still think this is a much more descriptive name for what it is, Pulp upstream has chosen to go with pulpcore_static. A suggestion to change it was rejected in [7750]. This path will also be included in the SELinux policy so it's important it matches here.
[7750]: https://pulp.plan.io/issues/7750#note-3