dbbf94a411
Almost global anyway, i.e. inside the VPN. The ipa/client-based shell access and sudo rules are only effective for staging right now, the respective playbook bits are masked out for prod. - Assign Ansible host groups to IPA host groups, the latter don't care about 'stg' in the name and use dashes rather than underscores. - Distill shell access groups from fas_client_groups in group and host vars. - Let all `sysadmin-*` groups in the previous list run anything via sudo in the host group (except bastion & batcave). - Remove `fas_client_groups` from staging host and group vars. - Remove sudoers from staging host and group vars if only `sysadmin-*` groups have shell access. - Set up `ipa_client_shell_groups` on bastion to be a super set of the same on batcave. Newly created IPA host groups: - autosign - badges - basset - bastion - batcave - blockerbugs - bodhi - bugzilla2fedmsg - busgateway - datagrepper - dbserver - dns - fedimg - github2fedmsg - ipa - kernel-qa - kerneltest - kojibuilder - kojihub - kojipkgs - logging - mailman - memcached - mirrormanager - nagios - notifs - oci-registry - odcs - openqa - openqa-workers - osbs - packages - pdc-web - pkgs - proxies - rabbitmq - releng-compose - resultsdb - secondary - sign-bridge - sundries - value - wiki Signed-off-by: Nils Philippsen <nils@redhat.com>
129 lines
3.7 KiB
Text
129 lines
3.7 KiB
Text
---
|
|
# Define resources for this group of hosts here.
|
|
lvm_size: 50000
|
|
mem_size: 8192
|
|
num_cpus: 6
|
|
|
|
# This is used in the httpd.conf to determine the value for serverlimit and
|
|
# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this
|
|
# should be lowered in the host vars for that proxy.
|
|
maxrequestworkers: 900
|
|
|
|
tcp_ports: [
|
|
# For apache, generally.
|
|
80,
|
|
443,
|
|
|
|
# This is for TCP krb5
|
|
1088,
|
|
|
|
# This is for RabbitMQ public access
|
|
5671,
|
|
# This is for RabbitMQ internal-public access
|
|
15671,
|
|
|
|
# This is for the haproxy HTML stats page
|
|
# TODO -- there's no need for this to be wide open to the world. With this
|
|
# in place, you can visit https://apps.fedoraproject.org:8080 and get the
|
|
# haproxy stats page. We should close this and just have admins go through
|
|
# the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
|
|
8080,
|
|
|
|
# This is for TOTP
|
|
8443,
|
|
|
|
# For fedmsg websocket server over stunnel
|
|
9939,
|
|
# For fedmsg raw zeromq socket (outbound)
|
|
9940,
|
|
# 9941 is closed generally, is for the inbound fedmsg and is covered in
|
|
# custom_rules
|
|
]
|
|
custom_rules: [
|
|
# Need for rsync from log01 for logs.
|
|
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
|
|
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
|
|
'-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
|
|
|
|
# allow varnish from localhost
|
|
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
|
|
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
|
|
|
|
# also allow varnish from internal for purge requests
|
|
'-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
|
|
'-A INPUT -p tcp -m tcp -s 10.3.163.0/24 --dport 6081 -j ACCEPT',
|
|
|
|
# Allow happinesspackets.fedorainfracloud.org to talk to inbound fedmsg relay.
|
|
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.58 -j ACCEPT',
|
|
|
|
# Allow openqa01 to talk to the inbound fedmsg relay.
|
|
'-A INPUT -p tcp -m tcp --dport 9941 -s 10.3.174.0/24 -j ACCEPT',
|
|
|
|
# For Zanata
|
|
# See files/httpd/website_id_fp_o_zanata.conf for info
|
|
'-A INPUT -p tcp -m tcp --dport 44342 -s 209.132.183.252 -j ACCEPT',
|
|
]
|
|
|
|
nat_rules: [
|
|
# For Zanata, redirect 443/tcp -> 43342/tcp for TLS reasons
|
|
# See files/httpd/website_id_fp_o_zanata.conf for info
|
|
'-A PREROUTING -s 209.132.183.252 -p tcp --dport 443 -j REDIRECT --to 44342'
|
|
]
|
|
|
|
blocked_ips: [
|
|
'14.102.69.78',
|
|
'104.219.54.236',
|
|
'103.38.177.2',
|
|
'110.172.140.98',
|
|
'183.80.131.253',
|
|
'113.190.178.137',
|
|
'115.76.39.108',
|
|
'116.109.31.204',
|
|
'209.64.155.56',
|
|
]
|
|
|
|
|
|
blocked_ip_v6: [
|
|
]
|
|
|
|
fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
|
|
|
|
ipa_host_group: proxies
|
|
ipa_host_group_desc: Proxies between internal hosts and the Internet
|
|
ipa_client_shell_groups:
|
|
- fi-apprentice
|
|
- sysadmin-noc
|
|
- sysadmin-veteran
|
|
- sysadmin-web
|
|
ipa_client_sudo_groups:
|
|
- sysadmin-noc
|
|
- sysadmin-veteran
|
|
- sysadmin-web
|
|
|
|
collectd_apache: true
|
|
|
|
varnish_group: proxies
|
|
|
|
postvpnservices:
|
|
- haproxy
|
|
- varnish
|
|
|
|
# For the MOTD
|
|
csi_security_category: Moderate
|
|
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
|
|
csi_purpose: Provides frontend (reverse) proxy for most web applications
|
|
csi_relationship: |
|
|
Using Apache -> haproxy, these hosts contact app servers and
|
|
other various hosts to provide web applications at sites like
|
|
fedoraproject.org and admin.fedoraproject.org. The proxy servers are
|
|
balanced via dns and geoIP and are spread all over the place.
|
|
|
|
openshift_masters:
|
|
- os-master01.vpn.fedoraproject.org
|
|
- os-master02.vpn.fedoraproject.org
|
|
- os-master03.vpn.fedoraproject.org
|
|
|
|
openshift_nodes:
|
|
- os-node01.vpn.fedoraproject.org
|
|
- os-node02.vpn.fedoraproject.org
|
|
- os-node03.vpn.fedoraproject.org
|