Merge branch 'master' of /git/ansible

2017-07-28 06:19:05 +00:00 · 2017-07-28 06:19:05 +00:00 · 17672eddf7
commit 17672eddf7
parent f04001aa0f c223c76370
48 changed files with 593 additions and 36 deletions
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@ -173,3 +173,7 @@

 - name: restart idmapd
  service: name=nfs-idmapd state=restarted
+
+- name: restart darkserver
+  service: name=darkserver state=restarted
+
--- a/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/

 eth0_ip: 10.5.126.124

--- a/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/

 eth0_ip: 10.5.126.92

--- a/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org
@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21

-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/

 eth0_ip: 10.5.126.120

--- a/playbooks/groups/darkserver-backend.yml
+++ b/playbooks/groups/darkserver-backend.yml
@ -12,7 +12,7 @@

  pre_tasks:

-  - yum: name=libsemanage-python state=present
+  - dnf: name=libsemanage-python state=present
  - name: "Set SElinux booleans"
    seboolean: name=httpd_can_network_connect_db state=yes persistent=yes

@ -65,7 +65,9 @@
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
+  - fedmsg/base
  - fedmsg/hub
+  - rabbitmq
  - darkserver/backend
  - role: collectd/fedmsg-service
    process: fedmsg-hub
--- a/playbooks/groups/releng-compose.yml
+++ b/playbooks/groups/releng-compose.yml
@ -74,5 +74,11 @@
  - include: "{{ tasks_path }}/2fa_client.yml"
  - include: "{{ tasks_path }}/motd.yml"

+  - name: install skopeo for container management
+    package:
+      name: skopeo
+      state: latest
+    when: ansible_architecture != "ppc64"
+
  handlers:
  - include: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/openshift-apps/modernpaste.yml
+++ b/playbooks/openshift-apps/modernpaste.yml
@ -0,0 +1,20 @@
+- name: make the app be real
+  hosts: os-masters-stg
+  user: root
+  gather_facts: True
+
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - "/srv/private/ansible/vars.yml"
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - { role: openshift/object, app: modernpaste, file: imagestream.yml }
+  - { role: openshift/object, app: modernpaste, template: secret.yml }
+  - { role: openshift/object, app: modernpaste, file: buildconfig.yml }
+  - { role: openshift/start-build, app: modernpaste, name: modernpaste-docker-build }
+  - { role: openshift/object, app: modernpaste, template: configmap.yml }
+  - { role: openshift/object, app: modernpaste, file: service.yml }
+  - { role: openshift/object, app: modernpaste, file: route.yml }
+  - { role: openshift/object, app: modernpaste, file: deploymentconfig.yml }
+  - { role: openshift/rollout, app: modernpaste, name: modernpaste-web }
--- a/playbooks/openshift-apps/waiverdb.yml
+++ b/playbooks/openshift-apps/waiverdb.yml
@ -0,0 +1,25 @@
+- name: make the app be real
+  hosts: os-masters-stg
+  user: root
+  gather_facts: True
+
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - "/srv/private/ansible/vars.yml"
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - { role: openshift/object, app: waiverdb, template: project.yml, description: waiverdb }
+  - { role: openshift/object, app: waiverdb, template: secret.yml }
+  #- { role: openshift/secret-file
+  #  , app: waiverdb
+  #  , secret_name: waiverdb-stg-secret
+  #  , key: client_secrets.json
+  #  , template: client_secrets.json
+  #  }
+  - { role: openshift/object, app: waiverdb, file: imagestream.yml }
+  - { role: openshift/object, app: waiverdb, file: configmap.yml }
+  - { role: openshift/object, app: waiverdb, file: service.yml }
+  - { role: openshift/object, app: waiverdb, file: route.yml }
+  - { role: openshift/object, app: waiverdb, file: deploymentconfig.yml }
+  - { role: openshift/rollout, app: waiverdb, name: waiverdb-stg-web }
--- a/roles/anitya/frontend/templates/anitya.cfg
+++ b/roles/anitya/frontend/templates/anitya.cfg
@ -18,6 +18,7 @@ ANITYA_WEB_ADMINS = [
    'http://ralph.id.fedoraproject.org/',
    'http://pingou.id.fedoraproject.org/',
    'http://jcline.id.fedoraproject.org/',
+    'http://tibbs.id.fedoraproject.org/',
 ]

 # Email addresses to send tracebacks to when an HTTP 500 occurs
--- a/roles/bodhi2/backend/templates/atomic-config.py.j2
+++ b/roles/bodhi2/backend/templates/atomic-config.py.j2
@ -71,7 +71,7 @@ config = dict(
            'tree': 'docker-host',
            'treefile': {
                'include': 'fedora-atomic-docker-host.json',
-                'ref': 'fedora-atomic/25/x86_64/updates/docker-host',
+                'ref': 'fedora-atomic/25/x86_64/docker-host',
                'repos': ['fedora-25', 'fedora-25-updates', 'updates'],
                'packages': [],
            },
--- a/roles/darkserver/backend/tasks/main.yml
+++ b/roles/darkserver/backend/tasks/main.yml
@ -3,7 +3,7 @@
 #

 - name: setup darkserver
-  yum: name={{ item }} state=present
+  dnf: name={{ item }} state=present
  with_items:
    - darkserver-importer
  notify:
--- a/roles/darkserver/backend/templates/darkjobworker.conf.j2
+++ b/roles/darkserver/backend/templates/darkjobworker.conf.j2
@ -1,5 +1,5 @@
 [darkserver]
-{% if environment == "staging" %}
+{% if env == "staging" %}
 host=db01.stg.phx2.fedoraproject.org
 password={{ darkserver_stg_writer_password }}
 {% else %}
--- a/roles/distgit/files/fedmsg-genacls-config.py
+++ b/roles/distgit/files/fedmsg-genacls-config.py
@ -1,4 +0,0 @@
-config = {
-    'genacls.consumer.enabled': True,
-    'genacls.consumer.delay': 5, # 5 seconds
-}
--- a/roles/distgit/pagure/files/pagure_worker.service
+++ b/roles/distgit/pagure/files/pagure_worker.service
@ -8,7 +8,7 @@ ExecStart=/usr/bin/celery worker -A pagure.lib.tasks --loglevel=info --autoreloa
 Environment="PAGURE_CONFIG=/etc/pagure/pagure.cfg"
 Type=simple
 User=pagure
-Group=pagure
+#Group=pagure
 Restart=on-failure

 [Install]
--- a/roles/distgit/pagure/tasks/main.yml
+++ b/roles/distgit/pagure/tasks/main.yml
@ -139,7 +139,7 @@

 - name: Override the default pagure_worker.service file to change the user it is run under
  copy: src=pagure_worker.service
-        dest=/usr/lib/systemd/system/pagure_worker.service
+        dest=/etc/systemd/system/pagure_worker.service
        owner=root group=root mode=0755
  notify:
  - reload systemd
--- a/roles/distgit/pagure/templates/0_pagure.conf
+++ b/roles/distgit/pagure/templates/0_pagure.conf
@ -30,7 +30,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
    git-(upload|receive)-pack))$" \
    /usr/libexec/git-core/git-http-backend/$1

-  <Location /pagure/>
+  <Location /pagure>
   WSGIProcessGroup pagureproc
   <IfModule mod_authz_core.c>
      # Apache 2.4
--- a/roles/distgit/pagure/templates/pagure.cfg
+++ b/roles/distgit/pagure/templates/pagure.cfg
@ -100,7 +100,7 @@ TICKETS_FOLDER = None
 REMOTE_GIT_FOLDER = '/srv/git/remotes'

 ### Configuration file for gitolite
-#GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf'
+GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf.pagure'

 ### Temp folder to be used to make the clones to work around bug in libgit2:
 ## refs: https://github.com/libgit2/libgit2/issues/2965
@ -203,3 +203,5 @@ REQUIRED_GROUPS = {
 PDC_URL = 'https://pdc.stg.fedoraproject.org/rest_api/v1/'

 GITOLITE_BACKEND = 'distgit'
+
+THEME_TEMPLATE_FOLDER = '/usr/share/pagure_dist_git/template/'
--- a/roles/distgit/pagure/templates/pagure.wsgi
+++ b/roles/distgit/pagure/templates/pagure.wsgi
@ -4,7 +4,7 @@
 # two possible version of python-sqlalchemy and python-jinja2
 # These lines make sure the application uses the correct version.
 import __main__
-__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4']
+__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4', 'Pygments>=2.1.0']
 import pkg_resources

 import os
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@ -243,7 +243,8 @@
  - distgit

 - name: install the fedmsg configuration
-  copy: src=fedmsg-genacls-config.py dest=/etc/fedmsg.d/genacls.py owner=root group=root mode=0644
+  template: src=fedmsg-genacls-config.py dest=/etc/fedmsg.d/genacls.py
+            owner=root group=root mode=0644
  tags:
  - config
  - distgit
--- a/roles/distgit/templates/fedmsg-genacls-config.py
+++ b/roles/distgit/templates/fedmsg-genacls-config.py
@ -0,0 +1,12 @@
+config = {
+    'genacls.consumer.enabled': True,
+    'genacls.consumer.delay': 5, # 5 seconds
+
+    # New world
+    'gitoliteprefix.consumer.enabled': True,
+    'gitoliteprefix.consumer.delay': 5, # 5 seconds
+    'gitoliteprefix.consumer.filename': '/var/tmp/gitolite-prefix.txt',
+    'gitoliteprefix.consumer.fasurl': 'https://admin.fedoraproject.org/accounts',
+    'gitoliteprefix.consumer.username': "{{ blockerbugs_fas_user }}",
+    'gitoliteprefix.consumer.password': '{{ blockerbugs_fas_password }}',
+}
--- a/roles/fas_client/files/aliases.template
+++ b/roles/fas_client/files/aliases.template
@ -144,7 +144,7 @@ fudcon-paper:    fudcon-cfp
 # flock
 flockpress: bex,fpl
 flockinfo: bex,fpl
-flock-staff: bex,fpl,duffy
+flock-staff: bex,fpl,duffy,sgallagh

 # gnome backups
 gnomebackup: backups@gnome.org
@ -162,7 +162,7 @@ infra-security: puiterwijk

 webmaster: websites@lists.fedoraproject.org
 logo: rlerch@redhat.com,duffy@redhat.com
-ham-radio-exams: nb,jbwillia,robertjw,gholms
+ham-radio-exams: nb,codeblock,gholms
 diversity: tatica

 # Misc Aliases
--- a/roles/git/hooks/files/post-receive-alternativearch
+++ b/roles/git/hooks/files/post-receive-alternativearch
@ -17,7 +17,8 @@ import sys
 from email.mime.text import MIMEText

 abspath = os.path.abspath(os.environ['GIT_DIR'])
-PATTERNS = ('+ExclusiveArch:', '+ExcludeArch:', '+%ifarch', '+%ifnarch')
+PATTERNS = ('+ExclusiveArch:', '+ExcludeArch:', '+%ifarch', '+%ifnarch',
+            '-ExclusiveArch:', '-ExcludeArch:', '-%ifarch', '-%ifnarch')
 FROM_EMAIL = 'githook-noreply@fedoraproject.org'
 TO_MAIL = 'arch-excludes@lists.fedoraproject.org'
 CGIT_URL = 'https://src.fedoraproject.org/cgit/%s/commit/?id=%s'
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@ -41,6 +41,7 @@
  - account-scopes
  - mbs
  - beaker
+  - waiverdb
  notify:
  - reload apache
  tags:
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@ -25,7 +25,7 @@ global enabled=persona,openid,saml2,openidc
 {% if env == "production" %}
 openidc enabled extensions=fedora-account,mbs,beaker
 {% else %}
-openidc enabled extensions=fedora-account,mbs,beaker
+openidc enabled extensions=fedora-account,mbs,beaker,waiverdb
 {% endif %}

 {% if env == 'staging' %}
--- a/roles/kojipkgs/files/kojipkgs.conf
+++ b/roles/kojipkgs/files/kojipkgs.conf
@ -89,6 +89,13 @@ Alias /compose /mnt/fedora_koji/koji/compose
    Require all granted
 </Directory>

+Alias /mass-rebuild "/mnt/fedora_koji/koji/mass-rebuild/"
+
+<Directory "/mnt/fedora_koji/koji/mass-rebuild/">
+    Options Indexes FollowSymLinks
+    Require all granted
+</Directory>
+
 Alias /images /mnt/fedora_koji/koji/images

 <Directory /mnt/fedora_koji/koji/images>
--- a/roles/openqa/worker/tasks/main.yml
+++ b/roles/openqa/worker/tasks/main.yml
@ -23,10 +23,16 @@
  dnf: name={{ item }} state=present
  with_items:
  - libselinux-python
-  - edk2-ovmf
+  - git
  tags:
  - packages

+- name: Install UEFI firmware package (x86_64 only)
+  dnf: name=edk2-ovmf state=present
+  tags:
+  - packages
+  when: "ansible_architecture is defined and ansible_architecture == 'x86_64'"
+
 - include: nfs-client.yml
  when: openqa_hostname is defined and openqa_hostname != "localhost"

--- a/roles/openshift-apps/modernpaste/files/buildconfig.yml
+++ b/roles/openshift-apps/modernpaste/files/buildconfig.yml
@ -0,0 +1,34 @@
+apiVersion: v1
+kind: BuildConfig
+metadata:
+  name: "modernpaste-docker-build"
+  labels:
+    environment: "modernpaste"
+spec:
+  runPolicy: Serial
+  source:
+    dockerfile: |-
+      FROM fedora:25
+      LABEL \
+          name="Modern Paste" \
+          vendor="Fedora Infrastructure" \
+          license="MIT"
+      RUN curl -o /etc/yum.repos.d/infra-stg.repo \
+          https://infrastructure.fedoraproject.org/cgit/ansible.git/plain/files/common/fedora-infra-tags.repo
+      RUN yum -y install modern-paste
+      RUN yum -y install --setopt=tsflags=nodocs \
+          python-gunicorn \
+          python2-mock \
+          python-psycopg2
+      WORKDIR /usr/share/modern-paste
+      RUN sed -i '216,219d;228,229d' app/api/paste.py
+      RUN mv modern_paste.wsgi modern_paste_wsgi.py
+      USER 1001
+      EXPOSE 8080
+      ENTRYPOINT gunicorn --bind 0.0.0.0:8080 --access-logfile=- --chdir /usr/share/modern-paste modern_paste_wsgi:application
+  strategy:
+    type: Docker
+  output:
+    to:
+      kind: ImageStreamTag
+      name: inframodernpaste:latest
--- a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml
+++ b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml
@ -0,0 +1,72 @@
+apiVersion: v1
+kind: DeploymentConfig
+metadata:
+  name: "modernpaste-web"
+  labels:
+    environment: "modernpaste"
+    service: web
+spec:
+  replicas: 1
+  selector:
+    environment: "modernpaste"
+    service: web
+  template:
+    metadata:
+      labels:
+        environment: "modernpaste"
+        service: web
+    spec:
+      containers:
+      - name: web
+        image: 172.30.53.136:5000/modernpaste/inframodernpaste:latest
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/modern-paste
+          readOnly: true
+        - name: secret-volume
+          mountPath: /etc/secret
+          readOnly: true
+        env:
+        - name: ENCRYPTION_KEY
+          valueFrom:
+            secretKeyRef:
+              name: "modernpaste-secret"
+              key: encryption-key
+        - name: SESSION_KEY
+          valueFrom:
+            secretKeyRef:
+              name: "modernpaste-secret"
+              key: session-key
+        - name: DATABASE_URI
+          valueFrom:
+            secretKeyRef:
+              name: "modernpaste-secret"
+              key: database-uri
+        #- name: DOMAIN
+        #  value: ${DOMAIN}
+        readinessProbe:
+          timeoutSeconds: 1
+          initialDelaySeconds: 5
+          httpGet:
+            path: /
+            port: 8080
+        livenessProbe:
+          timeoutSeconds: 1
+          initialDelaySeconds: 30
+          httpGet:
+            path: /
+            port: 8080
+        resources:
+          limits:
+            memory: 384Mi
+      volumes:
+      - name: config-volume
+        configMap:
+          name: "modernpaste-configmap"
+      - name: secret-volume
+        secret:
+          secretName: "modernpaste-secret"
+  triggers:
+  - type: ConfigChange
--- a/roles/openshift-apps/modernpaste/files/imagestream.yml
+++ b/roles/openshift-apps/modernpaste/files/imagestream.yml
@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ImageStream
+metadata:
+  labels:
+    environment: "modernpaste"
+  name: "inframodernpaste"
--- a/roles/openshift-apps/modernpaste/files/route.yml
+++ b/roles/openshift-apps/modernpaste/files/route.yml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Route
+metadata:
+  name: "modernpaste-web"
+  labels:
+    environment: "modernpaste"
+spec:
+  port:
+    targetPort: web
+  to:
+    kind: Service
+    name: "modernpaste-web"
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
--- a/roles/openshift-apps/modernpaste/files/service.yml
+++ b/roles/openshift-apps/modernpaste/files/service.yml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "modernpaste-web"
+  labels:
+    environment: "modernpaste"
+spec:
+  selector:
+    environment: "modernpaste"
+    service: web
+  ports:
+  - name: web
+    port: 8080
+    targetPort: 8080
--- a/roles/openshift-apps/modernpaste/templates/configmap.yml
+++ b/roles/openshift-apps/modernpaste/templates/configmap.yml
@ -0,0 +1,109 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "modernpaste-configmap"
+  labels:
+    environment: "modernpaste"
+data:
+  flask_config.py: |-
+    import config
+    import constants
+    import os
+    
+    SQLALCHEMY_DATABASE_URI = "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01.stg.phx2.fedoraproject.org/modernpaste"
+    SQLALCHEMY_TRACK_MODIFICATIONS = False
+    SECRET_KEY = config.FLASK_SECRET_KEY
+  config.py: |-
+    import constants
+    import os
+    
+    # Domain from which you will access this app
+    # If running on a port other than 80, append it after a colon at the end of the domain, e.g. 'domain.com:8080'
+    DOMAIN = "modernpaste-web-modernpaste.app.os.stg.fedoraproject.org"
+    
+    # Use HTTPS by default?
+    # This is only used for deciding whether to use the http:// or https:// prefix when constructing full URLs,
+    # and is not related to your web server configuration.
+    DEFAULT_HTTPS = True
+    
+    # The type of build environment
+    # build_environment.DEV won't minify CSS and Closure-compile JavaScript; build_environment.PROD will.
+    # Dev and prod environments also use separate databases, modern_paste_dev and modern_paste, respectively.
+    BUILD_ENVIRONMENT = constants.build_environment.PROD
+    
+    # Option to use encrypted IDs rather than integer IDs
+    # Set this to True if you want paste IDs to be encrypted, e.g. displayed as h0GZ19np17iT~CtpuIH3NcnRi-rYnlYzizqToCmG3BY=
+    # If False, IDs will be displayed as regular, incrementing integers, e.g. 1, 2, 3, etc.
+    USE_ENCRYPTED_IDS = True
+    
+    # Choose to allow paste attachments
+    # This will allow for users to attach files and images to pastes. If disabled, the MAX_ATTACHMENT_SIZE and
+    # ATTACHMENTS_DIR configuration constants will be ignored.
+    ENABLE_PASTE_ATTACHMENTS = False
+    
+    # Allow only paste attachments below a certain size threshold, in MB
+    # Set this to 0 for an unlimited file size.
+    MAX_ATTACHMENT_SIZE = 5
+    
+    # Location to store paste attachments
+    # Please use an absolute path and ensure that it is writable by www-data.
+    ATTACHMENTS_DIR = '/var/www/modern-paste-attachments'
+    
+    # Choose to enable or disable user registration
+    # If False, the web interface will not allow access to the user registration page. Additionally, the API endpoint
+    # for creating new users will respond with an error.
+    # This is useful for private or internal installations that aren't intended for public use.
+    ENABLE_USER_REGISTRATION = False
+    
+    # Choose to require users to be logged in to post pastes
+    # If True, the web interface will allow access to the paste post interface only if the user is signed in. Additionally,
+    # the API endpoint for creating new pastes will respond with an error if not authenticated with an API key tied to an
+    # existing, active user.
+    # This is useful for private or internal installations that aren't intended for public use.
+    REQUIRE_LOGIN_TO_PASTE = False
+    
+    # AES key for generating encrypted IDs
+    # This is only relevant if USE_ENCRYPTED_IDS above is True. If not, this config parameter can be ignored.
+    # It is recommended, but not strictly required, for you to replace the string below with the output of os.urandom(32),
+    # so that the encrypted IDs generated for the app are specific to this installation.
+    #ID_ENCRYPTION_KEY = os.environ.get('ENCRYPTION_KEY')
+    ID_ENCRYPTION_KEY = '{{modernpaste_stg_encryption_key}}'
+    
+    # Flask session secret key
+    # IMPORTANT NOTE: Open up a Python terminal, and replace the below with the output of os.urandom(32)
+    # This secret key should be different for every installation of Modern Paste.
+    #FLASK_SECRET_KEY = os.environ.get('SECRET_KEY')
+    FLASK_SECRET_KEY = '{{modernpaste_stg_session_key}}'
+    
+    # Languages
+    # A list of all languages you want to support with the app. Add 'text' for plain text support.
+    # Only use strings from the directory app/static/build/lib/codemirror/mode
+    LANGUAGES = [
+        'text',
+        'clike',
+        'cmake',
+        'css',
+        'd',
+        'diff',
+        'dockerfile',
+        'erlang',
+        'go',
+        'haskell',
+        'htmlmixed',
+        'javascript',
+        'jinja2',
+        'lua',
+        'markdown',
+        'perl',
+        'php',
+        'python',
+        'rpm',
+        'rst',
+        'ruby',
+        'rust',
+        'shell',
+        'sql',
+        'swift',
+        'xml',
+        'yaml',
+    ]
--- a/roles/openshift-apps/modernpaste/templates/secret.yml
+++ b/roles/openshift-apps/modernpaste/templates/secret.yml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "modernpaste-secret"
+  labels:
+    environment: "modernpaste"
+stringData:
+  encryption-key: "{{modernpaste_stg_encryption_key}}"
+  session-key: "{{modernpaste_stg_session_key}}"
+  database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01.stg.phx2.fedoraproject.org/modernpaste"
--- a/roles/openshift-apps/waiverdb/files/configmap.yml
+++ b/roles/openshift-apps/waiverdb/files/configmap.yml
@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: waiverdb-stg-configmap
+  labels:
+    app: waiverdb
+data:
+  settings.py: |-
+    DATABASE_URI = 'postgresql+psycopg2://waiverdb@db01.stg.phx2.fedoraproject.org:5432/waiverdb'
+    AUTH_METHOD = 'OIDC'
+    OIDC_CLIENT_SECRETS = '/etc/secret/client_secrets.json'
+    PORT = 8080
--- a/roles/openshift-apps/waiverdb/files/deploymentconfig.yml
+++ b/roles/openshift-apps/waiverdb/files/deploymentconfig.yml
@ -0,0 +1,74 @@
+
+apiVersion: v1
+kind: DeploymentConfig
+metadata:
+  name: waiverdb-stg-web
+  labels:
+    app: waiverdb
+    service: web
+spec:
+  replicas: 2
+  selector:
+    app: waiverdb
+    service: web
+  template:
+    metadata:
+      labels:
+        app: waiverdb
+        service: web
+    spec:
+      containers:
+      - name: web
+        image: waiverdb
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/waiverdb
+          readOnly: true
+        - name: secret-volume
+          mountPath: /etc/secret
+          readOnly: true
+        env:
+        - name: DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: waiverdb-stg-secret
+              key: database-password
+        - name: SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: waiverdb-stg-secret
+              key: flask-secret-key
+        readinessProbe:
+          timeoutSeconds: 1
+          initialDelaySeconds: 5
+          httpGet:
+            path: /healthcheck
+            port: 8080
+        livenessProbe:
+          timeoutSeconds: 1
+          initialDelaySeconds: 30
+          httpGet:
+            path: /healthcheck
+            port: 8080
+        resources:
+          limits:
+            memory: 384Mi
+      volumes:
+      - name: config-volume
+        configMap:
+          name: waiverdb-stg-configmap
+      - name: secret-volume
+        secret:
+          secretName: waiverdb-stg-secret
+  triggers:
+  - type: ImageChange
+    imageChangeParams:
+      automatic: true
+      containerNames:
+      - web
+      from:
+        kind: ImageStreamTag
+        name: waiverdb:latest
+  - type: ConfigChange
--- a/roles/openshift-apps/waiverdb/files/imagestream.yml
+++ b/roles/openshift-apps/waiverdb/files/imagestream.yml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ImageStream
+metadata:
+  name: waiverdb
+spec:
+  tags:
+  - name: latest
+    from:
+      kind: DockerImage
+      name: candidate-registry.fedoraproject.org/f25/waiverdb:latest
--- a/roles/openshift-apps/waiverdb/files/route.yml
+++ b/roles/openshift-apps/waiverdb/files/route.yml
@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Route
+metadata:
+  name: waiverdb-stg-web
+  labels:
+    app: waiverdb
+spec:
+  host: waiverdb.stg.fedoraproject.org
+  port:
+    targetPort: web
+  to:
+    kind: Service
+    name: waiverdb-stg-web
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
--- a/roles/openshift-apps/waiverdb/files/service.yml
+++ b/roles/openshift-apps/waiverdb/files/service.yml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: waiverdb-stg-web
+  labels:
+    app: waiverdb
+spec:
+  selector:
+    app: waiverdb
+    service: web
+  ports:
+  - name: web
+    port: 8080
+    targetPort: 8080
--- a/roles/openshift-apps/waiverdb/templates/client_secrets.json
+++ b/roles/openshift-apps/waiverdb/templates/client_secrets.json
@ -0,0 +1,10 @@
+{"web": {
+  "redirect_uris": ["https://waiverdb-waiverdb.app.os.stg.fedoraproject.org/"],
+  "token_uri": "https://iddev.fedorainfracloud.org/openidc/Token",
+  "auth_uri": "https://iddev.fedorainfracloud.org/openidc/Authorization",
+  "client_id": "D-e69a1ac7-30fa-4d18-9001-7468c4f34c3c",
+  "client_secret": "qgz8Bzjg6nO7JWCXoB0o8L49KfI5atLF",
+  "userinfo_uri": "https://iddev.fedorainfracloud.org/openidc/UserInfo",
+  "token_introspection_uri": "https://iddev.fedorainfracloud.org/openidc/TokenInfo"
+  }
+}
--- a/roles/openshift-apps/waiverdb/templates/project.yml
+++ b/roles/openshift-apps/waiverdb/templates/project.yml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Project
+metadata:
+  annotations:
+    openshift.io/description: "{{description}}"
+    openshift.io/display-name: "{{app}}"
+  creationTimestamp: null
+  name: "{{app}}"
+spec: {}
+status: {}
--- a/roles/openshift-apps/waiverdb/templates/secret.yml
+++ b/roles/openshift-apps/waiverdb/templates/secret.yml
@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "waiverdb-stg-secret"
+  labels:
+    app: "waiverdb"
+stringData:
+  flask-secret-key: "{{stg_waiverdb_secret_key}}"
+  database-password: "{{stg_waiverdb_db_password}}"
+  # This is the same non-secret config we have committed
+  # as conf/client_secrets.json for using in dev environments.
+  client_secrets.json: |-
+    {"web": {
+      "redirect_uris": ["https://waiverdb-waiverdb.app.os.stg.fedoraproject.org/"],
+      "token_uri": "https://iddev.fedorainfracloud.org/openidc/Token",
+      "auth_uri": "https://iddev.fedorainfracloud.org/openidc/Authorization",
+      "client_id": "D-e69a1ac7-30fa-4d18-9001-7468c4f34c3c",
+      "client_secret": "qgz8Bzjg6nO7JWCXoB0o8L49KfI5atLF",
+      "userinfo_uri": "https://iddev.fedorainfracloud.org/openidc/UserInfo",
+      "token_introspection_uri": "https://iddev.fedorainfracloud.org/openidc/TokenInfo"}}
--- a/roles/openshift/object/tasks/main.yml
+++ b/roles/openshift/object/tasks/main.yml
@ -0,0 +1,22 @@
+- name: Create temporary file
+  tempfile: state=file suffix=.yml
+  register: tmpfile
+  run_once: true
+
+- name: Copy template {{template}} to temporary file ({{tmpfile.path}})
+  template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}
+  when: template is defined
+  run_once: true
+
+- name: Copy file {{file}} to temporary file ({{tmpfile.path}})
+  copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}
+  when: file is defined
+  run_once: true
+
+- name: Call `oc apply` on the copied file
+  shell: oc -n {{app}} apply -f {{tmpfile.path}}
+  run_once: true
+
+- name: Delete temporary file
+  file: path={{tmpfile.path}} state=absent
+  run_once: true
--- a/roles/openshift/rollout/tasks/main.yml
+++ b/roles/openshift/rollout/tasks/main.yml
@ -0,0 +1,3 @@
+- name: Run `oc rollout latest`
+  shell: oc -n {{app}} rollout latest {{name}}
+  run_once: true
--- a/roles/openshift/secret-file/tasks/main.yml
+++ b/roles/openshift/secret-file/tasks/main.yml
@ -0,0 +1,22 @@
+- name: Create temporary file
+  tempfile: state=file
+  register: tmpfile
+  run_once: true
+
+- name: Copy template {{template}} to temporary file ({{tmpfile.path}})
+  template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}
+  when: template is defined
+  run_once: true
+
+- name: Copy file {{file}} to temporary file ({{tmpfile.path}})
+  copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}
+  when: file is defined
+  run_once: true
+
+- name: Call `oc secrets new` on the copied file
+  shell: oc -n {{app}} secrets new {{secret_name}} {{key}}={{tmpfile.path}}
+  run_once: true
+
+- name: Delete temporary file
+  file: path={{tmpfile.path}} state=absent
+  run_once: true
--- a/roles/openshift/start-build/tasks/main.yml
+++ b/roles/openshift/start-build/tasks/main.yml
@ -0,0 +1,3 @@
+- name: Run `oc start-build`
+  shell: oc -n {{app}} start-build {{name}}
+  run_once: true
--- a/roles/rabbitmq/tasks/main.yml
+++ b/roles/rabbitmq/tasks/main.yml
@ -1,5 +1,5 @@
 - name: install needed packages
-  yum: pkg={{ item }} state=present
+  package: pkg={{ item }} state=present
  with_items:
  - rabbitmq-server
  tags:
--- a/roles/robosignatory/files/robosignatory.production.py
+++ b/roles/robosignatory/files/robosignatory.production.py
@ -41,16 +41,10 @@ config = {
            'tags': [
                # Temporary tags
                {
-                    "from": "f26-rebuild",
-                    "to": "f26-rebuild",
-                    "key": "fedora-26",
-                    "keyid": "64dab85d"
-                },
-                {
-                    "from": "f25-llvm39",
-                    "to": "f25-llvm39",
-                    "key": "fedora-25",
-                    "keyid": "fdb19c98"
+                    "from": "f27-rebuild",
+                    "to": "f27-rebuild",
+                    "key": "fedora-27",
+                    "keyid": "f5282ee4"
                },

                # Infra tags
--- a/roles/varnish/templates/kojipkgs.vcl.j2
+++ b/roles/varnish/templates/kojipkgs.vcl.j2
@ -62,5 +62,8 @@ sub vcl_recv {
    if (req.url ~ "h264") {
        return (pipe);
    }
+    if (req.url ~ "^/mass-rebuild/") {
+        return (pipe);
+    }
    return (hash);
 }