Merge branch 'master' of /git/ansible

Giulia Naponiello 2018-02-16 18:55:11 +00:00
commit 23a7e7dc30
223 changed files with 2463 additions and 1843 deletions


@ -68,44 +68,44 @@ defaults
frontend neutron
bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
default_backend neutron
# HSTS (15768000 seconds = 6 months)
rspadd Strict-Transport-Security:\ max-age=15768000
# HSTS (31536000 seconds = 365 days)
rspadd Strict-Transport-Security:\ max-age=31536000
frontend cinder
bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
default_backend cinder
# HSTS (15768000 seconds = 6 months)
rspadd Strict-Transport-Security:\ max-age=15768000
# HSTS (31536000 seconds = 365 days)
rspadd Strict-Transport-Security:\ max-age=31536000
frontend swift
bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
default_backend swift
# HSTS (15768000 seconds = 6 months)
rspadd Strict-Transport-Security:\ max-age=15768000
# HSTS (31536000 seconds = 365 days)
rspadd Strict-Transport-Security:\ max-age=31536000
frontend nova
bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
default_backend nova
# HSTS (15768000 seconds = 6 months)
rspadd Strict-Transport-Security:\ max-age=15768000
# HSTS (31536000 seconds = 365 days)
rspadd Strict-Transport-Security:\ max-age=31536000
frontend ceilometer
bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
default_backend ceilometer
# HSTS (15768000 seconds = 6 months)
rspadd Strict-Transport-Security:\ max-age=15768000
# HSTS (31536000 seconds = 365 days)
rspadd Strict-Transport-Security:\ max-age=31536000
frontend ec2
bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
default_backend ec2
# HSTS (15768000 seconds = 6 months)
rspadd Strict-Transport-Security:\ max-age=15768000
# HSTS (31536000 seconds = 365 days)
rspadd Strict-Transport-Security:\ max-age=31536000
frontend glance
bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
default_backend glance
# HSTS (15768000 seconds = 6 months)
rspadd Strict-Transport-Security:\ max-age=15768000
# HSTS (31536000 seconds = 365 days)
rspadd Strict-Transport-Security:\ max-age=31536000
backend neutron
server neutron 127.0.0.1:8696 check
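Review bot: The new `max-age=31536000` on these seven frontends is a host-wide commitment, not a per-port one: a browser that has seen the header will refuse plain HTTP to that hostname on every port for a year, so confirm nothing under the same name is still served without TLS before this rolls out. The comment above each `rspadd` could say so, e.g. `# HSTS (31536000 seconds = 365 days); applies to the whole hostname, all ports`. Separately, the unchanged `bind` lines disable only SSLv3 and TLS 1.0, so TLS 1.1 is presumably still negotiable; adding `no-tlsv11` there would match the stricter HSTS stance if all API clients support TLS 1.2.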


@ -13,6 +13,7 @@ people02.fedoraproject.org
pkgs02.phx2.fedoraproject.org
log01.phx2.fedoraproject.org
db-qa01.qa.fedoraproject.org
db-qa02.qa.fedoraproject.org
db-koji01.phx2.fedoraproject.org
#copr-be.cloud.fedoraproject.org
copr-fe.cloud.fedoraproject.org


@ -42,6 +42,7 @@ use_default_epel: true
udp_ports: []
tcp_ports: []
custom_rules: []
nat_rules: []
custom6_rules: []
# defaults for virt installs
@ -78,7 +79,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio
--autostart --noautoconsole --watchdog default
--autostart --noautoconsole --watchdog default --cpu host
virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio


@ -3,6 +3,9 @@ lvm_size: 20000
mem_size: 6144
num_cpus: 2
# Use infrastructure-tags-stg repo
testing: True
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file


@ -0,0 +1,28 @@
---
# For app config
freshmaker_messaging_topic_prefix:
- org.fedoraproject.stg
freshmaker_parsers:
- freshmaker.parsers.git:GitReceiveParser
freshmaker_handlers:
- freshmaker.handlers.git:GitModuleMetadataChangeHandler
- freshmaker.handlers.git:GitRPMSpecChangeHandler
freshmaker_admins:
users:
- jkaluza
- cqi
- qwan
- sochotni
groups: []
freshmaker_dry_run: True
freshmaker_log_level: debug
freshmaker_handler_build_whitelist:
global:
module:
- name:
- testmodule


@ -0,0 +1,12 @@
---
# Define resources for this group of hosts here.
lvm_size: 20000
mem_size: 4096
num_cpus: 2
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [ 80 ]
fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-hubs,sysadmin-veteran


@ -278,3 +278,5 @@ f25_only:
f26_only:
- python2-koji # Needed for pyrpkg
- python3-koji # Needed for pyrpkg
- python26
- python35


@ -12,6 +12,9 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org
koschei_koji_hub: koji.fedoraproject.org
koschei_kojipkgs: kojipkgs.fedoraproject.org
koschei_koji_web: koji.fedoraproject.org
koschei_copr_url: http://copr-fe.cloud.fedoraproject.org
koschei_copr_login: NOT-USED-YET
koschei_copr_token: NOT-USED-YET
host_group: koschei-backend
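Review bot: `koschei_copr_url` is a plain `http://` URL, and the staging group vars later in this commit pair the same scheme with a real `koschei_copr_login` / `koschei_copr_token` pulled from private vars; if Koschei uses this base URL for authenticated Copr API calls, the token would cross the network unencrypted. If the Copr frontends serve TLS, use `koschei_copr_url: https://copr-fe.cloud.fedoraproject.org` here and the `https://` form of the staging URL. The `NOT-USED-YET` placeholders are fine as long as they are replaced by private-vars references rather than literal values when the integration goes live.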


@ -12,6 +12,9 @@ koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org
koschei_koji_hub: koji.stg.fedoraproject.org
koschei_kojipkgs: koji.stg.fedoraproject.org
koschei_koji_web: koji.stg.fedoraproject.org
koschei_copr_url: http://copr-fe-dev.cloud.fedoraproject.org
koschei_copr_login: "{{ koschei_copr_login_stg }}"
koschei_copr_token: "{{ koschei_copr_token_stg }}"
tcp_ports: [
@ -55,6 +58,7 @@ csi_relationship: |
- fedmsg hub
- bastion (for mail relay)
- memcached01
- Copr development instance
koschei_backend_services:
- koschei-polling


@ -1,7 +1,7 @@
---
# Define resources for this group of hosts here.
lvm_size: 6000
mem_size: 1024
lvm_size: 8000
mem_size: 2048
num_cpus: 1
# for systems that do not match the above - specify the same parameter in
@ -12,9 +12,11 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org
koschei_koji_hub: koji02.phx2.fedoraproject.org
koschei_kojipkgs: kojipkgs.fedoraproject.org
koschei_koji_web: koji.fedoraproject.org
koschei_openid_provider: id.fedoraproject.org
koschei_oidc_provider: id.fedoraproject.org
koschei_bugzilla: bugzilla.redhat.com
koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_prod }}"
koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_prod }}"
tcp_ports: [ 80, 443 ]


@ -11,9 +11,12 @@ koschei_topurl: https://apps.stg.fedoraproject.org/koschei
koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org
koschei_kojipkgs: koji.stg.fedoraproject.org
koschei_koji_web: koji.stg.fedoraproject.org
koschei_openid_provider: id.stg.fedoraproject.org
koschei_oidc_provider: id.stg.fedoraproject.org
koschei_bugzilla: partner-bugzilla.redhat.com
koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_stg }}"
koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_stg }}"
tcp_ports: [ 80, 443 ]
custom_rules: [


@ -39,7 +39,9 @@ fedmsg_certs:
odcs_target_dir_url: https://odcs.fedoraproject.org/composes
# Give access to jscotka to be able to develop module testing integration
# for taskotron.
odcs_allowed_clients_users: ["jscotka"]
# Give access to sgallagh to be able to generate testing composes for new
# modules.
odcs_allowed_clients_users: ["jscotka", "sgallagh"]
# For the MOTD
csi_security_category: Low


@ -26,8 +26,8 @@ openqa_dbname: openqa-stg
openqa_dbhost: db-qa01.qa.fedoraproject.org
openqa_dbuser: openqastg
openqa_dbpassword: "{{ stg_openqa_dbpassword }}"
openqa_assetsize: 300
openqa_assetsize_updates: 50
openqa_assetsize: 410
openqa_assetsize_updates: 160
openqa_key: "{{ stg_openqa_apikey }}"
openqa_secret: "{{ stg_openqa_apisecret }}"
@ -71,6 +71,14 @@ fedmsg_certs:
- openqa.jobs.restart
- openqa.job.update.result
- openqa.job.done
- service: ci
owner: root
group: geekotest
can_send:
- ci.productmd-compose.test.queued
- ci.productmd-compose.test.running
- ci.productmd-compose.test.complete
- ci.productmd-compose.test.error
# we need this to log with fedmsg-logger
fedmsg_active: True


@ -0,0 +1,2 @@
---
freezes: false


@ -6,7 +6,7 @@ num_cpus: 2
tcp_ports: [ 80, 443, 8443]
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"
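Review bot: Adding `sysadmin-osbs` to `fas_client_groups` presumably widens who can log in to these hosts, while the `sudoers` line next to it points at `00releng-sudoers` in the private repo, which is not part of this diff, so what the new group can do after login cannot be checked from here. The same one-line change is repeated in the five following OSBS group-vars sections. A short comment above the line, e.g. `# sysadmin-osbs: shell access only; sudo rules live in 00releng-sudoers`, would record the intended privilege level once it is confirmed.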


@ -1,6 +1,6 @@
---
# Define resources for this group of hosts here.
fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran
fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
osbs_url: "osbs.fedoraproject.org"


@ -1,6 +1,6 @@
---
# Define resources for this group of hosts here.
fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran
fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
osbs_url: "osbs.stg.fedoraproject.org"


@ -6,7 +6,7 @@ num_cpus: 2
tcp_ports: [ 80, 443, 8443]
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"


@ -6,7 +6,7 @@ num_cpus: 2
tcp_ports: [ 80, 443, 8443, 10250]
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"


@ -6,7 +6,7 @@ num_cpus: 2
tcp_ports: [ 80, 443, 8443]
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"


@ -15,7 +15,9 @@ tcp_ports: [ 80, 443,
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran
fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-packages
sudoers: "{{ private }}/files/sudo/sysadmin-packages"
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:


@ -12,7 +12,9 @@ tcp_ports: [ 80, 443,
# Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice,sysadmin-veteran
fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice,sysadmin-veteran,sysadmin-packages
sudoers: "{{ private }}/files/sudo/sysadmin-packages"
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:


@ -0,0 +1,23 @@
---
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [ 22, 25, 80, 443, 9418,
# Used for the eventsource
8088,
# This is for the pagure public fedmsg relay
9940]
fas_client_groups: sysadmin-noc
freezes: true
postfix_group: vpn.pagure
# For the MOTD
csi_security_category: Low
csi_primary_contact: Fedora admins - admin@fedoraproject.org
csi_purpose: Proxy specific ports to OSUOSL for preventing slow peering
csi_relationship: |
This box proxies traffic over to pagure01.fedoraproject.org
(This is done because OSUOSL has terribly slow peering to EU)


@ -3,12 +3,7 @@ lvm_size: 100000
mem_size: 4096
num_cpus: 4
tcp_ports: [80, 443,
# These 16 ports are used by fedmsg. One for each wsgi thread.
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT']
tcp_ports: [ 9418, 80, 443 ]
# We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
# To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.


@ -3,11 +3,7 @@ lvm_size: 100000
mem_size: 4096
num_cpus: 4
tcp_ports: [80, 443, 9418,
# These 16 ports are used by fedmsg. One for each wsgi thread.
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
tcp_ports: [ 9418, 80, 443 ]
# Definining these vars has a number of effects
# 1) mod_wsgi is configured to use the vars for its own setup
# 2) iptables opens enough ports for all threads for fedmsg


@ -31,7 +31,7 @@ grokmirror_repos:
- { name: fedoraqa/rpmlint, url: 'https://pagure.io/taskotron/task-rpmlint.git'}
- { name: fedoraqa/upgradepath, url: 'https://pagure.io/taskotron/task-upgradepath.git'}
- { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'}
grokmirror_default_branch: feature/ansiblize
grokmirror_default_branch: develop
############################################################


@ -33,7 +33,7 @@ grokmirror_repos:
- { name: fedoraqa/rpmlint, url: 'https://pagure.io/taskotron/task-rpmlint.git'}
- { name: fedoraqa/upgradepath, url: 'https://pagure.io/taskotron/task-upgradepath.git'}
- { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'}
grokmirror_default_branch: develop
grokmirror_default_branch: master
############################################################


@ -2,8 +2,8 @@
nm: 255.255.255.0
gw: 10.5.125.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
volgroup: /dev/vg_host01
eth0_ip: 10.5.125.135
eth1_ip: 10.5.127.61


@ -2,8 +2,8 @@
nm: 255.255.255.0
gw: 10.5.125.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
volgroup: /dev/vg_bvirthost06
eth0_ip: 10.5.125.136
eth1_ip: 10.5.127.62


@ -2,8 +2,8 @@
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
volgroup: /dev/vg_virthost01
eth0_ip: 10.5.126.115
vmhost: virthost01.phx2.fedoraproject.org


@ -2,8 +2,8 @@
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
volgroup: /dev/vg_guests
eth0_ip: 10.5.126.116
vmhost: virthost02.phx2.fedoraproject.org


@ -2,9 +2,9 @@
image: "{{ fedora27_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,all-icmp-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent,default
zone: nova
tcp_ports: [22]
tcp_ports: [22, 80, 443]
inventory_tenant: persistent
inventory_instance_name: commops


@ -0,0 +1,12 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
volgroup: /dev/vg_guests
eth0_ip: 10.5.128.190
vmhost: virthost05.phx2.fedoraproject.org
datacenter: phx2


@ -3,8 +3,8 @@ nm: 255.255.255.0
gw: 10.5.125.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
volgroup: /dev/vg_guests
eth0_ip: 10.5.126.140


@ -7,7 +7,7 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
eth0_ip: 10.5.126.65
eth1_ip: 10.5.127.114
#eth1_ip: 10.5.127.114
volgroup: /dev/vg_guests
vmhost: virthost19.phx2.fedoraproject.org


@ -0,0 +1,55 @@
---
nm: 255.255.255.128
gw: 152.19.134.129
dns: 8.8.8.8
custom_rules: ['-A FORWARD -j ACCEPT']
nat_rules: [
# SSH
'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22',
'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 22 -j SNAT --to-source 152.19.134.147',
'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22',
# SMTP
'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 25 -j DNAT --to-destination 140.211.169.204:25',
'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 25 -j SNAT --to-source 152.19.134.147',
'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 25 -j DNAT --to-destination 140.211.169.204:25',
# web-80
'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 80 -j DNAT --to-destination 140.211.169.204:80',
'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 80 -j SNAT --to-source 152.19.134.147',
'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 80 -j DNAT --to-destination 140.211.169.204:80',
# web-443
'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 443 -j DNAT --to-destination 140.211.169.204:443',
'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 443 -j SNAT --to-source 152.19.134.147',
'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 443 -j DNAT --to-destination 140.211.169.204:443',
# 9418
'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 9418 -j DNAT --to-destination 140.211.169.204:9418',
'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 9418 -j SNAT --to-source 152.19.134.147',
'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 9418 -j DNAT --to-destination 140.211.169.204:9418',
# Eventsource
'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 8088 -j DNAT --to-destination 140.211.169.204:8088',
'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 8088 -j SNAT --to-source 152.19.134.147',
'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 8088 -j DNAT --to-destination 140.211.169.204:8088',
# Fedmsg
'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 9940 -j DNAT --to-destination 140.211.169.204:9940',
'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 9940 -j SNAT --to-source 152.19.134.147',
'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 9940 -j DNAT --to-destination 140.211.169.204:9940',
]
ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 152.19.134.146
eth0_nm: 255.255.255.128
has_ipv6: yes
eth0_ipv6: "2610:28:3090:3001:dead:beef:cafe:fe46"
eth0_ipv6_gw: "2610:28:3090:3001::1"
eth0_secondary_ip: 152.19.134.147
sponsor: ibiblio
datacenter: ibiblio
postfix_group: vpn
vmhost: ibiblio01.fedoraproject.org
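Review bot: `custom_rules: ['-A FORWARD -j ACCEPT']` lets this box forward any packet to any destination, and the pagure-proxy playbook in this commit turns on `net.ipv4.ip_forward`, so the host acts as a general-purpose router rather than a proxy for the seven ports listed in `nat_rules`. Restricting forwarding to the DNAT target would keep the exposure to what the NAT table intends: `'-A FORWARD -d 140.211.169.204 -p tcp -m multiport --dports 22,25,80,443,9418,8088,9940 -j ACCEPT'` plus `'-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'` for return traffic, assuming `custom_rules` lands in the filter table as it appears to elsewhere in this repo. Also, `has_ipv6: yes` is a YAML 1.1 truthy value; `true` is the unambiguous spelling.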


@ -3,8 +3,8 @@ faf_server_name: retrace.fedoraproject.org/faf
rs_use_faf_packages: true
# we do not have enough storage on stg
rs_internal_fedora_vers: [25, 26, 27, rawhide]
rs_internal_fedora_vers_removed: [24]
rs_internal_fedora_vers: [26, 27, rawhide]
rs_internal_fedora_vers_removed: [24, 25]
rs_internal_arch_list: [source, x86_64, i386]
nagios_Check_Services:


@ -0,0 +1,18 @@
---
faf_server_name: retrace.fedoraproject.org/faf
rs_use_faf_packages: true
# we do not have enough storage on stg
rs_internal_fedora_vers: [rawhide]
#rs_internal_fedora_vers_removed: [24, 25, 26, 27]
rs_internal_arch_list: [source, x86_64, i386]
nagios_Check_Services:
nrpe: true
sshd: true
named: false
dhcpd: false
httpd: false
swap: false
faf_repos: []


@ -496,7 +496,7 @@ proxy03.fedoraproject.org
proxy04.fedoraproject.org
proxy05.fedoraproject.org
proxy06.fedoraproject.org
proxy07.fedoraproject.org
#proxy07.fedoraproject.org
proxy08.fedoraproject.org
proxy09.fedoraproject.org
proxy10.phx2.fedoraproject.org
@ -656,7 +656,7 @@ proxy03.fedoraproject.org
proxy04.fedoraproject.org
proxy05.fedoraproject.org
proxy06.fedoraproject.org
proxy07.fedoraproject.org
#proxy07.fedoraproject.org
proxy08.fedoraproject.org
proxy09.fedoraproject.org
proxy10.phx2.fedoraproject.org
@ -708,6 +708,9 @@ smtp-mm-ib01.fedoraproject.org
smtp-mm-osuosl01.fedoraproject.org
smtp-mm-tummy01.fedoraproject.org
[hubs-stg]
hubs01.stg.phx2.fedoraproject.org
[spare]
#
# All staging hosts should be in this group too.
@ -761,6 +764,7 @@ freshmaker-frontend01.stg.phx2.fedoraproject.org
freshmaker-backend01.stg.phx2.fedoraproject.org
github2fedmsg01.stg.phx2.fedoraproject.org
hotness01.stg.phx2.fedoraproject.org
hubs01.stg.phx2.fedoraproject.org
kerneltest01.stg.phx2.fedoraproject.org
koji01.stg.phx2.fedoraproject.org
koschei-backend01.stg.phx2.fedoraproject.org
@ -1318,6 +1322,9 @@ pagure01.fedoraproject.org
[pagure-stg]
pagure-stg01.fedoraproject.org
[pagure-proxy]
pagure-proxy01.fedoraproject.org
[twisted-buildbots]
twisted-fedora24-1.fedorainfracloud.org
twisted-fedora24-2.fedorainfracloud.org


@ -74,7 +74,6 @@
- import_playbook: /srv/web/infra/ansible/playbooks/groups/maintainer-test.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/mariadb-server.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/mdapi.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/mirrorlist2.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/mirrormanager.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/memcached.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/modernpaste.yml


@ -1,7 +1,7 @@
- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=buildhw:buildaarch64:bkernel"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=buildhw:bkernel"
- name: make koji builder(s) on raw hw
hosts: buildhw:buildaarch64:bkernel
hosts: buildhw:bkernel
remote_user: root
gather_facts: True


@ -46,7 +46,7 @@
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: Set up apache on the frontend MBS API app
- name: set up Freshmaker frontend
hosts: freshmaker-frontend:freshmaker-frontend-stg
user: root
gather_facts: True
@ -58,12 +58,16 @@
roles:
- mod_wsgi
- role: freshmaker/frontend
# TLS is terminated for us at the proxy layer (like for every other app).
freshmaker_force_ssl: False
freshmaker_servername: null
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: set up fedmsg configuration and common freshmaker files
hosts: freshmaker:freshmaker-stg
- name: set up Freshmaker backend
hosts: freshmaker-backend:freshmaker-backend-stg
user: root
gather_facts: True
@ -74,6 +78,14 @@
roles:
- fedmsg/base
- role: freshmaker/backend
freshmaker_servername: freshmaker{{env_suffix}}.fedoraproject.org
- role: keytab/service
service: freshmaker
owner_user: fedmsg
owner_group: fedmsg
host: "freshmaker{{env_suffix}}.fedoraproject.org"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"


@ -1,9 +1,9 @@
# These servers run piwik
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=piwik-stg"
# create the hubs server
# NOTE: should be used with --limit most of the time
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=hubs-stg"
- name: make the box be real
hosts: piwik-stg
hosts: hubs-stg
user: root
gather_facts: True
@ -19,10 +19,10 @@
- hosts
- fas_client
- collectd/base
- apache
- fedmsg/base
- piwik
- sudo
- { role: openvpn/client,
when: env != "staging" }
- mod_wsgi
tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"


@ -1,73 +0,0 @@
# create a new mirrorlist server
# NOTE: should be used with --limit most of the time
# NOTE: make sure there is room/space for this server on the vmhost
# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=mirrorlist2:mirrorlist2-stg:!mirrorlist-host1plus.fedoraproject.org"
- name: make the box be real
hosts: mirrorlist2:mirrorlist2-stg
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- name: Install policycoreutils-python
package: name=policycoreutils-python state=present
- name: Create /srv/web/ for all the goodies.
file: >
dest=/srv/web state=directory
owner=root group=root mode=0755
tags:
- httpd
- httpd/website
- name: check the selinux context of webdir
command: matchpathcon /srv/web
register: webdir
check_mode: no
changed_when: "1 != 1"
tags:
- config
- selinux
- httpd
- httpd/website
- name: /srv/web file contexts
command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
when: webdir.stdout.find('httpd_sys_content_t') == -1
tags:
- config
- selinux
- httpd
- httpd/website
roles:
- base
- rkhunter
- nagios_client
- geoip
- hosts
- fas_client
- collectd/base
- mod_wsgi
- httpd/mod_ssl
- mirrormanager/mirrorlist2
- sudo
- { role: openvpn/client,
when: env != "staging" }
tasks:
# this is how you include other task lists
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"


@ -0,0 +1,31 @@
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=pagure-proxy"
- name: make the boxen be real for real
hosts: pagure-proxy
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- nagios_client
- hosts
- fas_client
- sudo
- collectd/base
tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
- name: Enable ipv4_forward in sysctl
sysctl: name=net.ipv4.ip_forward value=1 state=present sysctl_set=yes reload=yes
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"


@ -2,12 +2,12 @@
# NOTE: should be used with --limit most of the time
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org"
# Once the instance exists, configure it.
- name: configure postgresql server system
hosts: db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org
hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org
user: root
gather_facts: True


@ -36,6 +36,7 @@
- role: keytab/service
service: compose
host: "koji{{env_suffix}}.fedoraproject.org"
owner_group: releng-team
- role: keytab/service
service: mash
host: "koji{{env_suffix}}.fedoraproject.org"


@ -2,6 +2,8 @@
# NOTE: should be used with --limit most of the time
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=virthost:bvirthost:buildvmhost:virthost-comm:colo-virt"
- name: make virthost server system
hosts: virthost:bvirthost:buildvmhost:virthost-comm:colo-virt
user: root


@ -1,39 +0,0 @@
- name: check/create instance
hosts: blockerbugs-dev.cloud.fedoraproject.org
user: root
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
tasks:
- import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
- import_tasks: "{{ tasks_path }}/growroot_cloud.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: provision instance
hosts: blockerbugs-dev.cloud.fedoraproject.org
user: root
gather_facts: True
vars:
- tcp_ports: [22, 80, 443]
- udp_ports: []
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- basessh
tasks:
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: mount up blockerbugs-dev to /srv/persistent
mount: name=/srv/persistent src='LABEL=blockerbugs-dev' fstype=ext4 state=mounted
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"


@ -866,7 +866,18 @@
- { user: puiterwijk, tenant: transient }
- { user: puiterwijk, tenant: maintainertest }
- { user: puiterwijk, tenant: aos-ci-cd }
- { user: mizdebsk, tenant: aos-ci-cd }
- { user: mizdebsk, tenant: cloudintern }
- { user: mizdebsk, tenant: cloudsig }
- { user: mizdebsk, tenant: copr }
- { user: mizdebsk, tenant: coprdev }
- { user: mizdebsk, tenant: infrastructure }
- { user: mizdebsk, tenant: maintainertest }
- { user: mizdebsk, tenant: openshift }
- { user: mizdebsk, tenant: persistent }
- { user: mizdebsk, tenant: pythonbots }
- { user: mizdebsk, tenant: qa }
- { user: mizdebsk, tenant: scratch }
- { user: mizdebsk, tenant: transient }
- { user: clime, tenant: coprdev }
- { user: clime, tenant: persistent }


@ -33,32 +33,22 @@
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
- dnf: name={{item}} state=present
with_items:
- git
- name: create the code directory
file: dest=/srv/hubs state=directory owner=fedora group=fedora
- name: git clone the code
git: repo=https://pagure.io/fedora-hubs.git
dest=/srv/hubs/fedora-hubs
version=develop
become_user: fedora
#ignore_errors: true
roles:
- basessh
- role: hubs
main_user: fedora
main_user: hubs
hubs_url_hostname: "{{ ansible_fqdn }}"
hubs_secret_key: demotestinghubsmachine
hubs_db_type: sqlite
hubs_db_type: postgresql
hubs_dev_mode: false
hubs_conf_dir: /etc/fedora-hubs
hubs_var_dir: /var/lib/fedora-hubs
hubs_ssl_cert: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem
hubs_ssl_key: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem
hubs_fas_username: "{{ fedoraDummyUser }}"
hubs_fas_password: "{{ fedoraDummyUserPassword }}"
tasks:
@ -71,7 +61,7 @@
- name: add more hubs workers
service: name={{item}} enabled=yes state=started
with_items:
- hubs-triage@3
- hubs-triage@4
- hubs-worker@3
- hubs-worker@4
- fedora-hubs-triage@3
- fedora-hubs-triage@4
- fedora-hubs-worker@3
- fedora-hubs-worker@4
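Review bot: `hubs_secret_key: demotestinghubsmachine` in the `role: hubs` block of the first hunk stays a literal in the playbook, even though this commit moves the instance to the `hubs` user and PostgreSQL. The neighbouring `hubs_fas_password` is already read from a variable, and the secret key should be sourced the same way, e.g. `hubs_secret_key: "{{ PLACEHOLDER_hubs_secret_key }}"` (placeholder name, to be defined in the private vars file). Presumably the application uses this key to sign or protect session data, in which case a value readable in the repository gives no protection; confirm against the role. The play starts above the hunk, so its `vars_files` are not visible here.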


@ -545,10 +545,21 @@
- role: httpd/reverseproxy
website: registry.fedoraproject.org
destname: registry
destname: registry-fedora
# proxyurl in this one is totally ignored, because Docker.
# (turns out it uses PATCH requests that Varnish cannot deal with)
proxyurl: "{{ varnish_url }}"
tags:
- registry
- role: httpd/reverseproxy
website: registry.centos.org
destname: registry-centos
# proxyurl in this one is totally ignored, because Docker.
# (turns out it uses PATCH requests that Varnish cannot deal with)
proxyurl: "{{ varnish_url }}"
tags:
- registry
- role: httpd/reverseproxy
website: candidate-registry.fedoraproject.org
@ -629,6 +640,13 @@
tags:
- odcs
- role: httpd/reverseproxy
website: freshmaker.fedoraproject.org
destname: freshmaker
proxyurl: http://localhost:10067
tags:
- freshmaker
- role: httpd/reverseproxy
website: data-analysis.fedoraproject.org
destname: awstats


@ -52,6 +52,7 @@
server_aliases:
- stg.fedoraproject.org
- localhost
- www.fedoraproject.org
# This is for all the other domains we own
# that redirect to https://fedoraproject.org
@ -126,7 +127,6 @@
- www.fedoraproject.info
- www.fedoraproject.net
- www.fedoraproject.net.cn
- www.fedoraproject.org
- www.fedoraproject.org.uk
- www.fedoraproject.pe
- www.fedoraproject.su
@ -568,6 +568,12 @@
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: registry.centos.org
server_aliases: [registry.stg.centos.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: candidate-registry.fedoraproject.org
server_aliases: [candidate-registry.stg.fedoraproject.org]
@ -784,6 +790,14 @@
sslonly: true
server_aliases: [odcs.stg.fedoraproject.org]
cert_name: "{{wildcard_cert_name}}"
tags: odcs
- role: httpd/website
name: freshmaker.fedoraproject.org
sslonly: true
server_aliases: [freshmaker.stg.fedoraproject.org]
cert_name: "{{wildcard_cert_name}}"
tags: freshmaker
# fedorahosted is retired. We have the site here so we can redirect it.


@ -39,9 +39,7 @@
tasks:
- name: Pull in the list of packages from pkgdb. Go get a snack. (2 hours)
command: /usr/bin/fcomm-index-packages --index-db-dest /var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --tagger-url https://apps.stg.fedoraproject.org/tagger --pkgdb-url https://admin.stg.fedoraproject.org/pkgdb --mdapi-url https://apps.stg.fedoraproject.org/mdapi --icons-url http://download01.phx2.fedoraproject.org/pub/alt/screenshots/
async: 12000
poll: 60
command: /usr/bin/fcomm-index-packages --index-db-dest=/var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --mdapi-url=https://apps.stg.fedoraproject.org/mdapi --icons-url=https://dl.fedoraproject.org/pub/alt/screenshots --tagger-url=https://apps.stg.fedoraproject.org/tagger
when: install_packages_indexer
- name: Rebuild that search index on the side and install it. (just prod)
@ -58,9 +56,7 @@
tasks:
- name: Pull in the list of packages from pkgdb. Go get a snack. (2 hours)
command: /usr/bin/fcomm-index-packages --index-db-dest /var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --tagger-url https://apps.fedoraproject.org/tagger --pkgdb-url https://admin.fedoraproject.org/pkgdb --mdapi-url https://apps.fedoraproject.org/mdapi --icons-url http://download01.phx2.fedoraproject.org/pub/alt/screenshots/
async: 12000
poll: 60
command: /usr/bin/fcomm-index-packages --index-db-dest=/var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --mdapi-url=https://apps.fedoraproject.org/mdapi --icons-url=https://dl.fedoraproject.org/pub/alt/screenshots --tagger-url=https://apps.fedoraproject.org/tagger
when: install_packages_indexer
- name: leave maintenance mode
@ -74,8 +70,8 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: Make sure the perms are straight
file: path=/var/cache/fedoracommunity/packages/ state=directory owner=apache group=fedmsg mode="g+rw" recursive=yes
- name: Make sure the perms are straight
file: path=/var/cache/fedoracommunity/packages/ state=directory owner=apache group=fedmsg mode="g+rw" recurse=yes
- name: Restart the cache worker
service: name={{item}} state=started
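Review bot: The task name still reads `Pull in the list of packages from pkgdb. Go get a snack. (2 hours)` in both the staging and production hunks, although the new command no longer passes `--pkgdb-url` and the `async: 12000` / `poll: 60` lines were dropped. If the indexer still runs for hours, the task now depends on a single SSH session staying open for the whole run. Either keep `async`/`poll` or rename the task to match what it now does and how long it takes. The new command also mixes `--icons-dest /var/...` with `--option=value` for every other flag; using one form throughout would read better.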


@ -46,15 +46,14 @@
dest=/var/tmp/koji.dump.xz
owner=postgres
group=postgres
- command: unxz /var/tmp/koji.dump.xz
creates=/var/tmp/koji.dump
# TODO -- stop replication and wipe db's
- command: dropdb koji
- command: createdb -O koji koji
# buildroot_listing is excluded from the sync to save some time
- name: Import the prod db. This will take quite a while. Go get a snack!
shell: cat /var/tmp/koji.dump | psql koji
shell: xzcat /var/tmp/koji.dump.xz | sed '/COPY buildroot_listing /,/\./d' | psql koji
- name: repoint all the prod rpm entries at the secondary volume (and other stuff)
shell: psql koji < /var/lib/pgsql/koji-reset-staging.sql
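Review bot: The `sed` range in the new import line ends at `/\./`, which matches the first line containing any dot rather than the `\.` line that terminates a COPY block. A data row with a dot in it would end the deletion early, and the rest of the table would be passed to `psql` as input. Anchoring both addresses is safer: `sed '/^COPY buildroot_listing /,/^\\\.$/d'`. Separately, the task result is only the exit status of the last command in the pipeline, so a failing `xzcat` on a truncated dump is not detected. If the shell on the host is bash, prefixing the pipeline with `set -o pipefail;` would surface it.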


@ -24,6 +24,11 @@
-- [unset kojihub ServerOffline setting]
-- wipe obsolete table that only causes problems with the sync, could
-- even be dropped entirely (together with imageinfo table).
select now() as time, 'wiping imageinfo listings' as msg;
delete from imageinfo_listing;
-- bump sequences (not strictly needed anymore)
select now() as time, 'bumping sequences' as msg;
alter sequence task_id_seq restart with 90000000;
@ -57,7 +62,7 @@ delete from rpminfo where build_id in (select id from build where state<>1);
-- expire any active buildroots
select now() as time, 'expiring active buildroots' as msg;
update buildroot set state=3, retire_event=get_event() where state=0;
update standard_buildroot set state=3, retire_event=get_event() where state=0;
-- enable/disable hosts
update host set enabled=False;
@ -75,6 +80,8 @@ update repo set state = 3 where state in (0, 1, 2);
-- The koji hub is x86_64 and i386 and has createrepo ability
{% for host in groups['koji-stg'] %}
select now() as time, 'adding staging host {{ host }}' as msg;
delete from host where name='{{ host }}';
delete from users where name='{{ host }}';
insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
insert into host (user_id, name, arches) values (
(select id from users where name='{{host}}'), '{{host}}', 'i386 x86_64');
@ -87,6 +94,8 @@ insert into host_channels (host_id, channel_id) values (
-- The buildvms are x86_64 and i386 and also have createrepo ability
{% for host in groups['buildvm-stg'] %}
select now() as time, 'adding staging host {{ host }}' as msg;
delete from host where name='{{ host }}';
delete from users where name='{{ host }}';
insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
insert into host (user_id, name, arches) values (
(select id from users where name='{{host}}'), '{{host}}', 'i386 x86_64');
@ -100,6 +109,8 @@ insert into host_channels (host_id, channel_id) values (
{% for host in groups['buildvm-aarch64-stg'] %}
select now() as time, 'adding staging host {{ host }}' as msg;
delete from host where name='{{ host }}';
delete from users where name='{{ host }}';
insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
insert into host (user_id, name, arches) values (
(select id from users where name='{{host}}'), '{{host}}', 'aarch64');
@ -113,6 +124,8 @@ insert into host_channels (host_id, channel_id) values (
{% for host in groups['buildvm-ppc64-stg'] %}
select now() as time, 'adding staging host {{ host }}' as msg;
delete from host where name='{{ host }}';
delete from users where name='{{ host }}';
insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
insert into host (user_id, name, arches) values (
(select id from users where name='{{host}}'), '{{host}}', 'ppc64');
@ -126,6 +139,8 @@ insert into host_channels (host_id, channel_id) values (
{% for host in groups['buildvm-ppc64le-stg'] %}
select now() as time, 'adding staging host {{ host }}' as msg;
delete from host where name='{{ host }}';
delete from users where name='{{ host }}';
insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
insert into host (user_id, name, arches) values (
(select id from users where name='{{host}}'), '{{host}}', 'ppc64le');
@ -137,7 +152,7 @@ insert into host_channels (host_id, channel_id) values (
-- Add some people to be admins, only in staging. Feel free to grow this list..
{% for username in ['modularity', 'mizdebsk', 'ralph', 'psabata', 'puiterwijk', 'jkaluza', 'fivaldi', 'mprahl'] %}
{% for username in ['modularity', 'mizdebsk', 'psabata', 'jkaluza', 'fivaldi', 'mprahl'] %}
select now() as time, 'adding staging admin {{username}}' as msg;
insert into user_perms (user_id, perm_id, active, creator_id) values (
(select id from users where name='{{username}}'),
@ -152,7 +167,7 @@ insert into user_perms (user_id, perm_id, active, creator_id) values (
('hotness', 'hotness/hotness01.stg.phx2.fedoraproject.org'),
('containerbuild', 'osbs/osbs.stg.fedoraproject.org'),
('kojira', 'kojira/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG')] %}
update users set krb_principal='{{principal}}@STG.FEDORAPROJECT.ORG' where username='{{username}}';
update users set krb_principal='{{principal}}@STG.FEDORAPROJECT.ORG' where name='{{username}}';
{% endfor %}
update users set krb_principal=replace(krb_principal, '@FEDORAPROJECT.ORG', '@STG.FEDORAPROJECT.ORG');


@ -1,12 +1,10 @@
- name: push packages out
hosts: fedimg:fedimg-stg
user: root
vars_files:
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
testing: False
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
@ -15,53 +13,18 @@
command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
check_mode: no
- name: yum update fedimg packages from main repo
yum: name="python-fedimg" state=latest
yum: name="{{ item }}" state=latest
with_items:
- python-fedimg
- python2-libcloud
- python2-fedfind
when: not testing
- name: yum update fedimg packages from testing repo
yum: name="python-fedimg" state=latest enablerepo=infrastructure-tags-stg
when: testing
- name: yum update libcloud from testing repo
yum: name="python2-libcloud" state=latest enablerepo=epel-testing
when: not testing
- name: update fedfind
hosts: fedimg:fedimg-stg
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
testing: False
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
tasks:
- name: yum update fedfind packages from main repo
yum: name="fedfind" state=latest
when: not testing
- name: yum update fedfind packages from testing repo
yum: name="fedfind" state=latest enablerepo=infrastructure-tags-stg
when: testing
- name: update python2-fedfind
hosts: fedimg:fedimg-stg
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
testing: False
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
tasks:
- name: yum update fedfind packages from main repo
yum: name="python2-fedfind" state=latest
when: not testing
- name: yum update fedfind packages from testing repo
yum: name="python2-fedfind" state=latest enablerepo=infrastructure-tags-stg
yum: name="{{ item }}" state=latest enablerepo=infrastructure-tags-stg
with_items:
- python-fedimg
- python2-libcloud
- python2-fedfind
when: testing
- name: verify the backend and restart it


@ -40,16 +40,16 @@
command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
check_mode: no
- name: yum update fedmsg packages from the main repo
yum: name={{item}} state=latest
package: name={{item}} state=latest
when: not testing
with_items: "{{packages}}"
- name: yum update fedmsg packages from testing repo
yum: name={{item}} state=latest enablerepo=infrastructure-tags-stg
package: name={{item}} state=latest enablerepo=infrastructure-tags-stg
when: testing
with_items: "{{packages}}"
# Restart all the backend daemons
- include_tasks: ../restart-fedmsg-services.yml
#- import_tasks: "{{tasks_path}}../restart-fedmsg-services.yml"
# Also restart the frontend web services
- name: bounce apache


@ -62,7 +62,7 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
fedora_repos:
- epel
- updates
pre_tasks:
- name: schedule nagios downtime
nagios: action=downtime minutes=20 service=host host={{ inventory_hostname_short }}{{ env_suffix }}

View file

@ -12,13 +12,13 @@
tasks:
- name: clean all metadata {%if testing%}(with infrastructure-testing on){%endif%}
command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
command: dnf clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
check_mode: no
- name: yum update fedora-packages packages from main repo
yum: name="fedora-packages" state=latest
- name: dnf update fedora-packages packages from main repo
dnf: name="fedora-packages" state=latest
when: not testing
- name: yum update fedora-packages packages from testing repo
yum: name="fedora-packages" state=latest enablerepo=infrastructure-tags-stg
- name: dnf update fedora-packages packages from testing repo
dnf: name="fedora-packages" state=latest enablerepo=infrastructure-tags-stg
when: testing
- name: verify the config and restart it


@ -0,0 +1,24 @@
- name: make the app be real
hosts: os-masters-stg
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: openshift/project
app: transtats
description: transtats
appowners:
- suanand
- { role: openshift/object, app: transtats, template: secret.yml }
- { role: openshift/object, app: transtats, file: imagestream.yml }
- { role: openshift/object, app: transtats, file: buildconfig.yml }
- { role: openshift/start-build, app: transtats, name: transtats-build }
- { role: openshift/object, app: transtats, file: service.yml }
- { role: openshift/object, app: transtats, file: route.yml }
- { role: openshift/object, app: transtats, file: deploymentconfig.yml }
- { role: openshift/rollout, app: transtats, name: transtats-web }


@ -49,7 +49,6 @@
state: present
when: not devel
with_items:
- "25"
- "26"
- "27"
@ -63,6 +62,7 @@
when: not devel
with_items:
- "24"
- "25"
- name: koops_to_xorg.py
cron:
@ -82,7 +82,6 @@
state: present
when: not devel
with_items:
- "25"
- "26"
- "27"
@ -96,6 +95,7 @@
when: not devel
with_items:
- "24"
- "25"
- name: update BZ bugs fedora
cron:


@ -30,6 +30,7 @@ faf_migrate_db: true
faf_cron_jobs: true
faf_admin_mail: root@localhost
faf_from: no-reply@localhost
faf_spool_dir: /var/spool/faf


@ -1 +1 @@
{install_date: 'Tue Jul 4 08:35:09 2017', version: ''}
{install_date: 'Wed Feb 7 13:30:30 2018', version: ''}


@ -12,8 +12,8 @@ galaxy_info:
- name: Fedora
versions:
- 25
- 24
- 23
- 26
- 27
categories:
- web
dependencies: []


@ -5,7 +5,7 @@
- packages
- name: install redis package
yum : name={{ item }} state=present
package: name={{ item }} state=present
with_items:
- redis
- python-redis


@ -8,7 +8,7 @@
when: not faf_web_on_root
- name: install faf-webui packages
yum : name={{ item }} state=latest
package : name={{ item }} state=latest
with_items: "{{ faf_web_packages }}"
- import_tasks: celery.yml


@ -20,7 +20,8 @@ Server = {{ smtp_server }}
Port = {{ smtp_port }}
Username = {{ smtp_username|default("", true) }}
Password = {{ smtp_password|default("", true) }}
From = {{ faf_admin_mail }}
From = {{ faf_from }}
[uReport]
# The directory that holds 'reports' and 'attachments' subdirectories
Directory = {{ faf_spool_dir }}


@ -1,8 +1,8 @@
---
# List of fedora versions for reposync
rs_internal_fedora_vers: [25, 26, 27, rawhide]
rs_internal_fedora_vers_removed: [24]
rs_internal_fedora_vers: [26, 27, rawhide]
rs_internal_fedora_vers_removed: [24, 25]
# List of architectures for reposync
# armhfp disabled untill we get more space


@ -1 +1 @@
{install_date: 'Tue Jul 4 08:34:40 2017', version: ''}
{install_date: 'Wed Feb 7 13:30:31 2018', version: ''}


@ -10,9 +10,9 @@ galaxy_info:
- 7
- name: Fedora
versions:
- 21
- 22
- 23
- 26
- 27
- 25
categories:
- system
#dependencies:


@ -4,4 +4,4 @@
when: rs_force_reinstall
- name: install retrace-server package
yum : name=retrace-server state=present
package: name=retrace-server state=present


@ -18,11 +18,15 @@
- name: ACL for user retrace
acl: path="{{ faf_spool_dir }}/lob" state=present recursive=yes
entity=retrace etype=user permissions=rwX
async: 21600
pool: 0
# for files/dirs created in future
- name: default ACL for user retrace
acl: path="{{ faf_spool_dir }}/lob" state=present recursive=yes default=yes
entity=retrace etype=user permissions=rwX
async: 21600
pool: 0
- name: check for hardlink dir
stat: path={{ rs_faf_link_dir }}
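Review bot: `pool: 0` in both ACL tasks looks like a typo for `poll: 0`; `pool` is not a task keyword, so Ansible is expected to reject the task instead of running it in the background. Next to `async: 21600` the intended line is presumably `poll: 0`. With `poll: 0` the play continues without waiting for the recursive ACL pass, so later tasks in this file must not assume the ACLs are already in place. The task list continues outside the hunk, so that cannot be checked from here.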


@ -9,7 +9,7 @@
SSLEngine on
SSLProtocol {{ ssl_protocols }}
SSLCipherSuite {{ ssl_ciphers }}
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
SSLCertificateChainFile /etc/pki/tls/certs/release-monitoring.org.intermediate.cert


@ -27,12 +27,13 @@ def parse_args():
parser.add_argument('--description', default=None, help='Description..')
parser.add_argument('--criteria', default=None, help='Criteria link')
parser.add_argument('--image', default=None, help='Image link')
parser.add_argument('--tags', default=None, help='Badge Tags')
args = parser.parse_args()
if not args.badge:
print "You must specify a badge id."
sys.exit(1)
if not args.name and not args.description and not args.criteria and not args.image:
print "You must specify either name, description or criteria or image to edit."
if not args.name and not args.description and not args.criteria and not args.image and not args.tags:
print "You must specify either name, description or criteria, tags or image to edit."
sys.exit(1)
return args
@ -51,7 +52,7 @@ def initialize():
return tahrir
def main(tahrir, badge_id, name, description, criteria, image):
def main(tahrir, badge_id, name, description, criteria, image, tags):
badge = tahrir.get_badge(badge_id)
if not badge:
@ -75,6 +76,11 @@ def main(tahrir, badge_id, name, description, criteria, image):
if image:
badge.image = image
print "Setting image on %r to %r" % (badge_id, image)
if tags:
badge.tags = tags
print "Setting tags on %r to %r" % (badge_id, tags)
tahrir.session.commit()
transaction.commit()
@ -82,4 +88,5 @@ def main(tahrir, badge_id, name, description, criteria, image):
if __name__ == '__main__':
args = parse_args()
tahrir = initialize()
main(tahrir, args.badge, args.name, args.description, args.criteria, args.image)
main(tahrir, args.badge, args.name, args.description, args.criteria,
args.image, args.tags)


@ -86,6 +86,7 @@ syncHttpLogs download03.phx2.fedoraproject.org
syncHttpLogs download04.phx2.fedoraproject.org
syncHttpLogs download05.phx2.fedoraproject.org
syncHttpLogs download-rdu01.vpn.fedoraproject.org
syncHttpLogs download-ib01.vpn.fedoraproject.org
syncHttpLogs sundries01.phx2.fedoraproject.org
syncHttpLogs sundries02.phx2.fedoraproject.org
syncHttpLogs sundries01.stg.phx2.fedoraproject.org


@ -108,12 +108,16 @@
- name: make sure hostname is set right on rhel7 hosts
hostname: name="{{inventory_hostname}}"
#
# We set builders root password in the koji_builder role, so do not set those here
#
- name: set root passwd
user: name=root password={{ rootpw }} state=present
tags:
- rootpw
- base
when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09') or inventory_hostname.startswith('ppc8-04'))
when: not inventory_hostname.startswith(('build','bkernel','koji01.stg','s390','fed-cloud09'))
- name: add ansible root key
authorized_key: user=root key="{{ item }}"
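Review bot: The shortened prefix tuple in the new `when:` no longer excludes hosts whose names start with `rawhide`, `branched`, `compose`, `arm`, `aarch64` or `ppc8-04`, so any remaining host with one of those prefixes now receives the shared `rootpw` from this task. The added comment says builder root passwords are set in the koji_builder role. If hosts named `arm*` or `aarch64*` are still builders, two roles would write the same account's password, which is worth confirming against the inventory before merging. A comment above the condition stating what each remaining prefix stands for, e.g. `# build*, bkernel*, s390*: root password set by koji_builder`, would help the next editor (wording to be confirmed by someone who knows the inventory).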


@ -36,3 +36,6 @@ IPV6_DEFAULTDEV={{item}}
IPV6_DEFAULTGW={{ hostvars[inventory_hostname][item + '_ipv6_gw'] }}
IPV6_MTU=1280
{% endif %}
{% if hostvars[inventory_hostname][item + '_secondary_ip'] is defined %}
IPADDR1="{{ hostvars[inventory_hostname][item + '_secondary_ip'] }}"
{% endif %}


@ -110,3 +110,16 @@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
{% if nat_rules %}
*nat
:PREROUTING ACCEPT [0:]
:INPUT ACCEPT [0:]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% for rule in nat_rules %}
{{ rule }}
{% endfor %}
COMMIT
{% endif %}
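Review bot: The `:PREROUTING ACCEPT [0:]` and `:INPUT ACCEPT [0:]` lines in the new `*nat` block are missing the byte counter, while the two chains below them use `[0:0]`. The malformed form may be rejected when the file is restored with counters enabled, so both should read `[0:0]`. Also, `{% if nat_rules %}` assumes the variable is always defined; unless a role default exists outside this hunk, `{% if nat_rules is defined and nat_rules %}` avoids a template failure on hosts that do not set it. Each entry of `nat_rules` is written into the ruleset verbatim, so a comment noting that the variable must only come from trusted inventory would be a useful addition.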


@ -91,6 +91,7 @@
# git on pagure,io
-A OUTPUT -p tcp -m tcp -d 140.211.169.204 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 152.19.134.147 --dport 443 -j ACCEPT
# admin.fedoraproject.org for fas (proyx(1)01 and proxy(1)10)
-A OUTPUT -p tcp -m tcp -d 10.5.126.8 --dport 80 -j ACCEPT


@ -86,6 +86,7 @@ syncHttpLogs download03.phx2.fedoraproject.org
syncHttpLogs download04.phx2.fedoraproject.org
syncHttpLogs download05.phx2.fedoraproject.org
syncHttpLogs download-rdu01.vpn.fedoraproject.org
syncHttpLogs download-ib01.vpn.fedoraproject.org
syncHttpLogs sundries01.phx2.fedoraproject.org
syncHttpLogs sundries02.phx2.fedoraproject.org
syncHttpLogs sundries01.stg.phx2.fedoraproject.org


@ -1,3 +1,2 @@
30 1 * * * root /mnt/fedora/app/fi-repo/rhel/rhel5/rhel5-sync > /dev/null
30 2 * * * root /mnt/fedora/app/fi-repo/rhel/rhel6/rhel6-sync > /dev/null
30 3 * * * root /mnt/fedora/app/fi-repo/rhel/rhel7/rhel7-sync > /dev/null


@ -339,7 +339,8 @@
- config
when: inventory_hostname.startswith('batcave01')
#
# Monday morning run a script to show all the packages we have in infra tags in koji.
# Monday morning run a script to show all the packages we have in infra
# tags in koji.
#
- name: Install infra-tags-report script


@ -114,7 +114,7 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }}
SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }}
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
SSLHonorCipherOrder On


@ -56,6 +56,9 @@ RELEASES = {'f27': {'topic': 'fedora',
'repos': {'updates': {
'from': 'f26-updates',
'ostrees': [{'ref': 'fedora/26/x86_64/updates/atomic-host',
'dest': os.path.join(ATOMICDEST, '26')},
# Hack around for the fact that ostree on f25 doesn't know links
{'ref': 'fedora/26/x86_64/atomic-host',
'dest': os.path.join(ATOMICDEST, '26')}],
'to': [{'arches': ['x86_64', 'armhfp', 'source'],
'dest': os.path.join(FEDORADEST, '26')},


@ -320,9 +320,9 @@
- name: bodhi-check-policies cron job.
cron: name="bodhi-check-policies" hour="*/6" minute=0 user="apache"
job="/usr/bin/bodhi-check-policies > /dev/null"
job="/usr/bin/bodhi-check-policies >& /dev/null"
cron_file=bodhi-check-policies-job
when: inventory_hostname.startswith('bodhi-backend01') and env == "staging"
when: (inventory_hostname.startswith('bodhi-backend01') and env == "staging") or (inventory_hostname.startswith('bodhi-backend02') and env == "production")
tags:
- config
- bodhi
@ -330,7 +330,7 @@
- name: bodhi-expire-overrides cron job.
cron: name="bodhi-expire-overrides" hour="*" minute=0 user="apache"
job="/usr/bin/bodhi-expire-overrides /etc/bodhi/production.ini 2> /dev/null"
job="/usr/bin/bodhi-expire-overrides /etc/bodhi/production.ini 2>&1 | logger -t bodhi-expire-overrides"
cron_file=bodhi-expire-overrides-job
when: inventory_hostname.startswith('bodhi-backend02') and env == "production"
tags:
@ -338,28 +338,14 @@
- bodhi
- cron
- name: setup basic /etc/bodhi/ contents (staging)
template: >
src="{{ roles_path }}/bodhi2/base/templates/staging.ini.j2"
dest="/etc/bodhi/production.ini"
owner=apache
group=apache
mode=0600
when: inventory_hostname.startswith('bodhi-backend') and env == 'staging'
notify:
- reload bodhi httpd
tags:
- config
- bodhi
- name: setup basic /etc/bodhi/ contents (production)
- name: setup basic /etc/bodhi/ contents
template: >
src="{{ roles_path }}/bodhi2/base/templates/production.ini.j2"
dest="/etc/bodhi/production.ini"
owner=apache
group=apache
mode=0600
when: inventory_hostname.startswith('bodhi-backend') and env == 'production'
when: inventory_hostname.startswith('bodhi-backend')
notify:
- reload bodhi httpd
tags:
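Review bot: The `bodhi-check-policies` job in the first hunk now discards both stdout and stderr with `>& /dev/null`, so a failing run on the newly added production host leaves no trace. The `bodhi-expire-overrides` job in the next hunk was changed to `2>&1 | logger -t bodhi-expire-overrides`, and the same form here would keep failures visible in syslog: `job="/usr/bin/bodhi-check-policies 2>&1 | logger -t bodhi-check-policies"`. `>&` followed by a file name is also a bash extension, so it depends on which shell cron uses on these hosts.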


@ -19,14 +19,14 @@
- config
- bodhi
- name: setup basic /etc/bodhi/ contents (staging)
- name: setup basic /etc/bodhi/ contents
template: >
src="staging.ini.j2"
src="production.ini.j2"
dest="/etc/bodhi/production.ini"
owner=bodhi
group=bodhi
mode=0600
when: inventory_hostname.startswith('bodhi0') and env == 'staging'
when: inventory_hostname.startswith('bodhi0')
notify:
- reload bodhi httpd
tags:
@ -43,20 +43,6 @@
- config
- bodhi
- name: setup basic /etc/bodhi/ contents (production)
template: >
src="production.ini.j2"
dest="/etc/bodhi/production.ini"
owner=bodhi
group=bodhi
mode=0600
when: inventory_hostname.startswith('bodhi0') and env == 'production'
notify:
- reload bodhi httpd
tags:
- config
- bodhi
- name: Copy some fedmsg configuration of our own for fedmsg-hub
template: >
src={{item}}


@ -1,3 +1,4 @@
# The commented values in this config file represent the defaults.
[filter:proxy-prefix]
use = egg:PasteDeploy#prefix
prefix = /
@ -7,138 +8,193 @@ scheme = https
use = egg:bodhi-server
filter-with = proxy-prefix
# Release status
# pre-beta enforces the 'Pre Beta' policy defined here:
# https://fedoraproject.org/wiki/Updates_Policy
f27.status = post_beta
f27.post_beta.mandatory_days_in_testing = 7
f27.post_beta.critpath.num_admin_approvals = 0
f27.post_beta.critpath.min_karma = 2
f27.post_beta.critpath.stable_after_days_without_negative_karma = 14
f27.pre_beta.mandatory_days_in_testing = 3
f27.pre_beta.critpath.num_admin_approvals = 0
f27.pre_beta.critpath.min_karma = 1
##
## Atomic OSTree support
## This will compose Atomic OSTrees during the push process using the fedmsg-atomic-composer
## https://github.com/fedora-infra/fedmsg-atomic-composer
##
compose_atomic_trees = true
##
## Messages
##
# A notice to flash on the front page
frontpage_notice =
# The bodhi-approve-testing cron job will post this message as a comment from the bodhi user on
# updates that reach the required time in testing if they are not stable yet. Positional
# substitution is used, and the %d will be replaced with the time in testing required for the
# update.
# testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
# A notice to flash on the New Update page
newupdate_notice =
# not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/Package_update_acceptance_criteria">Package Update Acceptance Criteria</a>
testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/Package_update_acceptance_criteria">Package Update Acceptance Criteria</a>
not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/EPEL_Updates_Policy">EPEL Updates Policy</a>
stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository
# not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/EPEL_Updates_Policy">EPEL Update Policy</a>
testing_approval_msg_based_on_karma = This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.
not_yet_tested_msg_based_on_karma = This update has not reached the stable karma threshold.
# Bodhi will post this comment on Updates that don't use autokarma when they reach the stable
# threshold.
# testing_approval_msg_based_on_karma = This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.
# The comment that Bodhi will post on updates when a user posts negative karma.
# disable_automatic_push_to_stable = Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
# Libravatar - If this is true libravatar will work as normal. Otherwise, all
# libravatar links will be replaced with the string "libravatar.org" so that
# the tests can still pass.
libravatar_enabled = True
# libravatar_enabled = True
# Set this to true if you want to do federated dns libravatar lookup
libravatar_dns = False
# libravatar_dns = False
# If libravatar_dns is True, prefer_ssl will define what gets handed to
# libravatar.libravatar_url()'s https setting. It may be set to True or False, but defaults to None,
# which is effectively False.
# prefer_ssl =
# Set this to True in order to send fedmsg messages.
# fedmsg_enabled = False
fedmsg_enabled = True
# Captcha - if 'captcha.secret' is not None, then it will be used for comments
# captcha.secret must be 32 url-safe base64-encoded bytes
# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key()
# Captcha - if 'captcha.secret' is set, then it will be used for comments. Comment it to turn it
# off. captcha.secret must be 32 url-safe base64-encoded bytes.
# You can generate one with >>> cryptography.fernet.Fernet.generate_key()
# captcha.secret = CHANGEME
captcha.secret = {{ bodhi2CaptchaSecret }}
# Dimensions
captcha.image_width = 300
captcha.image_height = 80
# Any truetype font will do.
captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
captcha.font_size = 36
# Colors
captcha.font_color = #000000
captcha.background_color = #ffffff
# In pixels
captcha.padding = 5
# If a captcha sits around for this many seconds, it will stop working.
captcha.ttl = 300
#datagrepper_url = http://localhost:5000
datagrepper_url = https://apps.fedoraproject.org/datagrepper
badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands
# Dimensions
# captcha.image_width = 300
# captcha.image_height = 80
# Any truetype font will do.
# /usr/share/fonts/liberation/LiberationMono-Regular.ttf lives in liberation-mono-fonts.
# /usr/share/fonts/pcaro-hermit/Hermit-medium.otf lives in pcaro-hermit-fonts package.
# captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
# captcha.font_size = 36
# Colors
# captcha.font_color = #000000
# captcha.background_color = #ffffff
# In pixels
# captcha.padding = 5
# If a captcha sits around for this many seconds, it will stop working.
# captcha.ttl = 300
# The URL for a datagrepper to use in various templates.
# datagrepper_url = https://apps.fedoraproject.org/datagrepper
datagrepper_url = https://apps{{env_suffix}}.fedoraproject.org/datagrepper
# badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands
##
## Wiki Test Cases
## Testing
##
## Query the wiki for test cases
# query_wiki_test_cases = False
query_wiki_test_cases = True
wiki_url = https://fedoraproject.org/w/api.php
test_case_base_url = https://fedoraproject.org/wiki/
# wiki_url = https://fedoraproject.org/w/api.php
# test_case_base_url = https://fedoraproject.org/wiki/
wiki_url = https://{{env_suffix}}fedoraproject.org/w/api.php
test_case_base_url = https://{{env_suffix}}fedoraproject.org/wiki/
# URL of the resultsdb for integrating checks and stuff
# resultsdb_api_url = https://taskotron.fedoraproject.org/resultsdb_api/
resultsdb_url = https://taskotron{{env_suffix}}.fedoraproject.org/resultsdb/
# Set this to True to enable gating based on policies enforced by Greenwave. If you set this to
# True, be sure to add a cron job to run the bodhi-check-policies CLI periodically.
# test_gating.required = False
test_gating.required = True
# If this is set to a URL, a "More information about test gating" link will appear on update pages for users
# to click and learn more.
# test_gating.url =
# The API url of Greenwave.
# greenwave_api_url = https://greenwave.fedoraproject.org/api/v1.0
greenwave_api_url = https://greenwave-web-greenwave.app.os{{env_suffix}}.fedoraproject.org/api/v1.0
# The URL for waiverdb's API
# waiverdb_api_url = https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0
waiverdb_api_url = https://waiverdb-web-waiverdb.app.os{{env_suffix}}.fedoraproject.org/api/v1.0
# An access token used to authenticate to waiverdb
# waiverdb.access_token =
# Email domain to prepend usernames to
default_email_domain = fedoraproject.org
# default_email_domain = fedoraproject.org
default_email_domain = {{env_suffix}}fedoraproject.org
# domain for generated message IDs
message_id_email_domain = admin.fedoraproject.org
# message_id_email_domain = admin.fedoraproject.org
message_id_email_domain = admin{{env_suffix}}.fedoraproject.org
##
## Mash settings
## Masher settings
##
releng_fedmsg_certname = shell-bodhi-backend01{{env_suffix}}.phx2.fedoraproject.org
# If defined, the bodhi masher will ensure that messages are signed with the given cert
{% if ansible_hostname == 'bodhi-backend01' %}
releng_fedmsg_certname = shell-bodhi-backend01.phx2.fedoraproject.org
{% else %}
releng_fedmsg_certname = shell-bodhi-backend03.phx2.fedoraproject.org
{% endif %}
# The masher is a bodhi instance that is responsible for composing the update
# repositories, regenerating metrics, sending update notices, closing bugs,
# and other costly operations. To set an external masher, set the masher to
# the baseurl of the bodhi instance. If set to None, this bodhi instance
# will act as a masher as well.
#masher = None
{% if 'backend' in inventory_hostname %}
# Where to initially mash repositories. You can use %(here)s to reference the location of this file.
# mash_dir =
{% if ansible_hostname.startswith('bodhi-backend') %}
mash_dir = /mnt/koji/compose/updates/
mash_stage_dir = /mnt/koji/compose/updates/
{% else %}
# do not use on frontends as bodhi will check the mount and refuse to run without it.
#mash_dir = /mnt/koji/compose/updates/
{% endif %}
pungi.basepath = /etc/bodhi
pungi.conf.rpm = pungi.rpm.conf.j2
pungi.conf.module = pungi.module.conf.j2
pungi.labeltype = Update
pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler
# The max number of mash threads running at the same time
# max_concurrent_mashes = 2
max_concurrent_mashes = 4
## Our periodic jobs
#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates
jobs = cache_release_data refresh_metrics approve_testing_updates
# Where to symlink the latest repos by their tag name. You can use %(here)s to reference the
# location of this file.
# mash_stage_dir =
{% if ansible_hostname.startswith('bodhi-backend') %}
mash_stage_dir = /mnt/koji/compose/updates/
{% else %}
# do not use on frontends as bodhi will check the mount and refuse to run without it.
#mash_stage_dir = /mnt/koji/compose/updates/
{% endif %}
## Comps configuration
comps_dir = /var/cache/bodhi/comps
comps_url = https://pagure.io/fedora-comps.git
# The following jinja2 template variables are available for use to customize the Pungi configs and
# variants files to the Release and Updates:
#
# * 'id': The id of the Release being mashed.
# * 'release': The Release being mashed.
# * 'request': The request being mashed.
# * 'updates': The Updates being mashed.
#
# NOTE: The jinja2 configuration for these templates replaces the {'s and }'s with ['s and ]'.
# e.g.: a block becomes [% if <something %], and a variable is [[ varname ]].
# The base path where pungi configs will be stored. You will need to put variants.xml templates
# inside pungi.basepath as well. These templates will have access to the same template variables
# described above, and should be named variants.rpm.xml.j2 and variants.module.xml.j2, for RPM
# composes and module composes, respectively.
# pungi.basepath = /etc/bodhi
# The Pungi executable to use when mashing.
# pungi.cmd = /usr/bin/pungi-koji
# The following settings reference filenames of jinja2 templates found in pungi.basepath to be used
# as Pungi configs for mashing modules or RPMs (The RPM config includes dnf, yum, and atomic repos).
# pungi.conf.module = pungi.module.conf
# pungi.conf.rpm = pungi.rpm.conf
pungi.conf.rpm = pungi.rpm.conf.j2
pungi.conf.module = pungi.module.conf.j2
# A space separated list of extra arguments to be passed on to Pungi during mashing.
# pungi.extracmdline =
pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler
# What to pass to Pungi's --label flag, which is metadata included in its composeinfo.json.
# pungi.labeltype = Update
##
## Mirror settings
##
file_url = https://download.fedoraproject.org/pub/fedora/linux/updates
# file_url: Used in the repo metadata to set RPM URLs.
# file_url = https://download.fedoraproject.org/pub/fedora/linux/updates
{% if env == 'production' %}
master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
fedora_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
fedora_epel_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
{% endif %}
# {release}_{request}_master_repomd: This is used by the masher to determine when a
# primary architecture push has been synchronized to the master mirror for a given release and
@ -148,27 +204,45 @@ fedora_epel_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s
# arches listed in {release}_{version}_primary_arches when it is defined, else used for all
# arches. You must put two %s's in this setting - the first will be replaced with the release
# version and the second will be replaced with the architecture.
fedora_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
fedora_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/testing/%s/%s/repodata/repomd.xml
# fedora_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
# fedora_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/testing/%s/%s/repodata/repomd.xml
# fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
# fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml
{% if env == 'production' %}
fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml
fedora_modular_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/modular/updates/%s/Server/%s/repodata/repomd.xml
fedora_modular_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/modular/updates/testing/%s/Server/%s/repodata/repomd.xml
{% elif env == 'staging' %}
fedora_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml
fedora_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml
fedora_modular_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates/compose/Everything/%s/os/repodata/repomd.xml
fedora_modular_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
{% endif %}
# {release}_{request}_alt_master_repomd: This is used by the masher to determine when a
# secondary architecture push has been synchronized to the master mirror for a given release and
# request. The masher will verify that the checksum of repomd.xml at the master URL matches the
# expected value, and will poll the URL until this test passes. Substitute release and request
# for each release id (replacing -'s with _'s) and request (stable, testing). Used for the
# arches not listed in {release}_{version}_primary_arches if it is defined. You must put two %s's
# in this setting - the first will be replaced with the release version and the second will be
# replaced with the architecture.
# arches not listed in {release}_{version}_primary_arches if it is defined. You must put two
# %s's in this setting - the first will be replaced with the release version and the second will
# be replaced with the architecture.
# fedora_stable_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/%s/%s/repodata/repomd.xml
# fedora_testing_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/testing/%s/%s/repodata/repomd.xml
{% if env == 'production' %}
fedora_stable_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/%s/%s/repodata/repomd.xml
fedora_testing_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/testing/%s/%s/repodata/repomd.xml
{% elif env == 'staging' %}
fedora_stable_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml
fedora_testing_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
{% endif %}
## The base url of this application
base_address = https://bodhi.fedoraproject.org/
# base_address = https://admin.fedoraproject.org/updates/
base_address = https://bodhi{{env_suffix}}.fedoraproject.org/
## Primary architechures by release
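Review bot: The `{% if env == 'production' %}` / `{% elif env == 'staging' %}` blocks around the `*_master_repomd` and `*_alt_master_repomd` settings have no `{% else %}`, so a host whose `env` is anything else renders a file with those settings silently absent. The same shape is used in later hunks for `bz_server`, `buglink`, `cors_connect_src`, `sqlalchemy.url`, `authtkt.secret`, `session.secret` and `session.key`. For the two secrets the commented lines show `CHANGEME` as the placeholder, so if that is also Bodhi's built-in default, a mis-set `env` would leave cookies signed with a publicly known value. I would fail the play before the template renders, for example with an `assert` task using `that: env in ['production', 'staging']`, rather than let the file render incomplete.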
@ -180,91 +254,77 @@ base_address = https://bodhi.fedoraproject.org/
## Bodhi looks for primary arches with the {release}_{request}_master_repomd setting above, and
## for alternative arches at the {release}_{request}_alt_master_repomd setting above. If this
## is not set, Bodhi will assume the release only has primary arches.
# fedora_26_primary_arches = armhfp x86_64
fedora_26_primary_arches = armhfp x86_64
fedora_27_primary_arches = armhfp x86_64
## Supported update types
update_types = bugfix enhancement security newpackage
## Supported architechures
##
## To handle arch name changes between releases, you
## can also configure bodhi to support one arch *or*
## another. For example, EPEL5 mashes produce 'ppc'
## repos, where EPEL6 produces 'ppc64'. To handle this
## scenario, you can specify something like:
##
## arches = ppc/ppc64
##
arches = x86_64 armhfp i386
##
## Email setting
##
# The hostname of an SMTP server Bodhi can use to deliver e-mail.
# smtp_server =
smtp_server = bastion
# The updates system itself. This email address is used in fetching Bugzilla
# information, as well as email notifications
bodhi_email = updates@fedoraproject.org
# bodhi_email = updates@fedoraproject.org
# This is the password used to access Bodhi's bugzilla account.
# bodhi_password =
bodhi_email = updates@{{env_suffix}}fedoraproject.org
bodhi_password = {{ bodhiBugzillaPassword }}
# The address that gets the requests
release_team_address = bodhiadmin-members@fedoraproject.org
# release_team_address = bodhiadmin-members@fedoraproject.org
# The address to notify when security updates are initially added to bodhi
security_team = security_respons-members@fedoraproject.org
# Public announcement lists
# Public lists where we send update announcements.
# These variables should be named per: Release.prefix_id.lower()_announce_list
# fedora_announce_list = package-announce@lists.fedoraproject.org
# fedora_test_announce_list = test@lists.fedoraproject.org
# fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
# fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org
fedora_announce_list = package-announce@lists.fedoraproject.org
fedora_test_announce_list = test@lists.fedoraproject.org
fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org
# Superuser groups
admin_groups = proventesters security_respons bodhiadmin sysadmin-main
# admin_groups = proventesters security_respons bodhiadmin sysadmin-main
# Users that we don't want to show up in the "leaderboard(s)"
stats_blacklist = bodhi anonymous autoqa taskotron
# stats_blacklist = bodhi anonymous autoqa taskotron
# A list of non-person users
system_users = bodhi autoqa taskotron
# system_users = bodhi autoqa taskotron
# The max length for an update title before we truncate it in the web ui
# max_update_length_for_ui = 30
max_update_length_for_ui = 70
# The number of days used for calculating the 'top testers' metric
# top_testers_timeframe = 7
top_testers_timeframe = 900
# The email address of the proventesters
proventesters_email = proventesters-members@fedoraproject.org
# Disabled for the initial release.
stacks_enabled = False
# This defaults to False. We're disabling stacks for the initial release
# because, while you can create stacks, you can't automatically create updates
# *from* a stack (which was the whole point). We'll work on that for a later
# release.
# stacks_enabled = False
# These are the default requirements that we apply to stacks, packages, and
# updates. Users have free-reign to override them for each kind of entity. At
# the end of the day, we only consider the requirements defined by single
# updates themselves when gating in the backend masher process.
site_requirements = dist.rpmdeplint dist.upgradepath
## Some day we'll have rpmgrill, and that will be cool. Ask tflink.
#site_requirements = depcheck upgradepath rpmgrill
# Where do we send update announcements to ?
# These variables should be named per: Release.prefix_id.lower()_announce_list
#fedora_announce_list =
#fedora_test_announce_list =
#fedora_epel_announce_list =
#fedora_epel_test_announce_list =
# site_requirements = dist.rpmdeplint dist.upgradepath
# Cache settings
dogpile.cache.backend = dogpile.cache.dbm
dogpile.cache.expiration_time = 100
# dogpile.cache.backend = dogpile.cache.dbm
# dogpile.cache.expiration_time = 100
# dogpile.cache.arguments.filename = /var/cache/bodhi-dogpile-cache.dbm
dogpile.cache.arguments.filename = /var/cache/bodhi/dogpile-cache.dbm
# Exclude sending emails to these users
exclude_mail = autoqa taskotron
# exclude_mail = autoqa taskotron
##
## Buildsystem settings
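Review bot: `bodhi_email = updates@{{env_suffix}}fedoraproject.org` puts the suffix in front of the domain without a separating dot, unlike `admin{{env_suffix}}.fedoraproject.org` and the other host names in this file. If `env_suffix` is `.stg` in staging, as the `*.stg.fedoraproject.org` values elsewhere in the file suggest, this renders `updates@.stgfedoraproject.org`, which is not a valid address and, per the comment above it, is also the account used for Bugzilla. The same pattern is in `default_email_domain`, `wiki_url` and `test_case_base_url` in the preceding hunk. Either keep the production address in both environments (`bodhi_email = updates@fedoraproject.org`) or write the host so the dot falls in the right place; the staging mail domain is not visible here, so that choice needs confirming.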
@ -273,84 +333,93 @@ exclude_mail = autoqa taskotron
# What buildsystem do we want to use? For development, we'll use a fake
# buildsystem that always does what we tell it to do. For production, we'll
# want to use 'koji'.
# buildsystem = dev
buildsystem = koji
# Koji's XML-RPC hub
koji_hub = https://koji.fedoraproject.org/kojihub
# koji_hub = https://koji.stg.fedoraproject.org/kojihub
koji_hub = https://koji{{env_suffix}}.fedoraproject.org/kojihub
# Root url of the Koji instance to point to. No trailing slash
koji_url = https://koji.fedoraproject.org
koji_url = https://koji{{env_suffix}}.fedoraproject.org
# URL of where users should go to set up their notifications
fmn_url = https://apps.fedoraproject.org/notifications/
# fmn_url = https://apps.fedoraproject.org/notifications/
fmn_url = https://apps{{env_suffix}}.fedoraproject.org/notifications/
# URL of the resultsdb for integrating checks and stuff
resultsdb_url = https://taskotron.fedoraproject.org/resultsdb/
resultsdb_api_url = https://taskotron.fedoraproject.org/resultsdb_api/
# If this is defined, fedmenu's JS will be injected into the master template. Fedora's fedmenu URL
# is https://apps.fedoraproject.org/fedmenu and its data_url is
# https://apps.fedoraproject.org/js/data.js
# fedmenu.url =
# fedmenu.data_url =
fedmenu.url = https://apps{{env_suffix}}.fedoraproject.org/fedmenu
fedmenu.data_url = https://apps{{env_suffix}}.fedoraproject.org/js/data.js
fedmenu.url = https://apps.fedoraproject.org/fedmenu
fedmenu.data_url = https://apps.fedoraproject.org/js/data.js
# Koji Krb stuff
# Koji krb5
# krb_principal =
# krb_keytab =
# krb_ccache=
krb_ccache = /tmp/krb5cc_%{uid}
krb_principal = bodhi/bodhi{{ env_suffix }}.fedoraproject.org@{{ ipa_realm }}
krb_keytab = /etc/krb5.bodhi_bodhi{{ env_suffix }}.fedoraproject.org.keytab
# Set this to True to enable gating based on policies enforced by Greenwave. If you set this to True,
# be sure to add a cron job to run the bodhi-check-policies CLI periodically.
test_gating.required = False
# If this is set to a URL, a "More information about test gating" link will appear on update pages for users
# to click and learn more.
# test_gating.url =
# The API url of Greenwave.
greenwave_api_url = https://greenwave-web-greenwave.app.os.fedoraproject.org/api/v1.0
##
## ACL system
## Choices are 'pkgdb', which will send a JSON query to the pkgdb_url below,
## 'pagure', which will query the pagure_url below, or 'dummy', which will
## always return guest credentials (used for local development).
##
# acl_system = dummy
acl_system = pagure
##
## Package DB
##
pkgdb_url = https://admin.fedoraproject.org/pkgdb
# pkgdb_url = https://admin.fedoraproject.org/pkgdb
##
## Pagure
##
pagure_url = https://src.fedoraproject.org/
# pagure_url = https://src.fedoraproject.org/pagure/
pagure_url = https://src{{env_suffix}}.fedoraproject.org/
##
## Product Definition Center (PDC)
##
# pdc_url = https://pdc.fedoraproject.org/
pdc_url = https://pdc{{env_suffix}}.fedoraproject.org/
# We used to get our package tags from pkgdb, but they come from tagger now.
# https://github.com/fedora-infra/fedora-tagger/pull/74
#pkgtags_url = https://apps.fedoraproject.org/tagger/api/v1/tag/sqlitebuildtags/
##
## Bug tracker settings
##
# Set this to bugzilla to turn on Bugzilla integration.
# bugtracker =
bugtracker = bugzilla
initial_bug_msg = %s has been submitted as an update to %s. %s
stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
testing_bug_msg =
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: %s
# A template that Bodhi will use when commenting on Bugzilla tickets when Updates that reference
# them are created. Positional substitution is used, and the three %s's will be filled in with the
# update title, the release's long name, and the URL to the update, respectively.
# initial_bug_msg = %s has been submitted as an update to %s. %s
# A template that Bodhi will use when commenting on Bugzilla tickets when Updates that reference
# them are marked stable. Positional substitution is used, and the first %s will be filled in with
# the update title and the second will be filled in with the release's long name and the update
# status.
# stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
# The following two templates are used to comment on Bugzilla tickets. %s will be substituted with
# the update's URL. The first is used for all updates, unless the epel setting in defined, which
# will be used for all Updates on Releases that have an id_prefix of FEDORA-EPEL.
# testing_bug_msg =
# See https://fedoraproject.org/wiki/QA:Updates_Testing for
# instructions on how to install test updates.
# You can provide feedback for this update here: %s
# testing_bug_epel_msg =
# See https://fedoraproject.org/wiki/QA:Updates_Testing for
# instructions on how to install test updates.
# You can provide feedback for this update here: %s
testing_bug_epel_msg =
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: %s
##
## Bugzilla settings.
@ -359,18 +428,32 @@ testing_bug_epel_msg =
# The username/password for our bugzilla account comes
# from the bodhi_{email,password} fields.
# A URL to a Bugzilla instance's xmlrpc.cgi script for Bodhi to use.
# bz_server = https://bugzilla.redhat.com/xmlrpc.cgi
{% if env == 'production' %}
bz_server = https://bugzilla.redhat.com/xmlrpc.cgi
#bz_cookie =
{% elif env == 'staging' %}
bz_server = https://partner-bugzilla.redhat.com/xmlrpc.cgi
{% endif %}
# Bodhi will avoid touching bugs that are not against the following products
# Bodhi will avoid touching bugs that are not against the following comma-separated products.
# Fedora's production Bodhi instance sets this to Fedora,Fedora EPEL
# bz_products =
bz_products = Fedora,Fedora EPEL
# A template to use for links to Bugzilla tickets. %s will be filled in with the bug number.
# buglink = https://bugzilla.redhat.com/show_bug.cgi?id=%s
{% if env == 'production' %}
buglink = https://bugzilla.redhat.com/show_bug.cgi?id=%s
{% elif env == 'staging' %}
buglink = https://partner-bugzilla.redhat.com/show_bug.cgi?id=%s
{% endif %}
##
## Packages that should suggest a reboot
##
reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 kernel-xenU kernel-xen kernel-xen-guest glibc hal dbus
reboot_pkgs = kernel kernel-smp kernel-PAE glibc hal dbus
##
## Critical Path Packages
@ -381,20 +464,23 @@ reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 ker
# Database by setting this value to `pkgdb` or the Product Definition
# Center by setting this value to `pdc`. If it isn't set, it'll just use the
# hardcoded list below.
# critpath.type =
critpath.type = pdc
# You can hardcode a list of critical path packages instead of using the PackageDB
#critpath_pkgs = kernel
# You can hardcode a list of critical path packages instead of using the PkgDB
# or PDC. This is used if critpath.type is not defined.
# critpath_pkgs =
# The number of admin approvals it takes to be able to push a critical path
# update to stable for a pending release.
# critpath.num_admin_approvals = 2
critpath.num_admin_approvals = 0
# The net karma required to submit a critial path update to a pending release)
critpath.min_karma = 2
# The net karma required to submit a critial path update to a pending release.
# critpath.min_karma = 2
# Allow critpath to submit for stable after 2 weeks with no negative karma
critpath.stable_after_days_without_negative_karma = 14
# critpath.stable_after_days_without_negative_karma = 14
# The minimum amount of time an update must spend in testing before
# it can reach the stable repository
@ -406,28 +492,34 @@ fedora_modular.mandatory_days_in_testing = 7
## Release status
##
# Pre-beta enforces the Pre Beta policy defined here:
# https://fedoraproject.org/wiki/Updates_Policy
#f15.status = 'pre_beta'
#f15.pre_beta.mandatory_days_in_testing = 3
#f15.pre_beta.critpath.num_admin_approvals = 0
#f15.pre_beta.critpath.min_karma = 1
# For test cases.
f7.status = post_beta
f7.post_beta.mandatory_days_in_testing = 7
f7.post_beta.critpath.num_admin_approvals = 0
f7.post_beta.critpath.min_karma = 2
# The number of days worth of updates/comments to display
feeds.num_days_to_show = 7
feeds.max_entries = 20
# You can define alternative policies than the defaults for specific Releases by defining a setting
# of the form Release.name.status (with -'s removed from the name). You can set the status to any
# string you like, and then for each status, you can override the mandatory days in testing, the
# critpath number of admin approvals, and the critpath minimum karma. For example, if we want to set
# Fedora 28 as a pre-beta, and we want it to have different rules in pre-beta and post-beta, we
# could do something like this:
#f28.status = pre_beta
#f28.pre_beta.mandatory_days_in_testing = 3
#f28.pre_beta.critpath.num_admin_approvals = 0
#f28.pre_beta.critpath.min_karma = 1
#f28.post_beta.mandatory_days_in_testing = 7
#f28.post_beta.critpath.num_admin_approvals = 0
#f28.post_beta.critpath.min_karma = 2
f27.status = post_beta
f27.post_beta.mandatory_days_in_testing = 7
f27.post_beta.critpath.num_admin_approvals = 0
f27.post_beta.critpath.min_karma = 2
f27.post_beta.critpath.stable_after_days_without_negative_karma = 14
f27.pre_beta.mandatory_days_in_testing = 3
f27.pre_beta.critpath.num_admin_approvals = 0
f27.pre_beta.critpath.min_karma = 1
##
## Buildroot Override
##
# Number of days before expiring overrides
# Maximum number of days a buildroot override may expire in, from creation time.
# buildroot_limit = 31
buildroot_overrides.expire_after = 1
##
@ -438,36 +530,54 @@ buildroot_overrides.expire_after = 1
# When a user logs in, bodhi will look for any of these groups and associate #
# them with the user. They will then appear as the users effective principals in
# the format "group:groupname" and can be used in Pyramid ACE's.
# important_groups = proventesters provenpackager releng security_respons packager bodhiadmin
important_groups = proventesters provenpackager releng-team security_respons packager bodhiadmin virtmaint-sig kde-sig eclipse-sig infra-sig gnome-sig python-sig robotics-sig qa-tools-sig nodejs-sig lxqt-sig astro-sig
# Groups that can push updates for any package
# admin_packager_groups = provenpackager releng security_respons
admin_packager_groups = provenpackager releng-team security_respons
# User must be a member of this group to submit updates
mandatory_packager_groups = packager
# mandatory_packager_groups = packager
##
## updateinfo.xml configuraiton
##
updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.
# updateinfo_rights = Copyright (C) {CURRENT_YEAR} Red Hat, Inc. and others.
##
## Authentication & Authorization
##
# pyramid.openid
openid.success_callback = bodhi.server.security:remember_me
openid.provider = https://id.fedoraproject.org/openid/
openid.url = https://id.fedoraproject.org/
openid_template = {username}.id.fedoraproject.org
# pyramid.openid settings.
# openid.success_callback = bodhi.server.security:remember_me
# openid.provider = https://id.fedoraproject.org/openid/
# openid.url = https://id.fedoraproject.org/
# openid_template = {username}.id.fedoraproject.org
# openid.sreg_required = email
# If this is undefined, Bodhi will concatenate the groups listed in the following other settings
# from this file: important_groups, admin_packager_groups, mandatory_packager_groups, and
# admin_groups. You likely want this default, but can override it here if you know what you are
# doing. You can also override it here if you do not know what you are doing, but that would be
# unadvisable.
# openid.groups = DEFAULT_DOCUMENTED_ABOVE
openid.provider = https://id{{env_suffix}}.fedoraproject.org/openid/
openid.url = https://id{{env_suffix}}.fedoraproject.org/
openid_template = {username}.id{{env_suffix}}.fedoraproject.org
openid.sreg_required = email
# CORS allowed origins for cornice services
# This can be wide-open. read-only, we don't care as much about.
cors_origins_ro = *
# This should be more locked down to avoid cross-site request forgery.
cors_origins_rw = https://bodhi.fedoraproject.org
cors_origins_rw = https://bodhi{{env_suffix}}.fedoraproject.org
{% if env == 'production' %}
cors_connect_src = https://*.fedoraproject.org/ wss://hub.fedoraproject.org:9939/
{% elif env == 'staging' %}
cors_connect_src = https://*.stg.fedoraproject.org/ wss://hub.stg.fedoraproject.org:9939/
{% endif %}
##
@ -487,28 +597,51 @@ debugtoolbar.hosts = 127.0.0.1 ::1
##
## Database
##
# This must be a PostgreSQL database. It is weirdly defaulted to sqlite, but that would not be
# suitable for a production environment. You can encode a username and password in the URL. For
# example, postgresql://username:password@hostname/database_name
# sqlalchemy.url = sqlite:////var/cache/bodhi.db
{% if env == 'production' %}
sqlalchemy.url = postgresql://bodhi2:{{ bodhi2Password }}@db-bodhi/bodhi2
{% elif env == 'staging' %}
sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@pgbdr.stg.phx2.fedoraproject.org/bodhi2
{% endif %}
##
## Templates
##
mako.directories = bodhi:server/templates
# Where Bodhi's templates are stored. You likely don't want or need to adjust this setting.
# mako.directories = bodhi:server/templates
##
## Authentication & Sessions
##
# CHANGE THESE IN PRODUCTION!
# authtkt.secret = CHANGEME
# session.secret = CHANGEME
# authtkt.secure = True
# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
# authtkt.timeout = 86400
{% if env == 'production' %}
authtkt.secret = {{ bodhi2AuthTkt }}
session.secret = {{ bodhi2SessionSecret }}
{% elif env == 'staging' %}
authtkt.secret = {{ bodhi2AuthTktSTG }}
session.secret = {{ bodhi2SessionSecretSTG }}
{% endif %}
authtkt.secure = true
# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
authtkt.timeout = 1209600
# pyramid_beaker
session.type = file
session.data_dir = /var/cache/bodhi/sessions/data
session.lock_dir = /var/cache/bodhi/sessions/lock
session.data_dir = %(here)s/data/sessions/data
session.lock_dir = %(here)s/data/sessions/lock
{% if env == 'production' %}
session.key = {{ bodhi2SessionKey }}
{% elif env == 'staging' %}
session.key = {{ bodhi2SessionKeySTG }}
{% endif %}
session.cookie_on_exception = true
# Tell the browser to only send the cookie over TLS
session.secure = true
@ -528,7 +661,7 @@ port = 6543
[pshell]
m = bodhi.server.models
#db = bodhi.server.models.DBSession
#db = bodhi.server.util.pshell_db
t = transaction
# Begin logging configuration


@ -1,540 +0,0 @@
[filter:proxy-prefix]
use = egg:PasteDeploy#prefix
prefix = /
scheme = https
[app:main]
use = egg:bodhi-server
filter-with = proxy-prefix
##
## Messages
##
# A notice to flash on the front page
frontpage_notice =
# A notice to flash on the New Update page
newupdate_notice =
testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/Package_update_acceptance_criteria">Package Update Acceptance Criteria</a>
not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/EPEL_Updates_Policy">EPEL Updates Policy</a>
stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository
# Libravatar - If this is true libravatar will work as normal. Otherwise, all
# libravatar links will be replaced with the string "libravatar.org" so that
# the tests can still pass.
libravatar_enabled = True
# Set this to true if you want to do federated dns libravatar lookup
libravatar_dns = False
# Set this to True in order to send fedmsg messages.
fedmsg_enabled = True
# Captcha - if 'captcha.secret' is not None, then it will be used for comments
# captcha.secret must be 32 url-safe base64-encoded bytes
# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key()
captcha.secret = {{ bodhi2CaptchaSecretSTG }}
# Dimensions
captcha.image_width = 300
captcha.image_height = 80
# Any truetype font will do.
captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
captcha.font_size = 36
# Colors
captcha.font_color = #000000
captcha.background_color = #ffffff
# In pixels
captcha.padding = 5
# If a captcha sits around for this many seconds, it will stop working.
captcha.ttl = 300
#datagrepper_url = http://localhost:5000
datagrepper_url = https://apps.stg.fedoraproject.org/datagrepper
badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands
##
## Wiki Test Cases
##
## Query the wiki for test cases
query_wiki_test_cases = False
wiki_url = https://fedoraproject.org/w/api.php
test_case_base_url = https://fedoraproject.org/wiki/
# Email domain to prepend usernames to
default_email_domain = fedoraproject.org
# domain for generated message IDs
message_id_email_domain = admin.stg.fedoraproject.org
##
## Mash settings
##
# If defined, the bodhi masher will ensure that messages are signed with the given cert
releng_fedmsg_certname = shell-bodhi-backend01.stg.phx2.fedoraproject.org
# The masher is a bodhi instance that is responsible for composing the update
# repositories, regenerating metrics, sending update notices, closing bugs,
# and other costly operations. To set an external masher, set the masher to
# the baseurl of the bodhi instance. If set to None, this bodhi instance
# will act as a masher as well.
#masher = None
{% if 'backend' in inventory_hostname %}
mash_dir = /mnt/koji/compose/updates/
mash_stage_dir = /mnt/koji/compose/updates/
{% endif %}
pungi.basepath = /etc/bodhi
pungi.conf.rpm = pungi.rpm.conf.j2
pungi.conf.module = pungi.module.conf.j2
pungi.labeltype = Update
pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler
## Our periodic jobs
#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates
jobs = cache_release_data refresh_metrics approve_testing_updates
## Comps configuration
comps_dir = /var/cache/bodhi/comps
comps_url = https://pagure.io/fedora-comps.git
##
## Mirror settings
##
file_url = http://download.fedoraproject.org/pub/fedora/linux/updates
# {release}_{request}_master_repomd: This is used by the masher to determine when a
# primary architecture push has been synchronized to the master mirror for a given release and
# request. The masher will verify that the checksum of repomd.xml at the master URL matches the
# expected value, and will poll the URL until this test passes. Substitute release and request
# for each release id (replacing -'s with _'s) and request (stable, testing). Used for the
# arches listed in {release}_{version}_primary_arches when it is defined, else used for all
# arches. You must put two %s's in this setting - the first will be replaced with the release
# version and the second will be replaced with the architecture.
fedora_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml
fedora_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml
fedora_modular_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates/compose/Everything/%s/os/repodata/repomd.xml
fedora_modular_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
# {release}_{request}_alt_master_repomd: This is used by the masher to determine when a
# secondary architecture push has been synchronized to the master mirror for a given release and
# request. The masher will verify that the checksum of repomd.xml at the master URL matches the
# expected value, and will poll the URL until this test passes. Substitute release and request
# for each release id (replacing -'s with _'s) and request (stable, testing). Used for the
# arches not listed in {release}_{version}_primary_arches if it is defined. You must put two %s's
# in this setting - the first will be replaced with the release version and the second will be
# replaced with the architecture.
fedora_stable_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml
fedora_testing_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
## The base url of this application
base_address = https://bodhi.stg.fedoraproject.org/
## Primary architechures by release
##
## {release}_{version}_primary_arches: Releases that have alternative arches must define their
## primary arches here. Any arches found during mashing that are not present here are asssumed
## to be alternative arches. This is used during the wait_for_repo() step of the mash where
## Bodhi polls the master repo to find out whether the mash has made it to the repo or not.
## Bodhi looks for primary arches with the {release}_{request}_master_repomd setting above, and
## for alternative arches at the {release}_{request}_alt_master_repomd setting above. If this
## is not set, Bodhi will assume the release only has primary arches.
fedora_26_primary_arches = armhfp x86_64
## Supported update types
update_types = bugfix enhancement security newpackage
## Supported architechures
##
## To handle arch name changes between releases, you
## can also configure bodhi to support one arch *or*
## another. For example, EPEL5 mashes produce 'ppc'
## repos, where EPEL6 produces 'ppc64'. To handle this
## scenario, you can specify something like:
##
## arches = ppc/ppc64
##
arches = i386 x86_64 armhfp
##
## Email setting
##
# Keep email disabled in staging so rube doesn't spam helpless packagers.
#smtp_server = bastion
# The updates system itself. This email address is used in fetching Bugzilla
# information, as well as email notifications
bodhi_email = updates@fedoraproject.org
#bodhi_password =
# The address that gets the requests
release_team_address = bodhiadmin-members@fedoraproject.org
# The address to notify when security updates are initially added to bodhi
security_team = security_respons-members@fedoraproject.org
# Public announcement lists
fedora_announce_list = package-announce@lists.fedoraproject.org
fedora_test_announce_list = test@lists.fedoraproject.org
fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org
fedora_modular_announce_list = package-announce@lists.fedoraproject.org
fedora_modular_test_announce_list = test@lists.fedoraproject.org
# Superuser groups
admin_groups = proventesters security_respons bodhiadmin sysadmin-main
# Users that we don't want to show up in the "leaderboard(s)"
stats_blacklist = bodhi anonymous autoqa taskotron
# A list of non-person users
system_users = bodhi autoqa taskotron
# The max length for an update title before we truncate it in the web ui
max_update_length_for_ui = 70
# The number of days used for calculating the 'top testers' metric
top_testers_timeframe = 900
# The email address of the proventesters
proventesters_email = proventesters-members@fedoraproject.org
# Disabled for the initial release.
stacks_enabled = False
# These are the default requirements that we apply to stacks, packages, and
# updates. Users have free-reign to override them for each kind of entity. At
# the end of the day, we only consider the requirements defined by single
# updates themselves when gating in the backend masher process.
site_requirements = dist.rpmdeplint dist.upgradepath
## Some day we'll have rpmgrill, and that will be cool. Ask tflink.
#site_requirements = depcheck upgradepath rpmgrill
# Where do we send update announcements to ?
# These variables should be named per: Release.prefix_id.lower()_announce_list
#fedora_announce_list =
#fedora_test_announce_list =
#fedora_epel_announce_list =
#fedora_epel_test_announce_list =
# Cache settings
dogpile.cache.backend = dogpile.cache.dbm
dogpile.cache.expiration_time = 100
dogpile.cache.arguments.filename = /var/cache/bodhi/dogpile-cache.dbm
# Exclude sending emails to these users
exclude_mail = autoqa taskotron
##
## Buildsystem settings
##
# What buildsystem do we want to use? For development, we'll use a fake
# buildsystem that always does what we tell it to do. For production, we'll
# want to use 'koji'.
buildsystem = koji
# Koji's XML-RPC hub
koji_hub = https://koji.stg.fedoraproject.org/kojihub
# Root url of the Koji instance to point to. No trailing slash
koji_url = http://koji.stg.fedoraproject.org
# URL of where users should go to set up their notifications
fmn_url = https://apps.stg.fedoraproject.org/notifications/
# URL of the resultsdb for integrating checks and stuff
resultsdb_url = https://taskotron.stg.fedoraproject.org/resultsdb/
resultsdb_api_url = https://taskotron.stg.fedoraproject.org/resultsdb_api/
# Set this to True to enable gating based on policies enforced by Greenwave. If you set this to True,
# be sure to add a cron job to run the bodhi-check-policies CLI periodically.
test_gating.required = True
# If this is set to a URL, a "More information about test gating" link will appear on update pages for users
# to click and learn more.
# test_gating.url =
# The API url of Greenwave.
greenwave_api_url = https://greenwave-web-greenwave.app.os.stg.fedoraproject.org/api/v1.0
fedmenu.url = https://apps.stg.fedoraproject.org/fedmenu
fedmenu.data_url = https://apps.stg.fedoraproject.org/js/data.js
# Koji Krb stuff
krb_ccache = /tmp/krb5cc_%{uid}
krb_principal = bodhi/bodhi{{ env_suffix }}.fedoraproject.org@{{ ipa_realm }}
krb_keytab = /etc/krb5.bodhi_bodhi{{ env_suffix }}.fedoraproject.org.keytab
##
## ACL system
## Choices are 'pkgdb', which will send a JSON query to the pkgdb_url below,
## 'pagure', which will query the pagure_url below, or 'dummy', which will
## always return guest credentials (used for local development).
##
acl_system = pagure
##
## Package DB
##
pkgdb_url = https://admin.stg.fedoraproject.org/pkgdb
##
## Pagure
##
pagure_url = https://src.stg.fedoraproject.org/
##
## Product Definition Center (PDC)
##
pdc_url = https://pdc.stg.fedoraproject.org/
# We used to get our package tags from pkgdb, but they come from tagger now.
# https://github.com/fedora-infra/fedora-tagger/pull/74
#pkgtags_url = https://apps.fedoraproject.org/tagger/api/v1/tag/sqlitebuildtags/
##
## Bug tracker settings
##
#bugtracker = bugzilla
initial_bug_msg = %s has been submitted as an update to %s. %s
stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
testing_bug_msg =
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update %s'
You can provide feedback for this update here: %s
testing_bug_epel_msg =
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update %s'
You can provide feedback for this update here: %s
##
## Bugzilla settings.
##
# The username/password for our bugzilla account comes
# from the bodhi_{email,password} fields.
bz_server = https://partner-bugzilla.redhat.com/xmlrpc.cgi
#bz_cookie =
# Bodhi will avoid touching bugs that are not against the following products
bz_products = Fedora,Fedora EPEL
buglink = https://partner-bugzilla.redhat.com/show_bug.cgi?id=%s
##
## Packages that should suggest a reboot
##
reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 kernel-xenU kernel-xen kernel-xen-guest glibc hal dbus
##
## Critical Path Packages
## https://fedoraproject.org/wiki/Critical_path_package
##
# You can allow Bodhi to query for critpath packages from the Fedora Package
# Database by setting this value to `pkgdb` or the Product Definition
# Center by setting this value to `pdc`. If it isn't set, it'll just use the
# hardcoded list below.
critpath.type = pdc
# You can hardcode a list of critical path packages instead of using the PackageDB
critpath_pkgs = kernel
# The number of admin approvals it takes to be able to push a critical path
# update to stable for a pending release.
critpath.num_admin_approvals = 0
# The net karma required to submit a critial path update to a pending release)
critpath.min_karma = 2
# Allow critpath to submit for stable after 2 weeks with no negative karma
critpath.stable_after_days_without_negative_karma = 14
# The minimum amount of time an update must spend in testing before
# it can reach the stable repository
fedora.mandatory_days_in_testing = 7
fedora_epel.mandatory_days_in_testing = 14
fedora_modular.mandatory_days_in_testing = 7
##
## Release status
##
# Pre-beta enforces the Pre Beta policy defined here:
# https://fedoraproject.org/wiki/Updates_Policy
f27.status = pre_beta
f27.post_beta.mandatory_days_in_testing = 7
f27.post_beta.critpath.num_admin_approvals = 0
f27.post_beta.critpath.min_karma = 2
f27.post_beta.critpath.stable_after_days_without_negative_karma = 14
f27.pre_beta.mandatory_days_in_testing = 3
f27.pre_beta.critpath.num_admin_approvals = 0
f27.pre_beta.critpath.min_karma = 1
# The number of days worth of updates/comments to display
feeds.num_days_to_show = 7
feeds.max_entries = 20
##
## Buildroot Override
##
# Number of days before expiring overrides
buildroot_overrides.expire_after = 1
##
## Groups
##
# FAS Groups that we want to pay attention to
# When a user logs in, bodhi will look for any of these groups and associate #
# them with the user. They will then appear as the users effective principals in
# the format "group:groupname" and can be used in Pyramid ACE's.
important_groups = proventesters provenpackager releng-team security_respons packager bodhiadmin virtmaint-sig kde-sig eclipse-sig infra-sig gnome-sig python-sig robotics-sig
# Groups that can push updates for any package
admin_packager_groups = provenpackager releng-team security_respons
# User must be a member of this group to submit updates
mandatory_packager_groups = packager
##
## updateinfo.xml configuraiton
##
updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.
##
## Authentication & Authorization
##
# pyramid.openid
openid.success_callback = bodhi.server.security:remember_me
openid.provider = https://id.stg.fedoraproject.org/openid/
openid.url = https://id.stg.fedoraproject.org/
openid_template = {username}.id.fedoraproject.org
openid.sreg_required = email
# CORS allowed origins for cornice services
# This can be wide-open. read-only, we don't care as much about.
cors_origins_ro = *
# This should be more locked down to avoid cross-site request forgery.
cors_origins_rw = https://bodhi.stg.fedoraproject.org
cors_connect_src = https://*.fedoraproject.org/ wss://hub.fedoraproject.org:9939/
##
## Pyramid settings
##
pyramid.reload_templates = false
pyramid.debug_authorization = false
pyramid.debug_notfound = false
pyramid.debug_routematch = false
pyramid.default_locale_name = en
pyramid.includes =
pyramid_tm
debugtoolbar.hosts = 127.0.0.1 ::1
##
## Database
##
sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@pgbdr.stg.phx2.fedoraproject.org/bodhi2
##
## Templates
##
mako.directories = bodhi:server/templates
##
## Authentication & Sessions
##
authtkt.secret = {{ bodhi2AuthTktSTG }}
session.secret = {{ bodhi2SessionSecretSTG }}
authtkt.secure = true
# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
authtkt.timeout = 1209600
# pyramid_beaker
session.type = file
session.data_dir = /var/cache/bodhi/sessions/data
session.lock_dir = /var/cache/bodhi/sessions/lock
session.key = {{ bodhi2SessionKeySTG }}
session.cookie_on_exception = true
# Tell the browser to only send the cookie over TLS
session.secure = true
# Create a cookie that is only valid for one day
session.timeout = 86400
cache.regions = default_term, second, short_term, long_term
cache.type = memory
cache.second.expire = 1
cache.short_term.expire = 60
cache.default_term.expire = 300
cache.long_term.expire = 3600
[server:main]
use = egg:waitress#main
host = 0.0.0.0
port = 6543
[pshell]
m = bodhi.server.models
t = transaction
# Begin logging configuration
[loggers]
keys = root, bodhi, sqlalchemy
[handlers]
keys = console
[formatters]
keys = generic
[logger_root]
level = INFO
handlers = console
[logger_bodhi]
level = DEBUG
handlers =
qualname = bodhi
[logger_sqlalchemy]
level = WARN
handlers =
qualname = sqlalchemy.engine
# "level = INFO" logs SQL queries.
# "level = DEBUG" logs SQL queries and results.
# "level = WARN" logs neither. (Recommended for production systems.)
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic
[formatter_generic]
format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s
# End logging configuration


@ -3,7 +3,6 @@
- name: mount up disk of copr repo
mount: name=/var/lib/copr/public_html src='LABEL=copr-repo' fstype=ext4 state=mounted
when: env != "staging"
- name: mount /tmp/
mount: name=/tmp src='tmpfs' fstype=tmpfs state=mounted


@ -16,11 +16,7 @@
tags:
- packages
- name: ensure python2-flask-whooshee is latest
dnf: state=latest name=python2-flask-whooshee
tags:
- packages
# we install python-alembic because https://bugzilla.redhat.com/show_bug.cgi?id=1536058
- name: install additional pkgs for copr-frontend
dnf: state=present pkg={{ item }}
with_items:
@ -28,6 +24,7 @@
- "mod_ssl"
- redis
- pxz
- python-alembic
tags:
- packages
@ -60,12 +57,12 @@
- import_tasks: "psql_setup.yml"
#- name: upgrade db to head
# command: alembic upgrade head
# become: yes
# become_user: copr-fe
# args:
# chdir: /usr/share/copr/coprs_frontend/
- name: upgrade db to head
command: alembic upgrade head
become: yes
become_user: copr-fe
args:
chdir: /usr/share/copr/coprs_frontend/
- name: set up admins
command: ./manage.py alter_user --admin {{ item }}
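Review bot: The re-enabled `upgrade db to head` task in the last hunk runs `alembic upgrade head` on every play with no `changed_when`, so it reports "changed" on each run, and nothing in the visible lines ties it to an actual copr-frontend package update. I would register the result and derive the changed state from it, e.g. `register: alembic_result` plus `changed_when: "'Running upgrade' in alembic_result.stderr"` (this assumes alembic's default logging to stderr; confirm against the project's alembic.ini). Separately, the new comment `# we install python-alembic because ...` would be easier to find if it sat directly above the `- python-alembic` item it explains, with a note to drop the package once the linked bug is fixed. The task list continues outside these hunks.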


@ -4,7 +4,7 @@
# Use secure TLSv1.1 and TLSv1.2 ciphers
SSLCipherSuite {{ ssl_ciphers }}
SSLHonorCipherOrder on
Header always add Strict-Transport-Security "max-age=15768000; preload"
Header always add Strict-Transport-Security "max-age=31536000; preload"
SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
@ -48,7 +48,7 @@
# Use secure TLSv1.1 and TLSv1.2 ciphers
SSLCipherSuite {{ ssl_ciphers }}
SSLHonorCipherOrder on
Header always add Strict-Transport-Security "max-age=15768000; preload"
Header always add Strict-Transport-Security "max-age=31536000; preload"
SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
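Review bot: Both `Strict-Transport-Security` lines (the hunks at -4,7 and -48,7) send `preload` without `includeSubDomains`, which does not meet the browser preload list's submission requirements, so the token has no effect as written. Either drop `preload`, or, if every subdomain of copr.fedorainfracloud.org is served over TLS, use `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`. Using `set` rather than `add` also avoids emitting a second header when the application behind the vhost already sends one. The enclosing vhost blocks start and end outside the hunks, so the protocol restriction that the `# Use secure TLSv1.1 and TLSv1.2 ciphers` comment refers to cannot be checked from here.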


@ -202,6 +202,11 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
option routers 10.5.129.254;
option log-servers 10.5.126.29;
range 10.5.129.200 10.5.129.209;
next-server 10.5.126.41;
filename "/uefi/grubaa64.efi";
host ppc8-01 {
hardware ethernet 40:f2:e9:5d:39:43;
fixed-address 10.5.129.20;
@ -235,7 +240,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.101;
next-server 10.5.126.41;
option host-name "aarch64-c01n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c02n1 {
@ -243,7 +248,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.102;
next-server 10.5.126.41;
option host-name "aarch64-c02n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c03n1 {
@ -251,7 +256,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.103;
next-server 10.5.126.41;
option host-name "aarch64-c03n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c04n1 {
@ -259,7 +264,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.104;
next-server 10.5.126.41;
option host-name "aarch64-c04n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c05n1 {
@ -267,7 +272,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.105;
next-server 10.5.126.41;
option host-name "aarch64-c05n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c06n1 {
@ -275,7 +280,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.106;
next-server 10.5.126.41;
option host-name "aarch64-c06n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c07n1 {
@ -283,7 +288,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.107;
next-server 10.5.126.41;
option host-name "aarch64-c07n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c08n1 {
@ -291,15 +296,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.108;
next-server 10.5.126.41;
option host-name "aarch64-c08n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c09n1 {
hardware ethernet 14:58:D0:58:E5:B2;
hardware ethernet 14:58:D0:58:A5:52;
fixed-address 10.5.129.109;
next-server 10.5.126.41;
option host-name "aarch64-c09n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c10n1 {
@ -307,7 +312,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.110;
next-server 10.5.126.41;
option host-name "aarch64-c10n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c11n1 {
@ -315,7 +320,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.111;
next-server 10.5.126.41;
option host-name "aarch64-c11n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c12n1 {
@ -323,7 +328,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.112;
next-server 10.5.126.41;
option host-name "aarch64-c12n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c13n1 {
@ -331,15 +336,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.113;
next-server 10.5.126.41;
option host-name "aarch64-c13n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c14n1 {
hardware ethernet 14:58:D0:58:75:32;
hardware ethernet 14:58:D0:58:65:E2;
fixed-address 10.5.129.114;
next-server 10.5.126.41;
option host-name "aarch64-c14n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c15n1 {
@ -347,7 +352,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.115;
next-server 10.5.126.41;
option host-name "aarch64-c15n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c16n1 {
@ -355,15 +360,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.116;
next-server 10.5.126.41;
option host-name "aarch64-c16n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c17n1 {
hardware ethernet 14:58:D0:58:C4:F2;
hardware ethernet 14:58:d0:58:e5:32;
fixed-address 10.5.129.117;
next-server 10.5.126.41;
option host-name "aarch64-c17n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c18n1 {
@ -371,7 +376,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.118;
next-server 10.5.126.41;
option host-name "aarch64-c18n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c19n1 {
@ -379,7 +384,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.119;
next-server 10.5.126.41;
option host-name "aarch64-c19n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c20n1 {
@ -387,7 +392,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.120;
next-server 10.5.126.41;
option host-name "aarch64-c20n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c21n1 {
@ -395,7 +400,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.121;
next-server 10.5.126.41;
option host-name "aarch64-c21n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c22n1 {
@ -403,7 +408,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.122;
next-server 10.5.126.41;
option host-name "aarch64-c22n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c23n1 {
@ -411,7 +416,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.123;
next-server 10.5.126.41;
option host-name "aarch64-c23n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c24n1 {
@ -419,7 +424,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.124;
next-server 10.5.126.41;
option host-name "aarch64-c24n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-c25n1 {
@ -427,7 +432,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
fixed-address 10.5.129.125;
next-server 10.5.126.41;
option host-name "aarch64-c25n1";
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
}
@ -1777,7 +1782,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.70;
option host-name "compose-aarch64-01";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-02a {
@ -1785,7 +1790,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.75;
option host-name "aarch64-02a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-03a {
@ -1793,7 +1798,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.80;
option host-name "aarch64-03a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-04a {
@ -1801,7 +1806,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.85;
option host-name "aarch64-04a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-05a {
@ -1809,7 +1814,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.150;
option host-name "aarch64-05a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-06a {
@ -1817,7 +1822,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.155;
option host-name "aarch64-06a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-07a {
@ -1825,7 +1830,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.160;
option host-name "aarch64-07a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-08a {
@ -1833,7 +1838,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.165;
option host-name "aarch64-08a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-09a {
@ -1841,7 +1846,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.170;
option host-name "aarch64-09a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-10a {
@ -1849,7 +1854,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.175;
option host-name "aarch64-10a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-11a {
@ -1857,7 +1862,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.180;
option host-name "aarch64-11a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-12a {
@ -1865,7 +1870,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.185;
option host-name "aarch64-12a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-13a {
@ -1873,7 +1878,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.190;
option host-name "aarch64-13a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-14a {
@ -1881,7 +1886,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.195;
option host-name "aarch64-14a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
host aarch64-15a {
@ -1889,7 +1894,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
fixed-address 10.5.78.200;
option host-name "aarch64-15a";
next-server 10.5.126.41;
filename "grubaa64.efi";
filename "/uefi/grubaa64.efi";
}
}


@ -0,0 +1,2 @@
User-agent: *
Disallow: /


@ -0,0 +1,8 @@
User-agent: *
Disallow: /cgit/
User-agent: *
Disallow: /git/
User-agent: *
Disallow: /repo/
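Review bot: The three rules are written as three separate `User-agent: *` groups; a single group reads more clearly and does not rely on the crawler merging repeated groups for the same agent. Some older parsers honour only the first matching group, which would leave `/git/` and `/repo/` crawlable. Proposed: one `User-agent: *` line followed by `Disallow: /cgit/`, `Disallow: /git/` and `Disallow: /repo/`. robots.txt is advisory only, so anything under these paths that must not be public still needs a `Require` rule in httpd.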


@ -96,8 +96,6 @@ BUGZILLA_OVERRIDE_REPO = 'releng/fedora-scm-requests'
NOTIFYEMAIL = [
'kevin@fedoraproject.org',
'pingou@fedoraproject.org',
'ralph@fedoraproject.org',
'mprahl@fedoraproject.org',
]
VERBOSE = False
DRYRUN = False


@ -11,7 +11,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
# SSLEngine on
# SSLProtocol all -SSLv2 -SSLv3
# # Use secure TLSv1.1 and TLSv1.2 ciphers
# Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
# Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
# SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert


@ -114,6 +114,14 @@
tags:
- distgit
- name: Install robots.txt files
copy: src={{item}} dest=/var/www/{{item}}
with_items:
- robots-pkgs.txt
- robots-src.txt
tags:
- distgit
- name: install the DistGit related httpd config
copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf
notify:
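Review bot: The new `Install robots.txt files` task copies into /var/www without stating `owner`, `group` or `mode`, so the resulting permissions are left to the defaults on the target host. httpd only needs to read these files and nothing needs to write them, so the task should say so explicitly. Writing the arguments as native YAML with quoted Jinja values also avoids the parsing pitfalls of the inline `key=value` form, although the neighbouring `copy:` task in this hunk uses the same inline style. The following task (`install the DistGit related httpd config`) continues past the end of the hunk.

```yaml
- name: Install robots.txt files
  copy:
    src: "{{ item }}"
    dest: "/var/www/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  # … unchanged: with_items list and tags …
```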


@ -12,12 +12,32 @@ SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
Alias /robots.txt /var/www/robots-src.txt
<Location /robots.txt>
Require all granted
</Location>
<VirtualHost _default_:80>
ServerName pkgs{{ env_suffix }}.fedoraproject.org
#Redirect "/" "https://src{{ env_suffix }}.fedoraproject.org/"
# This is temporary for fixing Kojid because of firewall rules
#RewriteCond expr "! -R '192.168.0.0/16'"
#RewriteCond expr "! -R '10.0.0.0/8'"
#RewriteRule ^(.*)$ https://src.fedoraproject.org/$1 [L,R]
Alias /repo/ /srv/cache/lookaside/
<Location />
Require ip 127.0.0.1
Require ip ::1
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
CustomLog "logs/pkgs-access.log" combined
ErrorLog "logs/pkgs-error.log"
Alias /robots.txt /var/www/robots-pkgs.txt
<Location /robots.txt>
Require all granted
</Location>
RewriteEngine on
RewriteRule "^/$" "https://src{{ env_suffix }}.fedoraproject.org/"
RewriteRule "^/login/$" "https://src{{ env_suffix }}.fedoraproject.org/login/"
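Review bot: The public `/robots.txt` exemption in the port-80 vhost only works because `<Location /robots.txt>` is written after `<Location />`, and nothing in the file says so. Location sections are applied in order and, with the default `AuthMerging Off`, the later `Require all granted` replaces the IP allowlist; moving the block above `<Location />` would presumably make robots.txt return 403 to outside clients. I would add `# Keep after <Location />: later sections override the internal-only allowlist` above the vhost's robots block, and a one-line comment on `<Location />` saying why plain HTTP is limited to loopback, 10.0.0.0/8 and 192.168.0.0/16. The +/- markers are lost on this page, so this assumes both blocks are among the added lines; the `<VirtualHost>` continues past the end of the hunk.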


@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
# Usernames that are unavailable for fas allocation
{% if env == "staging" %}
username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
{% else %}
username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
{% endif %}
email_domain_blacklist = "{{ fas_blocked_emails }}"
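Review bot: `git` and `pagure` had to be inserted into two copies of the same long string, one per branch of the `{% if env == "staging" %}` block, and as far as the visible lines show the copies differ only by `fas_sync`. A name added to one branch and missed in the other stays allocatable in that environment, which is the situation the list exists to prevent. Defining the shared names once and appending the staging-only entry keeps the two in step, e.g. `username_blacklist = "{{ fas_reserved_usernames }}{% if env == 'staging' %},fas_sync{% endif %}"`. `fas_reserved_usernames` is a placeholder variable name, not one defined on this page.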
