Merge branch 'master' of /git/ansible

files/fedora-cloud/haproxy.cfg

@@ -68,44 +68,44 @@ defaults
 frontend neutron
   bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend neutron
-  # HSTS (15768000 seconds = 6 months)
+  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspadd  Strict-Transport-Security:\ max-age=31536000
 
 frontend cinder
   bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend cinder
-  # HSTS (15768000 seconds = 6 months)
+  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspadd  Strict-Transport-Security:\ max-age=31536000
 
 frontend swift
   bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend swift
-  # HSTS (15768000 seconds = 6 months)
+  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspadd  Strict-Transport-Security:\ max-age=31536000
 
 frontend nova
   bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend nova
-  # HSTS (15768000 seconds = 6 months)
+  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspadd  Strict-Transport-Security:\ max-age=31536000
 
 frontend ceilometer
   bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend ceilometer
-  # HSTS (15768000 seconds = 6 months)
+  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspadd  Strict-Transport-Security:\ max-age=31536000
 
 frontend ec2
   bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend ec2
-  # HSTS (15768000 seconds = 6 months)
+  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspadd  Strict-Transport-Security:\ max-age=31536000
 
 frontend glance
   bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
   default_backend glance
-  # HSTS (15768000 seconds = 6 months)
+  # HSTS (31536000 seconds = 365 days)
-  rspadd  Strict-Transport-Security:\ max-age=15768000
+  rspadd  Strict-Transport-Security:\ max-age=31536000
 
 backend neutron
   server neutron 127.0.0.1:8696 check

inventory/backups

@@ -13,6 +13,7 @@ people02.fedoraproject.org
 pkgs02.phx2.fedoraproject.org
 log01.phx2.fedoraproject.org
 db-qa01.qa.fedoraproject.org
+db-qa02.qa.fedoraproject.org
 db-koji01.phx2.fedoraproject.org
 #copr-be.cloud.fedoraproject.org
 copr-fe.cloud.fedoraproject.org

inventory/group_vars/all

@@ -42,6 +42,7 @@ use_default_epel: true
 udp_ports: []
 tcp_ports: []
 custom_rules: []
+nat_rules: []
 custom6_rules: []
 
 # defaults for virt installs
@@ -78,7 +79,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
                   hostname={{ inventory_hostname }} nameserver={{ dns }}
                   ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
                  --network bridge={{ main_bridge }},model=virtio
-                 --autostart --noautoconsole --watchdog default
+                 --autostart --noautoconsole --watchdog default --cpu host
 
 virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
                  --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio

inventory/group_vars/fedimg-stg

@@ -3,6 +3,9 @@ lvm_size: 20000
 mem_size: 6144
 num_cpus: 2
 
+# Use infrastructure-tags-stg repo
+testing: True
+
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 

inventory/group_vars/freshmaker-stg

@@ -0,0 +1,28 @@
+---
+# For app config
+freshmaker_messaging_topic_prefix:
+- org.fedoraproject.stg
+
+freshmaker_parsers:
+- freshmaker.parsers.git:GitReceiveParser
+
+freshmaker_handlers:
+- freshmaker.handlers.git:GitModuleMetadataChangeHandler
+- freshmaker.handlers.git:GitRPMSpecChangeHandler
+
+freshmaker_admins:
+  users:
+  - jkaluza
+  - cqi
+  - qwan
+  - sochotni
+  groups: []
+
+freshmaker_dry_run: True
+freshmaker_log_level: debug
+
+freshmaker_handler_build_whitelist:
+  global:
+    module:
+    - name:
+      - testmodule

inventory/group_vars/hubs-stg

@@ -0,0 +1,12 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 4096
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80 ]
+
+fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-hubs,sysadmin-veteran

inventory/group_vars/jenkins-slave

@@ -278,3 +278,5 @@ f25_only:
 f26_only:
 - python2-koji        # Needed for pyrpkg
 - python3-koji        # Needed for pyrpkg
+- python26
+- python35

inventory/group_vars/koschei-backend

@@ -12,6 +12,9 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org
 koschei_koji_hub: koji.fedoraproject.org
 koschei_kojipkgs: kojipkgs.fedoraproject.org
 koschei_koji_web: koji.fedoraproject.org
+koschei_copr_url: http://copr-fe.cloud.fedoraproject.org
+koschei_copr_login: NOT-USED-YET
+koschei_copr_token: NOT-USED-YET
 
 host_group: koschei-backend
 

inventory/group_vars/koschei-backend-stg

@@ -12,6 +12,9 @@ koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org
 koschei_koji_hub: koji.stg.fedoraproject.org
 koschei_kojipkgs: koji.stg.fedoraproject.org
 koschei_koji_web: koji.stg.fedoraproject.org
+koschei_copr_url: http://copr-fe-dev.cloud.fedoraproject.org
+koschei_copr_login: "{{ koschei_copr_login_stg }}"
+koschei_copr_token: "{{ koschei_copr_token_stg }}"
 
 
 tcp_ports: [
@@ -55,6 +58,7 @@ csi_relationship: |
     - fedmsg hub
     - bastion (for mail relay)
     - memcached01
+    - Copr development instance
 
 koschei_backend_services:
   - koschei-polling

inventory/group_vars/koschei-web

@@ -1,7 +1,7 @@
 ---
 # Define resources for this group of hosts here.
-lvm_size: 6000
+lvm_size: 8000
-mem_size: 1024
+mem_size: 2048
 num_cpus: 1
 
 # for systems that do not match the above - specify the same parameter in
@@ -12,9 +12,11 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org
 koschei_koji_hub: koji02.phx2.fedoraproject.org
 koschei_kojipkgs: kojipkgs.fedoraproject.org
 koschei_koji_web: koji.fedoraproject.org
-koschei_openid_provider: id.fedoraproject.org
+koschei_oidc_provider: id.fedoraproject.org
 koschei_bugzilla: bugzilla.redhat.com
 
+koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_prod }}"
+koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_prod }}"
 
 tcp_ports: [ 80, 443 ]
 

inventory/group_vars/koschei-web-stg

@@ -11,9 +11,12 @@ koschei_topurl: https://apps.stg.fedoraproject.org/koschei
 koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org
 koschei_kojipkgs: koji.stg.fedoraproject.org
 koschei_koji_web: koji.stg.fedoraproject.org
-koschei_openid_provider: id.stg.fedoraproject.org
+koschei_oidc_provider: id.stg.fedoraproject.org
 koschei_bugzilla: partner-bugzilla.redhat.com
 
+koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_stg }}"
+koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_stg }}"
+
 tcp_ports: [ 80, 443 ]
 
 custom_rules: [

inventory/group_vars/odcs-frontend

@@ -39,7 +39,9 @@ fedmsg_certs:
 odcs_target_dir_url: https://odcs.fedoraproject.org/composes
 # Give access to jscotka to be able to develop module testing integration
 # for taskotron.
-odcs_allowed_clients_users: ["jscotka"]
+# Give access to sgallagh to be able to generate testing composes for new
+# modules.
+odcs_allowed_clients_users: ["jscotka", "sgallagh"]
 
 # For the MOTD
 csi_security_category: Low

inventory/group_vars/openqa-stg

@@ -26,8 +26,8 @@ openqa_dbname: openqa-stg
 openqa_dbhost: db-qa01.qa.fedoraproject.org
 openqa_dbuser: openqastg
 openqa_dbpassword: "{{ stg_openqa_dbpassword }}"
-openqa_assetsize: 300
+openqa_assetsize: 410
-openqa_assetsize_updates: 50
+openqa_assetsize_updates: 160
 
 openqa_key: "{{ stg_openqa_apikey }}"
 openqa_secret: "{{ stg_openqa_apisecret }}"
@@ -71,6 +71,14 @@ fedmsg_certs:
   - openqa.jobs.restart
   - openqa.job.update.result
   - openqa.job.done
+- service: ci
+  owner: root
+  group: geekotest
+  can_send:
+  - ci.productmd-compose.test.queued
+  - ci.productmd-compose.test.running
+  - ci.productmd-compose.test.complete
+  - ci.productmd-compose.test.error
 
 # we need this to log with fedmsg-logger
 fedmsg_active: True

inventory/group_vars/openshift-pseudohosts-stg

@@ -0,0 +1,2 @@
+---
+freezes: false

inventory/group_vars/osbs

@@ -6,7 +6,7 @@ num_cpus: 2
 
 tcp_ports: [ 80, 443, 8443]
 
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"

inventory/group_vars/osbs-control

@@ -1,6 +1,6 @@
 ---
 # Define resources for this group of hosts here.
-fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 osbs_url: "osbs.fedoraproject.org"

inventory/group_vars/osbs-control-stg

@@ -1,6 +1,6 @@
 ---
 # Define resources for this group of hosts here.
-fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 osbs_url: "osbs.stg.fedoraproject.org"

inventory/group_vars/osbs-masters

@@ -6,7 +6,7 @@ num_cpus: 2
 
 tcp_ports: [ 80, 443, 8443]
 
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"

inventory/group_vars/osbs-nodes

@@ -6,7 +6,7 @@ num_cpus: 2
 
 tcp_ports: [ 80, 443, 8443, 10250]
 
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"

inventory/group_vars/osbs-stg

@@ -6,7 +6,7 @@ num_cpus: 2
 
 tcp_ports: [ 80, 443, 8443]
 
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
+fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"

inventory/group_vars/packages

@@ -15,7 +15,9 @@ tcp_ports: [ 80, 443,
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
 
-fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran
+fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-packages
+
+sudoers: "{{ private }}/files/sudo/sysadmin-packages"
 
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:

inventory/group_vars/packages-stg

@@ -12,7 +12,9 @@ tcp_ports: [ 80, 443,
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
 
-fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice,sysadmin-veteran
+fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice,sysadmin-veteran,sysadmin-packages
+
+sudoers: "{{ private }}/files/sudo/sysadmin-packages"
 
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:

inventory/group_vars/pagure-proxy

@@ -0,0 +1,23 @@
+---
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 22, 25, 80, 443, 9418,
+    # Used for the eventsource
+    8088,
+    # This is for the pagure public fedmsg relay
+    9940]
+
+fas_client_groups: sysadmin-noc
+
+freezes: true
+postfix_group: vpn.pagure
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Proxy specific ports to OSUOSL for preventing slow peering
+csi_relationship: |
+    This box proxies traffic over to pagure01.fedoraproject.org
+
+    (This is done because OSUOSL has terribly slow peering to EU)

inventory/group_vars/pkgs

@@ -3,12 +3,7 @@ lvm_size: 100000
 mem_size: 4096
 num_cpus: 4
 
-tcp_ports: [80, 443,
+tcp_ports: [ 9418, 80, 443 ]
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
-
-custom_rules: [ '-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT']
 
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.

inventory/group_vars/pkgs-stg

@@ -3,11 +3,7 @@ lvm_size: 100000
 mem_size: 4096
 num_cpus: 4
 
-tcp_ports: [80, 443, 9418,
+tcp_ports: [ 9418, 80, 443 ]
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
-
 # Definining these vars has a number of effects
 # 1) mod_wsgi is configured to use the vars for its own setup
 # 2) iptables opens enough ports for all threads for fedmsg

inventory/group_vars/taskotron-dev

@@ -31,7 +31,7 @@ grokmirror_repos:
   - { name: fedoraqa/rpmlint, url: 'https://pagure.io/taskotron/task-rpmlint.git'}
   - { name: fedoraqa/upgradepath, url: 'https://pagure.io/taskotron/task-upgradepath.git'}
   - { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'}
-grokmirror_default_branch: feature/ansiblize
+grokmirror_default_branch: develop
 
 
 ############################################################

inventory/group_vars/taskotron-stg

@@ -33,7 +33,7 @@ grokmirror_repos:
   - { name: fedoraqa/rpmlint, url: 'https://pagure.io/taskotron/task-rpmlint.git'}
   - { name: fedoraqa/upgradepath, url: 'https://pagure.io/taskotron/task-upgradepath.git'}
   - { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'}
-grokmirror_default_branch: develop
+grokmirror_default_branch: master
 
 
 ############################################################

inventory/host_vars/bodhi-backend01.phx2.fedoraproject.org

@@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 volgroup: /dev/vg_host01
 eth0_ip: 10.5.125.135
 eth1_ip: 10.5.127.61

inventory/host_vars/bodhi-backend02.phx2.fedoraproject.org

@@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 volgroup: /dev/vg_bvirthost06
 eth0_ip: 10.5.125.136
 eth1_ip: 10.5.127.62

inventory/host_vars/bodhi03.phx2.fedoraproject.org

@@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 volgroup: /dev/vg_virthost01
 eth0_ip: 10.5.126.115
 vmhost: virthost01.phx2.fedoraproject.org

inventory/host_vars/bodhi04.phx2.fedoraproject.org

@@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.116
 vmhost: virthost02.phx2.fedoraproject.org

inventory/host_vars/commops.fedorainfracloud.org

@@ -2,9 +2,9 @@
 image: "{{ fedora27_x86_64 }}"
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,all-icmp-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent,default
 zone: nova
-tcp_ports: [22]
+tcp_ports: [22, 80, 443]
 
 inventory_tenant: persistent
 inventory_instance_name: commops

inventory/host_vars/hubs01.stg.phx2.fedoraproject.org

@@ -0,0 +1,12 @@
+---
+nm: 255.255.255.0
+gw: 10.5.128.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
+
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.128.190
+vmhost: virthost05.phx2.fedoraproject.org
+datacenter: phx2

inventory/host_vars/koschei-web01.phx2.fedoraproject.org

@@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
 
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.140

inventory/host_vars/odcs-backend01.phx2.fedoraproject.org

@@ -7,7 +7,7 @@ ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
 ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
 
 eth0_ip: 10.5.126.65
-eth1_ip: 10.5.127.114
+#eth1_ip: 10.5.127.114
 
 volgroup: /dev/vg_guests
 vmhost: virthost19.phx2.fedoraproject.org

inventory/host_vars/pagure-proxy01.fedoraproject.org

@@ -0,0 +1,55 @@
+---
+nm: 255.255.255.128
+gw: 152.19.134.129
+dns: 8.8.8.8
+
+custom_rules: ['-A FORWARD -j ACCEPT']
+
+nat_rules: [
+	# SSH
+	'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22',
+	'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 22 -j SNAT --to-source 152.19.134.147',
+	'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22',
+	# SMTP
+	'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 25 -j DNAT --to-destination 140.211.169.204:25',
+	'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 25 -j SNAT --to-source 152.19.134.147',
+	'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 25 -j DNAT --to-destination 140.211.169.204:25',
+	# web-80
+	'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 80 -j DNAT --to-destination 140.211.169.204:80',
+	'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 80 -j SNAT --to-source 152.19.134.147',
+	'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 80 -j DNAT --to-destination 140.211.169.204:80',
+	# web-443
+	'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 443 -j DNAT --to-destination 140.211.169.204:443',
+	'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 443 -j SNAT --to-source 152.19.134.147',
+	'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 443 -j DNAT --to-destination 140.211.169.204:443',
+	# 9418
+	'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 9418 -j DNAT --to-destination 140.211.169.204:9418',
+	'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 9418 -j SNAT --to-source 152.19.134.147',
+	'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 9418 -j DNAT --to-destination 140.211.169.204:9418',
+	# Eventsource
+	'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 8088 -j DNAT --to-destination 140.211.169.204:8088',
+	'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 8088 -j SNAT --to-source 152.19.134.147',
+	'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 8088 -j DNAT --to-destination 140.211.169.204:8088',
+	# Fedmsg
+	'-A PREROUTING --dst 152.19.134.147 -p tcp --dport 9940 -j DNAT --to-destination 140.211.169.204:9940',
+	'-A POSTROUTING -p tcp --dst 140.211.169.204 --dport 9940 -j SNAT --to-source 152.19.134.147',
+	'-A OUTPUT --dst 152.19.134.147 -p tcp --dport 9940 -j DNAT --to-destination 140.211.169.204:9940',
+]
+
+
+ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7-ext
+ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
+
+volgroup: /dev/vg_guests
+
+eth0_ip: 152.19.134.146
+eth0_nm: 255.255.255.128
+has_ipv6: yes
+eth0_ipv6: "2610:28:3090:3001:dead:beef:cafe:fe46"
+eth0_ipv6_gw: "2610:28:3090:3001::1"
+eth0_secondary_ip: 152.19.134.147
+
+sponsor: ibiblio
+datacenter: ibiblio
+postfix_group: vpn
+vmhost: ibiblio01.fedoraproject.org

inventory/host_vars/retrace01.qa.fedoraproject.org

@@ -3,8 +3,8 @@ faf_server_name: retrace.fedoraproject.org/faf
 rs_use_faf_packages: true
 
 # we do not have enough storage on stg
-rs_internal_fedora_vers: [25, 26, 27, rawhide]
+rs_internal_fedora_vers: [26, 27, rawhide]
-rs_internal_fedora_vers_removed: [24]
+rs_internal_fedora_vers_removed: [24, 25]
 rs_internal_arch_list: [source, x86_64, i386]
 
 nagios_Check_Services:

inventory/host_vars/retrace02.qa.fedoraproject.org

@@ -0,0 +1,18 @@
+---
+faf_server_name: retrace.fedoraproject.org/faf
+rs_use_faf_packages: true
+
+# we do not have enough storage on stg
+rs_internal_fedora_vers: [rawhide]
+#rs_internal_fedora_vers_removed: [24, 25, 26, 27]
+rs_internal_arch_list: [source, x86_64, i386]
+
+nagios_Check_Services:
+  nrpe: true
+  sshd: true
+  named: false
+  dhcpd: false
+  httpd: false
+  swap: false
+
+faf_repos: []

inventory/inventory

@@ -496,7 +496,7 @@ proxy03.fedoraproject.org
 proxy04.fedoraproject.org
 proxy05.fedoraproject.org
 proxy06.fedoraproject.org
-proxy07.fedoraproject.org
+#proxy07.fedoraproject.org
 proxy08.fedoraproject.org
 proxy09.fedoraproject.org
 proxy10.phx2.fedoraproject.org
@@ -656,7 +656,7 @@ proxy03.fedoraproject.org
 proxy04.fedoraproject.org
 proxy05.fedoraproject.org
 proxy06.fedoraproject.org
-proxy07.fedoraproject.org
+#proxy07.fedoraproject.org
 proxy08.fedoraproject.org
 proxy09.fedoraproject.org
 proxy10.phx2.fedoraproject.org
@@ -708,6 +708,9 @@ smtp-mm-ib01.fedoraproject.org
 smtp-mm-osuosl01.fedoraproject.org
 smtp-mm-tummy01.fedoraproject.org
 
+[hubs-stg]
+hubs01.stg.phx2.fedoraproject.org
+
 [spare]
 #
 # All staging hosts should be in this group too.
@@ -761,6 +764,7 @@ freshmaker-frontend01.stg.phx2.fedoraproject.org
 freshmaker-backend01.stg.phx2.fedoraproject.org
 github2fedmsg01.stg.phx2.fedoraproject.org
 hotness01.stg.phx2.fedoraproject.org
+hubs01.stg.phx2.fedoraproject.org
 kerneltest01.stg.phx2.fedoraproject.org
 koji01.stg.phx2.fedoraproject.org
 koschei-backend01.stg.phx2.fedoraproject.org
@@ -1318,6 +1322,9 @@ pagure01.fedoraproject.org
 [pagure-stg]
 pagure-stg01.fedoraproject.org
 
+[pagure-proxy]
+pagure-proxy01.fedoraproject.org
+
 [twisted-buildbots]
 twisted-fedora24-1.fedorainfracloud.org
 twisted-fedora24-2.fedorainfracloud.org

master.yml

@@ -74,7 +74,6 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/maintainer-test.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/mariadb-server.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/mdapi.yml
-- import_playbook: /srv/web/infra/ansible/playbooks/groups/mirrorlist2.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/mirrormanager.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/memcached.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/modernpaste.yml

playbooks/groups/buildhw.yml

@@ -1,7 +1,7 @@
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=buildhw:buildaarch64:bkernel"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=buildhw:bkernel"
 
 - name: make koji builder(s) on raw hw
-  hosts: buildhw:buildaarch64:bkernel
+  hosts: buildhw:bkernel
   remote_user: root
   gather_facts: True
 

playbooks/groups/freshmaker.yml

@@ -46,7 +46,7 @@
   handlers:
   - import_tasks: "{{ handlers_path }}/restart_services.yml"
 
-- name: Set up apache on the frontend MBS API app
+- name: set up Freshmaker frontend
   hosts: freshmaker-frontend:freshmaker-frontend-stg
   user: root
   gather_facts: True
@@ -58,12 +58,16 @@
 
   roles:
   - mod_wsgi
+  - role: freshmaker/frontend
+    # TLS is terminated for us at the proxy layer (like for every other app).
+    freshmaker_force_ssl: False
+    freshmaker_servername: null
 
   handlers:
   - import_tasks: "{{ handlers_path }}/restart_services.yml"
 
-- name: set up fedmsg configuration and common freshmaker files
+- name: set up Freshmaker backend
-  hosts: freshmaker:freshmaker-stg
+  hosts: freshmaker-backend:freshmaker-backend-stg
   user: root
   gather_facts: True
 
@@ -74,6 +78,14 @@
 
   roles:
   - fedmsg/base
+  - role: freshmaker/backend
+    freshmaker_servername: freshmaker{{env_suffix}}.fedoraproject.org
+
+  - role: keytab/service
+    service: freshmaker
+    owner_user: fedmsg
+    owner_group: fedmsg
+    host: "freshmaker{{env_suffix}}.fedoraproject.org"
 
   handlers:
   - import_tasks: "{{ handlers_path }}/restart_services.yml"

playbooks/groups/hubs.yml

@@ -1,9 +1,9 @@
-# These servers run piwik
+# create the hubs server
-
+# NOTE: should be used with --limit most of the time
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=piwik-stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=hubs-stg"
 
 - name: make the box be real
-  hosts: piwik-stg
+  hosts: hubs-stg
   user: root
   gather_facts: True
 
@@ -19,10 +19,10 @@
   - hosts
   - fas_client
   - collectd/base
-  - apache
-  - fedmsg/base
-  - piwik
   - sudo
+  - { role: openvpn/client,
+      when: env != "staging" }
+  - mod_wsgi
 
   tasks:
   - import_tasks: "{{ tasks_path }}/yumrepos.yml"

playbooks/groups/mirrorlist2.yml

@@ -1,73 +0,0 @@
-# create a new mirrorlist server
-# NOTE: should be used with --limit most of the time
-# NOTE: make sure there is room/space for this server on the vmhost
-# NOTE: most of these vars_path come from group_vars/mirrorlist or from hostvars
-
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=mirrorlist2:mirrorlist2-stg:!mirrorlist-host1plus.fedoraproject.org"
-
-- name: make the box be real
-  hosts: mirrorlist2:mirrorlist2-stg
-  user: root
-  gather_facts: True
-
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  pre_tasks:
-  - name: Install policycoreutils-python
-    package: name=policycoreutils-python state=present
-
-  - name: Create /srv/web/ for all the goodies.
-    file: >
-        dest=/srv/web state=directory
-        owner=root group=root mode=0755
-    tags:
-    - httpd
-    - httpd/website
-
-  - name: check the selinux context of webdir
-    command: matchpathcon /srv/web
-    register: webdir
-    check_mode: no
-    changed_when: "1 != 1"
-    tags:
-    - config
-    - selinux
-    - httpd
-    - httpd/website
-
-  - name: /srv/web file contexts
-    command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
-    when: webdir.stdout.find('httpd_sys_content_t') == -1
-    tags:
-    - config
-    - selinux
-    - httpd
-    - httpd/website
-
-  roles:
-  - base
-  - rkhunter
-  - nagios_client
-  - geoip
-  - hosts
-  - fas_client
-  - collectd/base
-  - mod_wsgi
-  - httpd/mod_ssl
-  - mirrormanager/mirrorlist2
-  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
-
-  tasks:
-  # this is how you include other task lists
-  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
-  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
-  - import_tasks: "{{ tasks_path }}/motd.yml"
-
-
-  handlers:
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"

playbooks/groups/pagure-proxy.yml

@@ -0,0 +1,31 @@
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=pagure-proxy"
+
+- name: make the boxen be real for real
+  hosts: pagure-proxy
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - nagios_client
+  - hosts
+  - fas_client
+  - sudo
+  - collectd/base
+
+  tasks:
+  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+  - import_tasks: "{{ tasks_path }}/motd.yml"
+
+  - name: Enable ipv4_forward in sysctl
+    sysctl: name=net.ipv4.ip_forward value=1 state=present sysctl_set=yes reload=yes
+
+  handlers:
+  - import_tasks: "{{ handlers_path }}/restart_services.yml"

playbooks/groups/postgresql-server.yml

@@ -2,12 +2,12 @@
 # NOTE: should be used with --limit most of the time
 # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
 
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org"
 
 # Once the instance exists, configure it.
 
 - name: configure postgresql server system
-  hosts: db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org
+  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org
   user: root
   gather_facts: True
 

playbooks/groups/releng-compose.yml

@@ -36,6 +36,7 @@
   - role: keytab/service
     service: compose
     host: "koji{{env_suffix}}.fedoraproject.org"
+    owner_group: releng-team
   - role: keytab/service
     service: mash
     host: "koji{{env_suffix}}.fedoraproject.org"

playbooks/groups/virthost.yml

@@ -2,6 +2,8 @@
 # NOTE: should be used with --limit most of the time
 # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
 
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=virthost:bvirthost:buildvmhost:virthost-comm:colo-virt"
+
 - name: make virthost server system
   hosts: virthost:bvirthost:buildvmhost:virthost-comm:colo-virt
   user: root

playbooks/hosts/blockerbugs-dev.cloud.fedoraproject.org.yml

@@ -1,39 +0,0 @@
-- name: check/create instance
-  hosts: blockerbugs-dev.cloud.fedoraproject.org
-  user: root
-  gather_facts: False
-
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-
-  tasks:
-  - import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
-  - import_tasks: "{{ tasks_path }}/growroot_cloud.yml"
-
-  handlers:
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-- name: provision instance
-  hosts: blockerbugs-dev.cloud.fedoraproject.org
-  user: root
-  gather_facts: True
-  vars:
-   - tcp_ports: [22, 80, 443]
-   - udp_ports: []
-
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  roles:
-  - basessh
-
-  tasks:
-  - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
-  - name: mount up blockerbugs-dev to /srv/persistent
-    mount: name=/srv/persistent src='LABEL=blockerbugs-dev' fstype=ext4 state=mounted
-
-  handlers:
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"

playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml

@@ -866,7 +866,18 @@
       - { user: puiterwijk, tenant: transient }
       - { user: puiterwijk, tenant: maintainertest }
       - { user: puiterwijk, tenant: aos-ci-cd }
+      - { user: mizdebsk, tenant: aos-ci-cd }
+      - { user: mizdebsk, tenant: cloudintern }
+      - { user: mizdebsk, tenant: cloudsig }
+      - { user: mizdebsk, tenant: copr }
+      - { user: mizdebsk, tenant: coprdev }
       - { user: mizdebsk, tenant: infrastructure }
+      - { user: mizdebsk, tenant: maintainertest }
+      - { user: mizdebsk, tenant: openshift }
+      - { user: mizdebsk, tenant: persistent }
+      - { user: mizdebsk, tenant: pythonbots }
+      - { user: mizdebsk, tenant: qa }
+      - { user: mizdebsk, tenant: scratch }
       - { user: mizdebsk, tenant: transient }
       - { user: clime, tenant: coprdev }
       - { user: clime, tenant: persistent }

playbooks/hosts/hubs-dev.fedorainfracloud.org.yml

@@ -33,32 +33,22 @@
 
   - import_tasks: "{{ tasks_path }}/yumrepos.yml"
 
-  - dnf: name={{item}} state=present
-    with_items:
-    - git
-
-  - name: create the code directory
-    file: dest=/srv/hubs state=directory owner=fedora group=fedora
-
-  - name: git clone the code
-    git: repo=https://pagure.io/fedora-hubs.git
-         dest=/srv/hubs/fedora-hubs
-         version=develop
-    become_user: fedora
-    #ignore_errors: true
-
 
   roles:
   - basessh
 
   - role: hubs
-    main_user: fedora
+    main_user: hubs
     hubs_url_hostname: "{{ ansible_fqdn }}"
     hubs_secret_key: demotestinghubsmachine
-    hubs_db_type: sqlite
+    hubs_db_type: postgresql
     hubs_dev_mode: false
+    hubs_conf_dir: /etc/fedora-hubs
+    hubs_var_dir: /var/lib/fedora-hubs
     hubs_ssl_cert: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem
     hubs_ssl_key: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem
+    hubs_fas_username: "{{ fedoraDummyUser }}"
+    hubs_fas_password: "{{ fedoraDummyUserPassword }}"
 
 
   tasks:
@@ -71,7 +61,7 @@
   - name: add more hubs workers
     service: name={{item}} enabled=yes state=started
     with_items:
-    - hubs-triage@3
+    - fedora-hubs-triage@3
-    - hubs-triage@4
+    - fedora-hubs-triage@4
-    - hubs-worker@3
+    - fedora-hubs-worker@3
-    - hubs-worker@4
+    - fedora-hubs-worker@4

playbooks/include/proxies-reverseproxy.yml

@@ -545,10 +545,21 @@
 
   - role: httpd/reverseproxy
     website: registry.fedoraproject.org
-    destname: registry
+    destname: registry-fedora
     # proxyurl in this one is totally ignored, because Docker.
     # (turns out it uses PATCH requests that Varnish cannot deal with)
     proxyurl: "{{ varnish_url }}"
+    tags:
+    - registry
+
+  - role: httpd/reverseproxy
+    website: registry.centos.org
+    destname: registry-centos
+    # proxyurl in this one is totally ignored, because Docker.
+    # (turns out it uses PATCH requests that Varnish cannot deal with)
+    proxyurl: "{{ varnish_url }}"
+    tags:
+    - registry
 
   - role: httpd/reverseproxy
     website: candidate-registry.fedoraproject.org
@@ -629,6 +640,13 @@
     tags:
     - odcs
 
+  - role: httpd/reverseproxy
+    website: freshmaker.fedoraproject.org
+    destname: freshmaker
+    proxyurl: http://localhost:10067
+    tags:
+    - freshmaker
+
   - role: httpd/reverseproxy
     website: data-analysis.fedoraproject.org
     destname: awstats

playbooks/include/proxies-websites.yml

@@ -52,6 +52,7 @@
     server_aliases:
     - stg.fedoraproject.org
     - localhost
+    - www.fedoraproject.org
 
   # This is for all the other domains we own
   # that redirect to https://fedoraproject.org
@@ -126,7 +127,6 @@
     - www.fedoraproject.info
     - www.fedoraproject.net
     - www.fedoraproject.net.cn
-    - www.fedoraproject.org
     - www.fedoraproject.org.uk
     - www.fedoraproject.pe
     - www.fedoraproject.su
@@ -568,6 +568,12 @@
     sslonly: true
     cert_name: "{{wildcard_cert_name}}"
 
+  - role: httpd/website
+    name: registry.centos.org
+    server_aliases: [registry.stg.centos.org]
+    sslonly: true
+    cert_name: "{{wildcard_cert_name}}"
+
   - role: httpd/website
     name: candidate-registry.fedoraproject.org
     server_aliases: [candidate-registry.stg.fedoraproject.org]
@@ -784,6 +790,14 @@
     sslonly: true
     server_aliases: [odcs.stg.fedoraproject.org]
     cert_name: "{{wildcard_cert_name}}"
+    tags: odcs
+
+  - role: httpd/website
+    name: freshmaker.fedoraproject.org
+    sslonly: true
+    server_aliases: [freshmaker.stg.fedoraproject.org]
+    cert_name: "{{wildcard_cert_name}}"
+    tags: freshmaker
 
 # fedorahosted is retired. We have the site here so we can redirect it.
 

playbooks/manual/rebuild/fedora-packages.yml

@@ -39,9 +39,7 @@
 
   tasks:
   - name: Pull in the list of packages from pkgdb.  Go get a snack. (2 hours)
-    command: /usr/bin/fcomm-index-packages --index-db-dest /var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --tagger-url https://apps.stg.fedoraproject.org/tagger --pkgdb-url https://admin.stg.fedoraproject.org/pkgdb --mdapi-url https://apps.stg.fedoraproject.org/mdapi --icons-url http://download01.phx2.fedoraproject.org/pub/alt/screenshots/
+    command: /usr/bin/fcomm-index-packages --index-db-dest=/var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --mdapi-url=https://apps.stg.fedoraproject.org/mdapi --icons-url=https://dl.fedoraproject.org/pub/alt/screenshots --tagger-url=https://apps.stg.fedoraproject.org/tagger
-    async: 12000
-    poll: 60
     when: install_packages_indexer
 
 - name: Rebuild that search index on the side and install it. (just prod)
@@ -58,9 +56,7 @@
 
   tasks:
   - name: Pull in the list of packages from pkgdb.  Go get a snack. (2 hours)
-    command: /usr/bin/fcomm-index-packages --index-db-dest /var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --tagger-url https://apps.fedoraproject.org/tagger --pkgdb-url https://admin.fedoraproject.org/pkgdb --mdapi-url https://apps.fedoraproject.org/mdapi --icons-url http://download01.phx2.fedoraproject.org/pub/alt/screenshots/
+    command: /usr/bin/fcomm-index-packages --index-db-dest=/var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --mdapi-url=https://apps.fedoraproject.org/mdapi --icons-url=https://dl.fedoraproject.org/pub/alt/screenshots --tagger-url=https://apps.fedoraproject.org/tagger
-    async: 12000
-    poll: 60
     when: install_packages_indexer
 
 - name: leave maintenance mode
@@ -74,8 +70,8 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 
   tasks:
-  - name: Make sure the perms are straight 
+  - name: Make sure the perms are straight
-    file: path=/var/cache/fedoracommunity/packages/ state=directory owner=apache group=fedmsg mode="g+rw" recursive=yes
+    file: path=/var/cache/fedoracommunity/packages/ state=directory owner=apache group=fedmsg mode="g+rw" recurse=yes
 
   - name: Restart the cache worker
     service: name={{item}} state=started

playbooks/manual/staging-sync/koji.yml

@@ -46,15 +46,14 @@
       dest=/var/tmp/koji.dump.xz
       owner=postgres
       group=postgres
-  - command: unxz /var/tmp/koji.dump.xz
-             creates=/var/tmp/koji.dump
 
 # TODO -- stop replication and wipe db's
 
   - command: dropdb koji
   - command: createdb -O koji koji
+# buildroot_listing is excluded from the sync to save some time
   - name: Import the prod db.  This will take quite a while.  Go get a snack!
-    shell: cat /var/tmp/koji.dump | psql koji
+    shell: xzcat /var/tmp/koji.dump.xz | sed '/COPY buildroot_listing /,/\./d' | psql koji
   - name: repoint all the prod rpm entries at the secondary volume (and other stuff)
     shell: psql koji < /var/lib/pgsql/koji-reset-staging.sql
 

playbooks/manual/staging-sync/templates/koji-reset-staging.sql

@@ -24,6 +24,11 @@
 -- [unset kojihub ServerOffline setting]
 
 
+-- wipe obsolete table that only causes problems with the sync, could
+-- even be dropped entirely (together with imageinfo table).
+select now() as time, 'wiping imageinfo listings' as msg;
+delete from imageinfo_listing;
+
 -- bump sequences (not strictly needed anymore)
 select now() as time, 'bumping sequences' as msg;
 alter sequence task_id_seq restart      with 90000000;
@@ -57,7 +62,7 @@ delete from rpminfo where build_id in (select id from build where state<>1);
 
 -- expire any active buildroots
 select now() as time, 'expiring active buildroots' as msg;
-update buildroot set state=3, retire_event=get_event() where state=0;
+update standard_buildroot set state=3, retire_event=get_event() where state=0;
 
 -- enable/disable hosts
 update host set enabled=False;
@@ -75,6 +80,8 @@ update repo set state = 3 where state in (0, 1, 2);
 -- The koji hub is x86_64 and i386 and has createrepo ability
 {% for host in groups['koji-stg'] %}
 select now() as time, 'adding staging host {{ host }}' as msg;
+delete from host where name='{{ host }}';
+delete from users where name='{{ host }}';
 insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
 insert into host (user_id, name, arches) values (
     (select id from users where name='{{host}}'), '{{host}}', 'i386 x86_64');
@@ -87,6 +94,8 @@ insert into host_channels (host_id, channel_id) values (
 -- The buildvms are x86_64 and i386 and also have createrepo ability
 {% for host in groups['buildvm-stg'] %}
 select now() as time, 'adding staging host {{ host }}' as msg;
+delete from host where name='{{ host }}';
+delete from users where name='{{ host }}';
 insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
 insert into host (user_id, name, arches) values (
     (select id from users where name='{{host}}'), '{{host}}', 'i386 x86_64');
@@ -100,6 +109,8 @@ insert into host_channels (host_id, channel_id) values (
 
 {% for host in groups['buildvm-aarch64-stg'] %}
 select now() as time, 'adding staging host {{ host }}' as msg;
+delete from host where name='{{ host }}';
+delete from users where name='{{ host }}';
 insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
 insert into host (user_id, name, arches) values (
     (select id from users where name='{{host}}'), '{{host}}', 'aarch64');
@@ -113,6 +124,8 @@ insert into host_channels (host_id, channel_id) values (
 
 {% for host in groups['buildvm-ppc64-stg'] %}
 select now() as time, 'adding staging host {{ host }}' as msg;
+delete from host where name='{{ host }}';
+delete from users where name='{{ host }}';
 insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
 insert into host (user_id, name, arches) values (
     (select id from users where name='{{host}}'), '{{host}}', 'ppc64');
@@ -126,6 +139,8 @@ insert into host_channels (host_id, channel_id) values (
 
 {% for host in groups['buildvm-ppc64le-stg'] %}
 select now() as time, 'adding staging host {{ host }}' as msg;
+delete from host where name='{{ host }}';
+delete from users where name='{{ host }}';
 insert into users (name, usertype, krb_principal, status) values ('{{ host }}', 1, 'compile/{{ host }}@STG.FEDORAPROJECT.ORG', 0);
 insert into host (user_id, name, arches) values (
     (select id from users where name='{{host}}'), '{{host}}', 'ppc64le');
@@ -137,7 +152,7 @@ insert into host_channels (host_id, channel_id) values (
 
 -- Add some people to be admins, only in staging.  Feel free to grow this list..
 
-{% for username in ['modularity', 'mizdebsk', 'ralph', 'psabata', 'puiterwijk', 'jkaluza', 'fivaldi', 'mprahl'] %}
+{% for username in ['modularity', 'mizdebsk', 'psabata', 'jkaluza', 'fivaldi', 'mprahl'] %}
 select now() as time, 'adding staging admin {{username}}' as msg;
 insert into user_perms (user_id, perm_id, active, creator_id) values (
     (select id from users where name='{{username}}'),
@@ -152,7 +167,7 @@ insert into user_perms (user_id, perm_id, active, creator_id) values (
                                ('hotness', 'hotness/hotness01.stg.phx2.fedoraproject.org'),
                                ('containerbuild', 'osbs/osbs.stg.fedoraproject.org'),
                                ('kojira', 'kojira/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG')] %}
-update users set krb_principal='{{principal}}@STG.FEDORAPROJECT.ORG' where username='{{username}}';
+update users set krb_principal='{{principal}}@STG.FEDORAPROJECT.ORG' where name='{{username}}';
 {% endfor %}
 update users set krb_principal=replace(krb_principal, '@FEDORAPROJECT.ORG', '@STG.FEDORAPROJECT.ORG');
 

playbooks/manual/upgrade/fedimg.yml

@@ -1,12 +1,10 @@
 - name: push packages out
   hosts: fedimg:fedimg-stg
   user: root
-  vars_files: 
+  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-  vars:
-    testing: False
   handlers:
   - import_tasks: "{{ handlers_path }}/restart_services.yml"
 
@@ -15,53 +13,18 @@
     command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
     check_mode: no
   - name: yum update fedimg packages from main repo
-    yum: name="python-fedimg" state=latest
+    yum: name="{{ item }}" state=latest
+    with_items:
+     - python-fedimg
+     - python2-libcloud
+     - python2-fedfind
     when: not testing
   - name: yum update fedimg packages from testing repo
-    yum: name="python-fedimg" state=latest enablerepo=infrastructure-tags-stg
+    yum: name="{{ item }}" state=latest enablerepo=infrastructure-tags-stg
-    when: testing
+    with_items:
-  - name: yum update libcloud from testing repo
+     - python-fedimg
-    yum: name="python2-libcloud" state=latest enablerepo=epel-testing
+     - python2-libcloud
-    when: not testing
+     - python2-fedfind
-
-- name: update fedfind
-  hosts: fedimg:fedimg-stg
-  user: root
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-  vars:
-    testing: False
-  handlers:
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-  tasks:
-  - name: yum update fedfind packages from main repo
-    yum: name="fedfind" state=latest
-    when: not testing
-  - name: yum update fedfind packages from testing repo
-    yum: name="fedfind" state=latest enablerepo=infrastructure-tags-stg
-    when: testing
-
-- name: update python2-fedfind
-  hosts: fedimg:fedimg-stg
-  user: root
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-  vars:
-    testing: False
-  handlers:
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-  tasks:
-  - name: yum update fedfind packages from main repo
-    yum: name="python2-fedfind" state=latest
-    when: not testing
-  - name: yum update fedfind packages from testing repo
-    yum: name="python2-fedfind" state=latest enablerepo=infrastructure-tags-stg
     when: testing
 
 - name: verify the backend and restart it

playbooks/manual/upgrade/fedmsg.yml

@@ -40,16 +40,16 @@
     command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
     check_mode: no
   - name: yum update fedmsg packages from the main repo
-    yum: name={{item}} state=latest
+    package: name={{item}} state=latest
     when: not testing
     with_items: "{{packages}}"
   - name: yum update fedmsg packages from testing repo
-    yum: name={{item}} state=latest enablerepo=infrastructure-tags-stg
+    package: name={{item}} state=latest enablerepo=infrastructure-tags-stg
     when: testing
     with_items: "{{packages}}"
 
   # Restart all the backend daemons
-  - include_tasks: ../restart-fedmsg-services.yml
+  #- import_tasks: "{{tasks_path}}../restart-fedmsg-services.yml"
 
 # Also restart the frontend web services
 - name: bounce apache

playbooks/manual/upgrade/koschei.yml

@@ -62,7 +62,7 @@
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
   vars:
     fedora_repos:
-    - epel
+    - updates
   pre_tasks:
   - name: schedule nagios downtime
     nagios: action=downtime minutes=20 service=host host={{ inventory_hostname_short }}{{ env_suffix }}

playbooks/manual/upgrade/packages.yml

@@ -12,13 +12,13 @@
 
   tasks:
   - name: clean all metadata {%if testing%}(with infrastructure-testing on){%endif%}
-    command: yum clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
+    command: dnf clean all {%if testing%} --enablerepo=infrastructure-tags-stg {%endif%}
     check_mode: no
-  - name: yum update fedora-packages packages from main repo
+  - name: dnf update fedora-packages packages from main repo
-    yum: name="fedora-packages" state=latest
+    dnf: name="fedora-packages" state=latest
     when: not testing
-  - name: yum update fedora-packages packages from testing repo
+  - name: dnf update fedora-packages packages from testing repo
-    yum: name="fedora-packages" state=latest enablerepo=infrastructure-tags-stg
+    dnf: name="fedora-packages" state=latest enablerepo=infrastructure-tags-stg
     when: testing
 
 - name: verify the config and restart it

playbooks/openshift-apps/transtats.yml

@@ -0,0 +1,24 @@
+- name: make the app be real
+  hosts: os-masters-stg
+  user: root
+  gather_facts: True
+
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - "/srv/private/ansible/vars.yml"
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - role: openshift/project
+    app: transtats
+    description: transtats
+    appowners:
+    - suanand
+  - { role: openshift/object, app: transtats, template: secret.yml }
+  - { role: openshift/object, app: transtats, file: imagestream.yml }
+  - { role: openshift/object, app: transtats, file: buildconfig.yml }
+  - { role: openshift/start-build, app: transtats, name: transtats-build }
+  - { role: openshift/object, app: transtats, file: service.yml }
+  - { role: openshift/object, app: transtats, file: route.yml }
+  - { role: openshift/object, app: transtats, file: deploymentconfig.yml }
+  - { role: openshift/rollout, app: transtats, name: transtats-web }

roles/abrt/faf-local/tasks/cron.yml

@@ -49,7 +49,6 @@
     state: present
   when: not devel
   with_items:
-    - "25"
     - "26"
     - "27"
 
@@ -63,6 +62,7 @@
   when: not devel
   with_items:
     - "24"
+    - "25"
 
 - name: koops_to_xorg.py
   cron:
@@ -82,7 +82,6 @@
     state: present
   when: not devel
   with_items:
-    - "25"
     - "26"
     - "27"
 
@@ -96,6 +95,7 @@
   when: not devel
   with_items:
     - "24"
+    - "25"
 
 - name: update BZ bugs fedora
   cron:

roles/abrt/faf/defaults/main.yml

@@ -30,6 +30,7 @@ faf_migrate_db: true
 faf_cron_jobs: true
 
 faf_admin_mail: root@localhost
+faf_from: no-reply@localhost
 
 faf_spool_dir: /var/spool/faf
 

roles/abrt/faf/meta/.galaxy_install_info

@@ -1 +1 @@
-{install_date: 'Tue Jul  4 08:35:09 2017', version: ''}
+{install_date: 'Wed Feb  7 13:30:30 2018', version: ''}

roles/abrt/faf/meta/main.yml

@@ -12,8 +12,8 @@ galaxy_info:
    - name: Fedora
      versions:
       - 25
-      - 24
+      - 26
-      - 23
+      - 27
   categories:
    - web
 dependencies: []

roles/abrt/faf/tasks/celery.yml

@@ -5,7 +5,7 @@
   - packages
 
 - name: install redis package
-  yum : name={{ item }} state=present
+  package: name={{ item }} state=present
   with_items:
   - redis
   - python-redis

roles/abrt/faf/tasks/web.yml

@@ -8,7 +8,7 @@
   when: not faf_web_on_root
 
 - name: install faf-webui packages
-  yum : name={{ item }} state=latest
+  package : name={{ item }} state=latest
   with_items: "{{ faf_web_packages }}"
 
 - import_tasks: celery.yml

roles/abrt/faf/templates/etc-faf-faf.conf.j2

@@ -20,7 +20,8 @@ Server = {{ smtp_server }}
 Port = {{ smtp_port }}
 Username = {{ smtp_username|default("", true) }}
 Password = {{ smtp_password|default("", true) }}
-From = {{ faf_admin_mail }}
+From = {{ faf_from }}
+
 [uReport]
 # The directory that holds 'reports' and 'attachments' subdirectories
 Directory = {{ faf_spool_dir }}

roles/abrt/retrace-local/defaults/main.yml

@@ -1,8 +1,8 @@
 ---
 
 # List of fedora versions for reposync
-rs_internal_fedora_vers: [25, 26, 27, rawhide]
+rs_internal_fedora_vers: [26, 27, rawhide]
-rs_internal_fedora_vers_removed: [24]
+rs_internal_fedora_vers_removed: [24, 25]
 
 # List of architectures for reposync
 # armhfp disabled untill we get more space

roles/abrt/retrace/meta/.galaxy_install_info

@@ -1 +1 @@
-{install_date: 'Tue Jul  4 08:34:40 2017', version: ''}
+{install_date: 'Wed Feb  7 13:30:31 2018', version: ''}

roles/abrt/retrace/meta/main.yml

@@ -10,9 +10,9 @@ galaxy_info:
       - 7
    - name: Fedora
      versions:
-      - 21
+      - 26
-      - 22
+      - 27
-      - 23
+      - 25
   categories:
    - system
 #dependencies:

roles/abrt/retrace/tasks/install.yml

@@ -4,4 +4,4 @@
   when: rs_force_reinstall
 
 - name: install retrace-server package
-  yum : name=retrace-server state=present
+  package: name=retrace-server state=present

roles/abrt/retrace/tasks/usefafpkgs.yml

@@ -18,11 +18,15 @@
 - name: ACL for user retrace
   acl: path="{{ faf_spool_dir }}/lob" state=present recursive=yes
        entity=retrace etype=user permissions=rwX
+  async: 21600
+  pool: 0
 
 # for files/dirs created in future
 - name: default ACL for user retrace
   acl: path="{{ faf_spool_dir }}/lob" state=present recursive=yes default=yes
        entity=retrace etype=user permissions=rwX
+  async: 21600
+  pool: 0
 
 - name: check for hardlink dir
   stat: path={{ rs_faf_link_dir }}

roles/anitya/frontend/templates/0_releasemonitoring.conf

@@ -9,7 +9,7 @@
    SSLEngine on
    SSLProtocol {{ ssl_protocols }}
    SSLCipherSuite {{ ssl_ciphers }}
-   Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+   Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
    SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
    SSLCertificateChainFile /etc/pki/tls/certs/release-monitoring.org.intermediate.cert

roles/badges/backend/files/edit-badge

@@ -27,12 +27,13 @@ def parse_args():
     parser.add_argument('--description', default=None, help='Description..')
     parser.add_argument('--criteria', default=None, help='Criteria link')
     parser.add_argument('--image', default=None, help='Image link')
+    parser.add_argument('--tags', default=None, help='Badge Tags')
     args = parser.parse_args()
     if not args.badge:
         print "You must specify a badge id."
         sys.exit(1)
-    if not args.name and not args.description and not args.criteria and not args.image:
+    if not args.name and not args.description and not args.criteria and not args.image and not args.tags:
-        print "You must specify either name, description or criteria or image to edit."
+        print "You must specify either name, description or criteria, tags or image to edit."
         sys.exit(1)
     return args
 
@@ -51,7 +52,7 @@ def initialize():
     return tahrir
 
 
-def main(tahrir, badge_id, name, description, criteria, image):
+def main(tahrir, badge_id, name, description, criteria, image, tags):
     badge = tahrir.get_badge(badge_id)
 
     if not badge:
@@ -75,6 +76,11 @@ def main(tahrir, badge_id, name, description, criteria, image):
     if image:
         badge.image = image
         print "Setting image on %r to %r" % (badge_id, image)
+
+    if tags:
+        badge.tags = tags
+        print "Setting tags on %r to %r" % (badge_id, tags)
+
     tahrir.session.commit()
     transaction.commit()
 
@@ -82,4 +88,5 @@ def main(tahrir, badge_id, name, description, criteria, image):
 if __name__ == '__main__':
     args = parse_args()
     tahrir = initialize()
-    main(tahrir, args.badge, args.name, args.description, args.criteria, args.image)
+    main(tahrir, args.badge, args.name, args.description, args.criteria,
+         args.image, args.tags)

roles/base/files/syncHttpLogs.sh

@@ -86,6 +86,7 @@ syncHttpLogs download03.phx2.fedoraproject.org
 syncHttpLogs download04.phx2.fedoraproject.org
 syncHttpLogs download05.phx2.fedoraproject.org
 syncHttpLogs download-rdu01.vpn.fedoraproject.org
+syncHttpLogs download-ib01.vpn.fedoraproject.org
 syncHttpLogs sundries01.phx2.fedoraproject.org
 syncHttpLogs sundries02.phx2.fedoraproject.org
 syncHttpLogs sundries01.stg.phx2.fedoraproject.org

roles/base/tasks/main.yml

@@ -108,12 +108,16 @@
 - name: make sure hostname is set right on rhel7 hosts
   hostname: name="{{inventory_hostname}}"
 
+#
+# We set builders root password in the koji_builder role, so do not set those here
+#
+
 - name: set root passwd
   user: name=root password={{ rootpw }} state=present
   tags:
   - rootpw
   - base
-  when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09') or inventory_hostname.startswith('ppc8-04'))
+  when: not inventory_hostname.startswith(('build','bkernel','koji01.stg','s390','fed-cloud09'))
 
 - name: add ansible root key
   authorized_key: user=root key="{{ item }}"

roles/base/templates/ifcfg.j2

@@ -36,3 +36,6 @@ IPV6_DEFAULTDEV={{item}}
 IPV6_DEFAULTGW={{ hostvars[inventory_hostname][item + '_ipv6_gw'] }}
 IPV6_MTU=1280
 {% endif %}
+{% if hostvars[inventory_hostname][item + '_secondary_ip'] is defined %}
+IPADDR1="{{ hostvars[inventory_hostname][item + '_secondary_ip'] }}"
+{% endif %}

roles/base/templates/iptables/iptables

@@ -110,3 +110,16 @@
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
+
+{% if nat_rules %}
+*nat
+:PREROUTING ACCEPT [0:]
+:INPUT ACCEPT [0:]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+{% for rule in nat_rules %}
+{{ rule }}
+{% endfor %}
+COMMIT
+{% endif %}

roles/base/templates/iptables/iptables.kojibuilder

@@ -91,6 +91,7 @@
 
 # git on pagure,io
 -A OUTPUT -p tcp -m tcp -d 140.211.169.204 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 152.19.134.147 --dport 443 -j ACCEPT
 
 # admin.fedoraproject.org  for fas (proyx(1)01 and proxy(1)10)
 -A OUTPUT -p tcp -m tcp -d 10.5.126.8 --dport 80 -j ACCEPT

roles/basessh/files/syncHttpLogs.sh

@@ -86,6 +86,7 @@ syncHttpLogs download03.phx2.fedoraproject.org
 syncHttpLogs download04.phx2.fedoraproject.org
 syncHttpLogs download05.phx2.fedoraproject.org
 syncHttpLogs download-rdu01.vpn.fedoraproject.org
+syncHttpLogs download-ib01.vpn.fedoraproject.org
 syncHttpLogs sundries01.phx2.fedoraproject.org
 syncHttpLogs sundries02.phx2.fedoraproject.org
 syncHttpLogs sundries01.stg.phx2.fedoraproject.org

roles/batcave/files/sync-rhn

@@ -1,3 +1,2 @@
-30 1 * * * root /mnt/fedora/app/fi-repo/rhel/rhel5/rhel5-sync > /dev/null
 30 2 * * * root /mnt/fedora/app/fi-repo/rhel/rhel6/rhel6-sync > /dev/null
 30 3 * * * root /mnt/fedora/app/fi-repo/rhel/rhel7/rhel7-sync > /dev/null

roles/batcave/tasks/main.yml

@@ -339,7 +339,8 @@
   - config
   when: inventory_hostname.startswith('batcave01')
 #
-# Monday morning run a script to show all the packages we have in infra tags in koji.
+# Monday morning run a script to show all the packages we have in infra
+# tags in koji.
 #
 
 - name: Install infra-tags-report script

roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2

@@ -114,7 +114,7 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
   SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }}
   SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }}
 
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
   SSLHonorCipherOrder On
 

roles/bodhi2/backend/files/new-updates-sync

@@ -56,6 +56,9 @@ RELEASES = {'f27': {'topic': 'fedora',
                     'repos': {'updates': {
                         'from': 'f26-updates',
                         'ostrees': [{'ref': 'fedora/26/x86_64/updates/atomic-host',
+                                     'dest': os.path.join(ATOMICDEST, '26')},
+                                    # Hack around for the fact that ostree on f25 doesn't know links
+                                    {'ref': 'fedora/26/x86_64/atomic-host',
                                      'dest': os.path.join(ATOMICDEST, '26')}],
                         'to': [{'arches': ['x86_64', 'armhfp', 'source'],
                                 'dest': os.path.join(FEDORADEST, '26')},

roles/bodhi2/backend/tasks/main.yml

@@ -320,9 +320,9 @@
 
 - name: bodhi-check-policies cron job.
   cron: name="bodhi-check-policies" hour="*/6" minute=0 user="apache"
-        job="/usr/bin/bodhi-check-policies > /dev/null"
+        job="/usr/bin/bodhi-check-policies >& /dev/null"
         cron_file=bodhi-check-policies-job
-  when: inventory_hostname.startswith('bodhi-backend01') and env == "staging"
+  when: (inventory_hostname.startswith('bodhi-backend01') and env == "staging") or (inventory_hostname.startswith('bodhi-backend02') and env == "production")
   tags:
   - config
   - bodhi
@@ -330,7 +330,7 @@
 
 - name: bodhi-expire-overrides cron job.
   cron: name="bodhi-expire-overrides" hour="*" minute=0 user="apache"
-        job="/usr/bin/bodhi-expire-overrides /etc/bodhi/production.ini 2> /dev/null"
+        job="/usr/bin/bodhi-expire-overrides /etc/bodhi/production.ini 2>&1 | logger -t bodhi-expire-overrides"
         cron_file=bodhi-expire-overrides-job
   when: inventory_hostname.startswith('bodhi-backend02') and env == "production"
   tags:
@@ -338,28 +338,14 @@
   - bodhi
   - cron
 
-- name: setup basic /etc/bodhi/ contents (staging)
+- name: setup basic /etc/bodhi/ contents
-  template: >
-    src="{{  roles_path  }}/bodhi2/base/templates/staging.ini.j2"
-    dest="/etc/bodhi/production.ini"
-    owner=apache
-    group=apache
-    mode=0600
-  when: inventory_hostname.startswith('bodhi-backend') and env == 'staging'
-  notify:
-  - reload bodhi httpd
-  tags:
-  - config
-  - bodhi
-
-- name: setup basic /etc/bodhi/ contents (production)
   template: >
     src="{{  roles_path  }}/bodhi2/base/templates/production.ini.j2"
     dest="/etc/bodhi/production.ini"
     owner=apache
     group=apache
     mode=0600
-  when: inventory_hostname.startswith('bodhi-backend') and env == 'production'
+  when: inventory_hostname.startswith('bodhi-backend')
   notify:
   - reload bodhi httpd
   tags:

roles/bodhi2/base/tasks/main.yml

@@ -19,14 +19,14 @@
   - config
   - bodhi
 
-- name: setup basic /etc/bodhi/ contents (staging)
+- name: setup basic /etc/bodhi/ contents
   template: >
-    src="staging.ini.j2"
+    src="production.ini.j2"
     dest="/etc/bodhi/production.ini"
     owner=bodhi
     group=bodhi
     mode=0600
-  when: inventory_hostname.startswith('bodhi0') and env == 'staging'
+  when: inventory_hostname.startswith('bodhi0')
   notify:
   - reload bodhi httpd
   tags:
@@ -43,20 +43,6 @@
   - config
   - bodhi
 
-- name: setup basic /etc/bodhi/ contents (production)
-  template: >
-    src="production.ini.j2"
-    dest="/etc/bodhi/production.ini"
-    owner=bodhi
-    group=bodhi
-    mode=0600
-  when: inventory_hostname.startswith('bodhi0') and env == 'production'
-  notify:
-  - reload bodhi httpd
-  tags:
-  - config
-  - bodhi
-
 - name: Copy some fedmsg configuration of our own for fedmsg-hub
   template: >
       src={{item}}

roles/bodhi2/base/templates/production.ini.j2

@@ -1,3 +1,4 @@
+# The commented values in this config file represent the defaults.
 [filter:proxy-prefix]
 use = egg:PasteDeploy#prefix
 prefix = /
@@ -7,138 +8,193 @@ scheme = https
 use = egg:bodhi-server
 filter-with = proxy-prefix
 
-# Release status
-# pre-beta enforces the 'Pre Beta' policy defined here:
-# https://fedoraproject.org/wiki/Updates_Policy
-f27.status = post_beta
-
-f27.post_beta.mandatory_days_in_testing = 7
-f27.post_beta.critpath.num_admin_approvals = 0
-f27.post_beta.critpath.min_karma = 2
-f27.post_beta.critpath.stable_after_days_without_negative_karma = 14
-
-f27.pre_beta.mandatory_days_in_testing = 3
-f27.pre_beta.critpath.num_admin_approvals = 0
-f27.pre_beta.critpath.min_karma = 1
-
-##
-## Atomic OSTree support
-## This will compose Atomic OSTrees during the push process using the fedmsg-atomic-composer
-## https://github.com/fedora-infra/fedmsg-atomic-composer
-##
-compose_atomic_trees = true
-
 ##
 ## Messages
 ##
 
-# A notice to flash on the front page
+# The bodhi-approve-testing cron job will post this message as a comment from the bodhi user on
-frontpage_notice =
+# updates that reach the required time in testing if they are not stable yet. Positional
+# substitution is used, and the %d will be replaced with the time in testing required for the
+# update.
+# testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
 
-# A notice to flash on the New Update page
+# not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/Package_update_acceptance_criteria">Package Update Acceptance Criteria</a>
-newupdate_notice =
 
-testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
+# not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/EPEL_Updates_Policy">EPEL Update Policy</a>
-not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/Package_update_acceptance_criteria">Package Update Acceptance Criteria</a>
-not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/EPEL_Updates_Policy">EPEL Updates Policy</a>
-stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository
 
-testing_approval_msg_based_on_karma = This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.
+# Bodhi will post this comment on Updates that don't use autokarma when they reach the stable
-not_yet_tested_msg_based_on_karma = This update has not reached the stable karma threshold.
+# threshold.
+# testing_approval_msg_based_on_karma = This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.
+
+# The comment that Bodhi will post on updates when a user posts negative karma.
+# disable_automatic_push_to_stable = Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
 
 # Libravatar - If this is true libravatar will work as normal. Otherwise, all
 # libravatar links will be replaced with the string "libravatar.org" so that
 # the tests can still pass.
-libravatar_enabled = True
+# libravatar_enabled = True
+
 # Set this to true if you want to do federated dns libravatar lookup
-libravatar_dns = False
+# libravatar_dns = False
+
+# If libravatar_dns is True, prefer_ssl will define what gets handed to
+# libravatar.libravatar_url()'s https setting. It may be set to True or False, but defaults to None,
+# which is effectively False.
+# prefer_ssl =
 
 # Set this to True in order to send fedmsg messages.
+# fedmsg_enabled = False
 fedmsg_enabled = True
 
-
+# Captcha - if 'captcha.secret' is set, then it will be used for comments. Comment it to turn it
-# Captcha - if 'captcha.secret' is not None, then it will be used for comments
+# off. captcha.secret must be 32 url-safe base64-encoded bytes.
-# captcha.secret must be 32 url-safe base64-encoded bytes
+# You can generate one with >>> cryptography.fernet.Fernet.generate_key()
-# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key()
+# captcha.secret = CHANGEME
 captcha.secret = {{ bodhi2CaptchaSecret }}
-# Dimensions
-captcha.image_width = 300
-captcha.image_height = 80
-# Any truetype font will do.
-captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
-captcha.font_size = 36
-# Colors
-captcha.font_color = #000000
-captcha.background_color = #ffffff
-# In pixels
-captcha.padding = 5
-# If a captcha sits around for this many seconds, it will stop working.
-captcha.ttl = 300
 
-#datagrepper_url = http://localhost:5000
+# Dimensions
-datagrepper_url = https://apps.fedoraproject.org/datagrepper
+# captcha.image_width = 300
-badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands
+# captcha.image_height = 80
+
+# Any truetype font will do.
+# /usr/share/fonts/liberation/LiberationMono-Regular.ttf lives in liberation-mono-fonts.
+# /usr/share/fonts/pcaro-hermit/Hermit-medium.otf lives in pcaro-hermit-fonts package.
+# captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
+# captcha.font_size = 36
+
+# Colors
+# captcha.font_color = #000000
+# captcha.background_color = #ffffff
+
+# In pixels
+# captcha.padding = 5
+
+# If a captcha sits around for this many seconds, it will stop working.
+# captcha.ttl = 300
+
+
+# The URL for a datagrepper to use in various templates.
+# datagrepper_url = https://apps.fedoraproject.org/datagrepper
+datagrepper_url = https://apps{{env_suffix}}.fedoraproject.org/datagrepper
+# badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands
 
 
 ##
-## Wiki Test Cases
+## Testing
 ##
 
 ## Query the wiki for test cases
+# query_wiki_test_cases = False
 query_wiki_test_cases = True
-wiki_url = https://fedoraproject.org/w/api.php
+# wiki_url = https://fedoraproject.org/w/api.php
-test_case_base_url = https://fedoraproject.org/wiki/
+# test_case_base_url = https://fedoraproject.org/wiki/
+wiki_url = https://{{env_suffix}}fedoraproject.org/w/api.php
+test_case_base_url = https://{{env_suffix}}fedoraproject.org/wiki/
+
+# URL of the resultsdb for integrating checks and stuff
+# resultsdb_api_url = https://taskotron.fedoraproject.org/resultsdb_api/
+resultsdb_url = https://taskotron{{env_suffix}}.fedoraproject.org/resultsdb/
+
+# Set this to True to enable gating based on policies enforced by Greenwave. If you set this to
+# True, be sure to add a cron job to run the bodhi-check-policies CLI periodically.
+# test_gating.required = False
+test_gating.required = True
+
+# If this is set to a URL, a "More information about test gating" link will appear on update pages for users
+# to click and learn more.
+# test_gating.url =
+
+# The API url of Greenwave.
+# greenwave_api_url = https://greenwave.fedoraproject.org/api/v1.0
+greenwave_api_url = https://greenwave-web-greenwave.app.os{{env_suffix}}.fedoraproject.org/api/v1.0
+
+# The URL for waiverdb's API
+# waiverdb_api_url = https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0
+waiverdb_api_url = https://waiverdb-web-waiverdb.app.os{{env_suffix}}.fedoraproject.org/api/v1.0
+
+# An access token used to authenticate to waiverdb
+# waiverdb.access_token =
 
 # Email domain to prepend usernames to
-default_email_domain = fedoraproject.org
+# default_email_domain = fedoraproject.org
+default_email_domain = {{env_suffix}}fedoraproject.org
 
 # domain for generated message IDs
-message_id_email_domain = admin.fedoraproject.org
+# message_id_email_domain = admin.fedoraproject.org
+message_id_email_domain = admin{{env_suffix}}.fedoraproject.org
 
 ##
-## Mash settings
+## Masher settings
 ##
+releng_fedmsg_certname = shell-bodhi-backend01{{env_suffix}}.phx2.fedoraproject.org
 
-# If defined, the bodhi masher will ensure that messages are signed with the given cert
+# Where to initially mash repositories. You can use %(here)s to reference the location of this file.
-{% if ansible_hostname == 'bodhi-backend01' %}
+# mash_dir =
-releng_fedmsg_certname = shell-bodhi-backend01.phx2.fedoraproject.org
+{% if ansible_hostname.startswith('bodhi-backend') %}
-{% else %}
-releng_fedmsg_certname = shell-bodhi-backend03.phx2.fedoraproject.org
-{% endif %}
-
-# The masher is a bodhi instance that is responsible for composing the update
-# repositories, regenerating metrics, sending update notices, closing bugs,
-# and other costly operations.  To set an external masher, set the masher to
-# the baseurl of the bodhi instance.  If set to None, this bodhi instance
-# will act as a masher as well.
-#masher = None
-
-{% if 'backend' in inventory_hostname %}
 mash_dir = /mnt/koji/compose/updates/
-mash_stage_dir = /mnt/koji/compose/updates/
+{% else %}
+# do not use on frontends as bodhi will check the mount and refuse to run without it.
+#mash_dir = /mnt/koji/compose/updates/
 {% endif %}
-pungi.basepath = /etc/bodhi
+
-pungi.conf.rpm = pungi.rpm.conf.j2
+# The max number of mash threads running at the same time
-pungi.conf.module = pungi.module.conf.j2
+# max_concurrent_mashes = 2
-pungi.labeltype = Update
-pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler
 max_concurrent_mashes = 4
 
-## Our periodic jobs
+# Where to symlink the latest repos by their tag name. You can use %(here)s to reference the
-#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates
+# location of this file.
-jobs = cache_release_data refresh_metrics approve_testing_updates
+# mash_stage_dir =
+{% if ansible_hostname.startswith('bodhi-backend') %}
+mash_stage_dir = /mnt/koji/compose/updates/
+{% else %}
+# do not use on frontends as bodhi will check the mount and refuse to run without it.
+#mash_stage_dir = /mnt/koji/compose/updates/
+{% endif %}
 
-## Comps configuration
+# The following jinja2 template variables are available for use to customize the Pungi configs and
-comps_dir = /var/cache/bodhi/comps
+# variants files to the Release and Updates:
-comps_url = https://pagure.io/fedora-comps.git
+#
+#  * 'id': The id of the Release being mashed.
+#  * 'release': The Release being mashed.
+#  * 'request': The request being mashed.
+#  * 'updates': The Updates being mashed.
+#
+# NOTE: The jinja2 configuration for these templates replaces the {'s and }'s with ['s and ]'.
+# e.g.: a block becomes [% if <something %], and a variable is [[ varname ]].
+
+# The base path where pungi configs will be stored. You will need to put variants.xml templates
+# inside pungi.basepath as well. These templates will have access to the same template variables
+# described above, and should be named variants.rpm.xml.j2 and variants.module.xml.j2, for RPM
+# composes and module composes, respectively.
+# pungi.basepath = /etc/bodhi
+
+# The Pungi executable to use when mashing.
+# pungi.cmd = /usr/bin/pungi-koji
+
+# The following settings reference filenames of jinja2 templates found in pungi.basepath to be used
+# as Pungi configs for mashing modules or RPMs (The RPM config includes dnf, yum, and atomic repos).
+# pungi.conf.module = pungi.module.conf
+# pungi.conf.rpm = pungi.rpm.conf
+pungi.conf.rpm = pungi.rpm.conf.j2
+pungi.conf.module = pungi.module.conf.j2
+
+# A space separated list of extra arguments to be passed on to Pungi during mashing.
+# pungi.extracmdline =
+pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler
+
+# What to pass to Pungi's --label flag, which is metadata included in its composeinfo.json.
+# pungi.labeltype = Update
 
 ##
 ## Mirror settings
 ##
-file_url = https://download.fedoraproject.org/pub/fedora/linux/updates
+# file_url: Used in the repo metadata to set RPM URLs.
+# file_url = https://download.fedoraproject.org/pub/fedora/linux/updates
+{% if env == 'production' %}
 master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
 fedora_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
 fedora_epel_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
+{% endif %}
 
 # {release}_{request}_master_repomd: This is used by the masher to determine when a
 #     primary architecture push has been synchronized to the master mirror for a given release and
@@ -148,27 +204,45 @@ fedora_epel_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s
 #     arches listed in {release}_{version}_primary_arches when it is defined, else used for all
 #     arches. You must put two %s's in this setting - the first will be replaced with the release
 #     version and the second will be replaced with the architecture.
-fedora_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
+# fedora_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%s/%s/repodata/repomd.xml
-fedora_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/testing/%s/%s/repodata/repomd.xml
+# fedora_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/testing/%s/%s/repodata/repomd.xml
+# fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
+# fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml
+{% if env == 'production' %}
 fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
 fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml
 fedora_modular_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/modular/updates/%s/Server/%s/repodata/repomd.xml
 fedora_modular_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora/linux/modular/updates/testing/%s/Server/%s/repodata/repomd.xml
+{% elif env == 'staging' %}
+fedora_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml
+fedora_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
+fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
+fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml
+fedora_modular_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates/compose/Everything/%s/os/repodata/repomd.xml
+fedora_modular_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
+{% endif %}
 
 # {release}_{request}_alt_master_repomd: This is used by the masher to determine when a
 #     secondary architecture push has been synchronized to the master mirror for a given release and
 #     request. The masher will verify that the checksum of repomd.xml at the master URL matches the
 #     expected value, and will poll the URL until this test passes. Substitute release and request
 #     for each release id (replacing -'s with _'s) and request (stable, testing). Used for the
-#     arches not listed in {release}_{version}_primary_arches if it is defined. You must put two %s's
+#     arches not listed in {release}_{version}_primary_arches if it is defined. You must put two
-#     in this setting - the first will be replaced with the release version and the second will be
+#     %s's in this setting - the first will be replaced with the release version and the second will
-#     replaced with the architecture.
+#     be replaced with the architecture.
+# fedora_stable_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/%s/%s/repodata/repomd.xml
+# fedora_testing_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/testing/%s/%s/repodata/repomd.xml
+{% if env == 'production' %}
 fedora_stable_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/%s/%s/repodata/repomd.xml
 fedora_testing_alt_master_repomd = http://download01.phx2.fedoraproject.org/pub/fedora-secondary/updates/testing/%s/%s/repodata/repomd.xml
-
+{% elif env == 'staging' %}
+fedora_stable_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml
+fedora_testing_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
+{% endif %}
 
 ## The base url of this application
-base_address = https://bodhi.fedoraproject.org/
+# base_address = https://admin.fedoraproject.org/updates/
+base_address = https://bodhi{{env_suffix}}.fedoraproject.org/
 
 
 ## Primary architechures by release
@@ -180,91 +254,77 @@ base_address = https://bodhi.fedoraproject.org/
 ##      Bodhi looks for primary arches with the {release}_{request}_master_repomd setting above, and
 ##      for alternative arches at the {release}_{request}_alt_master_repomd setting above. If this
 ##      is not set, Bodhi will assume the release only has primary arches.
+# fedora_26_primary_arches = armhfp x86_64
 fedora_26_primary_arches = armhfp x86_64
 fedora_27_primary_arches = armhfp x86_64
 
-
-## Supported update types
-update_types = bugfix enhancement security newpackage
-
-## Supported architechures
-##
-## To handle arch name changes between releases, you
-## can also configure bodhi to support one arch *or*
-## another. For example, EPEL5 mashes produce 'ppc'
-## repos, where EPEL6 produces 'ppc64'. To handle this
-## scenario, you can specify something like:
-##
-##   arches = ppc/ppc64
-##
-arches = x86_64 armhfp i386
-
 ##
 ## Email setting
 ##
 
+# The hostname of an SMTP server Bodhi can use to deliver e-mail.
+# smtp_server =
 smtp_server = bastion
 
 # The updates system itself.  This email address is used in fetching Bugzilla
 # information, as well as email notifications
-bodhi_email = updates@fedoraproject.org
+# bodhi_email = updates@fedoraproject.org
+# This is the password used to access Bodhi's bugzilla account.
+# bodhi_password =
+bodhi_email = updates@{{env_suffix}}fedoraproject.org
 bodhi_password = {{ bodhiBugzillaPassword }}
 
 # The address that gets the requests
-release_team_address = bodhiadmin-members@fedoraproject.org
+# release_team_address = bodhiadmin-members@fedoraproject.org
 
-# The address to notify when security updates are initially added to bodhi
+# Public lists where we send update announcements.
-security_team = security_respons-members@fedoraproject.org
+# These variables should be named per: Release.prefix_id.lower()_announce_list
-
+# fedora_announce_list = package-announce@lists.fedoraproject.org
-# Public announcement lists
+# fedora_test_announce_list = test@lists.fedoraproject.org
+# fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
+# fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org
 fedora_announce_list = package-announce@lists.fedoraproject.org
 fedora_test_announce_list = test@lists.fedoraproject.org
 fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
 fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org
 
 # Superuser groups
-admin_groups = proventesters security_respons bodhiadmin sysadmin-main
+# admin_groups = proventesters security_respons bodhiadmin sysadmin-main
 
 # Users that we don't want to show up in the "leaderboard(s)"
-stats_blacklist = bodhi anonymous autoqa taskotron
+# stats_blacklist = bodhi anonymous autoqa taskotron
 
 # A list of non-person users
-system_users = bodhi autoqa taskotron
+# system_users = bodhi autoqa taskotron
 
 # The max length for an update title before we truncate it in the web ui
+# max_update_length_for_ui = 30
 max_update_length_for_ui = 70
 
 # The number of days used for calculating the 'top testers' metric
+# top_testers_timeframe = 7
 top_testers_timeframe = 900
 
-# The email address of the proventesters
+# This defaults to False.  We're disabling stacks for the initial release
-proventesters_email = proventesters-members@fedoraproject.org
+# because, while you can create stacks, you can't automatically create updates
-
+# *from* a stack (which was the whole point).  We'll work on that for a later
-# Disabled for the initial release.
+# release.
-stacks_enabled = False
+# stacks_enabled = False
 
 # These are the default requirements that we apply to stacks, packages, and
 # updates.  Users have free-reign to override them for each kind of entity.  At
 # the end of the day, we only consider the requirements defined by single
 # updates themselves when gating in the backend masher process.
-site_requirements = dist.rpmdeplint dist.upgradepath
+# site_requirements = dist.rpmdeplint dist.upgradepath
-## Some day we'll have rpmgrill, and that will be cool.  Ask tflink.
-#site_requirements = depcheck upgradepath rpmgrill
-
-# Where do we send update announcements to ?
-# These variables should be named per: Release.prefix_id.lower()_announce_list
-#fedora_announce_list =
-#fedora_test_announce_list =
-#fedora_epel_announce_list =
-#fedora_epel_test_announce_list =
 
 # Cache settings
-dogpile.cache.backend = dogpile.cache.dbm
+# dogpile.cache.backend = dogpile.cache.dbm
-dogpile.cache.expiration_time = 100
+# dogpile.cache.expiration_time = 100
+# dogpile.cache.arguments.filename = /var/cache/bodhi-dogpile-cache.dbm
 dogpile.cache.arguments.filename = /var/cache/bodhi/dogpile-cache.dbm
 
 # Exclude sending emails to these users
-exclude_mail = autoqa taskotron
+# exclude_mail = autoqa taskotron
 
 ##
 ## Buildsystem settings
@@ -273,84 +333,93 @@ exclude_mail = autoqa taskotron
 # What buildsystem do we want to use?  For development, we'll use a fake
 # buildsystem that always does what we tell it to do.  For production, we'll
 # want to use 'koji'.
+# buildsystem = dev
 buildsystem = koji
 
 # Koji's XML-RPC hub
-koji_hub = https://koji.fedoraproject.org/kojihub
+# koji_hub = https://koji.stg.fedoraproject.org/kojihub
+koji_hub = https://koji{{env_suffix}}.fedoraproject.org/kojihub
 
 # Root url of the Koji instance to point to. No trailing slash
-koji_url = https://koji.fedoraproject.org
+koji_url = https://koji{{env_suffix}}.fedoraproject.org
 
 # URL of where users should go to set up their notifications
-fmn_url = https://apps.fedoraproject.org/notifications/
+# fmn_url = https://apps.fedoraproject.org/notifications/
+fmn_url = https://apps{{env_suffix}}.fedoraproject.org/notifications/
 
-# URL of the resultsdb for integrating checks and stuff
+# If this is defined, fedmenu's JS will be injected into the master template. Fedora's fedmenu URL
-resultsdb_url = https://taskotron.fedoraproject.org/resultsdb/
+# is https://apps.fedoraproject.org/fedmenu and its data_url is
-resultsdb_api_url = https://taskotron.fedoraproject.org/resultsdb_api/
+# https://apps.fedoraproject.org/js/data.js
+# fedmenu.url =
+# fedmenu.data_url =
+fedmenu.url = https://apps{{env_suffix}}.fedoraproject.org/fedmenu
+fedmenu.data_url = https://apps{{env_suffix}}.fedoraproject.org/js/data.js
 
-fedmenu.url = https://apps.fedoraproject.org/fedmenu
+# Koji krb5
-fedmenu.data_url = https://apps.fedoraproject.org/js/data.js
+# krb_principal =
-
+# krb_keytab =
-# Koji Krb stuff
+# krb_ccache=
 krb_ccache = /tmp/krb5cc_%{uid}
 krb_principal = bodhi/bodhi{{ env_suffix }}.fedoraproject.org@{{ ipa_realm }}
 krb_keytab = /etc/krb5.bodhi_bodhi{{ env_suffix }}.fedoraproject.org.keytab
 
-# Set this to True to enable gating based on policies enforced by Greenwave. If you set this to True,
-# be sure to add a cron job to run the bodhi-check-policies CLI periodically.
-test_gating.required = False
-
-# If this is set to a URL, a "More information about test gating" link will appear on update pages for users
-# to click and learn more.
-# test_gating.url =
-
-# The API url of Greenwave.
-greenwave_api_url = https://greenwave-web-greenwave.app.os.fedoraproject.org/api/v1.0
-
 ##
 ## ACL system
 ## Choices are 'pkgdb', which will send a JSON query to the pkgdb_url below,
 ## 'pagure', which will query the pagure_url below, or 'dummy', which will
 ## always return guest credentials (used for local development).
 ##
+# acl_system = dummy
 acl_system = pagure
 
 ##
 ## Package DB
 ##
-pkgdb_url = https://admin.fedoraproject.org/pkgdb
+# pkgdb_url = https://admin.fedoraproject.org/pkgdb
 
 ##
 ## Pagure
 ##
-pagure_url = https://src.fedoraproject.org/
+# pagure_url = https://src.fedoraproject.org/pagure/
+pagure_url = https://src{{env_suffix}}.fedoraproject.org/
 
 ##
 ## Product Definition Center (PDC)
 ##
 # pdc_url = https://pdc.fedoraproject.org/
+pdc_url = https://pdc{{env_suffix}}.fedoraproject.org/
 
 
-# We used to get our package tags from pkgdb, but they come from tagger now.
-# https://github.com/fedora-infra/fedora-tagger/pull/74
-#pkgtags_url = https://apps.fedoraproject.org/tagger/api/v1/tag/sqlitebuildtags/
-
 ##
 ## Bug tracker settings
 ##
+# Set this to bugzilla to turn on Bugzilla integration.
+# bugtracker =
 bugtracker = bugzilla
 
-initial_bug_msg = %s has been submitted as an update to %s. %s
+# A template that Bodhi will use when commenting on Bugzilla tickets when Updates that reference
-stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
+# them are created. Positional substitution is used, and the three %s's will be filled in with the
-testing_bug_msg =
+# update title, the release's long name, and the URL to the update, respectively.
-    See https://fedoraproject.org/wiki/QA:Updates_Testing for
+# initial_bug_msg = %s has been submitted as an update to %s. %s
-    instructions on how to install test updates. 
+
-    You can provide feedback for this update here: %s
+# A template that Bodhi will use when commenting on Bugzilla tickets when Updates that reference
+# them are marked stable. Positional substitution is used, and the first %s will be filled in with
+# the update title and the second will be filled in with the release's long name and the update
+# status.
+# stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
+
+# The following two templates are used to comment on Bugzilla tickets. %s will be substituted with
+# the update's URL. The first is used for all updates, unless the epel setting in defined, which
+# will be used for all Updates on Releases that have an id_prefix of FEDORA-EPEL.
+# testing_bug_msg =
+#     See https://fedoraproject.org/wiki/QA:Updates_Testing for
+#     instructions on how to install test updates.
+#     You can provide feedback for this update here: %s
+# testing_bug_epel_msg =
+#     See https://fedoraproject.org/wiki/QA:Updates_Testing for
+#     instructions on how to install test updates.
+#     You can provide feedback for this update here: %s
 
-testing_bug_epel_msg =
-    See https://fedoraproject.org/wiki/QA:Updates_Testing for
-    instructions on how to install test updates. 
-    You can provide feedback for this update here: %s
 
 ##
 ## Bugzilla settings.
@@ -359,18 +428,32 @@ testing_bug_epel_msg =
 # The username/password for our bugzilla account comes
 # from the bodhi_{email,password} fields.
 
+# A URL to a Bugzilla instance's xmlrpc.cgi script for Bodhi to use.
+# bz_server = https://bugzilla.redhat.com/xmlrpc.cgi
+{% if env == 'production' %}
 bz_server = https://bugzilla.redhat.com/xmlrpc.cgi
-#bz_cookie =
+{% elif env == 'staging' %}
+bz_server = https://partner-bugzilla.redhat.com/xmlrpc.cgi
+{% endif %}
 
-# Bodhi will avoid touching bugs that are not against the following products
+# Bodhi will avoid touching bugs that are not against the following comma-separated products.
+# Fedora's production Bodhi instance sets this to Fedora,Fedora EPEL
+# bz_products =
 bz_products = Fedora,Fedora EPEL
 
+# A template to use for links to Bugzilla tickets. %s will be filled in with the bug number.
+# buglink = https://bugzilla.redhat.com/show_bug.cgi?id=%s
+{% if env == 'production' %}
 buglink = https://bugzilla.redhat.com/show_bug.cgi?id=%s
+{% elif env == 'staging' %}
+buglink = https://partner-bugzilla.redhat.com/show_bug.cgi?id=%s
+{% endif %}
 
 ##
 ## Packages that should suggest a reboot
 ##
-reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 kernel-xenU kernel-xen kernel-xen-guest glibc hal dbus
+reboot_pkgs = kernel kernel-smp kernel-PAE glibc hal dbus
+
 
 ##
 ## Critical Path Packages
@@ -381,20 +464,23 @@ reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 ker
 # Database by setting this value to `pkgdb` or the Product Definition
 # Center by setting this value to `pdc`. If it isn't set, it'll just use the
 # hardcoded list below.
+# critpath.type =
 critpath.type = pdc
 
-# You can hardcode a list of critical path packages instead of using the PackageDB
+# You can hardcode a list of critical path packages instead of using the PkgDB
-#critpath_pkgs = kernel
+# or PDC. This is used if critpath.type is not defined.
+# critpath_pkgs =
 
 # The number of admin approvals it takes to be able to push a critical path
 # update to stable for a pending release.
+# critpath.num_admin_approvals = 2
 critpath.num_admin_approvals = 0
 
-# The net karma required to submit a critial path update to a pending release)
+# The net karma required to submit a critial path update to a pending release.
-critpath.min_karma = 2
+# critpath.min_karma = 2
 
 # Allow critpath to submit for stable after 2 weeks with no negative karma
-critpath.stable_after_days_without_negative_karma = 14
+# critpath.stable_after_days_without_negative_karma = 14
 
 # The minimum amount of time an update must spend in testing before
 # it can reach the stable repository
@@ -406,28 +492,34 @@ fedora_modular.mandatory_days_in_testing = 7
 ## Release status
 ##
 
-# Pre-beta enforces the Pre Beta policy defined here:
+# You can define alternative policies than the defaults for specific Releases by defining a setting
-# https://fedoraproject.org/wiki/Updates_Policy
+# of the form Release.name.status (with -'s removed from the name). You can set the status to any
-#f15.status = 'pre_beta'
+# string you like, and then for each status, you can override the mandatory days in testing, the
-#f15.pre_beta.mandatory_days_in_testing = 3
+# critpath number of admin approvals, and the critpath minimum karma. For example, if we want to set
-#f15.pre_beta.critpath.num_admin_approvals = 0
+# Fedora 28 as a pre-beta, and we want it to have different rules in pre-beta and post-beta, we
-#f15.pre_beta.critpath.min_karma = 1
+# could do something like this:
-
+#f28.status = pre_beta
-# For test cases.
+#f28.pre_beta.mandatory_days_in_testing = 3
-f7.status = post_beta
+#f28.pre_beta.critpath.num_admin_approvals = 0
-f7.post_beta.mandatory_days_in_testing = 7
+#f28.pre_beta.critpath.min_karma = 1
-f7.post_beta.critpath.num_admin_approvals = 0
+#f28.post_beta.mandatory_days_in_testing = 7
-f7.post_beta.critpath.min_karma = 2
+#f28.post_beta.critpath.num_admin_approvals = 0
-
+#f28.post_beta.critpath.min_karma = 2
-# The number of days worth of updates/comments to display
+f27.status = post_beta
-feeds.num_days_to_show = 7
+f27.post_beta.mandatory_days_in_testing = 7
-feeds.max_entries = 20
+f27.post_beta.critpath.num_admin_approvals = 0
+f27.post_beta.critpath.min_karma = 2
+f27.post_beta.critpath.stable_after_days_without_negative_karma = 14
+f27.pre_beta.mandatory_days_in_testing = 3
+f27.pre_beta.critpath.num_admin_approvals = 0
+f27.pre_beta.critpath.min_karma = 1
 
 ##
 ## Buildroot Override
 ##
 
-# Number of days before expiring overrides
+# Maximum number of days a buildroot override may expire in, from creation time.
+# buildroot_limit = 31
 buildroot_overrides.expire_after = 1
 
 ##
@@ -438,36 +530,54 @@ buildroot_overrides.expire_after = 1
 # When a user logs in, bodhi will look for any of these groups and associate #
 # them with the user. They will then appear as the users effective principals in
 # the format "group:groupname" and can be used in Pyramid ACE's.
+# important_groups = proventesters provenpackager releng security_respons packager bodhiadmin
 important_groups = proventesters provenpackager releng-team security_respons packager bodhiadmin virtmaint-sig kde-sig eclipse-sig infra-sig gnome-sig python-sig robotics-sig qa-tools-sig nodejs-sig lxqt-sig astro-sig
 
 # Groups that can push updates for any package
+# admin_packager_groups = provenpackager releng security_respons
 admin_packager_groups = provenpackager releng-team security_respons
 
 # User must be a member of this group to submit updates
-mandatory_packager_groups = packager
+# mandatory_packager_groups = packager
+
 
 ##
 ## updateinfo.xml configuraiton
 ##
-updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.
+# updateinfo_rights = Copyright (C) {CURRENT_YEAR} Red Hat, Inc. and others.
 
 ##
 ## Authentication & Authorization
 ##
 
-# pyramid.openid
+# pyramid.openid settings.
-openid.success_callback = bodhi.server.security:remember_me
+# openid.success_callback = bodhi.server.security:remember_me
-openid.provider = https://id.fedoraproject.org/openid/
+# openid.provider = https://id.fedoraproject.org/openid/
-openid.url = https://id.fedoraproject.org/
+# openid.url = https://id.fedoraproject.org/
-openid_template = {username}.id.fedoraproject.org
+# openid_template = {username}.id.fedoraproject.org
+# openid.sreg_required = email
+# If this is undefined, Bodhi will concatenate the groups listed in the following other settings
+# from this file: important_groups, admin_packager_groups, mandatory_packager_groups, and
+# admin_groups. You likely want this default, but can override it here if you know what you are
+# doing. You can also override it here if you do not know what you are doing, but that would be
+# unadvisable.
+# openid.groups = DEFAULT_DOCUMENTED_ABOVE
+openid.provider = https://id{{env_suffix}}.fedoraproject.org/openid/
+openid.url = https://id{{env_suffix}}.fedoraproject.org/
+openid_template = {username}.id{{env_suffix}}.fedoraproject.org
 openid.sreg_required = email
 
 # CORS allowed origins for cornice services
 # This can be wide-open.  read-only, we don't care as much about.
 cors_origins_ro = *
 # This should be more locked down to avoid cross-site request forgery.
-cors_origins_rw = https://bodhi.fedoraproject.org
+cors_origins_rw = https://bodhi{{env_suffix}}.fedoraproject.org
+
+{% if env == 'production' %}
 cors_connect_src = https://*.fedoraproject.org/ wss://hub.fedoraproject.org:9939/
+{% elif env == 'staging' %}
+cors_connect_src = https://*.stg.fedoraproject.org/ wss://hub.stg.fedoraproject.org:9939/
+{% endif %}
 
 
 ##
@@ -487,28 +597,51 @@ debugtoolbar.hosts = 127.0.0.1 ::1
 ##
 ## Database
 ##
+# This must be a PostgreSQL database. It is weirdly defaulted to sqlite, but that would not be
+# suitable for a production environment. You can encode a username and password in the URL. For
+# example, postgresql://username:password@hostname/database_name
+# sqlalchemy.url = sqlite:////var/cache/bodhi.db
+{% if env == 'production' %}
 sqlalchemy.url = postgresql://bodhi2:{{ bodhi2Password }}@db-bodhi/bodhi2
+{% elif env == 'staging' %}
+sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@pgbdr.stg.phx2.fedoraproject.org/bodhi2
+{% endif %}
 
 ##
 ## Templates
 ##
-mako.directories = bodhi:server/templates
+# Where Bodhi's templates are stored. You likely don't want or need to adjust this setting.
+# mako.directories = bodhi:server/templates
 
 ##
 ## Authentication & Sessions
 ##
 
+# CHANGE THESE IN PRODUCTION!
+# authtkt.secret = CHANGEME
+# session.secret = CHANGEME
+# authtkt.secure = True
+# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
+# authtkt.timeout = 86400
+{% if env == 'production' %}
 authtkt.secret = {{ bodhi2AuthTkt }}
 session.secret = {{ bodhi2SessionSecret }}
+{% elif env == 'staging' %}
+authtkt.secret = {{ bodhi2AuthTktSTG }}
+session.secret = {{ bodhi2SessionSecretSTG }}
+{% endif %}
 authtkt.secure = true
-# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
 authtkt.timeout = 1209600
 
 # pyramid_beaker
 session.type = file
-session.data_dir = /var/cache/bodhi/sessions/data
+session.data_dir = %(here)s/data/sessions/data
-session.lock_dir = /var/cache/bodhi/sessions/lock
+session.lock_dir = %(here)s/data/sessions/lock
+{% if env == 'production' %}
 session.key = {{ bodhi2SessionKey }}
+{% elif env == 'staging' %}
+session.key = {{ bodhi2SessionKeySTG }}
+{% endif %}
 session.cookie_on_exception = true
 # Tell the browser to only send the cookie over TLS
 session.secure = true
@@ -528,7 +661,7 @@ port = 6543
 
 [pshell]
 m = bodhi.server.models
-#db = bodhi.server.models.DBSession
+#db = bodhi.server.util.pshell_db
 t = transaction
 
 # Begin logging configuration

roles/bodhi2/base/templates/staging.ini.j2

@@ -1,540 +0,0 @@
-[filter:proxy-prefix]
-use = egg:PasteDeploy#prefix
-prefix = /
-scheme = https
-
-[app:main]
-use = egg:bodhi-server
-filter-with = proxy-prefix
-
-##
-## Messages
-##
-
-# A notice to flash on the front page
-frontpage_notice =
-
-# A notice to flash on the New Update page
-newupdate_notice =
-
-testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
-not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/Package_update_acceptance_criteria">Package Update Acceptance Criteria</a>
-not_yet_tested_epel_msg = This update has not yet met the minimum testing requirements defined in the <a href="https://fedoraproject.org/wiki/EPEL_Updates_Policy">EPEL Updates Policy</a>
-stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository
-
-# Libravatar - If this is true libravatar will work as normal. Otherwise, all
-# libravatar links will be replaced with the string "libravatar.org" so that
-# the tests can still pass.
-libravatar_enabled = True
-# Set this to true if you want to do federated dns libravatar lookup
-libravatar_dns = False
-
-# Set this to True in order to send fedmsg messages.
-fedmsg_enabled = True
-
-
-# Captcha - if 'captcha.secret' is not None, then it will be used for comments
-# captcha.secret must be 32 url-safe base64-encoded bytes
-# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key()
-captcha.secret = {{ bodhi2CaptchaSecretSTG }}
-# Dimensions
-captcha.image_width = 300
-captcha.image_height = 80
-# Any truetype font will do.
-captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
-captcha.font_size = 36
-# Colors
-captcha.font_color = #000000
-captcha.background_color = #ffffff
-# In pixels
-captcha.padding = 5
-# If a captcha sits around for this many seconds, it will stop working.
-captcha.ttl = 300
-
-#datagrepper_url = http://localhost:5000
-datagrepper_url = https://apps.stg.fedoraproject.org/datagrepper
-badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands
-
-
-##
-## Wiki Test Cases
-##
-
-## Query the wiki for test cases
-query_wiki_test_cases = False
-wiki_url = https://fedoraproject.org/w/api.php
-test_case_base_url = https://fedoraproject.org/wiki/
-
-# Email domain to prepend usernames to
-default_email_domain = fedoraproject.org
-
-# domain for generated message IDs
-message_id_email_domain = admin.stg.fedoraproject.org
-
-##
-## Mash settings
-##
-
-# If defined, the bodhi masher will ensure that messages are signed with the given cert
-releng_fedmsg_certname = shell-bodhi-backend01.stg.phx2.fedoraproject.org
-
-# The masher is a bodhi instance that is responsible for composing the update
-# repositories, regenerating metrics, sending update notices, closing bugs,
-# and other costly operations.  To set an external masher, set the masher to
-# the baseurl of the bodhi instance.  If set to None, this bodhi instance
-# will act as a masher as well.
-#masher = None
-
-{% if 'backend' in inventory_hostname %}
-mash_dir = /mnt/koji/compose/updates/
-mash_stage_dir = /mnt/koji/compose/updates/
-{% endif %}
-pungi.basepath = /etc/bodhi
-pungi.conf.rpm = pungi.rpm.conf.j2
-pungi.conf.module = pungi.module.conf.j2
-pungi.labeltype = Update
-pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler
-
-## Our periodic jobs
-#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates
-jobs = cache_release_data refresh_metrics approve_testing_updates
-
-## Comps configuration
-comps_dir = /var/cache/bodhi/comps
-comps_url = https://pagure.io/fedora-comps.git
-
-##
-## Mirror settings
-##
-file_url = http://download.fedoraproject.org/pub/fedora/linux/updates
-
-# {release}_{request}_master_repomd: This is used by the masher to determine when a
-#     primary architecture push has been synchronized to the master mirror for a given release and
-#     request. The masher will verify that the checksum of repomd.xml at the master URL matches the
-#     expected value, and will poll the URL until this test passes. Substitute release and request
-#     for each release id (replacing -'s with _'s) and request (stable, testing). Used for the
-#     arches listed in {release}_{version}_primary_arches when it is defined, else used for all
-#     arches. You must put two %s's in this setting - the first will be replaced with the release
-#     version and the second will be replaced with the architecture.
-fedora_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml
-fedora_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
-fedora_epel_stable_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/%s/%s/repodata/repomd.xml
-fedora_epel_testing_master_repomd = http://download01.phx2.fedoraproject.org/pub/epel/testing/%s/%s/repodata/repomd.xml
-fedora_modular_stable_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates/compose/Everything/%s/os/repodata/repomd.xml
-fedora_modular_testing_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-modular-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
-
-# {release}_{request}_alt_master_repomd: This is used by the masher to determine when a
-#     secondary architecture push has been synchronized to the master mirror for a given release and
-#     request. The masher will verify that the checksum of repomd.xml at the master URL matches the
-#     expected value, and will poll the URL until this test passes. Substitute release and request
-#     for each release id (replacing -'s with _'s) and request (stable, testing). Used for the
-#     arches not listed in {release}_{version}_primary_arches if it is defined. You must put two %s's
-#     in this setting - the first will be replaced with the release version and the second will be
-#     replaced with the architecture.
-fedora_stable_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates/compose/Everything/%s/os/repodata/repomd.xml
-fedora_testing_alt_master_repomd = https://kojipkgs.stg.fedoraproject.org/compose/updates/f%s-updates-testing/compose/Everything/%s/os/repodata/repomd.xml
-
-
-## The base url of this application
-base_address = https://bodhi.stg.fedoraproject.org/
-
-
-## Primary architechures by release
-##
-## {release}_{version}_primary_arches: Releases that have alternative arches must define their
-##      primary arches here. Any arches found during mashing that are not present here are asssumed
-##      to be alternative arches. This is used during the wait_for_repo() step of the mash where
-##      Bodhi polls the master repo to find out whether the mash has made it to the repo or not.
-##      Bodhi looks for primary arches with the {release}_{request}_master_repomd setting above, and
-##      for alternative arches at the {release}_{request}_alt_master_repomd setting above. If this
-##      is not set, Bodhi will assume the release only has primary arches.
-fedora_26_primary_arches = armhfp x86_64
-
-
-## Supported update types
-update_types = bugfix enhancement security newpackage
-
-## Supported architechures
-##
-## To handle arch name changes between releases, you
-## can also configure bodhi to support one arch *or*
-## another. For example, EPEL5 mashes produce 'ppc'
-## repos, where EPEL6 produces 'ppc64'. To handle this
-## scenario, you can specify something like:
-##
-##   arches = ppc/ppc64
-##
-arches = i386 x86_64 armhfp
-
-##
-## Email setting
-##
-
-# Keep email disabled in staging so rube doesn't spam helpless packagers.
-#smtp_server = bastion
-
-# The updates system itself.  This email address is used in fetching Bugzilla
-# information, as well as email notifications
-bodhi_email = updates@fedoraproject.org
-#bodhi_password =
-
-# The address that gets the requests
-release_team_address = bodhiadmin-members@fedoraproject.org
-
-# The address to notify when security updates are initially added to bodhi
-security_team = security_respons-members@fedoraproject.org
-
-# Public announcement lists
-fedora_announce_list = package-announce@lists.fedoraproject.org
-fedora_test_announce_list = test@lists.fedoraproject.org
-fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
-fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org
-fedora_modular_announce_list = package-announce@lists.fedoraproject.org
-fedora_modular_test_announce_list = test@lists.fedoraproject.org
-
-# Superuser groups
-admin_groups = proventesters security_respons bodhiadmin sysadmin-main
-
-# Users that we don't want to show up in the "leaderboard(s)"
-stats_blacklist = bodhi anonymous autoqa taskotron
-
-# A list of non-person users
-system_users = bodhi autoqa taskotron
-
-# The max length for an update title before we truncate it in the web ui
-max_update_length_for_ui = 70
-
-# The number of days used for calculating the 'top testers' metric
-top_testers_timeframe = 900
-
-# The email address of the proventesters
-proventesters_email = proventesters-members@fedoraproject.org
-
-# Disabled for the initial release.
-stacks_enabled = False
-
-# These are the default requirements that we apply to stacks, packages, and
-# updates.  Users have free-reign to override them for each kind of entity.  At
-# the end of the day, we only consider the requirements defined by single
-# updates themselves when gating in the backend masher process.
-site_requirements = dist.rpmdeplint dist.upgradepath
-## Some day we'll have rpmgrill, and that will be cool.  Ask tflink.
-#site_requirements = depcheck upgradepath rpmgrill
-
-# Where do we send update announcements to ?
-# These variables should be named per: Release.prefix_id.lower()_announce_list
-#fedora_announce_list =
-#fedora_test_announce_list =
-#fedora_epel_announce_list =
-#fedora_epel_test_announce_list =
-
-# Cache settings
-dogpile.cache.backend = dogpile.cache.dbm
-dogpile.cache.expiration_time = 100
-dogpile.cache.arguments.filename = /var/cache/bodhi/dogpile-cache.dbm
-
-# Exclude sending emails to these users
-exclude_mail = autoqa taskotron
-
-##
-## Buildsystem settings
-##
-
-# What buildsystem do we want to use?  For development, we'll use a fake
-# buildsystem that always does what we tell it to do.  For production, we'll
-# want to use 'koji'.
-buildsystem = koji
-
-# Koji's XML-RPC hub
-koji_hub = https://koji.stg.fedoraproject.org/kojihub
-
-# Root url of the Koji instance to point to. No trailing slash
-koji_url = http://koji.stg.fedoraproject.org
-
-# URL of where users should go to set up their notifications
-fmn_url = https://apps.stg.fedoraproject.org/notifications/
-
-# URL of the resultsdb for integrating checks and stuff
-resultsdb_url = https://taskotron.stg.fedoraproject.org/resultsdb/
-resultsdb_api_url = https://taskotron.stg.fedoraproject.org/resultsdb_api/
-
-# Set this to True to enable gating based on policies enforced by Greenwave. If you set this to True,
-# be sure to add a cron job to run the bodhi-check-policies CLI periodically.
-test_gating.required = True
-
-# If this is set to a URL, a "More information about test gating" link will appear on update pages for users
-# to click and learn more.
-# test_gating.url =
-
-# The API url of Greenwave.
-greenwave_api_url = https://greenwave-web-greenwave.app.os.stg.fedoraproject.org/api/v1.0
-
-fedmenu.url = https://apps.stg.fedoraproject.org/fedmenu
-fedmenu.data_url = https://apps.stg.fedoraproject.org/js/data.js
-
-# Koji Krb stuff
-krb_ccache = /tmp/krb5cc_%{uid}
-krb_principal = bodhi/bodhi{{ env_suffix }}.fedoraproject.org@{{ ipa_realm }}
-krb_keytab = /etc/krb5.bodhi_bodhi{{ env_suffix }}.fedoraproject.org.keytab
-
-##
-## ACL system
-## Choices are 'pkgdb', which will send a JSON query to the pkgdb_url below,
-## 'pagure', which will query the pagure_url below, or 'dummy', which will
-## always return guest credentials (used for local development).
-##
-acl_system = pagure
-
-##
-## Package DB
-##
-pkgdb_url = https://admin.stg.fedoraproject.org/pkgdb
-
-##
-## Pagure
-##
-pagure_url = https://src.stg.fedoraproject.org/
-
-##
-## Product Definition Center (PDC)
-##
-pdc_url = https://pdc.stg.fedoraproject.org/
-
-
-# We used to get our package tags from pkgdb, but they come from tagger now.
-# https://github.com/fedora-infra/fedora-tagger/pull/74
-#pkgtags_url = https://apps.fedoraproject.org/tagger/api/v1/tag/sqlitebuildtags/
-
-##
-## Bug tracker settings
-##
-#bugtracker = bugzilla
-
-initial_bug_msg = %s has been submitted as an update to %s. %s
-stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
-testing_bug_msg =
-    If you want to test the update, you can install it with
-    $ su -c 'dnf --enablerepo=updates-testing update %s'
-    You can provide feedback for this update here: %s
-testing_bug_epel_msg =
-    If you want to test the update, you can install it with
-    $ su -c 'yum --enablerepo=epel-testing update %s'
-    You can provide feedback for this update here: %s
-
-##
-## Bugzilla settings.
-##
-
-# The username/password for our bugzilla account comes
-# from the bodhi_{email,password} fields.
-
-bz_server = https://partner-bugzilla.redhat.com/xmlrpc.cgi
-#bz_cookie =
-
-# Bodhi will avoid touching bugs that are not against the following products
-bz_products = Fedora,Fedora EPEL
-
-buglink = https://partner-bugzilla.redhat.com/show_bug.cgi?id=%s
-
-##
-## Packages that should suggest a reboot
-##
-reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 kernel-xenU kernel-xen kernel-xen-guest glibc hal dbus
-
-##
-## Critical Path Packages
-## https://fedoraproject.org/wiki/Critical_path_package
-##
-
-# You can allow Bodhi to query for critpath packages from the Fedora Package
-# Database by setting this value to `pkgdb` or the Product Definition
-# Center by setting this value to `pdc`. If it isn't set, it'll just use the
-# hardcoded list below.
-critpath.type = pdc
-
-# You can hardcode a list of critical path packages instead of using the PackageDB
-critpath_pkgs = kernel
-
-# The number of admin approvals it takes to be able to push a critical path
-# update to stable for a pending release.
-critpath.num_admin_approvals = 0
-
-# The net karma required to submit a critial path update to a pending release)
-critpath.min_karma = 2
-
-# Allow critpath to submit for stable after 2 weeks with no negative karma
-critpath.stable_after_days_without_negative_karma = 14
-
-# The minimum amount of time an update must spend in testing before
-# it can reach the stable repository
-fedora.mandatory_days_in_testing = 7
-fedora_epel.mandatory_days_in_testing = 14
-fedora_modular.mandatory_days_in_testing = 7
-
-##
-## Release status
-##
-
-# Pre-beta enforces the Pre Beta policy defined here:
-# https://fedoraproject.org/wiki/Updates_Policy
-f27.status = pre_beta
-
-f27.post_beta.mandatory_days_in_testing = 7
-f27.post_beta.critpath.num_admin_approvals = 0
-f27.post_beta.critpath.min_karma = 2
-f27.post_beta.critpath.stable_after_days_without_negative_karma = 14
-
-f27.pre_beta.mandatory_days_in_testing = 3
-f27.pre_beta.critpath.num_admin_approvals = 0
-f27.pre_beta.critpath.min_karma = 1
-
-# The number of days worth of updates/comments to display
-feeds.num_days_to_show = 7
-feeds.max_entries = 20
-
-##
-## Buildroot Override
-##
-
-# Number of days before expiring overrides
-buildroot_overrides.expire_after = 1
-
-##
-## Groups
-##
-
-# FAS Groups that we want to pay attention to
-# When a user logs in, bodhi will look for any of these groups and associate #
-# them with the user. They will then appear as the users effective principals in
-# the format "group:groupname" and can be used in Pyramid ACE's.
-important_groups = proventesters provenpackager releng-team security_respons packager bodhiadmin virtmaint-sig kde-sig eclipse-sig infra-sig gnome-sig python-sig robotics-sig
-
-# Groups that can push updates for any package
-admin_packager_groups = provenpackager releng-team security_respons
-
-# User must be a member of this group to submit updates
-mandatory_packager_groups = packager
-
-##
-## updateinfo.xml configuraiton
-##
-updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.
-
-##
-## Authentication & Authorization
-##
-
-# pyramid.openid
-openid.success_callback = bodhi.server.security:remember_me
-openid.provider = https://id.stg.fedoraproject.org/openid/
-openid.url = https://id.stg.fedoraproject.org/
-openid_template = {username}.id.fedoraproject.org
-openid.sreg_required = email
-
-# CORS allowed origins for cornice services
-# This can be wide-open.  read-only, we don't care as much about.
-cors_origins_ro = *
-# This should be more locked down to avoid cross-site request forgery.
-cors_origins_rw = https://bodhi.stg.fedoraproject.org
-cors_connect_src = https://*.fedoraproject.org/ wss://hub.fedoraproject.org:9939/
-
-
-##
-## Pyramid settings
-##
-pyramid.reload_templates = false
-pyramid.debug_authorization = false
-pyramid.debug_notfound = false
-pyramid.debug_routematch = false
-pyramid.default_locale_name = en
-
-pyramid.includes =
-    pyramid_tm
-
-debugtoolbar.hosts = 127.0.0.1 ::1
-
-##
-## Database
-##
-sqlalchemy.url = postgresql://bodhi2:{{ bodhi2PasswordSTG }}@pgbdr.stg.phx2.fedoraproject.org/bodhi2
-
-##
-## Templates
-##
-mako.directories = bodhi:server/templates
-
-##
-## Authentication & Sessions
-##
-
-authtkt.secret = {{ bodhi2AuthTktSTG }}
-session.secret = {{ bodhi2SessionSecretSTG }}
-authtkt.secure = true
-# How long should an authorization ticket be valid for, in seconds? Defaults to one day.
-authtkt.timeout = 1209600
-
-# pyramid_beaker
-session.type = file
-session.data_dir = /var/cache/bodhi/sessions/data
-session.lock_dir = /var/cache/bodhi/sessions/lock
-session.key = {{ bodhi2SessionKeySTG }}
-session.cookie_on_exception = true
-# Tell the browser to only send the cookie over TLS
-session.secure = true
-# Create a cookie that is only valid for one day
-session.timeout = 86400
-cache.regions = default_term, second, short_term, long_term
-cache.type = memory
-cache.second.expire = 1
-cache.short_term.expire = 60
-cache.default_term.expire = 300
-cache.long_term.expire = 3600
-
-[server:main]
-use = egg:waitress#main
-host = 0.0.0.0
-port = 6543
-
-
-[pshell]
-m = bodhi.server.models
-t = transaction
-
-# Begin logging configuration
-
-[loggers]
-keys = root, bodhi, sqlalchemy
-
-[handlers]
-keys = console
-
-[formatters]
-keys = generic
-
-[logger_root]
-level = INFO
-handlers = console
-
-[logger_bodhi]
-level = DEBUG
-handlers =
-qualname = bodhi
-
-[logger_sqlalchemy]
-level = WARN
-handlers =
-qualname = sqlalchemy.engine
-# "level = INFO" logs SQL queries.
-# "level = DEBUG" logs SQL queries and results.
-# "level = WARN" logs neither.  (Recommended for production systems.)
-
-[handler_console]
-class = StreamHandler
-args = (sys.stderr,)
-level = NOTSET
-formatter = generic
-
-[formatter_generic]
-format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s
-
-# End logging configuration

roles/copr/backend/tasks/mount_fs.yml

@@ -3,7 +3,6 @@
 
 - name: mount up disk of copr repo
   mount: name=/var/lib/copr/public_html src='LABEL=copr-repo' fstype=ext4 state=mounted
-  when: env != "staging"
 
 - name: mount /tmp/
   mount: name=/tmp src='tmpfs' fstype=tmpfs state=mounted

roles/copr/frontend/tasks/main.yml

@@ -16,11 +16,7 @@
   tags:
   - packages
 
-- name: ensure python2-flask-whooshee is latest
+  # we install python-alembic because https://bugzilla.redhat.com/show_bug.cgi?id=1536058
-  dnf: state=latest name=python2-flask-whooshee
-  tags:
-  - packages
-
 - name: install additional pkgs for copr-frontend
   dnf: state=present pkg={{ item }}
   with_items:
@@ -28,6 +24,7 @@
   - "mod_ssl"
   - redis
   - pxz
+  - python-alembic
   tags:
   - packages
 
@@ -60,12 +57,12 @@
 
 - import_tasks: "psql_setup.yml"
 
-#- name: upgrade db to head
+- name: upgrade db to head
-#  command: alembic upgrade head
+  command: alembic upgrade head
-#  become: yes
+  become: yes
-#  become_user: copr-fe
+  become_user: copr-fe
-#  args:
+  args:
-#    chdir: /usr/share/copr/coprs_frontend/
+    chdir: /usr/share/copr/coprs_frontend/
 
 - name: set up admins
   command: ./manage.py alter_user --admin {{ item }}

roles/copr/frontend/templates/httpd/coprs_ssl.conf.j2

@@ -4,7 +4,7 @@
     # Use secure TLSv1.1 and TLSv1.2 ciphers
     SSLCipherSuite {{ ssl_ciphers }}
     SSLHonorCipherOrder on
-    Header always add Strict-Transport-Security "max-age=15768000; preload"
+    Header always add Strict-Transport-Security "max-age=31536000; preload"
 
     SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
     SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
@@ -48,7 +48,7 @@
     # Use secure TLSv1.1 and TLSv1.2 ciphers
     SSLCipherSuite {{ ssl_ciphers }}
     SSLHonorCipherOrder on
-    Header always add Strict-Transport-Security "max-age=15768000; preload"
+    Header always add Strict-Transport-Security "max-age=31536000; preload"
 
     SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
     SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key

roles/dhcp_server/files/dhcpd.conf.noc01.phx2.fedoraproject.org

@@ -202,6 +202,11 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
     option routers 10.5.129.254;
     option log-servers 10.5.126.29;
 
+    range 10.5.129.200 10.5.129.209;
+    next-server 10.5.126.41;
+    filename "/uefi/grubaa64.efi";
+
+
     host ppc8-01 {
 	hardware ethernet 40:f2:e9:5d:39:43;
 	fixed-address 10.5.129.20;
@@ -235,7 +240,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.101;
         next-server 10.5.126.41;
         option host-name "aarch64-c01n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c02n1 {
@@ -243,7 +248,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.102;
         next-server 10.5.126.41;
         option host-name "aarch64-c02n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c03n1 {
@@ -251,7 +256,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.103;
         next-server 10.5.126.41;
         option host-name "aarch64-c03n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c04n1 {
@@ -259,7 +264,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.104;
         next-server 10.5.126.41;
         option host-name "aarch64-c04n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c05n1 {
@@ -267,7 +272,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.105;
         next-server 10.5.126.41;
         option host-name "aarch64-c05n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c06n1 {
@@ -275,7 +280,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.106;
         next-server 10.5.126.41;
         option host-name "aarch64-c06n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c07n1 {
@@ -283,7 +288,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.107;
         next-server 10.5.126.41;
         option host-name "aarch64-c07n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c08n1 {
@@ -291,15 +296,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.108;
         next-server 10.5.126.41;
         option host-name "aarch64-c08n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c09n1 {
-        hardware ethernet 14:58:D0:58:E5:B2;
+        hardware ethernet 14:58:D0:58:A5:52;
         fixed-address 10.5.129.109;
         next-server 10.5.126.41;
         option host-name "aarch64-c09n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c10n1 {
@@ -307,7 +312,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.110;
         next-server 10.5.126.41;
         option host-name "aarch64-c10n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c11n1 {
@@ -315,7 +320,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.111;
         next-server 10.5.126.41;
         option host-name "aarch64-c11n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c12n1 {
@@ -323,7 +328,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.112;
         next-server 10.5.126.41;
         option host-name "aarch64-c12n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c13n1 {
@@ -331,15 +336,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.113;
         next-server 10.5.126.41;
         option host-name "aarch64-c13n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c14n1 {
-        hardware ethernet 14:58:D0:58:75:32;
+        hardware ethernet 14:58:D0:58:65:E2;
         fixed-address 10.5.129.114;
         next-server 10.5.126.41;
         option host-name "aarch64-c14n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c15n1 {
@@ -347,7 +352,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.115;
         next-server 10.5.126.41;
         option host-name "aarch64-c15n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c16n1 {
@@ -355,15 +360,15 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.116;
         next-server 10.5.126.41;
         option host-name "aarch64-c16n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c17n1 {
-        hardware ethernet 14:58:D0:58:C4:F2;
+        hardware ethernet 14:58:d0:58:e5:32;
         fixed-address 10.5.129.117;
         next-server 10.5.126.41;
         option host-name "aarch64-c17n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c18n1 {
@@ -371,7 +376,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.118;
         next-server 10.5.126.41;
         option host-name "aarch64-c18n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c19n1 {
@@ -379,7 +384,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.119;
         next-server 10.5.126.41;
         option host-name "aarch64-c19n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c20n1 {
@@ -387,7 +392,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.120;
         next-server 10.5.126.41;
         option host-name "aarch64-c20n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c21n1 {
@@ -395,7 +400,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.121;
         next-server 10.5.126.41;
         option host-name "aarch64-c21n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c22n1 {
@@ -403,7 +408,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.122;
         next-server 10.5.126.41;
         option host-name "aarch64-c22n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c23n1 {
@@ -411,7 +416,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.123;
         next-server 10.5.126.41;
         option host-name "aarch64-c23n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c24n1 {
@@ -419,7 +424,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.124;
         next-server 10.5.126.41;
         option host-name "aarch64-c24n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-c25n1 {
@@ -427,7 +432,7 @@ subnet 10.5.129.0 netmask 255.255.255.0 {
         fixed-address 10.5.129.125;
         next-server 10.5.126.41;
         option host-name "aarch64-c25n1";
-        filename "grubaa64.efi";
+        filename "/uefi/grubaa64.efi";
     }
 
 }
@@ -1777,7 +1782,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
 	 fixed-address 10.5.78.70;
 	 option host-name "compose-aarch64-01";
 	 next-server 10.5.126.41;
-	 filename "grubaa64.efi";
+	 filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-02a {
@@ -1785,7 +1790,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
 	 fixed-address 10.5.78.75;
 	 option host-name "aarch64-02a";
 	 next-server 10.5.126.41;
-	 filename "grubaa64.efi";
+	 filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-03a {
@@ -1793,7 +1798,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
 	 fixed-address 10.5.78.80;
 	 option host-name "aarch64-03a";
 	 next-server 10.5.126.41;
-	 filename "grubaa64.efi";
+	 filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-04a {
@@ -1801,7 +1806,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
 	 fixed-address 10.5.78.85;
 	 option host-name "aarch64-04a";
 	 next-server 10.5.126.41;
-	 filename "grubaa64.efi";
+	 filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-05a {
@@ -1809,7 +1814,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.150;
          option host-name "aarch64-05a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-06a {
@@ -1817,7 +1822,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.155;
          option host-name "aarch64-06a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-07a {
@@ -1825,7 +1830,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.160;
          option host-name "aarch64-07a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-08a {
@@ -1833,7 +1838,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.165;
          option host-name "aarch64-08a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-09a {
@@ -1841,7 +1846,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.170;
          option host-name "aarch64-09a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-10a {
@@ -1849,7 +1854,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.175;
          option host-name "aarch64-10a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-11a {
@@ -1857,7 +1862,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.180;
          option host-name "aarch64-11a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-12a {
@@ -1865,7 +1870,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.185;
          option host-name "aarch64-12a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-13a {
@@ -1873,7 +1878,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.190;
          option host-name "aarch64-13a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-14a {
@@ -1881,7 +1886,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.195;
          option host-name "aarch64-14a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
     host aarch64-15a {
@@ -1889,7 +1894,7 @@ subnet 10.5.78.0 netmask 255.255.255.0 {
          fixed-address 10.5.78.200;
          option host-name "aarch64-15a";
          next-server 10.5.126.41;
-         filename "grubaa64.efi";
+         filename "/uefi/grubaa64.efi";
     }
 
 }

roles/distgit/files/robots-pkgs.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

roles/distgit/files/robots-src.txt

@@ -0,0 +1,8 @@
+User-agent: *
+Disallow: /cgit/
+
+User-agent: *
+Disallow: /git/
+
+User-agent: *
+Disallow: /repo/

roles/distgit/pagure/templates/pagure-sync-bugzilla.py.j2

@@ -96,8 +96,6 @@ BUGZILLA_OVERRIDE_REPO = 'releng/fedora-scm-requests'
 NOTIFYEMAIL = [
     'kevin@fedoraproject.org',
     'pingou@fedoraproject.org',
-    'ralph@fedoraproject.org',
-    'mprahl@fedoraproject.org',
 ]
 VERBOSE = False
 DRYRUN = False

roles/distgit/pagure/templates/z_pagure.conf

@@ -11,7 +11,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
 #  SSLEngine on
 #  SSLProtocol all -SSLv2 -SSLv3
 #  # Use secure TLSv1.1 and TLSv1.2 ciphers
-#  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+#  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
 #  SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
 #  SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert

roles/distgit/tasks/main.yml

@@ -114,6 +114,14 @@
   tags:
   - distgit
 
+- name: Install robots.txt files
+  copy: src={{item}} dest=/var/www/{{item}}
+  with_items:
+  - robots-pkgs.txt
+  - robots-src.txt
+  tags:
+  - distgit
+
 - name: install the DistGit related httpd config
   copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf
   notify:

roles/distgit/templates/lookaside-upload.conf

@@ -12,12 +12,32 @@ SSLRandomSeed startup file:/dev/urandom  256
 SSLRandomSeed connect builtin
 SSLCryptoDevice builtin
 
+Alias /robots.txt /var/www/robots-src.txt
+<Location /robots.txt>
+    Require all granted
+</Location>
+
 <VirtualHost _default_:80>
     ServerName pkgs{{ env_suffix }}.fedoraproject.org
-    #Redirect "/" "https://src{{ env_suffix }}.fedoraproject.org/"
+    #RewriteCond expr "! -R '192.168.0.0/16'"        
-    # This is temporary for fixing Kojid because of firewall rules
+    #RewriteCond expr "! -R '10.0.0.0/8'"            
+    #RewriteRule ^(.*)$ https://src.fedoraproject.org/$1 [L,R]
     Alias /repo/ /srv/cache/lookaside/
 
+    <Location />
+        Require ip 127.0.0.1
+        Require ip ::1
+        Require ip 10.0.0.0/8
+        Require ip 192.168.0.0/16
+    </Location>
+
+    CustomLog "logs/pkgs-access.log" combined
+    ErrorLog "logs/pkgs-error.log"
+    Alias /robots.txt /var/www/robots-pkgs.txt
+    <Location /robots.txt>
+        Require all granted
+    </Location>
+
     RewriteEngine on
     RewriteRule "^/$" "https://src{{ env_suffix }}.fedoraproject.org/"
     RewriteRule "^/login/$" "https://src{{ env_suffix }}.fedoraproject.org/login/"

roles/fas_server/templates/fas.cfg.j2

@@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
 
 # Usernames that are unavailable for fas allocation
 {% if env == "staging" %}
-username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
+username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
 {% else %}
-username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
+username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
 {% endif %}
 email_domain_blacklist = "{{ fas_blocked_emails }}"