Add a first cut at a s390 koji hub and db.

These are using the normal koji hub and postgresql playbooks
and will live on virthost-s390.qa.

inventory/host_vars/db-s390-koji01.qa.fedoraproject.org

@@ -0,0 +1,42 @@
+---
+nm: 255.255.255.0
+gw: 10.5.131.254
+dns: 10.5.126.21
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.131.16
+vmhost: virthost-ss390.qa.fedoraproject.org
+datacenter: phx2
+
+ks_url: http://infrastructure.phx2.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://infrastructure.phx2.fedoraproject.org/repo/rhel/RHEL7-x86_64/
+
+# This is a generic list, monitored by collectd
+databases:
+- koji
+
+# This is a more strict list, to be made publicly available
+dbs_to_backup:
+- koji
+
+# These are normally group variables, but in this case db servers are often different
+lvm_size: 500000
+mem_size: 25165
+num_cpus: 12
+fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-secondary
+
+# kernel SHMMAX value
+kernel_shmmax: 68719476736
+
+#
+# Only allow postgresql access from the frontend node.
+#
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.131.15 --dport 5432 -j ACCEPT' ]
+
+#
+# Large updates pushes cause lots of db threads doing the tag moves, so up this from default. 
+# 
+nrpe_procs_warn: 600
+nrpe_procs_crit: 700
+
+host_backup_targets: ['/backups']
+shared_buffers: "4GB"

inventory/host_vars/s390-koji01.qa.fedoraproject.org

@@ -0,0 +1,12 @@
+---
+nm: 255.255.255.0
+gw: 10.5.131.254
+dns: 10.5.126.21
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.131.15
+vmhost: virthost-s390.phx2.fedoraproject.org
+datacenter: phx2
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000

inventory/inventory

@@ -223,6 +223,7 @@ db05.phx2.fedoraproject.org
 db-fas01.phx2.fedoraproject.org
 db-datanommer02.phx2.fedoraproject.org
 db-koji01.phx2.fedoraproject.org
+db-s390-koji01.qa.fedoraproject.org
 db-qa01.qa.fedoraproject.org
 
 [dbserver-stg]
@@ -298,6 +299,7 @@ keys02.fedoraproject.org
 [koji]
 koji01.phx2.fedoraproject.org
 koji02.phx2.fedoraproject.org
+s390-koji01.qa.fedoraproject.org
 
 [koji-stg]
 koji01.stg.phx2.fedoraproject.org

master.yml

@@ -68,7 +68,7 @@
 - include: /srv/web/infra/ansible/playbooks/groups/notifs-backend.yml
 - include: /srv/web/infra/ansible/playbooks/groups/notifs-web.yml
 - include: /srv/web/infra/ansible/playbooks/groups/nuancier.yml
-- include: /srv/web/infra/ansible/playbooks/groups/openstack-compute-nodes.yml
+#- include: /srv/web/infra/ansible/playbooks/groups/openstack-compute-nodes.yml
 - include: /srv/web/infra/ansible/playbooks/groups/packages.yml
 - include: /srv/web/infra/ansible/playbooks/groups/pagure.yml
 - include: /srv/web/infra/ansible/playbooks/groups/paste.yml
@@ -114,7 +114,7 @@
 - include: /srv/web/infra/ansible/playbooks/hosts/devpi.cloud.fedoraproject.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/darkserver-dev.cloud.fedoraproject.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/elections-dev.cloud.fedoraproject.org.yml
-- include: /srv/web/infra/ansible/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
+#- include: /srv/web/infra/ansible/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/fedocal.dev.fedoraproject.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/junk01.phx2.fedoraproject.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/koschei.cloud.fedoraproject.org.yml

playbooks/groups/koji-hub.yml

@@ -3,7 +3,7 @@
 # NOTE: most of these vars_path come from group_vars/koji-hub or from hostvars
 
 - name: make koji hub
-  hosts: koji-stg:koji01.phx2.fedoraproject.org:koji02.phx2.fedoraproject.org
+  hosts: koji-stg:koji01.phx2.fedoraproject.org:koji02.phx2.fedoraproject.org:s390-koji01.qa.fedoraproject.org
   user: root
   gather_facts: False
 
@@ -21,7 +21,7 @@
 # Once the instance exists, configure it. 
 
 - name: make koji_hub server system
-  hosts: koji-stg:koji01.phx2.fedoraproject.org:koji02.phx2.fedoraproject.org
+  hosts: koji-stg:koji01.phx2.fedoraproject.org:koji02.phx2.fedoraproject.org:s390-koji01.qa.fedoraproject.org
   user: root
   gather_facts: True
 
@@ -43,11 +43,15 @@
   - koji_hub
   - { role: koji_builder, when: env == "staging" }
   - { role: nfs/server, when: env == "staging" }
-  - { role: keepalived, when: env != "staging" }
+  - { role: keepalived, when: env == "production" and inventory_hostname.startswith('koji') }
   - role: nfs/client
     mnt_dir: '/mnt/fedora_koji'
     nfs_src_dir: 'fedora_koji'
-    when: env != 'staging'
+    when: env == 'production' and inventory_hostname.startswith('koji')
+  - role: nfs/client
+    mnt_dir: '/mnt/koji'
+    nfs_src_dir: 'fedora_s390/data'
+    when: env == 'production' and inventory_hostname.startswith('s390')
   - sudo
 
   tasks:

playbooks/groups/postgresql-server.yml

@@ -3,7 +3,7 @@
 # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
 
 - name: make postgresql-server instance
-  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org
+  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.qa.fedoraproject.org
   user: root
   gather_facts: False
 
@@ -21,7 +21,7 @@
 # Once the instance exists, configure it. 
 
 - name: configure postgresql server system
-  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org
+  hosts: db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.qa.fedoraproject.org
   user: root
   gather_facts: True
 

roles/koji_hub/files/koji-ssl.conf.s390

@@ -0,0 +1,226 @@
+#
+# When we also provide SSL we have to listen to the 
+# the HTTPS port in addition.
+#
+Listen 443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/run/httpd/sslcache(1024000)
+SSLSessionCacheTimeout  600
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect.  Disable SSLv2 access by default:
+SSLProtocol all -SSLv2
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on 
+
+#   Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate.  If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase.  Note that a kill -HUP will prompt again.  A new
+# certificate can be generated using the genkey(1) command.
+#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+SSLCertificateFile /etc/pki/tls/certs/koji_cert.pem
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+SSLCertificateKeyFile /etc/pki/tls/private/koji_key.pem
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+SSLCertificateChainFile /etc/pki/tls/certs/extras_cacert.pem
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+SSLCACertificateFile /etc/pki/tls/certs/extras_upload_cacert.pem
+
+SSLCARevocationFile  /etc/pki/tls/crl.pem
+SSLCARevocationCheck chain
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is send or allowed to received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is send and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+RewriteEngine on
+RewriteRule  ^/$    /koji [R,L]
+</VirtualHost>                                  
+

roles/koji_hub/tasks/main.yml

@@ -76,6 +76,9 @@
   - config
   - koji_hub
 
+#
+# install production certs and keys
+#
 - name: install kojiweb_cert_key.pem
   copy: src={{ puppet_private }}/koji/kojiweb_cert_key.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem owner=apache mode=600
   notify:
@@ -83,7 +86,7 @@
   tags:
   - config
   - koji_hub
-  when: env != 'staging'
+  when: env != 'staging' and ansible_hostname.startswith('koji')
 
 - name: install production koji_cert.pem
   copy: src={{ puppet_private }}/koji/koji_cert.pem dest=/etc/pki/tls/certs/koji_cert.pem owner=apache mode=600
@@ -92,7 +95,7 @@
   tags:
   - config
   - koji_hub
-  when: env != 'staging'
+  when: env != 'staging' and ansible_hostname.startswith('koji')
 
 - name: install production koji_key.pem
   copy: src={{ puppet_private }}/koji/koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600
@@ -101,8 +104,41 @@
   tags:
   - config
   - koji_hub
-  when: env != 'staging'
+  when: env != 'staging' and ansible_hostname.startswith('koji')
 
+#
+# install production s390 certs and keys
+#
+- name: install s390 kojiweb_cert_key.pem
+  copy: src={{ private }}/files/koji/s390.koji.fedoraproject.org_key_and_cert.pem dest=/etc/pki/tls/private/kojiweb_cert_key.pem owner=apache mode=600
+  notify:
+  - restart httpd
+  tags:
+  - config
+  - koji_hub
+  when: ansible_hostname.startswith('s390')
+
+- name: install s390 production koji_cert.pem
+  copy: src={{ private }}/files/koji/s390_koji_cert.pem dest=/etc/pki/tls/certs/koji_cert.pem owner=apache mode=600
+  notify:
+  - restart httpd
+  tags:
+  - config
+  - koji_hub
+  when: ansible_hostname.startswith('s390')
+
+- name: install s390 production koji_key.pem
+  copy: src={{ private }}/files/koji/s390_koji_key.pem dest=/etc/pki/tls/private/koji_key.pem owner=apache mode=600
+  notify:
+  - restart httpd
+  tags:
+  - config
+  - koji_hub
+  when: ansible_hostname.startswith('s390')
+
+#
+# install staging certs and keys
+#
 - name: Install staging koji ssl cert
   copy: src={{ puppet_private }}/koji/koji.stg_cert.pem dest=/etc/pki/tls/certs/koji.stg_cert.pem
   notify:
@@ -137,6 +173,14 @@
   tags:
   - config
   - koji_hub
+  when: ansible_hostname.startswith('koji')
+
+- name: install s390 kojira_cert_key
+  copy: src={{ private }}/files/koji/s390_kojira_cert_key.pem dest=/etc/kojira/kojira_cert_key.pem owner=apache mode=600
+  tags:
+  - config
+  - koji_hub
+  when: ansible_hostname.startswith('s390')
 
 - name: updatecrl script
   copy: src=updatecrl.sh dest=/usr/local/bin/updatecrl.sh owner=root mode=755
@@ -258,21 +302,25 @@
   tags:
   - service
   - koji_hub
+  when: env != 'staging' and ansible_hostname.startswith('koji')
 
 - name: install cert for oscar (garbage collector) user
   copy: src={{ puppet_private }}/koji/gc/oscar_key_and_cert.pem dest=/etc/koji-gc/client.crt
   tags:
   - koji_hub
+  when: env != 'staging' and ansible_hostname.startswith('koji')
 
 - name: install serverca cert for oscar (garbage collector) user
   copy: src={{ puppet_private }}/fedora-ca.cert dest=/etc/koji-gc/serverca.crt
   tags:
   - koji_hub
+  when: env != 'staging' and ansible_hostname.startswith('koji')
 
 - name: install clientca cert for oscar (garbage collector) user
   copy: src={{ puppet_private }}/fedora-ca.cert dest=/etc/koji-gc/clientca.crt
   tags:
   - koji_hub
+  when: env != 'staging' and ansible_hostname.startswith('koji')
 
 - name: install koji-gc.conf
   copy: src=koji-gc.conf dest=/etc/koji-gc/koji-gc.conf

roles/koji_hub/templates/hub.conf.j2

@@ -3,8 +3,13 @@
 ## Basic options ##
 DBName = koji      
 DBUser = koji      
+{% if ansible_hostname.startswith('koji') %}
 DBHost = db-koji01
 DBPass = {{ kojiPassword }}
+{% elseif ansible_hostname == 's390-koji01.qa.fedoraproject.org' %}
+DBHost = db-s390-koji01
+DBPass = {{ s390kojiPassword }}
+{% endif %}
 KojiDir = /mnt/koji       
 MemoryWarnThreshold = 10000
 MaxRequestLength = 83886080
@@ -14,8 +19,12 @@ MaxRequestLength = 83886080
 
 ## the client username is the common name of the subject of their client certificate
 DNUsernameComponent = CN
+{% if ansible_hostname.startswith('koji') %}
 ## separate multiple DNs with |
 ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US|emailAddress=releng@fedoraproject.org,CN=sign-bridge1,OU=Package Signing,O=Fedora Project,ST=North Carolina,C=US
+{% elseif ansible_hostname == 's390-koji01.qa.fedoraproject.org' %}
+ProxyDNs = /C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=s390.koji.fedoraproject.org/emailAddress=buildsys@fedoraproject.org|/C=US/ST=North Carolina/O=Fedora Project/OU=secondary arch/CN=secondary-signer/emailAddress=ausil@fedoraproject.org
+{% endif %}
 
 ## end SSL client certificate auth configuration
 
@@ -23,7 +32,11 @@ ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders
 
 ##  Other options  ##
 LoginCreatesUser = On
+{% if ansible_hostname.startswith('koji') %}
 KojiWebURL = http://koji.fedoraproject.org/koji
+{% elseif ansible_hostname == 's390-koji01.qa.fedoraproject.org' %}
+KojiWebURL = http://s390.koji.fedoraproject.org/koji
+{% endif %}
 # The domain name that will be appended to Koji usernames
 # when creating email notifications
 EmailDomain = fedoraproject.org
@@ -57,6 +70,7 @@ DisableNotifications = True
 #Plugins = darkserver-plugin
 Plugins = fedmsg-koji-plugin
 
+{% if ansible_hostname.startswith('koji') %}
 [policy]
 
 
@@ -96,3 +110,4 @@ build_from_srpm =
     tag el6-docs && has_perm docs :: allow
     all :: deny
 
+{% endif %}

roles/koji_hub/templates/web.conf.j2

@@ -6,6 +6,9 @@ SiteName = koji
 {% if env == 'staging' %}
 KojiHubURL = http://koji.stg.fedoraproject.org/kojihub
 KojiFilesURL = https://kojipkgs.stg.fedoraproject.org/
+{% else if ansible_hostname == 's390-koji01.qa.fedoraproject.org' %}
+KojiHubURL = http://s390.koji.fedoraproject.org/kojihub
+KojiFilesURL = http://s390.koji.fedoraproject.org/kojifiles
 {% else %}
 KojiHubURL = http://koji.fedoraproject.org/kojihub
 KojiFilesURL = https://kojipkgs.fedoraproject.org/
@@ -16,7 +19,6 @@ WebCert = /etc/pki/tls/private/kojiweb_cert_key.pem
 ClientCA = /etc/pki/tls/certs/upload_cacert.pem
 KojiHubCA = /etc/pki/tls/certs/extras_cacert.pem
 
-
 LoginTimeout = 72
 
 # This must be changed and uncommented before deployment