Merge branch 'master' of /git/ansible

This commit is contained in:
Nick Bebout 2017-05-02 18:08:45 +00:00
commit 30d3002882
76 changed files with 663 additions and 99 deletions


@ -243,7 +243,8 @@ buildppcle-04.ppc.fedoraproject.org
[buildaarch64]
aarch64-02a.arm.fedoraproject.org
aarch64-03a.arm.fedoraproject.org
# Marked DEAD in pdu
#aarch64-03a.arm.fedoraproject.org
aarch64-04a.arm.fedoraproject.org
aarch64-05a.arm.fedoraproject.org
aarch64-06a.arm.fedoraproject.org


@ -149,7 +149,6 @@ phx2_management_limited:
- rack47-pdu-b.mgmt.fedoraproject.org
- rack47-serial.mgmt.fedoraproject.org
- rack48-pdu-a.mgmt.fedoraproject.org
- rack48-pdu-b.mgmt.fedoraproject.org
- rack48-serial.mgmt.fedoraproject.org
- rack51-pdu-a.mgmt.fedoraproject.org
- rack51-pdu-b.mgmt.fedoraproject.org


@ -27,6 +27,7 @@ grokmirror_repos:
- { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'}
- { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'}
- { name: fedoraqa/fedora-cloud-tests, url: 'https://pagure.io/taskotron/task-fedora-cloud-tests.git'}
- { name: fedoraqa/modularity-testing-framework, url: 'https://pagure.io/taskotron/task-modularity-testing-framework.git'}
grokmirror_user: grokmirror
grokmirror_default_branch: master


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
ansible_ifcfg_blacklist: true


@ -2,7 +2,7 @@
instance_type: m1.medium
image: "{{ el6_qcow_id }}"
keypair: fedora-admin
security_group: webserver
security_group: webserver,all-icmp-persistent,default
zone: nova
hostbase: blockerbugs-dev-
public_ip: 209.132.184.200


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -3,7 +3,7 @@ instance_type: ms1.small
image: "{{ fedora25_x86_64 }}"
#image: rhel7-20141015
keypair: fedora-admin-20130801
security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default
security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
zone: nova
hostbase: copr-dist-git-dev-
public_ip: 209.132.184.179


@ -2,7 +2,7 @@
instance_type: ms1.medium.bigswap
image: "{{ fedora25_x86_64 }}"
keypair: fedora-admin-20130801
security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default
security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
zone: nova
hostbase: copr-dist-git-
public_ip: 209.132.184.163


@ -2,7 +2,7 @@
instance_type: m1.medium
image: "{{ fedora25_x86_64 }}"
keypair: fedora-admin-20130801
security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default
security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
zone: nova
hostbase: copr-fe-dev-
public_ip: 209.132.184.55


@ -5,7 +5,7 @@ base_pkgs_erase: ['PackageKit*', 'sendmail', 'at']
instance_type: ms1.medium
image: "{{ fedora25_x86_64 }}"
keypair: fedora-admin-20130801
security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default
security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent
zone: nova
hostbase: copr-fe-
public_ip: 209.132.184.54


@ -3,7 +3,7 @@ instance_type: ms1.small
image: "{{ fedora25_x86_64 }}"
keypair: fedora-admin-20130801
# todo: remove some security groups ?
security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent
security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
zone: nova
hostbase: copr-keygen-dev-
public_ip: 209.132.184.46
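Review bot: Reading the second `security_group` line as the new value, copr-keygen-dev loses `allow-nagios-persistent` when `all-icmp-persistent` is added, whereas the other instances in this commit only append (copr-fe in the previous section keeps the nagios group, and the section whose value ends in `allow-nagios-persistent,default` gains `all-icmp-persistent` alongside it). If the nagios check path to this host is still needed, that access is silently dropped; if the removal is deliberate, the `# todo: remove some security groups ?` comment above should say so. Otherwise the line would be `security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent,all-icmp-persistent`.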


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.large
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: "{{ fedora25_x86_64 }}"
instance_type: m1.large
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -1,4 +0,0 @@
---
resolvconf: "resolv.conf/cloud"
tcp_ports: [80, 443]
freezes: false


@ -2,7 +2,7 @@
image: "{{ fedora23_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,pg-5432-anywhere,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,pg-5432-anywhere,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443, 5432]


@ -2,7 +2,7 @@
image: "{{ centos66_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -1,7 +1,7 @@
instance_type: m1.medium
image: rhel7-20141015
keypair: fedora-admin-20130801
security_group: default,ssh-anywhere-persistent
security_group: default,ssh-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: Fedora-Cloud-Base-23.x86_64-python2
instance_type: m1.large
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: "{{ fedora23_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -1,7 +1,7 @@
instance_type: m1.large
image: "{{ fedora23_x86_64 }}"
keypair: fedora-admin-20130801
security_group: default,wide-open-persistent
security_group: default,wide-open-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
custom_rules:


@ -0,0 +1,18 @@
---
image: "{{ fedora25_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,all-icmp-persistent,default,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
inventory_tenant: persistent
inventory_instance_name: hubs-dev
hostbase: hubs-dev
public_ip: 209.132.184.47
root_auth_users: sayan
description: hubs development instance
cloud_networks:
# persistent-net
- net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
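Review bot: `security_group` in this new vars file lists `all-icmp-persistent` twice (second and last entry); whether the cloud module de-duplicates the comma-separated list or rejects the duplicate is not visible here, and either way it is noise that the other host files in this commit do not have. Suggested line: `security_group: ssh-anywhere-persistent,all-icmp-persistent,default,web-80-anywhere-persistent,web-443-anywhere-persistent`. The `cloud_networks` list may continue past the end of the hunk.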


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
ansible_ifcfg_blacklist: true


@ -2,7 +2,7 @@
image: "{{ fedora25_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: "{{ fedora24_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.large
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.large
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,allow-nagios-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,allow-nagios-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: "{{ fedora23_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: "Fedora-Cloud-Base-24 (Final)"
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: modularity,ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: modularity,ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: "{{ fedora24_x86_64 }}"
instance_type: m1.large
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -1,2 +0,0 @@
---
host_backup_targets: ['/var/lib/phabricator/files', '/srv/backup']


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: wide-open-persistent,default
security_group: wide-open-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 6969]


@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: "{{ fedora25_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: "{{ fedora23_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -2,7 +2,7 @@
image: 'rhel7-20141015'
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]


@ -139,7 +139,7 @@ osuosl01.fedoraproject.org
osuosl02.fedoraproject.org
osuosl03.fedoraproject.org
tummy01.fedoraproject.org
virthost-rdu01.fedoraproject.org
#virthost-rdu01.fedoraproject.org
virthost-cc-rdu01.fedoraproject.org
[datagrepper]
@ -269,7 +269,7 @@ autocloud-backend01.stg.phx2.fedoraproject.org
autocloud-backend02.stg.phx2.fedoraproject.org
[autosign]
#autosign01.phx2.fedoraproject.org
autosign01.phx2.fedoraproject.org
[autosign-stg]
autosign01.stg.phx2.fedoraproject.org
@ -367,9 +367,6 @@ fas01.stg.phx2.fedoraproject.org
[fas3-stg]
fas3-01.stg.phx2.fedoraproject.org
[hosted]
hosted03.fedoraproject.org
[hotness]
hotness01.phx2.fedoraproject.org
@ -634,7 +631,7 @@ proxy09.fedoraproject.org
proxy10.phx2.fedoraproject.org
proxy11.fedoraproject.org
proxy12.fedoraproject.org
proxy13.fedoraproject.org
#proxy13.fedoraproject.org
proxy14.fedoraproject.org
[proxies-stg]
@ -1092,10 +1089,6 @@ pdc-backend03.stg.phx2.fedoraproject.org
[piwik-stg]
#piwik01.stg.phx2.fedoraproject.org
[transient-cloud]
# fedora-hubs-dev
209.132.184.98
[persistent-cloud]
# artboard instance
artboard.fedorainfracloud.org
@ -1160,6 +1153,8 @@ kolinahr.fedorainfracloud.org
respins.fedorainfracloud.org
# waiverdb-dev - ticket 6009
waiverdb-dev.fedorainfracloud.org
# hubs-dev
hubs-dev.fedorainfracloud.org
#
# These are in the new cloud
@ -1209,7 +1204,6 @@ dns
bastion
backup
infracore
hosted
smtp-mm
memcached
virthost


@ -142,6 +142,7 @@
- include: /srv/web/infra/ansible/playbooks/hosts/glittergallery-dev.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/grafana.cloud.fedoraproject.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/graphite.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/iddev.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml


@ -58,3 +58,10 @@
- { role: tftp_server, when: datacenter == 'phx2' }
- nagios_server
- fedmsg/base
tasks:
- name: install some packages which arent in playbooks
yum: pkg={{ item }} state=present
with_items:
- nmap
- tcpdump
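Review bot: The added task uses key=value module args (`yum: pkg={{ item }} state=present`) in a play that otherwise lists its roles in block YAML, and `pkg` is an alias rather than the module's canonical `name` argument. Writing it as `yum:` / `  name: "{{ item }}"` / `  state: present` keeps the Jinja expression quoted and matches the rest of the repository's newer tasks. The play starts outside the hunk, so the indentation of `tasks:` relative to `roles:` cannot be checked here.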


@ -1,16 +1,33 @@
- name: provision instance
hosts: 209.132.184.98 # this is transient.. so may change if we destroy it.
user: root
gather_facts: True
- name: check/create instance
hosts: hubs-dev.fedorainfracloud.org
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/fedora-cloud.yml
- /srv/private/ansible/files/openstack/passwords.yml
tasks:
- include: "{{ tasks_path }}/persistent_cloud.yml"
- name: setup all the things
hosts: hubs-dev.fedorainfracloud.org
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- include: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
tasks:
- include: "{{ tasks_path }}/yumrepos.yml"
- yum: name={{item}} state=present
- dnf: name={{item}} state=present
with_items:
- git
@ -42,7 +59,7 @@
- src: /srv/git/fedora-hubs/systemd/hubs-webapp.service
dest: /usr/lib/systemd/system/hubs-webapp.service
remote_src: True
- yum: name={{item}} state=present
- dnf: name={{item}} state=present
with_items:
- htop
- tmux
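Review bot: The `setup all the things` play loads `/srv/private/ansible/files/openstack/passwords.yml` in its `vars_files` (the entry after `/srv/private/ansible/vars.yml`), although only the `check/create instance` play includes `persistent_cloud.yml` and visibly needs OpenStack credentials; if the setup play does not use them, dropping that entry keeps the cloud secrets out of the variable scope used for ordinary configuration. Whether a later task in this play needs them cannot be confirmed from the hunk, since the play body continues beyond it. If the entry stays, a comment such as `# needed by tasks that query the cloud API` on that line would make the intent explicit.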


@ -24,3 +24,7 @@
- include: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
roles:
- nginx
- waiverdb


@ -49,10 +49,21 @@ def build_stats(commit):
for diff in diffs:
for patch in diff:
path = patch.new_file_path
files[path]['additions'] += patch.additions
files[path]['deletions'] += patch.deletions
files[path]['lines'] += patch.additions + patch.deletions
if hasattr(patch, 'new_file_path'):
path = patch.new_file_path
else:
path = patch.delta.new_file.path
if hasattr(patch, 'additions'):
files[path]['additions'] += patch.additions
files[path]['deletions'] += patch.deletions
files[path]['lines'] += patch.additions + patch.deletions
else:
files[path]['additions'] += patch.line_stats[1]
files[path]['deletions'] += patch.line_stats[2]
files[path]['lines'] += patch.line_stats[1] \
+ patch.line_stats[2]
total = defaultdict(int)
for name, stats in files.items():
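Review bot: The compatibility branches test `hasattr(patch, ...)` on every patch of every diff, and nothing records why two pygit2 APIs are handled; a comment above the loop such as `# older pygit2 exposes Patch.new_file_path/additions/deletions; newer releases use patch.delta.new_file.path and Patch.line_stats == (context, additions, deletions)` would explain the `[1]`/`[2]` indices. Detecting the API once before the loop, rather than per patch, would also read more clearly. The same block is duplicated in the second `build_stats` hunk further down this page, so both copies need the comment. `build_stats` begins above the hunk.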


@ -413,6 +413,11 @@
tags:
- bodhi
- name: ensure fedmsg-hub is enabled and started on the backend
service: name=fedmsg-hub enabled=yes state=started
tags:
- bodhi
#- name: have apache own /mnt/koji/mash/updates
# file: path=/mnt/koji/mash/updates state=directory recurse=yes owner=apache group=apache
# tags:


@ -53,10 +53,20 @@ def build_stats(commit):
for diff in diffs:
for patch in diff:
path = patch.new_file_path
files[path]['additions'] += patch.additions
files[path]['deletions'] += patch.deletions
files[path]['lines'] += patch.additions + patch.deletions
if hasattr(patch, 'new_file_path'):
path = patch.new_file_path
else:
path = patch.delta.new_file.path
if hasattr(patch, 'additions'):
files[path]['additions'] += patch.additions
files[path]['deletions'] += patch.deletions
files[path]['lines'] += patch.additions + patch.deletions
else:
files[path]['additions'] += patch.line_stats[1]
files[path]['deletions'] += patch.line_stats[2]
files[path]['lines'] += patch.line_stats[1] \
+ patch.line_stats[2]
total = defaultdict(int)
for name, stats in files.items():


@ -128,16 +128,9 @@ channel =
source */kernel* && has_perm secure-boot :: use secure-boot
source */shim* && has_perm secure-boot :: use secure-boot
source */grub2* && has_perm secure-boot :: use secure-boot
source */fedora-release* && has_perm secure-boot :: use secure-boot
source */fedora-repos* && has_perm secure-boot :: use secure-boot
source */pesign* && has_perm secure-boot :: use secure-boot
source */fwupdate* && has_perm secure-boot :: use secure-boot
# we have some arm builders that have ssd's in them, eclipse is 7 hours faster building on them so lets
# make sure that we always build eclipse on them.
source */eclipse* :: use eclipse
source */gcc* :: use eclipse
all :: use default


@ -28,7 +28,7 @@ config = {
"load_threshold": 1,
{% else %}
"max_builds": 60,
"build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le'],
"build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le', 's390x'],
"load_threshold": 0.65,
{% endif %}
"task_priority": 30,


@ -12,13 +12,6 @@ define service {
use disktemplate
}
define service {
hostgroup_name hosted
service_description Disk Space /srv
check_command check_by_nrpe!check_disk_/srv
use disktemplate
}
define service {
hostgroup_name qahardware
service_description Disk Space /srv


@ -1,3 +0,0 @@
#
# This file is dead.
#


@ -1,6 +1,6 @@
define service {
hostgroup noswap
service_description No Swap
hostgroup CheckSwap
service_description Swap-Is-Low
check_command check_by_nrpe!check_swap
use criticaltemplate
}


@ -184,7 +184,7 @@ define service {
define service {
hostgroup_name koji
service_description http-koji
check_command check_website!koji.fedoraproject.org!/koji/hosts!arm04-builder
check_command check_website!koji.fedoraproject.org!/koji/hosts!fedoraproject.org
use websitetemplate
}


@ -287,7 +287,6 @@ include_dir=/etc/nrpe.d/
command[check_nrpe]=/bin/date
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_hosted_load]=/usr/lib64/nagios/plugins/check_load -w 35,30,25 -c 70,60,50
command[check_raid]=/usr/lib64/nagios/plugins/check_raid.py
command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
command[check_disk_/u01]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /u01


@ -182,7 +182,6 @@
- file_age.cfg
- fmn.cfg
- haproxy.cfg
- hosted.cfg
- ipa.cfg
- koji.cfg
- koschei.cfg
@ -311,7 +310,7 @@
with_items:
- all.cfg
- nomail.cfg
- noswap.cfg
- checkswap.cfg
tags:
- nagios_server


@ -0,0 +1,6 @@
define hostgroup {
hostgroup_name CheckSwap
alias Swap-Is-Low
members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %}
}
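Review bot: The exclusion list in `members` is a near-verbatim copy of the one in `nomail.cfg` (this commit appends the same six hosts to both), so the two will drift the next time a gateway or management host changes. Consider moving the shared `!host` list into a group variable or a Jinja macro that both templates render, leaving only the `bastion`/`smtp-mm` loops specific to `nomail`. The separator spacing is also inconsistent (`!{{host}},` in some loops, `!{{host}}, ` in others), which produces uneven commas in the rendered file; Nagios appears to tolerate it, but one pattern is easier to read and diff.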


@ -1,6 +1,6 @@
define hostgroup {
hostgroup_name nomail
alias No Mail
members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %}
members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %}
}


@ -1,6 +0,0 @@
define hostgroup {
hostgroup_name noswap
alias No Swap
members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %}
}

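--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
+Overview
+========
+Role for using nginx. Sets up ssl certs in known locations and inactive
+template for application use.
+Role options
+------------
+* `update_ssl_certs` - Only push the SSL key and PEM files and restart Nginx
+SSL
+---
+This role will copy over key/crt by default.
+It can be disabled by setting `httpd_no_ssl` to true
+You will still need to configure the application to use ssl. A reference template templates/example_ssl.conf.j2 is provided
+The script will look for keys and certs in the paths specified by the
+`httpd_ssl_key_file`, `httpd_ssl_crt_file` and `httpd_ssl_pem_file` variables.
+If that fails, it will attempt to create key/crt pair if there isn't one already installed.
+If a pem file exists in the location specified by `httpd_ssl_pem_file`,
+it will be copied across as `ssl.pem`. Applications that required the certificate
+chain should point at `/etc/nginx/conf.d/ssl.pem`.
+Caveats
+-------
+The key, crt and pem will always be stored on the host under `/etc/nginx/conf.d/{{
+inventory_hostname }}.{key,crt,pem}` due to the multi-sourcing nature of the setup.
+Use `httpd_no_ssl` and setup as desired if it deviates from what is covered here.
+Logrotate
+---------
+A default template is configured.
+SELinux
+-------
+selinux contexts are application specific. Enable the following as needed by your setup:
+```
+httpd_can_network_relay
+httpd_can_network_memcache
+httpd_can_network_connect *
+httpd_can_network_connect_db *
+httpd_can_sendmail
+```
+- * commonly used items enabled by default
+Handlers
+--------
+restart nginx - restart the nginx service
+Variables
+---------
+* `service_name` - canonical name for service
+* `httpd_no_ssl` - don't set up ssl
+* `httpd_ssl_key_file` - local path to use as source for ssl.key file
+* `httpd_ssl_crt_file` - local path to use as source for ssl.crt file
+* `httpd_ssl_pem_file` - local path to use as source for ssl.pem file
+* `ssl_fast_dh` - whether to use a speedy method to generate Diffie Hellman
+parameters
+* `ssl_intermediate_ca_pattern` - pattern to check if certificate is
+self-signed
+* `ssl_self_signed_string` - location and CN settings for self signed cert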


@ -0,0 +1,18 @@
---
## set some defaults with the expectation that they will be set in/from calling role
service_name: "{{ inventory_hostname }}"
## nginx core configuration defaults
nginx_default_port: 80
nginx_error_level: "warn"
nginx_worker_processes: 1
nginx_gzip_status: "on"
## variables unset by default
httpd_no_ssl: false
httpd_ssl_key_file: "{{ ssl_key_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
httpd_ssl_crt_file: "{{ ssl_crt_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
httpd_ssl_pem_file: "{{ ssl_pem_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
ssl_self_signed_string: "/C=US/ST=New York/L=New York City/O=My Department/CN={{ service_name }}"
ssl_fast_dh: false
nginx_ssl_ca_line: "#ssl_client_certificate /path/to/ca/file;"
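Review bot: The README for this role (earlier on this page) documents `ssl_intermediate_ca_pattern` as a role variable, but it is neither defaulted here nor referenced in `ssl-setup.yml`, so either add a default or drop it from the README. The `/THIS/FILE/PROBABLY/DOESNT/EXIST` placeholders deserve a one-line comment stating their purpose, e.g. `## sentinel paths: with_first_found in ssl-setup.yml skips them so a self-signed cert is generated`. `ssl_self_signed_string` carries sample-looking organisation and location fields (`My Department`); confirm they are the intended subject for production self-signed certificates.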


@ -0,0 +1,13 @@
/var/log/nginx/*.log {
daily
missingok
rotate 30
compress
delaycompress
notifempty
create 640 nginx adm
sharedscripts
postrotate
[ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
endscript
}


@ -0,0 +1,44 @@
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
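Review bot: `default.conf` is the stock nginx sample installed verbatim, including its commented-out PHP and Apache proxy blocks; it adds a `listen 80` catch-all server on every interface while `nginx.conf.j2` in this same role already defines a `default_server` bound explicitly to loopback, so the two default servers overlap and the template's "local only actions" comment is easy to misread. Trim the file to the `location /` and `error_page` stanzas that are actually used, and add a header comment stating that this is the public placeholder vhost and that the loopback block in `nginx.conf` is the one that includes `/etc/nginx/default.d/*.conf`.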


@ -0,0 +1,5 @@
---
- name: restart nginx
service:
name: nginx
state: restarted


@ -0,0 +1,5 @@
---
- include: nginx.yml
- include: ssl-setup.yml
when: not httpd_no_ssl


@ -0,0 +1,33 @@
- name: install nginx
dnf:
name: nginx
state: present
- name: Ensure nginx is started and enabled to start at boot.
service: name=nginx state=started enabled=yes
- name: install nginx logrotation file
copy:
src: etc/logrotate.d/nginx
dest: /etc/logrotate.d/nginx
owner: root
group: root
mode: 0644
- name: install /etc/nginx/nginx.conf
template:
src: etc/nginx/nginx.conf.j2
dest: /etc/nginx/nginx.conf
owner: root
group: root
mode: 0644
notify: restart nginx
- name: install /etc/nginx/conf.d/default.conf
copy:
src: etc/nginx/conf.d/default.conf
dest: /etc/nginx/conf.d/default.conf
owner: root
group: root
mode: 0644
notify: restart nginx
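Review bot: `mode: 0644` is an unquoted octal that YAML 1.1 loaders read as the integer 420; Ansible maps that back correctly today, but file modes should be written as strings (`mode: "0644"`) so the value survives reformatting tools and YAML 1.2 loaders unchanged. The service task uses key=value syntax while every other task in the file uses block YAML; `service:` / `  name: nginx` / `  state: started` / `  enabled: true` would be consistent. The role installs with `dnf` only, which the README does not mention; `package:` would cover both yum- and dnf-based hosts if that is intended, otherwise document the dnf requirement.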


@ -0,0 +1,45 @@
- name: copy over ssl key
copy:
src: "{{ item }}"
dest: "/etc/nginx/conf.d/ssl.key"
with_first_found:
- files:
- "{{ httpd_ssl_key_file }}"
skip: True
register: setup_ssl_key
notify: restart nginx service
no_log: True
tags:
- update_ssl_certs
- name: copy over ssl pem file
copy:
src: "{{ item }}"
dest: "/etc/nginx/conf.d/ssl.pem"
with_first_found:
- files:
- "{{ httpd_ssl_pem_file }}"
- "{{ httpd_ssl_crt_file }}"
skip: True
register: setup_ssl_pem
when: setup_ssl_key|success
tags:
- update_ssl_certs
# generate our own key/crt if pem is missing
- name: generate self signed ssl certificate
command: openssl req -new -nodes -x509 -subj "{{ ssl_self_signed_string }}" -days 3650 -keyout /etc/nginx/conf.d/ssl.key -out /etc/nginx/conf.d/ssl.pem -extensions v3_ca
args:
creates: /etc/nginx/conf.d/ssl.pem
when: setup_ssl_key|failed or setup_ssl_pem|failed
- name: warn that the next step takes a while
debug:
msg: "the next step can take around 15 minutes if it hasn't already been done"
- name: create Diffie Hellman ephemeral parameters
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
command: openssl dhparam {{ '-dsaparam' if ssl_fast_dh else '' }} -out dhparam.pem 4096
args:
chdir: /etc/ssl/certs
creates: /etc/ssl/certs/dhparam.pem
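Review bot: The `copy over ssl key` task notifies `restart nginx service`, but the only handler defined in this role is `restart nginx` (handlers/main.yml earlier on this page), so a changed key will raise a missing-handler error instead of restarting nginx; change it to `notify: restart nginx`. The same task copies the private key with no `owner`/`mode`, so it lands with whatever the default umask gives (typically world-readable); add `owner: root`, `group: root`, `mode: "0600"` to that task and apply the same mode to the `-keyout` file on the self-signed path. With `skip: True`, an absent source makes `with_first_found` skip the task rather than fail it, so `setup_ssl_key|failed or setup_ssl_pem|failed` on the self-signed task likely never fires; `setup_ssl_key|skipped or setup_ssl_pem|skipped` matches the fallback the README describes.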


@ -0,0 +1,50 @@
user nginx;
worker_processes {{ nginx_worker_processes }};
error_log /var/log/nginx/error.log {{ nginx_error_level }};
{% if ansible_distribution_major_version == "7" %}
pid /run/nginx.pid;
{% else %}
pid /var/run/nginx.pid;
{% endif %}
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_names_hash_bucket_size 128;
include /etc/nginx/mime.types;
default_type application/octet-stream;
gzip {{ nginx_gzip_status }};
include /etc/nginx/conf.d/*.conf;
# bind server context for status explicitly to loopback to allow local only actions
server {
listen [::1]:{{ nginx_default_port }} default_server;
listen 127.0.0.1:{{ nginx_default_port }} default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
}
}
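Review bot: The `http` block sets no `server_tokens off;`, so responses and error pages carry the nginx version string; if version disclosure matters for these hosts, add it next to `sendfile on;`. The `pid` path is chosen per distribution here (`/run` vs `/var/run`), but the logrotate file this role installs hard-codes `/var/run/nginx.pid` in `postrotate`; that works only where `/var/run` is a symlink to `/run`, so the two should agree or the template should note the dependency. A comment above the `{% if %}` naming which distributions hit each branch would help the next editor.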


@ -0,0 +1,29 @@
# HTTPS server
#
#server {
# listen 443;
# server_name {{ service_name }};
# ssl on;
# ssl_certificate /etc/nginx/conf.d/ssl.pem;
# ssl_certificate_key /etc/nginx/conf.d/ssl.key;
# {{ nginx_ssl_ca_line }}
# ssl_session_timeout 5m;
# # https://mozilla.github.io/server-side-tls/ssl-config-generator/
# # modern configuration. tweak to your needs.
# ssl_protocols TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
# ssl_prefer_server_ciphers on;
#
# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# add_header Strict-Transport-Security max-age=15768000;
# location / {
# root /usr/share/nginx/html;
# index index.html index.htm;
# }
#}


@ -48,9 +48,7 @@
do:
- {tasks: [fedora-cloud-tests]}
{% if deployment_type in ['dev', 'stg'] %}
- when:
message_type: ModuleBuildComplete
do:
- {tasks: [modularity-testing-framework]}
{% endif %}


@ -0,0 +1,6 @@
---
waiverdb_db_port: 5432
waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization'
waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token'
waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo'
waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"'
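Review bot: The last line has a stray double quote inside the single-quoted value, so `waiverdb_oidc_userinfo_uri` renders as a URL ending in `"`; once it is substituted into the `userinfo_uri` field of the client_secrets.json template the file is no longer valid JSON. Change it to `waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo'`.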


@ -0,0 +1,29 @@
# This file is managed by Ansible - changes may be lost
#
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
#
# TYPE DATABASE USER ADDRESS METHOD
# Default:
#
local all postgres trust
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
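Review bot: Every record uses `trust`, including the IPv4/IPv6 loopback rules, so any process on the host that can reach the socket or 127.0.0.1:5432 connects as any role — `postgres` included — with no credentials; together with the SUPERUSER application role created in psql_setup.yml this makes the database an easy local privilege boundary to cross. Prefer `peer` on the Unix-socket lines and password auth on the TCP lines, e.g. `local all all peer` and `host all all 127.0.0.1/32 md5`, and give the application role a password. If `trust` is deliberate for this deployment, say so in the header comment so the next reader does not treat it as an oversight.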


@ -0,0 +1,10 @@
---
- name: restart waiverdb
systemd:
name: waiverdb.service
state: restarted
- name: restart postgresql
systemd:
name: postgresql.service
state: restarted


@ -0,0 +1,49 @@
---
- include: psql_setup.yml
- name: install needed packages (yum)
yum: pkg={{ item }} state=present
with_items:
- waiverdb
- gunicorn
- python-psycopg2
notify:
- restart waiverdb
when: ansible_distribution_major_version|int < 22
- name: install needed packages (dnf)
dnf: pkg={{ item }} state=present
with_items:
- waiverdb
- gunicorn
- python-psycopg2
notify:
- restart waiverdb
when: ansible_distribution_major_version|int > 21
- name: start waiverdb on boot
systemd:
name: waiverdb.socket
enabled: yes
- name: copy client secrets
template:
src: etc/waiverdb/client_secrets.json
dest: /etc/wavierdb/client_secrets.json
owner: root
group: root
mode: 0640
notify:
- restart waiverdb
- name: generate the app config
template:
src: etc/waiverdb/settings.py.j2
dest: /etc/waiverdb/settings.py
owner: root
group: root
mode: 0660
backup: yes
force: yes
notify:
- restart waiverdb
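Review bot: The "copy client secrets" task writes to `/etc/wavierdb/client_secrets.json` (typo) while the app config goes to `/etc/waiverdb/settings.py`, so either the task fails because the directory does not exist or the secrets land where the application presumably does not look; change it to `dest: /etc/waiverdb/client_secrets.json`. The octal modes `0640` and `0660` are unquoted and `enabled: yes` is a YAML 1.1 boolean; write `mode: "0640"`, `mode: "0660"` and `enabled: true` so the values survive any parser. settings.py carries SECRET_KEY and is root:root 0660, which only works if the service runs as root — verify the unit's user and, if it is not root, set `group` to that user's group instead.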


@ -0,0 +1,63 @@
- name: install postresql (yum)
yum: state=present pkg={{ item }}
with_items:
- "postgresql-server"
- "postgresql-contrib"
- "python-psycopg2"
when: ansible_distribution_major_version|int < 22
- name: install postresql (dnf)
dnf: state=present pkg={{ item }}
with_items:
- "postgresql-server"
- "postgresql-contrib"
- "python-psycopg2"
when: ansible_distribution_major_version|int > 21
- name: See if postgreSQL is installed
stat: path=/var/lib/pgsql/initdb_postgresql.log
register: pgsql_installed
- name: init postgresql
shell: "postgresql-setup initdb"
when: not pgsql_installed.stat.exists
- name: copy pg_hba.conf
copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
notify:
- restart postgresql
tags:
- config
- name: Ensure postgres has a place to backup to
file: dest=/backups state=directory owner=postgres
tags:
- config
- name: Copy over backup scriplet
copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
tags:
- config
- name: Set up some cronjobs to backup databases as configured
template: >
src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
dest="/etc/cron.d/cron-backup-database-{{ item }}"
with_items:
- "{{ dbs_to_backup }}"
when: dbs_to_backup != []
tags:
- config
- name: enable Pg service
service: state=started enabled=yes name=postgresql
- name: Create db
postgresql_db: name="waiverdb" encoding='UTF-8'
become: yes
become_user: postgres
- name: Create db user
postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
become: yes
become_user: postgres
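Review bot: The application role is created as `wavierdb-user` (typo) with `SUPERUSER`, while settings.py.j2 in this commit connects as `waiverdb_user`, so the names never match and the role is far more privileged than a web app needs. Create it under the name the app uses and without superuser, `postgresql_user: db="waiverdb" name="waiverdb_user" role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE`, and give it the database instead via `postgresql_db: name="waiverdb" encoding='UTF-8' owner="waiverdb_user"` (the user task then has to run before the db task). No password is set on the role, which only works because pg_hba.conf is all `trust`. The two install task names also misspell "postgresql" as "postresql".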


@ -0,0 +1,39 @@
# HTTP server
# rewrite to HTTPS
server {
listen 80;
server_name {{service_name}};
return 301 https://$server_name$request_uri;
}
# HTTPs server
server {
listen 443;
server_name {{ service_name }};
ssl on;
ssl_certificate /etc/nginx/conf.d/ssl.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl.key;
ssl_session_timeout 5m;
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /api {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/run/waiverdb/socket:/api;
}
}
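Review bot: The HTTPS server uses the deprecated `ssl on;` directive and still enables TLSv1.1 although the comment calls this the Mozilla modern profile; use `listen 443 ssl;` and `ssl_protocols TLSv1.2;`. The dhparam.pem the nginx role generates at /etc/ssl/certs/dhparam.pem is never referenced, so add `ssl_dhparam /etc/ssl/certs/dhparam.pem;` — without it the DHE suites in `ssl_ciphers` either fall back to nginx's built-in parameters or are silently dropped, depending on the nginx version. The HSTS line should be `add_header Strict-Transport-Security max-age=15768000 always;` so the header is also sent on error responses. The commented-out ssl.conf template earlier in this commit carries the same settings.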


@ -0,0 +1,11 @@
{
"web": {
"auth_uri": "{{ waiverdb_oidc_auth_uri }}",
"client_id": "{{ waiverdb_oidc_client_id }}",
"client_secret": "{{ waiverdb_oidc_client_secret }}",
"redirect_uris": [],
"token_uri": "{{ waiverdb_oidc_token_uri }}",
"token_introspection_uri": "{{ waiverdb_oidc_token_introspection_uri }}",
"userinfo_uri": "{{ waiverdb_oidc_userinfo_uri }}"
}
}
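Review bot: The Ansible variables are dropped into JSON string literals unescaped, so a `client_secret` (or any URI) containing `"` or `\` yields invalid JSON; render each value with the to_json filter, e.g. `"client_secret": {{ waiverdb_oidc_client_secret | to_json }},`, which quotes and escapes it. This is also what turns the stray quote in `waiverdb_oidc_userinfo_uri` elsewhere in this commit into a broken file.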


@ -0,0 +1,2 @@
SECRET_KEY = '{{ waiverdb_secret_key }}'
SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb
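Review bot: As rendered here the `SQLALCHEMY_DATABASE_URI` line closes the Jinja expression with a single `}` and has no closing quote, which is a template or Python syntax error if that is the committed text (the line may be truncated in this view — confirm against the file). It also connects as `waiverdb_user` with no password while psql_setup.yml in this commit creates the role `wavierdb-user`; the two names have to agree. Expected form: `SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb'`.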