diff --git a/inventory/builders b/inventory/builders index dd001d6fd5..21a661d319 100644 --- a/inventory/builders +++ b/inventory/builders @@ -243,7 +243,8 @@ buildppcle-04.ppc.fedoraproject.org [buildaarch64] aarch64-02a.arm.fedoraproject.org -aarch64-03a.arm.fedoraproject.org +# Marked DEAD in pdu +#aarch64-03a.arm.fedoraproject.org aarch64-04a.arm.fedoraproject.org aarch64-05a.arm.fedoraproject.org aarch64-06a.arm.fedoraproject.org diff --git a/inventory/group_vars/nagios-new b/inventory/group_vars/nagios-new index 1927a4a327..352a805e3b 100644 --- a/inventory/group_vars/nagios-new +++ b/inventory/group_vars/nagios-new @@ -149,7 +149,6 @@ phx2_management_limited: - rack47-pdu-b.mgmt.fedoraproject.org - rack47-serial.mgmt.fedoraproject.org - rack48-pdu-a.mgmt.fedoraproject.org - - rack48-pdu-b.mgmt.fedoraproject.org - rack48-serial.mgmt.fedoraproject.org - rack51-pdu-a.mgmt.fedoraproject.org - rack51-pdu-b.mgmt.fedoraproject.org diff --git a/inventory/group_vars/taskotron-prod b/inventory/group_vars/taskotron-prod index 44d747c90f..4dd26ed75d 100644 --- a/inventory/group_vars/taskotron-prod +++ b/inventory/group_vars/taskotron-prod @@ -27,6 +27,7 @@ grokmirror_repos: - { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'} - { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'} - { name: fedoraqa/fedora-cloud-tests, url: 'https://pagure.io/taskotron/task-fedora-cloud-tests.git'} + - { name: fedoraqa/modularity-testing-framework, url: 'https://pagure.io/taskotron/task-modularity-testing-framework.git'} grokmirror_user: grokmirror grokmirror_default_branch: master diff --git a/inventory/host_vars/artboard.fedorainfracloud.org b/inventory/host_vars/artboard.fedorainfracloud.org index ab6185b26b..8972746f0e 100644 --- a/inventory/host_vars/artboard.fedorainfracloud.org +++ b/inventory/host_vars/artboard.fedorainfracloud.org 
@@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] ansible_ifcfg_blacklist: true diff --git a/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org b/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org index cbfb1aa9db..b62c5b16e3 100644 --- a/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org +++ b/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org @@ -2,7 +2,7 @@ instance_type: m1.medium image: "{{ el6_qcow_id }}" keypair: fedora-admin -security_group: webserver +security_group: webserver,all-icmp-persistent,default zone: nova hostbase: blockerbugs-dev- public_ip: 209.132.184.200 diff --git a/inventory/host_vars/communityblog.fedorainfracloud.org b/inventory/host_vars/communityblog.fedorainfracloud.org index 3e67089d1e..0217ac74bf 100644 --- a/inventory/host_vars/communityblog.fedorainfracloud.org +++ b/inventory/host_vars/communityblog.fedorainfracloud.org @@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org b/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org index 8f18735660..67d46a42f2 100644 --- a/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org +++ b/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org 
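Review bot: The `all-icmp-persistent` group is appended to artboard's `security_group` here, and the same line is added in every other host_vars hunk in this commit from blockerbugs-dev through testdays, but the rules that group carries are not part of the diff. If it admits every ICMP type from any source, that is wider than a reachability check needs; if the purpose is to let the nagios host ping these instances, a group limited to echo-request from the monitoring address keeps the exposure minimal and is worth confirming before rolling this out to all of them. A short comment on the new line, e.g. `# all-icmp-persistent: lets nagios ping this instance`, would record why the group was added everywhere.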
@@ -3,7 +3,7 @@ instance_type: ms1.small image: "{{ fedora25_x86_64 }}" #image: rhel7-20141015 keypair: fedora-admin-20130801 -security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default +security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent zone: nova hostbase: copr-dist-git-dev- public_ip: 209.132.184.179 diff --git a/inventory/host_vars/copr-dist-git.fedorainfracloud.org b/inventory/host_vars/copr-dist-git.fedorainfracloud.org index 835f87c502..91a9e2aa3b 100644 --- a/inventory/host_vars/copr-dist-git.fedorainfracloud.org +++ b/inventory/host_vars/copr-dist-git.fedorainfracloud.org @@ -2,7 +2,7 @@ instance_type: ms1.medium.bigswap image: "{{ fedora25_x86_64 }}" keypair: fedora-admin-20130801 -security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default +security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent zone: nova hostbase: copr-dist-git- public_ip: 209.132.184.163 diff --git a/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org b/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org index c6d1f6c813..bb357250d5 100644 --- a/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org +++ b/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org @@ -2,7 +2,7 @@ instance_type: m1.medium image: "{{ fedora25_x86_64 }}" keypair: fedora-admin-20130801 -security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default +security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent zone: nova hostbase: copr-fe-dev- public_ip: 209.132.184.55 diff --git a/inventory/host_vars/copr-fe.cloud.fedoraproject.org b/inventory/host_vars/copr-fe.cloud.fedoraproject.org index a971d08b69..f7f30c1fdf 100644 --- a/inventory/host_vars/copr-fe.cloud.fedoraproject.org +++ b/inventory/host_vars/copr-fe.cloud.fedoraproject.org 
@@ -5,7 +5,7 @@ base_pkgs_erase: ['PackageKit*', 'sendmail', 'at'] instance_type: ms1.medium image: "{{ fedora25_x86_64 }}" keypair: fedora-admin-20130801 -security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default +security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent zone: nova hostbase: copr-fe- public_ip: 209.132.184.54 diff --git a/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org b/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org index 59e4c4db80..4cabdbe2b0 100644 --- a/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org +++ b/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org @@ -3,7 +3,7 @@ instance_type: ms1.small image: "{{ fedora25_x86_64 }}" keypair: fedora-admin-20130801 # todo: remove some security groups ? -security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent +security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent zone: nova hostbase: copr-keygen-dev- public_ip: 209.132.184.46 diff --git a/inventory/host_vars/darkserver-dev.fedorainfracloud.org b/inventory/host_vars/darkserver-dev.fedorainfracloud.org index cad5fcbe6b..00a392f852 100644 --- a/inventory/host_vars/darkserver-dev.fedorainfracloud.org +++ b/inventory/host_vars/darkserver-dev.fedorainfracloud.org @@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.large keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/developer.fedorainfracloud.org b/inventory/host_vars/developer.fedorainfracloud.org index 4884fc6207..aeac2e7ed0 100644 
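Review bot: copr-fe receives `allow-nagios-persistent` instead of the `all-icmp-persistent` group every other host in this commit gets, while the copr-keygen-dev hunk on the same line replaces its existing `allow-nagios-persistent` with `all-icmp-persistent`; the two edits look swapped. If monitoring of copr-keygen-dev depends on the nagios group, dropping it will silently stop those checks rather than fail loudly. The intended lines are probably `security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent` for copr-fe and `security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent,all-icmp-persistent` for copr-keygen-dev, unless the removal is what the `# todo: remove some security groups ?` comment above it was asking for.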
--- a/inventory/host_vars/developer.fedorainfracloud.org +++ b/inventory/host_vars/developer.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "{{ fedora25_x86_64 }}" instance_type: m1.large keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/dopr-dev.cloud.fedoraproject.org b/inventory/host_vars/dopr-dev.cloud.fedoraproject.org deleted file mode 100644 index 145b8b9e65..0000000000 --- a/inventory/host_vars/dopr-dev.cloud.fedoraproject.org +++ /dev/null @@ -1,4 +0,0 @@ ---- -resolvconf: "resolv.conf/cloud" -tcp_ports: [80, 443] -freezes: false diff --git a/inventory/host_vars/eclipse.fedorainfracloud.org b/inventory/host_vars/eclipse.fedorainfracloud.org index 969ae5e6f4..7ffc7ff6ca 100644 --- a/inventory/host_vars/eclipse.fedorainfracloud.org +++ b/inventory/host_vars/eclipse.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "{{ fedora23_x86_64 }}" instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/faitout.fedorainfracloud.org b/inventory/host_vars/faitout.fedorainfracloud.org index 51e6966c59..1f4e273b41 100644 --- a/inventory/host_vars/faitout.fedorainfracloud.org +++ b/inventory/host_vars/faitout.fedorainfracloud.org 
@@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,pg-5432-anywhere,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,pg-5432-anywhere,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443, 5432] diff --git a/inventory/host_vars/fas2-dev.fedorainfracloud.org b/inventory/host_vars/fas2-dev.fedorainfracloud.org index 6fb39f88bb..f3be911bc3 100644 --- a/inventory/host_vars/fas2-dev.fedorainfracloud.org +++ b/inventory/host_vars/fas2-dev.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "{{ centos66_x86_64 }}" instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/fas3-dev.fedorainfracloud.org b/inventory/host_vars/fas3-dev.fedorainfracloud.org index d19aa4989a..b15a4a2657 100644 --- a/inventory/host_vars/fas3-dev.fedorainfracloud.org +++ b/inventory/host_vars/fas3-dev.fedorainfracloud.org @@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/fedimg-dev.fedorainfracloud.org b/inventory/host_vars/fedimg-dev.fedorainfracloud.org index cc2628eab9..a3597d0b5c 100644 --- a/inventory/host_vars/fedimg-dev.fedorainfracloud.org +++ b/inventory/host_vars/fedimg-dev.fedorainfracloud.org @@ -1,7 +1,7 @@ instance_type: m1.medium image: rhel7-20141015 keypair: fedora-admin-20130801 -security_group: default,ssh-anywhere-persistent +security_group: default,ssh-anywhere-persistent,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] 
diff --git a/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org b/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org index e8cbf375dc..42d6abe4ce 100644 --- a/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org +++ b/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org @@ -2,7 +2,7 @@ image: Fedora-Cloud-Base-23.x86_64-python2 instance_type: m1.large keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/glittergallery-dev.fedorainfracloud.org b/inventory/host_vars/glittergallery-dev.fedorainfracloud.org index ecb50aba30..17a52264e5 100644 --- a/inventory/host_vars/glittergallery-dev.fedorainfracloud.org +++ b/inventory/host_vars/glittergallery-dev.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "{{ fedora23_x86_64 }}" instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/graphite.fedorainfracloud.org b/inventory/host_vars/graphite.fedorainfracloud.org index 1bef1d3ea8..fe4636c635 100644 --- a/inventory/host_vars/graphite.fedorainfracloud.org +++ b/inventory/host_vars/graphite.fedorainfracloud.org @@ -1,7 +1,7 @@ instance_type: m1.large image: "{{ fedora23_x86_64 }}" keypair: fedora-admin-20130801 -security_group: default,wide-open-persistent +security_group: default,wide-open-persistent,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] custom_rules: 
diff --git a/inventory/host_vars/hubs-dev.fedorainfracloud.org b/inventory/host_vars/hubs-dev.fedorainfracloud.org new file mode 100644 index 0000000000..909cdd7604 --- /dev/null +++ b/inventory/host_vars/hubs-dev.fedorainfracloud.org @@ -0,0 +1,18 @@ +--- +image: "{{ fedora25_x86_64 }}" +instance_type: m1.medium +keypair: fedora-admin-20130801 +security_group: ssh-anywhere-persistent,all-icmp-persistent,default,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent +zone: nova +tcp_ports: [22, 80, 443] + +inventory_tenant: persistent +inventory_instance_name: hubs-dev +hostbase: hubs-dev +public_ip: 209.132.184.47 +root_auth_users: sayan +description: hubs development instance + +cloud_networks: + # persistent-net + - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f" diff --git a/inventory/host_vars/iddev.fedorainfracloud.org b/inventory/host_vars/iddev.fedorainfracloud.org index 8ac1fdf53d..e729e61afd 100644 --- a/inventory/host_vars/iddev.fedorainfracloud.org +++ b/inventory/host_vars/iddev.fedorainfracloud.org @@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] ansible_ifcfg_blacklist: true diff --git a/inventory/host_vars/insim.fedorainfracloud.org b/inventory/host_vars/insim.fedorainfracloud.org index f689bd0b51..5720910268 100644 --- a/inventory/host_vars/insim.fedorainfracloud.org +++ b/inventory/host_vars/insim.fedorainfracloud.org 
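Review bot: The new hubs-dev host_vars file lists `all-icmp-persistent` twice in `security_group` (second and last position). Whether nova rejects or silently deduplicates a repeated group name depends on the API in use, so drop the duplicate rather than rely on it: `security_group: ssh-anywhere-persistent,default,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent`.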
@@ -2,7 +2,7 @@ image: "{{ fedora25_x86_64 }}" instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/java-deptools.fedorainfracloud.org b/inventory/host_vars/java-deptools.fedorainfracloud.org index 7d06d29a9c..00c32c0490 100644 --- a/inventory/host_vars/java-deptools.fedorainfracloud.org +++ b/inventory/host_vars/java-deptools.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "{{ fedora24_x86_64 }}" instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/lists-dev.fedorainfracloud.org b/inventory/host_vars/lists-dev.fedorainfracloud.org index 906c4f9064..2ea58b3430 100644 --- a/inventory/host_vars/lists-dev.fedorainfracloud.org +++ b/inventory/host_vars/lists-dev.fedorainfracloud.org @@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.large keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/magazine.fedorainfracloud.org b/inventory/host_vars/magazine.fedorainfracloud.org index 9c20a7654c..cb5a73ae00 100644 --- a/inventory/host_vars/magazine.fedorainfracloud.org +++ b/inventory/host_vars/magazine.fedorainfracloud.org 
@@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.large keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,allow-nagios-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,allow-nagios-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/modernpaste.fedorainfracloud.org b/inventory/host_vars/modernpaste.fedorainfracloud.org index 0f8f4b8b7e..bcddcaf05b 100644 --- a/inventory/host_vars/modernpaste.fedorainfracloud.org +++ b/inventory/host_vars/modernpaste.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "{{ fedora23_x86_64 }}" instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/modularity.fedorainfracloud.org b/inventory/host_vars/modularity.fedorainfracloud.org index fb9e5f3803..6f8d3a3c30 100644 --- a/inventory/host_vars/modularity.fedorainfracloud.org +++ b/inventory/host_vars/modularity.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "Fedora-Cloud-Base-24 (Final)" instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: modularity,ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: modularity,ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/piwik.fedorainfracloud.org b/inventory/host_vars/piwik.fedorainfracloud.org index f3b14e3f79..55ac47f0e6 100644 --- a/inventory/host_vars/piwik.fedorainfracloud.org +++ b/inventory/host_vars/piwik.fedorainfracloud.org 
@@ -2,7 +2,7 @@ image: "{{ fedora24_x86_64 }}" instance_type: m1.large keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/qadevel.cloud.fedoraproject.org b/inventory/host_vars/qadevel.cloud.fedoraproject.org deleted file mode 100644 index 6bf9e9dadb..0000000000 --- a/inventory/host_vars/qadevel.cloud.fedoraproject.org +++ /dev/null @@ -1,2 +0,0 @@ ---- -host_backup_targets: ['/var/lib/phabricator/files', '/srv/backup'] diff --git a/inventory/host_vars/regcfp.fedorainfracloud.org b/inventory/host_vars/regcfp.fedorainfracloud.org index cf8c74bf06..bc4e4e7382 100644 --- a/inventory/host_vars/regcfp.fedorainfracloud.org +++ b/inventory/host_vars/regcfp.fedorainfracloud.org @@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/respins.fedorainfracloud.org b/inventory/host_vars/respins.fedorainfracloud.org index 14b207c8ae..18cd44304d 100644 --- a/inventory/host_vars/respins.fedorainfracloud.org +++ b/inventory/host_vars/respins.fedorainfracloud.org @@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: wide-open-persistent,default +security_group: wide-open-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 6969] diff --git a/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org b/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org index 6cc2116e37..c9cfeb281d 100644 
--- a/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org +++ b/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org @@ -2,7 +2,7 @@ image: rhel7-20141015 instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/taiga.fedorainfracloud.org b/inventory/host_vars/taiga.fedorainfracloud.org index 1b4716a3a1..4748024d61 100644 --- a/inventory/host_vars/taiga.fedorainfracloud.org +++ b/inventory/host_vars/taiga.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "{{ fedora25_x86_64 }}" instance_type: m1.medium keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/taigastg.fedorainfracloud.org b/inventory/host_vars/taigastg.fedorainfracloud.org index b4232f6716..bdadd96ed5 100644 --- a/inventory/host_vars/taigastg.fedorainfracloud.org +++ b/inventory/host_vars/taigastg.fedorainfracloud.org @@ -2,7 +2,7 @@ image: "{{ fedora23_x86_64 }}" instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/host_vars/testdays.fedorainfracloud.org b/inventory/host_vars/testdays.fedorainfracloud.org index 88cf721469..b5fa08542b 100644 --- a/inventory/host_vars/testdays.fedorainfracloud.org +++ b/inventory/host_vars/testdays.fedorainfracloud.org 
@@ -2,7 +2,7 @@ image: 'rhel7-20141015' instance_type: m1.small keypair: fedora-admin-20130801 -security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default +security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent zone: nova tcp_ports: [22, 80, 443] diff --git a/inventory/inventory b/inventory/inventory index 047f878526..cf74f6c35b 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -139,7 +139,7 @@ osuosl01.fedoraproject.org osuosl02.fedoraproject.org osuosl03.fedoraproject.org tummy01.fedoraproject.org -virthost-rdu01.fedoraproject.org +#virthost-rdu01.fedoraproject.org virthost-cc-rdu01.fedoraproject.org [datagrepper] @@ -269,7 +269,7 @@ autocloud-backend01.stg.phx2.fedoraproject.org autocloud-backend02.stg.phx2.fedoraproject.org [autosign] -#autosign01.phx2.fedoraproject.org +autosign01.phx2.fedoraproject.org [autosign-stg] autosign01.stg.phx2.fedoraproject.org @@ -367,9 +367,6 @@ fas01.stg.phx2.fedoraproject.org [fas3-stg] fas3-01.stg.phx2.fedoraproject.org -[hosted] -hosted03.fedoraproject.org - [hotness] hotness01.phx2.fedoraproject.org @@ -634,7 +631,7 @@ proxy09.fedoraproject.org proxy10.phx2.fedoraproject.org proxy11.fedoraproject.org proxy12.fedoraproject.org -proxy13.fedoraproject.org +#proxy13.fedoraproject.org proxy14.fedoraproject.org [proxies-stg] @@ -1092,10 +1089,6 @@ pdc-backend03.stg.phx2.fedoraproject.org [piwik-stg] #piwik01.stg.phx2.fedoraproject.org -[transient-cloud] -# fedora-hubs-dev -209.132.184.98 - [persistent-cloud] # artboard instance artboard.fedorainfracloud.org @@ -1160,6 +1153,8 @@ kolinahr.fedorainfracloud.org respins.fedorainfracloud.org # waiverdb-dev - ticket 6009 waiverdb-dev.fedorainfracloud.org +# hubs-dev +hubs-dev.fedorainfracloud.org # # These are in the new cloud @@ -1209,7 +1204,6 @@ dns bastion backup infracore -hosted smtp-mm memcached virthost 
diff --git a/master.yml b/master.yml index a468f64478..27bb7e7653 100644 --- a/master.yml +++ b/master.yml @@ -142,6 +142,7 @@ - include: /srv/web/infra/ansible/playbooks/hosts/glittergallery-dev.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/grafana.cloud.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/graphite.fedorainfracloud.org.yml +- include: /srv/web/infra/ansible/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/iddev.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml diff --git a/playbooks/groups/noc-new.yml b/playbooks/groups/noc-new.yml index 7d65dc01e5..894a4c2032 100644 --- a/playbooks/groups/noc-new.yml +++ b/playbooks/groups/noc-new.yml @@ -58,3 +58,10 @@ - { role: tftp_server, when: datacenter == 'phx2' } - nagios_server - fedmsg/base + + tasks: + - name: install some packages which arent in playbooks + yum: pkg={{ item }} state=present + with_items: + - nmap + - tcpdump diff --git a/playbooks/hosts/fedora-hubs-dev.yml b/playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml similarity index 78% rename from playbooks/hosts/fedora-hubs-dev.yml rename to playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml index 73c0839ec5..099bae9148 100644 --- a/playbooks/hosts/fedora-hubs-dev.yml +++ b/playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml 
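Review bot: master.yml now includes `playbooks/hosts/hubs-dev.fedorainfracloud.org.yml`, but the rename in this commit moves the playbook to `playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml` (note the `infroa` typo in the rename header on this line), so the include will fail until the file name matches. The included path is the correct one, consistent with the hubs-dev host_vars and inventory entries; the rename target should be corrected rather than the include.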
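Review bot: The package install appended to noc-new.yml lives in an ad-hoc `tasks:` list on the group playbook rather than in the `nagios_server` role that already manages this host, so the host's package set is now split across two places, and the task name `install some packages which arent in playbooks` does not say why the role was not used. Moving the two items into the role's package task, or renaming the task to state why they must stay here, keeps the host definition in one place.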
@@ -1,16 +1,33 @@ -- name: provision instance - hosts: 209.132.184.98 # this is transient.. so may change if we destroy it. - user: root - gather_facts: True +- name: check/create instance + hosts: hubs-dev.fedorainfracloud.org + gather_facts: False vars_files: - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" + - /srv/private/ansible/vars.yml + - /srv/web/infra/ansible/vars/fedora-cloud.yml + - /srv/private/ansible/files/openstack/passwords.yml + + tasks: + - include: "{{ tasks_path }}/persistent_cloud.yml" + +- name: setup all the things + hosts: hubs-dev.fedorainfracloud.org + gather_facts: True + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + pre_tasks: + - include: "{{ tasks_path }}/cloud_setup_basic.yml" + - name: set hostname (required by some services, at least postfix need it) + hostname: name="{{inventory_hostname}}" + tasks: - include: "{{ tasks_path }}/yumrepos.yml" - - yum: name={{item}} state=present + - dnf: name={{item}} state=present with_items: - git @@ -42,7 +59,7 @@ - src: /srv/git/fedora-hubs/systemd/hubs-webapp.service dest: /usr/lib/systemd/system/hubs-webapp.service remote_src: True - - yum: name={{item}} state=present + - dnf: name={{item}} state=present with_items: - htop - tmux diff --git a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml index 9838e189d6..dae7fedfc7 100644 --- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml @@ -24,3 +24,7 @@ - include: "{{ tasks_path }}/cloud_setup_basic.yml" - name: set hostname (required by some services, at least postfix need it) hostname: name="{{inventory_hostname}}" + + roles: + - nginx + - waiverdb 
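Review bot: The `setup all the things` play loads `/srv/private/ansible/files/openstack/passwords.yml` even though only the `check/create instance` play talks to OpenStack; loading those credentials into the play that runs roles on the guest makes them available to every template, lookup and debug output there. Unless a role outside this hunk needs them, drop that `vars_files` entry from the second play. The `yum`→`dnf` switch in both hunks matches the fedora25 image set in the new host_vars, so it is consistent, but it means the playbook no longer runs against an EL image.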
diff --git a/roles/batcave/files/fedmsg-announce-commits.py b/roles/batcave/files/fedmsg-announce-commits.py index 70fa95f105..b0fdd66093 100644 --- a/roles/batcave/files/fedmsg-announce-commits.py +++ b/roles/batcave/files/fedmsg-announce-commits.py @@ -49,10 +49,21 @@ def build_stats(commit): for diff in diffs: for patch in diff: - path = patch.new_file_path - files[path]['additions'] += patch.additions - files[path]['deletions'] += patch.deletions - files[path]['lines'] += patch.additions + patch.deletions + if hasattr(patch, 'new_file_path'): + path = patch.new_file_path + else: + path = patch.delta.new_file.path + + if hasattr(patch, 'additions'): + files[path]['additions'] += patch.additions + files[path]['deletions'] += patch.deletions + files[path]['lines'] += patch.additions + patch.deletions + else: + files[path]['additions'] += patch.line_stats[1] + files[path]['deletions'] += patch.line_stats[2] + files[path]['lines'] += patch.line_stats[1] \ + + patch.line_stats[2] + total = defaultdict(int) for name, stats in files.items(): diff --git a/roles/bodhi2/backend/tasks/main.yml b/roles/bodhi2/backend/tasks/main.yml index f50b252cab..4768231686 100644 --- a/roles/bodhi2/backend/tasks/main.yml +++ b/roles/bodhi2/backend/tasks/main.yml @@ -413,6 +413,11 @@ tags: - bodhi +- name: ensure fedmsg-hub is enabled and started on the backend + service: name=fedmsg-hub enabled=yes state=started + tags: + - bodhi + #- name: have apache own /mnt/koji/mash/updates # file: path=/mnt/koji/mash/updates state=directory recurse=yes owner=apache group=apache # tags: diff --git a/roles/git/hooks/files/post-receive-fedmsg b/roles/git/hooks/files/post-receive-fedmsg index 782accde62..3545be2e3b 100755 --- a/roles/git/hooks/files/post-receive-fedmsg +++ b/roles/git/hooks/files/post-receive-fedmsg 
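Review bot: The version probing added to build_stats is re-evaluated for every patch in every diff and is duplicated verbatim in the post-receive-fedmsg hunk further down, so the two hooks will drift apart the next time the pygit2 API changes. The two `hasattr` checks are also independent, so a pygit2 release that has `new_file_path` but not `additions` (or the reverse) takes a mixed path; that assumption should be written down. Resolving `(path, additions, deletions)` once per patch in a small helper keeps each call site to four lines and gives the assumption a home (the helper would be copied into post-receive-fedmsg as well, since the scripts do not appear to share a module). build_stats starts and ends outside this hunk.
```python
def _patch_stats(patch):
    """Return (path, additions, deletions) for one pygit2 patch.

    Older pygit2 exposes new_file_path / additions / deletions directly;
    newer releases expose delta.new_file.path and line_stats, a
    (context, additions, deletions) tuple.  Assumes the two attribute
    sets change together across releases.
    """
    if hasattr(patch, 'new_file_path'):
        path = patch.new_file_path
    else:
        path = patch.delta.new_file.path
    if hasattr(patch, 'additions'):
        return path, patch.additions, patch.deletions
    return path, patch.line_stats[1], patch.line_stats[2]

# … unchanged: build_stats head, diff collection …
        for patch in diff:
            path, adds, dels = _patch_stats(patch)
            files[path]['additions'] += adds
            files[path]['deletions'] += dels
            files[path]['lines'] += adds + dels
# … unchanged: total accumulation …
```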
@@ -53,10 +53,20 @@ def build_stats(commit): for diff in diffs: for patch in diff: - path = patch.new_file_path - files[path]['additions'] += patch.additions - files[path]['deletions'] += patch.deletions - files[path]['lines'] += patch.additions + patch.deletions + if hasattr(patch, 'new_file_path'): + path = patch.new_file_path + else: + path = patch.delta.new_file.path + + if hasattr(patch, 'additions'): + files[path]['additions'] += patch.additions + files[path]['deletions'] += patch.deletions + files[path]['lines'] += patch.additions + patch.deletions + else: + files[path]['additions'] += patch.line_stats[1] + files[path]['deletions'] += patch.line_stats[2] + files[path]['lines'] += patch.line_stats[1] \ + + patch.line_stats[2] total = defaultdict(int) for name, stats in files.items(): diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2 index 61f6edb54b..1631be7583 100644 --- a/roles/koji_hub/templates/hub.conf.j2 +++ b/roles/koji_hub/templates/hub.conf.j2 @@ -128,16 +128,9 @@ channel = source */kernel* && has_perm secure-boot :: use secure-boot source */shim* && has_perm secure-boot :: use secure-boot source */grub2* && has_perm secure-boot :: use secure-boot - source */fedora-release* && has_perm secure-boot :: use secure-boot - source */fedora-repos* && has_perm secure-boot :: use secure-boot source */pesign* && has_perm secure-boot :: use secure-boot source */fwupdate* && has_perm secure-boot :: use secure-boot -# we have some arm builders that have ssd's in them, eclipse is 7 hours faster building on them so lets -# make sure that we always build eclipse on them. - source */eclipse* :: use eclipse - source */gcc* :: use eclipse - all :: use default diff --git a/roles/koschei/backend/templates/config-backend.cfg.j2 b/roles/koschei/backend/templates/config-backend.cfg.j2 index e2668604ab..672c694eef 100644 --- a/roles/koschei/backend/templates/config-backend.cfg.j2 
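Review bot: The hub.conf.j2 hunk drops `fedora-release` and `fedora-repos` from the secure-boot channel routing without a comment, and the eclipse removal takes its explanatory comment with it, so the surviving policy no longer says why some packages are steered to the secure-boot channel or why these two were pulled out. Since this `channel` policy decides which builders are allowed to build those packages, a one-line comment above the remaining `source */kernel*` rule, such as `# routed to secure-boot builders when the submitter has that perm; fedora-release/fedora-repos removed: <reason or ticket>`, would preserve the rationale for the next edit.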
+++ b/roles/koschei/backend/templates/config-backend.cfg.j2 @@ -28,7 +28,7 @@ config = { "load_threshold": 1, {% else %} "max_builds": 60, - "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le'], + "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le', 's390x'], "load_threshold": 0.65, {% endif %} "task_priority": 30, diff --git a/roles/nagios_server/files/nagios/services/disk.cfg b/roles/nagios_server/files/nagios/services/disk.cfg index f425e8e953..c927e973ed 100644 --- a/roles/nagios_server/files/nagios/services/disk.cfg +++ b/roles/nagios_server/files/nagios/services/disk.cfg @@ -12,13 +12,6 @@ define service { use disktemplate } -define service { - hostgroup_name hosted - service_description Disk Space /srv - check_command check_by_nrpe!check_disk_/srv - use disktemplate -} - define service { hostgroup_name qahardware service_description Disk Space /srv diff --git a/roles/nagios_server/files/nagios/services/hosted.cfg b/roles/nagios_server/files/nagios/services/hosted.cfg deleted file mode 100644 index 763261e6b3..0000000000 --- a/roles/nagios_server/files/nagios/services/hosted.cfg +++ /dev/null @@ -1,3 +0,0 @@ -# -# This file is dead. -# diff --git a/roles/nagios_server/files/nagios/services/swap.cfg b/roles/nagios_server/files/nagios/services/swap.cfg index 75cc6553d8..dab4ff7d9a 100644 --- a/roles/nagios_server/files/nagios/services/swap.cfg +++ b/roles/nagios_server/files/nagios/services/swap.cfg @@ -1,6 +1,6 @@ define service { - hostgroup noswap - service_description No Swap + hostgroup CheckSwap + service_description Swap-Is-Low check_command check_by_nrpe!check_swap use criticaltemplate } diff --git a/roles/nagios_server/files/nagios/services/websites.cfg b/roles/nagios_server/files/nagios/services/websites.cfg index e5f605a973..d1d94a1669 100644 --- a/roles/nagios_server/files/nagios/services/websites.cfg +++ b/roles/nagios_server/files/nagios/services/websites.cfg 
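Review bot: The rewritten swap service keeps the `hostgroup` directive while the other service definitions in this role (disk.cfg in the hunk above, websites.cfg below) use `hostgroup_name`; Nagios accepts both spellings, but since the line is being rewritten anyway `hostgroup_name CheckSwap` would make the files consistent. Changing `service_description` from `No Swap` to `Swap-Is-Low` also changes the service's identity, so existing acknowledgements, downtimes and alert history will not carry over — worth a line in the commit message.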
@@ -184,7 +184,7 @@ define service { define service { hostgroup_name koji service_description http-koji - check_command check_website!koji.fedoraproject.org!/koji/hosts!arm04-builder + check_command check_website!koji.fedoraproject.org!/koji/hosts!fedoraproject.org use websitetemplate } diff --git a/roles/nagios_server/files/nrpe/nrpe.cfg b/roles/nagios_server/files/nrpe/nrpe.cfg index fac5e37e5b..daaec1e353 100644 --- a/roles/nagios_server/files/nrpe/nrpe.cfg +++ b/roles/nagios_server/files/nrpe/nrpe.cfg @@ -287,7 +287,6 @@ include_dir=/etc/nrpe.d/ command[check_nrpe]=/bin/date command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10 command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 -command[check_hosted_load]=/usr/lib64/nagios/plugins/check_load -w 35,30,25 -c 70,60,50 command[check_raid]=/usr/lib64/nagios/plugins/check_raid.py command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p / command[check_disk_/u01]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /u01 diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml index 66bcf12683..e9e12f51d8 100644 --- a/roles/nagios_server/tasks/main.yml +++ b/roles/nagios_server/tasks/main.yml @@ -182,7 +182,6 @@ - file_age.cfg - fmn.cfg - haproxy.cfg - - hosted.cfg - ipa.cfg - koji.cfg - koschei.cfg @@ -311,7 +310,7 @@ with_items: - all.cfg - nomail.cfg - - noswap.cfg + - checkswap.cfg tags: - nagios_server diff --git a/roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j2 new file mode 100644 index 0000000000..c9750a6c4a --- /dev/null +++ b/roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j2 
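Review bot: The new expected string `fedoraproject.org` makes the http-koji check close to tautological: nearly any page the koji web frontend returns, quite possibly including error pages and redirects that carry the site footer, is likely to contain that text, so the check can stay green while `/koji/hosts` itself is broken. The old `arm04-builder` token at least proved the hosts table rendered; a string that only appears on a correctly rendered hosts page (a column header or a long-lived builder name) keeps the check meaningful, e.g. `check_command check_website!koji.fedoraproject.org!/koji/hosts!<token-only-on-hosts-page>`.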
@@ -0,0 +1,6 @@ +define hostgroup { + hostgroup_name CheckSwap + alias Swap-Is-Low + members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} + +} diff --git a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 index 47857f983d..ab79d76468 100644 --- a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 +++ b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 
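Review bot: The CheckSwap `members` line is a verbatim copy of the nomail one (the same edit appears in nomail.cfg.j2 below), including the six newly excluded hosts, so the two exclusion lists will drift the next time one of them is touched; pulling the shared `*, !status-fedora2, … {% for host in vars['phx2_management_hosts'] %}…{% endfor %}` expression into a Jinja macro or a group var and rendering it in both templates keeps them in lockstep. When `phx2_management_hosts` is empty the preceding loop leaves a trailing comma on the line; whether Nagios tolerates an empty member there is worth checking. The blank line between `members` and `}` is stray.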
@@ -1,6 +1,6 @@ define hostgroup { hostgroup_name nomail alias No Mail - members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} + members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} } diff --git a/roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j2 deleted file mode 100644 index 1399aa171d..0000000000 --- a/roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j2 +++ /dev/null 
@@ -1,6 +0,0 @@ -define hostgroup { - hostgroup_name noswap - alias No Swap - members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} - -} diff --git a/roles/nginx/README.md b/roles/nginx/README.md new file mode 100644 index 0000000000..f760a289b0 --- /dev/null +++ b/roles/nginx/README.md 
@@ -0,0 +1,72 @@ +Overview +======== + +Role for using nginx. Sets up ssl certs in known locations and inactive +template for application use. + + +Role options +------------ +* `update_ssl_certs` - Only push the SSL key and PEM files and restart Nginx + + +SSL +--- +This role will copy over key/crt by default. +It can be disabled by setting `httpd_no_ssl` to true + +You will still need to configure the application to use ssl. A reference template templates/example_ssl.conf.j2 is provided + +The script will look for keys and certs in the paths specified by the +`httpd_ssl_key_file`, `httpd_ssl_crt_file` and `httpd_ssl_pem_file` variables. + +If that fails, it will attempt to create key/crt pair if there isn't one already installed. + +If a pem file exists in the location specified by `httpd_ssl_pem_file`, +it will be copied across as `ssl.pem`. Applications that required the certificate +chain should point at `/etc/nginx/conf.d/ssl.pem`. + +Caveats +------- +The key, crt and pem will always be stored on the host under `/etc/nginx/conf.d/{{ +inventory_hostname }}.{key,crt,pem}` due to the multi-sourcing nature of the setup. +Use `httpd_no_ssl` and setup as desired if it deviates from what is covered here. + +Logrotate +--------- + +A default template is configured. + +SELinux +------- + +selinux contexts are application specific. 
Enable the following as needed by your setup: + +``` +httpd_can_network_relay +httpd_can_network_memcache +httpd_can_network_connect * +httpd_can_network_connect_db * +httpd_can_sendmail +``` + +- * commonly used items enabled by default + +Handlers +-------- + +restart nginx - restart the nginx service + +Variables +--------- + +* `service_name` - canonical name for service +* `httpd_no_ssl` - don't set up ssl +* `httpd_ssl_key_file` - local path to use as source for ssl.key file +* `httpd_ssl_crt_file` - local path to use as source for ssl.crt file +* `httpd_ssl_pem_file` - local path to use as source for ssl.pem file +* `ssl_fast_dh` - whether to use a speedy method to generate Diffie Hellman + parameters +* `ssl_intermediate_ca_pattern` - pattern to check if certificate is + self-signed +* `ssl_self_signed_string` - location and CN settings for self signed cert diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml new file mode 100644 index 0000000000..0758337b9d --- /dev/null +++ b/roles/nginx/defaults/main.yml @@ -0,0 +1,18 @@ +--- +## set some defaults with the expectation that they will be set in/from calling role +service_name: "{{ inventory_hostname }}" + +## nginx core configuration defaults +nginx_default_port: 80 +nginx_error_level: "warn" +nginx_worker_processes: 1 +nginx_gzip_status: "on" + +## variables unset by default +httpd_no_ssl: false +httpd_ssl_key_file: "{{ ssl_key_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}" +httpd_ssl_crt_file: "{{ ssl_crt_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}" +httpd_ssl_pem_file: "{{ ssl_pem_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}" +ssl_self_signed_string: "/C=US/ST=New York/L=New York City/O=My Department/CN={{ service_name }}" +ssl_fast_dh: false +nginx_ssl_ca_line: "#ssl_client_certificate /path/to/ca/file;" diff --git a/roles/nginx/files/etc/logrotate.d/nginx b/roles/nginx/files/etc/logrotate.d/nginx new file mode 100644 index 0000000000..b02b626368 
--- /dev/null +++ b/roles/nginx/files/etc/logrotate.d/nginx @@ -0,0 +1,13 @@ +/var/log/nginx/*.log { + daily + missingok + rotate 30 + compress + delaycompress + notifempty + create 640 nginx adm + sharedscripts + postrotate + [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid` + endscript +} diff --git a/roles/nginx/files/etc/nginx/conf.d/default.conf b/roles/nginx/files/etc/nginx/conf.d/default.conf new file mode 100644 index 0000000000..f2afdc2866 --- /dev/null +++ b/roles/nginx/files/etc/nginx/conf.d/default.conf @@ -0,0 +1,44 @@ +server { + listen 80; + server_name localhost; + + #charset koi8-r; + #access_log /var/log/nginx/log/host.access.log main; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml new file mode 100644 index 0000000000..6deed0cd07 --- /dev/null +++ b/roles/nginx/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart nginx + service: + name: nginx + state: restarted diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml new file mode 100644 index 0000000000..83f24cdee5 --- /dev/null +++ b/roles/nginx/tasks/main.yml 
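Review bot: default.conf is the stock nginx file with its commented-out PHP/FastCGI and Apache `.htaccess` blocks carried along; in a managed role those dead sections only invite copy-paste of an unreviewed proxy config, so keep just the `location /` and `error_page` parts that are actually deployed. Its `listen 80;` binds every interface while the loopback-only `default_server` lives in nginx.conf.j2 in this same commit; a comment such as `# externally reachable catch-all; the loopback default_server is in nginx.conf` on that line would make the split read as intentional.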
@@ -0,0 +1,5 @@ +--- +- include: nginx.yml + +- include: ssl-setup.yml + when: not httpd_no_ssl diff --git a/roles/nginx/tasks/nginx.yml b/roles/nginx/tasks/nginx.yml new file mode 100644 index 0000000000..6cb2eea432 --- /dev/null +++ b/roles/nginx/tasks/nginx.yml @@ -0,0 +1,33 @@ +- name: install nginx + dnf: + name: nginx + state: present + +- name: Ensure nginx is started and enabled to start at boot. + service: name=nginx state=started enabled=yes + +- name: install nginx logrotation file + copy: + src: etc/logrotate.d/nginx + dest: /etc/logrotate.d/nginx + owner: root + group: root + mode: 0644 + +- name: install /etc/nginx/nginx.conf + template: + src: etc/nginx/nginx.conf.j2 + dest: /etc/nginx/nginx.conf + owner: root + group: root + mode: 0644 + notify: restart nginx + +- name: install /etc/nginx/conf.d/default.conf + copy: + src: etc/nginx/conf.d/default.conf + dest: /etc/nginx/conf.d/default.conf + owner: root + group: root + mode: 0644 + notify: restart nginx diff --git a/roles/nginx/tasks/ssl-setup.yml b/roles/nginx/tasks/ssl-setup.yml new file mode 100644 index 0000000000..a0e138f540 --- /dev/null +++ b/roles/nginx/tasks/ssl-setup.yml 
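Review bot: `dnf: name: nginx` is the only install path, yet nginx.conf.j2 in this commit branches on `ansible_distribution_major_version == "7"` for the pid file, i.e. it expects EL7 hosts where dnf is absent; either add a yum counterpart guarded the way roles/waiverdb/tasks/main.yml does (`when: ansible_distribution_major_version|int < 22`) or drop the EL7 branch from the template. The service is also started and enabled before nginx.conf and default.conf are installed, so a first run serves the package's stock configuration until the handler restarts it; moving the `service: name=nginx state=started enabled=yes` task after the template/copy tasks closes that window.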
@@ -0,0 +1,45 @@ +- name: copy over ssl key + copy: + src: "{{ item }}" + dest: "/etc/nginx/conf.d/ssl.key" + with_first_found: + - files: + - "{{ httpd_ssl_key_file }}" + skip: True + register: setup_ssl_key + notify: restart nginx service + no_log: True + tags: + - update_ssl_certs + +- name: copy over ssl pem file + copy: + src: "{{ item }}" + dest: "/etc/nginx/conf.d/ssl.pem" + with_first_found: + - files: + - "{{ httpd_ssl_pem_file }}" + - "{{ httpd_ssl_crt_file }}" + skip: True + register: setup_ssl_pem + when: setup_ssl_key|success + tags: + - update_ssl_certs + + # generate our own key/crt if pem is missing +- name: generate self signed ssl certificate + command: openssl req -new -nodes -x509 -subj "{{ ssl_self_signed_string }}" -days 3650 -keyout /etc/nginx/conf.d/ssl.key -out /etc/nginx/conf.d/ssl.pem -extensions v3_ca + args: + creates: /etc/nginx/conf.d/ssl.pem + when: setup_ssl_key|failed or setup_ssl_pem|failed + +- name: warn that the next step takes a while + debug: + msg: "the next step can take around 15 minutes if it hasn't already been done" + +- name: create Diffie Hellman ephemeral parameters + # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + command: openssl dhparam {{ '-dsaparam' if ssl_fast_dh else '' }} -out dhparam.pem 4096 + args: + chdir: /etc/ssl/certs + creates: /etc/ssl/certs/dhparam.pem diff --git a/roles/nginx/templates/etc/nginx/nginx.conf.j2 b/roles/nginx/templates/etc/nginx/nginx.conf.j2 new file mode 100644 index 0000000000..0f396060cf --- /dev/null +++ b/roles/nginx/templates/etc/nginx/nginx.conf.j2 
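Review bot: `notify: restart nginx service` names a handler that does not exist — roles/nginx/handlers/main.yml in this commit defines `restart nginx` — so the key-copy task errors the first time it changes something; it should be `notify: restart nginx`. The self-signed fallback is gated on `setup_ssl_key|failed or setup_ssl_pem|failed`, but both copy tasks use `with_first_found` with `skip: True`, which turns a missing source into a skipped task rather than a failed one, so the fallback never fires and the host is left without `/etc/nginx/conf.d/ssl.pem`; `when: setup_ssl_key|skipped or setup_ssl_pem|skipped` matches what actually happens. The 4096-bit `dhparam.pem` generated in the last task is not referenced by any `ssl_dhparam` directive in the role's templates, so the 15-minute step currently buys nothing.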
@@ -0,0 +1,50 @@ +user nginx; +worker_processes {{ nginx_worker_processes }}; + +error_log /var/log/nginx/error.log {{ nginx_error_level }}; +{% if ansible_distribution_major_version == "7" %} +pid /run/nginx.pid; +{% else %} +pid /var/run/nginx.pid; +{% endif %} + +# Load dynamic modules. See /usr/share/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; + + +events { + worker_connections 1024; +} + + +http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_names_hash_bucket_size 128; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + gzip {{ nginx_gzip_status }}; + + include /etc/nginx/conf.d/*.conf; + + # bind server context for status explicitly to loopback to allow local only actions + server { + listen [::1]:{{ nginx_default_port }} default_server; + listen 127.0.0.1:{{ nginx_default_port }} default_server; + server_name _; + root /usr/share/nginx/html; + # Load configuration files for the default server block. + include /etc/nginx/default.d/*.conf; + } +} diff --git a/roles/nginx/templates/example_ssl.conf.2 b/roles/nginx/templates/example_ssl.conf.2 new file mode 100644 index 0000000000..42bc897225 --- /dev/null +++ b/roles/nginx/templates/example_ssl.conf.2 
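Review bot: `server_tokens` is left at its default, so every response header and error page advertises the exact nginx version; add `server_tokens off;` in the `http` block beside `sendfile on;`. The loopback `default_server` block is commented as being for "local only actions" but only includes `/etc/nginx/default.d/*.conf`, so what those actions are is not visible here; naming the expected drop-in (status endpoint, health check) in that comment would help the next reader. The `ansible_distribution_major_version == "7"` test presumably targets the EL family — on Fedora it is never true — and the `{% if %}` would read better with a comment saying so.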
@@ -0,0 +1,29 @@ + + +# HTTPS server +# +#server { +# listen 443; +# server_name {{ service_name }}; + +# ssl on; +# ssl_certificate /etc/nginx/conf.d/ssl.pem; +# ssl_certificate_key /etc/nginx/conf.d/ssl.key; +# {{ nginx_ssl_ca_line }} + +# ssl_session_timeout 5m; + +# # https://mozilla.github.io/server-side-tls/ssl-config-generator/ +# # modern configuration. tweak to your needs. +# ssl_protocols TLSv1.1 TLSv1.2; +# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; +# ssl_prefer_server_ciphers on; +# +# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) +# add_header Strict-Transport-Security max-age=15768000; + +# location / { +# root /usr/share/nginx/html; +# index index.html index.htm; +# } +#} diff --git a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 index 0e3b76d052..887dad13df 100644 --- a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 +++ b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 @@ -48,9 +48,7 @@ do: - {tasks: [fedora-cloud-tests]} -{% if deployment_type in ['dev', 'stg'] %} - when: message_type: ModuleBuildComplete do: - {tasks: [modularity-testing-framework]} -{% endif %} diff --git a/roles/waiverdb/defaults/main.yml b/roles/waiverdb/defaults/main.yml new file mode 100644 index 0000000000..a034212670 --- /dev/null +++ b/roles/waiverdb/defaults/main.yml 
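Review bot: The file is named `example_ssl.conf.2` while the README added in this commit points users at `templates/example_ssl.conf.j2`; renaming it to `.j2` makes the reference correct. The template calls itself a "modern configuration" but enables `ssl_protocols TLSv1.1 TLSv1.2` and a cipher list that still includes SHA-1 CBC suites; either restrict to `ssl_protocols TLSv1.2;` or change the comment to say "intermediate". There is also no `ssl_dhparam /etc/ssl/certs/dhparam.pem;` line even though ssl-setup.yml spends up to 15 minutes generating that file; without it the DHE suites either use nginx's built-in parameters or are unavailable, depending on the nginx version.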
@@ -0,0 +1,6 @@ +--- +waiverdb_db_port: 5432 +waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization' +waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token' +waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo' +waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"' diff --git a/roles/waiverdb/files/pg/pg_hba.conf b/roles/waiverdb/files/pg/pg_hba.conf new file mode 100644 index 0000000000..9fcf023732 --- /dev/null +++ b/roles/waiverdb/files/pg/pg_hba.conf @@ -0,0 +1,29 @@ +# This file is managed by Ansible - changes may be lost +# +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# TYPE DATABASE USER ADDRESS METHOD + +# Default: +# +local all postgres trust +# "local" is for Unix domain socket connections only +local all all trust +# IPv4 local connections: +host all all 127.0.0.1/32 trust +# IPv6 local connections: +host all all ::1/128 trust diff --git a/roles/waiverdb/handlers/main.yml b/roles/waiverdb/handlers/main.yml new file mode 100644 index 0000000000..40cbeb8b64 --- /dev/null +++ b/roles/waiverdb/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart waiverdb + systemd: + name: waiverdb.service + state: restarted + +- name: restart postgresql + systemd: + name: postgresql.service + state: restarted 
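Review bot: `waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"'` has a stray double quote inside the single-quoted value, so the rendered client_secrets.json ends the userinfo URL with `"` and lookups go to a path that does not exist; it should read `waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo'`. All four endpoints default to the `iddev` host, which from its name is a development identity provider; as role defaults they will be used silently by any deployment that forgets to override them, so a comment marking them as dev values to be overridden per environment is worth adding.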
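Review bot: Every rule in pg_hba.conf is `trust`, including `local all all trust` and `host all all 127.0.0.1/32 trust`, so any local OS account or any process that can reach loopback can connect as any database role — `postgres` included — without credentials. Together with the SUPERUSER application role created in psql_setup.yml, compromise of any local service becomes full control of the cluster. The usual shape is `peer` (or `trust` only for `local all postgres`) on the Unix-socket lines and `md5` — or `scram-sha-256` where the server supports it — with a password for the application role on the TCP lines.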
diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml new file mode 100644 index 0000000000..6ba8ffae3d --- /dev/null +++ b/roles/waiverdb/tasks/main.yml @@ -0,0 +1,49 @@ +--- +- include: psql_setup.yml + +- name: install needed packages (yum) + yum: pkg={{ item }} state=present + with_items: + - waiverdb + - gunicorn + - python-psycopg2 + notify: + - restart waiverdb + when: ansible_distribution_major_version|int < 22 + +- name: install needed packages (dnf) + dnf: pkg={{ item }} state=present + with_items: + - waiverdb + - gunicorn + - python-psycopg2 + notify: + - restart waiverdb + when: ansible_distribution_major_version|int > 21 + +- name: start waiverdb on boot + systemd: + name: waiverdb.socket + enabled: yes + +- name: copy client secrets + template: + src: etc/waiverdb/client_secrets.json + dest: /etc/wavierdb/client_secrets.json + owner: root + group: root + mode: 0640 + notify: + - restart waiverdb + +- name: generate the app config + template: + src: etc/waiverdb/settings.py.j2 + dest: /etc/waiverdb/settings.py + owner: root + group: root + mode: 0660 + backup: yes + force: yes + notify: + - restart waiverdb diff --git a/roles/waiverdb/tasks/psql_setup.yml b/roles/waiverdb/tasks/psql_setup.yml new file mode 100644 index 0000000000..9a099fe934 --- /dev/null +++ b/roles/waiverdb/tasks/psql_setup.yml 
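Review bot: `dest: /etc/wavierdb/client_secrets.json` transposes the name — the settings task right below writes to `/etc/waiverdb/` — so the secrets land in a directory the service does not read, or the task fails if that directory does not exist; it should be `dest: /etc/waiverdb/client_secrets.json`. The rendered settings.py carries `SECRET_KEY` yet is installed `owner: root`, `group: root`, `mode: 0660`: group-writable, and unreadable by the service if, as seems likely, it runs as a non-root user; `mode: 0640` with `group:` set to the service's group is the least-privilege shape, and the same applies to client_secrets.json at `0640` root:root. Neither template task sets `no_log: True`, so a `--diff` run prints the OIDC client secret and `SECRET_KEY` in the play output — ssl-setup.yml in this commit already uses `no_log: True` for the key copy, so the pattern is established.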
@@ -0,0 +1,63 @@ +- name: install postresql (yum) + yum: state=present pkg={{ item }} + with_items: + - "postgresql-server" + - "postgresql-contrib" + - "python-psycopg2" + when: ansible_distribution_major_version|int < 22 + +- name: install postresql (dnf) + dnf: state=present pkg={{ item }} + with_items: + - "postgresql-server" + - "postgresql-contrib" + - "python-psycopg2" + when: ansible_distribution_major_version|int > 21 + +- name: See if postgreSQL is installed + stat: path=/var/lib/pgsql/initdb_postgresql.log + register: pgsql_installed + +- name: init postgresql + shell: "postgresql-setup initdb" + when: not pgsql_installed.stat.exists + +- name: copy pg_hba.conf + copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600 + notify: + - restart postgresql + tags: + - config + +- name: Ensure postgres has a place to backup to + file: dest=/backups state=directory owner=postgres + tags: + - config + +- name: Copy over backup scriplet + copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755 + tags: + - config + +- name: Set up some cronjobs to backup databases as configured + template: > + src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database" + dest="/etc/cron.d/cron-backup-database-{{ item }}" + with_items: + - "{{ dbs_to_backup }}" + when: dbs_to_backup != [] + tags: + - config + +- name: enable Pg service + service: state=started enabled=yes name=postgresql + +- name: Create db + postgresql_db: name="waiverdb" encoding='UTF-8' + become: yes + become_user: postgres + +- name: Create db user + postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE + become: yes + become_user: postgres diff --git a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 new file mode 100644 index 0000000000..d5d013974a --- /dev/null 
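Review bot: `role_attr_flags=SUPERUSER` gives the application account full cluster control; a role that merely owns the `waiverdb` database (create the role first, then pass it as `owner=` to `postgresql_db`) needs none of that, so `role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE` is the least-privilege setting. The role is created as `wavierdb-user` while the settings.py.j2 template in this commit connects as `waiverdb_user`; one of the two is a typo and the connection will be refused because the role does not exist, so pick one spelling and use it in both places. `dbs_to_backup` is not defined in roles/waiverdb/defaults/main.yml, so `when: dbs_to_backup != []` raises an undefined-variable error unless every caller sets it; a default such as `dbs_to_backup: []` in the defaults file closes that.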
+++ b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 @@ -0,0 +1,39 @@ +# HTTP server +# rewrite to HTTPS +server { + listen 80; + server_name {{service_name}}; + return 301 https://$server_name$request_uri; +} +# HTTPs server +server { + listen 443; + server_name {{ service_name }}; + + ssl on; + ssl_certificate /etc/nginx/conf.d/ssl.pem; + ssl_certificate_key /etc/nginx/conf.d/ssl.key; + + ssl_session_timeout 5m; + + # https://mozilla.github.io/server-side-tls/ssl-config-generator/ + # modern configuration. tweak to your needs. + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + location /api { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://unix:/run/waiverdb/socket:/api; + } +} diff --git a/roles/waiverdb/templates/etc/waiverdb/client_secrets.json b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json new file mode 100644 index 0000000000..83dc8b0ed8 --- /dev/null +++ b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json 
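Review bot: The HTTPS block repeats the weaknesses of example_ssl.conf.2: `ssl_protocols TLSv1.1 TLSv1.2` under a "modern configuration" comment, a cipher list that still contains SHA-1 CBC suites, and no `ssl_dhparam /etc/ssl/certs/dhparam.pem;` even though the nginx role generates that file; at minimum `ssl_protocols TLSv1.2;` makes the comment true. `ssl on;` with a bare `listen 443;` is the deprecated form — `listen 443 ssl;` is the current spelling. `location /` serves `/usr/share/nginx/html` on the HTTPS vhost, so anything outside `/api` returns the distribution's placeholder page; if the service only exposes `/api`, returning 404 for `/` (or proxying it too) is less surprising.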
@@ -0,0 +1,11 @@ +{ + "web": { + "auth_uri": "{{ waiverdb_oidc_auth_uri }}", + "client_id": "{{ waiverdb_oidc_client_id }}", + "client_secret": "{{ waiverdb_oidc_client_secret }}", + "redirect_uris": [], + "token_uri": "{{ waiverdb_oidc_token_uri }}", + "token_introspection_uri": "{{ waiverdb_oidc_token_introspection_uri }}", + "userinfo_uri": "{{ waiverdb_oidc_userinfo_uri }}" + } +} diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 new file mode 100644 index 0000000000..67ce5c8b58 --- /dev/null +++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 @@ -0,0 +1,2 @@ +SECRET_KEY = '{{ waiverdb_secret_key }}' +SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb