Merge branch 'master' of /git/ansible

2017-05-02 18:08:45 +00:00 · 2017-05-02 18:08:45 +00:00 · 30d3002882
commit 30d3002882
parent e09d02cc5f 40f69265d7
76 changed files with 663 additions and 99 deletions
--- a/inventory/builders
+++ b/inventory/builders
@ -243,7 +243,8 @@ buildppcle-04.ppc.fedoraproject.org
 [buildaarch64]
 aarch64-02a.arm.fedoraproject.org
-aarch64-03a.arm.fedoraproject.org
+# Marked DEAD in pdu
 #aarch64-03a.arm.fedoraproject.org
 aarch64-04a.arm.fedoraproject.org
 aarch64-05a.arm.fedoraproject.org
 aarch64-06a.arm.fedoraproject.org
--- a/inventory/group_vars/nagios-new
+++ b/inventory/group_vars/nagios-new
@ -149,7 +149,6 @@ phx2_management_limited:
  - rack47-pdu-b.mgmt.fedoraproject.org
  - rack47-serial.mgmt.fedoraproject.org
  - rack48-pdu-a.mgmt.fedoraproject.org
  - rack48-pdu-b.mgmt.fedoraproject.org
  - rack48-serial.mgmt.fedoraproject.org
  - rack51-pdu-a.mgmt.fedoraproject.org
  - rack51-pdu-b.mgmt.fedoraproject.org
--- a/inventory/group_vars/taskotron-prod
+++ b/inventory/group_vars/taskotron-prod
@ -27,6 +27,7 @@ grokmirror_repos:
  - { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'}
  - { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'}
  - { name: fedoraqa/fedora-cloud-tests, url: 'https://pagure.io/taskotron/task-fedora-cloud-tests.git'}
  - { name: fedoraqa/modularity-testing-framework, url: 'https://pagure.io/taskotron/task-modularity-testing-framework.git'}
 grokmirror_user: grokmirror
 grokmirror_default_branch: master
--- a/inventory/host_vars/artboard.fedorainfracloud.org
+++ b/inventory/host_vars/artboard.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
 ansible_ifcfg_blacklist: true 
--- a/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org
@ -2,7 +2,7 @@
 instance_type: m1.medium
 image: "{{ el6_qcow_id }}"
 keypair: fedora-admin
-security_group: webserver
+security_group: webserver,all-icmp-persistent,default
 zone: nova
 hostbase: blockerbugs-dev-
 public_ip: 209.132.184.200
--- a/inventory/host_vars/communityblog.fedorainfracloud.org
+++ b/inventory/host_vars/communityblog.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org
+++ b/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org
@ -3,7 +3,7 @@ instance_type: ms1.small
 image: "{{ fedora25_x86_64 }}"
 #image: rhel7-20141015
 keypair: fedora-admin-20130801
-security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default
+security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 hostbase: copr-dist-git-dev-
 public_ip: 209.132.184.179
--- a/inventory/host_vars/copr-dist-git.fedorainfracloud.org
+++ b/inventory/host_vars/copr-dist-git.fedorainfracloud.org
@ -2,7 +2,7 @@
 instance_type: ms1.medium.bigswap
 image: "{{ fedora25_x86_64 }}"
 keypair: fedora-admin-20130801
-security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default
+security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 hostbase: copr-dist-git-
 public_ip: 209.132.184.163
--- a/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org
@ -2,7 +2,7 @@
 instance_type: m1.medium
 image: "{{ fedora25_x86_64 }}"
 keypair: fedora-admin-20130801
-security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 hostbase: copr-fe-dev-
 public_ip: 209.132.184.55
--- a/inventory/host_vars/copr-fe.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-fe.cloud.fedoraproject.org
@ -5,7 +5,7 @@ base_pkgs_erase: ['PackageKit*', 'sendmail', 'at']
 instance_type: ms1.medium
 image: "{{ fedora25_x86_64 }}"
 keypair: fedora-admin-20130801
-security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent
 zone: nova
 hostbase: copr-fe-
 public_ip: 209.132.184.54
--- a/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org
@ -3,7 +3,7 @@ instance_type: ms1.small
 image: "{{ fedora25_x86_64 }}"
 keypair: fedora-admin-20130801
 # todo: remove some security groups ?
-security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 hostbase: copr-keygen-dev-
 public_ip: 209.132.184.46
--- a/inventory/host_vars/darkserver-dev.fedorainfracloud.org
+++ b/inventory/host_vars/darkserver-dev.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.large
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/developer.fedorainfracloud.org
+++ b/inventory/host_vars/developer.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora25_x86_64 }}"
 instance_type: m1.large
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/dopr-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/dopr-dev.cloud.fedoraproject.org
@ -1,4 +0,0 @@
 ---
 resolvconf: "resolv.conf/cloud"
 tcp_ports: [80, 443]
 freezes: false
--- a/inventory/host_vars/eclipse.fedorainfracloud.org
+++ b/inventory/host_vars/eclipse.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora23_x86_64 }}"
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/faitout.fedorainfracloud.org
+++ b/inventory/host_vars/faitout.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,pg-5432-anywhere,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,pg-5432-anywhere,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443, 5432]
--- a/inventory/host_vars/fas2-dev.fedorainfracloud.org
+++ b/inventory/host_vars/fas2-dev.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ centos66_x86_64 }}"
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/fas3-dev.fedorainfracloud.org
+++ b/inventory/host_vars/fas3-dev.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/fedimg-dev.fedorainfracloud.org
+++ b/inventory/host_vars/fedimg-dev.fedorainfracloud.org
@ -1,7 +1,7 @@
 instance_type: m1.medium
 image: rhel7-20141015
 keypair: fedora-admin-20130801
-security_group: default,ssh-anywhere-persistent
+security_group: default,ssh-anywhere-persistent,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org
+++ b/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: Fedora-Cloud-Base-23.x86_64-python2
 instance_type: m1.large
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/glittergallery-dev.fedorainfracloud.org
+++ b/inventory/host_vars/glittergallery-dev.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora23_x86_64 }}"
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/graphite.fedorainfracloud.org
+++ b/inventory/host_vars/graphite.fedorainfracloud.org
@ -1,7 +1,7 @@
 instance_type: m1.large
 image: "{{ fedora23_x86_64 }}"
 keypair: fedora-admin-20130801
-security_group: default,wide-open-persistent
+security_group: default,wide-open-persistent,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
 custom_rules:
--- a/inventory/host_vars/hubs-dev.fedorainfracloud.org
+++ b/inventory/host_vars/hubs-dev.fedorainfracloud.org
@ -0,0 +1,18 @@
 ---
 image: "{{ fedora25_x86_64 }}"
 instance_type: m1.medium
 keypair: fedora-admin-20130801
 security_group: ssh-anywhere-persistent,all-icmp-persistent,default,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
 inventory_tenant: persistent
 inventory_instance_name: hubs-dev
 hostbase: hubs-dev
 public_ip: 209.132.184.47
 root_auth_users: sayan
 description: hubs development instance
 cloud_networks:
  # persistent-net
  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
--- a/inventory/host_vars/iddev.fedorainfracloud.org
+++ b/inventory/host_vars/iddev.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
 ansible_ifcfg_blacklist: true
--- a/inventory/host_vars/insim.fedorainfracloud.org
+++ b/inventory/host_vars/insim.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora25_x86_64 }}"
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/java-deptools.fedorainfracloud.org
+++ b/inventory/host_vars/java-deptools.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora24_x86_64 }}"
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/lists-dev.fedorainfracloud.org
+++ b/inventory/host_vars/lists-dev.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.large
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/magazine.fedorainfracloud.org
+++ b/inventory/host_vars/magazine.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.large
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,allow-nagios-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,allow-nagios-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/modernpaste.fedorainfracloud.org
+++ b/inventory/host_vars/modernpaste.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora23_x86_64 }}"
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/modularity.fedorainfracloud.org
+++ b/inventory/host_vars/modularity.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "Fedora-Cloud-Base-24 (Final)"
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: modularity,ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: modularity,ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/piwik.fedorainfracloud.org
+++ b/inventory/host_vars/piwik.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora24_x86_64 }}"
 instance_type: m1.large
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/qadevel.cloud.fedoraproject.org
+++ b/inventory/host_vars/qadevel.cloud.fedoraproject.org
@ -1,2 +0,0 @@
 ---
 host_backup_targets: ['/var/lib/phabricator/files', '/srv/backup']
--- a/inventory/host_vars/regcfp.fedorainfracloud.org
+++ b/inventory/host_vars/regcfp.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/respins.fedorainfracloud.org
+++ b/inventory/host_vars/respins.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: wide-open-persistent,default
+security_group: wide-open-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 6969]
--- a/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org
+++ b/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: rhel7-20141015
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/taiga.fedorainfracloud.org
+++ b/inventory/host_vars/taiga.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora25_x86_64 }}"
 instance_type: m1.medium
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/taigastg.fedorainfracloud.org
+++ b/inventory/host_vars/taigastg.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: "{{ fedora23_x86_64 }}"
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/host_vars/testdays.fedorainfracloud.org
+++ b/inventory/host_vars/testdays.fedorainfracloud.org
@ -2,7 +2,7 @@
 image: 'rhel7-20141015'
 instance_type: m1.small
 keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
 zone: nova
 tcp_ports: [22, 80, 443]
--- a/inventory/inventory
+++ b/inventory/inventory
@ -139,7 +139,7 @@ osuosl01.fedoraproject.org
 osuosl02.fedoraproject.org
 osuosl03.fedoraproject.org
 tummy01.fedoraproject.org
-virthost-rdu01.fedoraproject.org
+#virthost-rdu01.fedoraproject.org
 virthost-cc-rdu01.fedoraproject.org
 [datagrepper]
@ -269,7 +269,7 @@ autocloud-backend01.stg.phx2.fedoraproject.org
 autocloud-backend02.stg.phx2.fedoraproject.org
 [autosign]
-#autosign01.phx2.fedoraproject.org
+autosign01.phx2.fedoraproject.org
 [autosign-stg]
 autosign01.stg.phx2.fedoraproject.org
@ -367,9 +367,6 @@ fas01.stg.phx2.fedoraproject.org
 [fas3-stg]
 fas3-01.stg.phx2.fedoraproject.org
 [hosted]
 hosted03.fedoraproject.org
 [hotness]
 hotness01.phx2.fedoraproject.org
@ -634,7 +631,7 @@ proxy09.fedoraproject.org
 proxy10.phx2.fedoraproject.org
 proxy11.fedoraproject.org
 proxy12.fedoraproject.org
-proxy13.fedoraproject.org
+#proxy13.fedoraproject.org
 proxy14.fedoraproject.org
 [proxies-stg]
@ -1092,10 +1089,6 @@ pdc-backend03.stg.phx2.fedoraproject.org
 [piwik-stg]
 #piwik01.stg.phx2.fedoraproject.org
 [transient-cloud]
 # fedora-hubs-dev
 209.132.184.98
 [persistent-cloud]
 # artboard instance
 artboard.fedorainfracloud.org
@ -1160,6 +1153,8 @@ kolinahr.fedorainfracloud.org
 respins.fedorainfracloud.org
 # waiverdb-dev - ticket 6009
 waiverdb-dev.fedorainfracloud.org
 # hubs-dev
 hubs-dev.fedorainfracloud.org
 #
 # These are in the new cloud
@ -1209,7 +1204,6 @@ dns
 bastion
 backup
 infracore
 hosted
 smtp-mm
 memcached
 virthost
--- a/master.yml
+++ b/master.yml
@ -142,6 +142,7 @@
 - include: /srv/web/infra/ansible/playbooks/hosts/glittergallery-dev.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/grafana.cloud.fedoraproject.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/graphite.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/iddev.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml
 - include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml
--- a/playbooks/groups/noc-new.yml
+++ b/playbooks/groups/noc-new.yml
@ -58,3 +58,10 @@
  - { role: tftp_server, when: datacenter == 'phx2' }
  - nagios_server
  - fedmsg/base
  tasks:
  - name: install some packages which arent in playbooks
    yum: pkg={{ item }} state=present
    with_items:
      - nmap
      - tcpdump
--- a/playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml
+++ b/playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml
@ -1,16 +1,33 @@
- name: provision instance
+- name: check/create instance
-  hosts: 209.132.184.98   # this is transient.. so may change if we destroy it.
+  hosts: hubs-dev.fedorainfracloud.org
-  user: root
+  gather_facts: False
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
+   - /srv/private/ansible/vars.yml
   - /srv/web/infra/ansible/vars/fedora-cloud.yml
   - /srv/private/ansible/files/openstack/passwords.yml
  tasks:
  - include: "{{ tasks_path }}/persistent_cloud.yml"
 - name: setup all the things
  hosts: hubs-dev.fedorainfracloud.org
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - /srv/private/ansible/vars.yml
   - /srv/private/ansible/files/openstack/passwords.yml
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  pre_tasks:
  - include: "{{ tasks_path }}/cloud_setup_basic.yml"
  - name: set hostname (required by some services, at least postfix need it)
    hostname: name="{{inventory_hostname}}"
  tasks:
  - include: "{{ tasks_path }}/yumrepos.yml"
-  - yum: name={{item}} state=present
+  - dnf: name={{item}} state=present
    with_items:
    - git
@ -42,7 +59,7 @@
    - src: /srv/git/fedora-hubs/systemd/hubs-webapp.service
      dest: /usr/lib/systemd/system/hubs-webapp.service
      remote_src: True
-  - yum: name={{item}} state=present
+  - dnf: name={{item}} state=present
    with_items:
    - htop
    - tmux
--- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
+++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
@ -24,3 +24,7 @@
  - include: "{{ tasks_path }}/cloud_setup_basic.yml"
  - name: set hostname (required by some services, at least postfix need it)
    hostname: name="{{inventory_hostname}}"
  roles:
  - nginx
  - waiverdb
--- a/roles/batcave/files/fedmsg-announce-commits.py
+++ b/roles/batcave/files/fedmsg-announce-commits.py
@ -49,10 +49,21 @@ def build_stats(commit):
    for diff in diffs:
        for patch in diff:
-            path = patch.new_file_path
+           if hasattr(patch, 'new_file_path'):
-            files[path]['additions'] += patch.additions
+               path = patch.new_file_path
-            files[path]['deletions'] += patch.deletions
+           else:
-            files[path]['lines'] += patch.additions + patch.deletions
+               path = patch.delta.new_file.path
           if hasattr(patch, 'additions'):
               files[path]['additions'] += patch.additions
               files[path]['deletions'] += patch.deletions
               files[path]['lines'] += patch.additions + patch.deletions
           else:
               files[path]['additions'] += patch.line_stats[1]
               files[path]['deletions'] += patch.line_stats[2]
               files[path]['lines'] += patch.line_stats[1] \
                                       + patch.line_stats[2]
    total = defaultdict(int)
    for name, stats in files.items():
--- a/roles/bodhi2/backend/tasks/main.yml
+++ b/roles/bodhi2/backend/tasks/main.yml
@ -413,6 +413,11 @@
  tags:
  - bodhi
 - name: ensure fedmsg-hub is enabled and started on the backend
  service: name=fedmsg-hub enabled=yes state=started
  tags:
  - bodhi
 #- name: have apache own /mnt/koji/mash/updates
 #  file: path=/mnt/koji/mash/updates state=directory recurse=yes owner=apache group=apache
 #  tags:
--- a/roles/git/hooks/files/post-receive-fedmsg
+++ b/roles/git/hooks/files/post-receive-fedmsg
@ -53,10 +53,20 @@ def build_stats(commit):
    for diff in diffs:
        for patch in diff:
-            path = patch.new_file_path
+            if hasattr(patch, 'new_file_path'):
-            files[path]['additions'] += patch.additions
+                path = patch.new_file_path
-            files[path]['deletions'] += patch.deletions
+            else:
-            files[path]['lines'] += patch.additions + patch.deletions
+                path = patch.delta.new_file.path
            if hasattr(patch, 'additions'):
                files[path]['additions'] += patch.additions
                files[path]['deletions'] += patch.deletions
                files[path]['lines'] += patch.additions + patch.deletions
            else:
                files[path]['additions'] += patch.line_stats[1]
                files[path]['deletions'] += patch.line_stats[2]
                files[path]['lines'] += patch.line_stats[1] \
                                        + patch.line_stats[2]
    total = defaultdict(int)
    for name, stats in files.items():
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@ -128,16 +128,9 @@ channel =
    source */kernel* && has_perm secure-boot :: use secure-boot
    source */shim* && has_perm secure-boot :: use secure-boot
    source */grub2* && has_perm secure-boot :: use secure-boot
    source */fedora-release* && has_perm secure-boot :: use secure-boot
    source */fedora-repos* && has_perm secure-boot :: use secure-boot
    source */pesign* && has_perm secure-boot :: use secure-boot
    source */fwupdate* && has_perm secure-boot :: use secure-boot
 # we have some arm builders that have ssd's in them, eclipse is 7 hours faster building on them so lets
 # make sure that we always build eclipse on them.
    source */eclipse* :: use eclipse
    source */gcc* :: use eclipse
    all :: use default
--- a/roles/koschei/backend/templates/config-backend.cfg.j2
+++ b/roles/koschei/backend/templates/config-backend.cfg.j2
@ -28,7 +28,7 @@ config = {
        "load_threshold": 1,
        {% else %}
        "max_builds": 60,
-        "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le'],
+        "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le', 's390x'],
        "load_threshold": 0.65,
        {% endif %}
        "task_priority": 30,
--- a/roles/nagios_server/files/nagios/services/disk.cfg
+++ b/roles/nagios_server/files/nagios/services/disk.cfg
@ -12,13 +12,6 @@ define service {
  use                   disktemplate
 }
 define service {
  hostgroup_name	hosted
  service_description   Disk Space /srv
  check_command		check_by_nrpe!check_disk_/srv
  use                   disktemplate
 }
 define service {
  hostgroup_name        qahardware
  service_description   Disk Space /srv
--- a/roles/nagios_server/files/nagios/services/hosted.cfg
+++ b/roles/nagios_server/files/nagios/services/hosted.cfg
@ -1,3 +0,0 @@
 #
 # This file is dead.
 #
--- a/roles/nagios_server/files/nagios/services/swap.cfg
+++ b/roles/nagios_server/files/nagios/services/swap.cfg
@ -1,6 +1,6 @@
 define service {
-  hostgroup             noswap
+  hostgroup             CheckSwap
-  service_description   No Swap
+  service_description   Swap-Is-Low
  check_command         check_by_nrpe!check_swap
  use                   criticaltemplate
 }
--- a/roles/nagios_server/files/nagios/services/websites.cfg
+++ b/roles/nagios_server/files/nagios/services/websites.cfg
@ -184,7 +184,7 @@ define service {
 define service {
  hostgroup_name        koji
  service_description   http-koji
-  check_command         check_website!koji.fedoraproject.org!/koji/hosts!arm04-builder
+  check_command         check_website!koji.fedoraproject.org!/koji/hosts!fedoraproject.org
  use                   websitetemplate
 }
--- a/roles/nagios_server/files/nrpe/nrpe.cfg
+++ b/roles/nagios_server/files/nrpe/nrpe.cfg
@ -287,7 +287,6 @@ include_dir=/etc/nrpe.d/
 command[check_nrpe]=/bin/date
 command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
 command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
 command[check_hosted_load]=/usr/lib64/nagios/plugins/check_load -w 35,30,25 -c 70,60,50
 command[check_raid]=/usr/lib64/nagios/plugins/check_raid.py
 command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
 command[check_disk_/u01]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /u01
--- a/roles/nagios_server/tasks/main.yml
+++ b/roles/nagios_server/tasks/main.yml
@ -182,7 +182,6 @@
    - file_age.cfg
    - fmn.cfg
    - haproxy.cfg
    - hosted.cfg
    - ipa.cfg
    - koji.cfg
    - koschei.cfg
@ -311,7 +310,7 @@
  with_items:
    - all.cfg
    - nomail.cfg
-    - noswap.cfg
+    - checkswap.cfg
  tags:
  - nagios_server
--- a/roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j2
+++ b/roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j2
@ -0,0 +1,6 @@
 define hostgroup {
        hostgroup_name  CheckSwap
        alias           Swap-Is-Low
 	members         *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %}  {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} 
 }
--- a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2
+++ b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2
@ -1,6 +1,6 @@
 define hostgroup {
        hostgroup_name  nomail
        alias           No Mail
-	members         *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %}  {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} 
+	members         *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %}  {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} 
 }
--- a/roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j2
+++ b/roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j2
@ -1,6 +0,0 @@
 define hostgroup {
        hostgroup_name  noswap
        alias           No Swap
 	members         *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %}  {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} 
 }
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -0,0 +1,72 @@
 Overview
 ========
 Role for using nginx.  Sets up ssl certs in known locations and inactive
 template for application use.
 Role options
 ------------
 * `update_ssl_certs` - Only push the SSL key and PEM files and restart Nginx
 SSL
 ---
 This role will copy over key/crt by default.
 It can be disabled by setting `httpd_no_ssl` to true
 You will still need to configure the application to use ssl.  A reference template templates/example_ssl.conf.j2 is provided
 The script will look for keys and certs in the paths specified by the
 `httpd_ssl_key_file`, `httpd_ssl_crt_file` and `httpd_ssl_pem_file` variables.
 If that fails, it will attempt to create key/crt pair if there isn't one already installed.
 If a pem file exists in the location specified by `httpd_ssl_pem_file`,
 it will be copied across as `ssl.pem`. Applications that required the certificate
 chain should point at `/etc/nginx/conf.d/ssl.pem`.
 Caveats
 -------
 The key, crt and pem will always be stored on the host under `/etc/nginx/conf.d/{{
 inventory_hostname }}.{key,crt,pem}` due to the multi-sourcing nature of the setup.
 Use `httpd_no_ssl` and setup as desired if it deviates from what is covered here.
 Logrotate
 ---------
 A default template is configured.
 SELinux
 -------
 selinux contexts are application specific.  Enable the following as needed by your setup:
 ```
 httpd_can_network_relay
 httpd_can_network_memcache
 httpd_can_network_connect *
 httpd_can_network_connect_db *
 httpd_can_sendmail
 ```
 - * commonly used items enabled by default
 Handlers
 --------
 restart nginx - restart the nginx service
 Variables
 ---------
 * `service_name` - canonical name for service
 * `httpd_no_ssl` - don't set up ssl
 * `httpd_ssl_key_file` - local path to use as source for ssl.key file
 * `httpd_ssl_crt_file` - local path to use as source for ssl.crt file
 * `httpd_ssl_pem_file` - local path to use as source for ssl.pem file
 * `ssl_fast_dh` - whether to use a speedy method to generate Diffie Hellman
    parameters
 * `ssl_intermediate_ca_pattern` - pattern to check if certificate is
    self-signed
 * `ssl_self_signed_string` - location and CN settings for self signed cert
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -0,0 +1,18 @@
 ---
 ## set some defaults with the expectation that they will be set in/from calling role
 service_name: "{{ inventory_hostname }}"
 ## nginx core configuration defaults
 nginx_default_port: 80
 nginx_error_level: "warn"
 nginx_worker_processes: 1
 nginx_gzip_status: "on"
 ## variables unset by default
 httpd_no_ssl: false
 httpd_ssl_key_file: "{{ ssl_key_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
 httpd_ssl_crt_file: "{{ ssl_crt_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
 httpd_ssl_pem_file: "{{ ssl_pem_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
 ssl_self_signed_string: "/C=US/ST=New York/L=New York City/O=My Department/CN={{ service_name }}"
 ssl_fast_dh: false
 nginx_ssl_ca_line: "#ssl_client_certificate /path/to/ca/file;"
--- a/roles/nginx/files/etc/logrotate.d/nginx
+++ b/roles/nginx/files/etc/logrotate.d/nginx
@ -0,0 +1,13 @@
 /var/log/nginx/*.log {
        daily
        missingok
        rotate 30
        compress
        delaycompress
        notifempty
        create 640 nginx adm
        sharedscripts
        postrotate
                [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
        endscript
 }
--- a/roles/nginx/files/etc/nginx/conf.d/default.conf
+++ b/roles/nginx/files/etc/nginx/conf.d/default.conf
@ -0,0 +1,44 @@
 server {
    listen       80;
    server_name  localhost;
    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    #error_page  404              /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}
    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
 }
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: restart nginx
  service:
    name: nginx
    state: restarted
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -0,0 +1,5 @@
 ---
 - include: nginx.yml
 - include: ssl-setup.yml
  when: not httpd_no_ssl
--- a/roles/nginx/tasks/nginx.yml
+++ b/roles/nginx/tasks/nginx.yml
@ -0,0 +1,33 @@
 - name: install nginx
  dnf:
    name: nginx
    state: present
 - name: Ensure nginx is started and enabled to start at boot.
  service: name=nginx state=started enabled=yes
 - name: install nginx logrotation file
  copy:
    src: etc/logrotate.d/nginx
    dest: /etc/logrotate.d/nginx
    owner: root
    group: root
    mode: 0644
 - name: install /etc/nginx/nginx.conf
  template:
    src: etc/nginx/nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: 0644
  notify: restart nginx
 - name: install /etc/nginx/conf.d/default.conf
  copy:
    src: etc/nginx/conf.d/default.conf
    dest: /etc/nginx/conf.d/default.conf
    owner: root
    group: root
    mode: 0644
  notify: restart nginx
--- a/roles/nginx/tasks/ssl-setup.yml
+++ b/roles/nginx/tasks/ssl-setup.yml
@ -0,0 +1,45 @@
 - name: copy over ssl key
  copy:
    src: "{{ item }}"
    dest: "/etc/nginx/conf.d/ssl.key"
  with_first_found:
  - files:
    - "{{ httpd_ssl_key_file }}"
    skip: True
  register: setup_ssl_key
  notify: restart nginx service
  no_log: True
  tags:
  - update_ssl_certs
 - name: copy over ssl pem file
  copy:
    src: "{{ item }}"
    dest: "/etc/nginx/conf.d/ssl.pem"
  with_first_found:
  - files:
    - "{{ httpd_ssl_pem_file }}"
    - "{{ httpd_ssl_crt_file }}"
    skip: True
  register: setup_ssl_pem
  when: setup_ssl_key|success
  tags:
  - update_ssl_certs
  #  generate our own key/crt if pem is missing
 - name: generate self signed ssl certificate
  command: openssl req -new -nodes -x509 -subj "{{ ssl_self_signed_string }}" -days 3650 -keyout /etc/nginx/conf.d/ssl.key -out /etc/nginx/conf.d/ssl.pem -extensions v3_ca
  args:
    creates: /etc/nginx/conf.d/ssl.pem
  when: setup_ssl_key|failed or setup_ssl_pem|failed
 - name: warn that the next step takes a while
  debug:
    msg: "the next step can take around 15 minutes if it hasn't already been done"
 - name: create Diffie Hellman ephemeral parameters
  # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  command: openssl dhparam {{ '-dsaparam' if ssl_fast_dh else '' }} -out dhparam.pem 4096
  args:
    chdir: /etc/ssl/certs
    creates: /etc/ssl/certs/dhparam.pem
--- a/roles/nginx/templates/etc/nginx/nginx.conf.j2
+++ b/roles/nginx/templates/etc/nginx/nginx.conf.j2
@ -0,0 +1,50 @@
 user  nginx;
 worker_processes  {{ nginx_worker_processes }};
 error_log  /var/log/nginx/error.log {{ nginx_error_level }};
 {% if ansible_distribution_major_version == "7" %}
 pid        /run/nginx.pid;
 {% else %}
 pid        /var/run/nginx.pid;
 {% endif %}
 # Load dynamic modules. See /usr/share/nginx/README.dynamic.
 include /usr/share/nginx/modules/*.conf;
 events {
    worker_connections  1024;
 }
 http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    tcp_nopush     on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    server_names_hash_bucket_size  128;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    gzip  {{ nginx_gzip_status }};
    include /etc/nginx/conf.d/*.conf;
    # bind server context for status explicitly to loopback to allow local only actions
    server {
        listen      [::1]:{{ nginx_default_port }} default_server;
 	    listen      127.0.0.1:{{ nginx_default_port }} default_server;
        server_name  _;
        root         /usr/share/nginx/html;
       # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
    }
 }
--- a/roles/nginx/templates/example_ssl.conf.2
+++ b/roles/nginx/templates/example_ssl.conf.2
@ -0,0 +1,29 @@
 # HTTPS server
 #
 #server {
 #    listen       443;
 #    server_name  {{ service_name }};
 #    ssl                  on;
 #    ssl_certificate      /etc/nginx/conf.d/ssl.pem;
 #    ssl_certificate_key  /etc/nginx/conf.d/ssl.key;
 #    {{ nginx_ssl_ca_line }}
 #    ssl_session_timeout  5m;
 #    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
 #    # modern configuration. tweak to your needs.
 #    ssl_protocols TLSv1.1 TLSv1.2;
 #    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 #    ssl_prefer_server_ciphers on;
 #
 #    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 #    add_header Strict-Transport-Security max-age=15768000;
 #    location / {
 #        root   /usr/share/nginx/html;
 #        index  index.html index.htm;
 #    }
 #}
--- a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2
+++ b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2
@ -48,9 +48,7 @@
  do:
    - {tasks: [fedora-cloud-tests]}
 {% if deployment_type in ['dev', 'stg'] %}
 - when:
    message_type: ModuleBuildComplete
  do:
    - {tasks: [modularity-testing-framework]}
 {% endif %}
--- a/roles/waiverdb/defaults/main.yml
+++ b/roles/waiverdb/defaults/main.yml
@ -0,0 +1,6 @@
 ---
 waiverdb_db_port: 5432
 waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization'
 waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token'
 waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo'
 waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"'
--- a/roles/waiverdb/files/pg/pg_hba.conf
+++ b/roles/waiverdb/files/pg/pg_hba.conf
@ -0,0 +1,29 @@
 # This file is managed by Ansible - changes may be lost
 #
 # PostgreSQL Client Authentication Configuration File
 # ===================================================
 #
 # Refer to the "Client Authentication" section in the PostgreSQL
 # documentation for a complete description of this file.  A short
 # synopsis follows.
 #
 # This file controls: which hosts are allowed to connect, how clients
 # are authenticated, which PostgreSQL user names they can use, which
 # databases they can access.  Records take one of these forms:
 #
 # local      DATABASE  USER  METHOD  [OPTIONS]
 # host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 # hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 # hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 # Default:
 # 
 local  all  postgres    trust
 # "local" is for Unix domain socket connections only
 local  all  all    trust
 # IPv4 local connections:
 host  all  all  127.0.0.1/32  trust
 # IPv6 local connections:
 host  all  all  ::1/128  trust
--- a/roles/waiverdb/handlers/main.yml
+++ b/roles/waiverdb/handlers/main.yml
@ -0,0 +1,10 @@
 ---
 - name: restart waiverdb
  systemd:
    name: waiverdb.service
    state: restarted
 - name: restart postgresql
  systemd:
    name: postgresql.service
    state: restarted
--- a/roles/waiverdb/tasks/main.yml
+++ b/roles/waiverdb/tasks/main.yml
@ -0,0 +1,49 @@
 ---
 - include: psql_setup.yml
 - name: install needed packages (yum)
  yum: pkg={{ item }} state=present
  with_items:
  - waiverdb
  - gunicorn
  - python-psycopg2
  notify:
  - restart waiverdb
  when: ansible_distribution_major_version|int < 22
 - name: install needed packages (dnf)
  dnf: pkg={{ item }} state=present
  with_items:
  - waiverdb
  - gunicorn
  - python-psycopg2
  notify:
  - restart waiverdb
  when: ansible_distribution_major_version|int > 21
 - name: start waiverdb on boot
  systemd:
    name: waiverdb.socket
    enabled: yes
 - name: copy client secrets
  template:
    src: etc/waiverdb/client_secrets.json
    dest: /etc/wavierdb/client_secrets.json
    owner: root
    group: root
    mode: 0640
  notify:
  - restart waiverdb
 - name: generate the app config
  template:
    src: etc/waiverdb/settings.py.j2
    dest: /etc/waiverdb/settings.py
    owner: root
    group: root
    mode: 0660
    backup: yes
    force: yes
  notify:
  - restart waiverdb
--- a/roles/waiverdb/tasks/psql_setup.yml
+++ b/roles/waiverdb/tasks/psql_setup.yml
@ -0,0 +1,63 @@
 - name: install postresql (yum)
  yum: state=present pkg={{ item }}
  with_items:
  - "postgresql-server"
  - "postgresql-contrib"
  - "python-psycopg2"
  when: ansible_distribution_major_version|int < 22
 - name: install postresql (dnf)
  dnf: state=present pkg={{ item }}
  with_items:
  - "postgresql-server"
  - "postgresql-contrib"
  - "python-psycopg2"
  when: ansible_distribution_major_version|int > 21
 - name: See if postgreSQL is installed
  stat: path=/var/lib/pgsql/initdb_postgresql.log
  register: pgsql_installed
 - name: init postgresql
  shell: "postgresql-setup initdb"
  when: not pgsql_installed.stat.exists
 - name: copy pg_hba.conf
  copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
  notify:
  - restart postgresql
  tags:
  - config
 - name: Ensure postgres has a place to backup to
  file: dest=/backups state=directory owner=postgres
  tags:
  - config
 - name: Copy over backup scriplet
  copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
  tags:
  - config
 - name: Set up some cronjobs to backup databases as configured
  template: >
    src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
    dest="/etc/cron.d/cron-backup-database-{{ item }}"
  with_items:
  - "{{ dbs_to_backup }}"
  when: dbs_to_backup != []
  tags:
  - config
 - name: enable Pg service
  service: state=started enabled=yes name=postgresql
 - name: Create db
  postgresql_db: name="waiverdb" encoding='UTF-8'
  become: yes
  become_user: postgres
 - name: Create db user
  postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
  become: yes
  become_user: postgres
--- a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
+++ b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
@ -0,0 +1,39 @@
 # HTTP server
 # rewrite to HTTPS
 server {
  listen       80;
  server_name  {{service_name}};
  return       301 https://$server_name$request_uri;
 }
 # HTTPs server
 server {
    listen       443;
    server_name  {{ service_name }};
    ssl                  on;
    ssl_certificate      /etc/nginx/conf.d/ssl.pem;
    ssl_certificate_key  /etc/nginx/conf.d/ssl.key;
    ssl_session_timeout  5m;
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/run/waiverdb/socket:/api;
    }
 }
--- a/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
+++ b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
@ -0,0 +1,11 @@
 {
    "web": {
        "auth_uri": "{{ waiverdb_oidc_auth_uri }}",
        "client_id": "{{ waiverdb_oidc_client_id }}",
        "client_secret": "{{ waiverdb_oidc_client_secret }}",
        "redirect_uris": [],
        "token_uri": "{{ waiverdb_oidc_token_uri }}",
        "token_introspection_uri": "{{ waiverdb_oidc_token_introspection_uri }}",
        "userinfo_uri": "{{ waiverdb_oidc_userinfo_uri }}"
    }
 }
--- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
+++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
@ -0,0 +1,2 @@
 SECRET_KEY = '{{ waiverdb_secret_key }}'
 SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb
		`@ -1,2 +0,0 @@`
			`---`
			`host_backup_targets: ['/var/lib/phabricator/files', '/srv/backup']`
		`@ -0,0 +1,2 @@`
							`SECRET_KEY = '{{ waiverdb_secret_key }}'`
							`SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb`