Merge branch 'master' of /git/ansible

2015-02-13 20:06:43 +00:00 · 2015-02-13 20:06:43 +00:00 · 4794e04057
commit 4794e04057
parent a0872e6de0 552c8dc2df
9 changed files with 36 additions and 22 deletions
--- a/inventory/host_vars/lists-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/lists-dev.cloud.fedoraproject.org
@ -1,6 +1,6 @@
 ---
 instance_type: m1.large
-image: "{{ f19_qcow_id }}"
+image: "{{ f20_qcow_id }}"
 keypair: fedora-admin-20130801
 security_group: smtpserver
 zone: nova
--- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
@ -110,10 +110,10 @@
  - service: name=ntpd state=started enabled=yes

  # http://docs.openstack.org/icehouse/install-guide/install/yum/content/basics-packages.html
+  - action: yum state=present name=https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm
  - name: install basic openstack packages
    action: yum state=present name={{ item }}
    with_items:
-    - https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm
    - http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
    - openstack-utils
    - openstack-selinux
@ -125,9 +125,11 @@

  - name: add ssl cert
    copy: src={{ private }}/files/openstack/fed-cloud09.pem dest=/etc/pki/tls/certs/fed-cloud09.pem mode=600 owner=rabbitmq group=root
-
  - name: add ssl key
    copy: src={{ private }}/files/openstack/fed-cloud09.key dest=/etc/pki/tls/private/fed-cloud09.key mode=600 owner=rabbitmq group=root
+  - name: add cert to ca-bundle.crt so plain curl works
+    copy: src={{ private }}/files/openstack/fed-cloud09.pem dest=/etc/pki/ca-trust/source/anchors/ mode=600 owner=root group=root
+  - command: /usr/bin/update-ca-trust

  # http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-database-controller.html
  - name: install mysql packages
--- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
@ -21,6 +21,8 @@
  - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  vars:
  - mailman_vardir: /srv/persist/mailman
+  - tcp_ports: [22, 25, 80, 443]
+  - udp_ports: []

  roles:
  - sudo
@ -50,24 +52,24 @@
    get_url: url=https://repos.fedorapeople.org/repos/abompard/hyperkitty/hyperkitty.repo
             dest=/etc/yum.repos.d/hyperkitty.repo mode=0444

-  # open up ports (22, 80, 443, 25)
-  - name: poke holes in the firewall
-    command: lokkit {{ item }}
-    with_items:
-    - --service=ssh
-    - --service=https
-    - --service=http
-    - --service=smtp
-
  # Database
+  - name: install postgresql server packages
+    yum: name={{ item }}  state=present
+    with_items:
+    - postgresql-server
+    - postgresql-contrib
+    - python-psycopg2
+
  - name: initialize postgresql
    command: /usr/bin/postgresql-setup initdb
             creates=/var/lib/pgsql/data/postgresql.conf
+
  - name: copy pg_hba.conf
    copy: src="{{ files }}/lists-dev/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf
          owner=postgres group=postgres
    notify:
    - restart postgresql
+
  - name: start postgresql
    service: state=started name=postgresql

--- a/playbooks/include/proxies-redirects.yml
+++ b/playbooks/include/proxies-redirects.yml
@ -40,7 +40,7 @@
  - role: httpd/redirect
    name: people-fp-o
    website: people.fedoraproject.org
-    target: https://fedorapeople.org
+    target: https://fedorapeople.org/

  - role: httpd/redirect
    name: fas
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@ -14,7 +14,6 @@
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
 {% else %}
  Include "conf.d/{{ name }}/*.conf"
 {% endif %}
@ -46,6 +45,9 @@
  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

+{% if sslonly %}
+  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+{% endif %}
  Include "conf.d/{{ name }}/*.conf"
 </VirtualHost>
 {% endif %}
--- a/roles/notifs/backend/templates/fmn.consumer.py
+++ b/roles/notifs/backend/templates/fmn.consumer.py
@ -52,11 +52,12 @@ config = {

    # Just drop these topics without considering any preferences.  They are noise that just clog us up.
    "fmn.junk_suffixes": [
-        '.buildsys.package.list.state.change',
+        '.buildsys.package.list.change',
        '.buildsys.tag',
        '.buildsys.untag',
        '.buildsys.repo.init',
        '.buildsys.repo.done',
+        '.buildsys.rpm.sign',
    ],

    # This sets up four threads to handle incoming messages.  At the time of
--- a/roles/taskotron/taskotron-client/files/yumrepoinfo.conf
+++ b/roles/taskotron/taskotron-client/files/yumrepoinfo.conf
@ -2,6 +2,9 @@
 ## Fedora infrastructure.
 ## This file is in a ConfigParser syntax, very similar to INI syntax known from
 ## Windows.
+## There is a guide describing how to update this file after important Fedora
+## release events, please see:
+## https://fedoraproject.org/wiki/How_to_update_yumrepoinfo.conf_in_Taskotron

 [DEFAULT]
 # URLs to yum repos
@ -22,8 +25,9 @@ parent =
 # koji tag defaults to section name
 tag = %(__name__)s

-# true for "top" repos corresponding to currently supported Fedora releases
-supported = no
+# release_status can be one of: obsolete, stable, branched or rawhide
+# for non-top-parent repos this is an empty string
+release_status =

 # Rawhide
 [rawhide]
--- a/roles/taskotron/taskotron-client/tasks/main.yml
+++ b/roles/taskotron/taskotron-client/tasks/main.yml
@ -14,12 +14,13 @@
 - name: generate taskotron.yaml config file
  template: src=taskotron.yaml.j2 dest=/etc/taskotron/taskotron.yaml owner=root group=root mode=0644

- name: upload yumrepoinfo.conf
-  copy: src=yumrepoinfo.conf dest=/etc/taskotron/yumrepoinfo.conf owner=root group=root mode=0644
+# getting rid of this because it leads to out-of-date config setups
+# should be deleted soon
+#- name: upload yumrepoinfo.conf
+#  copy: src=yumrepoinfo.conf dest=/etc/taskotron/yumrepoinfo.conf owner=root group=root mode=0644

-# disabled for now since we're uploading the config file
-#- name: set baseurl of yumrepoinfo.conf
-#  replace: dest=/etc/taskotron/yumrepoinfo.conf regexp='baseurl = http://download\.fedoraproject\.org/.*' replace='baseurl = http://infrastructure.fedoraproject.org/pub/fedora/linux'
+- name: set baseurl of yumrepoinfo.conf
+  replace: dest=/etc/taskotron/yumrepoinfo.conf regexp='baseurl = http://download\.fedoraproject\.org/.*' replace='baseurl = http://infrastructure.fedoraproject.org/pub/fedora/linux'

 # disabled for now until interaction with hosts role is figured out
 #- name: update /etc/hosts so that koji downloads work
--- a/vars/global.yml
+++ b/vars/global.yml
@ -18,6 +18,8 @@ f17_qcow_id: ami-00000001
 f19_qcow_id: ami-00000020
 # Fedora-20
 f20_qcow_id: ami-00000042
+# Fedora-21
+f21_qcow_id: ami-0000005a
 # RHEL7beta
 el7b_qcow_id: ami-0000003f
 # RHEL7