diff --git a/inventory/host_vars/lists-dev.cloud.fedoraproject.org b/inventory/host_vars/lists-dev.cloud.fedoraproject.org index bea082d83a..ffbce05bf5 100644 --- a/inventory/host_vars/lists-dev.cloud.fedoraproject.org +++ b/inventory/host_vars/lists-dev.cloud.fedoraproject.org @@ -1,6 +1,6 @@ --- instance_type: m1.large -image: "{{ f19_qcow_id }}" +image: "{{ f20_qcow_id }}" keypair: fedora-admin-20130801 security_group: smtpserver zone: nova diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml index eafe85e2bd..6d24bfe685 100644 --- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml @@ -110,10 +110,10 @@ - service: name=ntpd state=started enabled=yes # http://docs.openstack.org/icehouse/install-guide/install/yum/content/basics-packages.html + - action: yum state=present name=https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm - name: install basic openstack packages action: yum state=present name={{ item }} with_items: - - https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm - http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm - openstack-utils - openstack-selinux 
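Review bot: In the first fed-cloud09 hunk, the new `- action: yum state=present name=https://…/rdo-release-icehouse-4.noarch.rpm` task has no `name:`, and it installs a repo-release package straight from a URL. A package installed this way does not come from a configured repository, so whether its signature is checked depends on yum's local-package GPG setting, which is not visible here. If that setting is off, TLS is the only integrity check on the package that defines the OpenStack repos and their keys. I would add `- name: install rdo release package` and a comment recording that assumption. The unchanged `http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm` item just below has the same caveat without even TLS, so it is worth switching to `https://` if the mirror serves it.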
@@ -125,9 +125,11 @@ - name: add ssl cert copy: src={{ private }}/files/openstack/fed-cloud09.pem dest=/etc/pki/tls/certs/fed-cloud09.pem mode=600 owner=rabbitmq group=root - - name: add ssl key copy: src={{ private }}/files/openstack/fed-cloud09.key dest=/etc/pki/tls/private/fed-cloud09.key mode=600 owner=rabbitmq group=root + - name: add cert to ca-bundle.crt so plain curl works + copy: src={{ private }}/files/openstack/fed-cloud09.pem dest=/etc/pki/ca-trust/source/anchors/ mode=600 owner=root group=root + - command: /usr/bin/update-ca-trust # http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-database-controller.html - name: install mysql packages diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml index 60565ed35e..5af08d0c22 100644 --- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml +++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml @@ -21,6 +21,8 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml vars: - mailman_vardir: /srv/persist/mailman + - tcp_ports: [22, 25, 80, 443] + - udp_ports: [] roles: - sudo 
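Review bot: Copying fed-cloud09.pem into `/etc/pki/ca-trust/source/anchors/` makes it a trust anchor for every TLS client on the host, not only for curl against this service. The task comment should say so, and say whether the pem is a CA certificate or the server's own self-signed one. If it is the latter (inferred, the cert is not visible here), the key deployed by the `add ssl key` task becomes something the whole system trust store depends on. The bare `- command: /usr/bin/update-ca-trust` also runs and reports changed on every play. Giving it a name and triggering it with `notify: update ca-trust` from the copy task would tie it to an actual change, though the handlers section is outside this hunk.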
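Review bot: Nothing in the lists-dev hunks shows what consumes `tcp_ports` and `udp_ports`, yet the second hunk of this file removes the lokkit tasks that explicitly opened ssh, https, http and smtp. The firewall on this host therefore depends entirely on some role in the list (only `- sudo` is visible, the list continues outside the hunk) rendering rules from these variables. A comment above them such as `# rendered into the firewall rules by <role>; replaces the lokkit tasks removed below` would make that dependency reviewable. It is also worth confirming after the first run that port 25 is still reachable and that nothing beyond these four ports is open.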
@@ -50,24 +52,24 @@ get_url: url=https://repos.fedorapeople.org/repos/abompard/hyperkitty/hyperkitty.repo dest=/etc/yum.repos.d/hyperkitty.repo mode=0444 - # open up ports (22, 80, 443, 25) - - name: poke holes in the firewall - command: lokkit {{ item }} - with_items: - - --service=ssh - - --service=https - - --service=http - - --service=smtp - # Database + - name: install postgresql server packages + yum: name={{ item }} state=present + with_items: + - postgresql-server + - postgresql-contrib + - python-psycopg2 + - name: initialize postgresql command: /usr/bin/postgresql-setup initdb creates=/var/lib/pgsql/data/postgresql.conf + - name: copy pg_hba.conf copy: src="{{ files }}/lists-dev/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres notify: - restart postgresql + - name: start postgresql service: state=started name=postgresql diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index 278e55ee19..000dc6e1c0 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -40,7 +40,7 @@ - role: httpd/redirect name: people-fp-o website: people.fedoraproject.org - target: https://fedorapeople.org + target: https://fedorapeople.org/ - role: httpd/redirect name: fas diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf index abdc8dc2fe..e07264ff54 100644 --- a/roles/httpd/website/templates/website.conf +++ b/roles/httpd/website/templates/website.conf @@ -14,7 +14,6 @@ RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE] - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" {% else %} Include "conf.d/{{ name }}/*.conf" {% endif %} 
@@ -46,6 +45,9 @@ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK +{% if sslonly %} + Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" +{% endif %} Include "conf.d/{{ name }}/*.conf" {% endif %} diff --git a/roles/notifs/backend/templates/fmn.consumer.py b/roles/notifs/backend/templates/fmn.consumer.py index 6576b5c039..ca9fde2673 100644 --- a/roles/notifs/backend/templates/fmn.consumer.py +++ b/roles/notifs/backend/templates/fmn.consumer.py @@ -52,11 +52,12 @@ config = { # Just drop these topics without considering any preferences. They are noise that just clog us up. "fmn.junk_suffixes": [ - '.buildsys.package.list.state.change', + '.buildsys.package.list.change', '.buildsys.tag', '.buildsys.untag', '.buildsys.repo.init', '.buildsys.repo.done', + '.buildsys.rpm.sign', ], # This sets up four threads to handle incoming messages. At the time of diff --git a/roles/taskotron/taskotron-client/files/yumrepoinfo.conf b/roles/taskotron/taskotron-client/files/yumrepoinfo.conf index a7febbe9b5..998dbe48ff 100644 --- a/roles/taskotron/taskotron-client/files/yumrepoinfo.conf +++ b/roles/taskotron/taskotron-client/files/yumrepoinfo.conf 
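Review bot: `Header always add` appends rather than replaces, so a response can carry two Strict-Transport-Security headers if any file pulled in by the following `Include "conf.d/{{ name }}/*.conf"` sets one as well, and clients honour only the first. `Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"` avoids that. The policy also applies `includeSubDomains; preload` to every site rendered with `sslonly`, which commits all subdomains of each name to HTTPS for the full max-age. A template comment saying this is intended would help whoever enables `sslonly` on the next site. The enclosing VirtualHost block starts outside the hunk.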
@@ -2,6 +2,9 @@ ## Fedora infrastructure. ## This file is in a ConfigParser syntax, very similar to INI syntax known from ## Windows. +## There is a guide describing how to update this file after important Fedora +## release events, please see: +## https://fedoraproject.org/wiki/How_to_update_yumrepoinfo.conf_in_Taskotron [DEFAULT] # URLs to yum repos @@ -22,8 +25,9 @@ parent = # koji tag defaults to section name tag = %(__name__)s -# true for "top" repos corresponding to currently supported Fedora releases -supported = no +# release_status can be one of: obsolete, stable, branched or rawhide +# for non-top-parent repos this is an empty string +release_status = # Rawhide [rawhide] diff --git a/roles/taskotron/taskotron-client/tasks/main.yml b/roles/taskotron/taskotron-client/tasks/main.yml index 353e6b81d2..2733bda5d5 100644 --- a/roles/taskotron/taskotron-client/tasks/main.yml +++ b/roles/taskotron/taskotron-client/tasks/main.yml 
@@ -14,12 +14,13 @@ - name: generate taskotron.yaml config file template: src=taskotron.yaml.j2 dest=/etc/taskotron/taskotron.yaml owner=root group=root mode=0644 -- name: upload yumrepoinfo.conf - copy: src=yumrepoinfo.conf dest=/etc/taskotron/yumrepoinfo.conf owner=root group=root mode=0644 +# getting rid of this because it leads to out-of-date config setups +# should be deleted soon +#- name: upload yumrepoinfo.conf +# copy: src=yumrepoinfo.conf dest=/etc/taskotron/yumrepoinfo.conf owner=root group=root mode=0644 -# disabled for now since we're uploading the config file -#- name: set baseurl of yumrepoinfo.conf -# replace: dest=/etc/taskotron/yumrepoinfo.conf regexp='baseurl = http://download\.fedoraproject\.org/.*' replace='baseurl = http://infrastructure.fedoraproject.org/pub/fedora/linux' +- name: set baseurl of yumrepoinfo.conf + replace: dest=/etc/taskotron/yumrepoinfo.conf regexp='baseurl = http://download\.fedoraproject\.org/.*' replace='baseurl = http://infrastructure.fedoraproject.org/pub/fedora/linux' # disabled for now until interaction with hosts role is figured out #- name: update /etc/hosts so that koji downloads work diff --git a/vars/global.yml b/vars/global.yml index 556b7eea39..f0313e6da7 100644 --- a/vars/global.yml +++ b/vars/global.yml @@ -18,6 +18,8 @@ f17_qcow_id: ami-00000001 f19_qcow_id: ami-00000020 # Fedora-20 f20_qcow_id: ami-00000042 +# Fedora-21 +f21_qcow_id: ami-0000005a # RHEL7beta el7b_qcow_id: ami-0000003f # RHEL7
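Review bot: The re-enabled `replace` task edits /etc/taskotron/yumrepoinfo.conf, but the same hunk comments out the only visible task that put that file in place. The play now depends on the file arriving some other way, presumably from the package, and if its baseurl line ever stops matching `http://download\.fedoraproject\.org/.*` the task silently changes nothing. The replacement value is plain `http://`, so integrity of what the clients fetch rests on package signature checking rather than on transport. If the infrastructure mirror serves TLS, `replace='baseurl = https://infrastructure.fedoraproject.org/pub/fedora/linux'` would be the safer value. The commented-out upload task is better deleted than kept as dead YAML, as its own comment already anticipates.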