From 2ac8a57d0562139f7e624ffd7b4f65996bf798ae Mon Sep 17 00:00:00 2001
From: Till Maas
Date: Thu, 12 Feb 2015 21:52:36 +0100
Subject: [PATCH 01/14] Set HSTS header in TLS vhost
---
 roles/httpd/website/templates/website.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index abdc8dc2fe..e07264ff54 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -14,7 +14,6 @@
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
- Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
 {% else %}
 Include "conf.d/{{ name }}/*.conf"
 {% endif %}
@@ -46,6 +45,9 @@
 SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+{% if sslonly %}
+ Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+{% endif %}
 Include "conf.d/{{ name }}/*.conf"
 {% endif %}
From 18c077212881bb3ca4955eacc3c62f8dee016ee4 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 13 Feb 2015 03:17:41 +0000
Subject: [PATCH 02/14] Typofix.
---
 roles/notifs/backend/templates/fmn.consumer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/notifs/backend/templates/fmn.consumer.py b/roles/notifs/backend/templates/fmn.consumer.py
index 6576b5c039..7050cfd3c8 100644
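Review bot: `Header always add Strict-Transport-Security ...` in the second hunk appends rather than replaces, so if any file pulled in by the `Include "conf.d/{{ name }}/*.conf"` line just below it also emits the header, the response carries two Strict-Transport-Security headers and user agents process only the first one they see; `Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"` avoids the duplicate. The `preload` token combined with `includeSubDomains` is a commitment that every subdomain of this name serves TLS, which the `sslonly` flag on its own does not establish, so it should only be emitted for vhosts where that is known to hold. Moving the header out of the port-80 vhost in the first hunk is correct, since clients are required to ignore STS received over plain HTTP.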
--- a/roles/notifs/backend/templates/fmn.consumer.py
+++ b/roles/notifs/backend/templates/fmn.consumer.py
@@ -52,7 +52,7 @@ config = {
 # Just drop these topics without considering any preferences. They are noise that just clog us up.
 "fmn.junk_suffixes": [
- '.buildsys.package.list.state.change',
+ '.buildsys.package.list.change',
 '.buildsys.tag',
 '.buildsys.untag',
 '.buildsys.repo.init',
From 9576a42b27ed1c9510321ba3ee769803e15ad212 Mon Sep 17 00:00:00 2001
From: Tim Flink
Date: Fri, 13 Feb 2015 08:39:36 +0000
Subject: [PATCH 03/14] fixing the yumrepoinfo conf on taskotron clients, hopefully correct this time
---
 roles/taskotron/taskotron-client/files/yumrepoinfo.conf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/roles/taskotron/taskotron-client/files/yumrepoinfo.conf b/roles/taskotron/taskotron-client/files/yumrepoinfo.conf
index a7febbe9b5..998dbe48ff 100644
--- a/roles/taskotron/taskotron-client/files/yumrepoinfo.conf
+++ b/roles/taskotron/taskotron-client/files/yumrepoinfo.conf
@@ -2,6 +2,9 @@
 ## Fedora infrastructure.
 ## This file is in a ConfigParser syntax, very similar to INI syntax known from
 ## Windows.
+## There is a guide describing how to update this file after important Fedora
+## release events, please see:
+## https://fedoraproject.org/wiki/How_to_update_yumrepoinfo.conf_in_Taskotron
 [DEFAULT]
 # URLs to yum repos
@@ -22,8 +25,9 @@ parent =
 # koji tag defaults to section name
 tag = %(__name__)s
-# true for "top" repos corresponding to currently supported Fedora releases
-supported = no
+# release_status can be one of: obsolete, stable, branched or rawhide
+# for non-top-parent repos this is an empty string
+release_status =
 # Rawhide
 [rawhide]
From da563b144960c9254d3b611f779354eb10a1dcf0 Mon Sep 17 00:00:00 2001
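Review bot: The second hunk of the yumrepoinfo.conf change drops `supported = no` from `[DEFAULT]` and replaces it with an empty `release_status =`, but nothing in this commit sets `release_status` in any repo section (the diffstat shows only these two hunks), so every section inherits the empty string and reads as a non-top-parent repo until the per-release sections are updated, and any consumer still keyed on `supported` silently falls back to its default. The new comment documents the allowed values but not who is responsible for setting them; a line such as `# top-parent repo sections must set this explicitly` next to `release_status =` would make that contract visible in the file itself.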
From: Tim Flink
Date: Fri, 13 Feb 2015 09:07:53 +0000
Subject: [PATCH 04/14] changing back to sane way of dealing with taskotron client yumrepo config
---
 roles/taskotron/taskotron-client/tasks/main.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/roles/taskotron/taskotron-client/tasks/main.yml b/roles/taskotron/taskotron-client/tasks/main.yml
index 353e6b81d2..2733bda5d5 100644
--- a/roles/taskotron/taskotron-client/tasks/main.yml
+++ b/roles/taskotron/taskotron-client/tasks/main.yml
@@ -14,12 +14,13 @@
 - name: generate taskotron.yaml config file
 template: src=taskotron.yaml.j2 dest=/etc/taskotron/taskotron.yaml owner=root group=root mode=0644
-- name: upload yumrepoinfo.conf
- copy: src=yumrepoinfo.conf dest=/etc/taskotron/yumrepoinfo.conf owner=root group=root mode=0644
+# getting rid of this because it leads to out-of-date config setups
+# should be deleted soon
+#- name: upload yumrepoinfo.conf
+# copy: src=yumrepoinfo.conf dest=/etc/taskotron/yumrepoinfo.conf owner=root group=root mode=0644
-# disabled for now since we're uploading the config file
-#- name: set baseurl of yumrepoinfo.conf
-# replace: dest=/etc/taskotron/yumrepoinfo.conf regexp='baseurl = http://download\.fedoraproject\.org/.*' replace='baseurl = http://infrastructure.fedoraproject.org/pub/fedora/linux'
+- name: set baseurl of yumrepoinfo.conf
+ replace: dest=/etc/taskotron/yumrepoinfo.conf regexp='baseurl = http://download\.fedoraproject\.org/.*' replace='baseurl = http://infrastructure.fedoraproject.org/pub/fedora/linux'
 # disabled for now until interaction with hosts role is figured out
 #- name: update /etc/hosts so that koji downloads work
From 32c63ef596d7eb20c31129cd0099be2bbc7630c1 Mon Sep 17 00:00:00 2001
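Review bot: The re-enabled `replace:` task edits `/etc/taskotron/yumrepoinfo.conf`, a file this role no longer puts in place, so it now depends on something installed earlier (not visible in this hunk) having created it; if the file is absent the `replace` module fails the play rather than skipping. A `stat` registered before the task with a `when:` on the result, or at least a comment above it naming which package is expected to ship the file, would make that dependency explicit. The rewrite also points clients at a plain `http://` baseurl, so package integrity on those hosts rests on yum's GPG verification staying enabled for the affected repos, which this commit does not show. The commented-out upload task marked "should be deleted soon" can simply be deleted; the history is in git.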
From: =?UTF-8?q?Miroslav=20Such=C3=BD?=
Date: Fri, 13 Feb 2015 13:32:38 +0000
Subject: [PATCH 05/14] add self-signed cert to trusted ring
---
 playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
index eafe85e2bd..6ae9399a26 100644
--- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
@@ -125,9 +125,11 @@
 - name: add ssl cert
 copy: src={{ private }}/files/openstack/fed-cloud09.pem dest=/etc/pki/tls/certs/fed-cloud09.pem mode=600 owner=rabbitmq group=root
-
 - name: add ssl key
 copy: src={{ private }}/files/openstack/fed-cloud09.key dest=/etc/pki/tls/private/fed-cloud09.key mode=600 owner=rabbitmq group=root
+ - name: add cert to ca-bundle.crt so plain curl works
+ copy: src={{ private }}/files/openstack/fed-cloud09.pem dest=/etc/pki/ca-trust/source/anchors/ mode=600 owner=root group=root
+ - command: /usr/bin/update-ca-trust
 # http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-database-controller.html
 - name: install mysql packages
From 2e0842b8728440917f72b928b33781546fd1694b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20Such=C3=BD?=
Date: Fri, 13 Feb 2015 13:43:50 +0000
Subject: [PATCH 06/14] separate repo install otherwise it will fail to install it in one step
---
 playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
index 6ae9399a26..6d24bfe685 100644
--- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
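Review bot: `- command: /usr/bin/update-ca-trust` runs on every play and always reports changed, because the `copy` before it is not registered and nothing conditions the command on it; making it a handler notified by the copy, or adding `register: anchor` to the copy and `when: anchor.changed` to the command, keeps the play idempotent. Dropping `fed-cloud09.pem` into `/etc/pki/ca-trust/source/anchors/` makes every TLS client on the host that uses the system bundle trust that key, not just the rabbitmq-side uses the earlier tasks set up; if the self-signed certificate carries CA:TRUE basic constraints (not visible here) the key could then vouch for arbitrary names, so it is worth confirming it is a plain end-entity certificate before anchoring it. The command task also has no `name:`, unlike its neighbours, e.g. `- name: rebuild the system CA bundle`.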
@@ -110,10 +110,10 @@
 - service: name=ntpd state=started enabled=yes
 # http://docs.openstack.org/icehouse/install-guide/install/yum/content/basics-packages.html
+ - action: yum state=present name=https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm
 - name: install basic openstack packages
 action: yum state=present name={{ item }}
 with_items:
- - https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm
 - http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
 - openstack-utils
 - openstack-selinux
From 3d2132c2d61cdaf81c2ff84dda113af929b0ac99 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 13 Feb 2015 14:02:03 +0000
Subject: [PATCH 07/14] Try pointing lists-dev at f21.
---
 inventory/host_vars/lists-dev.cloud.fedoraproject.org | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventory/host_vars/lists-dev.cloud.fedoraproject.org b/inventory/host_vars/lists-dev.cloud.fedoraproject.org
index bea082d83a..cd0b2fd9fa 100644
--- a/inventory/host_vars/lists-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/lists-dev.cloud.fedoraproject.org
@@ -1,6 +1,6 @@
 ---
 instance_type: m1.large
-image: "{{ f19_qcow_id }}"
+image: "{{ f21_qcow_id }}"
 keypair: fedora-admin-20130801
 security_group: smtpserver
 zone: nova
From fd0501610d4023a414d3f41f837962abad4c5069 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 13 Feb 2015 14:03:30 +0000
Subject: [PATCH 08/14] No AMI id defined for f21 yet.
---
 inventory/host_vars/lists-dev.cloud.fedoraproject.org | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventory/host_vars/lists-dev.cloud.fedoraproject.org b/inventory/host_vars/lists-dev.cloud.fedoraproject.org
index cd0b2fd9fa..ffbce05bf5 100644
--- a/inventory/host_vars/lists-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/lists-dev.cloud.fedoraproject.org
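Review bot: The new `- action: yum state=present name=https://repos.fedorapeople.org/.../rdo-release-icehouse-4.noarch.rpm` task has no `name:`, unlike the `install basic openstack packages` task right below it; `- name: install the rdo release package` would keep the play output readable and makes the ordering reason from the commit message visible. Installing release RPMs straight from a URL (here over https, and `epel-release` over plain http in the remaining loop) means the package signature is only checked if yum is configured to verify packages that are not from a repository (`localpkg_gpgcheck`), which this hunk does not show; worth confirming on the host rather than assuming.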
@@ -1,6 +1,6 @@
 ---
 instance_type: m1.large
-image: "{{ f21_qcow_id }}"
+image: "{{ f20_qcow_id }}"
 keypair: fedora-admin-20130801
 security_group: smtpserver
 zone: nova
From 2fdda6ad96ca52f4281ce849dca385e41144c19a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Fri, 13 Feb 2015 15:24:40 +0000
Subject: [PATCH 09/14] Don't use lokkit to open ports in the firewall
---
 playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 11 ++--------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
index 60565ed35e..0404984fe9 100644
--- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
@@ -21,6 +21,8 @@
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 vars:
 - mailman_vardir: /srv/persist/mailman
+ - tcp_ports: [22, 25, 80, 443]
+ - udp_ports: []
 roles:
 - sudo
@@ -50,15 +52,6 @@
 get_url: url=https://repos.fedorapeople.org/repos/abompard/hyperkitty/hyperkitty.repo
 dest=/etc/yum.repos.d/hyperkitty.repo mode=0444
- # open up ports (22, 80, 443, 25)
- - name: poke holes in the firewall
- command: lokkit {{ item }}
- with_items:
- - --service=ssh
- - --service=https
- - --service=http
- - --service=smtp
-
 # Database
 - name: initialize postgresql
 command: /usr/bin/postgresql-setup initdb
From db0e4830a91634d88d9e785a95ec94ae25420f5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Fri, 13 Feb 2015 15:26:34 +0000
Subject: [PATCH 10/14] oops, typo
---
 playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
index 0404984fe9..a75a0ce063 100644
--- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
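Review bot: In the lists-dev playbook the `lokkit` tasks removed in the second hunk are replaced only by the `tcp_ports: [22, 25, 80, 443]` and `udp_ports: []` vars added in the first, and the only role visible under `roles:` is `sudo` with the rest of the list outside the hunk, so whether a firewall role actually consumes these vars cannot be confirmed from here; if none does, the host is left with whatever ruleset the image ships and the listed ports may no longer be opened (or, equally, nothing is closed). A comment above the vars naming the role that reads them, e.g. `# consumed by the firewall role; replaces the former lokkit calls`, would tie the two halves of this change together for the next reader.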
@@ -21,8 +21,8 @@
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 vars:
 - mailman_vardir: /srv/persist/mailman
- - tcp_ports: [22, 25, 80, 443]
- - udp_ports: []
+ - tcp_ports: [22, 25, 80, 443]
+ - udp_ports: []
 roles:
 - sudo
From 1ad2739c53f379851dea4fecfb9316a5f0bee29c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Fri, 13 Feb 2015 15:32:34 +0000
Subject: [PATCH 11/14] lists-dev: install postgresql
---
 playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
index a75a0ce063..5af08d0c22 100644
--- a/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml
@@ -53,14 +53,23 @@
 dest=/etc/yum.repos.d/hyperkitty.repo mode=0444
 # Database
+ - name: install postgresql server packages
+ yum: name={{ item }} state=present
+ with_items:
+ - postgresql-server
+ - postgresql-contrib
+ - python-psycopg2
+
 - name: initialize postgresql
 command: /usr/bin/postgresql-setup initdb
 creates=/var/lib/pgsql/data/postgresql.conf
+
 - name: copy pg_hba.conf
 copy: src="{{ files }}/lists-dev/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres
 notify:
 - restart postgresql
+
 - name: start postgresql
 service: state=started name=postgresql
From 6dfc46e939e02f8eab0341909d7d387e4f1c0257 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 13 Feb 2015 16:49:59 +0000
Subject: [PATCH 12/14] See if this helps the people.fedoraproject.org redirect
---
 playbooks/include/proxies-redirects.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml
index 278e55ee19..000dc6e1c0 100644
--- a/playbooks/include/proxies-redirects.yml
+++ b/playbooks/include/proxies-redirects.yml
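Review bot: The new `install postgresql server packages` task in the lists-dev playbook is what makes the surrounding postgresql tasks actually run, and two of those (context here, not touched by the commit) are worth fixing in the same change: `copy: src="{{ files }}/lists-dev/pg_hba.conf" ... owner=postgres group=postgres` sets owner but no `mode=`, so the deployed pg_hba.conf, the file that decides who may authenticate to the database and how, takes whatever mode the source has in the checkout; add `mode=0600`. `service: state=started name=postgresql` lacks `enabled=yes`, so the server does not come back after a reboot. Neither is introduced by this hunk, but the commit is the one wiring postgresql up on this host.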
@@ -40,7 +40,7 @@
 - role: httpd/redirect
 name: people-fp-o
 website: people.fedoraproject.org
- target: https://fedorapeople.org
+ target: https://fedorapeople.org/
 - role: httpd/redirect
 name: fas
From ee5a37211de11aeee9e0f03f35800263eeb3c3d2 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 13 Feb 2015 17:07:24 +0000
Subject: [PATCH 13/14] (fmn) Another spammy message type to ignore. :zap:
---
 roles/notifs/backend/templates/fmn.consumer.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/notifs/backend/templates/fmn.consumer.py b/roles/notifs/backend/templates/fmn.consumer.py
index 7050cfd3c8..ca9fde2673 100644
--- a/roles/notifs/backend/templates/fmn.consumer.py
+++ b/roles/notifs/backend/templates/fmn.consumer.py
@@ -57,6 +57,7 @@ config = {
 '.buildsys.untag',
 '.buildsys.repo.init',
 '.buildsys.repo.done',
+ '.buildsys.rpm.sign',
 ],
 # This sets up four threads to handle incoming messages. At the time of
From 552c8dc2df9516e119b7ce39ba9a2cb762711dcd Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 13 Feb 2015 18:39:01 +0000
Subject: [PATCH 14/14] Add f21 ami to vars
---
 vars/global.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/vars/global.yml b/vars/global.yml
index 556b7eea39..f0313e6da7 100644
--- a/vars/global.yml
+++ b/vars/global.yml
@@ -18,6 +18,8 @@ f17_qcow_id: ami-00000001
 f19_qcow_id: ami-00000020
 # Fedora-20
 f20_qcow_id: ami-00000042
+# Fedora-21
+f21_qcow_id: ami-0000005a
 # RHEL7beta
 el7b_qcow_id: ami-0000003f
 # RHEL7