Merge branch 'master' of /git/ansible

inventory/host_vars/lists-dev.cloud.fedoraproject.org

@@ -1,6 +1,6 @@
 ---
 instance_type: m1.large
-image: "{{ f19_qcow_id }}"
+image: "{{ f20_qcow_id }}"
 keypair: fedora-admin-20130801
 security_group: smtpserver
 zone: nova

playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml

@@ -110,10 +110,10 @@
   - service: name=ntpd state=started enabled=yes
 
   # http://docs.openstack.org/icehouse/install-guide/install/yum/content/basics-packages.html
+  - action: yum state=present name=https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm
   - name: install basic openstack packages
     action: yum state=present name={{ item }}
     with_items:
-    - https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm
     - http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
     - openstack-utils
     - openstack-selinux
@@ -125,9 +125,11 @@
 
   - name: add ssl cert
     copy: src={{ private }}/files/openstack/fed-cloud09.pem dest=/etc/pki/tls/certs/fed-cloud09.pem mode=600 owner=rabbitmq group=root
-
   - name: add ssl key
     copy: src={{ private }}/files/openstack/fed-cloud09.key dest=/etc/pki/tls/private/fed-cloud09.key mode=600 owner=rabbitmq group=root
+  - name: add cert to ca-bundle.crt so plain curl works
+    copy: src={{ private }}/files/openstack/fed-cloud09.pem dest=/etc/pki/ca-trust/source/anchors/ mode=600 owner=root group=root
+  - command: /usr/bin/update-ca-trust
 
   # http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-database-controller.html
   - name: install mysql packages

playbooks/hosts/lists-dev.cloud.fedoraproject.org.yml

@@ -21,6 +21,8 @@
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
   vars:
   - mailman_vardir: /srv/persist/mailman
+  - tcp_ports: [22, 25, 80, 443]
+  - udp_ports: []
 
   roles:
   - sudo
@@ -50,24 +52,24 @@
     get_url: url=https://repos.fedorapeople.org/repos/abompard/hyperkitty/hyperkitty.repo
              dest=/etc/yum.repos.d/hyperkitty.repo mode=0444
 
-  # open up ports (22, 80, 443, 25)
-  - name: poke holes in the firewall
-    command: lokkit {{ item }}
-    with_items:
-    - --service=ssh
-    - --service=https
-    - --service=http
-    - --service=smtp
-
   # Database
+  - name: install postgresql server packages
+    yum: name={{ item }}  state=present
+    with_items:
+    - postgresql-server
+    - postgresql-contrib
+    - python-psycopg2
+
   - name: initialize postgresql
     command: /usr/bin/postgresql-setup initdb
              creates=/var/lib/pgsql/data/postgresql.conf
+
   - name: copy pg_hba.conf
     copy: src="{{ files }}/lists-dev/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf
           owner=postgres group=postgres
     notify:
     - restart postgresql
+
   - name: start postgresql
     service: state=started name=postgresql
 

playbooks/include/proxies-redirects.yml

@@ -40,7 +40,7 @@
   - role: httpd/redirect
     name: people-fp-o
     website: people.fedoraproject.org
-    target: https://fedorapeople.org
+    target: https://fedorapeople.org/
 
   - role: httpd/redirect
     name: fas

roles/httpd/website/templates/website.conf

@@ -14,7 +14,6 @@
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
-  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
 {% else %}
   Include "conf.d/{{ name }}/*.conf"
 {% endif %}
@@ -46,6 +45,9 @@
   SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
   SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
 
+{% if sslonly %}
+  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+{% endif %}
   Include "conf.d/{{ name }}/*.conf"
 </VirtualHost>
 {% endif %}

roles/notifs/backend/templates/fmn.consumer.py

@@ -52,11 +52,12 @@ config = {
 
     # Just drop these topics without considering any preferences.  They are noise that just clog us up.
     "fmn.junk_suffixes": [
-        '.buildsys.package.list.state.change',
+        '.buildsys.package.list.change',
         '.buildsys.tag',
         '.buildsys.untag',
         '.buildsys.repo.init',
         '.buildsys.repo.done',
+        '.buildsys.rpm.sign',
     ],
 
     # This sets up four threads to handle incoming messages.  At the time of

roles/taskotron/taskotron-client/files/yumrepoinfo.conf

@@ -2,6 +2,9 @@
 ## Fedora infrastructure.
 ## This file is in a ConfigParser syntax, very similar to INI syntax known from
 ## Windows.
+## There is a guide describing how to update this file after important Fedora
+## release events, please see:
+## https://fedoraproject.org/wiki/How_to_update_yumrepoinfo.conf_in_Taskotron
 
 [DEFAULT]
 # URLs to yum repos
@@ -22,8 +25,9 @@ parent =
 # koji tag defaults to section name
 tag = %(__name__)s
 
-# true for "top" repos corresponding to currently supported Fedora releases
+# release_status can be one of: obsolete, stable, branched or rawhide
-supported = no
+# for non-top-parent repos this is an empty string
+release_status =
 
 # Rawhide
 [rawhide]

roles/taskotron/taskotron-client/tasks/main.yml

@@ -14,12 +14,13 @@
 - name: generate taskotron.yaml config file
   template: src=taskotron.yaml.j2 dest=/etc/taskotron/taskotron.yaml owner=root group=root mode=0644
 
-- name: upload yumrepoinfo.conf
+# getting rid of this because it leads to out-of-date config setups
-  copy: src=yumrepoinfo.conf dest=/etc/taskotron/yumrepoinfo.conf owner=root group=root mode=0644
+# should be deleted soon
+#- name: upload yumrepoinfo.conf
+#  copy: src=yumrepoinfo.conf dest=/etc/taskotron/yumrepoinfo.conf owner=root group=root mode=0644
 
-# disabled for now since we're uploading the config file
+- name: set baseurl of yumrepoinfo.conf
-#- name: set baseurl of yumrepoinfo.conf
+  replace: dest=/etc/taskotron/yumrepoinfo.conf regexp='baseurl = http://download\.fedoraproject\.org/.*' replace='baseurl = http://infrastructure.fedoraproject.org/pub/fedora/linux'
-#  replace: dest=/etc/taskotron/yumrepoinfo.conf regexp='baseurl = http://download\.fedoraproject\.org/.*' replace='baseurl = http://infrastructure.fedoraproject.org/pub/fedora/linux'
 
 # disabled for now until interaction with hosts role is figured out
 #- name: update /etc/hosts so that koji downloads work

vars/global.yml

@@ -18,6 +18,8 @@ f17_qcow_id: ami-00000001
 f19_qcow_id: ami-00000020
 # Fedora-20
 f20_qcow_id: ami-00000042
+# Fedora-21
+f21_qcow_id: ami-0000005a
 # RHEL7beta
 el7b_qcow_id: ami-0000003f
 # RHEL7