Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of /git/ansible

Browse source
This commit is contained in:
Jan Kaluža 2018-05-29 05:25:39 +00:00
commit 4a412116a6
11 changed files with 133 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

2
inventory/group_vars/librariesio2fedmsg-stg
View file

@ -9,4 +9,4 @@ fedmsg_certs:
- service: librariesio2fedmsg - service: librariesio2fedmsg
can_send: can_send:
- librariesio2fedmsg.sse2fedmsg.librariesio - librariesio2fedmsg.sse2fedmsg.librariesio
- sse2fedmsg.librariesio - librariesio.sse2fedmsg

14
playbooks/openshift-apps/librariesio2fedmsg.yml
View file

@ -19,11 +19,25 @@
secret_name: librariesio2fedmsg-fedmsg-key secret_name: librariesio2fedmsg-fedmsg-key
key: fedmsg-librariesio2fedmsg.key key: fedmsg-librariesio2fedmsg.key
privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.key privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.key
when: env != "staging"
- role: openshift/secret-file - role: openshift/secret-file
app: librariesio2fedmsg app: librariesio2fedmsg
secret_name: librariesio2fedmsg-fedmsg-crt secret_name: librariesio2fedmsg-fedmsg-crt
key: fedmsg-librariesio2fedmsg.crt key: fedmsg-librariesio2fedmsg.crt
privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.crt privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.crt
when: env != "staging"
- role: openshift/secret-file
app: librariesio2fedmsg
secret_name: librariesio2fedmsg-fedmsg-key
key: fedmsg-librariesio2fedmsg.key
privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.stg.fedoraproject.key
when: env == "staging"
- role: openshift/secret-file
app: librariesio2fedmsg
secret_name: librariesio2fedmsg-fedmsg-crt
key: fedmsg-librariesio2fedmsg.crt
privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.stg.fedoraproject.crt
when: env == "staging"
- role: openshift/object - role: openshift/object
app: librariesio2fedmsg app: librariesio2fedmsg
file: imagestream.yml file: imagestream.yml

10
roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2
View file

@ -72,6 +72,11 @@ DocumentRoot /srv/web
Require all granted Require all granted
</Directory> </Directory>
<Directory /srv/web/infra/tmp>
Options -Indexes -FollowSymLinks
Require all granted
</Directory>
<Directory /srv/web/infra/bigfiles> <Directory /srv/web/infra/bigfiles>
Options FollowSymLinks Options FollowSymLinks
Require all granted Require all granted
@ -173,6 +178,11 @@ DocumentRoot /srv/web
Require all granted Require all granted
</Directory> </Directory>
<Directory /srv/web/infra/tmp>
Options -Indexes -FollowSymLinks
Require all granted
</Directory>
<Directory /srv/web/infra/bigfiles> <Directory /srv/web/infra/bigfiles>
Options FollowSymLinks Options FollowSymLinks
Require all granted Require all granted

20
roles/distgit/files/gitolite-suexec-wrapper.sh Normal file
View file

@ -0,0 +1,20 @@
#!/bin/bash
#
# Suexec wrapper for gitolite-shell
#
export GIT_PROJECT_ROOT="/srv/git/repositories"
export PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg
export HOME=/srv/git
export GITOLITE_HTTP_HOME=/srv/git
# Hacky workaround because we set ScriptAlias more specific
export PATH_INFO="$SCRIPT_URL"
if [ -z "$REMOTE_USER" ];
then
# Fall back to default user
export REMOTE_USER="anonymous"
fi
exec /usr/share/gitolite3/gitolite-shell

32
roles/distgit/files/httppush.conf Normal file
View file

@ -0,0 +1,32 @@
SetEnv GIT_PROJECT_ROOT /srv/git/repositories
AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1
AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/repositories/$1
<Location />
AuthType oauth20
Require all granted
</Location>
<LocationMatch ".*/git-receive-pack">
AuthType oauth20
Require claims_expr '(.scope | index("https://src.fedoraproject.org/push") != null)'
</LocationMatch>
<LocationMatch "/info/refs">
<If "%{QUERY_STRING} =~ /service=git-upload-pack/">
Require all granted
</If>
<Else>
AuthType oauth20
Require claims_expr '(.scope | index("https://src.fedoraproject.org/push") != null)'
</Else>
</LocationMatch>
SuexecUserGroup pagure packager
ScriptAliasMatch \
"(?x)^/(.*/(HEAD | \
info/refs | \
objects/info/[^/]+ | \
git-(upload|receive)-pack))$" \
/var/www/bin/gitolite-suexec-wrapper.sh/

4
roles/distgit/pagure/templates/z_pagure.conf
View file

@ -19,7 +19,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
Alias /static /usr/lib/python2.7/site-packages/pagure/static/ Alias /static /usr/lib/python2.7/site-packages/pagure/static/
Alias /grokmirror /srv/git/grokmirror Alias /grokmirror /srv/git/grokmirror
{% if env != "staging" %}
SetEnv GIT_PROJECT_ROOT /srv/git/repositories SetEnv GIT_PROJECT_ROOT /srv/git/repositories
AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1 AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/repositories/$1
@ -30,7 +30,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
objects/info/[^/]+ | \ objects/info/[^/]+ | \
git-(upload|receive)-pack))$" \ git-(upload|receive)-pack))$" \
/usr/libexec/git-core/git-http-backend/$1 /usr/libexec/git-core/git-http-backend/$1
{% endif %}
<Location /> <Location />
WSGIProcessGroup pagureproc WSGIProcessGroup pagureproc
<IfModule mod_authz_core.c> <IfModule mod_authz_core.c>

24
roles/distgit/tasks/main.yml
View file

@ -31,6 +31,30 @@
- distgit - distgit
when: env == "staging" when: env == "staging"
- name: install the http push configuration
copy: src=htpppush.conf dest=/etc/httpd/conf.d/htppush.conf
notify:
- reload httpd
tags:
- distgit
when: env == "staging"
- name: Create suexec wrapper directory
file: path=/var/www/bin state=directory owner=pagure group=packager
tags:
- distgit
when: env == "staging"
- name: Install suexec wrapper
copy:
src=gitolite-suexec-wrapper.sh
dest=/var/www/bin/gitolite-suexec-wrapper.sh
owner=pagure
group=packager
tags:
- distgit
when: env == "staging"
- name: Put in git service config - name: Put in git service config
copy: src=git@.service dest=/etc/systemd/system/git@.service copy: src=git@.service dest=/etc/systemd/system/git@.service
tags: tags:

4
roles/fas_server/templates/fas.cfg.j2
View file

@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
# Usernames that are unavailable for fas allocation # Usernames that are unavailable for fas allocation
{% if env == "staging" %} {% if env == "staging" %}
username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bexelbie,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" username_blacklist = "abuse,accounts,adm,admin,amanda,anonymous,apache,askfedora,asterisk,axk4545,bexelbie,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
{% else %} {% else %}
username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix" username_blacklist = "abuse,accounts,adm,admin,amanda,anoynous,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
{% endif %} {% endif %}
email_domain_blacklist = "{{ fas_blocked_emails }}" email_domain_blacklist = "{{ fas_blocked_emails }}"

1
roles/koschei/frontend/templates/httpd.conf.j2
View file

@ -23,6 +23,7 @@
OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret }}" OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret }}"
OIDCSSLValidateServer On OIDCSSLValidateServer On
OIDCResponseType "code" OIDCResponseType "code"
OIDCSessionType client-cookie
OIDCScope "openid profile" OIDCScope "openid profile"

1
roles/openqa/worker/tasks/createhdds.yml
View file

@ -10,6 +10,7 @@
- python3-fedfind - python3-fedfind
- qemu-kvm - qemu-kvm
- virt-install - virt-install
- withlock
tags: tags:
- packages - packages

28
roles/openshift-apps/greenwave/templates/configmap.yml
View file

File diff suppressed because one or more lines are too long