Reorg copr-be playbook a bit. Use fedmsg/base for all fedmsg. Use iptables template for iptables instead of lokkit.

inventory/host_vars/copr-be.cloud.fedoraproject.org

@@ -0,0 +1,15 @@
+---
+
+tcp_ports: [ 22, 80, 443,
+# These 8 ports are used by fedmsg.  One for each wsgi thread.
+         3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007]
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: root
+- service: copr
+  owner: root
+  group: copr
+

playbooks/hosts/copr-be.cloud.fedoraproject.org.yml

@@ -187,30 +187,6 @@
     tags:
     - config
 
-  - name: fedmsg certs
-    copy: >
-      src="{{ private }}/files/fedmsg-certs/keys/copr-copr-be.cloud.fedoraproject.org.crt"
-      dest=/etc/pki/fedmsg/
-      mode=644
-      owner=root
-      group=copr
-
-  - name: fedmsg keys
-    copy: >
-      src="{{ private }}/files/fedmsg-certs/keys/copr-copr-be.cloud.fedoraproject.org.key"
-      dest=/etc/pki/fedmsg/
-      mode=0640
-      owner=root
-      group=copr
-
-  # open up ports (22, 80, 443)
-  - name: poke holes in the firewall
-    action: command lokkit {{ item }}
-    with_items:
-    - --service=ssh
-    - --service=https
-    - --service=http
-
   - name: copy delete-forgotten-instances.pl
     action: copy src="{{ files }}/copr/delete-forgotten-instances.pl" dest=/home/copr/delete-forgotten-instances.pl mode=755