From 5cd3dea67319c7ad58a9403dc58bce45ae4b452d Mon Sep 17 00:00:00 2001
From: Stephen Smoogen
Date: Sun, 14 Jun 2020 09:51:42 -0400
Subject: [PATCH] change a few known hosts from phx2 to iad2 variables.
---
 inventory/group_vars/all | 13 +++++++------
 inventory/group_vars/bastion | 11 +++++++----
 inventory/group_vars/bastion_stg | 19 ++++++++++++-------
 inventory/group_vars/iad2 | 4 +---
 inventory/group_vars/kernel_qa | 2 +-
 inventory/group_vars/osbs_aarch64_masters | 2 +-
 6 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index fd55ca2aa6..de7bd7ece3 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -16,7 +16,7 @@ openshift_ansible: /srv/web/infra/openshift-ansible/
 #######
 freezes: true
-# most of our systems are in phx2
+# most of our systems are in IAD2
 datacenter: iad2
 preferred_dc: iad2
 postfix_group: "none"
@@ -63,15 +63,16 @@ lvm_size: 20000
 # and DNS1/DNS2 lines are put into ifcfg-(device).
 ansible_ifcfg_infra_net_devices: [ 'eth0', 'enc900' ]
-# Default netmask. Almost all our phx2 nets are /24's with the
-# exception of 10.5.124.128/25. Almost all of our non phx2 sites are
-# less than a /24.
+# Default netmask. All of our iad2 nets are /24's. Almost all of our
+# non-iad2 sites are less than a /24.
 eth0_nm: 255.255.255.0
 eth1_nm: 255.255.255.0
-eth1_ip: 10.10.10.10
+eth1_ip: 10.0.0.10
 br0_nm: 255.255.255.0
 br1_nm: 255.255.255.0
-# Default to managing the network, we want to not do this on select hosts (like cloud nodes)
+
+# Default to managing the network, we want to not do this on select
+# hosts (like cloud nodes)
 ansible_ifcfg_blocklist: false
 # List of interfaces to explicitly disable
 ansible_ifcfg_disabled: []
diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 8025886cfd..3ea68173bd 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
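Review bot: The global default `eth1_ip` changes from 10.10.10.10 to 10.0.0.10 in the second hunk of group_vars/all, and neither the rewritten comment above it nor the commit subject ("change a few known hosts from phx2 to iad2") mentions that a default address moved. Whether any host actually receives the new address depends on host-level overrides and on eth1 being in `ansible_ifcfg_infra_net_devices` (it is not in the default list shown here), which cannot be confirmed from this diff; it is worth checking which hosts still inherit the default before this lands. A one-line comment would make the intent reviewable, e.g. `# placeholder eth1 address; hosts with a real eth1 override eth1_ip in host_vars` if that is what the value is for.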
@@ -7,12 +7,12 @@ num_cpus: 4
 #
 # allow incoming openvpn and smtp
 #
-tcp_ports: [ 25, 1194 ]
+tcp_ports: [ 22, 25, 1194 ]
 udp_ports: [ 1194 ]
 #
 # drop incoming traffic from less trusted vpn hosts
-# allow ntp from internal phx2 10 nets
+# allow ntp from internal RH 10 nets
 #
 custom_rules: [
 '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
@@ -50,11 +50,14 @@ csi_security_category: High
 csi_primary_contact: sysadmin-main admin@fedoraproject.org
 csi_purpose: SSH proxy to access infrastructure not exposed to the web
 csi_relationship: |
- - Provides ssh access to all phx2/vpn connected servers.
+ - Provides ssh access to all iad2/vpn connected servers.
 - Bastion is the hub for all infrastructure's VPN connections.
- - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here.
+ - All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
+ pass or are filtered here.
 - Bastion does not accept any mail outside phx2/vpn.
 nagios_Check_Services:
 nrpe: true
 mail: false
+
+# needed for rhel8
diff --git a/inventory/group_vars/bastion_stg b/inventory/group_vars/bastion_stg
index 30f6cca906..63a24ac14c 100644
--- a/inventory/group_vars/bastion_stg
+++ b/inventory/group_vars/bastion_stg
@@ -1,14 +1,18 @@
 ---
 # Define resources for this group of hosts here.
 lvm_size: 20000
-mem_size: 3192
-num_cpus: 2
+mem_size: 8192
+num_cpus: 4
-tcp_ports: [ 22 ]
+#
+# allow incoming openvpn and smtp
+#
+tcp_ports: [ 22, 25, 1194 ]
+udp_ports: [ 1194 ]
 #
 # drop incoming traffic from less trusted vpn hosts
-# allow ntp from internal phx2 10 nets
+# allow ntp from internal RH 10 nets
 #
 custom_rules: [
 '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
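Review bot: The comment block above `tcp_ports` still reads `# allow incoming openvpn and smtp` although the list now opens TCP 22 as well, so the firewall intent no longer matches the rule; change it to `# allow incoming ssh, openvpn and smtp`. The new `# allow ntp from internal RH 10 nets` is vaguer than the phx2 wording it replaces — if the accepting rules further down in `custom_rules` name specific 10/8 prefixes, listing them in the comment would make the allow reviewable without reading iptables syntax. The `custom_rules` list continues past the end of this hunk.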
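Review bot: In the csi_relationship block the context line `- Bastion does not accept any mail outside phx2/vpn.` is left untouched while the two items above it are rewritten to iad2, so the documented mail policy now names both datacenters; it should read `- Bastion does not accept any mail outside iad2/vpn.` The trailing `+# needed for rhel8` is appended at the end of the file with no key following it, so either the variable it was meant to introduce was dropped from the commit or the comment is an orphan; complete it or remove it, because the next reader cannot tell what is "needed".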
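Review bot: The staging bastion now opens inbound TCP 25 and TCP/UDP 1194, copying production's `# allow incoming openvpn and smtp` block, while the same file says `# Disable mail stuff in stg` / `fas_aliases: false` a few lines below (visible in the next hunk). If no MTA or OpenVPN server is actually configured on bastion_stg these allows are exposure without a listener behind them and should be held back until the service is deployed; if staging does now terminate VPN and relay SMTP, say so in the comment, e.g. `# bastion_stg terminates the staging VPN and relays SMTP like prod`. The mem_size/num_cpus bump is also unrelated to the phx2→iad2 subject and deserves a line in the commit message.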
@@ -19,7 +23,7 @@ custom_rules: [
 # TODO - remove modularity-wg membership here once it is not longer needed:
 # https://fedorahosted.org/fedora-infrastructure/ticket/5363
-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-gnome,sysadmin-copr,sysadmin-coreos,sysadmin-dbgserver,sysadmin-osbs,sysadmin-odcs
+fas_client_groups: sysadmin-analysis,sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-gnome,sysadmin-copr,sysadmin-coreos,sysadmin-dbgserver,sysadmin-osbs,sysadmin-odcs
 # Disable mail stuff in stg
 fas_aliases: false
@@ -38,9 +42,10 @@ csi_security_category: High
 csi_primary_contact: sysadmin-main admin@fedoraproject.org
 csi_purpose: SSH proxy to access STAGING infrastructure not exposed to the web
 csi_relationship: |
- - Provides ssh access to all phx2/vpn connected servers.
+ - Provides ssh access to all iad2/vpn connected servers.
 - Bastion is the hub for all infrastructure's VPN connections.
- - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here.
+ - All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
+ pass or are filtered here.
 - Bastion does not accept any mail outside phx2/vpn.
 nagios_Check_Services:
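Review bot: `sysadmin-analysis` is added to `fas_client_groups` on the staging bastion, which grants a new FAS group SSH login to the host that fronts staging infrastructure — an access-control change the commit subject (phx2→iad2 renames) does not mention and that is easy to miss inside a 30-entry single-line string. It should be a separate commit, or at least be called out in the message with the ticket that approved the grant. As a style point, if the consuming role accepts a list, writing `fas_client_groups` as a YAML block list with one group per line would make future membership changes show up as single-line diffs instead of a rewrite of the whole string.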
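Review bot: As in the production bastion file, the context line `- Bastion does not accept any mail outside phx2/vpn.` is left as-is while the items above it are rewritten to iad2, so the staging csi_relationship block now mixes both datacenter names. Change it to `- Bastion does not accept any mail outside iad2/vpn.`, or drop the sentence entirely if staging mail really is disabled as `fas_aliases: false` in the previous hunk suggests.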
diff --git a/inventory/group_vars/iad2 b/inventory/group_vars/iad2
index cafb917823..9b775b5571 100644
--- a/inventory/group_vars/iad2
+++ b/inventory/group_vars/iad2
@@ -4,13 +4,11 @@ dns1: "10.3.163.33"
 dns2: "10.3.163.34"
 datacenter: iad2
-#preferred_dc: iad2
+preferred_dc: iad2
 ipa_server: ipa01.iad2.fedoraproject.org
-# for now, lets not monitor any of them from phx2.
-
 nagios_Can_Connect: true
 certbot_datacenter: iad2
diff --git a/inventory/group_vars/kernel_qa b/inventory/group_vars/kernel_qa
index dcdac6276b..658df364c3 100644
--- a/inventory/group_vars/kernel_qa
+++ b/inventory/group_vars/kernel_qa
@@ -1,6 +1,6 @@
 ---
 freezes: false
-resolvconf: "{{ files }}/resolv.conf/phx2"
+resolvconf: "{{ files }}/resolv.conf/iad2"
 fas_client_groups: sysadmin-kernel
 sudoers: "{{ private }}/files/sudo/kernel-qa"
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.122.0/24 --dport 2049 -j ACCEPT' ]
diff --git a/inventory/group_vars/osbs_aarch64_masters b/inventory/group_vars/osbs_aarch64_masters
index 4c8bbf86e0..1af8753c4c 100644
--- a/inventory/group_vars/osbs_aarch64_masters
+++ b/inventory/group_vars/osbs_aarch64_masters
@@ -49,7 +49,7 @@ osbs_conf_readwrite_users:
 - "system:serviceaccount:{{ osbs_namespace }}:builder"
 #Docker command delegated host
-composer: composer.phx2.fedoraproject.org
+composer: composer.iad2.fedoraproject.org
 # Nagios configuration
 nagios_Check_Services:
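Review bot: Uncommenting `preferred_dc: iad2` in group_vars/iad2 duplicates the value group_vars/all already carries earlier in this same patch, and since group vars take precedence over `all` in Ansible, a future change to the default in `all` would silently stop applying to iad2 hosts. Either keep the key only in `all`, or add a comment saying the pin is deliberate, e.g. `# pinned: iad2 hosts must prefer the local DC even if the all-group default moves`. The removed "lets not monitor" comment was already contradicted by `nagios_Can_Connect: true`, so dropping it is an improvement rather than a loss.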