Merge branch 'master' of /git/ansible

Jan Kaluža 2017-11-30 07:43:13 +00:00
commit 6bb4ec0acf
26 changed files with 160 additions and 89 deletions


@ -1,14 +1,3 @@
[rhel7-openshift-3.4]
name = rhel7 openshift 3.4 $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.4-rpms/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel7-openshift-3.5]
name = rhel7 openshift 3.5 $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.5-rpms/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
{% if env == 'staging' %}
[rhel7-openshift-3.6] [rhel7-openshift-3.6]
name = rhel7 openshift 3.6 $basearch name = rhel7 openshift 3.6 $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.6-rpms/ baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openshift-3.6-rpms/
@ -19,4 +8,3 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
name = rhel7 fast datapath $basearch name = rhel7 fast datapath $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-fast-datapath/ baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-fast-datapath/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
{% endif %}


@ -2,3 +2,4 @@
host_group: os host_group: os
baseiptables: False baseiptables: False
no_http2: True no_http2: True
nm_controlled_resolv: True


@ -2,3 +2,4 @@
host_group: os host_group: os
baseiptables: False baseiptables: False
no_http2: True no_http2: True
nm_controlled_resolv: True


@ -7,8 +7,8 @@ eth0_ip: 10.5.128.99
vmhost: virthost11.phx2.fedoraproject.org vmhost: virthost11.phx2.fedoraproject.org
datacenter: phx2 datacenter: phx2
ks_url: http://infrastructure.phx2.fedoraproject.org/repo/rhel/ks/kvm-rhel-7 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
ks_repo: http://infrastructure.phx2.fedoraproject.org/repo/rhel/RHEL7-x86_64/ ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
# This is a generic list, monitored by collectd # This is a generic list, monitored by collectd
databases: databases:
@ -19,7 +19,7 @@ lvm_size: 500000
mem_size: 16384 mem_size: 16384
max_mem_size: "{{ mem_size }}" max_mem_size: "{{ mem_size }}"
num_cpus: 8 num_cpus: 8
fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran,sysadmin-releng
# kernel SHMMAX value # kernel SHMMAX value
kernel_shmmax: 68719476736 kernel_shmmax: 68719476736
@ -44,8 +44,8 @@ shared_buffers: "8GB"
effective_cache_size: "24GB" effective_cache_size: "24GB"
# Keepalived variables # Keepalived variables
keepalived_interface: eth0 #keepalived_interface: eth0
keepalived_priority: 50 #keepalived_priority: 50
keepalived_ipaddress: 10.5.128.97/24 #keepalived_ipaddress: 10.5.128.97/24
keepalived_routerid: 18 #keepalived_routerid: 18
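Review bot: Adding `sysadmin-releng` to `fas_client_groups` presumably widens who can log in to this database host, and nothing in the file says why release engineering needs that access. A one-line comment above the key, such as `# releng needs access for <reason>`, would let a later audit decide whether the grant is still required. The four `keepalived_*` variables are commented out rather than deleted, also without explanation; either remove them or add a comment stating why the virtual IP settings are kept for reference.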


@ -5,7 +5,7 @@ dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests volgroup: /dev/vg_guests
eth0_ip: 10.5.126.247 eth0_ip: 10.5.126.246
vmhost: virthost19.phx2.fedoraproject.org vmhost: virthost19.phx2.fedoraproject.org
datacenter: phx2 datacenter: phx2
host_group: os host_group: os


@ -5,7 +5,7 @@ dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_virthost15 volgroup: /dev/vg_virthost15
eth0_ip: 10.5.126.164 eth0_ip: 10.5.126.247
vmhost: virthost15.phx2.fedoraproject.org vmhost: virthost15.phx2.fedoraproject.org
datacenter: phx2 datacenter: phx2
host_group: os host_group: os


@ -5,7 +5,7 @@ dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests volgroup: /dev/vg_guests
eth0_ip: 10.5.126.246 eth0_ip: 10.5.126.248
vmhost: virthost06.phx2.fedoraproject.org vmhost: virthost06.phx2.fedoraproject.org
datacenter: phx2 datacenter: phx2
host_group: os-nodes host_group: os-nodes


@ -5,7 +5,7 @@ dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7-osbs
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests volgroup: /dev/vg_guests
eth0_ip: 10.5.126.248 eth0_ip: 10.5.126.164
vmhost: virthost19.phx2.fedoraproject.org vmhost: virthost19.phx2.fedoraproject.org
datacenter: phx2 datacenter: phx2
host_group: os-nodes host_group: os-nodes


@ -109,6 +109,7 @@ basset01.stg.phx2.fedoraproject.org
bastion01.phx2.fedoraproject.org bastion01.phx2.fedoraproject.org
bastion02.phx2.fedoraproject.org bastion02.phx2.fedoraproject.org
bastion-comm01.qa.fedoraproject.org bastion-comm01.qa.fedoraproject.org
bastion13.fedoraproject.org
[blockerbugs] [blockerbugs]
blockerbugs01.phx2.fedoraproject.org blockerbugs01.phx2.fedoraproject.org
@ -321,6 +322,7 @@ db-qa-stg01.qa.fedoraproject.org
db-fas01.stg.phx2.fedoraproject.org db-fas01.stg.phx2.fedoraproject.org
db01.stg.phx2.fedoraproject.org db01.stg.phx2.fedoraproject.org
db03.stg.phx2.fedoraproject.org db03.stg.phx2.fedoraproject.org
db-koji02.stg.phx2.fedoraproject.org
# postgresql bidirectional replication servers # postgresql bidirectional replication servers
[pgbdr] [pgbdr]
@ -328,7 +330,6 @@ db03.stg.phx2.fedoraproject.org
# postgresql bidirectional replication servers (stg) # postgresql bidirectional replication servers (stg)
[pgbdr-stg] [pgbdr-stg]
db-koji01.stg.phx2.fedoraproject.org db-koji01.stg.phx2.fedoraproject.org
db-koji02.stg.phx2.fedoraproject.org
pgbdr01.stg.phx2.fedoraproject.org pgbdr01.stg.phx2.fedoraproject.org
pgbdr02.stg.phx2.fedoraproject.org pgbdr02.stg.phx2.fedoraproject.org


@ -18,8 +18,9 @@
- fas_client - fas_client
- sudo - sudo
- collectd/base - collectd/base
- { role: openvpn/server, when: not inventory_hostname.startswith('bastion-comm01') } - { role: openvpn/server, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
- { role: packager_alias, when: not inventory_hostname.startswith('bastion-comm01') } - { role: openvpn/client, when: inventory_hostname.startswith('bastion13') }
- { role: packager_alias, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
- opendkim - opendkim
tasks: tasks:
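Review bot: The added `or inventory_hostname.startswith('bastion13')` clause on the `openvpn/server` and `packager_alias` roles never changes the outcome, because `not` binds tighter than `or` and for bastion13 the `not inventory_hostname.startswith('bastion-comm01')` half is already true. As written, bastion13 receives both `openvpn/server` and the new `openvpn/client` role. If the intent was to keep the server role off bastion13, the condition would be `when: not (inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13'))`; if the intent was to include it, the extra clause can simply be dropped. The role list starts above the hunk, so other conditions on these roles are not visible here.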


@ -125,10 +125,10 @@
- { - {
role: ansible-ansible-openshift-ansible, role: ansible-ansible-openshift-ansible,
cluster_inventory_filename: "cluster-inventory", cluster_inventory_filename: "cluster-inventory",
openshift_release: "v3.5", openshift_release: "v3.6",
openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_path: "/root/openshift-ansible",
openshift_ansible_playbook: "playbooks/byo/config.yml", openshift_ansible_playbook: "playbooks/byo/config.yml",
openshift_ansible_version: "openshift-ansible-3.5.70-1", openshift_ansible_version: "openshift-ansible-3.6.173.0.81-1",
openshift_ansible_ssh_user: root, openshift_ansible_ssh_user: root,
openshift_ansible_install_examples: true, openshift_ansible_install_examples: true,
openshift_ansible_containerized_deploy: false, openshift_ansible_containerized_deploy: false,
@ -162,6 +162,8 @@
tasks: tasks:
- name: enable nrpe for monitoring (noc01) - name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
tags:
- iptables
- name: Post-Install master setup - name: Post-Install master setup
hosts: os-masters-stg:os-masters hosts: os-masters-stg:os-masters


@ -2,12 +2,12 @@
# NOTE: should be used with --limit most of the time # NOTE: should be used with --limit most of the time
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-koji01.stg.phx2.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org:pgbdr01.stg.phx2.fedoraproject.org:pgbdr02.stg.phx2.fedoraproject.org" - import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-koji01.stg.phx2.fedoraproject.org:pgbdr01.stg.phx2.fedoraproject.org:pgbdr02.stg.phx2.fedoraproject.org"
# Once the instance exists, configure it. # Once the instance exists, configure it.
- name: configure postgresql server system - name: configure postgresql server system
hosts: db-koji01.stg.phx2.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org:pgbdr01.stg.phx2.fedoraproject.org:pgbdr02.stg.phx2.fedoraproject.org hosts: db-koji01.stg.phx2.fedoraproject.org:pgbdr01.stg.phx2.fedoraproject.org:pgbdr02.stg.phx2.fedoraproject.org
user: root user: root
gather_facts: True gather_facts: True


@ -2,12 +2,12 @@
# NOTE: should be used with --limit most of the time # NOTE: should be used with --limit most of the time
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars # NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org" - import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org"
# Once the instance exists, configure it. # Once the instance exists, configure it.
- name: configure postgresql server system - name: configure postgresql server system
hosts: db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org hosts: db-datanommer01.phx2.fedoraproject.org:db-datanommer02.phx2.fedoraproject.org:db-qa01.qa.fedoraproject.org:db-koji01.phx2.fedoraproject.org:db-fas01.stg.phx2.fedoraproject.org:db-fas01.phx2.fedoraproject.org:db01.phx2.fedoraproject.org:db01.stg.phx2.fedoraproject.org:db-s390-koji01.s390.fedoraproject.org:db-arm-koji01.qa.fedoraproject.org:db-ppc-koji01.ppc.fedoraproject.org:db-qa-stg01.qa.fedoraproject.org:db-qa02.qa.fedoraproject.org:db-koji02.stg.phx2.fedoraproject.org
user: root user: root
gather_facts: True gather_facts: True


@ -89,5 +89,18 @@
- python2-dockerfile-parse - python2-dockerfile-parse
when: env == "staging" and ansible_architecture != "ppc64" when: env == "staging" and ansible_architecture != "ppc64"
- name: set releng user keytab
copy:
src: "{{private}}/files/keytabs/{{env}}/releng"
dest: /etc/krb5.releng.keytab
when: env == "staging"
- name: copy releng ssh key for rebuild fedpkg/distgit pushes
copy:
src: "{{private}}/files/releng/sshkeys/container-rebuild-staging"
dest: /etc/pki/releng
when: env == "staging"
handlers: handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml" - import_tasks: "{{ handlers_path }}/restart_services.yml"
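Review bot: Both new `copy` tasks install credential material (a Kerberos keytab at `/etc/krb5.releng.keytab` and an SSH key at `/etc/pki/releng`) without `owner`, `group` or `mode`, so a newly created file gets whatever the remote umask yields, which is commonly world-readable. Each task should pin them explicitly, for example `owner: root`, `group: root` and `mode: "0600"`, or the owner and group of the account that actually reads the file. That account is not visible in the hunk, so the right owner needs confirming against the service that uses the keytab and key. The task list starts above the hunk.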


@ -283,8 +283,7 @@
- role: httpd/website - role: httpd/website
name: copr.fedoraproject.org name: copr.fedoraproject.org
ssl: true ssl: true
# We need sslonly=false because copr-cli hardcoded http sslonly: true
sslonly: false
cert_name: "{{wildcard_cert_name}}" cert_name: "{{wildcard_cert_name}}"
- role: httpd/website - role: httpd/website


@ -2,7 +2,7 @@
# #
# Badge artists and badge developers should be pushing stuff to this repo: # Badge artists and badge developers should be pushing stuff to this repo:
# #
# https://pagure.io/Fedora-Badges.git # https://pagure.io/fedora-badges.git
# #
# This playbook will take any new content from there and push it out onto our # This playbook will take any new content from there and push it out onto our
# servers. # servers.
@ -19,7 +19,7 @@
vars: vars:
tempdir: /var/tmp/badges-tempdir tempdir: /var/tmp/badges-tempdir
upstream: "https://pagure.io/Fedora-Badges.git" upstream: "https://pagure.io/fedora-badges.git"
workingdir: /srv/web/infra/badges/ workingdir: /srv/web/infra/badges/
tasks: tasks:


@ -19,37 +19,35 @@
- mjia - mjia
- dcallagh - dcallagh
- { role: openshift/object, app: waiverdb, template: secret.yml } - { role: openshift/object, app: waiverdb, template: secret.yml }
#- { role: openshift/secret-file - role: openshift/secret-file
# , app: waiverdb app: waiverdb
# , secret_name: waiverdb-stg-secret secret_name: waiverdb-stg-secret
# , key: client_secrets.json key: client_secrets.json
# , template: client_secrets.json template: client_secrets.json
# } - role: openshift/secret-file
# These secret roles also break if the secret already exists. Can only be run once. app: waiverdb
#- role: openshift/secret-file secret_name: waiverdb-fedmsg-key
# app: waiverdb key: fedmsg-waiverdb.key
# secret_name: waiverdb-fedmsg-key privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.key
# key: fedmsg-waiverdb.key when: env == "staging"
# privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.key - role: openshift/secret-file
# when: env == "staging" app: waiverdb
#- role: openshift/secret-file secret_name: waiverdb-fedmsg-crt
# app: waiverdb key: fedmsg-waiverdb.crt
# secret_name: waiverdb-fedmsg-crt privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.crt
# key: fedmsg-waiverdb.crt when: env == "staging"
# privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.crt - role: openshift/secret-file
# when: env == "staging" app: waiverdb
#- role: openshift/secret-file secret_name: waiverdb-fedmsg-key
# app: waiverdb key: fedmsg-waiverdb.key
# secret_name: waiverdb-fedmsg-key privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.key
# key: fedmsg-waiverdb.key when: env != "staging"
# privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.key - role: openshift/secret-file
# when: env != "staging" app: waiverdb
#- role: openshift/secret-file secret_name: waiverdb-fedmsg-crt
# app: waiverdb key: fedmsg-waiverdb.crt
# secret_name: waiverdb-fedmsg-crt privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.crt
# key: fedmsg-waiverdb.crt when: env != "staging"
# privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.crt
# when: env != "staging"
- { role: openshift/object, app: waiverdb, file: imagestream.yml } - { role: openshift/object, app: waiverdb, file: imagestream.yml }
- { role: openshift/object, app: waiverdb, file: buildconfig.yml } - { role: openshift/object, app: waiverdb, file: buildconfig.yml }
- { role: openshift/object, app: waiverdb, template: configmap.yml } - { role: openshift/object, app: waiverdb, template: configmap.yml }
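Review bot: Re-enabling the five `openshift/secret-file` roles also deletes the comment that said they break when the secret already exists and can only be run once; nothing visible here shows the role was made idempotent, so a second run of this playbook may fail at these entries. The first entry also has no `when:` guard, so `secret_name: waiverdb-stg-secret` would be applied in every environment, unlike the four fedmsg entries that are split on `env`. Either add a comment stating that the role now tolerates an existing secret, or restore the warning; and add `when: env == "staging"` to the first entry if it is meant for staging only. The roles list begins above the hunk.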


@ -26,7 +26,12 @@ RELEASES = {'f27': {'topic': 'fedora',
'from': 'f27-updates', 'from': 'f27-updates',
'ostrees': [{'ref': 'fedora/27/%(arch)s/updates/atomic-host', 'ostrees': [{'ref': 'fedora/27/%(arch)s/updates/atomic-host',
'dest': os.path.join(ATOMICDEST, '27'), 'dest': os.path.join(ATOMICDEST, '27'),
'arches': ['x86_64', 'ppc64le', 'aarch64']}], 'arches': ['x86_64', 'ppc64le', 'aarch64']},
{'ref': 'fedora/27/x86_64/updates/workstation',
'dest': os.path.join(ATOMICDEST, 'workstation')},
# Hack around for the fact that ostree on f25 doesn't know links
{'ref': 'fedora/27/x86_64/workstation',
'dest': os.path.join(ATOMICDEST, 'workstation')}],
'to': [{'arches': ['x86_64', 'armhfp', 'source'], 'to': [{'arches': ['x86_64', 'armhfp', 'source'],
'dest': os.path.join(FEDORADEST, '27')}, 'dest': os.path.join(FEDORADEST, '27')},
{'arches': ['aarch64', 'i386', 'ppc64', 'ppc64le', 's390x'], {'arches': ['aarch64', 'i386', 'ppc64', 'ppc64le', 's390x'],
@ -36,7 +41,9 @@ RELEASES = {'f27': {'topic': 'fedora',
'from': 'f27-updates-testing', 'from': 'f27-updates-testing',
'ostrees': [{'ref': 'fedora/27/%(arch)s/testing/atomic-host', 'ostrees': [{'ref': 'fedora/27/%(arch)s/testing/atomic-host',
'dest': os.path.join(ATOMICDEST, '27'), 'dest': os.path.join(ATOMICDEST, '27'),
'arches': ['x86_64', 'ppc64le', 'aarch64']}], 'arches': ['x86_64', 'ppc64le', 'aarch64']},
{'ref': 'fedora/27/x86_64/testing/workstation',
'dest': os.path.join(ATOMICDEST, 'workstation')}],
'to': [{'arches': ['x86_64', 'armhfp', 'source'], 'to': [{'arches': ['x86_64', 'armhfp', 'source'],
'dest': os.path.join(FEDORADEST, 'testing', '27')}, 'dest': os.path.join(FEDORADEST, 'testing', '27')},
{'arches': ['aarch64', 'i386', 'ppc64', 'ppc64le', 's390x'], {'arches': ['aarch64', 'i386', 'ppc64', 'ppc64le', 's390x'],
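Review bot: The new workstation entries in `ostrees` omit the `'arches'` key that the existing atomic-host entry carries, and two of them (`fedora/27/x86_64/updates/workstation` and `fedora/27/x86_64/workstation`) share the same `dest`. The code that walks `ostrees` is outside the hunk; if it reads `ostree['arches']` unconditionally these entries will raise, so either add `'arches': ['x86_64']` to each or confirm the consumer treats a missing key as a single fixed ref. The "Hack around" comment would be clearer if it named which ref is the link target and when the duplicate entry can be removed. The `RELEASES` dict starts and ends outside the hunk.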


@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu
c2hpZnQtc2lnbmVyQDE1MDM0MjY1MDcwHhcNMTcwODIyMTgyODI2WhcNMjIwODIx c2hpZnQtc2lnbmVyQDE1MTE5MzYxMDUwHhcNMTcxMTI5MDYxNTA0WhcNMjIxMTI4
MTgyODI3WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE1MDM0MjY1MDcw MDYxNTA1WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE1MTE5MzYxMDUw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8x8mVwkQA0pPPcMNUKwuz ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuURmWOArUMpoL5jg6YDrG
nthngidbnIK1KPN9OLEkudgxASVMYmNNjAMc1vz5YxGgRURr6AL+tQPLnFfn5GWD xB2QarYLedX7C/iAheCn/LlRZue/gzmWcv/QFXOlZNZl6xyhzCxj36J73f0wNGI3
LbP3FkniCpkg5OAgZTTm9MWXQoO+HmFY7wGdBd9VQXOoVLovSL3IvrFqE9CReRLU nbulv6bkHefPLWSh0OgC26S1GhkwDzbZhm/XBXeUqvCtczAFplGvXOAjk5+OKj7Z
FPA8/z7sZ+4fDSB9+Clk7BoVLiJ7NeD8BzcKHqe7CFt9PYgH2WtK5nOlduVDRjwv busvm+QhFy4TAl31gwwVKGoRfA/VerKaM2MeWwqMb1vjd0jPUhIMZ0+lanwLqZ/u
yOjACtzy1TXxAXec+1m0WkIfPdQ34enbd7U5b9T/jiuQVGp7RcrcQfHTqhyPeiXk yvJuVxdzjCXR+KytGKiSLYgU7kS25zqj/55yvUujiLNOI3jVDvm9FoynlGzvDoA8
yz/QGqXB4h9M0SZJVdx47zXVW+t8kA5i8VajDqFdZe8iwR7IIEEG+6WMJk/2JkaP e4DvAsWosqdJhZAkXJuXUtSWBZDPQgGNAzxkdrXY1wRDxXchUPgaqzOvma7FhwzJ
AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
SIb3DQEBCwUAA4IBAQBIjnRqG7kc2x24F4fJoUKDOwmHXPpuwVNZwR/8PnBs1KWM SIb3DQEBCwUAA4IBAQCUzIEDQDNrbu0DfGXtGwPzrE1m146C4K6ft3vVyOW2TdXb
xmvst3ZJJ7+ZgVuLxauO9pAK9aqlWTC0LkJIskIT6Jj5vbENDSycuxty7eadYVDM etak2gEsvTayNTyOBQGtgcvp+HhQhaJaHei5FzLqvmGXKpa8Q+od8NW7V5PZVZFN
zvJdtR4vuxQ4qdMzM9xcAaY5hfyDzK3c8wzAPzq++blzcxJzVcszKp8+sVRy0o0g RyTOmxAH4Y9+4SOqvclR4zT/Wy89tw5vr34rfN/sxcNW3iB/5/ZAGbaYwoSK96wZ
/4MVFPN0ddKqDXrBV5gQt+c3FLg7a2RVUhED523V3dRlui4nxy9C1M8BqMs6RDu9 3zHgjLPBFTYMgeRjgw+RPr7TRP6w2Mko/wLPXw/Ki2lFNuCyBsBvY98j8viV4eBi
b9AA8KQCVwHTb/FWgKkEyZDcDK+Ph5Qrn6v9eKCyKpYabqbqc1W0Ugi93+JYdn5z xXe6ZdUd4zAOtStHWT6gVQVj3aEBTsPlYxpWsmczLPijoKoa7KKYxwfJPfFpLwQX
vXDoM/KSvt0NR1JWEy3n3dATp4eHJAbGkCNNW5pW ANtgvRRtXEysQ3fKEOyzkPCv2YQlmcNuErrMIvkA
-----END CERTIFICATE----- -----END CERTIFICATE-----


@ -0,0 +1,36 @@
{% if rewrite %}
RewriteEngine On
RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
{% endif %}
{% if header_scheme %}
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
{% endif %}
{% if header_expect %}
RequestHeader unset Expect early
{% endif %}
{% if keephost %}
ProxyPreserveHost On
{% endif %}
{% if 'phx2' in inventory_hostname %}
{% if balancer_name is defined %}
<Proxy "balancer://{{balancer_name}}">
{% for member in balancer_members %}
BalancerMember "{{ member }}/{{remotepath}}"
{% endfor %}
</Proxy>
ProxyPass {{ localpath }} "balancer://{{balancer_name}}"
{% else %}
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
{% endif %}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% else %}
Redirect 421 /
{% endif %}
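Review bot: In the balancer branch `ProxyPass` targets `balancer://{{balancer_name}}`, but the shared `ProxyPassReverse` line still uses `{{ proxyurl }}{{remotepath}}`, so `Location` headers issued by balancer members are rewritten only if `proxyurl` happens to match the member that answered. Unrewritten redirects would hand internal backend URLs to clients, and the template would likely fail to render if `proxyurl` is not set for balancer sites. Inside the `balancer_name is defined` branch, use `ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}"` and keep the existing line for the single-backend branch only. The flags `rewrite`, `header_scheme`, `header_expect` and `keephost` are tested bare, so the role needs defaults for them; a short header comment listing the expected variables would document that.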


@ -111,6 +111,7 @@ Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild
tag = tag =
user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
user bodhi && tag *-override && package kernel shim grub2 fedora-release fedora-repos pesign :: allow user bodhi && tag *-override && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
has_perm autosign && fromtag *-pending && package kernel shim grub2 fedora-release fedora-repos pesign :: allow has_perm autosign && fromtag *-pending && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
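Review bot: The added rule matches on `fromtag module-*` without any test on the destination, so it appears to let `mbs/mbs.fedoraproject.org` move the listed secure-boot-relevant packages out of a module tag into any tag, whereas the rule above it is limited to destination `tag module-*`. If only moves between module tags are intended, adding `&& tag module-*` to the rule would keep the exception narrow; if the rule exists for untagging, where there is no destination tag, a comment above it saying so would make the scope auditable. The `tag =` policy block continues outside the hunk, so later rules that might already restrict this are not visible.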


@ -18,11 +18,12 @@
src: "{{cert_src}}" src: "{{cert_src}}"
dest: "{{cert_dest_dir}}/client.cert" dest: "{{cert_dest_dir}}/client.cert"
owner: root owner: root
mode: 0600 group: "releng-team"
mode: 0640
- name: install docker client key for registry - name: install docker client key for registry
copy: copy:
src: "{{key_src}}" src: "{{key_src}}"
dest: "{{cert_dest_dir}}/client.key" dest: "{{cert_dest_dir}}/client.key"
owner: root group: "releng-team"
mode: 0600 mode: 0640
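Review bot: The key task loses its `owner: root` line in this change while the cert task above keeps it, so `client.key` no longer has a pinned owner; add `owner: root` back alongside `group: "releng-team"`. Moving the private key from 0600 to 0640 makes it readable by every member of `releng-team`, which deserves a comment naming the process that needs group read access. `mode: 0640` is an unquoted YAML octal, and `mode: "0640"` avoids parser-dependent integer conversion. The later section that installs `{{docker_cert_name}}.key.pem` makes the same group and mode change but keeps `owner: root`, so the mode and quoting points apply there too.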


@ -1,4 +1,8 @@
{% if inventory_hostname.startswith('openqa') %}
command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /
{% else %}
command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p / command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
{% endif %}
command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /boot command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /boot
command[check_disk_/git]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /git command[check_disk_/git]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /git
command[check_disk_/mnt/koji]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /mnt/koji command[check_disk_/mnt/koji]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /mnt/koji


@ -121,7 +121,7 @@ define service {
define service { define service {
host_name status host_name status
service_description http-status.fedoraproject.org service_description http-status.fedoraproject.org
check_command check_website!d6tcqd4og8l21.cloudfront.net!/index.html!All systems go check_command check_website_ssl!www.fedorastatus.org!/index.html!All systems go
use websitetemplate use websitetemplate
} }


@ -27,6 +27,22 @@ Alias /packages/images/icons /var/cache/fedoracommunity/packages/icons
Alias /packages/images /usr/share/fedoracommunity/public/images Alias /packages/images /usr/share/fedoracommunity/public/images
Alias /packages/_res /usr/share/fedoracommunity/public/toscawidgets/resources/ Alias /packages/_res /usr/share/fedoracommunity/public/toscawidgets/resources/
Alias /packages/tw2/resources/tw2.jqplugins.ui/static /usr/lib/python2.7/site-packages/tw2/jqplugins/ui/static
Alias /packages/tw2/resources/tw2.jquery/static /usr/lib/python2.7/site-packages/tw2/jquery/static
Alias /packages/tw2/resources/fedoracommunity.connectors.widgets.widgets/static /usr/lib/python2.7/site-packages/fedoracommunity/connectors/widgets/static
<Directory /usr/lib/python2.7/site-packages/tw2/jqplugins/ui/static>
Require all granted
</Directory>
<Directory /usr/lib/python2.7/site-packages/tw2/jquery/static>
Require all granted
</Directory>
<Directory /usr/lib/python2.7/site-packages/fedoracommunity/connectors/widgets/static>
Require all granted
</Directory>
# Temporarily disabled until we can figure out how to get the moksha # Temporarily disabled until we can figure out how to get the moksha
# javascript resources pulled in with `python setup.py archive_tw_resources` # javascript resources pulled in with `python setup.py archive_tw_resources`
#Alias /community/toscawidgets /usr/share/fedoracommunity/public/toscawidgets #Alias /community/toscawidgets /usr/share/fedoracommunity/public/toscawidgets


@ -14,14 +14,16 @@
src: "{{private}}/files/koji/{{docker_cert_name}}.cert.pem" src: "{{private}}/files/koji/{{docker_cert_name}}.cert.pem"
dest: "{{docker_cert_dir}}/client.cert" dest: "{{docker_cert_dir}}/client.cert"
owner: root owner: root
mode: 0600 group: "releng-team"
mode: 0640
- name: install docker client key for registry - name: install docker client key for registry
copy: copy:
src: "{{private}}/files/koji/{{docker_cert_name}}.key.pem" src: "{{private}}/files/koji/{{docker_cert_name}}.key.pem"
dest: "{{docker_cert_dir}}/client.key" dest: "{{docker_cert_dir}}/client.key"
owner: root owner: root
mode: 0600 group: "releng-team"
mode: 0640
- name: start and enable docker - name: start and enable docker
service: name=docker state=started enabled=yes service: name=docker state=started enabled=yes