From 8a59695693ad57af173809c3e6b3b6fa9f40ec2c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 16 Apr 2021 10:41:58 -0700 Subject: [PATCH] Add maintainer_test and copr vmhosts to vpn We need to add these hosts to the vpn to use ipa for auth on them. They are in the 192.168.100 network, which is the 'more restricted' subnet of vpn. After the freeze we will probably want to lock this down more with a rule on all hosts except ipa* to reject everything from them. In the meantime the firewall rules blocking most things should be ok for now.
Signed-off-by: Kevin Fenzi --- .../{vmhost_copr => copr_hypervisor} | 8 +--- inventory/group_vars/maintainer_test | 9 +++++ inventory/inventory | 9 ++--- playbooks/groups/copr-hypervisor.yml | 2 +- playbooks/groups/maintainer-test.yml | 3 +- playbooks/groups/vmhost_copr.yml | 38 ------------------- .../ccd/aarch64-test01.fedorainfracloud.org | 2 + .../files/ccd/el7-test.fedorainfracloud.org | 2 + .../files/ccd/el8-test.fedorainfracloud.org | 2 + .../files/ccd/f32-test.fedorainfracloud.org | 2 + .../files/ccd/f33-test.fedorainfracloud.org | 2 + .../files/ccd/f34-test.fedorainfracloud.org | 2 + .../ccd/ppc64le-test.fedorainfracloud.org | 2 + .../ccd/rawhide-test.fedorainfracloud.org | 2 + ...vmhost-x86-copr01.rdu-cc.fedoraproject.org | 2 + ...vmhost-x86-copr02.rdu-cc.fedoraproject.org | 2 + ...vmhost-x86-copr03.rdu-cc.fedoraproject.org | 2 + ...vmhost-x86-copr04.rdu-cc.fedoraproject.org | 2 + 18 files changed, 41 insertions(+), 52 deletions(-) rename inventory/group_vars/{vmhost_copr => copr_hypervisor} (76%) delete mode 100644 playbooks/groups/vmhost_copr.yml create mode 100644 roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org create mode 100644 roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org create mode 100644 roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org create mode 100644 
roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org create mode 100644 roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org
diff --git a/inventory/group_vars/vmhost_copr b/inventory/group_vars/copr_hypervisor
similarity index 76%
rename from inventory/group_vars/vmhost_copr
rename to inventory/group_vars/copr_hypervisor
index 13742732f5..3b9f1b06d8 100644
--- a/inventory/group_vars/vmhost_copr
+++ b/inventory/group_vars/copr_hypervisor
@@ -1,6 +1,7 @@
 ---
 virthost: true
+vpn: true
 primary_auth_source: ipa
 ipa_host_group: vmhost-copr
 ipa_host_group_desc: VM hosts for COPR
@@ -9,15 +10,10 @@ ipa_client_shell_groups:
 ipa_client_sudo_groups:
 - sysadmin-copr
 nrpe_procs_warn: 1400
 nrpe_procs_crit: 1500
-# These variables are pushed into /etc/system_identification by the base role.
-# Groups and individual hosts should override them with specific info.
-# See http://infrastructure.fedoraproject.org/csi/security-policy/
-
-vpn: false
+vpn: true
 postfix_group: copr
 postfix_maincf: "postfix/main.cf/main.cf.copr"
diff --git a/inventory/group_vars/maintainer_test b/inventory/group_vars/maintainer_test
index f264f5c325..8b15d8ac5f 100644
--- a/inventory/group_vars/maintainer_test
+++ b/inventory/group_vars/maintainer_test
@@ -5,3 +5,12 @@ sudoers_main: nopasswd
 host_group: cloud
 datacenter: aws
 ansible_ifcfg_blocklist: true
+
+vpn: true
+primary_auth_source: ipa
+ipa_host_group: maintainer_test
+ipa_host_group_desc: Test hosts for package maintainers
+ipa_client_shell_groups:
+- packager
+ipa_client_sudo_groups:
+- packager
diff --git a/inventory/inventory b/inventory/inventory
index 119cf5c7e5..28aca94c6b 100644
--- a/inventory/inventory
+++ b/inventory/inventory
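Review bot: `vpn: true` now appears twice in inventory/group_vars/copr_hypervisor: the first hunk adds it right after `virthost: true`, and the second hunk also rewrites `vpn: false` into `vpn: true`, so the file ends up with a duplicate mapping key, which YAML 1.2 forbids and which most loaders resolve silently to the last value (Ansible's loader at least warns). Drop one of the two, preferably the line added in the first hunk, so the setting keeps living with the rest of the group's site settings as before. The rename also leaves `ipa_host_group: vmhost-copr` while the inventory group becomes `copr_hypervisor`; that is not wrong, but a comment such as `# IPA host group name predates the copr_hypervisor rename; changing it re-enrolls hosts` would stop the next reader from "fixing" it.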
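Review bot: `ipa_client_sudo_groups: - packager`, together with the `sudoers_main: nopasswd` already in this group (visible in the hunk header, and by its name configuring password-less sudo), gives every member of the packager group root on hosts that this same commit joins to the restricted 192.168.100 VPN subnet, so the reach of any single packager account now extends to the VPN side of these hosts. The commit message says the VPN-side restriction is deferred until after the freeze; that intent should be recorded in the file so it survives the freeze, e.g. a comment above `vpn: true` reading `# TODO(post-freeze): these hosts should only be allowed to reach ipa* over the VPN; add the restricting rule before widening access further`. One naming nit: `ipa_host_group: maintainer_test` uses an underscore while the copr group uses `vmhost-copr`; pick one convention for IPA host-group names.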
@@ -115,12 +115,6 @@ virthost-cc-rdu03.fedoraproject.org
 vmhost-x86-cc06.rdu-cc.fedoraproject.org
 vmhost-x86-cc05.rdu-cc.fedoraproject.org
-[vmhost_copr]
-vmhost-x86-copr01.rdu-cc.fedoraproject.org
-vmhost-x86-copr02.rdu-cc.fedoraproject.org
-vmhost-x86-copr03.rdu-cc.fedoraproject.org
-vmhost-x86-copr04.rdu-cc.fedoraproject.org
-
 [datagrepper]
 datagrepper01.iad2.fedoraproject.org
 datagrepper02.iad2.fedoraproject.org
@@ -1000,6 +994,9 @@ copr_dev_aws
 [copr_hypervisor]
 vmhost-x86-copr01.rdu-cc.fedoraproject.org
+vmhost-x86-copr02.rdu-cc.fedoraproject.org
+vmhost-x86-copr03.rdu-cc.fedoraproject.org
+vmhost-x86-copr04.rdu-cc.fedoraproject.org
 [copr_db_all:children]
 copr_db_stg
diff --git a/playbooks/groups/copr-hypervisor.yml b/playbooks/groups/copr-hypervisor.yml
index 5f9413c180..0592d93912 100644
--- a/playbooks/groups/copr-hypervisor.yml
+++ b/playbooks/groups/copr-hypervisor.yml
@@ -14,10 +14,10 @@
 tasks:
 - import_role: name=base
 - import_role: name=hosts
- - import_role: name=fas_client
 - import_role: name=rkhunter
 - import_role: name=nagios_client
 - import_role: name=openvpn/client
+ - import_role: name=ipa/client
 - import_role: name=sudo
 - import_tasks: "{{ tasks_path }}/2fa_client.yml"
diff --git a/playbooks/groups/maintainer-test.yml b/playbooks/groups/maintainer-test.yml
index 1314e97283..124ac0ae93 100644
--- a/playbooks/groups/maintainer-test.yml
+++ b/playbooks/groups/maintainer-test.yml
@@ -70,7 +70,8 @@
 - base
 - rkhunter
 - hosts
- - fas_client
+ - openvpn/client
+ - ipa/client
 - sudo
 tasks:
diff --git a/playbooks/groups/vmhost_copr.yml b/playbooks/groups/vmhost_copr.yml
deleted file mode 100644
index 843230452e..0000000000
--- a/playbooks/groups/vmhost_copr.yml
+++ /dev/null
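Review bot: The hosts that the inventory hunk moves into [copr_hypervisor] (vmhost-x86-copr02 through copr04) were until now configured by the deleted playbooks/groups/vmhost_copr.yml, which applied `virthost`, `collectd/base` and the motd tasks in addition to the roles visible in the copr-hypervisor.yml hunk; the task list of copr-hypervisor.yml starts and ends outside the hunk, so I cannot confirm those roles are applied elsewhere in the play, and if they are not, the three hypervisors lose their virthost and collectd configuration on the next run. The deleted playbook also gated `openvpn/client` on `when: vpn|bool`, whereas here it runs unconditionally; that is fine while the group sets `vpn: true`, but the ordering dependency deserves a comment such as `# openvpn/client must run before ipa/client: IPA is reached over the VPN` above the `openvpn/client` import, and the same applies to the maintainer-test.yml hunk below.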
@@ -1,38 +0,0 @@
-# create a new virthost server system
-# This is a copy of the main one which is meant to be limited ONLY to vmhost_copr group for rbac
-# NOTE: should be used with --limit most of the time
-# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
-
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=vmhost_copr:!buildvmhost-s390x-01.s390.fedoraproject.org"
-
-- name: make virthost server system
- hosts: vmhost_copr
- user: root
- gather_facts: True
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- pre_tasks:
- - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
- - import_tasks: "{{ tasks_path }}/yumrepos.yml"
-
- roles:
- - base
- - rkhunter
- - nagios_client
- - hosts
- - { role: openvpn/client, when: vpn|bool }
- - virthost
- - ipa/client
- - collectd/base
- - sudo
-
- tasks:
- - import_tasks: "{{ tasks_path }}/motd.yml"
- - import_tasks: "{{ tasks_path }}/2fa_client.yml"
-
- handlers:
- - import_tasks: "{{ handlers_path }}/restart_services.yml"
diff --git a/roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org b/roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org
new file mode 100644
index 0000000000..9e5ec009a4
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.21 192.168.100.21
diff --git a/roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org
new file mode 100644
index 0000000000..7d9fe85722
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.18 192.168.100.18
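Review bot: The twelve new ccd files (aarch64-test01 here and the eleven that follow through vmhost-x86-copr04) hand-assign 192.168.100.14 through .25, and nothing in the diff shows those addresses were checked against the entries already present under roles/openvpn/server/files/ccd/, so a collision with an existing client would only surface later as two clients contending for one address. Please confirm each address is unused in the existing ccd directory before merging. It would also help future allocation if each file recorded why the host is in the restricted 192.168.100 range, e.g. a second comment line `# maintainer_test host: restricted VPN subnet, IPA auth only` for the fedorainfracloud.org hosts and `# copr_hypervisor host: restricted VPN subnet, IPA auth only` for the rdu-cc ones.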
diff --git a/roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org
new file mode 100644
index 0000000000..5ca0f994a6
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.19 192.168.100.19
diff --git a/roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org
new file mode 100644
index 0000000000..7cc82fd473
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.14 192.168.100.14
diff --git a/roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org
new file mode 100644
index 0000000000..9a6abce2ec
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.15 192.168.100.15
diff --git a/roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org
new file mode 100644
index 0000000000..7c1846e40e
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.16 192.168.100.16
diff --git a/roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org
new file mode 100644
index 0000000000..7b363216c4
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.20 192.168.100.20
diff --git a/roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org b/roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org
new file mode 100644
index 0000000000..494afd4149
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.17 192.168.100.17
diff --git a/roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org b/roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org
new file mode 100644
index 0000000000..699cc301f2
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.22 192.168.100.22
diff --git a/roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org b/roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org
new file mode 100644
index 0000000000..c87181776b
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.23 192.168.100.23
diff --git a/roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org b/roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org
new file mode 100644
index 0000000000..474130a007
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.24 192.168.100.24
diff --git a/roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org b/roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org
new file mode 100644
index 0000000000..d6fef8d48f
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org
@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.25 192.168.100.25