Merge branch 'master' of /git/ansible

Conflicts: roles/rsyncd/files/rsyncd.conf.download-ibiblio roles/rsyncd/files/rsyncd.conf.download-phx2 roles/rsyncd/files/rsyncd.conf.download-rdu
2015-08-15 21:46:25 +00:00 · 2015-08-15 21:46:25 +00:00 · 8c4986ce16
commit 8c4986ce16
parent 4ab179dca8 d70a77ccf4
1452 changed files with 75505 additions and 6620 deletions
--- a/inventory/backups
+++ b/inventory/backups
@ -2,22 +2,24 @@
 # This is the list of clients we backup with rdiff-backup. 
 #
 [backup_clients]
-collab04.fedoraproject.org
+collab03.fedoraproject.org
 db01.phx2.fedoraproject.org
-db05.phx2.fedoraproject.org
+db03.phx2.fedoraproject.org
 db-datanommer02.phx2.fedoraproject.org
 db-fas01.phx2.fedoraproject.org
-hosted04.fedoraproject.org
+hosted03.fedoraproject.org
 hosted-lists01.fedoraproject.org
 lockbox01.phx2.fedoraproject.org
-people03.fedoraproject.org
+pagure01.fedoraproject.org
+people01.fedoraproject.org
 pkgs02.phx2.fedoraproject.org
 log01.phx2.fedoraproject.org
-qadevel.cloud.fedoraproject.org
+qadevel.qa.fedoraproject.org:222
 db-qa01.qa.fedoraproject.org
 db-koji01.phx2.fedoraproject.org
 copr-be.cloud.fedoraproject.org
 copr-fe.cloud.fedoraproject.org
 copr-keygen.cloud.fedoraproject.org
 value01.phx2.fedoraproject.org
+taiga.cloud.fedoraproject.org
 taskotron01.qa.fedoraproject.org
--- a/inventory/builders
+++ b/inventory/builders
@ -55,9 +55,20 @@ buildhw-12.phx2.fedoraproject.org
 buildppc-01.phx2.fedoraproject.org
 buildppc-02.phx2.fedoraproject.org

+[buildppc64]
+ppc8-01.qa.fedoraproject.org
+
 [buildaarch64]
 aarch64-03a.arm.fedoraproject.org
 aarch64-04a.arm.fedoraproject.org
+aarch64-05a.arm.fedoraproject.org
+aarch64-06a.arm.fedoraproject.org
+aarch64-07a.arm.fedoraproject.org
+aarch64-08a.arm.fedoraproject.org
+aarch64-09a.arm.fedoraproject.org
+aarch64-10a.arm.fedoraproject.org
+aarch64-11a.arm.fedoraproject.org
+aarch64-12a.arm.fedoraproject.org

 [bkernel]
 bkernel01.phx2.fedoraproject.org
@ -186,9 +197,20 @@ arm04-builder21.arm.fedoraproject.org
 arm04-builder22.arm.fedoraproject.org
 arm04-builder23.arm.fedoraproject.org

+# These hosts get the runroot plugin installed.
+# They should be added to their own 'compose' channel in the koji db
+# .. and they should not appear in the default channel for builds.
+[runroot]
+buildvm-01.stg.phx2.fedoraproject.org
+buildvm-01.phx2.fedoraproject.org
+buildhw-01.phx2.fedoraproject.org
+arm04-builder00.arm.fedoraproject.org
+arm04-builder01.arm.fedoraproject.org
+
 [builders:children]
 buildhw
 buildvm
 buildppc
 buildarm
 buildaarch64
+buildppc64
--- a/inventory/group_vars/OSv3
+++ b/inventory/group_vars/OSv3
@ -0,0 +1,3 @@
+---
+ansible_ssh_user: root
+deployment_type: origin
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -55,6 +55,22 @@ fedmsg_certs: []
 # By default, fedmsg should not log debug info.  Groups can override this.
 fedmsg_loglevel: INFO

+# By default, fedmsg hosts are in passive mode.  External hosts are typically
+# active.
+fedmsg_active: False
+
+# Other defaults for fedmsg environments
+fedmsg_prefix: org.fedoraproject
+fedmsg_env: prod
+
+# These are used to:
+#  1) configure mod_wsgi
+#  2) open iptables rules for fedmsg (per wsgi thread)
+#  3) declare enough fedmsg endpoints for the service
+#wsgi_fedmsg_service:  bodhi
+#wsgi_procs: 4
+#wsgi_threads: 4
+
 # By default, nodes don't backup any dbs on them unless they declare it.
 dbs_to_backup: []

@ -68,6 +84,7 @@ nrpe_check_postfix_queue_crit: 5

 # env is staging or production, we default it to production here. 
 env: production
+env_suffix:

 # nfs mount options, override at the group/host level
 nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid"
--- a/inventory/group_vars/anitya-backend
+++ b/inventory/group_vars/anitya-backend
@ -28,8 +28,13 @@ fedmsg_certs:
 - service: anitya
  owner: root
  group: fedmsg
+  can_send:
+  - anitya.project.version.update


+fedmsg_prefix: org.release-monitoring
+fedmsg_env: prod
+
 # For the MOTD
 csi_security_category: Low
 csi_primary_contact: Fedora admins - admin@fedoraproject.org
--- a/inventory/group_vars/anitya-frontend
+++ b/inventory/group_vars/anitya-frontend
@ -30,7 +30,22 @@ fedmsg_certs:
 - service: anitya
  owner: root
  group: apache
+  can_send:
+  - anitya.distro.add
+  - anitya.distro.edit
+  - anitya.distro.remove
+  - anitya.project.add
+  - anitya.project.add.tried
+  - anitya.project.edit
+  - anitya.project.map.new
+  - anitya.project.map.remove
+  - anitya.project.map.update
+  - anitya.project.remove
+  - anitya.project.version.remove
+  - anitya.project.version.update

+fedmsg_prefix: org.release-monitoring
+fedmsg_env: prod

 # For the MOTD
 csi_security_category: Low
--- a/inventory/group_vars/ask
+++ b/inventory/group_vars/ask
@ -25,6 +25,12 @@ fedmsg_certs:
 - service: askbot
  owner: root
  group: apache
+  can_send:
+  - askbot.post.delete
+  - askbot.post.edit
+  - askbot.post.flag_offensive.add
+  - askbot.post.flag_offensive.delete
+  - askbot.tag.update


 # For the MOTD
--- a/inventory/group_vars/ask-stg
+++ b/inventory/group_vars/ask-stg
@ -25,7 +25,12 @@ fedmsg_certs:
 - service: askbot
  owner: root
  group: apache
-
+  can_send:
+  - askbot.post.delete
+  - askbot.post.edit
+  - askbot.post.flag_offensive.add
+  - askbot.post.flag_offensive.delete
+  - askbot.tag.update

 # For the MOTD
 csi_security_category: Low
--- a/inventory/group_vars/autosign
+++ b/inventory/group_vars/autosign
@ -13,10 +13,10 @@ host_group: autosign
 # For the MOTD
 csi_security_category: High
 csi_primary_contact: Release Engineering - rel-eng@lists.fedoraproject.org
-csi_purpose: Provides frontend (reverse) proxy for most web applications
+csi_purpose: Automatically sign Rawhide and Branched packages
 csi_relationship: |
-    This host runs the autosigner.py script which should automatically sign new
-    rawhide and branched builds.  It listens to koji over fedmsg for
+    This host will run the autosigner.py script which should automatically sign
+    new rawhide and branched builds.  It listens to koji over fedmsg for
    notifications of new builds, and then asks sigul, the signing server, to
    sign the rpms and store the new rpm header back in Koji.

--- a/inventory/group_vars/badges-backend
+++ b/inventory/group_vars/badges-backend
@ -20,6 +20,9 @@ fedmsg_certs:
 - service: fedbadges
  owner: root
  group: fedmsg
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance


 # For the MOTD
--- a/inventory/group_vars/badges-backend-stg
+++ b/inventory/group_vars/badges-backend-stg
@ -20,6 +20,9 @@ fedmsg_certs:
 - service: fedbadges
  owner: root
  group: fedmsg
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance


 # For the MOTD
--- a/inventory/group_vars/badges-web
+++ b/inventory/group_vars/badges-web
@ -4,13 +4,15 @@ mem_size: 4096
 num_cpus: 2
 freezes: false

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# Definining these vars has a number of effects
+# 1) mod_wsgi is configured to use the vars for its own setup
+# 2) iptables opens enough ports for all threads for fedmsg
+# 3) roles/fedmsg/base/ declares enough fedmsg endpoints for all threads
+wsgi_fedmsg_service: tahrir
+wsgi_procs: 2
+wsgi_threads: 2

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+tcp_ports: [ 80 ]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
@ -25,6 +27,10 @@ fedmsg_certs:
 - service: tahrir
  owner: root
  group: tahrir
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
+  - fedbadges.person.login.first


 # For the MOTD
--- a/inventory/group_vars/badges-web-stg
+++ b/inventory/group_vars/badges-web-stg
@ -4,13 +4,15 @@ lvm_size: 20000
 mem_size: 1024
 num_cpus: 2

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# Definining these vars has a number of effects
+# 1) mod_wsgi is configured to use the vars for its own setup
+# 2) iptables opens enough ports for all threads for fedmsg
+# 3) roles/fedmsg/base/ declares enough fedmsg endpoints for all threads
+wsgi_fedmsg_service: tahrir
+wsgi_procs: 2
+wsgi_threads: 2

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+tcp_ports: [ 80 ]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
@ -25,6 +27,10 @@ fedmsg_certs:
 - service: tahrir
  owner: root
  group: tahrir
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
+  - fedbadges.person.login.first


 # For the MOTD
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@ -19,7 +19,7 @@ custom_rules: [
 #
 # allow a bunch of sysadmin groups here so they can access internal stuff
 #
-fas_client_groups: sysadmin-ask,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-darkserver,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc
+fas_client_groups: sysadmin-ask,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-darkserver,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei

 #
 # This is a postfix gateway. This will pick up gateway postfix config in base
--- a/inventory/group_vars/beaker-stg
+++ b/inventory/group_vars/beaker-stg
@ -0,0 +1,29 @@
+---
+lvm_size: 50000
+mem_size: 4096
+num_cpus: 2
+
+tcp_ports: [ 80, 443, 8000 ]
+udp_ports: [ 69 ]
+fas_client_groups: sysadmin-qa,sysadmin-main,fi-apprentice
+nrpe_procs_warn: 250
+nrpe_procs_crit: 300
+
+freezes: false
+
+# settings for the beaker db, server and lab controller
+beaker_db_host: localhost
+beaker_db_name: beaker
+beaker_db_user: "{{ stg_beaker_db_user }}"
+beaker_db_password: "{{ stg_beaker_db_password }}"
+mariadb_root_password: "{{ stg_beaker_mariadb_root_password }}"
+
+beaker_server_url: "https://beaker.stg.qa.fedoraproject.org"
+beaker_server_cname: "beaker.stg.fedoraproject.org"
+beaker_server_hostname: "beaker-stg01.qa.fedoraproject.org"
+beaker_server_admin_user: "{{ stg_beaker_server_admin_user }}"
+beaker_server_admin_pass: "{{ stg_beaker_server_admin_pass }}"
+beaker_server_email: "sysadmin-qa-members@fedoraproject.org"
+
+beaker_lab_controller_username: "host/beaker01.qa.fedoraproject.org"
+beaker_lab_controller_password: "{{ stg_beaker_lab_controller_password }}"
--- a/inventory/group_vars/beaker-virthosts
+++ b/inventory/group_vars/beaker-virthosts
@ -0,0 +1,10 @@
+---
+virthost: true
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
+libvirt_remote_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsxg20+vmLTt/U23x6yBtxU6N2Ool8ddlC5TFwr3FktCM7hcxkQ/funJ3VD5v9iN7Qg09g2YsPaPTfvmOPOP4bzX+/Fk8vJJb5nVg++XbS80Uw62eofr8g68ZPf6IWLEBiZ8/hmumK3TxTmsj/jn17bZBFTcQL7sB7Q4y7TxODt+5W9/0mJTLXbKoCvV+BCpxEfokx+50vVcX5CxXLHdgrdhPzKHcBHKtX6d2W8xzFj2dCThgAXl5tULYI1xP0BYTOtG+RaTNQWme4JxNlQZB8xbCxN2U+e1NpZl1Hn7Y9MbRL+nLfMIuWNJjYzUTGP3o9m2Tl9RCc2nhuS652rjfcQ== tflink@imagebuilder.qa.fedoraproject.org'
+libvirt_user: "{{ beaker_libvirt_user }}"
+
+# beaker is not a production service, so the virthosts aren't frozen
+freezes: false
--- a/inventory/group_vars/bkernel
+++ b/inventory/group_vars/bkernel
@ -1,2 +1,6 @@
 ---
 host_group: kojibuilder
+
+koji_server_url: "http://koji.fedoraproject.org/kojihub"
+koji_weburl: "http://koji.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.fedoraproject.org/"
--- a/inventory/group_vars/bodhi
+++ b/inventory/group_vars/bodhi
@ -7,8 +7,7 @@ lvm_size: 40000
 mem_size: 4096
 num_cpus: 2

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file

 tcp_ports: [ 80, 443,
    # These 16 ports are used by fedmsg.  One for each wsgi thread.
@ -28,3 +27,30 @@ fedmsg_certs:
 - service: bodhi
  owner: root
  group: bodhi
+  can_send:
+  - bodhi.buildroot_override.tag
+  - bodhi.buildroot_override.untag
+  - bodhi.stack.delete
+  - bodhi.stack.save
+  - bodhi.update.comment
+  - bodhi.update.complete.testing
+  - bodhi.update.edit
+  - bodhi.update.karma.threshold
+  - bodhi.update.request.obsolete
+  - bodhi.update.request.revoke
+  - bodhi.update.request.stable
+  - bodhi.update.request.testing
+  - bodhi.update.request.unpush
+
+  # Things that only the mash does - not the web UI
+  #- bodhi.mashtask.complete
+  #- bodhi.mashtask.mashing
+  #- bodhi.mashtask.start
+  #- bodhi.mashtask.sync.done
+  #- bodhi.mashtask.sync.wait
+  #- bodhi.errata.publish
+  #- bodhi.update.eject
+
+  # Rsync messages that get run from somewhere else entirely.
+  #- bodhi.updates.epel.sync
+  #- bodhi.updates.fedora.sync
--- a/inventory/group_vars/bodhi-backend
+++ b/inventory/group_vars/bodhi-backend
@ -0,0 +1,49 @@
+---
+# common items for the releng-* boxes
+lvm_size: 100000
+mem_size: 16384
+num_cpus: 16
+nm: 255.255.255.0
+gw: 10.5.125.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+
+virt_install_command: virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
+                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x
+                 "ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
+                  hostname={{ inventory_hostname }} nameserver={{ dns }}
+                  ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
+                  ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none"
+                 --network=bridge=br0,model=virtio --network=bridge=br1,model=virtio
+                 --autostart --noautoconsole
+
+# With 16 cpus, theres a bunch more kernel threads
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
+host_group: releng
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: root
+- service: bodhi
+  owner: root
+  group: masher
+  can_send:
+  - bodhi.mashtask.complete
+  - bodhi.mashtask.mashing
+  - bodhi.mashtask.start
+  - bodhi.mashtask.sync.done
+  - bodhi.mashtask.sync.wait
+  - bodhi.errata.publish
+  - bodhi.update.eject
+  # The ftp sync messages get run here too.
+  - bodhi.updates.epel.sync
+  - bodhi.updates.fedora.sync
+
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
--- a/inventory/group_vars/bodhi-backend-stg
+++ b/inventory/group_vars/bodhi-backend-stg
@ -0,0 +1,46 @@
+---
+# common items for the releng-* boxes
+lvm_size: 100000
+mem_size: 4096
+num_cpus: 2
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+
+virt_install_command: virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
+                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x
+                 "ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
+                  hostname={{ inventory_hostname }} nameserver={{ dns }}
+                  ip={{ eth0_ip }} netmask={{ nm }} gateway={{ gw }} dns={{ dns }}"
+                 --network=bridge=br0,model=virtio --network=bridge=br1,model=virtio
+                 --autostart --noautoconsole
+
+# With 16 cpus, theres a bunch more kernel threads
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
+host_group: releng
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: root
+#- service: bodhi
+#  owner: root
+#  group: masher
+#  can_send:
+#  - bodhi.mashtask.complete
+#  - bodhi.mashtask.mashing
+#  - bodhi.mashtask.start
+#  - bodhi.mashtask.sync.done
+#  - bodhi.mashtask.sync.wait
+#  - bodhi.errata.publish
+#  - bodhi.update.eject
+#  # The ftp sync messages get run here too.
+#  - bodhi.updates.epel.sync
+#  - bodhi.updates.fedora.sync
--- a/inventory/group_vars/bodhi-stg
+++ b/inventory/group_vars/bodhi-stg
@ -28,3 +28,30 @@ fedmsg_certs:
 - service: bodhi
  owner: root
  group: bodhi
+  can_send:
+  - bodhi.buildroot_override.tag
+  - bodhi.buildroot_override.untag
+  - bodhi.stack.delete
+  - bodhi.stack.save
+  - bodhi.update.comment
+  - bodhi.update.complete.testing
+  - bodhi.update.edit
+  - bodhi.update.karma.threshold
+  - bodhi.update.request.obsolete
+  - bodhi.update.request.revoke
+  - bodhi.update.request.stable
+  - bodhi.update.request.testing
+  - bodhi.update.request.unpush
+
+  # Things that only the mash does - not the web UI
+  #- bodhi.mashtask.complete
+  #- bodhi.mashtask.mashing
+  #- bodhi.mashtask.start
+  #- bodhi.mashtask.sync.done
+  #- bodhi.mashtask.sync.wait
+  #- bodhi.errata.publish
+  #- bodhi.update.eject
+
+  # Rsync messages that get run from somewhere else entirely.
+  #- bodhi.updates.epel.sync
+  #- bodhi.updates.fedora.sync
--- a/inventory/group_vars/bodhi2-stg
+++ b/inventory/group_vars/bodhi2-stg
@ -0,0 +1,34 @@
+---
+# Define resources for this group of hosts here. 
+jobrunner: false
+epelmasher: false
+
+lvm_size: 40000
+mem_size: 4096
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443,
+    # These 16 ports are used by fedmsg.  One for each wsgi thread.
+    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
+    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+fas_client_groups: sysadmin-noc
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: bodhi
+  owner: root
+  group: bodhi
+
+# Mount /mnt/fedora_koji as read-only in staging
+nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid"
+datacenter: staging
--- a/inventory/group_vars/bugzilla2fedmsg
+++ b/inventory/group_vars/bugzilla2fedmsg
@ -19,6 +19,9 @@ fedmsg_certs:
 - service: bugzilla2fedmsg
  owner: root
  group: fedmsg
+  can_send:
+  - bugzilla.bug.new
+  - bugzilla.bug.update

 # For the MOTD
 csi_security_category: Low
--- a/inventory/group_vars/bugzilla2fedmsg-stg
+++ b/inventory/group_vars/bugzilla2fedmsg-stg
@ -19,6 +19,9 @@ fedmsg_certs:
 - service: bugzilla2fedmsg
  owner: root
  group: fedmsg
+  can_send:
+  - bugzilla.bug.new
+  - bugzilla.bug.update

 # For the MOTD
 csi_security_category: Low
--- a/inventory/group_vars/buildaarch64
+++ b/inventory/group_vars/buildaarch64
@ -1,4 +1,8 @@
 ---
 host_group: kojibuilder
-fas_client_groups: sysadmin-releng
+fas_client_groups: sysadmin-releng,sysadmin-secondary
 sudoers: "{{ private }}/files/sudo/buildaarch64-sudoers"
+
+koji_server_url: "http://arm.koji.fedoraproject.org/kojihub"
+koji_weburl: "http://arm.koji.fedoraproject.org/koji"
+koji_topurl: "http://armpkgs.fedoraproject.org/"
--- a/inventory/group_vars/buildarm
+++ b/inventory/group_vars/buildarm
@ -1,3 +1,7 @@
 host_group: kojibuilder
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
+
+koji_server_url: "http://koji.fedoraproject.org/kojihub"
+koji_weburl: "http:/koji.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.fedoraproject.org/"
--- a/inventory/group_vars/buildhw
+++ b/inventory/group_vars/buildhw
@ -3,3 +3,7 @@ host_group: kojibuilder
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
 freezes: true
+
+koji_server_url: "http://koji.fedoraproject.org/kojihub"
+koji_weburl: "http://koji.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.fedoraproject.org/"
--- a/inventory/group_vars/buildppc
+++ b/inventory/group_vars/buildppc
@ -0,0 +1,7 @@
+host_group: kojibuilder
+fas_client_groups: sysadmin-releng
+#sudoers: "{{ private }}/files/sudo/ppc-releng-sudoers"
+
+koji_server_url: "http://koji.fedoraproject.org/kojihub"
+koji_weburl: "http://koji.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.fedoraproject.org/"
--- a/inventory/group_vars/buildppc64
+++ b/inventory/group_vars/buildppc64
@ -0,0 +1,8 @@
+---
+host_group: kojibuilder
+fas_client_groups: sysadmin-releng,sysadmin-secondary
+#sudoers: "{{ private }}/files/sudo/buildppc64-sudoers"
+
+koji_server_url: "http://ppc.koji.fedoraproject.org/kojihub"
+koji_weburl: "http://ppc.koji.fedoraproject.org/koji"
+koji_topurl: "http://ppcpkgs.fedoraproject.org/"
--- a/inventory/group_vars/buildvm
+++ b/inventory/group_vars/buildvm
@ -25,3 +25,7 @@ virt_install_command: virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
 host_group: kojibuilder
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
+
+koji_server_url: "http://koji.fedoraproject.org/kojihub"
+koji_weburl: "http://koji.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.fedoraproject.org/"
--- a/inventory/group_vars/buildvm-stg
+++ b/inventory/group_vars/buildvm-stg
@ -25,3 +25,7 @@ fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
 datacenter: staging
 nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid"
+
+koji_server_url: "http://koji.stg.fedoraproject.org/kojihub"
+koji_weburl: "http://koji.stg.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.stg.fedoraproject.org/"
--- a/inventory/group_vars/composers
+++ b/inventory/group_vars/composers
@ -0,0 +1,58 @@
+---
+# common items for the releng-* boxes
+lvm_size: 100000
+mem_size: 16384
+num_cpus: 16
+nm: 255.255.255.0
+gw: 10.5.125.254
+dns: 10.5.126.21
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+
+virt_install_command: virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
+                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x
+                 "ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
+                  hostname={{ inventory_hostname }} nameserver={{ dns }}
+                  ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
+                  ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none"
+                 --network=bridge=br0,model=virtio --network=bridge=br1,model=virtio
+                 --autostart --noautoconsole
+
+# With 16 cpus, theres a bunch more kernel threads
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
+host_group: releng
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: root
+- service: bodhi
+  owner: root
+  group: masher
+  can_send:
+  - compose.branched.complete
+  - compose.branched.mash.complete
+  - compose.branched.mash.start
+  - compose.branched.pungify.complete
+  - compose.branched.pungify.start
+  - compose.branched.rsync.complete
+  - compose.branched.rsync.start
+  - compose.branched.start
+  - compose.epelbeta.complete
+  - compose.rawhide.complete
+  - compose.rawhide.mash.complete
+  - compose.rawhide.mash.start
+  - compose.rawhide.rsync.complete
+  - compose.rawhide.rsync.start
+  - compose.rawhide.start
+
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
+
+koji_server_url: "http://koji.fedoraproject.org/kojihub"
+koji_weburl: "http://koji.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.fedoraproject.org/"
--- a/inventory/group_vars/composers-stg
+++ b/inventory/group_vars/composers-stg
@ -0,0 +1,4 @@
+---
+koji_server_url: "http://koji.stg.fedoraproject.org/kojihub"
+koji_weburl: "http://koji.stg.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.fedoraproject.org/"
--- a/inventory/group_vars/copr
+++ b/inventory/group_vars/copr
@ -3,9 +3,14 @@ devel: false
 _forward_src: "forward"

 # don't forget to update ip in ./copr-keygen, due to custom firewall rules
-copr_backend_ips: "172.16.5.5 209.132.184.142"
-keygen_host: "172.16.5.25"
+
+copr_backend_ips: ["172.25.32.4", "209.132.184.48"]
+keygen_host: "172.25.32.5"
+
 resolvconf: "resolv.conf/cloud"

 backend_base_url: "https://copr-be.cloud.fedoraproject.org"
 postfix_maincf: "postfix/main.cf/main.cf.copr"
+
+frontend_base_url: "https://copr.fedoraproject.org"
+dist_git_base_url: "copr-dist-git.fedorainfracloud.org"
--- a/inventory/group_vars/copr-back
+++ b/inventory/group_vars/copr-back
@ -1,15 +1,17 @@
 ---
 _lighttpd_conf_src: "lighttpd/lighttpd.conf"

-copr_nova_auth_url: "https://fed-cloud09.cloud.fedoraproject.org:5000/v2.0"
+copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
 copr_nova_tenant_id: "undefined_tenant_id"
 copr_nova_tenant_name: "copr"
 copr_nova_username: "copr"

-copr_builder_image_name: "builder_base_image_2015_04_01"
-copr_builder_flavor_name: "m1.builder"
+# copr_builder_image_name: "Fedora-Cloud-Base-20141203-21"
+copr_builder_image_name: "builder-2015-05-27"
+copr_builder_flavor_name: "ms2.builder"
 copr_builder_network_name: "copr-net"
 copr_builder_key_name: "buildsys"
+copr_builder_security_groups: "ssh-anywhere-copr,default,ssh-from-persistent-copr"


 fedmsg_enabled: "true"
--- a/inventory/group_vars/copr-back-stg
+++ b/inventory/group_vars/copr-back-stg
@ -1,19 +1,20 @@
 ---
 _lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"

-copr_nova_auth_url: "https://fed-cloud09.cloud.fedoraproject.org:5000/v2.0"
+copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
 copr_nova_tenant_id: "566a072fb1694950998ad191fee3833b"
 copr_nova_tenant_name: "coprdev"
 copr_nova_username: "copr"

-copr_builder_image_name: "builder_base_image_2015_04_01"
-copr_builder_flavor_name: "m1.builder"
+copr_builder_image_name: "builder-2015-05-27"
+copr_builder_flavor_name: "ms2.builder"
 copr_builder_network_name: "coprdev-net"
 copr_builder_key_name: "buildsys"
+copr_builder_security_groups: "ssh-anywhere-coprdev,default,ssh-from-persistent-coprdev"

 fedmsg_enabled: "false"

-do_sign: "false"
+do_sign: "true"

 spawn_in_advance: "true"
 frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
--- a/inventory/group_vars/copr-dist-git
+++ b/inventory/group_vars/copr-dist-git
@ -0,0 +1,5 @@
+---
+tcp_ports: [22, 80]
+datacenter: cloud
+freezes: false
+
--- a/inventory/group_vars/copr-dist-git-stg
+++ b/inventory/group_vars/copr-dist-git-stg
@ -0,0 +1,4 @@
+---
+tcp_ports: [22, 80]
+datacenter: cloud
+freezes: false
--- a/inventory/group_vars/copr-keygen
+++ b/inventory/group_vars/copr-keygen
@ -2,10 +2,10 @@
 tcp_ports: [22]

 # http + signd dest ports
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.16.5.5 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 209.132.184.142 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.16.5.5 --dport 5167 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 209.132.184.142 --dport 5167 -j ACCEPT']
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.4 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.48 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 172.25.32.4 --dport 5167 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.48 --dport 5167 -j ACCEPT']

 datacenter: cloud

--- a/inventory/group_vars/copr-keygen-stg
+++ b/inventory/group_vars/copr-keygen-stg
@ -3,10 +3,10 @@ copr_hostbase: copr-keygen-dev
 tcp_ports: []

 # http + signd dest ports
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.16.5.24 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 209.132.184.179 --dport 80 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 172.16.5.24 --dport 5167 -j ACCEPT',
-                '-A INPUT -p tcp -m tcp -s 209.132.184.179 --dport 5167 -j ACCEPT']
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.25.32.13 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.53 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 172.25.32.13 --dport 5167 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.53 --dport 5167 -j ACCEPT']

 datacenter: cloud

--- a/inventory/group_vars/copr-stg
+++ b/inventory/group_vars/copr-stg
@ -4,9 +4,14 @@ devel: true
 _forward_src: "forward_dev"

 # don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules
-copr_backend_ips: "172.16.5.24 209.132.184.179"
-keygen_host: "172.16.1.6"
+
+copr_backend_ips: ["172.25.32.13", "209.132.184.53"]
+keygen_host: "172.25.32.11"
+
 resolvconf: "resolv.conf/cloud"

 backend_base_url: "http://copr-be-dev.cloud.fedoraproject.org"
 postfix_maincf: "postfix/main.cf/main.cf.copr"
+
+frontend_base_url: "http://copr-fe-dev.cloud.fedoraproject.org"
+dist_git_base_url: "copr-dist-git-dev.fedorainfracloud.org"
--- a/inventory/group_vars/dns
+++ b/inventory/group_vars/dns
@ -14,3 +14,5 @@ fas_client_groups: sysadmin-main,sysadmin-dns

 nrpe_procs_warn: 300
 nrpe_procs_crit: 500
+
+sudoers: "{{ private }}/files/sudo/sysadmin-dns"
--- a/inventory/group_vars/download-phx2
+++ b/inventory/group_vars/download-phx2
@ -6,4 +6,4 @@ nrpe_procs_warn: 900
 nrpe_procs_crit: 1000

 # nfs mount options, overrides the all/default
-nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600"
+nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=3"
--- a/inventory/group_vars/download-rdu2
+++ b/inventory/group_vars/download-rdu2
@ -6,4 +6,4 @@ nrpe_procs_warn: 900
 nrpe_procs_crit: 1000

 # nfs mount options, overrides the all/default
-nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600"
+nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=3"
--- a/inventory/group_vars/elections
+++ b/inventory/group_vars/elections
@ -4,11 +4,11 @@ lvm_size: 20000
 mem_size: 2048
 num_cpus: 2

-tcp_ports: [ 80,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+wsgi_fedmsg_service: fedora_elections
+wsgi_procs: 2
+wsgi_threads: 2

+tcp_ports: [ 80 ]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
@ -25,4 +25,9 @@ fedmsg_certs:
 - service: fedora_elections
  owner: root
  group: apache
-
+  can_send:
+  - fedora_elections.candidate.delete
+  - fedora_elections.candidate.edit
+  - fedora_elections.candidate.new
+  - fedora_elections.election.edit
+  - fedora_elections.election.new
--- a/inventory/group_vars/elections-stg
+++ b/inventory/group_vars/elections-stg
@ -4,10 +4,11 @@ lvm_size: 20000
 mem_size: 1024
 num_cpus: 2

-tcp_ports: [ 80,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+wsgi_fedmsg_service: fedora_elections
+wsgi_procs: 2
+wsgi_threads: 2
+
+tcp_ports: [ 80 ]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
@ -24,4 +25,9 @@ fedmsg_certs:
 - service: fedora_elections
  owner: root
  group: apache
-
+  can_send:
+  - fedora_elections.candidate.delete
+  - fedora_elections.candidate.edit
+  - fedora_elections.candidate.new
+  - fedora_elections.election.edit
+  - fedora_elections.election.new
--- a/inventory/group_vars/fas
+++ b/inventory/group_vars/fas
@ -7,15 +7,11 @@ num_cpus: 4
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 80, 873, 8443, 8444,
-             # fas has 40 wsgi processes, each of which need their own port
-             # open for outbound fedmsg messages.
-             3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-             3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015,
-             3016, 3017, 3018, 3019, 3020, 3021, 3022, 3023,
-             3024, 3025, 3026, 3027, 3028, 3029, 3030, 3031,
-             3032, 3033, 3034, 3035, 3036, 3037, 3038, 3039,
-             ]
+wsgi_fedmsg_service: fas
+wsgi_procs: 40
+wsgi_threads: 1
+
+tcp_ports: [ 80, 873, 8443, 8444 ]

 fas_client_groups: sysadmin-main,sysadmin-accounts

@ -36,3 +32,12 @@ fedmsg_certs:
 - service: fas
  owner: root
  group: fas
+  can_send:
+  - fas.group.create
+  - fas.group.member.apply
+  - fas.group.member.remove
+  - fas.group.member.sponsor
+  - fas.group.update
+  - fas.role.update
+  - fas.user.create
+  - fas.user.update
--- a/inventory/group_vars/fas-stg
+++ b/inventory/group_vars/fas-stg
@ -7,15 +7,11 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 80, 873, 8443, 8444,
-             # fas has 40 wsgi processes, each of which need their own port
-             # open for outbound fedmsg messages.
-             3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-             3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015,
-             3016, 3017, 3018, 3019, 3020, 3021, 3022, 3023,
-             3024, 3025, 3026, 3027, 3028, 3029, 3030, 3031,
-             3032, 3033, 3034, 3035, 3036, 3037, 3038, 3039,
-             ]
+wsgi_fedmsg_service: fas
+wsgi_procs: 40
+wsgi_threads: 1
+
+tcp_ports: [ 80, 873, 8443, 8444 ]

 fas_client_groups: sysadmin-main,sysadmin-accounts

@ -36,3 +32,12 @@ fedmsg_certs:
 - service: fas
  owner: root
  group: fas
+  can_send:
+  - fas.group.create
+  - fas.group.member.apply
+  - fas.group.member.remove
+  - fas.group.member.sponsor
+  - fas.group.update
+  - fas.role.update
+  - fas.user.create
+  - fas.user.update
--- a/inventory/group_vars/fedimg
+++ b/inventory/group_vars/fedimg
@ -6,7 +6,11 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 3000 ]
+tcp_ports: [
+   # These are all for outgoing fedmsg.
+   3000, 3001, 3002, 3003, 3004, 3005, 3006,
+   3007, 3008, 3009, 3010, 3011, 3012, 3013,
+]

 # TODO, restrict this down to just sysadmin-releng
 fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg
@ -19,3 +23,6 @@ fedmsg_certs:
 - service: fedimg
  owner: root
  group: fedmsg
+  can_send:
+  - fedimg.image.test
+  - fedimg.image.upload
--- a/inventory/group_vars/fedimg-stg
+++ b/inventory/group_vars/fedimg-stg
@ -6,7 +6,11 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 3000 ]
+tcp_ports: [
+   # These are all for outgoing fedmsg.
+   3000, 3001, 3002, 3003, 3004, 3005, 3006,
+   3007, 3008, 3009, 3010, 3011, 3012, 3013,
+]

 # TODO, restrict this down to just sysadmin-releng
 fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg
@ -19,3 +23,6 @@ fedmsg_certs:
 - service: fedimg
  owner: root
  group: fedmsg
+  can_send:
+  - fedimg.image.test
+  - fedimg.image.upload
--- a/inventory/group_vars/fedoauth-stg
+++ b/inventory/group_vars/fedoauth-stg
@ -1,15 +0,0 @@
---
-# Define resources for this group of hosts here. 
-lvm_size: 20000
-mem_size: 1024
-num_cpus: 2
-
-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
-
-tcp_ports: [ 80, 443 ]
-
-# Neeed for rsync from log01 for logs.
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
-
-fas_client_groups: sysadmin-main,sysadmin-accounts
--- a/inventory/group_vars/fedocal
+++ b/inventory/group_vars/fedocal
@ -27,3 +27,13 @@ fedmsg_certs:
 - service: fedocal
  owner: root
  group: apache
+  can_send:
+  - fedocal.calendar.clear
+  - fedocal.calendar.delete
+  - fedocal.calendar.new
+  - fedocal.calendar.update
+  - fedocal.calendar.upload
+  - fedocal.meeting.delete
+  - fedocal.meeting.new
+  - fedocal.meeting.reminder
+  - fedocal.meeting.update
--- a/inventory/group_vars/fedocal-stg
+++ b/inventory/group_vars/fedocal-stg
@ -27,3 +27,13 @@ fedmsg_certs:
 - service: fedocal
  owner: root
  group: apache
+  can_send:
+  - fedocal.calendar.clear
+  - fedocal.calendar.delete
+  - fedocal.calendar.new
+  - fedocal.calendar.update
+  - fedocal.calendar.upload
+  - fedocal.meeting.delete
+  - fedocal.meeting.new
+  - fedocal.meeting.reminder
+  - fedocal.meeting.update
--- a/inventory/group_vars/github2fedmsg
+++ b/inventory/group_vars/github2fedmsg
@ -4,13 +4,15 @@ lvm_size: 20000
 mem_size: 2048
 num_cpus: 2

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# Definining these vars has a number of effects
+# 1) mod_wsgi is configured to use the vars for its own setup
+# 2) iptables opens enough ports for all threads for fedmsg
+# 3) roles/fedmsg/base/ declares enough fedmsg endpoints for all threads
+wsgi_fedmsg_service: github2fedmsg
+wsgi_procs: 2
+wsgi_threads: 2

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+tcp_ports: [ 80 ]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
@ -25,3 +27,21 @@ fedmsg_certs:
 - service: github2fedmsg
  owner: root
  group: apache
+  can_send:
+  - github.commit_comment
+  - github.create
+  - github.delete
+  - github.fork
+  - github.issue.comment
+  - github.issue.reopened
+  - github.member
+  - github.page_build
+  - github.pull_request.closed
+  - github.pull_request_review_comment
+  - github.push
+  - github.release
+  - github.star
+  - github.status
+  - github.team_add
+  - github.webhook
+  - github.gollum
--- a/inventory/group_vars/github2fedmsg-stg
+++ b/inventory/group_vars/github2fedmsg-stg
@ -4,13 +4,15 @@ lvm_size: 20000
 mem_size: 1024
 num_cpus: 1

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# Definining these vars has a number of effects
+# 1) mod_wsgi is configured to use the vars for its own setup
+# 2) iptables opens enough ports for all threads for fedmsg
+# 3) roles/fedmsg/base/ declares enough fedmsg endpoints for all threads
+wsgi_fedmsg_service: github2fedmsg
+wsgi_procs: 2
+wsgi_threads: 2

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+tcp_ports: [ 80 ]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
@ -25,3 +27,21 @@ fedmsg_certs:
 - service: github2fedmsg
  owner: root
  group: apache
+  can_send:
+  - github.commit_comment
+  - github.create
+  - github.delete
+  - github.fork
+  - github.issue.comment
+  - github.issue.reopened
+  - github.member
+  - github.page_build
+  - github.pull_request.closed
+  - github.pull_request_review_comment
+  - github.push
+  - github.release
+  - github.star
+  - github.status
+  - github.team_add
+  - github.webhook
+  - github.gollum
--- a/inventory/group_vars/hosted
+++ b/inventory/group_vars/hosted
@ -0,0 +1,27 @@
+
+
+# Even though the hosted nodes are still deployed with puppet, we have this
+# definition here so that the fedmsg authz policy can be generated correctly.
+# ... when we eventually fully ansibilize these hosts, just fill out the rest of
+# this file with the other vars we need.  --threebean
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: trac
+  owner: root
+  group: apache
+  can_send:
+  - trac.ticket.delete
+  - trac.ticket.new
+  - trac.ticket.update
+  - trac.wiki.page.delete
+  - trac.wiki.page.new
+  - trac.wiki.page.rename
+  - trac.wiki.page.update
+  - trac.wiki.page.version.delete
+- service: git
+  owner: root
+  group: cla_done
+  can_send:
+  - trac.git.receive
--- a/inventory/group_vars/hotness
+++ b/inventory/group_vars/hotness
@ -19,3 +19,8 @@ fedmsg_certs:
 - service: hotness
  owner: root
  group: fedmsg
+  can_send:
+  - hotness.project.map
+  - hotness.update.bug.file
+  - hotness.update.bug.followup
+  - hotness.update.drop
--- a/inventory/group_vars/hotness-stg
+++ b/inventory/group_vars/hotness-stg
@ -19,3 +19,8 @@ fedmsg_certs:
 - service: hotness
  owner: root
  group: fedmsg
+  can_send:
+  - hotness.project.map
+  - hotness.update.bug.file
+  - hotness.update.bug.followup
+  - hotness.update.drop
--- a/inventory/group_vars/fedoauth
+++ b/inventory/group_vars/fedoauth
--- a/inventory/group_vars/jenkins-cloud
+++ b/inventory/group_vars/jenkins-cloud
@ -1,4 +1,5 @@
 postfix_group: jenkins-cloud
+freezes: false

 tcp_ports: [22, 80, 443]

@ -10,3 +11,10 @@ fedmsg_certs:
 - service: jenkins
  owner: root
  group: jenkins
+  can_send:
+  - jenkins.build.aborted
+  - jenkins.build.failed
+  - jenkins.build.notbuilt
+  - jenkins.build.passed
+  - jenkins.build.start
+  - jenkins.build.unstable
--- a/inventory/group_vars/jenkins-dev
+++ b/inventory/group_vars/jenkins-dev
@ -0,0 +1,184 @@
+---
+datacenter: fedorainfracloud
+freezes: false
+
+slaves:
+- name: EL6
+  host: jenkins-slave-el6.fedorainfracloud.org
+  description: CentOS 6.6
+  labels: el EL el6 EL6 centos CentOS centos6 CentOS6
+- name: EL7
+  host: jenkins-slave-el7.fedorainfracloud.org
+  description: Red Hat Enterprise Linux Server 7.1
+  labels: el EL el7 EL7 rhel RHEL rhel7 RHEL7
+- name: F22
+  host: jenkins-slave-f22.fedorainfracloud.org
+  description: Fedora 22
+  labels: fedora Fedora fedora22 Fedora22
+
+# Packages installed on all Jenkins slaves (Fedora, CentOS)
+slave_packages_common:
+- java-1.8.0-openjdk-devel
+- vim
+- subversion
+- bzr
+- git
+- rpmlint
+- rpmdevtools
+- mercurial
+- mock
+- gcc
+- gcc-c++
+- libjpeg-turbo-devel
+- python-bugzilla
+- python-pip
+- python-virtualenv
+- python-coverage
+- pylint
+- python-argparse
+- python-nose
+- python-BeautifulSoup
+- python-fedora
+- python-unittest2
+- python-pep8
+- python-psycopg2
+- postgresql-devel   # Required to install python-psycopg2 w/in a venv
+- docbook-style-xsl  # Required by gimp-help-2
+- make               # Required by gimp-help-2
+- automake           # Required by gimp-help-2
+- libcurl-devel      # Required by blockerbugs
+- python-formencode  # Required by javapackages-tools
+- asciidoc           # Required by javapackages-tools
+- xmlto              # Required by javapackages-tools
+- pycairo-devel      # Required by dogtail
+- packagedb-cli      # Required by FedoraReview
+- xorg-x11-server-Xvfb  # Required by fedora-rube
+- libffi-devel       # Required by bodhi/cffi/cryptography
+- openssl-devel      # Required by bodhi/cffi/cryptography
+- redis              # Required by copr
+- createrepo_c       # Required by bodhi2
+- python-createrepo_c       # Required by bodhi2
+- python-straight-plugin
+- pyflakes           # Requested by user rholy (ticket #4175)
+- koji               # Required by koschei (ticket #4852)
+- python-hawkey      # Required by koschei (ticket #4852)
+- python-librepo     # Required by koschei (ticket #4852)
+- rpm-python         # Required by koschei (ticket #4852)
+
+# Packages installed only on Fedora Jenkins slaves
+slave_packages_fedora:
+- python3
+- python-nose-cover3
+- python3-nose-cover3
+- glibc.i686
+- glibc-devel.i686
+- libstdc++.i686
+- zlib-devel.i686
+- ncurses-devel.i686
+- libX11-devel.i686
+- libXrender.i686
+- libXrandr.i686
+- nspr-devel           ## Requested by 389-ds-base
+- nss-devel
+- svrcore-devel
+- openldap-devel
+- libdb-devel
+- cyrus-sasl-devel
+- icu
+- libicu-devel
+- gcc-c++
+- net-snmp-devel
+- lm_sensors-devel
+- bzip2-devel
+- zlib-devel
+- openssl-devel
+- tcp_wrappers
+- pam-devel
+- systemd-units
+- policycoreutils-python
+- openldap-clients
+- perl-Mozilla-LDAP
+- nss-tools
+- cyrus-sasl-gssapi
+- cyrus-sasl-md5
+- libdb-utils
+- systemd-units
+- perl-Socket
+- perl-NetAddr-IP
+- pcre-devel            ## End of request list for 389-ds-base
+- maven                 # Required by xmvn https://fedorahosted.org/fedora-infrastructure/ticket/4054
+- gtk3-devel            # Required by dogtail
+- glib2-devel           # Required by Cockpit
+- libgudev1-devel
+- json-glib-devel
+- gobject-introspection-devel
+- libudisks2-devel
+- NetworkManager-glib-devel
+- systemd-devel
+- accountsservice-devel
+- pam-devel
+- autoconf
+- libtool
+- intltool
+- jsl
+- python-scss
+- gtk-doc
+- krb5-devel
+- sshpass
+- perl-Locale-PO
+- perl-JSON
+- glib-networking
+- realmd
+- udisks2
+- mdadm
+- lvm2
+- sshpass           # End requires for Cockpit
+- tito              # Requested by msrb for javapackages-tools and xmvn (ticket#4113)
+- pyflakes          # Requested by user rholy (ticket #4175)
+- devscripts-minimal # Required by FedoraReview
+- firefox           # Required for rube
+- python-devel      # Required for mpi4py
+- python3-devel     # Required for mpi4py
+- pwgen             # Required for mpi4py
+- openmpi-devel     # Required for mpi4py
+- mpich2-devel      # Required for mpi4py
+- pylint            # Required by Ipsilon
+- python-pep8
+- nodejs-less
+- python-openid
+- python-openid-teams
+- python-openid-cla
+- python-cherrypy
+- m2crypto
+- lasso-python
+- python-sqlalchemy
+- python-ldap
+- python-pam
+- python-fedora
+- freeipa-python
+- httpd
+- mod_auth_mellon
+- postgresql-server
+- openssl
+- mod_wsgi
+- python-jinja2
+- python-psycopg2
+- sssd
+- libsss_simpleifp
+- openldap-servers
+- mod_auth_gssapi
+- krb5-server
+- socket_wrapper
+- nss_wrapper
+- python-requests-kerberos
+- python-lesscpy     # End requires for Ipsilon
+- libxml2-python     # Required by gimp-docs
+- createrepo         # Required by dnf
+- dia                # Required by javapackages-tools ticket #4279
+
+# Packages installed only on CentOS Jenkins slaves
+slave_packages_centos:
+# "setup" is just a placeholder value
+- setup
+# el7-only
+#    - python-webob1.4   # Required by bodhi2
--- a/inventory/group_vars/kerneltest
+++ b/inventory/group_vars/kerneltest
@ -4,13 +4,15 @@ lvm_size: 20000
 mem_size: 1024
 num_cpus: 1

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# Definining these vars has a number of effects
+# 1) mod_wsgi is configured to use the vars for its own setup
+# 2) iptables opens enough ports for all threads for fedmsg
+# 3) roles/fedmsg/base/ declares enough fedmsg endpoints for all threads
+wsgi_fedmsg_service: kerneltest
+wsgi_procs: 2
+wsgi_threads: 1

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+tcp_ports: [ 80 ]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
@ -25,3 +27,7 @@ fedmsg_certs:
 - service: kerneltest
  owner: root
  group: apache
+  can_send:
+  - kerneltest.release.edit
+  - kerneltest.release.new
+  - kerneltest.upload.new
--- a/inventory/group_vars/kerneltest-stg
+++ b/inventory/group_vars/kerneltest-stg
@ -4,13 +4,15 @@ lvm_size: 20000
 mem_size: 1024
 num_cpus: 1

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# Definining these vars has a number of effects
+# 1) mod_wsgi is configured to use the vars for its own setup
+# 2) iptables opens enough ports for all threads for fedmsg
+# 3) roles/fedmsg/base/ declares enough fedmsg endpoints for all threads
+wsgi_fedmsg_service: kerneltest
+wsgi_procs: 2
+wsgi_threads: 1

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+tcp_ports: [ 80 ]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
@ -25,3 +27,7 @@ fedmsg_certs:
 - service: kerneltest
  owner: root
  group: apache
+  can_send:
+  - kerneltest.release.edit
+  - kerneltest.release.new
+  - kerneltest.upload.new
--- a/inventory/group_vars/koji
+++ b/inventory/group_vars/koji
@ -26,8 +26,17 @@ fedmsg_certs:
 - service: koji
  owner: root
  group: apache
+  can_send:
+  - buildsys.build.state.change
+  - buildsys.package.list.change
+  - buildsys.repo.done
+  - buildsys.repo.init
+  - buildsys.rpm.sign
+  - buildsys.tag
+  - buildsys.task.state.change
+  - buildsys.untag

-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"

 virt_install_command: virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
@ -38,3 +47,5 @@ virt_install_command: virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
                  ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none"
                 --network=bridge=br0,model=virtio --network=bridge=br1,model=virtio
                 --autostart --noautoconsole
+
+sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
--- a/inventory/group_vars/koji-not-yet-ansibilized
+++ b/inventory/group_vars/koji-not-yet-ansibilized
@ -0,0 +1,17 @@
+# See the comment with the explanation of this group in ``inventory/inventory``
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: koji
+  owner: root
+  group: apache
+  can_send:
+  - buildsys.build.state.change
+  - buildsys.package.list.change
+  - buildsys.repo.done
+  - buildsys.repo.init
+  - buildsys.rpm.sign
+  - buildsys.tag
+  - buildsys.task.state.change
+  - buildsys.untag
--- a/inventory/group_vars/koji-stg
+++ b/inventory/group_vars/koji-stg
@ -1,7 +1,7 @@
 ---
 # Define resources for this group of hosts here. 
 lvm_size: 30000
-mem_size: 2048
+mem_size: 4096
 num_cpus: 2

 # for systems that do not match the above - specify the same parameter in
@ -22,5 +22,20 @@ fedmsg_certs:
 - service: koji
  owner: root
  group: apache
+  can_send:
+  - buildsys.build.state.change
+  - buildsys.package.list.change
+  - buildsys.repo.done
+  - buildsys.repo.init
+  - buildsys.rpm.sign
+  - buildsys.tag
+  - buildsys.task.state.change
+  - buildsys.untag

-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid"
+# NOTE -- staging mounts read-only
+nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid"
+sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
+
+koji_server_url: "http://koji.stg.fedoraproject.org/kojihub"
+koji_weburl: "http://koji.stg.fedoraproject.org/koji"
+koji_topurl: "http://kojipkgs.fedoraproject.org/"
--- a/inventory/group_vars/kojipkgs
+++ b/inventory/group_vars/kojipkgs
@ -29,6 +29,7 @@ csi_relationship: |

    - Things that rely on this host:
      - all koji builders/buildsystem
+      - koschei
      - external users downloading packages from koji. 

 # Need a eth0/eth1 install here. 
--- a/inventory/group_vars/koschei
+++ b/inventory/group_vars/koschei
@ -0,0 +1,56 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 4096
+num_cpus: 4
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+koschei_topurl: https://apps.fedoraproject.org/koschei
+koschei_pgsql_hostname: db01.phx2.fedoraproject.org
+koschei_koji_hub: koji02.phx2.fedoraproject.org
+koschei_kojipkgs: kojipkgs.fedoraproject.org
+koschei_koji_web: koji.fedoraproject.org
+koschei_koji_tag: f24
+koschei_openid_provider: id.fedoraproject.org
+koschei_bugzilla: bugzilla.redhat.com
+
+
+tcp_ports: [ 80, 443,
+    # These 4 are for fedmsg.  See also /etc/fedmsg.d/endpoints.py
+    3000, 3001, 3002, 3003,
+]
+
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+ ]
+
+fas_client_groups: sysadmin-koschei,fi-apprentice
+
+freezes: false
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: koschei
+  owner: root
+  group: koschei
+  can_send:
+  - koschei.package.state.change
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Koschei continuous integration system
+csi_relationship: |
+    This machine depends on:
+    - PostgreSQL DB server
+    - Koji hub and kojipkgs
+    - fedmsg hub
+    - pkgdb2
+    - bastion (for mail relay)
--- a/inventory/group_vars/koschei-stg
+++ b/inventory/group_vars/koschei-stg
@ -0,0 +1,56 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 2048
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+koschei_topurl: https://apps.stg.fedoraproject.org/koschei
+koschei_pgsql_hostname: db01.stg.phx2.fedoraproject.org
+koschei_koji_hub: koji01.stg.phx2.fedoraproject.org
+koschei_kojipkgs: koji01.stg.phx2.fedoraproject.org
+koschei_koji_web: koji.stg.fedoraproject.org
+koschei_koji_tag: f23
+koschei_openid_provider: id.stg.fedoraproject.org
+koschei_bugzilla: partner-bugzilla.redhat.com
+
+
+tcp_ports: [ 80, 443,
+    # These 4 are for fedmsg.  See also /etc/fedmsg.d/endpoints.py
+    3000, 3001, 3002, 3003
+]
+
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+ ]
+
+fas_client_groups: sysadmin-koschei,fi-apprentice
+
+freezes: false
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: koschei
+  owner: root
+  group: koschei
+  can_send:
+  - koschei.package.state.change
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Koschei continuous integration system
+csi_relationship: |
+    This machine depends on:
+    - PostgreSQL DB server
+    - Koji hub and kojipkgs
+    - fedmsg hub
+    - pkgdb2
+    - bastion (for mail relay)
--- a/inventory/group_vars/lockbox
+++ b/inventory/group_vars/lockbox
@ -7,3 +7,21 @@ num_cpus: 2
 tcp_ports: [ 443 ]

 fas_client_groups: sysadmin-noc,sysadmin-qa,fi-apprentice
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+# We don't really use the announce cert.. but it was supposed to be a way for
+# the FPL and other powers that be to broadcast announcements, like the FCC's
+# emergency broadcast system.  The cert are group are here.. but no tools on the
+# client side are configured to do anything with this yet.
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+  can_send:
+  - ansible.playbook.complete
+  - ansible.playbook.start
+- service: announce
+  owner: root
+  group: fedmsg-announce
+  can_send:
+  - announce.announcement
--- a/inventory/group_vars/mailman
+++ b/inventory/group_vars/mailman
@ -18,6 +18,8 @@ fedmsg_certs:
 - service: mailman
  owner: mailman
  group: mailman
+  can_send:
+  - mailman.receive

 # Postfix main.cf
 postfix_group: mailman
--- a/inventory/group_vars/mailman-stg
+++ b/inventory/group_vars/mailman-stg
@ -17,6 +17,8 @@ fedmsg_certs:
 - service: mailman
  owner: mailman
  group: mailman
+  can_send:
+  - mailman.receive

 # default virt install command is for a single nic-device
 # define in another group file for more nics (see buildvm)
--- a/inventory/group_vars/memcached-stg
+++ b/inventory/group_vars/memcached-stg
@ -0,0 +1,12 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 10000
+mem_size: 1536
+num_cpus: 1
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 11211 ]
+
+fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web
--- a/inventory/group_vars/mirrorlist2
+++ b/inventory/group_vars/mirrorlist2
@ -5,7 +5,19 @@ num_cpus: 4
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT' ]
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', 
+                '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 67.219.144.68/32 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 5.175.150.50/32 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 152.19.134.142/32 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 140.211.169.196/32 --dport 443 -j ACCEPT', ]
+
+custom6_rules: [ '-A INPUT -p tcp -m tcp -s 2610:28:3090:3001:dead:beef:cafe:fed3 --dport 443 -j ACCEPT',
+                 '-A INPUT -p tcp -m tcp -s 2604:1580:fe00:0:5054:ff:feae:702c --dport 443 -j ACCEPT',
+                 '-A INPUT -p tcp -m tcp -s 2a00:d1a0:1::131 --dport 443 -j ACCEPT', ]
+
 collectd_apache: true
 fas_client_groups: sysadmin-noc,fi-apprentice
 nrpe_procs_warn: 500
--- a/inventory/group_vars/mirrorlist2-stg
+++ b/inventory/group_vars/mirrorlist2-stg
@ -5,7 +5,10 @@ num_cpus: 4
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT' ]
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', 
+                '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 443 -j ACCEPT' ]
+
 collectd_apache: true
 fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web
 nrpe_procs_warn: 500
--- a/inventory/group_vars/mm
+++ b/inventory/group_vars/mm
@ -0,0 +1,4 @@
+---
+# Define resources for this group of hosts here. 
+fas_client_groups: sysadmin-noc,sysadmin-web
+sudoers: "{{ private }}/files/sudo/mm2-sudoers"
--- a/inventory/group_vars/mm-backend
+++ b/inventory/group_vars/mm-backend
@ -0,0 +1,21 @@
+---
+mem_size: 6144
+
+fedmsg_certs:
+- service: shell
+  alias: mirrormanager
+  owner: mirrormanager
+  group: sysadmin
+  can_send:
+  - mirrormanager.netblocks.get
+
+# For the MOTD
+csi_security_category: Medium
+csi_primary_contact: Fedora admin - admin@fedoraproject.org
+csi_purpose: Run mirrormanager backend cron tasks
+csi_relationship: |
+    TODO - we should document:
+
+    * what kinds of processes run here
+    * what other services they depend on
+    * what other services depend on it
--- a/inventory/group_vars/mm-backend-stg
+++ b/inventory/group_vars/mm-backend-stg
@ -0,0 +1,19 @@
+---
+
+fedmsg_certs:
+- service: shell
+  owner: mirrormanager
+  group: sysadmin
+  can_send:
+  - mirrormanager.netblocks.get
+
+# For the MOTD
+csi_security_category: Medium
+csi_primary_contact: Fedora admin - admin@fedoraproject.org
+csi_purpose: Run mirrormanager backend cron tasks
+csi_relationship: |
+    TODO - we should document:
+
+    * what kinds of processes run here
+    * what other services they depend on
+    * what other services depend on it
--- a/inventory/group_vars/mm-crawler
+++ b/inventory/group_vars/mm-crawler
@ -0,0 +1,23 @@
+---
+
+fedmsg_certs:
+- service: shell
+  owner: mirrormanager
+  group: sysadmin
+  can_send:
+  - mirrormanager.crawler.complete
+  - mirrormanager.crawler.start
+
+# For the MOTD
+csi_security_category: Medium
+csi_primary_contact: Fedora admin - admin@fedoraproject.org
+csi_purpose: Run mirrormanager crawlers
+csi_relationship: |
+    TODO - we should document:
+
+    * what kinds of processes run here
+    * what other services they depend on
+    * what other services depend on it
+
+rsyncd_conf: "rsyncd.conf.crawler"
+tcp_ports: [ 873 ]
--- a/inventory/group_vars/mm-crawler-stg
+++ b/inventory/group_vars/mm-crawler-stg
@ -0,0 +1,20 @@
+---
+
+fedmsg_certs:
+- service: shell
+  owner: mirrormanager
+  group: sysadmin
+  can_send:
+  - mirrormanager.crawler.complete
+  - mirrormanager.crawler.start
+
+# For the MOTD
+csi_security_category: Medium
+csi_primary_contact: Fedora admin - admin@fedoraproject.org
+csi_purpose: Run mirrormanager crawlers
+csi_relationship: |
+    TODO - we should document:
+
+    * what kinds of processes run here
+    * what other services they depend on
+    * what other services depend on it
--- a/inventory/group_vars/mm-frontend
+++ b/inventory/group_vars/mm-frontend
@ -0,0 +1,28 @@
+---
+mem_size: 4096
+
+tcp_ports: [ 80,
+    # These 2 ports are used by fedmsg.
+    # One for each wsgi thread.
+    3000, 3001,
+    ]
+
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: mirrormanager2
+  owner: root
+  group: apache
+ 
+
+# For the MOTD
+csi_security_category: Medium
+csi_primary_contact: Fedora admin - admin@fedoraproject.org
+csi_purpose: Run mirrormanager frontend WSGI app
+csi_relationship: |
+    TODO - we should document:
+
+    * what kinds of processes run here
+    * what other services they depend on
+    * what other services depend on it
--- a/inventory/group_vars/mm-frontend-stg
+++ b/inventory/group_vars/mm-frontend-stg
@ -0,0 +1,27 @@
+---
+
+tcp_ports: [ 80,
+    # These 2 ports are used by fedmsg.
+    # One for each wsgi thread.
+    3000, 3001,
+    ]
+
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: mirrormanager2
+  owner: root
+  group: apache
+ 
+
+# For the MOTD
+csi_security_category: Medium
+csi_primary_contact: Fedora admin - admin@fedoraproject.org
+csi_purpose: Run mirrormanager frontend WSGI app
+csi_relationship: |
+    TODO - we should document:
+
+    * what kinds of processes run here
+    * what other services they depend on
+    * what other services depend on it
--- a/inventory/group_vars/notifs-backend
+++ b/inventory/group_vars/notifs-backend
@ -23,3 +23,8 @@ fedmsg_certs:
 - service: fmn
  owner: root
  group: fedmsg
+  can_send:
+  - fmn.filter.update
+  - fmn.preference.update
+  - fmn.rule.update
+  - fmn.confirmation.update
--- a/inventory/group_vars/notifs-backend-stg
+++ b/inventory/group_vars/notifs-backend-stg
@ -19,3 +19,8 @@ fedmsg_certs:
 - service: fmn
  owner: root
  group: fedmsg
+  can_send:
+  - fmn.filter.update
+  - fmn.preference.update
+  - fmn.rule.update
+  - fmn.confirmation.update
--- a/inventory/group_vars/notifs-web
+++ b/inventory/group_vars/notifs-web
@ -7,10 +7,11 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+wsgi_fedmsg_service: fmn
+wsgi_procs: 2
+wsgi_threads: 2
+
+tcp_ports: [ 80 ]

 fas_client_groups: sysadmin-noc,sysadmin-datanommer

@ -22,3 +23,8 @@ fedmsg_certs:
 - service: fmn
  owner: root
  group: apache
+  can_send:
+  - fmn.filter.update
+  - fmn.preference.update
+  - fmn.rule.update
+  - fmn.confirmation.update
--- a/inventory/group_vars/notifs-web-stg
+++ b/inventory/group_vars/notifs-web-stg
@ -7,10 +7,11 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+wsgi_fedmsg_service: fmn
+wsgi_procs: 2
+wsgi_threads: 2
+
+tcp_ports: [ 80 ]

 fas_client_groups: sysadmin-noc,sysadmin-datanommer

@ -22,3 +23,8 @@ fedmsg_certs:
 - service: fmn
  owner: root
  group: apache
+  can_send:
+  - fmn.filter.update
+  - fmn.preference.update
+  - fmn.rule.update
+  - fmn.confirmation.update
--- a/inventory/group_vars/nuancier
+++ b/inventory/group_vars/nuancier
@ -4,15 +4,18 @@ lvm_size: 20000
 mem_size: 2048
 num_cpus: 2

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# Definining these vars has a number of effects
+# 1) mod_wsgi is configured to use the vars for its own setup
+# 2) iptables opens enough ports for all threads for fedmsg
+# 3) roles/fedmsg/base/ declares enough fedmsg endpoints for all threads
+wsgi_fedmsg_service: nuancier
+wsgi_procs: 2
+wsgi_threads: 2

-tcp_ports: [ 80, 443,
+tcp_ports: [ 80,
    # This port is required by gluster
    6996,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+    ]

 fas_client_groups: sysadmin-noc,sysadmin-web

@ -26,3 +29,9 @@ fedmsg_certs:
 - service: nuancier
  owner: root
  group: apache
+  can_send:
+  - nuancier.candidate.approved
+  - nuancier.candidate.denied
+  - nuancier.candidate.new
+  - nuancier.election.new
+  - nuancier.election.update
--- a/inventory/group_vars/nuancier-stg
+++ b/inventory/group_vars/nuancier-stg
@ -4,15 +4,18 @@ lvm_size: 20000
 mem_size: 1024
 num_cpus: 2

-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
+# Definining these vars has a number of effects
+# 1) mod_wsgi is configured to use the vars for its own setup
+# 2) iptables opens enough ports for all threads for fedmsg
+# 3) roles/fedmsg/base/ declares enough fedmsg endpoints for all threads
+wsgi_fedmsg_service: nuancier
+wsgi_procs: 2
+wsgi_threads: 2

-tcp_ports: [ 80, 443,
+tcp_ports: [ 80,
    # This port is required by gluster
    6996,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+    ]

 fas_client_groups: sysadmin-noc,sysadmin-web

@ -26,3 +29,9 @@ fedmsg_certs:
 - service: nuancier
  owner: root
  group: apache
+  can_send:
+  - nuancier.candidate.approved
+  - nuancier.candidate.denied
+  - nuancier.candidate.new
+  - nuancier.election.new
+  - nuancier.election.update
--- a/inventory/group_vars/openstack-compute
+++ b/inventory/group_vars/openstack-compute
@ -1,2 +1,4 @@
 ---
 host_group: openstack-compute
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
--- a/inventory/group_vars/osbs-stg
+++ b/inventory/group_vars/osbs-stg
@ -0,0 +1,10 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 60000
+mem_size: 8192
+num_cpus: 2
+
+tcp_ports: [ 80, 443 ]
+
+fas_client_groups: sysadmin-releng,fi-apprentice
+sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
--- a/inventory/group_vars/pagure
+++ b/inventory/group_vars/pagure
@ -1,28 +1,71 @@
 ---
 # Define resources for this group of hosts here.
 lvm_size: 20000
-mem_size: 2048
-num_cpus: 2
+mem_size: 8192
+num_cpus: 6

 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 22, 80, 443, 9418,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015 ]
+tcp_ports: [ 22, 25, 80, 443, 9418,
+    # Used for the eventsource
+    8088,
+    # This is for the pagure public fedmsg relay
+    9940]
+
+stunnel_service: "eventsource"
+stunnel_source_port: 8088
+stunnel_destination_port: 8080
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: pagure
+  owner: git
+  group: apache
+  can_send:
+  - pagure.issue.assigned.added
+  - pagure.issue.assigned.reset
+  - pagure.issue.comment.added
+  - pagure.issue.dependency.added
+  - pagure.issue.dependency.removed
+  - pagure.issue.edit
+  - pagure.issue.new
+  - pagure.issue.tag.added
+  - pagure.issue.tag.removed
+  - pagure.project.edit
+  - pagure.project.forked
+  - pagure.project.new
+  - pagure.project.tag.edited
+  - pagure.project.tag.removed
+  - pagure.project.user.added
+  - pagure.pull-request.closed
+  - pagure.pull-request.comment.added
+  - pagure.pull-request.flag.added
+  - pagure.pull-request.flag.updated
+  - pagure.pull-request.new
+
+
+fedmsg_prefix: io.pagure
+fedmsg_env: prod

 fas_client_groups: sysadmin-noc,sysadmin-web

-freezes: false
+freezes: true
 postfix_group: vpn.pagure

+host_backup_targets: ['/srv/git', '/var/www/releases']
+dbs_to_backup: ['pagure']
+
 # Configuration for the git-daemon/server
 git_group: git
 git_port: 9418
 git_server: /usr/libexec/git-core/git-daemon
 git_server_args: --export-all --syslog --inetd --verbose
 git_basepath: /srv/git/repositories
+git_daemon_user: git

 # For the MOTD
 csi_security_category: Low
--- a/inventory/group_vars/pagure-stg
+++ b/inventory/group_vars/pagure-stg
@ -7,16 +7,54 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 22, 80, 443, 9418,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015 ]
+tcp_ports: [ 22, 25, 80, 443, 9418,
+    # Used for the eventsource server
+    8088,
+    # This is for the pagure public fedmsg relay
+    9940]
+
+stunnel_service: "eventsource"
+stunnel_source_port: 8088
+stunnel_destination_port: 8080
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: pagure
+  owner: git
+  group: apache
+  can_send:
+  - pagure.issue.assigned.added
+  - pagure.issue.assigned.reset
+  - pagure.issue.comment.added
+  - pagure.issue.dependency.added
+  - pagure.issue.dependency.removed
+  - pagure.issue.edit
+  - pagure.issue.new
+  - pagure.issue.tag.added
+  - pagure.issue.tag.removed
+  - pagure.project.edit
+  - pagure.project.forked
+  - pagure.project.new
+  - pagure.project.tag.edited
+  - pagure.project.tag.removed
+  - pagure.project.user.added
+  - pagure.pull-request.closed
+  - pagure.pull-request.comment.added
+  - pagure.pull-request.flag.added
+  - pagure.pull-request.flag.updated
+  - pagure.pull-request.new
+
+fedmsg_prefix: io.pagure
+fedmsg_env: stg

 fas_client_groups: sysadmin-noc,sysadmin-web

 freezes: false
 env: pagure-staging
-postfix_group: vpn.pagure
+postfix_group: vpn.pagure-stg

 # Configuration for the git-daemon/server
 git_group: git
@ -24,6 +62,7 @@ git_port: 9418
 git_server: /usr/libexec/git-core/git-daemon
 git_server_args: --export-all --syslog --inetd --verbose
 git_basepath: /srv/git/repositories
+git_daemon_user: git

 # For the MOTD
 csi_security_category: Low
--- a/inventory/group_vars/people
+++ b/inventory/group_vars/people
@ -0,0 +1,40 @@
+---
+clamscan_mailto: admin@fedoraproject.org
+clamscan_paths:
+- /srv/
+
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+git_port: 9418
+git_server: /usr/libexec/git-core/git-daemon
+git_server_args: --export-all --syslog --inetd --verbose
+git_basepath: /
+git_daemon_user: nobody
+
+fas_client_groups: "@all"
+
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: planet
+  owner: root
+  group: planet-user
+  can_send:
+  - planet.post.new
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - adminfedoraproject.org
+csi_purpose: Provide hosting space for Fedora contributors and Fedora Planet
+
+csi_relationship: |
+ - shell accounts and web space for fedora contributors
+ - web space for personal yum repos
+ - shared space for small group/personal git repos
+
+  Please be aware that this is a shared server, and you should not upload
+  Private/Secret SSH or GPG keys onto this system. Any such keys found
+  will be deleted.
+
--- a/inventory/group_vars/pkgdb
+++ b/inventory/group_vars/pkgdb
@ -7,10 +7,11 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+wsgi_fedmsg_service: pkgdb2
+wsgi_procs: 3
+wsgi_threads: 2
+
+tcp_ports: [ 80 ]

 fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-releng,sysadmin-cvs

@ -22,3 +23,24 @@ fedmsg_certs:
 - service: pkgdb
  owner: root
  group: apache
+  alias: pkgdb2
+  can_send:
+  - pkgdb.acl.delete
+  - pkgdb.acl.update
+  - pkgdb.admin.action.status.update
+  - pkgdb.branch.complete
+  - pkgdb.branch.start
+  - pkgdb.collection.new
+  - pkgdb.collection.update
+  - pkgdb.owner.update
+  - pkgdb.package.branch.delete
+  - pkgdb.package.branch.new
+  - pkgdb.package.branch.request
+  - pkgdb.package.critpath.update
+  - pkgdb.package.delete
+  - pkgdb.package.monitor.update
+  - pkgdb.package.new
+  - pkgdb.package.new.request
+  - pkgdb.package.unretire.request
+  - pkgdb.package.update
+  - pkgdb.package.update.status
--- a/inventory/group_vars/pkgdb-stg
+++ b/inventory/group_vars/pkgdb-stg
@ -7,10 +7,11 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
-    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+wsgi_fedmsg_service: pkgdb2
+wsgi_procs: 2
+wsgi_threads: 2
+
+tcp_ports: [ 80 ]

 fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-releng,sysadmin-cvs

@ -22,3 +23,24 @@ fedmsg_certs:
 - service: pkgdb
  owner: root
  group: apache
+  alias: pkgdb2
+  can_send:
+  - pkgdb.acl.delete
+  - pkgdb.acl.update
+  - pkgdb.admin.action.status.update
+  - pkgdb.branch.complete
+  - pkgdb.branch.start
+  - pkgdb.collection.new
+  - pkgdb.collection.update
+  - pkgdb.owner.update
+  - pkgdb.package.branch.delete
+  - pkgdb.package.branch.new
+  - pkgdb.package.branch.request
+  - pkgdb.package.critpath.update
+  - pkgdb.package.delete
+  - pkgdb.package.monitor.update
+  - pkgdb.package.new
+  - pkgdb.package.new.request
+  - pkgdb.package.unretire.request
+  - pkgdb.package.update
+  - pkgdb.package.update.status
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@ -19,6 +19,7 @@ git_port: 9418
 git_server: /usr/libexec/git-core/git-daemon
 git_server_args: --export-all --syslog --inetd --verbose
 git_basepath: /srv/git/rpms
+git_daemon_user: nobody

 clamscan_mailto: admin@fedoraproject.org
 clamscan_paths:
@ -41,9 +42,19 @@ fedmsg_certs:
 - service: shell
  owner: root
  group: sysadmin
+  can_send:
+  - git.branch
+  - git.mass_branch.complete
+  - git.mass_branch.start
+  - git.pkgdb2branch.complete
+  - git.pkgdb2branch.start
 - service: scm
  owner: root
  group: packager
+  can_send:
+  - git.receive
 - service: lookaside
  owner: root
  group: apache
+  can_send:
+  - git.lookaside.new
--- a/inventory/group_vars/pkgs-stg
+++ b/inventory/group_vars/pkgs-stg
@ -19,6 +19,7 @@ git_port: 9418
 git_server: /usr/libexec/git-core/git-daemon
 git_server_args: --export-all --syslog --inetd --verbose
 git_basepath: /srv/git/rpms
+git_daemon_user: nodoby

 clamscan_mailto: admin@fedoraproject.org
 clamscan_paths:
@ -44,6 +45,15 @@ fedmsg_certs:
 - service: scm
  owner: root
  group: packager
+  can_send:
+  - git.branch
+  - git.mass_branch.complete
+  - git.mass_branch.start
+  - git.pkgdb2branch.complete
+  - git.pkgdb2branch.start
+  - git.receive
 - service: lookaside
  owner: root
  group: apache
+  can_send:
+  - git.lookaside.new
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@ -42,20 +42,24 @@ custom_rules: [
    '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',

-    # Allow koschei.cloud to talk to the inbound fedmsg relay.
-    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
    # Allow jenkins.cloud to talk to the inbound fedmsg relay.
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.153 -j ACCEPT',
    # Allow copr-be.cloud to talk to the inbound fedmsg relay.
-    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.48 -j ACCEPT',
    # Also, ppc-composer.qa.fedoraproject.org (secondary arch)
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.33 -j ACCEPT',
    # Also, ppc-hub.qa.fedoraproject.org (secondary arch koji)
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.21 -j ACCEPT',
-    # Also, s390-hub01.qa.fedoraproject.org (secondary arch)
-    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.18 -j ACCEPT',
    # Also, arm-hub01.qa.fedoraproject.org (secondary arch)
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.31 -j ACCEPT',
+
+    # Allow retrace/faf to talk to the inbound fedmsg relay.
+    # retrace01.qa.fedoraproject.org
+    '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.124.171 -j ACCEPT',
+    # retrace02.qa.fedoraproject.org
+    '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.124.172 -j ACCEPT',
+    # Also, s390-hub01.qa.fedoraproject.org (secondary arch)
+    '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.124.191 -j ACCEPT',
 ]

 fas_client_groups: sysadmin-noc,fi-apprentice
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@ -41,8 +41,6 @@ custom_rules: [
    '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',

-    # Allow koschei.cloud to talk to the inbound fedmsg relay.
-    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
    # Allow jenkins.cloud to talk to the inbound fedmsg relay.
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.153 -j ACCEPT',
    # Allow copr-be.cloud to talk to the inbound fedmsg relay.
@ -57,7 +55,16 @@ custom_rules: [
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.31 -j ACCEPT',

    # Allow stg.fedoramagazine.org running at vultr.com to talk inbound fedmsg
+    # Contact cydrobolt about the status of this.  It hasn't hit prod status
+    # yet as of 2015-04-27 (threebean).
    '-A INPUT -p tcp -m tcp --dport 9941 -s 104.207.133.220 -j ACCEPT',
+
+    # Allow retrace/faf to talk to the inbound fedmsg relay.
+    # retrace01.qa.fedoraproject.org
+    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.28 -j ACCEPT',
+    # retrace02.qa.fedoraproject.org
+    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.34 -j ACCEPT',
+
 ]

 fas_client_groups: sysadmin-noc,fi-apprentice
--- a/inventory/group_vars/qadevel-stg
+++ b/inventory/group_vars/qadevel-stg
@ -7,7 +7,7 @@ num_cpus: 1
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-fas_client_groups: sysadmin-qa
+fas_client_groups: sysadmin-qa,sysadmin-main,fi-apprentice

 # default virt install command is for a single nic-device
 # define in another group file for more nics (see buildvm)
@ -19,30 +19,44 @@ virt_install_command: /usr/bin/virt-install -n {{ inventory_hostname }} -r {{ me
                  ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none" 
                 --network=bridge=br0,model=virtio --autostart --noautoconsole

-sshd_config: ssh/sshd_config.qadevel
-external_hostname: qadevel-stg.qa.fedoraproject.org
+sshd_config: ssh/sshd_config.qa-stg
+sshd_port: 222
+external_hostname: qadevel-stg.cloud.fedoraproject.org

-mariadb_host: db-qa01.qa.fedoraproject.org
-mariadb_user: '{{ qadevel_stg_mariadb_user }}'
-mariadb_password: '{{ qadevel_stg_mariadb_password }}'
-phabricator_db_prefix: 'phabricatorstg'
-enable_phabricator_git: False
+sslcertfile: qa-stg.qa.fedoraproject.org.cert
+sslkeyfile: qa-stg.qa.fedoraproject.org.key
+sslintermediatecertfile: ''
+
+mariadb_host: localhost
+mariadb_config: my.cnf.phabricator
+mariadb_user: '{{ qa_stg_mariadb_user }}'
+mariadb_password: '{{ qa_stg_mariadb_password }}'
+
+# phabricator config
+phabricator_db_prefix: 'phabricator'
+enable_phabricator_git: True
 phabricator_vcs_user: git
+phabricator_vcs_user_password: '{{ qa_stg_vcs_user_password }}'
 phabricator_daemon_user: phabdaemon
 phabroot: /usr/share/
 phabricator_filedir: /var/lib/phabricator/files
 phabricator_repodir: /var/lib/phabricator/repos
-phabricator_config_filename: qadevelconfig
+phabricator_config_filename: qaconfig
 phabricator_header_color: 'fluttershy'
 phabricator_mail_enabled: False
+phabricator_mail_domain: stg.fedoraproject.org
 ircnick: fedoraqabot
+phabricator_mysqldump_filename: 'qadevel-stg_phabricator.sql'
+
+# backup details (for parity with prod, not actually used)
 backup_dir: /srv/backup
 backup_username: root
 backup_ssh_pubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAJr3xqn/hHIXeth+NuXPu9P91FG9jozF3Q1JaGmg6szo770rrmhiSsxso/Ibm2mObqQLCyfm/qSOQRynv6tL3tQVHA6EEx0PNacnBcOV7UowR5kd4AYv82K1vQhof3YTxOMmNIOrdy6deDqIf4sLz1TDHvEDwjrxtFf8ugyZWNbTAAAAFQCS5puRZF4gpNbaWxe6gLzm3rBeewAAAIBcEd6pRatE2Qc/dW0YwwudTEaOCUnHmtYs2PHKbOPds0+Woe1aWH38NiE+CmklcUpyRsGEf3O0l5vm3VrVlnfuHpgt/a/pbzxm0U6DGm2AebtqEmaCX3CIuYzKhG5wmXqJ/z+Hc5MDj2mn2TchHqsk1O8VZM+1Ml6zX3Hl4vvBsQAAAIALDt5NFv6GLuid8eik/nn8NORd9FJPDBJxgVqHNIm08RMC6aI++fqwkBhVPFKBra5utrMKQmnKs/sOWycLYTqqcSMPdWSkdWYjBCSJ/QNpyN4laCmPWLgb3I+2zORgR0EjeV2e/46geS0MWLmeEsFwztpSj4Tv4e18L8Dsp2uB2Q==  root@backup03-rdiff-backup

+# buildmaster details
 buildmaster_db_host: localhost
 buildmaster_template: ci.master.cfg.j2
-buildmaster_endpoint: taskmaster
+buildmaster_endpoint: builds
 buildslave_ssh_pubkey: ''
 buildslave_port: 9989
 buildmaster_dir: /home/buildmaster/master
@ -50,7 +64,24 @@ buildslave_dir: /home/buildslave/slave
 buildslave_poll_interval: 1800
 master_dir: /home/buildmaster/master
 master_user: buildmaster
-deployment_type: qadevel-stg
-tcp_ports: [ 80, 222, 443, "{{ buildslave_port }}", 222 ]
+
+# build details
+repo_base: 'https://git.qadevel-stg.cloud.fedoraproject.org/diffusion'
+docs_build_dir: /var/www/docs/
+
+# for now, we're just doing a local slave so we need the slave vars in here
+slave_home: /home/buildslave/
+slave_dir: /home/buildslave/slave
+slave_user: buildslave
+buildslave_name: 'qa-stg01'
+
+deployment_type: qa-stg
+tcp_ports: [ 80, 222, 443, "{{ buildslave_port }}", 3306 ]
+
+# static sites
+static_sites:
+  - name: docs.{{ external_hostname }}
+    document_root: /var/www/docs
+sslonly: false

 freezes: false
--- a/Show more
+++ b/Show more