Merge branch 'master' of /git/ansible

Stephen Smoogen 2016-03-21 18:40:47 +00:00
commit 948c542da5
17 changed files with 61 additions and 99 deletions


@ -1,75 +1,5 @@
<VirtualHost *:443>
# Change this to the domain which points to your host.
ServerName {{ item.name }}
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/{{ item.name }}_error_log
TransferLog logs/{{ item.name }}_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/{{ sslcertfile }}
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/{{ sslkeyfile }}
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
{% if sslintermediatecertfile != '' %}
SSLCertificateChainFile /etc/pki/tls/certs/{{ sslintermediatecertfile }}
{% endif %}
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
DocumentRoot {{ item.document_root }}
Options Indexes FollowSymLinks
</VirtualHost>
<VirtualHost *:80>
# Change this to the domain which points to your host.
ServerName {{ item.name }}
{% if sslonly %}
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
{% else %}
Options Indexes FollowSymLinks
{% endif %}
Options Indexes FollowSymLinks
</VirtualHost>


@ -15,6 +15,8 @@ virt_install_command: "{{ virt_install_command_two_nic }}"
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
host_group: releng
# These are consumed by a task in roles/fedmsg/base/main.yml


@ -3,6 +3,8 @@ virt_install_command: "{{ virt_install_command_one_nic }} --cpu=host-passthrough
external_hostname: openqa.fedoraproject.org
openqa_static_uid: 601
openqa_hostname: localhost
openqa_email: adamwill@fedoraproject.org
openqa_nickname: adamwill
@ -13,6 +15,7 @@ openqa_dbname: openqa
openqa_dbhost: db-qa01.qa.fedoraproject.org
openqa_dbuser: openqa
openqa_dbpassword: "{{ prod_openqa_dbpassword }}"
openqa_assetsize: 300
openqa_key: "{{ prod_openqa_apikey }}"
openqa_secret: "{{ prod_openqa_apisecret }}"
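Review bot: `openqa_static_uid: 601` is a literal repeated in this host's vars and again in the staging host vars hunk (`openqa.stg.fedoraproject.org`), while the role's own comment says the geekotest uid/gid must stay identical across servers that share NFS-mounted openQA data. Two independent copies can drift on a later edit; defining the value once in a shared group_vars file and referencing it from both hosts keeps them locked together. `openqa_assetsize: 300` is interpolated into a SQL statement by the role, so it should remain a plain integer in inventory rather than a quoted string.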


@ -14,6 +14,8 @@ virt_install_command: "{{ virt_install_command_one_nic }} --cpu=host-passthrough
external_hostname: openqa.stg.fedoraproject.org
openqa_static_uid: 601
openqa_hostname: localhost
openqa_email: adamwill@fedoraproject.org
openqa_nickname: adamwill
@ -24,6 +26,7 @@ openqa_dbname: openqa-stg
openqa_dbhost: db-qa01.qa.fedoraproject.org
openqa_dbuser: openqastg
openqa_dbpassword: "{{ stg_openqa_dbpassword }}"
openqa_assetsize: 300
openqa_workers: 3


@ -18,7 +18,7 @@ git_group: packager
git_port: 9418
git_server: /usr/libexec/git-core/git-daemon
git_server_args: --export-all --syslog --inetd --verbose
git_basepath: /srv/git/repositories/rpms
git_basepath: /srv/git/repositories
git_daemon_user: nobody
clamscan_mailto: admin@fedoraproject.org
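Review bot: `git_basepath` changes between `/srv/git/repositories/rpms` and `/srv/git/repositories` while `git_server_args` keeps `--export-all`, and with that flag git-daemon serves every repository below the base path regardless of `git-daemon-export-ok` markers; the rendered page has lost which of the two lines is new, but in either direction the set of anonymously readable repositories changes with the path. If only some subtrees are meant to be public, drop `--export-all` and mark the intended repositories exportable, or pass the allowed directories as explicit arguments to git-daemon, and record the decision in a comment above `git_server_args`.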


@ -37,6 +37,7 @@
when: datacenter == 'staging'
- releng
- fedmsg/base
- sudo
tasks:
- include: "{{ tasks }}/yumrepos.yml"
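Review bot: The `- sudo` role is added to the releng play alongside the new `sudoers` host var pointing at `00releng-sudoers`, but nothing visible shows the file being validated before it is installed; a sudoers file with a syntax error disables sudo on the host. If the role's copy task does not already do so, give it `validate: 'visudo -cf %s'` so a malformed file is rejected before it replaces the live one. The play's role list starts outside this hunk.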


@ -99,13 +99,13 @@
- name: create dirs for static sites
file: path={{ item.document_root }} state=directory owner=apache group=apache mode=1755
with_items: static_sites
with_items: "{{ static_sites }}"
tags:
- qastaticsites
- name: generate virtualhosts for static sites
template: src={{ files }}/httpd/newvirtualhost.conf.j2 dest=/etc/httpd/conf.d/{{ item.name }}.conf owner=root group=root mode=0644
with_items: static_sites
with_items: "{{ static_sites }}"
notify:
- reload httpd
tags:


@ -328,10 +328,8 @@ children:
source_url: https://github.com/fedora-infra/nuancier
bugs_url: https://github.com/fedora-infra/nuancier/issues
docs_url: http://nuancier.readthedocs.org/en/latest/
# TODO - write a SOP for nuancier
# https://fedorahosted.org/fedora-infrastructure/ticket/5155
#sops:
# - url goes here
sops:
- https://infrastructure.fedoraproject.org/infra/docs/nuancier.rst
description: >
Nuancier is a simple voting application for the
supplementary wallpapers included in Fedora.



@ -1,20 +1,20 @@
policy_module(nfscgi, 1.0.0)
policy_module(nfscgi, 1.0.1)
require {
type httpd_git_script_t;
type git_script_t;
type git_system_t;
type httpd_git_content_t;
type git_user_content_t;
type nfs_t;
class dir { create write search add_name remove_name getattr open };
class file { create write rename setattr read open };
}
allow git_system_t httpd_git_content_t:dir { getattr read open };
allow git_system_t httpd_git_content_t:file { read open getattr };
allow git_system_t httpd_git_content_t:lnk_file { read open getattr };
allow git_system_t git_user_content_t:lnk_file { read open getattr };
allow httpd_git_script_t nfs_t:dir { write };
allow git_system_t httpd_git_content_t:dir { search };
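Review bot: `allow httpd_git_script_t nfs_t:dir { write };` grants the CGI domain write on every NFS-mounted directory, since `nfs_t` is the generic NFS type rather than a label for the one share involved, yet it omits `add_name`/`remove_name`, which creating or removing an entry also requires, so the rule reads like a partial audit2allow transcript rather than a deliberate policy. State the intended operation in a comment above it, e.g. `# upload.cgi must create files on the NFS-mounted lookaside share`, add the matching name permissions if that is the case, and if the share can be mounted with a `context=` option prefer a dedicated type over `nfs_t`. The `require` block also declares `class file { create write rename setattr read open }` that no visible rule uses; the rendered page loses which lines are new, so some of this may predate the commit.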


@ -378,19 +378,24 @@
# Three tasks for handling our selinux policy for upload.cgi
- name: ensure a directory exists for our SELinux policy
file: dest=/usr/local/share/selinux/ state=directory
tags: selinux
- name: copy over our custom selinux policy
copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
register: selinux_module
tags: selinux
- name: install our custom selinux policy
command: semodule -i /usr/local/share/selinux/upload_cgi.pp
when: selinux_module|changed
tags: selinux
- name: copy over our custom nfs selinux policy
copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
register: nfs_selinux_module
tags: selinux
- name: install our custom nfs selinux policy
command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
when: nfs_selinux_module|changed
tags: selinux
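Review bot: `cgi-nfs.pp` is installed from a compiled module committed as a binary (its file section is not rendered), so a reviewer cannot confirm the blob matches the `nfscgi` source bumped to 1.0.1 in this commit; building it on the host from the `.te` with `checkmodule -M -m` and `semodule_package`, or pinning the artefact's checksum in the task, keeps the loaded policy auditable. `semodule -i` runs only when the copy task reports a change, so a module removed out of band stays unloaded until the file changes again; registering `semodule -l` output and installing when the module is absent or at an older version would close that gap. The enclosing task list continues outside the hunk.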


@ -3,11 +3,13 @@
- name: install the git-daemon package
yum: pkg=git-daemon state=present
tags: git/server
# If NOT using xinetd
- name: delete stock git daemon config
file: path="/usr/lib/systemd/system/git.service" state=absent
when: ansible_distribution_major_version|int == 7
tags: git/server
- name: configure git daemon
template: >
@ -15,11 +17,13 @@
dest="/usr/lib/systemd/system/git@.service"
mode=0644
when: ansible_distribution_major_version|int == 7
tags: git/server
# If using xinetd
- name: install xinetd
yum: pkg=xinetd state=present
when: ansible_distribution_major_version|int == 6
tags: git/server
- name: install the xinetd config file
template: >
@ -27,5 +31,6 @@
dest="/etc/xinetd.d/git"
mode=0644
when: ansible_distribution_major_version|int == 6
tags: git/server
notify:
- restart xinetd
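Review bot: The tasks gain `tags: git/server`, but the `delete stock git daemon config` task they tag removes a package-owned unit from `/usr/lib/systemd/system`, and the next git-daemon package update reinstates it, so the deletion does not persist. Masking the unit instead (`command: systemctl mask git.service creates=/etc/systemd/system/git.service`) or shipping an override under `/etc/systemd/system` survives package updates. The task list starts before this hunk.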


@ -1,3 +0,0 @@
config = {
'fedora_openqa_schedule.consumer.enabled': True,
}


@ -106,7 +106,7 @@
- config
- name: Enable fedmsg consumer
copy: src=openqa_consumer.py dest=/etc/fedmsg.d/openqa_consumer.py owner=root group=root mode=0644
template: src=openqa_consumer.py.j2 dest=/etc/fedmsg.d/openqa_consumer.py owner=root group=root mode=0644
notify:
- restart fedmsg-hub
tags:


@ -0,0 +1,10 @@
config = {
'fedora_openqa_schedule.consumer.enabled': True,
{% if wikitcms_user is defined and wikitcms_password is defined %}
{% if deployment_type == 'stg' %}
'fedora_openqa_schedule.wiki.consumer.stg.enabled': True,
{% else %}
'fedora_openqa_schedule.wiki.consumer.prod.enabled': True,
{% endif %}
{% endif %}
}
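Review bot: The template renders a Python module that fedmsg imports, and it contains no `{{ }}` substitutions, only `{% if %}` guards, so no inventory string can land inside the literal; that property is worth stating in a leading comment, together with `# {{ ansible_managed }}` so anyone editing `/etc/fedmsg.d/openqa_consumer.py` on the host sees it is overwritten. `{% if deployment_type == 'stg' %}` fails to render if `deployment_type` is unset on some host; if that can happen, `deployment_type is defined and deployment_type == 'stg'` avoids the error. The credentials are only tested for being defined here, so presumably the consumer reads them elsewhere — confirm.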


@ -18,6 +18,9 @@
## default - ansible_nodename
# Optional vars
# - openqa_static_uid
## int - a static ID for the geekotest user and group if desired
## this is useful for NFS mounting openQA data files
# - openqa_dbname
## string - The name of the database to use
# - openqa_dbhost
@ -26,29 +29,30 @@
## string - The database username
# - openqa_dbpassword
## string - The database password
# - openqa_assetsize
## int - the asset size limit to set in GB (upstream default is 100GB)
## higher is recommended for normal Fedora testing, 300GB is good
#
# If openqa_dbhost is set, the others must be too, and the server will be
# configured to use a pgsql database accordingly. If openqa_dbhost is not
# set, the server will use a local SQLite database and the other values
# are ignored.
# As we want to store some geekotest-owned files in shared storage, we
# need to ensure geekotest always has the same uid/gid if we re-deploy
# the servers. So we create the account here with uid/gid 601.
- name: Create geekotest group with static GID
group: "name=geekotest gid={{ openqa_static_uid }} system=yes"
when: "openqa_static_uid is defined"
- name: Create geekotest group with static GID 601
group: name=geekotest gid=601 system=yes
- name: Create geekotest user with static UID 601
- name: Create geekotest user with static UID
user:
name: geekotest
comment: "openQA user"
uid: 601
uid: "{{ openqa_static_uid }}"
group: geekotest
home: "/var/lib/openqa"
createhome: no
system: yes
shell: /sbin/nologin
when: "openqa_static_uid is defined"
# note: we need updates-testing until fedfind 2.x and openQA 4.3-21 go stable
- name: Install required packages (testing)
@ -224,3 +228,12 @@
register: testsdiff
changed_when: "testsdiff.rc > 0"
failed_when: "1 != 1"
- name: Set asset size limit (if specified) (pgsql)
delegate_to: "{{ openqa_dbhost }}"
become_user: postgres
become: true
command: "psql -d {{ openqa_dbname }} -c \"UPDATE job_groups SET size_limit_gb = {{ openqa_assetsize }} WHERE size_limit_gb != {{ openqa_assetsize }};\""
when: "openqa_dbhost is defined and openqa_assetsize is defined"
register: pgsqlsize
changed_when: "pgsqlsize.stdout.find('UPDATE 0') == -1"
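Review bot: The psql task builds its SQL by interpolating `openqa_assetsize` and `openqa_dbname` directly into the command string; both come from inventory, so this is a robustness rather than an injection concern, but an empty or non-numeric value surfaces only as a psql syntax error on the delegated host. A preceding `assert` with `that: "openqa_assetsize | int > 0"` turns a typo into a clear failure, and writing `{{ openqa_assetsize | int }}` in the statement documents the expected type. `changed_when: "pgsqlsize.stdout.find('UPDATE 0') == -1"` also reports a change when stdout is empty, and on a freshly created database the `job_groups` table may not exist yet, which would fail the play — hedged, since schema creation is not visible here. Minor style point: the new `group:` task uses the `key=value` string form while the sibling `user:` task uses the dict form; the dict form for both keeps the hunk consistent. The task list starts outside the hunk.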


@ -39,11 +39,6 @@ fasname = admin
name = Fedora University Tour
fasname = admin
[http://www.archive.org/services/collection-rss.php]
name = Fedora Videos
filters = regexp_sifter.py?require=[Ff]edora
fasname = admin
[http://www.projetofedora.org/rss.xml]
name = Projeto Fedora Brasil
face = http://fedoraplanet.org/images/heads/map_brazil_fedora_small.png