Setup the production and staging Dist Git
This commit is contained in:
Kevin Fenzi
parent
30ab4bd528
commit
a03781965d
5 changed files with 228 additions and 0 deletions
45
inventory/group_vars/pkgs
Normal file
45
inventory/group_vars/pkgs
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
---
|
||||
# TODO: Define resources for this group of hosts here?
|
||||
|
||||
tcp_ports: [80, 443, 9418,
|
||||
# These 16 ports are used by fedmsg. One for each wsgi thread.
|
||||
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
|
||||
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
|
||||
|
||||
fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc
|
||||
fas_client_restricted_app: /usr/bin/gl-auth-command
|
||||
fas_client_admin_app: /usr/bin/gl-auth-command -s
|
||||
fas_client_ssh_groups = @cvs,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc
|
||||
|
||||
git_group: packager
|
||||
git_port: 9418
|
||||
git_server: /usr/libexec/git-core/git-daemon
|
||||
git_server_args: --export-all --syslog --inetd --verbose
|
||||
git_basepath: /srv/git/rpms
|
||||
|
||||
clamscan_mailto: admin@fedoraproject.org
|
||||
clamscan_paths:
|
||||
- /srv/cache/lookaside/pkgs
|
||||
clamscan_excludes:
|
||||
- clamav-
|
||||
- amavisd-new-2.3.3.tar.gz
|
||||
- bro-20080804.tgz
|
||||
- mailman-
|
||||
- sagator-
|
||||
- nicotine
|
||||
- fwsnort-1.0.6.tar.gz
|
||||
- psad-2.1.7.tar.bz2
|
||||
- pymilter-
|
||||
- linkchecker-
|
||||
|
||||
# These are consumed by a task in roles/fedmsg/base/main.yml
|
||||
fedmsg_certs:
|
||||
- service: shell
|
||||
owner: root
|
||||
group: sysadmin
|
||||
- service:scm
|
||||
owner: root
|
||||
group: packager
|
||||
- service: lookaside
|
||||
owner: root
|
||||
group: apache
|
||||
|
|
@ -1,2 +1,5 @@
|
|||
---
|
||||
host_backup_targets: ['/srv']
|
||||
|
||||
nm: 255.255.255.0
|
||||
eth1_ip: 10.5.127.67
|
||||
|
|
|
|||
3
inventory/host_vars/pkgs01.stg.phx2.fedoraproject.org
Normal file
3
inventory/host_vars/pkgs01.stg.phx2.fedoraproject.org
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
nm: 255.255.255.0
|
||||
eth0_ip: 10.5.126.83
|
||||
56
playbooks/groups/pkgs.yml
Normal file
56
playbooks/groups/pkgs.yml
Normal file
|
|
@ -0,0 +1,56 @@
|
|||
- name: make pkgs
|
||||
hosts: pkgs:pkgs-stg
|
||||
user: root
|
||||
gather_facts: False
|
||||
|
||||
vars_files:
|
||||
- /srv/web/infra/ansible/vars/global.yml
|
||||
- "{{ private }}/vars.yml"
|
||||
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
||||
|
||||
tasks:
|
||||
- include: "{{ tasks }}/virt_instance_create.yml"
|
||||
|
||||
handlers:
|
||||
- include: "{{ handlers }}/restart_services.yml"
|
||||
|
||||
- name: make the box be real
|
||||
hosts: pkgs:pkgs-stg
|
||||
user: root
|
||||
gather_facts: True
|
||||
accelerate: "{{ accelerated }}"
|
||||
|
||||
vars_files:
|
||||
- /srv/web/infra/ansible/vars/global.yml
|
||||
- "{{ private }}/vars.yml"
|
||||
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
||||
|
||||
roles:
|
||||
- base
|
||||
- rkhunter
|
||||
- denyhosts
|
||||
- nagios_client
|
||||
- fas_client
|
||||
- collectd/base
|
||||
- fedmsg/base
|
||||
- fedmsg/hub
|
||||
- sudo
|
||||
- git/hooks
|
||||
- git/make_checkout_seed
|
||||
- git/server
|
||||
- gitolite/base
|
||||
- gitolite/check_fedmsg_hooks
|
||||
- cgit/base
|
||||
- cgit/clean_lock_cron
|
||||
- cgit/make_pkgs_list
|
||||
- clamav
|
||||
- distgit
|
||||
|
||||
tasks:
|
||||
- include: "{{ tasks }}/yumrepos.yml"
|
||||
- include: "{{ tasks }}/motd.yml"
|
||||
- include: "{{ tasks }}/apache.yml"
|
||||
- include: "{{ tasks }}/drbackupkey.yml"
|
||||
|
||||
handlers:
|
||||
- include: "{{ handlers }}/restart_services.yml"
|
||||
121
roles/base/files/ssh/sshd_config.pkgs
Normal file
121
roles/base/files/ssh/sshd_config.pkgs
Normal file
|
|
@ -0,0 +1,121 @@
|
|||
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
||||
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
|
||||
|
||||
# The strategy used for options in the default sshd_config shipped with
|
||||
# OpenSSH is to specify options with their default value where
|
||||
# possible, but leave them commented. Uncommented options change a
|
||||
# default value.
|
||||
|
||||
#Port 22
|
||||
#Protocol 2,1
|
||||
Protocol 2
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
||||
# HostKey for protocol version 1
|
||||
#HostKey /etc/ssh/ssh_host_key
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#KeyRegenerationInterval 1h
|
||||
#ServerKeyBits 768
|
||||
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
SyslogFacility AUTHPRIV
|
||||
LogLevel VERBOSE
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
PermitRootLogin without-password
|
||||
StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
#HostbasedAuthentication no
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# RhostsRSAAuthentication and HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
PasswordAuthentication no
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
#ChallengeResponseAuthentication yes
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
GSSAPICleanupCredentials no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication mechanism.
|
||||
# Depending on your PAM configuration, this may bypass the setting of
|
||||
# PasswordAuthentication, PermitEmptyPasswords, and
|
||||
# "PermitRootLogin without-password". If you just want the PAM account and
|
||||
# session checks to run without PAM authentication, then enable this but set
|
||||
# ChallengeResponseAuthentication=no
|
||||
#UsePAM no
|
||||
UsePAM yes
|
||||
|
||||
# Accept locale-related environment variables
|
||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||
#AllowTcpForwarding yes
|
||||
AllowTcpForwarding no
|
||||
|
||||
|
||||
#GatewayPorts no
|
||||
#X11Forwarding no
|
||||
X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PrintMotd yes
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
#UsePrivilegeSeparation yes
|
||||
#PermitUserEnvironment no
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
#ShowPatchLevel no
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10
|
||||
PermitTunnel no
|
||||
|
||||
# no default banner path
|
||||
#Banner /some/path
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/openssh/sftp-server
|
||||
Loading…
Add table
Add a link
Reference in a new issue