motd generic template added

migrated notes from infra/hosts

motd changes; excluding CSI infos

removed csi_* vars from group_vars; converted csi_purpose & csi_relationship into notes

fixed merge conflicts

minor changes; var

updating YAMLs & playbooks

updated YAMLs & playbooks again

updated correctly; buildhw.yml

fixing merge conflicts

dest added in motd.yml
iamyaash 2025-01-06 13:04:00 +05:30 committed by kevin
parent 7799cc2478
commit b3d6a90b9a
112 changed files with 370 additions and 562 deletions

@ -83,18 +83,8 @@ communishift_projects:
copr_build_virthost: false
# assume createrepo is true and this builder has the koji nfs mount to do that
createrepo: True
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Unspecified
csi_relationship: |
Unspecified.
* What hosts/services does this rely on?
* What hosts/services rely on this?
To update this text, add the csi_* vars to group_vars/ in ansible.
# This vars get shoved into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: Unspecified
custom6_rules: []
custom_rules: []
nft_custom6_rules: []
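
Review bot: The defaults for `csi_primary_contact` and `csi_security_category` in the middle of this hunk have no replacement: per the commit message only `csi_purpose` and `csi_relationship` are carried into `notes`. The comment lines here say the base role writes these variables to /etc/system_identification, so any template or task that still references a `csi_*` name will fail on an undefined variable once the global defaults are gone. Please confirm the base role no longer reads them before dropping the defaults, and say in the commit message where contact and security category information lives from now on.
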
@ -323,3 +313,8 @@ wsgi_wants_apache: true
# set no x-forward header by default
x_forward: false
#
notes: |
Unspecified.
* What hosts/services does this rely on?
* What hosts/services rely on this?
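
Review bot: The new `notes` default has no comment saying where it is displayed or how to override it, while the text it replaces ended with an instruction to add the variables to group_vars/. Suggest a short comment above `notes: |` stating that groups and hosts should override it in group_vars/ or host_vars/, so the "Unspecified." placeholder does not become the permanent value.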

@ -3,15 +3,7 @@
ansible_ifcfg_allowlist:
- eth0
- eth1
csi_primary_contact: Release Engineering - rel-eng@lists.fedoraproject.org
csi_purpose: Automatically sign Rawhide and Branched packages
csi_relationship: |
This host will run the robosignatory application which should automatically sign
builds. It listens to koji over fedora-messaging for notifications of new builds,
and then asks sigul, the signing server, to sign the rpms and store the new rpm
header back in Koji.
# For the MOTD
csi_security_category: High
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
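
Review bot: `csi_security_category: High` is dropped for the host that asks sigul to sign packages, and the `notes` text added further down in this file does not mention the classification, so it is no longer recorded anywhere for this group. If the category still drives anything, keep it in `notes` or in a dedicated variable. Also, by the header counts (15 lines down to 7) the `# For the MOTD` comment stays behind and now sits directly above the unrelated `# for systems that do not match the above` comment; remove or move it.
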
@ -31,3 +23,11 @@ lvm_size: 30000
mem_size: 2048
nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3"
num_cpus: 2
notes: |
Automatically sign Rawhide and Branched packages
This host will run the robosignatory application which should automatically sign
builds. It listens to koji over fedora-messaging for notifications of new builds,
and then asks sigul, the signing server, to sign the rpms and store the new rpm
header back in Koji.
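
Review bot: In the `notes` block the one-line purpose ("Automatically sign Rawhide and Branched packages") runs straight into the description with no blank line or closing punctuation, so the two will read as one paragraph wherever the text is shown. Add a blank line after the purpose line. Minor: `notes` is appended after `num_cpus` while the neighbouring keys are in alphabetical order.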

@ -1,17 +1,7 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: sysadmin-main admin@fedoraproject.org
csi_purpose: SSH proxy to access infrastructure not exposed to the web
csi_relationship: |
- Provides ssh access to all iad2/vpn connected servers.
- Bastion is the hub for all infrastructure's VPN connections.
- All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
pass or are filtered here.
- Bastion does not accept any mail outside phx2/vpn.
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
#
# drop incoming traffic from less trusted vpn hosts
# allow ntp from internal RH 10 nets
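
Review bot: Stale comments are left behind at the top of this file. The header counts (17 lines down to 7) mean only ten lines are removed, which covers the nine `csi_*` lines plus one more, so two of the three comment lines about variables being "pushed into /etc/system_identification by the base role" remain and now describe variables that no longer exist here. Remove the whole comment block together with the variables.
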
@ -72,3 +62,11 @@ primary_auth_source: ipa
#
tcp_ports: [22, 1194]
udp_ports: [1194]
notes: |
SSH proxy to access infrastructure not exposed to the web
* Provides ssh access to all iad2/vpn connected servers.
* Bastion is the hub for all infrastructure's VPN connections.
* All incoming SMTP from iad2 and VPN, as well as outgoing SMTP, pass or are filtered here.
* Bastion does not accept any mail outside phx2/vpn.
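
Review bot: The last bullet still says "outside phx2/vpn" while the first and third bullets refer to iad2. The text is copied unchanged from `csi_relationship`, but since this is the wording that will be shown from now on, reconcile the datacenter name while moving it.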

@ -11,18 +11,8 @@ bastion_ipa_client_shell_groups:
# this only works if the `batcave_stg` group and at least one host in it is defined
# batcave_ipa_client_shell_groups: "{{ hostvars[groups['batcave_stg'][0]]['ipa_client_shell_groups'] | default([]) }}"
batcave_ipa_client_shell_groups: []
csi_primary_contact: sysadmin-main admin@fedoraproject.org
csi_purpose: SSH proxy to access STAGING infrastructure not exposed to the web
csi_relationship: |
- Provides ssh access to all iad2/vpn connected servers.
- Bastion is the hub for all infrastructure's VPN connections.
- All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
pass or are filtered here.
- Bastion does not accept any mail outside phx2/vpn.
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
#
# drop incoming traffic from less trusted vpn hosts
# allow ntp from internal RH 10 nets
@ -57,3 +47,10 @@ num_cpus: 4
#
tcp_ports: [22, 25, 1194]
udp_ports: [1194]
notes: |
SSH proxy to access STAGING infrastructure not exposed to the web
* Provides ssh access to all iad2/vpn connected servers.
* Bastion is the hub for all infrastructure's VPN connections.
* All incoming SMTP from iad2 and VPN, as well as outgoing SMTP, pass or are filtered here.
* Bastion does not accept any mail outside phx2/vpn.

@ -1,23 +1,6 @@
---
ansible_base: /srv/web/infra
csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
csi_purpose: Central management host for ansible
csi_relationship: |
From the batcave batman ventures out to fight crime and protect gotham city!
batcave is the central management host for ansible.
It also is the infrastructure.fedoraproject.org website with various content.
It houses a number of infrastructure git repos.
* This host relies on:
The virthost it's hosted on (virthost22)
* Things that rely on this host:
Things that access rhel/fedora/infra rpm repos, including builders and infra hosts.
If this host is down, ansible runs cannot be made to update other hosts.
If this host is down, crime may go up in gotham city.
# For the MOTD
csi_security_category: High
# Neeed for rsync from log01 for logs.
custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
nft_custom_rules:
@ -80,3 +63,20 @@ tcp_ports: [80, 443, 8442, 8443]
vpn: true
nagios_Check_Services:
swap: false
notes: |
Central management host for ansible
From the batcave batman ventures out to fight crime and protect gotham city!
batcave is the central management host for ansible.
It also is the infrastructure.fedoraproject.org website with various content.
It houses a number of infrastructure git repos.
This host relies on:
* The virthost it's hosted on (virthost22)
Things that rely on this host:
* Things that access rhel/fedora/infra rpm repos, including builders and infra hosts.
* If this host is down, ansible runs cannot be made to update other hosts.
* If this host is down, crime may go up in gotham city.
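
Review bot: The "This host relies on" bullet hardcodes "virthost22" in free text, which goes stale the next time the guest is moved and nothing will flag it. Either drop the host name ("the virthost it is hosted on") or take it from the inventory so the note cannot drift from the real placement.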

@ -4,28 +4,7 @@ bodhi_message_queue_name: "bodhi{{ env_suffix }}_composer"
# Define the topics that our fedora-messaging queue should be subscribed to.
bodhi_message_routing_keys:
- "org.fedoraproject.*.bodhi.composer.start"
csi_primary_contact: Releng Admins sysadmin-releng-members@fedoraproject.org
csi_purpose: Run the Bodhi masher.
csi_relationship: |
The mashing of repos here happens as part of the 'fedmsg-hub' daemon. Check
logs with 'journalctl -u fedmsg-hub'. Check the bodhi masher docs/code for
more detail on what it does:
https://github.com/fedora-infra/bodhi/blob/develop/bodhi/consumers/masher.py
* This host relies on:
* db01 for its database, which is shares with the bodhi2 frontend nodes.
* An NFS mount of koji data in /mnt/koji/
* The fedmsg bus for triggering mashes.
* XMLRPC calls to koji for tagging and untagging updates.
* bugzilla for posting comments about status changes
* the wiki for getting information about QA "Test Cases"
* taksotron (resultsdb) for getting status-check results (gating updates).
* No other systems rely directly on this host. Everything depends on it
indirectly for the creation of new updates repos (which get synced out to
the master mirror for distribution.
# For the MOTD
csi_security_category: Moderate
# Make connections from signing bridges stateless, they break sigul connections
# https://bugzilla.redhat.com/show_bug.cgi?id=1283364
# this is sign-bridge01.iad2 ip 10.3.169.120
@ -48,3 +27,25 @@ nrpe_procs_warn: 900
num_cpus: 2
# Use the infra-testing repo
testing: True
notes: |
Run the Bodhi masher.
The mashing of repos here happens as part of the 'fedmsg-hub' daemon.
Check logs with 'journalctl -u fedmsg-hub'.
Check the bodhi masher docs/code for more detail on what it does:
https://github.com/fedora-infra/bodhi/blob/develop/bodhi/consumers/masher.py
* This host relies on:
* db01 for its database, which is shares with the bodhi2 frontend nodes.
* An NFS mount of koji data in /mnt/koji/
* The fedmsg bus for triggering mashes.
* XMLRPC calls to koji for tagging and untagging updates.
* bugzilla for posting comments about status changes
* the wiki for getting information about QA "Test Cases"
* taksotron (resultsdb) for getting status-check results (gating updates).
* No other systems rely directly on this host. Everything depends on it
indirectly for the creation of new updates repos (which get synced out to
the master mirror for distribution.
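
Review bot: The copied text carries its typos into `notes`: "which is shares" in the db01 bullet, "taksotron" in the resultsdb bullet, and the parenthesis opened at "(which get synced out" in the last bullet is never closed. The lines are being reflowed in this hunk anyway, so fix them here.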

@ -1,14 +1,7 @@
---
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project.
csi_relationship: |
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
docker_registry: "candidate-registry.fedoraproject.org"
freezes: true
host_group: kojibuilder
@ -19,3 +12,10 @@ koji_server_url: "https://koji.fedoraproject.org/kojihub"
koji_topurl: "https://kojipkgs.fedoraproject.org/"
koji_weburl: "https://koji.fedoraproject.org/koji"
source_registry: "registry.fedoraproject.org"
notes: |
Koji service employs a set of machines to build packages for the Fedora project.
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
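
Review bot: The last `notes` bullet ends mid-sentence at "Builders can be scaled by adding new". The same truncation is in the `csi_relationship` text it was copied from, so it predates this change, but the other builder group files in this commit repeat it; complete the sentence once and reuse the corrected wording instead of propagating the cut-off line.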

@ -1,13 +1,5 @@
---
# common items for the buildvm-* koji builders
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
csi_relationship: |
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
csi_security_category: High
dns: 10.3.163.33
docker_registry: "candidate-registry.fedoraproject.org"
eth0_ipv4_gw: 10.3.169.254
@ -29,3 +21,11 @@ num_cpus: 6
source_registry: "registry.fedoraproject.org"
virt_install_command: "{{ virt_install_command_one_nic_unsafe }}"
volgroup: /dev/BuildGuests
notes: |
Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new

@ -1,13 +1,5 @@
---
# common items for the buildvm-aarch64* koji builders
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
csi_relationship: |
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
csi_security_category: High
dns: 10.3.163.33
docker_registry: "candidate-registry.fedoraproject.org"
eth0_ipv4_gw: 10.3.170.254
@ -30,3 +22,10 @@ num_cpus: 12
source_registry: "registry.fedoraproject.org"
virt_install_command: "{{ virt_install_command_aarch64_one_nic_unsafe }}"
volgroup: /dev/vg_guests
notes: |
Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new

@ -1,14 +1,6 @@
---
# common items for the buildvm-* koji builders
createrepo: True
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
csi_relationship: |
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
csi_security_category: High
datacenter: iad2
dns: 10.3.163.33
docker_registry: "candidate-registry.stg.fedoraproject.org"
@ -23,7 +15,6 @@ koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
koji_topurl: "https://kojipkgs.stg.fedoraproject.org/"
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
koji_weburl: "https://koji.stg.fedoraproject.org/koji"
ks_repo: https://infrastructure.fedoraproject.org/pub/fedora/linux/releases/41/Server/aarch64/os/
@ -38,3 +29,10 @@ source_registry: "registry.stg.fedoraproject.org"
# this is to enable nested virt, which we need for some builds
virt_install_command: "{{ virt_install_command_aarch64_one_nic_unsafe }}"
volgroup: /dev/vg_guests
notes: |
Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new

@ -1,11 +1,4 @@
# common variables for osbuild workers
csi_primary_contact: Image Builder team - osbuilders@redhat.com
csi_purpose: This group of VMs builds OS images via Koji using image builder for ppc64le architecture.
csi_relationship: |
* Relies on koji-hub and image-builder-api (external).
* Produces automated builds of OS images for the architecture listed. Wokers can be scaled by adding new
virtual instances
datacenter: iad2
dns: 10.3.163.33
dns_search1: iad2.fedoraproject.org
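
Review bot: `csi_primary_contact: Image Builder team - osbuilders@redhat.com` is dropped here, and the `notes` text added for this group does not name an owner, so the only pointer to the team that runs these workers disappears from the inventory. Unlike the groups that used the generic admin@ contact, this is group-specific information; carry it into `notes`, for example as a "Contact:" line.
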
@ -45,3 +38,9 @@ osbuild_worker_koji_instances:
- koji_host: "koji.fedoraproject.org"
krb_principal: "osbuild-automation-bot@FEDORAPROJECT.ORG"
krb_keytab_file: "{{ private }}/files/osbuild/worker_koji.keytab"
notes: |
This group of VMs builds OS images via Koji using image builder for ppc64le architecture.
* Relies on koji-hub and image-builder-api (external).
* Produces automated builds of OS images for the architecture listed. Wokers can be scaled by adding new
virtual instances

@ -1,11 +1,4 @@
# common variables for osbuild workers (staging)
csi_primary_contact: Image Builder team - osbuilders@redhat.com
csi_purpose: This group of VMs builds OS images via Koji (staging) using image builder for ppc64le architecture.
csi_relationship: |
* Relies on koji-hub and image-builder-api (external).
* Produces automated builds of OS images for the architecture listed. Wokers can be scaled by adding new
virtual instances
datacenter: iad2
dns: 10.3.163.33
dns_search1: iad2.fedoraproject.org
@ -45,3 +38,9 @@ osbuild_worker_koji_instances:
- koji_host: "koji.stg.fedoraproject.org"
krb_principal: "osbuild-automation-bot@STG.FEDORAPROJECT.ORG"
krb_keytab_file: "{{ private }}/files/osbuild/worker_stg_koji.keytab"
notes: |
This group of VMs builds OS images via Koji (staging) using image builder for ppc64le architecture.
* Relies on koji-hub and image-builder-api (external).
* Produces automated builds of OS images for the architecture listed. Wokers can be scaled by adding new
virtual instances

@ -1,15 +1,6 @@
# common items for the buildvm-* koji builders
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of virtual machines to build packages for the Fedora project. This group builds packages for ppcle architecture.
csi_relationship: |
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
* virtual instances
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
datacenter: iad2
dns: 10.3.163.33
eth0_ipv4_gw: 10.3.171.254
@ -32,4 +23,13 @@ max_mem_size: 20480
mem_size: 20480
num_cpus: 8
virt_install_command: "{{ virt_install_command_ppc64le_one_nic_unsafe }}"
volgroup: /dev/vg_virt_buildvm_ppc64le_iscsi
volgroup: /dev/vg_guests
notes: |
Koji service employs a set of virtual machines to build packages for the Fedora project. This group builds packages for ppcle architecture.
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
* virtual instances
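
Review bot: Two `volgroup:` lines appear in this hunk (`/dev/vg_virt_buildvm_ppc64le_iscsi` followed by `/dev/vg_guests`), so the volume group value is being changed in a commit that is otherwise about motd notes. If this came in through the merge-conflict resolution mentioned in the commit message, drop it from this change; if it is intentional, it belongs in its own commit with a line explaining it. Separately, the final `notes` bullet "* virtual instances" is the tail of the previous sentence, not a list item of its own, and "ppcle" in the first line looks like it should match the ppc64le naming used in the variables above.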

@ -1,14 +1,6 @@
---
# common items for the buildvm-* koji builders
createrepo: True
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
csi_relationship: |
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
csi_security_category: High
datacenter: staging
dns: 10.3.163.33
docker_registry: "candidate-registry.stg.fedoraproject.org"
@ -23,7 +15,6 @@ koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
koji_topurl: "https://kojipkgs.stg.fedoraproject.org/"
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
koji_weburl: "https://koji.stg.fedoraproject.org/koji"
ks_repo: https://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/41/Server/ppc64le/os/
@ -37,3 +28,10 @@ num_cpus: 4
source_registry: "registry.stg.fedoraproject.org"
virt_install_command: "{{ virt_install_command_ppc64le_one_nic_unsafe }}"
volgroup: /dev/vg_guests
notes: |
Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new

@ -1,13 +1,5 @@
---
createrepo: False
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
csi_relationship: |
* VMs built on top of a s390x LPAR
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
csi_security_category: High
dns1: 10.3.163.33
dns2: 10.3.163.34
dns_search1: "iad2.fedoraproject.org"
@ -30,3 +22,10 @@ varnish_group: s390kojipkgs
virt_install_command: "{{ virt_install_command_s390x_one_nic }}"
vmhost: bvmhost-s390x-01.s390.fedoraproject.org
volgroup: /dev/vg_guests
notes: |
Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
* VMs built on top of a s390x LPAR
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new

@ -1,13 +1,5 @@
---
createrepo: False
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
csi_relationship: |
* VMs built on top of a s390x LPAR
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
csi_security_category: High
host_group: kojibuilder
koji_hub_nfs: "fedora_koji"
koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
@ -16,3 +8,10 @@ koji_weburl: "https://koji.stg.fedoraproject.org/koji"
ks_repo: https://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/41/Server/s390x/os/
ks_url: https://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-fedora
virt_install_command: "{{ virt_install_command_s390x_one_nic_unsafe }}"
notes: |
Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
* VMs built on top of a s390x LPAR
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new

@ -1,13 +1,5 @@
---
# common items for the buildvm-* koji builders
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
csi_relationship: |
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
csi_security_category: High
datacenter: iad2
dns1: 10.3.163.33
docker_registry: "candidate-registry.stg.fedoraproject.org"
@ -23,7 +15,6 @@ koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
koji_topurl: "https://kojipkgs.stg.fedoraproject.org/"
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
koji_weburl: "https://koji.stg.fedoraproject.org/koji"
ks_repo: https://infrastructure.fedoraproject.org/pub/fedora/linux/releases/41/Server/x86_64/os/
@ -37,3 +28,10 @@ resolvconf: "resolv.conf/iad2"
source_registry: "registry.fedoraproject.org"
virt_install_command: "{{ virt_install_command_one_nic_unsafe }}"
volgroup: /dev/vg_guests
notes: |
Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
* VMs built on top of buildvmhost
* Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new

@ -1,17 +1,15 @@
---
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
csi_relationship: |
* Relies on ansible, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Builder vm's are hosted on hosts created with this playbook.
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
nested: True
nrpe_procs_crit: 1800
nrpe_procs_warn: 1700
virthost: true
nagios_Check_Services:
swap: false
notes: |
Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
* Relies on ansible, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Builder vm's are hosted on hosts created with this playbook.

@ -6,15 +6,8 @@ copr_backend_target: copr-backend.target
# Copr vars
copr_hostbase: copr-be
csi_primary_contact: "msuchy (mirek), frostyx, praiskup IRC #fedora-admin, #fedora-buildsys"
csi_purpose: Provide the backend for copr (3rd party packages)
csi_relationship: |
- Backend: Management of copr cloud infrastructure (OpenStack).
- Small frontend with copr's public stats
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
description: copr dispatcher and repo server
do_sign: "true"
host_backup_targets: ['/var/lib/copr/public_html/results']
@ -59,3 +52,8 @@ copr_backend_data_raid10_volumes:
copr_backend_data_2_raid1_volumes:
- nvme-Amazon_Elastic_Block_Store_vol0f226a7163d28d8fd-part1
- nvme-Amazon_Elastic_Block_Store_vol07293869d85a750b8-part1
notes: |
Provide the backend for copr (3rd party packages)
* Backend: Management of copr cloud infrastructure (OpenStack).
* Small frontend with copr's public stats

@ -7,13 +7,8 @@ copr_backend_target: copr-backend.target
# Copr vars
copr_hostbase: copr-be-dev
csi_primary_contact: "msuchy (mirek), frostyx, praiskup IRC #fedora-admin, #fedora-buildsys"
csi_purpose: Provide the testing environment of copr's backend
csi_relationship: This host is the testing environment for the cloud infrastructure of copr's backend
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: Moderate
description: copr dispatcher and repo server - dev instance
do_sign: "true"
# consumed by roles/copr/certbot
@ -53,3 +48,7 @@ copr_backend_data_raid10_volumes:
copr_backend_data_2_raid1_volumes:
- nvme-Amazon_Elastic_Block_Store_vol0ce8220e998e2e32a-part1
- nvme-Amazon_Elastic_Block_Store_vol0038e042c49987b82-part1
notes: |
Provide the testing environment of copr's backend
This host is the testing environment for the cloud infrastructure of copr's backend

@ -1,6 +1,6 @@
---
csi_primary_contact: "msuchy (mirek), frostyx, praiskup IRC #fedora-admin, #fedora-buildsys"
csi_purpose: Provide the testing environment of copr's db
csi_relationship: This host is the testing environment for copr's database
csi_security_category: Low
tcp_ports: [22, 5432]
notes: |
Provide the testing environment of copr's db
This host is the testing environment for copr's database

@ -8,15 +8,8 @@ copr_messaging_queue: "a9b74258-21c6-4e79-ba65-9e858dc84a2b"
copr_pagure_events:
io.pagure.prod.pagure: "https://pagure.io/"
org.fedoraproject.prod.pagure: "https://src.fedoraproject.org/"
csi_primary_contact: "msuchy (mirek), frostyx, praiskup IRC #fedora-admin, #fedora-buildsys"
csi_purpose: Provide a publicly accessible frontend for 3rd party packages (copr)
csi_relationship: |
- This host provides the frontend part of copr only.
- It's the point of contact between end users and the copr build system (backend, package singer)
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: Moderate
# consumed by roles/copr/certbot
letsencrypt:
certificates:
@ -33,3 +26,8 @@ tcp_ports: [22, 80, 443,
services_disabled: false
aws_ipv6_addr: "2600:1f18:8ee:ae00:9d1f:4737:93ce:6db/128"
notes: |
Provide a publicly accessible frontend for 3rd party packages (copr)
This host provides the frontend part of copr only.
It's the point of contact between end users and the copr build system (backend, package singer)
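
Review bot: The two relationship items lose their list markers in this `notes` block, while the copr backend notes in this same change convert their "-" items to "*" bullets; keep them as bullets here too so the groups render consistently. The second item also carries over the typo "package singer" (signer).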

@ -14,10 +14,6 @@ copr_pagure_events:
io.pagure.prod.pagure: "https://pagure.io/"
io.pagure.stg.pagure: "https://stg.pagure.io"
org.fedoraproject.prod.pagure: "https://src.fedoraproject.org/"
csi_primary_contact: "msuchy (mirek), frostyx, praiskup IRC #fedora-admin, #fedora-buildsys"
csi_purpose: Provide the testing environment of copr's frontend
csi_relationship: This host is the testing environment for copr's web interface
csi_security_category: Low
# consumed by roles/copr/certbot
letsencrypt:
certificates:
@ -38,3 +34,7 @@ tcp_ports: [22, 80, 443,
services_disabled: false
aws_ipv6_addr: "2600:1f18:8ee:ae00:66a:fd15:3f16:4092/128"
notes: |
Provide the testing environment of copr's frontend
This host is the testing environment for copr's web interface

@ -1,10 +1,5 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: "#fedora-admin"
csi_purpose: for developing reports against datanommerdb
csi_relationship: |
- This vm is for creating reports whicl once automated will be moved elsewhere.
csi_security_category: Low
deployment_type: prod
ipa_client_shell_groups:
- fi-apprentice
@ -20,3 +15,7 @@ max_mem_size: 8192
mem_size: 8192
num_cpus: 2
primary_auth_source: ipa
notes: |
for developing reports against datanommerdb
This vm is for creating reports whicl once automated will be moved elsewhere.
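Review bot: the second line of `notes` keeps the typo "whicl" from the removed `csi_relationship` line; it should be "which". The first line also starts in lower case ("for developing reports ..."), unlike the other notes in this commit.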

View file

@ -1,10 +1,6 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: "#fedora-admin"
csi_purpose: Provides debuginfod services
csi_relationship: |
- This server provides a debuginfod server to allow downloading debuginfod
csi_security_category: Low
deployment_type: prod
ipa_client_shell_groups:
- fi-apprentice
@ -21,3 +17,7 @@ mem_size: 24576
num_cpus: 4
primary_auth_source: ipa
tcp_ports: [8002]
notes: |
Provides debuginfod services
This server provides a debuginfod server to allow downloading debuginfod

View file

@ -1,10 +1,5 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: "#fedora-admin"
csi_purpose: Provides debuginfod services
csi_relationship: |
- This server provides a debuginfod server to allow downloading debuginfod
csi_security_category: Low
deployment_type: stg
ipa_client_shell_groups:
- fi-apprentice
@ -21,3 +16,7 @@ mem_size: 24576
num_cpus: 4
primary_auth_source: ipa
tcp_ports: [8002]
notes: |
Provides debuginfod services
This server provides a debuginfod server to allow downloading debuginfod
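Review bot: the `notes` block in this file, which sets `deployment_type: stg`, is word for word the same as the production one, so the MOTD will not tell an admin which environment they have logged into. Suggest naming staging in the first line. The second line ends "allow downloading debuginfod", which looks like it was meant to be "debuginfo"; the same wording is in the production file.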

View file

@ -1,14 +1,14 @@
---
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
csi_relationship: |
* Relies on ansible, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Builder vm's are hosted on hosts created with this playbook.
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
nrpe_procs_crit: 1000
nrpe_procs_warn: 900
virthost: true
notes: |
Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
* Relies on ansible, virthost, and is monitored by nagios
* Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
* Builder vm's are hosted on hosts created with this playbook.

View file

@ -1,8 +1,5 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Domain Name Service
csi_security_category: High
external: true
ipa_client_shell_groups:
- sysadmin-dns
@ -22,3 +19,5 @@ tcp_ports: [53]
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
udp_ports: [53]
notes: Domain Name Service

View file

@ -1,20 +1,5 @@
---
csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
csi_purpose: Centralized cache for any Flatpak requests from OpenQA
csi_relationship: |
This is to avoid slamming Flathub with requests during automated testing.
It hosts squid to cache anything under the flathub.org domain.
It is locked down to only allow requests from OpenQA.
* This host relies on:
The virthost it's hosted on (qvmhost-x86-02)
* Things that rely on this host:
Any requests using Flatpak from OpenQA.
If this host is down, OpenQA hosts might fail.
# For the MOTD
csi_security_category: Low
freezes: false
ipa_client_shell_groups:
- sysadmin-noc
@ -31,3 +16,18 @@ mem_size: 2048
num_cpus: 2
primary_auth_source: ipa
tcp_ports: [3128]
notes: |
Centralized cache for any Flatpak requests from OpenQA
This is to avoid slamming Flathub with requests during automated testing.
It hosts squid to cache anything under the flathub.org domain.
It is locked down to only allow requests from OpenQA.
* This host relies on:
The virthost it's hosted on (qvmhost-x86-02)
* Things that rely on this host:
Any requests using Flatpak from OpenQA.
If this host is down, OpenQA hosts might fail.

View file

@ -1,7 +1,6 @@
csi_purpose: GNOME Infrastructure Backups facility
csi_relationship: |
Provides rdiff-backup based backups to all the GNOME Infrastructure
machines and services
- This machine mainly relies on the Red Hat sponsored NetApp assigned
to the GNOME Project where all the backups do reside
freezes: False
notes: |
GNOME Infrastructure Backups facility
Provides rdiff-backup based backups to all the GNOME Infrastructure machines and services
* This machine mainly relies on the Red Hat sponsored NetApp assigned
to the GNOME Project where all the backups do reside

View file

@ -1,22 +1,6 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: Fedora admins - admin@fedoraproject.org
csi_purpose: Cache packages from koji for builders and others
csi_relationship: |
There are a few things running here:
- apache web server and varnish caching proxy.
- This host relies on:
- koji nfs storage
- proxy01/10 to proxy requests to it.
- Things that rely on this host:
- all koji builders/buildsystem
- koschei
- external users downloading packages from koji.
# For the MOTD
csi_security_category: Moderate
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
@ -42,3 +26,17 @@ num_cpus: 16
primary_auth_source: ipa
tcp_ports: [80, 8080]
varnish_group: kojipkgs
notes: |
Cache packages from koji for builders and others
There are a few things running here:
* apache web server and varnish caching.
This host relies on:
* koji nfs storage
* proxy01/10 to proxy requests to it.
Things that rely on this host:
* all koji builders/buildsystem
* koschei
* external users downloading packages from koji.
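Review bot: the first bullet of `notes` reads "apache web server and varnish caching.", while the removed `csi_relationship` line said "varnish caching proxy." A migration should carry the text over unchanged; restore "proxy" or explain the change. The removed text also nested the dependency items under "This host relies on:", and that nesting is flattened here.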

View file

@ -1,7 +1,4 @@
---
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Monitoring system
csi_security_category: High
deployment_type: prod
dns_external:
- ns-iad01.fedoraproject.org
@ -169,3 +166,5 @@ primary_auth_source: ipa
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [80, 443]
notes: Monitoring system

View file

@ -1,7 +1,4 @@
---
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: dhcp and pxe server for rdu-cc
csi_security_category: High
deployment_type: prod
ipa_client_shell_groups:
- sysadmin-noc
@ -11,3 +8,4 @@ ipa_client_sudo_groups:
- sysadmin-noc
ipa_host_group: NocRduCC
ipa_host_group_desc: Rdu CC noc
notes: dhcp and pxe server for rdu-cc

View file

@ -12,20 +12,7 @@ nft_custom_rules:
- 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject'
- 'add rule ip filter INPUT ip saddr 47.76.209.138 counter reject'
- 'add rule ip filter INPUT ip saddr 47.76.99.127 counter reject'
csi_primary_contact: Fedora admins - admin@fedoraproject.org
csi_purpose: Run the pagure instances for fedora
csi_relationship: |
There are a few things running here:
- The apache/mod_wsgi app for pagure
- This host relies on:
- A postgres db server running locally
- Things that rely on this host:
- nothing currently
# For the MOTD
csi_security_category: Low
db_backup_dir: ['/backups']
dbs_to_backup: ['pagure']
env: pagure
@ -98,3 +85,14 @@ tcp_ports: [22, 25, 80, 443, 8442, 8443, 8444, 8445,
# This is for the pagure public fedmsg relay
9940]
vpn: true
notes: |
Run the pagure instances for fedora
There are a few things running here:
* The apache/mod_wsgi app for pagure
* This host relies on:
* A postgres db server running locally
Things that rely on this host:
* nothing currently
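Review bot: in the new `notes` block "* This host relies on:" is a bullet while "Things that rely on this host:" is not, so the two section headings render at different levels. The staging copy of this text bullets both; pick one form and use it in both files.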

View file

@ -1,19 +1,6 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: Fedora admins - admin@fedoraproject.org
csi_purpose: Run the pagure instances for fedora
csi_relationship: |
There are a few things running here:
- The apache/mod_wsgi app for pagure
- This host relies on:
- A postgres db server running locally
- Things that rely on this host:
- nothing currently
# For the MOTD
csi_security_category: Low
env: pagure-staging
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
@ -88,3 +75,13 @@ tcp_ports: [22, 25, 80, 443, 9418,
# This is for the pagure public fedmsg relay
9940]
vpn: true
notes: |
Run the pagure instances for fedora
There are a few things running here:
* The apache/mod_wsgi app for pagure
* This host relies on:
* A postgres db server running locally
* Things that rely on this host:
* nothing currently

View file

@ -3,18 +3,7 @@ blocked_ips: []
clamscan_mailto: admin@fedoraproject.org
clamscan_paths:
- /srv/
csi_primary_contact: Fedora admins - admin@fedoraproject.org
csi_purpose: Provide hosting space for Fedora contributors and Fedora Planet
csi_relationship: |
- shell accounts and web space for fedora contributors
- web space for personal yum repos
- shared space for small group/personal git repos
Please be aware that this is a shared server, and you should not upload
Private/Secret SSH or GPG keys onto this system. Any such keys found
will be deleted.
# For the MOTD
csi_security_category: Low
# Neeed for rsync from log01 for logs.
custom_rules: ['-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
nft_custom_rules: ['add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept']
@ -43,3 +32,12 @@ ipa_host_group: people
ipa_host_group_desc: A place for people to host things
primary_auth_source: ipa
vpn: true
notes: |
* Provide hosting space for Fedora contributors and Fedora Planet
* shell accounts and web space for fedora contributors
* web space for personal yum repos
* shared space for small group/personal git repos
Please be aware that this is a shared server, and you should not upload Private/Secret SSH or GPG keys onto this system.
Any such keys found will be deleted.
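Review bot: the purpose line "Provide hosting space for Fedora contributors and Fedora Planet" is now a bullet at the same level as the three items that describe it, and the warning about Private/Secret SSH or GPG keys follows the list with nothing to set it apart. Suggest keeping the purpose as an unbulleted first line and putting a blank line before the key warning so it stands out in the MOTD.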

View file

@ -3,15 +3,7 @@
blocked_ip_v6: []
blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56']
collectd_apache: true
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Provides frontend (reverse) proxy for most web applications
csi_relationship: |
Using Apache -> haproxy, these hosts contact app servers and
other various hosts to provide web applications at sites like
fedoraproject.org and admin.fedoraproject.org. The proxy servers are
balanced via dns and geoIP and are spread all over the place.
# For the MOTD
csi_security_category: Moderate
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
@ -113,3 +105,9 @@ zabbix_templates:
template: "external_hosts_http.json" # Template name in roles/zabbix/zabbix_templates/files/templatename.json
custom_template: true # Is the template official template bundled with Zabbix or one of our custom templates
hostgroup: "fedora external hosts" # Zabbix hostgroup
notes: |
* Provides frontend (reverse) proxy for most web applications
* Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications at sites like
fedoraproject.org and admin.fedoraproject.org.
* The proxy servers are balanced via dns and geoIP and are spread all over the place.

View file

@ -1,15 +1,7 @@
---
# Define resources for this group of hosts here.
collectd_apache: true
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Provides frontend (reverse) proxy for most web applications
csi_relationship: |
Using Apache -> haproxy, these hosts contact app servers and
other various hosts to provide web applications at sites like
fedoraproject.org and admin.fedoraproject.org. The proxy servers are
balanced via dns and geoIP and are spread all over the place.
# For the MOTD
csi_security_category: Moderate
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
@ -97,3 +89,9 @@ tcp_ports: [
]
varnish_group: proxies
zabbix_templates: "{{ [] }}" # For the moment we have no proxies external to IAD2, if this changes, put in the changes in the production group.
notes: |
* Provides frontend (reverse) proxy for most web applications
* Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications
at sites like fedoraproject.org and admin.fedoraproject.org.
* The proxy servers are balanced via dns and geoIP and are spread all over the place.
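Review bot: the second bullet of `notes` wraps after "web applications" here but after "at sites like" in the production file, and in a `|` block each wrapped line is emitted as its own line. Use the same wrap in both files, and indent the continuation under the bullet so it does not read as a separate item.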

View file

@ -1,9 +1,6 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
csi_purpose: repospanner git syncing host
# For the MOTD
csi_security_category: Low
custom_rules: ['-A INPUT -p tcp -m tcp -s 8.43.84.211 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.84.212 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.85.76 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.149 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.20 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.85.78 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.191 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 140.211.169.199 --dport 8443:8445 -j ACCEPT']
nft_custom_rules:
- 'add rule ip filter INPUT ip saddr 8.43.84.211 tcp dport 8443-8445 counter accept'
@ -24,3 +21,5 @@ nagios_Check_Services:
sshd: false
swap: false
num_cpus: 8
notes: repospanner git syncing host

View file

@ -1,16 +1,4 @@
---
csi_primary_contact: "msrb, abrt-devel-list@redhat.com, Libera.chat #abrt"
csi_purpose: Provide a web interface and backend for ABRT Analytics and Retrace Server.
csi_relationship: |
Three services run on this server:
- An Apache httpd serves the web interface and backed functionality for
ABRT Analytics.
- The same server provides the HTTP endpoints for Retrace Server to allow
remote retracing of crashes in Fedora.
- PostgreSQL server for ABRT Analytics.
The retracing functionality relies on the debuginfod server
(debuginfod.fedoraproject.org).
custom_rules:
- '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 2049 -j ACCEPT'
- '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 5432 -j ACCEPT'
@ -62,3 +50,12 @@ nrpe_procs_warn: 1800
primary_auth_source: ipa
tcp_ports: [80, 443]
vpn: true
notes: |
Provide a web interface and backend for ABRT Analytics and Retrace Server.
Three services run on this server:
* An Apache httpd serves the web interface and backed functionality for ABRT Analytics.
* The same server provides the HTTP endpoints for Retrace Server to allow remote retracing of crashes in Fedora.
* PostgreSQL server for ABRT Analytics.
The retracing functionality relies on the debuginfod server (debuginfod.fedoraproject.org).
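Review bot: the first bullet of `notes` keeps "backed functionality" from the removed `csi_relationship` text; it should read "backend functionality", matching "web interface and backend" in the first line of the same block.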

View file

@ -1,6 +1,4 @@
---
csi_primary_contact: "msrb, abrt-devel-list@redhat.com, Libera.chat #abrt"
csi_purpose: Provide staging environment for ABRT Analytics and Retrace Server.
env: staging
nagios_Check_Services:
mail: false
@ -10,3 +8,4 @@ root_auth_users: msuchy mfabik mzidek
sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"
tcp_ports: [22, 80, 443]
vpn: true
notes: Provide staging environment for ABRT Analytics and Retrace Server.

View file

@ -1,19 +1,5 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Torrent master server for Fedora distribution
csi_relationship: |
torrent01 is the master torrent server for Fedora releases
This host relies on:
- The virthost it's hosted on (ibiblio05.fedoraproject.org)
- FAS to authenticate users
- VPN connectivity
Things that rely on this host:
- If this host is down, Fedora will lose a release distribution channel
- The Apache that displays the torrent website
- This server also has opentracker+ running to gather statistics for our torrent
csi_security_category: Low
ipa_client_shell_groups:
- fi-apprentice
- sysadmin-noc
@ -34,3 +20,16 @@ num_cpus: 2
primary_auth_source: ipa
tcp_ports: [53, 80, 443, 873, "6881:6999"]
udp_ports: [53]
notes: |
Torrent master server for Fedora distribution
torrent01 is the master torrent server for Fedora releases
This host relies on:
* The virthost it's hosted on (ibiblio05.fedoraproject.org)
* FAS to authenticate users
* VPN connectivity
Things that rely on this host:
* If this host is down, Fedora will lose a release distribution channel
* The Apache that displays the torrent website
* This server also has opentracker+ running to gather statistics for our torrent

View file

@ -1,15 +1,6 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: mote admins - sysadmin-mote-members@fedoraproject.org
csi_purpose: Hosts services which help facilitate communication over IRC and related mediums.
csi_relationship: |
There are a couple things running here.
* zodbot, a supybot instance. See the zodbot SOP for more info.
* fedmsg-irc, our fedmsg to IRC relay. 'journalctl -u fedmsg-irc'
* mote, a webapp running behind httpd that serves meetbot log files.
# For the MOTD
csi_security_category: Moderate
custom_rules: [
# Needed for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
@ -73,3 +64,10 @@ primary_auth_source: ipa
tcp_ports: [80, 443,
# These 16 ports are used by fedmsg. One for each wsgi thread.
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
notes: |
Hosts services which help facilitate communication over IRC and related mediums.
There are a couple things running here.
* zodbot, a supybot instance. See the zodbot SOP for more info.
* fedmsg-irc, our fedmsg to IRC relay. 'journalctl -u fedmsg-irc'
* mote, a webapp running behind httpd that serves meetbot log files.

View file

@ -1,15 +1,6 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: mote admins - sysadmin-mote-members@fedoraproject.org
csi_purpose: Hosts staging services which help facilitate communication over IRC and related mediums.
csi_relationship: |
There are a couple things running here.
* ursabot, a supybot instance. See the zodbot SOP for more info.
* fedmsg-irc, our staging fedmsg to IRC relay. 'journalctl -u fedmsg-irc'
* mote, a webapp running behind httpd that serves meetbot log files.
# For the MOTD
csi_security_category: Moderate
custom_rules: [
# Neeed for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
@ -73,3 +64,10 @@ num_cpus: 2
tcp_ports: [80, 443,
# These 16 ports are used by fedmsg. One for each wsgi thread.
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
notes: |
Hosts staging services which help facilitate communication over IRC and related mediums.
There are a couple things running here.
* ursabot, a supybot instance. See the zodbot SOP for more info.
* fedmsg-irc, our staging fedmsg to IRC relay. 'journalctl -u fedmsg-irc'
* mote, a webapp running behind httpd that serves meetbot log files.

View file

@ -1,14 +1,7 @@
---
# iscsi initiator for netapp iscsi volume
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Host guest virtual machines.
csi_relationship: |
- Guests on this host will be inaccessible if the host is down.
- This host will be required by any application with a virtual machine running on it, therefore, if this host is down those applications will be impacted.
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
nagios_Check_Services:
raid: true
netapp_nfs01_iscsi_name: iqn.1992-08.com.netapp:sn.1573980325:vf.f88732f4-106e-11e2-bc86-00a098162a28
@ -18,3 +11,9 @@ nrpe_procs_crit: 1500
nrpe_procs_warn: 1400
primary_auth_source: ipa
virthost: true
notes: |
Host guest virtual machines.
Guests on this host will be inaccessible if the host is down.
This host will be required by any application with a virtual machine running on it, therefore, if this host is down those applications will be impacted.

View file

@ -1,13 +1,5 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: "#fedora-admin"
csi_purpose: Provides our wiki
csi_relationship: |
- There are multiple servers that this service requires. All proxy servers and Wiki 1 and 2.
- Wiki requires the proxy servers in order for traffic to pass to them
- If the Apache processes stop on wiki01 and wiki02 the wiki will not display
- The wiki also requires fas for log in purposes
csi_security_category: Moderate
deployment_type: prod
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
@ -43,3 +35,10 @@ wikiname: "fp"
wikipath: "wiki"
wikiver: "mediawiki"
wpath: "w"
notes: |
- Provides our wiki
- There are multiple servers that this service requires. All proxy servers and Wiki 1 and 2.
- Wiki requires the proxy servers in order for traffic to pass to them
- If the Apache processes stop on wiki01 and wiki02 the wiki will not display
- The wiki also requires fas for log in purposes
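Review bot: this `notes` block uses "- " bullets while the other notes added in this commit use "* ", and the purpose "Provides our wiki" has become a bullet alongside the relationship items. Suggest an unbulleted purpose line followed by "* " items, as in the other files.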

View file

@ -1,11 +1,6 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: []
csi_purpose: []
csi_relationship: |
Test instance for zabbix server
# For the MOTD
csi_security_category: []
deployment_type: stg
ipa_client_shell_groups:
- fi-apprentice
@ -25,3 +20,4 @@ num_cpus: 4
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [80, 443]
notes: Test instanec for zabbix server
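Review bot: the added line `notes: Test instanec for zabbix server` introduces a typo that the removed `csi_relationship` text ("Test instance for zabbix server") did not have. The sibling zabbix file in this commit has the correct spelling; make this one match.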

View file

@ -1,11 +1,6 @@
---
# Define resources for this group of hosts here.
csi_primary_contact: []
csi_purpose: []
csi_relationship: |
Test instance for zabbix server
# For the MOTD
csi_security_category: []
deployment_type: stg
ipa_client_shell_groups:
- fi-apprentice
@ -25,3 +20,4 @@ num_cpus: 2
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [80, 443]
notes: Test instance for zabbix server

View file

@ -43,3 +43,4 @@ nrpe_procs_crit: 1300
nrpe_procs_warn: 1250
postfix_group: vpn
vpn: true
notes: "vhost at ibiblio"

View file

@ -52,3 +52,4 @@ postfix_transport_filename: transports.noc02.fedoraproject.org
vmhost: ibiblio02.fedoraproject.org
volgroup: /dev/vg_guests
vpn: true
notes: "This is an external nagios server located outside of PHX. It monitors our user websites/applications (fedoraproject.org, FAS, PackageDB, Bodhi/Updates)."
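Review bot: this note names PHX as the datacenter, while another file in this commit refers to IAD2 ("no proxies external to IAD2"). Please check that the location and the list of monitored applications (FAS, PackageDB, Bodhi/Updates) are still current before this text goes into the MOTD.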