motd generic template added

migrated notes from infra/hosts motd changes; excluding CSI infos removed csi_* vars from group_vars; converted csi_purpose & csi_relationship into notes fixed merge conflicts minor changes; var updating YAMLs & playbooks udpated YAMLs & playbooks again updated correctly; buildhw.yml fixing merge conflicts dest added in motd.yml
2025-01-06 13:04:00 +05:30 · 2025-01-06 13:04:00 +05:30 · b3d6a90b9a
commit b3d6a90b9a
parent 7799cc2478
112 changed files with 370 additions and 562 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -83,18 +83,8 @@ communishift_projects:
 copr_build_virthost: false
 # assume createrepo is true and this builder has the koji nfs mount to do that
 createrepo: True
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Unspecified
 csi_relationship: |
  Unspecified.
  * What hosts/services does this rely on?
  * What hosts/services rely on this?
  To update this text, add the csi_* vars to group_vars/ in ansible.
 # This vars get shoved into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: Unspecified
 custom6_rules: []
 custom_rules: []
 nft_custom6_rules: []
@ -323,3 +313,8 @@ wsgi_wants_apache: true
 # set no x-forward header by default
 x_forward: false
 #
 notes: |
  Unspecified.
    * What hosts/services does this rely on?
    * What hosts/services rely on this?
--- a/inventory/group_vars/autosign
+++ b/inventory/group_vars/autosign
@ -3,15 +3,7 @@
 ansible_ifcfg_allowlist:
  - eth0
  - eth1
 csi_primary_contact: Release Engineering - rel-eng@lists.fedoraproject.org
 csi_purpose: Automatically sign Rawhide and Branched packages
 csi_relationship: |
  This host will run the robosignatory application which should automatically sign
  builds.  It listens to koji over fedora-messaging for notifications of new builds,
  and then asks sigul, the signing server, to sign the rpms and store the new rpm
  header back in Koji.
 # For the MOTD
 csi_security_category: High
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
@ -31,3 +23,11 @@ lvm_size: 30000
 mem_size: 2048
 nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3"
 num_cpus: 2
 notes: |
  Automatically sign Rawhide and Branched packages
  This host will run the robosignatory application which should automatically sign
  builds.  It listens to koji over fedora-messaging for notifications of new builds,
  and then asks sigul, the signing server, to sign the rpms and store the new rpm
  header back in Koji.
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@ -1,17 +1,7 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: sysadmin-main admin@fedoraproject.org
 csi_purpose: SSH proxy to access infrastructure not exposed to the web
 csi_relationship: |
  - Provides ssh access to all iad2/vpn connected servers.
  - Bastion is the hub for all infrastructure's VPN connections.
  - All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
    pass or are filtered here.
  - Bastion does not accept any mail outside phx2/vpn.
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: High
 #
 # drop incoming traffic from less trusted vpn hosts
 # allow ntp from internal RH 10 nets
@ -72,3 +62,11 @@ primary_auth_source: ipa
 #
 tcp_ports: [22, 1194]
 udp_ports: [1194]
 notes: |
  SSH proxy to access infrastructure not exposed to the web
  * Provides ssh access to all iad2/vpn connected servers.
  * Bastion is the hub for all infrastructure's VPN connections.
  * All incoming SMTP from iad2 and VPN, as well as outgoing SMTP, pass or are filtered here.
  * Bastion does not accept any mail outside phx2/vpn.
--- a/inventory/group_vars/bastion_stg
+++ b/inventory/group_vars/bastion_stg
@ -11,18 +11,8 @@ bastion_ipa_client_shell_groups:
 # this only works if the `batcave_stg` group and at least one host in it is defined
 # batcave_ipa_client_shell_groups: "{{ hostvars[groups['batcave_stg'][0]]['ipa_client_shell_groups'] | default([]) }}"
 batcave_ipa_client_shell_groups: []
 csi_primary_contact: sysadmin-main admin@fedoraproject.org
 csi_purpose: SSH proxy to access STAGING infrastructure not exposed to the web
 csi_relationship: |
  - Provides ssh access to all iad2/vpn connected servers.
  - Bastion is the hub for all infrastructure's VPN connections.
  - All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
    pass or are filtered here.
  - Bastion does not accept any mail outside phx2/vpn.
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: High
 #
 # drop incoming traffic from less trusted vpn hosts
 # allow ntp from internal RH 10 nets
@ -57,3 +47,10 @@ num_cpus: 4
 #
 tcp_ports: [22, 25, 1194]
 udp_ports: [1194]
 notes: |
  SSH proxy to access STAGING infrastructure not exposed to the web
  * Provides ssh access to all iad2/vpn connected servers.
  * Bastion is the hub for all infrastructure's VPN connections.
  * All incoming SMTP from iad2 and VPN, as well as outgoing SMTP, pass or are filtered here.
  * Bastion does not accept any mail outside phx2/vpn.
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@ -1,23 +1,6 @@
 ---
 ansible_base: /srv/web/infra
 csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
 csi_purpose: Central management host for ansible
 csi_relationship: |
  From the batcave batman ventures out to fight crime and protect gotham city!
  batcave is the central management host for ansible.
  It also is the infrastructure.fedoraproject.org website with various content.
  It houses a number of infrastructure git repos.
  * This host relies on:
  The virthost it's hosted on (virthost22)
  * Things that rely on this host:
  Things that access rhel/fedora/infra rpm repos, including builders and infra hosts.
  If this host is down, ansible runs cannot be made to update other hosts.
  If this host is down, crime may go up in gotham city.
 # For the MOTD
 csi_security_category: High
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
 nft_custom_rules:
@ -80,3 +63,20 @@ tcp_ports: [80, 443, 8442, 8443]
 vpn: true
 nagios_Check_Services:
    swap: false
 notes: |
  Central management host for ansible
  From the batcave batman ventures out to fight crime and protect gotham city!
  batcave is the central management host for ansible.
  It also is the infrastructure.fedoraproject.org website with various content.
  It houses a number of infrastructure git repos.
  This host relies on:
    * The virthost it's hosted on (virthost22)
  Things that rely on this host:
    * Things that access rhel/fedora/infra rpm repos, including builders and infra hosts.
    * If this host is down, ansible runs cannot be made to update other hosts.
    * If this host is down, crime may go up in gotham city.
--- a/inventory/group_vars/bodhi_backend_stg
+++ b/inventory/group_vars/bodhi_backend_stg
@ -4,28 +4,7 @@ bodhi_message_queue_name: "bodhi{{ env_suffix }}_composer"
 # Define the topics that our fedora-messaging queue should be subscribed to.
 bodhi_message_routing_keys:
  - "org.fedoraproject.*.bodhi.composer.start"
 csi_primary_contact: Releng Admins sysadmin-releng-members@fedoraproject.org
 csi_purpose: Run the Bodhi masher.
 csi_relationship: |
  The mashing of repos here happens as part of the 'fedmsg-hub' daemon.  Check
  logs with 'journalctl -u fedmsg-hub'.  Check the bodhi masher docs/code for
  more detail on what it does:
  https://github.com/fedora-infra/bodhi/blob/develop/bodhi/consumers/masher.py
  * This host relies on:
    * db01 for its database, which is shares with the bodhi2 frontend nodes.
    * An NFS mount of koji data in /mnt/koji/
    * The fedmsg bus for triggering mashes.
    * XMLRPC calls to koji for tagging and untagging updates.
    * bugzilla for posting comments about status changes
    * the wiki for getting information about QA "Test Cases"
    * taksotron (resultsdb) for getting status-check results (gating updates).
  * No other systems rely directly on this host.  Everything depends on it
    indirectly for the creation of new updates repos (which get synced out to
    the master mirror for distribution.
 # For the MOTD
 csi_security_category: Moderate
 # Make connections from signing bridges stateless, they break sigul connections
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 # this is sign-bridge01.iad2 ip 10.3.169.120
@ -48,3 +27,25 @@ nrpe_procs_warn: 900
 num_cpus: 2
 # Use the infra-testing repo
 testing: True
 notes: |
  Run the Bodhi masher.
  The mashing of repos here happens as part of the 'fedmsg-hub' daemon.
  Check logs with 'journalctl -u fedmsg-hub'.
  Check the bodhi masher docs/code for more detail on what it does:
    https://github.com/fedora-infra/bodhi/blob/develop/bodhi/consumers/masher.py
  * This host relies on:
    * db01 for its database, which is shares with the bodhi2 frontend nodes.
    * An NFS mount of koji data in /mnt/koji/
    * The fedmsg bus for triggering mashes.
    * XMLRPC calls to koji for tagging and untagging updates.
    * bugzilla for posting comments about status changes
    * the wiki for getting information about QA "Test Cases"
    * taksotron (resultsdb) for getting status-check results (gating updates).
  * No other systems rely directly on this host.  Everything depends on it
    indirectly for the creation of new updates repos (which get synced out to
    the master mirror for distribution.
--- a/inventory/group_vars/buildhw
+++ b/inventory/group_vars/buildhw
@ -1,14 +1,7 @@
 ---
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project.
 csi_relationship: |
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should ovveride them with specific info.
-# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
 csi_security_category: High
 docker_registry: "candidate-registry.fedoraproject.org"
 freezes: true
 host_group: kojibuilder
@ -19,3 +12,10 @@ koji_server_url: "https://koji.fedoraproject.org/kojihub"
 koji_topurl: "https://kojipkgs.fedoraproject.org/"
 koji_weburl: "https://koji.fedoraproject.org/koji"
 source_registry: "registry.fedoraproject.org"
 notes: |
  Koji service employs a set of machines to build packages for the Fedora project.
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
--- a/inventory/group_vars/buildvm
+++ b/inventory/group_vars/buildvm
@ -1,13 +1,5 @@
 ---
 # common items for the buildvm-* koji builders
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
 csi_relationship: |
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
 csi_security_category: High
 dns: 10.3.163.33
 docker_registry: "candidate-registry.fedoraproject.org"
 eth0_ipv4_gw: 10.3.169.254
@ -29,3 +21,11 @@ num_cpus: 6
 source_registry: "registry.fedoraproject.org"
 virt_install_command: "{{ virt_install_command_one_nic_unsafe }}"
 volgroup: /dev/BuildGuests
 notes: |
  Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
--- a/inventory/group_vars/buildvm_aarch64
+++ b/inventory/group_vars/buildvm_aarch64
@ -1,13 +1,5 @@
 ---
 # common items for the buildvm-aarch64* koji builders
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
 csi_relationship: |
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
 csi_security_category: High
 dns: 10.3.163.33
 docker_registry: "candidate-registry.fedoraproject.org"
 eth0_ipv4_gw: 10.3.170.254
@ -30,3 +22,10 @@ num_cpus: 12
 source_registry: "registry.fedoraproject.org"
 virt_install_command: "{{ virt_install_command_aarch64_one_nic_unsafe }}"
 volgroup: /dev/vg_guests
 notes: |
  Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
--- a/inventory/group_vars/buildvm_aarch64_stg
+++ b/inventory/group_vars/buildvm_aarch64_stg
@ -1,14 +1,6 @@
 ---
 # common items for the buildvm-* koji builders
 createrepo: True
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
 csi_relationship: |
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
 csi_security_category: High
 datacenter: iad2
 dns: 10.3.163.33
 docker_registry: "candidate-registry.stg.fedoraproject.org"
@ -23,7 +15,6 @@ koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
 koji_topurl: "https://kojipkgs.stg.fedoraproject.org/"
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should ovveride them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 koji_weburl: "https://koji.stg.fedoraproject.org/koji"
 ks_repo: https://infrastructure.fedoraproject.org/pub/fedora/linux/releases/41/Server/aarch64/os/
@ -38,3 +29,10 @@ source_registry: "registry.stg.fedoraproject.org"
 # this is to enable nested virt, which we need for some builds
 virt_install_command: "{{ virt_install_command_aarch64_one_nic_unsafe }}"
 volgroup: /dev/vg_guests
 notes: |
  Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
--- a/inventory/group_vars/buildvm_osbuild_ppc64le
+++ b/inventory/group_vars/buildvm_osbuild_ppc64le
@ -1,11 +1,4 @@
 # common variables for osbuild workers
 csi_primary_contact: Image Builder team - osbuilders@redhat.com
 csi_purpose: This group of VMs builds OS images via Koji using image builder for ppc64le architecture.
 csi_relationship: |
  * Relies on koji-hub and image-builder-api (external).
  * Produces automated builds of OS images for the architecture listed. Wokers can be scaled by adding new
    virtual instances
 datacenter: iad2
 dns: 10.3.163.33
 dns_search1: iad2.fedoraproject.org
@ -45,3 +38,9 @@ osbuild_worker_koji_instances:
  - koji_host: "koji.fedoraproject.org"
    krb_principal: "osbuild-automation-bot@FEDORAPROJECT.ORG"
    krb_keytab_file: "{{ private }}/files/osbuild/worker_koji.keytab"
 notes: |
  This group of VMs builds OS images via Koji using image builder for ppc64le architecture.
  * Relies on koji-hub and image-builder-api (external).
  * Produces automated builds of OS images for the architecture listed. Wokers can be scaled by adding new
    virtual instances
--- a/inventory/group_vars/buildvm_osbuild_ppc64le_staging
+++ b/inventory/group_vars/buildvm_osbuild_ppc64le_staging
@ -1,11 +1,4 @@
 # common variables for osbuild workers (staging)
 csi_primary_contact: Image Builder team - osbuilders@redhat.com
 csi_purpose: This group of VMs builds OS images via Koji (staging) using image builder for ppc64le architecture.
 csi_relationship: |
  * Relies on koji-hub and image-builder-api (external).
  * Produces automated builds of OS images for the architecture listed. Wokers can be scaled by adding new
    virtual instances
 datacenter: iad2
 dns: 10.3.163.33
 dns_search1: iad2.fedoraproject.org
@ -45,3 +38,9 @@ osbuild_worker_koji_instances:
  - koji_host: "koji.stg.fedoraproject.org"
    krb_principal: "osbuild-automation-bot@STG.FEDORAPROJECT.ORG"
    krb_keytab_file: "{{ private }}/files/osbuild/worker_stg_koji.keytab"
 notes: |
  This group of VMs builds OS images via Koji (staging) using image builder for ppc64le architecture.
  * Relies on koji-hub and image-builder-api (external).
  * Produces automated builds of OS images for the architecture listed. Wokers can be scaled by adding new
    virtual instances
--- a/inventory/group_vars/buildvm_ppc64le
+++ b/inventory/group_vars/buildvm_ppc64le
@ -1,15 +1,6 @@
 # common items for the buildvm-* koji builders
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of virtual machines to build packages for the Fedora project. This group builds packages for ppcle architecture.
 csi_relationship: |
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
  * virtual instances
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should ovveride them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: High
 datacenter: iad2
 dns: 10.3.163.33
 eth0_ipv4_gw: 10.3.171.254
@ -32,4 +23,13 @@ max_mem_size: 20480
 mem_size: 20480
 num_cpus: 8
 virt_install_command: "{{ virt_install_command_ppc64le_one_nic_unsafe }}"
-volgroup: /dev/vg_virt_buildvm_ppc64le_iscsi
+
 volgroup: /dev/vg_guests
 notes: |
  Koji service employs a set of virtual machines to build packages for the Fedora project. This group builds packages for ppcle architecture.
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
  * virtual instances
--- a/inventory/group_vars/buildvm_ppc64le_stg
+++ b/inventory/group_vars/buildvm_ppc64le_stg
@ -1,14 +1,6 @@
 ---
 # common items for the buildvm-* koji builders
 createrepo: True
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
 csi_relationship: |
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
 csi_security_category: High
 datacenter: staging
 dns: 10.3.163.33
 docker_registry: "candidate-registry.stg.fedoraproject.org"
@ -23,7 +15,6 @@ koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
 koji_topurl: "https://kojipkgs.stg.fedoraproject.org/"
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should ovveride them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 koji_weburl: "https://koji.stg.fedoraproject.org/koji"
 ks_repo: https://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/41/Server/ppc64le/os/
@ -37,3 +28,10 @@ num_cpus: 4
 source_registry: "registry.stg.fedoraproject.org"
 virt_install_command: "{{ virt_install_command_ppc64le_one_nic_unsafe }}"
 volgroup: /dev/vg_guests
 notes: |
  Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
--- a/inventory/group_vars/buildvm_s390x
+++ b/inventory/group_vars/buildvm_s390x
@ -1,13 +1,5 @@
 ---
 createrepo: False
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
 csi_relationship: |
  * VMs built on top of a s390x LPAR
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
 csi_security_category: High
 dns1: 10.3.163.33
 dns2: 10.3.163.34
 dns_search1: "iad2.fedoraproject.org"
@ -30,3 +22,10 @@ varnish_group: s390kojipkgs
 virt_install_command: "{{ virt_install_command_s390x_one_nic }}"
 vmhost: bvmhost-s390x-01.s390.fedoraproject.org
 volgroup: /dev/vg_guests
 notes: |
  Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
  * VMs built on top of a s390x LPAR
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
--- a/inventory/group_vars/buildvm_s390x_stg
+++ b/inventory/group_vars/buildvm_s390x_stg
@ -1,13 +1,5 @@
 ---
 createrepo: False
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
 csi_relationship: |
  * VMs built on top of a s390x LPAR
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
 csi_security_category: High
 host_group: kojibuilder
 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
@ -16,3 +8,10 @@ koji_weburl: "https://koji.stg.fedoraproject.org/koji"
 ks_repo: https://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/41/Server/s390x/os/
 ks_url: https://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-fedora
 virt_install_command: "{{ virt_install_command_s390x_one_nic_unsafe }}"
 notes: |
  Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.
  * VMs built on top of a s390x LPAR
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
--- a/inventory/group_vars/buildvm_stg
+++ b/inventory/group_vars/buildvm_stg
@ -1,13 +1,5 @@
 ---
 # common items for the buildvm-* koji builders
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
 csi_relationship: |
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
 csi_security_category: High
 datacenter: iad2
 dns1: 10.3.163.33
 docker_registry: "candidate-registry.stg.fedoraproject.org"
@ -23,7 +15,6 @@ koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
 koji_topurl: "https://kojipkgs.stg.fedoraproject.org/"
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should ovveride them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 koji_weburl: "https://koji.stg.fedoraproject.org/koji"
 ks_repo: https://infrastructure.fedoraproject.org/pub/fedora/linux/releases/41/Server/x86_64/os/
@ -37,3 +28,10 @@ resolvconf: "resolv.conf/iad2"
 source_registry: "registry.fedoraproject.org"
 virt_install_command: "{{ virt_install_command_one_nic_unsafe }}"
 volgroup: /dev/vg_guests
 notes: |
  Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders (staging).
  * VMs built on top of buildvmhost
  * Relies on koji-hub, Packages, PkgDB, apache, fedmsg, fas, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Produces automated builds of packages for the architecture listed. Builders can be scaled by adding new
--- a/inventory/group_vars/buildvmhost
+++ b/inventory/group_vars/buildvmhost
@ -1,17 +1,15 @@
 ---
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
 csi_relationship: |
  * Relies on ansible, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Builder vm's are hosted on hosts created with this playbook.
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should ovveride them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: High
 nested: True
 nrpe_procs_crit: 1800
 nrpe_procs_warn: 1700
 virthost: true
 nagios_Check_Services:
    swap: false
 notes: |
  Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
  * Relies on ansible, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Builder vm's are hosted on hosts created with this playbook.
--- a/inventory/group_vars/copr_back_aws
+++ b/inventory/group_vars/copr_back_aws
@ -6,15 +6,8 @@ copr_backend_target: copr-backend.target
 # Copr vars
 copr_hostbase: copr-be
 csi_primary_contact: "msuchy (mirek), frostyx, praiskup IRC #fedora-admin, #fedora-buildsys"
 csi_purpose: Provide the backend for copr (3rd party packages)
 csi_relationship: |
  - Backend: Management of copr cloud infrastructure (OpenStack).
  - Small frontend with copr's public stats
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: High
 description: copr dispatcher and repo server
 do_sign: "true"
 host_backup_targets: ['/var/lib/copr/public_html/results']
@ -59,3 +52,8 @@ copr_backend_data_raid10_volumes:
 copr_backend_data_2_raid1_volumes:
  - nvme-Amazon_Elastic_Block_Store_vol0f226a7163d28d8fd-part1
  - nvme-Amazon_Elastic_Block_Store_vol07293869d85a750b8-part1
 notes: |
  Provide the backend for copr (3rd party packages)
  * Backend: Management of copr cloud infrastructure (OpenStack).
  * Small frontend with copr's public stats
--- a/inventory/group_vars/copr_back_dev_aws
+++ b/inventory/group_vars/copr_back_dev_aws
@ -7,13 +7,8 @@ copr_backend_target: copr-backend.target
 # Copr vars
 copr_hostbase: copr-be-dev
 csi_primary_contact: "msuchy (mirek), frostyx, praiskup IRC #fedora-admin, #fedora-buildsys"
 csi_purpose: Provide the testing environment of copr's backend
 csi_relationship: This host is the testing environment for the cloud infrastructure of copr's backend
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: Moderate
 description: copr dispatcher and repo server - dev instance
 do_sign: "true"
 # consumed by roles/copr/certbot
@ -53,3 +48,7 @@ copr_backend_data_raid10_volumes:
 copr_backend_data_2_raid1_volumes:
  - nvme-Amazon_Elastic_Block_Store_vol0ce8220e998e2e32a-part1
  - nvme-Amazon_Elastic_Block_Store_vol0038e042c49987b82-part1
 notes: |
  Provide the testing environment of copr's backend
  This host is the testing environment for the cloud infrastructure of copr's backend
--- a/inventory/group_vars/copr_db_all
+++ b/inventory/group_vars/copr_db_all
@ -1,6 +1,6 @@
 ---
 csi_primary_contact: "msuchy (mirek), frostyx,  praiskup IRC #fedora-admin, #fedora-buildsys"
 csi_purpose: Provide the testing environment of copr's db
 csi_relationship: This host is the testing environment for copr's database
 csi_security_category: Low
 tcp_ports: [22, 5432]
 notes: |
  Provide the testing environment of copr's db
  This host is the testing environment for copr's database
--- a/inventory/group_vars/copr_front_aws
+++ b/inventory/group_vars/copr_front_aws
@ -8,15 +8,8 @@ copr_messaging_queue: "a9b74258-21c6-4e79-ba65-9e858dc84a2b"
 copr_pagure_events:
  io.pagure.prod.pagure: "https://pagure.io/"
  org.fedoraproject.prod.pagure: "https://src.fedoraproject.org/"
 csi_primary_contact: "msuchy (mirek), frostyx, praiskup IRC #fedora-admin, #fedora-buildsys"
 csi_purpose: Provide a publicly accessible frontend for 3rd party packages (copr)
 csi_relationship: |
  - This host provides the frontend part of copr only.
  - It's the point of contact between end users and the copr build system (backend, package singer)
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: Moderate
 # consumed by roles/copr/certbot
 letsencrypt:
  certificates:
@ -33,3 +26,8 @@ tcp_ports: [22, 80, 443,
 services_disabled: false
 aws_ipv6_addr: "2600:1f18:8ee:ae00:9d1f:4737:93ce:6db/128"
 notes: |
  Provide a publicly accessible frontend for 3rd party packages (copr)
  This host provides the frontend part of copr only.
  It's the point of contact between end users and the copr build system (backend, package singer)
--- a/inventory/group_vars/copr_front_dev_aws
+++ b/inventory/group_vars/copr_front_dev_aws
@ -14,10 +14,6 @@ copr_pagure_events:
  io.pagure.prod.pagure: "https://pagure.io/"
  io.pagure.stg.pagure: "https://stg.pagure.io"
  org.fedoraproject.prod.pagure: "https://src.fedoraproject.org/"
 csi_primary_contact: "msuchy (mirek), frostyx,  praiskup IRC #fedora-admin, #fedora-buildsys"
 csi_purpose: Provide the testing environment of copr's frontend
 csi_relationship: This host is the testing environment for copr's web interface
 csi_security_category: Low
 # consumed by roles/copr/certbot
 letsencrypt:
  certificates:
@ -38,3 +34,7 @@ tcp_ports: [22, 80, 443,
 services_disabled: false
 aws_ipv6_addr: "2600:1f18:8ee:ae00:66a:fd15:3f16:4092/128"
 notes: |
  Provide the testing environment of copr's frontend
  This host is the testing environment for copr's web interface
--- a/inventory/group_vars/data_reports
+++ b/inventory/group_vars/data_reports
@ -1,10 +1,5 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: "#fedora-admin"
 csi_purpose: for developing reports against datanommerdb
 csi_relationship: |
  - This vm is for creating reports whicl once automated will be moved elsewhere.
 csi_security_category: Low
 deployment_type: prod
 ipa_client_shell_groups:
  - fi-apprentice
@ -20,3 +15,7 @@ max_mem_size: 8192
 mem_size: 8192
 num_cpus: 2
 primary_auth_source: ipa
 notes: |
  for developing reports against datanommerdb
  This vm is for creating reports whicl once automated will be moved elsewhere.
--- a/inventory/group_vars/debuginfod
+++ b/inventory/group_vars/debuginfod
@ -1,10 +1,6 @@
 ---
 # Define resources for this group of hosts here.
-csi_primary_contact: "#fedora-admin"
+
 csi_purpose: Provides debuginfod services
 csi_relationship: |
  - This server provides a debuginfod server to allow downloading debuginfod
 csi_security_category: Low
 deployment_type: prod
 ipa_client_shell_groups:
  - fi-apprentice
@ -21,3 +17,7 @@ mem_size: 24576
 num_cpus: 4
 primary_auth_source: ipa
 tcp_ports: [8002]
 notes: |
  Provides debuginfod services
  This server provides a debuginfod server to allow downloading debuginfod
--- a/inventory/group_vars/debuginfod_stg
+++ b/inventory/group_vars/debuginfod_stg
@ -1,10 +1,5 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: "#fedora-admin"
 csi_purpose: Provides debuginfod services
 csi_relationship: |
  - This server provides a debuginfod server to allow downloading debuginfod
 csi_security_category: Low
 deployment_type: stg
 ipa_client_shell_groups:
  - fi-apprentice
@ -21,3 +16,7 @@ mem_size: 24576
 num_cpus: 4
 primary_auth_source: ipa
 tcp_ports: [8002]
 notes: |
  Provides debuginfod services
  This server provides a debuginfod server to allow downloading debuginfod
--- a/inventory/group_vars/dell_fx_build
+++ b/inventory/group_vars/dell_fx_build
@ -1,14 +1,14 @@
 ---
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
 csi_relationship: |
  * Relies on ansible, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Builder vm's are hosted on hosts created with this playbook.
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should ovveride them with specific info.
-# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
 csi_security_category: High
 nrpe_procs_crit: 1000
 nrpe_procs_warn: 900
 virthost: true
 notes: |
  Koji service employs a set of virtual machines to build packages for the Fedora project. This playbook is for the provisioning of a physical host for buildvm's.
  * Relies on ansible, virthost, and is monitored by nagios
  * Several services rely on the builders, including koschei, Bodhi, Tagger, SCM, Darkserver.
  * Builder vm's are hosted on hosts created with this playbook.
--- a/inventory/group_vars/dns
+++ b/inventory/group_vars/dns
@ -1,8 +1,5 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Domain Name Service
 csi_security_category: High
 external: true
 ipa_client_shell_groups:
  - sysadmin-dns
@ -22,3 +19,5 @@ tcp_ports: [53]
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 udp_ports: [53]
 notes: Domain Name Service
--- a/inventory/group_vars/flatpak_cache
+++ b/inventory/group_vars/flatpak_cache
@ -1,20 +1,5 @@
 ---
 csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
 csi_purpose: Centralized cache for any Flatpak requests from OpenQA
 csi_relationship: |
  This is to avoid slamming Flathub with requests during automated testing.
  It hosts squid to cache anything under the flathub.org domain.
  It is locked down to only allow requests from OpenQA.
  * This host relies on:
  The virthost it's hosted on (qvmhost-x86-02)
  * Things that rely on this host:
  Any requests using Flatpak from OpenQA.
  If this host is down, OpenQA hosts might fail.
 # For the MOTD
 csi_security_category: Low
 freezes: false
 ipa_client_shell_groups:
  - sysadmin-noc
@ -31,3 +16,18 @@ mem_size: 2048
 num_cpus: 2
 primary_auth_source: ipa
 tcp_ports: [3128]
 notes: |
  Centralized cache for any Flatpak requests from OpenQA
  This is to avoid slamming Flathub with requests during automated testing.
  It hosts squid to cache anything under the flathub.org domain.
  It is locked down to only allow requests from OpenQA.
  * This host relies on:
    The virthost it's hosted on (qvmhost-x86-02)
  * Things that rely on this host:
    Any requests using Flatpak from OpenQA.
  If this host is down, OpenQA hosts might fail.
--- a/inventory/group_vars/gnome_backups
+++ b/inventory/group_vars/gnome_backups
@ -1,7 +1,6 @@
 csi_purpose: GNOME Infrastructure Backups facility
 csi_relationship: |
  Provides rdiff-backup based backups to all the GNOME Infrastructure
  machines and services
  - This machine mainly relies on the Red Hat sponsored NetApp assigned
    to the GNOME Project where all the backups do reside
 freezes: False
 notes: |
  GNOME Infrastructure Backups facility
  Provides rdiff-backup based backups to all the GNOME Infrastructure machines and services
    * This machine mainly relies on the Red Hat sponsored NetApp assigned
      to the GNOME Project where all the backups do reside
--- a/inventory/group_vars/kojipkgs
+++ b/inventory/group_vars/kojipkgs
@ -1,22 +1,6 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: Fedora admins - admin@fedoraproject.org
 csi_purpose: Cache packages from koji for builders and others
 csi_relationship: |
  There are a few things running here:
  - apache web server and varnish caching proxy.
  - This host relies on:
    - koji nfs storage
    - proxy01/10 to proxy requests to it.
  - Things that rely on this host:
    - all koji builders/buildsystem
    - koschei
    - external users downloading packages from koji.
 # For the MOTD
 csi_security_category: Moderate
 custom_rules: [
  # Need for rsync from log01 for logs.
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
@ -42,3 +26,17 @@ num_cpus: 16
 primary_auth_source: ipa
 tcp_ports: [80, 8080]
 varnish_group: kojipkgs
 notes: |
  Cache packages from koji for builders and others
  There are a few things running here:
    * apache web server and varnish caching.
    This host relies on:
      * koji nfs storage
      * proxy01/10 to proxy requests to it.
    Things that rely on this host:
      * all koji builders/buildsystem
      * koschei
      * external users downloading packages from koji.
--- a/inventory/group_vars/nagios
+++ b/inventory/group_vars/nagios
@ -1,7 +1,4 @@
 ---
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Monitoring system
 csi_security_category: High
 deployment_type: prod
 dns_external:
  - ns-iad01.fedoraproject.org
@ -169,3 +166,5 @@ primary_auth_source: ipa
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 tcp_ports: [80, 443]
 notes: Monitoring system
--- a/inventory/group_vars/noc_rdu_cc
+++ b/inventory/group_vars/noc_rdu_cc
@ -1,7 +1,4 @@
 ---
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: dhcp and pxe server for rdu-cc
 csi_security_category: High
 deployment_type: prod
 ipa_client_shell_groups:
  - sysadmin-noc
@ -11,3 +8,4 @@ ipa_client_sudo_groups:
  - sysadmin-noc
 ipa_host_group: NocRduCC
 ipa_host_group_desc: Rdu CC noc
 notes: dhcp and pxe server for rdu-cc
--- a/inventory/group_vars/pagure
+++ b/inventory/group_vars/pagure
@ -12,20 +12,7 @@ nft_custom_rules:
  - 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject'
  - 'add rule ip filter INPUT ip saddr 47.76.209.138  counter reject'
  - 'add rule ip filter INPUT ip saddr 47.76.99.127   counter reject'
 csi_primary_contact: Fedora admins - admin@fedoraproject.org
 csi_purpose: Run the pagure instances for fedora
 csi_relationship: |
  There are a few things running here:
  - The apache/mod_wsgi app for pagure
  - This host relies on:
    - A postgres db server running locally
  - Things that rely on this host:
    - nothing currently
 # For the MOTD
 csi_security_category: Low
 db_backup_dir: ['/backups']
 dbs_to_backup: ['pagure']
 env: pagure
@ -98,3 +85,14 @@ tcp_ports: [22, 25, 80, 443, 8442, 8443, 8444, 8445,
  # This is for the pagure public fedmsg relay
  9940]
 vpn: true
 notes: |
  Run the pagure instances for fedora
  There are a few things running here:
    * The apache/mod_wsgi app for pagure
    * This host relies on:
      * A postgres db server running locally
  Things that rely on this host:
    * nothing currently
--- a/inventory/group_vars/pagure_stg
+++ b/inventory/group_vars/pagure_stg
@ -1,19 +1,6 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: Fedora admins - admin@fedoraproject.org
 csi_purpose: Run the pagure instances for fedora
 csi_relationship: |
  There are a few things running here:
  - The apache/mod_wsgi app for pagure
  - This host relies on:
    - A postgres db server running locally
  - Things that rely on this host:
    - nothing currently
 # For the MOTD
 csi_security_category: Low
 env: pagure-staging
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
@ -88,3 +75,13 @@ tcp_ports: [22, 25, 80, 443, 9418,
  # This is for the pagure public fedmsg relay
  9940]
 vpn: true
 notes: |
  Run the pagure instances for fedora
  There are a few things running here:
    * The apache/mod_wsgi app for pagure
    * This host relies on:
      * A postgres db server running locally
    * Things that rely on this host:
      * nothing currently
--- a/inventory/group_vars/people
+++ b/inventory/group_vars/people
@ -3,18 +3,7 @@ blocked_ips: []
 clamscan_mailto: admin@fedoraproject.org
 clamscan_paths:
  - /srv/
 csi_primary_contact: Fedora admins - admin@fedoraproject.org
 csi_purpose: Provide hosting space for Fedora contributors and Fedora Planet
 csi_relationship: |
  - shell accounts and web space for fedora contributors
  - web space for personal yum repos
  - shared space for small group/personal git repos
   Please be aware that this is a shared server, and you should not upload
   Private/Secret SSH or GPG keys onto this system. Any such keys found
   will be deleted.
 # For the MOTD
 csi_security_category: Low
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
 nft_custom_rules: ['add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept']
@ -43,3 +32,12 @@ ipa_host_group: people
 ipa_host_group_desc: A place for people to host things
 primary_auth_source: ipa
 vpn: true
 notes: |
  * Provide hosting space for Fedora contributors and Fedora Planet
  * shell accounts and web space for fedora contributors
  * web space for personal yum repos
  * shared space for small group/personal git repos
  Please be aware that this is a shared server, and you should not upload Private/Secret SSH or GPG keys onto this system.
  Any such keys found will be deleted.
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@ -3,15 +3,7 @@
 blocked_ip_v6: []
 blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56']
 collectd_apache: true
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Provides frontend (reverse) proxy for most web applications
 csi_relationship: |
  Using Apache -> haproxy, these hosts contact app servers and
      other various hosts to provide web applications at sites like
      fedoraproject.org and admin.fedoraproject.org.  The proxy servers are
      balanced via dns and geoIP and are spread all over the place.
 # For the MOTD
 csi_security_category: Moderate
 custom_rules: [
  # Need for rsync from log01 for logs.
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
@ -113,3 +105,9 @@ zabbix_templates:
    template: "external_hosts_http.json" # Template name in roles/zabbix/zabbix_templates/files/templatename.json
    custom_template: true # Is the template official template bundled with Zabbix or one of our custom templates
    hostgroup: "fedora external hosts" # Zabbix hostgroup
 notes: |
  * Provides frontend (reverse) proxy for most web applications
  * Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications at sites like
    fedoraproject.org and admin.fedoraproject.org.
  * The proxy servers are balanced via dns and geoIP and are spread all over the place.
--- a/inventory/group_vars/proxies_stg
+++ b/inventory/group_vars/proxies_stg
@ -1,15 +1,7 @@
 ---
 # Define resources for this group of hosts here.
 collectd_apache: true
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Provides frontend (reverse) proxy for most web applications
 csi_relationship: |
  Using Apache -> haproxy, these hosts contact app servers and
      other various hosts to provide web applications at sites like
      fedoraproject.org and admin.fedoraproject.org.  The proxy servers are
      balanced via dns and geoIP and are spread all over the place.
 # For the MOTD
 csi_security_category: Moderate
 custom_rules: [
  # Need for rsync from log01 for logs.
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
@ -97,3 +89,9 @@ tcp_ports: [
 ]
 varnish_group: proxies
 zabbix_templates: "{{ [] }}" # For the moment we have no proxies external to IAD2, if this changes, put in the changes in the production group.
 notes: |
  * Provides frontend (reverse) proxy for most web applications
  * Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications
    at sites like fedoraproject.org and admin.fedoraproject.org.
  * The proxy servers are balanced via dns and geoIP and are spread all over the place.
--- a/inventory/group_vars/repospanner_temp
+++ b/inventory/group_vars/repospanner_temp
@ -1,9 +1,6 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
 csi_purpose: repospanner git syncing host
 # For the MOTD
 csi_security_category: Low
 custom_rules: ['-A INPUT -p tcp -m tcp -s 8.43.84.211 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.84.212 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.85.76 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.149 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.20 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.85.78 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.191 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 140.211.169.199 --dport 8443:8445 -j ACCEPT']
 nft_custom_rules:
  - 'add rule ip filter INPUT ip saddr 8.43.84.211     tcp dport 8443-8445 counter accept'
@ -24,3 +21,5 @@ nagios_Check_Services:
  sshd: false
  swap: false
 num_cpus: 8
 notes: repospanner git syncing host
--- a/inventory/group_vars/retrace
+++ b/inventory/group_vars/retrace
@ -1,16 +1,4 @@
 ---
 csi_primary_contact: "msrb, abrt-devel-list@redhat.com, Libera.chat #abrt"
 csi_purpose: Provide a web interface and backend for ABRT Analytics and Retrace Server.
 csi_relationship: |
  Three services run on this server:
  - An Apache httpd serves the web interface and backed functionality for
    ABRT Analytics.
  - The same server provides the HTTP endpoints for Retrace Server to allow
    remote retracing of crashes in Fedora.
  - PostgreSQL server for ABRT Analytics.
  The retracing functionality relies on the debuginfod server
  (debuginfod.fedoraproject.org).
 custom_rules:
  - '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 2049 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 5432 -j ACCEPT'
@ -62,3 +50,12 @@ nrpe_procs_warn: 1800
 primary_auth_source: ipa
 tcp_ports: [80, 443]
 vpn: true
 notes: |
  Provide a web interface and backend for ABRT Analytics and Retrace Server.
  Three services run on this server:
    * An Apache httpd serves the web interface and backed functionality for ABRT Analytics.
    * The same server provides the HTTP endpoints for Retrace Server to allow remote retracing of crashes in Fedora.
    * PostgreSQL server for ABRT Analytics.
  The retracing functionality relies on the debuginfod server (debuginfod.fedoraproject.org).
--- a/inventory/group_vars/retrace_stg_aws
+++ b/inventory/group_vars/retrace_stg_aws
@ -1,6 +1,4 @@
 ---
 csi_primary_contact: "msrb, abrt-devel-list@redhat.com, Libera.chat #abrt"
 csi_purpose: Provide staging environment for ABRT Analytics and Retrace Server.
 env: staging
 nagios_Check_Services:
  mail: false
@ -10,3 +8,4 @@ root_auth_users: msuchy mfabik mzidek
 sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"
 tcp_ports: [22, 80, 443]
 vpn: true
 notes: Provide staging environment for ABRT Analytics and Retrace Server.
--- a/inventory/group_vars/torrent
+++ b/inventory/group_vars/torrent
@ -1,19 +1,5 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Torrent master server for Fedora distribution
 csi_relationship: |
  torrent01 is the master torrent server for Fedora releases
  This host relies on:
  - The virthost it's hosted on (ibiblio05.fedoraproject.org)
  - FAS to authenticate users
  - VPN connectivity
  Things that rely on this host:
  - If this host is down, Fedora will lose a release distribution channel
  - The Apache that displays the torrent website
  - This server also has opentracker+ running to gather statistics for our torrent
 csi_security_category: Low
 ipa_client_shell_groups:
  - fi-apprentice
  - sysadmin-noc
@ -34,3 +20,16 @@ num_cpus: 2
 primary_auth_source: ipa
 tcp_ports: [53, 80, 443, 873, "6881:6999"]
 udp_ports: [53]
 notes: |
  Torrent master server for Fedora distribution
  torrent01 is the master torrent server for Fedora releases
  This host relies on:
    * The virthost it's hosted on (ibiblio05.fedoraproject.org)
    * FAS to authenticate users
    * VPN connectivity
  Things that rely on this host:
    * If this host is down, Fedora will lose a release distribution channel
    * The Apache that displays the torrent website
    * This server also has opentracker+ running to gather statistics for our torrent
--- a/inventory/group_vars/value
+++ b/inventory/group_vars/value
@ -1,15 +1,6 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: mote admins - sysadmin-mote-members@fedoraproject.org
 csi_purpose: Hosts services which help facilitate communication over IRC and related mediums.
 csi_relationship: |
  There are a couple things running here.
  * zodbot, a supybot instance.  See the zodbot SOP for more info.
  * fedmsg-irc, our fedmsg to IRC relay.  'journalctl -u fedmsg-irc'
  * mote, a webapp running behind httpd that serves meetbot log files.
 # For the MOTD
 csi_security_category: Moderate
 custom_rules: [
  # Needed for rsync from log01 for logs.
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
@ -73,3 +64,10 @@ primary_auth_source: ipa
 tcp_ports: [80, 443,
  # These 16 ports are used by fedmsg.  One for each wsgi thread.
  3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
 notes: |
  Hosts services which help facilitate communication over IRC and related mediums.
  There are a couple things running here.
    * zodbot, a supybot instance.  See the zodbot SOP for more info.
    * fedmsg-irc, our fedmsg to IRC relay.  'journalctl -u fedmsg-irc'
    * mote, a webapp running behind httpd that serves meetbot log files.
--- a/inventory/group_vars/value_stg
+++ b/inventory/group_vars/value_stg
@ -1,15 +1,6 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: mote admins - sysadmin-mote-members@fedoraproject.org
 csi_purpose: Hosts staging services which help facilitate communication over IRC and related mediums.
 csi_relationship: |
  There are a couple things running here.
  * ursabot, a supybot instance.  See the zodbot SOP for more info.
  * fedmsg-irc, our staging fedmsg to IRC relay.  'journalctl -u fedmsg-irc'
  * mote, a webapp running behind httpd that serves meetbot log files.
 # For the MOTD
 csi_security_category: Moderate
 custom_rules: [
  # Neeed for rsync from log01 for logs.
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
@ -73,3 +64,10 @@ num_cpus: 2
 tcp_ports: [80, 443,
  # These 16 ports are used by fedmsg.  One for each wsgi thread.
  3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
 notes: |
  Hosts staging services which help facilitate communication over IRC and related mediums.
  There are a couple things running here.
    * ursabot, a supybot instance.  See the zodbot SOP for more info.
    * fedmsg-irc, our staging fedmsg to IRC relay.  'journalctl -u fedmsg-irc'
    * mote, a webapp running behind httpd that serves meetbot log files.
--- a/inventory/group_vars/virthost
+++ b/inventory/group_vars/virthost
@ -1,14 +1,7 @@
 ---
 # iscsi initiator for netapp iscsi volume
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Host guest virtual machines.
 csi_relationship: |
  - Guests on this host will be inaccessible if the host is down.
  - This host will be required by any application with a virtual machine running on it, therefore, if this host is down those applications will be impacted.
 # These variables are pushed into /etc/system_identification by the base role.
 # Groups and individual hosts should override them with specific info.
 # See http://infrastructure.fedoraproject.org/csi/security-policy/
 csi_security_category: High
 nagios_Check_Services:
  raid: true
 netapp_nfs01_iscsi_name: iqn.1992-08.com.netapp:sn.1573980325:vf.f88732f4-106e-11e2-bc86-00a098162a28
@ -18,3 +11,9 @@ nrpe_procs_crit: 1500
 nrpe_procs_warn: 1400
 primary_auth_source: ipa
 virthost: true
 notes: |
  Host guest virtual machines.
  Guests on this host will be inaccessible if the host is down.
  This host will be required by any application with a virtual machine running on it, therefore, if this host is down those applications will be impacted.
--- a/inventory/group_vars/wiki
+++ b/inventory/group_vars/wiki
@ -1,13 +1,5 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: "#fedora-admin"
 csi_purpose: Provides our wiki
 csi_relationship: |
  - There are multiple servers that this service requires. All proxy servers and Wiki 1 and 2.
  - Wiki requires the proxy servers in order for traffic to pass to them
  - If the Apache processes stop on wiki01 and wiki02 the wiki will not display
  - The wiki also requires fas for log in purposes
 csi_security_category: Moderate
 deployment_type: prod
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
@ -43,3 +35,10 @@ wikiname: "fp"
 wikipath: "wiki"
 wikiver: "mediawiki"
 wpath: "w"
 notes: |
  - Provides our wiki
  - There are multiple servers that this service requires. All proxy servers and Wiki 1 and 2.
  - Wiki requires the proxy servers in order for traffic to pass to them
  - If the Apache processes stop on wiki01 and wiki02 the wiki will not display
  - The wiki also requires fas for log in purposes
--- a/inventory/group_vars/zabbix
+++ b/inventory/group_vars/zabbix
@ -1,11 +1,6 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: []
 csi_purpose: []
 csi_relationship: |
  Test instance for zabbix server
 # For the MOTD
 csi_security_category: []
 deployment_type: stg
 ipa_client_shell_groups:
  - fi-apprentice
@ -25,3 +20,4 @@ num_cpus: 4
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 tcp_ports: [80, 443]
 notes: Test instanec for zabbix server
--- a/inventory/group_vars/zabbix_stg
+++ b/inventory/group_vars/zabbix_stg
@ -1,11 +1,6 @@
 ---
 # Define resources for this group of hosts here.
 csi_primary_contact: []
 csi_purpose: []
 csi_relationship: |
  Test instance for zabbix server
 # For the MOTD
 csi_security_category: []
 deployment_type: stg
 ipa_client_shell_groups:
  - fi-apprentice
@ -25,3 +20,4 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 tcp_ports: [80, 443]
 notes: Test instance for zabbix server
--- a/inventory/host_vars/ibiblio02.fedoraproject.org
+++ b/inventory/host_vars/ibiblio02.fedoraproject.org
@ -43,3 +43,4 @@ nrpe_procs_crit: 1300
 nrpe_procs_warn: 1250
 postfix_group: vpn
 vpn: true
 notes: "vhost at ibiblio"
--- a/inventory/host_vars/noc02.fedoraproject.org
+++ b/inventory/host_vars/noc02.fedoraproject.org
@ -52,3 +52,4 @@ postfix_transport_filename: transports.noc02.fedoraproject.org
 vmhost: ibiblio02.fedoraproject.org
 volgroup: /dev/vg_guests
 vpn: true
 notes: "This is an external nagios server located outside of PHX. It monitors our user websites/applications (fedoraproject.org, FAS, PackageDB, Bodhi/Updates)."
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@ -34,7 +34,6 @@
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  - import_tasks: "{{ tasks_path }}/rdiff_backup_server.yml"
  handlers:
--- a/playbooks/groups/bastion.yml
+++ b/playbooks/groups/bastion.yml
@ -30,8 +30,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@ -62,8 +62,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/bodhi-backend.yml
+++ b/playbooks/groups/bodhi-backend.yml
@ -123,7 +123,6 @@
    ansible.builtin.file: src=/mnt/fedora_koji_prod/koji dest=/mnt/koji/vol/prod state=link
    tags: bodhi
    when: env == 'staging'
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@ -88,9 +88,6 @@
    when: env == "staging"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
    when: not inventory_hostname.startswith('bkernel')
  - name: make sure kojid is running
    service: name=kojid state=started enabled=yes
--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@ -72,13 +72,6 @@
      candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}"
      when: env == "staging"
  tasks:
    - import_tasks: "{{ tasks_path }}/motd.yml"
      when: not inventory_hostname.startswith('bkernel') and env == 'production'
 #    - name: Make sure kojid is running
 #      service: name=kojid state=started enabled=yes
  handlers:
    - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/busgateway.yml
+++ b/playbooks/groups/busgateway.yml
@ -28,9 +28,6 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/certgetter.yml
+++ b/playbooks/groups/certgetter.yml
@ -29,9 +29,7 @@
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
-  - import_tasks: "{{ tasks_path }}/motd.yml"
+  - name: make sure certbot is installed
  - name: Make sure certbot is installed
    ansible.builtin.package: name=certbot state=installed
  handlers:
--- a/playbooks/groups/copr-hypervisor.yml
+++ b/playbooks/groups/copr-hypervisor.yml
@ -23,7 +23,5 @@
    - import_role: name=ipa/client
    - import_role: name=copr/hypervisor
    - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/data-reports.yml
+++ b/playbooks/groups/data-reports.yml
@ -28,8 +28,5 @@
  - collectd/base
  - sudo
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/db.aws.yml
+++ b/playbooks/groups/db.aws.yml
@ -72,8 +72,5 @@
  # - collectd/postgres  # This requires a 'databases' var to be set in host_vars
  - sudo
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/debuginfod.yml
+++ b/playbooks/groups/debuginfod.yml
@ -31,9 +31,7 @@
    nfs_src_dir: "fedora_koji"
  tasks:
-  - import_tasks: "{{ tasks_path }}/motd.yml"
+  - name: install debuginfod
  - name: Install debuginfod
    ansible.builtin.package: name=elfutils-debuginfod state=present
    tags: debuginfod
--- a/playbooks/groups/dns.yml
+++ b/playbooks/groups/dns.yml
@ -32,8 +32,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/download.yml
+++ b/playbooks/groups/download.yml
@ -50,9 +50,7 @@
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
-  - import_tasks: "{{ tasks_path }}/motd.yml"
+  - name: put in script for syncing fedora on download-ib01
  - name: Put in script for syncing fedora on download-ib01
    ansible.builtin.copy: src="{{ files }}/download/sync-up-downloads.sh.ib01" dest=/usr/local/bin/sync-up-downloads owner=root group=root mode=755
    when: inventory_hostname == 'download-ib01.fedoraproject.org'
  - name: Put in script for syncing fedora-alt on download-ib01
--- a/playbooks/groups/flatpak-cache.yml
+++ b/playbooks/groups/flatpak-cache.yml
@ -23,9 +23,5 @@
  - sudo
  - flatpak-cache
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/github2fedmsg.yml
+++ b/playbooks/groups/github2fedmsg.yml
@ -35,9 +35,6 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@ -29,9 +29,6 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/ipsilon.yml
+++ b/playbooks/groups/ipsilon.yml
@ -38,9 +38,6 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@ -152,9 +152,6 @@
    user_sent_topics: ^org\.fedoraproject\.{{ env_short }}\.buildsys\..*
    when: koji_instance == 'secondary'
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/kojipkgs.yml
+++ b/playbooks/groups/kojipkgs.yml
@ -68,8 +68,5 @@
  - role: kojipkgs
  - role: varnish
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@ -43,7 +43,6 @@
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
 #
 # We exclude some dirs from restorecon on updates on logservers as they are very large
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@ -33,10 +33,6 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  # this is how you include other task lists
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/maintainer-test.yml
+++ b/playbooks/groups/maintainer-test.yml
@ -24,8 +24,6 @@
  tasks:
  # this is how you include other task lists
  - import_tasks: "{{ tasks_path }}/motd.yml"
  - name: Install packager tools (dnf)
    dnf: state=present pkg={{ item }}
    with_items:
--- a/playbooks/groups/mariadb-server.yml
+++ b/playbooks/groups/mariadb-server.yml
@ -31,10 +31,6 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
 # TODO: add iscsi task
  handlers:
--- a/playbooks/groups/memcached.yml
+++ b/playbooks/groups/memcached.yml
@ -29,7 +29,7 @@
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
-  - import_tasks: "{{ tasks_path }}/motd.yml"
+  - import_tasks: "{{ role_path }}/base/tasks/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/nfs-servers.yml
+++ b/playbooks/groups/nfs-servers.yml
@ -24,9 +24,6 @@
  - sudo
  - openvpn/client
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/noc.yml
+++ b/playbooks/groups/noc.yml
@ -43,9 +43,6 @@
    when: datacenter != 'iad2'
  - { role: letsencrypt, site_name: 'nagios-external.fedoraproject.org', when: inventory_hostname.startswith('noc02') }
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/oci-registry.yml
+++ b/playbooks/groups/oci-registry.yml
@ -47,9 +47,6 @@
    when: "env == 'staging'"
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/openqa-onebox-test.yml
+++ b/playbooks/groups/openqa-onebox-test.yml
@ -23,9 +23,6 @@
  - { role: sudo, tags: ['sudo'] }
  - apache
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/openqa-workers.yml
+++ b/playbooks/groups/openqa-workers.yml
@ -25,8 +25,5 @@
  - { role: linux-system-roles.nbde_client, tags: ['nbde_client'], when: openqa_nbde|bool }
  - apache
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/openqa.yml
+++ b/playbooks/groups/openqa.yml
@ -28,7 +28,7 @@
    - apache
  tasks:
-  - import_tasks: "{{ tasks_path }}/motd.yml"
+  - import_tasks: "{{ role_path }}/base/tasks/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/os-control.yml
+++ b/playbooks/groups/os-control.yml
@ -62,7 +62,6 @@
      mode: "0755"
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/os-proxies.yml
+++ b/playbooks/groups/os-proxies.yml
@ -28,9 +28,7 @@
  - keepalived
  tasks:
-  - import_tasks: "{{ tasks_path }}/motd.yml"
+  - name: install haproxy
  - name: Install haproxy
    ansible.builtin.package: name=haproxy state=present
  - name: Install haproxy config
--- a/playbooks/groups/pagure.yml
+++ b/playbooks/groups/pagure.yml
@ -28,9 +28,6 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/people.yml
+++ b/playbooks/groups/people.yml
@ -84,8 +84,5 @@
  - people
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/pkgs.yml
+++ b/playbooks/groups/pkgs.yml
@ -33,7 +33,6 @@
    - krb5
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/postgresql-server.yml
+++ b/playbooks/groups/postgresql-server.yml
@ -35,9 +35,6 @@
  - collectd/postgres  # This requires a 'databases' var to be set in host_vars
  - sudo
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
 # TODO: add iscsi task
  handlers:
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@ -37,7 +37,6 @@
 # when: env == "staging"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  # You might think we would want these tasks_path on the proxy nodes, but they
  # actually deliver a configuration that our proxy-specific roles below then go
--- a/playbooks/groups/rabbitmq.yml
+++ b/playbooks/groups/rabbitmq.yml
@ -32,8 +32,5 @@
  - sudo
  - rabbitmq_cluster
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/releng-compose.yml
+++ b/playbooks/groups/releng-compose.yml
@ -187,9 +187,7 @@
  tasks:
  # this is how you include other task lists
-  - import_tasks: "{{ tasks_path }}/motd.yml"
+  - name: install skopeo and buildah for container management
  - name: Install skopeo and buildah for container management
    ansible.builtin.package:
      name:
        - skopeo
--- a/playbooks/groups/retrace.yml
+++ b/playbooks/groups/retrace.yml
@ -73,8 +73,6 @@
    - import_role: name=nagios_client
    - import_role: name=sudo
    - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/secondary.yml
+++ b/playbooks/groups/secondary.yml
@ -55,8 +55,6 @@
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  - name: Install some misc packages needed for various tasks
    ansible.builtin.package:
      state: present
--- a/playbooks/groups/sign-bridge.yml
+++ b/playbooks/groups/sign-bridge.yml
@ -37,8 +37,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/smtp-auth.yml
+++ b/playbooks/groups/smtp-auth.yml
@ -29,8 +29,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/smtp-mm.yml
+++ b/playbooks/groups/smtp-mm.yml
@ -29,8 +29,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/sundries.yml
+++ b/playbooks/groups/sundries.yml
@ -89,8 +89,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/tang.yml
+++ b/playbooks/groups/tang.yml
@ -26,8 +26,5 @@
  - sudo
  - tang
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/torrent.yml
+++ b/playbooks/groups/torrent.yml
@ -37,8 +37,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/value.yml
+++ b/playbooks/groups/value.yml
@ -48,8 +48,5 @@
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@ -52,8 +52,5 @@
  - {role: linux-system-roles.nbde_client, tags: ['nbde_client'], when: datacenter == 'iad2' and nbde|bool}
  - {role: serial-console, when: datacenter == 'iad2' and ansible_architecture != 's390x'}
  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/Show more
+++ b/Show more