Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Spring cleaning time. :)

Browse source 
I removed all the old files, inventory, playbooks, roles and other from
services we no longer run or use. There was a bunch of cruft in there
and I hope that will make the repo cleaner and easier to look for things
we actually do run and care about.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2020-05-13 14:02:41 -07:00
parent 0eca617652
commit c529380547
200 changed files with 4 additions and 6667 deletions
Download patch file Download diff file Expand all files Collapse all files

6
files/artboard/artboard-backup
View file

@ -1,6 +0,0 @@
#!/bin/sh
SNAPSHOTTIME=$(date +"%m-%d-%Y")
cd /srv/persist
echo "Snapshot taken $SNAPSHOTTIME.\n" >> /var/www/html/artboard/artboard-backup-summary.log
tar -zcvf "artboard-backup.tar.gz" artboard

16
files/artboard/artboard.conf
View file

@ -1,16 +0,0 @@
<Directory "/var/www/html/artboard">
Options Indexes FollowSymLinks
AllowOverride All
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Allow from all
</IfModule>
</Directory>

2
files/artboard/redirect.conf
View file

@ -1,2 +0,0 @@
RedirectMatch "^/$" /artboard/

74
files/mysql/my.cnf
View file

@ -1,74 +0,0 @@
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
max_connections=900
query_cache_size=64M
query_cache_limit=2M
ft_min_word_len=3
log-slow-queries=/var/log/mysqld/slow-queries.log
long_query_time = 2
general_log = 1
general_log_file = /var/log/mysqld/mysql-transfer.log
skip-locking
key_buffer = 384M
key_buffer_size=64M
max_allowed_packet = 16M
table_cache = 2048
sort_buffer_size = 8M
join_buffer_size = 8M
read_buffer_size = 2M
read_rnd_buffer_size = 16M
bulk_insert_buffer_size = 64M
myisam_sort_buffer_size = 128M
myisam_max_sort_file_size=15G
myisam_max_extra_sort_file_size = 10G
thread_cache_size = 8
# Try number of CPU's*2 for thread_concurrency
thread_concurrency = 16
thread_stack = 192K
transaction_isolation = REPEATABLE-READ
back_log = 50
binlog_cache_size = 1M
max_heap_table_size = 128M
tmp_table_size = 128M
innodb_additional_mem_pool_size = 16M
innodb_buffer_pool_size = 4G
innodb_file_io_threads = 4
innodb_thread_concurrency = 16
innodb_flush_log_at_trx_commit = 1
innodb_log_buffer_size = 8M
#innodb_log_file_size = 2G
#innodb_log_files_in_group = 3
innodb_max_dirty_pages_pct = 90
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
open-files-limit = 8192
[isamchk]
key_buffer = 512M
sort_buffer_size = 512M
read_buffer = 8M
write_buffer = 8M
[myisamchk]
key_buffer = 512M
sort_buffer_size = 512M
read_buffer = 8M
write_buffer = 8M
[mysqlhotcopy]
interactive-timeout

4
files/newcloud/rhos13.repo
View file

@ -1,4 +0,0 @@
[rhel7-rhos13]
name = rhel7 openstack $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openstack-13-rpms
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

19
files/phabricator/phabricator-vhost.conf
View file

@ -1,19 +0,0 @@
NameVirtualHost *:80
<Directory "/srv">
Options All
AllowOverride All
Require all granted
</Directory>
<VirtualHost *:80>
ServerName {{domain}}
DocumentRoot /srv/www/facebook/phabricator/webroot
RewriteEngine on
RewriteRule ^/rsrc/(.*) - [L,QSA]
RewriteRule ^/favicon.ico - [L,QSA]
RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA]
SetEnv PHABRICATOR_ENV custom/myconfig
</VirtualHost>

18
files/phabricator/phabricator.conf.php
View file

@ -1,18 +0,0 @@
<?php
return array(
'phabricator.base-uri' => 'http://{{domain}}/',
'mysql.host' => 'localhost',
'mysql.user' => 'root',
'metamta.default-address' => 'phabricator@{{domain}}',
'metamta.domain' => '{{domain}}',
'phabricator.timezone' => 'America/New_York',
'pygments.enabled' => true,
// NOTE: Check default.conf.php for detailed explanations of all the
// configuration options, including these.
) + phabricator_read_config_file('production');

10
files/trac/trac-vhost.conf
View file

@ -1,10 +0,0 @@
<VirtualHost *:80>
ServerName trac-dev.cloud.fedoraproject.org
WSGIScriptAlias / /srv/www/trac/trac.wsgi
<Directory /srv/www/trac/trac.wsgi>
WSGIProcessGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
</VirtualHost>

15
files/trac/trac.wsgi
View file

@ -1,15 +0,0 @@
import __main__
if hasattr(__main__, '__requires__'):
if isinstance(__main__.__requires__, basestring):
__main__.__requires__ = [__main__.__requires__]
else:
__main__.__requires__ = []
__main__.__requires__.append('Trac')
import os
os.environ['TRAC_ENV_PARENT_DIR'] = '/srv/www/trac/projects'
os.environ['PYTHON_EGG_CACHE'] = '/var/cache/trac'
import trac.web.main
application = trac.web.main.dispatch_request

1
files/twisted/ssh-pub-key
View file

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxFYkms3bEGIGpH0Dg0JgvsdHI/pWkS4ynCn/poyVcKc+SL1StKoOFPzzFh7dGVIeQ6q8MLbm246H8Swx57R13Q3bhtTs5Gpy5bNC7HejkWbrrMEJuKxVKhIintbC+tT04OFBFklVePuxacsc3EBdTHSnz9o41MfJnjv58VxJB5bwfgsV7FMDLHnBpujlPPH1hZG5A0fwD8VgCwaRVirIs9Kw35yKEUm8D76vOxjAqm7UTexEcPNFb4tYGzI00hbPS374FzoO4ZuXxv1ymakw9iyL54Hwbyj8JxBbgfZ6TvgLSSN9OU+KRqz1NqfepSj+y8up0Q+W8J5UObvf02VZrJKVgnIVe5gw4iDx/5E7F4qmf8qa5YUlJnP3LWRz6jhtQE+m6Ro7zItnoqPR3EtQZ9rMgaS1+/qPX7hcB35hlGZbhj0IDY+HE98ehUivUuxSoLOp8c+COaJ2b5+wSQigi9jRYx0qPeCOCCtA8vF8z4SOmD3I6IsPzlCiejeC5y3tWoQqJPR430TPBJ7CMNbbHPNF8GyzM7vFukqSpgacLq1f/YgBwqiRLVk+ktgUM/+fHuE6mUDMdE+Ag2lfwHnLI7DOwaJdr7JoAoSi6R+uTRhx1d4AET1sMv/HXKD+4Abu0WyaT3l/xO+hBABz+KO33gPUdCsKOw7lvJFZRC+OSyQ==

107
filter_plugins/openstack.py
View file

@ -1,107 +0,0 @@
from ansible import errors
from glanceclient import Client as GlanceClient
from keystoneclient import session
from keystoneclient.auth.identity import v2 as identity
from neutronclient.neutron.client import Client as NeutronClient
from novaclient.v3.client import Client
import glanceclient.exc
import json
import novaclient.exceptions
def flavor_id_to_name(host_vars, user, password, tenant, auth_url):
nt = Client(user, password, tenant, auth_url, service_type="compute")
try:
flavor = nt.flavors.get(host_vars)
except novaclient.exceptions.NotFound:
raise errors.AnsibleFilterError('There is no flavor of name {0} accessible for tenant {1}'.format(host_vars, tenant))
return flavor.name
def flavor_name_to_id(host_vars, user, password, tenant, auth_url):
nt = Client(user, password, tenant, auth_url, service_type="compute")
for i in nt.flavors.list():
if i.name == host_vars:
return i.id
raise errors.AnsibleFilterError('There is no flavor of id {0} accessible for tenant {1}'.format(host_vars, tenant))
def image_id_to_name(host_vars, user, password, tenant, auth_url):
auth = identity.Password(auth_url=auth_url, username=user,
password=password, tenant_name=tenant)
sess = session.Session(auth=auth)
token = auth.get_token(sess)
endpoint = auth.get_endpoint(sess, service_name='glance', service_type='image')
glance = GlanceClient('2', endpoint=endpoint, token=token)
try:
return glance.images.get(host_vars).name
except glanceclient.exc.HTTPNotFound:
raise errors.AnsibleFilterError('There is no image of id {0} accessible for tenant {1}'.format(host_vars, tenant))
def image_name_to_id(host_vars, user, password, tenant, auth_url):
auth = identity.Password(auth_url=auth_url, username=user,
password=password, tenant_name=tenant)
sess = session.Session(auth=auth)
token = auth.get_token(sess)
endpoint = auth.get_endpoint(sess, service_name='glance', service_type='image')
glance = GlanceClient('2', endpoint=endpoint, token=token)
for i in glance.images.list():
if i.name == host_vars:
return i.id
raise errors.AnsibleFilterError('There is no image of name {0} accessible for tenant {1}'.format(host_vars, tenant))
def network_name_to_id(host_vars, user, password, tenant, auth_url):
""" Accept one name of network or list of names of networks and return the same
structure, but names replaced by ids of the network(s). """
auth = identity.Password(auth_url=auth_url, username=user,
password=password, tenant_name=tenant)
sess = session.Session(auth=auth)
token = auth.get_token(sess)
endpoint = auth.get_endpoint(sess, service_name='neutron', service_type='network')
neutron = NeutronClient('2.0', endpoint_url=endpoint, token=token)
result_as_list = isinstance(host_vars, list)
if not result_as_list:
host_vars = [host_vars]
result = []
for net in host_vars:
networks = neutron.list_networks(name=net, fields='name')["networks"]
if networks:
result += [networks[0]['id']]
else:
raise errors.AnsibleFilterError('There is no network of name {0} accessible for tenant {1}'.format(net, tenant))
if result_as_list:
return result
else:
return result[0]
def network_id_to_name(host_vars, user, password, tenant, auth_url):
""" Accept one id of network or list of ids of networks and return the same
structure, but ids replaced by name of the network(s). """
auth = identity.Password(auth_url=auth_url, username=user,
password=password, tenant_name=tenant)
sess = session.Session(auth=auth)
token = auth.get_token(sess)
endpoint = auth.get_endpoint(sess, service_name='neutron', service_type='network')
neutron = NeutronClient('2.0', endpoint_url=endpoint, token=token)
result_as_list = isinstance(host_vars, list)
if not result_as_list:
host_vars = [host_vars]
result = []
for net in host_vars:
networks = neutron.list_networks(id=net, fields='name')["networks"]
if networks:
result += [networks[0]['name']]
else:
raise errors.AnsibleFilterError('There is no network of id {0} accessible for tenant {1}'.format(net, tenant))
if result_as_list:
return result
else:
return result[0]
class FilterModule (object):
def filters(self):
return {"flavor_id_to_name": flavor_id_to_name,
"flavor_name_to_id": flavor_name_to_id,
"image_id_to_name": image_id_to_name,
"image_name_to_id": image_name_to_id,
"network_name_to_id": network_name_to_id,
"network_id_to_name": network_id_to_name,
}

18
handlers/restart_services.yml
View file

@ -86,9 +86,6 @@
- name: fix openvpn routing - name: fix openvpn routing
action: shell /etc/openvpn/fix-routes.sh action: shell /etc/openvpn/fix-routes.sh
- name: restart xinetd
action: service name=xinetd state=restarted
- name: restart netapproute - name: restart netapproute
action: command /etc/sysconfig/network-scripts/ifup-routes eth1 action: command /etc/sysconfig/network-scripts/ifup-routes eth1
@ -110,9 +107,6 @@
- name: restart glusterd - name: restart glusterd
service: name=glusterd state=restarted service: name=glusterd state=restarted
- name: restart supervisord
service: name=supervisord state=restarted
- name: run rkhunter - name: run rkhunter
command: rkhunter --propupd command: rkhunter --propupd
@ -145,15 +139,6 @@
- name: restart stunnel - name: restart stunnel
service: name=stunnel state=restarted service: name=stunnel state=restarted
- name: restart cinder api
service: name=openstack-cinder-api state=restarted
- name: restart cinder scheduler
service: name=openstack-cinder-scheduler state=restarted
- name: restart cinder volume
service: name=openstack-cinder-volume state=restarted
- name: restart mirrorlist-server - name: restart mirrorlist-server
service: name=mirrorlist-server state=restarted service: name=mirrorlist-server state=restarted
@ -187,6 +172,3 @@
name: rabbitmq-server name: rabbitmq-server
state: restarted state: restarted
daemon_reload: yes daemon_reload: yes
- name: restart repoSpanner
action: service name=repoSpanner state=restarted

18
inventory/cloud
View file

@ -1,16 +1,3 @@
#[cloud_phx2]
##
## Hardware
##
#virthost-aarch64-os01.fedorainfracloud.org
#virthost-aarch64-os02.fedorainfracloud.org
#virthost-cloud01.fedorainfracloud.org
#virthost-os01.fedorainfracloud.org
#virthost-os02.fedorainfracloud.org
#virthost-os03.fedorainfracloud.org
#storinator01.fedorainfracloud.org
#cloudvmhost-aarch64-01.fedorainfracloud.org
## ##
## New Community Hardware ## New Community Hardware
## ##
@ -55,11 +42,6 @@ el7-test.fedorainfracloud.org
#aarch64-test02.fedorainfracloud.org #aarch64-test02.fedorainfracloud.org
# iddev # iddev
iddev.fedorainfracloud.org iddev.fedorainfracloud.org
# respins
# exists in aws, we don't manage it.
#respins01.fedorainfracloud.org
# koji simple ci development - ticket 6419
simple-koji-ci-prod.fedorainfracloud.org
retrace-stg.aws.fedoraproject.org retrace-stg.aws.fedoraproject.org
# This is not in aws, but here is good enough for now # This is not in aws, but here is good enough for now
ppc64le-test.fedorainfracloud.org ppc64le-test.fedorainfracloud.org

3
inventory/group_vars/OSv3
View file

@ -1,3 +0,0 @@
---
ansible_ssh_user: root
deployment_type: origin

11
inventory/group_vars/autosign
View file

@ -27,11 +27,8 @@ csi_security_category: High
csi_primary_contact: Release Engineering - rel-eng@lists.fedoraproject.org csi_primary_contact: Release Engineering - rel-eng@lists.fedoraproject.org
csi_purpose: Automatically sign Rawhide and Branched packages csi_purpose: Automatically sign Rawhide and Branched packages
csi_relationship: | csi_relationship: |
This host will run the autosigner.py script which should automatically sign This host will run the robosignatory application which should automatically sign
new rawhide and branched builds. It listens to koji over fedmsg for builds. It listens to koji over fedora-messaging for notifications of new builds,
notifications of new builds, and then asks sigul, the signing server, to and then asks sigul, the signing server, to sign the rpms and store the new rpm
sign the rpms and store the new rpm header back in Koji. header back in Koji.
The script[1] currently runs in the foreground from a git checkout.
[1] https://pagure.io/releng/blob/master/f/scripts/autosigner.py

51
inventory/group_vars/beaker
View file

@ -1,51 +0,0 @@
---
lvm_size: 50000
mem_size: 4096
num_cpus: 2
tcp_ports: [ 80, 443, 8000 ]
udp_ports: [ 69 ]
fas_client_groups: sysadmin-qa,sysadmin-main,fi-apprentice,sysadmin-noc,sysadmin-veteran
nrpe_procs_warn: 250
nrpe_procs_crit: 300
freezes: false
virt_install_command: "{{ virt_install_command_one_nic }}"
# settings for the beaker db, server and lab controller
beaker_db_host: localhost
beaker_db_name: beaker
beaker_db_user: "{{ prod_beaker_db_user }}"
beaker_db_password: "{{ prod_beaker_db_password }}"
mariadb_root_password: "{{ prod_beaker_mariadb_root_password }}"
beaker_server_url: "https://beaker.qa.fedoraproject.org"
beaker_server_cname: "beaker.qa.fedoraproject.org"
beaker_server_hostname: "beaker01.qa.fedoraproject.org"
beaker_server_admin_user: "{{ prod_beaker_server_admin_user }}"
beaker_server_admin_pass: "{{ prod_beaker_server_admin_pass }}"
beaker_server_email: "sysadmin-qa-members@fedoraproject.org"
beaker_oidc_token_info_url: "https://id.fedoraproject.org/openidc/TokenInfo"
beaker_oidc_client_id: "beaker-prod"
beaker_oidc_client_secret: "{{ prod_beaker_oidc_client_secret }}"
beaker_lab_controller_username: "host/beaker01.qa.fedoraproject.org"
beaker_lab_controller_password: "{{ prod_beaker_lab_controller_password }}"
extra_enablerepos: ''
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should ovveride them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: Low
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Manage and automate labs of test computers
csi_relationship: |
There are a couple of things running here.
- beaker lab controller which serves files for network booting, monitors
console logs, and executes fence commands to reboot systems.
- tftp server run by the lab controller for pxe booting provisioned systems
. libvirt for virtualization capabilities

37
inventory/group_vars/beaker_stg
View file

@ -1,37 +0,0 @@
---
lvm_size: 50000
mem_size: 4096
num_cpus: 2
tcp_ports: [ 80, 443, 8000 ]
udp_ports: [ 69 ]
fas_client_groups: sysadmin-qa,sysadmin-main,fi-apprentice,sysadmin-noc,sysadmin-veteran
nrpe_procs_warn: 250
nrpe_procs_crit: 300
freezes: false
virt_install_command: "{{ virt_install_command_rhel6 }}"
# settings for the beaker db, server and lab controller
beaker_db_host: localhost
beaker_db_name: beaker
beaker_db_user: "{{ stg_beaker_db_user }}"
beaker_db_password: "{{ stg_beaker_db_password }}"
mariadb_root_password: "{{ stg_beaker_mariadb_root_password }}"
beaker_server_url: "https://beaker.stg.qa.fedoraproject.org"
beaker_server_cname: "beaker.stg.fedoraproject.org"
beaker_server_hostname: "beaker-stg01.qa.fedoraproject.org"
beaker_server_admin_user: "{{ stg_beaker_server_admin_user }}"
beaker_server_admin_pass: "{{ stg_beaker_server_admin_pass }}"
beaker_server_email: "sysadmin-qa-members@fedoraproject.org"
beaker_oidc_token_info_url: "https://id.stg.fedoraproject.org/openidc/TokenInfo"
beaker_oidc_client_id: "beaker-stg"
beaker_oidc_client_secret: "{{ stg_beaker_oidc_client_secret }}"
beaker_lab_controller_username: "host/beaker-stg01.qa.fedoraproject.org"
beaker_lab_controller_password: "{{ stg_beaker_lab_controller_password }}"
extra_enablerepos: ''

10
inventory/group_vars/keys
View file

@ -1,10 +0,0 @@
---
freezes: false
lvm_size: 40000
mem_size: 4096
num_cpus: 4
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [ 80, 443, 11370, 11371 ]
fas_client_groups: sysadmin-noc,sysadmin-keys,sysadmin-veteran

19
inventory/group_vars/koji_not_yet_ansibilized
View file

@ -1,19 +0,0 @@
# See the comment with the explanation of this group in ``inventory/inventory``
fedmsg_certs:
- service: shell
owner: root
group: sysadmin
can_send:
- logger.log
- service: koji
owner: root
group: apache
can_send:
- buildsys.build.state.change
- buildsys.package.list.change
- buildsys.repo.done
- buildsys.repo.init
- buildsys.rpm.sign
- buildsys.tag
- buildsys.task.state.change
- buildsys.untag

9
inventory/group_vars/libravatar
View file

@ -1,9 +0,0 @@
resolvconf: "resolv.conf/cloud"
git_branch: master
server_name: www.libravatar.org
cdn_server_name: cdn.libravatar.org
cdn_server_alias: seccdn.libravatar.org
server_redirect_name: "libravatar.org libravatar.com www.libravatar.com"
server_cert_name: libravatar.org
cdn_server_cert_name: cdn.libravatar.org
mail_to: clime@fedoraproject.org

10
inventory/group_vars/libravatar_stg
View file

@ -1,10 +0,0 @@
resolvconf: "resolv.conf/cloud"
git_branch: devel
server_name: libravatar-stg.fedorainfracloud.org
cdn_server_name: libravatar-stg.fedorainfracloud.org
cdn_server_alias: libravatar-stg.fedorainfracloud.org
server_redirect_name: libravatar-stg.fedorainfracloud.org
server_cert_name: libravatar-stg.fedorainfracloud.org
cdn_server_cert_name: libravatar-stg.fedorainfracloud.org
prod_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzOpYy2W3hqlvrdpbprv1BAvxh9IsjlVizzxKBo7FvKcj6Xwk1UZXqQqQTBSgEAsuYhTiTIcHK3V4y6xwrSvVQJy0ciqBtPdrAp8z8S+2xBx4uvdc8sb2n8XQGIEkJHel6wIHE+0mCv/PoHn9OPc+bjNFQkncmb7SKbiojll7kiWGdmVzgutrwUULqXcDbsZ1u+HL8Edh7v43IwmK9nVAeA8K8W9rab1EIlFL1oh5z1rrgxV7Gv9OVLbh4NI95DFrHHNEaeH2PpWrdVAYypMSGg2rTOH+mbgYsHhCbA9KRCKkJAqXlOBymGsQuO0yFv2gTzLx+8BkJ3IrXYdhFvoLt root@libravatar.fedorainfracloud.org"
mail_to: clime@fedoraproject.org

1
inventory/group_vars/moonshot
View file

@ -1 +0,0 @@
---

18
inventory/group_vars/newcloud
View file

@ -1,18 +0,0 @@
---
datacenter: cloud
nm: 255.255.254.0
gw: 209.132.184.254
eth1_nm: 255.255.254.0
eth1_gw: 172.23.1.254
fas_client_groups: sysadmin-main
dns: 8.8.8.8
freezes: false
ansible_ifcfg_whitelist: ['eth1']
baseiptables: false
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q cloud-noc01.fedorainfracloud.org"'
nagios_Check_Services:
mail: false
nrpe: false
sshd: false
swap: false
ping: false

8
inventory/group_vars/piwik_stg
View file

@ -1,8 +0,0 @@
---
lvm_size: 20000
mem_size: 8192
# probably 4 in prod:
num_cpus: 2
tcp_ports: [ 80 ]
fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran

25
inventory/group_vars/repospanner
View file

@ -1,25 +0,0 @@
---
# Define resources for this group of hosts here.
lvm_size: 500000
mem_size: 32768
max_mem_size: 32768
num_cpus: 8
# For the MOTD
csi_security_category: High
csi_primary_contact: admin@fedoraproject.org / sysadmin-main-members
csi_purpose: repospanner git syncing host
custom_rules: [ '-A INPUT -p tcp -m tcp -s 8.43.84.211 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 8.43.84.212 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 8.43.85.76 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 152.19.134.149 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 209.132.181.20 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.180 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.184 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.185 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.5.126.23 --dport 8443:8445 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.41 --dport 8442:8443 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.100.8 --dport 8442:8443 -j ACCEPT']
## End of file

3
inventory/group_vars/twisted_buildbots
View file

@ -1,3 +0,0 @@
---
freezes: false
datacenter: cloud

17
inventory/host_vars/batcomputer01.phx2.fedoraproject.org
View file

@ -1,17 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.5.126.6
vmhost: virthost22.phx2.fedoraproject.org
datacenter: phx2
lvm_size: 50g
mem_size: 8192
max_mem_size: 16384
num_cpus: 4

18
inventory/host_vars/beaker-stg01.qa.fedoraproject.org
View file

@ -1,18 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.124.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.5.124.141
eth0_nm: 255.255.255.128
vmhost: virthost-comm04.qa.fedoraproject.org
datacenter: phx2
fas_client_groups: sysadmin-qa,sysadmin-main
collectd_apache: ""
# it'd be nice to have this done automagically but I don't know of a reasonable easy way to do that
beaker_virthost_signatures:
- hostname: 'qa04.qa.fedoraproject.org,10.5.124.154'
signature: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcv0X3KnCYYn5xowtKEYcnroNkihoyyfyVhRU8xt3nLmxSbmUHdjd1FWlhUuaOziKxLKe2NPQOS6ExDhgZKkqOTl73KJWIYPx8Uz3MITvGoYLIJ1EhFwEkVb2dlLsbsgKTVMnIht4Ri8HUZf4pHMmTUgWfS6Te32DJwF8dbpe7Xc45fjzWOYH3PcLxrKWR94Qaz228H+pWQuVBYwsk7evZA9NMmChiJG9rCXAynCbGCpEMyW46uDGAPSBDGdAGvSq9+9MrXmQQzWsLcGpWh9zomzkwhO4aOvN7lWI442JO594MCpp9OZfxT9D0JsTcCq6nGaQV/Sqj3hZwh0APb//x'

4
inventory/host_vars/bkernel01.phx2.fedoraproject.org
View file

@ -1,4 +0,0 @@
---
gw: 10.5.125.254
eth0_ip: 10.5.125.51
eth1_ip: 10.5.127.30

4
inventory/host_vars/bkernel02.phx2.fedoraproject.org
View file

@ -1,4 +0,0 @@
---
gw: 10.5.125.254
eth0_ip: 10.5.125.52
eth1_ip: 10.5.127.31

3
inventory/host_vars/buildppc-01.ppc.fedoraproject.org
View file

@ -1,3 +0,0 @@
---
vmhost: ppc8-02.ppc.fedoraproject.org
eth0_ip: 10.5.129.64

3
inventory/host_vars/buildppc-02.ppc.fedoraproject.org
View file

@ -1,3 +0,0 @@
---
vmhost: ppc8-03.ppc.fedoraproject.org
eth0_ip: 10.5.129.66

3
inventory/host_vars/buildppc-03.ppc.fedoraproject.org
View file

@ -1,3 +0,0 @@
---
vmhost: ppc8-01.ppc.fedoraproject.org
eth0_ip: 10.5.129.67

3
inventory/host_vars/buildppc-04.ppc.fedoraproject.org
View file

@ -1,3 +0,0 @@
---
vmhost: ppc8-03.ppc.fedoraproject.org
eth0_ip: 10.5.129.68

3
inventory/host_vars/buildppcle-01.ppc.fedoraproject.org
View file

@ -1,3 +0,0 @@
---
vmhost: ppc8-02.ppc.fedoraproject.org
eth0_ip: 10.5.129.65

3
inventory/host_vars/buildppcle-02.ppc.fedoraproject.org
View file

@ -1,3 +0,0 @@
---
vmhost: ppc8-03.ppc.fedoraproject.org
eth0_ip: 10.5.129.69

3
inventory/host_vars/buildppcle-03.ppc.fedoraproject.org
View file

@ -1,3 +0,0 @@
---
vmhost: ppc8-01.ppc.fedoraproject.org
eth0_ip: 10.5.129.70

3
inventory/host_vars/buildppcle-04.ppc.fedoraproject.org
View file

@ -1,3 +0,0 @@
---
vmhost: ppc8-03.ppc.fedoraproject.org
eth0_ip: 10.5.129.71

20
inventory/host_vars/ci-cc-rdu01.fedoraproject.org
View file

@ -1,20 +0,0 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
datacenter: rdu-cc
eth0_ip: 8.43.85.69
eth0_nm: 255.255.255.0
gw: 8.43.85.254
nm: 255.255.255.0
dns: 8.8.8.8
postfix_group: vpn
vpn: true
volgroup: /dev/vg_guests
vmhost: virthost-cc-rdu01.fedoraproject.org
deployment_type: prod
db_backup_dir: ['/backups']
dbs_to_backup: ['resultsdb']
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-fedora-28-ext
#ks_repo: http://209.132.181.6/pub/fedora/linux/releases/28/Server/x86_64/os/
ks_repo: http://download-cc-rdu01.fedoraproject.org/pub/fedora/linux/releases/28/Server/x86_64/os/

14
inventory/host_vars/fas01.stg.phx2.fedoraproject.org
View file

@ -1,14 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.5.128.129
vmhost: virthost04.stg.phx2.fedoraproject.org
datacenter: phx2
# There's only this server in stg, so it does certs.
master_fas_node: True
gen_cert: True

19
inventory/host_vars/fas03.phx2.fedoraproject.org
View file

@ -1,19 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.5.126.30
vmhost: virthost06.phx2.fedoraproject.org
datacenter: phx2
# This is not the master production fas node, it doesn't do certs
master_fas_node: False
gen_cert: False
# GDPR SAR variables
sar_script: "echo \"https://admin.fedoraproject.org/accounts/user/view/${SAR_USERNAME}\""
sar_script_user: nobody
sar_output_file: fas.link

21
inventory/host_vars/fas3-01.stg.phx2.fedoraproject.org
View file

@ -1,21 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.5.128.130
vmhost: virthost04.stg.phx2.fedoraproject.org
datacenter: phx2
nagios_Check_Services:
mail: false
nrpe: false
swap: false
tcp_ports:
- 22
- 80

18
inventory/host_vars/ibiblio02.fedoraproject.org
View file

@ -1,18 +0,0 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
datacenter: ibiblio
nm: 255.255.255.0
gw: 152.19.134.129
fas_client_groups: sysadmin-main
dns: 8.8.8.8
br0_ip: 152.19.134.138
br0_nm: 255.255.255.128
has_ipv6: yes
br0_ipv6: "2610:28:3090:3001:dead:beef:cafe:fe02"
br0_ipv6_gw: "2610:28:3090:3001::1"
postfix_group: vpn
vpn: true
freezes: true

15
inventory/host_vars/ibiblio04.fedoraproject.org
View file

@ -1,15 +0,0 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
datacenter: ibiblio
nm: 255.255.255.128
gw: 152.19.134.129
dns: 152.2.21.1
br0_ip: 152.19.134.136
br0_nm: 255.255.255.128
has_ipv6: yes
br0_ipv6: "2610:28:3090:3001:dead:beef:cafe:fe04"
br0_ipv6_gw: "2610:28:3090:3001::1"
postfix_group: vpn
vpn: true

26
inventory/host_vars/infinote.fedoraproject.org
View file

@ -1,26 +0,0 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
eth0_ip: 8.43.85.68
eth0_nm: 255.255.255.0
gw: 8.43.85.254
nm: 255.255.255.0
dns: 8.8.8.8
deployment_type: prod
volgroup: /dev/vg_guests
vmhost: virthost-cc-rdu02.fedoraproject.org
datacenter: rdu-cc
has_ipv6: yes
eth0_ipv6: "2620:52:3:1:dead:beef:cafe:fed4"
eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
postfix_group: vpn
vpn: true
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://209.132.181.6/repo/rhel/RHEL7-x86_64/
host_backup_targets: ['/srv']

5
inventory/host_vars/kernel01.qa.fedoraproject.org
View file

@ -1,5 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.124.254
dns: 10.5.126.21
eth0_ip: 10.5.124.173

16
inventory/host_vars/keys01.fedoraproject.org
View file

@ -1,16 +0,0 @@
---
nm: 255.255.255.128
gw: 140.211.169.193
dns: 8.8.8.8
ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 140.211.169.207
eth0_nm: 255.255.255.128
has_ipv6: yes
eth0_ipv6: "2605:bc80:3010:600:dead:beef:cafe:fedc"
eth0_ipv6_gw: "2605:bc80:3010:600::1"
lvm_size: 80000
vmhost: osuosl02.fedoraproject.org
datacenter: osuosl

14
inventory/host_vars/mirrorlist-host1plus.fedoraproject.org
View file

@ -1,14 +0,0 @@
---
# This is now a cloud instance provided by host1plus
# vmhost: none
datacenter: host1plus
ansible_ifcfg_blacklist: true
nagios_Check_Services:
nrpe: true
sshd: true
named: false
dhcpd: false
httpd: true
swap: false

15
inventory/host_vars/mirrorlist-ibiblio02.fedoraproject.org
View file

@ -1,15 +0,0 @@
---
nm: 255.255.255.128
gw: 152.19.134.129
dns: 152.2.21.1
ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 152.19.134.197
eth0_nm: 255.255.255.128
has_ipv6: yes
eth0_ipv6: "2610:28:3090:3001:5054:ff:feb5:5472"
eth0_ipv6_gw: "2610:28:3090:3001::1"
vmhost: ibiblio05.fedoraproject.org
datacenter: ibiblio

10
inventory/host_vars/mirrorlist-phx2.phx2.fedoraproject.org
View file

@ -1,10 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests00
eth0_ip: 10.5.126.50
vmhost: virthost14.phx2.fedoraproject.org
datacenter: phx2

13
inventory/host_vars/mirrorlist-phx2.stg.phx2.fedoraproject.org
View file

@ -1,13 +0,0 @@
---
lvm_size: 20000
mem_size: 2048
num_cpus: 2
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_virthost16
eth0_ip: 10.5.128.149
vmhost: virthost05.stg.phx2.fedoraproject.org
datacenter: phx2

32
inventory/host_vars/nagios01.phx2.fedoraproject.org
View file

@ -1,32 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
eth0_ip: 10.5.126.241
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_virthost
vmhost: virthost18.phx2.fedoraproject.org
datacenter: phx2
tcp_ports: ['22', '80', '443', '67', '68']
udp_ports: ['67','68','69']
custom_rules: [
'-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5666 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
]
csi_relationship: |
nagios01 is a test mode for monitoring nagios instance to the phx datacenter.
* This host relies on:
- the virthost it's hosted on (virthost17.phx2.fedoraproject.org)
- FAS to authenticate users
- VPN connectivity
* Things that rely on this host:
- Infrastructure team to be awair of the infra status. operations control process will fail
- if this host is down, it will be difficult to know the status of infra and provide reactive/proactive support
- if this host is down, dhcp/bootp leases/renew will fail. pxe booting will fail as well

33
inventory/host_vars/noc01.stg.phx2.fedoraproject.org
View file

@ -1,33 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_virthost16
vmhost: virthost05.stg.phx2.fedoraproject.org
datacenter: phx2
tcp_ports: ['22', '80', '443', '67', '68']
udp_ports: ['67','68','69']
custom_rules: [
'-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5666 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
]
eth0_ip: 10.5.128.38
csi_relationship: |
noc01.stg is the internal monitoring nagios instance to the phx datacenter.
* This host relies on:
- the virthost it's hosted on (virthost17.phx2.fedoraproject.org)
- FAS to authenticate users
- VPN connectivity
* Things that rely on this host:
- Infrastructure team to be awair of the infra status. operations control process will fail
- if this host is down, it will be difficult to know the status of infra and provide reactive/proactive support
- if this host is down, dhcp/bootp leases/renew will fail. pxe booting will fail as well

12
inventory/host_vars/pkgdb01.phx2.fedoraproject.org
View file

@ -1,12 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.5.126.15
vmhost: virthost14.phx2.fedoraproject.org
datacenter: phx2

12
inventory/host_vars/pkgdb01.stg.phx2.fedoraproject.org
View file

@ -1,12 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.5.128.174
vmhost: virthost01.stg.phx2.fedoraproject.org
datacenter: phx2

12
inventory/host_vars/pkgdb02.phx2.fedoraproject.org
View file

@ -1,12 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 10.5.126.16
vmhost: virthost12.phx2.fedoraproject.org
datacenter: phx2

71
inventory/host_vars/relay-stg.ci.centos.org
View file

@ -1,71 +0,0 @@
---
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell
owner: root
group: sysadmin
can_send:
- logger.log
- service: fedmsg
owner: root
group: root
can_send:
- ci.pipeline.allpackages-build.complete
- ci.pipeline.allpackages-build.image.complete
- ci.pipeline.allpackages-build.image.queued
- ci.pipeline.allpackages-build.image.running
- ci.pipeline.allpackages-build.package.complete
- ci.pipeline.allpackages-build.package.ignore
- ci.pipeline.allpackages-build.package.ignored
- ci.pipeline.allpackages-build.package.queued
- ci.pipeline.allpackages-build.package.running
- ci.pipeline.allpackages-build.package.test.functional.complete
- ci.pipeline.allpackages-build.package.test.functional.queued
- ci.pipeline.allpackages-build.package.test.functional.running
- ci.pipeline.allpackages-pr.complete
- ci.pipeline.allpackages-pr.ignore
- ci.pipeline.allpackages-pr.ignored
- ci.pipeline.allpackages-pr.image.complete
- ci.pipeline.allpackages-pr.image.ignore
- ci.pipeline.allpackages-pr.image.ignored
- ci.pipeline.allpackages-pr.image.queued
- ci.pipeline.allpackages-pr.image.running
- ci.pipeline.allpackages-pr.package.complete
- ci.pipeline.allpackages-pr.package.ignore
- ci.pipeline.allpackages-pr.package.ignored
- ci.pipeline.allpackages-pr.package.queued
- ci.pipeline.allpackages-pr.package.running
- ci.pipeline.allpackages-pr.package.test.functional.complete
- ci.pipeline.allpackages-pr.package.test.functional.ignore
- ci.pipeline.allpackages-pr.package.test.functional.ignored
- ci.pipeline.allpackages-pr.package.test.functional.queued
- ci.pipeline.allpackages-pr.package.test.functional.running
- ci.pipeline.allpackages-pr.queued
- ci.pipeline.allpackages-pr.running
- ci.pipeline.complete
- ci.pipeline.compose.complete
- ci.pipeline.compose.running
- ci.pipeline.compose.test.integration.complete
- ci.pipeline.compose.test.integration.queued
- ci.pipeline.compose.test.integration.running
- ci.pipeline.image.complete
- ci.pipeline.image.running
- ci.pipeline.image.test.smoke.complete
- ci.pipeline.image.test.smoke.running
- ci.pipeline.package.complete
- ci.pipeline.package.ignore
- ci.pipeline.package.ignored
- ci.pipeline.package.queued
- ci.pipeline.package.running
fedmsg_prefix: org.centos
fedmsg_env: stg
nagios_Can_Connect: false
nagios_Check_Services:
mail: false
nrpe: false
sshd: false
swap: false
ping: false

71
inventory/host_vars/relay.ci.centos.org
View file

@ -1,71 +0,0 @@
---
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell
owner: root
group: sysadmin
can_send:
- logger.log
- service: fedmsg
owner: root
group: root
can_send:
- ci.pipeline.allpackages-build.complete
- ci.pipeline.allpackages-build.image.complete
- ci.pipeline.allpackages-build.image.queued
- ci.pipeline.allpackages-build.image.running
- ci.pipeline.allpackages-build.package.complete
- ci.pipeline.allpackages-build.package.ignore
- ci.pipeline.allpackages-build.package.ignored
- ci.pipeline.allpackages-build.package.queued
- ci.pipeline.allpackages-build.package.running
- ci.pipeline.allpackages-build.package.test.functional.complete
- ci.pipeline.allpackages-build.package.test.functional.queued
- ci.pipeline.allpackages-build.package.test.functional.running
- ci.pipeline.allpackages-pr.complete
- ci.pipeline.allpackages-pr.ignore
- ci.pipeline.allpackages-pr.ignored
- ci.pipeline.allpackages-pr.image.complete
- ci.pipeline.allpackages-pr.image.ignore
- ci.pipeline.allpackages-pr.image.ignored
- ci.pipeline.allpackages-pr.image.queued
- ci.pipeline.allpackages-pr.image.running
- ci.pipeline.allpackages-pr.package.complete
- ci.pipeline.allpackages-pr.package.ignore
- ci.pipeline.allpackages-pr.package.ignored
- ci.pipeline.allpackages-pr.package.queued
- ci.pipeline.allpackages-pr.package.running
- ci.pipeline.allpackages-pr.package.test.functional.complete
- ci.pipeline.allpackages-pr.package.test.functional.ignore
- ci.pipeline.allpackages-pr.package.test.functional.ignored
- ci.pipeline.allpackages-pr.package.test.functional.queued
- ci.pipeline.allpackages-pr.package.test.functional.running
- ci.pipeline.allpackages-pr.queued
- ci.pipeline.allpackages-pr.running
- ci.pipeline.complete
- ci.pipeline.compose.complete
- ci.pipeline.compose.running
- ci.pipeline.compose.test.integration.complete
- ci.pipeline.compose.test.integration.queued
- ci.pipeline.compose.test.integration.running
- ci.pipeline.image.complete
- ci.pipeline.image.running
- ci.pipeline.image.test.smoke.complete
- ci.pipeline.image.test.smoke.running
- ci.pipeline.package.complete
- ci.pipeline.package.ignore
- ci.pipeline.package.ignored
- ci.pipeline.package.queued
- ci.pipeline.package.running
fedmsg_prefix: org.centos
fedmsg_env: prod
nagios_Can_Connect: false
nagios_Check_Services:
mail: false
nrpe: false
sshd: false
swap: false
ping: false

26
inventory/host_vars/repospanner-cc-rdu01.fedoraproject.org
View file

@ -1,26 +0,0 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
eth0_ip: 8.43.85.76
eth0_nm: 255.255.255.0
gw: 8.43.85.254
nm: 255.255.255.0
dns: 8.8.8.8
deployment_type: prod
volgroup: /dev/vg_guests
vmhost: virthost-cc-rdu02.fedoraproject.org
datacenter: rdu-cc
has_ipv6: yes
eth0_ipv6: "2620:52:3:1:dead:beef:cafe:fed2"
eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
postfix_group: vpn
vpn: true
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://209.132.181.6/repo/rhel/RHEL7-x86_64/

19
inventory/host_vars/repospanner-ibiblio01.fedoraproject.org
View file

@ -1,19 +0,0 @@
---
nm: 255.255.255.128
gw: 152.19.134.129
dns: 8.8.8.8
ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
eth0_ip: 152.19.134.149
eth0_nm: 255.255.255.128
has_ipv6: yes
eth0_ipv6: "2610:28:3090:3001:dead:beef:cafe:fedf"
eth0_ipv6_gw: "2610:28:3090:3001::1"
vmhost: ibiblio01.fedoraproject.org
datacenter: ibiblio

24
inventory/host_vars/repospanner-temp01.fedoraproject.org
View file

@ -1,24 +0,0 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
eth0_ip: 8.43.85.78
eth0_nm: 255.255.255.0
gw: 8.43.85.254
nm: 255.255.255.0
dns: 8.8.8.8
max_mem_size: 8192
deployment_type: dev
volgroup: /dev/vg_guests
vmhost: virthost-cc-rdu02.fedoraproject.org
datacenter: rdu-cc
has_ipv6: yes
eth0_ipv6: "2620:52:3:1:dead:beef:cafe:fee0"
eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
vpn: false
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://209.132.181.6/repo/rhel/RHEL7-x86_64/

27
inventory/host_vars/repospanner-temp02.fedoraproject.org
View file

@ -1,27 +0,0 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
eth0_ip: 152.19.134.191
eth0_nm: 255.255.255.128
nm: 255.255.255.128
gw: 152.19.134.129
dns: 8.8.8.8
max_mem_size: 8192
deployment_type: dev
volgroup: /dev/vg_guests
vmhost: ibiblio01.fedoraproject.org
datacenter: ibiblio
has_ipv6: yes
eth0_ipv6: "2610:28:3090:3001:dead:beef:cafe:fee0"
eth0_ipv6_gw: "2610:28:3090:3001::1"
vpn: false
ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/

24
inventory/host_vars/repospanner-temp03.fedoraproject.org
View file

@ -1,24 +0,0 @@
---
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
eth0_ip: 140.211.169.199
eth0_nm: 255.255.255.128
nm: 255.255.255.192
gw: 140.211.169.193
dns: 8.8.8.8
max_mem_size: 8192
deployment_type: dev
volgroup: /dev/vg_guests
vmhost: osuosl01.fedoraproject.org
datacenter: osuosl
has_ipv6: yes
eth0_ipv6: "2605:bc80:3010:600:dead:beef:cafe:fee0"
eth0_ipv6_gw: "2605:bc80:3010:600::1"
vpn: false
ks_url: http://209.132.181.6/repo/rhel/ks/kvm-rhel-7-ext
ks_repo: http://209.132.181.6/repo/rhel/RHEL7-x86_64/

10
inventory/host_vars/repospanner01.phx2.fedoraproject.org
View file

@ -1,10 +0,0 @@
---
eth0_ip: 10.5.126.60
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
volgroup: /dev/vg_guests
vmhost: virthost01.phx2.fedoraproject.org
datacenter: phx2

14
inventory/host_vars/simple-koji-ci-prod.fedorainfracloud.org
View file

@ -1,14 +0,0 @@
---
tcp_ports: [22]
datacenter: aws
nagios_Check_Services:
mail: false
nrpe: false
sshd: false
named: false
dhcpd: false
httpd: false
swap: false
ping: false
raid: false

14
inventory/host_vars/summershum01.phx2.fedoraproject.org
View file

@ -1,14 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
eth0_ip: 10.5.126.205
volgroup: /dev/vg_guests
vmhost: virthost14.phx2.fedoraproject.org
datacenter: phx2

14
inventory/host_vars/summershum01.stg.phx2.fedoraproject.org
View file

@ -1,14 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
eth0_ip: 10.5.128.184
volgroup: /dev/vg_guests
vmhost: virthost04.stg.phx2.fedoraproject.org
datacenter: phx2

6
inventory/inventory
View file

@ -1071,12 +1071,6 @@ copr_keygen_dev_aws
# virthost-aarch64-os01.fedorainfracloud.org # virthost-aarch64-os01.fedorainfracloud.org
# virthost-aarch64-os02.fedorainfracloud.org # virthost-aarch64-os02.fedorainfracloud.org
#[libravatar]
#libravatar.fedorainfracloud.org
#[libravatar_stg]
#libravatar-stg.fedorainfracloud.org
[pagure] [pagure]
pagure01.fedoraproject.org pagure01.fedoraproject.org

401
library/lvol.py
View file

@ -1,401 +0,0 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2013, Jeroen Hoekx <jeroen.hoekx@dsquare.be>, Alexander Bulimov <lazywolf0@gmail.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
DOCUMENTATION = '''
---
author:
- "Jeroen Hoekx (@jhoekx)"
- "Alexander Bulimov (@abulimov)"
module: lvol
short_description: Configure LVM logical volumes
description:
- This module creates, removes or resizes logical volumes.
version_added: "1.1"
options:
vg:
description:
- The volume group this logical volume is part of.
required: true
lv:
description:
- The name of the logical volume.
required: true
size:
description:
- The size of the logical volume, according to lvcreate(8) --size, by
default in megabytes or optionally with one of [bBsSkKmMgGtTpPeE] units; or
according to lvcreate(8) --extents as a percentage of [VG|PVS|FREE];
Float values must begin with a digit.
Resizing using percentage values was not supported prior to 2.1.
state:
choices: [ "present", "absent" ]
default: present
description:
- Control if the logical volume exists. If C(present) the C(size) option
is required.
required: false
force:
version_added: "1.5"
choices: [ "yes", "no" ]
default: "no"
description:
- Shrink or remove operations of volumes requires this switch. Ensures that
that filesystems get never corrupted/destroyed by mistake.
required: false
opts:
version_added: "2.0"
description:
- Free-form options to be passed to the lvcreate command
snapshot:
version_added: "2.1"
description:
- The name of the snapshot volume
required: false
pvs:
version_added: "2.2"
description:
- Comma separated list of physical volumes e.g. /dev/sda,/dev/sdb
required: false
shrink:
version_added: "2.2"
description:
- shrink if current size is higher than size requested
required: false
default: yes
notes:
- Filesystems on top of the volume are not resized.
'''
EXAMPLES = '''
# Create a logical volume of 512m.
- lvol: vg=firefly lv=test size=512
# Create a logical volume of 512m with disks /dev/sda and /dev/sdb
- lvol: vg=firefly lv=test size=512 pvs=/dev/sda,/dev/sdb
# Create cache pool logical volume
- lvol: vg=firefly lv=lvcache size=512m opts='--type cache-pool'
# Create a logical volume of 512g.
- lvol: vg=firefly lv=test size=512g
# Create a logical volume the size of all remaining space in the volume group
- lvol: vg=firefly lv=test size=100%FREE
# Create a logical volume with special options
- lvol: vg=firefly lv=test size=512g opts="-r 16"
# Extend the logical volume to 1024m.
- lvol: vg=firefly lv=test size=1024
# Extend the logical volume to consume all remaining space in the volume group
- lvol: vg=firefly lv=test size=+100%FREE
# Extend the logical volume to take all remaining space of the PVs
- lvol: vg=firefly lv=test size=100%PVS
# Resize the logical volume to % of VG
- lvol: vg-firefly lv=test size=80%VG force=yes
# Reduce the logical volume to 512m
- lvol: vg=firefly lv=test size=512 force=yes
# Set the logical volume to 512m and do not try to shrink if size is lower than current one
- lvol: vg=firefly lv=test size=512 shrink=no
# Remove the logical volume.
- lvol: vg=firefly lv=test state=absent force=yes
# Create a snapshot volume of the test logical volume.
- lvol: vg=firefly lv=test snapshot=snap1 size=100m
'''
import re
decimal_point = re.compile(r"(\d+)")
def mkversion(major, minor, patch):
return (1000 * 1000 * int(major)) + (1000 * int(minor)) + int(patch)
def parse_lvs(data):
lvs = []
for line in data.splitlines():
parts = line.strip().split(';')
lvs.append({
'name': parts[0].replace('[','').replace(']',''),
'size': int(decimal_point.match(parts[1]).group(1))
})
return lvs
def parse_vgs(data):
vgs = []
for line in data.splitlines():
parts = line.strip().split(';')
vgs.append({
'name': parts[0],
'size': int(decimal_point.match(parts[1]).group(1)),
'free': int(decimal_point.match(parts[2]).group(1)),
'ext_size': int(decimal_point.match(parts[3]).group(1))
})
return vgs
def get_lvm_version(module):
ver_cmd = module.get_bin_path("lvm", required=True)
rc, out, err = module.run_command("%s version" % (ver_cmd))
if rc != 0:
return None
m = re.search("LVM version:\s+(\d+)\.(\d+)\.(\d+).*(\d{4}-\d{2}-\d{2})", out)
if not m:
return None
return mkversion(m.group(1), m.group(2), m.group(3))
def main():
module = AnsibleModule(
argument_spec=dict(
vg=dict(required=True),
lv=dict(required=True),
size=dict(type='str'),
opts=dict(type='str'),
state=dict(choices=["absent", "present"], default='present'),
force=dict(type='bool', default='no'),
shrink=dict(type='bool', default='yes'),
snapshot=dict(type='str', default=None),
pvs=dict(type='str')
),
supports_check_mode=True,
)
# Determine if the "--yes" option should be used
version_found = get_lvm_version(module)
if version_found == None:
module.fail_json(msg="Failed to get LVM version number")
version_yesopt = mkversion(2, 2, 99) # First LVM with the "--yes" option
if version_found >= version_yesopt:
yesopt = "--yes"
else:
yesopt = ""
vg = module.params['vg']
lv = module.params['lv']
size = module.params['size']
opts = module.params['opts']
state = module.params['state']
force = module.boolean(module.params['force'])
shrink = module.boolean(module.params['shrink'])
size_opt = 'L'
size_unit = 'm'
snapshot = module.params['snapshot']
pvs = module.params['pvs']
if pvs is None:
pvs = ""
else:
pvs = pvs.replace(",", " ")
if opts is None:
opts = ""
# Add --test option when running in check-mode
if module.check_mode:
test_opt = ' --test'
else:
test_opt = ''
if size:
# LVCREATE(8) -l --extents option with percentage
if '%' in size:
size_parts = size.split('%', 1)
size_percent = int(size_parts[0])
if size_percent > 100:
module.fail_json(msg="Size percentage cannot be larger than 100%")
size_whole = size_parts[1]
if size_whole == 'ORIGIN':
module.fail_json(msg="Snapshot Volumes are not supported")
elif size_whole not in ['VG', 'PVS', 'FREE']:
module.fail_json(msg="Specify extents as a percentage of VG|PVS|FREE")
size_opt = 'l'
size_unit = ''
if not '%' in size:
# LVCREATE(8) -L --size option unit
if size[-1].lower() in 'bskmgtpe':
size_unit = size[-1].lower()
size = size[0:-1]
try:
float(size)
if not size[0].isdigit(): raise ValueError()
except ValueError:
module.fail_json(msg="Bad size specification of '%s'" % size)
# when no unit, megabytes by default
if size_opt == 'l':
unit = 'm'
else:
unit = size_unit
# Get information on volume group requested
vgs_cmd = module.get_bin_path("vgs", required=True)
rc, current_vgs, err = module.run_command(
"%s --noheadings -o vg_name,size,free,vg_extent_size --units %s --separator ';' %s" % (vgs_cmd, unit, vg))
if rc != 0:
if state == 'absent':
module.exit_json(changed=False, stdout="Volume group %s does not exist." % vg, stderr=False)
else:
module.fail_json(msg="Volume group %s does not exist." % vg, rc=rc, err=err)
vgs = parse_vgs(current_vgs)
this_vg = vgs[0]
# Get information on logical volume requested
lvs_cmd = module.get_bin_path("lvs", required=True)
rc, current_lvs, err = module.run_command(
"%s -a --noheadings --nosuffix -o lv_name,size --units %s --separator ';' %s" % (lvs_cmd, unit, vg))
if rc != 0:
if state == 'absent':
module.exit_json(changed=False, stdout="Volume group %s does not exist." % vg, stderr=False)
else:
module.fail_json(msg="Volume group %s does not exist." % vg, rc=rc, err=err)
changed = False
lvs = parse_lvs(current_lvs)
if snapshot is None:
check_lv = lv
else:
check_lv = snapshot
for test_lv in lvs:
if test_lv['name'] == check_lv:
this_lv = test_lv
break
else:
this_lv = None
if state == 'present' and not size:
if this_lv is None:
module.fail_json(msg="No size given.")
else:
module.exit_json(changed=False, vg=vg, lv=this_lv['name'], size=this_lv['size'])
msg = ''
if this_lv is None:
if state == 'present':
### create LV
lvcreate_cmd = module.get_bin_path("lvcreate", required=True)
if snapshot is not None:
cmd = "%s %s %s -%s %s%s -s -n %s %s %s/%s" % (lvcreate_cmd, test_opt, yesopt, size_opt, size, size_unit, snapshot, opts, vg, lv)
else:
cmd = "%s %s %s -n %s -%s %s%s %s %s %s" % (lvcreate_cmd, test_opt, yesopt, lv, size_opt, size, size_unit, opts, vg, pvs)
rc, _, err = module.run_command(cmd)
if rc == 0:
changed = True
else:
module.fail_json(msg="Creating logical volume '%s' failed" % lv, rc=rc, err=err)
else:
if state == 'absent':
### remove LV
if not force:
module.fail_json(msg="Sorry, no removal of logical volume %s without force=yes." % (this_lv['name']))
lvremove_cmd = module.get_bin_path("lvremove", required=True)
rc, _, err = module.run_command("%s %s --force %s/%s" % (lvremove_cmd, test_opt, vg, this_lv['name']))
if rc == 0:
module.exit_json(changed=True)
else:
module.fail_json(msg="Failed to remove logical volume %s" % (lv), rc=rc, err=err)
elif size_opt == 'l':
### Resize LV based on % value
tool = None
size_free = this_vg['free']
if size_whole == 'VG' or size_whole == 'PVS':
size_requested = size_percent * this_vg['size'] / 100
else: # size_whole == 'FREE':
size_requested = size_percent * this_vg['free'] / 100
if '+' in size:
size_requested += this_lv['size']
if this_lv['size'] < size_requested:
if (size_free > 0) and (('+' not in size) or (size_free >= (size_requested - this_lv['size']))):
tool = module.get_bin_path("lvextend", required=True)
else:
module.fail_json(msg="Logical Volume %s could not be extended. Not enough free space left (%s%s required / %s%s available)" % (this_lv['name'], (size_requested - this_lv['size']), unit, size_free, unit))
elif shrink and this_lv['size'] > size_requested + this_vg['ext_size']: # more than an extent too large
if size_requested == 0:
module.fail_json(msg="Sorry, no shrinking of %s to 0 permitted." % (this_lv['name']))
elif not force:
module.fail_json(msg="Sorry, no shrinking of %s without force=yes" % (this_lv['name']))
else:
tool = module.get_bin_path("lvreduce", required=True)
tool = '%s %s' % (tool, '--force')
if tool:
cmd = "%s %s -%s %s%s %s/%s %s" % (tool, test_opt, size_opt, size, size_unit, vg, this_lv['name'], pvs)
rc, out, err = module.run_command(cmd)
if "Reached maximum COW size" in out:
module.fail_json(msg="Unable to resize %s to %s%s" % (lv, size, size_unit), rc=rc, err=err, out=out)
elif rc == 0:
changed = True
msg="Volume %s resized to %s%s" % (this_lv['name'], size_requested, unit)
elif "matches existing size" in err:
module.exit_json(changed=False, vg=vg, lv=this_lv['name'], size=this_lv['size'])
elif "not larger than existing size" in err:
module.exit_json(changed=False, vg=vg, lv=this_lv['name'], size=this_lv['size'], msg="Original size is larger than requested size", err=err)
else:
module.fail_json(msg="Unable to resize %s to %s%s" % (lv, size, size_unit), rc=rc, err=err)
else:
### resize LV based on absolute values
tool = None
if int(size) > this_lv['size']:
tool = module.get_bin_path("lvextend", required=True)
elif shrink and int(size) < this_lv['size']:
if int(size) == 0:
module.fail_json(msg="Sorry, no shrinking of %s to 0 permitted." % (this_lv['name']))
if not force:
module.fail_json(msg="Sorry, no shrinking of %s without force=yes." % (this_lv['name']))
else:
tool = module.get_bin_path("lvreduce", required=True)
tool = '%s %s' % (tool, '--force')
if tool:
cmd = "%s %s -%s %s%s %s/%s %s" % (tool, test_opt, size_opt, size, size_unit, vg, this_lv['name'], pvs)
rc, out, err = module.run_command(cmd)
if "Reached maximum COW size" in out:
module.fail_json(msg="Unable to resize %s to %s%s" % (lv, size, size_unit), rc=rc, err=err, out=out)
elif rc == 0:
changed = True
elif "matches existing size" in err:
module.exit_json(changed=False, vg=vg, lv=this_lv['name'], size=this_lv['size'])
elif "not larger than existing size" in err:
module.exit_json(changed=False, vg=vg, lv=this_lv['name'], size=this_lv['size'], msg="Original size is larger than requested size", err=err)
else:
module.fail_json(msg="Unable to resize %s to %s%s" % (lv, size, size_unit), rc=rc, err=err)
module.exit_json(changed=changed, msg=msg)
# import module snippets
from ansible.module_utils.basic import *
if __name__ == '__main__':
main()

14
playbooks/cloud_prep.yml
View file

@ -1,14 +0,0 @@
# restricted to run on cloud instances only
- hosts: 209.132.184.*
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"

25
playbooks/destroy_cloud_inst.yml
View file

@ -1,25 +0,0 @@
#DIE DIE DIE
# there is no way this could work so fail
#
# only works with -e target=
# requires --extra-vars="target=hostspec"
- name: destroy the cloud instance
hosts: "{{ target }}"
user: root
gather_facts: false
tasks:
- name: fail if the host/ip is not up
local_action: wait_for host={{ inventory_hostname }} port=22 delay=0 timeout=10
when: inventory_hostname not in result.list_vms
- name: pause for 30s before doing it
pause: seconds=30 prompt="Destroying vm now {{ target }}, abort if this is wrong"
- name: find the instance id from the builder
command: curl -s http://169.254.169.254/latest/meta-data/instance-id
register: instanceid
- name: destroy the vm
command: /usr/sbin/halt -p

45
playbooks/destroy_virt_inst.yml
View file

@ -1,45 +0,0 @@
# only works with -e target=
# read configs from host_vars
# check for host already existing
# if it exists
# kill it
# lvremove disk?
# if not
# exit with failure
# requires --extra-vars="target=hostspec"
- name: destroy and undefine vm
hosts: "{{ target }}"
user: root
gather_facts: false
tasks:
- name: get vm list on the vmhost
delegate_to: "{{ vmhost }}"
virt: command=list_vms
register: result
- name: fail if the host is not already defined/existent
local_action: fail msg="host does not exist on {{ vmhost }}"
when: inventory_hostname not in result.list_vms
- name: schedule 30m host downtime in nagios
nagios: action=downtime minutes=60 service=host host={{ inventory_hostname_short }}{{ env_suffix }}
delegate_to: noc01.phx2.fedoraproject.org
ignore_errors: true
- name: pause for 30s before doing it
pause: seconds=30 prompt="Destroying (and lvremove for) vm now {{ target }}, abort if this is wrong"
- name: destroy the vm
virt: name={{ inventory_hostname }} command=destroy
delegate_to: "{{ vmhost }}"
- name: undefine the vm
virt: name={{ inventory_hostname }} command=undefine
delegate_to: "{{ vmhost }}"
- name: destroy the lv
command: /sbin/lvremove -f {{volgroup}}/{{inventory_hostname}}
delegate_to: "{{ vmhost }}"

33
playbooks/fix_arm_soc.yml
View file

@ -1,33 +0,0 @@
#
# This playbook power cycles an arm soc, sets time and runs playbook on it.
#
# requires -e "target=arm0N-builderXX.arm.fedoraproject.org" -l arm0N-builderXX.arm.fedoraproject.org
- name: power cycle instance
hosts: "{{ target }}"
gather_facts: False
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
tasks:
- name: power off
delegate_to: noc01.phx2.fedoraproject.org
command: /opt/calxeda/bin/ipmitool -U admin -P "{{ armsocipmipass }}" -H "{{inventory_hostname_short}}-mgmt.arm.fedoraproject.org" power off
# no_log: True
- name: power on
delegate_to: noc01.phx2.fedoraproject.org
command: /opt/calxeda/bin/ipmitool -U admin -P "{{ armsocipmipass }}" -H "{{inventory_hostname_short}}-mgmt.arm.fedoraproject.org" power on
# no_log: True
- name: wait for soc ssh to come back up
local_action: wait_for delay=10 host={{ target }} port=22 state=started timeout=1200
- name: make sure time is set
delegate_to: "{{target}}"
command: ntpdate -u bastion01.phx2.fedoraproject.org
- include_playbook: groups/buildhw.yml hosts="{{target}}"

1
playbooks/groups/koji-hub.yml
View file

@ -28,7 +28,6 @@
- nagios_client - nagios_client
- hosts - hosts
- fas_client - fas_client
- builder_repo
- collectd/base - collectd/base
- apache - apache
- role: keytab/service - role: keytab/service

1
playbooks/groups/releng-compose.yml
View file

@ -23,7 +23,6 @@
roles: roles:
- base - base
- hosts - hosts
- builder_repo
- fas_client - fas_client
- rkhunter - rkhunter
- nagios_client - nagios_client

31
playbooks/hosts/respins.fedorainfracloud.org.yml
View file

@ -1,31 +0,0 @@
- name: check/create instance
hosts: respins.fedorainfracloud.org
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
tasks:
- import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: setup all the things
hosts: respins.fedorainfracloud.org
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
roles:
- basessh

2
playbooks/include/proxies-fedora-web.yml
View file

@ -27,8 +27,6 @@
website: fedoracommunity.org website: fedoracommunity.org
- role: fedora-web/fudcon - role: fedora-web/fudcon
website: fudcon.fedoraproject.org website: fudcon.fedoraproject.org
- role: fedora-web/magazine
website: fedoramagazine.org
- role: fedora-web/getfedora - role: fedora-web/getfedora
website: getfedora.org website: getfedora.org
- role: fedora-web/flocktofedora - role: fedora-web/flocktofedora

56
roles/ansible-ansible-awx/tasks/main.yml
View file

@ -1,56 +0,0 @@
---
- name: Install required packages
package: name="{{ item }}" state=present
with_items:
- ansible
- git
- pyOpenSSL
- docker
- python-docker-py
tags:
- awxinstall
- name: Start and enable docker
service: name=docker enabled=yes state=started
- name: git clone the awx repo
git:
repo: https://github.com/ansible/awx.git
dest: /srv/awx
version: devel
tags:
- awxinstall
- name: git clone the awx-logos repo
git:
repo: https://github.com/ansible/awx-logos.git
dest: /srv/awx-logos
version: master
tags:
- awxinstall
- name: Copy inventory file over
template: src=inventory dest=/srv/awx/installer/inventory
tags:
- awxinstall
#- name: run ansible
# shell: "ansible-playbook install.yml -i inventory"
# args:
# chdir: "/srv/awx/installer"
# register: run_ansible_out
# tags:
# - awxinstall
#
#- name: display run ansible stdout_lines
# debug:
# var: run_ansible_out.stdout_lines
# tags:
# - awxinstall
#
#- name: display run ansible stderr
# debug:
# var: run_ansible_out.stderr
# tags:
# - awxinstall

112
roles/ansible-ansible-awx/templates/inventory
View file

@ -1,112 +0,0 @@
localhost ansible_connection=local ansible_python_interpreter="/usr/bin/env python"
[all:vars]
# Remove these lines if you want to run a local image build
# Otherwise the setup playbook will install the official Ansible images. Versions may
# be selected based on: latest, 1, 1.0, 1.0.0, 1.0.0.123
# by default the base will be used to search for ansible/awx_web and ansible/awx_task
dockerhub_base=ansible
dockerhub_version=latest
# Openshift Install
# Will need to set -e openshift_password=developer -e docker_registry_password=$(oc whoami -t)
# openshift_host=127.0.0.1:8443
# awx_openshift_project=awx
# openshift_user=developer
# awx_node_port=30083
# Kubernetes Install
# kubernetes_context=test-cluster
# awx_kubernetes_namespace=awx
# Kubernetes and Openshift Install Resource Requests
# This is the request value for a pod's "task" container, which is the container
# used to run jobs. The other containers have a fixed resource request. The total amount
# of requested resources for a pod is the sum of all resources requested by all containers
# in the pod
# A cpu_request of 1500 is 1.5 cores for the task container
# A mem_request of 2 is for 2 gigabytes of memory for the task container
# awx_task_cpu_request=1500
# awx_task_mem_request=2
# Common Docker parameters
postgres_data_dir=/tmp/pgdocker
host_port=80
# Docker Compose Install
# use_docker_compose=false
# The docker_compose.yml file will be created in this directory
# The name of the directory (here "awx") will be the prefix of the docker containers
docker_compose_dir=/var/lib/awx
# Required for Openshift when building the image on your own
# Optional for Openshift if using Dockerhub or another prebuilt registry
# Required for Standalone Docker Install if building the image on your own
# Optional for Standalone Docker Install if using Dockerhub or another prebuilt registry
# Required for Docker Compose Install if building the image on your own
# Optional for Docker Compose Install if using Dockerhub or another prebuilt registry
# Define if you want the image pushed to a registry. The container definition will also use these images
# docker_registry=172.30.1.1:5000
# docker_registry_repository=awx
# docker_registry_username=developer
# Docker_image will not attempt to push to remote if the image already exists locally
# Set this to true to delete images from docker on the build host so that they are pushed to the remote repository
# docker_remove_local_images=False
# Set pg_hostname if you have an external postgres server, otherwise
# a new postgres service will be created
pg_hostname=db-fas01.phx2.fedoraproject.org
pg_username={{awx_db_user}}
pg_password={{awx_db_pass}}
pg_database={{awx_db}}
pg_port=5432
# Use a local distribution build container image for building the AWX package
# This is helpful if you don't want to bother installing the build-time dependencies as
# it is taken care of already.
# NOTE: IMPORTANT: If you are running a mininshift install, using this container might not work
# if you are using certain drivers like KVM where the source tree can't be mapped
# into the build container.
# Thus this setting must be set to False which will trigger a local build. To view the
# typical dependencies that you might need to install see:
# installer/image_build/files/Dockerfile.sdist
# use_container_for_build=true
# This will create or update a default admin (superuser) account in AWX, if not provided
# then these default values are used
default_admin_user={{awx_admin}}
default_admin_password={{awx_admin_pw}}
# AWX Secret key
# It's *very* important that this stay the same between upgrades or you will lose the ability to decrypt
# your credentials
awx_secret_key={{awx_secret_key}}
# Build AWX with official logos
# Requires cloning awx-logos repo into the project root.
# Review the trademark guidelines at https://github.com/ansible/awx-logos/blob/master/TRADEMARKS.md
awx_official=true
# Proxy
#http_proxy=http://proxy:3128
#https_proxy=http://proxy:3128
#no_proxy=mycorp.org
# Container networking configuration
# Set the awx_task and awx_web containers' search domain(s)
#awx_container_search_domains=example.com,ansible.com
# Alternate DNS servers
#awx_alternate_dns_servers="10.1.2.3,10.2.3.4"
# AWX project data folder. If you need access to the location where AWX stores the projects
# it manages from the docker host, you can set this to turn it into a volume for the container.
#project_data_dir=/var/lib/awx/projects
# CA Trust directory. If you need to provide custom CA certificates, supplying
# this variable causes this directory on the host to be bind mounted over
# /etc/pki/ca-trust in the awx_task and awx_web containers.
# NOTE: only obeyed in local_docker install
#ca_trust_dir=/etc/pki/ca-trust

13
roles/apps-fp-o/files/apps.yaml
View file

@ -122,19 +122,6 @@ children:
description: > description: >
Maintain your own user profile page, contribute to Maintain your own user profile page, contribute to
documents about features, process, and governance. documents about features, process, and governance.
- name: Fedora Magazine
data:
icon: magazine.png
url: http://fedoramagazine.org
docs_url: https://codex.wordpress.org/
# We don't have a SOP for the magazine yet.
# https://fedorahosted.org/fedora-infrastructure/ticket/5149
#sops:
# - put the url here
description: >
Fedora Magazine is a WordPress-based site which delivers all
the news of the Fedora Community. (It replaces the previous
Fedora Weekly News.)
- name: The Planet - name: The Planet
data: data:
icon: planet_logo.png icon: planet_logo.png

46
roles/autosigner/files/endpoints.py
View file

@ -1,46 +0,0 @@
# This file is part of fedmsg.
# Copyright (C) 2012 Red Hat, Inc.
#
# fedmsg is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# fedmsg is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with fedmsg; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors: Ralph Bean <rbean@redhat.com>
#
import socket
hostname = socket.gethostname().split('.', 1)[0]
config = dict(
# This is a dict of possible addresses from which fedmsg can send
# messages. fedmsg.init(...) requires that a 'name' argument be passed
# to it which corresponds with one of the keys in this dict.
endpoints={
# These are here so your local box can listen to the upstream
# infrastructure's bus. Cool, right? :)
"fedora-infrastructure": [
# proxy01, IP by Ralph Bean, the round-robin DNS pool
# hub.fedoraproject.org contains at least one IP autosign01 cannot
# connect to
"tcp://10.5.126.52:9940",
#"tcp://stg.fedoraproject.org:9940",
],
# For other, more 'normal' services, fedmsg will try to guess the
# name of it's calling module to determine which endpoint definition
# to use. This can be overridden by explicitly providing the name in
# the initial call to fedmsg.init(...).
#"bodhi.%s" % hostname: ["tcp://127.0.0.1:3001"],
#"fas.%s" % hostname: ["tcp://127.0.0.1:3002"],
#"fedoratagger.%s" % hostname: ["tcp://127.0.0.1:3003"],
},
)

4
roles/autosigner/meta/main.yml
View file

@ -1,4 +0,0 @@
---
dependencies:
- { role: builder_repo }
- { role: hosts }

46
roles/autosigner/tasks/main.yml
View file

@ -1,46 +0,0 @@
- name: install dependencies
package: state=present pkg={{ item }}
with_items:
- sigul
tags:
- autosigner
- packages
# fedora-packager is required for /etc/koji/$arch-config
- name: install dependencies
package: state=present pkg={{ item }}
with_items:
- fedmsg
- fedmsg-hub
- fedora-packager
- python2-fedmsg-meta-fedora-infrastructure
tags:
- autosigner
- packages
# sigul config for secondary archs:
# https://fedoraproject.org/wiki/Sigul_Client_Setup_SOP
- name: sigul config koji instances
ini_file: dest=/etc/sigul/client.conf section=koji option=koji-instances
value="arm ppc s390"
tags:
- autosigner
- config
- name: sigul config koji config
ini_file: dest=/etc/sigul/client.conf section=koji
option=koji-config-{{ item }} value="/etc/koji/{{ item }}-config"
with_items:
- arm
- ppc
- s390
tags:
- autosigner
- config
- name: fedmsg endpoints config
copy: src=endpoints.py dest=/etc/fedmsg.d/endpoints.py
tags:
- autosigner
- config
- fedmsgdconfig

687
roles/base/files/postfix/main.cf/main.cf.openstack-compute
View file

@ -1,687 +0,0 @@
# "false"
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain
mydomain = fedoraproject.org
myorigin = fedoraproject.org
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = all
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = $myhostname, localhost.$mydomain, fedora.redhat.com, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
#relayhost = bastion
# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
masquerade_domains = redhat.com
masquerade_exceptions = root apache
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
recipient_delimiter = +
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /usr/bin/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for the
# capacity of the hardware you are using. The recipient limit setting
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
# message store.
#
# To use the old cyrus deliver program you have to set:
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
#transport_maps = hash:/etc/postfix/transport
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix-2.4.5/samples
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
# add this to new postfix to get it to add proper message-id and other
# headers to outgoing emails via the gateway.
message_size_limit = 20971520
#inet_protocols = ipv4

687
roles/base/files/postfix/main.cf/main.cf.upstreamfirst.fedorainfracloud.org
View file

@ -1,687 +0,0 @@
# "false"
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain
mydomain = fedoraproject.org
myorigin = fedoraproject.org
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = all
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = $myhostname, localhost.$mydomain, fedora.redhat.com, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
#relayhost = bastion
# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
masquerade_domains = redhat.com
masquerade_exceptions = root apache
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
recipient_delimiter = +
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /usr/bin/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for the
# capacity of the hardware you are using. The recipient limit setting
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
# message store.
#
# To use the old cyrus deliver program you have to set:
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
#transport_maps = hash:/etc/postfix/transport
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix-2.4.5/samples
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
# add this to new postfix to get it to add proper message-id and other
# headers to outgoing emails via the gateway.
message_size_limit = 20971520
#inet_protocols = ipv4

4
roles/base/files/resolv.conf/cloud
View file

@ -1,4 +0,0 @@
search cloud.fedoraproject.org fedoraproject.org
nameserver 8.8.8.8
nameserver 8.8.4.4
options rotate timeout:1

4
roles/base/files/resolv.conf/serverbeach
View file

@ -1,4 +0,0 @@
search vpn.fedoraproject.org fedoraproject.org
nameserver 8.8.8.8
nameserver 8.8.4.4
options rotate timeout:1

4
roles/base/files/resolv.conf/telia
View file

@ -1,4 +0,0 @@
search vpn.fedoraproject.org fedoraproject.org
nameserver 213.248.76.210
nameserver 152.3.182.5
options rotate timeout:1

4
roles/base/files/resolv.conf/tummy
View file

@ -1,4 +0,0 @@
search vpn.fedoraproject.org fedoraproject.org
nameserver 198.49.126.1
nameserver 66.35.36.133
options rotate timeout:1

11
roles/beaker/base/files/beaker-server-fedora.repo
View file

@ -1,11 +0,0 @@
[beaker-server]
name=Beaker Server - Fedora$releasever
baseurl=https://beaker-project.org/yum/server/Fedora$releasever/
enabled=1
gpgcheck=0
[beaker-server-testing]
name=Beaker Server -Fedora$releasever - Testing
baseurl=https://beaker-project.org/yum/server-testing/Fedora$releasever/
enabled=0
gpgcheck=0

27
roles/beaker/base/tasks/main.yml
View file

@ -1,27 +0,0 @@
#
# This is the base beaker role - mostly installing repos for beaker
#
---
- name: put beaker server repos on Rhel systems
template:
src: "{{ item }}"
dest: "/etc/yum.repos.d/{{ item }}"
owner: root
group: root
mode: 0644
with_items:
- beaker-server-rhel.repo
when: ansible_distribution == 'RedHat'
- name: put beaker server repos on Fedora systems
copy:
src: "{{ item }}"
dest: "/etc/yum.repos.d/{{ item }}"
owner: root
group: root
mode: 0644
with_items:
- beaker-server-fedora.repo
when: ansible_distribution == 'Fedora'

11
roles/beaker/base/templates/beaker-server-rhel.repo
View file

@ -1,11 +0,0 @@
[beaker-server]
name=Beaker Server - RedHatEnterpriseLinux{{ ansible_distribution_major_version }}
baseurl=https://beaker-project.org/yum/server/RedHatEnterpriseLinux{{ ansible_distribution_major_version }}/
enabled=1
gpgcheck=0
[beaker-server-testing]
name=Beaker Server - RedHatEnterpriseLinux{{ ansible_distribution_major_version }} - Testing
baseurl=https://beaker-project.org/yum/server-testing/RedHatEnterpriseLinux{{ ansible_distribution_major_version }}/
enabled=0
gpgcheck=0

10
roles/beaker/labcontroller/handlers/main.yml
View file

@ -1,10 +0,0 @@
#####################################################################
# Handlers for restarting services specific to beaker lab controllers
#
- name: restart beaker lab controller
service: name={{ item }} state=restarted
with_items:
- beaker-proxy
- beaker-provision
- beaker-watchdog

36
roles/beaker/labcontroller/tasks/main.yml
View file

@ -1,36 +0,0 @@
#
# This is a beaker_labcontroller role.
#
---
- name: install packages needed for beaker lab-controller
package: name={{ item }} state=present
with_items:
- beaker-lab-controller
- tftp-server
- name: Replace default labcontroller.conf file
template:
src: etc/beaker/labcontroller.conf.j2
dest: /etc/beaker/labcontroller.conf
owner: apache
group: root
mode: 0660
backup: yes
force: yes
notify:
- reload httpd
- restart beaker lab controller
tags:
- beaker_lab_controller
- name: start required services
service: name={{ item }} state=started enabled=yes
with_items:
- httpd
- tftp.socket
- beaker-proxy
- beaker-provision
- beaker-watchdog
# beaker-transfer is left disabled, since we have no log archive server
tags:
- beaker_lab_controller

48
roles/beaker/labcontroller/templates/etc/beaker/labcontroller.conf.j2
View file

@ -1,48 +0,0 @@
# Hub xml-rpc address.
#HUB_URL = "https://localhost:8080"
HUB_URL = "http://{{beaker_server_hostname}}/"
# Hub authentication method. Example: krbv, password, worker_key
AUTH_METHOD = "password"
#AUTH_METHOD = "krbv"
# Username and password
USERNAME = "{{beaker_lab_controller_username}}"
PASSWORD = "{{beaker_lab_controller_password}}"
# Kerberos service prefix. Example: host, HTTP
KRB_SERVICE = "HTTP"
# Kerberos realm. If commented, last two parts of domain name are used. Example: MYDOMAIN.COM.
KRB_REALM = "DOMAIN.COM"
#Uncomment and change the following two lines if using krb with qpid
#QPID_KRB_PRINCIPAL='HTTP/localhost'
#QPID_KRB_KEYTAB='/etc/my/file.keytab'
# By default, job logs are stored locally on the lab controller.
# If you have set up an archive server to store job logs, uncomment and
# configure the following settings. You will also need to enable the
# beaker-transfer daemon to move logs to the archive server.
#ARCHIVE_SERVER = "http://archive-example.domain.com/beaker"
#ARCHIVE_BASEPATH = "/var/www/html/beaker"
#ARCHIVE_RSYNC = "rsync://USER@HOST/var/www/html/beaker"
#RSYNC_FLAGS = "-ar --password-file /root/rsync-secret.txt"
# How often to renew our session on the server
#RENEW_SESSION_INTERVAL = 300
# Root directory served by the TFTP server. Netboot images and configs will be
# placed here.
TFTP_ROOT = "/var/lib/tftpboot"
# URL scheme used to generate absolute URLs for this lab controller.
# It is used for job logs served by Apache. Set it to 'https' if you have
# configured Apache for SSL and you want logs to be served over SSL.
#URL_SCHEME = "http"
# Fully qualified domain name of *this* system (not the Beaker server).
# Defaults to socket.gethostname(). Ordinarily that is sufficient, unless you
# have registered this lab controller with Beaker under a CNAME.
URL_DOMAIN = "{{beaker_server_cname}}"

20
roles/beaker/server/files/saml2/beaker.qa.fedoraproject.org/certificate.pem
View file

@ -1,20 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDHzCCAgegAwIBAgIJAIJYzzIqyTO3MA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
BAMMG2JlYWtlci5xYS5mZWRvcmFwcm9qZWN0Lm9yZzAeFw0xNjA0MDcxNTI4MDNa
Fw0yMTA0MDYxNTI4MDNaMCYxJDAiBgNVBAMMG2JlYWtlci5xYS5mZWRvcmFwcm9q
ZWN0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO0EiJo2tuXP
T7TMPRHvsJ2Rt0RmcEIlYUAUsyDyJd14zrxpX6XNh5k11MNR/K3gtylpMsXnryGR
ZxV9QEERVD+eOrHWYgKBW+XxUkWvU3+5g6MJrnBK/4MahEOTCuj5dt06hABMgrip
3i5wm/NCa8tu98IB3mP6ApX35nGG7zNgy+pycolzo00Nss1FW/wygZukAG+DDrGz
QUHKx5dGIq3VTd6X/0jnTDh83gmM2IItYorKr6ZgG+Wzjtjr+eAVJbKaOuL895Wv
1D7vpHpnac2pKxKB5Pd81tSDf++tInBKSSN7rb+0+YkV/aHa5zm2XqMZ8YOu8hX0
67TXZLmzYIkCAwEAAaNQME4wHQYDVR0OBBYEFHwukZpuQ6Y0qoK22fyVSvUzRK9G
MB8GA1UdIwQYMBaAFHwukZpuQ6Y0qoK22fyVSvUzRK9GMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAHzMR0NYdK/B2MzDk2nw056/ijebeVfOpawdFbkV
5srXnlexUwZFroC90I5dkd9nPz3mT9A35DTv43j86UgK60RJhJhkoMRQC+nU2YBM
SmxKl2OzsjNY4w0FW3DJhxfahGAy4whvhJYmQuAGdrvh657GPxfOP1OwUcIT4nco
nFr/QRVWvuYE6RsJoBE60eIka1G5mJxz5IlnBqG13Zx/C71a969E2StXVBOIx0cE
gr8IZUw+rCFiM3Pv1ihTqagzydNtQM1OdUIcYYH1nfnm5sbBTaJ9VXrS+xs2lBOg
Z8kuhm+XT1TOvIwyCRxf1vH6cnSmsOHMXnWfZN1YwI9uCS0=
-----END CERTIFICATE-----

35
roles/beaker/server/files/saml2/beaker.qa.fedoraproject.org/metadata.xml
View file

@ -1,35 +0,0 @@
<?xml version='1.0' encoding='UTF-8'?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" cacheDuration="P7D" entityID="https://beaker.qa.fedoraproject.org/saml2">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDHzCCAgegAwIBAgIJAIJYzzIqyTO3MA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
BAMMG2JlYWtlci5xYS5mZWRvcmFwcm9qZWN0Lm9yZzAeFw0xNjA0MDcxNTI4MDNa
Fw0yMTA0MDYxNTI4MDNaMCYxJDAiBgNVBAMMG2JlYWtlci5xYS5mZWRvcmFwcm9q
ZWN0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO0EiJo2tuXP
T7TMPRHvsJ2Rt0RmcEIlYUAUsyDyJd14zrxpX6XNh5k11MNR/K3gtylpMsXnryGR
ZxV9QEERVD+eOrHWYgKBW+XxUkWvU3+5g6MJrnBK/4MahEOTCuj5dt06hABMgrip
3i5wm/NCa8tu98IB3mP6ApX35nGG7zNgy+pycolzo00Nss1FW/wygZukAG+DDrGz
QUHKx5dGIq3VTd6X/0jnTDh83gmM2IItYorKr6ZgG+Wzjtjr+eAVJbKaOuL895Wv
1D7vpHpnac2pKxKB5Pd81tSDf++tInBKSSN7rb+0+YkV/aHa5zm2XqMZ8YOu8hX0
67TXZLmzYIkCAwEAAaNQME4wHQYDVR0OBBYEFHwukZpuQ6Y0qoK22fyVSvUzRK9G
MB8GA1UdIwQYMBaAFHwukZpuQ6Y0qoK22fyVSvUzRK9GMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAHzMR0NYdK/B2MzDk2nw056/ijebeVfOpawdFbkV
5srXnlexUwZFroC90I5dkd9nPz3mT9A35DTv43j86UgK60RJhJhkoMRQC+nU2YBM
SmxKl2OzsjNY4w0FW3DJhxfahGAy4whvhJYmQuAGdrvh657GPxfOP1OwUcIT4nco
nFr/QRVWvuYE6RsJoBE60eIka1G5mJxz5IlnBqG13Zx/C71a969E2StXVBOIx0cE
gr8IZUw+rCFiM3Pv1ihTqagzydNtQM1OdUIcYYH1nfnm5sbBTaJ9VXrS+xs2lBOg
Z8kuhm+XT1TOvIwyCRxf1vH6cnSmsOHMXnWfZN1YwI9uCS0=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://beaker.qa.fedoraproject.org/saml2/logout"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://beaker.qa.fedoraproject.org/saml2/logout"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://beaker.qa.fedoraproject.org/saml2/postResponse" index="0" isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://beaker.qa.fedoraproject.org/saml2/paosResponse" index="1"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
</md:SPSSODescriptor>
</md:EntityDescriptor>

19
roles/beaker/server/files/saml2/beaker.stg.fedoraproject.org/certificate.pem
View file

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDITCCAgmgAwIBAgIJANePJb/F64UnMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV
BAMMHGJlYWtlci5zdGcuZmVkb3JhcHJvamVjdC5vcmcwHhcNMTUxMDEzMjM0MTEy
WhcNMjAxMDExMjM0MTEyWjAnMSUwIwYDVQQDDBxiZWFrZXIuc3RnLmZlZG9yYXBy
b2plY3Qub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ldJi2fS
MkriCEsesaaMCSHXyPdYufGfdmgKxKhDEjwXLWj/V7fU5P6nmaACXkbbCb+IXTAr
hSt6PxEZBtBqMn6gccuwIC18xJs1bT5dlt2Xfo0BZWQWaFyqMOZeaj7A3TK1JyuH
rKUVOm/HQASUdZEVG/nzvEZPfNZEljylFTHix37JLAPVjyWJeDwVAATriWi0T+FT
J0kgMzzM29ffXIVrK30BylKpIoILhfM4FYUN78GoXFpAnJL/tqNG0LnKSIAYpiz8
qSKMU04R/FyxzCeymCuZmq7yqh+GvT8ZxfdhyRoIpPqpWs568/NUCkQbfWDyt76t
d2OI585vN1iLXQIDAQABo1AwTjAdBgNVHQ4EFgQU099ELHHVooBjYIH5cOfAk2wH
lrowHwYDVR0jBBgwFoAU099ELHHVooBjYIH5cOfAk2wHlrowDAYDVR0TBAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAcHCzouLDuAfaReCo8Tt0gtblf/Ko5bj+LgbD
7KN7JgPZN3gEt+kbD3/zkfCMOgxwPSDACT2eddfTNOvEvjOfYWINsncryyw4P/Yz
eOf5Lmy2MahZ9PCmBZ3PtNrwniHkeZjVQoZ7vnhTvWtj2zY+E5witIX+oT7TGwej
JBbqBzqIJiahlB1/tEHY2vPMKLRi6fvTaKEBiiD+OscdAwYcIGWfpHLpmtMfhcar
ilPZqFHO+yfFpbmqe8FhaFp37j2g3SyZfZUpS7vJgQyc6EWJE84vZ2XuCHXE1wbF
uTmuWwmvjmEUblL+a6LueUIm4qDy7/I/ghGo3o8Ryj6dGBluqw==
-----END CERTIFICATE-----

81
roles/beaker/server/files/saml2/beaker.stg.fedoraproject.org/idp-metadata.xml
View file

@ -1,81 +0,0 @@
<?xml version='1.0' encoding='UTF-8'?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2020-10-11T22:59:38.296283Z" entityID="http://id.stg.fedoraproject.org/saml2/metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
/4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
/4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id.stg.fedoraproject.org/saml2/SSO/POST"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.stg.fedoraproject.org/saml2/SSO/Redirect"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.stg.fedoraproject.org/saml2/SLO/Redirect"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

34
roles/beaker/server/files/saml2/beaker.stg.fedoraproject.org/metadata.xml
View file

@ -1,34 +0,0 @@
<?xml version='1.0' encoding='UTF-8'?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" cacheDuration="P7D" entityID="https://beaker.stg.fedoraproject.org/saml2">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDITCCAgmgAwIBAgIJANePJb/F64UnMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV
BAMMHGJlYWtlci5zdGcuZmVkb3JhcHJvamVjdC5vcmcwHhcNMTUxMDEzMjM0MTEy
WhcNMjAxMDExMjM0MTEyWjAnMSUwIwYDVQQDDBxiZWFrZXIuc3RnLmZlZG9yYXBy
b2plY3Qub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ldJi2fS
MkriCEsesaaMCSHXyPdYufGfdmgKxKhDEjwXLWj/V7fU5P6nmaACXkbbCb+IXTAr
hSt6PxEZBtBqMn6gccuwIC18xJs1bT5dlt2Xfo0BZWQWaFyqMOZeaj7A3TK1JyuH
rKUVOm/HQASUdZEVG/nzvEZPfNZEljylFTHix37JLAPVjyWJeDwVAATriWi0T+FT
J0kgMzzM29ffXIVrK30BylKpIoILhfM4FYUN78GoXFpAnJL/tqNG0LnKSIAYpiz8
qSKMU04R/FyxzCeymCuZmq7yqh+GvT8ZxfdhyRoIpPqpWs568/NUCkQbfWDyt76t
d2OI585vN1iLXQIDAQABo1AwTjAdBgNVHQ4EFgQU099ELHHVooBjYIH5cOfAk2wH
lrowHwYDVR0jBBgwFoAU099ELHHVooBjYIH5cOfAk2wHlrowDAYDVR0TBAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAcHCzouLDuAfaReCo8Tt0gtblf/Ko5bj+LgbD
7KN7JgPZN3gEt+kbD3/zkfCMOgxwPSDACT2eddfTNOvEvjOfYWINsncryyw4P/Yz
eOf5Lmy2MahZ9PCmBZ3PtNrwniHkeZjVQoZ7vnhTvWtj2zY+E5witIX+oT7TGwej
JBbqBzqIJiahlB1/tEHY2vPMKLRi6fvTaKEBiiD+OscdAwYcIGWfpHLpmtMfhcar
ilPZqFHO+yfFpbmqe8FhaFp37j2g3SyZfZUpS7vJgQyc6EWJE84vZ2XuCHXE1wbF
uTmuWwmvjmEUblL+a6LueUIm4qDy7/I/ghGo3o8Ryj6dGBluqw==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://beaker.stg.fedoraproject.org/saml2/logout"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://beaker.stg.fedoraproject.org/saml2/logout"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://beaker.stg.fedoraproject.org/saml2/postResponse" index="0" isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://beaker.stg.fedoraproject.org/saml2/paosResponse" index="1"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
</md:SPSSODescriptor>
</md:EntityDescriptor>

Some files were not shown because too many files have changed in this diff Show more