From dbbf94a41102e5f79be2172ced0914aab60d989f Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Mon, 25 Jan 2021 11:58:04 +0100 Subject: [PATCH] ipa/client: configure global shell access and sudo Almost global anyway, i.e. inside the VPN. The ipa/client-based shell access and sudo rules are only effective for staging right now, the respective playbook bits are masked out for prod. - Assign Ansible host groups to IPA host groups, the latter don't care about 'stg' in the name and use dashes rather than underscores. - Distill shell access groups from fas_client_groups in group and host vars. - Let all `sysadmin-*` groups in the previous list run anything via sudo in the host group (except bastion & batcave). - Remove `fas_client_groups` from staging host and group vars. - Remove sudoers from staging host and group vars if only `sysadmin-*` groups have shell access. - Set up `ipa_client_shell_groups` on bastion to be a super set of the same on batcave. Newly created IPA host groups: - autosign - badges - basset - bastion - batcave - blockerbugs - bodhi - bugzilla2fedmsg - busgateway - datagrepper - dbserver - dns - fedimg - github2fedmsg - ipa - kernel-qa - kerneltest - kojibuilder - kojihub - kojipkgs - logging - mailman - memcached - mirrormanager - nagios - notifs - oci-registry - odcs - openqa - openqa-workers - osbs - packages - pdc-web - pkgs - proxies - rabbitmq - releng-compose - resultsdb - secondary - sign-bridge - sundries - value - wiki 
Signed-off-by: Nils Philippsen --- inventory/group_vars/autosign | 6 ++++ inventory/group_vars/badges | 11 +++++++ inventory/group_vars/badges_backend_stg | 2 -- inventory/group_vars/badges_stg | 11 +++++++ inventory/group_vars/badges_web_stg | 2 -- inventory/group_vars/basset_stg | 2 -- inventory/group_vars/bastion | 17 ++++++++++ inventory/group_vars/bastion_stg | 19 +++++++++-- inventory/group_vars/batcave | 33 +++++++++++++++++++ inventory/group_vars/blockerbugs | 12 +++++++ inventory/group_vars/blockerbugs_stg | 13 ++++++-- inventory/group_vars/bodhi_backend | 9 +++++ inventory/group_vars/bodhi_backend_stg | 11 +++++-- inventory/group_vars/bugzilla2fedmsg | 11 +++++++ inventory/group_vars/bugzilla2fedmsg_stg | 12 +++++-- inventory/group_vars/builders | 7 ++++ inventory/group_vars/builders_stg | 7 ++++ inventory/group_vars/buildvm_aarch64_stg | 2 -- inventory/group_vars/buildvm_armv7_stg | 2 -- inventory/group_vars/buildvm_ppc64le_stg | 2 -- inventory/group_vars/buildvm_s390x_stg | 2 -- inventory/group_vars/buildvm_stg | 2 -- inventory/group_vars/busgateway | 10 ++++++ inventory/group_vars/busgateway_stg | 13 ++++++-- inventory/group_vars/certgetter_stg | 2 -- inventory/group_vars/datagrepper | 12 +++++++ inventory/group_vars/datagrepper_stg | 12 ++++++- inventory/group_vars/dbserver | 11 +++++++ inventory/group_vars/dbserver_stg | 11 +++++++ inventory/group_vars/dns | 7 ++++ inventory/group_vars/fedimg | 6 ++++ inventory/group_vars/fedimg_stg | 7 ++-- inventory/group_vars/github2fedmsg | 9 +++++ inventory/group_vars/github2fedmsg_stg | 9 ++++- inventory/group_vars/ipa | 7 ++++ inventory/group_vars/ipa_stg | 7 +++- inventory/group_vars/kernel_qa | 7 ++++ inventory/group_vars/kerneltest | 8 +++++ inventory/group_vars/koji | 7 ++++ inventory/group_vars/koji_stg | 14 +++++++- inventory/group_vars/kojipkgs | 11 +++++++ inventory/group_vars/logging | 16 +++++++++ inventory/group_vars/mailman | 7 ++++ inventory/group_vars/mailman_stg | 10 +++++- 
inventory/group_vars/memcached | 12 +++++++ inventory/group_vars/memcached_stg | 12 ++++++- inventory/group_vars/mm | 13 +++++++- inventory/group_vars/mm_stg | 14 ++++++-- inventory/group_vars/nagios | 10 ++++++ inventory/group_vars/notifs | 11 +++++++ inventory/group_vars/notifs_backend_stg | 4 --- inventory/group_vars/notifs_stg | 11 +++++++ inventory/group_vars/notifs_web_stg | 4 --- inventory/group_vars/oci_registry | 7 ++++ inventory/group_vars/oci_registry_stg | 9 +++-- inventory/group_vars/odcs | 13 ++++++++ inventory/group_vars/odcs_backend_stg | 2 -- inventory/group_vars/odcs_frontend_stg | 2 -- inventory/group_vars/odcs_stg | 13 ++++++++ inventory/group_vars/openqa_servers_common | 12 +++++++ inventory/group_vars/openqa_workers | 7 ++++ inventory/group_vars/osbs | 14 ++++++++ inventory/group_vars/osbs_aarch64_masters_stg | 3 -- inventory/group_vars/osbs_control_stg | 2 -- inventory/group_vars/osbs_stg | 15 +++++++-- inventory/group_vars/packages | 12 +++++++ inventory/group_vars/packages_stg | 14 ++++++-- inventory/group_vars/pdc_web | 13 ++++++++ inventory/group_vars/pdc_web_stg | 13 +++++++- inventory/group_vars/pkgs | 12 +++++++ inventory/group_vars/pkgs_stg | 16 ++++++--- inventory/group_vars/proxies | 12 +++++++ inventory/group_vars/proxies_stg | 12 ++++++- inventory/group_vars/rabbitmq | 8 +++++ inventory/group_vars/rabbitmq_stg | 8 +++-- inventory/group_vars/releng_compose | 7 ++++ inventory/group_vars/releng_compose_stg | 7 ++++ inventory/group_vars/resultsdb_prod | 8 +++++ inventory/group_vars/resultsdb_stg | 11 +++++++ inventory/group_vars/secondary | 17 ++++++++++ inventory/group_vars/sign_bridge | 6 ++++ inventory/group_vars/sundries | 14 ++++++++ inventory/group_vars/sundries_stg | 15 +++++++-- inventory/group_vars/value | 14 ++++++++ inventory/group_vars/value_stg | 14 +++++++- inventory/group_vars/wiki | 12 +++++++ inventory/group_vars/wiki_stg | 13 +++++++- .../compose-x86-01.stg.iad2.fedoraproject.org | 2 -- 
...db-datanommer01.stg.iad2.fedoraproject.org | 1 - .../db-fas01.stg.iad2.fedoraproject.org | 1 - .../db-koji01.stg.iad2.fedoraproject.org | 1 - .../host_vars/db01.stg.iad2.fedoraproject.org | 1 - .../host_vars/db03.stg.iad2.fedoraproject.org | 1 - .../dbgserver01.stg.phx2.fedoraproject.org | 2 -- .../host_vars/log01.iad2.fedoraproject.org | 2 -- .../resultsdb01.stg.iad2.fedoraproject.org | 2 -- inventory/inventory | 8 +++++ 97 files changed, 773 insertions(+), 94 deletions(-) create mode 100644 inventory/group_vars/badges create mode 100644 inventory/group_vars/badges_stg create mode 100644 inventory/group_vars/dbserver create mode 100644 inventory/group_vars/dbserver_stg create mode 100644 inventory/group_vars/logging create mode 100644 inventory/group_vars/notifs create mode 100644 inventory/group_vars/notifs_stg diff --git a/inventory/group_vars/autosign b/inventory/group_vars/autosign index 2ec804471d..87e4cf7da4 100644 --- a/inventory/group_vars/autosign +++ b/inventory/group_vars/autosign @@ -17,6 +17,12 @@ ansible_ifcfg_allowlist: fas_client_groups: sysadmin-releng host_group: autosign +ipa_host_group: autosign +ipa_host_group_desc: Hosts signing content automatically +ipa_client_shell_groups: +- sysadmin-releng +ipa_client_sudo_groups: +- sysadmin-releng fedmsg_error_recipients: [] diff --git a/inventory/group_vars/badges b/inventory/group_vars/badges new file mode 100644 index 0000000000..7249fcbfae --- /dev/null +++ b/inventory/group_vars/badges @@ -0,0 +1,11 @@ +--- +ipa_host_group: badges +ipa_host_group_desc: Hosts running the Badges application +ipa_client_shell_groups: +- sysadmin-badges +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-badges +- sysadmin-noc +- sysadmin-veteran diff --git a/inventory/group_vars/badges_backend_stg b/inventory/group_vars/badges_backend_stg index f30a1cd7fc..57ab50cfad 100644 --- a/inventory/group_vars/badges_backend_stg +++ b/inventory/group_vars/badges_backend_stg 
@@ -10,8 +10,6 @@ num_cpus: 2 tcp_ports: [ 3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007 ] -fas_client_groups: sysadmin-noc,sysadmin-badges,sysadmin-veteran - # These people get told when something goes wrong. fedmsg_error_recipients: - sysadmin-badges-members@fedoraproject.org diff --git a/inventory/group_vars/badges_stg b/inventory/group_vars/badges_stg new file mode 100644 index 0000000000..7249fcbfae --- /dev/null +++ b/inventory/group_vars/badges_stg @@ -0,0 +1,11 @@ +--- +ipa_host_group: badges +ipa_host_group_desc: Hosts running the Badges application +ipa_client_shell_groups: +- sysadmin-badges +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-badges +- sysadmin-noc +- sysadmin-veteran diff --git a/inventory/group_vars/badges_web_stg b/inventory/group_vars/badges_web_stg index 4e3c70f92f..12039cab3b 100644 --- a/inventory/group_vars/badges_web_stg +++ b/inventory/group_vars/badges_web_stg @@ -17,8 +17,6 @@ tcp_ports: [ 80 ] # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-noc,sysadmin-badges,sysadmin-veteran - # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: - service: shell diff --git a/inventory/group_vars/basset_stg b/inventory/group_vars/basset_stg index 4fb7aee9dd..566a92e32c 100644 --- a/inventory/group_vars/basset_stg +++ b/inventory/group_vars/basset_stg @@ -15,5 +15,3 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.128.106 --dport 80 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.128.107 --dport 80 -j ACCEPT', ] - -fas_client_groups: sysadmin-main diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion index a1c09923ce..61790307e5 100644 --- a/inventory/group_vars/bastion +++ b/inventory/group_vars/bastion 
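Review bot: `badges_stg` is byte-for-byte identical to the new `badges` file (both carry index 7249fcbfae), and the same holds for `dbserver`/`dbserver_stg` (3f84f48a72) and `builders`/`builders_stg` (fb5b3bf163); two copies of one access-control list will drift the first time someone edits only one of them. Since the IPA host group deliberately drops the 'stg' distinction, a marker at the top of each staging copy, e.g. `# keep in sync with group_vars/badges (same IPA host group)`, would at least make the coupling visible to the next editor. It is also worth confirming that `badges` and `badges_stg` exist as parent groups of `badges_backend*`/`badges_web*` in the inventory change, which is not visible here; otherwise the `fas_client_groups` lines removed from those child groups are not replaced by anything.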
@@ -23,6 +23,23 @@ custom_rules: [ fas_client_groups: sysadmin-analysis,sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-gnome,sysadmin-copr,sysadmin-coreos,sysadmin-dbgserver,sysadmin-osbs,sysadmin-odcs,sysadmin-kernel +ipa_host_group: bastion +ipa_host_group_desc: Bastion hosts + +# this assumes the `batcave` group exists with at least one host in it +batcave_ipa_client_shell_groups: "{{ hostvars[groups['batcave'][0]]['ipa_client_shell_groups'] | default([]) }}" +bastion_ipa_client_shell_groups: +- pungi-devel +- sysadmin-analysis +- sysadmin-dba +- sysadmin-dbgserver +- sysadmin-ppc +- sysadmin-secondary +- sysadmin-spin +- sysadmin-troubleshoot + +ipa_client_shell_groups: "{{ (bastion_ipa_client_shell_groups + batcave_ipa_client_shell_groups) | sort | unique }}" + # # This is a postfix gateway. This will pick up gateway postfix config in base # diff --git a/inventory/group_vars/bastion_stg b/inventory/group_vars/bastion_stg index ab4f65e5f1..46cc09e6a9 100644 --- a/inventory/group_vars/bastion_stg +++ b/inventory/group_vars/bastion_stg 
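Review bot: The prod-only expression `batcave_ipa_client_shell_groups: "{{ hostvars[groups['batcave'][0]]['ipa_client_shell_groups'] | default([]) }}"` will, when the `batcave` group is missing or empty, most likely resolve to undefined and be turned into `[]` by `default([])` instead of failing, so every batcave admin silently loses bastion shell access while the play reports success. Failing closed is the right direction, but a silent shrink of an access list is hard to notice; dropping `| default([])`, or adding an `assert` that `groups['batcave'] | length > 0` before the IPA tasks run, would surface the broken assumption the inline comment already warns about. Note also that this expression is never exercised before prod enablement, because `bastion_stg` in the same patch replaces it with a literal `[]`.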
@@ -20,11 +20,24 @@ custom_rules: [ ] # # allow a bunch of sysadmin groups here so they can access internal stuff +# +ipa_host_group: bastion +ipa_host_group_desc: Bastion hosts -fas_client_groups: sysadmin-analysis,sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-gnome,sysadmin-copr,sysadmin-coreos,sysadmin-dbgserver,sysadmin-osbs,sysadmin-odcs +# this only works if the `batcave_stg` group and at least one host in it is defined +# batcave_ipa_client_shell_groups: "{{ hostvars[groups['batcave_stg'][0]]['ipa_client_shell_groups'] | default([]) }}" +batcave_ipa_client_shell_groups: [] +bastion_ipa_client_shell_groups: +- pungi-devel +- sysadmin-analysis +- sysadmin-dba +- sysadmin-dbgserver +- sysadmin-ppc +- sysadmin-secondary +- sysadmin-spin +- sysadmin-troubleshoot -# Disable mail stuff in stg -fas_aliases: false +ipa_client_shell_groups: "{{ (bastion_ipa_client_shell_groups + batcave_ipa_client_shell_groups) | sort | unique }}" # # Sometimes there are lots of postfix processes diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave index 05306866bb..e49dcc2104 100644 --- a/inventory/group_vars/batcave +++ b/inventory/group_vars/batcave 
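Review bot: The removal of `fas_aliases: false` together with its `# Disable mail stuff in stg` comment is not covered by the commit message; if the fas_client role still runs on the staging bastion this re-enables alias handling there. If it is intentional because that role no longer applies in staging, a one-line note such as `# fas_aliases intentionally unset: <reason>` would keep the decision with the file. With `batcave_ipa_client_shell_groups: []` hard-coded, the staging bastion only admits the eight `bastion_ipa_client_shell_groups` entries, so the union logic prod will rely on gets no staging coverage; defining a `batcave_stg` group and re-enabling the commented-out lookup would close that gap.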
@@ -10,6 +10,39 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', ' fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar,sysadmin-gnome,sysadmin-copr,sysadmin-osbs,sysadmin-odcs +ipa_host_group: batcave +ipa_host_group_desc: The Bat Cave +ipa_client_shell_groups: +- fi-apprentice +- sysadmin-ask +- sysadmin-atomic +- sysadmin-badges +- sysadmin-bot +- sysadmin-centos +- sysadmin-cloud +- sysadmin-copr +- sysadmin-coreos +- sysadmin-cvs +- sysadmin-datanommer +- sysadmin-fedimg +- sysadmin-fpdc +- sysadmin-gnome +- sysadmin-hosted +- sysadmin-koschei +- sysadmin-libravatar +- sysadmin-mbs +- sysadmin-messaging +- sysadmin-noc +- sysadmin-odcs +- sysadmin-osbs +- sysadmin-qa +- sysadmin-releasemonitoring +- sysadmin-releng +- sysadmin-tools +- sysadmin-upstreamfirst +- sysadmin-veteran +- sysadmin-web + ansible_base: /srv/web/infra freezes: false nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3" diff --git a/inventory/group_vars/blockerbugs b/inventory/group_vars/blockerbugs index 0c2c972dd5..ce06bb3d1f 100644 --- a/inventory/group_vars/blockerbugs +++ b/inventory/group_vars/blockerbugs 
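Review bot: `sysadmin-main` is present in the old `fas_client_groups` line but absent from the new `ipa_client_shell_groups`, and the same omission recurs in `dns`, `ipa`, `mailman` and in the pure removals for `basset_stg`/`certgetter_stg`, so it looks systematic — presumably that group gets shell access everywhere through a global rule, as the subject line hints, but nothing on the page states it. A comment at this first omission would stop the next reader from taking it for a lock-out, e.g. `# sysadmin-main intentionally omitted: <where its global access is granted>`. Likewise, the deliberate absence of `ipa_client_sudo_groups` on batcave and bastion is explained only in the commit message; `# intentionally no ipa_client_sudo_groups: no blanket sudo on batcave` in the file itself would carry that decision forward.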
@@ -14,6 +14,18 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', ' fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-qa,sysadmin-veteran sudoers: "{{ private }}/files/sudo/qadevel-sudoers" +ipa_host_group: blockerbugs +ipa_host_group_desc: Blocker bug tracking service +ipa_client_shell_groups: +- fi-apprentice +- sysadmin-noc +- sysadmin-qa +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-noc +- sysadmin-qa +- sysadmin-veteran + # This gets overridden by whichever node we want to run special cronjobs. master_blockerbugs_node: False diff --git a/inventory/group_vars/blockerbugs_stg b/inventory/group_vars/blockerbugs_stg index 7f3073ad2b..a25f24e106 100644 --- a/inventory/group_vars/blockerbugs_stg +++ b/inventory/group_vars/blockerbugs_stg @@ -11,8 +11,17 @@ tcp_ports: [ 80, 443, 8888 ] # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-qa,sysadmin-veteran -sudoers: "{{ private }}/files/sudo/qadevel-sudoers" +ipa_host_group: blockerbugs +ipa_host_group_desc: Blocker bug tracking service +ipa_client_shell_groups: +- fi-apprentice +- sysadmin-noc +- sysadmin-qa +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-noc +- sysadmin-qa +- sysadmin-veteran # This gets overridden by whichever node we want to run special cronjobs. master_blockerbugs_node: False diff --git a/inventory/group_vars/bodhi_backend b/inventory/group_vars/bodhi_backend index 58831851b2..ed6e2cd685 100644 --- a/inventory/group_vars/bodhi_backend +++ b/inventory/group_vars/bodhi_backend 
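Review bot: Replacing `sudoers: "{{ private }}/files/sudo/qadevel-sudoers"` with `ipa_client_sudo_groups` for `sysadmin-noc`, `sysadmin-qa` and `sysadmin-veteran` widens privilege if the old sudoers file was scoped to particular commands, since the commit message says the IPA sudo groups may run anything; the file content is not visible here, so this deserves a per-group check rather than a blanket assumption. The same swap happens in `bodhi_backend_stg`, `bugzilla2fedmsg_stg`, the `buildvm_*_stg` groups, `busgateway_stg` and `mm_stg`. Keeping `fi-apprentice` in the shell list but out of the sudo list matches the stated policy; a short `# fi-apprentice: shell only, no sudo` next to the list would document that asymmetry where it occurs. On the prod `blockerbugs` file the old `sudoers` line and the new IPA sudo groups now coexist, so once prod is unmasked the file-based rule becomes redundant and should be removed then.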
@@ -38,5 +38,14 @@ nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3" fas_client_groups: sysadmin-releng,sysadmin-bodhi sudoers: "{{ private }}/files/sudo/00releng-sudoers" +ipa_host_group: bodhi +ipa_host_group_desc: Bodhi update service +ipa_client_shell_groups: +- sysadmin-bodhi +- sysadmin-releng +ipa_client_sudo_groups: +- sysadmin-bodhi +- sysadmin-releng + ## XXX - note that the csi_ stuff is kept at the host_vars/ level. diff --git a/inventory/group_vars/bodhi_backend_stg b/inventory/group_vars/bodhi_backend_stg index c7ae22661f..03e01fb9ff 100644 --- a/inventory/group_vars/bodhi_backend_stg +++ b/inventory/group_vars/bodhi_backend_stg @@ -26,9 +26,14 @@ bodhi_message_queue_name: "bodhi{{ env_suffix }}_composer" bodhi_message_routing_keys: - "org.fedoraproject.*.bodhi.composer.start" -fas_client_groups: sysadmin-releng,sysadmin-bodhi -sudoers: "{{ private }}/files/sudo/00releng-sudoers-bodhi-stg" - +ipa_host_group: bodhi +ipa_host_group_desc: Bodhi update service +ipa_client_shell_groups: +- sysadmin-bodhi +- sysadmin-releng +ipa_client_sudo_groups: +- sysadmin-bodhi +- sysadmin-releng # For the MOTD csi_security_category: Moderate diff --git a/inventory/group_vars/bugzilla2fedmsg b/inventory/group_vars/bugzilla2fedmsg index 820fce2a7b..e2d0c3a130 100644 --- a/inventory/group_vars/bugzilla2fedmsg +++ b/inventory/group_vars/bugzilla2fedmsg @@ -12,6 +12,17 @@ tcp_ports: [ 3000, 3001, 3002, 3003 ] fas_client_groups: sysadmin-noc,sysadmin-datanommer,sysadmin-veteran sudoers: "{{ private }}/files/sudo/bugzilla2fedmsg-sudoers" +ipa_host_group: bugzilla2fedmsg +ipa_host_group_desc: Service to bridge Bugzilla events into fedmsg +ipa_client_shell_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran + # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: - service: shell 
diff --git a/inventory/group_vars/bugzilla2fedmsg_stg b/inventory/group_vars/bugzilla2fedmsg_stg index 6e86ff179b..9476c14e80 100644 --- a/inventory/group_vars/bugzilla2fedmsg_stg +++ b/inventory/group_vars/bugzilla2fedmsg_stg @@ -9,8 +9,16 @@ num_cpus: 1 tcp_ports: [ 3000, 3001 ] -fas_client_groups: sysadmin-noc,sysadmin-datanommer,sysadmin-veteran -sudoers: "{{ private }}/files/sudo/bugzilla2fedmsg-sudoers" +ipa_host_group: bugzilla2fedmsg +ipa_host_group_desc: Service to bridge Bugzilla events into fedmsg +ipa_client_shell_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: diff --git a/inventory/group_vars/builders b/inventory/group_vars/builders index f286a2fb97..fb5b3bf163 100644 --- a/inventory/group_vars/builders +++ b/inventory/group_vars/builders @@ -6,3 +6,10 @@ nagios_Check_Services: nrpe: false swap: false mail: false + +ipa_host_group: kojibuilder +ipa_host_group_desc: Koji Build hosts +ipa_client_shell_groups: +- sysadmin-releng +ipa_client_sudo_groups: +- sysadmin-releng diff --git a/inventory/group_vars/builders_stg b/inventory/group_vars/builders_stg index f286a2fb97..fb5b3bf163 100644 --- a/inventory/group_vars/builders_stg +++ b/inventory/group_vars/builders_stg @@ -6,3 +6,10 @@ nagios_Check_Services: nrpe: false swap: false mail: false + +ipa_host_group: kojibuilder +ipa_host_group_desc: Koji Build hosts +ipa_client_shell_groups: +- sysadmin-releng +ipa_client_sudo_groups: +- sysadmin-releng diff --git a/inventory/group_vars/buildvm_aarch64_stg b/inventory/group_vars/buildvm_aarch64_stg index 609d567a73..301297296c 100644 --- a/inventory/group_vars/buildvm_aarch64_stg +++ b/inventory/group_vars/buildvm_aarch64_stg 
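Review bot: `builders_stg` grants shell and sudo only to `sysadmin-releng`, while `buildvm_stg` in the same patch removes `fas_client_groups: sysadmin-releng,sysadmin-osbs` and `sudoers: "{{ private }}/files/sudo/buildvm-stg-sudoers"` without defining any `ipa_client_*` of its own; if `buildvm_stg` hosts inherit from `builders_stg` (the `host_group: kojibuilder` lines suggest so, but the inventory change is not visible here), `sysadmin-osbs` loses access to the staging build VMs. If that narrowing is intended, a comment in `buildvm_stg` saying so would help; if not, `buildvm_stg` needs its own `ipa_client_shell_groups`/`ipa_client_sudo_groups` that include `sysadmin-osbs`. The identical `builders` prod file relies on the same inheritance for the prod `buildvm*` groups, none of which appear in the diffstat.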
@@ -15,8 +15,6 @@ dns: 10.3.163.33 # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file host_group: kojibuilder -fas_client_groups: sysadmin-releng -sudoers: "{{ private }}/files/sudo/00releng-sudoers" datacenter: staging nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3" diff --git a/inventory/group_vars/buildvm_armv7_stg b/inventory/group_vars/buildvm_armv7_stg index 14a94973cb..d460746e83 100644 --- a/inventory/group_vars/buildvm_armv7_stg +++ b/inventory/group_vars/buildvm_armv7_stg @@ -15,8 +15,6 @@ dns: 10.3.163.33 # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file host_group: kojibuilder -fas_client_groups: sysadmin-releng -sudoers: "{{ private }}/files/sudo/00releng-sudoers" datacenter: staging nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3" diff --git a/inventory/group_vars/buildvm_ppc64le_stg b/inventory/group_vars/buildvm_ppc64le_stg index 6c6f2c6d87..355bfa0119 100644 --- a/inventory/group_vars/buildvm_ppc64le_stg +++ b/inventory/group_vars/buildvm_ppc64le_stg @@ -14,8 +14,6 @@ dns: 10.3.163.33 # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file host_group: kojibuilder -fas_client_groups: sysadmin-releng -sudoers: "{{ private }}/files/sudo/00releng-sudoers" datacenter: staging nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3" diff --git a/inventory/group_vars/buildvm_s390x_stg b/inventory/group_vars/buildvm_s390x_stg index a7acb13005..d32fae34c1 100644 --- a/inventory/group_vars/buildvm_s390x_stg +++ b/inventory/group_vars/buildvm_s390x_stg 
@@ -2,8 +2,6 @@ ansible_ifcfg_blocklist: True createrepo: False host_group: kojibuilder -fas_client_groups: sysadmin-releng -sudoers: "{{ private }}/files/sudo/00releng-sudoers" ks_url: http://10.3.163.35/repo/rhel/ks/buildvm-fedora-32-s390x ks_repo: http://10.3.163.35/pub/fedora-secondary/releases/32/Server/s390x/os/ virt_install_command: "{{ virt_install_command_s390x_one_nic_unsafe }}" diff --git a/inventory/group_vars/buildvm_stg b/inventory/group_vars/buildvm_stg index 697eb69b4f..6bba7e8feb 100644 --- a/inventory/group_vars/buildvm_stg +++ b/inventory/group_vars/buildvm_stg @@ -17,8 +17,6 @@ ipa_server: ipa01.stg.iad2.fedoraproject.org # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file host_group: kojibuilder -fas_client_groups: sysadmin-releng,sysadmin-osbs -sudoers: "{{ private }}/files/sudo/buildvm-stg-sudoers" datacenter: staging nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4" diff --git a/inventory/group_vars/busgateway b/inventory/group_vars/busgateway index c327b488b1..a5c0273f01 100644 --- a/inventory/group_vars/busgateway +++ b/inventory/group_vars/busgateway @@ -16,6 +16,16 @@ tcp_ports: [ ] fas_client_groups: sysadmin-noc,sysadmin-datanommer,sysadmin-veteran +ipa_host_group: busgateway +ipa_host_group_desc: Bridge between fedmsg and fedora-messaging +ipa_client_shell_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: diff --git a/inventory/group_vars/busgateway_stg b/inventory/group_vars/busgateway_stg index 5dc7cabc89..53a93b0bff 100644 --- a/inventory/group_vars/busgateway_stg +++ b/inventory/group_vars/busgateway_stg 
@@ -14,9 +14,16 @@ tcp_ports: [ 9919, # The websocket server publishes here. Proxies need to connect. ] -fas_client_groups: sysadmin-noc,sysadmin-datanommer,sysadmin-veteran - -sudoers: "{{ private }}/files/sudo/busgateway-stg-sudoers" +ipa_host_group: busgateway +ipa_host_group_desc: Bridge between fedmsg and fedora-messaging +ipa_client_shell_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: diff --git a/inventory/group_vars/certgetter_stg b/inventory/group_vars/certgetter_stg index 5969ffe27d..7483905e8b 100644 --- a/inventory/group_vars/certgetter_stg +++ b/inventory/group_vars/certgetter_stg @@ -11,5 +11,3 @@ tcp_ports: [ 80, 443 ] # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] - -fas_client_groups: sysadmin-main diff --git a/inventory/group_vars/datagrepper b/inventory/group_vars/datagrepper index f2908864c1..9fcc80a767 100644 --- a/inventory/group_vars/datagrepper +++ b/inventory/group_vars/datagrepper @@ -16,6 +16,18 @@ custom_rules: [ fas_client_groups: sysadmin-noc,sysadmin-datanommer,fi-apprentice,sysadmin-veteran +ipa_host_group: datagrepper +ipa_host_group_desc: Service to grep through historical message bus data +ipa_client_shell_groups: +- fi-apprentice +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran + freezes: false deployment_type: prod diff --git a/inventory/group_vars/datagrepper_stg b/inventory/group_vars/datagrepper_stg index 4650831c99..8672244d4a 100644 --- a/inventory/group_vars/datagrepper_stg +++ b/inventory/group_vars/datagrepper_stg 
@@ -11,6 +11,16 @@ tcp_ports: [ 80, 443, 6996 ] # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-noc,sysadmin-datanommer,fi-apprentice,sysadmin-veteran +ipa_host_group: datagrepper +ipa_host_group_desc: Service to grep through historical message bus data +ipa_client_shell_groups: +- fi-apprentice +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-datanommer +- sysadmin-noc +- sysadmin-veteran freezes: false diff --git a/inventory/group_vars/dbserver b/inventory/group_vars/dbserver new file mode 100644 index 0000000000..3f84f48a72 --- /dev/null +++ b/inventory/group_vars/dbserver @@ -0,0 +1,11 @@ +--- +ipa_host_group: dbserver +ipa_host_group_desc: Database server hosts +ipa_client_shell_groups: +- sysadmin-dba +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-dba +- sysadmin-noc +- sysadmin-veteran diff --git a/inventory/group_vars/dbserver_stg b/inventory/group_vars/dbserver_stg new file mode 100644 index 0000000000..3f84f48a72 --- /dev/null +++ b/inventory/group_vars/dbserver_stg @@ -0,0 +1,11 @@ +--- +ipa_host_group: dbserver +ipa_host_group_desc: Database server hosts +ipa_client_shell_groups: +- sysadmin-dba +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-dba +- sysadmin-noc +- sysadmin-veteran diff --git a/inventory/group_vars/dns b/inventory/group_vars/dns index efefd01fa1..fb0db2a8a6 100644 --- a/inventory/group_vars/dns +++ b/inventory/group_vars/dns @@ -12,6 +12,13 @@ tcp_ports: [ 53 ] fas_client_groups: sysadmin-main,sysadmin-dns +ipa_host_group: dns +ipa_host_group_desc: DNS servers +ipa_client_shell_groups: +- sysadmin-dns +ipa_client_sudo_groups: +- sysadmin-dns + nrpe_procs_warn: 300 nrpe_procs_crit: 500 
diff --git a/inventory/group_vars/fedimg b/inventory/group_vars/fedimg index d24ed3cf8b..5d8ee330a5 100644 --- a/inventory/group_vars/fedimg +++ b/inventory/group_vars/fedimg @@ -17,6 +17,12 @@ tcp_ports: [ # TODO, restrict this down to just sysadmin-releng fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg +ipa_host_group: fedimg +ipa_client_shell_groups: +- sysadmin-releng +ipa_client_sudo_groups: +- sysadmin-releng + # These people get told when something goes wrong. fedmsg_error_recipients: - sysadmin-fedimg-members@fedoraproject.org diff --git a/inventory/group_vars/fedimg_stg b/inventory/group_vars/fedimg_stg index 7579840fb1..90aaadaaa3 100644 --- a/inventory/group_vars/fedimg_stg +++ b/inventory/group_vars/fedimg_stg @@ -15,8 +15,11 @@ tcp_ports: [ 3007, 3008, 3009, 3010, 3011, 3012, 3013, ] -# TODO, restrict this down to just sysadmin-releng -fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-atomic +ipa_host_group: fedimg +ipa_client_shell_groups: +- sysadmin-releng +ipa_client_sudo_groups: +- sysadmin-releng fedmsg_debug_loopback: True diff --git a/inventory/group_vars/github2fedmsg b/inventory/group_vars/github2fedmsg index 67bceeac80..f96ccf7b95 100644 --- a/inventory/group_vars/github2fedmsg +++ b/inventory/group_vars/github2fedmsg @@ -19,6 +19,15 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', ' fas_client_groups: sysadmin-noc,sysadmin-veteran +ipa_host_group: github2fedmsg +ipa_host_group_desc: Bridge select GitHub repo events into bus messages +ipa_client_shell_groups: +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-noc +- sysadmin-veteran + # for fedora-messaging username: "github2fedmsg{{ env_suffix }}" deployment_type: prod diff --git a/inventory/group_vars/github2fedmsg_stg b/inventory/group_vars/github2fedmsg_stg index f6815660c2..29d068bd6f 100644 --- a/inventory/group_vars/github2fedmsg_stg 
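Review bot: `ipa_host_group: fedimg` is added without the `ipa_host_group_desc` that every other new host group in this patch carries; `fedimg_stg`, `kernel_qa` and `kerneltest` have the same gap. If the ipa/client role passes that variable when creating the host group, the omission is either an undefined-variable failure or a description-less group depending on how the role handles it, so adding `ipa_host_group_desc: <one-line description>` to the four files keeps them consistent with the rest. The retained `# TODO, restrict this down to just sysadmin-releng` above `fas_client_groups` is already satisfied on the IPA side, whose list names only `sysadmin-releng`; a note that the TODO applies to the FAS line only would stop the two from reading as contradictory.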
+++ b/inventory/group_vars/github2fedmsg_stg @@ -17,7 +17,14 @@ tcp_ports: [ 80 ] # Neeed for rsync from log01 for logs. custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-noc,sysadmin-veteran +ipa_host_group: github2fedmsg +ipa_host_group_desc: Bridge select GitHub repo events into bus messages +ipa_client_shell_groups: +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-noc +- sysadmin-veteran # for fedora-messaging username: "github2fedmsg{{ env_suffix }}" diff --git a/inventory/group_vars/ipa b/inventory/group_vars/ipa index b97484dd21..628a5c9242 100644 --- a/inventory/group_vars/ipa +++ b/inventory/group_vars/ipa @@ -12,6 +12,13 @@ custom_rules: [ fas_client_groups: sysadmin-main,sysadmin-accounts +ipa_host_group: ipa +ipa_host_group_desc: IPA service +ipa_client_shell_groups: +- sysadmin-accounts +ipa_client_sudo_groups: +- sysadmin-accounts + nrpe_procs_warn: 300 nrpe_procs_crit: 500 diff --git a/inventory/group_vars/ipa_stg b/inventory/group_vars/ipa_stg index 2a60b44bad..8a76c506a6 100644 --- a/inventory/group_vars/ipa_stg +++ b/inventory/group_vars/ipa_stg @@ -6,7 +6,12 @@ num_cpus: 2 tcp_ports: [ 80, 88, 389, 443, 464, 636 ] -fas_client_groups: sysadmin-main,sysadmin-accounts +ipa_host_group: ipa +ipa_host_group_desc: IPA service +ipa_client_shell_groups: +- sysadmin-accounts +ipa_client_sudo_groups: +- sysadmin-accounts nrpe_procs_warn: 300 nrpe_procs_crit: 500 diff --git a/inventory/group_vars/kernel_qa b/inventory/group_vars/kernel_qa index 658df364c3..17c39ccbc7 100644 --- a/inventory/group_vars/kernel_qa +++ b/inventory/group_vars/kernel_qa 
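Review bot: Granting `ipa_client_sudo_groups: - sysadmin-accounts` on the `ipa` and `ipa_stg` servers means root access to the identity service is itself a rule served by that service; when IPA is degraded — the situation in which `sysadmin-accounts` most needs sudo there — an IPA-sourced sudo rule may not be resolvable, depending on client-side caching. A locally provisioned sudoers entry or another break-glass path for these hosts is worth confirming, and a comment in both files such as `# sudo on IPA servers also needs a local fallback: <where it is defined>` would record where it lives. Dropping `sysadmin-main` here follows the pattern seen elsewhere in the patch and is presumably covered by a global rule.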
@@ -3,4 +3,11 @@ freezes: false resolvconf: "{{ files }}/resolv.conf/iad2" fas_client_groups: sysadmin-kernel sudoers: "{{ private }}/files/sudo/kernel-qa" + +ipa_host_group: kernel-qa +ipa_client_shell_groups: +- sysadmin-kernel +ipa_client_sudo_groups: +- sysadmin-kernel + custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.122.0/24 --dport 2049 -j ACCEPT' ] diff --git a/inventory/group_vars/kerneltest b/inventory/group_vars/kerneltest index 3865e3dd81..cd3676f227 100644 --- a/inventory/group_vars/kerneltest +++ b/inventory/group_vars/kerneltest @@ -19,6 +19,14 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', ' fas_client_groups: sysadmin-noc,sysadmin-veteran +ipa_host_group: kerneltest +ipa_client_shell_groups: +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-noc +- sysadmin-veteran + # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: - service: shell diff --git a/inventory/group_vars/koji b/inventory/group_vars/koji index ec3d910b0b..68b4ec1ece 100644 --- a/inventory/group_vars/koji +++ b/inventory/group_vars/koji @@ -21,6 +21,13 @@ custom_rules: [ fas_client_groups: sysadmin-releng sudoers: "{{ private }}/files/sudo/00releng-sudoers" +ipa_host_group: kojihub +ipa_host_group_desc: Koji Hub hosts +ipa_client_shell_groups: +- sysadmin-releng +ipa_client_sudo_groups: +- sysadmin-releng + # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: - service: shell diff --git a/inventory/group_vars/koji_stg b/inventory/group_vars/koji_stg index 4b5f9a9714..2978e43bb8 100644 --- a/inventory/group_vars/koji_stg +++ b/inventory/group_vars/koji_stg 
@@ -12,7 +12,19 @@ tcp_ports: [ 80, 443, 111, 2049, udp_ports: [ 111, 2049 ] -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs +ipa_host_group: kojihub +ipa_host_group_desc: Koji Hub hosts +ipa_client_shell_groups: +- fi-apprentice +- sysadmin-noc +- sysadmin-osbs +- sysadmin-releng +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-noc +- sysadmin-osbs +- sysadmin-releng +- sysadmin-veteran # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: diff --git a/inventory/group_vars/kojipkgs b/inventory/group_vars/kojipkgs index 00959c3c13..29c5caed02 100644 --- a/inventory/group_vars/kojipkgs +++ b/inventory/group_vars/kojipkgs @@ -15,6 +15,17 @@ tcp_ports: [80, 8080] fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran +ipa_host_group: kojipkgs +ipa_host_group_desc: Koji Packages hosts +ipa_client_shell_groups: +- sysadmin-noc +- sysadmin-releng +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-noc +- sysadmin-releng +- sysadmin-veteran + varnish_group: kojipkgs # For the MOTD diff --git a/inventory/group_vars/logging b/inventory/group_vars/logging new file mode 100644 index 0000000000..9a487a880f --- /dev/null +++ b/inventory/group_vars/logging @@ -0,0 +1,16 @@ +--- +ipa_host_group: logging +ipa_host_group_desc: Logging hosts +ipa_client_shell_groups: +- fi-apprentice +- sysadmin-analysis +- sysadmin-atomic +- sysadmin-logs +- sysadmin-noc +- sysadmin-veteran +ipa_client_sudo_groups: +- sysadmin-analysis +- sysadmin-atomic +- sysadmin-logs +- sysadmin-noc +- sysadmin-veteran diff --git a/inventory/group_vars/mailman b/inventory/group_vars/mailman index e0f9cf5f3f..3aff498de4 100644 --- a/inventory/group_vars/mailman +++ b/inventory/group_vars/mailman 
@@ -15,6 +15,13 @@ tcp_ports: [
 fas_client_groups: sysadmin-tools,sysadmin-main
+ipa_host_group: mailman
+ipa_host_group_desc: Mailing list services
+ipa_client_shell_groups:
+- sysadmin-tools
+ipa_client_sudo_groups:
+- sysadmin-tools
+
 deployment_type: prod
 # These are consumed by a task in roles/fedmsg/base/main.yml
diff --git a/inventory/group_vars/mailman_stg b/inventory/group_vars/mailman_stg
index 9a269d5d45..23bff4a23e 100644
--- a/inventory/group_vars/mailman_stg
+++ b/inventory/group_vars/mailman_stg
@@ -11,7 +11,15 @@ tcp_ports: [
 # For outbound fedmsg
 3000, 3001, 3002, 3003,
 ]
-fas_client_groups: sysadmin-tools,sysadmin-main
+
+ipa_host_group: mailman
+ipa_host_group_desc: Mailing list services
+ipa_client_shell_groups:
+- sysadmin-tools
+ipa_client_sudo_groups:
+- sysadmin-tools
+
+deployment_type: prod
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/memcached b/inventory/group_vars/memcached
index be8442ab50..984fe28abb 100644
--- a/inventory/group_vars/memcached
+++ b/inventory/group_vars/memcached
@@ -10,3 +10,15 @@ num_cpus: 2
 tcp_ports: [ 11211 ]
 fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
+
+ipa_host_group: memcached
+ipa_host_group_desc: Distributed Memory Caching service
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
diff --git a/inventory/group_vars/memcached_stg b/inventory/group_vars/memcached_stg
index 7874afb098..98edc5f4f6 100644
--- a/inventory/group_vars/memcached_stg
+++ b/inventory/group_vars/memcached_stg
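Review bot: `+deployment_type: prod` is added to group_vars/mailman_stg, whereas the other staging files touched in this series carry `deployment_type: stg` (mm_stg, pdc_web_stg, wiki_stg); it looks copied from the mailman prod hunk directly above. Unless the staging mailman hosts are deliberately treated as prod, this should read `deployment_type: stg`, or be dropped if the group already inherits the value. Whatever consumes `deployment_type` (not shown in this hunk) would otherwise apply prod settings to a staging host.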
@@ -9,4 +9,14 @@ num_cpus: 1
 tcp_ports: [ 11211 ]
-fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
+ipa_host_group: memcached
+ipa_host_group_desc: Distributed Memory Caching service
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
diff --git a/inventory/group_vars/mm b/inventory/group_vars/mm
index feefdf838c..93217d0e0b 100644
--- a/inventory/group_vars/mm
+++ b/inventory/group_vars/mm
@@ -1,7 +1,18 @@
 ---
-# Define resources for this group of hosts here.
+# Define resources for this group of hosts here.
 fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran
 sudoers: "{{ private }}/files/sudo/mm2-sudoers"
+ipa_host_group: mirrormanager
+ipa_host_group_desc: Mirror Manager
+ipa_client_shell_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+
 mm2_checkin: false
 deployment_type: prod
diff --git a/inventory/group_vars/mm_stg b/inventory/group_vars/mm_stg
index 292c996a17..30e342f8c8 100644
--- a/inventory/group_vars/mm_stg
+++ b/inventory/group_vars/mm_stg
@@ -1,7 +1,15 @@
 ---
-# Define resources for this group of hosts here.
-fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran
-sudoers: "{{ private }}/files/sudo/mm2-sudoers"
+# Define resources for this group of hosts here.
+ipa_host_group: mirrormanager
+ipa_host_group_desc: Mirror Manager
+ipa_client_shell_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
 mm2_checkin: false
 deployment_type: stg
diff --git a/inventory/group_vars/nagios b/inventory/group_vars/nagios
index b1f71b2149..63b6980a59 100644
--- a/inventory/group_vars/nagios
+++ b/inventory/group_vars/nagios
@@ -25,6 +25,16 @@ fedmsg_certs:
 - nagios.service.state.change
 fas_client_groups: sysadmin-noc,sysadmin-veteran
+
+ipa_host_group: nagios
+ipa_host_group_desc: Nagios Monitoring
+ipa_client_shell_groups:
+- sysadmin-noc
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+
 csi_security_category: High
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Monitoring system
diff --git a/inventory/group_vars/notifs b/inventory/group_vars/notifs
new file mode 100644
index 0000000000..e24391fe8d
--- /dev/null
+++ b/inventory/group_vars/notifs
@@ -0,0 +1,11 @@
+---
+ipa_host_group: notifs
+ipa_host_group_desc: Fedora Notifications
+ipa_client_shell_groups:
+- sysadmin-datanommer
+- sysadmin-noc
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-datanommer
+- sysadmin-noc
+- sysadmin-veteran
diff --git a/inventory/group_vars/notifs_backend_stg b/inventory/group_vars/notifs_backend_stg
index 12229e3895..1d9b14d30f 100644
--- a/inventory/group_vars/notifs_backend_stg
+++ b/inventory/group_vars/notifs_backend_stg
@@ -10,10 +10,6 @@ num_cpus: 4
 tcp_ports: [ 3000, 3001, 3002, 3003, 3004 ]
-fas_client_groups: sysadmin-noc,sysadmin-datanommer,sysadmin-veteran
-
-sudoers: "{{ private }}/files/sudo/notifs-sudoers"
-
 deployment_type: stg
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/notifs_stg b/inventory/group_vars/notifs_stg
new file mode 100644
index 0000000000..e24391fe8d
--- /dev/null
+++ b/inventory/group_vars/notifs_stg
@@ -0,0 +1,11 @@
+---
+ipa_host_group: notifs
+ipa_host_group_desc: Fedora Notifications
+ipa_client_shell_groups:
+- sysadmin-datanommer
+- sysadmin-noc
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-datanommer
+- sysadmin-noc
+- sysadmin-veteran
diff --git a/inventory/group_vars/notifs_web_stg b/inventory/group_vars/notifs_web_stg
index 655976966d..10c01321a2 100644
--- a/inventory/group_vars/notifs_web_stg
+++ b/inventory/group_vars/notifs_web_stg
@@ -13,10 +13,6 @@ wsgi_threads: 2
 tcp_ports: [ 80 ]
-fas_client_groups: sysadmin-noc,sysadmin-datanommer,sysadmin-veteran
-
-sudoers: "{{ private }}/files/sudo/notifs-sudoers"
-
 deployment_type: stg
 # These are consumed by a task in roles/fedmsg/base/main.yml
diff --git a/inventory/group_vars/oci_registry b/inventory/group_vars/oci_registry
index 0c04b36db3..cece6f43cf 100644
--- a/inventory/group_vars/oci_registry
+++ b/inventory/group_vars/oci_registry
@@ -4,6 +4,13 @@ fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+ipa_host_group: oci-registry
+ipa_host_group_desc: OCI Registry service
+ipa_client_shell_groups:
+- sysadmin-releng
+ipa_client_sudo_groups:
+- sysadmin-releng
+
 tcp_ports: [ 5000 ]
 nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3"
diff --git a/inventory/group_vars/oci_registry_stg b/inventory/group_vars/oci_registry_stg
index 3e906fdf0c..196fe9c2ff 100644
--- a/inventory/group_vars/oci_registry_stg
+++ b/inventory/group_vars/oci_registry_stg
@@ -1,7 +1,10 @@
 ---
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-veteran
-
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+ipa_host_group: oci-registry
+ipa_host_group_desc: OCI Registry service
+ipa_client_shell_groups:
+- sysadmin-releng
+ipa_client_sudo_groups:
+- sysadmin-releng
 tcp_ports: [ 5000 ]
diff --git a/inventory/group_vars/odcs b/inventory/group_vars/odcs
index f027d7ab82..f50edde919 100644
--- a/inventory/group_vars/odcs
+++ b/inventory/group_vars/odcs
@@ -1,3 +1,16 @@
+ipa_host_group: odcs
+ipa_host_group_desc: On Demand Compose Service
+ipa_client_shell_groups:
+- sysadmin-noc
+- sysadmin-odcs
+- sysadmin-releng
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-odcs
+- sysadmin-releng
+- sysadmin-veteran
+
 # Configs executed on releng backends must have "releng_" prefix.
 odcs_raw_config_urls:
 releng_fmc:
diff --git a/inventory/group_vars/odcs_backend_stg b/inventory/group_vars/odcs_backend_stg
index 68c3703b22..db071b3b00 100644
--- a/inventory/group_vars/odcs_backend_stg
+++ b/inventory/group_vars/odcs_backend_stg
@@ -31,8 +31,6 @@ nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
-fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran
-
 fedmsg_hub_auto_restart: False
 odcs_allowed_source_types: ["tag", "module"]
diff --git a/inventory/group_vars/odcs_frontend_stg b/inventory/group_vars/odcs_frontend_stg
index 33f421c429..8955f9f78b 100644
--- a/inventory/group_vars/odcs_frontend_stg
+++ b/inventory/group_vars/odcs_frontend_stg
@@ -22,8 +22,6 @@ udp_ports: [ 111 ]
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
-fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran
-
 odcs_allowed_source_types: ["tag", "module"]
 odcs_target_dir_url: https://odcs.stg.fedoraproject.org/composes
diff --git a/inventory/group_vars/odcs_stg b/inventory/group_vars/odcs_stg
index a25c415825..e8b9d2dd15 100644
--- a/inventory/group_vars/odcs_stg
+++ b/inventory/group_vars/odcs_stg
@@ -1,3 +1,16 @@
+ipa_host_group: odcs
+ipa_host_group_desc: On Demand Compose Service
+ipa_client_shell_groups:
+- sysadmin-noc
+- sysadmin-odcs
+- sysadmin-releng
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-odcs
+- sysadmin-releng
+- sysadmin-veteran
+
 # Configs executed on releng backends must have "releng_" prefix.
 odcs_raw_config_urls:
 releng_fmc:
diff --git a/inventory/group_vars/openqa_servers_common b/inventory/group_vars/openqa_servers_common
index 8507fb2d5d..eba4223c36 100644
--- a/inventory/group_vars/openqa_servers_common
+++ b/inventory/group_vars/openqa_servers_common
@@ -57,3 +57,15 @@ openqa_amqp_smtp: bastion
 # http and NFS
 tcp_ports: [80, 2049]
+
+ipa_host_group: openqa-servers
+ipa_host_group_desc: OpenQA servers
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-qa
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-qa
+- sysadmin-veteran
diff --git a/inventory/group_vars/openqa_workers b/inventory/group_vars/openqa_workers
index aaa8bf23e9..82fba757ad 100644
--- a/inventory/group_vars/openqa_workers
+++ b/inventory/group_vars/openqa_workers
@@ -20,3 +20,10 @@ openqa_nfs_worker: true
 deployment_type: prod
 freezes: false
+
+ipa_host_group: openqa-workers
+ipa_host_group_desc: OpenQA worker hosts
+ipa_client_shell_groups:
+- sysadmin-qa
+ipa_client_sudo_groups:
+- sysadmin-qa
diff --git a/inventory/group_vars/osbs b/inventory/group_vars/osbs
index 09f05c378e..8ca4aafa14 100644
--- a/inventory/group_vars/osbs
+++ b/inventory/group_vars/osbs
@@ -9,6 +9,20 @@ tcp_ports: [ 80, 443, 8443]
 fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
 sudoers: "{{ private }}/files/sudo/osbs-sudoers"
+ipa_host_group: osbs
+ipa_host_group_desc: OpenShift Build Service
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-osbs
+- sysadmin-releng
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-osbs
+- sysadmin-releng
+- sysadmin-veteran
+
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org"
 docker_registry: "candidate-registry.fedoraproject.org"
 source_registry: "registry.fedoraproject.org"
diff --git a/inventory/group_vars/osbs_aarch64_masters_stg b/inventory/group_vars/osbs_aarch64_masters_stg
index aac8c57f0e..86dfc000b8 100644
--- a/inventory/group_vars/osbs_aarch64_masters_stg
+++ b/inventory/group_vars/osbs_aarch64_masters_stg
@@ -12,9 +12,6 @@ tcp_ports: [ 80, 443, 8443]
 openshift_node_labels: {'region':'infra'}
 openshift_schedulable: False
-fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
-
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
 source_registry: "registry.stg.fedoraproject.org"
 docker_registry: "candidate-registry.stg.fedoraproject.org"
diff --git a/inventory/group_vars/osbs_control_stg b/inventory/group_vars/osbs_control_stg
index 00f191d172..faca721a34 100644
--- a/inventory/group_vars/osbs_control_stg
+++ b/inventory/group_vars/osbs_control_stg
@@ -1,7 +1,5 @@
 ---
 # Define resources for this group of hosts here.
-fas_client_groups: sysadmin-releng,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
 # Variables used in the ansible-ansible-openshift-ansible role in osbs-cluster playbook
 osbs_url: "osbs.stg.fedoraproject.org"
diff --git a/inventory/group_vars/osbs_stg b/inventory/group_vars/osbs_stg
index df1344af83..86d9361b96 100644
--- a/inventory/group_vars/osbs_stg
+++ b/inventory/group_vars/osbs_stg
@@ -6,8 +6,19 @@ num_cpus: 2
 tcp_ports: [ 80, 443, 8443]
-fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran,sysadmin-osbs
-sudoers: "{{ private }}/files/sudo/osbs-sudoers"
+ipa_host_group: osbs
+ipa_host_group_desc: OpenShift Build Service
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-osbs
+- sysadmin-releng
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-osbs
+- sysadmin-releng
+- sysadmin-veteran
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
 source_registry: "registry.fedoraproject.org"
diff --git a/inventory/group_vars/packages b/inventory/group_vars/packages
index 7f91385873..3d65102d82 100644
--- a/inventory/group_vars/packages
+++ b/inventory/group_vars/packages
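Review bot: `fas_client_groups` and `sudoers` are deleted from osbs_aarch64_masters_stg and osbs_control_stg, but unlike osbs_stg neither file receives an `ipa_host_group`/`ipa_client_*` replacement. If those hosts are not also members of `osbs_stg` (the inventory membership is not in this hunk), sysadmin-releng, sysadmin-noc and sysadmin-osbs lose shell and sudo access there instead of being migrated. A comment at the deletion point, e.g. `# shell/sudo access comes from group_vars/osbs_stg (ipa_client_*)`, would make the intended inheritance checkable.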
@@ -19,6 +19,18 @@ fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-packages
 sudoers: "{{ private }}/files/sudo/sysadmin-packages"
+ipa_host_group: packages
+ipa_client_shell_groups:
+- sysadmin-noc
+- sysadmin-packages
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-packages
+- sysadmin-veteran
+- sysadmin-web
+
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
diff --git a/inventory/group_vars/packages_stg b/inventory/group_vars/packages_stg
index 139053ff9a..0537876d13 100644
--- a/inventory/group_vars/packages_stg
+++ b/inventory/group_vars/packages_stg
@@ -12,9 +12,17 @@ tcp_ports: [ 80, 443,
 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
-fas_client_groups: sysadmin-noc,sysadmin-web,fi-apprentice,sysadmin-veteran,sysadmin-packages
-
-sudoers: "{{ private }}/files/sudo/sysadmin-packages"
+ipa_host_group: packages
+ipa_client_shell_groups:
+- sysadmin-noc
+- sysadmin-packages
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-packages
+- sysadmin-veteran
+- sysadmin-web
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/pdc_web b/inventory/group_vars/pdc_web
index abfa1a23b6..cc87cc5ff4 100644
--- a/inventory/group_vars/pdc_web
+++ b/inventory/group_vars/pdc_web
@@ -15,6 +15,19 @@ tcp_ports: [ 80 ]
 fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-mbs,sysadmin-veteran
+ipa_host_group: pdc-web
+ipa_host_group_desc: Product Definition Center web app
+ipa_client_shell_groups:
+- sysadmin-mbs
+- sysadmin-noc
+- sysadmin-releng
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-mbs
+- sysadmin-noc
+- sysadmin-releng
+- sysadmin-veteran
+
 deployment_type: prod
 # This just defines the CN of the saml2 cert we pull from the private repo
diff --git a/inventory/group_vars/pdc_web_stg b/inventory/group_vars/pdc_web_stg
index b07037a7e9..6ab04f8983 100644
--- a/inventory/group_vars/pdc_web_stg
+++ b/inventory/group_vars/pdc_web_stg
@@ -13,7 +13,18 @@ wsgi_threads: 2
 tcp_ports: [ 80 ]
-fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-mbs,sysadmin-veteran
+ipa_host_group: pdc-web
+ipa_host_group_desc: Product Definition Center web app
+ipa_client_shell_groups:
+- sysadmin-mbs
+- sysadmin-noc
+- sysadmin-releng
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-mbs
+- sysadmin-noc
+- sysadmin-releng
+- sysadmin-veteran
 deployment_type: stg
diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
index ba91aaeb8f..0c09de1ffe 100644
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -23,6 +23,18 @@ fas_client_admin_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /u
 fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-releng,sysadmin-noc,sysadmin-veteran"
 admin_groups: "@sysadmin-cvs @sysadmin-releng"
+ipa_host_group: pkgs
+ipa_client_shell_groups:
+- sysadmin-cvs
+- sysadmin-main
+- sysadmin-noc
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-cvs
+- sysadmin-main
+- sysadmin-noc
+- sysadmin-veteran
+
 clamscan_mailto: admin@fedoraproject.org
 clamscan_paths:
 - /srv/cache/lookaside/pkgs
diff --git a/inventory/group_vars/pkgs_stg b/inventory/group_vars/pkgs_stg
index 1aafbf62d2..752a8cfff8 100644
--- a/inventory/group_vars/pkgs_stg
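Review bot: The new `ipa_client_shell_groups`/`ipa_client_sudo_groups` for pkgs leave out sysadmin-releng, although the `fas_client_ssh_groups` and `admin_groups: "@sysadmin-cvs @sysadmin-releng"` lines kept directly above still include it; the pkgs_stg hunk that follows goes further and deletes `fas_client_groups` (which listed sysadmin-releng), `fas_client_ssh_groups` (with `@cvs`) and `admin_groups` with no IPA counterpart for any of them. If dropping sysadmin-releng, and on staging the `@cvs` entry (presumably the packagers' non-shell git access), is intended, it deserves a comment in the file or a sentence in the commit message; otherwise `- sysadmin-releng` belongs in both lists in pkgs and pkgs_stg. Nothing in the `ipa_client_*` variables visible here expresses an ssh-without-shell grant, so the `@cvs` case in particular needs an explicit answer.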
+++ b/inventory/group_vars/pkgs_stg
@@ -15,11 +15,17 @@ pagure_static_uid: 600
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
 fedmsg_active: True
-fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-releng,sysadmin-noc,sysadmin-veteran
-fas_client_restricted_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/libexec/pagure/aclchecker.py %(username)s
-fas_client_admin_app: PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/libexec/pagure/aclchecker.py %(username)s
-fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-releng,sysadmin-noc,sysadmin-veteran"
-admin_groups: "@sysadmin-cvs @sysadmin-releng"
+ipa_host_group: pkgs
+ipa_client_shell_groups:
+- sysadmin-cvs
+- sysadmin-main
+- sysadmin-noc
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-cvs
+- sysadmin-main
+- sysadmin-noc
+- sysadmin-veteran
 clamscan_mailto: admin@fedoraproject.org
 clamscan_paths:
diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 34b213c7e1..06188b017d 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -88,6 +88,18 @@ blocked_ip_v6: [
 fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
+ipa_host_group: proxies
+ipa_host_group_desc: Proxies between internal hosts and the Internet
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+
 collectd_apache: true
 varnish_group: proxies
diff --git a/inventory/group_vars/proxies_stg b/inventory/group_vars/proxies_stg
index 8526e50a48..73073d90d5 100644
--- a/inventory/group_vars/proxies_stg
+++ b/inventory/group_vars/proxies_stg
@@ -67,7 +67,17 @@ custom_rules: [
 '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.123 -j ACCEPT',
 ]
-fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
+ipa_host_group: proxies
+ipa_host_group_desc: Proxies between internal hosts and the Internet
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
 collectd_apache: true
 varnish_group: proxies
diff --git a/inventory/group_vars/rabbitmq b/inventory/group_vars/rabbitmq
index d75c1dcddb..163e9c7c8c 100644
--- a/inventory/group_vars/rabbitmq
+++ b/inventory/group_vars/rabbitmq
@@ -34,4 +34,12 @@ custom_rules: [
 fas_client_groups: sysadmin-main,sysadmin-messaging
 sudoers: "{{ private }}/files/sudo/rabbitmq-sudoers"
+
+ipa_host_group: rabbitmq
+ipa_host_group_desc: RabbitMQ service
+ipa_shell_groups:
+- sysadmin-messaging
+ipa_sudo_groups:
+- sysadmin-messaging
+
 mem_size: 4096
diff --git a/inventory/group_vars/rabbitmq_stg b/inventory/group_vars/rabbitmq_stg
index 430ce30b8e..08619f5167 100644
--- a/inventory/group_vars/rabbitmq_stg
+++ b/inventory/group_vars/rabbitmq_stg
@@ -49,5 +49,9 @@ custom_rules: [
 '-A INPUT -p tcp -m tcp -s 10.3.166.80 --dport 25672 -j ACCEPT',
 ]
-fas_client_groups: sysadmin-main,sysadmin-messaging
-sudoers: "{{ private }}/files/sudo/rabbitmq-sudoers"
+ipa_host_group: rabbitmq
+ipa_host_group_desc: RabbitMQ service
+ipa_shell_groups:
+- sysadmin-messaging
+ipa_sudo_groups:
+- sysadmin-messaging
diff --git a/inventory/group_vars/releng_compose b/inventory/group_vars/releng_compose
index f4ea047947..40ab9e416f 100644
--- a/inventory/group_vars/releng_compose
+++ b/inventory/group_vars/releng_compose
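Review bot: The rabbitmq and rabbitmq_stg hunks use `ipa_shell_groups:` and `ipa_sudo_groups:`, while every other file in this patch uses `ipa_client_shell_groups:` and `ipa_client_sudo_groups:`. If the ipa/client role reads the `ipa_client_*` names, these two variables are silently ignored, and since rabbitmq_stg drops its `fas_client_groups` and `sudoers` lines in the same hunk, sysadmin-messaging would be left with neither shell nor sudo access on staging rabbitmq. Rename them to `ipa_client_shell_groups:` and `ipa_client_sudo_groups:` in both files, and consider a lint or a role assertion that rejects unknown `ipa_*` keys so a typo like this fails the run instead of removing access.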
@@ -19,6 +19,13 @@ fas_client_groups: sysadmin-releng
 freezes: true
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+ipa_host_group: releng-compose
+ipa_host_group_desc: Hosts running composes
+ipa_client_shell_groups:
+- sysadmin-releng
+ipa_client_sudo_groups:
+- sysadmin-releng
+
 nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3"
 # For the mock config
diff --git a/inventory/group_vars/releng_compose_stg b/inventory/group_vars/releng_compose_stg
index 20745514e6..e2318d5054 100644
--- a/inventory/group_vars/releng_compose_stg
+++ b/inventory/group_vars/releng_compose_stg
@@ -1,4 +1,11 @@
 ---
+ipa_host_group: releng-compose
+ipa_host_group_desc: Hosts running composes
+ipa_client_shell_groups:
+- sysadmin-releng
+ipa_client_sudo_groups:
+- sysadmin-releng
+
 koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
 koji_weburl: "https://koji.stg.fedoraproject.org/koji"
 koji_topurl: "https://kojipkgs.fedoraproject.org/"
diff --git a/inventory/group_vars/resultsdb_prod b/inventory/group_vars/resultsdb_prod
index 6d9a6369e3..8e97afe960 100644
--- a/inventory/group_vars/resultsdb_prod
+++ b/inventory/group_vars/resultsdb_prod
@@ -14,6 +14,14 @@ num_cpus: 4
 # the host_vars/$hostname file
 fas_client_groups: sysadmin-qa
+
+ipa_host_group: resultsdb
+ipa_host_group_desc: ResultsDB application servers
+ipa_client_shell_groups:
+- sysadmin-qa
+ipa_client_sudo_groups:
+- sysadmin-qa
+
 nrpe_procs_warn: 250
 nrpe_procs_crit: 300
diff --git a/inventory/group_vars/resultsdb_stg b/inventory/group_vars/resultsdb_stg
index 8ea812c4ff..23b5036c85 100644
--- a/inventory/group_vars/resultsdb_stg
+++ b/inventory/group_vars/resultsdb_stg
@@ -12,6 +12,17 @@ freezes: false
 # make sure we're using the stg fedsmg bus
 fedmsg_env: stg
+ipa_host_group: resultsdb
+ipa_host_group_desc: ResultsDB application servers
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-qa
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-qa
+- sysadmin-veteran
 ############################################################
 # resultsdb details
diff --git a/inventory/group_vars/secondary b/inventory/group_vars/secondary
index 5c74534475..736b2b06d7 100644
--- a/inventory/group_vars/secondary
+++ b/inventory/group_vars/secondary
@@ -11,3 +11,20 @@ nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=3"
 fas_client_groups: sysadmin-noc,alt-sugar,alt-k12linux,altvideos,hosted-content,mips-content,s390_content,fi-apprentice,qa-deltaisos,sysadmin-veteran
 host_group: secondary
+
+ipa_host_group: secondary
+ipa_host_group_desc: Serve secondary arch and archived releases
+ipa_client_shell_groups:
+- alt-k12linux
+- alt-sugar
+- altvideos
+- fi-apprentice
+- hosted-content
+- mips-content
+- qa-deltaisos
+- s390_content
+- sysadmin-noc
+- sysadmin-veteran
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
diff --git a/inventory/group_vars/sign_bridge b/inventory/group_vars/sign_bridge
index c01cbcd6e6..ae8b28ab85 100644
--- a/inventory/group_vars/sign_bridge
+++ b/inventory/group_vars/sign_bridge
@@ -11,3 +11,9 @@ tcp_ports: [ 44333, 44334 ]
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
+ipa_host_group: sign-bridge
+ipa_client_shell_groups:
+- sysadmin-releng
+ipa_client_sudo_groups:
+- sysadmin-releng
diff --git a/inventory/group_vars/sundries b/inventory/group_vars/sundries
index bb77446827..c92b5bc63a 100644
--- a/inventory/group_vars/sundries
+++ b/inventory/group_vars/sundries
@@ -22,3 +22,17 @@ nrpe_procs_warn: 300
 nrpe_procs_crit: 500
 sudoers: "{{ private }}/files/sudo/sundries-sudoers"
+
+ipa_host_group: sundries
+ipa_host_group_desc: Odds and ends
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-releng
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-releng
+- sysadmin-veteran
+- sysadmin-web
diff --git a/inventory/group_vars/sundries_stg b/inventory/group_vars/sundries_stg
index cf4e0b15c3..e2ab6d7fa5 100644
--- a/inventory/group_vars/sundries_stg
+++ b/inventory/group_vars/sundries_stg
@@ -8,7 +8,6 @@ num_cpus: 2
 # the host_vars/$hostname file
 tcp_ports: [ 80, 873 ]
-fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran,sysadmin-releng
 # This gets overridden by whichever node we want to run special cronjobs.
 master_sundries_node: False
@@ -21,4 +20,16 @@ rsync_group: sundries-stg
 nrpe_procs_warn: 300
 nrpe_procs_crit: 500
-sudoers: "{{ private }}/files/sudo/sundries-sudoers"
+ipa_host_group: sundries
+ipa_host_group_desc: Odds and ends
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-releng
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-releng
+- sysadmin-veteran
+- sysadmin-web
diff --git a/inventory/group_vars/value b/inventory/group_vars/value
index 63463e110c..0477b81eed 100644
--- a/inventory/group_vars/value
+++ b/inventory/group_vars/value
@@ -28,6 +28,20 @@ custom_rules: [
 fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-mote,sysadmin-veteran
+ipa_host_group: value
+ipa_host_group_desc: "Value added: IRC bots, message logging, etc."
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-mote
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-mote
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
diff --git a/inventory/group_vars/value_stg b/inventory/group_vars/value_stg
index 57753046aa..3cd0da80a6 100644
--- a/inventory/group_vars/value_stg
+++ b/inventory/group_vars/value_stg
@@ -26,7 +26,19 @@ custom_rules: [
 '-A INPUT -p tcp -m tcp -s 10.5.126.23 --dport 5050 -j ACCEPT',
 ]
-fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-mote,sysadmin-veteran
+ipa_host_group: value
+ipa_host_group_desc: "Value added: IRC bots, message logging, etc."
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-mote
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-mote
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/wiki b/inventory/group_vars/wiki
index 3c27d7840c..8b74b07f2a 100644
--- a/inventory/group_vars/wiki
+++ b/inventory/group_vars/wiki
@@ -12,6 +12,18 @@ virt_install_command: "{{ virt_install_command_two_nic }}"
 tcp_ports: [ 80 ]
 fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
+ipa_host_group: wiki
+ipa_host_group_desc: Fedora Wiki
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+
 # mediawiki variables
 wikiname: "fp"
 wikipath: "wiki"
diff --git a/inventory/group_vars/wiki_stg b/inventory/group_vars/wiki_stg
index 87ffde7e83..fae3a7fcf9 100644
--- a/inventory/group_vars/wiki_stg
+++ b/inventory/group_vars/wiki_stg
@@ -7,7 +7,18 @@ num_cpus: 2
 deployment_type: stg
 tcp_ports: [ 80 ]
-fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
+
+ipa_host_group: wiki
+ipa_host_group_desc: Fedora Wiki
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
 # mediawiki variables
 wikiname: "fp"
diff --git a/inventory/host_vars/compose-x86-01.stg.iad2.fedoraproject.org b/inventory/host_vars/compose-x86-01.stg.iad2.fedoraproject.org
index 274d77d0f7..bab0794b53 100644
--- a/inventory/host_vars/compose-x86-01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/compose-x86-01.stg.iad2.fedoraproject.org
@@ -10,8 +10,6 @@ eth0_ip: 10.3.167.33
 vmhost: bvmhost-x86-03.stg.iad2.fedoraproject.org
 datacenter: staging
-fas_client_groups: sysadmin-releng,sysadmin-fedimg,modularity-wg,pungi-devel
-
 koji_hub_nfs: "fedora_koji"
 kojipkgs_url: kojipkgs.fedoraproject.org
diff --git a/inventory/host_vars/db-datanommer01.stg.iad2.fedoraproject.org b/inventory/host_vars/db-datanommer01.stg.iad2.fedoraproject.org
index db6e6f3564..7498cfce52 100644
--- a/inventory/host_vars/db-datanommer01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-datanommer01.stg.iad2.fedoraproject.org
@@ -23,7 +23,6 @@ mem_size: 65536
 max_mem_size: 98304
 num_cpus: 8
 tcp_ports: [ 5432, 443 ]
-fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran
 # kernel SHMMAX value
 kernel_shmmax: 68719476736
diff --git a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
index 73c4301476..a393f31ca1 100644
--- a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
@@ -22,7 +22,6 @@ dbs_to_backup:
 lvm_size: 30000
 mem_size: 4096
 num_cpus: 2
-fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran
 #
 # Only allow postgresql access from the frontend node and ipsilon01.stg and
diff --git a/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org b/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org
index 71bfd3b364..4d1e252d1f 100644
--- a/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org
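Review bot: Deleting `fas_client_groups: sysadmin-releng,sysadmin-fedimg,modularity-wg,pungi-devel` from this staging compose host leaves only what its groups provide, and the releng_compose_stg hunk earlier in this patch grants shell access to sysadmin-releng alone. sysadmin-fedimg, modularity-wg and pungi-devel therefore lose shell access on compose-x86-01.stg unless some other group not visible here covers them; dbgserver01.stg in the next hunk similarly drops sysadmin-dbgserver with no replacement visible in this patch. If narrowing access is intended, a comment at the deletion point (or a sentence in the commit message) should say so; otherwise add the missing groups to a host-level `ipa_client_shell_groups:` list for these hosts.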
@@ -20,7 +20,6 @@ lvm_size: 1500000
 mem_size: 16384
 max_mem_size: "{{ mem_size }}"
 num_cpus: 8
-fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran,sysadmin-releng
 # kernel SHMMAX value
 kernel_shmmax: 68719476736
diff --git a/inventory/host_vars/db01.stg.iad2.fedoraproject.org b/inventory/host_vars/db01.stg.iad2.fedoraproject.org
index afb12df62f..2a46d01dc9 100644
--- a/inventory/host_vars/db01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db01.stg.iad2.fedoraproject.org
@@ -27,7 +27,6 @@ databases:
 lvm_size: 500000
 mem_size: 16384
 num_cpus: 4
-fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran
 #
 # We should narrow this down at some point
diff --git a/inventory/host_vars/db03.stg.iad2.fedoraproject.org b/inventory/host_vars/db03.stg.iad2.fedoraproject.org
index cb4c546550..dd9add51da 100644
--- a/inventory/host_vars/db03.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db03.stg.iad2.fedoraproject.org
@@ -23,7 +23,6 @@ lvm_size: 300000
 mem_size: 8192
 num_cpus: 2
 tcp_ports: [ 5432, 443, 3306 ]
-fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran
 # kernel SHMMAX value
 kernel_shmmax: 68719476736
diff --git a/inventory/host_vars/dbgserver01.stg.phx2.fedoraproject.org b/inventory/host_vars/dbgserver01.stg.phx2.fedoraproject.org
index eb4397ad55..d44afcc38a 100644
--- a/inventory/host_vars/dbgserver01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/dbgserver01.stg.phx2.fedoraproject.org
@@ -17,8 +17,6 @@ mem_size: 4096
 num_cpus: 4
 freezes: false
-fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-dbgserver
-
 virt_install_command: "{{ virt_install_command_two_nic }}"
 sudoers: "{{ private }}/files/sudo/dbgserver-sudoers"
diff --git a/inventory/host_vars/log01.iad2.fedoraproject.org b/inventory/host_vars/log01.iad2.fedoraproject.org
index 3d55160dda..b559111b50 100644
--- a/inventory/host_vars/log01.iad2.fedoraproject.org
+++ b/inventory/host_vars/log01.iad2.fedoraproject.org
@@ -20,6 +20,4 @@ lvm_size: 1048576
 mem_size: 16384
 num_cpus: 16
-fas_client_groups: fi-apprentice,sysadmin-veteran,sysadmin-logs,sysadmin-noc,sysadmin-atomic,sysadmin-analysis
-
 #host_backup_targets: ['/var/log']
diff --git a/inventory/host_vars/resultsdb01.stg.iad2.fedoraproject.org b/inventory/host_vars/resultsdb01.stg.iad2.fedoraproject.org
index aef628d7de..38c3888d5b 100644
--- a/inventory/host_vars/resultsdb01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/resultsdb01.stg.iad2.fedoraproject.org
@@ -23,8 +23,6 @@ vmhost: vmhost-x86-05.stg.iad2.fedoraproject.org
 # virtual machine
 ############################################################
-fas_client_groups: sysadmin-qa,sysadmin-main,sysadmin-noc,fi-apprentice,sysadmin-veteran
 lvm_size: 50000
 mem_size: 8192
 num_cpus: 4
-sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
diff --git a/inventory/inventory b/inventory/inventory
index 8523e57efc..60855b4cbf 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -314,6 +314,14 @@ iddev.fedorainfracloud.org
 noc01.iad2.fedoraproject.org
 noc02.fedoraproject.org
+[notifs:children]
+notifs_backend
+notifs_web
+
+[notifs_stg:children]
+notifs_backend_stg
+notifs_web_stg
+
 [notifs_backend]
 notifs-backend01.iad2.fedoraproject.org
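Review bot: log01.iad2.fedoraproject.org is not a staging host, yet its `fas_client_groups` line is deleted in this hunk; the only replacement in this patch is the new group_vars/logging file with `ipa_client_shell_groups`, and if the IPA-based access is not yet active for prod hosts, the FAS-based shell access for sysadmin-logs, sysadmin-noc, sysadmin-atomic, sysadmin-analysis, sysadmin-veteran and fi-apprentice on log01 disappears with nothing standing in for it (unless a `fas_client_groups` default applies, which is not visible here). Either keep `fas_client_groups: fi-apprentice,sysadmin-veteran,sysadmin-logs,sysadmin-noc,sysadmin-atomic,sysadmin-analysis` on log01 until the IPA path is live in prod, or move that line into group_vars/logging next to the `ipa_*` variables so both mechanisms agree. A comment such as `# fas_client_groups stays until ipa/client is enabled for prod` would record why the two coexist.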