Start of download-server port to ansible. Still needs httpd config (esp. ssl certs) and rsync server stuff I think

playbooks/groups/download.yml

@@ -0,0 +1,50 @@
+- name: Download servers
+  hosts: download
+  user: root
+  gather_facts: False
+  accelerate: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+  - include: "{{ tasks }}/accelerate_prep.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the box be real
+  hosts: download
+  user: root
+  gather_facts: True
+  accelerate: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - denyhosts
+  - nagios_client
+  - fas_client
+  - collectd/base
+  - download
+  - mod_limitipconn
+  - rsyncd
+
+  tasks:
+  - include: "{{ tasks }}/hosts.yml"
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/2fa_client.yml"
+  - include: "{{ tasks }}/motd.yml"
+  - include: "{{ tasks }}/sudo.yml"
+    when: env != "staging"
+  - include: "{{ tasks }}/apache.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"

roles/download/files/logrotate-rsync-fedora

@@ -0,0 +1,6 @@
+/var/log/rsyncd-fedora.log {
+    monthly
+    rotate 4
+    notifempty
+    missingok
+}

roles/download/files/motd_fedora

@@ -0,0 +1,10 @@
+----------------------------
+Fedora Master Mirror Servers
+----------------------------
+Modules for Fedora Core and Extras have been removed, as this content is
+no longer updated. See the instructions below for how to mirror current
+content.
+
+See http://fedoraproject.org/wiki/Infrastructure/Mirroring for
+instructions.
+----------------------------

roles/download/files/system_identification

@@ -0,0 +1,9 @@
+Security Category: Moderate
+Primary Contact: Fedora Admins - admin@fedoraproject.org
+Purpose: Provides mirror access to downstream servers.
+Environment: Production
+Relationship: Mirrormanager depends on this host for some crawling.  This host
+    only depends on the netapp - vtap-fedora-nfs01.storage.phx2.redhat.com
+
+This document is provided as part of CSI standards.  
+See http://infrastructure.fedoraproject.org/csi/security-policy/ for more information

roles/download/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: Get nfs-utils
+  yum: pkg=nfs-utils state=installed
+
+- name: Create /srv/pub directory
+  file: path=/srv/pub state=directory
+
+- name: Set httpd_use_nfs seboolean
+  action: seboolean name=httpd_use_nfs
+
+- name: /srv/pub file contexts
+  command: semanage fcontext -a -t httpd_sys_content_t "/srv/pub(/.*)?"
+
+- name: /var/log/rsyncd-fedora.log file context
+  command: semanage fcontext -a -t rsync_log_t "/var/log/rsyncd-fedora.log"
+
+- name: /etc/system_identification
+  copy: src=system_identification dest=/etc/system_identification
+
+- name: /etc/motd_fedora
+  copy: src=motd_fedora dest=/etc/motd_fedora
+
+- name: Configure logrotate for /var/log/rsyncd-fedora.log
+  copy: src=logrotate-rsync-fedora dest=/etc/logrotate.d/rsync-fedora
+
+- name: NFS mount points (phx2)
+  mount: name=/srv/pub src=vtap-fedora-nfs01.storage.phx2.redhat.com:/vol/fedora_ftp/fedora.redhat.com/pub fstype=nfs opts=defaults,fsc,ro,noatime,nodev,nosuid,hard,intr,nfsvers=3,nocto,actimeo=600 state=mounted
+  when: datacenter == 'phx2'
+
+- name: NFS mount points (rdu)
+  mount: name=/srv/pub src=172.31.1.10:/vol/fedora_ftp/fedora.redhat.com/pub fstype=nfs opts=defaults,ro,noatime,nodev,nosuid,hard,intr,nfsvers=3 state=mounted
+  when: datacenter == 'phx2'

roles/mod_limitipconn/files/limitipconn.conf

@@ -0,0 +1,17 @@
+# This module will not function unless mod_status is loaded and the
+# "ExtendedStatus On" directive is set. So load only if mod_status is too.
+<IfModule mod_status.c>
+
+    # This is always needed
+    ExtendedStatus On
+
+    # mod_limitipconn configuration
+    LoadModule limitipconn_module modules/mod_limitipconn.so
+
+    # A global default configuration doesn't make much sense. See the README
+    # from the mod_limitipconn package for configuration examples.
+
+    MaxConnPerIP 15
+    OnlyIPLimit application/octet-stream application/x-rpm
+
+</IfModule>

roles/mod_limitipconn/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Install package
+  yum: pkg=mod_limitipconn state=installed
+
+- name: Configuration file
+  copy: src=limitipconn.conf dest=/etc/httpd/conf.d/limitipconn.conf