From 310fe97b1cabd49b2a79f280a6a6f97c34738a78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamil=20P=C3=A1ral?= Date: Fri, 12 Jan 2018 14:19:40 +0100 Subject: [PATCH 01/36] taskotron-dev: enable python-versions task It has been ansiblized. --- .../taskotron-trigger/templates/trigger_rules.yml.j2.dev | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev index 27567fc9b5..88dc792cbd 100644 --- a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev +++ b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2.dev @@ -1,7 +1,7 @@ --- - when: {message_type: KojiBuildPackageCompleted} do: - - {tasks: [rpmlint, rpmgrill]} + - {tasks: [rpmlint, rpmgrill, python-versions]} - when: message_type: KojiBuildPackageCompleted From 1c9c2b649bcac92f8a107da14c3fb8364239b2d7 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 12 Jan 2018 15:49:01 +0000 Subject: [PATCH 02/36] Set pdc-web01 to el7. --- inventory/host_vars/pdc-web01.phx2.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/pdc-web01.phx2.fedoraproject.org b/inventory/host_vars/pdc-web01.phx2.fedoraproject.org index 462a6d05aa..b084402229 100644 --- a/inventory/host_vars/pdc-web01.phx2.fedoraproject.org +++ b/inventory/host_vars/pdc-web01.phx2.fedoraproject.org @@ -3,8 +3,8 @@ nm: 255.255.255.0 gw: 10.5.126.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ +ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7 +ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/ eth0_ip: 10.5.126.131 From 05d37919cebcda90d24b339bde714ffd12942edf Mon Sep 17 00:00:00 2001 
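Review bot: The new `ks_url` and `ks_repo` in the pdc-web01 hunk fetch the kickstart and the install tree over cleartext `http://`, and they now go through a hostname rather than the address literal used before. That adds name resolution to what the installer trusts at build time. If `infrastructure.fedoraproject.org` serves the same paths over TLS (not visible from this hunk), prefer `ks_url: https://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7`. Otherwise add a comment saying the fetch is expected to stay on the internal network. The other host_vars files in this series still use `10.5.126.23`, so the two forms should be reconciled either way.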
From: Ralph Bean Date: Fri, 12 Jan 2018 16:43:35 +0000 Subject: [PATCH 03/36] Back to yum, for pdc. --- playbooks/manual/upgrade/pdc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/manual/upgrade/pdc.yml b/playbooks/manual/upgrade/pdc.yml index 1443d63a96..c40111b7b1 100644 --- a/playbooks/manual/upgrade/pdc.yml +++ b/playbooks/manual/upgrade/pdc.yml @@ -42,10 +42,10 @@ pre_tasks: - name: clean all metadata - command: dnf clean all + command: yum clean all check_mode: no - - name: dnf update PDC packages - dnf: name="{{item}}" state=latest + - name: yum update PDC packages + yum: name="{{item}}" state=latest with_items: - python-pdc - python-productmd From 1fe837bbd4e6f0562d4d6e283fc9488fd409fd61 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Fri, 12 Jan 2018 18:15:49 +0000 Subject: [PATCH 04/36] add in a rule for the control --- playbooks/groups/osbs-cluster.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 454e1e42c6..8ebba585f2 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -548,6 +548,20 @@ src: "{{files}}/osbs/cleanup-old-osbs-builds" dest: "/etc/cron.d/cleanup-old-osbs-builds" +- name: post-install osbs control tasks + hosts: osbs-control + tags: osbs-post-install + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + tasks: + - name: enable nrpe for monitoring (noc01) + iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT + tags: + - iptables + - name: post-install osbs tasks hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes From 4bb54d7837be04389faaadb563ea6b44541fe405 Mon Sep 17 00:00:00 2001 
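Review bot: The new `post-install osbs control tasks` play loads `/srv/private/ansible/vars.yml` and `/srv/private/ansible/files/openstack/passwords.yml`, although its only task is an iptables rule that references no variable. The `vars_files` list looks copied from a neighbouring play. Trimming it to what the play uses keeps the private secrets out of the variable scope of a run that does not need them. Separately, `iptables: action=insert ...` only changes the running ruleset, so the nrpe port closes again after a reboot or firewall reload unless the host's persistent rules also carry it (not visible here). Add a comment such as `# runtime-only rule; persistent copy lives in <iptables template path>` or move the rule there.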
From: Kevin Fenzi Date: Fri, 12 Jan 2018 18:57:38 +0000 Subject: [PATCH 05/36] this will be f27 too --- inventory/host_vars/compose-x86-01.phx2.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org b/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org index bd2a2de4cd..13230dcee3 100644 --- a/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org +++ b/inventory/host_vars/compose-x86-01.phx2.fedoraproject.org @@ -7,8 +7,8 @@ dns: 10.5.126.21 # libdir: /usr/lib64 -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-25 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ virt_install_command: "{{ virt_install_command_two_nic }}" lvm_size: 30000 From ece29a885cfbe4a999d95510fab2979a12d74f89 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Fri, 12 Jan 2018 19:37:14 +0000 Subject: [PATCH 06/36] remove the mirrorlist2 items from haproxy --- roles/haproxy/templates/haproxy.cfg | 28 ---------------------------- 1 file changed, 28 deletions(-) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index a507f2e668..37a42259bf 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
@@ -49,34 +49,6 @@ backend fp-wiki-backend {% endif %} option httpchk GET /wiki/Main_Page -frontend mirror-lists-frontend - bind 0.0.0.0:10002 - default_backend mirror-lists-backend - -backend mirror-lists-backend - balance hdr(appserver) - timeout connect 30s -{% if env == "staging" %} - server mirrorlist-local1 localhost:18081 check inter 1s rise 2 fall 3 weight 100 - server mirrorlist-local2 localhost:18082 check inter 1s rise 2 fall 3 weight 100 - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup -{% endif %} -{% if env == "production" %} -{% if 'mirrorlist-proxies' in group_names %} - server mirrorlist-local1 localhost:18081 check inter 1s rise 2 fall 3 weight 100 - server mirrorlist-local2 localhost:18082 check inter 1s rise 2 fall 3 weight 100 - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup - server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup - server mirrorlist-ibiblio02 mirrorlist-ibiblio02:80 check inter 5s rise 2 fall 3 backup -{% else %} - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 - server mirrorlist-ibiblio02 mirrorlist-ibiblio02:80 check inter 5s rise 2 fall 3 - server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup -{% endif %} -{% endif %} - option httpchk GET /mirrorlist - option allbackups - frontend pkgdb-frontend bind 0.0.0.0:10003 default_backend pkgdb-backend From 3aafbd1307c0f7526398547655c5a5f5fce964e8 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Fri, 12 Jan 2018 19:53:59 +0000 Subject: [PATCH 07/36] remove mirrorlists from inventory --- inventory/inventory | 8 -------- 1 file changed, 8 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 3d0b532ac3..6e5db620df 100644 --- a/inventory/inventory +++ b/inventory/inventory 
@@ -495,14 +495,6 @@ memcached02.phx2.fedoraproject.org [memcached-stg] memcached01.stg.phx2.fedoraproject.org -[mirrorlist2] -mirrorlist-host1plus.fedoraproject.org -mirrorlist-ibiblio02.fedoraproject.org -mirrorlist-phx2.phx2.fedoraproject.org - -[mirrorlist2-stg] -mirrorlist-phx2.stg.phx2.fedoraproject.org - [mirrorlist-proxies] proxy01.phx2.fedoraproject.org proxy02.fedoraproject.org From 0d355478cc28fed186f457d3a6f29432feabfba0 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 12 Jan 2018 19:54:00 +0000 Subject: [PATCH 08/36] move this to f27 with all the other compose machines --- inventory/host_vars/compose-x86-02.phx2.fedoraproject.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/compose-x86-02.phx2.fedoraproject.org b/inventory/host_vars/compose-x86-02.phx2.fedoraproject.org index ea60152f5e..a001d2c09a 100644 --- a/inventory/host_vars/compose-x86-02.phx2.fedoraproject.org +++ b/inventory/host_vars/compose-x86-02.phx2.fedoraproject.org @@ -7,8 +7,8 @@ dns: 10.5.126.21 # libdir: /usr/lib64 -ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/buildvm-fedora-27 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/ virt_install_command: "{{ virt_install_command_two_nic }}" lvm_size: 262144 From 1b1c9c496881abed9f10a50b3cb16d77e7510773 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 12 Jan 2018 20:05:41 +0000 Subject: [PATCH 09/36] add back in containers --- roles/haproxy/templates/haproxy.cfg | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 37a42259bf..762e3d9d71 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
@@ -49,6 +49,18 @@ backend fp-wiki-backend {% endif %} option httpchk GET /wiki/Main_Page +frontend mirror-lists-frontend + bind 0.0.0.0:10002 + default_backend mirror-lists-backend + +backend mirror-lists-backend + balance hdr(appserver) + timeout connect 30s + server mirrorlist-local1 localhost:18081 check inter 1s rise 2 fall 3 weight 100 + server mirrorlist-local2 localhost:18082 check inter 1s rise 2 fall 3 weight 100 + option httpchk GET /mirrorlist + option allbackups + frontend pkgdb-frontend bind 0.0.0.0:10003 default_backend pkgdb-backend From b58aec5fdb24a13f3bac556c398e87ddc611c466 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 Jan 2018 20:35:18 +0000 Subject: [PATCH 10/36] Perform mirrorlist cache check against proxies Signed-off-by: Patrick Uiterwijk --- .../templates/check_mirrorlist_cache.cfg.j2 | 3 ++- .../files/nagios/services/file_age.cfg | 15 ++++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 b/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 index 94c58be10f..f19eab9534 100644 --- a/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 +++ b/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 @@ -1 +1,2 @@ -command[check_mirrorlist_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c 129600 -f /var/lib/mirrormanager/mirrorlist_cache.pkl +command[check_mirrorlist1_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c 129600 -f /srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.pkl +command[check_mirrorlist2_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c 129600 -f /srv/mirrorlist/data/mirrorlist2/mirrorlist_cache.pkl diff --git a/roles/nagios_server/files/nagios/services/file_age.cfg b/roles/nagios_server/files/nagios/services/file_age.cfg index 5de18e7be7..c04ffa69f2 100644 --- a/roles/nagios_server/files/nagios/services/file_age.cfg 
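Review bot: `option allbackups` in the re-added `mirror-lists-backend` has no effect, because neither remaining `server` line is marked `backup`. With the remote mirrorlist servers gone, nothing serves port 10002 when both local listeners on 18081 and 18082 fail `httpchk GET /mirrorlist`. Either drop the option, or add a comment above the backend such as `# local containers only; no off-host fallback since mirrorlist2 was retired`, so the loss of redundancy is a recorded decision. The following Nagios change checks the age of the cache files but not this frontend, so a check on the listener itself may be worth adding.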
+++ b/roles/nagios_server/files/nagios/services/file_age.cfg @@ -1,7 +1,16 @@ define service { - hostgroup_name mirrorlist2 - service_description Check MirrorList Cache - check_command check_by_nrpe!check_mirrorlist_cache + hostgroup_name proxies + service_description Check MirrorList 1 Cache + check_command check_by_nrpe!check_mirrorlist1_cache + use defaulttemplate + check_interval 120 + notification_interval 130 +} + +define service { + hostgroup_name proxies + service_description Check MirrorList 2 Cache + check_command check_by_nrpe!check_mirrorlist2_cache use defaulttemplate check_interval 120 notification_interval 130 From ca798ca07d427d8459b9b7120034acb5123374d4 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 Jan 2018 20:44:44 +0000 Subject: [PATCH 11/36] Add check_mirrorlist_cache.cfg Signed-off-by: Patrick Uiterwijk --- roles/nagios_client/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 0be1a09ef7..329d50f0c2 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -147,6 +147,7 @@ - check_koschei_watcher_proc.cfg - check_testcloud.cfg - check_mirrorlist_docker_proxy.cfg + - check_mirrorlist_cache.cfg - check_celery_redis_queue.cfg - check_odcs_backend_proc.cfg notify: From 2f48eb9293c6aeb38268f94c588e9978eaf8f71c Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 Jan 2018 20:59:22 +0000 Subject: [PATCH 12/36] Remove deleted box Signed-off-by: Patrick Uiterwijk --- roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 index 8aeaf9a75f..8e44071e63 100644 --- a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 +++ b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 
@@ -1,6 +1,6 @@ define hostgroup { hostgroup_name nomail alias No Mail - members *, !status, !registry-cdn, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} + members *, !status, !registry-cdn, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %} } From 07e961bb75269dafd8716c960dbe50ce04ffd867 Mon Sep 17 00:00:00 2001 
From: Ralph Bean Date: Fri, 12 Jan 2018 21:05:03 +0000 Subject: [PATCH 13/36] Freshmaker hosts. --- inventory/inventory | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/inventory/inventory b/inventory/inventory index 6e5db620df..e9fdc08cf3 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -46,17 +46,13 @@ certgetter01.phx2.fedoraproject.org faf01.stg.phx2.fedoraproject.org [freshmaker-frontend] -# not prod yet, until patrick finishes his audit. -# https://pagure.io/fedora-infrastructure/issue/6183 -#freshmaker-frontend01.phx2.fedoraproject.org +freshmaker-frontend01.phx2.fedoraproject.org [freshmaker-frontend-stg] freshmaker-frontend01.stg.phx2.fedoraproject.org [freshmaker-backend] -# not prod yet, until patrick finishes his audit. -# https://pagure.io/fedora-infrastructure/issue/6183 -#freshmaker-backend01.phx2.fedoraproject.org +freshmaker-backend01.phx2.fedoraproject.org [freshmaker-backend-stg] freshmaker-backend01.stg.phx2.fedoraproject.org @@ -66,10 +62,8 @@ freshmaker-frontend-stg freshmaker-backend-stg [freshmaker:children] -# not prod yet, until patrick finishes his audit. -# https://pagure.io/fedora-infrastructure/issue/6183 -#freshmaker-frontend -#freshmaker-backend +freshmaker-frontend +freshmaker-backend [ask] ask01.phx2.fedoraproject.org From 1ddf40d19cc4df869eb51e5b12b356d85d1d2830 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 12 Jan 2018 21:20:03 +0000 Subject: [PATCH 14/36] Put freshmaker backendon virthost21. --- inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org b/inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org index a960a4d80c..fce33723d2 100644 --- a/inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org +++ b/inventory/host_vars/freshmaker-backend01.phx2.fedoraproject.org 
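Review bot: All three removed comment blocks held the production hosts back "until patrick finishes his audit" and pointed at issue 6183, but the commit message `Freshmaker hosts.` does not say how that audit ended. The history should show that the gate was cleared rather than skipped. Either reference the audit result in the commit message, or leave a one-line comment above `[freshmaker-frontend]` such as `# security audit completed, see https://pagure.io/fedora-infrastructure/issue/6183`. The same applies to the `[freshmaker-backend]` and `[freshmaker:children]` groups in the second hunk.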
@@ -9,6 +9,6 @@ ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ eth0_ip: 10.5.126.130 volgroup: /dev/vg_guests -vmhost: virthost19.phx2.fedoraproject.org +vmhost: virthost21.phx2.fedoraproject.org datacenter: phx2 From d3ea8120ee84e7955c0b683033796ebc0d40f52a Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 Jan 2018 21:43:40 +0000 Subject: [PATCH 15/36] Add some more selinux policy to fi-nrpe Signed-off-by: Patrick Uiterwijk --- roles/nagios_client/files/selinux/fi-nrpe.pp | Bin 946 -> 7286 bytes roles/nagios_client/files/selinux/fi-nrpe.te | 8 ++++++-- 2 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/roles/nagios_client/files/selinux/fi-nrpe.pp b/roles/nagios_client/files/selinux/fi-nrpe.pp index 1243b0e73e8fd65fdfc7d2b753a9589501b74324..0e71b44babd54e1c5e8f5e83d30653b2ff8e4e4b 100644 GIT binary patch literal 7286 zcmc&&OOG4J5gsSb1I!@^koa5xFI<44t;8ptVtXw_h_w>3mM=yyXwKA-o$cwKRQD`N zKz|`feqjEHPBOmk8FI+wuDB~jDS+f~y56s@?tj01{pOP_%YK$++3&L~`|qb&_OG|E z-~2YqvdeGjJ8j!FJ$Gem7%0EXvJB|I&Jz48%d$#8veNL+vn+c&d;I5aWeA|a=hN;b zo`H@JpwcFiLqe?@FvSwDxo899FDMoqR0z^Dg9>;CxcNW02)PV}-}c;KuMR2mAMuos)Jxxk2XCo}WRHAAQEdI%8 zOpj+&x>{*VVbkzvOn;nF;cQUavP7!H>8xM>(~Qb3`$RLk3n21uyl9OQf_n!l;qQmi zDY8C6ol#Wia#PQp(FGZ8uLc?!dzF8Dt>B``D|=>D%_Y6m4g1fZK70CNpjf3V_kY*S zyW)z2AE<>lA6+fD>uckRD=PU~7fjZb!?c>4kFQfot8bP{R1sKi(X3d?NB36J>?tY_ z<&g(b*6X01-NrF`6lovVa#faj*Ec4qH%v<{Af8%Y#oxjx?mVrg0LeR)siEl@szvXID|`?-b2qPs*0mu+-Xn z?QHVT_e5eXR{IxIAD&6J8glEty2EbTcK(0gZf0jY5Yy>(n?AQg%GQnHBpf z5L5EyE-NTFs$FYC3`1+vb97^xga_Ujk|FO}ukE6<3TVAg4)F?M6@ZFJpGwr>4c&WR z8Sg`zHi`E!>V~J`vLmkO!hV7ulS>ZpBU{(7D0D+lVW|SuuGH0rd{BY!u;FxuZthvG z`JEg++cHKPMWq*3nLF}li)>30E?8fK)N)uk!8{Z9>0L1%rd87ZGM?Ay2YUAMo7fS0 zII(WVF-{k}8Wc+Gs9=Vw+Kr+8^mzb4+M5lxBjGUs_Wt0uH?QpjkdMt&9x?{A)B)_1 zU3LS{{+zQ9ptv!Oc-osn4ge%aM+HxNBfu_3@4}E6ruUX&;|8M%V&f-Ke1F+UT%(5)Fm8uiD^h z6?E}n4(A)IYF!)=9c_S+7h%aljktonA2_J9@_!EZisN6{G%Vc+(L35NbrtNyw)NC# zA7-;zI!49!m@){j$+k5GUGpwry0Rr#6J9qm4bpNx#~eMal=0njVpM-grDIRlg*4)X zr5^N?JZD=PZ8^`QN6WUZH%UkAirRXXK#DA{fHfm(J(scHj>g0yjc6ODh)#eKxH;f;m~_8W$n+e~ z8`nB)rboq`C?rWKl#Ta){mCR@&z&=q=(El_`L!}_%#izO7VTHT zPcBjom0TDlF`1)V@$?1CqnKPgdYn#64-f%&-Vm|#F?;e+ijPugrNa`)fBl=h2p}i<4il@r@~P-53=( zRk^f=eX70_{PZ4Tw>sXCdy>H~x;XUNvQ%-)T_pG43DN3vT=CY?;T5g8_Y;DS#OazH z+|$~am9g!S^5ii(#xZWbiMZP=c7iy9++DMXF1e%Xu0-Y>H~Ldm{B|91T}EiZtgI*3 z2HeJA$6PnU@%9CWuz2@knag`3Q@^#9IQBd6{`8OEQT}=42LNWS(5dY(6=VSp+OHm)T&lF0;zyv&=P& OOq1hTG$*fR(FXwNZ7RY5 diff --git a/roles/nagios_client/files/selinux/fi-nrpe.te b/roles/nagios_client/files/selinux/fi-nrpe.te index 91bcdcc972..b43802782a 100644 --- a/roles/nagios_client/files/selinux/fi-nrpe.te 
+++ b/roles/nagios_client/files/selinux/fi-nrpe.te @@ -1,11 +1,15 @@ -module fi-nrpe 1.0; +module fi-nrpe 1.1; require { type nagios_system_plugin_t; + type nagios_admin_plugin_t; type nrpe_exec_t; - class file getattr; + type bin_t; + class file { getattr map execute }; } #============= nagios_system_plugin_t ============== allow nagios_system_plugin_t nrpe_exec_t:file getattr; +# This is needed for e.g. check_file_age, which is a perl script +allow nagios_admin_plugin_t bin_t:file { map execute }; From f46144bd783289503173f682972ce45e7cc7fd20 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 Jan 2018 21:47:00 +0000 Subject: [PATCH 16/36] Add mirrorlist container selinux policy Signed-off-by: Patrick Uiterwijk --- .../files/selinux/mirrormanager_container.pp | Bin 0 -> 7276 bytes .../files/selinux/mirrormanager_container.te | 15 +++++++++++++++ roles/nagios_client/tasks/main.yml | 9 +++++++++ 3 files changed, 24 insertions(+) create mode 100644 roles/nagios_client/files/selinux/mirrormanager_container.pp create mode 100644 roles/nagios_client/files/selinux/mirrormanager_container.te 
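Review bot: The new rule `allow nagios_admin_plugin_t bin_t:file { map execute };` is broader than its comment suggests. `bin_t` is the generic label for executables, so admin plugins may now execute any `bin_t` file, not just the perl interpreter behind check_file_age. The comment should say so, for example `# check_file_age is a perl script; perl is bin_t, so this permits executing any bin_t file from the admin plugin domain`. The rule also sits under the existing `#============= nagios_system_plugin_t ==============` banner and needs its own `#============= nagios_admin_plugin_t ==============` line. The compiled `fi-nrpe.pp` is committed as an opaque binary next to this source, so a reviewer cannot confirm that the two match. Building the module from the `.te` at deploy time with `checkmodule` and `semodule_package` would remove that gap.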
diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.pp b/roles/nagios_client/files/selinux/mirrormanager_container.pp new file mode 100644 index 0000000000000000000000000000000000000000..31b843535810b8ed8621363f7ff62c91b4f81c91 GIT binary patch literal 7276 zcmc&&TaVkg6;|6tTeuHx(E|H=0Ka$u$D6eKl&9|QY|x<1BMZ3?!bjcgQ`sjHJW(gH7W!XN7kh%3 z`~7v)!I50=qa1^OzkBm`JQ~xbv|M;&x6}yl*=k3VQre3V7GDV~YW8g1)6tlo%&0WA zked9q;nA4>Fr%GjfhuykNb7%`QMqFuX-0PeME;EztrC`CXip{l`>}Kitj|zq6coDN z)^np|K}zbIo<>UFglK$Pt>B``Yki?b%_Y5(4ZAO%J%9GHr&uK`^MBXOnc{}M>#2n= zpIj}t>uY6-8!CAv3np#Kep=1dr`IW_)i+CFMd8_=(5zV6PwuU#*)vog$|LtyXeYfi zdKbswQ4~;E%SBn{UEi3*-Y_kt1@Tn#Iy?&{oSU$_n0^mBB@Gf~){)q~jtm0B$~ zsXN8o>#Gc5XToSqqcL5#O=GO5S`^kes*ELvbT$>m#!kU3b|iF34cl5eCykE&`EDs) z>@sd?T2+$KYD-J8;sfddEhHp?kH{~1I~r3VbfmUiv1MHxvWN$mcyx?-cgeJTxR9iAxv6ju0GY`KQOo-X>;&xUXra(x^SNp6W zZ>Tn{_8|@JJGLu+FGt6^ z43S1r$%Pi`j{Mmn>yj)NELR}a?AOL(o(cQ(z8HsT6}7((SxSGW=dZpA9U;M)bu$ie zy5e=OP(nuqGgQ@n3{BJL0DyEb8}3HJV*u>K!R=sPI|Lvfo2eXR^k%669Fkpk1JB`{ za|ocgHH|nrm_h~slB1)7qk|D)0QU;Zb;E@e>Qrc6JEn+JwOE9c}v9J$Lz=jDK1E%we(9gQ>leUrzWXMY7A3h z1l4WLRu*Jz$u=Up$E3`f9qKdkSjxqcoey;ZxL3g7mXL35ay5MsT@(MO%9^^8Wu`z_kG;*zglUT!fp}UBQ4{`RJFPQ!IYfDLAL&q)<%2cO#_?bSsQ6r zk-%*mlXN7o|3h7xj4z(PFQJ0n&vmf3YJF>=cG5YW#^=G7or|MiuO)m@3qIc)Ujs`%~3~%sruDdu z!H&6UEQi|{9Kyogi)Jpvp?l6`83&zkG0;Oro`rrl93_A}dw=H&e*3O-M{M8WXn3wY Li8T7_AY%Uo^j^yC literal 0 HcmV?d00001 diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.te b/roles/nagios_client/files/selinux/mirrormanager_container.te new file mode 100644 index 0000000000..6180969c69 --- /dev/null +++ b/roles/nagios_client/files/selinux/mirrormanager_container.te 
@@ -0,0 +1,15 @@ +module mirrormanager_container 1.0; + +require { + type container_t; + type container_file_t; + type mirrormanager_log_t; + type nrpe_t; + class file { append getattr }; +} + +# Allow mirrorlist to append to its log +allow container_t mirrormanager_log_t:file append; +# Allow nrpe to check file age of mirrorlist pkl files +allow nrpe_t container_file_t:file getattr; + diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 329d50f0c2..0c55d78e11 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -99,6 +99,15 @@ command: semodule -i /usr/share/nrpe/fi-nrpe.pp when: ansible_distribution_major_version|int == 7 and selinux_module|changed +- name: copy over our custom selinux module for mirrorlist + copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp + register: selinux_module_mirrorlist + when: 'proxy' in inventory_hostname + +- name: install our custom selinux module for mirrorlist + command: semodule -i /usr/share/nrpe/mirrormanager_container.pp + when: 'proxy' in inventory_hostname and selinux_module|changed + # Set up our base config. - name: /etc/nagios/nrpe.cfg From 2b879d49e6e9add578b278db940fd923d8b52f6c Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 Jan 2018 21:48:01 +0000 Subject: [PATCH 17/36] tags Signed-off-by: Patrick Uiterwijk --- roles/nagios_client/tasks/main.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 0c55d78e11..d34605835c 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml 
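Review bot: The task `copy over our custom selinux module for mirrorlist` in the `tasks/main.yml` hunk copies the wrong file. Its `src=selinux/fi-nrpe.pp` is written to `mirrormanager_container.pp`, so the proxies get a second copy of the nrpe module and the container rules added in this commit are never loaded. The line should read `copy: src=selinux/mirrormanager_container.pp dest=/usr/share/nrpe/mirrormanager_container.pp`. The install task also tests `selinux_module|changed`, which is the result registered for fi-nrpe. It should test `selinux_module_mirrorlist|changed`, otherwise a change to the mirrorlist module alone never triggers `semodule -i`. Both lines pass unchanged through the two follow-up commits on this page, which only add tags and quote the `when:` expressions. A module that silently fails to load tends to show up later as AVC denials, so this is worth fixing before someone works around them by relaxing enforcement.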
@@ -94,19 +94,35 @@ - name: copy over our custom selinux module copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/fi-nrpe.pp register: selinux_module + tags: + - config + - nagios_client + - selinux - name: install our custom selinux module command: semodule -i /usr/share/nrpe/fi-nrpe.pp when: ansible_distribution_major_version|int == 7 and selinux_module|changed + tags: + - config + - nagios_client + - selinux - name: copy over our custom selinux module for mirrorlist copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp register: selinux_module_mirrorlist when: 'proxy' in inventory_hostname + tags: + - config + - nagios_client + - selinux - name: install our custom selinux module for mirrorlist command: semodule -i /usr/share/nrpe/mirrormanager_container.pp when: 'proxy' in inventory_hostname and selinux_module|changed + tags: + - config + - nagios_client + - selinux # Set up our base config. From a89e7984fa3c29fecedde1e9f52f8d0ce096afc3 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 Jan 2018 21:48:40 +0000 Subject: [PATCH 18/36] Add quotes Signed-off-by: Patrick Uiterwijk --- roles/nagios_client/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index d34605835c..9699e09549 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -110,7 +110,7 @@ - name: copy over our custom selinux module for mirrorlist copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp register: selinux_module_mirrorlist - when: 'proxy' in inventory_hostname + when: "'proxy' in inventory_hostname" tags: - config - nagios_client 
@@ -118,7 +118,7 @@ - name: install our custom selinux module for mirrorlist command: semodule -i /usr/share/nrpe/mirrormanager_container.pp - when: 'proxy' in inventory_hostname and selinux_module|changed + when: "'proxy' in inventory_hostname and selinux_module|changed" tags: - config - nagios_client From 67c97cd08f00bf63a25340a90d38a5734d36bdda Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Fri, 12 Jan 2018 21:57:14 +0000 Subject: [PATCH 19/36] we forgot to undefine one define --- inventory/inventory | 1 - 1 file changed, 1 deletion(-) diff --git a/inventory/inventory b/inventory/inventory index e9fdc08cf3..01f4f93c13 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -803,7 +803,6 @@ tagger01.stg.phx2.fedoraproject.org taskotron-stg01.qa.fedoraproject.org value01.stg.phx2.fedoraproject.org wiki01.stg.phx2.fedoraproject.org -mirrorlist-phx2.stg.phx2.fedoraproject.org mm-frontend01.stg.phx2.fedoraproject.org mm-backend01.stg.phx2.fedoraproject.org mm-crawler01.stg.phx2.fedoraproject.org From 6086e4c18e2b467400cef2a5cde4d11b6eb7546d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Sat, 13 Jan 2018 10:32:49 +0000 Subject: [PATCH 20/36] Fix hubs-dev deployment --- roles/hubs/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hubs/tasks/main.yml b/roles/hubs/tasks/main.yml index 990aed7dd4..89fb2f415d 100644 --- a/roles/hubs/tasks/main.yml +++ b/roles/hubs/tasks/main.yml @@ -157,7 +157,7 @@ chdir: "{{ hubs_code_dir }}/hubs/static/client" - name: Build JavaScript assests - command: node_modules/.bin/webpack + command: npm run build become_user: "{{ main_user }}" args: chdir: "{{ hubs_code_dir }}/hubs/static/client" From b1d52167f497085464d170c513fd4288272fd94c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 11 Aug 2017 15:23:46 +0000 Subject: [PATCH 21/36] Hubs: create letsencrypt certs --- playbooks/hosts/hubs-dev.fedorainfracloud.org.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index ab46342d19..59a94a9342 100644 --- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -54,12 +54,12 @@ - role: hubs main_user: fedora - hubs_url_hostname: hubs-dev.fedorainfracloud.org + hubs_url_hostname: "{{ ansible_fqdn }}" hubs_secret_key: demotestinghubsmachine hubs_db_type: sqlite hubs_dev_mode: false - hubs_ssl_cert: /etc/letsencrypt/live/hubs-dev.fedorainfracloud.org/cert.pem - hubs_ssl_key: /etc/letsencrypt/live/hubs-dev.fedorainfracloud.org/privkey.pem + hubs_ssl_cert: /etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem + hubs_ssl_key: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem tasks: @@ -76,3 +76,11 @@ - hubs-triage@4 - hubs-worker@3 - hubs-worker@4 + + - name: install python2-certbot-nginx + dnf: name=python2-certbot-nginx state=present + + - name: get the letencrypt cert + command: certbot certonly -n --nginx -d {{ ansible_fqdn }} + args: + creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem From 33a47eb4a908163cb5aa98d3876b8da5bad1607e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Sat, 13 Jan 2018 10:42:11 +0000 Subject: [PATCH 22/36] Fix Hubs SSL config for letsencrypt --- .../hosts/hubs-dev.fedorainfracloud.org.yml | 8 ------- roles/hubs/tasks/webserver.yml | 22 +++++++++---------- 2 files changed, 11 insertions(+), 19 deletions(-) diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index 59a94a9342..6c2215e564 100644 --- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml 
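Review bot: `hubs_secret_key: demotestinghubsmachine` stays in the first hunk as a literal value in a public playbook, on a host that this commit gives a publicly trusted certificate. If the application signs sessions or tokens with that key (presumably, since it is not shown here), anyone who reads the repository knows it. The value should come from the private vars tree instead, for example `hubs_secret_key: "{{ hubs_dev_secret_key }}"`, where that variable name is a placeholder for whatever the private vars file defines. The key should also be rotated, because the current one is already in history.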
+++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -76,11 +76,3 @@ - hubs-triage@4 - hubs-worker@3 - hubs-worker@4 - - - name: install python2-certbot-nginx - dnf: name=python2-certbot-nginx state=present - - - name: get the letencrypt cert - command: certbot certonly -n --nginx -d {{ ansible_fqdn }} - args: - creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem diff --git a/roles/hubs/tasks/webserver.yml b/roles/hubs/tasks/webserver.yml index 3359739aa5..2ef0483419 100644 --- a/roles/hubs/tasks/webserver.yml +++ b/roles/hubs/tasks/webserver.yml @@ -8,17 +8,6 @@ - libsemanage-python -- name: Generate SSL certificate and key - shell: - echo -e "--\nSomeState\nSomeCity\nSomeOrganization\nSomeOrganizationalUnit\nlocalhost.localdomain\nroot@localhost.localdomain" - | openssl req -utf8 -newkey rsa:2048 - -keyout /etc/pki/tls/private/localhost.key - -nodes -x509 -days 365 - -out /etc/pki/tls/certs/localhost.crt - args: - creates: /etc/pki/tls/certs/localhost.crt - - - name: Gunicorn logging configuration copy: src: logging.ini @@ -48,6 +37,17 @@ - restart nginx +- name: install python2-certbot-nginx + dnf: name=python2-certbot-nginx state=present + +- name: get the letencrypt cert + command: certbot certonly -n --nginx -d {{ ansible_fqdn }} + args: + creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem + notify: + - restart nginx + + - name: Nginx proxy configuration copy: src: "{{ item }}" From 749cdd2b3f0a739310710efee315b01ff161b76c Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 13 Jan 2018 10:44:24 +0000 Subject: [PATCH 23/36] Cleanup uunused template Signed-off-by: Patrick Uiterwijk --- .../templates/reversepassproxy.mirrormanager2.conf | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager2.conf 
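Review bot: The `creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem` guard on `get the letencrypt cert` in `roles/hubs/tasks/webserver.yml` makes issuance a one-time step, and nothing in this hunk schedules renewal. If the `certbot` role listed in the playbook does not install a renewal timer or cron job (not visible here), the certificate will expire and nginx will keep serving it. A comment on the task would make the dependency explicit, for example `# renewal is handled by the certbot role; this task only bootstraps the first certificate`. The certificate name and path also come from the `ansible_fqdn` fact, so a host whose self-reported name differs from its public DNS name will request a certificate for the wrong name.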
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager2.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager2.conf deleted file mode 100644 index c805e3de34..0000000000 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager2.conf +++ /dev/null @@ -1,13 +0,0 @@ - -RequestHeader set CP-Location {{remotepath}} -SetEnv force-proxy-request-1.0 1 -SetEnv proxy-nokeepalive 1 - - -{% if env != "staging" %} -ProxyPass "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" -ProxyPassReverse "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" -{% endif %} - -ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} -ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} From 8c05e1685b7351a287e041401f6ad369c6dc6114 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 13 Jan 2018 10:45:07 +0000 Subject: [PATCH 24/36] Extend proxytimeout for admin.fp.o for mirror checkins Signed-off-by: Patrick Uiterwijk --- .../reverseproxy/templates/reversepassproxy.mirrormanager.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager.conf index d2c6dea4e8..9e5341849f 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.mirrormanager.conf @@ -5,6 +5,9 @@ SetEnv proxy-nokeepalive 1 {% if env != "staging" %} +# Checkins are slowish, unfortunately this needs to be on the Server Config level +ProxyTimeout 180 + ProxyPass "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" ProxyPassReverse "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" {% endif %} From d548b86bef07fcaa66d089adc19975487f2fc0f3 Mon Sep 17 00:00:00 2001 
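Review bot: `ProxyTimeout 180` applies to every proxied request in the enclosing server or virtual host, not only to the slow `/mirrormanager/xmlrpc` check-in endpoint the comment describes. Any backend behind this vhost can therefore hold a worker for three minutes before the proxy gives up. If this snippet is included at vhost level, the timeout can be limited to the one route with the worker parameter, `ProxyPass "/mirrormanager/xmlrpc" "http://mm-frontend-checkin01/mirrormanager/xmlrpc" timeout=180`. If it must stay global, the comment should name the other paths affected so the wider change is visible to the next reader.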
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Sat, 13 Jan 2018 10:57:21 +0000 Subject: [PATCH 25/36] Hubs: fix letsencrypt setup --- playbooks/hosts/hubs-dev.fedorainfracloud.org.yml | 2 +- roles/hubs/tasks/webserver.yml | 2 +- roles/hubs/templates/nginx_ssl_params | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index 6c2215e564..4189bee60f 100644 --- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -58,7 +58,7 @@ hubs_secret_key: demotestinghubsmachine hubs_db_type: sqlite hubs_dev_mode: false - hubs_ssl_cert: /etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem + hubs_ssl_cert: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem hubs_ssl_key: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem diff --git a/roles/hubs/tasks/webserver.yml b/roles/hubs/tasks/webserver.yml index 2ef0483419..3db6d340e4 100644 --- a/roles/hubs/tasks/webserver.yml +++ b/roles/hubs/tasks/webserver.yml @@ -41,7 +41,7 @@ dnf: name=python2-certbot-nginx state=present - name: get the letencrypt cert - command: certbot certonly -n --nginx -d {{ ansible_fqdn }} + command: certbot certonly -n --nginx -d {{ ansible_fqdn }} --agree-tos --email admin@fedoraproject.org args: creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem notify: diff --git a/roles/hubs/templates/nginx_ssl_params b/roles/hubs/templates/nginx_ssl_params index c8ab38de24..9a411c4157 100644 --- a/roles/hubs/templates/nginx_ssl_params +++ b/roles/hubs/templates/nginx_ssl_params @@ -1,3 +1,5 @@ ssl on; ssl_certificate {{ hubs_ssl_cert }}; ssl_certificate_key {{ hubs_ssl_key }}; +include /etc/letsencrypt/options-ssl-nginx.conf; +ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; From 69175c9756e4a82ae8512af13ba69478be4690c7 Mon Sep 17 00:00:00 2001 
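Review bot: The context of the hubs-dev playbook hunk shows `hubs_secret_key: demotestinghubsmachine` committed in the playbook, next to `hubs_dev_mode: false` and a publicly trusted certificate for the host. If the application uses that value to sign sessions or tokens (not visible here), anyone who can read the repository can forge them. I would load it from the private vars instead, for example `hubs_secret_key: "{{ <private_var_name> }}"` where the name is a placeholder, and rotate the current value. The vars block starts and ends outside the hunk.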
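Review bot: The two directives added to roles/hubs/templates/nginx_ssl_params make nginx depend on `/etc/letsencrypt/options-ssl-nginx.conf` and `/etc/letsencrypt/ssl-dhparams.pem`, which no task visible in this series creates. Presumably certbot's nginx plugin writes them, but if either is missing nginx fails its configuration test and the `restart nginx` handler leaves the site down. A comment such as `# both files are written by certbot's nginx plugin on first run` would make the dependency explicit, as would a `stat` check before the template is deployed.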
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Sat, 13 Jan 2018 11:03:51 +0000 Subject: [PATCH 26/36] Hubs: add dep on MongoDB --- playbooks/hosts/hubs-dev.fedorainfracloud.org.yml | 1 - roles/hubs/meta/main.yml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 roles/hubs/meta/main.yml diff --git a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml index 4189bee60f..6d1b6265ed 100644 --- a/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml @@ -50,7 +50,6 @@ roles: - basessh - - certbot - role: hubs main_user: fedora diff --git a/roles/hubs/meta/main.yml b/roles/hubs/meta/main.yml new file mode 100644 index 0000000000..a5f89de108 --- /dev/null +++ b/roles/hubs/meta/main.yml @@ -0,0 +1,3 @@ +dependencies: + - certbot + - mongodb From 9ac07ad1b4cb9a4fb3c050a0bdd10d1a5ae967fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Sat, 13 Jan 2018 11:20:07 +0000 Subject: [PATCH 27/36] Hubs: fix some permissions --- roles/hubs/tasks/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/roles/hubs/tasks/main.yml b/roles/hubs/tasks/main.yml index 89fb2f415d..a06608abee 100644 --- a/roles/hubs/tasks/main.yml +++ b/roles/hubs/tasks/main.yml @@ -164,6 +164,20 @@ creates: "{{ hubs_code_dir }}/hubs/static/js/build/common.js" +- name: Fix permissions if necessary + file: + path: "{{ item }}" + state: directory + owner: "{{ main_user }}" + group: "{{ main_user }}" + recurse: yes + #setype: httpd_sys_content_rw_t + with_items: + - "{{ hubs_base_dir }}" + - "{{ hubs_conf_dir }}" + - "{{ hubs_var_dir }}" + + # Services - name: Disable the system-wide fedmsg-hub service: name=fedmsg-hub state=stopped enabled=no From c18ea6b65858647c6e662e773e7a6756d5dd6100 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 13 Jan 2018 13:59:46 +0000 Subject: [PATCH 28/36] Allow mmfrontend-checkin to connect to VPN 
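Review bot: The added `Fix permissions if necessary` task in roles/hubs/tasks/main.yml recursively hands `{{ hubs_base_dir }}` and `{{ hubs_conf_dir }}` to `{{ main_user }}`. If the web application and its workers run as that user (not visible in this hunk), a flaw in the application can rewrite its own code and configuration. I would limit the recursive ownership change to `{{ hubs_var_dir }}` and keep the configuration directory with `owner: root` and `group: "{{ main_user }}"`. The commented-out `#setype: httpd_sys_content_rw_t` should be removed or explained, and `recurse: yes` is better written `recurse: true`. The task file continues outside the hunk.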
Signed-off-by: Patrick Uiterwijk --- .../iptables.mm-frontend-checkin01.phx2.fedoraproject.org | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org b/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org index 34f0500df0..b39fb0ffc5 100644 --- a/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org +++ b/roles/base/templates/iptables/iptables.mm-frontend-checkin01.phx2.fedoraproject.org @@ -46,6 +46,10 @@ -A OUTPUT --dst 10.5.126.51 -p tcp -m tcp --dport 443 -j ACCEPT -A OUTPUT --dst 10.5.126.52 -p tcp -m tcp --dport 443 -j ACCEPT +# Allow VPN access +-A OUTPUT --dst 10.5.126.11 -p udp -m udp --dport 1194 -j ACCEPT +-A OUTPUT --dst 10.5.126.12 -p udp -m udp --dport 1194 -j ACCEPT + # otherwise kick everything out -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited From 190a344f8e5889af812f9c5addbc6180b33b53ba Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 13 Jan 2018 17:02:16 +0000 Subject: [PATCH 29/36] no longer try to sync to mirrorlist servers as they are gone --- .../backend/templates/sync_pkl_to_mirrorlists.sh | 7 ------- 1 file changed, 7 deletions(-) diff --git a/roles/mirrormanager/backend/templates/sync_pkl_to_mirrorlists.sh b/roles/mirrormanager/backend/templates/sync_pkl_to_mirrorlists.sh index 9858bef7c7..dddd94fed9 100644 --- a/roles/mirrormanager/backend/templates/sync_pkl_to_mirrorlists.sh +++ b/roles/mirrormanager/backend/templates/sync_pkl_to_mirrorlists.sh 
@@ -1,12 +1,5 @@ #!/bin/bash -MIRRORLIST_SERVERS="{% for host in groups['mirrorlist2'] %} {{ host }} {% endfor %}" - -for s in ${MIRRORLIST_SERVERS}; do - rsync -az --delete-delay --delay-updates --delete /var/lib/mirrormanager/{*pkl,*txt} ${s}:/var/lib/mirrormanager/ - ssh $s 'kill -HUP $(cat /var/run/mirrormanager/mirrorlist_server.pid)' -done - # sync also to new mirrorlist containers on proxies MIRRORLIST_PROXY="{% for host in groups['mirrorlist-proxies'] %} {{ host }} {% endfor %}" From 5da6f7f4795218e90b8b569121bcbae40b3579f7 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 13 Jan 2018 20:20:36 +0000 Subject: [PATCH 30/36] Fix up fedora repo files. --- files/common/fedora-updates-testing.repo | 2 +- files/common/fedora-updates.repo | 2 +- files/common/fedora.repo | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/files/common/fedora-updates-testing.repo b/files/common/fedora-updates-testing.repo index 5b195dc6a7..c6e1f2cf88 100644 --- a/files/common/fedora-updates-testing.repo +++ b/files/common/fedora-updates-testing.repo @@ -1,7 +1,7 @@ [updates-testing] name=Fedora $releasever - $basearch - Test Updates failovermethod=priority -baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/ +baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/ #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch enabled=0 gpgcheck=1 diff --git a/files/common/fedora-updates.repo b/files/common/fedora-updates.repo index ee6b7c8f4f..1f3959a1e3 100644 --- a/files/common/fedora-updates.repo +++ b/files/common/fedora-updates.repo 
@@ -1,7 +1,7 @@ [updates] name=Fedora $releasever - $basearch - Updates failovermethod=priority -baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/ +baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/ #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch enabled=1 gpgcheck=1 diff --git a/files/common/fedora.repo b/files/common/fedora.repo index 372580acdf..6c32df23d9 100644 --- a/files/common/fedora.repo +++ b/files/common/fedora.repo @@ -1,11 +1,11 @@ [fedora] name=Fedora $releasever - $basearch failovermethod=priority -baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/ +baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/ #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch enabled=1 metadata_expire=7d -gpgcheck=0 +gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch [fedora-debuginfo] From 98a7ec292b9d10b3527aaa575f0427e1991ffe91 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 13 Jan 2018 20:28:24 +0000 Subject: [PATCH 31/36] Allow proxy07 Signed-off-by: Patrick Uiterwijk --- roles/batcave/files/allows | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/batcave/files/allows b/roles/batcave/files/allows index d2efe1f0ea..735b0701ea 100644 --- a/roles/batcave/files/allows +++ b/roles/batcave/files/allows @@ -102,6 +102,9 @@ require ip 8.43.85.67 require ip 8.43.85.68 require ip 8.43.85.69 +# bodhost +require ip 174.141.234.172 + # # We put this at the end because it fails for hosts with no reverse dns From 2938c390671ca5c3346e44daebb29240ca3644e9 Mon Sep 17 00:00:00 2001 
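Review bot: Only the `[fedora]` section of files/common/fedora.repo is switched to `https` and `gpgcheck=1` here. The hunk ends at the `[fedora-debuginfo]` header, so the later sections are not visible and may still carry `http://` base URLs or `gpgcheck=0`. An enabled section left that way would still accept unsigned packages over an unauthenticated channel, so both settings should be confirmed for every section in the file.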
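Review bot: The new entry in roles/batcave/files/allows is labelled `# bodhost` while the commit subject says it allows proxy07, so the file does not record which machine `174.141.234.172` is. For an access allow-list I would name the host in the comment, `# proxy07 (bodhost)`, so the entry can be audited and removed when the host is retired. The list continues outside the hunk.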
From: Kevin Fenzi Date: Sun, 14 Jan 2018 05:01:42 +0000 Subject: [PATCH 32/36] Drop mirrorlists from templates too --- roles/mirrormanager/backend/templates/create_statistics.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/mirrormanager/backend/templates/create_statistics.sh b/roles/mirrormanager/backend/templates/create_statistics.sh index 16ff660167..73200ef0e1 100644 --- a/roles/mirrormanager/backend/templates/create_statistics.sh +++ b/roles/mirrormanager/backend/templates/create_statistics.sh @@ -1,6 +1,5 @@ #!/bin/sh -MIRRORLIST_SERVERS="{% for host in groups['mirrorlist2'] %} {{ host }} {% endfor %}" MIRRORLIST_PROXIES="{% for host in groups['mirrorlist-proxies'] %} {{ host }} {% endfor %}" FRONTENDS="{% for host in groups['mm-frontend'] %} {{ host }} {% endfor %}" @@ -24,10 +23,6 @@ OUTPUT=`mktemp -d` trap "rm -f ${OUTPUT}/*; rmdir ${OUTPUT}" QUIT TERM INT HUP EXIT -# Fetch compressed log files -for s in ${MIRRORLIST_SERVERS}; do - ssh $s "( xzcat $INFILE | gzip -4 )" >> ${OUTPUT}/mirrorlist.log.gz -done for s in ${MIRRORLIST_PROXIES}; do ssh $s "( cat $CONTAINER1 | gzip -4 )" >> ${OUTPUT}/mirrorlist.log.gz ssh $s "( cat $CONTAINER2 | gzip -4 )" >> ${OUTPUT}/mirrorlist.log.gz From e07dc6a07e44dcf3a85e3ac502886e6aa1d75b80 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 Jan 2018 05:31:04 +0000 Subject: [PATCH 33/36] db01 is now on virthost06 --- inventory/host_vars/db01.phx2.fedoraproject.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/host_vars/db01.phx2.fedoraproject.org b/inventory/host_vars/db01.phx2.fedoraproject.org index 1213f16d75..b8342fc30f 100644 --- a/inventory/host_vars/db01.phx2.fedoraproject.org +++ b/inventory/host_vars/db01.phx2.fedoraproject.org 
@@ -4,7 +4,7 @@ gw: 10.5.126.254 dns: 10.5.126.21 volgroup: /dev/vg_guests eth0_ip: 10.5.126.71 -vmhost: virthost02.phx2.fedoraproject.org +vmhost: virthost06.phx2.fedoraproject.org datacenter: phx2 ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 From 302cee73a972fb409786d749da7fdde95867222b Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 Jan 2018 05:32:44 +0000 Subject: [PATCH 34/36] 8 cpus for proxy06 since the vh is so slow --- inventory/host_vars/proxy06.fedoraproject.org | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory/host_vars/proxy06.fedoraproject.org b/inventory/host_vars/proxy06.fedoraproject.org index ca26c6cab7..b1bfff95d6 100644 --- a/inventory/host_vars/proxy06.fedoraproject.org +++ b/inventory/host_vars/proxy06.fedoraproject.org @@ -24,3 +24,4 @@ postfix_group: vpn nrpe_procs_warn: 1200 nrpe_procs_crit: 1400 vpn: true +num_cpus: 8 From 8748b547a2ccb8b2ab1cf24b895b25c79450b31a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 14 Jan 2018 20:51:06 +0000 Subject: [PATCH 35/36] give buildvm-01.stg some more oomph --- inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org b/inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org index a458007591..bb31af05bd 100644 --- a/inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/buildvm-01.stg.phx2.fedoraproject.org @@ -2,3 +2,8 @@ vmhost: virthost04.phx2.fedoraproject.org eth0_ip: 10.5.128.84 gw: 10.5.128.254 + +# Override these from the stg group because we need more mem/cpus to do compose channel stuff. +mem_size: 15360 +max_mem_size: "{{ mem_size }}" +num_cpus: 6 From 44eed62fad0b38835250603be42825aa2c7111fd Mon Sep 17 00:00:00 2001 From: Tim Flink Date: Mon, 15 Jan 2018 14:31:45 +0000 Subject: [PATCH 36/36] using db-qa02.qa for public resultsdb dumps --- scripts/public-db-copy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/scripts/public-db-copy b/scripts/public-db-copy index 6bfd9a99d2..3dad0f1ab1 100755 --- a/scripts/public-db-copy +++ b/scripts/public-db-copy @@ -16,5 +16,5 @@ scp db01.phx2.fedoraproject.org:/backups/mailman-$(date +%F).dump.xz /srv/web/in scp db01.phx2.fedoraproject.org:/backups/mbs-$(date +%F).dump.xz /srv/web/infra/db-dumps/mbs.dump.xz scp db01.phx2.fedoraproject.org:/backups/odcs-$(date +%F).dump.xz /srv/web/infra/db-dumps/odcs.dump.xz scp db01.phx2.fedoraproject.org:/backups/hyperkitty-$(date +%F).dump.xz /srv/web/infra/db-dumps/hyperkitty.dump.xz -scp db-qa01.qa.fedoraproject.org:/backups/resultsdb-$(date +%F).dump.xz /srv/web/infra/db-dumps/resultsdb.dump.xz +scp db-qa02.qa.fedoraproject.org:/backups/resultsdb-$(date +%F).dump.xz /srv/web/infra/db-dumps/resultsdb.dump.xz scp db01.phx2.fedoraproject.org:/backups/waiverdb-$(date +%F).dump.xz /srv/web/infra/db-dumps/waiverdb.dump.xz