allow log01 to get logs from proxies and other hosts. fix both iptables and rsyncd

Stephen Smoogen 2020-06-12 11:01:08 -04:00
parent dc92c9d924
commit f65a48aa61
22 changed files with 55 additions and 59 deletions


@ -15,7 +15,7 @@ wsgi_threads: 2
tcp_ports: [ 80 ] tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-badges,sysadmin-veteran fas_client_groups: sysadmin-noc,sysadmin-badges,sysadmin-veteran
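Review bot: The log01 source address is written as a literal inside `custom_rules` here and, in the same form, in every other group-vars section on this page that carries the "rsync from log01" rule, so each renumbering means editing every copy, and a file that is missed keeps accepting port 873 from an address log01 no longer owns. Defining the address once and referencing it keeps the allow-list tied to the host, e.g. `'-A INPUT -p tcp -m tcp -s {{ log01_ip }} --dport 873 -j ACCEPT'`, where `log01_ip` is a placeholder name for a variable set in one shared vars file (assuming `custom_rules` is rendered through the templating engine as usual). The comment above the rule is also misspelled in most of these files; `# Needed for rsync from log01 for logs.` is the intended text.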


@ -6,7 +6,7 @@ num_cpus: 10
tcp_ports: [ 80, 443, 8442, 8443 ] tcp_ports: [ 80, 443, 8442, 8443 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar,sysadmin-gnome,sysadmin-copr,sysadmin-osbs,sysadmin-odcs fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-cvs,sysadmin-main,sysadmin-web,sysadmin-noc,sysadmin-hosted,sysadmin-releng,sysadmin-qa,sysadmin-tools,sysadmin-cloud,sysadmin-bot,sysadmin-centos,sysadmin-koschei,sysadmin-datanommer,sysadmin-fedimg,fi-apprentice,sysadmin-badges,sysadmin-mbs,sysadmin-veteran,sysadmin-coreos,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-fpdc,sysadmin-messaging,sysadmin-libravatar,sysadmin-gnome,sysadmin-copr,sysadmin-osbs,sysadmin-odcs


@ -10,6 +10,6 @@ num_cpus: 2
tcp_ports: [ 80, 443 ] tcp_ports: [ 80, 443 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-main fas_client_groups: sysadmin-main


@ -10,7 +10,7 @@ num_cpus: 2
tcp_ports: [ 80, 443, 6996 ] tcp_ports: [ 80, 443, 6996 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
] ]


@ -13,7 +13,7 @@ tcp_ports: [ 80, 443,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran


@ -15,7 +15,7 @@ wsgi_threads: 2
tcp_ports: [ 80 ] tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-veteran fas_client_groups: sysadmin-noc,sysadmin-veteran


@ -15,7 +15,7 @@ wsgi_threads: 1
tcp_ports: [ 80 ] tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-veteran fas_client_groups: sysadmin-noc,sysadmin-veteran


@ -7,7 +7,7 @@ num_cpus: 16
custom_rules: [ custom_rules: [
# Need for rsync from log01 for logs. # Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
] ]


@ -14,7 +14,7 @@ wsgi_threads: 2
tcp_ports: [ 80 ] tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-mbs,sysadmin-veteran fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-mbs,sysadmin-veteran


@ -28,7 +28,7 @@ virt_install_command: "{{ virt_install_command_two_nic }}"
nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3" nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran


@ -23,7 +23,7 @@ tcp_ports: [
udp_ports: [ 111 ] udp_ports: [ 111 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran fas_client_groups: sysadmin-noc,sysadmin-releng,sysadmin-odcs,sysadmin-veteran


@ -13,7 +13,7 @@ tcp_ports: [ 80, 443,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015] 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-packages fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-veteran,sysadmin-packages


@ -41,7 +41,7 @@ tcp_ports: [
] ]
custom_rules: [ custom_rules: [
# Need for rsync from log01 for logs. # Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',


@ -16,11 +16,11 @@ tcp_ports: [ 80, 443,
custom_rules: [ custom_rules: [
# Needed for rsync from log01 for logs. # Needed for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
# Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here # Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here
'-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.10 --dport 5050 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5050 -j ACCEPT',
# batcave01 also needs access to announce commits. # batcave01 also needs access to announce commits.
'-A INPUT -p tcp -m tcp -s 192.168.20.41 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.20.41 --dport 5050 -j ACCEPT',


@ -18,7 +18,7 @@ tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs. # Neeed for rsync from log01 for logs.
custom_rules: [ custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
] ]


@ -30,8 +30,8 @@
# FIXME - this is the global nat-ip and we need the noc01-specific ip # FIXME - this is the global nat-ip and we need the noc01-specific ip
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 10.3.163.10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 10.3.166.10 -j ACCEPT
{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %} {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %}
# #
@ -41,7 +41,7 @@
# production we have marked 'staging-friendly' that we do allow staging to talk to for # production we have marked 'staging-friendly' that we do allow staging to talk to for
# mostly read-only data they need. # mostly read-only data they need.
# #
-A INPUT -s 10.5.128.0/24 -j REJECT --reject-with icmp-host-prohibited
{% endif %} {% endif %}
{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %} {% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
@ -90,7 +90,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
# nagios # nagios
-A INPUT -p tcp -m tcp --dport {{ port }} --src 10.5.126.41 -j ACCEPT -A INPUT -p tcp -m tcp --dport {{ port }} --src 10.3.163.10 -j ACCEPT
{% endfor %} {% endfor %}
{% endif %} {% endif %}
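Review bot: The staging-isolation rule `-A INPUT -s 10.5.128.0/24 -j REJECT --reject-with icmp-host-prohibited` in the `@ -41,7 +41,7` hunk is printed on one side only, so this page does not show whether it was dropped or rewritten, and the guard around it still tests `datacenter == 'phx2'` while every other address in the commit moves to 10.3.x. If hosts at the new site carry a different `datacenter` value, the block stops rendering and production hosts lose the REJECT for staging sources without any error. The condition and the subnet should be updated together, e.g. `-A INPUT -s <NEW_STAGING_SUBNET> -j REJECT --reject-with icmp-host-prohibited` with the placeholder taken from the network plan, and the rendered ruleset on one production host checked for that line. The `{% if %}` that opens the block sits at the end of the previous hunk.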


@ -74,8 +74,6 @@
-A OUTPUT -p tcp -m tcp -d 10.3.169.104 --dport 22 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.3.169.104 --dport 22 -j ACCEPT
{% endif %} {% endif %}
# http to pull sources from pkgs lookaside
#-A OUTPUT -m tcp -p tcp --dport 80 -d 10.5.125.44 -j ACCEPT
# https git on pagure.io # https git on pagure.io
-A OUTPUT -p tcp -m tcp -d 8.43.85.75 --dport 443 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 8.43.85.75 --dport 443 -j ACCEPT


@ -24,8 +24,8 @@
# FIXME - this is the global nat-ip and we need the noc01-specific ip # FIXME - this is the global nat-ip and we need the noc01-specific ip
-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 5666 -j ACCEPT -A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT -A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5666 -j ACCEPT -A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5666 -j ACCEPT -A INPUT -p tcp -m tcp -s 10.3.166.10 --dport 5666 -j ACCEPT
# if the blocked_ips is defined - drop them # if the blocked_ips is defined - drop them
{% if blocked_ips is defined %} {% if blocked_ips is defined %}
@ -43,10 +43,8 @@
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow all netapp traffic # Allow all netapp traffic
-A INPUT -p udp -m udp -s 10.5.88.36 -j ACCEPT -A INPUT -p udp -m udp -s 10.3.162.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.88.36 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.88.41 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.88.41 -j ACCEPT
# Custom Services # Custom Services
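Review bot: The netapp allowance in the `@ -43,10 +43,8` hunk is widened from two individual hosts to `-s 10.3.162.0/24` with no `--dport`, so every address in that /24 can reach any UDP port on hosts that use this template. If the filers have fixed addresses, one rule per filer keeps the previous host-level scope, e.g. `-A INPUT -p udp -m udp -s <NETAPP_IP> -j ACCEPT` (placeholder address). As rendered here, only the UDP rule is visible on the new side although the old side had a TCP rule per host; it is worth confirming whether the TCP rules were dropped on purpose, and scoping any replacement the same way.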


@ -13,4 +13,4 @@ path = /var/log
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.13 192.168.1.59 10.3.163.39 hosts allow = 192.168.1.59 10.3.163.39


@ -13,7 +13,7 @@ path = /var/log
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.13 192.168.1.59 hosts allow = 10.3.163.39 192.168.1.59
[people-repos] [people-repos]
comment = repos.fedorapeople.org content comment = repos.fedorapeople.org content


@ -12,7 +12,7 @@ path = /var/log
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.13 192.168.1.59 10.3.163.39 hosts allow = 10.3.163.39 192.168.1.59
[docs-old] [docs-old]
comment = Old Docs Site comment = Old Docs Site
@ -20,7 +20,7 @@ path = /srv/web/docs-old
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[docs] [docs]
comment = Docs Site comment = Docs Site
@ -28,7 +28,7 @@ path = /srv/docs
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[membership-map] [membership-map]
comment = Ambassadors Membership Map comment = Ambassadors Membership Map
@ -36,7 +36,7 @@ path = /srv/web/membership-map
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[review-stats] [review-stats]
comment = Package Review Stats comment = Package Review Stats
@ -44,7 +44,7 @@ path = /srv/web/review-stats
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[gather-easyfix] [gather-easyfix]
comment = Gather easyfix available in Fedora comment = Gather easyfix available in Fedora
@ -52,7 +52,7 @@ path = /srv/web/easyfix
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[fedoraproject.org] [fedoraproject.org]
comment = fedoraproject.org comment = fedoraproject.org
@ -60,7 +60,7 @@ path = /srv/web/fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[spins.fedoraproject.org] [spins.fedoraproject.org]
comment = spins.fedoraproject.org comment = spins.fedoraproject.org
@ -68,7 +68,7 @@ path = /srv/web/spins.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[talk.fedoraproject.org] [talk.fedoraproject.org]
comment = talk.fedoraproject.org comment = talk.fedoraproject.org
@ -76,7 +76,7 @@ path = /srv/web/talk.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[start.fedoraproject.org] [start.fedoraproject.org]
comment = start.fedoraproject.org comment = start.fedoraproject.org
@ -84,7 +84,7 @@ path = /srv/web/start.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[mirrors.fedoraproject.org] [mirrors.fedoraproject.org]
comment = mirrors.fedoraproject.org comment = mirrors.fedoraproject.org
@ -92,7 +92,7 @@ path = /srv/web/mirrors.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[fedoracommunity.org] [fedoracommunity.org]
comment = fedoracommunity.org comment = fedoracommunity.org
@ -100,7 +100,7 @@ path = /srv/web/fedoracommunity.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[fudcon.fedoraproject.org] [fudcon.fedoraproject.org]
comment = fudcon.fedoraproject.org comment = fudcon.fedoraproject.org
@ -108,7 +108,7 @@ path = /srv/web/fudcon.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[flocktofedora.org] [flocktofedora.org]
comment = flocktofedora.org comment = flocktofedora.org
@ -116,7 +116,7 @@ path = /srv/web/flocktofedora.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[getfedora.org] [getfedora.org]
comment = getfedora.org comment = getfedora.org
@ -124,7 +124,7 @@ path = /srv/websites/getfedora.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[labs.fedoraproject.org] [labs.fedoraproject.org]
comment = labs.fedoraproject.org comment = labs.fedoraproject.org
@ -132,7 +132,7 @@ path = /srv/web/labs.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[budget.fedoraproject.org] [budget.fedoraproject.org]
comment = budget.fedoraproject.org comment = budget.fedoraproject.org
@ -140,7 +140,7 @@ path = /srv/web/budget.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[arm.fedoraproject.org] [arm.fedoraproject.org]
comment = arm.fedoraproject.org comment = arm.fedoraproject.org
@ -148,7 +148,7 @@ path = /srv/web/arm.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[iot.fedoraproject.org] [iot.fedoraproject.org]
comment = iot.fedoraproject.org comment = iot.fedoraproject.org
@ -156,7 +156,7 @@ path = /srv/web/iot.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[developer.fedoraproject.org] [developer.fedoraproject.org]
comment = developer.fedoraproject.org comment = developer.fedoraproject.org
@ -164,7 +164,7 @@ path = /srv/web/developer.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[codecs.fedoraproject.org] [codecs.fedoraproject.org]
comment = codecs.fedoraproject.org comment = codecs.fedoraproject.org
@ -172,7 +172,7 @@ path = /srv/web/codecs.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[alt.fedoraproject.org] [alt.fedoraproject.org]
comment = alt.fedoraproject.org comment = alt.fedoraproject.org
@ -180,7 +180,7 @@ path = /srv/web/alt.fedoraproject.org
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[fmw] [fmw]
comment = fmw comment = fmw
@ -188,7 +188,7 @@ path = /srv/web/fmw
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[registry-signatures] [registry-signatures]
comment = registry-signatures comment = registry-signatures
@ -196,7 +196,7 @@ path = /srv/web/registry-signatures
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[registry-index] [registry-index]
comment = registry-index comment = registry-index
@ -204,7 +204,7 @@ path = /var/lib/reg-server/static/
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[regindexer] [regindexer]
comment = regindexer comment = regindexer
@ -212,7 +212,7 @@ path = /var/lib/regindexer/
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
[docs-redirects] [docs-redirects]
comment = Docs Site Redirects comment = Docs Site Redirects
@ -220,4 +220,4 @@ path = /srv/web/docs-redirects
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0 10.5.128.0/255.255.255.0 10.3.160.0/255.255.224.0 hosts allow = 10.3.160.0/255.255.224.0
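Review bot: Every content module from `[docs-old]` down has its `hosts allow` reduced to the single range `10.3.160.0/255.255.224.0`, which drops `192.168.0.0/255.255.0.0` even though the log module in the first hunk keeps `192.168.1.59`. If any client still pulls these modules across the 192.168.x network, rsyncd will refuse it after this change, so that removal should be confirmed as intended. The remaining range is a /19 (10.3.160.0 to 10.3.191.255) and admits every host numbered inside it, with source address as the only check on these modules. A comment above the first module, such as `# 10.3.160.0/19 = <SITE> internal networks; VPN clients intentionally excluded`, would let the next reviewer verify the scope.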


@ -172,5 +172,5 @@ refuse options = checksum
uid = root uid = root
gid = root gid = root
read only = yes read only = yes
hosts allow = 10.5.126.13 hosts allow = 10.3.163.39
list = no list = no