
1 commit

Author SHA1 Message Date
Pierre-Yves Chibon
8fc4efe824 Add first work on the easyfix role
This still requires some work:
- It has no playbook
- It is missing the proxy bits
   - configuration of the proxies themselves
   - cron job copying the files from the app running the cron job onto
     the proxies
2014-03-03 17:55:03 +01:00
5050 changed files with 32260 additions and 419905 deletions


@ -1,68 +0,0 @@
---
# .ansible-lint
# exclude_paths included in this file are parsed relative to this file's location
# and not relative to the CWD of execution. CLI arguments passed to the --exclude
# option will be parsed relative to the CWD of execution.
exclude_paths:
- .cache/ # implicit unless exclude_paths is defined in config
- cache_plugins
- callback_plugins
- files
- filter_plugins
- handlers
- library
- scripts
# Ignore playbooks with strange error happening in <unicode string>
- playbooks/groups/copr-db.yml
# Some playbooks contains hardcoded paths, so exclude them from check
- playbooks/list-vms-per-host.yml
- playbooks/set_root_auth_keys.yml
- playbooks/update-proxy-dns.yml
- playbooks/update_ticketkey.yml
- playbooks/vhost_reboot.yml
- playbooks/vhost_update_reboot.yml
# parseable: true
# quiet: true
# verbosity: 1
# Mock modules or roles in order to pass ansible-playbook --syntax-check
mock_modules:
- include_playbook
# - zuul_return
# # note the foo.bar is invalid as being neither a module or a collection
# - fake_namespace.fake_collection.fake_module
# - fake_namespace.fake_collection.fake_module.fake_submodule
mock_roles:
- linux-system-roles.network
use_default_rules: true
# Load custom rules from this specific folder
# rulesdir:
# - ./rule/directory/
# Offline mode disables installation of requirements.yml
offline: true
# Define required Ansible's variables to satisfy syntax check
extra_vars:
target: localhost
vhost: localhost
# multiline_string_variable: |
# line1
# line2
# complex_variable: ":{;\t$()"
# List of additional kind:pattern to be added at the top of the default
# match list, first match determines the file kind.
kinds:
# - playbook: "**/examples/*.{yml,yaml}"
# - galaxy: "**/folder/galaxy.yml"
- tasks: "**/tasks/*.yml"
- vars: "**/vars/*.yml"
# - meta: "**/meta/main.yml"
- yaml: "**/*.yaml-too"
skip_list:
- yaml
- role-name[path]
- var-naming[no-role-prefix]

3
.gitignore vendored

@ -1,5 +1,2 @@
*.swp
*.pyc
# emacs projectile
.projectile


@ -1,5 +0,0 @@
Rick Elrod <relrod@redhat.com> <codeblock@fedoraproject.org>
Rick Elrod <relrod@redhat.com> Ricky Elrod
Rick Elrod <relrod@redhat.com> Ricky Elrod <codeblock@lockbox01.phx2.fedoraproject.org>
# ... others go here ...


@ -1,22 +0,0 @@
---
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
repos:
# - repo: https://github.com/pre-commit/pre-commit-hooks
# rev: v3.2.0
# hooks:
# - id: trailing-whitespace
# - id: end-of-file-fixer
# - id: check-yaml
# - id: check-added-large-files
- repo: https://github.com/adrienverge/yamllint
rev: v1.35.1
hooks:
- id: yamllint
# - repo: https://github.com/ansible/ansible-lint
# rev: v24.12.1
# hooks:
# - id: ansible-lint


@ -1,26 +0,0 @@
---
extends: default
rules:
comments:
min-spaces-from-content: 1
level: error
comments-indentation: false
braces:
max-spaces-inside: 1
document-start:
level: error
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
indentation:
spaces: 2
indent-sequences: whatever
level: warning
line-length: disable
# line-length:
# max: 100
# level: warning
truthy:
allowed-values: ['true', 'false', 'yes', 'no']
...


@ -1,6 +0,0 @@
---
- project:
check:
jobs:
- fi-ansible-lint-diff
- fi-yamllint-diff


@ -9,7 +9,7 @@ Playbook naming
===============
The top level playbooks directory should contain:
* Playbooks that are generic and used by several groups/hosts playbooks
* Playbooks that are generic and used by serveral groups/hosts playbooks
* Playbooks used for utility purposes from command line
* Groups and Hosts subdirs.
@ -23,7 +23,7 @@ specific function. Examples: host update, vhost update, vhost reboot.
The playbooks/groups/ directory should contain one playbook per
group. This should be used in the case of multiple machines/instances
in a group. MUST include a hosts entry that describes the hosts in the group.
Examples: packages, proxy, virthost, etc.
Examples: packages, proxy, unbound, virthost, etc.
Try and be descriptive with the name here.
The playbooks/hosts/ directory should contain one playbook per 'host'
@ -95,7 +95,7 @@ We would like to get ansible running over hosts in an automated way.
A git hook could do this.
* On commit:
If we have a way to determine exactly what hosts are affected by a
If we have a way to detemine exactly what hosts are affected by a
change we could simply run only on those hosts.
We might want a short delay (10m) to allow someone to see a problem

1
README

@ -1 +0,0 @@
README.md

245
README Normal file

@ -0,0 +1,245 @@
== ansible repository/structure ==
files - files and templates for use in playbooks/tasks
- subdirs for specific tasks/dirs highly recommended
inventory - where the inventory and additional vars is stored
- All files in this directory in ini format
- added together for total inventory
group_vars:
- per group variables set here in a file per group
host_vars:
- per host variables set here in a file per host
library - library of custom local ansible modules
playbooks - collections of plays we want to run on systems
tasks - snippets of tasks that should be included in plays
roles - specific roles to be use in playbooks.
Each role has it's own files/templates/vars
== Paths ==
public path for everything is:
/srv/web/infra/ansible
private path - which is sysadmin-main accessible only is:
/srv/private/ansible
In general to run any ansible playbook you will want to run:
sudo -i ansible-playbook /path/to/playbook.yml
== Cloud information ==
cloud instances:
to startup a new cloud instance and configure for basic server use run (as
root):
el6:
sudo -i ansible-playbook /srv/web/infra/ansible/playbooks/el6_temp_instance.yml
f19:
sudo -i ansible-playbook /srv/web/infra/ansible/playbooks/f19_temp_instance.yml
The -i is important - ansible's tools need access to root's sshagent as well
as the cloud credentials to run the above playbooks successfully.
This will setup a new instance, provision it and email sysadmin-main that
the instance was created, it's instance id (for terminating it, attaching
volumes, etc) and it's ip address.
You will then be able to login, as root.
You can add various extra vars to the above commands to change the instance
you've just spun up.
variables to define:
instance_type=c1.medium
security_group=default
root_auth_users='username1 username2 @groupname'
hostbase=basename for hostname - will have instance id appended to it
define these with:
--extra-vars="varname=value varname1=value varname2=value"
Name Memory_MB Disk VCPUs
m1.tiny 512 0 1
m1.small 2048 20 1
m1.medium 4096 40 2
m1.large 8192 80 4
m1.xlarge 16384 160 8
m1.builder 5120 50 3
Setting up a new persistent cloud host:
1. select an ip:
source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
euca-describe-addresses
- pick an ip from the list that is not assigned anywhere
- add it into dns - normally in the cloud.fedoraproject.org but it doesn't
have to be
2. If needed create a persistent storage disk for the instance:
source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
euca-create-volume -z nova -s <size in gigabytes>
3. set up the host/ip in ansible host inventory
- add to ansible/inventory/inventory under [persistent-cloud]
- either the ip itself or the hostname you want to refer to it as
4. setup the host_vars
- create file named by the hostname or ip you used in the inventory
- for adding persistent volumes add an entry like this into the host_vars file
volumes: ['-d /dev/vdb vol-BCA33FCD', '-d /dev/vdc vol-DC833F48']
for each volume you want to attach to the instance.
The device names matter - they start at /dev/vdb and increment. However,
they are not reliable IN the instance. You should find the device, partition
it, format it and label the formatted device then mount the device by label
or by UUID. Do not count on the device name being the same each time.
Contents should look like this (remove all the comments)
---
# 2cpus, 3GB of ram 20GB of ephemeral space
instance_type: m1.large
# image id
image: emi-B8793915
keypair: fedora-admin
# what security group to add the host to
security_group: webserver
zone: fedoracloud
# instance id will be appended
hostbase: hostname_base-
# ip should be in the 209.132.184.XXX range
public_ip: $ip_you_selected
# users/groups who should have root ssh access
root_auth_users: skvidal bkabrda
description: some description so someone else can know what this is
The available images can be found by running::
source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
euca-describe-images | grep ami
4. setup a host playbook ansible/playbooks/hosts/$YOUR_HOSTNAME_HERE.yml
Note: the name of this file doesn't really matter but it should normally
be the hostname of the host you're setting up.
- name: check/create instance
hosts: $YOUR_HOSTNAME/IP HERE
user: root
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
tasks:
- include: "{{ tasks }}/persistent_cloud.yml"
- name: provision instance
hosts: $YOUR_HOSTNAME/IP HERE
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars//{{ ansible_distribution }}.yml
tasks:
- include: "{{ tasks }}/cloud_setup_basic.yml
# fill in other actions/includes/etc here
handlers:
- include: "{{ handlers }}/restart_services.yml
5. add/commit the above to the git repo and push your changes
6. set it up:
sudo -i ansible-playbook /srv/web/infra/ansible/playbooks/hosts/$YOUR_HOSTNAME_HERE.yml
7. login, etc
You should be able to run that playbook over and over again safely, it will
only setup/create a new instance if the ip is not up/responding.
SECURITY GROUPS
- to edit security groups you must either have your own cloud account or
be a member of sysadmin-main
This gives you the credential to change things in the persistent tenant
- source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
This lists all security groups in that tenant:
- euca-describe-groups | grep GROUP
the output will look like this:
euca-describe-groups | grep GROU
GROUP d4e664a10e2c4210839150be09c46e5e default default
GROUP d4e664a10e2c4210839150be09c46e5e jenkins jenkins instance group
GROUP d4e664a10e2c4210839150be09c46e5e logstash logstash security group
GROUP d4e664a10e2c4210839150be09c46e5e smtpserver list server group. needs web and smtp
GROUP d4e664a10e2c4210839150be09c46e5e webserver webserver security group
GROUP d4e664a10e2c4210839150be09c46e5e wideopen wideopen
This lets you list the rules in a specific group:
- euca-describe-group groupname
the output will look like this:
euca-describe-group wideopen
GROUP d4e664a10e2c4210839150be09c46e5e wideopen wideopen
PERMISSION d4e664a10e2c4210839150be09c46e5e wideopen ALLOWS tcp 1 65535 FROM CIDR 0.0.0.0/0
PERMISSION d4e664a10e2c4210839150be09c46e5e wideopen ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
To create a new group:
euca-create-group -d "group description here" groupname
To add a rule to a group:
euca-authorize -P tcp -p 22 groupname
euca-authorize -P icmp -t -1:-1 groupname
To delete a rule from a group:
euca-revoke -P tcp -p 22 groupname
Notes:
- Be careful removing or adding rules to existing groups b/c you could be
impacting other instances using that security group.
- You will almost always want to allow 22/tcp (sshd) and icmp -1 -1 (ping
and traceroute and friends).
TERMINATING INSTANCES
For transient:
1. source /srv/private/ansible/files/openstack/transient-admin/ec2rc.sh
- OR -
For persistent:
1. source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
2. euca-describe-instances | grep <ip of your instance>
3. euca-terminate-instances <the id, something like i-00000295>

143
README.md

@ -1,143 +0,0 @@
Fedora Infrastructure
=====================
Welcome! This is the Fedora Infrastructure Ansible Pagure project.
Pull requests and forks can be made against this repository hosted
at https://pagure.io/fedora-infra/ansible
This repository is also mirrored for production runs to
https://infrastructure.fedoraproject.org/infra/ansible/
but this is the working repository where changes are made.
If you would like to help out with Fedora Infrastructure, see:
* https://docs.fedoraproject.org/en-US/infra/gettingstarted/
* https://docs.fedoraproject.org/en-US/infra/apprentice/
Ansible repository/structure
----------------------------
```
files - files and templates for use in playbooks/tasks
- subdirs for specific tasks/dirs highly recommended
inventory - where the inventory and additional vars is stored
- All files in this directory in ini format
- added together for total inventory
group_vars:
- per group variables set here in a file per group
host_vars:
- per host variables set here in a file per host
library - library of custom local ansible modules
playbooks - collections of plays we want to run on systems
groups: groups of hosts configured from one playbook.
hosts: playbooks for single hosts.
manual: playbooks that are only run manually by an admin as needed.
tasks - snippets of tasks that should be included in plays
roles - specific roles to be use in playbooks.
Each role has it's own files/templates/vars
filter_plugins - Jinja filters
main.yml - This is the main playbook, consisting of all
current group and host playbooks. Note that the
daily cron doesn't run this, it runs even over
playbooks that are not yet included in main.
This playbook is usefull for making changes over
multiple groups/hosts usually with -t (tag).
```
Paths
-----
The public path on batcave01 (our control host) for everything is `/srv/web/infra/ansible`
The private path on batcave01 (our control host) (which is sysadmin-main accessible only)
is `/srv/private/ansible`
In general to run any ansible playbook you will want to run:
```
sudo -i ansible-playbook /path/to/playbook.yml
```
(On batcave01, our control host)
Scheduled check-diff
--------------------
Every night a cron job runs over all playbooks under `playbooks/{groups}{hosts}`
with `ansible --check --diff`. A report from this is sent to sysadmin-logs.
In the ideal state this report would be empty.
Idempotency
-----------
All playbooks should be idempotent. Ie, if run once they should bring the
machine(s) to the desired state, and if run again N times after that they should
make 0 changes (because the machine(s) are in the desired state).
Please make sure your playbooks are idempotent.
Can be run anytime
------------------
When a playbook or change is checked into ansible you should assume
that it could be run at ***ANY TIME***. Always make sure the checked in state
is the desired state. Always test changes when they land so they don't
surprise you later.
Contributing and Licensing
--------------------------
Contributions to this repository are subject to the Fedora Project
Contributor Agreement. If no license is specified, the MIT license is used, otherwise
the contribution is under the specified acceptable Fedora License.
See https://docs.fedoraproject.org/en-US/legal/fpca/
for more information.
Contributing Pull Requests
--------------------------
If found a way to improve this repository or fix an issue found in our
infrastructure tracker (see https://pagure.io/fedora-infrastructure/issues)
open a pull-request.
You either should have capability to run the playbooks after they have been reviewed,
and merged or find the person responsible and work with them to make sure the changes
will be aplied afterwards.
We are currently working on a simple to use list of Point Of Contanct people for the applications
here, untill it is done, you can, look at people that recently edited the ansible files,
or if you belong to sysadmin group, view the /etc/ansible_utils/rbac.yaml located on batcave01,
where you can see the groups of people that have capabilities to run the relevant playbooks.
For example, to upgrade Release Monitoring, you need to run playbook openshift-apps/release-monitoring.yaml.
People in sysadmin-releasemonitoring have that capability, and you cand find the members in https://accounts.fedoraproject.org/group/sysadmin-releasemonitoring/
If the application in question is not on the critical path it should be sufficient,
if person responsible for the application reviews the PR.
If the files in question are on the critical path, that are necessary for functioning packager workflow,
at least two different people should review the PR.
If there is any risk at all, that the application of the changes would induce downtime,
work closely with other to ensure that the downtime is properly scheduled:
- there is an issue in https://pagure.io/fedora-infrastructure/issues specifying the downtime
- there is an email sent to the devel-list
- https://status.fedoraproject.org is updated (see https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/status-fedora/)
Applications on critical path: pagure, mirrormanager, toddlers, bodhi, noggin, mdapi, rpmautospec,
pagure-dist-git, mirror_from_pagure, fedora-messaging, dist-git, PDC/FPDC, FMN, sigul
robosignatory, tag2distrepo, ci-resultsdb-listener, stylo, mirrorlist
resultsdb, Nagios, koschei, wiki / mediawiki, wiki / moin, waiverdb,
greenwave, ODCS, Mailman3 / HK, mailman 2, OSBS, pungi, koji, MBS,
IPA, rabbitmq, geoip,ipsilon


@ -1,20 +0,0 @@
infrastructure ansible style guide
==================================
* Use 'yml' instead of 'yaml'
* do add '.j2' to the end of templates
* in general let readablity trump grepability, i.e.:
DONT:
- name: This is some play
module: name=thing arg=thing2 anotherlongerarg=thing arg4=anodheranth
DO:
- name: This is some play
module:
- name: thing
- arg: thing2
..etc

17
TODO Normal file

@ -0,0 +1,17 @@
- make it easy to run playbooks against cloud instances w/o modifying
inventory or changing host entries in playbooks
- define standards for:
- playbook naming
- play naming
- hosts or service or groups for talking to sets of systems
- tags:
- config
- service
- initonly
- figure out how and where we are going to run these from cron
- merge in tasks/playbooks/inventory/etc from:
- builders


@ -0,0 +1,86 @@
# (C) 2012, Michael DeHaan, <michael.dehaan@gmail.com>
# based on the log_plays example
# skvidal@fedoraproject.org
# rbean@redhat.com
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
import os
import pwd
import fedmsg
import fedmsg.config
def getlogin():
try:
user = os.getlogin()
except OSError, e:
user = pwd.getpwuid(os.geteuid())[0]
return user
class CallbackModule(object):
""" Publish playbook starts and stops to fedmsg. """
playbook = None
def __init__(self):
config = fedmsg.config.load_config()
config.update(dict(
name='relay_inbound',
cert_prefix='shell',
active=True,
))
fedmsg.init(**config)
def playbook_on_play_start(self, pattern):
# This gets called once for each play.. but we just issue a message once
# for the first one. One per "playbook"
play = getattr(self, 'play', None)
if play:
# figure out where the playbook FILE is
path = os.path.abspath(play.playbook.filename)
# Bail out early without publishing if we're in --check mode
if play.playbook.check:
return
if not self.playbook:
fedmsg.publish(
modname="ansible", topic="playbook.start",
msg=dict(
playbook=path,
userid=getlogin(),
extra_vars=play.playbook.extra_vars,
inventory=play.playbook.inventory.host_list,
playbook_checksum=play.playbook.check,
check=play.playbook.check,
),
)
self.playbook = path
def playbook_on_stats(self, stats):
if not self.playbook:
return
results = dict([(h, stats.summarize(h)) for h in stats.processed])
fedmsg.publish(
modname="ansible", topic="playbook.complete",
msg=dict(
playbook=self.playbook,
userid=getlogin(),
results=results,
),
)
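Review bot: In `playbook_on_play_start` the published message sets `playbook_checksum=play.playbook.check`, so the checksum field carries the check-mode flag rather than a digest of the playbook file; because the function returns early when `play.playbook.check` is set, that value is always falsy by the time it is published. If a digest is what consumers expect, `playbook_checksum=utils.md5(path),` together with `from ansible import utils` would match what the logdetail callback on this page records. The same message also sends `extra_vars=play.playbook.extra_vars` to the message bus unfiltered, and values passed with --extra-vars can include passwords or tokens. Assuming it is a dict, publishing only the names (`extra_vars=sorted(play.playbook.extra_vars.keys()),`) or dropping the field would keep those values off the bus unless every consumer is meant to see them.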


@ -1,137 +0,0 @@
# (C) 2012, Michael DeHaan, <michael.dehaan@gmail.com>
# based on the log_plays example
# skvidal@fedoraproject.org
# rbean@redhat.com
# karsten@redhat.com changes for fedora-messaging
# abompard@redhat.com changes to adapt to ansible's specific python
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
import json
import logging
import os
import pwd
import uuid
from subprocess import run, PIPE, STDOUT
from tempfile import NamedTemporaryFile
try:
from ansible.plugins.callback import CallbackBase
except ImportError:
# Ansible v1 compat
CallbackBase = object
try:
from ansible.utils.hashing import secure_hash
except ImportError:
from ansible.utils import md5 as secure_hash
LOGGER = logging.getLogger(__name__)
FEDORA_MESSAGING_CONF = "/etc/fedora-messaging/batcave-messaging.toml"
def getlogin():
try:
user = os.getlogin()
except OSError:
user = pwd.getpwuid(os.geteuid())[0]
return user
def send_message(msg):
msg["id"] = str(uuid.uuid4())
msg["headers"] = {
"fedora_messaging_schema": "base.message",
"fedora_messaging_severity": 20,
}
env = os.environ.copy()
env["FEDORA_MESSAGING_CONF"] = FEDORA_MESSAGING_CONF
with NamedTemporaryFile(mode="w+", buffering=1) as msg_file:
json.dump(msg, msg_file)
msg_file.write("\n")
result = run(
["fedora-messaging", "publish", msg_file.name],
stdout=PIPE, stderr=STDOUT, text=True, env=env,
)
if result.returncode > 0:
LOGGER.warning(f"Fedora Messaging plugin failed: {result.stdout}")
print(f"Fedora Messaging plugin failed: {result.stdout}")
class CallbackModule(CallbackBase):
""" Publish playbook starts and stops to fedora_messaging. """
CALLBACK_NAME = "fedora_messaging_callback"
CALLBACK_TYPE = "notification"
CALLBACK_VERSION = 2.0
CALLBACK_NEEDS_WHITELIST = True
playbook_path = None
def __init__(self):
self.play = None
self.playbook = None
super(CallbackModule, self).__init__()
def set_play_context(self, play_context):
self.play_context = play_context
def v2_playbook_on_start(self, playbook):
self.playbook = playbook
def v2_playbook_on_play_start(self, play):
# This gets called once for each play.. but we just issue a message once
# for the first one. One per "playbook"
if not self.playbook:
return
# figure out where the playbook FILE is
path = os.path.abspath(self.playbook._file_name)
# Bail out early without publishing if we're in --check mode
if self.play_context.check_mode:
return
# Only publish on playbook start
if self.playbook_path:
return
msg = {
"topic": "ansible.playbook.start",
"body": {
'playbook': path,
'userid': getlogin(),
'extra_vars': play._variable_manager.extra_vars,
'inventory': play._variable_manager._inventory._sources,
'playbook_checksum': secure_hash(path),
'check': self.play_context.check_mode
},
}
send_message(msg)
self.playbook_path = path
def v2_playbook_on_stats(self, stats):
if not self.playbook_path:
return
results = dict([(h, stats.summarize(h)) for h in stats.processed])
msg = {
"topic": "ansible.playbook.complete",
"body": {
'playbook': self.playbook_path,
'userid': getlogin(),
'results': results
},
}
send_message(msg)


@ -15,68 +15,37 @@
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Make coding more python3-ish
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = r'''
callback: logdetail
callback_type: notification
short_description: Logs playbook results, per date, playbook and host.
description: Logs playbook results, per date, playbook and host, in I(log_path).
options:
log_path:
description: The path where log files will be created.
default: /var/log/ansible
ini:
- section: callback_logdetail
key: log_path
env:
- name: ANSIBLE_LOGDETAIL_PATH
'''
import os
import time
import json
import pwd
import gzip
from ansible import utils
try:
from ansible.utils.hashing import secure_hash
except ImportError:
from ansible.utils import md5 as secure_hash
TIME_FORMAT="%b %d %Y %H:%M:%S"
try:
from ansible.plugins.callback import CallbackBase
except ImportError:
# Ansible v1 compat
CallbackBase = object
TIME_FORMAT = "%b %d %Y %H:%M:%S"
MSG_FORMAT = "%(now)s\t%(count)s\t%(category)s\t%(name)s\t%(data)s\n"
MSG_FORMAT="%(now)s\t%(count)s\t%(category)s\t%(name)s\t%(data)s\n"
LOG_PATH = '/var/log/ansible'
def getlogin():
try:
user = os.getlogin()
except OSError:
except OSError, e:
user = pwd.getpwuid(os.geteuid())[0]
return user
class LogMech(object):
def __init__(self, logpath):
def __init__(self):
self.started = time.time()
self.pid = str(os.getpid())
self._pb_fn = None
self._last_task_start = None
self.play_info = {}
self.logpath = logpath
self.logpath = LOG_PATH
if not os.path.exists(self.logpath):
try:
os.makedirs(self.logpath, mode=0o750)
except OSError as e:
os.makedirs(self.logpath, mode=0750)
except OSError, e:
if e.errno != 17:
raise
@ -97,13 +66,13 @@ class LogMech(object):
def logpath_play(self):
# this is all to get our path to look nice ish
tstamp = time.strftime('%Y/%m/%d/%H.%M.%S', time.localtime(self.started))
path = os.path.normpath(self.logpath + '/' + self.playbook_id + '/' + tstamp + '/')
path = os.path.normpath(self.logpath + '/' + self.playbook_id + '/' + tstamp + '/')
if not os.path.exists(path):
try:
os.makedirs(path)
except OSError as e:
if e.errno != 17: # if it is not dir exists then raise it up
except OSError, e:
if e.errno != 17: # if it is not dir exists then raise it up
raise
return path
@ -119,11 +88,11 @@ class LogMech(object):
def task_to_json(self, task):
res = {}
res['task_name'] = task.name
res['task_module'] = task.action
res['task_args'] = task.args
res['task_module'] = task.module_name
res['task_args'] = task.module_args
if self.playbook_id == 'ansible-cmd':
res['task_userid'] = getlogin()
for k in ("delegate_to", "environment", "with_first_found",
for k in ("delegate_to", "environment", "first_available_file",
"local_action", "notified_by", "notify",
"register", "sudo", "sudo_user", "tags",
"transport", "when"):
@ -138,21 +107,22 @@ class LogMech(object):
host = 'HOSTMISSING'
if type(data) == dict:
name = data.get('module_name', None)
name = data.get('module_name',None)
else:
name = "unknown"
# we're in setup - move the invocation info up one level
if 'invocation' in data:
invoc = data['invocation']
if not name and 'module_name' in invoc:
name = invoc['module_name']
# don't add this since it can often contain complete passwords :(
#don't add this since it can often contain complete passwords :(
del(data['invocation'])
if task:
name = task._name
name = task.name
data['task_start'] = self._last_task_start
data['task_end'] = time.time()
data.update(self.task_to_json(task))
@ -165,99 +135,119 @@ class LogMech(object):
if self.play_info.get('check', False) and self.play_info.get('diff', False):
category = 'CHECK_DIFF:' + category
elif self.play_info.get('check', False):
elif self.play_info.get('check', False):
category = 'CHECK:' + category
# Sometimes this is None.. othertimes it's fine. Othertimes it has
# trailing whitespace that kills logview. Strip that, when possible.
if name:
name = name.strip()
sanitize_host = host.replace(' ', '_').replace('>', '-')
fd = gzip.open(self.logpath_play + '/' + sanitize_host + '.log.gz', 'at')
fd = open(self.logpath_play + '/' + host + '.log', 'a')
now = time.strftime(TIME_FORMAT, time.localtime())
fd.write(MSG_FORMAT % dict(now=now, name=name, count=count, category=category, data=json.dumps(data)))
fd.close()
class CallbackModule(CallbackBase):
logmech = LogMech()
class CallbackModule(object):
"""
logs playbook results, per host, in /var/log/ansible/hosts
"""
CALLBACK_NAME = 'logdetail'
CALLBACK_TYPE = 'notification'
CALLBACK_VERSION = 2.0
CALLBACK_NEEDS_WHITELIST = True
def __init__(self):
self._task_count = 0
self._play_count = 0
self.task = None
self.playbook = None
super(CallbackModule, self).__init__()
self.set_options()
self.logmech = LogMech(self.get_option('log_path'))
def on_any(self, *args, **kwargs):
pass
def set_play_context(self, play_context):
self.play_context = play_context
def v2_runner_on_failed(self, result, ignore_errors=False):
def runner_on_failed(self, host, res, ignore_errors=False):
category = 'FAILED'
self.logmech.log(result._host.get_name(), category, result._result, self.task, self._task_count)
task = getattr(self,'task', None)
logmech.log(host, category, res, task, self._task_count)
def v2_runner_on_ok(self, result):
def runner_on_ok(self, host, res):
category = 'OK'
self.logmech.log(result._host.get_name(), category, result._result, self.task, self._task_count)
task = getattr(self,'task', None)
logmech.log(host, category, res, task, self._task_count)
def v2_runner_on_skipped(self, result):
def runner_on_error(self, host, res):
category = 'ERROR'
task = getattr(self,'task', None)
logmech.log(host, category, res, task, self._task_count)
def runner_on_skipped(self, host, item=None):
category = 'SKIPPED'
task = getattr(self,'task', None)
res = {}
res['item'] = self._get_item_label(getattr(result._result, 'results', {}))
self.logmech.log(result._host.get_name(), category, res, self.task, self._task_count)
res['item'] = item
logmech.log(host, category, res, task, self._task_count)
def v2_runner_on_unreachable(self, result):
def runner_on_unreachable(self, host, output):
category = 'UNREACHABLE'
task = getattr(self,'task', None)
res = {}
res['output'] = result._result
self.logmech.log(result._host.get_name(), category, res, self.task, self._task_count)
res['output'] = output
logmech.log(host, category, res, task, self._task_count)
def v2_runner_on_async_failed(self, result):
def runner_on_no_hosts(self):
pass
def runner_on_async_poll(self, host, res, jid, clock):
pass
def runner_on_async_ok(self, host, res, jid):
pass
def runner_on_async_failed(self, host, res, jid):
category = 'ASYNC_FAILED'
self.logmech.log(result._host.get_name(), category, result._result, self.task, self._task_count)
task = getattr(self,'task', None)
logmech.log(host, category, res, task, self._task_count)
def v2_playbook_on_start(self, playbook):
self.playbook = playbook
def playbook_on_start(self):
pass
def v2_playbook_on_task_start(self, task, is_conditional):
self.task = task
if self.task:
self.task._name = task.get_name().strip()
self.logmech._last_task_start = time.time()
def playbook_on_notify(self, host, handler):
pass
def playbook_on_no_hosts_matched(self):
pass
def playbook_on_no_hosts_remaining(self):
pass
def playbook_on_task_start(self, name, is_conditional):
logmech._last_task_start = time.time()
self._task_count += 1
def v2_playbook_on_setup(self):
self._task_count += 1
def playbook_on_vars_prompt(self, varname, private=True, prompt=None, encrypt=None, confirm=False, salt_size=None, salt=None, default=None):
pass
def v2_playbook_on_import_for_host(self, result, imported_file):
def playbook_on_setup(self):
self._task_count += 1
pass
def playbook_on_import_for_host(self, host, imported_file):
task = getattr(self,'task', None)
res = {}
res['imported_file'] = imported_file
self.logmech.log(result._host.get_name(), 'IMPORTED', res, self.task)
logmech.log(host, 'IMPORTED', res, task)
def v2_playbook_on_not_import_for_host(self, result, missing_file):
def playbook_on_not_import_for_host(self, host, missing_file):
task = getattr(self,'task', None)
res = {}
res['missing_file'] = missing_file
self.logmech.log(result._host.get_name(), 'NOTIMPORTED', res, self.task)
logmech.log(host, 'NOTIMPORTED', res, task)
def v2_playbook_on_play_start(self, play):
def playbook_on_play_start(self, pattern):
self._task_count = 0
play = getattr(self, 'play', None)
if play:
# figure out where the playbook FILE is
path = os.path.abspath(self.playbook._file_name)
path = os.path.abspath(play.playbook.filename)
# tel the logger what the playbook is
self.logmech.playbook_id = path
logmech.playbook_id = path
# if play count == 0
# write out playbook info now
@ -266,35 +256,33 @@ class CallbackModule(CallbackBase):
pb_info['playbook_start'] = time.time()
pb_info['playbook'] = path
pb_info['userid'] = getlogin()
pb_info['extra_vars'] = play._variable_manager.extra_vars
pb_info['inventory'] = play._variable_manager._inventory._sources
pb_info['playbook_checksum'] = secure_hash(path)
if hasattr(self, "play_context"):
pb_info['check'] = self.play_context.check_mode
pb_info['diff'] = self.play_context.diff
self.logmech.play_log(json.dumps(pb_info, indent=4))
pb_info['extra_vars'] = play.playbook.extra_vars
pb_info['inventory'] = play.playbook.inventory.host_list
pb_info['playbook_checksum'] = utils.md5(path)
pb_info['check'] = play.playbook.check
pb_info['diff'] = play.playbook.diff
logmech.play_log(json.dumps(pb_info, indent=4))
self._play_count += 1
# then write per-play info that doesn't duplcate the playbook info
info = {}
info['play'] = play.name
info['hosts'] = play.hosts
info['transport'] = play.transport
info['number'] = self._play_count
if hasattr(self, "play_context"):
info['transport'] = str(self.play_context.connection)
info['check'] = self.play_context.check_mode
info['diff'] = self.play_context.diff
self.logmech.play_info = info
try:
self.logmech.play_log(json.dumps(info, indent=4))
except TypeError:
print(("Failed to conver to JSON:", info))
info['check'] = play.playbook.check
info['diff'] = play.playbook.diff
logmech.play_info = info
logmech.play_log(json.dumps(info, indent=4))
def v2_playbook_on_stats(self, stats):
def playbook_on_stats(self, stats):
results = {}
for host in list(stats.processed.keys()):
for host in stats.processed.keys():
results[host] = stats.summarize(host)
self.logmech.log(host, 'STATS', results[host])
self.logmech.play_log(json.dumps({'stats': results}, indent=4))
self.logmech.play_log(json.dumps({'playbook_end': time.time()}, indent=4))
print(('logs written to: %s' % self.logmech.logpath_play))
logmech.log(host, 'STATS', results[host])
logmech.play_log(json.dumps({'stats': results}, indent=4))
logmech.play_log(json.dumps({'playbook_end': time.time()}, indent=4))
print 'logs written to: %s' % logmech.logpath_play


@ -0,0 +1,21 @@
pam_url:
{
settings:
{
url = "https://fas-all.phx2.fedoraproject.org:8443/"; # URI to fetch
returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
userfield = "user"; # userfield name to send
passwdfield = "token"; # passwdfield name to send
extradata = "&do=login"; # extradata to send
prompt = "Password+Token: "; # password prompt
};
ssl:
{
verify_peer = true; # Should we verify SSL ?
verify_host = true; # Should we verify the CN in the SSL cert?
client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
};
};

27
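--- a/files/2fa/pam_url.conf.j2
+++ b/files/2fa/pam_url.conf.j2
@@ -0,0 +1,27 @@
+pam_url:
+{
+settings:
+{
+{% if env == 'staging' %}
+url = "https://fas-all.stg.phx2.fedoraproject.org:8443/"; # URI to fetch
+{% elif datacenter == 'phx2' %}
+url = "https://fas-all.phx2.fedoraproject.org:8443/"; # URI to fetch
+{% else %}
+url = "https://fas-all.vpn.fedoraproject.org:8443/"; # URI to fetch
+{% endif %}
+returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
+userfield = "user"; # userfield name to send
+passwdfield = "token"; # passwdfield name to send
+extradata = "&do=login"; # extradata to send
+prompt = "Password+Token: "; # password prompt
+};
+ssl:
+{
+verify_peer = true; # Should we verify SSL ?
+verify_host = true; # Should we verify the CN in the SSL cert?
+client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
+};
+};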


@ -0,0 +1,21 @@
pam_url:
{
settings:
{
url = "https://fas-all.stg.phx2.fedoraproject.org:8443/"; # URI to fetch
returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
userfield = "user"; # userfield name to send
passwdfield = "token"; # passwdfield name to send
extradata = "&do=login"; # extradata to send
prompt = "Password+Token: "; # password prompt
};
ssl:
{
verify_peer = true; # Should we verify SSL ?
verify_host = true; # Should we verify the CN in the SSL cert?
client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
};
};


@ -0,0 +1,21 @@
pam_url:
{
settings:
{
url = "https://fas-all.vpn.fedoraproject.org:8443/"; # URI to fetch
returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
userfield = "user"; # userfield name to send
passwdfield = "token"; # passwdfield name to send
extradata = "&do=login"; # extradata to send
prompt = "Password+Token: "; # password prompt
};
ssl:
{
verify_peer = true; # Should we verify SSL ?
verify_host = true; # Should we verify the CN in the SSL cert?
client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
};
};

11
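--- a/files/2fa/sudo.pam
+++ b/files/2fa/sudo.pam
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth required pam_env.so
+auth sufficient pam_url.so config=/etc/pam_url.conf
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth required pam_deny.so
+auth include system-auth
+account include system-auth
+password include system-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so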
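Review bot: `auth include system-auth` can never contribute to a successful login here, because the unconditional `auth required pam_deny.so` just above it already fails the stack whenever `pam_url.so` did not return success. As written, sudo authentication depends entirely on the remote service configured in `/etc/pam_url.conf`, so an outage of that service locks out sudo on the host. If that fail-closed behaviour is intended, drop the dead include and say so in a comment, e.g. `# 2FA only: no local password fallback; sudo fails closed if the token service is unreachable`. The `uid >= 500` threshold also looks tied to older UID_MIN defaults and is worth confirming against the target hosts.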


@ -0,0 +1,6 @@
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

6
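--- a/files/artboard/artboard-backup
+++ b/files/artboard/artboard-backup
@@ -0,0 +1,6 @@
+#!/bin/sh
+SNAPSHOTTIME=$(date +"%m-%d-%Y")
+cd /srv/persist
+echo "Snapshot taken $SNAPSHOTTIME.\n" >> /var/www/html/artboard/artboard-backup-summary.log
+tar -zcvf "artboard-backup.tar.gz" artboard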
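Review bot: The `cd /srv/persist` on the third line is unchecked, so if that directory is missing the `tar` on the last line archives whatever `artboard` entry exists in the job's starting directory, or fails after the log already claims success; `cd /srv/persist || exit 1` closes that. The summary line is appended before the archive is created, so it records a snapshot even when `tar` fails; I would run `tar` first and log only on success, `tar -zcvf "artboard-backup.tar.gz" artboard && printf 'Snapshot taken %s.\n' "$SNAPSHOTTIME" >> /var/www/html/artboard/artboard-backup-summary.log`. `printf` also avoids the `\n` inside `echo`, which some `/bin/sh` implementations print literally. The log lives under the web root, so confirm it is meant to be publicly readable.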


@ -0,0 +1,9 @@
<Directory "/var/www/html/artboard">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
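Review bot: `Options Indexes` together with `AllowOverride All` is broader than a content directory usually needs: `Indexes` publishes a listing of every file in `/var/www/html/artboard` wherever no index page exists, and `AllowOverride All` lets any `.htaccess` placed in the tree change server behaviour. Unless the application relies on both, I would use `Options FollowSymLinks` and limit overrides to what it actually needs, e.g. `AllowOverride FileInfo`. `Order allow,deny` / `Allow from all` is the httpd 2.2 syntax; hosts on 2.4 need `Require all granted` instead.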


@ -0,0 +1,2 @@
RedirectMatch "^/$" /artboard/


@ -1,87 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:GetBucketObjectLockConfiguration",
"s3:DeleteBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:HeadBucket",
"s3:DeleteObject",
"s3:GetBucketPolicyStatus",
"s3:GetObjectRetention",
"s3:GetBucketWebsite",
"s3:ListJobs",
"s3:PutReplicationConfiguration",
"s3:PutObjectLegalHold",
"s3:GetObjectLegalHold",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:DescribeJob",
"s3:PutBucketLogging",
"s3:GetAnalyticsConfiguration",
"s3:PutBucketObjectLockConfiguration",
"s3:GetObjectVersionForReplication",
"s3:CreateJob",
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:RestoreObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:GetBucketRequestPayment",
"s3:UpdateJobPriority",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:PutMetricsConfiguration",
"s3:UpdateJobStatus",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:GetObjectTorrent",
"s3:GetAccountPublicAccessBlock",
"s3:PutBucketWebsite",
"s3:ListAllMyBuckets",
"s3:PutBucketRequestPayment",
"s3:PutObjectRetention",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "209.132.181.102/32"
}
}
}
]
}


@ -1,23 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:PutObjectAcl",
"Resource": [
"arn:aws:s3:::fcos-builds/*",
"arn:aws:s3:::fcos-builds"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::fcos-builds/*",
"arn:aws:s3:::fcos-builds"
]
}
]
}


@ -1,44 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:ImportVolume",
"ec2:CreateTags",
"ec2:RegisterImage",
"ec2:DeregisterImage",
"ec2:CancelConversionTask",
"ec2:CreateSnapshot",
"ec2:ImportSnapshot",
"ec2:CancelImportTask",
"ec2:DeleteSnapshot",
"ec2:CopyImage",
"ec2:DescribeImageAttribute",
"ec2:ModifyImageAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeImportSnapshotTasks",
"ec2:DescribeImages",
"ec2:DeleteVolume",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVolumes",
"ec2:DescribeRegions",
"ec2:DescribeConversionTasks",
"ec2:DescribeTags"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*::image/*"
]
}
]
}


@ -1,51 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDescription",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"iam:PassRole",
"iam:ListInstanceProfiles",
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowWhenOwnerOrUntagged",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": {
"StringEqualsIfExists": {
"ec2:ResourceTag/FedoraGroup": [
"centos"
]
}
},
"Resource": [
"arn:aws:ec2:*:*:capacity-reservation/*",
"arn:aws:ec2:*:*:elasticGpu/*",
"arn:aws:ec2:*::fpga-image/*",
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:reserved-instances/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*::spot-instance-request/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:subnet/*"
]
}
]
}


@ -1,51 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDescription",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"iam:PassRole",
"iam:ListInstanceProfiles",
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowWhenOwnerOrUntagged",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": {
"StringEqualsIfExists": {
"ec2:ResourceTag/FedoraGroup": [
"copr"
]
}
},
"Resource": [
"arn:aws:ec2:*:*:capacity-reservation/*",
"arn:aws:ec2:*:*:elasticGpu/*",
"arn:aws:ec2:*::fpga-image/*",
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:reserved-instances/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*::spot-instance-request/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:subnet/*"
]
}
]
}


@ -1,45 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"iam:PassRole",
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"iam:ListInstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:elasticGpu/*",
"arn:aws:ec2:*:*:reserved-instances/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:capacity-reservation/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::spot-instance-request/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::fpga-image/*",
"arn:aws:ec2:*::image/*"
],
"Condition": {
"StringEqualsIfExists": {
"ec2:ResourceTag/FedoraGroup": "infra"
}
}
}
]
}


@ -1,36 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WriteToTestBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketPublicAccessBlock",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetBucketTagging",
"s3:GetObjectTagging",
"s3:ListBucket",
"s3:GetBucketAcl",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::*/*",
"arn:aws:s3:::robosig-dev-fcos-builds"
]
},
{
"Sid": "ReadFromProdBucket",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*/*",
"arn:aws:s3:::fcos-builds"
]
}
]
}


@ -1,29 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)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=hdPa
-----END PGP PUBLIC KEY BLOCK-----


@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=84m8
-----END PGP PUBLIC KEY BLOCK-----


@ -1,29 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=Mjs/
-----END PGP PUBLIC KEY BLOCK-----


@ -1,30 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFfZrzsBEADGLYtUW4YZNKSq/bawWYSg3Z8OAD3amoWx9BTdiBjWyIn7PzBQ
g/Y2QpTj9Sylhi4ZDqcP6eikrC2bqZdBeJyOAHSkV6Nvt+D/ijHOViEsSg+OwHmC
9axbsNHI+WKYPR7GBb40/hu7miHTOWd7puuJ000nyeHckicSHNYb+KxwoN9TTyON
utqTtzUb1v0f+GZ2E3XHCa/SgHG+syFbKhFiPRqSmwuhESgz7JIPx9UPz/pkg/rA
qHILJDt5PGaxhRNcK4rOVhpIBxTdjyYvtkCzlMr8ZaLqlQx2B5Ub9osYSv7CwQD5
tJTb9ed/p5HKuT9JEDSgtxV2yy6bxEMkBjlD5m4ISnOnZ8GGjPl434FdufusIwDX
vFUQDH5BSGV1xUcoCoNAMY+CUCoUaTBkv5PqLOgsCirSImvXhSCFBT1VVb2sPhuG
J6q9Nk18+i2sMtjflM9PzCblMe7C1gySiuH4q+hvB6IDnYirLLy0ctBvr3siY4hY
lTydy+4z7UuquLv02t5Zbw9jxqX1LEyiMvUppx5XgGyQ0cGQpkRHXRzQqI6bjUny
e8Ub2sfjidjqRWyycY4F7KGG/DeKE3UeclDjFlA+CTvgu88RGgzTMZym5NxgjgfJ
PYj+etPXth3PNzxd8FAC4tWP5b6kEVVJ2Oxiy6Z8dYQJVsAVP110bo/MFwARAQAB
tEBGZWRvcmEgSW5mcmFzdHJ1Y3R1cmUgKGluZnJhc3RydWN0dXJlKSA8YWRtaW5A
ZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMBAgAiBQJX2a87AhsPBgsJCAcDAgYVCAIJ
CgsEFgIDAQIeAQIXgAAKCRCAWYFeR92O+RbAD/9QzUyyoDPvPjlxn341BdT1iG3s
BvKjNOAtQkHeDzRQ0rBXG40yoTjQ+s4X+3aNumy4C+xeGqUiFMcBED/5EdahWcXm
5dqEAysTpiWOaamVfvQaNuBZjKP6GXXUeAVvkEVXggTI18tpNR/xFqfvHMCYuRUJ
QERNDtEPweQn9U3ewr7VOIrF8OnxVEQe9xOPKnGr0yD22NHz5hCiIKXwt34I7m9j
IlKMETTUflmERzzzwWp9CwmwU2o+g9hILqtvLFV/9TDSiWTvr2Ynj/hlNZPG8MhB
K73S8oQADP/ogmwYkK3cx06CkaSEiQciAkpL4v7GzWfw3hTScIxbf/R5YU5i5qHj
N+XJRLoW4AdNRAtrJ1KsLrFhFso9o7cfUlGGDPOwwQu3etoY3t0vViXYanOJrXqA
DaHZ7Ynj7V5KNB97xbjohT+YiApBV1jmMbydAMhNxo2ZlAC9hmlDEwD9L9CSPt1s
PvjcY20/RjVrm62vmXI/Sqa1zPjjYaxceEZzDIcxVDAneeeAdV99zHRDjZLqucux
GGJWwUNyxnuA7ZNdD3ZQBJlefOCT4Tg2Yj2ssH6PdGBoWS2gibnGdUsc/LhIaES4
afRLHVbHRu1HJ3s7pAgxNRY5Cjc5GEqdvm+5LOt/usyyaUwds0cJp55KKovsqZ1v
+h4JFKdsC+6/ZUHRQQ==
=MNfm
-----END PGP PUBLIC KEY BLOCK-----


@ -1,13 +0,0 @@
[epel]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/10/Everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-10
[epel-testing]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/testing/10/Everything/$basearch/
enabled=0
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-10

13
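--- a/files/common/epel6.repo
+++ b/files/common/epel6.repo
@@ -0,0 +1,13 @@
+[epel]
+name=Extras Packages for Enterprise Linux $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/6/$basearch/
+enabled=1
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6
+[epel-testing]
+name=Extras Packages for Enterprise Linux $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/testing/6/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6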
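Review bot: Both `gpgkey=` lines fetch the signing key over plain HTTP, so `gpgcheck=1` only proves that packages match whatever key the host received on first import, and a key altered in transit would go unnoticed. Use `gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6`, or point at a key file shipped with the host. The `baseurl=http://` lines have the related problem that repository metadata is unauthenticated in transit, so they should take `https://` as well. The same `http://` baseurls appear on the new side of the updates-testing, updates and fedora repo sections further down this page, and the same change applies there.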


@ -1,20 +0,0 @@
[epel]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/7/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
[epel-testing]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/testing/7/$basearch/
enabled=0
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
[epel-beta]
name=Extras Packages for Enterprise Linux beta $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/beta/7/$basearch/
enabled=0
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7


@ -1,13 +0,0 @@
[epel]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/8/Everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
[epel-testing]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/testing/8/Everything/$basearch/
enabled=0
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8


@ -1,13 +0,0 @@
[epel]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/9/Everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
[epel-testing]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/pub/epel/testing/9/Everything/$basearch/
enabled=0
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9


@ -1,6 +0,0 @@
[infrastructure-tags-stg]
name=Fedora Infrastructure staging tag $releasever - $basearch
baseurl=https://kojipkgs.fedoraproject.org/repos-dist/f$releasever-infra-stg/latest/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS


@ -1,6 +0,0 @@
[infrastructure-tags]
name=Fedora Infrastructure tag $releasever - $basearch
baseurl=https://kojipkgs.fedoraproject.org/repos-dist/f$releasever-infra/latest/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS


@ -1,10 +1,7 @@
[updates-testing]
name=Fedora $releasever - $basearch - Test Updates
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/Everything/$basearch/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/$basearch/
{% endif %}
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
@ -12,11 +9,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-testing-debuginfo]
name=Fedora $releasever - $basearch - Test Updates Debug
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/Everything/$basearch/debug/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/$basearch/debug/
{% endif %}
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
@ -24,11 +18,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-testing-source]
name=Fedora $releasever - Test Updates Source
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/Everything/SRPMS/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/SRPMS/
{% endif %}
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
enabled=0
gpgcheck=1


@ -0,0 +1,26 @@
[updates-testing]
name=Fedora $releasever - $basearch - Test Updates
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
[updates-testing-debuginfo]
name=Fedora $releasever - $basearch - Test Updates Debug
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/$basearch/debug/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
[updates-testing-source]
name=Fedora $releasever - Test Updates Source
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/SRPMS/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch


@ -1,35 +0,0 @@
[updates-testing]
name=Fedora $releasever - $basearch - Test Updates
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/$basearch/
{% endif %}
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-testing-debuginfo]
name=Fedora $releasever - $basearch - Test Updates Debug
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/Everything/$basearch/debug/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/$basearch/debug/
{% endif %}
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-testing-source]
name=Fedora $releasever - Test Updates Source
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/Everything/SRPMS/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/SRPMS/
{% endif %}
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch


@ -1,10 +1,7 @@
[updates]
name=Fedora $releasever - $basearch - Updates
{% if ansible_distribution_major_version|int > 27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/Everything/$basearch/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/$basearch/
{% endif %}
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
@ -12,11 +9,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-debuginfo]
name=Fedora $releasever - $basearch - Updates - Debug
{% if ansible_distribution_major_version|int > 27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/Everything/$basearch/debug/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/$basearch/debug/
{% endif %}
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/debug/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
@ -24,11 +18,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-source]
name=Fedora $releasever - Updates Source
{% if ansible_distribution_major_version|int > 27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/Everything/SRPMS/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/SRPMS/
{% endif %}
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/SRPMS/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
enabled=0
gpgcheck=1


@ -0,0 +1,26 @@
[updates]
name=Fedora $releasever - $basearch - Updates
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
[updates-debuginfo]
name=Fedora $releasever - $basearch - Updates - Debug
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/$basearch/debug/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
[updates-source]
name=Fedora $releasever - Updates Source
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/updates/$releasever/SRPMS/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch


@ -1,35 +0,0 @@
[updates]
name=Fedora $releasever - $basearch - Updates
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/Everything/$basearch/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/$basearch/
{% endif %}
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-debuginfo]
name=Fedora $releasever - $basearch - Updates - Debug
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/Everything/$basearch/debug/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/$basearch/debug/
{% endif %}
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-source]
name=Fedora $releasever - Updates Source
{% if ansible_distribution_major_version|int >27 %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/SRPMS/
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/Everything/SRPMS/
{% endif %}
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch


@ -1,24 +1,18 @@
[fedora]
name=Fedora $releasever - $basearch
{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int ) %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/releases/$releasever/Everything/$basearch/os/
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
{% endif %}
enabled=1
metadata_expire=7d
gpgcheck=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int ) %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/releases/$releasever/Everything/$basearch/debug/tree/
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/debug/tree/
{% endif %}
enabled=0
metadata_expire=7d
gpgcheck=1
@ -26,12 +20,9 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[fedora-source]
name=Fedora $releasever - Source
{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched|int is defined else FedoraRawhideNumber|int ) %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/releases/$releasever/Everything/source/tree/
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/source/SRPMS/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/source/tree
{% endif %}
enabled=0
metadata_expire=7d
gpgcheck=1
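Review bot: The enabled `[fedora]` stanza ends up with `gpgcheck=0` next to a plain `http://` `baseurl`, so base-repository packages would be installed with neither signature verification nor transport integrity. This assumes the `http://` and `gpgcheck=0` lines are the new side of the section, since the `+`/`-` markers are lost in this rendering. Keep `gpgcheck=1` there, as the `[fedora-debuginfo]` and `[fedora-source]` stanzas do, and keep the `https://infrastructure.fedoraproject.org/...` form of each `baseurl`. The same `gpgcheck=0` plus `http://` pair appears in the `[fedora]` stanza of the newly added fedora-secondary repo file in the next section.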


@ -0,0 +1,29 @@
[fedora]
name=Fedora $releasever - $basearch
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
metadata_expire=7d
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/debug/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
[fedora-source]
name=Fedora $releasever - Source
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/source/SRPMS/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch


@ -1,39 +0,0 @@
[fedora]
name=Fedora $releasever - $basearch
{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int ) %}
baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/releases/$releasever/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
{% endif %}
enabled=1
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int ) %}
baseurl=http://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/releases/$releasever/Everything/$basearch/debug/tree/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/debug/tree/
{% endif %}
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[fedora-source]
name=Fedora $releasever - Source
{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int ) %}
baseurl=http://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/releases/$releasever/Everything/source/tree/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
{% else %}
baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/source/tree/
{% endif %}
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch


@ -1,7 +1,7 @@
[infrastructure-testing]
name=Extras Packages from Fedora Infrastructure $releasever - $basearch - Testing
baseurl=https://infrastructure.fedoraproject.org/repo/testing/$releasever/$basearch/
baseurl=http://infrastructure.fedoraproject.org/repo/testing/$releasever/$basearch/
enabled=0
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
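Review bot: `gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE` fetches the signing key itself over plaintext, so `gpgcheck=1` only proves that packages match whatever key the network path delivered at import time. This assumes the `http://` lines are the new side of the section (the `+`/`-` markers are lost in this rendering). Keep `gpgkey=https://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE` and the `https://` `baseurl`, or reference a locally installed key with a `file:///etc/pki/rpm-gpg/...` path as the Fedora repo files on this page do. The `[infrastructure]` repo file in the next section has the same `http://` `gpgkey` and `baseurl`.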


@ -1,6 +1,6 @@
[infrastructure]
name=Extras Packages from Fedora Infrastructure $releasever - $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/$releasever/$basearch/
baseurl=http://infrastructure.fedoraproject.org/repo/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE


@ -1,15 +0,0 @@
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_succeed_if.so user ingroup mock use_uid quiet
account sufficient pam_succeed_if.so user ingroup packager use_uid quiet
auth sufficient pam_succeed_if.so user ingroup packager use_uid quiet
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so user ingroup mock use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so


@ -1,38 +0,0 @@
#!/bin/sh
# do_flush() flushes every active network interface. It is intended to
# run before NetworkManager starts, so that when it does it will be able
# to set up the network using the regular host configuration.
do_flush() {
for f in /sys/class/net/*; do
iface="${f##*/}"
[ "${iface}" = "lo" ] && continue
echo "Preparing to flush interface ${iface}" >&2
ip -statistics address flush dev "${iface}"
rm -f /run/NetworkManager/system-connections/default_connection.nmconnection >&2
done
}
# reset_autoconn_prio() will reset the autoconnect priority
# of the existing NM connections to zero.
reset_autoconn_prio() {
nmcli -t -f NAME connection show 2>/dev/null | while read -r _c; do
if ! _prio="$(nmcli -t connection show "${_c}" \
| grep connection.autoconnect-priority: \
| cut -d: -f2)" || [ -z "${_prio}" ]; then
continue
fi
[ "${_prio}" -ge 0 ] && continue
echo "Setting autoconnect-priority of connection ${_c} to zero" >&2
nmcli connection modify "${_c}" connection.autoconnect-priority 0
done
}
case "${1}" in
reset-autoconn-prio)
reset_autoconn_prio;;
flush)
do_flush;;
esac
# vim:set ts=2 sw=2 et:


@ -1,2 +0,0 @@
[main]
no-auto-default=*


@ -1,24 +0,0 @@
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
#baseurl=https://download.fedoraproject.org/pub/epel/$releasever/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
[epel-debuginfo]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug
#baseurl=https://download.fedoraproject.org/pub/epel/$releasever/Everything/$basearch/debug
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Source
#baseurl=https://download.fedoraproject.org/pub/epel/$releasever/Everything/SRPMS
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
gpgcheck=1


@ -1,24 +0,0 @@
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
#baseurl=https://download.example/pub/epel/$releasever/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
[epel-debuginfo]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug
#baseurl=https://download.example/pub/epel/$releasever/Everything/$basearch/debug/
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Source
#baseurl=https://download.example/pub/epel/$releasever/Everything/source/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
gpgcheck=1


@ -1,19 +0,0 @@
[rhel8-beta-dvd]
name = rhel8 beta base dvd
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel-8.0-beta-1-$basearch/AppStream
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel8-beta-BaseOS]
name = rhel8 beta BaseOS $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel-8.0-beta-1-aarch64/BaseOS
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel8-beta-ha]
name = rhel8 beta ha $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8-beta/aarch64/rhel-8-for-aarch64-ha-beta-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel8-beta-appstream]
name = rhel8 beta appstream $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8-beta/aarch64/rhel-8-for-aarch64-appstream-beta-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release


@ -1,6 +0,0 @@
[infrastructure-tags-stg]
name=Fedora Infrastructure tag $releasever - $basearch
baseurl=https://kojipkgs.fedoraproject.org/repos-dist/epel$releasever-infra-stg/latest/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS


@ -1,6 +0,0 @@
[infrastructure-tags]
name=Fedora Infrastructure tag $releasever - $basearch
baseurl=https://kojipkgs.fedoraproject.org/repos-dist/epel$releasever-infra/latest/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS


@ -1,34 +0,0 @@
[rhel10-dvd-BaseOS]
name = rhel10 baseos dvd
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL10-$basearch/BaseOS
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel10-dvd-AppStream]
name = rhel10 AppStream dvd
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL10-$basearch/AppStream
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel10-BaseOS]
name = rhel10 BaseOS $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel10/10.0/repos/$basearch/baseos
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel10-AppStream]
name = rhel10 AppStream $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel10/10.0/repos/$basearch/appstream
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel10-CRB]
name = rhel10 CodeReadyBuilder $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel10/10.0/repos/$basearch/crb
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1

14
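--- a/files/common/rhel6.repo
+++ b/files/common/rhel6.repo
@@ -0,0 +1,14 @@
+[rhel6-dvd]
+name = rhel6 base dvd
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-$basearch/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+[rhel6-base]
+name = rhel6 base $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel-$basearch-server-6/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+[rhel6-optional]
+name = rhel6 optional $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel-$basearch-server-optional-6/
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release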
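Review bot: None of the three stanzas (`[rhel6-dvd]`, `[rhel6-base]`, `[rhel6-optional]`) sets `gpgcheck`, so whether the listed `gpgkey` is ever enforced depends on the global default in the host's yum main configuration rather than on this file. Every `baseurl` is also plain `http://`, which leaves repository metadata without transport integrity. Add `gpgcheck=1` to each stanza so signature verification is explicit and survives a changed global default, and use `https://` for the `baseurl` lines if the mirror host serves it. An explicit `enabled=1` per stanza would also make the intent visible.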


@ -1,24 +0,0 @@
[rhel7-dvd]
name = rhel7 base dvd
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL7-$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel7-base]
name = rhel7 base $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-rpms
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel7-optional]
name = rhel7 optional $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-optional-rpms
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel7-extras]
name = rhel7 extras $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-extras-rpms
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel7-ha]
name = rhel7 ha $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-ha-for-rhel-7-server-rpms/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release


@ -1,41 +0,0 @@
[rhel8-dvd-BaseOS]
name = rhel8 baseos dvd
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL8.0-$basearch/BaseOS
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel8-dvd-AppStream]
name = rhel8 AppStream dvd
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL8.0-$basearch/AppStream
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel8-BaseOS]
name = rhel8 BaseOS $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/$basearch/rhel-8-for-$basearch-baseos-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel8-AppStream]
name = rhel8 AppStream $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/$basearch/rhel-8-for-$basearch-appstream-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel8-CRB]
name = rhel8 CodeReadyBuilder $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/$basearch/codeready-builder-for-rhel-8-$basearch-rpms/
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel8-advanced-virt]
name = rhel8 AdvancedVirt $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/$basearch/rhel-8-advanced-virt/
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1


@ -1,41 +0,0 @@
[rhel9-dvd-BaseOS]
name = rhel9 baseos dvd
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL9.0-$basearch/BaseOS
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel9-dvd-AppStream]
name = rhel9 AppStream dvd
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL9.0-$basearch/AppStream
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel9-BaseOS]
name = rhel9 BaseOS $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel9/$basearch/rhel-9-for-$basearch-baseos-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel9-AppStream]
name = rhel9 AppStream $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel9/$basearch/rhel-9-for-$basearch-appstream-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel9-CRB]
name = rhel9 CodeReadyBuilder $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel9/$basearch/codeready-builder-for-rhel-9-$basearch-rpms/
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
gpgcheck=1
[rhel9-advanced-virt]
name = rhel9 AdvancedVirt $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel9/$basearch/rhel-9-advanced-virt/
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=0
gpgcheck=1


@ -1,4 +0,0 @@
[rhel8-rhos16]
name = rhel8 openstack $basearch
baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/other/rhel-8-x86_64-openstack-16-rpms
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release


@ -1,20 +0,0 @@
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
missingok
sharedscripts
postrotate
/usr/bin/systemctl reload rsyslog.service >/dev/null 2>&1 || true
endscript
daily
rotate 7
ifempty
compress
compresscmd /usr/bin/xz
uncompresscmd /usr/bin/xz
compressext .xz
dateext
}


@ -1,7 +1,10 @@
208.75.88.4
216.93.242.12
107.170.242.27
108.166.189.70
199.223.248.98
# [clock.redhat.com]
66.187.233.4
# [time.nist.gov]
192.43.244.18
# [otc1.psu.edu]
128.118.25.5
# [clock.isc.org]
204.152.184.72
# [loopback]
127.127.1.0


@ -2,5 +2,16 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAD9QDskl41P2f4wqBuDBRD3VJ7MfKD6gMetMEaOy2b/Czf
ssh-rsa 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 ricky@padlock01.home.elrod.me
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5bNJQBrvT/YuvfLO0y6smZW5N+946uISkzmDi9myffLgHAZP4nBGeH/4GcB5ns9HJ19xVtbIwqOz4QwIqKh4gKU7DgaqND2Iu0bUUFL1KXPLGyAIW+9N3yHB+nKkH31alDnF4dpKkvO63DRkqh4ptxwEQbZDCFqn+vXuMnG4cPmDEweR3QZUt5m0Vc7HXzbehZxjUZ3xRWvT/pu+khBhJcRFkLlA60Fnqv7Q+MQP1C0Cpf3hiX1LcXUogXkNooAqx1YYRd8VqvI8e9yQW+a99x8FftnmXKlGCxP33ng6+U6Y2H7u3cRDrlRTbWqkry4SuUYo+6MtvZVgL0fw6PsZ jstanley@hawtness.rmrf.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJH1lA7WHRCbaFtvzbw0HxHYJstZjuXhax1+eL+SUJ5fFRGosEc4fLrSCP0gSFDfXmNzuspoBgcQTqnNO8FdIUwkJLDEu0vTQls1aT9YUXb+RVwKB7ULA3b1dqFkmOgLEjTJL9AplK4OJ9Su0kq6QBV4mXCxMsgEML/gn6r8muZmu2L/LdzUnxKKggyq7O5q1K/eW5Yy21fpvbHt2UPQX1f6gt4ty7E9Nnuhi7SHCI7fNIa+kHyIesfTm/SzeK/PY9rDwZKjuyS8o22GJXGEScJomK1cjMESH/J+t8Hffaj88BjGHNczvcnXAjq6y73VJQ9DiGLD4zmFquQMxDu0Tf kevin@jelerak.scrye.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDefONrBaBJlCxKtDwkYWVhf96lMhRQfwVJyBoBd4Pk6TqKMlAu2eST1xRZlV4cJSxAWgZpOaFgqJ5EGd6mq8PvVk+mKXdtX7CAoWm4f3c6otUFsFDCTw3gVvYSlEk23XBHuACsbAVNL4HmP+9C7PxQBePukbMBFD2smsyQkPcX7lZw+lDJW5lOTz3dHAA92bcopDycxRDI99gGkawzjlmxpm2C9nhRabKS6mpGw3N64d8hwHkkFbtHY7rS0/0Cka0geYYYv0NVki1IIctkhZE9LndcWbVcVe1pIlR0RyW2sorfgCgoa5fRZZhukUCtspdv981h/0b87RpRVUJKuRd1 lmacken@tomservo
ssh-rsa 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 mdomsch@fedoraproject.org
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7U0WbKLL/D6iR03/vdDZJ8Lkj1jjAkindSvC4PkXVgi6qJo1YBZnIgsmoQopYcra2yzHFt58crygIh79P/rpQowWY99W+Sk4kB9UNuiAiX/LRi+1YdxwCKcRNTVOwuji6MGZoscACERmIjPY6P1oFPERoXhUkOuzPcrDK/0z/Bp9dpNRVZE/0zN6dvHA9QODLGvcFtgnX73SbZfoIbaVP/37IvOZvjGI1jxC5DwCmY+ihM13GpELP6BM8iihlnl1pjk1vtqPxD9g9Llr14Sc6cZJKl1WCulqhde4SEMOjpMJ8J8cGYBSsdh49hB36pdKQuTTnuCXpEt5Tl8PUKCrr mmcgrath@desktop.mmcgrath.net
ssh-rsa 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 notting@nostromo.devel.redhat.com
ssh-rsa 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 ricky@alpha.rzhou.org
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAxnzCHH11nDM1m7yvqo6Uanq5vcZjBcs/mr3LccxwJ59ENzSXwUgEQy/P8vby9VKMwsskoaqZcvJdOSZBFhNV970NTPb69OIXPQAl/xhaLwiJOn606fB+/S8WepeuntS0qLiebbEiA9vIQLteZ+bWl1s/didD/sFo3/wItoTGA4GuShUu1AyWJx5Ue7Y34rwGR+kIvDoy2GHUcunn2PjGt4r3v2vpiR8GuK0JRupJAGYbYCiMBDRMkR0cgEyHW6+QQNqMlA6nRJjp94PcUMKaZK6Tc+6h5v8kLLtzuZ6ZupwMMC4X8sh85YcxqoW9DynrvO28pzaMNBHm7qr9LeY9PIhXscSa35GAcGZ7UwPK4aJAAuIzCf8BzazyvUM3Ye7GPCXHxUwY0kdXk+MHMVKFzZDChNp/ovgdhxNrw9Xzcs4yw7XYambN9Bk567cI6/tWcPuYLYD4ZJQP0qSXVzVgFEPss1lDcgd0k4if+pINyxM8eVFZVAqU+BMeDC+6W8HUUPgv6LiyTWs+xTXTuORwBTSF1pOqWB4LjqsCGIiMAc6n/xdALBGUN7qsuKDU6Q7bwPppaxypi4KCvuJsqW+8sDtMUaZ34I5Zo1q7cu03wqnOljUGoAY6IDn3J66F2KlPPyb/q3PDV3WbY/jnH16L29/xUA73nFUW1p+WXutwmSU= ssmoogen@ponyo.int.smoogespace.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFZ3AD/I0OfU84IrK573amZptucuBrDxHoue/c+PUsD3MGIA6QXRceq3ZkLuz25OAAu53hFxzCE4d6eVS299rVR8Cd+tVU8aqBdTHzdqv52Vs8zRfXMW69sV7fhwRLaQDcRTwY90Wmz2MbZmN996XmJDNtUIWI2mML+PBYEdO0PyiB2ttb7mmA3SwtC/rwEMJL2YHh+bTzlJ9W4BgFcFwizMXU3mk5uGp2/q3nKzEvgTROM8yWvqdM34cRYpjFKyOlpo6k3SPt76hgDUEIsAu6Ul1S0FHTCRMIihcxZOSN4frMtXVjX0NhW9mKcn1IRBpzd0Yon/gPB8OJ31ojIIop spot@pterodactyl
ssh-rsa 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 badger@unaka.lan
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org
ssh-rsa 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 patrick-new@fedora.thuis.local
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDep2yv5JTFJ0IdCiqumMFfNdu3H5Ej/rVVDEotS+3n5+1plKvajPXOA9c/0RLrBC/vL8LqDVrxBaiCvPFCIRN9a3Y1ru3Dwg++NmcMEvYq/H3SMHhZsH1yjlCD2r38znpX+D+CBMQnn7F5jqYFAnaMeESrgGGFFANfJN9HdHjb6eIrBGJyUOJ2JnZnhLFT5y7ru2xRMDmgsO3U+crmecYAeX/4iUadUxit36defAniVOA/3Jwva4Gjz73vIDTHNy1mxB8Y2ZBBl9WcL4qHc6wnAyFaiULcT5++Gdjn+MIyL86G/7mIIgC+fcVk/5JrdwMBiAZYMUZO/pzPobOe0spF threebean@marat
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2xAeq5uO72kY4mSFgFl9ZSveiAqe4tUv8hemrxwZH+w24RFOGrW1nOV+hjQhRpYVNwvqJkrd9N7VY/HXkd9df2AgQyYoiVfeMPTA7lB0/e/S1Bd6XGdWudvqRU1O6Rug0j3RQOuz7WDJgnanBVcBl8+X7EaPGpv9aILgh6CJDOVAO2GgaFdzI7CHtR99CMqNG7BsQF8C9Y8ALK+8HOPRE0R1wzgaAw85HTo0gyIWcrZqr4HI/QDuLjUQ6AZSgzE7dTiwZuFnUjLBnL0YP1bxJglt9IFx6r6jvdp/yMD+Bn/91WvmBL/AD+GIQ/ZydoeLo+JQW22ibiX/SzdAE4Cd3 pingou@FedoraProject
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDLVoyChksxZ1T64H8sJ3JjZNwUEIBQ1RKoY3cL1FfntvkvmgluWw/AGKQME49W6iRC6o9IgCRrOPErtd8FtetX1jI7Lkrd5znqRkVUj+FrCyaOq4lCICAYX8q1QC2URlteXiHtoaOWUqHD20c0tQwktCXtBAxfLCQCVjfubvSs7rWRDSyC2diUTCfJGYYLyo41Pr5IyMKg6BMUE/BAURHwTncMXtRMjx8JqxZtMImp4cO5p4QV6BVydn99X/ueHOVE910OrPL46cOsBMV3EIm+Hwr7lAHa7eF6bTv1bsysNPHZZ23TzvEjIB71l2ptlJThm3iECmgRlb4ssllqH2zcnwjSOivnAaalgaHk937At6QlrOdtB2WY6sxklxYG1Uaq0P+IOIRhEOw/6/5mcqBH/G8ebYfwiv5CwJ0EzRZW78y6VOHfUo/XQEetcLMYMS7B1rSaQDMTsfIGTrjBXS5kKn/AEnVYYWbD+wVGC64ShQVhtXzpYEzHTRf2XQwCCnEUF9tSSAt3uuBhlaT5vXXac6rz7qy+4d54xTzxWZnmvgG3pWjaqZ84P8aqz72m6TQR0z1FKVgQkAXvnYunM6BXTzN5Osnr2rz68d4ONUWkldGnDmrIIMo7rxJTeMbCjCqTKMyaTamtAE+Vg3KQldbCOys6HEp+irelZkKdat+VcQ== mobrien@fedoraproject.org


@ -1,95 +0,0 @@
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
log 127.0.0.1 local0 warning
maxconn 4096
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
stats socket /var/run/haproxy-stat user haproxy group nrpe mode 0664
stats socket /var/run/haproxy-admin level admin user root group root mode 0660
#debug
#quiet
defaults
log global
mode tcp
option tcplog
option dontlognull
option httpclose
option redispatch
retries 3
maxconn 5000
timeout connect 5s
timeout client 500s
timeout server 500s
frontend stats-frontend
mode http
option httplog
bind 0.0.0.0:8080
default_backend stats-backend
backend stats-backend
mode http
option httplog
balance hdr(appserver)
stats enable
stats uri /
frontend os-masters-kapi
mode tcp
bind 0.0.0.0:6443
default_backend os-masters-backend-kapi
backend os-masters-backend-kapi
mode tcp
server os-node01.fedorainfracloud.org os-node01.fedorainfracloud.org:6443 weight 1 maxconn 16384 check
server os-node02.fedorainfracloud.org os-node02.fedorainfracloud.org:6443 weight 1 maxconn 16384 check
server os-node09.fedorainfracloud.org os-node09.fedorainfracloud.org:6443 weight 1 maxconn 16384 check
# temp bootstrap node
server os-node11.fedorainfracloud.org os-node11.fedorainfracloud.org:6443 weight 1 maxconn 16384 check
frontend os-masters-machineconfig
mode tcp
bind 0.0.0.0:22623
default_backend os-masters-backend-machineconfig
backend os-masters-backend-machineconfig
mode tcp
server os-node01.fedorainfracloud.org os-node01.fedorainfracloud.org:22623 weight 1 maxconn 16384 check
server os-node02.fedorainfracloud.org os-node02.fedorainfracloud.org:22623 weight 1 maxconn 16384 check
server os-node09.fedorainfracloud.org os-node09.fedorainfracloud.org:22623 weight 1 maxconn 16384 check
# temp bootstrap node
server os-node11.fedorainfracloud.org os-node11.fedorainfracloud.org:22623 weight 1 maxconn 16384 check
frontend os-routers-https
mode tcp
bind 0.0.0.0:443
default_backend os-routers-https
backend os-routers-https
server os-node03.fedorainfracloud.org os-node03.fedorainfracloud.org:443 weight 1 maxconn 16384 check
server os-node04.fedorainfracloud.org os-node04.fedorainfracloud.org:443 weight 1 maxconn 16384 check
server os-node05.fedorainfracloud.org os-node05.fedorainfracloud.org:443 weight 1 maxconn 16384 check
server os-node06.fedorainfracloud.org os-node06.fedorainfracloud.org:443 weight 1 maxconn 16384 check
server os-node07.fedorainfracloud.org os-node07.fedorainfracloud.org:443 weight 1 maxconn 16384 check
server os-node08.fedorainfracloud.org os-node08.fedorainfracloud.org:443 weight 1 maxconn 16384 check
server os-node10.fedorainfracloud.org os-node10.fedorainfracloud.org:443 weight 1 maxconn 16384 check
server os-node11.fedorainfracloud.org os-node11.fedorainfracloud.org:443 weight 1 maxconn 16384 check
frontend os-routers-http
mode tcp
bind 0.0.0.0:80
default_backend os-routers-http
backend os-routers-http
server os-node03.fedorainfracloud.org os-node03.fedorainfracloud.org:80 weight 1 maxconn 16384 check
server os-node04.fedorainfracloud.org os-node04.fedorainfracloud.org:80 weight 1 maxconn 16384 check
server os-node05.fedorainfracloud.org os-node05.fedorainfracloud.org:80 weight 1 maxconn 16384 check
server os-node06.fedorainfracloud.org os-node06.fedorainfracloud.org:80 weight 1 maxconn 16384 check
server os-node07.fedorainfracloud.org os-node07.fedorainfracloud.org:80 weight 1 maxconn 16384 check
server os-node08.fedorainfracloud.org os-node08.fedorainfracloud.org:80 weight 1 maxconn 16384 check
server os-node10.fedorainfracloud.org os-node10.fedorainfracloud.org:80 weight 1 maxconn 16384 check
server os-node11.fedorainfracloud.org os-node11.fedorainfracloud.org:80 weight 1 maxconn 16384 check


@ -1,28 +0,0 @@
Instructions
------------
The files in this directory are the configuration files for communishift to be applied.
For OIDC auth, get the client secret for "communishift" from ansible-private/files/ipsilon/openidc.production.static, and run:
> oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config
For certificates, first install [cert-manager](https://docs.cert-manager.io/en/release-0.10/)
NOTE: The 0.11 version is buggy, as is the operator hub '1.0' version. Use 0.10 unless you want
to spend a lot of time debugging.
Next create the Issuer object. You may need to wait a minute or two for the cert-manager install
to complete and have all pods up.
To do this, first create a new access key ID and secret key in AWS for the communishift_acme_dns01 user, and update issuer.yml with the access key ID and then create a secret with the private access key
> oc create -f issuer.yml
> oc -n cert-manager create secret generic route53-access-key-secret --from-literal=access-key=THEACCESSKEY
This gives it the ability to create a TXT record for acmechallenges.fedorainfracloud.org.
To allow certificates for other hostnames, those hostnames need a CNAME of "_acme-challenge.<hostname>" pointing to "acmechallenges.fedorainfracloud.org".
After that, create the two certificate requests for the API server and ingress default cert:
> oc -n openshift-config create -f cert_api.yml
> oc -n openshift-ingress create -f cert_apps.yml
This will start the request of the certificates.
Then run the following commands to update the ingress router (will take affect after its restart) and API server with their new certs:
> oc patch apiserver cluster --type=merge -p '{"spec": {"servingCerts": {"namedCertificates": {"names": "api.os.fedorainfracloud.org"}, "servingCertificate": {"name": "api-certificate"}}}}'
> oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "apps-certificate"}}}' -n openshift-ingress-operator


@ -1,15 +0,0 @@
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: api-certificate
namespace: openshift-config
spec:
secretName: api-certificate
renewBefore: 360h # 15d
commonName: api.os.fedorainfracloud.org
dnsNames:
- 'api.os.fedorainfracloud.org'
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer


@ -1,15 +0,0 @@
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: apps-certificate
namespace: openshift-ingress
spec:
secretName: apps-certificate
renewBefore: 360h # 15d
commonName: apps.os.fedorainfracloud.org
dnsNames:
- '*.apps.os.fedorainfracloud.org'
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer


@ -1,22 +0,0 @@
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
email: admin@fedoraproject.org
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-production-account-key
solvers:
- dns01:
cnameStrategy: Follow
route53:
region: us-east-1
accessKeyID: THEACCESSKEYID
secretAccessKeySecretRef:
namespace: cert-manager
name: route53-access-key-secret
key: access-key
hostedZoneID: Z2MFECC8O90CBA


@ -1,12 +0,0 @@
MachineConfig files
-------------------
The files in this directory are used as machineconfig files for communishift.
Note that they're template files: some changes will need to be made before "oc create -f".
Specifically:
- The templates have two "DOBOTH" replacements. You want to create the file twice,
once with both DOBOTH cases replaced with "master" and once replaced with "worker".
- The mc_firewall.yml.template has a bit FILL_IN_HERE. Run "./to_data.sh firewall.sh",
and copy the output from that script into the FILL_IN_HERE bit in the MC.
Then run that MC twice as per the previous point (master and worker).


@ -1,10 +0,0 @@
set -xe
iptables -N fedora-block-ports
iptables -A fedora-block-ports -p tcp --dport 111 -j REJECT
iptables -A fedora-block-ports -p udp --dport 111 -j REJECT
iptables -A fedora-block-ports -p tcp --dport 22623 --src 38.145.48.42 -j ACCEPT
iptables -A fedora-block-ports -p tcp --dport 22623 --src 38.145.48.43 -j ACCEPT
iptables -A fedora-block-ports -p tcp --dport 22623 -j REJECT
iptables -I INPUT 1 -j fedora-block-ports

View file

@ -1,19 +0,0 @@
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
generation: 1
name: 50-chrony-DOBOTH
labels:
machineconfiguration.openshift.io/role: DOBOTH
spec:
config:
ignition:
version: "2.2.0"
storage:
files:
- contents:
source: "data:,server%20cloud-noc01.fedorainfracloud.org%20port%20124"
verification: {}
filesystem: root
mode: 0644
path: /etc/chrony.conf


@ -1,32 +0,0 @@
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
generation: 1
name: 40-firewall-DOBOTH
labels:
machineconfiguration.openshift.io/role: DOBOTH
spec:
config:
ignition:
version: "2.2.0"
storage:
files:
- path: /etc/fedora_firewall.sh
mode: 0755
filesystem: root
contents:
source: "FILL_IN_HERE"
systemd:
units:
- name: "fedora_firewall.service"
enabled: true
contents: |-
[Unit]
Descrption=Block firewall ports for Fedora
[Service]
Type=oneshot
ExecStart=bash /etc/fedora_firewall.sh
[Install]
WantedBy=multi-user.target


@ -1,4 +0,0 @@
#!/bin/bash
echo -n "data:,"
cat $1 | tr '\n' '*' | sed -e 's/*/%0A/g' | sed -e 's/ /%20/g'
echo


@ -1,27 +0,0 @@
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: fedoraidp
login: true
challenge: false
mappingMethod: claim
type: OpenID
openID:
clientID: communishift
clientSecret:
name: fedoraidp-clientsecret
extraScopes:
- email
- profile
claims:
preferredUsername:
- nickname
name:
- name
email:
- email
issuer: https://id.fedoraproject.org

58
files/copr/copr-be.conf Normal file

@ -0,0 +1,58 @@
[backend]
# URL where are results visible
# default is http://copr
results_baseurl=http://copr-be.cloud.fedoraproject.org/results
# ??? What is this
# default is http://coprs/rest/api
#frontend_url=http://copr-fe.cloud.fedoraproject.org/backend
frontend_url=http://172.16.5.6/backend
# must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
# default is PASSWORDHERE but you really should change it. really.
frontend_auth={{ copr_backend_password }}
# path to ansible playbook which spawns builder
# see /usr/share/copr*/playbooks/ for examples
# default is /etc/copr/builder_playbook.yml
spawn_playbook=/home/copr/provision/builderpb.yml
# path to ansible playbook which terminate builder
# default is /etc/copr/terminate_playbook.yml
terminate_playbook=/home/copr/provision/terminatepb.yml
# directory where jobs are stored
# no defaults
jobsdir=/var/lib/copr/jobs
# directory where results are stored
# should be accessible from web using 'results_baseurl' URL
# no default
destdir=/var/lib/copr/public_html/results
# default is 10
sleeptime=30
# default is 8
num_workers=8
# path to log file
# default is /var/log/copr/backend.log
logfile=/var/log/copr/backend.log
# default is /var/log/copr/workers/
worker_logdir=/var/log/copr/workers/
# exit on worker failure
# default is false
#exit_on_worker=false
# publish fedmsg notifications from workers if true
# default is false
#fedmsg_enabled=false
fedmsg_enabled=true
[builder]
# default is 1800
timeout=3600
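Review bot: `frontend_auth` is a shared secret, yet `frontend_url=http://172.16.5.6/backend` sends it to the frontend over plain HTTP, so anything on that network path can read it. The frontend vhost added in this commit also listens on 443, so `frontend_url=https://copr-fe.cloud.fedoraproject.org/backend` would keep the secret encrypted, assuming the certificate validates for that name. The dev variant of this file further down uses an `http://` `frontend_url` as well and needs the same change.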


@ -0,0 +1,57 @@
[backend]
# URL where are results visible
# default is http://copr
results_baseurl=http://copr-be-dev.cloud.fedoraproject.org/results
# ??? What is this
# default is http://coprs/rest/api
frontend_url=http://copr-fe-dev.cloud.fedoraproject.org/backend
# must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
# default is PASSWORDHERE but you really should change it. really.
frontend_auth=PASSWORDHERE
# path to ansible playbook which spawns builder
# see /usr/share/copr*/playbooks/ for examples
# default is /etc/copr/builder_playbook.yml
spawn_playbook=/home/copr/provision/builderpb.yml
# path to ansible playbook which terminate builder
# default is /etc/copr/terminate_playbook.yml
terminate_playbook=/home/copr/provision/terminatepb.yml
# directory where jobs are stored
# no defaults
jobsdir=/var/lib/copr/jobs
# directory where results are stored
# should be accessible from web using 'results_baseurl' URL
# no default
destdir=/var/lib/copr/public_html/results
# default is 10
sleeptime=30
# default is 8
num_workers=5
# path to log file
# default is /var/log/copr/backend.log
logfile=/var/log/copr/backend.log
# default is /var/log/copr/workers/
worker_logdir=/var/log/copr/workers/
# exit on worker failure
# default is false
#exit_on_worker=false
# publish fedmsg notifications from workers if true
# default is false
#fedmsg_enabled=false
[builder]
# default is 1800
timeout=3600
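Review bot: `frontend_auth=PASSWORDHERE` commits the documented default as the live value, which the comment directly above it says should be changed. If this file is deployed unchanged to the dev backend, the backend/frontend secret is publicly known from the repository. It should come from a private variable the way the production config does, `frontend_auth={{ copr_backend_password }}`, rendered through `template`.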

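--- a/files/copr/fe/README
+++ b/files/copr/fe/README
@@ -0,0 +1 @@
+in this dir is where we put all the configs for the copr frontend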

30
files/copr/fe/copr.conf Normal file

@ -0,0 +1,30 @@
# Directory and files where is stored Copr database files
DATA_DIR = '/var/lib/copr/data'
DATABASE = '/var/lib/copr/data/copr.db'
OPENID_STORE = '/var/lib/copr/data/openid_store'
WHOOSHEE_DIR = '/var/lib/copr/data/whooshee'
SECRET_KEY = {{ copr_secret_key }}
BACKEND_PASSWORD = {{ copr_backend_password }}
# restrict access to a set of users
#USE_ALLOWED_USERS = False
#ALLOWED_USERS = ['bonnie', 'clyde']
SQLALCHEMY_DATABASE_URI = {{ copr_database_uri }}
# Token length, defaults to 30 (max 255)
#API_TOKEN_LENGTH = 30
# Expiration of API token in days
#API_TOKEN_EXPIRATION = 180
# logging options
#SEND_LOGS_TO = ['root@localhost']
#LOGGING_LEVEL = logging.ERROR
DEBUG = False
SQLALCHEMY_ECHO = False
CSRF_ENABLED = True
WTF_CSRF_ENABLED = True
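Review bot: `SECRET_KEY = {{ copr_secret_key }}`, `BACKEND_PASSWORD = {{ copr_backend_password }}` and `SQLALCHEMY_DATABASE_URI = {{ copr_database_uri }}` are unquoted in a file that is read as Python, so they only parse if every variable value carries its own quotes. Quoting in the template, e.g. `SECRET_KEY = '{{ copr_secret_key }}'`, makes that explicit and fails loudly on an empty expansion instead of producing a syntax error at service start. The file sits under `files/`, so it is worth confirming it is deployed with `template` rather than `copy` (otherwise the braces are written literally) and with a mode that keeps these secrets unreadable to other users; `files/copr/copr-be.conf` has the same `{{ … }}` under `files/`.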


@ -0,0 +1,64 @@
NameVirtualHost *:80
LoadModule wsgi_module modules/mod_wsgi.so
WSGISocketPrefix /var/run/wsgi
<VirtualHost *:80>
ServerName copr-fe.cloud.fedoraproject.org
WSGIPassAuthorization On
WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5
WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
WSGIProcessGroup 127.0.0.1
ErrorLog logs/error_coprs
CustomLog logs/access_coprs common
<Directory /usr/share/copr>
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
#optimeize on speed
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
ServerName copr-fe.cloud.fedoraproject.org:443
WSGIPassAuthorization On
#WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5
WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
WSGIProcessGroup 127.0.0.1
ErrorLog logs/error_coprs
CustomLog logs/access_coprs common
<Directory /usr/share/copr>
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
</VirtualHost>
<IfModule mod_status.c>
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Require all denied
Require host localhost .redhat.com
</Location>
</IfModule>
<IfModule mpm_prefork_module>
StartServers 8
MinSpareServers 8
MaxSpareServers 20
MaxClients 50
MaxRequestsPerChild 10000
</IfModule>
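Review bot: In the `*:443` vhost, `SSLProtocol all -SSLv2` leaves SSLv3 enabled and `SSLCipherSuite` lists `RC4-SHA` first with `SSLHonorCipherOrder on`, so the server will itself pick a broken cipher. I would change these to `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4`. The lighttpd `$SERVER["socket"] == ":443"` block later in this commit also lists `RC4-SHA:RC4` in `ssl.cipher-list` and should get the equivalent change plus `ssl.use-sslv3 = "disable"`. Separately, the `*:80` vhost serves the same application with `WSGIPassAuthorization On`, so credentials can still travel in cleartext unless port 80 only redirects to HTTPS.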


@ -0,0 +1 @@
#commented out so it doesn't do that stupid index page


@ -0,0 +1,10 @@
[Copr]
name=Copr
failovermethod=priority
#baseurl=http://copr-be.cloud.fedoraproject.org/results/msuchy/copr/fedora-19-x86_64/
# 172.16.5.4 is copr-be.cloud.fedoraproject.org
# see https://fedorahosted.org/fedora-infrastructure/ticket/4025
baseurl=http://172.16.5.4/results/msuchy/copr/fedora-19-x86_64/
enabled=1
gpgcheck=0
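Review bot: `gpgcheck=0` combined with an `http://` `baseurl` means packages from this repo are installed with neither a signature check nor transport integrity, so whatever answers for 172.16.5.4 on that network decides what gets installed. The `[msuchy-Mock]` and `[msuchy-scl-utils]` stanzas in the builder repo file later in this commit do the same, and those feed the build hosts. If the Copr results cannot be signed yet, record that as a known gap next to the setting, e.g. `# gpgcheck=0: copr results are unsigned; trust rests on the internal network only`, and prefer an HTTPS `baseurl`.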

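--- a/files/copr/forward
+++ b/files/copr/forward
@@ -0,0 +1,4 @@
+msuchy+coprmachine@redhat.com
+kevin@scrye.com
+nb@fedoraproject.org
+sgallagh@redhat.com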


@ -0,0 +1,455 @@
#######################################################################
##
## /etc/lighttpd/lighttpd.conf
##
## check /etc/lighttpd/conf.d/*.conf for the configuration of modules.
##
#######################################################################
#######################################################################
##
## Some Variable definition which will make chrooting easier.
##
## if you add a variable here. Add the corresponding variable in the
## chroot example aswell.
##
var.log_root = "/var/log/lighttpd"
var.server_root = "/var/www"
var.state_dir = "/var/run"
var.home_dir = "/var/lib/lighttpd"
var.conf_dir = "/etc/lighttpd"
##
## run the server chrooted.
##
## This requires root permissions during startup.
##
## If you run Chrooted set the the variables to directories relative to
## the chroot dir.
##
## example chroot configuration:
##
#var.log_root = "/logs"
#var.server_root = "/"
#var.state_dir = "/run"
#var.home_dir = "/lib/lighttpd"
#var.vhosts_dir = "/vhosts"
#var.conf_dir = "/etc"
#
#server.chroot = "/srv/www"
##
## Some additional variables to make the configuration easier
##
##
## Base directory for all virtual hosts
##
## used in:
## conf.d/evhost.conf
## conf.d/simple_vhost.conf
## vhosts.d/vhosts.template
##
var.vhosts_dir = server_root + "/vhosts"
##
## Cache for mod_compress
##
## used in:
## conf.d/compress.conf
##
var.cache_dir = "/var/cache/lighttpd"
##
## Base directory for sockets.
##
## used in:
## conf.d/fastcgi.conf
## conf.d/scgi.conf
##
var.socket_dir = home_dir + "/sockets"
##
#######################################################################
#######################################################################
##
## Load the modules.
include "modules.conf"
##
#######################################################################
#######################################################################
##
## Basic Configuration
## ---------------------
##
server.port = 80
##
## Use IPv6?
##
server.use-ipv6 = "disable"
##
## bind to a specific IP
##
#server.bind = "localhost"
##
## Run as a different username/groupname.
## This requires root permissions during startup.
##
server.username = "lighttpd"
server.groupname = "lighttpd"
##
## enable core files.
##
#server.core-files = "disable"
##
## Document root
##
server.document-root = "/var/lib/copr/public_html"
##
## The value for the "Server:" response field.
##
## It would be nice to keep it at "lighttpd".
##
#server.tag = "lighttpd"
##
## store a pid file
##
server.pid-file = state_dir + "/lighttpd.pid"
##
#######################################################################
#######################################################################
##
## Logging Options
## ------------------
##
## all logging options can be overwritten per vhost.
##
## Path to the error log file
##
server.errorlog = log_root + "/error.log"
##
## If you want to log to syslog you have to unset the
## server.errorlog setting and uncomment the next line.
##
#server.errorlog-use-syslog = "enable"
##
## Access log config
##
include "conf.d/access_log.conf"
##
## The debug options are moved into their own file.
## see conf.d/debug.conf for various options for request debugging.
##
include "conf.d/debug.conf"
##
#######################################################################
#######################################################################
##
## Tuning/Performance
## --------------------
##
## corresponding documentation:
## http://www.lighttpd.net/documentation/performance.html
##
## set the event-handler (read the performance section in the manual)
##
## possible options on linux are:
##
## select
## poll
## linux-sysepoll
##
## linux-sysepoll is recommended on kernel 2.6.
##
server.event-handler = "linux-sysepoll"
##
## The basic network interface for all platforms at the syscalls read()
## and write(). Every modern OS provides its own syscall to help network
## servers transfer files as fast as possible
##
## linux-sendfile - is recommended for small files.
## writev - is recommended for sending many large files
##
server.network-backend = "linux-sendfile"
##
## As lighttpd is a single-threaded server, its main resource limit is
## the number of file descriptors, which is set to 1024 by default (on
## most systems).
##
## If you are running a high-traffic site you might want to increase this
## limit by setting server.max-fds.
##
## Changing this setting requires root permissions on startup. see
## server.username/server.groupname.
##
## By default lighttpd would not change the operation system default.
## But setting it to 2048 is a better default for busy servers.
##
## With SELinux enabled, this is denied by default and needs to be allowed
## by running the following once : setsebool -P httpd_setrlimit on
#server.max-fds = 2048
##
## Stat() call caching.
##
## lighttpd can utilize FAM/Gamin to cache stat call.
##
## possible values are:
## disable, simple or fam.
##
server.stat-cache-engine = "simple"
##
## Fine tuning for the request handling
##
## max-connections == max-fds/2 (maybe /3)
## means the other file handles are used for fastcgi/files
##
server.max-connections = 1024
##
## How many seconds to keep a keep-alive connection open,
## until we consider it idle.
##
## Default: 5
##
#server.max-keep-alive-idle = 5
##
## How many keep-alive requests until closing the connection.
##
## Default: 16
##
#server.max-keep-alive-requests = 16
##
## Maximum size of a request in kilobytes.
## By default it is unlimited (0).
##
## Uploads to your server cant be larger than this value.
##
#server.max-request-size = 0
##
## Time to read from a socket before we consider it idle.
##
## Default: 60
##
#server.max-read-idle = 60
##
## Time to write to a socket before we consider it idle.
##
## Default: 360
##
#server.max-write-idle = 360
##
## Traffic Shaping
## -----------------
##
## see /usr/share/doc/lighttpd/traffic-shaping.txt
##
## Values are in kilobyte per second.
##
## Keep in mind that a limit below 32kB/s might actually limit the
## traffic to 32kB/s. This is caused by the size of the TCP send
## buffer.
##
## per server:
##
#server.kbytes-per-second = 128
##
## per connection:
##
#connection.kbytes-per-second = 32
##
#######################################################################
#######################################################################
##
## Filename/File handling
## ------------------------
##
## files to check for if .../ is requested
## index-file.names = ( "index.php", "index.rb", "index.html",
## "index.htm", "default.htm" )
##
index-file.names += (
"index.xhtml", "index.html", "index.htm", "default.htm", "index.php"
)
##
## deny access the file-extensions
##
## ~ is for backupfiles from vi, emacs, joe, ...
## .inc is often used for code includes which should in general not be part
## of the document-root
url.access-deny = ( "~", ".inc" )
##
## disable range requests for pdf files
## workaround for a bug in the Acrobat Reader plugin.
##
$HTTP["url"] =~ "\.pdf$" {
server.range-requests = "disable"
}
##
## url handling modules (rewrite, redirect)
##
#url.rewrite = ( "^/$" => "/server-status" )
#url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" )
##
## both rewrite/redirect support back reference to regex conditional using %n
##
#$HTTP["host"] =~ "^www\.(.*)" {
# url.redirect = ( "^/(.*)" => "http://%1/$1" )
#}
##
## which extensions should not be handle via static-file transfer
##
## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
##
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" )
##
## error-handler for status 404
##
#server.error-handler-404 = "/error-handler.html"
#server.error-handler-404 = "/error-handler.php"
##
## Format: <errorfile-prefix><status-code>.html
## -> ..../status-404.html for 'File not found'
##
#server.errorfile-prefix = "/srv/www/htdocs/errors/status-"
##
## mimetype mapping
##
include "conf.d/mime.conf"
##
## directory listing configuration
##
include "conf.d/dirlisting.conf"
##
## Should lighttpd follow symlinks?
##
server.follow-symlink = "enable"
##
## force all filenames to be lowercase?
##
#server.force-lowercase-filenames = "disable"
##
## defaults to /var/tmp as we assume it is a local harddisk
##
server.upload-dirs = ( "/var/tmp" )
##
#######################################################################
#######################################################################
##
## SSL Support
## -------------
##
## To enable SSL for the whole server you have to provide a valid
## certificate and have to enable the SSL engine.::
##
## ssl.engine = "enable"
## ssl.pemfile = "/path/to/server.pem"
##
## The HTTPS protocol does not allow you to use name-based virtual
## hosting with SSL. If you want to run multiple SSL servers with
## one lighttpd instance you must use IP-based virtual hosting: ::
##
## $SERVER["socket"] == "10.0.0.1:443" {
## ssl.engine = "enable"
## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
## #
## # Mitigate BEAST attack:
## #
## # A stricter base cipher suite. For details see:
## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
## #
## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
## #
## # Make the server prefer the order of the server side cipher suite instead of the client suite.
## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
## # This option is enabled by default, but only used if ssl.cipher-list is set.
## #
## # ssl.honor-cipher-order = "enable"
## #
## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
## # This is enabled by default.
## #
## # ssl.disable-client-renegotiation = "enable"
## #
## server.name = "www.example.com"
##
## server.document-root = "/srv/www/vhosts/example.com/www/"
## }
##
## If you have a .crt and a .key file, cat them together into a
## single PEM file:
## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \
## > /etc/ssl/private/lighttpd.pem
##
#ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
##
## optionally pass the CA certificate here.
##
##
#ssl.ca-file = ""
##
#######################################################################
#######################################################################
##
## custom includes like vhosts.
##
#include "conf.d/config.conf"
#include_shell "cat /etc/lighttpd/vhosts.d/*.conf"
##
#######################################################################
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/coprs-be.fedoraproject.org.pem"
ssl.ca-file = "/etc/lighttpd/coprs-be.fedoraproject.org.crt"
ssl.disable-client-renegotiation = "enable"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
}
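Review bot: `server.follow-symlink = "enable"` is set while `server.document-root` is `/var/lib/copr/public_html`, which, going by `destdir` in copr-be.conf, is where build results are written. If anything produced by a build can leave a symlink in that tree, lighttpd will serve whatever it points at that the `lighttpd` user can read. I would set `server.follow-symlink = "disable"` unless the results layout is known to depend on symlinks, and note the reason in a comment if it does.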


@ -0,0 +1,93 @@
# config file for ansible -- http://ansible.github.com
# nearly all parameters can be overridden in ansible-playbook or with command line flags
# ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first
[defaults]
# location of inventory file, eliminates need to specify -i
hostfile = /home/copr/provision/inventory
# location of ansible library, eliminates need to specify --module-path
library = /home/copr/provision/library:/usr/share/ansible
# default module name used in /usr/bin/ansible when -m is not specified
module_name = command
# home directory where temp files are stored on remote systems. Should
# almost always contain $HOME or be a directory writeable by all users
remote_tmp = $HOME/.ansible/tmp
# the default pattern for ansible-playbooks ("hosts:")
pattern = *
# the default number of forks (parallelism) to be used. Usually you
# can crank this up.
forks=25
# the timeout used by various connection types. Usually this corresponds
# to an SSH timeout
timeout=10
# when using --poll or "poll:" in an ansible playbook, and not specifying
# an explicit poll interval, use this interval
poll_interval=15
# when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,
# and not specifying "--sudo-user" or "sudo_user" respectively, sudo
# to this user account
sudo_user=root
# connection to use when -c <connection_type> is not specified
#transport=paramiko
transport=ssh
# this is needed for paramiko, ssh already have this said in .ssh/config
host_key_checking = False
# remote SSH port to be used when --port or "port:" or an equivalent inventory
# variable is not specified.
remote_port=22
# if set, always run /usr/bin/ansible commands as this user, and assume this value
# if "user:" is not set in a playbook. If not set, use the current Unix user
# as the default
remote_user=root
# if set, always use this private key file for authentication, same as if passing
# --private-key-file to ansible or ansible-playbook
#private_key_file=/path/to/file
# additional plugin paths for non-core plugins
action_plugins = /usr/lib/python2.7/site-packages/ansible/runner/action_plugins:/home/copr/provision/action_plugins/
private_key_file=/home/copr/.ssh/id_rsa
[paramiko_connection]
record_host_keys=False
# nothing to configure yet
[ssh_connection]
# if uncommented, sets the ansible ssh arguments to the following. Leaving off ControlPersist
# will result in poor performance, so use transport=paramiko on older platforms rather than
# removing it
ssh_args=-o PasswordAuthentication=no -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
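Review bot: `host_key_checking = False` together with `record_host_keys=False` means the root SSH session to a freshly spawned builder is never authenticated, and the comment above it relies on `.ssh/config` covering the `ssh` transport, which this file cannot guarantee. For short-lived builders it is safer to learn the host key out of band (for example from the instance console output) than to switch the check off globally. `ControlPath=/tmp/ansible-ssh-%h-%p-%r` also places the multiplexing socket at a predictable name in a world-writable directory; `-o ControlPath=/home/copr/.ansible/cp/ansible-ssh-%h-%p-%r` keeps it in a directory only the copr user can write, provided that directory exists with mode 0700.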


@ -0,0 +1,81 @@
---
- name: check/create instance
hosts: localhost
user: copr
gather_facts: False
vars:
- keypair: buildsys
- image: ami-0000000e
- instance_type: m1.builder
- security_group: builder
tasks:
- name: spin it up
local_action: ec2 keypair={{ keypair }} image={{ image }} type={{ instance_type }} wait=true group={{ security_group }}
register: inst_res
- name: get its internal ip b/c openstack is sometimes stupid
local_action: shell euca-describe-instances {{ inst_res.instances[0].id }} | grep INSTANCE | cut -f 18
register: int_ip
- name: add it to the special group
local_action: add_host hostname={{ int_ip.stdout }} groupname=builder_temp_group
- name: wait for the host to be hot
local_action: wait_for host={{ int_ip.stdout }} port=22 delay=5 timeout=600
- debug: msg="IP={{ int_ip.stdout }}"
- hosts: builder_temp_group
user: root
vars:
- files: files/
tasks:
- name: edit hostname to be instance name
action: shell hostname `curl -s http://169.254.169.254/2009-04-04/meta-data/instance-id`
- name: install pkgs
action: yum state=present pkg={{ item }}
with_items:
- rsync
- openssh-clients
- libselinux-python
- libsemanage-python
- name: add repos
action: copy src={{ files }}/{{ item }} dest=/etc/yum.repos.d/{{ item }}
with_items:
- builder.repo
- epel6.repo
- name: install additional pkgs
action: yum state=present pkg={{ item }}
with_items:
- mock
- createrepo
- yum-utils
- name: make sure newest rpm
action: yum name=rpm state=latest
- name: mockbuilder user
action: user name=mockbuilder groups=mock
- name: mockbuilder .ssh
action: file state=directory path=/home/mockbuilder/.ssh mode=0700 owner=mockbuilder group=mockbuilder
- name: mockbuilder authorized_keys
action: authorized_key user=mockbuilder key='{{ lookup('file', '/home/copr/provision/files/buildsys.pub') }}'
- name: put updated mock configs into /etc/mock
action: copy src={{ files }}/mock/{{ item }} dest=/etc/mock
with_items:
- site-defaults.cfg
- epel-5-x86_64.cfg
- epel-5-i386.cfg
- fedora-20-x86_64.cfg
- fedora-20-i386.cfg
- epel-7-x86_64.cfg
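Review bot: The `get its internal ip` task trusts `cut -f 18` on the `euca-describe-instances` output, and its result goes straight into `add_host` and `wait_for` with no check that it is a non-empty address. Because the pipeline's exit status is that of `cut`, a failed lookup or a shifted column layout still counts as success, and the second play then runs as root against whatever string came back. A guard such as `failed_when: int_ip.stdout == ""` on that task (or a regex check on the value) would stop the run early. The `edit hostname` task has the same shape: `hostname` receives the unvalidated body of the metadata response.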


@ -0,0 +1,23 @@
[builder-infrastructure]
name=Builder Packages from Fedora Infrastructure $releasever - $basearch
baseurl=http://infrastructure.fedoraproject.org/repo/builder-rpms/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
[msuchy-Mock]
name=Copr repo for Mock owned by msuchy
description=Mock for RHEL6 with patch from https://bugzilla.redhat.com/show_bug.cgi?id=1028438 and https://bugzilla.redhat.com/show_bug.cgi?id=1034805
baseurl=http://172.16.5.4/results/msuchy/Mock/epel-6-$basearch/
skip_if_unavailable=True
gpgcheck=0
enabled=1
[msuchy-scl-utils]
name=Copr repo for scl-utils owned by msuchy
description=scl-utils with patch from https://bugzilla.redhat.com/show_bug.cgi?id=985233
baseurl=http://172.16.5.4/results/msuchy/scl-utils/epel-6-$basearch/
skip_if_unavailable=True
gpgcheck=0
enabled=1
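Review bot: `gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE` fetches the trust anchor over plain HTTP, so `gpgcheck=1` only proves the packages match whichever key was delivered on first import. Shipping the key with the playbook and pointing at it locally, e.g. `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-INFRASTRUCTURE`, or using an `https://` URL closes that gap. The `[epel]` and `[epel-testing]` stanzas in the EPEL repo file that follows use the same `http://` `gpgkey` pattern.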


@ -0,0 +1,13 @@
[epel]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=http://infrastructure.fedoraproject.org/pub/epel/6/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6
[epel-testing]
name=Extras Packages for Enterprise Linux $releasever - $basearch
baseurl=http://infrastructure.fedoraproject.org/pub/epel/testing/6/$basearch/
enabled=0
gpgcheck=1
gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6

Some files were not shown because too many files have changed in this diff Show more