Merge branch 'openvpn_handler' of /git/ansible into openvpn_handler

Add nagios to trusted openid roots
2014-08-02 15:00:10 +00:00 · 2014-08-02 15:00:06 +00:00
5838 changed files with 77728 additions and 400510 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,68 +0,0 @@
 ---
 # .ansible-lint
 # exclude_paths included in this file are parsed relative to this file's location
 # and not relative to the CWD of execution. CLI arguments passed to the --exclude
 # option will be parsed relative to the CWD of execution.
 exclude_paths:
  - .cache/ # implicit unless exclude_paths is defined in config
  - cache_plugins
  - callback_plugins
  - files
  - filter_plugins
  - handlers
  - library
  - scripts
  # Ignore playbooks with strange error happening in <unicode string>
  - playbooks/groups/copr-db.yml
  # Some playbooks contains hardcoded paths, so exclude them from check
  - playbooks/list-vms-per-host.yml
  - playbooks/set_root_auth_keys.yml
  - playbooks/update-proxy-dns.yml
  - playbooks/update_ticketkey.yml
  - playbooks/vhost_reboot.yml
  - playbooks/vhost_update_reboot.yml
 # parseable: true
 # quiet: true
 # verbosity: 1
 # Mock modules or roles in order to pass ansible-playbook --syntax-check
 mock_modules:
   - include_playbook
 #  - zuul_return
 #  # note the foo.bar is invalid as being neither a module or a collection
 #  - fake_namespace.fake_collection.fake_module
 #  - fake_namespace.fake_collection.fake_module.fake_submodule
 mock_roles:
  - linux-system-roles.network
 use_default_rules: true
 # Load custom rules from this specific folder
 # rulesdir:
 #   - ./rule/directory/
 # Offline mode disables installation of requirements.yml
 offline: true
 # Define required Ansible's variables to satisfy syntax check
 extra_vars:
  target: localhost
  vhost: localhost
 #  multiline_string_variable: |
 #    line1
 #    line2
 #  complex_variable: ":{;\t$()"
 # List of additional kind:pattern to be added at the top of the default
 # match list, first match determines the file kind.
 kinds:
  # - playbook: "**/examples/*.{yml,yaml}"
  # - galaxy: "**/folder/galaxy.yml"
  - tasks: "**/tasks/*.yml"
  - vars: "**/vars/*.yml"
  # - meta: "**/meta/main.yml"
  - yaml: "**/*.yaml-too"
 skip_list:
  - yaml
  - role-name[path]
  - var-naming[no-role-prefix]
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,2 @@
 *.swp
 *.pyc
 # emacs projectile
 .projectile
--- a/.mailmap
+++ b/.mailmap
@ -1,5 +0,0 @@
 Rick Elrod <relrod@redhat.com> <codeblock@fedoraproject.org>
 Rick Elrod <relrod@redhat.com> Ricky Elrod
 Rick Elrod <relrod@redhat.com> Ricky Elrod <codeblock@lockbox01.phx2.fedoraproject.org>
 # ... others go here ...
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,22 +0,0 @@
 ---
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
 # -   repo: https://github.com/pre-commit/pre-commit-hooks
 #    rev: v3.2.0
 #    hooks:
 #    -   id: trailing-whitespace
 #    -   id: end-of-file-fixer
 #    -   id: check-yaml
 #    -   id: check-added-large-files
 - repo: https://github.com/adrienverge/yamllint
  rev: v1.35.1
  hooks:
  - id: yamllint
 #  -   repo: https://github.com/ansible/ansible-lint
 #     rev: v24.12.1
 #     hooks:
 #     -   id: ansible-lint
--- a/.yamllint.yaml
+++ b/.yamllint.yaml
@ -1,26 +0,0 @@
 ---
 extends: default
 rules:
  comments:
    min-spaces-from-content: 1
    level: error
  comments-indentation: false
  braces:
    max-spaces-inside: 1
  document-start:
    level: error
  octal-values:
    forbid-implicit-octal: true
    forbid-explicit-octal: true
  indentation:
    spaces: 2
    indent-sequences: whatever
    level: warning
  line-length: disable
  # line-length:
    # max: 100
    # level: warning
  truthy:
    allowed-values: ['true', 'false', 'yes', 'no']
 ...
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -1,6 +0,0 @@
 ---
 - project:
    check:
      jobs:
        - fi-ansible-lint-diff
        - fi-yamllint-diff
--- a/6
+++ b/6
@ -9,7 +9,7 @@ Playbook naming
 ===============
 The top level playbooks directory should contain: 
-* Playbooks that are generic and used by several groups/hosts playbooks
+* Playbooks that are generic and used by serveral groups/hosts playbooks
 * Playbooks used for utility purposes from command line
 * Groups and Hosts subdirs. 
@ -23,7 +23,7 @@ specific function. Examples: host update, vhost update, vhost reboot.
 The playbooks/groups/ directory should contain one playbook per 
 group. This should be used in the case of multiple machines/instances
 in a group. MUST include a hosts entry that describes the hosts in the group.
-Examples: packages, proxy, virthost, etc.
+Examples: packages, proxy, unbound, virthost, etc.
 Try and be descriptive with the name here. 
 The playbooks/hosts/ directory should contain one playbook per 'host'
@ -95,7 +95,7 @@ We would like to get ansible running over hosts in an automated way.
 A git hook could do this. 
 * On commit:
-	If we have a way to determine exactly what hosts are affected by a 
+	If we have a way to detemine exactly what hosts are affected by a 
        change we could simply run only on those hosts. 
        We might want a short delay (10m) to allow someone to see a problem
--- a/1
+++ b/1
@ -1 +0,0 @@
 README.md
--- a/245
+++ b/245
@ -0,0 +1,245 @@
 == ansible repository/structure ==
 files - files and templates for use in playbooks/tasks
      - subdirs for specific tasks/dirs highly recommended
 inventory - where the inventory and additional vars is stored
          - All files in this directory in ini format 
          - added together for total inventory
  group_vars: 
          - per group variables set here in a file per group 
  host_vars: 
          - per host variables set here in a file per host 
 library - library of custom local ansible modules
 playbooks - collections of plays we want to run on systems
 tasks - snippets of tasks that should be included in plays
 roles - specific roles to be use in playbooks. 
        Each role has it's own files/templates/vars
 == Paths ==
 public path for everything is:
 /srv/web/infra/ansible
 private path - which is sysadmin-main accessible only is:
 /srv/private/ansible
 In general to run any ansible playbook you will want to run:
 sudo -i ansible-playbook /path/to/playbook.yml
 == Cloud information ==
 cloud instances:
 to startup a new cloud instance and configure for basic server use run (as
 root):
 el6:
 sudo -i ansible-playbook /srv/web/infra/ansible/playbooks/el6_temp_instance.yml
 f19:
 sudo -i ansible-playbook /srv/web/infra/ansible/playbooks/f19_temp_instance.yml
 The -i is important - ansible's tools need access to root's sshagent as well
 as the cloud credentials to run the above playbooks successfully.
 This will setup a new instance, provision it and email sysadmin-main that
 the instance was created, it's instance id (for terminating it, attaching
 volumes, etc) and it's ip address.
 You will then be able to login, as root.
 You can add various extra vars to the above commands to change the instance
 you've just spun up.
 variables to define:
 instance_type=c1.medium
 security_group=default
 root_auth_users='username1 username2 @groupname'
 hostbase=basename for hostname - will have instance id appended to it
 define these with:
 --extra-vars="varname=value varname1=value varname2=value"
 Name        Memory_MB  Disk   VCPUs
 m1.tiny     512        0      1    
 m1.small    2048       20     1    
 m1.medium   4096       40     2    
 m1.large    8192       80     4    
 m1.xlarge   16384      160    8    
 m1.builder  5120       50     3    
 Setting up a new persistent cloud host:
 1. select an ip:
   source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
   euca-describe-addresses
  - pick an ip from the list that is not assigned anywhere
  - add it into dns - normally in the cloud.fedoraproject.org but it doesn't
    have to be
 2. If needed create a persistent storage disk for the instance:
   source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
   euca-create-volume -z nova -s <size in gigabytes>
 3. set up the host/ip in ansible host inventory
   - add to ansible/inventory/inventory under [persistent-cloud]
     - either the ip itself or the hostname you want to refer to it as
 4. setup the host_vars
   - create file named by the hostname or ip you used in the inventory
   - for adding persistent volumes add an entry like this into the host_vars file
   volumes: ['-d /dev/vdb vol-BCA33FCD', '-d /dev/vdc vol-DC833F48']
   for each volume you want to attach to the instance.
   The device names matter - they start at /dev/vdb and increment. However,
   they are not reliable IN the instance. You should find the device, partition
   it, format it and label the formatted device then mount the device by label
   or  by UUID. Do not count on the device name being the same each time.
 Contents should look like this (remove all the comments)
 ---
 # 2cpus, 3GB of ram 20GB of ephemeral space
 instance_type: m1.large 
 # image id
 image: emi-B8793915 
 keypair: fedora-admin
 # what security group to add the host to
 security_group: webserver 
 zone: fedoracloud 
 # instance id will be appended
 hostbase: hostname_base- 
 # ip should be in the 209.132.184.XXX range
 public_ip: $ip_you_selected
 # users/groups who should have root ssh access
 root_auth_users:  skvidal bkabrda 
 description: some description so someone else can know what this is
 The available images can be found by running::
   source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
   euca-describe-images | grep ami
 4. setup a host playbook ansible/playbooks/hosts/$YOUR_HOSTNAME_HERE.yml
   Note: the name of this file doesn't really matter but it should normally
         be the hostname of the host you're setting up. 
 - name: check/create instance
  hosts: $YOUR_HOSTNAME/IP HERE
  user: root
  gather_facts: False
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "{{ private }}/vars.yml"
  tasks:
  - include: "{{ tasks }}/persistent_cloud.yml"
 - name: provision instance
  hosts: $YOUR_HOSTNAME/IP HERE
  user: root
  gather_facts: True
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "{{ private }}/vars.yml"
   - /srv/web/infra/ansible/vars//{{ ansible_distribution }}.yml
  tasks:
  - include: "{{ tasks }}/cloud_setup_basic.yml
  # fill in other actions/includes/etc here
  handlers:
  - include: "{{ handlers }}/restart_services.yml
 5. add/commit the above to the git repo and push your changes
 6. set it up:
   sudo -i ansible-playbook /srv/web/infra/ansible/playbooks/hosts/$YOUR_HOSTNAME_HERE.yml
 7. login, etc
 You should be able to run that playbook over and over again safely, it will
 only setup/create a new instance if the ip is not up/responding.
 SECURITY GROUPS
 - to edit security groups you must either have your own cloud account or
  be a member of sysadmin-main
 This gives you the credential to change things in the persistent tenant
 - source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
 This lists all security groups in that tenant:
 - euca-describe-groups | grep GROUP
 the output will look like this:
 euca-describe-groups  | grep GROU
 GROUP	d4e664a10e2c4210839150be09c46e5e	default	default
 GROUP	d4e664a10e2c4210839150be09c46e5e	jenkins	jenkins instance group
 GROUP	d4e664a10e2c4210839150be09c46e5e	logstash	logstash security group
 GROUP	d4e664a10e2c4210839150be09c46e5e	smtpserver	list server group. needs web and smtp
 GROUP	d4e664a10e2c4210839150be09c46e5e	webserver	webserver security group
 GROUP	d4e664a10e2c4210839150be09c46e5e	wideopen	wideopen
 This lets you list the rules in a specific group:
 - euca-describe-group groupname
 the output will look like this:
 euca-describe-group wideopen
 GROUP	d4e664a10e2c4210839150be09c46e5e	wideopen	wideopen
 PERMISSION	d4e664a10e2c4210839150be09c46e5e	wideopen ALLOWS	tcp	1	65535	FROM	CIDR	0.0.0.0/0
 PERMISSION	d4e664a10e2c4210839150be09c46e5e	wideopen ALLOWS	icmp	-1	-1	FROM	CIDR	0.0.0.0/0
 To create a new group:
 euca-create-group -d "group description here" groupname
 To add a rule to a group:
 euca-authorize -P tcp -p 22 groupname
 euca-authorize -P icmp -t -1:-1 groupname
 To delete a rule from a group:
 euca-revoke -P tcp -p 22 groupname
 Notes:
 - Be careful removing or adding rules to existing groups b/c you could be
 impacting other instances using that security group.
 - You will almost always want to allow 22/tcp (sshd) and icmp -1 -1 (ping
 and traceroute and friends). 
 TERMINATING INSTANCES
 For transient:
 1. source /srv/private/ansible/files/openstack/transient-admin/ec2rc.sh
  - OR -
 For persistent:
 1. source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
 2. euca-describe-instances | grep <ip of your instance>
 3. euca-terminate-instances <the id, something like i-00000295>
--- a/README.md
+++ b/README.md
@ -1,143 +0,0 @@
 Fedora Infrastructure
 =====================
 Welcome! This is the Fedora Infrastructure Ansible Pagure project.
 Pull requests and forks can be made against this repository hosted
 at https://pagure.io/fedora-infra/ansible
 This repository is also mirrored for production runs to
 https://infrastructure.fedoraproject.org/infra/ansible/
 but this is the working repository where changes are made.
 If you would like to help out with Fedora Infrastructure, see:
 * https://docs.fedoraproject.org/en-US/infra/gettingstarted/
 * https://docs.fedoraproject.org/en-US/infra/apprentice/
 Ansible repository/structure
 ----------------------------
 ```
 files - files and templates for use in playbooks/tasks
      - subdirs for specific tasks/dirs highly recommended
 inventory - where the inventory and additional vars is stored
          - All files in this directory in ini format
          - added together for total inventory
  group_vars:
          - per group variables set here in a file per group
  host_vars:
          - per host variables set here in a file per host
 library - library of custom local ansible modules
 playbooks - collections of plays we want to run on systems
  groups: groups of hosts configured from one playbook.
  hosts: playbooks for single hosts.
  manual: playbooks that are only run manually by an admin as needed.
 tasks - snippets of tasks that should be included in plays
 roles - specific roles to be use in playbooks.
        Each role has it's own files/templates/vars
 filter_plugins - Jinja filters
 main.yml - This is the main playbook, consisting of all
             current group and host playbooks. Note that the
             daily cron doesn't run this, it runs even over
             playbooks that are not yet included in main.
             This playbook is usefull for making changes over
             multiple groups/hosts usually with -t (tag).
 ```
 Paths
 -----
 The public path on batcave01 (our control host) for everything is `/srv/web/infra/ansible`
 The private path on batcave01 (our control host) (which is sysadmin-main accessible only)
 is `/srv/private/ansible`
 In general to run any ansible playbook you will want to run:
 ```
 sudo -i ansible-playbook /path/to/playbook.yml
 ```
 (On batcave01, our control host)
 Scheduled check-diff
 --------------------
 Every night a cron job runs over all playbooks under `playbooks/{groups}{hosts}`
 with `ansible --check --diff`. A report from this is sent to sysadmin-logs.
 In the ideal state this report would be empty.
 Idempotency
 -----------
 All playbooks should be idempotent. Ie, if run once they should bring the
 machine(s) to the desired state, and if run again N times after that they should
 make 0 changes (because the machine(s) are in the desired state).
 Please make sure your playbooks are idempotent.
 Can be run anytime
 ------------------
 When a playbook or change is checked into ansible you should assume
 that it could be run at ***ANY TIME***. Always make sure the checked in state
 is the desired state. Always test changes when they land so they don't
 surprise you later.
 Contributing and Licensing
 --------------------------
 Contributions to this repository are subject to the Fedora Project
 Contributor Agreement. If no license is specified, the MIT license is used, otherwise
 the contribution is under the specified acceptable Fedora License.
 See https://docs.fedoraproject.org/en-US/legal/fpca/
 for more information.
 Contributing Pull Requests
 --------------------------
 If found a way to improve this repository or fix an issue found in our
 infrastructure tracker (see https://pagure.io/fedora-infrastructure/issues)
 open a pull-request.
 You either should have capability to run the playbooks after they have been reviewed,
 and merged or find the person responsible and work with them to make sure the changes
 will be aplied afterwards. 
 We are currently working on a simple to use list of Point Of Contanct people for the applications
 here, untill it is done, you can, look at people that recently edited the ansible files,
 or if you belong to sysadmin group, view the /etc/ansible_utils/rbac.yaml located on batcave01,
 where you can see the groups of people that have capabilities to run the relevant playbooks.
 For example, to upgrade Release Monitoring, you need to run playbook openshift-apps/release-monitoring.yaml.
 People in sysadmin-releasemonitoring have that capability, and you cand find the members in https://accounts.fedoraproject.org/group/sysadmin-releasemonitoring/
 If the application in question is not on the critical path it should be sufficient,
 if person responsible for the application reviews the PR.
 If the files in question are on the critical path, that are necessary for functioning packager workflow,
 at least two different people should review the PR.
 If there is any risk at all, that the application of the changes would induce downtime,
 work closely with other to ensure that the downtime is properly scheduled:
 - there is an issue in https://pagure.io/fedora-infrastructure/issues specifying the downtime
 - there is an email sent to the devel-list
 - https://status.fedoraproject.org is updated (see https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/status-fedora/)
 Applications on critical path: pagure, mirrormanager, toddlers, bodhi, noggin, mdapi, rpmautospec, 
 pagure-dist-git, mirror_from_pagure, fedora-messaging, dist-git, PDC/FPDC, FMN, sigul
 robosignatory, tag2distrepo, ci-resultsdb-listener, stylo, mirrorlist
 resultsdb, Nagios, koschei, wiki / mediawiki, wiki / moin, waiverdb, 
 greenwave, ODCS, Mailman3 / HK, mailman 2, OSBS, pungi, koji, MBS, 
 IPA, rabbitmq, geoip,ipsilon
--- a/20
+++ b/20
@ -1,20 +0,0 @@
 infrastructure ansible style guide
 ==================================
 * Use 'yml' instead of 'yaml'
 * do add '.j2' to the end of templates
 * in general let readablity trump grepability, i.e.:
 DONT:
 - name: This is some play
  module: name=thing arg=thing2 anotherlongerarg=thing arg4=anodheranth
 DO:
 - name: This is some play
  module:
  - name: thing
  - arg: thing2
 ..etc
--- a/17
+++ b/17
@ -0,0 +1,17 @@
 - make it easy to run playbooks against cloud instances w/o modifying 
  inventory or changing host entries in playbooks
 - define standards for:
  - playbook naming
  - play naming
  - hosts or service or groups for talking to sets of systems
  - tags:
     - config
     - service
     - initonly
 - figure out how and where we are going to run these from cron
 - merge in tasks/playbooks/inventory/etc from:
  - builders
--- a/callback_plugins/fedmsg_callback.py
+++ b/callback_plugins/fedmsg_callback.py
@ -0,0 +1,93 @@
 # (C) 2012, Michael DeHaan, <michael.dehaan@gmail.com>
 # based on the log_plays example
 # skvidal@fedoraproject.org
 # rbean@redhat.com
 # Ansible is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # Ansible is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 import os
 import pwd
 import fedmsg
 import fedmsg.config
 def getlogin():
    try:
        user = os.getlogin()
    except OSError, e:
        user = pwd.getpwuid(os.geteuid())[0]
    return user
 class CallbackModule(object):
    """ Publish playbook starts and stops to fedmsg. """
    playbook_path = None
    def __init__(self):
        config = fedmsg.config.load_config()
        config.update(dict(
            name='relay_inbound',
            cert_prefix='shell',
            active=True,
        ))
        # It seems like recursive playbooks call this over and over again and
        # fedmsg doesn't like to be initialized more than once.  So, here, just
        # catch that and ignore it.
        try:
            fedmsg.init(**config)
        except ValueError:
            pass
    def playbook_on_play_start(self, pattern):
        # This gets called once for each play.. but we just issue a message once
        # for the first one.  One per "playbook"
        play = getattr(self, 'play', None)
        if play:
            # figure out where the playbook FILE is
            path = os.path.abspath(play.playbook.filename)
            # Bail out early without publishing if we're in --check mode
            if play.playbook.check:
                return
            if not self.playbook_path:
                fedmsg.publish(
                    modname="ansible", topic="playbook.start",
                    msg=dict(
                        playbook=path,
                        userid=getlogin(),
                        extra_vars=play.playbook.extra_vars,
                        inventory=play.playbook.inventory.host_list,
                        playbook_checksum=play.playbook.check,
                        check=play.playbook.check,
                    ),
                )
                self.playbook_path = path
    def playbook_on_stats(self, stats):
        if not self.playbook_path:
            return
        results = dict([(h, stats.summarize(h)) for h in stats.processed])
        fedmsg.publish(
            modname="ansible", topic="playbook.complete",
            msg=dict(
                playbook=self.playbook_path,
                userid=getlogin(),
                results=results,
            ),
        )
--- a/callback_plugins/fedora_messaging_callback.py
+++ b/callback_plugins/fedora_messaging_callback.py
@ -1,137 +0,0 @@
 # (C) 2012, Michael DeHaan, <michael.dehaan@gmail.com>
 # based on the log_plays example
 # skvidal@fedoraproject.org
 # rbean@redhat.com
 # karsten@redhat.com  changes for fedora-messaging
 # abompard@redhat.com changes to adapt to ansible's specific python
 # Ansible is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # Ansible is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 import json
 import logging
 import os
 import pwd
 import uuid
 from subprocess import run, PIPE, STDOUT
 from tempfile import NamedTemporaryFile
 try:
    from ansible.plugins.callback import CallbackBase
 except ImportError:
    # Ansible v1 compat
    CallbackBase = object
 try:
    from ansible.utils.hashing import secure_hash
 except ImportError:
    from ansible.utils import md5 as secure_hash
 LOGGER = logging.getLogger(__name__)
 FEDORA_MESSAGING_CONF = "/etc/fedora-messaging/batcave-messaging.toml"
 def getlogin():
    try:
        user = os.getlogin()
    except OSError:
        user = pwd.getpwuid(os.geteuid())[0]
    return user
 def send_message(msg):
    msg["id"] = str(uuid.uuid4())
    msg["headers"] = {
        "fedora_messaging_schema": "base.message",
        "fedora_messaging_severity": 20,
    }
    env = os.environ.copy()
    env["FEDORA_MESSAGING_CONF"] = FEDORA_MESSAGING_CONF
    with NamedTemporaryFile(mode="w+", buffering=1) as msg_file:
        json.dump(msg, msg_file)
        msg_file.write("\n")
        result = run(
            ["fedora-messaging", "publish", msg_file.name],
            stdout=PIPE, stderr=STDOUT, text=True, env=env,
        )
    if result.returncode > 0:
        LOGGER.warning(f"Fedora Messaging plugin failed: {result.stdout}")
        print(f"Fedora Messaging plugin failed: {result.stdout}")
 class CallbackModule(CallbackBase):
    """ Publish playbook starts and stops to fedora_messaging. """
    CALLBACK_NAME = "fedora_messaging_callback"
    CALLBACK_TYPE = "notification"
    CALLBACK_VERSION = 2.0
    CALLBACK_NEEDS_WHITELIST = True
    playbook_path = None
    def __init__(self):
        self.play = None
        self.playbook = None
        super(CallbackModule, self).__init__()
    def set_play_context(self, play_context):
        self.play_context = play_context
    def v2_playbook_on_start(self, playbook):
        self.playbook = playbook
    def v2_playbook_on_play_start(self, play):
        # This gets called once for each play.. but we just issue a message once
        # for the first one.  One per "playbook"
        if not self.playbook:
            return
        # figure out where the playbook FILE is
        path = os.path.abspath(self.playbook._file_name)
        # Bail out early without publishing if we're in --check mode
        if self.play_context.check_mode:
            return
        # Only publish on playbook start
        if self.playbook_path:
            return
        msg = {
            "topic": "ansible.playbook.start",
            "body": {
                'playbook': path,
                'userid': getlogin(),
                'extra_vars': play._variable_manager.extra_vars,
                'inventory': play._variable_manager._inventory._sources,
                'playbook_checksum': secure_hash(path),
                'check': self.play_context.check_mode
            },
        }
        send_message(msg)
        self.playbook_path = path
    def v2_playbook_on_stats(self, stats):
        if not self.playbook_path:
            return
        results = dict([(h, stats.summarize(h)) for h in stats.processed])
        msg = {
            "topic": "ansible.playbook.complete",
            "body": {
                'playbook': self.playbook_path,
                'userid': getlogin(),
                'results': results
            },
        }
        send_message(msg)
--- a/callback_plugins/logdetail.py
+++ b/callback_plugins/logdetail.py
@ -15,68 +15,37 @@
 # You should have received a copy of the GNU General Public License
 # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 # Make coding more python3-ish
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 DOCUMENTATION = r'''
 callback: logdetail
 callback_type: notification
 short_description: Logs playbook results, per date, playbook and host.
 description: Logs playbook results, per date, playbook and host, in I(log_path).
 options:
  log_path:
    description: The path where log files will be created.
    default: /var/log/ansible
    ini:
    - section: callback_logdetail
      key: log_path
    env:
    - name: ANSIBLE_LOGDETAIL_PATH
 '''
 import os
 import time
 import json
 import pwd
-import gzip
+from ansible import utils
-try:
+TIME_FORMAT="%b %d %Y %H:%M:%S"
    from ansible.utils.hashing import secure_hash
 except ImportError:
    from ansible.utils import md5 as secure_hash
-try:
+MSG_FORMAT="%(now)s\t%(count)s\t%(category)s\t%(name)s\t%(data)s\n"
    from ansible.plugins.callback import CallbackBase
 except ImportError:
    # Ansible v1 compat
    CallbackBase = object
 TIME_FORMAT = "%b %d %Y %H:%M:%S"
 MSG_FORMAT = "%(now)s\t%(count)s\t%(category)s\t%(name)s\t%(data)s\n"
 LOG_PATH = '/var/log/ansible'
 def getlogin():
    try:
        user = os.getlogin()
-    except OSError:
+    except OSError, e:
        user = pwd.getpwuid(os.geteuid())[0]
    return user
 class LogMech(object):
-    def __init__(self, logpath):
+    def __init__(self):
        self.started = time.time()
        self.pid = str(os.getpid())
        self._pb_fn = None
        self._last_task_start = None
        self.play_info = {}
-        self.logpath = logpath
+        self.logpath = LOG_PATH
        if not os.path.exists(self.logpath):
            try:
-                os.makedirs(self.logpath, mode=0o750)
+                os.makedirs(self.logpath, mode=0750)
-            except OSError as e:
+            except OSError, e:
                if e.errno != 17:
                    raise
@ -102,7 +71,7 @@ class LogMech(object):
        if not os.path.exists(path):
            try:
                os.makedirs(path)
-            except OSError as e:
+            except OSError, e:
                if e.errno != 17: # if it is not dir exists then raise it up
                    raise
@ -119,8 +88,8 @@ class LogMech(object):
    def task_to_json(self, task):
        res = {}
        res['task_name'] = task.name
-        res['task_module'] = task.action
+        res['task_module'] = task.module_name
-        res['task_args'] = task.args
+        res['task_args'] = task.module_args
        if self.playbook_id == 'ansible-cmd':
            res['task_userid'] = getlogin()
        for k in ("delegate_to", "environment", "with_first_found",
@ -138,21 +107,22 @@ class LogMech(object):
            host = 'HOSTMISSING'
        if type(data) == dict:
-            name = data.get('module_name', None)
+            name = data.get('module_name',None)
        else:
            name = "unknown"
        # we're in setup - move the invocation  info up one level
        if 'invocation' in data:
            invoc = data['invocation']
            if not name and 'module_name' in invoc:
                name = invoc['module_name']
-            # don't add this since it can often contain complete passwords :(
+            #don't add this since it can often contain complete passwords :(
            del(data['invocation'])
        if task:
-            name = task._name
+            name = task.name
            data['task_start'] = self._last_task_start
            data['task_end'] = time.time()
            data.update(self.task_to_json(task))
@ -168,96 +138,116 @@ class LogMech(object):
        elif self.play_info.get('check', False):    
            category = 'CHECK:' + category
-        # Sometimes this is None.. othertimes it's fine.  Othertimes it has
+        fd = open(self.logpath_play + '/' + host + '.log', 'a')
        # trailing whitespace that kills logview.  Strip that, when possible.
        if name:
            name = name.strip()
        sanitize_host = host.replace(' ', '_').replace('>', '-')
        fd = gzip.open(self.logpath_play + '/' + sanitize_host + '.log.gz', 'at')
        now = time.strftime(TIME_FORMAT, time.localtime())
        fd.write(MSG_FORMAT % dict(now=now, name=name, count=count, category=category, data=json.dumps(data)))
        fd.close()
-class CallbackModule(CallbackBase):
+logmech = LogMech()
 class CallbackModule(object):
    """
    logs playbook results, per host, in /var/log/ansible/hosts
    """
    CALLBACK_NAME = 'logdetail'
    CALLBACK_TYPE = 'notification'
    CALLBACK_VERSION = 2.0
    CALLBACK_NEEDS_WHITELIST = True
    def __init__(self):
        self._task_count = 0
        self._play_count = 0
        self.task = None
        self.playbook = None
-        super(CallbackModule, self).__init__()
+    def on_any(self, *args, **kwargs):
-        self.set_options()
+        pass
        self.logmech = LogMech(self.get_option('log_path'))
    def set_play_context(self, play_context):
        self.play_context = play_context
-    def v2_runner_on_failed(self, result, ignore_errors=False):
+    def runner_on_failed(self, host, res, ignore_errors=False):
        category = 'FAILED'
-        self.logmech.log(result._host.get_name(), category, result._result, self.task, self._task_count)
+        task = getattr(self,'task', None)
        logmech.log(host, category, res, task, self._task_count)
-    def v2_runner_on_ok(self, result):
+
    def runner_on_ok(self, host, res):
        category = 'OK'
-        self.logmech.log(result._host.get_name(), category, result._result, self.task, self._task_count)
+        task = getattr(self,'task', None)
        logmech.log(host, category, res, task, self._task_count)
-    def v2_runner_on_skipped(self, result):
+
    def runner_on_error(self, host, res):
        category = 'ERROR'
        task = getattr(self,'task', None)
        logmech.log(host, category, res, task, self._task_count)
    def runner_on_skipped(self, host, item=None):
        category = 'SKIPPED'
        task = getattr(self,'task', None)
        res = {}
-        res['item'] = self._get_item_label(getattr(result._result, 'results', {}))
+        res['item'] = item
-        self.logmech.log(result._host.get_name(), category, res, self.task, self._task_count)
+        logmech.log(host, category, res, task, self._task_count)
-    def v2_runner_on_unreachable(self, result):
+    def runner_on_unreachable(self, host, output):
        category = 'UNREACHABLE'
        task = getattr(self,'task', None)
        res = {}
-        res['output'] = result._result
+        res['output'] = output
-        self.logmech.log(result._host.get_name(), category, res, self.task, self._task_count)
+        logmech.log(host, category, res, task, self._task_count)
-    def v2_runner_on_async_failed(self, result):
+    def runner_on_no_hosts(self):
        pass
    def runner_on_async_poll(self, host, res, jid, clock):
        pass
    def runner_on_async_ok(self, host, res, jid):
        pass
    def runner_on_async_failed(self, host, res, jid):
        category = 'ASYNC_FAILED'
-        self.logmech.log(result._host.get_name(), category, result._result, self.task, self._task_count)
+        task = getattr(self,'task', None)
        logmech.log(host, category, res, task, self._task_count)
-    def v2_playbook_on_start(self, playbook):
+    def playbook_on_start(self):
-        self.playbook = playbook
+        pass
-    def v2_playbook_on_task_start(self, task, is_conditional):
+    def playbook_on_notify(self, host, handler):
-        self.task = task
+        pass
-        if self.task:
+
-            self.task._name = task.get_name().strip()
+    def playbook_on_no_hosts_matched(self):
-        self.logmech._last_task_start = time.time()
+        pass
    def playbook_on_no_hosts_remaining(self):
        pass
    def playbook_on_task_start(self, name, is_conditional):
        logmech._last_task_start = time.time()
        self._task_count += 1
-    def v2_playbook_on_setup(self):
+    def playbook_on_vars_prompt(self, varname, private=True, prompt=None, encrypt=None, confirm=False, salt_size=None, salt=None, default=None):
-        self._task_count += 1
+        pass
-    def v2_playbook_on_import_for_host(self, result, imported_file):
+    def playbook_on_setup(self):
        self._task_count += 1
        pass
    def playbook_on_import_for_host(self, host, imported_file):
        task = getattr(self,'task', None)
        res = {}
        res['imported_file'] = imported_file
-        self.logmech.log(result._host.get_name(), 'IMPORTED', res, self.task)
+        logmech.log(host, 'IMPORTED', res, task)
-    def v2_playbook_on_not_import_for_host(self, result, missing_file):
+    def playbook_on_not_import_for_host(self, host, missing_file):
        task = getattr(self,'task', None)
        res = {}
        res['missing_file'] = missing_file
-        self.logmech.log(result._host.get_name(), 'NOTIMPORTED', res, self.task)
+        logmech.log(host, 'NOTIMPORTED', res, task)
-    def v2_playbook_on_play_start(self, play):
+    def playbook_on_play_start(self, pattern):
        self._task_count = 0
        play = getattr(self, 'play', None)
        if play:
            # figure out where the playbook FILE is
-            path = os.path.abspath(self.playbook._file_name)
+            path = os.path.abspath(play.playbook.filename)
            # tel the logger what the playbook is
-            self.logmech.playbook_id = path
+            logmech.playbook_id = path
            # if play count == 0
            # write out playbook info now
@ -266,35 +256,33 @@ class CallbackModule(CallbackBase):
                pb_info['playbook_start'] = time.time()
                pb_info['playbook'] = path
                pb_info['userid'] = getlogin()
-                pb_info['extra_vars'] = play._variable_manager.extra_vars
+                pb_info['extra_vars'] = play.playbook.extra_vars
-                pb_info['inventory'] = play._variable_manager._inventory._sources
+                pb_info['inventory'] = play.playbook.inventory.host_list
-                pb_info['playbook_checksum'] = secure_hash(path)
+                pb_info['playbook_checksum'] = utils.md5(path)
-                if hasattr(self, "play_context"):
+                pb_info['check'] = play.playbook.check
-                    pb_info['check'] = self.play_context.check_mode
+                pb_info['diff'] = play.playbook.diff
-                    pb_info['diff'] = self.play_context.diff
+                logmech.play_log(json.dumps(pb_info, indent=4))
                self.logmech.play_log(json.dumps(pb_info, indent=4))
            self._play_count += 1
            # then write per-play info that doesn't duplcate the playbook info
            info = {}
            info['play'] = play.name
            info['hosts'] = play.hosts
            info['transport'] = play.transport
            info['number'] = self._play_count
-            if hasattr(self, "play_context"):
+            info['check'] = play.playbook.check
-                info['transport'] = str(self.play_context.connection)
+            info['diff'] = play.playbook.diff
-                info['check'] = self.play_context.check_mode
+            logmech.play_info = info
-                info['diff'] = self.play_context.diff
+            logmech.play_log(json.dumps(info, indent=4))
            self.logmech.play_info = info
            try:
                self.logmech.play_log(json.dumps(info, indent=4))
            except TypeError:
                print(("Failed to conver to JSON:", info))
-    def v2_playbook_on_stats(self, stats):
+
    def playbook_on_stats(self, stats):
        results = {}
-        for host in list(stats.processed.keys()):
+        for host in stats.processed.keys():
            results[host] = stats.summarize(host)
-            self.logmech.log(host, 'STATS', results[host])
+            logmech.log(host, 'STATS', results[host])
-        self.logmech.play_log(json.dumps({'stats': results}, indent=4))
+        logmech.play_log(json.dumps({'stats': results}, indent=4))
-        self.logmech.play_log(json.dumps({'playbook_end': time.time()}, indent=4))
+        logmech.play_log(json.dumps({'playbook_end': time.time()}, indent=4))
-        print(('logs written to: %s' % self.logmech.logpath_play))
+        print 'logs written to: %s' % logmech.logpath_play
--- a/callback_plugins/profile_tasks.py
+++ b/callback_plugins/profile_tasks.py
@ -0,0 +1,40 @@
 import time
 class CallbackModule(object):
    """
    A plugin for timing tasks
    """
    def __init__(self):
        self.stats = {}
        self.current = None
    def playbook_on_task_start(self, name, is_conditional):
        """
        Logs the start of each task
        """
        if self.current is not None:
            # Record the running time of the last executed task 
            self.stats[self.current] = time.time() - self.stats[self.current]
        # Record the start time of the current task
        self.current = name
        self.stats[self.current] = time.time()
    def playbook_on_stats(self, stats):
        """
        Prints the timings
        """
        # Record the timing of the very last task
        if self.current is not None:
            self.stats[self.current] = time.time() - self.stats[self.current]
        # Sort the tasks by their running time
        results = sorted(self.stats.items(), key=lambda value: value[1], reverse=True)
        # Just keep the top 10
        results = results[:10]
        # Print the timings
        for name, elapsed in results:
            print "{0:-<70}{1:->9}".format('{0} '.format(name), ' {0:.02f}s'.format(elapsed))
--- a/files/2fa/pam_url.conf.fakefas01.fedoraproject.org
+++ b/files/2fa/pam_url.conf.fakefas01.fedoraproject.org
@ -0,0 +1,21 @@
 pam_url:
 {
 	settings:
 	{
 		url = "https://fas-all.phx2.fedoraproject.org:8443/";	# URI to fetch
 		returncode = "OK";				# The remote script/cgi should return a 200 http code and this string as its only results
 		userfield = "user";				# userfield name to send
 		passwdfield = "token";				# passwdfield name to send
 		extradata = "&do=login";			# extradata to send
 		prompt = "Password+Token: ";			# password prompt
 	};
 	ssl:
 	{
 		verify_peer = true;				# Should we verify SSL ?
 		verify_host = true;				# Should we verify the CN in the SSL cert?
 		client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
 		client_key  = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
                ca_cert     = "/etc/pki/tls/private/totpcgi-ca.cert";
 	};
 };
--- a/files/2fa/pam_url.conf.j2
+++ b/files/2fa/pam_url.conf.j2
@ -0,0 +1,27 @@
 pam_url:
 {
 	settings:
 	{
                {% if env == 'staging' %}
 		url = "https://fas-all.stg.phx2.fedoraproject.org:8443/";	# URI to fetch
                {% elif datacenter == 'phx2' %}
 		url = "https://fas-all.phx2.fedoraproject.org:8443/";	# URI to fetch
                {% else %}
 		url = "https://fas-all.vpn.fedoraproject.org:8443/";	# URI to fetch   
                {% endif %}
 		returncode = "OK";				# The remote script/cgi should return a 200 http code and this string as its only results
 		userfield = "user";				# userfield name to send
 		passwdfield = "token";				# passwdfield name to send
 		extradata = "&do=login";			# extradata to send
 		prompt = "Password+Token: ";			# password prompt
 	};
 	ssl:
 	{
 		verify_peer = true;				# Should we verify SSL ?
 		verify_host = true;				# Should we verify the CN in the SSL cert?
 		client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
 		client_key  = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
                ca_cert     = "/etc/pki/tls/private/totpcgi-ca.cert";
 	};
 };
--- a/files/2fa/pam_url.conf.stg.fedoraproject.org
+++ b/files/2fa/pam_url.conf.stg.fedoraproject.org
@ -0,0 +1,21 @@
 pam_url:
 {
 	settings:
 	{
 		url = "https://fas-all.stg.phx2.fedoraproject.org:8443/";	# URI to fetch
 		returncode = "OK";				# The remote script/cgi should return a 200 http code and this string as its only results
 		userfield = "user";				# userfield name to send
 		passwdfield = "token";				# passwdfield name to send
 		extradata = "&do=login";			# extradata to send
 		prompt = "Password+Token: ";			# password prompt
 	};
 	ssl:
 	{
 		verify_peer = true;				# Should we verify SSL ?
 		verify_host = true;				# Should we verify the CN in the SSL cert?
 		client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
 		client_key  = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
                ca_cert     = "/etc/pki/tls/private/totpcgi-ca.cert";
 	};
 };
--- a/files/2fa/pam_url.conf.taskotron-stg01.qa.fedoraproject.org
+++ b/files/2fa/pam_url.conf.taskotron-stg01.qa.fedoraproject.org
@ -0,0 +1,27 @@
 pam_url:
 {
 	settings:
 	{
                {% if env == 'staging' %}
 		url = "https://fas-all.stg.phx2.fedoraproject.org:8443/";	# URI to fetch
                {% elif datacenter == 'phx2' %}
 		url = "https://fas-all.phx2.fedoraproject.org:8443/";	# URI to fetch
                {% else %}
 		url = "https://fas-all.vpn.fedoraproject.org:8443/";	# URI to fetch   
                {% endif %}
 		returncode = "OK";				# The remote script/cgi should return a 200 http code and this string as its only results
 		userfield = "user";				# userfield name to send
 		passwdfield = "token";				# passwdfield name to send
 		extradata = "&do=login";			# extradata to send
 		prompt = "Password+Token: ";			# password prompt
 	};
 	ssl:
 	{
 		verify_peer = true;				# Should we verify SSL ?
 		verify_host = true;				# Should we verify the CN in the SSL cert?
 		client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
 		client_key  = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
                ca_cert     = "/etc/pki/tls/private/totpcgi-ca.cert";
 	};
 };
--- a/files/2fa/pam_url.conf.vpn.fedoraproject.org
+++ b/files/2fa/pam_url.conf.vpn.fedoraproject.org
@ -0,0 +1,21 @@
 pam_url:
 {
 	settings:
 	{
 		url = "https://fas-all.vpn.fedoraproject.org:8443/";	# URI to fetch
 		returncode = "OK";				# The remote script/cgi should return a 200 http code and this string as its only results
 		userfield = "user";				# userfield name to send
 		passwdfield = "token";				# passwdfield name to send
 		extradata = "&do=login";			# extradata to send
 		prompt = "Password+Token: ";			# password prompt
 	};
 	ssl:
 	{
 		verify_peer = true;				# Should we verify SSL ?
 		verify_host = true;				# Should we verify the CN in the SSL cert?
 		client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
 		client_key  = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
                ca_cert     = "/etc/pki/tls/private/totpcgi-ca.cert";
 	};
 };
--- a/files/2fa/sudo.pam
+++ b/files/2fa/sudo.pam
@ -0,0 +1,11 @@
 #%PAM-1.0
 auth       required     pam_env.so
 auth       sufficient   pam_url.so config=/etc/pam_url.conf
 auth       requisite    pam_succeed_if.so uid >= 500 quiet
 auth       required     pam_deny.so
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
--- a/files/2fa/sudo.pam.dev.fedoraproject.org
+++ b/files/2fa/sudo.pam.dev.fedoraproject.org
@ -0,0 +1,6 @@
 #%PAM-1.0
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
--- a/files/artboard/artboard-backup
+++ b/files/artboard/artboard-backup
@ -0,0 +1,6 @@
 #!/bin/sh
 SNAPSHOTTIME=$(date +"%m-%d-%Y")
 cd /srv/persist
 echo "Snapshot taken $SNAPSHOTTIME.\n" >> /var/www/html/artboard/artboard-backup-summary.log
 tar -zcvf "artboard-backup.tar.gz" artboard
--- a/files/artboard/artboard.conf
+++ b/files/artboard/artboard.conf
@ -0,0 +1,9 @@
 <Directory "/var/www/html/artboard">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
 </Directory>
--- a/files/artboard/redirect.conf
+++ b/files/artboard/redirect.conf
@ -0,0 +1,2 @@
 RedirectMatch "^/$" /artboard/
--- a/files/aws/iam/policies/fcos-builds-releng.json
+++ b/files/aws/iam/policies/fcos-builds-releng.json
@ -1,87 +0,0 @@
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutAnalyticsConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:CreateBucket",
                "s3:ReplicateObject",
                "s3:GetObjectAcl",
                "s3:GetBucketObjectLockConfiguration",
                "s3:DeleteBucketWebsite",
                "s3:PutLifecycleConfiguration",
                "s3:GetObjectVersionAcl",
                "s3:HeadBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicyStatus",
                "s3:GetObjectRetention",
                "s3:GetBucketWebsite",
                "s3:ListJobs",
                "s3:PutReplicationConfiguration",
                "s3:PutObjectLegalHold",
                "s3:GetObjectLegalHold",
                "s3:GetBucketNotification",
                "s3:PutBucketCORS",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutBucketNotification",
                "s3:DescribeJob",
                "s3:PutBucketLogging",
                "s3:GetAnalyticsConfiguration",
                "s3:PutBucketObjectLockConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:CreateJob",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucketByTags",
                "s3:GetInventoryConfiguration",
                "s3:GetBucketTagging",
                "s3:PutAccelerateConfiguration",
                "s3:DeleteObjectVersion",
                "s3:GetBucketLogging",
                "s3:ListBucketVersions",
                "s3:RestoreObject",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketPolicy",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:GetObjectVersionTorrent",
                "s3:AbortMultipartUpload",
                "s3:GetBucketRequestPayment",
                "s3:UpdateJobPriority",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:DeleteBucket",
                "s3:PutBucketVersioning",
                "s3:GetBucketPublicAccessBlock",
                "s3:ListBucketMultipartUploads",
                "s3:PutMetricsConfiguration",
                "s3:UpdateJobStatus",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:PutInventoryConfiguration",
                "s3:GetObjectTorrent",
                "s3:GetAccountPublicAccessBlock",
                "s3:PutBucketWebsite",
                "s3:ListAllMyBuckets",
                "s3:PutBucketRequestPayment",
                "s3:PutObjectRetention",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:ReplicateDelete",
                "s3:GetObjectVersion"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "209.132.181.102/32"
                }
            }
        }
    ]
 }
--- a/files/aws/iam/policies/fcos-poc-artifacts.json
+++ b/files/aws/iam/policies/fcos-poc-artifacts.json
@ -1,23 +0,0 @@
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObjectAcl",
            "Resource": [
                "arn:aws:s3:::fcos-builds/*",
                "arn:aws:s3:::fcos-builds"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::fcos-builds/*",
                "arn:aws:s3:::fcos-builds"
            ]
        }
    ]
 }
--- a/files/aws/iam/policies/fcos-upload-amis.json
+++ b/files/aws/iam/policies/fcos-upload-amis.json
@ -1,44 +0,0 @@
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:ImportVolume",
                "ec2:CreateTags",
                "ec2:RegisterImage",
                "ec2:DeregisterImage",
                "ec2:CancelConversionTask",
                "ec2:CreateSnapshot",
                "ec2:ImportSnapshot",
                "ec2:CancelImportTask",
                "ec2:DeleteSnapshot",
                "ec2:CopyImage",
                "ec2:DescribeImageAttribute",
                "ec2:ModifyImageAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeImportSnapshotTasks",
                "ec2:DescribeImages",
                "ec2:DeleteVolume",
                "ec2:ModifySnapshotAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVolumes",
                "ec2:DescribeRegions",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*::image/*"
            ]
        }
    ]
 }
--- a/files/aws/iam/policies/fedora-centos-ec2.json
+++ b/files/aws/iam/policies/fedora-centos-ec2.json
@ -1,51 +0,0 @@
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDescription",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "iam:PassRole",
                "iam:ListInstanceProfiles",
                "ec2:ImportKeyPair",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowWhenOwnerOrUntagged",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Condition": {
                "StringEqualsIfExists": {
                    "ec2:ResourceTag/FedoraGroup": [
                        "centos"
                    ]
                }
            },
            "Resource": [
                "arn:aws:ec2:*:*:capacity-reservation/*",
                "arn:aws:ec2:*:*:elasticGpu/*",
                "arn:aws:ec2:*::fpga-image/*",
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:launch-template/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:reserved-instances/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*::spot-instance-request/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:subnet/*"
            ]
        }
    ]
 }
--- a/files/aws/iam/policies/fedora-copr-ec2.json
+++ b/files/aws/iam/policies/fedora-copr-ec2.json
@ -1,51 +0,0 @@
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDescription",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "iam:PassRole",
                "iam:ListInstanceProfiles",
                "ec2:ImportKeyPair",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowWhenOwnerOrUntagged",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Condition": {
                "StringEqualsIfExists": {
                    "ec2:ResourceTag/FedoraGroup": [
                        "copr"
                    ]
                }
            },
            "Resource": [
                "arn:aws:ec2:*:*:capacity-reservation/*",
                "arn:aws:ec2:*:*:elasticGpu/*",
                "arn:aws:ec2:*::fpga-image/*",
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:launch-template/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:reserved-instances/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*::spot-instance-request/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:subnet/*"
            ]
        }
    ]
 }
--- a/files/aws/iam/policies/fedora-infra-ec2.json
+++ b/files/aws/iam/policies/fedora-infra-ec2.json
@ -1,45 +0,0 @@
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "iam:PassRole",
                "ec2:ImportKeyPair",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "iam:ListInstanceProfiles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:elasticGpu/*",
                "arn:aws:ec2:*:*:reserved-instances/*",
                "arn:aws:ec2:*:*:launch-template/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:capacity-reservation/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*::spot-instance-request/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*::fpga-image/*",
                "arn:aws:ec2:*::image/*"
            ],
            "Condition": {
                "StringEqualsIfExists": {
                    "ec2:ResourceTag/FedoraGroup": "infra"
                }
            }
        }
    ]
 }
--- a/files/aws/iam/policies/robosignatory-fcos-devel.json
+++ b/files/aws/iam/policies/robosignatory-fcos-devel.json
@ -1,36 +0,0 @@
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteToTestBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPublicAccessBlock",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetBucketTagging",
                "s3:GetObjectTagging",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::*/*",
                "arn:aws:s3:::robosig-dev-fcos-builds"
            ]
        },
        {
            "Sid": "ReadFromProdBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*/*",
                "arn:aws:s3:::fcos-builds"
            ]
        }
    ]
 }
--- a/files/common/RPM-GPG-KEY-CentOS-SIG-Messaging
+++ b/files/common/RPM-GPG-KEY-CentOS-SIG-Messaging
@ -1,32 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 mQENBF3jBZQBCAC3mGl8pmWoOuUzh8rJAbaqiOXEZ8wa904VN2bTDgxydtwL16cy
 ad54OaW+jyD0+api5b5pKmmu+7qLT3vfndITQaF8lE1w+1qSFFJpbxOSsqU7rVx5
 +KpqfmfBJ9/jTIQsCcIdcx8Ajachgjifj1bM48quYE5pQp4YTu+I/HhwjacO9CEt
 yIcX48wph2CbvY/xPX8E+8kdrc4/gd3F9c5Nmvj5Xa22QsXpCzrJSO5Vm8NIGycU
 O4NhE4ctQLa5MqydvyAyORA4IYrzsK1Ioa8MJeeKvUQ46NWR+N2AsTQPbnULAiJM
 ef3giEt56YpPx3JMe7G4XfAgsnYQphhFdV5VABEBAAG0Y0NlbnRPUyBNZXNzYWdp
 bmcgU0lHIChodHRwczovL3dpa2kuY2VudG9zLm9yZy9TcGVjaWFsSW50ZXJlc3RH
 cm91cC9NZXNzYWdpbmcpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQoAIwIb
 AwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJiTWLmAAoJEIMBTrvhbg0SQFYH
 /0RFI9yxWGchuygAlsiX8bBgp0oM/vWmX+b5gZuZBM0vCPFYgICCSG5yVcRZofqx
 QBCOQ5tCVPlGR6DGxRjKlJJ5AIFLDh57no76wbR+RQAzMzXxrRNSlbu8ccwJX10e
 njSOLvPvKXq16HuLq2PJ2p7ZkmsCpab9fiD080RFXvgr9cQ7etE5jp55zo5zRmF6
 CGSpjZKcgVwRc5zPq3W1OwT7LQNZhClotlWT3RjujkmFkhYjEK4Q2HO9dRc/lHXz
 B24suCv7wGtyUcGr1ghqNGQV5kr2uBpqTK8pvOFs+jJRczGmnUcY8YVKUo/fJZEV
 eGTZc4X0Gfhq2nGTWE4xcDy5AQ0EXeMFlAEIANFN5aHtItH/5c0hxBNv8S4yDnEm
 NwHKzWQBPJv69zjcokjYyAImRs6EqbEKL2hWA+9AbrLOC+s1Fya3U0EJIZmVKsuj
 8GFaFBB7l26t596re8aWMWf+sbHGgBPHxi+Z/3LAkBGViI5r1WZO1h3b/v9j3QOA
 A8WIVAcqGzwbBQDCV4zVZuePoNouYhMLvjai3Y3Ydd8vnZyGT02Zk4zYgBOw7cnh
 0yveyYxJ+11x53UJXFmGI/vbslqmnWawp0eqT5T/TH45KNXHglvGqPct+6FdQ9N/
 sIFjjYDXxuFNr3jCleXdP3SSi+Fvx7OrIVGmXNa0b02DWjci0wouXR0kGn0AEQEA
 AYkBHwQYAQoACQIbDAUCYk1i2gAKCRCDAU674W4NEgtpB/9YAciHdlQm9Bfk/lwA
 otibXlqqzQAtjQ7UAbHsPYL1s8ty1RxrW3Moi2y6fVFcFaDpzo8MEXO22TV7Pff+
 hnhvea/XhXcIpTCEKfuK2gapvVIQ6cHFqpbthrzTj7SAOdp9mxkxdqXYVsiMAoWl
 PweZDxc+S73ryC6OexoI6s/HJBQcmcnhArdQUAxQQed//oEFfz+Gznj3VBsFumMV
 Hldqd3MYc1mcPC5ok4oBoBY2QYg74NYSxIZU5DVsv/rJYrw0cz7+539f9TgOCYqs
 GbyAJgLIJBBZnS0rPyqCEbMyV1H2ah2FgPGFKxo1uVtRWA2/oulu96uHJFeN9rSg
 Ud3Q
 =SGO3
 -----END PGP PUBLIC KEY BLOCK-----
--- a/files/common/RPM-GPG-KEY-EPEL-7
+++ b/files/common/RPM-GPG-KEY-EPEL-7
@ -1,29 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 mQINBFKuaIQBEAC1UphXwMqCAarPUH/ZsOFslabeTVO2pDk5YnO96f+rgZB7xArB
 OSeQk7B90iqSJ85/c72OAn4OXYvT63gfCeXpJs5M7emXkPsNQWWSju99lW+AqSNm
 jYWhmRlLRGl0OO7gIwj776dIXvcMNFlzSPj00N2xAqjMbjlnV2n2abAE5gq6VpqP
 vFXVyfrVa/ualogDVmf6h2t4Rdpifq8qTHsHFU3xpCz+T6/dGWKGQ42ZQfTaLnDM
 jToAsmY0AyevkIbX6iZVtzGvanYpPcWW4X0RDPcpqfFNZk643xI4lsZ+Y2Er9Yu5
 S/8x0ly+tmmIokaE0wwbdUu740YTZjCesroYWiRg5zuQ2xfKxJoV5E+Eh+tYwGDJ
 n6HfWhRgnudRRwvuJ45ztYVtKulKw8QQpd2STWrcQQDJaRWmnMooX/PATTjCBExB
 9dkz38Druvk7IkHMtsIqlkAOQMdsX1d3Tov6BE2XDjIG0zFxLduJGbVwc/6rIc95
 T055j36Ez0HrjxdpTGOOHxRqMK5m9flFbaxxtDnS7w77WqzW7HjFrD0VeTx2vnjj
 GqchHEQpfDpFOzb8LTFhgYidyRNUflQY35WLOzLNV+pV3eQ3Jg11UFwelSNLqfQf
 uFRGc+zcwkNjHh5yPvm9odR1BIfqJ6sKGPGbtPNXo7ERMRypWyRz0zi0twARAQAB
 tChGZWRvcmEgRVBFTCAoNykgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
 AgAiBQJSrmiEAhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBqL66iNSxk
 5cfGD/4spqpsTjtDM7qpytKLHKruZtvuWiqt5RfvT9ww9GUUFMZ4ZZGX4nUXg49q
 ixDLayWR8ddG/s5kyOi3C0uX/6inzaYyRg+Bh70brqKUK14F1BrrPi29eaKfG+Gu
 MFtXdBG2a7OtPmw3yuKmq9Epv6B0mP6E5KSdvSRSqJWtGcA6wRS/wDzXJENHp5re
 9Ism3CYydpy0GLRA5wo4fPB5uLdUhLEUDvh2KK//fMjja3o0L+SNz8N0aDZyn5Ax
 CU9RB3EHcTecFgoy5umRj99BZrebR1NO+4gBrivIfdvD4fJNfNBHXwhSH9ACGCNv
 HnXVjHQF9iHWApKkRIeh8Fr2n5dtfJEF7SEX8GbX7FbsWo29kXMrVgNqHNyDnfAB
 VoPubgQdtJZJkVZAkaHrMu8AytwT62Q4eNqmJI1aWbZQNI5jWYqc6RKuCK6/F99q
 thFT9gJO17+yRuL6Uv2/vgzVR1RGdwVLKwlUjGPAjYflpCQwWMAASxiv9uPyYPHc
 ErSrbRG0wjIfAR3vus1OSOx3xZHZpXFfmQTsDP7zVROLzV98R3JwFAxJ4/xqeON4
 vCPFU6OsT3lWQ8w7il5ohY95wmujfr6lk89kEzJdOTzcn7DBbUru33CQMGKZ3Evt
 RjsC7FDbL017qxS+ZVA/HGkyfiu4cpgV8VUnbql5eAZ+1Ll6Dw==
 =hdPa
 -----END PGP PUBLIC KEY BLOCK-----
--- a/files/common/RPM-GPG-KEY-EPEL-8
+++ b/files/common/RPM-GPG-KEY-EPEL-8
@ -1,28 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBFz3zvsBEADJOIIWllGudxnpvJnkxQz2CtoWI7godVnoclrdl83kVjqSQp+2
 dgxuG5mUiADUfYHaRQzxKw8efuQnwxzU9kZ70ngCxtmbQWGmUmfSThiapOz00018
 +eo5MFabd2vdiGo1y+51m2sRDpN8qdCaqXko65cyMuLXrojJHIuvRA/x7iqOrRfy
 a8x3OxC4PEgl5pgDnP8pVK0lLYncDEQCN76D9ubhZQWhISF/zJI+e806V71hzfyL
 /Mt3mQm/li+lRKU25Usk9dWaf4NH/wZHMIPAkVJ4uD4H/uS49wqWnyiTYGT7hUbi
 ecF7crhLCmlRzvJR8mkRP6/4T/F3tNDPWZeDNEDVFUkTFHNU6/h2+O398MNY/fOh
 yKaNK3nnE0g6QJ1dOH31lXHARlpFOtWt3VmZU0JnWLeYdvap4Eff9qTWZJhI7Cq0
 Wm8DgLUpXgNlkmquvE7P2W5EAr2E5AqKQoDbfw/GiWdRvHWKeNGMRLnGI3QuoX3U
 pAlXD7v13VdZxNydvpeypbf/AfRyrHRKhkUj3cU1pYkM3DNZE77C5JUe6/0nxbt4
 ETUZBTgLgYJGP8c7PbkVnO6I/KgL1jw+7MW6Az8Ox+RXZLyGMVmbW/TMc8haJfKL
 MoUo3TVk8nPiUhoOC0/kI7j9ilFrBxBU5dUtF4ITAWc8xnG6jJs/IsvRpQARAQAB
 tChGZWRvcmEgRVBFTCAoOCkgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
 AgAiBQJc9877AhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAh6kWrL4bW
 oWagD/4xnLWws34GByVDQkjprk0fX7Iyhpm/U7BsIHKspHLL+Y46vAAGY/9vMvdE
 0fcr9Ek2Zp7zE1RWmSCzzzUgTG6BFoTG1H4Fho/7Z8BXK/jybowXSZfqXnTOfhSF
 alwDdwlSJvfYNV9MbyvbxN8qZRU1z7PEWZrIzFDDToFRk0R71zHpnPTNIJ5/YXTw
 NqU9OxII8hMQj4ufF11040AJQZ7br3rzerlyBOB+Jd1zSPVrAPpeMyJppWFHSDAI
 WK6x+am13VIInXtqB/Cz4GBHLFK5d2/IYspVw47Solj8jiFEtnAq6+1Aq5WH3iB4
 bE2e6z00DSF93frwOyWN7WmPIoc2QsNRJhgfJC+isGQAwwq8xAbHEBeuyMG8GZjz
 xohg0H4bOSEujVLTjH1xbAG4DnhWO/1VXLX+LXELycO8ZQTcjj/4AQKuo4wvMPrv
 9A169oETG+VwQlNd74VBPGCvhnzwGXNbTK/KH1+WRH0YSb+41flB3NKhMSU6dGI0
 SGtIxDSHhVVNmx2/6XiT9U/znrZsG5Kw8nIbbFz+9MGUUWgJMsd1Zl9R8gz7V9fp
 n7L7y5LhJ8HOCMsY/Z7/7HUs+t/A1MI4g7Q5g5UuSZdgi0zxukiWuCkLeAiAP4y7
 zKK4OjJ644NDcWCHa36znwVmkz3ixL8Q0auR15Oqq2BjR/fyog==
 =84m8
 -----END PGP PUBLIC KEY BLOCK-----
--- a/files/common/RPM-GPG-KEY-EPEL-9
+++ b/files/common/RPM-GPG-KEY-EPEL-9
@ -1,29 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGE3mOsBEACsU+XwJWDJVkItBaugXhXIIkb9oe+7aadELuVo0kBmc3HXt/Yp
 CJW9hHEiGZ6z2jwgPqyJjZhCvcAWvgzKcvqE+9i0NItV1rzfxrBe2BtUtZmVcuE6
 2b+SPfxQ2Hr8llaawRjt8BCFX/ZzM4/1Qk+EzlfTcEcpkMf6wdO7kD6ulBk/tbsW
 DHX2lNcxszTf+XP9HXHWJlA2xBfP+Dk4gl4DnO2Y1xR0OSywE/QtvEbN5cY94ieu
 n7CBy29AleMhmbnx9pw3NyxcFIAsEZHJoU4ZW9ulAJ/ogttSyAWeacW7eJGW31/Z
 39cS+I4KXJgeGRI20RmpqfH0tuT+X5Da59YpjYxkbhSK3HYBVnNPhoJFUc2j5iKy
 XLgkapu1xRnEJhw05kr4LCbud0NTvfecqSqa+59kuVc+zWmfTnGTYc0PXZ6Oa3rK
 44UOmE6eAT5zd/ToleDO0VesN+EO7CXfRsm7HWGpABF5wNK3vIEF2uRr2VJMvgqS
 9eNwhJyOzoca4xFSwCkc6dACGGkV+CqhufdFBhmcAsUotSxe3zmrBjqA0B/nxIvH
 DVgOAMnVCe+Lmv8T0mFgqZSJdIUdKjnOLu/GRFhjDKIak4jeMBMTYpVnU+HhMHLq
 uDiZkNEvEEGhBQmZuI8J55F/a6UURnxUwT3piyi3Pmr2IFD7ahBxPzOBCQARAQAB
 tCdGZWRvcmEgKGVwZWw5KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAk4EEwEI
 ADgWIQT/itE0RZcQbs6BO5GKOHK/MihGfAUCYTeY6wIbDwULCQgHAgYVCgkICwIE
 FgIDAQIeAQIXgAAKCRCKOHK/MihGfFX/EACBPWv20+ttYu1A5WvtHJPzwbj0U4yF
 3zTQpBglQ2UfkRpYdipTlT3Ih6j5h2VmgRPtINCc/ZE28adrWpBoeFIS2YAKOCLC
 nZYtHl2nCoLq1U7FSttUGsZ/t8uGCBgnugTfnIYcmlP1jKKA6RJAclK89evDQX5n
 R9ZD+Cq3CBMlttvSTCht0qQVlwycedH8iWyYgP/mF0W35BIn7NuuZwWhgR00n/VG
 4nbKPOzTWbsP45awcmivdrS74P6mL84WfkghipdmcoyVb1B8ZP4Y/Ke0RXOnLhNe
 CfrXXvuW+Pvg2RTfwRDtehGQPAgXbmLmz2ZkV69RGIr54HJv84NDbqZovRTMr7gL
 9k3ciCzXCiYQgM8yAyGHV0KEhFSQ1HV7gMnt9UmxbxBE2pGU7vu3CwjYga5DpwU7
 w5wu1TmM5KgZtZvuWOTDnqDLf0cKoIbW8FeeCOn24elcj32bnQDuF9DPey1mqcvT
 /yEo/Ushyz6CVYxN8DGgcy2M9JOsnmjDx02h6qgWGWDuKgb9jZrvRedpAQCeemEd
 fhEs6ihqVxRFl16HxC4EVijybhAL76SsM2nbtIqW1apBQJQpXWtQwwdvgTVpdEtE
 r4ArVJYX5LrswnWEQMOelugUG6S3ZjMfcyOa/O0364iY73vyVgaYK+2XtT2usMux
 VL469Kj5m13T6w==
 =Mjs/
 -----END PGP PUBLIC KEY BLOCK-----
--- a/files/common/RPM-GPG-KEY-INFRASTRUCTURE-SIGUL
+++ b/files/common/RPM-GPG-KEY-INFRASTRUCTURE-SIGUL
@ -1,30 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1
 mQINBFfZrzsBEADGLYtUW4YZNKSq/bawWYSg3Z8OAD3amoWx9BTdiBjWyIn7PzBQ
 g/Y2QpTj9Sylhi4ZDqcP6eikrC2bqZdBeJyOAHSkV6Nvt+D/ijHOViEsSg+OwHmC
 9axbsNHI+WKYPR7GBb40/hu7miHTOWd7puuJ000nyeHckicSHNYb+KxwoN9TTyON
 utqTtzUb1v0f+GZ2E3XHCa/SgHG+syFbKhFiPRqSmwuhESgz7JIPx9UPz/pkg/rA
 qHILJDt5PGaxhRNcK4rOVhpIBxTdjyYvtkCzlMr8ZaLqlQx2B5Ub9osYSv7CwQD5
 tJTb9ed/p5HKuT9JEDSgtxV2yy6bxEMkBjlD5m4ISnOnZ8GGjPl434FdufusIwDX
 vFUQDH5BSGV1xUcoCoNAMY+CUCoUaTBkv5PqLOgsCirSImvXhSCFBT1VVb2sPhuG
 J6q9Nk18+i2sMtjflM9PzCblMe7C1gySiuH4q+hvB6IDnYirLLy0ctBvr3siY4hY
 lTydy+4z7UuquLv02t5Zbw9jxqX1LEyiMvUppx5XgGyQ0cGQpkRHXRzQqI6bjUny
 e8Ub2sfjidjqRWyycY4F7KGG/DeKE3UeclDjFlA+CTvgu88RGgzTMZym5NxgjgfJ
 PYj+etPXth3PNzxd8FAC4tWP5b6kEVVJ2Oxiy6Z8dYQJVsAVP110bo/MFwARAQAB
 tEBGZWRvcmEgSW5mcmFzdHJ1Y3R1cmUgKGluZnJhc3RydWN0dXJlKSA8YWRtaW5A
 ZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMBAgAiBQJX2a87AhsPBgsJCAcDAgYVCAIJ
 CgsEFgIDAQIeAQIXgAAKCRCAWYFeR92O+RbAD/9QzUyyoDPvPjlxn341BdT1iG3s
 BvKjNOAtQkHeDzRQ0rBXG40yoTjQ+s4X+3aNumy4C+xeGqUiFMcBED/5EdahWcXm
 5dqEAysTpiWOaamVfvQaNuBZjKP6GXXUeAVvkEVXggTI18tpNR/xFqfvHMCYuRUJ
 QERNDtEPweQn9U3ewr7VOIrF8OnxVEQe9xOPKnGr0yD22NHz5hCiIKXwt34I7m9j
 IlKMETTUflmERzzzwWp9CwmwU2o+g9hILqtvLFV/9TDSiWTvr2Ynj/hlNZPG8MhB
 K73S8oQADP/ogmwYkK3cx06CkaSEiQciAkpL4v7GzWfw3hTScIxbf/R5YU5i5qHj
 N+XJRLoW4AdNRAtrJ1KsLrFhFso9o7cfUlGGDPOwwQu3etoY3t0vViXYanOJrXqA
 DaHZ7Ynj7V5KNB97xbjohT+YiApBV1jmMbydAMhNxo2ZlAC9hmlDEwD9L9CSPt1s
 PvjcY20/RjVrm62vmXI/Sqa1zPjjYaxceEZzDIcxVDAneeeAdV99zHRDjZLqucux
 GGJWwUNyxnuA7ZNdD3ZQBJlefOCT4Tg2Yj2ssH6PdGBoWS2gibnGdUsc/LhIaES4
 afRLHVbHRu1HJ3s7pAgxNRY5Cjc5GEqdvm+5LOt/usyyaUwds0cJp55KKovsqZ1v
 +h4JFKdsC+6/ZUHRQQ==
 =MNfm
 -----END PGP PUBLIC KEY BLOCK-----
--- a/files/common/centos9s-rabbitmq38.repo
+++ b/files/common/centos9s-rabbitmq38.repo
@ -1,23 +0,0 @@
 # See: https://git.centos.org/rpms/centos-release-messaging/blob/c9s-sig-messaging/f/SOURCES
 [centos-rabbitmq38]
 # Yes, the repo is called 38. Yes, it only contains 3.9.x packages as of 2025-06
 name=CentOS-9 - RabbitMQ 38 (3.9.x) - $basearch
 #baseurl=<mirror>/CentOS-Stream/SIGs/9-stream/messaging/x86_64/rabbitmq-38/
 metalink=https://mirrors.centos.org/metalink?release=$releasever&arch=$basearch&repo=centos-messaging-sig-rabbitmq-38-9-stream&protocol=https,http
 enabled=1
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging
 [centos-rabbitmq-38-test]
 name=CentOS-8 - RabbitMQ 38 Testing
 baseurl=https://buildlogs.centos.org/centos/$releasever-stream/messaging/$basearch/rabbitmq-38/
 gpgcheck=0
 enabled=0
 [centos-rabbitmq-38-source]
 name=CentOS-8 - RabbitMQ 38 - Source
 baseurl=http://mirror.stream.centos.org/SIGs/$releasever-stream/messaging/source/rabbitmq-38/
 gpgcheck=1
 enabled=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging
--- a/files/common/epel10.repo
+++ b/files/common/epel10.repo
@ -1,13 +0,0 @@
 [epel]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=https://infrastructure.fedoraproject.org/pub/epel/10/Everything/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-10
 [epel-testing]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=https://infrastructure.fedoraproject.org/pub/epel/testing/10/Everything/$basearch/
 enabled=0
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-10
--- a/files/common/epel6.repo
+++ b/files/common/epel6.repo
@ -0,0 +1,13 @@
 [epel]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=http://infrastructure.fedoraproject.org/pub/epel/6/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6
 [epel-testing]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=http://infrastructure.fedoraproject.org/pub/epel/testing/6/$basearch/
 enabled=0
 gpgcheck=1
 gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6
--- a/files/common/epel7.repo
+++ b/files/common/epel7.repo
@ -1,20 +1,20 @@
 [epel]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
-baseurl=https://infrastructure.fedoraproject.org/pub/epel/7/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/7/$basearch/
-enabled=1
+enabled=0
 gpgcheck=1
-gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
 [epel-testing]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
-baseurl=https://infrastructure.fedoraproject.org/pub/epel/testing/7/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/testing/7/$basearch/
 enabled=0
 gpgcheck=1
-gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
 [epel-beta]
 name=Extras Packages for Enterprise Linux beta $releasever - $basearch
-baseurl=https://infrastructure.fedoraproject.org/pub/epel/beta/7/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/pub/epel/beta/7/$basearch/
-enabled=0
+enabled=1
 gpgcheck=1
-gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
--- a/files/common/epel8.repo
+++ b/files/common/epel8.repo
@ -1,13 +0,0 @@
 [epel]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=https://infrastructure.fedoraproject.org/pub/epel/8/Everything/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
 [epel-testing]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=https://infrastructure.fedoraproject.org/pub/epel/testing/8/Everything/$basearch/
 enabled=0
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
--- a/files/common/epel9.repo
+++ b/files/common/epel9.repo
@ -1,13 +0,0 @@
 [epel]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=https://infrastructure.fedoraproject.org/pub/epel/9/Everything/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
 [epel-testing]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=https://infrastructure.fedoraproject.org/pub/epel/testing/9/Everything/$basearch/
 enabled=0
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
--- a/files/common/fedora-infra-tags-stg.repo
+++ b/files/common/fedora-infra-tags-stg.repo
@ -1,6 +0,0 @@
 [infrastructure-tags-stg]
 name=Fedora Infrastructure staging tag $releasever - $basearch
 baseurl=https://kojipkgs.fedoraproject.org/repos-dist/f$releasever-infra-stg/latest/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS
--- a/files/common/fedora-infra-tags.repo
+++ b/files/common/fedora-infra-tags.repo
@ -1,6 +0,0 @@
 [infrastructure-tags]
 name=Fedora Infrastructure tag $releasever - $basearch
 baseurl=https://kojipkgs.fedoraproject.org/repos-dist/f$releasever-infra/latest/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS
--- a/files/common/fedora-updates-testing.repo
+++ b/files/common/fedora-updates-testing.repo
@ -1,10 +1,7 @@
 [updates-testing]
 name=Fedora $releasever - $basearch - Test Updates
-{% if ansible_distribution_major_version|int >27  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/Everything/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/$basearch/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@ -12,11 +9,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-testing-debuginfo]
 name=Fedora $releasever - $basearch - Test Updates Debug
-{% if ansible_distribution_major_version|int >27  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/Everything/$basearch/debug/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/$basearch/debug/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@ -24,11 +18,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-testing-source]
 name=Fedora $releasever - Test Updates Source
-{% if ansible_distribution_major_version|int >27  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/Everything/SRPMS/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/testing/$releasever/SRPMS/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
--- a/files/common/fedora-updates-testing.repo-arm
+++ b/files/common/fedora-updates-testing.repo-arm
@ -0,0 +1,26 @@
 [updates-testing]
 name=Fedora $releasever - $basearch - Test Updates
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [updates-testing-debuginfo]
 name=Fedora $releasever - $basearch - Test Updates Debug
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [updates-testing-source]
 name=Fedora $releasever - Test Updates Source
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
--- a/files/common/fedora-updates-testing.repo-secondary
+++ b/files/common/fedora-updates-testing.repo-secondary
@ -1,35 +0,0 @@
 [updates-testing]
 name=Fedora $releasever - $basearch - Test Updates
 {% if ansible_distribution_major_version|int >27  %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/$basearch/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-testing-debuginfo]
 name=Fedora $releasever - $basearch - Test Updates Debug
 {% if ansible_distribution_major_version|int >27  %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/Everything/$basearch/debug/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/$basearch/debug/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-testing-source]
 name=Fedora $releasever - Test Updates Source
 {% if ansible_distribution_major_version|int >27  %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/Everything/SRPMS/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/testing/$releasever/SRPMS/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
--- a/files/common/fedora-updates.repo
+++ b/files/common/fedora-updates.repo
@ -1,10 +1,7 @@
 [updates]
 name=Fedora $releasever - $basearch - Updates
-{% if ansible_distribution_major_version|int > 27  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/Everything/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/$basearch/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
 enabled=1
 gpgcheck=1
@ -12,11 +9,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-debuginfo]
 name=Fedora $releasever - $basearch - Updates - Debug
-{% if ansible_distribution_major_version|int > 27  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/Everything/$basearch/debug/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/debug/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/$basearch/debug/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
@ -24,11 +18,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-source]
 name=Fedora $releasever - Updates Source
-{% if ansible_distribution_major_version|int > 27  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/Everything/SRPMS/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/SRPMS/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/updates/$releasever/SRPMS/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
--- a/files/common/fedora-updates.repo-arm
+++ b/files/common/fedora-updates.repo-arm
@ -0,0 +1,26 @@
 [updates]
 name=Fedora $releasever - $basearch - Updates
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
 enabled=1
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [updates-debuginfo]
 name=Fedora $releasever - $basearch - Updates - Debug
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [updates-source]
 name=Fedora $releasever - Updates Source
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/$releasever/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
--- a/files/common/fedora-updates.repo-secondary
+++ b/files/common/fedora-updates.repo-secondary
@ -1,35 +0,0 @@
 [updates]
 name=Fedora $releasever - $basearch - Updates
 {% if ansible_distribution_major_version|int >27  %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/Everything/$basearch/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/$basearch/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
 enabled=1
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-debuginfo]
 name=Fedora $releasever - $basearch - Updates - Debug
 {% if ansible_distribution_major_version|int >27  %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/Everything/$basearch/debug/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/$basearch/debug/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [updates-source]
 name=Fedora $releasever - Updates Source
 {% if ansible_distribution_major_version|int >27  %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/SRPMS/
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/updates/$releasever/Everything/SRPMS/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
--- a/files/common/fedora.repo
+++ b/files/common/fedora.repo
@ -1,24 +1,18 @@
 [fedora]
 name=Fedora $releasever - $basearch
-{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int )  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/releases/$releasever/Everything/$basearch/os/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
 {% endif %}
 enabled=1
 metadata_expire=7d
-gpgcheck=1
+gpgcheck=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [fedora-debuginfo]
 name=Fedora $releasever - $basearch - Debug
-{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int )  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/releases/$releasever/Everything/$basearch/debug/tree/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/debug/tree/
 {% endif %}
 enabled=0
 metadata_expire=7d
 gpgcheck=1
@ -26,12 +20,9 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [fedora-source]
 name=Fedora $releasever - Source
-{% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched|int is defined else FedoraRawhideNumber|int )  %}
+failovermethod=priority
-baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora/linux/releases/$releasever/Everything/source/tree/
+baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/source/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/source/tree
 {% endif %}
 enabled=0
 metadata_expire=7d
 gpgcheck=1
--- a/files/common/fedora.repo-arm
+++ b/files/common/fedora.repo-arm
@ -0,0 +1,29 @@
 [fedora]
 name=Fedora $releasever - $basearch
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
 enabled=1
 metadata_expire=7d
 gpgcheck=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [fedora-debuginfo]
 name=Fedora $releasever - $basearch - Debug
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
 enabled=0
 metadata_expire=7d
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
 [fedora-source]
 name=Fedora $releasever - Source
 failovermethod=priority
 baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/source/SRPMS/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
 enabled=0
 metadata_expire=7d
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
--- a/files/common/fedora.repo-secondary
+++ b/files/common/fedora.repo-secondary
@ -1,39 +0,0 @@
 [fedora]
 name=Fedora $releasever - $basearch
 {% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int )  %}
 baseurl=https://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/releases/$releasever/Everything/$basearch/os/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
 {% endif %}
 enabled=1
 metadata_expire=7d
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [fedora-debuginfo]
 name=Fedora $releasever - $basearch - Debug
 {% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int )  %}
 baseurl=http://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/releases/$releasever/Everything/$basearch/debug/tree/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/debug/tree/
 {% endif %}
 enabled=0
 metadata_expire=7d
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 [fedora-source]
 name=Fedora $releasever - Source
 {% if ansible_distribution_major_version|int < ( FedoraBranchedNumber|int if FedoraBranched == True else FedoraRawhideNumber|int )  %}
 baseurl=http://infrastructure.fedoraproject.org/pub{{ archive_if_archived }}/fedora-secondary/releases/$releasever/Everything/source/tree/
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
 {% else %}
 baseurl=https://infrastructure.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/source/tree/
 {% endif %}
 #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
 enabled=0
 metadata_expire=7d
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
--- a/files/common/infrastructure-testing.repo
+++ b/files/common/infrastructure-testing.repo
@ -1,7 +1,7 @@
 [infrastructure-testing]
 name=Extras Packages from Fedora Infrastructure $releasever - $basearch - Testing
-baseurl=https://infrastructure.fedoraproject.org/repo/testing/$releasever/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/repo/testing/$releasever/$basearch/
 enabled=0
 gpgcheck=1
-gpgkey=https://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
+gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
--- a/files/common/infrastructure.repo
+++ b/files/common/infrastructure.repo
@ -1,6 +1,6 @@
 [infrastructure]
 name=Extras Packages from Fedora Infrastructure $releasever - $basearch
-baseurl=https://infrastructure.fedoraproject.org/repo/$releasever/$basearch/
+baseurl=http://infrastructure.fedoraproject.org/repo/$releasever/$basearch/
 enabled=1
 gpgcheck=1
-gpgkey=https://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
+gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE
--- a/files/common/mock
+++ b/files/common/mock
@ -1,15 +0,0 @@
 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 auth            sufficient      pam_succeed_if.so user ingroup mock use_uid quiet
 account sufficient pam_succeed_if.so user ingroup packager use_uid quiet
 auth sufficient pam_succeed_if.so user ingroup packager use_uid quiet
 # Uncomment the following line to implicitly trust users in the "wheel" group.
 #auth           sufficient      pam_wheel.so trust use_uid
 # Uncomment the following line to require a user to be in the "wheel" group.
 #auth           required        pam_wheel.so use_uid
 auth            include         system-auth
 account         sufficient      pam_succeed_if.so user ingroup mock use_uid quiet
 account         include         system-auth
 password        include         system-auth
 session         include         system-auth
 session         optional        pam_xauth.so
--- a/files/common/nbde_client-network-flush
+++ b/files/common/nbde_client-network-flush
@ -1,38 +0,0 @@
 #!/bin/sh
 # do_flush() flushes every active network interface. It is intended to
 # run before NetworkManager starts, so that when it does it will be able
 # to set up the network using the regular host configuration.
 do_flush() {
  for f in /sys/class/net/*; do
    iface="${f##*/}"
    [ "${iface}" = "lo" ] && continue
    echo "Preparing to flush interface ${iface}" >&2
    ip -statistics address flush dev "${iface}"
    rm -f /run/NetworkManager/system-connections/default_connection.nmconnection >&2
  done
 }
 # reset_autoconn_prio() will reset the autoconnect priority
 # of the existing NM connections to zero.
 reset_autoconn_prio() {
  nmcli -t -f NAME connection show 2>/dev/null | while read -r _c; do
    if ! _prio="$(nmcli -t connection show "${_c}" \
           | grep connection.autoconnect-priority: \
           | cut -d: -f2)" || [ -z "${_prio}" ]; then
      continue
    fi
    [ "${_prio}" -ge 0 ] && continue
    echo "Setting autoconnect-priority of connection ${_c} to zero" >&2
    nmcli connection modify "${_c}" connection.autoconnect-priority 0
  done
 }
 case "${1}" in
 reset-autoconn-prio)
  reset_autoconn_prio;;
 flush)
  do_flush;;
 esac
 # vim:set ts=2 sw=2 et:
--- a/files/common/noautodefault.conf
+++ b/files/common/noautodefault.conf
@ -1,2 +0,0 @@
 [main]
 no-auto-default=*
--- a/files/common/original-epel8.repo
+++ b/files/common/original-epel8.repo
@ -1,24 +0,0 @@
 [epel]
 name=Extra Packages for Enterprise Linux $releasever - $basearch
 #baseurl=https://download.fedoraproject.org/pub/epel/$releasever/Everything/$basearch
 metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
 enabled=1
 gpgcheck=1
 countme=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 [epel-debuginfo]
 name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug
 #baseurl=https://download.fedoraproject.org/pub/epel/$releasever/Everything/$basearch/debug
 metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-$releasever&arch=$basearch&infra=$infra&content=$contentdir
 enabled=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
 [epel-source]
 name=Extra Packages for Enterprise Linux $releasever - $basearch - Source
 #baseurl=https://download.fedoraproject.org/pub/epel/$releasever/Everything/SRPMS
 metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-$releasever&arch=$basearch&infra=$infra&content=$contentdir
 enabled=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
--- a/files/common/original-epel9.repo
+++ b/files/common/original-epel9.repo
@ -1,24 +0,0 @@
 [epel]
 name=Extra Packages for Enterprise Linux $releasever - $basearch
 #baseurl=https://download.example/pub/epel/$releasever/Everything/$basearch/
 metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
 enabled=1
 gpgcheck=1
 countme=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
 [epel-debuginfo]
 name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug
 #baseurl=https://download.example/pub/epel/$releasever/Everything/$basearch/debug/
 metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-$releasever&arch=$basearch&infra=$infra&content=$contentdir
 enabled=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
 gpgcheck=1
 [epel-source]
 name=Extra Packages for Enterprise Linux $releasever - $basearch - Source
 #baseurl=https://download.example/pub/epel/$releasever/Everything/source/tree/
 metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-$releasever&arch=$basearch&infra=$infra&content=$contentdir
 enabled=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
 gpgcheck=1
--- a/files/common/rhel-8-aarch64-server-rpms.repo
+++ b/files/common/rhel-8-aarch64-server-rpms.repo
@ -1,19 +0,0 @@
 [rhel8-beta-dvd]
 name = rhel8 beta base dvd
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel-8.0-beta-1-$basearch/AppStream
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel8-beta-BaseOS]
 name = rhel8 beta BaseOS $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel-8.0-beta-1-aarch64/BaseOS
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel8-beta-ha]
 name = rhel8 beta ha $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8-beta/aarch64/rhel-8-for-aarch64-ha-beta-rpms
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel8-beta-appstream]
 name = rhel8 beta appstream $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8-beta/aarch64/rhel-8-for-aarch64-appstream-beta-rpms
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
--- a/files/common/rhel-infra-tags-stg.repo
+++ b/files/common/rhel-infra-tags-stg.repo
@ -1,6 +0,0 @@
 [infrastructure-tags-stg]
 name=Fedora Infrastructure tag $releasever - $basearch
 baseurl=https://kojipkgs.fedoraproject.org/repos-dist/epel$releasever-infra-stg/latest/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS
--- a/files/common/rhel-infra-tags.repo
+++ b/files/common/rhel-infra-tags.repo
@ -1,6 +0,0 @@
 [infrastructure-tags]
 name=Fedora Infrastructure tag $releasever - $basearch
 baseurl=https://kojipkgs.fedoraproject.org/repos-dist/epel$releasever-infra/latest/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS
--- a/files/common/rhel10.repo
+++ b/files/common/rhel10.repo
@ -1,34 +0,0 @@
 [rhel10-dvd-BaseOS]
 name = rhel10 baseos dvd
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL10-$basearch/BaseOS
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel10-dvd-AppStream]
 name = rhel10 AppStream dvd
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL10-$basearch/AppStream
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel10-BaseOS]
 name = rhel10 BaseOS $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel10/10.0/repos/$basearch/baseos
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel10-AppStream]
 name = rhel10 AppStream $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel10/10.0/repos/$basearch/appstream
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel10-CRB]
 name = rhel10 CodeReadyBuilder $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel10/10.0/repos/$basearch/crb
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
--- a/files/common/rhel6.repo
+++ b/files/common/rhel6.repo
@ -0,0 +1,14 @@
 [rhel6-dvd]
 name = rhel6 base dvd
 baseurl=http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-$basearch/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel6-base]
 name = rhel6 base $basearch
 baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel-$basearch-server-6/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel6-optional]
 name = rhel6 optional $basearch
 baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel-$basearch-server-optional-6/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
--- a/files/common/rhel7.repo
+++ b/files/common/rhel7.repo
@ -1,24 +1,24 @@
 [rhel7-dvd]
 name = rhel7 base dvd
-baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL7-$basearch/
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-$basearch/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel7-base]
 name = rhel7 base $basearch
-baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-rpms
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-rpms
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel7-optional]
 name = rhel7 optional $basearch
-baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-optional-rpms
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-optional-rpms
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel7-extras]
 name = rhel7 extras $basearch
-baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-extras-rpms
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-server-extras-rpms
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel7-ha]
 name = rhel7 ha $basearch
-baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-ha-for-rhel-7-server-rpms/
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-ha-for-rhel-7-server-rpms/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
--- a/files/common/rhel8.repo
+++ b/files/common/rhel8.repo
@ -1,41 +0,0 @@
 [rhel8-dvd-BaseOS]
 name = rhel8 baseos dvd
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL8.0-$basearch/BaseOS
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel8-dvd-AppStream]
 name = rhel8 AppStream dvd
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL8.0-$basearch/AppStream
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel8-BaseOS]
 name = rhel8 BaseOS $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/$basearch/rhel-8-for-$basearch-baseos-rpms
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel8-AppStream]
 name = rhel8 AppStream $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/$basearch/rhel-8-for-$basearch-appstream-rpms
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel8-CRB]
 name = rhel8 CodeReadyBuilder $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/$basearch/codeready-builder-for-rhel-8-$basearch-rpms/
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel8-advanced-virt]
 name = rhel8 AdvancedVirt $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/$basearch/rhel-8-advanced-virt/
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
--- a/files/common/rhel9.repo
+++ b/files/common/rhel9.repo
@ -1,41 +0,0 @@
 [rhel9-dvd-BaseOS]
 name = rhel9 baseos dvd
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL9.0-$basearch/BaseOS
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel9-dvd-AppStream]
 name = rhel9 AppStream dvd
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/RHEL9.0-$basearch/AppStream
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel9-BaseOS]
 name = rhel9 BaseOS $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel9/$basearch/rhel-9-for-$basearch-baseos-rpms
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel9-AppStream]
 name = rhel9 AppStream $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel9/$basearch/rhel-9-for-$basearch-appstream-rpms
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel9-CRB]
 name = rhel9 CodeReadyBuilder $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel9/$basearch/codeready-builder-for-rhel-9-$basearch-rpms/
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=1
 gpgcheck=1
 [rhel9-advanced-virt]
 name = rhel9 AdvancedVirt $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel9/$basearch/rhel-9-advanced-virt/
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 enabled=0
 gpgcheck=1
--- a/files/common/rhos16.repo
+++ b/files/common/rhos16.repo
@ -1,4 +0,0 @@
 [rhel8-rhos16]
 name = rhel8 openstack $basearch
 baseurl=https://infrastructure.fedoraproject.org/repo/rhel/rhel8/other/rhel-8-x86_64-openstack-16-rpms
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
--- a/files/common/rsyslog-logrotate
+++ b/files/common/rsyslog-logrotate
@ -1,20 +0,0 @@
 /var/log/cron
 /var/log/maillog
 /var/log/messages
 /var/log/secure
 /var/log/spooler
 {
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl reload rsyslog.service >/dev/null 2>&1 || true
    endscript
    daily
    rotate 7
    ifempty
    compress
    compresscmd /usr/bin/xz
    uncompresscmd /usr/bin/xz
    compressext .xz
    dateext
 }
--- a/files/common/step-tickers
+++ b/files/common/step-tickers
@ -1,7 +1,10 @@
-208.75.88.4
+# [clock.redhat.com]
-216.93.242.12
+66.187.233.4 
-107.170.242.27
+# [time.nist.gov]
-108.166.189.70
+192.43.244.18
-199.223.248.98
+# [otc1.psu.edu]
 128.118.25.5
 # [clock.isc.org]
 204.152.184.72
 # [loopback]
 127.127.1.0
--- a/files/common/sysadmin-main
+++ b/files/common/sysadmin-main
@ -2,5 +2,16 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAD9QDskl41P2f4wqBuDBRD3VJ7MfKD6gMetMEaOy2b/Czf
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAACAEAstHxky7hl1inyHBy+q/9M+Aen2HSfy8IoW+sAO6HSuHEUT7qWB8AlSNjHhahjXx7sy/BUkUed+NB/177rjlThokZDJ0yoM9KKymp26ETGaamBSkWBxZatTj96BWfD0P2K9jc/9vxtgKBq3VK9UaOt6VtJ9q6mKY3DdWLZn+K6iGQAKMCAgd8cCMgD6epBB5/litz7WhYv+aYTyjZGUGbBojQUiWgXDv9lR7p0w+VP7pnZEeb3//k4pZhsPrKFwwRVRLxBvWgVKNvA6nMXmsdikHCLLj8YAevhEY1xAba+iCKOpTqT7Bu+1Fnb9St8u5iDod21gRmN7MGGWYsO+Iu2MNAW9sw2nsA/sdNR0HEEgBqJLhERjGv399fWKyiZaF90n59lg8Pb6EzE6wHRs6rSB+9uKApBzPk99BEHLvC6mhn6RjrOC+TWSTcmXojAwQYCadqIdgWUaBsxaugKEXBFcmRuDWtpDfsqmM1kjeGU6MiaMlqPW0KjsMaVVChLO5ZvB/T7qW4wr5ZjLri475MuHocCMP0ECSUk7I3YW2h8RU6FEFmTpuULFRQo01iPreY5XJ7l0+xy2eggAWo+X2h3nGjXhCPOelBg+LYe0WOmPgB5oc1m5HZtFTcFzYbhAE+xQKlbwNeYT8HmNmEMhPjVoNyOOV7NAap+ueS2u/7li5D59O5Iy8aa5n/WiuYfkqH4pG796nFyLr5L/LVudzyaYFb/Gk8C1j/NAWYw53D/9aOA277HHe5t0/daJhbo98u0asF5mvPld3swPuPqkEZzgUfmNgH5CkvcQcMzaOvj6qr6xNmQfgsHroCShb46kplQ2uSf1pMAqsjN7jGhk6l+Bu6hKHnJKhZJVLiuAZtgYvkCB1ahaO3wRVozA1VKCAlqHOqoCq4YLIobUL95H08Kwcz7vIRIadX1TkOoLb2EwPkE/xrhDp4BySh+j6YNklSBkiRHvJMBNnRIj8NTRjYyj2o1Om7kJ770lEdryg2og8QBaFWCmFkwzg1QVrBOuu0dN7kt2l7VI7Ib4lavKSVTrqUdxdSbthUlu/b4Qif+pbyEtUFgykRsHVs+5Ofg7FZpsgCJ8rLFjzeVF/hAYX7t3XaIPLu+DL8kzamb/CRy1b7+iAw9nJbd7ED2SGyU6+c2coMPG23y6+YxgEmNG/rkCLCypkEEDOZe4DuMerZQ/RxMo06+glC6HC/3VN2dHlVLtEEV33B04/6Z0plAhqtjG7PVs08f8a5msV/VYn5ifa4z0oIXX1r5CIg3Ejp1JguLhBHpWa7YbS2Mwu6GAbD+hQfCYrsUkFonoOLu5czpITLo7ceJFTQmAt7OxZEoZBfmtYfzADQsQVYQb6J4QwvM3iKJOn30dgtYnJOVlDZEn+0fivedxoBAt9jHJ8lVp2ov/dOFnimi5V+2QIMB0fKTkChsk10zsDZ/KUk6zfijjEju0WfjRHCd357KswNv3aXHazfRIw77S2UOenD+xmUDZ6WgnxservUSDNDz7NldLf/gdPOMO4uSwKZixzsoCNioeLEmQv4gomNK7DyZBLMHLlWlbliqP+QWuIJO1rfoH2vaxzzA7l5tJW1gfnxm87RrrwIf9v5kpdJM6gQZxqmBCRsKQd5VkrEJ/xaFfkv080pWNV0drWTZW8fAAgfUNYB260Hyk3rHsjQlVtQxGJ1aAcgjMi3eGKQMwptbUMYHqct75czX6xp6zgXPiC/glX6AtuiZQ5bOI07imil20ien/ks/dnel8L+dmYDasL9m0B2jZ3lbl3eR1Dy7UhqGyERx//vYQapEBuwFcqQ9UdIWCGGG2Pte1I39BSehUUGSCOOD38a/GCu0l7OWZKdwq80MK/Ixgz4neiZQZ7MD2wPy6vk6Num18PZPN7OynMrI2UG5MViQ0GAhRgxwbUCvc7uKnGRqZo9q2mCabCxLbv+hJ4bppxpHHJxMDDXilTKMfZb0YRbvjBUi7LFKLN3MBMK2U1jHE+PjBgweqF8Jtuw04CQMxK3unajZOVkYAIq8IdMbw0oBVP4++eGB9z0x1eH+IsqL6IgknbbyoMgQqW9/8atm8HW2QYCX47oPd4FHs8rgJZk3bz8MwN3tp8WCRtYnJuwkWGWSq77ans0Ycl/tUfSSwUjnSvMsJnuSbxvdX0XbP5eRWikk0pJz5lM9sjYFOPHrQ44/U254yBa0N6UhyNTQnMGzRvY+fADE49b10hXZwCCrxpY9KvGr1XNJMnMcUke+4p9RS5LUwcZ8A6v7oWtZaZwnuBzvKk+HAn2gevD7Stjto+TnRCx1qcbx8iOhAEC6nvbLl+U313TmawrO/usrI5w3EFKP/4BnlKJDtNBeklJ0MpU3R1fmisqfegjuBW2bbaxq8Uo6m7uqPsYuAl7E6rOyZHLbtA8szvbQ46MSqAHezqxHJajWn2oZXMtbddgO5vlkxbRp3SSVKaPOeIj3XOGl78Owp4gFNRE0RY2EuUvrwUhXZR4wx1VHYjS6o9HAwOx3dH+pf1OiblUEanLQ9HLuOBkLhP8wn1M2slsSw+A1gyuI0ayjRujYFXdw6Mqp6XKTdU8vNue2c3d0I+TMifBypP0oJtxXmEoPp/VsU9yLKA2FF7Xvv/Xq1gtZcuZWAbSwMok/ENY1xeIFyjV+0yBidmax3jaf9yus/XEpyeBS3iIz63ymU10Kb2vrWjubg/sa2yd+q0y96dLdDRbnbwGwMmg6mXvTlVXf8c= ricky@padlock01.home.elrod.me
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDi5bNJQBrvT/YuvfLO0y6smZW5N+946uISkzmDi9myffLgHAZP4nBGeH/4GcB5ns9HJ19xVtbIwqOz4QwIqKh4gKU7DgaqND2Iu0bUUFL1KXPLGyAIW+9N3yHB+nKkH31alDnF4dpKkvO63DRkqh4ptxwEQbZDCFqn+vXuMnG4cPmDEweR3QZUt5m0Vc7HXzbehZxjUZ3xRWvT/pu+khBhJcRFkLlA60Fnqv7Q+MQP1C0Cpf3hiX1LcXUogXkNooAqx1YYRd8VqvI8e9yQW+a99x8FftnmXKlGCxP33ng6+U6Y2H7u3cRDrlRTbWqkry4SuUYo+6MtvZVgL0fw6PsZ jstanley@hawtness.rmrf.net
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJH1lA7WHRCbaFtvzbw0HxHYJstZjuXhax1+eL+SUJ5fFRGosEc4fLrSCP0gSFDfXmNzuspoBgcQTqnNO8FdIUwkJLDEu0vTQls1aT9YUXb+RVwKB7ULA3b1dqFkmOgLEjTJL9AplK4OJ9Su0kq6QBV4mXCxMsgEML/gn6r8muZmu2L/LdzUnxKKggyq7O5q1K/eW5Yy21fpvbHt2UPQX1f6gt4ty7E9Nnuhi7SHCI7fNIa+kHyIesfTm/SzeK/PY9rDwZKjuyS8o22GJXGEScJomK1cjMESH/J+t8Hffaj88BjGHNczvcnXAjq6y73VJQ9DiGLD4zmFquQMxDu0Tf kevin@jelerak.scrye.com
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDefONrBaBJlCxKtDwkYWVhf96lMhRQfwVJyBoBd4Pk6TqKMlAu2eST1xRZlV4cJSxAWgZpOaFgqJ5EGd6mq8PvVk+mKXdtX7CAoWm4f3c6otUFsFDCTw3gVvYSlEk23XBHuACsbAVNL4HmP+9C7PxQBePukbMBFD2smsyQkPcX7lZw+lDJW5lOTz3dHAA92bcopDycxRDI99gGkawzjlmxpm2C9nhRabKS6mpGw3N64d8hwHkkFbtHY7rS0/0Cka0geYYYv0NVki1IIctkhZE9LndcWbVcVe1pIlR0RyW2sorfgCgoa5fRZZhukUCtspdv981h/0b87RpRVUJKuRd1 lmacken@tomservo
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsmLoA/97DrE7roCHOY7NdB5TV/g7oxAsk74HgHcFRYAbn/rkoa7r9ZsgR7qzwd6Z+5Z77qFqvl1Bs3XtJf+1vJ3kwdcNFdKTw1DgTdE/rNPI7QzUgXKKKv/WCiU6UDBX4HHWq8Yuq4tkr/yepS8sLzMz2e0pHU4uWFQuvr5ttP9ABGohhDnPr0IcaT5vm+uBTJItJBrhqGws2fnVxhWEm8Y96AZb2vFZVwiMdcKKqfVZby3/wTuEtaDbv0krQNtLJcjaOTWLHWnxJEvLWSdFgkuIDvoNKR7ZV2lsmh5UD/smStgf8TkORR59r63dp2kWAn0/Jl59ARsdXDXGCiduF3GamxglTUA+kYbkN/PBQbl6o+nNKy4Q5TI53WNmhpdsbEJWCjzT+V1ju5JejFEHIhnWyBoBUWB2NKxWaSlToI2B9E0iJ0HK68IlA7bO4X7SD8q5cZBVTKMByFxt9uQXFeZeG7QRCPIsg6bXsirnFn5028iz+RfVFe3Mavp18v1hObvH6SDTczQauuAhTwYOtphaPZj+iHbaKvKndvlOWdGoyrNxgcx+t4loyEEcEWD0Astdp0bZD39nag94PD7hnoENOC0oE6mbtyUuSCGrU6ogee8qxYAt0AP3Rq1LLaRWXqe/1rM5A9oaDNwNkWA/JWbJbZQf0vvWTZmTib3rfew== mdomsch@fedoraproject.org
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7U0WbKLL/D6iR03/vdDZJ8Lkj1jjAkindSvC4PkXVgi6qJo1YBZnIgsmoQopYcra2yzHFt58crygIh79P/rpQowWY99W+Sk4kB9UNuiAiX/LRi+1YdxwCKcRNTVOwuji6MGZoscACERmIjPY6P1oFPERoXhUkOuzPcrDK/0z/Bp9dpNRVZE/0zN6dvHA9QODLGvcFtgnX73SbZfoIbaVP/37IvOZvjGI1jxC5DwCmY+ihM13GpELP6BM8iihlnl1pjk1vtqPxD9g9Llr14Sc6cZJKl1WCulqhde4SEMOjpMJ8J8cGYBSsdh49hB36pdKQuTTnuCXpEt5Tl8PUKCrr mmcgrath@desktop.mmcgrath.net
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3eVd6Ccegp1r1mhm7tPnlGUcw0zsAbR2p9hrFZ7RKxdIponuVV9ix4lgwpNEVDs0j4vxAApeLpJrsV8R8+YLUZO3Mzi+2s8nM8LXrKHtJT9wKKqoU3O/lC79drbWk3EMgETyP61Zpjkub0hwG2MjviPee63zCuRbxzxyalzk+AtwkRSxYaS2Ha0uKxGDiq1c/Iu6HRgm8HrtW+Pr6QbSSoHLhGUpR0HkgoC6852xXGhrRMkzXXbD9L6vaK9F39YmzD7Z8yey+xDTFW529avkEIWDeqBpbae+HjKqEQaBx71/rcmXhqKYrEagzUGpS8Bwskp3JMksd/v9tMuUhGQ2XaooCeKzvM0KnVUk/Q031ZtjNYxLpy/rEqbyt18+8wYOvVoGgnRZ/yJ/UVwYbGJrttYrrQmaJv7b357bkgDJobkIki+zGzi1xkvb85JWEt0mfh38H2vCnpwQtSAIyF/hmrS+1xsD/oAoc83IUhsVYcDhLbBEVKMX2IsJLMAPwCE6GexRYyVE5vEN4PMV9A8VmGuIC3IzkPEbStdtlbP4ttNKtfwS+MrY+ceAABDixls6xpedgT1he44R+7C1p+w4uj4TnYReLVce6+KgfJ6mz8CTXVULLWM4l2H3PylEUyoHGRDpVanGAvm7h2D0HgxErWIkjZkL79GFhzQc1xjzixQ== notting@nostromo.devel.redhat.com
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDAeAohiRJ2v/RO7R9GS93TF92Gc9ixK6HM7wlbMdlZ4yYAbeoEX8VpeNaSTfo/Nw3zazr9VpmpHg+H70K8ljQsPgRwcgpetRVpF55M5FYjqM5oM+N94HV3nSGcnWbSIho1R31DaDH2ptxVqgh2m5DG7Bc45w9Bd4wjfdQ8nBrGv93tuH7X/cee4g6GvexLm5nXhAngdEmiyxw5MHuJAvj+54l4wMXRWpeF6XlI2iamW42nLSfRMCFkGNiXvBm8zkfkeH2L7I2cNKXXoP/cPCd3G/teIsI9FDqYpZ6CS0zMkWhlTuh7rlCjc9+nJsLdDLgwhb75skiUOOfimGvCCxWeHuCsSL+KpCu4AgI9UAVgO6xblDlmbQXxlGopep29U/s00W/0qv3Zp8Ks4Za0xHdoIwHiaLM0OYymFaNDd3ZqFG0FN23ZjcGqUmFGhGfUQRDt72+e9HtXlBJ0mUaCX9+e4wFGTVciG1/5CKsLHCaLRf+knsWXrv2zcv9BoZ9SCAK32zCZw05wjcmr7jYDCTLmtC6kEBNaOeE9Qqi2oomo4ji8ybg+Qq+1BwOtJKExvmZaooBZud0qd24HmCU0/0ysw732jGcqexzxsCR0VArd+7LKexOD7KwMW0VUss6fdOWac9gwCLx9FaKYh8mVvcQjKhKGI3aO2sXRUWSbBJw8w== ricky@alpha.rzhou.org
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAxnzCHH11nDM1m7yvqo6Uanq5vcZjBcs/mr3LccxwJ59ENzSXwUgEQy/P8vby9VKMwsskoaqZcvJdOSZBFhNV970NTPb69OIXPQAl/xhaLwiJOn606fB+/S8WepeuntS0qLiebbEiA9vIQLteZ+bWl1s/didD/sFo3/wItoTGA4GuShUu1AyWJx5Ue7Y34rwGR+kIvDoy2GHUcunn2PjGt4r3v2vpiR8GuK0JRupJAGYbYCiMBDRMkR0cgEyHW6+QQNqMlA6nRJjp94PcUMKaZK6Tc+6h5v8kLLtzuZ6ZupwMMC4X8sh85YcxqoW9DynrvO28pzaMNBHm7qr9LeY9PIhXscSa35GAcGZ7UwPK4aJAAuIzCf8BzazyvUM3Ye7GPCXHxUwY0kdXk+MHMVKFzZDChNp/ovgdhxNrw9Xzcs4yw7XYambN9Bk567cI6/tWcPuYLYD4ZJQP0qSXVzVgFEPss1lDcgd0k4if+pINyxM8eVFZVAqU+BMeDC+6W8HUUPgv6LiyTWs+xTXTuORwBTSF1pOqWB4LjqsCGIiMAc6n/xdALBGUN7qsuKDU6Q7bwPppaxypi4KCvuJsqW+8sDtMUaZ34I5Zo1q7cu03wqnOljUGoAY6IDn3J66F2KlPPyb/q3PDV3WbY/jnH16L29/xUA73nFUW1p+WXutwmSU= ssmoogen@ponyo.int.smoogespace.com
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFZ3AD/I0OfU84IrK573amZptucuBrDxHoue/c+PUsD3MGIA6QXRceq3ZkLuz25OAAu53hFxzCE4d6eVS299rVR8Cd+tVU8aqBdTHzdqv52Vs8zRfXMW69sV7fhwRLaQDcRTwY90Wmz2MbZmN996XmJDNtUIWI2mML+PBYEdO0PyiB2ttb7mmA3SwtC/rwEMJL2YHh+bTzlJ9W4BgFcFwizMXU3mk5uGp2/q3nKzEvgTROM8yWvqdM34cRYpjFKyOlpo6k3SPt76hgDUEIsAu6Ul1S0FHTCRMIihcxZOSN4frMtXVjX0NhW9mKcn1IRBpzd0Yon/gPB8OJ31ojIIop spot@pterodactyl
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDfgKJEBuHFlFc8/IHDeIpdprNnAFQHkicXAFfAzIJSkhUaOJFjsulmgPZn2TJJpYqFAxYUjhWJOdrOwx7AHSg6gWu4TT4a0sTay+Z0eqZOShf5UL/M587DxJk1JZU8g812yDKZMc7Sv7K6zdteONnCvno1kALSg0F2MVMJXFjE/tSontkIRH6IuG19R19NGEj1h56uGwdfe78xjOmv5wk6RZBjaOKqiPSQKNqCKbY9Kyz6yrem2M5uxRK45u3wSPJdmopo8l/nwf0p6ydrUSL5C/aXGh7LPqh31eTBDQUbWHw9LQMk1SibMGQPwJt59lLMlzc5OQZAJEbadsDAgl6VVA6MZkBQROiK9E087kvPesMoGWE0KBgvTqzpBZj0uHATP9i097dv80gjupMyaePsnQOxk0wRho9nRkxRo18Drt3QPVND4YGHzahMe/YR2N83MkbnGoP8K+GsFhLMAp3NKh6yUofFxTgRiB6H8ULKf3CV+hlk0Z9RJR3CpgMTKILYHPlaleJqoP6sXg6tJxI0rUE+0jUKvaTj+N2gX0MjKfUINk5mTbjD2mdVrPtKOBvos2luNhY5nTDpJuAHQqnFHPlPw8l3lXC2VBWOjqfTeeS+qD7ArKe6F7IO5ZNxJ2mTUuodhaPySta1MS37DWoz6UqeJu+wKIsHok90+EU4aAvUABh3RXSQA1E3IaxkooMhhrdIQO6K4L0M+CZ7lP35sW5pnwsN4sFlPec9Xn5e15LTlb9yFlx7Nm4DE2SX1s9QyMRE7z0LNO0X7wiihojuyQM6OQwc+ZaaDw5HerBisX/3LcC9osVLQQg1pt91YcCczUQ08qfUJV6aOD962K+EGzVFQGGauJDzgEH9BHQg7QwCWr0f3mu8/TNBzys2c0YsywDUc3AT1KP6TEJcR/dy6WbhJD3qyO/BLfCzRrHUOIaz+WbwmfTX8tGEQnVV5sEkZ39PWA1hRQ83b3MNV8cRJl+h/FnTk62yM4ZqGu73+x8JiEG3HAJp9/xYfNSwg8++PojJBXe+yM6DrTh5fTnBhxatLEKB658p8jTqJtF4+YD9D8+L39xEns6GQ7FphNqTC6IcpXyqq+zNuzF7vs/T+5n7978dUs3sK6YpBX4BlDxK6MsRF1WYqajEVeBJEMwdX2rfGkN9B5GfWdmdrzBjZQ6yyvlx5Dg++qgxpMiVOXSnw5v7H03PrT1we9wKre/2SQ1A2Oq/UDt/7tR2cMLoaPDNBpFT1W44LJB7o9iDT9YHUG3dC7R8JoeJ5YjyFmxbUQ5xg1oHnrBaPrGCuEYdQWhuDmp9Px2yRu8Agxzr9rNCZ/W8nWJVmvwvlXoldrum2rAECx0wiWqBhQ/+eX65 badger@unaka.lan
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDnI+8JwOdXUO6T7gI6oXHUG4oQJsMsCwEGnRBjU4po93i9g9C5sShgqJMvBI2wzDdgL/xOFJeHuo+WTP6W/oiv8KHEco3wXSI4OlsPanORGn2TajwzEaYlfxJNlQPvmuxFxcrfkPF8cOGa0DRNTLZK7abO3tKfZV7IJyNX3Z0LFZ+VwcJBy1ryg0GonMYkjEreiAgJyGCJ1crnKiRMPSu/QONb0MTytMlJRtc/Lfi/KkT8C/LQ/e3zA5DWo9Ykb79M1k4MmtmE8mIUlWUQ9hagMhCj3/6Uze04H48fpYzDPr6AHU6rqxLTdBGgLCeSIUkE1ReZpAk2E+QAB/fTliydT93ig5i2RDt3YHcAa994C85bc0D+A21u0H/LzR1wbIItx+MpOkZePHevDSe4y8ULx0cUiEHxmTTZ2C6j+1EqaP5PeWEqlU3iXTgiqOzTEwfEaH7nScBpGbFmPnzdgO7xLuKebnvWjGu6d8Jd41KN5dN5WNMJaNEXBl65ySfeQYCCX/JZ5bfvC/07zAKj0/RKOFMyS07rb0rKh3EBcRx/tHgCq0hJ23NwfkShchj7v2Zh+JjgHKBv1+ZiIwnx2/WuYwvKwyqXZ5Jpy+lgxcC7l11w1ZN3tCd66E6NdU8AJIOz0n+trIorsipQBY0In3ZBLUU0PUYwno73e7ZabgcE7Q== patrick-new@fedora.thuis.local
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDep2yv5JTFJ0IdCiqumMFfNdu3H5Ej/rVVDEotS+3n5+1plKvajPXOA9c/0RLrBC/vL8LqDVrxBaiCvPFCIRN9a3Y1ru3Dwg++NmcMEvYq/H3SMHhZsH1yjlCD2r38znpX+D+CBMQnn7F5jqYFAnaMeESrgGGFFANfJN9HdHjb6eIrBGJyUOJ2JnZnhLFT5y7ru2xRMDmgsO3U+crmecYAeX/4iUadUxit36defAniVOA/3Jwva4Gjz73vIDTHNy1mxB8Y2ZBBl9WcL4qHc6wnAyFaiULcT5++Gdjn+MIyL86G/7mIIgC+fcVk/5JrdwMBiAZYMUZO/pzPobOe0spF threebean@marat
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2xAeq5uO72kY4mSFgFl9ZSveiAqe4tUv8hemrxwZH+w24RFOGrW1nOV+hjQhRpYVNwvqJkrd9N7VY/HXkd9df2AgQyYoiVfeMPTA7lB0/e/S1Bd6XGdWudvqRU1O6Rug0j3RQOuz7WDJgnanBVcBl8+X7EaPGpv9aILgh6CJDOVAO2GgaFdzI7CHtR99CMqNG7BsQF8C9Y8ALK+8HOPRE0R1wzgaAw85HTo0gyIWcrZqr4HI/QDuLjUQ6AZSgzE7dTiwZuFnUjLBnL0YP1bxJglt9IFx6r6jvdp/yMD+Bn/91WvmBL/AD+GIQ/ZydoeLo+JQW22ibiX/SzdAE4Cd3 pingou@FedoraProject
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDLVoyChksxZ1T64H8sJ3JjZNwUEIBQ1RKoY3cL1FfntvkvmgluWw/AGKQME49W6iRC6o9IgCRrOPErtd8FtetX1jI7Lkrd5znqRkVUj+FrCyaOq4lCICAYX8q1QC2URlteXiHtoaOWUqHD20c0tQwktCXtBAxfLCQCVjfubvSs7rWRDSyC2diUTCfJGYYLyo41Pr5IyMKg6BMUE/BAURHwTncMXtRMjx8JqxZtMImp4cO5p4QV6BVydn99X/ueHOVE910OrPL46cOsBMV3EIm+Hwr7lAHa7eF6bTv1bsysNPHZZ23TzvEjIB71l2ptlJThm3iECmgRlb4ssllqH2zcnwjSOivnAaalgaHk937At6QlrOdtB2WY6sxklxYG1Uaq0P+IOIRhEOw/6/5mcqBH/G8ebYfwiv5CwJ0EzRZW78y6VOHfUo/XQEetcLMYMS7B1rSaQDMTsfIGTrjBXS5kKn/AEnVYYWbD+wVGC64ShQVhtXzpYEzHTRf2XQwCCnEUF9tSSAt3uuBhlaT5vXXac6rz7qy+4d54xTzxWZnmvgG3pWjaqZ84P8aqz72m6TQR0z1FKVgQkAXvnYunM6BXTzN5Osnr2rz68d4ONUWkldGnDmrIIMo7rxJTeMbCjCqTKMyaTamtAE+Vg3KQldbCOys6HEp+irelZkKdat+VcQ== mobrien@fedoraproject.org
+
--- a/files/communishift/haproxy.cfg
+++ b/files/communishift/haproxy.cfg
@ -1,95 +0,0 @@
 # this config needs haproxy-1.1.28 or haproxy-1.2.1
 global
    log 127.0.0.1   local0 warning
    maxconn 4096
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy-stat user haproxy group nrpe mode 0664
    stats socket /var/run/haproxy-admin level admin user root group root mode 0660
    #debug
    #quiet
 defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    option  httpclose
    option  redispatch
    retries 3
    maxconn 5000
    timeout connect 5s
    timeout client 500s
    timeout server 500s
 frontend stats-frontend
    mode    http
    option  httplog
    bind 0.0.0.0:8080
    default_backend stats-backend
 backend stats-backend
    mode    http
    option  httplog
    balance hdr(appserver)
    stats enable
    stats uri /
 frontend os-masters-kapi
    mode tcp
    bind 0.0.0.0:6443
    default_backend os-masters-backend-kapi
 backend os-masters-backend-kapi
    mode tcp
    server  os-node01.fedorainfracloud.org os-node01.fedorainfracloud.org:6443 weight 1 maxconn 16384 check
    server  os-node02.fedorainfracloud.org os-node02.fedorainfracloud.org:6443 weight 1 maxconn 16384 check
    server  os-node09.fedorainfracloud.org os-node09.fedorainfracloud.org:6443 weight 1 maxconn 16384 check
 # temp bootstrap node
    server  os-node11.fedorainfracloud.org os-node11.fedorainfracloud.org:6443 weight 1 maxconn 16384 check
 frontend os-masters-machineconfig
    mode tcp
    bind 0.0.0.0:22623
    default_backend os-masters-backend-machineconfig
 backend os-masters-backend-machineconfig
    mode tcp
    server  os-node01.fedorainfracloud.org os-node01.fedorainfracloud.org:22623 weight 1 maxconn 16384 check
    server  os-node02.fedorainfracloud.org os-node02.fedorainfracloud.org:22623 weight 1 maxconn 16384 check
    server  os-node09.fedorainfracloud.org os-node09.fedorainfracloud.org:22623 weight 1 maxconn 16384 check
 # temp bootstrap node
    server  os-node11.fedorainfracloud.org os-node11.fedorainfracloud.org:22623 weight 1 maxconn 16384 check
 frontend os-routers-https
    mode tcp
    bind 0.0.0.0:443
    default_backend os-routers-https
 backend os-routers-https
    server  os-node03.fedorainfracloud.org os-node03.fedorainfracloud.org:443 weight 1 maxconn 16384 check
    server  os-node04.fedorainfracloud.org os-node04.fedorainfracloud.org:443 weight 1 maxconn 16384 check
    server  os-node05.fedorainfracloud.org os-node05.fedorainfracloud.org:443 weight 1 maxconn 16384 check
    server  os-node06.fedorainfracloud.org os-node06.fedorainfracloud.org:443 weight 1 maxconn 16384 check
    server  os-node07.fedorainfracloud.org os-node07.fedorainfracloud.org:443 weight 1 maxconn 16384 check
    server  os-node08.fedorainfracloud.org os-node08.fedorainfracloud.org:443 weight 1 maxconn 16384 check
    server  os-node10.fedorainfracloud.org os-node10.fedorainfracloud.org:443 weight 1 maxconn 16384 check
    server  os-node11.fedorainfracloud.org os-node11.fedorainfracloud.org:443 weight 1 maxconn 16384 check
 frontend os-routers-http
    mode tcp
    bind 0.0.0.0:80
    default_backend os-routers-http
 backend os-routers-http
    server  os-node03.fedorainfracloud.org os-node03.fedorainfracloud.org:80 weight 1 maxconn 16384 check
    server  os-node04.fedorainfracloud.org os-node04.fedorainfracloud.org:80 weight 1 maxconn 16384 check
    server  os-node05.fedorainfracloud.org os-node05.fedorainfracloud.org:80 weight 1 maxconn 16384 check
    server  os-node06.fedorainfracloud.org os-node06.fedorainfracloud.org:80 weight 1 maxconn 16384 check
    server  os-node07.fedorainfracloud.org os-node07.fedorainfracloud.org:80 weight 1 maxconn 16384 check
    server  os-node08.fedorainfracloud.org os-node08.fedorainfracloud.org:80 weight 1 maxconn 16384 check
    server  os-node10.fedorainfracloud.org os-node10.fedorainfracloud.org:80 weight 1 maxconn 16384 check
    server  os-node11.fedorainfracloud.org os-node11.fedorainfracloud.org:80 weight 1 maxconn 16384 check
--- a/files/communishift/objects/README.md
+++ b/files/communishift/objects/README.md
@ -1,28 +0,0 @@
 Instructions
 ------------
 The files in this directory are the configuration files for communishift to be applied.
 For OIDC auth, get the client secret for "communishift" from ansible-private/files/ipsilon/openidc.production.static, and run:
 > oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config
 For certificates, first install [cert-manager](https://docs.cert-manager.io/en/release-0.10/)
 NOTE: The 0.11 version is buggy, as is the operator hub '1.0' version. Use 0.10 unless you want
 to spend a lot of time debugging.
 Next create the Issuer object. You may need to wait a minute or two for the cert-manager install
 to complete and have all pods up.  
 To do this, first create a new access key ID and secret key in AWS for the communishift_acme_dns01 user, and update issuer.yml with the access key ID and then create a secret with the private access key
 > oc create -f issuer.yml
 > oc -n cert-manager create secret generic route53-access-key-secret --from-literal=access-key=THEACCESSKEY
 This gives it the ability to create a TXT record for acmechallenges.fedorainfracloud.org.
 To allow certificates for other hostnames, those hostnames need a CNAME of "_acme-challenge.<hostname>" pointing to "acmechallenges.fedorainfracloud.org".
 After that, create the two certificate requests for the API server and ingress default cert:
 > oc -n openshift-config create -f cert_api.yml
 > oc -n openshift-ingress create -f cert_apps.yml
 This will start the request of the certificates.
 Then run the following commands to update the ingress router (will take affect after its restart) and API server with their new certs:
 > oc patch apiserver cluster --type=merge -p '{"spec": {"servingCerts": {"namedCertificates": {"names": "api.os.fedorainfracloud.org"}, "servingCertificate": {"name": "api-certificate"}}}}'
 > oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "apps-certificate"}}}' -n openshift-ingress-operator
--- a/files/communishift/objects/cert_api.yml
+++ b/files/communishift/objects/cert_api.yml
@ -1,15 +0,0 @@
 ---
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Certificate
 metadata:
  name: api-certificate
  namespace: openshift-config
 spec:
  secretName: api-certificate
  renewBefore: 360h # 15d
  commonName: api.os.fedorainfracloud.org
  dnsNames:
  - 'api.os.fedorainfracloud.org'
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
--- a/files/communishift/objects/cert_apps.yml
+++ b/files/communishift/objects/cert_apps.yml
@ -1,15 +0,0 @@
 ---
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: Certificate
 metadata:
  name: apps-certificate
  namespace: openshift-ingress
 spec:
  secretName: apps-certificate
  renewBefore: 360h # 15d
  commonName: apps.os.fedorainfracloud.org
  dnsNames:
  - '*.apps.os.fedorainfracloud.org'
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
--- a/files/communishift/objects/issuer.yml
+++ b/files/communishift/objects/issuer.yml
@ -1,22 +0,0 @@
 ---
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-production
 spec:
  acme:
    email: admin@fedoraproject.org
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
    - dns01:
        cnameStrategy: Follow
        route53:
          region: us-east-1
          accessKeyID: THEACCESSKEYID
          secretAccessKeySecretRef:
            namespace: cert-manager
            name: route53-access-key-secret
            key: access-key
          hostedZoneID: Z2MFECC8O90CBA
--- a/files/communishift/objects/machineconfigs/README.md
+++ b/files/communishift/objects/machineconfigs/README.md
@ -1,12 +0,0 @@
 MachineConfig files
 -------------------
 The files in this directory are used as machineconfig files for communishift.
 Note that they're template files: some changes will need to be made before "oc create -f".
 Specifically:
 - The templates have two "DOBOTH" replacements. You want to create the file twice,
  once with both DOBOTH cases replaced with "master" and once replaced with "worker".
 - The mc_firewall.yml.template has a bit FILL_IN_HERE. Run "./to_data.sh firewall.sh",
  and copy the output from that script into the FILL_IN_HERE bit in the MC.
  Then run that MC twice as per the previous point (master and worker).
--- a/files/communishift/objects/machineconfigs/firewall.sh
+++ b/files/communishift/objects/machineconfigs/firewall.sh
@ -1,10 +0,0 @@
 set -xe
 iptables -N fedora-block-ports
 iptables -A fedora-block-ports -p tcp --dport 111 -j REJECT
 iptables -A fedora-block-ports -p udp --dport 111 -j REJECT
 iptables -A fedora-block-ports -p tcp --dport 22623 --src 38.145.48.42 -j ACCEPT
 iptables -A fedora-block-ports -p tcp --dport 22623 --src 38.145.48.43 -j ACCEPT
 iptables -A fedora-block-ports -p tcp --dport 22623 -j REJECT
 iptables -I INPUT 1 -j fedora-block-ports
--- a/files/communishift/objects/machineconfigs/mc_chrony.yml.template
+++ b/files/communishift/objects/machineconfigs/mc_chrony.yml.template
@ -1,19 +0,0 @@
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 metadata:
  generation: 1
  name: 50-chrony-DOBOTH
  labels:
    machineconfiguration.openshift.io/role: DOBOTH
 spec:
  config:
    ignition:
      version: "2.2.0"
    storage:
      files:
      - contents:
          source: "data:,server%20cloud-noc01.fedorainfracloud.org%20port%20124"
          verification: {}
        filesystem: root
        mode: 0644
        path: /etc/chrony.conf
--- a/files/communishift/objects/machineconfigs/mc_firewall.yml.template
+++ b/files/communishift/objects/machineconfigs/mc_firewall.yml.template
@ -1,32 +0,0 @@
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 metadata:
  generation: 1
  name: 40-firewall-DOBOTH
  labels:
    machineconfiguration.openshift.io/role: DOBOTH
 spec:
  config:
    ignition:
      version: "2.2.0"
    storage:
      files:
      - path: /etc/fedora_firewall.sh
        mode: 0755
        filesystem: root
        contents:
          source: "FILL_IN_HERE"
    systemd:
      units:
      - name: "fedora_firewall.service"
        enabled: true
        contents: |-
          [Unit]
          Descrption=Block firewall ports for Fedora
          [Service]
          Type=oneshot
          ExecStart=bash /etc/fedora_firewall.sh
          [Install]
          WantedBy=multi-user.target
--- a/files/communishift/objects/machineconfigs/to_data.sh
+++ b/files/communishift/objects/machineconfigs/to_data.sh
@ -1,4 +0,0 @@
 #!/bin/bash
 echo -n "data:,"
 cat $1 | tr '\n' '*' | sed -e 's/*/%0A/g' | sed -e 's/ /%20/g'
 echo
--- a/files/communishift/objects/oidc_cm.yml
+++ b/files/communishift/objects/oidc_cm.yml
@ -1,27 +0,0 @@
 ---
 apiVersion: config.openshift.io/v1
 kind: OAuth
 metadata:
  name: cluster
 spec:
  identityProviders:
  - name: fedoraidp
    login: true
    challenge: false
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: communishift
      clientSecret:
        name: fedoraidp-clientsecret
      extraScopes:
      - email
      - profile
      claims:
        preferredUsername:
        - nickname
        name:
        - name
        email:
        - email
      issuer: https://id.fedoraproject.org
--- a/files/copr/DigiCertCA.crt
+++ b/files/copr/DigiCertCA.crt
@ -0,0 +1,28 @@
 -----BEGIN CERTIFICATE-----
 MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
 ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
 MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
 LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
 YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
 4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
 Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
 itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
 4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
 sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
 bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
 MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
 NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
 dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
 L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
 BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
 UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
 aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
 aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
 E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
 /D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
 xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
 0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
 cPUeybQ=
 -----END CERTIFICATE-----
--- a/roles/copr/backend/files/boto
+++ b/roles/copr/backend/files/boto
--- a/files/copr/copr-be.conf
+++ b/files/copr/copr-be.conf
@ -0,0 +1,60 @@
 [backend]
 # URL where are results visible
 # default is http://copr
 results_baseurl=http://copr-be.cloud.fedoraproject.org/results
 # ??? What is this
 # default is http://coprs/rest/api
 #frontend_url=http://copr-fe.cloud.fedoraproject.org/backend
 frontend_url=http://172.16.5.31/backend
 # must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
 # default is PASSWORDHERE but you really should change it. really.
 frontend_auth={{ copr_backend_password }}
 # path to ansible playbook which spawns builder
 # see /usr/share/copr*/playbooks/ for examples
 # default is /etc/copr/builder_playbook.yml
 spawn_playbook=/home/copr/provision/builderpb.yml
 # path to ansible playbook which terminate builder
 # default is /etc/copr/terminate_playbook.yml 
 terminate_playbook=/home/copr/provision/terminatepb.yml
 terminate_vars=vm_name
 # directory where jobs are stored
 # no defaults
 jobsdir=/var/lib/copr/jobs
 # directory where results are stored
 # should be accessible from web using 'results_baseurl' URL
 # no default
 destdir=/var/lib/copr/public_html/results
 # default is 10
 sleeptime=30
 # default is 8
 num_workers=8
 # path to log file
 # default is /var/log/copr/backend.log
 logfile=/var/log/copr/backend.log
 # default is /var/log/copr/workers/
 worker_logdir=/var/log/copr/workers/
 # exit on worker failure
 # default is false
 #exit_on_worker=false
 # publish fedmsg notifications from workers if true
 # default is false
 #fedmsg_enabled=false
 fedmsg_enabled=true
 [builder]
 # default is 1800
 timeout=3600
--- a/files/copr/copr-be.conf-dev
+++ b/files/copr/copr-be.conf-dev
@ -0,0 +1,57 @@
 [backend]
 # URL where are results visible
 # default is http://copr
 results_baseurl=http://copr-be-dev.cloud.fedoraproject.org/results
 # ??? What is this
 # default is http://coprs/rest/api
 frontend_url=http://copr-fe-dev.cloud.fedoraproject.org/backend
 # must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
 # default is PASSWORDHERE but you really should change it. really.
 frontend_auth=PASSWORDHERE
 # path to ansible playbook which spawns builder
 # see /usr/share/copr*/playbooks/ for examples
 # default is /etc/copr/builder_playbook.yml
 spawn_playbook=/home/copr/provision/builderpb.yml
 # path to ansible playbook which terminate builder
 # default is /etc/copr/terminate_playbook.yml 
 terminate_playbook=/home/copr/provision/terminatepb.yml
 # directory where jobs are stored
 # no defaults
 jobsdir=/var/lib/copr/jobs
 # directory where results are stored
 # should be accessible from web using 'results_baseurl' URL
 # no default
 destdir=/var/lib/copr/public_html/results
 # default is 10
 sleeptime=30
 # default is 8
 num_workers=5
 # path to log file
 # default is /var/log/copr/backend.log
 logfile=/var/log/copr/backend.log
 # default is /var/log/copr/workers/
 worker_logdir=/var/log/copr/workers/
 # exit on worker failure
 # default is false
 #exit_on_worker=false
 # publish fedmsg notifications from workers if true
 # default is false
 #fedmsg_enabled=false
 [builder]
 # default is 1800
 timeout=3600
--- a/roles/copr/backend/files/copr_bashrc
+++ b/roles/copr/backend/files/copr_bashrc
--- a/files/copr/delete-forgotten-instances.cron
+++ b/files/copr/delete-forgotten-instances.cron
@ -0,0 +1,5 @@
 #!/usr/bin/bash
 source /home/copr/cloud/ec2rc.sh
 /home/copr/delete-forgotten-instances.pl
--- a/files/copr/delete-forgotten-instances.pl
+++ b/files/copr/delete-forgotten-instances.pl
@ -0,0 +1,28 @@
 #!/usr/bin/perl
 # this scrip query for all running VM and terminate those
 # which are not currently started by some ansible script
 while (chomp($a = qx(ps ax |grep -v 'sh -c ps ax'  |grep /home/copr/provision/builderpb.yml | grep -v grep))) {
  # we are starting some VM and could not determine correct list of running VMs
  sleep 5;
 }
 #print qx(ps ax |grep ' 172.16.3.' |awk '{ print \$33 }');
@IPs = split('\s+', qx(ps ax |grep ' 172.16.3.' |awk '{ print \$33 }'));
 #print "Running instances\n";
 #print join(", ", @IPs), "\n";
 for my $i (@IPs) {
  $check{$i} = 1;
 }
@instances = split('\n', qx(/bin/euca-describe-instances));
@TO_DELETE = ();
 for my $i (@instances) {
  my @COLUMNS = split('\s+', $i);
  next if $COLUMNS[0] eq 'RESERVATION';
  #print $COLUMNS[1], ", ", $COLUMNS[15], "\n";
  push(@TO_DELETE, $COLUMNS[1]) unless $check{$COLUMNS[15]};
 }
 $id_merged = join(" ", @TO_DELETE);
 qx|euca-terminate-instances $id_merged| if ($id_merged);
--- a/files/copr/fe/README
+++ b/files/copr/fe/README
@ -0,0 +1 @@
 in this dir is where we put all the configs for the copr frontend
--- a/files/copr/fe/copr.conf
+++ b/files/copr/fe/copr.conf
@ -0,0 +1,33 @@
 # Directory and files where is stored Copr database files
 DATA_DIR = '/var/lib/copr/data'
 DATABASE = '/var/lib/copr/data/copr.db'
 OPENID_STORE = '/var/lib/copr/data/openid_store'
 WHOOSHEE_DIR = '/var/lib/copr/data/whooshee'
 SECRET_KEY = '{{ copr_secret_key }}'
 BACKEND_PASSWORD = '{{ copr_backend_password  }}'
 # restrict access to a set of users
 #USE_ALLOWED_USERS = False
 #ALLOWED_USERS = ['bonnie', 'clyde']
 SQLALCHEMY_DATABASE_URI = '{{ copr_database_uri }}'
 # Token length, defaults to 30 (max 255)
 #API_TOKEN_LENGTH = 30
 # Expiration of API token in days
 #API_TOKEN_EXPIRATION = 180
 # logging options
 #SEND_LOGS_TO = ['root@localhost']
 #LOGGING_LEVEL = logging.ERROR
 DEBUG = False
 SQLALCHEMY_ECHO = False
 CSRF_ENABLED = True
 WTF_CSRF_ENABLED = True
 # send emails when user's perms change in project?
 SEND_EMAILS = True
--- a/files/copr/fe/httpd/coprs.conf
+++ b/files/copr/fe/httpd/coprs.conf
@ -0,0 +1,64 @@
 NameVirtualHost *:80
 LoadModule wsgi_module modules/mod_wsgi.so
 WSGISocketPrefix /var/run/wsgi
 <VirtualHost *:80>
    ServerName copr-fe.cloud.fedoraproject.org
    WSGIPassAuthorization On
    WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5
    WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
    WSGIProcessGroup 127.0.0.1
    #ErrorLog logs/error_coprs
    #CustomLog logs/access_coprs common
    <Directory /usr/share/copr>
        WSGIApplicationGroup %{GLOBAL}
 	Require all granted
    </Directory>
 </VirtualHost>
 <VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    #optimeize on speed
    SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    ServerName copr-fe.cloud.fedoraproject.org:443
    WSGIPassAuthorization On
    #WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5
    WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
    WSGIProcessGroup 127.0.0.1
    #ErrorLog logs/error_coprs
    #CustomLog logs/access_coprs common
    <Directory /usr/share/copr>
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
 </VirtualHost>
 <IfModule mod_status.c>
 ExtendedStatus On
 <Location /server-status>
    SetHandler server-status
    Require all denied
    Require host localhost .redhat.com
 </Location>
 </IfModule>
 <IfModule mpm_prefork_module>
    StartServers          8
    MinSpareServers       8
    MaxSpareServers      20
    MaxClients          50
    MaxRequestsPerChild   10000
 </IfModule>
--- a/files/copr/fe/httpd/welcome.conf
+++ b/files/copr/fe/httpd/welcome.conf
@ -0,0 +1 @@
 #commented out so it doesn't do that stupid index page
--- a/roles/copr/frontend/files/pg/pg_hba.conf
+++ b/roles/copr/frontend/files/pg/pg_hba.conf
--- a/files/copr/fe/yum/copr.repo
+++ b/files/copr/fe/yum/copr.repo
@ -0,0 +1,10 @@
 [Copr]
 name=Copr
 failovermethod=priority
 #baseurl=http://copr-be.cloud.fedoraproject.org/results/msuchy/copr/fedora-19-x86_64/
 # 172.16.5.4 is copr-be.cloud.fedoraproject.org
 # see https://fedorahosted.org/fedora-infrastructure/ticket/4025
 baseurl=http://172.16.5.4/results/msuchy/copr/fedora-20-x86_64/
 enabled=1
 gpgcheck=0
--- a/files/copr/forward
+++ b/files/copr/forward
@ -0,0 +1,4 @@
 msuchy+coprmachine@redhat.com
 kevin@scrye.com
 nb@fedoraproject.org
 sgallagh@redhat.com
--- a/files/copr/forward-dev
+++ b/files/copr/forward-dev
@ -0,0 +1,2 @@
 msuchy+coprmachine@redhat.com
 asamalik@redhat.com
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Patrick Uiterwijk	e35e850ad3	Merge branch 'openvpn_handler' of /git/ansible into openvpn_handler	2014-08-02 15:00:10 +00:00
Patrick Uiterwijk	2c5755dbc4	Add nagios to trusted openid roots	2014-08-02 15:00:06 +00:00
		`@ -0,0 +1 @@`
							`in this dir is where we put all the configs for the copr frontend`
		`@ -0,0 +1 @@`
							`#commented out so it doesn't do that stupid index page`
		`@ -0,0 +1,2 @@`
							`msuchy+coprmachine@redhat.com`
							`asamalik@redhat.com`