change a few known hosts from phx2 to iad2 variables.

inventory/group_vars/all

@@ -16,7 +16,7 @@ openshift_ansible: /srv/web/infra/openshift-ansible/
 #######
 
 freezes: true
-# most of our systems are in phx2
+# most of our systems are in IAD2
 datacenter: iad2
 preferred_dc: iad2
 postfix_group: "none"
@@ -63,15 +63,16 @@ lvm_size: 20000
 # and DNS1/DNS2 lines are put into ifcfg-(device).
 ansible_ifcfg_infra_net_devices: [ 'eth0', 'enc900' ]
 
-# Default netmask. Almost all our phx2 nets are /24's with the
+# Default netmask. All of our iad2 nets are /24's. Almost all of our
-# exception of 10.5.124.128/25. Almost all of our non phx2 sites are
+# non-iad2 sites are less than a /24.
-# less than a /24.
 eth0_nm: 255.255.255.0
 eth1_nm: 255.255.255.0
-eth1_ip: 10.10.10.10
+eth1_ip: 10.0.0.10
 br0_nm: 255.255.255.0
 br1_nm: 255.255.255.0
-# Default to managing the network, we want to not do this on select hosts (like cloud nodes)
+
+# Default to managing the network, we want to not do this on select
+# hosts (like cloud nodes)
 ansible_ifcfg_blocklist: false
 # List of interfaces to explicitly disable
 ansible_ifcfg_disabled: []

inventory/group_vars/bastion

@@ -7,12 +7,12 @@ num_cpus: 4
 #
 # allow incoming openvpn and smtp
 #
-tcp_ports: [ 25, 1194 ]
+tcp_ports: [ 22, 25, 1194 ]
 udp_ports: [ 1194 ]
 
 #
 # drop incoming traffic from less trusted vpn hosts
-# allow ntp from internal phx2 10 nets
+# allow ntp from internal RH 10 nets
 #
 custom_rules: [
     '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
@@ -50,11 +50,14 @@ csi_security_category: High
 csi_primary_contact: sysadmin-main admin@fedoraproject.org
 csi_purpose: SSH proxy to access infrastructure not exposed to the web
 csi_relationship: |
-  - Provides ssh access to all phx2/vpn connected servers.
+  - Provides ssh access to all iad2/vpn connected servers.
   - Bastion is the hub for all infrastructure's VPN connections.
-  - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here.
+  - All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
+    pass or are filtered here.
   - Bastion does not accept any mail outside phx2/vpn.
 
 nagios_Check_Services:
   nrpe: true
   mail: false
+
+# needed for rhel8

inventory/group_vars/bastion_stg

@@ -1,14 +1,18 @@
 ---
 # Define resources for this group of hosts here.
 lvm_size: 20000
-mem_size: 3192
+mem_size: 8192
-num_cpus: 2
+num_cpus: 4
 
-tcp_ports: [ 22 ]
+#
+# allow incoming openvpn and smtp
+#
+tcp_ports: [ 22, 25, 1194 ]
+udp_ports: [ 1194 ]
 
 #
 # drop incoming traffic from less trusted vpn hosts
-# allow ntp from internal phx2 10 nets
+# allow ntp from internal RH 10 nets
 #
 custom_rules: [
     '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
@@ -19,7 +23,7 @@ custom_rules: [
 
 # TODO - remove modularity-wg membership here once it is not longer needed:
 # https://fedorahosted.org/fedora-infrastructure/ticket/5363
-fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-gnome,sysadmin-copr,sysadmin-coreos,sysadmin-dbgserver,sysadmin-osbs,sysadmin-odcs
+fas_client_groups: sysadmin-analysis,sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-gnome,sysadmin-copr,sysadmin-coreos,sysadmin-dbgserver,sysadmin-osbs,sysadmin-odcs
 
 # Disable mail stuff in stg
 fas_aliases: false
@@ -38,9 +42,10 @@ csi_security_category: High
 csi_primary_contact: sysadmin-main admin@fedoraproject.org
 csi_purpose: SSH proxy to access STAGING infrastructure not exposed to the web
 csi_relationship: |
-  - Provides ssh access to all phx2/vpn connected servers.
+  - Provides ssh access to all iad2/vpn connected servers.
   - Bastion is the hub for all infrastructure's VPN connections.
-  - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here.
+  - All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
+    pass or are filtered here.
   - Bastion does not accept any mail outside phx2/vpn.
 
 nagios_Check_Services:

inventory/group_vars/iad2

@@ -4,13 +4,11 @@ dns1: "10.3.163.33"
 dns2: "10.3.163.34"
 
 datacenter: iad2
-#preferred_dc: iad2
+preferred_dc: iad2
 
 
 ipa_server: ipa01.iad2.fedoraproject.org
 
-# for now, lets not monitor any of them from phx2.
-
 nagios_Can_Connect: true
 
 certbot_datacenter: iad2

inventory/group_vars/kernel_qa

@@ -1,6 +1,6 @@
 ---
 freezes: false
-resolvconf: "{{ files }}/resolv.conf/phx2"
+resolvconf: "{{ files }}/resolv.conf/iad2"
 fas_client_groups: sysadmin-kernel
 sudoers: "{{ private }}/files/sudo/kernel-qa"
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.122.0/24 --dport 2049 -j ACCEPT' ]

inventory/group_vars/osbs_aarch64_masters

@@ -49,7 +49,7 @@ osbs_conf_readwrite_users:
   - "system:serviceaccount:{{ osbs_namespace }}:builder"
 
 #Docker command delegated host
-composer: composer.phx2.fedoraproject.org
+composer: composer.iad2.fedoraproject.org
 
 # Nagios configuration
 nagios_Check_Services: