Move proxy subplaybooks to an include dir so they don't get run by check/diff script.

2015-01-24 16:49:23 +00:00 · 2015-01-24 16:49:23 +00:00 · 6bedc3a2ca
commit 6bedc3a2ca
parent 136e9397fd
9 changed files with 8 additions and 8 deletions
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@ -0,0 +1,36 @@
+- name: Set up those proxy certificates.  Good gravy..
+  hosts: proxies-stg:proxy03.fedoraproject.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  roles:
+
+  - role: httpd/mod_ssl
+    
+  - role: httpd/certificate
+    name: wildcard-2014.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert
+
+  - role: httpd/certificate
+    name: wildcard-2014.id.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2014.id.fedoraproject.org.intermediate.cert
+
+  - role: httpd/certificate
+    name: wildcard-2014.stg.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
+
+  - role: httpd/certificate
+    name: fedoramagazine.org
+    SSLCertificateChainFile: fedoramagazine.org.intermediate.cert
+
+  - role: httpd/certificate
+    name: getfedora.org
+    SSLCertificateChainFile: getfedora.org.intermediate.cert
--- a/playbooks/include/proxies-fedora-web.yml
+++ b/playbooks/include/proxies-fedora-web.yml
@ -0,0 +1,37 @@
+- name: Set up all that fedora-web goodness.  What a wonder!
+  hosts: proxies-stg:proxy03.fedoraproject.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  roles:
+
+  - role: fedora-web/main
+    website: fedoraproject.org
+  - role: fedora-web/spins
+    website: spins.fedoraproject.org
+  - role: fedora-web/start
+    website: start.fedoraproject.org
+  - role: fedora-web/boot
+    website: boot.fedoraproject.org
+  - role: fedora-web/mirrors
+    website: mirrors.fedoraproject.org
+  - role: fedora-web/community
+    website: fedoracommunity.org
+  - role: fedora-web/fudcon
+    website: fudcon.fedoraproject.org
+  - role: fedora-web/magazine
+    website: fedoramagazine.org
+  - role: fedora-web/getfedora
+    website: getfedora.org
+
+  # Some other static content, not strictly part of "fedora-web" goes below here
+  - role: fedora-docs/proxy
+    website: docs.fedoraproject.org
--- a/playbooks/include/proxies-haproxy.yml
+++ b/playbooks/include/proxies-haproxy.yml
@ -0,0 +1,22 @@
+- name: Set up all the haproxy stuff.
+  hosts: proxies-stg:proxy03.fedoraproject.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  roles:
+
+  # The base haproxy role that sets it all up
+  - role: haproxy
+
+  # And an additional apache rewrite so we can access the web stats
+  - role: haproxy/rewrite
+    website: admin.fedoraproject.org
+    path: /haproxy
--- a/playbooks/include/proxies-miscellaneous.yml
+++ b/playbooks/include/proxies-miscellaneous.yml
@ -0,0 +1,52 @@
+- name: Set up all the other proxy stuff -- miscellaneous
+  hosts: proxies-stg:proxy03.fedoraproject.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  roles:
+
+  - role: httpd/mime-type
+    website: fedoraproject.org
+    mimetype: image/vnd.microsoft.icon
+    extensions:
+    - .ico
+
+  - role: fedmsg/crl
+    website: fedoraproject.org
+    path: /fedmsg
+
+  - role: fedmsg/gateway/slave
+    stunnel_service: "websockets"
+    stunnel_source_port: 9939
+    stunnel_destination_port: 9938
+
+  - role: httpd/fingerprints
+    website: admin.fedoraproject.org
+
+  - role: easyfix/proxy
+    website: fedoraproject.org
+    path: /easyfix
+
+  - role: review-stats/proxy
+    website: fedoraproject.org
+    path: /PackageReviewStatus
+
+  - role: membership-map/proxy
+    website: fedoraproject.org
+    path: /membership-map
+
+  - role: releng-dash
+    website: apps.fedoraproject.org
+    path: /releng-dash
+
+  - role: apps-fp-o
+    website: apps.fedoraproject.org
+    path: /
--- a/playbooks/include/proxies-redirects.yml
+++ b/playbooks/include/proxies-redirects.yml
@ -0,0 +1,320 @@
+- name: Set up those proxy redirects.  Wow!
+  hosts: proxies-stg:proxy03.fedoraproject.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  roles:
+
+  # An exceptional rewrite for bugz.fp.o
+  - role: packages/bugz.fp.o
+    website: bugz.fedoraproject.org
+
+
+  # Various app redirects
+  - role: httpd/redirect
+    name: community
+    website: admin.fedoraproject.org
+    path: /community
+    target: http://apps.fedoraproject.org/packages
+
+  - role: httpd/redirect
+    name: docs
+    website: fedoraproject.org
+    path: /docs
+    target: http://docs.fedoraproject.org/
+
+  - role: httpd/redirect
+    name: elections
+    website: admin.fedoraproject.org
+    path: /voting
+    target: https://apps.fedoraproject.org/voting
+
+  - role: httpd/redirect
+    name: people-fp-o
+    website: people.fedoraproject.org
+    target: https://fedorapeople.org
+
+  - role: httpd/redirect
+    name: fas
+    website: fas.fedoraproject.org
+    target: https://admin.fedoraproject.org/accounts/
+
+  - role: httpd/redirect
+    name: bodhi
+    website: bodhi.fedoraproject.org
+    target: https://admin.fedoraproject.org/updates/
+
+  - role: httpd/redirect
+    name: get-fedora
+    website: get.fedoraproject.org
+    target: http://fedoraproject.org/get-fedora
+    status: 302
+
+  - role: httpd/redirect
+    name: join-fedora
+    website: join.fedoraproject.org
+    target: http://fedoraproject.org/wiki/Join
+    status: 302
+
+  - role: httpd/redirect
+    name: get-help
+    website: help.fedoraproject.org
+    target: http://fedoraproject.org/get-help
+    status: 302
+
+  - role: httpd/redirect
+    name: l10n
+    website: l10n.fedoraproject.org
+    target: https://translate.fedoraproject.org/
+
+
+  # Redirect specific websites from fedoraproject.org to getfedora.org
+  - role: httpd/redirect
+    name: main-fedoraproject
+    website: fedoraproject.org
+    path: /index.html
+    target: https://getfedora.org/
+
+  - role: httpd/redirect
+    name: get-fedora-old
+    website: fedoraproject.org
+    path: /get-fedora
+    target: https://getfedora.org/
+
+  - role: httpd/redirect
+    name: verify
+    website: fedoraproject.org
+    path: /verify
+    target: https://getfedora.org/verify
+
+  - role: httpd/redirect
+    name: keys
+    website: fedoraproject.org
+    path: /keys
+    target: https://getfedora.org/keys
+
+  - role: httpd/redirect
+    name: release-banner
+    website: fedoraproject.org
+    path: /static/js/release-counter-ext.js
+    target: https://getfedora.org/static/js/release-counter-ext.js
+
+
+  # Fonts on the wiki
+  - role: httpd/redirect
+    name: fonts-wiki
+    website: fonts.fedoraproject.org
+    target: https://fedoraproject.org/wiki/Category:Fonts_SIG
+    status: 302
+
+
+  # Releng
+  - role: httpd/redirect
+    name: nightly
+    website: nightly.fedoraproject.org
+    target: https://alt.fedoraproject.org/pub/alt/nightly-composes/
+
+
+  # Send fp.com to fp.org
+  - role: httpd/redirect
+    name: site
+    website: fedoraproject.com
+    target: http://fedoraproject.org/
+
+
+  # Planet/people convenience
+  - role: httpd/redirect
+    name: infofeed
+    website: fedoraproject.org
+    path: /infofeed
+    target: http://planet.fedoraproject.org/infofeed
+
+  - role: httpd/redirect
+    name: people
+    website: fedoraproject.org
+    path: /people
+    target: http://planet.fedoraproject.org/
+
+  - role: httpd/redirect
+    name: fedorapeople
+    website: fedoraproject.org
+    path: /fedorapeople
+    target: http://planet.fedoraproject.org/
+
+
+  # QA
+  - role: httpd/redirect
+    name: qa
+    website: qa.fedoraproject.org
+    target: https://fedoraproject.org/wiki/QA
+
+
+  # Various community sites
+  - role: httpd/redirect
+    name: it-fedoracommunity-redirect
+    website: it.fedoracommunity.org
+    target: http://www.fedoraonline.it/
+    status: 302
+
+  - role: httpd/redirect
+    name: uk-fedoracommunity-redirect
+    website: uk.fedoracommunity.org
+    target: http://www.fedora-uk.org/
+    status: 302
+
+
+  # Spins
+  - role: httpd/redirect
+    name: kde
+    website: kde.fedoraproject.org
+    target: http://spins.fedoraproject.org/kde/
+    status: 302
+
+
+  # Various sites that we are friends with
+  - role: httpd/redirect
+    name: port389
+    website: port389.org
+    target: http://directory.fedoraproject.org/
+
+  - role: httpd/redirect
+    name: k12linux
+    website: k12linux.org
+    target: https://fedorahosted.org/k12linux/
+
+
+  # Cloudy bits
+  - role: httpd/redirect
+    name: cloud-front-page
+    website: cloud.fedoraproject.org
+    target: http://fedoraproject.org/en/get-fedora#clouds
+
+  - role: httpd/redirectmatch
+    name: redirect-cloudstart
+    website: redirect.fedoraproject.org
+    regex: /(console\.aws\.amazon\.com/ec2/v2/home.*)$
+    target: https://$1
+
+  ## Cloud image redirects
+  # Redirects/pointers for fedora 21 BASE cloud images
+  - role: httpd/redirect
+    name: cloud-base-64bit-21
+    website: cloud.fedoraproject.org
+    path: /fedora-21.x86_64.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.qcow2
+
+  - role: httpd/redirect
+    name: cloud-base-64bit-21-raw
+    website: cloud.fedoraproject.org
+    path: /fedora-21.x86_64.raw.xz
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
+
+  - role: httpd/redirect
+    name: cloud-base-32bit-21-raw
+    website: cloud.fedoraproject.org
+    path: /fedora-21.i386.raw.xz
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.raw.xz
+
+  - role: httpd/redirect
+    name: cloud-base-32bit-21
+    website: cloud.fedoraproject.org
+    path: /fedora-21.i386.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.qcow2
+
+  # Redirects/pointers for fedora 21 ATOMIC cloud images
+  - role: httpd/redirect
+    name: cloud-atomic-64bit-21
+    website: cloud.fedoraproject.org
+    path: /fedora-atomic-21.x86_64.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Atomic-20141203-21.x86_64.qcow2
+
+  - role: httpd/redirect
+    name: cloud-atomic-64bit-21-raw
+    website: cloud.fedoraproject.org
+    path: /fedora-atomic-21.x86_64.raw.xz
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Atomic-20141203-21.x86_64.raw.xz
+
+  # Except, there are no 32bit atomic images atm.
+  #- role: httpd/redirect
+  #  name: cloud-atomic-32bit-21-raw
+  #  website: cloud.fedoraproject.org
+  #  path: /fedora-atomic-21.i386.raw.xz
+  #  target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Atomic-20141203-21.i386.raw.xz
+
+  #- role: httpd/redirect
+  #  name: cloud-atomic-32bit-21
+  #  website: cloud.fedoraproject.org
+  #  path: /fedora-atomic-21.i386.qcow2
+  #  target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Atomic-20141203-21.i386.qcow2
+
+  # Redirects/pointers for fedora 20 cloud images
+  - role: httpd/redirect
+    name: cloud-64bit-20
+    website: cloud.fedoraproject.org
+    path: /fedora-20.x86_64.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/updates/20/Images/x86_64/Fedora-x86_64-20-20140407-sda.qcow2
+
+  - role: httpd/redirect
+    name: cloud-32bit-20
+    website: cloud.fedoraproject.org
+    path: /fedora-20.i386.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/updates/20/Images/i386/Fedora-i386-20-20140407-sda.qcow2
+
+  - role: httpd/redirect
+    name: cloud-64bit-20-raw
+    website: cloud.fedoraproject.org
+    path: /fedora-20.x86_64.raw.xz
+    target: http://download.fedoraproject.org/pub/fedora/linux/updates/20/Images/x86_64/Fedora-x86_64-20-20140407-sda.raw.xz
+
+  - role: httpd/redirect
+    name: cloud-32bit-20-raw
+    website: cloud.fedoraproject.org
+    path: /fedora-20.i386.raw.xz
+    target: http://download.fedoraproject.org/pub/fedora/linux/updates/20/Images/i386/Fedora-i386-20-20140407-sda.raw.xz
+
+  # Redirects/pointers for fedora 19 cloud images
+  - role: httpd/redirect
+    name: cloud-64bit-19
+    website: cloud.fedoraproject.org
+    path: /fedora-19.x86_64.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/updates/19/Images/x86_64/Fedora-x86_64-19-20140407-sda.qcow2
+
+  - role: httpd/redirect
+    name: cloud-32bit-19
+    website: cloud.fedoraproject.org
+    path: /fedora-19.i386.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/updates/19/Images/i386/Fedora-i386-19-20140407-sda.qcow2
+
+  # Redirects/pointers for latest fedora cloud images.
+  - role: httpd/redirect
+    name: cloud-64bit-latest
+    website: cloud.fedoraproject.org
+    path: /fedora-latest.x86_64.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.qcow2
+
+  - role: httpd/redirect
+    name: cloud-32bit-latest
+    website: cloud.fedoraproject.org
+    path: /fedora-latest.i386.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.qcow2
+
+  - role: httpd/redirect
+    name: cloud-atomic-64bit-latest
+    website: cloud.fedoraproject.org
+    path: /fedora-atomic-latest.x86_64.qcow2
+    target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Atomic-20141203-21.x86_64.qcow2
+
+  # At this time, we are not producing 32bit atomic images.
+  #- role: httpd/redirect
+  #  name: cloud-atomic-32bit-latest
+  #  website: cloud.fedoraproject.org
+  #  path: /fedora-atomic-latest.i386.qcow2
+  #  target: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Atomic-20141203-21.i386.qcow2
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@ -0,0 +1,357 @@
+- name: Set up those ProxyPassReverse statements.  Somebody get me a cup of coffee..
+  hosts: proxies-stg:proxy03.fedoraproject.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  vars:
+  - varnish_url: http://localhost:6081
+
+  roles:
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: nagios
+    localpath: /nagios
+    remotepath: /nagios
+    proxyurl: http://noc01
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: nagios-external
+    localpath: /nagios-external
+    remotepath: /nagios-external
+    proxyurl: http://noc02
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: mailman
+    localpath: /mailman
+    remotepath: /mailman
+    proxyurl: http://collab03.fedoraproject.org
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: mailman-icons
+    localpath: /icons
+    remotepath: /icons
+    proxyurl: http://collab03.fedoraproject.org
+
+  - role: httpd/reverseproxy
+    website: lists.fedoraproject.org
+    proxyurl: http://localhost:10033
+    destname: mailman3
+    when: env == "staging"
+
+  - role: httpd/reverseproxy
+    website: meetbot.fedoraproject.org
+    destname: meetbot
+    remotepath: /meetbot/
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://value01
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: gallery
+    localpath: /gallery
+    proxyurl: http://localhost:10034
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: nuancier
+    localpath: /nuancier
+    remotepath: /nuancier
+    header_scheme: true
+    proxyurl: http://localhost:10035
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: github2fedmsg
+    localpath: /github2fedmsg
+    remotepath: /github2fedmsg
+    header_scheme: true
+    proxyurl: http://localhost:10037
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: fedora-notifications
+    localpath: /notifications
+    remotepath: /notifications
+    header_scheme: true
+    proxyurl: http://localhost:10036
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: packages
+    localpath: /packages
+    remotepath: /packages
+    proxyurl: http://localhost:10016
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: tagger
+    localpath: /tagger
+    remotepath: /tagger
+    rewrite: true
+    proxyurl: http://localhost:10017
+
+  - role: httpd/reverseproxy
+    website: ask.fedoraproject.org
+    destname: askbot
+    proxyurl: "{{ varnish_url }}"
+
+  - role: httpd/reverseproxy
+    website: darkserver.fedoraproject.org
+    destname: darkserver
+    remotepath: /darkserver/
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://darkserver01
+
+  - role: httpd/reverseproxy
+    website: paste.fedoraproject.org
+    destname: sticky-notes
+    proxyurl: "{{ varnish_url }}"
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: totpcgiprovision
+    localpath: /totpcgiprovision
+    proxyurl: http://localhost:10019
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: fas
+    remotepath: /accounts
+    localpath: /accounts
+    proxyurl: http://localhost:10004
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: elections
+    remotepath: /voting
+    localpath: /voting
+    proxyurl: http://localhost:10007
+
+  - role: httpd/reverseproxy
+    website: fedoraproject.org
+    destname: fedora-mobile
+    remotepath: /mobile
+    localpath: /mobile
+    proxyurl: http://fedora-infra.github.io
+
+  # Fedoauth is odd here -- it has an entry for both stg and prod.
+  - role: httpd/reverseproxy
+    website: id.stg.fedoraproject.org
+    destname: id
+    proxyurl: http://localhost:10020
+    when: env == "staging"
+
+  - role: httpd/reverseproxy
+    website: id.fedoraproject.org
+    destname: id
+    proxyurl: http://localhost:10020
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: datagrepper
+    remotepath: /datagrepper
+    localpath: /datagrepper
+    rewrite: true
+    proxyurl: http://localhost:10028
+
+  - role: httpd/reverseproxy
+    website: badges.fedoraproject.org
+    destname: badges
+    proxyurl: http://localhost:10032
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: fedocal
+    remotepath: /calendar
+    localpath: /calendar
+    header_scheme: true
+    proxyurl: "{{ varnish_url }}"
+
+  - role: httpd/reverseproxy
+    website: apps.fedoraproject.org
+    destname: kerneltest
+    remotepath: /kerneltest
+    localpath: /kerneltest
+    header_scheme: true
+    proxyurl: "{{ varnish_url }}"
+
+  - role: httpd/reverseproxy
+    website: qa.fedoraproject.org
+    destname: blockerbugs
+    remotepath: /blockerbugs
+    localpath: /blockerbugs
+    proxyurl: "{{ varnish_url }}"
+
+  - role: httpd/reverseproxy
+    website: fedoraproject.org
+    destname: fp-wiki
+    wpath: /w
+    wikipath: /wiki
+    proxyurl: "{{ varnish_url }}"
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: pkgdb
+    remotepath: /pkgdb
+    localpath: /pkgdb
+    proxyurl: "{{ varnish_url }}"
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: bodhi
+    remotepath: /updates
+    localpath: /updates
+    proxyurl: http://localhost:10009
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: mirrormanager
+    remotepath: /mirrormanager
+    localpath: /mirrormanager
+    proxyurl: http://localhost:10008
+
+  - role: httpd/reverseproxy
+    website: mirrors.fedoraproject.org
+    destname: mirrormanager-mirrorlist
+    proxyurl: http://localhost:10002
+
+  - role: httpd/reverseproxy
+    website: download.fedoraproject.org
+    destname: mirrormanager-redirector
+    proxyurl: http://localhost:10002
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: mirrormanager2
+    localpath: /mirrormanager2
+    remotepath: /mirrormanager2
+    proxyurl: http://localhost:10039
+    when: env == "staging"
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: yk-val
+    remotepath: /yk-val/verify
+    localpath: /yk-val/verify
+    proxyurl: http://localhost:10004
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: pager
+    remotepath: /pager
+    localpath: /pager
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://sundries01
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: awstats
+    remotepath: /awstats
+    localpath: /awstats
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://log01
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: epylog
+    remotepath: /epylog
+    localpath: /epylog
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://log01
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: maps
+    remotepath: /maps
+    localpath: /maps
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://log01
+
+  - role: httpd/reverseproxy
+    website: fedoraproject.org
+    destname: freemedia
+    remotepath: /freemedia
+    localpath: /freemedia
+    proxyurl: http://localhost:10011
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: docs-backend
+    localpath: /docs-backend
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://docs-backend01
+
+  - role: httpd/reverseproxy
+    website: admin.fedoraproject.org
+    destname: collectd
+    localpath: /collectd
+    remotepath: /collectd
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://log01
+
+  ### Three entries for taskotron for production
+  - role: httpd/reverseproxy
+    website: taskotron.fedoraproject.org
+    destname: taskotron
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://taskotron01.vpn.fedoraproject.org
+
+  - role: httpd/reverseproxy
+    website: taskotron.fedoraproject.org
+    destname: taskotron-resultsdb
+    localpath: /resultsdb
+    remotepath: /resultsdb
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://resultsdb01.vpn.fedoraproject.org
+
+  - role: httpd/reverseproxy
+    website: taskotron.fedoraproject.org
+    destname: taskotron-resultsdbapi
+    localpath: /resultsdb_api
+    remotepath: /resultsdb_api
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://resultsdb01.vpn.fedoraproject.org
+
+  ### And three entries for taskotron for staging
+  - role: httpd/reverseproxy
+    website: taskotron.stg.fedoraproject.org
+    destname: taskotron
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://taskotron-stg01.qa.fedoraproject.org
+    when: env == "staging"
+
+  - role: httpd/reverseproxy
+    website: taskotron.stg.fedoraproject.org
+    destname: taskotron-resultsdb
+    localpath: /resultsdb
+    remotepath: /resultsdb
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://resultsdb-stg01.qa.fedoraproject.org
+    when: env == "staging"
+
+  - role: httpd/reverseproxy
+    website: taskotron.stg.fedoraproject.org
+    destname: taskotron-resultsdbapi
+    localpath: /resultsdb_api
+    remotepath: /resultsdb_api
+    # Talk directly to the app server, not haproxy
+    proxyurl: http://resultsdb-stg01.qa.fedoraproject.org
+    when: env == "staging"
+
+  # This one gets its own role (instead of httpd/reverseproxy) so that it can
+  # copy in some silly static resources (globe.png, index.html)
+  - role: geoip-city-wsgi/proxy
+    website: geoip.fedoraproject.org
+    proxyurl: http://localhost:10029
--- a/playbooks/include/proxies-rewrites.yml
+++ b/playbooks/include/proxies-rewrites.yml
@ -0,0 +1,58 @@
+- name: Set up some domain rewrites.
+  hosts: proxies-stg:proxy03.fedoraproject.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  roles:
+
+  - role: httpd/domainrewrite
+    destname: admin
+    website: admin.fedoraproject.org
+    target: https://apps.fedoraproject.org/
+
+  - role: httpd/domainrewrite
+    destname: apache-status
+    website: admin.fedoraproject.org
+    path: /status
+
+  - role: httpd/domainrewrite
+    destname: 00-admin
+    website: admin.fedoraproject.org
+    path: ^/favicon.ico$
+    status: 301
+    target: http://fedoraproject.org/static/images/favicon.ico
+
+  - role: httpd/domainrewrite
+    destname: 00-docs
+    website: docs.fedoraproject.org
+    path: ^/favicon.ico$
+    status: 301
+    target: http://fedoraproject.org/static/images/favicon.ico
+
+  - role: httpd/domainrewrite
+    destname: 00-start
+    website: start.fedoraproject.org
+    path: ^/favicon.ico$
+    status: 301
+    target: http://fedoraproject.org/static/images/favicon.ico
+
+  - role: httpd/domainrewrite
+    destname: translate
+    website: translate.fedoraproject.org
+    # TODO - At some point, this will switch to fedora.zanata.org
+    target: https://fedora.transifex.net/
+
+  - role: httpd/domainrewrite
+    destname: 00-translate-icon
+    website: translate.fedoraproject.org
+    path: ^/favicon.ico$
+    status: 301
+    target: http://fedoraproject.org/static/images/favicon.ico
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@ -0,0 +1,455 @@
+- name: Set up those proxy websites.  My, my..
+  hosts: proxies-stg:proxy03.fedoraproject.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  vars:
+  - fpo_ips:
+    # Staging
+    - "10.5.126.88"
+
+    # Production
+    - "85.236.55.5"
+    - "[2001:4178:2:1269::fed1]"
+    - "66.35.62.162"
+    - "80.239.156.214"
+    - "152.19.134.142"
+    - "[2610:28:3090:3001:dead:beef:cafe:fed3]"
+    - "140.211.169.196"
+    - "213.175.193.205"
+    - "[2001:2030:0:2::2]"
+    - "10.5.126.52"
+    - "85.236.55.6"
+    - "[2001:4178:2:1269::fed2]"
+    - "80.239.156.215"
+    - "152.19.134.146"
+    - "[2610:28:3090:3001:dead:beef:cafe:fed4]"
+    - "140.211.169.197"
+    - "213.175.193.206"
+    - "[2001:2030:0:2::3]"
+    - "67.203.2.67"
+    - "[2607:f188::dead:beef:cafe:fed1]"
+    - "192.168.122.2"
+
+  - wildcard_fpo_ips:
+    # Staging
+    - "10.5.126.88"
+
+    # Production
+    - "10.5.126.52"
+    - "85.236.55.6"
+    - "[2001:4178:2:1269::fed2]"
+    - "66.35.62.162"
+    - "80.239.156.215"
+    - "152.19.134.146"
+    - "[2610:28:3090:3001:dead:beef:cafe:fed4]"
+    - "140.211.169.197"
+    - "213.175.193.206"
+    - "[2001:2030:0:2::3]"
+    - "67.203.2.67"
+    - "[2607:f188::dead:beef:cafe:fed1]"
+    - "192.168.122.2"
+
+
+  pre_tasks:
+  - name: Create /srv/web/ for all the goodies.
+    file: >
+        dest=/srv/web state=directory
+        owner=root group=root mode=0755
+    tags:
+    - httpd
+    - httpd/website
+  - name: ..and apply the httpd_sys_content_t type recursively to it.
+    file: >
+        dest=/srv/web state=directory
+        setype=httpd_sys_content_t recurse=True
+    tags:
+    - httpd
+    - httpd/website
+
+  roles:
+
+  - role: httpd/website
+    name: fedoraproject.org
+    ips: "{{fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+    server_aliases: [stg.fedoraproject.org]
+
+  # This is for all the other domains we own
+  # that redirect to http://fedoraproject.org
+  - role: httpd/website
+    name: fedoraproject.com
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+    server_aliases:
+    - fedora.redhat.com
+    - fedora.com.my
+    - fedora.my
+    - fedora.pe
+    - fedora.pt
+    - fedora.us
+    - fedoralinux.com
+    - fedoralinux.net
+    - fedoralinux.net
+    - fedoralinux.org
+    - fedoraproject.org.uk
+    - fedoraproject.com
+    - fedoraproject.com.my
+    - fedoraproject.net
+    - projectofedora.org
+    - www.fedora.pe
+    - www.fedora.pt
+    - www.fedora.redhat.com
+    - www.fedora.us
+    - www.fedoralinux.com
+    - www.fedoralinux.net
+    - www.fedoralinux.org
+    - www.fedoraproject.com
+    - www.fedoraproject.com
+    - www.fedoraproject.net
+    - www.fedoraproject.org
+    - www.fedoraproject.org.uk
+    - www.projectofedora.org
+
+  - role: httpd/website
+    name: admin.fedoraproject.org
+    server_aliases: [admin.stg.fedoraproject.org]
+    sslonly: true
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: cloud.fedoraproject.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: mirrors.fedoraproject.org
+    server_aliases: [mirrors.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: download.fedoraproject.org
+    server_aliases:
+    - download01.fedoraproject.org
+    - download02.fedoraproject.org
+    - download03.fedoraproject.org
+    - download04.fedoraproject.org
+    - download05.fedoraproject.org
+    - download06.fedoraproject.org
+    - download07.fedoraproject.org
+    - download08.fedoraproject.org
+    - download09.fedoraproject.org
+    - download10.fedoraproject.org
+    - download.stg.fedoraproject.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: translate.fedoraproject.org
+    server_aliases: [translate.stg.fedoraproject.org]
+    sslonly: true
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: spins.fedoraproject.org
+    server_aliases:
+    - spins.stg.fedoraproject.org
+    - spins-test.fedoraproject.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: boot.fedoraproject.org
+    server_aliases: [boot.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: boot.fedoraproject.org
+    server_aliases: [boot.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: smolts.org
+    ssl: false
+    server_aliases:
+    - smolt.fedoraproject.org
+    - stg.smolts.org
+    - www.smolts.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: docs.fedoraproject.org
+    server_aliases:
+    - doc.fedoraproject.org
+    - docs.stg.fedoraproject.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: bodhi.fedoraproject.org
+    server_aliases: [bodhi.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: bugz.fedoraproject.org
+    server_aliases: [bugz.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: fas.fedoraproject.org
+    server_aliases:
+    - fas.stg.fedoraproject.org
+    - accounts.fedoraproject.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: fas.fedoraproject.org
+    server_aliases:
+    - fas.stg.fedoraproject.org
+    - accounts.fedoraproject.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: fedoracommunity.org
+    server_aliases:
+    - www.fedoracommunity.org
+    - stg.fedoracommunity.org
+    ssl: false
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: get.fedoraproject.org
+    server_aliases: [get.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: help.fedoraproject.org
+    server_aliases: [help.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: it.fedoracommunity.org
+    server_aliases: [it.fedoracommunity.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: uk.fedoracommunity.org
+    server_aliases:
+    - uk.fedoracommunity.org
+    - www.uk.fedoracommunity.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: people.fedoraproject.org
+    server_aliases: [people.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: join.fedoraproject.org
+    server_aliases: [join.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: l10n.fedoraproject.org
+    server_aliases: [l10n.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: start.fedoraproject.org
+    server_aliases: [start.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: kde.fedoraproject.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: nightly.fedoraproject.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: port389.org
+    server_aliases:
+    - www.port389.org
+    - 389tcp.org
+    - www.389tcp.org
+    ssl: false
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+    
+  - role: httpd/website
+    name: fedoramagazine.org
+    server_aliases: [www.fedoramagazine.org]
+    cert_name: fedoramagazine.org
+    SSLCertificateChainFile: fedoramagazine.org.intermediate.cert
+    ips: "{{wildcard_fpo_ips}}"
+
+  - role: httpd/website
+    name: k12linux.org
+    server_aliases:
+    - www.k12linux.org
+    ssl: false
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: fonts.fedoraproject.org
+    server_aliases: [fonts.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: meetbot.fedoraproject.org
+    server_aliases: [meetbot.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: fudcon.fedoraproject.org
+    server_aliases: [fudcon.stg.fedoraproject.org]
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: ask.fedoraproject.org
+    server_aliases: [ask.stg.fedoraproject.org]
+    sslonly: true
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: badges.fedoraproject.org
+    server_aliases: [badges.stg.fedoraproject.org]
+    sslonly: true
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: darkserver.fedoraproject.org
+    server_aliases: [darkserver.stg.fedoraproject.org]
+    sslonly: true
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: paste.fedoraproject.org
+    server_aliases:
+    - paste.stg.fedoraproject.org
+    - fpaste.org
+    - www.fpaste.org
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: apps.fedoraproject.org
+    server_aliases: [apps.stg.fedoraproject.org]
+    sslonly: true
+    gzip: true
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  # Kinda silly that we have two entries here, one for prod and one for stg.
+  # This is inherited from our puppet setup -- we can collapse them as soon as
+  # is convenient.  -- threebean
+  - role: httpd/website
+    name: taskotron.fedoraproject.org
+    server_aliases: [taskotron.fedoraproject.org]
+    sslonly: true
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: taskotron.stg.fedoraproject.org
+    server_aliases: [taskotron.stg.fedoraproject.org]
+    # Set this explicitly to stg here.. as per the original puppet config.
+    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
+    sslonly: true
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+    when: env == "staging"
+
+  - role: httpd/website
+    name: lists.fedoraproject.org
+    server_aliases: [lists.stg.fedoraproject.org]
+    sslonly: true
+    # Set this explicitly to stg here.. as per the original puppet config.
+    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+    when: env == "staging"
+
+  - role: httpd/website
+    name: id.fedoraproject.org
+    server_aliases:
+    - "*.id.fedoraproject.org"
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+    SSLCertificateChainFile: wildcard-2014.id.fedoraproject.org.intermediate.cert
+
+  - role: httpd/website
+    name: id.stg.fedoraproject.org
+    server_aliases:
+    - "*.id.stg.fedoraproject.org"
+    ips: "{{wildcard_fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
+    when: env == "staging"
+
+  - role: httpd/website
+    name: getfedora.org
+    server_aliases: [stg.getfedora.org]
+    sslonly: true
+    ips: "{{fpo_ips}}"
+    cert_name: getfedora.org
+    SSLCertificateChainFile: getfedora.org.intermediate.cert
+
+  - role: httpd/website
+    name: qa.fedoraproject.org
+    ips: "{{fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+    server_aliases: [qa.stg.fedoraproject.org]
+    sslonly: true
+
+  - role: httpd/website
+    name: redirect.fedoraproject.org
+    server_aliases: [redirect.stg.fedoraproject.org]
+    sslonly: true
+    gzip: true
+    ips: "{{fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"
+
+  - role: httpd/website
+    name: geoip.fedoraproject.org
+    server_aliases: [geoip.stg.fedoraproject.org]
+    sslonly: true
+    ips: "{{fpo_ips}}"
+    cert_name: "{{wildcard_cert_name}}"