Initial stab at a kojipkgs role and kojipkgs01 instance to replace 02

inventory/group_vars/kojipkgs

@@ -0,0 +1,43 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 150000
+mem_size: 65536
+num_cpus: 8
+
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+ ]
+
+tcp_ports: [80, 443, 8080]
+
+fas_client_groups: sysadmin-build,sysadmin-noc
+
+# For the MOTD
+csi_security_category: Medium
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Cache packages from koji for builders and others
+csi_relationship: |
+    There are a few things running here:
+
+    - apache web server and squid caching proxy. 
+
+    - This host relies on:
+      - koji nfs storage
+      - koji itself
+
+    - Things that rely on this host:
+      - all koji builders/buildsystem
+      - external users downloading packages from koji. 
+
+# Need a eth0/eth1 install here. 
+virt_install_command: virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
+                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x
+                 "ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
+                  hostname={{ inventory_hostname }} nameserver={{ dns }}
+                  ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
+                  ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none"
+                 --network=bridge=br0,model=virtio --network=bridge=br1,model=virtio
+                 --autostart --noautoconsole

inventory/host_vars/kojipkgs01.phx2.fedoraproject.org

@@ -0,0 +1,15 @@
+---
+nm: 255.255.255.0
+gw: 10.5.125.254
+dns: 10.5.126.21
+
+volgroup: /dev/vg_guests
+
+eth0_ip: 10.5.125.35
+eth1_ip: 10.5.127.50
+
+vmhost: bvirthost11.phx2.fedoraproject.org
+datacenter: phx2
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/

inventory/inventory

@@ -287,6 +287,9 @@ kojipkgs02.phx2.fedoraproject.org
 [koji-stg]
 koji01.stg.phx2.fedoraproject.org
 
+[kojipkgs]
+kojipkgs01.phx2.fedoraproject.org
+
 [infracore]
 lockbox01.phx2.fedoraproject.org
 log01.phx2.fedoraproject.org

playbooks/groups/kojipkgs.yml

@@ -0,0 +1,49 @@
+- name: make the servers
+  hosts: kojipkgs
+  user: root
+  gather_facts: False
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+  - include: "{{ tasks }}/virt_instance_create.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the boxen be real for real
+  hosts: kojipkgs
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - nagios_client
+  - hosts
+  - fas_client
+  - sudo
+  - collectd/base
+  - kojipkgs
+  - role: nfs/client
+    mnt_dir: '/mnt/fedora_app/app'
+    nfs_src_dir: 'fedora_app/app'
+  - role: nfs/client
+    mnt_dir: '/mnt/fedora_koji'
+    nfs_src_dir: 'fedora_koji'
+
+  tasks:
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/2fa_client.yml"
+  - include: "{{ tasks }}/motd.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"

roles/kojipkgs/files/cachemgr.conf

@@ -0,0 +1,13 @@
+# This file controls which servers may be managed by
+# the cachemgr.cgi script
+#
+# The file consists of one server per line on the format
+#   hostname:port  description
+#
+# Specifying :port is optional. If not specified then
+# the default proxy port is assumed. :* or :any matches
+# any port on the target server.
+#
+# hostname is matched using shell filename matching, allowing
+# * and other shell wildcards.
+localhost:80

roles/kojipkgs/files/infrastructure.conf

@@ -0,0 +1,9 @@
+RewriteEngine on
+
+Alias /repo /mnt/fedora/app/fi-repo
+<Directory /mnt/fedora/app/fi-repo>
+  Options Indexes FollowSymLinks
+  AllowOverride None
+  Order deny,allow
+  Allow from All
+</Directory>

roles/kojipkgs/files/kojipkgs.conf

@@ -0,0 +1,53 @@
+CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/kojipkgs02.fedoraproject.org-access.log.%Y-%m-%d 86400" combined
+ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/kojipkgs02.fedoraproject.org-error.log.%Y-%m-%d 86400"
+
+Alias /packages /mnt/fedora_koji/koji/packages
+Alias /toplink/packages /mnt/fedora_koji/koji/packages
+
+<Directory /mnt/fedora_koji/koji/packages>
+    Options Indexes FollowSymLinks
+    FileETag None
+</Directory>
+
+Alias /repos /mnt/fedora_koji/koji/repos
+
+<Directory /mnt/fedora_koji/koji/repos>
+    Options Indexes FollowSymLinks
+    FileETag None
+</Directory>
+
+Alias /scratch /mnt/fedora_koji/koji/scratch
+
+<Directory /mnt/fedora_koji/koji/scratch>
+    Options Indexes FollowSymLinks
+    FileETag None
+</Directory>
+
+Alias /work /mnt/fedora_koji/koji/work
+
+<Directory /mnt/fedora_koji/koji/work>
+    Options Indexes FollowSymLinks
+    FileETag None
+</Directory>
+
+Alias /mash /mnt/fedora_koji/koji/mash
+
+<Directory /mnt/fedora_koji/koji/mash>
+    Options Indexes FollowSymLinks
+    FileETag None
+</Directory>
+
+Alias /images /mnt/fedora_koji/koji/images
+
+<Directory /mnt/fedora_koji/koji/images>
+    Options Indexes FollowSymLinks
+    FileETag None
+</Directory>
+
+Alias /rhel /mnt/fedora_koji/rhel
+
+<Directory /mnt/fedora_koji/rhel>
+    Options Indexes FollowSymLinks
+    FileETag None
+</Directory>
+

roles/kojipkgs/files/squid-apache.conf

@@ -0,0 +1,14 @@
+
+#
+# This is /etc/httpd/conf.d/squid.conf
+#
+
+ScriptAlias /Squid/cgi-bin/cachemgr.cgi /usr/lib64/squid/cachemgr.cgi
+
+# Only allow access from localhost by default
+<Location /Squid/cgi-bin/cachemgr.cgi>
+ order allow,deny
+ allow from all
+ # Add additional allowed hosts as needed
+ # allow from .example.com
+</Location>

roles/kojipkgs/files/squid.conf

@@ -0,0 +1,68 @@
+http_port 80 defaultsite=kojipkgs.fedoraproject.org
+https_port 443 defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2014.squid.cert key=/etc/pki/tls/private/wildcard-2014.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3
+
+cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs
+hierarchy_stoplist cgi-bin ?
+acl apache rep_header Server ^Apache
+
+cache_swap_low 98
+cache_swap_high 99
+maximum_object_size 204800 KB
+minimum_object_size 0 KB
+cache_replacement_policy heap LFUDA
+
+cache_dir ufs /var/spool/squid 81920 16 256
+
+logformat squid  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
+logformat squidmime  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
+logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
+logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+
+access_log /var/log/squid/access.log squid
+cache_log /var/log/squid/cache.log
+cache_store_log /var/log/squid/store.log
+
+refresh_pattern .		1440	100%	10080
+
+acl all src all
+acl phx2 src 10.5.125.0/24 10.5.127.0/24
+acl repo_url url_regex ^http://kojipkgs.fedoraproject.org/repo/
+http_access allow phx2 repo_url
+http_access deny repo_url
+acl manager proto cache_object
+acl localhost src 127.0.0.1/255.255.255.255
+acl to_localhost dst 127.0.0.0/8
+acl SSL_ports port 443
+acl Safe_ports port 80		# http
+acl Safe_ports port 21		# ftp
+acl Safe_ports port 443		# https
+acl Safe_ports port 70		# gopher
+acl Safe_ports port 210		# wais
+acl Safe_ports port 1025-65535	# unregistered ports
+acl Safe_ports port 280		# http-mgmt
+acl Safe_ports port 488		# gss-http
+acl Safe_ports port 591		# filemaker
+acl Safe_ports port 777		# multiling http
+acl CONNECT method CONNECT
+http_access allow manager localhost
+http_access deny manager
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+acl our_sites dstdomain kojipkgs.fedoraproject.org
+http_access allow our_sites
+http_access allow localhost
+http_access deny all
+http_reply_access allow all
+icp_access allow all
+
+cache_peer_access kojipkgs allow our_sites
+cache_peer_access kojipkgs deny all
+
+acl kojipkgs urlpath_regex -i \.(rpm|log|sig)$
+acl mash urlpath_regex -i ^/mash/
+cache deny mash
+cache allow kojipkgs
+cache deny all
+
+coredump_dir /var/spool/squid
+

roles/kojipkgs/tasks/main.yml

@@ -0,0 +1,47 @@
+
+- name: install squid server packages
+  yum: name={{ item }} state=present
+  with_items:
+  - squid
+  - httpd
+  - mod_ssl
+  tags:
+  - packages
+  - squid
+
+- name: make nfs mount directories
+  file: state=directory path={{ item }} owner=root group=root mode=755
+  with_items:
+  - /mnt/fedora_koji
+  - /mnt/fedora_app
+  - /mnt/fedora_app/app
+  tags:
+  - squid
+
+- name: set seboolean for squid server
+  seboolean: name=httpd_can_network_connect state=true persistent=true
+  tags:
+  - squid
+
+- name: install squid config files
+  copy: src={{ item }} dest=/etc/squid/{{ item }} owner=root group=root mode=644
+  with_items:
+  - squid.conf
+  - cachemgr.conf
+  notify:
+  - restart squid
+
+- name: install apache config files for squid
+  copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root mode=644
+  with_items:
+  - squid-apache.conf
+  - kojipkgs.conf
+  - infrastructure.conf
+  notify:
+  - restart httpd
+
+- name: set squid to start on boot
+  service: name=squid enabled=true state=running
+  tags:
+  - services
+  - squid