Add maintainer_test and copr vmhosts to vpn

We need to add these hosts to the vpn to use ipa for auth on them.
They are in the 192.168.100 network, which is the 'more restricted'
subnet of vpn. After the freeze we will probibly want to lock this down
more with a rule on all hosts except ipa* to reject everything from
them. In the mean time the firewall rules blocking most things should be
ok for now.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

inventory/group_vars/copr_hypervisor

@@ -1,6 +1,7 @@
 ---
 virthost: true
 
+vpn: true
 primary_auth_source: ipa
 ipa_host_group: vmhost-copr
 ipa_host_group_desc: VM hosts for COPR
@@ -9,15 +10,10 @@ ipa_client_shell_groups:
 ipa_client_sudo_groups:
 - sysadmin-copr
 
-
 nrpe_procs_warn: 1400
 nrpe_procs_crit: 1500
 
-# These variables are pushed into /etc/system_identification by the base role.
-# Groups and individual hosts should override them with specific info.
-# See http://infrastructure.fedoraproject.org/csi/security-policy/
-
-vpn: false
+vpn: true
 postfix_group: copr
 postfix_maincf: "postfix/main.cf/main.cf.copr"
 

inventory/group_vars/maintainer_test

@@ -5,3 +5,12 @@ sudoers_main: nopasswd
 host_group: cloud
 datacenter: aws
 ansible_ifcfg_blocklist: true 
+
+vpn: true
+primary_auth_source: ipa
+ipa_host_group: maintainer_test
+ipa_host_group_desc: Test hosts for package maintainers
+ipa_client_shell_groups:
+- packager
+ipa_client_sudo_groups:
+- packager

inventory/inventory

@@ -115,12 +115,6 @@ virthost-cc-rdu03.fedoraproject.org
 vmhost-x86-cc06.rdu-cc.fedoraproject.org
 vmhost-x86-cc05.rdu-cc.fedoraproject.org
 
-[vmhost_copr]
-vmhost-x86-copr01.rdu-cc.fedoraproject.org
-vmhost-x86-copr02.rdu-cc.fedoraproject.org
-vmhost-x86-copr03.rdu-cc.fedoraproject.org
-vmhost-x86-copr04.rdu-cc.fedoraproject.org
-
 [datagrepper]
 datagrepper01.iad2.fedoraproject.org
 datagrepper02.iad2.fedoraproject.org
@@ -1000,6 +994,9 @@ copr_dev_aws
 
 [copr_hypervisor]
 vmhost-x86-copr01.rdu-cc.fedoraproject.org
+vmhost-x86-copr02.rdu-cc.fedoraproject.org
+vmhost-x86-copr03.rdu-cc.fedoraproject.org
+vmhost-x86-copr04.rdu-cc.fedoraproject.org
 
 [copr_db_all:children]
 copr_db_stg

playbooks/groups/copr-hypervisor.yml

@@ -14,10 +14,10 @@
   tasks:
     - import_role: name=base
     - import_role: name=hosts
-    - import_role: name=fas_client
     - import_role: name=rkhunter
     - import_role: name=nagios_client
     - import_role: name=openvpn/client
+    - import_role: name=ipa/client
     - import_role: name=sudo
 
     - import_tasks: "{{ tasks_path }}/2fa_client.yml"

playbooks/groups/maintainer-test.yml

@@ -70,7 +70,8 @@
   - base
   - rkhunter
   - hosts
-  - fas_client
+  - openvpn/client
+  - ipa/client
   - sudo
 
   tasks:

playbooks/groups/vmhost_copr.yml

@@ -1,38 +0,0 @@
-# create a new virthost server system
-# This is a copy of the main one which is meant to be limited ONLY to vmhost_copr group for rbac
-# NOTE: should be used with --limit most of the time
-# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
-
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=vmhost_copr:!buildvmhost-s390x-01.s390.fedoraproject.org"
-
-- name: make virthost server system
-  hosts: vmhost_copr
-  user: root
-  gather_facts: True
-
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  pre_tasks:
-  - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
-  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
-
-  roles:
-  - base
-  - rkhunter
-  - nagios_client
-  - hosts
-  - { role: openvpn/client, when: vpn|bool }
-  - virthost
-  - ipa/client
-  - collectd/base
-  - sudo
-
-  tasks:
-  - import_tasks: "{{ tasks_path }}/motd.yml"
-  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
-
-  handlers:
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"

roles/openvpn/server/files/ccd/aarch64-test01.fedorainfracloud.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.21 192.168.100.21

roles/openvpn/server/files/ccd/el7-test.fedorainfracloud.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.18 192.168.100.18

roles/openvpn/server/files/ccd/el8-test.fedorainfracloud.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.19 192.168.100.19

roles/openvpn/server/files/ccd/f32-test.fedorainfracloud.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.14 192.168.100.14

roles/openvpn/server/files/ccd/f33-test.fedorainfracloud.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.15 192.168.100.15

roles/openvpn/server/files/ccd/f34-test.fedorainfracloud.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.16 192.168.100.16

roles/openvpn/server/files/ccd/ppc64le-test.fedorainfracloud.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.20 192.168.100.20

roles/openvpn/server/files/ccd/rawhide-test.fedorainfracloud.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.17 192.168.100.17

roles/openvpn/server/files/ccd/vmhost-x86-copr01.rdu-cc.fedoraproject.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.22 192.168.100.22

roles/openvpn/server/files/ccd/vmhost-x86-copr02.rdu-cc.fedoraproject.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.23 192.168.100.23

roles/openvpn/server/files/ccd/vmhost-x86-copr03.rdu-cc.fedoraproject.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.24 192.168.100.24

roles/openvpn/server/files/ccd/vmhost-x86-copr04.rdu-cc.fedoraproject.org

@@ -0,0 +1,2 @@
+# ifconfig-push actualIP PtPIP
+ifconfig-push 192.168.100.25 192.168.100.25