move of the koji builders creation from builders repo to ansible public

files/common-scripts/hardware-reinstall

@@ -0,0 +1,228 @@
+#!/usr/bin/env python
+# hardware-reinstall - Prepare a physical box in FI for re-install.
+# (c) 2012 Red Hat, Inc.
+# Ricky Elrod <codeblock@fedoraproject.org>
+# GPLv2+
+
+import os
+import sys
+import urllib
+import socket
+import subprocess
+import shlex
+import platform
+from optparse import OptionParser
+
+parser = OptionParser(
+    description='Prepare a physical box in FI for re-install.')
+parser.add_option('-n',
+                  '--noop',
+                  action='store_true',
+                  help="Don't actually modify/download anything, just "
+                       "output stuff.")
+parser.add_option('-y',
+                  '--yes',
+                  action='store_true',
+                  default=False,
+                  dest="yes",
+                  help="Don't prompt to confirm, just do it.")
+parser.add_option('--ip',
+                  help="Override the IP of the box (passed to Grubby)")
+parser.add_option('--gw',
+                  help="Override the Gateway of the box (passed to Grubby)",
+                  dest='gateway')
+parser.add_option('--nm',
+                  help="Override the Netmask of the box (passed to Grubby)",
+                  dest='netmask')
+parser.add_option('--dns',
+                  help="Comma-delimited list of DNS resolvers (passed to "
+                       "Grubby)",
+                  dest='dns_resolvers')
+parser.add_option('--ks-file',
+                  help="Set the kickstart file to use (default:"
+                       "hardware-rhel-6-nohd)",
+                  default='hardware-rhel-6-nohd',
+                  dest='ks_file')
+(options, args) = parser.parse_args()
+
+if options.yes and options.noop:
+    print "Don't ask AND don't do anything? Cmon"
+    sys.exit(1)
+    
+# 0. Get our hostname/primary ip
+# Get our primary IP by resolving our hostname.
+if options.ip:
+    if not options.netmask:
+        print 'You gave a custom IP and should specify a custom netmask too.'
+        sys.exit(1)
+    primary_ip = options.ip
+else:
+    primary_ip = socket.gethostbyname(socket.gethostname())
+
+# so - anaconda sometimes doesn't seem to listen to our dns
+# when fetching kickstarts, etc - so if we give the ip of the host
+# if we're in 10.5.X network (phx2) then things just work.
+if primary_ip.startswith('10.5.'):
+    basehost = "http://10.5.126.23/"
+else:
+    basehost = "http://infrastructure.fedoraproject.org/"
+
+arch = platform.machine()
+VMLINUZ_URL = '%srepo/rhel/RHEL6-%s/images/pxeboot/vmlinuz' % (basehost, arch)
+INITRD_URL = '%srepo/rhel/RHEL6-%s/images/pxeboot/initrd.img' % (basehost,
+                                                                 arch)
+
+# 1. Grab initrd and vmlinuz and throw them in /boot
+# FIXME - more error catching here
+if not options.noop:
+    print 'Fetching vmlinuz'
+    urllib.urlretrieve(VMLINUZ_URL, "/boot/vmlinuz-install")
+
+    print 'Fetching initrd'
+    urllib.urlretrieve(INITRD_URL, "/boot/initrd-install.img")
+
+
+# 2. Find our network info.
+if options.netmask:
+    primary_netmask = options.netmask
+
+# We still have to get the MAC address, of the primary NIC
+# even if we specify a custom IP/NM.
+cmd = subprocess.Popen('/sbin/ifconfig', stdout=subprocess.PIPE)
+stdout = cmd.communicate()[0]
+i = 0
+lines = stdout.split("\n")
+for line in lines:
+    if socket.gethostbyname(socket.gethostname()) in line:
+        # Somewhere between EL6 and F17, ifconfig output has changed.
+        # We accommodate for both.
+        if ':' in line:
+            # We are EL6
+            if not options.netmask:
+                # inet addr:10.5.127.51  Bcast:10.5.127.255  Mask:255.255.255.0
+                primary_netmask = line.split('Mask:')[1]
+
+            # On EL6 MAC addr is always one line before the IP address line
+            primary_mac = lines[i - 1].split('HWaddr ')[1]
+        else:
+            # We are likely something newer
+            if not options.netmask:
+                # inet 10.10.10.113  netmask 255.255.255.0  broadcast
+                # 10.10.10.255           # (cont. from above comment)
+                primary_netmask = line.split('netmask ')[1].split(' ')[0]
+
+            # On newer things, life gets harder. We have to continue
+            # parsing lines until we get one with 'ether ' in it.
+            # The range is the line we're on now -> the last line.
+            for y in xrange(i, len(lines) - 1):
+                if 'ether ' in lines[y]:
+                    primary_mac = lines[y].split('ether ')[1].split(' ')[0]
+                    break
+        break
+    i += 1
+
+# Gateway
+if options.gateway:
+    primary_gateway = options.gateway
+else:
+    cmd = subprocess.Popen(['/sbin/ip', 'route'], stdout=subprocess.PIPE)
+    stdout = cmd.communicate()[0]
+    for line in stdout.split("\n"):
+        if 'default' in line:
+            # default via 10.10.10.1 dev wlan0  proto static
+            primary_gateway = line.split('via ')[1].split(' ')[0]
+            break
+
+# And DNS servers
+if options.dns_resolvers:
+    dns_resolvers = options.dns_resolvers
+else:
+    dns_servers = []
+    with open('/etc/resolv.conf', 'r') as f:
+        for line in f.readlines():
+            if 'nameserver' in line:
+                dns = line.split(' ')
+                if len(dns) == 2:
+                    dns_servers.append(dns[1].strip())
+    dns_resolvers = ','.join(dns_servers)
+
+print '-' * 30
+print 'Primary IP: ' + primary_ip
+print 'Primary Netmask: ' + primary_netmask
+print 'Primary Gateway: ' + primary_gateway
+print 'Primary MAC Address: ' + primary_mac
+print 'DNS Resolvers: ' + dns_resolvers
+print '-' * 30
+
+# 3. Construct the grubby line.
+# grubby --add-kernel=/boot/vmlinuz-install \
+#        --args="ks=http://infrastructure.fedoraproject.org/\
+#        repo/rhel/ks/hardware-rhel-6-nohd \
+#        repo=http://infrastructure.fedoraproject.org/repo/rhel/RHEL6-x86_64/ \
+#        ksdevice=link ip=$IP gateway=$GATEWAY netmask=$NETMASK dns=$DNS" \
+#        --title="install el6" --initrd=/boot/initrd-install.img
+grubby_command = '/sbin/grubby --add-kernel=/boot/vmlinuz-install ' \
+    '--args="ks=%srepo/rhel/ks/%s ksdevice=%s ' \
+    'ip=%s gateway=%s netmask=%s dns=%s repo=%srepo/rhel/RHEL6-x86_64/" ' \
+    '--title="install el6" --initrd=/boot/initrd-install.img' % (basehost,
+    options.ks_file,
+    primary_mac,
+    primary_ip,
+    primary_gateway,
+    primary_netmask,
+    dns_resolvers,
+    basehost)
+
+print 'This grubby command seems like it will work:'
+print '-' * 30
+print grubby_command
+print '-' * 30
+print 'Check the command and be sure that it looks correct.'
+
+if not options.noop:
+    if not options.yes:
+        print 'Type yes to continue, anything else to abort.'
+        print 'By continuing, I will run the above command.'
+        if  raw_input('> ') != 'yes':
+            print 'Removing downloaded files.'
+            os.unlink('/boot/vmlinuz-install')
+            os.unlink('/boot/initrd-install.img')
+            print 'Aborting.'
+            sys.exit(1)
+
+    cmd = subprocess.Popen(shlex.split(grubby_command),
+                           stdout=subprocess.PIPE,
+                           stderr=subprocess.PIPE)
+    stdout, stderr = cmd.communicate()
+    if stdout:
+        print stdout
+    if stderr:
+        print "[STDERR output]"
+        print stderr
+
+    if not options.yes:
+        raw_input(
+            'Examine the above output, if it looks sane, press enter to '
+            'continue.')
+print 'The next command I will run is:'
+print 'echo "savedefault --default=0 --once" | grub --batch'
+
+if not options.noop:
+    cmd = subprocess.Popen(['/sbin/grub', '--batch'],
+                           stdin=subprocess.PIPE,
+                           stdout=subprocess.PIPE,
+                           stderr=subprocess.STDOUT)
+    stdout = cmd.communicate(input='savedefault --default=0 --once\n')
+    print stdout[0]
+
+print 'Done.'
+print 'When you are ready, run: `shutdown -r now` to reboot.'
+print 'Go here:'
+print 'http://infrastructure.fedoraproject.org/infra/docs/kickstarts.txt'
+print 'And control-f for "Installation" (no quotes). Continue from there.'
+
+if options.noop:
+    print '-' * 30
+    print 'Script was run in "no-op" mode - none of the above commands ' \
+          'actually ran.'
+    print '-' * 30

files/common/ntp.conf

@@ -0,0 +1,24 @@
+## Set up restrictions for services.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+restrict 127.0.0.1 
+restrict -6 ::1
+
+# setup a set of servers that we all look at.
+server 66.187.233.4   # [clock.redhat.com]
+server 192.43.244.18  # [time.nist.gov]
+server 128.118.25.5   # [otc1.psu.edu]
+server 204.152.184.72 # [clock.isc.org]
+
+# [localhost]
+# Undisciplined Local Clock. This is a fake driver intended for backup
+# and when no outside source of synchronized time is available. 
+server 127.127.1.0     # local clock
+fudge  127.127.1.0 stratum 10  
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography. 
+keys /etc/ntp/keys
+
+# Watch drift
+driftfile /var/lib/ntp/drift

files/hosts/kojibuilder-hosts

@@ -0,0 +1,8 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+10.5.126.23    infrastructure.fedoraproject.org
+10.5.125.63    koji.fedoraproject.org
+10.5.125.36    kojipkgs.fedoraproject.org
+10.5.124.138   arm.koji.fedoraproject.org armpkgs.fedoraproject.org
+10.5.125.44    pkgs.fedoraproject.org  pkgs
+10.5.126.52    mirrors.fedoraproject.org admin.fedoraproject.org

files/iptables/kojibuilder

@@ -24,6 +24,10 @@
 -A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 443 -j ACCEPT
 
+#arm.koji.fp.o
+-A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 443 -j ACCEPT
+
 # DNS
 -A OUTPUT -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
 -A OUTPUT -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
@@ -64,4 +68,6 @@
 -A OUTPUT -m udp -p udp --dport 123 -d 128.118.25.5 -j ACCEPT
 -A OUTPUT -m udp -p udp --dport 123 -d 204.152.184.72 -j ACCEPT
 
+# dhcp
+-A OUTPUT -m udp -p udp --dport 67 -d 10.5.126.41 -j ACCEP
 COMMIT

files/kojibuilder/arm-koji.conf

@@ -0,0 +1,23 @@
+[koji]
+
+;configuration for koji cli tool
+
+;url of XMLRPC server
+server = http://arm.koji.fedoraproject.org/kojihub
+
+;url of web interface
+weburl = http://arm.koji.fedoraproject.org/koji
+
+;path to the koji top directory
+;topdir = /mnt/koji
+
+;configuration for SSL athentication
+
+;client certificate
+;cert = ~/.koji/client.crt
+
+;certificate of the CA that issued the client certificate
+;ca = ~/.koji/clientca.crt
+
+;certificate of the CA that issued the HTTP server certificate
+;serverca = ~/.koji/serverca.crt

files/kojibuilder/arm-kojid.conf

@@ -0,0 +1,62 @@
+[kojid]
+; The number of seconds to sleep between tasks
+; sleeptime=15
+
+; The maximum number of jobs that kojid will handle at a time
+; maxjobs=10
+
+; The minimum amount of free space (in MBs) required for each build root
+; minspace=8192
+
+; The directory root where work data can be found from the koji hub
+; topdir=/mnt/koji
+
+;url of package download site
+topurl = http://armpkgs.fedoraproject.org/
+
+; The directory root for temporary storage
+; workdir=/tmp/koji
+
+; The directory root for mock
+; mockdir=/var/lib/mock
+
+; The user to run as when doing builds
+; mockuser=kojibuilder
+
+; The vendor to use in rpm headers
+vendor=Fedora Project
+
+; The packager to use in rpm headers
+packager=Fedora Project
+
+; the distribution to use in rpm headers
+distribution=Fedora Project
+
+; The _host string to use in mock
+mockhost=redhat-linux-gnu
+
+; The URL for the xmlrpc server
+server=http://arm.koji.fedoraproject.org/kojihub
+
+; The URL for the packages tree
+pkgurl=http://armpkgs.fedoraproject.org/packages
+
+; A space-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
+allowed_scms=pkgs.fedoraproject.org:/*:false:fedpkg,sources git.fedorahosted.org:/git/spin-kickstarts.git:false
+
+; The mail host to use for sending email notifications
+smtphost=bastion.phx2.fedoraproject.org
+
+; The From address used when sending email notifications
+from_addr=Fedora Koji Build System <buildsys@fedoraproject.org>
+
+;configuration for SSL athentication
+
+;client certificate - puppet generated
+cert = /etc/kojid/kojibuilder.pem
+
+;certificate of the CA that issued the client certificate
+ca = /etc/kojid/cacert.pem
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/kojid/cacert.pem

files/kojibuilder/builder-infrastructure.repo

@@ -0,0 +1,6 @@
+[builder-infrastructure]
+name=Builder Packages from Fedora Infrastructure $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/builder-rpms/$releasever/$basearch/
+enabled=1
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE

files/kojibuilder/builders/bkernel-eth0-network

@@ -0,0 +1,11 @@
+DEVICE={{ ansible_eth0["device"] }}
+BOOTPROTO="static"
+DNS1="10.5.126.21"
+DNS2="10.5.126.22"
+GATEWAY="10.5.125.254"
+HWADDR={{ ansible_eth0["macaddress"] }}
+IPADDR={{ ansible_eth0["ipv4"]["address"] }}
+NETMASK={{ ansible_eth0["ipv4"]["netmask"] }}
+NM_CONTROLLED="yes"
+ONBOOT="yes"
+TYPE="Ethernet"

files/kojibuilder/builders/bkernel-site-defaults.cfg

@@ -0,0 +1,2 @@
+# mount the pesign socket into the chroot
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' ))

files/kojibuilder/builders/fedora-devel-pungi-i386.cfg

@@ -0,0 +1,31 @@
+config_opts['root'] = 'fedora-development-pungi-i386'
+config_opts['target_arch'] = 'i386'
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc9'
+config_opts['plugin_conf']['root_cache_enable'] = False
+config_opts['internal_dev_setup'] = False
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/dev', '/dev' ))
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/dev/pts', '/dev/pts' ))
+
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+
+# repos
+
+[fedora]
+name=fedora
+baseurl=http://kojipkgs.fedoraproject.org/mash/branched/i386/os
+
+[buildroot]
+name=buildroot
+baseurl=http://kojipkgs.fedoraproject.org/repos/f19-build/latest/i386/
+"""

files/kojibuilder/builders/fedora-devel-pungi-x86_64.cfg

@@ -0,0 +1,34 @@
+config_opts['root'] = 'fedora-development-pungi-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc9'
+config_opts['plugin_conf']['root_cache_enable'] = False
+config_opts['internal_dev_setup'] = False
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/dev', '/dev' ))
+config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/dev/pts', '/dev/pts' ))
+
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
+# .i?86 packages except these.
+exclude=[!g]*.i*86 g[!l]*.i?86  gl[!i]*.i?86 gli[!b]*.i?86 glib[!c]*.i?86 
+
+# repos
+
+[fedora]
+name=fedora
+baseurl=http://kojipkgs.fedoraproject.org/mash/branched/x86_64/os
+
+[buildroot]
+name=buildroot
+baseurl=http://kojipkgs.fedoraproject.org/repos/f19-build/latest/x86_64/
+"""

files/kojibuilder/ftbfs_auth_keys

@@ -0,0 +1,13 @@
+#skvidal
+from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjlnCEiFMrKpkiIBjs5IW1+RXDald3aKvTszj0hUw9Gl6w3vt3RAiqTD/XRKcNdP0+pVIK/I4KexKfZzemNZ8UYmZ+a9EK+Gj7OQbJv7TQDeR0zyJ8ZgFXaWoN+CnWXLO2mp9poysUR6CILjaDJt4GDxJaD+bebRu+zxUQSlgrjObhIUTSfwsEJu++zK+fy4+xSEMG7SANEJHd+zOAw6+isLnnbp8qY2fs3reKpc8XPkyJscLU4BQV2cGXwlPUhzPVv/itUUV/uWHeAqoz2i5XG4C0/BXk6D85qkGIyE08Nl3COxn6giivrdTIH6W4dUtBdYgTMZ3RgMHL9ClLpS17 skvidal@opus
+#dgilmore
+from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAD9QDskl41P2f4wqBuDBRD3VJ7MfKD6gMetMEaOy2b/CzfxN1vzeoxEvUxefi4+uh5b5ht5+BhQVhvBV7sTxxYftEH+B7IRmWigqcS1Ndnw+ML6zCbSTCJOqDvTLxmkZic0NUBIBP907ztMCoZjaOW9SSCrdA9Vp87V3x/KEQaeSNntmnFqtnpQI/N0NlmqxB78p97W/QDpLuftqJ33sM0uyvxXSusThLSFBHjisezsWox49nEKY8HW+Kwkmw+k7EF4tsDWymPB+S0gMsMlTxzjutNASVDmn6H+lgkzns+5Xxii4/mZWrcjqfLuH7vCI2mWykZJ6ek0LiQea9tNN+KZomqX6NbTUK3riaDPrZPNexa4I83Fp+DYNmYgnGMInqn+cZ5PoUJ3u3LaqZGBQeuuONTw0yQ8Pkkn5xibpPO6qblHKcet0pfmWQ5ab+5BDrsyLcPXolMci5h45GNWebr7UMuXT6+q+EolnYgbgDzzGJ4xPohF04OW8CwflK64KEnYcqlGs+DF4TNgGFlhKiyCWfXSjizmQusxn17ayi6+yrkiGeqfz72qyZ1pSKlwA8XRYC2VkAAquJP6zAtAKjCUdmRTSyYgCpoIAlMwBO07BiPLLov6lKdphZYY1DI7pTXA98fhVU04PDqJJYR1GKkttmCsjbRWnxjkPl/Zka1+ei3k9DNidT6j4hFj+uTj8SS70qZUtKLNpc5IcedHaGEK0vcXJm9lIEKBIEnN0PCLZCa4kQZnfdsbuep1fbXNf4WYPXea29aRKJc4hiqsdrccTp4KueHgWt1Jj6CZDZcFgX+NlUVWwk6djgjRzHUryExtsjCcgGMPRJWdUnVcpgkQ1qJhEXng3W+nFFboArWfwU8u1pXEdeE1Z+m+ows3nJHdEgQevyy/cUx6BPNPZkBh10MWskSV8Z+vb02vJB+QikRMwQs3Ywf6RMaZFrBkWD4FfUaU24f4wgtPQN7j5xxJ2rWLJ/s9ZOWSl9yrytC6ZUQwmayLmiPUdm4u/7ZZmaly39K1YWqFDl3eUrRAZwf1L/NAqFu/qcQQ3Xf20K0nI55nVbZ8ODyx6BtfwoioblnTEcehK0uud5Vamc5mfpErFY0agEecsc0sMZO+ky9pf/gCUdM7je7kMDI2hdx61fOa8Wypb5u9WNBWKRKx8xT1XUKhb2uFumm3sR1iNm1Qhj92mo/NO2aETOA1lsYSL0XK571Yy0iFK3X1nOqp/gCsEGLI8OPQk6XuFqv8hmfiIXNKV8IwuDStw7eIvuQIgT7bmMkj+1Ca25foSmg3w5FqJux1gO9t5F018LeQZ6LVlYHZaQnaN+eTU7KfoCozhWw1H9pprDz Dennis Gilmore
+#kfenzi
+from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJH1lA7WHRCbaFtvzbw0HxHYJstZjuXhax1+eL+SUJ5fFRGosEc4fLrSCP0gSFDfXmNzuspoBgcQTqnNO8FdIUwkJLDEu0vTQls1aT9YUXb+RVwKB7ULA3b1dqFkmOgLEjTJL9AplK4OJ9Su0kq6QBV4mXCxMsgEML/gn6r8muZmu2L/LdzUnxKKggyq7O5q1K/eW5Yy21fpvbHt2UPQX1f6gt4ty7E9Nnuhi7SHCI7fNIa+kHyIesfTm/SzeK/PY9rDwZKjuyS8o22GJXGEScJomK1cjMESH/J+t8Hffaj88BjGHNczvcnXAjq6y73VJQ9DiGLD4zmFquQMxDu0Tf kevin@jelerak.scrye.com
+#smooge
+from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAxnzCHH11nDM1m7yvqo6Uanq5vcZjBcs/mr3LccxwJ59ENzSXwUgEQy/P8vby9VKMwsskoaqZcvJdOSZBFhNV970NTPb69OIXPQAl/xhaLwiJOn606fB+/S8WepeuntS0qLiebbEiA9vIQLteZ+bWl1s/didD/sFo3/wItoTGA4GuShUu1AyWJx5Ue7Y34rwGR+kIvDoy2GHUcunn2PjGt4r3v2vpiR8GuK0JRupJAGYbYCiMBDRMkR0cgEyHW6+QQNqMlA6nRJjp94PcUMKaZK6Tc+6h5v8kLLtzuZ6ZupwMMC4X8sh85YcxqoW9DynrvO28pzaMNBHm7qr9LeY9PIhXscSa35GAcGZ7UwPK4aJAAuIzCf8BzazyvUM3Ye7GPCXHxUwY0kdXk+MHMVKFzZDChNp/ovgdhxNrw9Xzcs4yw7XYambN9Bk567cI6/tWcPuYLYD4ZJQP0qSXVzVgFEPss1lDcgd0k4if+pINyxM8eVFZVAqU+BMeDC+6W8HUUPgv6LiyTWs+xTXTuORwBTSF1pOqWB4LjqsCGIiMAc6n/xdALBGUN7qsuKDU6Q7bwPppaxypi4KCvuJsqW+8sDtMUaZ34I5Zo1q7cu03wqnOljUGoAY6IDn3J66F2KlPPyb/q3PDV3WbY/jnH16L29/xUA73nFUW1p+WXutwmSU= ssmoogen@ponyo.int.smoogespace.com
+#codeblock
+from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAACAEAstHxky7hl1inyHBy+q/9M+Aen2HSfy8IoW+sAO6HSuHEUT7qWB8AlSNjHhahjXx7sy/BUkUed+NB/177rjlThokZDJ0yoM9KKymp26ETGaamBSkWBxZatTj96BWfD0P2K9jc/9vxtgKBq3VK9UaOt6VtJ9q6mKY3DdWLZn+K6iGQAKMCAgd8cCMgD6epBB5/litz7WhYv+aYTyjZGUGbBojQUiWgXDv9lR7p0w+VP7pnZEeb3//k4pZhsPrKFwwRVRLxBvWgVKNvA6nMXmsdikHCLLj8YAevhEY1xAba+iCKOpTqT7Bu+1Fnb9St8u5iDod21gRmN7MGGWYsO+Iu2MNAW9sw2nsA/sdNR0HEEgBqJLhERjGv399fWKyiZaF90n59lg8Pb6EzE6wHRs6rSB+9uKApBzPk99BEHLvC6mhn6RjrOC+TWSTcmXojAwQYCadqIdgWUaBsxaugKEXBFcmRuDWtpDfsqmM1kjeGU6MiaMlqPW0KjsMaVVChLO5ZvB/T7qW4wr5ZjLri475MuHocCMP0ECSUk7I3YW2h8RU6FEFmTpuULFRQo01iPreY5XJ7l0+xy2eggAWo+X2h3nGjXhCPOelBg+LYe0WOmPgB5oc1m5HZtFTcFzYbhAE+xQKlbwNeYT8HmNmEMhPjVoNyOOV7NAap+ueS2u/7li5D59O5Iy8aa5n/WiuYfkqH4pG796nFyLr5L/LVudzyaYFb/Gk8C1j/NAWYw53D/9aOA277HHe5t0/daJhbo98u0asF5mvPld3swPuPqkEZzgUfmNgH5CkvcQcMzaOvj6qr6xNmQfgsHroCShb46kplQ2uSf1pMAqsjN7jGhk6l+Bu6hKHnJKhZJVLiuAZtgYvkCB1ahaO3wRVozA1VKCAlqHOqoCq4YLIobUL95H08Kwcz7vIRIadX1TkOoLb2EwPkE/xrhDp4BySh+j6YNklSBkiRHvJMBNnRIj8NTRjYyj2o1Om7kJ770lEdryg2og8QBaFWCmFkwzg1QVrBOuu0dN7kt2l7VI7Ib4lavKSVTrqUdxdSbthUlu/b4Qif+pbyEtUFgykRsHVs+5Ofg7FZpsgCJ8rLFjzeVF/hAYX7t3XaIPLu+DL8kzamb/CRy1b7+iAw9nJbd7ED2SGyU6+c2coMPG23y6+YxgEmNG/rkCLCypkEEDOZe4DuMerZQ/RxMo06+glC6HC/3VN2dHlVLtEEV33B04/6Z0plAhqtjG7PVs08f8a5msV/VYn5ifa4z0oIXX1r5CIg3Ejp1JguLhBHpWa7YbS2Mwu6GAbD+hQfCYrsUkFonoOLu5czpITLo7ceJFTQmAt7OxZEoZBfmtYfzADQsQVYQb6J4QwvM3iKJOn30dgtYnJOVlDZEn+0fivedxoBAt9jHJ8lVp2ov/dOFnimi5V+2QIMB0fKTkChsk10zsDZ/KUk6zfijjEju0WfjRHCd357KswNv3aXHazfRIw77S2UOenD+xmUDZ6WgnxservUSDNDz7NldLf/gdPOMO4uSwKZixzsoCNioeLEmQv4gomNK7DyZBLMHLlWlbliqP+QWuIJO1rfoH2vaxzzA7l5tJW1gfnxm87RrrwIf9v5kpdJM6gQZxqmBCRsKQd5VkrEJ/xaFfkv080pWNV0drWTZW8fAAgfUNYB260Hyk3rHsjQlVtQxGJ1aAcgjMi3eGKQMwptbUMYHqct75czX6xp6zgXPiC/glX6AtuiZQ5bOI07imil20ien/ks/dnel8L+dmYDasL9m0B2jZ3lbl3eR1Dy7UhqGyERx//vYQapEBuwFcqQ9UdIWCGGG2Pte1I39BSehUUGSCOOD38a/GCu0l7OWZKdwq80MK/Ixgz4neiZQZ7MD2wPy6vk6Num18PZPN7OynMrI2UG5MViQ0GAhRgxwbUCvc7uKnGRqZo9q2mCabCxLbv+hJ4bppxpHHJxMDDXilTKMfZb0YRbvjBUi7LFKLN3MBMK2U1jHE+PjBgweqF8Jtuw04CQMxK3unajZOVkYAIq8IdMbw0oBVP4++eGB9z0x1eH+IsqL6IgknbbyoMgQqW9/8atm8HW2QYCX47oPd4FHs8rgJZk3bz8MwN3tp8WCRtYnJuwkWGWSq77ans0Ycl/tUfSSwUjnSvMsJnuSbxvdX0XbP5eRWikk0pJz5lM9sjYFOPHrQ44/U254yBa0N6UhyNTQnMGzRvY+fADE49b10hXZwCCrxpY9KvGr1XNJMnMcUke+4p9RS5LUwcZ8A6v7oWtZaZwnuBzvKk+HAn2gevD7Stjto+TnRCx1qcbx8iOhAEC6nvbLl+U313TmawrO/usrI5w3EFKP/4BnlKJDtNBeklJ0MpU3R1fmisqfegjuBW2bbaxq8Uo6m7uqPsYuAl7E6rOyZHLbtA8szvbQ46MSqAHezqxHJajWn2oZXMtbddgO5vlkxbRp3SSVKaPOeIj3XOGl78Owp4gFNRE0RY2EuUvrwUhXZR4wx1VHYjS6o9HAwOx3dH+pf1OiblUEanLQ9HLuOBkLhP8wn1M2slsSw+A1gyuI0ayjRujYFXdw6Mqp6XKTdU8vNue2c3d0I+TMifBypP0oJtxXmEoPp/VsU9yLKA2FF7Xvv/Xq1gtZcuZWAbSwMok/ENY1xeIFyjV+0yBidmax3jaf9yus/XEpyeBS3iIz63ymU10Kb2vrWjubg/sa2yd+q0y96dLdDRbnbwGwMmg6mXvTlVXf8c= ricky@padlock01.home.elrod.me
+#ftbfs
+from="10.5.126.23,10.5.126.12,10.5.126.11" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmareXr00ufdupdcu71ma3vZdFSyBDHOKyHOZarWp77Zf4eUU7GgXBQSgf6lxvz+KvgItW3p71C0VwpAB9O3y+CalxiO4vwLHLDeo2kNipS8UBDeCipI0NUydLVuAyV/Z73Xi5O28xBtTOjQcUQqrG86sHDhQqZbxMHN+V3VnrKNj0i0Ik9beiaeuYbttXF6qqoNA04piywYQAlHo+CX9t27mx+2HD59P5wCToUpU+MiITKthGGWYU0QZg6i7h3t9vJJvzmVNTLAQXvXRIqmhvdSamT7pNggbQIZD0dA1nJoBaOSAOej8q+3qsaZdzE1tyJTADF02rlXSXqsNVrYJQQ== skvidal@lockbox01.phx2.fedoraproject.org
+

files/kojibuilder/history_off.sh

@@ -0,0 +1,2 @@
+unset HISTFILE
+set HISTSIZE=0

files/kojibuilder/idmapd.conf

@@ -0,0 +1,114 @@
+[General]
+#Verbosity = 0
+# The following should be set to the local NFSv4 domain name
+# The default is the host's DNS domain name.
+Domain = fedoraproject.org
+
+# The following is a comma-separated list of Kerberos realm
+# names that should be considered to be equivalent to the
+# local realm, such that <user>@REALM.A can be assumed to
+# be the same user as <user>@REALM.B
+# If not specified, the default local realm is the domain name,
+# which defaults to the host's DNS domain name,
+# translated to upper-case.
+# Note that if this value is specified, the local realm name
+# must be included in the list!
+#Local-Realms = 
+
+[Mapping]
+
+#Nobody-User = nobody
+#Nobody-Group = nobody
+
+[Translation]
+
+# Translation Method is an comma-separated, ordered list of
+# translation methods that can be used.  Distributed methods
+# include "nsswitch", "umich_ldap", and "static".  Each method
+# is a dynamically loadable plugin library.
+# New methods may be defined and inserted in the list.
+# The default is "nsswitch".
+Method = nsswitch
+
+# Optional.  This is a comma-separated, ordered list of
+# translation methods to be used for translating GSS
+# authenticated names to ids.
+# If this option is omitted, the same methods as those
+# specified in "Method" are used.
+#GSS-Methods = <alternate method list for translating GSS names>
+ 
+#-------------------------------------------------------------------#
+# The following are used only for the "static" Translation Method.
+#-------------------------------------------------------------------#
+[Static]
+
+# A "static" list of GSS-Authenticated names to
+# local user name mappings
+
+#someuser@REALM = localuser
+
+
+#-------------------------------------------------------------------#
+# The following are used only for the "umich_ldap" Translation Method.
+#-------------------------------------------------------------------#
+
+[UMICH_SCHEMA]
+
+# server information (REQUIRED)
+LDAP_server = ldap-server.local.domain.edu
+
+# the default search base (REQUIRED)
+LDAP_base = dc=local,dc=domain,dc=edu
+
+#-----------------------------------------------------------#
+# The remaining options have defaults (as shown)
+# and are therefore not required.
+#-----------------------------------------------------------#
+
+# whether or not to perform canonicalization on the
+# name given as LDAP_server
+#LDAP_canonicalize_name = true
+
+# absolute search base for (people) accounts
+#LDAP_people_base = <LDAP_base>
+
+# absolute search base for groups
+#LDAP_group_base = <LDAP_base>
+
+# Set to true to enable SSL - anything else is not enabled
+#LDAP_use_ssl = false
+
+# You must specify a CA certificate location if you enable SSL
+#LDAP_ca_cert = /etc/ldapca.cert
+
+# Objectclass mapping information
+
+# Mapping for the person (account) object class
+#NFSv4_person_objectclass = NFSv4RemotePerson
+
+# Mapping for the nfsv4name attribute the person object
+#NFSv4_name_attr = NFSv4Name
+
+# Mapping for the UID number
+#NFSv4_uid_attr = UIDNumber
+
+# Mapping for the GSSAPI Principal name
+#GSS_principal_attr = GSSAuthName
+
+# Mapping for the account name attribute (usually uid)
+# The value for this attribute must match the value of 
+# the group member attribute - NFSv4_member_attr
+#NFSv4_acctname_attr = uid
+
+# Mapping for the group object class
+#NFSv4_group_objectclass = NFSv4RemoteGroup
+
+# Mapping for the GID attribute
+#NFSv4_gid_attr = GIDNumber
+
+# Mapping for the Group NFSv4 name
+#NFSv4_group_attr = NFSv4Name
+
+# Mapping for the Group member attribute (usually memberUID)
+# The value of this attribute must match the value of NFSv4_acctname_attr
+#NFSv4_member_attr = memberUID

files/kojibuilder/koji.conf

@@ -0,0 +1,23 @@
+[koji]
+
+;configuration for koji cli tool
+
+;url of XMLRPC server
+server = http://koji.fedoraproject.org/kojihub
+
+;url of web interface
+weburl = http://koji.fedoraproject.org/koji
+
+;path to the koji top directory
+;topdir = /mnt/koji
+
+;configuration for SSL athentication
+
+;client certificate
+;cert = ~/.koji/client.crt
+
+;certificate of the CA that issued the client certificate
+;ca = ~/.koji/clientca.crt
+
+;certificate of the CA that issued the HTTP server certificate
+;serverca = ~/.koji/serverca.crt

files/kojibuilder/kojid.conf

@@ -0,0 +1,59 @@
+[kojid]
+; The number of seconds to sleep between tasks
+; sleeptime=15
+
+; The maximum number of jobs that kojid will handle at a time
+; maxjobs=10
+
+; The minimum amount of free space (in MBs) required for each build root
+; minspace=8192
+
+; The directory root where work data can be found from the koji hub
+; topdir=/mnt/koji
+
+;url of package download site
+topurl = http://kojipkgs.fedoraproject.org/
+
+; The directory root for temporary storage
+; workdir=/tmp/koji
+
+; The directory root for mock
+; mockdir=/var/lib/mock
+
+; The user to run as when doing builds
+; mockuser=kojibuilder
+
+; The vendor to use in rpm headers
+vendor=Fedora Project
+
+; The packager to use in rpm headers
+packager=Fedora Project
+
+; the distribution to use in rpm headers
+distribution=Fedora Project
+
+; The _host string to use in mock
+mockhost=redhat-linux-gnu
+
+; The URL for the xmlrpc server
+server=http://koji.fedoraproject.org/kojihub
+
+; A space-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
+allowed_scms=pkgs.fedoraproject.org:/*:false:fedpkg,sources git.fedorahosted.org:/git/spin-kickstarts.git:false
+
+; The mail host to use for sending email notifications
+smtphost=bastion.phx2.fedoraproject.org
+
+; The From address used when sending email notifications
+from_addr=Fedora Koji Build System <buildsys@fedoraproject.org>
+
+;configuration for SSL athentication
+
+;client certificate - puppet generated
+cert = /etc/kojid/kojibuilder.pem
+
+;certificate of the CA that issued the client certificate
+ca = /etc/kojid/cacert.pem
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/kojid/cacert.pem

files/kojibuilder/limits.conf

@@ -0,0 +1,53 @@
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - an user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open files
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to
+#        - rtprio - max realtime priority
+#
+#<domain>      <type>  <item>         <value>
+#
+
+*		-	nofile		4096
+
+#*               soft    core            0
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#@student        -       maxlogins       4
+
+# End of file
+

files/kojibuilder/mock_auth_keys

@@ -0,0 +1 @@
+from="10.5.125.64,10.5.125.66,10.5.125.67,10.5.125.68" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA8qg9fzb6pbl15hUdIB8vcUIIK4LcoY30iwL/eJ/8PJRtWc0MJloAfhjGGmmgf7sJl5Lt5VGoZqBw5x1thUfLpxN6FasEQnAnjsBCJM3dfF3OybOtdMAX7+2f29V4xJ+r1djdJnBM7FeXQ6zDFLAmGjFF4flUNmKa0PPmHjJqXWPoLvQq3mLWTCkscanWEA2WL+ceQ/0Bac3ZuHJQ7yPY+lD3p/hHTnQlito+rJVItGzLTkSxmiZaS3UwUSkxPBB3Tms8e7coALaY3AM9K91mnFi0oFFW+pCPdccjBUfHuzT6Khx0SrbKVUI57riUZs2+FDLiBSST7OT8nDlIgBwMWiwfjgURfvp5HOh46hc3gb0+DCxScXlocRMs6a47rC/EACN7HB4HjbrvBbfQts3GegU67Ia7d3vgDNRknp1sR/RjhYeTPxFAPqXJN5/hFyuHyFYTjavw0BZpSvZvQHgAVvUIZsHwEshvlwFkMU5qnqgnR6oMJxlZHqYw63K3iKeUsKsFJepSV5xb+r9pTtHL/bmsTuaEaPhUOiW4kgq8E0RQ5K20FERFsGNCEgfMoAOnLYYQX0vaYIemnGHTA0Y4bqgo39opVBj7dKipVp3uENmxeYTBSQJ9pRJhlmQxxfk0AupQbs77+K9dSLvMo0E10gHK3fa8r1FigAA4T/IDtLs= masher@releng2.fedora.phx.redhat.com

files/kojibuilder/releng.repo

@@ -0,0 +1,6 @@
+[releng]
+name=Rel-Eng Packages from Fedora Infrastructure $releasever - $basearch
+baseurl=http://infrastructure.fedoraproject.org/repo/releng/$releasever/$basearch/
+enabled=1
+gpgcheck=1
+gpgkey=http://infrastructure.fedoraproject.org/repo/RPM-GPG-KEY-INFRASTRUCTURE

files/kojibuilder/root_auth_keys

@@ -0,0 +1,2 @@
+#ansible key
+from="10.5.126.23,10.5.126.12,10.5.126.11,209.132.181.6,192.168.1.58,152.19.134.140,192.168.1.42" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org

files/kojibuilder/route-eth1

@@ -0,0 +1 @@
+10.5.88.0/24 dev eth1

playbooks/koji/config_builder.yml

@@ -0,0 +1,201 @@
+- hosts: 
+  - builders
+  user: root
+
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - ${private}/vars.yml
+   - ${vars}/${ansible_distribution}.yml
+
+
+  tasks:
+  - name: enforce certain packages previously assumed from kickstarts
+    action: yum name=$item state=installed
+    with_items:
+    - postfix
+    - joe
+    - perl
+
+  - name: set root passwd
+    action: user name=root password=$rootpw state=present
+
+  - name: add mock user as 425
+    action: user name=mock uid=425 state=present home=/var/lib/mock createhome=yes system=yes
+
+  - name: make mock homedir perms
+    action: file state=directory path=/var/lib/mock mode=2775 owner=root group=mock
+
+  - name: add mock ssh dir
+    action: file state=directory path=/var/lib/mock/.ssh mode=700 owner=mock group=mock
+
+  - name: add mock ssh keys
+    action: copy src=$files/kojibuilder/mock_auth_keys dest=/var/lib/mock/.ssh/authorized_keys mode=640 owner=mock group=mock
+
+  - name: add kojibuilder
+    action: user name=kojibuilder groups=mock 
+
+  - name: add mockbuilder
+    action: user name=mockbuilder groups=mock
+
+  - name: mockbuilder .ssh dir
+    action: file state=directory path=/home/mockbuilder/.ssh mode=700 owner=mockbuilder group=mockbuilder
+
+  - name: mockbuilder ssh key
+    action: copy src=$files/kojibuilder/ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder
+
+  - name: iptables
+    action: copy src=$files/iptables/kojibuilder dest=/etc/sysconfig/iptables mode=600
+    notify:
+    - restart iptables
+
+  - name: sshd_config
+    action: copy src=$files/ssh/sshd_config.kojibuilder dest=/etc/ssh/sshd_config mode=600
+    notify:
+    - restart sshd
+
+  - name: /etc/resolv.conf
+    action: copy src=$files/resolv.conf/kojibuilder dest=/etc/resolv.conf
+
+  - name: add to hosts
+    action: copy src=$files/hosts/kojibuilder-hosts dest=/etc/hosts
+
+  - name: rsyslog.conf
+    action: copy src=$files/rsyslog.conf.kojibuilder dest=/etc/rsyslog.conf mode=644
+    notify:
+    - restart rsyslogd
+
+  - name: /etc/postfix/main.cf
+    action: copy src=$files/postfix/main.cf.kojibuilder dest=/etc/postfix/main.cf
+    notify:
+    - restart postfix
+
+  - name: make a bunch of dirs
+    action: file state=directory path=$item
+    with_items:
+      - /pub
+      - /mnt/koji
+      - /pub/fedora
+      - /pub/epel
+      - /var/spool/rsyslog
+
+  - name: add builder infra yum repo
+    action: copy src=$files/kojibuilder/builder-infrastructure.repo dest=/etc/yum.repos.d/builder-infrastructure.repo
+
+  - name: clean up packages we do not need
+    action: yum state=removed pkg=$item
+    with_items:
+      - audit
+      - 'cronie\*'
+
+  - name: add pkgs
+    action: yum  state=installed pkg=$item
+    with_items:
+      - yum-utils
+      - koji-builder
+      - strace
+      - mock
+      - nfs-utils
+      - kernel-firmware
+      - ntp
+      - ntpdate
+
+  - name: update latest
+    action: command /usr/bin/yum -y update
+
+  - name: /etc/kojid/kojid.conf
+    action: copy src=$files/kojibuilder/kojid.conf dest=/etc/kojid/kojid.conf
+    only_if: "not '${ansible_fqdn}'.startswith(('arm01','arm03','arm04')"
+    notify:
+    - restart kojid
+
+
+  - name: arm /etc/kojid/kojid.conf
+    action: copy src=$files/kojibuilder/arm-kojid.conf dest=/etc/kojid/kojid.conf
+    only_if: "'${ansible_fqdn}'.startswith(('arm01','arm03','arm04')"
+    notify:
+    - restart kojid
+
+  - name: /etc/koji/koji.conf
+    action: copy src=$files/kojibuilder/koji.conf dest=/etc/koji.conf
+    only_if: "not '${ansible_fqdn}'.startswith(('arm01','arm03','arm04')"
+
+  - name: /etc/koji/koji.conf
+    action: copy src=$files/kojibuilder/arm-koji.conf dest=/etc/koji.conf
+    only_if: "'${ansible_fqdn}'.startswith(('arm01','arm03','arm04')"
+
+  - name: copy over koji ca cert
+    action: copy src=$private/files/koji/buildercerts/fedora-ca.cert dest=/etc/kojid/cacert.pem
+
+  - name: copy over /etc/security/limits.conf
+    action: copy src=$files/kojibuilder/limits.conf dest=/etc/security/limits.conf
+
+  - name: copy over builder cert to /etc/kojid/kojibuilder.pem
+    action: copy src=$private/files/koji/buildercerts/${ansible_fqdn}.pem dest=/etc/kojid/kojibuilder.pem mode=600   
+    ignore_errors: true
+
+  - name: chkconfig kojid on
+    action: service name=kojid enabled=on
+
+  - name: copy over authorized keys for root
+    action: copy src=$files/kojibuilder/root_auth_keys dest=/root/.ssh/authorized_keys mode=644
+
+  - name: nfs mount points
+    action: mount name=/mnt/koji src=nfs01.phx2.fedoraproject.org:/ fstype=nfs4 opts=ro,hard,bg,intr,noatime,nodev,nosuid passno=0 dump=0 state=present
+    only_if: "not '${ansible_fqdn}'.startswith('bkernel')"
+
+  # mock configs for pungify job
+  - name: put extra special  mock configs in
+    action: copy src=$files/kojibuilder/builders/$item dest=/etc/mock/$item mode=644
+    with_items:
+      - fedora-devel-pungi-i386.cfg
+      - fedora-devel-pungi-x86_64.cfg
+
+  - name: ntp steptickers
+    action: copy src=$files/common/step-tickers dest=/etc/ntp/step-tickers
+
+  - name: ntp.conf
+    action: copy src=$files/common/ntp.conf dest=/etc/ntp.conf
+
+  - name: enable ntpd
+    action: service name=ntpd enabled=true state=started
+
+
+  handlers:
+  - include: $handlers/restart_services.yml
+
+  - name: restart kojid
+    action: service name=kojid state=restarted
+
+- hosts:
+  - bkernel*
+  - buildvm-*
+  - buildhw*
+  user: root
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - ${private}/vars.yml
+   - ${vars}/${ansible_distribution}.yml
+
+
+  tasks:
+  - name: set kernel params for loopback partitioning
+    action: command /sbin/grubby --update-kernel=ALL --args=loop.max_part=256 
+
+  - name: set kernel params for more loops
+    action: command /sbin/grubby --update-kernel=ALL --args=max_loop=64 
+
+  - name: special pkgs for the x86_64 builders
+    action: yum state=installed pkg=$item
+    with_items:
+    - kmod-hfsplus    
+
+- hosts: 
+  - bkernel*
+  user: root
+  vars_files: 
+   - /srv/web/infra/ansible/vars/global.yml
+   - ${private}/vars.yml
+   - ${vars}/${ansible_distribution}.yml
+
+  tasks:
+  - include: $tasks/bkernel-setup.yml

playbooks/koji/make_builder.yml

@@ -51,6 +51,7 @@
 
   
   # include postinstall playbook
-#  - include: $playbooks/koji/build_postinstall.yml
+- include: $playbooks/koji/config_builder.yml
+
 
 

tasks/bkernel-setup.yml

@@ -0,0 +1,38 @@
+---
+- name: add pkgs for bkernel boxes
+  action: yum state=latest pkg=$item enablerepo=epel-test
+  with_items:
+    - pesign
+    - ccid
+    - pcsc-lite
+    - pcsc-lite-libs
+    - opensc
+    - nss-tools
+
+- name: enable pcscd
+  action: service name=pcscd state=running enabled=1
+
+- name: setup opensc in pcscd
+  action: shell modutil -dbdir /etc/pki/pesign -list | grep -q Fedora ||  modutil -force -dbdir /etc/pki/pesign -add opensc -libfile /usr/lib64/pkcs11/opensc-pkcs11.so
+
+- name: /var/run/pesign perms
+  action: file state=directory path=/var/run/pesign owner=pesign group=pesign mode=0770
+
+- name: enable pesign
+  action: service name=pesign state=started enabled=true
+
+- name: when you awake you will remember nothing
+  action: copy src=$files/kojibuilder/history_off.sh dest=/etc/profile.d/history_off.sh mode=0644
+
+- name: mock site-defaults.cfg
+  action: copy src=$files/kojibuilder/builders/bkernel-site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
+
+- name: put hw reinstall onto bkernel boxes since they are raw hw
+  action: copy src=$files/common-scriptshardware-reinstall dest=/usr/local/bin/hardware-reinstall mode=0750 owner=root group=root
+
+- name: no nfs mounts on bkernel boxes
+  action: mount name=/mnt/koji src=nfs01.phx2.fedoraproject.org:/ fstype=nfs4 state=absent
+
+- name: make sure our bkernel boxes have static ip
+  action: template src=$files/kojibuilder/builders/bkernel-eth0-network dest=/etc/sysconfig/network-scripts/ifcfg-eth0 
+