9463 commits

Author SHA1 Message Date
Kevin Fenzi
35eadbbf4b bastion: move these to block rules too
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-29 11:40:13 -07:00
Kevin Fenzi
ebffcee73c nftables: create a block rules section and move pagure blocks to it
Before, the custom rules were actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so it wasn't
really blocking anything.

This moves them to a block_rules applied before the ports are allowed.
Also move pagure's to that new rule list.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-29 11:36:20 -07:00
Kevin Fenzi
240aa7b8e0 bastion: add sysadmin-riscv
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-29 09:10:06 -07:00
Kevin Fenzi
5be96729ca builders/builders_stg: not external
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-28 11:26:03 -07:00
Kevin Fenzi
fb2a8a82d6 releng-compose: add troubleshoot group for non sudo access to debug ostree issue with kinoite
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-28 11:03:08 -07:00
Pavel Raiskup
43b8ee52d8 copr-hypervisor: try to go back with iptables
VMs fail to boot for some reason, and per recent #copr Matrix discussion
this might be the thing.
2025-04-28 18:51:38 +02:00
Kevin Fenzi
baade64038 drop iad2 external boolean
I think this is not needed because we actually test for iad2 in
inventory_hostname and in fact it overrides the groups that set it to
true, making them all come up false. ;(

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-26 10:24:43 -07:00
Kevin Fenzi
8302ff44cd pagure: widen ai blockage
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-26 09:04:10 -07:00
Kevin Fenzi
d3d07df333 torrent: try switching port range syntax to the nftables one
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 15:07:17 -07:00
Kevin Fenzi
7c670efbfe openqa: do not do the nftables switch on these until we have more time for testing
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 13:51:09 -07:00
Kevin Fenzi
4d4365cdf5 nftables: add defined check for nft_nat_rules and set it also [] by default
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 13:17:03 -07:00
James Antill
68cbd3dc2c Turn nftables on everywhere.
Signed-off-by: James Antill <james@and.org>
2025-04-24 20:05:03 +00:00
Pedro Moura
f62c14df02 Add f42-test
Signed-off-by: Pedro Moura <pmoura@redhat.com>
2025-04-23 15:56:18 -03:00
Kevin Fenzi
96911acd1e releng-compose: move rawhide/branched composers to f42
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-19 09:16:24 -07:00
James Antill
84a8bb3a82 Move all production builders to nftables.
Signed-off-by: James Antill <james@and.org>
2025-04-18 20:20:01 +00:00
James Antill
1b1da8f88f Move buildhw-a64-04.iad2 to nftables.
Signed-off-by: James Antill <james@and.org>
2025-04-17 16:32:19 -04:00
James Antill
49fe6d4ed2 Move buildhw-x86-04.iad2 to nftables.
Signed-off-by: James Antill <james@and.org>
2025-04-17 15:12:01 -04:00
Greg Sutcliffe
7f60fdf690 Zabbix-stg: More base server config
This adds:
- Matrix media type
- User for a Matrix bot
- Trigger using Matrix & the bot
- PSK configuration, using the PSK file already deployed
- 2 base templates
  - a general one suitable even for Koji
  - a dependant one for all other hosts
- Autoregistration config to use the new base template

This is all scoped to staging via a new include in main.yml
2025-04-02 17:30:59 +01:00
Pavel Raiskup
5a85ca9211 copr: pulp_content_url needs to be slash-terminated
2025-04-01 07:49:20 +02:00
Adam Williamson
7b84f30429 openqa/server: switch prod to OAuth2
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2025-03-28 14:37:00 -07:00
Adam Williamson
5da2faac67 openqa/server: allow OAuth2 authentication, enable on lab
OpenID support in FAS is going away. openQA has OAuth2 support.
I've tested this config to work with manual edits on lab, now
ansiblizing it (for lab only to start with).

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2025-03-28 13:40:57 -07:00
Kevin Fenzi
5505dff89c bvmhost-p09-04/05: no nbde here
I had reinstalled these both with no encryption in an attempt to see if
I could get more performance from them. Since we moved to iscsi this is
moot, and we should probably reinstall them like the others again, but
for now just disable nbde so everything works with the playbook.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-27 15:11:49 -07:00
Kevin Fenzi
1cc761ac9b compose-eln01: this is using primary koji
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-27 13:39:49 -07:00
Michal Konecny
a807fb3d4f [mailman3] Create gunicorn configuration file
To make changing the gunicorn configuration easier, let's move the
configuration values from the systemd service to a separate
configuration file.

The file will live in /etc/mailman3/gunicorn.conf.py.
2025-03-27 13:01:13 +01:00
Kevin Fenzi
f256adda6e bvmhost-p09: also enable nbde here
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-26 17:48:52 -07:00
Kevin Fenzi
1f2bba4489 bvmhost-a64 / buildhw-a64: enable nbde role here as well
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-26 16:17:37 -07:00
Kevin Fenzi
de320e8298 bvmhost-a64-04: try and enable the nbde handling
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-26 16:05:28 -07:00
Kevin Fenzi
82f85d89ad compose / staging: these are primary koji instances
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-26 10:30:51 -07:00
Jakub Kadlcik
a6b86224fb copr: rename STG pulp domain
2025-03-25 15:01:07 +01:00
Jakub Kadlcik
5f7d5bda78 copr-fe-dev: fix pulp content URL
2025-03-25 14:22:35 +01:00
Jakub Kadlcik
9cfa240dd8 logdetective01, logdetective02: add sgallagh and mmassari as admins
2025-03-25 13:30:21 +01:00
James Antill
7f429f3d13 Clean nftables var. for specific staging groups.
Signed-off-by: James Antill <james@and.org>
2025-03-24 16:18:48 -04:00
James Antill
3d695e58b3 Turn on nftables for all of staging.
Signed-off-by: James Antill <james@and.org>
2025-03-24 15:13:35 -04:00
Jakub Kadlcik
a9494929ef logdetective01: drop birthday
2025-03-19 22:47:55 +01:00
Jakub Kadlcik
65cc13ca28 logdetective01: set birthday
2025-03-19 22:38:07 +01:00
Kevin Fenzi
22681acd07 releng_compose: set koji_instance: "primary"
This was missed when I was adding the riscv secondary koji before
freeze. We need it fixed because it breaks the playbooks on the
primary releng compose machines and we have a freeze break to deploy.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-17 10:59:10 -07:00
Jakub Kadlcik
f10301013c copr-dev: try using bootc builder image, pt.3
2025-03-16 17:59:09 +01:00
Kevin Fenzi
d7c1fdf01c pagure.io: double cpus to try and help scraper issues
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-14 12:54:31 -07:00
James Antill
8e8fc651fa Turn on nftables for a few more staging groups.
Signed-off-by: James Antill <james@and.org>
2025-03-10 16:40:08 -04:00
Jakub Kadlcik
eec596d979 copr-dev: try using bootc builder image, pt.2
2025-03-07 12:18:18 +01:00
Jakub Kadlcik
0f902b6e9b copr-dev: try using bootc builder image
See https://github.com/fedora-copr/copr-image-builder
2025-03-06 23:57:10 +01:00
James Antill
172cfc9efa Move staging builders to nftables.
Signed-off-by: James Antill <james@and.org>
2025-03-03 21:20:30 +00:00
James Antill
31d65aa439 Actually move to nftables for any host with nftables: true (nothing atm).
Signed-off-by: James Antill <jantill@redhat.com>
2025-03-03 21:20:30 +00:00
Kevin Fenzi
4b0331e576 compose-x86-riscv01: set secondary koji instance
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-17 14:35:02 -08:00
Kevin Fenzi
5aaff87f87 compose-x86-riscv01: fix name thinkos
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-17 14:17:13 -08:00
Kevin Fenzi
f0663ae52f compose-riscv01: add a secondary x86 compose host for riscv
This vm will hopefully allow for composing images, repos, etc

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-17 13:56:23 -08:00
Kevin Fenzi
47fcb90839 buildvm_aarch64_stg: set primary instance here too
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-16 08:58:04 -08:00
Kevin Fenzi
f04ff347dd buildvm_s390x_stg: set primary instance here too
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-16 08:56:22 -08:00
Michal Konecny
6428f8f772 Sunset github2fedmsg and fedmsg
This commit is removing all the fedmsg-related stuff from the ansible
repository.

Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2025-02-13 10:08:51 +00:00
Kevin Fenzi
5faa76d541 buildvm / staging: set koji instance to primary
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-11 15:59:56 -08:00