We need this to try and relay in emails.
It turns out to be bordering on impossible to do this sanely with our
current setup, so make a fedora vm that lets us use saslauthdb to have a
specific (small) list of users that can authenticate and relay emails
via bastion and out. We can't do this on rhel, because they don't build
the saslauthdb backend. We can't use any of the other backends because
they either don't work or would allow any fedora user to relay, which we
do not want.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We add vpn to it to make ipa work, drop old openshift volumes, change
the name and in general get it ready to add to ansible.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now this task makes the ccd dir as 0755 and root.root, but then a
later task syncs this from batcave01 and it gets 2755 and
root.sysadmin-main. Just change this to match so we are more idempotent.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We had a bunch of old el6 conditionals in here, and we have 0 el6
machines. We also now have some CentOS instances, so we shouldn't check
for RedHat or Fedora anymore. Also, everything is using the newer
openvpn now so no need to make sure the old one is stopped.
This should not affect the vast majority of hosts, but it should allow
the el7/el8-test instances' vpns to actually work.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need to add these hosts to the vpn to use ipa for auth on them.
They are in the 192.168.100 network, which is the 'more restricted'
subnet of vpn. After the freeze we will probably want to lock this down
more with a rule on all hosts except ipa* to reject everything from
them. In the meantime the firewall rules blocking most things should be
ok for now.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We want to add another ipa server host in case the load gets large when
we migrate from fas. We can always nuke this one or add more.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
When we moved datacenters we had iad2 pointing to 192.168.20 at various
points to migrate things. We should no longer have any hosts using that
ip range. Move them all back.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Note that this just needs to add a new ccd file, nothing has to be
restarted and it can't possibly be used by anything but
'pagure02.fedoraproject.org' so it should not affect freeze on bastion.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need retrace03 on the vpn at least for now, or else 2fa won't work.
At some point when fasClient is gone we may be able to drop this
when we switch to sssd or something else.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>