ansible/inventory/group_vars/all

---
#######
# BEGIN: Ansible roles_path variables
#
#   Background/reference about external repos pulled in:
#       https://pagure.io/fedora-infrastructure/issue/5476
#
# IPA settings
additional_host_keytabs: []
ansible_base: /srv/web/infra
# Default to managing the network, we want to not do this on select
# hosts (like cloud nodes)
# List of interfaces to explicitly disable
ansible_ifcfg_disabled: []
# on MOST infra systems, the interface connected to the infra network
# is eth0. but not on quite ALL systems. e.g. on s390 boxes it's enc900,
# on openqa-ppc64le-01.qa it's eth2 for some reason, and on qa01.qa and
# qa02.qa it's em3. currently this only affects whether GATEWAY, DOMAIN
# and DNS1/DNS2 lines are put into ifcfg-(device).
ansible_ifcfg_infra_net_devices: ['eth0', 'enc900']
#
# Autodetect python version
#
ansible_python_interpreter: auto
# Set variable if we want to use our global iptables defaults
# Some things need to set their own.
baseiptables: True
# by default set become to false here We can override it as needed.
# Note that if become is true, you need to unset requiretty for
# ssh controlpersist to work.
become: false
br0_nm: 255.255.255.0
br1_nm: 255.255.255.0
# assume collectd apache
collectd_apache: true
# communishift project resource overrides
communishift_projects:
  communishift-admins:
    do_not_delete: true                           # Marked do not delete 2024-11-25
  communishift-eventbot:
    name: communishift-eventbot
  communishift-fedora-review-service:
    name: communishift-fedora-review-service
    do_not_delete: true                           # Marked do not delete 2024-10-21
  communishift-lightspeed-build:
    name: communishift-lightspeed-build
  communishift-log-detective:
    name: communishift-log-detective
    do_not_delete: true                           # Marked do not delete 2024-10-21
    memory_requests: 4Gi
    memory_limits: 6Gi
    storage_requests: 10Gi
  communishift-mattdm:
    name: communishift-mattdm
  communishift-metrics:
    name: communishift-metrics
  communishift-openscanhub:
    name: communishift-openscanhub
    cpu_requests: 2
    memory_requests: 2Gi
    cpu_limits: 2
    memory_limits: 4Gi
    pods: 16
  communishift-planet:
    name: communishift-planet
  communishift-forgejo:
    name: communishift-forgejo
  communishift-gitlabce:
    name: communishift-gitlabce
  communishift-ocm:
    name: communishift-ocm
  communishift-weekly-bootc:
    name: communishift-weekly-bootc
    do_not_delete: true                           # Marked do not delete 2024-11-26. Needed until end of bootc initative.
  communishift-fossology:
    name: communishift-fossology
  communishift-commops-analytics:
    name: communishift-commops-analytics
  communishift-commops-datanom:
    name: communishift-commops-datanom
# true or false if we are or are not a copr build virthost.
# Default to false
copr_build_virthost: false
# assume createrepo is true and this builder has the koji nfs mount to do that
createrepo: True
# This vars get shoved into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
custom6_rules: []
custom_rules: []
# most of our systems are in IAD2
datacenter: iad2

# Datanommer
datanommer_db_hostname: db-datanommer02
# By default, nodes don't backup any dbs on them unless they declare it.
dbs_to_backup: []
# dnf-automatic-install.service mode default: security-only
dnf_automatic_type: security
dns: "10.3.163.33"
dns1: "10.3.163.33"
dns2: "10.3.163.34"
dns_search1: "iad2.fedoraproject.org"
dns_search2: "fedoraproject.org"
# env is staging or production, we default it to production here.
env: production
env_prefix: ""
env_short: prod
env_suffix: ""
# Default netmask. All of our iad2 nets are /24's. Almost all of our
# non-iad2 sites are less than a /24.
eth0_ipv4_nm: 24
eth1_ip: 10.0.0.10
eth1_nm: 255.255.255.0
# END: Ansible roles_path variables
#######
freezes: true
# defaults for hw installs
install_noc: none
ipa_admin_password: "{{ ipa_prod_admin_password }}"
ipa_realm: FEDORAPROJECT.ORG
ipa_server: ipa01.iad2.fedoraproject.org
ipa_server_nodes:
  - ipa01.iad2.fedoraproject.org
  - ipa02.iad2.fedoraproject.org
  - ipa03.iad2.fedoraproject.org
ks_repo: https://infrastructure.fedoraproject.org/repo/rhel/RHEL9-x86_64/
# defaults for virt installs
ks_url: https://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel
# most of our systems are 64bit.
# Used to install various nagios scripts and the like.
libdir: /usr/lib64
lvm_size: 20000
mac_address: RANDOM
mac_address1: RANDOM
main_bridge: br0
max_cpu: "{{ num_cpus * 5 }}"
max_mem_size: "{{ mem_size * 5 }}"
mem_size: 4096
nagios_Can_Connect: true
# Nagios global variables
nagios_Check_Services:
  dhcpd: false
  httpd: false
  mail: true
  named: false
  nrpe: true
  ping: true
  raid: false
  sshd: true
  swap: true
nat_rules: []
# Do we want to use nftables instead of iptables
nftables: True
# nftables variants of custom*_rules
nft_custom6_rules: []
nft_custom_rules: []
nft_nat_rules: []
# default network block device encryption settings for linux-system-roles/nbde_client
nbde: true
nbde_device: /dev/md2
nbde_client_bindings:
  - device: "{{ nbde_device }}"
    encryption_password: "{{ nbde_password }}"
    password_temporary: no
    threshold: 1
    servers:
      - http://tang01.iad2.fedoraproject.org
      - http://tang02.iad2.fedoraproject.org
# usually we do not want to enable nested virt, only on some virthosts
nested: false
network_allow_restart: yes
network_connections:
  - autoconnect: yes
    ip:
      address:
        - "{{ eth0_ipv4_ip }}/{{ eth0_ipv4_nm }}"
      dhcp4: no
      dns:
        - "{{ dns1 }}"
        - "{{ dns2 }}"
      dns_search:
        - "{{ dns_search1 }}"
        - "{{ dns_search2 }}"
      gateway4: "{{ eth0_ipv4_gw }}"
    mac: "{{ ansible_default_ipv4.macaddress }}"
    name: eth0
    type: ethernet
    state: up
nfs_bridge: br1
# nfs mount options, override at the group/host level
nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
nm: 255.255.255.0
# Most of our machines have manual resolv.conf files
# These settings are for machines where NM is supposed to control resolv.conf.
nrpe_check_postfix_queue_crit: 5
# by default, the number of emails in queue before we whine
nrpe_check_postfix_queue_warn: 2
nrpe_procs_crit: 300
# by default the number of procs we allow before we whine
nrpe_procs_warn: 250
num_cpus: 2
# ocp4 is default now in some proxy roles
ocp4: true
# All the ocp production workers.
# This is used by the openvpn openshift app to make sure there's a vpn pod on each node.
ocp_nodes:
  - worker01.ocp.iad2.fedoraproject.org
  - worker02.ocp.iad2.fedoraproject.org
  - worker03.ocp.iad2.fedoraproject.org
  - worker04.ocp.iad2.fedoraproject.org
  - worker05.ocp.iad2.fedoraproject.org
  - worker06.ocp.iad2.fedoraproject.org
ocp_wildcard_cert_file: wildcard-2024.apps.ocp.fedoraproject.org.cert
# This is the openshift wildcard cert for ocp
ocp_wildcard_cert_name: wildcard-2024.apps.ocp.fedoraproject.org
ocp_wildcard_int_file: wildcard-2024.apps.ocp.fedoraproject.org.intermediate.cert
ocp_wildcard_key_file: wildcard-2024.apps.ocp.fedoraproject.org.key
# Path to the openshift-ansible checkout as external git repo brought into
# Fedora Infra
openshift_ansible: /srv/web/infra/openshift-ansible/
postfix_group: "none"
# This is a list of services that need to wait for VPN to be up before getting started.
postvpnservices: []
preferred_dc: iad2
primary_auth_source: ipa
#
# Set a redirectmatch variable we can use to disable some redirectmatches
# like the prerelease to final ones.
#
redirectmatch_enabled: True
# default the root_auth_users to nothing.
# This should be set for cloud instances in their host or group vars.
root_auth_users: ''
# List of names under which the host is available
ssh_hostnames: []
# This enables/disables the SSH "keyhelper" used by Pagure for verifying users'
# SSH keys from the Pagure database
sshd_keyhelper: false
# Normal default sshd port is 22
sshd_port: 22
tcp_ports: []
# example of ports for default iptables
# tcp_ports: [ 22, 80, 443 ]
# udp_ports: [ 110, 1024, 2049 ]
# multiple lines can be handled as below
# custom_rules: [ '-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT',
#                  '-A INPUT -p tcp -m tcp --dport 8889 -j ACCEPT' ]
# We default these to empty
udp_ports: []
# Most EL systems need default EPEL repos.
# Some systems (notably fed-cloud*) need to get their own
# EPEL files because EPEL overrides packages in their core repos.
use_default_epel: true
#
# The default virt-install works for rhel9 or fedora with 1 nic
#
virt_install_command: "{{ virt_install_command_one_nic }}"
virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole
virt_install_command_aarch64_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole
virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --rng /dev/random
virt_install_command_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} nameserver=8.8.8.8 ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random --cpu host
virt_install_command_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns1 }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random --cpu host
virt_install_command_ppc64le_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random
virt_install_command_ppc64le_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random
virt_install_command_pxe_rhcos: virt-install -n {{ inventory_hostname }} --vcpus {{ num_cpus }},maxvcpus={{ num_cpus }} --cpu host --memory  {{ mem_size }} --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --nographics --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --hvm --accelerate --autostart --wait=-1 --extra-args "ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:ens2:none hostname={{ inventory_hostname }} nameserver={{ dns }} console=ttyS0 nomodeset rd.neednet=1 coreos.inst=yes coreos.inst.install_dev=vda coreos.live.rootfs_url={{ rhcos_install_rootfs_url }} coreos.inst.ignition_url={{ rhcos_ignition_file_url }}" --os-variant rhel9 --location  {{ rhcos_install_url }}
virt_install_command_s390x_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --rng /dev/random --cpu host
virt_install_command_s390x_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --rng /dev/random --cpu host
virt_install_command_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random
virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random
# assume vpn is false
vpn: False
# This is the wildcard certname for our proxies.  It has a different name for
# the staging group and is used in the proxies.yml playbook.
wildcard_cert_name: wildcard-2024.fedoraproject.org
wildcard_crt_file: wildcard-2024.fedoraproject.org.cert
wildcard_int_file: wildcard-2024.fedoraproject.org.intermediate.cert
wildcard_key_file: wildcard-2024.fedoraproject.org.key
#
# say if we want the apache role dependency for mod_wsgi or not
# In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
#
wsgi_wants_apache: true
# set no x-forward header by default
x_forward: false
#

# Template defaults are defined in the template macros. If we need a specific
# host to have different values for a macro, define it here. Use the macro name
# as it is in Zabbix so we can search for it easily. If you remove a key,
# Zabbix is *not* updated - set the value to "absent" instead.

# This is overriden at the host_var level, this is empty just so the var exists
zabbix_macros: {}

notes: |
  Unspecified.
    * What hosts/services does this rely on?
    * What hosts/services rely on this?