infrastructure/ansible
1
0
Fork 0
Code Pull requests 7 Activity Actions
ansible/inventory/group_vars/value
Nils Philippsen dbbf94a411 ipa/client: configure global shell access and sudo 
Almost global anyway, i.e. inside the VPN.

The ipa/client-based shell access and sudo rules are only effective for
staging right now, the respective playbook bits are masked out for prod.

- Assign Ansible host groups to IPA host groups, the latter don't care
  about 'stg' in the name and use dashes rather than underscores.
- Distill shell access groups from fas_client_groups in group and host
  vars.
- Let all `sysadmin-*` groups in the previous list run anything via sudo
  in the host group (except bastion & batcave).
- Remove `fas_client_groups` from staging host and group vars.
- Remove sudoers from staging host and group vars if only `sysadmin-*`
  groups have shell access.
- Set up `ipa_client_shell_groups` on bastion to be a super set of the
  same on batcave.

Newly created IPA host groups:
- autosign
- badges
- basset
- bastion
- batcave
- blockerbugs
- bodhi
- bugzilla2fedmsg
- busgateway
- datagrepper
- dbserver
- dns
- fedimg
- github2fedmsg
- ipa
- kernel-qa
- kerneltest
- kojibuilder
- kojihub
- kojipkgs
- logging
- mailman
- memcached
- mirrormanager
- nagios
- notifs
- oci-registry
- odcs
- openqa
- openqa-workers
- osbs
- packages
- pdc-web
- pkgs
- proxies
- rabbitmq
- releng-compose
- resultsdb
- secondary
- sign-bridge
- sundries
- value
- wiki

Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-02-01 22:23:41 +00:00

81 lines
2.5 KiB
Text
Raw Blame History

---
# Define resources for this group of hosts here.
lvm_size: 30000
mem_size: 6144
num_cpus: 2
deployment_type: prod
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [ 80, 443,
# These 16 ports are used by fedmsg. One for each wsgi thread.
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
custom_rules: [
# Needed for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
# Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here
'-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 10.3.166.10 --dport 5050 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5050 -j ACCEPT',
# batcave01 also needs access to announce commits.
'-A INPUT -p tcp -m tcp -s 192.168.1.41 --dport 5050 -j ACCEPT',
]
fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-mote,sysadmin-veteran
ipa_host_group: value
ipa_host_group_desc: "Value added: IRC bots, message logging, etc."
ipa_client_shell_groups:
- fi-apprentice
- sysadmin-mote
- sysadmin-noc
- sysadmin-veteran
- sysadmin-web
ipa_client_sudo_groups:
- sysadmin-mote
- sysadmin-noc
- sysadmin-veteran
- sysadmin-web
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell
owner: root
group: sysadmin
can_send:
- logger.log
- service: supybot
owner: root
group: daemon
can_send:
# cookies!
- irc.karma
# standard meetbot stuff
- meetbot.meeting.complete
- meetbot.meeting.start
- meetbot.meeting.topic.update
# meetbot line items
- meetbot.meeting.item.agreed
- meetbot.meeting.item.accepted
- meetbot.meeting.item.rejected
- meetbot.meeting.item.action
- meetbot.meeting.item.info
- meetbot.meeting.item.idea
- meetbot.meeting.item.help
- meetbot.meeting.item.link
# For the MOTD
csi_security_category: Moderate
csi_primary_contact: mote admins - sysadmin-mote-members@fedoraproject.org
csi_purpose: Hosts services which help facilitate communication over IRC and related mediums.
csi_relationship: |
There are a couple things running here.
* zodbot, a supybot instance. See the zodbot SOP for more info.
* fedmsg-irc, our fedmsg to IRC relay. 'journalctl -u fedmsg-irc'
* mote, a webapp running behind httpd that serves meetbot log files.
View git blame Copy permalink