[ansible] Switch to bundle-ca when unsorted
by Nicolas Chauvet
commit dfd67e32966874f9747c38660520604d53495ad1
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 14:13:57 2016 +0100
Switch to bundle-ca when unsorted
roles/koji_hub/tasks/main.yml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml
index 2544802..258da56 100644
--- a/roles/koji_hub/tasks/main.yml
+++ b/roles/koji_hub/tasks/main.yml
@@ -193,8 +193,8 @@
- koji_hub
when: env == 'staging'
-- name: instaall rpmfusion-ca.cert in various places
- copy: src={{ private }}/files/rpmfusion-ca.cert dest={{ item }} owner=apache
+- name: install rpmfusion-bundle-ca.cert in various places
+ copy: src={{ private }}/files/rpmfusion-bundle-ca.cert dest={{ item }} owner=apache
with_items:
- /etc/kojira/extras_cacert.pem
- /etc/pki/tls/certs/extras_cacert.pem
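Review bot: Neither copy task changed by this commit sets a file mode, so newly created CA files get whatever the umask gives and existing ones keep their current mode. For trust anchors that services verify against, pin it explicitly, e.g. `copy: src={{ private }}/files/rpmfusion-bundle-ca.cert dest={{ item }} owner=apache mode=0644`, and add `mode=0644` to the `/etc/koji-gc/serverca.crt` copy in the second hunk as well. Replacing a single CA with a bundle at the `extras_cacert.pem` paths presumably widens the set of issuers accepted by whatever reads those files, so a one-line comment above the task naming the CAs the bundle should contain would help the next reviewer. The task continues past the end of this hunk, so its tags and any handlers are not visible here.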
@@ -351,7 +351,7 @@
when: env != 'staging' and ansible_hostname.startswith('koji')
- name: install serverca cert for oscar (garbage collector) user
- copy: src={{ private }}/files/rpmfusion-ca.cert dest=/etc/koji-gc/serverca.crt
+ copy: src={{ private }}/files/rpmfusion-server-ca.cert dest=/etc/koji-gc/serverca.crt
tags:
- koji_hub
when: env != 'staging' and ansible_hostname.startswith('koji')
[ansible] Update iptables for koji
by Nicolas Chauvet
commit 92a069409eb7ecc3bcf866ee78abe48efe0a65f5
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 12:55:07 2016 +0100
Update iptables for koji
group_vars/koji | 10 ++--------
1 files changed, 2 insertions(+), 8 deletions(-)
---
diff --git a/group_vars/koji b/group_vars/koji
index ec7b45f..8c15770 100644
--- a/group_vars/koji
+++ b/group_vars/koji
@@ -6,17 +6,11 @@ num_cpus: 16
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
-tcp_ports: [ 80, 443, 111, 2049,
+tcp_ports: [ 80, 443,
# These 8 ports are used by fedmsg. One for each wsgi thread.
3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007]
-udp_ports: [ 111, 2049 ]
-
-custom_rules: [
- # Needed for keepalived
- '-A INPUT -d 224.0.0.0/8 -j ACCEPT',
- '-A INPUT -p vrrp -j ACCEPT',
-]
+udp_ports: []
fas_client_groups: sysadmin-build
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
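Review bot: `udp_ports` is emptied explicitly but `custom_rules` is deleted outright, so koji hosts now take whatever `custom_rules` value is defined elsewhere in the inventory (if any) rather than a known-empty list. If the intent is that these hosts carry no extra iptables rules, state it in the file with `custom_rules: []`, matching the `udp_ports: []` line. A short comment recording that the 111/2049 (rpcbind/NFS) openings and the keepalived rules were dropped on purpose would also keep them from being restored from an older copy.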
[ansible] Fixup proxies
by Nicolas Chauvet
commit 5259f279642462ec834c4e22cbe45aaa0cf9ee34
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 12:43:40 2016 +0100
Fixup proxies
playbooks/include/proxies-websites.yml | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
---
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index b6a4638..f2d53af 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -74,14 +74,15 @@
- role: httpd/website
name: id.rpmfusion.org
- server_aliases:
- - "*.id.rpmfusion.org"
+ #server_aliases:
+ #- "*.id.rpmfusion.org"
# Must not be sslonly, because example.id.fedoraproject.org must be reachable
# via plain http for openid identity support
sslonly: false
cert_name: id.rpmfusion.org
SSLCertificateChainFile : id.rpmfusion.org-intermediate.cert
+ - role: httpd/website
name: lists.rpmfusion.org
sslonly: true
#cert_name: lists.rpmfusion.org
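Review bot: The `server_aliases` wildcard is left behind as commented-out YAML with no reason given, while the comment directly below still says the `example.id.…` hostnames must be reachable over plain http. If the alias was disabled because the `id.rpmfusion.org` certificate does not cover `*.id.rpmfusion.org`, say so in place of the dead lines, e.g. `# server_aliases disabled: cert_name id.rpmfusion.org does not cover *.id.rpmfusion.org`. Otherwise the per-user hostnames that comment describes presumably no longer match this vhost. The `fedoraproject.org` name in that comment looks inherited and could be corrected at the same time.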
[ansible] Update proxy certs
by Nicolas Chauvet
commit 44704b26740d5a0b02090eb0690d762fc3d1d69f
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 12:36:28 2016 +0100
Update proxy certs
playbooks/include/proxies-websites.yml | 10 ++++------
1 files changed, 4 insertions(+), 6 deletions(-)
---
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index a39b3bd..b6a4638 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -61,8 +61,8 @@
- role: httpd/website
name: bugzilla.rpmfusion.org
sslonly: true
- #cert_name: bugzilla.rpmfusion.org
- cert_name: "{{wildcard_cert_name}}"
+ cert_name: bugzilla.rpmfusion.org
+ SSLCertificateChainFile : bugzilla.rpmfusion.org-intermediate.cert
- role: httpd/website
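Review bot: The new key is written `SSLCertificateChainFile :` with a space before the colon, here and again in the `id.rpmfusion.org` entry in the second hunk, while every other key in these role entries is written `key: value`. It parses, but yamllint's `colons` rule flags it and it is easy to miss when searching for the key; write `SSLCertificateChainFile: bugzilla.rpmfusion.org-intermediate.cert`. A brief comment noting that this vhost moved from `{{wildcard_cert_name}}` to a per-host certificate with its own intermediate would replace the information lost with the removed `#cert_name` line.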
@@ -79,11 +79,9 @@
# Must not be sslonly, because example.id.fedoraproject.org must be reachable
# via plain http for openid identity support
sslonly: false
- #cert_name: id.rpmfusion.org
- cert_name: "{{wildcard_cert_name}}"
+ cert_name: id.rpmfusion.org
+ SSLCertificateChainFile : id.rpmfusion.org-intermediate.cert
-
- - role: httpd/website
name: lists.rpmfusion.org
sslonly: true
#cert_name: lists.rpmfusion.org
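Review bot: Deleting the `- role: httpd/website` line ahead of `name: lists.rpmfusion.org` appears to fold the lists entry into the `id.rpmfusion.org` mapping, which then carries `name` and `sslonly` twice. Most YAML loaders silently keep the last value for a duplicated key, so the id entry would be rendered as `lists.rpmfusion.org` with `sslonly: true` and the id site would drop out of the proxy configuration. Keep the list item marker `- role: httpd/website` and remove only the blank line if tidying was the intent. Indentation is not recoverable from this view, so confirm against the file.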
[ansible] Add missing ipsilon and fas2 in db02
by Nicolas Chauvet
commit e70c65345ec021255a0ab2d0a6ec90c80392caf9
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 12:12:14 2016 +0100
Add missing ipsilon and fas2 in db02
roles/postgresql_server/files/pg_hba.conf | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
---
diff --git a/roles/postgresql_server/files/pg_hba.conf b/roles/postgresql_server/files/pg_hba.conf
index 07e1b6e..34bfab4 100644
--- a/roles/postgresql_server/files/pg_hba.conf
+++ b/roles/postgresql_server/files/pg_hba.conf
@@ -74,8 +74,10 @@ local all all ident
host bugs bugs 192.168.181.157 255.255.255.255 md5
host koji koji 192.168.181.135 255.255.255.255 md5
host bodhi2 bodhi2 192.168.181.141 255.255.255.255 md5
+host fas2 fas 192.168.181.172 255.255.255.255 md5
host pkgdb2 pkgdb2 192.168.181.138 255.255.255.255 md5
host pkgdb2 pkgdb2_user 192.168.181.138 255.255.255.255 md5
+host all ipsilon 192.168.181.160 255.255.255.0 md5
# Note, I can't think of a reason to make this more restrictive than ipv4 but
# only fakefas needs it so far
host all all ::1/128 md5
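Review bot: The `ipsilon` line uses netmask `255.255.255.0`, unlike every other host line in this hunk, so it matches any client in 192.168.181.0/24 rather than the single address 192.168.181.160, and it does so for `all` databases. If only that one host needs access, use the host mask as the neighbouring lines do: `host all ipsilon 192.168.181.160 255.255.255.255 md5`, and narrow `all` to the database(s) ipsilon uses if that is known. pg_hba.conf is evaluated top-down with the first match winning, so a wide entry like this also takes precedence over any stricter `ipsilon` rule placed below it.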
[ansible] Switch to working bz account
by Nicolas Chauvet
commit 4e68230cef2ab7cdcad350577581971a66adf114
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 11:37:34 2016 +0100
Switch to working bz account
roles/bodhi2/base/templates/production.ini.j2 | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/roles/bodhi2/base/templates/production.ini.j2 b/roles/bodhi2/base/templates/production.ini.j2
index 7e6a394..5679b92 100644
--- a/roles/bodhi2/base/templates/production.ini.j2
+++ b/roles/bodhi2/base/templates/production.ini.j2
@@ -165,7 +165,7 @@ smtp_server = 192.168.181.254
# The updates system itself. This email address is used in fetching Bugzilla
# information, as well as email notifications
-bodhi_email = updates(a)rpmfusion.org
+bodhi_email = noreply(a)rpmfusion.org
bodhi_password = {{ bodhiBugzillaPassword }}
# The address that gets the requests
[ansible] Avoid openvpn/client for bodhi
by Nicolas Chauvet
commit 70ac4506254638b5bcd7873e1d66f8ff0f5bf06a
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 10:51:45 2016 +0100
Avoid openvpn/client for bodhi
playbooks/groups/bodhi2.yml | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
---
diff --git a/playbooks/groups/bodhi2.yml b/playbooks/groups/bodhi2.yml
index 0a12c32..b9af783 100644
--- a/playbooks/groups/bodhi2.yml
+++ b/playbooks/groups/bodhi2.yml
@@ -19,8 +19,6 @@
- sudo
- collectd/base
- rsyncd
- - { role: openvpn/client,
- when: env != "staging" }
- apache
- { role: bodhi2/base, when: "inventory_hostname.startswith('bodhi0')" }
- { role: fedmsg/base, when: "inventory_hostname.startswith('bodhi0')" }
[ansible] Fix unhashable type
by Nicolas Chauvet
commit d2f9482527521533776f285b83ad7198f75d620a
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 10:10:57 2016 +0100
Fix unhashable type
roles/bugzilla/meta/main.yml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/roles/bugzilla/meta/main.yml b/roles/bugzilla/meta/main.yml
index 52d8846..dbc49c7 100644
--- a/roles/bugzilla/meta/main.yml
+++ b/roles/bugzilla/meta/main.yml
@@ -27,6 +27,6 @@ dependencies:
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
- - { role: mariadb_server, tags: ['mariadb'], when: { bugzilla_db_driver == 'MySQL' and bugzilla_db_host == 'localhost' }}
- - { role: postgresql_server, tags: ['postgresql'], when: { bugzilla_db_driver == 'Pg' and bugzilla_db_host == 'localhost' }}
+ - { role: mariadb_server, tags: ['mariadb'], when: bugzilla_db_driver == 'MySQL' and bugzilla_db_host == 'localhost' }
+ - { role: postgresql_server, tags: ['postgresql'], when: bugzilla_db_driver == 'Pg' and bugzilla_db_host == 'localhost' }
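Review bot: The `when:` expressions are now plain scalars inside a flow mapping, where a later edit that adds a `,`, `{`, `[` or `: ` to the condition would change how the line parses. Quote them, as is usual for conditions in `{ role: … }` entries: `when: "bugzilla_db_driver == 'MySQL' and bugzilla_db_host == 'localhost'"`, and the same for the `Pg` line. The context comment says to remove the `'[]'` after `dependencies:` once entries are listed; that line is outside the hunk, so confirm it was done.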