[ansible] Enable bind recursion on internal view
by Nicolas Chauvet
commit f1131181e26fe6cc0c998432c62d5cf774f8ee3a
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Jan 4 23:01:49 2018 +0100
Enable bind recursion on internal view
roles/dns/files/named.conf | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)
---
diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf
index 5f8462e..e0c587c 100644
--- a/roles/dns/files/named.conf
+++ b/roles/dns/files/named.conf
@@ -22,12 +22,19 @@ acl "everyone" { 0.0.0.0/0; ::0/0; };
//
acl "ns_kimsufi" { 213.186.33.199; 2001:41d0:8:2b87::/128; };
acl "ns_online" { 62.210.16.8; };
+
+acl "local" {
+ localhost;
+ localnets;
+};
+
//
options {
directory "/";
auth-nxdomain yes;
allow-query { everyone; };
dnssec-enable yes;
+ dnssec-validation yes;
query-source address * port *;
query-source-v6 address * port *;
allow-transfer { localhost; slaves; ns_kimsufi; ns_online;};
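Review bot: The new `acl "local"` relies on `localnets`, which BIND expands to every prefix the server has an interface in, so on a host with a public address it also matches the provider's neighbouring machines on that subnet; if only this box and the internal networks are meant, list them explicitly, e.g. `acl "local" { localhost; <placeholder: internal prefixes>; };`. The added `dnssec-validation yes;` enables validation only when a trust anchor is configured by hand (trusted-keys/managed-keys); none is visible in this hunk, so unless one exists elsewhere in the file, `dnssec-validation auto;` (built-in root key) is what actually turns validation on. The options block continues outside the hunk.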
@@ -84,6 +91,16 @@ controls {
inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
};
+view "INTERNAL" {
+ match-clients { local; };
+ recursion yes;
+ include "/etc/named/zones.conf";
+ forwarders {
+ 62.210.16.6;
+ 62.210.16.7;
+ };
+ forward only;
+};
view "DEFAULT" {
match-clients { any; };
[ansible] Add opendkim files
by Nicolas Chauvet
commit bf94217076257aebe45f3188adce2af42ee90ff0
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Jan 4 20:33:30 2018 +0100
Add opendkim files
files/opendkim.conf | 133 ++++++++++++++++++++
files/opendkim/KeyTable | 7 +
files/opendkim/SigningTable | 26 ++++
files/opendkim/TrustedHosts | 12 ++
files/opendkim/keys/default.txt | 2 +
.../opendkim/keys/lists.rpmfusion.org/default.txt | 2 +
6 files changed, 182 insertions(+), 0 deletions(-)
---
diff --git a/files/opendkim.conf b/files/opendkim.conf
new file mode 100644
index 0000000..777334e
--- /dev/null
+++ b/files/opendkim.conf
@@ -0,0 +1,133 @@
+## BASIC OPENDKIM CONFIGURATION FILE
+## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+
+## BEFORE running OpenDKIM you must:
+
+## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
+## - generate keys for your domain (if signing)
+## - edit your DNS records to publish your public keys (if signing)
+
+## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+##
+## Removed in 2.10.0:
+## AddAllSignatureResults
+## ADSPAction
+## ADSPNoSuchDomain
+## BogusPolicy
+## DisableADSP
+## LDAPSoftStart
+## LocalADSP
+## NoDiscardableMailTo
+## On-PolicyError
+## SendADSPReports
+## UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+## Specifies the path to the process ID file.
+PidFile /var/run/opendkim/opendkim.pid
+
+## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
+## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
+## messages.
+Mode sv
+
+## Log activity to the system log.
+Syslog yes
+
+## Log additional entries indicating successful signing or verification of messages.
+SyslogSuccess yes
+
+## If logging is enabled, include detailed logging about why or why not a message was
+## signed or verified. This causes an increase in the amount of log data generated
+## for each message, so set this to No (or comment it out) if it gets too noisy.
+LogWhy yes
+
+## Attempt to become the specified user before starting operations.
+UserID opendkim:opendkim
+
+## Create a socket through which your MTA can communicate.
+Socket inet:8891@localhost
+
+## Required to use local socket with MTAs that access the socket as a non-
+## privileged user (e.g. Postfix)
+Umask 002
+
+## This specifies a text file in which to store DKIM transaction statistics.
+## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
+# Statistics /var/spool/opendkim/stats.dat
+
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See opendkim.conf(5) for details.
+SendReports yes
+
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used (executing_user@hostname).
+# ReportAddress "Example.com Postmaster" <postmaster(a)example.com>
+
+## Add a DKIM-Filter header field to messages passing through this filter
+## to identify messages it has processed.
+SoftwareHeader yes
+
+## SIGNING OPTIONS
+
+## Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization relaxed/relaxed
+
+## Domain(s) whose mail should be signed by this filter. Mail from other domains will
+## be verified rather than being signed. Uncomment and use your domain name.
+## This parameter is not required if a SigningTable is in use.
+#Domain rpmfusion.org
+
+## Defines the name of the selector to be used when signing messages.
+Selector default
+
+## Specifies the minimum number of key bits for acceptable keys and signatures.
+MinimumKeyBits 1024
+
+## Gives the location of a private key to be used for signing ALL messages. This
+## directive is ignored if KeyTable is enabled.
+#KeyFile /etc/opendkim/keys/default.private
+
+## Gives the location of a file mapping key names to signing keys. In simple terms,
+## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
+## directive in the configuration file. Requires SigningTable be enabled.
+KeyTable /etc/opendkim/KeyTable
+
+## Defines a table used to select one or more signatures to apply to a message based
+## on the address found in the From: header field. In simple terms, this tells
+## OpenDKIM how to use your keys. Requires KeyTable be enabled.
+SigningTable refile:/etc/opendkim/SigningTable
+
+## Identifies a set of "external" hosts that may send mail through the server as one
+## of the signing domains without credentials as such.
+# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+
+## Identifies a set "internal" hosts whose mail should be signed rather than verified.
+InternalHosts refile:/etc/opendkim/TrustedHosts
+
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+# PeerList X.X.X.X
+
+## Always oversign From (sign using actual From and a null From to prevent
+## malicious signatures header fields (From and/or others) between the signer
+## and the verifier. From is oversigned by default in the Fedora package
+## because it is often the identity key used by reputation systems and thus
+## somewhat security sensitive.
+OversignHeaders From
+
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local.
+QueryCache yes
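Review bot: `MinimumKeyBits 1024` is the floor for keys this filter accepts, and the two public keys added in `files/opendkim/keys/default.txt` and `files/opendkim/keys/lists.rpmfusion.org/default.txt` carry the `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` prefix, which is the SubjectPublicKeyInfo encoding of a 1024-bit RSA key. RFC 8301 says signers SHOULD use at least 2048-bit RSA keys, so consider regenerating the signing keys at 2048 bits under a new selector, while leaving `MinimumKeyBits` at 1024 so that other domains' still-valid 1024-bit signatures keep verifying. The comment above `Umask 002` talks about a local socket, but `Socket inet:8891@localhost` is a TCP socket, so that comment is stale; `## Umask only matters if Socket is switched to a local (unix) socket` would avoid confusion.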
diff --git a/files/opendkim/KeyTable b/files/opendkim/KeyTable
new file mode 100644
index 0000000..89fd30f
--- /dev/null
+++ b/files/opendkim/KeyTable
@@ -0,0 +1,7 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+default._domainkey.rpmfusion.org rpmfusion.org:default:/etc/opendkim/keys/default.private
+default._domainkey.lists.rpmfusion.org lists.rpmfusion.org:default:/etc/opendkim/keys/lists.rpmfusion.org/defaul...
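Review bot: The header comment still reads as the package sample ("uncomment the #KeyTable option … replace example.com"), but the file already carries live entries and the new opendkim.conf enables both `KeyTable` and `SigningTable`; the same sample text is left in `files/opendkim/SigningTable`, including the commented-out `*@example.com` example. Replace it with a comment stating what the columns mean, e.g. `# <selector>._domainkey.<domain>  <domain>:<selector>:<path to private key>`. The second entry's key path is cut off in this rendering (`defaul...`); confirm it ends in `default.private`, and note that the private halves are not part of this commit, so their deployment and permissions (readable only by the opendkim user) are decided elsewhere.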
diff --git a/files/opendkim/SigningTable b/files/opendkim/SigningTable
new file mode 100644
index 0000000..5e5803d
--- /dev/null
+++ b/files/opendkim/SigningTable
@@ -0,0 +1,26 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+#*(a)example.com default._domainkey.example.com
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "user(a)foo.example.com", then "user@.example.com", then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+*(a)rpmfusion.org default._domainkey.rpmfusion.org
+*(a)lists.rpmfusion.org default._domainkey.lists.rpmfusion.org
diff --git a/files/opendkim/TrustedHosts b/files/opendkim/TrustedHosts
new file mode 100644
index 0000000..ff5ac00
--- /dev/null
+++ b/files/opendkim/TrustedHosts
@@ -0,0 +1,12 @@
+# OPENDKIM TRUSTED HOSTS
+# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
+# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
+# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
+# The localhost IP (127.0.0.1) should always be the first entry in this file.
+127.0.0.1
+::1
+#host.example.com
+#192.168.1.0/24
+192.168.181.0/24
+192.168.182.0/24
+212.129.31.200/32
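Review bot: Every address in `192.168.181.0/24`, `192.168.182.0/24` and `212.129.31.200/32` is treated as internal through `InternalHosts`, so mail from those sources is signed for whatever From: domain the SigningTable wildcards match rather than verified, which means any host in those two /24s can emit DKIM-signed rpmfusion.org mail. That is fine if the ranges are entirely under the project's control, but the file does not say what they are; a comment per range, e.g. `# 192.168.181.0/24 — <placeholder: which network>`, would let a later reviewer tell an intended entry from a leftover. The first four comment lines are still the package sample text ("uncomment the #ExternalIgnoreList …") and no longer describe this deployment.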
diff --git a/files/opendkim/keys/default.txt b/files/opendkim/keys/default.txt
new file mode 100644
index 0000000..a68da4b
--- /dev/null
+++ b/files/opendkim/keys/default.txt
@@ -0,0 +1,2 @@
+default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
+ "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8wVULGQX5DGJ5Wm1za1AzYl5zg7iaywao+5TL9caGh060L8HTvn7wNZ91D5ZWXqY4XRdOuJKggzVdKO5+7pSG/aBwO8/mSezn1tioNwxnRTiO25SdEtLqq1mG2ZMASehKcGMH7w4RITqAA3rPzeB/WKTKiSV1eW/Y2OKLOOjRmwIDAQAB" ) ; ----- DKIM key default for rpmfusion.org
diff --git a/files/opendkim/keys/lists.rpmfusion.org/default.txt b/files/opendkim/keys/lists.rpmfusion.org/default.txt
new file mode 100644
index 0000000..18a8551
--- /dev/null
+++ b/files/opendkim/keys/lists.rpmfusion.org/default.txt
@@ -0,0 +1,2 @@
+default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
+ "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDROK1sJQe852unJ8SkU/t2HyetU1UU1pG4kBfghdC/Owdu75eGMeBmbfiAcVhtYuvfCMXHHb4J8CwfjhkAYJLFBtuaOVeH5vzcT3eA5hk4c+1kbvcq7lJ82RE4VZek3AUYQF3+vZX/TVeYstT6YpNUZmzQhNHCSwp7Tjr3+ucDewIDAQAB" ) ; ----- DKIM key default for lists.rpmfusion.org
[ansible] Add proxy iptable access
by Nicolas Chauvet
commit 4d1e783e2e66f11fbf335797af1e1c10d97cf659
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jan 3 22:28:43 2018 +0100
Add proxy iptable access
inventory/host_vars/proxy01.scaleway.rpmfusion.net | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/inventory/host_vars/proxy01.scaleway.rpmfusion.net b/inventory/host_vars/proxy01.scaleway.rpmfusion.net
index 8c9b244..53b4691 100644
--- a/inventory/host_vars/proxy01.scaleway.rpmfusion.net
+++ b/inventory/host_vars/proxy01.scaleway.rpmfusion.net
@@ -1,4 +1,4 @@
datacenter: scaleway
# Neeed for builders to access proxy
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.1.0.228 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.32.225 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.0.204 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.48.151 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.41.76 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.34.85 --dport 3128 -j ACCEPT' ]
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.1.17.90 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.17.88 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.32.118 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.48.151 --dport 3128 -j ACCEPT']
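Review bot: The whole rule list sits on one line, so each builder address rotation (this commit and the earlier one at the bottom of this page touching the same file) replaces the entire line and the diff cannot show which builder came or went. A block list with one rule per entry and a comment naming the builder behind each address keeps the next change to a single line and makes stale entries obvious. The comment above it also misspells `Needed`.
```yaml
# Needed for builders to access proxy
custom_rules:
  - '-A INPUT -p tcp -m tcp -s 10.1.17.90 --dport 3128 -j ACCEPT'    # <placeholder: builder host>
  - '-A INPUT -p tcp -m tcp -s 10.1.17.88 --dport 3128 -j ACCEPT'    # <placeholder: builder host>
  - '-A INPUT -p tcp -m tcp -s 10.1.32.118 --dport 3128 -j ACCEPT'   # <placeholder: builder host>
  - '-A INPUT -p tcp -m tcp -s 10.1.48.151 --dport 3128 -j ACCEPT'   # <placeholder: builder host>
```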
[ansible] fixup koji_builder
by Nicolas Chauvet
commit e6470d29cc4836f555bd557f022297431f9327f4
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jan 3 20:34:21 2018 +0100
fixup koji_builder
roles/koji_builder/tasks/main.yml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml
index 1e462b7..204e489 100644
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@@ -170,7 +170,7 @@
copy: src={{ private }}/files/koji/config.yaml dest=/root/.psphere/config.yaml
tags:
- koji_builder
- when: ansible_architecture != 's390x'
+ when: ansible_architecture != 'armv7l'
# done oz/imagefactory
- name: copy over koji ca cert
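Review bot: The `copy:` task at the top of the hunk ships `{{ private }}/files/koji/config.yaml` to `/root/.psphere/config.yaml` without `mode=` or `owner=`, so the file lands with the module's default permissions; coming from the `private` tree it is likely to hold credentials, and an explicit `mode=0600 owner=root group=root` on that line would keep it readable only by root. The task definition starts before the hunk, so check whether a mode is already given on a preceding line. The only change here is the architecture guard, which matches the other `armv7l` conditions in this role.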
@@ -214,7 +214,7 @@
- koji_builder
- name: mock site-defaults.cfg
- template: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
+ file: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock
when: not inventory_hostname.startswith('bkernel')
tags:
- koji_builder
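Review bot: `file:` with `src=` and `dest=` does not copy content — in the file module `src` is only honoured for `state=link`/`state=hard`, and the default `state=file` ignores it (or fails, depending on the Ansible version), so after this change `/etc/mock/site-defaults.cfg` is no longer deployed on the non-bkernel builders. If the file under `builders/` is plain (no Jinja expressions) the line should be `copy: src=builders/site-defaults.cfg dest=/etc/mock/site-defaults.cfg mode=0644 owner=root group=mock`; if it still contains template expressions, keep `template:`.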
[ansible] Drop kernel on armv7hl
by Nicolas Chauvet
commit db94efb3368be1b45fe5c2f5dd92a2e0be0ccc33
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jan 3 20:26:54 2018 +0100
Drop kernel on armv7hl
As scaleway-c1 doesn't use a packaged kernel
roles/koji_builder/tasks/main.yml | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
---
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml
index 193d3ac..1e462b7 100644
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@@ -96,9 +96,9 @@
- pykickstart
tags:
- koji_builder
- when: ansible_architecture != 's390x'
+ when: ansible_architecture != 'armv7l'
-- name: add pkgs (s390x)
+- name: add pkgs (armv7l)
dnf: state=present pkg={{ item }}
with_items:
- yum-utils
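Review bot: Both architecture guards of this task pair — `!= 's390x'` → `!= 'armv7l'` here and `== 's390x'` → `== 'armv7l'` in the hunk at old line 117 — are rewritten, so no task is left that handles s390x; if any s390x builder remains in the inventory it will now get the other package list, which the commit message does not mention. If the s390x builders are gone, a comment on the task such as `# armv7l builders (scaleway-c1) run the vendor kernel, so no kernel packages here` would record why this list differs. The `with_items` list continues past the hunk.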
@@ -107,7 +107,6 @@
- koji-containerbuild-builder
- strace
- mock
- - kernel-firmware
- ntp
- ntpdate
- rsyslog
@@ -117,7 +116,7 @@
- pykickstart
tags:
- koji_builder
- when: ansible_architecture == 's390x'
+ when: ansible_architecture == 'armv7l'
- name: enable virtlogd service
service: name=virtlogd state=started enabled=yes
[ansible] Drop the kojid.service override
by Nicolas Chauvet
commit c86a7ee3a669576db4ba508491fae15db4018402
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jan 3 19:17:10 2018 +0100
Drop the kojid.service override
roles/koji_builder/tasks/main.yml | 8 --------
1 files changed, 0 insertions(+), 8 deletions(-)
---
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml
index e53affb..193d3ac 100644
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@@ -156,14 +156,6 @@
tags:
- koji_builder
-- name: override kojid.service file to set TasksMax to unlimited
- copy: src=kojid.service dest=/etc/systemd/system/kojid.service
- notify:
- - reload systemd
- - restart kojid
- tags:
- - koji_builder
-
# setup for oz/imagefactory
- name: make .psphere dir
file: state=directory path=/root/.psphere mode=775 owner=root group=root
[ansible] Bump rpmbuild_timeout to 72 hours for arm
by Nicolas Chauvet
commit 77061bca455073aebb45b4be97683be85554d3c4
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jan 3 12:39:28 2018 +0100
Bump rpmbuild_timeout to 72 hours for arm
roles/koji_builder/templates/kojid.conf | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf
index 07c694b..9180b43 100644
--- a/roles/koji_builder/templates/kojid.conf
+++ b/roles/koji_builder/templates/kojid.conf
@@ -14,7 +14,11 @@ maxjobs=25
; Disable keepalive for now since it's not working in f23.
keepalive=False
+{% if inventory_hostname.startswith('arm') %}
+rpmbuild_timeout=259200
+{% else %}
rpmbuild_timeout=172800
+{% endif %}
use_createrepo_c=True
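Review bot: The branch keys on `inventory_hostname.startswith('arm')`, a hostname prefix, while the koji_builder tasks changed in the neighbouring commits on this page select ARM hosts by `ansible_architecture == 'armv7l'`; an ARM builder whose name does not start with `arm` silently keeps the 48-hour timeout. Using the same fact keeps the two in step: `{% if ansible_architecture == 'armv7l' %}`. The values themselves match the message (259200 s is 72 h, 172800 s is 48 h).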
[ansible] Update arm-builder04 local ip
by Nicolas Chauvet
commit 5ff47f3b77e34afaa8d52f1a22e3f4fe78f4e12b
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jan 3 12:34:16 2018 +0100
Update arm-builder04 local ip
inventory/host_vars/proxy01.scaleway.rpmfusion.net | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/inventory/host_vars/proxy01.scaleway.rpmfusion.net b/inventory/host_vars/proxy01.scaleway.rpmfusion.net
index b13dda0..8c9b244 100644
--- a/inventory/host_vars/proxy01.scaleway.rpmfusion.net
+++ b/inventory/host_vars/proxy01.scaleway.rpmfusion.net
@@ -1,4 +1,4 @@
datacenter: scaleway
# Neeed for builders to access proxy
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.1.0.228 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.32.225 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.0.204 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.48.151 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.41.76 --dport 3128 -j ACCEPT' ]
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.1.0.228 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.32.225 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.0.204 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.48.151 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.41.76 --dport 3128 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.1.34.85 --dport 3128 -j ACCEPT' ]