The pagure user needs to be uid 1000 because suexec won't let users with
uid under that suexec. ;(
Also, filter pagure user out in sssd so we get the local user.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Setup osbuild so it only needs to exist on the specific builders in the
osbuild channel, not all builders.
Also, setup things so we can add a blocklist that will block external
subnets/ip's if we need to do so. Currently it should just be an empty
set, but we can implement it as needed/desired starting with the ips we
already were blocking on just some hosts.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This was done using yq (
https://mikefarah.gitbook.io/yq/operators/sort-keys )
Doing things this way makes it much easier to see if a variable is set
in a file or if two hosts differ in what variables they set. Hopefully
we can keep things sorted moving forward.
Basically this means just sort a-z anything you add to any host or group
vaiable and it will be in the right place.
Additionally, this enforces 'normal' intent rules for all the variable
files which we should also try and obey. 2 spaces for first level, 3 for
next, etc. When in doubt you can run yq on it.
This should cause NO actual vairable changes, it's all just readability
fixing for humans, ansible parses it exactly the same.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Almost global anyway, i.e. inside the VPN.
The ipa/client-based shell access and sudo rules are only effective for
staging right now, the respective playbook bits are masked out for prod.
- Assign Ansible host groups to IPA host groups, the latter don't care
about 'stg' in the name and use dashes rather than underscores.
- Distill shell access groups from fas_client_groups in group and host
vars.
- Let all `sysadmin-*` groups in the previous list run anything via sudo
in the host group (except bastion & batcave).
- Remove `fas_client_groups` from staging host and group vars.
- Remove sudoers from staging host and group vars if only `sysadmin-*`
groups have shell access.
- Set up `ipa_client_shell_groups` on bastion to be a super set of the
same on batcave.
Newly created IPA host groups:
- autosign
- badges
- basset
- bastion
- batcave
- blockerbugs
- bodhi
- bugzilla2fedmsg
- busgateway
- datagrepper
- dbserver
- dns
- fedimg
- github2fedmsg
- ipa
- kernel-qa
- kerneltest
- kojibuilder
- kojihub
- kojipkgs
- logging
- mailman
- memcached
- mirrormanager
- nagios
- notifs
- oci-registry
- odcs
- openqa
- openqa-workers
- osbs
- packages
- pdc-web
- pkgs
- proxies
- rabbitmq
- releng-compose
- resultsdb
- secondary
- sign-bridge
- sundries
- value
- wiki
Signed-off-by: Nils Philippsen <nils@redhat.com>
Adjust pkgs prod to...what it actually already is.
Adjust stg to match prod so we can sync all the content to it.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need to keep these variables defined as they are used in the .wsgi files
to set the number of procs and threads for apache.
This reverts commit 6e92ba25a7.
