Right now we are sending infra web requests (like for packages) to the
iad2 batcave01 via external. Let's allow this so we can install builders,
then change dns/drop it once we move.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Before, the custom rules were actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so it wasn't
really blocking anything.
This moves them to a block_rules applied before the ports are allowed.
Also move pagure's to that new rule list.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The messaging bridges openshift project and github2fedmsg VM were
already removed in staging. This is to clean the ansible playbooks.
I will create a separate one for production after this one is merged.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
migrated notes from infra/hosts
motd changes; excluding CSI infos
removed csi_* vars from group_vars; converted csi_purpose & csi_relationship into notes
fixed merge conflicts
minor changes; var
updating YAMLs & playbooks
updated YAMLs & playbooks again
updated correctly; buildhw.yml
fixing merge conflicts
dest added in motd.yml
We want to allow internal mx'es to send us email still.
We want to drop the global allow for port 25 now that we hopefully have
all the legit senders listed.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Setup things so we accept smtp connections from all the places we
currently do, but also from mimecast as incoming emails may come via
that. We don't want to globally allow everyone to inject emails here.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This `[0:]` syntax doesn't seem to be correct. iptables 1.8.10
errors out on encountering it, saying:
invalid policy counters for chain 'PREROUTING'
this seems to be because the check was tightened between 1.8.9
and 1.8.10 to apply even when iptables is not actively restoring
the counters:
https://git.netfilter.org/iptables/commit/?id=4a2b2008fdf4df980433f99a6d8f2003f2005296
I think these are all meant to be 0:0, so let's make them that
and stop iptables choking.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
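
A check for the malformed policy counters described in the commit message above, as an added example that is not part of the commit or the repository. The sample ruleset is constructed, the function names are hypothetical, and the check assumes a chain line with no counters field at all is acceptable.

```python
import re

# Chain declaration in iptables-save / iptables-restore format:
#   :CHAIN POLICY [packets:bytes]
CHAIN_RE = re.compile(r"^:(?P<chain>\S+)\s+(?P<policy>\S+)(?:\s+(?P<counters>\S.*))?$")
COUNTERS_RE = re.compile(r"^\[\d+:\d+\]$")

# Constructed sample ruleset, not taken from the repository.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def find_bad_policy_counters(text):
    """Return (line_no, chain, counters) for chain lines with malformed counters."""
    bad = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = CHAIN_RE.match(line.strip())
        if not m or m.group("counters") is None:
            continue  # not a chain line, or no counters field (assumed acceptable)
        counters = m.group("counters").strip()
        if not COUNTERS_RE.match(counters):
            bad.append((no, m.group("chain"), counters))
    return bad


def fix_policy_counters(text):
    """Rewrite malformed counters to [0:0]; every other line is kept as-is."""
    bad_lines = {no for no, _, _ in find_bad_policy_counters(text)}
    out = []
    for no, line in enumerate(text.splitlines(), start=1):
        if no in bad_lines:
            m = CHAIN_RE.match(line.strip())
            line = f":{m.group('chain')} {m.group('policy')} [0:0]"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, chain, counters in find_bad_policy_counters(SAMPLE):
        print(f"line {no}: chain {chain} has invalid policy counters {counters}")
```

Running a check like this over rule templates before deployment catches the problem without waiting for iptables to reject the file on a host.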
We want to move (well, really re-install) all these over on the new lpar
in rdu. This will have much higher stats and be in general faster by
both network and cpu. Hopefully all these will replace all the old
boston ones.
We may need to break these up some more into smaller vm's if the number
isn't able to keep up ok. We can adjust after things are all working.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Let's move this vm over to rdu, and set it up as a new varnish cache.
This way we can test 01 doing builds before moving others.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>