Commit Graph

997 Commits

Author SHA1 Message Date
Kevin Fenzi
2a2f75daf1 base / iptables: don't remove iptables for now
This was a good change in theory, but in practice it's not.
The 'iptables-legacy' package provides 'iptables' so it gets removed,
but there are some things we still install that depend on it, so it just
gets pulled in later as a dependency.

Examples:

build* machines install oz and ImageFactory that need it
(but we can possibly drop those now)

virthosts have some libvirt subpackages that require it.

I'm not sure we can re-add this in a targeted way or should just drop it
for now entirely.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-08-09 09:17:18 -07:00
Kevin Fenzi
edd8677758 base / iptables: don't try and disable ip6tables on rhel8 with nftables
rhel8 instances using nftables don't have iptables-services installed,
because we remove 'iptables'. On rhel9 and fedora iptables-services only
needs iptables-libs installed, so it's there and works to disable.

Once the last things (rhel8 copr hypervisors) are moved to nftables, we
can drop all this.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-23 13:10:55 -07:00
Michal Konecny
dcdc636596 [base] Install missing iptables package on ppc64le
Fedora 42 on ppc64le needs the iptables-legacy package as well.
2025-07-22 11:24:11 +02:00
Michal Konecny
0e8dd65fc5 [base] Remove tasks to disable iptables/nftables
It doesn't make sense to disable something that isn't installed. Let's
instead make sure that the package is not installed.
2025-07-17 18:29:28 +02:00
Nils Philippsen
6c85fda0c9 Mass remove/replace iad2 -> rdu3, 10.3. -> 10.16.
Signed-off-by: Nils Philippsen <nils@redhat.com>
2025-07-03 20:05:02 +02:00
Kevin Fenzi
1df69acbfd kojibuilder: nftables: drop a rdu3 restriction, we need this for s390x as well
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 14:15:46 -07:00
Kevin Fenzi
07b5336e55 nftables: rework for s390x builders, rip out iad2
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 12:40:06 -07:00
Kevin Fenzi
846638ba2c postfix: fix some relayhosts that were still trying to use iad2 in rdu3
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 10:04:54 -07:00
James Antill
99d4f5215b rsyslog: Copy over log01.iad2 rsyslog.conf to log01.rdu3
Signed-off-by: James Antill <james@and.org>
2025-06-30 16:19:32 -04:00
Kevin Fenzi
1b027f42dd releng-compose: nftables, allow rdu3 noc
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-27 20:43:59 -07:00
Kevin Fenzi
56c028d684 bastion: nftables, allow rdu3 noc
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-27 20:40:54 -07:00
Francois Andrieu
3fea252fd8 use rsyslogd v8 conf as the default
2025-06-28 01:41:02 +00:00
Francois Andrieu
a19fa50f32 add rsyslogd/rhel9 conf
2025-06-26 17:41:36 +00:00
Kevin Fenzi
2095058e53 bastion / rdu3: allow relay from rdu3 hosts
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-25 20:16:06 -07:00
Kevin Fenzi
aa3e21cb89 nftables / kojibuilder/rdu3: also allow proxy01/10.iad2 external ips for kojipkgs there, fix after move
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 12:17:42 -07:00
Kevin Fenzi
327bf02f05 nftables / kojibuilder: more copypasta
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:55:12 -07:00
Kevin Fenzi
3b73e26506 nftables / kojibuilder: move rdu3 to the proper section, fix syntax errors
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:50:14 -07:00
Kevin Fenzi
ef87a8d197 nftables / kojibuilder: adjust ipa rules to allow rdu3 to use iad2 servers for now
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:38:42 -07:00
Kevin Fenzi
96dbff9277 nftables / kojibuilder / rdu3: temp allow external iad infra
Right now we are sending infra web requests (like for packages) to the
iad2 batcave01 via external. Let's allow this so we can install builders,
then change dns/drop it once we move.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:23:20 -07:00
Kevin Fenzi
0efed466be nftables: some more tweaks, add batcave01.iad2 to be able to manage rdu3 builders, adjust osuosl for new external ips
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 10:35:37 -07:00
James Antill
b697488d03 nftables.kojibuilder: NFS is also split, not shared.
Signed-off-by: James Antill <james@and.org>
2025-06-24 11:40:21 -04:00
Greg Sutcliffe
1a17a7f9e6 postfix: quick-and-dirty fix for SMTP nftables on bastion.rdu3
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-06-24 10:17:51 +01:00
Greg Sutcliffe
11fb7208ad postfix: Set relayhost correctly for rdu3 hosts
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-06-24 10:17:51 +01:00
James Antill
34ff986944 nftables.kojibuilder: Add more rdu3 changes. Add comments.
Signed-off-by: James Antill <james@and.org>
2025-06-24 01:09:58 -04:00
Kevin Fenzi
d7ecffec22 nftables / staging / rdu3: allow noc01 in rdu3 staging
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-23 15:33:45 -07:00
Kevin Fenzi
449385c8b0 nagios: move rdu3 hosts over to noc01.rdu3
Also open firewalls to allow noc03.rdu3 to access them.
Also enable nagios_server on noc01.rdu3.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-20 20:29:24 -07:00
Kevin Fenzi
7842e1d593 builders: add rdu3 groups and modify rdu3 builder nftables to allow rdu3 things
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-20 17:44:17 -07:00
Kevin Fenzi
25fd560e86 base: add new ed25519 ssh key
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-11 10:19:43 -07:00
Kevin Fenzi
ebe5fa82a1 rdu3: fix a logic conditional thinko
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 16:28:25 -07:00
Kevin Fenzi
835a7156c1 rdu3: fix ps1
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 16:05:48 -07:00
Kevin Fenzi
b9518cd6cd rdu3: set root prompt for rdu3
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 15:40:38 -07:00
James Antill
2e3f4fa81c Add the main nft_block_rules addition to bastion template.
Signed-off-by: James Antill <james@and.org>
2025-04-29 15:05:29 -04:00
Kevin Fenzi
ebffcee73c nftables: create a block rules section and move pagure blocks to it
Before, the custom rules were actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so it wasn't
really blocking anything.

This moves them to a block_rules section applied before the ports are allowed.
Also move pagure's to that new rule list.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-29 11:36:20 -07:00
Kevin Fenzi
174789bad7 base: try and handle undefined external
Right now we have to add external to everything in iad2, but most of it
isn't external at all. This way we can just assume it's not external if
it's not defined and just define it on the ones where it's true.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-28 12:27:23 -07:00
Kevin Fenzi
ca12850f5a osuosl: drop br0 interface requirement
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 15:41:14 -07:00
James Antill
c063b94af3 Add nftables.bastion for smtp stuff.
Signed-off-by: James Antill <james@and.org>
2025-04-24 21:55:25 +00:00
Kevin Fenzi
a2d6cf7dd4 nftables / osuosl: fix interface for ssh connections
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 14:09:02 -07:00
Kevin Fenzi
4d4365cdf5 nftables: add defined check for nft_nat_rules and set it also [] by default
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 13:17:03 -07:00
James Antill
50d04f6e95 Remove nftables cron and disable service, when using iptables (for backout).
Signed-off-by: James Antill <james@and.org>
2025-04-11 00:33:11 +00:00
Kevin Fenzi
b9eb773848 ipsilon: change crypto policy back to default
Since https://pagure.io/fedora-infrastructure/issue/12321
is fixed on the bugzilla side, we should be able to move back
to using DEFAULT.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-19 20:39:56 +00:00
Kevin Fenzi
17c8094c2f log01 / rsyslog / splunk: adjust ip again as the previous one was not desired
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-12 14:20:27 -07:00
Andrew Heath
d616fa6c6c Update Splunk syslog address
Update Splunk syslog address per Red Hat's Monitoring and Logging team.
The old address will be decommed in about a week per their
communications.
2025-03-11 18:30:47 +00:00
James Antill
69911c5d72 Enable IPv6 nftables.
Signed-off-by: James Antill <james@and.org>
2025-03-04 14:31:54 -05:00
James Antill
e83b42b572 Remove iptables cron and stop/disable services, when using nftables.
Signed-off-by: James Antill <james@and.org>
2025-03-04 14:14:37 -05:00
James Antill
ca18224faa Change osbuildapi set table to the ip filter table.
Signed-off-by: James Antill <james@and.org>
2025-03-03 17:08:20 -05:00
James Antill
224d98cbb0 Remove typo from kojibuilder nftables template.
Signed-off-by: James Antill <james@and.org>
2025-03-03 16:52:02 -05:00
James Antill
4fac049b6a Actually install the nftable template file.
Signed-off-by: James Antill <james@and.org>
2025-03-03 21:20:30 +00:00
James Antill
31d65aa439 Actually move to nftables for any host with nftables: true (nothing atm).
Signed-off-by: James Antill <jantill@redhat.com>
2025-03-03 21:20:30 +00:00
Michal Konecny
6428f8f772 Sunset github2fedmsg and fedmsg
This commit removes all the fedmsg-related stuff from the ansible
repository.

Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2025-02-13 10:08:51 +00:00
Kevin Fenzi
de84b616f6 riscv-koji: setup correct krb5.conf for the hub
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-11 11:07:53 -08:00