Kevin Fenzi
aa3e21cb89
nftables / kojibuilder/rdu3: also allow proxy01/10.iad2 external ips for kojipkgs there, fix after move
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 12:17:42 -07:00
Kevin Fenzi
327bf02f05
nftables / kojibuilder: more copypasta
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:55:12 -07:00
Kevin Fenzi
3b73e26506
nftables / kojibuilder: move rdu3 to the proper section, fix syntax errors
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:50:14 -07:00
Kevin Fenzi
ef87a8d197
nftables / kojibuilder: adjust ipa rules to allow rdu3 to use iad2 servers for now
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:38:42 -07:00
Kevin Fenzi
96dbff9277
nftables / kojibuilder / rdu3: temp allow external iad infra
Right now we are sending infra web requests (like for packages) to the
iad2 batcave01 via external. Let's allow this so we can install builders,
then change dns/drop it once we move.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:23:20 -07:00
Kevin Fenzi
0efed466be
nftables: some more tweaks, add batcave01.iad2 to be able to manage rdu3 builders, adjust osuosl for new external ips
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 10:35:37 -07:00
James Antill
b697488d03
nftables.kojibuilder: NFS is also split, not shared.
Signed-off-by: James Antill <james@and.org>
2025-06-24 11:40:21 -04:00
Greg Sutcliffe
1a17a7f9e6
postfix: quick-and-dirty fix for SMTP nftables on bastion.rdu3
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-06-24 10:17:51 +01:00
Greg Sutcliffe
11fb7208ad
postfix: Set relayhost correctly for rdu3 hosts
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-06-24 10:17:51 +01:00
James Antill
34ff986944
nftables.kojibuilder: Add more rdu3 changes. Add comments.
Signed-off-by: James Antill <james@and.org>
2025-06-24 01:09:58 -04:00
Kevin Fenzi
d7ecffec22
nftables / staging / rdu3: allow noc01 in rdu3 staging
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-23 15:33:45 -07:00
Kevin Fenzi
449385c8b0
nagios: move rdu3 hosts over to noc01.rdu3
Also open firewalls to allow noc03.rdu3 to access them.
Also enable nagios_server on noc01.rdu3.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-20 20:29:24 -07:00
Kevin Fenzi
7842e1d593
builders: add rdu3 groups and modify rdu3 builder nftables to allow rdu3 things
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-20 17:44:17 -07:00
Kevin Fenzi
25fd560e86
base: add new ed25519 ssh key
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-11 10:19:43 -07:00
Kevin Fenzi
ebe5fa82a1
rdu3: fix a logic conditional thinko
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 16:28:25 -07:00
Kevin Fenzi
835a7156c1
rdu3: fix ps1
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 16:05:48 -07:00
Kevin Fenzi
b9518cd6cd
rdu3: set root prompt for rdu3
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 15:40:38 -07:00
James Antill
2e3f4fa81c
Add the main nft_block_rules addition to bastion template.
Signed-off-by: James Antill <james@and.org>
2025-04-29 15:05:29 -04:00
Kevin Fenzi
ebffcee73c
nftables: create a block rules section and move pagure blocks to it
Before, the custom rules were actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so it wasn't
really blocking anything.
This moves them to a block_rules applied before the ports are allowed.
Also move pagure's to that new rule list.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-29 11:36:20 -07:00
Kevin Fenzi
174789bad7
base: try and handle undefined external
Right now we have to add external to everything in iad2, but most of it
isn't external at all. This way we can just assume it's not external if
it's not defined and just define it on the ones where it's true.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-28 12:27:23 -07:00
Kevin Fenzi
ca12850f5a
osuosl: drop br0 interface requirement
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 15:41:14 -07:00
James Antill
c063b94af3
Add nftables.bastion for smtp stuff.
Signed-off-by: James Antill <james@and.org>
2025-04-24 21:55:25 +00:00
Kevin Fenzi
a2d6cf7dd4
nftables / osuosl: fix interface for ssh connections
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 14:09:02 -07:00
Kevin Fenzi
4d4365cdf5
nftables: add defined check for nft_nat_rules and set it also [] by default
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-24 13:17:03 -07:00
James Antill
50d04f6e95
Remove nftables cron and disable service, when using iptables (for backout).
Signed-off-by: James Antill <james@and.org>
2025-04-11 00:33:11 +00:00
Kevin Fenzi
b9eb773848
ipsilon: change crypto policy back to default
Since https://pagure.io/fedora-infrastructure/issue/12321
is fixed on the bugzilla side, we should be able to move back
to using DEFAULT.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-19 20:39:56 +00:00
Kevin Fenzi
17c8094c2f
log01 / rsyslog / splunk: adjust ip again as the previous one was not desired
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-12 14:20:27 -07:00
Andrew Heath
d616fa6c6c
Update Splunk syslog address
Update Splunk syslog address per Red Hat's Monitoring and Logging team.
The old address will be decomed in about a week per their
communications.
2025-03-11 18:30:47 +00:00
James Antill
69911c5d72
Enable IPv6 nftables.
Signed-off-by: James Antill <james@and.org>
2025-03-04 14:31:54 -05:00
James Antill
e83b42b572
Remove iptables cron and stop/disable services, when using nftables.
Signed-off-by: James Antill <james@and.org>
2025-03-04 14:14:37 -05:00
James Antill
ca18224faa
Change osbuildapi set table to the ip filter table.
Signed-off-by: James Antill <james@and.org>
2025-03-03 17:08:20 -05:00
James Antill
224d98cbb0
Remove typo from kojibuilder nftables template.
Signed-off-by: James Antill <james@and.org>
2025-03-03 16:52:02 -05:00
James Antill
4fac049b6a
Actually install the nftable template file.
Signed-off-by: James Antill <james@and.org>
2025-03-03 21:20:30 +00:00
James Antill
31d65aa439
Actually move to nftables for any host with nftables: true (nothing atm).
Signed-off-by: James Antill <jantill@redhat.com>
2025-03-03 21:20:30 +00:00
Michal Konecny
6428f8f772
Sunset github2fedmsg and fedmsg
This commit is removing all the fedmsg related stuff from ansible
repository.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2025-02-13 10:08:51 +00:00
Kevin Fenzi
de84b616f6
riscv-koji: setup correct krb5.conf for the hub
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-11 11:07:53 -08:00
Michal Konecny
2ec055db6f
Use first uppercase letter for all handlers
This will unify all the handlers to use first uppercase letter for
ansible-lint to stop complaining.
I went through all `notify:` occurrences and fixed them by running
```fish
# fish shell syntax: `set` defines the two variables; git grep -lz lists the
# matching files NUL-separated so xargs -0 feeds them safely to sed for in-place replacement
set TEXT "text_to_replace"; set REPLACEMENT "replacement_text"; git grep -rlz "$TEXT" . | xargs -0 sed -i "s/$TEXT/$REPLACEMENT/g"
```
Then I went through all the changes and removed the ones that weren't
expected to be changed.
Fixes https://pagure.io/fedora-infrastructure/issue/12391
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2025-02-10 20:31:49 +00:00
Michal Konecny
7b58dfdce8
Remove fedmsg and github2fedmsg from staging
The messaging bridges openshift project and github2fedmsg VM were
already removed in staging. This is to clean the ansible playbooks.
I will create a separate one for production after this one is merged.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2025-02-04 09:13:40 +01:00
Kevin Fenzi
77fe8423e0
base: drop system_identification
We don't need or want this anymore since CSI is gone/dead.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-01-28 10:49:57 -08:00
iamyaash
b3d6a90b9a
motd generic template added
migrated notes from infra/hosts
motd changes; excluding CSI infos
removed csi_* vars from group_vars; converted csi_purpose & csi_relationship into notes
fixed merge conflicts
minor changes; var
updating YAMLs & playbooks
updated YAMLs & playbooks again
updated correctly; buildhw.yml
fixing merge conflicts
dest added in motd.yml
2025-01-28 01:10:14 +00:00
Kevin Fenzi
759ee55f18
bastion: fix delivering non-contributor emails locally
Should fix:
https://pagure.io/fedora-infrastructure/issue/12361
Basically postfix default is:
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
so if the user is a local user or an alias, it's valid.
However, sssd and ipa show all users (even ones with no
access to that host). This means we were accepting and delivering
(locally) emails for anyuser@fedoraproject.org.
Setting this to just $alias_maps will just treat aliases as valid
and ignore all the local users. This should be fine as we use
aliases to send even to root or other system users.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-01-17 15:31:21 -08:00
Kevin Fenzi
e196958322
base: fix another handler case
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-01-16 14:52:49 -08:00
Kevin Fenzi
1e77199920
base: fix more handler renaming issues
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-01-16 14:44:00 -08:00
James Antill
80aa4bbbc2
Initial version of iptables to nftables conversion.
2025-01-16 11:28:24 -05:00
Ryan Lerch
47c68f478d
ansiblelint fixes - fqcn[action-core] - template to ansible.builtin.template
Replaces references to template: with ansible.builtin.template
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:30:29 +10:00
Ryan Lerch
3c41882bb0
ansiblelint fixes - fqcn[action-core] - shell to ansible.builtin.shell
Replaces references to shell: with ansible.builtin.shell
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:29:10 +10:00
Ryan Lerch
25391e95b7
ansiblelint fixes - fqcn[action-core] - package to ansible.builtin.package
Replaces many references to package: with ansible.builtin.package
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:28:00 +10:00
Ryan Lerch
462176464b
ansiblelint fixes - fqcn[action-core] - command to ansible.builtin.command
Replaces many references to command: with ansible.builtin.command
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:26:47 +10:00
Ryan Lerch
6a3816dfdc
ansiblelint fixes - fqcn[action-core] - copy to ansible.builtin.copy
Replaces many references to 'copy' with ansible.builtin.copy
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 10:43:31 +10:00
Ryan Lerch
62952df107
ansiblelint fixes - fqcn[action-core] - file to ansible.builtin.file
Replaces many references to file: with ansible.builtin.file
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 10:41:52 +10:00