Commit Graph

1039 Commits

Author SHA1 Message Date
Kevin Fenzi
a754144f19 Update infra pagure.io links to forge.fp.o (WIP)
This should update all the references we have to
https://pagure.io/fedora-infrastructure to the
new https://forge.fedoraproject.org/infra/tickets/ area.

Do not merge this before the migration on Tuesday.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-01-20 14:39:40 -08:00
James Antill
c3e35d5807 Try to deal with giant bodhi_bodhi-consumer-13-mdrln_bodhi etc. messages.
Signed-off-by: James Antill <james@and.org>
2026-01-14 11:02:16 -05:00
Kevin Fenzi
8caea853ad base: rsyslog-audit: no audit to log01 in aws
In the aws 'datacenter' we don't want to send audit logs to log01, since
there is no access to log01 from there and it just doesn't work.

https://pagure.io/fedora-infrastructure/issue/12947

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-01-13 14:15:12 -08:00
Adam Williamson
b9fe2e598e proxies: add nft_block_rules to nftables.staging
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2025-12-30 08:56:14 -08:00
James Antill
c4bdc997e3 log*: Compress combined-http on a 12 day cycle.
Signed-off-by: James Antill <james@and.org>
2025-12-10 11:59:44 -05:00
Kevin Fenzi
a47c38f68a koji_builder: update pagure.io ip address for builders firewall
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-12-03 16:26:50 -08:00
Greg Sutcliffe
b65110b95f Adjust templates to disable un-needed checks and rework Postfix
2025-11-17 15:53:55 +00:00
Kevin Fenzi
5c85cfd5ac base: use normal password on koji hubs
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-11-06 15:44:58 -08:00
Greg Sutcliffe
11154ab7d4 Zabbix: Make crond & rsyslog triggers more robust
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-11-05 17:27:34 +00:00
Greg Sutcliffe
39017bbbde Zabbix: Add process monitoring template (replaces rsyslog-only template)
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-11-05 13:09:12 +00:00
Greg Sutcliffe
68f6aa9b95 Base: Make the SElinux module compilation reusable
This moves the SELinux "handler" in roles/base to a global
task file, which allows it to be reused by other roles.

Eventually this should probably be a native Ansible type,
but this is still an improvement.

Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-10-31 12:38:36 +00:00
Greg Sutcliffe
0ae9436498 Zabbix: fleet-wide LLD monitoring for discovered RAID devices
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-10-30 12:19:19 +00:00
James Antill
17dc35b432 postfix: Make sure package is installed.
Signed-off-by: James Antill <james@and.org>
2025-10-22 11:16:51 -04:00
James Antill
a5ef33fc87 ip6tables: No service on el10.
Signed-off-by: James Antill <james@and.org>
2025-10-22 10:46:05 -04:00
James Antill
4fa8443c68 postfix: Turn off TLSv1.0/1.1
Signed-off-by: James Antill <james@and.org>
2025-10-21 11:50:11 -04:00
Greg Sutcliffe
69645f5da5 HAProxy/Rsyslog: fix logging to the rsyslog UDP port that haproxy expects
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-10-07 21:21:02 +00:00
Greg Sutcliffe
7b68d4a008 Zabbix: Re-export & re-import Postfix template
Seriously, don't edit templates by hand. Lesson learned.

Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-10-03 12:05:18 +01:00
Greg Sutcliffe
a0eacec896 Zabbix: Fix missing quotemark in template
Don't edit templates by hand, kids ...

Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-10-03 11:33:46 +01:00
Greg Sutcliffe
de1a667f82 Zabbix: Allow for different mailq thresholds using macros
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-10-03 11:24:45 +01:00
Greg Sutcliffe
14c193e019 Zabbix: Fix issue with missing zabbix user in early role
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-10-02 12:48:51 +01:00
Kevin Fenzi
a054b3ce0f zabbix: fix some perms so that zabbix is idempotent
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-10-01 09:42:50 -07:00
Pavel Raiskup
d217ab4b30 logdetective: another workaround
Skip the whole include.
2025-09-29 17:04:07 +02:00
Greg Sutcliffe
2dacafc7b6 Zabbix/Rsyslog: add item tags to template item
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-29 15:26:01 +01:00
Greg Sutcliffe
af7c2d7145 Zabbix/Rsyslog: fix typo in template path
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-29 15:22:26 +01:00
Greg Sutcliffe
f0aa9e747d Zabbix/Rsyslogd: New template & hostgroup for rsyslogd processes
Also some minor fixes for the postfix templates

Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-29 15:20:23 +01:00
Greg Sutcliffe
d97e627ae3 Zabbix/Postfix: Postqueue map, socket policy, and template update
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-29 11:53:44 +01:00
Greg Sutcliffe
80f01b264f Zabbix/Postfix: Sendmail mmap policy
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-29 11:13:29 +01:00
Greg Sutcliffe
144066c8f4 Zabbix/Postfix: Rules for postqueue using tmpfs
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 12:24:21 +01:00
Greg Sutcliffe
5957d2c832 Zabbix/Postfix: Rules for postfix_master
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 12:16:08 +01:00
Greg Sutcliffe
a7a2232e7b Zabbix/Postfix: Even more denials, sigh
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 12:07:55 +01:00
Greg Sutcliffe
4a97d2cbda Zabbix/Postfix: Add postqueue exec_no_trans
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:53:08 +01:00
Greg Sutcliffe
0496e663ed Zabbix/Postfix: Add postqueue execution
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:44:50 +01:00
Greg Sutcliffe
6c8b3337ac Zabbix/Postfix: Apparently postfix_etc_t needs open as well as read
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:36:04 +01:00
Greg Sutcliffe
a41c0a3546 Zabbix/Postfix: Add missing type for postfix_etc_t
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:25:07 +01:00
Greg Sutcliffe
224f21142d Zabbix/Postfix: Remove old pp file and add new exception for postfix_etc_t
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:19:41 +01:00
Greg Sutcliffe
abbb813f6e Zabbix/Postfix: Switch to handler-based local compilation of SELinux module
We're hitting errors on older hosts because the precompiled module was
on too-new a policy version. This moves the compilation of the module
to the target, via handlers.

Right now this is hardcoded to the specific module in base/postfix, but
we can generalise it to compile all the various SELinux modules later on

Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 10:44:04 +01:00
Greg Sutcliffe
d2a66a0bf4 Zabbix/Postfix: Ensure drop-in dir exists
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-25 12:00:16 +01:00
Greg Sutcliffe
8141b597d5 Zabbix/Postfix: Add tags to SELinux module install so it actually runs
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 17:09:28 +01:00
Greg Sutcliffe
17f06ff65f Zabbix/Postfix: Compile the module on an older host so the policy version is compatible
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 16:55:30 +01:00
Greg Sutcliffe
325019aa3f Zabbix/Postfix: Update SELinux module to allow the agent to run mailq
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 16:47:20 +01:00
Greg Sutcliffe
4651ff72b8 Zabbix: Ensure Postfix role creates the Postfix hostgroup
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 15:27:18 +01:00
Greg Sutcliffe
a8d00abea1 Zabbix: Add monitoring to the base/postfix role
This adds an example implementation of how to add Zabbix agent
monitoring to the Postfix role

There are 5 parts
    - The agent dropin file
    - The (optional) script the agent will call
    - A custom SELinux module to allow the agent to run its tools
    - An API call to ensure the target template exists
    - An API call to add the host to the right template

See the PR for details on how this works...

Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 15:16:02 +01:00
Kevin Fenzi
2a2f75daf1 base / iptables: don't remove iptables for now
This was a good change in theory, but in practice it's not.
The 'iptables-legacy' package provides 'iptables' so it gets removed,
but there's some things we still install that depend on it, so it just
gets pulled in later as a dependency.

Examples:

build* machines install oz and ImageFactory that need it
(but we can possibly drop those now)

virthosts have some libvirt subpackages that require it.

I'm not sure we can readd this in a targeted way or should just drop it
for now entirely.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-08-09 09:17:18 -07:00
Kevin Fenzi
edd8677758 base / iptables: don't try and disable ip6tables on rhel8 with nftables
rhel8 instances using nftables don't have iptables-services installed,
because we remove 'iptables'. On rhel9 and fedora iptables-services only
needs iptables-libs installed, so it's there and works to disable.

Once the last things (rhel8 copr hypervisors) are moved to nftables, we
can drop all this.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-23 13:10:55 -07:00
Michal Konecny
dcdc636596 [base] Install missing iptables package on ppc64le
The Fedora 42 on ppc64le needs iptables-legacy package as well.
2025-07-22 11:24:11 +02:00
Michal Konecny
0e8dd65fc5 [base] Remove tasks to disable iptables/nftables
It doesn't make sense to disable something that isn't installed. Let's
instead make sure that the package is not installed.
2025-07-17 18:29:28 +02:00
Nils Philippsen
6c85fda0c9 Mass remove/replace iad2 -> rdu3, 10.3. -> 10.16.
Signed-off-by: Nils Philippsen <nils@redhat.com>
2025-07-03 20:05:02 +02:00
Kevin Fenzi
1df69acbfd kojibuilder: nftables: drop a rdu3 restriction, we need this for s390x as well
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 14:15:46 -07:00
Kevin Fenzi
07b5336e55 nftables: rework for s390x builders, rip out iad2
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 12:40:06 -07:00
Kevin Fenzi
846638ba2c postfix: fix some relayhosts that were still trying to use iad2 in rdu3
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 10:04:54 -07:00