Pavel Raiskup
a2d65ff508
Move devel servers to elastic IPs, too
2021-01-18 14:58:58 +01:00
Mark O'Brien
8c00c6840b
iptables change wasn't needed
2020-11-24 17:35:33 +00:00
Mark O'Brien
a426b0e240
no iptables on CentOS 8
2020-11-24 17:26:29 +00:00
Pavel Raiskup
f14b897b1f
copr: point playbooks to new set of (elastic) IPs
2020-11-13 10:05:21 +01:00
Jakub Kadlcik
e043b62c5a
reprovisioning copr-fe-dev from a new instance
2020-11-11 14:12:15 +01:00
Kevin Fenzi
e5606578de
base: try changing f33 crypto-policies to a less open version to get 2fa working
...
LEGACY allows all kinds of old junk, let's try and just
enable the things that FEDORA32 allowed.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-11-03 14:10:39 -08:00
Adam Williamson
e14052db33
ok debug stuff did its job goodbye
...
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-10-30 13:14:54 -07:00
Adam Williamson
ea70d16680
gah stupid tags
...
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-10-30 13:12:33 -07:00
Adam Williamson
a4deb8dbaa
try and fix this debug stuff why is ansible so hard
...
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-10-30 13:11:51 -07:00
Adam Williamson
c60897306c
sigh yaml
...
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-10-30 13:06:42 -07:00
Adam Williamson
e02baf2149
Add a bit of debugging to crypto-policies
...
aka why isn't it working on a64 worker02
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-10-30 13:05:29 -07:00
Adam Williamson
fd292f9aa7
Try and fix syntax in that last commit
...
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-10-29 11:14:45 -07:00
Adam Williamson
bb286d8099
Enhance the crypto-policy stuff to actually set the policy
...
Just writing a config file isn't enough, apparently. We need to
really call update-crypto-policies. This attempts to do so, but
only if it's really necessary, by using some handy check args.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-10-29 11:12:01 -07:00
Kevin Fenzi
4e63bbb7b2
Add a crypto-policies to set to LEGACY on fedora 33 hosts
...
This is needed to get our 2fa working.
We should drop this once we are moved to sssd.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-10-29 10:17:04 -07:00
Aurélien Bompard
fa6eaf9f42
get rid of phx2 in krb5.conf
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2020-10-07 14:14:06 +02:00
Stephen Smoogen
522c62c273
try to make the postfix milter part better searched and some debugging to opendkim and turn off the sending of reports
2020-10-06 12:20:09 -04:00
Kevin Fenzi
c5f4e27746
roles/base/postfix: add a rdu-cc postfix main.cf
...
This one just uses the vpn endpoint for bastion to avoid dns and ipv6
issues.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-10-05 16:03:55 -07:00
Pierre-Yves Chibon
8a13932c66
postfix: Drop the main.cf for pagure02 - never worked
...
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2020-10-02 09:50:42 +02:00
Kevin Fenzi
71d475085b
iptables / koji_builder: update ip address for pagure.io
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-10-01 16:55:00 -07:00
Pierre-Yves Chibon
5383f87f30
pagure: adjust pagure's postfix configuration to rhel8
...
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2020-10-01 11:06:52 +02:00
Pierre-Yves Chibon
200282de8d
pagure: add a dedicated postfix configuration file for pagure02
...
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2020-09-25 12:10:31 +02:00
Silvie Chlupova
3ded4aae28
Fix DKIM signing
2020-09-24 10:58:17 +00:00
Stephen Smoogen
8d58708305
remove 10.5.126 ips from nrpe to try and figure out why host was not connecting
2020-09-23 17:08:17 -04:00
Mark O'Brien
1b787aef8b
add proxy39/40 to http log sync
2020-09-22 11:08:31 +01:00
Mark O'Brien
e4e6ede45b
[proxies] add proxy37/38
2020-09-01 15:45:29 +01:00
Stephen Smoogen
fede1317e7
proxy*.stg.iad2.fedoraproject.org is not on the vpn
2020-08-31 11:09:14 -04:00
Stephen Smoogen
15348981f8
try to fix part of ticket #9273 by increasing the number of open files allowed on log servers and people as they have a large number of files to deal with.
2020-08-28 08:26:19 -04:00
Mark O'Brien
5f114a7c98
[proxies] setup for proxy35/36
2020-08-24 17:21:00 +01:00
Stephen Smoogen
25d3faff49
put in a relay host for copr
2020-08-13 14:55:18 -04:00
Stephen Smoogen
17965d6ea7
merge and remove duplicate gateway file that bastion.iad2 had. add in copr addresses to allow for relay
2020-08-13 14:53:33 -04:00
Kevin Fenzi
f551e07637
base: use linux system roles network role for hosts that define network_connections
...
This is VASTLY better than the hack we have in base now to try and setup
ifcfg files. It uses a standard role that has lots of options and does
the right thing with NetworkManager. Ideally we would switch everything
to this, but let's try it here first to see. It should work with bridges,
etc. as well.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-08-13 10:37:12 -07:00
Stephen Smoogen
04efbcf732
add in correct main.cf also
2020-08-12 20:45:14 -04:00
Stephen Smoogen
c9cb4a5d5f
fix postfix entries so that they use 10.3.160.0/19 network versus phx2 networks
2020-08-12 20:42:57 -04:00
Mark O'Brien
f7ba779b61
[proxies] add proxy34
2020-08-04 15:41:04 +01:00
Kevin Fenzi
c96131045d
base / iptables / kojibuilder: allow port 80 on new s390x cache instance
...
Moving the local to s390x cache from 07 (a zvm instance) to 24 (a kvm
instance) needs to adjust the firewalls for those builders to know that
they can use port 80 on the new one. After that we will update dns to
point it to the new location.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-08-03 12:40:54 -07:00
Mark O'Brien
6994fef4f8
[proxies] new proxy33 in aws capetown
2020-07-28 15:34:59 +01:00
Kevin Fenzi
7825d7664b
base keytab: try and just use --force here
...
We made this change for other keytabs, so just do it here too.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-07-27 15:35:00 -07:00
Kevin Fenzi
461fbcf0aa
Revert "base / keytab: Try and throttle task to 1"
...
Didn't help. ;(
This reverts commit 37db5af9f0.
2020-07-27 15:30:48 -07:00
Kevin Fenzi
37db5af9f0
base / keytab: Try and throttle task to 1
...
This task seems to fail with a nameserver failed to answer message when
you provision a bunch of hosts at once. Try running just one at a time
and see if it helps any.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-07-27 15:27:21 -07:00
Kevin Fenzi
e1d77f58d6
base / iptables / staging: drop nat section in iptables
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-07-18 16:25:45 -07:00
Kevin Fenzi
3c340cf69b
base / resolv.conf: fix staging to adjust for iad2
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-07-18 15:46:37 -07:00
Stephen Smoogen
c1c1905ce4
fix syntax error in syncHttpLogs causing it to fail on log01. File needed } at the end of variable. Consolidated debug statements
2020-07-14 13:54:31 -04:00
Kevin Fenzi
971d49a426
base / resolv.conf / rdu: increase timeout to 5s at rdu
...
The nameserver there seems slow, it takes more than a second to resolve
things sometimes.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-07-11 10:17:48 -07:00
Stephen Smoogen
5674c1e0ad
try to fix syncHttpLogs so it doesn't try to download files which do not exist. The rsync command has entries like speedup and data and we just want the logs
2020-07-10 17:07:22 -04:00
Stephen Smoogen
f615527d42
remove the template sync. It will not work because most logs need to be done over vpn which the ansible inventory does not know
2020-07-10 09:29:41 -04:00
Stephen Smoogen
fdf96ef734
fix bug in syncHttpLogs causing them to fail
2020-07-10 09:29:41 -04:00
Kevin Fenzi
11ec8e6adf
base / resolv.conf / rdu2: vpn has to come first
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-07-06 14:10:15 -07:00
Kevin Fenzi
a02d9a2da0
base / iptables / koji_builder: The s390x hosts need to talk to kojipkgs01/02
...
Actually it's only the varnish caching host that needs to talk to them
at this point, but might as well allow it on any of them in case we
switch how the caching works there or the like.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-07-06 10:38:44 -07:00
Kevin Fenzi
f56d189995
base / dist enabled services
...
At some point not too long ago we set 'logrotate.timer' as a dist
enabled service. This mostly works fine as all supported Fedora and RHEL
releases have this. However, we still have some old unsupported hosts
(like notifs-backend01) and this caused playbooks to fail on them.
So, let's conditionalize it only to newer ones so we can run playbooks on
the EOL ones.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-07-02 14:50:46 -07:00
Stephen Smoogen
736b3db7d1
make the syncHttpLogs a little less noisy and hopefully more useful
2020-07-02 08:54:57 -04:00