Greg Sutcliffe
d97e627ae3
Zabbix/Postfix: Postqueue map, socket policy, and template update
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-29 11:53:44 +01:00
Greg Sutcliffe
80f01b264f
Zabbix/Postfix: Sendmail mmap policy
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-29 11:13:29 +01:00
Greg Sutcliffe
144066c8f4
Zabbix/Postfix: Rules for postqueue using tmpfs
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 12:24:21 +01:00
Greg Sutcliffe
5957d2c832
Zabbix/Postfix: Rules for postfix_master
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 12:16:08 +01:00
Greg Sutcliffe
a7a2232e7b
Zabbix/Postfix: Even more denials, sigh
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 12:07:55 +01:00
Greg Sutcliffe
4a97d2cbda
Zabbix/Postfix: Add postqueue exec_no_trans
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:53:08 +01:00
Greg Sutcliffe
0496e663ed
Zabbix/Postfix: Add postqueue execution
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:44:50 +01:00
Greg Sutcliffe
6c8b3337ac
Zabbix/Postfix: Apparently postfix_etc_t needs open as well as read
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:36:04 +01:00
Greg Sutcliffe
a41c0a3546
Zabbix/Postfix: Add missing type for postfix_etc_t
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:25:07 +01:00
Greg Sutcliffe
224f21142d
Zabbix/Postfix: Remove old pp file and add new exception for postfix_etc_t
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 11:19:41 +01:00
Greg Sutcliffe
abbb813f6e
Zabbix/Postfix: Switch to handler-based local compilation of SELinux module
We're hitting errors on older hosts because the precompiled module was
on too-new a policy version. This moves the compilation of the module
to the target, via handlers.
Right now this is hardcoded to the specific module in base/postfix, but
we can generalise it to compile all the various SELinux modules later on
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-26 10:44:04 +01:00
Greg Sutcliffe
d2a66a0bf4
Zabbix/Postfix: Ensure drop-in dir exists
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-25 12:00:16 +01:00
Greg Sutcliffe
8141b597d5
Zabbix/Postfix: Add tags to SELinux module install so it actually runs
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 17:09:28 +01:00
Greg Sutcliffe
17f06ff65f
Zabbix/Postfix: Compile the module on an older host so the policy version is compatible
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 16:55:30 +01:00
Greg Sutcliffe
325019aa3f
Zabbix/Postfix: Update SELinux module to allow the agent to run mailq
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 16:47:20 +01:00
Greg Sutcliffe
4651ff72b8
Zabbix: Ensure Postfix role creates the Postfix hostgroup
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 15:27:18 +01:00
Greg Sutcliffe
a8d00abea1
Zabbix: Add monitoring to the base/postfix role
This adds an example implementation of how to add Zabbix agent
monitoring to the Postfix role
There are 5 parts
- The agent dropin file
- The (optional) script the agent will call
- A custom SELinux module to allow the agent to run its tools
- An API call to ensure the target template exists
- An API call to add the host to the right template
See the PR for details on how this works...
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-09-24 15:16:02 +01:00
Kevin Fenzi
2a2f75daf1
base / iptables: don't remove iptables for now
This was a good change in theory, but in practice it's not.
The 'iptables-legacy' package provides 'iptables' so it gets removed,
but there's some things we still install that depend on it, so it just
gets pulled in later as a dependency.
Examples:
build* machines install oz and ImageFactory that need it
(but we can possibly drop those now)
virthosts have some libvirt subpackages that require it.
I'm not sure we can re-add this in a targeted way or should just drop it
for now entirely.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-08-09 09:17:18 -07:00
Kevin Fenzi
edd8677758
base / iptables: don't try and disable ip6tables on rhel8 with nftables
rhel8 instances using nftables don't have iptables-services installed,
because we remove 'iptables'. On rhel9 and fedora iptables-services only
needs iptables-libs installed, so it's there and works to disable.
Once the last things (rhel8 copr hypervisors) are moved to nftables, we
can drop all this.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-23 13:10:55 -07:00
Michal Konecny
dcdc636596
[base] Install missing iptables package on ppc64le
The Fedora 42 on ppc64le needs iptables-legacy package as well.
2025-07-22 11:24:11 +02:00
Michal Konecny
0e8dd65fc5
[base] Remove tasks to disable iptables/nftables
It doesn't make sense to disable something that isn't installed. Let's
instead make sure that the package is not installed.
2025-07-17 18:29:28 +02:00
Nils Philippsen
6c85fda0c9
Mass remove/replace iad2 -> rdu3, 10.3. -> 10.16.
Signed-off-by: Nils Philippsen <nils@redhat.com>
2025-07-03 20:05:02 +02:00
Kevin Fenzi
1df69acbfd
kojibuilder: nftables: drop a rdu3 restriction, we need this for s390x as well
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 14:15:46 -07:00
Kevin Fenzi
07b5336e55
nftables: rework for s390x builders, rip out iad2
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 12:40:06 -07:00
Kevin Fenzi
846638ba2c
postfix: fix some relayhosts that were still trying to use iad2 in rdu3
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 10:04:54 -07:00
James Antill
99d4f5215b
rsyslog: Copy over log01.iad2 rsyslog.conf to log01.rdu3
Signed-off-by: James Antill <james@and.org>
2025-06-30 16:19:32 -04:00
Kevin Fenzi
1b027f42dd
releng-compose: nftables, allow rdu3 noc
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-27 20:43:59 -07:00
Kevin Fenzi
56c028d684
bastion: nftables, allow rdu3 noc
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-27 20:40:54 -07:00
Francois Andrieu
3fea252fd8
use rsyslogd v8 conf as the default
2025-06-28 01:41:02 +00:00
Francois Andrieu
a19fa50f32
add rsyslogd/rhel9 conf
2025-06-26 17:41:36 +00:00
Kevin Fenzi
2095058e53
bastion / rdu3: allow relay from rdu3 hosts
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-25 20:16:06 -07:00
Kevin Fenzi
aa3e21cb89
nftables / kojibuilder/rdu3: also allow proxy01/10.iad2 external ips for kojipkgs there, fix after move
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 12:17:42 -07:00
Kevin Fenzi
327bf02f05
nftables / kojibuilder: more copypasta
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:55:12 -07:00
Kevin Fenzi
3b73e26506
nftables / kojibuilder: move rdu3 to the proper section, fix syntax errors
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:50:14 -07:00
Kevin Fenzi
ef87a8d197
nftables / kojibuilder: adjust ipa rules to allow rdu3 to use iad2 servers for now
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:38:42 -07:00
Kevin Fenzi
96dbff9277
nftables / kojibuilder / rdu3: temp allow external iad infra
Right now we are sending infra web requests (like for packages) to the
iad2 batcave01 via external. Let's allow this so we can install builders,
then change dns/drop it once we move.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 11:23:20 -07:00
Kevin Fenzi
0efed466be
nftables: some more tweaks, add batcave01.iad2 to be able to manage rdu3 builders, adjust osuosl for new external ips
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-24 10:35:37 -07:00
James Antill
b697488d03
nftables.kojibuilder: NFS is also split, not shared.
Signed-off-by: James Antill <james@and.org>
2025-06-24 11:40:21 -04:00
Greg Sutcliffe
1a17a7f9e6
postfix: quick-and-dirty fix for SMTP nftables on bastion.rdu3
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-06-24 10:17:51 +01:00
Greg Sutcliffe
11fb7208ad
postfix: Set relayhost correctly for rdu3 hosts
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-06-24 10:17:51 +01:00
James Antill
34ff986944
nftables.kojibuilder: Add more rdu3 changes. Add comments.
Signed-off-by: James Antill <james@and.org>
2025-06-24 01:09:58 -04:00
Kevin Fenzi
d7ecffec22
nftables / staging / rdu3: allow noc01 in rdu3 staging
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-23 15:33:45 -07:00
Kevin Fenzi
449385c8b0
nagios: move rdu3 hosts over to noc01.rdu3
Also open firewalls to allow noc03.rdu3 to access them.
Also enable nagios_server on noc01.rdu3.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-20 20:29:24 -07:00
Kevin Fenzi
7842e1d593
builders: add rdu3 groups and modify rdu3 builder nftables to allow rdu3 things
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-20 17:44:17 -07:00
Kevin Fenzi
25fd560e86
base: add new ed25519 ssh key
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-11 10:19:43 -07:00
Kevin Fenzi
ebe5fa82a1
rdu3: fix a logic conditional thinko
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 16:28:25 -07:00
Kevin Fenzi
835a7156c1
rdu3: fix ps1
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 16:05:48 -07:00
Kevin Fenzi
b9518cd6cd
rdu3: set root prompt for rdu3
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-21 15:40:38 -07:00
James Antill
2e3f4fa81c
Add the main nft_block_rules addition to bastion template.
Signed-off-by: James Antill <james@and.org>
2025-04-29 15:05:29 -04:00
Kevin Fenzi
ebffcee73c
nftables: create a block rules section and move pagure blocks to it
Before, the custom rules were actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so it wasn't
really blocking anything.
This moves them to a block_rules applied before the ports are allowed
Also move pagure's to that new rule list.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-04-29 11:36:20 -07:00
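The ordering problem described in commit ebffcee73c above, shown as an added illustration in nftables syntax. This is not the ansible repository's own nftables template: the table and chain names, the port list and the source addresses (RFC 5737 documentation ranges) are all assumed for the example; only the two section names, block_rules and custom_rules, come from the commit message. nft evaluates a chain's rules top to bottom and a terminal verdict (accept, drop) ends evaluation for that packet, so a drop placed after an accept that already matched the packet is dead code.

```nft
# Added example (not the repository's template). Addresses are RFC 5737
# documentation ranges; table/chain/port names are assumed.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # block_rules: host-specific drops, evaluated BEFORE any port is
        # opened. A scraper hitting a pagure host goes here, so it is
        # dropped even though tcp/80 and tcp/443 are accepted below.
        ip saddr 192.0.2.0/24 tcp dport { 80, 443 } drop

        # allowed ports for this host class
        tcp dport { 22, 80, 443 } accept

        # custom_rules: extra ALLOWS for this particular host only.
        # A drop placed here for tcp/80 or tcp/443 traffic would never
        # fire: the accept rule above has already returned a verdict.
        ip saddr 198.51.100.0/24 tcp dport 5432 accept
    }
}
```

To check a rendered template before loading it, `nft -c -f ruleset.nft` parses and validates without touching the live ruleset; `nft -a list chain inet filter input` then shows the loaded rules with their handles in evaluation order, which is where to confirm that the block rules sit above the port accepts rather than below them.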