Right now we are sending infra web requests (like for packages) to the
iad2 batcave01 via external. Lets allow this so we can install builders,
then change dns/drop it once we move.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Before the custom rules was actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so it wasn't
really blocking anything.
This moves them to a block_rules applied before the ports are allowed
Also move pagure's to that new rule list.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now we have to add external to everything in iad2, but most of it
isn't external at all. This way we can just assume it's not external if
it's not defined and just define it on the ones where it's true.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This will unify all the handlers to use first uppercase letter for
ansible-lint to stop complaining.
I went through all `notify:` occurrences and fixed them by running
```
set TEXT "text_to_replace"; set REPLACEMENT "replacement_text"; git grep
-rlz "$TEXT" . | xargs -0 sed -i "s/$TEXT/$REPLACEMENT/g"
```
Then I went through all the changes and removed the ones that wasn't
expected to be changed.
Fixes https://pagure.io/fedora-infrastructure/issue/12391
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
The messaging bridges openshift project and github2fedmsg VM were
already removed in staging. This is to clean the ansible playbooks.
I will create a separate one for production after this one is merged.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
migrated notes from infra/hosts
motd changes; excluding CSI infos
removed csi_* vars from group_vars; converted csi_purpose & csi_relationship into notes
fixed merge conflicts
minor changes; var
updating YAMLs & playbooks
udpated YAMLs & playbooks again
updated correctly; buildhw.yml
fixing merge conflicts
dest added in motd.yml
Should fix:
https://pagure.io/fedora-infrastructure/issue/12361
Basically postfix default is:
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
so if the user is a local user or an alias, it's valid.
However, sssd and ipa show all users (even ones with no
access to that host). This means we were accepting and delivering
(locally) emails for anyuser@fedoraproject.org.
Setting this to just $alias_maps will just treat aliases as valid
and ignore all the local users. This should be fine as we use
aliases to send even to root or other system users.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
