Moved to https://forge.fedoraproject.org/infra/ansible

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

README.md

@@ -1,143 +1,3 @@
-Fedora Infrastructure
-=====================
-
-Welcome! This is the Fedora Infrastructure Ansible Pagure project.
-
-Pull requests and forks can be made against this repository hosted
-at https://pagure.io/fedora-infra/ansible
-
-This repository is also mirrored for production runs to
-https://infrastructure.fedoraproject.org/infra/ansible/
-but this is the working repository where changes are made.
-
-If you would like to help out with Fedora Infrastructure, see:
-
-* https://docs.fedoraproject.org/en-US/infra/gettingstarted/
-* https://docs.fedoraproject.org/en-US/infra/apprentice/
-
-Ansible repository/structure
-----------------------------
-
-```
-files - files and templates for use in playbooks/tasks
-      - subdirs for specific tasks/dirs highly recommended
-
-inventory - where the inventory and additional vars is stored
-          - All files in this directory in ini format
-          - added together for total inventory
-  group_vars:
-          - per group variables set here in a file per group
-  host_vars:
-          - per host variables set here in a file per host
-
-library - library of custom local ansible modules
-
-playbooks - collections of plays we want to run on systems
-
-  groups: groups of hosts configured from one playbook.
-
-  hosts: playbooks for single hosts.
-
-  manual: playbooks that are only run manually by an admin as needed.
-
-tasks - snippets of tasks that should be included in plays
-
-roles - specific roles to be use in playbooks.
-        Each role has it's own files/templates/vars
-
-filter_plugins - Jinja filters
-
-main.yml - This is the main playbook, consisting of all
-             current group and host playbooks. Note that the
-             daily cron doesn't run this, it runs even over
-             playbooks that are not yet included in main.
-             This playbook is usefull for making changes over
-             multiple groups/hosts usually with -t (tag).
-```
-
-Paths
------
-
-The public path on batcave01 (our control host) for everything is `/srv/web/infra/ansible`
-
-The private path on batcave01 (our control host) (which is sysadmin-main accessible only)
-is `/srv/private/ansible`
-
-In general to run any ansible playbook you will want to run:
-
-```
-sudo -i ansible-playbook /path/to/playbook.yml
-```
-
-(On batcave01, our control host)
-
-Scheduled check-diff
---------------------
-
-Every night a cron job runs over all playbooks under `playbooks/{groups}{hosts}`
-with `ansible --check --diff`. A report from this is sent to sysadmin-logs.
-In the ideal state this report would be empty.
-
-Idempotency
------------
-
-All playbooks should be idempotent. Ie, if run once they should bring the
-machine(s) to the desired state, and if run again N times after that they should
-make 0 changes (because the machine(s) are in the desired state).
-Please make sure your playbooks are idempotent.
-
-Can be run anytime
-------------------
-
-When a playbook or change is checked into ansible you should assume
-that it could be run at ***ANY TIME***. Always make sure the checked in state
-is the desired state. Always test changes when they land so they don't
-surprise you later.
-
-Contributing and Licensing
---------------------------
-
-Contributions to this repository are subject to the Fedora Project
-Contributor Agreement. If no license is specified, the MIT license is used, otherwise
-the contribution is under the specified acceptable Fedora License.
-See https://docs.fedoraproject.org/en-US/legal/fpca/
-for more information.
-
-Contributing Pull Requests
---------------------------
-
-If found a way to improve this repository or fix an issue found in our
-infrastructure tracker (see https://forge.fedoraproject.org/infra/tickets)
-open a pull-request.
-
-You either should have capability to run the playbooks after they have been reviewed,
-and merged or find the person responsible and work with them to make sure the changes
-will be aplied afterwards. 
-
-We are currently working on a simple to use list of Point Of Contanct people for the applications
-here, untill it is done, you can, look at people that recently edited the ansible files,
-or if you belong to sysadmin group, view the /etc/ansible_utils/rbac.yaml located on batcave01,
-where you can see the groups of people that have capabilities to run the relevant playbooks.
-
-For example, to upgrade Release Monitoring, you need to run playbook openshift-apps/release-monitoring.yaml.
-People in sysadmin-releasemonitoring have that capability, and you cand find the members in https://accounts.fedoraproject.org/group/sysadmin-releasemonitoring/
-
-If the application in question is not on the critical path it should be sufficient,
-if person responsible for the application reviews the PR.
-
-If the files in question are on the critical path, that are necessary for functioning packager workflow,
-at least two different people should review the PR.
-
-If there is any risk at all, that the application of the changes would induce downtime,
-work closely with other to ensure that the downtime is properly scheduled:
-
-- there is an issue in https://forge.fedoraproject.org/infra/tickets specifying the downtime
-- there is an email sent to the devel-list
-- https://status.fedoraproject.org is updated (see https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/status-fedora/)
-
-Applications on critical path: pagure, mirrormanager, toddlers, bodhi, noggin, mdapi, rpmautospec, pagure-dist-git, mirror_from_pagure, fedora-messaging, dist-git, PDC/FPDC, FMN, sigul
-robosignatory, tag2distrepo, ci-resultsdb-listener, stylo, mirrorlist
-resultsdb, Nagios, koschei, wiki / mediawiki, wiki / moin, waiverdb, 
-greenwave, ODCS, Mailman3 / HK, mailman 2, OSBS, pungi, koji, MBS, 
-IPA, rabbitmq, geoip,ipsilon
+This repo has moved to https://forge.fedoraproject.org/infra/ansible
 
+Please go there to make any changes.

files/scripts/updates-uptime-cmd.py

@@ -50,9 +50,6 @@ conf_term_keyword = 'underline'
 conf_term_time = 'underline'
 conf_term_title = 'italic'
 
-#  Use version cmp() for hostnames.
-conf_verscmp = True
-
 #  Use _ instead of , for number seperator.
 conf_num_sep_ = False
 
@@ -152,7 +149,7 @@ def _user_conf_line(line):
 
     key = 'conf_' + key.strip().lower()
     if key not in globals():
-        print(" Error: Configuration not found: ", key, file=sys.stderr)
+        print(" Warn: Configuration not found: ", key, file=sys.stderr)
         return
 
     if False: pass
@@ -189,42 +186,85 @@ def _user_conf_line(line):
         print(" Error: Configuration ", key,'bad op', file=sys.stderr)
         return
 
-# This isn't fast but it's SMALL:
-# Sort as: ABC1, ABC2, ABC10b, ...
-def verscmp(x, y):
-    if not conf_verscmp:
-        if x == y:
-            return 0
-        if x > y:
-            return 1
-        return -1
 
-    xc = re.split(r'(\d+|\W+)', x)
-    yc = re.split(r'(\d+|\W+)', y)
-    while xc and yc:
-        if xc[0] == yc[0]:
-            xc.pop(0)
-            yc.pop(0)
-            continue
+# This is kind of fast and kind of small. No re, and no allocation.
+# Sort as: 0, 00, 000, 01, 011, 1, 11, a01, a1, z01, z1, etc.
+def natcmp(x, y):
+    """ Natural sort string comparison.
+    https://en.wikipedia.org/wiki/Natural_sort_order
+    Aka. vercmp() """
 
-        if xc[0].isnumeric():
-            if not yc[0].isnumeric():
-                return 1
-            nx = int(xc[0])
-            ny = int(yc[0])
-            if nx != ny: # don't make 0 == 00 ... we aren't rpm.
-                return nx - ny
-        elif yc[0].isnumeric():
+    def _cmp_xy_mix(): # One is a digit, the other isn't.
+        if inum is not None: # 0/1 vs. x/.
+            return  1
+        if x[i] > y[i]:
+            return  1
+        else:
             return -1
 
-        # Neither numeric, but also 0 == 00 BS
-        if xc[0] > yc[0]:
-            return 1
+    inum = None
+    check_zeros = False
+    for i in range(min(len(x), len(y))):
+        if x[i] in "0123456789" and y[i] not in "0123456789":
+            return _cmp_xy_mix()
+        if x[i] not in "0123456789" and y[i] in "0123456789":
+            return _cmp_xy_mix()
+
+        if x[i] in "0123456789": # Both are digits...
+            if inum is None:
+                check_zeros = True
+                inum = 0
+
+            if check_zeros: # Leading zeros... (0 < 00 < 01 < 011 < 1 < 11)
+                if x[i] == '0' and y[i] == '0':
+                    continue
+                elif x[i] == '0':
+                    return -1
+                elif y[i] == '0':
+                    return  1
+                else:
+                    check_zeros = False
+
+            #  If we are already in a number, we only care about the length or
+            # the first digit that is different.
+            if inum != 0:
+                continue
+
+            if x[i] == y[i]:
+                continue
+
+            # Non-zero first digit, Eg. 7 < 9
+            inum = int(x[i]) - int(y[i])
+            continue
+
+        # Both are not digits...
+        if inum is not None and inum != 0:
+            return inum
+        inum = None
+
+        # Can be equal
+        if x[i] > y[i]:
+            return  1
+        if x[i] < y[i]:
+            return -1
+
+    if len(x) > len(y):
+        if inum is not None and inum != 0 and x[i+1] not in "0123456789":
+            return inum
+        return  1
+    if len(x) < len(y):
+        if inum is not None and inum != 0 and y[i+1] not in "0123456789":
+            return inum
         return -1
-    return len(xc) - len(yc)
+
+    if inum is None: # Same length, not in a num.
+        assert x == y
+        return 0 # So the strings are equal.
+
+    return inum
 
 
-class VerscmpString():
+class NatCmp():
     __slots__ = ['s',]
     def __init__(self, s):
         self.s = s
@@ -236,16 +276,14 @@ class VerscmpString():
         return self.s == other.s
 
     def __gt__(self, other):
-        ret = verscmp(self.s, other.s)
+        ret = natcmp(self.s, other.s)
         if ret > 0:
             return True
-        if False and ret < 0:
-            return False
         return False
 
-# Given a list of strings, sort them using verscmp()
-def _verscmp_strings(xs):
-    for ret in sorted(VerscmpString(x) for x in xs):
+# Given a list of strings, sort them using natcmp()
+def nat_sorted(xs):
+    for ret in sorted(NatCmp(x) for x in xs):
         yield ret.s
 
 
@@ -490,7 +528,7 @@ class Host():
         return True
 
     def __gt__(self, other):
-        ret = verscmp(self.name, other.name)
+        ret = natcmp(self.name, other.name)
         if ret > 0:
             return True
         if ret < 0:
@@ -1337,7 +1375,7 @@ def _cmd_stats(args):
     max_nhosts_lvl_2 = 0
     max_update_lvl_2 = 0
     max_uptime_lvl_2 = 0
-    for osi in _verscmp_strings(osdata['hosts']):
+    for osi in nat_sorted(osdata['hosts']):
         if '/' not in osi:
             max_nhosts_lvl_1 = max(max_nhosts_lvl_1, osdata['hosts'][osi])
             supd = osdata['updates'][osi] / osdata['hosts'][osi]
@@ -1385,7 +1423,7 @@ def _cmd_stats(args):
                 suf = _ui_t_high(suf)
             return uiosi, uinhosts, uiupdates, uiuptimes, uinpdates, uinptimes, suf
 
-    for osi in _verscmp_strings(osdata['hosts']):
+    for osi in nat_sorted(osdata['hosts']):
         if '/' not in osi:
             if len(osdata['vers'][osi]) == 1:
                 subprefix = ''
@@ -2003,7 +2041,7 @@ utf8: {conf_utf8}
 {_conf_utf8_diff_os} = Different OS information, but machine id is the same
 {_conf_utf8_diff_hw} = Machine id is different
 
- {_hlp_als("host")}
+ {_hlp_als("hosts")}
  Eg. {prog} {args.hcmd}
      {prog} {args.hcmd} 'batcave*'
      {prog} {args.hcmd} 'batcave*' 'noc*'

inventory/group_vars/copr_aws

@@ -25,6 +25,8 @@ builders:
   aws_reserved:
     aarch64: [50, 20, 33]
     x86_64: [58, 20, 52]
+  aws_reserved_powerful:
+    x86_64: [1, 1, 1]
   aws_powerful:
     aarch64: [10, 2, 0]
     x86_64: [10, 2, 1]
@@ -37,7 +39,7 @@ builders:
   ppc64le_hypervisor_02:
     ppc64le: [0, 4, 13]
   p09_hypervisor_01:
-    ppc64le: [0, 5, 31]
+    ppc64le: [15, 5, 15]
   p09_hypervisor_02:
     ppc64le: [15, 5, 15]
   p09_hypervisor_03:
@@ -45,13 +47,13 @@ builders:
   p09_hypervisor_04:
     ppc64le: [15, 5, 15]
   x86_hypervisor_01:
-    x86_64: [0, 4, 20]
+    x86_64: [20, 4, 20]
   x86_hypervisor_02:
-    x86_64: [0, 4, 20]
+    x86_64: [20, 4, 20]
   x86_hypervisor_03:
-    x86_64: [0, 4, 20]
+    x86_64: [20, 4, 20]
   x86_hypervisor_04:
-    x86_64: [0, 4, 20]
+    x86_64: [20, 4, 20]
 
   ibm_cloud_us_east_hp:
     s390x: [2, 1, 0]

inventory/group_vars/copr_dev_aws

@@ -38,7 +38,7 @@ builders:
   ppc64le_hypervisor_02:
     ppc64le: [0, 1, 1]
   p09_hypervisor_01:
-    ppc64le: [0, 1, 1]
+    ppc64le: [1, 1, 1]
   p09_hypervisor_02:
     ppc64le: [1, 1, 1]
   p09_hypervisor_03:
@@ -46,11 +46,11 @@ builders:
   p09_hypervisor_04:
     ppc64le: [1, 1, 1]
   x86_hypervisor_01:
-    x86_64: [0, 1, 1]
+    x86_64: [2, 1, 1]
   x86_hypervisor_02:
-    x86_64: [0, 1, 1]
+    x86_64: [2, 1, 1]
   x86_hypervisor_03:
-    x86_64: [0, 1, 1]
+    x86_64: [2, 1, 1]
   x86_hypervisor_04:
     x86_64: [2, 1, 1]
 

inventory/group_vars/nagios

@@ -34,8 +34,12 @@ rdu3_external:
   - ns-iad02.fedoraproject.org
   - pkgs.fedoraproject.org
   - proxy01.fedoraproject.org
+  - proxy03.fedoraproject.org
   - proxy10.fedoraproject.org
+  - proxy14.fedoraproject.org
   - secondary01.fedoraproject.org
+  - smtp-mm-iso01.fedoraproject.org
+  - storinator01.fedoraproject.org
 #
 # This is a list of hosts which are in the RDU3 160 mgmt network
 # we do not have them in ansible because it tries to connect

inventory/group_vars/proxies

@@ -84,6 +84,7 @@ nft_block_rules:
   - 'add rule ip filter INPUT ip saddr 101.47.184.0/21  counter reject'
   - 'add rule ip filter INPUT ip saddr 101.47.185.0/24  counter reject'
   - 'add rule ip filter INPUT ip saddr 101.47.186.0/23  counter reject'
+  - 'add rule ip filter INPUT ip saddr 34.159.191.146/32  counter reject'
 nft_custom_rules:
   # Need for rsync from log01 for logs.
   - 'add rule ip filter INPUT ip saddr 10.16.163.39     tcp dport 873 counter accept'

inventory/hardware

@@ -76,11 +76,12 @@ backup01.rdu3.fedoraproject.org
 [powerpc]
 #bvmhost-p09-01.stg.rdu3.fedoraproject.org
 bvmhost-p09-05.rdu3.fedoraproject.org
-vmhost-p08-copr01.rdu-cc.fedoraproject.org
-vmhost-p08-copr02.rdu-cc.fedoraproject.org
-vmhost-p09-copr01.rdu3.fedoraproject.org
 bvmhost-p10-01.rdu3.fedoraproject.org
 bvmhost-p10-02.rdu3.fedoraproject.org
+vmhost-p09-copr01.rdu3.fedoraproject.org
+vmhost-p09-copr02.rdu3.fedoraproject.org
+vmhost-p09-copr03.rdu3.fedoraproject.org
+vmhost-p09-copr04.rdu3.fedoraproject.org
 
 [appliedmicro]
 bvmhost-a64-01.stg.rdu3.fedoraproject.org

inventory/host_vars/buildhw-x86-02.rdu3.fedoraproject.org

@@ -4,6 +4,7 @@ dns1: 10.16.163.33
 br0_ipv4_ip: 10.16.169.32
 br0_ipv4_gw: 10.16.169.254
 br0_ipv4_nm: 24
+freezes: false
 has_ipv4: yes
 has_ipv6: no
 mac0: c4:cb:e1:e1:5c:02

inventory/host_vars/logdetective01.fedorainfracloud.org

@@ -15,7 +15,7 @@ drive_device: 38e6c8c2-5747-47bf-b3d2-9f0dea371edc
 
 datacenter: aws
 devel: false
-root_auth_users: msuchy frostyx praiskup nikromen ttomecek jpodivin sgallagh mmassari
+root_auth_users: msuchy frostyx praiskup nikromen ttomecek jpodivin sgallagh mmassari jmatufka
 
 nrpe_client_uid: 500
 

inventory/host_vars/logdetective02.fedorainfracloud.org

@@ -15,7 +15,7 @@ drive_device: c62e20b2-3388-459f-87ff-aa937d6a9318
 
 datacenter: aws
 devel: false
-root_auth_users: msuchy frostyx praiskup nikromen ttomecek jpodivin sgallagh mmassari
+root_auth_users: msuchy frostyx praiskup nikromen ttomecek jpodivin sgallagh mmassari jmatufka
 
 nagios_Can_Connect: false
 nagios_Check_Services:

inventory/host_vars/storinator01.rdu3.fedoraproject.org

@@ -10,10 +10,10 @@ br0_ipv4_nm: 24
 freezes: false
 has_ipv4: true
 has_ipv6: false
-mac0: 00:25:90:bb:d1:a0
-mac1: 00:25:90:bb:d1:a1
-mac2: 0c:c4:7a:ea:9d:9c
-mac3: 0c:c4:7a:ea:9d:9d
+mac0: ac:1f:6b:b0:6a:12
+mac1: ac:1f:6b:b0:6a:13
+mac2: ac:1f:6b:ac:67:ec
+mac3: ac:1f:6b:ac:67:ed
 network_connections:
    # Bridge profile
    - name: br0

inventory/host_vars/vmhost-p09-copr01.rdu3.fedoraproject.org

@@ -6,8 +6,11 @@ br0_ipv6_ip: 2620:52:6:1161::10
 br0_ipv6_gw: 2620:52:6:1161::1
 br0_ipv6_nm: 64
 datacenter: rdu3
+dns1: 10.16.163.33
+dns2: 10.16.163.34
+dns_search2: "rdu3.fedoraproject.org"
+dns_search3: "fedoraproject.org"
 has_ipv4: yes
-has_ipv6: yes
 nbde: false
 mac0: "08:94:ef:81:d0:aa"
 mac1: "08:94:ef:81:d0:ab"
@@ -15,8 +18,9 @@ mac2: "b8:ce:f6:c6:00:c6"
 mac3: "b8:ce:f6:c6:00:c7"
 mac4: "b8:ce:f6:c6:00:d0"
 mac5: "b8:ce:f6:c6:00:d1"
+libvirt_host: "[{{ br0_ipv6_ip }}]"
 libvirt_pool: vmhost_p09_01
-libvirt_pool_order_id: 6
+libvirt_pool_order_id: 4
 libvirt_arch: ppc64le
 network_connections:
    # Bridge profile
@@ -37,6 +41,7 @@ network_connections:
         - "{{ dns_search1 }}"
         - "{{ dns_search2 }}"
       gateway4: "{{ br0_ipv4_gw }}"
+      gateway6: "{{ br0_ipv6_gw }}"
    # Bond profile
    - name: bond0
      type: bond

inventory/host_vars/vmhost-x86-copr01.rdu3.fedoraproject.org

@@ -19,7 +19,8 @@ mac5: b4:96:91:63:3b:e9
 mac6: b4:96:91:63:3b:ea 
 mac7: b4:96:91:63:3b:eb
 mac8: f4:02:70:d3:15:95
-libvirt_pool: copr_hv_x86_64_01
+libvirt_host: "[{{ br0_ipv6_ip }}]"
+libvirt_pool: vmhost_x86_01
 libvirt_pool_order_id: 7
 libvirt_arch: x86_64
 network_connections:

inventory/host_vars/vmhost-x86-copr02.rdu3.fedoraproject.org

@@ -18,7 +18,8 @@ mac4: b4:96:91:63:3b:9d
 mac5: 84:16:0c:bc:24:e0
 mac6: b4:96:91:63:3b:9e
 mac7: b4:96:91:63:3b:9f
-libvirt_pool: copr_hv_x86_64_02
+libvirt_host: "[{{ br0_ipv6_ip }}]"
+libvirt_pool: vmhost_x86_02
 libvirt_pool_order_id: 8
 libvirt_arch: x86_64
 network_connections:

inventory/host_vars/vmhost-x86-copr03.rdu3.fedoraproject.org

@@ -18,7 +18,8 @@ mac4: "b4:96:91:63:3b:50"
 mac5: "b4:96:91:63:3b:51"
 mac6: "b4:96:91:63:3b:52"
 mac7: "b4:96:91:63:3b:53"
-libvirt_pool: copr_hv_x86_64_03
+libvirt_host: "[{{ br0_ipv6_ip }}]"
+libvirt_pool: vmhost_x86_03
 libvirt_pool_order_id: 9
 libvirt_arch: x86_64
 network_connections:

playbooks/groups/batcave.yml

@@ -35,10 +35,10 @@
     user_name: "batcave{{ env_suffix }}"
     user_sent_topics: ^org\.fedoraproject\.{{ env_short }}\.(ansible|git|infragit|logger)\..*
   - role: rabbit/queue
-    queue_username: "mirror_pagure_ansible{{ env_suffix }}"
-    queue_name: "mirror_pagure_ansible{{ env_suffix }}"
+    queue_username: "mirror_forge_ansible{{ env_suffix }}"
+    queue_name: "mirror_forge_ansible{{ env_suffix }}"
     queue_routing_keys:
-    - "io.pagure.*.pagure.git.receive"
+    - "org.fedoraproject.prod.forgejo.push"
     queue_thresholds:
       warning: 10
       critical: 100
@@ -48,7 +48,7 @@
     when: datacenter == 'rdu3'
   - { role: nfs/client, when: inventory_hostname.startswith('batcave'), mnt_dir: '/srv/web/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
   - { role: nfs/client, when: inventory_hostname.startswith('batcave01'), mnt_dir: '/mnt/fedora/app', nfs_src_dir: 'fedora_app/app' }
-  - { role: mirror_pagure_ansible, tags: ['mirror_pagure_ansible'] }
+  - { role: mirror_forge_ansible, tags: ['mirror_forge_ansible'] }
   - kickstarts
 
   pre_tasks:

playbooks/groups/copr-hypervisor.yml

@@ -38,7 +38,9 @@
     - import_role: name=openvpn/client
     - import_role: name=zabbix/zabbix_agent
     - import_role: name=ipa/client
-    - import_role: name=copr/hypervisor
+    - import_role:
+        name: copr/hypervisor
+      tags: copr_hypervisor
     - {import_role: name=linux-system-roles.nbde_client, tags: ['nbde_client'], when: (nbde|bool) }
 
 

playbooks/openshift-apps/fedora-coreos-pipeline.yml

@@ -14,6 +14,7 @@
     project_description: Fedora CoreOS Pipeline
     appowners:
     - aaradhak
+    - acervera
     - afrosi
     - azukku
     - bipinbn

roles/anubis-el/files/anubis.service

@@ -3,19 +3,13 @@ Description=Anubis Container
 
 [Service]
 User=anubis
-Environment=DIFFICULTY=4
-Environment=METRICS_BIND=":9090"
-Environment=SERVE_ROBOTS_TXT="true"
-Environment=TARGET=http://localhost:3001
-Environment=POLICY_FNAME="/data/cfg/botPolicy.yaml"
-Environment=OG_PASSTHROUGH="true"
-Environment=OG_EXPIRY_TIME="24h"
 ExecStartPre=-/usr/bin/podman stop -t 1 %n
 ExecStartPre=-/usr/bin/podman rm %n --force
 ExecStart=/usr/bin/podman run \
             --net=host --userns=keep-id \
             --rm=true --name %n \
-            -v /srv/anubis:/data/ \
+            -v /srv/anubis:/srv/anubis \
+            --env-file=/srv/anubis/cfg/env \
             --publish 8923:8923 \
             ghcr.io/techarohq/anubis:latest
 ExecStop=/usr/bin/podman stop -t 1 %n

roles/anubis-el/files/botPolicy.yaml

@@ -12,6 +12,12 @@ bots:
     weight:
       adjust: 20
     path_regex: ^/fork/
+  - name: allow POSTs
+    expression: method == "POST"
+    action: ALLOW
+  - name: cloudfront
+    user_agent_regex: ".*CloudFront.*"
+    action: ALLOW
   # allow Pagure attachment files (referenced from Fedora Forge)
   - name: pagure attachment files
     path_regex: ^/.+?/issue/raw/files/

roles/anubis-el/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart anubis-el
+  service:
+    name: anubis
+    state: restarted

roles/anubis-el/tasks/main.yml

@@ -78,10 +78,31 @@
     owner: root
     group: root
     mode: '0644'
+  notify:
+  - Restart anubis-el
   tags:
   - config
   - anubis
 
+- name: Set SELinux context for anubis directory
+  community.general.sefcontext:
+    target: "/srv/anubis(/.*)?"
+    setype: container_file_t
+    state: present
+  tags:
+  - config
+  - anubis
+  - selinux
+
+- name: Apply SELinux changes to anubis directory
+  ansible.builtin.command: restorecon -irv "/srv/anubis/"
+  register: restorecon_output
+  changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0
+  tags:
+  - config
+  - anubis
+  - selinux
+
 # This service calls podman to pull the anubis container,
 # then sets various env variables for the service and runs it.
 
@@ -98,6 +119,16 @@
   notify:
   - Reload systemd
 
+- name: Add the anubis env file
+  ansible.builtin.template:
+    src: env.j2
+    dest: /srv/anubis/cfg/env
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+  - Restart anubis-el
+
 - name: Enable and make sure pod is started
   ansible.builtin.systemd:
     name: anubis

roles/anubis-el/templates/env.j2

@@ -0,0 +1,10 @@
+DIFFICULTY=4
+METRICS_BIND=:9090
+SERVE_ROBOTS_TXT=true
+TARGET=http://localhost:3923
+POLICY_FNAME=/srv/anubis/cfg/botPolicy.yaml
+OG_PASSTHROUGH=true
+OG_EXPIRY_TIME=24h
+{% if inventory_hostname in groups['download'] %}
+ED25519_PRIVATE_KEY_HEX={{ anubis_dl_ed25519_key }}
+{% endif %}

roles/anubis/templates/policies.yaml.j2

@@ -15,6 +15,9 @@ bots:
   - name: bodhi and badges rss feeds
     path_regex: /rss/
     action: ALLOW
+  - name: allow POSTs
+    expression: method == "POST"
+    action: ALLOW
   - name: allow ostree
     path_regex: ^/ostree
     action: ALLOW
@@ -36,6 +39,9 @@ bots:
   - name: productmd
     user_agent_regex: productmd
     action: ALLOW
+  - name: zchunk
+    path_regex: '.*zck'
+    action: ALLOW
   - name: atlassian
     user_agent_regex: Atlassian-Jira-Automation/*
     action: ALLOW

roles/batcave/files/centos-10-sync

@@ -23,4 +23,4 @@ ${RSYNC} ${RS_OPT} ${RS_DEADLY} ${CENT_EXCLUDES} ${SERVER}::${RSYNC_MOD} ${RSYNC
 # resembles RHEL 10.x for the epel10.x-build tag to use temporarily until the
 # actual RHEL 10.x is released.
 # https://forge.fedoraproject.org/infra/tickets/12394
-#${RSYNC} ${RS_OPT} ${RS_DEADLY} --link-dest=${RSYNC_DESTDIR} ${RSYNC_DESTDIR} ${RSYNC_SNAPDIR}
+${RSYNC} ${RS_OPT} ${RS_DEADLY} --link-dest=${RSYNC_DESTDIR} ${RSYNC_DESTDIR} ${RSYNC_SNAPDIR}

roles/copr/backend/tasks/resalloc.yml

@@ -45,11 +45,6 @@
         set -- $(echo "$decoded")
         IP=$1
       fi
-      case $RESALLOC_NAME in
-      *vmhost_p09_02_prod_01867876_20260202_151259*)
-        exit 0
-        ;;
-      esac
       ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=10 "${SSH_USER-root}@$IP" true
     mode: "0755"
     dest: /usr/local/bin/resalloc-check-vm-ip

roles/copr/backend/templates/resalloc/pools.yaml.j2

@@ -15,7 +15,7 @@
 #   default priority is 0
 #   reserved instances in cloud has > 0
 #   on-premise instance < 0
-#   high performance instances <= 40
+#   high performance instances <= - 40
 #
 # - if you need to drop a pool, it requires you to do a few steps:
 #   a) first evacutate the pool by setting `max: 0`,
@@ -26,7 +26,7 @@
 
 {% macro aws(arch, max, max_starting, max_prealloc, spot=False, on_demand=none, priority=0, reserved=False) %}
 aws_{{ arch }}_{{ on_demand + '_' if on_demand is not none else '' }}{% if spot %}spot{% else %}normal{% endif %}{% if reserved %}reserved{% endif %}_{% if devel %}dev{% else %}prod{% endif %}:
-{% if on_demand %}
+{% if on_demand and not reserved %}
     max: 10
     max_starting: 4
 {% elif reserved and devel %}
@@ -195,7 +195,7 @@ copr_osuosl_{% if cpu == "p10" %}p10{% else %}p09{% endif %}_{% if on_demand %}{
 {% endmacro %}
 
 # x86_64 hypervisors
-{% for hv in ["04"] %}
+{% for hv in ["01", "02", "03", "04"] %}
 {% if "x86_hypervisor_" + hv in builders %}
 vmhost_x86_{{ hv }}_{% if devel %}dev{% else %}prod{% endif %}:
     max: {{ builders["x86_hypervisor_" + hv]["x86_64"][0] }}
@@ -467,11 +467,18 @@ copr_ic_s390x_{{ zone }}_{% if devel %}dev{% else %}prod{% endif %}:
 #### High performance builders
 # priority should be less than any other normal builder. i.e., <= -40
 
+# aws(arch, max, max_starting, max_prealloc, spot=False, on_demand=none, priority=0, reserved=False)
+{% if not devel %}
+{{ aws('x86_64', builders.aws_reserved_powerful.x86_64[0], builders.aws_reserved_powerful.x86_64[1],
+       builders.aws_reserved_powerful.x86_64[2], on_demand='powerful', reserved=True, priority=-40) }}
+{% endif %}
+
+
 {{ aws('x86_64', builders.aws_powerful.x86_64[0], builders.aws_powerful.x86_64[1],
-       builders.aws_powerful.x86_64[2], spot=True, on_demand='powerful', priority=-40) }}
+       builders.aws_powerful.x86_64[2], spot=True, on_demand='powerful', priority=-50) }}
 
 {{ aws('aarch64', builders.aws_powerful.aarch64[0], builders.aws_powerful.aarch64[1],
-       builders.aws_powerful.aarch64[2], spot=True, on_demand='powerful', priority=-40) }}
+       builders.aws_powerful.aarch64[2], spot=True, on_demand='powerful', priority=-50) }}
 
 {{ aws('x86_64', builders.aws_powerful.x86_64[0], builders.aws_powerful.x86_64[1],
        builders.aws_powerful.x86_64[2], on_demand='powerful', priority=-60) }}

roles/copr/frontend/templates/copr.conf

@@ -280,10 +280,6 @@ EXTRA_BUILDCHROOT_TAGS = [{
     # powerful builders for RISC-V team - specific packages
     "pattern": "@forge-riscv-members/.*/.*riscv64/(kernel|gcc|llvm|clang).*",
     "tags": ["on_demand_powerful"],
-}, {
-    # powerful builders for RISC-V team - repos ending with _kernel
-    "pattern": "@forge-riscv-members/.*_kernel/.*riscv64/.*",
-    "tags": ["on_demand_powerful"],
 }]
 {% endif %}
 
@@ -294,6 +290,10 @@ USAGE_TREEMAP_TEAMS = {
     "Python-team": ["@python", "thrnciar", "torsava", "encukou", "cstratak", "churchyard"],
 }
 
+# What storage should be set for new projects.
+# Possible options are "backend" and "pulp"
+DEFAULT_STORAGE = "pulp"
+
 PULP_CONTENT_URL = '{{ backend_base_url }}/results/'
 
 

roles/distgit/pagure/templates/fedora-messaging.toml

@@ -11,6 +11,8 @@ topic_prefix = "org.fedoraproject.stg"
 topic_prefix = "org.fedoraproject.prod"
 {% endif %}
 
+publish_exchange = "amq.topic"
+
 [tls]
 ca_cert = "/etc/pki/rabbitmq/pagurecert/src.fp.o.ca"
 keyfile = "/etc/pki/rabbitmq/pagurecert/src.fp.o.key"

roles/distgit/pagure/templates/pagure.cfg

@@ -40,7 +40,7 @@ DB_URL = 'postgresql://{{ distgit_pagure_db_user }}:{{ distgit_pagure_db_pass }}
 
 # Something breaks the database connections after a while, recycle them sooner
 # https://forge.fedoraproject.org/infra/tickets/12622
-DB_POOL_RECYCLE = 600
+DB_POOL_RECYCLE = 300
 
 ### FAS groups of pagure admins
 ADMIN_GROUP = ['cvsadmin', 'sysadmin-main']

roles/download/templates/httpd/dl.fedoraproject.org.conf

@@ -32,6 +32,11 @@
    SSLProtocol {{ ssl_protocols }}
    SSLCipherSuite {{ ssl_ciphers }}
 
+  RewriteEngine On
+  RewriteCond %{REQUEST_URI} ^/pub/alt/virtio-win/.*$
+  RewriteRule .* - [F]
+
+
   # proxy all requests to anubis after ssl termination
 
   RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}

roles/hosts/files/storinator01.rdu3.fedoraproject.org-hosts

@@ -0,0 +1,9 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+
+# Map canonical names of IPA servers to their VPN IP addresses
+192.168.1.156   ipa01.rdu3.fedoraproject.org
+192.168.1.157   ipa02.rdu3.fedoraproject.org
+192.168.1.162   ipa03.rdu3.fedoraproject.org
+
+10.16.163.31    gateway

roles/logdetective/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
-- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
+- name: Import common cloud setup tasks
+  ansible.builtin.import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
 
 - name: Install basic packages
   ansible.builtin.dnf:
@@ -19,10 +20,11 @@
   ansible.builtin.get_url:
     url: https://developer.download.nvidia.com/compute/cuda/repos/fedora41/x86_64/cuda-fedora41.repo
     dest: /etc/yum.repos.d/
+    mode: "0644"
   tags:
     - cuda_installation
 
-- name: install cuda
+- name: Install cuda
   ansible.builtin.package:
     name: cuda-toolkit-12
   register: cuda_installation
@@ -31,12 +33,12 @@
 
 - name: Restart the system
   ansible.builtin.reboot:
-  when: cuda_installation.changed
+  when: cuda_installation.changed # noqa: no-handler
   tags:
     - cuda_installation
 
 - name: Ensure state of secondary drive
-  ignore_errors: true
+  ignore_errors: true # noqa: ignore-errors
   when:
     - drive_device is defined
   block:
@@ -44,6 +46,7 @@
       ansible.builtin.file:
         path: /mnt/srv
         state: directory
+        mode: "0755"
 
     - name: Mount the drive on boot
       ansible.posix.mount:
@@ -74,6 +77,7 @@
         block: |
           export HUGGINGFACE_HUB_CACHE=/mnt/srv/.cache/huggingface
           export PIP_CACHE_DIR=/mnt/srv/.cache/pip
+        mode: "0644"
 
     - name: Set up CUDA binary paths
       ansible.builtin.lineinfile:
@@ -85,6 +89,7 @@
         path: /etc/profile.d/models.sh
         line: export MODELS_PATH=/mnt/srv/models/
         create: true
+        mode: "0644"
 
     # TODO Configure Podman to store data on our secondary drive in
     # /mnt/srv/containers_storage/
@@ -108,13 +113,16 @@
 
 
 - name: Stop and disable nftables service
-  systemd:
+  ansible.builtin.systemd:
     name: nftables
     state: stopped
     enabled: false
 
 - name: Start firewalld so that we can allow ports more easily
-  systemd: state=started name=firewalld enabled=yes
+  ansible.builtin.systemd:
+    name: firewalld
+    state: started
+    enabled: true
 
 - name: Allow accessing 443 from the outside
   ansible.posix.firewalld:
@@ -122,6 +130,12 @@
     permanent: true
     state: enabled
 
+- name: Allow accessing 8090 from the outside for Packit Interface
+  ansible.posix.firewalld:
+    port: 8090/tcp
+    permanent: true
+    state: enabled
+
 - name: Allow HTTP and HTTPS in firewall
   ansible.posix.firewalld:
     service: "{{ item }}"

roles/mailman3/templates/settings.py.j2

@@ -300,6 +300,7 @@ Q_CLUSTER = {
 #
 REST_FRAMEWORK = {
     'PAGE_SIZE': 10,
+    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
     'DEFAULT_RENDERER_CLASSES': [
         'rest_framework.renderers.JSONRenderer',
     ],

roles/mirror_forge_ansible/tasks/main.yml

@@ -0,0 +1,125 @@
+---
+- name: Install packages
+  ansible.builtin.package: state=present name={{ item }}
+  with_items:
+  - fedora-messaging
+  - git
+  tags:
+  - packages
+  - mirror_forge_ansible
+
+
+# Create the user the service will run under
+
+- name: Setup forge user
+  user:
+    name: mirror_forge_ansible
+    shell: /sbin/nologin
+    comment: "mirror_forge_ansible User"
+  tags:
+  - mirror_forge_ansible
+  - mirror_forge_ansible/user
+
+
+# Ensure the user can write to where we want to store the mirror
+- name: Give access to mirror_forge_ansible to /srv
+  ansible.builtin.command: setfacl -m d:u:mirror_forge_ansible:rwx /srv -m u:mirror_forge_ansible:rwx /srv/
+  tags:
+  - config
+  - mirror_forge_ansible
+
+
+# configure all the fedora-messaging files
+
+- name: Create /etc/pki/fedora-messaging
+  ansible.builtin.file:
+    dest: /etc/pki/fedora-messaging
+    mode: "0775"
+    owner: root
+    group: root
+    state: directory
+  tags:
+  - config
+  - mirror_forge_ansible
+
+- name: Deploy forge/rabbitmq certificate
+  ansible.builtin.copy: src={{ item.src }}
+        dest=/etc/pki/fedora-messaging/{{ item.dest }}
+        owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }}
+  with_items:
+    - src: "{{private}}/files/rabbitmq/production/pki/issued/mirror_forge_ansible{{env_suffix}}.crt"
+      dest: mirror_forge_ansible.crt
+      owner: mirror_forge_ansible
+      group: mirror_forge_ansible
+      mode: "0644"
+    - src: "{{private}}/files/rabbitmq/production/pki/private/mirror_forge_ansible{{env_suffix}}.key"
+      dest: mirror_forge_ansible.key
+      owner: mirror_forge_ansible
+      group: mirror_forge_ansible
+      mode: "0600"
+    - src: "{{private}}/files/rabbitmq/production/ca-combined.crt"
+      dest: cacert.pem
+      owner: mirror_forge_ansible
+      group: mirror_forge_ansible
+      mode: "0644"
+  tags:
+  - forge
+  - fedora-messaging
+
+- name: Setup mirror_forge_ansible fedora-messaging config
+  ansible.builtin.template:
+    src: mirror_forge_ansible.cfg
+    dest: /etc/fedora-messaging/mirror_forge_ansible.toml
+    owner: mirror_forge_ansible
+    group: mirror_forge_ansible
+    mode: "0640"
+  tags:
+  - config
+  - mirror_forge_ansible
+
+
+# Install the script
+
+- name: Create /usr/local/libexec/mirror_forge_ansible
+  ansible.builtin.file:
+    dest: /usr/local/libexec/mirror_forge_ansible
+    mode: "0775"
+    owner: root
+    group: root
+    state: directory
+  tags:
+  - config
+  - mirror_forge_ansible
+
+- name: Install the consumer
+  ansible.builtin.template:
+    src: mirror_from_forge_bus.py
+    dest: /usr/local/libexec/mirror_forge_ansible/mirror_from_forge_bus.py
+  tags:
+  - packages
+  - mirror_forge_ansible
+
+
+# Install and start the service
+
+- name: Install the dedicated service file for mirror_forge_ansible
+  ansible.builtin.template:
+    src: mirror_forge_ansible.service
+    dest: /etc/systemd/system/mirror_forge_ansible.service
+    owner: root
+    group: root
+    mode: "0755"
+  notify:
+  - Reload systemd
+  tags:
+  - config
+  - mirror_forge_ansible
+
+- name: Enable and started the service
+  service:
+    name: mirror_forge_ansible.service
+    enabled: yes
+    state: started
+  tags:
+  - config
+  - mirror_forge_ansible

roles/mirror_forge_ansible/templates/mirror_forge_ansible.cfg

@@ -0,0 +1,86 @@
+amqp_url = "amqps://mirror_forge_ansible{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
+
+publish_exchange = "amq.topic"
+passive_declares = true
+
+callback = "mirror_from_forge_bus:MirrorFromForge"
+
+# Don't use topic_prefix, since outgoing message topics are derived from incoming messages.
+# topic_prefix = ""
+
+[[bindings]]
+{% if inventory_hostname.startswith('batcave01') %}
+queue = "mirror_forge_ansible{{ env_suffix }}"
+{% endif %}
+exchange = "amq.topic"
+routing_keys = [
+    "org.fedoraproject.prod.forgejo.push",
+]
+
+[tls]
+ca_cert = "/etc/pki/fedora-messaging/cacert.pem"
+keyfile = "/etc/pki/fedora-messaging/mirror_forge_ansible.key"
+certfile = "/etc/pki/fedora-messaging/mirror_forge_ansible.crt"
+
+[client_properties]
+app = "mirror_from_forge"
+app_url = "https://forge.fedoraproject.org/infra/mirror_from_forge"
+app_contacts_email = ["pingou@fedoraproject.org"]
+
+{% if inventory_hostname.startswith('batcave01') %}
+[queues."mirror_forge_ansible{{ env_suffix }}"]
+{% endif %}
+durable = true
+auto_delete = false
+exclusive = false
+arguments = {}
+
+[consumer_config]
+mirror_folder = "/srv/git/mirrors/"
+trigger_names = ["infra/ansible"]
+urls = [
+    "https://forge.fedoraproject.org/infra/ansible.git",
+]
+
+[qos]
+prefetch_size = 0
+prefetch_count = 25
+
+[log_config]
+version = 1
+disable_existing_loggers = true
+
+[log_config.formatters.simple]
+format = "[%(levelname)s %(name)s] %(message)s"
+
+[log_config.handlers.console]
+class = "logging.StreamHandler"
+formatter = "simple"
+stream = "ext://sys.stdout"
+
+[log_config.loggers.fedora_messaging]
+level = "INFO"
+propagate = false
+handlers = ["console"]
+
+[log_config.loggers.twisted]
+level = "INFO"
+propagate = false
+handlers = ["console"]
+
+[log_config.loggers.pika]
+level = "WARNING"
+propagate = false
+handlers = ["console"]
+
+# If your consumer sets up a logger, you must add a configuration for it
+# here in order for the messages to show up. e.g. if it set up a logger
+# called 'example_printer', you could do:
+[log_config.loggers.mirror_from_forge_bus]
+level = "DEBUG"
+propagate = false
+handlers = ["console"]
+
+[log_config.root]
+level = "ERROR"
+handlers = ["console"]

roles/mirror_forge_ansible/templates/mirror_forge_ansible.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Fedora Messaging consumer
+Documentation=http://fedora-messaging.readthedocs.io/
+
+[Service]
+Type=simple
+Environment="PYTHONPATH=/usr/local/libexec/mirror_forge_ansible"
+ExecStart=/usr/bin/fedora-messaging --conf /etc/fedora-messaging/mirror_forge_ansible.toml consume
+Restart=on-failure
+User=mirror_forge_ansible
+Group=mirror_forge_ansible
+
+[Install]
+WantedBy=multi-user.target
+

roles/mirror_forge_ansible/templates/mirror_from_forge_bus.py

@@ -0,0 +1,148 @@
+"""
+This script runs in a loop and clone or update the clone of the ansible repo
+hosted in forge.fp.o
+"""
+from __future__ import print_function
+
+import logging
+import os
+import subprocess
+import time
+
+from fedora_messaging import config, message
+
+_msg_topic = "org.fedoraproject.prod.forgejo.push"
+
+# "pagure" or "forgejo"
+_msg_from = "forgejo"
+
+_log = logging.getLogger("mirror_from_forge_bus")
+
+
+def run_command(command, cwd=None):
+    """ Run the specified command in a specific working directory if one
+    is specified.
+
+    :arg command: the command to run
+    :type command: list
+    :kwarg cwd: the working directory in which to run this command
+    :type cwd: str or None
+    """
+    output = None
+    try:
+        output = subprocess.check_output(command, cwd=cwd, stderr=subprocess.PIPE)
+    except subprocess.CalledProcessError as e:
+        _log.error("Command `%s` return code: `%s`", " ".join(command), e.returncode)
+        _log.error("Output:\n------\n%s", e.output)
+        # To enable when we move to python3
+        # _log.error("stdout:\n-------\n%s", e.stdout)
+        # _log.error("stderr:\n-------\n%s", e.stderr)
+        raise
+
+    return output
+
+
+class MirrorFromForge(object):
+    """
+    A fedora-messaging consumer update a local mirror of a repo hosted on
+    forge.fp.o
+
+    Three configuration key is used from fedora-messaging's
+    "consumer_config" key:
+     - "mirror_folder", which indicates where mirrors should be store
+     - "urls", which is a list of mirrors to keep up to date
+     - "triggers_name", the fullname of the project (ie: name or namespace/name)
+       that we want to trigger a refresh of our clone on
+
+     ::
+
+        [consumer_config]
+        mirror_folder = "mirrors"
+        trigger_names = ["infra/ansible"]
+        urls = ["https://forge.fp.o/infra/ansible.git"]
+    """
+
+    def __init__(self):
+        """Perform some one-time initialization for the consumer."""
+        self.path = config.conf["consumer_config"]["mirror_folder"]
+        self.urls = config.conf["consumer_config"]["urls"]
+        self.trigger_names = config.conf["consumer_config"]["trigger_names"]
+
+        if not os.path.exists(self.path):
+            raise OSError("No folder %s found on disk" % self.path)
+
+        _log.info("Ready to consume and trigger on %s", self.trigger_names)
+
+        msg = message.Message
+        msg.topic = _msg_topic
+        if _msg_from is None:
+            pass
+        elif _msg_from == "forgejo": # Lots of things missing here...
+            msg.body = {"repository": {"full_name": self.trigger_names[0]}}
+        elif _msg_from == "pagure":
+            msg.body = {"repo": {"fullname": self.trigger_names[0]}}
+        self.__call__(message=msg)
+
+    def __call__(self, message, cnt=0):
+        """
+        Invoked when a message is received by the consumer.
+
+        Args:
+            message (fedora_messaging.api.Message): The message from AMQP.
+        """
+        _log.info("Received topic: %s", message.topic)
+        if message.topic == _msg_topic:
+            #  In theory we could try both here, but it might be confusing later
+            # so just use _msg_from and try one.
+            if _msg_from is None:
+                pass
+            elif _msg_from == "forgejo":
+                repo_name = message.body.get("repository", {}).get("full_name")
+            elif _msg_from == "pagure":
+                repo_name = message.body.get("repo", {}).get("fullname")
+            if repo_name not in self.trigger_names:
+                _log.info("%s is not a forge repo of interest, bailing", repo_name)
+                return
+        else:
+            _log.info("Unexpected topic received: %s", message.topic)
+            return
+
+        try:
+            for url in self.urls:
+                _log.info("Syncing %s", url)
+                name = url.rsplit("/", 1)[-1]
+
+                dest_folder = os.path.join(self.path, name)
+                if not os.path.exists(dest_folder):
+                    _log.info("   Cloning as new %s", url)
+                    cmd = ["git", "clone", "--mirror", url]
+                    run_command(cmd, cwd=self.path)
+
+                _log.info(
+                    "   Running `git -c transfer.fsckObjects=1 fetch` in %s",
+                    dest_folder,
+                )
+                cmd = ["git", "-c", "transfer.fsckObjects=1", "fetch"]
+                run_command(cmd, cwd=dest_folder)
+
+                cmd = ["git", "remote"]
+                output = run_command(cmd, cwd=dest_folder).decode("utf-8").strip()
+                if output:
+                    for remote in output.split("\n"):
+                        if remote == "origin":
+                            continue
+                        _log.info(
+                            "  Running git push --mirror %s in %s",
+                            remote, dest_folder)
+                        cmd = ["git", "push", "--mirror", remote]
+                        run_command(cmd, cwd=dest_folder)
+                else:
+                    _log.info("  No remotes found")
+
+        except Exception:
+            _log.exception("Something happened while calling git")
+            if cnt >= 3:
+                raise
+            _log.info("  Re-running in 10 seconds")
+            time.sleep(10)
+            self.__call__(message, cnt=cnt + 1)

roles/nagios_server/templates/nagios/hosts/rdu3-hosts.cfg.j2

@@ -1,5 +1,5 @@
 {% for host in groups['all']|sort %}
-{% if hostvars[host].datacenter == 'rdu3' and hostvars[host].nagios_Can_Connect == true %}
+{% if hostvars[host].datacenter.startswith('rdu3') and hostvars[host].nagios_Can_Connect == true %}
 define host {
 {% if hostvars[host].nagios_Check_Services['nrpe'] == true %}
    use                     defaulttemplate
@@ -26,4 +26,4 @@ define host {
 {% endif %}
 }
 {% endif %}
-{% endfor %}
+{% endfor %}

roles/nagios_server/templates/nagios/services/websites.cfg.j2

@@ -246,7 +246,7 @@ define service {
 define service {
   host_name             pagure.io
   service_description   https://forge.fedoraproject.org/infra/tickets
-  check_command         check_website_follow!pagure.io!https://forge.fedoraproject.org/infra/tickets!Issues
+  check_command         check_website_follow!pagure.io!https://pagure.io/fedora-infrastructure/issues!Issues
   max_check_attempts    8
   use                   websitetemplate
 }

roles/openshift-apps/bugzilla2fedmsg/templates/buildconfig.yml.j2

@@ -17,7 +17,7 @@ spec:
       from:
         kind: ImageStreamTag
         namespace: openshift
-        name: python:3.9-ubi8
+        name: python:3.11-ubi9
   triggers:
   - type: ImageChange
   - type: ConfigChange

roles/openshift-apps/bugzilla2fedmsg/templates/fedora-messaging.toml

@@ -20,19 +20,37 @@ certfile = "/etc/pki/fedora-messaging/bugzilla2fedmsg-cert.pem"
 [consumer_config]
     fasjson_url = "https://fasjson{{ env_suffix }}.fedoraproject.org"
 
+    {% if env == "staging" %}
+    [consumer_config.kafka]
+    # Kafka servers
+    # https://kafka-python.readthedocs.io/en/master/apidoc/KafkaConsumer.html
+    {% if env == "staging" %}
+    servers = [
+        "b-1.itpreprod.sui7dp.c7.kafka.us-east-1.amazonaws.com:9096",
+        "b-2.itpreprod.sui7dp.c7.kafka.us-east-1.amazonaws.com:9096",
+        "b-6.itpreprod.sui7dp.c7.kafka.us-east-1.amazonaws.com:9096",
+    ]
+    username = "{{ redhat_kafka_staging_username }}"
+    password = "{{ redhat_kafka_staging_password }}"
+    topics = ["qa.ants.engineering.bugzilla.bug", "stage.ants.engineering.bugzilla.bug"]
+    {% else %}
+    servers = [
+        "b-3.itprod.bvduhl.c8.kafka.us-east-1.amazonaws.com:9096",
+        "b-2.itprod.bvduhl.c8.kafka.us-east-1.amazonaws.com:9096",
+        "b-1.itprod.bvduhl.c8.kafka.us-east-1.amazonaws.com:9096",
+    ]
+    username = "{{ redhat_kafka_prod_username }}"
+    password = "{{ redhat_kafka_prod_password }}"
+    topics = ["ants.engineering.bugzilla.bug"]
+    {% endif %}
+    {% else %}
     [consumer_config.stomp]
     # Broker URI
     # http://nikipore.github.io/stompest/protocol.html#stompest.protocol.failover.StompFailoverUri
     # Example: failover:(tcp://remote1:61615,tcp://localhost:61616)?randomize=false,startupMaxReconnectAttempts=3,initialReconnectDelay=7,maxReconnectDelay=8,maxReconnectAttempts=0
-{% if env == 'staging' %}
-    uri = "ssl://umb.stage.api.redhat.com:61612"
-    user = "{{ redhat_dmz_dev_broker_username }}"
-    pass = "{{ redhat_dmz_dev_broker_password }}"
-{% else %}
     uri = "ssl://umb.api.redhat.com:61612"
     user = "{{ redhat_dmz_prod_broker_username }}"
     pass = "{{ redhat_dmz_prod_broker_password }}"
-{% endif %}
     ssl_crt = "/etc/pki/stomp/msg-client-fedora-prod.crt"
     ssl_key = "/etc/pki/stomp/msg-client-fedora-prod.key"
 
@@ -44,6 +62,7 @@ certfile = "/etc/pki/fedora-messaging/bugzilla2fedmsg-cert.pem"
 
     # How many messages to prefetch
     prefetch_size = 100
+    {% endif %}
 
     [consumer_config.bugzilla]
     # Products to relay messages for - messages for bugs files against

roles/openshift-apps/forgejo/templates/values.yaml.j2

@@ -518,7 +518,11 @@ gitea:
         "forge-operations-members":{"operations":["Members"]},
         "forge-design-owners":{"design":["Owners"]},
         "forge-design-members":{"design":["Members"]},
-        "forge-workstation-owners":{"workstation":["Owners"]}
+        "forge-workstation-owners":{"workstation":["Owners"]},
+        "forge-join-owners":{"join":["Owners"]},
+        "forge-join-members":{"join":["Members"]},
+        "forge-fesco-owners":{"fesco":["Owners"]},
+        "forge-fesco-members":{"fesco":["Members"]}
       }'
 {% endif %}
     # - name: 'OAuth 1'

roles/openshift-apps/greenwave/templates/imagestream.yml.j2

@@ -13,8 +13,8 @@ spec:
 {% if env == 'staging' %}
       # The latest successful build of master that passes tests
       # is auto-tagged here. 
-      name: quay.io/factory2/greenwave:latest
+      name: quay.io/redhat-user-workloads/exd-sp-rhel-wf-tenant/greenwave:latest
 {% else %}
       # This is 'prod' tag is maintained by hand.
-      name: quay.io/factory2/greenwave:prod-fedora
+      name: quay.io/redhat-user-workloads/exd-sp-rhel-wf-tenant/greenwave:prod-fedora
 {% endif %}

roles/openshift-apps/waiverdb/templates/imagestream.yml.j2

@@ -13,8 +13,8 @@ spec:
 {% if env == 'staging' %}
       # The latest successful build of master that passes tests
       # is auto-tagged here. 
-      name: quay.io/factory2/waiverdb:latest
+      name: quay.io/redhat-user-workloads/exd-sp-rhel-wf-tenant/waiverdb:latest
 {% else %}
       # This is 'prod' tag is maintained by hand.
-      name: quay.io/factory2/waiverdb:prod-fedora
+      name: quay.io/redhat-user-workloads/exd-sp-rhel-wf-tenant/waiverdb:prod-fedora
 {% endif %}

roles/rabbitmq_cluster/tasks/apps.yml

@@ -37,9 +37,7 @@
     user_sent_topics: ^org\.(fedoraproject|centos)\.{{ env_short }}\.ci\..*
   loop:
     - "osci-pipelines{{ env_suffix }}-queue-2"
-    - "osci-pipelines{{ env_suffix }}-queue-4"
     - "osci-pipelines{{ env_suffix }}-queue-5"
-    - "osci-pipelines{{ env_suffix }}-queue-7"
     - "osci-pipelines{{ env_suffix }}-queue-9"
     - "osci-pipelines{{ env_suffix }}-queue-10"
     - "osci-pipelines{{ env_suffix }}-queue-11"

vars/all/FedoraBranchedBodhi.yaml

@@ -4,4 +4,4 @@
 # postbeta: After beta release and before final release
 # current: After final release
 ---
-FedoraBranchedBodhi: preenable
+FedoraBranchedBodhi: prebeta

vars/all/Frozen.yaml

@@ -2,6 +2,6 @@
 # is the infrastructure freeze currently in place?
 InfraFrozen: False
 # is the pending release (Branched) currently frozen?
-NextReleaseFrozen: False
+NextReleaseFrozen: True
 # for 'backwards compatibility'
 Frozen: "{{ InfraFrozen }}"