mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-02-02 20:59:02 +08:00
Compare commits
6 Commits
57db17afb3
...
f3406c7ee7
| Author | SHA1 | Date | |
|---|---|---|---|
|
f3406c7ee7 | ||
|
|
4e9729d938 | ||
|
|
896ab6360b | ||
|
|
07940d97ac | ||
|
|
6ceb3ea68b | ||
|
|
9717d920af |
@@ -110,4 +110,6 @@ ipa_host_group: download
|
||||
ipa_host_group_desc: Download servers
|
||||
nagios_Check_Services:
|
||||
swap: false
|
||||
nft_block_rules:
|
||||
- 'add rule ip filter INPUT ip saddr 212.143.41.0/24 counter reject'
|
||||
primary_auth_source: ipa
|
||||
|
||||
@@ -40,6 +40,9 @@
|
||||
- collectd/base
|
||||
- apache
|
||||
- download
|
||||
- role: anubis-el
|
||||
tags:
|
||||
- anubis
|
||||
- rsyncd
|
||||
- { role: nfs/client, when: "'download_rdu3' in group_names" , mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
|
||||
- { role: nfs/client, when: "'download_rdu3' in group_names" , mnt_dir: '/srv/pub/archive', nfs_src_dir: 'fedora_ftp_archive' }
|
||||
|
||||
@@ -79,7 +79,7 @@
|
||||
^io\.pagure\.{{ env_short }}\..*
|
||||
|
||||
- pagure
|
||||
- role: anubis-el8
|
||||
- role: anubis-el
|
||||
tags:
|
||||
- anubis
|
||||
|
||||
|
||||
1
roles/anubis-el/files/subgid
Normal file
1
roles/anubis-el/files/subgid
Normal file
@@ -0,0 +1 @@
|
||||
anubis:231072:65536
|
||||
1
roles/anubis-el/files/subuid
Normal file
1
roles/anubis-el/files/subuid
Normal file
@@ -0,0 +1 @@
|
||||
anubis:231072:65536
|
||||
@@ -25,6 +25,40 @@
|
||||
- config
|
||||
- anubis
|
||||
|
||||
- name: install subuid file
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/subuid
|
||||
src: subuid
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
tags:
|
||||
- config
|
||||
- anubis
|
||||
|
||||
- name: install subgid file
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/subgid
|
||||
src: subuid
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
tags:
|
||||
- config
|
||||
- anubis
|
||||
|
||||
- name: Check semanage ports
|
||||
ansible.builtin.command: semanage port -l
|
||||
register: semanageoutput
|
||||
check_mode: no
|
||||
changed_when: "1 != 1"
|
||||
tags:
|
||||
- anubis
|
||||
|
||||
- name: Set ports so httpd can bind to 3923
|
||||
ansible.builtin.command: semanage port -a -t http_port_t -p tcp 3923
|
||||
when: semanageoutput.stdout.find("3923") == -1
|
||||
|
||||
- name: Create the directory to store the anubis policy file
|
||||
ansible.builtin.file:
|
||||
dest: /srv/anubis/cfg/
|
||||
@@ -44,8 +44,6 @@
|
||||
- name: Set ports so httpd can bind to 8345
|
||||
ansible.builtin.command: semanage port -a -t http_port_t -p tcp 8345
|
||||
when: semanageoutput.stdout.find("8345") == -1
|
||||
tags:
|
||||
- anubis
|
||||
|
||||
- name: Allow Apache to make network connections for proxy
|
||||
ansible.posix.seboolean:
|
||||
|
||||
@@ -17,6 +17,10 @@
|
||||
- name: Set httpd_use_nfs seboolean
|
||||
seboolean: name=httpd_use_nfs state=yes persistent=yes
|
||||
|
||||
- name: Set httpd_can_network_connect needed for anubis
|
||||
seboolean: name=httpd_can_network_connect state=yes persistent=yes
|
||||
|
||||
|
||||
- name: Check the selinux context rsyncd log
|
||||
ansible.builtin.command: matchpathcon /var/log/rsyncd-fedora.log
|
||||
register: rsyncdlog
|
||||
|
||||
@@ -32,12 +32,38 @@
|
||||
SSLProtocol {{ ssl_protocols }}
|
||||
SSLCipherSuite {{ ssl_ciphers }}
|
||||
|
||||
Include "conf.d/dl.fedoraproject.org/*.conf"
|
||||
# proxy all requests to anubis after ssl termination
|
||||
|
||||
RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}
|
||||
RequestHeader set X-Forwarded-Proto "https"
|
||||
RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"
|
||||
|
||||
ProxyPreserveHost On
|
||||
|
||||
ProxyRequests Off
|
||||
ProxyVia Off
|
||||
|
||||
ProxyPass / http://[::1]:8923/
|
||||
ProxyPassReverse / http://[::1]:8923/
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
# Prefork tuning
|
||||
<IfModule mpm_prefork_module>
|
||||
ServerLimit {{ httpd_maxrequestworkers * 1.5 }}
|
||||
MaxRequestWorkers {{ httpd_maxrequestworkers }}
|
||||
MaxConnectionsPerChild {{ httpd_maxrequestworkers * 5 }}
|
||||
</IfModule>
|
||||
# Once anubis has processed the request it sends it to port 3923
|
||||
|
||||
Listen 3923 http
|
||||
<VirtualHost *:3923>
|
||||
ServerName dl.fedoraproject.org
|
||||
ServerAlias archive.fedoraproject.org archives.fedoraproject.org secondary.fedoraproject.org download-ib01.fedoraproject.org download-cc-rdu01.fedoraproject.org
|
||||
ServerAdmin webmaster@fedoraproject.org
|
||||
|
||||
RemoteIPHeader X-Real-Ip
|
||||
RemoteIPInternalProxy ::1
|
||||
|
||||
Include "conf.d/dl.fedoraproject.org/*.conf"
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
|
||||
ServerLimit 3200
|
||||
MaxRequestWorkers 3200
|
||||
MaxRequestsPerChild 10000
|
||||
|
||||
Reference in New Issue
Block a user