Add the darkserver playbook

Start working on the darkserver role
tag the fedimg role.
2026-02-03 05:03:34 +08:00 · 2014-12-06 20:33:58 +01:00 · 2014-12-06 20:33:47 +01:00 · 2014-12-06 19:06:53 +00:00 · 2014-12-06 18:59:29 +00:00 · 2014-12-06 18:59:08 +00:00
806 changed files with 22458 additions and 3046 deletions
--- a/8
+++ b/8
@@ -81,7 +81,7 @@ m1.builder  5120       50     3
 Setting up a new persistent cloud host:
 1. select an ip:
   source /srv/private/ansible/files/openstack/persistent-admin/ec2rc.sh
-   euca-describe-addresses
+   oeuca-describe-addresses
  - pick an ip from the list that is not assigned anywhere
  - add it into dns - normally in the cloud.fedoraproject.org but it doesn't
    have to be
@@ -114,9 +114,9 @@ Contents should look like this (remove all the comments)
 ---
 # 2cpus, 3GB of ram 20GB of ephemeral space
 instance_type: m1.large 
-# image id
-image: emi-B8793915 
-keypair: fedora-admin
+# image id - see global vars. You can also use euca-describe-images to find other images as well
+image: "{{ el6_qcow_id }}"
+keypair: fedora-admin-20130801
 # what security group to add the host to
 security_group: webserver 
 zone: fedoracloud 
--- a/files/2fa/pam_url.conf.cloud
+++ b/files/2fa/pam_url.conf.cloud
@@ -0,0 +1,21 @@
+pam_url:
+{
+	settings:
+	{
+		url = "https://fas-all.phx2.fedoraproject.org:8443/";	# URI to fetch
+		returncode = "OK";				# The remote script/cgi should return a 200 http code and this string as its only results
+		userfield = "user";				# userfield name to send
+		passwdfield = "token";				# passwdfield name to send
+		extradata = "&do=login";			# extradata to send
+		prompt = "Password+Token: ";			# password prompt
+	};
+
+	ssl:
+	{
+		verify_peer = true;				# Should we verify SSL ?
+		verify_host = true;				# Should we verify the CN in the SSL cert?
+		client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+		client_key  = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+                ca_cert     = "/etc/pki/tls/private/totpcgi-ca.cert";
+	};
+};
--- a/files/common/epel7.repo
+++ b/files/common/epel7.repo
@@ -1,7 +1,7 @@
 [epel]
 name=Extras Packages for Enterprise Linux $releasever - $basearch
 baseurl=http://infrastructure.fedoraproject.org/pub/epel/7/$basearch/
-enabled=0
+enabled=1
 gpgcheck=1
 gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7

@@ -15,6 +15,6 @@ gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
 [epel-beta]
 name=Extras Packages for Enterprise Linux beta $releasever - $basearch
 baseurl=http://infrastructure.fedoraproject.org/pub/epel/beta/7/$basearch/
-enabled=1
+enabled=0
 gpgcheck=1
 gpgkey=http://infrastructure.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
--- a/files/copr/copr-be.conf
+++ b/files/copr/copr-be.conf
@@ -2,12 +2,12 @@

 # URL where are results visible
 # default is http://copr
-results_baseurl=http://copr-be.cloud.fedoraproject.org/results
+results_baseurl=https://copr-be.cloud.fedoraproject.org/results

 # ??? What is this
 # default is http://coprs/rest/api
 #frontend_url=http://copr-fe.cloud.fedoraproject.org/backend
-frontend_url=http://172.16.5.31/backend
+frontend_url=https://172.16.5.31/backend

 # must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf
 # default is PASSWORDHERE but you really should change it. really.
@@ -55,6 +55,25 @@ worker_logdir=/var/log/copr/workers/
 #fedmsg_enabled=false
 fedmsg_enabled=true

+# minimum age for builds to be pruned
+prune_days=14
+# path to executable script to clean old build
+prune_script=/usr/share/copr/copr_prune_old_builds.sh
+
+# enable package signing, require configured
+# signer host and correct /etc/sign.conf
+do_sign={{ do_sign }}
+
+# host or ip of machine with copr-keygen
+# usually the same as in /etc/sign.conf
+keygen_host={{ keygen_host }}
+
+# Spawn builder in advance, before we get task?
+# It save time, but consume resources even when
+# nothing is in queue
+
+spawn_in_advance={{ spawn_in_advance }}
+
 [builder]
 # default is 1800
 timeout=3600
--- a/files/copr/copr-be.conf-dev
+++ b/files/copr/copr-be.conf-dev
@@ -51,6 +51,24 @@ worker_logdir=/var/log/copr/workers/
 # default is false
 #fedmsg_enabled=false

+# minimum age for builds to be pruned
+prune_days=14
+# path to executable script to clean old build
+prune_script=/usr/share/copr/copr_prune_old_builds.sh
+
+# enable package signing, require configured
+# signer host and correct /etc/sign.conf
+do_sign={{ do_sign }}
+
+# host or ip of machine with copr-keygen
+# usually the same as in /etc/sign.conf
+keygen_host={{ keygen_host }}
+
+# Spawn builder in advance, before we get task?
+# It save time, but consume resources even when
+# nothing is in queue
+
+spawn_in_advance={{ spawn_in_advance }}

 [builder]
 # default is 1800
--- a/files/copr/delete-forgotten-instances.pl
+++ b/files/copr/delete-forgotten-instances.pl
@@ -2,7 +2,7 @@
 # this scrip query for all running VM and terminate those
 # which are not currently started by some ansible script

-while (chomp($a = qx(ps ax |grep -v 'sh -c ps ax'  |grep /home/copr/provision/builderpb.yml | grep -v grep))) {
+while (chomp($a = qx(ps ax |grep -v 'sh -c ps ax'  |grep 'Task: ' | grep -v grep))) {
  # we are starting some VM and could not determine correct list of running VMs
  sleep 5;
 }
--- a/files/copr/fe/copr.conf
+++ b/files/copr/fe/copr.conf
@@ -3,6 +3,7 @@ DATA_DIR = '/var/lib/copr/data'
 DATABASE = '/var/lib/copr/data/copr.db'
 OPENID_STORE = '/var/lib/copr/data/openid_store'
 WHOOSHEE_DIR = '/var/lib/copr/data/whooshee'
+WHOSHEE_MIN_STRING_LEN = 2

 SECRET_KEY = '{{ copr_secret_key }}'
 BACKEND_PASSWORD = '{{ copr_backend_password  }}'
@@ -31,3 +32,5 @@ WTF_CSRF_ENABLED = True

 # send emails when user's perms change in project?
 SEND_EMAILS = True
+
+PUBLIC_COPR_HOSTNAME = '{{ copr_frontend_public_hostname }}'
--- a/files/copr/fe/httpd/coprs.conf
+++ b/files/copr/fe/httpd/coprs.conf
@@ -22,9 +22,10 @@ WSGISocketPrefix /var/run/wsgi
 <VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
-    #optimeize on speed
-    SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
+    # Use secure TLSv1.1 and TLSv1.2 ciphers
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
+    Header add Strict-Transport-Security "max-age=15768000"

    SSLCertificateFile /etc/pki/tls/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
--- a/files/copr/forward-dev
+++ b/files/copr/forward-dev
@@ -1,2 +1,3 @@
 msuchy+coprmachine@redhat.com
 asamalik@redhat.com
+vgologuz@redhat.com
--- a/files/copr/provision/builderpb.yml
+++ b/files/copr/provision/builderpb.yml
@@ -71,6 +71,7 @@
    with_items:
    - rpm
    - glib2
+    - ca-certificates

  - yum: name=mock  enablerepo=epel-testing state=latest

--- a/files/copr/provision/files/mock/epel-7-x86_64.cfg
+++ b/files/copr/provision/files/mock/epel-7-x86_64.cfg
@@ -1,28 +1,16 @@
-config_opts['chroothome'] = '/builddir'
-config_opts['basedir'] = '/var/lib/mock'
 config_opts['root'] = 'epel-7-x86_64'
 config_opts['target_arch'] = 'x86_64'
 config_opts['legal_host_arches'] = ('x86_64',)
-config_opts['chroot_setup_cmd'] = 'install bash bzip2 coreutils cpio diffutils findutils gawk gcc gcc-c++ grep gzip info make patch redhat-release-server redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz'
+config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
 config_opts['dist'] = 'el7'  # only useful for --resultdir variable subst
-config_opts['macros'] = {}
-config_opts['macros']['%dist'] = '.el7'
-config_opts['macros']['%rhel'] = '7'
-config_opts['macros']['%el7'] = '1'
-config_opts['macros']['%_topdir'] = '/builddir/build'
-config_opts['macros']['%_rpmfilename'] = '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm'
 config_opts['releasever'] = '7'

-config_opts['plugin_conf']['root_cache_enable'] = False
-config_opts['plugin_conf']['yum_cache_enable'] = False
-config_opts['plugin_conf']['ccache_enable'] = False
-
 config_opts['yum.conf'] = """
 [main]
 cachedir=/var/cache/yum
 debuglevel=1
-logfile=/var/log/yum.log
 reposdir=/dev/null
+logfile=/var/log/yum.log
 retries=20
 obsoletes=1
 gpgcheck=0
@@ -31,15 +19,42 @@ syslog_ident=mock
 syslog_device=

 # repos
+[base]
+name=BaseOS
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os
+failovermethod=priority

-[beta]
-name=beta
-baseurl=http://kojipkgs.fedoraproject.org/rhel/beta/7/x86_64/os/
+[updates]
+name=updates
+enabled=1
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=updates
+failovermethod=priority

 [epel]
-name=Extra Packages for Enterprise Linux 7 - $basearch
-#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
-mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
+name=epel
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-7&arch=x86_64
 failovermethod=priority
-enabled=1
+
+[extras]
+name=extras
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=extras
+failovermethod=priority
+
+[testing]
+name=epel-testing
+enabled=0
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel7&arch=x86_64
+failovermethod=priority
+
+[local]
+name=local
+baseurl=http://kojipkgs.fedoraproject.org/repos/epel7-build/latest/x86_64/
+cost=2000
+enabled=0
+
+[epel-debug]
+name=epel-debug
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-7&arch=x86_64
+failovermethod=priority
+enabled=0
 """
--- a/files/copr/provision/files/mock/site-defaults.cfg
+++ b/files/copr/provision/files/mock/site-defaults.cfg
@@ -57,7 +57,7 @@
 # NOTE: Some of the caching options can theoretically affect build
 #  reproducability. Change with care.
 #
-config_opts['plugin_conf']['package_state_enable'] = True
+config_opts['plugin_conf']['package_state_enable'] = False
 # config_opts['plugin_conf']['ccache_enable'] = True
 # config_opts['plugin_conf']['ccache_opts']['max_cache_size'] = '4G'
 # config_opts['plugin_conf']['ccache_opts']['compress'] = None
--- a/files/download/sync-up-downloads.sh
+++ b/files/download/sync-up-downloads.sh
@@ -8,7 +8,7 @@
 RSYNC='/usr/bin/rsync'
 RS_OPT="-avSHP  --numeric-ids"
 RS_DEADLY="--delete --delete-excluded --delete-delay --delay-updates"
-ALT_EXCLUDES="--exclude deltaisos/archive"
+ALT_EXCLUDES="--exclude deltaisos/archive --exclude 21_Alpha* --exclude 21-Alpha* --exclude 21_Beta* --exclude=F21a-TC1"
 EPL_EXCLUDES=""
 FED_EXCLUDES=""

--- a/files/fedora-cloud/fed09-ssh-key.pub
+++ b/files/fedora-cloud/fed09-ssh-key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfk627wDgkJisjGl4RbrUS457WoPdSate1vzgZXApQeAkTG9LLEstAEyThphnJZzDWRYceId+DqZvyrwZttB6Tfptwqs9qwW60HelSVtvq6RDoiQO5yB1ffbeelM6ci5spvzA0b8llUmYpDlCmrbv/or5IXtO9ScAxK7S6Pp2XQYyHJepEclCqfUkmgOXqnoFPFhKhIdaNe7wXCDKnjHSL0HLQmpTREbJ98HNexI76DMdiuG+II7m42XbfToHZtDrsUfd5HGyWLqUWqFfLFoFSSrARE7Aqa2cS1zrLdKHTFnDitBezNeb2J4Go3/23bHe58LV8RfPdIQG9Z8hqYiD9 root@fed-cloud09.cloud.fedoraproject.org
--- a/files/fedora-cloud/hosts
+++ b/files/fedora-cloud/hosts
@@ -0,0 +1,13 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4                                     
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 
+
+# http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-neutron-networking-controller-node.html
+# controller
+{{ controller_public_ip }}       controller
+
+# network
+{{ network_public_ip }}       network
+
+# compute1
+# compute1_public_ip        compute1
+
--- a/files/fedora-cloud/ifcfg-br-ex
+++ b/files/fedora-cloud/ifcfg-br-ex
@@ -0,0 +1,9 @@
+DEVICE=br-ex
+DEVICETYPE=ovs
+TYPE=OVSBridge
+BOOTPROTO=static
+IPADDR={{ network_public_ip }}
+NETMASK={{ public_netmask }}  # your netmask
+GATEWAY={{ public_gateway_ip }}  # your gateway
+DNS1={{ public_dns }}     # your nameserver
+ONBOOT=yes
--- a/files/fedora-cloud/keystonerc_msuchy
+++ b/files/fedora-cloud/keystonerc_msuchy
@@ -0,0 +1,5 @@
+export OS_USERNAME=msuchy
+export OS_TENANT_NAME=copr
+export OS_PASSWORD=TBD
+export OS_AUTH_URL=http://209.132.184.9:5000/v2.0/
+export PS1='[\u@\h \W(keystone_msuchy)]\$ '
--- a/files/fedora-cloud/my.cnf
+++ b/files/fedora-cloud/my.cnf
@@ -0,0 +1,4 @@
+[client]
+host=localhost
+user=root
+password={{ DBPASSWORD }}
--- a/files/fedora-cloud/packstack-controller-answers.txt
+++ b/files/fedora-cloud/packstack-controller-answers.txt
@@ -0,0 +1,502 @@
+[general]
+
+# Path to a Public key to install on servers. If a usable key has not
+# been installed on the remote servers the user will be prompted for a
+# password and this key will be installed so the password will not be
+# required again
+CONFIG_SSH_KEY=/root/.ssh/id_rsa.pub
+
+# Set to 'y' if you would like Packstack to install MySQL
+CONFIG_MARIADB_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack Image
+# Service (Glance)
+CONFIG_GLANCE_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack Block
+# Storage (Cinder)
+CONFIG_CINDER_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack Compute
+# (Nova)
+CONFIG_NOVA_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack
+# Networking (Neutron)
+CONFIG_NEUTRON_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack
+# Dashboard (Horizon)
+CONFIG_HORIZON_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack Object
+# Storage (Swift)
+CONFIG_SWIFT_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack
+# Metering (Ceilometer)
+CONFIG_CEILOMETER_INSTALL=y
+
+# Set to 'y' if you would like Packstack to install OpenStack
+# Orchestration (Heat)
+CONFIG_HEAT_INSTALL=n
+
+# Set to 'y' if you would like Packstack to install the OpenStack
+# Client packages. An admin "rc" file will also be installed
+CONFIG_CLIENT_INSTALL=y
+
+# Comma separated list of NTP servers. Leave plain if Packstack
+# should not install ntpd on instances.
+CONFIG_NTP_SERVERS=
+
+# Set to 'y' if you would like Packstack to install Nagios to monitor
+# OpenStack hosts
+CONFIG_NAGIOS_INSTALL=n
+
+# Comma separated list of servers to be excluded from installation in
+# case you are running Packstack the second time with the same answer
+# file and don't want Packstack to touch these servers. Leave plain if
+# you don't need to exclude any server.
+EXCLUDE_SERVERS=
+
+# Set to 'y' if you want to run OpenStack services in debug mode.
+# Otherwise set to 'n'.
+CONFIG_DEBUG_MODE=n
+
+# Set to 'y' if you want to use VMware vCenter as hypervisor and
+# storageOtherwise set to 'n'.
+CONFIG_VMWARE_BACKEND=n
+
+# The IP address of the server on which to install MySQL
+CONFIG_MARIADB_HOST={{ controller_public_ip }}
+
+# Username for the MySQL admin user
+CONFIG_MARIADB_USER=root
+
+# Password for the MySQL admin user
+CONFIG_MARIADB_PW={{ DBPASSWORD }}
+
+# Set the server for the AMQP service
+CONFIG_AMQP_BACKEND=rabbitmq
+
+# The IP address of the server on which to install the AMQP service
+CONFIG_AMQP_HOST={{ controller_public_ip }}
+
+# Enable SSL for the AMQP service
+CONFIG_AMQP_ENABLE_SSL=n
+
+# Enable Authentication for the AMQP service
+CONFIG_AMQP_ENABLE_AUTH=n
+
+# The password for the NSS certificate database of the AMQP service
+CONFIG_AMQP_NSS_CERTDB_PW={{ CONFIG_AMQP_NSS_CERTDB_PW }}
+
+# The port in which the AMQP service listens to SSL connections
+CONFIG_AMQP_SSL_PORT=5671
+
+# The filename of the certificate that the AMQP service is going to
+# use
+CONFIG_AMQP_SSL_CERT_FILE=/etc/pki/tls/certs/amqp_selfcert.pem
+
+# The filename of the private key that the AMQP service is going to
+# use
+CONFIG_AMQP_SSL_KEY_FILE=/etc/pki/tls/private/amqp_selfkey.pem
+
+# Auto Generates self signed SSL certificate and key
+CONFIG_AMQP_SSL_SELF_SIGNED=y
+
+# User for amqp authentication
+CONFIG_AMQP_AUTH_USER=amqp_user
+
+# Password for user authentication
+CONFIG_AMQP_AUTH_PASSWORD={{ CONFIG_AMQP_AUTH_PASSWORD }}
+
+# The password to use for the Keystone to access DB
+CONFIG_KEYSTONE_DB_PW={{ KEYSTONE_DBPASS }}
+
+# The token to use for the Keystone service api
+CONFIG_KEYSTONE_ADMIN_TOKEN={{ ADMIN_TOKEN }}
+
+# The password to use for the Keystone admin user
+CONFIG_KEYSTONE_ADMIN_PW={{ ADMIN_PASS }}
+
+# The password to use for the Keystone demo user
+CONFIG_KEYSTONE_DEMO_PW={{ DEMO_PASS }}
+
+# Kestone token format. Use either UUID or PKI
+CONFIG_KEYSTONE_TOKEN_FORMAT=PKI
+
+# The password to use for the Glance to access DB
+CONFIG_GLANCE_DB_PW={{ GLANCE_DBPASS }}
+
+# The password to use for the Glance to authenticate with Keystone
+CONFIG_GLANCE_KS_PW={{ GLANCE_PASS }}
+
+# The password to use for the Cinder to access DB
+CONFIG_CINDER_DB_PW={{ CINDER_DBPASS }}
+
+# The password to use for the Cinder to authenticate with Keystone
+CONFIG_CINDER_KS_PW={{ CINDER_PASS }}
+
+# The Cinder backend to use, valid options are: lvm, gluster, nfs,
+# vmdk
+CONFIG_CINDER_BACKEND=lvm
+
+# Create Cinder's volumes group. This should only be done for testing
+# on a proof-of-concept installation of Cinder.  This will create a
+# file-backed volume group and is not suitable for production usage.
+CONFIG_CINDER_VOLUMES_CREATE=n
+
+# Cinder's volumes group size. Note that actual volume size will be
+# extended with 3% more space for VG metadata.
+CONFIG_CINDER_VOLUMES_SIZE=5G
+
+# A single or comma separated list of gluster volume shares to mount,
+# eg: ip-address:/vol-name, domain:/vol-name
+CONFIG_CINDER_GLUSTER_MOUNTS=
+
+# A single or comma seprated list of NFS exports to mount, eg: ip-
+# address:/export-name
+CONFIG_CINDER_NFS_MOUNTS=
+
+# The IP address of the VMware vCenter datastore
+CONFIG_VCENTER_HOST=
+
+# The username to authenticate to VMware vCenter datastore
+CONFIG_VCENTER_USER=
+
+# The password to authenticate to VMware vCenter datastore
+CONFIG_VCENTER_PASSWORD=
+
+# A comma separated list of IP addresses on which to install the Nova
+# Compute services
+CONFIG_COMPUTE_HOSTS={{ controller_public_ip }}
+
+# The IP address of the server on which to install the Nova Conductor
+# service
+CONFIG_NOVA_CONDUCTOR_HOST={{ controller_public_ip }}
+
+# The password to use for the Nova to access DB
+CONFIG_NOVA_DB_PW={{ NOVA_DBPASS }}
+
+# The password to use for the Nova to authenticate with Keystone
+CONFIG_NOVA_KS_PW={{ NOVA_PASS }}
+
+# The overcommitment ratio for virtual to physical CPUs. Set to 1.0
+# to disable CPU overcommitment
+CONFIG_NOVA_SCHED_CPU_ALLOC_RATIO=16.0
+
+# The overcommitment ratio for virtual to physical RAM. Set to 1.0 to
+# disable RAM overcommitment
+CONFIG_NOVA_SCHED_RAM_ALLOC_RATIO=1.5
+
+# Private interface for Flat DHCP on the Nova compute servers
+CONFIG_NOVA_COMPUTE_PRIVIF=lo
+
+# The list of IP addresses of the server on which to install the Nova
+# Nova network manager
+CONFIG_NOVA_NETWORK_MANAGER=nova.network.manager.FlatDHCPManager
+
+# Public interface on the Nova network server
+CONFIG_NOVA_NETWORK_PUBIF={{ controller_public_ip }}
+
+# Private interface for network manager on the Nova network server
+CONFIG_NOVA_NETWORK_PRIVIF=lo
+
+# IP Range for network manager
+CONFIG_NOVA_NETWORK_FIXEDRANGE={{ internal_interface_cidr }}
+
+# IP Range for Floating IP's
+CONFIG_NOVA_NETWORK_FLOATRANGE={{ public_interface_cidr }}
+
+# Name of the default floating pool to which the specified floating
+# ranges are added to
+CONFIG_NOVA_NETWORK_DEFAULTFLOATINGPOOL=external
+
+# Automatically assign a floating IP to new instances
+CONFIG_NOVA_NETWORK_AUTOASSIGNFLOATINGIP=y
+
+# First VLAN for private networks
+CONFIG_NOVA_NETWORK_VLAN_START=100
+
+# Number of networks to support
+CONFIG_NOVA_NETWORK_NUMBER=1
+
+# Number of addresses in each private subnet
+CONFIG_NOVA_NETWORK_SIZE=255
+
+# The IP address of the VMware vCenter server
+CONFIG_VCENTER_HOST=
+
+# The username to authenticate to VMware vCenter server
+CONFIG_VCENTER_USER=
+
+# The password to authenticate to VMware vCenter server
+CONFIG_VCENTER_PASSWORD=
+
+# The name of the vCenter cluster
+CONFIG_VCENTER_CLUSTER_NAME=
+
+# The password to use for Neutron to authenticate with Keystone
+CONFIG_NEUTRON_KS_PW={{ NEUTRON_PASS }}
+
+# The password to use for Neutron to access DB
+CONFIG_NEUTRON_DB_PW={{ NEUTRON_DBPASS }}
+
+# A comma separated list of IP addresses on which to install Neutron
+CONFIG_NETWORK_HOSTS={{ controller_public_ip }}
+
+# The name of the bridge that the Neutron L3 agent will use for
+# external traffic, or 'provider' if using provider networks
+CONFIG_NEUTRON_L3_EXT_BRIDGE=provider
+
+
+# The name of the L2 plugin to be used with Neutron
+CONFIG_NEUTRON_L2_PLUGIN=ml2
+
+# A comma separated list of IP addresses on which to install Neutron
+# metadata agent
+CONFIG_NEUTRON_METADATA_PW={{ NEUTRON_PASS }}
+
+# A comma separated list of network type driver entrypoints to be
+# loaded from the neutron.ml2.type_drivers namespace.
+CONFIG_NEUTRON_ML2_TYPE_DRIVERS=local,flat,gre
+
+# A comma separated ordered list of network_types to allocate as
+# tenant networks. The value 'local' is only useful for single-box
+# testing but provides no connectivity between hosts.
+CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=gre
+
+# A comma separated ordered list of networking mechanism driver
+# entrypoints to be loaded from the neutron.ml2.mechanism_drivers
+# namespace.
+CONFIG_NEUTRON_ML2_MECHANISM_DRIVERS=openvswitch
+
+# A comma separated  list of physical_network names with which flat
+# networks can be created. Use * to allow flat networks with arbitrary
+# physical_network names.
+CONFIG_NEUTRON_ML2_FLAT_NETWORKS=*
+
+# A comma separated list of <physical_network>:<vlan_min>:<vlan_max>
+# or <physical_network> specifying physical_network names usable for
+# VLAN provider and tenant networks, as well as ranges of VLAN tags on
+# each available for allocation to tenant networks.
+CONFIG_NEUTRON_ML2_VLAN_RANGES=
+
+# A comma separated list of <tun_min>:<tun_max> tuples enumerating
+# ranges of GRE tunnel IDs that are available for tenant network
+# allocation. Should be an array with tun_max +1 - tun_min > 1000000
+CONFIG_NEUTRON_ML2_TUNNEL_ID_RANGES=1:1000
+
+# Multicast group for VXLAN. If unset, disables VXLAN enable sending
+# allocate broadcast traffic to this multicast group. When left
+# unconfigured, will disable multicast VXLAN mode. Should be an
+# Multicast IP (v4 or v6) address.
+CONFIG_NEUTRON_ML2_VXLAN_GROUP=
+
+# A comma separated list of <vni_min>:<vni_max> tuples enumerating
+# ranges of VXLAN VNI IDs that are available for tenant network
+# allocation. Min value is 0 and Max value is 16777215.
+CONFIG_NEUTRON_ML2_VNI_RANGES=
+
+# The name of the L2 agent to be used with Neutron
+CONFIG_NEUTRON_L2_AGENT=openvswitch
+
+# The type of network to allocate for tenant networks (eg. vlan,
+# local)
+CONFIG_NEUTRON_LB_TENANT_NETWORK_TYPE=gre
+
+# A comma separated list of VLAN ranges for the Neutron linuxbridge
+# plugin (eg. physnet1:1:4094,physnet2,physnet3:3000:3999)
+CONFIG_NEUTRON_LB_VLAN_RANGES=
+
+# A comma separated list of interface mappings for the Neutron
+# linuxbridge plugin (eg. physnet1:br-eth1,physnet2:br-eth2,physnet3
+# :br-eth3)
+CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
+
+# Type of network to allocate for tenant networks (eg. vlan, local,
+# gre, vxlan)
+CONFIG_NEUTRON_OVS_TENANT_NETWORK_TYPE=gre
+
+# A comma separated list of VLAN ranges for the Neutron openvswitch
+# plugin (eg. physnet1:1:4094,physnet2,physnet3:3000:3999)
+CONFIG_NEUTRON_OVS_VLAN_RANGES=floatnet
+
+# A comma separated list of bridge mappings for the Neutron
+# openvswitch plugin (eg. physnet1:br-eth1,physnet2:br-eth2,physnet3
+# :br-eth3)
+CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=floatnet:br-ex
+
+# A comma separated list of colon-separated OVS bridge:interface
+# pairs. The interface will be added to the associated bridge.
+CONFIG_NEUTRON_OVS_BRIDGE_IFACES=br-tun:eth1
+
+# A comma separated list of tunnel ranges for the Neutron openvswitch
+# plugin (eg. 1:1000)
+CONFIG_NEUTRON_OVS_TUNNEL_RANGES=1:1000
+
+# The interface for the OVS tunnel. Packstack will override the IP
+# address used for tunnels on this hypervisor to the IP found on the
+# specified interface. (eg. eth1)
+CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
+
+# VXLAN UDP port
+CONFIG_NEUTRON_OVS_VXLAN_UDP_PORT=4789
+
+# To set up Horizon communication over https set this to "y"
+CONFIG_HORIZON_SSL=y
+
+# PEM encoded certificate to be used for ssl on the https server,
+# leave blank if one should be generated, this certificate should not
+# require a passphrase
+CONFIG_SSL_CERT=/etc/pki/tls/certs/fed-cloud09.pem
+
+# PEM encoded CA certificates from which the certificate chain of the
+# # server certificate can be assembled.
+CONFIG_SSL_CACHAIN=/etc/pki/tls/certs/fed-cloud09.pem
+
+# Keyfile corresponding to the certificate if one was entered
+CONFIG_SSL_KEY=/etc/pki/tls/private/fed-cloud09.key
+
+# The password to use for the Swift to authenticate with Keystone
+CONFIG_SWIFT_KS_PW={{ SWIFT_PASS }}
+
+# A comma separated list of IP addresses on which to install the
+# Swift Storage services, each entry should take the format
+# <ipaddress>[/dev], for example 127.0.0.1/vdb will install /dev/vdb
+# on 127.0.0.1 as a swift storage device(packstack does not create the
+# filesystem, you must do this first), if /dev is omitted Packstack
+# will create a loopback device for a test setup
+CONFIG_SWIFT_STORAGES=
+
+# Number of swift storage zones, this number MUST be no bigger than
+# the number of storage devices configured
+CONFIG_SWIFT_STORAGE_ZONES=1
+
+# Number of swift storage replicas, this number MUST be no bigger
+# than the number of storage zones configured
+CONFIG_SWIFT_STORAGE_REPLICAS=1
+
+# FileSystem type for storage nodes
+CONFIG_SWIFT_STORAGE_FSTYPE=ext4
+
+# Shared secret for Swift
+CONFIG_SWIFT_HASH={{ SWIFT_HASH }}
+
+# Size of the swift loopback file storage device
+CONFIG_SWIFT_STORAGE_SIZE=2G
+
+# Whether to provision for demo usage and testing. Note that
+# provisioning is only supported for all-in-one installations.
+CONFIG_PROVISION_DEMO=n
+
+# Whether to configure tempest for testing. Note that provisioning is
+# only supported for all-in-one installations.
+CONFIG_PROVISION_TEMPEST=n
+
+# The CIDR network address for the floating IP subnet
+CONFIG_PROVISION_DEMO_FLOATRANGE=
+
+# The uri of the tempest git repository to use
+CONFIG_PROVISION_TEMPEST_REPO_URI=https://github.com/openstack/tempest.git
+
+# The revision of the tempest git repository to use
+CONFIG_PROVISION_TEMPEST_REPO_REVISION=master
+
+# Whether to configure the ovs external bridge in an all-in-one
+# deployment
+CONFIG_PROVISION_ALL_IN_ONE_OVS_BRIDGE=n
+
+# The password used by Heat user to authenticate against MySQL
+CONFIG_HEAT_DB_PW={{ HEAT_DBPASS }}
+
+# The encryption key to use for authentication info in database
+CONFIG_HEAT_AUTH_ENC_KEY={{ HEAT_AUTH_ENC_KEY }}
+
+# The password to use for the Heat to authenticate with Keystone
+CONFIG_HEAT_KS_PW={{ HEAT_PASS }}
+
+# Set to 'y' if you would like Packstack to install Heat CloudWatch
+# API
+CONFIG_HEAT_CLOUDWATCH_INSTALL=n
+
+# Set to 'y' if you would like Packstack to install Heat
+# CloudFormation API
+CONFIG_HEAT_CFN_INSTALL=n
+
+# The IP address of the server on which to install Heat CloudWatch
+# API service
+CONFIG_HEAT_CLOUDWATCH_HOST={{ controller_public_ip }}
+
+# The IP address of the server on which to install Heat
+# CloudFormation API service
+CONFIG_HEAT_CFN_HOST={{ controller_public_ip }}
+
+# The IP address of the management node
+CONFIG_CONTROLLER_HOST={{ controller_public_ip }}
+
+# Secret key for signing metering messages.
+CONFIG_CEILOMETER_SECRET={{ CEILOMETER_SECRET }}
+
+# The password to use for Ceilometer to authenticate with Keystone
+CONFIG_CEILOMETER_KS_PW={{ CEILOMETER_PASS }}
+
+# The IP address of the server on which to install mongodb
+CONFIG_MONGODB_HOST={{ controller_public_ip }}
+
+# The password of the nagiosadmin user on the Nagios server
+CONFIG_NAGIOS_PW=
+
+# To subscribe each server to EPEL enter "y"
+CONFIG_USE_EPEL=y
+
+# A comma separated list of URLs to any additional yum repositories
+# to install
+CONFIG_REPO=
+
+# To subscribe each server with Red Hat subscription manager, include
+# this with CONFIG_RH_PW
+CONFIG_RH_USER=
+
+# To subscribe each server with Red Hat subscription manager, include
+# this with CONFIG_RH_USER
+CONFIG_RH_PW=
+
+# To subscribe each server to Red Hat Enterprise Linux 6 Server Beta
+# channel (only needed for Preview versions of RHOS) enter "y"
+CONFIG_RH_BETA_REPO=n
+
+# To subscribe each server with RHN Satellite,fill Satellite's URL
+# here. Note that either satellite's username/password or activation
+# key has to be provided
+CONFIG_SATELLITE_URL=
+
+# Username to access RHN Satellite
+CONFIG_SATELLITE_USER=
+
+# Password to access RHN Satellite
+CONFIG_SATELLITE_PW=
+
+# Activation key for subscription to RHN Satellite
+CONFIG_SATELLITE_AKEY=
+
+# Specify a path or URL to a SSL CA certificate to use
+CONFIG_SATELLITE_CACERT=
+
+# If required specify the profile name that should be used as an
+# identifier for the system in RHN Satellite
+CONFIG_SATELLITE_PROFILE=
+
+# Comma separated list of flags passed to rhnreg_ks. Valid flags are:
+# novirtinfo, norhnsd, nopackages
+CONFIG_SATELLITE_FLAGS=
+
+# Specify a HTTP proxy to use with RHN Satellite
+CONFIG_SATELLITE_PROXY=
+
+# Specify a username to use with an authenticated HTTP proxy
+CONFIG_SATELLITE_PROXY_USER=
+
+# Specify a password to use with an authenticated HTTP proxy.
+CONFIG_SATELLITE_PROXY_PW=
--- a/files/fedora-cloud/uninstall.sh
+++ b/files/fedora-cloud/uninstall.sh
@@ -0,0 +1,32 @@
+# Warning! Dangerous step! Destroys VMs
+# if you do know what you are doing feel free to remove the line below to proceed
+exit 1
+# also if you really insist to remove VM, uncomment that vgremove near bottom
+
+for x in $(virsh list --all | grep instance- | awk '{print $2}') ; do
+    virsh destroy $x ;
+    virsh undefine $x ;
+done ;
+
+# Warning! Dangerous step! Removes lots of packages, including many
+# which may be unrelated to RDO.
+yum remove -y nrpe "*openstack*" \
+"*nova*" "*keystone*" "*glance*" "*cinder*" "*swift*" \
+mysql mysql-server httpd "*memcache*" ;
+
+ps -ef | grep -i repli | grep swift | awk '{print $2}' | xargs kill ;
+
+# Warning! Dangerous step! Deletes local application data
+rm -rf /etc/nagios /etc/yum.repos.d/packstack_* /root/.my.cnf \
+/var/lib/mysql/* /var/lib/glance /var/lib/nova /etc/nova /etc/swift \
+/srv/node/device*/* /var/lib/cinder/ /etc/rsync.d/frag* \
+/var/cache/swift /var/log/keystone ;
+
+umount /srv/node/device* ;
+killall -9 dnsmasq tgtd httpd ;
+#vgremove -f cinder-volumes ;
+losetup -a | sed -e 's/:.*//g' | xargs losetup -d ;
+find /etc/pki/tls -name "ssl_ps*" | xargs rm -rf ;
+for x in $(df | grep "/lib/" | sed -e 's/.* //g') ; do
+    umount $x ;
+done
--- a/files/gnome/backup.sh
+++ b/files/gnome/backup.sh
@@ -29,7 +29,8 @@ MACHINES='signal.gnome.org
          puppet.gnome.org
          accelerator.gnome.org
          range.gnome.org
-          pentagon.gimp.org'
+          pentagon.gimp.org
+          account.gnome.org'

 BACKUP_DIR='/fedora_backups/gnome/'
 LOGS_DIR='/fedora_backups/gnome/logs'
--- a/files/iptables/iptables
+++ b/files/iptables/iptables
@@ -17,12 +17,6 @@
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

-# for fireball mode - allow port 5099 from lockbox and it's ips
-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
-
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
--- a/files/iptables/iptables.staging
+++ b/files/iptables/iptables.staging
@@ -29,12 +29,6 @@ COMMIT
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

-# for fireball mode - allow port 5099 from lockbox and it's ips
-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
-
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
--- a/files/jenkins/master/config.xml
+++ b/files/jenkins/master/config.xml
@@ -30,22 +30,6 @@ class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <slaves>
-    <slave>
-      <name>Fedora19</name>
-      <description></description>
-      <remoteFS>/mnt/jenkins/</remoteFS>
-      <numExecutors>2</numExecutors>
-      <mode>NORMAL</mode>
-      <retentionStrategy class="hudson.slaves.RetentionStrategy$Always"/>
-      <launcher class="hudson.plugins.sshslaves.SSHLauncher"
-      plugin="ssh-slaves@0.21">
-        <host>172.16.5.12</host>
-        <port>22</port>
-        <credentialsId>d844d352-af1d-466b-9fc9-cbb19348103a</credentialsId>
-      </launcher>
-      <label></label>
-      <nodeProperties/>
-    </slave>
    <slave>
      <name>EL6</name>
      <description></description>
--- a/files/jenkins/slaves/sbt.repo
+++ b/files/jenkins/slaves/sbt.repo
@@ -1,6 +1,6 @@
-[sbt-fedorapeople]
-name=SBT Fedorapeople Repo
-baseurl=http://repos.fedorapeople.org/repos/codeblock/sbt/fedora-18/RPMS/
-enabled=1
-skip_if_unavailable=1
+[codeblock-sbt-extras]
+name=Copr repo for sbt-extras owned by codeblock
+baseurl=https://copr-be.cloud.fedoraproject.org/results/codeblock/sbt-extras/fedora-$releasever-$basearch/
+skip_if_unavailable=True
 gpgcheck=0
+enabled=0
--- a/files/rdiff-backup/#run-rdiff-backups.cron#
+++ b/files/rdiff-backup/#run-rdiff-backups.cron#
@@ -1,3 +0,0 @@
-# run rdiff backups
-MAILTO=kevin@scrye.com,smooge@gmail.com
-00 22 * * * root /usr/local/bin/lock-wrapper run-rdiff-backups "/usr/local/bin/run-rdiff-backups"
--- a/files/rdiff-backup/run-rdiff-backups
+++ b/files/rdiff-backup/run-rdiff-backups
@@ -5,5 +5,5 @@ source /root/sshagent >>/dev/null
 TMPDIR=`mktemp -d /tmp/backups.XXXX`

 cd $TMPDIR
-git clone http://infrastructure.fedoraproject.org/infra/ansible.git
+git clone https://infrastructure.fedoraproject.org/infra/ansible.git
 ansible-playbook -i ansible/inventory ansible/playbooks/rdiff-backup.yml 
--- a/files/rdo/rdo.conf
+++ b/files/rdo/rdo.conf
@@ -1,7 +0,0 @@
-Alias /openstack /srv/persist/openstack
-<Directory "/srv/persist/openstack">
-    Options Indexes MultiViews FollowSymLinks
-    AllowOverride None
-    Order allow,deny
-    Allow from all
-</Directory>
--- a/files/scripts/confine-ssh.sh
+++ b/files/scripts/confine-ssh.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Confine ssh commands
+case "$SSH_ORIGINAL_COMMAND" in
+*\&*)
+echo "Rejected"
+;;
+*\;*)
+echo "Rejected"
+;;
+rsync\ --server\ --sender*)
+$SSH_ORIGINAL_COMMAND
+;;
+*)
+echo "Rejected"
+;;
+esac
--- a/files/virthost/99-bridge.rules
+++ b/files/virthost/99-bridge.rules
@@ -0,0 +1 @@
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -65,16 +65,16 @@
 - name: restart ntpd
  action: service name=ntpd state=restarted

- name: restart openvpn
+- name: restart openvpn (Fedora)
+  when: ansible_distribution == "Fedora"
+  action: service name=openvpn@openvpn state=restarted
+
+- name: restart openvpn (RHEL6)
+  when: ansible_distribution == "RedHat" and ansible_distribution_major_version == "6"
  action: service name=openvpn state=restarted

- name: restart openvpn 2
-  action: service name=openvpn state=restarted
-
- name: restart openvpn 6
-  action: service name=openvpn state=restarted
-
- name: restart openvpn 7
+- name: restart openvpn (RHEL7)
+  when: ansible_distribution == "RedHat" and ansible_distribution_major_version == "7"
  action: service name=openvpn@openvpn state=restarted

 - name: restart postfix
@@ -98,6 +98,9 @@
 - name: restart netapproute
  action: command /etc/sysconfig/network-scripts/ifup-routes eth1

+- name: restart network
+  action: service name=network state=restarted
+
 - name: restart unbound
  action: service name=unbound state=restarted

@@ -121,3 +124,20 @@

 - name: restart memcached
  service: name=memcached state=restarted
+
+- name: reload systemd
+  command: systemctl daemon-reload
+
+- name: restart nagios
+  shell: nagios -v /etc/nagios/nagios.cfg && systemctl restart nagios
+
+- name: restart bridge
+  shell: /usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge
+
+- name: hup libvirtd
+  command: pkill -HUP libvirtd
+  ignore_errors: true
+  when: inventory_hostname.startswith('buildhw')
+
+- name: restart fcomm-cache-worker
+  service: name=fcomm-cache-worker state=restarted
--- a/inventory/backups
+++ b/inventory/backups
@@ -0,0 +1,19 @@
+#
+# This is the list of clients we backup with rdiff-backup. 
+#
+[backup_clients]
+collab04.fedoraproject.org
+db01.phx2.fedoraproject.org
+db-datanommer02.phx2.fedoraproject.org
+hosted04.fedoraproject.org
+hosted-lists01.fedoraproject.org
+lockbox01.phx2.fedoraproject.org
+people03.fedoraproject.org
+pkgs01.phx2.fedoraproject.org
+log01.phx2.fedoraproject.org
+qadevel.cloud.fedoraproject.org
+db-qa01.qa.fedoraproject.org
+db-koji01.phx2.fedoraproject.org
+copr-be.cloud.fedoraproject.org
+value01.phx2.fedoraproject.org
+taskotron01.qa.fedoraproject.org
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -54,6 +54,10 @@ dbs_to_backup: []
 nrpe_procs_warn: 250
 nrpe_procs_crit: 300

+# by default, the number of emails in queue before we whine
+nrpe_check_postfix_queue_warn: 2
+nrpe_check_postfix_queue_crit: 5
+
 # env is staging or production, we default it to production here. 
 env: production

--- a/inventory/group_vars/anitya-backend
+++ b/inventory/group_vars/anitya-backend
@@ -0,0 +1,28 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+ ]
+
+# No other ports open.  no web service running here.
+#tcp_ports: []
+
+fas_client_groups: sysadmin-noc
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: anitya
+  owner: root
+  group: fedmsg
--- a/inventory/group_vars/anitya-frontend
+++ b/inventory/group_vars/anitya-frontend
@@ -0,0 +1,30 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 2048
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+# 9940 is for the anitya public relay
+tcp_ports: [ 80, 443, 9940 ]
+
+custom_rules: [
+    # Need for rsync from log01 for logs.
+    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+    # Need so that anitya-backend can talk fedmsg to our relay
+    '-A INPUT -p tcp -m tcp -s 140.211.169.230 --dport 9941 -j ACCEPT',
+ ]
+
+fas_client_groups: sysadmin-noc,sysadmin-web
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: anitya
+  owner: root
+  group: apache
--- a/inventory/group_vars/arm-releng
+++ b/inventory/group_vars/arm-releng
@@ -1,4 +1,5 @@
 ---
+host_group: releng
 fas_client_groups: sysadmin-releng
 freezes: false
 #
@@ -6,3 +7,7 @@ freezes: false
 #
 libdir: /usr/lib
 sudoers: "{{ private }}/files/sudo/arm-releng-sudoers"
+
+# For the mock config
+kojipkgs_url: kojipkgs.fedoraproject.org
+kojihub_url: koji.fedoraproject.org/kojihub
--- a/inventory/group_vars/badges-backend
+++ b/inventory/group_vars/badges-backend
@@ -7,7 +7,8 @@ freezes: false
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 3000 ]
+tcp_ports: [ 3000, 3001, 3002, 3003,
+             3004, 3005, 3006, 3007 ]

 fas_client_groups: sysadmin-noc,sysadmin-badges

--- a/inventory/group_vars/badges-backend-stg
+++ b/inventory/group_vars/badges-backend-stg
@@ -7,7 +7,8 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 3000 ]
+tcp_ports: [ 3000, 3001, 3002, 3003,
+             3004, 3005, 3006, 3007 ]

 fas_client_groups: sysadmin-noc,sysadmin-badges

--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -0,0 +1,39 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 4
+
+#
+# allow incoming openvpn and smtp
+#
+tcp_ports: [ 25, 1194 ]
+udp_ports: [ 1194 ]
+
+#
+# drop incoming traffic from less trusted vpn hosts
+#
+custom_rules: [
+    '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
+]
+#
+# allow a bunch of sysadmin groups here so they can access internal stuff
+#
+fas_client_groups: sysadmin-ask,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-darkserver,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc
+
+#
+# This is a postfix gateway. This will pick up gateway postfix config in base
+#
+postfix_group: gateway
+postfix_transport_filename: transports.gateway
+
+#
+# Set this to get fasclient cron to make the aliases file
+#
+fas_aliases: true
+
+#
+# Sometimes there are lots of postfix processes
+#
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
--- a/inventory/group_vars/beaker
+++ b/inventory/group_vars/beaker
@@ -11,3 +11,5 @@ udp_ports: [ 69 ]
 fas_client_groups: sysadmin-qa
 nrpe_procs_warn: 250
 nrpe_procs_crit: 300
+
+freezes: false
--- a/inventory/group_vars/copr
+++ b/inventory/group_vars/copr
@@ -0,0 +1,6 @@
+---
+devel: false
+_forward_src: "forward"
+copr_backend_ips: "172.16.5.4"
+resolvconf: "resolv.conf/cloud"
+
--- a/inventory/group_vars/copr-back
+++ b/inventory/group_vars/copr-back
@@ -0,0 +1,8 @@
+---
+_lighttpd_conf_src: "lighttpd/lighttpd.conf"
+_copr_be_conf: "copr-be.conf"
+
+do_sign: "false"
+keygen_host: "copr-keygen.cloud.fedoraproject.org"
+
+spawn_in_advance: "true"
--- a/inventory/group_vars/copr-back-stg
+++ b/inventory/group_vars/copr-back-stg
@@ -0,0 +1,8 @@
+---
+_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
+_copr_be_conf: "copr-be.conf-dev"
+
+do_sign: "true"
+keygen_host: "209.132.184.124"
+
+spawn_in_advance: "true"
--- a/inventory/group_vars/copr-front
+++ b/inventory/group_vars/copr-front
@@ -0,0 +1,3 @@
+---
+copr_hostname: "copr-fe.cloud.fedoraproject.org"
+copr_frontend_public_hostname: "copr.fedoraproject.org"
--- a/inventory/group_vars/copr-front-stg
+++ b/inventory/group_vars/copr-front-stg
@@ -0,0 +1,2 @@
+---
+copr_frontend_public_hostname: "copr-fe-dev.cloud.fedoraproject.org"
--- a/inventory/group_vars/copr-keygen
+++ b/inventory/group_vars/copr-keygen
@@ -0,0 +1,2 @@
+---
+tcp_ports: [80, 5167]
--- a/inventory/group_vars/copr-keygen-stg
+++ b/inventory/group_vars/copr-keygen-stg
@@ -0,0 +1,3 @@
+---
+copr_hostbase: copr-keygen-dev
+tcp_ports: [80, 5167]
--- a/inventory/group_vars/copr-stg
+++ b/inventory/group_vars/copr-stg
@@ -0,0 +1,7 @@
+---
+devel: true
+#_forward-src: "{{ files }}/copr/forward-dev"
+_forward_src: "forward_dev"
+
+copr_backend_ips: "172.16.5.5 172.16.5.4 172.16.5.24"
+resolvconf: "resolv.conf/cloud"
--- a/inventory/group_vars/fas
+++ b/inventory/group_vars/fas
@@ -0,0 +1,26 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 30000
+mem_size: 2048
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 8443, 8444,
+             # fas has 32 wsgi processes, each of which need their own port
+             # open for outbound fedmsg messages.
+             8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007,
+             8008, 8009, 8010, 8011, 8012, 8013, 8014, 8015,
+             8016, 8017, 8018, 8019, 8020, 8021, 8022, 8023,
+             8024, 8025, 8026, 8027, 8028, 8029, 8030, 8031, ]
+
+fas_client_groups: sysadmin-main,sysadmin-accounts
+
+master_fas_node: False 
+
+# A host group for rsync config
+rsync_group: fas
+
+nrpe_procs_warn: 300
+nrpe_procs_crit: 500
--- a/inventory/group_vars/fedimg
+++ b/inventory/group_vars/fedimg
@@ -9,7 +9,7 @@ num_cpus: 2
 tcp_ports: [ 3000 ]

 # TODO, restrict this down to just sysadmin-releng
-fas_client_groups: sysadmin-datanommer,sysadmin-releng
+fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg

 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/fedimg-stg
+++ b/inventory/group_vars/fedimg-stg
@@ -9,7 +9,7 @@ num_cpus: 2
 tcp_ports: [ 3000 ]

 # TODO, restrict this down to just sysadmin-releng
-fas_client_groups: sysadmin-datanommer,sysadmin-releng
+fas_client_groups: sysadmin-datanommer,sysadmin-releng,sysadmin-fedimg

 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/hotness
+++ b/inventory/group_vars/hotness
@@ -0,0 +1,21 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 3000, 3001, 3002, 3003 ]
+
+fas_client_groups: sysadmin-noc
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: hotness
+  owner: root
+  group: fedmsg
--- a/inventory/group_vars/hotness-stg
+++ b/inventory/group_vars/hotness-stg
@@ -0,0 +1,21 @@
+---
+# Define resources for this group of hosts here. 
+lvm_size: 20000
+mem_size: 1024
+num_cpus: 1
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 3000, 3001, 3002, 3003 ]
+
+fas_client_groups: sysadmin-noc
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: hotness
+  owner: root
+  group: fedmsg
--- a/inventory/group_vars/jenkins-cloud
+++ b/inventory/group_vars/jenkins-cloud
@@ -1,5 +1,7 @@
 postfix_group: jenkins-cloud

+tcp_ports: [22, 80, 443]
+
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
--- a/inventory/group_vars/kernel-qa
+++ b/inventory/group_vars/kernel-qa
@@ -1,5 +1,5 @@
 ---
-freezes: true
+freezes: false
 resolvconf: "{{ files }}/resolv.conf/phx2"
 fas_client_groups: sysadmin-kernel
 sudoers: "{{ private }}/files/sudo/kernel-qa"
--- a/inventory/group_vars/mailman
+++ b/inventory/group_vars/mailman
@@ -23,4 +23,9 @@ fedmsg_certs:
 postfix_group: mailman

 # Used by the mailman role
-mailman_dbserver: db01.phx2.fedoraproject.org
+mailman_db_server: db01.phx2.fedoraproject.org
+mailman_url: lists.fedoraproject.org
+
+# by default, the number of emails in queue before we whine
+nrpe_check_postfix_queue_warn: 20
+nrpe_check_postfix_queue_crit: 50
--- a/inventory/group_vars/mailman-stg
+++ b/inventory/group_vars/mailman-stg
@@ -30,6 +30,11 @@ virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ m

 # Postfix main.cf
 postfix_group: mailman-stg
+mailman_url: lists.stg.fedoraproject.org

 # Used by the mailman role
-mailman_dbserver: db02.stg.phx2.fedoraproject.org
+mailman_db_server: db02.stg.phx2.fedoraproject.org
+
+# by default, the number of emails in queue before we whine
+nrpe_check_postfix_queue_warn: 20
+nrpe_check_postfix_queue_crit: 50
--- a/inventory/group_vars/mirrorlist
+++ b/inventory/group_vars/mirrorlist
@@ -1,6 +1,6 @@
 ---
 lvm_size: 20000
-mem_size: 4096
+mem_size: 8192
 num_cpus: 4
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
--- a/inventory/group_vars/mm-stg
+++ b/inventory/group_vars/mm-stg
@@ -0,0 +1,3 @@
+---
+# Define resources for this group of hosts here. 
+fas_client_groups: sysadmin-noc
--- a/inventory/group_vars/nagios-phx
+++ b/inventory/group_vars/nagios-phx
--- a/inventory/group_vars/notifs-backend
+++ b/inventory/group_vars/notifs-backend
@@ -1,13 +1,13 @@
 ---
 # Define resources for this group of hosts here. 
 lvm_size: 20000
-mem_size: 2048
-num_cpus: 2
+mem_size: 6144
+num_cpus: 4

 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 3000, 3001, 3002, 3003 ]
+tcp_ports: [ 3000, 3001, 3002, 3003, 3004 ]

 fas_client_groups: sysadmin-noc,sysadmin-datanommer

--- a/inventory/group_vars/notifs-backend-stg
+++ b/inventory/group_vars/notifs-backend-stg
@@ -7,7 +7,7 @@ num_cpus: 2
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 3000, 3001, 3002, 3003 ]
+tcp_ports: [ 3000, 3001, 3002, 3003, 3004 ]

 fas_client_groups: sysadmin-noc,sysadmin-datanommer

--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -0,0 +1,47 @@
+---
+lvm_size: 100000
+mem_size: 4096
+num_cpus: 4
+
+tcp_ports: [80, 443, 9418,
+    # These 16 ports are used by fedmsg.  One for each wsgi thread.
+    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
+    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+
+fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc
+fas_client_restricted_app: /usr/bin/gl-auth-command
+fas_client_admin_app: /usr/bin/gl-auth-command -s
+fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc"
+
+git_group: packager
+git_port: 9418
+git_server: /usr/libexec/git-core/git-daemon
+git_server_args: --export-all --syslog --inetd --verbose
+git_basepath: /srv/git/rpms
+
+clamscan_mailto: admin@fedoraproject.org
+clamscan_paths:
+- /srv/cache/lookaside/pkgs
+clamscan_excludes:
+- clamav-
+- amavisd-new-2.3.3.tar.gz
+- bro-20080804.tgz
+- mailman-
+- sagator-
+- nicotine
+- fwsnort-1.0.6.tar.gz
+- psad-2.1.7.tar.bz2
+- pymilter-
+- linkchecker-
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: scm
+  owner: root
+  group: packager
+- service: lookaside
+  owner: root
+  group: apache
--- a/inventory/group_vars/pkgs-stg
+++ b/inventory/group_vars/pkgs-stg
@@ -0,0 +1,47 @@
+---
+lvm_size: 100000
+mem_size: 4096
+num_cpus: 4
+
+tcp_ports: [80, 443, 9418,
+    # These 16 ports are used by fedmsg.  One for each wsgi thread.
+    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
+    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+
+fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc
+fas_client_restricted_app: HOME=/srv/git /usr/share/gitolite3/gitolite-shell user
+fas_client_admin_app: HOME=/srv/git /usr/share/gitolite3/gitolite-shell admin
+fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc"
+
+git_group: packager
+git_port: 9418
+git_server: /usr/libexec/git-core/git-daemon
+git_server_args: --export-all --syslog --inetd --verbose
+git_basepath: /srv/git/rpms
+
+clamscan_mailto: admin@fedoraproject.org
+clamscan_paths:
+- /srv/cache/lookaside/pkgs
+clamscan_excludes:
+- clamav-
+- amavisd-new-2.3.3.tar.gz
+- bro-20080804.tgz
+- mailman-
+- sagator-
+- nicotine
+- fwsnort-1.0.6.tar.gz
+- psad-2.1.7.tar.bz2
+- pymilter-
+- linkchecker-
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service: scm
+  owner: root
+  group: packager
+- service: lookaside
+  owner: root
+  group: apache
--- a/inventory/group_vars/postgresql-server
+++ b/inventory/group_vars/postgresql-server
@@ -6,5 +6,4 @@ num_cpus: 4
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file

-tcp_ports: [ 80 ]
 fas_client_groups: sysadmin-noc
--- a/inventory/group_vars/qadevel
+++ b/inventory/group_vars/qadevel
@@ -18,3 +18,24 @@ virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ m
                  gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
                  hostname={{ inventory_hostname }}"
                 --network=bridge=br0 --autostart --noautoconsole
+
+buildmaster_db_host: localhost
+buildmaster_template: ci.master.cfg.j2
+buildmaster_endpoint: buildmaster
+buildslave_ssh_pubkey: ''
+buildslave_port: 9989
+buildmaster_dir: /home/buildmaster/master
+buildslave_dir: /home/buildslave/slave
+buildslave_poll_interval: 1800
+master_dir: /home/buildmaster/master
+master_user: buildmaster
+external_hostname: qadevel.qa.fedoraproject.org
+deployment_type: qadevel-prod
+tcp_ports: [ 80, 443, "{{ buildslave_port }}" ]
+
+# for now, we're just doing a local slave so we need the slave vars in here
+slave_home: /home/buildslave/
+slave_dir: /home/buildslave/slave
+slave_user: buildslave
+
+freezes: false
--- a/inventory/group_vars/qadevel-stg
+++ b/inventory/group_vars/qadevel-stg
@@ -18,3 +18,19 @@ virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ m
                  gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
                  hostname={{ inventory_hostname }}"
                 --network=bridge=br0 --autostart --noautoconsole
+
+buildmaster_db_host: localhost
+buildmaster_template: ci.master.cfg.j2
+buildmaster_endpoint: taskmaster
+buildslave_ssh_pubkey: ''
+buildslave_port: 9989
+buildmaster_dir: /home/buildmaster/master
+buildslave_dir: /home/buildslave/slave
+buildslave_poll_interval: 1800
+master_dir: /home/buildmaster/master
+master_user: buildmaster
+external_hostname: qadevel-stg.qa.fedoraproject.org
+deployment_type: qadevel-stg
+tcp_ports: [ 80, 443, "{{ buildslave_port }}" ]
+
+freezes: false
--- a/inventory/group_vars/resultsdb-dev
+++ b/inventory/group_vars/resultsdb-dev
@@ -26,3 +26,5 @@ resultsdb_fe_endpoint: '/resultsdb'
 resultsdb_db_name: resultsdb_dev
 allowed_hosts:
    - 10.5.124
+
+freezes: false
--- a/inventory/group_vars/resultsdb-prod
+++ b/inventory/group_vars/resultsdb-prod
@@ -11,7 +11,7 @@ fas_client_groups: sysadmin-qa
 nrpe_procs_warn: 250
 nrpe_procs_crit: 300

-virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
+virt_install_command: /usr/bin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x
                 "ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
--- a/inventory/group_vars/resultsdb-stg
+++ b/inventory/group_vars/resultsdb-stg
@@ -27,3 +27,5 @@ resultsdb_fe_endpoint: '/resultsdb'
 resultsdb_db_name: resultsdb_stg
 allowed_hosts:
    - 10.5.124
+
+freezes: false
--- a/inventory/group_vars/arm-retrace
+++ b/inventory/group_vars/arm-retrace
@@ -1,10 +1,9 @@
 ---
 fas_client_groups: retrace
 freezes: false
-#
-# These are 32bit
-#
-libdir: /usr/lib
 sudoers: "{{ private }}/files/sudo/arm-retrace-sudoers"

-tcp_ports: [ 80 ]
+tcp_ports: [ 80, 443 ]
+
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
--- a/inventory/group_vars/sign-bridge
+++ b/inventory/group_vars/sign-bridge
@@ -8,6 +8,6 @@ lvm_size: 10000
 mem_size: 4096
 num_cpus: 4

-tcp_ports: [ 44333, 44334 ]
+tcp_ports: [ 22, 44333, 44334 ]

 fas_client_groups: sysadmin-releng
--- a/inventory/group_vars/tagger
+++ b/inventory/group_vars/tagger
@@ -8,9 +8,11 @@ num_cpus: 2
 # the host_vars/$hostname file

 tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
+    # These 32 ports are used by fedmsg.  One for each wsgi thread.
    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015,
+    3016, 3017, 3018, 3019, 3020, 3021, 3022, 3023,
+    3024, 3025, 3026, 3027, 3028, 3029, 3030, 3031]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
--- a/inventory/group_vars/tagger-stg
+++ b/inventory/group_vars/tagger-stg
@@ -8,9 +8,11 @@ num_cpus: 2
 # the host_vars/$hostname file

 tcp_ports: [ 80, 443,
-    # These 16 ports are used by fedmsg.  One for each wsgi thread.
+    # These 32 ports are used by fedmsg.  One for each wsgi thread.
    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
-    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015,
+    3016, 3017, 3018, 3019, 3020, 3021, 3022, 3023,
+    3024, 3025, 3026, 3027, 3028, 3029, 3030, 3031]

 # Neeed for rsync from log01 for logs.
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
--- a/inventory/group_vars/taskotron
+++ b/inventory/group_vars/taskotron
@@ -1,20 +0,0 @@
---
-# common items for the releng-* boxes
-lvm_size: 50000
-mem_size: 4096
-num_cpus: 4
-# for systems that do not match the above - specify the same parameter in
-# the host_vars/$hostname file
-
-tcp_ports: [ 80, 443, 9989 ]
-fas_client_groups: sysadmin-qa
-nrpe_procs_warn: 250
-nrpe_procs_crit: 300
-
-virt_install_command: /usr/sbin/virt-install -n {{ inventory_hostname }} -r {{ mem_size }}
-                 --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
-                 --vcpus={{ num_cpus }}  -l {{ ks_repo }} -x
-                 "ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
-                  hostname={{ inventory_hostname }} nameserver={{ dns }}
-                  ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none"
-                 --network=bridge=br0,model=virtio --autostart --noautoconsole
--- a/inventory/group_vars/taskotron-dev
+++ b/inventory/group_vars/taskotron-dev
@@ -23,7 +23,7 @@ master_user: buildmaster
 external_hostname: taskotron-dev.fedoraproject.org
 resultsdb_url: http://resultsdb-dev01.qa.fedoraproject.org/resultsdb_api/api/v1.0
 resultsdb_frontend_url: http://resultsdb-dev01.qa.fedoraproject.org/resultsdb/
-resultsdb_external_url: https://taskotron-dev.fedoraproject.org/resultsdb_api/
+resultsdb_external_url: https://taskotron-dev.fedoraproject.org/resultsdb/
 resultsdb_endpoint: resultsdb
 resultsdb_api_endpoint: resultsdb_api
 landingpage_title: "Taskotron Development"
@@ -34,3 +34,4 @@ fakefedorainfra_db_name: dev_fakefedorainfra
 fakefedorainfra_endpoint: fakefedorainfra
 fakefedorainfra_url: https://taskotron-dev.fedoraproject.org/fakefedorainfra
 taskotron_docs_url: https://docs.qadevel.cloud.fedoraproject.org/libtaskotron/latest/
+freezes: false
--- a/inventory/group_vars/taskotron-dev-clients
+++ b/inventory/group_vars/taskotron-dev-clients
@@ -21,3 +21,4 @@ buildslave_public_sshkey_file: dev-buildslave-sshkey/dev_buildslave.pub
 taskotron_admin_email: taskotron-admin-members@fedoraproject.org
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
 buildmaster_pubkey: "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK4M03mLIZ0Wf9CzoJtUfOV8pcSxYLSsd4zxaFovDIHZGZH3ifg5Ocwut6L6lBalR3iepa/9EuFvgosi90WM3iI="
+freezes: false
--- a/inventory/group_vars/taskotron-prod-clients
+++ b/inventory/group_vars/taskotron-prod-clients
@@ -1,12 +1,13 @@
 ---
-lvm_size: 20000
-mem_size: 4096
+lvm_size: 60000
+mem_size: 8096
 num_cpus: 2

 slave_user: buildslave
 taskotron_fas_user: taskotron
 resultsdb_server: http://resultsdb01.qa.fedoraproject.org/resultsdb_api/api/v1.0/
-bodhi_server: http://10.5.124.206/fakefedorainfra/bodhi/
+# this is proxy01.phx2
+bodhi_server: https://admin.fedoraproject.org/updates
 kojihub_url: http://koji.fedoraproject.org/kojihub
 taskotron_master: https://taskotron.fedoraproject.org/taskmaster/
 deployment_type: prod
@@ -20,4 +21,4 @@ buildslave_private_sshkey_file: prod-buildslave-sshkey/prod_buildslave
 buildslave_public_sshkey_file: prod-buildslave-sshkey/prod_buildslave.pub
 taskotron_admin_email: taskotron-admin-members@fedoraproject.org
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
-buildmaster_pubkey: 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM5J0rmopyW96QyCVq5qyRmvsMIevnnPxXRNView1/vFI0ZkmQNeG6KYp0jmXsTDzPMeD4aC1nYIzyLp6OiMjvQ='
+buildmaster_pubkey: 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBlB0+PK20wI+MN1eYTDCjpnRZCo3eEdAwR2yuOFhm5BdMvdAokpS3CjA6KSKPQjgTc9UHz4WjwGVysV0sns9h0='
--- a/inventory/group_vars/taskotron-stg
+++ b/inventory/group_vars/taskotron-stg
@@ -30,3 +30,4 @@ fakefedorainfra_db_name: fakefedorainfra_stg
 fakefedorainfra_endpoint: fakefedorainfra
 fakefedorainfra_url: https://taskotron.stg.fedoraproject.org/fakefedorainfra
 taskotron_docs_url: https://docs.qadevel.cloud.fedoraproject.org/libtaskotron/latest/
+freezes: false
--- a/inventory/group_vars/taskotron-stg-clients
+++ b/inventory/group_vars/taskotron-stg-clients
@@ -21,3 +21,4 @@ buildslave_public_sshkey_file: stg-buildslave-sshkey/stg_buildslave.pub
 taskotron_admin_email: taskotron-admin-members@fedoraproject.org
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
 buildmaster_pubkey: 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJJ4xAImruf8x0ghwxfq0DM6S00pSoEhpI1VZiG2DT14xD+eMubFQcUMpoQ3IBs3eaatlwVr2qjM4EEBfds/1Zs='
+freezes: false
--- a/inventory/group_vars/unbound
+++ b/inventory/group_vars/unbound
@@ -7,3 +7,4 @@ tcp_ports: [ 80, 443 ]
 custom_rules: [ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT', '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT' ]

 fas_client_groups: sysadmin-dns
+freezes: false
--- a/inventory/group_vars/unbound-dns
+++ b/inventory/group_vars/unbound-dns
@@ -1,2 +0,0 @@
---
-freezes: false
--- a/inventory/hardware
+++ b/inventory/hardware
@@ -12,6 +12,7 @@ virthost03.phx2.fedoraproject.org
 virthost01.phx2.fedoraproject.org
 bvirthost07.phx2.fedoraproject.org
 ibiblio04.fedoraproject.org
+virthost-comm03.qa.fedoraproject.org

 [ciscos]
 virthost14.phx2.fedoraproject.org
--- a/inventory/host_vars/209.132.184.137
+++ b/inventory/host_vars/209.132.184.137
@@ -1,10 +1,11 @@
 ---
 instance_type: m1.xlarge
-image: "{{ el7b_qcow_id }}"
+image: "{{ el7_qcow_id }}"
 keypair: fedora-admin-20130801
 security_group: jenkins
 zone: nova
-hostbase: jenkins-el7b
+hostbase: jenkins-el7
 public_ip: 209.132.184.137
 root_auth_users: pingou
-description: jenkins el7b worker/slave
+description: jenkins el7 worker/slave
+freezes: false
--- a/inventory/host_vars/209.132.184.143
+++ b/inventory/host_vars/209.132.184.143
@@ -9,3 +9,4 @@ public_ip: 209.132.184.143
 root_auth_users:  duffy kevin
 description: artboard cloud instance for the fedora art group
 volumes: ['-d /dev/vdb vol-00000009']
+freezes: false
--- a/inventory/host_vars/209.132.184.146
+++ b/inventory/host_vars/209.132.184.146
@@ -9,3 +9,4 @@ public_ip: 209.132.184.146
 root_auth_users: lmacken
 description: cloud instance for developing/testing logstash
 volumes: ['-d /dev/vdb vol-0000000d']
+freezes: false
--- a/inventory/host_vars/209.132.184.147
+++ b/inventory/host_vars/209.132.184.147
@@ -9,4 +9,4 @@ public_ip: 209.132.184.147
 root_auth_users:  pingou
 description: fedocal dev server
 volumes: ['-d /dev/vdb vol-00000010']
-
+freezes: false
--- a/inventory/host_vars/209.132.184.148
+++ b/inventory/host_vars/209.132.184.148
@@ -0,0 +1,16 @@
+# 2cpus, 3GB of ram 20GB of ephemeral space
+instance_type: m1.large
+# image id
+image: "{{ el6_qcow_id }}"
+keypair: fedora-admin-20130801
+# what security group to add the host to
+security_group: webserver
+zone: fedoracloud
+# instance id will be appended
+hostbase: darkserver-dev-
+# ip should be in the 209.132.184.XXX range
+public_ip: 209.132.184.148
+# users/groups who should have root ssh access
+root_auth_users:  kushal @sysadmin-main sayanchowdhury
+description: darkserver dev server
+freezes: false
--- a/inventory/host_vars/209.132.184.153
+++ b/inventory/host_vars/209.132.184.153
@@ -9,3 +9,4 @@ public_ip: 209.132.184.153
 root_auth_users: pingou puiterwijk
 description: jenkins cloud master
 volumes: ['-d /dev/vdb vol-00000011']
+freezes: false
--- a/inventory/host_vars/209.132.184.157
+++ b/inventory/host_vars/209.132.184.157
@@ -9,3 +9,4 @@ public_ip: 209.132.184.157
 root_auth_users: besser82
 description: shogun-ca instance, see ticket 4032, besser82 contact
 volumes: ['-d /dev/vdb vol-00000026']
+freezes: false
--- a/inventory/host_vars/209.132.184.158
+++ b/inventory/host_vars/209.132.184.158
@@ -1,10 +0,0 @@
---
-instance_type: m1.xlarge
-image: "{{ f19_qcow_id }}"
-keypair: fedora-admin-20130801
-security_group: jenkins
-zone: nova
-hostbase: jenkins-f19
-public_ip: 209.132.184.158
-root_auth_users: pingou
-description: jenkins f19 worker/slave
--- a/inventory/host_vars/209.132.184.162
+++ b/inventory/host_vars/209.132.184.162
@@ -9,3 +9,4 @@ public_ip: 209.132.184.162
 root_auth_users:  toshio fchiulli
 description: cloud instance for developing the next version of the elections app
 volumes: ['-d /dev/vdb vol-0000000e']
+freezes: false
--- a/inventory/host_vars/209.132.184.165
+++ b/inventory/host_vars/209.132.184.165
@@ -8,3 +8,4 @@ hostbase: jenkins-el6
 public_ip: 209.132.184.165
 root_auth_users: pingou
 description: jenkins el6 worker/slave
+freezes: false
--- a/inventory/host_vars/209.132.184.166
+++ b/inventory/host_vars/209.132.184.166
@@ -1,10 +1,18 @@
---
+# 2cpus, 3GB of ram 20GB of ephemeral space
 instance_type: m1.large
-image: "{{ f18_qcow_id }}"
+# image id
+image: "{{ el7_qcow_id }}"
 keypair: fedora-admin-20130801
-security_group: jenkins
-zone: nova
-hostbase: jenkins-f18
+# what security group to add the host to
+security_group: webserver
+zone: fedoracloud
+# instance id will be appended
+hostbase: devpi-
+# ip should be in the 209.132.184.XXX range
 public_ip: 209.132.184.166
-root_auth_users: pingou
-description: jenkins f18 worker/slave
+# users/groups who should have root ssh access
+root_auth_users: bkabrda ncoghlan
+description: devpi test server
+freezes: false
+# 5gb persistent storage
+volumes: ['-d /dev/vdb vol-0000002d']
--- a/inventory/host_vars/209.132.184.209
+++ b/inventory/host_vars/209.132.184.209
@@ -8,3 +8,4 @@ hostbase: jenkins-f20
 public_ip: 209.132.184.209
 root_auth_users: pingou
 description: jenkins f20 worker/slave
+freezes: false
--- a/inventory/host_vars/anitya-backend01.fedoraproject.org
+++ b/inventory/host_vars/anitya-backend01.fedoraproject.org
@@ -0,0 +1,19 @@
+---
+nm: 255.255.255.128
+gw: 140.211.169.193
+dns: 140.211.166.130
+
+volgroup: /dev/vg_guests
+
+eth0_ip: 140.211.169.230
+ansible_ssh_host: anitya-backend01.fedoraproject.org
+
+postfix_group: vpn
+
+vmhost: osuosl03.fedoraproject.org
+datacenter: osuosl
+
+#
+# Only allow postgresql access from the frontend node.
+#
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 140.211.169.229 --dport 5432 -j ACCEPT' ]
--- a/inventory/host_vars/anitya-frontend01.fedoraproject.org
+++ b/inventory/host_vars/anitya-frontend01.fedoraproject.org
@@ -0,0 +1,16 @@
+---
+nm: 255.255.255.128
+gw: 140.211.169.193
+dns: 140.211.166.130
+
+ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
+volgroup: /dev/vg_guests
+
+eth0_ip: 140.211.169.229
+ansible_ssh_host: anitya-frontend01.fedoraproject.org
+
+postfix_group: vpn
+
+vmhost: osuosl03.fedoraproject.org
+datacenter: osuosl
--- a/inventory/host_vars/arm01-retrace01.arm.fedoraproject.org
+++ b/inventory/host_vars/arm01-retrace01.arm.fedoraproject.org
@@ -0,0 +1,3 @@
+---
+# This is a 32bit host
+libdir: /usr/lib
--- a/inventory/host_vars/badges-backend01.phx2.fedoraproject.org
+++ b/inventory/host_vars/badges-backend01.phx2.fedoraproject.org
@@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
-ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
 volgroup: /dev/vg_guests00
 eth0_ip: 10.5.126.100
 vmhost: virthost14.phx2.fedoraproject.org
--- a/inventory/host_vars/badges-backend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/badges-backend01.stg.phx2.fedoraproject.org
@@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
-ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.126.68
 vmhost: virthost12.phx2.fedoraproject.org
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfk627wDgkJisjGl4RbrUS457WoPdSate1vzgZXApQeAkTG9LLEstAEyThphnJZzDWRYceId+DqZvyrwZttB6Tfptwqs9qwW60HelSVtvq6RDoiQO5yB1ffbeelM6ci5spvzA0b8llUmYpDlCmrbv/or5IXtO9ScAxK7S6Pp2XQYyHJepEclCqfUkmgOXqnoFPFhKhIdaNe7wXCDKnjHSL0HLQmpTREbJ98HNexI76DMdiuG+II7m42XbfToHZtDrsUfd5HGyWLqUWqFfLFoFSSrARE7Aqa2cS1zrLdKHTFnDitBezNeb2J4Go3/23bHe58LV8RfPdIQG9Z8hqYiD9 root@fed-cloud09.cloud.fedoraproject.org`
				`@@ -0,0 +1 @@`
				`ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"`