--- ####### # BEGIN: Ansible roles_path variables # # Background/reference about external repos pulled in: # https://pagure.io/fedora-infrastructure/issue/5476 # # IPA settings additional_host_keytabs: [] ansible_base: /srv/web/infra # Default to managing the network, we want to not do this on select # hosts (like cloud nodes) # List of interfaces to explicitly disable ansible_ifcfg_disabled: [] # on MOST infra systems, the interface connected to the infra network # is eth0. but not on quite ALL systems. e.g. on s390 boxes it's enc900, # on openqa-ppc64le-01.qa it's eth2 for some reason, and on qa01.qa and # qa02.qa it's em3. currently this only affects whether GATEWAY, DOMAIN # and DNS1/DNS2 lines are put into ifcfg-(device). ansible_ifcfg_infra_net_devices: ['eth0', 'enc900'] # # Autodetect python version # ansible_python_interpreter: auto # Set variable if we want to use our global iptables defaults # Some things need to set their own. baseiptables: True # by default set become to false here We can override it as needed. # Note that if become is true, you need to unset requiretty for # ssh controlpersist to work. become: false br0_nm: 255.255.255.0 br1_nm: 255.255.255.0 # assume collectd apache collectd_apache: true # communishift project resource overrides communishift_projects: communishift-admins: do_not_delete: true # Marked do not delete 2024-11-25 communishift-eventbot: name: communishift-eventbot communishift-fedora-review-service: name: communishift-fedora-review-service do_not_delete: true # Marked do not delete 2024-10-21 communishift-lightspeed-build: name: communishift-lightspeed-build communishift-log-detective: name: communishift-log-detective do_not_delete: true # Marked do not delete 2024-10-21 memory_requests: 4Gi memory_limits: 6Gi storage_requests: 10Gi communishift-mattdm: name: communishift-mattdm communishift-metrics: name: communishift-metrics communishift-openscanhub: name: communishift-openscanhub cpu_requests: 2 memory_requests: 2Gi cpu_limits: 2 memory_limits: 4Gi pods: 16 communishift-planet: name: communishift-planet communishift-forgejo: name: communishift-forgejo communishift-gitlabce: name: communishift-gitlabce communishift-ocm: name: communishift-ocm communishift-weekly-bootc: name: communishift-weekly-bootc do_not_delete: true # Marked do not delete 2024-11-26. Needed until end of bootc initative. communishift-fossology: name: communishift-fossology communishift-commops-analytics: name: communishift-commops-analytics communishift-commops-datanom: name: communishift-commops-datanom # true or false if we are or are not a copr build virthost. # Default to false copr_build_virthost: false # assume createrepo is true and this builder has the koji nfs mount to do that createrepo: True # This vars get shoved into /etc/system_identification by the base role. # Groups and individual hosts should override them with specific info. custom6_rules: [] custom_rules: [] # most of our systems are in IAD2 datacenter: iad2 # Datanommer datanommer_db_hostname: db-datanommer02 # By default, nodes don't backup any dbs on them unless they declare it. dbs_to_backup: [] # dnf-automatic-install.service mode default: security-only dnf_automatic_type: security dns: "10.3.163.33" dns1: "10.3.163.33" dns2: "10.3.163.34" dns_search1: "iad2.fedoraproject.org" dns_search2: "fedoraproject.org" # env is staging or production, we default it to production here. env: production env_prefix: "" env_short: prod env_suffix: "" # Default netmask. All of our iad2 nets are /24's. Almost all of our # non-iad2 sites are less than a /24. eth0_ipv4_nm: 24 eth1_ip: 10.0.0.10 eth1_nm: 255.255.255.0 # END: Ansible roles_path variables ####### freezes: true # defaults for hw installs install_noc: none ipa_admin_password: "{{ ipa_prod_admin_password }}" ipa_realm: FEDORAPROJECT.ORG ipa_server: ipa01.iad2.fedoraproject.org ipa_server_nodes: - ipa01.iad2.fedoraproject.org - ipa02.iad2.fedoraproject.org - ipa03.iad2.fedoraproject.org - ipa01.rdu3.fedoraproject.org - ipa02.rdu3.fedoraproject.org - ipa03.rdu3.fedoraproject.org ks_repo: https://infrastructure.fedoraproject.org/repo/rhel/RHEL9-x86_64/ # defaults for virt installs ks_url: https://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel # most of our systems are 64bit. # Used to install various nagios scripts and the like. libdir: /usr/lib64 lvm_size: 20000 mac_address: RANDOM mac_address1: RANDOM main_bridge: br0 max_cpu: "{{ num_cpus * 5 }}" max_mem_size: "{{ mem_size * 5 }}" mem_size: 4096 nagios_Can_Connect: true # Nagios global variables nagios_Check_Services: dhcpd: false httpd: false mail: true named: false nrpe: true ping: true raid: false sshd: true swap: true nat_rules: [] # Do we want to use nftables instead of iptables nftables: True # nftables variants of custom*_rules nft_custom6_rules: [] nft_custom_rules: [] nft_nat_rules: [] # usually we do not want to enable nested virt, only on some virthosts nested: false network_allow_restart: yes network_connections: - autoconnect: yes ip: address: - "{{ eth0_ipv4_ip }}/{{ eth0_ipv4_nm }}" dhcp4: no dns: - "{{ dns1 }}" - "{{ dns2 }}" dns_search: - "{{ dns_search1 }}" - "{{ dns_search2 }}" gateway4: "{{ eth0_ipv4_gw }}" mac: "{{ ansible_default_ipv4.macaddress }}" name: eth0 type: ethernet state: up nfs_bridge: br1 # nfs mount options, override at the group/host level nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3" nm: 255.255.255.0 # Most of our machines have manual resolv.conf files # These settings are for machines where NM is supposed to control resolv.conf. nrpe_check_postfix_queue_crit: 5 # by default, the number of emails in queue before we whine nrpe_check_postfix_queue_warn: 2 nrpe_procs_crit: 300 # by default the number of procs we allow before we whine nrpe_procs_warn: 250 num_cpus: 2 # ocp4 is default now in some proxy roles ocp4: true # ocp4_rdu3 is not default yet, only set it for things that have moved to rdu3 ocp4_rdu3: false # All the ocp production workers. # This is used by the openvpn openshift app to make sure there's a vpn pod on each node. ocp_nodes: - worker01.ocp.iad2.fedoraproject.org - worker02.ocp.iad2.fedoraproject.org - worker03.ocp.iad2.fedoraproject.org - worker04.ocp.iad2.fedoraproject.org - worker05.ocp.iad2.fedoraproject.org - worker06.ocp.iad2.fedoraproject.org ocp_nodes_rdu3: - worker01.ocp.rdu3.fedoraproject.org - worker02.ocp.rdu3.fedoraproject.org - worker03.ocp.rdu3.fedoraproject.org - worker04.ocp.rdu3.fedoraproject.org - worker05.ocp.rdu3.fedoraproject.org ocp_wildcard_cert_file: wildcard-2024.apps.ocp.fedoraproject.org.cert # This is the openshift wildcard cert for ocp ocp_wildcard_cert_name: wildcard-2024.apps.ocp.fedoraproject.org ocp_wildcard_int_file: wildcard-2024.apps.ocp.fedoraproject.org.intermediate.cert ocp_wildcard_key_file: wildcard-2024.apps.ocp.fedoraproject.org.key # rdu3 ocp cert while we are not yet moved ocp_rdu3_wildcard_cert_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.cert ocp_rdu3_wildcard_cert_name: wildcard-2025.apps.ocp-rdu3.fedoraproject.org ocp_rdu3_wildcard_int_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.intermediate.cert ocp_rdu3_wildcard_key_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.key # Path to the openshift-ansible checkout as external git repo brought into # Fedora Infra openshift_ansible: /srv/web/infra/openshift-ansible/ postfix_group: "none" # This is a list of services that need to wait for VPN to be up before getting started. postvpnservices: [] preferred_dc: iad2 primary_auth_source: ipa # # Set a redirectmatch variable we can use to disable some redirectmatches # like the prerelease to final ones. # redirectmatch_enabled: True # default the root_auth_users to nothing. # This should be set for cloud instances in their host or group vars. root_auth_users: '' # List of names under which the host is available ssh_hostnames: [] # This enables/disables the SSH "keyhelper" used by Pagure for verifying users' # SSH keys from the Pagure database sshd_keyhelper: false # Normal default sshd port is 22 sshd_port: 22 tcp_ports: [] # example of ports for default iptables # tcp_ports: [ 22, 80, 443 ] # udp_ports: [ 110, 1024, 2049 ] # multiple lines can be handled as below # custom_rules: [ '-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT', # '-A INPUT -p tcp -m tcp --dport 8889 -j ACCEPT' ] # We default these to empty udp_ports: [] # Most EL systems need default EPEL repos. # Some systems (notably fed-cloud*) need to get their own # EPEL files because EPEL overrides packages in their core repos. use_default_epel: true # # The default virt-install works for rhel9 or fedora with 1 nic # virt_install_command: "{{ virt_install_command_one_nic }}" virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole virt_install_command_aarch64_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --rng /dev/random virt_install_command_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns1 }} nameserver={{ dns2 }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random --cpu host virt_install_command_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns1 }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random --cpu host virt_install_command_ppc64le_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random virt_install_command_ppc64le_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random virt_install_command_pxe_rhcos: virt-install -n {{ inventory_hostname }} --vcpus {{ num_cpus }},maxvcpus={{ num_cpus }} --memory {{ mem_size }} --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --nographics --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --hvm --accelerate --autostart --wait=-1 --extra-args "ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:enp1s0:none hostname={{ inventory_hostname }} nameserver={{ dns }} console=ttyS0 nomodeset rd.neednet=1 coreos.inst=yes coreos.inst.install_dev=vda coreos.live.rootfs_url={{ rhcos_install_rootfs_url }} coreos.inst.ignition_url={{ rhcos_ignition_file_url }}" --os-variant rhel9.5 --location {{ rhcos_install_url }} virt_install_command_s390x_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --rng /dev/random --cpu host virt_install_command_s390x_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --rng /dev/random --cpu host virt_install_command_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random # assume vpn is false vpn: False # This is the wildcard certname for our proxies. It has a different name for # the staging group and is used in the proxies.yml playbook. wildcard_cert_name: wildcard-2024.fedoraproject.org wildcard_crt_file: wildcard-2024.fedoraproject.org.cert wildcard_int_file: wildcard-2024.fedoraproject.org.intermediate.cert wildcard_key_file: wildcard-2024.fedoraproject.org.key # # say if we want the apache role dependency for mod_wsgi or not # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff) # wsgi_wants_apache: true # set no x-forward header by default x_forward: false # # Template defaults are defined in the template macros. If we need a specific # host to have different values for a macro, define it here. Use the macro name # as it is in Zabbix so we can search for it easily. If you remove a key, # Zabbix is *not* updated - set the value to "absent" instead. # This is overriden at the host_var level, this is empty just so the var exists zabbix_macros: {} notes: | Unspecified. * What hosts/services does this rely on? * What hosts/services rely on this?