Almost global anyway, i.e. inside the VPN. The ipa/client-based shell access and sudo rules are only effective for staging right now, the respective playbook bits are masked out for prod. - Assign Ansible host groups to IPA host groups, the latter don't care about 'stg' in the name and use dashes rather than underscores. - Distill shell access groups from fas_client_groups in group and host vars. - Let all `sysadmin-*` groups in the previous list run anything via sudo in the host group (except bastion & batcave). - Remove `fas_client_groups` from staging host and group vars. - Remove sudoers from staging host and group vars if only `sysadmin-*` groups have shell access. - Set up `ipa_client_shell_groups` on bastion to be a super set of the same on batcave. Newly created IPA host groups: - autosign - badges - basset - bastion - batcave - blockerbugs - bodhi - bugzilla2fedmsg - busgateway - datagrepper - dbserver - dns - fedimg - github2fedmsg - ipa - kernel-qa - kerneltest - kojibuilder - kojihub - kojipkgs - logging - mailman - memcached - mirrormanager - nagios - notifs - oci-registry - odcs - openqa - openqa-workers - osbs - packages - pdc-web - pkgs - proxies - rabbitmq - releng-compose - resultsdb - secondary - sign-bridge - sundries - value - wiki Signed-off-by: Nils Philippsen <nils@redhat.com>
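---
# Sizing values for hosts in this group (disk, memory, CPU count). Units are
# not stated in this file; they are defined by whatever consumes these vars.
lvm_size: 500000
mem_size: 16384
max_mem_size: 32768
num_cpus: 8

# TCP ports listed for this group; only 80 and 443 appear in this file.
# NOTE(review): presumably consumed by the firewall configuration -- confirm
# against the role that reads tcp_ports.
tcp_ports: [80, 443]
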
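# Both celery (pagure_worker) and the web threads want to send out fedmsg
# messages. To keep things simple on the listening side (and avoid contention
# when binding ports), the pkgs boxes are set to active fedmsg.
fedmsg_active: true
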
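# These vars are used to configure mod_wsgi
wsgi_procs: 6
wsgi_threads: 6

# Fixed numeric id; the role that consumes it is not shown in this file.
pagure_static_uid: 600
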
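# fas_client settings for this group. The exact meaning of each variable is
# defined by the consuming role, which is not shown in this file.
fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-veteran

# The restricted and the admin command are the same aclchecker.py invocation,
# so in this file the admin setting selects no command different from the
# restricted one. %(username)s is a placeholder filled in by the consumer.
# NOTE(review): presumably these are the commands forced on SSH logins --
# confirm in the fas_client role before relying on that.
fas_client_restricted_app: 'PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/libexec/pagure/aclchecker.py %(username)s'
fas_client_admin_app: 'PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git /usr/libexec/pagure/aclchecker.py %(username)s'

# This list is wider than fas_client_groups above: it additionally names
# @cvs and sysadmin-releng. The leading '@' requires the value to be quoted.
fas_client_ssh_groups: "@cvs,sysadmin-main,sysadmin-cvs,sysadmin-releng,sysadmin-noc,sysadmin-veteran"
admin_groups: "@sysadmin-cvs @sysadmin-releng"
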
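# IPA host group for these hosts. Per the commit message shown with this
# file, IPA host group names use dashes and carry no 'stg' marker.
ipa_host_group: pkgs

# Groups given shell access through ipa/client. The four names are the same
# ones listed in fas_client_groups in this file.
ipa_client_shell_groups:
- sysadmin-cvs
- sysadmin-main
- sysadmin-noc
- sysadmin-veteran

# Groups given sudo through ipa/client. Per the commit message, sysadmin-*
# groups may run anything via sudo in the host group, and the ipa/client
# shell and sudo rules were effective for staging only at that commit (the
# playbook bits were masked out for prod).
# NOTE(review): this list is identical to the shell list above, so every
# group with shell access also gets sudo; re-check that this is intended
# before the prod mask is lifted.
ipa_client_sudo_groups:
- sysadmin-cvs
- sysadmin-main
- sysadmin-noc
- sysadmin-veteran
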
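# clamscan settings: report address, path to scan, and names to exclude.
clamscan_mailto: admin@fedoraproject.org
clamscan_paths:
- /srv/cache/lookaside/pkgs

# Names excluded from the scan.
# NOTE(review): entries ending in '-' (clamav-, mailman-, sagator-,
# pymilter-, linkchecker-, gdk-pixbuf-) and the bare 'nicotine' are not
# pinned to a single file the way the versioned archive entries are, so they
# may skip more files than intended. Confirm how the consuming task matches
# these strings, and use a full file name wherever one artifact is meant.
clamscan_excludes:
- clamav-
- amavisd-new-2.3.3.tar.gz
- bro-20080804.tgz
- mailman-
- sagator-
- nicotine
- fwsnort-1.0.6.tar.gz
- psad-2.1.7.tar.bz2
- pymilter-
- linkchecker-
- julia-0.3.7.tar.gz
- jbossws-cxf-5.1.5.Final.zip
- wss4j-2.1.5-source-release.zip
- python-impacket-0.9.14-67fc19e.tar.gz
- gdk-pixbuf-
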
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
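# fedmsg_certs entry for the 'shell' service. can_send lists the topics tied
# to this entry; how the list is enforced is up to the consuming task.
# NOTE(review): pagure.git.receive is also listed under the 'scm' and
# 'pagure' entries, so that topic is not tied to a single entry or
# owner/group here -- confirm that all three really need it.
- service: shell
  owner: root
  group: sysadmin
  can_send:
  - git.branch
  - git.mass_branch.complete
  - git.mass_branch.start
  - logger.log
  - pagure.git.receive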
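# fedmsg_certs entry for the 'scm' service. can_send lists the topics tied
# to this entry; how the list is enforced is up to the consuming task.
# NOTE(review): the group is 'packager', which looks broader than the
# sysadmin and apache groups used by the sibling entries -- confirm who is
# in it, since group membership presumably decides who can use this entry.
- service: scm
  owner: root
  group: packager
  can_send:
  - git.receive
  - pagure.git.receive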
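# fedmsg_certs entry for the 'lookaside' service: a single topic, with
# owner root and group apache. How can_send is enforced is up to the
# consuming task.
- service: lookaside
  owner: root
  group: apache
  can_send:
  - git.lookaside.new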
- service: pagure
owner: pagure
group: apache
can_send:
- pagure.git.receive
- pagure.issue.assigned.added
- pagure.issue.assigned.reset
- pagure.issue.comment.added
- pagure.issue.dependency.added
- pagure.issue.dependency.removed
- pagure.issue.edit
- pagure.issue.new
- pagure.issue.tag.added
- pagure.issue.tag.removed
- pagure.project.edit
- pagure.project.forked
- pagure.project.group.added
- pagure.project.new
- pagure.project.tag.edited
- pagure.project.tag.removed
- pagure.project.user.added
- pagure.project.user.removed
- pagure.pull-request.closed
- pagure.pull-request.comment.added
- pagure.pull-request.comment.edited
- pagure.pull-request.flag.added
- pagure.pull-request.flag.updated
- pagure.pull-request.new
- pagure.request.assigned.added