See #6166 for the security audit.

Can I get a :+1: from another sysadmin to go ahead and start provisioning these VMs even though we don't have feedback on the security audit yet?

@ralph dev and stg, sure.

OK - I created stg nodes and I claimed IPs for the prod node, although they're commented out in the ansible inventory so they won't be created.

Please note that an SOP is required between development and staging.
Could we please get an SOP committed to https://pagure.io/infra-docs?

Phase I

• Software: Freshmaker
• Advantage for Fedora: Automatically rebuild compound artifacts. Modules introduce a potentially higher overhead for packagers. If you patch a specfile, you have to submit a build of all modules that include that specfile. After building rpms (or modules), you have to rebuild all containers including those rpms (or modules). Freshmaker automates this.
• Sponsor: @ralph

Phase II

• Email list thread:
  • thread 1
  • thread 2
  • thread 3
• Upstream source: https://pagure.io/freshmaker
• Development contacts: @jkaluza, @cqi, @qwan, @sochotni, @ralph
• Maintainership contacts: @jkaluza, @cqi, @qwan, @sochotni, @ralph
• Load balanceable: The frontend, yes. It just serves an API. The backend is not. It is a fedmsg-hub, and therefore has the same load-balancing problems that all fedmsg-hub backends do.
• Caching: No. No static assets to speak of.

Phase III

• SOP link: https://pagure.io/infra-docs/pull-request/70
• Audit request: https://pagure.io/fedora-infrastructure/issue/6166
• Audit timeline: We wanted to deploy this before the F27 Beta freeze, but there's a lot going on. In progress now. I guess we'd like to have the audit resolved before F27 GA? If that's unreasonable, we can move it back.

Phase IV

• Ansible playbooks: TODO (/cc @qwan)
• Fully rebuilt from ansible: TODO
• Production goal: Original, August, 2017. Then, end of November, 2017. Arbitrary date. Now, end of February, 2018.
• Approved audit: https://pagure.io/fedora-infrastructure/issue/6166

OK, the audit is passed, and the VMs should be in place. @qwan, can you take on the ansible role? Sync with @jkaluza - we should have a card for it in jira, too.

@ralph, sure, and we already have a card in jira assigned to me.

So, initial dumb (without any handlers/parsers) Freshmaker on staging is deployed, but it seems haproxy is not configured to forward data to its frontend, so https://freshmaker.stg.fedoraproject.org/api/1/events does not work.

@ralph: Can you configure it somehow? It would also helped a lot to get us sudo on backend(s) to do "journalctl -f -u fedmsg".

Stg is answering haproxy for me now. :)

Looks like prod is in place now too? What else is left to complete this RFR?

I think this is done as far as I can tell, so I am going to close it.

If there's anything anyone can see missing, please finish it up asap or let me know...

:custard: