-rw-r--r--inventory/group_vars/kojipkgs2
-rw-r--r--inventory/group_vars/proxies2
-rw-r--r--inventory/group_vars/proxies-stg1
-rw-r--r--roles/varnish/files/varnish.el7 (renamed from roles/varnish/files/varnish)0
-rw-r--r--roles/varnish/files/varnish.f2532
-rw-r--r--roles/varnish/tasks/main.yml21
-rw-r--r--roles/varnish/templates/kojipkgs.vcl.j294
-rw-r--r--roles/varnish/templates/proxies.vcl.j2 (renamed from roles/varnish/templates/proxy.vcl.j2)0
8 files changed, 144 insertions, 8 deletions
diff --git a/inventory/group_vars/kojipkgs b/inventory/group_vars/kojipkgs
index d9745dbe3..94b14ced4 100644
--- a/inventory/group_vars/kojipkgs
+++ b/inventory/group_vars/kojipkgs
@@ -15,6 +15,8 @@ tcp_ports: [80, 443, 8080]
fas_client_groups: sysadmin-releng,sysadmin-noc
+varnish_group: kojipkgs
+
# For the MOTD
csi_security_category: Moderate
csi_primary_contact: Fedora admins - admin@fedoraproject.org
diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index e5767e78e..a39282ee6 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -88,6 +88,8 @@ fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
collectd_apache: true
+varnish_group: proxies
+
# For the MOTD
csi_security_category: Moderate
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
index 7988338b7..04083b7d3 100644
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@@ -76,6 +76,7 @@ custom_rules: [
fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
collectd_apache: true
+varnish_group: proxies
# For the MOTD
csi_security_category: Moderate
diff --git a/roles/varnish/files/varnish b/roles/varnish/files/varnish.el7
index 763e5fdbc..763e5fdbc 100644
--- a/roles/varnish/files/varnish
+++ b/roles/varnish/files/varnish.el7
diff --git a/roles/varnish/files/varnish.f25 b/roles/varnish/files/varnish.f25
new file mode 100644
index 000000000..a348db526
--- /dev/null
+++ b/roles/varnish/files/varnish.f25
@@ -0,0 +1,32 @@
+# Varnish environment configuration description. This was derived from
+# the old style sysconfig/defaults settings
+
+# Set this to 1 to make systemd reload try to switch VCL without restart.
+RELOAD_VCL=1
+
+# Main configuration file. You probably want to change it.
+VARNISH_VCL_CONF=/etc/varnish/default.vcl
+
+# Default address and port to bind to. Blank address means all IPv4
+# and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
+# quad, or an IPv6 address in brackets.
+# VARNISH_LISTEN_ADDRESS=192.168.1.5
+VARNISH_LISTEN_PORT=6081
+
+# Admin interface listen address and port
+VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
+VARNISH_ADMIN_LISTEN_PORT=6082
+
+# Shared secret file for admin interface
+VARNISH_SECRET_FILE=/etc/varnish/secret
+
+# Backend storage specification, see Storage Types in the varnishd(5)
+# man page for details.
+VARNISH_STORAGE="malloc,256M"
+
+# User and group for the varnishd worker processes
+VARNISH_USER=varnish
+VARNISH_GROUP=varnish
+
+# Other options, see the man page varnishd(1)
+#DAEMON_OPTS="-p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300"
diff --git a/roles/varnish/tasks/main.yml b/roles/varnish/tasks/main.yml
index cede84094..5fb573df4 100644
--- a/roles/varnish/tasks/main.yml
+++ b/roles/varnish/tasks/main.yml
@@ -15,19 +15,24 @@
- varnish
- selinux
-- name: install varnish /etc/sysconfig/varnish
- copy: src={{ item.file }} dest={{ item.dest }}
- owner=root group=root
- with_items:
- - { file: varnish, dest: /etc/sysconfig/varnish }
+- name: install varnish /etc/sysconfig/varnish file (el7
+ copy: src=varnish.el7 dest=/etc/sysconfig/varnish owner=root group=root
+ notify:
+ - restart varnish
+ tags:
+ - varnish
+ when: ansible_distribution_major_version|int == 7
+
+- name: install varnish /etc/sysconfig/varnish file (fedora)
+ copy: src=varnish.f25 dest=/etc/varnish/varnish.params owner=root group=root
notify:
- restart varnish
tags:
- varnish
+ when: ansible_distribution_major_version|int > 24
-- name: install /etc/varnish/default.vcl
- template: src=proxy.vcl.j2 dest=/etc/varnish/default.vcl
- owner=root group=root
+- name: install /etc/varnish/default.vcl (proxies)
+ template: src={{ varnish_group }}.vcl.j2 dest=/etc/varnish/default.vcl owner=root group=root
notify:
- restart varnish
tags:
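Review bot: The two new `when:` guards key off `ansible_distribution_major_version` alone, so `== 7` and `> 24` do not say which distribution they are meant for and will misfire once an EL or Fedora release falls into the other range; pin the distribution too, e.g. `when: ansible_distribution == 'Fedora' and ansible_distribution_major_version|int > 24` for the varnish.params task and `when: ansible_distribution in ['RedHat', 'CentOS'] and ansible_distribution_major_version|int == 7` for the el7 task. The el7 task name has an unclosed parenthesis, `install varnish /etc/sysconfig/varnish file (el7`. The `src={{ varnish_group }}.vcl.j2` template task now requires `varnish_group` on every host the role runs against (this commit sets it only for kojipkgs, proxies and proxies-stg) and its name still says `(proxies)`; a role default or an explicit `assert` on the variable would turn a missing group var into a clear error instead of a template lookup failure. The template task's `tags:` list continues past the end of the hunk.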
diff --git a/roles/varnish/templates/kojipkgs.vcl.j2 b/roles/varnish/templates/kojipkgs.vcl.j2
new file mode 100644
index 000000000..e21c96a4e
--- /dev/null
+++ b/roles/varnish/templates/kojipkgs.vcl.j2
@@ -0,0 +1,94 @@
+vcl 5.0;
+
+import directors;
+
+#
+# These nets/machines are allowed /repo access
+#
+acl repoallowed {
+ "10.5.125.0"/24;
+ "10.5.127.0"/24;
+ "10.5.129.0"/24;
+ "10.5.126.14"/32;
+ "10.5.126.223"/32;
+ "10.5.126.224"/32;
+ "10.5.126.225"/32;
+ "10.5.126.226"/32;
+}
+
+acl pdc {
+ "10.5.126.134"/32;
+}
+
+acl proxies {
+ "10.5.126.51"/32;
+ "10.5.126.52"/32;
+}
+
+acl purge {
+ "127.0.0.1"/32;
+}
+
+backend local-apache {
+ .host = "127.0.0.1";
+ .port = "8080";
+ .probe = {
+ .url = "/";
+ .interval = 5s;
+ .timeout = 1s;
+ .window = 5;
+ .threshold = 3; }
+}
+
+sub vcl_synth {
+ set resp.http.Content-Type = "text/html; charset=utf-8";
+ set resp.http.Retry-After = "5";
+ synthetic( {"<!DOCTYPE html>
+<html>
+ <head>
+ <title>"} + resp.status + " " + resp.reason + {"</title>
+ </head>
+ <body>
+ <h1>Error "} + resp.status + " " + resp.reason + {"</h1>
+ <p>"} + resp.reason + {"</p>
+ <h3>Guru Meditation:</h3>
+ <p>XID: "} + req.xid + {"</p>
+ <hr>
+ <p>Varnish cache server on {{ inventory_hostname }}</p>
+ </body>
+</html>
+"} );
+ return (deliver);
+}
+
+sub vcl_recv {
+ if (req.method == "PURGE") {
+ if (!client.ip ~ purge) {
+ return (synth(405, "Not allowed"));
+ }
+ return(purge);
+ }
+
+ if (req.url ~ "^/repo/") {
+ if (client.ip ~ repoallowed) {
+ set req.backend_hint = apache-local;
+ unset req.http.cookie;
+ set req.http.clear-cookies = "yes";
+ }
+ else {
+ return(synth(403, "Access denied."));
+ }
+ }
+ if (req.url ~ "^/mash/") {
+ set req.backend_hint = apache-local;
+ return (pipe);
+ }
+ if (req.url ~ "^/compose/") {
+ set req.backend_hint = apache-local;
+ return (pipe);
+ }
+#
+# deny the open264 rpms and such
+# if (req.url ~ openh264)
+#
+}
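Review bot: The backend is declared as `local-apache`, but the three `set req.backend_hint = apache-local;` lines in vcl_recv reference a name that is never defined, so this VCL will not compile and the notified varnish restart will fail; change them to `set req.backend_hint = local-apache;` (or rename the declaration to match). The `vcl 5.0;` header also looks wrong: to my knowledge Varnish 5 still only accepts `vcl 4.0;`, so the VCL load would fail on the first line regardless. The `/repo/` access control is a literal prefix match on `req.url`; if the Apache backend normalizes dot-segments or doubled slashes, a request the backend resolves to /repo/ may not pass through the `repoallowed` test at all, so either normalize `req.url` before the check or enforce the same restriction on the backend as well. `import directors;` and the `pdc` and `proxies` ACLs are declared but never used in this file.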
diff --git a/roles/varnish/templates/proxy.vcl.j2 b/roles/varnish/templates/proxies.vcl.j2
index a129f2dae..a129f2dae 100644
--- a/roles/varnish/templates/proxy.vcl.j2
+++ b/roles/varnish/templates/proxies.vcl.j2