Diffstat (limited to 'roles/fedmsg')
-rw-r--r--roles/fedmsg/base/templates/base.py.j26
-rw-r--r--roles/fedmsg/base/templates/policy.py.j211
2 files changed, 12 insertions, 5 deletions
diff --git a/roles/fedmsg/base/templates/base.py.j2 b/roles/fedmsg/base/templates/base.py.j2
index 8a4427a22..c04852b0d 100644
--- a/roles/fedmsg/base/templates/base.py.j2
+++ b/roles/fedmsg/base/templates/base.py.j2
@@ -1,11 +1,7 @@
config = dict(
# Set this to dev if you're hacking on fedmsg or an app locally.
# Set to stg or prod if running in the Fedora Infrastructure.
- {% if env == 'staging' %}
- environment="stg",
- {% else %}
- environment="prod",
- {% endif %}
+ environment="{{ fedmsg_env }}",
# Most hosts will be "false" here indicating that if they publish messages,
# they will passively bind to ports and have other consuming services
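Review bot: Nothing restricts `fedmsg_env` to a known value at `environment="{{ fedmsg_env }}"`; the removed conditional could only produce "stg" or "prod", while this line writes whatever string the inventory supplies. Where the variable is defined is not visible in this diff, so a typo or a host missing the group var would, at best, fail the template and, at worst, deploy a config whose environment presumably no longer matches the topics listed in the policy file. An `assert` task in the role with `that: fedmsg_env in ['dev', 'stg', 'prod']` (the three values the comment above names) would catch this before the file is written. The `config = dict(` body continues outside the hunk.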
diff --git a/roles/fedmsg/base/templates/policy.py.j2 b/roles/fedmsg/base/templates/policy.py.j2
index 3e2212cde..85c0739cf 100644
--- a/roles/fedmsg/base/templates/policy.py.j2
+++ b/roles/fedmsg/base/templates/policy.py.j2
@@ -216,6 +216,17 @@ config = dict(
topic_prefix + "announce.announcement": [
"announce-lockbox01.phx2.fedoraproject.org",
],
+
+ {% if env == 'staging' %}
+ # ** policy dynamically generated from inventory vars
+ # See ansible/filter_plugins/fedmsg.py for this inversion filter.
+ {% for topic, certs in hostvars | invert_fedmsg_authz_policy %}
+ "{{topic}}": [
+ {% for cert in certs %}
+ "{{ cert }}",{% endfor %}
+ ],
+ {% endfor %}
+ {% endif %}
},
)
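Review bot: The generated `"{{topic}}": [` entries land in the same dict literal as the hand-written ones, and a repeated key in a Python dict literal silently replaces the earlier value, so a topic derived from inventory that matches a static topic would swap that topic's cert list without any error. The filter in filter_plugins/fedmsg.py is not shown, so it needs confirming whether it can emit such a topic, and whether it emits the fully prefixed name at all, given that the static keys are built as `topic_prefix + "..."`; a comment above the loop stating that generated topics must not overlap the static ones would record the assumption. Both values are also interpolated unescaped into Python source, and `{{ topic | to_json }}: [` with `{{ cert | to_json }},` would keep a stray quote in a host variable from altering the policy file. The enclosing dict opens outside the hunk.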