system-config/zuul.d/system-config-run.yaml

- job:
    name: system-config-run
    timeout: 3600
    description: |
      Run the "base" playbook for system-config hosts.

      This is a parent job designed to be inherited.
    abstract: true
    pre-run: playbooks/zuul/run-base-pre.yaml
    run: playbooks/zuul/run-base.yaml
    post-run: playbooks/zuul/run-base-post.yaml
    vars:
      zuul_copy_output: "{{ copy_output | combine(host_copy_output | default({})) }}"
      stage_dir: "{{ ansible_user_dir }}/zuul-output"
      copy_output:
        '/var/log/apparmor_status': logs_txt
        '/var/log/syslog': logs_txt
        '/var/log/messages': logs_txt
        '/var/log/exim4': logs
        '/var/log/docker': logs
        '/var/log/containers': logs
        '/var/log/dstat-csv.log': logs
        '/etc/iptables/rules.v4': logs_txt
        '/etc/iptables/rules.v6': logs_txt
    host-vars:
      bridge99.opendev.org:
        install_ansible_ara_enable: true
        host_copy_output:
          '{{ zuul.project.src_dir }}/junit.xml': logs
          '{{ zuul.project.src_dir }}/test-results.html': logs
          '{{ zuul.project.src_dir }}/inventory/base/gate-hosts.yaml': logs
          '/var/log/screenshots': logs
          '/var/log/ansible': logs

# Note: the following two jobs implement the variant-based multiple
# inheritance trick.  Both of these variants will always apply,
# therefore both parents will appear in the inheritance hierarchy).
- job:
    name: system-config-run-containers
    parent: system-config-run

# Note: see above re multiple-inheritance.
- job:
    name: system-config-run-containers
    parent: opendev-buildset-registry-consumer
    description: |
      Run the "base" playbook for system-config hosts which use
      containers.

      This is a parent job designed to be inherited.  Use this job if
      the service in question is container-based.  It expects a
      buildset registry and pulls images from the intermediate
      registry.

- job:
    name: system-config-run-base
    parent: system-config-run
    description: |
      Run the "base" playbook on each of the node types
      currently in use.
    nodeset:
      nodes:
        - &bridge_node_x86 { name: bridge99.opendev.org, label: ubuntu-jammy }
        - name: bionic
          label: ubuntu-bionic
        - name: focal
          label: ubuntu-focal
        - name: jammy
          label: ubuntu-jammy
        - name: noble
          label: ubuntu-noble
      groups:
        # Each job should define this group -- to avoid hard-coding
        # the bastion hostname in the job setup, playbooks/tasks refer
        # to it only by this group.  This should only have one entry
        # -- in a couple of places the jobs use the actual hostname
        # and assume element [0] here is that hostname.
        #
        # Note that this shouldn't be confused with the group in
        # inventory/service/groups.yaml -- this group contains the
        # host that Zuul, running on the executor, will setup as the
        # bridge node.  This node will then run a nested Ansible to
        # test the production playbooks -- *that* Ansible has a
        # "bastion" group too
        - &bastion_group { name: prod_bastion, nodes: [ bridge99.opendev.org ] }
    files:
      - tox.ini
      - launch/
      - playbooks/
      - roles/
      - testinfra/
      - inventory/

- job:
    name: system-config-run-base-ansible-devel
    parent: system-config-run-base
    description: |
      Run the base playbook with the latest ansible.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: bionic
          label: ubuntu-bionic
        - name: focal
          label: ubuntu-focal
        - name: jammy
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    required-projects:
      - name: github.com/ansible/ansible
        override-checkout: devel
      - name: github.com/pytest-dev/pytest-testinfra
        override-checkout: main
      - name: openstack/openstacksdk
      - name: github.com/ansible-collections/ansible.posix
        override-checkout: main
      - name: github.com/ansible-collections/ansible.netcommon
        override-checkout: main
      - name: github.com/ansible-collections/community.crypto
        override-checkout: main
      - name: github.com/ansible-collections/community.general
        override-checkout: main
    vars:
      install_ansible_requirements:
        # Zuul checkout of Ansible devel
        - '{{ ansible_user_dir}}/src/github.com/ansible/ansible'
        - '{{ ansible_user_dir }}/src/opendev.org/openstack/openstacksdk'
      # These are required because we are not install the pypi
      # "ansible" bundle here, but the upstream devel branch
      install_ansible_collections:
        - namespace: ansible
          name: netcommon
          repo: ansible-collections/ansible.netcommon
        - namespace: ansible
          name: posix
          repo: ansible-collections/ansible.posix
        - namespace: community
          name: general
          repo: ansible-collections/community.general
        - namespace: community
          name: crypto
          repo: ansible-collections/community.crypto


# Although we don't have an arm64 based bridge; Zuul can't currently
# allocate a mixed x86/arm64 situation across clouds.  Thus it helps
# to keep this clean so we can run the other tests.
- job:
    name: system-config-run-base-arm64
    parent: system-config-run
    description: |
      Run the "base" playbook on ARM64.
    nodeset:
      nodes:
        - &bridge_node_arm64 { name: bridge99.opendev.org, label: ubuntu-jammy-arm64 }
        - name: bionic
          label: ubuntu-bionic-arm64
        - name: focal
          label: ubuntu-focal-arm64
        - name: jammy
          label: ubuntu-jammy-arm64
      groups:
        - <<: *bastion_group
    files:
      - playbooks/
      - roles/
      - testinfra/
      - inventory/

- job:
    name: system-config-run-eavesdrop
    parent: system-config-run-containers
    description: |
      Run the playbook for an eavesdrop server.
    required-projects:
      - opendev/system-config
      - openstack/project-config
    requires:
      - accessbot-container-image
      - gerritbot-container-image
      - statusbot-container-image
      - ircbot-container-image
      - matrix-eavesdrop-container-image
      - ptgbot-container-image
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: eavesdrop01.opendev.org
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-eavesdrop.yaml
    host-vars:
      eavesdrop01.opendev.org:
        host_copy_output:
          '/var/lib/limnoria': logs
          '/var/log/apache2': logs
          '/var/log/acme.sh': logs
          '/etc/apache2': logs
          '/var/log/statusbot': logs
          '/etc/statusbot': logs
    files:
      - playbooks/service-eavesdrop.yaml
      - playbooks/run-accessbot.yaml
      - inventory/service/group_vars/eavesdrop.yaml
      - playbooks/roles/install-docker
      - playbooks/roles/accessbot
      - playbooks/roles/limnoria
      - playbooks/roles/logrotate
      - playbooks/roles/matrix-eavesdrop
      - playbooks/roles/matrix-gerritbot
      - playbooks/roles/statusbot
      - playbooks/roles/ptgbot
      - playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2
      - docker/accessbot/
      - docker/ircbot
      - docker/matrix-eavesdrop
      - testinfra/test_eavesdrop.py

- job:
    name: system-config-run-letsencrypt
    parent: system-config-run
    description: |
      Run the playbook for letsencrypt key acquisition
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        # The other tests run the letsencrypt.yaml playbook to create
        # self-signed certificates but do not exercise any of the DNS
        # path because they don't have DNS servers in the inventory.
        # By adding them for this test, the letsencrypt.yaml playbook
        # will make a request to LE staging and get TXT records, which
        # it will populate to the test DNS servers.  LE won't actually
        # authenticate those records, but we are validating the path
        # of at least creating and collecting them here.
        - name: adns99.opendev.org
          label: ubuntu-jammy
        - name: ns99.opendev.org
          label: ubuntu-jammy
        - name: letsencrypt01.opendev.org
          label: ubuntu-jammy
        - name: letsencrypt02.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/service-nameserver.yaml
        - playbooks/letsencrypt.yaml
        # Run twice to ensure correct behavior on a second pass
        - playbooks/letsencrypt.yaml
      # Make sure this test runs acme.sh
      letsencrypt_self_generate_tokens: False
    host-vars:
      bridge99.opendev.org:
        host_copy_output:
          '/var/lib/certcheck': logs
      letsencrypt01.opendev.org:
        host_copy_output:
          '/var/log/acme.sh': logs
      letsencrypt02.opendev.org:
        host_copy_output:
          '/var/log/acme.sh': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - inventory/service/group_vars/letsencrypt.yaml
      # This is split because we ant to avoid
      # ...create-certs/handlers/main.yaml matching since every
      # letsencrypt user has its handler in there.  re2 matching
      # doesn't provide us a way to say "everything but this file"
      - playbooks/roles/letsencrypt-acme-sh-install
      - playbooks/roles/letsencrypt-config-certcheck
      - playbooks/roles/letsencrypt-create-certs/defaults
      - playbooks/roles/letsencrypt-create-certs/handlers/restart_apache.yaml
      - playbooks/roles/letsencrypt-create-certs/handlers/touch_file.yaml
      - playbooks/roles/letsencrypt-create-certs/tasks
      - playbooks/roles/letsencrypt-install-txt-record
      - playbooks/roles/letsencrypt-request-certs

- job:
    name: system-config-run-lists3
    # We don't use the system-config-run-containers base job because we
    # are consuming upstream containers only.
    parent: system-config-run-containers
    requires: mailman-container-images
    description: |
      Run the playbook for a mailman3 list server.
    timeout: 3600
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: lists99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    required-projects:
      - opendev/system-config
    files:
      - docker/mailman
      - playbooks/bootstrap-bridge.yaml
      - inventory/service/group_vars/mailman3.yaml
      - playbooks/roles/base/exim
      - playbooks/roles/mailman3
      - playbooks/service-lists3.yaml
      - playbooks/test-lists3.yaml
      - playbooks/zuul/templates/group_vars/mailman3.yaml.j2
      - testinfra/test_lists_opendev_org.py
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-lists3.yaml
        # Run this twice to check idempotency
        - playbooks/service-lists3.yaml
        - playbooks/zuul/lists3-alias-logs.yaml
      run_test_playbook: playbooks/zuul/test-lists3.yaml
    host-vars:
      lists99.opendev.org:
        host_copy_output:
          '/var/log/acme.sh': logs
          '/var/log/apache2': logs
          '/var/lib/mailman/mailman-web-logs': logs
          '/var/lib/mailman/mailman-core-logs': logs

- job:
    name: system-config-run-nodepool
    parent: system-config-run
    description: |
      Run the playbook for nodepool.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: zk04.opendev.org
          label: ubuntu-focal
        - name: nl01.opendev.org
          label: ubuntu-focal
        - name: nb01.opendev.org
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    required-projects:
      - opendev/system-config
      - openstack/project-config
    host-vars:
      nl01.opendev.org:
        host_copy_output:
          '/etc/nodepool/nodepool.yaml': logs
          '/var/log/nodepool/launcher-debug.log': logs
      nb01.opendev.org:
        host_copy_output:
          '/etc/nodepool/nodepool.yaml': logs
          '/var/log/nodepool/builder-debug.log': logs
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-zookeeper.yaml
        - playbooks/service-nodepool.yaml
        # Test our ad hoc restart playbook works
        - playbooks/nodepool_restart.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - inventory/service/group_vars/nodepool.yaml
      - inventory/service/group_vars/nodepool-builder.yaml
      - inventory/service/group_vars/nodepool-launcher.yaml
      - playbooks/roles/configure-openstacksdk/
      - playbooks/roles/nodepool
      - playbooks/templates/clouds/
      - playbooks/nodepool_restart.yaml
      - testinfra/test_nodepool.py
      - playbooks/zuul/templates/group_vars/nodepool.yaml.j2

- job:
    name: system-config-run-dns
    parent: system-config-run
    description: |
      Run the playbook for dns.
    required-projects:
      - opendev/zone-opendev.org
      - opendev/zone-zuul-ci.org
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: adns99.opendev.org
          label: ubuntu-jammy
        - name: ns99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/service-nameserver.yaml
    host-vars:
      adns99.opendev.org:
        host_copy_output:
          '/etc/bind/named.conf': logs
          '/var/lib/bind/zones': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - inventory/service/group_vars/adns-primary.yaml
      - inventory/service/group_vars/adns-secondary.yaml
      - inventory/service/group_vars/adns.yaml
      - playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
      - playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
      - playbooks/roles/master-nameserver/
      - playbooks/roles/nameserver/
      - testinfra/test_adns.py
      - testinfra/test_ns.py

- job:
    name: system-config-run-borg-backup
    parent: system-config-run
    description: |
      Run the playbook for borg backup configuration
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: borg-backup01.region.provider.opendev.org
          label: ubuntu-focal
        - name: borg-backup-focal.opendev.org
          label: ubuntu-focal
        - name: borg-backup-bionic.opendev.org
          label: ubuntu-bionic
        - name: borg-backup-jammy.opendev.org
          label: ubuntu-jammy
        - name: borg-backup-noble.opendev.org
          label: ubuntu-noble
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/test-borg-backup-pre.yaml
        - playbooks/service-borg-backup.yaml
      run_test_playbook: playbooks/test-borg-backup.yaml
    files:
      - playbooks/service-borg-backup.yaml
      - playbooks/test-borg-backup.yaml
      - playbooks/bootstrap-bridge.yaml
      - playbooks/roles/install-borg
      - playbooks/roles/borg-backup
      - playbooks/roles/create-venv
      - playbooks/zuul/templates/host_vars/borg-backup
      - testinfra/test_borg_backups.py
    host-vars:
      borg-backup01.region.provider.opendev.org:
        host_copy_output:
          '/var/log/prune-borg-backups.log': logs
          '/var/log/verify-borg-backups.log': logs
      borg-backup-bionic.opendev.org:
        host_copy_output:
          '/var/log/borg-backup-borg-backup01.region.provider.opendev.org.log': logs
      borg-backup-focal.opendev.org:
        host_copy_output:
          '/var/log/borg-backup-borg-backup01.region.provider.opendev.org.log': logs
      borg-backup-jammy.opendev.org:
        host_copy_output:
          '/var/log/borg-backup-borg-backup01.region.provider.opendev.org.log': logs
      borg-backup-noble.opendev.org:
        host_copy_output:
          '/var/log/borg-backup-borg-backup01.region.provider.opendev.org.log': logs

- job:
    name: system-config-run-mirror-base
    parent: system-config-run
    abstract: true
    description: |
      Run the playbook for a mirror node
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-mirror.yaml
    host-vars:
      mirror01.openafs.provider.opendev.org:
        host_copy_output:
          '/var/log/apache2/': logs
          '/var/log/acme.sh': logs
          '/etc/apache2/sites-available/mirror.conf': logs
      mirror02.openafs.provider.opendev.org:
        host_copy_output:
          '/var/log/apache2/': logs
          '/var/log/acme.sh': logs
          '/etc/apache2/sites-available/mirror.conf': logs
      mirror03.openafs.provider.opendev.org:
        host_copy_output:
          '/var/log/apache2/': logs
          '/var/log/acme.sh': logs
          '/etc/apache2/sites-available/mirror.conf': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - roles/
      - playbooks/roles/base/
      - inventory/service/group_vars/mirror.yaml
      - playbooks/roles/mirror/
      - playbooks/roles/letsencrypt
      - playbooks/letsencrypt.yaml
      - playbooks/service-mirror.yaml
      - playbooks/zuul/templates/group_vars/mirror.yaml.j2
      - testinfra/test_mirror.py

- job:
    name: system-config-run-mirror-x86
    parent: system-config-run-mirror-base
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: mirror01.openafs.provider.opendev.org
          label: ubuntu-bionic
        - name: mirror02.openafs.provider.opendev.org
          label: ubuntu-focal
        - name: mirror03.openafs.provider.opendev.org
          label: ubuntu-jammy
        - name: mirror04.openafs.provider.opendev.org
          label: ubuntu-noble
      groups:
        - <<: *bastion_group

- job:
    name: system-config-run-mirror-arm64
    parent: system-config-run-mirror-base
    nodeset:
      nodes:
        - <<: *bridge_node_arm64
        - name: mirror01.openafs.provider.opendev.org
          label: ubuntu-noble-arm64
      groups:
        - <<: *bastion_group

- job:
    name: system-config-run-mirror-update
    parent: system-config-run
    description: |
      Run the playbook for a mirror update node
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: mirror-update99.opendev.org
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/service-mirror-update.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - roles/
      - playbooks/roles/mirror-update/
      - playbooks/roles/reprepro/
      - playbooks/roles/afs-release/
      - playbooks/service-mirror-update.yaml
      - playbooks/zuul/templates/host_vars/mirror-update99.opendev.org.yaml.j2
      - testinfra/test_mirror-update.py

- job:
    name: system-config-run-docker-registry
    parent: system-config-run
    description: |
      Run the playbook for the docker registry.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: insecure-ci-registry99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-registry.yaml
    host-vars:
      insecure-ci-registry99.opendev.org:
        host_copy_output:
          '/var/registry/auth': logs
          '/var/registry/conf': logs
          '/var/registry/certs': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - inventory/service/group_vars/registry.yaml
      - inventory/service/host_vars/insecure-ci-registry\d+.opendev.org.yaml
      - playbooks/zuul/templates/group_vars/registry.yaml.j2
      - playbooks/roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
      - playbooks/roles/registry/
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - testinfra/test_registry.py

- job:
    name: system-config-run-codesearch
    parent: system-config-run-containers
    description: |
      Run the playbook for the codesearch server.
    requires: codesearch-container-image
    required-projects:
      - opendev/system-config
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: codesearch02.opendev.org
          label: ubuntu-noble
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-codesearch.yaml
      run_test_playbook: playbooks/test-codesearch.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-codesearch.yaml
      - playbooks/roles/codesearch/
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/run-selenium/
      - playbooks/zuul/templates/group_vars/codesearch.yaml.j2
      - testinfra/util.py
      - docker/hound/
      - testinfra/test_codesearch.py


- job:
    name: system-config-run-etherpad
    parent: system-config-run-containers
    description: |
      Run the playbook for the etherpad servers.
    requires: etherpad-container-image
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: etherpad99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-etherpad.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-etherpad.yaml
      - playbooks/roles/etherpad/
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - docker/etherpad/
      - testinfra/test_etherpad.py

- job:
    name: system-config-run-gitea
    parent: system-config-run-containers
    description: |
      Run the playbook for the gitea servers.
    timeout: 5400
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: gitea-lb02.opendev.org
          label: ubuntu-jammy
        - name: gitea99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    required-projects:
      - openstack/project-config
      - opendev/system-config
    requires:
      - gitea-container-image
      - haproxy-statsd-container-image
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-gitea-lb.yaml
        - playbooks/service-gitea.yaml
        - playbooks/manage-projects.yaml
        - playbooks/test-update-zuul-description.yaml
        # Run twice to ensure that we noop properly when
        # all projects are created in gitea. We also update
        # zuul's description to ensure that descriptions are
        # updated. This uses a test specific playbook to set
        # the always_update flag.
        - playbooks/test-manage-projects.yaml
      run_test_playbook: playbooks/test-gitea.yaml
    host-vars:
      gitea99.opendev.org:
        host_copy_output:
          '/var/gitea/conf': logs
          '/var/gitea/certs': logs
          '/var/gitea/logs': logs
          '/var/log/apache2': logs
      gitea-lb02.opendev.org:
        host_copy_output:
          '/var/lib/haproxy/etc': logs
          '/var/log/haproxy.log': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-gitea-lb.yaml
      - playbooks/service-gitea.yaml
      - playbooks/manage-projects.yaml
      - playbooks/test-gitea.yaml
      - playbooks/rename_repos.yaml
      - inventory/service/group_vars/gitea.yaml
      - inventory/service/group_vars/gitea-lb.yaml
      - inventory/service/host_vars/gitea
      - playbooks/zuul/templates/group_vars/gitea.yaml.j2
      - playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
      - playbooks/roles/apache-ua-filter/
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/gerrit/
      - playbooks/roles/gitea.*
      - playbooks/roles/haproxy/
      - playbooks/roles/letsencrypt-create-certs/handlers/restart_gitea.yaml
      - testinfra/test_gitea.py
      - testinfra/test_gitea_lb.py
      # From gitea_files -- If we rebuild the image, we want to run
      # this job as well.
      - docker/gitea/
      # From haproxy-statsd_files -- If we rebuild the image, we want
      # to run this job as well.
      - docker/haproxy-statsd/
      - playbooks/roles/run-selenium/
      - testinfra/util.py

- job:
    name: system-config-run-grafana
    parent: system-config-run-containers
    description: |
      Run the playbook for the etherpad servers.
    requires: grafyaml-container-image
    required-projects:
      - opendev/system-config
      - openstack/project-config
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: grafana02.opendev.org
          label: ubuntu-noble
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-grafana.yaml
      run_test_playbook: playbooks/test-grafana.yaml
    host-vars:
      grafana02.opendev.org:
        host_copy_output:
          '/tmp/json_blobs': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-grafana.yaml
      - playbooks/roles/grafana/
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/run-selenium/
      - playbooks/zuul/templates/group_vars/grafana
      - tesinfra/util.py
      - testinfra/test_grafana.py

- job:
    name: system-config-run-graphite
    parent: system-config-run
    description: |
      Run the playbook for the graphite servers.
    required-projects:
      - opendev/system-config
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: graphite02.opendev.org
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-graphite.yaml
    host-vars:
      graphite02.opendev.org:
        host_copy_output:
          '/var/log/graphite': logs
          '/etc/graphite-docker': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-graphite.yaml
      - playbooks/roles/graphite
      - playbooks/roles/install-docker/
      - playbooks/roles/letsencrypt-create-certs/handlers/restart_graphite.yaml
      - playbooks/roles/pip3/
      - testinfra/test_graphite.py

- job:
    name: system-config-run-keycloak
    parent: system-config-run
    description: |
      Run the playbook for the keycloak servers.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: keycloak99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-keycloak.yaml
    files:
      - inventory/service/group_vars/keycloak.yaml
      - playbooks/install-ansible.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-keycloak.yaml
      - playbooks/roles/keycloak/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/zuul/templates/group_vars/keycloak.yaml.j2
      - testinfra/test_keycloak.py

- job:
    name: system-config-run-meetpad
    parent: system-config-run
    description: |
      Run the playbook for jitsi-meet.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: meetpad99.opendev.org
          label: ubuntu-jammy
        - name: jvb99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-meetpad.yaml
    host-vars:
      meetpad99.opendev.org:
        host_copy_output:
          '/var/jitsi-meet': logs
      jvb99.opendev.org:
        host_copy_output:
          '/var/jitsi-meet': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - inventory/service/group_vars/meetpad.yaml
      - inventory/service/host_vars/meetpad\d+.opendev.org.yaml
      - playbooks/roles/letsencrypt-create-certs/handlers/restart_jitsi_meet.yaml
      - playbooks/roles/jitsi-meet/
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/zuul/templates/group_vars/meetpad.yaml.j2
      - testinfra/test_meetpad.py

- job:
    name: system-config-run-paste
    parent: system-config-run-containers
    description: |
      Run the playbook for the paste server.
    required-projects:
      - opendev/system-config
    requires:
      - lodgeit-container-image
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: paste99.opendev.org
          label: ubuntu-noble
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-paste.yaml
      run_test_playbook: playbooks/test-paste.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-paste.yaml
      - playbooks/roles/lodgeit
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/run-selenium/
      - testinfra/util.py
      - playbooks/test-paste.yaml
      - testinfra/test_paste.py

- job:
    name: system-config-run-tracing
    parent: system-config-run
    description: |
      Run the playbook for the jaeger servers.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: tracing99.opendev.org
          label: ubuntu-noble
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-tracing.yaml
    files:
      - inventory/service/group_vars/tracing.yaml
      - playbooks/install-ansible.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-tracing.yaml
      - playbooks/roles/jaeger/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - testinfra/test_tracing.py

- job:
    name: system-config-run-zookeeper
    parent: system-config-run
    description: |
      Run the playbook for the zookeeper cluster.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: zk04.opendev.org
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/service-zookeeper.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - inventory/service/group_vars/zookeeper.yaml
      - ^inventory/service/host_vars/zk\d+\..*
      - playbooks/roles/zookeeper/
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - testinfra/test_zookeeper.py
      # From zookeeper-statsd_files -- If we rebuild the image, we want
      # to run this job as well.
      - docker/zookeeper-statsd/

- job:
    name: system-config-run-zuul-preview
    parent: system-config-run
    description: |
      Run the playbook for the zuul-preview service.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: zp99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/service-zuul-preview.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/roles/zuul-preview/
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - testinfra/test_zuul_preview.py

- job:
    name: system-config-run-zuul
    parent: system-config-run
    description: |
      Run the playbook for the main Zuul cluster.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: zk04.opendev.org
          label: ubuntu-focal
        - name: zm01.opendev.org
          label: ubuntu-jammy
        - name: zl01.opendev.org
          label: ubuntu-jammy
        - name: ze01.opendev.org
          label: ubuntu-jammy
        - name: zuul02.opendev.org
          label: ubuntu-focal
        - name: zuul-lb02.opendev.org
          label: ubuntu-noble
        - name: zuul-db99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    required-projects:
      - openstack/project-config
      - opendev/system-config
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-zookeeper.yaml
        - playbooks/service-zuul-db.yaml
        - playbooks/service-zuul.yaml
        - playbooks/service-zuul-lb.yaml
        # Test our ad hoc restart playbook works
        - playbooks/zuul_restart.yaml
    host-vars:
      zm01.opendev.org:
        host_copy_output:
          '/etc/hosts': logs
          '/etc/zuul/zuul.conf': logs
          '/var/log/zuul/merger-debug.log': logs
      zl01.opendev.org:
        host_copy_output:
          '/etc/hosts': logs
          '/etc/zuul/zuul.conf': logs
          '/var/log/zuul/launcher-debug.log': logs
      ze01.opendev.org:
        host_copy_output:
          '/etc/hosts': logs
          '/etc/zuul/zuul.conf': logs
          '/var/log/zuul/executor-debug.log': logs
      zuul02.opendev.org:
        host_copy_output:
          '/etc/hosts': logs
          '/etc/zuul/zuul.conf': logs
          '/var/log/zuul/debug.log': logs
      bridge99.opendev.org:
        host_copy_output:
          '/etc/hosts': logs
      zuul-lb02.opendev.org:
        host_copy_output:
          '/var/lib/haproxy/etc': logs
          '/var/log/haproxy.log': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/service-zookeeper.yaml
      - playbooks/service-zuul.yaml
      - playbooks/service-zuul-db.yaml
      - playbooks/service-zuul-lb.yaml
      - inventory/service/group_vars/zuul
      - inventory/service/group_vars/zuul-db.yaml
      - inventory/service/group_vars/zuul-lb.yaml
      - inventory/service/group_vars/zookeeper.yaml
      - inventory/service/host_vars/zk\d+
      - inventory/service/host_vars/zuul02.opendev.org
      - playbooks/roles/haproxy/
      - playbooks/roles/mariadb/
      - playbooks/roles/zookeeper/
      - playbooks/roles/install-apt-repo/
      - playbooks/roles/zuul.*
      - playbooks/zuul/templates/group_vars/zuul.*
      - playbooks/zuul/templates/group_vars/zookeeper.yaml
      - playbooks/zuul/templates/group_vars/zuul-lb.yaml.j2
      - playbooks/zuul/templates/host_vars/zk\d+
      - playbooks/zuul/templates/host_vars/zuul02.opendev.org
      - playbooks/zuul_restart.yaml
      - testinfra/test_zuul_executor.py
      - testinfra/test_zuul_scheduler.py
      - testinfra/test_zuul_merger.py
      - testinfra/test_zuul_launcher.py
      - testinfra/test_zuul_db.py
      - testinfra/util.py

- job:
    name: system-config-run-review-base
    parent: system-config-run-containers
    description: |
      Base job for testing gerrit
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: review99.opendev.org
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    required-projects:
      - openstack/project-config
      - opendev/system-config
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-review.yaml
      run_test_playbook: playbooks/zuul/bootstrap-and-test-review.yaml
    host-vars:
      review99.opendev.org:
        host_copy_output:
          '/home/gerrit2/review_site/etc': logs
          '/home/gerrit2/review_site/logs': logs
          '/var/log/apache2/': logs
          '/var/log/acme.sh': logs
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/letsencrypt.yaml
      - playbooks/service-review.*.yaml
      - playbooks/rename_repos.yaml
      - inventory/service/group_vars/review.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/run-selenium/
      - testinfra/util.py
      - playbooks/roles/install-docker/
      - playbooks/roles/gerrit/
      - playbooks/zuul/gerrit/
      - playbooks/zuul/templates/host_vars/review99.opendev.org.yaml.j2
      - roles/bazelisk-build/
      - testinfra/test_gerrit.py
      - docker/gerrit/
      - playbooks/zuul/bootstrap-and-test-review.yaml
      - playbooks/zuul/bootstrap-test-review.yaml
      - playbooks/zuul/test-review.yaml
      - playbooks/zuul/upgrade-review.yaml
      - zuul.d/docker-images/gerrit.yaml

- job:
    name: system-config-run-review-3.10
    parent: system-config-run-review-base
    description: |
      Run the playbook for gerrit 3.10 (in a container).
    requires: gerrit-3.10-container-image
    vars:
      zuul_test_gerrit_version: '3.10'

- job:
    name: system-config-run-review-3.11
    parent: system-config-run-review-base
    description: |
      Run the playbook for gerrit 3.11 (in a container).
    requires: gerrit-3.11-container-image
    vars:
      zuul_test_gerrit_version: '3.11'

- job:
    name: system-config-upgrade-review
    parent: system-config-run-review-base
    description: |
      Test we can upgrade a gerrit 3.10 to 3.11
    requires:
      - gerrit-3.10-container-image
      - gerrit-3.11-container-image
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/zuul/upgrade-review.yaml
      run_test_playbook: playbooks/zuul/test-review.yaml
      zuul_test_gerrit_version: '3.10'

- job:
    name: system-config-run-static
    parent: system-config-run
    description: |
      Run the playbook for a static node.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: static99.opendev.org
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-static.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/roles/apache-ua-filter/
      - playbooks/roles/static/
      - playbooks/roles/letsencrypt
      - playbooks/letsencrypt.yaml
      - playbooks/service-static.yaml
      - testinfra/test_static.py
    host-vars:
      static99.opendev.org:
        host_copy_output:
          '/var/log/acme.sh/': logs
          '/etc/apache2/': logs
          '/var/log/apache2/': logs

- job:
    name: system-config-run-refstack
    parent: system-config-run
    description: |
      Run the playbook for refstack server.
    requires:
      - refstack-container-image
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: refstack01.openstack.org
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    host-vars:
      refstack01.openstack.org:
        host_copy_output:
          '/var/log/apache2/': logs
          '/var/lib/refstack/': logs
          '/var/refstack/': logs
    vars:
      run_playbooks:
        - playbooks/letsencrypt.yaml
        - playbooks/service-refstack.yaml
      container_command: docker
    files:
      - playbooks/bootstrap-bridge.yaml
      - inventory/service/group-vars/refstack.yaml
      - playbooks/zuul/templates/group_vars/refstack.yaml.j2
      - playbooks/roles/refstack/
      - playbooks/roles/letsencrypt-create-certs/handlers/restart_apache.yaml
      - testinfra/test_refstack.py
      # If we rebuild the image, we want to run this job as well.
      - docker/refstack/.*

- job:
    name: system-config-run-kerberos
    parent: system-config-run
    description: |
      Run the playbook for kerberos servers
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: kdc-primary.opendev.org
          label: ubuntu-focal
        - name: kdc-replica.opendev.org
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    host-vars:
      kdc-primary.opendev.org:
        host_copy_output:
          '/etc/krb5kdc/': logs
          '/var/krb5kdc/': logs
      kdc-replica.opendev.org:
        host_copy_output:
          '/etc/krb5kdc/': logs
          '/var/krb5kdc/': logs
    vars:
      run_playbooks:
        - playbooks/service-kerberos.yaml
        # Run twice to double-check idempotence
        - playbooks/service-kerberos.yaml
      run_test_playbook: playbooks/test-kerberos.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/roles/kerberos-kdc/