Just to note that threebean should have root access to host trough fedora@modularity.fedorainfracloud.org

OK, lkocman told me:

1) they do need messages from modularity.fedorainfracloud.org to be received on composer.stg

2) they do need messages from composer.stg to be received on modularity.fedorainfracloud.org

Here's my recommendation:

For the first part,

1) we run a fedmsg-relay on modularity.fedorainfracloud.org port 4001. This effectively gives it its own "bus", kind of like debian's bus.

2) we then add an entry to the endpoints.py file for composer.stg only so that it subscribes to this "external" bus, and will get messages from there.

3) they won't be signed, so we'll need to also disable message signature validation on composer.stg

4) that should do it.

on the second part

1) pungi running on composer.stg needs to sign and send messages, so I'll create a new cert, just for this dev work, only in staging, and have the key owned by the modularity-wg group.

2) that will allow dev users on the box to sign messages as their own users without having to have any sudo rights.

3) those messages from pungi on composer.stg will make it onto the stg-wide stg bus and will be published externally at tcp://stg.fedoraproject.org:9940, signed with valid (for staging) certs.

4) whatever needs to listen to that, can listen to that.

Part 1: https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=b1d0171a84085ece3cde61d11b4d356f3e5b9a14

Part 2: https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=3eab17a0cce7c07e23e1add709526bc794af88f4

OK, I think this is done.

One more tweak, post audit from @puiterwijk: https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=69d6bf52ea401e78b060a6f8c3c6e79dc5a929b2