Add files via upload

install_checkmk.yaml

@@ -0,0 +1,132 @@
+---
+- name: install check
+  hosts: all
+  become: true
+
+  vars:
+
+  tasks:
+    - name: Create network CheckNet
+      community.docker.docker_network:
+        name: CheckNet
+
+    - name: remove other files
+      include_tasks: yaml_sub/install_docker.yaml
+
+    - name: mount dirs
+      include_tasks: yaml_sub/mount_info.yaml
+
+    - name: set ldap
+      include_tasks: yaml_sub/ldap.yaml
+
+    - name: set sssd
+      include_tasks: yaml_sub/sssd.yaml
+
+    - name: Create volume monitoring
+      community.docker.docker_volume:
+        name: monitoring
+        state: present
+
+    - name: Create checkmk
+      community.docker.docker_container:
+        name: checkmk
+        image: checkmk/check-mk-raw
+        state: started
+        recreate: no
+        restart_policy: always
+        published_ports:
+          - "80:5000/tcp"
+          - "8000:8000/tcp"
+        volumes:
+          - "monitoring:/omd/sites"
+          - "/etc/localtime:/etc/localtime:ro"
+        env:
+          MAIL_RELAY_HOST: "smtpd"
+          
+        networks:
+          - name: CheckNet
+          - name: bridge
+        comparisons:
+          networks: strict
+        hostname: "neuro.uni-bremen.de"
+
+    - name: set smtpd_pre.conf
+      blockinfile:
+        path: /root/opensmtpd/smtpd_pre.conf
+        state: present
+        create: true
+        owner: "root"
+        group: "root"
+        mode: "0644"
+        block: |
+          listen on 0.0.0.0
+          listen on ::
+          
+          table aliases file:/etc/smtpd/aliases
+          
+          queue ttl 4d
+          bounce warn-interval 1h, 6h, 2d
+          smtp max-message-size 35M
+          
+          table authinfo db:/etc/smtpd/authinfo.db
+          action default relay host "smtps://user@mailhost.neurotec.uni-bremen.de:465" auth <authinfo> tls no-verify
+          match from any for any action default
+
+    - name: Create a volume smtpd_spool
+      community.docker.docker_volume:
+        name: smtpd_spool
+        state: present
+
+    - name: Create OpenSMTPd
+      community.docker.docker_container:
+        name: smtpd
+        image: wodby/opensmtpd
+        state: started
+        recreate: no
+        restart_policy: always
+        published_ports:
+          - "25:25/tcp"
+        env:
+          RELAY_HOST: "XXX"
+          RELAY_PROTO: "smtps"
+          RELAY_PORT: "XXX"
+          RELAY_USER: "{{ EMAIL__USERNAME }}"
+          RELAY_PASSWORD: "{{ EMAIL__PASSWORD }}"
+
+        volumes:
+          - "/root/opensmtpd/smtpd_pre.conf:/etc/gotpl/smtpd.conf.tmpl"
+          - "smtpd_spool:/var/spool/smtpd"
+
+        networks:
+          - name: CheckNet
+          - name: bridge
+        comparisons:
+          networks: strict
+
+
+    - name: install mailx
+      dnf:
+        name: "mailx,telnet,sendmail"
+        state: latest
+        update_cache: true
+        skip_broken: true
+        nobest: false
+        allowerasing: true
+
+    - name: esmtprc
+      blockinfile:
+        path: /etc/esmtprc
+        state: present
+        create: true
+        block: |
+          hostname = 127.0.0.1:25
+          mda "/usr/bin/procmail -d %T"
+
+
+
+# You will find the provisional password for the cmkadmin account in the logs that are written for this container
+# docker container logs monitoring
+# dnf install -y http://10.10.0.3/cmk/check_mk/agents/check-mk-agent-2.2.0p24-1.noarch.rpm
+# 
+# myhostname=`hostname`
+# cmk-agent-ctl register --server 10.10.0.3:8000 --site cmk --user automation --trust-cert --password 'UTUBJELBGMKMSHEHHOMC' --hostname $myhostname

install_checkmk_client_phase_a.yaml

@@ -0,0 +1,23 @@
+---
+- name: install check client 
+  hosts: all
+  become: true
+
+
+  tasks:
+
+    - name: remove other files
+      include_tasks: yaml_sub/myrepo_clean.yaml
+
+    - name: update file myrepo.repo
+      import_tasks: yaml_sub/myrepo_data.yaml
+
+    - name: install client
+      ansible.builtin.dnf:
+        name: "http://10.10.0.3/cmk/check_mk/agents/check-mk-agent-2.2.0p24-1.noarch.rpm"
+        state: present
+        update_cache: true
+        skip_broken: true
+        nobest: false
+        allowerasing: true
+        disable_gpg_check: true

install_checkmk_client_phase_b.yaml

@@ -0,0 +1,9 @@
+---
+- name: register check client 
+  hosts: all
+  become: true
+
+  tasks:
+    - name: register check client
+      shell: "myhostname=`hostname` ; cmk-agent-ctl register --server 10.10.0.3:8000 --site cmk --user automation --trust-cert --password '{{ password }}' --hostname $myhostname"
+

install_docker_web.yaml

@@ -18,7 +18,7 @@
         name: portainerweb
         image: portainer/portainer-ce
         state: started
-        recreate: yes
+        recreate: no
         restart_policy: always
         published_ports:
           - "8000:8000/tcp"

install_gitlab.yaml

@@ -0,0 +1,61 @@
+---
+- name: install gitlab
+  hosts: all
+  become: true
+  
+  tasks:
+
+
+    - name: Create network GitLabNet
+      community.docker.docker_network:
+        name: GitLabNet
+
+
+
+
+#    - name: install docker 
+#      ansible.builtin.include_tasks: yaml_sub/install_docker.yaml
+
+    - name: Create a volume
+      community.docker.docker_volume:
+        name: gitlab_opt
+        state: present
+
+    - name: Create a volume
+      community.docker.docker_volume:
+        name: gitlab_etc
+        state: present
+
+    - name: Create a volume
+      community.docker.docker_volume:
+        name: gitlab_log
+        state: present
+
+
+#    - name: Create gitlab container
+#      community.docker.docker_container:
+#        name: gitlab
+#        image: gitlab/gitlab-ce
+#        state: started
+#        recreate: no
+# GITLAB_ROOT_PASSWORD
+## hostname: 'gitlab.example.com'
+#      GITLAB_OMNIBUS_CONFIG: |
+#        # Add any other gitlab.rb configuration here, each on its own line
+#        external_url 'https://gitlab.example.com'
+#        restart_policy: always
+##        published_ports:
+##          - "443:443/tcp" 
+##          - "80:80/tcp" 
+##          - "22:22/tcp"
+#        volumes:
+#          - "gitlab_opt:/var/opt/gitlab"
+#          - "gitlab_etc:/etc/gitlab"
+#          - "gitlab_log:/var/log/gitlab"
+##          - /var/run/docker.sock:/var/run/docker.sock
+#        networks:
+#          - name: OverleafNet
+#          - name: bridge
+#        comparisons:
+#          networks: strict
+# shm_size: '256m'

install_ldap_389ds.yaml

@@ -139,4 +139,4 @@
 
 # cd /root ; dscreate from-file instance.inf
 
-# ldapsearch -x -H ldap://ldap.neuro.uni-bremen.de -s base -b "" "objectclass=*"
+# ldapsearch -x -H ldap://ldap.neuro.uni-bremen.de -s base -b "" "objectclass=*"

install_pi_hole.yaml

@@ -34,7 +34,7 @@
         name: pihole
         image: pihole/pihole
         state: started
-        recreate: yes
+        recreate: no
         restart_policy: always
         published_ports:
           - "53:53/tcp"

install_slurm.yaml

@@ -0,0 +1,76 @@
+---
+- name: install slurm
+  hosts: all
+  become: true
+
+  vars:
+    sqlpwd: "{{ env_sql_pw}}"
+    sqlrootpwd: "{{ env_root_sql_pw}}"
+  
+  tasks:
+
+    - name: export munge user
+      shell: "export MUNGEUSER=10001"
+
+    - name: export export SlurmUSER
+      shell: "export export SlurmUSER=10000"
+    
+    - name: mount_info
+      include_tasks: yaml_sub/mount_info.yaml
+
+    - name: ldap
+      include_tasks: yaml_sub/ldap.yaml
+
+    - name: sssd
+      include_tasks: yaml_sub/sssd.yaml
+
+    - name: install docker 
+      ansible.builtin.include_tasks: yaml_sub/install_docker.yaml
+
+    - name: Create volume slurm_maria_db
+      community.docker.docker_volume:
+        name: slurm_maria_db
+        state: present
+
+    - name: Create mariab container
+      community.docker.docker_container:
+        name: slurmmariadb
+        image: mariadb
+        state: started
+        recreate: no
+        restart_policy: always
+        env:
+          MARIADB_DATABASE: "slurm"
+          MARIADB_USER: "slurm"
+          MARIADB_PASSWORD: "{{ sqlpwd }}"
+          MARIADB_ROOT_PASSWORD : "{{ sqlrootpwd }}"
+          MYSQL_ROOT_HOST: '%'
+        published_ports:
+          - "3306:3306/tcp" 
+        networks:
+          - name: bridge
+        comparisons:
+          networks: strict
+        volumes:
+          - "slurm_maria_db:/var/lib/mysql"
+
+
+    - name: remove other files
+      include_tasks: yaml_sub/myrepo_clean.yaml
+    - name: update file myrepo.repo
+      import_tasks: yaml_sub/myrepo_data.yaml
+
+
+    - name: install slurm
+      dnf:
+        name: slurm,slurm-slurmctld,slurm-slurmdbd,slurm-slurmrestd,slurm-gui,munge,python3-mysql
+        state: present
+        update_cache: true
+        skip_broken: true
+        nobest: false
+        allowerasing: true
+
+    - name: install munge server
+      include_tasks: yaml_sub/install_munge_server.yaml
+
+

ldap_fix_group_permissions.lif

@@ -0,0 +1,38 @@
+# ldapmodify -x -W -D "cn=admin" -f temp.lif
+# ldapsearch -x -W -D "cn=admin" -b "dc=ldap,dc=neuro,dc=uni-bremen,dc=de" -LLL -s sub '(aci=*)' aci
+
+dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+changetype: modify
+delete: aci
+aci: (targetattr="cn || member || memberUid || gidNumber || nsUniqueId || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable anyone group read"; allow (read, search, compare)(userdn="ldap:///anyone");)
+
+dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+changetype: modify
+delete: aci
+aci: (targetattr="member")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_modify to alter members"; allow (write)(groupdn="ldap:///cn=group_modify,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");)
+
+dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+changetype: modify
+delete: aci
+aci: (targetattr="cn || member || gidNumber || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_admin to manage groups"; allow (write, add, delete)(groupdn="ldap:///cn=group_admin,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");)
+
+
+
+dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+changetype: modify
+add: aci
+aci: (targetattr="cn || member || memberUid || gidNumber || nsUniqueId || description || objectClass")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable anyone group read"; allow (read, search, compare)(userdn="ldap:///anyone");)
+
+dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+changetype: modify
+add: aci
+aci: (targetattr="member")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable group_modify to alter members"; allow (write)(groupdn="ldap:///cn=group_modify,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");)
+
+dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+changetype: modify
+add: aci
+aci: (targetattr="cn || member || gidNumber || description || objectClass")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable group_admin to manage groups"; allow (write, add, delete)(groupdn="ldap:///cn=group_admin,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");)
+
+
+
+

machines/check

@@ -0,0 +1,2 @@
+check.neuro.uni-bremen.de
+

machines/cluster

@@ -0,0 +1,43 @@
+gate0
+gate1
+gate2
+gp3u1
+gp3u2
+gp4u1
+gp4u2
+gp4u3
+gp4u4
+gp4u5
+gp4u6
+gp4u7
+granat1
+granat2
+granat3
+granat4
+granat5
+granat6
+granat7
+granat8
+octopode
+doppio
+fatbastard
+nc46
+nc47
+nc48
+nc49
+nc50
+nc51
+nc52
+nc53
+nc54
+nc55
+nc56
+nc57
+nc58
+nc59
+nc60
+nc61
+nc62
+nc63
+nc64
+nc66

machines/crystal

@@ -0,0 +1 @@
+crystal.neuro.uni-bremen.de

machines/gitlab

@@ -0,0 +1 @@
+10.10.0.6

machines/haggis

@@ -0,0 +1 @@
+haggis.neuro.uni-bremen.de

machines/slurm

@@ -0,0 +1 @@
+10.10.0.7

update_ldap.yaml

@@ -0,0 +1,11 @@
+---
+- name: update ldap setting
+  hosts: all
+  become: true
+
+  tasks:
+    - name: ldap
+      include_tasks: yaml_sub/ldap.yaml
+
+    - name: sssd
+      include_tasks: yaml_sub/sssd.yaml

yaml_sub/install_base_system.yaml

@@ -114,38 +114,17 @@
         name: firewalld
       ignore_errors: true
 
-    - name: remove other files
-      include_tasks: yaml_sub/myrepo_clean.yaml
-    - name: update file myrepo.repo
-      import_tasks: yaml_sub/myrepo_data.yaml
-
-    - name: install nfs tools
-      dnf:
-        name: nfs-utils,nfs-utils-coreos,nfsv4-client-utils,rpcbind
-        state: present
-        update_cache: true
-        skip_broken: true
-        nobest: false
-        allowerasing: true
-
-    - name: Make sure rpcbind service unit is started
-      systemd_service:
-        enabled: true
-        state: started
-        name: rpcbind
-
     - name: mount_info
       include_tasks: yaml_sub/mount_info.yaml
 
-
     - name: remove other files
       include_tasks: yaml_sub/myrepo_clean.yaml
     - name: update file myrepo.repo
       import_tasks: yaml_sub/myrepo_data.yaml
 
-    - name: ssh and sss
+    - name: ssh
       dnf:
-        name: "openssh,openssh-clients,openssh-server,sssd"
+        name: "openssh,openssh-clients,openssh-server"
         state: present
         update_cache: true
         skip_broken: true
@@ -202,19 +181,9 @@
         line: "ServerName 10.10.10.16"
         create: true
 
-    - name: set LDAP
-      blockinfile:
-        path: /etc/openldap/ldap.conf
-        state: present
-        create: true
-        owner: "root"
-        group: "root"
-        mode: "0644"
-        block: |
-          URI ldap://ldap.neuro.uni-bremen.de
-          BASE dc=ldap,dc=neuro,dc=uni-bremen,dc=de
-          TLS_REQCERT never
-          
+    - name: ldap
+      include_tasks: yaml_sub/ldap.yaml
+        
     - name: sssd
       include_tasks: yaml_sub/sssd.yaml
 

yaml_sub/install_munge_server.yaml

@@ -0,0 +1,67 @@
+---
+    - name: remove other files
+      include_tasks: yaml_sub/myrepo_clean.yaml
+    - name: update file myrepo.repo
+      import_tasks: yaml_sub/myrepo_data.yaml
+
+    - name: export munge user
+      shell: "export MUNGEUSER=10001"
+
+    - name: install slurm
+      dnf:
+        name: munge
+        state: present
+        update_cache: true
+        skip_broken: true
+        nobest: false
+        allowerasing: true
+
+    - name: save munge key 
+      ansible.builtin.copy:
+        src: "../munge.key"
+        dest: "/etc/munge/munge.key"
+        owner: "munge"
+        group: "munge"
+        mode: 0400
+
+    - name: deal with directories /etc/munge
+      ansible.builtin.file:
+        path: "/etc/munge"
+        owner: "munge"
+        group: "munge"
+        mode: 0700
+        state: "directory"
+
+    - name: deal with directories /var/log/munge/ 
+      ansible.builtin.file:
+        path: "/var/log/munge"
+        owner: "munge"
+        group: "munge"
+        mode: 0700
+        state: "directory"
+
+    - name: Make sure munge is running
+      systemd_service:
+        daemon_reload: true
+        state: started
+        enabled: true
+        name: munge
+
+    - name: Set number of munge threads
+      lineinfile:
+        path: "/etc/systemd/system/multi-user.target.wants/munge.service"
+        regexp: "^ExecStart=/usr/sbin/munged"
+        line: "ExecStart=/usr/sbin/munged --num-threads 10"
+        create: true
+
+    - name: Make sure munge is restarted
+      systemd_service:
+        daemon_reload: true
+        state: restarted
+        enabled: true
+        name: munge
+
+
+      
+    
+        

yaml_sub/ldap.yaml

@@ -0,0 +1,41 @@
+---
+
+- name: remove other files
+  include_tasks: yaml_sub/myrepo_clean.yaml
+- name: update file myrepo.repo
+  import_tasks: yaml_sub/myrepo_data.yaml
+
+- name: install openldap
+  dnf:
+    name: nss-pam-ldapd,openldap,openldap-clients
+    state: present
+    update_cache: true
+    skip_broken: true
+    nobest: false
+    allowerasing: true
+
+- name: Remove old entry (URI)
+  ansible.builtin.lineinfile:
+    path: /etc/openldap/ldap.conf
+    state: absent
+    line: "URI ldap://10.10.1.31"
+
+- name: Remove old entry (BASE)
+  ansible.builtin.lineinfile:
+    path: /etc/openldap/ldap.conf
+    state: absent
+    line: "BASE dc=nas1,dc=neuro,dc=itp"
+    
+
+- name: set LDAP
+  blockinfile:
+    path: /etc/openldap/ldap.conf
+    state: present
+    create: true
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    block: |
+      URI ldaps://ldap.neuro.uni-bremen.de:636
+      BASE dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+      TLS_REQCERT never

yaml_sub/mount_info.yaml

@@ -1,4 +1,24 @@
 ---
+- name: remove other files
+  include_tasks: yaml_sub/myrepo_clean.yaml
+- name: update file myrepo.repo
+  import_tasks: yaml_sub/myrepo_data.yaml
+
+- name: install nfs tools
+  dnf:
+    name: nfs-utils,nfs-utils-coreos,nfsv4-client-utils,rpcbind
+    state: present
+    update_cache: true
+    skip_broken: true
+    nobest: false
+    allowerasing: true
+        
+- name: Make sure rpcbind service unit is started
+  systemd_service:
+    enabled: true
+    state: started
+    name: rpcbind
+
 - name: Mount /home
   ansible.posix.mount:
     src: 10.10.1.21:/volume1/home_dir
@@ -7,6 +27,7 @@
     boot: true 
     state: mounted
     fstype: nfs
+
 - name: Mount /glocal
   ansible.posix.mount:
     src: 10.10.1.1:/volume1/glocal
@@ -15,6 +36,7 @@
     boot: true
     state: mounted
     fstype: nfs
+
 - name: Mount /tools
   ansible.posix.mount:
     src: 10.10.1.1:/volume1/tools
@@ -23,6 +45,7 @@
     boot: true
     state: mounted
     fstype: nfs
+
 - name: Mount /0
   ansible.posix.mount:
     src: 10.10.1.1:/volume1/data
@@ -31,6 +54,7 @@
     boot: true
     state: mounted
     fstype: nfs
+
 - name: Mount /sge-root
   ansible.posix.mount:
     src: 10.10.10.16:/sge-root
@@ -39,6 +63,7 @@
     boot: true
     state: mounted
     fstype: nfs
+
 - name: Mount /data_1
   ansible.posix.mount:
     src: 10.10.1.31:/volume1/data
@@ -47,6 +72,7 @@
     boot: true
     state: mounted
     fstype: nfs
+
 - name: Mount /web
   ansible.posix.mount:
     src: 10.10.1.1:/volume1/web

yaml_sub/sssd.yaml

@@ -1,4 +1,19 @@
 ---
+
+- name: remove other files
+  include_tasks: yaml_sub/myrepo_clean.yaml
+- name: update file myrepo.repo
+  import_tasks: yaml_sub/myrepo_data.yaml
+
+- name: install sssd
+  dnf:
+    name: sssd,sssd-ldap,sssd-tools
+    state: present
+    update_cache: true
+    skip_broken: true
+    nobest: false
+    allowerasing: true
+
 - name: Check for marker line
   lineinfile:
     path: /etc/sssd/sssd.conf
@@ -28,21 +43,31 @@
       
       [domain/default]
       id_provider = ldap
+      auth_provider = ldap
+      chpass_provider = ldap
+      
       ldap_uri = ldaps://ldap.neuro.uni-bremen.de:636
       ldap_search_base = dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+      ldap_user_search_base = ou=people,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
+      ldap_group_search_base = ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
       
       ldap_user_name = uid
       ldap_user_uid_number = uidNumber
       ldap_user_gid_number = gidNumber
       ldap_user_home_directory = homeDirectory
-      loginShell = loginShell
+      ldap_user_shell = loginShell
       ldap_user_fullname = cn
       ldap_user_object_class = posixAccount
       ldap_default_authtok_type = password
       ldap_tls_reqcert = never
       
-      # ldap_auth_disable_tls_never_use_in_production = true
-      # ldap_id_use_start_tls = False
+      ldap_group_object_class = posixGroup
+      ldap_group_gid_number = gidNumber
+      ldap_group_member = memberUid
+      ldap_group_name = cn
+      ldap_group_nesting_level = 5
+      
+      
   register: marker_check
 
 - name: enable sssd