diff --git a/install_checkmk.yaml b/install_checkmk.yaml new file mode 100644 index 0000000..beb0ff3 --- /dev/null +++ b/install_checkmk.yaml 
@@ -0,0 +1,132 @@ +--- +- name: install check + hosts: all + become: true + + vars: + + tasks: + - name: Create network CheckNet + community.docker.docker_network: + name: CheckNet + + - name: remove other files + include_tasks: yaml_sub/install_docker.yaml + + - name: mount dirs + include_tasks: yaml_sub/mount_info.yaml + + - name: set ldap + include_tasks: yaml_sub/ldap.yaml + + - name: set sssd + include_tasks: yaml_sub/sssd.yaml + + - name: Create volume monitoring + community.docker.docker_volume: + name: monitoring + state: present + + - name: Create checkmk + community.docker.docker_container: + name: checkmk + image: checkmk/check-mk-raw + state: started + recreate: no + restart_policy: always + published_ports: + - "80:5000/tcp" + - "8000:8000/tcp" + volumes: + - "monitoring:/omd/sites" + - "/etc/localtime:/etc/localtime:ro" + env: + MAIL_RELAY_HOST: "smtpd" + + networks: + - name: CheckNet + - name: bridge + comparisons: + networks: strict + hostname: "neuro.uni-bremen.de" + + - name: set smtpd_pre.conf + blockinfile: + path: /root/opensmtpd/smtpd_pre.conf + state: present + create: true + owner: "root" + group: "root" + mode: "0644" + block: | + listen on 0.0.0.0 + listen on :: + + table aliases file:/etc/smtpd/aliases + + queue ttl 4d + bounce warn-interval 1h, 6h, 2d + smtp max-message-size 35M + + table authinfo db:/etc/smtpd/authinfo.db + action default relay host "smtps://user@mailhost.neurotec.uni-bremen.de:465" auth tls no-verify + match from any for any action default + + - name: Create a volume smtpd_spool + community.docker.docker_volume: + name: smtpd_spool + state: present + + - name: Create OpenSMTPd + community.docker.docker_container: + name: smtpd + image: wodby/opensmtpd + state: started + recreate: no + restart_policy: always + published_ports: + - "25:25/tcp" + env: + RELAY_HOST: "XXX" + RELAY_PROTO: "smtps" + RELAY_PORT: "XXX" + RELAY_USER: "{{ EMAIL__USERNAME }}" + RELAY_PASSWORD: "{{ EMAIL__PASSWORD }}" + + volumes: + - 
"/root/opensmtpd/smtpd_pre.conf:/etc/gotpl/smtpd.conf.tmpl" + - "smtpd_spool:/var/spool/smtpd" + + networks: + - name: CheckNet + - name: bridge + comparisons: + networks: strict + + + - name: install mailx + dnf: + name: "mailx,telnet,sendmail" + state: latest + update_cache: true + skip_broken: true + nobest: false + allowerasing: true + + - name: esmtprc + blockinfile: + path: /etc/esmtprc + state: present + create: true + block: | + hostname = 127.0.0.1:25 + mda "/usr/bin/procmail -d %T" + + + +# You will find the provisional password for the cmkadmin account in the logs that are written for this container +# docker container logs monitoring +# dnf install -y http://10.10.0.3/cmk/check_mk/agents/check-mk-agent-2.2.0p24-1.noarch.rpm +# +# myhostname=`hostname` +# cmk-agent-ctl register --server 10.10.0.3:8000 --site cmk --user automation --trust-cert --password 'UTUBJELBGMKMSHEHHOMC' --hostname $myhostname \ No newline at end of file diff --git a/install_checkmk_client_phase_a.yaml b/install_checkmk_client_phase_a.yaml new file mode 100644 index 0000000..d978059 --- /dev/null +++ b/install_checkmk_client_phase_a.yaml @@ -0,0 +1,23 @@ +--- +- name: install check client + hosts: all + become: true + + + tasks: + + - name: remove other files + include_tasks: yaml_sub/myrepo_clean.yaml + + - name: update file myrepo.repo + import_tasks: yaml_sub/myrepo_data.yaml + + - name: install client + ansible.builtin.dnf: + name: "http://10.10.0.3/cmk/check_mk/agents/check-mk-agent-2.2.0p24-1.noarch.rpm" + state: present + update_cache: true + skip_broken: true + nobest: false + allowerasing: true + disable_gpg_check: true diff --git a/install_checkmk_client_phase_b.yaml b/install_checkmk_client_phase_b.yaml new file mode 100644 index 0000000..b1af752 --- /dev/null +++ b/install_checkmk_client_phase_b.yaml 
@@ -0,0 +1,9 @@ +--- +- name: register check client + hosts: all + become: true + + tasks: + - name: register check client + shell: "myhostname=`hostname` ; cmk-agent-ctl register --server 10.10.0.3:8000 --site cmk --user automation --trust-cert --password '{{ password }}' --hostname $myhostname" + diff --git a/install_docker_web.yaml b/install_docker_web.yaml index a45c4de..11faa4f 100644 --- a/install_docker_web.yaml +++ b/install_docker_web.yaml @@ -18,7 +18,7 @@ name: portainerweb image: portainer/portainer-ce state: started - recreate: yes + recreate: no restart_policy: always published_ports: - "8000:8000/tcp" diff --git a/install_gitlab.yaml b/install_gitlab.yaml new file mode 100644 index 0000000..7cd9425 --- /dev/null +++ b/install_gitlab.yaml 
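Review bot: The `register check client` task passes `'{{ password }}'` on the command line, so it shows up in the process list on the target and in Ansible's task output unless the task also sets `no_log: true`. `--trust-cert` accepts whatever certificate `10.10.0.3:8000` presents at registration time; if the server certificate is known, distributing it and registering without that flag removes the trust-on-first-use window. The backtick `hostname` subshell can be replaced by the `{{ ansible_hostname }}` fact, which also lets the task use `ansible.builtin.command` instead of `shell`.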
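Review bot: `recreate: no` uses a YAML 1.1 truthy spelling that yamllint and ansible-lint flag; `recreate: false` is the canonical form the module expects. The same spelling is introduced in `install_pi_hole.yaml` and in the new `docker_container` tasks of `install_checkmk.yaml` and `install_slurm.yaml` in this commit, so one sweep can fix all of them. If I read the module correctly, turning forced recreation off means a changed image or env only triggers a new container when `comparisons` detects the drift, which is worth a short comment above the line, e.g. `# recreate only on detected config drift`.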
@@ -0,0 +1,61 @@ +--- +- name: install gitlab + hosts: all + become: true + + tasks: + + + - name: Create network GitLabNet + community.docker.docker_network: + name: GitLabNet + + + + +# - name: install docker +# ansible.builtin.include_tasks: yaml_sub/install_docker.yaml + + - name: Create a volume + community.docker.docker_volume: + name: gitlab_opt + state: present + + - name: Create a volume + community.docker.docker_volume: + name: gitlab_etc + state: present + + - name: Create a volume + community.docker.docker_volume: + name: gitlab_log + state: present + + +# - name: Create gitlab container +# community.docker.docker_container: +# name: gitlab +# image: gitlab/gitlab-ce +# state: started +# recreate: no +# GITLAB_ROOT_PASSWORD +## hostname: 'gitlab.example.com' +# GITLAB_OMNIBUS_CONFIG: | +# # Add any other gitlab.rb configuration here, each on its own line +# external_url 'https://gitlab.example.com' +# restart_policy: always +## published_ports: +## - "443:443/tcp" +## - "80:80/tcp" +## - "22:22/tcp" +# volumes: +# - "gitlab_opt:/var/opt/gitlab" +# - "gitlab_etc:/etc/gitlab" +# - "gitlab_log:/var/log/gitlab" +## - /var/run/docker.sock:/var/run/docker.sock +# networks: +# - name: OverleafNet +# - name: bridge +# comparisons: +# networks: strict +# shm_size: '256m' \ No newline at end of file diff --git a/install_ldap_389ds.yaml b/install_ldap_389ds.yaml index aaf9d1c..aad4777 100644 --- a/install_ldap_389ds.yaml +++ b/install_ldap_389ds.yaml @@ -139,4 +139,4 @@ # cd /root ; dscreate from-file instance.inf -# ldapsearch -x -H ldap://ldap.neuro.uni-bremen.de -s base -b "" "objectclass=*" +# ldapsearch -x -H ldap://ldap.neuro.uni-bremen.de -s base -b "" "objectclass=*" \ No newline at end of file diff --git a/install_pi_hole.yaml b/install_pi_hole.yaml index 8f42844..95dff6c 100644 --- a/install_pi_hole.yaml +++ b/install_pi_hole.yaml 
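Review bot: The three volume tasks all carry the same `name: Create a volume`, so the play output cannot tell `gitlab_opt`, `gitlab_etc` and `gitlab_log` apart; name each after its volume, e.g. `- name: Create volume gitlab_opt`. In the commented-out container block the network is still `OverleafNet` although the hunk creates `GitLabNet`, so uncommenting it as-is would attach the container to the wrong network or fail. That block also keeps a commented `/var/run/docker.sock` bind mount; if it is ever enabled it hands the GitLab container control of the host Docker daemon, so it deserves either a comment stating why it is needed or removal.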
@@ -34,7 +34,7 @@ name: pihole image: pihole/pihole state: started - recreate: yes + recreate: no restart_policy: always published_ports: - "53:53/tcp" diff --git a/install_slurm.yaml b/install_slurm.yaml new file mode 100644 index 0000000..5fb9e86 --- /dev/null +++ b/install_slurm.yaml @@ -0,0 +1,76 @@ +--- +- name: install slurm + hosts: all + become: true + + vars: + sqlpwd: "{{ env_sql_pw}}" + sqlrootpwd: "{{ env_root_sql_pw}}" + + tasks: + + - name: export munge user + shell: "export MUNGEUSER=10001" + + - name: export export SlurmUSER + shell: "export export SlurmUSER=10000" + + - name: mount_info + include_tasks: yaml_sub/mount_info.yaml + + - name: ldap + include_tasks: yaml_sub/ldap.yaml + + - name: sssd + include_tasks: yaml_sub/sssd.yaml + + - name: install docker + ansible.builtin.include_tasks: yaml_sub/install_docker.yaml + + - name: Create volume slurm_maria_db + community.docker.docker_volume: + name: slurm_maria_db + state: present + + - name: Create mariab container + community.docker.docker_container: + name: slurmmariadb + image: mariadb + state: started + recreate: no + restart_policy: always + env: + MARIADB_DATABASE: "slurm" + MARIADB_USER: "slurm" + MARIADB_PASSWORD: "{{ sqlpwd }}" + MARIADB_ROOT_PASSWORD : "{{ sqlrootpwd }}" + MYSQL_ROOT_HOST: '%' + published_ports: + - "3306:3306/tcp" + networks: + - name: bridge + comparisons: + networks: strict + volumes: + - "slurm_maria_db:/var/lib/mysql" + + + - name: remove other files + include_tasks: yaml_sub/myrepo_clean.yaml + - name: update file myrepo.repo + import_tasks: yaml_sub/myrepo_data.yaml + + + - name: install slurm + dnf: + name: slurm,slurm-slurmctld,slurm-slurmdbd,slurm-slurmrestd,slurm-gui,munge,python3-mysql + state: present + update_cache: true + skip_broken: true + nobest: false + allowerasing: true + + - name: install munge server + include_tasks: yaml_sub/install_munge_server.yaml + + 
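Review bot: The MariaDB task publishes `"3306:3306/tcp"` on all host interfaces while `MYSQL_ROOT_HOST: '%'` allows root logins from any address, so the database root account is reachable from the network, protected only by `{{ sqlrootpwd }}`. Since slurmdbd runs on the same host, binding to loopback with `- "127.0.0.1:3306:3306/tcp"`, or attaching slurmdbd to the container network and dropping `published_ports`, removes that exposure. The tasks `shell: "export MUNGEUSER=10001"` and `shell: "export export SlurmUSER=10000"` are no-ops, because each `shell` task runs in its own process and the variables do not survive into later tasks (the second also repeats `export`); pass them via `environment:` on the tasks that need them. `MARIADB_ROOT_PASSWORD : ` has a space before the colon, which YAML tolerates but none of the neighbouring keys use.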
diff --git a/ldap_fix_group_permissions.lif b/ldap_fix_group_permissions.lif new file mode 100644 index 0000000..0b3db0a --- /dev/null +++ b/ldap_fix_group_permissions.lif 
@@ -0,0 +1,38 @@ +# ldapmodify -x -W -D "cn=admin" -f temp.lif +# ldapsearch -x -W -D "cn=admin" -b "dc=ldap,dc=neuro,dc=uni-bremen,dc=de" -LLL -s sub '(aci=*)' aci + +dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de +changetype: modify +delete: aci +aci: (targetattr="cn || member || memberUid || gidNumber || nsUniqueId || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable anyone group read"; allow (read, search, compare)(userdn="ldap:///anyone");) + +dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de +changetype: modify +delete: aci +aci: (targetattr="member")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_modify to alter members"; allow (write)(groupdn="ldap:///cn=group_modify,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");) + +dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de +changetype: modify +delete: aci +aci: (targetattr="cn || member || gidNumber || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_admin to manage groups"; allow (write, add, delete)(groupdn="ldap:///cn=group_admin,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");) + + + +dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de +changetype: modify +add: aci +aci: (targetattr="cn || member || memberUid || gidNumber || nsUniqueId || description || objectClass")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable anyone group read"; allow (read, search, compare)(userdn="ldap:///anyone");) + +dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de +changetype: modify +add: aci +aci: (targetattr="member")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable group_modify to alter members"; allow (write)(groupdn="ldap:///cn=group_modify,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");) + +dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de +changetype: modify +add: aci +aci: (targetattr="cn || member || gidNumber || description || 
objectClass")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable group_admin to manage groups"; allow (write, add, delete)(groupdn="ldap:///cn=group_admin,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");) + + + + diff --git a/machines/check b/machines/check new file mode 100644 index 0000000..d014e9d --- /dev/null +++ b/machines/check @@ -0,0 +1,2 @@ +check.neuro.uni-bremen.de + diff --git a/machines/cluster b/machines/cluster new file mode 100644 index 0000000..376411e --- /dev/null +++ b/machines/cluster @@ -0,0 +1,43 @@ +gate0 +gate1 +gate2 +gp3u1 +gp3u2 +gp4u1 +gp4u2 +gp4u3 +gp4u4 +gp4u5 +gp4u6 +gp4u7 +granat1 +granat2 +granat3 +granat4 +granat5 +granat6 +granat7 +granat8 +octopode +doppio +fatbastard +nc46 +nc47 +nc48 +nc49 +nc50 +nc51 +nc52 +nc53 +nc54 +nc55 +nc56 +nc57 +nc58 +nc59 +nc60 +nc61 +nc62 +nc63 +nc64 +nc66 diff --git a/machines/crystal b/machines/crystal new file mode 100644 index 0000000..1101d32 --- /dev/null +++ b/machines/crystal @@ -0,0 +1 @@ +crystal.neuro.uni-bremen.de \ No newline at end of file diff --git a/machines/gitlab b/machines/gitlab new file mode 100644 index 0000000..8e9148e --- /dev/null +++ b/machines/gitlab @@ -0,0 +1 @@ +10.10.0.6 \ No newline at end of file diff --git a/machines/haggis b/machines/haggis new file mode 100644 index 0000000..47b2949 --- /dev/null +++ b/machines/haggis @@ -0,0 +1 @@ +haggis.neuro.uni-bremen.de \ No newline at end of file diff --git a/machines/slurm b/machines/slurm new file mode 100644 index 0000000..44f176c --- /dev/null +++ b/machines/slurm @@ -0,0 +1 @@ +10.10.0.7 \ No newline at end of file diff --git a/update_ldap.yaml b/update_ldap.yaml new file mode 100644 index 0000000..f39ea31 --- /dev/null +++ b/update_ldap.yaml @@ -0,0 +1,11 @@ +--- +- name: update ldap setting + hosts: all + become: true + + tasks: + - name: ldap + include_tasks: yaml_sub/ldap.yaml + + - name: sssd + include_tasks: yaml_sub/sssd.yaml 
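Review bot: The re-added `group_modify` and `group_admin` ACIs still target `member` (and `group_admin` omits `memberUid`) while the targetfilter now selects `posixGroup`, whose membership attribute is `memberUid`; if the groups are plain posixGroup entries, these ACIs grant write on an attribute they do not carry and membership cannot actually be changed, so `memberUid` belongs in both `targetattr` lists. The anonymous-read ACI exposes `member`, `memberUid` and `nsUniqueId` to `userdn="ldap:///anyone"`, i.e. unauthenticated binds; if only bound clients need group lookups, `ldap:///all` limits enumeration to authenticated users. The header's `ldapmodify -x -W -D "cn=admin" -f temp.lif` stops at the first `delete: aci` whose value is not present verbatim, so either add `-c` (continue on errors) or confirm the old values with the `ldapsearch` on the next line before applying.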
diff --git a/yaml_sub/install_base_system.yaml b/yaml_sub/install_base_system.yaml index 04b588a..845b802 100644 --- a/yaml_sub/install_base_system.yaml +++ b/yaml_sub/install_base_system.yaml @@ -114,38 +114,17 @@ name: firewalld ignore_errors: true - - name: remove other files - include_tasks: yaml_sub/myrepo_clean.yaml - - name: update file myrepo.repo - import_tasks: yaml_sub/myrepo_data.yaml - - - name: install nfs tools - dnf: - name: nfs-utils,nfs-utils-coreos,nfsv4-client-utils,rpcbind - state: present - update_cache: true - skip_broken: true - nobest: false - allowerasing: true - - - name: Make sure rpcbind service unit is started - systemd_service: - enabled: true - state: started - name: rpcbind - - name: mount_info include_tasks: yaml_sub/mount_info.yaml - - name: remove other files include_tasks: yaml_sub/myrepo_clean.yaml - name: update file myrepo.repo import_tasks: yaml_sub/myrepo_data.yaml - - name: ssh and sss + - name: ssh dnf: - name: "openssh,openssh-clients,openssh-server,sssd" + name: "openssh,openssh-clients,openssh-server" state: present update_cache: true skip_broken: true @@ -202,19 +181,9 @@ line: "ServerName 10.10.10.16" create: true - - name: set LDAP - blockinfile: - path: /etc/openldap/ldap.conf - state: present - create: true - owner: "root" - group: "root" - mode: "0644" - block: | - URI ldap://ldap.neuro.uni-bremen.de - BASE dc=ldap,dc=neuro,dc=uni-bremen,dc=de - TLS_REQCERT never - + - name: ldap + include_tasks: yaml_sub/ldap.yaml + - name: sssd include_tasks: yaml_sub/sssd.yaml diff --git a/yaml_sub/install_munge_server.yaml b/yaml_sub/install_munge_server.yaml new file mode 100644 index 0000000..090e51f --- /dev/null +++ b/yaml_sub/install_munge_server.yaml 
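Review bot: After this refactor every included sub-file (`mount_info.yaml`, `ldap.yaml`, `sssd.yaml`, and in this commit also `install_munge_server.yaml`) opens with its own `myrepo_clean.yaml` / `myrepo_data.yaml` pair, so a single run of this play rewrites the repo file and refreshes metadata several times; keeping the pair once here and dropping it from the sub-files keeps the play faster and its output honest about what changed. The task name `remove other files` on `include_tasks: yaml_sub/myrepo_clean.yaml` says nothing about repositories; `- name: reset myrepo.repo` would be clearer. The second hunk's swap of the inline `/etc/openldap/ldap.conf` block for `include_tasks: yaml_sub/ldap.yaml` also moves from `URI ldap://` to `ldaps://...:636` (visible in the new `yaml_sub/ldap.yaml`), a behaviour change worth a comment above the include.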
@@ -0,0 +1,67 @@ +--- + - name: remove other files + include_tasks: yaml_sub/myrepo_clean.yaml + - name: update file myrepo.repo + import_tasks: yaml_sub/myrepo_data.yaml + + - name: export munge user + shell: "export MUNGEUSER=10001" + + - name: install slurm + dnf: + name: munge + state: present + update_cache: true + skip_broken: true + nobest: false + allowerasing: true + + - name: save munge key + ansible.builtin.copy: + src: "../munge.key" + dest: "/etc/munge/munge.key" + owner: "munge" + group: "munge" + mode: 0400 + + - name: deal with directories /etc/munge + ansible.builtin.file: + path: "/etc/munge" + owner: "munge" + group: "munge" + mode: 0700 + state: "directory" + + - name: deal with directories /var/log/munge/ + ansible.builtin.file: + path: "/var/log/munge" + owner: "munge" + group: "munge" + mode: 0700 + state: "directory" + + - name: Make sure munge is running + systemd_service: + daemon_reload: true + state: started + enabled: true + name: munge + + - name: Set number of munge threads + lineinfile: + path: "/etc/systemd/system/multi-user.target.wants/munge.service" + regexp: "^ExecStart=/usr/sbin/munged" + line: "ExecStart=/usr/sbin/munged --num-threads 10" + create: true + + - name: Make sure munge is restarted + systemd_service: + daemon_reload: true + state: restarted + enabled: true + name: munge + + + + + \ No newline at end of file diff --git a/yaml_sub/ldap.yaml b/yaml_sub/ldap.yaml new file mode 100644 index 0000000..5646ca2 --- /dev/null +++ b/yaml_sub/ldap.yaml 
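Review bot: `Set number of munge threads` edits `/etc/systemd/system/multi-user.target.wants/munge.service`, which is normally the enablement symlink to the packaged unit, so `lineinfile` rewrites the vendor unit (lost on the next package update), and with `create: true` it would drop a bare file there if the service were not yet enabled. A drop-in is the supported route: write `[Service]`, `ExecStart=`, `ExecStart=/usr/sbin/munged --num-threads 10` to `/etc/systemd/system/munge.service.d/threads.conf` (file name constructed here) and keep the existing `daemon_reload: true` restart. `shell: "export MUNGEUSER=10001"` is a no-op because the variable dies with that shell; set it via `environment:` on the task that needs it or remove it. `mode: 0400` and `mode: 0700` are unquoted octals while `yaml_sub/ldap.yaml` in the same commit writes `mode: "0644"`; quoting them avoids the YAML 1.1 octal pitfall ansible-lint flags. `src: "../munge.key"` ships the cluster's shared MUNGE secret from outside the repository tree, which rightly keeps it out of VCS but deserves a comment stating where the key is expected and how it was generated.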
@@ -0,0 +1,41 @@ +--- + +- name: remove other files + include_tasks: yaml_sub/myrepo_clean.yaml +- name: update file myrepo.repo + import_tasks: yaml_sub/myrepo_data.yaml + +- name: install openldap + dnf: + name: nss-pam-ldapd,openldap,openldap-clients + state: present + update_cache: true + skip_broken: true + nobest: false + allowerasing: true + +- name: Remove old entry (URI) + ansible.builtin.lineinfile: + path: /etc/openldap/ldap.conf + state: absent + line: "URI ldap://10.10.1.31" + +- name: Remove old entry (BASE) + ansible.builtin.lineinfile: + path: /etc/openldap/ldap.conf + state: absent + line: "BASE dc=nas1,dc=neuro,dc=itp" + + +- name: set LDAP + blockinfile: + path: /etc/openldap/ldap.conf + state: present + create: true + owner: "root" + group: "root" + mode: "0644" + block: | + URI ldaps://ldap.neuro.uni-bremen.de:636 + BASE dc=ldap,dc=neuro,dc=uni-bremen,dc=de + TLS_REQCERT never diff --git a/yaml_sub/mount_info.yaml b/yaml_sub/mount_info.yaml index 9eba641..7bc6997 100644 --- a/yaml_sub/mount_info.yaml +++ b/yaml_sub/mount_info.yaml @@ -1,4 +1,24 @@ --- +- name: remove other files + include_tasks: yaml_sub/myrepo_clean.yaml +- name: update file myrepo.repo + import_tasks: yaml_sub/myrepo_data.yaml + +- name: install nfs tools + dnf: + name: nfs-utils,nfs-utils-coreos,nfsv4-client-utils,rpcbind + state: present + update_cache: true + skip_broken: true + nobest: false + allowerasing: true + +- name: Make sure rpcbind service unit is started + systemd_service: + enabled: true + state: started + name: rpcbind + - name: Mount /home ansible.posix.mount: src: 10.10.1.21:/volume1/home_dir @@ -7,6 +27,7 @@ boot: true state: mounted fstype: nfs + - name: Mount /glocal ansible.posix.mount: src: 10.10.1.1:/volume1/glocal @@ -15,6 +36,7 @@ boot: true state: mounted fstype: nfs + - name: Mount /tools ansible.posix.mount: src: 10.10.1.1:/volume1/tools 
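Review bot: The `set LDAP` block switches the URI to `ldaps://ldap.neuro.uni-bremen.de:636` but keeps `TLS_REQCERT never`, so the client encrypts to whatever answers on 636 without verifying the server certificate, which leaves the LDAPS upgrade largely cosmetic against an on-path attacker. Distribute the CA certificate and set `TLS_REQCERT demand` together with `TLS_CACERT /etc/openldap/certs/CA_FILE_PLACEHOLDER` (path placeholder). The `Remove old entry` tasks delete only the exact `URI ldap://10.10.1.31` and `BASE dc=nas1,...` lines, so any other stale `URI` line in `ldap.conf` survives beside the new block; `regexp: '^URI '` with `state: absent` would catch them all.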
@@ -23,6 +45,7 @@ boot: true state: mounted fstype: nfs + - name: Mount /0 ansible.posix.mount: src: 10.10.1.1:/volume1/data @@ -31,6 +54,7 @@ boot: true state: mounted fstype: nfs + - name: Mount /sge-root ansible.posix.mount: src: 10.10.10.16:/sge-root @@ -39,6 +63,7 @@ boot: true state: mounted fstype: nfs + - name: Mount /data_1 ansible.posix.mount: src: 10.10.1.31:/volume1/data @@ -47,6 +72,7 @@ boot: true state: mounted fstype: nfs + - name: Mount /web ansible.posix.mount: src: 10.10.1.1:/volume1/web diff --git a/yaml_sub/sssd.yaml b/yaml_sub/sssd.yaml index fe83868..74fc9ad 100644 --- a/yaml_sub/sssd.yaml +++ b/yaml_sub/sssd.yaml @@ -1,4 +1,19 @@ --- + +- name: remove other files + include_tasks: yaml_sub/myrepo_clean.yaml +- name: update file myrepo.repo + import_tasks: yaml_sub/myrepo_data.yaml + +- name: install sssd + dnf: + name: sssd,sssd-ldap,sssd-tools + state: present + update_cache: true + skip_broken: true + nobest: false + allowerasing: true + - name: Check for marker line lineinfile: path: /etc/sssd/sssd.conf 
@@ -28,21 +43,31 @@ [domain/default] id_provider = ldap + auth_provider = ldap + chpass_provider = ldap + ldap_uri = ldaps://ldap.neuro.uni-bremen.de:636 ldap_search_base = dc=ldap,dc=neuro,dc=uni-bremen,dc=de + ldap_user_search_base = ou=people,dc=ldap,dc=neuro,dc=uni-bremen,dc=de + ldap_group_search_base = ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de ldap_user_name = uid ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_home_directory = homeDirectory - loginShell = loginShell + ldap_user_shell = loginShell ldap_user_fullname = cn ldap_user_object_class = posixAccount ldap_default_authtok_type = password ldap_tls_reqcert = never - # ldap_auth_disable_tls_never_use_in_production = true - # ldap_id_use_start_tls = False + ldap_group_object_class = posixGroup + ldap_group_gid_number = gidNumber + ldap_group_member = memberUid + ldap_group_name = cn + ldap_group_nesting_level = 5 + + register: marker_check - name: enable sssd