davrot/neuro_ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add files via upload

Browse source
This commit is contained in:
David Rotermund 2024-04-16 10:10:11 +02:00 committed by GitHub
parent 23a8918257
commit 193e98165b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 569 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

132
install_checkmk.yaml Normal file
View file

@ -0,0 +1,132 @@
---
- name: install check
hosts: all
become: true
vars:
tasks:
- name: Create network CheckNet
community.docker.docker_network:
name: CheckNet
- name: remove other files
include_tasks: yaml_sub/install_docker.yaml
- name: mount dirs
include_tasks: yaml_sub/mount_info.yaml
- name: set ldap
include_tasks: yaml_sub/ldap.yaml
- name: set sssd
include_tasks: yaml_sub/sssd.yaml
- name: Create volume monitoring
community.docker.docker_volume:
name: monitoring
state: present
- name: Create checkmk
community.docker.docker_container:
name: checkmk
image: checkmk/check-mk-raw
state: started
recreate: no
restart_policy: always
published_ports:
- "80:5000/tcp"
- "8000:8000/tcp"
volumes:
- "monitoring:/omd/sites"
- "/etc/localtime:/etc/localtime:ro"
env:
MAIL_RELAY_HOST: "smtpd"
networks:
- name: CheckNet
- name: bridge
comparisons:
networks: strict
hostname: "neuro.uni-bremen.de"
- name: set smtpd_pre.conf
blockinfile:
path: /root/opensmtpd/smtpd_pre.conf
state: present
create: true
owner: "root"
group: "root"
mode: "0644"
block: |
listen on 0.0.0.0
listen on ::
table aliases file:/etc/smtpd/aliases
queue ttl 4d
bounce warn-interval 1h, 6h, 2d
smtp max-message-size 35M
table authinfo db:/etc/smtpd/authinfo.db
action default relay host "smtps://user@mailhost.neurotec.uni-bremen.de:465" auth <authinfo> tls no-verify
match from any for any action default
- name: Create a volume smtpd_spool
community.docker.docker_volume:
name: smtpd_spool
state: present
- name: Create OpenSMTPd
community.docker.docker_container:
name: smtpd
image: wodby/opensmtpd
state: started
recreate: no
restart_policy: always
published_ports:
- "25:25/tcp"
env:
RELAY_HOST: "XXX"
RELAY_PROTO: "smtps"
RELAY_PORT: "XXX"
RELAY_USER: "{{ EMAIL__USERNAME }}"
RELAY_PASSWORD: "{{ EMAIL__PASSWORD }}"
volumes:
- "/root/opensmtpd/smtpd_pre.conf:/etc/gotpl/smtpd.conf.tmpl"
- "smtpd_spool:/var/spool/smtpd"
networks:
- name: CheckNet
- name: bridge
comparisons:
networks: strict
- name: install mailx
dnf:
name: "mailx,telnet,sendmail"
state: latest
update_cache: true
skip_broken: true
nobest: false
allowerasing: true
- name: esmtprc
blockinfile:
path: /etc/esmtprc
state: present
create: true
block: |
hostname = 127.0.0.1:25
mda "/usr/bin/procmail -d %T"
# You will find the provisional password for the cmkadmin account in the logs that are written for this container
# docker container logs monitoring
# dnf install -y http://10.10.0.3/cmk/check_mk/agents/check-mk-agent-2.2.0p24-1.noarch.rpm
#
# myhostname=`hostname`
# cmk-agent-ctl register --server 10.10.0.3:8000 --site cmk --user automation --trust-cert --password 'UTUBJELBGMKMSHEHHOMC' --hostname $myhostname

23
install_checkmk_client_phase_a.yaml Normal file
View file

@ -0,0 +1,23 @@
---
- name: install check client
hosts: all
become: true
tasks:
- name: remove other files
include_tasks: yaml_sub/myrepo_clean.yaml
- name: update file myrepo.repo
import_tasks: yaml_sub/myrepo_data.yaml
- name: install client
ansible.builtin.dnf:
name: "http://10.10.0.3/cmk/check_mk/agents/check-mk-agent-2.2.0p24-1.noarch.rpm"
state: present
update_cache: true
skip_broken: true
nobest: false
allowerasing: true
disable_gpg_check: true

9
install_checkmk_client_phase_b.yaml Normal file
View file

@ -0,0 +1,9 @@
---
- name: register check client
hosts: all
become: true
tasks:
- name: register check client
shell: "myhostname=`hostname` ; cmk-agent-ctl register --server 10.10.0.3:8000 --site cmk --user automation --trust-cert --password '{{ password }}' --hostname $myhostname"

2
install_docker_web.yaml
View file

@ -18,7 +18,7 @@
name: portainerweb
image: portainer/portainer-ce
state: started
recreate: yes
recreate: no
restart_policy: always
published_ports:
- "8000:8000/tcp"

61
install_gitlab.yaml Normal file
View file

@ -0,0 +1,61 @@
---
- name: install gitlab
hosts: all
become: true
tasks:
- name: Create network GitLabNet
community.docker.docker_network:
name: GitLabNet
# - name: install docker
# ansible.builtin.include_tasks: yaml_sub/install_docker.yaml
- name: Create a volume
community.docker.docker_volume:
name: gitlab_opt
state: present
- name: Create a volume
community.docker.docker_volume:
name: gitlab_etc
state: present
- name: Create a volume
community.docker.docker_volume:
name: gitlab_log
state: present
# - name: Create gitlab container
# community.docker.docker_container:
# name: gitlab
# image: gitlab/gitlab-ce
# state: started
# recreate: no
# GITLAB_ROOT_PASSWORD
## hostname: 'gitlab.example.com'
# GITLAB_OMNIBUS_CONFIG: |
# # Add any other gitlab.rb configuration here, each on its own line
# external_url 'https://gitlab.example.com'
# restart_policy: always
## published_ports:
## - "443:443/tcp"
## - "80:80/tcp"
## - "22:22/tcp"
# volumes:
# - "gitlab_opt:/var/opt/gitlab"
# - "gitlab_etc:/etc/gitlab"
# - "gitlab_log:/var/log/gitlab"
## - /var/run/docker.sock:/var/run/docker.sock
# networks:
# - name: OverleafNet
# - name: bridge
# comparisons:
# networks: strict
# shm_size: '256m'

2
install_pi_hole.yaml
View file

@ -34,7 +34,7 @@
name: pihole
image: pihole/pihole
state: started
recreate: yes
recreate: no
restart_policy: always
published_ports:
- "53:53/tcp"

76
install_slurm.yaml Normal file
View file

@ -0,0 +1,76 @@
---
- name: install slurm
hosts: all
become: true
vars:
sqlpwd: "{{ env_sql_pw}}"
sqlrootpwd: "{{ env_root_sql_pw}}"
tasks:
- name: export munge user
shell: "export MUNGEUSER=10001"
- name: export export SlurmUSER
shell: "export export SlurmUSER=10000"
- name: mount_info
include_tasks: yaml_sub/mount_info.yaml
- name: ldap
include_tasks: yaml_sub/ldap.yaml
- name: sssd
include_tasks: yaml_sub/sssd.yaml
- name: install docker
ansible.builtin.include_tasks: yaml_sub/install_docker.yaml
- name: Create volume slurm_maria_db
community.docker.docker_volume:
name: slurm_maria_db
state: present
- name: Create mariab container
community.docker.docker_container:
name: slurmmariadb
image: mariadb
state: started
recreate: no
restart_policy: always
env:
MARIADB_DATABASE: "slurm"
MARIADB_USER: "slurm"
MARIADB_PASSWORD: "{{ sqlpwd }}"
MARIADB_ROOT_PASSWORD : "{{ sqlrootpwd }}"
MYSQL_ROOT_HOST: '%'
published_ports:
- "3306:3306/tcp"
networks:
- name: bridge
comparisons:
networks: strict
volumes:
- "slurm_maria_db:/var/lib/mysql"
- name: remove other files
include_tasks: yaml_sub/myrepo_clean.yaml
- name: update file myrepo.repo
import_tasks: yaml_sub/myrepo_data.yaml
- name: install slurm
dnf:
name: slurm,slurm-slurmctld,slurm-slurmdbd,slurm-slurmrestd,slurm-gui,munge,python3-mysql
state: present
update_cache: true
skip_broken: true
nobest: false
allowerasing: true
- name: install munge server
include_tasks: yaml_sub/install_munge_server.yaml

38
ldap_fix_group_permissions.lif Normal file
View file

@ -0,0 +1,38 @@
# ldapmodify -x -W -D "cn=admin" -f temp.lif
# ldapsearch -x -W -D "cn=admin" -b "dc=ldap,dc=neuro,dc=uni-bremen,dc=de" -LLL -s sub '(aci=*)' aci
dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
changetype: modify
delete: aci
aci: (targetattr="cn || member || memberUid || gidNumber || nsUniqueId || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable anyone group read"; allow (read, search, compare)(userdn="ldap:///anyone");)
dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
changetype: modify
delete: aci
aci: (targetattr="member")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_modify to alter members"; allow (write)(groupdn="ldap:///cn=group_modify,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");)
dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
changetype: modify
delete: aci
aci: (targetattr="cn || member || gidNumber || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_admin to manage groups"; allow (write, add, delete)(groupdn="ldap:///cn=group_admin,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");)
dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
changetype: modify
add: aci
aci: (targetattr="cn || member || memberUid || gidNumber || nsUniqueId || description || objectClass")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable anyone group read"; allow (read, search, compare)(userdn="ldap:///anyone");)
dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
changetype: modify
add: aci
aci: (targetattr="member")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable group_modify to alter members"; allow (write)(groupdn="ldap:///cn=group_modify,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");)
dn: ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
changetype: modify
add: aci
aci: (targetattr="cn || member || gidNumber || description || objectClass")(targetfilter="(objectClass=posixGroup)")(version 3.0; acl "Enable group_admin to manage groups"; allow (write, add, delete)(groupdn="ldap:///cn=group_admin,ou=permissions,dc=ldap,dc=neuro,dc=uni-bremen,dc=de");)

2
machines/check Normal file
View file

@ -0,0 +1,2 @@
check.neuro.uni-bremen.de

43
machines/cluster Normal file
View file

@ -0,0 +1,43 @@
gate0
gate1
gate2
gp3u1
gp3u2
gp4u1
gp4u2
gp4u3
gp4u4
gp4u5
gp4u6
gp4u7
granat1
granat2
granat3
granat4
granat5
granat6
granat7
granat8
octopode
doppio
fatbastard
nc46
nc47
nc48
nc49
nc50
nc51
nc52
nc53
nc54
nc55
nc56
nc57
nc58
nc59
nc60
nc61
nc62
nc63
nc64
nc66

1
machines/crystal Normal file
View file

@ -0,0 +1 @@
crystal.neuro.uni-bremen.de

1
machines/gitlab Normal file
View file

@ -0,0 +1 @@
10.10.0.6

1
machines/haggis Normal file
View file

@ -0,0 +1 @@
haggis.neuro.uni-bremen.de

1
machines/slurm Normal file
View file

@ -0,0 +1 @@
10.10.0.7

11
update_ldap.yaml Normal file
View file

@ -0,0 +1,11 @@
---
- name: update ldap setting
hosts: all
become: true
tasks:
- name: ldap
include_tasks: yaml_sub/ldap.yaml
- name: sssd
include_tasks: yaml_sub/sssd.yaml

39
yaml_sub/install_base_system.yaml
View file

@ -114,38 +114,17 @@
name: firewalld
ignore_errors: true
- name: remove other files
include_tasks: yaml_sub/myrepo_clean.yaml
- name: update file myrepo.repo
import_tasks: yaml_sub/myrepo_data.yaml
- name: install nfs tools
dnf:
name: nfs-utils,nfs-utils-coreos,nfsv4-client-utils,rpcbind
state: present
update_cache: true
skip_broken: true
nobest: false
allowerasing: true
- name: Make sure rpcbind service unit is started
systemd_service:
enabled: true
state: started
name: rpcbind
- name: mount_info
include_tasks: yaml_sub/mount_info.yaml
- name: remove other files
include_tasks: yaml_sub/myrepo_clean.yaml
- name: update file myrepo.repo
import_tasks: yaml_sub/myrepo_data.yaml
- name: ssh and sss
- name: ssh
dnf:
name: "openssh,openssh-clients,openssh-server,sssd"
name: "openssh,openssh-clients,openssh-server"
state: present
update_cache: true
skip_broken: true
@ -202,18 +181,8 @@
line: "ServerName 10.10.10.16"
create: true
- name: set LDAP
blockinfile:
path: /etc/openldap/ldap.conf
state: present
create: true
owner: "root"
group: "root"
mode: "0644"
block: |
URI ldap://ldap.neuro.uni-bremen.de
BASE dc=ldap,dc=neuro,dc=uni-bremen,dc=de
TLS_REQCERT never
- name: ldap
include_tasks: yaml_sub/ldap.yaml
- name: sssd
include_tasks: yaml_sub/sssd.yaml

67
yaml_sub/install_munge_server.yaml Normal file
View file

@ -0,0 +1,67 @@
---
- name: remove other files
include_tasks: yaml_sub/myrepo_clean.yaml
- name: update file myrepo.repo
import_tasks: yaml_sub/myrepo_data.yaml
- name: export munge user
shell: "export MUNGEUSER=10001"
- name: install slurm
dnf:
name: munge
state: present
update_cache: true
skip_broken: true
nobest: false
allowerasing: true
- name: save munge key
ansible.builtin.copy:
src: "../munge.key"
dest: "/etc/munge/munge.key"
owner: "munge"
group: "munge"
mode: 0400
- name: deal with directories /etc/munge
ansible.builtin.file:
path: "/etc/munge"
owner: "munge"
group: "munge"
mode: 0700
state: "directory"
- name: deal with directories /var/log/munge/
ansible.builtin.file:
path: "/var/log/munge"
owner: "munge"
group: "munge"
mode: 0700
state: "directory"
- name: Make sure munge is running
systemd_service:
daemon_reload: true
state: started
enabled: true
name: munge
- name: Set number of munge threads
lineinfile:
path: "/etc/systemd/system/multi-user.target.wants/munge.service"
regexp: "^ExecStart=/usr/sbin/munged"
line: "ExecStart=/usr/sbin/munged --num-threads 10"
create: true
- name: Make sure munge is restarted
systemd_service:
daemon_reload: true
state: restarted
enabled: true
name: munge

41
yaml_sub/ldap.yaml Normal file
View file

@ -0,0 +1,41 @@
---
- name: remove other files
include_tasks: yaml_sub/myrepo_clean.yaml
- name: update file myrepo.repo
import_tasks: yaml_sub/myrepo_data.yaml
- name: install openldap
dnf:
name: nss-pam-ldapd,openldap,openldap-clients
state: present
update_cache: true
skip_broken: true
nobest: false
allowerasing: true
- name: Remove old entry (URI)
ansible.builtin.lineinfile:
path: /etc/openldap/ldap.conf
state: absent
line: "URI ldap://10.10.1.31"
- name: Remove old entry (BASE)
ansible.builtin.lineinfile:
path: /etc/openldap/ldap.conf
state: absent
line: "BASE dc=nas1,dc=neuro,dc=itp"
- name: set LDAP
blockinfile:
path: /etc/openldap/ldap.conf
state: present
create: true
owner: "root"
group: "root"
mode: "0644"
block: |
URI ldaps://ldap.neuro.uni-bremen.de:636
BASE dc=ldap,dc=neuro,dc=uni-bremen,dc=de
TLS_REQCERT never

26
yaml_sub/mount_info.yaml
View file

@ -1,4 +1,24 @@
---
- name: remove other files
include_tasks: yaml_sub/myrepo_clean.yaml
- name: update file myrepo.repo
import_tasks: yaml_sub/myrepo_data.yaml
- name: install nfs tools
dnf:
name: nfs-utils,nfs-utils-coreos,nfsv4-client-utils,rpcbind
state: present
update_cache: true
skip_broken: true
nobest: false
allowerasing: true
- name: Make sure rpcbind service unit is started
systemd_service:
enabled: true
state: started
name: rpcbind
- name: Mount /home
ansible.posix.mount:
src: 10.10.1.21:/volume1/home_dir
@ -7,6 +27,7 @@
boot: true
state: mounted
fstype: nfs
- name: Mount /glocal
ansible.posix.mount:
src: 10.10.1.1:/volume1/glocal
@ -15,6 +36,7 @@
boot: true
state: mounted
fstype: nfs
- name: Mount /tools
ansible.posix.mount:
src: 10.10.1.1:/volume1/tools
@ -23,6 +45,7 @@
boot: true
state: mounted
fstype: nfs
- name: Mount /0
ansible.posix.mount:
src: 10.10.1.1:/volume1/data
@ -31,6 +54,7 @@
boot: true
state: mounted
fstype: nfs
- name: Mount /sge-root
ansible.posix.mount:
src: 10.10.10.16:/sge-root
@ -39,6 +63,7 @@
boot: true
state: mounted
fstype: nfs
- name: Mount /data_1
ansible.posix.mount:
src: 10.10.1.31:/volume1/data
@ -47,6 +72,7 @@
boot: true
state: mounted
fstype: nfs
- name: Mount /web
ansible.posix.mount:
src: 10.10.1.1:/volume1/web

31
yaml_sub/sssd.yaml
View file

@ -1,4 +1,19 @@
---
- name: remove other files
include_tasks: yaml_sub/myrepo_clean.yaml
- name: update file myrepo.repo
import_tasks: yaml_sub/myrepo_data.yaml
- name: install sssd
dnf:
name: sssd,sssd-ldap,sssd-tools
state: present
update_cache: true
skip_broken: true
nobest: false
allowerasing: true
- name: Check for marker line
lineinfile:
path: /etc/sssd/sssd.conf
@ -28,21 +43,31 @@
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.neuro.uni-bremen.de:636
ldap_search_base = dc=ldap,dc=neuro,dc=uni-bremen,dc=de
ldap_user_search_base = ou=people,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
ldap_group_search_base = ou=groups,dc=ldap,dc=neuro,dc=uni-bremen,dc=de
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
loginShell = loginShell
ldap_user_shell = loginShell
ldap_user_fullname = cn
ldap_user_object_class = posixAccount
ldap_default_authtok_type = password
ldap_tls_reqcert = never
# ldap_auth_disable_tls_never_use_in_production = true
# ldap_id_use_start_tls = False
ldap_group_object_class = posixGroup
ldap_group_gid_number = gidNumber
ldap_group_member = memberUid
ldap_group_name = cn
ldap_group_nesting_level = 5
register: marker_check
- name: enable sssd