ansible/roles/ldap_config/templates/nslcd.conf.j2

+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid ldap
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+uri {{ ldap_uri }}
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+base dc=cm,dc=cluster
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The default search scope.
+#scope sub
+#scope one
+#scope base
+
+# Customize certain database lookups.
+#base   group  ou=Groups,dc=example,dc=com
+#base   passwd ou=People,dc=example,dc=com
+#base   shadow ou=People,dc=example,dc=com
+#scope  group  onelevel
+#scope  hosts  sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+idle_timelimit 240
+
+# Use StartTLS without verifying the server certificate.
+#ssl start_tls
+#tls_reqcert never
+
+{% if ldap_uri | regex_search('^ldaps://') %}
+ssl on
+tls_reqcert demand
+
+# CA certificates for server certificate verification
+#tls_cacertdir /etc/ssl/certs
+tls_cacertfile /cm/local/apps/openldap/etc/certs/ca.pem
+tls_cert /cm/local/apps/openldap/etc/certs/ldap.pem
+tls_key /cm/local/apps/openldap/etc/certs/ldap.key
+{% endif %}
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFU30Name
+#map    passwd userPassword     msSFU30Password
+#map    passwd homeDirectory    msSFU30HomeDirectory
+#map    passwd homeDirectory    msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFU30Name
+#map    shadow userPassword     msSFU30Password
+#filter group  (objectClass=Group)
+#map    group  member           msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFUName
+#map    passwd userPassword     msSFUPassword
+#map    passwd homeDirectory    msSFUHomeDirectory
+#map    passwd gecos            msSFUName
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFUName
+#map    shadow userPassword     msSFUPassword
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=Group)
+#map    group  member           posixMember
+
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map    passwd uid              sAMAccountName
+#map    passwd homeDirectory    unixHomeDirectory
+#map    passwd gecos            displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map    shadow uid              sAMAccountName
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=group)
+
+# Alternative mappings for Active Directory
+# (replace the SIDs in the objectSid mappings with the value for your domain)
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
+#map    passwd uid           cn
+#map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map    passwd homeDirectory "/home/$cn"
+#map    passwd gecos         displayName
+#map    passwd loginShell    "/bin/bash"
+#filter group (|(objectClass=group)(objectClass=person))
+#map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map    passwd uid              userName
+#map    passwd userPassword     passwordChar
+#map    passwd uidNumber        uid
+#map    passwd gidNumber        gid
+#filter group  (objectClass=aixAccessGroup)
+#map    group  cn               groupName
+#map    group  gidNumber        gid
+# This comment prevents repeated auto-migration of settings.

ansible/roles/nfs_mounts/tasks/autofs.yml

+---
+- name: Create base directories
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: "{{ item.mode }}"
+  loop:
+    - { path: /local, mode: '0777' }
+    - { path: /share, mode: '0755' }
+
+- name: Create mountpoint dirs
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: "{{ item.mode }}"
+  loop:
+    "{{ autofs_mounts }}"
+
+- name: Remove unused entry in master map
+  ansible.builtin.replace:
+    dest: /etc/auto.master
+    regexp: '{{ item.regexp }}'
+    replace: '{{ item.replace }}'
+    backup: true
+  loop:
+    - { regexp: '^(/misc)', replace: '#\1' }
+    - { regexp: '^(/net)', replace: '#\1' }
+    - { regexp: '^(\+auto.master)', replace: '#\1' }
+
+- name: Add master map file
+  ansible.builtin.lineinfile:
+    path: "/etc/auto.master.d/gpfs.autofs"
+    line: "{{ item.mount_point }} /etc/auto.{{ item.map_name }}"
+    create: yes
+  loop:
+    "{{ autofs_mounts }}"
+
+- name: Set up autofs map files
+  ansible.builtin.lineinfile:
+    path: "/etc/auto.{{ item.map_name }}"
+    line: "{{ item.key }} -{{ item.opts }} {{ item.src }}"
+    create: true
+  loop:
+    "{{ autofs_mounts }}"
+
+- name: Create symbolic links
+  ansible.builtin.file:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    force: yes
+    state: link
+  loop:
+    - { src: /data/rc/apps, dest: /share/apps }
+
+- name: Enable and start autofs service
+  ansible.builtin.service:
+    name: autofs
+    enabled: true
+    state: restarted

ansible/roles/nfs_mounts/tasks/fstab.yml

+---
+- name: Create base directories
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: "{{ item.mode }}"
+  loop:
+    "{{ mount_points }}"
+
+- name: Mount the directories
+  ansible.posix.mount:
+    src: "{{ item.src }}"
+    path: "{{ item.path }}"
+    opts: "{{ item.opts }}"
+    state: mounted
+    fstype: nfs
+  loop:
+    "{{ mount_points }}"

ansible/roles/nfs_mounts/tasks/main.yml

 ---
-- name: Create base directories
-  ansible.builtin.file:
-    path: "{{ item.dir }}"
-    state: directory
-    mode: "{{ item.mode }}"
-  loop:
-    - { dir: /local, mode: '0777' }
-    - { dir: /scratch, mode: '0755' }
-    - { dir: /share, mode: '0755' }
-    - { dir: /data/rc/apps, mode: '0755' } # this is only required for the symlink to be happy
-    - { dir: /data/user, mode: '0755' }
-    - { dir: /data/project, mode: '0755' }
+- name: nfs_mounts using fstab
+  include_tasks: fstab.yml
+  when: use_fstab
 
-- name: Remove unused entry in master map
-  ansible.builtin.replace:
-    dest: /etc/auto.master
-    regexp: '{{ item.regexp }}'
-    replace: '{{ item.replace }}'
-    backup: true
-  loop:
-    - { regexp: '^(/misc)', replace: '#\1' }
-    - { regexp: '^(/net)', replace: '#\1' }
-    - { regexp: '^(\+auto.master)', replace: '#\1' }
-
-- name: Add master map file
-  ansible.builtin.lineinfile:
-    path: "/etc/auto.master.d/gpfs.autofs"
-    line: "{{ item.mount_point }} /etc/auto.{{ item.map_name }}"
-    create: yes
-  loop:
-    - { mount_point: "/cm/shared", map_name: "cm-share" }
-    - { mount_point: "/data/project", map_name: "data-project" }
-    - { mount_point: "/data/user", map_name: "data-user" }
-    - { mount_point: "/data/rc/apps", map_name: "data-rc-apps" }
-    - { mount_point: "/scratch", map_name: "scratch" }
-    - { mount_point: "/home", map_name: "home" }
-
-- name: Set up autofs map files
-  ansible.builtin.lineinfile:
-    path: "/etc/auto.{{ item.map_name }}"
-    line: "{{ item.key }} -{{ item.opts }} {{ item.src }}"
-    create: true
-  loop:
-    - { map_name: "cm-share", key: "*", src: "gpfs.rc.uab.edu:/data/cm/shared-8.2/&", opts: "fstype=nfs,vers=3,_netdev,defaults" }
-    - { map_name: "data-project", key: "*", src: "gpfs.rc.uab.edu:/data/project/&", opts: "fstype=nfs,vers=3,_netdev,defaults" }
-    - { map_name: "data-user", key: "*", src: "gpfs.rc.uab.edu:/data/user/&", opts: "fstype=nfs,vers=3,_netdev,local_lock=posix,defaults" }
-    - { map_name: "data-rc-apps", key: "*", src: "gpfs.rc.uab.edu:/data/rc/apps/&", opts: "fstype=nfs,vers=3,_netdev,defaults" }
-    - { map_name: "scratch", key: "*", src: "gpfs.rc.uab.edu:/scratch/&", opts: "fstype=nfs,vers=3,_netdev,local_lock=posix,defaults" }
-    - { map_name: "home", key: "*", src: ":/data/user/home/&", opts: 'fstype=bind' }
-
-- name: Create symbolic links
-  ansible.builtin.file:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    force: yes
-    state: link
-  loop:
-    - { src: /data/rc/apps, dest: /share/apps }
+- name: nfs_mounts using autofs
+  include_tasks: autofs.yml
+  when: use_autofs

ansible/roles/rewrite_map/tasks/main.yaml

+---
+- name: Add apache rewritemap script config
+  ansible.builtin.template:
+    src: rewrite_map_config_py.j2
+    mode: '600'
+    owner: root
+    group: root
+    dest: /var/www/rewrite_map_config.py
+
+- name: Replace OOD rewrite condition regex in Apache configuration
+  ansible.builtin.replace:
+    path: /etc/httpd/conf.d/front-end.conf
+    regexp: "RewriteCond %{HTTP:REMOTE_USER} '\\^\\(\\.\\+\\)\\$'"
+    replace: |
+      RewriteCond %{HTTP:REMOTE_USER} '([a-zA-Z0-9_.+-]+)@uab.edu$' [OR]
+          RewriteCond %{HTTP:REMOTE_USER} 'urn:mace:incommon:uab.edu!https://uabgrid.uab.edu/shibboleth!(.+)$'
+
+- name: Replace account app port in Apache configuration
+  ansible.builtin.replace:
+    path: /etc/httpd/conf.d/front-end.conf
+    regexp: "account-app:8000"
+    replace: "account-app:{{ account_app_port }}"
+
+- name: Restart httpd services
+  ansible.builtin.service:
+    name: httpd
+    enabled: true
+    state: restarted

ansible/roles/rewrite_map/templates/rewrite_map_config_py.j2

+DEBUG = False
+target_groups = {
+    {% for group in target_groups %}
+    "{{ group.name }}": "{{ group.host }}",
+    {% endfor %}
+}
+{% for group in target_groups %}
+{% if group.default %}
+default_hostname = "{{ group.host }}"
+{% endif %}
+{% endfor %}

ansible/roles/rsyslog_config/tasks/main.yml

+---
+- name: Add rsyslog configuration
+  ansible.builtin.template:
+    src: rsyslog.conf.j2
+    dest: /etc/rsyslog.conf
+    mode: 0644
+    owner: root
+    group: root
+    backup: true
+
+- name: Enable and start rsyslog
+  ansible.builtin.service:
+    name: rsyslog
+    enabled: true
+    state: restarted

ansible/roles/rsyslog_config/templates/rsyslog.conf.j2

+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+# Added for distro update >= 4 (7u4)
+global (
+net.enabledns="off"
+)
+
+#### MODULES ####
+
+# The imjournal module bellow is now used as a message source instead of imuxsock.
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+$ModLoad imjournal # provides access to the systemd journal
+#$ModLoad imklog # reads kernel messages (the same are read from journald)
+#$ModLoad immark  # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# Provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+$WorkDirectory /var/lib/rsyslog
+
+# Use default timestamp format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# File syncing capability is disabled by default. This feature is usually not required,
+# not useful and an extreme performance hit
+#$ActionFileEnableSync on
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+# Turn off message reception via local log socket;
+# local messages are retrieved through imjournal now.
+$OmitLocalLogging on
+
+# File to store the position in the journal
+$IMJournalStateFile imjournal.state
+
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.*                                                 /dev/console
+
+# Filter nslcd ldap ldap_abandon and ldap_result messages.
+if $programname == 'nslcd' and $syslogseverity >= '3' and $msg contains ' failed: Can\'t contact LDAP server' then stop
+if $programname == 'nslcd' and $syslogseverity >= '3' and $msg contains 'ldap_abandon() failed to abandon search: Other (e.g., implementation specific) error' then stop
+if $programname == 'nslcd' and $syslogseverity >= '3' and $msg contains 'ldap_abandon() failed to abandon search: Can\'t contact LDAP server: Transport endpoint is not connected' then stop
+if $programname == 'nslcd' and $syslogseverity >= '3' and $msg contains 'no available LDAP server found, sleeping ' then stop
+if $programname == 'nslcd' and $syslogseverity >= '3' and $msg contains 'connected to LDAP server ldap://local' then stop
+
+# Filter sntp started messages.
+if $programname == 'sntp' and $syslogseverity > '3' and $msg contains 'Started sntp' then stop
+
+# MariaDB Galera
+# disabled, as these messages are being generated every few seconds
+:msg, contains, "START: cm-check-galera-status" stop
+:msg, contains, "EXIT: cm-check-galera-status" stop
+
+# HAProxy for OpenStack
+if $syslogfacility-text == 'local4' and ($programname == 'haproxy') then {
+  local4.* /var/log/haproxy.log
+  stop
+}
+
+# OpenStack specific
+if $syslogfacility-text == 'daemon' then {
+
+  # needed for proper handling of Python stack traces
+  $EscapeControlCharactersOnReceive off
+
+  if $programname startswith 'keystone' then {
+    *.* /var/log/keystone/keystone.log
+  }
+
+  if $programname startswith 'nova' then {
+    *.* /var/log/nova/nova.log
+
+    if $programname == 'nova-api' then {
+      *.* /var/log/nova/nova-api.log
+    }
+    if $programname == 'nova-scheduler' then {
+      *.* /var/log/nova/nova-scheduler.log
+    }
+    if $programname == 'nova-conductor' then {
+      *.* /var/log/nova/nova-conductor.log
+    }
+    if $programname == 'nova-novncproxy' then {
+      *.* /var/log/nova/nova-novncproxy.log
+    }
+    if $programname == 'nova-compute' then {
+      *.* /var/log/nova/nova-compute.log
+    }
+  }
+
+  if $programname startswith 'neutron' then {
+    *.* /var/log/neutron/neutron.log
+
+    if $programname == 'neutron-server' then {
+      *.* /var/log/neutron/neutron-server.log
+    }
+    if $programname == 'neutron-metadata-agent' then {
+      *.* /var/log/neutron/neutron-metadata-agent.log
+    }
+    if $programname == 'neutron-l3-agent' then {
+      *.* /var/log/neutron/neutron-l3-agent.log
+    }
+    if $programname == 'neutron-dhcp-agent' then {
+      *.* /var/log/neutron/neutron-dhcp-agent.log
+    }
+    if $programname == 'neutron-openvswitch-agent' then {
+      *.* /var/log/neutron/neutron-openvswitch-agent.log
+    }
+
+  }
+
+  if $programname startswith 'glance' then {
+    *.* /var/log/glance/glance.log
+
+    if $programname == 'glance-api' then {
+      *.* /var/log/glance/glance-api.log
+    }
+    if $programname == 'glance-registry' then {
+      *.* /var/log/glance/glance-registry.log
+    }
+
+  }
+
+  if $programname startswith 'cinder' then {
+    *.* /var/log/cinder/cinder.log
+
+    if $programname == 'cinder-api' then {
+      *.* /var/log/cinder/cinder-api.log
+    }
+    if $programname == 'cinder-scheduler' then {
+      *.* /var/log/cinder/cinder-scheduler.log
+    }
+    if $programname == 'cinder-volume' then {
+      *.* /var/log/cinder/cinder-volume.log
+    }
+    if $programname == 'cinder-backup' then {
+      *.* /var/log/cinder/cinder-backup.log
+    }
+  }
+
+  if $programname startswith 'heat' then {
+    *.* /var/log/heat/heat.log
+
+    if $programname == 'heat-api' then {
+      *.* /var/log/heat/heat-api.log
+    }
+    if $programname == 'heat-engine' then {
+      *.* /var/log/heat/heat-engine.log
+    }
+  }
+
+  if $programname startswith 'keystone' or \
+     $programname startswith 'nova' or \
+     $programname startswith 'neutron' or \
+     $programname startswith 'glance' or \
+     $programname startswith 'cinder' or \
+     $programname startswith 'heat' then {
+
+     *.* /var/log/openstack
+     *.* @master:514
+     stop
+  }
+}
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none;local5.none;local6.none   /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.*                                              /var/log/secure
+
+# Log all the mail messages in one place.
+mail.*                                                  -/var/log/maillog
+
+
+# Log cron stuff
+cron.*                                                  /var/log/cron
+
+# Everybody gets emergency messages
+*.emerg                                                 :omusrmsg:*
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit                                          /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.*                                                /var/log/boot.log
+
+# cm related log files:
+local5.* -/var/log/node-installer
+local6.* -/var/log/cmdaemon
+
+# ### begin forwarding rule ###
+# The statement between the begin ... end define a SINGLE forwarding
+# rule. They belong together, do NOT split them. If you create multiple
+# forwarding rules, duplicate the whole block!
+# Remote Logging (we use TCP for reliable delivery)
+#
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
+#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList   # run asynchronously
+#$ActionResumeRetryCount -1    # infinite retries if host is down
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host:514
+#CM
+{{ rsyslog_target }}
+#### end of the forwarding rule ###

ansible/roles/slurm_client/tasks/main.yml

@@ -19,6 +19,7 @@
     state: present
     uid: 450
     group: slurm
+    create_home: false
 
 - name: Copy munge key
   ansible.builtin.copy:
@@ -28,6 +29,19 @@
     group: root
     mode: 0400
 
+- name: Create symbolic links for Slurm config files
+  ansible.builtin.file:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    state: link
+    force: yes  # Force the creation of the symlinks even if source files do not exist yet
+  loop:
+    - { src: "/cm/shared/apps/slurm/var/etc/cgroup.conf", dest: "/etc/slurm/cgroup.conf" }
+    - { src: "/cm/shared/apps/slurm/var/etc/gres.conf", dest: "/etc/slurm/gres.conf" }
+    - { src: "/cm/shared/apps/slurm/var/etc/slurm.conf", dest: "/etc/slurm/slurm.conf" }
+    - { src: "/cm/shared/apps/slurm/var/etc/slurmdbd.conf", dest: "/etc/slurm/slurmdbd.conf" }
+    - { src: "/cm/shared/apps/slurm/var/etc/job_submit.lua", dest: "/etc/slurm/job_submit.lua" }
+
 - name: Enable services
   ansible.builtin.service:
     name: "{{ item }}"

ansible/roles/ssh_host_keys/tasks/main.yml

+---
+- name: Ensure destination directory exists only if not present
+  ansible.builtin.file:
+    path: /tmp/ssh_keys
+    state: directory
+    mode: '0755'
+
+- name: Install require package
+  ansible.builtin.pip:
+    name: boto3
+    extra_args: "--extra-index-url https://pypi.python.org/simple"
+    executable: "/usr/bin/pip3"
+
+- name: Download SSH host keys tar.gz from S3
+  aws_s3:
+    mode: get
+    s3_url: "{{ S3_ENDPOINT }}"
+    bucket: "{{ SSH_HOST_KEYS_S3_BUCKET }}"
+    object: "{{ SSH_HOST_KEYS_S3_OBJECT }}"
+    dest: "/tmp/ssh_keys/{{ SSH_HOST_KEYS_S3_OBJECT }}"
+    aws_access_key: "{{ LTS_ACCESS_KEY }}"
+    aws_secret_key: "{{ LTS_SECRET_KEY }}"
+  vars:
+    ansible_python_interpreter: /usr/bin/python3
+  when: SSH_HOST_KEYS_S3_BUCKET | length > 0 and SSH_HOST_KEYS_S3_OBJECT | length > 0
+
+- name: Unpack SSH host keys to /etc/ssh
+  ansible.builtin.unarchive:
+    src: "/tmp/ssh_keys/{{ SSH_HOST_KEYS_S3_OBJECT }}"
+    dest: "/etc/ssh"
+    group: root
+    owner: root
+    remote_src: yes
+  become: true
+  when: SSH_HOST_KEYS_S3_BUCKET | length > 0 and SSH_HOST_KEYS_S3_OBJECT | length > 0
+
+- name: Remove the temporary folder after put in place
+  ansible.builtin.file:
+    path: /tmp/ssh_keys
+    state: absent
+
+- name: Restart SSH service
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+  become: true

ansible/roles/ssh_proxy_config/tasks/main.yml

+---
+- name: Configure sshpiper yaml plugin
+  ansible.builtin.template:
+    src: sshpiperd.yaml.j2
+    dest: "{{ sshpiper_dest_dir }}/sshpiperd.yaml"
+    backup: true
+
+- name: Enable and start sshpiper service
+  ansible.builtin.service:
+    name: sshpiperd
+    enabled: true
+    state: restarted

ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2

+# yaml-language-server: $schema=https://raw.githubusercontent.com/tg123/sshpiper/master/plugin/yaml/schema.json
+version: "1.0"
+pipes:
+{% for group in target_groups %}
+{% if not group.default %}
+- from:
+    - groupname: "{{ group.name }}"
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+- from:
+    - groupname: "{{ group.name }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+{% else %}
+- from:
+    - username: ".*" # catch all
+      username_regex_match: true
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+- from:
+    - username: ".*"
+      username_regex_match: true
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+{% endif %}
+{% endfor %}

ansible/roles/ssl_cert/tasks/main.yaml

+---
+- name: Download SSL Certs from S3
+  aws_s3:
+    mode: get
+    s3_url: "{{ S3_ENDPOINT }}"
+    bucket: "{{ ssl_cert_s3_bucket }}"
+    object: "{{ item }}"
+    dest: "{{ ssl_cert_file_location }}/{{ item }}"
+    aws_access_key: "{{ LTS_ACCESS_KEY }}"
+    aws_secret_key: "{{ LTS_SECRET_KEY }}"
+  vars:
+    ansible_python_interpreter: /usr/bin/python3
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
+- name: Change cert files permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_file_location }}/{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
+- name: Download SSL key from S3
+  aws_s3:
+    mode: get
+    s3_url: "{{ S3_ENDPOINT }}"
+    bucket: "{{ ssl_cert_s3_bucket }}"
+    object: "{{ ssl_cert_key }}"
+    dest: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    aws_access_key: "{{ LTS_ACCESS_KEY }}"
+    aws_secret_key: "{{ LTS_SECRET_KEY }}"
+  vars:
+    ansible_python_interpreter: /usr/bin/python3
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
+- name: Change key file permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    owner: root
+    group: root
+    mode: '0400'
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
+- name: Update SSL in Apache config
+  ansible.builtin.replace:
+    path: "{{ ssl_apache_config }}"
+    regexp: "{{ item.regexp }}"
+    replace: "\\1 {{ item.location }}/{{ item.value }}"
+    backup: true
+  when: ssl_apache_config | length > 0 and item.value | length > 0
+  loop:
+    - { regexp: "#?(SSLCertificateFile).*$", location: "{{ ssl_cert_file_location }}", value: "{{ ssl_cert_file }}" }
+    - { regexp: "#?(SSLCertificateChainFile).*$", location: "{{ ssl_cert_file_location }}", value: "{{ ssl_cert_chain_file }}" }
+    - { regexp: "#?(SSLCertificateKeyFile).*$", location: "{{ ssl_cert_key_location }}", value: "{{ ssl_cert_key }}" }
+
+- name: Restart apache service
+  ansible.builtin.service:
+    name: "{{ apache_service }}"
+    state: restarted

openstack-compute/nodeimage.pkr.hcl → openstack-login/nodeimage.pkr.hcl

@@ -36,11 +36,19 @@ source "openstack" "image" {
 build {
   sources = ["source.openstack.image"]
 
+  provisioner "shell" {
+    inline = [
+      "sudo yum install -y libselinux-python3 python3 python3-pip tmux vim git bash-completion curl wget unzip",
+      "sudo python3 -m pip install --upgrade pip",
+      "sudo pip3 install s3cmd==2.3.0 ansible==4.10.0 python-openstackclient==5.8.0"
+    ]
+  }
+
   provisioner "ansible" {
     use_proxy     = false
     user          = var.ssh_username
     groups        = ["compute"]
-    playbook_file = "./ansible/compute.yml"
+    playbook_file = "./ansible/login.yml"
     roles_path    = "./ansible/roles"
     extra_arguments = [
       "--extra-vars", "root_ssh_key='${var.root_ssh_key}'"
@@ -53,5 +61,8 @@ build {
     groups           = ["compute"]
     ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
     playbook_file    = "./CRI_XCBC/compute-packer.yaml"
+    extra_arguments  = [
+      "--extra-vars", "${var.extra_vars}"
+    ]
   }
 }

openstack-compute/variables.pkr.hcl → openstack-login/variables.pkr.hcl

 variable "root_ssh_key" {
   type        = string
   description = "The root key to use for ssh"
+  default     = ""
 }
 
 variable "image_name" {
@@ -87,4 +88,10 @@ variable "volume_size" {
   type        = number
   default     = 20
   description = "The default volume size for building iamge"
-}
+}
\ No newline at end of file
+
+variable "extra_vars" {
+  type        = string
+  default     = ""
+  description = "Extra vars to pass to ansible playbook command"
+}

openstack-ood/nodeimage.pkr.hcl

@@ -40,6 +40,9 @@ build {
     use_proxy     = false
     user          = var.ssh_username
     groups        = ["ood"]
+    ansible_env_vars = [
+      "ANSIBLE_CONFIG=./ansible/ansible.cfg"
+    ]
     playbook_file = "./ansible/ood.yml"
     roles_path    = "./ansible/roles"
     extra_arguments = [
@@ -51,7 +54,22 @@ build {
     use_proxy        = false
     user             = var.ssh_username
     groups           = ["ood", "knightly"]
-    ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
+    ansible_env_vars = [
+      "ANSIBLE_HOST_KEY_CHECKING=False",
+      "ANSIBLE_CONFIG=./CRI_XCBC/ansible.cfg"
+    ]
     playbook_file    = "./CRI_XCBC/ood-packer.yaml"
+    extra_arguments  = [
+      "--extra-vars", "${var.extra_vars}"
+    ]
   }
+
+  provisioner "shell" {
+    inline = [
+      "sudo yum install -y libselinux-python3 python3 python3-pip tmux vim git bash-completion curl wget unzip NetworkManager",
+      "sudo python3 -m pip install --upgrade pip",
+      "sudo pip3 install s3cmd==2.3.0 ansible==4.10.0 python-openstackclient==5.8.0"
+    ]
+  }
+
 }

openstack-ood/variables.pkr.hcl

 variable "root_ssh_key" {
   type        = string
+  default     = ""
   description = "The root key to use for ssh"
 }
 
@@ -87,4 +88,10 @@ variable "volume_size" {
   type        = number
   default     = 20
   description = "The default volume size for building iamge"
-}
+}
\ No newline at end of file
+
+variable "extra_vars" {
+  type        = string
+  default     = ""
+  description = "Extra vars to pass to ansible playbook command"
+}

openstack-proxy/README.md

+This contains packer hcl files for creating images. For documentation on packer, see [here](https://www.packer.io/docs); for information about the openstack-specific builder, see [here](https://www.packer.io/plugins/builders/openstack)

openstack-proxy/nodeimage.pkr.hcl

+packer {
+  required_plugins {
+    openstack = {
+      version = "~> 1"
+      source  = "github.com/hashicorp/openstack"
+    }
+    ansible = {
+      version = "~> 1"
+      source  = "github.com/hashicorp/ansible"
+    }
+  }
+}
+
+locals {
+  local_image_name = "${var.image_name}${var.image_date_suffix ? formatdate("-YYYYMMDDHHmm", timestamp()) : ""}"
+}
+
+source "openstack" "image" {
+  skip_create_image         = var.skip_create_image
+  image_name                = local.local_image_name
+  source_image              = var.source_image
+  image_members             = var.image_membership
+  image_auto_accept_members = var.auto_accept_members
+  image_tags                = var.image_tags
+  image_disk_format         = var.image_format
+  volume_size               = var.volume_size
+  flavor                    = var.flavor
+  instance_name             = var.build_instance_name
+  use_blockstorage_volume   = true
+  floating_ip_network       = var.floating_ip_network
+  networks                  = var.networks
+  security_groups           = var.security_groups
+  ssh_username              = var.ssh_username
+}
+
+build {
+  sources = ["source.openstack.image"]
+
+  provisioner "shell" {
+    inline = [
+      "sudo yum install -y epel-release",
+      "sudo dnf config-manager --set-enabled crb",
+      "sudo yum install -y libselinux-python3 python3 python3-pip tmux vim git bash-completion curl wget unzip httpd",
+      "sudo python3 -m pip install --upgrade pip",
+      "sudo pip3 install s3cmd==2.3.0 ansible==4.10.0 python-openstackclient==5.8.0"
+    ]
+  }
+
+  provisioner "ansible" {
+    use_proxy        = false
+    user             = var.ssh_username
+    groups           = ["proxy"]
+    ansible_env_vars = [
+      "ANSIBLE_TIMEOUT=60",
+      "ANSIBLE_HOST_KEY_CHECKING=False",
+      "ANSIBLE_VERBOSITY=${var.ANSIBLE_VERBOSITY}",
+      "ANSIBLE_DEBUG=${var.ANSIBLE_DEBUG}",
+      "ANSIBLE_FORCE_COLOR=true"
+    ]
+    playbook_file    = "./CRI_XCBC/proxy.yaml"
+    extra_arguments  = [
+      "--extra-vars", "${var.extra_vars}"
+    ]
+  }
+}