CRI_XCBC/roles/ood_shib_sso/tasks/main.yml

----
-  # Implement web single sign on support using shibboleth
-
-# Shibboleth repo config from
-# https://shibboleth.net/downloads/service-provider/latest/RPMS/
-- name: Add shibboleth openSUSE build service repository
-  yum_repository:
-    name: shibboleth
-    description: Shibboleth (CentOS_7)
-    mirrorlist: https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
-    gpgkey: https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
-    gpgcheck: yes
-    enabled: yes
-
-# note the copr repo for shibboleth was added during node prep roles
-- name: install shibboleth rpm for scl apache
-  yum: name=shibboleth state=latest
-
-# note the shibboleth rpm is not fully scl-yet so need hand correction
-- name: copy shibbolth apache module into ood scl installe
-  copy:
-    src: /etc/httpd/conf.d/shib.conf
-    dest: /opt/rh/httpd24/root/etc/httpd/conf.d/
-    remote_src: yes
-
-# this loads a stock shibboleth config that will work with rpm-provided
-# shibboleth credentials against the samltest.id
-# must use the SP target host name testshib.dev.rc.uab.edu for ood node
-# from client running web browser.  e.g. edit /etc/hosts to map to localhost
-# also requires ood to be accessible on port 8080 to match entityID
-# note testshib.dev.rc.uab.edu is not a real Hostname
-- name: load samltest.id shibboleth config
-  copy:
-    src: shibboleth2.xml
-    dest: /etc/shibboleth/shibboleth2.xml
-
-- name: add saml-to-ood user map file
-  copy:
-    src: ood-user-mapfile
-    dest: /etc/ood/ood-user-mapfile
-
-- name: update ood portal config with user mapfile
-  replace:
-    path: /etc/ood/config/ood_portal.yml
-    regexp: '^#user_map_cmd:.*$'
-    replace: "user_map_cmd: '/opt/ood/ood_auth_map/bin/ood_auth_map.mapfile --file /etc/ood/ood-user-mapfile'\nuser_env: 'REMOTE_USER'\n"
-    backup: yes
-
-- name: update ood portal config for shibboleth authn
-  replace:
-    path: /etc/ood/config/ood_portal.yml
-    regexp: "^(#  - 'Require valid-user')"
-    replace: '\1\nauth:\n - "AuthType shibboleth"\n - "ShibRequestSetting requireSession 1"\n - "Require valid-user"\n'
-    backup: yes
-
-- name: Build the updated Apache config
-  command: /opt/ood/ood-portal-generator/sbin/update_ood_portal
-  ignore_errors: yes
-
-- name: start shibd and enable on boot
-  service:
-    name: shibd
-    state: started
-    enabled: yes
-
-- name: Restart service httpd, in all cases
-  service:
-    name: httpd24-httpd
-    state: restarted

CRI_XCBC/roles/ood_user_reg/files/uab_ood_auth.regex

-#!/bin/env ruby
-$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
-
-require 'ood_auth_map'
-
-class Regex < OodAuthMap
-  # Default regular expression to use when parsing authenticated username
-  DEFAULT_REGEX = "^(.+)$"
-
-  # Body of option parser
-  define_body do |parser|
-    parser.separator ""
-    parser.separator "Used to parse for a mapped authenticated user from a string using a regular expression."
-
-    parser.separator ""
-    parser.separator "General options:"
-
-    options[:regex] = DEFAULT_REGEX
-    parser.on("-r", "--regex=REGEX", "# Regular expression used to capture the system-level username", "# Default: #{DEFAULT_REGEX}") do |regex|
-      options[:regex] = regex
-    end
-  end
-
-  # Footer of option parser
-  define_footer do |parser|
-    parser.separator ""
-    parser.separator <<-EOF.gsub(/^ {6}/, "")
-      Examples:
-          If the authenticated username completely matches the system-level
-          username use the default regular expression:
-              #{File.basename($0)} bob
-          this will return `bob`.
-          For more complicated strings, a regular expression needs to be
-          supplied as an option:
-              #{File.basename($0)} --regex='^(\\w+)@osc.edu$' bob@osc.edu
-          where the first captured match is returned as the system-level username.
-          If no match is found in the string, then a blank line is returned:
-              #{File.basename($0)} --regex='^(\\w+)@osc.edu$' bob@mit.edu
-          this will return a blank line, meaning no match was found.
-    EOF
-    parser.separator ""
-  end
-
-  define_run do |auth_user|
-    user_check = `getent passwd #{auth_user} | cut -d : -f 1`
-    #puts user_check
-    if user_check != ""
-      puts auth_user
-    else
-      puts ""
-      exit(false)
-    end
-  end
-end
-
-# Start the workflow of the Regex CLI
-Regex.run

CRI_XCBC/roles/ood_user_reg/tasks/main.yml

----
-- name: Enable Copr Repos
-  shell: yum -y copr enable "{{ item.repo_name }}"
-  with_items: "{{ copr_repos }}"
-  when: enable_copr == true and inventory_hostname in item.host
-
-- name: Install mod_wsgi for httpd24
-  yum: name="{{ mod_wsgi_pkg_name }}" state=latest
-
-- name: Install pip via yum
-  yum: name=python2-pip state=latest
-
-- name: Install virtualenv via pip
-  pip: name=virtualenv state=latest
-
-- name: Remove existing user register app install
-  file:
-    path: "{{ user_register_app_path }}"
-    state: absent
-
-- name: Creates directory to clone the user register app
-  file:
-    path: "{{ user_register_app_path }}"
-    state: directory
-
-- name: Clone user register app form from gitlab
-  git:
-    repo: "{{ user_register_app_repo }}"
-    dest: "{{ user_register_app_path }}"
-
-- name: Install requirements in virtualenv
-  pip:
-    requirements: requirements.txt
-    virtualenv: venv
-    chdir: "{{ user_register_app_path }}"
-
-- name: Put apache config file in place
-  template:
-    src: user-reg_conf.j2
-    dest: "/opt/rh/httpd24/root/etc/httpd/conf.d/user-reg.conf"
-
-- name: Put wsgi config file in place
-  template:
-    src: wsgi.j2
-    dest: "{{ user_register_app_path }}/{{ user_register_app}}.wsgi"
-
-- name: Enable user registration redirect
-  replace:
-    path: /etc/ood/config/ood_portal.yml
-    regexp: '{{ item.regexp }}'
-    replace: '{{ item.replace }}'
-    backup: yes
-  with_items:
-      - { regexp: "^#?(user_map_cmd:).*", replace: "\\1 '/opt/ood/ood_auth_map/bin/uab_ood_auth.regex'" }
-      - { regexp: "^#?(map_fail_uri:).*", replace: "\\1 '/register'" }
-      - { regexp: "^#?(register_uri:).*", replace: "\\1 '/register'" }
-
-- name: Stage regex file for ood
-  copy:
-    src: uab_ood_auth.regex
-    dest: /opt/ood/ood_auth_map/bin/uab_ood_auth.regex
-    owner: root
-    group: root
-    mode: 0755
-
-- name: Build the updated Apache config
-  command: /opt/ood/ood-portal-generator/sbin/update_ood_portal
-  ignore_errors: yes
-
-- name: Get UID and GID of RegUser from OHPC
-  stat: 
-     path: /home/{{ RegUser_app_user }}
-  register: RegUser_stat
-
-- name: Create Group for RegUser on OOD
-  group:
-    gid: "{{ RegUser_stat.stat.gid  }}"
-    name: "{{ RegUser_app_user  }}"
-    state: present
-
-- name: Create RegUser on OOD
-  user:
-    name: "{{ RegUser_app_user }}"
-    comment: "{{ RegUser_app_user_full_name }}"
-    shell: /bin/bash
-    uid: "{{ RegUser_stat.stat.uid }}"
-    group: "{{ RegUser_app_user  }}"
-    createhome: no
-    state: present

CRI_XCBC/roles/ood_user_reg/templates/user-reg_conf.j2

-WSGIDaemonProcess "{{ user_register_app }}" user={{ RegUser_app_user }} group={{ RegUser_app_user }} threads=5
-WSGIProcessGroup "{{ user_register_app }}"
-WSGIScriptAlias /register "{{ user_register_app_path}}/{{ user_register_app }}.wsgi"
-<Location /register>
-        AuthType Basic
-        AuthName "Private"
-        AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"
-        RequestHeader unset Authorization
-        Require valid-user
-</Location>
-<Directory {{ user_register_app_path }}>
-        WSGIProcessGroup {{ user_register_app }}
-        WSGIApplicationGroup %{GLOBAL}
-        Require all granted
-</Directory>

CRI_XCBC/roles/ood_user_reg/templates/wsgi.j2

-#!/bin/python
-
-# Activate virtualenv
-activate_this = '{{ user_register_app_path }}/venv/bin/activate_this.py'
-execfile(activate_this, dict(__file__=activate_this))
-
-import sys
-import os
-sys.path.append("{{ user_register_app_path }}")
-os.environ['FLASK_CONFIG'] = 'production'
-
-from run import app as application

CRI_XCBC/roles/ood_vnc_form/files/custom-novnc.html.erb

-<%= link_to icon('fas', 'eye', 'Launch Desktop in new tab'), novnc_link(connect), class: 'btn btn-primary', target: '_blank' %>
-<%= link_to 'View Only (Share-able Link)', novnc_link(connect, view_only: true), class: 'btn btn-default pull-right', target: '_blank' %>

CRI_XCBC/roles/ood_vnc_form/files/vnc-submit.yml.erb

----
-script:
-  native:
-    - "-N 1"
-    - "-n <%= bc_num_slots.blank? ? 1 : bc_num_slots.to_i %>"
-    - "--mem-per-cpu=<%= bc_num_mems.blank? ? 4 : bc_num_mems.to_i %>G"
-    - "--partition=<%= bc_partition %>"
-    - "--time=<%= bc_num_hours.blank? ? 1 : bc_num_hours.to_i %>:00:00"
-    - "--job-name=ood-vnc"
-<%- if bc_partition == "pascalnodes" -%>
-    - "--gres=gpu:1"
-<%- end -%>

CRI_XCBC/roles/ood_vnc_form/tasks/main.yml

----
-- name: Put custom cluster.yml in place
-  template:
-    src: cluster.yml
-    dest: /etc/ood/config/apps/bc_desktop/{{ cluster_name }}.yml
-    backup: yes
-
-- name: Put submit.yml.erb in place
-  copy:
-    src: vnc-submit.yml.erb
-    dest: /etc/ood/config/apps/bc_desktop/submit/submit.yml.erb
-    backup: yes
-
-- name: Put noVNC.html.erb in place
-  copy:
-    src: custom-novnc.html.erb
-    dest: /var/www/ood/apps/sys/dashboard/app/views/batch_connect/sessions/connections/_novnc.html.erb
-    backup: yes

CRI_XCBC/roles/ood_vnc_form/templates/cluster.yml

----
-title: "HPC Desktop"
-cluster: {{ cluster_name }} 
-submit: "submit/submit.yml.erb"
-attributes:
-  desktop: "xfce"
-  bc_num_slots:
-    label: Number of CPU
-    value: 1
-    min: 1
-    max: 24
-    step: 1
-
-  bc_num_mems:
-    widget: "number_field"
-    label: Memory per CPU (GB)
-    value: 4
-    min: 1
-    max: 128
-    step: 1
-
-  bc_partition:
-    widget: select
-    label: Partition
-    options:
-      - [ "low", "low" ]
-
-form:
-  - desktop
-  - bc_num_hours
-  - bc_partition
-  - bc_num_slots
-  - bc_num_mems

CRI_XCBC/roles/pre_ohpc/tasks/main.yml

----
-
-#   - name: check hostname
-#   - fail:
-#       msg: "Hostname in inventory/headnode doesn't match local hostname! Please fix and run again."
-#     when: inventory_hostname != ansible_hostname
-
-#   - name: yum update
-#     yum: name=* state=latest update_cache=yes
-
-   - fail:
-       msg: "Kernel version mismatch between loaded kernel and group-vars/all! Please fix and run again."
-     when: build_kernel_ver != ansible_kernel
-
-   - name: install necessary stuff
-     yum:
-       state: latest
-       name:
-         - "MySQL-python"
-         - "epel-release"
-         - "wget" 
-         - "tcpdump"
-         - "whois" 
-         - "lsof" 
-         - "xinetd"
-         - "vim" 
-         - "net-tools"
-         - "exportfs" 
-         - "firewalld"
-         - "chrony"
-         - "pciutils"
-         - "rsync"
-         - "bash-completion"
-         - "libselinux-python"
-         - "libsemanage-python"
-         - "policycoreutils"
-#         - "lua"  # testing; this could fix the lmod-ohpc issue?
- #otherwise, do a yum update --skip-broken, yum update...
-
-   - name: get OpenHPC Repo #hardcoded version # :(
-     yum: name={{ openhpc_release_rpm }} state=present
-
-   - name: Install Copr plugin for yum
-     yum: name=yum-plugin-copr state=present update_cache=true
-     when: enable_copr == true
-
-   - name: enable Copr Repos
-     shell: yum -y copr enable "{{ item.repo_name }}"
-     with_items: "{{ copr_repos }}"
-     when: enable_copr == true and inventory_hostname in item.host
-
-   - name: install fail2ban # separate b/c it's in epel
-     yum: name=fail2ban state=latest 
-
-#this is only necessary for non-local ansible!
-#   - name: turn off requiretty for sudo
-#     lineinfile:
-#       dest: /etc/sudoers
-#       regexp: "Defaults    requiretty"
-#       line:  "Defaults    !requiretty"
-#       state: present
-
-   - template: src=firewall_conf/services/slurm.xml dest=/etc/firewalld/services/slurm.xml
- 
-   - template: src=firewall_conf/firewalld.conf dest=/etc/firewalld/firewalld.conf
-
-   - template: src=firewall_conf/zones/internal.xml dest=/etc/firewalld/zones/internal.xml
-
-   - template: src=firewall_conf/zones/public.xml dest=/etc/firewalld/zones/public.xml
-
-   # default network profile naming in CentOS-7 uses the name  'System ethN' as
-   # the profile name for the 'ethN' interface. The ansible framework uses
-   # a single variable for the profile name interface name.   We change the
-   # default profile names to match the interface name to match this convesion
-   # and make nmcli commands more consistent with tranditional naming.
-   - name: check for default public network profile name
-     shell: nmcli con | grep '{{ public_interface }}'
-     register: network_profile_name
-
-   - name: simplify the name of the public network profile name
-     command: nmcli con mod 'System {{ public_interface }}' connection.id '{{ public_interface }}'
-     when: "'System' in network_profile_name.stdout"
-
-   - name: check for default private network profile name
-     shell: nmcli con | grep '{{ private_interface }}'
-     register: network_profile_name
-
-   - name: simplify the name of the private network profile name
-     command: nmcli con mod 'System {{ private_interface }}' connection.id '{{ private_interface }}'
-     when: "'System' in network_profile_name.stdout"
-
-   - name: add private interface to internal zone via nmcli
-     command: nmcli connection modify {{ private_interface }} connection.zone internal
-
-   - name: add public interface to public zone via nmcli
-     command: nmcli connection modify {{ public_interface }} connection.zone public
-
-#   - name: restart dbus for firewalld :(
-#     service: name=dbus state=restarted
-
-# Changing it temporarily to stop
-   - name: firewalld restart # to load new slurm service
-     service: name=firewalld state=stopped
-
-## This section seems to be redundant 
-##   - name: add interface to internal zone firewall-cmd
-##     firewalld:
-##       zone: internal
-##       interface: "{{ private_interface }}"
-##       permanent: yes
-##       state: enabled
-##
-##   - name: add interface to external zone firewall-cmd
-##     firewalld:
-##       zone: public
-##       interface: "{{ public_interface }}"
-##       permanent: yes
-##       state: enabled
-##
-###   - name: add interfaces to external zone firewalld
-###     lineinfile: dest=/etc/sysconfig/network-scripts/ifcfg-{{ public_interface }} regexp=^ZONE= line=ZONE=public
-##
-##   - name: add services to internal zone firewall-cmd
-##     firewalld:
-##       zone: internal
-##       service: '{{ item }}'
-##       permanent: yes
-##       immediate: yes
-##       state: enabled
-##     with_items:
-##       - 'slurm'
-##       - 'mdns'
-##       - 'ipp-client'
-##       - 'dhcpv6-client'
-##       - 'ssh'
-##       - 'nfs'
-##       - 'mountd'
-##       - 'rpc-bind'
-##       - 'http'
-##       - 'https'
-##       - 'tftp'
-##       - 'samba-client'
-##
-##   - name: firewalld restart
-##     service: name=firewalld state=restarted
- 
-   - name: set up /etc/hosts
-     template: src=hosts.j2 dest=/etc/hosts
-
-   - name: set up /etc/ssh/sshd_config
-     template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
-
-   - name: restart sshd
-     service: name=sshd state=restarted
-
-   - name: selinux allow homedirs
-     seboolean: 
-       name: use_nfs_home_dirs
-       state: yes
-       persistent: yes
-
-   - name: create /export dir for software
-     file: path=/export state=directory owner=root group=root mode=0777
-
-   - name: open up chrony across private network
-     lineinfile:
-       path: /etc/chrony.conf
-       regexp: '^#allow 192'
-       line: "allow all {{ private_network }}/24"
-       state: present
-       
- 
-   - name: enable and restart chrony
-     service: name=chronyd state=restarted enabled=yes
-

CRI_XCBC/roles/pre_ohpc/templates/firewall_conf/firewalld.conf

-# firewalld config file
-
-# default zone
-# The default zone used if an empty zone string is used.
-# Default: public
-DefaultZone=public
-
-# Minimal mark
-# Marks up to this minimum are free for use for example in the direct 
-# interface. If more free marks are needed, increase the minimum
-# Default: 100
-MinimalMark=100
-
-# Clean up on exit
-# If set to no or false the firewall configuration will not get cleaned up
-# on exit or stop of firewalld
-# Default: yes
-CleanupOnExit=yes
-
-# Lockdown
-# If set to enabled, firewall changes with the D-Bus interface will be limited
-# to applications that are listed in the lockdown whitelist.
-# The lockdown whitelist file is lockdown-whitelist.xml
-# Default: no
-Lockdown=no
-
-# IPv6_rpfilter
-# Performs a reverse path filter test on a packet for IPv6. If a reply to the
-# packet would be sent via the same interface that the packet arrived on, the 
-# packet will match and be accepted, otherwise dropped.
-# The rp_filter for IPv4 is controlled using sysctl.
-# Default: yes
-IPv6_rpfilter=yes

CRI_XCBC/roles/pre_ohpc/templates/firewall_conf/services/slurm.xml

-<?xml version="1.0" encoding="utf-8"?>
-<service>
-  <short>Slurmctld</short>
-  <description> Slurmctld is the controller daemon for the Slurm 
-   scheduler, which communicates with slurmd on controlled nodes.
-  </description>
-  <port protocol="tcp" port="6817"/>
-  <port protocol="udp" port="6817"/>
-  <port protocol="tcp" port="6818"/>
-  <port protocol="udp" port="6818"/>
-  <port protocol="tcp" port="7321"/>
-  <port protocol="udp" port="7321"/>
-</service>

CRI_XCBC/roles/pre_ohpc/templates/firewall_conf/zones/external.xml

-<?xml version="1.0" encoding="utf-8"?>
-<zone>
-  <short>External</short>
-  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
-  <service name="ssh"/>
-  <masquerade/>
-</zone>

CRI_XCBC/roles/pre_ohpc/templates/firewall_conf/zones/internal.xml

-<?xml version="1.0" encoding="utf-8"?>
-<zone>
-  <short>Internal</short>
-  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
-  <service name="mdns"/>
-  <service name="ipp-client"/>
-  <service name="dhcpv6-client"/>
-  <service name="ssh"/>
-  <service name="nfs"/>
-  <service name="ntp"/>
-  <service name="mountd"/>
-  <service name="rpc-bind"/>
-  <service name="http"/>
-  <service name="https"/>
-  <service name="tftp"/>
-  <service name="slurm"/>
-  <service name="samba-client"/>
-</zone>

CRI_XCBC/roles/pre_ohpc/templates/firewall_conf/zones/public.xml

-<?xml version="1.0" encoding="utf-8"?>
-<zone>
-  <short>Public</short>
-  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
-  <service name="ssh"/>
-</zone>

CRI_XCBC/roles/pre_ohpc/templates/hosts.j2

-127.0.0.1 localhost
-::1 localhost
-
-{% for host in groups['headnode'] %}
-{{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }} {{ hostvars[host]['inventory_hostname'] }}  {{ hostvars[host]['inventory_hostname'] }}.local
-{% endfor %}

CRI_XCBC/roles/pre_ohpc/templates/sshd_config.j2

-#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-# If you want to change the port on a SELinux system, you have to tell
-# SELinux about this change.
-# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
-#
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# The default requires explicit activation of protocol 1
-#Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-SyslogFacility AUTHPRIV
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#RSAAuthentication yes
-PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-PasswordAuthentication no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-#KerberosUseKuserok yes
-
-# GSSAPI options
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials no
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-#GSSAPIEnablek5users no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
-# problems.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-UsePrivilegeSeparation sandbox		# Default for new installations.
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#ShowPatchLevel no
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS
-
-# override default of no subsystems
-Subsystem sftp	/usr/libexec/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server

CRI_XCBC/roles/prep_ood/tasks/main.yaml

----
-- name: Get OpenHPC repo
-  yum: name={{ openhpc_release_rpm }} state=present update_cache=true
-
-- name: Install Copr plugin for yum
-  yum: name=yum-plugin-copr state=present update_cache=true
-  when: enable_copr == true
-
-- name: enable Copr Repos
-  shell: yum -y copr enable "{{ item.repo_name }}"
-  with_items: "{{ copr_repos }}"
-  when: enable_copr == true and inventory_hostname in item.host
-
-- name: Install dependencies-nfs-utils, ohpc packages, ntp and other required tools.
-  yum: 
-    state: installed
-    update_cache: true
-    name:
-      - nfs-utils
-      - ohpc-base-compute
-      - slurm-ohpc
-      - zsh
-      - git
-      - vim
-      - tmux
-      - ruby
-
-- name: Mount /home, /opt/ohpc/pub from OHPC node
-  mount:
-    path: "{{ item.path }}"
-    src: "{{ item.src }}"
-    fstype: nfs
-    opts: nfsvers=3,nodev,noatime
-    state: mounted
-  with_items:
-    - { path: "/home", src: "{{ headnode_private_ip }}:/home" }
-    - { path: "/opt/ohpc/pub", src: "{{ headnode_private_ip }}:/opt/ohpc/pub" }

CRI_XCBC/roles/reg_user_create_scripts/tasks/main.yml

----
-- name: Remove existing cloned repo
-  file: 
-    path: "{{ user_create_scripts_path }}"
-    state: absent
-
-- name: Creates directory to clone ohpc user create
-  file:
-    path: "{{ user_create_scripts_path }}"
-    state: directory
-    
-- name: Clone template repo from upstream
-  git:
-    repo: "{{ user_create_script_repo }}"
-    dest: "{{ user_create_scripts_path }}"
-
-- name: Commands access for RegUser
-  lineinfile:
-    dest: /etc/sudoers
-    insertafter: EOF
-    line: "{{ RegUser_app_user }} ALL= NOPASSWD: {{ user_create_scripts_path }}/user_create"
-    state: present

CRI_XCBC/roles/viz_build_nodes/tasks/main.yml

----
-
-#   - name: print single node info
-#     debug:
-#       var: item.mac
-#     with_items: "{{ viz_nodes }}"
-
-   - name: add node to ww db
-     command: wwsh -y node new {{ item.name }} --ipaddr={{ item.ip }} --hwaddr={{ item.mac }} -D {{ private_interface }}
-     with_items: "{{ viz_nodes }}"
-
-   - name: set nodes bootloader
-     command: wwsh -y object modify -s bootloader=sda -t node {{ item.name }}
-     with_items: "{{ viz_nodes }}"
-
-   - name: set nodes partitions
-     command: wwsh -y object modify -s diskpartition=sda -t node {{ item.name }}
-     with_items: "{{ viz_nodes }}"
-
-   - name: format partitions
-     command: wwsh -y object modify -s diskformat=sda1,sda2,sda3 -t node {{ item.name }}
-     with_items: "{{ viz_nodes }}"
-
-   - name: define filesystems
-     command: wwsh -y object modify -s filesystems="{{ sda1 }},{{ sda2 }},{{ sda3 }}" -t node {{ item.name }}
-     with_items: "{{ viz_nodes }}"
-#" for vim
-  
-   - name: remove node from slurm.conf if it exists already # to avoid duplication!
-     lineinfile:
-       dest: /etc/slurm/slurm.conf
-       regexp: "^NodeName={{ item.name }}"
-       state: absent
-     with_items: "{{ viz_nodes }}"
-
-   - name: add node to slurm.conf
-     lineinfile:
-       dest: /etc/slurm/slurm.conf
-       line: "NodeName={{ item.name }} Sockets={{ item.sockets }} CoresPerSocket={{ item.corespersocket }} State=UNKNOWN"
-       insertbefore: "^# PARTITIONS"
-       state: present
-     with_items: "{{ viz_nodes }}"
-
-   - name: set files to provision
-     command: wwsh -y provision set {{ item.name }} --vnfs={{ item.vnfs }} --bootstrap={{ build_kernel_ver }} --files=passwd,group,shadow,munge.key,slurm.conf,dynamic_hosts,network,slurm.conf
-     with_items: "{{ viz_nodes }}"
-
-   - name: restart dhcp
-     service: name=dhcpd state=restarted
- 
-   - name: update pxeconfig to let node boot from pxe
-     command: wwsh -y object modify -D bootlocal -t node {{ item.name }}
-     with_items: "{{ compute_nodes }}"
- 
-   - name: wwsh pxe update
-     command: wwsh -v pxe update
-     register: command_result
-     failed_when: "'Building Pxelinux' not in command_result.stdout"