diff --git a/.gitignore b/.gitignore index b727bead7..426e8b7e0 100644 --- a/.gitignore +++ b/.gitignore @@ -12,4 +12,4 @@ promtools/results/* roles/hpc-cloud roles/HPCplaybooks roles/HPCplaybooks/* -ssh-host-ca +ssh-host-ca/umcg-hpc-ca diff --git a/README.md b/README.md index 0a271a0c3..23110078c 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,9 @@ These roles install various docker images built and hosted by RuG webhosting. Th #### Deployment of OpenStack The steps below describe how to get from machines with a bare ubuntu 16.04 installed to a running openstack installation. +#### Steps to upgrade the OpenStack cluster + +### 3. Steps to deploy HPC compute cluster on top of OpenStack cluster --- 0. Clone this repo. @@ -108,13 +111,13 @@ The steps below describe how to get from machines with a bare ubuntu 16.04 insta 3. Configure Ansible settings including the vault. * To create (a new) secrets.yml: - Generate and encrypt the passwords for the various openstack components. + Generate and encrypt the passwords for the various OpenStack components. ```bash ./generate_secrets.py ansible-vault --vault-password-file=.vault_pass.txt encrypt secrets.yml ``` - The encrypted secrets.yml can now safely be comitted. - The `.vault_pass.txt` file is in the .gitignore and needs to be tranfered in a secure way. + The encrypted secrets.yml can now safely be committed. + The `.vault_pass.txt` file is in the .gitignore and needs to be transfered in a secure way. * To use use an existing encrypted secrets.yml add .vault_pass.txt to the root folder of this repo and create in the same location ansible.cfg using the following template: 
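Review bot: Narrowing the ignore from the whole `ssh-host-ca` directory to the single file `ssh-host-ca/umcg-hpc-ca` means the other CA private keys this commit configures are no longer ignored: `group_vars/all/vars.yml` defaults the key to `ssh-host-ca/hpc-ca` and talos uses `ssh-host-ca/umcg-hpc-development-ca`, so a plain `git add .` would stage those private keys. If the goal is to commit only the public halves, ignore by pattern and whitelist the `.pub` files: `ssh-host-ca/*` followed by `!ssh-host-ca/*.pub`. That keeps every future CA key out of history without needing a new ignore entry per cluster.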
@@ -126,10 +129,37 @@ The steps below describe how to get from machines with a bare ubuntu 16.04 insta remote_user = your_local_account_not_from_the_LDAP ``` -4. Build Prometheus Node Exporter +4. Configure the Certificate Authority (CA). + We use an SSH public-private key pair to sign the host keys of all the machines in a cluster. + This way users only need the public key of the CA in their ```~.ssh/known_hosts``` file + and will not get bothered by messages like this: + ``` + The authenticity of host '....' can't be established. + ECDSA key fingerprint is .... + Are you sure you want to continue connecting (yes/no)? + ``` + * The filename of the CA private key is specified using the ```ssh_host_signer_ca_private_key``` variable defined in ```group_vars/*/vars.yml``` + * The filename of the corresponding CA public key must be the same as the one of the private key suffixed with ```.pub``` + * The password required to decrypt the CA private key must be specified using the ```ssh_host_signer_ca_private_key_pass``` variable defined in ```group_vars/*/secrets.yml```, + which must be encrypted with ```ansible-vault```. + * Each user must add the content of the CA public key to their ```~.ssh/known_hosts``` like this: + ``` + @cert-authority [names of the hosts for which the cert is valid] [content of the CA public key] + ``` + E.g.: + ``` + @cert-authority reception*,*talos,*tl-* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDWNAF....VMZpZ5b9+5GA3O8w== UMCG HPC Development CA + ``` + * Example to create a new CA key pair with the ```rsa``` algorithm: + ```bash + ssh-keygen -t ed25519 -a 101 -f ssh-host-ca/ca-key-file-name -C "CA key for ..." + ``` + +5. Build Prometheus Node Exporter * Make sure you are a member of the `docker` group. Otherwise you will get this error: - ```ERRO[0000] failed to dial gRPC: cannot connect to the Docker daemon. + ``` + ERRO[0000] failed to dial gRPC: cannot connect to the Docker daemon. 
Is 'docker daemon' running on this host?: dial unix /var/run/docker.sock: connect: permission denied context canceled @@ -140,7 +170,7 @@ The steps below describe how to get from machines with a bare ubuntu 16.04 insta ./build.sh ``` -5. Running playbooks. Some examples: +6. Running playbooks. Some examples: * Install the OpenStack cluster. ```bash ansible-playbook site.yml @@ -150,8 +180,4 @@ The steps below describe how to get from machines with a bare ubuntu 16.04 insta ansible-playbook site.yml -i talos_hosts slurm.yml ``` -6. verify operation. - -#### Steps to upgrade openstack cluster. - -### 3. Steps to install Compute cluster on top of openstack cluster. +7. verify operation. diff --git a/cluster.yml b/cluster.yml index c96afc4a3..7da05e880 100644 --- a/cluster.yml +++ b/cluster.yml @@ -1,4 +1,10 @@ --- +- name: Sign host keys of all cluster hosts. + hosts: all + roles: + - ssh_host_signer + - ssh_known_hosts + - name: Install roles needed for all virtual cluster components except jumphosts. hosts: cluster become: true @@ -11,8 +17,8 @@ - name: Install ansible on admin interfaces (DAI & SAI). hosts: - - imperator - - sugarsnax + - sys-admin-interface + - deploy-admin-interface become: True tasks: - name: install Ansible @@ -65,16 +71,14 @@ - isilon - slurm-client - -- name: export /home +- name: Export /home on NFS server. hosts: user-interface:&talos-cluster roles: - nfs_home_server -- name: export /home +- name: Mount /home on NFS clients. hosts: compute-vm&talos-cluster roles: - nfs_home_client - import_playbook: users.yml - #- import_playbook: ssh-host-signer.yml diff --git a/galaxy-requirements.yml b/galaxy-requirements.yml index 01121fd24..7679b9e6a 100644 --- a/galaxy-requirements.yml +++ b/galaxy-requirements.yml @@ -1,7 +1,7 @@ --- -- src: chrisgavin.ansible-ssh-host-signer - src: geerlingguy.firewall version: 2.4.0 - src: geerlingguy.postfix - src: geerlingguy.repo-epel - src: geerlingguy.security +... \ No newline at end of file 
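Review bot: Only `geerlingguy.firewall` carries a `version:`; `geerlingguy.postfix`, `geerlingguy.repo-epel` and `geerlingguy.security` remain unpinned, so `ansible-galaxy install -r galaxy-requirements.yml` pulls whatever is latest at install time and two deployments of this commit can run different role code. Pin each one the same way the firewall role is pinned, e.g. `- src: geerlingguy.security` followed by `  version: <tag>`, and bump deliberately. Replacing the upstream `chrisgavin.ansible-ssh-host-signer` entry with a vendored `roles/ssh_host_signer` is fine, but its README should record the upstream commit it was forked from so security fixes upstream can be tracked.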
diff --git a/gearshift_cluster.yml b/gearshift_cluster.yml deleted file mode 100644 index 28d8f57e8..000000000 --- a/gearshift_cluster.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- hosts: all - tasks: - - include_vars: group_vars/gearshift/secrets.yml - - include_vars: group_vars/gearshift/vars.yml - -- import_playbook: cluster.yml diff --git a/gearshift_hosts.ini b/gearshift_hosts.ini index bdfae587a..07a7483d1 100644 --- a/gearshift_hosts.ini +++ b/gearshift_hosts.ini @@ -44,13 +44,16 @@ airlock [slurm] imperator +[sys-admin-interface] +imperator + [deploy-admin-interface] sugarsnax -[administration] -gearshift -imperator -sugarsnax +[administration:children] +sys-admin-interface +deploy-admin-interface +user-interface [user-interface] gearshift @@ -64,6 +67,7 @@ administration [gearshift-cluster:children] cluster +jumphost [metal] gs-openstack diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index b538c8c3e..caee5db9e 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -1,5 +1,8 @@ --- admin_ranges: "129.125.249.0/24,172.23.40.1/24" -ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }},{% for host in groups['jumphost'] %}{{ host }}+{{ ansible_hostname }}{% endfor %}" +ssh_host_signer_ca_keypair_dir: "{{ inventory_dir }}/ssh-host-ca" +ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/hpc-ca" +ssh_host_signer_key_types: '.*(rsa|ed25519).*' +ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }}{% for host in groups['jumphost'] %},{{ host }}+{{ ansible_hostname }}{% endfor %}" spacewalk_server_url: 'http://spacewalk.hpc.rug.nl/XMLRPC' ... diff --git a/group_vars/gearshift/secrets.yml b/group_vars/gearshift-cluster/secrets.yml similarity index 100% rename from group_vars/gearshift/secrets.yml rename to group_vars/gearshift-cluster/secrets.yml 
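Review bot: `ssh_host_signer_key_types: '.*(rsa|ed25519).*'` is applied by the role with `selectattr('path', 'match', …)` to the full key path, so any directory component containing `rsa` or `ed25519` would select every key type on that host; anchor it to the file name instead, e.g. `ssh_host_signer_key_types: '.*/ssh_host_(rsa|ed25519)_key$'`. The retained `admin_ranges` value `172.23.40.1/24` has host bits set; if the whole subnet is meant, write `172.23.40.0/24` so consumers that validate prefixes do not reject or silently reinterpret it. The `ssh_host_signer_hostnames` comma fix is correct; note that with `groups['jumphost']` empty it still yields `fqdn,hostname`.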
diff --git a/group_vars/gearshift/vars.yml b/group_vars/gearshift-cluster/vars.yml similarity index 90% rename from group_vars/gearshift/vars.yml rename to group_vars/gearshift-cluster/vars.yml index 98a3c5d3e..f9cd8fb2f 100644 --- a/group_vars/gearshift/vars.yml +++ b/group_vars/gearshift-cluster/vars.yml @@ -16,6 +16,7 @@ ui_cores_per_socket: 2 ui_real_memory: 8192 ui_local_disk: 0 ui_features: 'prm01,tmp01' +ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-ca" uri_ldap: 172.23.40.249 uri_ldaps: comanage-in.id.rug.nl ldap_port: 389 diff --git a/group_vars/gearshift_secrets.yml b/group_vars/gearshift_secrets.yml deleted file mode 100644 index 06c53ad82..000000000 --- a/group_vars/gearshift_secrets.yml +++ /dev/null @@ -1,20 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -63393034306630343830386161646536343435303164633731623635393031623661653431303332 -3534386464333363343333623561356635326339643131360a653064353366343334393738623335 -37346230386364303863393237383732363362646433646261386634366430316533323535353639 -6536343162323832300a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diff --git a/group_vars/hyperchicken/secrets.yml b/group_vars/hyperchicken-cluster/secrets.yml similarity index 100% rename from group_vars/hyperchicken/secrets.yml rename to group_vars/hyperchicken-cluster/secrets.yml diff --git a/group_vars/hyperchicken/vars.yml b/group_vars/hyperchicken-cluster/vars.yml similarity index 92% rename from group_vars/hyperchicken/vars.yml rename to group_vars/hyperchicken-cluster/vars.yml index 64f472fd3..b010e2cdf 100644 --- a/group_vars/hyperchicken/vars.yml +++ b/group_vars/hyperchicken-cluster/vars.yml @@ -16,6 +16,7 @@ ui_cores_per_socket: 1 ui_real_memory: 3000 ui_local_disk: 0 ui_features: 'prm07,tmp07' +ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-ca" key_name: Gerben image_cirros: cirros-0.3.4-x86_64-disk.img image_centos7: centos7 
diff --git a/group_vars/talos-cluster/secrets.yml b/group_vars/talos-cluster/secrets.yml new file mode 100644 index 000000000..91c1b90df --- /dev/null +++ b/group_vars/talos-cluster/secrets.yml @@ -0,0 +1,27 @@ +$ANSIBLE_VAULT;1.1;AES256 +36363232356235643436383162303734376463343966373436646339303861326236666337633138 +6561663835303037373831383233333134366461653539360a643237333166393266656338613530 +66366266643264383761313831343934636261666366396539376130666465313662313537366332 +3235616432613462370a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diff --git a/group_vars/talos/vars.yml b/group_vars/talos-cluster/vars.yml similarity index 70% rename from group_vars/talos/vars.yml rename to group_vars/talos-cluster/vars.yml index 305bcd097..74d738673 100644 --- a/group_vars/talos/vars.yml +++ b/group_vars/talos-cluster/vars.yml @@ -16,4 +16,11 @@ ui_cores_per_socket: 2 ui_real_memory: 8192 ui_local_disk: 0 ui_features: 'prm08,tmp08' +ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-development-ca" +uri_ldap: 172.23.40.249 +uri_ldaps: comanage-in.id.rug.nl +ldap_port: 389 +ldaps_port: 636 +ldap_base: ou=umcg,o=asds +ldap_binddn: cn=clusteradminumcg,o=asds ... \ No newline at end of file diff --git a/group_vars/talos/secrets.yml b/group_vars/talos/secrets.yml deleted file mode 100644 index 0e87409a4..000000000 --- a/group_vars/talos/secrets.yml +++ /dev/null @@ -1,22 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -65373739663965393330306364356663356530313363386530663433393666616532613531656361 -3564613662306133353337306134353433366338396438620a383438656235343634346464383663 -33313862663236623630346631616261326430653636623632376137653133303639656638383737 -3561393265663637390a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diff --git a/host_vars/hc-sai b/host_vars/hc-sai new file mode 100644 index 000000000..b13ae5593 --- /dev/null +++ b/host_vars/hc-sai @@ -0,0 +1,3 @@ +--- +mailhub: 192.168.0.5 +rewrite_domain: hc-sai.gcc.rug.nl 
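Review bot: The new `uri_ldap: 172.23.40.249` / `ldap_port: 389` pair adds a plaintext LDAP endpoint alongside the `ldaps` one; whether nslcd actually binds as `cn=clusteradminumcg,o=asds` over it depends on the nslcd.conf template, which is not in this diff, but if it does the bind password crosses the network unencrypted. Prefer `ldaps://` (or STARTTLS via `ssl start_tls` in nslcd.conf) and drop the plain URI unless something demonstrably needs it. These four values are byte-identical to the gearshift-cluster ones; if they are site-wide they belong in `group_vars/all` rather than being copied into each cluster file.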
diff --git a/hyperchicken_cluster.yml b/hyperchicken_cluster.yml deleted file mode 100644 index 719cf821a..000000000 --- a/hyperchicken_cluster.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- hosts: all - tasks: - - include_vars: group_vars/hyperchicken/secrets.yml - - include_vars: group_vars/hyperchicken/vars.yml - -- import_playbook: hc-cluster.yml diff --git a/hyperchicken_hosts.ini b/hyperchicken_hosts.ini index e59609c12..eb5c64c34 100644 --- a/hyperchicken_hosts.ini +++ b/hyperchicken_hosts.ini @@ -1,8 +1,11 @@ +[jumphost] +portal + [slurm] hc-sai -[jumphost] -portal +[sys-admin-interface] +hc-sai [user-interface] hyperchicken @@ -10,10 +13,10 @@ hyperchicken [deploy-admin-interface] hc-dai -[administration] -hc-sai -hc-dai -hyperchicken +[administration:children] +sys-admin-interface +deploy-admin-interface +user-interface [compute-vm] hc-vcompute[01:05] @@ -24,3 +27,4 @@ administration [hyperchicken-cluster:children] cluster +jumphost diff --git a/roles/ansible-ssh-host-signer b/roles/ansible-ssh-host-signer deleted file mode 160000 index 1ef7f5d9b..000000000 --- a/roles/ansible-ssh-host-signer +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 1ef7f5d9bab19e987acf003672c319dc0a4442f5 diff --git a/roles/cluster/files/known_hosts b/roles/cluster/files/known_hosts deleted file mode 100644 index d2d3aa3cd..000000000 --- a/roles/cluster/files/known_hosts +++ /dev/null @@ -1 +0,0 @@ -@cert-authority * ssh-rsa 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 CA diff --git a/roles/cluster/tasks/main.yml b/roles/cluster/tasks/main.yml index a5969e2a7..70fecadb6 100644 --- a/roles/cluster/tasks/main.yml +++ b/roles/cluster/tasks/main.yml @@ -14,12 +14,12 @@ hostname: name: '{{ inventory_hostname }}' -- name: set selinux in permissive mode +- name: Set selinux in permissive mode selinux: policy: targeted state: permissive -- name: install some standard software +- name: Install some standard software yum: state: latest update_cache: yes 
@@ -41,9 +41,4 @@ - figlet tags: - software - -- name: Create ssh_known_hosts file with CA used for signed host keys. - copy: - dest: /etc/ssh/ssh_known_hosts - src: files/known_hosts - tags: ['known_hosts'] +... diff --git a/roles/ldap/defaults/main.yml b/roles/ldap/defaults/main.yml index dac27df42..89105e686 100644 --- a/roles/ldap/defaults/main.yml +++ b/roles/ldap/defaults/main.yml @@ -1,3 +1,10 @@ --- firewall_allowed_tcp_ports: - "22" +ldap_port: 389 +ldaps_port: 636 +uri_ldap: '' +uri_ldaps: '' +ldap_base: '' +ldap_binddn: '' +... diff --git a/roles/ldap/meta/main.yml b/roles/ldap/meta/main.yml index a04372266..050e08555 100644 --- a/roles/ldap/meta/main.yml +++ b/roles/ldap/meta/main.yml @@ -4,3 +4,4 @@ dependencies: vars: firewall_allowed_tcp_ports: - "22" +... diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml index da98ba40e..5b5eefd97 100644 --- a/roles/ldap/tasks/main.yml +++ b/roles/ldap/tasks/main.yml @@ -11,7 +11,7 @@ - pam_script - oddjob-mkhomedir -- name: install nslcd.conf +- name: Deploy nslcd.conf template: src: nslcd.conf dest: /etc/nslcd.conf @@ -19,7 +19,7 @@ group: root mode: '0600' -- name: install ldap.conf +- name: Deploy ldap.conf template: src: ldap.conf dest: /etc/ssh/ldap.conf @@ -27,7 +27,7 @@ group: root mode: '0644' -- name: install nsswitch.conf +- name: Deploy nsswitch.conf copy: src: nsswitch.conf dest: /etc/nsswitch.conf @@ -35,11 +35,12 @@ group: root mode: '0644' -- file: +- name: Create /etc/pam-script.d/ dir. + file: name: /etc/pam-script.d state: directory -- name: install login_checks.sh +- name: Install login_checks.sh script. copy: src: login_checks.sh dest: /etc/pam-script.d/login_checks.sh @@ -47,7 +48,7 @@ group: root mode: '0755' -- name: set symlinks to pam_script +- name: Enable pam_script. file: src: pam_script dest: "/etc/{{ item }}" 
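Review bot: The new defaults `uri_ldap: ''`, `uri_ldaps: ''`, `ldap_base: ''` and `ldap_binddn: ''` turn a forgotten cluster setting into a silently empty nslcd.conf/ldap.conf instead of an undefined-variable failure (the role-level `vars/main.yml` that used to hold real values is deleted in this commit). Add a guard at the top of `tasks/main.yml` before the templates are deployed, e.g. `- assert: { that: ["uri_ldaps != ''", "ldap_base != ''", "ldap_binddn != ''"], fail_msg: 'ldap role needs uri_ldaps, ldap_base and ldap_binddn' }`, or leave these keys out of `defaults/` so they must be supplied per cluster. Keeping `ldap_port`/`ldaps_port` as defaults is fine.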
@@ -61,7 +62,7 @@ - pam_script_ses_close - pam_script_ses_open -- name: set symlinks to login_checks.sh +- name: Enable login_checks.sh script for ses_open. file: src: login_checks.sh dest: "/etc/pam-script.d/{{ item }}" @@ -71,34 +72,38 @@ with_items: - login_checks.sh_ses_open -- copy: +- name: Deploy password-auth-ac for PAM. + copy: src: password-auth-ac dest: /etc/pam.d/password-auth-ac owner: root group: root mode: '0600' -- name: set sshd config +- name: Deploy sshd config. template: src: templates/sshd_config dest: /etc/ssh/sshd_config -- name: enable services +- name: Enable services. systemd: name: "{{ item }}" enabled: yes with_items: - nslcd + - dbus.service - oddjobd.service -- name: authconfig magic +- name: Run authconfig update. shell: "authconfig --enablemkhomedir --update" -- name: restart daemons +- name: Reload services. service: name: "{{item}}" - state: restarted + state: reloaded with_items: - nslcd + - dbus - oddjobd - sshd +... \ No newline at end of file diff --git a/roles/ldap/templates/sshd_config b/roles/ldap/templates/sshd_config index eb1375a28..4cd5cb55a 100644 --- a/roles/ldap/templates/sshd_config +++ b/roles/ldap/templates/sshd_config @@ -14,7 +14,6 @@ HostKey /etc/ssh/ssh_host_ed25519_key HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub HostKey /etc/ssh/ssh_host_rsa_key HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub -HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub # # Supported KEX (Key Exchange) algorithms. diff --git a/roles/ldap/vars/main.yml b/roles/ldap/vars/main.yml deleted file mode 100644 index c45863cb1..000000000 --- a/roles/ldap/vars/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -uri_ldap: 172.23.40.249 -uri_ldaps: comanage-in.id.rug.nl -ldap_port: 389 -ldaps_port: 636 -ldap_base: ou=umcg,o=asds -ldap_binddn: cn=clusteradminumcg,o=asds diff --git a/roles/slurm-client/tasks/main.yml b/roles/slurm-client/tasks/main.yml index d54f9564f..382591840 100644 --- a/roles/slurm-client/tasks/main.yml 
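Review bot: `Deploy sshd config.` still writes `/etc/ssh/sshd_config` without `validate:`, and this hunk changes the follow-up from `restarted` to `reloaded`, so a template error now leaves sshd quietly running on its previous config (or, where a restart happens, locks you out). Add `validate: '/usr/sbin/sshd -t -f %s'` plus `owner: root`, `group: root`, `mode: '0600'` to that template task. Reload is the right choice for sshd, but it is not clear from the diff that `nslcd` on EL7 ships an `ExecReload`; if `state: reloaded` errors for it, keep `restarted` for nslcd only. `Run authconfig update.` has no `changed_when`, so the play reports a change on every run.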
+++ b/roles/slurm-client/tasks/main.yml @@ -47,23 +47,23 @@ - name: /etc/slurm owner: root group: root - mode: 0755 + mode: '0755' - name: /etc/nhc owner: root group: root - mode: 0755 + mode: '0755' - name: /var/log/slurm owner: root group: root - mode: 0750 + mode: '0750' - name: /var/spool/slurm owner: slurm group: root - mode: 0750 + mode: '0750' - name: /var/spool/slurmd owner: slurm group: root - mode: 0750 + mode: '0750' - name: Deploy slurm.conf template: @@ -97,7 +97,7 @@ - name: Deploy nhc.conf template: - src: template/nhc.conf + src: templates/nhc.conf dest: /etc/nhc/nhc.conf owner: root group: root diff --git a/roles/slurm/files/configure_slurm_accounting_db.bash b/roles/slurm/files/configure_slurm_accounting_db.bash index b2916e838..97fc90792 100644 --- a/roles/slurm/files/configure_slurm_accounting_db.bash +++ b/roles/slurm/files/configure_slurm_accounting_db.bash 
@@ -59,22 +59,22 @@ sacctmgr -i create qos set \ Name='regular-short' \ Priority=10 \ Description='regular-short' \ - GrpSubmit=30000 MaxSubmitJobsPU=5000 MaxWall=06:00:00 + GrpSubmit=30000 MaxSubmitJobsPU=5000 MaxWall=06:00:00 sacctmgr -i create qos set \ Name='regular-medium' \ Priority=10 \ Description='regular-medium' \ GrpSubmit=30000 MaxSubmitJobsPU=5000 MaxWall=1-00:00:00 \ - MaxTRESPU=cpu={{ (cluster_cores_total * 0.4) | int }},mem={{ (cluster_mem_total * 0.4) | int }} + MaxTRESPU=cpu={{ (cluster_cores_total | float * 0.4) | int }},mem={{ (cluster_mem_total | float * 0.4) | int }} sacctmgr -i create qos set \ Name='regular-long' \ Priority=10 \ Description='regular-long' \ GrpSubmit=3000 MaxSubmitJobsPU=1000 MaxWall=7-00:00:00 \ - GrpTRES=cpu={{ (cluster_cores_total * 0.3) | int }},mem={{ (cluster_mem_total * 0.3) | int }} \ - MaxTRESPU=cpu={{ (cluster_cores_total * 0.15) | int }},mem={{ (cluster_mem_total * 0.15) | int }} + GrpTRES=cpu={{ (cluster_cores_total | float * 0.3) | int }},mem={{ (cluster_mem_total | float * 0.3) | int }} \ + MaxTRESPU=cpu={{ (cluster_cores_total | float * 0.15) | int }},mem={{ (cluster_mem_total | float * 0.15) | int }} # # QoS priority @@ -93,7 +93,7 @@ sacctmgr -i create qos set \ UsageFactor=2 \ Description='priority-short' \ GrpSubmit=5000 MaxSubmitJobsPU=1000 MaxWall=06:00:00 \ - MaxTRESPU=cpu={{ (cluster_cores_total * 0.25) | int }},mem={{ (cluster_mem_total * 0.25) | int }} + MaxTRESPU=cpu={{ (cluster_cores_total | float * 0.25) | int }},mem={{ (cluster_mem_total | float * 0.25) | int }} sacctmgr -i create qos set \ Name='priority-medium' \ 
@@ -101,8 +101,8 @@ sacctmgr -i create qos set \ UsageFactor=2 \ Description='priority-medium' \ GrpSubmit=2500 MaxSubmitJobsPU=500 MaxWall=1-00:00:00 \ - GrpTRES=cpu={{ (cluster_cores_total * 0.5) | int }},mem={{ (cluster_mem_total * 0.5) | int }} \ - MaxTRESPU=cpu={{ (cluster_cores_total * 0.2) | int }},mem={{ (cluster_mem_total * 0.2) | int }} + GrpTRES=cpu={{ (cluster_cores_total | float * 0.5) | int }},mem={{ (cluster_mem_total | float * 0.5) | int }} \ + MaxTRESPU=cpu={{ (cluster_cores_total | float * 0.2) | int }},mem={{ (cluster_mem_total | float * 0.2) | int }} sacctmgr -i create qos set \ Name='priority-long' \ @@ -110,8 +110,8 @@ sacctmgr -i create qos set \ UsageFactor=2 \ Description='priority-long' \ GrpSubmit=250 MaxSubmitJobsPU=50 MaxWall=7-00:00:00 \ - GrpTRES=cpu={{ (cluster_cores_total * 0.2) | int }},mem={{ (cluster_mem_total * 0.2) | int }} \ - MaxTRESPU=cpu={{ (cluster_cores_total * 0.1) | int }},mem={{ (cluster_mem_total * 0.1) | int }} + GrpTRES=cpu={{ (cluster_cores_total | float * 0.2) | int }},mem={{ (cluster_mem_total | float * 0.2) | int }} \ + MaxTRESPU=cpu={{ (cluster_cores_total | float * 0.1) | int }},mem={{ (cluster_mem_total | float * 0.1) | int }} # # QoS ds diff --git a/roles/slurm/files/thalos_munge.key b/roles/slurm/files/talos_munge.key similarity index 100% rename from roles/slurm/files/thalos_munge.key rename to roles/slurm/files/talos_munge.key diff --git a/roles/slurm/meta/main.yml b/roles/slurm/meta/main.yml index 94bfeb2d6..d4e3df4aa 100644 --- a/roles/slurm/meta/main.yml +++ b/roles/slurm/meta/main.yml @@ -2,3 +2,4 @@ dependencies: - { role: docker } - { role: mariadb } +... diff --git a/roles/slurm/tasks/main.yml b/roles/slurm/tasks/main.yml index a73c491d4..c780f0046 100644 --- a/roles/slurm/tasks/main.yml +++ b/roles/slurm/tasks/main.yml 
@@ -1,12 +1,6 @@
 # Build and install a docker image for slurm.
 ---
-- name: Determine cluster size (number of vcompute nodes, cores per node, mem per node, etc.)
- set_fact:
- vcompute_host_count: "{{ groups['compute-vm'] | length }}"
- cluster_cores_total: "{{ vcompute_host_count * vcompute_max_cpus_per_node }}"
- cluster_mem_total: "{{ vcompute_host_count * vcompute_max_mem_per_node }}"
-
-- name: Install yum dependencies
+- name: Install yum dependencies.
 yum:
 state: latest
 update_cache: yes
@@ -15,64 +9,66 @@ - MySQL-python - postfix -- name: Set postfix config file +- name: Set postfix config file. copy: src: files/main.cf owner: root dest: /etc/postfix/main.cf mode: 0644 -- name: Add slurm group +- name: Add slurm group. group: name: slurm gid: "{{ slurm_gid }}" -- name: Add munge group +- name: Add munge group. group: name: munge gid: "{{ munge_gid }}" -- name: Add slurm user +- name: Add slurm user. user: name: slurm uid: "{{ slurm_uid }}" group: slurm -- name: Add munge user +- name: Add munge user. user: name: munge uid: "{{ munge_uid }}" group: munge -- name: set selinux in permissive mode to allow docker volumes +- name: Set selinux in permissive mode to allow Docker volumes. selinux: policy: targeted state: permissive -- name: make sure the database user is present +- name: Make sure the database user is present. mysql_user: - login_host: 127.0.0.1 - login_user: root - login_password: "{{ MYSQL_ROOT_PASSWORD }}" - name: "{{ slurm_storage_user }}" - password: "{{ slurm_storage_pass }}" - host: '%' - priv: '*.*:ALL' - -- name: Create a database for slurm accounting + login_host: 127.0.0.1 + login_user: root + login_password: "{{ MYSQL_ROOT_PASSWORD }}" + name: "{{ slurm_storage_user }}" + password: "{{ slurm_storage_pass }}" + host: '%' + priv: '*.*:ALL' + no_log: True + +- name: Create a database for Slurm accounting. mysql_db: - login_host: 127.0.0.1 - login_user: root - login_password: "{{ MYSQL_ROOT_PASSWORD }}" - name: slurm_acct_db - state: present + login_host: 127.0.0.1 + login_user: root + login_password: "{{ MYSQL_ROOT_PASSWORD }}" + name: slurm_acct_db + state: present + no_log: True -- name: install docker config +- name: Install Docker config. template: src: files/daemon.json dest: /etc/docker/daemon.json -- name: make sure service is started +- name: Start services and make sure they will start on (re)boot. systemd: name: "{{item}}" state: started 
@@ -80,14 +76,14 @@ - docker - ntpd -- name: Make docker build dir +- name: Make docker build dir. file: path: /srv/slurm state: directory owner: slurm mode: 0755 -- name: Make dirs to be used as a volumes +- name: Make dirs to be used as a volumes. file: path: "/srv/slurm/volumes{{item}}" state: directory @@ -99,18 +95,14 @@ - /etc/slurm - /scripts -- name: Install munge_keyfile +- name: Install munge.key file. copy: src: files/{{ slurm_cluster_name }}_munge.key owner: munge - dest: /srv/slurm/volumes/etc/munge/munge.key - -- name: set permissions for munge key - file: - path: /srv/slurm/volumes/etc/munge/munge.key mode: 0600 + dest: /srv/slurm/volumes/etc/munge/munge.key -- name: install slurm config files +- name: Install Slurm config files. template: src: files/{{ item }} dest: /srv/slurm/volumes/etc/slurm/ @@ -122,7 +114,7 @@ - slurm.epilog - slurm.taskprolog -- name: install build files +- name: Install build files. template: src: files/{{ item }} dest: /srv/slurm/ @@ -132,7 +124,7 @@ - runslurmdbd.sh - ssmtp.conf -- name: install build files +- name: Install build files for LDAP. template: src: files/{{ item }} dest: /srv/slurm/ @@ -143,7 +135,7 @@ - nsswitch.conf when: slurm_ldap -- name: force (re)build slurm image +- name: Force (re)build Slurm image. docker_image: state: present force: yes @@ -167,10 +159,10 @@ tags: - service-files -- name: install service files +- name: Make services reload their configs. command: systemctl daemon-reload -- name: make sure servcies are started. +- name: Make sure servcies are started. systemd: name: "{{item}}" state: restarted 
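Review bot: The Slurm accounting DB user is still created with `priv: '*.*:ALL'` and `host: '%'`, i.e. full rights on every database from any address; this commit re-indents those lines and adds `no_log` but does not narrow them. slurmdbd only needs its own schema, so use `priv: 'slurm_acct_db.*:ALL'`, and restrict `host:` to where slurmdbd connects from (the backup task runs the container with `--network host`, so `127.0.0.1`/`localhost` is probably enough — verify against the container's connection settings). Adding `no_log: True` to the two MySQL tasks is the right call.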
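Review bot: `Install munge.key file.` copies `files/{{ slurm_cluster_name }}_munge.key` out of the role's `files/` directory, and the `thalos_munge.key` → `talos_munge.key` rename in this commit shows those keys live in the repository; unless they are ansible-vault encrypted, a cluster-wide authentication secret sits in plain git history. Vault-encrypt the key files in place (`copy` decrypts a vaulted `src` transparently), or generate the key once and store only the vaulted copy. Folding `mode: 0600` into the copy task is good; quote it as `'0600'` like the slurm-client hunk does, and set `group: munge` alongside `owner: munge`.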
@@ -203,12 +195,12 @@ and "already exists" not in command_result.stdout and "slurm.service\" is already in use by container" not in command_result.stderr -- name: Start slurm.service now that the cluster db is present. +- name: Start slurm.service now that the cluster DB is present. systemd: name: slurm.service state: restarted -- name: Make backup dir +- name: Make backup dir. file: path: /srv/slurm/backup state: directory @@ -217,7 +209,7 @@ tags: - backup -- name: run an initial backup +- name: Run an initial backup. shell: > /bin/docker run --network host --rm mariadb mysqldump --all-databases -uroot @@ -225,6 +217,7 @@ > /srv/slurm/backup/slurm.sql tags: - backup + no_log: True - name: Dump the database every night. Keep 7 backups. cron: @@ -241,4 +234,5 @@ /bin/find /srv/slurm/backup/slurm_bak.sql.* -mtime 7 -delete tags: - backup + no_log: True ... diff --git a/roles/slurm/vars/main.yml b/roles/slurm/vars/main.yml new file mode 100644 index 000000000..3fe18d25b --- /dev/null +++ b/roles/slurm/vars/main.yml @@ -0,0 +1,10 @@ +--- +# +# Determine cluster size based on +# * number of vcompute nodes in inventory and +# * cores per node, mem per node, etc. as specified in group_vars for cluster. +# +vcompute_host_count: "{{ groups['compute-vm']|list|length }}" +cluster_cores_total: "{{ vcompute_host_count|int * vcompute_max_cpus_per_node|int }}" +cluster_mem_total: "{{ vcompute_host_count|int * vcompute_max_mem_per_node|int }}" +... diff --git a/roles/spacewalk_client/tasks/main.yml b/roles/spacewalk_client/tasks/main.yml index 0224e7531..b0471e951 100644 --- a/roles/spacewalk_client/tasks/main.yml +++ b/roles/spacewalk_client/tasks/main.yml 
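Review bot: `no_log: True` on the nightly-dump cron task hides the rendered job from Ansible output, but the job text is written into root's crontab on disk, and if the mysqldump line carries `-p{{ MYSQL_ROOT_PASSWORD }}` (the line between `-uroot` and the redirect is not in the hunk) the root password is also visible in `ps` for every run. Put the credentials in a root-owned `/root/.my.cnf` with mode 0600 mounted into the container instead of the command line, and make sure `/srv/slurm/backup/` dumps are not world-readable. The retained `find … -mtime 7 -delete` only matches files aged exactly 7 days, so one skipped night leaves older dumps forever; "Keep 7 backups" wants `-mtime +7`.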
@@ -4,7 +4,7 @@ name: https://copr-be.cloud.fedoraproject.org/results/@spacewalkproject/spacewalk-2.8-client/epel-7-x86_64/00742644-spacewalk-repo/spacewalk-client-repo-2.8-11.el7.centos.noarch.rpm state: present -- name: install spacewalk client packages. +- name: Install spacewalk client packages. yum: name: - rhn-client-tools @@ -14,12 +14,12 @@ - m2crypto - yum-rhn-plugin -- name: restart spacewalk daemon +- name: Restart spacewalk daemon. systemd: name: rhnsd.service state: restarted -- name: register at the spacewalk server +- name: Register client at the spacewalk server. rhn_register: state: present activationkey: "{{activation_key}}" @@ -30,24 +30,25 @@ retries: 3 delay: 3 ignore_errors: yes + no_log: True -- name: Disable gpgcheck +- name: Disable gpgcheck. command: sed -i 's/gpgcheck = 1/gpgcheck = 0/g' /etc/yum/pluginconf.d/rhnplugin.conf args: warn: false -- name: remove all current repos +- name: Remove all current repo config files. shell: "rm -rf /etc/yum.repos.d/*" args: warn: false -- name: remove all current repos +- name: Clear the yum cache. command: "yum clean all" args: warn: false ignore_errors: yes -- name: upgrade all packages +- name: Upgrade all packages to version specified in spacewalk channel. yum: name: '*' state: latest diff --git a/roles/ssh_host_signer/README.md b/roles/ssh_host_signer/README.md new file mode 100644 index 000000000..a5627e693 --- /dev/null +++ b/roles/ssh_host_signer/README.md 
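Review bot: `Disable gpgcheck.` keeps turning off package signature verification for the spacewalk channel (`gpgcheck = 0` in rhnplugin.conf) immediately before `Upgrade all packages`, and `spacewalk_server_url` in group_vars/all is plain `http://`, so as far as this diff shows packages are installed with no integrity check at all. Import the channel's signing key with `rpm_key` and leave gpgcheck enabled, or at least add a comment stating why it must be off and what compensates for it. `rm -rf /etc/yum.repos.d/*` also discards the EPEL config that `geerlingguy.repo-epel` installs, which deserves a comment if intentional. The `sed` and `rm` shell tasks have no `changed_when`, so they report changed on every run.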
@@ -0,0 +1,22 @@ +# SSH Host Signer role +An Ansible role to securely sign SSH host keys with an SSH certificate authority. +* The CA private key never leaves your local machine. +* Based on https://galaxy.ansible.com/chrisgavin/ansible-ssh-host-signer + * Extended with option to use HostCertificates only for certain key types. + By default all host keys found on the target machine are signed, but + * `HostKey` and matching `HostCertificate` directives are only added to the SSH config file for the key types specified. + * Any `HostKey` and matching `HostCertificate` directives for keys that do not match the key type regex will be removed from the SSH config. + * Extended with option to deploy the public key of the CA as cert in /etc/ssh/ssh_known_hosts. + +## Requirements +The machine running this playbook is expected to have an `ssh-keygen` binary on the path. It should be new enough to support SSH CAs. + +## Variables +* `ssh_host_signer_ca_keypair_dir` - (defaults to `/etc/ssh`) +* `ssh_host_signer_ca_private_key` - The path to the CA key used to sign host keys. (defaults to `{{ ssh_host_signer_ca_keypair_dir }}/ca_key`) +* `ssh_host_signer_id` - The ID of the certificate to be generated. (defaults to `{{ ansible_fqdn }}`) +* `ssh_host_signer_hostnames` - The comma separated list of hostnames for which the certificate should be valid. (defaults to `{{ ansible_fqdn }},{{ ansible_hostname }}`) +* `ssh_host_signer_key_directory` - The path on the server to look for SSH host keys to sign. (defaults to `/etc/ssh/`) +* `ssh_host_signer_key_types` - The types of keys for which to use a HostCertificate. (defaults to `.*`) + The is a regex that must match the key file names (we do not check if the key type in the name of the file matches the actual content of the key file.) +* `ssh_host_signer_ssh_config` - The path to the SSH config file which the certificates will be added to. (defaults to `/etc/ssh/sshd_config`) 
diff --git a/roles/ssh_host_signer/defaults/main.yml b/roles/ssh_host_signer/defaults/main.yml
new file mode 100644
index 000000000..bf75d51c4
--- /dev/null
+++ b/roles/ssh_host_signer/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+ssh_host_signer_ca_keypair_dir: '/etc/ssh'
+ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/ca-key"
+ssh_host_signer_id: "{{ ansible_fqdn }}"
+ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }}"
+ssh_host_signer_key_directory: '/etc/ssh/'
+ssh_host_signer_key_types: '.*'
+ssh_host_signer_ssh_config: '/etc/ssh/sshd_config'
+...
diff --git a/roles/ssh_host_signer/handlers/main.yml b/roles/ssh_host_signer/handlers/main.yml
new file mode 100644
index 000000000..42b84222a
--- /dev/null
+++ b/roles/ssh_host_signer/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Reload SSH configuration.
+ service:
+ name: sshd
+ state: reloaded
+ become: true
diff --git a/roles/ssh_host_signer/tasks/main.yml b/roles/ssh_host_signer/tasks/main.yml
new file mode 100644
index 000000000..dab1b6e1a
--- /dev/null
+++ b/roles/ssh_host_signer/tasks/main.yml
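Review bot: `ssh_host_signer_ca_private_key_pass` is required by the `Sign SSH keys.` task in tasks/main.yml but is not declared here, so a missing vault value only surfaces as an undefined-variable failure at sign time; add a commented placeholder such as `# ssh_host_signer_ca_private_key_pass: ''  # required; supply from an ansible-vault encrypted secrets.yml` so the contract is visible. There is also no validity default and the sign command passes no `-V`, so host certificates never expire and can only be withdrawn through `RevokedKeys`; consider `ssh_host_signer_validity: '+52w'` and `-V {{ ssh_host_signer_validity | quote }}`. Note too that `-P` puts the CA passphrase on the ssh-keygen command line on the control host, where it is readable in the process list regardless of `no_log`; signing with the CA key loaded in `ssh-agent` (`ssh-keygen -U -s ca.pub …`, OpenSSH ≥ 7.2) avoids that. The role README documents the default key name as `ca_key` while this file uses `ca-key`; align them.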
@@ -0,0 +1,105 @@
+---
+- name: Find SSH host keys.
+ find:
+ path: "{{ ssh_host_signer_key_directory }}"
+ pattern: ssh_host_*_key
+ register: private_keys
+ failed_when: "\"matched\" not in private_keys or private_keys.matched == 0"
+ become: true
+
+- name: Create local temporary directory.
+ local_action:
+ module: tempfile
+ suffix: ssh_host_signer
+ state: directory
+ changed_when: false
+ register: temporary_directory
+
+- name: Fetch public keys.
+ fetch:
+ src: "{{ item.path }}.pub"
+ dest: "{{ temporary_directory.path }}/public_keys/"
+ with_items: "{{ private_keys.files }}"
+ changed_when: false
+
+- name: Fetch existing certificates.
+ fetch:
+ src: "{{ item.path }}-cert.pub"
+ dest: "{{ temporary_directory.path }}/existing_certificates/"
+ fail_on_missing: false
+ with_items: "{{ private_keys.files }}"
+ changed_when: false
+
+- name: Check if we have a CA private key with correct permissions.
+ file:
+ path: "{{ ssh_host_signer_ca_private_key }}"
+ mode: 0600
+ delegate_to: localhost
+
+- name: Sign SSH keys.
+ command: ssh-keygen -s {{ ssh_host_signer_ca_private_key | quote }} -P {{ ssh_host_signer_ca_private_key_pass | quote }} -I {{ ssh_host_signer_id | quote }} -h -n {{ ssh_host_signer_hostnames | quote }} "{{ temporary_directory.path }}/public_keys/{{ inventory_hostname | quote }}{{ item.path | quote }}.pub"
+ with_items: "{{ private_keys.files }}"
+ changed_when: false
+ delegate_to: localhost
+ no_log: True
+
+- name: Find certificates.
+ local_action:
+ module: find
+ path: "{{ temporary_directory.path }}/public_keys/{{ inventory_hostname }}{{ ssh_host_signer_key_directory }}"
+ pattern: ssh_host_*_key-cert.pub
+ register: certificates
+
+- name: Compare certificates.
+ local_action: shell diff <(ssh-keygen -L -f {{ item.path | quote }} | tail -n +2) <(ssh-keygen -L -f {{ temporary_directory.path | quote }}/existing_certificates/{{ inventory_hostname | quote }}{{ ssh_host_signer_key_directory }}/{{ item.path | basename | quote }} | tail -n +2)
+ args:
+ executable: /bin/bash
+ with_items: "{{ certificates.files }}"
+ changed_when: false
+ failed_when: false
+ register: certificate_comparison
+
+- name: Copy certificates back to server.
+ copy:
+ src: "{{ item.item.path }}"
+ dest: "{{ ssh_host_signer_key_directory }}"
+ when: item.rc != 0
+ with_items: "{{ certificate_comparison.results }}"
+ notify: Reload SSH configuration.
+ become: true
+
+- name: Remove local temporary directory.
+ local_action:
+ module: file
+ name: "{{ temporary_directory.path }}"
+ state: absent
+ changed_when: false
+
+- name: Add the signed certificates to SSH configuration file.
+ lineinfile:
+ dest: "{{ ssh_host_signer_ssh_config }}"
+ line: HostCertificate {{ item.path }}-cert.pub
+ state: present
+ insertafter: HostKey {{ item.path }}
+ backup: yes
+ with_items: "{{ private_keys.files | selectattr('path', 'match', ssh_host_signer_key_types) | list}}"
+ notify: Reload SSH configuration.
+ become: true
+
+- name: Remove HostKey directives from the SSH configuration file for unused ssh host key types.
+ lineinfile:
+ dest: "{{ ssh_host_signer_ssh_config }}"
+ line: HostCertificate {{ item.path }}-cert.pub
+ state: absent
+ with_items: "{{ private_keys.files | rejectattr('path', 'match', ssh_host_signer_key_types) | list}}"
+ notify: Reload SSH configuration.
+ become: true
+
+- name: Remove corresponding HostCertificate directives from the SSH configuration file for unused ssh host key types.
+ lineinfile:
+ dest: "{{ ssh_host_signer_ssh_config }}"
+ line: HostKey {{ item.path }}
+ state: absent
+ with_items: "{{ private_keys.files | rejectattr('path', 'match', ssh_host_signer_key_types) | list}}"
+ notify: Reload SSH configuration.
+ become: true
\ No newline at end of file
diff --git a/roles/ssh_known_hosts/tasks/main.yml b/roles/ssh_known_hosts/tasks/main.yml
new file mode 100644
index 000000000..09350d9ac
--- /dev/null
+++ b/roles/ssh_known_hosts/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Create /etc/ssh/ssh_known_hosts file with public key from CA that signed the host keys.
+ copy:
+ dest: /etc/ssh/ssh_known_hosts
+ mode: 0644
+ owner: root
+ group: root
+ content: "@cert-authority * {{ lookup('file', ssh_host_signer_ca_private_key+'.pub') }}"
+ become: true
+...
diff --git a/ssh-host-ca/umcg-hpc-development-ca b/ssh-host-ca/umcg-hpc-development-ca
new file mode 100644
index 000000000..31ba1fff3
--- /dev/null
+++ b/ssh-host-ca/umcg-hpc-development-ca
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCViZrnYl
+lIsl1fpwIBBZ/oAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ2R24oebG0oGQxJ
+QvxzCVjd7lAVFzlOB9ygg5N+WUDpAAAAoED/slN77LCfjBMd41yeXF+84qlUbP5/vzLu/F
+4kozjpT2/atimYs0i7YYwVs6gHNnIyTbhs4JORTMa+wszWPt67Nwu2ooir1qfBF+my72yQ
+dcSTzQxCMiQVM9EwXxmcXUikBihIfjcsZYKGMfcCf8CwEJCDiD4ojId12aLB7fF/ON0Jkz
+dnT8PXA2gbnd41ry1W9hI6/tzvl979ylxQ21s=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/ssh-host-ca/umcg-hpc-development-ca.pub b/ssh-host-ca/umcg-hpc-development-ca.pub
new file mode 100644
index 000000000..536ecfa46
--- /dev/null
+++ b/ssh-host-ca/umcg-hpc-development-ca.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2R24oebG0oGQxJQvxzCVjd7lAVFzlOB9ygg5N+WUDp UMCG HPC Development CA
diff --git a/ssh-host-signer.yml b/ssh-host-signer.yml
deleted file mode 100644
index 2c07d8fd7..000000000
--- a/ssh-host-signer.yml
+++ /dev/null
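Review bot: In `Sign SSH keys.` the CA passphrase is passed on the command line as `-P {{ ssh_host_signer_ca_private_key_pass | quote }}`, so `no_log: True` keeps it out of Ansible's output but it remains readable in the control node's process list for the lifetime of each ssh-keygen run; loading the CA key into an agent and signing with `ssh-keygen -U -s …` (supported by recent OpenSSH) avoids putting the passphrase in argv at all. The same command sets no validity interval (`-V`), so the issued host certificates never expire and can only be retired by rotating the CA or distributing a KRL; a bounded validity with periodic re-signing limits how long a leaked host key stays usable. The last two tasks have their `name:` values swapped relative to their `line:` values: the task named `Remove HostKey directives …` removes `HostCertificate …` lines and the one named `Remove corresponding HostCertificate directives …` removes `HostKey …` lines, which will mislead anyone reading the run output. `Check if we have a CA private key with correct permissions.` uses `file:` with `mode: 0600`, which changes the key's mode rather than verifying it; if a check is intended, `stat:` followed by an `assert:` on the returned mode expresses that, and the octal literal should be quoted as `'0600'` either way.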
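Review bot: The `content:` value `@cert-authority * {{ lookup('file', ssh_host_signer_ca_private_key+'.pub') }}` marks the CA as trusted for every host name pattern (`*`); restricting the first field to the name patterns this CA actually signs for — e.g. a role variable defaulting to the same names used in `ssh_host_signer_hostnames` — limits the impact of a mis-issued or stolen certificate to the hosts the CA is meant to cover. The task also reads `ssh_host_signer_ca_private_key`, which is defined only in the `ssh_host_signer` role's defaults, so running `ssh_known_hosts` on its own fails on an undefined variable; declare that role as a dependency in `meta/main.yml` or give this role its own default. `mode: 0644` relies on YAML 1.1 octal parsing and should be written `mode: '0644'`.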
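Review bot: A CA private key is being committed: `ssh-host-ca/umcg-hpc-development-ca` is an OpenSSH private key for the CA that every cluster host will trust through the `@cert-authority` entry added in this same commit. The key appears to be passphrase-protected (its header names the `aes256-ctr` cipher and `bcrypt` KDF), but anyone with read access to the repository or its history can attempt offline passphrase guessing against it, and once pushed it cannot be reliably removed from history. Keep CA private keys outside version control (a local path excluded by `.gitignore`, an agent, or a secrets store) and commit only the `.pub` file; if this key has already reached a shared remote, treat it as exposed and rotate the CA, re-signing the host keys and replacing the published `@cert-authority` entry.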
@@ -1,26 +0,0 @@
----
-- hosts: all
- name: Dummy to gather facts
- tasks: []
-
-- hosts: all
- roles:
- - chrisgavin.ansible-ssh-host-signer
-
- vars:
- ssh_host_signer_ca_key: "ssh-host-ca/umcg-hpc-ca"
-
- tasks:
- - name: Remove wronlgly placed HostCertificate line
- lineinfile:
- path: /etc/ssh/sshd_config
- line: HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
- state: absent
- become: true
-
- - name: Place the line at the correct place
- lineinfile:
- path: /etc/ssh/sshd_config
- line: HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
- insertafter: HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
- become: true
diff --git a/ssh_host_signer.yml b/ssh_host_signer.yml
new file mode 100644
index 000000000..ee5fcf19d
--- /dev/null
+++ b/ssh_host_signer.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ roles:
+ - ssh_host_signer
+ - ssh_known_hosts
+...
\ No newline at end of file
diff --git a/talos_cluster.yml b/talos_cluster.yml
deleted file mode 100644
index d1e1be23a..000000000
--- a/talos_cluster.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- hosts: all
- tasks:
- - include_vars: group_vars/talos/secrets.yml
- - include_vars: group_vars/talos/vars.yml
-
-- import_playbook: cluster.yml
diff --git a/talos_hosts.ini b/talos_hosts.ini
index 61dec36bf..5637aeacc 100644
--- a/talos_hosts.ini
+++ b/talos_hosts.ini
@@ -1,20 +1,22 @@ [jumphost] reception -airlock [slurm] tl-sai +[sys-admin-interface] +tl-sai + [deploy-admin-interface] tl-dai [user-interface] talos -[administration] -tl-sai -tl-dai -talos +[administration:children] +sys-admin-interface +deploy-admin-interface +user-interface [compute-vm] tl-vcompute[01:03]
@@ -25,3 +27,4 @@ administration [talos-cluster:children] cluster +jumphost