diff --git a/.ansible-lint b/.ansible-lint index 6fb50d890..6870352c5 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -2,7 +2,8 @@ exclude_paths: - '~/.ansible' # Exclude external playbooks. skip_list: - # We explicitly use latest combined with other tech to pin versions (e.g. Spacewalk). + # We explicitly use latest combined with other tech to pin versions (e.g. Pulp). - 'package-latest' # "Package installs should not use latest (403)." - 'meta-no-info' # "No 'galaxy_info' found in meta/main.yml of a role (701)." + - 'experimental' # All rules tagged as experimental. ... diff --git a/.circleci/config.yml b/.circleci/config.yml index 9ebea1e3c..109d20c45 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -21,8 +21,8 @@ jobs: command: | python -m venv venv . venv/bin/activate - pip install "ansible-lint[community,yamllint]" - ansible-galaxy install -r galaxy-requirements.yml + pip install ansible-lint + ansible-galaxy install -r requirements.yml - run: name: run tests shell: /bin/bash @@ -36,7 +36,7 @@ jobs: else export ANSIBLE_ROLES_PATH="${HOME}/.ansible/roles/" fi - if ansible-lint -p --nocolor cluster.yml deploy-os_servers.yml > lint_results 2>&1; then + if ansible-lint -p --nocolor *.yml > lint_results 2>&1; then lint_errors=0 else cat lint_results diff --git a/README.md b/README.md index f2dd565ab..313d26359 100644 --- a/README.md +++ b/README.md @@ -144,7 +144,7 @@ pip3 install mitogen #### 1. First import the required roles and collections for the playbooks: ```bash -ansible-galaxy install -r galaxy-requirements.yml +ansible-galaxy install -r requirements.yml ``` Note: the default location where these dependencies will get installed with the above command is ```${HOME}/.ansible/```. diff --git a/cluster.yml b/cluster.yml index a5d9bf109..b9517808e 100644 --- a/cluster.yml +++ b/cluster.yml 
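Review bot: `- 'experimental'` in `skip_list` silences every rule carrying that tag, including ones added by future ansible-lint releases, and produces no output at all for them. `warn_list` keeps such rules reported as warnings without failing CI, which is the usual way to stage rules you are not yet ready to enforce. Suggest moving the entry: `warn_list:` / `  - 'experimental'  # Report, but do not fail on, rules tagged as experimental.`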
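Review bot: `pip install ansible-lint` in the first .circleci/config.yml hunk is unpinned, so every CI run pulls whatever release is current and the job can start failing, or silently stop checking something, on a release day rather than on a change in this repo; pin it, e.g. `pip install "ansible-lint==<PINNED_VERSION>"` or a constraints file, and bump deliberately. Dropping the `[community,yamllint]` extras assumes the installed release pulls in yamllint on its own, which is worth confirming in the run log, because otherwise the YAML checks disappear without any failure. In the second hunk `ansible-lint -p --nocolor *.yml` is shell-expanded and now includes `requirements.yml` and any other non-playbook YAML at the repo root; if the installed release does not classify such files itself, either list the playbooks explicitly or add them to `exclude_paths` in `.ansible-lint`. The `run` command continues outside both hunks.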
@@ -1,39 +1,7 @@
----
 #
-# Order of deployment required to prevent chicken versus the egg issues:
-# 0. For all deployment phases:
-# export AI_PROXY="${jumphost_name}"
-# export ANSIBLE_INVENTORY="static_inventories/${stack_name}.yml"
-# ANSIBLE_VAULT_PASSWORD_FILE=".vault_pass.txt.${stack_name}"
-# 1. Use standard CentOS cloud image user 'centos' or 'root' user and without host key checking:
-# export ANSIBLE_HOST_KEY_CHECKING=False
-# ansible-playbook -u centos -l 'jumphost,cluster' single_role_playbooks/admin_users.yml
-# ansible-playbook -u root -l 'docs' single_role_playbooks/admin_users.yml
-# 2. Use local admin user's account and without host key checking:
-# export ANSIBLE_HOST_KEY_CHECKING=False
-# ansible-playbook -u [admin_account] single_role_playbooks/ssh_host_signer.yml
-# 3. Use local admin user's account and with strict host key checking to deploy everything else:
-# export ANSIBLE_HOST_KEY_CHECKING=True
-# ansible-playbook -u [admin_account] cluster.yml
-# This will configure:
-# * Jumphost first as it is required to access the other machines.
-# * Repo management server second as it is required for version control of the packages
-# installed on all other machines except for the jumphost, which will always get the latest updates for security.
-# * Basic roles for all cluster machines part 1:
-# * Roles that do NOT require regular accounts or groups to be present.
-# * An LDAP with regular user accounts, which may be required for additional roles.
-# (E.g. a chmod or chgrp for a file/folder requires the corresponding user or group to be present.)
-# * Basic roles for all cluster machines part 2:
-# * Roles that DO depend on regular accounts and groups.
-# * SAI as it is required to:
-# * Configure layout on shared storage devices used by other machines.
-# * Configure Slurm control and Slurm database.
-# * DAI
-# * UI
-# * Compute nodes
-# * Documentation server
+# See README.md for instructins how to use this playbook.
 #
-
+---
 #
 # Dummy play to ping jumphosts and establish a persisting SSH connection
 # before trying to connect to the machines behind the jumphost,
diff --git a/create-docs-server.yml b/create-docs-server.yml
index 172f24172..9c8e99663 100644
--- a/create-docs-server.yml
+++ b/create-docs-server.yml
@@ -1,28 +1,5 @@
 #
-# 1. $> cd git/league-of-robots
-# Create Python virtual environment (once)
-# 2. $> python3 -m venv openstacksdk.venv
-# Activate virtual environment.
-# 3. $> source openstacksdk.venv/bin/activate
-# Install OpenStack SDK (once).
-# 4. $> pip3 install openstacksdk
-# $> pip3 install ruamel.yaml
-# NOTE: Openstack RC file must be sourced first to be able to use Openstack API from SDK:
-# 5. Login to OpenStack web interface -> "Identity" -> "Application Credentials" -> click the "Create Application Credential" button.
-# This will result in a popup window: specify "Name", "Expiration Date", "Expiration Time", leave the rest empty / use defaults and
-# click the "Create Application Credential" button.
-# In the new popup window click the "Download openrc file" button and save the generated *-openrc.sh file in the root of the repo.
-# 6. Source the downloaded file. E.g.:
-# $> source ./[Application_Credential_Name]-openrc.sh
-# 7. Fetch Ansible dependencies
-# $> ansible-galaxy install -r galaxy-requirements.yml
-# Configure this repo for deployment of a specifc HPC cluster.
-# 8. Source lor-init from this repo. E.g.:
-# $> source ./lor-init
-# 9. Configure League of Robots for a specific cluster. E.g.:
-# $> lor-config nb
-# 10. Execute playbook to create VMs. E.g.:
-# $> ansible-playbook deploy-os_servers.yml
+# See README.md for instructins how to use this playbook.
 #
 ---
 - name: 'Sanity checks before we start.'
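Review bot: The new header comment in cluster.yml, `# See README.md for instructins how to use this playbook.`, misspells "instructions", and the same line is added verbatim to create-docs-server.yml (this hunk), create-jenkins-server.yml and deploy-os_servers.yml; fix it in all four: `# See README.md for instructions how to use this playbook.` The removed cluster.yml header was the only place in this diff that documented the three-phase bootstrap (`ANSIBLE_HOST_KEY_CHECKING=False` for admin_users and ssh_host_signer, then strict checking for everything else) and the deployment order; the README is not in this diff, so please confirm it carries that sequence, since a reader who runs phase 3 first with strict host key checking will not get a helpful failure.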
@@ -30,7 +7,7 @@ connection: local pre_tasks: - name: 'Verify Ansible version meets requirements.' - assert: + ansible.builtin.assert: that: "ansible_version.full is version_compare('2.10', '>=')" msg: 'You must update Ansible to at least 2.10.x to use this playbook.' ############################################################################## @@ -47,6 +24,8 @@ # which would fail to use the interpretor from an activated virtual environment. # - ansible_python_interpreter: python + roles: + - include_vars_from_other_groups tasks: - name: "Create {{ network_private_management_id }} network." openstack.cloud.network: 
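Review bot: The added `roles: - include_vars_from_other_groups` carries no explanation, yet as far as this diff shows it is what lets the later security-group task resolve `lookup('vars', item.0.group)['ip_addresses']` for the jumphosts; the role itself is not in the diff, so this is an inference. A comment above the entry would make the dependency visible: `# Makes the ip_addresses of other groups (e.g. the jumphosts) available via lookup('vars', <group>) in the tasks below.` The same entry is added without comment in create-jenkins-server.yml. The play continues outside the hunk.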
@@ -104,47 +83,39 @@ Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_webservers security group: allow SSH inbound from external jumphost on port 22." + - name: "Add rules to {{ stack_prefix }}_webservers security group: allow inbound SSH from jumphosts." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_webservers" direction: ingress protocol: tcp port_range_min: 22 port_range_max: 22 - remote_ip_prefix: "{{ ip_addresses[item].addr }}{{ ip_addresses[item].mask }}" + remote_ip_prefix: "{{ remote_ip_address }}{{ remote_ip_netmask }}" wait: true timeout: "{{ openstack_api_timeout }}" - with_items: "{{ jumphosts }}" - - name: "Add rule to {{ stack_prefix }}_webservers security group: allow HTTP inbound on port 80." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_webservers" - direction: ingress - protocol: tcp - port_range_min: 80 - port_range_max: 80 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_webservers security group: allow HTTPS inbound on port 443." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_webservers" - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_webservers security group: allow ICMP inbound." + vars: + remote_ip_address: "{{ lookup('vars', item.0.group)['ip_addresses'][item.1.hostname][item.1.network]['address'] }}" + remote_ip_netmask: "{{ lookup('vars', item.0.group)['ip_addresses'][item.1.hostname][item.1.network]['netmask'] }}" + with_subelements: + - "{{ jumphosts }}" + - hosts + - name: "Add rules to {{ stack_prefix }}_webservers security group: allow inbound HTTP(S) and ICMP." 
openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_webservers" direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" remote_ip_prefix: 0.0.0.0/0 wait: true timeout: "{{ openstack_api_timeout }}" + with_items: + - protocol: tcp + port: 80 # HTTP + - protocol: tcp + port: 443 # HTTPS + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. ############################################################################## # Configure documentation server(s) from inventory using Openstack API. ############################################################################## @@ -165,7 +136,7 @@ state: present name: "{{ inventory_hostname }}" image: "{{ cloud_image }}" - flavor: "{{ flavor_docs }}" + flavor: "{{ cloud_flavor }}" security_groups: "{{ stack_prefix }}_webservers" auto_floating_ip: false nics: 
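Review bot: `remote_ip_prefix: "{{ remote_ip_address }}{{ remote_ip_netmask }}"` concatenates two looked-up strings, so the SSH ingress rule is exactly as tight as the `netmask` value stored in the group's ip_addresses; an empty value or a `/0` there would widen the rule without any error, and the expected `/NN` format is nowhere stated. Either an assert before the task, `that: remote_ip_netmask is match('^/[0-9]+$')` with a matching `fail_msg`, or at least a comment above `vars:` stating that `netmask` must be CIDR-style, would make the contract fail closed. The `lookup('vars', ...)` chain has no `default`, which is the right choice here (a missing jumphost entry should abort rather than produce an empty prefix); a one-line comment saying that is deliberate would stop someone "fixing" it. Both tasks in this hunk are duplicated byte-for-byte in the corresponding create-jenkins-server.yml hunk; consider a shared task file included from both playbooks.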
@@ -229,18 +200,33 @@ # as filtering directly during the API call is problematic. # Will filter the results for the relevant servers later on. # + - name: Get info on floating IPs from OpenStack API. + openstack.cloud.floating_ip_info: + register: api_fip_info + - name: Get info on networks from OpenStack API. + openstack.cloud.networks_info: + register: api_network_info - name: Get server info from OpenStack API. openstack.cloud.server_info: register: api_server_info - - name: "ToDo" - debug: + - name: "Add addresses to {{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml.new" + ansible.builtin.template: + src: "{{ playbook_dir }}/group_vars/template/ip_addresses.yml.j2" + dest: "{{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml.new" + mode: '0644' + vars: + relevant_servers_list: "{{ groups['docs'] | default([]) }}" + relevant_servers_info: "{{ api_server_info.openstack_servers | selectattr('name', 'in', relevant_servers_list) | list }}" + - name: ToDo + ansible.builtin.debug: msg: | *********************************************************************************************************** IMPORTANT: Manual work! + Ansible created: + {{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml.new + Please inspect this file carefully with: + diff -y {{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml{.new,} + and if Ok execute: + mv {{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml{.new,} *********************************************************************************************************** - Check if public IP address "{{ api_server_info.openstack_servers | selectattr('name', 'equalto', item) | map(attribute='accessIPv4') | first }}" for server "{{ item }}" - needs to be updated in: - {{ playbook_dir }}/group_vars/all/ip_addresses.yml - *********************************************************************************************************** - with_items: "{{ groups['docs'] | default([]) }}" -... 
\ No newline at end of file
+...
diff --git a/create-jenkins-server.yml b/create-jenkins-server.yml
index a90fffbe6..19fc999be 100644
--- a/create-jenkins-server.yml
+++ b/create-jenkins-server.yml
@@ -1,28 +1,5 @@
 #
-# 1. $> cd git/league-of-robots
-# Create Python virtual environment (once)
-# 2. $> python3 -m venv openstacksdk.venv
-# Activate virtual environment.
-# 3. $> source openstacksdk.venv/bin/activate
-# Install OpenStack SDK (once).
-# 4. $> pip3 install openstacksdk
-# $> pip3 install ruamel.yaml
-# NOTE: Openstack RC file must be sourced first to be able to use Openstack API from SDK:
-# 5. Login to OpenStack web interface -> "Identity" -> "Application Credentials" -> click the "Create Application Credential" button.
-# This will result in a popup window: specify "Name", "Expiration Date", "Expiration Time", leave the rest empty / use defaults and
-# click the "Create Application Credential" button.
-# In the new popup window click the "Download openrc file" button and save the generated *-openrc.sh file in the root of the repo.
-# 6. Source the downloaded file. E.g.:
-# $> source ./[Application_Credential_Name]-openrc.sh
-# 7. Fetch Ansible dependencies
-# $> ansible-galaxy install -r galaxy-requirements.yml
-# Configure this repo for deployment of a specifc HPC cluster.
-# 8. Source lor-init from this repo. E.g.:
-# $> source ./lor-init
-# 9. Configure League of Robots for a specific cluster. E.g.:
-# $> lor-config jenkins
-# 10. Execute playbook to create VMs. E.g.:
-# $> ansible-playbook create-jenkins-server.yml
+# See README.md for instructins how to use this playbook.
 #
 ---
 - name: 'Sanity checks before we start.'
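Review bot: `ansible.builtin.template` with `dest: "{{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml.new"` fails when the per-stack directory does not exist yet, which is precisely the case for a stack being created for the first time; unless something earlier in the play guarantees it, precede the task with `ansible.builtin.file: path: "{{ playbook_dir }}/group_vars/{{ stack_name }}" state: directory mode: '0755'`. `api_fip_info` and `api_network_info` are registered but not referenced anywhere in the hunk; if the ip_addresses.yml.j2 template consumes them, a comment on those two tasks naming that consumer would keep them from looking dead. The same tasks appear in the create-jenkins-server.yml hunk below, so the directory guard belongs there too.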
@@ -30,7 +7,7 @@ connection: local pre_tasks: - name: 'Verify Ansible version meets requirements.' - assert: + ansible.builtin.assert: that: "ansible_version.full is version_compare('2.10', '>=')" msg: 'You must update Ansible to at least 2.10.x to use this playbook.' ############################################################################## @@ -47,6 +24,8 @@ # which would fail to use the interpretor from an activated virtual environment. # - ansible_python_interpreter: python + roles: + - include_vars_from_other_groups tasks: - name: "Create {{ network_private_management_id }} network." openstack.cloud.network: 
@@ -104,48 +83,39 @@ Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_webservers security group: allow SSH inbound from external jumphost on port 22." + - name: "Add rules to {{ stack_prefix }}_webservers security group: allow inbound SSH from jumphosts." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_webservers" direction: ingress protocol: tcp port_range_min: 22 port_range_max: 22 - remote_ip_prefix: "{{ ip_addresses[item].addr }}{{ ip_addresses[item].mask }}" + remote_ip_prefix: "{{ remote_ip_address }}{{ remote_ip_netmask }}" wait: true timeout: "{{ openstack_api_timeout }}" - with_items: "{{ jumphosts }}" - - name: "Add rule to {{ stack_prefix }}_webservers security group: allow HTTP inbound on port 80." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_webservers" - direction: ingress - protocol: tcp - port_range_min: 80 - port_range_max: 80 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_webservers security group: allow HTTPS inbound on port 443." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_webservers" - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_webservers security group: allow ICMP inbound." + vars: + remote_ip_address: "{{ lookup('vars', item.0.group)['ip_addresses'][item.1.hostname][item.1.network]['address'] }}" + remote_ip_netmask: "{{ lookup('vars', item.0.group)['ip_addresses'][item.1.hostname][item.1.network]['netmask'] }}" + with_subelements: + - "{{ jumphosts }}" + - hosts + - name: "Add rules to {{ stack_prefix }}_webservers security group: allow inbound HTTP(S) and ICMP." 
openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_webservers" direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" remote_ip_prefix: 0.0.0.0/0 wait: true timeout: "{{ openstack_api_timeout }}" - + with_items: + - protocol: tcp + port: 80 # HTTP + - protocol: tcp + port: 443 # HTTPS + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. ############################################################################## # Configure Jenkins server(s) from inventory using Openstack API. ############################################################################## 
@@ -230,18 +200,33 @@ # as filtering directly during the API call is problematic. # Will filter the results for the relevant servers later on. # + - name: Get info on floating IPs from OpenStack API. + openstack.cloud.floating_ip_info: + register: api_fip_info + - name: Get info on networks from OpenStack API. + openstack.cloud.networks_info: + register: api_network_info - name: Get server info from OpenStack API. openstack.cloud.server_info: register: api_server_info - - name: "ToDo" - debug: + - name: "Add addresses to {{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml.new" + ansible.builtin.template: + src: "{{ playbook_dir }}/group_vars/template/ip_addresses.yml.j2" + dest: "{{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml.new" + mode: '0644' + vars: + relevant_servers_list: "{{ groups['jenkins'] | default([]) }}" + relevant_servers_info: "{{ api_server_info.openstack_servers | selectattr('name', 'in', relevant_servers_list) | list }}" + - name: ToDo + ansible.builtin.debug: msg: | *********************************************************************************************************** IMPORTANT: Manual work! + Ansible created: + {{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml.new + Please inspect this file carefully with: + diff -y {{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml{.new,} + and if Ok execute: + mv {{ playbook_dir }}/group_vars/{{ stack_name }}/ip_addresses.yml{.new,} *********************************************************************************************************** - Check if public IP address "{{ api_server_info.openstack_servers | selectattr('name', 'equalto', item) | map(attribute='accessIPv4') | first }}" for server "{{ item }}" - needs to be updated in: - {{ playbook_dir }}/group_vars/all/ip_addresses.yml - *********************************************************************************************************** - with_items: "{{ groups['docs'] | default([]) }}" ... 
diff --git a/deploy-os_servers.yml b/deploy-os_servers.yml
index 66c0ed3d0..630e74a12 100644
--- a/deploy-os_servers.yml
+++ b/deploy-os_servers.yml
@@ -1,28 +1,5 @@
 #
-# 1. $> cd git/league-of-robots
-# Create Python virtual environment (once)
-# 2. $> python3 -m venv openstacksdk.venv
-# Activate virtual environment.
-# 3. $> source openstacksdk.venv/bin/activate
-# Install OpenStack SDK (once).
-# 4. $> pip3 install openstacksdk
-# $> pip3 install ruamel.yaml
-# NOTE: Openstack RC file must be sourced first to be able to use Openstack API from SDK:
-# 5. Login to OpenStack web interface -> "Identity" -> "Application Credentials" -> click the "Create Application Credential" button.
-# This will result in a popup window: specify "Name", "Expiration Date", "Expiration Time", leave the rest empty / use defaults and
-# click the "Create Application Credential" button.
-# In the new popup window click the "Download openrc file" button and save the generated *-openrc.sh file in the root of the repo.
-# 6. Source the downloaded file. E.g.:
-# $> source ./[Application_Credential_Name]-openrc.sh
-# 7. Fetch Ansible dependencies
-# $> ansible-galaxy install -r galaxy-requirements.yml
-# Configure this repo for deployment of a specifc HPC cluster.
-# 8. Source lor-init from this repo. E.g.:
-# $> source ./lor-init
-# 9. Configure League of Robots for a specific cluster. E.g.:
-# $> lor-config nb
-# 10. Execute playbook to create VMs. E.g.:
-# $> ansible-playbook deploy-os_servers.yml
+# See README.md for instructins how to use this playbook.
 #
 ---
 - name: 'Sanity checks before we start.'
@@ -122,46 +99,25 @@ Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_jumphosts security group: allow SSH inbound on port 22." + - name: "Add rules to {{ stack_prefix }}_jumphosts security group." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_jumphosts" direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_jumphosts security group: allow SSH inbound on port 443." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_jumphosts" - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_jumphosts security group: allow LDAPS inbound on port 636." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_jumphosts" - direction: ingress - protocol: tcp - port_range_min: 636 - port_range_max: 636 - remote_ip_prefix: 0.0.0.0/0 # ToDo restrict to {{ ldap_uri }} - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_jumphosts security group: allow ICMP inbound." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_jumphosts" - direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" remote_ip_prefix: 0.0.0.0/0 wait: true timeout: "{{ openstack_api_timeout }}" + with_items: + - protocol: tcp + port: 22 # SSH + - protocol: tcp + port: 443 # SSH fallback + - protocol: tcp + port: 636 # LDAPS + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. 
 #
 # Data staging security group.
 #
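Review bot: The `port: 636 # LDAPS` item in the `_jumphosts` loop drops the `ToDo restrict to {{ ldap_uri }}` reminder that the removed standalone rule carried, while the `_ds` loop in the next hunk keeps it as `# LDAPS; ToDo: restrict to {{ ldap_uri }}`; the rule is still `0.0.0.0/0`, so the intent to narrow it should survive the refactor: `port: 636 # LDAPS; ToDo: restrict to {{ ldap_uri }}`. It is also not clear from the playbook why a jumphost needs inbound 636 at all, since LDAP lookups originating on the jumphost only need egress, which the group already allows; if an LDAP service or proxy is expected to listen on the jumphost, a comment saying so would let the next reviewer judge the exposure. The task list continues outside the hunk.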
@@ -176,122 +132,25 @@ Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_ds security group: allow SSH inbound on port 22." + - name: "Add rules to {{ stack_prefix }}_ds security group." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_ds" direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" remote_ip_prefix: 0.0.0.0/0 wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_ds security group: allow SSH inbound on port 443." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_ds" - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_ds security group: allow LDAPS inbound on port 636." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_ds" - direction: ingress - protocol: tcp - port_range_min: 636 - port_range_max: 636 - remote_ip_prefix: 0.0.0.0/0 # ToDo restrict to {{ ldap_uri }} - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_ds security group: allow ICMP inbound." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_ds" - direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - # - # (Pulp) repo server security group. - # - # Note: only local admin accounts on repo machines, so no need for LDAPS traffic on port 636. - # - - name: "Create security group for {{ stack_prefix }} repo machines behind jumphost." 
- openstack.cloud.security_group: - state: present - name: "{{ stack_prefix }}_repo" - description: | - Security group for repo machines behind a jumphost. - Allows SSH and ICMP inbound from machines in the jumphost security group. - Allows HTTPS traffic inbound from machines in cluster and irods security group. - Allows all outbound traffic. - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_repo security group: allow SSH inbound on port 22 from {{ stack_prefix }}_jumphosts security group." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_repo" - direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_group: "{{ stack_prefix }}_jumphosts" - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_repo security group: allow ICMP inbound from {{ stack_prefix }}_jumphosts security group." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_repo" - direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. - remote_group: "{{ stack_prefix }}_jumphosts" - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_repo security group: allow HTTPS inbound from machines within the cluster security group." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_repo" - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 - remote_group: "{{ stack_prefix }}_cluster" - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_repo security group: allow HTTPS traffic from machines within the irods security group." 
- openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_repo" - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 - remote_group: "{{ stack_prefix }}_irods" - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_repo security group: allow any inbound icmp traffic from machines within the cluster security group." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_repo" - direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. - remote_group: "{{ stack_prefix }}_cluster" - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_repo security group: allow any inbound icmp traffic from machines within the irods security group." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_repo" - direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. - remote_group: "{{ stack_prefix }}_irods" - wait: true - timeout: "{{ openstack_api_timeout }}" + with_items: + - protocol: tcp + port: 22 # SSH + - protocol: tcp + port: 443 # SSH fallback + - protocol: tcp + port: 636 # LDAPS; ToDo: restrict to {{ ldap_uri }} + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. # # Cluster security group. # 
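Review bot: The `{{ stack_prefix }}_repo` security group and its six rules are removed from this playbook, but nothing sets the group to `state: absent`, so on stacks that were already deployed the group and its rules stay in OpenStack, unmanaged by Ansible, and any host whose `security_groups:` still lists `_repo` will keep using it (or fail to be created, if the group is later deleted by hand); this assumes the group was not simply moved to a playbook outside this diff. A one-off cleanup task, `openstack.cloud.security_group: name: "{{ stack_prefix }}_repo" state: absent`, or at least a note in the commit message about removing the stale group manually, would keep the deployed state in line with the playbook. The deletion of the `_ds` rules for 22/443/636/ICMP is a pure move into the loop and needs nothing further.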
@@ -306,16 +165,6 @@ Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_cluster security group: allow SSH inbound on port 22 from {{ stack_prefix }}_jumphosts security group." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_cluster" - direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_group: "{{ stack_prefix }}_jumphosts" - wait: true - timeout: "{{ openstack_api_timeout }}" - name: "Add rule to {{ stack_prefix }}_cluster security group: allow LDAPS inbound on port 636." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_cluster" 
@@ -323,49 +172,41 @@ protocol: tcp port_range_min: 636 port_range_max: 636 - remote_ip_prefix: 0.0.0.0/0 # ToDo restrict to {{ ldap_uri }} + remote_ip_prefix: 0.0.0.0/0 # ToDo: restrict to {{ ldap_uri }} wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_cluster security group: allow ICMP inbound from {{ stack_prefix }}_jumphosts security group." + - name: "Add rules to {{ stack_prefix }}_cluster security group: allow inbound traffic from {{ stack_prefix }}_jumphosts security group." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_cluster" direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" remote_group: "{{ stack_prefix }}_jumphosts" wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_cluster security group: allow any inbound tcp traffic from machines within the same security group." + with_items: + - protocol: tcp + port: 22 # SSH + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. + - name: "Add rules to {{ stack_prefix }}_cluster security group: allow inbound traffic from machines in the same security group." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_cluster" direction: ingress - protocol: tcp - port_range_min: -1 # Port range min -1 and max -1 means the same as min 1 and max 65535, - port_range_max: -1 # but the latter is not idempotent due to a known bug. - remote_group: "{{ stack_prefix }}_cluster" - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_cluster security group: allow any inbound udp traffic from machines within the same security group." 
- openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_cluster" - direction: ingress - protocol: udp - port_range_min: -1 # Port range min -1 and max -1 means the same as min 1 and max 65535, - port_range_max: -1 # but the latter is not idempotent due to a known bug. - remote_group: "{{ stack_prefix }}_cluster" - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_cluster security group: allow any inbound icmp traffic from machines within the same security group." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_cluster" - direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" remote_group: "{{ stack_prefix }}_cluster" wait: true timeout: "{{ openstack_api_timeout }}" + with_items: + - protocol: tcp + port: -1 # Port range min -1 and max -1 means the same as min 1 and max 65535, but the latter is not idempotent due to a known bug. + - protocol: udp + port: -1 # Port range min -1 and max -1 means the same as min 1 and max 65535, but the latter is not idempotent due to a known bug. + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. # # Configure IRODS security group using Openstack API. # 
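Review bot: In the "allow inbound traffic from machines in the same security group" loop the long comment about `-1` ranges (`Port range min -1 and max -1 means the same as min 1 and max 65535, but the latter is not idempotent due to a known bug.`) is repeated verbatim on the tcp and udp items, which pushes both lines well past any sensible line length; state it once above `with_items:` and keep the items to `port: -1 # any port` style. The `{{ ldap_uri }}` inside the `# ToDo: restrict to` comment is never rendered (Jinja does not touch YAML comments), which is fine as a reminder but should not be mistaken for a templated value. The task list continues outside the hunk.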
@@ -381,106 +222,115 @@ Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow SSH inbound on port 22." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_irods" - direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow SSH inbound on port 1247." + when: groups['irods'] | default([]) | length >= 1 + - name: "Add rules to {{ stack_prefix }}_irods security group." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_irods" direction: ingress - protocol: tcp - port_range_min: 1247 - port_range_max: 1247 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow PostgreSQL inbound on port 5432." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_irods" - direction: ingress - protocol: tcp - port_range_min: 5432 - port_range_max: 5432 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow SSH inbound on port 20000:20199." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_irods" - direction: ingress - protocol: tcp - port_range_min: 20000 - port_range_max: 20199 + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port_min }}" + port_range_max: "{{ item.port_max }}" remote_ip_prefix: 0.0.0.0/0 wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow SSH inbound on port 443." 
+ with_items: + - protocol: tcp + port_min: 22 # SSH + port_max: 22 # SSH + - protocol: tcp + port_min: 443 # SSH + port_max: 443 # SSH + - protocol: tcp + port_min: 636 # LDAPS + port_max: 636 # LDAPS + - protocol: tcp + port_min: 1247 # iRODS + port_max: 1247 # iRODS + - protocol: tcp + port_min: 5432 # iRODS + port_max: 5432 # iRODS + - protocol: tcp + port_min: 20000 # iRODS + port_max: 20199 # iRODS + - protocol: icmp + port_min: -1 # ICMP protocol does not have any ports. + port_max: -1 # ICMP protocol does not have any ports. + when: groups['irods'] | default([]) | length >= 1 + - name: "Add rules to {{ stack_prefix }}_irods security group: allow inbound traffic from machines in the same security group." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_irods" direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 - remote_ip_prefix: 0.0.0.0/0 - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow LDAPS inbound on port 636." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_irods" - direction: ingress - protocol: tcp - port_range_min: 636 - port_range_max: 636 - remote_ip_prefix: 0.0.0.0/0 # ToDo restrict to {{ ldap_uri }} - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow ICMP inbound." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_irods" - direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. 
- remote_ip_prefix: 0.0.0.0/0 + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" + remote_group: "{{ stack_prefix }}_irods" wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow any inbound tcp traffic from machines within the same security group." - openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_irods" - direction: ingress - protocol: tcp - port_range_min: -1 # Port range min -1 and max -1 means the same as min 1 and max 65535, - port_range_max: -1 # but the latter is not idempotent due to a known bug. - remote_group: "{{ stack_prefix }}_cluster" + with_items: + - protocol: tcp + port: -1 # Port range min -1 and max -1 means the same as min 1 and max 65535, but the latter is not idempotent due to a known bug. + - protocol: udp + port: -1 # Port range min -1 and max -1 means the same as min 1 and max 65535, but the latter is not idempotent due to a known bug. + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. + when: groups['irods'] | default([]) | length >= 1 + # + # (Pulp) repo server security group. + # + # Note: only local admin accounts on repo machines, so no need for LDAPS traffic on port 636. + # + - name: "Create security group for {{ stack_prefix }} repo machines behind jumphost." + openstack.cloud.security_group: + state: present + name: "{{ stack_prefix }}_repo" + description: | + Security group for repo machines behind a jumphost. + Allows SSH and ICMP inbound from machines in the jumphost security group. + Allows HTTPS traffic inbound from machines in cluster and irods security group. + Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow any inbound udp traffic from machines within the same security group." + - name: "Add rules to {{ stack_prefix }}_repo security group." 
openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_irods" + security_group: "{{ stack_prefix }}_repo" direction: ingress - protocol: udp - port_range_min: -1 # Port range min -1 and max -1 means the same as min 1 and max 65535, - port_range_max: -1 # but the latter is not idempotent due to a known bug. - remote_group: "{{ stack_prefix }}_irods" - wait: true - timeout: "{{ openstack_api_timeout }}" - - name: "Add rule to {{ stack_prefix }}_irods security group: allow any inbound icmp traffic from machines within the same security group." + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" + remote_group: "{{ item.remote_group }}" + wait: true + timeout: "{{ openstack_api_timeout }}" + with_items: + - protocol: tcp + port: 22 # SSH + remote_group: "{{ stack_prefix }}_jumphosts" + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. + remote_group: "{{ stack_prefix }}_jumphosts" + - protocol: tcp + port: 443 # HTTPS + remote_group: "{{ stack_prefix }}_cluster" + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. + remote_group: "{{ stack_prefix }}_cluster" + - name: "Add rules to {{ stack_prefix }}_repo security group: allow inbound traffic from {{ stack_prefix }}_irods security group." openstack.cloud.security_group_rule: - security_group: "{{ stack_prefix }}_irods" + security_group: "{{ stack_prefix }}_repo" direction: ingress - protocol: icmp - port_range_min: -1 # ICMP protocol does not have any ports. - port_range_max: -1 # ICMP protocol does not have any ports. 
- remote_group: "{{ stack_prefix }}_irods" - wait: true - timeout: "{{ openstack_api_timeout }}" + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port }}" + port_range_max: "{{ item.port }}" + remote_group: "{{ item.remote_group }}" + wait: true + timeout: "{{ openstack_api_timeout }}" + with_items: + - protocol: tcp + port: 443 # HTTPS + remote_group: "{{ stack_prefix }}_irods" + - protocol: icmp + port: -1 # ICMP protocol does not have any ports. + remote_group: "{{ stack_prefix }}_irods" + when: groups['irods'] | default([]) | length >= 1 ############################################################################## # Configure jumphosts from inventory using Openstack API. ############################################################################## @@ -902,7 +752,6 @@ volume: "{{ inventory_hostname }}-volume" wait: true timeout: "{{ openstack_api_timeout }}" - ############################################################################# # Configure DAI from inventory using Openstack API. ############################################################################# @@ -986,6 +835,12 @@ # as filtering directly during the API call is problematic. # Will filter the results for the relevant servers later on. # + - name: Get info on floating IPs from OpenStack API. + openstack.cloud.floating_ip_info: + register: api_fip_info + - name: Get info on networks from OpenStack API. + openstack.cloud.networks_info: + register: api_network_info - name: Get server info from OpenStack API. openstack.cloud.server_info: register: api_server_info 
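Review bot: `port_min: 5432 # iRODS` in the `_irods` with_items list loses the fact the removed task name carried, namely that 5432 is PostgreSQL, while the consolidated rule keeps admitting it from `remote_ip_prefix: 0.0.0.0/0` like the other items. Restore the label, `port_min: 5432 # PostgreSQL`, and if only iRODS machines talk to that database the item belongs in the next task (same-security-group, `remote_group: "{{ stack_prefix }}_irods"`) rather than in the world-reachable list; which of the two is intended is not visible from the hunk. The four copies of `when: groups['irods'] | default([]) | length >= 1` would read better as one `block:` wrapping the `_irods` tasks and the irods-to-repo task, so a future rule cannot be added without the guard. The `_repo` group description and its rules agree with each other, which is good.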
@@ -997,7 +852,8 @@ vars: relevant_servers_list: "{{ groups['jumphost'] | default([]) + \ groups['data_transfer'] | default([]) + \ - groups['repo'] | default([]) + groups['cluster'] | default([]) }}" + groups['repo'] | default([]) + \ + groups['cluster'] | default([]) }}" relevant_servers_info: "{{ api_server_info.openstack_servers | selectattr('name', 'in', relevant_servers_list) | list }}" - name: "ToDo" ansible.builtin.debug: diff --git a/documentation/Configuring_Pulp.md b/documentation/Configuring_Pulp.md index 28878b08d..89b2f29f4 100644 --- a/documentation/Configuring_Pulp.md +++ b/documentation/Configuring_Pulp.md @@ -123,7 +123,7 @@ See the `README.md` in the root of this repo for details. Make sure the requirements/dependencies from Ansible Galaxy were installed. The exec summary: ```bash -ansible-galaxy install -r galaxy-requirements.yml +ansible-galaxy install -r requirements.yml ``` See the `README.md` in the root of this repo for details. Next you can use diff --git a/group_vars/all/ip_addresses.yml b/group_vars/all/ip_addresses.yml index a2b93b322..ed1edde53 100644 --- a/group_vars/all/ip_addresses.yml +++ b/group_vars/all/ip_addresses.yml 
@@ -1,453 +1,237 @@ -$ANSIBLE_VAULT;1.2;AES256;all -63316363666665356132326134316536663737306364316366373832643665326663626637363632 -3436323931373165393164393165396563336332323330640a343038383663396664666238336665 -33623864373761653930386331323965323065613831373835346632643064313230623964353835 -3835666535333261640aip_addresses: + # + # UMCG network ranges: + # 192.87.23.66-67 + # 192.87.23.100-105 + # 20.67.122.56 + # + umcg: + net1: + address: '192.87.23.66' + netmask: '/31' + desc: 'UMCG firewalls / core routers' + net2: + address: '192.87.23.100' + netmask: '/30' + desc: 'UMCG firewalls / core routers' + net3: + address: '192.87.23.104' + netmask: '/31' + desc: 'UMCG firewalls / core routers' + net4: + address: '20.67.122.56' + netmask: '/32' + desc: 'UMCG firewalls / core routers' + # + # RUG network ranges. + # + rug: + bwp_net: + address: '129.125.249.0' + netmask: '/24' + desc: 'RUG BWP' + operator: + address: '129.125.50.41' + netmask: '/32' + desc: 'operator.service.rug.nl / monitoring' + f5: + address: '129.125.2.0' + netmask: '/24' + desc: 'RUG F5 load balancers.' + # + # RUG research cluster UIs. + # + peregrine: + public: + address: '129.125.60.96' + netmask: '/32' + fqdn: 'peregrine.hpc.rug.nl' + # + # Dedicated raw sequence data conversion servers. + # + gaf: + public: + address: '195.169.22.215' + netmask: '/32' + fqdn: 'gaf.gcc.rug.nl' + gattaca01: + public: + address: '195.169.22.97' + netmask: '/32' + fqdn: 'gattaca01.gcc.rug.nl' + gattaca02: + public: + address: '195.169.22.98' + netmask: '/32' + fqdn: 'gattaca02.gcc.rug.nl' + gcc: + cloud_net: + address: '195.169.22.1' + netmask: '/23' + desc: 'Includes many molgenis[0-9]+.gcc.rug.nl VMs, but not all IPs in range belong to GCC cloud.' + tnt1: + address: '195.169.23.126' + netmask: '/32' + fqdn: 'molgenis96.gcc.rug.nl' + desc: 'Molgenis Track and Trace for analysis team.' 
+ tnt2: + address: '195.169.23.206' + netmask: '/32' + fqdn: 'molgenis06.gcc.rug.nl' + desc: 'Molgenis Track and Trace for analysis team.' + molgenis_downloads: + address: '195.169.23.226' + netmask: '/32' + fqdn: 'molgenis26.gcc.rug.nl' + desc: 'Public downloads.' + # + # Other clusters / grid / DS machines. + # + surfsara: + grid_ui: + address: '145.100.5.194' + netmask: '/32' + fqdn: 'ui.grid.sara.nl' + eriba: + ds: + address: '129.125.161.80' + netmask: '/32' + desc: 'SFTP server @ ERIBA' + lumc: + shark_ui: + address: '145.88.35.10' + netmask: '/32' + desc: 'Jumphost for LUMC Shark cluster.' + # + # EBI & Sanger servers. + # + # Services are frequently moved to other machines and + # in addition most services are behind load balancers + # resulting in frequently changing IP addresses: -> allow their entire subnets. + # Services include: + # * ftp.ensembl.org (FTP) + # * ftp.ega.ebi.ac.uk (FTP) + # * sra-ftps.ebi.ac.uk (FTP) + # * ensembldb.ensembl.org (MySQL on ports 3306 & 5306) + # * ensembldb.sanger.ac.uk (MySQL on ports 3306 & 5306) + # * martdb.sanger.ac.uk (MySQL on port 5316) + # * martdb.ensembl.org (MySQL on port 5316) + # * fasp.ega.ebi.ac.uk (Aspera) + # * fasp.sra.ebi.ac.uk (Aspera) + # + ebi: + net1: + address: '193.62.192.1' + netmask: '/24' + desc: 'EBI / Ensembl.' + net2: + address: '193.62.193.1' + netmask: '/24' + desc: 'EBI / Ensembl.' + sanger: + sftp: + address: '193.62.203.29' + netmask: '/32' + fqdn: 'sftpsrv.sanger.ac.uk' + globus: + address: '193.62.202.248' + netmask: '/32' + fqdn: 'globus.sanger.ac.uk' + # + # Broad Institute servers. + # + broad: + ftp: + address: '69.173.80.251' + netmask: '/32' + fqdn: 'ftp.broadinstitute.org' + aspera_portal: + address: '69.173.125.33' + netmask: '/32' + fqdn: 'dmz-asperashares.broadinstitute.org' + aspera_1: + address: '23.236.57.4' + netmask: '/32' + desc: 'Broad Institute Aspera server.' + aspera_2: + address: '69.173.124.97' + netmask: '/32' + desc: 'Broad Institute Aspera server.' 
+ aspera_3: + address: '69.173.124.98' + netmask: '/32' + desc: 'Broad Institute Aspera server.' + aspera_4: + address: '130.211.143.166' + netmask: '/32' + desc: 'Broad Institute Aspera server.' + aspera_5: + address: '130.211.148.168' + netmask: '/32' + desc: 'Broad Institute Aspera server.' + aspera_6: + address: '130.211.174.182' + netmask: '/32' + desc: 'Broad Institute Aspera server.' + aspera_7: + address: '130.211.182.54' + netmask: '/32' + desc: 'Broad Institute Aspera server.' + aspera_8: + address: '130.211.186.135' + netmask: '/32' + desc: 'Broad Institute Aspera server.' + aspera_9: + address: '146.148.76.138' + netmask: '/32' + desc: 'Broad Institute Aspera server.' + # + # NCBI servers. + # + # Services are frequently moved to other machines and in addition most services are behind load balancers + # resulting in frequently changing IP addresses: -> allow entire subnets. + # Services include: + # * gap-upload.ncbi.nlm.nih.gov (FTP & Aspera) + # * ftp-trace.ncbi.nlm.nih.gov (FTP & Aspera) + # * ftp-private.ncbi.nlm.nih.gov (FTP & Aspera) + # * ftp.ncbi.nlm.nih.gov (FTP & Aspera) + # * upload.ncbi.nlm.nih.gov (FTP & Aspera) + # + ncbi: + net1: + address: '130.14.29.0' + netmask: '/24' + desc: '*.ncbi.nlm.nih.gov' + net2: + address: '130.14.250.0' + netmask: '/24' + desc: '*.ncbi.nlm.nih.gov' + # + # Centro Nacional de Analisis Genomico (CNAG), Barcelona, Catalonia, Spain. + # + cnag: + sftp: + address: '84.88.66.214' + netmask: '/32' + desc: 'ftp.cnag.cat, but name is misleading: server uses sftp.' + # + # Erasmus MC servers. + # + erasmus_mc: + net: + address: '156.83.1.0' + netmask: '/24' + desc: 'A.o. for data transfer using sftp/rsync.' + # + # Globus. + # + globus_org: + net: + address: '54.237.254.192' + netmask: '/29' + desc: '*.globusonline.org for data transfers with Globus ToolKit (GTK).' 
+ google:
+ stun:
+ address: '74.125.143.127'
+ netmask: '/32'
+ desc: 'stun.l.google.com for connection to STUN server when setting up a session with another Globus Connect Personal endpoint.'
diff --git a/group_vars/betabarrel_cluster/ip_addresses.yml b/group_vars/betabarrel_cluster/ip_addresses.yml
index 3db5de510..08ec03951 100644
--- a/group_vars/betabarrel_cluster/ip_addresses.yml
+++ b/group_vars/betabarrel_cluster/ip_addresses.yml
@@ -1,9 +1,7 @@
 ---
 ip_addresses:
 betabarrel:
- addr: 172.23.41.225
- mask: /32
- vlan: VLAN 983
- fqdn:
- desc: Slurm in a box
+ vlan983:
+ address: 172.23.41.225
+ netmask: /32
 ...
diff --git a/group_vars/betabarrel_cluster/vars.yml b/group_vars/betabarrel_cluster/vars.yml
index ceb70a007..6fcd9c91f 100644
--- a/group_vars/betabarrel_cluster/vars.yml
+++ b/group_vars/betabarrel_cluster/vars.yml
@@ -1,6 +1,6 @@
 ---
 slurm_cluster_name: 'betabarrel'
-slurm_cluster_domain: '' # Only add hpc.rug.nl domain when jumphost is registered in DNS.
+stack_domain: '' # Only add hpc.rug.nl domain when jumphost is registered in DNS.
 stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file.
 stack_prefix: 'bb'
 slurm_version: '20.11.8-1.el7.umcg'
@@ -15,16 +15,16 @@ slurm_partitions:
 features: "{{ groups['regular'] | map('extract', hostvars, 'slurm_features') | first | default('none') }}"
 extra_options: 'TRESBillingWeights="CPU=1.0,Mem=0.25G"'
 repo_manager: 'none'
-rewrite_domain: "{{ stack_prefix }}-sai{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}"
 figlet_font: 'ogre'
 motd: |
 =========================================================
 Welcome to {{ slurm_cluster_name | capitalize }}
 =========================================================
 additional_etc_hosts:
- - group: all
- hosts:
- - docs_on_merlin
+ - group: docs_library
+ nodes:
+ - name: docs_on_merlin
+ network: vlan16
 use_ldap: yes
 create_ldap: no
 use_sssd: yes
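Review bot: The old side of this hunk is an Ansible Vault payload (`$ANSIBLE_VAULT;1.2;AES256;all`) and the new side is plaintext, but nothing in the file records that un-vaulting was a deliberate decision or why these values no longer need protection. A header comment such as `# Allow-list ranges of partner institutions; deliberately kept in plaintext (no secrets here).` would settle that for the next reader, and the commit message should say it too, since the old ciphertext stays in history either way. Separately, a few entries carry host bits under their prefix, e.g. `address: '193.62.192.1'` with `netmask: '/24'`, `'193.62.193.1'` with `'/24'` and `'195.169.22.1'` with `'/23'`, and betabarrel's `excluded` list in this same commit concatenates `address` and `netmask` into a CIDR string; a consumer that validates strictly may reject or silently reinterpret such values, so either normalise them to the network address or confirm every consumer is lenient.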
@@ -47,12 +47,10 @@ totp:
 machines: "{{ groups['jumphost'] }}"
 excluded:
 - 'LOCAL'
- "{{ all.ip_addresses['umcg_net1']['addr'] }}{{ all.ip_addresses['umcg_net1']['mask'] }}"
- "{{ all.ip_addresses['umcg_net2']['addr'] }}{{ all.ip_addresses['umcg_net2']['mask'] }}"
- "{{ all.ip_addresses['umcg_net3']['addr'] }}{{ all.ip_addresses['umcg_net3']['mask'] }}"
- "{{ all.ip_addresses['umcg_net4']['addr'] }}{{ all.ip_addresses['umcg_net4']['mask'] }}"
-public_ip_addresses:
- porch: '195.169.22.170'
+ - "{{ all.ip_addresses['umcg']['net1']['address'] }}{{ all.ip_addresses['umcg']['net1']['netmask'] }}"
+ - "{{ all.ip_addresses['umcg']['net2']['address'] }}{{ all.ip_addresses['umcg']['net2']['netmask'] }}"
+ - "{{ all.ip_addresses['umcg']['net3']['address'] }}{{ all.ip_addresses['umcg']['net3']['netmask'] }}"
+ - "{{ all.ip_addresses['umcg']['net4']['address'] }}{{ all.ip_addresses['umcg']['net4']['netmask'] }}"
 nameservers: [
 '8.8.4.4', # Google DNS.
 '8.8.8.8', # Google DNS.
diff --git a/group_vars/boxy_cluster/ip_addresses.yml b/group_vars/boxy_cluster/ip_addresses.yml
deleted file mode 100644
index f833516f2..000000000
--- a/group_vars/boxy_cluster/ip_addresses.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-ip_addresses:
- boxy-management:
- addr: 172.23.40.237
- mask: /32
- vlan: vlan983
- boxy-storage:
- addr: 172.23.34.237
- mask: /32
- vlan: vlan985
-...
diff --git a/group_vars/boxy_cluster/vars.yml b/group_vars/boxy_cluster/vars.yml
index 5f328065b..fe51253c4 100644
--- a/group_vars/boxy_cluster/vars.yml
+++ b/group_vars/boxy_cluster/vars.yml
@@ -1,6 +1,6 @@
 ---
 slurm_cluster_name: 'boxy'
-slurm_cluster_domain: 'hpc.rug.nl'
+stack_domain: 'hpc.rug.nl'
 stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file.
 stack_prefix: 'bx'
 ldap_uri: ldap://172.23.40.249
diff --git a/group_vars/calculon_cluster/ip_addresses.yml b/group_vars/calculon_cluster/ip_addresses.yml
index 6889424a2..4459b23b5 100644
--- a/group_vars/calculon_cluster/ip_addresses.yml
+++ b/group_vars/calculon_cluster/ip_addresses.yml
@@ -1,161 +1,127 @@ --- ip_addresses: - calculon-management: - addr: 172.23.40.247 - mask: /32 - vlan: vlan983 - calculon-storage: - addr: 172.23.34.247 - mask: /32 - vlan: vlan985 + calculon: + vlan16: + address: 195.169.22.247 + netmask: /32 + fqdn: 'calculon.hpc.rug.nl' + vlan983: + address: 172.23.40.247 + netmask: /32 + vlan985: + address: 172.23.34.247 + netmask: /32 winterpeen: - addr: 172.23.40.230 - mask: /32 - vlan: - fqdn: - desc: Sys Admin Interface + #vlan?: + # address: 129.125.60.102 + # netmask: /32 + # fqdn: 'winterpeen.hpc.rug.nl' + vlan983: + address: 172.23.40.230 + netmask: /32 umcg-node001: - addr: 172.23.40.1 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.1 + netmask: /32 umcg-node002: - addr: 172.23.40.2 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.2 + netmask: /32 umcg-node003: - addr: 172.23.40.3 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.3 + netmask: /32 umcg-node004: - addr: 172.23.40.4 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.4 + netmask: /32 umcg-node005: - addr: 172.23.40.5 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.5 + netmask: /32 umcg-node006: - addr: 172.23.40.6 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.6 + netmask: /32 umcg-node007: - addr: 172.23.40.7 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.7 + netmask: /32 umcg-node008: - addr: 172.23.40.8 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.8 + netmask: /32 umcg-node009: - addr: 172.23.40.9 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.9 + netmask: /32 umcg-node010: - addr: 
172.23.40.10 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.10 + netmask: /32 umcg-node011: - addr: 172.23.40.11 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.11 + netmask: /32 umcg-node012: - addr: 172.23.40.12 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.12 + netmask: /32 umcg-node013: - addr: 172.23.40.13 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.13 + netmask: /32 umcg-node014: - addr: 172.23.40.14 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.14 + netmask: /32 umcg-node015: - addr: 172.23.40.15 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.15 + netmask: /32 umcg-node016: - addr: 172.23.40.16 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.16 + netmask: /32 umcg-node017: - addr: 172.23.40.17 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.17 + netmask: /32 umcg-node018: - addr: 172.23.40.18 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.18 + netmask: /32 umcg-node019: - addr: 172.23.40.19 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.19 + netmask: /32 umcg-node020: - addr: 172.23.40.20 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node - calculon: - addr: 172.23.40.247 - mask: /32 - vlan: - fqdn: - desc: User Interface + vlan983: + address: 172.23.40.20 + netmask: /32 bender: - addr: 172.23.40.246 - mask: /32 - vlan: - fqdn: - desc: User Interface + vlan16: + address: 195.169.22.246 + netmask: /32 + fqdn: 'bender.gcc.rug.nl' + vlan983: + address: 172.23.40.246 + netmask: /32 flexo: - addr: 172.23.40.248 - 
mask: /32 - vlan: - fqdn: - desc: User Interface + vlan16: + address: 195.169.22.248 + netmask: /32 + fqdn: 'flexo.gcc.rug.nl' + vlan983: + address: 172.23.40.248 + netmask: /32 lobby: - addr: 10.10.1.144 - mask: /32 - vlan: internal_management - fqdn: - desc: Jumphost + cc_internal_management: + address: 10.10.1.144 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. + vlan16: + address: 195.169.22.135 + netmask: /32 + fqdn: 'lobby.hpc.rug.nl' ... diff --git a/group_vars/calculon_cluster/vars.yml b/group_vars/calculon_cluster/vars.yml index a0bea61ea..3df14263b 100644 --- a/group_vars/calculon_cluster/vars.yml +++ b/group_vars/calculon_cluster/vars.yml @@ -1,6 +1,6 @@ --- slurm_cluster_name: 'calculon' -slurm_cluster_domain: 'hpc.rug.nl' +stack_domain: 'hpc.rug.nl' stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file. stack_prefix: 'cc' repo_manager: 'spacewalk' @@ -12,16 +12,30 @@ motd: | Welcome to: {{ slurm_cluster_name | capitalize }} ========================================================= additional_etc_hosts: + - group: calculon_cluster + nodes: + - name: calculon + network: vlan983 + - name: flexo + network: vlan983 + - name: bender + work: vlan983 + - name: winterpeen + network: vlan983 + - group: docs_library + nodes: + - name: docs_on_merlin + network: vlan16 + - group: jenkins_server + nodes: + - name: jenkins + network: vlan16 - group: all - hosts: - - docs - - gattaca01 - - gattaca02 - - calculon - - boxy - - bender - - flexo - - winterpeen + nodes: + - name: gattaca01 + network: public + - name: gattaca02 + network: public ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-development-ca" use_ldap: yes create_ldap: no 
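Review bot: The commented-out `#vlan?:` block under `winterpeen` parks a candidate public address in the data file without saying who resolves it or why it is on hold; a single `# TODO: confirm winterpeen's public network and address before adding it here.` line above the host (or removing the block) would make the intent clear. Also `lobby` uses the network key `cc_internal_management` where every other calculon host uses `vlan983`/`vlan985`; that matches `network_private_management_id: "{{ stack_prefix }}_internal_management"` in the vars.yml hunk of this commit, so it appears deliberate, but a one-line comment such as `# Key names must match the OpenStack network ids from vars.yml.` would spare the next reader the cross-check.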
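Review bot: `work: vlan983` under `- name: bender` in `additional_etc_hosts` is a typo for `network: vlan983`; every sibling node entry in this list uses `network`, so whatever consumes the list will find no network for bender and either skip it or fail. Change the line to `network: vlan983`.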
@@ -32,13 +46,11 @@ ldap_group_object_class: 'groupofnames' cloud_image: CentOS 7 cloud_user: centos network_public_external_id: vlan16 -network_private_management_id: internal_management +network_private_management_id: "{{ stack_prefix }}_internal_management" network_private_management_cidr: '10.10.1.0/24' network_private_management_gw: '10.10.1.1' -network_private_storage_id: internal_storage +network_private_storage_id: "{{ stack_prefix }}_internal_storage" network_private_storage_cidr: '10.10.2.0/24' -public_ip_addresses: - lobby: '195.169.22.135' availability_zone: nova nameservers: [ '8.8.4.4', # Google DNS. diff --git a/group_vars/data_transfer.yml b/group_vars/data_transfer.yml index 3b59e8038..4bdb51ef2 100644 --- a/group_vars/data_transfer.yml +++ b/group_vars/data_transfer.yml @@ -3,9 +3,19 @@ firewall_allowed_tcp_ports: - 22 # SSH. - 443 # SSH. ssh_host_signer_hostnames: "{{ ansible_hostname }}\ - {% if slurm_cluster_domain | length %},{{ ansible_hostname }}.{{ slurm_cluster_domain }}{% endif %}\ - {% if public_ip_addresses[ansible_hostname] is defined and public_ip_addresses[ansible_hostname] | length %},{{ public_ip_addresses[ansible_hostname] }}{% endif %}\ - {% for host in groups['jumphost'] %},{{ host }}+{{ ansible_hostname }}{% endfor %}" + {% for network_id in ip_addresses[ansible_hostname] %}\ + {% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and + ip_addresses[ansible_hostname][network_id]['fqdn'] | length >= 1 %}\ + {% if ip_addresses[ansible_hostname][network_id]['fqdn'] == 'NXDOMAIN' %}\ + ,{{ ip_addresses[ansible_hostname][network_id]['address'] }}\ + {% else %}\ + ,{{ ip_addresses[ansible_hostname][network_id]['fqdn'] }}\ + {% endif %}\ + {% endif %}\ + {% endfor %}\ + {% for host in groups['jumphost'] %}\ + ,{{ host }}+{{ ansible_hostname }}\ + {% endfor %}" volumes: - mount_point: '/groups' device: '/dev/vdb' 
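Review bot: `{% for network_id in ip_addresses[ansible_hostname] %}` in the rewritten `ssh_host_signer_hostnames` indexes `ip_addresses` with no guard, whereas the removed version tested `public_ip_addresses[ansible_hostname] is defined` before dereferencing; a data_transfer host that is missing from its group's ip_addresses.yml now fails to render the whole variable instead of just omitting those principals. `{% for network_id in ip_addresses[ansible_hostname] | default({}) %}` keeps the old tolerance. The `'NXDOMAIN'` sentinel is also undocumented at its only consumer; a comment above the key, such as `# Principals: the hostname, each fqdn from ip_addresses for this host (the bare address where fqdn is 'NXDOMAIN'), and one jumphost+hostname pair per jumphost.`, would explain the loop to the next reader.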
diff --git a/group_vars/docs_library/ip_addresses.yml b/group_vars/docs_library/ip_addresses.yml
new file mode 100644
index 000000000..e99e768d1
--- /dev/null
+++ b/group_vars/docs_library/ip_addresses.yml
@@ -0,0 +1,12 @@
+---
+ip_addresses:
+ docs_on_merlin:
+ docs_internal_management:
+ address: 10.10.1.165
+ netmask: /32
+ publicly_exposed: true # This internal IP is linked to a public (floating) IP.
+ vlan16:
+ address: 195.169.22.179
+ netmask: /32
+ fqdn: 'docs.gcc.rug.nl'
+...
diff --git a/group_vars/docs_library/vars.yml b/group_vars/docs_library/vars.yml
index 2b399cd52..99fa4f7fa 100644
--- a/group_vars/docs_library/vars.yml
+++ b/group_vars/docs_library/vars.yml
@@ -1,5 +1,6 @@
 ---
 stack_prefix: 'docs'
+stack_domain: 'gcc.rug.nl'
 stack_name: "{{ stack_prefix }}_library" # stack_name must match the name of the folder that contains this vars.yml file.
 cloud_image: CentOS 7
 cloud_user: centos
@@ -7,8 +8,6 @@ network_public_external_id: vlan16
 network_private_management_id: "{{ stack_prefix }}_internal_management"
 network_private_management_cidr: '10.10.1.0/24'
 network_private_management_gw: '10.10.1.1'
-public_ip_addresses:
-# docs: 'xxx'
 availability_zone: nova
 nameservers: [
 '8.8.4.4', # Google DNS.
@@ -31,10 +30,28 @@ local_admin_users:
 # We will restrict SSH login on port 22 to these jumphosts using OpenStack security rules.
 #
 jumphosts:
- - 'airlock' # Gearshift
- - 'reception' # Talos
- - 'portal' # Hyperchicken
- - 'corridor' # Fender
- - 'tunnel' # Nibbler
- - 'porch' # Wingedhelix
+ - group: gearshift_cluster
+ hosts:
+ - hostname: airlock
+ network: vlan16
+ - group: talos_cluster
+ hosts:
+ - hostname: reception
+ network: vlan16
+ - group: hyperchicken_cluster
+ hosts:
+ - hostname: portal
+ network: public
+ - group: fender_cluster
+ hosts:
+ - hostname: corridor
+ network: public
+ - group: nibbler_cluster
+ hosts:
+ - hostname: tunnel
+ network: vlan16
+ - group: wingedhelix_cluster
+ hosts:
+ - hostname: porch
+ network: vlan16
 ...
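Review bot: The new `jumphosts` list uses `hosts:` / `hostname:` while the `additional_etc_hosts` lists rewritten elsewhere in this commit use `nodes:` / `name:` for the same group-plus-network shape; if both are read by the same lookup code one of them is wrong, and if they are consumed separately the difference deserves a comment so nobody "harmonises" it later. Either align the keys (`nodes:` with `name:` and `network:`) or add above `jumphosts:` a line such as `# Schema: group -> hosts[] -> {hostname, network}; intentionally distinct from additional_etc_hosts.` The comment above the list still says SSH on port 22 is restricted to these jumphosts via OpenStack security rules, so the network chosen per host (`vlan16` vs `public`) presumably has to be the one those rules see; a short note on how that network name is picked would help.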
diff --git a/group_vars/fender_cluster/ip_addresses.yml b/group_vars/fender_cluster/ip_addresses.yml index 99b952dfe..d6b1a6de9 100644 --- a/group_vars/fender_cluster/ip_addresses.yml +++ b/group_vars/fender_cluster/ip_addresses.yml 
@@ -1,104 +1,121 @@ --- ip_addresses: + corridor: + fd_internal_management: + address: 10.10.1.3 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. + public: + address: 45.88.81.213 + netmask: /32 + fqdn: 'NXDOMAIN' fd-dai: - addr: 10.10.1.63 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Deploy Admin Interface + fd_internal_management: + address: 10.10.1.63 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.15 + netmask: /32 fd-repo: - addr: 10.10.1.217 - mask: /32 - vlan: fd_internal_management - fqdn: + fd_internal_management: + address: 10.10.1.217 + netmask: /32 fd-sai: - addr: 10.10.1.25 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Sys Admin Interface - fd-vcompute12: - addr: 10.10.1.213 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node - fd-vcompute11: - addr: 10.10.1.97 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node - fd-vcompute09: - addr: 10.10.1.195 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node - fd-vcompute10: - addr: 10.10.1.253 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node - fd-vcompute08: - addr: 10.10.1.59 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node - fd-vcompute07: - addr: 10.10.1.105 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node - fd-vcompute06: - addr: 10.10.1.96 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node + fd_internal_management: + address: 10.10.1.25 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.132 + netmask: /32 fd-vcompute01: - addr: 10.10.1.191 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node + fd_internal_management: + address: 10.10.1.191 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.109 + netmask: /32 fd-vcompute02: - addr: 10.10.1.234 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node + 
fd_internal_management: + address: 10.10.1.234 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.138 + netmask: /32 + fd-vcompute03: + fd_internal_management: + address: 10.10.1.254 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.59 + netmask: /32 fd-vcompute04: - addr: 10.10.1.173 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node + fd_internal_management: + address: 10.10.1.173 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.91 + netmask: /32 fd-vcompute05: - addr: 10.10.1.117 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node - fd-vcompute03: - addr: 10.10.1.254 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: Compute Node + fd_internal_management: + address: 10.10.1.117 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.81 + netmask: /32 + fd-vcompute06: + fd_internal_management: + address: 10.10.1.96 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.119 + netmask: /32 + fd-vcompute07: + fd_internal_management: + address: 10.10.1.105 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.157 + netmask: /32 + fd-vcompute08: + fd_internal_management: + address: 10.10.1.59 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.178 + netmask: /32 + fd-vcompute09: + fd_internal_management: + address: 10.10.1.195 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.20 + netmask: /32 + fd-vcompute10: + fd_internal_management: + address: 10.10.1.253 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.214 + netmask: /32 + fd-vcompute11: + fd_internal_management: + address: 10.10.1.97 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.176 + netmask: /32 + fd-vcompute12: + fd_internal_management: + address: 10.10.1.213 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.146 + netmask: /32 fender: - addr: 10.10.1.100 - mask: /32 - vlan: fd_internal_management - fqdn: - desc: User Interface - corridor: - addr: 10.10.1.3 - mask: 
/32 - vlan: fd_internal_management - fqdn: - desc: Jumphost + fd_internal_management: + address: 10.10.1.100 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.226 + netmask: /32 ... diff --git a/group_vars/fender_cluster/vars.yml b/group_vars/fender_cluster/vars.yml index c5545d9a9..a72d2a1f8 100644 --- a/group_vars/fender_cluster/vars.yml +++ b/group_vars/fender_cluster/vars.yml @@ -1,6 +1,6 @@ --- slurm_cluster_name: 'fender' -slurm_cluster_domain: '' +stack_domain: '' stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file. stack_prefix: 'fd' slurm_version: '20.11.8-1.el7.umcg' @@ -24,15 +24,13 @@ slurm_partitions: features: "{{ groups['user_interface'] | map('extract', hostvars, 'slurm_features') | first | default('none') }}" extra_options: 'TRESBillingWeights="CPU=1.0,Mem=1.0G" AllowQos=ds-short,ds-medium,ds-long' repo_manager: 'pulp' -mailhub: '192.168.0.5' -rewrite_domain: "{{ stack_prefix }}-sai{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}" figlet_font: 'slant' motd: "To solve or not to solve, that's the question." additional_etc_hosts: - - group: all - hosts: - - docs - - docs_on_merlin + - group: docs_library + nodes: + - name: docs_on_merlin + network: vlan16 use_ldap: yes create_ldap: yes ldap_uri: ldaps://fd-dai @@ -47,8 +45,6 @@ network_private_management_cidr: '10.10.1.0/24' network_private_management_gw: '10.10.1.1' network_private_storage_id: "subnet-nfs-data-2541" network_private_storage_cidr: '10.35.141.0/24' -public_ip_addresses: - corridor: '45.88.81.213' availability_zone: nova nameservers: [ '8.8.4.4', # Google DNS. diff --git a/group_vars/gearshift_cluster/ip_addresses.yml b/group_vars/gearshift_cluster/ip_addresses.yml index a1c0f7f7f..4a2b864cc 100644 --- a/group_vars/gearshift_cluster/ip_addresses.yml +++ b/group_vars/gearshift_cluster/ip_addresses.yml 
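Review bot: `fqdn: 'NXDOMAIN'` under `corridor.public` is a sentinel rather than a name: the data_transfer.yml template in this commit compares against that exact string and substitutes the address, and nothing in this file says so. An inline comment, `fqdn: 'NXDOMAIN' # Sentinel: no DNS record; templates fall back to the address.`, keeps the file self-explanatory and stops someone "correcting" it to a real-looking hostname. The remainder of this hunk is a mechanical restructure of the existing per-host entries.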
@@ -1,98 +1,71 @@ --- ip_addresses: - sugarsnax: - addr: 172.23.40.35 - mask: /32 - vlan: vlan983 - fqdn: - desc: Deploy Admin Interface - imperator: - addr: 172.23.40.34 - mask: /32 - vlan: vlan983 - fqdn: - desc: Sys Admin Interface - gs-repo: - addr: 172.23.40.98 - mask: /32 - vlan: vlan983 - fqdn: - desc: Repository Management - gs-vcompute10: - addr: 172.23.40.90 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - gs-vcompute09: - addr: 172.23.40.89 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - gs-vcompute08: - addr: 172.23.40.88 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - gs-vcompute07: - addr: 172.23.40.87 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - gs-vcompute06: - addr: 172.23.40.86 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - gs-vcompute05: - addr: 172.23.40.85 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - gs-vcompute04: - addr: 172.23.40.84 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - gs-vcompute03: - addr: 172.23.40.83 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - gs-vcompute02: - addr: 172.23.40.82 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node + airlock: + vlan983: + address: 172.23.40.36 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. 
+ vlan16: + address: 129.125.60.196 + netmask: /32 + fqdn: 'airlock.hpc.rug.nl' gs-vcompute01: - addr: 172.23.40.81 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.81 + netmask: /32 + gs-vcompute02: + vlan983: + address: 172.23.40.82 + netmask: /32 + gs-vcompute03: + vlan983: + address: 172.23.40.83 + netmask: /32 + gs-vcompute04: + vlan983: + address: 172.23.40.84 + netmask: /32 + gs-vcompute05: + vlan983: + address: 172.23.40.85 + netmask: /32 + gs-vcompute06: + vlan983: + address: 172.23.40.86 + netmask: /32 + gs-vcompute07: + vlan983: + address: 172.23.40.87 + netmask: /32 + gs-vcompute08: + vlan983: + address: 172.23.40.88 + netmask: /32 + gs-vcompute09: + vlan983: + address: 172.23.40.89 + netmask: /32 + gs-vcompute10: + vlan983: + address: 172.23.40.90 + netmask: /32 + gs-repo: + vlan983: + address: 172.23.40.98 + netmask: /32 gearshift: - addr: 172.23.40.33 - mask: /32 - vlan: vlan983 - fqdn: - desc: User Interface - gearshift-storage: - addr: 172.23.34.33 - mask: /32 - vlan: vlan985 - desc: User Interface - Storage VLAN - airlock: - addr: 172.23.40.36 - mask: /32 - vlan: vlan983 - fqdn: - desc: Jumphost + vlan983: + address: 172.23.40.33 + netmask: /32 + vlan985: + address: 172.23.34.33 + netmask: /32 + imperator: + vlan983: + address: 172.23.40.34 + netmask: /32 + sugarsnax: + vlan983: + address: 172.23.40.35 + netmask: /32 ... diff --git a/group_vars/gearshift_cluster/vars.yml b/group_vars/gearshift_cluster/vars.yml index ae855187a..1349041bf 100644 --- a/group_vars/gearshift_cluster/vars.yml +++ b/group_vars/gearshift_cluster/vars.yml @@ -1,6 +1,6 @@ --- slurm_cluster_name: 'gearshift' -slurm_cluster_domain: 'hpc.rug.nl' +stack_domain: 'hpc.rug.nl' stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file. stack_prefix: 'gs' slurm_version: '20.11.8-1.el7.umcg' 
@@ -24,8 +24,6 @@ slurm_partitions: features: "{{ groups['user_interface'] | map('extract', hostvars, 'slurm_features') | first | default('none') }}" extra_options: 'TRESBillingWeights="CPU=1.0,Mem=1.0G" AllowQos=ds-short,ds-medium,ds-long' repo_manager: 'pulp' -mailhub: '172.23.34.34' -rewrite_domain: "imperator{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}" figlet_font: 'cyberlarge' motd: | ============================================================ @@ -36,18 +34,10 @@ motd: | all data in home dirs and tmp* group dirs will be lost! ============================================================ additional_etc_hosts: - - group: all - hosts: - - docs - - docs_on_merlin - - group: boxy_cluster - hosts: - - boxy-management - - boxy-storage - - group: calculon_cluster - hosts: - - calculon-management - - calculon-storage + - group: docs_library + nodes: + - name: docs_on_merlin + network: vlan16 ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-ca" use_ldap: yes create_ldap: no diff --git a/group_vars/hyperchicken_cluster/ip_addresses.yml b/group_vars/hyperchicken_cluster/ip_addresses.yml index 28dfe5595..ac3ff8961 100644 --- a/group_vars/hyperchicken_cluster/ip_addresses.yml +++ b/group_vars/hyperchicken_cluster/ip_addresses.yml 
@@ -1,38 +1,44 @@ --- ip_addresses: hc-dai: - addr: 10.10.1.252 - mask: /32 - vlan: hc_internal_management - fqdn: - desc: Deploy Admin Interface + hc_internal_management: + address: 10.10.1.252 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.105 + netmask: /32 + hc-repo: + hc_internal_management: + address: 10.10.1.87 + netmask: /32 hc-sai: - addr: 10.10.1.111 - mask: /32 - vlan: hc_internal_management - fqdn: - desc: Sys Admin Interface + hc_internal_management: + address: 10.10.1.111 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.41 + netmask: /32 hc-vcompute01: - addr: 10.10.1.18 - mask: /32 - vlan: hc_internal_management - fqdn: - desc: Compute Node + hc_internal_management: + address: 10.10.1.18 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.125 + netmask: /32 hyperchicken: - addr: 10.10.1.54 - mask: /32 - vlan: hc_internal_management - fqdn: - desc: User Interface - hc-repo: - addr: 10.10.1.87 - mask: /32 - vlan: hc_internal_management - fqdn: + hc_internal_management: + address: 10.10.1.54 + netmask: /32 + subnet-nfs-data-2541: + address: 10.35.141.70 + netmask: /32 portal: - addr: 10.10.1.37 - mask: /32 - vlan: hc_internal_management - fqdn: - desc: Jumphost + hc_internal_management: + address: 10.10.1.37 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. + public: + address: 45.88.81.146 + netmask: /32 + fqdn: 'NXDOMAIN' ... diff --git a/group_vars/hyperchicken_cluster/vars.yml b/group_vars/hyperchicken_cluster/vars.yml index e1036300a..e454cc95a 100644 --- a/group_vars/hyperchicken_cluster/vars.yml +++ b/group_vars/hyperchicken_cluster/vars.yml @@ -1,6 +1,6 @@ --- slurm_cluster_name: 'hyperchicken' -slurm_cluster_domain: '' +stack_domain: '' stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file. stack_prefix: 'hc' slurm_version: '20.11.8-1.el7.umcg' 
@@ -24,15 +24,13 @@ slurm_partitions: features: "{{ groups['user_interface'] | map('extract', hostvars, 'slurm_features') | first | default('none') }}" extra_options: 'TRESBillingWeights="CPU=1.0,Mem=1.0G" AllowQos=ds-short,ds-medium,ds-long' repo_manager: 'pulp' -mailhub: '192.168.0.5' -rewrite_domain: "{{ stack_prefix }}-sai{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}" figlet_font: 'lockergnome' motd: "To solve or not to solve, that's the question." additional_etc_hosts: - - group: all - hosts: - - docs - - docs_on_merlin + - group: docs_library + nodes: + - name: docs_on_merlin + network: vlan16 use_ldap: yes create_ldap: yes ldap_uri: ldaps://hc-dai @@ -47,8 +45,6 @@ network_private_management_cidr: '10.10.1.0/24' network_private_management_gw: '10.10.1.1' network_private_storage_id: "subnet-nfs-data-2541" network_private_storage_cidr: '10.35.141.0/24' -public_ip_addresses: - portal: '45.88.81.146' availability_zone: nova nameservers: [ '8.8.4.4', # Google DNS. diff --git a/group_vars/jenkins_server/ip_addresses.yml b/group_vars/jenkins_server/ip_addresses.yml new file mode 100644 index 000000000..e198fa2cd --- /dev/null +++ b/group_vars/jenkins_server/ip_addresses.yml @@ -0,0 +1,12 @@ +--- +ip_addresses: + jenkins: + jenkins_internal_management: + address: 10.10.1.181 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. + vlan16: + address: 195.169.22.185 + netmask: /32 + fqdn: 'jenkins.gcc.rug.nl' +... diff --git a/group_vars/jenkins_server/vars.yml b/group_vars/jenkins_server/vars.yml index 05bceca39..4c83da3c2 100644 --- a/group_vars/jenkins_server/vars.yml +++ b/group_vars/jenkins_server/vars.yml 
@@ -7,7 +7,6 @@ network_public_external_id: vlan16 network_private_management_id: "{{ stack_prefix }}_internal_management" network_private_management_cidr: '10.10.1.0/24' network_private_management_gw: '10.10.1.1' -public_ip_addresses: availability_zone: nova nameservers: [ '8.8.4.4', # Google DNS. @@ -30,12 +29,30 @@ local_admin_users: # We will restrict SSH login on port 22 to these jumphosts using OpenStack security rules. # jumphosts: - - 'airlock' # Gearshift - - 'reception' # Talos - - 'portal' # Hyperchicken - - 'corridor' # Fender - - 'tunnel' # Nibbler - - 'porch' # Wingedhelix + - group: gearshift_cluster + hosts: + - hostname: airlock + network: vlan16 + - group: talos_cluster + hosts: + - hostname: reception + network: vlan16 + - group: hyperchicken_cluster + hosts: + - hostname: portal + network: public + - group: fender_cluster + hosts: + - hostname: corridor + network: public + - group: nibbler_cluster + hosts: + - hostname: tunnel + network: vlan16 + - group: wingedhelix_cluster + hosts: + - hostname: porch + network: vlan16 jenkins_plugins: - warnings-ng jenkins_plugins_install_dependencies: true diff --git a/group_vars/jumphost.yml b/group_vars/jumphost.yml index 510012217..ca2447d54 100644 --- a/group_vars/jumphost.yml +++ b/group_vars/jumphost.yml 
@@ -6,10 +6,14 @@ firewall_allowed_tcp_ports: firewall_additional_rules: - "iptables -A INPUT -i eth1 -p tcp -s 129.125.2.233,129.125.2.225,129.125.2.226 --dport 9090 -j ACCEPT -m comment --comment 'prometheus server'" ssh_host_signer_hostnames: "{{ ansible_hostname }}\ - {% if slurm_cluster_domain | length %}\ - ,{{ ansible_hostname }}.{{ slurm_cluster_domain }}\ - {% endif %}\ - {% if public_ip_addresses[ansible_hostname] is defined and public_ip_addresses[ansible_hostname] | length %}\ - ,{{ public_ip_addresses[ansible_hostname] }}\ - {% endif %}" + {% for network_id in ip_addresses[ansible_hostname] %}\ + {% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and + ip_addresses[ansible_hostname][network_id]['fqdn'] | length >= 1 %}\ + {% if ip_addresses[ansible_hostname][network_id]['fqdn'] == 'NXDOMAIN' %}\ + ,{{ ip_addresses[ansible_hostname][network_id]['address'] }}\ + {% else %}\ + ,{{ ip_addresses[ansible_hostname][network_id]['fqdn'] }}\ + {% endif %}\ + {% endif %}\ + {% endfor %}" ... diff --git a/group_vars/marvin_cluster/ip_addresses.yml b/group_vars/marvin_cluster/ip_addresses.yml deleted file mode 100644 index 260559c26..000000000 --- a/group_vars/marvin_cluster/ip_addresses.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -ip_addresses: - mv-dai: - addr: 192.168.0.11 - mask: /32 - vlan: vlan983 - fqdn: - desc: Deploy Admin Interface - mv-sai: - addr: 192.168.0.12 - mask: /32 - vlan: vlan983 - fqdn: - desc: Sys Admin Interface - mv-vcompute01: - addr: 192.168.0.7 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - marvin: - addr: 192.168.0.4 - mask: /32 - vlan: vlan983 - fqdn: - desc: User Interface - dockingport: - addr: 192.168.0.9 - mask: /32 - vlan: vlan983 - fqdn: - desc: Jumphost -... diff --git a/group_vars/marvin_cluster/vars.yml b/group_vars/marvin_cluster/vars.yml index 6f60b860d..3d872d61e 100644 --- a/group_vars/marvin_cluster/vars.yml +++ b/group_vars/marvin_cluster/vars.yml 
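Review bot: The new ssh_host_signer_hostnames loop accepts any non-empty `fqdn` other than the literal 'NXDOMAIN' as a host-certificate principal, so the free-text placeholder the generator in group_vars/template/ip_addresses.yml.j2 writes when reverse DNS cannot be resolved ("WARNING: Check manually for DNS CNAME records ...") would be signed into the certificate verbatim if it ever lands in an ip_addresses.yml. Because these fqdn values originate from a PTR lookup at generation time, the acceptance test should be positive rather than a single exclusion, e.g. `{% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and ip_addresses[ansible_hostname][network_id]['fqdn'] is match('^[A-Za-z0-9.-]+$') %}`, keeping the address fallback for 'NXDOMAIN'. The removed lines always added the public IP as a principal when one was defined, whereas the new loop adds it only in the NXDOMAIN case, so a client that reaches a jumphost by its public IP instead of its fqdn would no longer match the certificate; confirm that is intended. The quoted value assigned to ssh_host_signer_hostnames begins and ends inside this hunk.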
@@ -1,6 +1,6 @@ --- slurm_cluster_name: 'marvin' -slurm_cluster_domain: '' +stack_domain: '' stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file. stack_prefix: 'mv' slurm_version: '20.11.8-1.el7.umcg' @@ -24,16 +24,13 @@ slurm_partitions: features: "{{ groups['user_interface'] | map('extract', hostvars, 'slurm_features') | first | default('none') }}" extra_options: 'TRESBillingWeights="CPU=1.0,Mem=1.0G" AllowQos=ds-short,ds-medium,ds-long' repo_manager: 'pulp' -mailhub: '192.168.0.5' -rewrite_domain: "{{ stack_prefix }}-sai{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}" figlet_font: 'speed' motd: "It is rare, but not unheard of." additional_etc_hosts: - - group: all - hosts: - - docs - - docs_on_merlin -use_ldap: yes + - group: docs_library + nodes: + - name: docs_on_merlin + network: vlan16 create_ldap: yes use_sssd: yes ldap_domains: @@ -51,8 +48,6 @@ ldap_domains: cloud_image: centos7 cloud_user: centos public_net_id: ext-net-37 -public_ip_addresses: - dockingport: '193.62.55.244' private_net_id: EJP-RD-network private_subnet_id: EJP-RD-subnet private_storage_net_id: diff --git a/group_vars/nibbler_cluster/ip_addresses.yml b/group_vars/nibbler_cluster/ip_addresses.yml index 444cc9468..6026ee151 100644 --- a/group_vars/nibbler_cluster/ip_addresses.yml +++ b/group_vars/nibbler_cluster/ip_addresses.yml 
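Review bot: `use_ldap: yes` is deleted together with the old additional_etc_hosts block in the `@@ -24,16 +24,13 @@` hunk of group_vars/marvin_cluster/vars.yml, while every other stack's vars.yml in this diff keeps that key; the line counts confirm it is a real removal, not a move. Unless marvin is meant to stop using LDAP while still setting `create_ldap: yes` and `use_sssd: yes`, restore `use_ldap: yes` directly below the new `network: vlan16` entry. The other two hunks of this file (the stack_domain rename and dropping public_ip_addresses) match what is done for the other stacks.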
@@ -1,73 +1,93 @@ --- ip_addresses: - irods-test: - addr: 10.10.1.182 - mask: /32 - vlan: internal_management - fqdn: irods-catalogus: - addr: 10.10.1.121 - mask: /32 - vlan: internal_management - fqdn: - nb-transfer: - addr: 10.10.1.12 - mask: /32 - vlan: internal_management - fqdn: - desc: Data Transfer + nb_internal_management: + address: 10.10.1.121 + netmask: /32 + nb_internal_management_13: + address: 10.10.3.154 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. + vlan13: + address: 129.125.55.10 + netmask: /32 + fqdn: 'umcg-icat01.hpc.rug.nl' + irods-test: + nb_internal_management: + address: 10.10.1.182 + netmask: /32 + nb_internal_management_13: + address: 10.10.3.17 + netmask: /32 + nb-dai: + nb_internal_management: + address: 10.10.1.75 + netmask: /32 + nb_internal_storage: + address: 10.10.2.61 + netmask: /32 nb-repo: - addr: 10.10.1.56 - mask: /32 - vlan: internal_management - fqdn: - desc: Repository Management + nb_internal_management: + address: 10.10.1.56 + netmask: /32 nb-sai: - addr: 10.10.1.106 - mask: /32 - vlan: internal_management - fqdn: - desc: Sys Admin Interface - nb-dai: - addr: 10.10.1.75 - mask: /32 - vlan: internal_management - fqdn: - desc: Deploy Admin Interface - nb-vcompute04: - addr: 10.10.1.152 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node - nb-vcompute03: - addr: 10.10.1.108 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node - nb-vcompute02: - addr: 10.10.1.140 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + nb_internal_management: + address: 10.10.1.106 + netmask: /32 + nb_internal_storage: + address: 10.10.2.68 + netmask: /32 + nb-transfer: + nb_internal_management: + address: 10.10.1.12 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. 
+ vlan16: + address: 195.169.22.166 + netmask: /32 + fqdn: 'nb-transfer.hpc.rug.nl' nb-vcompute01: - addr: 10.10.1.199 - mask: /32 - vlan: internal_management - fqdn: - desc: Compute Node + nb_internal_management: + address: 10.10.1.199 + netmask: /32 + nb_internal_storage: + address: 10.10.2.215 + netmask: /32 + nb-vcompute02: + nb_internal_management: + address: 10.10.1.140 + netmask: /32 + nb_internal_storage: + address: 10.10.2.38 + netmask: /32 + nb-vcompute03: + nb_internal_management: + address: 10.10.1.108 + netmask: /32 + nb_internal_storage: + address: 10.10.2.55 + netmask: /32 + nb-vcompute04: + nb_internal_management: + address: 10.10.1.missing + netmask: /32 + nb_internal_storage: + address: 10.10.2.missing + netmask: /32 nibbler: - addr: 10.10.1.112 - mask: /32 - vlan: internal_management - fqdn: - desc: User Interface + nb_internal_management: + address: 10.10.1.112 + netmask: /32 + nb_internal_storage: + address: 10.10.2.87 + netmask: /32 tunnel: - addr: 10.10.1.188 - mask: /32 - vlan: internal_management - fqdn: - desc: Jumphost + nb_internal_management: + address: 10.10.1.188 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. + vlan16: + address: 195.169.22.136 + netmask: /32 + fqdn: 'tunnel.hpc.rug.nl' ... diff --git a/group_vars/nibbler_cluster/vars.yml b/group_vars/nibbler_cluster/vars.yml index cb38010f6..3c042f06e 100644 --- a/group_vars/nibbler_cluster/vars.yml +++ b/group_vars/nibbler_cluster/vars.yml @@ -1,6 +1,6 @@ --- slurm_cluster_name: 'nibbler' -slurm_cluster_domain: 'hpc.rug.nl' +stack_domain: 'hpc.rug.nl' stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file. stack_prefix: 'nb' slurm_version: '20.11.8-1.el7.umcg' 
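Review bot: nb-vcompute04 is committed with the non-addresses `address: 10.10.1.missing` and `address: 10.10.2.missing` on both of its networks, and nothing in the data structure marks them as placeholders, so every consumer of ip_addresses (the jumphost ssh_host_signer_hostnames expression and the totp exclusion list elsewhere in this diff, and any hosts-file or rule template fed from it) will render them as if they were real values. Either fill in the fixed addresses from the OpenStack API before merging or leave the nb-vcompute04 entry out until they are known; if the generator template produced these, it should fail on a missing fixed address rather than emit a placeholder. If the entry has to land as is, at least precede it with `# TODO: addresses unknown; do not deploy nb-vcompute04 until these are replaced.` so the state is explicit to the next reader.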
@@ -33,8 +33,6 @@ slurm_partitions: features: "{{ groups['user_interface'] | map('extract', hostvars, 'slurm_features') | first | default('none') }}" extra_options: 'TRESBillingWeights="CPU=1.0,Mem=1.0G" AllowQos=ds-short,ds-medium,ds-long' repo_manager: 'pulp' -mailhub: '192.168.0.5' -rewrite_domain: "{{ stack_prefix }}-sai{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}" figlet_font: 'ogre' motd: | ========================================================= @@ -47,19 +45,14 @@ motd: | which are on a different (production) storage system. ========================================================= additional_etc_hosts: - - group: all - hosts: - - docs - - docs_on_merlin - - jenkins - - group: boxy_cluster - hosts: - - boxy-management - - boxy-storage - - group: calculon_cluster - hosts: - - calculon-management - - calculon-storage + - group: docs_library + nodes: + - name: docs_on_merlin + network: vlan16 + - group: jenkins_server + nodes: + - name: jenkins + network: vlan16 ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-development-ca" use_ldap: yes create_ldap: no @@ -93,11 +86,11 @@ ldap_domains: cloud_image: CentOS 7 cloud_user: centos network_public_external_id: vlan16 -network_private_management_id: internal_management -network_private_management_id_13: internal_management_13 +network_private_management_id: "{{ stack_prefix }}_internal_management" +network_private_management_id_13: "{{ stack_prefix }}_internal_management_13" network_private_management_cidr: '10.10.1.0/24' network_private_management_gw: '10.10.1.1' -network_private_storage_id: internal_storage +network_private_storage_id: "{{ stack_prefix }}_internal_storage" network_private_storage_cidr: '10.10.2.0/24' availability_zone: nova nameservers: [ diff --git a/group_vars/talos_cluster/ip_addresses.yml b/group_vars/talos_cluster/ip_addresses.yml index 996fa1c42..6c980c3c8 100644 --- a/group_vars/talos_cluster/ip_addresses.yml 
+++ b/group_vars/talos_cluster/ip_addresses.yml @@ -1,56 +1,43 @@ --- ip_addresses: - tl-repo: - addr: 172.23.40.99 - mask: /32 - vlan: vlan983 - fqdn: - desc: Repository Management + reception: + vlan983: + address: 172.23.40.100 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. + vlan16: + address: 129.125.60.18 + netmask: /32 + fqdn: 'reception.hpc.rug.nl' + talos: + vlan983: + address: 172.23.40.92 + netmask: /32 + vlan985: + address: 172.23.34.92 + netmask: /32 tl-dai: - addr: 172.23.40.94 - mask: /32 - vlan: vlan983 - fqdn: - desc: Deploy Admin Interface + vlan983: + address: 172.23.40.94 + netmask: /32 + tl-repo: + vlan983: + address: 172.23.40.99 + netmask: /32 tl-sai: - addr: 172.23.40.93 - mask: /32 - vlan: vlan983 - fqdn: - desc: Sys Admin Interface - tl-vcompute03: - addr: 172.23.40.97 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - tl-vcompute02: - addr: 172.23.40.96 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node + vlan983: + address: 172.23.40.93 + netmask: /32 tl-vcompute01: - addr: 172.23.40.95 - mask: /32 - vlan: vlan983 - fqdn: - desc: Compute Node - talos: - addr: 172.23.40.92 - mask: /32 - vlan: vlan983 - fqdn: - desc: User Interface - talos-storage: - addr: 172.23.34.92 - mask: /32 - vlan: vlan985 - desc: User Interface - Storage VLAN - reception: - addr: 172.23.40.100 - mask: /32 - vlan: vlan983 - fqdn: - desc: Jumphost + vlan983: + address: 172.23.40.95 + netmask: /32 + tl-vcompute02: + vlan983: + address: 172.23.40.96 + netmask: /32 + tl-vcompute03: + vlan983: + address: 172.23.40.97 + netmask: /32 ... diff --git a/group_vars/talos_cluster/vars.yml b/group_vars/talos_cluster/vars.yml index 87a6542e0..e1c5f577b 100644 --- a/group_vars/talos_cluster/vars.yml +++ b/group_vars/talos_cluster/vars.yml 
@@ -1,6 +1,6 @@ --- slurm_cluster_name: 'talos' -slurm_cluster_domain: 'hpc.rug.nl' +stack_domain: 'hpc.rug.nl' stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file. stack_prefix: 'tl' slurm_version: '20.11.8-1.el7.umcg' @@ -25,8 +25,6 @@ slurm_partitions: features: "{{ groups['user_interface'] | map('extract', hostvars, 'slurm_features') | first | default('none') }}" extra_options: 'TRESBillingWeights="CPU=1.0,Mem=1.0G" AllowQos=ds-short,ds-medium,ds-long' repo_manager: 'pulp' -mailhub: '172.23.34.34' -rewrite_domain: "{{ stack_prefix }}-sai{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}" figlet_font: 'ogre' motd: | ========================================================= @@ -39,18 +37,10 @@ motd: | which are on a different (production) storage system. ========================================================= additional_etc_hosts: - - group: all - hosts: - - docs - - docs_on_merlin - - group: boxy_cluster - hosts: - - boxy-management - - boxy-storage - - group: calculon_cluster - hosts: - - calculon-management - - calculon-storage + - group: docs_library + nodes: + - name: docs_on_merlin + network: vlan16 ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-development-ca" use_ldap: yes create_ldap: no @@ -197,10 +187,10 @@ iptables_allow_icmp_inbound: - 'calculon' - 'flexo' - 'gate' - - 'zinc-finger' + - 'zinc_finger' - 'coenzyme' - 'passage' - - 'leucine-zipper' + - 'leucine_zipper' - 'chaperone' - 'airlock' - 'jenkins1' @@ -218,10 +208,10 @@ iptables_allow_ssh_inbound: - 'calculon' - 'flexo' - 'gate' - - 'zinc-finger' + - 'zinc_finger' - 'coenzyme' - 'passage' - - 'leucine-zipper' + - 'leucine_zipper' - 'chaperone' - 'airlock' - 'jenkins1' diff --git a/group_vars/template/ip_addresses.yml.j2 b/group_vars/template/ip_addresses.yml.j2 index e456da0b1..910374034 100644 --- a/group_vars/template/ip_addresses.yml.j2 
+++ b/group_vars/template/ip_addresses.yml.j2 
@@ -1,26 +1,36 @@ #jinja2: trim_blocks:True, lstrip_blocks: True --- ip_addresses: -{% for server_info in relevant_servers_info %} +{% for server_info in relevant_servers_info | sort(attribute='name') %} {{ server_info.name }}: - addr: {{ server_info.addresses[network_private_management_id] | selectattr('OS-EXT-IPS:type', 'equalto', 'fixed') | map(attribute='addr') | first }} - mask: /32 - vlan: {{ network_private_management_id }} - fqdn: - {% if server_info.name in groups['jumphost']%} - desc: Jumphost - {% elif server_info.name in groups['repo']%} - desc: Repository Management - {% elif server_info.name in groups['data_transfer']%} - desc: Data Transfer - {% elif server_info.name in groups['sys_admin_interface']%} - desc: Sys Admin Interface - {% elif server_info.name in groups['deploy_admin_interface']%} - desc: Deploy Admin Interface - {% elif server_info.name in groups['user_interface'] %} - desc: User Interface - {% elif server_info.name in groups['compute_vm']%} - desc: Compute Node + {% for network_id in server_info.addresses | default([]) | sort %} + {{ network_id }}: + address: {{ server_info.addresses[network_id] | selectattr('OS-EXT-IPS:type', 'equalto', 'fixed') | map(attribute='addr') | first }} + netmask: /32 + {% if server_info.addresses[network_id] | selectattr('OS-EXT-IPS:type', 'equalto', 'floating') | map(attribute='addr') | first is defined %} + publicly_exposed: true # This internal IP is linked to a public (floating) IP. 
+ {% set floating_ip = server_info.addresses[network_id] + | selectattr('OS-EXT-IPS:type', 'equalto', 'floating') + | map(attribute='addr') + | first %} + {% set floating_network_id = api_fip_info.floating_ips + | selectattr('floating_ip_address', 'equalto', floating_ip) + | map(attribute='floating_network_id') + | first %} + {% set dns_a_record = lookup('community.general.dig', floating_ip + '/PTR') + | regex_replace('\.$', '') %} + {% if dns_a_record == 'NXDOMAIN' %} + {% set fqdn = dns_a_record %} + {% elif stack_domain is defined and stack_domain | length >= 1 and stack_domain in dns_a_record %} + {% set fqdn = dns_a_record %} + {% else %} + {% set fqdn = 'WARNING: Check manually for DNS CNAME records a.k.a. aliases: we cannot reverse lookup an alias automagically.' %} + {% endif %} + {{ api_network_info.openstack_networks | selectattr('id', 'equalto', floating_network_id) | map(attribute='name') | first }}: + address: {{ server_info.addresses[network_id] | selectattr('OS-EXT-IPS:type', 'equalto', 'floating') | map(attribute='addr') | first }} + netmask: /32 + fqdn: '{{ fqdn }}' {% endif %} + {% endfor %} {% endfor %} ... diff --git a/group_vars/wingedhelix_cluster/ip_addresses.yml b/group_vars/wingedhelix_cluster/ip_addresses.yml index 5126a86e8..4decad7d5 100644 --- a/group_vars/wingedhelix_cluster/ip_addresses.yml +++ b/group_vars/wingedhelix_cluster/ip_addresses.yml 
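Review bot: The sanity check on the reverse-DNS result, `stack_domain in dns_a_record`, is a substring test, so a PTR naming a host in a different zone whose name merely contains the stack domain string passes as belonging to the stack; since the resulting `fqdn` is written into ip_addresses.yml and later becomes an SSH host-certificate principal via group_vars/jumphost.yml, it should be a suffix test: `{% elif stack_domain is defined and stack_domain | length >= 1 and dns_a_record.endswith('.' ~ stack_domain) %}`. The PTR record is administered by whoever controls the floating IP's reverse zone, so its value should be treated as a hint to be validated, not as verified identity. The else branch writes a free-text warning sentence into the `fqdn` field of the generated YAML, which downstream templates cannot distinguish from a real hostname; emitting `fqdn: ''` with the warning as a YAML comment on the preceding line, or failing the generation, would be safer.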
@@ -1,44 +1,51 @@ --- ip_addresses: + porch: + wh_internal_management: + address: 10.10.1.148 + netmask: /32 + publicly_exposed: true # This internal IP is linked to a public (floating) IP. + vlan16: + address: 195.169.22.170 + netmask: /32 + fqdn: 'NXDOMAIN' wh-dai: - addr: 10.10.1.155 - mask: /32 - vlan: wh_internal_management - fqdn: - desc: Deploy Admin Interface + wh_internal_management: + address: 10.10.1.155 + netmask: /32 + wh_internal_storage: + address: 10.10.2.192 + netmask: /32 + wh-repo: + wh_internal_management: + address: 10.10.1.107 + netmask: /32 wh-sai: - addr: 10.10.1.36 - mask: /32 - vlan: wh_internal_management - fqdn: - desc: Sys Admin Interface - wh-vcompute02: - addr: 10.10.1.230 - mask: /32 - vlan: wh_internal_management - fqdn: - desc: Compute Node + wh_internal_management: + address: 10.10.1.36 + netmask: /32 + wh_internal_storage: + address: 10.10.2.20 + netmask: /32 wh-vcompute01: - addr: 10.10.1.219 - mask: /32 - vlan: wh_internal_management - fqdn: - desc: Compute Node + wh_internal_management: + address: 10.10.1.219 + netmask: /32 + wh_internal_storage: + address: 10.10.2.67 + netmask: /32 + wh-vcompute02: + wh_internal_management: + address: 10.10.1.230 + netmask: /32 + wh_internal_storage: + address: 10.10.2.185 + netmask: /32 wingedhelix: - addr: 10.10.1.245 - mask: /32 - vlan: wh_internal_management - fqdn: - desc: User Interface - wh-repo: - addr: 10.10.1.107 - mask: /32 - vlan: wh_internal_management - fqdn: - porch: - addr: 10.10.1.148 - mask: /32 - vlan: wh_internal_management - fqdn: - desc: Jumphost + wh_internal_management: + address: 10.10.1.245 + netmask: /32 + wh_internal_storage: + address: 10.10.2.77 + netmask: /32 ... diff --git a/group_vars/wingedhelix_cluster/vars.yml b/group_vars/wingedhelix_cluster/vars.yml index c81ad7119..3db878eaf 100644 --- a/group_vars/wingedhelix_cluster/vars.yml +++ b/group_vars/wingedhelix_cluster/vars.yml 
@@ -1,6 +1,6 @@ --- slurm_cluster_name: 'wingedhelix' -slurm_cluster_domain: '' # Only add hpc.rug.nl domain when jumphost is registered in DNS. +stack_domain: 'hpc.rug.nl' stack_name: "{{ slurm_cluster_name }}_cluster" # stack_name must match the name of the folder that contains this vars.yml file. stack_prefix: 'wh' slurm_version: '20.11.8-1.el7.umcg' @@ -24,18 +24,22 @@ slurm_partitions: features: "{{ groups['user_interface'] | map('extract', hostvars, 'slurm_features') | first | default('none') }}" extra_options: 'TRESBillingWeights="CPU=1.0,Mem=1.0G" AllowQos=ds-short,ds-medium,ds-long' repo_manager: 'pulp' -mailhub: '192.168.0.5' # we need to check or remove, as it looks like it is not used anywhere -rewrite_domain: "{{ stack_prefix }}-sai{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}" figlet_font: 'ogre' motd: | ========================================================= Welcome to {{ slurm_cluster_name | capitalize }} ========================================================= additional_etc_hosts: + - group: docs_library + nodes: + - name: docs_on_merlin + network: vlan16 - group: all - hosts: - - docs - - docs_on_merlin + nodes: + - name: gattaca01 + network: public + - name: gattaca02 + network: public use_ldap: yes create_ldap: no use_sssd: yes 
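Review bot: The removed comment on the old `slurm_cluster_domain` line said the domain should only be set once the jumphost is registered in DNS, yet the new `stack_domain: 'hpc.rug.nl'` lands in the same commit as `fqdn: 'NXDOMAIN'` for porch's vlan16 address in group_vars/wingedhelix_cluster/ip_addresses.yml, i.e. porch still has no reverse record. If anything besides the ip_addresses generator derives host names from stack_domain, wingedhelix will now advertise hpc.rug.nl names that do not resolve; either keep stack_domain empty until the record exists or carry the caveat over as `stack_domain: 'hpc.rug.nl'  # Jumphost porch is not in DNS yet (fqdn NXDOMAIN in ip_addresses.yml).`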
@@ -58,19 +62,18 @@ totp: machines: "{{ groups['jumphost'] }}" excluded: - 'LOCAL' - - "{{ all.ip_addresses['umcg_net1']['addr'] }}{{ all.ip_addresses['umcg_net1']['mask'] }}" - - "{{ all.ip_addresses['umcg_net2']['addr'] }}{{ all.ip_addresses['umcg_net2']['mask'] }}" - - "{{ all.ip_addresses['umcg_net3']['addr'] }}{{ all.ip_addresses['umcg_net3']['mask'] }}" + - "{{ all.ip_addresses['umcg']['net1']['address'] }}{{ all.ip_addresses['umcg']['net1']['netmask'] }}" + - "{{ all.ip_addresses['umcg']['net2']['address'] }}{{ all.ip_addresses['umcg']['net2']['netmask'] }}" + - "{{ all.ip_addresses['umcg']['net3']['address'] }}{{ all.ip_addresses['umcg']['net3']['netmask'] }}" + - "{{ all.ip_addresses['umcg']['net4']['address'] }}{{ all.ip_addresses['umcg']['net4']['netmask'] }}" cloud_image: CentOS 7 cloud_user: centos network_public_external_id: vlan16 -network_private_management_id: wh_internal_management +network_private_management_id: "{{ stack_prefix }}_internal_management" network_private_management_cidr: '10.10.1.0/24' network_private_management_gw: '10.10.1.1' -network_private_storage_id: wh_internal_storage +network_private_storage_id: "{{ stack_prefix }}_internal_storage" network_private_storage_cidr: '10.10.2.0/24' -public_ip_addresses: - porch: '195.169.22.170' availability_zone: nova nameservers: [ '8.8.4.4', # Google DNS. diff --git a/galaxy-requirements.yml b/requirements.yml similarity index 92% rename from galaxy-requirements.yml rename to requirements.yml index 8d03c0f4c..ef913e5ce 100644 --- a/galaxy-requirements.yml +++ b/requirements.yml 
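Review bot: The totp `excluded` list gains a fourth UMCG range, `all.ip_addresses['umcg']['net4']`, which widens the set of source networks exempt from two-factor authentication on the wingedhelix jumphost; the corresponding `net4` entry in group_vars/all/ip_addresses.yml is not part of the visible diff, so confirm it exists under the new `umcg` -> `net4` -> `address`/`netmask` layout and that its `desc` states why that range is trusted. A short comment above the four lines, e.g. `# UMCG office/VPN ranges: already behind the institute's own authentication.` (adjusted to the real reason), would document the exemption where it is granted. The totp mapping starts before this hunk.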
@@ -12,16 +12,18 @@ roles: - src: geerlingguy.postgresql version: 3.1.1 collections: + - name: ansible.utils + version: '>=2.0.1' + - name: ansible.posix + version: '>=1.2.0' - name: community.general version: '>=3.0.2' + - name: community.mysql + version: '>=2.3.5' - name: openstack.cloud version: '>=1.5.0' - - name: ansible.posix - version: '>=1.2.0' - name: pulp.pulp_installer version: '==3.16.0' - name: pulp.squeezer version: '>=0.0.8' - - name: community.mysql - version: '>=2.3.5' ... diff --git a/roles/include_vars_from_other_groups/README.md b/roles/include_vars_from_other_groups/README.md new file mode 100644 index 000000000..a82e9204b --- /dev/null +++ b/roles/include_vars_from_other_groups/README.md 
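Review bot: Every collection except pulp.pulp_installer is constrained with an open-ended `>=`, and .circleci/config.yml now installs from this file on each run, so the collection set that CI tests drifts whenever a newer release is published and cannot be reproduced later. Pinning exact releases here, as is already done with `version: '==3.16.0'` for pulp.pulp_installer and apparently with the tag `version: 3.1.1` in the roles section that starts above this hunk, keeps CI and operator installs on the same reviewable set; a periodic bump commit is then the place to review what changed. The reordering itself is fine.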
@@ -0,0 +1,132 @@
+# Role to include variables from other stack groups.
+
+## group_vars/{{ stackname }}/ ip_addresses.yml
+
+The `ip_addresses.yml` files are
+ * either generated with a playbook that creates machines by talking to the OpenStack API
+ and using the template from `group_vars/template/ip_addresses.yml.j2`
+ * or manually created for stacks for which the machines are only configured with Ansible,
+ but not not created via the OpenStack API. E.g. `group_vars/all/ip_addresses.yml` was created manually.
+
+The data structure in an `ip_addresses.yml` file is a 2 level deep nested dict.
+For machines it can be something like this:
+
+```
+ip_addresses:
+ machine:
+ some_internal_network_name:
+ address: 10.10.1.1
+ netmask: /32
+ another_internal_network_name:
+ address: 10.10.3.1
+ netmask: /32
+ publicly_exposed: true # This internal IP is linked to a public (floating) IP.
+ public_network_name:
+ address: 123.1.2.3
+ netmask: /32
+ fqdn: 'machine.some.domain'
+```
+
+For network ranges for external systems/networks defined in `group_vars/all/ip_addresses.yml` it can be something like this:
+
+```
+ip_addresses:
+ institute:
+ some_network_range_name:
+ address: 123.321.123.0
+ netmask: /24
+ another_network_range_name:
+ address: 111.222.111.0
+ netmask: /24
+ desc: 'a description of what this subnet is used for.'
+```
+
+## Data structures provided by this role
+
+The info from all `ip_addresses.yml` files (recursively) found in the group_vars is combined into 2 data structures,
+which are available to other roles when a dependency in this role is defined in the role's `meta/main.yml` like this:
+
+```
+dependencies:
+ - role: include_vars_from_other_groups
+```
+
+#### 1.
ip_addresses per stack
+
+```
+stack_name:
+ ip_addresses:
+ machine:
+ some_internal_network_name:
+ address: 10.10.1.1
+ netmask: /32
+ another_internal_network_name:
+ address: 10.10.3.1
+ netmask: /32
+ publicly_exposed: true # This internal IP is linked to a public (floating) IP.
+ public_network_name:
+ address: 123.1.2.3
+ netmask: /32
+ fqdn: 'machine.some.domain'
+all:
+ ip_addresses:
+ institute:
+ some_network_range_name:
+ address: 123.321.123.0
+ netmask: /24
+ another_network_range_name:
+ address: 111.222.111.0
+ netmask: /24
+ desc: 'a description of what this subnet is used for.'
+```
+
+To find a specific item you will need 3 keys:
+
+ * `{{ stack_name }}`
+ * `{{ node_name }}` (a machine or institute)`
+ * `{{ network_name }}`
+
+E.g. for the example data structure listed above:
+```
+{{ lookup('vars', item['stack_name'])['ip_addresses']['my_machine']['public_network_name']['address'] }}
+```
+
+
+#### 2. Combined network info in one dict for all items from all stacks.
+
+This can be used for lookups by the name of an item when you do not know in which stack an item was located.
+
+```
+all_ip_addresses:
+ my_machine:
+ some_internal_network_name:
+ address: 10.10.1.1
+ netmask: /32
+ another_internal_network_name:
+ address: 10.10.3.1
+ netmask: /32
+ publicly_exposed: true # This internal IP is linked to a public (floating) IP.
+ public_network_name:
+ address: 123.1.2.3
+ netmask: /32
+ fqdn: 'machine.some.domain'
+ other_institute:
+ some_network_range_name:
+ address: 123.321.123.0
+ netmask: /24
+ another_network_range_name:
+ address: 111.222.111.0
+ netmask: /24
+ desc: 'a description of what this subnet is used for.'
+```
+
+To find a specific item you will need 2 keys:
+
+ * `{{ node_name }}` (a machine or institute)`
+ * `{{ network_name }}`
+
+E.g. for the example data structure listed above:
+```
+{{ all_ip_addresses['other_institute']['some_network_range_name']['address'] }}"
+```
+
diff --git a/roles/include_vars_from_other_groups/tasks/main.yml b/roles/include_vars_from_other_groups/tasks/main.yml
new file mode 100644
index 000000000..089c7872e
--- /dev/null
+++ b/roles/include_vars_from_other_groups/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: "Find all ip_addresses.yml files in {{ playbook_dir }}/group_vars/*."
+ ansible.builtin.find:
+ paths: "{{ playbook_dir }}/group_vars/"
+ recurse: true
+ patterns: 'ip_addresses.yml'
+ register: ip_addresses_files_found
+ delegate_to: localhost
+ connection: local
+
+- name: Include ip_addresses per stack from ip_addresses.yml files.
+ ansible.builtin.include_vars:
+ file: "{{ item }}"
+ name: "{{ item | dirname | basename }}"
+ with_items: "{{ ip_addresses_files_found.files | map (attribute='path') | list }}"
+ register: included_ip_addresses
+ delegate_to: localhost
+ connection: local
+
+- name: Combine network info from ip_addresses per stack into one dict for all items from all stacks.
+ ansible.builtin.set_fact:
+ all_ip_addresses: "{{ included_ip_addresses.results | json_query('[].ansible_facts.*[].ip_addresses') | combine() }}"
+ delegate_to: localhost
+ connection: local
+...
diff --git a/roles/iptables/handlers/main.yml b/roles/iptables/handlers/main.yml
index c02cb749f..3c899bf12 100755
--- a/roles/iptables/handlers/main.yml
+++ b/roles/iptables/handlers/main.yml
@@ -11,7 +11,8 @@ listen: restart_iptables
- name: 'Configure iptables based firewalls (IPv4 and IPv6).'
- ansible.builtin.command: '/root/configure-iptables-firewall.bash'
+ ansible.builtin.command:
+ cmd: '/etc/sysconfig/iptables-init.bash'
+ become: true
- listen: configure_iptables
+ listen: initialize_iptables
...
diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml
index 4d5d493e6..39096646a 100644
--- a/roles/iptables/tasks/main.yml
+++ b/roles/iptables/tasks/main.yml
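Review bot: The final `set_fact` merges the per-stack `ip_addresses` dicts with `combine()`, which is a shallow last-wins merge: if two stacks define a machine or institute under the same name, one silently overwrites the other and `all_ip_addresses` then carries the wrong address for every consumer that looks an item up by name. An `ansible.builtin.assert` after the merge that compares `all_ip_addresses | length` with the summed key counts of the per-stack dicts would turn that into a visible failure instead of a wrong firewall or DNS entry. `json_query` is the `community.general` filter and needs the `jmespath` Python package on the controller, which the README in this commit does not mention next to its `meta/main.yml` dependency example, and ansible-lint prefers `loop:` over `with_items:` in new tasks.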
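Review bot: The handler is renamed to `initialize_iptables` and now runs `/etc/sysconfig/iptables-init.bash`, but in the next hunk (`roles/iptables/tasks/main.yml`) the matching `notify: initialize_iptables` stays commented out, so as far as visible nothing triggers this handler and a changed template is written to disk but not applied until the next boot or a manual run of the firewall unit. If skipping the automatic run is deliberate, e.g. to avoid cutting the Ansible SSH session when the rules change, a comment on the commented-out `notify:` saying so and stating how the script is expected to be run would save the next reader the search.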
@@ -93,12 +93,12 @@
- name: 'Deploy firewall configuration script.'
ansible.builtin.template:
- src: 'configure-iptables-firewall.bash.j2'
- dest: '/root/configure-iptables-firewall.bash'
+ src: 'iptables-init.bash.j2'
+ dest: '/etc/sysconfig/iptables-init.bash'
owner: root
group: root
- mode: 0740
-# notify: reconfigure_iptables
+ mode: 0700
+# notify: initialize_iptables
become: true
#
diff --git a/roles/iptables/templates/configure-iptables-firewall.bash.j2 b/roles/iptables/templates/configure-iptables-firewall.bash.j2
deleted file mode 100755
index 02b97ac47..000000000
--- a/roles/iptables/templates/configure-iptables-firewall.bash.j2
+++ /dev/null
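Review bot: `mode: 0700` is an unquoted octal literal; YAML 1.1 loaders read it as the integer 448, which happens to equal 0o700 here, but the form breaks silently if someone later drops the leading zero, and ansible-lint's `risky-octal` rule flags it. `mode: '0700'` is the safe spelling and matches how `src` and `dest` in this same task are quoted.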
@@ -1,430 +0,0 @@ -#!/bin/bash - -# -# Script to configure an iptables based firewall using template from Ansible playbook role. -# -# This file must be located in /etc/firewall.bash -# -# Common port reference: -# 22: SSH -# 25: SMTP -# 80: HTTP -# 123: NTP -# 443: HTTPS - -# -# Bash sanity. -# -set -u - -# -# Hosts and interfaces. -# -TARGET_SERVER='{{ ansible_hostname }}' -declare -a INTERNAL_INTERFACES=( -{% for internal_interface in internal_interfaces %} - '{{ internal_interface }}' -{% endfor %} -) -declare -a EXTERNAL_INTERFACES=( -{% for external_interface in external_interfaces %} - '{{ external_interface }}' -{% endfor %} -) - -# -# Network addresses and ranges. -# -LOOPBACK='127.0.0.0/8' - -declare -a ALLOW_ICMP_INBOUND=( -{% for ip in iptables_allow_icmp_inbound %} - '{{ ip.addr }}' # {{ ip.desc }} -{% endfor %} -) -declare -a ALLOW_SSH_INBOUND=( -{% for ip in iptables_allow_ssh_inbound %} - '{{ ip.addr }}' # {{ ip.desc }} -{% endfor %} -) -declare -a ALLOW_SSH_OUTBOUND=( -{% for ip in iptables_allow_ssh_outbound %} - '{{ ip.addr }}' # {{ ip.desc }} -{% endfor %} -) -declare -a ALLOW_EBI_MYSQL_OUTBOUND=( -{% for ip in iptables_allow_ebi_mysql_outbound %} - '{{ ip.addr }}' # {{ ip.desc }} -{% endfor %} -) -declare -a ALLOW_FTP_OUTBOUND=( -{% for ip in iptables_allow_ftp_outbound %} - '{{ ip.addr }}' # {{ ip.desc }} -{% endfor %} -) -declare -a ALLOW_ASPERA_OUTBOUND=( -{% for ip in iptables_allow_aspera_outbound %} - '{{ ip.addr }}' # {{ ip.desc }} -{% endfor %} -) -declare -a ALLOW_GLOBUS_OUTBOUND=( -{% for ip in iptables_allow_globus_outbound %} - '{{ ip.addr }}' # {{ ip.desc }} -{% endfor %} -) - -# -## -### Main. -## -# - -# -# Get (short) name of the server where this script is executed. -# * Ignore the domain. -# * Remove any -mgmt suffixes -# -SERVER_NAME="$(hostname -s)" -SERVER_NAME="$(echo ${SERVER_NAME} | sed 's/-mgmt//')" - -# -# Check if we have a config valid for this server. 
-# -if [[ "${SERVER_NAME}" == "${TARGET_SERVER}" ]]; then - echo "INFO: Hostname check passed. Will configure iptables firewall..." -else - echo "ERROR: This config file is for \"${TARGET_SERVER}\", but this is \"${SERVER_NAME}\"." - echo 'FATAL: Cannot configure firewall on this server.' - exit 1 -fi - -# -## -### Kernel tweaks. -## -# - - -############ ToDo ##################################### -# Kernel tweaks old and not yet migrated to new syntax. -# -echo '0' > /proc/sys/net/ipv4/ip_forward -####################################################### - -# -# Prevent SYNC-floods. -# -echo '1' > /proc/sys/net/ipv4/tcp_syncookies # confusing name, but applies to IP version 6 as well. - -# -# Limit response to ICMP packets. -# -echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses - -# -# Disable redirects and forwarding, which are only required on routers. -# -echo '0' > /proc/sys/net/ipv4/conf/all/accept_redirects -echo '0' > /proc/sys/net/ipv6/conf/all/accept_redirects -echo '0' > /proc/sys/net/ipv4/conf/all/forwarding -echo '0' > /proc/sys/net/ipv6/conf/all/forwarding - -# -# Disable logging of spoofed packets, source routed packets, -# and redirect packets to prevent flooding the logs. -# -echo '0' > /proc/sys/net/ipv4/conf/all/log_martians - -# -# Disable source routed packets, which should only be required for debugging network issues. -# -echo '0' > /proc/sys/net/ipv4/conf/all/accept_source_route -echo '0' > /proc/sys/net/ipv6/conf/all/accept_source_route - -# -# Enable IP spoofing protection. -# -echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter - -# -## -### IPv6: disable all and log. -## -# - -# -# Flush and delete existing rules. -# -ip6tables -F -ip6tables -X - -# -# Set the default policies to drop everything. 
-# -ip6tables -P INPUT DROP -ip6tables -P OUTPUT DROP -ip6tables -P FORWARD DROP - -# -# We must accept IPv6 traffic on the loopback interface to prevent tests from failing -# during installation of verious software packages with network functionality. -# -ip6tables -A INPUT -i lo -j ACCEPT -ip6tables -A OUTPUT -o lo -j ACCEPT - -# -## -### IPv4. -## -# - -# -# Initialize and flush everything to start with a clean slate. -# -iptables -F -iptables -X -iptables -t nat -F -iptables -t nat -X -iptables -t mangle -F -iptables -t mangle -X -iptables -t raw -F -iptables -t raw -X -iptables -t security -F -iptables -t security -X -iptables -Z - -# -# Create custom chain for LOGDROP. -# -iptables -N LOGDROP -iptables -A LOGDROP -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by iptables firewall: ' -iptables -A LOGDROP -j DROP - -# -# Config default policies to drop. -# -# Log EVERYTHING (ONLY for Debug). -# iptables -A INPUT -j LOG -{% if iptables_log_dropped_packets %} -iptables -P INPUT LOGDROP -{% else %} -iptables -P INPUT DROP -{% endif %} -iptables -P OUTPUT DROP -iptables -P FORWARD DROP - -# -# Refuse loopback packets incoming from external interface. -# -for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]}"; do - iptables -A INPUT -i "${EXT_INTERFACE}" -d "${LOOPBACK}" -j DROP -done - -# -# Allow loopback. -# -iptables -A INPUT -i lo -j ACCEPT -iptables -A OUTPUT -o lo -j ACCEPT - -# -# Allow anything over internal interfaces. -# -for INT_INTERFACE in "${INTERNAL_INTERFACES[@]}"; do - iptables -A INPUT -i "${INT_INTERFACE}" -j ACCEPT - iptables -A OUTPUT -o "${INT_INTERFACE}" -j ACCEPT -done - -############################################################################################################################################### - - - -# Forwarded ports. 
-{# Add a rule for each forwarded port #} -{% for forwarded_port in iptables_forwarded_tcp_ports %} -iptables -t nat -I PREROUTING -p tcp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }} -iptables -t nat -I OUTPUT -p tcp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }} -{% endfor %} -{% for forwarded_port in iptables_forwarded_udp_ports %} -iptables -t nat -I PREROUTING -p udp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }} -iptables -t nat -I OUTPUT -p udp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }} -{% endfor %} - -# -# Allow established connections: -# -iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT - - - - -############################################################################################################################3 - -# -# Allow all outbound ICMP. -# Allow limited inbound ICMP: -# Type 0 Echo Reply (a.k.a. pong) must be RELATED. -# Type 8 Echo Request (a.k.a. ping) -# Type 3 Destination Unreachable: -# Unable to deliver the datagram to the specified network, host, protocal, or port. -# Also sent if the datagram needs to be fragmented and the the Don't Fragment flag is on. -# Required for Path-MTU Discovery and to prevent a PMTU "black hole". -# Type 11 Time Exceeded: -# The Time To Live (TTL) for the datagram has been exceeded. -# Required for traceroute. 
-# -iptables -A OUTPUT -o ${INTERFACE_EXT} -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT -for IP_ADDRESS in ${ALLOW_ICMP_INBOUND[@]}; do - iptables -A INPUT -i ${INTERFACE_EXT} -p icmp --icmp-type 3 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i ${INTERFACE_EXT} -p icmp --icmp-type 8 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i ${INTERFACE_EXT} -p icmp --icmp-type 11 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -done - -# -# Allow outbound NTP. -# -iptables -A OUTPUT -o ${INTERFACE_EXT} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT - -# -# Allow outbound SMTP. -# -iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp -m multiport --dport 25,587 -m state --state NEW,ESTABLISHED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp -m multiport --sport 25,587 -m state --state ESTABLISHED -j ACCEPT - -# -# Allow outbound DNS. -# -iptables -A OUTPUT -o ${INTERFACE_EXT} -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT -iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT - -# -# Allow outbound HTTP. -# -iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT - -# -# Allow outbound HTTPS. 
-# -iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT - -# -# Allow SSH inbound and outbound. -# -for IP_ADDRESS in ${ALLOW_SSH_INBOUND[@]}; do - iptables -A INPUT -i ${INTERFACE_EXT} -p tcp -s ${IP_ADDRESS} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -done -for IP_ADDRESS in ${ALLOW_SSH_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp -d ${IP_ADDRESS} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -done -iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT - -# -# Allow MySQL outbound. -# -# Required a.o. for conncections to the public Ensembl databases via the Ensembl Perl API -# -for IP_ADDRESS in ${ALLOW_EBI_MYSQL_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp -d ${IP_ADDRESS} -m multiport --dports 3306,5306,5316 -m state --state NEW,ESTABLISHED -j ACCEPT -done -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp -m multiport --sports 3306,5306,5316 -m state --state ESTABLISHED -j ACCEPT - -# -# Allow FTP outbound. -# -# We need a default and an additional connection tracking kernel module -# in order to track FTP connections and know what is a RELATED connection. -# The extra module must be added to /etc/sysconfig/iptables-config -# IPTABLES_MODULES="nf_conntrack_ftp" -# -/sbin/modprobe nf_conntrack # Default module: should already be present, just checking here. -/sbin/modprobe nf_conntrack_ftp # Extra module: should be added to /etc/sysconfig/iptables-config, just checking here. -# -# Firstly, allow FTP control initiated by the client. 
-# -for IP_ADDRESS in ${ALLOW_FTP_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp -d ${IP_ADDRESS} --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -done -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT -# -# Secondly, allow FTP data connections. -# * For Active Mode FTP the client must accept RELATED connections from the server on port 20 -# to the client on a port number negotiated in the FTP control connection. -# * For Passive Mode FTP the client starts a RELATED connection from a random own high port number -# to the server's fixed high port number negotiated in the FTP control connection. -# * For both Active and Passive Mode FTP, the nf_conntrack_ftp kernel module is required at the FTP client -# to pick up the negotiated port number from the FTP control packet payloads. -# -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Active Mode -iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Active Mode -iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT # Passive Mode -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT # Passive Mode - -# -# Allow Aspera outbound. -# -# Aspera requires (most common configs): -# * SSH on either TCP port 22 or TCP 33001 for control and -# * Data stream on at least UDP port 33001. -# In case the server OS doesn't allow UDP port sharing a range of UDP ports is used -# where the number of ports determines the max number of concurrent connections/clients. 
-# -for IP_ADDRESS in ${ALLOW_ASPERA_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp -d ${IP_ADDRESS} -m multiport --dports 22,33001 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${INTERFACE_EXT} -p udp -d ${IP_ADDRESS} -m multiport --dports 33001:33100 -m state --state NEW,ESTABLISHED -j ACCEPT -done -iptables -A INPUT -i ${INTERFACE_EXT} -p tcp -m multiport --sports 22,33001 -m state --state ESTABLISHED -j ACCEPT -iptables -A INPUT -i ${INTERFACE_EXT} -p udp -m multiport --sports 33001:33100 -m state --state ESTABLISHED -j ACCEPT - -# -# Allow Globus outbound. -# -# Globus requires (most common configs) for "broker" service: -# * TCP port 2223 outbound for control channel with the Globus Transfer service and for obtaining certificates during initial setup. -# Normally this will be the *.globus.org subnet. -# * UDP port 19302 outbound for connecting to STUN server when setting up a session with another Globus Connect Personal endpoint. -# Normally this will be the stun.l.google.com Google STUN server. -# For each endpoint: -# * TCP ports 50000-51000 outbound for data channel for transfers with Globus Connect Server endpoints. -# * UDP ports 32768-65535 outbound for data channel for transfers with other Globus Connect Personal endpoints. 
- -# ToDo: GLOBUS_ORG_NET and GOOGLE_STUN -iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp -d ${GLOBUS_ORG_NET} --dport 2223 -m state --state NEW,ESTABLISHED -j ACCEPT -iptables -A OUTPUT -o ${INTERFACE_EXT} -p udp -d ${GOOGLE_STUN} --dport 19302 -m state --state NEW,ESTABLISHED -j ACCEPT -for IP_ADDRESS in ${ALLOW_GLOBUS_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${INTERFACE_EXT} -p tcp -d ${IP_ADDRESS} -m multiport --dports 50000:51000 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${INTERFACE_EXT} -p udp -d ${IP_ADDRESS} -m multiport --dports 32678:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -done - -# -# (Re)start fail2ban, so it will (re)create a custom f2b-SSH iptables chain. -# -#service fail2ban restart - -# -# List the rules: -# -echo '#' -echo '##' -echo '### iptables --list -n ###' -echo '##' -echo '#' -iptables --list -n -echo '#' -echo '##' -echo '### ip6tables --list -n ###' -echo '##' -echo '#' -ip6tables --list -n - -# -# Save config for next boot. -# -service iptables save -service ip6tables save diff --git a/roles/iptables/templates/firewall.unit.j2 b/roles/iptables/templates/firewall.unit.j2 index 5165d88ff..ad2655806 100755 --- a/roles/iptables/templates/firewall.unit.j2 +++ b/roles/iptables/templates/firewall.unit.j2 @@ -4,7 +4,7 @@ After=syslog.target network.target [Service] Type=oneshot -ExecStart=/etc/firewall.bash +ExecStart=/etc/sysconfig/iptables-init.bash ExecStop=/sbin/iptables -F RemainAfterExit=yes diff --git a/roles/iptables/templates/iptables-init.bash.j2 b/roles/iptables/templates/iptables-init.bash.j2 new file mode 100755 index 000000000..cd891c055 --- /dev/null +++ b/roles/iptables/templates/iptables-init.bash.j2 
@@ -0,0 +1,398 @@
+#!/bin/bash
+
+#
+# Script to configure an iptables based firewall using a template from an Ansible playbook role "iptables".
+# DO NOT EDIT this file manually; edit the the template instead and redeploy using Ansible!
+#
+# This file must be located in /etc/sysconfig/iptables-init.bash
+#
+# Common port reference:
+# 22: SSH
+# 25: SMTP
+# 80: HTTP
+# 123: NTP
+# 443: HTTPS
+
+#
+# Bash sanity.
+#
+set -u
+
+#
+# Hosts and interfaces.
+#
+TARGET_SERVER='{{ ansible_hostname }}'
+declare -a INTERNAL_INTERFACES=(
+{% for internal_interface in internal_interfaces %}
+ '{{ internal_interface }}'
+{% endfor %}
+)
+declare -a EXTERNAL_INTERFACES=(
+{% for external_interface in external_interfaces %}
+ '{{ external_interface }}'
+{% endfor %}
+)
+
+#
+# Network addresses and ranges.
+#
+LOOPBACK='127.0.0.0/8'
+
+declare -a ALLOW_ICMP_INBOUND=(
+{% for ip in iptables_allow_icmp_inbound %}
+ '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }}
+{% endfor %}
+)
+declare -a ALLOW_SSH_INBOUND=(
+{% for ip in iptables_allow_ssh_inbound %}
+ '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }}
+{% endfor %}
+)
+declare -a ALLOW_SSH_OUTBOUND=(
+{% for ip in iptables_allow_ssh_outbound %}
+ '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }}
+{% endfor %}
+)
+declare -a ALLOW_EBI_MYSQL_OUTBOUND=(
+{% for ip in iptables_allow_ebi_mysql_outbound %}
+ '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }}
+{% endfor %}
+)
+declare -a ALLOW_FTP_OUTBOUND=(
+{% for ip in iptables_allow_ftp_outbound %}
+ '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }}
+{% endfor %}
+)
+declare -a ALLOW_ASPERA_OUTBOUND=(
+{% for ip in iptables_allow_aspera_outbound %}
+ '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }}
+{% endfor %}
+)
+declare -a ALLOW_GLOBUS_OUTBOUND=(
+{% for ip in iptables_allow_globus_outbound %}
+ '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }}
+{% endfor %}
+)
+declare GLOBUS_ORG_NET='{{
ip_addresses.globus_org_net.addr }}' # {{ ip_addresses.globus_org_net.desc }}
+declare GOOGLE_STUN='{{ ip_addresses.google_stun.addr }}' # {{ ip_addresses.google_stun.desc }}
+
+#
+##
+### Main.
+##
+#
+
+#
+# Get (short) name of the server where this script is executed.
+# * Ignore the domain.
+# * Remove any -mgmt suffixes
+#
+SERVER_NAME="$(hostname -s)"
+SERVER_NAME="$(echo ${SERVER_NAME} | sed 's/-mgmt//')"
+
+#
+# Check if we have a config valid for this server.
+#
+if [[ "${SERVER_NAME}" == "${TARGET_SERVER}" ]]; then
+ echo "INFO: Hostname check passed. Will configure iptables firewall..."
+else
+ echo "ERROR: This config file is for \"${TARGET_SERVER}\", but this is \"${SERVER_NAME}\"."
+ echo 'FATAL: Cannot configure firewall on this server.'
+ exit 1
+fi
+
+#
+##
+### Kernel tweaks.
+##
+#
+
+#
+# Disable redirects and forwarding, which are only required on routers.
+#
+echo '0' > /proc/sys/net/ipv4/conf/all/forwarding
+echo '0' > /proc/sys/net/ipv6/conf/all/forwarding
+echo '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
+echo '0' > /proc/sys/net/ipv6/conf/all/accept_redirects
+
+#
+# Prevent SYNC-floods.
+#
+echo '1' > /proc/sys/net/ipv4/tcp_syncookies # confusing name, but applies to IP version 6 as well.
+
+#
+# Limit response to ICMP packets.
+#
+echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+
+#
+# Disable logging of spoofed packets, source routed packets,
+# and redirect packets to prevent flooding the logs.
+#
+echo '0' > /proc/sys/net/ipv4/conf/all/log_martians
+
+#
+# Disable source routed packets, which should only be required for debugging network issues.
+#
+echo '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
+echo '0' > /proc/sys/net/ipv6/conf/all/accept_source_route
+
+#
+# Enable IP spoofing protection.
+#
+echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter
+
+#
+##
+### IPv6: disable all and log.
+##
+#
+
+#
+# Flush and delete existing rules.
+#
+ip6tables -F
+ip6tables -X
+
+#
+# Set the default policies to drop everything.
+#
+ip6tables -P INPUT DROP
+ip6tables -P OUTPUT DROP
+ip6tables -P FORWARD DROP
+
+#
+# We must accept IPv6 traffic on the loopback interface to prevent tests from failing
+# during installation of verious software packages with network functionality.
+#
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT
+
+#
+##
+### IPv4.
+##
+#
+
+#
+# Initialize and flush everything to start with a clean slate.
+#
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+iptables -Z
+
+#
+# Create custom chain for LOGDROP.
+#
+iptables -N LOGDROP
+iptables -A LOGDROP -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by iptables firewall: '
+iptables -A LOGDROP -j DROP
+
+#
+# Config default policies to drop.
+#
+# Log EVERYTHING (ONLY for Debugging).
+# iptables -A INPUT -j LOG
+{% if iptables_log_dropped_packets %}
+iptables -P INPUT LOGDROP
+{% else %}
+iptables -P INPUT DROP
+{% endif %}
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+#
+# Refuse loopback packets incoming from external interface.
+#
+for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do
+ [[ -z "${EXT_INTERFACE}" ]] && continue
+ iptables -A INPUT -i "${EXT_INTERFACE}" -d "${LOOPBACK}" -j DROP
+done
+
+#
+# Allow loopback.
+#
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+#
+# Allow anything over internal interfaces.
+#
+for INT_INTERFACE in "${INTERNAL_INTERFACES[@]:-}"; do
+ [[ -z "${INT_INTERFACE}" ]] && continue
+ iptables -A INPUT -i "${INT_INTERFACE}" -j ACCEPT
+ iptables -A OUTPUT -o "${INT_INTERFACE}" -j ACCEPT
+done
+
+#
+# Filter traffic over external interfaces.
+#
+for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do
+ [[ -z "${EXT_INTERFACE}" ]] && continue
+ #
+ # Allow all outbound ICMP.
+ # Allow limited inbound ICMP:
+ # Type 0 Echo Reply (a.k.a. pong) must be RELATED.
+ # Type 8 Echo Request (a.k.a. ping)
+ # Type 3 Destination Unreachable:
+ # Unable to deliver the datagram to the specified network, host, protocal, or port.
+ # Also sent if the datagram needs to be fragmented and the the Don't Fragment flag is on.
+ # Required for Path-MTU Discovery and to prevent a PMTU "black hole".
+ # Type 11 Time Exceeded:
+ # The Time To Live (TTL) for the datagram has been exceeded.
+ # Required for traceroute.
+ #
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
+ for IP_ADDRESS in ${ALLOW_ICMP_INBOUND[@]}; do
+ iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 3 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 8 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 11 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ done
+ #
+ # Allow outbound NTP.
+ #
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
+ #
+ # Allow outbound SMTP.
+ #
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -m multiport --dport 25,587 -m state --state NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sport 25,587 -m state --state ESTABLISHED -j ACCEPT
+ #
+ # Allow outbound DNS.
+ #
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
+ #
+ # Allow outbound HTTP.
+ #
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+ #
+ # Allow outbound HTTPS.
+ #
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+ #
+ # Allow SSH inbound and outbound.
+ #
+ for IP_ADDRESS in ${ALLOW_SSH_INBOUND[@]}; do
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -s ${IP_ADDRESS} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+ done
+ for IP_ADDRESS in ${ALLOW_SSH_OUTBOUND[@]}; do
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+ done
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+ #
+ # Allow MySQL outbound.
+ #
+ # Required a.o. for conncections to the public Ensembl databases via the Ensembl Perl API
+ #
+ for IP_ADDRESS in ${ALLOW_EBI_MYSQL_OUTBOUND[@]}; do
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 3306,5306,5316 -m state --state NEW,ESTABLISHED -j ACCEPT
+ done
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sports 3306,5306,5316 -m state --state ESTABLISHED -j ACCEPT
+ #
+ # Allow FTP outbound.
+ #
+ # We need a default and an additional connection tracking kernel module
+ # in order to track FTP connections and know what is a RELATED connection.
+ # The extra module must be added to /etc/sysconfig/iptables-config
+ # IPTABLES_MODULES="nf_conntrack_ftp"
+ #
+ /sbin/modprobe nf_conntrack # Default module: should already be present, just checking here.
+ /sbin/modprobe nf_conntrack_ftp # Extra module: should be added to /etc/sysconfig/iptables-config, just checking here.
+ #
+ # Firstly, allow FTP control initiated by the client.
+ #
+ for IP_ADDRESS in ${ALLOW_FTP_OUTBOUND[@]}; do
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+ done
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+ #
+ # Secondly, allow FTP data connections.
+ # * For Active Mode FTP the client must accept RELATED connections from the server on port 20
+ # to the client on a port number negotiated in the FTP control connection.
+ # * For Passive Mode FTP the client starts a RELATED connection from a random own high port number
+ # to the server's fixed high port number negotiated in the FTP control connection.
+ # * For both Active and Passive Mode FTP, the nf_conntrack_ftp kernel module is required at the FTP client
+ # to pick up the negotiated port number from the FTP control packet payloads.
+ #
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Active Mode
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Active Mode
+ iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT # Passive Mode
+ iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT # Passive Mode
+ #
+ # Allow Aspera outbound.
+ # + # Aspera requires (most common configs): + # * SSH on either TCP port 22 or TCP 33001 for control and + # * Data stream on at least UDP port 33001. + # In case the server OS doesn't allow UDP port sharing a range of UDP ports is used + # where the number of ports determines the max number of concurrent connections/clients. + # + for IP_ADDRESS in ${ALLOW_ASPERA_OUTBOUND[@]}; do + iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 22,33001 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${IP_ADDRESS} -m multiport --dports 33001:33100 -m state --state NEW,ESTABLISHED -j ACCEPT + done + iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sports 22,33001 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i ${EXT_INTERFACE} -p udp -m multiport --sports 33001:33100 -m state --state ESTABLISHED -j ACCEPT + # + # Allow Globus outbound. + # + # Globus requires (most common configs) for "broker" service: + # * TCP port 2223 outbound for control channel with the Globus Transfer service and for obtaining certificates during initial setup. + # Normally this will be the *.globus.org subnet. + # * UDP port 19302 outbound for connecting to STUN server when setting up a session with another Globus Connect Personal endpoint. + # Normally this will be the stun.l.google.com Google STUN server. + # For each endpoint: + # * TCP ports 50000-51000 outbound for data channel for transfers with Globus Connect Server endpoints. + # * UDP ports 32768-65535 outbound for data channel for transfers with other Globus Connect Personal endpoints. 
+ # + iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${GLOBUS_ORG_NET} --dport 2223 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${GOOGLE_STUN} --dport 19302 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in ${ALLOW_GLOBUS_OUTBOUND[@]}; do + iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 50000:51000 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${IP_ADDRESS} -m multiport --dports 32678:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + done +done + +# +# (Re)start fail2ban, so it will (re)create a custom f2b-SSH iptables chain. +# +#service fail2ban restart + +# +# List the rules: +# +echo '#' +echo '##' +echo '### iptables --list -n ###' +echo '##' +echo '#' +iptables --list -n +echo '#' +echo '##' +echo '### ip6tables --list -n ###' +echo '##' +echo '#' +ip6tables --list -n + +# +# Save config for next boot. +# +service iptables save +service ip6tables save diff --git a/roles/irods_davrods/defaults/main.yml b/roles/irods_davrods/defaults/main.yml index ed699d9ed..231f67da8 100644 --- a/roles/irods_davrods/defaults/main.yml +++ b/roles/irods_davrods/defaults/main.yml @@ -1,6 +1,5 @@ +--- davrods_docker_user: davrods davrods_docker_folder: 'davrods_docker' # relative to the davrods_user_home davrods_default_resource: 'default_res' # davrods default resource to use for uploading the files -davrods_icat_ip: "{{ ip_addresses[inventory_hostname].addr }}" - # IP address of ICAT server, currently set for docker to use local icat IP - # could be instead just remote IP +... \ No newline at end of file diff --git a/roles/irods_davrods/tasks/davrods.yml b/roles/irods_davrods/tasks/davrods.yml index ac3403469..2da2094e1 100644 --- a/roles/irods_davrods/tasks/davrods.yml +++ b/roles/irods_davrods/tasks/davrods.yml @@ -1,3 +1,4 @@ +--- - name: 'Ensure that /etc/irods directory exists' ansible.builtin.file: dest: "/etc/irods" 
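Review bot: The new document-end line `...` in roles/irods_davrods/defaults/main.yml is written without a trailing newline (`\ No newline at end of file`), and the same happens in the two roles/irods_davrods/tasks hunks below (davrods.yml and main.yml). ansible-lint's yamllint-backed `yaml[new-line-at-end-of-file]` check rejects this, so these files are likely to fail the wider `*.yml` lint run this commit enables in CI; terminating each file with `...` followed by a newline, as roles/online_docs/defaults/main.yml in this same diff does, fixes it. Dropping `davrods_icat_ip` here is fine as long as nothing in the role's templates still references it, which I cannot see from this hunk.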
@@ -124,3 +125,4 @@ changed_when: false become_user: '{{ davrods_docker_user }}' become: true +... \ No newline at end of file diff --git a/roles/irods_davrods/tasks/main.yml b/roles/irods_davrods/tasks/main.yml index 8a189e7ca..5396e9d81 100644 --- a/roles/irods_davrods/tasks/main.yml +++ b/roles/irods_davrods/tasks/main.yml @@ -1,4 +1,8 @@ -- include: davrods.yml +--- +- name: Include tasks for installing and configuring davrods. + ansible.builtin.include_tasks: + file: davrods.yml when: - davrods_install is defined - davrods_install == True +... \ No newline at end of file diff --git a/roles/online_docs/defaults/main.yml b/roles/online_docs/defaults/main.yml index 72d99df47..abb7febd6 100644 --- a/roles/online_docs/defaults/main.yml +++ b/roles/online_docs/defaults/main.yml 
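Review bot: The `when:` kept under the new `include_tasks` still compares to a boolean literal, `- davrods_install == True`, which ansible-lint's `literal-compare` rule flags; since this commit widens the CI lint run to `*.yml`, the role's tasks are likely to be picked up. Replacing both conditions with `when: davrods_install | default(false) | bool` keeps the same result for an undefined or `false` value and additionally accepts string forms such as `'true'` coming from inventories or extra vars, which `== True` silently treats as false. The `---`/`include_tasks` conversion itself looks right.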
@@ -2,34 +2,69 @@ external_hrefs: spacewalk: 'https://spacewalkproject.github.io/' pulp: 'https://pulpproject.org/' -known_hosts_hostnames: "{% for jumphost in groups['jumphost'] %}\ - {{ jumphost }}*,\ - {% if public_ip_addresses[jumphost] is defined and public_ip_addresses[jumphost] | length %}\ - {{ public_ip_addresses[jumphost] }},\ - {% endif %}\ - {% endfor %}\ - {% for dthost in groups['data_transfer'] | default([]) %}\ - *{{ dthost }}*,\ - {% if public_ip_addresses[dthost] is defined and public_ip_addresses[dthost] | length %}\ - {{ public_ip_addresses[dthost] }},\ - {% endif %}\ - {% endfor %}\ - {% for adminhost in groups['administration'] %}\ - *{{ adminhost }},\ - {% endfor %}\ - {% for dochost in groups['docs'] %}\ - *{{ dochost }},\ - {% endfor %}\ - *{{ stack_prefix }}-*" -dt_server_address: "{% if groups['data_transfer'] is defined and groups['data_transfer'] | length %}\ - {% if public_ip_addresses[groups['data_transfer'] | first] is defined \ - and public_ip_addresses[groups['data_transfer'] | first] | length %}\ - {{ public_ip_addresses[groups['data_transfer'] | first] }}\ - {% else %}\ - {{ groups['data_transfer'] | first }}\ - {% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}\ - {% endif %}\ - {% else %}\ - not available\ - {% endif %}" +known_hosts_hostnames: "\ + {% for jumphost in groups['jumphost'] %}\ + {{ jumphost }}*,\ + {% for network_id in ip_addresses[jumphost] %}\ + {% if ip_addresses[jumphost][network_id]['fqdn'] is defined and + ip_addresses[jumphost][network_id]['fqdn'] == 'NXDOMAIN' %}\ + {{ ip_addresses[jumphost][network_id]['address'] }},\ + {% endif %}\ + {% endfor %}\ + {% endfor %}\ + {% for dthost in groups['data_transfer'] | default([]) %}\ + *{{ dthost }}*,\ + {% for network_id in ip_addresses[dthost] %}\ + {% if ip_addresses[dthost][network_id]['fqdn'] is defined and + ip_addresses[dthost][network_id]['fqdn'] == 'NXDOMAIN' %}\ + {{ ip_addresses[dthost][network_id]['address'] }},\ + {% endif %}\ 
+ {% endfor %}\ + {% endfor %}\ + {% for adminhost in groups['administration'] %}\ + *{{ adminhost }},\ + {% endfor %}\ + {% for dochost in groups['docs'] %}\ + *{{ dochost }},\ + {% endfor %}\ + *{{ stack_prefix }}-*" +first_dt_server_address: "\ + {% if groups['data_transfer'] is defined and + groups['data_transfer'] | length %}\ + {% set first_dthost = groups['data_transfer'] + | first %}\ + {% set network_id = ip_addresses[first_dthost] + | dict2items + | json_query('[?value.fqdn].key') + | first %}\ + {% if ip_addresses[first_dthost][network_id]['fqdn'] is defined %}\ + {% if ip_addresses[first_dthost][network_id]['fqdn'] == 'NXDOMAIN' %}\ + {{ ip_addresses[first_dthost][network_id]['address'] }}\ + {% else %}\ + {{ ip_addresses[first_dthost][network_id]['fqdn'] }}\ + {% endif %}\ + {% else %}\ + not available\ + {% endif %}\ + {% else %}\ + not available\ + {% endif %}" +first_jumphost_name: "{{ groups['jumphost'] | first }}" +first_jumphost_address: "\ + {% set first_jumphost = groups['jumphost'] + | first %}\ + {% set network_id = ip_addresses[first_jumphost] + | dict2items + | json_query('[?value.fqdn].key') + | first %}\ + {% if ip_addresses[first_jumphost][network_id]['fqdn'] == 'NXDOMAIN' %}\ + {{ ip_addresses[first_jumphost][network_id]['address'] }}\ + {% else %}\ + {{ ip_addresses[first_jumphost][network_id]['fqdn'] }}\ + {% endif %}" +first_doc_server_address: "\ + {{ all_ip_addresses[groups['docs'] | first].values() + | selectattr('fqdn', 'defined') + | map(attribute='fqdn') + | first }}" ... diff --git a/roles/online_docs/meta/main.yml b/roles/online_docs/meta/main.yml index 90d75ccd1..18a487495 100644 --- a/roles/online_docs/meta/main.yml +++ b/roles/online_docs/meta/main.yml @@ -1,4 +1,5 @@ --- dependencies: + - role: include_vars_from_other_groups - role: rsync ... diff --git a/roles/online_docs/tasks/main.yml b/roles/online_docs/tasks/main.yml index d3fb7d54b..0d643474c 100644 --- a/roles/online_docs/tasks/main.yml 
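Review bot: In `first_dt_server_address` and `first_jumphost_address` the `network_id` is taken with `| json_query('[?value.fqdn].key') | first`; when none of that host's networks carries an `fqdn`, `first` yields an undefined value and the following `ip_addresses[...][network_id]` lookup fails the render, so, as far as I can tell, the `not available` fallback behind the `is defined` check is unreachable (the filter already guarantees `fqdn` is set). Assigning the list first, `{% set fqdn_network_ids = ip_addresses[first_dthost] | dict2items | json_query('[?value.fqdn].key') %}`, and guarding with `{% if fqdn_network_ids | length %}` before indexing gives the fallback a real trigger; the same applies to `first_jumphost_address` here and to the per-jumphost blocks in the ssh-client-config.bash and logins-linux-config.md hunks further down. `json_query` also needs the `community.general` collection and the `jmespath` Python package on the controller, so requirements.yml should be checked to provide both. `first_doc_server_address` reads `all_ip_addresses` while every other variable here reads `ip_addresses`; if that difference is intentional, a one-line comment above it saying where `all_ip_addresses` comes from would save the next reader a search.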
+++ b/roles/online_docs/tasks/main.yml @@ -64,7 +64,7 @@ ansible.builtin.shell: cmd: | set -o pipefail - ssh-keygen -lf <(ssh-keyscan {{ dt_server_address }} 2>/dev/null) \ + ssh-keygen -lf <(ssh-keyscan {{ first_dt_server_address }} 2>/dev/null) \ | awk '{print $2,$4}' args: executable: '/bin/bash' @@ -79,30 +79,6 @@ - groups['data_transfer'] is defined - groups['data_transfer'] | first | length >= 1 -- name: "Find all ip_addresses.yml files in {{ playbook_dir }}/group_vars/*." - ansible.builtin.find: - paths: "{{ playbook_dir }}/group_vars/" - recurse: true - patterns: 'ip_addresses.yml' - register: ip_addresses_files - delegate_to: localhost - connection: local - -- name: 'Include variables from all ip_addresses.yml files.' - ansible.builtin.include_vars: - file: "{{ item }}" - name: "networking_lookup" - with_items: "{{ ip_addresses_files.files | map (attribute='path') | list }}" - register: networking_lookups - delegate_to: localhost - connection: local - -- name: 'Combine network info from ip_addresses.yml files into one dict.' - ansible.builtin.set_fact: - networking_lookups: "{{ networking_lookups.results | json_query('[].ansible_facts.networking_lookup.ip_addresses') | combine() }}" - delegate_to: localhost - connection: local - - name: 'Set selinux in permissive mode.' ansible.posix.selinux: policy: 'targeted' diff --git a/roles/online_docs/templates/attachments/ssh-client-config.bash b/roles/online_docs/templates/attachments/ssh-client-config.bash index fcd5af3d9..b8fc0a1a1 100755 --- a/roles/online_docs/templates/attachments/ssh-client-config.bash +++ b/roles/online_docs/templates/attachments/ssh-client-config.bash 
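Review bot: The fingerprint published in the docs is still obtained from the network with `ssh-keyscan {{ first_dt_server_address }}`, so the documented value is whatever answered at deploy time rather than the key this playbook manages; since the data transfer server is in the inventory, reading its `/etc/ssh/ssh_host_*_key.pub` via a delegated task and running `ssh-keygen -lf` on that file would make the published fingerprint authoritative. `first_dt_server_address` can also render as the literal `not available` (its fallback in roles/online_docs/defaults/main.yml), in which case this task would run `ssh-keyscan not available`; the conditions visible below (`groups['data_transfer'] is defined` …) presumably belong to this task and check the group, not the resolved address, so `- first_dt_server_address != 'not available'` is a cheap extra guard. The task's `- name:` line begins before the hunk.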
@@ -361,11 +361,20 @@ Host{% for jumphost in groups['jumphost'] %} {{ jumphost }}*{% endfor %} ControlPersist 1m # # Expand short jumphost names to FQDN or IP address. -#{% for jumphost in groups['jumphost'] %}{% if public_ip_addresses[jumphost] is defined and public_ip_addresses[jumphost] | length %} +# +{% for jumphost in groups['jumphost'] %} + {%- set network_id = ip_addresses[jumphost] + | dict2items + | json_query('[?value.fqdn].key') + | first -%} + {%- if ip_addresses[jumphost][network_id]['fqdn'] == 'NXDOMAIN' -%} + {%- set ssh_hostname = ip_addresses[jumphost][network_id]['address'] -%} + {%- else -%} + {%- set ssh_hostname = ip_addresses[jumphost][network_id]['fqdn'] -%} + {%- endif -%} Host {{ jumphost }} - HostName {{ public_ip_addresses[jumphost] }}{% else %} -Host {{ jumphost }} {% if slurm_cluster_domain | length %}!*.{{ slurm_cluster_domain }}{% endif %} - HostName %h{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}{% endif %}{% endfor %} + HostName {{ ssh_hostname }} +{% endfor -%} # # Universal jumphost settings for triple-hop SSH. # 
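Review bot: The Jinja block that resolves a jumphost to `ssh_hostname` (`dict2items | json_query('[?value.fqdn].key') | first`, then the `NXDOMAIN` check) is duplicated here and in the logins-linux-config.md hunk further down, and roles/online_docs/defaults/main.yml in this same diff already defines `first_jumphost_address` with the same logic for one jumphost. Computing a mapping once in the role defaults, for example `jumphost_addresses` keyed by jumphost name, and writing `HostName {{ jumphost_addresses[jumphost] }}` in both templates would keep the three copies from drifting. This block appears to sit inside the heredoc whose `EOF` closes in the next hunk, so any `$` introduced on these lines would need the `\$` escaping the ProxyCommand lines use.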
@@ -375,14 +384,14 @@ Host *+*+* # Double-hop SSH settings to connect via specific jumphosts. # Host {% for jumphost in groups['jumphost'] %}{{ jumphost}}+* {% endfor %}{% raw %}{% endraw %} - ProxyCommand ssh -x -q \$(echo "\${JUMPHOST_USER:-%r}")@\$(echo %h | sed 's/+[^+]*$//'){% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %} -W \$(echo %h | sed 's/^[^+]*+//'):%p + ProxyCommand ssh -x -q \$(echo "\${JUMPHOST_USER:-%r}")@\$(echo %h | sed 's/+[^+]*$//'){% if stack_domain | length %}.{{ stack_domain }}{% endif %} -W \$(echo %h | sed 's/^[^+]*+//'):%p # # Sometimes port 22 for the SSH protocol is blocked by firewalls; in that case you can try to use SSH on port 443 as fall-back. # Do not use port 443 by default for SSH as it is officially assigned to HTTPS traffic # and some firewalls will cause problems with SSH traffic over port 443. # Host {% for jumphost in groups['jumphost'] %}{{ jumphost}}443+* {% endfor %}{% raw %}{% endraw %} - ProxyCommand ssh -x -q \$(echo "\${JUMPHOST_USER:-%r}")@\$(echo %h | sed 's/443+[^+]*$//'){% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %} -W \$(echo %h | sed 's/^[^+]*+//'):%p -p 443 + ProxyCommand ssh -x -q \$(echo "\${JUMPHOST_USER:-%r}")@\$(echo %h | sed 's/443+[^+]*$//'){% if stack_domain | length %}.{{ stack_domain }}{% endif %} -W \$(echo %h | sed 's/^[^+]*+//'):%p -p 443 EOF } 
@@ -493,7 +502,7 @@ manageConfig "${user}" "${private_key_file}" # log4Bash 'INFO' "${LINENO}" "${FUNCNAME[0]:-main}" '0' 'Finished configuring your SSH client for logins to {{ slurm_cluster_name | capitalize }}.' log4Bash 'INFO' "${LINENO}" "${FUNCNAME[0]:-main}" '0' 'You can log in to User Interface {{ groups['user_interface'] | first }}' -log4Bash 'INFO' "${LINENO}" "${FUNCNAME[0]:-main}" '0' ' via jumphost {{ groups['jumphost'] | first }}{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}' +log4Bash 'INFO' "${LINENO}" "${FUNCNAME[0]:-main}" '0' ' via jumphost {{ groups['jumphost'] | first }}{% if stack_domain | length %}.{{ stack_domain }}{% endif %}' log4Bash 'INFO' "${LINENO}" "${FUNCNAME[0]:-main}" '0' ' in a terminal with the following SSH command:' log4Bash 'INFO' "${LINENO}" "${FUNCNAME[0]:-main}" '0' ' ssh {{ groups['jumphost'] | first }}+{{ groups['user_interface'] | first }}' log4Bash 'INFO' "${LINENO}" "${FUNCNAME[0]:-main}" '0' 'We will now test your connection by executing the above SSH command to login and logout.' diff --git a/roles/online_docs/templates/mkdocs/docs/2FA.md b/roles/online_docs/templates/mkdocs/docs/2FA.md index 7bf0edc41..21002ecc9 100644 --- a/roles/online_docs/templates/mkdocs/docs/2FA.md +++ b/roles/online_docs/templates/mkdocs/docs/2FA.md @@ -28,11 +28,11 @@ 2.1. Connect to the trusted system (f.e. to UMCG WOM, or use your laptop from within UMCG network) and start the MobaXTerm - 2.2. Create the session to connect to Jumphost {% for jumphost in groups['jumphost'] %}{{ jumphost }}{% endfor %} only + 2.2. Create the session to connect to Jumphost {{ first_jumphost_name }} only 2.3. **Create session** > **SSH** - 2.4. **Remote host**: {% for jumphost in groups['jumphost'] %}{{ public_ip_addresses[jumphost] }}{% endfor %} + 2.4. **Remote host**: {{ first_jumphost_address }} 2.5. **Specify username**: your-username 
@@ -81,7 +81,7 @@ When user (with already created 2FA key) connects from untrusted IP to the 2FA enhanced jumphost, prompt will appear: - `(your-username@{% for jumphost in groups['jumphost'] %}{{ public_ip_addresses[jumphost] }}{% endfor %}) Your verification code for {% for jumphost in groups['jumphost'] %}{{ jumphost }}{% endfor %}:` + `(your-username@{{ first_jumphost_address }}) Your verification code for {{ first_jumphost_address }}:` Users mobile app generates 2FA code that is valid for short (30 seconds) time, after it expires and another one is generated. Codes are also different for each username on each server, so in case you have more than one, make sure you are using the correct one. @@ -91,7 +91,7 @@ When connecting to server you get - `your-username@{% for jumphost in groups['jumphost'] %}{{ public_ip_addresses[jumphost] }}{% endfor %}: Permission denied (keyboard-interactive).` + `your-username@{{ first_jumphost_address }}: Permission denied (keyboard-interactive).` **Solution**: diff --git a/roles/online_docs/templates/mkdocs/docs/cluster.md b/roles/online_docs/templates/mkdocs/docs/cluster.md index 90ce9708b..362ff7c13 100644 --- a/roles/online_docs/templates/mkdocs/docs/cluster.md +++ b/roles/online_docs/templates/mkdocs/docs/cluster.md 
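Review bot: The prompt text now reads `Your verification code for {{ first_jumphost_address }}:`, but the removed line printed the jumphost name there (the `{{ jumphost }}` loop), and step 2.2 in the previous hunk uses `first_jumphost_name` for that purpose; the second substitution on this line looks like a copy-paste slip and should be `Your verification code for {{ first_jumphost_name }}:`. The `your-username@{{ first_jumphost_address }}` part and the replacement in the hunk below are consistent with the rest of the commit.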
@@ -61,7 +61,7 @@ Some of these can be accessed directly by users, whereas others cannot be access Test/development clusters are named after other robots. E.g.: {{ slurm_cluster_name | capitalize }} UI = _{{ groups['user_interface'] | first }}_ * Jumphosts are named after rooms preceding other rooms. - E.g.: {{ slurm_cluster_name | capitalize }} Jumphost = _{{ groups['jumphost'] | first }}{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}_ + E.g.: {{ slurm_cluster_name | capitalize }} Jumphost = _{{ groups['jumphost'] | first }}{% if stack_domain | length %}.{{ stack_domain }}{% endif %}_ * Other machines that are part of the cluster and only accessible using internal network interfaces (schedulers, compute nodes, account servers, etc.) will use a two character prefix _{{ stack_prefix }}_ followed by a dash and the function of the machine. E.g. {{ slurm_cluster_name | capitalize }} compute node = _{{ groups['compute_vm'] | first }}_ diff --git a/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-cluster-users.md b/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-cluster-users.md index a10920430..3b900d29e 100644 --- a/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-cluster-users.md +++ b/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-cluster-users.md @@ -1,5 +1,5 @@ #jinja2: trim_blocks:False -# Data transfers - How to move data to / from {{ dt_server_address }} +# Data transfers - How to move data to / from {{ first_dt_server_address }} Firstly and independent of technical options: make sure you are familiar with the _code of conduct_ / _terms and conditions_ / _license_ or whatever it is called and that you are allowed to upload/download a data set! When in doubt contact your supervisor / principal investigator and the group/institute that created the data set. 
@@ -30,7 +30,7 @@ ${{ groups['user_interface'] | first }}> ssh-add -l #### Transfer data with rsync Once you have your private key temporarily forwarded to _{{ groups['user_interface'] | first }}_ -you can use _rsync_ (over ssh) with the _guest_ account to transfer data to/from _{{ dt_server_address }}_. +you can use _rsync_ (over ssh) with the _guest_ account to transfer data to/from _{{ first_dt_server_address }}_. See below for some syntax examples. Note: @@ -46,11 +46,11 @@ Note: # # Request a list of rsync modules available for user some-guest-account. # -rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ dt_server_address }}:: +rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ first_dt_server_address }}:: # # List contents in the "home" module. # -rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ dt_server_address }}::home/ +rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ first_dt_server_address }}::home/ # ## ### Specify both a source as well as a destination to transfer data. @@ -59,11 +59,11 @@ rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ dt_server_address }}::home/ # # Push a file from user interface to data transfer server. # -rsync -av --rsh='ssh -p 443 -l some-guest-account' path/to/file_on_{{ groups['user_interface'] | first }} {{ dt_server_address }}::home/ +rsync -av --rsh='ssh -p 443 -l some-guest-account' path/to/file_on_{{ groups['user_interface'] | first }} {{ first_dt_server_address }}::home/ # # Reverse source and destination to pull a file from data transfer server onto user interface server. # -rsync -av --rsh='ssh -p 443 -l some-guest-account' {{ dt_server_address }}::home/data_on_transfer_server path/to/dir_on_{{ groups['user_interface'] | first }}/ +rsync -av --rsh='ssh -p 443 -l some-guest-account' {{ first_dt_server_address }}::home/data_on_transfer_server path/to/dir_on_{{ groups['user_interface'] | first }}/ ``` ----- 
diff --git a/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-external-collaborators.md b/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-external-collaborators.md index 341535f4a..ffac35709 100644 --- a/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-external-collaborators.md +++ b/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-external-collaborators.md @@ -1,5 +1,5 @@ #jinja2: trim_blocks:False -# Data transfers - How to move data to / from {{ dt_server_address }} +# Data transfers - How to move data to / from {{ first_dt_server_address }} Firstly and independent of technical options: make sure you are familiar with the _code of conduct_ / _terms and conditions_ / _license_ or whatever it is called and that you are allowed to upload/download a data set! When in doubt contact your supervisor / principal investigator and the group/institute that created the data set. @@ -28,16 +28,16 @@ as opposed to the FileZilla _installer_ (filename of the download ends in _.exe_ ![Start FileZilla and open the Site Manager](img/FileZilla-Windows-1.png) - * 1: Click the _**Site Manager**_ button to configure the connection to {{ dt_server_address }} + * 1: Click the _**Site Manager**_ button to configure the connection to {{ first_dt_server_address }} -###### Create new site with connection details for {{ dt_server_address }} +###### Create new site with connection details for {{ first_dt_server_address }} ![FileZilla Site Manager](img/FileZilla-Windows-2.png) * 2: Click the _**New Site**_ button. * 3: Provide a name for the new site. * 4: Select the _**SFTP**_ protocol. - * 5: Enter the address **{{ dt_server_address }}** in the _**Host**_ field. + * 5: Enter the address **{{ first_dt_server_address }}** in the _**Host**_ field. * 6: Use _**Port**_ **22** (default). * 7: Select _**Logon Type**_ **Key File**. * 8: Enter the guest **accountname** you received from the helpdesk in the _**User**_ field. 
@@ -53,7 +53,7 @@ as opposed to the FileZilla _installer_ (filename of the download ends in _.exe_ ###### Unknown host key -If this is the first time you connect to {{ dt_server_address }}, +If this is the first time you connect to {{ first_dt_server_address }}, FileZilla will show you the _**fingerprint**_ of the server's host key. ![FileZilla Site Manager](img/FileZilla-Windows-4.png) @@ -74,7 +74,7 @@ FileZilla will show you the _**fingerprint**_ of the server's host key. ###### Drag and drop files or folders to start a transfer FileZilla will login and start a session. -You can browse files/folders on your local machine in the left column and on {{ dt_server_address }} in the right column. +You can browse files/folders on your local machine in the left column and on {{ first_dt_server_address }} in the right column. Drag files/folder from the left column to the right one to upload or vice versa to download. ![FileZilla Site Manager](img/FileZilla-Windows-6.png) 
@@ -87,16 +87,16 @@ Drag files/folder from the left column to the right one to upload or vice versa ![Start FileZilla and open the Site Manager](img/FileZilla-macOS-1.png) - * 1: Click the _**Site Manager**_ button to configure the connection to {{ dt_server_address }} + * 1: Click the _**Site Manager**_ button to configure the connection to {{ first_dt_server_address }} -###### Create new site with connection details for {{ dt_server_address }} +###### Create new site with connection details for {{ first_dt_server_address }} ![FileZilla Site Manager](img/FileZilla-macOS-2.png) * 2: Click the _**New Site**_ button. * 3: Provide a name for the new site. * 4: Select the _**SFTP**_ protocol. - * 5: Enter the address **{{ dt_server_address }}** in the _**Host**_ field. + * 5: Enter the address **{{ first_dt_server_address }}** in the _**Host**_ field. * 6: Use _**Port**_ **22** (default). * 7: Select _**Logon Type**_ **Key File**. * 8: Enter the guest **accountname** you received from the helpdesk in the _**User**_ field. @@ -136,7 +136,7 @@ It cannot use private keys in OpenSSH format, but can convert a private key gene ###### Unknown host key -If this is the first time you connect to {{ dt_server_address }}, +If this is the first time you connect to {{ first_dt_server_address }}, FileZilla will show you the _**fingerprint**_ of the server's host key. ![FileZilla Site Manager](img/FileZilla-macOS-7.png) 
@@ -150,7 +150,7 @@ FileZilla will show you the _**fingerprint**_ of the server's host key. ###### Drag and drop files or folders to start a transfer FileZilla will login and start a session. -You can browse files/folders on your local machine in the left column and on {{ dt_server_address }} in the right column. +You can browse files/folders on your local machine in the left column and on {{ first_dt_server_address }} in the right column. Drag files/folder from the left column to the right one to upload or vice versa to download. ![FileZilla Site Manager](img/FileZilla-macOS-8.png) @@ -159,7 +159,7 @@ Drag files/folder from the left column to the right one to upload or vice versa -You can use rsync (over ssh) to transfer data to/from _{{ dt_server_address }}_. +You can use rsync (over ssh) to transfer data to/from _{{ first_dt_server_address }}_. Note that the data transfer uses _rsync modules_, which uses double colon syntax (::) to separate the name/address of the server from the path on the server. The rsync protocol is more efficient for large data sets and easier to automate, but unfortunately there are no free and good rsync client apps with a Graphical User Interface (GUI). See below for some syntax examples. @@ -172,11 +172,11 @@ See below for some syntax examples. # # Request a list of rsync modules available for user some-guest-account. # -rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ dt_server_address }}:: +rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ first_dt_server_address }}:: # # List contents in the home module. # -rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ dt_server_address }}::home/ +rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ first_dt_server_address }}::home/ # ## ### Specify both a source as well as a destination to transfer data. 
@@ -184,11 +184,11 @@ rsync -v --rsh='ssh -p 443 -l some-guest-account' {{ dt_server_address }}::home/ # # Push a file from user interface to data transfer server. # -rsync -av --rsh='ssh -p 443 -l some-guest-account' path/to/file_on_local_computer {{ dt_server_address }}::home/ +rsync -av --rsh='ssh -p 443 -l some-guest-account' path/to/file_on_local_computer {{ first_dt_server_address }}::home/ # # Reverse source and destination to pull a file from data transfer server onto user interface server. # -rsync -av --rsh='ssh -p 443 -l some-guest-account' {{ dt_server_address }}::home/data_on_transfer_server path/to/dir_on_local_computer/ +rsync -av --rsh='ssh -p 443 -l some-guest-account' {{ first_dt_server_address }}::home/data_on_transfer_server path/to/dir_on_local_computer/ ``` ----- diff --git a/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-overview.md b/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-overview.md index c3dd8ad07..f97cf6a17 100644 --- a/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-overview.md +++ b/roles/online_docs/templates/mkdocs/docs/dedicated-dt-server-overview.md @@ -5,7 +5,7 @@ Firstly and independent of technical options: make sure you are familiar with th and that you are allowed to upload / download a data set! When in doubt contact your supervisor / principal investigator and the group / institute that created the data set. -The {{ slurm_cluster_name | capitalize }} HPC cluster features a dedicated data transfer server _{{ dt_server_address }}_, +The {{ slurm_cluster_name | capitalize }} HPC cluster features a dedicated data transfer server _{{ first_dt_server_address }}_, which can be used to exchange data with external collaborators, that do not have a _regular_ cluster account with full shell access. This dedicated data transfer server can only be used with _guest_ accounts, which can transfer data using 
@@ -19,9 +19,9 @@ This dedicated data transfer server can only be used with _guest_ accounts, whic to user interface server _{{ groups['user_interface'] | first }}_ via jumphost _{{ groups['jumphost'] | first }}_ * **R2**: Cluster user uses _guest_ account to transfer data from _{{ groups['user_interface'] | first }}_ - to _{{ dt_server_address }}_ or vice versa. + to _{{ first_dt_server_address }}_ or vice versa. * **G1**: External collaborator uses _guest_ account to transfer data to/from - _{{ dt_server_address }}_. + _{{ first_dt_server_address }}_. ## Arranging a guest account for data transfers @@ -37,7 +37,7 @@ This dedicated data transfer server can only be used with _guest_ accounts, whic * the name of the project for which data will be exchanged and * for how long you will need the _guest_ account. * We will assign a temporary _guest_ account for your data transfer and link both your public key(s) as well as the public key(s) of your collaborator(s) to the same _guest_ account. - * You can now transfer data from/to {{ dt_server_address }} using the _guest_ account and your _private key_. + * You can now transfer data from/to {{ first_dt_server_address }} using the _guest_ account and your _private key_. #### Procedure for external collaborators 
@@ -46,9 +46,9 @@ This dedicated data transfer server can only be used with _guest_ accounts, whic for [Windows clients](../generate-key-pair-mobaxterm/) or for [macOS/Linux/Unix clients](../generate-key-pair-openssh/). * You will send **only** your **public** key to our [helpdesk](../contact/). * We will link your public key to a _guest_ account and notify you when the _guest_ account is ready. - * You can now transfer data from/to {{ dt_server_address }} using the _guest_ account and your _private key_. + * You can now transfer data from/to {{ first_dt_server_address }} using the _guest_ account and your _private key_. -## Using the guest account to transfer data to/from _{{ dt_server_address }}_ +## Using the guest account to transfer data to/from _{{ first_dt_server_address }}_ * [Instructions for cluster users](../dedicated-dt-server-cluster-users/) * [Instructions for external collaborators](../dedicated-dt-server-external-collaborators/) diff --git a/roles/online_docs/templates/mkdocs/docs/logins-linux-config.md b/roles/online_docs/templates/mkdocs/docs/logins-linux-config.md index 17019e7ae..6c5d37d54 100644 --- a/roles/online_docs/templates/mkdocs/docs/logins-linux-config.md +++ b/roles/online_docs/templates/mkdocs/docs/logins-linux-config.md 
@@ -116,11 +116,20 @@ Host {% for jumphost in groups['jumphost'] %}{{ jumphost }}* {% endfor %}{% raw ControlPersist 1m # # Expand short jumphost names to FQDN or IP address. -#{% for jumphost in groups['jumphost'] %}{% if public_ip_addresses[jumphost] is defined and public_ip_addresses[jumphost] | length %} +# +{% for jumphost in groups['jumphost'] %} + {%- set network_id = ip_addresses[jumphost] + | dict2items + | json_query('[?value.fqdn].key') + | first -%} + {%- if ip_addresses[jumphost][network_id]['fqdn'] == 'NXDOMAIN' -%} + {%- set ssh_hostname = ip_addresses[jumphost][network_id]['address'] -%} + {%- else -%} + {%- set ssh_hostname = ip_addresses[jumphost][network_id]['fqdn'] -%} + {%- endif -%} Host {{ jumphost }} - HostName {{ public_ip_addresses[jumphost] }}{% else %} -Host {{ jumphost }} {% if slurm_cluster_domain | length %}!*.{{ slurm_cluster_domain }}{% endif %} - HostName %h{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}{% endif %}{% endfor %} + HostName {{ ssh_hostname }} +{% endfor -%} # # Universal jumphost settings for triple-hop SSH. # 
@@ -130,14 +139,14 @@ Host *+*+* # Double-hop SSH settings to connect via specific jumphosts. # Host {% for jumphost in groups['jumphost'] %}{{ jumphost }}+* {% endfor %}{% raw %}{% endraw %} - ProxyCommand ssh -x -q $(echo "${JUMPHOST_USER:-%r}")@$(echo %h | sed 's/+[^+]*$//'){% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %} -W $(echo %h | sed 's/^[^+]*+//'):%p + ProxyCommand ssh -x -q $(echo "${JUMPHOST_USER:-%r}")@$(echo %h | sed 's/+[^+]*$//'){% if stack_domain | length %}.{{ stack_domain }}{% endif %} -W $(echo %h | sed 's/^[^+]*+//'):%p # # Sometimes port 22 for the SSH protocol is blocked by firewalls; in that case you can try to use SSH on port 443 as fall-back. # Do not use port 443 by default for SSH as it officially assigned to HTTPS traffic # and some firewalls will cause problems when trying to route SSH over port 443. # Host {% for jumphost in groups['jumphost'] %}{{ jumphost }}443+* {% endfor %}{% raw %}{% endraw %} - ProxyCommand ssh -x -q $(echo "${JUMPHOST_USER:-%r}")@$(echo %h | sed 's/443+[^+]*$//'){% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %} -W $(echo %h | sed 's/^[^+]*+//'):%p -p 443 + ProxyCommand ssh -x -q $(echo "${JUMPHOST_USER:-%r}")@$(echo %h | sed 's/443+[^+]*$//'){% if stack_domain | length %}.{{ stack_domain }}{% endif %} -W $(echo %h | sed 's/^[^+]*+//'):%p -p 443 ``` ## 5. Login diff --git a/roles/online_docs/templates/mkdocs/docs/logins-macos-linux.md b/roles/online_docs/templates/mkdocs/docs/logins-macos-linux.md index 7cd1ccb3c..cdfdf07af 100644 --- a/roles/online_docs/templates/mkdocs/docs/logins-macos-linux.md +++ b/roles/online_docs/templates/mkdocs/docs/logins-macos-linux.md 
@@ -15,7 +15,7 @@ If you want to transfer data using the commandline or analyze data on the cluste
 * You can login to the _UI_ named ```{{ groups['user_interface'] | first }}``` with the account as specified in your ```${HOME}/.ssh/conf.d/{{ slurm_cluster_name }}```
- via the _Jumphost_ named ```{{ groups['jumphost'] | first }}{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}```
+ via the _Jumphost_ named ```{{ groups['jumphost'] | first }}{% if stack_domain | length %}.{{ stack_domain }}{% endif %}```
 using the alias ```{{ groups['jumphost'] | first }}+{{ groups['user_interface'] | first }}```. Type the following command in a terminal:
diff --git a/roles/online_docs/templates/mkdocs/docs/logins-windows.md b/roles/online_docs/templates/mkdocs/docs/logins-windows.md
index 891d950aa..b54fd3019 100644
--- a/roles/online_docs/templates/mkdocs/docs/logins-windows.md
+++ b/roles/online_docs/templates/mkdocs/docs/logins-windows.md
@@ -38,8 +38,8 @@ If you prefer another terminal application consult the corresponding manual.
 ![Configure MobaXterm session](img/MobaXterm7b.png)
 * SSH jump hosts popup window
- * 5: _Gateway host_ field: Use the _Jumphost_ {% if public_ip_addresses is defined and public_ip_addresses | length %}IP address _**{{ public_ip_addresses[groups['jumphost'] | first] }}**_{% else %}address _**{{ groups['jumphost'] | first }}{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}**_{% endif %}.
- * Optional: _Port_ field: The default port for SSH is 22 and this is usually fine.
+ * 5: _Gateway host_ field: Use _**{{ first_jumphost_address }}**_ for the _Jumphost_ address.
+ * Optional: _Port_ field: The default port for SSH is _**22**_ and this is usually fine.
 However if you encounter a network where port 22 is blocked, you can try port 443. (Normally used for HTTPS, but our Jumposts can use it for SSH too.)
 * 6: _Username_ field: Use your _**account name**_ as you received it by email from the helpdesk (same as for 3).
 * 7: Select _Use SSH key_ and
diff --git a/roles/online_docs/templates/mkdocs/docs/logins.md b/roles/online_docs/templates/mkdocs/docs/logins.md
index 807f4f8cb..cd4cd88ef 100644
--- a/roles/online_docs/templates/mkdocs/docs/logins.md
+++ b/roles/online_docs/templates/mkdocs/docs/logins.md
@@ -16,7 +16,7 @@ In order to access the UI you will need to hop via a _**Jumphost**_, which is a security hardened machine that is not in any way involved in the processing of jobs nor in storing data and does receive daily (security) updates. In order to apply/activate security patches the _Jumphost_ may be temporarily unavailable, which means you cannot login to the _UI_ and hence cannot manage jobs nor create new ones, but existing jobs (running or queued) won't be affected and the cluster will continue to process those.
-The _**Jumphost**_ for the {{ slurm_cluster_name | capitalize }} HPC cluster is named _**{{ groups['jumphost'] | first }}{% if slurm_cluster_domain | length %}.{{ slurm_cluster_domain }}{% endif %}**_
+The _**Jumphost**_ for the {{ slurm_cluster_name | capitalize }} HPC cluster is named _**{{ groups['jumphost'] | first }}{% if stack_domain | length %}.{{ stack_domain }}{% endif %}**_
 ## Request an account
@@ -35,4 +35,4 @@ Configure your SSH client with the instructions for your operating system:
 ## Configure 2-Factor-Authentication
 Make sure you have working account and configured SSH client first, then [follow 2-factor-authentication instructions](../2FA/).
-{% endif %}
+{% endif %}
diff --git a/roles/online_docs/templates/mkdocs/mkdocs.yml b/roles/online_docs/templates/mkdocs/mkdocs.yml
index eee4010b3..87ee22d06 100644
--- a/roles/online_docs/templates/mkdocs/mkdocs.yml
+++ b/roles/online_docs/templates/mkdocs/mkdocs.yml
@@ -1,5 +1,5 @@
 site_name: "{{ slurm_cluster_name | capitalize }} HPC cluster"
-site_url: "http://{{ networking_lookups[groups['docs'] | first].fqdn }}/{{ slurm_cluster_name }}/"
+site_url: "http://{{ first_doc_server_address }}/{{ slurm_cluster_name }}/"
 use_directory_urls: true
 theme:
   name: readthedocs
diff --git a/roles/shared_storage/tasks/main.yml b/roles/shared_storage/tasks/main.yml
index f2f1b2f88..9151599fe 100644
--- a/roles/shared_storage/tasks/main.yml
+++ b/roles/shared_storage/tasks/main.yml
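Review bot: In the mkdocs.yml hunk, the rewritten `site_url` still hardcodes `http://` in front of `{{ first_doc_server_address }}`, so a documentation server fronted by TLS gets a wrong canonical URL; since the line is being changed anyway, the scheme could come from a variable with a safe default, e.g. `site_url: "{{ docs_url_scheme | default('http') }}://{{ first_doc_server_address }}/{{ slurm_cluster_name }}/"` (variable name constructed, choose whatever fits the group_vars). Where `first_doc_server_address` is defined is not visible in this hunk; a one-line comment above `site_url` naming its source (presumably a group var or a fact set by a role) would help the next reader.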
@@ -33,7 +33,7 @@
 - name: 'Mount complete Physical File Systems (PFS-ses).'
   ansible.posix.mount:
-    path: "/mnt/{{ item.pfs }}"
+    path: "/mnt/{{ item.pfs | regex_replace('\\$$', '') }}"
     src: "{{ item.source }}/{{ item.pfs }}"
     fstype: "{{ item.type }}"
     opts: "{{ item.rw_options }}{{ extra_opts }}"
diff --git a/roles/sshd/meta/main.yml b/roles/sshd/meta/main.yml
new file mode 100644
index 000000000..0b7ed2d93
--- /dev/null
+++ b/roles/sshd/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: include_vars_from_other_groups
+...
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 35017b2c8..05b04e908 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,21 +1,4 @@
 ---
-- name: "Find all ip_addresses.yml files in {{ playbook_dir }}/group_vars/*."
-  ansible.builtin.find:
-    paths: "{{ playbook_dir }}/group_vars/"
-    recurse: true
-    patterns: 'ip_addresses.yml'
-  register: ip_addresses_files
-  delegate_to: localhost
-  connection: local
-
-- name: Include variables from all ip_addresses.yml files.
-  ansible.builtin.include_vars:
-    file: "{{ item }}"
-    name: "{{ item | dirname | basename }}"
-  with_items: "{{ ip_addresses_files.files | map (attribute='path') | list }}"
-  delegate_to: localhost
-  connection: local
-
 - name: Check if system has /etc/pam.d/sshd
   ansible.builtin.stat:
     path: /etc/pam.d/sshd
diff --git a/roles/static_hostname_lookup/meta/main.yml b/roles/static_hostname_lookup/meta/main.yml
new file mode 100644
index 000000000..0b7ed2d93
--- /dev/null
+++ b/roles/static_hostname_lookup/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: include_vars_from_other_groups
+...
diff --git a/roles/static_hostname_lookup/tasks/main.yml b/roles/static_hostname_lookup/tasks/main.yml
index a002082f0..19c75c4cb 100644
--- a/roles/static_hostname_lookup/tasks/main.yml
+++ b/roles/static_hostname_lookup/tasks/main.yml
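Review bot: The new `path: "/mnt/{{ item.pfs | regex_replace('\\$$', '') }}"` strips a trailing `$` from the mount point only, while `src` keeps `{{ item.pfs }}` verbatim, and nothing says why a PFS name may end in `$`; a comment above `path:` such as `# A trailing '$' in the PFS name stays in src (the exported share name) but is dropped from the mount point path.` would make the asymmetry read as deliberate rather than as a typo. The double escaping (`\\$` inside a YAML double-quoted scalar yields `\$` for the regex, i.e. a literal dollar anchored at the end) is correct but easy to break on the next edit, so the comment should say so too.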
@@ -1,21 +1,4 @@
 ---
-- name: "Find all ip_addresses.yml files in {{ playbook_dir }}/group_vars/*."
-  ansible.builtin.find:
-    paths: "{{ playbook_dir }}/group_vars/"
-    recurse: true
-    patterns: 'ip_addresses.yml'
-  register: ip_addresses_files
-  delegate_to: localhost
-  connection: local
-
-- name: Include variables from all ip_addresses.yml files.
-  ansible.builtin.include_vars:
-    file: "{{ item }}"
-    name: "{{ item | dirname | basename }}"
-  with_items: "{{ ip_addresses_files.files | map (attribute='path') | list }}"
-  delegate_to: localhost
-  connection: local
-
 - name: Deploy /etc/hosts file.
   ansible.builtin.template:
     src: templates/hosts.j2
diff --git a/roles/static_hostname_lookup/templates/hosts.j2 b/roles/static_hostname_lookup/templates/hosts.j2
index d0aced068..edfe901b2 100644
--- a/roles/static_hostname_lookup/templates/hosts.j2
+++ b/roles/static_hostname_lookup/templates/hosts.j2
@@ -10,14 +10,14 @@
 #
 # localhost
 #
-127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4{% if groups['irods'] is defined and inventory_hostname in groups['irods'] +%} {{ hostvars[inventory_hostname]['fqdn'] | regex_replace('\..*$', '')}}.localdomain{% endif %}
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4{% if groups['irods'] is defined and inventory_hostname in groups['irods'] %} {{ hostvars[inventory_hostname]['fqdn'] | regex_replace('\..*$', '')}}.localdomain{% endif +%}
 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
 {% if groups['jumphost'] is defined and groups['jumphost'] | length >= 1 %}
 #
 # Jumphosts
 #
- {% for server_hostname in groups['jumphost'] %}
-{{ "%-15s" | format(ip_addresses[server_hostname].addr) }} {{ server_hostname }}
+ {% for host in groups['jumphost'] %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ host }}
 {% endfor %}
 {% endif %}
 {% if inventory_hostname in groups['jumphost'] %}
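Review bot: Every new lookup of the form `ip_addresses[host][network_private_management_id].address` (here in the Jumphosts block of hosts.j2, and again in the hunks at -25 and -34) assumes each listed host has an entry for `network_private_management_id`; a host that is in one of these groups but has no address on that network now aborts the whole `/etc/hosts` render with an undefined-variable error, whereas the docs block in the -34 hunk guards only `ip_addresses[host] is defined`. Either add a guard per loop, e.g. `{% if ip_addresses[host][network_private_management_id] is defined %}`, or make the failure name the host with `| mandatory('no private management address for ' ~ host)`, whichever matches the intended contract. `network_private_management_id` is not defined anywhere in this template; a comment at the top of the file stating where it comes from and that every host in these groups must have an address on that network would make the requirement explicit.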
@@ -25,8 +25,8 @@
 #
 # Data Staging servers
 #
- {% for server in groups['data_transfer'] %}
-{{ "%-15s" | format(ip_addresses[server].addr) }} {{ server }}
+ {% for host in groups['data_transfer'] %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ host }}
 {% endfor %}
 {% endif %}
 {% endif %}
@@ -34,57 +34,57 @@
 #
 # Repo servers
 #
- {% for server in groups['repo'] %}
-{{ "%-15s" | format(ip_addresses[server].addr) }} {{ server }}
+ {% for host in groups['repo'] %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ host }}
 {% endfor %}
 {% endif %}
 {% if groups['irods'] is defined and groups['irods'] | length >= 1 %}
 #
 # IRODS servers
 #
- {% for server in groups['irods'] %}
-{{ "%-15s" | format(ip_addresses[server].addr) }} {{ hostvars[server]['fqdn'] }} {{ hostvars[server]['fqdn'] | regex_replace('\..*$', '')}} {{ server }}
+ {% for host in groups['irods'] %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ hostvars[host]['fqdn'] }} {{ hostvars[host]['fqdn'] | regex_replace('\..*$', '')}} {{ host }}
 {% endfor %}
 {% endif %}
 {% if groups['sys_admin_interface'] is defined and groups['sys_admin_interface'] | length >= 1 %}
 #
 # Sys Admin Interfaces (SAIs)
 #
- {% for server in groups['sys_admin_interface'] %}
-{{ "%-15s" | format(ip_addresses[server].addr) }} {{ server }}
+ {% for host in groups['sys_admin_interface'] %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ host }}
 {% endfor %}
 {% endif %}
 {% if groups['deploy_admin_interface'] is defined and groups['deploy_admin_interface'] | length >= 1 %}
 #
 # Deploy Admin Interfaces (DAIs)
 #
- {% for server in groups['deploy_admin_interface'] %}
-{{ "%-15s" | format(ip_addresses[server].addr) }} {{ server }}
+ {% for host in groups['deploy_admin_interface'] %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ host }}
 {% endfor %}
 {% endif %}
 {% if groups['user_interface'] is defined and groups['user_interface'] | length >= 1 %}
 #
 # User Interfaces (UIs)
 #
- {% for server in groups['user_interface'] %}
-{{ "%-15s" | format(ip_addresses[server].addr) }} {{ server }}
+ {% for host in groups['user_interface'] %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ host }}
 {% endfor %}
 {% endif %}
 {% if groups['compute_vm'] is defined and groups['compute_vm'] | length >= 1 %}
 #
 # Compute nodes
 #
- {% for server in groups['compute_vm'] %}
-{{ "%-15s" | format(ip_addresses[server].addr) }} {{ server }}
+ {% for host in groups['compute_vm'] %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ host }}
 {% endfor %}
 {% endif %}
 {% if groups['docs'] is defined and groups['docs'] | length >= 1 %}
 #
 # Documentation webservers
 #
- {% for server in groups['docs'] %}
- {% if ip_addresses[server] is defined %}
-{{ "%-15s" | format(ip_addresses[server].addr) }} {{ server }}
+ {% for host in groups['docs'] %}
+ {% if ip_addresses[host] is defined %}
+{{ "%-15s" | format(ip_addresses[host][network_private_management_id].address) }} {{ host }}
 {% endif %}
 {% endfor %}
 {% endif %}
@@ -93,9 +93,9 @@
 # Additional hosts.
 #
 {% for item in additional_etc_hosts %}
- {% set additional_ip_addresses = lookup('vars', item.group).ip_addresses %}
- {% for server in item.hosts %}
-{{ "%-15s" | format(additional_ip_addresses[server].addr) }} {{ server }}
+ {% for node in item['nodes'] %}
+ {% set address = lookup('vars', item['group'])['ip_addresses'][node['name']][node['network']]['address'] %}
+{{ "%-15s" | format(address) }} {{ node['name'] }}
 {% endfor %}
 {% endfor %}
 {% endif %}
diff --git a/single_group_playbooks/galaxy-requirements.yml b/single_group_playbooks/galaxy-requirements.yml
deleted file mode 120000
index e851af3f8..000000000
--- a/single_group_playbooks/galaxy-requirements.yml
+++ /dev/null
@@ -1 +0,0 @@
-../galaxy-requirements.yml
\ No newline at end of file
diff --git a/single_group_playbooks/irods.yml b/single_group_playbooks/irods.yml
index 4c9976d12..56c3cbb84 100644
--- a/single_group_playbooks/irods.yml
+++ b/single_group_playbooks/irods.yml
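Review bot: In the -93 hunk the `additional_etc_hosts` loop now expects `item['group']` plus `item['nodes']` entries carrying `name` and `network` keys, replacing the old `item.hosts` list, and nothing in the template documents that shape; any group_vars still written in the old form fail at render time with an undefined-variable error rather than with a message about the changed layout. A comment above the unchanged `{% for item in additional_etc_hosts %}` line spelling out the expected structure (a list of mappings with `group` and `nodes`, each node with `name` and `network`) would make the change self-describing. The single `lookup('vars', item['group'])['ip_addresses'][node['name']][node['network']]['address']` expression also reaches four levels deep at once; a second `{% set %}` for the group's `ip_addresses` would keep a failure attributable to the group, the node or the network.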
@@ -1,22 +1,3 @@
-#
-# 1. $> cd git/league-of-robots
-# 2. Create VM for irods with deploy-os_servers.yml playbook.
-# 3. Fetch Ansible dependencies
-# $> ansible-galaxy install -r galaxy-requirements.yml
-# Configure this repo for deployment of a specifc HPC cluster.
-# 4. Source lor-init from this repo. E.g.:
-# $> source ./lor-init
-# 5. Configure League of Robots for a specific cluster. E.g.:
-# $> lor-config nb
-# 6. Execute playbook to deploy machines. E.g.:
-# $> ansible-playbook deploy-os_servers.yml -l 'irods,localhost'
-# $> export ANSIBLE_HOST_KEY_CHECKING=False
-# Assosiate floating ip to the machine.
-# $> ansible-playbook -u centos -l 'irods' single_role_playbooks/admin_users.yml
-# $> ansible-playbook -u single_role_playbooks/static_hostname_lookup.yml -l 'jumphost'
-# $> ansible-playbook -u ssh_host_signer.yml -l 'irods'
-# $> export ANSIBLE_HOST_KEY_CHECKING=True
-# $> ansible-playbook -u deploy-irods.yml -vvv
 ---
 - import_playbook: pre_deploy_checks.yml
diff --git a/single_group_playbooks/pre_deploy_checks.yml b/single_group_playbooks/pre_deploy_checks.yml
index 0baee20f9..58801ab23 100644
--- a/single_group_playbooks/pre_deploy_checks.yml
+++ b/single_group_playbooks/pre_deploy_checks.yml
@@ -29,7 +29,7 @@
       connection: local
     - name: 'Download dependencies from Ansible Galaxy on the Ansible control host.'
       ansible.builtin.command:
-        cmd: ansible-galaxy install -r galaxy-requirements.yml
+        cmd: ansible-galaxy install -r requirements.yml
       run_once: true
       delegate_to: localhost
       connection: local
diff --git a/single_group_playbooks/requirements.yml b/single_group_playbooks/requirements.yml
new file mode 120000
index 000000000..6e76d5252
--- /dev/null
+++ b/single_group_playbooks/requirements.yml
@@ -0,0 +1 @@
+../requirements.yml
\ No newline at end of file
diff --git a/single_role_playbooks/irods_davrods.yml b/single_role_playbooks/irods_davrods.yml
new file mode 100644
index 000000000..3663fc13a
--- /dev/null
+++ b/single_role_playbooks/irods_davrods.yml
@@ -0,0 +1,5 @@
+---
+- hosts: irods
+  roles:
+    - irods_davrods
+...
diff --git a/static_inventories/calculon_cluster.yml b/static_inventories/calculon_cluster.yml
new file mode 100644
index 000000000..e3550b622
--- /dev/null
+++ b/static_inventories/calculon_cluster.yml
@@ -0,0 +1,15 @@
+---
+all:
+  children:
+    openstack_api:
+      hosts:
+        localhost:
+    jumphost:
+      hosts:
+        lobby:
+          cloud_flavor: m1.small
+calculon_cluster:
+  children:
+    openstack_api:
+    jumphost:
+...
diff --git a/static_inventories/docs_library.yml b/static_inventories/docs_library.yml
index 51b45d5ba..df8f69a3a 100644
--- a/static_inventories/docs_library.yml
+++ b/static_inventories/docs_library.yml
@@ -6,7 +6,7 @@ all:
         localhost:
     docs:
       hosts:
-        docs:
+        docs_on_merlin:
           cloud_flavor: m1.small
 docs_library:
   children:
diff --git a/static_inventories/nibbler_cluster.yml b/static_inventories/nibbler_cluster.yml
index 52578432f..2b3e1a3b2 100644
--- a/static_inventories/nibbler_cluster.yml
+++ b/static_inventories/nibbler_cluster.yml
@@ -25,6 +25,7 @@ all:
           cloud_flavor: m1.large
           local_volume_size_extra: 20
           fqdn: umcg-icat01.hpc.rug.nl
+          davrods_icat_ip: "{{ ip_addresses[inventory_hostname][network_private_management_id]['address'] }}"
     docs:
       hosts:
         docs_on_merlin:
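Review bot: The new play in `single_role_playbooks/irods_davrods.yml` has no `name:`, while the tasks elsewhere in this diff are consistently named; ansible-lint's `name[play]` rule flags unnamed plays, and a one-liner such as `- name: 'Deploy davrods on iRODS servers.'` above `hosts: irods` keeps run output readable and matches the other single-role playbooks if they follow the same pattern. The play also sets no `become`, so whether the `irods_davrods` role elevates privileges itself is not visible here; a short comment stating that expectation would save the next reader a check.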