Bb initial commit

group_vars/all/vars.yml

@@ -105,4 +105,38 @@ pulp_repos:
     description: 'Lustre client Long Term Support (LTS) releases for Enterprise Linux 7.'
     remote_url: https://downloads.whamcloud.com/public/lustre/latest-2.12-release/el7/client/
     client_baseurl: "https://{{ stack_prefix }}-repo/pulp/content/{{ slurm_cluster_name }}/lustre7/"
+#
+# List of repos for machines that do not use Pulp or Spacewalk
+#
+yum_repos:
+  - name: centos7-base
+    description: 'CentOS-7 - Base.'
+    baseurl: http://mirror.centos.org/centos/7/os/x86_64/
+    gpgcheck: 'true'
+    gpgkey: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7'
+  - name: centos7-updates
+    description: 'CentOS-7 - Updates.'
+    baseurl: http://mirror.centos.org/centos/7/updates/x86_64/
+    gpgcheck: 'true'
+    gpgkey: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7'
+  - name: centos7-extras
+    description: 'CentOS-7 - Extras.'
+    baseurl: http://mirror.centos.org/centos/7/extras/x86_64/
+    gpgcheck: 'true'
+    gpgkey: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7'
+  - name: epel7
+    description: 'Extra Packages for Enterprise Linux 7 (EPEL).'
+    baseurl: https://download.fedoraproject.org/pub/epel/7/x86_64/
+    gpgcheck: 'true'
+    gpgkey: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7' # comes preinstalled with epel-release
+  - name: irods7
+    description: 'RENCI iRODS Repository for Enterprise Linux 7.'
+    baseurl: https://packages.irods.org/yum/pool/centos7/x86_64/
+    gpgcheck: 'false'
+    gpgkey: ''
+  - name: lustre7
+    description: 'Lustre client Long Term Support (LTS) releases for Enterprise Linux 7.'
+    baseurl: https://downloads.whamcloud.com/public/lustre/latest-2.12-release/el7/client/
+    gpgcheck: 'false'
+    gpgkey: ''
 ...

group_vars/betabarrel_cluster/ip_addresses.yml

@@ -3,5 +3,8 @@ ip_addresses:
   betabarrel:
     vlan983:
       address: 172.23.41.225
-      netmask: /32
+      netmask: /23
+    vlan13:
+      address: 129.125.55.13
+      netmask: /24
 ...

group_vars/betabarrel_cluster/vars.yml

@@ -29,8 +29,8 @@ use_ldap: yes
 create_ldap: no
 use_sssd: yes
 ldap_domains:
-  grunn:
-    uri: ldaps://svrs.id.rug.nl
+  default_domain:
+    uri: ldaps://172.23.40.249
     search_base: ou=gd,o=asds
     schema: rfc2307
     min_id: 50100000
@@ -43,6 +43,7 @@ ldap_domains:
     group_object_class: groupofnames
     group_quota_soft_limit_template: ruggroupumcgquotaLFSsoft
     group_quota_hard_limit_template: ruggroupumcgquotaLFS
+ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }},{{ inventory_hostname }}"
 totp:
   machines: "{{ groups['jumphost'] }}"
   excluded:
@@ -55,6 +56,28 @@ nameservers: [
   '8.8.4.4',  # Google DNS.
   '8.8.8.8',  # Google DNS.
 ]
+network_private_management_id: "vlan983"
+network_private_management_cidr: '172.23.41.225/24'
+#network_private_storage_id: "{{ stack_prefix }}_internal_storage"
+#network_private_storage_cidr: '10.10.2.0/24'
+
+iptables_allow_icmp_inbound:
+  - "{{ all.ip_addresses['umcg']['net1'] }}"
+  - "{{ all.ip_addresses['umcg']['net2'] }}"
+  - "{{ all.ip_addresses['umcg']['net3'] }}"
+  - "{{ all.ip_addresses['umcg']['net4'] }}"
+  - "{{ all.ip_addresses['rug']['bwp_net'] }}"
+  - "{{ all.ip_addresses['rug']['operator'] }}"
+  - "{{ all.ip_addresses['gcc']['cloud_net'] }}"
+  - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}"
+iptables_allow_ssh_inbound:
+  - "{{ all.ip_addresses['umcg']['net1'] }}"
+  - "{{ all.ip_addresses['umcg']['net2'] }}"
+  - "{{ all.ip_addresses['umcg']['net3'] }}"
+  - "{{ all.ip_addresses['umcg']['net4'] }}"
+  - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}"
+iptables_allow_ssh_outbound:
+  - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}"
 
 local_backups: # list of folders for cron to make daily backup
   - name: apps # don't modify after once deployed!
@@ -140,10 +163,11 @@ regular_users:
 #
 pfs_mounts:
   - pfs: local_raid
-    source:
-    type:
-    rw_options:
-    ro_options:
+    device: /data  # needs to be already mounted on system (f.e. /dev/sdc1 > /data)
+    source: '/mnt'
+    type: 'none'
+    rw_options: 'bind'
+    ro_options: 'bind,ro'
     machines: "{{ groups['sys_admin_interface'] }}"
   - pfs: 'medgen_zincfinger$'
     source: '//storage3.umcg.nl'
@@ -167,7 +191,7 @@ lfs_mounts:
   - lfs: home
     pfs: local_raid
     rw_machines: "{{ groups['cluster'] }}"
-  - lfs: tmp06
+  - lfs: tmp05
     pfs: local_raid
     groups:
       - name: umcg-atd
@@ -241,7 +265,7 @@ lfs_mounts:
       - name: umcg-gst
       - name: umcg-vipt
     rw_machines: "{{ groups['chaperone'] }}"
-  - lfs: env06
+  - lfs: env05
     pfs: local_raid
     ro_machines: "{{ groups['compute_vm'] + groups['user_interface'] }}"
     rw_machines: "{{ groups['deploy_admin_interface'] }}"

group_vars/wingedhelix_cluster/vars.yml

@@ -40,6 +40,14 @@ additional_etc_hosts:
         network: public
       - name: gattaca02
         network: public
+  - group: betabarrel_cluster
+    nodes:
+      - name: betabarrel
+        network: vlan13
+  - group: copperfist_cluster
+    nodes:
+      - name: copperfist
+        network: vlan13
 use_ldap: true
 create_ldap: false
 use_sssd: true

roles/sssd/templates/sssd.conf

@@ -74,4 +74,4 @@ ldap_tls_reqcert = demand
 ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.trust.crt
 #ldap_tls_cipher_suite = HIGH:MEDIUM  # SSSD uses OpenSSL style cipher suites.
 debug_level = 3
-{% endfor %}
+{% endfor %}

roles/yum_repos/tasks/main.yml

@@ -1,10 +1,30 @@
 ---
-- name: "Add custom yum repos."
-  yum_repository:
-    name: "{{ item }}"
-    description: "{{ yum_repos[item].description }}"
-    baseurl: "{{ yum_repos[item].baseurl }}"
-    gpgcheck: false
-  with_items: "{{ yum_repos }}"
+- name: Flush handlers.
+  ansible.builtin.meta: flush_handlers
+
+- name: Find all *.repo files in /etc/yum.repos.d/.
+  ansible.builtin.find:
+    paths: '/etc/yum.repos.d/'
+    use_regex: false
+    patterns: '*.repo'
+    excludes: 'local_yum.repo'
+  register: yum_existing_repos
+
+- name: Remove *.repo files from /etc/yum.repos.d/ that do not correspond to our repos.
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  with_items: "{{ yum_existing_repos.files | map (attribute='path') | list }}"
+  when: item | basename | regex_replace('.repo$','') not in yum_repos | map(attribute='name') | list
+  become: true
+
+- name: Add custom yum repos.
+  ansible.builtin.yum_repository:
+    name: "{{ item.name }}"
+    description: "{{ item.description }}"
+    baseurl: "{{ item.baseurl }}"
+    gpgcheck: "{{ item.gpgcheck }}"
+    gpgkey: "{{ item.gpgkey }}"
+  with_list: "{{ yum_repos }}"
   become: true
 ...

single_group_playbooks/cluster_part1.yml

@@ -12,6 +12,7 @@
     - swap
     - {role: spacewalk_client, when: repo_manager == 'spacewalk'}
     - {role: pulp_client, when: repo_manager == 'pulp'}
+    - {role: yum_repos, when: repo_manager == 'none'}
     - {role: yum_local, when: local_yum_repository is defined}
     - static_hostname_lookup
     - logrotate

static_inventories/betabarrel_cluster.yml

@@ -4,10 +4,6 @@ all:
     openstack_api:
       hosts:
         localhost:
-    jumphost:
-      hosts:
-        porch:
-          cloud_flavor: m1.small
     docs:
       hosts:
         docs_on_merlin:
@@ -18,6 +14,14 @@ all:
     deploy_admin_interface:
       hosts:
         betabarrel:
+          volumes:
+            - mount_point: '/apps'
+              device: '/mnt/env05/apps/'
+              mounted_owner: root
+              mounted_group: "{{ envsync_group }}"
+              mounted_mode: '2775'
+              mount_options: 'bind'
+              type: none
     user_interface:
       hosts:
         betabarrel: