Merge branch 'main' into feat/auto-bump-timestamps

Author: wtripp180901

.github/workflows/stackhpc.yml

@@ -111,9 +111,9 @@ jobs:
           . venv/bin/activate
           . environments/.stackhpc/activate
           ansible-playbook ansible/adhoc/generate-passwords.yml
-          echo vault_testuser_password: "$TESTUSER_PASSWORD" > $APPLIANCES_ENVIRONMENT_ROOT/inventory/group_vars/all/test_user.yml
+          echo vault_demo_user_password: "$DEMO_USER_PASSWORD" > $APPLIANCES_ENVIRONMENT_ROOT/inventory/group_vars/all/test_user.yml
         env:
-          TESTUSER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }}
+          DEMO_USER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }}
 
       - name: Provision nodes using fat image
         id: provision_servers
@@ -175,12 +175,12 @@ jobs:
             --spider \
             --server-response \
             --no-check-certificate \
-            --http-user=testuser \
-            --http-password=${TESTUSER_PASSWORD} https://${openondemand_servername} \
+            --http-user=demo_user \
+            --http-password=${DEMO_USER_PASSWORD} https://${openondemand_servername} \
             2>&1)
           (echo $statuscode | grep "200 OK") || (echo $statuscode  && exit 1)
         env:
-          TESTUSER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }}
+          DEMO_USER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }}
 
       # - name: Build environment-specific compute image
       #   id: packer_build

README.md

@@ -104,6 +104,7 @@ To deploy this infrastructure, ensure the venv and the environment are [activate
 
     export OS_CLOUD=openstack
     cd environments/$ENV/terraform/
+    tofu init
     tofu apply
 
 and follow the prompts. Note the OS_CLOUD environment variable assumes that OpenStack credentials are defined using a [clouds.yaml](https://docs.openstack.org/python-openstackclient/latest/configuration/index.html#clouds-yaml) file in a default location with the default cloud name of `openstack`.

ansible/.gitignore

@@ -58,6 +58,10 @@ roles/*
 !roles/squid/**
 !roles/tuned/
 !roles/tuned/**
+!roles/sssd/
+!roles/sssd/**
+!roles/sshd/
+!roles/sshd/**
 !roles/compute_init/
 !roles/compute_init/**
 !roles/k3s/

ansible/bootstrap.yml

@@ -110,6 +110,15 @@
         policy: "{{ selinux_policy }}"
       register: sestatus
 
+- hosts: sshd
+  tags: sshd
+  gather_facts: no
+  become: yes
+  tasks:
+    - name: Configure sshd
+      import_role:
+        name: sshd
+
 - hosts: dnf_repos
   become: yes
   tasks:

ansible/fatimage.yml

@@ -54,6 +54,11 @@
         name: freeipa
         tasks_from: client-install.yml
       when: "'freeipa_client' in group_names"
+    - name: Install sssd
+      import_role:
+        name: sssd
+        tasks_from: install.yml
+      when: "'sssd' in group_names"
 
     # - import_playbook: filesystems.yml:
     - name: Install nfs packages

ansible/iam.yml

@@ -40,3 +40,12 @@
       import_role:
         name: freeipa
         tasks_from: users.yml
+
+- hosts: sssd
+  become: yes
+  gather_facts: no
+  tags: sssd
+  tasks:
+    - name: Configure sssd
+      import_role:
+        name: sssd

ansible/roles/basic_users/README.md

@@ -24,6 +24,7 @@ Role Variables
   - An additional key `sudo` may optionally be specified giving a string (possibly multiline) defining sudo rules to be templated.
   - Any other keys may present for other purposes (i.e. not used by this role).
 - `basic_users_groups`: Optional, default empty list. A list of mappings defining information for each group. Mapping keys/values are passed through as parameters to [ansible.builtin.group](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/group_module.html) and default values are as given there.
+- `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted each time this role is run.
 
 Dependencies
 ------------

ansible/roles/basic_users/defaults/main.yml

@@ -7,3 +7,4 @@ basic_users_userdefaults:
   shell: "{{'/sbin/nologin' if 'control' in group_names else omit }}"
 basic_users_users: []
 basic_users_groups: []
+basic_users_override_sssd: false

ansible/roles/basic_users/tasks/main.yml

@@ -7,7 +7,16 @@
     label: "{{ item.name }}"
   when:
     - "item.state | default('present') == 'absent'"
-  
+
+- name: Stop sssd if required
+  systemd:
+    name: sssd
+    state: stopped
+  register: _stop_sssd
+  when:
+    - "'sssd' in group_names"
+    - basic_users_override_sssd | bool
+
 - name: Create groups
   ansible.builtin.group: "{{ item }}"
   loop:  "{{ basic_users_groups }}"
@@ -19,6 +28,12 @@
     label: "{{ item.name }} [{{ item.state | default('present') }}]"
   register: basic_users_info
 
+- name: Restart sssd if required
+  systemd:
+    name: sssd
+    state: started
+  when: _stop_sssd is changed
+
 - name: Write supplied public key as authorized for SSH access
   authorized_key:
     user: "{{ item.name }}"

ansible/roles/passwords/defaults/main.yml

@@ -10,6 +10,7 @@ slurm_appliance_secrets:
   vault_freeipa_admin_password: "{{ vault_freeipa_admin_password | default(lookup('password', '/dev/null')) }}"
   vault_k3s_token: "{{ vault_k3s_token | default(lookup('ansible.builtin.password', '/dev/null', length=64)) }}"
   vault_pulp_admin_password: "{{ vault_pulp_admin_password | default(lookup('password', '/dev/null', chars=['ascii_letters', 'digits'])) }}"
+  vault_demo_user_password: "{{ vault_demo_user_password | default(lookup('password', '/dev/null')) }}"
 
 secrets_openhpc_mungekey_default:
   content: "{{ lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') }}"