Commit 2c22cf9b authored by Julian Gethmann

Add common role

* Common for all systems
parents
[defaults]
inventory=hosts
pipelining = True
remote_user=gethmann
roles_path=roles
become=False
become_user="root"
become_ask_pass=True
become_method="sudo"
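Review bot: The four `become*` keys sit under `[defaults]`, but as far as I know Ansible reads privilege-escalation settings from a `[privilege_escalation]` section, so `become_ask_pass=True` and `become_method="sudo"` may be silently ignored where they are now. Moving them under a `[privilege_escalation]` header, and writing the values without quotes (`become_user=root`), makes the prompt-for-password behaviour explicit instead of accidental. `remote_user=gethmann` also ties the shared config to one personal account; a short comment saying it is meant to be overridden per operator would help.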
- hosts: all
roles:
- common
- hosts: cn
become: yes
tasks:
- hostname: name=las-bernhard.anka.kit.edu
tags:
- cn
- always
---
# file: group_vars/all
common_software:
- git
- vim
- htop
- tmux
- iotop
- dmidecode
client_software:
- gnuplot
python_software:
- python3-scipy
- python3-matplotlib
# - anaconda3
client_software:
- kpcli
desktop_software:
- thunderbird
# - king/Clipboard
# - dagolden/Capture-Tiny
- firefox
- libreoffice
ipaserver: las101.las.kit.edu
ipaserver2: las126.las.kit.edu
sudoer:
- bernhard
- gethmann
userinstall_vars:
- {name: "gethmann", password: "$6$HEmrpe9IMPI7nwxK$7VyjN.1tf/bJ2JJUeXQa.HEK3PFB1ggUVqpvMD0M/b/Ln.8QkzSMit9xukPaNhVg4caTnQBmcn1DXVwbfCmJt."}
- {name: "bernhard", password: "$6$Q9NiWWvweGVfXXUP$6jhQWNGEs1f/RZc2aeDJ4Wv7huT5eAyW/uO0hOr8Yzi.h5Sa149LDpzp6utQI2VbnKF6O7TfpZeoKHFaNKGY51"}
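Review bot: `userinstall_vars` commits the crypt password hashes of two named accounts in clear text, so everyone with read access to the repository can attempt to recover the passwords offline. These values belong in an Ansible Vault-encrypted vars file or should be supplied at run time, and because the hashes remain in history after this commit the two passwords should be treated as exposed and rotated. Separately, `client_software` is defined twice in this vars file; most YAML loaders keep only the last mapping, so the `gnuplot` entry is dropped in favour of `kpcli`.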
ansible_connection: local
ansible_user: gethmann
user_account: gethmann
ip_suffix: -gethmann
loc: 618
# stable
[las-archiv1]
las113.las.kit.edu
las111.las.kit.edu
las93.las.kit.edu
las-gethmann.las.kit.edu
[opera]
las113.las.kit.edu
las114.las.kit.edu
las-bernhard.anka.kit.edu
las111.las.kit.edu
las118.las.kit.edu
las117.las.kit.edu
las126.las.kit.edu
las-gethmann.las.kit.edu
[elegant]
las113.las.kit.edu
las117.las.kit.edu
las111.las.kit.edu
las126.las.kit.edu
las-gethmann.las.kit.edu
[lab]
las93.las.kit.edu
[rpmbuild]
las113.las.kit.edu
las-gethmann.las.kit.edu
[clients]
las111.las.kit.edu
127.0.0.1
las114.las.kit.edu
las116.las.kit.edu
las118.las.kit.edu
las113.las.kit.edu
las93.las.kit.edu
las-gethmann.las.kit.edu
[desktop]
las111.las.kit.edu
las113.las.kit.edu
las114.las.kit.edu
las116.las.kit.edu
las118.las.kit.edu
las-gethmann.las.kit.edu
# semi stable
[scipy]
las114.las.kit.edu
las113.las.kit.edu
las111.las.kit.edu
las126.las.kit.edu
# testing
[alle]
las101.las.kit.edu
las111.las.kit.edu
las113.las.kit.edu
las114.las.kit.edu
las118.las.kit.edu
las126.las.kit.edu
las-bernhard.anka.kit.edu
[local]
127.0.0.1 ansible_connection=local
[admin]
las113.las.kit.edu
las101.las.kit.edu
las-gethmann.las.kit.edu
[server]
las101.las.kit.edu
[cn]
las-bernhard.anka.kit.edu
[simulation]
las126.las.kit.edu
# Generated by NetworkManager
search physik.kit.edu physik.uni-karlsruhe.de anka.kit.edu kit.edu
nameserver 129.13.64.5
nameserver 129.13.96.2
nameserver 8.8.8.8
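Review bot: The third entry, `nameserver 8.8.8.8`, means that whenever the two campus resolvers do not answer, lookups from these hosts go to a public resolver outside the site, which exposes queried names to a third party. If that fallback is intentional, say so in a comment; otherwise drop the line. The `# Generated by NetworkManager` header is also misleading for a file that is now deployed by the `copy` task, and NetworkManager may rewrite the file later unless it is told not to manage `/etc/resolv.conf`.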
---
- name: enable sshd
become: yes
service: name=sshd enabled=yes
- name: restart sshd
become: yes
service: name=sshd state=restarted
- name: reload sshd
become: yes
service: name=sshd state=reloaded
- name: start sshd
become: yes
service: name=sshd state=started
- name: enable ntp
become: yes
service: name=ntpdate enabled=yes
- name: start ntp
become: yes
service: name=ntpdate state=started
---
# not tested yet
- name: install etckeeper
become: yes
dnf: name=etckeeper state=installed
- name: Initialise etckeeper
tags: etckeeper
command: etckeeper init creates=/etc/.etckeeper chdir=/etc
become: yes
- name: dnf as package manager
lineinfile: dest=/etc/etckeeper/etckeeper.conf line="HIGHLEVEL_PACKAGE_MANAGER=dnf" regexp="HIGHLEVEL_PACKAGE_MANAGER=.*" backup=yes
become: yes
---
- name: set hostname
hostname: "name=las{{ ip_suffix }}.las.kit.edu"
become: yes
- name: deploy resolv.conf
become: yes
copy: src=resolv.conf dest=/etc/resolv.conf backup=yes mode=644 owner=root
---
- include: etckeeper.yml
- include: hostname.yml
# - include: networking.yml
- include: sshd.yml
- include: sudoer.yml
- include: sysupdate.yml
- include: ntp.yml
- include: yumrepos.yml
- include: software.yml
---
- name: install ntpdate
dnf: state=latest name=ntpdate
become: yes
- name: set time server
command: ntpdate -u ntp1.scc.kit.edu ntp2.scc.kit.edu ntp3.scc.kit.edu 0.fedora.pool.ntp.org 0.fedora.pool.ntp.org
become: yes
notify:
- start ntp
- enable ntp
changed_when: False
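Review bot: `changed_when: False` on "set time server" means the task never reports a change, so the `notify` list above it can never fire and the `start ntp` / `enable ntp` handlers are never triggered from this file. If the service should be enabled and running, make that an explicit task, for example `service: name=ntpdate enabled=yes state=started`, and drop the `notify`. The pool server `0.fedora.pool.ntp.org` is also listed twice on the `ntpdate` command line. Reliable time matters here beyond convenience: the vars reference an `ipaserver`, and if that is a Kerberos-based identity service, clock skew will break authentication.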
---
- name: install common software
package: name={{item}} state=latest
with_items: "{{ common_software }}"
become: true
---
- name: Installed sshd
dnf: state=installed name=openssh-server
become: yes
- name: Disable empty password login
lineinfile: dest=/etc/ssh/sshd_config regexp=".*PermitEmptyPasswords.*" line="PermitEmptyPasswords no" backup=yes
notify: restart sshd
become: yes
- name: Disable remote root login
lineinfile: dest=/etc/ssh/sshd_config regexp=".*PermitRootLogin.*" line="PermitRootLogin no" backup=yes
notify: restart sshd
become: yes
- name: Enable tunnel
lineinfile: dest=/etc/ssh/sshd_config regexp=".*PermitTunnel.*" line="PermitTunnel yes" backup=yes
notify:
- enable sshd
- restart sshd
become: yes
# - name: always start sshd
# command: chkconfig sshd on
- name: Add curves
lineinfile: dest=/etc/ssh/sshd_config regexp="HostKey.*ed25519.*" line="HostKey /etc/ssh/ssh_host_ed25519_key" backup=yes
notify: restart sshd
become: yes
- name: enable PAM
lineinfile: dest=/etc/ssh/sshd_config regexp=".*UsePAM .*" line="UsePAM yes" backup=yes
become: yes
notify: restart sshd
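Review bot: None of the `lineinfile` edits to `/etc/ssh/sshd_config` passes `validate`, yet each one notifies `restart sshd`, so a broken resulting file takes the daemon down on hosts that are only reachable over SSH. Adding `validate='sshd -t -f %s'` to each task mirrors what the sudoers tasks on this page already do with `visudo`. The patterns such as `regexp=".*PermitRootLogin.*"` are unanchored and will also match comment lines or any line that merely mentions the option; an anchored form like `regexp="^#?PermitRootLogin "` is narrower. `PermitTunnel yes` is applied to every host that gets this role and deserves a comment explaining why it is needed, since it widens what an authenticated SSH user can do.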
---
- name: Ensure sudo is installed
dnf: pkg=sudo state=installed
become: yes
- name: Copy sudoers file including validation
become: yes
template: src=sudoers.j2 dest=/etc/sudoers.d/sudoers validate='visudo -cf %s' backup=yes owner=root group=root mode=440
register: sudoers_enrole_result
- name: requiretty in sudoers
lineinfile: backup=yes regexp="Defaults !?requiretty" state=present dest=/etc/sudoers line="Defaults !requiretty" validate="visudo -c -f %s"
become: yes
- name: Lock the root user
become: yes
shell: passwd -l root
#failed_when: "'Success' not in command_result.stdout"
when: sudoers_enrole_result|success and sudoers_enrole_result|changed
tags: lock root
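Review bot: "Lock the root user" runs only when the sudoers template task reported `changed`, so a host whose `/etc/sudoers.d/sudoers` already matched keeps an unlocked root account, and the hardening is not idempotent. Nothing checks that the accounts listed in `sudoer` actually exist on the host before root is locked, which risks leaving a machine with no usable administrative login. I would drop the `changed` condition and either add `changed_when: False` to the `shell` task or, on Ansible versions that support it, replace it with `user: name=root password_lock=yes`. The commented-out `failed_when` refers to `command_result`, which is never registered, and should be fixed or removed.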
---
- name: Updating the system
become: yes
dnf: name=* state=latest
---
- name: Add LAS dnf repository
yum_repository:
name: lasrepo-nonfree
description: Laboratory for Applications of Synchrotron radiation (CS)
baseurl: "https://las101.las.kit.edu/lasrepo/${releasever}/${basearch}/"
enabled: yes
gpgcheck: no
keepalive: yes
keepcache: 0
become: yes
# GPG-Key holen TODO
- name: Add Adobe Reader
yum_repository:
name: adobe-linux-i386
description: Adobe Systems Incorporated
baseurl: http://linuxdownload.adobe.com/linux/i386/
enabled: yes
gpgcheck: yes
gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
become: yes
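Review bot: `gpgcheck: no` on `lasrepo-nonfree` lets dnf install unsigned packages as root from that repository, and the role's update task (`dnf: name=* state=latest`) will pull from it on every run, leaving TLS to the repo host as the only integrity protection. The TODO about fetching the GPG key should be resolved before the repository is enabled, i.e. `gpgcheck: yes` plus a `gpgkey:` entry. The Adobe repository uses a plain `http://` `baseurl` and points `gpgkey` at `/etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux`, which no task visible on this page installs, so the first install from it will probably fail or prompt.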
{% for s in sudoer %}
{{s}} ALL=(ALL) ALL
{% endfor %}
---
- include: common.yml
#- include: opera.yml
#- include: elegant.yml
#- include: admincomputer.yml
#- include: scipy.yml
#- include: server.yml
#- include: nfs.yml
#- include: update.yml