local
*.retry
host_vars/127.0.0.1
repos:
- repo: https://github.com/willthames/ansible-lint.git
sha: v3.4.16
hooks:
- id: ansible-lint
files: \.(yaml|yml)$
- repo: https://github.com/pre-commit/pre-commit-hooks.git
sha: v1.1.1
hooks:
- id: trailing-whitespace
- id: check-added-large-files
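Review bot: the `sha:` keys of both pre-commit repos carry tag names (`v3.4.16`, `v1.1.1`) rather than commit hashes; a tag can be moved after the fact, so pin the full commit hash to keep the lint hooks reproducible for everyone who clones the repository. The `files: \.(yaml|yml)$` filter also skips the extension-less `host_vars` files the README describes, so they are never linted.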
# [Ansible](https://docs.ansible.com/ansible/index.html) repository for LAS/CS NSQ computer
You need to have access to this repository (add your public SSH key (`ssh-keygen`) to your profile here).
Then you can clone the git repository to work on it locally:
`git clone git@git.scc.kit.edu:las/ansible.git`
Add your computer to the hosts file, or, if you are just testing, add it to the local file.
Add your hostname under each role name (the name in the square brackets) you want to be run on your computer.
Also create a new file named after your [fully-qualified domain name](https://de.wikipedia.org/wiki/Domain_(Internet)#Fully_Qualified_Domain_Name_.28FQDN.29) (FQDN) in the `host_vars` directory containing a [yaml](https://docs.ansible.com/ansible/YAMLSyntax.html) list with some host-specific configuration variables, e.g. copy the file of another similar host and adjust it.
These files do not have the `.yml` extension and do not start with `---`.
Then create a file named after your FQDN with the extension `.yml` in the main directory of the ansible repository, which includes all the roles one wants to run. This step needs root privileges and therefore only makes sense for the first installation of a computer.
* install ansible and some dependencies:
```
dnf install ansible git python2-dnf libselinux-python
```
* run [ansible-pull](https://docs.ansible.com/ansible/playbooks_intro.html#ansible-pull):
```
ansible-pull -K -U git@git.scc.kit.edu:las/ansible.git playbook_name.yml
```
* If you only want some parts of the roles to be run, you can use the option `-t TAGNAME` to run only those tasks with the given tag.
## How to get new software on your computer
### Ask for new software
Open an issue in the GitLab issue tracker with the label: softwarerequest
## Available roles
* common.yml: basic configuration for all LAS/NSQ computers
* clients.yml: all computers not acting as a server (only) ^1
* desktop.yml: all desktop computers including laptops (having X11/Wayland)
* python.yml: basic python_stack for scientific Python usage (including fitting) ^1
* ipynb.yml: IPython/Jupyter notebook ^1
* MAD-8: MAD 8 unofficial build for Fedora
* nfs.yml:
* nfs-server: export /las-archiv1 to our network
* lasarchiv: client side mount las126/las-archiv1
* opera.yml: Cobham's Opera3d (client) ^2 ^3
* admin.yml: tools for administrators
* latex.yml: basic LaTeX installation (Arial not yet) ^1
* kdev.yml: KDevelop (with Python plugin) ^1
* jabref.yml: Cross-platform BibTeX bibliography software [JabRef](http://www.jabref.org/)
* pycharm.yml: Cross platform Python IDE: [PyCharm](https://www.jetbrains.com/pycharm/) IDE
* chrome.yml: Google Chrome for Fedora (for Adobe Connect usage)
* elegant.yml: elegant (no Pelegant, yet)
* inovesa.yml: [Inovesa](https://github.com/Inovesa/Inovesa)
^1: (also put your FQDN to the \[common\] section in the hosts file as it depends hereon)
^3: (also put your FQDN to the \[lasarchiv\] section in the hosts file as it depends hereon)
### ^2 Opera
After installing Opera via ansible you must confirm the license agreement on first start, go to "Licensing -> Set License Path", switch to `Other computer(s)` and fill in `@129.13.108.100`.
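The README's footnotes state two dependencies between inventory groups (roles marked ^1 need the host in `[common]`, Opera needs it in `[lasarchiv]`), and a hosts file maintained by hand drifts. The checker below is an added example, not part of the repository: it parses an Ansible INI-style inventory (the `[group]` / bare-hostname format used here, ignoring `:children` and `:vars` sections and per-host `key=value` settings), reports hosts that are missing a required membership, and flags hosts listed twice in one group. The dependency table is taken from the README footnotes; the sample inventory is constructed with `example.invalid` names and is not the repository's hosts file.

```python
"""Inventory consistency check for the role dependencies described in the README.

Added example, not part of the repository. Parses Ansible INI inventories
(the format of the hosts file: [group] headers, one host per line, optional
key=value host variables) and checks two things:
  * every host in a group with a README dependency is also in that group
  * no host is listed twice within one group
"""
import re
from collections import defaultdict

# Dependencies taken from the README footnotes (^1 -> [common], ^3 -> [lasarchiv]).
ROLE_DEPENDENCIES = {
    "clients": "common",
    "python": "common",
    "ipynb": "common",
    "latex": "common",
    "kdev": "common",
    "opera": "lasarchiv",
}

_GROUP_RE = re.compile(r"^\[([^\]:]+)(?::(children|vars))?\]$")


def parse_ini_inventory(text):
    """Return {group: [host, ...]} with duplicates preserved.

    Comments and blank lines are dropped, per-host variables after the
    hostname are ignored, and [group:children] / [group:vars] sections are
    skipped. Hosts before the first header land in 'ungrouped'.
    """
    groups = defaultdict(list)
    current, skipping = "ungrouped", False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _GROUP_RE.match(line)
        if match:
            current, skipping = match.group(1), match.group(2) is not None
            groups.setdefault(current, [])  # record empty groups too
            continue
        if not skipping:
            groups[current].append(line.split()[0])
    return dict(groups)


def check_dependencies(text, rules=ROLE_DEPENDENCIES):
    """Return sorted (host, group, required_group) triples for every violation."""
    groups = parse_ini_inventory(text)
    problems = []
    for group, required in rules.items():
        for host in set(groups.get(group, [])):
            if host not in groups.get(required, []):
                problems.append((host, group, required))
    return sorted(problems)


def duplicate_entries(text):
    """Return {group: [host, ...]} for hosts that appear more than once in a group."""
    duplicates = {}
    for group, hosts in parse_ini_inventory(text).items():
        repeated = sorted({h for h in hosts if hosts.count(h) > 1})
        if repeated:
            duplicates[group] = repeated
    return duplicates


# Constructed sample inventory (example.invalid names, not the repository's hosts).
SAMPLE_INVENTORY = """\
# stable
[common]
las1.example.invalid
las2.example.invalid

[clients]
las1.example.invalid
las3.example.invalid

[desktop]
las1.example.invalid
las3.example.invalid
las1.example.invalid

[lasarchiv]
las1.example.invalid

[opera]
las1.example.invalid
las3.example.invalid

[python]
las2.example.invalid
las3.example.invalid

[local]
127.0.0.1 ansible_connection=local
"""


def report(text):
    """Print a human-readable summary and return the number of findings."""
    problems = check_dependencies(text)
    duplicates = duplicate_entries(text)
    for host, group, required in problems:
        print(f"{host}: in [{group}] but not in [{required}]")
    for group, hosts in duplicates.items():
        print(f"[{group}] lists {', '.join(hosts)} more than once")
    return len(problems) + sum(len(h) for h in duplicates.values())


if __name__ == "__main__":
    import sys
    sys.exit(1 if report(SAMPLE_INVENTORY) else 0)
```

Run it against the real `hosts` file by replacing `SAMPLE_INVENTORY` with the file contents; a non-zero exit makes it usable as a further pre-commit hook next to `ansible-lint`.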
# Develop new roles, extend or modify existing ones and update roles for new software
## Branches
All roles in the master branch should work and should not break on any of our systems (desktop, server, simulation, notebooks). The `site.yml` should always be runnable and include all roles that are stable and not explicitly for setup purposes only.
For development and testing you should use development branches like `dev-latex`.
You can check the syntax of the files by running `ansible-playbook --syntax-check filename.yml` (or by using the pre-commit hook from the Snippets).
If you just want to install one or many packages you can use `jabref.yml` as a basis.
# Run as admin
## Bootstrap
* Add your SSH key to the host: `ssh-copy-id lasXXX.las.kit.edu`
* Do the steps described for the self-setup
* Run `ansible-playbook -K sites.yml`, probably with the option `-l lasXXX.las.kit.edu`
- hosts: admin_pcs
tasks:
- dnf: name={{item}} state=latest
become: yes
with_items: admin_software
- name: install admin software
become: yes
dnf:
name: "{{ item }}"
state: present
with_items: "{{ admin_software }}"
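Review bot: the new `install admin software` task still loops `dnf` once per package via `with_items`; the `dnf` module's `name` accepts a list, so `name: "{{ admin_software }}"` without the loop installs everything in one transaction and lets dnf resolve dependencies across the whole list. Moving from `state=latest` to `state: present` is the right call for an `ansible-pull` run, since it stops every run from upgrading packages as a side effect.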
[defaults]
inventory=hosts
pipelining = True
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
remote_user=gethmann
roles_path=roles
become=False
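Review bot: `remote_user=gethmann` in the committed `ansible.cfg` hard-codes one person's account for everyone who clones the repository; the inventory in this change already sets `ansible_user` per host, so drop this default. `pipelining = True` only works when sudo's `requiretty` is off, which the `sudoer.yml` task in this change takes care of; a comment here pointing at that dependency would save the next person a confusing failure.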
......
- hosts: chrome
roles:
- google-chrome
......@@ -5,7 +5,8 @@
- hosts: cn
become: yes
tasks:
- hostname: name=las-bernhard.anka.kit.edu
- name: rename CN computer
hostname: name=las-bernhard.anka.kit.edu
tags:
- cn
- always
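Review bot: the `rename CN computer` task carries `tags: [cn, always]`; with `always`, the hostname is changed even when a run selects an unrelated tag with `-t` as the README recommends, so drop `always` unless that is intended. The hostname is also hard-coded here while `hostname.yml` in this change derives it from `ip_suffix`; one mechanism would be enough.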
- hosts: desktop
tasks:
- dnf: name={{item}} state=latest
become: yes
when: ansible_distribution == 'Fedora'
with_items:
- desktop_software
- name: install desktop software
dnf:
name: "{{ item }}"
state: present
become: yes
when: ansible_distribution == 'Fedora'
with_items:
- "{{ desktop_software }}"
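Review bot: the old `with_items: - desktop_software` iterated over the literal string `desktop_software`, so the change to `"{{ desktop_software }}"` fixes a real bug. The `when: ansible_distribution == 'Fedora'` guard means non-Fedora desktop hosts silently get nothing; `basic_software.yml` in this change has an `apt` counterpart, and the `package` module used in `software.yml` would cover both without a guard.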
- hosts: elegant
roles:
- elegant
---
- hosts: epics
roles:
- epics
......@@ -3,18 +3,23 @@
common_software:
- git
- vim
- htop
- tmux
- iotop
- iftop
- ncdu
- dmidecode
# diagnostic for admins
- htop # processes
- iotop # disk IO
- iftop # network IO
- ncdu # nice disk usage
- dmidecode # general hardware information
- lm_sensors # cpu/gpu temperatures
- hddtemp # HDD temperatures
client_software:
- gnuplot
- kpcli
handy_software:
- zsh
- neovim
admin_software:
- ansible
......@@ -28,21 +33,13 @@ admin_software:
- ansible-lint
- ansible-inventory-grapher
python_software:
- python3-scipy
- python3-matplotlib
# - anaconda3
client_software:
- kpcli
desktop_software:
- thunderbird
# - king/Clipboard
# - dagolden/Capture-Tiny
- firefox
- libreoffice
- bwSyncAndShare
# - bwSyncAndShare
- perl-Clipboard
- perl-Capture-Tiny
ipaserver: las101.las.kit.edu
ipaserver2: las126.las.kit.edu
......@@ -55,3 +52,4 @@ userinstall_vars:
- {name: "gethmann", password: "$6$HEmrpe9IMPI7nwxK$7VyjN.1tf/bJ2JJUeXQa.HEK3PFB1ggUVqpvMD0M/b/Ln.8QkzSMit9xukPaNhVg4caTnQBmcn1DXVwbfCmJt."}
- {name: "bernhard", password: "$6$Q9NiWWvweGVfXXUP$6jhQWNGEs1f/RZc2aeDJ4Wv7huT5eAyW/uO0hOr8Yzi.h5Sa149LDpzp6utQI2VbnKF6O7TfpZeoKHFaNKGY51"}
admin_mail: gethmann@kit.edu
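Review bot: `userinstall_vars` commits two SHA-512 crypt password hashes in plain `group_vars`. Everyone with read access to the repository (the README grants it to any user who adds an SSH key) can mount an offline guessing attack on these, and the git history keeps them after removal. Move the block into an `ansible-vault` encrypted file, and treat both passwords as exposed and change them.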
---
nfs_server: 129.13.108.126
texpath: /usr/share/texlive/texmf-local
kit_tikz:
- texlive-tikzpfeile
- texlive-tikz-feynman
- texlive-tikzmark
- texlive-tikzscale
- texlive-circuitikz
- texlive-tikzsymbols
- texlive-tikzinclude
- texlive-tikzposter
- texlive-tikz-palattice
- texlive-aobs-tikz
- texlive-tikz-3dplot
- texlive-tikz-timing
- texlive-hf-tikz
- texlive-tikzscale
- texlive-tikz-dependency
- texlive-pgfgantt
- texlive-venndiagram
- texlive-flowchart
- texlive-mycv
- texlive-pgf-spectra
texlivepackages:
- texlive.x86_64
- kile
- texmaker
- texlive-epstopdf-bin
- texlive-quotmark
- texlive-hyphen-german
- texlive-babel-german
- texlive-pgfplots
- texlive-units
- texlive-mnsymbol
- texlive-pgfgantt
- texlive-pgf-umlcd
- texlive-pgf-umlsd
- texlive-prettyref
- texlive-faktor
- texlive-overpic
# Sphinx (Python docu)
- texlive-sidecap
- texlive-framed
- texlive-threeparttable
- texlive-wrapfig
- texlive-upquote
- texlive-capt-of
- texlive-multirow
- texlive-eqparbox
# fsphys/thesisvorlage-latex
- texlive-vmargin
- texlive-floatflt
- texlive-acronym
- texlive-mhchem
# KIT-{beamer,poster,brief}
- texlive-blindtext
# Bechleunigerphysik II Übung
- texlive-siunitx
- texlive-SIunits
- texlive-was
- texlive-commath
- texlive-ulem
# system docu
- texlive-draftwatermark
# JaCoW
- texlive-sttools
- texlive-boondox
- biber
- texlive-newtx
# biber dependencies
# gdbm-devel
# libdb-devel
# perl-Business-ISMN
# perl-Business-ISSN
# perl-Data-Compare
# perl-Data-Dump
# perl-Data-OptList
# perl-Date-Simple
# perl-Devel-GlobalDestruction
# perl-Dist-CheckConflicts
# perl-Email-Date-Format
# perl-Exporter-Tiny
# perl-ExtUtils-Command
# perl-ExtUtils-Install
# perl-ExtUtils-MakeMaker
# perl-ExtUtils-Manifest
# perl-ExtUtils-ParseXS
# perl-File-Find-Rule
# perl-File-Slurp
# perl-File-Slurp-Tiny
# perl-IPC-Cmd
# perl-IPC-Run3
# perl-LWP-Protocol-https
# perl-List-AllUtils
# perl-List-MoreUtils
# perl-Locale-Maketext
# perl-Locale-Maketext-Simple
# perl-Log-Dispatch
# perl-Log-Dispatch-FileRotate
# perl-Log-Log4perl
# perl-MIME-Charset
# perl-MIME-Lite
# perl-MIME-Types
# perl-Mail-Sender
# perl-Mail-Sendmail
# perl-MailTools
# perl-Module-Implementation
# perl-Module-Load
# perl-Module-Load-Conditional
# perl-Module-Metadata
# perl-Module-Runtime
# perl-Mozilla-CA
# perl-Net-SMTP-SSL
# perl-Number-Compare
# perl-Package-Generator
# perl-Params-Check
# perl-Params-Util
# perl-Params-Validate
# perl-Readonly
# perl-Regexp-Common
# perl-Sub-Exporter
# perl-Sub-Exporter-Progressive
# perl-Sub-Install
# perl-Sub-Name
# perl-Sys-Syslog
# perl-Text-BibTeX
# perl-Text-Glob
# perl-Tie-Cycle
# perl-Try-Tiny
# perl-Unicode-LineBreak
# perl-XML-LibXML
# perl-XML-LibXML-Simple
# perl-XML-LibXSLT
# perl-XML-NamespaceSupport
# perl-XML-SAX
# perl-XML-SAX-Base
# perl-XML-Writer
# perl-autovivification
# perl-devel
# rrdtool-perl
# sombok
# systemtap-sdt-devel
# Xe(La)TeX
- texlive-xetex
- texlive-collection-xetex
- texlive-xetex-def
- texlive-xetexfontinfo
- texlive-xevlna
- texlive-euenc
- texlive-unicode-math
- texlive-mathspec
- texlive-xgreek
- texlive-xecolor
- texlive-fontspec
# Thought to be usefull
- texlive-texlive-de-doc.noarch
- texlive-texlive-common-doc.noarch
- texlive-texlive-docindex-doc.noarch
- texlive-ae.noarch
- texlive-cm.noarch
- texlive-cv.noarch
- texlive-ec.noarch
- texlive-ed.noarch
- texlive-fp.noarch
- texlive-gu.noarch
- texlive-hc.noarch
- texlive-lm.noarch
- texlive-t2.noarch
- texlive-alg.noarch
- texlive-doi.noarch
- texlive-dox.noarch
- texlive-eco.noarch
- texlive-ecv.noarch
- texlive-emp.noarch
- texlive-esk.noarch
- texlive-fbs.noarch
- texlive-fmp.noarch
- texlive-gmp.noarch
- texlive-hep.noarch
- texlive-iso.noarch
- texlive-lcg.noarch
- texlive-lfb.noarch
- texlive-msg.noarch
- texlive-nag.noarch
- texlive-nuc.noarch
- texlive-ofs.noarch
- texlive-pax.noarch
- texlive-pgf.noarch
- texlive-qcm.noarch
- texlive-sfg.noarch
- texlive-svg.noarch
- texlive-svn.noarch
- texlive-tap.noarch
- texlive-ucs.noarch
- texlive-uml.noarch
- texlive-uri.noarch
- texlive-url.noarch
- texlive-vpe.noarch
- texlive-base.noarch
- texlive-abbr.noarch
- texlive-acro.noarch
- texlive-bohr.noarch
- texlive-cals.noarch
- texlive-circ.noarch
- texlive-cite.noarch
- texlive-cmap.noarch
- texlive-cmll.noarch
- texlive-cmpj.noarch
- texlive-cmsd.noarch
- texlive-cool.noarch
- texlive-crop.noarch
- texlive-dhua.noarch
- texlive-epsf.noarch
- texlive-etoc.noarch
- texlive-euro.noarch
- texlive-exam.noarch
- texlive-feyn.noarch
- texlive-fink.noarch
- texlive-mycv.noarch
- texlive-nath.noarch
- texlive-pbox.noarch
- texlive-pdfx.noarch
- texlive-spot.noarch
- texlive-tikz-palattice
- texlive-biblatex.noarch
- texlive-enumitem.noarch
- texlive-ctablestack.noarch
- texlive-gitinfo2.noarch
- texlive-fncychap # e. g. Sphinx
- texlive-tabulary
- texlive-latexdiff
# - texlive-latexdiff-bin
- texlive-a4wide
# systemdocu
- texlive-koma-script
- texlive-ctablestack
# to be continued
opera_path: /usr/local/share/Opera_18R2
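Review bot: `kit_tikz` and `texlivepackages` contain duplicate entries: `texlive-tikzscale` appears twice in `kit_tikz`, and `texlive-tikz-palattice`, `texlive-pgfgantt`, `texlive-mycv` and `texlive-ctablestack` each appear in both lists or twice in `texlivepackages`. Harmless for `dnf`, but they make the lists harder to maintain; deduplicate them. The `.noarch` suffixes on part of the list are also unnecessary for `dnf` and inconsistent with the rest of the file.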
---
python3pkg:
- bumpversion
- ptpython3
- python3
- python3-ipython
- python3-matplotlib-qt4
# - python3-matplotlib-qt5 # does not work: https://github.com/matplotlib/matplotlib/pull/6854
- python3-numpy
- python3-pandas
- python3-pip
- python3-pylint
- python3-scipy
- python3-setuptools
- python3-sphinx
- python3-tox
python3pip:
- brewer2mpl
- Cython
- flake8
- flake8-mypy
- flake8-pep257
- i18n
- mypy_extensions
- pipenv
- pre-commit
- PyScaffold
- pytest-yapf
- tox
- yapf
python2pkg:
- python2
- python2-setuptools
- python-pip
python2pip:
- backports.shutil_get_terminal_size
- brewer2mpl
- Cython
- ipython
- mpld3
- notebook
- pandas
- sklearn
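Review bot: the `python3pip` and `python2pip` lists install from PyPI without version pins, so every `ansible-pull` run may fetch a different, unreviewed release straight into the system interpreter. Pin versions (`package==x.y`) and consider installing into a virtualenv or with `--user` so pip does not overwrite files owned by `dnf` packages such as `python3-scipy` from the same file.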
ansible_connection: local
ansible_user: gethmann
user_account: gethmann
ip_suffix: -gethmann
loc: 618
os: Fedora 25
extra_software:
- subversion # for ANKA software
- borgbackup
- mosh # ssh alternative
# keepass compatible console client
- kpcli
- perl-Clipboard
- perl-Capture-Tiny
- ctags # vim tags
- zsh
ansible_user: gethmann
ansible_ssh_user: gethmann
ansible_remote_user: gethmann
remote_user: gethmann
ip_suffix: 101
loc: 620
os: Fedora 24
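Review bot: this host file sets `ansible_user`, `ansible_ssh_user`, `ansible_remote_user` and `remote_user` to the same value; only `ansible_user` (and its legacy alias `ansible_ssh_user`) is honoured by Ansible, the other two are plain variables nobody reads. Keep `ansible_user` alone, as the other host files in this change do.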
ansible_user: gethmann
user_account: gethmann
ip_suffix: 113
loc: 618
os: Fedora 27
extra_software:
- subversion # ANKA software
- borgbackup
- mosh # ssh alternative
# keepass compatible console client
- kpcli
- perl-Clipboard
- perl-Capture-Tiny
- ctags # vim tags
- zsh
# ansible_connection: local
ansible_user: gethmann
user_account: gethmann
ip_suffix: 114
loc: 619
os: Fedora 26
ansible_user: gethmann
user_account: rossmanith
ip_suffix: 115
loc: 619
os: Fedora 25
ansible_connection: local
ansible_user: gethmann
user_account: widmann
ip_suffix: 116
loc: 618
os: Fedora 24
ansible_user: gethmann
user_account: blomley
ip_suffix: 117
loc: 620
os: Fedora 25
# ansible_connection: local
ansible_user: gethmann
user_account: gethmann
ip_suffix: 118
loc: 620
os: Fedora 25
ansible_user: gethmann
user_account: tong
ip_suffix: 120
loc: 621
os: Fedora 26
# ansible_connection: local
ansible_user: gethmann
user_account: petri
ip_suffix: 122
loc: 621
os: Fedora 26
ansible_user: gethmann
user_account: gethmann
ip_suffix: 126
loc: 618
os: Fedora 25
ansible_user: bernhard
user_account: bernhard
ip_suffix: 127
loc: 622
os: Fedora 25
ansible_user: gethmann
user_account: bernhard
ip_suffix: 93
loc: -10.
os: ubuntu
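Review bot: `loc: -10.` and `os: ubuntu` break the conventions of the other host files (integer room numbers, `Fedora NN` style); if `loc` is ever used as a number, the trailing dot turns it into a float. Several files also combine `ansible_user: gethmann` with a different `user_account`, which is fine for admin-driven runs but is not what the README's `ansible-pull` self-setup expects, so document which of the two workflows each host is on.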
# stable
[las-archiv1]
[clients]
las113.las.kit.edu
las111.las.kit.edu
las115.las.kit.edu
las116.las.kit.edu
las118.las.kit.edu
las120.las.kit.edu
las122.las.kit.edu
las93.las.kit.edu
las-gethmann.las.kit.edu
[opera]
[desktop]
las113.las.kit.edu
las114.las.kit.edu
las-bernhard.anka.kit.edu
las111.las.kit.edu
las115.las.kit.edu
las116.las.kit.edu
las118.las.kit.edu
las117.las.kit.edu
las120.las.kit.edu
las122.las.kit.edu
las-gethmann.las.kit.edu
las122.las.kit.edu
[lasarchiv]
las113.las.kit.edu
las118.las.kit.edu
las120.las.kit.edu
las122.las.kit.edu
las126.las.kit.edu
las127.las.kit.edu
las93.las.kit.edu
las-gethmann.las.kit.edu
[elegant]
[python]
las-gethmann.las.kit.edu
las113.las.kit.edu
las117.las.kit.edu
las111.las.kit.edu
las120.las.kit.edu
las122.las.kit.edu
[ipynb] # Jupyter notebook
las-gethmann.las.kit.edu
las120.las.kit.edu
las122.las.kit.edu
[kdev] # KDevelope
[jabref]
las113.las.kit.edu
las-gethmann.las.kit.edu
[pynaff]
las-gethmann.las.kit.edu
las113.las.kit.edu
las126.las.kit.edu
[pycharm]
las-gethmann.las.kit.edu
las113.las.kit.edu
las122.las.kit.edu
[chrome]
las-gethmann.las.kit.edu
[latex]
las-gethmann.las.kit.edu
las113.las.kit.edu
las118.las.kit.edu
las120.las.kit.edu
las122.las.kit.edu
[opera]
las113.las.kit.edu
las118.las.kit.edu
las122.las.kit.edu
las126.las.kit.edu
las127.las.kit.edu
[mad8]
las113.las.kit.edu
las-gethmann.las.kit.edu
[nfs-server]
las126.las.kit.edu
# developement
[lab]
las93.las.kit.edu
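Review bot: `[opera]` is declared twice (an empty group near the top and a populated one further down) and `las122.las.kit.edu` is listed twice under `[desktop]`; Ansible merges both, but the duplicates hide which entry is current. The README footnotes require hosts in `[python]`, `[ipynb]`, `[latex]`, `[kdev]` and `[clients]` to also be in `[common]`, and no `[common]` group is visible in this part of the file.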
......@@ -29,45 +89,32 @@ las93.las.kit.edu
las113.las.kit.edu
las-gethmann.las.kit.edu
[clients]
las111.las.kit.edu
127.0.0.1
las114.las.kit.edu
las116.las.kit.edu
las118.las.kit.edu
[elegant]
las113.las.kit.edu
las93.las.kit.edu
las117.las.kit.edu
las120.las.kit.edu
# las122.las.kit.edu
# las111.las.kit.edu
las126.las.kit.edu
las-gethmann.las.kit.edu
[desktop]
las111.las.kit.edu
[epics]
las113.las.kit.edu
las114.las.kit.edu
las116.las.kit.edu
las118.las.kit.edu
las-gethmann.las.kit.edu
# semi stable
[scipy]
las114.las.kit.edu
[ripgrep]
las113.las.kit.edu
las111.las.kit.edu
las126.las.kit.edu
las-gethmann.las.kit.edu
las101.las.kit.edu
# testing
[alle]
las101.las.kit.edu
las111.las.kit.edu
[inovesa]
las113.las.kit.edu
las114.las.kit.edu
las118.las.kit.edu
las126.las.kit.edu
las-bernhard.anka.kit.edu
# semi stable
[local]
127.0.0.1 ansible_connection=local
# 127.0.0.1 ansible_connection=local
[admin-pcs]
[admin_pcs]
las113.las.kit.edu
las101.las.kit.edu
las-gethmann.las.kit.edu
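Review bot: renaming `[admin-pcs]` to `[admin_pcs]` is correct, since Ansible warns about group names that are not valid Python identifiers; `[nfs-server]`, `[las-archiv1]` and `[admin-pcs]` elsewhere in this file deserve the same treatment. `127.0.0.1 ansible_connection=local` under `[local]` duplicates what `host_vars/127.0.0.1` provides, and `.gitignore` in this change excludes that file, so decide which of the two is the source of truth.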
......@@ -77,6 +124,3 @@ las101.las.kit.edu
[cn]
las-bernhard.anka.kit.edu
[simulation]
las126.las.kit.edu
- hosts: inovesa
roles:
- inovesa
- hosts: ipynb
roles:
- ipynb
- hosts: jabref
tasks:
- name: install Jabref
become: yes
dnf:
name: jabref
state: present
- hosts: kdev
roles:
- kdev
---
- include: common.yml
- include: clients.yml
tags: client
- include: opera.yml
tags: opera
#- include: update.yml
# tags: update
- include: desktop.yml
- include: admin.yml
- include: latex.yml
tags: latex
- include: kdev.yml
---
- include: common.yml
- include: clients.yml
tags: client
# - include: opera.yml
#- include: update.yml
# tags: update
- include: desktop.yml
- include: latex.yml
tags: latex
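Review bot: both playbooks use `- include:` at playbook level, which is deprecated in favour of `- import_playbook:`; the task files in this change already moved from `include` to `import_tasks`, so finish the migration here too. The second file comments out `opera.yml` while the README lists Opera as an available role, so state in a comment which of the two files is the `site.yml` the README refers to.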
- hosts: latex
roles:
- latex
- hosts: mad8
roles:
- mad8
- hosts: nfs-server
roles:
- nfs-server
tags: nfs-server
- hosts: lasarchiv
roles:
- lasarchiv
tags: nfs-clients
---
- hosts: opera
become: yes
roles:
- opera
tags: opera
- hosts: pycharm
roles:
- pycharm
- hosts: pygui
roles:
- pygui
- hosts: pynaff
roles:
- naff_cpp
- hosts: python
roles:
- python_stack
- hosts: ripgrep
roles:
- ripgrep
---
- name: "Install basic client software"
apt: name={{ item }} state=latest
apt:
name: "{{ item }}"
state: present
with_items: "{{ client_software }}"
when: ansible_distribution == 'Ubuntu'
become: yes
- name: "Install basic client software"
dnf: name={{ item }} state=latest
dnf:
name: "{{ item }}"
state: present
with_items: "{{ client_software }}"
when: ansible_distribution == 'Fedora'
become: yes
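Review bot: the two tasks share the identical name `Install basic client software` and differ only in module and `when`; the `package` module (already used by `software.yml` in this change) collapses them into one task and picks `apt` or `dnf` from the target's facts, which also removes the duplicated `with_items` loop.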
---
- name: install CUPS
become: yes
dnf: name=cups state=latest
dnf:
name: cups
state: present
when: ansible_distribution == 'Fedora'
become: yes
- name: install CUPS
become: yes
apt: name=cups state=latest
apt:
name: cups
state: present
when: ansible_distribution == 'Ubuntu'
become: yes
- name: copy CUPS' configs
become: yes
copy: src={{ item }} dest=/etc/cups backup=yes group=lp owner=root
copy:
src: "{{ item }}"
dest: /etc/cups
backup: yes
group: lp
owner: root
with_items:
- "printers.conf"
- "cupsd.conf"
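Review bot: `copy CUPS' configs` writes `cupsd.conf` and `printers.conf` without `mode:` and without `notify: restart cups`, unlike the PPD task in the next hunk, so a changed `cupsd.conf` is not picked up until something else restarts CUPS and the files keep whatever mode the source in the repository has. Add `mode: 0640` (`printers.conf` can carry device URIs with embedded credentials) and `notify: restart cups`.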
......@@ -21,7 +28,13 @@
- name: copy PPD files
become: yes
copy: src=ppd/{{ item }} dest=/etc/cups/ppd backup=yes group=root owner=root mode=644
copy:
src: "ppd/{{ item }}"
dest: /etc/cups/ppd
backup: yes
group: root
owner: root
mode: 0644
notify: restart cups
with_items:
- "HP-LaserJet-P2015-Series.ppd"
......
---
- name: check
become: yes
blockinfile:
block: |
Section "ServerFlags"
Option "DontZap" "false"
EndSection
Section "InputClass"
Identifier "Keyboard Defaults"
MatchIsKeyboard "yes"
Option "XkbOptions" "terminate:ctrl_alt_bksp"
EndSection
path: /etc/X11/xorg.conf.d/10-enable-ctrl-alt-backspace
create: yes
backup: yes
state: present
tags: xorg
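Review bot: Xorg only reads files in `/etc/X11/xorg.conf.d/` whose names end in `.conf`, so `10-enable-ctrl-alt-backspace` without the suffix is ignored and this block has no effect; rename it to `10-enable-ctrl-alt-backspace.conf`. The task name `check` says nothing about what it does, and since `DontZap false` plus `terminate:ctrl_alt_bksp` lets anyone at the keyboard kill the running X session, the name should state that intent so reviewers see the trade-off.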
---
- include: cups.yml
- include: basic_software.yml
- import_tasks: cups.yml
- import_tasks: basic_software.yml
- import_tasks: kill_x.yml
---
- name: enable sshd
become: yes
service: name=sshd enabled=yes
service:
name: sshd
enabled: yes
- name: restart sshd
become: yes
service: name=sshd state=restarted
service:
name: sshd
state: restarted
- name: reload sshd
become: yes
service: name=sshd state=reloaded
service:
name: sshd
state: reloaded
- name: start sshd
become: yes
service: name=sshd state=started
service:
name: sshd
state: started
- name: enable ntp
become: yes
service: name=ntpdate enabled=yes
service:
name: ntpdate
enabled: yes
- name: start ntp
become: yes
service: name=ntpdate state=started
service:
name: ntpdate
state: started
- name: update-ca-trust
become: yes
command: update-ca-trust extract
- name: lock root user
become: yes
command: passwd -l root
- name: reload firewalld
become: yes
service:
name: firewalld
state: reloaded
- name: restart firewalld
become: yes
service:
name: firewalld
state: restarted
- name: enable ufw
become: yes
service:
name: ufw
enabled: yes
- name: restart ufw
become: yes
service:
name: ufw
state: restarted
- name: enable smartd
become: yes
service:
name: smartd
enabled: yes
- name: restart smartd
become: yes
service:
name: smartd
state: restarted
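Review bot: `sshd.yml` in this change notifies `reload ufw`, but the handler list only defines `enable ufw` and `restart ufw`, so on Ubuntu the play fails with an undefined handler as soon as the ufw task reports a change. `enable ntp` / `start ntp` also manage the `ntpdate` unit, which is a one-shot clock step on Fedora rather than a daemon, so `start`-ing it as a handler does not keep time in sync.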
---
dependencies:
- { role: mail }
---
# not tested yet
- name: install etckeeper
become: yes
dnf: name=etckeeper state=installed
package:
name: etckeeper
state: present
- name: Initialise etckeeper
tags: etckeeper
command: etckeeper init creates=/etc/.etckeeper chdir=/etc
become: yes
tags: etckeeper
command: etckeeper init
args:
creates: "/etc/.etckeeper"
chdir: /etc
- name: dnf as package manager
lineinfile: dest=/etc/etckeeper/etckeeper.conf line="HIGHLEVEL_PACKAGE_MANAGER=dnf" regexp="HIGHLEVEL_PACKAGE_MANAGER=.*" backup=yes
become: yes
lineinfile:
dest: /etc/etckeeper/etckeeper.conf
line: "HIGHLEVEL_PACKAGE_MANAGER=dnf"
regexp: "HIGHLEVEL_PACKAGE_MANAGER=.*"
backup: yes
when: (ansible_distribution == "Fedora" and ansible_distribution_major_version >= "18")
- name: yum as package manager
become: yes
lineinfile:
dest: /etc/etckeeper/etckeeper.conf
line: "HIGHLEVEL_PACKAGE_MANAGER=yum"
regexp: "HIGHLEVEL_PACKAGE_MANAGER=.*"
backup: yes
when: (ansible_distribution == "CentOS" and ansible_distribution_major_version <= "7")
- name: apt as package manager
lineinfile:
dest: /etc/etckeeper/etckeeper.conf
line: "HIGHLEVEL_PACKAGE_MANAGER=apt"
regexp: "HIGHLEVEL_PACKAGE_MANAGER=.*"
backup: yes
become: yes
when: ansible_os_family == "Debian"
- name: use git
lineinfile:
dest: /etc/etckeeper/etckeeper.conf
line: 'VCS="git"'
regexp: '.*VCS="git"'
backup: yes
become: yes
- name: do not use bzr
lineinfile:
dest: /etc/etckeeper/etckeeper.conf
line: '# VCS="bzr"'
regexp: '.*VCS="bzr"'
backup: yes
become: yes
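Review bot: the `when:` conditions compare `ansible_distribution_major_version` as strings (`>= "18"`, `<= "7"`); string comparison is lexicographic, so Fedora `"100"` would fail `>= "18"` and CentOS `"10"` would pass `<= "7"`. Cast with `ansible_distribution_major_version | int >= 18`. The file still opens with `# not tested yet`; either remove the note or run the role on one host before merging.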
---
# - name: install needed network manager libs
# become: yes
# dnf:
# name: '{{ item }}'
# state: present
# with_items:
# - NetworkManager-glib
# - libnm-qt-devel.x86_64
# - nm-connection-editor.x86_64
# - libsemanage-python
# - policycoreutils-python
# when: ((ansible_distribution == "Fedora" and ansible_distribution_number < 27) or ansible_distribution == "CentOS")
# does not work at the moment
# - name: set DNS Server
# nmcli:
# conn_name: enp0s31f6
# dns4:
# - 129.13.64.5
# - 141.3.175.65
# # - 8.8.8.8
# state: present
# type: ethernet
- name: set hostname
hostname: "name=las{{ ip_suffix }}.las.kit.edu"
become: yes
hostname:
name: "las{{ ip_suffix }}.las.kit.edu"
- name: install needed network manager libs
dnf:
name: '{{ item }}'
state: installed
with_items:
- NetworkManager-glib
- libnm-qt-devel.x86_64
- nm-connection-editor.x86_64
- libsemanage-python
- policycoreutils-python
- name: set DNS Server
nmcli:
dns4:
- 129.13.64.5
- 141.3.175.65
- 8.8.8.8
state: present
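Review bot: the old `set DNS Server` task calls `nmcli` without `conn_name`, which the module requires, and the new version is commented out with `# does not work at the moment`; rather than keeping dead code, drop it and track it in an issue. Hard-coding `8.8.8.8` alongside the KIT resolvers also sends campus DNS queries to a third party, so the commented-out version is right to leave it out.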
---
- include: etckeeper.yml
- include: hostname.yml
# - include: networking.yml
- include: sshd.yml
- include: sudoer.yml
- include: sysupdate.yml
- include: ntp.yml
- include: yumrepos.yml
- include: software.yml
- import_tasks: etckeeper.yml
- import_tasks: hostname.yml
# - import_tasks: networking.yml
- import_tasks: sshd.yml
when: "'laptop' not in group_names"
- import_tasks: sudoer.yml
- import_tasks: sysupdate.yml
- import_tasks: ntp.yml
- import_tasks: yumrepos.yml
tags: lasrepo
- import_tasks: software.yml
- import_tasks: smartd.yml
tags: smartd
- import_tasks: sysrq.yml
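Review bot: `when: "'laptop' not in group_names"` on `sshd.yml` expects a `[laptop]` group, but the inventory in this change has none, so the condition is always true; add the group or drop the condition. Most of `sshd.yml` is hardening (`PermitRootLogin no`, `PermitEmptyPasswords no`) that laptops want as well; the only task worth skipping there is opening port 22.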
---
- name: install ntpdate
dnf: state=latest name=ntpdate
package:
state: present
name: ntpdate
become: yes
- name: set time server
......@@ -10,3 +12,17 @@
- start ntp
- enable ntp
changed_when: False
- name: insert SCC into ntp configuration
become: yes
blockinfile:
insertafter: ^server .*[a-z]+.*$
path: /etc/ntp.conf
backup: yes
state: present
block: |
server ntp1.scc.kit.edu
server ntp2.scc.kit.edu
server ntp3.scc.kit.edu
server ntp4.scc.kit.edu
tags: ntp
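Review bot: `insert SCC into ntp configuration` edits `/etc/ntp.conf`, but the role installs only `ntpdate`, not `ntp`, and `blockinfile` without `create: yes` fails when the file is absent. Either install `ntp` (or use `chrony`, the Fedora default, with `/etc/chrony.conf`) or guard the task. The `insertafter` regex `^server .*[a-z]+.*$` is also loose; the block lands after the last matching `server` line, wherever that is.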
---
- name: install smartd
become: yes
package:
name: smartmontools
state: present
notify:
- enable smartd
- restart smartd
- name: configure smartd on Fedora/CentOS
become: yes
lineinfile:
line: "DEVICESCAN -H -m {{ admin_mail }} -M exec /usr/libexec/smartmontools/smartdnotify -n standby,10,q -s (S/../.././02|L/../../6/03) -W 4,35,40"
regexp: ^DEVICESCAN .*$
backup: yes
path: /etc/smartmontools/smartd.conf
notify:
- enable smartd
- restart smartd
when: (ansible_distribution == "Fedora" or ansible_distribution == "CentOS")
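Review bot: the `when` guard on `configure smartd on Fedora/CentOS` leaves Ubuntu hosts with smartmontools installed but unconfigured, since their config lives in `/etc/smartd.conf`; add a second task for that path or parametrise it. The `-m {{ admin_mail }}` alerting depends on the `mail` role pulled in via `meta/main.yml` in this change, which is worth a comment next to the line.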
---
- name: install common software
package: name={{item}} state=latest
become: true
package:
name: "{{ item }}"
state: present
with_items: "{{ common_software }}"
- name: install extra software
become: true
package:
name: "{{ item }}"
state: present
with_items: "{{ extra_software }}"
when: extra_software is defined
---
- name: Installed sshd
dnf: state=installed name=openssh-server
become: yes
package:
state: present
name: openssh-server
- name: install firewalld
become: yes
package:
name: python-firewall
state: present
when: ansible_distribution == "Fedora" or
(ansible_distribution == "CentOS" and ansible_distribution_major_version >= 7)
- name: Open port 22 on Fedora/CentOS
become: yes
firewalld:
port: 22/tcp
state: enabled
permanent: true
when: ansible_distribution == "Fedora" or
(ansible_distribution == "CentOS" and ansible_distribution_major_version >= 7)
notify:
- reload firewalld
- restart firewalld
- name: Open port 22 on Ubuntu
become: yes
ufw:
name: OpenSSH
rule: allow
notify:
- reload ufw
- enable ufw
when: ansible_distribution == "Ubuntu"
- name: Disable empty password login
lineinfile: dest=/etc/ssh/sshd_config regexp=".*PermitEmptyPasswords.*" line="PermitEmptyPasswords no" backup=yes
notify: restart sshd
become: yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ".*PermitEmptyPasswords.*"
line: "PermitEmptyPasswords no"
backup: yes
notify: restart sshd
- name: Disable remote root login
lineinfile: dest=/etc/ssh/sshd_config regexp=".*PermitRootLogin.*" line="PermitRootLogin no" backup=yes
notify: restart sshd
become: yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ".*PermitRootLogin.*"
line: "PermitRootLogin no"
backup: yes
notify: restart sshd
- name: Enable tunnel
lineinfile: dest=/etc/ssh/sshd_config regexp=".*PermitTunnel.*" line="PermitTunnel yes" backup=yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ".*PermitTunnel.*"
line: "PermitTunnel yes"
backup: yes
notify:
- enable sshd
- restart sshd
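Review bot: `Enable tunnel` sets `PermitTunnel yes` globally, which enables tun/tap device forwarding for all SSH sessions; unless a concrete use exists, keep the default `no` or limit it to a `Match User` block. The `.*PermitRootLogin.*` and `.*PermitEmptyPasswords.*` regexes also match a directive inside a later `Match` block, and `lineinfile` replaces the last match, so the setting can end up scoped to that block only; anchor them with `^#?PermitRootLogin`.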
......@@ -24,11 +68,19 @@
# command: chkconfig sshd on
- name: Add curves
lineinfile: dest=/etc/ssh/sshd_config regexp="HostKey.*ed25519.*" line="HostKey /etc/ssh/ssh_host_ed25519_key" backup=yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "HostKey.*ed25519.*"
line: "HostKey /etc/ssh/ssh_host_ed25519_key"
backup: yes
notify: restart sshd
become: yes
- name: enable PAM
lineinfile: dest=/etc/ssh/sshd_config regexp=".*UsePAM .*" line="UsePAM yes" backup=yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ".*UsePAM .*"
line: "UsePAM yes"
backup: yes
become: yes
notify: restart sshd
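Review bot: none of the `sshd_config` `lineinfile` tasks use `validate: 'sshd -t -f %s'`, so a typo in a `line:` leaves a config that the `restart sshd` handler then fails on, cutting off remote access; the sudoers task in this change already uses `visudo -cf %s` the same way. `Add curves` appends `HostKey /etc/ssh/ssh_host_ed25519_key` when no matching line exists, which is fine on Fedora where the key is generated before sshd starts.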
---
- name: Ensure sudo is installed
dnf: pkg=sudo state=installed
become: yes
package:
pkg: sudo
state: present
- name: Copy sudoers file including validation
become: yes
template: src=sudoers.j2 dest=/etc/sudoers.d/sudoers validate='visudo -cf %s' backup=yes owner=root group=root mode=440
register: sudoers_enrole_result
template:
src: sudoers.j2
dest: /etc/sudoers.d/sudoers
validate: 'visudo -cf %s'
backup: yes
owner: root
group: root
mode: 0440
notify: lock root user
- name: requiretty in sudoers
lineinfile: backup=yes regexp="Defaults !?requiretty" state=present dest=/etc/sudoers line="Defaults !requiretty" validate="visudo -c -f %s"
become: yes
- name: Lock the root user
become: yes
shell: passwd -l root
#failed_when: "'Success' not in command_result.stdout"
when: sudoers_enrole_result|success and sudoers_enrole_result|changed
tags: lock root
lineinfile:
backup: yes
regexp: "Defaults !?requiretty"
state: present
dest: /etc/sudoers
line: "Defaults !requiretty"
validate: "visudo -c -f %s"
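Review bot: the `lock root user` handler runs `command: passwd -l root`, which reports changed on every notification and is not idempotent; use `user: name=root password_lock=yes` or add a `changed_when`. Dropping the old `tags: lock root` (a tag name containing a space) and the `sudoers_enrole_result` register is good. Since locking root is only safe once `sudoers.j2` grants the ansible user access, notifying from the `visudo`-validated template is the right trigger.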
---
- name: enable all magic keys or SysRq
become: yes
sysctl:
name: kernel.sysrq
value: 1
state: present
sysctl_file: /etc/sysctl.d/90-sysrq.conf
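Review bot: `kernel.sysrq = 1` enables every magic SysRq function, including killing all processes and producing process and register dumps from the keyboard, for anyone with physical console access; Fedora's default is `16` (sync only). If the goal is emergency reboot of a hung desktop, use a bitmask such as `176` (sync, remount read-only, reboot) and name the task after that intent rather than "all magic keys".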
---
- name: Updating the system
become: yes
dnf: name=* state=latest
package: name=* state=latest
tags:
- skip_ansible_lint
when: ansible_distribution != "Ubuntu"
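Review bot: `package: name=* state=latest` upgrades every package on every run and is only exempted from `ansible-lint` via `skip_ansible_lint` rather than being made deliberate; since the README drives this from `ansible-pull` on users' machines, give the task `tags: update` so it is opt-in with `-t update` (the commented-out `update.yml` include in the site playbook suggests that was the plan).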
---
- name: download SSL-Cert
#shell: openssl s_client -connect las101.las.kit.edu:443 <<<'' | openssl x509 -out /etc/pki/ca-trust/source/anchors/las101.crt
# shell: echo -n |openssl s_client -connect las101.las.kit.edu:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/pki/ca-trust/source/anchors/las101.pem
shell: echo -n |openssl s_client -connect las101.las.kit.edu:443 -showcerts |sed -n '/^-----BEGIN CERT/,/^-----END CERT/p' > /etc/pki/ca-trust/source/anchors/las101.pem
args:
creates: /etc/pki/ca-trust/source/anchors/las101.pem
become: yes
notify: update-ca-trust
when: (ansible_distribution == "Fedora" or ansible_distribution == "CentOS")
- name: Add LAS dnf repository
yum_repository:
name: lasrepo-nonfree
description: Laboratory for Applications of Synchrotron radiation (CS)
baseurl: "https://las101.las.kit.edu/lasrepo/${releasever}/${basearch}/"
baseurl:
- "https://las101.las.kit.edu/lasrepo/${releasever}/${bas
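Review bot: `download SSL-Cert` fetches whatever certificate `las101.las.kit.edu:443` presents, with no verification, and installs it as a system-wide trust anchor; a first run that is intercepted would permanently trust the wrong certificate, and `creates:` means it is never refreshed or revoked afterwards. Ship the CA (or the server's certificate) from the repository's `files/` with `copy:` instead and keep `notify: update-ca-trust`. The `baseurl` for `lasrepo-nonfree` is cut off in this view, so the repo's `gpgcheck`/`gpgkey` settings cannot be reviewed here.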