Fixed creation of analyst vm

create-analyst-node.yml

@@ -53,6 +53,16 @@
       shell: pwgen -A 10 1 > /tmp/vmid
       delegate_to: 127.0.0.1
 
+    - name: Generate keypair
+      community.crypto.openssh_keypair:
+        path: "/tmp/id_{{ lookup('file', '/tmp/vmid') }}_rsa"
+      delegate_to: 127.0.0.1
+
+    - name: Modify key
+      file:
+        path: "/tmp/id_{{ lookup('file', '/tmp/vmid') }}_rsa"
+        mode: '0644'
+
 - hosts: controlnode
   vars_files:
     - vars/auth.yml
@@ -70,13 +80,6 @@
 
 # CREATE ANALYST NODE
 
-- hosts: controlnode
-  become: yes
-  tasks:
-    - name: Generate node name
-      shell: pwgen -A 10 1 > /tmp/vmid
-      delegate_to: 127.0.0.1
-
 - hosts: controlnode
   vars_files:
     - vars/auth.yml
@@ -109,10 +112,14 @@
   roles:
     - role: disable_port
       vars:
-        instance: "Analyst Node {{ lookup('file', '/tmp/vmid') }}"
+        type: analyst
+        network: vpn
+        node: "{{ lookup('file', '/tmp/vmid') }}"
     - role: disable_port
       vars:
-        instance: "Desktop Node {{ lookup('file', '/tmp/vmid') }}"
+        type: desktop
+        network: vpn
+        node: "{{ lookup('file', '/tmp/vmid') }}"
 
 # START NODES
 
@@ -125,7 +132,38 @@
       vars:
         instance: "Analyst Node {{ lookup('file', '/tmp/vmid') }}"
 
-# REMOVE PORTS
+# COPY SSH KEY
+
+- hosts: controlnode
+  become: yes
+  tasks:
+    - name: Wait start
+      pause: seconds=60
+
+    - name: Get address
+      openstack.cloud.port_info:
+        port: "ossdip-desktop-{{ lookup('file', '/tmp/vmid') }}-vnc"
+      register: port_result1
+      failed_when: port_result1.openstack_ports | length == 0
+
+    - name: Add host
+      add_host:
+        name: vncdesktop
+        ansible_ssh_host: "{{ port_result1.openstack_ports[0].fixed_ips[0].ip_address }}"
+        ansible_user: sysadmin
+        ansible_connection: ssh
+        ansible_ssh_private_key_file: ~/.ssh/id_ossdip_sysadmin_rsa
+
+- hosts: vncdesktop
+  become: yes
+  tasks:
+    - name: Copy
+      copy:
+        src: "/tmp/id_{{ lookup('file', '/tmp/vmid') }}_rsa"
+        dest: "/home/{{ username }}/.ssh/id_rsa"
+        owner: "{{ username }}"
+        group: "{{ username }}"
+        mode: '0600'
 
 # CLEAN
 
@@ -167,6 +205,8 @@
           loop:
             - /tmp/vmid
             - /tmp/vncpasswd
+            - "/tmp/id_{{ lookup('file', '/tmp/vmid') }}_rsa"
+            - "/tmp/id_{{ lookup('file', '/tmp/vmid') }}_rsa.pub"
 
         - name: Clean up
           meta: clear_facts
\ No newline at end of file

inventory

@@ -22,6 +22,7 @@ all:
         ansible_user: dbadmin
         ansible_connection: ssh
         ansible_ssh_private_key_file: ~/.ssh/id_ossdip_dbadmin_rsa
+        ansible_ssh_common_args: '-F ./ssh.cfg -J VPNgate'
     providernodes:
       hosts:
         progate:
@@ -36,7 +37,6 @@ all:
         ansible_user: sysadmin
         ansible_connection: ssh
         ansible_ssh_private_key_file: ~/.ssh/id_ossdip_sysadmin_rsa
-        ansible_ssh_common_args: '-F ./ssh.cfg -J VPNgate'
     vncnodes:
       hosts:
         vncgate:
@@ -47,7 +47,6 @@ all:
         ansible_user: sysadmin
         ansible_connection: ssh
         ansible_ssh_private_key_file: ~/.ssh/id_ossdip_sysadmin_rsa
-        ansible_ssh_common_args: '-F ./ssh.cfg -J VPNgate'
     vpnnodes:
       hosts:
         vpnvpn:
@@ -68,7 +67,6 @@ all:
         ansible_user: sysadmin
         ansible_connection: ssh
         ansible_ssh_private_key_file: ~/.ssh/id_ossdip_sysadmin_rsa
-        ansible_ssh_common_args: '-F ./ssh.cfg -J VPNgate'
     ownernodes:
       hosts:
         owngate:
@@ -79,7 +77,6 @@ all:
         ansible_user: sysadmin
         ansible_connection: ssh
         ansible_ssh_private_key_file: ~/.ssh/id_ossdip_sysadmin_rsa
-        ansible_ssh_common_args: '-F ./ssh.cfg -J VPNgate'
     datanodes:
       hosts:
         datdata:

roles/disable_port/tasks/main.yml

@@ -3,13 +3,13 @@
 ### DO NOT CHANGE BELOW THIS LINE ######################################################################################
 ########################################################################################################################
 
-- name: Delete port
+- name: Disable port
   openstack.cloud.port:
     name: "ossdip-{{ type }}-{{ node }}-{{ network }}"
     admin_state_up: no
   when: type is defined
 
-- name: Delete port
+- name: Disable port
   openstack.cloud.port:
     name: "ossdip-{{ node }}-{{ network }}"
     admin_state_up: no

roles/setup_node/tasks/main.yml

@@ -16,13 +16,13 @@
 - name: Create port
   openstack.cloud.port:
     state: present
-    name: "ossdip-{{ id }}-{{ item.name }}"
+    name: "ossdip-{{ type }}-{{ id }}-{{ item.name }}"
     network: "{{ item.name }}"
     security_groups: "{{ vms[type].networks | map(attribute='name') | list }}"
   with_items: "{{ vms[type].networks }}"
   when: type is defined
 
-- name: Create volume
+- name: Create setup volume
   openstack.cloud.volume:
     state: present
     image: Rocky 8.4
@@ -30,6 +30,17 @@
     size: 20
     display_name: "ossdip-{{ id }}-root"
     volume_type: "{{ vol_enc_type }}"
+  when: type is undefined
+
+- name: Create volume
+  openstack.cloud.volume:
+    state: present
+    image: Rocky 8.4
+    bootable: yes
+    size: 20
+    display_name: "ossdip-{{ type }}-{{ id }}-root"
+    volume_type: "{{ vol_enc_type }}"
+  when: type is defined
 
 # TEMPLATE
 
@@ -69,12 +80,12 @@
   openstack.cloud.server:
     state: present
     name: "OSSDIP {{ instance }}"
-    boot_volume: "ossdip-{{ id }}-root"
+    boot_volume: "ossdip-{{ type }}-{{ id }}-root"
     terminate_volume: yes
     auto_ip: no
     timeout: 200
     flavor: "{{ flavor }}"
-    nics: "{{ vms[type].networks | map(attribute='name') | map('regex_replace', '(.*)', 'port-name=' + 'ossdip-' + id + '-\\1') | join(',') }}"
+    nics: "{{ vms[type].networks | map(attribute='name') | map('regex_replace', '(.*)', 'port-name=' + 'ossdip-' + type + '-' + id + '-\\1') | join(',') }}"
     security_groups: "{{ vms[type].networks | map(attribute='name') | list }}"
     userdata: "{{ lookup('file', '/tmp/' + type + '.cfg') }}"
   when: type is defined

roles/setup_node/templates/analyst.cfg.j2

@@ -16,9 +16,15 @@ users:
   - name: {{ username }}
     groups: analyst, mfa
     lock_passwd: true
+    ssh_authorized_keys:
+      - {{ lookup('file', '/tmp/id_' + lookup('file', '/tmp/vmid') + '_rsa.pub') }}
 bootcmd:
   - echo "success" > /status
 final_message: "Finished setup after $UPTIME seconds ..."
+power_state:
+  mode: poweroff
+  message: Installation finished, shutdown.
+  condition: cloud-init status | grep "done"
 packages:
   - epel-release
   - firewalld
@@ -35,11 +41,8 @@ packages:
   - freeipa-client
 runcmd:
   - /root/rsyslog-init && logger "Configured rsyslog"
-  - /root/chrono-init && logger "Configured chrono"
   - /root/firewall-init && logger "Configured firewalld"
   - /root/software-init && logger "Configured software"
-  - /root/idm-init && logger "Configured identity client"
-  - /usr/bin/rm -f /root/idm-init
   - /root/crontab-init && logger "Configured crontab"
 write_files:
   - path: /root/firewall-init
@@ -61,31 +64,13 @@ write_files:
       /bin/systemctl enable rsyslog
       /bin/systemctl start rsyslog
 
-  - path: /root/idm-init
-    permissions: '0744'
-    content: |
-      #!/bin/bash
-      logger "Configuring ipa client"
-      /usr/bin/hostnamectl set-hostname analyst-{{ id }}.ossdip.at
-      /usr/bin/hostname
-      ipa-client-install --server="{{ idm_domain }}" --domain="{{ idm_domain }}" --no-ntp --principal="admin" \
-        --password="{{ idm_adm_passwd }}" --unattended
-      echo '{{ idm_adm_passwd }}' | kinit admin
-      #ipa hostgroup-add-member ownernodes --hosts=analyst-{{ id }}.ossdip.at
-
-  - path: /root/chrono-init
-    permissions: '0744'
-    content: |
-      #!/bin/bash
-      logger "Configuring chrono ..."
-      /usr/bin/timedatectl set-timezone Europe/Vienna
-
   - path: /root/software-init
     permissions: '0744'
     content: |
       #!/bin/bash
       logger "Configuring extra packages ..."
       # R and RStudio
+      /usr/bin/dnf config-manager --set-enabled powertools
       /usr/bin/dnf install -y R
       /usr/bin/dnf install -y https://download1.rstudio.org/desktop/centos8/x86_64/rstudio-2021.09.1-372-x86_64.rpm
       # Jupyter Notebooks

roles/setup_node/templates/desktop.cfg.j2

@@ -36,10 +36,7 @@ runcmd:
   - /root/rsyslog-init && logger "Configured rsyslog"
   - /root/chrono-init && logger "Configured chrono"
   - /root/firewall-init && logger "Configured firewalld"
-  - /root/idm-init && logger "Configured identity client"
-  - /usr/bin/rm -f /root/idm-init
   - /root/vnc-init && logger "Configured vnc"
-  - /root/repos-disable && logger "Configured repos"
   - /root/crontab-init && logger "Configured crontab"
 write_files:
   - path: /root/firewall-init
@@ -62,18 +59,6 @@ write_files:
       /bin/systemctl enable rsyslog
       /bin/systemctl start rsyslog
 
-  - path: /root/idm-init
-    permissions: '0744'
-    content: |
-      #!/bin/bash
-      logger "Configuring ipa client"
-      /usr/bin/hostnamectl set-hostname desktop-{{ id }}.ossdip.at
-      /usr/bin/hostname
-      ipa-client-install --server="{{ idm_domain }}" --domain="{{ idm_domain }}" --no-ntp --principal="admin" \
-        --password="{{ idm_adm_passwd }}" --unattended
-      echo '{{ idm_adm_passwd }}' | kinit admin
-      #ipa hostgroup-add-member ownernodes --hosts=desktop-{{ id }}.ossdip.at
-
   - path: /root/chrono-init
     permissions: '0744'
     content: |
@@ -87,20 +72,20 @@ write_files:
       #!/bin/bash
       VNC_PROXY_VERSION="1.12"
       logger "Configuring TigerVNC ..."
-      /usr/bin/dnf groupinstall -y core base-x GNOME
-      sudo -H -u {{ username }} bash -c 'printf "{{ lookup('password', '/tmp/vncpasswd chars=ascii_letters,digits') }}\n{{ lookup('file', '/tmp/vncpasswd') }}\n\n" | vncpasswd'
+      /usr/bin/dnf groupinstall -y core base-x Xfce
+      sudo -H -u {{ username }} bash -c 'printf "{{ lookup('password', '/tmp/vncpasswd chars=ascii_letters,digits') }}\n{{ lookup('file', '/tmp/vncpasswd') }}\nn\n" | vncpasswd'
       sudo -H -u {{ username }} bash -c 'touch ~/.Xauthority'
       /usr/bin/cp /root/vncserver-config-mandatory /etc/tigervnc/vncserver-config-mandatory
       /usr/bin/cp /root/vncserver.users /etc/tigervnc/vncserver.users
       # fix the initial prompt to refresh repositories
-      /usr/bin/cp /root/repos.pkla /etc/polkit-1/localauthority/50-local.d/repos.pkla
-      /bin/systemctl restart polkit
+      #/usr/bin/cp /root/repos.pkla /etc/polkit-1/localauthority/50-local.d/repos.pkla
+      #/bin/systemctl restart polkit
       # selinux prevents vnc
-      sudo setenforce 0
+      /usr/bin/sed -i 's|SELINUX=.*|SELINUX=disabled|g' /etc/selinux/config
       # start vnc
       /bin/systemctl set-default graphical.target
       /bin/systemctl isolate graphical.target
-      /bin/systemctl enable vncserver@:0 --now
+      /bin/systemctl enable vncserver@:0
       # ssh.d config
       cat <<EOF >> /etc/ssh/sshd_config
       Match Group desktop
@@ -117,7 +102,7 @@ write_files:
       # /usr/bin/rm "./vncproxy-linux-amd64-v${VNC_PROXY_VERSION}.zip"
       # /usr/bin/mkdir -p /var/log/vncproxy
       # /root/proxy -recDir /var/log/vncproxy/ -target /var/run/vncserver@.sock -tcpPort 5901 -vncPass {{ lookup('password', '/tmp/vncpasswd_owner chars=ascii_letters,digits,punctuation') }}
-      /bin/systemctl restart vncserver@:0
+      #/bin/systemctl restart vncserver@:0
 
   - path: /root/vncserver-config-mandatory
     permissions: '0644'
@@ -144,4 +129,4 @@ write_files:
       echo "0 3 * * * /usr/bin/dnf update -y" >> ./mycron
       echo "0 4 * 1-12/3 * /usr/bin/dnf upgrade -y" >> ./mycron
       crontab ./mycron
-      rm -f ./mycron
+      rm -f ./mycron
\ No newline at end of file

roles/setup_node/templates/vpn.cfg.j2

@@ -45,6 +45,7 @@ write_files:
       #!/bin/bash
       logger "Configuring firewalld ..."
       /bin/firewall-offline-cmd --add-port=1194/udp
+      /bin/firewall-offline-cmd --add-service={ssh}
       /bin/firewall-offline-cmd --add-masquerade
       /bin/firewall-offline-cmd --list-all
 

roles/setup_node/vars/main.yml

@@ -12,11 +12,11 @@ vms:
     networks:
       - name: vpn
       - name: analyst
-      - name: vnc
   desktop:
     networks:
       - name: vpn
       - name: vnc
+      - name: analyst
   key:
     networks:
       - ip: 172.27.48.147