Integrated the owner node now

f3706782 · Weise, Martin · 25ec2cab · f3706782 · f3706782 · f3706782
Verified Commit f3706782 authored 3 years ago by Weise, Martin
--- a/create-owner-node.yml
+++ b/create-owner-node.yml
@@ -53,6 +53,7 @@
 - hosts: controlnode
  vars_files:
+    - vars/auth.yml
    - vars/vms.yml
  roles:
    - role: setup_node
@@ -72,12 +73,6 @@
 - hosts: controlnode
  roles:
-    - role: teardown_port
-      vars:
-        type: owner
-        node: "{{ lookup('file', '/tmp/vmid') }}"
-        instance: "Owner Node {{ lookup('file', '/tmp/vmid') }}"
-        network: vpn
    - role: start_node
      vars:
        instance: "Owner Node {{ lookup('file', '/tmp/vmid') }}"

--- a/roles/setup_node/templates/identity.cfg.j2
+++ b/roles/setup_node/templates/identity.cfg.j2
@@ -85,6 +85,9 @@ write_files:
      ipa hostgroup-add corenodes --desc="Core infrastructure nodes"
      ipa hostgroup-add-member corenodes --hosts=id.ossdip.at
      ipa hostgroup-add datanodes --desc="Data infrastructure nodes"
+      ipa hostgroup-add ownernodes --desc="Owner nodes"
+      ipa hostgroup-add analystnodes --desc="Analyst nodes"
+      ipa hostgroup-add desktopnodes --desc="Remote Desktop nodes"
      ipa hbacrule-add allow_sysadmin
      ipa hbacrule-add-user allow_sysadmin --user=sysadmin
      ipa hbacrule-add-host allow_sysadmin --hostgroups=corenodes

--- a/roles/setup_node/templates/owner.cfg.j2
+++ b/roles/setup_node/templates/owner.cfg.j2
@@ -35,7 +35,6 @@ runcmd:
  - /root/rsyslog-init && logger "Configured rsyslog"
  - /root/chrono-init && logger "Configured chrono"
  - /root/firewall-init && logger "Configured firewalld"
-  - /root/2fa-init && logger "Configured two-factor authentication"
  - /root/idm-init && logger "Configured identity client"
  - /usr/bin/rm -f /root/idm-init
 write_files:
@@ -64,12 +63,12 @@ write_files:
    content: |
      #!/bin/bash
      logger "Configuring ipa client"
-      /usr/bin/hostnamectl set-hostname owner1.ossdip.at
+      /usr/bin/hostnamectl set-hostname owner-{{ id }}.ossdip.at
      /usr/bin/hostname
      ipa-client-install --server="{{ idm_domain }}" --domain="{{ idm_domain }}" --no-ntp --principal="admin" \
        --password="{{ idm_adm_passwd }}" --unattended
      echo '{{ idm_adm_passwd }}' | kinit admin
-      ipa hostgroup-add-member corenodes --hosts=owner1.ossdip.at
+      #ipa hostgroup-add-member ownernodes --hosts=owner-{{ id }}.ossdip.at
  - path: /root/chrono-init
    permissions: '0744'

--- a/roles/setup_node/templates/vpn.cfg.j2
+++ b/roles/setup_node/templates/vpn.cfg.j2
@@ -43,16 +43,27 @@ write_files:
    content: |
      #!/bin/bash
      logger "Configuring firewalld ..."
-      /bin/firewall-offline-cmd --zone=public --add-port=1194/udp
+      /bin/firewall-offline-cmd --add-port=1194/udp
-      /bin/firewall-offline-cmd --zone=public --add-masquerade
+      /bin/firewall-offline-cmd --add-masquerade
-      /bin/firewall-offline-cmd --zone=public --remove-interface=eth3         # provider
+      /bin/firewall-offline-cmd --list-all
-      /bin/firewall-offline-cmd --zone=public --list-all
-      #/bin/firewall-offline-cmd --new-zone=private
+      /bin/firewall-offline-cmd --new-zone=vnc
-      #/bin/firewall-offline-cmd --zone=private --add-service=ssh
+      /bin/firewall-offline-cmd --zone=vnc --add-port=5900/tcp
-      #/bin/firewall-offline-cmd --zone=private --add-masquerade
+      /bin/firewall-offline-cmd --zone=vnc --add-masquerade
-      #/bin/firewall-offline-cmd --zone=private --add-interface=eth3           # provider
+      /bin/firewall-offline-cmd --zone=vnc --add-interface=eth1          # vnc
-      #/bin/firewall-offline-cmd --zone=private --add-source=10.8.0.2
+      /bin/firewall-offline-cmd --zone=vnc --list-all
-      #/bin/firewall-offline-cmd --zone=private --list-all
+      /bin/firewall-offline-cmd --new-zone=owner
+      /bin/firewall-offline-cmd --zone=owner --add-port=22/tcp
+      /bin/firewall-offline-cmd --zone=owner --add-interface=eth2        # owner
+      /bin/firewall-offline-cmd --zone=owner --list-all
+      /bin/firewall-offline-cmd --new-zone=provider
+      /bin/firewall-offline-cmd --zone=provider --add-port=22/tcp
+      /bin/firewall-offline-cmd --zone=provider --add-interface=eth3    # provider
+      /bin/firewall-offline-cmd --zone=provider --add-source=10.8.0.2
+      /bin/firewall-offline-cmd --zone=provider --list-all
      /bin/systemctl enable firewalld
      /bin/systemctl start firewalld
@@ -157,4 +168,7 @@ write_files:
      #!/bin/bash
      cat <<EOF >> /etc/hosts
      172.27.48.141 VPNgate
+      172.27.48.6   PROgate
+      172.27.48.70  VNCgate
+      172.27.49.140 OWNgate
      EOF
--- a/roles/setup_node/vars/main.yml
+++ b/roles/setup_node/vars/main.yml
@@ -27,6 +27,12 @@ vms:
    networks:
      - ip: 172.27.48.140
        name: vpn
+      - ip: 172.27.48.72
+        name: vnc
+      - ip: 172.27.49.142
+        name: owner
+      - ip: 172.27.48.9
+        name: provider
  gate:
    networks:
      - ip: 172.27.48.141