roles/apache2/tasks/apacheDebian.yml

+---
+-
+ name: "Install Apache2"
+ apt: name={{ item }} state=present
+ with_items:
+  - apache2
+  - apache2-dev
+ become: true
+
+-
+ name: "Templating default-ssl site"
+ template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data
+ become: true
+-
+ name: "Templating default site"
+ template: src=default.j2 dest=/etc/apache2/sites-available/000-default.conf owner=www-data group=www-data
+ become: true
+
+-
+ name: "Enable ssl module"
+ apache2_module: state=present name=ssl
+ become: true
+
+-
+ name: "Enable default-ssl site"
+ shell: a2ensite default-ssl
+ become: true
+ notify: restart apache2
+
+

roles/apache2/tasks/apacheRedHat.yml

+---
+
+-
+ name: "Installing Apache"
+ become: true
+ yum: name={{ item }} state=present
+ with_items:
+  - mod_ssl
+  - mod_wsgi
+  - openssl
+  - httpd
+  - httpd-devel
+-
+ name: Setting httpd.conf
+ become: true
+ replace: dest=/etc/httpd/conf/httpd.conf regexp="^#ServerName www.example.com:80" replace="ServerName {{ ansible_fqdn }}"
+
+-
+ name: "Templating default-ssl site"
+ template: src=default-ssl.j2 dest=/etc/httpd/conf.d/ssl.conf owner=apache group=apache
+ become: true
+
+-
+ name: Templating wsgi.conf
+ become: true
+ template: src=wsgi.conf.j2 dest=/etc/httpd/conf.d/wsgi.conf owner=root group=root
+-
+ name: Restarting Apache
+ become: true
+ service: name=httpd state=restarted

roles/apache2/tasks/main.yml

+---
+- include: apacheDebian.yml
+  when: ansible_os_family == "Debian"
+- include: apacheRedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: "Create apache key directory"
+  file: path={{ x509_key | dirname }} state=directory owner={{ apache_user }} mode=700
+  become: true
+
+- name: "Create apache cert directory"
+  file: path={{ x509_cert | dirname }} state=directory owner={{ apache_user }} mode=755
+  become: true
+
+- name: "Copying the apache key file"
+  template: src="files/{{ apache_key_file }}" dest="{{ x509_key }}" mode=0600 owner={{ apache_user }} group={{ apache_group }}
+  become: true
+  when: apache_key_file is defined
+
+- name: "Copying the apache cert file"
+  template: src="files/{{ apache_cert_file }}" dest="{{ x509_cert }}" mode=0644 owner={{ apache_user }} group={{ apache_group }}
+  become: true
+  when: apache_cert_file is defined
+
+- name: "Create log directory, start aoacge will have errors without it"
+  file: dest=/etc/apache2/logs state=directory
+  become: true
+
+-
+ name: "Change permissions for /var/www"
+ file: path=/var/www state=directory owner=root group={{ apache_user }} mode=0775
+ become: true
+
+-
+ name: "Starting Apache2"
+ service: name=apache2 state=started enabled=yes
+ become: true
+ when: ansible_os_family=="Debian"
+
+

roles/apache2/templates/default-ssl.j2

+<IfModule mod_ssl.c>
+<VirtualHost _default_:443>
+	ServerAdmin webmaster@localhost
+    {% if hpcidDomain is defined %}
+    ServerName {{ hpcidDomain }}
+    {% endif %}
+
+	DocumentRoot /var/www
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+	<Directory "/usr/lib/cgi-bin">
+		AllowOverride None
+		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+		Order allow,deny
+		Allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+
+	#   A self-signed (snakeoil) certificate can be created by installing
+	#   the ssl-cert package. See
+	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	SSLCertificateFile    {{ x509_cert }}
+	SSLCertificateKeyFile {{ x509_key }}
+
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded CA certificates which form the
+	#   certificate chain for the server certificate. Alternatively
+	#   when the CA certificates are directly appended to the server
+	#   certificate for convinience.
+	# SSLCertificateChainFile 
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#   Client Authentication (Type):
+	#   Client certificate verification type and depth.  Types are
+	#   none, optional, require and optional_no_ca.  Depth is a
+	#   number which specifies how deeply to verify the certificate
+	#   issuer chain before deciding the certificate is not valid.
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#   Access Control:
+	#   With SSLRequire you can do per-directory access control based
+	#   on arbitrary complex boolean expressions containing server
+	#   variable checks and other lookup directives.  The syntax is a
+	#   mixture between C and Perl.  See the mod_ssl documentation
+	#   for more details.
+	#<Location />
+	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+	#</Location>
+
+	#   SSL Engine Options:
+	#   Set various options for the SSL engine.
+	#   o FakeBasicAuth:
+	#     Translate the client X.509 into a Basic Authorisation.  This means that
+	#     the standard Auth/DBMAuth methods can be used for access control.  The
+	#     user name is the `one line' version of the client's X.509 certificate.
+	#     Note that no password is obtained from the user. Every entry in the user
+	#     file needs this password: `xxj31ZMTZzkVA'.
+	#   o ExportCertData:
+	#     This exports two additional environment variables: SSL_CLIENT_CERT and
+	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+	#     server (always existing) and the client (only existing when client
+	#     authentication is used). This can be used to import the certificates
+	#     into CGI scripts.
+	#   o StdEnvVars:
+	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+	#     Per default this exportation is switched off for performance reasons,
+	#     because the extraction step is an expensive operation and is usually
+	#     useless for serving static content. So one usually enables the
+	#     exportation for CGI and SSI requests only.
+	#   o StrictRequire:
+	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+	#     under a "Satisfy any" situation, i.e. when it applies access is denied
+	#     and no other module can change it.
+	#   o OptRenegotiate:
+	#     This enables optimized SSL connection renegotiation handling when SSL
+	#     directives are used in per-directory context.
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#     This forces an unclean shutdown when the connection is closed, i.e. no
+	#     SSL close notify alert is send or allowed to received.  This violates
+	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#     this when you receive I/O errors because of the standard approach where
+	#     mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#     This forces an accurate shutdown when the connection is closed, i.e. a
+	#     SSL close notify alert is send and mod_ssl waits for the close notify
+	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#     practice often causes hanging connections with brain-dead browsers. Use
+	#     this only for browsers where you know that their SSL implementation
+	#     works correctly.
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	BrowserMatch "MSIE [2-6]" \
+		nokeepalive ssl-unclean-shutdown \
+		downgrade-1.0 force-response-1.0
+	# MSIE 7 and newer should be able to use keepalive
+	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+</VirtualHost>
+</IfModule>

roles/apache2/templates/default.j2

+<VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+		ServerName {{ ansible_nodename }}
+		Redirect permanent / https://{{ ansible_nodename }}/
+
+        DocumentRoot /var/www
+        <Directory />
+                Options FollowSymLinks
+                AllowOverride None
+        </Directory>
+        <Directory /var/www/>
+                Options Indexes FollowSymLinks MultiViews
+                AllowOverride None
+                Order allow,deny
+                allow from all
+        </Directory>
+#		<Directory /etc/karaage3>
+#                Options FollowSymLinks
+#                AllowOverride None
+#        </Directory>
+
+        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+        <Directory "/usr/lib/cgi-bin">
+                AllowOverride None
+                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+                Order allow,deny
+                Allow from all
+        </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+
+        # Possible values include: debug, info, notice, warn, error, crit,
+        # alert, emerg.
+        LogLevel warn
+
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>

roles/apache2/vars/main.yml

+---
+ apache_user: "{% if ansible_os_family == 'RedHat'  %}apache{% else %}www-data{% endif %}"
+ apache_group: "{% if ansible_os_family == 'RedHat'  %}apache{% else %}www-data{% endif %}"
+ apache_config: "/etc/{% if ansible_os_family == 'RedHat' %}httpd{% else %}apache2{% endif %}"
+ x509_cert: "{{ apache_config }}/ssl/certs/server.cert.pem"
+ x509_key: "{{ apache_config }}/ssl/private/server.key.pem"

roles/apt-get-update/tasks/main.yml

+---
+- name: apt-get update
+  apt: update_cache=True
+  become: true
+  when: ansible_os_family=="Debian"

roles/apt_preferences/tasks/main.yml

+---
+- name: create package hold files in apt prefferences
+  template:
+    src: hold.pref.j2
+    dest: /etc/apt/preferences.d/hold-{{ item.pkg_name }}.pref
+  become: true
+  when: ansible_os_family=="Debian"
+  loop: "{{ apt_preferences }}"
+  
+# example data
+#apt_preferences:
+# - { pkg_name: 'yaru-theme-sound', pkg_version: "20.04.10.1", pkg_priority: "1002" }
+# - { pkg_name: 'yaru-theme-gnome-shell', pkg_version: "20.04.10.1" }

roles/apt_preferences/templates/hold.pref.j2

+# This file is generated by ansible role apt_preferences
+Explanation: : {{ item.pkg_name }}
+Package: {{ item.pkg_name }}
+Pin: version {{ item.pkg_version }}
+Pin-Priority: {{ item.pkg_priority|default("1001", true) }}

roles/buildLustreClient/defaults/main.yml

+---
+lustreVersion: v2_12_7

roles/buildLustreClient/tasks/main.yml

+---
+# see documentation at https://sites.google.com/a/monash.edu/hpc-services/work-instructions/system-configuration/lustre/compile-lustre-client-from-source
+- name: install dependencies
+  package:
+    name: git
+    state: present
+  become: true
+
+- name: get lustre sources for latest tags see https://git.whamcloud.com/?p=fs/lustre-release.git;a=summary
+  git:
+    repo: git://git.whamcloud.com/fs/lustre-release.git
+    dest: /tmp/lustre-release
+    version: "{{ lustreVersion }}"
+  #command: git clone git://git.whamcloud.com/fs/lustre-release.git -b v2_12_5
+   # chdir: /tmp/lustre-release
+  #  creates: /tmp/lustre-release
+
+#- name: get a magic patch
+#    command: git fetch https://review.whamcloud.com/fs/lustre-release refs/changes/67/32267/1 && git checkout FETCH_HEAD
+#    chdir: /tmp/lustre-release
+- name: install dependencies
+  package: #libelf-dev, libelf-devel or elfutils-libelf-devel
+    name:
+      - libyaml
+      - libyaml-devel
+      - libtool
+      - elfutils-libelf-devel
+      - libselinux-devel
+      #- kernel-rpm-macros #centos8.2
+      - kernel-abi-whitelists
+    state: present
+  become: true
+  when: ansible_os_family == 'RedHat'
+
+- name: install dependencies
+  package: #libelf-dev, libelf-devel or elfutils-libelf-devel
+    name:
+      #- libyaml
+      - libyaml-dev
+      - libtool
+      #- elfutils-libelf-devel
+      - libselinux1-dev
+      - libpython3.8-dev #unconfirmed
+      #- kernel-abi-whitelists
+      - zlib1g-dev
+      - libssl-dev
+      - libiberty-dev
+      - module-assistant
+      - libreadline-dev
+      - libsnmp-dev
+      - mpi-default-dev
+    state: present
+  become: true
+  when: ansible_os_family == 'Debian'
+
+- name: autogen
+  command:
+    cmd: '/bin/sh ./autogen.sh'
+    chdir: /tmp/lustre-release
+
+- name: configure
+  command:
+    cmd: './configure --disable-server --with-o2ib=/usr/src/ofa_kernel/default'
+    chdir: /tmp/lustre-release
+  when: "'fitdgx' not in inventory_hostname"
+
+- name: fail on fitdgx for a manuall process
+  fail:
+    msg: "check the linux src directory. likely with uname -r. and comment this fail and edit the task below. sorry this is manual for now."
+  when: "'fitdgx' in inventory_hostname"
+
+- name: configure on fitdgx
+  command:
+    cmd: './configure --with-linux=/usr/src/linux-headers-5.4.0-74-generic --disable-server --with-o2ib=yes --disable-doc --disable-tests'
+    chdir: /tmp/lustre-release
+  when: "'fitdgx' in inventory_hostname"
+
+- name: make
+  make:
+    chdir: /tmp/lustre-release
+    params:
+      NUM_THREADS: 6
+#- name: make rpms
+#    command: make rpms
+#    chdir: /tmp/lustre-release
+- name: make rpms
+  make:
+    target: rpms
+    chdir: /tmp/lustre-release
+  when: ansible_os_family == 'RedHat'
+
+- name: make debs
+  make:
+    target: debs
+    chdir: /tmp/lustre-release
+  when: ansible_os_family == 'Debian'

roles/calculateEtcHosts/files/makehosts.py

+#!/usr/bin/python
+import sys
+import json
+import socket
+filename = sys.argv[1]
+try:
+ domain = sys.argv[2]
+except IndexError:
+ domain = None
+f=open(filename,'r')
+s=f.read()
+d=json.loads(s)
+f.close()
+hosts={}
+
+for group in d['groups'].keys():
+    i=0
+    for h in d['groups'][group]:
+      name = d['hostvars'][h]['ansible_hostname']
+      name = h
+      if not domain:
+        hosts[h] = [name]
+      else:
+        hosts[h] = ['%s.%s %s'%(name,domain,name)]
+
+for h in sorted(hosts.keys()):
+    if d['hostvars'].has_key(h):
+	for addr in d['hostvars'][h]['ansible_all_ipv4_addresses']:
+	    if "172.16.200" in addr:
+		string="%s"%addr
+		for name in hosts[h]:
+		    string=string+" %s"%(name)
+		print string
+
+for h in sorted(hosts.keys()):
+    if d['hostvars'].has_key(h):
+        string="%s"%(d['hostvars'][h]['ansible_default_ipv4']['address'])
+        for name in hosts[h]:
+            string=string+" %s"%(name)
+        print string
+
+for h in sorted(hosts.keys()):
+    if d['hostvars'].has_key(h):
+        if d['hostvars'][h].has_key('ansible_tun0'):
+            string="%s"%(d['hostvars'][h]['ansible_tun0']['ipv4']['address'])
+            string=string+" %s-vpn"%h
+            print string

roles/calculateEtcHosts/files/makehostsp3.py

+#!/usr/bin/python3
+import sys
+import json
+import socket
+filename = sys.argv[1]
+try:
+ domain = sys.argv[2]
+except IndexError:
+ domain = None
+f=open(filename,'r')
+s=f.read()
+d=json.loads(s)
+f.close()
+hosts={}
+
+for group in list(d['groups'].keys()):
+    i=0
+    for h in d['groups'][group]:
+      name = d['hostvars'][h]['ansible_hostname']
+      name = h
+      if not domain:
+        hosts[h] = [name]
+      else:
+        hosts[h] = ['%s.%s %s'%(name,domain,name)]
+
+for h in sorted(hosts.keys()):
+    if h in d['hostvars']:
+        for addr in d['hostvars'][h]['ansible_all_ipv4_addresses']:
+            if "172.16.200" in addr:
+                string="%s"%addr
+                for name in hosts[h]:
+                    string=string+" %s"%(name)
+                print(string)
+
+for h in sorted(hosts.keys()):
+    if h in d['hostvars']:
+        string="%s"%(d['hostvars'][h]['ansible_default_ipv4']['address'])
+        for name in hosts[h]:
+            string=string+" %s"%(name)
+        print(string)
+
+for h in sorted(hosts.keys()):
+    if h in d['hostvars']:
+        if 'ansible_tun0' in d['hostvars'][h]:
+            string="%s"%(d['hostvars'][h]['ansible_tun0']['ipv4']['address'])
+            string=string+" %s-vpn"%h
+            print(string)

roles/calculateEtcHosts/tasks/main.yml

+---
+- name: get_groups_json
+  template: dest=/tmp/groups src=groups.j2
+
+- name: copy script
+  copy: src=makehosts.py dest=/tmp/makehosts.py mode=755
+  when: ansible_os_family == "RedHat"
+
+- name: copy script
+  copy: src=makehostsp3.py dest=/tmp/makehosts.py mode=755
+  when: ansible_os_family == "Debian"
+
+- name: make hosts data
+  command: /tmp/makehosts.py /tmp/groups {{ domain }}
+  register: hosts_data
+
+- name: write hosts file
+  template: dest=/tmp/etcHosts src=etcHosts.j2
+
+- name: fetch hosts file
+  fetch: src=/tmp/etcHosts dest=files/etcHosts flat=yes
+
+- name: make sure our repo server is resolvable
+  lineinfile:
+    path: files/etcHosts
+    line: "{{ reposerverip }} {{ reposervername }}"
+    owner: root
+    group: root
+  become: True
+  when: reposerverip  is defined and reposervername is defined

roles/calculateEtcHosts/templates/etcHosts.j2

+127.0.0.1 localhost
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+{% for item in hosts_data.stdout_lines %}
+{{ item }}
+{% endfor %}

roles/calculateEtcHosts/templates/groups.j2

+{ 
+  "groups": {{ groups | to_nice_json }},
+  "hostvars": {
+{% for host in groups['all'] %}
+"{{ host }}" : {{ hostvars[host]|to_nice_json }}
+{% if not loop.last %}
+    ,
+{% endif %}
+{% endfor %}
+}
+}

roles/calculateExports/tasks/main.yml

+- name: "Templating /etc/exports"
+  template: src=exports.j2 dest=/tmp/exports owner=root group=root mode=644
+  become: true
+
+- name: "Fetch etcExports"
+  fetch: src=/tmp/exports dest=files/etcExports flat=yes

roles/calculateExports/templates/exports.j2

+{% for export in exportList %}
+{% set iplist = [] %}
+{% for group in export.group %}
+{% for node in groups[group] %}
+{% if hostvars[node]['ansible_'+export.interface] is defined %}
+{% if iplist.append(hostvars[node]['ansible_'+export.interface]['ipv4']['address']) %} 
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{{ export.src }} {% for ip in iplist|unique %}{{ ip }}({{ export.srvopts }}) {% endfor %}
+
+{% endfor %}

roles/calculateKnownHosts/tasks/main.yml

+- name: "Templating /etc/ssh/known_hosts"
+  template: src=known_hosts.j2 dest=/tmp/ssh_known_hosts owner=root group=root mode=644
+  become: true
+  register: sshknownhost
+
+- name: fetch known_hosts file
+  fetch: src=/tmp/ssh_known_hosts dest=files/ssh_known_hosts flat=yes
+
+- name: delete ssh_known_hosts
+  file: path=/tmp/ssh_known_hosts  state=absent
+  become: true
+
+

roles/calculateKnownHosts/templates/known_hosts.j2

+{% set keytypes = [ { 'type': 'ssh-rsa', 'fact': 'ansible_ssh_host_key_rsa_public' }, { 'type': 'ecdsa-sha2-nistp256', 'fact': 'ansible_ssh_host_key_ecdsa_public'} ] %}
+{% for node in groups['all'] %}
+{% for hostkey in keytypes %}
+{% if hostkey['fact'] in hostvars[node] %}
+{{ node }} {{ hostkey['type'] }} {{ hostvars[node][hostkey['fact']] }}
+{% for ip in hostvars[node]['ansible_all_ipv4_addresses'] %}
+{{ ip }} {{ hostkey['type'] }} {{ hostvars[node][hostkey['fact']] }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+