diff --git a/ansible/anna.yml b/ansible/anna.yml index eff6f33320dde99665454e808be4c8761dfd6c53..be38c72a53dcefd19d2669f98c48cb66c846cea3 100644 --- a/ansible/anna.yml +++ b/ansible/anna.yml @@ -20,8 +20,8 @@ - import_role: name: pds_mount - - import_role: - name: ghc_deb +# - import_role: +# name: ghc_deb - import_role: name: llvm_deb diff --git a/ansible/pontos.yml b/ansible/pontos.yml index bb3402fa3d65959f04f05917be4a14a8e9fab40a..6c6520883ddb7dd1598e95aaee8df24b39fc0a86 100644 --- a/ansible/pontos.yml +++ b/ansible/pontos.yml @@ -26,8 +26,8 @@ - import_role: name: pds_mount - - import_role: - name: ghc_deb +# - import_role: +# name: ghc_deb - import_role: name: llvm_deb diff --git a/ansible/roles/common_deb/tasks/main.yml b/ansible/roles/common_deb/tasks/main.yml index 9d1a23c7e218b2797915885c40217f185ba96e1d..bb08d8005c583df0437bef37ef4ca73a2e738b50 100644 --- a/ansible/roles/common_deb/tasks/main.yml +++ b/ansible/roles/common_deb/tasks/main.yml @@ -211,7 +211,6 @@ line: "X11Forwarding yes" - regexp: '^#?ChallengeResponseAuthentication' line: "ChallengeResponseAuthentication no" - - name: install base utilities apt: @@ -263,6 +262,7 @@ - iotop - socat - ethtool + - libunistring-dev - name: monitoring apt: diff --git a/ansible/roles/pds_deb/tasks/main.yml b/ansible/roles/pds_deb/tasks/main.yml index 0789237ddff7a690f7fc0f0078d2fa8fdef82dca..597a7ed730217d3d68e8b954b45e6f76400ab40a 100644 --- a/ansible/roles/pds_deb/tasks/main.yml +++ b/ansible/roles/pds_deb/tasks/main.yml @@ -1,11 +1,15 @@ - name: "Apt sources list" copy: dest: /etc/apt/sources.list + # nb. single newlines are remove by ansible :-/ content: deb http://ftp.fi.muni.cz/pub/linux/debian/ bullseye main contrib non-free + deb-src http://ftp.fi.muni.cz/pub/linux/debian/ bullseye main contrib non-free + deb http://security.debian.org/ bullseye-security main contrib non-free + deb-src http://security.debian.org/ bullseye-security main contrib non-free register: apt_sources 
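Review bot: The `content:` value of the "Apt sources list" task is a plain multi-line scalar, so YAML folds single newlines into spaces; the added comment and the blank `+` lines between entries work around that. A literal block scalar keeps one entry per line without the workaround: `content: |` followed by the four `deb`/`deb-src` lines at a deeper indent. The added comment should read "removed", not "remove". All four entries use `http://`; apt's signature checks still protect package integrity, but an `https://` mirror, if one is offered, would also keep the fetched package list off the wire.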
@@ -20,6 +24,29 @@ path: /var/obj mode: 01777 +- name: SSH authorized_keys (root) + lineinfile: + create: yes + path: /root/.ssh/authorized_keys + owner: root + group: root + regexp: '{{item.regexp}}' + line: '{{item.line}}' + state: '{{item.state|default("present")}}' + insertafter: EOF + with_items: + - regexp: 'xstill@xstill-lenovo$' + line: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyTqSTbfhzJUlAV3/WQPefOz/nX0xfGgBbb9mMxwXNm3OKpTLaSJZZ78aUvucCqbiWhWQKCKlUqMsaWCqHLIL5kFDgDRcfGhF8ERCjIG7TCPs1zPPoFVL8hvGeMmWsHgvm8pKjPFCp/NxjTDx3RmLzVyP1z8rLwD3X1xC2bRSETuRwwOIKLEJhzNSQ1EchTNRTH0CuMqVZHdQLVDP6Tdqo7WV61znELRW5ZPw7BPJU216+He7AziIGcLbv06JbuFyFsoZ+8dmH20rs/CwOnicFH/P44yOZmB+JWVzBosKkG8JliM/nzaru7aPPQe/7XIsOQ5iymm31WAK112htIy3N xstill@xstill-lenovo' + + - regexp: 'mornfall@oak.fixp.eu$' + line: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+QGySGvuDPKSA4zcg/WZAx+WpxityRFt7ejd/tbwAcpQ7C5Y+SoUdhqG8LaOO2rP5M/n8IQO23BPFNTH1sgIdgPAyc9dj9J9oMMrZqOt+3JEwU9TWrSBEJzfLZZx200ft9KwIJu+rSKpvOy+ePsBxMAfdslW48aNj6wBKuxezj55GOYko9GmToA4o3nk65GjVreh6z2mzKqZFZ5wUB1SBd3qQz8k26fuQpDPRTfgivp0IL0GPBwcKCZEwrsBxUdu9JOhiu8B9b2I7zD8gHKbDyp+XEjGAIs6Pta4Ib58go/ufpNl/L4rsqpytGJXnkHGuqnnTtRHxF+0wpaT/N+aB mornfall@oak.fixp.eu' + + - regexp: 'mornfall@magnolia.fixp.eu$' + line: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzCmaR3dDl3mjO9u1MFsToxRIrTLiIc5aKBBrFZ4srvaptvPDr1sw570G6ZXH212/NlGTMWh1cRH1YhoMUxejKzcJx8Gub3LvJZVEANsE7s4pWP21GvaI0ZIymWReqtb3lP/6+hkFSrpir17hor6VjRymbGfkATD+4fE3yK0Qk1c16G0+1/n1JXOSwG65xzCq+EA12ReQzE4XAofk0nkaUT2xCV1xOE04XgW84AfrJq3HIuZctLs6/FqecJGC/6NO6QVVza5YQNGzEPlag0tqCFUFgfjLB9ggnxqxaU3P8dbKudsH7giZDzJXgyCA2frY6SM2XF4o+tAjZRtHI8zlh mornfall@magnolia.fixp.eu' + + - regexp: 'xkonicar@fi$' + line: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIINb6K2zbFgUbFlKHD7mRzWAzNU1sCc2a9sJiZuW7OSA xkonicar@fi' + - name: "Shells & utils" apt: pkg: 
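Review bot: The "SSH authorized_keys (root)" task creates `/root/.ssh/authorized_keys` with `create: yes` but sets no `mode`, so a newly created file gets whatever the umask yields; adding `mode: '0600'` pins the permissions that sshd's StrictModes check expects. Each `regexp` matches only the trailing key comment, with `.` left unescaped, so the task identifies a key by a label anyone can set rather than by the key material. Keys already in the file that are not listed here are left in place, so this list is not the complete set of root logins. If it should be, the `authorized_key` module is built for this; its `exclusive` option needs all keys passed in a single `key` value rather than a loop. `create: yes` would also read better as `create: true`.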
@@ -78,6 +105,36 @@ notify: - restart nscd +# - name: "Does legacy ParaDiSe group exist?" +# group: +# name: paradise +# state: present +# check_mode: true +# register: paradise_legacy_group + +# - name: "Rename ParaDiSe legacy group" +# lineinfile: +# path: '{{item}}' +# regexp: '^paradise:(.*)$' +# line: 'student:\1' +# backrefs: true +# loop: +# - /etc/group +# - /etc/gshadow +# when: not paradise_legacy_group.changed and paradise_legacy_group.gid == 10100 + +# - name: "Local copy of relevant FI groups" +# group: +# name: '{{item.name}}' +# gid: '{{item.gid}}' +# loop: +# - name: student +# gid: 10100 +# - name: staff +# gid: 10000 +# - name: paradise +# gid: 10240 + - name: known_hosts update script copy: src: ../bin/get_ssh_hosts @@ -150,16 +207,18 @@ pkg: - irssi -- name: "Block various user-level systemd services we do not want" +- name: "Stop various user-level systemd services we do not want" systemd: scope: 'global' name: "{{item}}" state: "stopped" - masked: true - loop: - - 'pipewire.socket' - - 'pipewire.service' - - 'tracker-extract.service' - - 'tracker-miner-fs.service' - - 'tracker-store.service' - - 'tracker-writeback.service' + failed_when: false # ignore failure + loop: "{{masked}}" + +- name: "Block various user-level systemd services we do not want" + file: + src: "/dev/null" + dest: "/etc/systemd/user/{{item}}" + follow: false + state: link + loop: "{{masked}}" diff --git a/ansible/roles/pds_mount/defaults/main.yml b/ansible/roles/pds_mount/defaults/main.yml index 0cfeaf453c627144f6ac3f81b746a26f3cf7bf8f..07ebdaaec0e6763776ca55da8dcc07cdcdb7174a 100644 --- a/ansible/roles/pds_mount/defaults/main.yml +++ b/ansible/roles/pds_mount/defaults/main.yml @@ -1,6 +1,6 @@ autofs_prefix: /etc mount: - export_to: + export_to: # must be full hostnames - antea.fi.muni.cz - arke.fi.muni.cz - pontos*.fi.muni.cz 
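Review bot: In the "Stop various user-level systemd services we do not want" task, `failed_when: false` hides every failure, including a misspelled unit name or a unit that could not be stopped, so the run reports success even when nothing changed. `ignore_errors: true` would let the play continue while still showing the failure in the output. Both new tasks loop over `{{masked}}`, which is not defined in any hunk shown here; if it lives in role defaults, a role-prefixed name such as `pds_masked_user_units` would avoid clashing with other variables. The second task's `state: link` will presumably fail if a regular file already exists at `/etc/systemd/user/{{item}}`; `force: true` covers that case.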
@@ -9,8 +9,13 @@ mount: - pandora*.fi.muni.cz export_ro_to: - anna.fi.muni.cz - export_web_to: # must be full hostnames + export_web_to: - anna.fi.muni.cz + sudo_users: + - 'xstill' + - 'xrockai' + - 'xkonicar' + - 'xbarnat' home: pontos: "01": diff --git a/conf/antea/etc/systemd/system/iscsi-thecus.service b/conf/antea/etc/systemd/system/iscsi-thecus.service index a917f887d1b9169e6bac4b1afccff3739592d05f..12c10973f66ec82409f80689d9d34cb4233eb0c8 100644 --- a/conf/antea/etc/systemd/system/iscsi-thecus.service +++ b/conf/antea/etc/systemd/system/iscsi-thecus.service @@ -8,10 +8,8 @@ Before=network.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/bin/ip addr add 192.168.0.10/24 dev enp1s0f1 -ExecStart=/usr/bin/iscsiadm -m discovery -t sendtargets -p 192.168.0.100 -ExecStart=/usr/bin/iscsiadm -m node --targetname=iqn.2016-04.com.thecus.n8800prov2:iscsi.3x4t.raid0 --login -p 192.168.0.100 -ExecStart=/usr/bin/iscsiadm -m node --targetname=iqn.2016-12.com.thecus.n8800prov2:iscsi.raid5b.raid1 --login -p 192.168.0.100 +ExecStart=bash -xc "/usr/bin/ip addr show dev enp1s0f1 | grep -F 192.168.0.10/24 || /usr/bin/ip addr add 192.168.0.10/24 dev enp1s0f1" +ExecStart=/usr/bin/bash -xc "for i in `/usr/bin/iscsiadm -m discovery -t sendtargets -p 192.168.0.100 | cut -d' ' -f2`; do /usr/bin/iscsiadm -m node --targetname=$i --login -p 192.168.0.100; done" [Install] WantedBy=multi-user.target
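Review bot: The new second `ExecStart` in `iscsi-thecus.service` logs in to every target that discovery on 192.168.0.100 returns, where the removed lines named two specific IQNs; whatever answers discovery at that address now decides which block devices the host attaches. Iterating over the expected names keeps the allow-list: `for i in iqn.2016-04.com.thecus.n8800prov2:iscsi.3x4t.raid0 iqn.2016-12.com.thecus.n8800prov2:iscsi.raid5b.raid1; do … done`. If discovery fails, the loop body never runs and bash exits 0, so with `RemainAfterExit=yes` the unit shows active with no sessions established. systemd also applies its own `$` handling to `ExecStart` lines, so `$$i` is the documented way to pass a literal `$i` through to bash. The first line's bare `bash` should be `/usr/bin/bash` to match the second.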