(role/tma) add tma profile and test

Author: cbarria

hieradata/role/tma.yaml

@@ -0,0 +1,32 @@
+---
+classes:
+  - "profile::core::common"
+  - "profile::core::debugutils"
+  - "profile::core::docker"
+  - "profile::ts::tma"
+
+packages:
+  - "@base-x"
+  - "@xfce-desktop"
+  - "git"
+  - "git-lfs"
+  - "perl-File-Copy"
+  - "sddm"
+  - "tigervnc-server"
+  - "unzip"
+
+profile::ts::tma::tma_db_repo: "[email protected]:lsst-ts/ts_tma_mariadb-docker.git"
+profile::ts::tma::tma_db_path: "/opt/tma/mariadb-docker"
+profile::ts::tma::opman_path: "/opt/tma/operation-manager"
+profile::ts::tma::pxi_0_ip: "10.0.0.10"
+profile::ts::tma::pxi_1_ip: "10.0.0.11"
+
+profile::ts::tma::labview_rpm_url: "https://repo-nexus.lsst.org/nexus/repository/ts_yum/releases/ni-labview-2024-pro-24.3.2.49152-0%2Bf0-rhel9.noarch.rpm"
+profile::ts::tma::vipm_zip: "/opt/installers/vipm-22.1.2354-linux.zip"
+profile::ts::tma::vipm_root: "/usr/local/JKI/VIPM"
+profile::ts::tma::vipc_path: "/usr/local/JKI/VIPM/LSST_tma_dependencies.vipc"
+profile::ts::tma::vipc_url: "https://github.com/lsst-ts/ts_tma_vipm_dependency/raw/develop/LSST_tma_dependencies.vipc"
+
+profile::ts::tma::enable_graphical: true
+profile::ts::tma::enable_vnc_auto_setup: true
+profile::ts::tma::vnc_geometry: "1920x1080"

site/profile/manifests/ts/tma.pp

@@ -0,0 +1,231 @@
+# @summary
+# TMA multi-user workstation: XFCE, Docker services, LabVIEW, VIPM, per-user VNC
+#
+# @param tma_db_repo TMA MariaDB repository
+# @param tma_db_path Path for TMA DB (shared service)
+# @param pxi_0_ip PXI 0 IP address
+# @param pxi_1_ip PXI 1 IP address
+# @param opman_path Operation Manager path (shared service)
+# @param labview_rpm_url Full URL to NI LabVIEW RPM
+# @param compose_cmd Docker compose command (docker-compose or docker compose)
+# @param ghcr_username GitHub Container Registry username
+# @param ghcr_token GitHub Container Registry token (Sensitive)
+# @param vipm_zip VIPM ZIP path (optional, for offline install)
+# @param vipc_url VIPC dependencies URL
+# @param vipc_username VIPC credentials username (optional)
+# @param vipc_password VIPC credentials password (Sensitive, optional)
+# @param vipm_root VIPM root installation path
+# @param vipc_path VIPC file destination path
+# @param enable_graphical Enable graphical mode (XFCE + LightDM)
+# @param enable_vnc_auto_setup Enable automatic VNC setup for LDAP users
+# @param vnc_geometry Default VNC geometry for all users
+# @param tma_group LDAP group name for TMA users (must exist in FreeIPA)
+class profile::ts::tma (
+  String[1]                      $tma_db_repo,
+  Stdlib::Absolutepath           $tma_db_path,
+  String[1]                      $pxi_0_ip,
+  String[1]                      $pxi_1_ip,
+  Stdlib::Absolutepath           $opman_path              = '/opt/tma/operation-manager',
+  String[1]                      $labview_rpm_url         = 'https://repo-nexus.lsst.org/nexus/repository/ts_yum/releases/ni-labview-2024-pro-24.3.2.49152-0%2Bf0-rhel9.noarch.rpm',
+  String[1]                      $compose_cmd             = 'docker-compose',
+  Optional[String[1]]            $ghcr_username           = undef,
+  Optional[Sensitive[String[1]]] $ghcr_token              = undef,
+  Optional[Stdlib::Absolutepath] $vipm_zip                = undef,
+  String[1]                      $vipc_url                = 'https://github.com/lsst-ts/ts_tma_vipm_dependency/raw/develop/LSST_tma_dependencies.vipc',
+  Optional[String[1]]            $vipc_username           = undef,
+  Optional[Sensitive[String[1]]] $vipc_password           = undef,
+  Stdlib::Absolutepath           $vipm_root               = '/usr/local/JKI/VIPM',
+  Stdlib::Absolutepath           $vipc_path               = '/usr/local/JKI/VIPM/LSST_tma_dependencies.vipc',
+  Boolean                        $enable_graphical        = true,
+  Boolean                        $enable_vnc_auto_setup   = true,
+  String[1]                      $vnc_geometry            = '1920x1080',
+  String[1]                      $tma_group               = 'tma',
+) {
+  if $enable_graphical {
+    exec { 'set-graphical-target':
+      command => '/bin/systemctl set-default graphical.target',
+      unless  => '/bin/systemctl get-default | grep -q graphical.target',
+      path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+    }
+
+    exec { 'switch-to-sddm':
+      command => '/bin/bash -c "systemctl disable gdm lightdm; systemctl enable --force sddm; systemctl stop gdm lightdm; systemctl start sddm"',
+      unless  => '/bin/systemctl is-enabled sddm 2>/dev/null',
+      path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      require => Exec['set-graphical-target'],
+    }
+  }
+
+  if $enable_vnc_auto_setup {
+    file { '/usr/local/bin/tma-vnc-setup':
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0755',
+      content => epp('profile/ts/tma/vnc-setup.sh.epp', {
+          vnc_geometry => $vnc_geometry,
+      }),
+    }
+
+    file { '/etc/profile.d/tma-user-setup.sh':
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => epp('profile/ts/tma/user-setup.sh.epp'),
+    }
+  }
+
+  if $ghcr_username != undef and $ghcr_token != undef {
+    exec { 'docker-login-ghcr':
+      command => "bash -lc 'printf %s ${ghcr_token.unwrap} | docker login ghcr.io -u ${ghcr_username} --password-stdin'",
+      unless  => "bash -lc 'docker info 2>/dev/null | grep -q ghcr.io'",
+      path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+    }
+  }
+
+  file { '/opt/tma':
+    ensure => directory,
+    owner  => 'root',
+    group  => $tma_group,
+    mode   => '0775',
+  }
+
+  file { $tma_db_path:
+    ensure  => directory,
+    owner   => 'root',
+    group   => $tma_group,
+    mode    => '2775',
+    require => File['/opt/tma'],
+  }
+
+  vcsrepo { $tma_db_path:
+    ensure   => present,
+    provider => git,
+    source   => $tma_db_repo,
+    require  => File[$tma_db_path],
+  }
+
+  file { "${tma_db_path}/backup":
+    ensure => directory,
+    owner  => 'root',
+    group  => $tma_group,
+    mode   => '2775',
+  }
+
+  exec { 'tma-db-up':
+    command     => "${compose_cmd} up -d",
+    cwd         => $tma_db_path,
+    refreshonly => true,
+    subscribe   => Vcsrepo[$tma_db_path],
+    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin', '/usr/local/bin'],
+  }
+
+  cron { 'tma-db-createbackup':
+    ensure  => present,
+    command => "${tma_db_path}/createbackup.pl",
+    minute  => '5',
+    hour    => '12',
+    user    => 'root',
+  }
+
+  cron { 'tma-db-python-backup':
+    ensure  => present,
+    command => "docker run --rm -v ${tma_db_path}/python:/script -v ${tma_db_path}/backup:/backup python:3.7 python /script/main.py",
+    minute  => '5',
+    hour    => '13',
+    user    => 'root',
+  }
+
+  file { $opman_path:
+    ensure  => directory,
+    owner   => 'root',
+    group   => $tma_group,
+    mode    => '2775',
+    require => File['/opt/tma'],
+  }
+
+  $compose_content = @("COMPOSE")
+    version: '3'
+    services:
+      mt-mount-manager:
+        image: ghcr.io/lsst-ts/ts_tma_operation-manager_mt-mount-operation-manager:latest
+        container_name: mt-mount-manager
+        ports:
+          - "60005:60005"
+          - "40005:40005"
+          - "30005:30005"
+        volumes:
+          - /var/log/mtmount_operation_manager/:/var/log/mtmount_operation_manager
+        environment:
+          - PXI_0_IP=${pxi_0_ip}
+          - PXI_1_IP=${pxi_1_ip}
+        restart: unless-stopped
+    | COMPOSE
+
+  file { "${opman_path}/docker-compose.yml":
+    ensure  => file,
+    owner   => 'root',
+    group   => $tma_group,
+    mode    => '0664',
+    content => $compose_content,
+    notify  => Exec['opman-up'],
+  }
+
+  exec { 'opman-up':
+    command     => "${compose_cmd} up -d",
+    cwd         => $opman_path,
+    refreshonly => true,
+    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin', '/usr/local/bin'],
+  }
+
+  package { 'ni-labview-2024-el9-pro':
+    ensure   => installed,
+    provider => 'rpm',
+    source   => $labview_rpm_url,
+  }
+
+  file { '/usr/local/JKI':
+    ensure => directory,
+    owner  => 0,
+    group  => 0,
+    mode   => '0755',
+  }
+
+  file { '/etc/JKI':
+    ensure => directory,
+    owner  => 0,
+    group  => 0,
+    mode   => '0755',
+  }
+
+  file { $vipm_root:
+    ensure  => directory,
+    owner   => 0,
+    group   => 0,
+    mode    => '0755',
+    require => File['/usr/local/JKI'],
+  }
+
+  if $vipm_zip != undef {
+    exec { 'vipm-unzip':
+      command => "unzip -o ${vipm_zip} -d ${vipm_root}",
+      unless  => "test -x ${vipm_root}/vipm",
+      path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      require => File[$vipm_root],
+    }
+  }
+
+  if $vipc_username != undef and $vipc_password != undef {
+    exec { 'vipc-fetch':
+      command => "bash -lc 'curl -fsSL -u ${vipc_username}:${vipc_password.unwrap} -o ${vipc_path} ${vipc_url}'",
+      creates => $vipc_path,
+      path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      require => File[$vipm_root],
+    }
+  } else {
+    notify { 'vipc-skip':
+      message => 'VIPC skip: no creds',
+    }
+  }
+}

site/profile/templates/ts/tma/user-setup.sh.epp

@@ -0,0 +1,5 @@
+#!/bin/bash
+if groups | grep -q '\btma\b' && [ ! -d "$HOME/.vnc" ]; then
+  /usr/local/bin/tma-vnc-setup
+fi
+

site/profile/templates/ts/tma/vnc-setup.sh.epp

@@ -0,0 +1,55 @@
+<%- |
+  String[1] $vnc_geometry,
+| -%>
+#!/bin/bash
+set -euo pipefail
+
+if ! groups | grep -q '\btma\b'; then
+    exit 0
+fi
+
+USER_UID=$(id -u)
+VNC_DISPLAY=$((USER_UID % 100))
+
+if [ ! -d "$HOME/.vnc" ]; then
+    mkdir -p "$HOME/.vnc"
+    chmod 700 "$HOME/.vnc"
+fi
+
+cat > "$HOME/.vnc/config" <<EOF
+session=xfce
+securitytypes=vncauth,tlsvnc
+geometry=<%= $vnc_geometry %>
+localhost
+alwaysshared
+EOF
+
+echo ""
+echo "================================================================================"
+echo " TMA VNC Setup - User: $(whoami)"
+echo "================================================================================"
+echo ""
+echo " VNC Display: :${VNC_DISPLAY}"
+echo " VNC Port:    $((5900 + VNC_DISPLAY))"
+echo ""
+echo " To set your VNC password, run:"
+echo "   vncpasswd"
+echo ""
+echo " To start your VNC server:"
+echo "   vncserver :${VNC_DISPLAY}"
+echo ""
+echo " To stop your VNC server:"
+echo "   vncserver -kill :${VNC_DISPLAY}"
+echo ""
+echo " To connect remotely:"
+echo "   vncviewer <hostname>:${VNC_DISPLAY}"
+echo ""
+echo "================================================================================"
+echo ""
+
+if [ ! -f "$HOME/.vnc/passwd" ]; then
+    echo "IMPORTANT: Set your VNC password by running 'vncpasswd'"
+fi
+
+exit 0
+