From ba06e41efe52d70ea5259d10b784106f4b2f6b81 Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Mon, 10 Feb 2025 16:49:16 +0000
Subject: [PATCH 1/2] set locked mem limits on user nodes, configure login access
---
 .../roles/compute_init/files/compute-init.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml
index 430e2cf65..8b5ea7336 100644
--- a/ansible/roles/compute_init/files/compute-init.yml
+++ b/ansible/roles/compute_init/files/compute-init.yml
@@ -244,6 +244,27 @@
 cmd: "cvmfs_config setup"
 when: enable_eessi
 
+ - name: Set locked memory limits on user-facing nodes
+ lineinfile:
+ path: /etc/security/limits.conf
+ regexp: '\* soft memlock unlimited'
+ line: "* soft memlock unlimited"
+
+ - name: Configure sshd pam module
+ blockinfile:
+ path: /etc/pam.d/sshd
+ insertafter: 'account\s+required\s+pam_nologin.so'
+ block: |
+ account sufficient pam_access.so
+ account required pam_slurm.so
+
+ - name: Configure login access control
+ blockinfile:
+ path: /etc/security/access.conf
+ block: |
+ +:adm:ALL
+ -:ALL:ALL
+
 # NB: don't need conditional block on enable_compute as have already exited
 # if not the case
 - name: Write Munge key
From 951e98f8a30ff8e20db7c43b64aa39f1f494c6e1 Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Tue, 11 Feb 2025 13:34:43 +0000
Subject: [PATCH 2/2] reorder compute-init.yml to reflect slurm.yml playbook
---
 .../roles/compute_init/files/compute-init.yml | 42 +++++++++----------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml
index 8b5ea7336..b66c8bde0 100644
--- a/ansible/roles/compute_init/files/compute-init.yml
+++ b/ansible/roles/compute_init/files/compute-init.yml
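Review bot: In the `Configure sshd pam module` block, `account sufficient pam_access.so` ends the account stack as soon as it succeeds, so any account modules that follow the inserted block in /etc/pam.d/sshd would be skipped for users admitted by access.conf. That file is not visible here, but on many distributions the following line is an include that performs expiry and lock checks. If that is not intended, `account [success=1 default=ignore] pam_access.so` skips only pam_slurm.so and lets the rest of the stack run. In the access.conf block, `+:adm:ALL` matches a user named adm as well as the group, while `+:(adm):ALL` limits the rule to the group. The same three tasks are re-added unchanged by the second hunk of PATCH 2/2, so both points apply there as well.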
@@ -244,27 +244,6 @@
 cmd: "cvmfs_config setup"
 when: enable_eessi
 
- - name: Set locked memory limits on user-facing nodes
- lineinfile:
- path: /etc/security/limits.conf
- regexp: '\* soft memlock unlimited'
- line: "* soft memlock unlimited"
-
- - name: Configure sshd pam module
- blockinfile:
- path: /etc/pam.d/sshd
- insertafter: 'account\s+required\s+pam_nologin.so'
- block: |
- account sufficient pam_access.so
- account required pam_slurm.so
-
- - name: Configure login access control
- blockinfile:
- path: /etc/security/access.conf
- block: |
- +:adm:ALL
- -:ALL:ALL
-
 # NB: don't need conditional block on enable_compute as have already exited
 # if not the case
 - name: Write Munge key
@@ -297,6 +276,27 @@
 enabled: true
 state: started
 
+ - name: Set locked memory limits on user-facing nodes
+ lineinfile:
+ path: /etc/security/limits.conf
+ regexp: '\* soft memlock unlimited'
+ line: "* soft memlock unlimited"
+
+ - name: Configure sshd pam module
+ blockinfile:
+ path: /etc/pam.d/sshd
+ insertafter: 'account\s+required\s+pam_nologin.so'
+ block: |
+ account sufficient pam_access.so
+ account required pam_slurm.so
+
+ - name: Configure login access control
+ blockinfile:
+ path: /etc/security/access.conf
+ block: |
+ +:adm:ALL
+ -:ALL:ALL
+
 - name: Ensure node is resumed
 # TODO: consider if this is always safe for all job states?
 command: scontrol update state=resume nodename={{ ansible_hostname }}