stackhpc · sjpb · Feb 14, 2025 · Feb 11, 2025 · Feb 11, 2025 · Feb 12, 2025
@@ -46,7 +46,7 @@ it also requires an image build with the role name added to the
 | bootstrap.yml            | (system users)          | None required - use image build | No                  |
 | bootstrap.yml            | systemd                 | None required - use image build | No                  |
 | bootstrap.yml            | selinux                 | None required - use image build | Maybe [1]           |
-| bootstrap.yml            | sshd                    | None at present                 | No                  |
+| bootstrap.yml            | sshd                    | Fully supported                 | No                  |
 | bootstrap.yml            | dnf_repos               | None at present [2]             | -                   |
 | bootstrap.yml            | squid                   | Not relevant for compute nodes  | n/a                 |
 | bootstrap.yml            | tuned                   | Fully supported                 | No                  |         
@@ -63,7 +63,7 @@ it also requires an image build with the role name added to the
 | hooks/post-bootstrap.yml | ?                       | None at present                 | n/a                 |
 | iam.yml                  | freeipa_client          | None at present [3]             | Yes                 |
 | iam.yml                  | freeipa_server          | Not relevant for compute nodes  | n/a                 |
-| iam.yml                  | sssd                    | None at present                 | No                  |
+| iam.yml                  | sssd                    | Fully supported                 | No                  |
 | filesystems.yml          | block_devices           | None required - role deprecated | n/a                 |
 | filesystems.yml          | nfs                     | All client functionality        | No                  |
 | filesystems.yml          | manila                  | All functionality               | No [4]              |

@@ -9,6 +9,8 @@
     enable_compute: "{{ os_metadata.meta.compute | default(false) | bool }}"
     enable_resolv_conf: "{{ os_metadata.meta.resolv_conf | default(false) | bool }}"
     enable_etc_hosts: "{{ os_metadata.meta.etc_hosts | default(false) | bool }}"
+    enable_sssd: "{{ os_metadata.meta.sssd | default(false) | bool }}"
+    enable_sshd: "{{ os_metadata.meta.sshd | default(false) | bool }}"
     enable_tuned:  "{{ os_metadata.meta.tuned | default(false) | bool }}"
     enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}"
     enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}"
@@ -18,6 +20,14 @@
     # TODO: "= role defaults" - could be moved to a vars_file: on play with similar precedence effects
     resolv_conf_nameservers: []
 
+    sssd_enable_mkhomedir: false
+    sssd_conf_dest: /etc/sssd/sssd.conf
+    sssd_started: true
+    sssd_enabled: true
+
+    sshd_password_authentication: false
+    sshd_conf_dest: /etc/ssh/sshd_config.d/10-ansible.conf
+
     tuned_profile_baremetal: hpc-compute
     tuned_profile_vm: virtual-guest
     tuned_profile: "{{ tuned_profile_baremetal if ansible_virtualization_role != 'guest' else tuned_profile_vm }}"
@@ -132,6 +142,93 @@
         mode: 0644
       when: enable_etc_hosts
 
+    - name: Configure sssd
+      block:
+        - name: Manage sssd.conf configuration
+          copy:
+            src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf"
+            dest: "{{ sssd_conf_dest }}"
+            owner: root
+            group: root
+            mode: "0600"
+
+        - name: Restart sssd
+          systemd:
+            name: sssd
+            state: restarted
+          when: sssd_started | bool
+
+        - name: Ensure sssd service state
+          systemd:
+            name: sssd
+            state: "{{ 'started' if sssd_started | bool else 'stopped' }}"
+            enabled: "{{ sssd_enabled | bool }}"
+
+        - name: Get current authselect configuration
+          command: authselect current --raw
+          changed_when: false
+          failed_when:
+            - _authselect_current.rc != 0
+            - "'No existing configuration detected' not in _authselect_current.stdout"
+          register: _authselect_current # stdout: sssd with-mkhomedir
+
+        - name: Configure nsswitch and PAM for SSSD
+          command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}"
+          when: "'sssd' not in _authselect_current.stdout"
+
+        - name: "Ensure oddjob is started"
+          service:
+            name: oddjobd
+            state: 'started'
+            enabled: true
+          when: sssd_enable_mkhomedir | bool
+      when: enable_sssd
+
+    - name: Configure sshd
+      block:
+        - name: Grab facts to determine distribution
+          setup:
+
+        - name: Ensure drop in directory exists
+          file:
+            path: /etc/ssh/sshd_config.d/*.conf
+            state: directory
+            owner: root
+            group: root
+            mode: "0700"
+
+        - name: Ensure drop in directory is included
+          blockinfile:
+            dest: /etc/ssh/sshd_config
+            content: | 
+              # To modify the system-wide sshd configuration, create a  *.conf  file under
+              #  /etc/ssh/sshd_config.d/  which will be automatically included below
+              Include /etc/ssh/sshd_config.d/*.conf
+            state: present
+            insertafter: "# default value."
+            validate: sshd -t -f %s
+          when: ansible_facts.distribution_major_version == '8'
+
+        - name: Restart sshd
+          systemd:
+            name: sshd
+            state: restarted
+
+        - name: Manage sshd.conf configuration
+          copy:
+            src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf"
+            dest: "{{ sshd_conf_dest }}"
+            owner: root
+            group: root
+            mode: "0600"
+            validate: sshd -t -f %s
+
+        - name: Restart sshd
+          systemd:
+            name: sshd
+            state: restarted
+      when: enable_sshd
+
     - name: Configure tuned
       include_tasks: tasks/tuned.yml
       when: enable_tuned

@@ -71,3 +71,22 @@
     remote_src: true
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
+
+- name: Create hostconfig directory
+  file:
+    path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/"
+    state: directory
+    owner: root
+    group: root
+    mode: u=rw,go=
+  delegate_to: "{{ groups['control'] | first }}"
+
+- name: Template sssd config 
+  import_role:
+    name: sssd
+    tasks_from: export.yml
+
+- name: Template sshd config 
+  import_role:
+    name: sshd
+    tasks_from: export.yml
@@ -0,0 +1,11 @@
+# Exclusively used for compute-init
+- name: Inject host specific config template
+  template:
+    src: "{{ sshd_conf_src | default('') }}"
+    dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sshd.conf"
+    owner: root
+    group: root
+    mode: u=rw,go=
+  when:
+    - sshd_conf_src != ''
+  delegate_to: "{{ groups['control'] | first }}"
@@ -30,5 +30,12 @@
 - name: "Ensure oddjob is started"
   service:
     name: oddjobd
-    state: "{{ sssd_enable_mkhomedir }}"
+    state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}"
     enabled: "{{ sssd_enable_mkhomedir }}"
+
+- name: "Ensure oddjob is started"
+  service:
+    name: oddjobd
+    state: 'started'
+    enabled: true
+  when: sssd_enable_mkhomedir | bool
@@ -0,0 +1,11 @@
+# Exclusively used for compute-init
+- name: Inject host specific config template
+  template:
+    src: "{{ sssd_conf_src | default('') }}"
+    dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf"
+    owner: root
+    group: root
+    mode: u=rw,go=
+  when:
+    - sssd_conf_src != ''
+  delegate_to: "{{ groups['control'] | first }}"