fix task guarding, improve compute-init script

Author: bertiethorpe

ansible/roles/compute_init/files/compute-init.yml

@@ -143,90 +143,18 @@
       when: enable_etc_hosts
 
     - name: Configure sssd
-      block:
-        - name: Manage sssd.conf configuration
-          copy:
-            src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf"
-            dest: "{{ sssd_conf_dest }}"
-            owner: root
-            group: root
-            mode: "0600"
-
-        - name: Restart sssd
-          systemd:
-            name: sssd
-            state: restarted
-          when: sssd_started | bool
-
-        - name: Ensure sssd service state
-          systemd:
-            name: sssd
-            state: "{{ 'started' if sssd_started | bool else 'stopped' }}"
-            enabled: "{{ sssd_enabled | bool }}"
-
-        - name: Get current authselect configuration
-          command: authselect current --raw
-          changed_when: false
-          failed_when:
-            - _authselect_current.rc != 0
-            - "'No existing configuration detected' not in _authselect_current.stdout"
-          register: _authselect_current # stdout: sssd with-mkhomedir
-
-        - name: Configure nsswitch and PAM for SSSD
-          command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}"
-          when: "'sssd' not in _authselect_current.stdout"
-
-        - name: "Ensure oddjob is started"
-          service:
-            name: oddjobd
-            state: 'started'
-            enabled: true
-          when: sssd_enable_mkhomedir | bool
-      when: enable_sssd
+      ansible.builtin.include_role:
+        name: sssd
+        tasks_from: configure.yml
+      vars:
+        sssd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf"
+      when: enable_sshd
 
     - name: Configure sshd
-      block:
-        - name: Grab facts to determine distribution
-          setup:
-
-        - name: Ensure drop in directory exists
-          file:
-            path: /etc/ssh/sshd_config.d/*.conf
-            state: directory
-            owner: root
-            group: root
-            mode: "0700"
-
-        - name: Ensure drop in directory is included
-          blockinfile:
-            dest: /etc/ssh/sshd_config
-            content: | 
-              # To modify the system-wide sshd configuration, create a  *.conf  file under
-              #  /etc/ssh/sshd_config.d/  which will be automatically included below
-              Include /etc/ssh/sshd_config.d/*.conf
-            state: present
-            insertafter: "# default value."
-            validate: sshd -t -f %s
-          when: ansible_facts.distribution_major_version == '8'
-
-        - name: Restart sshd
-          systemd:
-            name: sshd
-            state: restarted
-
-        - name: Manage sshd.conf configuration
-          copy:
-            src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf"
-            dest: "{{ sshd_conf_dest }}"
-            owner: root
-            group: root
-            mode: "0600"
-            validate: sshd -t -f %s
-
-        - name: Restart sshd
-          systemd:
-            name: sshd
-            state: restarted
+      ansible.builtin.include_role:
+        name: sshd
+      vars:
+        sshd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf"
       when: enable_sshd
 
     - name: Configure tuned

ansible/roles/compute_init/tasks/export.yml

@@ -85,8 +85,10 @@
   import_role:
     name: sssd
     tasks_from: export.yml
+  when: "'sssd' in group_names"
 
 - name: Template sshd config 
   import_role:
     name: sshd
     tasks_from: export.yml
+  when: "'sshd' in group_names"

ansible/roles/compute_init/tasks/install.yml

@@ -13,6 +13,7 @@
     - library
     - filter_plugins
     - tasks
+    - roles
 
 - name: Inject files from roles
   copy:
@@ -32,6 +33,10 @@
       dest: files/NetworkManager-dns-none.conf
     - src: ../../basic_users/filter_plugins/filter_keys.py
       dest: filter_plugins/filter_keys.py
+    - src: ../../sssd
+      dest: roles/
+    - src: ../../sshd
+      dest: roles/
     - src: ../../tuned/tasks/configure.yml
       dest: tasks/tuned.yml
     - src: ../../stackhpc.nfs/tasks/nfs-clients.yml

ansible/roles/sshd/tasks/export.yml

@@ -1,11 +1,9 @@
 # Exclusively used for compute-init
 - name: Inject host specific config template
   template:
-    src: "{{ sshd_conf_src | default('') }}"
+    src: "{{ sshd_conf_src }}"
     dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sshd.conf"
     owner: root
     group: root
     mode: u=rw,go=
-  when:
-    - sshd_conf_src != ''
   delegate_to: "{{ groups['control'] | first }}"

ansible/roles/sssd/tasks/configure.yml

@@ -27,12 +27,6 @@
   command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}"
   when: "'sssd' not in _authselect_current.stdout"
 
-- name: "Ensure oddjob is started"
-  service:
-    name: oddjobd
-    state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}"
-    enabled: "{{ sssd_enable_mkhomedir }}"
-
 - name: "Ensure oddjob is started"
   service:
     name: oddjobd

ansible/roles/sssd/tasks/export.yml

@@ -1,11 +1,9 @@
 # Exclusively used for compute-init
 - name: Inject host specific config template
   template:
-    src: "{{ sssd_conf_src | default('') }}"
+    src: "{{ sssd_conf_src }}"
     dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf"
     owner: root
     group: root
     mode: u=rw,go=
-  when:
-    - sssd_conf_src != ''
   delegate_to: "{{ groups['control'] | first }}"