From 8243023460a2eec20c966b47898a63e7443161ec Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Thu, 22 Feb 2024 16:29:01 +0000 Subject: [PATCH 1/3] remove special-case for firewalld in builder --- ansible/fatimage.yml | 7 ------- ansible/roles/firewalld/tasks/main.yml | 14 +------------- ansible/roles/firewalld/tasks/runtime.yml | 12 ++++++++++++ .../inventory/group_vars/builder/defaults.yml | 2 ++ 4 files changed, 15 insertions(+), 20 deletions(-) create mode 100644 ansible/roles/firewalld/tasks/runtime.yml diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml index dbbfe815b..658d24d44 100644 --- a/ansible/fatimage.yml +++ b/ansible/fatimage.yml @@ -27,13 +27,6 @@ become: yes gather_facts: no tasks: - - name: Disable firewalld - # This is enabled on installation, which isn't what we want - systemd: - name: firewalld - state: stopped - enabled: false - # - import_playbook: iam.yml - name: Install FreeIPA client import_role: diff --git a/ansible/roles/firewalld/tasks/main.yml b/ansible/roles/firewalld/tasks/main.yml index 7b6bf8db1..98a7aa732 100644 --- a/ansible/roles/firewalld/tasks/main.yml +++ b/ansible/roles/firewalld/tasks/main.yml @@ -1,15 +1,3 @@ --- - import_tasks: install.yml - -- name: Apply filewalld configs - ansible.posix.firewalld: "{{ item }}" - notify: Restart filewalld - loop: "{{ firewalld_configs }}" - -- meta: flush_handlers - -- name: Ensure filewalld state - ansible.builtin.systemd: - name: firewalld - state: "{{ firewalld_state }}" - enabled: "{{ firewalld_enabled | default('yes' ) }}" +- import_tasks: runtime.yml diff --git a/ansible/roles/firewalld/tasks/runtime.yml b/ansible/roles/firewalld/tasks/runtime.yml new file mode 100644 index 000000000..2c9ab59cc --- /dev/null +++ b/ansible/roles/firewalld/tasks/runtime.yml 
@@ -0,0 +1,12 @@ +- name: Apply filewalld configs + ansible.posix.firewalld: "{{ item }}" + notify: Restart filewalld + loop: "{{ firewalld_configs }}" + +- meta: flush_handlers + +- name: Ensure filewalld state + ansible.builtin.systemd: + name: firewalld + state: "{{ firewalld_state }}" + enabled: "{{ firewalld_enabled | default(true) }}" diff --git a/environments/common/inventory/group_vars/builder/defaults.yml b/environments/common/inventory/group_vars/builder/defaults.yml index a9fde767c..70ae835d5 100644 --- a/environments/common/inventory/group_vars/builder/defaults.yml +++ b/environments/common/inventory/group_vars/builder/defaults.yml @@ -14,3 +14,5 @@ block_devices_configurations: [] # as volumes will not be attached to Packer bui mysql_state: stopped # as it tries to connect to real mysql node opensearch_state: stopped # avoid writing config+certs+db into image cuda_persistenced_state: stopped # probably don't have GPU in Packer build VMs +firewalld_enabled: false # dnf install of firewalld enables it +firewalld_state: stopped # dnf install of firewalld enables it From 8b52efc9ccc1aa417764be2fb09cbdf599fbe53a Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Thu, 22 Feb 2024 16:38:24 +0000 Subject: [PATCH 2/3] move host/image name output to hook --- ansible/fatimage.yml | 7 ------- environments/.stackhpc/hooks/pre.yml | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml index 658d24d44..2df851470 100644 --- a/ansible/fatimage.yml +++ b/ansible/fatimage.yml @@ -1,12 +1,5 @@ # Builder version of site.yml just installing binaries -- hosts: builder - become: no - gather_facts: no - tasks: - - name: Report hostname (= final image name) - command: hostname - - name: Run pre.yml hook vars: appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}" diff --git a/environments/.stackhpc/hooks/pre.yml b/environments/.stackhpc/hooks/pre.yml index 65dfad72d..a2927aea9 100644 
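Review bot: In the new runtime.yml, `ansible.posix.firewalld: "{{ item }}"` hands every element of `firewalld_configs` to the module as its complete argument set, so any key present in that variable reaches the firewall unchecked. Ansible's documentation flags bulk-setting module arguments from a variable as unsafe in some situations, so the file should at least carry a comment such as `# firewalld_configs items are passed verbatim as module arguments; define them only in trusted inventory`. The misspelling `filewalld` is also carried over into both task names and `notify: Restart filewalld`. The handler is not visible in this patch, so any rename has to change the handler name in the same commit. `firewalld_state` has no `default(...)` while `firewalld_enabled` does, which is worth a comment if it relies on role defaults.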
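Review bot: `firewalld_enabled: false` and `firewalld_state: stopped` only take effect where the firewalld role's runtime.yml runs against the builder, whereas the task removed from fatimage.yml stopped and disabled the service on every builder host. Which play applies the role during an image build is not visible in this patch; if the build host is not covered by it, the firewalld state in the captured image is whatever package installation left. The two identical trailing comments explain the cause but not the consequence, which is that the image is captured with the host firewall off. If the role is what turns it back on at deploy time, a comment such as `# image is captured with firewalld off; the firewalld role enables it when site.yml runs on the deployed node` would record that.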
--- a/environments/.stackhpc/hooks/pre.yml +++ b/environments/.stackhpc/hooks/pre.yml @@ -1,3 +1,10 @@ +- hosts: builder + become: no + gather_facts: no + tasks: + - name: Report hostname (= final image name) + command: hostname + - hosts: control:!builder become: yes gather_facts: false From a7927874d823ae330b0eb0418a1010af02b402ef Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Thu, 22 Feb 2024 16:46:03 +0000 Subject: [PATCH 3/3] remove some differences bewteen fatimage.yml and site.yml --- ansible/fatimage.yml | 33 +++++++++++-------- ansible/site.yml | 8 ----- .../inventory/group_vars/builder/defaults.yml | 1 + 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml index 2df851470..cb2916e31 100644 --- a/ansible/fatimage.yml +++ b/ansible/fatimage.yml @@ -2,16 +2,21 @@ - name: Run pre.yml hook vars: - appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}" + # hostvars not available here, so have to recalculate environment root: + appliances_environment_root: "{{ ansible_inventory_sources | last | dirname }}" hook_path: "{{ appliances_environment_root }}/hooks/pre.yml" import_playbook: "{{ hook_path if hook_path | exists else 'noop.yml' }}" when: hook_path | exists +- import_playbook: validate.yml + when: appliances_validate | default(true) + - import_playbook: bootstrap.yml - name: Run post-bootstrap.yml hook vars: - appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}" + # hostvars not available here, so have to recalculate environment root: + appliances_environment_root: "{{ ansible_inventory_sources | last | dirname }}" hook_path: "{{ appliances_environment_root }}/hooks/post-bootstrap.yml" import_playbook: "{{ hook_path if hook_path | exists else 'noop.yml' }}" when: hook_path | exists 
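Review bot: The `command: hostname` task added to pre.yml has no `changed_when`, so it reports a change on every build even though it only reads a value. Adding `changed_when: false` under it, and using the fully qualified `ansible.builtin.command`, keeps the build output meaningful. The new play also writes `become: no` and `gather_facts: no` while the play directly below uses `gather_facts: false`; `false` would match it.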
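Review bot: The hook path in the pre.yml and post-bootstrap.yml hook plays now depends on which inventory source comes last, and a wrong result is silent because `hook_path if hook_path | exists else 'noop.yml'` falls back to noop.yml. `ansible_inventory_sources | last | dirname` only yields the environment root when the final `-i` is that environment's inventory directory. If it is a file inside that directory, or an inventory generated by the build tooling (the invocation is not visible here), site hooks are skipped without any message. Whatever `hooks/*.yml` sits under the resolved directory is executed during the image build, so the assumption belongs in the comment, e.g. `# assumes the environment's inventory directory is the last -i source; otherwise hooks resolve to noop.yml`. The same expression is repeated for the post.yml hook in the `@@ -154,18 +159,20 @@` hunk.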
@@ -20,14 +25,14 @@ become: yes gather_facts: no tasks: - # - import_playbook: iam.yml + # import_playbook: iam.yml: - name: Install FreeIPA client import_role: name: freeipa tasks_from: client-install.yml when: "'freeipa_client' in group_names" - # - import_playbook: filesystems.yml: + # import_playbook: filesystems.yml: - name: Install nfs packages dnf: name: nfs-utils @@ -44,7 +49,7 @@ become: yes gather_facts: no tasks: - # - import_playbook: slurm.yml: + # import_playbook: slurm.yml: - name: Setup DB include_role: name: mysql @@ -58,7 +63,7 @@ include_vars: "{{ appliances_repository_root }}/ansible/roles/osc.ood/vars/Rocky/8.yml" # FUTURE: install-apps.yml - this is git clones - # - import_playbook: portal.yml + # import_playbook: portal.yml - name: Open Ondemand server import_role: name: osc.ood @@ -68,7 +73,7 @@ name: openondemand tasks_from: vnc_compute.yml - # - import_playbook: monitoring.yml: + # import_playbook: monitoring.yml: - import_role: name: opensearch tasks_from: install.yml @@ -154,18 +159,20 @@ - name: Run post.yml hook vars: - appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}" + # hostvars not available here, so have to recalculate environment root: + appliances_environment_root: "{{ ansible_inventory_sources | last | dirname }}" hook_path: "{{ appliances_environment_root }}/hooks/post.yml" import_playbook: "{{ hook_path if hook_path | exists else 'noop.yml' }}" when: hook_path | exists -- hosts: builder - become: yes +- name: Clean up and shutdown Packer VM + hosts: builder gather_facts: no + become: yes tasks: - # - meta: end_here - name: Cleanup image import_tasks: cleanup.yml - - name: Shutdown Packer VM - community.general.shutdown: + community.general.shutdown: + +... \ No newline at end of file diff --git a/ansible/site.yml b/ansible/site.yml index bb379399d..d72c29d8b 100644 --- a/ansible/site.yml +++ b/ansible/site.yml 
@@ -36,12 +36,4 @@ import_playbook: "{{ hook_path if hook_path | exists else 'noop.yml' }}" when: hook_path | exists -- name: Clean up and shutdown Packer VM - hosts: builder - gather_facts: no - become: yes - tasks: - - import_tasks: cleanup.yml - - community.general.shutdown: - ... \ No newline at end of file diff --git a/environments/common/inventory/group_vars/builder/defaults.yml b/environments/common/inventory/group_vars/builder/defaults.yml index 70ae835d5..ae889114c 100644 --- a/environments/common/inventory/group_vars/builder/defaults.yml +++ b/environments/common/inventory/group_vars/builder/defaults.yml @@ -16,3 +16,4 @@ opensearch_state: stopped # avoid writing config+certs+db into image cuda_persistenced_state: stopped # probably don't have GPU in Packer build VMs firewalld_enabled: false # dnf install of firewalld enables it firewalld_state: stopped # dnf install of firewalld enables it +appliances_validate: false
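Review bot: `appliances_validate: false` in the builder defaults is the only line in this block without a trailing rationale comment. It makes the `import_playbook: validate.yml` just added to fatimage.yml with `when: appliances_validate | default(true)` a no-op for every image build. What validate.yml checks is not visible in this patch, so it is unclear whether any of those checks should still gate an image. The line should say why they are skipped, in the style of its neighbours, e.g. `appliances_validate: false # validation needs the full cluster inventory`, if that is the actual reason.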