authorChristian Pointner <equinox@spreadspace.org>2018-12-09 01:53:23 +0100
committerChristian Pointner <equinox@spreadspace.org>2018-12-09 01:53:23 +0100
commit755a54f2233e2aa9a27d3ab018879f7efbe8c501 (patch)
tree5d61aaafac00352b99a52dc20e13ba3fd7a35f34 /roles
parentfixed acmetool self-signed cert handling (diff)
parentvm installation works now again (diff)
Merge branch 'new-repo-structure'
Diffstat (limited to 'roles')
-rw-r--r--roles/blackmagic-desktopvideo/defaults/main.yml4
-rw-r--r--roles/blackmagic-desktopvideo/tasks/main.yml2
-rw-r--r--roles/debian-installer/defaults/main.yml18
-rw-r--r--roles/debian-installer/tasks/main.yml27
-rw-r--r--roles/preseed/defaults/main.yml0
-rw-r--r--roles/preseed/tasks/main.yml25
-rw-r--r--roles/preseed/templates/preseed_debian-stretch.cfg.j2 (renamed from roles/vm/install/templates/preseed_debian-stretch.cfg.j2)60
-rw-r--r--roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2126
-rw-r--r--roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2 (renamed from roles/vm/install/templates/preseed_ubuntu-xenial.cfg.j2)54
-rw-r--r--roles/sshserver/tasks/main.yml2
-rw-r--r--roles/usb-install/meta/main.yml6
-rw-r--r--roles/usb-install/tasks/main.yml22
-rw-r--r--roles/vm/grub/tasks/main.yml21
-rw-r--r--roles/vm/guest/defaults/main.yml3
-rw-r--r--roles/vm/guest/handlers/main.yml4
-rw-r--r--roles/vm/guest/tasks/main.yml37
-rw-r--r--roles/vm/host/defaults/main.yml7
-rw-r--r--roles/vm/host/handlers/main.yml4
-rw-r--r--roles/vm/host/meta/main.yml3
-rw-r--r--roles/vm/host/tasks/main.yml50
-rw-r--r--roles/vm/install/meta/main.yml7
-rw-r--r--roles/vm/install/tasks/main.yml160
-rw-r--r--roles/vm/install/templates/libvirt-domain.xml.j232
-rw-r--r--roles/vm/network/tasks/main.yml19
-rw-r--r--roles/vm/network/templates/interfaces.j210
-rw-r--r--roles/vm/network/templates/netplan.yaml.j210
-rw-r--r--roles/vm/network/templates/resolv.conf.j24
27 files changed, 519 insertions, 198 deletions
diff --git a/roles/blackmagic-desktopvideo/defaults/main.yml b/roles/blackmagic-desktopvideo/defaults/main.yml
new file mode 100644
index 00000000..8dde7e4d
--- /dev/null
+++ b/roles/blackmagic-desktopvideo/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+blackmagic_desktopvideo_apt:
+ username: "change-me"
+# password: "secret"
diff --git a/roles/blackmagic-desktopvideo/tasks/main.yml b/roles/blackmagic-desktopvideo/tasks/main.yml
index 632f36ea..5283b628 100644
--- a/roles/blackmagic-desktopvideo/tasks/main.yml
+++ b/roles/blackmagic-desktopvideo/tasks/main.yml
@@ -11,7 +11,7 @@
- name: add repository entry
apt_repository:
- repo: deb https://{{ vault_build_spreadspace_blackmagic.username }}:{{ vault_build_spreadspace_blackmagic.password }}@build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic
+ repo: "deb https://{{ blackmagic_desktopvideo_apt.username }}:{{ blackmagic_desktopvideo_apt.password }}@build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic"
state: present
filename: blackmagic
mode: 0600
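Review bot: The `repo:` string carries the apt username and password, and the task sets no `no_log: true`, so the rendered credentials can show up in task output and run logs whenever the task changes or fails. Adding `no_log: true` to this task keeps them out of the log. The credentials also land inside the sources list entry itself; `mode: 0600` limits who can read that file, but an `/etc/apt/auth.conf` entry would keep them out of the URL altogether, if the target apt version supports it. The task may continue below the hunk.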
diff --git a/roles/debian-installer/defaults/main.yml b/roles/debian-installer/defaults/main.yml
new file mode 100644
index 00000000..94e8d6c2
--- /dev/null
+++ b/roles/debian-installer/defaults/main.yml
@@ -0,0 +1,18 @@
+distros:
+ - distro: debian
+ codename: stretch
+ arch:
+ - amd64
+ - i386
+
+ - distro: ubuntu
+ codename: bionic
+ arch:
+ - amd64
+ - i386
+
+debian_installer_force_download: no
+
+debian_installer_url:
+ debian: "https://debian.ffgraz.net/debian"
+ ubuntu: "https://debian.ffgraz.net/ubuntu"
diff --git a/roles/debian-installer/tasks/main.yml b/roles/debian-installer/tasks/main.yml
new file mode 100644
index 00000000..eb32f6aa
--- /dev/null
+++ b/roles/debian-installer/tasks/main.yml
@@ -0,0 +1,27 @@
+- name: prepare directories for installer images
+ with_subelements:
+ - "{{ distros }}"
+ - arch
+ file:
+ name: "{{ debian_installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}"
+ state: directory
+
+- name: download installer kernel images
+ with_subelements:
+ - "{{ distros }}"
+ - arch
+ get_url:
+ url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/images/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/linux"
+ dest: "{{ debian_installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/linux"
+ mode: 0644
+ force: "{{ debian_installer_force_download }}"
+
+- name: download installer initrd.gz
+ with_subelements:
+ - "{{ distros }}"
+ - arch
+ get_url:
+ url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/images/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/initrd.gz"
+ dest: "{{ debian_installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/initrd.gz"
+ mode: 0644
+ force: "{{ debian_installer_force_download }}"
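Review bot: Both `get_url` tasks fetch the installer `linux` and `initrd.gz` without a `checksum:`, so whatever the mirror in `debian_installer_url` returns is later booted as the installer for new hosts. HTTPS protects the transfer but not against a stale or tampered file on the mirror. A pinned digest per distro/codename/arch, passed as `checksum: "sha256:<PINNED_DIGEST>"` and taken from the distribution's signed release metadata, would make the download fail closed. `debian_installer_path` has no default in this role's defaults file, so a comment naming it as a required variable would help too.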
diff --git a/roles/preseed/defaults/main.yml b/roles/preseed/defaults/main.yml
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/roles/preseed/defaults/main.yml
diff --git a/roles/preseed/tasks/main.yml b/roles/preseed/tasks/main.yml
new file mode 100644
index 00000000..7406154c
--- /dev/null
+++ b/roles/preseed/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: Copy initramfs into position
+ copy:
+ remote_src: yes
+ src: "{{ debian_installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[hostname].install_cooked.arch | default('amd64') }}/initrd.gz"
+ dest: "{{ preseed_tmpdir }}/initrd.preseed.gz"
+
+- name: Generate preseed file
+ template:
+ src: "preseed_{{ install_distro }}-{{ install_codename }}.cfg.j2"
+ dest: "{{ preseed_tmpdir }}/preseed.cfg"
+
+- name: Generate authorized_keys file
+ authorized_key:
+ user: root
+ manage_dir: no
+ path: "{{ preseed_tmpdir }}/authorized_keys"
+ key: "{{ ssh_keys_root | join('\n') }}"
+
+- name: Inject files into initramfs
+ shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz'
+ args:
+ chdir: "{{ preseed_tmpdir }}"
+ stdin: |
+ preseed.cfg
+ authorized_keys
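Review bot: The `Inject files into initramfs` task pipes `cpio` into `gzip` under the default shell, so a failing `cpio` is masked by gzip's exit status and the task reports success with an initramfs that lacks `preseed.cfg` or `authorized_keys`. Running it as `shell: set -o pipefail && cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz'` with `executable: /bin/bash` under `args:` makes that failure visible. A one-line comment that the appended archive is what places `/authorized_keys` in the installer root would also help, since the `cp /authorized_keys` step in the templates' late_command depends on it.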
diff --git a/roles/vm/install/templates/preseed_debian-stretch.cfg.j2 b/roles/preseed/templates/preseed_debian-stretch.cfg.j2
index 8e221671..36d221a1 100644
--- a/roles/vm/install/templates/preseed_debian-stretch.cfg.j2
+++ b/roles/preseed/templates/preseed_debian-stretch.cfg.j2
@@ -4,20 +4,24 @@
d-i debian-installer/language string en
d-i debian-installer/country string AT
-d-i debian-installer/locale string de_AT.UTF-8
-d-i keyboard-configuration/xkb-keymap select de
-
-
-#d-i netcfg/choose_interface select enp1s1
-#d-i netcfg/disable_autoconfig boolean false
-#d-i netcfg/get_ipaddress string {{ hostvars[vmname].vm_network_cooked.primary.ip }}
-#d-i netcfg/get_netmask string {{ hostvars[vmname].vm_network_cooked.primary.mask }}
-#d-i netcfg/get_gateway string {{ hostvars[vmname].vm_network_cooked.primary.gateway }}
-#d-i netcfg/get_nameservers string {{ hostvars[vmname].vm_network_cooked.nameservers | join(' ') }}
-#d-i netcfg/confirm_static boolean true
-
-d-i netcfg/get_hostname string {{ vmname }}
-d-i netcfg/get_domain string {{ hostvars[vmname].vm_network_cooked.domain }}
+d-i debian-installer/locale string en_US.UTF-8
+d-i keyboard-configuration/xkb-keymap select us
+
+d-i hw-detect/load_firmware boolean false
+
+d-i netcfg/disable_dhcp boolean true
+d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }}
+d-i netcfg/disable_autoconfig boolean false
+d-i netcfg/get_ipaddress string {{ hostvars[hostname].network_cooked.primary.ip }}
+d-i netcfg/get_netmask string {{ hostvars[hostname].network_cooked.primary.mask }}
+d-i netcfg/get_gateway string {{ hostvars[hostname].network_cooked.primary.gateway }}
+d-i netcfg/get_nameservers string {{ hostvars[hostname].network_cooked.nameservers | join(' ') }}
+d-i netcfg/confirm_static boolean true
+
+d-i netcfg/hostname string {{ hostname }}
+d-i netcfg/get_hostname string {{ hostname }}
+d-i netcfg/domain string {{ hostvars[hostname].network_cooked.domain }}
+d-i netcfg/get_domain string {{ hostvars[hostname].network_cooked.domain }}
d-i netcfg/wireless_wep string
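Review bot: `d-i netcfg/disable_autoconfig boolean false` sits inside a static addressing block, while the kernel cmdline this commit removes from libvirt-domain.xml.j2 passed `netcfg/disable_autoconfig=true`. If static-only configuration is intended, the line should read `d-i netcfg/disable_autoconfig boolean true`. With `false` the installer may still attempt automatic configuration on the install network, depending on how netcfg weighs it against `netcfg/disable_dhcp`. The same line appears in the new bionic template and in the xenial hunk.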
@@ -37,8 +41,12 @@ d-i time/zone string Europe/Vienna
d-i clock-setup/ntp boolean false
-d-i partman-auto/disk string /dev/{{ hostvars[vmname].vm_install_cooked.disks.primary }}
+d-i partman-auto/disk string /dev/{{ hostvars[hostname].install_cooked.disks.primary }}
d-i partman-auto/method string lvm
+d-i partman-auto/purge_lvm_from_device boolean true
+d-i partman-auto-lvm/new_vg_name string {{ hostname }}
+d-i partman-auto-lvm/guided_size string max
+
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
@@ -49,22 +57,22 @@ d-i partman-auto/expert_recipe string \
boot-root :: \
1000 10000 -1 ext4 \
$defaultignore{ } $primary{ } $bootable{ } \
- method{ lvm } vg_name{ {{ vmname }} } \
+ method{ lvm } vg_name{ {{ hostname }} } \
. \
2048 10000 2560 ext4 \
- $lvmok{ } in_vg{ {{ vmname }} } \
+ $lvmok{ } in_vg{ {{ hostname }} } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ / } \
. \
1024 11000 1280 ext4 \
- $lvmok{ } in_vg{ {{ vmname }} } \
+ $lvmok{ } in_vg{ {{ hostname }} } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ /var } \
. \
768 10000 768 ext4 \
- $lvmok{ } in_vg{ {{ vmname }} } \
+ $lvmok{ } in_vg{ {{ hostname }} } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ /var/log } \
@@ -72,7 +80,7 @@ d-i partman-auto/expert_recipe string \
options/noexec{ noexec } \
. \
16 20000 -1 ext4 \
- $lvmok{ } in_vg{ {{ vmname }} } \
+ $lvmok{ } in_vg{ {{ hostname }} } \
method( keep } lv_name{ dummy } \
.
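Review bot: The `method( keep }` line directly after the changed `in_vg{ {{ hostname }} }` line has mismatched delimiters and looks like a typo for `method{ keep }`. It is an unchanged context line here, but the commit copies it into the new bionic template and it remains in the xenial hunk as well. How partman-auto treats the unmatched token is not visible from this page; the `lvremove -f {{ hostname }}/dummy` in late_command may be hiding the effect.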
@@ -92,7 +100,7 @@ d-i pkgsel/include string openssh-server python
d-i pkgsel/upgrade select safe-upgrade
popularity-contest popularity-contest/participate boolean false
-d-i grub-installer/choose_bootdev string /dev/{{ hostvars[vmname].vm_install_cooked.disks.primary }}
+d-i grub-installer/choose_bootdev string /dev/{{ hostvars[hostname].install_cooked.disks.primary }}
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean false
@@ -100,6 +108,12 @@ d-i finish-install/reboot_in_progress note
d-i preseed/late_command string \
- lvremove -f {{ vmname }}/dummy; \
+ lvremove -f {{ hostname }}/dummy; \
in-target bash -c "apt-get update -q && apt-get full-upgrade -y -q"; \
- in-target bash -c "passwd -d root; passwd -l root; umask 077; mkdir -p /root/.ssh/; echo -e '{{ sshserver_root_keys }}' > /root/.ssh/authorized_keys"
+ in-target bash -c "passwd -d root && passwd -l root"; \
+ in-target bash -c "sed -e 's/^allow-hotplug/auto/' -i /etc/network/interfaces"; \
+ mkdir -p -m 0700 /target/root/.ssh; \
+ cp /authorized_keys /target/root/.ssh/; \
+{% if hostvars[hostname].ansible_port is defined %}
+ in-target bash -c "sed -e 's/^\(\s*#*\s*Port.*\)/Port {{ hostvars[hostname].ansible_port }}/' -i /etc/ssh/sshd_config"
+{% endif %}
diff --git a/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2 b/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2
new file mode 100644
index 00000000..8c7093aa
--- /dev/null
+++ b/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2
@@ -0,0 +1,126 @@
+#########################################################################
+# spreadspace preseed file for Ubuntu bionic based VMs
+#########################################################################
+
+d-i debian-installer/language string en
+d-i debian-installer/country string AT
+d-i debian-installer/locale string en_US.UTF-8
+d-i localechooser/preferred-locale string en_US.UTF-8
+d-i localechooser/supported-locales multiselect de_DE.UTF-8, de_AT.UTF-8
+d-i console-setup/ask_detect boolean false
+d-i keyboard-configuration/xkb-keymap select us
+d-i keyboard-configuration/layoutcode string us
+
+d-i hw-detect/load_firmware boolean false
+
+d-i netcfg/disable_dhcp boolean true
+d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }}
+d-i netcfg/disable_autoconfig boolean false
+d-i netcfg/get_ipaddress string {{ hostvars[hostname].network_cooked.primary.ip }}
+d-i netcfg/get_netmask string {{ hostvars[hostname].network_cooked.primary.mask }}
+d-i netcfg/get_gateway string {{ hostvars[hostname].network_cooked.primary.gateway }}
+d-i netcfg/get_nameservers string {{ hostvars[hostname].network_cooked.nameservers | join(' ') }}
+d-i netcfg/confirm_static boolean true
+
+d-i netcfg/hostname string {{ hostname }}
+d-i netcfg/get_hostname string {{ hostname }}
+d-i netcfg/domain string {{ hostvars[hostname].network_cooked.domain }}
+d-i netcfg/get_domain string {{ hostvars[hostname].network_cooked.domain }}
+d-i netcfg/wireless_wep string
+
+
+d-i mirror/country string manual
+d-i mirror/http/hostname string archive.ubuntu.com
+d-i mirror/http/directory string /ubuntu
+d-i mirror/http/proxy string
+
+
+d-i passwd/make-user boolean false
+d-i passwd/root-login boolean true
+d-i passwd/root-password password this-very-very-secure-password-will-be-removed-by-latecommand
+d-i passwd/root-password-again password this-very-very-secure-password-will-be-removed-by-latecommand
+
+
+d-i clock-setup/utc boolean true
+d-i time/zone string Europe/Vienna
+d-i clock-setup/ntp boolean false
+
+
+d-i partman-auto/disk string /dev/{{ hostvars[hostname].install_cooked.disks.primary }}
+d-i partman-auto/method string lvm
+d-i partman-auto/purge_lvm_from_device boolean true
+d-i partman-auto-lvm/new_vg_name string {{ hostname }}
+d-i partman-auto-lvm/guided_size string max
+
+d-i partman-lvm/device_remove_lvm boolean true
+d-i partman-md/device_remove_md boolean true
+
+d-i partman-lvm/confirm boolean true
+d-i partman-lvm/confirm_nooverwrite boolean true
+
+d-i partman-auto/expert_recipe string \
+ boot-root :: \
+ 1000 10000 -1 ext4 \
+ $defaultignore{ } $primary{ } $bootable{ } \
+ method{ lvm } vg_name{ {{ hostname }} } \
+ . \
+ 2048 10000 2560 ext4 \
+ $lvmok{ } in_vg{ {{ hostname }} } \
+ method{ format } format{ } \
+ use_filesystem{ } filesystem{ ext4 } \
+ mountpoint{ / } \
+ . \
+ 1024 11000 1280 ext4 \
+ $lvmok{ } in_vg{ {{ hostname }} } \
+ method{ format } format{ } \
+ use_filesystem{ } filesystem{ ext4 } \
+ mountpoint{ /var } \
+ . \
+ 768 10000 768 ext4 \
+ $lvmok{ } in_vg{ {{ hostname }} } \
+ method{ format } format{ } \
+ use_filesystem{ } filesystem{ ext4 } \
+ mountpoint{ /var/log } \
+ options/nodev{ nodev } options/noatime{ noatime } \
+ options/noexec{ noexec } \
+ . \
+ 16 20000 -1 ext4 \
+ $lvmok{ } in_vg{ {{ hostname }} } \
+ method( keep } lv_name{ dummy } \
+ .
+
+d-i partman-auto-lvm/no_boot boolean true
+d-i partman-basicfilesystems/no_swap true
+d-i partman-partitioning/confirm_write_new_label boolean true
+d-i partman/choose_partition select finish
+d-i partman/confirm boolean true
+d-i partman/confirm_nooverwrite boolean true
+
+
+d-i base-installer/install-recommends boolean false
+d-i apt-setup/security_host string archive.ubuntu.com
+
+tasksel tasksel/first multiselect
+d-i pkgsel/include string openssh-server python
+d-i pkgsel/upgrade select safe-upgrade
+popularity-contest popularity-contest/participate boolean false
+d-i pkgsel/update-policy select none
+
+d-i grub-installer/choose_bootdev string /dev/{{ hostvars[hostname].install_cooked.disks.primary }}
+d-i grub-installer/only_debian boolean true
+d-i grub-installer/with_other_os boolean false
+
+d-i finish-install/reboot_in_progress note
+
+
+d-i preseed/late_command string \
+ lvremove -f {{ hostname }}/dummy; \
+ in-target bash -c "swapoff -a; sed -e '/^\/swapfile/d' -i /etc/fstab; rm -f /swapfile"; \
+ in-target bash -c "apt-get update -q && apt-get full-upgrade -y -q"; \
+ in-target bash -c "passwd -d root && passwd -l root"; \
+ in-target bash -c "sed -e 's/^allow-hotplug/auto/' -i /etc/network/interfaces"; \
+ mkdir -p -m 0700 /target/root/.ssh; \
+ cp /authorized_keys /target/root/.ssh/; \
+{% if hostvars[hostname].ansible_port is defined %}
+ in-target bash -c "sed -e 's/^\(\s*#*\s*Port.*\)/Port {{ hostvars[hostname].ansible_port }}/' -i /etc/ssh/sshd_config"
+{% endif %}
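Review bot: `passwd/root-password` is preseeded with a fixed string that anyone can read in this template, and root only ends up locked if the `passwd -d root && passwd -l root` step in `preseed/late_command` is reached and succeeds. An install that never completes that step keeps the known password. Preseeding a disabled password from the start, `d-i passwd/root-password-crypted password !` in place of the two `root-password` lines, removes the dependency on the late step. The installer documentation describes `!` as disabling the account, but confirm that bionic's user-setup honours it. The stretch and xenial late_command hunks use the same `passwd` step.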
diff --git a/roles/vm/install/templates/preseed_ubuntu-xenial.cfg.j2 b/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2
index dc53fd36..1be16ff8 100644
--- a/roles/vm/install/templates/preseed_ubuntu-xenial.cfg.j2
+++ b/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2
@@ -11,17 +11,21 @@ d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/xkb-keymap select us
d-i keyboard-configuration/layoutcode string us
-
-#d-i netcfg/choose_interface select enp1s1
-#d-i netcfg/disable_autoconfig boolean false
-#d-i netcfg/get_ipaddress string {{ hostvars[vmname].vm_network_cooked.primary.ip }}
-#d-i netcfg/get_netmask string {{ hostvars[vmname].vm_network_cooked.primary.mask }}
-#d-i netcfg/get_gateway string {{ hostvars[vmname].vm_network_cooked.primary.gateway }}
-#d-i netcfg/get_nameservers string {{ hostvars[vmname].vm_network_cooked.nameservers | join(' ') }}
-#d-i netcfg/confirm_static boolean true
-
-d-i netcfg/get_hostname string {{ vmname }}
-d-i netcfg/get_domain string {{ hostvars[vmname].vm_network_cooked.domain }}
+d-i hw-detect/load_firmware boolean false
+
+d-i netcfg/disable_dhcp boolean true
+d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }}
+d-i netcfg/disable_autoconfig boolean false
+d-i netcfg/get_ipaddress string {{ hostvars[hostname].network_cooked.primary.ip }}
+d-i netcfg/get_netmask string {{ hostvars[hostname].network_cooked.primary.mask }}
+d-i netcfg/get_gateway string {{ hostvars[hostname].network_cooked.primary.gateway }}
+d-i netcfg/get_nameservers string {{ hostvars[hostname].network_cooked.nameservers | join(' ') }}
+d-i netcfg/confirm_static boolean true
+
+d-i netcfg/hostname string {{ hostname }}
+d-i netcfg/get_hostname string {{ hostname }}
+d-i netcfg/domain string {{ hostvars[hostname].network_cooked.domain }}
+d-i netcfg/get_domain string {{ hostvars[hostname].network_cooked.domain }}
d-i netcfg/wireless_wep string
@@ -42,13 +46,15 @@ d-i time/zone string Europe/Vienna
d-i clock-setup/ntp boolean false
-d-i partman-auto/disk string /dev/{{ hostvars[vmname].vm_install_cooked.disks.primary }}
+d-i partman-auto/disk string /dev/{{ hostvars[hostname].install_cooked.disks.primary }}
d-i partman-auto/method string lvm
d-i partman-auto/purge_lvm_from_device boolean true
-d-i partman-auto-lvm/new_vg_name string {{ vmname }}
+d-i partman-auto-lvm/new_vg_name string {{ hostname }}
d-i partman-auto-lvm/guided_size string max
d-i partman-lvm/device_remove_lvm boolean true
+d-i partman-md/device_remove_md boolean true
+
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
@@ -56,22 +62,22 @@ d-i partman-auto/expert_recipe string \
boot-root :: \
1000 10000 -1 ext4 \
$defaultignore{ } $primary{ } $bootable{ } \
- method{ lvm } vg_name{ {{ vmname }} } \
+ method{ lvm } vg_name{ {{ hostname }} } \
. \
2048 10000 2560 ext4 \
- $lvmok{ } in_vg{ {{ vmname }} } \
+ $lvmok{ } in_vg{ {{ hostname }} } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ / } \
. \
1024 11000 1280 ext4 \
- $lvmok{ } in_vg{ {{ vmname }} } \
+ $lvmok{ } in_vg{ {{ hostname }} } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ /var } \
. \
768 10000 768 ext4 \
- $lvmok{ } in_vg{ {{ vmname }} } \
+ $lvmok{ } in_vg{ {{ hostname }} } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ /var/log } \
@@ -79,7 +85,7 @@ d-i partman-auto/expert_recipe string \
options/noexec{ noexec } \
. \
16 20000 -1 ext4 \
- $lvmok{ } in_vg{ {{ vmname }} } \
+ $lvmok{ } in_vg{ {{ hostname }} } \
method( keep } lv_name{ dummy } \
.
@@ -100,7 +106,7 @@ d-i pkgsel/upgrade select safe-upgrade
popularity-contest popularity-contest/participate boolean false
d-i pkgsel/update-policy select none
-d-i grub-installer/choose_bootdev string /dev/{{ hostvars[vmname].vm_install_cooked.disks.primary }}
+d-i grub-installer/choose_bootdev string /dev/{{ hostvars[hostname].install_cooked.disks.primary }}
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean false
@@ -108,6 +114,12 @@ d-i finish-install/reboot_in_progress note
d-i preseed/late_command string \
- lvremove -f {{ vmname }}/dummy; \
+ lvremove -f {{ hostname }}/dummy; \
in-target bash -c "apt-get update -q && apt-get full-upgrade -y -q"; \
- in-target bash -c "passwd -d root; passwd -l root; umask 077; mkdir -p /root/.ssh/; echo -e '{{ sshserver_root_keys }}' > /root/.ssh/authorized_keys"
+ in-target bash -c "passwd -d root && passwd -l root"; \
+ in-target bash -c "sed -e 's/^allow-hotplug/auto/' -i /etc/network/interfaces"; \
+ mkdir -p -m 0700 /target/root/.ssh; \
+ cp /authorized_keys /target/root/.ssh/; \
+{% if hostvars[hostname].ansible_port is defined %}
+ in-target bash -c "sed -e 's/^\(\s*#*\s*Port.*\)/Port {{ hostvars[hostname].ansible_port }}/' -i /etc/ssh/sshd_config"
+{% endif %}
diff --git a/roles/sshserver/tasks/main.yml b/roles/sshserver/tasks/main.yml
index 6d6cc59c..cd4c5043 100644
--- a/roles/sshserver/tasks/main.yml
+++ b/roles/sshserver/tasks/main.yml
@@ -29,7 +29,7 @@
- name: install ssh keys for root
authorized_key:
user: root
- key: "{{ sshserver_root_keys }}"
+ key: "{{ ssh_keys_root | join('\n') }}"
exclusive: yes
- name: delete root password
diff --git a/roles/usb-install/meta/main.yml b/roles/usb-install/meta/main.yml
new file mode 100644
index 00000000..bca7f83d
--- /dev/null
+++ b/roles/usb-install/meta/main.yml
@@ -0,0 +1,6 @@
+dependencies:
+ - role: debian-installer
+ distros:
+ - distro: "{{ install_distro }}"
+ codename: "{{ install_codename }}"
+ arch: [ "{{ install.arch | default('amd64') }}" ]
diff --git a/roles/usb-install/tasks/main.yml b/roles/usb-install/tasks/main.yml
new file mode 100644
index 00000000..1523aedc
--- /dev/null
+++ b/roles/usb-install/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- block:
+ - name: Create temporary workdir
+ command: mktemp -d
+ register: tmpdir
+
+ - import_role:
+ name: preseed
+ vars:
+ preseed_tmpdir: "{{ tmpdir.stdout }}"
+
+ - name: Copy the preseed initramfs to the artifacts directory
+ copy:
+ src: "{{ tmpdir.stdout }}/initrd.preseed.gz"
+ dest: "{{ artifacts_dir }}/"
+
+
+ always:
+ - name: Cleanup temporary workdir
+ file:
+ path: "{{ tmpdir.stdout }}"
+ state: absent
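Review bot: The `Copy the preseed initramfs to the artifacts directory` task has no `remote_src: yes`, unlike the copy in the preseed role, so `src` is resolved on the controller while `mktemp -d` created the directory on the play's target. The two only coincide when this role runs against localhost. If that is the intent, a comment saying so would prevent misuse; otherwise the task needs `fetch` or `remote_src: yes`, depending on where `artifacts_dir` lives. The copied initramfs embeds the preseed and root's `authorized_keys`, so an explicit `mode:` on the artifact is worth adding as well.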
diff --git a/roles/vm/grub/tasks/main.yml b/roles/vm/grub/tasks/main.yml
index f751243a..eb868d38 100644
--- a/roles/vm/grub/tasks/main.yml
+++ b/roles/vm/grub/tasks/main.yml
@@ -1,16 +1,15 @@
---
- name: enable serial console in grub and for kernel
- with_items:
- - regexp: '^GRUB_TIMEOUT='
- line: 'GRUB_TIMEOUT=2'
- - regexp: '^GRUB_CMDLINE_LINUX='
- line: 'GRUB_CMDLINE_LINUX="console=ttyS0,115200n8"'
- - regexp: '^GRUB_TERMINAL='
- line: 'GRUB_TERMINAL=serial'
- - regexp: '^GRUB_SERIAL_COMMAND='
- line: 'GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"'
+ with_dict:
+ GRUB_TIMEOUT: 2
+ GRUB_CMDLINE_LINUX: '"console=ttyS0,115200n8"'
+ GRUB_TERMINAL: serial
+ GRUB_SERIAL_COMMAND: >-
+ "serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"
lineinfile:
dest: /etc/default/grub
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
+ regexp: "^{{ item.key }}="
+ line: "{{ item.key }}={{ item.value }}"
notify: update grub
+ loop_control:
+ label: "{{ item.key }}"
diff --git a/roles/vm/guest/defaults/main.yml b/roles/vm/guest/defaults/main.yml
new file mode 100644
index 00000000..b4deefa0
--- /dev/null
+++ b/roles/vm/guest/defaults/main.yml
@@ -0,0 +1,3 @@
+rngd_config:
+ HRNGDEVICE: /dev/hwrng
+ RNGDOPTIONS: '"-s 256 -W 80%"'
diff --git a/roles/vm/guest/handlers/main.yml b/roles/vm/guest/handlers/main.yml
new file mode 100644
index 00000000..5b57f3bc
--- /dev/null
+++ b/roles/vm/guest/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart rngd
+ service:
+ name: rng-tools
+ state: restarted
diff --git a/roles/vm/guest/tasks/main.yml b/roles/vm/guest/tasks/main.yml
new file mode 100644
index 00000000..4830d051
--- /dev/null
+++ b/roles/vm/guest/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: Install rngd
+ apt:
+ name: rng-tools
+ state: present
+
+- name: Configure rngd [1/2]
+ lineinfile:
+ path: /etc/default/rng-tools
+ line: '{{ item.key }}={{ item.value }}'
+ regexp: '^#?{{ item.key }}='
+ with_dict: '{{ rngd_config }}'
+ loop_control:
+ label: "{{ item.key }}"
+ notify: restart rngd
+
+- name: Configure rngd [2/2]
+ lineinfile:
+ path: /etc/default/rng-tools
+ regexp: '^{{ item.key }}=(?!{{ item.value }})'
+ state: absent
+ with_dict: '{{ rngd_config }}'
+ loop_control:
+ label: "{{ item.key }}"
+ notify: restart rngd
+
+- name: Provide a root shell on the VM console [1/2]
+ file:
+ path: /etc/systemd/system/serial-getty@ttyS0.service.d/
+ state: directory
+
+- name: Provide a root shell on the VM console [2/2]
+ copy:
+ dest: /etc/systemd/system/serial-getty@ttyS0.service.d/autologon.conf
+ content: |
+ [Service]
+ ExecStart=
+ ExecStart=-/sbin/agetty --keep-baud 115200,38400,9600 --noclear --autologin root --login-pause --host {{ vm_host }} %I $TERM
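Review bot: The `autologon.conf` drop-in starts `serial-getty@ttyS0` with `--autologin root`, unconditionally for every host that gets this role, so anyone who can attach to the guest's serial console on the hypervisor has a root shell without authentication. That trust assumption should be stated in a comment above the task, and the two console tasks gated on a role variable that defaults to off, so it becomes a per-VM decision. The drop-in is also written without `mode:`, and nothing visible here triggers a systemd daemon-reload, so it appears to take effect only after the next reboot.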
diff --git a/roles/vm/host/defaults/main.yml b/roles/vm/host/defaults/main.yml
deleted file mode 100644
index 0e3cddf1..00000000
--- a/roles/vm/host/defaults/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-vm_host_force_download_installer: False
-vm_host_installer_url:
- # debian: "{{ debian_mirror.packages | default('http://deb.debian.org/debian') }}"
- # ubuntu: "{{ ubuntu_mirror | default('http://archive.ubuntu.com/ubuntu') }}"
- debian: "http://deb.debian.org/debian"
- ubuntu: "http://archive.ubuntu.com/ubuntu"
diff --git a/roles/vm/host/handlers/main.yml b/roles/vm/host/handlers/main.yml
index 158f4dcd..6541dd80 100644
--- a/roles/vm/host/handlers/main.yml
+++ b/roles/vm/host/handlers/main.yml
@@ -1,5 +1,5 @@
---
-- name: restart inetd
+- name: restart haveged
service:
- name: openbsd-inetd
+ name: haveged
state: restarted
diff --git a/roles/vm/host/meta/main.yml b/roles/vm/host/meta/main.yml
new file mode 100644
index 00000000..40f6fcb3
--- /dev/null
+++ b/roles/vm/host/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: debian-installer
diff --git a/roles/vm/host/tasks/main.yml b/roles/vm/host/tasks/main.yml
index 248f855c..010fdce4 100644
--- a/roles/vm/host/tasks/main.yml
+++ b/roles/vm/host/tasks/main.yml
@@ -1,53 +1,25 @@
---
-- name: install tftpd and python-libvirt
+- name: install dependencies
apt:
name:
- - atftpd
- - openbsd-inetd
- qemu-kvm
- - libvirt-bin
+ - # configuration package, pulls in libvirt-clients and libvirt-daemon
+ libvirt-daemon-system
- python-libvirt
+ - haveged
state: present
-- name: configure tftpd via inetd
+- name: configure haveged
lineinfile:
- regexp: "^#?({{ vm_host.network.ip }}:)?tftp"
- line: "{{ vm_host.network.ip }}:tftp dgram udp4 wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd --tftpd-timeout 300 --retry-timeout 5 --maxthread 10 --verbose=5 {{ vm_host.installer.preseed_path }}"
- path: /etc/inetd.conf
- notify: restart inetd
+ regexp: "^#?DAEMON_ARGS"
+ line: 'DAEMON_ARGS="-w 3072"'
+ path: /etc/default/haveged
+ notify: restart haveged
- name: make sure installer directories exists
with_items:
- - "{{ vm_host.installer.path }}"
- - "{{ vm_host.installer.preseed_path }}"
+ - "{{ debian_installer_path }}"
+ - "{{ preseed_path }}"
file:
name: "{{ item }}"
state: directory
-
-- name: prepare directories for installer images
- with_subelements:
- - "{{ vm_host.installer.distros }}"
- - arch
- file:
- name: "{{ vm_host.installer.path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}"
- state: directory
-
-- name: download installer kernel images
- with_subelements:
- - "{{ vm_host.installer.distros }}"
- - arch
- get_url:
- url: "{{ vm_host_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/images/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/linux"
- dest: "{{ vm_host.installer.path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/linux"
- mode: 0644
- force: "{{ vm_host_force_download_installer }}"
-
-- name: download installer initrd.gz
- with_subelements:
- - "{{ vm_host.installer.distros }}"
- - arch
- get_url:
- url: "{{ vm_host_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/images/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/initrd.gz"
- dest: "{{ vm_host.installer.path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/initrd.gz"
- mode: 0644
- force: "{{ vm_host_force_download_installer }}"
diff --git a/roles/vm/install/meta/main.yml b/roles/vm/install/meta/main.yml
new file mode 100644
index 00000000..d5f95204
--- /dev/null
+++ b/roles/vm/install/meta/main.yml
@@ -0,0 +1,7 @@
+---
+dependencies:
+ - role: debian-installer
+ distros:
+ - distro: "{{ install_distro }}"
+ codename: "{{ install_codename }}"
+ arch: [ "{{ hostvars[hostname].install_cooked.arch | default('amd64') }}" ]
diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/install/tasks/main.yml
index c4220434..973f44d1 100644
--- a/roles/vm/install/tasks/main.yml
+++ b/roles/vm/install/tasks/main.yml
@@ -1,11 +1,6 @@
---
-- name: generate preseed file
- template:
- src: "preseed_{{ vmdistro }}-{{ vmdistcodename }}.cfg.j2"
- dest: "{{ vm_host.installer.preseed_path }}/vm-{{ vmname }}-{{ vmdistro }}-{{ vmdistcodename }}.cfg"
-
- name: create disks for vm
- with_dict: "{{ hostvars[vmname].vm_install_cooked.disks.virtio | default({}) | combine(hostvars[vmname].vm_install_cooked.disks.scsi | default({})) }}"
+ with_dict: "{{ hostvars[hostname].install_cooked.disks.virtio | default({}) | combine(hostvars[hostname].install_cooked.disks.scsi | default({})) }}"
lvol:
vg: "{{ item.value.vg }}"
lv: "{{ item.value.lv }}"
@@ -13,84 +8,107 @@
- name: check if vm already exists
virt:
- name: "{{ vmname }}"
+ name: "{{ hostname }}"
command: info
register: vmhost_info
-- name: destroy exisiting vm
- virt:
- name: "{{ vmname }}"
- state: destroyed
- when: vmname in vmhost_info
-
-- name: wait for vm to be destroyed
- wait_for_virt:
- name: "{{ vmname }}"
- states: shutdown,crashed
- timeout: 5
- when: vmname in vmhost_info
-
-- name: undefining exisiting vm
- virt:
- name: "{{ vmname }}"
- command: undefine
- when: vmname in vmhost_info
-
-- name: enable installer in VM config
- set_fact:
- run_installer: True
-
-- name: define new installer vm
- virt:
- name: "{{ vmname }}"
- command: define
- xml: "{{ lookup('template', 'libvirt-domain.xml.j2') }}"
-
-- name: start vm
- virt:
- name: "{{ vmname }}"
- state: running
-
-- name: wait for installer to start
- wait_for_virt:
- name: "{{ vmname }}"
- states: running
- timeout: 10
-
-- debug:
- msg: "you can check on the status of the installer running this command 'virsh console {{ vmname }}' on host {{ inventory_hostname }}."
-
-- name: wait for installer to finish or crash
- wait_for_virt:
- name: "{{ vmname }}"
- states: shutdown,crashed
- timeout: 1200
- register: installer_result
- failed_when: installer_result.failed or installer_result.state == "crashed"
-
-- name: undefining installer vm
- virt:
- name: "{{ vmname }}"
- command: undefine
-
-- name: disable installer in VM config
- set_fact:
- run_installer: False
+- block:
+ - name: destroy exisiting vm
+ virt:
+ name: "{{ hostname }}"
+ state: destroyed
+
+ - name: wait for vm to be destroyed
+ wait_for_virt:
+ name: "{{ hostname }}"
+ states: shutdown,crashed
+ timeout: 5
+
+ - name: undefining exisiting vm
+ virt:
+ name: "{{ hostname }}"
+ command: undefine
+
+ when: hostname in vmhost_info
+
+- block:
+ - name: create a temporary workdir
+ command: mktemp -d
+ register: tmpdir
+
+ - import_role:
+ name: preseed
+ vars:
+ ssh_keys_root: "{{ hostvars[hostname].ssh_keys_root }}"
+ install_interface: enp1s1
+ preseed_tmpdir: "{{ tmpdir.stdout }}"
+
+ - name: Make preseed workdir readable by qemu
+ acl:
+ path: "{{ tmpdir.stdout }}"
+ state: present
+ entity: libvirt-qemu
+ etype: user
+ permissions: rx
+
+ - name: define new installer vm
+ virt:
+ name: "{{ hostname }}"
+ command: define
+ xml: "{{ lookup('template', 'libvirt-domain.xml.j2') }}"
+ vars:
+ run_installer: yes
+ preseed_tmpdir: "{{ tmpdir.stdout }}"
+
+ - name: start vm
+ virt:
+ name: "{{ hostname }}"
+ state: running
+
+ - name: wait for installer to start
+ wait_for_virt:
+ name: "{{ hostname }}"
+ states: running
+ timeout: 10
+
+ - debug:
+ msg: "you can check on the status of the installer running this command 'virsh console {{ hostname }}' on host {{ inventory_hostname }}."
+
+ - name: wait for installer to finish or crash
+ wait_for_virt:
+ name: "{{ hostname }}"
+ states: shutdown,crashed
+ timeout: 900
+ register: installer_result
+ failed_when: installer_result.failed or installer_result.state == "crashed"
+
+ - name: undefining installer vm
+ virt:
+ name: "{{ hostname }}"
+ command: undefine
+
+ always:
+ - name: cleanup temporary workdir
+ file:
+ path: "{{ tmpdir.stdout }}"
+ state: absent
- name: define new production vm
virt:
- name: "{{ vmname }}"
+ name: "{{ hostname }}"
command: define
xml: "{{ lookup('template', 'libvirt-domain.xml.j2') }}"
+ vars:
+ run_installer: no
- name: start vm
virt:
- name: "{{ vmname }}"
+ name: "{{ hostname }}"
state: running
- name: mark vm as autostarted
virt:
- name: "{{ vmname }}"
- autostart: "{{ hostvars[vmname].vm_install_cooked.autostart }}"
+ name: "{{ hostname }}"
+ autostart: "{{ hostvars[hostname].install_cooked.autostart }}"
command: info ## virt module needs either command or state
- when: hostvars[vmname].vm_install_cooked.autostart is defined
+ when: hostvars[hostname].install_cooked.autostart is defined
diff --git a/roles/vm/install/templates/libvirt-domain.xml.j2 b/roles/vm/install/templates/libvirt-domain.xml.j2
index 2bf4b57b..f3bdeae1 100644
--- a/roles/vm/install/templates/libvirt-domain.xml.j2
+++ b/roles/vm/install/templates/libvirt-domain.xml.j2
@@ -1,14 +1,14 @@
<domain type='kvm'>
- <name>{{ vmname }}</name>
- <memory>{{ hostvars[vmname].vm_install_cooked.mem * 1024 }}</memory>
- <currentMemory>{{ hostvars[vmname].vm_install_cooked.mem * 1024 }}</currentMemory>
- <vcpu>{{ hostvars[vmname].vm_install_cooked.numcpu }}</vcpu>
+ <name>{{ hostname }}</name>
+ <memory>{{ hostvars[hostname].install_cooked.mem * 1024 }}</memory>
+ <currentMemory>{{ hostvars[hostname].install_cooked.mem * 1024 }}</currentMemory>
+ <vcpu>{{ hostvars[hostname].install_cooked.numcpu }}</vcpu>
<os>
<type arch='x86_64' machine='pc-0.12'>hvm</type>
{% if run_installer %}
- <kernel>{{ vm_host.installer.path }}/{{ vmdistro }}-{{ vmdistcodename }}/{{ hostvars[vmname].vm_install_cooked.arch | default('amd64') }}/linux</kernel>
- <initrd>{{ vm_host.installer.path }}/{{ vmdistro }}-{{ vmdistcodename }}/{{ hostvars[vmname].vm_install_cooked.arch | default('amd64') }}/initrd.gz</initrd>
- <cmdline>console=ttyS0,115200n8 auto=true interface=auto url=tftp://{{ hostvars[inventory_hostname]['ansible_' + (vm_host.installer.net_if | replace('-', '_'))].ipv4.address }}/vm-{{ vmname }}-{{ vmdistro }}-{{ vmdistcodename }}.cfg netcfg/choose_interface=enp1s1 netcfg/disable_autoconfig=true netcfg/get_ipaddress={{ hostvars[vmname].vm_network_cooked.primary.ip }} netcfg/get_netmask={{ hostvars[vmname].vm_network_cooked.primary.mask }} netcfg/get_gateway={{ hostvars[vmname].vm_network_cooked.primary.gateway }} netcfg/get_nameservers="{{ hostvars[vmname].vm_network_cooked.nameservers | join(' ') }}" netcfg/confirm_static=true netcfg/get_hostname={{ vmname }} netcfg/get_domain={{ hostvars[vmname].vm_network_cooked.domain }}</cmdline>
+ <kernel>{{ debian_installer_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[hostname].install_cooked.arch | default('amd64') }}/linux</kernel>
+ <initrd>{{ preseed_tmpdir }}/initrd.preseed.gz</initrd>
+ <cmdline>console=ttyS0,115200n8</cmdline>
{% endif %}
<boot dev='hd'/>
</os>
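Review bot: The installer branch of `<os>` now depends on a `preseed_tmpdir` variable that nothing in this template explains, and the boot line no longer carries any `url=` or `netcfg/` parameters. A short Jinja comment above `<kernel>` would record that contract, for example `{# run_installer requires preseed_tmpdir; the preseed is expected inside initrd.preseed.gz, so no url=/netcfg boot parameters are passed #}`. That the preseed is packed into the initrd is inferred from the file name, since the task that builds it is not part of this hunk. The `<domain>` element continues past the end of the hunk.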
@@ -28,9 +28,15 @@
{% endif %}
<devices>
<emulator>/usr/bin/kvm</emulator>
+ <!-- Provide a virtualized RNG to the guest -->
+ <rng model='virtio'>
+ <!-- Allow consuming up to 10kb/s, measured over 2s -->
+ <rate period="2000" bytes="20480"/>
+ <backend model='random'>/dev/random</backend>
+ </rng>
-{% if 'virtio' in hostvars[vmname].vm_install_cooked.disks %}
-{% for device, lv in hostvars[vmname].vm_install_cooked.disks.virtio.items() %}
+{% if 'virtio' in hostvars[hostname].install_cooked.disks %}
+{% for device, lv in hostvars[hostname].install_cooked.disks.virtio.items() %}
<disk type='block' device='disk'>
<driver name='qemu' type='raw' cache='none' discard='unmap'/>
<source dev='/dev/mapper/{{ lv.vg | replace('-', '--') }}-{{ lv.lv | replace('-', '--') }}'/>
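Review bot: The new `<rng>` device uses `/dev/random` as its backend, which on hosts with a blocking random pool can stall guest reads and lets guests draw down the host's entropy estimate. The `<rate>` limit bounds that but does not remove it. If the libvirt version on the hosts accepts it, `<backend model='random'>/dev/urandom</backend>` avoids the blocking behaviour. The `<rate>` element also uses double-quoted attributes where the rest of the template uses single quotes, so `<rate period='2000' bytes='20480'/>` would match. The `<devices>` element continues past the end of this hunk.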
@@ -39,9 +45,9 @@
{% endfor %}
{% endif %}
-{% if 'scsi' in hostvars[vmname].vm_install_cooked.disks %}
+{% if 'scsi' in hostvars[hostname].install_cooked.disks %}
<controller type='scsi' index='0' model='virtio-scsi'/>
-{% for device, lv in hostvars[vmname].vm_install_cooked.disks.scsi.items() %}
+{% for device, lv in hostvars[hostname].install_cooked.disks.scsi.items() %}
<disk type='block' device='disk'>
<driver name='qemu' type='raw' cache='none' discard='unmap'/>
<source dev='/dev/mapper/{{ lv.vg | replace('-', '--') }}-{{ lv.lv | replace('-', '--') }}'/>
@@ -50,8 +56,8 @@
{% endfor %}
{% endif %}
-{% if hostvars[vmname].vm_install_cooked.interfaces %}
-{% for if in hostvars[vmname].vm_install_cooked.interfaces %}
+{% if hostvars[hostname].install_cooked.interfaces %}
+{% for if in hostvars[hostname].install_cooked.interfaces %}
<interface type='bridge'>
<source bridge='{{ if.bridge }}'/>
<model type='virtio'/>
diff --git a/roles/vm/network/tasks/main.yml b/roles/vm/network/tasks/main.yml
index 3d51fff2..9bef36ed 100644
--- a/roles/vm/network/tasks/main.yml
+++ b/roles/vm/network/tasks/main.yml
@@ -9,7 +9,7 @@
state: absent
- name: install systemd network link units
- with_items: "{{ vm_network.systemd_link.interfaces }}"
+ with_items: "{{ network.systemd_link.interfaces }}"
loop_control:
index_var: interface_index
template:
@@ -17,13 +17,28 @@
dest: "/etc/systemd/network/{{ '%02d' | format(interface_index + 11) }}-{{ item.name }}.link"
notify: rebuild initramfs
- when: vm_network.systemd_link is defined
+ when: network.systemd_link is defined
- name: install basic interface config
template:
src: interfaces.j2
dest: /etc/network/interfaces
mode: 0644
+ when: ansible_distribution == "Debian" or (ansible_distribution == "Ubuntu" and (ansible_distribution_major_version | int) < 18)
+
+- block:
+ - name: remove default netplan config
+ file:
+ path: /etc/netplan/01-netcfg.yaml
+ state: absent
+
+ - name: install basic netplan config
+ template:
+ src: netplan.yaml.j2
+ dest: "/etc/netplan/01-{{ network.primary.interface }}.yaml"
+ mode: 0644
+
+ when: ansible_distribution == "Ubuntu" and (ansible_distribution_major_version | int) >= 18
- name: remove resolvconf package
apt:
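Review bot: The new `install basic netplan config` task sets `mode: 0644` as a bare number, which yields the intended permissions only because the YAML loader reads a leading-zero integer as octal. Writing `mode: "0644"` keeps the value a string and stays correct if the leading zero is ever dropped. The unchanged `install basic interface config` task above has the same form. Separately, a host that is neither Debian nor Ubuntu matches neither `when:` branch and gets no interface configuration, which may be intended. The hunk ends inside the `remove resolvconf package` task.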
diff --git a/roles/vm/network/templates/interfaces.j2 b/roles/vm/network/templates/interfaces.j2
index 542e18d6..829a3e7d 100644
--- a/roles/vm/network/templates/interfaces.j2
+++ b/roles/vm/network/templates/interfaces.j2
@@ -8,10 +8,10 @@ auto lo
iface lo inet loopback
# The primary network interface
-auto {{ vm_network.primary.interface }}
-iface {{ vm_network.primary.interface }} inet static
- address {{ vm_network.primary.ip }}
- netmask {{ vm_network.primary.mask }}
- gateway {{ vm_network.primary.gateway }}
+auto {{ network.primary.interface }}
+iface {{ network.primary.interface }} inet static
+ address {{ network.primary.ip }}
+ netmask {{ network.primary.mask }}
+ gateway {{ network.primary.gateway }}
pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
diff --git a/roles/vm/network/templates/netplan.yaml.j2 b/roles/vm/network/templates/netplan.yaml.j2
new file mode 100644
index 00000000..0d78ab46
--- /dev/null
+++ b/roles/vm/network/templates/netplan.yaml.j2
@@ -0,0 +1,10 @@
+# This file describes the network interfaces available on your system
+# For more information, see netplan(5).
+network:
+ version: 2
+ renderer: networkd
+ ethernets:
+ {{ network.primary.interface }}:
+ addresses: [ {{ (network.primary.ip + '/' + network.primary.mask) | ipaddr('address/prefix') }} ]
+ gateway4: {{ network.primary.gateway }}
+ accept-ra: false
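Review bot: The templated values on the `addresses:` and `gateway4:` lines are emitted unquoted, so an empty or malformed inventory value silently changes the YAML type instead of being caught. As far as I know the `ipaddr` filter returns `False` for input it cannot parse, which would render as `addresses: [ False ]`. Quoting the scalars keeps them strings: `addresses: [ "{{ (network.primary.ip + '/' + network.primary.mask) | ipaddr('address/prefix') }}" ]` and `gateway4: "{{ network.primary.gateway }}"`. A bad value would still reach netplan, so an `assert` on `network.primary` in the role's tasks before this template is written would fail the play earlier and with a clearer message.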
diff --git a/roles/vm/network/templates/resolv.conf.j2 b/roles/vm/network/templates/resolv.conf.j2
index 86d4201e..a32ec181 100644
--- a/roles/vm/network/templates/resolv.conf.j2
+++ b/roles/vm/network/templates/resolv.conf.j2
@@ -1,4 +1,4 @@
-{% for nsrv in vm_network.nameservers %}
+{% for nsrv in network.nameservers %}
nameserver {{ nsrv }}
{% endfor %}
-search {{ vm_network.domain }}
+search {{ network.domain }}