42 files changed, 327 insertions, 166 deletions
diff --git a/chaos-at-home/ch-ap.yml b/chaos-at-home/ch-ap.yml index 1d3c8903..5dcb5ea2 100644 --- a/chaos-at-home/ch-ap.yml +++ b/chaos-at-home/ch-ap.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: chaos-at-home-ap connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/chaos-at-home/ch-atlas.yml b/chaos-at-home/ch-atlas.yml index 887d6be3..34fa1141 100644 --- a/chaos-at-home/ch-atlas.yml +++ b/chaos-at-home/ch-atlas.yml @@ -5,4 +5,7 @@ - role: core/sshd - role: core/zsh - role: vm/host - - role: installer/debian/base + ## gpg on this host is too old to open the keyrings. + ## to work around this problem the files have been manually converted + ## applying the role would break this again!! + # - role: installer/debian/base diff --git a/chaos-at-home/ch-router.yml b/chaos-at-home/ch-router.yml index f61feb15..6543ce8c 100644 --- a/chaos-at-home/ch-router.yml +++ b/chaos-at-home/ch-router.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ch-router connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/chaos-at-home/mz-ap.yml b/chaos-at-home/mz-ap.yml index ccae1763..869f051d 100644 --- a/chaos-at-home/mz-ap.yml +++ b/chaos-at-home/mz-ap.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: mz-ap connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/chaos-at-home/mz-router.yml b/chaos-at-home/mz-router.yml index 301da764..94646991 100644 --- a/chaos-at-home/mz-router.yml +++ b/chaos-at-home/mz-router.yml @@ -2,6 +2,8 @@ - name: Basic Setup hosts: mz-router connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/common/usb-install.yml b/common/usb-install.yml index 27633c15..1776f75b 100644 --- a/common/usb-install.yml +++ b/common/usb-install.yml 
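Review bot: Commenting out `installer/debian/base` for ch-atlas leaves the keyrings under that host's installer directory as hand-converted files that no role manages, so the copies in files/common/keyrings can drift from what gpg on that host actually verifies against, and a keyring update committed here would silently never reach it. The comment says why the role was disabled but not how the files were converted, so the next person cannot reproduce the workaround; it should at least record the step, e.g. `## converted with: <COMMAND-USED-FOR-CONVERSION> (gpg <VERSION-ON-HOST>)` with real values filled in. Better still, keep the role and set `installer_keyrings_path` for this host to a directory holding the converted files, so the exception lives in inventory rather than in a commented-out role line.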
@@ -11,7 +11,8 @@ roles: - role: installer/debian/usb - installer_path: "{{ global_cache_dir }}/debian-installer" + installer_base_path: "{{ global_cache_dir }}/debian-installer" + installer_keyrings_path: "{{ global_files_dir }}/common/keyrings" post_tasks: - name: Make the USB disk bootable diff --git a/dan/ele-ap.yml b/dan/ele-ap.yml index 42c00522..1bccdc57 100644 --- a/dan/ele-ap.yml +++ b/dan/ele-ap.yml @@ -2,6 +2,8 @@ - name: Basic Setup hosts: ele-ap connection: local + gather_facts: no + roles: - role: openwrt/image # post_tasks: diff --git a/dan/ele-dolmetsch-ctl.yml b/dan/ele-dolmetsch-ctl.yml index 717def3f..c9d47ea8 100644 --- a/dan/ele-dolmetsch-ctl.yml +++ b/dan/ele-dolmetsch-ctl.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ele-dolmetsch-ctl connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-orpheum.yml b/dan/ele-orpheum.yml index 97b77edb..140d4fef 100644 --- a/dan/ele-orpheum.yml +++ b/dan/ele-orpheum.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ele-orpheum connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-router.yml b/dan/ele-router.yml index 098b82b3..ebb8f8bd 100644 --- a/dan/ele-router.yml +++ b/dan/ele-router.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ele-router connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-tub.yml b/dan/ele-tub.yml index c8bbe912..01668916 100644 --- a/dan/ele-tub.yml +++ b/dan/ele-tub.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ele-tub connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-ups.yml b/dan/ele-ups.yml index fa780eaf..de4efce7 100644 --- a/dan/ele-ups.yml +++ b/dan/ele-ups.yml @@ -2,6 +2,8 @@ - name: Basic Setup hosts: ele-ups connection: local + gather_facts: no + roles: - role: openwrt/image # post_tasks: 
diff --git a/files/common/keyrings/debian-buster.gpg b/files/common/keyrings/debian-buster.gpg Binary files differnew file mode 100644 index 00000000..9abf7837 --- /dev/null +++ b/files/common/keyrings/debian-buster.gpg diff --git a/files/common/keyrings/debian-stretch.gpg b/files/common/keyrings/debian-stretch.gpg Binary files differnew file mode 100644 index 00000000..77016799 --- /dev/null +++ b/files/common/keyrings/debian-stretch.gpg diff --git a/roles/openwrt/image/openwrt-keyring.gpg b/files/common/keyrings/openwrt.gpg Binary files differindex 7dc3d397..7dc3d397 100644 --- a/roles/openwrt/image/openwrt-keyring.gpg +++ b/files/common/keyrings/openwrt.gpg diff --git a/files/common/keyrings/ubuntu-archive.gpg b/files/common/keyrings/ubuntu-archive.gpg Binary files differnew file mode 100644 index 00000000..9ad1e96e --- /dev/null +++ b/files/common/keyrings/ubuntu-archive.gpg diff --git a/inventory/group_vars/kvmhosts/main.yml b/inventory/group_vars/kvmhosts/main.yml index 917b41eb..36a5be1d 100644 --- a/inventory/group_vars/kvmhosts/main.yml +++ b/inventory/group_vars/kvmhosts/main.yml @@ -1,2 +1,2 @@ --- -installer_path: /srv/installer +installer_base_path: /srv/installer diff --git a/roles/installer/debian/base/defaults/main.yml b/roles/installer/debian/base/defaults/main.yml deleted file mode 100644 index fe6d880d..00000000 --- a/roles/installer/debian/base/defaults/main.yml +++ /dev/null @@ -1,28 +0,0 @@ -debian_installer_distros: - - distro: debian - codename: stretch - arch: - - amd64 - - i386 - - distro: debian - codename: buster - arch: - - amd64 - - i386 - - - distro: ubuntu - codename: bionic - arch: - - amd64 - - i386 - - distro: ubuntu - codename: focal - arch: - - amd64 - -debian_installer_force_download: no -debian_installer_url: -# debian: "https://debian.ffgraz.net/debian" -# ubuntu: "https://debian.ffgraz.net/ubuntu" - debian: "http://deb.debian.org/debian" - ubuntu: "http://archive.ubuntu.com/ubuntu" 
diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml
index f7841572..119b3670 100644
--- a/roles/installer/debian/base/tasks/main.yml
+++ b/roles/installer/debian/base/tasks/main.yml
@@ -1,31 +1,18 @@ -- name: prepare directories for installer images - loop: "{{ debian_installer_distros | subelements('arch') }}" - loop_control: - label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}" +--- +- name: prepare directory keyrings file: - name: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}" + name: "{{ installer_base_path }}/keyrings" state: directory -- name: download installer kernel images - loop: "{{ debian_installer_distros | subelements('arch') }}" - loop_control: - label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}" - get_url: - url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/linux" - dest: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/linux" - mode: 0644 - force: "{{ debian_installer_force_download }}" - -- name: download installer initrd.gz - loop: "{{ debian_installer_distros | subelements('arch') }}" +- name: copy debian keyring files + loop: "{{ lookup('fileglob', global_files_dir+'/common/keyrings/debian-*.gpg', wantlist=True) }}" loop_control: - label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}" - get_url: - url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/initrd.gz" - dest: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/initrd.gz" - mode: 0644 - force: "{{ debian_installer_force_download }}" + label: "{{ item | basename }}" + copy: + src: "{{ item }}" + dest: "{{ installer_base_path }}/keyrings/{{ item | basename }}" -## TODO verfiy downloaded files using: -## "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/InRelease -## "{{ 
debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/SHA256SUMS +- name: copy ubuntu keyring file + copy: + src: "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg" + dest: "{{ installer_base_path }}/keyrings/ubuntu-archive.gpg" diff --git a/roles/installer/debian/fetch/defaults/main.yml b/roles/installer/debian/fetch/defaults/main.yml new file mode 100644 index 00000000..eebc59bf --- /dev/null +++ b/roles/installer/debian/fetch/defaults/main.yml @@ -0,0 +1,12 @@ +--- +# debian_installer_distro: debian +# debian_installer_codename: buster +debian_installer_arch: amd64 +# debian_installer_variant: netboot + +debian_installer_force_download: no +debian_installer_url: +# debian: "https://debian.ffgraz.net/debian" +# ubuntu: "https://debian.ffgraz.net/ubuntu" + debian: "http://deb.debian.org/debian" + ubuntu: "http://archive.ubuntu.com/ubuntu" diff --git a/roles/installer/debian/base/filter_plugins/main.py b/roles/installer/debian/fetch/filter_plugins/main.py index 298e7efd..298e7efd 100644 --- a/roles/installer/debian/base/filter_plugins/main.py +++ b/roles/installer/debian/fetch/filter_plugins/main.py diff --git a/roles/installer/debian/fetch/tasks/main.yml b/roles/installer/debian/fetch/tasks/main.yml new file mode 100644 index 00000000..dc87655f --- /dev/null +++ b/roles/installer/debian/fetch/tasks/main.yml 
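Review bot: `debian_installer_url` keeps both mirrors on plain http, and nothing in the defaults says that integrity comes from the signature check in verify-debian.yml/verify-ubuntu.yml rather than from the transport, so a later edit could relax or skip the gpg task without noticing that the downloads then become unauthenticated. Add a comment above `debian_installer_url:` such as `# plain http is acceptable only because verify-*.yml checks the Release/SHA256SUMS signature before any checksum is trusted`. The https mirrors are already present commented out; preferring them costs nothing and reduces what an on-path observer learns. Minor: `debian_installer_force_download: no` is a YAML 1.1 truthy value; `false` is the unambiguous spelling.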
@@ -0,0 +1,35 @@ +--- +- name: prepare directories for installer files + file: + name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" + state: directory + +- name: download and verify installer files + block: + - name: fetch and verify installer checksums + include_tasks: "verify-{{ install_distro }}.yml" + + - name: download installer kernel image + get_url: + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" + checksum: "{{ debian_installer_kernel_checksum }}" + force: "{{ debian_installer_force_download }}" + mode: 0644 + + - name: download installer initrd.gz + get_url: + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" + checksum: "{{ debian_installer_initrd_checksum }}" + force: "{{ debian_installer_force_download }}" + mode: 0644 + + rescue: + - name: remove all downloaded files + file: + name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" + state: absent + + - fail: + msg: "download/verification of installer files failed" diff --git a/roles/installer/debian/fetch/tasks/verify-debian.yml b/roles/installer/debian/fetch/tasks/verify-debian.yml new file mode 100644 index 00000000..6846451d --- /dev/null +++ b/roles/installer/debian/fetch/tasks/verify-debian.yml 
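Review bot: `include_tasks: "verify-{{ install_distro }}.yml"` picks the verification file from the playbook-level `install_distro` instead of the role's own input `debian_installer_distro`, and verify-debian.yml has the same leak in the keyring path `debian-{{ install_codename }}.gpg`. Both callers in this commit happen to set the role vars from exactly those playbook vars, so it works today, but invoking the role with a different distro or codename would run the wrong verifier or check the Debian signature against the wrong keyring. Use `include_tasks: "verify-{{ debian_installer_distro }}.yml"` here and `/debian-{{ debian_installer_codename }}.gpg` in verify-debian.yml. Minor: `mode: 0644` is an unquoted octal literal that YAML 1.1 parsers hand to Ansible as the integer 420; it is tolerated, but `mode: "0644"` states what is meant.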
@@ -0,0 +1,46 @@ +--- +- name: download Release and Signature file + loop: + - Release + - Release.gpg + get_url: + url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" + +- name: verfiy signature of Release file + command: >- + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/debian-{{ install_codename }}.gpg" + --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg" + "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" + changed_when: False + register: debian_installer_gpg_result + +- debug: + var: debian_installer_gpg_result.stderr_lines + +- name: extract checksum file hash from Release file + command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" + changed_when: false + register: debian_installer_inrelease_sha256 + +- name: download SHA256SUMS + get_url: + url: "{{ debian_installer_base_url }}/SHA256SUMS" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}" + +- name: extract kernel image hash from SHA256SUMS + command: grep -E 
"^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/fetch/tasks/verify-ubuntu.yml b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml new file mode 100644 index 00000000..e7cff3ae --- /dev/null +++ b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml 
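Review bot: The `Release`/`Release.gpg` download at the top of the hunk has neither `force` nor `checksum`, so after the first run get_url leaves the cached copies in place indefinitely and `debian_installer_force_download` never reaches them; the role then keeps pinning whatever SHA256SUMS hash that old Release carried. The same applies to `SHA256SUMS`/`SHA256SUMS.gpg` in verify-ubuntu.yml. These files are small, so `force: true` on those two tasks keeps the signed metadata current while the large kernel/initrd downloads stay checksum-gated. Separately, if the keyring lacks one of the keys that signed Release.gpg, gpg prints `No public key` for that signature and, on the versions I have seen, exits non-zero even when another signature is good; the `debug` of `stderr_lines` will show it, but a comment on the `--keyring` line saying the keyring must carry every key that signs that codename's Release would save the next debugging round.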
@@ -0,0 +1,35 @@ +--- +- name: download SHA256SUMS and signature file + loop: + - SHA256SUMS + - SHA256SUMS.gpg + get_url: + url: "{{ debian_installer_base_url }}/{{ item }}" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" + +- name: verfiy signature of SHA256SUMS.gpg file + command: >- + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/ubuntu-archive.gpg" + --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg" + "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: False + register: debian_installer_gpg_result + +- debug: + var: debian_installer_gpg_result.stderr_lines + +- name: extract kernel image hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first 
}}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/fetch/vars/main.yml b/roles/installer/debian/fetch/vars/main.yml new file mode 100644 index 00000000..404b571a --- /dev/null +++ b/roles/installer/debian/fetch/vars/main.yml @@ -0,0 +1,13 @@ +--- +debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}" + +_debian_installer_variant_path_: + netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}" + hd-media: "hd-media" + +_debian_installer_variant_kernel_image_name_: + netboot: "linux" + hd-media: "vmlinuz" + +debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}" +debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}" diff --git a/roles/installer/debian/preseed/defaults/main.yml b/roles/installer/debian/preseed/defaults/main.yml index cfdef902..b5aad35c 100644 --- a/roles/installer/debian/preseed/defaults/main.yml +++ b/roles/installer/debian/preseed/defaults/main.yml @@ -1,7 +1,8 @@ --- -#preseed_tmpdir: +# preseed_orig_initrd +# preseed_tmpdir: -#preseed_force_net_ifnames_policy: path +# preseed_force_net_ifnames_policy: path preseed_no_netplan: no preseed_virtual_machine: no diff --git a/roles/installer/debian/preseed/tasks/main.yml b/roles/installer/debian/preseed/tasks/main.yml index 2934ca1b..2d229aa8 100644 --- a/roles/installer/debian/preseed/tasks/main.yml +++ b/roles/installer/debian/preseed/tasks/main.yml 
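Review bot: The three tasks from `extract kernel image hash from SHA256SUMS` to `set checksum variables` are byte-for-byte the same as in verify-debian.yml, so any fix to the grep pattern or to the `sha256:` assembly has to be made twice. Moving them into one shared task file (e.g. `extract-checksums.yml`, constructed name) included from main.yml right after `include_tasks: "verify-{{ install_distro }}.yml"` leaves each verify-*.yml holding only its distro-specific signature step. Minor: `[0-9a-z]{64}` also accepts non-hex letters; `[0-9a-f]{64}` matches exactly what a SHA-256 line can contain.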
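Review bot: `debian_installer_variant_kernal_image_name` is misspelled while the private map it reads from is `_debian_installer_variant_kernel_image_name_`, and the misspelling is now part of the role's interface because fetch/tasks/main.yml and both verify-*.yml files reference it. It works since every use is consistent, but the two spellings side by side in one file invite an undefined-variable failure the first time someone types the correct one. Rename it to `debian_installer_variant_kernel_image_name` in the four files touched by this commit while the role is new and has no external users.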
@@ -2,8 +2,8 @@ - name: Copy initramfs into position copy: remote_src: yes - src: "{{ installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/initrd.gz" - dest: "{{ preseed_tmpdir }}/initrd.preseed.gz" + src: "{{ preseed_orig_initrd }}" + dest: "{{ preseed_tmpdir }}/initrd.{{ install_hostname }}.gz" - name: Generate preseed file template: @@ -42,7 +42,7 @@ NamePolicy={{ preseed_force_net_ifnames_policy }} - name: Inject files into initramfs - shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz' + shell: cpio -H newc -o | gzip -9 >> 'initrd.{{ install_hostname }}.gz' args: chdir: "{{ preseed_tmpdir }}" stdin: | diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml index 8d2df387..44f793e9 100644 --- a/roles/installer/debian/usb/tasks/main.yml +++ b/roles/installer/debian/usb/tasks/main.yml @@ -12,13 +12,12 @@ - block: - name: download installer vars: - debian_installer_distros: - - distro: "{{ install_distro }}" - codename: "{{ install_codename }}" - arch: - - "{{ install.arch | default('amd64') }}" + debian_installer_distro: "{{ install_distro }}" + debian_installer_codename: "{{ install_codename }}" + debian_installer_arch: "{{ install.arch | default('amd64') }}" + debian_installer_variant: netboot import_role: - role: installer/debian/base + role: installer/debian/fetch - name: Create temporary workdir tempfile: 
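Review bot: The old `src` went through `installer_path | mandatory`, but the new `src: "{{ preseed_orig_initrd }}"` drops that guard while defaults/main.yml only lists `# preseed_orig_initrd` commented out, so a caller that forgets the input gets a generic undefined-variable error from the copy task instead of a message naming the required variable. Keep the pattern the hunk replaced: `src: "{{ preseed_orig_initrd | mandatory }}"`. The same applies to `image: "{{ obsd_autoinstall_orig_iso }}"` in roles/installer/openbsd/autoinstall/tasks/main.yml, where `obsd_autoinstall_orig_iso` is likewise only a commented default.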
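Review bot: `shell: cpio -H newc -o | gzip -9 >> 'initrd.{{ install_hostname }}.gz'` now splices a host name into a shell command line where the old fixed `initrd.preseed.gz` did not, so an inventory name containing a quote or whitespace would break the redirection target rather than fail cleanly. Inventory names are under the operator's control, so this is robustness rather than exposure, but `>> {{ ('initrd.' ~ install_hostname ~ '.gz') | quote }}` lets Ansible do the quoting. The same applies to `genisoimage ... -o "{{ install_hostname }}.iso"` in roles/installer/openbsd/autoinstall/tasks/main.yml.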
@@ -33,18 +32,19 @@ - name: Copy the preseed initramfs to the usb drive copy: - src: "{{ tmpdir.path }}/initrd.preseed.gz" + src: "{{ tmpdir.path }}/initrd.{{ install_hostname }}.gz" dest: "{{ usb_install_path }}/initrd.{{ install_hostname }}.gz" always: - name: Cleanup temporary workdir + when: tmpdir.path is defined file: path: "{{ tmpdir.path }}" state: absent - name: Copy linux kernel image to the USB drive copy: - src: "{{ global_cache_dir }}/debian-installer/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}/linux" + src: "{{ global_cache_dir }}/debian-installer/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}-{{ debian_installer_variant }}/linux" dest: "{{ usb_install_path }}/" - name: Generate syslinux configuration for BIOS boot diff --git a/roles/installer/openbsd/autoinstall/defaults/main.yml b/roles/installer/openbsd/autoinstall/defaults/main.yml index 27f7221a..b166c191 100644 --- a/roles/installer/openbsd/autoinstall/defaults/main.yml +++ b/roles/installer/openbsd/autoinstall/defaults/main.yml @@ -1,10 +1,7 @@ --- +# obsd_autoinstall_orig_iso: # obsd_autoinstall_tmpdir: -obsd_autoinstall_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}" -obsd_autoinstall_version: "{{ install_codename }}" -obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}" - # obsd_autoinstall_serial_device: com0 # obsd_autoinstall_serial_baudrate: 115200 diff --git a/roles/installer/openbsd/autoinstall/tasks/main.yml b/roles/installer/openbsd/autoinstall/tasks/main.yml index b8e88b53..fc5f6194 100644 --- a/roles/installer/openbsd/autoinstall/tasks/main.yml +++ b/roles/installer/openbsd/autoinstall/tasks/main.yml 
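Review bot: The kernel `src` in `Copy linux kernel image to the USB drive` rebuilds the cache path from `global_cache_dir`/debian-installer by hand although the playbook already passes the same location as `installer_base_path`, and it reads `debian_installer_variant`, which the hunk above sets only as task-level `vars:` on the `import_role` task; whether that value is still visible here depends on how Ansible scopes vars on an imported role, so it may come up undefined. Using `src: "{{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}-netboot/linux"` keeps one source of truth for the cache location and matches the `-netboot` literal that roles/vm/define/templates/libvirt-domain.xml.j2 uses for the same path.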
@@ -29,7 +29,7 @@ - "INSTALL.{{ obsd_autoinstall_arch }}" - "{{ obsd_autoinstall_file_sets | product([obsd_autoinstall_version_short+'.tgz']) | map('join') | list }}" iso_extract: - image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso" + image: "{{ obsd_autoinstall_orig_iso }}" dest: "{{ obsd_autoinstall_tmpdir }}/files" files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(installer_files | flatten) | map('join') | list }}" @@ -45,7 +45,7 @@ dest: "{{ obsd_autoinstall_tmpdir }}/files/site{{ obsd_autoinstall_version_short }}.tgz" - name: generate host specific installer image - command: 'genisoimage -RTLldDN -o "install.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/' + command: 'genisoimage -RTLldDN -o "{{ install_hostname }}.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/' args: chdir: "{{ obsd_autoinstall_tmpdir }}/" diff --git a/roles/installer/openbsd/autoinstall/vars/main.yml b/roles/installer/openbsd/autoinstall/vars/main.yml new file mode 100644 index 00000000..c20909d1 --- /dev/null +++ b/roles/installer/openbsd/autoinstall/vars/main.yml @@ -0,0 +1,2 @@ +--- +obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}" diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml deleted file mode 100644 index 10e9c840..00000000 --- a/roles/installer/openbsd/base/defaults/main.yml +++ /dev/null @@ -1,13 +0,0 @@ -openbsd_versions: - - version: 6.7 - arch: - - amd64 - - i386 - -openbsd_signing_keys: - 6.7: | - untrusted comment: openbsd 6.7 base public key - RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj - -openbsd_installer_force_download: no -openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD" diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml index 2d6e905e..412f3680 100644 
--- a/roles/installer/openbsd/base/tasks/main.yml
+++ b/roles/installer/openbsd/base/tasks/main.yml
@@ -5,48 +5,3 @@ - genisoimage - signify-openbsd state: present - -- name: prepare directories for installer iso files - loop: "{{ openbsd_versions | subelements('arch') }}" - loop_control: - label: "openbsd-{{ item.0.version }} {{ item.1 }}" - file: - name: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}" - state: directory - -- name: download installer iso files - loop: "{{ openbsd_versions | subelements('arch') }}" - loop_control: - label: "openbsd-{{ item.0.version }} {{ item.1 }}" - get_url: - url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso" - dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - -- name: download signed sha256 files - loop: "{{ openbsd_versions | subelements('arch') }}" - loop_control: - label: "openbsd-{{ item.0.version }} {{ item.1 }}" - get_url: - url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/SHA256.sig" - dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/SHA256.sig" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - -- name: create signing key files - loop: "{{ openbsd_versions }}" - loop_control: - label: "openbsd-{{ item.version }}" - copy: - content: "{{ openbsd_signing_keys[item.version] }}" - dest: "{{ installer_path }}/openbsd-{{ item.version }}/openbsd-{{ item.version | replace('.', '') }}-base.pub" - -- name: verfiy downloaded iso files - loop: "{{ openbsd_versions | subelements('arch') }}" - loop_control: - label: "openbsd-{{ item.0.version }} {{ item.1 }}" - command: "signify-openbsd -Cp ../openbsd-{{ item.0.version | replace('.', '') }}-base.pub -x SHA256.sig install{{ item.0.version | replace('.', '') }}.iso" - args: - chdir: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}" - changed_when: false 
diff --git a/roles/installer/openbsd/fetch/defaults/main.yml b/roles/installer/openbsd/fetch/defaults/main.yml new file mode 100644 index 00000000..eeeaf2d0 --- /dev/null +++ b/roles/installer/openbsd/fetch/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# openbsd_installer_version: 6.7 +openbsd_installer_arch: amd64 + +openbsd_installer_force_download: no +openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD" diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml new file mode 100644 index 00000000..97e8fb57 --- /dev/null +++ b/roles/installer/openbsd/fetch/tasks/main.yml 
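Review bot: The commented example `# openbsd_installer_version: 6.7` would, if uncommented, yield a float, while roles/installer/openbsd/fetch/vars/main.yml keys `openbsd_installer_signing_keys` by the string `"6.7"`, so the lookup `openbsd_installer_signing_keys[openbsd_installer_version]` in tasks/main.yml would miss. The caller in this commit passes `"{{ install_codename }}"`, which is a string, so it works there, but the example should show the safe form: `# openbsd_installer_version: "6.7"`. Minor: `openbsd_installer_force_download: no` is a YAML 1.1 truthy; `false` is unambiguous.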
@@ -0,0 +1,51 @@ +--- +- name: prepare directories for installer iso files + file: + name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" + state: directory + +- name: download signed sha256 and buildinfo files + loop: + - SHA256.sig + - BUILDINFO + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}" + force: "{{ openbsd_installer_force_download }}" + mode: 0644 + +- name: create signing key files + copy: + content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub" + +## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without +## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead. +## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding +## hundreds of megabytes is not fun. +## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO) +## to verfiy the signature. +## This process should speed up the installation quite a bit and make the overall image download process more solid. 
+ +- name: verify downloaded files + command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO" + args: + chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" + changed_when: false + register: openbsd_installer_signify_result + +- debug: + var: openbsd_installer_signify_result.stdout_lines + +- name: extract sha256 hash for iso file + command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + changed_when: false + register: openbsd_installer_sha256sum + +- name: download installer iso file + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}" + force: "{{ openbsd_installer_force_download }}" + mode: 0644 diff --git a/roles/installer/openbsd/fetch/vars/main.yml b/roles/installer/openbsd/fetch/vars/main.yml new file mode 100644 index 00000000..dad9f064 --- /dev/null +++ b/roles/installer/openbsd/fetch/vars/main.yml @@ -0,0 +1,7 @@ +--- +openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}" + +openbsd_installer_signing_keys: + "6.7": | + untrusted comment: openbsd 6.7 base public key + RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj diff --git a/roles/openwrt/image/tasks/fetch.yml b/roles/openwrt/image/tasks/fetch.yml index 05d2ad6e..e68e2da5 100644 --- a/roles/openwrt/image/tasks/fetch.yml +++ b/roles/openwrt/image/tasks/fetch.yml 
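Review bot: When `verify downloaded files` fails, the unverified `SHA256.sig`/`BUILDINFO` stay in the cache directory, and because the two get_url tasks only re-download when `openbsd_installer_force_download` is set, every later run re-checks the same bad files and fails again until someone deletes them by hand. roles/installer/debian/fetch/tasks/main.yml in this same commit wraps download and verification in a `block:` with a `rescue:` that removes the directory and then fails; the same shape here makes the role recover on its own. The explanatory comment is good — it would read better with `verfiy` and `re-downlaoding` corrected and with one sentence noting that the `grep` on `SHA256.sig` below is only safe because signify has already authenticated that file.
```yaml
- name: download and verify installer files
  block:
    # … unchanged: SHA256.sig/BUILDINFO download, signing key file, signify check, hash extraction, iso download …
  rescue:
    - name: remove all downloaded files
      file:
        name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
        state: absent

    - fail:
        msg: "download/verification of installer files failed"
```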
@@ -22,11 +22,14 @@ - name: Check OpenPGP signature command: >- - gpg --no-options --no-default-keyring --secret-keyring /dev/null - --verify --keyring "{{ role_path }}/openwrt-keyring.gpg" - --trust-model always + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --verify --keyring "{{ global_files_dir }}/common/keyrings/openwrt.gpg" "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" changed_when: False + register: openwrt_image_gpg_result + + - debug: + var: openwrt_image_gpg_result.stderr_lines - name: Extract SHA256 hash of the imagebuilder archive command: grep '{{ openwrt_tarball_name }}' "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256" diff --git a/roles/vm/define/templates/libvirt-domain.xml.j2 b/roles/vm/define/templates/libvirt-domain.xml.j2 index c4c9e52a..ba0dcd5a 100644 --- a/roles/vm/define/templates/libvirt-domain.xml.j2 +++ b/roles/vm/define/templates/libvirt-domain.xml.j2 @@ -7,8 +7,8 @@ <type arch='x86_64' machine='pc-0.12'>hvm</type> {% if vm_define_installer %} {% if install_distro == 'debian' or install_distro == 'ubuntu' %} - <kernel>{{ installer_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/linux</kernel> - <initrd>{{ preseed_tmpdir }}/initrd.preseed.gz</initrd> + <kernel>{{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-netboot/linux</kernel> + <initrd>{{ installer_tmpdir }}/initrd.{{ install_hostname }}.gz</initrd> <cmdline>console=ttyS0,115200n8 DEBCONF_DEBUG=5</cmdline> <boot dev='hd'/> {% elif install_distro == 'openbsd' %} 
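Review bot: `<initrd>{{ installer_tmpdir }}/initrd.{{ install_hostname }}.gz</initrd>` introduces `installer_tmpdir`, which nothing else in this commit defines; the two new task files under roles/vm/install/tasks use `tmpdir.path` for the same directory. If `installer_tmpdir` is set in roles/vm/install/tasks/main.yml outside the shown hunk this is fine, otherwise the template renders an undefined variable on the first Debian/Ubuntu VM install. Either way the `-netboot` suffix is now hard-coded here, in installer-debian.yml and in the usb role; a short comment `{# must match debian_installer_variant as used by installer/debian/fetch #}` on the `<kernel>` line would tie the three together.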
@@ -44,7 +44,7 @@
 {% if vm_define_installer and install_distro == 'openbsd' %}
     <disk type='file' device='cdrom'>
       <driver name='qemu'/>
-      <source file='{{ obsd_autoinstall_tmpdir }}/install.iso'/>
+      <source file='{{ installer_tmpdir }}/{{ install_hostname }}.iso'/>
       <target dev='hdc' bus='ide'/>
       <readonly/>
     </disk>
diff --git a/roles/vm/host/tasks/main.yml b/roles/vm/host/tasks/main.yml
index 390016a2..4c29970d 100644
--- a/roles/vm/host/tasks/main.yml
+++ b/roles/vm/host/tasks/main.yml
@@ -43,11 +43,11 @@
 - name: mount filesytem
   mount:
     src: "/dev/mapper/{{ installer_lvm.vg | replace('-', '--') }}-{{ installer_lvm.lv | replace('-', '--') }}"
-    path: "{{ installer_path }}"
+    path: "{{ installer_base_path }}"
     fstype: "{{ installer_lvm.fs }}"
     state: mounted
 
 - name: make sure installer directory exists
   file:
-    name: "{{ installer_path }}"
+    name: "{{ installer_base_path }}"
     state: directory
diff --git a/roles/vm/install/tasks/installer-debian.yml b/roles/vm/install/tasks/installer-debian.yml
new file mode 100644
index 00000000..e0492969
--- /dev/null
+++ b/roles/vm/install/tasks/installer-debian.yml
@@ -0,0 +1,21 @@
+---
+- name: fetch debian installer files
+  vars:
+    debian_installer_distro: "{{ install_distro }}"
+    debian_installer_codename: "{{ install_codename }}"
+    debian_installer_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
+    debian_installer_variant: netboot
+  import_role:
+    name: installer/debian/fetch
+
+- name: generate host specific initial ramdisk
+  vars:
+    ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
+    preseed_orig_initrd: "{{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-netboot/initrd.gz"
+    preseed_tmpdir: "{{ tmpdir.path }}"
+    preseed_virtual_machine: yes
+    preseed_force_net_ifnames_policy: path
+    preseed_no_netplan: yes
+    install_interface: enp1s1
+  import_role:
+    name: installer/debian/preseed
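Review bot: This new tasks file is not self-contained — it reads `tmpdir` (registered by the caller in roles/vm/install/tasks/main.yml), `install_hostname`, `install_distro`, `install_codename` and `installer_base_path` without declaring any of them — so a header comment after `---` is needed, e.g. `# included from vm/install/tasks/main.yml; expects tmpdir (registered), install_hostname, install_distro, install_codename and installer_base_path to be set by the caller`. The same applies to the sibling installer-openbsd.yml. `preseed_virtual_machine: yes` and `preseed_no_netplan: yes` use the YAML 1.1 boolean spelling; write `true` so yamllint's truthy rule and a YAML 1.2 parser read them the same way. `hostvars[install_hostname].install_cooked.arch | default('amd64')` is repeated in both tasks here, in the openbsd file and in the libvirt template; computing it once (a `set_fact` in the caller) would remove four copies of the same default.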
diff --git a/roles/vm/install/tasks/installer-openbsd.yml b/roles/vm/install/tasks/installer-openbsd.yml
new file mode 100644
index 00000000..afa17c45
--- /dev/null
+++ b/roles/vm/install/tasks/installer-openbsd.yml
@@ -0,0 +1,19 @@
+---
+- name: fetch openbsd installer files
+  vars:
+    openbsd_installer_version: "{{ install_codename }}"
+    openbsd_installer_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
+  import_role:
+    name: installer/openbsd/fetch
+
+- name: generate host specific autoinstall iso
+  vars:
+    ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
+    obsd_autoinstall_orig_iso: "{{ installer_base_path }}/openbsd-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/install{{ openbsd_installer_version_short }}.iso"
+    obsd_autoinstall_tmpdir: "{{ tmpdir.path }}"
+    obsd_autoinstall_version: "{{ install_codename }}"
+    obsd_autoinstall_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
+    obsd_autoinstall_serial_device: com0
+    install_interface: vio0
+  import_role:
+    name: installer/openbsd/autoinstall
diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/install/tasks/main.yml
index 6b8f9ca7..a4511459 100644
--- a/roles/vm/install/tasks/main.yml
+++ b/roles/vm/install/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: create lvm-based disks for vm
-  loop: "{{ hostvars[install_hostname].install_cooked.disks.virtio | default({}) | combine(hostvars[install_hostname].install_cooked.disks.scsi | default({})) | dict2items | selectattr('value.type', 'eq', 'lvm') | list }}"
+  loop: "{{ hostvars[install_hostname].install_cooked.disks.virtio | default({}) | combine(hostvars[install_hostname].install_cooked.disks.scsi | default({})) | dict2items | selectattr('value.type', 'eq', 'lvm') | list }}"
   loop_control:
     label: "{{ item.value.vg }} / {{ item.value.lv }} ({{ item.value.size }})"
   lvol:
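Review bot: `obsd_autoinstall_orig_iso` uses `openbsd_installer_version_short`, which is defined only in roles/installer/openbsd/fetch/vars/main.yml and appears to reach this task solely because `import_role` exposes the imported role's vars to the rest of the play; that is an implicit coupling that breaks silently if the role var is renamed or the import becomes `include_role`. Derive the value locally instead: replace `{{ openbsd_installer_version_short }}` in that path with `{{ install_codename | replace('.', '') }}`, which is the same expression the role uses. A header comment naming the inputs this file expects from its caller (`tmpdir`, `install_hostname`, `install_codename`, `installer_base_path`) would make the remaining dependencies explicit.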
@@ -31,28 +31,16 @@ - block: - name: create a temporary workdir tempfile: + path: "{{ installer_base_path }}/" + prefix: ".{{ install_hostname }}." state: directory register: tmpdir - when: install_distro in ['debian', 'ubuntu'] - vars: - ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}" - preseed_tmpdir: "{{ tmpdir.path }}" - preseed_virtual_machine: yes - preseed_force_net_ifnames_policy: path - preseed_no_netplan: yes - install_interface: enp1s1 - import_role: - name: installer/debian/preseed + import_tasks: installer-debian.yml - when: install_distro in ['openbsd'] - vars: - ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}" - obsd_autoinstall_tmpdir: "{{ tmpdir.path }}" - obsd_autoinstall_serial_device: com0 - install_interface: vio0 - import_role: - name: installer/openbsd/autoinstall + import_tasks: installer-openbsd.yml - name: Make installer workdir readable by qemu acl: @@ -62,11 +50,11 @@ etype: user permissions: rx - - import_role: - name: vm/define - vars: + - vars: vm_define_installer: yes - preseed_tmpdir: "{{ tmpdir.path }}" + installer_tmpdir: "{{ tmpdir.path }}" + import_role: + name: vm/define - debug: msg: "you can check on the status of the installer running this command 'virsh console {{ install_hostname }}' on host {{ inventory_hostname }}." @@ -94,7 +82,7 @@ path: "{{ tmpdir.path }}" state: absent -- import_role: - name: vm/define - vars: +- vars: vm_define_installer: no + import_role: + name: vm/define |
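Review bot: The temporary workdir is now created inside `installer_base_path`, the shared installer volume that vm/host mounts and the fetch roles populate, and it holds the host-specific initrd or ISO into which `ssh_keys_root` and whatever else preseed/autoinstall bake in are written; if any task between `register: tmpdir` and the `state: absent` cleanup in the last hunk fails, that directory is left behind on the shared volume, and the qemu-readable ACL applied right after it widens who can read the contents. If that cleanup is not already in the block's `always:` section (the block's end lies outside these hunks), move it there, and note next to `prefix: ".{{ install_hostname }}."` that the dot only hides the directory from listings and provides no protection, e.g. `# hidden from casual listings only; removed in the block's always: section`.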