Diffstat (limited to 'roles/installer/openbsd')
-rw-r--r-- | roles/installer/openbsd/autoinstall/defaults/main.yml | 5 | ||||
-rw-r--r-- | roles/installer/openbsd/autoinstall/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/installer/openbsd/autoinstall/vars/main.yml | 2 | ||||
-rw-r--r-- | roles/installer/openbsd/base/defaults/main.yml | 13 | ||||
-rw-r--r-- | roles/installer/openbsd/base/tasks/main.yml | 45 | ||||
-rw-r--r-- | roles/installer/openbsd/fetch/defaults/main.yml | 6 | ||||
-rw-r--r-- | roles/installer/openbsd/fetch/tasks/main.yml | 51 | ||||
-rw-r--r-- | roles/installer/openbsd/fetch/vars/main.yml | 7 |
8 files changed, 69 insertions, 64 deletions
diff --git a/roles/installer/openbsd/autoinstall/defaults/main.yml b/roles/installer/openbsd/autoinstall/defaults/main.yml
index 27f7221a..b166c191 100644
--- a/roles/installer/openbsd/autoinstall/defaults/main.yml
+++ b/roles/installer/openbsd/autoinstall/defaults/main.yml
@@ -1,10 +1,7 @@
 ---
+# obsd_autoinstall_orig_iso:
 # obsd_autoinstall_tmpdir:
-obsd_autoinstall_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
-obsd_autoinstall_version: "{{ install_codename }}"
-obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}"
-
 # obsd_autoinstall_serial_device: com0
 # obsd_autoinstall_serial_baudrate: 115200
diff --git a/roles/installer/openbsd/autoinstall/tasks/main.yml b/roles/installer/openbsd/autoinstall/tasks/main.yml
index b8e88b53..fc5f6194 100644
--- a/roles/installer/openbsd/autoinstall/tasks/main.yml
+++ b/roles/installer/openbsd/autoinstall/tasks/main.yml
@@ -29,7 +29,7 @@
 - "INSTALL.{{ obsd_autoinstall_arch }}"
 - "{{ obsd_autoinstall_file_sets | product([obsd_autoinstall_version_short+'.tgz']) | map('join') | list }}"
 iso_extract:
- image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso"
+ image: "{{ obsd_autoinstall_orig_iso }}"
 dest: "{{ obsd_autoinstall_tmpdir }}/files"
 files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(installer_files | flatten) | map('join') | list }}"
@@ -45,7 +45,7 @@
 dest: "{{ obsd_autoinstall_tmpdir }}/files/site{{ obsd_autoinstall_version_short }}.tgz"
 - name: generate host specific installer image
- command: 'genisoimage -RTLldDN -o "install.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/'
+ command: 'genisoimage -RTLldDN -o "{{ install_hostname }}.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/'
 args:
 chdir: "{{ obsd_autoinstall_tmpdir }}/"
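Review bot: The new `# obsd_autoinstall_orig_iso:` placeholder says nothing about what value it expects, yet the tasks hunk below feeds it straight into `iso_extract.image` with no default, so the role's trust in the image now rests entirely on whoever sets that path. I would document it as `# obsd_autoinstall_orig_iso: path to the signify-verified OpenBSD install ISO (as produced by the installer/openbsd/fetch role)`. The same hunk drops the defaults for `obsd_autoinstall_arch` and `obsd_autoinstall_version`, but the tasks still template both and the new vars file derives `obsd_autoinstall_version_short` from the latter, so they presumably must now be supplied by the caller; a commented `# obsd_autoinstall_arch:` / `# obsd_autoinstall_version:` pair next to the other placeholders would make that contract visible.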
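Review bot: On the changed `command:` line the templated `{{ install_hostname }}` sits inside a shell-style quoted token of a free-form command string; `command` runs no shell, but the string is still split shlex-style, so a hostname containing whitespace or a quote character would break the argument list instead of being passed verbatim. The list form `argv:` hands each argument over as-is and needs no inner quoting, which also makes the `-o` target easier to read. The hunk ends at `chdir:`, so any trailing keys of this task are outside the view.

```yaml
- name: generate host specific installer image
  command:
    argv:
      - genisoimage
      - -RTLldDN
      - -o
      - "{{ install_hostname }}.iso"
      - -no-emul-boot
      - -b
      - cdbr
      - -c
      - boot.catalog
      - files/
  args:
    chdir: "{{ obsd_autoinstall_tmpdir }}/"
```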
diff --git a/roles/installer/openbsd/autoinstall/vars/main.yml b/roles/installer/openbsd/autoinstall/vars/main.yml
new file mode 100644
index 00000000..c20909d1
--- /dev/null
+++ b/roles/installer/openbsd/autoinstall/vars/main.yml
@@ -0,0 +1,2 @@
+---
+obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}"
diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml
deleted file mode 100644
index 10e9c840..00000000
--- a/roles/installer/openbsd/base/defaults/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-openbsd_versions:
- - version: 6.7
- arch:
- - amd64
- - i386
-
-openbsd_signing_keys:
- 6.7: |
- untrusted comment: openbsd 6.7 base public key
- RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj
-
-openbsd_installer_force_download: no
-openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml
index 2d6e905e..412f3680 100644
--- a/roles/installer/openbsd/base/tasks/main.yml
+++ b/roles/installer/openbsd/base/tasks/main.yml
@@ -5,48 +5,3 @@
 - genisoimage
 - signify-openbsd
 state: present
-
-- name: prepare directories for installer iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- file:
- name: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}"
- state: directory
-
-- name: download installer iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- get_url:
- url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso"
- dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
-- name: download signed sha256 files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- get_url:
- url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/SHA256.sig"
- dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/SHA256.sig"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
-- name: create signing key files
- loop: "{{ openbsd_versions }}"
- loop_control:
- label: "openbsd-{{ item.version }}"
- copy:
- content: "{{ openbsd_signing_keys[item.version] }}"
- dest: "{{ installer_path }}/openbsd-{{ item.version }}/openbsd-{{ item.version | replace('.', '') }}-base.pub"
-
-- name: verfiy downloaded iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- command: "signify-openbsd -Cp ../openbsd-{{ item.0.version | replace('.', '') }}-base.pub -x SHA256.sig install{{ item.0.version | replace('.', '') }}.iso"
- args:
- chdir: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}"
- changed_when: false
diff --git a/roles/installer/openbsd/fetch/defaults/main.yml b/roles/installer/openbsd/fetch/defaults/main.yml
new file mode 100644
index 00000000..eeeaf2d0
--- /dev/null
+++ b/roles/installer/openbsd/fetch/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# openbsd_installer_version: 6.7
+openbsd_installer_arch: amd64
+
+openbsd_installer_force_download: no
+openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
new file mode 100644
index 00000000..97e8fb57
--- /dev/null
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
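Review bot: The commented example `# openbsd_installer_version: 6.7` invites an unquoted value, but YAML reads `6.7` as a float while the new fetch/vars/main.yml (further down) keys `openbsd_installer_signing_keys` with the string `"6.7"`, so the lookup `openbsd_installer_signing_keys[openbsd_installer_version]` in the tasks file would presumably miss the key for anyone who copies the example as written, and a future `6.10` would collapse to `6.1` before `replace('.', '')` ever runs. Quote the example, `# openbsd_installer_version: "6.7"`, and add beside it `# must be a string matching a key of openbsd_installer_signing_keys`. `openbsd_installer_force_download: no` is the YAML 1.1 boolean spelling; `false` is the form that parses the same everywhere.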
@@ -0,0 +1,51 @@
+---
+- name: prepare directories for installer iso files
+ file:
+ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ state: directory
+
+- name: download signed sha256 and buildinfo files
+ loop:
+ - SHA256.sig
+ - BUILDINFO
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
+
+- name: create signing key files
+ copy:
+ content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"
+
+## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without
+## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead.
+## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding
+## hundreds of megabytes is not fun.
+## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO)
+## to verfiy the signature.
+## This process should speed up the installation quite a bit and make the overall image download process more solid.
+
+- name: verify downloaded files
+ command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO"
+ args:
+ chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ changed_when: false
+ register: openbsd_installer_signify_result
+
+- debug:
+ var: openbsd_installer_signify_result.stdout_lines
+
+- name: extract sha256 hash for iso file
+ command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ changed_when: false
+ register: openbsd_installer_sha256sum
+
+- name: download installer iso file
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
diff --git a/roles/installer/openbsd/fetch/vars/main.yml b/roles/installer/openbsd/fetch/vars/main.yml
new file mode 100644
index 00000000..dad9f064
--- /dev/null
+++ b/roles/installer/openbsd/fetch/vars/main.yml
@@ -0,0 +1,7 @@
+---
+openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}"
+
+openbsd_installer_signing_keys:
+ "6.7": |
+ untrusted comment: openbsd 6.7 base public key
+ RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj
 |
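Review bot: The `- debug:` task after the signify step dumps `openbsd_installer_signify_result.stdout_lines` on every run, which reads like a development leftover; a failed signature already fails the play, so give it `verbosity: 1` or drop it. `mode: 0644` is unquoted in both `get_url` tasks of this file; the Ansible convention is `mode: "0644"` so the octal does not depend on how the YAML loader types the literal. In the grep pattern, `[0-9a-z]{64}` is wider than hex; `[0-9a-f]{64}` matches exactly what the later `checksum: "sha256:..."` can consume, so a malformed line fails at the grep instead of at download time. The comment block carries two typos, `re-downlaoding` and `verfiy`. The verification order itself — signature on SHA256.sig checked through BUILDINFO, then the ISO pinned by the checksum read from that verified file — is sound and worth keeping as documented.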