Diffstat (limited to 'roles/installer/openbsd')
-rw-r--r--roles/installer/openbsd/autoinstall/defaults/main.yml5
-rw-r--r--roles/installer/openbsd/autoinstall/tasks/main.yml4
-rw-r--r--roles/installer/openbsd/autoinstall/vars/main.yml2
-rw-r--r--roles/installer/openbsd/base/defaults/main.yml13
-rw-r--r--roles/installer/openbsd/base/tasks/main.yml45
-rw-r--r--roles/installer/openbsd/fetch/defaults/main.yml6
-rw-r--r--roles/installer/openbsd/fetch/tasks/main.yml51
-rw-r--r--roles/installer/openbsd/fetch/vars/main.yml7
8 files changed, 69 insertions, 64 deletions
diff --git a/roles/installer/openbsd/autoinstall/defaults/main.yml b/roles/installer/openbsd/autoinstall/defaults/main.yml
index 27f7221a..b166c191 100644
--- a/roles/installer/openbsd/autoinstall/defaults/main.yml
+++ b/roles/installer/openbsd/autoinstall/defaults/main.yml
@@ -1,10 +1,7 @@
---
+# obsd_autoinstall_orig_iso:
# obsd_autoinstall_tmpdir:
-obsd_autoinstall_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
-obsd_autoinstall_version: "{{ install_codename }}"
-obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}"
-
# obsd_autoinstall_serial_device: com0
# obsd_autoinstall_serial_baudrate: 115200
diff --git a/roles/installer/openbsd/autoinstall/tasks/main.yml b/roles/installer/openbsd/autoinstall/tasks/main.yml
index b8e88b53..fc5f6194 100644
--- a/roles/installer/openbsd/autoinstall/tasks/main.yml
+++ b/roles/installer/openbsd/autoinstall/tasks/main.yml
@@ -29,7 +29,7 @@
- "INSTALL.{{ obsd_autoinstall_arch }}"
- "{{ obsd_autoinstall_file_sets | product([obsd_autoinstall_version_short+'.tgz']) | map('join') | list }}"
iso_extract:
- image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso"
+ image: "{{ obsd_autoinstall_orig_iso }}"
dest: "{{ obsd_autoinstall_tmpdir }}/files"
files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(installer_files | flatten) | map('join') | list }}"
@@ -45,7 +45,7 @@
dest: "{{ obsd_autoinstall_tmpdir }}/files/site{{ obsd_autoinstall_version_short }}.tgz"
- name: generate host specific installer image
- command: 'genisoimage -RTLldDN -o "install.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/'
+ command: 'genisoimage -RTLldDN -o "{{ install_hostname }}.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/'
args:
chdir: "{{ obsd_autoinstall_tmpdir }}/"
diff --git a/roles/installer/openbsd/autoinstall/vars/main.yml b/roles/installer/openbsd/autoinstall/vars/main.yml
new file mode 100644
index 00000000..c20909d1
--- /dev/null
+++ b/roles/installer/openbsd/autoinstall/vars/main.yml
@@ -0,0 +1,2 @@
+---
+obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}"
diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml
deleted file mode 100644
index 10e9c840..00000000
--- a/roles/installer/openbsd/base/defaults/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-openbsd_versions:
- - version: 6.7
- arch:
- - amd64
- - i386
-
-openbsd_signing_keys:
- 6.7: |
- untrusted comment: openbsd 6.7 base public key
- RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj
-
-openbsd_installer_force_download: no
-openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml
index 2d6e905e..412f3680 100644
--- a/roles/installer/openbsd/base/tasks/main.yml
+++ b/roles/installer/openbsd/base/tasks/main.yml
@@ -5,48 +5,3 @@
- genisoimage
- signify-openbsd
state: present
-
-- name: prepare directories for installer iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- file:
- name: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}"
- state: directory
-
-- name: download installer iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- get_url:
- url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso"
- dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
-- name: download signed sha256 files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- get_url:
- url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/SHA256.sig"
- dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/SHA256.sig"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
-- name: create signing key files
- loop: "{{ openbsd_versions }}"
- loop_control:
- label: "openbsd-{{ item.version }}"
- copy:
- content: "{{ openbsd_signing_keys[item.version] }}"
- dest: "{{ installer_path }}/openbsd-{{ item.version }}/openbsd-{{ item.version | replace('.', '') }}-base.pub"
-
-- name: verfiy downloaded iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- command: "signify-openbsd -Cp ../openbsd-{{ item.0.version | replace('.', '') }}-base.pub -x SHA256.sig install{{ item.0.version | replace('.', '') }}.iso"
- args:
- chdir: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}"
- changed_when: false
diff --git a/roles/installer/openbsd/fetch/defaults/main.yml b/roles/installer/openbsd/fetch/defaults/main.yml
new file mode 100644
index 00000000..eeeaf2d0
--- /dev/null
+++ b/roles/installer/openbsd/fetch/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# openbsd_installer_version: 6.7
+openbsd_installer_arch: amd64
+
+openbsd_installer_force_download: no
+openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
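Review bot: The commented example `# openbsd_installer_version: 6.7` will be parsed as the float 6.7 if a user copies it into inventory unquoted, while `fetch/vars/main.yml` keys the signing-key map with the string `"6.7"`, so the lookup `openbsd_installer_signing_keys[openbsd_installer_version]` in the fetch tasks would presumably miss the key and fail before any verification happens. Suggest `# openbsd_installer_version: "6.7"` here, or making the lookup type-tolerant with `openbsd_installer_signing_keys[openbsd_installer_version | string]`. Separately, `openbsd_installer_force_download: no` relies on YAML 1.1 truthy parsing; `false` is the unambiguous form and is what ansible-lint expects.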
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
new file mode 100644
index 00000000..97e8fb57
--- /dev/null
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+- name: prepare directories for installer iso files
+ file:
+ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ state: directory
+
+- name: download signed sha256 and buildinfo files
+ loop:
+ - SHA256.sig
+ - BUILDINFO
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
+
+- name: create signing key files
+ copy:
+ content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"
+
+## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without
+## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead.
+## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding
+## hundreds of megabytes is not fun.
+## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO)
+## to verfiy the signature.
+## This process should speed up the installation quite a bit and make the overall image download process more solid.
+
+- name: verify downloaded files
+ command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO"
+ args:
+ chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ changed_when: false
+ register: openbsd_installer_signify_result
+
+- debug:
+ var: openbsd_installer_signify_result.stdout_lines
+
+- name: extract sha256 hash for iso file
+ command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ changed_when: false
+ register: openbsd_installer_sha256sum
+
+- name: download installer iso file
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
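Review bot: The header comment above the verify task says signify cannot verify the SHA256 list on its own, but signify's `-V -e` mode (`signify-openbsd -Vep ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig -m SHA256`) verifies the signature and writes out the authenticated checksum list, which would remove the extra BUILDINFO download and let the grep read a file that is known to be the verified output rather than the raw `SHA256.sig`; worth confirming against the packaged signify-openbsd before changing. The current flow is still sound as written, since `-C` rejects a bad signature before comparing any checksum and a non-zero `command` stops the play before the grep and the ISO download run. Separately, the grep pattern `[0-9a-z]{64}` accepts non-hex characters; `[0-9a-f]{64}` matches what SHA256.sig actually contains and turns a malformed line into an immediate task failure instead of a get_url checksum error after a multi-hundred-megabyte download.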
diff --git a/roles/installer/openbsd/fetch/vars/main.yml b/roles/installer/openbsd/fetch/vars/main.yml
new file mode 100644
index 00000000..dad9f064
--- /dev/null
+++ b/roles/installer/openbsd/fetch/vars/main.yml
@@ -0,0 +1,7 @@
+---
+openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}"
+
+openbsd_installer_signing_keys:
+ "6.7": |
+ untrusted comment: openbsd 6.7 base public key
+ RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj