pull/2/head
Alexander Böhm 2020-10-15 00:20:05 +02:00
parent e676b4c40c
commit 82b8dc4fad
28 changed files with 345 additions and 523 deletions

4
.gitignore vendored

@ -3,3 +3,7 @@
# Vagrant
.vagrant
# ansible
hosts
ansible.cfg

100
README.md Normal file

@ -0,0 +1,100 @@
# HW4F Netboot Installer
Server die automatische Installation über das Netzwerks von Ubuntu 20.04 im Rahmen des **https://hardwareforfuture.de(Hardware for Future)** Projekts des dezentrale e.V.
Für den Betrieb wird einmalig eine Internetverbindung benötigt. Der Server wird über Ansible aufgesetzt. Hierfür werden verschiedene Komponenten installiert, u.a. FAI (Fully Automatic Installtion). Mit dem Server wird ein Netz aufgespannt, welches für den Anschluß des zu installierenden Rechner verwendet wird. Wenn die Rechner mit dem Netzwerk verbunden sind, können sie über einen Netzwerkboot (F-Testen beim Start des Rechners) über PXE gebootet werden. PXE lädt die erforderliche Dateien vom Server und der FAI-Installer installiert dann Ubuntu auf den Rechner.
Es wird ein Nutzer *demo* angelegt. Das Passwort ist *fai*. Dieser Nutzer kann Administrationsrechte erlang und es sollte nach der Anmeldung das Passwort dringenst geändert werden.
## Voraussetzungen
Server:
* Debian Buster
Zu installierende Clients:
* CPU mit x86-64 Unterstützung
* 512 MB RAM empfohlen
* mehr als 20 GB Festsplatte oder SSD
* PXE-fähig oder USB-Stick mit bootfähigen iPXE oder iPXE-CD zum Booten des Rechern
## Verwendung
Zunächst ansible für die automatische Installation und Konfiguration aller Komponeten herunterladen:
```console
apt install ansible
```
Danach ein Playbook (z.B. *fai.yml*) anlegen und die grundlegende Parameter festlegen:
```yml
- hosts: localhost
become: true
vars:
dhcp_interface: eth1 # NIC für die Installer Netz
wan_interface: eth0 # NIC zum Internet
roles:
- fai
```
Danach das Playbook ausführen:
```
ansible-playbook fai.yml
```
### Konfiguration
Über Ansible-Variablen kann die Installation noch weiter angepasst werden.
|**Variable** |**Bedeutung** |**Standard** |
|--- |--- |--- |
|dhcp_interface |NIC des Installtionnetzs |eth1 |
|wan_interface |NIC zum Internet |eth0 |
|server_name |Server-Name |faiserver |
|domain_name |Domain-Name des Netzes |local |
|server_ip |IP des Servers |192.168.33.1 |
|server_netbits |Bits der Netzmaske |24 |
|server_netmask |Netzmaske |255.255.255.0 |
|apt_cacher_offline_mode |true, um nur den vorhanden Packet-Cache als Repository zu nutzen |false |
|debian_release |Debian Release, was für FAI genutzt werden soll. |buster |
Beispielsweise kann der Server mit obigen Playbook aufgesetzt werden, eine Rechner mit Ubuntu installiert werden und danach der Server wie folgt in den Offline-Installationsmodus versetzt werden:
```yml
- hosts: localhost
become: true
vars:
dhcp_interface: eth1 # NIC für die Installer Netz
wan_interface: eth0 # NIC zum Internet
apt_cacher_offline_mode: true
roles:
- fai
```
Danach das Playbook noch einmal ausführen, um die Konfigration zu aktualisieren:
```
ansible-playbook fai.yml
```
## Details
*TBD*
### Komponenten
* DHCP: isc-dhcp-server
* TFTP: tftpd-hpa
* DNS: unbound
* ntp: ntp
* time: inetd
* HTTP: nginx
## Verweise
* https://fai-project.org(FAI Project)
* https://ipxe.org(iPXE)
* https://www.ansible.com(Ansible)
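Review bot: The paragraph introducing the *demo* user documents a fixed password (*fai*) for an account that can gain administration rights, and only asks the user to change it after login, so every installed machine carries the same known credential until someone acts on that. Consider having the FAI profile expire the password so the first login forces a change, or taking the password hash from an Ansible variable that is set per deployment, and state in the README which of the two applies.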

6
Vagrantfile vendored

@ -11,12 +11,10 @@ def create(config, name)
vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
end
v.vm.network "private_network", ip: "192.168.33.1", virtualbox__intnet: true
v.vm.network "private_network", virtualbox__intnet: true, auto_config: false
v.vm.provision "ansible" do |ans|
ans.playbook = "setup.yml"
#ans.vault_password_file = ".vault_pass"
ans.verbose = true
ans.playbook = "playbook-vagrant.yml"
end
end
end

14
playbook-vagrant.yml Normal file

@ -0,0 +1,14 @@
- hosts: faiserver
become: true
vars:
# interface to the clients to install
dhcp_interface: eth1
# interface for a internet connection
wan_interface: eth0
# customized server name
server_name: faiserver
# ip of the server of the installer network
server_ip: 192.168.33.1
roles:
- fai

View File

@ -1,17 +1,12 @@
---
# defaults file for fai
use_ipxe: true
fai_menu: true
ensure_fai_setup_run: false
disable_fai_chroot_build: false
dhcp_interface: eth1
wan_interface: eth0
server_name: faiserver
domain_name: local
server_ip: 192.168.33.1
server_net: 192.168.33
server_netbits: 24
server_netmask: 255.255.255.0
domain_name: lan
linux_version: 4.19.0-10
use_apt_cache: true
apt_cacher_offline_mode: false
debian_release: buster

View File

@ -4,7 +4,7 @@ Name: HW4F Desktop
Description: Desktop installtion for Hardware for future
Short: HW4F
Long: Ubuntu 20.04 LTS (Focal Fossa) Desktop installtion
Classes: INSTALL HW4F_DESKTOP UBUNTU HW4F_DESKTOP_LAST
Classes: INSTALL GERMAN HW4F_DESKTOP UBUNTU HW4F_DESKTOP_LAST
Name: Secure erase SSD
Description: Run a secure erase for SSD

View File

@ -1 +0,0 @@
Acquire::http::Proxy "http://faiserver:3142";

View File

@ -11,21 +11,31 @@
SupportDir: /usr/lib/apt-cacher-ng
Port: 3142
# Mappings
Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-security
Remap-fai: fai-project.org /download
# The Report page
ReportPage: acng-report.html
ExThreshold: 4
Offlinemode: {% if apt_cacher_offline_mode %}1{% else %}0{% endif %}
# 120 days till a package will expire
ExThreshold: 120
# use one connection to reduce disruptions
ReuseConnections: 1
PipelineDepth: 1
# don't wait to long for server
NetworkTimeout: 5
# Only serve available files
Offlinemode: {% if apt_cacher_offline_mode %}1{% else %}0{% endif %}
dest: /etc/apt-cacher-ng/acng.conf
owner: root
group: root
mode: 0644
mode: u=rw,g=r,o=r
register: apt_cacher_config
- name: ensure service is started and enabled
@ -39,3 +49,13 @@
name: apt-cacher-ng
state: restarted
when: apt_cacher_config.changed
- name: set apt cache also for installer host
copy:
dest: /etc/apt/apt.conf.d/00proxy
content: |
Acquire::http::Proxy "http://localhost:3142";
owner: root
group: root
mode: u=rw,g=r,o=r

View File

@ -1,27 +1,21 @@
- name: setup repos for fai
copy:
dest: /etc/fai/apt/sources.list
mode: 0644
content: |
deb http://localhost:3142/deb.debian.org/debian buster main contrib non-free
deb http://localhost:3142/security.debian.org/debian-security buster/updates main
deb http://localhost:3142/deb.debian.org/debian/ buster-updates main
deb http://localhost:3142/fai-project.org/download buster koeln
mode: u=rw,g=r,o=r
owner: root
group: root
content: |
deb http://deb.debian.org/debian buster main contrib non-free
deb http://deb.debian.org/debian-security buster/updates main contrib non-free
deb http://deb.debian.org/debian buster-backports main contrib non-free
# fai automated install
deb http://fai-project.org/download buster koeln
tags:
- fai
- apt
register: fai_apt_mirrors
- name: set loguser
copy:
dest: /etc/fai/fai.conf
mode: 0644
mode: u=rw,g=r,o=r
owner: root
group: root
content: |
LOGUSER=root
tags:
- fai
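Review bot: Every `deb` line in the `setup repos for fai` content names `buster` literally, while the same commit parameterises the FAI repository as `{{ debian_release }}` in the `add fai repo` task and in `FAI_DEBOOTSTRAP`. Setting `debian_release` to anything else would then build the nfsroot from mixed suites. Use `{{ debian_release }}` in each line here as well (including the `/updates` and `-backports` suffixes) so the two stay in step.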

View File

@ -1,5 +0,0 @@
- name: pack fai configuration
shell: tar -C /srv/fai/config -cf /srv/fai/config.tar .
when: fai_profiles.changed

View File

@ -1,3 +0,0 @@
- apt:
name: fai-server
state: present

View File

@ -3,15 +3,13 @@
id: B11EE3273F6B2DEB528C93DA2BF8D9FE074BCDE4
url: https://fai-project.org/download/2BF8D9FE074BCDE4.asc
state: present
tags:
- apt
- fai
- name: add fai repo
apt_repository:
repo: deb http://fai-project.org/download buster koeln
repo: deb http://fai-project.org/download {{ debian_release }} koeln
state: present
tags:
- apt
- fai
- name: install all required fai programs
package:
name: [fai-server, squashfs-tools, ipxe]
state: present

View File

@ -1,16 +0,0 @@
- name: create fai dir
file:
name: /srv/fai/config
state: directory
owner: root
group: root
mode: 0755
- name: copy profile
synchronize:
src: profiles/
dest: /srv/fai/config/
mode: push
delete: yes
recursive: yes
register: fai_profiles

View File

@ -0,0 +1,30 @@
- name: create fai dir
file:
name: /srv/fai/config
state: directory
owner: root
group: root
mode: u=rw,g=r,o=r
- name: copy fai profile
synchronize:
src: profiles/
dest: /srv/fai/config/
mode: push
delete: yes
recursive: yes
register: fai_profiles
- name: Set APT proxy
template:
src: fai-profile-00-proxy.yml
dest: /srv/fai/config/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP
owner: root
group: root
mode: u=rw,g=r,o=r
register: fai_profiles_apt_proxy
- name: pack fai configuration
shell: tar -C /srv/fai/config -cf /srv/fai/config.tar .
when: "fai_profiles.changed or fai_profiles_apt_proxy.changed"
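Review bot: The `create fai dir` task sets `mode: u=rw,g=r,o=r` on a `state: directory` path, which leaves `/srv/fai/config` without any execute (search) bit; the task file this one replaces used `0755`. Non-root processes can then no longer traverse the directory. Use `mode: u=rwx,g=rx,o=rx` for the directory. Separately, `pack fai configuration` needs no shell features, so `command` would do instead of `shell`.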

View File

@ -1,26 +1,15 @@
- name: install ipxe
package:
- package:
name: ipxe
state: present
tags:
- pxe
- bios
- efi
- ipxe
- name: copy ipxe
copy:
src: "{{ item }}"
dest: /srv/tftp/
dest: /srv/tftp/fai
remote_src: yes
with_items:
- /usr/lib/ipxe/ipxe.efi
- /usr/lib/ipxe/ipxe.pxe
tags:
- pxe
- ipxe
- bios
- efi
- name: write ipxe menu
copy:
@ -39,7 +28,6 @@
menu iPXE boot menu
item --key f fai FAI Installer
item --gap --
item --key p pxelinux PXE Linux
item --key d dban Dariks boot and nuke (DBAN)
item --gap --
item --key c config Configure settings
@ -76,9 +64,9 @@
exit
:fai
kernel fai/vmlinuz-4.19.0-10-amd64
initrd fai/initrd.img-4.19.0-10-amd64
imgargs vmlinuz-4.19.0-10-amd64 ip=dhcp root=live:http://192.168.33.1/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv,menu FAI_CONFIG_SRC=http://192.168.33.1/fai/config.tar FAI_ACTION=install
kernel {{ fai_live_vmlinuz }}
initrd {{ fai_live_initrd }}
imgargs {{ fai_live_vmlinuz }} ip=dhcp root=live:http://{{ server_name }}/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv,menu FAI_CONFIG_SRC=http://{{ server_name }}/fai/config.tar FAI_ACTION=install net.ifnames=0
boot || goto failed
goto start
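Review bot: The `imgargs` line under `:fai` builds both URLs from the bare `{{ server_name }}`, but the unbound zone in this commit only publishes `{{ server_name }}.{{ domain_name }}`, so the live system can fetch `squash.img` and `config.tar` only if DHCP also hands out `{{ domain_name }}` as search domain. Either use the fully qualified name here or keep `{{ server_ip }}`. Both files are fetched over plain HTTP, so the README should say that the installer network has to be a trusted, isolated segment.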
@ -87,12 +75,8 @@
imgargs dban.bzi silent vga=785
boot || goto failed
goto start
dest: /srv/tftp/menu.ipxe
dest: /srv/tftp/fai/menu.ipxe
mode: 0644
owner: root
group: root
tags:
- pxe
- tftp
- fai

View File

@ -1,288 +0,0 @@
- name: install syslinux
package:
name: "{{ item }}"
state: present
with_items:
- pxelinux
- syslinux
- syslinux-efi
tags:
- pxe
- bios
- efi
- syslinux
- name: generate pxe directory structure
file:
name: "{{ item }}"
state: directory
with_items:
- /srv/tftp/fai/bios
- /srv/tftp/fai/efi32
- /srv/tftp/fai/efi64
tags:
- pxe
- bios
- efi
- syslinux
- name: copy pxelinux
copy:
src: /usr/lib/PXELINUX/pxelinux.0
dest: /srv/tftp/fai/bios/pxelinux.0
owner: root
group: root
remote_src: yes
tags:
- pxe
- syslinux
- name: copy pxe efi32
copy:
src: /usr/lib/SYSLINUX.EFI/efi32/syslinux.efi
dest: /srv/tftp/fai/efi32/syslinux.efi
owner: root
group: root
remote_src: yes
- name: copy pxe bios modules
copy:
src: "{{ item }}"
dest: /srv/tftp/fai/bios/
owner: root
group: root
remote_src: yes
with_items:
- /usr/lib/syslinux/modules/bios/dmitest.c32
- /usr/lib/syslinux/modules/bios/chain.c32
- /usr/lib/syslinux/modules/bios/libcom32.c32
- /usr/lib/syslinux/modules/bios/sysdump.c32
- /usr/lib/syslinux/modules/bios/sanboot.c32
- /usr/lib/syslinux/modules/bios/host.c32
- /usr/lib/syslinux/modules/bios/vesainfo.c32
- /usr/lib/syslinux/modules/bios/liblua.c32
- /usr/lib/syslinux/modules/bios/gfxboot.c32
- /usr/lib/syslinux/modules/bios/mboot.c32
- /usr/lib/syslinux/modules/bios/disk.c32
- /usr/lib/syslinux/modules/bios/meminfo.c32
- /usr/lib/syslinux/modules/bios/hdt.c32
- /usr/lib/syslinux/modules/bios/cpuid.c32
- /usr/lib/syslinux/modules/bios/cpu.c32
- /usr/lib/syslinux/modules/bios/libgpl.c32
- /usr/lib/syslinux/modules/bios/libutil.c32
- /usr/lib/syslinux/modules/bios/kontron_wdt.c32
- /usr/lib/syslinux/modules/bios/kbdmap.c32
- /usr/lib/syslinux/modules/bios/vesamenu.c32
- /usr/lib/syslinux/modules/bios/pci.c32
- /usr/lib/syslinux/modules/bios/ethersel.c32
- /usr/lib/syslinux/modules/bios/pmload.c32
- /usr/lib/syslinux/modules/bios/cptime.c32
- /usr/lib/syslinux/modules/bios/gpxecmd.c32
- /usr/lib/syslinux/modules/bios/whichsys.c32
- /usr/lib/syslinux/modules/bios/vesa.c32
- /usr/lib/syslinux/modules/bios/pxechn.c32
- /usr/lib/syslinux/modules/bios/lfs.c32
- /usr/lib/syslinux/modules/bios/ifplop.c32
- /usr/lib/syslinux/modules/bios/dmi.c32
- /usr/lib/syslinux/modules/bios/pcitest.c32
- /usr/lib/syslinux/modules/bios/cmenu.c32
- /usr/lib/syslinux/modules/bios/reboot.c32
- /usr/lib/syslinux/modules/bios/debug.c32
- /usr/lib/syslinux/modules/bios/ifmemdsk.c32
- /usr/lib/syslinux/modules/bios/zzjson.c32
- /usr/lib/syslinux/modules/bios/sdi.c32
- /usr/lib/syslinux/modules/bios/ldlinux.c32
- /usr/lib/syslinux/modules/bios/dhcp.c32
- /usr/lib/syslinux/modules/bios/menu.c32
- /usr/lib/syslinux/modules/bios/poweroff.c32
- /usr/lib/syslinux/modules/bios/elf.c32
- /usr/lib/syslinux/modules/bios/hexdump.c32
- /usr/lib/syslinux/modules/bios/libmenu.c32
- /usr/lib/syslinux/modules/bios/vpdtest.c32
- /usr/lib/syslinux/modules/bios/ifcpu.c32
- /usr/lib/syslinux/modules/bios/ls.c32
- /usr/lib/syslinux/modules/bios/cpuidtest.c32
- /usr/lib/syslinux/modules/bios/cmd.c32
- /usr/lib/syslinux/modules/bios/rosh.c32
- /usr/lib/syslinux/modules/bios/pwd.c32
- /usr/lib/syslinux/modules/bios/linux.c32
- /usr/lib/syslinux/modules/bios/config.c32
- /usr/lib/syslinux/modules/bios/ifcpu64.c32
- /usr/lib/syslinux/modules/bios/cat.c32
- /usr/lib/syslinux/modules/bios/lua.c32
- /usr/lib/syslinux/modules/bios/syslinux.c32
- /usr/lib/syslinux/modules/bios/prdhcp.c32
- /usr/lib/syslinux/modules/bios/dir.c32
tags:
- pxe
- efi
- name: copy pxe efi32 modules
copy:
src: "{{ item }}"
dest: /srv/tftp/fai/efi32/
owner: root
group: root
remote_src: yes
with_items:
- /usr/lib/syslinux/modules/efi32/dmitest.c32
- /usr/lib/syslinux/modules/efi32/chain.c32
- /usr/lib/syslinux/modules/efi32/libcom32.c32
- /usr/lib/syslinux/modules/efi32/sysdump.c32
- /usr/lib/syslinux/modules/efi32/host.c32
- /usr/lib/syslinux/modules/efi32/liblua.c32
- /usr/lib/syslinux/modules/efi32/gfxboot.c32
- /usr/lib/syslinux/modules/efi32/mboot.c32
- /usr/lib/syslinux/modules/efi32/meminfo.c32
- /usr/lib/syslinux/modules/efi32/hdt.c32
- /usr/lib/syslinux/modules/efi32/cpuid.c32
- /usr/lib/syslinux/modules/efi32/cpu.c32
- /usr/lib/syslinux/modules/efi32/libgpl.c32
- /usr/lib/syslinux/modules/efi32/ldlinux.e32
- /usr/lib/syslinux/modules/efi32/libutil.c32
- /usr/lib/syslinux/modules/efi32/vesamenu.c32
- /usr/lib/syslinux/modules/efi32/pci.c32
- /usr/lib/syslinux/modules/efi32/cptime.c32
- /usr/lib/syslinux/modules/efi32/whichsys.c32
- /usr/lib/syslinux/modules/efi32/vesa.c32
- /usr/lib/syslinux/modules/efi32/lfs.c32
- /usr/lib/syslinux/modules/efi32/dmi.c32
- /usr/lib/syslinux/modules/efi32/cmenu.c32
- /usr/lib/syslinux/modules/efi32/reboot.c32
- /usr/lib/syslinux/modules/efi32/debug.c32
- /usr/lib/syslinux/modules/efi32/zzjson.c32
- /usr/lib/syslinux/modules/efi32/dhcp.c32
- /usr/lib/syslinux/modules/efi32/menu.c32
- /usr/lib/syslinux/modules/efi32/hexdump.c32
- /usr/lib/syslinux/modules/efi32/libmenu.c32
- /usr/lib/syslinux/modules/efi32/vpdtest.c32
- /usr/lib/syslinux/modules/efi32/ifcpu.c32
- /usr/lib/syslinux/modules/efi32/ls.c32
- /usr/lib/syslinux/modules/efi32/cpuidtest.c32
- /usr/lib/syslinux/modules/efi32/cmd.c32
- /usr/lib/syslinux/modules/efi32/rosh.c32
- /usr/lib/syslinux/modules/efi32/pwd.c32
- /usr/lib/syslinux/modules/efi32/linux.c32
- /usr/lib/syslinux/modules/efi32/config.c32
- /usr/lib/syslinux/modules/efi32/ifcpu64.c32
- /usr/lib/syslinux/modules/efi32/cat.c32
- /usr/lib/syslinux/modules/efi32/lua.c32
- /usr/lib/syslinux/modules/efi32/syslinux.c32
- /usr/lib/syslinux/modules/efi32/dir.c32
tags:
- pxe
- efi
- name: copy pxe efi64 modules
copy:
src: "{{ item }}"
dest: /srv/tftp/fai/efi64/
owner: root
group: root
remote_src: yes
with_items:
- /usr/lib/syslinux/modules/efi64/dmitest.c32
- /usr/lib/syslinux/modules/efi64/chain.c32
- /usr/lib/syslinux/modules/efi64/libcom32.c32
- /usr/lib/syslinux/modules/efi64/sysdump.c32
- /usr/lib/syslinux/modules/efi64/host.c32
- /usr/lib/syslinux/modules/efi64/liblua.c32
- /usr/lib/syslinux/modules/efi64/gfxboot.c32
- /usr/lib/syslinux/modules/efi64/mboot.c32
- /usr/lib/syslinux/modules/efi64/meminfo.c32
- /usr/lib/syslinux/modules/efi64/hdt.c32
- /usr/lib/syslinux/modules/efi64/cpuid.c32
- /usr/lib/syslinux/modules/efi64/cpu.c32
- /usr/lib/syslinux/modules/efi64/libgpl.c32
- /usr/lib/syslinux/modules/efi64/ldlinux.e64
- /usr/lib/syslinux/modules/efi64/libutil.c32
- /usr/lib/syslinux/modules/efi64/vesamenu.c32
- /usr/lib/syslinux/modules/efi64/pci.c32
- /usr/lib/syslinux/modules/efi64/cptime.c32
- /usr/lib/syslinux/modules/efi64/whichsys.c32
- /usr/lib/syslinux/modules/efi64/vesa.c32
- /usr/lib/syslinux/modules/efi64/lfs.c32
- /usr/lib/syslinux/modules/efi64/dmi.c32
- /usr/lib/syslinux/modules/efi64/cmenu.c32
- /usr/lib/syslinux/modules/efi64/reboot.c32
- /usr/lib/syslinux/modules/efi64/debug.c32
- /usr/lib/syslinux/modules/efi64/zzjson.c32
- /usr/lib/syslinux/modules/efi64/dhcp.c32
- /usr/lib/syslinux/modules/efi64/menu.c32
- /usr/lib/syslinux/modules/efi64/hexdump.c32
- /usr/lib/syslinux/modules/efi64/libmenu.c32
- /usr/lib/syslinux/modules/efi64/vpdtest.c32
- /usr/lib/syslinux/modules/efi64/ifcpu.c32
- /usr/lib/syslinux/modules/efi64/ls.c32
- /usr/lib/syslinux/modules/efi64/cpuidtest.c32
- /usr/lib/syslinux/modules/efi64/cmd.c32
- /usr/lib/syslinux/modules/efi64/rosh.c32
- /usr/lib/syslinux/modules/efi64/pwd.c32
- /usr/lib/syslinux/modules/efi64/linux.c32
- /usr/lib/syslinux/modules/efi64/config.c32
- /usr/lib/syslinux/modules/efi64/ifcpu64.c32
- /usr/lib/syslinux/modules/efi64/cat.c32
- /usr/lib/syslinux/modules/efi64/lua.c32
- /usr/lib/syslinux/modules/efi64/syslinux.c32
- /usr/lib/syslinux/modules/efi64/dir.c32
tags:
- pxe
- efi
- name: write pxe default config for bios/efi32/efi64
copy:
content: |
DEFAULT bios/menu.c32
PROMPT 0
MENU TITLE FAI Setup
MENU AUTOBOOT Starting FAI install
TIMEOUT 300
INCLUDE ::fai.cfg
INCLUDE ::dban.cfg
dest: /srv/tftp/fai/bios/default
mode: 0644
owner: root
group: root
with_items:
- /srv/tftp/fai/bios/default
- /srv/tftp/fai/efi32/default
- /srv/tftp/fai/efi64/default
tags:
- pxe
- tftp
- fai
- name: write pxe fai boot config
copy:
content: |
LABEL fai
MENU DEFAULT
MENU LABEL FAI Installer
KERNEL vmlinuz-{{linux_version}}-amd64
APPEND initrd=initrd.img-{{linux_version}}-amd64 ip=dhcp root=live:http://{{server_ip}}/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv{% if fai_menu %},menu{% endif %} FAI_CONFIG_SRC=http://{{server_ip}}/fai/config.tar FAI_ACTION=install
dest: /srv/tftp/fai/fai.cfg
mode: 0644
owner: root
group: root
tags:
- pxe
- tftp
- fai
- name: write pxe fai boot config
copy:
content: |
LABEL dban
MENU LABEL Darik's Boot And Nuke Tool
KERNEL dban.bzi
APPEND nuke="dwipe" silent vga=785
dest: /srv/tftp/fai/dban.cfg
mode: 0644
owner: root
group: root
tags:
- pxe
- tftp
- fai

View File

@ -1,22 +1,37 @@
- name: test pxe config already exists
stat:
path: /srv/tftp/fai
register: fai_tftp
- find:
paths: /srv/fai/nfsroot/boot
patterns: "vmlinuz-*"
register: fai_live_vmlinuz
- name: generate tftp config
shell: fai-chboot -IF -u http://{{server_ip}}/fai/config.tar default
when: fai_tftp.changed
tags:
- fai
- pxe
- http
- find:
paths: /srv/fai/nfsroot/boot
patterns: "initrd.img-*"
register: fai_live_initrd
- name: ensure fai dir exists
file:
path: /srv/tftp/fai
- set_fact:
fai_live_vmlinuz: "{{ fai_live_vmlinuz.files[0].path |regex_replace('.*/', '') }}"
fai_live_initrd: "{{ fai_live_initrd.files[0].path |regex_replace('.*/', '') }}"
- name: copy linux kernel and initrd to tftp root
copy:
src: "/srv/fai/nfsroot/boot/{{ item }}"
dest: "/srv/tftp/fai/{{ item }}"
owner: root
group: root
mode: 0755
mode: u=rw,g=r,o=r
remote_src: true
with_items:
- "{{ fai_live_vmlinuz }}"
- "{{ fai_live_initrd }}"
- name: generate squashfs image of root files
stat:
path: /srv/tftp/fai/squash.img
register: squash_img
- name: generate a downloadable squashfs of root filesystem
shell: fai-cd -f -M -S /srv/tftp/fai/squash.img
when: "not squash_img.stat.exists or fai_profiles.changed or fai_profiles_apt_proxy.changed"
- name: copy dban image
copy:
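Review bot: The `set_fact` task reads `fai_live_vmlinuz.files[0]` and `fai_live_initrd.files[0]` without checking how many files `find` matched. With an empty `/srv/fai/nfsroot/boot` the play stops on an index error, and with more than one kernel in the nfsroot the kernel and initrd that get picked may not belong to the same version. Add an `assert` that each result contains exactly one match, or sort both lists the same way before taking an element. Using a different fact name than the registered variable would also help, since `set_fact` overwrites the `find` result it reads from, and the `find` and `set_fact` tasks should get a `name:`.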
@ -24,9 +39,12 @@
dest: /srv/tftp/fai/dban.bzi
owner: root
group: root
mode: u=rw,g=r,o=r
- include: fai-pxe-ipxe.yml
when: use_ipxe
- name: setup iPXE
include: fai-pxe-ipxe.yml
- include: fai-pxe-pxelinux.yml
when: not use_ipxe
- name: force restart tftp server
service:
name: tftpd-hpa
state: restarted

View File

@ -1,35 +1,28 @@
- copy:
dest: /etc/fai/nfsroot.conf
content: |
# For a detailed description see nfsroot.conf(5)
# "<suite> <mirror>" for debootstrap
FAI_DEBOOTSTRAP="{{ debian_release }} http://localhost:3142/debian"
FAI_ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
NFSROOT=/srv/fai/nfsroot
TFTPROOT=/srv/tftp/fai
NFSROOT_HOOKS=/etc/fai/nfsroot-hooks/
FAI_DEBOOTSTRAP_OPTS="--exclude=wget"
# Configuration space
FAI_CONFIGDIR=/srv/fai/config
owner: root
group: root
mode: u=rw,g=r,o=r
- name: test nfsroot exists
stat:
path: /srv/fai/nfsroot
register: nfsroot_res
tags:
- fai
- root
- name: test if fai-setup already ran
file:
dest: /srv/fai/nfsroot
state: absent
when: "ensure_fai_setup_run and not disable_fai_chroot_build"
tags:
- fai
- root
- name: generate fai chroot
shell: fai-make-nfsroot -N
when: "(not nfsroot_res.stat.exists or ensure_fai_setup_run) and not disable_fai_chroot_build"
tags:
- fai
- root
- name: test squash image
stat:
path: /srv/tftp/fai/squash.img
register: squash_img
- name: generate squashfs
shell: fai-cd -f -M -S /srv/tftp/fai/squash.img
when: "(not squash_img.stat.exists or ensure_fai_setup_run) and not disable_fai_chroot_build"
tags:
- fai
- root
- name: generate root filesystem, kernel and initrd
shell: fai-make-nfsroot
when: "not nfsroot_res.stat.exists"
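Review bot: `FAI_ROOTPW` in the `/etc/fai/nfsroot.conf` content is a literal `$1$` (MD5-crypt) hash committed to the repository and written to a file with `o=r`, so the root password of every installer environment built from this role is the same and its hash is readable by any local user. The iPXE entry in this commit boots with `sshd` in `FAI_FLAGS`, which makes this the credential for network logins to a machine during installation. Take the hash from a variable (for example a vaulted one, name to be chosen, holding a SHA-512 crypt hash) rather than hard-coding it, and give the `copy` task a `name:`.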

View File

@ -2,8 +2,6 @@
apt:
name: isc-dhcp-server
state: present
tags:
- dhcp
- name: configure dhcp server
copy:
@ -35,27 +33,24 @@
if exists user-class and option user-class = "iPXE" {
filename "menu.ipxe";
} else {
if option architecture-type = 00:00 {
filename "ipxe.pxe";
} elsif option architecture-type = 00:09 {
filename "fai/efi64/syslinux.efi";
if option architecture-type = 00:09 {
filename "ipxe.efi";
} elsif option architecture-type = 00:07 {
filename "fai/efi64/syslinux.efi";
filename "ipxe.efi";
} elsif option architecture-type = 00:06 {
filename "fai/efi32/syslinux.efi";
filename "ipxe.efi";
} else {
filename "ipxe.pxe";
}
}
}
}
dest: /etc/dhcp/dhcpd.conf
mode: 0644
mode: u=rw,g=r,o=o
owner: root
group: root
# validate: dhcpd -t -cf %s
register: dhcpd_config
tags:
- dhcp
- routing
- name: set dhcp server interface
copy:
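Review bot: `mode: u=rw,g=r,o=o` on `/etc/dhcp/dhcpd.conf` looks like a typo for `o=r`; `o=o` assigns the permissions for others from themselves, so the resulting mode depends on what was there before instead of being pinned. The following hunk has the same value for `/etc/default/isc-dhcp-server`. While touching this task, re-enabling the commented `# validate: dhcpd -t -cf %s` would keep a broken configuration from replacing a working one before the restart.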
@ -63,18 +58,14 @@
INTERFACESv4="{{dhcp_interface}}"
INTERFACESv6=""
dest: /etc/default/isc-dhcp-server
mode: 0644
mode: u=rw,g=r,o=o
owner: root
group: root
register: dhcp_default_config
tags:
- dhcp
- name: reload dhcp
systemd:
name: isc-dhcp-server
state: restarted
when: dhcp_default_config.changed or dhcpd_config.changed
tags:
- dhcp

View File

@ -1,15 +1,28 @@
---
# tasks file for fai
- include: routing.yml
- include: time-server.yml
- include: isc-dhcp-server.yml
- include: nginx.yml
- include: unbound.yml
- include: apt-cacher-ng.yml
- name: setup apt proxy cache
include: apt-cacher-ng.yml
- name: configure a time server
include: time-server.yml
- name: configure a web server
include: nginx.yml
- name: configure tftp
include: tftpd-hpa.yml
- name: configure dns server
include: unbound.yml
- name: configure nic
include: network.yml
- name: setup dhcp
include: isc-dhcp-server.yml
- include: fai-prepare.yml
- include: fai-install.yml
- include: fai-configure.yml
- include: fai-profile.yml
- include: fai-profiles.yml
- include: fai-root.yml
- include: fai-pxe.yml
- include: fai-finish.yml

View File

@ -2,8 +2,6 @@
apt:
name: ['iptables', 'ifupdown']
state: present
tags:
- routing
- name: ensure resolved is stopped and disabled
service:
@ -27,7 +25,7 @@
- name: setup lan interface
shell: |
ifdown {{ dhcp_interface }} || true
ifdown --force {{ dhcp_interface }} || true
ifup {{ dhcp_interface }}
when: lan_iface_cfg.changed
@ -43,17 +41,13 @@
COMMIT
dest: /etc/network/iptables.up.rules
register: iptables_up_rules
tags:
- routing
- name: apply iptables rules
iptables:
table: nat
chain: POSTROUTING
out_interface: "{{wan_interface}}"
out_interface: "{{ wan_interface }}"
jump: MASQUERADE
tags:
- routing
- name: enable ip forwarding
sysctl:
@ -62,6 +56,3 @@
sysctl_set: yes
state: present
reload: yes
tags:
- routing

View File

@ -2,8 +2,6 @@
apt:
name: nginx-light
state: present
tags:
- http
- name: configure http server
copy:
@ -19,18 +17,9 @@
autoindex on;
try_files $uri $uri/ =404;
}
}
server {
listen 80 apt.faiserver.lan;
listen [::]:80 apt.faiserver.lan;
root /var/cache/apt-cacher-ng/uburep;
index index.html;
server_name _;
location / {
autoindex on;
try_files $uri $uri/ =404;
location /apt-mirror {
root /var/cache/apt-cacher-ng/uburep;
}
}
dest: /etc/nginx/sites-enabled/default
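Review bot: In `location /apt-mirror`, `root /var/cache/apt-cacher-ng/uburep;` makes nginx append the full request URI to the root, so a request for `/apt-mirror/dists/...` is looked up under `/var/cache/apt-cacher-ng/uburep/apt-mirror/dists/...`. If the intent is to expose the cache directory itself under that prefix, use `location /apt-mirror/` with `alias /var/cache/apt-cacher-ng/uburep/;` instead.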
@ -38,22 +27,16 @@
owner: root
group: root
register: nginx_conf
tags:
- http
- name: ensure http server is running
service:
name: nginx
state: started
enabled: true
tags:
- http
- name: ensure http server is restart after config change
systemd:
name: nginx
state: restarted
when: nginx_conf.changed
tags:
- http

View File

@ -0,0 +1,31 @@
- name: install tftp server
package:
name: [tftpd-hpa]
state: present
- file:
name: /srv/tftp/fai
state: directory
owner: root
group: root
mode: u=rwx,g=rx,o=rx
recurse: true
- name: configure tftp server
copy:
dest: /etc/default/tftpd-hpa
content: |
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp/fai"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"
owner: root
group: root
mode: 0644
register: tftpd_cfg
- service:
name: tftpd-hpa
state: restarted
enabled: true
when: tftpd_cfg.changed
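Review bot: `TFTP_ADDRESS="0.0.0.0:69"` makes tftpd listen on every interface, including `wan_interface`, although the boot files are only needed on the installer network; bind it to `{{ server_ip }}:69`. In the unnamed `file` task, `recurse: true` together with `mode: u=rwx,g=rx,o=rx` marks every file below `/srv/tftp/fai` executable on each run, after which the `copy linux kernel and initrd to tftp root` task sets them back to `u=rw,g=r,o=r`, so the play reports changes on every run; drop `recurse` or use `X` for the execute bits. The `file` and `service` tasks are also missing a `name:`.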

View File

@ -1,10 +1,7 @@
- name: install inetd
apt:
package:
name: inetutils-tools
state: present
tags:
- time
- rdate
- name: activate rdate
copy:
@ -13,21 +10,24 @@
dest: /etc/inetd.conf
owner: root
group: root
mode: 0644
mode: u=rw,g=r,o=r
register: inetd_conf
tags:
- time
- rdate
- name: ensure inetd started
- name: ensure inetd is started
service:
name: inetutils-inetd
state: restarted
name: inetd
state: started
enabled: true
when: inetd_conf.changed
- name: ensure inetd is refreshed, when config changed
service:
name: inetd
state: restarted
when: inetd_conf.changed
- name: install ntp server
apt:
package:
name: ntp
state: present
@ -70,7 +70,7 @@
enabled: true
- name: reload ntp config
systemd:
service:
name: ntp
state: restarted
when: ntp_conf.changed

View File

@ -1,44 +1,34 @@
- name: install unbound server
apt:
package:
name: unbound
state: present
tags:
- dns
- name: configure dns
copy:
content: |
server:
access-control: {{server_net}}.0/{{server_netbits}} allow
private-domain: "{{domain_name}}"
domain-insecure: "{{domain_name}}"
access-control: {{ server_net }}.0/{{ server_netbits }} allow
private-domain: "{{ domain_name }}"
domain-insecure: "{{ domain_name }}"
interface: 0.0.0.0
local-zone: "{{domain_name}}." static
local-data: "{{server_name}}.{{domain_name}}. IN A {{server_ip}}"
local-data: "apt.{{server_name}}.{{domain_name}}. IN A {{server_ip}}"
local-data: "monserver.{{domain_name}} IN A {{server_ip}}"
local-zone: "{{ domain_name }}." static
local-data: "{{ server_name }}.{{ domain_name }}. IN A {{ server_ip }}"
dest: /etc/unbound/unbound.conf.d/fai.conf
mode: 0644
mode: u=rw,g=r,o=r
owner: root
group: root
register: unbound_conf
tags:
- dns
- name: ensure unbound is enabled and running
service:
name: unbound
state: started
enabled: true
tags:
- dns
- name: apply dns config
systemd:
name: unbound
state: restarted
when: unbound_conf.changed
tags:
- dns

View File

@ -0,0 +1 @@
Acquire::http::Proxy "http://{{ server_name }}:3142";
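Review bot: The proxy URL `http://{{ server_name }}:3142` will stay in the installed system's apt configuration unless something removes it. Assuming this is the source of the `Set APT proxy` task, it is placed under `files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP` in the config space, and once the machine leaves the installer network that host no longer resolves, so apt on the delivered desktop fails. Please make sure a final step of the profile removes the file from the target, or document that it has to be removed. The source name `fai-profile-00-proxy.yml` is also misleading for an apt.conf snippet.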

View File

@ -1,2 +1,4 @@
---
# vars file for fai
# vars file for fai
server_net: "{{ server_ip |regex_replace('.[0-9]+$', '') }}"
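Review bot: `server_net` is derived with `regex_replace('.[0-9]+$', '')`, which only yields the right network when `server_netbits` is 24, although the README lists `server_netbits` and `server_netmask` as configurable; with any other prefix the unbound line `access-control: {{ server_net }}.0/{{ server_netbits }} allow` describes the wrong range. The leading `.` in the pattern is also unescaped and matches any character. Deriving the network from `server_ip` and `server_netbits` with the `ipaddr` filter, or at least escaping the dot and documenting the /24 assumption, would be safer.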

View File

@ -1,15 +0,0 @@
- hosts: all
vars:
ensure_fai_setup_run: false
dhcp_interface: eth1
wan_interface: eth0
server_name: faiserver
server_ip: 192.168.33.1
server_net: 192.168.33
server_netbits: 24
server_netmask: 255.255.255.0
domain_name: lan
linux_version: 4.19.0-10
roles:
- fai