From 82b8dc4fad0c39f5b1772d1aef18545069ec9672 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20B=C3=B6hm?= Date: Thu, 15 Oct 2020 00:20:05 +0200 Subject: [PATCH] WIP --- .gitignore | 4 + README.md | 100 ++++++ Vagrantfile | 6 +- playbook-vagrant.yml | 14 + roles/fai/defaults/main.yml | 11 +- roles/fai/files/profiles/class/menu.profile | 2 +- .../etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP | 1 - roles/fai/tasks/apt-cacher-ng.yml | 26 +- roles/fai/tasks/fai-configure.yml | 22 +- roles/fai/tasks/fai-finish.yml | 5 - roles/fai/tasks/fai-install.yml | 3 - roles/fai/tasks/fai-prepare.yml | 12 +- roles/fai/tasks/fai-profile.yml | 16 - roles/fai/tasks/fai-profiles.yml | 30 ++ roles/fai/tasks/fai-pxe-ipxe.yml | 28 +- roles/fai/tasks/fai-pxe-pxelinux.yml | 288 ------------------ roles/fai/tasks/fai-pxe.yml | 56 ++-- roles/fai/tasks/fai-root.yml | 53 ++-- roles/fai/tasks/isc-dhcp-server.yml | 25 +- roles/fai/tasks/main.yml | 31 +- roles/fai/tasks/{routing.yml => network.yml} | 13 +- roles/fai/tasks/nginx.yml | 21 +- roles/fai/tasks/tftpd-hpa.yml | 31 ++ roles/fai/tasks/time-server.yml | 26 +- roles/fai/tasks/unbound.yml | 24 +- roles/fai/templates/fai-profile-00-proxy.yml | 1 + roles/fai/vars/main.yml | 4 +- setup.yml | 15 - 28 files changed, 345 insertions(+), 523 deletions(-) create mode 100644 README.md create mode 100644 playbook-vagrant.yml delete mode 100644 roles/fai/files/profiles/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP delete mode 100644 roles/fai/tasks/fai-finish.yml delete mode 100644 roles/fai/tasks/fai-install.yml delete mode 100644 roles/fai/tasks/fai-profile.yml create mode 100644 roles/fai/tasks/fai-profiles.yml delete mode 100644 roles/fai/tasks/fai-pxe-pxelinux.yml rename roles/fai/tasks/{routing.yml => network.yml} (88%) create mode 100644 roles/fai/tasks/tftpd-hpa.yml create mode 100644 roles/fai/templates/fai-profile-00-proxy.yml delete mode 100644 setup.yml diff --git a/.gitignore b/.gitignore index c1efe06..40bcb8a 100644 --- a/.gitignore 
+++ b/.gitignore @@ -3,3 +3,7 @@ # Vagrant .vagrant + +# ansible +hosts +ansible.cfg diff --git a/README.md b/README.md new file mode 100644 index 0000000..282a952 --- /dev/null +++ b/README.md 
@@ -0,0 +1,100 @@ +# HW4F Netboot Installer + +Server die automatische Installation über das Netzwerks von Ubuntu 20.04 im Rahmen des **https://hardwareforfuture.de(Hardware for Future)** Projekts des dezentrale e.V. + +Für den Betrieb wird einmalig eine Internetverbindung benötigt. Der Server wird über Ansible aufgesetzt. Hierfür werden verschiedene Komponenten installiert, u.a. FAI (Fully Automatic Installtion). Mit dem Server wird ein Netz aufgespannt, welches für den Anschluß des zu installierenden Rechner verwendet wird. Wenn die Rechner mit dem Netzwerk verbunden sind, können sie über einen Netzwerkboot (F-Testen beim Start des Rechners) über PXE gebootet werden. PXE lädt die erforderliche Dateien vom Server und der FAI-Installer installiert dann Ubuntu auf den Rechner. + +Es wird ein Nutzer *demo* angelegt. Das Passwort ist *fai*. Dieser Nutzer kann Administrationsrechte erlang und es sollte nach der Anmeldung das Passwort dringenst geändert werden. + +## Voraussetzungen + +Server: + +* Debian Buster + +Zu installierende Clients: + +* CPU mit x86-64 Unterstützung +* 512 MB RAM empfohlen +* mehr als 20 GB Festsplatte oder SSD +* PXE-fähig oder USB-Stick mit bootfähigen iPXE oder iPXE-CD zum Booten des Rechern + +## Verwendung + +Zunächst ansible für die automatische Installation und Konfiguration aller Komponeten herunterladen: + +```console +apt install ansible +``` + +Danach ein Playbook (z.B. *fai.yml*) anlegen und die grundlegende Parameter festlegen: + +```yml +- hosts: localhost + become: true + vars: + dhcp_interface: eth1 # NIC für die Installer Netz + wan_interface: eth0 # NIC zum Internet + roles: + - fai +``` + +Danach das Playbook ausführen: + +``` +ansible-playbook fai.yml +``` + +### Konfiguration + +Über Ansible-Variablen kann die Installation noch weiter angepasst werden. 
+ +|**Variable** |**Bedeutung** |**Standard** | +|--- |--- |--- | +|dhcp_interface |NIC des Installtionnetzs |eth1 | +|wan_interface |NIC zum Internet |eth0 | +|server_name |Server-Name |faiserver | +|domain_name |Domain-Name des Netzes |local | +|server_ip |IP des Servers |192.168.33.1 | +|server_netbits |Bits der Netzmaske |24 | +|server_netmask |Netzmaske |255.255.255.0 | +|apt_cacher_offline_mode |true, um nur den vorhanden Packet-Cache als Repository zu nutzen |false | +|debian_release |Debian Release, was für FAI genutzt werden soll. |buster | + +Beispielsweise kann der Server mit obigen Playbook aufgesetzt werden, eine Rechner mit Ubuntu installiert werden und danach der Server wie folgt in den Offline-Installationsmodus versetzt werden: + +```yml +- hosts: localhost + become: true + vars: + dhcp_interface: eth1 # NIC für die Installer Netz + wan_interface: eth0 # NIC zum Internet + apt_cacher_offline_mode: true + roles: + - fai +``` + +Danach das Playbook noch einmal ausführen, um die Konfigration zu aktualisieren: + +``` +ansible-playbook fai.yml +``` + +## Details + +*TBD* + +### Komponenten + +* DHCP: isc-dhcp-server +* TFTP: tftpd-hpa +* DNS: unbound +* ntp: ntp +* time: inetd +* HTTP: nginx + +## Verweise + +* https://fai-project.org(FAI Project) +* https://ipxe.org(iPXE) +* https://www.ansible.com(Ansible) diff --git a/Vagrantfile b/Vagrantfile index 57189fd..59af0bb 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -11,12 +11,10 @@ def create(config, name) vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"] end - v.vm.network "private_network", ip: "192.168.33.1", virtualbox__intnet: true + v.vm.network "private_network", virtualbox__intnet: true, auto_config: false v.vm.provision "ansible" do |ans| - ans.playbook = "setup.yml" - #ans.vault_password_file = ".vault_pass" - ans.verbose = true + ans.playbook = "playbook-vagrant.yml" end end end diff --git a/playbook-vagrant.yml b/playbook-vagrant.yml new file mode 100644 index 0000000..fc2e1d7 
--- /dev/null +++ b/playbook-vagrant.yml @@ -0,0 +1,14 @@ +- hosts: faiserver + become: true + vars: + # interface to the clients to install + dhcp_interface: eth1 + # interface for a internet connection + wan_interface: eth0 + # customized server name + server_name: faiserver + # ip of the server of the installer network + server_ip: 192.168.33.1 + roles: + - fai + diff --git a/roles/fai/defaults/main.yml b/roles/fai/defaults/main.yml index e72cee5..8709d60 100644 --- a/roles/fai/defaults/main.yml +++ b/roles/fai/defaults/main.yml @@ -1,17 +1,12 @@ --- # defaults file for fai -use_ipxe: true -fai_menu: true -ensure_fai_setup_run: false -disable_fai_chroot_build: false dhcp_interface: eth1 wan_interface: eth0 server_name: faiserver +domain_name: local server_ip: 192.168.33.1 -server_net: 192.168.33 +server_netbits: 24 server_netmask: 255.255.255.0 -domain_name: lan -linux_version: 4.19.0-10 -use_apt_cache: true apt_cacher_offline_mode: false +debian_release: buster diff --git a/roles/fai/files/profiles/class/menu.profile b/roles/fai/files/profiles/class/menu.profile index 5e10210..e0c6181 100644 --- a/roles/fai/files/profiles/class/menu.profile +++ b/roles/fai/files/profiles/class/menu.profile @@ -4,7 +4,7 @@ Name: HW4F Desktop Description: Desktop installtion for Hardware for future Short: HW4F Long: Ubuntu 20.04 LTS (Focal Fossa) Desktop installtion -Classes: INSTALL HW4F_DESKTOP UBUNTU HW4F_DESKTOP_LAST +Classes: INSTALL GERMAN HW4F_DESKTOP UBUNTU HW4F_DESKTOP_LAST Name: Secure erase SSD Description: Run a secure erase for SSD diff --git a/roles/fai/files/profiles/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP b/roles/fai/files/profiles/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP deleted file mode 100644 index 32bc8e1..0000000 --- a/roles/fai/files/profiles/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP +++ /dev/null @@ -1 +0,0 @@ -Acquire::http::Proxy "http://faiserver:3142"; 
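Review bot: The new default `domain_name: local` puts the server at `faiserver.local`, and `.local` is the mDNS domain (RFC 6762): stub resolvers on Ubuntu clients (systemd-resolved, avahi/nss-mdns) send `*.local` to multicast instead of the DHCP-supplied DNS server, so the name may not resolve on the installed system or in the installer even though unbound serves it. The previous default `lan` (removed in this hunk) or `home.arpa` avoids that. If `local` is intended, a comment next to the default saying why would stop the next person from "fixing" it: `domain_name: local  # NOTE: .local is mDNS-reserved; clients must use the DHCP DNS server`.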
diff --git a/roles/fai/tasks/apt-cacher-ng.yml b/roles/fai/tasks/apt-cacher-ng.yml index 10e7823..745ffa7 100644 --- a/roles/fai/tasks/apt-cacher-ng.yml +++ b/roles/fai/tasks/apt-cacher-ng.yml @@ -11,21 +11,31 @@ SupportDir: /usr/lib/apt-cacher-ng Port: 3142 + # Mappings Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-security + Remap-fai: fai-project.org /download + # The Report page ReportPage: acng-report.html - ExThreshold: 4 - Offlinemode: {% if apt_cacher_offline_mode %}1{% else %}0{% endif %} + # 120 days till a package will expire + ExThreshold: 120 + # use one connection to reduce disruptions ReuseConnections: 1 PipelineDepth: 1 + + # don't wait to long for server + NetworkTimeout: 5 + + # Only serve available files + Offlinemode: {% if apt_cacher_offline_mode %}1{% else %}0{% endif %} dest: /etc/apt-cacher-ng/acng.conf owner: root group: root - mode: 0644 + mode: u=rw,g=r,o=r register: apt_cacher_config - name: ensure service is started and enabled @@ -39,3 +49,13 @@ name: apt-cacher-ng state: restarted when: apt_cacher_config.changed + +- name: set apt cache also for installer host + copy: + dest: /etc/apt/apt.conf.d/00proxy + content: | + Acquire::http::Proxy "http://localhost:3142"; + owner: root + group: root + mode: u=rw,g=r,o=r + diff --git a/roles/fai/tasks/fai-configure.yml b/roles/fai/tasks/fai-configure.yml index 4d6ff4f..4b6d30e 100644 --- a/roles/fai/tasks/fai-configure.yml +++ b/roles/fai/tasks/fai-configure.yml 
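Review bot: The acng.conf written here sets `Port: 3142` but no `BindAddress` is visible, so unless it is set in the part of the file above this hunk apt-cacher-ng listens on every interface, including `wan_interface`, and acts as an open HTTP proxy/cache for whatever network the server is plugged into. `BindAddress: localhost {{ server_ip }}` next to the port keeps it on loopback (which the new 00proxy file and /etc/fai/apt/sources.list use) and on the install segment only. The new /etc/apt/apt.conf.d/00proxy also makes apt on the server itself depend on apt-cacher-ng being up; a one-line comment above that task stating that this is deliberate for offline operation would help.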
@@ -1,27 +1,21 @@ - name: setup repos for fai copy: dest: /etc/fai/apt/sources.list - mode: 0644 + content: | + deb http://localhost:3142/deb.debian.org/debian buster main contrib non-free + deb http://localhost:3142/security.debian.org/debian-security buster/updates main + deb http://localhost:3142/deb.debian.org/debian/ buster-updates main + deb http://localhost:3142/fai-project.org/download buster koeln + mode: u=rw,g=r,o=r owner: root group: root - content: | - deb http://deb.debian.org/debian buster main contrib non-free - deb http://deb.debian.org/debian-security buster/updates main contrib non-free - deb http://deb.debian.org/debian buster-backports main contrib non-free - - # fai automated install - deb http://fai-project.org/download buster koeln - tags: - - fai - - apt + register: fai_apt_mirrors - name: set loguser copy: dest: /etc/fai/fai.conf - mode: 0644 + mode: u=rw,g=r,o=r owner: root group: root content: | LOGUSER=root - tags: - - fai diff --git a/roles/fai/tasks/fai-finish.yml b/roles/fai/tasks/fai-finish.yml deleted file mode 100644 index b1e24a7..0000000 --- a/roles/fai/tasks/fai-finish.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: pack fai configuration - shell: tar -C /srv/fai/config -cf /srv/fai/config.tar . - when: fai_profiles.changed - - diff --git a/roles/fai/tasks/fai-install.yml b/roles/fai/tasks/fai-install.yml deleted file mode 100644 index 2504137..0000000 --- a/roles/fai/tasks/fai-install.yml +++ /dev/null @@ -1,3 +0,0 @@ -- apt: - name: fai-server - state: present diff --git a/roles/fai/tasks/fai-prepare.yml b/roles/fai/tasks/fai-prepare.yml index 7d85844..353e945 100644 --- a/roles/fai/tasks/fai-prepare.yml +++ b/roles/fai/tasks/fai-prepare.yml 
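Review bot: The new sources.list hard-codes `buster` on all four lines while the same commit introduces `debian_release` and already uses it in fai-prepare.yml for the FAI repo, so changing the variable leaves the nfsroot on a different release than the apt key/repo setup. The security line also lost `contrib non-free` that the removed version had, while `main` keeps them, so packages from those components in the nfsroot would not receive security updates; if that was not deliberate it should be restored. Note that templating alone does not carry the file past buster, because the security suite naming changes from `<release>/updates` to `<release>-security` in bullseye, which deserves a comment.
```yaml
content: |
  deb http://localhost:3142/deb.debian.org/debian {{ debian_release }} main contrib non-free
  deb http://localhost:3142/security.debian.org/debian-security {{ debian_release }}/updates main contrib non-free
  deb http://localhost:3142/deb.debian.org/debian/ {{ debian_release }}-updates main contrib non-free
  deb http://localhost:3142/fai-project.org/download {{ debian_release }} koeln
# … unchanged: mode/owner/group/register …
```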
@@ -3,15 +3,13 @@ id: B11EE3273F6B2DEB528C93DA2BF8D9FE074BCDE4 url: https://fai-project.org/download/2BF8D9FE074BCDE4.asc state: present - tags: - - apt - - fai - name: add fai repo apt_repository: - repo: deb http://fai-project.org/download buster koeln + repo: deb http://fai-project.org/download {{ debian_release }} koeln state: present - tags: - - apt - - fai +- name: install all required fai programs + package: + name: [fai-server, squashfs-tools, ipxe] + state: present diff --git a/roles/fai/tasks/fai-profile.yml b/roles/fai/tasks/fai-profile.yml deleted file mode 100644 index ca03966..0000000 --- a/roles/fai/tasks/fai-profile.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: create fai dir - file: - name: /srv/fai/config - state: directory - owner: root - group: root - mode: 0755 - -- name: copy profile - synchronize: - src: profiles/ - dest: /srv/fai/config/ - mode: push - delete: yes - recursive: yes - register: fai_profiles diff --git a/roles/fai/tasks/fai-profiles.yml b/roles/fai/tasks/fai-profiles.yml new file mode 100644 index 0000000..9b119d6 --- /dev/null +++ b/roles/fai/tasks/fai-profiles.yml @@ -0,0 +1,30 @@ +- name: create fai dir + file: + name: /srv/fai/config + state: directory + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: copy fai profile + synchronize: + src: profiles/ + dest: /srv/fai/config/ + mode: push + delete: yes + recursive: yes + register: fai_profiles + +- name: Set APT proxy + template: + src: fai-profile-00-proxy.yml + dest: /srv/fai/config/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP + owner: root + group: root + mode: u=rw,g=r,o=r + register: fai_profiles_apt_proxy + +- name: pack fai configuration + shell: tar -C /srv/fai/config -cf /srv/fai/config.tar . + when: "fai_profiles.changed or fai_profiles_apt_proxy.changed" + diff --git a/roles/fai/tasks/fai-pxe-ipxe.yml b/roles/fai/tasks/fai-pxe-ipxe.yml index 6557c8c..39cbf2b 100644 --- a/roles/fai/tasks/fai-pxe-ipxe.yml +++ b/roles/fai/tasks/fai-pxe-ipxe.yml 
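Review bot: `create fai dir` in the new fai-profiles.yml applies `mode: u=rw,g=r,o=r` to a `state: directory`, i.e. 0644 without the execute bit, so only root can enter /srv/fai/config; it should be `mode: u=rwx,g=rx,o=rx` as the tftp directory task uses. The following `synchronize` with `delete: yes` removes everything under the directory that is not in the role's profiles/, which now includes the templated files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP (deleted from profiles/ in this commit), so every run deletes and re-templates it, `fai_profiles_apt_proxy.changed` is always true, config.tar is always repacked and fai-pxe.yml rebuilds squash.img on every run. Excluding that path from the sync, `rsync_opts: ["--exclude=files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP"]`, restores idempotency.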
@@ -1,26 +1,15 @@ -- name: install ipxe - package: +- package: name: ipxe state: present - tags: - - pxe - - bios - - efi - - ipxe - name: copy ipxe copy: src: "{{ item }}" - dest: /srv/tftp/ + dest: /srv/tftp/fai remote_src: yes with_items: - /usr/lib/ipxe/ipxe.efi - /usr/lib/ipxe/ipxe.pxe - tags: - - pxe - - ipxe - - bios - - efi - name: write ipxe menu copy: @@ -39,7 +28,6 @@ menu iPXE boot menu item --key f fai FAI Installer item --gap -- - item --key p pxelinux PXE Linux item --key d dban Dariks boot and nuke (DBAN) item --gap -- item --key c config Configure settings @@ -76,9 +64,9 @@ exit :fai - kernel fai/vmlinuz-4.19.0-10-amd64 - initrd fai/initrd.img-4.19.0-10-amd64 - imgargs vmlinuz-4.19.0-10-amd64 ip=dhcp root=live:http://192.168.33.1/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv,menu FAI_CONFIG_SRC=http://192.168.33.1/fai/config.tar FAI_ACTION=install + kernel {{ fai_live_vmlinuz }} + initrd {{ fai_live_initrd }} + imgargs {{ fai_live_vmlinuz }} ip=dhcp root=live:http://{{ server_name }}/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv,menu FAI_CONFIG_SRC=http://{{ server_name }}/fai/config.tar FAI_ACTION=install net.ifnames=0 boot || goto failed goto start @@ -87,12 +75,8 @@ imgargs dban.bzi silent vga=785 boot || goto failed goto start - dest: /srv/tftp/menu.ipxe + dest: /srv/tftp/fai/menu.ipxe mode: 0644 owner: root group: root - tags: - - pxe - - tftp - - fai diff --git a/roles/fai/tasks/fai-pxe-pxelinux.yml b/roles/fai/tasks/fai-pxe-pxelinux.yml deleted file mode 100644 index eb5fbe0..0000000 --- a/roles/fai/tasks/fai-pxe-pxelinux.yml +++ /dev/null 
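Review bot: The `:fai` boot line keeps `sshd` in FAI_FLAGS, which starts an ssh daemon on every installing client with the root password from /etc/fai/nfsroot.conf, and every artefact in the chain (menu.ipxe, kernel and initrd over TFTP, squash.img and config.tar over HTTP) is fetched without any integrity check, so the setup is only safe on a physically isolated install segment. I would state that assumption in the script, e.g. `# NOTE: unauthenticated boot chain and sshd on the client - only run this on an isolated install network` above the `:fai` label, and drop `sshd` if remote access during the install is not needed. iPXE can enforce signed images via `imgtrust`/`imgverify` if a verified chain is wanted later. The kernel cmdline now uses `{{ server_name }}` instead of the IP; the installer's dracut/kernel resolver only sees the bare host name, so this relies on the DHCP server handing out `domain-name`/DNS options (not visible here) — worth a comment or using `server_ip` as before.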
@@ -1,288 +0,0 @@ -- name: install syslinux - package: - name: "{{ item }}" - state: present - with_items: - - pxelinux - - syslinux - - syslinux-efi - tags: - - pxe - - bios - - efi - - syslinux - -- name: generate pxe directory structure - file: - name: "{{ item }}" - state: directory - with_items: - - /srv/tftp/fai/bios - - /srv/tftp/fai/efi32 - - /srv/tftp/fai/efi64 - tags: - - pxe - - bios - - efi - - syslinux - -- name: copy pxelinux - copy: - src: /usr/lib/PXELINUX/pxelinux.0 - dest: /srv/tftp/fai/bios/pxelinux.0 - owner: root - group: root - remote_src: yes - tags: - - pxe - - syslinux - -- name: copy pxe efi32 - copy: - src: /usr/lib/SYSLINUX.EFI/efi32/syslinux.efi - dest: /srv/tftp/fai/efi32/syslinux.efi - owner: root - group: root - remote_src: yes - -- name: copy pxe bios modules - copy: - src: "{{ item }}" - dest: /srv/tftp/fai/bios/ - owner: root - group: root - remote_src: yes - with_items: - - /usr/lib/syslinux/modules/bios/dmitest.c32 - - /usr/lib/syslinux/modules/bios/chain.c32 - - /usr/lib/syslinux/modules/bios/libcom32.c32 - - /usr/lib/syslinux/modules/bios/sysdump.c32 - - /usr/lib/syslinux/modules/bios/sanboot.c32 - - /usr/lib/syslinux/modules/bios/host.c32 - - /usr/lib/syslinux/modules/bios/vesainfo.c32 - - /usr/lib/syslinux/modules/bios/liblua.c32 - - /usr/lib/syslinux/modules/bios/gfxboot.c32 - - /usr/lib/syslinux/modules/bios/mboot.c32 - - /usr/lib/syslinux/modules/bios/disk.c32 - - /usr/lib/syslinux/modules/bios/meminfo.c32 - - /usr/lib/syslinux/modules/bios/hdt.c32 - - /usr/lib/syslinux/modules/bios/cpuid.c32 - - /usr/lib/syslinux/modules/bios/cpu.c32 - - /usr/lib/syslinux/modules/bios/libgpl.c32 - - /usr/lib/syslinux/modules/bios/libutil.c32 - - /usr/lib/syslinux/modules/bios/kontron_wdt.c32 - - /usr/lib/syslinux/modules/bios/kbdmap.c32 - - /usr/lib/syslinux/modules/bios/vesamenu.c32 - - /usr/lib/syslinux/modules/bios/pci.c32 - - /usr/lib/syslinux/modules/bios/ethersel.c32 - - /usr/lib/syslinux/modules/bios/pmload.c32 - - 
/usr/lib/syslinux/modules/bios/cptime.c32 - - /usr/lib/syslinux/modules/bios/gpxecmd.c32 - - /usr/lib/syslinux/modules/bios/whichsys.c32 - - /usr/lib/syslinux/modules/bios/vesa.c32 - - /usr/lib/syslinux/modules/bios/pxechn.c32 - - /usr/lib/syslinux/modules/bios/lfs.c32 - - /usr/lib/syslinux/modules/bios/ifplop.c32 - - /usr/lib/syslinux/modules/bios/dmi.c32 - - /usr/lib/syslinux/modules/bios/pcitest.c32 - - /usr/lib/syslinux/modules/bios/cmenu.c32 - - /usr/lib/syslinux/modules/bios/reboot.c32 - - /usr/lib/syslinux/modules/bios/debug.c32 - - /usr/lib/syslinux/modules/bios/ifmemdsk.c32 - - /usr/lib/syslinux/modules/bios/zzjson.c32 - - /usr/lib/syslinux/modules/bios/sdi.c32 - - /usr/lib/syslinux/modules/bios/ldlinux.c32 - - /usr/lib/syslinux/modules/bios/dhcp.c32 - - /usr/lib/syslinux/modules/bios/menu.c32 - - /usr/lib/syslinux/modules/bios/poweroff.c32 - - /usr/lib/syslinux/modules/bios/elf.c32 - - /usr/lib/syslinux/modules/bios/hexdump.c32 - - /usr/lib/syslinux/modules/bios/libmenu.c32 - - /usr/lib/syslinux/modules/bios/vpdtest.c32 - - /usr/lib/syslinux/modules/bios/ifcpu.c32 - - /usr/lib/syslinux/modules/bios/ls.c32 - - /usr/lib/syslinux/modules/bios/cpuidtest.c32 - - /usr/lib/syslinux/modules/bios/cmd.c32 - - /usr/lib/syslinux/modules/bios/rosh.c32 - - /usr/lib/syslinux/modules/bios/pwd.c32 - - /usr/lib/syslinux/modules/bios/linux.c32 - - /usr/lib/syslinux/modules/bios/config.c32 - - /usr/lib/syslinux/modules/bios/ifcpu64.c32 - - /usr/lib/syslinux/modules/bios/cat.c32 - - /usr/lib/syslinux/modules/bios/lua.c32 - - /usr/lib/syslinux/modules/bios/syslinux.c32 - - /usr/lib/syslinux/modules/bios/prdhcp.c32 - - /usr/lib/syslinux/modules/bios/dir.c32 - tags: - - pxe - - efi - -- name: copy pxe efi32 modules - copy: - src: "{{ item }}" - dest: /srv/tftp/fai/efi32/ - owner: root - group: root - remote_src: yes - with_items: - - /usr/lib/syslinux/modules/efi32/dmitest.c32 - - /usr/lib/syslinux/modules/efi32/chain.c32 - - /usr/lib/syslinux/modules/efi32/libcom32.c32 - - 
/usr/lib/syslinux/modules/efi32/sysdump.c32 - - /usr/lib/syslinux/modules/efi32/host.c32 - - /usr/lib/syslinux/modules/efi32/liblua.c32 - - /usr/lib/syslinux/modules/efi32/gfxboot.c32 - - /usr/lib/syslinux/modules/efi32/mboot.c32 - - /usr/lib/syslinux/modules/efi32/meminfo.c32 - - /usr/lib/syslinux/modules/efi32/hdt.c32 - - /usr/lib/syslinux/modules/efi32/cpuid.c32 - - /usr/lib/syslinux/modules/efi32/cpu.c32 - - /usr/lib/syslinux/modules/efi32/libgpl.c32 - - /usr/lib/syslinux/modules/efi32/ldlinux.e32 - - /usr/lib/syslinux/modules/efi32/libutil.c32 - - /usr/lib/syslinux/modules/efi32/vesamenu.c32 - - /usr/lib/syslinux/modules/efi32/pci.c32 - - /usr/lib/syslinux/modules/efi32/cptime.c32 - - /usr/lib/syslinux/modules/efi32/whichsys.c32 - - /usr/lib/syslinux/modules/efi32/vesa.c32 - - /usr/lib/syslinux/modules/efi32/lfs.c32 - - /usr/lib/syslinux/modules/efi32/dmi.c32 - - /usr/lib/syslinux/modules/efi32/cmenu.c32 - - /usr/lib/syslinux/modules/efi32/reboot.c32 - - /usr/lib/syslinux/modules/efi32/debug.c32 - - /usr/lib/syslinux/modules/efi32/zzjson.c32 - - /usr/lib/syslinux/modules/efi32/dhcp.c32 - - /usr/lib/syslinux/modules/efi32/menu.c32 - - /usr/lib/syslinux/modules/efi32/hexdump.c32 - - /usr/lib/syslinux/modules/efi32/libmenu.c32 - - /usr/lib/syslinux/modules/efi32/vpdtest.c32 - - /usr/lib/syslinux/modules/efi32/ifcpu.c32 - - /usr/lib/syslinux/modules/efi32/ls.c32 - - /usr/lib/syslinux/modules/efi32/cpuidtest.c32 - - /usr/lib/syslinux/modules/efi32/cmd.c32 - - /usr/lib/syslinux/modules/efi32/rosh.c32 - - /usr/lib/syslinux/modules/efi32/pwd.c32 - - /usr/lib/syslinux/modules/efi32/linux.c32 - - /usr/lib/syslinux/modules/efi32/config.c32 - - /usr/lib/syslinux/modules/efi32/ifcpu64.c32 - - /usr/lib/syslinux/modules/efi32/cat.c32 - - /usr/lib/syslinux/modules/efi32/lua.c32 - - /usr/lib/syslinux/modules/efi32/syslinux.c32 - - /usr/lib/syslinux/modules/efi32/dir.c32 - tags: - - pxe - - efi - -- name: copy pxe efi64 modules - copy: - src: "{{ item }}" - dest: 
/srv/tftp/fai/efi64/ - owner: root - group: root - remote_src: yes - with_items: - - /usr/lib/syslinux/modules/efi64/dmitest.c32 - - /usr/lib/syslinux/modules/efi64/chain.c32 - - /usr/lib/syslinux/modules/efi64/libcom32.c32 - - /usr/lib/syslinux/modules/efi64/sysdump.c32 - - /usr/lib/syslinux/modules/efi64/host.c32 - - /usr/lib/syslinux/modules/efi64/liblua.c32 - - /usr/lib/syslinux/modules/efi64/gfxboot.c32 - - /usr/lib/syslinux/modules/efi64/mboot.c32 - - /usr/lib/syslinux/modules/efi64/meminfo.c32 - - /usr/lib/syslinux/modules/efi64/hdt.c32 - - /usr/lib/syslinux/modules/efi64/cpuid.c32 - - /usr/lib/syslinux/modules/efi64/cpu.c32 - - /usr/lib/syslinux/modules/efi64/libgpl.c32 - - /usr/lib/syslinux/modules/efi64/ldlinux.e64 - - /usr/lib/syslinux/modules/efi64/libutil.c32 - - /usr/lib/syslinux/modules/efi64/vesamenu.c32 - - /usr/lib/syslinux/modules/efi64/pci.c32 - - /usr/lib/syslinux/modules/efi64/cptime.c32 - - /usr/lib/syslinux/modules/efi64/whichsys.c32 - - /usr/lib/syslinux/modules/efi64/vesa.c32 - - /usr/lib/syslinux/modules/efi64/lfs.c32 - - /usr/lib/syslinux/modules/efi64/dmi.c32 - - /usr/lib/syslinux/modules/efi64/cmenu.c32 - - /usr/lib/syslinux/modules/efi64/reboot.c32 - - /usr/lib/syslinux/modules/efi64/debug.c32 - - /usr/lib/syslinux/modules/efi64/zzjson.c32 - - /usr/lib/syslinux/modules/efi64/dhcp.c32 - - /usr/lib/syslinux/modules/efi64/menu.c32 - - /usr/lib/syslinux/modules/efi64/hexdump.c32 - - /usr/lib/syslinux/modules/efi64/libmenu.c32 - - /usr/lib/syslinux/modules/efi64/vpdtest.c32 - - /usr/lib/syslinux/modules/efi64/ifcpu.c32 - - /usr/lib/syslinux/modules/efi64/ls.c32 - - /usr/lib/syslinux/modules/efi64/cpuidtest.c32 - - /usr/lib/syslinux/modules/efi64/cmd.c32 - - /usr/lib/syslinux/modules/efi64/rosh.c32 - - /usr/lib/syslinux/modules/efi64/pwd.c32 - - /usr/lib/syslinux/modules/efi64/linux.c32 - - /usr/lib/syslinux/modules/efi64/config.c32 - - /usr/lib/syslinux/modules/efi64/ifcpu64.c32 - - /usr/lib/syslinux/modules/efi64/cat.c32 - - 
/usr/lib/syslinux/modules/efi64/lua.c32 - - /usr/lib/syslinux/modules/efi64/syslinux.c32 - - /usr/lib/syslinux/modules/efi64/dir.c32 - tags: - - pxe - - efi - -- name: write pxe default config for bios/efi32/efi64 - copy: - content: | - DEFAULT bios/menu.c32 - PROMPT 0 - - MENU TITLE FAI Setup - MENU AUTOBOOT Starting FAI install - TIMEOUT 300 - - INCLUDE ::fai.cfg - INCLUDE ::dban.cfg - dest: /srv/tftp/fai/bios/default - mode: 0644 - owner: root - group: root - with_items: - - /srv/tftp/fai/bios/default - - /srv/tftp/fai/efi32/default - - /srv/tftp/fai/efi64/default - tags: - - pxe - - tftp - - fai - -- name: write pxe fai boot config - copy: - content: | - LABEL fai - MENU DEFAULT - MENU LABEL FAI Installer - KERNEL vmlinuz-{{linux_version}}-amd64 - APPEND initrd=initrd.img-{{linux_version}}-amd64 ip=dhcp root=live:http://{{server_ip}}/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv{% if fai_menu %},menu{% endif %} FAI_CONFIG_SRC=http://{{server_ip}}/fai/config.tar FAI_ACTION=install - dest: /srv/tftp/fai/fai.cfg - mode: 0644 - owner: root - group: root - tags: - - pxe - - tftp - - fai - -- name: write pxe fai boot config - copy: - content: | - LABEL dban - MENU LABEL Darik's Boot And Nuke Tool - KERNEL dban.bzi - APPEND nuke="dwipe" silent vga=785 - dest: /srv/tftp/fai/dban.cfg - mode: 0644 - owner: root - group: root - tags: - - pxe - - tftp - - fai diff --git a/roles/fai/tasks/fai-pxe.yml b/roles/fai/tasks/fai-pxe.yml index 387fb1f..d3d6c6f 100644 --- a/roles/fai/tasks/fai-pxe.yml +++ b/roles/fai/tasks/fai-pxe.yml 
@@ -1,22 +1,37 @@ -- name: test pxe config already exists - stat: - path: /srv/tftp/fai - register: fai_tftp +- find: + paths: /srv/fai/nfsroot/boot + patterns: "vmlinuz-*" + register: fai_live_vmlinuz -- name: generate tftp config - shell: fai-chboot -IF -u http://{{server_ip}}/fai/config.tar default - when: fai_tftp.changed - tags: - - fai - - pxe - - http +- find: + paths: /srv/fai/nfsroot/boot + patterns: "initrd.img-*" + register: fai_live_initrd -- name: ensure fai dir exists - file: - path: /srv/tftp/fai +- set_fact: + fai_live_vmlinuz: "{{ fai_live_vmlinuz.files[0].path |regex_replace('.*/', '') }}" + fai_live_initrd: "{{ fai_live_initrd.files[0].path |regex_replace('.*/', '') }}" + +- name: copy linux kernel and initrd to tftp root + copy: + src: "/srv/fai/nfsroot/boot/{{ item }}" + dest: "/srv/tftp/fai/{{ item }}" owner: root group: root - mode: 0755 + mode: u=rw,g=r,o=r + remote_src: true + with_items: + - "{{ fai_live_vmlinuz }}" + - "{{ fai_live_initrd }}" + +- name: generate squashfs image of root files + stat: + path: /srv/tftp/fai/squash.img + register: squash_img + +- name: generate a downloadable squashfs of root filesystem + shell: fai-cd -f -M -S /srv/tftp/fai/squash.img + when: "not squash_img.stat.exists or fai_profiles.changed or fai_profiles_apt_proxy.changed" - name: copy dban image copy: @@ -24,9 +39,12 @@ dest: /srv/tftp/fai/dban.bzi owner: root group: root + mode: u=rw,g=r,o=r -- include: fai-pxe-ipxe.yml - when: use_ipxe +- name: setup iPXE + include: fai-pxe-ipxe.yml -- include: fai-pxe-pxelinux.yml - when: not use_ipxe +- name: force restart tftp server + service: + name: tftpd-hpa + state: restarted diff --git a/roles/fai/tasks/fai-root.yml b/roles/fai/tasks/fai-root.yml index e2f606e..b010d95 100644 --- a/roles/fai/tasks/fai-root.yml +++ b/roles/fai/tasks/fai-root.yml 
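Review bot: `fai_live_vmlinuz.files[0]` and `fai_live_initrd.files[0]` come from two independent, unsorted `find` results, so with more than one kernel in /srv/fai/nfsroot/boot the kernel and initrd handed to iPXE can be from different versions, and with none the `set_fact` dies with an index error rather than a readable message. Deriving the initrd from the chosen kernel in a second `set_fact`, `fai_live_initrd: "{{ fai_live_vmlinuz | regex_replace('^vmlinuz-', 'initrd.img-') }}"`, keeps the pair consistent, and an `assert` that `fai_live_vmlinuz.files | length == 1` in front gives a clear failure. The trailing unconditional `state: restarted` for tftpd-hpa restarts the daemon on every run; tftpd-hpa.yml already restarts it on config change and, as far as I know, new files under /srv/tftp/fai need no restart, so this task can go.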
@@ -1,35 +1,28 @@ +- copy: + dest: /etc/fai/nfsroot.conf + content: | + # For a detailed description see nfsroot.conf(5) + + # " " for debootstrap + FAI_DEBOOTSTRAP="{{ debian_release }} http://localhost:3142/debian" + FAI_ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1' + + NFSROOT=/srv/fai/nfsroot + TFTPROOT=/srv/tftp/fai + NFSROOT_HOOKS=/etc/fai/nfsroot-hooks/ + FAI_DEBOOTSTRAP_OPTS="--exclude=wget" + + # Configuration space + FAI_CONFIGDIR=/srv/fai/config + owner: root + group: root + mode: u=rw,g=r,o=r + - name: test nfsroot exists stat: path: /srv/fai/nfsroot register: nfsroot_res - tags: - - fai - - root -- name: test if fai-setup already ran - file: - dest: /srv/fai/nfsroot - state: absent - when: "ensure_fai_setup_run and not disable_fai_chroot_build" - tags: - - fai - - root - -- name: generate fai chroot - shell: fai-make-nfsroot -N - when: "(not nfsroot_res.stat.exists or ensure_fai_setup_run) and not disable_fai_chroot_build" - tags: - - fai - - root - -- name: test squash image - stat: - path: /srv/tftp/fai/squash.img - register: squash_img - -- name: generate squashfs - shell: fai-cd -f -M -S /srv/tftp/fai/squash.img - when: "(not squash_img.stat.exists or ensure_fai_setup_run) and not disable_fai_chroot_build" - tags: - - fai - - root +- name: generate root filesystem, kernel and initrd + shell: fai-make-nfsroot + when: "not nfsroot_res.stat.exists" diff --git a/roles/fai/tasks/isc-dhcp-server.yml b/roles/fai/tasks/isc-dhcp-server.yml index 8a3ab80..2afc1c0 100644 --- a/roles/fai/tasks/isc-dhcp-server.yml +++ b/roles/fai/tasks/isc-dhcp-server.yml @@ -2,8 +2,6 @@ apt: name: isc-dhcp-server state: present - tags: - - dhcp - name: configure dhcp server copy: 
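Review bot: `FAI_ROOTPW` is a fixed `$1$` (md5crypt) hash committed to the repository, and it ends up in /etc/shadow of the nfsroot that is published as squash.img over HTTP, so the installer's root password is effectively public and cheap to crack; with the `sshd` flag in the boot line that is a root login on every installing client. Generate a SHA-512 hash per deployment (`mkpasswd -m sha-512`) and feed it in as a vaulted variable, `FAI_ROOTPW='{{ fai_root_pw_hash }}'`, with the hash in group_vars under Ansible Vault. Since the task also only builds the nfsroot when the directory is missing, a changed nfsroot.conf never takes effect; registering the copy and running fai-make-nfsroot `when: not nfsroot_res.stat.exists or nfsroot_conf.changed` fixes that.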
@@ -35,27 +33,24 @@ if exists user-class and option user-class = "iPXE" { filename "menu.ipxe"; } else { - if option architecture-type = 00:00 { - filename "ipxe.pxe"; - } elsif option architecture-type = 00:09 { - filename "fai/efi64/syslinux.efi"; + if option architecture-type = 00:09 { + filename "ipxe.efi"; } elsif option architecture-type = 00:07 { - filename "fai/efi64/syslinux.efi"; + filename "ipxe.efi"; } elsif option architecture-type = 00:06 { - filename "fai/efi32/syslinux.efi"; + filename "ipxe.efi"; + } else { + filename "ipxe.pxe"; } } } } dest: /etc/dhcp/dhcpd.conf - mode: 0644 + mode: u=rw,g=r,o=o owner: root group: root # validate: dhcpd -t -cf %s register: dhcpd_config - tags: - - dhcp - - routing - name: set dhcp server interface copy: @@ -63,18 +58,14 @@ INTERFACESv4="{{dhcp_interface}}" INTERFACESv6="" dest: /etc/default/isc-dhcp-server - mode: 0644 + mode: u=rw,g=r,o=o owner: root group: root register: dhcp_default_config - tags: - - dhcp - name: reload dhcp systemd: name: isc-dhcp-server state: restarted when: dhcp_default_config.changed or dhcpd_config.changed - tags: - - dhcp diff --git a/roles/fai/tasks/main.yml b/roles/fai/tasks/main.yml index eae8778..c1951ae 100644 --- a/roles/fai/tasks/main.yml +++ b/roles/fai/tasks/main.yml 
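Review bot: `mode: u=rw,g=r,o=o` on both /etc/dhcp/dhcpd.conf and /etc/default/isc-dhcp-server is presumably a typo for `o=r`: in Ansible's symbolic mode syntax `o` on the right-hand side copies the current other bits, so `o=o` leaves whatever the umask produced instead of pinning the mode. The commented-out `# validate: dhcpd -t -cf %s` is worth re-enabling while here: a syntax error in the templated config currently only surfaces when the `restarted` step takes down the DHCP server, which is the one service the whole boot chain hangs on.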
@@ -1,15 +1,28 @@ --- # tasks file for fai -- include: routing.yml -- include: time-server.yml -- include: isc-dhcp-server.yml -- include: nginx.yml -- include: unbound.yml -- include: apt-cacher-ng.yml +- name: setup apt proxy cache + include: apt-cacher-ng.yml + +- name: configure a time server + include: time-server.yml + +- name: configure a web server + include: nginx.yml + +- name: configure tftp + include: tftpd-hpa.yml + +- name: configure dns server + include: unbound.yml + +- name: configure nic + include: network.yml + +- name: setup dhcp + include: isc-dhcp-server.yml + - include: fai-prepare.yml -- include: fai-install.yml - include: fai-configure.yml -- include: fai-profile.yml +- include: fai-profiles.yml - include: fai-root.yml - include: fai-pxe.yml -- include: fai-finish.yml diff --git a/roles/fai/tasks/routing.yml b/roles/fai/tasks/network.yml similarity index 88% rename from roles/fai/tasks/routing.yml rename to roles/fai/tasks/network.yml index 926db00..84bcce0 100644 --- a/roles/fai/tasks/routing.yml +++ b/roles/fai/tasks/network.yml @@ -2,8 +2,6 @@ apt: name: ['iptables', 'ifupdown'] state: present - tags: - - routing - name: ensure resolved is stopped and disabled service: @@ -27,7 +25,7 @@ - name: setup lan interface shell: | - ifdown {{ dhcp_interface }} || true + ifdown --force {{ dhcp_interface }} || true ifup {{ dhcp_interface }} when: lan_iface_cfg.changed @@ -43,17 +41,13 @@ COMMIT dest: /etc/network/iptables.up.rules register: iptables_up_rules - tags: - - routing - name: apply iptables rules iptables: table: nat chain: POSTROUTING - out_interface: "{{wan_interface}}" + out_interface: "{{ wan_interface }}" jump: MASQUERADE - tags: - - routing - name: enable ip forwarding sysctl: @@ -62,6 +56,3 @@ sysctl_set: yes state: present reload: yes - tags: - - routing - diff --git a/roles/fai/tasks/nginx.yml b/roles/fai/tasks/nginx.yml index 2f65d28..6462fcf 100644 --- a/roles/fai/tasks/nginx.yml +++ b/roles/fai/tasks/nginx.yml 
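Review bot: main.yml uses the bare `include` keyword for every task file; it has been deprecated since Ansible 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic), and the named wrappers added here are a good moment to switch, e.g. `- name: setup apt proxy cache` / `  import_tasks: apt-cacher-ng.yml`. The ordering is also security-relevant: network.yml (which enables forwarding) now runs before isc-dhcp-server.yml but after unbound/tftp/nginx, so those listeners are up before the LAN interface exists; a comment on why the order was chosen would help.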
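Review bot: network.yml enables `net.ipv4.ip_forward` and applies only a `nat POSTROUTING MASQUERADE` rule through the `iptables` module, so unless iptables.up.rules (whose content is largely outside this hunk) installs a FORWARD policy, clients on the install segment get unrestricted routed access and the services this role binds to 0.0.0.0 (tftpd-hpa and unbound visibly, possibly apt-cacher-ng and nginx) are reachable from the `wan_interface` side too. I would add the matching filter rules with the same module — `chain: FORWARD`, `in_interface: "{{ dhcp_interface }}"`, `out_interface: "{{ wan_interface }}"`, `jump: ACCEPT`, plus the `RELATED,ESTABLISHED` return rule and a `DROP` policy — or at least document that the role assumes a trusted upstream LAN. Note that rules set via the `iptables` module are not persistent; I cannot see in this hunk where iptables.up.rules is loaded at boot.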
@@ -2,8 +2,6 @@ apt: name: nginx-light state: present - tags: - - http - name: configure http server copy: @@ -19,18 +17,9 @@ autoindex on; try_files $uri $uri/ =404; } - } - server { - listen 80 apt.faiserver.lan; - listen [::]:80 apt.faiserver.lan; - root /var/cache/apt-cacher-ng/uburep; - index index.html; - server_name _; - - location / { - autoindex on; - try_files $uri $uri/ =404; + location /apt-mirror { + root /var/cache/apt-cacher-ng/uburep; } } dest: /etc/nginx/sites-enabled/default @@ -38,22 +27,16 @@ owner: root group: root register: nginx_conf - tags: - - http - name: ensure http server is running service: name: nginx state: started enabled: true - tags: - - http - name: ensure http server is restart after config change systemd: name: nginx state: restarted when: nginx_conf.changed - tags: - - http diff --git a/roles/fai/tasks/tftpd-hpa.yml b/roles/fai/tasks/tftpd-hpa.yml new file mode 100644 index 0000000..66ca73a --- /dev/null +++ b/roles/fai/tasks/tftpd-hpa.yml @@ -0,0 +1,31 @@ +- name: install tftp server + package: + name: [tftpd-hpa] + state: present + +- file: + name: /srv/tftp/fai + state: directory + owner: root + group: root + mode: u=rwx,g=rx,o=rx + recurse: true + +- name: configure tftp server + copy: + dest: /etc/default/tftpd-hpa + content: | + TFTP_USERNAME="tftp" + TFTP_DIRECTORY="/srv/tftp/fai" + TFTP_ADDRESS="0.0.0.0:69" + TFTP_OPTIONS="--secure" + owner: root + group: root + mode: 0644 + register: tftpd_cfg + +- service: + name: tftpd-hpa + state: restarted + enabled: true + when: tftpd_cfg.changed diff --git a/roles/fai/tasks/time-server.yml b/roles/fai/tasks/time-server.yml index 8fa6082..dd66279 100644 --- a/roles/fai/tasks/time-server.yml +++ b/roles/fai/tasks/time-server.yml @@ -1,10 +1,7 @@ - name: install inetd - apt: + package: name: inetutils-tools state: present - tags: - - time - - rdate - name: activate rdate copy: 
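Review bot: `location /apt-mirror { root /var/cache/apt-cacher-ng/uburep; }` does not replace the removed vhost: with `root` nginx appends the full URI, so `/apt-mirror/pool/…` maps to `/var/cache/apt-cacher-ng/uburep/apt-mirror/pool/…` and returns 404. `location /apt-mirror/ { alias /var/cache/apt-cacher-ng/uburep/; autoindex on; }` strips the prefix the way the old server block's `root` did; `autoindex`/`try_files` from the sibling location are not inherited, hence the explicit directive.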
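Review bot: `TFTP_ADDRESS="0.0.0.0:69"` in the new tftpd-hpa.yml binds the TFTP daemon on every interface, so the boot files are served on `wan_interface` as well; `TFTP_ADDRESS="{{ server_ip }}:69"` limits it to the install segment, matching the DHCP server which is already pinned to `dhcp_interface`. The directory task applies `mode: u=rwx,g=rx,o=rx` with `recurse: true`, which also sets the execute bit on every file already under /srv/tftp/fai; dropping `recurse: true` keeps the kernels/initrd at the `u=rw,g=r,o=r` the copy tasks set. `--secure` (chroot into TFTP_DIRECTORY) is the right choice and deserves a short comment.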
@@ -13,21 +10,24 @@ dest: /etc/inetd.conf owner: root group: root - mode: 0644 + mode: u=rw,g=r,o=r register: inetd_conf - tags: - - time - - rdate -- name: ensure inetd started +- name: ensure inetd is started service: - name: inetutils-inetd - state: restarted + name: inetd + state: started enabled: true when: inetd_conf.changed +- name: ensure inetd is refreshed, when config changed + service: + name: inetd + state: restarted + when: inetd_conf.changed + - name: install ntp server - apt: + package: name: ntp state: present
@@ -70,7 +70,7 @@ enabled: true - name: reload ntp config - systemd: + service: name: ntp state: restarted when: ntp_conf.changed
diff --git a/roles/fai/tasks/unbound.yml b/roles/fai/tasks/unbound.yml
index 607c4ac..d813f9a 100644
--- a/roles/fai/tasks/unbound.yml
+++ b/roles/fai/tasks/unbound.yml
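Review bot: The renamed `ensure inetd is started` task still carries `when: inetd_conf.changed`, so on a run where `/etc/inetd.conf` is already in place the service is neither started nor enabled; that condition belonged to the old `state: restarted` and the new separate `ensure inetd is refreshed` task already has it. Drop the `when:` line from the start/enable task so it is unconditional. The `activate rdate` task whose `dest:` opens this hunk begins before it.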
@@ -1,44 +1,34 @@ - name: install unbound server - apt: + package: name: unbound state: present - tags: - - dns - name: configure dns copy: content: | server: - access-control: {{server_net}}.0/{{server_netbits}} allow - private-domain: "{{domain_name}}" - domain-insecure: "{{domain_name}}" + access-control: {{ server_net }}.0/{{ server_netbits }} allow + private-domain: "{{ domain_name }}" + domain-insecure: "{{ domain_name }}" interface: 0.0.0.0 - local-zone: "{{domain_name}}." static - local-data: "{{server_name}}.{{domain_name}}. IN A {{server_ip}}" - local-data: "apt.{{server_name}}.{{domain_name}}. IN A {{server_ip}}" - local-data: "monserver.{{domain_name}} IN A {{server_ip}}" + local-zone: "{{ domain_name }}." static + local-data: "{{ server_name }}.{{ domain_name }}. IN A {{ server_ip }}" dest: /etc/unbound/unbound.conf.d/fai.conf - mode: 0644 + mode: u=rw,g=r,o=r owner: root group: root register: unbound_conf - tags: - - dns - name: ensure unbound is enabled and running service: name: unbound state: started enabled: true - tags: - - dns - name: apply dns config systemd: name: unbound state: restarted when: unbound_conf.changed - tags: - - dns
diff --git a/roles/fai/templates/fai-profile-00-proxy.yml b/roles/fai/templates/fai-profile-00-proxy.yml
new file mode 100644
index 0000000..5b6a506
--- /dev/null
+++ b/roles/fai/templates/fai-profile-00-proxy.yml
@@ -0,0 +1 @@ +Acquire::http::Proxy "http://{{ server_name }}:3142";
diff --git a/roles/fai/vars/main.yml b/roles/fai/vars/main.yml
index 4b052e6..6dd67d7 100644
--- a/roles/fai/vars/main.yml
+++ b/roles/fai/vars/main.yml
@@ -1,2 +1,4 @@ --- -# vars file for fai \ No newline at end of file +# vars file for fai + +server_net: "{{ server_ip |regex_replace('.[0-9]+$', '') }}"
diff --git a/setup.yml b/setup.yml
deleted file mode 100644
index c52b982..0000000
--- a/setup.yml
+++ /dev/null
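Review bot: The `apply dns config` task keeps the `systemd:` module while this commit switches the analogous `reload ntp config` task in `time-server.yml` to `service:` and the install task in this file to `package:`; using `service:` here as well keeps the role on one module for service handling. `interface: 0.0.0.0` makes the resolver listen on every interface, so the `access-control` line is the only thing keeping queries from `wan_interface` out; `interface: {{ server_ip }}` would not depend on that single line, assuming `server_ip` is the LAN address as the deleted `setup.yml` defaults suggest.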
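Review bot: `Acquire::http::Proxy "http://{{ server_name }}:3142";` uses the bare host name, but the only record the role publishes in `unbound.yml` is `{{ server_name }}.{{ domain_name }}.`, so clients resolve the proxy only if their lease also hands out `{{ domain_name }}` as a search domain. Writing `http://{{ server_name }}.{{ domain_name }}:3142` (or using `{{ server_ip }}`) removes that dependency. The file is named `.yml` but its content is apt configuration, which is worth a comment where the template is referenced if the name is kept.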
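Review bot: `regex_replace('.[0-9]+$', '')` leaves the dot unescaped, so it matches any single character before the trailing octet; it yields the right result on a dotted IPv4 address only because of the anchor, and `'\\.[0-9]+$'` states the intent. The derivation also hard-codes a /24 by stripping exactly one octet, while `server_netbits` is a separate variable that the `unbound.yml` `access-control` line combines with this value; if other prefix lengths are meant to work, deriving the network from both (for example with the `ipaddr` filter) keeps the two consistent.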
@@ -1,15 +0,0 @@ -- hosts: all - vars: - ensure_fai_setup_run: false - dhcp_interface: eth1 - wan_interface: eth0 - server_name: faiserver - server_ip: 192.168.33.1 - server_net: 192.168.33 - server_netbits: 24 - server_netmask: 255.255.255.0 - domain_name: lan - linux_version: 4.19.0-10 - roles: - - fai -