WIP

.gitignore

@@ -3,3 +3,7 @@
 
 # Vagrant
 .vagrant
+
+# ansible
+hosts
+ansible.cfg

README.md

@@ -0,0 +1,100 @@
+# HW4F Netboot Installer
+
+Server die automatische Installation über das Netzwerks von Ubuntu 20.04 im Rahmen des **https://hardwareforfuture.de(Hardware for Future)** Projekts des dezentrale e.V.
+
+Für den Betrieb wird einmalig eine Internetverbindung benötigt. Der Server wird über Ansible aufgesetzt. Hierfür werden verschiedene Komponenten installiert, u.a. FAI (Fully Automatic Installtion). Mit dem Server wird ein Netz aufgespannt, welches für den Anschluß des zu installierenden Rechner verwendet wird. Wenn die Rechner mit dem Netzwerk verbunden sind, können sie über einen Netzwerkboot (F-Testen beim Start des Rechners) über PXE gebootet werden. PXE lädt die erforderliche Dateien vom Server und der FAI-Installer installiert dann Ubuntu auf den Rechner.
+
+Es wird ein Nutzer *demo* angelegt. Das Passwort ist *fai*. Dieser Nutzer kann Administrationsrechte erlang und es sollte nach der Anmeldung das Passwort dringenst geändert werden.
+
+## Voraussetzungen
+
+Server:
+
+* Debian Buster
+
+Zu installierende Clients:
+
+* CPU mit x86-64 Unterstützung
+* 512 MB RAM empfohlen
+* mehr als 20 GB Festsplatte oder SSD
+* PXE-fähig oder USB-Stick mit bootfähigen iPXE oder iPXE-CD zum Booten des Rechern
+
+## Verwendung
+
+Zunächst ansible für die automatische Installation und Konfiguration aller Komponeten herunterladen:
+
+```console
+apt install ansible
+```
+
+Danach ein Playbook (z.B. *fai.yml*) anlegen und die grundlegende Parameter festlegen:
+
+```yml
+- hosts: localhost
+  become: true
+  vars:
+    dhcp_interface: eth1 # NIC für die Installer Netz
+    wan_interface: eth0  # NIC zum Internet
+  roles:
+    - fai
+```
+
+Danach das Playbook ausführen:
+
+```
+ansible-playbook fai.yml
+```
+
+### Konfiguration
+
+Über Ansible-Variablen kann die Installation noch weiter angepasst werden.
+
+|**Variable**            |**Bedeutung**                                                    |**Standard**  |
+|---                     |---                                                              |---           |
+|dhcp_interface          |NIC des Installtionnetzs                                         |eth1          |
+|wan_interface           |NIC zum Internet                                                 |eth0          |
+|server_name             |Server-Name                                                      |faiserver     |
+|domain_name             |Domain-Name des Netzes                                           |local         |
+|server_ip               |IP des Servers                                                   |192.168.33.1  |
+|server_netbits          |Bits der Netzmaske                                               |24            |
+|server_netmask          |Netzmaske                                                        |255.255.255.0 |
+|apt_cacher_offline_mode |true, um nur den vorhanden Packet-Cache als Repository zu nutzen |false         |
+|debian_release          |Debian Release, was für FAI genutzt werden soll.                 |buster        |
+
+Beispielsweise kann der Server mit obigen Playbook aufgesetzt werden, eine Rechner mit Ubuntu installiert werden und danach der Server wie folgt in den Offline-Installationsmodus versetzt werden:
+
+```yml
+- hosts: localhost
+  become: true
+  vars:
+    dhcp_interface: eth1 # NIC für die Installer Netz
+    wan_interface: eth0  # NIC zum Internet
+    apt_cacher_offline_mode: true
+  roles:
+    - fai
+```
+
+Danach das Playbook noch einmal ausführen, um die Konfigration zu aktualisieren:
+
+```
+ansible-playbook fai.yml
+```
+
+## Details
+
+*TBD*
+
+### Komponenten
+
+* DHCP: isc-dhcp-server
+* TFTP: tftpd-hpa
+* DNS: unbound
+* ntp: ntp
+* time: inetd
+* HTTP: nginx
+
+## Verweise
+
+* https://fai-project.org(FAI Project)
+* https://ipxe.org(iPXE)
+* https://www.ansible.com(Ansible)

Vagrantfile

@@ -11,12 +11,10 @@ def create(config, name)
       vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
     end
 
-    v.vm.network "private_network", ip: "192.168.33.1", virtualbox__intnet: true
+    v.vm.network "private_network", virtualbox__intnet: true, auto_config: false
 
     v.vm.provision "ansible" do |ans|
-      ans.playbook = "setup.yml"
+      ans.playbook = "playbook-vagrant.yml"
-      #ans.vault_password_file = ".vault_pass"
-      ans.verbose = true
     end
   end
 end

playbook-vagrant.yml

@@ -0,0 +1,14 @@
+- hosts: faiserver
+  become: true
+  vars:
+    # interface to the clients to install
+    dhcp_interface: eth1
+    # interface for a internet connection
+    wan_interface: eth0
+    # customized server name
+    server_name: faiserver
+    # ip of the server of the installer network
+    server_ip: 192.168.33.1
+  roles:
+    - fai
+

roles/fai/defaults/main.yml

@@ -1,17 +1,12 @@
 ---
 # defaults file for fai
 
-use_ipxe: true
-fai_menu: true
-ensure_fai_setup_run: false
-disable_fai_chroot_build: false
 dhcp_interface: eth1
 wan_interface: eth0
 server_name: faiserver
+domain_name: local
 server_ip: 192.168.33.1
-server_net: 192.168.33
+server_netbits: 24
 server_netmask: 255.255.255.0
-domain_name: lan
-linux_version: 4.19.0-10
-use_apt_cache: true
 apt_cacher_offline_mode: false
+debian_release: buster

roles/fai/files/profiles/class/menu.profile

@@ -4,7 +4,7 @@ Name: HW4F Desktop
 Description: Desktop installtion for Hardware for future
 Short: HW4F
 Long: Ubuntu 20.04 LTS (Focal Fossa) Desktop installtion
-Classes: INSTALL HW4F_DESKTOP UBUNTU HW4F_DESKTOP_LAST
+Classes: INSTALL GERMAN HW4F_DESKTOP UBUNTU HW4F_DESKTOP_LAST
 
 Name: Secure erase SSD
 Description: Run a secure erase for SSD

roles/fai/files/profiles/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP

@@ -1 +0,0 @@
-Acquire::http::Proxy "http://faiserver:3142";

roles/fai/tasks/apt-cacher-ng.yml

@@ -11,21 +11,31 @@
       SupportDir: /usr/lib/apt-cacher-ng
       Port: 3142
 
+      # Mappings
       Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
       Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
       Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-security
+      Remap-fai:    fai-project.org /download
 
+      # The Report page
       ReportPage: acng-report.html
 
-      ExThreshold: 4
+      # 120 days till a package will expire
-      Offlinemode: {% if apt_cacher_offline_mode %}1{% else %}0{% endif %}
+      ExThreshold: 120
 
+      # use one connection to reduce disruptions
       ReuseConnections: 1
       PipelineDepth: 1
+
+      # don't wait to long for server
+      NetworkTimeout: 5
+
+      # Only serve available files
+      Offlinemode: {% if apt_cacher_offline_mode %}1{% else %}0{% endif %}
     dest: /etc/apt-cacher-ng/acng.conf
     owner: root
     group: root
-    mode: 0644
+    mode: u=rw,g=r,o=r
   register: apt_cacher_config
 
 - name: ensure service is started and enabled
@@ -39,3 +49,13 @@
     name: apt-cacher-ng
     state: restarted
   when: apt_cacher_config.changed
+
+- name: set apt cache also for installer host
+  copy:
+    dest: /etc/apt/apt.conf.d/00proxy
+    content: |
+      Acquire::http::Proxy "http://localhost:3142";
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+

roles/fai/tasks/fai-configure.yml

@@ -1,27 +1,21 @@
 - name: setup repos for fai
   copy:
     dest: /etc/fai/apt/sources.list
-    mode: 0644
+    content: |
+      deb http://localhost:3142/deb.debian.org/debian buster main contrib non-free
+      deb http://localhost:3142/security.debian.org/debian-security buster/updates main
+      deb http://localhost:3142/deb.debian.org/debian/ buster-updates main
+      deb http://localhost:3142/fai-project.org/download buster koeln
+    mode: u=rw,g=r,o=r
     owner: root
     group: root
-    content: |
+  register: fai_apt_mirrors
-      deb http://deb.debian.org/debian buster main contrib non-free
-      deb http://deb.debian.org/debian-security buster/updates main contrib non-free
-      deb http://deb.debian.org/debian buster-backports main contrib non-free
-
-      # fai automated install 
-      deb http://fai-project.org/download buster koeln
-  tags:
-    - fai
-    - apt
 
 - name: set loguser
   copy:
     dest: /etc/fai/fai.conf
-    mode: 0644
+    mode: u=rw,g=r,o=r
     owner: root
     group: root
     content: |
       LOGUSER=root
-  tags:
-    - fai

roles/fai/tasks/fai-finish.yml

@@ -1,5 +0,0 @@
-- name: pack fai configuration
-  shell: tar -C /srv/fai/config -cf /srv/fai/config.tar .
-  when: fai_profiles.changed
-
-

roles/fai/tasks/fai-install.yml

@@ -1,3 +0,0 @@
-- apt:
-    name: fai-server
-    state: present

roles/fai/tasks/fai-prepare.yml

@@ -3,15 +3,13 @@
     id: B11EE3273F6B2DEB528C93DA2BF8D9FE074BCDE4
     url: https://fai-project.org/download/2BF8D9FE074BCDE4.asc 
     state: present
-  tags:
-    - apt
-    - fai
 
 - name: add fai repo
   apt_repository:
-    repo: deb http://fai-project.org/download buster koeln 
+    repo: deb http://fai-project.org/download {{ debian_release }} koeln 
     state: present
-  tags:
-    - apt
-    - fai
 
+- name: install all required fai programs
+  package:
+    name: [fai-server, squashfs-tools, ipxe]
+    state: present

roles/fai/tasks/fai-profile.yml

@@ -1,16 +0,0 @@
-- name: create fai dir
-  file:
-    name: /srv/fai/config
-    state: directory
-    owner: root
-    group: root
-    mode: 0755
-
-- name: copy profile
-  synchronize:
-    src: profiles/
-    dest: /srv/fai/config/
-    mode: push
-    delete: yes
-    recursive: yes
-  register: fai_profiles

roles/fai/tasks/fai-profiles.yml

@@ -0,0 +1,30 @@
+- name: create fai dir
+  file:
+    name: /srv/fai/config
+    state: directory
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: copy fai profile
+  synchronize:
+    src: profiles/
+    dest: /srv/fai/config/
+    mode: push
+    delete: yes
+    recursive: yes
+  register: fai_profiles
+
+- name: Set APT proxy
+  template:
+    src: fai-profile-00-proxy.yml
+    dest: /srv/fai/config/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  register: fai_profiles_apt_proxy
+
+- name: pack fai configuration
+  shell: tar -C /srv/fai/config -cf /srv/fai/config.tar .
+  when: "fai_profiles.changed or fai_profiles_apt_proxy.changed"
+

roles/fai/tasks/fai-pxe-ipxe.yml

@@ -1,26 +1,15 @@
-- name: install ipxe
+- package:
-  package:
     name: ipxe
     state: present
-  tags:
-    - pxe
-    - bios
-    - efi
-    - ipxe
 
 - name: copy ipxe
   copy:
     src: "{{ item }}"
-    dest: /srv/tftp/
+    dest: /srv/tftp/fai
     remote_src: yes
   with_items:
     - /usr/lib/ipxe/ipxe.efi
     - /usr/lib/ipxe/ipxe.pxe
-  tags:
-    - pxe
-    - ipxe
-    - bios
-    - efi
 
 - name: write ipxe menu
   copy:
@@ -39,7 +28,6 @@
       menu iPXE boot menu
       item --key f fai          FAI Installer
       item --gap --
-      item --key p pxelinux     PXE Linux
       item --key d dban         Dariks boot and nuke (DBAN)
       item --gap --
       item --key c config       Configure settings
@@ -76,9 +64,9 @@
       exit
 
       :fai
-      kernel fai/vmlinuz-4.19.0-10-amd64
+      kernel {{ fai_live_vmlinuz }}
-      initrd fai/initrd.img-4.19.0-10-amd64
+      initrd {{ fai_live_initrd }}
-      imgargs vmlinuz-4.19.0-10-amd64 ip=dhcp root=live:http://192.168.33.1/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv,menu FAI_CONFIG_SRC=http://192.168.33.1/fai/config.tar FAI_ACTION=install
+      imgargs {{ fai_live_vmlinuz }} ip=dhcp root=live:http://{{ server_name }}/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv,menu FAI_CONFIG_SRC=http://{{ server_name }}/fai/config.tar FAI_ACTION=install net.ifnames=0
       boot || goto failed
       goto start
 
@@ -87,12 +75,8 @@
       imgargs dban.bzi silent vga=785
       boot || goto failed
       goto start
-    dest: /srv/tftp/menu.ipxe
+    dest: /srv/tftp/fai/menu.ipxe
     mode: 0644
     owner: root
     group: root
-  tags:
-    - pxe
-    - tftp
-    - fai
 

roles/fai/tasks/fai-pxe-pxelinux.yml

@@ -1,288 +0,0 @@
-- name: install syslinux
-  package:
-    name: "{{ item }}"
-    state: present
-  with_items:
-    - pxelinux
-    - syslinux
-    - syslinux-efi
-  tags:
-    - pxe
-    - bios
-    - efi
-    - syslinux
-
-- name: generate pxe directory structure
-  file:
-    name: "{{ item }}"
-    state: directory
-  with_items:
-    - /srv/tftp/fai/bios
-    - /srv/tftp/fai/efi32
-    - /srv/tftp/fai/efi64
-  tags:
-    - pxe
-    - bios
-    - efi
-    - syslinux
-
-- name: copy pxelinux
-  copy:
-    src: /usr/lib/PXELINUX/pxelinux.0
-    dest: /srv/tftp/fai/bios/pxelinux.0
-    owner: root
-    group: root
-    remote_src: yes
-  tags:
-    - pxe
-    - syslinux
-
-- name: copy pxe efi32
-  copy:
-    src: /usr/lib/SYSLINUX.EFI/efi32/syslinux.efi
-    dest: /srv/tftp/fai/efi32/syslinux.efi
-    owner: root
-    group: root
-    remote_src: yes
-
-- name: copy pxe bios modules
-  copy:
-    src: "{{ item }}"
-    dest: /srv/tftp/fai/bios/
-    owner: root
-    group: root
-    remote_src: yes
-  with_items:
-    - /usr/lib/syslinux/modules/bios/dmitest.c32
-    - /usr/lib/syslinux/modules/bios/chain.c32
-    - /usr/lib/syslinux/modules/bios/libcom32.c32
-    - /usr/lib/syslinux/modules/bios/sysdump.c32
-    - /usr/lib/syslinux/modules/bios/sanboot.c32
-    - /usr/lib/syslinux/modules/bios/host.c32
-    - /usr/lib/syslinux/modules/bios/vesainfo.c32
-    - /usr/lib/syslinux/modules/bios/liblua.c32
-    - /usr/lib/syslinux/modules/bios/gfxboot.c32
-    - /usr/lib/syslinux/modules/bios/mboot.c32
-    - /usr/lib/syslinux/modules/bios/disk.c32
-    - /usr/lib/syslinux/modules/bios/meminfo.c32
-    - /usr/lib/syslinux/modules/bios/hdt.c32
-    - /usr/lib/syslinux/modules/bios/cpuid.c32
-    - /usr/lib/syslinux/modules/bios/cpu.c32
-    - /usr/lib/syslinux/modules/bios/libgpl.c32
-    - /usr/lib/syslinux/modules/bios/libutil.c32
-    - /usr/lib/syslinux/modules/bios/kontron_wdt.c32
-    - /usr/lib/syslinux/modules/bios/kbdmap.c32
-    - /usr/lib/syslinux/modules/bios/vesamenu.c32
-    - /usr/lib/syslinux/modules/bios/pci.c32
-    - /usr/lib/syslinux/modules/bios/ethersel.c32
-    - /usr/lib/syslinux/modules/bios/pmload.c32
-    - /usr/lib/syslinux/modules/bios/cptime.c32
-    - /usr/lib/syslinux/modules/bios/gpxecmd.c32
-    - /usr/lib/syslinux/modules/bios/whichsys.c32
-    - /usr/lib/syslinux/modules/bios/vesa.c32
-    - /usr/lib/syslinux/modules/bios/pxechn.c32
-    - /usr/lib/syslinux/modules/bios/lfs.c32
-    - /usr/lib/syslinux/modules/bios/ifplop.c32
-    - /usr/lib/syslinux/modules/bios/dmi.c32
-    - /usr/lib/syslinux/modules/bios/pcitest.c32
-    - /usr/lib/syslinux/modules/bios/cmenu.c32
-    - /usr/lib/syslinux/modules/bios/reboot.c32
-    - /usr/lib/syslinux/modules/bios/debug.c32
-    - /usr/lib/syslinux/modules/bios/ifmemdsk.c32
-    - /usr/lib/syslinux/modules/bios/zzjson.c32
-    - /usr/lib/syslinux/modules/bios/sdi.c32
-    - /usr/lib/syslinux/modules/bios/ldlinux.c32
-    - /usr/lib/syslinux/modules/bios/dhcp.c32
-    - /usr/lib/syslinux/modules/bios/menu.c32
-    - /usr/lib/syslinux/modules/bios/poweroff.c32
-    - /usr/lib/syslinux/modules/bios/elf.c32
-    - /usr/lib/syslinux/modules/bios/hexdump.c32
-    - /usr/lib/syslinux/modules/bios/libmenu.c32
-    - /usr/lib/syslinux/modules/bios/vpdtest.c32
-    - /usr/lib/syslinux/modules/bios/ifcpu.c32
-    - /usr/lib/syslinux/modules/bios/ls.c32
-    - /usr/lib/syslinux/modules/bios/cpuidtest.c32
-    - /usr/lib/syslinux/modules/bios/cmd.c32
-    - /usr/lib/syslinux/modules/bios/rosh.c32
-    - /usr/lib/syslinux/modules/bios/pwd.c32
-    - /usr/lib/syslinux/modules/bios/linux.c32
-    - /usr/lib/syslinux/modules/bios/config.c32
-    - /usr/lib/syslinux/modules/bios/ifcpu64.c32
-    - /usr/lib/syslinux/modules/bios/cat.c32
-    - /usr/lib/syslinux/modules/bios/lua.c32
-    - /usr/lib/syslinux/modules/bios/syslinux.c32
-    - /usr/lib/syslinux/modules/bios/prdhcp.c32
-    - /usr/lib/syslinux/modules/bios/dir.c32
-  tags:
-    - pxe
-    - efi
-
-- name: copy pxe efi32 modules
-  copy:
-    src: "{{ item }}"
-    dest: /srv/tftp/fai/efi32/
-    owner: root
-    group: root
-    remote_src: yes
-  with_items:
-    - /usr/lib/syslinux/modules/efi32/dmitest.c32
-    - /usr/lib/syslinux/modules/efi32/chain.c32
-    - /usr/lib/syslinux/modules/efi32/libcom32.c32
-    - /usr/lib/syslinux/modules/efi32/sysdump.c32
-    - /usr/lib/syslinux/modules/efi32/host.c32
-    - /usr/lib/syslinux/modules/efi32/liblua.c32
-    - /usr/lib/syslinux/modules/efi32/gfxboot.c32
-    - /usr/lib/syslinux/modules/efi32/mboot.c32
-    - /usr/lib/syslinux/modules/efi32/meminfo.c32
-    - /usr/lib/syslinux/modules/efi32/hdt.c32
-    - /usr/lib/syslinux/modules/efi32/cpuid.c32
-    - /usr/lib/syslinux/modules/efi32/cpu.c32
-    - /usr/lib/syslinux/modules/efi32/libgpl.c32
-    - /usr/lib/syslinux/modules/efi32/ldlinux.e32
-    - /usr/lib/syslinux/modules/efi32/libutil.c32
-    - /usr/lib/syslinux/modules/efi32/vesamenu.c32
-    - /usr/lib/syslinux/modules/efi32/pci.c32
-    - /usr/lib/syslinux/modules/efi32/cptime.c32
-    - /usr/lib/syslinux/modules/efi32/whichsys.c32
-    - /usr/lib/syslinux/modules/efi32/vesa.c32
-    - /usr/lib/syslinux/modules/efi32/lfs.c32
-    - /usr/lib/syslinux/modules/efi32/dmi.c32
-    - /usr/lib/syslinux/modules/efi32/cmenu.c32
-    - /usr/lib/syslinux/modules/efi32/reboot.c32
-    - /usr/lib/syslinux/modules/efi32/debug.c32
-    - /usr/lib/syslinux/modules/efi32/zzjson.c32
-    - /usr/lib/syslinux/modules/efi32/dhcp.c32
-    - /usr/lib/syslinux/modules/efi32/menu.c32
-    - /usr/lib/syslinux/modules/efi32/hexdump.c32
-    - /usr/lib/syslinux/modules/efi32/libmenu.c32
-    - /usr/lib/syslinux/modules/efi32/vpdtest.c32
-    - /usr/lib/syslinux/modules/efi32/ifcpu.c32
-    - /usr/lib/syslinux/modules/efi32/ls.c32
-    - /usr/lib/syslinux/modules/efi32/cpuidtest.c32
-    - /usr/lib/syslinux/modules/efi32/cmd.c32
-    - /usr/lib/syslinux/modules/efi32/rosh.c32
-    - /usr/lib/syslinux/modules/efi32/pwd.c32
-    - /usr/lib/syslinux/modules/efi32/linux.c32
-    - /usr/lib/syslinux/modules/efi32/config.c32
-    - /usr/lib/syslinux/modules/efi32/ifcpu64.c32
-    - /usr/lib/syslinux/modules/efi32/cat.c32
-    - /usr/lib/syslinux/modules/efi32/lua.c32
-    - /usr/lib/syslinux/modules/efi32/syslinux.c32
-    - /usr/lib/syslinux/modules/efi32/dir.c32
-  tags:
-    - pxe
-    - efi
-
-- name: copy pxe efi64 modules
-  copy:
-    src: "{{ item }}"
-    dest: /srv/tftp/fai/efi64/
-    owner: root
-    group: root
-    remote_src: yes
-  with_items:
-    - /usr/lib/syslinux/modules/efi64/dmitest.c32
-    - /usr/lib/syslinux/modules/efi64/chain.c32
-    - /usr/lib/syslinux/modules/efi64/libcom32.c32
-    - /usr/lib/syslinux/modules/efi64/sysdump.c32
-    - /usr/lib/syslinux/modules/efi64/host.c32
-    - /usr/lib/syslinux/modules/efi64/liblua.c32
-    - /usr/lib/syslinux/modules/efi64/gfxboot.c32
-    - /usr/lib/syslinux/modules/efi64/mboot.c32
-    - /usr/lib/syslinux/modules/efi64/meminfo.c32
-    - /usr/lib/syslinux/modules/efi64/hdt.c32
-    - /usr/lib/syslinux/modules/efi64/cpuid.c32
-    - /usr/lib/syslinux/modules/efi64/cpu.c32
-    - /usr/lib/syslinux/modules/efi64/libgpl.c32
-    - /usr/lib/syslinux/modules/efi64/ldlinux.e64
-    - /usr/lib/syslinux/modules/efi64/libutil.c32
-    - /usr/lib/syslinux/modules/efi64/vesamenu.c32
-    - /usr/lib/syslinux/modules/efi64/pci.c32
-    - /usr/lib/syslinux/modules/efi64/cptime.c32
-    - /usr/lib/syslinux/modules/efi64/whichsys.c32
-    - /usr/lib/syslinux/modules/efi64/vesa.c32
-    - /usr/lib/syslinux/modules/efi64/lfs.c32
-    - /usr/lib/syslinux/modules/efi64/dmi.c32
-    - /usr/lib/syslinux/modules/efi64/cmenu.c32
-    - /usr/lib/syslinux/modules/efi64/reboot.c32
-    - /usr/lib/syslinux/modules/efi64/debug.c32
-    - /usr/lib/syslinux/modules/efi64/zzjson.c32
-    - /usr/lib/syslinux/modules/efi64/dhcp.c32
-    - /usr/lib/syslinux/modules/efi64/menu.c32
-    - /usr/lib/syslinux/modules/efi64/hexdump.c32
-    - /usr/lib/syslinux/modules/efi64/libmenu.c32
-    - /usr/lib/syslinux/modules/efi64/vpdtest.c32
-    - /usr/lib/syslinux/modules/efi64/ifcpu.c32
-    - /usr/lib/syslinux/modules/efi64/ls.c32
-    - /usr/lib/syslinux/modules/efi64/cpuidtest.c32
-    - /usr/lib/syslinux/modules/efi64/cmd.c32
-    - /usr/lib/syslinux/modules/efi64/rosh.c32
-    - /usr/lib/syslinux/modules/efi64/pwd.c32
-    - /usr/lib/syslinux/modules/efi64/linux.c32
-    - /usr/lib/syslinux/modules/efi64/config.c32
-    - /usr/lib/syslinux/modules/efi64/ifcpu64.c32
-    - /usr/lib/syslinux/modules/efi64/cat.c32
-    - /usr/lib/syslinux/modules/efi64/lua.c32
-    - /usr/lib/syslinux/modules/efi64/syslinux.c32
-    - /usr/lib/syslinux/modules/efi64/dir.c32
-  tags:
-    - pxe
-    - efi
-
-- name: write pxe default config for bios/efi32/efi64
-  copy:
-    content: |
-      DEFAULT bios/menu.c32
-      PROMPT 0
-
-      MENU TITLE FAI Setup
-      MENU AUTOBOOT Starting FAI install
-      TIMEOUT 300
-
-      INCLUDE ::fai.cfg
-      INCLUDE ::dban.cfg
-    dest: /srv/tftp/fai/bios/default
-    mode: 0644
-    owner: root
-    group: root
-  with_items:
-    - /srv/tftp/fai/bios/default
-    - /srv/tftp/fai/efi32/default
-    - /srv/tftp/fai/efi64/default
-  tags:
-    - pxe
-    - tftp
-    - fai
-
-- name: write pxe fai boot config
-  copy:
-    content: |
-      LABEL fai
-      MENU DEFAULT
-      MENU LABEL FAI Installer
-      KERNEL vmlinuz-{{linux_version}}-amd64
-      APPEND initrd=initrd.img-{{linux_version}}-amd64 ip=dhcp root=live:http://{{server_ip}}/tftp/fai/squash.img FAI_FLAGS=verbose,sshd,createv{% if fai_menu %},menu{% endif %} FAI_CONFIG_SRC=http://{{server_ip}}/fai/config.tar FAI_ACTION=install
-    dest: /srv/tftp/fai/fai.cfg
-    mode: 0644
-    owner: root
-    group: root
-  tags:
-    - pxe
-    - tftp
-    - fai
-
-- name: write pxe fai boot config
-  copy:
-    content: |
-      LABEL dban
-      MENU LABEL Darik's Boot And Nuke Tool
-      KERNEL dban.bzi
-      APPEND nuke="dwipe" silent vga=785
-    dest: /srv/tftp/fai/dban.cfg
-    mode: 0644
-    owner: root
-    group: root
-  tags:
-    - pxe
-    - tftp
-    - fai

roles/fai/tasks/fai-pxe.yml

@@ -1,22 +1,37 @@
-- name: test pxe config already exists
+- find:
-  stat:
+    paths: /srv/fai/nfsroot/boot
-    path: /srv/tftp/fai
+    patterns: "vmlinuz-*"
-  register: fai_tftp
+  register: fai_live_vmlinuz
 
-- name: generate tftp config
+- find:
-  shell: fai-chboot -IF -u http://{{server_ip}}/fai/config.tar default
+    paths: /srv/fai/nfsroot/boot
-  when: fai_tftp.changed
+    patterns: "initrd.img-*"
-  tags:
+  register: fai_live_initrd
-    - fai
-    - pxe
-    - http
 
-- name: ensure fai dir exists
+- set_fact:
-  file:
+    fai_live_vmlinuz: "{{ fai_live_vmlinuz.files[0].path |regex_replace('.*/', '') }}"
-    path: /srv/tftp/fai
+    fai_live_initrd: "{{ fai_live_initrd.files[0].path |regex_replace('.*/', '') }}"
+
+- name: copy linux kernel and initrd to tftp root
+  copy:
+    src: "/srv/fai/nfsroot/boot/{{ item }}"
+    dest: "/srv/tftp/fai/{{ item }}"
     owner: root
     group: root
-    mode: 0755
+    mode: u=rw,g=r,o=r
+    remote_src: true
+  with_items:
+    - "{{ fai_live_vmlinuz }}"
+    - "{{ fai_live_initrd }}"
+
+- name: generate squashfs image of root files
+  stat:
+    path: /srv/tftp/fai/squash.img
+  register: squash_img
+
+- name: generate a downloadable squashfs of root filesystem
+  shell: fai-cd -f -M -S /srv/tftp/fai/squash.img
+  when: "not squash_img.stat.exists or fai_profiles.changed or fai_profiles_apt_proxy.changed"
 
 - name: copy dban image
   copy:
@@ -24,9 +39,12 @@
     dest: /srv/tftp/fai/dban.bzi
     owner: root
     group: root
+    mode: u=rw,g=r,o=r
 
-- include: fai-pxe-ipxe.yml
+- name: setup iPXE
-  when: use_ipxe
+  include: fai-pxe-ipxe.yml
 
-- include: fai-pxe-pxelinux.yml
+- name: force restart tftp server
-  when: not use_ipxe
+  service:
+    name: tftpd-hpa
+    state: restarted

roles/fai/tasks/fai-root.yml

@@ -1,35 +1,28 @@
+- copy:
+    dest: /etc/fai/nfsroot.conf
+    content: |
+      # For a detailed description see nfsroot.conf(5)
+
+      # "<suite> <mirror>" for debootstrap
+      FAI_DEBOOTSTRAP="{{ debian_release }} http://localhost:3142/debian"
+      FAI_ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
+
+      NFSROOT=/srv/fai/nfsroot
+      TFTPROOT=/srv/tftp/fai
+      NFSROOT_HOOKS=/etc/fai/nfsroot-hooks/
+      FAI_DEBOOTSTRAP_OPTS="--exclude=wget"
+
+      # Configuration space
+      FAI_CONFIGDIR=/srv/fai/config
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
 - name: test nfsroot exists
   stat:
     path: /srv/fai/nfsroot
   register: nfsroot_res
-  tags:
-    - fai
-    - root
 
-- name: test if fai-setup already ran
+- name: generate root filesystem, kernel and initrd
-  file:
+  shell: fai-make-nfsroot
-    dest: /srv/fai/nfsroot
+  when: "not nfsroot_res.stat.exists"
-    state: absent
-  when: "ensure_fai_setup_run and not disable_fai_chroot_build"
-  tags:
-    - fai
-    - root
-
-- name: generate fai chroot
-  shell: fai-make-nfsroot -N
-  when: "(not nfsroot_res.stat.exists or ensure_fai_setup_run) and not disable_fai_chroot_build"
-  tags:
-    - fai
-    - root
-
-- name: test squash image
-  stat:
-    path: /srv/tftp/fai/squash.img
-  register: squash_img
-
-- name: generate squashfs
-  shell: fai-cd -f -M -S /srv/tftp/fai/squash.img
-  when: "(not squash_img.stat.exists or ensure_fai_setup_run) and not disable_fai_chroot_build"
-  tags:
-    - fai
-    - root

roles/fai/tasks/isc-dhcp-server.yml

@@ -2,8 +2,6 @@
   apt:
     name: isc-dhcp-server
     state: present
-  tags:
-    - dhcp
 
 - name: configure dhcp server
   copy:
@@ -35,27 +33,24 @@
           if exists user-class and option user-class = "iPXE" {
               filename "menu.ipxe";
           } else {
-            if option architecture-type = 00:00 {
+            if option architecture-type = 00:09 {
-              filename "ipxe.pxe";
+              filename "ipxe.efi";
-            } elsif option architecture-type = 00:09 {
-              filename "fai/efi64/syslinux.efi";
             } elsif option architecture-type = 00:07 {
-              filename "fai/efi64/syslinux.efi";
+              filename "ipxe.efi";
             } elsif option architecture-type = 00:06 {
-              filename "fai/efi32/syslinux.efi";
+              filename "ipxe.efi";
+            } else {
+              filename "ipxe.pxe";
             }
           }
         }
       }
     dest: /etc/dhcp/dhcpd.conf
-    mode: 0644
+    mode: u=rw,g=r,o=o
     owner: root
     group: root
     #    validate: dhcpd -t -cf %s
   register: dhcpd_config
-  tags:
-    - dhcp
-    - routing
 
 - name: set dhcp server interface
   copy:
@@ -63,18 +58,14 @@
       INTERFACESv4="{{dhcp_interface}}"
       INTERFACESv6=""
     dest: /etc/default/isc-dhcp-server
-    mode: 0644
+    mode: u=rw,g=r,o=o
     owner: root
     group: root
   register: dhcp_default_config
-  tags:
-    - dhcp
 
 - name: reload dhcp
   systemd:
     name: isc-dhcp-server
     state: restarted
   when: dhcp_default_config.changed or dhcpd_config.changed
-  tags:
-    - dhcp
 

roles/fai/tasks/main.yml

@@ -1,15 +1,28 @@
 ---
 # tasks file for fai
-- include: routing.yml
+- name: setup apt proxy cache
-- include: time-server.yml
+  include: apt-cacher-ng.yml
-- include: isc-dhcp-server.yml
+
-- include: nginx.yml
+- name: configure a time server
-- include: unbound.yml
+  include: time-server.yml
-- include: apt-cacher-ng.yml
+
+- name: configure a web server
+  include: nginx.yml
+
+- name: configure tftp
+  include: tftpd-hpa.yml
+
+- name: configure dns server
+  include: unbound.yml
+
+- name: configure nic
+  include: network.yml
+
+- name: setup dhcp
+  include: isc-dhcp-server.yml
+
 - include: fai-prepare.yml
-- include: fai-install.yml
 - include: fai-configure.yml
-- include: fai-profile.yml
+- include: fai-profiles.yml
 - include: fai-root.yml
 - include: fai-pxe.yml
-- include: fai-finish.yml

roles/fai/tasks/network.yml

@@ -2,8 +2,6 @@
   apt:
     name: ['iptables', 'ifupdown']
     state: present
-  tags:
-    - routing
 
 - name: ensure resolved is stopped and disabled
   service:
@@ -27,7 +25,7 @@
 
 - name: setup lan interface
   shell: |
-    ifdown {{ dhcp_interface }} || true
+    ifdown --force {{ dhcp_interface }} || true
     ifup {{ dhcp_interface }}
   when: lan_iface_cfg.changed
 
@@ -43,17 +41,13 @@
       COMMIT
     dest: /etc/network/iptables.up.rules
   register: iptables_up_rules
-  tags:
-    - routing
 
 - name: apply iptables rules
   iptables:
     table: nat
     chain: POSTROUTING
-    out_interface: "{{wan_interface}}"
+    out_interface: "{{ wan_interface }}"
     jump: MASQUERADE
-  tags:
-    - routing
 
 - name: enable ip forwarding
   sysctl:
@@ -62,6 +56,3 @@
     sysctl_set: yes
     state: present
     reload: yes
-  tags:
-    - routing
-

roles/fai/tasks/nginx.yml

@@ -2,8 +2,6 @@
   apt:
     name: nginx-light
     state: present
-  tags:
-    - http
 
 - name: configure http server
   copy:
@@ -19,18 +17,9 @@
           autoindex on;
           try_files $uri $uri/ =404;
         }
-      }
 
-      server {
+        location /apt-mirror {
-        listen 80 apt.faiserver.lan;
+          root /var/cache/apt-cacher-ng/uburep;
-        listen [::]:80 apt.faiserver.lan;
-        root /var/cache/apt-cacher-ng/uburep;
-        index index.html;
-        server_name _;
-
-        location / {
-          autoindex on;
-          try_files $uri $uri/ =404;
         }
       }
     dest: /etc/nginx/sites-enabled/default
@@ -38,22 +27,16 @@
     owner: root
     group: root
   register: nginx_conf
-  tags:
-    - http
 
 - name: ensure http server is running
   service:
     name: nginx
     state: started
     enabled: true
-  tags:
-    - http
 
 - name: ensure http server is restart after config change
   systemd:
     name: nginx
     state: restarted
   when: nginx_conf.changed
-  tags:
-    - http
 

roles/fai/tasks/tftpd-hpa.yml

@@ -0,0 +1,31 @@
+- name: install tftp server
+  package:
+    name: [tftpd-hpa]
+    state: present
+
+- file:
+    name: /srv/tftp/fai
+    state: directory
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+    recurse: true
+
+- name: configure tftp server
+  copy:
+    dest: /etc/default/tftpd-hpa
+    content: |
+      TFTP_USERNAME="tftp"
+      TFTP_DIRECTORY="/srv/tftp/fai"
+      TFTP_ADDRESS="0.0.0.0:69"
+      TFTP_OPTIONS="--secure"
+    owner: root
+    group: root
+    mode: 0644
+  register: tftpd_cfg
+
+- service:
+    name: tftpd-hpa
+    state: restarted
+    enabled: true
+  when: tftpd_cfg.changed

roles/fai/tasks/time-server.yml

@@ -1,10 +1,7 @@
 - name: install inetd
-  apt:
+  package:
     name: inetutils-tools
     state: present
-  tags:
-    - time
-    - rdate
 
 - name: activate rdate
   copy:
@@ -13,21 +10,24 @@
     dest: /etc/inetd.conf
     owner: root
     group: root
-    mode: 0644
+    mode: u=rw,g=r,o=r
   register: inetd_conf
-  tags:
-    - time
-    - rdate
 
-- name: ensure inetd started
+- name: ensure inetd is started
   service:
-    name: inetutils-inetd
+    name: inetd
-    state: restarted
+    state: started
     enabled: true
   when: inetd_conf.changed
 
+- name: ensure inetd is refreshed, when config changed
+  service:
+    name: inetd
+    state: restarted
+  when: inetd_conf.changed
+
 - name: install ntp server
-  apt:
+  package:
     name: ntp
     state: present
 
@@ -70,7 +70,7 @@
     enabled: true
 
 - name: reload ntp config
-  systemd:
+  service:
     name: ntp
     state: restarted
   when: ntp_conf.changed

roles/fai/tasks/unbound.yml

@@ -1,44 +1,34 @@
 - name: install unbound server
-  apt:
+  package:
     name: unbound
     state: present
-  tags:
-    - dns
 
 - name: configure dns
   copy:
     content: |
       server:
-        access-control: {{server_net}}.0/{{server_netbits}} allow
+        access-control: {{ server_net }}.0/{{ server_netbits }} allow
-        private-domain: "{{domain_name}}"
+        private-domain: "{{ domain_name }}"
-        domain-insecure: "{{domain_name}}"
+        domain-insecure: "{{ domain_name }}"
 
         interface: 0.0.0.0
 
-        local-zone: "{{domain_name}}." static
+        local-zone: "{{ domain_name }}." static
-        local-data: "{{server_name}}.{{domain_name}}. IN A {{server_ip}}"
+        local-data: "{{ server_name }}.{{ domain_name }}. IN A {{ server_ip }}"
-        local-data: "apt.{{server_name}}.{{domain_name}}. IN A {{server_ip}}"
-        local-data: "monserver.{{domain_name}} IN A {{server_ip}}"
     dest: /etc/unbound/unbound.conf.d/fai.conf
-    mode: 0644
+    mode: u=rw,g=r,o=r
     owner: root
     group: root
   register: unbound_conf
-  tags:
-    - dns
 
 - name: ensure unbound is enabled and running
   service:
     name: unbound
     state: started
     enabled: true
-  tags:
-    - dns
 
 - name: apply dns config
   systemd:
     name: unbound
     state: restarted
   when: unbound_conf.changed
-  tags:
-    - dns

roles/fai/templates/fai-profile-00-proxy.yml

@@ -0,0 +1 @@
+Acquire::http::Proxy "http://{{ server_name }}:3142";

roles/fai/vars/main.yml

@@ -1,2 +1,4 @@
 ---
-# vars file for fai
+# vars file for fai
+
+server_net: "{{ server_ip |regex_replace('.[0-9]+$', '') }}"

setup.yml

@@ -1,15 +0,0 @@
-- hosts: all
-  vars:
-    ensure_fai_setup_run: false
-    dhcp_interface: eth1
-    wan_interface: eth0
-    server_name: faiserver
-    server_ip: 192.168.33.1
-    server_net: 192.168.33
-    server_netbits: 24
-    server_netmask: 255.255.255.0
-    domain_name: lan
-    linux_version: 4.19.0-10
-  roles:
-    - fai
-