-rwxr-xr-x | build-installer.sh | 2 | ||||
-rw-r--r-- | installer.vmdb (renamed from v-i.vmdb) | 4 | ||||
-rw-r--r-- | installer.yml (renamed from v-i.yml) | 9 | ||||
-rw-r--r-- | liw.yml | 8 | ||||
-rw-r--r-- | std.yml | 113 | ||||
-rwxr-xr-x | v-i | 64 |
6 files changed, 168 insertions, 32 deletions
diff --git a/build-installer.sh b/build-installer.sh
index 1927fa2..6ed4e6f 100755
--- a/build-installer.sh
+++ b/build-installer.sh
@@ -4,5 +4,5 @@ set -eu -o pipefail
 tarball="$1"
-vmdb2 --output v-i.img --log v-i.log v-i.vmdb \
+vmdb2 --output installer.img --log installer.log installer.vmdb \
 --verbose --rootfs-tarball "$tarball"
diff --git a/v-i.vmdb b/installer.vmdb
index 9411282..218a809 100644
--- a/v-i.vmdb
+++ b/installer.vmdb
@@ -65,10 +65,6 @@ steps: - ansible: / playbook: v-i.yml - - copy-file: /root/x220.sh - src: x220.sh - perm: 0755 - - fstab: / - grub: uefi
@@ -26,7 +26,7 @@ - name: "set root authorized keys" copy: content: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems + {{ user_pub }} dest: /root/.ssh/authorized_keys owner: root group: root
@@ -76,11 +76,6 @@ src: "{{ rootfs_tarball }}" dest: /root/rootfs.tar.gz - - name: "add my ssh pub key to root's authorized keys" - authorized_key: - user: root - key: "{{ user_pub }}" - - name: "add APT key for CI repo with vmdb2" copy: content: "{{ ci_prod_signing_key }}"
@@ -98,7 +93,7 @@ hostname: v-i ansible_python_interpreter: /usr/bin/python3 user_pub: | - ssh-rsa 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 openpgp:0xBBE80E50 + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems ci_prod_signing_key: | -----BEGIN PGP PUBLIC KEY BLOCK-----
@@ -0,0 +1,8 @@
+hostname: x220
+user_pub: |
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+user_locale: |
+ LC_CTYPE=fi_FI.UTF8
+user_keyboard_model: pc105
+user_keyboard_layout: fi
+user_console_codeset: Lat15
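Review bot: The installer.vmdb hunk keeps the context line `playbook: v-i.yml` unchanged while this commit renames v-i.yml to installer.yml (see the file list), so the `ansible:` step of the installer image would point at a playbook that no longer exists under that name; the diffstat shows only the four deletions for this file, so nothing else in the commit corrects it. The line should read `playbook: installer.yml`. The same ed25519 public key literal is now repeated in installer.yml's `user_pub` var, in the default `vars:` of std.yml and in liw.yml; since v-i now accepts `--vars`, keeping the key in one vars file and passing it through would stop the copies from drifting apart.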
@@ -0,0 +1,113 @@ +# Ansible playbook to install stuff for a standard install with v-i. + +- hosts: image + tasks: + - name: "set /etc/hostname" + copy: + content: | + {{ hostname }} + dest: /etc/hostname + + - name: "disable root password" + shell: | + passwd -l root + + - name: "create ~root/.ssh" + file: + state: directory + path: /root/.ssh + owner: root + group: root + mode: 0700 + + - name: "set ~root/.ssh/authorized keys" + copy: + content: | + {{ user_pub }} + dest: /root/.ssh/authorized_keys + owner: root + group: root + mode: 0600 + + - name: "configure keyboard layout" + copy: + content: | + XKBMODEL="{{ user_keyboard_model }}" + XKBLAYOUT="{{ user_keyboard_layout }}" + XKBVARIANT="" + XKBOPTIONS="" + BACKSPACE="guess" + dest: /etc/default/keyboard + + - name: "configure console" + copy: + content: | + ACTIVE_CONSOLES="/dev/tty[1-6]" + CHARMAP="UTF-8" + CODESET="{{ user_console_codeset }}" + FONTFACE="Fixed" + FONTSIZE="8x16" + VIDEOMODE= + dest: /etc/default/console-setup + + - name: "set default locales for all users" + copy: + content: | + {{ user_locale }} + dest: /etc/profile.d/finnish.sh + + - name: "configure Ethernet networking" + copy: + content: | + auto eth0 + iface eth0 inet dhcp + iface eth0 inet6 auto + dest: /etc/network/interfaces.d/wired + + # - name: "restrict root logins over ssh" + # lineinfile: + # path: /etc/ssh/sshd_config + # regex: "#* *PasswordAuthentication" + # line: "PasswordAuthentication no" + + vars: + hostname: v-i + user_pub: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems + user_locale: | + LC_CTYPE=fi_FI.UTF8 + user_keyboard_model: pc105 + user_keyboard_layout: fi + user_console_codeset: Lat15 + + ansible_python_interpreter: /usr/bin/python3 + ci_prod_signing_key: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQINBFrLO7kBEADdz6mHstYmKU5Dp6OSjxWtWaqTDOX1sJdmmaIK/9EKVIH0Maxp + 5kvVO5G6mULLAjv/kLG0MxasHPrq8I2A/y8AqKAGVL8QelwLjQMIFZ30/VbGQPHS + 
+T5TZXEnoQtNce1GUhFwJ38ZyjjwHBFV9tSec7rZ2Q3YeM3nNnGPf6DacXGfEOPO + HIN4sXAN2hzNXNjKRzTIvxQseb6nr7afUh/SlZ3yhQOCrIzmYlD7tP9WJe7ofL0p + JY4pDQYw8rT6nC2BE/ioemh84kERCT1vCe+OVFlSRuMlqfEv+ZpKQ+itOmPDQ/lM + jpUm1K2hrW/lWpxT/ZxHKo/w1K36J5WshgMZxfUu5BMCL9LMqMcrXNhNjDMfxDMM + 3yBPOvQ4ls6fecOZ/bsFo1p8VzMk/w/eG8vPs5yuNa5XxN95yFMXoOHGb5Xbu8D4 + 6yiW+Af70LbiSNpGdmNdneiGB2fY38NxBukPw5u3S5qG8HedSmMr1RvSr5kHoAAe + UbOY+BYaaKsTAT7+1skUW1o3FJSqoRKCHAzTsMWC6zzhR8hRn7jVrrguH1hGbqq5 + TZSCFQZExuTJ7uXrTLG0WoBXIjB5wWNcSeXn8myUWYB51nJNF4tJBouZOz9JwWGl + kiAQkrHnBttLQWdW9FyjbIoTZMtpvVx+m6ObGTGdGL1cNlLAvWprMXGc+QARAQAB + tDJJY2sgQVBUIHJlcG9zaXRvcnkgc2lnbmluZyBrZXkgKDIwMTgpIDxsaXdAbGl3 + LmZpPokCTgQTAQgAOBYhBKL1uyDoXyxUH3O717Wr+TZVS6PGBQJayzu5AhsDBQsJ + CAcCBhUICQoLAgQWAgMBAh4BAheAAAoJELWr+TZVS6PGB5QQANTcikhRUHwt9N4h + dGc/Hp6CbqdshMoWlwpFskttoVDxQG5OAobuZl5XyzGcmja1lT85RGkZFfbca0IZ + LnXOLLSAu51QBkXNaj4OhjK/0uQ+ITrvL6RQSXNgHiUTR/W2XD1GIUq6nBqe2GSN + 31S1baYKKVj5QIMsi7Dq8ls3BBXuPCE+xTSaNmGWjes2t9pPidcRvxsksCLY1qgw + P1GFXBeMkBQ29kBP87SUL15SIk7OiQLlEURCy5iRls5rt/YEsdEpRWIb0Tm5Nrjv + 2M3VM+iBhfNXTwj0rJ34mlycF1qQmA7YcTEobT7z587GPY0VWzBpQUnEQj7rQWPM + cDYY0b+I6kQ8VKOaL4wVAtE98d7HzFIrIrwhTKufnrWrVDPYsmLZ+LPC1jiF7JBD + SR6Vftb+SdDR9xoE1yRuXbC6IfoW+5/qQNrdQ2mm9BFw5jOonBqchs18HTTf3441 + 6SWwP9fY3Vi+IZphPPi0Gf85oMStgnv/Wnw6LacEL32ek39Desero/D8iGLZernK + Q2mC9mua5A/bYGVhsNWyURNFkKdbFa+/wW3NfdKYyZnsSfo+jJ2luNewrhAY7Kod + GWXTer9RxzTGA3EXFGvNr+BBOOxSj0SfWTl0Olo7J5dnxof+jLAUS1VHpceHGHps + GSJSdir7NkZidgwoCPA7BTqsb5LN + =dXB0 + -----END PGP PUBLIC KEY BLOCK----- @@ -107,7 +107,7 @@ def clean_up_disks(): run(["cryptsetup", "close", mapping], check=False) -def vmdb_spec(cryptsetup_password, playbook): +def vmdb_spec(cryptsetup_password, playbook, extra_vars): device = "{{ image }}" spec = { "steps": [ 
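Review bot: The `vars:` block at the end of std.yml gives `user_pub` a default that is the author's personal key, so any image built from this playbook without a `--vars` override ends up with that key in /root/.ssh/authorized_keys; dropping the default and adding an `ansible.builtin.assert` task with `that: user_pub is defined` would force a caller to supply their own key. In the "set default locales for all users" task the file written to /etc/profile.d/finnish.sh contains only `LC_CTYPE=fi_FI.UTF8`, which when sourced by /etc/profile sets a shell variable but does not export it, so programs started from the login shell never see it; prefix the setting with `export`, or write it to /etc/default/locale instead. The "restrict root logins over ssh" task is shipped commented out; if it is not wanted it should be deleted rather than left as dead config, and if it is wanted note that `passwd -l root` only blocks password logins for root, not for any other account. `ci_prod_signing_key` is defined in the same `vars:` block but no task in this playbook references it, so the roughly fifty-line key block appears to be unused here and could be dropped.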
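Review bot: `vmdb_spec` gains a third required positional parameter `extra_vars` with no docstring and no default, which breaks any other caller of the old two-argument form; `def vmdb_spec(cryptsetup_password, playbook, extra_vars=None):` with `extra_vars = extra_vars or {}` as the first statement keeps the old call shape working and also absorbs a `None` coming from an empty vars file. A one-line docstring saying that `extra_vars` is a mapping forwarded unchanged to the ansible step's `extra_vars` key would document the new contract. The body of `vmdb_spec` continues outside this hunk.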
@@ -190,16 +190,17 @@ def vmdb_spec(cryptsetup_password, playbook): { "mount": "root", }, - {"mount": "boot", "dirname": "/boot", "mount-on": "root"}, + { + "mount": "boot", + "dirname": "/boot", + "mount-on": "root", + }, { "mount": "efi", "dirname": "/boot/efi", "mount-on": "boot", }, { - "virtual-filesystems": "root", - }, - { "unpack-rootfs": "root", }, { @@ -209,35 +210,46 @@ def vmdb_spec(cryptsetup_password, playbook): "unless": "rootfs_unpacked", }, { + "apt": "install", + "packages": [ + "console-setup", + "dosfstools", + "ifupdown", + "linux-image-amd64", + "locales-all", + "lvm2", + "psmisc", + "python3", + "ssh", + "strace", + ], + "tag": "root", + "unless": "rootfs_unpacked", + }, + { "cache-rootfs": "root", "unless": "rootfs_unpacked", }, { - "fstab": "root", + # This MUST be after the debootstrap step. + "virtual-filesystems": "root", }, { - "apt": "install", - "packages": ["linux-image-amd64"], - "tag": "root", + "fstab": "root", }, { + # These MUST come after the fstab step so that they add the + # crypttab in the initramfs. "apt": "install", "packages": [ - "console-setup", "cryptsetup", "cryptsetup-initramfs", - "dosfstools", - "ifupdown", - "locales-all", - "lvm2", - "psmisc", - "python3", - "ssh", - "strace", ], "tag": "root", }, { + # This also MUST come outside the rootfs caching, as it install + # things outside the file systems. "grub": "uefi", "tag": "root", "efi": "efi", @@ -249,7 +261,9 @@ def vmdb_spec(cryptsetup_password, playbook): # If a playbook has been specified, add an ansible step. if playbook: - spec["steps"].append({"ansible": "root", "playbook": playbook}) + spec["steps"].append( + {"ansible": "root", "playbook": playbook, "extra_vars": extra_vars} + ) return spec 
@@ -260,13 +274,19 @@ def main(): p.add_argument("--log", default="install.log") p.add_argument("--cache", default="cache.tar.gz") p.add_argument("--playbook") + p.add_argument("--vars") p.add_argument("--luks") p.add_argument("device") args = p.parse_args() + extra_vars = {} + if args.vars: + with open(args.vars) as f: + extra_vars = yaml.safe_load(f) + clean_up_disks() - spec = vmdb_spec(args.luks, args.playbook) + spec = vmdb_spec(args.luks, args.playbook, extra_vars) tmp = tempfile.mkdtemp() specfile = os.path.join(tmp, "spec.yaml") if args.verbose: @@ -275,6 +295,10 @@ def main(): yaml.dump(spec, stream=f, indent=4) log(f"run vmdb2 to install on {args.device}") + env = dict(os.environ) + env["ANSIBLE_STDOUT_CALLBACK"] = "yaml" + env["ANSIBLE_NOCOWS"] = "1" + env["ANSIBLE_LOG_PATH"] = "ansible.log" run( [ "vmdb2", |
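Review bot: `yaml.safe_load(f)` returns `None` for an empty or comment-only vars file, so after the new `if args.vars:` block `extra_vars` is `None` rather than `{}` and is forwarded into the spec as-is; use `extra_vars = yaml.safe_load(f) or {}`, and consider rejecting a result that is not a dict, since a vars file holding a list or a scalar would otherwise be passed through unchanged. In the second hunk the `env` dict carrying the three ANSIBLE_* settings is built just before `run([`, but the `run` call continues outside the hunk, so confirm that `env=env` is actually passed to it — if it is not, the settings are dead. `ANSIBLE_LOG_PATH` is hardcoded to `ansible.log` in the current directory while the tool's own log location comes from `--log`; deriving it from `args.log` (or a companion flag) would keep both logs in the place the user asked for. `main()` starts and ends outside these hunks.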