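---
# Ansible playbook to install stuff for v-i.
#
# This runs inside the chroot that vmdb2 builds for the installer image
# (hosts: image).  Several tasks therefore patch up things a normally
# booted system would already have (resolv.conf, hostname), and a few
# deliberately weaken the image because it is an installer (empty root
# password for console logins; see the SSH section for the ssh side).
- hosts: image
  tasks:
    # This is a workaround for the fact that the chroot vmdb2 creates
    # lacks an /etc/resolv.conf.
    - name: "install a temporary /etc/resolv.conf"
      copy:
        content: "nameserver 8.8.8.8"
        dest: /etc/resolv.conf

    # Fails the build early if name resolution or outbound network is
    # broken, before any apt task tries to use them.
    - name: "check /etc/resolv.conf and DNS lookup work"
      shell: |
        cat /etc/resolv.conf || true
        ping -c1 pieni.net

    # General configuration of installer system.

    # lookup('pipe') runs on the controller, so this records the git
    # description of the checkout the playbook is run from.
    - name: "install file with version info of installer"
      copy:
        content: |
          {{ lookup('pipe', 'git describe --dirty') }}
        dest: /etc/v-i-version

    # copy with explicit content replaces the earlier shell+echo
    # redirect; the resulting file bytes ("v-i" plus newline) are the same.
    - name: "set hostname in /etc/hostname"
      copy:
        content: "{{ hostname }}\n"
        dest: /etc/hostname

    # The installer must be usable from the virtual console without a
    # password.  This affects console logins only: sshd is configured
    # below to refuse password authentication entirely.
    - name: "unset root password so that virtual console logins work"
      shell: |
        sed -i '/^root:[^:]*:/s//root::/' /etc/passwd /etc/shadow

    # Re-installing lets the package's postinst set up ping's
    # capabilities again (presumably the first install in the chroot
    # did not get them right -- the original note only says "for the
    # right capabilities").
    - name: "remove ping so it can be re-installed for the right capabilities"
      apt:
        name: iputils-ping
        state: absent

    - name: "re-install ping"
      apt:
        name: iputils-ping
        state: present

    # NOTE(review): the Debian package is "rsyslog" (the daemon binary
    # is rsyslogd).  With the old name "rsyslogd" the apt module had
    # nothing to remove, so the daemon stayed installed.
    - name: "uninstall rsyslog to avoid writing logs to slow disk"
      apt:
        name: rsyslog
        state: absent
        purge: true

    # The regexp also matches the commented "#Storage=auto" default
    # line, which lineinfile then replaces in place.
    - name: "make systemd journal non-persistent, to avoid writing logs to slow disk"
      lineinfile:
        path: /etc/systemd/journald.conf
        regexp: "Storage="
        line: "Storage=volatile"

    # Equivalent of the former "install -d" + "ln -nsf": force=true
    # creates the link even when the unit file itself is not present
    # yet at this point of the build.
    - name: "create ssh.service.wants directory"
      file:
        path: /etc/systemd/system/ssh.service.wants
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: "enable v-i-config service"
      file:
        src: /etc/systemd/system/v-i-config.service
        dest: /etc/systemd/system/ssh.service.wants/v-i-config.service
        state: link
        force: true

    # The Debian release is hard-coded here; keep it in step with the
    # base image vmdb2 builds.
    - name: "add non-free-firmware (and more) to apt sources, for wifi"
      apt_repository:
        repo: "deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware"

    # Install vmdb2, which actually does the installation to the
    # target system.

    - name: "create /etc/apt/keyrings for repository-scoped signing keys"
      file:
        path: /etc/apt/keyrings
        state: directory
        owner: root
        group: root
        mode: "0755"

    # The key is referenced with signed-by from the single sources
    # entry it signs, instead of being dropped into
    # /etc/apt/trusted.gpg.d where apt would trust it for every
    # configured repository.
    - name: "add APT key for CI repo with vmdb2"
      copy:
        content: "{{ apt_liw_fi_signing_key }}"
        dest: /etc/apt/keyrings/apt_liw_fi.asc
        owner: root
        group: root
        mode: "0644"

    - name: "add CI repo with vmdb2 to apt sources"
      apt_repository:
        repo: "deb [signed-by=/etc/apt/keyrings/apt_liw_fi.asc] http://apt.liw.fi/debian unstable main"

    - name: "install vmdb2"
      apt:
        name: vmdb2
        state: present

    # Locale specific configuration.

    - name: "configure keyboard layout"
      copy:
        content: |
          XKBMODEL="pc105"
          XKBLAYOUT="us"
          XKBVARIANT=""
          XKBOPTIONS=""
          BACKSPACE="guess"
        dest: /etc/default/keyboard

    - name: "configure console"
      copy:
        content: |
          ACTIVE_CONSOLES="/dev/tty[1-6]"
          CHARMAP="UTF-8"
          CODESET="Lat15"
          FONTFACE="Fixed"
          FONTSIZE="8x16"
          VIDEOMODE=
        dest: /etc/default/console-setup
        mode: "0644"

    # copy instead of "echo ... >>": the append was not idempotent and
    # added one more export line on every run.
    - name: "set default LC_CTYPE for all users"
      copy:
        content: "export LC_CTYPE=fi_FI.UTF8\n"
        dest: /etc/profile.d/finnish.sh
        mode: "0644"

    - name: "silence kernel messages to console"
      copy:
        content: "kernel.printk = 3 4 1 3"
        dest: /etc/sysctl.d/kernel.conf
        mode: "0644"

    # SSH configuration.

    # With password authentication off, the empty root password set
    # earlier is only usable on the console; ssh needs a key in
    # /root/.ssh/authorized_keys.  If no PasswordAuthentication line
    # matches, lineinfile appends one at the end of sshd_config.
    - name: "restrict root logins over ssh to require a key"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "#* *PasswordAuthentication"
        line: "PasswordAuthentication no"

    - name: "create /root/.ssh"
      file:
        state: directory
        path: /root/.ssh
        owner: root
        group: root
        mode: "0700"

    # Network configuration.

    - name: "install wifi firmware and iwd"
      apt:
        name:
          - firmware-brcm80211
          - firmware-iwlwifi
          - firmware-libertas
          - firmware-misc-nonfree
          - firmware-realtek
          - firmware-ti-connectivity
          - iwd
        state: present

    - name: "remove ifupdown in favor of systemd-networkd"
      apt:
        name: ifupdown
        state: absent

    - name: "enable systemd-networkd"
      systemd:
        name: systemd-networkd
        enabled: true

    - name: "configure eth0 to get an address using DHCP"
      copy:
        content: |
          [Match]
          Name=eth0
          [Network]
          DHCP=ipv4
          [DHCPv4]
          RouteMetric=20
          UseDomains=true
        dest: /etc/systemd/network/eth0.network

    # Allow lookup of domain-less names, when the DHCP server doesn't
    # set a domain for the LAN. See
    # https://wiki.archlinux.org/title/Systemd-resolved#systemd-resolved_does_not_resolve_hostnames_without_suffix
    # systemd-resolved defaults this to "no" so that single-label
    # names are not sent to upstream DNS; it is enabled here on
    # purpose for the local network.
    - name: "tweak resolved.conf for domain-less DNS lookup"
      lineinfile:
        path: /etc/systemd/resolved.conf
        regexp: "ResolveUnicastSingleLabel="
        line: "ResolveUnicastSingleLabel=yes"

    - name: "configure bridge device br0 for local network ports"
      copy:
        content: |
          [NetDev]
          Name=br0
          Kind=bridge
        dest: /etc/systemd/network/br0.netdev

    # Every ethX interface except eth0 (the uplink) becomes a bridge port.
    - name: "add local network ports to br0"
      copy:
        content: |
          [Match]
          Name=eth[^0]*
          [Network]
          Bridge=br0
        dest: /etc/systemd/network/local.network

    # The /24 prefix here must agree with puomi_dhcp_netmask in vars.
    - name: "configure bridge br0"
      copy:
        content: |
          [Match]
          Name=br0
          [Network]
          Address={{ puomi_lan_ip }}/24
          DHCPServer=false
          IPForward=false
          IPMasquerade=false
          ConfigureWithoutCarrier=true
        dest: /etc/systemd/network/br0.network

    - name: "configure wifi"
      copy:
        content: |
          [Match]
          Name=wlan0
          [Network]
          DHCP=yes
          [DHCPv4]
          RouteMetric=20
        dest: /etc/systemd/network/wireless.network

    - name: "enable iwd"
      systemd:
        name: iwd
        enabled: true

    - name: "install dnsmasq"
      apt:
        name: dnsmasq
        state: present

    - name: "configure dnsmasq for configuration .d directory support"
      lineinfile:
        path: /etc/dnsmasq.conf
        regexp: "^conf-dir"
        line: "conf-dir=/etc/dnsmasq.d/,*.conf"

    # NOTE(review): "interface=" makes dnsmasq answer only on br0 and
    # lo, but without bind-interfaces it still binds the wildcard
    # address and filters in userspace -- confirm that is acceptable
    # for the eth0/wlan0 uplinks.
    - name: "configure dnsmasq for local bridge br0"
      copy:
        content: |
          dhcp-range={{ puomi_dhcp_start }},{{ puomi_dhcp_end }},{{ puomi_dhcp_netmask }},{{ puomi_dhcp_lease }}
          host-record={{ hostname }},{{ puomi_lan_ip }}
          interface=br0
          interface=lo
          max-cache-ttl=30
          neg-ttl=10
        dest: /etc/dnsmasq.d/router.conf

  vars:
    hostname: v-i
    ansible_python_interpreter: /usr/bin/python3
    # ASCII-armored public key for the apt.liw.fi repository.  The
    # armor was re-wrapped from a collapsed copy of this file; check the
    # fingerprint against the upstream key before trusting a rebuilt image.
    apt_liw_fi_signing_key: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----

      mDMEZZJdGhYJKwYBBAHaRw8BAQdAqeF0fisweYyKM1ijm2TofKLI56kxprqQQgRI
      3XS7sfOI0QQfFgoAgwWCZZJdGgWJAeGFNAMLCQcJEDAjOV80dhuBRxQAAAAAAB4A
      IHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ6QIq8aJr7rZ4To0YujnzP+e
      VPuNqYamrIwP7oedSJuRAxUKCAKbAQIeARYhBNMIjAl0ALjhurGI1DAjOV80dhuB
      AADPhAD9E7FKlBGQ4+kBNyJMSc6Kjp8DgI7GU1SsmGejPz97YsgA/ir2dwmq2Ik3
      Mh8zxzUkrLT6K20iOi/ZoCXw2h/lNzgPtCthcHQubGl3LmZpIGFyY2hpdmUgc2ln
      bmluZyBrZXkgPGxpd0BsaXcuZmk+iNQEExYKAIYFgmWSXRoFiQHhhTQDCwkHCRAw
      IzlfNHYbgUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmci
      FPskp0wwO97SSRdxY+2fEeZ+OomxFq+LdrIf1qwhEwMVCggCmQECmwECHgEWIQTT
      CIwJdAC44bqxiNQwIzlfNHYbgQAAGAMA/2uERO4xdI3DOeTx6GZtENeMNbBTe7X+
      fh2IjXFv/xmXAQCT0eiqaHKEGq3RwrOoCBRmxec4yMgOfIuCt0l7YvytA4h1BBAW
      CgAdFiEE6gtzmezPkoKnTvj4MdqAMggdkB0FAmWSXdwACgkQMdqAMggdkB3FXwEA
      q82Xm0RheXzOMSKoCYOCxhM8rbn1wWIrufIo3znkrhABALMelmzI+LmzT7s62zGE
      2z8V7Nv0JnjZyrf+FZhNAqYFuDMEZZJdGhYJKwYBBAHaRw8BAQdAF+jg51KWsd8V
      HxeHo6bab39J6gGNsJZcUVqRqCfrrzSJAYUEGBYKATcFgmWSXRoFiQHhhTQJEDAj
      OV80dhuBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+J5
      7Y6sMbUC82e9ztMS6yorTd1niehqKtaj22Fq9xREApsCvqAEGRYKAG8FgmWSXRoJ
      EJqO39bYba7MRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y
      Z/Kx/ROGuSeEFI8QlSRIBLTxGvqRP+G0MIVtj5277onuFiEEbwX90zO8sdjuP23I
      mo7f1thtrswAAIZrAQCWL1DboWlW3fCUEx++p8KTSjEt925x9uEt+QYk1W8wgQD+
      PnefEb8sHyZBkznoZcqgWdiqFQzgpJHYK0rieZt51AAWIQTTCIwJdAC44bqxiNQw
      IzlfNHYbgQAANkwBAKPT/FYSCp1w2moONOyKjxLkURCa6bXM+HPODBUn/0ozAQDa
      kaEaS+5jPDYzDJdpB6+7JJNu9IbT2RcI85S4KUr1Ag==
      =by66
      -----END PGP PUBLIC KEY BLOCK-----
    # Addresses quoted so no YAML parser reinterprets them.
    puomi_lan_ip: "10.20.20.1"
    puomi_dhcp_start: "10.20.20.10"
    puomi_dhcp_end: "10.20.20.250"
    puomi_dhcp_netmask: "255.255.255.0"
    puomi_dhcp_lease: "1h"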