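---
# Ansible playbook to install stuff for v-i.
#
# Runs against the chroot that vmdb2 builds for the installer image
# (host group "image"). Changes in this revision, each marked below:
#   * the CI repo's signing key is scoped to that repo with
#     [signed-by=...] instead of being dropped into trusted.gpg.d,
#     where it would be accepted for every apt source in the image;
#   * "rsyslogd" is not a Debian package name (the package is
#     "rsyslog"), so the purge task was silently a no-op;
#   * templated values are written with copy: instead of echo in a
#     shell task, and the LC_CTYPE profile snippet is no longer
#     appended on every run;
#   * the sshd regexp is anchored so it cannot hit a comment line.
- hosts: image
  tasks:
    # This is a workaround for the fact that the chroot vmdb2 creates
    # lacks an /etc/resolv.conf.
    # NOTE(review): nothing in this play removes this file again; if the
    # image is expected to use systemd-resolved at runtime (resolved.conf
    # is tweaked below), confirm that resolv.conf gets replaced later.
    - name: "install a temporary /etc/resolv.conf"
      copy:
        content: nameserver 8.8.8.8
        dest: /etc/resolv.conf

    - name: "check /etc/resolv.conf and DNS lookup work"
      shell: |
        cat /etc/resolv.conf || true
        ping -c1 pieni.net

    # General configuration of installer system.

    # The pipe lookup runs on the Ansible controller, in its current
    # working directory, not inside the chroot.
    - name: "install file with version info of installer"
      copy:
        content: |
          {{ lookup('pipe', 'git describe --dirty') }}
        dest: /etc/v-i-version

    # copy: instead of `echo "{{ hostname }}" > ...` in a shell task, so
    # the templated value is never interpolated into a shell command line.
    - name: "set hostname in /etc/hostname"
      copy:
        content: "{{ hostname }}\n"
        dest: /etc/hostname

    # Deliberately leaves root with NO password: anyone at the console
    # gets a root shell on the installer. The sed drops the second field
    # of the root line in both files. This does not open ssh: password
    # authentication is disabled further down, and sshd refuses empty
    # passwords by default (PermitEmptyPasswords no) in any case.
    - name: "unset root password so that virtual console logins work"
      shell: |
        sed -i '/^root:[^:]*:/s//root::/' /etc/passwd /etc/shadow

    - name: "remove ping so it can be re-installed for the right capabilities"
      apt:
        name: iputils-ping
        state: absent

    - name: "re-install ping"
      apt:
        name: iputils-ping
        state: present

    # The Debian package is "rsyslog"; with the old name "rsyslogd" the
    # apt module found nothing to remove and rsyslog stayed installed.
    - name: "uninstall rsyslogd to avoid writing logs to slow disk"
      apt:
        name: rsyslog
        state: absent
        purge: true

    # Matches the commented-out "#Storage=auto" shipped by Debian and
    # replaces it in place.
    - name: "make systemd journal non-persistent, to avoid writing logs to slow disk"
      lineinfile:
        path: /etc/systemd/journald.conf
        regexp: Storage=
        line: Storage=volatile

    # v-i-config.service itself is installed elsewhere (not in this play);
    # ln -nsf creates the link even if the target does not exist yet.
    - name: "enable v-i-config service"
      shell: |
        install -d /etc/systemd/system/ssh.service.wants
        ln -nsf /etc/systemd/system/v-i-config.service /etc/systemd/system/ssh.service.wants/v-i-config.service

    # Plain http is fine here: apt verifies the Release signature against
    # the Debian archive keyring that the base system already ships.
    - name: "add non-free-firmware (and more) to apt sources, for wifi"
      apt_repository:
        repo: "deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware"

    # Install vmdb2, which actually does the installation to the
    # target system.

    # Keep the CI key out of /etc/apt/trusted.gpg.d/: a key there is
    # trusted for EVERY apt source, so a compromise of the CI signing key
    # could also sign packages for the deb.debian.org lines above. Store
    # it in /etc/apt/keyrings/ and bind it to its own repo with
    # [signed-by=...] instead.
    - name: "create /etc/apt/keyrings for repo-scoped signing keys"
      file:
        path: /etc/apt/keyrings
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: "add APT key for CI repo with vmdb2"
      copy:
        content: "{{ ci_prod_signing_key }}"
        dest: /etc/apt/keyrings/ci_prod.asc
        owner: root
        group: root
        mode: "0644"

    - name: "add CI repo with vmdb2 to apt sources"
      apt_repository:
        repo: "deb [signed-by=/etc/apt/keyrings/ci_prod.asc] http://ci-prod-controller.vm.liw.fi/debian unstable-ci main"

    - name: "install vmdb2"
      apt:
        name: vmdb2

    # Locale specific configuration.

    - name: "configure keyboard layout"
      copy:
        content: |
          XKBMODEL="pc105"
          XKBLAYOUT="us"
          XKBVARIANT=""
          XKBOPTIONS=""
          BACKSPACE="guess"
        dest: /etc/default/keyboard

    - name: "configure console"
      copy:
        content: |
          ACTIVE_CONSOLES="/dev/tty[1-6]"
          CHARMAP="UTF-8"
          CODESET="Lat15"
          FONTFACE="Fixed"
          FONTSIZE="8x16"
          VIDEOMODE=
        dest: /etc/default/console-setup
        mode: "0644"

    # Written as a whole file rather than `echo ... >>`, which appended a
    # duplicate line every time the play ran.
    - name: "set default LC_TYPE for all users"
      copy:
        content: "export LC_CTYPE=fi_FI.UTF8\n"
        dest: /etc/profile.d/finnish.sh
        mode: "0644"

    - name: "silence kernel messages to console"
      copy:
        content: kernel.printk = 3 4 1 3
        dest: /etc/sysctl.d/kernel.conf
        mode: "0644"

    # SSH configuration.

    # Anchored regexp: the unanchored "#* *PasswordAuthentication" also
    # matched the prose comment "# PasswordAuthentication.  Depending on
    # your PAM configuration, ..." in Debian's sshd_config, and lineinfile
    # rewrites the LAST match. Requiring whitespace after the keyword
    # restricts it to the real "#PasswordAuthentication yes" directive.
    # NOTE(review): bookworm's sshd_config has an Include for
    # /etc/ssh/sshd_config.d/*.conf at the top; a drop-in there would win
    # over this line, so keep that directory free of conflicting settings.
    - name: "restrict root logins over ssh to require a key"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\s+'
        line: "PasswordAuthentication no"

    - name: "create /root/.ssh"
      file:
        state: directory
        path: /root/.ssh
        owner: root
        group: root
        mode: "0700"

    # Network configuration.

    - name: "install wifi firmware and iwd"
      apt:
        name:
          - firmware-brcm80211
          - firmware-iwlwifi
          - firmware-libertas
          - firmware-misc-nonfree
          - firmware-realtek
          - firmware-ti-connectivity
          - iwd

    - name: "remove ifupdown in favor of systemd-networkd"
      apt:
        name: ifupdown
        state: absent

    - name: "enable systemd-networkd"
      systemd:
        name: systemd-networkd
        enabled: true

    # UseDomains=true means the upstream DHCP server's search domain is
    # used for single-label lookups on this link; only do this on a
    # network whose DHCP server you trust.
    - name: "configure eth0 to get an address using DHCP"
      copy:
        content: |
          [Match]
          Name=eth0

          [Network]
          DHCP=ipv4

          [DHCPv4]
          RouteMetric=20
          UseDomains=true
        dest: /etc/systemd/network/eth0.network

    # Allow lookup of domain-less names, when the DHCP server doesn't
    # set a domain for the LAN. See
    # https://wiki.archlinux.org/title/Systemd-resolved#systemd-resolved_does_not_resolve_hostnames_without_suffix
    - name: "tweak resolved.conf for domain-less DNS lookup"
      lineinfile:
        path: /etc/systemd/resolved.conf
        regexp: ResolveUnicastSingleLabel=
        line: ResolveUnicastSingleLabel=yes

    - name: "configure bridge device br0 for local network ports"
      copy:
        content: |
          [NetDev]
          Name=br0
          Kind=bridge
        dest: /etc/systemd/network/br0.netdev

    # eth[^0]* is a glob: every ethN except eth0 joins the bridge.
    - name: "add local network ports to br0"
      copy:
        content: |
          [Match]
          Name=eth[^0]*

          [Network]
          Bridge=br0
        dest: /etc/systemd/network/local.network

    # Forwarding and masquerading stay off: the installer serves DHCP/DNS
    # on br0 but does not route between the LAN side and eth0/wlan0.
    - name: "configure bridge br0"
      copy:
        content: |
          [Match]
          Name=br0

          [Network]
          Address={{ puomi_lan_ip }}/24
          DHCPServer=false
          IPForward=false
          IPMasquerade=false
          ConfigureWithoutCarrier=true
        dest: /etc/systemd/network/br0.network

    - name: "configure wifi"
      copy:
        content: |
          [Match]
          Name=wlan0

          [Network]
          DHCP=yes

          [DHCPv4]
          RouteMetric=20
        dest: /etc/systemd/network/wireless.network

    - name: "enable iwd"
      systemd:
        name: iwd
        enabled: true

    - name: "install dnsmasq"
      apt:
        name: dnsmasq

    - name: "configure dnsmasq for configuration .d directory support"
      lineinfile:
        path: /etc/dnsmasq.conf
        regexp: ^conf-dir
        line: "conf-dir=/etc/dnsmasq.d/,*.conf"

    # With only interface= lines dnsmasq still binds the wildcard address
    # and filters by interface on receipt. NOTE(review): consider adding
    # bind-interfaces so the socket itself is not open on eth0/wlan0,
    # after confirming br0 exists before dnsmasq starts at boot.
    - name: "configure dnsmasq for local bridge br0"
      copy:
        content: |
          dhcp-range={{ puomi_dhcp_start }},{{ puomi_dhcp_end }},{{ puomi_dhcp_netmask }},{{ puomi_dhcp_lease }}
          host-record={{ hostname }},{{ puomi_lan_ip }}
          interface=br0
          interface=lo
          max-cache-ttl=30
          neg-ttl=10
        dest: /etc/dnsmasq.d/router.conf

  vars:
    hostname: v-i
    ansible_python_interpreter: /usr/bin/python3
    # Public key only; it is safe to keep in version control. Compare its
    # fingerprint against the one published for the CI repo before
    # updating it.
    ci_prod_signing_key: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----

      mQINBFrLO7kBEADdz6mHstYmKU5Dp6OSjxWtWaqTDOX1sJdmmaIK/9EKVIH0Maxp
      5kvVO5G6mULLAjv/kLG0MxasHPrq8I2A/y8AqKAGVL8QelwLjQMIFZ30/VbGQPHS
      +T5TZXEnoQtNce1GUhFwJ38ZyjjwHBFV9tSec7rZ2Q3YeM3nNnGPf6DacXGfEOPO
      HIN4sXAN2hzNXNjKRzTIvxQseb6nr7afUh/SlZ3yhQOCrIzmYlD7tP9WJe7ofL0p
      JY4pDQYw8rT6nC2BE/ioemh84kERCT1vCe+OVFlSRuMlqfEv+ZpKQ+itOmPDQ/lM
      jpUm1K2hrW/lWpxT/ZxHKo/w1K36J5WshgMZxfUu5BMCL9LMqMcrXNhNjDMfxDMM
      3yBPOvQ4ls6fecOZ/bsFo1p8VzMk/w/eG8vPs5yuNa5XxN95yFMXoOHGb5Xbu8D4
      6yiW+Af70LbiSNpGdmNdneiGB2fY38NxBukPw5u3S5qG8HedSmMr1RvSr5kHoAAe
      UbOY+BYaaKsTAT7+1skUW1o3FJSqoRKCHAzTsMWC6zzhR8hRn7jVrrguH1hGbqq5
      TZSCFQZExuTJ7uXrTLG0WoBXIjB5wWNcSeXn8myUWYB51nJNF4tJBouZOz9JwWGl
      kiAQkrHnBttLQWdW9FyjbIoTZMtpvVx+m6ObGTGdGL1cNlLAvWprMXGc+QARAQAB
      tDJJY2sgQVBUIHJlcG9zaXRvcnkgc2lnbmluZyBrZXkgKDIwMTgpIDxsaXdAbGl3
      LmZpPokCTgQTAQgAOBYhBKL1uyDoXyxUH3O717Wr+TZVS6PGBQJayzu5AhsDBQsJ
      CAcCBhUICQoLAgQWAgMBAh4BAheAAAoJELWr+TZVS6PGB5QQANTcikhRUHwt9N4h
      dGc/Hp6CbqdshMoWlwpFskttoVDxQG5OAobuZl5XyzGcmja1lT85RGkZFfbca0IZ
      LnXOLLSAu51QBkXNaj4OhjK/0uQ+ITrvL6RQSXNgHiUTR/W2XD1GIUq6nBqe2GSN
      31S1baYKKVj5QIMsi7Dq8ls3BBXuPCE+xTSaNmGWjes2t9pPidcRvxsksCLY1qgw
      P1GFXBeMkBQ29kBP87SUL15SIk7OiQLlEURCy5iRls5rt/YEsdEpRWIb0Tm5Nrjv
      2M3VM+iBhfNXTwj0rJ34mlycF1qQmA7YcTEobT7z587GPY0VWzBpQUnEQj7rQWPM
      cDYY0b+I6kQ8VKOaL4wVAtE98d7HzFIrIrwhTKufnrWrVDPYsmLZ+LPC1jiF7JBD
      SR6Vftb+SdDR9xoE1yRuXbC6IfoW+5/qQNrdQ2mm9BFw5jOonBqchs18HTTf3441
      6SWwP9fY3Vi+IZphPPi0Gf85oMStgnv/Wnw6LacEL32ek39Desero/D8iGLZernK
      Q2mC9mua5A/bYGVhsNWyURNFkKdbFa+/wW3NfdKYyZnsSfo+jJ2luNewrhAY7Kod
      GWXTer9RxzTGA3EXFGvNr+BBOOxSj0SfWTl0Olo7J5dnxof+jLAUS1VHpceHGHps
      GSJSdir7NkZidgwoCPA7BTqsb5LN
      =dXB0
      -----END PGP PUBLIC KEY BLOCK-----
    puomi_lan_ip: 10.20.20.1
    puomi_dhcp_start: 10.20.20.10
    puomi_dhcp_end: 10.20.20.250
    puomi_dhcp_netmask: 255.255.255.0
    puomi_dhcp_lease: 1h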