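# Ansible playbook to install stuff for a standard install with v-i.
# You should inspect the user_* variables at the end, and override
# them with "ansible_vars" in the system spec file. v-i sets the
# hostname variable automatically.
#
# Variables referenced here but NOT defaulted in `vars` below
# (hostname, debian_release, and the optional user_pub, user_ca_pubkey,
# host_key, host_cert) must come from v-i or the system spec; a
# referenced-but-undefined one makes the task that uses it fail.
#
# Every `content: |` block scalar keeps exactly one trailing newline,
# which is what the files written below expect.
---
- hosts: image
  tasks:
    - name: "set /etc/hostname"
      copy:
        content: |
          {{ hostname }}
        dest: /etc/hostname

    # Default: root cannot log in with a password at all (locked hash).
    - name: "lock root password"
      shell: |
        passwd -l root
      when: passwordless_root is not defined or not passwordless_root

    # Opt-in only: blank out root's password field in /etc/passwd.
    - name: "remove root password"
      shell: |
        sed -i '/^root:[^:]*:/s//root::/' /etc/passwd
      when: passwordless_root

    # Modes are quoted so the YAML parser hands Ansible the literal
    # octal string instead of an integer.
    - name: "create ~root/.ssh"
      when: user_pub is defined
      file:
        state: directory
        path: /root/.ssh
        owner: root
        group: root
        mode: "0700"

    - name: "set ~root/.ssh/authorized keys"
      when: user_pub is defined
      copy:
        content: |
          {{ user_pub }}
        dest: /root/.ssh/authorized_keys
        owner: root
        group: root
        mode: "0600"

    - name: "install user CA public key"
      when: user_ca_pubkey is defined
      copy:
        content: |
          {{ user_ca_pubkey }}
        dest: /etc/ssh/user_ca_pubs

    # Note: this turns password authentication off for every user, not
    # only root. The regexp also matches the commented-out default line
    # so it is replaced in place rather than appended.
    - name: "restrict root logins over ssh to require a key"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "#* *PasswordAuthentication"
        line: "PasswordAuthentication no"

    - name: "configure sshd to accept CA for users"
      when: user_ca_pubkey is defined
      copy:
        content: |
          TrustedUserCAKeys /etc/ssh/user_ca_pubs
        dest: /etc/ssh/sshd_config.d/user_ca.conf

    # Private key: owner-only readable.
    - name: "install host key"
      when: host_key is defined
      copy:
        content: |
          {{ host_key }}
        dest: /etc/ssh/ssh_host_key
        mode: "0600"

    - name: "install host cert"
      when: host_cert is defined
      copy:
        content: |
          {{ host_cert }}
        dest: /etc/ssh/ssh_host_key-cert.pub
        mode: "0644"

    # The HostKey line is only written when host_cert is defined, so a
    # host_key supplied without a host_cert is installed but not used.
    - name: "configure sshd to use host cert"
      when: host_cert is defined
      copy:
        content: |
          HostKey /etc/ssh/ssh_host_key
          HostCertificate /etc/ssh/ssh_host_key-cert.pub
        dest: /etc/ssh/sshd_config.d/host_cert.conf

    - name: "configure keyboard layout"
      copy:
        content: |
          XKBMODEL="{{ user_keyboard_model }}"
          XKBLAYOUT="{{ user_keyboard_layout }}"
          XKBVARIANT=""
          XKBOPTIONS=""
          BACKSPACE="guess"
        dest: /etc/default/keyboard

    - name: "configure console"
      copy:
        content: |
          ACTIVE_CONSOLES="/dev/tty[1-6]"
          CHARMAP="UTF-8"
          CODESET="{{ user_console_codeset }}"
          FONTFACE="Fixed"
          FONTSIZE="8x16"
          VIDEOMODE=
        dest: /etc/default/console-setup

    - name: "set default locales for all users"
      copy:
        content: |
          {{ user_locale }}
        dest: /etc/profile.d/locale.sh

    # Networking is handled by systemd-networkd below.
    - name: "remove ifupdown"
      apt:
        name: ifupdown
        state: absent

    # non-free firmware lives in "non-free-firmware" from bookworm on,
    # and in "non-free" on bullseye.
    - name: "enable the non-free-firmware component"
      when: debian_release != "bullseye"
      apt_repository:
        repo: "deb http://deb.debian.org/debian {{ debian_release }} non-free-firmware"
        state: present
        update_cache: true

    - name: "enable the non-free component"
      when: debian_release == "bullseye"
      apt_repository:
        repo: "deb http://deb.debian.org/debian {{ debian_release }} non-free"
        state: present
        update_cache: true

    - name: "install iwd and firmware for wifi"
      apt:
        name:
          - firmware-brcm80211
          - firmware-iwlwifi
          - firmware-libertas
          - firmware-misc-nonfree
          - firmware-realtek
          - firmware-ti-connectivity
          - iwd

    - name: "enable iwd"
      systemd:
        name: iwd
        enabled: true

    - name: "configure networkd for Ethernet"
      copy:
        content: |
          [Match]
          Name=eth0

          [Network]
          DHCP=yes
        dest: /etc/systemd/network/external.network

    - name: "configure networkd for wireless"
      copy:
        content: |
          [Match]
          Name=wlan*

          [Network]
          DHCP=yes
        dest: /etc/systemd/network/wireless.network

    # The iwd state directory holds network passphrases. `mode: preserve`
    # keeps each copied file's source permissions instead of creating it
    # with the target's default (umask-derived) mode.
    - name: "copy wireless credentials from host to target"
      copy:
        src: /var/lib/iwd/
        dest: /var/lib/iwd/
        mode: preserve

    - name: "enable networkd"
      systemd:
        name: systemd-networkd
        enabled: true

    - name: "install resolved"
      apt:
        name:
          - systemd-resolved

    - name: "enable resolved"
      systemd:
        name: systemd-resolved
        enabled: true

    # Allow lookup of domain-less names, when the DHCP server doesn't
    # set a domain for the LAN. See
    # https://wiki.archlinux.org/title/Systemd-resolved#systemd-resolved_does_not_resolve_hostnames_without_suffix
    - name: "tweak resolved.conf for domain-less DNS lookup"
      lineinfile:
        path: /etc/systemd/resolved.conf
        regexp: ResolveUnicastSingleLabel=
        line: ResolveUnicastSingleLabel=yes

  # Defaults; override via "ansible_vars" in the system spec.
  vars:
    ansible_python_interpreter: /usr/bin/python3

    # Written verbatim to /etc/profile.d/locale.sh.
    user_locale: |
      export LC_CTYPE=C.UTF8

    # You may want to override these to get a non-US keyboard layout.
    user_keyboard_model: pc105
    user_keyboard_layout: us
    user_console_codeset: Lat15

    # Set to true to leave root with an empty password instead of a
    # locked one.
    passwordless_root: false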