Provisioning works now

2025-05-10 14:21:35 +02:00 · 2022-05-15 02:31:41 +02:00 · 2022-05-15 02:31:41 +02:00 · 60df856435
commit 60df856435
parent c751a1e64d
16 changed files with 84 additions and 38 deletions
--- a/metal/roles/pxe-server/templates/dhcpd.conf.j2
+++ b/metal/roles/pxe-server/templates/dhcpd.conf.j2
@ -5,8 +5,17 @@ option pxelinux.pathprefix code 210 = text;
 option pxelinux.reboottime code 211 = unsigned integer 32;
 option architecture-type code 93 = unsigned integer 16;

+{% for item in groups['metal'] %}
+host {{ hostvars[item]['inventory_hostname'] }} {
+    hardware ethernet {{ hostvars[item]['mac'] }};
+    option host-name "{{ hostvars[item]['inventory_hostname'] }}";
+}
+{% endfor %}
+
 subnet {{ subnet }} netmask {{ netmask }} {
    option routers {{ gateway }};
+    option domain-name-servers {{ nameserver }};
+    option domain-name "{{ domain }}";
    range {{ subnet | ansible.utils.ipmath(3) }} {{ subnet | ansible.utils.ipmath(254) }};

    class "pxeclients" {
--- a/metal/roles/pxe-server/templates/grub.cfg.j2
+++ b/metal/roles/pxe-server/templates/grub.cfg.j2
@ -2,9 +2,13 @@ set timeout=1

 menuentry 'Auto install Debian Bullseye (PXE)' {
    set background_color=black
+    set
    linux linux \
        vga=788 \
-        url=http://{{ ansible_default_ipv4.address }}/preseed/${net_default_mac}.conf \
-        --- auto quiet
+        auto=true \
+        url=tftp://{{ ansible_default_ipv4.address }}/preseed/${net_default_mac}.cfg \
+        priority=critical \
+        ipv6.disable=1 \
+        --- quiet
    initrd initrd.gz
 }
--- a/metal/roles/pxe-server/templates/preseed.cfg.j2
+++ b/metal/roles/pxe-server/templates/preseed.cfg.j2
@ -1,3 +1,4 @@
+#_preseed_V1
 # For documentation see: https://www.debian.org/releases/stable/example-preseed.txt

 # Set default locale and keyboard layout
@ -7,6 +8,9 @@ d-i keyboard-configuration/xkb-keymap select {{ keyboard_layout | default('de')
 # Set network interface used by default
 d-i netcfg/choose_interface select auto

+# Work around the problem that the network configuration is not applied, because the preseed file is loaded after it already completed. So we just run the network configuration again! :D
+d-i preseed/early_command string kill-all-dhcp; netcfg
+
 # Static network config
 d-i netcfg/disable_autoconfig boolean true
 d-i netcfg/dhcp_failed note
@ -40,9 +44,9 @@ d-i passwd/root-login boolean false

 # Create new user
 d-i passwd/user-fullname string {{ user_fullname | default('Debian User') }}
-d-i passwd/username string {{ username | default('debian') }}
-d-i passwd/user-password password {{ password | default('insecure') }}
-d-i passwd/user-password-again password {{ password | default('insecure') }}
+d-i passwd/username string {{ ansible_user | default('debian') }}
+d-i passwd/user-password password {{ ansible_become_password | default('insecure') }}
+d-i passwd/user-password-again password {{ ansible_become_password | default('insecure') }}

 # Setup timezone and NTP server
 d-i clock-setup/utc boolean true
@ -63,8 +67,7 @@ d-i apt-setup/cdrom/set-first boolean false
 d-i apt-setup/disable-cdrom-entries boolean true

 # Install openssh-server and basic system tools
-d-i pkgsel/run_tasksel boolean false
-d-i pkgsel/include string openssh-server build-essential
+tasksel tasksel/first multiselect standard, ssh-server
 d-i pkgsel/upgrade select safe-upgrade

 # Disable package reporting
@ -74,5 +77,15 @@ popularity-contest popularity-contest/participate boolean false
 d-i grub-installer/only_debian boolean true
 d-i grub-installer/bootdev string {{ hostvars[item]['disk'] | default('/dev/sda') }}

+# Configure openssh-server. Include public key, disable root login and passord based login.
+d-i preseed/late_command string in-target mkdir -p /home/{{ ansible_user | default('debian') }}/.ssh/ ; \
+                                in-target /bin/sh -c 'echo "{{ ssh_public_key }}" >> /home/{{ ansible_user | default('debian') }}/.ssh/authorized_keys' ; \
+                                in-target chmod -R 700 /home/{{ ansible_user | default('debian') }}/.ssh/ ; \
+                                in-target chown -R {{ ansible_user | default('debian') }}:{{ ansible_user | default('debian') }} /home/{{ ansible_user | default('debian') }}/.ssh/ ; \
+                                in-target grep -q '^PermitRootLogin ' /etc/ssh/sshd_config || in-target sh -c 'echo "PermitRootLogin no" >> /etc/ssh/sshd_config' ; \
+                                in-target sed 's/^PermitRootLogin .*/PermitRootLogin no/' -i /etc/ssh/sshd_config ; \
+                                in-target grep -q '^PasswordAuthentication ' /etc/ssh/sshd_config || in-target sh -c 'echo "PasswordAuthentication no" >> /etc/ssh/sshd_config' ; \
+                                in-target sed 's/^PasswordAuthentication .*/PasswordAuthentication no/' -i /etc/ssh/sshd_config
+
 # Reboot to installed system without confirmation
 d-i finish-install/reboot_in_progress note