Provisioning works now

metal/README.md

@@ -4,3 +4,4 @@
 - Render config files (PXE config, GRUB config, preseed files etc.) from their corresponding [templates](./roles/pxe-server/templates).
 - Spin up an PXE environment (DHCP, TFTP and HTTP server) using Docker compose.
 - Wake machines using WoL to install the OS via PXE. Machines will auto reboot into the finished preseeded OS after the installation is complete.
+- Tear down the docker compose project for PXE.

metal/group_variables/all.yml

@@ -1,3 +0,0 @@
-ansible_user: root
-ansible_ssh_private_key_file: ~/.ssh/id_rsa
-ssh_public_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

metal/group_vars/all/.gitignore

@@ -0,0 +1 @@
+vault.yml

metal/group_vars/all/all.yml

@@ -0,0 +1,14 @@
+ansible_ssh_private_key_file: ~/.ssh/id_rsa
+ssh_public_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+
+# Network config
+subnet: "192.168.6.0"
+netmask: "255.255.255.0"
+gateway: "192.168.6.1"
+nameserver: "192.168.6.1"
+domain: "lab.bluemedia.dev"
+
+# User config from vault
+user_fullname: "{{ vault_user_fullname }}"
+ansible_user: "{{ vault_ansible_user }}"
+ansible_become_password: "{{ vault_ansible_become_password }}"

metal/group_vars/all/vault.tmpl

@@ -0,0 +1,4 @@
+# Copy this file to vault.yml, change the values below and encrypt it using ansible-vault.
+vault_user_fullname: "Lab User"
+vault_ansible_user: lab
+vault_ansible_become_password: "insecure" # Become password will also be the users password.

metal/install-os.yml

@@ -8,3 +8,9 @@
   gather_facts: false
   roles:
     - wol-wake
+
+- name: Tear down PXE stack
+  hosts: localhost
+  gather_facts: false
+  roles:
+    - pxe-teardown

metal/inventories/lab.yml

@@ -2,9 +2,9 @@ metal:
   children:
     masters:
       hosts:
-        lab-mini-1: {ansible_host: 192.168.1.21, mac: '4c:52:62:1c:bf:6c', disk: '/dev/nvme0n1'}
+        lab-mini-1: {ansible_host: 192.168.6.21, mac: '4c:52:62:1c:bf:6c', disk: '/dev/nvme0n1'}
-        lab-mini-2: {ansible_host: 192.168.1.22, mac: '4c:52:62:0f:09:6d', disk: '/dev/nvme0n1'}
+        lab-mini-2: {ansible_host: 192.168.6.22, mac: '4c:52:62:0f:09:6d', disk: '/dev/nvme0n1'}
-        lab-mini-3: {ansible_host: 192.168.1.23, mac: '4c:52:62:0f:0a:23', disk: '/dev/nvme0n1'}
+        lab-mini-3: {ansible_host: 192.168.6.23, mac: '4c:52:62:0f:0a:23', disk: '/dev/nvme0n1'}
     workers:
       hosts:
-        lab-mini-4: {ansible_host: 192.168.1.24, mac: '90:1b:0e:f8:e8:af', disk: '/dev/nvme0n1'}
+        lab-mini-4: {ansible_host: 192.168.6.24, mac: '90:1b:0e:f8:e8:af', disk: '/dev/nvme0n1'}

metal/roles/pxe-server/defaults/main.yml

@@ -1,11 +1,2 @@
 os_download_url: "https://deb.debian.org/debian/dists/bullseye/main/installer-amd64/current/images/netboot/netboot.tar.gz"
 os_download_checksum: "sha256:ec3b71964457f30a57061ea758c12394bf2b792b461c697e61cc2d47053c5878"
-
-user_fullname: "Lab User"
-username: "lab"
-domain: "lab.bluemedia.dev"
-
-subnet: "192.168.6.0"
-netmask: "255.255.255.0"
-gateway: "192.168.6.1"
-nameserver: "192.168.6.1"

metal/roles/pxe-server/files/docker-compose.yml

@@ -10,13 +10,15 @@ services:
     build: ./tftp
     network_mode: host
     volumes:
-      - ./data/pxe-config/grub.cfg:/var/lib/tftpboot/grub.cfg
+      - ./data/os/debian-installer/amd64/grub:/var/lib/tftpboot/debian-installer/amd64/grub
+      - ./data/pxe-config/grub.cfg:/var/lib/tftpboot/debian-installer/amd64/grub/grub.cfg
       - ./data/os/debian-installer/amd64/grubx64.efi:/var/lib/tftpboot/grubx64.efi
       - ./data/os/debian-installer/amd64/initrd.gz:/var/lib/tftpboot/initrd.gz
       - ./data/os/debian-installer/amd64/linux:/var/lib/tftpboot/linux
-  http:
+      - ./data/preseed:/var/lib/tftpboot/preseed
-    image: nginx:latest
+  #http:
-    network_mode: host
+  #  image: nginx:latest
-    volumes:
+  #  network_mode: host
-      - ./data/os:/usr/share/nginx/html/os:ro
+  #  volumes:
-      - ./data/preseed:/usr/share/nginx/html/preseed:ro
+  #    - ./data/os:/usr/share/nginx/html/os:ro
+  #    - ./data/preseed:/usr/share/nginx/html/preseed:ro

metal/roles/pxe-server/tasks/main.yml

@@ -32,6 +32,7 @@
 - name: Start PXE stack
   docker_compose:
     project_src: "{{ role_path }}/files"
+    project_name: "pxe"
     state: present
     restarted: true
     build: true

metal/roles/pxe-server/templates/dhcpd.conf.j2

@@ -5,8 +5,17 @@ option pxelinux.pathprefix code 210 = text;
 option pxelinux.reboottime code 211 = unsigned integer 32;
 option architecture-type code 93 = unsigned integer 16;
 
+{% for item in groups['metal'] %}
+host {{ hostvars[item]['inventory_hostname'] }} {
+    hardware ethernet {{ hostvars[item]['mac'] }};
+    option host-name "{{ hostvars[item]['inventory_hostname'] }}";
+}
+{% endfor %}
+
 subnet {{ subnet }} netmask {{ netmask }} {
     option routers {{ gateway }};
+    option domain-name-servers {{ nameserver }};
+    option domain-name "{{ domain }}";
     range {{ subnet | ansible.utils.ipmath(3) }} {{ subnet | ansible.utils.ipmath(254) }};
 
     class "pxeclients" {

metal/roles/pxe-server/templates/grub.cfg.j2

@@ -2,9 +2,13 @@ set timeout=1
 
 menuentry 'Auto install Debian Bullseye (PXE)' {
     set background_color=black
+    set
     linux linux \
         vga=788 \
-        url=http://{{ ansible_default_ipv4.address }}/preseed/${net_default_mac}.conf \
+        auto=true \
-        --- auto quiet
+        url=tftp://{{ ansible_default_ipv4.address }}/preseed/${net_default_mac}.cfg \
+        priority=critical \
+        ipv6.disable=1 \
+        --- quiet
     initrd initrd.gz
 }

metal/roles/pxe-server/templates/preseed.cfg.j2

@@ -1,3 +1,4 @@
+#_preseed_V1
 # For documentation see: https://www.debian.org/releases/stable/example-preseed.txt
 
 # Set default locale and keyboard layout
@@ -7,6 +8,9 @@ d-i keyboard-configuration/xkb-keymap select {{ keyboard_layout | default('de')
 # Set network interface used by default
 d-i netcfg/choose_interface select auto
 
+# Work around the problem that the network configuration is not applied, because the preseed file is loaded after it already completed. So we just run the network configuration again! :D
+d-i preseed/early_command string kill-all-dhcp; netcfg
+
 # Static network config
 d-i netcfg/disable_autoconfig boolean true
 d-i netcfg/dhcp_failed note
@@ -40,9 +44,9 @@ d-i passwd/root-login boolean false
 
 # Create new user
 d-i passwd/user-fullname string {{ user_fullname | default('Debian User') }}
-d-i passwd/username string {{ username | default('debian') }}
+d-i passwd/username string {{ ansible_user | default('debian') }}
-d-i passwd/user-password password {{ password | default('insecure') }}
+d-i passwd/user-password password {{ ansible_become_password | default('insecure') }}
-d-i passwd/user-password-again password {{ password | default('insecure') }}
+d-i passwd/user-password-again password {{ ansible_become_password | default('insecure') }}
 
 # Setup timezone and NTP server
 d-i clock-setup/utc boolean true
@@ -63,8 +67,7 @@ d-i apt-setup/cdrom/set-first boolean false
 d-i apt-setup/disable-cdrom-entries boolean true
 
 # Install openssh-server and basic system tools
-d-i pkgsel/run_tasksel boolean false
+tasksel tasksel/first multiselect standard, ssh-server
-d-i pkgsel/include string openssh-server build-essential
 d-i pkgsel/upgrade select safe-upgrade
 
 # Disable package reporting
@@ -74,5 +77,15 @@ popularity-contest popularity-contest/participate boolean false
 d-i grub-installer/only_debian boolean true
 d-i grub-installer/bootdev string {{ hostvars[item]['disk'] | default('/dev/sda') }}
 
+# Configure openssh-server. Include public key, disable root login and passord based login.
+d-i preseed/late_command string in-target mkdir -p /home/{{ ansible_user | default('debian') }}/.ssh/ ; \
+                                in-target /bin/sh -c 'echo "{{ ssh_public_key }}" >> /home/{{ ansible_user | default('debian') }}/.ssh/authorized_keys' ; \
+                                in-target chmod -R 700 /home/{{ ansible_user | default('debian') }}/.ssh/ ; \
+                                in-target chown -R {{ ansible_user | default('debian') }}:{{ ansible_user | default('debian') }} /home/{{ ansible_user | default('debian') }}/.ssh/ ; \
+                                in-target grep -q '^PermitRootLogin ' /etc/ssh/sshd_config || in-target sh -c 'echo "PermitRootLogin no" >> /etc/ssh/sshd_config' ; \
+                                in-target sed 's/^PermitRootLogin .*/PermitRootLogin no/' -i /etc/ssh/sshd_config ; \
+                                in-target grep -q '^PasswordAuthentication ' /etc/ssh/sshd_config || in-target sh -c 'echo "PasswordAuthentication no" >> /etc/ssh/sshd_config' ; \
+                                in-target sed 's/^PasswordAuthentication .*/PasswordAuthentication no/' -i /etc/ssh/sshd_config
+
 # Reboot to installed system without confirmation
 d-i finish-install/reboot_in_progress note

metal/roles/pxe-teardown/tasks/main.yml

@@ -0,0 +1,5 @@
+- name: Tear down PXE stack
+  docker_compose:
+    project_name: "pxe"
+    project_src: "{{ playbook_dir }}/roles/pxe-server/files/"
+    state: absent

scripts/pxe-log.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
-docker-compose \
+docker compose \
-    --project-directory ./metal/roles/pxe-server/files/ \
+    --project-name pxe \
     logs \
-    --f \
+    --follow \
     ${@}

scripts/pxe-teardown.sh

@@ -1,2 +0,0 @@
-#!/bin/bash
-docker compose --project-directory metal/roles/pxe-server/files/ down