Add PXE installer functionality

eyulf · eyulf · commit f899339a932e · 2022-10-01T23:59:40.000+10:00
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -9,7 +9,7 @@
 version: '3'
 
 vars:
-  PYTHON_VERSION: '3.8.5'
+  PYTHON_VERSION: '3.10.7'
   PYTHON_VENV_NAME:
     sh: basename "{{.PWD}}"
   PYTHON_VENV_ROOT:
diff --git a/ansible/Taskfile.yaml b/ansible/Taskfile.yaml
@@ -39,3 +39,13 @@ tasks:
     desc: Run Ansible playbooks on file servers
     cmds:
       - '{{.ANSIBLE_PROD}} file-server.yml'
+
+  pxe-start:
+    desc: Start PXE Server
+    cmds:
+      - '{{.ANSIBLE_PROD}} pxe-boot.yml -K -t start'
+
+  pxe-stop:
+    desc: Stop PXE Server
+    cmds:
+      - '{{.ANSIBLE_PROD}} pxe-boot.yml -K -t stop'
diff --git a/ansible/group_vars/all.sops.yml b/ansible/group_vars/all.sops.yml
@@ -1,8 +1,11 @@
----
 email: ENC[AES256_GCM,data:Ge33wDgmRXynuD/5Wj3BRg9MAaX8EI4iNuh5HV+b,iv:eYA03KsPrB1b6DpjlSL7RsNhFDCIanTh+JQkQ5cEAd4=,tag:KwMVyTgPbWXmasgd73nkwQ==,type:str]
 admin_users:
     - ENC[AES256_GCM,data:WFyXmPcq,iv:uvI8bjEv0YeT+4W94duJWaJx3MxMC7mgumMpRf+KVMQ=,tag:QpovnpmCQt1MB5+kuZk87Q==,type:str]
 ansible_user: ENC[AES256_GCM,data:1FB48orO,iv:0SbHHuq30p3nTBrh5YVs/pik4jRR00lviOtuZ4wac/I=,tag:4pPe3V1VeXybnnB6PeZmcQ==,type:str]
+ansible_ssh_private_key_file: ENC[AES256_GCM,data:mZLwSnN21ZCSwJqKfKs9n11kpx+5CJMVDu8n0K+vUHU=,iv:Vp/ceLjBAj+uqrJngbiIlKoZoRg5al8A9HrFfyLk9y0=,tag:pN1p9BHsOJP6YavgXwaGsw==,type:str]
+#ENC[AES256_GCM,data:/JHS9s4wTwY=,iv:N6FC5XyZQwF6fsYLpZSIdSkpLnqZ1kf1PH0qW6xeew0=,tag:AzADUOoyC2PKwP/puB3FAg==,type:comment]
+preseed_user_fullname: ENC[AES256_GCM,data:8CXibEgGDp1F3ksy,iv:znAfDKWih3zX/WnJa1KJbDjXdonIe8/YslgEWi7Fnlk=,tag:Z18aTaN2/+W8ghT/TpE7/w==,type:str]
+preseed_user_password: ENC[AES256_GCM,data:ZU5GaJtIItuuJZ5oXsx8,iv:pz0UkHQ5uKMId/kVVdRhIj1IdQjSqZC640bQTs0sGAY=,tag:b3iRxHYkypQ+ReqRbC+VwQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -18,8 +21,8 @@ sops:
             cDdjUkhCRXkyZi9vRitDNDd6R08rcFkK/UGF7Bisk9Uh/sBh3EeeNC24VIsYsYnM
             ZI4f7nB6h/YpQGhQiicvAf+LQMeggY7SmJ07xtEK49DkGJVZAFDf3w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-18T08:02:55Z"
-    mac: ENC[AES256_GCM,data:6KmV1udN6BWrwzpMOjv5QN7GV6fbDAcKNlpYG3/3Rt0g9GnZ0KTg5JILOFxt9YQoyp+88ILt329QYTqdDu7lVIp9ZrSH0+3AmNIIoaK9auH/9sYVEkdrIiDd1PxRAD91CA4rdhJbfEUrO8BTGcgdqdmXZ7x3MmgecgdPQpnhgoQ=,iv:7Oi8yiavXLwnouYxsrQn87aYRFqbCkT4Efaq7DBOYWw=,tag:/f1Xfs84sMM75JNhUBniHg==,type:str]
+    lastmodified: "2022-09-24T06:13:09Z"
+    mac: ENC[AES256_GCM,data:DxWxcCzIJzU283EmZJW1576O+QWwOeZa2KskENBzpk0/jX5Db8TGFR8kKd6dS/6YSftm0SONyc7+WzjQt5DNDC7qnijyJDyfjc84qGK9S0pNScPCi6nfh8yE4u3KxhJ0aLhk4IkVRN5vGSUW99Vl0t+4SzsvN1EPiG1lqibjCno=,iv:d0/E3I4zuohY8J3wv6zK+9OazuD1e/VmWjXi9PcGtpY=,tag:I5UH6ee2lNBpfUX6cUfiVA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.1
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
@@ -15,7 +15,9 @@ firewall_servers_subnet: 10.1.1.0/24
 firewall_wireless_subnet: 10.1.2.0/24
 firewall_clients_subnet: 10.1.3.0/24
 
+ssh_public_key: "{{ lookup('file', (ansible_ssh_private_key_file + '.pub')) }}"
+
 timezone: Australia/Sydney
-debian_version: buster
 
 ansible_python_interpreter: /usr/bin/python3.7
+debian_version: buster
diff --git a/ansible/host_vars/kvm1.yml b/ansible/host_vars/kvm1.yml
@@ -1,2 +1,3 @@
 ---
 ansible_host: '10.1.1.21'
+mac: '00:23:24:a3:e1:58'
diff --git a/ansible/host_vars/kvm2.yml b/ansible/host_vars/kvm2.yml
@@ -1,2 +1,3 @@
 ---
 ansible_host: '10.1.1.22'
+mac: '00:23:24:aa:7b:0e'
diff --git a/ansible/host_vars/kvm3.yml b/ansible/host_vars/kvm3.yml
@@ -1,2 +1,6 @@
 ---
 ansible_host: '10.1.1.23'
+mac: '00:23:24:aa:7d:0f'
+
+ansible_python_interpreter: /usr/bin/python3.9
+debian_version: bullseye
diff --git a/ansible/host_vars/localhost.sops.yml b/ansible/host_vars/localhost.sops.yml
@@ -0,0 +1,23 @@
+---
+routeros_api_username: ENC[AES256_GCM,data:AImZyJK5,iv:QcAWsh0W5s3Fs+QOX6tKSM+aHpSyvOxdM85SfnaFXqw=,tag:M3ZnQt1P1Jwu3g0XwLg0EA==,type:str]
+routeros_api_password: ENC[AES256_GCM,data:MR28SFoFD3Qdja+zPRBz5Y6xJ3JZATmAtT5t6p3C,iv:QxArLbdpoRx+y5v9822Onu7bTk4RXV2CNFxyMqO5n2U=,tag:5yGIjQyrTMADpZO1/brVkg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ety65vhtrhlevgmm899eyvdmv4avfm0replxg5tz6a2jyq84n4us7ryfc6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1K2FmbjBDSTB3Q2pCYjNJ
+            SGt1NUlUS24yRnJveFpBemtJOEFCQjZWaEFJCjNoRFFSU0xjQVJIZ204cWJIelRB
+            N1JBc1J0YXhBZVF5ekhYNTBEYUVXejAKLS0tIDJRakJRYmxXbHIzUXZVV3p6YTI4
+            bFNFWSsvTlRlZFFTcFNPTGhhc0pZbXMKwDuDzVkMWVq6eceFcAJACcN2IjBk3Hea
+            rhc/qAqXqOm32RZFKi9GD1RtKdx0EHYxQVzpTKYvnmp+ImPAyXf5Mw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-10-01T13:11:04Z"
+    mac: ENC[AES256_GCM,data:RhrNfF7OUjOWHzc02L5fe4OuiJVn+a5xoK+Gftp5jx1vJttRjvXkgigDBoyhB0o9VVDjJoeIyuIRU+n4aV4MIsewXOYUiE9LvzdxMCdDsKl/d6mWmFp25xpSt6+4HuVxfbaXBCSkB5RABk16T2BMlh83Fq99YlcISUnVkC4CQ9c=,iv:FwIkuRAFYO24x8V4E0ZMI0r7uldja+BOfg3lFy4209E=,tag:frRN8e6gOSEK3IB9IbQyBA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
diff --git a/ansible/production b/ansible/production
@@ -22,5 +22,15 @@ k8s-worker-03
 k8s_controllers
 k8s_workers
 
-[file_server]
+[file_servers]
 storage
+
+[metal_storage:children]
+file_servers
+
+[metal_kvm:children]
+kvm_hypervisors
+
+[metal:children]
+metal_storage
+metal_kvm
diff --git a/ansible/pxe-boot.yml b/ansible/pxe-boot.yml
@@ -0,0 +1,6 @@
+---
+- name: pxe_boot
+  hosts: localhost
+  gather_facts: true
+  roles:
+    - pxe_boot
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
@@ -6,3 +6,11 @@ collections:
     version: 1.4.1
   - name: community.mysql
     version: 3.5.1
+  - name: ansible.utils
+    version: 2.6.1
+  - name: community.docker
+    version: 2.7.1
+  - name: ansible.posix
+    version: 1.4.0
+  - name: community.routeros
+    version: 2.3.0
diff --git a/ansible/roles/pxe_boot/defaults/main.yml b/ansible/roles/pxe_boot/defaults/main.yml
@@ -0,0 +1,7 @@
+installer_img_url: https://deb.debian.org/debian/dists/bullseye/main/installer-amd64/20210731+deb11u5/images/netboot/netboot.tar.gz
+installer_img_checksum: sha256:e8edf26ac9837d7dbbcfd96f47f51530260a6c68568938978e1b63ea698d5663
+
+subnet: "{{ firewall_servers_subnet | ansible.utils.ipaddr('network') }}"
+netmask: "{{ firewall_servers_subnet | ansible.utils.ipaddr('netmask') }}"
+gateway: '{{ firewall_servers_subnet | ansible.utils.nthhost(1) }}'
+nameserver: '{{ firewall_servers_subnet | ansible.utils.nthhost(1) }}'
diff --git a/ansible/roles/pxe_boot/files/data/os/.gitignore b/ansible/roles/pxe_boot/files/data/os/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/ansible/roles/pxe_boot/files/data/preseed/.gitignore b/ansible/roles/pxe_boot/files/data/preseed/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/ansible/roles/pxe_boot/files/data/pxe-config/.gitignore b/ansible/roles/pxe_boot/files/data/pxe-config/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/ansible/roles/pxe_boot/files/data/source/.gitignore b/ansible/roles/pxe_boot/files/data/source/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/ansible/roles/pxe_boot/files/docker-compose.yml b/ansible/roles/pxe_boot/files/docker-compose.yml
@@ -0,0 +1,11 @@
+version: "3"
+
+services:
+  tftp:
+    build: ./tftp
+    network_mode: host
+    volumes:
+      - ./data/os/debian-installer:/var/lib/tftpboot/debian-installer
+      - ./data/pxe-config/grub.cfg:/var/lib/tftpboot/debian-installer/amd64/grub/grub.cfg
+      - ./data/os/debian-installer/amd64/grubx64.efi:/var/lib/tftpboot/grubx64.efi
+      - ./data/preseed:/var/lib/tftpboot/preseed
diff --git a/ansible/roles/pxe_boot/files/tftp/Dockerfile b/ansible/roles/pxe_boot/files/tftp/Dockerfile
@@ -0,0 +1,7 @@
+FROM alpine:3.16
+
+RUN apk add busybox tftp-hpa
+
+ENTRYPOINT [ "/bin/sh", "-c" ]
+
+CMD [ "busybox syslogd -n -O /dev/stdout & in.tftpd -vvv --foreground --secure /var/lib/tftpboot" ]
diff --git a/ansible/roles/pxe_boot/tasks/main.yml b/ansible/roles/pxe_boot/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: PXE | Start
+  ansible.builtin.import_tasks: start.yml
+  tags:
+    - pxe_boot
+    - start
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | Stop
+  ansible.builtin.import_tasks: stop.yml
+  tags:
+    - pxe_boot
+    - stop
+  when: ansible_facts['distribution'] == 'Fedora'
diff --git a/ansible/roles/pxe_boot/tasks/start.yml b/ansible/roles/pxe_boot/tasks/start.yml
@@ -0,0 +1,84 @@
+---
+- name: PXE | download installer image
+  ansible.builtin.get_url:
+    url: '{{ installer_img_url }}'
+    dest: '{{ role_path }}/files/data/source/{{ installer_img_url | basename }}'
+    checksum: '{{ installer_img_checksum }}'
+    mode: 0644
+  register: installer_img
+  tags:
+    - pxe_boot
+    - start
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | extract installer image
+  ansible.builtin.unarchive:
+    src: '{{ installer_img.dest }}'
+    dest: '{{ role_path }}/files/data/os'
+  tags:
+    - pxe_boot
+    - start
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | generate grub config
+  ansible.builtin.template:
+    src: data/pxe-config/grub.cfg.j2
+    dest: '{{ role_path }}/files/data/pxe-config/grub.cfg'
+    mode: 0644
+  tags:
+    - pxe_boot
+    - start
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | generate preseed file for each kvm machine
+  ansible.builtin.template:
+    src: data/preseed/preseed-kvm.cfg.j2
+    dest: "{{ role_path }}/files/data/preseed/{{ hostvars[item]['mac'] }}.cfg"
+    mode: 0644
+  loop: "{{ groups['metal_kvm'] }}"
+  tags:
+    - pxe_boot
+    - start
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | start the pxe container
+  community.docker.docker_compose:
+    project_src: '{{ role_path }}/files'
+    project_name: pxe
+    state: present
+    restarted: true
+    build: true
+  tags:
+    - pxe_boot
+    - start
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | allow tftp inbound
+  ansible.posix.firewalld:
+    zone: public
+    service: tftp
+    permanent: false
+    state: enabled
+  become: true
+  vars:
+    ansible_python_interpreter: /usr/bin/python3.10 # https://github.com/ansible-collections/ansible.posix/issues/283
+  tags:
+    - pxe_boot
+    - start
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | add dhcp options
+  community.routeros.api_find_and_modify:
+    hostname: '{{ gateway }}'
+    username: '{{ routeros_api_username }}'
+    password: '{{ routeros_api_password }}'
+    tls: true
+    path: ip dhcp-server network
+    find:
+      address: '{{ firewall_servers_subnet }}'
+    values:
+      next-server: "{{ ansible_facts['default_ipv4']['address'] }}"
+      boot-file-name: grubx64.efi
+    require_matches_min: 1
+    require_matches_max: 1
+  when: ansible_facts['distribution'] == 'Fedora'
diff --git a/ansible/roles/pxe_boot/tasks/stop.yml b/ansible/roles/pxe_boot/tasks/stop.yml
@@ -0,0 +1,94 @@
+---
+- name: PXE | add dhcp options
+  community.routeros.api_find_and_modify:
+    hostname: '{{ gateway }}'
+    username: '{{ routeros_api_username }}'
+    password: '{{ routeros_api_password }}'
+    tls: true
+    path: ip dhcp-server network
+    find:
+      address: '{{ firewall_servers_subnet }}'
+    values:
+      next-server: '127.0.0.1' # Appears that this part of the api does not support unsetting values
+    require_matches_min: 1
+    require_matches_max: 1
+  when: ansible_facts['distribution'] == 'Fedora'
+
+# FIXME: Could not process rule: No such file or directory
+# - name: PXE | Block TFTP inbound
+#   ansible.posix.firewalld:
+#     zone: public
+#     service: tftp
+#     permanent: false
+#     state: disabled
+#   become: true
+#   vars:
+#     ansible_python_interpreter: /usr/bin/python3.10 # https://github.com/ansible-collections/ansible.posix/issues/283
+#   tags:
+#     - pxe_boot
+#     - stop
+#   when: ansible_facts['distribution'] == 'Fedora'
+
+# FIXME: Workaround for the above failing
+- name: PXE | block tftp inbound
+  ansible.builtin.service:
+    name: firewalld
+    state: restarted
+  become: true
+  tags:
+    - pxe_boot
+    - stop
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | remove the pxe container
+  community.docker.docker_compose:
+    project_src: '{{ role_path }}/files'
+    project_name: pxe
+    state: absent
+  tags:
+    - pxe_boot
+    - stop
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | remove preseed files
+  ansible.builtin.file:
+    path: "{{ role_path }}/files/data/preseed/{{ hostvars[item]['mac'] }}.cfg"
+    state: absent
+  loop: "{{ groups['metal_kvm'] }}"
+  tags:
+    - pxe_boot
+    - stop
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | remove grub config
+  ansible.builtin.file:
+    path: '{{ role_path }}/files/data/pxe-config/grub.cfg'
+    state: absent
+  tags:
+    - pxe_boot
+    - stop
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | remove os files
+  ansible.builtin.file:
+    path: '{{ role_path }}/files/data/os/{{ item }}'
+    state: absent
+  loop:
+    - debian-installer
+    - pxelinux.cfg
+    - ldlinux.c32
+    - pxelinux.0
+    - version.info
+  tags:
+    - pxe_boot
+    - stop
+  when: ansible_facts['distribution'] == 'Fedora'
+
+- name: PXE | remove installer image
+  ansible.builtin.file:
+    path: '{{ role_path }}/files/data/source/{{ installer_img_url | basename }}'
+    state: absent
+  tags:
+    - pxe_boot
+    - stop
+  when: ansible_facts['distribution'] == 'Fedora'
diff --git a/ansible/roles/pxe_boot/templates/data/preseed/preseed-kvm.cfg.j2 b/ansible/roles/pxe_boot/templates/data/preseed/preseed-kvm.cfg.j2
diff --git a/ansible/roles/pxe_boot/templates/data/pxe-config/grub.cfg.j2 b/ansible/roles/pxe_boot/templates/data/pxe-config/grub.cfg.j2
diff --git a/requirements.txt b/requirements.txt

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`---`
`2`	`2`	`ansible_host: '10.1.1.21'`
	`3`	`+mac: '00:23:24:a3:e1:58'`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`---`
`2`	`2`	`ansible_host: '10.1.1.22'`
	`3`	`+mac: '00:23:24:aa:7b:0e'`