From e1fb6b94ee41a1282995a6f5d7432534d5373742 Mon Sep 17 00:00:00 2001
From: michael
Date: Sun, 13 Aug 2023 14:03:03 +1000
Subject: [PATCH] fix systemd templates
---
.../ansible_connection.yaml | 21 +++--------
.../ansible_credentials.yaml | 10 ++++++
.../systemd_networkd.yaml | 6 ++--
ansible/roles/archinstall/tasks/main.yml | 35 +++++++++++++++++--
ansible/roles/hypervisor/defaults/main.yaml | 11 +++---
.../roles/systemd_networkd/tasks/main.yaml | 2 +-
.../templates/ethernet.link.j2 | 3 +-
.../templates/ethernet.network.j2 | 4 +--
8 files changed, 62 insertions(+), 30 deletions(-)
create mode 100644 ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml
diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml
index 561cf55..40ac8d4 100644
--- a/ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml
+++ b/ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml
@@ -1,16 +1,5 @@
-$ANSIBLE_VAULT;1.1;AES256
-30653030376238643536303332376530306565363333613230303263653935626332383862646539
-3739623265323837613333343363343461353837643637650a616637656563313265636366616134
-61636335613330393239656262663735316365613435303766643964353964666537353338646666
-3536363034316632390a363234343466363937613631316130333566313037306636386130303137
-33366462303461393866633233643033356231343232313832636335336232383234626163623533
-64656339346264306265353839373362373034306261316238346365373639326566313866363263
-62613639313566373233303734666331633038383638316361353838313634383163626563333137
-62393835663963646431353431396238663062363031613735623937373835383630653165373634
-32356365363162333661323765333236363934636461366664666431333338326362656439366339
-62313265616666386164343336623032386536343134336232613164363236656236646332356335
-36643362613832656666376233363436313030626566356134306533643862333536336662653630
-32663936333434346530343639383330633538306536346432333136393765316366356362353735
-30636536333436346166616232643238373964306139313265623934616636663234336162306338
-34343934613136623837353436353462303036643837656636386533333266663265643538633333
-373133383866666465383332373336343739
+
+ansible_connection: ssh
+ansible_host: hv00.balsillie.house
+ansible_port: 22
+ansible_become_method: sudo
diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml
new file mode 100644
index 0000000..dd336a4
--- /dev/null
+++ b/ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml
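Review bot: The rewritten host_vars file begins with an added empty line and has no `---` document marker; now that it is plain (unvaulted) YAML it should open with `---` and the blank first line should go, so yamllint's document-start check passes. Splitting connection metadata (`ansible_connection`, `ansible_host`, `ansible_port`, `ansible_become_method`) from the secret material that moves into the new vaulted `ansible_credentials.yaml` is the right shape: the inventory stays readable without a vault password and the removed lines are ciphertext, so nothing is exposed by this rewrite. If `ansible_user` is among the values that went into the vault file, it is connection metadata rather than a secret and could live here too, though that cannot be confirmed from the encrypted hunk.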
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+39396638396432646535366136363633313138643130333565633334663764336333373235623336
+6561323733316666626134613234343231313866643934630a303137653935616562326136363465
+37343038613463366435346139616161636238373230643533343462646430636162333261666535
+6332646133313830390a306166363133383735346261636530633733313631356165313665346334
+66333138663962353665396430326138666266663337323662376235346661393065376430386261
+34613233313837303664343634666636623731323034353262643639623065333566363831393332
+36653737336164623838306531396466323832626331373737363135376136636565306565356266
+33666366383033313865633331363665633164623461636435343663303135616537353066663361
+32346262316133343037353334303733343465656363656461356634663433333530
diff --git a/ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml b/ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml
index 6512ba9..8374f9e 100644
--- a/ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml
+++ b/ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml
@@ -8,7 +8,7 @@ systemd_networkd_configs: - name: 00-eth2.link src: ethernet.link.j2 mac_address: 64-62-66-21-e9-c5 - - name: 00-eth3.link + - name: 00-wan.link src: ethernet.link.j2 mac_address: 64-62-66-21-e9-c6 - name: 01-eth0.network
@@ -47,10 +47,10 @@ systemd_networkd_configs: - 210 - 220 - 230 - - name: 01-eth3.network + - name: 01-wan.network src: ethernet.network.j2 mac_address: 64-62-66-21-e9-c6 - arp: false + arp: true lldp: false dhcp: true - name: 10-br0.netdev
diff --git a/ansible/roles/archinstall/tasks/main.yml b/ansible/roles/archinstall/tasks/main.yml
index a1ea27f..5b5360f 100644
--- a/ansible/roles/archinstall/tasks/main.yml
+++ b/ansible/roles/archinstall/tasks/main.yml
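Review bot: Encrypting the whole new `ansible_credentials.yaml` hides even the variable names, so nobody can see which credentials this host defines without the vault password; per-value encryption (`ansible-vault encrypt_string`, stored as `!vault` scalars) keeps the keys greppable while still protecting the values. Nothing else in the hunk can be reviewed, which is the point of the vault, but a short header comment in the sibling plain-text `ansible_connection.yaml` naming which variables are expected to come from this vaulted file would make the split discoverable.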
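Review bot: In the second hunk `01-wan.network` keeps `mac_address: 64-62-66-21-e9-c6`, but this same commit switches `ethernet.network.j2` to match on `Name=` instead of `MACAddress=`, so that value is no longer consumed by the `.network` template; the interface is reached only through the `00-wan.link` rename, and a stale MAC in the `.network` entry would go unnoticed. Either drop `mac_address` from the `.network` entries or keep the `.network` match MAC-based so the `.link` and `.network` halves cannot drift apart. The `arp: false` to `arp: true` flip on the WAN uplink is not explained by the commit message (`fix systemd templates`); a one-line comment next to it recording why ARP is now enabled on that link would help the next reader.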
@@ -39,7 +39,7 @@ # pacstrap # pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup -# sbctl fwupd fwupd-efi dmidecode udisks2 +# sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils # gen fstab # genfstab -L /mnt/root >> /mnt/root/etc/fstab 
@@ -79,8 +79,39 @@ # echo 'cryptdevice=dbbb9fb2-5509-4701-a2bb-5660934a5378:root root=/dev/mapper/root rw' > /etc/kernel/cmdline # echo 'rd.luks.name=dbbb9fb2-5509-4701-a2bb-5660934a5378=root root=/dev/mapper/root rw' > /etc/kernel/cmdline + # create a default systemd-networkd config + # enable systemd-networkd + # enable sshd + # enable ufw service + # enable ufw firewall + # create ufw config to allow ssh port 22 # modify mkinitcpio for encryption # old HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck) # new HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck) - # sed -i 's/^HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/g' /etc/mkinitcpio.conf \ No newline at end of file + # sed -i 's/^HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/g' /etc/mkinitcpio.conf + + # geneate sb keys with sbctl + # keys go to /usr/share/secureboot/keys/db/db.pem + # enroll sbctl keys + + # add console= option to cmdline file + + # create initcpio post hook /etc/initcpio/post/uki-sbsign + # make /etc/initcpio/post/uki-sbsign executable + # chmod +x /etc/initcpio/post/uki-sbsign + # make initcpio + # mkinitcpio -p linux-lts + + # vfio and iommu + # add 'intel_iommu=on iommu=pt' to kernel cmdline + + # add vfio binding + # vp2420 iGPU = 8086:4555 + # add vfio-pci ids to /etc/kernel/cmdline + # vfio-pci.ids=8086:4555 + + # add vfio modules to mkinitcpio.conf + # MODULES=(vfio_pci vfio vfio_iommu_type1) + # ensure modconf hook is in mkinitcpio.conf + # HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck) \ No newline at end of file diff --git a/ansible/roles/hypervisor/defaults/main.yaml b/ansible/roles/hypervisor/defaults/main.yaml index 0787198..aec255e 100644 
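Review bot: The added runbook lists `# enable ufw firewall` before `# create ufw config to allow ssh port 22`; if these comments are ever turned into tasks in that order, enabling the firewall first would cut the SSH session the provisioning runs over, so the allow rule should come first: `# create ufw config to allow ssh port 22` then `# enable ufw firewall`. The later `# add console= option to cmdline file`, `# add 'intel_iommu=on iommu=pt' to kernel cmdline` and `# vfio-pci.ids=8086:4555` steps append to `/etc/kernel/cmdline`, yet the context lines at the top of the hunk write that file with `echo '...' > /etc/kernel/cmdline`, which overwrites; the note should say the cmdline is assembled in one write or appended with `>>`. `# geneate sb keys with sbctl` has a typo (`generate`), and the file still ends without a trailing newline. sbctl keeps the private key next to `/usr/share/secureboot/keys/db/db.pem`; a comment that the key directory stays root-only on the host and is never copied into this repository would be worth adding beside that line.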
--- a/ansible/roles/hypervisor/defaults/main.yaml
+++ b/ansible/roles/hypervisor/defaults/main.yaml
@@ -10,7 +10,10 @@ libvirt_packages: hypervisor: storage: dir device: /dev/sda - datasets: - - name: tank/vhds - compression: lz4 - encryption: 'off' \ No newline at end of file + +# hypervisor: +# storage: zfs +# datasets: +# - name: tank/vhds +# compression: lz4 +# encryption: 'off' \ No newline at end of file
diff --git a/ansible/roles/systemd_networkd/tasks/main.yaml b/ansible/roles/systemd_networkd/tasks/main.yaml
index 57a5ffd..cc92680 100644
--- a/ansible/roles/systemd_networkd/tasks/main.yaml
+++ b/ansible/roles/systemd_networkd/tasks/main.yaml
@@ -14,7 +14,7 @@ - name: Create systemd-networkd config files ansible.builtin.template: src: "{{ item.src }}" - dest: /etc/systemd/network/"{{ item.name }}" + dest: /etc/systemd/network/{{ item.name }} owner: root group: root mode: '0644'
diff --git a/ansible/roles/systemd_networkd/templates/ethernet.link.j2 b/ansible/roles/systemd_networkd/templates/ethernet.link.j2
index 898c099..0608af3 100644
--- a/ansible/roles/systemd_networkd/templates/ethernet.link.j2
+++ b/ansible/roles/systemd_networkd/templates/ethernet.link.j2
@@ -3,6 +3,5 @@ PermanentMACAddress={{ item.mac_address }} [Link] Name={{ item.name | regex_replace('^[0-9]*-', '') | regex_replace('\.link', '') }} -MACAddressPolicy=permanent -MACAddress={{ item.mac_address }} +MACAddressPolicy=persistent
diff --git a/ansible/roles/systemd_networkd/templates/ethernet.network.j2 b/ansible/roles/systemd_networkd/templates/ethernet.network.j2
index 4137b4d..78965b0 100644
--- a/ansible/roles/systemd_networkd/templates/ethernet.network.j2
+++ b/ansible/roles/systemd_networkd/templates/ethernet.network.j2
@@ -1,5 +1,5 @@ [Match] -MACAddress={{ item.mac_address }} +Name={{ item.name | regex_replace('^[0-9]*-', '') | regex_replace('\.network', '') }} [Link] ARP={{ item.arp | default(true) }}
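Review bot: The commented-out `# hypervisor:` block is dead configuration that shadows the live `hypervisor:` mapping just above it, and the new side still carries `\ No newline at end of file`. If the zfs layout is meant as a reference, a one-line comment such as `# alternative zfs layout: set storage: zfs and uncomment datasets` above it states the intent, and the file should end with a newline so the next edit does not reproduce the marker. The live `hypervisor:` mapping starts above the hunk.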
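Review bot: The corrected `dest:` mixes a literal path with an unquoted Jinja expression; quoting the whole value, `dest: "/etc/systemd/network/{{ item.name }}"`, matches the `src: "{{ item.src }}"` line above and is the form ansible-lint expects. `item.name` comes straight from host_vars and becomes a file name under `/etc/systemd/network`, so the entries there must stay plain `NN-iface.link` / `NN-iface.network` strings; a comment on the task saying so would record that assumption. The task's loop and the rest of its body lie outside the hunk.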
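Review bot: Dropping `MACAddress=` and changing the policy to `MACAddressPolicy=persistent` is a real semantic change (the address is now chosen by the policy rather than pinned to `item.mac_address`), yet nothing in the template explains it; a Jinja comment such as `{# persistent: keep the hardware address; do not pin MACAddress= here #}` above the `[Link]` section would document the decision. The `[Match]` section this hunk belongs to starts above the hunk.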
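Review bot: Matching on `Name=` ties every `.network` unit to the rename done by the corresponding `.link` file, whereas the removed `MACAddress=` match worked without it; if a `00-*.link` rename does not happen (wrong `mac_address` in host_vars, or a `.link` entry missing for that interface), this unit silently matches nothing and the interface stays unconfigured, with no error from networkd. That ordering dependency deserves a comment, for example `{# Name= relies on the rename in the matching .link file; keep this regex chain identical to ethernet.link.j2 #}`, since the two templates now derive the same name with separate copies of the `regex_replace` pair. The `mac_address` keys on the `.network` entries in host_vars are no longer read by this template after the change and can be removed or repurposed.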
@@ -62,7 +62,7 @@ Type=unicast {% endif -%} {% if item.bridge is defined and item.bridge.vlans is defined %} -[BridgeVLANs] +[BridgeVLAN] {% for vlan in item.bridge.vlans -%} VLAN={{ vlan }} {% endfor -%}