michael/IaC
1
0
Fork 0
Code Packages

fix systemd templates

Browse Source
This commit is contained in:
michael 2023-08-13 14:03:03 +10:00
parent a2ec933cf8
commit e1fb6b94ee
8 changed files with 62 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
ansible/inventory/host_vars/hv00.balsillie.house/ansible_connection.yaml
View File

@ -1,16 +1,5 @@
$ANSIBLE_VAULT;1.1;AES256
30653030376238643536303332376530306565363333613230303263653935626332383862646539 ansible_connection: ssh
3739623265323837613333343363343461353837643637650a616637656563313265636366616134 ansible_host: hv00.balsillie.house
61636335613330393239656262663735316365613435303766643964353964666537353338646666 ansible_port: 22
3536363034316632390a363234343466363937613631316130333566313037306636386130303137 ansible_become_method: sudo
33366462303461393866633233643033356231343232313832636335336232383234626163623533
64656339346264306265353839373362373034306261316238346365373639326566313866363263
62613639313566373233303734666331633038383638316361353838313634383163626563333137
62393835663963646431353431396238663062363031613735623937373835383630653165373634
32356365363162333661323765333236363934636461366664666431333338326362656439366339
62313265616666386164343336623032386536343134336232613164363236656236646332356335
36643362613832656666376233363436313030626566356134306533643862333536336662653630
32663936333434346530343639383330633538306536346432333136393765316366356362353735
30636536333436346166616232643238373964306139313265623934616636663234336162306338
34343934613136623837353436353462303036643837656636386533333266663265643538633333
373133383866666465383332373336343739

10
ansible/inventory/host_vars/hv00.balsillie.house/ansible_credentials.yaml Normal file
View File

@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
39396638396432646535366136363633313138643130333565633334663764336333373235623336
6561323733316666626134613234343231313866643934630a303137653935616562326136363465
37343038613463366435346139616161636238373230643533343462646430636162333261666535
6332646133313830390a306166363133383735346261636530633733313631356165313665346334
66333138663962353665396430326138666266663337323662376235346661393065376430386261
34613233313837303664343634666636623731323034353262643639623065333566363831393332
36653737336164623838306531396466323832626331373737363135376136636565306565356266
33666366383033313865633331363665633164623461636435343663303135616537353066663361
32346262316133343037353334303733343465656363656461356634663433333530

6
ansible/inventory/host_vars/hv00.balsillie.house/systemd_networkd.yaml
View File

@ -8,7 +8,7 @@ systemd_networkd_configs:
- name: 00-eth2.link - name: 00-eth2.link
src: ethernet.link.j2 src: ethernet.link.j2
mac_address: 64-62-66-21-e9-c5 mac_address: 64-62-66-21-e9-c5
- name: 00-eth3.link - name: 00-wan.link
src: ethernet.link.j2 src: ethernet.link.j2
mac_address: 64-62-66-21-e9-c6 mac_address: 64-62-66-21-e9-c6
- name: 01-eth0.network - name: 01-eth0.network
@ -47,10 +47,10 @@ systemd_networkd_configs:
- 210 - 210
- 220 - 220
- 230 - 230
- name: 01-eth3.network - name: 01-wan.network
src: ethernet.network.j2 src: ethernet.network.j2
mac_address: 64-62-66-21-e9-c6 mac_address: 64-62-66-21-e9-c6
arp: false arp: true
lldp: false lldp: false
dhcp: true dhcp: true
- name: 10-br0.netdev - name: 10-br0.netdev

33
ansible/roles/archinstall/tasks/main.yml
View File

@ -39,7 +39,7 @@
# pacstrap # pacstrap
# pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup # pacstrap -K /mnt/root base linux-lts linux-firmware nano openssh bind bash efibootmgr reflector screen pv pinentry sudo man-db man-pages texinfo ufw nftables intel-ucode e2fsprogs dosfstools curl cryptsetup
# sbctl fwupd fwupd-efi dmidecode udisks2 # sbctl sbsigntools fwupd fwupd-efi dmidecode udisks2 usbutils
# gen fstab # gen fstab
# genfstab -L /mnt/root >> /mnt/root/etc/fstab # genfstab -L /mnt/root >> /mnt/root/etc/fstab
@ -79,8 +79,39 @@
# echo 'cryptdevice=dbbb9fb2-5509-4701-a2bb-5660934a5378:root root=/dev/mapper/root rw' > /etc/kernel/cmdline # echo 'cryptdevice=dbbb9fb2-5509-4701-a2bb-5660934a5378:root root=/dev/mapper/root rw' > /etc/kernel/cmdline
# echo 'rd.luks.name=dbbb9fb2-5509-4701-a2bb-5660934a5378=root root=/dev/mapper/root rw' > /etc/kernel/cmdline # echo 'rd.luks.name=dbbb9fb2-5509-4701-a2bb-5660934a5378=root root=/dev/mapper/root rw' > /etc/kernel/cmdline
# create a default systemd-networkd config
# enable systemd-networkd
# enable sshd
# enable ufw service
# enable ufw firewall
# create ufw config to allow ssh port 22
# modify mkinitcpio for encryption # modify mkinitcpio for encryption
# old HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck) # old HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)
# new HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck) # new HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)
# sed -i 's/^HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/g' /etc/mkinitcpio.conf # sed -i 's/^HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)/HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)/g' /etc/mkinitcpio.conf
# geneate sb keys with sbctl
# keys go to /usr/share/secureboot/keys/db/db.pem
# enroll sbctl keys
# add console= option to cmdline file
# create initcpio post hook /etc/initcpio/post/uki-sbsign
# make /etc/initcpio/post/uki-sbsign executable
# chmod +x /etc/initcpio/post/uki-sbsign
# make initcpio
# mkinitcpio -p linux-lts
# vfio and iommu
# add 'intel_iommu=on iommu=pt' to kernel cmdline
# add vfio binding
# vp2420 iGPU = 8086:4555
# add vfio-pci ids to /etc/kernel/cmdline
# vfio-pci.ids=8086:4555
# add vfio modules to mkinitcpio.conf
# MODULES=(vfio_pci vfio vfio_iommu_type1)
# ensure modconf hook is in mkinitcpio.conf
# HOOKS=(base systemd keyboard autodetect modconf kms block sd-encrypt filesystems fsck)

11
ansible/roles/hypervisor/defaults/main.yaml
View File

@ -10,7 +10,10 @@ libvirt_packages:
hypervisor: hypervisor:
storage: dir storage: dir
device: /dev/sda device: /dev/sda
datasets:
- name: tank/vhds # hypervisor:
compression: lz4 # storage: zfs
encryption: 'off' # datasets:
# - name: tank/vhds
# compression: lz4
# encryption: 'off'

2
ansible/roles/systemd_networkd/tasks/main.yaml
View File

@ -14,7 +14,7 @@
- name: Create systemd-networkd config files - name: Create systemd-networkd config files
ansible.builtin.template: ansible.builtin.template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: /etc/systemd/network/"{{ item.name }}" dest: /etc/systemd/network/{{ item.name }}
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'

3
ansible/roles/systemd_networkd/templates/ethernet.link.j2
View File

@ -3,6 +3,5 @@ PermanentMACAddress={{ item.mac_address }}
[Link] [Link]
Name={{ item.name | regex_replace('^[0-9]*-', '') | regex_replace('\.link', '') }} Name={{ item.name | regex_replace('^[0-9]*-', '') | regex_replace('\.link', '') }}
MACAddressPolicy=permanent MACAddressPolicy=persistent
MACAddress={{ item.mac_address }}

4
ansible/roles/systemd_networkd/templates/ethernet.network.j2
View File

@ -1,5 +1,5 @@
[Match] [Match]
MACAddress={{ item.mac_address }} Name={{ item.name | regex_replace('^[0-9]*-', '') | regex_replace('\.network', '') }}
[Link] [Link]
ARP={{ item.arp | default(true) }} ARP={{ item.arp | default(true) }}
@ -62,7 +62,7 @@ Type=unicast
{% endif -%} {% endif -%}
{% if item.bridge is defined and item.bridge.vlans is defined %} {% if item.bridge is defined and item.bridge.vlans is defined %}
[BridgeVLANs] [BridgeVLAN]
{% for vlan in item.bridge.vlans -%} {% for vlan in item.bridge.vlans -%}
VLAN={{ vlan }} VLAN={{ vlan }}
{% endfor -%} {% endfor -%}