From f10f8d027ccbc35daac8d4a7dc8091b15bdcfc33 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 22 Apr 2018 12:46:07 +0200 Subject: [PATCH 01/16] ansible: use variables for ssh keys --- ansible/group_vars/all/main.yml | 18 ++++++++++++++---- ansible/roles/base/tasks/main.yml | 2 +- ansible/ssh/noc/equinox@realraum.pub | 1 - ansible/ssh/noc/gebi.pub | 1 - ansible/ssh/noc/nicoo@harbard.pub | 1 - ansible/ssh/noc/xro@realraum.pub | 1 - 6 files changed, 15 insertions(+), 9 deletions(-) delete mode 100644 ansible/ssh/noc/equinox@realraum.pub delete mode 100644 ansible/ssh/noc/gebi.pub delete mode 100644 ansible/ssh/noc/nicoo@harbard.pub delete mode 100644 ansible/ssh/noc/xro@realraum.pub diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml index 90463fc..0c8abc3 100644 --- a/ansible/group_vars/all/main.yml +++ b/ansible/group_vars/all/main.yml 
@@ -9,20 +9,30 @@ user_groups: users: equinox: email: equinox@realraum.at - gpg: 0xD74907C9E64E6CED8FE3 + gpg: 0xD74907C9E64E6CED8FE3 + ssh: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDj7AcnQZCRihToOI7/L5YslP4bkZlZwR2dg6hV8EfQ+37z1p0imhoqc2Oz/zIEgOVARBHkn5XmfR9Bu6e3YfKpXpJXC9O3jpRSw34Xac/8qXzWZsqVAXbtzvBlYA/G4j0NQM9XIVBa1ZzBZu87xeE4KUWzO80fnQ+G3GSBp28BM4TUiSOmX9y58chPZfUp2DE80fInoXv11ikLLCBDXfMkzFCZ4Gcexhr0TYcBUgLV7ufL0xqLg4yE+Z21PLtttvVYgZIers2nWetLPoREi5yDGKeCjJVyT00X2rp6h3eFkc/VaHfb5c2MY9/4BOt+cbFCx73sG0C1SnSzWd624K/8CEoJTsX4MazLLrxwi3hIwiYX1mCCfq4+S4PpSFvMUGdMWB52PkBRXulQislCVBA/lzma93xJr1jWVFSikjkvAUt8Zt33vHMRd7RMYDfsDVIEKpUT49cBj0v7zs6IVE858J33sUZoVXaiA2sjsap8RguNtjJMSYx8+nwkQAjxwlTiV2J6pHGQHJDyeVsqGlnMpEk32ZeSs/BQ7XWPG62FT3SN6E4C/fa8dawvs7RgY0cbZkhucECBu9Zto/KakIhzLtFzgDighPmK5SlAPoNEJLJYPo5ry2SBTysc4uV7xYZSQ6OVofeQeFXKL8oPe/ZAvKafn3Zk0mQcCtH0Z8q8iQ== equinox@realraum.at gebi: email: michael@mgeb.org - gpg: 0x6E302CF4D98B9702 + gpg: 0x6E302CF4D98B9702 + ssh: + - ssh-rsa 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 secure key of gebi nicoo: email: nicolas@braud-santoni.eu - gpg: 0x3F41B0739AAD91B7CDC0 + gpg: 0x3F41B0739AAD91B7CDC0 + ssh: + - ssh-rsa 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 nicoo@harbard bernhard: email: xro@realraum.at - gpg: 0xE3468B9CE81EB4F91486 + gpg: 0xE3468B9CE81EB4F91486 + ssh: + - ssh-rsa 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 xro@r3.at noc_groups: - adm - sudo + +noc_ssh_keys: "{{ user_groups.noc | map('extract', users) | map(attribute='ssh') | flatten | list }}" diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml index f209fe4..17e95ab 100644 --- a/ansible/roles/base/tasks/main.yml +++ b/ansible/roles/base/tasks/main.yml @@ -47,7 +47,7 @@ - name: Set authorized keys for root user authorized_key: user: root - key: "{{ lookup('pipe','cat ssh/noc/*.pub') }}" + key: "{{ noc_ssh_keys | join('\n') }}" exclusive: yes - name: disable apt suggests and recommends 
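Review bot: The four `gpg:` lines re-emitted in this hunk (`+ gpg: 0xD74907C9E64E6CED8FE3` and the three like it) contain only hex digits after `0x`, so PyYAML resolves them as integers rather than key-id strings, and anything that later templates `users.<name>.gpg` gets a decimal number instead of the `0x…` id. Quote them, e.g. `gpg: "0xD74907C9E64E6CED8FE3"`, while the lines are being touched anyway. The `noc_ssh_keys` expression at the end of the hunk also assumes every user listed in `user_groups.noc` carries an `ssh` list; a noc user without one most likely makes `map(attribute='ssh') | flatten` fail at first use, which is acceptable but deserves a one-line comment above the variable.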
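Review bot: `key: "{{ noc_ssh_keys | join('\n') }}"` is applied with `exclusive: yes`, so whatever that expression evaluates to becomes the complete root authorized_keys; an empty `user_groups.noc`, or a refactor that leaves `noc_ssh_keys` empty, would most likely strip every root key on the next run and lock the operators out. Guard the write with a preceding task, `- assert:` / `that: noc_ssh_keys | length > 0`, so an empty list aborts the play instead of being applied. `exclusive: yes` should read `exclusive: true` per yamllint's truthy rule. The enclosing task list continues outside the hunk.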
diff --git a/ansible/ssh/noc/equinox@realraum.pub b/ansible/ssh/noc/equinox@realraum.pub deleted file mode 100644 index bc68a15..0000000 --- a/ansible/ssh/noc/equinox@realraum.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 equinox@realraum.at diff --git a/ansible/ssh/noc/gebi.pub b/ansible/ssh/noc/gebi.pub deleted file mode 100644 index 56c8f5b..0000000 --- a/ansible/ssh/noc/gebi.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAvjmZbqEQ9EpTcyTFoxqCJileq4dF//ye0JiPBP0kPvtoW33V3TUNon5btd28DzLnFeiU/3NEjTqkaHFRM+t8EoIj4kc/6lozjIlsZN7xoz6CnNrbbHPsgi3FvelyBcsi0sbunFEV2Qw1q1tTC93UcaPqL3hx01Cxfw0Dycs/6lyljvR4eW5O5nFnvtDAoDQYwq5i4U/VZs0Gz1XAOuAb4JQ0KzLeBhfdzvmhANSWIvybmb1V6UPtdK9pCxdo9FL5NwB8nkGloIa3kC4JAINC/Pvk0czZ80rXfIckBgZKxQVUCDVUKZUZ4GZYPI6azglQmZuslziAmiTmhiUkhSZ/m2m9EN1TnMEYEmcoscvrd97l0v2BzBZPkzqL7cSAoehpQsrIe/ceBNjZP1eotS3/fFY70GabW0o2+QFx1ZXGUqRVIwOZ2ZWRp4SoqMl+UtRZx6EMGO20H17etB1b5gF6xO1e8723FFXiS3oY9oUfS+lMX5BDgGUc5wJQ696jPK/pRYrasf6piKuyFpoF+nh/rOvIGSbwHSOOApxKZoj5R+fwfVyoD2uoxd0g5meKEfqB6RDGz+W4cLgS9Th6uEAXo+LLcinjMAJNr50rJFuXYRF1zpa7p4LG/97doq2hk8LXZuTqjB3WCnTUrLy59sHrmwdkRSs6bj7mLEdRRrI1TxU= secure key of gebi diff --git a/ansible/ssh/noc/nicoo@harbard.pub b/ansible/ssh/noc/nicoo@harbard.pub deleted file mode 100644 index ec60523..0000000 --- a/ansible/ssh/noc/nicoo@harbard.pub +++ /dev/null 
@@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDirhW/XNWCDMBy9TAEZgrahGSMlYdddyc9bNAOBbLJ8TVDe0M7YAZ4kU5EYGZBmd4NGZ4Z2Vb+sc0xlJE1MYprL0hFoOSMmU17pa6uzXwAfWtiYAsm/Z8QssOVvyte629gCPUgw1oJM19N7/i8yZh+5j+iEpffbv66USpatLJqJgeM67VjcHPLHf75dEBwkqsWMvpIk3+8gtwXDR8t8YUuxJgHOLFUEWQ6wiXxBoIJTAvdzAzykIs/yJbsMpKjDNLfF0guaRDC5GnjwHqTkGegxBS3l/MzkOpXtWbbbhYX8yIvFkryBFbyB0oa/rnE2HnYbaq2riyZpcsKRXqIvvFFa80FqGE+8sQnMlHn2IaOlkmkBMBytL+6rP3feFWq+vGZLRMs7ezMs+o0ofe0svMhLjy79AJnRBfaFn350AnmqNGZ8HbS0A1vOpPJsJVMhcqx+0cPHfxIedNGs7BJZypmBiw6vZ0rzxm1YX7CZcpiIe2Ob9o/+ypwWVXlT1zcLMC6u5/2YXDCXea0QtiOnM9h4ahkRaBb8CUTMtDurOf9uPtwE8wzmq34baAOQMfY3Tb9uGvAlCcLbke5RDCLfvBx3C2g2KkaboFL/7V9YQ1DCpj+zpOEdr/Jr1wKoWBzgCfZcfXn954J2z2BjbHZRTpCW6EmaYXj4J2bRIX7FalKkw== nicoo@harbard diff --git a/ansible/ssh/noc/xro@realraum.pub b/ansible/ssh/noc/xro@realraum.pub deleted file mode 100644 index 3cb67d6..0000000 --- a/ansible/ssh/noc/xro@realraum.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 xro@r3.at -- 1.7.10.4 From 8b725abbd453499388e1108987d951a023ab29c5 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 22 Apr 2018 13:59:37 +0200 Subject: [PATCH 02/16] ansible: first proposl for nicer inventory names --- ansible/hosts.ini | 35 ++++++++++++++------ .../roles/localconfig/templates/ssh/10r3.conf.j2 | 7 ++-- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/ansible/hosts.ini b/ansible/hosts.ini index b618973..a741934 100644 --- a/ansible/hosts.ini +++ b/ansible/hosts.ini 
@@ -3,23 +3,38 @@ host_domain=realraum.at ansible_host={{ inventory_hostname }}.{{ host_domain }} ansible_user=root +[net-zone-mgmt] +#torwaechter +alfred +calendar +galley +hacksch +## TODO: remove the variable once https://github.com/ansible/ansible/issues/39119 is fixed +metrics localconfig_ssh_config_user=root +r3home +tickets + +[net-zone-mgmt:vars] +host_domain=mgmt.realraum.at + +########################## + [baremetalservers] -alfred.mgmt +alfred [kvmhosts] -alfred.mgmt +alfred [virtualservers] athsdisc -calendar.mgmt +calendar ctf entrance -galley.mgmt -hacksch.mgmt -## TODO: remove the variable once https://github.com/ansible/ansible/issues/39119 is fixed -metrics.mgmt localconfig_ssh_config_user=root -r3home.mgmt -tickets.mgmt +galley +hacksch +metrics +r3home +tickets vex [servers:children] @@ -33,7 +48,7 @@ wuerfel #[alix] #gw -#torwaechter.mgmt +#torwaechter #[apu] #gnocchi1 diff --git a/ansible/roles/localconfig/templates/ssh/10r3.conf.j2 b/ansible/roles/localconfig/templates/ssh/10r3.conf.j2 index ba11160..dd33944 100644 --- a/ansible/roles/localconfig/templates/ssh/10r3.conf.j2 +++ b/ansible/roles/localconfig/templates/ssh/10r3.conf.j2 @@ -2,12 +2,11 @@ # realraum ssh-config (generated by ansible NOC repo) ####################################### -### dynamically generated hosts +### dynamically generated host configs {% for host in (groups['all'] | sort) %} -{% set shortname = (host.split('.') | first) %} -Host {{ host }}.realraum.at r3-{{ shortname }} r3g-{{ shortname }} r3e-{{ shortname }} - Hostname {{ host }}.realraum.at +Host {{ hostvars[host].ansible_host }} r3-{{ host }} r3g-{{ host }} r3e-{{ host }} + Hostname {{ hostvars[host].ansible_host }} {% if 'localconfig_ssh_config_proxycommand' in hostvars[host] %} ProxyCommand {{ hostvars[host].localconfig_ssh_config_proxycommand }} {% endif %} -- 1.7.10.4 From c28e1f4030cc918f74bbac6b40bd8b5398238e4b Mon Sep 17 00:00:00 2001 
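Review bot: `[net-zone-mgmt:vars]` sets `host_domain=mgmt.realraum.at` while `[all:vars]` (the context at the top of the hunk) sets `host_domain=realraum.at` for the same hosts, so the result depends on Ansible's child-group-over-`all` precedence, which nothing in the file states. A comment above the stanza, `# overrides host_domain from [all:vars]; child groups take precedence over all`, would make the intent explicit and stop someone from "fixing" the apparent duplicate. The `## TODO` line with its inline `localconfig_ssh_config_user=root` now lives only in the mgmt group, so a reader of `[virtualservers]` no longer sees why `metrics` is special; a short pointer there would help.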
From: nicoo Date: Sun, 22 Apr 2018 23:13:29 +0200 Subject: [PATCH 03/16] Add torwaechter to inventory --- ansible/hosts.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/hosts.ini b/ansible/hosts.ini index a741934..0701464 100644 --- a/ansible/hosts.ini +++ b/ansible/hosts.ini @@ -4,7 +4,7 @@ ansible_host={{ inventory_hostname }}.{{ host_domain }} ansible_user=root [net-zone-mgmt] -#torwaechter +torwaechter alfred calendar galley -- 1.7.10.4 From 785542e8910eae20c61fe025f6004f483c8bd777 Mon Sep 17 00:00:00 2001 From: nicoo Date: Thu, 19 Apr 2018 15:56:43 +0200 Subject: [PATCH 04/16] Initial role for building OpenWRT images --- ansible/.gitignore | 2 + ansible/roles/openwrt-image/README.md | 3 ++ ansible/roles/openwrt-image/defaults/main.yml | 11 ++++ ansible/roles/openwrt-image/tasks/00-fetch.yml | 52 +++++++++++++++++++ ansible/roles/openwrt-image/tasks/02-prepare.yml | 1 + ansible/roles/openwrt-image/tasks/main.yml | 58 ++++++++++++++++++++++ 6 files changed, 127 insertions(+) create mode 100644 ansible/roles/openwrt-image/README.md create mode 100644 ansible/roles/openwrt-image/defaults/main.yml create mode 100644 ansible/roles/openwrt-image/tasks/00-fetch.yml create mode 100644 ansible/roles/openwrt-image/tasks/02-prepare.yml create mode 100644 ansible/roles/openwrt-image/tasks/main.yml diff --git a/ansible/.gitignore b/ansible/.gitignore index 808abb8..3c4fe7e 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -1,5 +1,7 @@ /log /gpg/vault-keyring.gpg~ +/files/openwrt +/files/.cache *.pyc *.retry .*.sw? diff --git a/ansible/roles/openwrt-image/README.md b/ansible/roles/openwrt-image/README.md new file mode 100644 index 0000000..d56affe --- /dev/null +++ b/ansible/roles/openwrt-image/README.md @@ -0,0 +1,3 @@ +# Build OpenWRT images with Ansible + +## Configuration diff --git a/ansible/roles/openwrt-image/defaults/main.yml b/ansible/roles/openwrt-image/defaults/main.yml new file mode 100644 index 0000000..6c94890 
--- /dev/null +++ b/ansible/roles/openwrt-image/defaults/main.yml @@ -0,0 +1,11 @@ +openwrt_release: 17.01.4 +download_dir: .cache/openwrt +openwrt_tarball_basename: lede-imagebuilder-{{ openwrt_release }}-{{ openwrt_arch }}{% if openwrt_target != 'generic' %}-{{ openwrt_target }}{% endif %}.Linux-x86_64 +openwrt_tarball_name: "{{ openwrt_tarball_basename }}.tar.xz" +openwrt_target: generic +openwrt_output_dir: files/openwrt + + +openwrt_packages_remove: [] +openwrt_packages_add: [] +openwrt_packages_extra: [] diff --git a/ansible/roles/openwrt-image/tasks/00-fetch.yml b/ansible/roles/openwrt-image/tasks/00-fetch.yml new file mode 100644 index 0000000..b3da57f --- /dev/null +++ b/ansible/roles/openwrt-image/tasks/00-fetch.yml 
@@ -0,0 +1,52 @@ +- name: Create download directory + file: + dest: "{{ download_dir }}" + state: directory + +- block: + - name: Generate OpenWrt download URLs + set_fact: + openwrt_url: + https://downloads.openwrt.org/releases/{{ openwrt_release }}/targets/{{ openwrt_arch | mandatory }}/{{ openwrt_target }} + + - name: Download sha256sums + get_url: + url: "{{ openwrt_url }}/sha256sums" + dest: "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256" + + - name: Download sha256sums.asc + get_url: + url: "{{ openwrt_url }}/sha256sums.asc" + dest: "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" + + - name: Check OpenPGP signature + command: gpg --verify "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" + changed_when: False + + - name: Extract SHA256 hash of the imagebuilder archive + command: grep '{{ openwrt_tarball_name }}' "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256" + register: sha256 + changed_when: False + + - name: Download imagebuilder + get_url: + url: "{{ openwrt_url }}/{{ openwrt_tarball_name }}" #lede-imagebuilder-{{ openwrt_release }}-{{ openwrt_arch }}.Linux-x86_64.tar.xz" + dest: "{{ download_dir }}/{{ openwrt_tarball_name }}" + checksum: sha256:{{ sha256.stdout.split(' ') | first }} + + # /!\ This needs to be the last task in 00-fetch.yml +# - set_fact: +# openwrt_imgbuilder_tarball: > +# {{ download_dir }}/{{ openwrt_tarball_name }} + + rescue: + - name: Delete downloaded artifacts + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256" + - "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" + - "{{ download_dir }}/{{ openwrt_tarball_name }}" + - fail: + msg: Something borked diff --git a/ansible/roles/openwrt-image/tasks/02-prepare.yml b/ansible/roles/openwrt-image/tasks/02-prepare.yml new file mode 100644 index 0000000..277cc02 --- /dev/null +++ b/ansible/roles/openwrt-image/tasks/02-prepare.yml @@ -0,0 +1 @@ +- 
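Review bot: `command: gpg --verify "…sha256.asc"` only proves that the checksum file was signed by some key present in the control host's default keyring; it neither pins the OpenWrt release-signing key nor checks which fingerprint produced the signature, so a wrong or stale keyring silently weakens the chain from signature to `checksum: sha256:…`. Verify against a key vendored in the role (for example `gpg --no-default-keyring --keyring <role-keyring-placeholder> --verify …`), or parse `--status-fd 1` output for a `VALIDSIG` line carrying the expected fingerprint, and name the expected key in the task. The same tasks are re-created verbatim as `tasks/fetch.yml` in the later "copy resulting openwrt image to correct location" commit, where the same point applies. The `fail: msg: Something borked` in `rescue:` discards the reason; naming the stage (download, signature, checksum) would help the operator.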
diff --git a/ansible/roles/openwrt-image/tasks/main.yml b/ansible/roles/openwrt-image/tasks/main.yml new file mode 100644 index 0000000..a7641c2 --- /dev/null +++ b/ansible/roles/openwrt-image/tasks/main.yml @@ -0,0 +1,58 @@ +- include: 00-fetch.yml + when: openwrt_imgbuilder_tarball is not defined + +- name: Create temporary build directory + command: mktemp -d openwrt-{{ ansible_hostname }}.XXXXXX + register: tmpdir + +- set_fact: + openwrt_imgbuilder_dir: "{{ tmpdir.stdout }}" + openwrt_imgbuilder_files: "{{ tmpdir.stdout }}/files" + +- name: Create the directory for slipstreamed files + file: + path: "{{ openwrt_imgbuilder_files }}" + state: directory + + +- block: +# - unarchive: +# copy: False +# src: "{{ download_dir }}/{{ openwrt_tarball_name }}" +# dest: "{{ openwrt_imgbuilder_dir }}" + + - name: Decompress the OpenWrt image builder + command: >- + tar -xf "{{ download_dir }}/{{ openwrt_tarball_name }}" + -C "{{ openwrt_imgbuilder_dir }}" + +# - include: 02-prepare.yml + + - name: Create the output directory for built images + file: + path: "{{ openwrt_output_dir }}" + state: directory + + - name: Build the OpenWrt image + shell: >- + make -C {{ openwrt_imgbuilder_dir }}/{{ openwrt_tarball_basename }} image + + FILES="{{ openwrt_imgbuilder_files }}" + + PACKAGES=" + {% for x in openwrt_packages_remove %}-{{x}} {% endfor %} + {% for x in openwrt_packages_add %} {{x}} {% endfor %} + {% for x in openwrt_packages_extra %} {{x}} {% endfor %} + " + BIN_DIR="{{ openwrt_output_dir }}" + + {% if openwrt_extra_name is defined %} + EXTRA_IMAGE_NAME="{{ openwrt_extra_name }}" + {% endif %} + + + always: + - name: Delete the temporary build directory + file: + path: "{{ openwrt_imgbuilder_dir }}" + state: absent -- 1.7.10.4 From 55eac8aae5964353c4ed9b2391304b4a01dfa6c6 Mon Sep 17 00:00:00 2001 
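Review bot: `when: openwrt_imgbuilder_tarball is not defined` on the `include: 00-fetch.yml` line can never be false, because the only place that fact would be set is the commented-out `set_fact` at the end of 00-fetch.yml, so the guard advertises an opt-out the role does not have. Either drop the condition or restore the `set_fact` and document the variable as the way to reuse an already-downloaded tarball. Separately, `shell: >-` turns the blank lines inside the make invocation into newlines, so the shell runs `make -C … image` first and then `FILES=`, `PACKAGES=` and `BIN_DIR=` as separate variable assignments the build never sees; the later "Tuer firmware (WIP)" commit switches to `command: >-` without blank lines, which addresses this.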
From: nicoo Date: Thu, 19 Apr 2018 15:59:57 +0200 Subject: [PATCH 05/16] Ansible playbook for building a torwaechter image (WIP) --- ansible/tuer.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 ansible/tuer.yml diff --git a/ansible/tuer.yml b/ansible/tuer.yml new file mode 100644 index 0000000..dcfacab --- /dev/null +++ b/ansible/tuer.yml @@ -0,0 +1,25 @@ +- hosts: torwaechter + connection: local + roles: + - role: openwrt-image + delegate_to: localhost + vars: + openwrt_arch: x86 + openwrt_target: geode + openwrt_packages_remove: + - ppp + - ppp-mod-pppoe + - dnsmasq + - firewall + - odhcpd + openwrt_packages_add: + - flashrom + - haveged + - htop + - hwclock + - ip + - less + - nano + - tcpdump + openwrt_packages_extra: + - git -- 1.7.10.4 From d00b456d24b9439c1a04d0a1b8b86aab4ef6fc61 Mon Sep 17 00:00:00 2001 From: nicoo Date: Sun, 22 Apr 2018 23:16:23 +0200 Subject: [PATCH 06/16] tuer: Build go binaries --- ansible/tuer.yml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/ansible/tuer.yml b/ansible/tuer.yml index dcfacab..cd06649 100644 --- a/ansible/tuer.yml +++ b/ansible/tuer.yml 
@@ -1,5 +1,46 @@ - hosts: torwaechter connection: local + tasks: + - name: Create cache repository + file: + path: .cache/openwrt/tuer + state: directory + + - name: Create GOPATH directory + file: + path: .cache/openwrt/tuer/gopath + state: directory + + - name: Clone necessary git repositories + git: + repo: https://github.com/realraum/{{ item }}.git + dest: .cache/openwrt/tuer/{{ item }} + update: True + with_items: [ door_and_sensors ] + +# - name: Build update-keys + + - name: Download dependencies + command: go get -d ./... + args: + chdir: .cache/openwrt/tuer/door_and_sensors/{{ item }} + environment: + GOPATH: "{{ playbook_dir }}/.cache/openwrt/tuer/gopath" + with_items: [ door_client, door_daemon ] + + - name: Cross-compile Go binaries + command: go build -ldflags "-s" + args: + chdir: .cache/openwrt/tuer/door_and_sensors/{{ item }} + environment: + GO386: 387 + CGO_ENABLED: 0 + GOOS: linux + GOARCH: 386 + with_items: [ door_client, door_daemon ] + +- hosts: torwaechter + connection: local roles: - role: openwrt-image delegate_to: localhost -- 1.7.10.4 From f20d1bcbcc14c1f4daed22d902d7eb3834cb611e Mon Sep 17 00:00:00 2001 From: nicoo Date: Sun, 22 Apr 2018 23:24:58 +0200 Subject: [PATCH 07/16] tuer: Avoid polluting the user's homedir with go crap --- ansible/tuer.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/ansible/tuer.yml b/ansible/tuer.yml index cd06649..438a65b 100644 --- a/ansible/tuer.yml +++ b/ansible/tuer.yml @@ -1,15 +1,11 @@ - hosts: torwaechter connection: local tasks: - - name: Create cache repository + - name: Create go directories file: - path: .cache/openwrt/tuer - state: directory - - - name: Create GOPATH directory - file: - path: .cache/openwrt/tuer/gopath + path: .cache/openwrt/tuer/{{ item }} state: directory + with_items: [ gopath, gocache ] - name: Clone necessary git repositories git: 
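Review bot: The `git:` task clones `https://github.com/realraum/{{ item }}.git` with `update: True` and no `version:`, and `go get -d ./...` pulls the dependencies unpinned, so the `door_client`/`door_daemon` binaries that end up in the firmware are built from whatever the upstream default branch and its dependencies resolve to on the day of the run. Pin the source with `version: <tag-or-commit placeholder>` on the git task and record the resolved commit somewhere visible (image name or a build manifest) so an image can be reproduced and audited. `update: True` should be `update: true` per yamllint's truthy rule. The play's `roles:` stanza continues outside the hunk.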
@@ -25,7 +21,8 @@ args: chdir: .cache/openwrt/tuer/door_and_sensors/{{ item }} environment: - GOPATH: "{{ playbook_dir }}/.cache/openwrt/tuer/gopath" + GOCACHE: "{{ playbook_dir }}/.cache/openwrt/tuer/gocache" + GOPATH: "{{ playbook_dir }}/.cache/openwrt/tuer/gopath" with_items: [ door_client, door_daemon ] - name: Cross-compile Go binaries @@ -33,6 +30,8 @@ args: chdir: .cache/openwrt/tuer/door_and_sensors/{{ item }} environment: + GOCACHE: "{{ playbook_dir }}/.cache/openwrt/tuer/gocache" + GOPATH: "{{ playbook_dir }}/.cache/openwrt/tuer/gopath" GO386: 387 CGO_ENABLED: 0 GOOS: linux -- 1.7.10.4 From ee57b201e2ab36c752fb4df472e1b49b0869a7db Mon Sep 17 00:00:00 2001 From: nicoo Date: Fri, 4 May 2018 02:51:06 +0200 Subject: [PATCH 08/16] Tuer firmware (WIP) --- ansible/roles/openwrt-image/tasks/main.yml | 56 ++++++++++++++++++---------- ansible/tuer.yml | 49 ++++++++++++++++++++---- 2 files changed, 78 insertions(+), 27 deletions(-) diff --git a/ansible/roles/openwrt-image/tasks/main.yml b/ansible/roles/openwrt-image/tasks/main.yml index a7641c2..f136f89 100644 --- a/ansible/roles/openwrt-image/tasks/main.yml +++ b/ansible/roles/openwrt-image/tasks/main.yml 
@@ -2,18 +2,37 @@ when: openwrt_imgbuilder_tarball is not defined - name: Create temporary build directory - command: mktemp -d openwrt-{{ ansible_hostname }}.XXXXXX + command: mktemp --tmpdir -d openwrt-{{ ansible_hostname }}.XXXXXX register: tmpdir - set_fact: openwrt_imgbuilder_dir: "{{ tmpdir.stdout }}" openwrt_imgbuilder_files: "{{ tmpdir.stdout }}/files" -- name: Create the directory for slipstreamed files +- name: Create the directories for mixins file: - path: "{{ openwrt_imgbuilder_files }}" + path: "{{ item }}" state: directory + with_items: + - "{{ openwrt_imgbuilder_files }}" + - "{{ openwrt_mixin.files | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}" + - "{{ openwrt_mixin.content | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}" +- name: Copy mixins in place [1/2] + copy: + src: "{{ item.value }}" + dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}" + with_dict: "{{ openwrt_mixin.files }}" + loop_control: + label: "{{ item.key }}" + +- name: Copy mixins in place [2/2] + copy: + content: "{{ item.value }}" + dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}" + with_dict: "{{ openwrt_mixin.content }}" + loop_control: + label: "{{ item.key }}" - block: # - unarchive: 
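Review bot: `openwrt_mixin.files` and `openwrt_mixin.content` are read by the `with_items:` directory list and the two `with_dict:` copy tasks, but nothing gives `openwrt_mixin` a default, so a playbook that uses the role without mixins now fails on an undefined variable. Add `openwrt_mixin: { files: {}, content: {} }` to defaults/main.yml (the defaults hunks elsewhere in this series do not). The `copy:` tasks set no `mode:`; for entries such as `/usr/local/bin/door_client` the file lands in the image with the control host's umask default unless the imagebuilder resets permissions — worth confirming and, if needed, carrying `mode` in the mixin entry. The enclosing task file continues outside the hunk.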
@@ -33,26 +52,23 @@ path: "{{ openwrt_output_dir }}" state: directory + - set_fact: + openwrt_packages: >- + {{ openwrt_packages_remove | map('regex_replace', '^', '-') | join(' ') }} + {{ openwrt_packages_add | join(' ') }} + {{ openwrt_packages_extra | join(' ') }} + - name: Build the OpenWrt image - shell: >- + command: >- make -C {{ openwrt_imgbuilder_dir }}/{{ openwrt_tarball_basename }} image - FILES="{{ openwrt_imgbuilder_files }}" - - PACKAGES=" - {% for x in openwrt_packages_remove %}-{{x}} {% endfor %} - {% for x in openwrt_packages_add %} {{x}} {% endfor %} - {% for x in openwrt_packages_extra %} {{x}} {% endfor %} - " + PACKAGES="{{ openwrt_packages }}" BIN_DIR="{{ openwrt_output_dir }}" - - {% if openwrt_extra_name is defined %} - EXTRA_IMAGE_NAME="{{ openwrt_extra_name }}" - {% endif %} + {% if openwrt_extra_name is defined %} EXTRA_IMAGE_NAME="{{ openwrt_extra_name }}" {% endif %} - always: - - name: Delete the temporary build directory - file: - path: "{{ openwrt_imgbuilder_dir }}" - state: absent +# always: +# - name: Delete the temporary build directory +# file: +# path: "{{ openwrt_imgbuilder_dir }}" +# state: absent diff --git a/ansible/tuer.yml b/ansible/tuer.yml index 438a65b..a55e085 100644 --- a/ansible/tuer.yml +++ b/ansible/tuer.yml @@ -1,6 +1,6 @@ - hosts: torwaechter connection: local - tasks: + pre_tasks: - name: Create go directories file: path: .cache/openwrt/tuer/{{ item }} @@ -14,8 +14,6 @@ update: True with_items: [ door_and_sensors ] -# - name: Build update-keys - - name: Download dependencies command: go get -d ./... args: @@ -23,7 +21,7 @@ environment: GOCACHE: "{{ playbook_dir }}/.cache/openwrt/tuer/gocache" GOPATH: "{{ playbook_dir }}/.cache/openwrt/tuer/gopath" - with_items: [ door_client, door_daemon ] + with_items: [ door_client, door_daemon, update-keys ] - name: Cross-compile Go binaries command: go build -ldflags "-s" 
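Review bot: Commenting out the `always:` cleanup leaves each run's `mktemp --tmpdir -d openwrt-…` directory — with the extracted image builder, the copied binaries and the rendered dropbear config — on the control host indefinitely, and no comment says this is deliberate. If the directory must survive for debugging, keep the delete task and gate it, e.g. `when: not (openwrt_keep_builddir | default(false) | bool)`, with a comment explaining the knob. `set_fact: openwrt_packages: >-` folds the three lines into one space-separated string, which is what `PACKAGES="{{ openwrt_packages }}"` expects; a one-line comment above it noting that removals get a `-` prefix would help the next reader.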
@@ -36,10 +34,8 @@ CGO_ENABLED: 0 GOOS: linux GOARCH: 386 - with_items: [ door_client, door_daemon ] + with_items: [ door_client, door_daemon, update-keys ] -- hosts: torwaechter - connection: local roles: - role: openwrt-image delegate_to: localhost @@ -63,3 +59,42 @@ - tcpdump openwrt_packages_extra: - git + + openwrt_mixin: + files: + # Go binaries + /usr/local/bin/door_client: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_client/door_client" + /usr/local/bin/door_daemon: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_daemon/door_daemon" + /usr/local/bin/update-keys: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys" + + content: + /etc/config/network: | + config interface 'loopback' + option ifname 'lo' + option proto 'static' + option ipaddr '127.0.0.1' + option netmask '255.0.0.0' + + config globals 'globals' + option ula_prefix 'fdc9:e01f:83db::/48' + + config interface 'lan' + option ifname 'eth0' + option accept_ra '0' + option proto 'static' + option ipaddr '192.168.33.7' + option netmask '255.255.255.0' + option gateway '192.168.33.1' + option dns '192.168.33.1' + option dns_search 'realraum.at' + + /etc/config/dropbear: | + config dropbear + option PasswordAuth 'on' + option RootPasswordAuth 'off' + option Port '22000' + + /etc/dropbear/authorized_keys: |- + {% for key in noc_ssh_keys %} + key + {% endfor %} -- 1.7.10.4 From 4649fe7abd60b492916e07f614f85378c433b433 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 4 May 2018 21:14:48 +0200 Subject: [PATCH 09/16] cosmetic changes --- ansible/.gitignore | 2 -- ansible/roles/openwrt-image/defaults/main.yml | 3 ++- ansible/roles/openwrt-image/tasks/00-fetch.yml | 25 +++++++++++----------- ansible/roles/openwrt-image/tasks/02-prepare.yml | 1 + ansible/roles/openwrt-image/tasks/main.yml | 5 +++-- ansible/tuer.yml | 1 + 6 files changed, 20 insertions(+), 17 deletions(-) 
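Review bot: The `/etc/dropbear/authorized_keys` mixin writes the literal word `key` once per NOC key instead of the key itself, so the door controller is built with no usable authorized key; the loop body should be `{{ key }}`. The body line also sits two spaces deeper than the `{% for %}` line inside the `|-` block, so each key would be emitted with leading whitespace — confirm dropbear tolerates that or dedent the loop. The `/etc/config/dropbear` mixin sets `option PasswordAuth 'on'` on a firmware whose access model is the NOC key list; unless non-root password logins are intended, `'off'` matches the intent of installing authorized_keys. The play's `roles:` stanza begins outside the hunk.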
diff --git a/ansible/.gitignore b/ansible/.gitignore index 3c4fe7e..808abb8 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -1,7 +1,5 @@ /log /gpg/vault-keyring.gpg~ -/files/openwrt -/files/.cache *.pyc *.retry .*.sw? diff --git a/ansible/roles/openwrt-image/defaults/main.yml b/ansible/roles/openwrt-image/defaults/main.yml index 6c94890..e0724a8 100644 --- a/ansible/roles/openwrt-image/defaults/main.yml +++ b/ansible/roles/openwrt-image/defaults/main.yml @@ -1,5 +1,6 @@ +--- openwrt_release: 17.01.4 -download_dir: .cache/openwrt +openwrt_download_dir: .cache/openwrt openwrt_tarball_basename: lede-imagebuilder-{{ openwrt_release }}-{{ openwrt_arch }}{% if openwrt_target != 'generic' %}-{{ openwrt_target }}{% endif %}.Linux-x86_64 openwrt_tarball_name: "{{ openwrt_tarball_basename }}.tar.xz" openwrt_target: generic diff --git a/ansible/roles/openwrt-image/tasks/00-fetch.yml b/ansible/roles/openwrt-image/tasks/00-fetch.yml index b3da57f..a69e65b 100644 --- a/ansible/roles/openwrt-image/tasks/00-fetch.yml +++ b/ansible/roles/openwrt-image/tasks/00-fetch.yml @@ -1,8 +1,9 @@ +--- - name: Create download directory file: - dest: "{{ download_dir }}" + dest: "{{ openwrt_download_dir }}" state: directory - + - block: - name: Generate OpenWrt download URLs set_fact: 
@@ -12,41 +13,41 @@ - name: Download sha256sums get_url: url: "{{ openwrt_url }}/sha256sums" - dest: "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256" + dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256" - name: Download sha256sums.asc get_url: url: "{{ openwrt_url }}/sha256sums.asc" - dest: "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" + dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" - name: Check OpenPGP signature - command: gpg --verify "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" + command: gpg --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" changed_when: False - name: Extract SHA256 hash of the imagebuilder archive - command: grep '{{ openwrt_tarball_name }}' "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256" + command: grep '{{ openwrt_tarball_name }}' "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256" register: sha256 changed_when: False - name: Download imagebuilder get_url: url: "{{ openwrt_url }}/{{ openwrt_tarball_name }}" #lede-imagebuilder-{{ openwrt_release }}-{{ openwrt_arch }}.Linux-x86_64.tar.xz" - dest: "{{ download_dir }}/{{ openwrt_tarball_name }}" + dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}" checksum: sha256:{{ sha256.stdout.split(' ') | first }} # /!\ This needs to be the last task in 00-fetch.yml # - set_fact: # openwrt_imgbuilder_tarball: > -# {{ download_dir }}/{{ openwrt_tarball_name }} - +# {{ openwrt_download_dir }}/{{ openwrt_tarball_name }} + rescue: - name: Delete downloaded artifacts file: path: "{{ item }}" state: absent with_items: - - "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256" - - "{{ download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" - - "{{ download_dir }}/{{ openwrt_tarball_name }}" + - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256" + - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" + - "{{ 
openwrt_download_dir }}/{{ openwrt_tarball_name }}" - fail: msg: Something borked diff --git a/ansible/roles/openwrt-image/tasks/02-prepare.yml b/ansible/roles/openwrt-image/tasks/02-prepare.yml index 277cc02..28bf10e 100644 --- a/ansible/roles/openwrt-image/tasks/02-prepare.yml +++ b/ansible/roles/openwrt-image/tasks/02-prepare.yml @@ -1 +1,2 @@ +--- - diff --git a/ansible/roles/openwrt-image/tasks/main.yml b/ansible/roles/openwrt-image/tasks/main.yml index f136f89..d182a5b 100644 --- a/ansible/roles/openwrt-image/tasks/main.yml +++ b/ansible/roles/openwrt-image/tasks/main.yml @@ -1,3 +1,4 @@ +--- - include: 00-fetch.yml when: openwrt_imgbuilder_tarball is not defined @@ -37,12 +38,12 @@ - block: # - unarchive: # copy: False -# src: "{{ download_dir }}/{{ openwrt_tarball_name }}" +# src: "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}" # dest: "{{ openwrt_imgbuilder_dir }}" - name: Decompress the OpenWrt image builder command: >- - tar -xf "{{ download_dir }}/{{ openwrt_tarball_name }}" + tar -xf "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}" -C "{{ openwrt_imgbuilder_dir }}" # - include: 02-prepare.yml diff --git a/ansible/tuer.yml b/ansible/tuer.yml index a55e085..c73b047 100644 --- a/ansible/tuer.yml +++ b/ansible/tuer.yml @@ -1,3 +1,4 @@ +--- - hosts: torwaechter connection: local pre_tasks: -- 1.7.10.4 From 3ca11d4bcb124eee97b958149c34201bdf83677c Mon Sep 17 00:00:00 2001 
From: Christian Pointner Date: Fri, 4 May 2018 22:56:50 +0200 Subject: [PATCH 10/16] ansible: copy resulting openwrt image to correct location --- ansible/.gitignore | 1 + ansible/roles/openwrt-image/defaults/main.yml | 9 +++- ansible/roles/openwrt-image/tasks/00-fetch.yml | 53 ------------------ ansible/roles/openwrt-image/tasks/02-prepare.yml | 2 - ansible/roles/openwrt-image/tasks/fetch.yml | 48 +++++++++++++++++ ansible/roles/openwrt-image/tasks/main.yml | 63 +++++----------------- ansible/roles/openwrt-image/tasks/prepare.yml | 44 +++++++++++++++ ansible/tuer.yml | 19 ++++--- 8 files changed, 123 insertions(+), 116 deletions(-) delete mode 100644 ansible/roles/openwrt-image/tasks/00-fetch.yml delete mode 100644 ansible/roles/openwrt-image/tasks/02-prepare.yml create mode 100644 ansible/roles/openwrt-image/tasks/fetch.yml create mode 100644 ansible/roles/openwrt-image/tasks/prepare.yml diff --git a/ansible/.gitignore b/ansible/.gitignore index 808abb8..d5e5f4b 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -4,3 +4,4 @@ *.retry .*.sw? /.cache/ +/files/ diff --git a/ansible/roles/openwrt-image/defaults/main.yml b/ansible/roles/openwrt-image/defaults/main.yml index e0724a8..92932fc 100644 --- a/ansible/roles/openwrt-image/defaults/main.yml +++ b/ansible/roles/openwrt-image/defaults/main.yml 
@@ -1,11 +1,16 @@ --- +openwrt_variant: lede openwrt_release: 17.01.4 openwrt_download_dir: .cache/openwrt -openwrt_tarball_basename: lede-imagebuilder-{{ openwrt_release }}-{{ openwrt_arch }}{% if openwrt_target != 'generic' %}-{{ openwrt_target }}{% endif %}.Linux-x86_64 +openwrt_tarball_basename: "{{ openwrt_variant }}-imagebuilder-{{ openwrt_release }}-{{ openwrt_arch }}{% if openwrt_target != 'generic' %}-{{ openwrt_target }}{% endif %}.Linux-x86_64" openwrt_tarball_name: "{{ openwrt_tarball_basename }}.tar.xz" openwrt_target: generic -openwrt_output_dir: files/openwrt +openwrt_output_dir: files/openwrt/{{ inventory_hostname }} +openwrt_output_image_name_base: "{{ openwrt_variant }}-{{ openwrt_release }}-{{ openwrt_arch }}{% if openwrt_target != 'generic' %}-{{ openwrt_target }}{% endif %}" +openwrt_output_image_suffixes: + - squashfs-sysupgrade.bin + - squashfs-factory.bin openwrt_packages_remove: [] openwrt_packages_add: [] diff --git a/ansible/roles/openwrt-image/tasks/00-fetch.yml b/ansible/roles/openwrt-image/tasks/00-fetch.yml deleted file mode 100644 index a69e65b..0000000 --- a/ansible/roles/openwrt-image/tasks/00-fetch.yml +++ /dev/null 
@@ -1,53 +0,0 @@
----
-- name: Create download directory
- file:
- dest: "{{ openwrt_download_dir }}"
- state: directory
- - block:
- - name: Generate OpenWrt download URLs
- set_fact:
- openwrt_url:
- https://downloads.openwrt.org/releases/{{ openwrt_release }}/targets/{{ openwrt_arch | mandatory }}/{{ openwrt_target }}
- - name: Download sha256sums
- get_url:
- url: "{{ openwrt_url }}/sha256sums"
- dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
- - name: Download sha256sums.asc
- get_url:
- url: "{{ openwrt_url }}/sha256sums.asc"
- dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
- - name: Check OpenPGP signature
- command: gpg --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
- changed_when: False
- - name: Extract SHA256 hash of the imagebuilder archive
- command: grep '{{ openwrt_tarball_name }}' "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
- register: sha256
- changed_when: False
- - name: Download imagebuilder
- get_url:
- url: "{{ openwrt_url }}/{{ openwrt_tarball_name }}" #lede-imagebuilder-{{ openwrt_release }}-{{ openwrt_arch }}.Linux-x86_64.tar.xz"
- dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
- checksum: sha256:{{ sha256.stdout.split(' ') | first }}
- - # /!\ This needs to be the last task in 00-fetch.yml
-# - set_fact:
-# openwrt_imgbuilder_tarball: >
-# {{ openwrt_download_dir }}/{{ openwrt_tarball_name }}
- - rescue:
- - name: Delete downloaded artifacts
- file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
- - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
- - "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
- - fail:
- msg: Something borked
diff --git a/ansible/roles/openwrt-image/tasks/02-prepare.yml b/ansible/roles/openwrt-image/tasks/02-prepare.yml
deleted file mode 100644
index 28bf10e..0000000
--- a/ansible/roles/openwrt-image/tasks/02-prepare.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
--
diff --git a/ansible/roles/openwrt-image/tasks/fetch.yml b/ansible/roles/openwrt-image/tasks/fetch.yml
new file mode 100644
index 0000000..4b5b1c8
--- /dev/null
+++ b/ansible/roles/openwrt-image/tasks/fetch.yml
@@ -0,0 +1,48 @@
+---
+- name: Create download directory
+ file:
+ dest: "{{ openwrt_download_dir }}"
+ state: directory
+
+- block:
+ - name: Generate OpenWrt download URLs
+ set_fact:
+ openwrt_url:
+ https://downloads.openwrt.org/releases/{{ openwrt_release }}/targets/{{ openwrt_arch | mandatory }}/{{ openwrt_target }}
+
+ - name: Download sha256sums
+ get_url:
+ url: "{{ openwrt_url }}/sha256sums"
+ dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
+
+ - name: Download sha256sums.asc
+ get_url:
+ url: "{{ openwrt_url }}/sha256sums.asc"
+ dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+
+ - name: Check OpenPGP signature
+ command: gpg --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+ changed_when: False
+
+ - name: Extract SHA256 hash of the imagebuilder archive
+ command: grep '{{ openwrt_tarball_name }}' "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
+ register: sha256
+ changed_when: False
+
+ - name: Download imagebuilder
+ get_url:
+ url: "{{ openwrt_url }}/{{ openwrt_tarball_name }}"
+ dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
+ checksum: sha256:{{ sha256.stdout.split(' ') | first }}
+
+ rescue:
+ - name: Delete downloaded artifacts
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
+ - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+ - "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
+ - fail:
+ msg: Something borked
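Review bot: The `Check OpenPGP signature` task in the new fetch.yml accepts a signature from any key in the controller's default GnuPG keyring: `gpg --verify` is run with no `--keyring`, no expected signer and no inspection of the status output, and gpg exits 0 for a good signature even when the signing key is untrusted, so a substituted sha256sums signed by any key that was ever imported on the build host passes and the `checksum:` on the imagebuilder download inherits that weak anchor. Pin the check to a release key shipped with the role, along the lines of `command: gpg --no-default-keyring --keyring "{{ role_path }}/files/openwrt-release.gpg" --status-fd 1 --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"` with `register: gpg_verify` and `failed_when: "'VALIDSIG <release key fingerprint>' not in gpg_verify.stdout"`, taking the fingerprint from OpenWrt's published release-key documentation rather than from anything downloaded here. The `grep` in `Extract SHA256 hash of the imagebuilder archive` is unanchored and `| first` silently takes the first of several matches, so `failed_when: sha256.stdout_lines | length != 1` would turn an ambiguous match into a hard failure instead of a guess.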
diff --git a/ansible/roles/openwrt-image/tasks/main.yml b/ansible/roles/openwrt-image/tasks/main.yml
index d182a5b..5f9cc52 100644
--- a/ansible/roles/openwrt-image/tasks/main.yml
+++ b/ansible/roles/openwrt-image/tasks/main.yml
@@ -1,52 +1,9 @@
 ---
-- include: 00-fetch.yml
+- include: fetch.yml
 when: openwrt_imgbuilder_tarball is not defined
-- name: Create temporary build directory
- command: mktemp --tmpdir -d openwrt-{{ ansible_hostname }}.XXXXXX
- register: tmpdir
-
-- set_fact:
- openwrt_imgbuilder_dir: "{{ tmpdir.stdout }}"
- openwrt_imgbuilder_files: "{{ tmpdir.stdout }}/files"
-
-- name: Create the directories for mixins
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- - "{{ openwrt_imgbuilder_files }}"
- - "{{ openwrt_mixin.files | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
- - "{{ openwrt_mixin.content | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
-
-- name: Copy mixins in place [1/2]
- copy:
- src: "{{ item.value }}"
- dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
- with_dict: "{{ openwrt_mixin.files }}"
- loop_control:
- label: "{{ item.key }}"
-
-- name: Copy mixins in place [2/2]
- copy:
- content: "{{ item.value }}"
- dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
- with_dict: "{{ openwrt_mixin.content }}"
- loop_control:
- label: "{{ item.key }}"
-
 - block:
-# - unarchive:
-# copy: False
-# src: "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
-# dest: "{{ openwrt_imgbuilder_dir }}"
-
- - name: Decompress the OpenWrt image builder
- command: >-
- tar -xf "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
- -C "{{ openwrt_imgbuilder_dir }}"
-
-# - include: 02-prepare.yml
+ - include: prepare.yml
 - name: Create the output directory for built images
 file:
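Review bot: The `when: openwrt_imgbuilder_tarball is not defined` guard kept on `- include: fetch.yml` is now dangling: the commented-out `set_fact` that was meant to define that variable went away with 00-fetch.yml, and in the parts of the role visible here nothing reads it — prepare.yml untars `{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}` unconditionally. Defining the variable anywhere (inventory, group_vars, `-e`) therefore skips the download, the OpenPGP check and the sha256 check and builds from whatever file sits in `.cache/openwrt`, with no sign in the play output that verification was bypassed. Either drop the `when:` so the verified fetch always runs (`get_url` with `checksum:` is a no-op when the cached file already matches), or make the override real by having fetch.yml set `openwrt_imgbuilder_tarball` and prepare.yml extract from it. The `block:` opened here continues into the next hunk.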
@@ -64,12 +21,16 @@
 make -C {{ openwrt_imgbuilder_dir }}/{{ openwrt_tarball_basename }} image
 FILES="{{ openwrt_imgbuilder_files }}"
 PACKAGES="{{ openwrt_packages }}"
- BIN_DIR="{{ openwrt_output_dir }}"
 {% if openwrt_extra_name is defined %} EXTRA_IMAGE_NAME="{{ openwrt_extra_name }}" {% endif %}
+ - name: Copy newly built OpenWrt image
+ with_items: "{{ openwrt_output_image_suffixes }}"
+ copy:
+ src: "{{ openwrt_imgbuilder_dir }}/{{ openwrt_tarball_basename }}/bin/targets/{{ openwrt_arch }}/{{ openwrt_target }}/{{ openwrt_output_image_name_base }}-{{ item }}"
+ dest: "{{ openwrt_output_dir }}"
-# always:
-# - name: Delete the temporary build directory
-# file:
-# path: "{{ openwrt_imgbuilder_dir }}"
-# state: absent
+ always:
+ - name: Delete the temporary build directory
+ file:
+ path: "{{ openwrt_imgbuilder_dir }}"
+ state: absent
diff --git a/ansible/roles/openwrt-image/tasks/prepare.yml b/ansible/roles/openwrt-image/tasks/prepare.yml
new file mode 100644
index 0000000..30cd32b
--- /dev/null
+++ b/ansible/roles/openwrt-image/tasks/prepare.yml
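Review bot: The `src` of the new `Copy newly built OpenWrt image` task is assembled from `openwrt_output_image_name_base`, which carries no trace of `openwrt_extra_name`, while the `make` call above still passes `EXTRA_IMAGE_NAME` whenever that variable is set; as far as I recall the image builder inserts the extra name into the output file name, so a play that sets `openwrt_extra_name` would build successfully and then fail on the copy with a missing-file error — worth checking against a real build and, if confirmed, appending `{% if openwrt_extra_name is defined %}-{{ openwrt_extra_name }}{% endif %}` to the name base in defaults/main.yml. The `always:` cleanup references `openwrt_imgbuilder_dir`, which only exists once prepare.yml's `set_fact` has run; if `mktemp` itself fails, the cleanup then dies on an undefined variable and hides the real cause, so guard it with `when: openwrt_imgbuilder_dir is defined`. The `block:` these tasks belong to starts in the previous hunk.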
@@ -0,0 +1,44 @@
+---
+- name: Create temporary build directory
+ command: mktemp --tmpdir -d openwrt-{{ inventory_hostname }}.XXXXXX
+ register: tmpdir
+
+- set_fact:
+ openwrt_imgbuilder_dir: "{{ tmpdir.stdout }}"
+ openwrt_imgbuilder_files: "{{ tmpdir.stdout }}/files"
+
+- name: Create the directories for mixins
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - "{{ openwrt_imgbuilder_files }}"
+ - "{{ openwrt_mixin.files | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
+ - "{{ openwrt_mixin.content | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
+
+- name: Copy mixins in place [1/2]
+ copy:
+ src: "{{ item.value }}"
+ dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
+ with_dict: "{{ openwrt_mixin.files }}"
+ loop_control:
+ label: "{{ item.key }}"
+
+- name: Copy mixins in place [2/2]
+ copy:
+ content: "{{ item.value }}"
+ dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
+ with_dict: "{{ openwrt_mixin.content }}"
+ loop_control:
+ label: "{{ item.key }}"
+
+### TODO: this just hangs?
+# - unarchive:
+# copy: False
+# src: "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
+# dest: "{{ openwrt_imgbuilder_dir }}"
+
+- name: Decompress the OpenWrt image builder
+ command: >-
+ tar -xf "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
+ -C "{{ openwrt_imgbuilder_dir }}"
diff --git a/ansible/tuer.yml b/ansible/tuer.yml
index c73b047..f7c7bf4 100644
--- a/ansible/tuer.yml
+++ b/ansible/tuer.yml
@@ -43,6 +43,9 @@
 vars:
 openwrt_arch: x86
 openwrt_target: geode
+ openwrt_output_image_suffixes:
+ - combined-ext4.img.gz
+ - combined-squashfs.img
 openwrt_packages_remove:
 - ppp
 - ppp-mod-pppoe
@@ -75,19 +78,19 @@
 option proto 'static'
 option ipaddr '127.0.0.1'
 option netmask '255.0.0.0'
-
+
 config globals 'globals'
 option ula_prefix 'fdc9:e01f:83db::/48'
-
+
 config interface 'lan'
 option ifname 'eth0'
 option accept_ra '0'
 option proto 'static'
- option ipaddr '192.168.33.7'
- option netmask '255.255.255.0'
- option gateway '192.168.33.1'
- option dns '192.168.33.1'
- option dns_search 'realraum.at'
+ option ipaddr '192.168.33.7'
+ option netmask '255.255.255.0'
+ option gateway '192.168.33.1'
+ option dns '192.168.33.1'
+ option dns_search 'realraum.at'
 /etc/config/dropbear: |
 config dropbear
@@ -97,5 +100,5 @@
 /etc/dropbear/authorized_keys: |-
 {% for key in noc_ssh_keys %}
- key
+ {{ key }}
 {% endfor %}
-- 1.7.10.4
From 5edd0fe042597035922f1bc215b88053a82c68b2 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 4 May 2018 23:06:13 +0200
Subject: [PATCH 11/16] ansible: add todo message for nicoo
---
 ansible/tuer.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ansible/tuer.yml b/ansible/tuer.yml
index f7c7bf4..f0017c7 100644
--- a/ansible/tuer.yml
+++ b/ansible/tuer.yml
@@ -98,6 +98,7 @@
 option RootPasswordAuth 'off'
 option Port '22000'
+ # TODO: mode needs to be 0600
 /etc/dropbear/authorized_keys: |-
 {% for key in noc_ssh_keys %}
 {{ key }}
-- 1.7.10.4
From 5e6f9dbbbcc55a143e3fda63973183f5fdea1212 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 5 May 2018 00:05:31 +0200
Subject: [PATCH 12/16] fix localconfig ssh user for openwrt hosts
---
 ansible/hosts.ini | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ansible/hosts.ini b/ansible/hosts.ini
index 0701464..dcba449 100644
--- a/ansible/hosts.ini
+++ b/ansible/hosts.ini
@@ -46,6 +46,13 @@
 virtualservers
 wuerfel
+[openwrt]
+torwaechter
+
+[openwrt:vars]
+localconfig_ssh_config_user=root
+
+
 #[alix]
 #gw
 #torwaechter
-- 1.7.10.4
From f5333654916e3e41923f538ee21385d4bf96a974 Mon Sep 17 00:00:00 2001
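Review bot: The new `[openwrt:vars]` stanza turns on direct root logins for the `[openwrt]` group without saying why that is acceptable here, and an inventory reader has no way to tell it apart from a shortcut; the dropbear config in tuer.yml earlier on this page sets `RootPasswordAuth 'off'` and installs only the `noc_ssh_keys`, so the justification exists and belongs next to the setting, e.g. `# OpenWrt has no unprivileged accounts; root is key-only (see dropbear config in tuer.yml)`. That same dropbear config listens on `Port '22000'`, so if localconfig derives an ssh_config `Host` stanza from the `localconfig_ssh_config_*` variables, the port presumably has to be set here alongside the user; the localconfig role is not visible from this page, so confirm what it consumes.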
From: nicoo
Date: Sun, 6 May 2018 13:14:09 +0200
Subject: [PATCH 13/16] tuer: Disallow all password auth
---
 ansible/tuer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/tuer.yml b/ansible/tuer.yml
index f0017c7..db757c5 100644
--- a/ansible/tuer.yml
+++ b/ansible/tuer.yml
@@ -94,7 +94,7 @@
 /etc/config/dropbear: |
 config dropbear
- option PasswordAuth 'on'
+ option PasswordAuth 'off'
 option RootPasswordAuth 'off'
 option Port '22000'
-- 1.7.10.4
From 3751b141f2abac4c5e2d188846966bef7d4f3eff Mon Sep 17 00:00:00 2001
From: nicoo
Date: Sun, 6 May 2018 13:38:40 +0200
Subject: [PATCH 14/16] roles/openwrt-image: Refactor openwrt-mixins
---
 ansible/roles/openwrt-image/tasks/prepare.yml | 11 ++++++-----
 ansible/tuer.yml | 24 ++++++++++++++----------
 2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/ansible/roles/openwrt-image/tasks/prepare.yml b/ansible/roles/openwrt-image/tasks/prepare.yml
index 30cd32b..056daf3 100644
--- a/ansible/roles/openwrt-image/tasks/prepare.yml
+++ b/ansible/roles/openwrt-image/tasks/prepare.yml
@@ -13,14 +13,14 @@
 state: directory
 with_items:
 - "{{ openwrt_imgbuilder_files }}"
- - "{{ openwrt_mixin.files | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
- - "{{ openwrt_mixin.content | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
+ - "{{ openwrt_mixin | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
 - name: Copy mixins in place [1/2]
 copy:
- src: "{{ item.value }}"
+ src: "{{ item.file }}"
 dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
- with_dict: "{{ openwrt_mixin.files }}"
+ with_dict: "{{ openwrt_mixin }}"
+ when: '"file" in item'
 loop_control:
 label: "{{ item.key }}"
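Review bot: `when: '"file" in item'` in the refactored `Copy mixins in place [1/2]` task can never be true: with `with_dict` the loop variable is the `{key, value}` pair, so the test looks for a key named `file` among `key` and `value`, and `src: "{{ item.file }}"` would be undefined even if the task were reached. Unless this Ansible version shapes `with_dict` items differently from the documented pair, the task is now skipped for every entry and none of the Go binaries declared in tuer.yml make it into the image. The mixin entry has to be addressed through the value: `src: "{{ item.value.file }}"` and `when: '"file" in item.value'`. The same addressing applies to the `[2/2]` task in the next hunk.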
@@ -28,7 +28,8 @@
 copy:
 content: "{{ item.value }}"
 dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
- with_dict: "{{ openwrt_mixin.content }}"
+ with_dict: "{{ openwrt_mixin }}"
+ when: '"content" in item'
 loop_control:
 label: "{{ item.key }}"
diff --git a/ansible/tuer.yml b/ansible/tuer.yml
index db757c5..9989e0d 100644
--- a/ansible/tuer.yml
+++ b/ansible/tuer.yml
@@ -65,14 +65,16 @@
 - git
 openwrt_mixin:
- files:
- # Go binaries
- /usr/local/bin/door_client: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_client/door_client"
- /usr/local/bin/door_daemon: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_daemon/door_daemon"
- /usr/local/bin/update-keys: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys"
+ # Go binaries
+ /usr/local/bin/door_client:
+ file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_client/door_client"
+ /usr/local/bin/door_daemon:
+ file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_daemon/door_daemon"
+ /usr/local/bin/update-keys:
+ file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys"
- content:
- /etc/config/network: |
+ /etc/config/network:
+ content: |
 config interface 'loopback'
 option ifname 'lo'
 option proto 'static'
@@ -92,14 +94,16 @@
 option dns '192.168.33.1'
 option dns_search 'realraum.at'
- /etc/config/dropbear: |
+ /etc/config/dropbear:
+ content: |
 config dropbear
 option PasswordAuth 'off'
 option RootPasswordAuth 'off'
 option Port '22000'
- # TODO: mode needs to be 0600
- /etc/dropbear/authorized_keys: |-
+ # TODO: mode needs to be 0600
+ /etc/dropbear/authorized_keys:
+ content: |-
 {% for key in noc_ssh_keys %}
 {{ key }}
 {% endfor %}
-- 1.7.10.4
From a2ecec5f11993e0f9e291bc5d3e7d50ab59dd400 Mon Sep 17 00:00:00 2001
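Review bot: `when: '"content" in item'` on the `Copy mixins in place [2/2]` task has the same problem as its sibling: `item` is the `with_dict` `{key, value}` pair, so the condition is false for every entry and the dropbear config, the network config and `/etc/dropbear/authorized_keys` are never written into the image. The unchanged context line `content: "{{ item.value }}"` is now also wrong for the new mixin shape — once the condition is fixed it would render the whole `{'content': ...}` mapping into the file rather than its text. Both lines need to go through the value: `content: "{{ item.value.content }}"` and `when: '"content" in item.value'`; this assumes the documented `with_dict` item shape, which is worth a quick check on the Ansible version in use.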
From: nicoo
Date: Sun, 6 May 2018 13:39:03 +0200
Subject: [PATCH 15/16] roles/openwrt-image: Add support for setting file modes
---
 ansible/roles/openwrt-image/tasks/prepare.yml | 2 ++
 ansible/tuer.yml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/openwrt-image/tasks/prepare.yml b/ansible/roles/openwrt-image/tasks/prepare.yml
index 056daf3..29e24cd 100644
--- a/ansible/roles/openwrt-image/tasks/prepare.yml
+++ b/ansible/roles/openwrt-image/tasks/prepare.yml
@@ -19,6 +19,7 @@
 copy:
 src: "{{ item.file }}"
 dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
+ mode: "{{ item.mode | default(0644) }}"
 with_dict: "{{ openwrt_mixin }}"
 when: '"file" in item'
 loop_control:
@@ -28,6 +29,7 @@
 copy:
 content: "{{ item.value }}"
 dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
+ mode: "{{ item.mode | default(0644) }}"
 with_dict: "{{ openwrt_mixin }}"
 when: '"content" in item'
 loop_control:
diff --git a/ansible/tuer.yml b/ansible/tuer.yml
index 9989e0d..9d4ceec 100644
--- a/ansible/tuer.yml
+++ b/ansible/tuer.yml
@@ -101,8 +101,8 @@
 option RootPasswordAuth 'off'
 option Port '22000'
- # TODO: mode needs to be 0600
 /etc/dropbear/authorized_keys:
+ mode: 0600
 content: |-
 {% for key in noc_ssh_keys %}
 {{ key }}
-- 1.7.10.4
From 4582c57b9fe0d77f0997c08f471a1ed9f12 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Wed, 16 May 2018 21:28:16 +0200
Subject: [PATCH 16/16] tuer: Make installed binaries executable
---
 ansible/tuer.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ansible/tuer.yml b/ansible/tuer.yml
index 9d4ceec..1ed9f12 100644
--- a/ansible/tuer.yml
+++ b/ansible/tuer.yml
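Review bot: `mode: "{{ item.mode | default(0644) }}"` relies on two accidental conversions to produce a permission mask: Jinja2 reads the literal `0644` as the decimal integer 644, so the default renders as the string "644", which Ansible's file modules then (as far as I know) reinterpret as an octal string, while the caller's `mode: 0600` in tuer.yml only comes out right because YAML 1.1 parses a leading-zero integer as octal. For a field that decides whether `/etc/dropbear/authorized_keys` is world-readable, the form Ansible documents is a quoted string everywhere: `mode: "{{ item.mode | default('0644') }}"` in both tasks and `mode: "0600"` in the caller. Note also that with `with_dict` the loop variable is the `{key, value}` pair, so `item.mode` would need to be `item.value.mode` for a per-entry mode to ever be seen. Whether the image builder preserves modes from the `FILES=` tree is not something this page shows, so verify the permission on the built image rather than on the staging directory.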
@@ -67,10 +67,13 @@
 openwrt_mixin:
 # Go binaries
 /usr/local/bin/door_client:
+ mode: 0755
 file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_client/door_client"
 /usr/local/bin/door_daemon:
+ mode: 0755
 file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/door_daemon/door_daemon"
 /usr/local/bin/update-keys:
+ mode: 0755
 file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys"
 /etc/config/network:
-- 1.7.10.4
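Review bot: The three binaries that now get `mode: 0755` are read from `{{ playbook_dir }}/.cache/openwrt/tuer/...`, a directory the `.gitignore` change at the top of this series keeps out of version control, so nothing in the play ties what is baked into the door controller as a root-run executable to a source revision or a build; anyone who can write to the controller's `.cache` gets code into the image unnoticed. Worth at least recording the expected digest next to each mixin (say a `sha256:` key that prepare.yml checks with the `stat` module before copying, failing the build on mismatch), or building the binaries in the play from a pinned commit so the provenance is in the repo. The unquoted `0755` also depends on YAML 1.1 octal parsing; `mode: "0755"` is the form Ansible documents and survives a YAML 1.2 loader. The enclosing `openwrt_mixin` mapping continues past the end of the hunk.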