From 8917adda209f16243189d96a1b8d9fd91b91cb30 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Thu, 4 Apr 2024 17:01:42 +0200 Subject: [PATCH] rework the playbook --- .gitignore | 3 - ansible/.gitignore | 2 + ansible/README.MD | 147 ++-------- ansible/ansible.cfg | 7 +- ansible/bootstrap-ostree.yaml | 77 ++++++ ansible/build.yaml | 252 ++++++++++++++++++ ansible/files/edge-installer.toml | 6 + .../minimal.toml} | 0 ansible/group_vars/all/config.yaml | 4 + ansible/playbooks/blueprint_preparation.yaml | 102 ------- ansible/playbooks/build_RPMS.yaml | 80 ------ ansible/playbooks/full_play.yaml | 7 - ansible/playbooks/gen_iso_image.yaml | 46 ---- ansible/playbooks/initial_ostree.yaml | 67 ----- ansible/playbooks/kickstart.yaml | 66 ----- ansible/playbooks/ostree_construction.yaml | 69 ----- ansible/playbooks/repo_creation.yaml | 71 ----- ansible/prerequisites.yaml | 148 ++++++++++ ansible/requirements.yaml | 4 + ansible/templates/kiosk.ks.j2 | 88 ++++++ ansible/templates/kiosk.toml.j2 | 46 ++++ 21 files changed, 648 insertions(+), 644 deletions(-) create mode 100644 ansible/.gitignore create mode 100755 ansible/bootstrap-ostree.yaml create mode 100644 ansible/build.yaml create mode 100644 ansible/files/edge-installer.toml rename ansible/{blueprints/blueprint_example.toml => files/minimal.toml} (100%) create mode 100644 ansible/group_vars/all/config.yaml delete mode 100644 ansible/playbooks/blueprint_preparation.yaml delete mode 100644 ansible/playbooks/build_RPMS.yaml delete mode 100644 ansible/playbooks/full_play.yaml delete mode 100644 ansible/playbooks/gen_iso_image.yaml delete mode 100755 ansible/playbooks/initial_ostree.yaml delete mode 100644 ansible/playbooks/kickstart.yaml delete mode 100644 ansible/playbooks/ostree_construction.yaml delete mode 100644 ansible/playbooks/repo_creation.yaml create mode 100644 ansible/prerequisites.yaml create mode 100644 ansible/requirements.yaml create mode 100644 ansible/templates/kiosk.ks.j2 create mode 100644 ansible/templates/kiosk.toml.j2 
diff --git a/.gitignore b/.gitignore
index 7848b25..722d5e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1 @@
-ansible/inventory.yaml
 .vscode
-ansible/credentials.yaml
-ansible/config.yaml
\ No newline at end of file
diff --git a/ansible/.gitignore b/ansible/.gitignore
new file mode 100644
index 0000000..9b14a9f
--- /dev/null
+++ b/ansible/.gitignore
@@ -0,0 +1,2 @@
+inventory.yaml
+vault.yaml
diff --git a/ansible/README.MD b/ansible/README.MD
index 32ad91f..82942b7 100644
--- a/ansible/README.MD
+++ b/ansible/README.MD
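Review bot: Dropping `ansible/credentials.yaml` and `ansible/config.yaml` from the root .gitignore makes any leftover copy of those files trackable again, and the removed README shows they held `ADMIN_PASSWORD` and `MICROSHIFT_PULL_SECRET` in plaintext, so a contributor upgrading an existing checkout can now commit them by accident. The new `ansible/.gitignore` only covers `inventory.yaml` and `vault.yaml`. I would keep the legacy names ignored for a while by adding `/credentials.yaml` and `/config.yaml` to `ansible/.gitignore` (leading slash so that `group_vars/all/config.yaml`, which is meant to be committed, stays tracked) with a comment marking them as pre-vault secret files. The unanchored `vault.yaml` pattern does match `group_vars/all/vault.yaml`, which is the location the README now prescribes, so that part is fine.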
@@ -14,158 +14,41 @@ Microshift pre-requisites : - RHEL 9.2 or 9.3 - LVM volume group (VG) with unused space -## Install Pre-requisites +## Pre-requisites on the target machine ```sh sudo subscription-manager register --username $RHN_LOGIN --auto-attach sudo subscription-manager attach --pool=$RHN_POOL_ID -sudo dnf install -y osbuild-composer composer-cli cockpit-composer git firewalld python3-toml -sudo systemctl enable --now osbuild-composer.socket -sudo systemctl enable --now firewalld -sudo systemctl enable --now cockpit.socket -sudo systemctl restart osbuild-composer -sudo usermod -a -G weldr "$(id -un)" ``` -Check that **os-composer** is working. - -``` -$ source /etc/bash_completion.d/composer-cli -$ composer-cli status show -API server status: - Database version: 0 - Database supported: true - Schema version: 0 - API version: 1 - Backend: osbuild-composer - Build: NEVRA:osbuild-composer-88.3-1.el9_3.x86_64 - -$ composer-cli sources list -appstream -baseos -``` - -## Create the container image +## Ansible Config -Install podman and buildah. +Create a `inventory.yaml` file inside the ansible folder or define the inventory path inside the `ansible.cfg` file -```sh -sudo dnf install -y podman buildah -``` +Update `config.yaml` in `ansible/group_vars/all/` to match your environment. -Define the target image properties. +Create an ansible vault named `vault.yaml` in `ansible/group_vars/all/` with the following content. -```sh -REGISTRY="quay.io" -IMAGE_NAME="nmasse_itix/kiosk-app" -IMAGE_TAG="latest" +```yaml +blueprint_admin_password_hash: # Generate one with "mkpasswd -m bcrypt" +kickstart_microshift_pull_secret: # Generate one on https://console.redhat.com/openshift/install/pull-secret ``` -Build and push the image to the registry. +Install the required collections. ```sh -cd "$GIT_REPO_CLONE/application" -podman build -t localhost/kiosk-app:latest . 
-podman login "$REGISTRY" -podman tag localhost/kiosk-app:latest "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG" -podman push "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG" +ansible-galaxy collection install -r requirements.yaml ``` -## Nginx configuration - -Install and configure nginx. +## Prepare the target machine ```sh -sudo dnf install -y nginx -sudo systemctl enable --now nginx.service -sudo firewall-cmd --permanent --add-port={80/tcp,443/tcp} -sudo firewall-cmd --reload -sudo mkdir -p /var/www -sudo restorecon -Rv /var/www -sudo sed -i.${EPOCHREALTIME:-bak} 's|/usr/share/nginx/html|/var/www|g' /etc/nginx/nginx.conf -sudo systemctl restart nginx.service +ansible-playbook prerequisites.yaml +ansible-playbook bootstrap-ostree.yaml ``` -Find the IP address of the current server. +## Regular builds ```sh -MYIP="$(ip -4 -br addr show scope global | awk 'NR == 1 { split($3, parts, "/"); print parts[1]; }')" -``` -## Ansible Config - -Create a `inventory.yaml` file inside the ansible folder or define the inventory path inside the `ansible.cfg` file - -Create a `config.yaml` file inside the ansible folder following this model: -```yaml -blueprint: #name of the blueprint you want to use from the ansible/bluprint folder. EXAMPLE blueprint: blueprint_example.toml -repo_location: #EXAMPLE repo_location: /opt/custom-rpms/ -ADMIN_SSH_PUBLIC_KEY: # ssh-rsa AA... 
-ADMIN_PASSWORD: -MICROSHIFT_PULL_SECRET: # Generate one on https://console.redhat.com/openshift/install/pull-secret -``` - -## Run all the Ansible files -To run all of the ansible files, use the following command: -``` -ansible-playbook playbooks/full_play.yaml -``` - - -## Create the initial ostree repo - - -Add blueprint file into the blueprint folder or use the `blueprint_example.toml` -The blueprint use in this opperation is define in `config.yaml` as `blueprint:` - -Create the initial ostree repo using `blueprint_example.toml` use the following command: -``` -ansible-playbook playbooks/initial_ostree.yaml +ansible-playbook build.yaml ``` - - -## Build the RPMS - -To build RPM for kiosk-config, microshift-manifests and Google Chrome, run the `build_RPMS.yaml` playbook -``` -ansible-playbook playbooks/build_RPMS.yaml -``` - -## Repository Creation -To build a repository containing the RPMS we created, run the `repo_creation.yaml` playbook -The directory where the repo is created is define in `config.yaml` as `repo_location:` - -To start the build, run : -``` -ansible-playbook playbooks/repo_creation.yaml -``` - - -## Blueprint preparation - -To work properly, this playbook needs the property `ADMIN_SSH_PUBLIC_KEY` and `ADMIN_PASSWORD` to be define in `config.yaml` - -To start the build, run : -``` -ansible-playbook playbooks/blueprint_preparation.yaml -``` - -## Ostree construction - -Create the ostree image and add it to the ostree repository with `ref = rhel/9/x86_64/edge-kiosk` by using the following playbook : -``` -ansible-playbook playbooks/ostree_construction.yaml -``` - -## Generate the Installer ISO image - -Generate the ISO image of the installer by using the following playbook : -``` -ansible-playbook playbooks/gen_iso_image.yaml -``` - -## Prepare & inject the Kickstart script -Prepare & inject the Kisckstart script and create the final kiosk.iso, use the followin playbook : -``` -ansible-playbook playbooks/kickstart.yaml -``` - 
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index ece41cd..5509ce7 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,2 +1,7 @@
 [defaults]
-inventory= inventory.yaml
+# Use the provided inventory
+inventory = inventory.yaml
+
+# To get the vault password from the KDE Wallet
+vault_identity_list = itix@/home/nmasse/local/bin/get-vault-password
+
diff --git a/ansible/bootstrap-ostree.yaml b/ansible/bootstrap-ostree.yaml
new file mode 100755
index 0000000..b5e1d33
--- /dev/null
+++ b/ansible/bootstrap-ostree.yaml
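Review bot: `vault_identity_list = itix@/home/nmasse/local/bin/get-vault-password` hard-codes one developer's home directory into the project-level ansible.cfg, so for every other user the vault-id script does not exist and decrypting `group_vars/all/vault.yaml` fails before any play runs. Per-user secret sources belong in `~/.ansible.cfg`, in the `ANSIBLE_VAULT_IDENTITY_LIST` environment variable, or on the command line with `--vault-id itix@prompt`. I would replace the two `vault_identity_list` lines with a comment, `# Supply the vault password per user, e.g. ANSIBLE_VAULT_IDENTITY_LIST=itix@/path/to/get-vault-password or --vault-id itix@prompt`, and say the same in the README's Ansible Config section so the `itix` vault id is discoverable.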
@@ -0,0 +1,77 @@ +- name: Create the initial ostree repo + hosts: all + become: false + tasks: + - name: Read blueprint + register: results + args: + executable: /usr/bin/python3 + stdin: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/files/minimal.toml') }}" + shell: | + import toml + import json + import sys + str=sys.stdin.read() + obj=toml.loads(str) + print(json.dumps(obj)) + delegate_to: localhost + become: false + changed_when: false + + - set_fact: + blueprint_name: '{{ blueprint_object.name }}' + vars: + blueprint_object: '{{ results.stdout | from_json }}' + + - name: Push blueprint + infra.osbuild.push_blueprint: + blueprint: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/files/minimal.toml') }}" + + - name: Start ostree compose + infra.osbuild.start_compose: + blueprint: "{{ blueprint_name }}" + allow_duplicate: true + compose_type: edge-commit + timeout: "{{ compose_timeout }}" + register: builder_compose_start_out + + - ansible.builtin.set_fact: + compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}" + + - name: Wait for compose to finish + infra.osbuild.wait_compose: + compose_id: "{{ compose_id }}" + timeout: 3600 + + - ansible.builtin.tempfile: + state: directory + suffix: build + register: tmp + + - name: Export the compose artifact + infra.osbuild.export_compose: # noqa only-builtins + compose_id: "{{ compose_id }}" + dest: "{{ tmp.path }}/{{ compose_id }}.tar" + + - name: Clear directory /var/www/repo + ansible.builtin.file: + path: "{{ www_location }}/repo" + state: absent + + - name: Extract compose artifact into /var/www/repo + ansible.builtin.unarchive: + src: "{{ tmp.path }}/{{ compose_id }}.tar" + dest: "{{ www_location }}" + remote_src: true + become: true + + - name: Create an empty tree + ansible.builtin.file: + path: "{{ tmp.path }}/empty-tree" + mode: '0755' + state: directory + become: true + + - name: Create an empty commit + ansible.builtin.shell: "ostree --repo={{ www_location }}/repo commit -b 
'empty' --tree=dir={{ tmp.path }}/empty-tree" + become: true diff --git a/ansible/build.yaml b/ansible/build.yaml new file mode 100644 index 0000000..3f5f89d --- /dev/null +++ b/ansible/build.yaml 
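Review bot: The `Clear directory /var/www/repo` task deletes `{{ www_location }}/repo` unconditionally, so re-running bootstrap on a builder that already serves devices removes every published commit: anything mid-`ostree pull` gets a 404 until the new export is unpacked, and older refs are gone for good. Gate it on a `stat` of the repo, e.g. `when: not repo_stat.stat.exists or (force_bootstrap | default(false))`, and document `-e force_bootstrap=true` as the deliberate reset path. Two smaller things in the same hunk: the `ostree commit -b 'empty'` shell task has no `changed_when`/`creates`, so it reports changed on every run, and the exported tarball plus `empty-tree` left in `{{ tmp.path }}` are never removed.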
@@ -0,0 +1,252 @@ +- name: Build the Kiosk images + hosts: all + become: false + tasks: + - name: Checkout the git repo + ansible.builtin.git: + repo: 'https://github.com/nmasse-itix/red-hat-kiosk.git' + dest: "{{ ansible_user_dir }}/red-hat-kiosk" + update: yes + clone: yes + + ## + ## RPM construction + ## + + - debug: + msg: "Starting RPM build..." + + - name: Ensure ~/rpmbuild is a symbolic link + ansible.builtin.file: + src: "{{ ansible_user_dir }}/red-hat-kiosk/rpms" + dest: "{{ ansible_user_dir }}/rpmbuild" + state: link + + - name: Build the kiosk-config RPMS + ansible.builtin.shell: | + spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/kiosk-config.spec + rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/kiosk-config.spec + + - name: Build the microshift-manifests RPM + ansible.builtin.shell: | + spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec + rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec + + - name: Ensure the VENDOR directory exists + ansible.builtin.file: + path: "{{ ansible_user_dir }}/rpmbuild/VENDOR" + state: directory + mode: '0755' + + - name: Download Google Chrome RPM + ansible.builtin.get_url: + url: https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm + dest: "{{ ansible_user_dir }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm" + + - name: Rebuild the Google Chrome RPM + ansible.builtin.shell: | + set -Eeuo pipefail + rpmrebuild -s {{ ansible_user_dir }}/rpmbuild/SPECS/google-chrome-stable.spec -p {{ ansible_user_dir }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm + RPM=$(rpm -q {{ ansible_user_dir }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm) + mkdir -p {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/ + rpm2cpio {{ ansible_user_dir }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm | cpio -idmv -D {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/ + mv {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/opt/google/ {{ 
ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/usr/bin/ + cd {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/usr/bin/ + rm -f google-chrome-stable + ln -s google/chrome/google-chrome google-chrome-stable + ln -s google/chrome/google-chrome chrome + sed -i.${EPOCHREALTIME:-bak} 's|/opt/google|/usr/bin/google|g' {{ ansible_user_dir }}/rpmbuild/SPECS/google-chrome-stable.spec + rpmbuild -bb {{ ansible_user_dir }}/rpmbuild/SPECS/google-chrome-stable.spec + args: + executable: /bin/bash + register: rebuild_result + failed_when: rebuild_result.rc != 0 + + - name: Get built RPMS + ansible.builtin.find: + path: "{{ ansible_user_dir }}/rpmbuild/RPMS/x86_64/" + patterns: "*.rpm" + register: build_rpms + + - name: Extract filenames from paths of built RPMs + ansible.builtin.set_fact: + rpm_filenames: "{{ build_rpms.files | map(attribute='path') | list }}" + + - name: Copy RPMs to the repository location + ansible.builtin.copy: + src: '{{ item }}' + dest: "{{ repo_location }}" + owner: root + group: root + mode: '0644' + remote_src: yes + loop: '{{ rpm_filenames }}' + loop_control: + label: "{{ item | basename }}" + become: true + + - name: Update the repository with createrepo + become: true + ansible.builtin.command: + cmd: "createrepo {{ repo_location }}" + + - name: Clean dnf cache + become: true + ansible.builtin.command: + cmd: dnf clean all + + ## + ## Ostree construction + ## + + - debug: + msg: "Starting ostree build..." 
+ + - name: Parse blueprint + register: results + args: + executable: /usr/bin/python3 + stdin: "{{ lookup('ansible.builtin.template', 'kiosk.toml.j2') }}" + shell: | + import toml + import json + import sys + str=sys.stdin.read() + obj=toml.loads(str) + print(json.dumps(obj)) + become: false + changed_when: false + + - set_fact: + blueprint_name: '{{ blueprint_object.name }}' + vars: + blueprint_object: '{{ results.stdout | from_json }}' + + - name: Push Blueprint + infra.osbuild.push_blueprint: + blueprint: "{{ lookup('ansible.builtin.template', 'kiosk.toml.j2') }}" + + - name: Start ostree compose + infra.osbuild.start_compose: + blueprint: "{{ blueprint_name }}" + allow_duplicate: true + compose_type: edge-commit + ostree_ref: "rhel/9/{{ ansible_facts['userspace_architecture'] }}/edge-kiosk" + ostree_parent: "rhel/9/{{ ansible_facts['userspace_architecture'] }}/edge" + ostree_url: http://{{ ansible_default_ipv4.address }}/repo + timeout: "{{ compose_timeout }}" + register: builder_compose_start_out + + - ansible.builtin.set_fact: + compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}" + + - name: Wait for compose to finish + infra.osbuild.wait_compose: + compose_id: "{{ compose_id }}" + timeout: 3600 + + - ansible.builtin.tempfile: + state: directory + suffix: build + register: tmp + + - name: Export the compose artifact + infra.osbuild.export_compose: # noqa only-builtins + compose_id: "{{ compose_id }}" + dest: "{{ tmp.path }}/{{ compose_id }}.tar" + + - name: Create commit directory + ansible.builtin.file: + path: "{{ tmp.path }}/{{ compose_id }}" + mode: '0755' + state: directory + + - name: Extract compose artifact + ansible.builtin.unarchive: + src: "{{ tmp.path }}/{{ compose_id }}.tar" + dest: "{{ tmp.path }}/{{ compose_id }}" + remote_src: true + + - name: Pull local ostree repository + ansible.builtin.shell: ostree --repo={{ www_location }}/repo pull-local "{{ tmp.path }}/{{ compose_id }}/repo" + become: true + + ## + ## ISO 
Construction + ## + + - debug: + msg: "Starting ISO build..." + + - name: Read blueprint + register: results + args: + executable: /usr/bin/python3 + stdin: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/files/edge-installer.toml') }}" + shell: | + import toml + import json + import sys + str=sys.stdin.read() + obj=toml.loads(str) + print(json.dumps(obj)) + delegate_to: localhost + become: false + changed_when: false + + - set_fact: + blueprint_name: '{{ blueprint_object.name }}' + vars: + blueprint_object: '{{ results.stdout | from_json }}' + + - name: Push blueprint + infra.osbuild.push_blueprint: + blueprint: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/files/edge-installer.toml') }}" + + - name: Start ostree compose + infra.osbuild.start_compose: + blueprint: "{{ blueprint_name }}" + allow_duplicate: true + compose_type: edge-installer + ostree_ref: empty + ostree_url: http://{{ ansible_default_ipv4.address }}/repo + timeout: "{{ compose_timeout }}" + register: builder_compose_start_out + + - ansible.builtin.set_fact: + compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}" + + - name: Wait for compose to finish + infra.osbuild.wait_compose: + compose_id: "{{ compose_id }}" + timeout: 3600 + + - ansible.builtin.tempfile: + state: directory + suffix: build + register: tmp + + - name: Export the compose artifact + infra.osbuild.export_compose: # noqa only-builtins + compose_id: "{{ compose_id }}" + dest: "{{ tmp.path }}/{{ compose_id }}.iso" + + - name: Create kiosk.ks from template + ansible.builtin.template: + src: "kiosk.ks.j2" + dest: "{{ tmp.path }}/kiosk.ks" + + - name: Validate kiosk.ks using ksvalidator + ansible.builtin.command: + cmd: "ksvalidator {{ tmp.path }}/kiosk.ks" + + - name: Create new kiosk.iso file + ansible.builtin.command: + cmd: "mkksiso -r 'inst.ks' --ks {{ tmp.path }}/kiosk.ks {{ tmp.path }}/{{ compose_id }}.iso {{ tmp.path }}/kiosk.iso" + + - name: Copy new ISO to /var/www + copy: + src: "{{ tmp.path 
}}/kiosk.iso"
+ dest: "{{ www_location }}/kiosk.iso"
+ remote_src: true
+ become: true
diff --git a/ansible/files/edge-installer.toml b/ansible/files/edge-installer.toml
new file mode 100644
index 0000000..8364105
--- /dev/null
+++ b/ansible/files/edge-installer.toml
@@ -0,0 +1,6 @@
+name = "edge-installer"
+description = ""
+version = "0.0.0"
+modules = []
+groups = []
+packages = []
diff --git a/ansible/blueprints/blueprint_example.toml b/ansible/files/minimal.toml
similarity index 100%
rename from ansible/blueprints/blueprint_example.toml
rename to ansible/files/minimal.toml
diff --git a/ansible/group_vars/all/config.yaml b/ansible/group_vars/all/config.yaml
new file mode 100644
index 0000000..6e75911
--- /dev/null
+++ b/ansible/group_vars/all/config.yaml
@@ -0,0 +1,4 @@
+repo_location: /opt/custom-rpms
+blueprint_admin_ssh_public_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFW62WJXI1ZCMfNA4w0dMpL0fsldhbEfULNGIUB0nQui nmasse@localhost.localdomain
+www_location: /var/www
+compose_timeout: 300
diff --git a/ansible/playbooks/blueprint_preparation.yaml b/ansible/playbooks/blueprint_preparation.yaml
deleted file mode 100644
index bea6b0f..0000000
--- a/ansible/playbooks/blueprint_preparation.yaml
+++ /dev/null
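Review bot: The rendered kickstart and the ISO built from it end up readable by anyone: `Create kiosk.ks from template` sets no `mode`, the `tempfile` directory is never removed, and `Copy new ISO to /var/www` publishes `kiosk.iso` into `{{ www_location }}`, which the removed README configured as nginx's unauthenticated document root on ports 80/443. `kiosk.ks.j2` is not in this chunk, but the vault variable `kickstart_microshift_pull_secret` from the README indicates the kickstart carries the MicroShift pull secret (a registry credential), so anyone who can reach the builder over HTTP can pull it out of the ISO. At minimum add `mode: '0600'` to the template task, finish with `ansible.builtin.file: path: "{{ tmp.path }}" state: absent`, and either serve `kiosk.iso` from a path with access control or state in the README that the builder must not be reachable from untrusted networks. Separately, `Download Google Chrome RPM` has no `checksum:` and `rpm2cpio`/`rpmrebuild` never check the vendor signature, so the browser repackaged into the image is taken on trust from whatever answered the request; pinning `checksum: sha256:...` (or running `rpmkeys --checksig` against Google's imported key before the rebuild) would close that gap.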
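Review bot: `blueprint_admin_ssh_public_key` in the committed `group_vars/all/config.yaml` defaults to the author's personal ed25519 key; the removed `blueprint_preparation.yaml` wrote the equivalent `ADMIN_SSH_PUBLIC_KEY` into the blueprint's `key =` line and `kiosk.toml.j2` (not in this chunk) presumably does the same, so anyone who builds without editing this file ships a kiosk the author can log into. A public key is not a secret, but an authorized key is an access grant and should have no committed default: drop it from this file and fail early with `- ansible.builtin.assert: { that: blueprint_admin_ssh_public_key is defined, fail_msg: "set blueprint_admin_ssh_public_key in group_vars/all" }` at the top of build.yaml, or move it beside the password hash in vault.yaml. Also `compose_timeout: 300` goes to `start_compose` while `wait_compose` uses a literal 3600; a one-line comment such as `# seconds start_compose waits for the request to be accepted; wait_compose has its own 3600 s bound` would save the next reader a trip to the collection docs.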
@@ -1,102 +0,0 @@ -- name: Create the initial ostree repo - hosts: all - vars_files: ../credentials.yaml - tasks: - - name: Extract userspace architecture - ansible.builtin.set_fact: - userspace_arch: "{{ ansible_facts['userspace_architecture']}}" - - name: Enable required rhocp repositories using subscription-manager - become: true - ansible.builtin.command: - cmd: "sudo subscription-manager repos --enable rhocp-4.14-for-rhel-9-{{ userspace_arch }}-rpms --enable fast-datapath-for-rhel-9-{{ userspace_arch }}-rpms" - - name: Get information about the microshift package - ansible.builtin.command: - cmd: "dnf info microshift" - register: microshift_info - - - name: Display microshift package information - ansible.builtin.debug: - var: microshift_info.stdout_lines - - - name: Install mkpasswd and podman packages - become: true - ansible.builtin.dnf: - name: - - mkpasswd - - podman - state: present - - - name: Generate bcrypt hash of the admin password - command: mkpasswd -m bcrypt "{{ ADMIN_PASSWORD }}" - register: admin_password_hash - changed_when: false - - - name: Set admin password in kiosk.toml - ansible.builtin.lineinfile: - path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.toml" - regexp: '^password =.*$' - line: 'password = "{{ ADMIN_PASSWORD }}"' - backrefs: yes - - - name: Set admin SSH public key in kiosk.toml - ansible.builtin.lineinfile: - path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.toml" - regexp: '^key =.*$' - line: 'key = "{{ ADMIN_SSH_PUBLIC_KEY }}"' - backrefs: yes - - - - name: Add custom packages source to composer - ansible.builtin.shell: | - echo " - check_gpg = false - check_ssl = false - id = 'custom' - name = 'custom packages for RHEL' - system = false - type = 'yum-baseurl' - url = 'file://{{ repo_location }}' - " | composer-cli sources add /dev/stdin - - - name: Add RH OCP 4.14 source to composer - ansible.builtin.shell: | - echo " - id = 'rhocp-4.14' - name = 'Red Hat OpenShift Container Platform 4.14 for 
RHEL 9' - type = 'yum-baseurl' - url = 'https://cdn.redhat.com/content/dist/layered/rhel9/{{ ansible_architecture }}/rhocp/4.14/os' - check_gpg = true - check_ssl = true - system = false - rhsm = true - " | composer-cli sources add /dev/stdin - - - name: Add Fast Datapath source to composer - ansible.builtin.shell: | - echo " - id = 'fast-datapath' - name = 'Fast Datapath for RHEL 9' - type = 'yum-baseurl' - url = 'https://cdn.redhat.com/content/dist/layered/rhel9/{{ ansible_architecture }}/fast-datapath/os' - check_gpg = true - check_ssl = true - system = false - rhsm = true - " | composer-cli sources add /dev/stdin - - - name: Add EPEL source to composer - ansible.builtin.shell: | - echo " - id = 'epel' - name = 'Extra Packages for Enterprise Linux' - type = 'yum-baseurl' - url = 'http://mirror.in2p3.fr/pub/epel/9/Everything/{{ ansible_architecture }}/' - check_gpg = false - check_ssl = false - system = false - rhsm = false - " | composer-cli sources add /dev/stdin - - - name: Push Blueprint - infra.osbuild.push_blueprint: - src: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.toml" diff --git a/ansible/playbooks/build_RPMS.yaml b/ansible/playbooks/build_RPMS.yaml deleted file mode 100644 index ee8f24d..0000000 --- a/ansible/playbooks/build_RPMS.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -- name: Build the RPMS - hosts: all - tasks: - - name: Install EPEL release package - become: true - ansible.builtin.dnf: - name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm - state: present - disable_gpg_check: true - - name: Install software - become: true - ansible.builtin.dnf: - name: - - git - - rpm-build - - rpmdevtools - - rpmrebuild - state: present - - name: Install rpmrebuild - become: true - ansible.builtin.yum: - name: rpmrebuild - state: present - - name: Clear directory $HOME/rpmbuild - ansible.builtin.file: - path: "{{ ansible_env.HOME }}/rpmbuild" - state: absent - - name: Clear symbolic link between - ansible.builtin.file: - src: "{{ ansible_env.HOME }}/red-hat-kiosk/rpms" - dest: "{{ ansible_env.HOME }}/rpmbuild" - state: link - - name: Build the kiosk-config RPMS - ansible.builtin.shell: - spectool -g -R $HOME/rpmbuild/SPECS/kiosk-config.spec | - rpmbuild -ba $HOME/rpmbuild/SPECS/kiosk-config.spec - - name: Build the microshift-manifests RPM - ansible.builtin.shell: - spectool -g -R $HOME/rpmbuild/SPECS/microshift-manifests.spec | - rpmbuild -ba $HOME/rpmbuild/SPECS/microshift-manifests.spec - - name: Ensure the VENDOR directory exists - ansible.builtin.file: - path: "{{ ansible_env.HOME }}/rpmbuild/VENDOR" - state: directory - mode: '0755' - - name: Download Google Chrome RPM - ansible.builtin.get_url: - url: https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm - dest: "{{ ansible_env.HOME }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm" - - name: Rebuild the Google Chrome RPM - ansible.builtin.shell: | - set -Eeuo pipefail - rpmrebuild -s {{ ansible_env.HOME }}/rpmbuild/SPECS/google-chrome-stable.spec -p {{ ansible_env.HOME }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm - RPM=$(rpm -q {{ ansible_env.HOME }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm) - mkdir -p {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/ - rpm2cpio {{ ansible_env.HOME 
}}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm | cpio -idmv -D {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/ - mv {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/opt/google/ {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/usr/bin/ - cd {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/usr/bin/ - rm -f google-chrome-stable - ln -s google/chrome/google-chrome google-chrome-stable - ln -s google/chrome/google-chrome chrome - sed -i.${EPOCHREALTIME:-bak} 's|/opt/google|/usr/bin/google|g' {{ ansible_env.HOME }}/rpmbuild/SPECS/google-chrome-stable.spec - rpmbuild -bb {{ ansible_env.HOME }}/rpmbuild/SPECS/google-chrome-stable.spec - args: - executable: /bin/bash - register: rebuild_result - failed_when: rebuild_result.rc != 0 - - - name: Get build RMPS - ansible.builtin.find: - path: "{{ ansible_env.HOME }}/rpmbuild/RPMS/x86_64/" - register: build_rpms - - - name: Extract filenames from paths of built RPMs - ansible.builtin.set_fact: - rpm_filenames: "{{ build_rpms.files | map(attribute='path') | map('basename') | list }}" - - - name: List build RMPS - ansible.builtin.debug: - msg: "{{ rpm_filenames }}" diff --git a/ansible/playbooks/full_play.yaml b/ansible/playbooks/full_play.yaml deleted file mode 100644 index 301b0fe..0000000 --- a/ansible/playbooks/full_play.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- import_playbook: initial_ostree.yaml -- import_playbook: build_RPMS.yaml -- import_playbook: repo_creation.yaml -- import_playbook: ostree_construction.yaml -- import_playbook: gen_iso_image.yaml -- import_playbook: kickstart.yaml \ No newline at end of file diff --git a/ansible/playbooks/gen_iso_image.yaml b/ansible/playbooks/gen_iso_image.yaml deleted file mode 100644 index a0a654a..0000000 --- a/ansible/playbooks/gen_iso_image.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -- name: Generate the Installer ISO image - hosts: all - vars_files: ../credentials.yaml - tasks: - - name: Clear /tmp/microshift_bluprint.toml - ansible.builtin.file: - path: /tmp/microshift_bluprint.toml - state: absent - - name: Create /tmp/microshift_bluprint.toml - ansible.builtin.file: - path: /tmp/microshift_bluprint.toml - state: touch - mode: "0755" - - name: Write blueprint content to /tmp/microshift_bluprint file - ansible.builtin.copy: - dest: "/tmp/microshift_blueprint.toml" - content: | - name = "microshift-installer" - - description = "" - version = "0.0.0" - modules = [] - groups = [] - packages = [] - become: true - - - - name: Push Blueprint - infra.osbuild.push_blueprint: - src: "/tmp/microshift_blueprint.toml" - - - name: Start OSTree Compose - ansible.builtin.shell: - cmd: composer-cli compose start-ostree --url http://{{ ansible_default_ipv4.address }}/repo --ref empty microshift-installer edge-installer | awk '{print $2}' - register: build_id - - - - name: Wait for compose to finish - infra.osbuild.wait_compose: - compose_id: "{{build_id.stdout_lines | first}}" - timeout: 3600 - - - name: Export the compose artifact to /tmp/commit - infra.osbuild.export_compose: # noqa only-builtins - compose_id: "{{ build_id.stdout_lines | first }}" - dest: /{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/installer.iso diff --git a/ansible/playbooks/initial_ostree.yaml b/ansible/playbooks/initial_ostree.yaml deleted file mode 100755 index 3c0f1f5..0000000 --- a/ansible/playbooks/initial_ostree.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -- name: Create the initial ostree repo - hosts: all - become: true - vars_files: ../config.yaml - tasks: - - name: Create Blueprint /tmp/blueprints repo - ansible.builtin.file: - path: /tmp/blueprints - mode: '0755' - state: directory - - name: Copy Blueprint file to /tmp/blueprints - ansible.builtin.copy: - src: "{{ playbook_dir }}/../blueprints/{{ blueprint }}" - dest: /tmp/blueprints/blueprint.toml - mode: '0755' - - name: Reading Blueprint file - ansible.builtin.slurp: - src: /tmp/blueprints/blueprint.toml - register: toml_file_content - - name: Getting Blueprint Name - ansible.builtin.shell: "echo '{{ toml_file_content.content | b64decode }}' | python -c 'import sys, toml; print(toml.loads(sys.stdin.read())[\"name\"])'" - register: blueprint_name - - name: Push Blueprint - infra.osbuild.push_blueprint: - src: "/tmp/blueprints/blueprint.toml" - - name: Start ostree compose - infra.osbuild.start_compose: - blueprint: "{{ blueprint_name.stdout }}" - allow_duplicate: true - register: builder_compose_start_out - - name: Wait for compose to finish - infra.osbuild.wait_compose: - compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}" - timeout: 3600 - - name: Create /tmp/images repo - ansible.builtin.file: - path: /tmp/images/ - mode: '0755' - state: directory - - name: Export the compose artifact to /tmp/images - infra.osbuild.export_compose: # noqa only-builtins - compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}" - dest: /tmp/images/{{ builder_compose_start_out['result']['body']['build_id'] }}.tar - - name: Clear directory /var/www/repo - ansible.builtin.file: - path: /var/www/repo - state: absent - - name: Extract compose artifact into /var/www/repo - ansible.builtin.unarchive: - src: /tmp/images/{{ builder_compose_start_out['result']['body']['build_id'] }}.tar - dest: /var/www/ - remote_src: true - - name: adding /var/www/repo to OSTree - ansible.builtin.shell: "ostree --repo=/var/www/repo refs" - - 
name: Create /tmp/empty-tree repo - ansible.builtin.file: - path: /tmp/empty-tree - mode: '0755' - state: directory - - name: optimizing OSTree - ansible.builtin.shell: "ostree --repo=/var/www/repo commit -b 'empty' --tree=dir=/tmp/empty-tree" - - name: adding /var/www/repo to OSTree - ansible.builtin.shell: "ostree --repo=/var/www/repo refs" - - name: Clear directory /tmp/images/ - ansible.builtin.file: - path: /tmp/images/ - state: absent diff --git a/ansible/playbooks/kickstart.yaml b/ansible/playbooks/kickstart.yaml deleted file mode 100644 index 9e1e1a6..0000000 --- a/ansible/playbooks/kickstart.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -- name: Create kickstart - hosts: all - vars_files: ../config.yaml - tasks: - - name : Remove existing kiosk.ks - ansible.builtin.file: - path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks" - state: absent - - - name : Remove existing kiosk.ios - ansible.builtin.file: - path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ios" - state: absent - - - name: Copy fresh kiosk.ks - ansible.builtin.copy: - src: "{{ playbook_dir }}/../../imagebuilder/kiosk.ks" - dest: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks" - mode: '0755' - - - name: Set repo adress - ansible.builtin.lineinfile: - path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks" - regexp: '--url=http://__MYIP__/repo' - line: 'ostreesetup --nogpg --osname=rhel --remote=edge --url=http://{{ ansible_default_ipv4.address }} --ref=rhel/9/x86_64/edge-kiosk' - backrefs: true - - - name: Set MICROSHIFT_PULL_SECRET - ansible.builtin.lineinfile: - path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks" - regexp: '__MICROSHIFT_PULL_SECRET__' - line: "{{ MICROSHIFT_PULL_SECRET }}" - - - name: Install lorax & pykickstart packages - become: true - ansible.builtin.dnf: - state: present - name: - - lorax - - pykickstart - - - name: Validate kiosk.ks using ksvalidator - ansible.builtin.command: - cmd: "ksvalidator {{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks" - register: ksvalidator_output - ignore_errors: yes - - - name: Output error message if ksvalidator fails - ansible.builtin.debug: - msg: "{{ ksvalidator_output.stderr_lines }}" - when: ksvalidator_output is failed - - - name: Remove existing kiosk.ios - ansible.builtin.file: - path: "/{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.iso" - state: absent - - - name: Create new kiosk.ios file - ansible.builtin.command: - cmd: "mkksiso -r 'inst.ks' --ks {{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks '{{ ansible_env.HOME 
}}/red-hat-kiosk/imagebuilder/installer.iso' {{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.iso" - register: mkksiso_output - - - name: Remove installer.iso - ansible.builtin.file: - path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/installer.iso" - state: absent diff --git a/ansible/playbooks/ostree_construction.yaml b/ansible/playbooks/ostree_construction.yaml deleted file mode 100644 index 6fe9fde..0000000 --- a/ansible/playbooks/ostree_construction.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -- name: Create the initial ostree repo - hosts: all - vars_files: ../credentials.yaml - tasks: - - name: Solve dependencies for the blueprint - ansible.builtin.command: composer-cli blueprints depsolve kiosk - - - name: Start OSTree Compose - ansible.builtin.shell: - cmd: composer-cli compose start-ostree kiosk edge-commit --url http://{{ ansible_default_ipv4.address }}/repo --ref "rhel/9/{{ ansible_architecture }}/edge-kiosk" --parent "rhel/9/{{ ansible_architecture }}/edge" | awk '{print $2}' - register: build_id - - - name: Wait for compose to finish - infra.osbuild.wait_compose: - compose_id: "{{build_id.stdout_lines | first}}" - timeout: 3600 - - - - name: Create /tmp/commit repo - ansible.builtin.file: - path: /tmp/commit/ - mode: '0755' - state: directory - - - name: Export the compose artifact to /tmp/commit - infra.osbuild.export_compose: # noqa only-builtins - compose_id: "{{ build_id.stdout_lines | first }}" - dest: /tmp/commit/{{ build_id.stdout_lines | first }}.tar - - - name: Create /tmp/commit/ID repo - ansible.builtin.file: - path: /tmp/commit/{{ build_id.stdout_lines | first }} - mode: '0755' - state: directory - - - - name: Extract compose artifact into /tmp/commit/ID - ansible.builtin.unarchive: - src: /tmp/commit/{{ build_id.stdout_lines | first }}.tar - dest: /tmp/commit/{{ build_id.stdout_lines | first }} - remote_src: true - - - name: Pull local ostree repository - become: true - ansible.builtin.shell: ostree --repo=/var/www/repo pull-local "/tmp/commit/{{ build_id.stdout_lines | first }}/repo" - - - name: Clear /tmp/commit repo - ansible.builtin.file: - path: /tmp/commit/ - state: absent - - - name: config ostree ref - become: true - ansible.builtin.shell: ostree --repo=/var/www/repo refs - register: refs - - - name: Print refs - ansible.builtin.debug: - var: refs.stdout_lines - - - name: config ostree logs kiosk - become: true - ansible.builtin.shell: ostree --repo=/var/www/repo log rhel/9/{{ ansible_architecture 
}}/edge-kiosk - register: logs - - - name: Print refs - ansible.builtin.debug: - var: logs.stdout_lines - diff --git a/ansible/playbooks/repo_creation.yaml b/ansible/playbooks/repo_creation.yaml deleted file mode 100644 index 1da2d24..0000000 --- a/ansible/playbooks/repo_creation.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -- name: Create a custom RPM repository - hosts: all - vars_files: ../config.yaml - tasks: - - name: Install createrepo package - become: true - ansible.builtin.dnf: - name: createrepo - state: present - - - name: Clear the repository directory exists - become: true - ansible.builtin.file: - path: "{{ repo_location }}" - state: absent - - - name: Old custom repo - become: true - ansible.builtin.file: - path: /etc/yum.repos.d/custom.repo - state: absent - - - name: Ensure the repository directory exists - become: true - ansible.builtin.file: - path: "{{ repo_location }}" - state: directory - mode: '0755' - - - name: Copy RPMs to the repository location - ansible.builtin.shell: sudo cp {{ ansible_env.HOME }}/rpmbuild/RPMS/x86_64/* {{ repo_location }} - - - name: Initialize the repository with createrepo - become: true - ansible.builtin.command: - cmd: "createrepo {{ repo_location }}" - - - name: Create custom repo file - become: true - ansible.builtin.lineinfile: - path: /etc/yum.repos.d/custom.repo - line: "{{ item }}" - create: true - mode: '0755' - loop: - - "[custom]" - - "name = Custom RPMS" - - "baseurl = file://{{ repo_location }}" - - "enabled = 1" - - "gpgcheck = 0" - - - name: Clean dnf cache - become: true - ansible.builtin.command: - cmd: dnf clean all - - - name: Verify packages are present - ansible.builtin.shell: - cmd: "sudo dnf list available --disablerepo='*' --enablerepo='custom' kiosk-config google-chrome-stable microshift-manifests" - register: package_info - ignore_errors: true - - - name: Verify packages are present - become: true - ansible.builtin.shell: - cmd: "dnf config-manager --enable custom" - - - name: Display package info output - ansible.builtin.debug: - var: package_info.stdout_lines \ No newline at end of file diff --git a/ansible/prerequisites.yaml b/ansible/prerequisites.yaml new file mode 100644 index 0000000..ce690b1 --- /dev/null +++ b/ansible/prerequisites.yaml 
@@ -0,0 +1,148 @@
+- name: Install prerequisites
+ hosts: all
+ become: true
+ tasks:
+ - community.general.rhsm_repository:
+ name:
+ - rhocp-4.14-for-rhel-9-{{ ansible_facts['userspace_architecture'] }}-rpms
+ - fast-datapath-for-rhel-9-{{ ansible_facts['userspace_architecture'] }}-rpms
+ state: enabled
+
+ - name: Install EPEL release package
+ become: true
+ ansible.builtin.dnf:
+ name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+ state: present
+ disable_gpg_check: true
+
+ - name: Install packages
+ ansible.builtin.dnf:
+ name:
+ - python3-toml
+ - createrepo
+ - git
+ - rpm-build
+ - rpmdevtools
+ - rpmrebuild
+ - mkpasswd
+ - podman
+ - buildah
+ - nginx
+ - lorax
+ - pykickstart
+ - osbuild-composer
+ - composer-cli
+ - cockpit-composer
+ - git
+ - firewalld
+ state: installed
+
+ - name: Start services
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
+ loop:
+ - osbuild-composer.socket
+ - firewalld.service
+ - cockpit.socket
+ - nginx.service
+
+ - name: Adding ansible_user to the weldr group
+ ansible.builtin.user:
+ name: '{{ ansible_user | default(ansible_env.SUDO_USER) }}'
+ groups: weldr
+ append: yes
+
+ - name: Allow HTTP and HTTPS
+ ansible.posix.firewalld:
+ service: '{{ item }}'
+ permanent: true
+ immediate: true
+ state: enabled
+ loop:
+ - http
+ - https
+
+ - name: Ensure the ostree directory exists
+ become: true
+ ansible.builtin.file:
+ path: "{{ www_location }}"
+ state: directory
+ mode: '0755'
+ serole: object_r
+ setype: httpd_sys_content_t
+ seuser: system_u
+
+ - name: Configure nginx
+ lineinfile:
+ path: /etc/nginx/nginx.conf
+ line: "root {{ www_location }};"
+ regexp: "^\\s*root\\s+.*;"
+
+ - name: Restart nginx
+ ansible.builtin.systemd:
+ name: nginx.service
+ state: restarted
+
+ - name: Ensure the repository directory exists
+ become: true
+ ansible.builtin.file:
+ path: "{{ repo_location }}"
+ state: directory
+ mode: '0755'
+
+ - name: Update the repository with
createrepo
+ become: true
+ ansible.builtin.command:
+ cmd: "createrepo {{ repo_location }}"
+
+ - name: Add custom repository
+ ansible.builtin.yum_repository:
+ name: custom
+ file: custom
+ description: Custom RPMS
+ baseurl: file://{{ repo_location }}
+ enabled: true
+ gpgcheck: false
+
+ - name: Add sources
+ infra.osbuild.repository: '{{ item }}'
+ loop:
+ - repo_name: custom packages for RHEL
+ type: yum-baseurl
+ base_url: file://{{ repo_location }}
+ check_gpg: false
+ check_ssl: false
+ rhsm: false
+ state: present
+ - repo_name: Red Hat OpenShift Container Platform 4.14 for RHEL 9
+ type: yum-baseurl
+ base_url: https://cdn.redhat.com/content/dist/layered/rhel9/{{ ansible_facts['userspace_architecture'] }}/rhocp/4.14/os
+ check_gpg: true
+ check_ssl: true
+ rhsm: true
+ state: present
+ - repo_name: Fast Datapath for RHEL 9
+ type: yum-baseurl
+ base_url: https://cdn.redhat.com/content/dist/layered/rhel9/{{ ansible_facts['userspace_architecture'] }}/fast-datapath/os
+ check_gpg: true
+ check_ssl: true
+ rhsm: true
+ state: present
+ - repo_name: Extra Packages for Enterprise Linux
+ type: yum-baseurl
+ base_url: http://mirror.in2p3.fr/pub/epel/9/Everything/{{ ansible_facts['userspace_architecture'] }}/
+ check_gpg: false
+ check_ssl: false
+ rhsm: false
+ state: present
+ loop_control:
+ label: '{{ item.repo_name }}'
+
+ - name: Install packages on the ansible controller
+ dnf:
+ name:
+ - python3-toml
+ state: installed
+ delegate_to: localhost
diff --git a/ansible/requirements.yaml b/ansible/requirements.yaml
new file mode 100644
index 0000000..4a8d5a8
--- /dev/null
+++ b/ansible/requirements.yaml
@@ -0,0 +1,4 @@
+collections:
+- infra.osbuild
+- community.general
+- ansible.posix
diff --git a/ansible/templates/kiosk.ks.j2 b/ansible/templates/kiosk.ks.j2
new file mode 100644
index 0000000..eee7d1e
--- /dev/null
+++ b/ansible/templates/kiosk.ks.j2
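Review bot: The EPEL entry in the `Add sources` loop pulls packages into the image over plain HTTP from a third-party mirror with `check_gpg: false` and `check_ssl: false`, so nothing verifies what lands in the ostree commit, and `Install EPEL release package` likewise sets `disable_gpg_check: true`. Import the EPEL 9 signing key first (e.g. with `ansible.builtin.rpm_key`), keep GPG checking on in both tasks, and point the source at an HTTPS URL such as `base_url: https://dl.fedoraproject.org/pub/epel/9/Everything/{{ ansible_facts['userspace_architecture'] }}/` with `check_gpg: true` and `check_ssl: true` (how the key is handed to `infra.osbuild.repository` depends on the module version, so check its docs). Two smaller points in the same hunk: `git` appears twice in the `Install packages` list, and `lineinfile:` and `dnf:` are the only modules written without their `ansible.builtin.` FQCN, which ansible-lint will flag.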
@@ -0,0 +1,88 @@
+##
+## Environment setup
+##
+
+# French I18n
+lang fr_FR.UTF-8
+
+# French keyboard layout
+keyboard fr
+
+# Timezone is UTC to avoid issue with DST
+timezone UTC --utc
+
+# Configure NTP
+timesource --ntp-server=rhel.pool.ntp.org
+
+# Which action to perform after install: poweroff or reboot
+reboot
+
+# Install mode: text (interactive installs) or cmdline (unattended installs)
+text
+
+##
+## Storage configuration
+##
+
+# Clear the target disk
+zerombr
+
+# Remove existing partitions
+clearpart --all --initlabel
+
+# Automatically create partitions required by hardware platform
+# and add a separate /boot partition
+reqpart --add-boot
+
+
+##
+## Alternative partitioning on only one disk
+## /dev/disk/by-path/pci-0000:00:12.0-ata-1 instead of sda when sda is taken by the usb stick
+##
+zerombr
+clearpart --all --initlabel
+reqpart --add-boot
+part pv.01 --size=10240 --ondisk=/dev/disk/by-path/pci-0000:00:12.0-ata-1
+volgroup system pv.01
+logvol / --fstype="xfs" --size=1 --grow --name=root --vgname=system
+part pv.02 --size=1 --grow --ondisk=/dev/disk/by-path/pci-0000:00:12.0-ata-1
+volgroup data pv.02
+
+##
+## Network configuration
+##
+
+# Configure the first network device
+network --bootproto=dhcp --device=enp1s0 --noipv6 --activate
+
+# Configure hostname
+network --hostname=kiosk.localdomain
+
+##
+## Ostree installation
+##
+
+# Use this line if creating an Edge Installer ISO that includes a local ostree commit
+#ostreesetup --nogpg --osname=rhel --remote=edge --url=file:///run/install/repo/ostree/repo --ref=rhel/9/x86_64/edge
+
+# Use this to fetch from a remote URL
+ostreesetup --nogpg --osname=rhel --remote=edge --url=http://{{ ansible_default_ipv4.address }}/repo --ref=rhel/9/x86_64/edge-kiosk
+
+##
+## Post install scripts
+##
+%post --log=/var/log/anaconda/post-install.log --erroronfail
+# Add the pull secret to CRI-O and set root user-only read/write permissions
+cat > /etc/crio/openshift-pull-secret << 'EOF'
+{{
kickstart_microshift_pull_secret }}
+EOF
+chmod 600 /etc/crio/openshift-pull-secret
+
+# Configure the firewall with the mandatory rules for MicroShift
+firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16
+firewall-offline-cmd --zone=trusted --add-source=169.254.169.1
+
+# Do not ask password for sudo
+sed -i.post-install -e "s/^%wheel\tALL=(ALL)\tALL/%wheel ALL=(ALL) NOPASSWD: ALL/" /etc/sudoers
+
+%end
diff --git a/ansible/templates/kiosk.toml.j2 b/ansible/templates/kiosk.toml.j2
new file mode 100644
index 0000000..2086768
--- /dev/null
+++ b/ansible/templates/kiosk.toml.j2
@@ -0,0 +1,46 @@
+name = "kiosk"
+description = "Example Kiosk"
+version = "0.0.8"
+modules = []
+groups = []
+
+[[packages]]
+name = "kiosk-config"
+version = "*"
+
+[[packages]]
+name = "cockpit"
+
+[[packages]]
+name = "microshift-manifests"
+version = "*"
+
+[[packages]]
+name = "cockpit-system"
+
+[customizations]
+hostname = "kiosk.local"
+
+[customizations.services]
+enabled = ["cockpit.socket", "sshd", "microshift"]
+
+[customizations.timezone]
+timezone = "Europe/Paris"
+ntpservers = ["0.fr.pool.ntp.org", "1.fr.pool.ntp.org"]
+
+[customizations.locale]
+languages = ["fr_FR.UTF-8"]
+keyboard = "fr"
+
+#22 ssh / 9090 cockpit / 6443 microshift
+[customizations.firewall]
+ports = ["22:tcp", "30000:tcp", "9090:tcp", "6443:tcp"]
+
+[[customizations.user]]
+name = "admin"
+description = "admin"
+password = '{{ blueprint_admin_password_hash }}'
+key = "{{ blueprint_admin_ssh_public_key }}"
+home = "/home/admin/"
+shell = "/usr/bin/bash"
+groups = ["users", "wheel"]
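Review bot: The `%post` block expands `{{ kickstart_microshift_pull_secret }}` verbatim, so the rendered kickstart and the ISO it is injected into carry the pull secret in cleartext, and anaconda typically keeps a copy of the kickstart under `/root` on the installed system; the `chmod 600` covers only the CRI-O file, so the rendered template and the ISO need the same care (restrictive modes, kept out of the repo, rotated if the ISO is shared). The `sed` that grants `%wheel` NOPASSWD rewrites `/etc/sudoers` with no syntax check; because the script runs with `--erroronfail`, adding `visudo -cf /etc/sudoers` right after it would abort the install on a broken sudoers rather than ship a machine without working sudo. The "Alternative partitioning" section is not commented out, so `zerombr`, `clearpart --all --initlabel` and `reqpart --add-boot` are each issued twice; either comment out one storage block or make the header say both are intentional. Separately, `ostreesetup --nogpg --url=http://...` installs an unsigned commit over plain HTTP, which is acceptable on an isolated build LAN but deserves a comment stating that assumption.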
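Review bot: `[[customizations.user]]` puts `admin` in `wheel` with both a password hash and an SSH key while `sshd` is enabled under `[customizations.services]`, and the kickstart's `%post` makes `%wheel` NOPASSWD, so any successful SSH login as `admin`, including by password, is effectively root without a second factor; if the NOPASSWD rule stays, consider dropping `password` for this SSH-facing account or ensuring password authentication is off in sshd. The comment above `[customizations.firewall]` lists 22, 9090 and 6443 but the list also opens `30000:tcp`; either extend the comment, e.g. `# 22 ssh / 9090 cockpit / 6443 microshift / 30000 <purpose of this port>`, or drop the port. `hostname = "kiosk.local"` here disagrees with `network --hostname=kiosk.localdomain` in kiosk.ks.j2; pick one so the image and the installer do not set different names.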