From c84a334163c385074743729ca825a303fb979454 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Fri, 5 Apr 2024 14:07:44 +0200
Subject: [PATCH] automatic update + kiosk fix
---
 ansible/README.MD | 1 +
 ansible/build.yaml | 17 +++++++++++++++++
 ansible/templates/kiosk.ks.j2 | 4 ----
 ansible/templates/kiosk.toml.j2 | 33 ++++++++++++++++++++++++++++++++-
 4 files changed, 50 insertions(+), 5 deletions(-)
diff --git a/ansible/README.MD b/ansible/README.MD
index 82942b7..ffa5f9a 100644
--- a/ansible/README.MD
+++ b/ansible/README.MD
@@ -31,6 +31,7 @@ Create an ansible vault named `vault.yaml` in `ansible/group_vars/all/` with the ```yaml blueprint_admin_password_hash: # Generate one with "mkpasswd -m bcrypt" +blueprint_kiosk_password_hash: # Generate one with "mkpasswd -m bcrypt" kickstart_microshift_pull_secret: # Generate one on https://console.redhat.com/openshift/install/pull-secret ```
diff --git a/ansible/build.yaml b/ansible/build.yaml
index 1659e3d..2b32ea6 100644
--- a/ansible/build.yaml
+++ b/ansible/build.yaml
@@ -14,6 +14,23 @@ suffix: -build register: tmp + ## ## Cleanup ## - name: Get all images for removal ansible.builtin.command: /usr/bin/composer-cli compose list register: builder_output changed_when: false - name: Remove each image by UUID ansible.builtin.command: "/usr/bin/composer-cli compose delete {{ (item | split)[0] }}" loop: "{{ builder_output.stdout_lines }}" loop_control: label: "{{ (item | split)[0] }}" changed_when: true when: (item | split)[0] != "ID" ## ## RPM construction ##
diff --git a/ansible/templates/kiosk.ks.j2 b/ansible/templates/kiosk.ks.j2
index 7ddd157..7ffd110 100644
--- a/ansible/templates/kiosk.ks.j2
+++ b/ansible/templates/kiosk.ks.j2
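Review bot: The new "Remove each image by UUID" task deletes every compose the builder knows about, including composes that are still waiting or running and composes belonging to other blueprints; `composer-cli compose delete` is refused for a compose that is still running, and since the task has no `failed_when`, one in-flight build aborts the whole play. Scope the sweep to terminal states and to this blueprint: list with `/usr/bin/composer-cli compose list finished` (and a second task for `failed`), and extend the guard to something like `when: (item | split)[0] != "ID" and (item | split)[2] == blueprint_name`, using whatever variable this play already holds the blueprint name in and confirming the Blueprint column index against the installed composer-cli output. If a best-effort sweep is acceptable instead, say so with `failed_when: false` and a comment explaining why a failed delete is tolerated. A short comment above the first task, e.g. `# Drop old composes so the builder does not keep accumulating images from previous runs`, would also record why this cleanup exists at all.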
@@ -58,10 +58,6 @@ cat > /etc/crio/openshift-pull-secret << 'EOF' EOF chmod 600 /etc/crio/openshift-pull-secret -# User creation in the ostree is now deprecated. Doing it in the Kickstart, then. -groupadd -r kiosk -useradd -r -N -g kiosk -d /home/kiosk -m kiosk - # Configure the firewall with the mandatory rules for MicroShift firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 firewall-offline-cmd --zone=trusted --add-source=169.254.169.1
diff --git a/ansible/templates/kiosk.toml.j2 b/ansible/templates/kiosk.toml.j2
index 2086768..f862dd8 100644
--- a/ansible/templates/kiosk.toml.j2
+++ b/ansible/templates/kiosk.toml.j2
@@ -11,6 +11,9 @@ version = "*" [[packages]] name = "cockpit" +[[packages]] +name = "htop" + [[packages]] name = "microshift-manifests" version = "*"
@@ -22,7 +25,7 @@ name = "cockpit-system" hostname = "kiosk.local" [customizations.services] -enabled = ["cockpit.socket", "sshd", "microshift"] +enabled = ["cockpit.socket", "sshd", "microshift", "rpm-ostreed", "rpm-ostreed-automatic.timer"] [customizations.timezone] timezone = "Europe/Paris"
@@ -36,6 +39,26 @@ keyboard = "fr" [customizations.firewall] ports = ["22:tcp", "30000:tcp", "9090:tcp", "6443:tcp"] +## ## Automatic updates ## ## This file is used by the rpm-ostreed service that is triggered by the ## rpm-ostreed-automatic systemd timer: ## ## [Timer] ## OnBootSec=1h # 1 hour after boot ## OnUnitInactiveSec=1d # 1 day after last check ## ## But you can trigger a check manually with: ## ## sudo rpm-ostree upgrade --trigger-automatic-update-policy ## +[[customizations.files]] path = "/etc/rpm-ostreed.conf" data = """[Daemon] AutomaticUpdatePolicy=apply """ + [[customizations.user]] name = "admin" description = "admin"
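Review bot: `AutomaticUpdatePolicy=apply` in the new `/etc/rpm-ostreed.conf` does more than stage the update: as documented for rpm-ostreed.conf, `apply` also reboots into the staged deployment, so with the timer defaults quoted in the comment the kiosk can reboot unattended up to once a day, at an arbitrary time, while the comment above only talks about "a check". If an unscheduled reboot is not acceptable for a kiosk, `AutomaticUpdatePolicy=stage` plus a scheduled reboot (or a drop-in pinning the timer with `OnCalendar=`) is the usual choice; either way the comment should say explicitly that the policy reboots the device. Unattended upgrades also apply whatever the ostree remote serves without anyone looking at it, so the remote should have `gpg-verify=true` and be pulled over TLS — that configuration is outside this hunk, so please confirm it rather than assume it. Stylistically, the `##` banner block is not TOML's convention; a `# `-prefixed paragraph directly above `[[customizations.files]]` reads better and keeps the `[Timer]` snippet clearly marked as a quotation of the timer unit rather than config.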
@@ -44,3 +67,11 @@ key = "{{ blueprint_admin_ssh_public_key }}" home = "/home/admin/" shell = "/usr/bin/bash" groups = ["users", "wheel"] + +[[customizations.user]] +name = "kiosk" +description = "kiosk" +password = '{{ blueprint_kiosk_password_hash }}' +home = "/home/kiosk/" +shell = "/bin/bash" +
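Review bot: The new `kiosk` user is given a `password` hash and an interactive `shell` while this blueprint enables `sshd` and opens 22/tcp, so the account that used to be a system user created with `useradd -r` (locked password, never a login target) now becomes a remote password-login target on every device. If the account only needs to own the kiosk session, drop the `password` line from this entry (and the new vault variable with it); if it genuinely needs SSH access, give it a `key = ...` like the admin entry instead and disable password authentication for it in sshd. The `shell = "/bin/bash"` also differs from the admin entry's `/usr/bin/bash`; `shell = "/usr/bin/bash"` keeps the two consistent. Nothing in this entry sets `uid`/`gid` or adds a `[[customizations.group]]` for `kiosk`, so the IDs will differ from the old system-range ones and the `kiosk` group now only exists if the builder creates a user-private group — worth confirming if anything in the image references them.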