From f246600cbb66834c1289bf52cf7bd95cc6428b02 Mon Sep 17 00:00:00 2001
From: clyhtsuriva
Date: Sat, 1 Feb 2025 02:12:10 +0100
Subject: Working debian packer template w/ ansible to set up fw rules after reboot
---
 ansible/ansible.cfg | 2 +
 ansible/playbooks/common.yml | 7 +
 ansible/playbooks/test.yml | 13 ++
 ansible/roles/README.md | 2 +
 ansible/roles/common/handlers/main.yml | 6 +
 ansible/roles/common/tasks/main.yml | 4 +
 ansible/roles/common/tasks/ufw.yml | 35 +++
 ansible/roles/nginx/tasks/update_nginx.yml | 25 ++
 ansible/roles/nginx/update_nginx.yml | 25 --
 .../debian-server-bookworm.pkr.hcl | 36 ++-
 packer/debian-server-bookworm/http/preseed.cfg | 5 +-
 packer/pkr-builder.pkr.hcl | 6 +-
 .../ubuntu-server-noble.pkr.hcl | 260 ++++++++++-----------
 13 files changed, 257 insertions(+), 169 deletions(-)
 create mode 100644 ansible/ansible.cfg
 create mode 100644 ansible/playbooks/common.yml
 create mode 100644 ansible/playbooks/test.yml
 create mode 100644 ansible/roles/common/handlers/main.yml
 create mode 100644 ansible/roles/common/tasks/main.yml
 create mode 100644 ansible/roles/common/tasks/ufw.yml
 create mode 100644 ansible/roles/nginx/tasks/update_nginx.yml
 delete mode 100644 ansible/roles/nginx/update_nginx.yml
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..002a50d
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+roles_path = ./roles
diff --git a/ansible/playbooks/common.yml b/ansible/playbooks/common.yml
new file mode 100644
index 0000000..a9a64d4
--- /dev/null
+++ b/ansible/playbooks/common.yml
@@ -0,0 +1,7 @@
+---
+- name: Apply common configurations to all VMs
+ hosts: all
+ become: true
+ roles:
+ - role: common
+...
diff --git a/ansible/playbooks/test.yml b/ansible/playbooks/test.yml
new file mode 100644
index 0000000..638572f
--- /dev/null
+++ b/ansible/playbooks/test.yml
@@ -0,0 +1,13 @@
+---
+- name: Create a file in /root/ called toto with content tata
+ hosts: all
+ become: true
+ tasks:
+ - name: Ensure /root/toto exists with content "tata"
+ ansible.builtin.copy:
+ dest: /root/toto
+ content: "tata"
+ owner: root
+ group: root
+ mode: '0644'
+...
diff --git a/ansible/roles/README.md b/ansible/roles/README.md
index 59841b5..744532c 100644
--- a/ansible/roles/README.md
+++ b/ansible/roles/README.md
@@ -3,4 +3,6 @@ This folder contains reusable Ansible roles for configuration management.
 ## Available Roles
+- common
+- docker
 - nginx
diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
new file mode 100644
index 0000000..d090d0e
--- /dev/null
+++ b/ansible/roles/common/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart UFW
+ ansible.builtin.service:
+ name: ufw
+ state: restarted
+...
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
new file mode 100644
index 0000000..f15e2b7
--- /dev/null
+++ b/ansible/roles/common/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Include UFW tasks
+ include_tasks: ufw.yml
+...
diff --git a/ansible/roles/common/tasks/ufw.yml b/ansible/roles/common/tasks/ufw.yml
new file mode 100644
index 0000000..155579f
--- /dev/null
+++ b/ansible/roles/common/tasks/ufw.yml
@@ -0,0 +1,35 @@
+---
+- name: Ensure UFW is installed
+ ansible.builtin.apt:
+ name: ufw
+ state: present
+
+- name: Allow SSH
+ community.general.ufw:
+ rule: allow
+ name: OpenSSH
+ comment: "Allow SSH"
+
+- name: Allow HTTP
+ community.general.ufw:
+ rule: allow
+ port: 80
+ proto: tcp
+ comment: "Allow HTTP"
+
+- name: Allow HTTPS
+ community.general.ufw:
+ rule: allow
+ port: 443
+ proto: tcp
+ comment: "Allow HTTPS"
+
+- name: Enable UFW
+ community.general.ufw:
+ state: enabled
+
+- name: Ensure UFW is enabled on boot
+ ansible.builtin.systemd:
+ name: ufw
+ enabled: true
+...
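Review bot: `include_tasks: ufw.yml` in the new tasks/main.yml is the only module call in this role that is not fully qualified, while the sibling tasks use `ansible.builtin.apt`, `ansible.builtin.systemd` and `community.general.ufw`; write it as `ansible.builtin.include_tasks: ufw.yml` so the role is consistent and passes ansible-lint's fqcn rule. Because this file exists only to pull in ufw.yml, a one-line header such as `# Entry point for the common role: firewall baseline applied to every VM` would also tell a reader why a role named `common` currently carries nothing but firewall tasks.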
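Review bot: None of the tasks in the ufw.yml hunk pins UFW's default policy, so the posture of every VM built from the template rests on whatever `/etc/default/ufw` happens to ship (Debian's packaged default is deny-incoming, but nothing here asserts it); add explicit policy tasks before "Enable UFW" as below. The HTTP/HTTPS allows also live in the `common` role that `common.yml` applies to `hosts: all`, so every template — not only a web host — opens 80/443; those two tasks belong in the nginx role or behind a role variable such as `common_open_web_ports: false`. Minor: the `Restart UFW` handler added in handlers/main.yml is never `notify`'d by any task here, so it is dead code, and the `ansible.builtin.apt` task has no `update_cache: true`, which may matter on a freshly preseeded image whose apt lists come only from the installer.
```yaml
# … unchanged: Ensure UFW is installed …

- name: Set default inbound policy to deny
  community.general.ufw:
    direction: incoming
    policy: deny

- name: Set default outbound policy to allow
  community.general.ufw:
    direction: outgoing
    policy: allow

# … unchanged: Allow SSH / HTTP / HTTPS, Enable UFW, enable on boot …
```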
diff --git a/ansible/roles/nginx/tasks/update_nginx.yml b/ansible/roles/nginx/tasks/update_nginx.yml
new file mode 100644
index 0000000..4813e6c
--- /dev/null
+++ b/ansible/roles/nginx/tasks/update_nginx.yml
@@ -0,0 +1,25 @@
+---
+- name: Update nginx if needed
+ hosts: vps
+ become: true
+ become_user: root
+ tasks:
+
+ - name: Ensure nginx is at the latest version
+ ansible.builtin.package:
+ name: nginx
+ state: latest
+ notify: restart nginx
+
+ - name: Ensure nginx is running
+ ansible.builtin.service:
+ name: nginx
+ state: started
+ enabled: true
+
+ handlers:
+ - name: Restart nginx
+ ansible.builtin.service:
+ name: nginx
+ state: restarted
+...
diff --git a/ansible/roles/nginx/update_nginx.yml b/ansible/roles/nginx/update_nginx.yml
deleted file mode 100644
index 4813e6c..0000000
--- a/ansible/roles/nginx/update_nginx.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-- name: Update nginx if needed
- hosts: vps
- become: true
- become_user: root
- tasks:
-
- - name: Ensure nginx is at the latest version
- ansible.builtin.package:
- name: nginx
- state: latest
- notify: restart nginx
-
- - name: Ensure nginx is running
- ansible.builtin.service:
- name: nginx
- state: started
- enabled: true
-
- handlers:
- - name: Restart nginx
- ansible.builtin.service:
- name: nginx
- state: restarted
-...
diff --git a/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl b/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
index d91d308..d93af5e 100644
--- a/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
+++ b/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
@@ -21,6 +21,11 @@ variable "vm_hostname" {
 default = "debian-server-bookworm-test-1"
 }
+variable "ssh_private_key_file" {
+ type = string
+ default = "~/.ssh/id_ecdsa"
+}
+
 # Resource Definition for the VM Template
 source "proxmox-iso" "debian-server-bookworm-test-1" {
@@ -60,11 +65,11 @@ source "proxmox-iso" "debian-server-bookworm-test-1" {
 scsi_controller = "virtio-scsi-single"
 disks {
- disk_size = "20G"
- format = "raw"
- storage_pool = "local-lvm"
- type = "virtio"
- iothread = true
+ disk_size = "20G"
+ format = "raw"
+ storage_pool = "local-lvm"
+ type = "virtio"
+ io_thread = true
 }
 # VM CPU Settings
@@ -75,9 +80,9 @@ source "proxmox-iso" "debian-server-bookworm-test-1" {
 # VM Network Settings
 network_adapters {
- model = "virtio"
- bridge = "vmbr0"
- firewall = "false"
+ model = "virtio"
+ bridge = "vmbr0"
+ firewall = "false"
 }
 # VM Cloud-Init Settings
@@ -91,7 +96,7 @@ source "proxmox-iso" "debian-server-bookworm-test-1" {
 ]
 boot = "c"
- boot_wait = "10s"
+ boot_wait = "20s"
 communicator = "ssh"
 # PACKER Autoinstall Settings
@@ -107,7 +112,7 @@ source "proxmox-iso" "debian-server-bookworm-test-1" {
 # ssh_password = "your-password"
 # - or -
 # (Option 2) Add your Private SSH KEY file here
- ssh_private_key_file = "~/.ssh/id_ecdsa"
+ ssh_private_key_file = "${var.ssh_private_key_file}"
 # Raise the timeout, when installation takes longer
 ssh_timeout = "30m"
@@ -119,6 +124,17 @@ build {
 name = "debian-server-bookworm-test-1"
 sources = ["source.proxmox-iso.debian-server-bookworm-test-1"]
+ # Using ansible playbooks to configure common base
+ provisioner "ansible" {
+ playbook_file = "../../ansible/playbooks/common.yml"
+ use_proxy = false
+ user = "mas"
+ ansible_env_vars = [
+ "ANSIBLE_HOST_KEY_CHECKING=False",
+ "ANSIBLE_CONFIG=${path.root}/../../ansible/ansible.cfg",
+ ]
+ }
+
 # Copy default cloud-init config
 provisioner "file" {
 source = "files/cloud.cfg"
diff --git a/packer/debian-server-bookworm/http/preseed.cfg b/packer/debian-server-bookworm/http/preseed.cfg
index e5dd8c6..a63e4ab 100644
--- a/packer/debian-server-bookworm/http/preseed.cfg
+++ b/packer/debian-server-bookworm/http/preseed.cfg
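Review bot: The new ansible provisioner hard-codes `user = "mas"`, duplicating the communicator's `ssh_username` (presumably `"mas"`, set above the `@@ -119` hunk); use `user = build.User` so the two cannot drift when the template user is renamed. `ANSIBLE_HOST_KEY_CHECKING=False` is the usual trade-off for a VM that Packer has just installed and has no recorded host key for, but it deserves an inline comment saying exactly that so the setting is not copied into inventory-driven runs, e.g. `# fresh VM with no known host key yet: acceptable only inside the Packer build`. Note also that common.yml runs with `become: true`, so this step depends on `mas` having passwordless sudo on the image — presumably arranged in the preseed's user setup, which is outside this hunk — and the build will stop at this provisioner if that assumption does not hold.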
@@ -34,6 +34,7 @@ d-i apt-setup/use_mirror boolean true
 d-i partman-auto/method string lvm
 d-i partman-lvm/device_remove_lvm boolean true
 d-i partman-lvm/confirm boolean true
+d-i partman-lvm/confirm_nooverwrite boolean true
 d-i partman-auto-lvm/guided_size string max
 d-i partman-auto/choose_recipe select atomic
 d-i partman-partitioning/confirm_write_new_label boolean true
@@ -68,14 +69,12 @@ d-i preseed/late_command string \
 in-target sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \
 in-target sed -i 's|^#\?AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|' /etc/ssh/sshd_config && \
 in-target sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && \
- in-targer sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && \
+ in-target sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && \
 in-target systemctl restart ssh && \
 in-target apt-get purge -y snapd unattended-upgrades && \
 in-target apt-get autoremove -y && \
 in-target apt-get clean && \
 in-target cloud-init clean --logs && \
- in-target ufw allow ssh && \
- in-target ufw enable && \
 in-target sed -i '/^deb cdrom:/s/^/#/' /etc/apt/sources.list
 ### Configure GRUB bootloader
diff --git a/packer/pkr-builder.pkr.hcl b/packer/pkr-builder.pkr.hcl
index 4265280..99fccd2 100644
--- a/packer/pkr-builder.pkr.hcl
+++ b/packer/pkr-builder.pkr.hcl
@@ -1,8 +1,12 @@
 packer {
 required_plugins {
- name = {
+ proxmox = {
 version = "~> 1"
 source = "github.com/hashicorp/proxmox"
 }
+ ansible = {
+ version = "~> 1"
+ source = "github.com/hashicorp/ansible"
+ }
 }
 }
diff --git a/packer/ubuntu-server-noble/ubuntu-server-noble.pkr.hcl b/packer/ubuntu-server-noble/ubuntu-server-noble.pkr.hcl
index 5ba2019..1bdae1c 100644
--- a/packer/ubuntu-server-noble/ubuntu-server-noble.pkr.hcl
+++ b/packer/ubuntu-server-noble/ubuntu-server-noble.pkr.hcl
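Review bot: The sshd hardening in this late_command (the `PasswordAuthentication no` / `PermitRootLogin no` seds, of which the commit only fixes the `in-targer` typo) edits `/etc/ssh/sshd_config` in place, yet Debian bookworm's stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads for each keyword, so any drop-in written later (cloud-init's `ssh_pwauth` handling on recent versions, for instance) silently wins over these edits; if the image ships the stock config, write the hardening to a drop-in that sorts first instead, e.g. `in-target sh -c 'printf "PasswordAuthentication no\nPermitRootLogin no\nPubkeyAuthentication yes\n" > /etc/ssh/sshd_config.d/00-hardening.conf'`. Removing `ufw allow ssh && ufw enable` moves firewall activation entirely to the Ansible provisioner in the Packer build, which is fine for the template, but anyone installing from this preseed outside Packer now gets a host with no firewall at all; a comment at the top of the late_command such as `# firewall is configured by ansible/roles/common during the Packer build, not here` would make that dependency visible.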
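Review bot: `version = "~> 1"` on both plugins in the pkr-builder hunk accepts any 1.x release, so `packer init` on a fresh checkout can install a newer plugin than the one this template was tested with and change provisioning behaviour without any diff in this repository. Pin each plugin to the release you actually ran `packer init` against, using an exact `= <version>` constraint or at least a minor-level `~> 1.<minor>`, and note that version in a comment beside the constraint so a later bump is a deliberate, reviewable change rather than a side effect of re-running init.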
@@ -4,151 +4,151 @@
 # Variable Definitions
 variable "proxmox_api_url" {
- type = string
+ type = string
 }
 variable "proxmox_api_token_id" {
- type = string
+ type = string
 }
 variable "proxmox_api_token_secret" {
- type = string
- sensitive = true
+ type = string
+ sensitive = true
 }
 # Resource Definiation for the VM Template
 source "proxmox-iso" "ubuntu-server-noble-test-1" {
- # Proxmox Connection Settings
- proxmox_url = "${var.proxmox_api_url}"
- username = "${var.proxmox_api_token_id}"
- token = "${var.proxmox_api_token_secret}"
- # (Optional) Skip TLS Verification
- insecure_skip_tls_verify = true
-
- # VM General Settings
- node = "pve"
- vm_id = "101"
- vm_name = "ubuntu-server-noble-test-1"
- template_description = "Ubuntu Server Noble Image Test 1"
-
- # VM OS Settings
- # (Option 1) Local ISO File
- # iso_file = "local:iso/ubuntu-24.04.1-live-server-amd64.iso"
- # - or -
- # (Option 2) Download ISO
- # iso_url = "https://releases.ubuntu.com/24.04/ubuntu-24.04-live-server-amd64.iso"
- # iso_checksum = "8762f7e74e4d64d72fceb5f70682e6b069932deedb4949c6975d0f0fe0a91be3"
- # iso_storage_pool = "local"
- # unmount_iso = true
- boot_iso {
- type = "scsi"
- iso_file = "local:iso/ubuntu-24.04.1-live-server-amd64.iso"
- unmount = true
- iso_checksum = "sha512:3d518612aabbdb77fd6b49cb55b824fed11e40540e4af52f5f26174257715c93740f83079ea618b4d933081f0b1bc69d32b7885b7c75bc90da5ad3fe1814cfd4"
- }
-
-
- # VM System Settings
- qemu_agent = true
-
- # VM Hard Disk Settings
- scsi_controller = "virtio-scsi-pci"
-
- disks {
- disk_size = "20G"
- format = "raw"
- storage_pool = "local-lvm"
- type = "virtio"
- }
-
- # VM CPU Settings
- cores = "1"
-
- # VM Memory Settings
- memory = "2048"
-
- # VM Network Settings
- network_adapters {
- model = "virtio"
- bridge = "vmbr0"
- firewall = "false"
- }
-
- # VM Cloud-Init Settings
- cloud_init = true
- cloud_init_storage_pool = "local-lvm"
-
- # PACKER Boot Commands
- boot_command = [
- "",
- "e",
- "",
- "",
- "autoinstall 
ds=nocloud-net\\;s=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ ---",
- ""
- ]
-
- boot = "c"
- boot_wait = "10s"
- communicator = "ssh"
-
- # PACKER Autoinstall Settings
- http_directory = "http"
- # (Optional) Bind IP Address and Port
- # http_bind_address = "0.0.0.0"
- # http_port_min = 8802
- # http_port_max = 8802
-
- ssh_username = "mas"
-
- # (Option 1) Add your Password here
- # ssh_password = "your-password"
- # - or -
- # (Option 2) Add your Private SSH KEY file here
- ssh_private_key_file = "~/.ssh/id_ecdsa"
-
- # Raise the timeout, when installation takes longer
- ssh_timeout = "30m"
- ssh_pty = true
+ # Proxmox Connection Settings
+ proxmox_url = "${var.proxmox_api_url}"
+ username = "${var.proxmox_api_token_id}"
+ token = "${var.proxmox_api_token_secret}"
+ # (Optional) Skip TLS Verification
+ insecure_skip_tls_verify = true
+
+ # VM General Settings
+ node = "pve"
+ vm_id = "101"
+ vm_name = "ubuntu-server-noble-test-1"
+ template_description = "Ubuntu Server Noble Image Test 1"
+
+ # VM OS Settings
+ # (Option 1) Local ISO File
+ # iso_file = "local:iso/ubuntu-24.04.1-live-server-amd64.iso"
+ # - or -
+ # (Option 2) Download ISO
+ # iso_url = "https://releases.ubuntu.com/24.04/ubuntu-24.04-live-server-amd64.iso"
+ # iso_checksum = "8762f7e74e4d64d72fceb5f70682e6b069932deedb4949c6975d0f0fe0a91be3"
+ # iso_storage_pool = "local"
+ # unmount_iso = true
+ boot_iso {
+ type = "scsi"
+ iso_file = "local:iso/ubuntu-24.04.1-live-server-amd64.iso"
+ unmount = true
+ iso_checksum = "sha512:3d518612aabbdb77fd6b49cb55b824fed11e40540e4af52f5f26174257715c93740f83079ea618b4d933081f0b1bc69d32b7885b7c75bc90da5ad3fe1814cfd4"
+ }
+
+
+ # VM System Settings
+ qemu_agent = true
+
+ # VM Hard Disk Settings
+ scsi_controller = "virtio-scsi-pci"
+
+ disks {
+ disk_size = "20G"
+ format = "raw"
+ storage_pool = "local-lvm"
+ type = "virtio"
+ }
+
+ # VM CPU Settings
+ cores = "1"
+
+ # VM Memory Settings
+ memory = "2048"
+
+ # VM Network Settings
+ network_adapters {
+ model = 
"virtio"
+ bridge = "vmbr0"
+ firewall = "false"
+ }
+
+ # VM Cloud-Init Settings
+ cloud_init = true
+ cloud_init_storage_pool = "local-lvm"
+
+ # PACKER Boot Commands
+ boot_command = [
+ "",
+ "e",
+ "",
+ "",
+ "autoinstall ds=nocloud-net\\;s=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ ---",
+ ""
+ ]
+
+ boot = "c"
+ boot_wait = "10s"
+ communicator = "ssh"
+
+ # PACKER Autoinstall Settings
+ http_directory = "http"
+ # (Optional) Bind IP Address and Port
+ # http_bind_address = "0.0.0.0"
+ # http_port_min = 8802
+ # http_port_max = 8802
+
+ ssh_username = "mas"
+
+ # (Option 1) Add your Password here
+ # ssh_password = "your-password"
+ # - or -
+ # (Option 2) Add your Private SSH KEY file here
+ ssh_private_key_file = "~/.ssh/id_ecdsa"
+
+ # Raise the timeout, when installation takes longer
+ ssh_timeout = "30m"
+ ssh_pty = true
 }
 # Build Definition to create the VM Template
 build {
- name = "ubuntu-server-noble-test-1"
- sources = ["source.proxmox-iso.ubuntu-server-noble-test-1"]
-
- # Provisioning the VM Template for Cloud-Init Integration in Proxmox #1
- provisioner "shell" {
- inline = [
- "while [ ! 
-f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for cloud-init...'; sleep 1; done",
- "sudo rm /etc/ssh/ssh_host_*",
- "sudo truncate -s 0 /etc/machine-id",
- "sudo apt -y autoremove --purge",
- "sudo apt -y clean",
- "sudo apt -y autoclean",
- "sudo cloud-init clean",
- "sudo rm -f /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg",
- "sudo rm -f /etc/netplan/00-installer-config.yaml",
- "sudo sync"
- ]
- }
-
- # Provisioning the VM Template for Cloud-Init Integration in Proxmox #2
- provisioner "file" {
- source = "files/99-pve.cfg"
- destination = "/tmp/99-pve.cfg"
- }
-
- # Provisioning the VM Template for Cloud-Init Integration in Proxmox #3
- provisioner "shell" {
- inline = [ "sudo cp /tmp/99-pve.cfg /etc/cloud/cloud.cfg.d/99-pve.cfg" ]
- }
-
- # Random personal test, ID #4
- provisioner "shell" {
- inline = [ "id" ]
- }
+ name = "ubuntu-server-noble-test-1"
+ sources = ["source.proxmox-iso.ubuntu-server-noble-test-1"]
+
+ # Provisioning the VM Template for Cloud-Init Integration in Proxmox #1
+ provisioner "shell" {
+ inline = [
+ "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for cloud-init...'; sleep 1; done",
+ "sudo rm /etc/ssh/ssh_host_*",
+ "sudo truncate -s 0 /etc/machine-id",
+ "sudo apt -y autoremove --purge",
+ "sudo apt -y clean",
+ "sudo apt -y autoclean",
+ "sudo cloud-init clean",
+ "sudo rm -f /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg",
+ "sudo rm -f /etc/netplan/00-installer-config.yaml",
+ "sudo sync"
+ ]
+ }
+
+ # Provisioning the VM Template for Cloud-Init Integration in Proxmox #2
+ provisioner "file" {
+ source = "files/99-pve.cfg"
+ destination = "/tmp/99-pve.cfg"
+ }
+
+ # Provisioning the VM Template for Cloud-Init Integration in Proxmox #3
+ provisioner "shell" {
+ inline = ["sudo cp /tmp/99-pve.cfg /etc/cloud/cloud.cfg.d/99-pve.cfg"]
+ }
+
+ # Random personal test, ID #4
+ provisioner "shell" {
+ inline = ["id"]
+ }
 }
-- 
cgit v1.2.3