create-dc: Update to use new provisioning process

Instead of running `virt-install` directly from the `create-dc.sh` script, it now relies on `newvm.sh`. This will ensure that VMs created to be domain controllers will conform to the same expectations as all other machines, such as using the libvirt domain metadata to build dynamic inventory. Similarly, the `create-dc.yml` playbook now imports the `host-setup.yml` playbook, which covers the basic setup of a new machine. Again, this ensures that the same policy is applied to DCs as to other machines. Finally, domain controller machines now no longer use _winbind_ for OS user accounts and authentication. This never worked particularly well on DCs anyway (particularly because of the way _winbind_ insists on using domain-prefixed user accounts when it runs on a DC), and is now worse with recent Fedora changes. Instead, DCs now have local users who authenticate via SSH certificates, the same as other current-generaton servers.
2025-10-24 11:20:12 -05:00
parent 3f761eacb4
commit 7929176b4e
5 changed files with 36 additions and 40 deletions
--- a/create-dc.sh
+++ b/create-dc.sh
@@ -1,56 +1,51 @@
 #!/bin/sh
 # vim: set sw=4 ts=4 sts=4 et :

-export http_proxy=http://proxy.pyrocufflink.blue:3128/
-
 ipaddr=$1
-fedora=${2:-40}
+fedora=$2
 if [ -z "${ipaddr}" ]; then
    printf 'usage: %s ipaddr [fedora]\n' "${0##*/}" >&2
    exit 2
 fi
-if [ -z "${LIBVIRT_DEFAULT_URI}" ]; then
-    printf 'LIBVIRT_DEFAULT_URI environment variable must be set\n' >&2
-    exit 1
-fi
+
+ansible-playbook -l samba-dc facts.yml --become || exit

 wordlist=$(
    python -c 'from diceware.wordlist import *;print(get_wordlist_path("en_eff"))'
 )
-
 name=dc-$(sort -R "${wordlist}" | awk '{if(length($2) < 13){print $2;exit}}')
-printf 'Creating VM %s : watch progress with\n' "${name}"
-printf '    virsh -c %s console %s\n' "$(virsh uri)" "${name}"
-virt-install \
-    --name ${name} \
-    --memory 2048 \
-    --vcpus 2 \
-    --cpu host \
-    --location http://dl.fedoraproject.org/pub/fedora/linux/releases/${fedora}/Everything/x86_64/os \
-    --extra-args "ip=${ipaddr}::172.30.0.1:255.255.255.192:${name}::none:172.30.0.1 inst.notmux inst.proxy=${http_proxy} inst.ks=http://rosalina.pyrocufflink.blue/~dustin/kickstart/fedora-dc.ks console=ttyS0 quiet systemd.show_status=1" \
-    --os-variant fedora$(rpm -E %fedora) \
-    --disk pool=default,size=16,cache=none \
-    --network network=prod,model=virtio \
-    --graphics none \
-    --sound none \
-    --redirdev none \
-    --rng /dev/urandom \
-    --noautoconsole \
-    --wait -1 \
+./newvm.sh "${name}" \
+    --ip-address "${ipaddr}/26" \
+    --nameserver 172.30.0.1 \
+    ${fedora:+--fedora} ${fedora} \
+    --kickstart 'http://pxe.pyrocufflink.blue/kickstart/master/fedora-dc.ks' \
+    --network network=prod \
+    --domain pyrocufflink.blue \
+    --group samba-dc \
+    --no-console \
    || exit

 printf 'Waiting for %s to come up ...\n' "${name}"
 until ssh -l root "${ipaddr}" : >/dev/null 2>&1; do sleep 10; done

-ansible-playbook -l samba-dc facts.yml || exit
+bootstrap_vars=host_vars/"${name}".pyrocufflink.blue/_bootstrap.yml
+trap 'rm -fv "${bootstrap_vars}"' INT TERM EXIT QUIT
+mkdir -p "${bootstrap_vars%/*}"
+cat > "${bootstrap_vars}" <<EOF  # lang: yaml
+ansible_host: '${ipaddr}'
+ansible_become: false
+ansible_user: root
+EOF

-sed -i \
-    -e "/\[pyrocufflink\]/a${name}.pyrocufflink.blue ansible_host=${ipaddr} ansible_user=root ansible_become=false" \
-    -e "/\[samba-dc\]/a${name}.pyrocufflink.blue" \
-    hosts \
-    || exit
+if [ -f .env ]; then
+    set -a
+    . ./.env
+    set +a
+fi

+ANSIBLE_STDOUT_CALLBACK=community.general.default_without_diff \
 ansible-playbook -l "${name}".pyrocufflink.blue \
    --become \
-    create-dc.yml
+    --diff \
+    create-dc.yml \
    -e @join.creds
--- a/create-dc.yml
+++ b/create-dc.yml
@@ -1,6 +1,3 @@
- import_playbook: bootstrap.yml
- import_playbook: pyrocufflink.yml
- import_playbook: promtail.yml
- import_playbook: domain-controller.yml
- import_playbook: collectd.yml
- import_playbook: auto-updates.yml
+- import_playbook: host-setup.yml
+
+- import_playbook: samba-dc.yml
--- a/group_vars/pyrocufflink-ad.yml
+++ b/group_vars/pyrocufflink-ad.yml
@@ -0,0 +1 @@
+krb5_realm: PYROCUFFLINK.BLUE
--- a/group_vars/pyrocufflink/main.yml
+++ b/group_vars/pyrocufflink/main.yml
@@ -1,6 +1,5 @@
 ansible_become_method: sudo

-krb5_realm: PYROCUFFLINK.BLUE
 samba_security: ads
 samba_use_winbind: true
 pam_winbind: true
--- a/4
+++ b/4
@@ -194,6 +194,10 @@ pxe0.pyrocufflink.blue
 smtp1.pyrocufflink.blue
 web0.pyrocufflink.blue

+[pyrocufflink-ad:children]
+samba-dc
+pyrocufflink
+
 [pyrocufflink-dhcp]

 [radius:children]