From 7929176b4ef4b3d9b2e4fc222db6fc36099f70df Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 24 Oct 2025 11:20:12 -0500
Subject: [PATCH] create-dc: Update to use new provisioning process

Instead of running `virt-install` directly from the `create-dc.sh`
script, it now relies on `newvm.sh`.  This will ensure that VMs created
to be domain controllers will conform to the same expectations as all
other machines, such as using the libvirt domain metadata to build
dynamic inventory.

Similarly, the `create-dc.yml` playbook now imports the `host-setup.yml`
playbook, which covers the basic setup of a new machine.  Again, this
ensures that the same policy is applied to DCs as to other machines.

Finally, domain controller machines now no longer use _winbind_ for
OS user accounts and authentication.  This never worked particularly
well on DCs anyway (particularly because of the way _winbind_ insists on
using domain-prefixed user accounts when it runs on a DC), and is now
worse with recent Fedora changes.  Instead, DCs now have local users who
authenticate via SSH certificates, the same as other current-generaton
servers.
---
 create-dc.sh                     | 61 +++++++++++++++-----------------
 create-dc.yml                    |  9 ++---
 group_vars/pyrocufflink-ad.yml   |  1 +
 group_vars/pyrocufflink/main.yml |  1 -
 hosts                            |  4 +++
 5 files changed, 36 insertions(+), 40 deletions(-)
 create mode 100644 group_vars/pyrocufflink-ad.yml

diff --git a/create-dc.sh b/create-dc.sh
index 86b31ad..e777f84 100644
--- a/create-dc.sh
+++ b/create-dc.sh
@@ -1,56 +1,51 @@
 #!/bin/sh
 # vim: set sw=4 ts=4 sts=4 et :
 
-export http_proxy=http://proxy.pyrocufflink.blue:3128/
-
 ipaddr=$1
-fedora=${2:-40}
+fedora=$2
 if [ -z "${ipaddr}" ]; then
     printf 'usage: %s ipaddr [fedora]\n' "${0##*/}" >&2
     exit 2
 fi
-if [ -z "${LIBVIRT_DEFAULT_URI}" ]; then
-    printf 'LIBVIRT_DEFAULT_URI environment variable must be set\n' >&2
-    exit 1
-fi
+
+ansible-playbook -l samba-dc facts.yml --become || exit
 
 wordlist=$(
     python -c 'from diceware.wordlist import *;print(get_wordlist_path("en_eff"))'
 )
-
 name=dc-$(sort -R "${wordlist}" | awk '{if(length($2) < 13){print $2;exit}}')
-printf 'Creating VM %s : watch progress with\n' "${name}"
-printf '    virsh -c %s console %s\n' "$(virsh uri)" "${name}"
-virt-install \
-    --name ${name} \
-    --memory 2048 \
-    --vcpus 2 \
-    --cpu host \
-    --location http://dl.fedoraproject.org/pub/fedora/linux/releases/${fedora}/Everything/x86_64/os \
-    --extra-args "ip=${ipaddr}::172.30.0.1:255.255.255.192:${name}::none:172.30.0.1 inst.notmux inst.proxy=${http_proxy} inst.ks=http://rosalina.pyrocufflink.blue/~dustin/kickstart/fedora-dc.ks console=ttyS0 quiet systemd.show_status=1" \
-    --os-variant fedora$(rpm -E %fedora) \
-    --disk pool=default,size=16,cache=none \
-    --network network=prod,model=virtio \
-    --graphics none \
-    --sound none \
-    --redirdev none \
-    --rng /dev/urandom \
-    --noautoconsole \
-    --wait -1 \
+./newvm.sh "${name}" \
+    --ip-address "${ipaddr}/26" \
+    --nameserver 172.30.0.1 \
+    ${fedora:+--fedora} ${fedora} \
+    --kickstart 'http://pxe.pyrocufflink.blue/kickstart/master/fedora-dc.ks' \
+    --network network=prod \
+    --domain pyrocufflink.blue \
+    --group samba-dc \
+    --no-console \
     || exit
 
 printf 'Waiting for %s to come up ...\n' "${name}"
 until ssh -l root "${ipaddr}" : >/dev/null 2>&1; do sleep 10; done
 
-ansible-playbook -l samba-dc facts.yml || exit
+bootstrap_vars=host_vars/"${name}".pyrocufflink.blue/_bootstrap.yml
+trap 'rm -fv "${bootstrap_vars}"' INT TERM EXIT QUIT
+mkdir -p "${bootstrap_vars%/*}"
+cat > "${bootstrap_vars}" <<EOF  # lang: yaml
+ansible_host: '${ipaddr}'
+ansible_become: false
+ansible_user: root
+EOF
 
-sed -i \
-    -e "/\[pyrocufflink\]/a${name}.pyrocufflink.blue ansible_host=${ipaddr} ansible_user=root ansible_become=false" \
-    -e "/\[samba-dc\]/a${name}.pyrocufflink.blue" \
-    hosts \
-    || exit
+if [ -f .env ]; then
+    set -a
+    . ./.env
+    set +a
+fi
 
+ANSIBLE_STDOUT_CALLBACK=community.general.default_without_diff \
 ansible-playbook -l "${name}".pyrocufflink.blue \
     --become \
-    create-dc.yml
+    --diff \
+    create-dc.yml \
     -e @join.creds
diff --git a/create-dc.yml b/create-dc.yml
index d888841..5210103 100644
--- a/create-dc.yml
+++ b/create-dc.yml
@@ -1,6 +1,3 @@
-- import_playbook: bootstrap.yml
-- import_playbook: pyrocufflink.yml
-- import_playbook: promtail.yml
-- import_playbook: domain-controller.yml
-- import_playbook: collectd.yml
-- import_playbook: auto-updates.yml
+- import_playbook: host-setup.yml
+
+- import_playbook: samba-dc.yml
diff --git a/group_vars/pyrocufflink-ad.yml b/group_vars/pyrocufflink-ad.yml
new file mode 100644
index 0000000..07926e0
--- /dev/null
+++ b/group_vars/pyrocufflink-ad.yml
@@ -0,0 +1 @@
+krb5_realm: PYROCUFFLINK.BLUE
diff --git a/group_vars/pyrocufflink/main.yml b/group_vars/pyrocufflink/main.yml
index f397d9e..4dff198 100644
--- a/group_vars/pyrocufflink/main.yml
+++ b/group_vars/pyrocufflink/main.yml
@@ -1,6 +1,5 @@
 ansible_become_method: sudo
 
-krb5_realm: PYROCUFFLINK.BLUE
 samba_security: ads
 samba_use_winbind: true
 pam_winbind: true
diff --git a/hosts b/hosts
index fbdcb9f..4cc43a9 100644
--- a/hosts
+++ b/hosts
@@ -194,6 +194,10 @@ pxe0.pyrocufflink.blue
 smtp1.pyrocufflink.blue
 web0.pyrocufflink.blue
 
+[pyrocufflink-ad:children]
+samba-dc
+pyrocufflink
+
 [pyrocufflink-dhcp]
 
 [radius:children]