create-dc: Update to use new provisioning process

Instead of running `virt-install` directly from the `create-dc.sh`
script, it now relies on `newvm.sh`.  This will ensure that VMs created
to be domain controllers will conform to the same expectations as all
other machines, such as using the libvirt domain metadata to build
dynamic inventory.

Similarly, the `create-dc.yml` playbook now imports the `host-setup.yml`
playbook, which covers the basic setup of a new machine.  Again, this
ensures that the same policy is applied to DCs as to other machines.

Finally, domain controller machines now no longer use _winbind_ for
OS user accounts and authentication.  This never worked particularly
well on DCs anyway (particularly because of the way _winbind_ insists on
using domain-prefixed user accounts when it runs on a DC), and is now
worse with recent Fedora changes.  Instead, DCs now have local users who
authenticate via SSH certificates, the same as other current-generation
servers.
2025-10-24 11:20:12 -05:00
parent 3f761eacb4
commit 7929176b4e
5 changed files with 36 additions and 40 deletions


@@ -1,56 +1,51 @@
#!/bin/sh #!/bin/sh
# vim: set sw=4 ts=4 sts=4 et : # vim: set sw=4 ts=4 sts=4 et :
export http_proxy=http://proxy.pyrocufflink.blue:3128/
ipaddr=$1 ipaddr=$1
fedora=${2:-40} fedora=$2
if [ -z "${ipaddr}" ]; then if [ -z "${ipaddr}" ]; then
printf 'usage: %s ipaddr [fedora]\n' "${0##*/}" >&2 printf 'usage: %s ipaddr [fedora]\n' "${0##*/}" >&2
exit 2 exit 2
fi fi
if [ -z "${LIBVIRT_DEFAULT_URI}" ]; then
printf 'LIBVIRT_DEFAULT_URI environment variable must be set\n' >&2 ansible-playbook -l samba-dc facts.yml --become || exit
exit 1
fi
wordlist=$( wordlist=$(
python -c 'from diceware.wordlist import *;print(get_wordlist_path("en_eff"))' python -c 'from diceware.wordlist import *;print(get_wordlist_path("en_eff"))'
) )
name=dc-$(sort -R "${wordlist}" | awk '{if(length($2) < 13){print $2;exit}}') name=dc-$(sort -R "${wordlist}" | awk '{if(length($2) < 13){print $2;exit}}')
printf 'Creating VM %s : watch progress with\n' "${name}" ./newvm.sh "${name}" \
printf ' virsh -c %s console %s\n' "$(virsh uri)" "${name}" --ip-address "${ipaddr}/26" \
virt-install \ --nameserver 172.30.0.1 \
--name ${name} \ ${fedora:+--fedora} ${fedora} \
--memory 2048 \ --kickstart 'http://pxe.pyrocufflink.blue/kickstart/master/fedora-dc.ks' \
--vcpus 2 \ --network network=prod \
--cpu host \ --domain pyrocufflink.blue \
--location http://dl.fedoraproject.org/pub/fedora/linux/releases/${fedora}/Everything/x86_64/os \ --group samba-dc \
--extra-args "ip=${ipaddr}::172.30.0.1:255.255.255.192:${name}::none:172.30.0.1 inst.notmux inst.proxy=${http_proxy} inst.ks=http://rosalina.pyrocufflink.blue/~dustin/kickstart/fedora-dc.ks console=ttyS0 quiet systemd.show_status=1" \ --no-console \
--os-variant fedora$(rpm -E %fedora) \
--disk pool=default,size=16,cache=none \
--network network=prod,model=virtio \
--graphics none \
--sound none \
--redirdev none \
--rng /dev/urandom \
--noautoconsole \
--wait -1 \
|| exit || exit
printf 'Waiting for %s to come up ...\n' "${name}" printf 'Waiting for %s to come up ...\n' "${name}"
until ssh -l root "${ipaddr}" : >/dev/null 2>&1; do sleep 10; done until ssh -l root "${ipaddr}" : >/dev/null 2>&1; do sleep 10; done
ansible-playbook -l samba-dc facts.yml || exit bootstrap_vars=host_vars/"${name}".pyrocufflink.blue/_bootstrap.yml
trap 'rm -fv "${bootstrap_vars}"' INT TERM EXIT QUIT
mkdir -p "${bootstrap_vars%/*}"
cat > "${bootstrap_vars}" <<EOF # lang: yaml
ansible_host: '${ipaddr}'
ansible_become: false
ansible_user: root
EOF
sed -i \ if [ -f .env ]; then
-e "/\[pyrocufflink\]/a${name}.pyrocufflink.blue ansible_host=${ipaddr} ansible_user=root ansible_become=false" \ set -a
-e "/\[samba-dc\]/a${name}.pyrocufflink.blue" \ . ./.env
hosts \ set +a
|| exit fi
ANSIBLE_STDOUT_CALLBACK=community.general.default_without_diff \
ansible-playbook -l "${name}".pyrocufflink.blue \ ansible-playbook -l "${name}".pyrocufflink.blue \
--become \ --become \
create-dc.yml --diff \
create-dc.yml \
-e @join.creds -e @join.creds
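Review bot: `ipaddr` is only checked for being non-empty by the `-z` test at the top, yet the new code places it inside a single-quoted YAML scalar in the `_bootstrap.yml` here-doc and in the `--ip-address "${ipaddr}/26"` argument to `newvm.sh`, so a malformed value fails late and with an unrelated-looking error; a shape check before the facts playbook runs, e.g. `case ${ipaddr} in *[!0-9.]*) printf 'invalid ipaddr: %s\n' "${ipaddr}" >&2; exit 2 ;; esac`, keeps the script from touching libvirt or writing host_vars with bad input. The `${fedora:+--fedora} ${fedora}` pair is unquoted and relies on the value being a single word; `${fedora:+--fedora "${fedora}"}` expresses the same optional-argument intent in one expansion. The `trap ... INT TERM EXIT QUIT` handler removes the bootstrap file but does not itself exit, so on a POSIX sh an interrupted step runs the cleanup and then continues to the next command with the file already gone — `trap 'rm -fv "${bootstrap_vars}"' EXIT` plus `trap 'exit 130' INT TERM QUIT` avoids that. Note also that `.env` is sourced only after the `facts.yml --become` run and after the VM is created; if it carries settings that run needs (which I cannot tell from here), the `set -a; . ./.env; set +a` block should move above it.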


@@ -1,6 +1,3 @@
- import_playbook: bootstrap.yml - import_playbook: host-setup.yml
- import_playbook: pyrocufflink.yml
- import_playbook: promtail.yml - import_playbook: samba-dc.yml
- import_playbook: domain-controller.yml
- import_playbook: collectd.yml
- import_playbook: auto-updates.yml


@@ -0,0 +1 @@
krb5_realm: PYROCUFFLINK.BLUE


@@ -1,6 +1,5 @@
ansible_become_method: sudo ansible_become_method: sudo
krb5_realm: PYROCUFFLINK.BLUE
samba_security: ads samba_security: ads
samba_use_winbind: true samba_use_winbind: true
pam_winbind: true pam_winbind: true

4
hosts

@@ -194,6 +194,10 @@ pxe0.pyrocufflink.blue
smtp1.pyrocufflink.blue smtp1.pyrocufflink.blue
web0.pyrocufflink.blue web0.pyrocufflink.blue
[pyrocufflink-ad:children]
samba-dc
pyrocufflink
[pyrocufflink-dhcp] [pyrocufflink-dhcp]
[radius:children] [radius:children]