From cce485db54f1a03fa854ee962478d4570187db20 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 1 Dec 2025 10:01:07 -0600
Subject: [PATCH] pikvm: Add role/playbook for PiKVM

PiKVM comes with its own custom Arch Linux-based operating systems. We want to be able to manage it with our configuration policy, especially for setting up authentication, etc. It won't really work with the host-provisioner without some pretty significant changes to the base playbooks, but we can control some bits directly.
---
 group_vars/pikvm.yml | 9 +++++++
 hosts | 2 ++
 pikvm.yml | 19 ++++++++++++++
 roles/pikvm/defaults/main.yml | 6 +++++
 roles/pikvm/files/sshd_config | 2 ++
 roles/pikvm/handlers/main.yml | 4 +++
 roles/pikvm/tasks/main.yml | 48 +++++++++++++++++++++++++++++++++++
 7 files changed, 90 insertions(+)
create mode 100644 group_vars/pikvm.yml
create mode 100644 pikvm.yml
create mode 100644 roles/pikvm/defaults/main.yml
create mode 100644 roles/pikvm/files/sshd_config
create mode 100644 roles/pikvm/handlers/main.yml
create mode 100644 roles/pikvm/tasks/main.yml

diff --git a/group_vars/pikvm.yml b/group_vars/pikvm.yml
new file mode 100644
index 0000000..8efdb36
--- /dev/null
+++ b/group_vars/pikvm.yml
@@ -0,0 +1,9 @@
+root_authorized_keys: |
+ {{ dustin_ssh_keys_sk }}
+
+root_password_hash: ''
+
+pikvm_users:
+- username: dustin
+ password: >-
+ {{ lookup('pipe','rbw get --folder Pyrocufflink ' + ansible_hostname + ' dustin') }}
diff --git a/hosts b/hosts
index 83bf22d..a8ab906 100644
--- a/hosts
+++ b/hosts
@@ -175,6 +175,8 @@ vm-hosts
 chromie.pyrocufflink.blue
 nvr2.pyrocufflink.blue
+[pikvm]
+
 [postgresql]
 db0.pyrocufflink.blue
diff --git a/pikvm.yml b/pikvm.yml
new file mode 100644
index 0000000..281dc85
--- /dev/null
+++ b/pikvm.yml
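Review bot: The `pipe` lookup on the last line of the group_vars hunk builds a shell command on the controller from `ansible_hostname`, a fact reported by the managed host, so the controller runs whatever that host claims its name is; prefer the inventory-controlled name and quote it, `{{ lookup('pipe', 'rbw get --folder Pyrocufflink ' + (inventory_hostname_short | quote) + ' dustin') }}` (if the vault entry really must be keyed on the gathered fact, at least apply `| quote` to `ansible_hostname`). `root_password_hash: ''` is presumably meant to disable root's password; if the base role writes that value verbatim into the shadow entry, an empty field allows password-less root login on the local console or serial port, whereas a locked hash such as `'!'` states the intent unambiguously. Both keys are consumed by roles outside this patch, so confirm their semantics there before changing the value.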
@@ -0,0 +1,19 @@
+- hosts: pikvm
+ pre_tasks:
+ - name: remount rootfs read-write
+ command: rw
+ tags:
+ - remount-rw
+ - remount
+ roles:
+ - role: hostname
+ - role: base
+ - role: pikvm
+ tags:
+ - pikvm
+ tasks:
+ - name: remount rootfs read-only
+ command: ro
+ tags:
+ - remount-ro
+ - remount
diff --git a/roles/pikvm/defaults/main.yml b/roles/pikvm/defaults/main.yml
new file mode 100644
index 0000000..357e2dc
--- /dev/null
+++ b/roles/pikvm/defaults/main.yml
@@ -0,0 +1,6 @@
+pikvm_users: []
+
+pikvm_meta:
+ server:
+ host: '{{ ansible_fqdn }}'
+ kvm: {}
diff --git a/roles/pikvm/files/sshd_config b/roles/pikvm/files/sshd_config
new file mode 100644
index 0000000..f742952
--- /dev/null
+++ b/roles/pikvm/files/sshd_config
@@ -0,0 +1,2 @@
+PermitRootLogin prohibit-password
+PasswordAuthentication no
diff --git a/roles/pikvm/handlers/main.yml b/roles/pikvm/handlers/main.yml
new file mode 100644
index 0000000..46ccb50
--- /dev/null
+++ b/roles/pikvm/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload sshd
+ service:
+ name: sshd
+ state: reloaded
diff --git a/roles/pikvm/tasks/main.yml b/roles/pikvm/tasks/main.yml
new file mode 100644
index 0000000..c8fa24a
--- /dev/null
+++ b/roles/pikvm/tasks/main.yml
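Review bot: The two remount tasks in pikvm.yml carry only the `remount-*`/`remount` tags, so a run limited with `--tags pikvm` skips `command: rw` and the pikvm role then tries to write to a read-only rootfs; add the special tag to both, e.g. `tags: [always, remount-rw, remount]` and `tags: [always, remount-ro, remount]`, so they run under any tag selection. Because `command: ro` sits in `tasks`, a failure anywhere in the roles aborts the play before it runs and leaves the root filesystem writable until the next successful run; that is inherent to the play layout, but a comment above the `ro` task stating it should keep the next maintainer from relying on it. If `rw`/`ro` are idempotent helpers, `changed_when: false` on both also keeps the recap meaningful.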
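Review bot: `PasswordAuthentication no` in the sshd_config drop-in does not by itself stop password logins through PAM keyboard-interactive, so add `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication no` on OpenSSH older than 8.7) for the key-only policy to actually hold. sshd also takes the first value it sees for each keyword, so this file only wins if PiKVM's stock `/etc/ssh/sshd_config` includes `sshd_config.d/*.conf` before it sets these keywords itself; I cannot confirm that from the patch, so check the effective values with `sshd -T` on a host after applying.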
@@ -0,0 +1,48 @@
+- name: ensure sshd is configured for pikvm
+ copy:
+ src: sshd_config
+ dest: /etc/ssh/sshd_config.d/pikvm.conf
+ owner: root
+ group: root
+ mode: u=rw,go=
+ notify:
+ - reload sshd
+
+- name: ensure kvmd-webterm is disabled
+ service:
+ name: kvmd-webterm
+ state: stopped
+ enabled: false
+ tags:
+ - service
+
+- name: ensure pikvm users are configured
+ htpasswd:
+ name: '{{ item.username }}'
+ password: '{{ item.password }}'
+ path: /etc/kvmd/htpasswd
+ hash_scheme: ldap_salted_sha512
+ state: present
+ loop: '{{ pikvm_users }}'
+ loop_control:
+ label: '{{ item.username }}'
+ tags:
+ - htpasswd
+
+- name: ensure pikvm admin user is removed
+ htpasswd:
+ name: admin
+ path: /etc/kvmd/htpasswd
+ state: absent
+ tags:
+ - htpasswd
+
+- name: ensure pikvm meta info is set
+ copy:
+ content: '{{ pikvm_meta | to_nice_yaml(indent=2) }}'
+ dest: /etc/kvmd/meta.yaml
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ tags:
+ - config
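Review bot: `ensure pikvm admin user is removed` runs unconditionally, so with the role default `pikvm_users: []` the play deletes the only web login and leaves the device with no usable account; guard it with `when: pikvm_users | length > 0`, or `assert` that the list is non-empty at the top of the role. The first task installs an sshd drop-in and reloads sshd without checking that it parses; `validate: /usr/sbin/sshd -t -f %s` on that `copy` rejects a broken file before the handler fires (a drop-in holding only those keywords validates standalone). `hash_scheme: ldap_salted_sha512` has to be a scheme kvmd's htpasswd authentication accepts, which this patch gives no way to verify, so a comment naming where that requirement was taken from would help the next maintainer.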