
Merge branch 'main' of ssh://git.libreschool.org:1022/paspo/brasatore into main

This commit is contained in:
Paolo Asperti 2023-10-27 10:44:01 +02:00
commit 646b4804de
Signed by: paspo
GPG Key ID: 06D46905D19D5182
26 changed files with 404 additions and 203 deletions

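--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+hosts.ini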


@ -21,4 +21,6 @@ Questo coso fa da gateway+dhcp+dns per una rete e tramite PXE ti permette di ins
| zorin lite | ✅ | ✅ |
| opensuse | ✅ | ✅ |
| freedos | ❌ | ✅ |
| netboot.xyz | ❌ | ✅ |
| netboot.xyz | ✅ | ✅ |
FreeDOS: funziona solo su BIOS, by design, non ci possiamo fare nulla. [more info](http://wiki.freedos.org/wiki/index.php/UEFI)

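--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+retry_files_enabled = False
+host_key_checking=False
+inventory=hosts.ini
+roles_path=roles
+pipelining=True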
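Review bot: `host_key_checking=False` (third line of the file) disables SSH host-key verification for every play, so the control node will hand its root session, and the authorized key the role installs, to whatever answers at the inventory address, including a host that has been swapped or is being impersonated on the path. With a single fixed target the safer setup is to drop that line and put the target's host key into the control node's known_hosts before the first run. If the line has to stay for throw-away test VMs, a comment on it should say so, e.g. `# test VMs are re-imaged often; keys are pre-seeded in production`.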

hosts.ini.example Normal file

@ -0,0 +1,15 @@
[all:vars]
ansible_connection=ssh
ansible_user=root
hostname=brasatore
lan_iface=eth0
wan_iface=wlan0
dhcp_start=172.16.77.50
dhcp_end=172.16.77.150
lan_ip=172.16.77.1
lan_subnet=255.255.255.0
ssh_key=https://github.com/paspo.keys
[default]
192.168.1.22 hostname=brasatore-test LAN_IFACE=ens224 WAN_IFACE=ens192
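Review bot: The per-host overrides on the last line are spelled `LAN_IFACE=ens224 WAN_IFACE=ens192`, while `[all:vars]` and the templates (rules.v4, dnsmasq/*) use lowercase `lan_iface` / `wan_iface`; Ansible variable names are case-sensitive, so the test host keeps `eth0` / `wlan0` and the firewall is rendered for the wrong interfaces, which with the `INPUT DROP` policy can lock the host out of SSH. The line should read `192.168.1.22 hostname=brasatore-test lan_iface=ens224 wan_iface=ens192`. The uppercase names look like a leftover of the deleted shell script's variables.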


@ -1,202 +0,0 @@
#!/bin/bash
LAN_IFACE=ens224
WAN_IFACE=ens192
HOSTNAME=brasatore
DHCP_START=172.16.77.50
DHCP_END=172.16.77.150
LAN_IP=172.16.77.1
LAN_SUBNET=255.255.255.0
# pacchetti
cat >/etc/apt/sources.list <<EOF
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
EOF
apt update
apt install -y dnsmasq nginx iptables ipxe syslinux-common unzip nfs-kernel-server
# directory
mkdir -p /srv/pxe/iso /srv/pxe/mount /srv/tftp
# nginx config
cat > /etc/nginx/sites-available/pxe <<EOF
server {
listen 80 default_server;
listen [::]:80 default_server;
root /srv/pxe;
location / {
autoindex on;
}
}
EOF
[ -f /etc/nginx/sites-enabled/default ] && rm /etc/nginx/sites-enabled/default
[ ! -f /etc/nginx/sites-enabled/pxe ] && ln -s /etc/nginx/sites-available/pxe /etc/nginx/sites-enabled/pxe
service nginx restart
# hostname
echo "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname
cat > /etc/hosts <<EOF
127.0.0.1 localhost
127.0.1.1 $HOSTNAME
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF
# network
cat > /etc/network/interfaces.d/lan <<EOF
auto $LAN_IFACE
iface $LAN_IFACE inet static
address $LAN_IP
netmask $LAN_SUBNET
EOF
ifup $LAN_IFACE
# routing/firewall
iptables -t nat -F
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -p icmp -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $LAN_IFACE -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 67 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 69 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 111 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 4047 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 4047 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 4048 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 4048 -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -j REJECT
iptables -P INPUT DROP
iptables-save > /etc/iptables.rules
cat > /etc/network/if-pre-up.d/iptables <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ipv4_forward.conf
# dnsmasq config
cat > /etc/dnsmasq.d/tftp <<EOF
enable-tftp
tftp-root=/srv/tftp
tftp-no-fail
EOF
cat > /etc/dnsmasq.d/dhcp <<EOF
dhcp-range=$DHCP_START,$DHCP_END,4h
dhcp-option=option:router,$LAN_IP
dhcp-option=option:dns-server,$LAN_IP
dhcp-authoritative
log-dhcp
EOF
cat > /etc/dnsmasq.d/dns <<EOF
bogus-priv
no-resolv
server=9.9.9.9
server=1.1.1.2
expand-hosts
log-queries
EOF
service dnsmasq restart
# netboot.xyz (alternativa 1)
#cat > /etc/dnsmasq.d/pxe <<EOF
#dhcp-match=set:bios,option:client-arch,0
#dhcp-boot=tag:bios,netboot.xyz.kpxe
#dhcp-boot=tag:!bios,netboot.xyz.efi
#EOF
#wget -c -O /srv/tftp/netboot.xyz.kpxe http://boot.netboot.xyz/ipxe/netboot.xyz.kpxe
#wget -c -O /srv/tftp/netboot.xyz.efi http://boot.netboot.xyz/ipxe/netboot.xyz.efi
#service dnsmasq restart
# ipxe (alternativa 2)
#cat > /etc/dnsmasq.d/pxe <<EOF
#dhcp-match=set:bios,option:client-arch,0
#dhcp-boot=tag:bios,undionly.kpxe
#dhcp-boot=tag:!bios,ipxe.efi
#dhcp-match=ipxe,175
#dhcp-boot=net:ipxe,http://$LAN_IP/boot-netboot.txt
#EOF
#cat > /srv/pxe/boot-netboot.txt <<EOF
##!ipxe
#dhcp
#chain --autofree http://boot.netboot.xyz
#EOF
#[ ! -f /srv/tftp/undionly.kpxe ] && cp /usr/lib/ipxe/undionly.kpxe /srv/tftp/undionly.kpxe
#[ ! -f /srv/tftp/ipxe.efi ] && cp /usr/lib/ipxe/ipxe.efi /srv/tftp/ipxe.efi
#service dnsmasq restart
# nfs
sed -i 's/^RPCMOUNTDOPTS.*/RPCMOUNTDOPTS="--manage-gids --port 4047"/' /etc/default/nfs-kernel-server
cat > /etc/exports <<EOF
/srv/pxe ${LAN_IP}/${LAN_SUBNET}(ro,async,no_root_squash,no_subtree_check,crossmnt)
EOF
exportfs -r
# questo è da fare meglio in modo che sia ripetibile
cat >> /etc/services <<EOF
mountd 4047/tcp
mountd 4047/udp
lockd 4048/tcp
lockd 4048/udp
EOF
# ipxe OK
cat > /etc/dnsmasq.d/pxe <<EOF
dhcp-match=set:bios,option:client-arch,0
dhcp-boot=tag:bios,undionly.kpxe
dhcp-boot=tag:!bios,ipxe.efi
dhcp-match=ipxe,175
dhcp-boot=net:ipxe,http://$LAN_IP/boot.txt
EOF
[ ! -f /srv/tftp/undionly.kpxe ] && cp /usr/lib/ipxe/undionly.kpxe /srv/tftp/undionly.kpxe
[ ! -f /srv/tftp/ipxe.efi ] && cp /usr/lib/ipxe/ipxe.efi /srv/tftp/ipxe.efi
[ ! -f /srv/pxe/memdisk ] && cp /usr/lib/syslinux/memdisk /srv/pxe/memdisk
if [ ! -f /srv/pxe/iso/freedos.iso] ; then
wget -c -O /tmp/FD13-LiveCD.zip https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.3/official/FD13-LiveCD.zip
unzip /tmp/FD13-LiveCD.zip -d /srv/pxe/iso/ *.iso && rm /tmp/FD13-LiveCD.zip
fi
# memtest: https://www.memtest.org/download/v6.20/mt86plus_6.20.binaries.zip
# mount on boot
cat > /etc/systemd/system/mount-isos.service <<EOF
[Unit]
Description=Mount ISOs
[Service]
ExecStart=/srv/pxe/mount/mount-all.sh
[Install]
WantedBy=multi-user.target
EOF
cat > /srv/pxe/mount/mount-all.sh <<EOF
#!/bin/bash
montami() {
B=\$(basename \$1)
mount "/srv/pxe/iso/\$B" "/srv/pxe/mount/\$B"
echo "mounted '/srv/pxe/iso/\$B' on '/srv/pxe/mount/\$B'"
}
export -f montami
find /srv/pxe/mount/ -mindepth 1 -maxdepth 1 -type d -exec bash -c 'montami "\$0"' {} \;
EOF
chmod u+x /srv/pxe/mount/mount-all.sh
systemctl enable mount-isos

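--- a/playbook.yml
+++ b/playbook.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - pxeserver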


@ -0,0 +1,26 @@
---
- name: reboot
reboot:
become: true
- name: nginx_restart
service:
name: nginx
state: restarted
become: true
- name: dnsmasq_restart
service:
name: dnsmasq
state: restarted
become: true
- name: nfs_reload_exports
shell: exportfs -r
become: true
- name: nfs_restart
service:
name: nfs-kernel-server
state: restarted
become: true
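Review bot: The `nfs_reload_exports` handler runs `exportfs -r` through `shell:` although the command needs no shell features; `command: exportfs -r` avoids the extra shell layer and is what ansible-lint expects. The `reboot` handler is notified by the /etc/hosts template task in common.yml, so every edit to that template reboots the gateway; if it is there to apply the hostname, the `hostname` module in common.yml would do that without a reboot.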


@ -0,0 +1,83 @@
---
- name: Set up multiple authorized keys
authorized_key:
user: root
state: present
key: "{{ ssh_key }}"
- name: Set hostname
template:
src: etc_hostname
dest: /etc/hostname
owner: root
group: root
mode: "0644"
become: true
- name: Set hostname (hosts file)
template:
src: etc_hosts
dest: /etc/hosts
owner: root
group: root
mode: "0644"
become: true
notify: reboot
- name: Updating package cache
apt:
update_cache: yes
cache_valid_time: 3600
become: true
ignore_errors: true
- name: Installing common packages
apt:
name:
[
"htop",
"screen",
"ntpdate",
"unattended-upgrades",
"dnsmasq",
"nginx",
"iptables",
"ipxe",
"syslinux-common",
"unzip",
"nfs-kernel-server",
"iptables-persistent"
]
state: latest
become: true
ignore_errors: true
- name: Upgrade all packages to the latest version
apt:
name: "*"
state: latest
become: true
ignore_errors: true
- name: Configure NTP
ini_file:
path: /etc/systemd/timesyncd.conf
section: Time
option: NTP
value: pool.ntp.org
become: true
- name: sets the timezone
timezone:
name: "Europe/Rome"
become: true
- name: Create storage directories
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0755"
with_items:
- /srv/pxe/iso
- /srv/pxe/mount
- /srv/tftp
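Review bot: `ignore_errors: true` on "Installing common packages" and "Upgrade all packages" means a failed install of dnsmasq, nginx, iptables or nfs-kernel-server is only logged and the play continues into the tasks that depend on them (templates into /etc/dnsmasq.d, `iptables-restore`, `exportfs`), so the first real failure surfaces far from its cause; keep `ignore_errors` on the cache update if offline runs must be tolerated, but remove it from the two install/upgrade tasks. "Set up multiple authorized keys" and "Create storage directories" are the only tasks here without `become: true`; they work solely because the inventory connects as root, so either add it for consistency or drop `become` throughout the role. `unattended-upgrades` is installed but nothing here enables it — a one-line comment saying whether that is deliberate would help.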


@ -0,0 +1,30 @@
---
- name: DNSMASQ dhcp
template:
src: dnsmasq/dhcp
dest: /etc/dnsmasq.d/dhcp
owner: root
group: root
mode: "0644"
become: true
notify: dnsmasq_restart
- name: DNSMASQ tftp
template:
src: dnsmasq/tftp
dest: /etc/dnsmasq.d/tftp
owner: root
group: root
mode: "0644"
become: true
notify: dnsmasq_restart
- name: DNSMASQ dns
template:
src: dnsmasq/dns
dest: /etc/dnsmasq.d/dns
owner: root
group: root
mode: "0644"
become: true
notify: dnsmasq_restart
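Review bot: The three tasks differ only in the file name; one `template` task with `loop: [dhcp, tftp, dns]`, `src: "dnsmasq/{{ item }}"` and `dest: "/etc/dnsmasq.d/{{ item }}"` keeps owner, mode, `become` and the `notify` in a single place so later edits cannot drift between copies. That single task is also the natural place for `validate: "dnsmasq --test --conf-file=%s"`, which rejects a broken fragment before the restart handler takes the DNS/DHCP service down.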


@ -0,0 +1,35 @@
---
- name: FIREWALL rules
template:
src: rules.v4
dest: /etc/iptables/rules.v4
owner: root
group: root
mode: "0644"
become: true
# notify: nfs_reload_exports
- name: FIREWALL rules restore
shell: iptables-restore /etc/iptables/rules.v4
- name: FIREWALL enable IPv4 forward
sysctl:
name: net.ipv4.ip_forward
value: "1"
sysctl_file: /etc/sysctl.d/ipv4_forward.conf
sysctl_set: yes
state: present
reload: yes
ignoreerrors: yes
- name: FIREWALL disable IPv6
sysctl:
name: net.ipv6.conf.all.disable_ipv6
value: "1"
sysctl_file: /etc/sysctl.d/disable_ipv6.conf
sysctl_set: yes
state: present
reload: yes
ignoreerrors: yes
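Review bot: "FIREWALL rules restore" runs `iptables-restore` on every play through `shell:` and without `become: true`, and the commented `# notify: nfs_reload_exports` above it looks like a leftover copied from nfs.yml. Make the restore a handler (`command: iptables-restore /etc/iptables/rules.v4` with `become: true`, or `command: netfilter-persistent reload` since iptables-persistent is installed by common.yml) and notify it from the template task, so the ruleset is reloaded exactly when rules.v4 changes. The two sysctl tasks also lack `become: true`, and their `ignoreerrors: yes` hides an unknown key, which for `net.ipv4.ip_forward` would leave the gateway silently non-forwarding.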


@ -0,0 +1,31 @@
---
- name: IPXE dnsmasq
template:
src: dnsmasq/pxe
dest: /etc/dnsmasq.d/pxe
owner: root
group: root
mode: "0644"
become: true
- name: IPXE bios firmware
ansible.builtin.file:
src: /usr/lib/ipxe/undionly.kpxe
dest: /srv/tftp/undionly.kpxe
state: link
become: true
- name: IPXE efi firmware
ansible.builtin.file:
src: /usr/lib/ipxe/ipxe.efi
dest: /srv/tftp/ipxe.efi
state: link
become: true
- name: IPXE memdisk
ansible.builtin.file:
src: /usr/lib/syslinux/memdisk
dest: /srv/pxe/memdisk
state: link
become: true
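Review bot: "IPXE dnsmasq" writes /etc/dnsmasq.d/pxe but, unlike the three tasks in dns.yml, carries no `notify: dnsmasq_restart`, so a changed boot configuration is not picked up until something else restarts dnsmasq; add `notify: dnsmasq_restart` after its `become: true`. The firmware tasks now symlink /usr/lib/ipxe/* and /usr/lib/syslinux/memdisk into the served trees where the deleted script copied them; that keeps them in step with package upgrades, but the links dangle if the ipxe or syslinux-common package is removed, which is worth a comment on the tasks.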


@ -0,0 +1,25 @@
---
- name: ISO script
template:
src: iso/mount-all.sh
dest: /srv/pxe/mount/mount-all.sh
owner: root
group: root
mode: "0755"
become: true
- name: ISO service
template:
src: iso/mount-isos.service
dest: /etc/systemd/system/mount-isos.service
owner: root
group: root
mode: "0644"
become: true
- name: ISO Enable service
service:
name: mount-isos
enabled: yes
become: true
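Review bot: "ISO Enable service" only sets `enabled: yes`, so on a fresh run nothing under /srv/pxe/mount is mounted until the next reboot while nginx and NFS already serve the empty mount points; add `state: started` to the same task. Because "ISO service" writes a new unit file, the `service` module may also need a daemon-reload before the start; using the `systemd` module with `daemon_reload: yes` covers both.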


@ -0,0 +1,9 @@
---
- include: common.yml
- include: nginx.yml
- include: dns.yml
- include: nfs.yml
- include: firewall.yml
- include: iso.yml
- include: ipxe.yml
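Review bot: `include:` for task files has been deprecated since Ansible 2.4 and is removed in recent ansible-core releases, so this role stops loading on a current control node; replace each line with `- import_tasks: common.yml` and so on (static import is what is wanted here). The order also appears to run nginx.yml and nfs.yml before firewall.yml, so the services come up under whatever rules the host had before the play reaches the firewall; acceptable for a one-shot install, but a comment should say so if it is intended.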


@ -0,0 +1,31 @@
---
- name: NFS rpcmountd options
lineinfile:
path: /etc/default/nfs-kernel-server
regexp: '^RPCMOUNTDOPTS='
line: 'RPCMOUNTDOPTS="--manage-gids --port 4047"'
become: true
notify: nfs_restart
- name: NFS services ports
lineinfile:
path: /etc/services
line: "{{ item }}"
with_items:
- mountd 4047/tcp
- mountd 4047/udp
- lockd 4048/tcp
- lockd 4048/udp
become: true
notify: nfs_restart
- name: NFS exports
template:
src: nfs_exports
dest: /etc/exports
owner: root
group: root
mode: "0644"
become: true
notify: nfs_reload_exports
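Review bot: "NFS services ports" appends `lockd 4048/tcp|udp` to /etc/services, but as far as I can tell the kernel lockd does not take its port from /etc/services — it is set via `fs.nfs.nlm_tcpport` / `fs.nfs.nlm_udpport` — so the 4048 rules in rules.v4 may never match the port lockd actually uses; please confirm on the target, and if so set those sysctls with the `sysctl` module as firewall.yml already does for ip_forward. The `mountd` entries likewise appear redundant with `--port 4047` in RPCMOUNTDOPTS, which is what pins that port. The two port numbers are repeated in three places (here, RPCMOUNTDOPTS and rules.v4); role variables `nfs_mountd_port` / `nfs_lockd_port` would keep them in step.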


@ -0,0 +1,23 @@
---
- name: NGINX site config
template:
src: nginx.conf
dest: /etc/nginx/sites-available/pxe
owner: root
group: root
mode: "0644"
become: true
notify: nginx_restart
- name: NGINX remove default config
ansible.builtin.file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: nginx_restart
- name: NGINX enable site
ansible.builtin.file:
src: /etc/nginx/sites-available/pxe
dest: /etc/nginx/sites-enabled/pxe
state: link
notify: nginx_restart
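Review bot: "NGINX remove default config" and "NGINX enable site" have no `become: true` while the site-config task above them does; they succeed only because the inventory connects as root, so the role breaks as soon as an unprivileged `ansible_user` is used — add `become: true` to both. The template task could also carry `validate: "nginx -t -c %s"`-style checking only for a full config, so the safer option here is a `nginx -t` `command` task before the restart handler.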


@ -0,0 +1,5 @@
dhcp-range={{ dhcp_start }},{{ dhcp_end }},4h
dhcp-option=option:router,{{ lan_ip }}
dhcp-option=option:dns-server,{{ lan_ip }}
dhcp-authoritative
log-dhcp


@ -0,0 +1,6 @@
bogus-priv
no-resolv
server=9.9.9.9
server=1.1.1.2
expand-hosts
log-queries
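Review bot: This DNS fragment has no `interface=` / `bind-interfaces` (or `listen-address=`) line, so dnsmasq answers DNS on every interface including the WAN one, and rules.v4 accepts port 53 without an `-i` restriction; together that makes the gateway an open resolver on the WAN side. Add `interface={{ lan_iface }}` and `bind-interfaces` here — they scope the DHCP and TFTP listeners of the same dnsmasq instance as well — and `local-service` is a cheap second guard that only answers hosts on directly attached subnets. `log-queries` writes every client lookup to syslog; fine while debugging, but either comment it as such or drop it for normal operation.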


@ -0,0 +1,5 @@
dhcp-match=set:bios,option:client-arch,0
dhcp-boot=tag:bios,undionly.kpxe
dhcp-boot=tag:!bios,ipxe.efi
dhcp-match=ipxe,175
dhcp-boot=net:ipxe,http://{{ lan_ip }}/boot.txt


@ -0,0 +1,3 @@
enable-tftp
tftp-root=/srv/tftp
tftp-no-fail


@ -0,0 +1 @@
{{ hostname }}


@ -0,0 +1,6 @@
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 {{ hostname }}


@ -0,0 +1,9 @@
#!/bin/bash
montami() {
B=$(basename $1)
mount "/srv/pxe/iso/$B" "/srv/pxe/mount/$B"
echo "mounted '/srv/pxe/iso/$B' on '/srv/pxe/mount/$B'"
}
export -f montami
find /srv/pxe/mount/ -mindepth 1 -maxdepth 1 -type d -exec bash -c 'montami "$0"' {} \;
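Review bot: `montami` passes `$1` unquoted to `basename` and ignores the exit status of `mount`, so a mount-point directory with a space in its name, or one whose ISO is missing from /srv/pxe/iso, produces a shell error or a silent failure that `find -exec … \;` swallows, and the unit reports success with nothing mounted. The rewrite below quotes the argument, checks that the ISO exists, mounts it read-only and returns non-zero on failure; the `export -f` and `find` lines are unchanged.
```shell
montami() {
  local b
  b=$(basename -- "$1")
  if [[ ! -f "/srv/pxe/iso/$b" ]]; then
    echo "no ISO for mount point '/srv/pxe/mount/$b'" >&2
    return 1
  fi
  mount -o ro "/srv/pxe/iso/$b" "/srv/pxe/mount/$b" || return 1
  echo "mounted '/srv/pxe/iso/$b' on '/srv/pxe/mount/$b'"
}
# … unchanged: export -f montami and the find loop …
```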


@ -0,0 +1,8 @@
[Unit]
Description=Mount ISOs
[Service]
ExecStart=/srv/pxe/mount/mount-all.sh
[Install]
WantedBy=multi-user.target
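Review bot: The unit has no `Type=` and no ordering, so systemd treats mount-all.sh as a simple service that is active only while the script runs, and nothing stops nfs-server.service or nginx.service from starting before the ISOs are mounted; with `crossmnt` in /etc/exports the PXE clients then see empty directories. Add `Type=oneshot` and `RemainAfterExit=yes` under [Service], and `After=local-fs.target` plus `Before=nfs-server.service nginx.service` under [Unit], so the mounts are in place before the servers export them.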


@ -0,0 +1 @@
/srv/pxe {{ lan_ip }}/{{ lan_subnet }}(ro,async,no_root_squash,no_subtree_check,crossmnt)
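Review bot: The export grants `no_root_squash` on a read-only share; PXE installer clients only read the mounted ISOs, so the default root squash is enough, and the option lets any host in the LAN subnet read /srv/pxe as uid 0, including anything root-only that ends up in the tree. Drop `no_root_squash` unless a client is known to need it, and `async` has no benefit on an `ro` export, so the line can be `/srv/pxe {{ lan_ip }}/{{ lan_subnet }}(ro,no_subtree_check,crossmnt)`.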


@ -0,0 +1,8 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
root /srv/pxe;
location / {
autoindex on;
}
}
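Review bot: The server binds `listen 80` on every address, and rules.v4 accepts port 80 without an interface restriction, so the ISO tree with `autoindex on` is browsable from the WAN side as well as from the PXE LAN. Bind it to the LAN address — `listen {{ lan_ip }}:80 default_server;` — and drop the `[::]:80` line, which firewall.yml's disable_ipv6 sysctl appears to make pointless anyway; keep WAN exposure only if remote access to the boot files is intended, and then say so in a comment.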


@ -0,0 +1,30 @@
*filter
:INPUT DROP [2:72]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8441:830478]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -j ACCEPT
-A INPUT ! -i {{ lan_iface }} -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 67 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 4047 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 4047 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 4048 -j ACCEPT
-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 4048 -j ACCEPT
-A FORWARD -i {{ lan_iface }} -o {{ lan_iface }} -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [72:10770]
:INPUT ACCEPT [68:10030]
:OUTPUT ACCEPT [39:2999]
:POSTROUTING ACCEPT [1:84]
-A POSTROUTING -o {{ wan_iface }} -j MASQUERADE
COMMIT
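Review bot: `-A INPUT ! -i {{ lan_iface }} -m state --state NEW -j ACCEPT` (seventh line of the filter table) accepts every new connection on every non-LAN interface, so the `:INPUT DROP` policy and the port list below only ever constrain the LAN side and the WAN interface is fully open; the 22/80/53 rules without `-i` are what opens those ports to the LAN, while on the WAN everything is already accepted. If management over the WAN is the intent, replace that rule with per-port accepts on `-i {{ wan_iface }}` (22, and 80/53 only if they must be reachable from there) and let the DROP policy handle the rest. The FORWARD chain has policy ACCEPT with no `--state` distinction; with MASQUERADE on {{ wan_iface }} that matters only if the upstream network can route to the LAN subnet, but a `-A FORWARD -i {{ wan_iface }} -m state --state NEW -j DROP` would make the intent explicit.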