Merge branch 'main' of ssh://git.libreschool.org:1022/paspo/brasatore into main

.gitignore

@@ -0,0 +1 @@
+hosts.ini

README.md

@@ -21,4 +21,6 @@ Questo coso fa da gateway+dhcp+dns per una rete e tramite PXE ti permette di ins
 | zorin lite    | ✅  | ✅   |
 | opensuse      | ✅  | ✅   |
 | freedos       | ❌  | ✅   |
-| netboot.xyz   | ❌  | ✅   |
+| netboot.xyz   | ✅  | ✅   |
+
+FreeDOS: funziona solo su BIOS, by design, non ci possiamo fare nulla. [more info](http://wiki.freedos.org/wiki/index.php/UEFI)

ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+retry_files_enabled = False
+host_key_checking=False
+inventory=hosts.ini
+roles_path=roles
+pipelining=True

hosts.ini.example

@@ -0,0 +1,15 @@
+[all:vars]
+ansible_connection=ssh
+ansible_user=root
+hostname=brasatore
+lan_iface=eth0
+wan_iface=wlan0
+dhcp_start=172.16.77.50
+dhcp_end=172.16.77.150
+lan_ip=172.16.77.1
+lan_subnet=255.255.255.0
+ssh_key=https://github.com/paspo.keys
+
+
+[default]
+192.168.1.22          hostname=brasatore-test LAN_IFACE=ens224 WAN_IFACE=ens192

install.sh

@@ -1,202 +0,0 @@
-#!/bin/bash
-
-LAN_IFACE=ens224
-WAN_IFACE=ens192
-HOSTNAME=brasatore
-DHCP_START=172.16.77.50
-DHCP_END=172.16.77.150
-LAN_IP=172.16.77.1
-LAN_SUBNET=255.255.255.0
-
-# pacchetti
-cat >/etc/apt/sources.list <<EOF
-deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
-deb http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
-EOF
-apt update
-apt install -y dnsmasq nginx iptables ipxe syslinux-common unzip nfs-kernel-server
-
-# directory
-mkdir -p /srv/pxe/iso /srv/pxe/mount /srv/tftp
-
-# nginx config
-cat > /etc/nginx/sites-available/pxe <<EOF
-server {
-	listen 80 default_server;
-	listen [::]:80 default_server;
-	root /srv/pxe;
-	location / {
-		autoindex on;
-	}
-}
-EOF
-[ -f /etc/nginx/sites-enabled/default ] && rm /etc/nginx/sites-enabled/default
-[ ! -f /etc/nginx/sites-enabled/pxe ] && ln -s /etc/nginx/sites-available/pxe /etc/nginx/sites-enabled/pxe
-service nginx restart
-
-# hostname
-echo "$HOSTNAME" > /etc/hostname
-hostname -F /etc/hostname
-cat > /etc/hosts <<EOF
-127.0.0.1	localhost
-127.0.1.1	$HOSTNAME
-# The following lines are desirable for IPv6 capable hosts
-::1     localhost ip6-localhost ip6-loopback
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-EOF
-
-# network
-cat > /etc/network/interfaces.d/lan <<EOF
-auto $LAN_IFACE
-iface $LAN_IFACE inet static
-  address $LAN_IP
-  netmask $LAN_SUBNET
-EOF
-ifup $LAN_IFACE
-
-# routing/firewall
-iptables -t nat -F
-iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
-iptables -F
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A INPUT -m state --state NEW -p icmp -j ACCEPT
-iptables -A INPUT -m state --state NEW ! -i $LAN_IFACE -j ACCEPT
-iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
-iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 67 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 69 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 111 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 111 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 2049 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 2049 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 4047 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 4047 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 4048 -j ACCEPT
-iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 4048 -j ACCEPT
-iptables -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -j REJECT
-iptables -P INPUT DROP
-iptables-save > /etc/iptables.rules
-cat > /etc/network/if-pre-up.d/iptables <<EOF
-#!/bin/sh
-iptables-restore < /etc/iptables.rules
-exit 0
-EOF
-echo 1 > /proc/sys/net/ipv4/ip_forward
-echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ipv4_forward.conf
-
-
-# dnsmasq config
-cat > /etc/dnsmasq.d/tftp <<EOF
-enable-tftp
-tftp-root=/srv/tftp
-tftp-no-fail
-EOF
-cat > /etc/dnsmasq.d/dhcp <<EOF
-dhcp-range=$DHCP_START,$DHCP_END,4h
-dhcp-option=option:router,$LAN_IP
-dhcp-option=option:dns-server,$LAN_IP
-dhcp-authoritative
-log-dhcp
-EOF
-cat > /etc/dnsmasq.d/dns <<EOF
-bogus-priv
-no-resolv
-server=9.9.9.9
-server=1.1.1.2
-expand-hosts
-log-queries
-EOF
-service dnsmasq restart
-
-
-# netboot.xyz (alternativa 1)
-#cat > /etc/dnsmasq.d/pxe <<EOF
-#dhcp-match=set:bios,option:client-arch,0
-#dhcp-boot=tag:bios,netboot.xyz.kpxe 
-#dhcp-boot=tag:!bios,netboot.xyz.efi
-#EOF
-#wget -c -O /srv/tftp/netboot.xyz.kpxe http://boot.netboot.xyz/ipxe/netboot.xyz.kpxe
-#wget -c -O /srv/tftp/netboot.xyz.efi http://boot.netboot.xyz/ipxe/netboot.xyz.efi
-#service dnsmasq restart
-
-# ipxe (alternativa 2)
-#cat > /etc/dnsmasq.d/pxe <<EOF
-#dhcp-match=set:bios,option:client-arch,0
-#dhcp-boot=tag:bios,undionly.kpxe
-#dhcp-boot=tag:!bios,ipxe.efi
-#dhcp-match=ipxe,175
-#dhcp-boot=net:ipxe,http://$LAN_IP/boot-netboot.txt
-#EOF
-#cat > /srv/pxe/boot-netboot.txt <<EOF
-##!ipxe 
-#dhcp
-#chain --autofree http://boot.netboot.xyz
-#EOF
-#[ ! -f /srv/tftp/undionly.kpxe ] && cp /usr/lib/ipxe/undionly.kpxe /srv/tftp/undionly.kpxe
-#[ ! -f /srv/tftp/ipxe.efi ] && cp /usr/lib/ipxe/ipxe.efi /srv/tftp/ipxe.efi
-#service dnsmasq restart
-
-# nfs
-sed -i 's/^RPCMOUNTDOPTS.*/RPCMOUNTDOPTS="--manage-gids --port 4047"/' /etc/default/nfs-kernel-server
-cat > /etc/exports <<EOF
-/srv/pxe ${LAN_IP}/${LAN_SUBNET}(ro,async,no_root_squash,no_subtree_check,crossmnt)
-EOF
-exportfs -r
-# questo è da fare meglio in modo che sia ripetibile
-cat >> /etc/services <<EOF
-mountd 4047/tcp
-mountd 4047/udp
-lockd 4048/tcp
-lockd 4048/udp
-EOF
-
-
-# ipxe OK
-cat > /etc/dnsmasq.d/pxe <<EOF
-dhcp-match=set:bios,option:client-arch,0
-dhcp-boot=tag:bios,undionly.kpxe
-dhcp-boot=tag:!bios,ipxe.efi
-dhcp-match=ipxe,175
-dhcp-boot=net:ipxe,http://$LAN_IP/boot.txt
-EOF
-[ ! -f /srv/tftp/undionly.kpxe ] && cp /usr/lib/ipxe/undionly.kpxe /srv/tftp/undionly.kpxe
-[ ! -f /srv/tftp/ipxe.efi ] && cp /usr/lib/ipxe/ipxe.efi /srv/tftp/ipxe.efi
-[ ! -f /srv/pxe/memdisk ] && cp /usr/lib/syslinux/memdisk /srv/pxe/memdisk
-if [ ! -f /srv/pxe/iso/freedos.iso] ; then
-  wget -c -O /tmp/FD13-LiveCD.zip https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.3/official/FD13-LiveCD.zip
-  unzip /tmp/FD13-LiveCD.zip -d /srv/pxe/iso/ *.iso && rm /tmp/FD13-LiveCD.zip
-fi
-
-
-
-# memtest: https://www.memtest.org/download/v6.20/mt86plus_6.20.binaries.zip
-
-# mount on boot
-cat > /etc/systemd/system/mount-isos.service <<EOF
-[Unit]
-Description=Mount ISOs
-
-[Service]
-ExecStart=/srv/pxe/mount/mount-all.sh
-
-[Install]
-WantedBy=multi-user.target
-EOF
-cat > /srv/pxe/mount/mount-all.sh <<EOF
-#!/bin/bash 
-
-montami() {
-	B=\$(basename \$1)
-	mount "/srv/pxe/iso/\$B" "/srv/pxe/mount/\$B"
-	echo "mounted '/srv/pxe/iso/\$B' on '/srv/pxe/mount/\$B'"
-}
-export -f montami
-find /srv/pxe/mount/ -mindepth 1 -maxdepth 1 -type d -exec bash -c 'montami "\$0"' {} \; 
-
-EOF
-chmod u+x /srv/pxe/mount/mount-all.sh
-systemctl enable mount-isos

playbook.yml

@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - pxeserver

roles/pxeserver/handlers/main.yaml

@@ -0,0 +1,26 @@
+---
+- name: reboot
+  reboot:
+  become: true
+
+- name: nginx_restart
+  service:
+    name: nginx
+    state: restarted
+  become: true
+
+- name: dnsmasq_restart
+  service:
+    name: dnsmasq
+    state: restarted
+  become: true
+
+- name: nfs_reload_exports
+  shell: exportfs -r
+  become: true
+
+- name: nfs_restart
+  service:
+    name: nfs-kernel-server
+    state: restarted
+  become: true

roles/pxeserver/tasks/common.yml

@@ -0,0 +1,83 @@
+---
+- name: Set up multiple authorized keys
+  authorized_key:
+    user: root
+    state: present
+    key: "{{ ssh_key }}"
+
+- name: Set hostname
+  template:
+    src: etc_hostname
+    dest: /etc/hostname
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: Set hostname (hosts file)
+  template:
+    src: etc_hosts
+    dest: /etc/hosts
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify: reboot
+
+- name: Updating package cache
+  apt:
+    update_cache: yes
+    cache_valid_time: 3600
+  become: true
+  ignore_errors: true
+
+- name: Installing common packages
+  apt:
+    name:
+      [
+        "htop",
+        "screen",
+        "ntpdate",
+        "unattended-upgrades",
+        "dnsmasq",
+        "nginx",
+        "iptables",
+        "ipxe",
+        "syslinux-common",
+        "unzip",
+        "nfs-kernel-server",
+        "iptables-persistent"
+      ]
+    state: latest
+  become: true
+  ignore_errors: true
+
+- name: Upgrade all packages to the latest version
+  apt:
+    name: "*"
+    state: latest
+  become: true
+  ignore_errors: true
+
+- name: Configure NTP
+  ini_file:
+    path: /etc/systemd/timesyncd.conf
+    section: Time
+    option: NTP
+    value: pool.ntp.org
+  become: true
+
+- name: sets the timezone
+  timezone:
+    name: "Europe/Rome"
+  become: true
+
+- name: Create storage directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  with_items:
+    - /srv/pxe/iso
+    - /srv/pxe/mount
+    - /srv/tftp

roles/pxeserver/tasks/dns.yml

@@ -0,0 +1,30 @@
+---
+- name: DNSMASQ dhcp
+  template:
+    src: dnsmasq/dhcp
+    dest: /etc/dnsmasq.d/dhcp
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify: dnsmasq_restart
+
+- name: DNSMASQ tftp
+  template:
+    src: dnsmasq/tftp
+    dest: /etc/dnsmasq.d/tftp
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify: dnsmasq_restart
+
+- name: DNSMASQ dns
+  template:
+    src: dnsmasq/dns
+    dest: /etc/dnsmasq.d/dns
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify: dnsmasq_restart

roles/pxeserver/tasks/firewall.yml

@@ -0,0 +1,35 @@
+---
+
+- name: FIREWALL rules
+  template:
+    src: rules.v4
+    dest: /etc/iptables/rules.v4
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  # notify: nfs_reload_exports
+
+- name: FIREWALL rules restore
+  shell: iptables-restore /etc/iptables/rules.v4
+
+- name: FIREWALL enable IPv4 forward
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    sysctl_file: /etc/sysctl.d/ipv4_forward.conf
+    sysctl_set: yes
+    state: present
+    reload: yes
+    ignoreerrors: yes
+
+- name: FIREWALL disable IPv6
+  sysctl:
+    name: net.ipv6.conf.all.disable_ipv6
+    value: "1"
+    sysctl_file: /etc/sysctl.d/disable_ipv6.conf
+    sysctl_set: yes
+    state: present
+    reload: yes
+    ignoreerrors: yes
+    

roles/pxeserver/tasks/ipxe.yml

@@ -0,0 +1,31 @@
+---
+
+- name: IPXE dnsmasq
+  template:
+    src: dnsmasq/pxe
+    dest: /etc/dnsmasq.d/pxe
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: IPXE bios firmware
+  ansible.builtin.file:
+    src: /usr/lib/ipxe/undionly.kpxe
+    dest: /srv/tftp/undionly.kpxe
+    state: link
+  become: true
+
+- name: IPXE efi firmware
+  ansible.builtin.file:
+    src: /usr/lib/ipxe/ipxe.efi
+    dest: /srv/tftp/ipxe.efi
+    state: link
+  become: true
+
+- name: IPXE memdisk
+  ansible.builtin.file:
+    src: /usr/lib/syslinux/memdisk
+    dest: /srv/pxe/memdisk
+    state: link
+  become: true

roles/pxeserver/tasks/iso.yml

@@ -0,0 +1,25 @@
+---
+
+- name: ISO script
+  template:
+    src: iso/mount-all.sh
+    dest: /srv/pxe/mount/mount-all.sh
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: ISO service
+  template:
+    src: iso/mount-isos.service
+    dest: /etc/systemd/system/mount-isos.service
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: ISO Enable service 
+  service:
+    name: mount-isos
+    enabled: yes
+  become: true

roles/pxeserver/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+
+- include: common.yml  
+- include: nginx.yml  
+- include: dns.yml
+- include: nfs.yml
+- include: firewall.yml
+- include: iso.yml
+- include: ipxe.yml

roles/pxeserver/tasks/nfs.yml

@@ -0,0 +1,31 @@
+---
+
+- name: NFS rpcmountd options
+  lineinfile:
+    path: /etc/default/nfs-kernel-server
+    regexp: '^RPCMOUNTDOPTS='
+    line: 'RPCMOUNTDOPTS="--manage-gids --port 4047"'
+  become: true
+  notify: nfs_restart
+
+- name: NFS services ports
+  lineinfile:
+    path: /etc/services
+    line: "{{ item }}"
+  with_items:
+    - mountd 4047/tcp
+    - mountd 4047/udp
+    - lockd 4048/tcp
+    - lockd 4048/udp
+  become: true
+  notify: nfs_restart
+
+- name: NFS exports
+  template:
+    src: nfs_exports
+    dest: /etc/exports
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify: nfs_reload_exports

roles/pxeserver/tasks/nginx.yml

@@ -0,0 +1,23 @@
+---
+- name: NGINX site config
+  template:
+    src: nginx.conf
+    dest: /etc/nginx/sites-available/pxe
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify: nginx_restart
+
+- name: NGINX remove default config
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: nginx_restart
+
+- name: NGINX enable site
+  ansible.builtin.file:
+    src: /etc/nginx/sites-available/pxe
+    dest: /etc/nginx/sites-enabled/pxe
+    state: link
+  notify: nginx_restart

roles/pxeserver/templates/dnsmasq/dhcp

@@ -0,0 +1,5 @@
+dhcp-range={{ dhcp_start }},{{ dhcp_end }},4h
+dhcp-option=option:router,{{ lan_ip }}
+dhcp-option=option:dns-server,{{ lan_ip }}
+dhcp-authoritative
+log-dhcp

roles/pxeserver/templates/dnsmasq/dns

@@ -0,0 +1,6 @@
+bogus-priv
+no-resolv
+server=9.9.9.9
+server=1.1.1.2
+expand-hosts
+log-queries

roles/pxeserver/templates/dnsmasq/pxe

@@ -0,0 +1,5 @@
+dhcp-match=set:bios,option:client-arch,0
+dhcp-boot=tag:bios,undionly.kpxe
+dhcp-boot=tag:!bios,ipxe.efi
+dhcp-match=ipxe,175
+dhcp-boot=net:ipxe,http://{{ lan_ip }}/boot.txt

roles/pxeserver/templates/dnsmasq/tftp

@@ -0,0 +1,3 @@
+enable-tftp
+tftp-root=/srv/tftp
+tftp-no-fail

roles/pxeserver/templates/etc_hostname

@@ -0,0 +1 @@
+{{ hostname }}

roles/pxeserver/templates/etc_hosts

@@ -0,0 +1,6 @@
+127.0.0.1	localhost
+::1		localhost ip6-localhost ip6-loopback
+ff02::1		ip6-allnodes
+ff02::2		ip6-allrouters
+
+127.0.1.1		{{ hostname }}

roles/pxeserver/templates/iso/mount-all.sh

@@ -0,0 +1,9 @@
+#!/bin/bash 
+
+montami() {
+	B=$(basename $1)
+	mount "/srv/pxe/iso/$B" "/srv/pxe/mount/$B"
+	echo "mounted '/srv/pxe/iso/$B' on '/srv/pxe/mount/$B'"
+}
+export -f montami
+find /srv/pxe/mount/ -mindepth 1 -maxdepth 1 -type d -exec bash -c 'montami "$0"' {} \; 

roles/pxeserver/templates/iso/mount-isos.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=Mount ISOs
+
+[Service]
+ExecStart=/srv/pxe/mount/mount-all.sh
+
+[Install]
+WantedBy=multi-user.target

roles/pxeserver/templates/nfs_exports

@@ -0,0 +1 @@
+/srv/pxe {{ lan_ip }}/{{ lan_subnet }}(ro,async,no_root_squash,no_subtree_check,crossmnt)

roles/pxeserver/templates/nginx.conf

@@ -0,0 +1,8 @@
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+	root /srv/pxe;
+	location / {
+		autoindex on;
+	}
+}

roles/pxeserver/templates/rules.v4

@@ -0,0 +1,30 @@
+*filter
+:INPUT DROP [2:72]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [8441:830478]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -m state --state NEW -j ACCEPT
+-A INPUT ! -i {{ lan_iface }} -m state --state NEW -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
+-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 67 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 4047 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 4047 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 4048 -j ACCEPT
+-A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 4048 -j ACCEPT
+-A FORWARD -i {{ lan_iface }} -o {{ lan_iface }} -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+*nat
+:PREROUTING ACCEPT [72:10770]
+:INPUT ACCEPT [68:10030]
+:OUTPUT ACCEPT [39:2999]
+:POSTROUTING ACCEPT [1:84]
+-A POSTROUTING -o {{ wan_iface }} -j MASQUERADE
+COMMIT