-
Notifications
You must be signed in to change notification settings - Fork 29
/
Copy pathsite.yml
309 lines (307 loc) · 9.96 KB
/
site.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
---
- hosts: all
tasks:
- name: Abort if the host is not booted from the Arch install media
fail:
msg: "This host is not booted from the Arch install media!"
when: ansible_nodename != 'archiso'
tags:
- quick_exit
- name: Synchronize clock via NTP
command: timedatectl set-ntp true
tags:
- sync_clock
- name: Repartition install drive
block:
- name: Wipe install drive and all its partitions
command: find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;
tags:
- wipefs
- name: Create boot partition
parted:
device: '{{ install_drive }}'
label: gpt
number: 1
part_end: 512MB
name: boot
flags: [boot, esp]
state: present
- name: Create root partition
parted:
device: '{{ install_drive }}'
label: gpt
number: 2
part_start: 512MB
name: root
flags: [lvm]
state: present
tags:
- repartition
- name: Setup LVM root and tmp volumes
block:
- name: Remove existing volume group
lvg:
vg: VolumeGroup00
force: yes
state: absent
- name: Configure volume group
lvg:
vg: VolumeGroup00
pvs:
- '{{ install_drive }}{{ root_partition_suffix }}'
- name: Configure logical volumes
lvol:
vg: VolumeGroup00
lv: '{{ item.lv }}'
size: '{{ item.size }}'
loop:
- {lv: tmp, size: 512m}
- {lv: root, size: "100%FREE"}
tags:
- lvm
- name: Setup LUKS encryption for root filesystem
block:
- name: Copy keyfile
copy:
src: '{{ luks_keyfile }}'
dest: /root/keyfile
- name: Destroy existing LUKS volume
luks_device:
device: /dev/VolumeGroup00/root
state: absent
- name: Create and open LUKS volume
luks_device:
device: /dev/VolumeGroup00/root
keyfile: /root/keyfile
name: root
state: opened
- name: Get UUID for root LUKS volume
command: blkid -s UUID -o value /dev/VolumeGroup00/root
register: root_luks_uuid
changed_when: false
tags:
- luks
- name: Create filesystems
block:
- name: Create FAT32 filesystem in boot partition
filesystem:
dev: '{{ install_drive }}{{ boot_partition_suffix }}'
fstype: vfat
opts: -F32
force: yes
- name: Create ext4 filesystem in root volume
filesystem:
dev: /dev/mapper/root
fstype: ext4
force: yes
- name: Get UUID for boot filesystem
command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}'
register: boot_uuid
changed_when: false
- name: Get UUID for root filesystem
command: blkid -s UUID -o value /dev/mapper/root
register: root_uuid
changed_when: false
tags:
- create_filesystems
- name: Mount filesystems
block:
- name: Mount root filesystem
mount:
path: /mnt
src: UUID={{ root_uuid.stdout }}
fstype: ext4
state: mounted
- name: Create mountpoint for boot volume
file:
path: /mnt/boot
state: directory
- name: Mount boot filesystem
mount:
path: /mnt/boot
src: UUID={{ boot_uuid.stdout }}
fstype: vfat
state: mounted
tags:
- mount_filesystems
- name: Run pacstrap
command: pacstrap /mnt base dhclient dhcpcd efibootmgr grub linux linux-firmware lvm2 netctl openssh python reflector sudo
tags:
- pacstrap
- name: Restrict reflector to only US mirrors
ansible.builtin.lineinfile:
insertafter: \# --country
line: --country "United States"
path: /mnt/etc/xdg/reflector/reflector.conf
tags:
- mirrors
- name: Generate fstab
block:
- name: Generate blank fstab
command: genfstab -U /mnt >> /mnt/etc/fstab
- name: Add root volume to fstab
mount:
fstab: /mnt/etc/fstab
path: /
src: UUID={{ root_uuid.stdout }}
fstype: ext4
opts: defaults
passno: '1'
state: present
- name: Add boot volume to fstab
mount:
fstab: /mnt/etc/fstab
path: /boot
src: UUID={{ boot_uuid.stdout }}
fstype: vfat
opts: defaults
passno: '2'
state: present
- name: Add tmp volume to fstab
mount:
fstab: /mnt/etc/fstab
path: /tmp
src: /dev/mapper/tmp
fstype: tmpfs
opts: defaults
state: present
tags:
- fstab
- name: Add tmp volume to crypttab
crypttab:
path: /mnt/etc/crypttab
backing_device: /dev/VolumeGroup00/tmp
name: tmp
password: /dev/urandom
opts: tmp,cipher=aes-xts-plain64,size=512
state: present
tags:
- crypttab
- name: Set local timezone
command: arch-chroot /mnt ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
tags:
- timezone
- name: Generate adjtime file
command: arch-chroot /mnt hwclock --systohc
tags:
- adjtime
- name: Setup locales
block:
- name: Configure locale.gen
lineinfile:
dest: /mnt/etc/locale.gen
regexp: '{{ item.regex }}'
line: '{{ item.line }}'
loop:
- {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}
- {regex: en_US ISO-8859-1, line: en_US ISO-8859-1}
- name: Create locale.conf
copy:
content: "LANG=en_US.UTF-8"
dest: /mnt/etc/locale.conf
- name: Generate locales
command: arch-chroot /mnt locale-gen
tags:
- locales
- name: Set hostname
copy:
content: '{{ inventory_hostname }}'
dest: /mnt/etc/hostname
tags:
- hostname
- name: Setup netctl
block:
- name: Create netctl profile for wired connection
copy:
content: |
Description='Wired with DHCP'
Interface={{ wired_interface }}
Connection=ethernet
IP=dhcp
IP6=dhcp-noaddr
# IPv6 traffic is tunneled over IPv4, which eats 20 bytes of the MTU.
ExecUpPost='/usr/bin/ip link set {{ wired_interface }} mtu 1480'
dest: /mnt/etc/netctl/wired
- name: Enable wired netctl profile
command: arch-chroot /mnt netctl enable wired
tags:
- netctl
- name: Enable sshd
command: arch-chroot /mnt systemctl enable sshd
tags:
- sshd
- name: Set up initramfs
block:
- name: Add mkinitcpio.conf hooks
lineinfile:
dest: /mnt/etc/mkinitcpio.conf
regexp: ^HOOKS=
line: HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
- name: Create new initramfs
command: arch-chroot /mnt mkinitcpio -p linux
tags:
- initramfs
- mkinitcpio
- name: Set up grub
block:
- name: Add commandline information to grub config
lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX=
line: GRUB_CMDLINE_LINUX="cryptdevice=UUID={{ root_luks_uuid.stdout }}:root root=/dev/mapper/root"
- name: Install grub
command: arch-chroot /mnt grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
- name: Create grub config
command: arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
tags:
- grub
- name: Setup user account
block:
- name: Create user account
command: arch-chroot /mnt useradd --create-home --user-group --groups wheel {{ user_name }} --password {{ user_password }}
- name: Create user's ssh directory
file:
path: /mnt/home/{{ user_name }}/.ssh
state: directory
- name: Set mode, owner, and group on user's ssh directory
command: arch-chroot /mnt {{ item }}
loop:
- chmod 0700 /home/{{ user_name }}/.ssh
- chown {{ user_name }}:{{ user_name }} /home/{{ user_name }}/.ssh
- name: Copy over ssh key from current Ansible controller as an authorized key
copy:
src: '{{ lookup("env", "HOME") }}/.ssh/id_ed25519.pub'
dest: /mnt/home/{{ user_name }}/.ssh/authorized_keys
- name: Set mode, owner, and group on user's authorized_key file
command: arch-chroot /mnt {{ item }}
loop:
- chmod 0600 /home/{{ user_name }}/.ssh/authorized_keys
- chown {{ user_name }}:{{ user_name }} /home/{{ user_name }}/.ssh/authorized_keys
tags:
- user_account
- name: Give passwordless sudo access to wheel group
copy:
content: '%wheel ALL=(ALL) NOPASSWD: ALL'
dest: /mnt/etc/sudoers.d/wheel
validate: /usr/sbin/visudo --check --file=%s
tags:
- sudo
- hosts: thunderbolt
tasks:
- name: Install and enable bolt
block:
- name: Install bolt
ansible.builtin.command: arch-chroot /mnt pacman --sync --noconfirm bolt
- name: Enable bolt service
ansible.builtin.command: arch-chroot /mnt systemctl enable bolt.service
tags:
- thunderbolt
- hosts: all
tasks:
- name: Reboot
reboot:
connect_timeout: 1
reboot_timeout: 1
failed_when: false
tags:
- reboot