Merge pull request 'dev' (#3) from dev into main

Reviewed-on: #3

ansible.cfg

@@ -19,6 +19,11 @@ vault_password_file = ./vault.secret
 # Ansible-Verhalten
 ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S
 
+# Use the YAML callback plugin.
+stdout_callback = yaml
+# Use the stdout_callback when running ad-hoc commands.
+bin_ansible_callbacks = True
+
 [privilege_escalation]
 become = True
 become_method = sudo

playbooks/heyer.systems/build_debian-minimal-image.yml

@@ -0,0 +1,7 @@
+- name: Build Debian image for Proxmox using bootstrap-vz (local)
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  roles:
+    - create_image_debian-minimal

roles/create_image_debian-minimal/.gitignore

@@ -0,0 +1 @@
+files/*

roles/create_image_debian-minimal/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+packer_version: "1.13.1"
+
+ssh_key_url: "https://skulldev.de/Skull-IT/trusted-ssh-keys/raw/branch/main/trusted-ssh-keys"
+
+image_output_dir: "/tmp/packer_images"
+
+debian_iso_url: "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.11.0-amd64-netinst.iso"
+debian_iso_checksum_url: "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS"
+# https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS
+debian_iso_filename: "debian-12.11.0-amd64-netinst.iso"
+
+ssh_username: "localadmin"
+ssh_password: "packer"

roles/create_image_debian-minimal/tasks/main.yml

@@ -0,0 +1,96 @@
+---
+- name: Ensure QEMU, KVM and dependencies are installed
+  ansible.builtin.apt:
+    name:
+      - qemu-system-x86
+      - qemu-utils
+      - libvirt-daemon-system
+      - libvirt-clients
+      - bridge-utils
+      - virtinst
+      - virt-manager
+      - cpu-checker
+      - unzip
+      - curl
+    state: present
+  become: true
+
+- name: Download Packer
+  ansible.builtin.get_url:
+    url: "https://releases.hashicorp.com/packer/{{ packer_version }}/packer_{{ packer_version }}_linux_amd64.zip"
+    dest: "/tmp/packer.zip"
+    mode: '0644'
+
+- name: Unarchive Packer
+  ansible.builtin.unarchive:
+    src: /tmp/packer.zip
+    dest: /usr/local/bin/
+    remote_src: yes
+  become: true
+
+- name: Ensure packer is executable
+  ansible.builtin.file:
+    path: /usr/local/bin/packer
+    mode: '0755'
+    owner: root
+    group: root
+  become: true
+
+- name: Create output directory for Packer images
+  ansible.builtin.file:
+    path: "{{ image_output_dir }}"
+    state: directory
+    mode: '0755'
+  become: true
+
+- name: Create HTTP directory inside output dir for preseed.cfg
+  ansible.builtin.file:
+    path: "{{ image_output_dir }}/http"
+    state: directory
+    mode: '0755'
+  become: true
+
+- name: Copy preseed.cfg template to HTTP directory
+  ansible.builtin.template:
+    src: preseed.cfg.j2
+    dest: "{{ image_output_dir }}/http/preseed.cfg"
+    mode: '0644'
+
+- name: Download Debian ISO checksums
+  ansible.builtin.get_url:
+    url: "{{ debian_iso_checksum_url }}"
+    dest: /tmp/debian_sha256sums.txt
+    mode: '0644'
+
+- name: Extract checksum for ISO
+  ansible.builtin.shell: |
+    grep "{{ debian_iso_filename }}" /tmp/debian_sha256sums.txt | awk '{ print $1 }'
+  register: debian_iso_checksum_result
+  changed_when: false
+
+- name: Set fact with full checksum string
+  ansible.builtin.set_fact:
+    debian_iso_checksum: "sha256:{{ debian_iso_checksum_result.stdout }}"
+
+- name: Template Packer HCL config
+  ansible.builtin.template:
+    src: debian_minimal.pkr.hcl.j2
+    dest: "{{ image_output_dir }}/debian_minimal.pkr.hcl"
+
+- name: Run `packer init`
+  ansible.builtin.command: packer init debian_minimal.pkr.hcl
+  args:
+    chdir: "{{ image_output_dir }}"
+
+- name: Run `packer build`
+  ansible.builtin.command: >
+    sh -c 'PACKER_LOG=1 PACKER_LOG_PATH=/tmp/packer.log packer build debian_minimal.pkr.hcl'
+  args:
+    chdir: "{{ image_output_dir }}"
+
+- name: Copy built image to role files directory
+  ansible.builtin.copy:
+    src: "{{ image_output_dir }}/debian-minimal/debian-minimal.qcow2"
+    dest: "{{ role_path }}/files/debian-minimal.qcow2"
+    remote_src: yes
+  become: true

roles/create_image_debian-minimal/templates/debian_minimal.pkr.hcl.j2

@@ -0,0 +1,53 @@
+source "qemu" "debian" {
+  iso_url          = "{{ debian_iso_url }}"
+  iso_checksum     = "{{ debian_iso_checksum }}"
+
+  output_directory = "{{ image_output_dir }}/debian-minimal"
+  vm_name          = "debian-minimal.qcow2"
+  shutdown_command = "echo 'packer' | sudo -S shutdown -P now"
+  ssh_username     = "{{ ssh_username }}"
+  ssh_password     = "{{ ssh_password }}"
+  ssh_timeout      = "60m"
+  disk_interface   = "virtio"
+  format           = "qcow2"
+  accelerator      = "kvm"
+
+  http_directory = "http"
+
+  headless = true
+
+  qemuargs = [
+    ["-m", "2048M"],
+    ["-smp", "2"],
+    ["-cpu", "host"],
+    ["-device", "virtio-rng-pci"]
+  ]
+
+  boot_wait = "15s"
+
+  boot_command = [
+    {% raw %}
+    "<esc><wait>",
+    "<esc><wait>",
+    "auto priority=critical interface=auto netcfg/disable_dhcp=false preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg debian-installer=de_DE locale=de_DE.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/layoutcode=de keyboard-configuration/modelcode=pc105 keyboard-configuration/variant=de console-setup/ask_detect=false netcfg/get_hostname=debian fb=false debconf/frontend=noninteractive initrd=/install.amd/initrd.gz /install.amd/vmlinuz quiet <enter>"
+    {% endraw %}
+  ]
+
+}
+
+build {
+  sources = ["source.qemu.debian"]
+
+  provisioner "shell" {
+    inline = [
+      "export DEBIAN_FRONTEND=noninteractive",
+
+      "sudo apt-get update -y",
+      "sudo apt-get install -y sudo curl vim",   # 'passwd' ist eh schon da
+
+      "sudo mkdir -p /root/.ssh",
+      "curl -fsSL '{{ ssh_key_url }}' | sudo tee /root/.ssh/authorized_keys",
+      "sudo chmod 600 /root/.ssh/authorized_keys"
+    ]
+  }
+}

roles/create_image_debian-minimal/templates/preseed.cfg.j2

@@ -0,0 +1,77 @@
+d-i partman/early_command string \
+   debconf-set partman/confirm_write_new_label true; \
+   debconf-set partman/confirm_nooverwrite true; \
+   debconf-set partman/confirm true
+
+# Preseeding only locale sets language, country and locale.
+d-i debian-installer/locale string de_DE.UTF-8
+
+# Keyboard selection
+d-i console-setup/ask_detect boolean false
+d-i keyboard-configuration/xkb-keymap select de
+d-i keyboard-configuration/layoutcode string de
+d-i keyboard-configuration/variant string de
+d-i keyboard-configuration/modelcode string pc105
+
+# Clock and time zone setup
+d-i clock-setup/utc boolean true
+d-i time/zone string Europe/Berlin
+
+# Avoid that last message about the install being complete.
+d-i finish-install/reboot_in_progress note
+
+# Partitioning
+d-i partman-auto/method string lvm
+d-i partman-auto-lvm/guided_size string max
+d-i partman-lvm/device_remove_lvm boolean true
+d-i partman-md/device_remove_md boolean true
+
+## This makes partman automatically partition without confirmation.
+d-i partman-md/confirm boolean true
+d-i partman-partitioning/confirm_write_new_label boolean true
+d-i partman-auto/choose_recipe select atomic
+d-i partman/choose_partition select finish
+d-i partman-lvm/confirm boolean true
+d-i partman-lvm/confirm_nooverwrite boolean true
+d-i partman/confirm boolean true
+
+# Bootloader
+d-i grub-installer/only_debian boolean true
+d-i grub-installer/with_other_os boolean true
+d-i grub-installer/bootdev string /dev/vda
+
+# Account setup
+
+## Root Account
+d-i passwd/root-login boolean false
+
+## User Account
+d-i passwd/user-fullname string heyeradmin
+d-i passwd/user-uid string 1000
+d-i passwd/user-default-groups string sudo,adm,cdrom,dip,plugdev
+d-i passwd/user-password password packer
+d-i passwd/user-password-again password packer
+d-i passwd/username string heyeradmin
+d-i user-setup/allow-password-weak boolean true
+d-i user-setup/encrypt-home boolean false
+
+d-i preseed/late_command string \
+  in-target bash -c \
+    'echo "heyeradmin ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/99_heyeradmin && \
+     chmod 440 /etc/sudoers.d/99_heyeradmin'
+
+# Hostname
+d-i netcfg/get_hostname string debian
+d-i netcfg/get_domain string localdomain
+d-i netcfg/disable_dhcp boolean false
+
+
+# Package selection
+tasksel tasksel/first standard
+d-i pkgsel/include string openssh-server build-essential
+d-i pkgsel/update-policy select none
+d-i pkgsel/upgrade select full-upgrade
+
+d-i partman/confirm_write_new_label boolean true
+d-i partman/confirm_nooverwrite boolean true
+d-i partman/confirm boolean true