From 311893c3bc2bbd18669b5c80bf884e9d25889b74 Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Sat, 22 Sep 2018 15:29:45 +0200 Subject: space_server: update for Fedora 29 --- roles/space_server/bootstrap.sh | 31 +++++++++++++++++----- .../files/kernel/90-loaderentry.install | 10 ++++--- .../files/kernel/95-syslinux-menu.install | 10 ++++--- roles/space_server/tasks/avahi.yml | 7 +++-- roles/space_server/tasks/bird.yml | 7 +++-- roles/space_server/tasks/kernel.yml | 8 ++++-- roles/space_server/tasks/nftables.yml | 17 ++++++------ roles/space_server/tasks/radius.yml | 9 +++---- roles/space_server/tasks/sshd.yml | 4 ++- roles/space_server/tasks/unbound.yml | 6 +++-- roles/space_server/templates/cmdline.j2 | 2 +- roles/space_server/vars/main.yml | 8 ++++-- 12 files changed, 75 insertions(+), 44 deletions(-) (limited to 'roles/space_server') diff --git a/roles/space_server/bootstrap.sh b/roles/space_server/bootstrap.sh index f80a454..98a62e5 100755 --- a/roles/space_server/bootstrap.sh +++ b/roles/space_server/bootstrap.sh @@ -23,8 +23,9 @@ # # Install syslinux: # mount -o noatime,fmask=0133,dmask=0022,utf8 /dev/sda1 /boot +# mkdir /boot/syslinux # syslinux -d syslinux -i /dev/sda1 -# cp /usr/share/syslinux/{ldlinux,libutil,menu}.c32 /boot/syslinux/ +# cp /usr/share/syslinux/{libutil,menu}.c32 /boot/syslinux/ # dd bs=440 count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda # # Mount root filesystem: @@ -39,7 +40,7 @@ set -e set -x -release=27 +release=29 secrets='/etc/ansible/secrets.yml' dest="/mnt/fedora$release" if [[ -e "$dest" ]]; then 
@@ -57,15 +58,31 @@ dnf \ --disablerepo='*' \ --enablerepo=fedora \ --enablerepo=updates \ - install dnf git python2-dnf python-netaddr ansible + install glibc-langpack-en dnf git ansible python3-netaddr python-unversioned-command if [[ -f "$secrets" ]]; then install -m660 "$secrets" "$dest$secrets" fi -systemd-nspawn -D "$dest" -M space -E ANSIBLE_FORCE_COLOR=1 \ - --bind /boot --bind /home -- \ - ansible-pull -i space, -c local \ - -U 'https://github.com/labitat/labitat-ansible.git' space.yml +for i in /var/lib/machines /var/lib/portables; do + if [[ -d "$dest$i" ]]; then + btrfs subvolume delete "$dest$i" + fi + echo "Creating $i" + install -o root -g root -m755 -d "$dest$i" +done + +exec systemd-nspawn \ + -D "$dest" \ + -M space \ + -E ANSIBLE_FORCE_COLOR=1 \ + --bind /boot \ + --bind /home \ + -- \ + ansible-pull \ + -i space.labitat.dk, \ + -c local \ + -U 'https://github.com/labitat/labitat-ansible.git' \ + space.yml # vim: set ts=2 sw=2 et: diff --git a/roles/space_server/files/kernel/90-loaderentry.install b/roles/space_server/files/kernel/90-loaderentry.install index df0526e..40d325a 100755 --- a/roles/space_server/files/kernel/90-loaderentry.install +++ b/roles/space_server/files/kernel/90-loaderentry.install @@ -7,14 +7,16 @@ KERNEL_VERSION="$2" BOOT_DIR_ABS="$3" KERNEL_IMAGE="$4" -if [[ -f /etc/machine-id ]]; then - read MACHINE_ID < /etc/machine-id +if ! [[ $KERNEL_INSTALL_MACHINE_ID ]]; then + exit 0 fi -if ! [[ $MACHINE_ID ]]; then - exit 1 +if ! [[ -d "$BOOT_DIR_ABS" ]]; then + exit 0 fi +MACHINE_ID=$KERNEL_INSTALL_MACHINE_ID + BOOT_DIR="/$MACHINE_ID/$KERNEL_VERSION" BOOT_ROOT=${BOOT_DIR_ABS%$BOOT_DIR} LOADER_ENTRY="$BOOT_ROOT/loader/entries/$MACHINE_ID-$KERNEL_VERSION.conf" diff --git a/roles/space_server/files/kernel/95-syslinux-menu.install b/roles/space_server/files/kernel/95-syslinux-menu.install index 183da9e..2dd2772 100755 --- a/roles/space_server/files/kernel/95-syslinux-menu.install 
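Review bot: The `ansible-pull` call that closes this hunk runs whatever is at the tip of the default branch of the GitHub repository, as root inside the nspawn container with the host's `/boot` and `/home` bind-mounted, and nothing pins or authenticates the revision. ansible-pull can check out a fixed ref and verify the commit's GPG signature, so I would add `-C '<pinned-ref>' \` and `--verify-commit \` ahead of `space.yml`; the signer's public key then has to be in the keyring of the user running it inside `$dest`. Separately, the new loop calls `btrfs subvolume delete` on anything that passes `[[ -d "$dest$i" ]]`, and under `set -e` a plain directory at that path aborts the bootstrap. A comment such as `# these paths are expected to be btrfs subvolumes (presumably created during the package install); replace them with plain directories` would make that assumption explicit.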
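Review bot: Both early exits added to 90-loaderentry.install return 0 without printing anything, so when `KERNEL_INSTALL_MACHINE_ID` is empty or `$BOOT_DIR_ABS` is not a directory the kernel package installs cleanly but no loader entry is written. The same change is made in 95-syslinux-menu.install. With the grub and grubby plugins masked in tasks/kernel.yml, these two scripts appear to be the only ones producing boot entries, so a silent skip can leave a new kernel without a menu entry and no trace in the package manager output. I would keep the exit status but log the reason before each `exit 0`, e.g. `echo "90-loaderentry: KERNEL_INSTALL_MACHINE_ID is empty, skipping" >&2`. The rest of each script lies outside the hunk.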
+++ b/roles/space_server/files/kernel/95-syslinux-menu.install @@ -7,14 +7,16 @@ KERNEL_VERSION="$2" BOOT_DIR_ABS="$3" KERNEL_IMAGE="$4" -if [[ -f /etc/machine-id ]]; then - read MACHINE_ID < /etc/machine-id +if ! [[ $KERNEL_INSTALL_MACHINE_ID ]]; then + exit 0 fi -if ! [[ $MACHINE_ID ]]; then - exit 1 +if ! [[ -d "$BOOT_DIR_ABS" ]]; then + exit 0 fi +MACHINE_ID=$KERNEL_INSTALL_MACHINE_ID + BOOT_DIR="/$MACHINE_ID/$KERNEL_VERSION" BOOT_ROOT=${BOOT_DIR_ABS%$BOOT_DIR} MENU="$BOOT_ROOT/loader/${MACHINE_ID}.cfg" diff --git a/roles/space_server/tasks/avahi.yml b/roles/space_server/tasks/avahi.yml index 1161863..f4decb8 100644 --- a/roles/space_server/tasks/avahi.yml +++ b/roles/space_server/tasks/avahi.yml @@ -1,11 +1,10 @@ --- - name: Install avahi, tools and nss-mdns dnf: - name: '{{ item }}' + name: + - avahi-tools # pulls in avahi package + - nss-mdns state: present - with_items: - - avahi-tools # pulls in avahi package - - nss-mdns tags: - packages diff --git a/roles/space_server/tasks/bird.yml b/roles/space_server/tasks/bird.yml index cdf402b..aeaa7bd 100644 --- a/roles/space_server/tasks/bird.yml +++ b/roles/space_server/tasks/bird.yml @@ -1,11 +1,10 @@ --- - name: Install bird and bird6 packages dnf: - name: '{{ item }}' + name: + - bird + - bird6 state: present - with_items: - - bird - - bird6 tags: - packages diff --git a/roles/space_server/tasks/kernel.yml b/roles/space_server/tasks/kernel.yml index b87bccc..d22fa86 100644 --- a/roles/space_server/tasks/kernel.yml +++ b/roles/space_server/tasks/kernel.yml @@ -10,11 +10,15 @@ - '/etc/kernel' - '/etc/kernel/install.d' -- name: Mask grubby +- name: Mask grub and grubby file: - path: '/etc/kernel/install.d/20-grubby.install' + path: '/etc/kernel/install.d/{{ item }}' src: '/dev/null' state: link + force: yes + with_items: + - 20-grub.install + - 20-grubby.install - name: Create syslinux loader entry and menu copy: 
diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml index 1f56a93..a589980 100644 --- a/roles/space_server/tasks/nftables.yml +++ b/roles/space_server/tasks/nftables.yml @@ -14,14 +14,6 @@ tags: - packages -- name: Symlink to /etc/nftables.conf - file: - path: '/etc/sysconfig/nftables.conf' - src: '../nftables.conf' - state: link - force: yes - notify: - - reload nftables - name: Configure nftables copy: dest: '/etc/nftables.conf' @@ -32,6 +24,15 @@ notify: - reload nftables +- name: Symlink to /etc/nftables.conf + file: + path: '/etc/sysconfig/nftables.conf' + src: '../nftables.conf' + state: link + force: yes + notify: + - reload nftables + - name: Enable nftables service systemd: name: nftables.service diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml index 972cc40..d66d8f6 100644 --- a/roles/space_server/tasks/radius.yml +++ b/roles/space_server/tasks/radius.yml @@ -1,12 +1,11 @@ --- - name: Install freeradius-python, curl and diffutils package dnf: - name: '{{ item }}' + name: + - freeradius-python + - curl + - diffutils state: present - with_items: - - freeradius-python - - curl - - diffutils tags: - packages diff --git a/roles/space_server/tasks/sshd.yml b/roles/space_server/tasks/sshd.yml index 63f3367..176ee5a 100644 --- a/roles/space_server/tasks/sshd.yml +++ b/roles/space_server/tasks/sshd.yml @@ -36,9 +36,11 @@ regexp: '{{ item.regexp }}' line: '{{ item.line }}' with_items: + - regexp: '^[# ]*PermitRootLogin' + line: 'PermitRootLogin no' - regexp: '^PasswordAuthentication' line: 'PasswordAuthentication no' - - regexp: '^#*GSSAPIAuthentication' + - regexp: '^[# ]*GSSAPIAuthentication' line: 'GSSAPIAuthentication no' notify: - restart sshd diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml index 81199b9..a3726a0 100644 --- a/roles/space_server/tasks/unbound.yml +++ b/roles/space_server/tasks/unbound.yml 
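Review bot: In the sshd.yml hunk the `PasswordAuthentication` entry keeps the stricter pattern `^PasswordAuthentication`, while the two entries around it now use `^[# ]*…`. On a file where that directive is only present commented out, lineinfile finds no match and appends `PasswordAuthentication no` at the end of the file. A line appended at EOF lands inside the last `Match` block if the file has one, where it would apply only to that block; `- regexp: '^[# ]*PasswordAuthentication'` keeps the three entries consistent. The task header is outside the hunk, so I cannot see whether it sets `validate`; if it does not, `validate: 'sshd -t -f %s'` would stop a broken file from being installed before the restart handler runs.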
@@ -1,7 +1,9 @@ --- - name: Install unbound package dnf: - name: unbound + name: + - policycoreutils # needed for unbound-keygen.service + - unbound state: present tags: - packages @@ -37,4 +39,4 @@ group: root mode: 0644 -# vim: set ts=2 sw=2 et ft=yaml: +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/templates/cmdline.j2 b/roles/space_server/templates/cmdline.j2 index d3bd2e7..4e523b6 100644 --- a/roles/space_server/templates/cmdline.j2 +++ b/roles/space_server/templates/cmdline.j2 @@ -5,4 +5,4 @@ {% else %} {% set subvol = '/%s%s' % (ansible_distribution.lower(), ansible_distribution_version) %} {% endif %} -console=ttyS0,115200n8 ro root={{ root.device }} rootfstype=btrfs ro rootflags={{ root.options|regex_replace('noatime,','') }},subvol={{ subvol }} rootwait audit=0 +console=ttyS0,115200n8 ro root={{ root.device }} rootfstype=btrfs ro rootflags={{ root.options|regex_replace('noatime,','') }},subvol={{ subvol }} rootwait audit=0 systemd.unified_cgroup_hierarchy=1 diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml index 94dec47..0778f2e 100644 --- a/roles/space_server/vars/main.yml +++ b/roles/space_server/vars/main.yml @@ -13,14 +13,18 @@ dnf_conf: 'main.deltarpm': 'False' dnf_packages: + 'glibc-langpack-da': present + 'glibc-langpack-en': present 'initscripts': present + 'hostname': present + 'iproute': present 'dosfstools': present 'btrfs-progs': present 'dnf': present - 'python2-dnf': present 'dnf-command(leaves)': present + 'python-unversioned-command': present 'ansible': present - 'python-netaddr': present + 'python3-netaddr': present # for dhcpd template 'vim-enhanced': present 'git': present 'diffutils': present -- cgit v1.2.1
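Review bot: The rewritten kernel command line in cmdline.j2 still carries `audit=0`, which switches the kernel audit subsystem off, and now adds `systemd.unified_cgroup_hierarchy=1`; neither choice is explained in the template or the commit message. On a host whose role configures sshd and RADIUS, running without audit records is a decision worth writing down. A comment line above it such as `{# audit=0: kernel auditing deliberately off; unified_cgroup_hierarchy=1: cgroup v2 only #}` would do, after checking that it adds no blank line to the rendered file. The `ro` flag also appears twice on the line, which looks harmless but could be trimmed. The template's opening lines are outside the hunk.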