Upgrade binary

.drone.yml

@@ -14,54 +14,56 @@ steps:
 - name: Debugging information
   image: bv11-cr01.bessems.eu/library/packer-extended
   commands:
-  - yamllint --version
+  - ansible --version
-  - packer --version
-  - pwsh --version
   - ovftool --version
-- name: Windows 10
+  - packer --version
+  - yamllint --version
+- name: Kubernetes Bootstrap Appliance
   image: bv11-cr01.bessems.eu/library/packer-extended
   pull: always
   commands:
-  - sed -i -e "s/<<img-productkey>>/$${PRODUCTKEY}/" packer/preseed/Windows10/Autounattend.xml
   - |
-    sed -i -e "s/<<img-password>>/$${WINRM_PASSWORD}/g" \
+    sed -i -e "s/<<img-password>>/$${SSH_PASSWORD}/g" \
-      packer/preseed/Windows10/Autounattend.xml \
+      packer/preseed/UbuntuServer22.04/user-data
-      packer/preseed/Windows10/Sysprep_Unattend.xml
   - |
-    yamllint -d "{extends: relaxed, rules: {line-length: disable}}" scripts
+    yamllint -d "{extends: relaxed, rules: {line-length: disable}}" \
+      ansible \
+      packer/preseed/UbuntuServer22.04/user-data \
+      scripts
+  - |
+    ansible-galaxy install \
+      -r ansible/requirements.yml
   - |
     packer init -upgrade \
       ./packer
   - |
     packer validate \
       -var vm_name=$DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \
-      -var vm_guestos=win10 \
+      -var vm_guestos=k8sbootstrap \
       -var repo_username=$${REPO_USERNAME} \
       -var repo_password=$${REPO_PASSWORD} \
       -var vsphere_password=$${VSPHERE_PASSWORD} \
-      -var winrm_password=$${WINRM_PASSWORD} \
+      -var ssh_password=$${SSH_PASSWORD} \
       ./packer
   - |
     packer build \
-      -on-error=cleanup \
+      -on-error=cleanup -timestamp-ui \
       -var vm_name=$DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \
-      -var vm_guestos=win10 \
+      -var vm_guestos=k8sbootstrap \
       -var repo_username=$${REPO_USERNAME} \
       -var repo_password=$${REPO_PASSWORD} \
       -var vsphere_password=$${VSPHERE_PASSWORD} \
-      -var winrm_password=$${WINRM_PASSWORD} \
+      -var ssh_password=$${SSH_PASSWORD} \
       ./packer
   environment:
     VSPHERE_PASSWORD:
       from_secret: vsphere_password
-    WINRM_PASSWORD:
+    SSH_PASSWORD:
-      from_secret: winrm_password
+      from_secret: ssh_password
     REPO_USERNAME:
       from_secret: repo_username
     REPO_PASSWORD:
       from_secret: repo_password
-    PRODUCTKEY:
-      from_secret: prodkey_win10
     # PACKER_LOG: 1
   volumes:
   - name: output

README.md

@@ -1 +1 @@
-# Packer.Images [![Build Status](https://ci.spamasaurus.com/api/badges/djpbessems/Packer.Images/status.svg?ref=refs/heads/Windows10)](https://ci.spamasaurus.com/djpbessems/Packer.Images)
+# Packer.Images [![Build Status](https://ci.spamasaurus.com/api/badges/djpbessems/Packer.Images/status.svg?ref=refs/heads/Kubernetes.Bootstrap.Appliance)](https://ci.spamasaurus.com/djpbessems/Packer.Images)

ansible/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+deprecation_warnings = False
+remote_tmp           = /tmp/.ansible-${USER}/tmp

ansible/playbook.yml

@@ -0,0 +1,12 @@
+---
+- hosts: all
+  gather_facts: false
+  vars_files:
+    - metacluster.yml
+    - workloadcluster.yml
+  become: true
+  roles:
+    - os
+    - firstboot
+    - appliance
+    - metacluster

ansible/requirements.yml

@@ -0,0 +1,4 @@
+collections:
+  - ansible.utils
+  - community.general
+  - kubernetes.core

ansible/roles/appliance/tasks/dependencies.archive_compressed.yml

@@ -0,0 +1,27 @@
+---
+- name: Initialize tempfolder
+  ansible.builtin.tempfile:
+    state: directory
+  register: archive
+
+- name: Download & extract archived static binary
+  ansible.builtin.unarchive:
+    src: "{{ item.url }}"
+    dest: "{{ archive.path }}"
+    remote_src: yes
+    extra_opts: "{{ item.extra_opts | default(omit) }}"
+
+- name: Install extracted binary
+  ansible.builtin.copy:
+    src: "{{ archive.path }}/{{ item.filename }}"
+    dest: /usr/local/bin/{{ item.filename }}
+    remote_src: yes
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Cleanup tempfolder
+  ansible.builtin.file:
+    path: "{{ archive.path }}"
+    state: absent
+  when: archive.path is defined

ansible/roles/appliance/tasks/dependencies.yml

@@ -0,0 +1,53 @@
+# - name: Create folder structure(s)
+#  ansible.builtin.file:
+#    path: "{{ item }}"
+#    state: directory
+#  loop:
+#    - /foo
+
+- name: Download & install static binaries
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    url_username: "{{ item.username | default(omit) }}"
+    url_password: "{{ item.password | default(omit) }}"
+    dest: /usr/local/bin/{{ item.filename }}
+    owner: root
+    group: root
+    mode: 0755
+  loop: "{{ dependencies.static_binaries | selectattr('archive', 'undefined') }}"
+  loop_control:
+    label: "{{ item.filename }}"
+
+- name: Download, extract & install archived static binaries
+  include_tasks: dependencies.archive_compressed.yml
+  loop: "{{ dependencies.static_binaries | rejectattr('archive', 'undefined') | selectattr('archive', 'equalto', 'compressed') }}"
+  loop_control:
+    label: "{{ item.filename }}"
+
+- name: Install ansible-galaxy collections
+  ansible.builtin.shell:
+    cmd: ansible-galaxy collection install {{ item }}
+  loop: "{{ dependencies.ansible_galaxy_collections }}"
+
+- name: Install distro packages
+  ansible.builtin.apt:
+    pkg: "{{ dependencies.packages.apt }}"
+    state: latest
+    update_cache: yes
+    install_recommends: no
+
+- name: Upgrade all packages
+  ansible.builtin.apt:
+    name: '*'
+    state: latest
+    update_cache: yes
+
+- name: Install additional python packages
+  ansible.builtin.pip:
+    name: "{{ dependencies.packages.pip }}"
+    state: latest
+
+- name: Cleanup apt cache
+  ansible.builtin.apt:
+    autoremove: yes
+    purge: yes

ansible/roles/appliance/tasks/main.yml

@@ -0,0 +1,2 @@
+- name: Install & configure dependencies
+  import_tasks: dependencies.yml

ansible/roles/firstboot/files/ansible_payload/playbook.yml

@@ -0,0 +1,24 @@
+---
+- hosts: 127.0.0.1
+  connection: local
+  gather_facts: false
+  vars_files:
+    - metacluster.yml
+  # become: true
+  roles:
+    - vapp
+    - network
+    - users
+    - disks
+    - metacluster
+    - workloadcluster
+    - tty
+    - cleanup
+  handlers:
+    - name: Apply manifests
+      kubernetes.core.k8s:
+        src: "{{ item }}"
+        state: present
+        kubeconfig: "{{ kubeconfig.path }}"
+      loop: "{{ query('ansible.builtin.fileglob', '/var/lib/rancher/k3s/server/manifests/*.yaml') | sort }}"
+      ignore_errors: yes

ansible/roles/firstboot/files/ansible_payload/roles/cleanup/tasks/main.yml

@@ -0,0 +1,8 @@
+- name: Disable crontab job
+  ansible.builtin.cron:
+    name: firstboot
+    state: absent
+
+- name: Reboot host
+  ansible.builtin.shell:
+    cmd: /usr/sbin/reboot now

ansible/roles/firstboot/files/ansible_payload/roles/disks/tasks/main.yml

@@ -0,0 +1,24 @@
+- name: Create volume group
+  community.general.lvg:
+    vg: longhorn_vg
+    pvs:
+      - /dev/sdb
+    pvresize: yes
+
+- name: Create logical volume
+  community.general.lvol:
+    vg: longhorn_vg
+    lv: longhorn_lv
+    size: 100%VG
+
+- name: Create filesystem
+  community.general.filesystem:
+    dev: /dev/mapper/longhorn_vg-longhorn_lv
+    fstype: ext4
+
+- name: Mount dynamic disk
+  ansible.posix.mount:
+    path: /mnt/blockstorage
+    src: /dev/mapper/longhorn_vg-longhorn_lv
+    fstype: ext4
+    state: mounted

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/filter_plugins/netaddr.py

@@ -0,0 +1,14 @@
+import netaddr
+
+def netaddr_iter_iprange(ip_start, ip_end):
+    return [str(ip) for ip in netaddr.iter_iprange(ip_start, ip_end)]
+
+class FilterModule(object):
+        ''' Ansible filter. Interface to netaddr methods.
+            https://pypi.org/project/netaddr/
+        '''
+
+        def filters(self):
+            return {
+                'netaddr_iter_iprange': netaddr_iter_iprange
+            }

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/assets.yml

@@ -0,0 +1,7 @@
+- name: Import container images
+  ansible.builtin.command:
+    cmd: k3s ctr image import {{ item }}
+    chdir: /opt/metacluster/container-images
+  loop: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/container-images/*.tar') | sort }}"
+  loop_control:
+    label: "{{ item | basename }}"

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml

@@ -0,0 +1,122 @@
+- name: Install step-ca chart
+  kubernetes.core.helm:
+    name: step-certificates
+    chart_ref: /opt/metacluster/helm-charts/step-certificates
+    release_namespace: step-ca
+    create_namespace: yes
+    wait: yes
+    kubeconfig: "{{ kubeconfig.path }}"
+    values: "{{ components.stepcertificates.chart_values }}"
+
+- name: Retrieve configmap w/ root certificate
+  kubernetes.core.k8s_info:
+    kind: ConfigMap
+    name: step-certificates-certs
+    namespace: step-ca
+    kubeconfig: "{{ kubeconfig.path }}"
+  register: stepca_cm_certs
+
+- name: Create target namespaces
+  kubernetes.core.k8s:
+    kind: Namespace
+    name: "{{ item }}"
+    state: present
+    kubeconfig: "{{ kubeconfig.path }}"
+  loop:
+    - argo-cd
+    # - kube-system
+
+- name: Store root certificate in namespaced configmaps/secrets
+  kubernetes.core.k8s:
+    state: present
+    template: "{{ item.kind }}.j2"
+    kubeconfig: "{{ kubeconfig.path }}"
+  vars:
+    _template:
+      name: "{{ item.name }}"
+      namespace: "{{ item.namespace }}"
+      annotations: "{{ item.annotations | default('{}') | indent(width=4, first=True) }}"
+      labels: "{{ item.labels | default('{}') | indent(width=4, first=True) }}"
+      data: "{{ item.data }}"
+  loop:
+    - name: argocd-tls-certs-cm
+      namespace: argo-cd
+      kind: configmap
+      annotations: |
+        meta.helm.sh/release-name: argo-cd
+        meta.helm.sh/release-namespace: argo-cd
+      labels: |
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: argocd-cm
+        app.kubernetes.io/part-of: argocd
+      data:
+        - key: git.{{ vapp['metacluster.fqdn'] }}
+          value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
+    - name: step-certificates-certs
+      namespace: kube-system
+      kind: secret
+      data:
+        - key: root_ca.crt
+          value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
+  loop_control:
+    label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}"
+
+- name: Configure step-ca passthrough ingress
+  ansible.builtin.template:
+    src: ingressroutetcp.j2
+    dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
+    owner: root
+    group: root
+    mode: 0600
+  vars:
+    _template:
+      name: step-ca
+      namespace: step-ca
+      config: |2
+          entryPoints:
+            - websecure
+          routes:
+          - match: HostSNI(`ca.{{ vapp['metacluster.fqdn'] }}`)
+            services:
+            - name: step-certificates
+              port: 443
+          tls:
+            passthrough: true
+  notify:
+    - Apply manifests
+
+- name: Inject step-ca certificate into traefik container
+  ansible.builtin.blockinfile:
+    path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
+    block: |2
+          volumes:
+            - name: step-certificates-certs
+              mountPath: /step-ca
+              type: secret
+          env:
+            - name: LEGO_CA_CERTIFICATES
+              value: /step-ca/root_ca.crt
+    marker: '    # {mark} ANSIBLE MANAGED BLOCK'
+  notify:
+    - Apply manifests
+
+- name: Trigger handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Retrieve step-ca configuration
+  kubernetes.core.k8s_info:
+    kind: ConfigMap
+    name: step-certificates-config
+    namespace: step-ca
+    kubeconfig: "{{ kubeconfig.path }}"
+  register: stepca_cm_config
+
+- name: Install root CA in system truststore
+  ansible.builtin.shell:
+    cmd: >-
+      step ca bootstrap \
+        --ca-url=https://ca.{{ vapp['metacluster.fqdn'] }} \
+        --fingerprint={{ stepca_cm_config.resources[0].data['defaults.json'] | from_json | json_query('fingerprint') }} \
+        --install \
+        --force
+      update-ca-certificates

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/cleanup.yml

@@ -0,0 +1,12 @@
+- name: Compress tarballs
+  community.general.archive:
+    dest: /opt/metacluster/container-images/image-tarballs.tgz
+    path: /opt/metacluster/container-images/*
+    format: gz
+    remove: yes
+
+- name: Cleanup tempfile
+  ansible.builtin.file:
+    path: "{{ kubeconfig.path }}"
+    state: absent
+  when: kubeconfig.path is defined

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/git.yml

@@ -0,0 +1,137 @@
+- block:
+
+    - name: Install gitea chart
+      kubernetes.core.helm:
+        name: gitea
+        chart_ref: /opt/metacluster/helm-charts/gitea
+        release_namespace: gitea
+        create_namespace: yes
+        wait: yes
+        kubeconfig: "{{ kubeconfig.path }}"
+        values: "{{ components.gitea.chart_values }}"
+
+    - name: Configure additional SSH ingress
+      ansible.builtin.template:
+        src: ingressroutetcp.j2
+        dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
+        owner: root
+        group: root
+        mode: 0600
+      vars:
+        _template:
+          name: gitea-ssh
+          namespace: gitea
+          config: |2
+              entryPoints:
+                - ssh
+              routes:
+              - match: HostSNI(`*`)
+                services:
+                - name: gitea-ssh
+                  port: 22
+      notify:
+        - Apply manifests
+
+    - name: Trigger handlers
+      ansible.builtin.meta: flush_handlers
+
+    - name: Ensure gitea API availability
+      ansible.builtin.uri:
+        url: https://git.{{ vapp['metacluster.fqdn'] }}/api/healthz
+        method: GET
+      register: api_readycheck
+      until: api_readycheck.json.status is defined
+      retries: 3
+      delay: 30
+
+    - name: Generate gitea API token
+      ansible.builtin.uri:
+        url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/users/administrator/tokens
+        method: POST
+        user: administrator
+        password: "{{ vapp['guestinfo.rootpw'] }}"
+        force_basic_auth: yes
+        body:
+          name: token_init_{{ lookup('password', '/dev/null length=5 chars=ascii_letters,digits') }}
+      register: gitea_api_token
+
+    - name: Retrieve existing gitea configuration
+      ansible.builtin.uri:
+        url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/repos/search
+        method: GET
+      register: gitea_existing_config
+
+    - block:
+
+        - name: Register SSH public key
+          ansible.builtin.uri:
+            url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/user/keys
+            method: POST
+            headers:
+              Authorization: token {{ gitea_api_token.json.sha1 }}
+            body:
+              key: "{{ gitops_sshkey.public_key }}"
+              read_only: false
+              title: GitOps
+
+        - name: Create organization(s)
+          ansible.builtin.uri:
+            url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/orgs
+            method: POST
+            headers:
+              Authorization: token {{ gitea_api_token.json.sha1 }}
+            body: "{{ item }}"
+          loop:
+            - full_name: Meta-cluster
+              description: Meta-cluster configuration items
+              username: mc
+              website: https://git.{{ vapp['metacluster.fqdn'] }}/mc
+              location: '[...]'
+              visibility: public
+            - full_name: Workload-cluster
+              description: Workload-cluster configuration items
+              username: wl
+              website: https://git.{{ vapp['metacluster.fqdn'] }}/wl
+              location: '[...]'
+              visibility: public
+          loop_control:
+            label: "{{ item.full_name }}"
+
+        - name: Create repositories
+          ansible.builtin.uri:
+            url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/orgs/{{ item.organization }}/repos
+            method: POST
+            headers:
+              Authorization: token {{ gitea_api_token.json.sha1 }}
+            body: "{{ item.body }}"
+          loop:
+            - organization: mc
+              body:
+                name: GitOps.Config
+                # auto_init: true
+                # default_branch: main
+                description: GitOps manifests
+            - organization: wl
+              body:
+                name: Template.GitOps.Config
+                # auto_init: true
+                # default_branch: main
+                description: GitOps manifests
+          loop_control:
+            label: "{{ item.organization + '/' + item.body.name }}"
+
+        - name: Rebase/Push source gitops repository
+          ansible.builtin.shell:
+            cmd: |
+              git config --local http.sslVerify false
+              git remote set-url origin https://administrator:{{ vapp['guestinfo.rootpw'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.Config.git
+              git push
+            chdir: /opt/metacluster/git-repositories/gitops
+
+      when: (gitea_existing_config.json is undefined) or (gitea_existing_config.json.data | length == 0)
+
+  module_defaults:
+    ansible.builtin.uri:
+      validate_certs: no
+      status_code: [200, 201]
+      body_format: json

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/gitops.yml

@@ -0,0 +1,69 @@
+- block:
+
+    - name: Install argo-cd chart
+      kubernetes.core.helm:
+        name: argo-cd
+        chart_ref: /opt/metacluster/helm-charts/argo-cd
+        release_namespace: argo-cd
+        create_namespace: yes
+        wait: yes
+        kubeconfig: "{{ kubeconfig.path }}"
+        values: "{{ components.argocd.chart_values }}"
+
+    - name: Ensure argo-cd API availability
+      ansible.builtin.uri:
+        url: https://gitops.{{ vapp['metacluster.fqdn'] }}/api/version
+        method: GET
+      register: api_readycheck
+      until: api_readycheck.json.Version is defined
+      retries: 3
+      delay: 30
+
+    - name: Generate argo-cd API token
+      ansible.builtin.uri:
+        url: https://gitops.{{ vapp['metacluster.fqdn'] }}/api/v1/session
+        method: POST
+        force_basic_auth: yes
+        body:
+          username: admin
+          password: "{{ vapp['guestinfo.rootpw'] }}"
+      register: argocd_api_token
+
+    - name: Configure metacluster-gitops repository
+      ansible.builtin.template:
+        src: gitrepo.j2
+        dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
+        owner: root
+        group: root
+        mode: 0600
+      vars:
+        _template:
+          name: argocd-gitrepo-metacluster
+          namespace: argo-cd
+          uid: "{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed=inventory_hostname') }}"
+          privatekey: "{{ lookup('ansible.builtin.file', '~/.ssh/git_rsa_id') | indent(4, true) }}"
+      notify:
+        - Apply manifests
+
+    - name: Create applicationset
+      ansible.builtin.template:
+        src: applicationset.j2
+        dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
+        owner: root
+        group: root
+        mode: 0600
+      vars:
+        _template:
+          name: argocd-applicationset-metacluster
+          namespace: argo-cd
+      notify:
+        - Apply manifests
+
+    - name: Trigger handlers
+      ansible.builtin.meta: flush_handlers
+
+  module_defaults:
+    ansible.builtin.uri:
+      validate_certs: no
+      status_code: [200, 201]
+      body_format: json

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/ingress.yml

@@ -0,0 +1,26 @@
+- name: Configure traefik dashboard ingress
+  ansible.builtin.template:
+    src: ingressroute.j2
+    dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
+    owner: root
+    group: root
+    mode: 0600
+  vars:
+    _template:
+      name: traefik-dashboard
+      namespace: kube-system
+      config: |2
+          entryPoints:
+          - web
+          - websecure
+          routes:
+          - kind: Rule
+            match: Host(`ingress.{{ vapp['metacluster.fqdn'] }}`)
+            services:
+            - kind: TraefikService
+              name: api@internal
+  notify:
+    - Apply manifests
+
+- name: Trigger handlers
+  ansible.builtin.meta: flush_handlers

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/init.yml

@@ -0,0 +1,13 @@
+- name: Configure fallback name resolution
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    line: "{{ vapp['guestinfo.ipaddress'] }}  {{ item + '.' + vapp['metacluster.fqdn'] }}"
+    state: present
+  loop:
+    # TODO: Make this list dynamic
+    - ca
+    - git
+    - gitops
+    - ingress
+    - registry
+    - storage

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/k3s.yml

@@ -0,0 +1,44 @@
+- name: Gather service facts
+  ansible.builtin.service_facts:
+    # Module requires no attributes
+
+- name: Install K3s
+  ansible.builtin.command:
+    cmd: ./install.sh
+    chdir: /opt/metacluster/k3s
+  environment:
+    INSTALL_K3S_SKIP_DOWNLOAD: 'true'
+    INSTALL_K3S_EXEC: 'server --cluster-init --disable local-storage'
+  when: ansible_facts.services['k3s.service'] is undefined
+
+- name: Ensure API availability
+  ansible.builtin.uri:
+    url: https://{{ vapp['guestinfo.ipaddress'] }}:6443/livez?verbose
+    method: GET
+    validate_certs: no
+    status_code: [200, 401]
+  register: api_readycheck
+  until: api_readycheck.json.apiVersion is defined
+  retries: 3
+  delay: 30
+
+- name: Install kubectl tab-completion
+  ansible.builtin.shell:
+    cmd: kubectl completion bash | tee /etc/bash_completion.d/kubectl
+
+- name: Initialize tempfile
+  ansible.builtin.tempfile:
+    state: file
+  register: kubeconfig
+
+- name: Retrieve kubeconfig
+  ansible.builtin.command:
+    cmd: kubectl config view --raw
+  register: kubectl_config
+
+- name: Store kubeconfig in tempfile
+  ansible.builtin.copy:
+    dest: "{{ kubeconfig.path }}"
+    content: "{{ kubectl_config.stdout }}"
+    mode: 0600
+  no_log: true

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml

@@ -0,0 +1,12 @@
+- import_tasks: init.yml
+- import_tasks: k3s.yml
+- import_tasks: assets.yml
+- import_tasks: ingress.yml
+- import_tasks: storage.yml
+- import_tasks: certauthority.yml
+- import_tasks: registry.yml
+- import_tasks: secrets.yml
+- import_tasks: git.yml
+- import_tasks: gitops.yml
+
+- import_tasks: cleanup.yml

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/registry.yml

@@ -0,0 +1,32 @@
+- name: Install harbor chart
+  kubernetes.core.helm:
+    name: harbor
+    chart_ref: /opt/metacluster/helm-charts/harbor
+    release_namespace: harbor
+    create_namespace: yes
+    wait: yes
+    kubeconfig: "{{ kubeconfig.path }}"
+    values: "{{ components.harbor.chart_values }}"
+
+- name: Push images to registry
+  ansible.builtin.shell:
+    cmd: >-
+      skopeo copy \
+        --insecure-policy \
+        --dest-tls-verify=false \
+        --dest-creds admin:{{ vapp['guestinfo.rootpw'] }} \
+        docker-archive:./{{ item | basename }} \
+        docker://registry.{{ vapp['metacluster.fqdn'] }}/library/$( \
+          skopeo list-tags \
+            --insecure-policy \
+            docker-archive:./{{ item | basename }} | \
+          jq -r '.Tags[0]')
+    chdir: /opt/metacluster/container-images/
+  loop: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/container-images/*.tar') | sort }}"
+  loop_control:
+    label: "{{ item | basename }}"
+
+- name: Configure K3s node for private registry
+  ansible.builtin.template:
+    dest: /etc/rancher/k3s/registries.yaml
+    src: registries.j2

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/secrets.yml

@@ -0,0 +1,52 @@
+- name: Install sealed-secrets chart
+  kubernetes.core.helm:
+    name: sealed-secrets-controller
+    chart_ref: /opt/metacluster/helm-charts/sealed-secrets
+    release_namespace: kube-system
+    wait: yes
+    kubeconfig: "{{ kubeconfig.path }}"
+    # values: "{{ components.sealedsecrets.chart_values }}"
+
+- name: Store hypervisor details in configmap/secret
+  kubernetes.core.k8s:
+    state: present
+    template: "{{ item.kind }}.j2"
+    kubeconfig: "{{ kubeconfig.path }}"
+  vars:
+    _template:
+      name: "{{ item.name }}"
+      namespace: "{{ item.namespace }}"
+      annotations: "{{ item.annotations | default('{}') | indent(width=4, first=True) }}"
+      labels: "{{ item.labels | default('{}') | indent(width=4, first=True) }}"
+      data: "{{ item.data }}"
+  loop:
+    - name: hypervisor-credentials
+      namespace: kube-system
+      kind: secret
+      data:
+        - key: HV_FQDN
+          value: "{{ vapp['hv.fqdn'] | b64encode }}"
+        - key: HV_USERNAME
+          value: "{{ vapp['hv.username'] | b64encode }}"
+        - key: HV_PASSWORD
+          value: "{{ vapp['hv.password'] | b64encode }}"
+    - name: hypervisor-ippool
+      namespace: kube-system
+      kind: configmap
+      data:
+        - key: VAPP_MOREF
+          value: "{{ moref_id }}"
+        - key: VAPP_IPPOOL_FQDN
+          value: "{{ vapp['metacluster.fqdn'] }}"
+        - key: VAPP_IPPOOL_NETWORK
+          value: "{{ (vapp['guestinfo.ipaddress'] + '/' + vapp['guestinfo.prefixlength']) | ansible.utils.ipaddr('network') }}"
+        - key: VAPP_IPPOOL_NETMASK
+          value: "{{ (vapp['guestinfo.ipaddress'] + '/' + vapp['guestinfo.prefixlength']) | ansible.utils.ipaddr('netmask') }}"
+        - key: VAPP_IPPOOL_DNSSERVER
+          value: "{{ vapp['guestinfo.dnsserver'] }}"
+        - key: VAPP_IPPOOL_GATEWAY
+          value: "{{ vapp['guestinfo.gateway'] }}"
+        - key: VAPP_IPPOOL_RANGE
+          value: "{{ vapp['ippool.startip'] + '#' + (vapp['ippool.startip'] | netaddr_iter_iprange(vapp['ippool.endip']) | length | string) }}"
+  loop_control:
+    label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}"

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/storage.yml

@@ -0,0 +1,9 @@
+- name: Install longhorn chart
+  kubernetes.core.helm:
+    name: longhorn
+    chart_ref: /opt/metacluster/helm-charts/longhorn
+    release_namespace: longhorn-system
+    create_namespace: yes
+    wait: yes
+    kubeconfig: "{{ kubeconfig.path }}"
+    values: "{{ components.longhorn.chart_values }}"

ansible/roles/firstboot/files/ansible_payload/roles/network/tasks/main.yml

@@ -0,0 +1,12 @@
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ vapp['guestinfo.hostname'] }}"
+
+- name: Create netplan configuration file
+  ansible.builtin.template:
+    src: netplan.j2
+    dest: /etc/netplan/00-installer-config.yaml
+
+- name: Apply netplan configuration
+  ansible.builtin.shell:
+    cmd: /usr/sbin/netplan apply

ansible/roles/firstboot/files/ansible_payload/roles/network/templates/netplan.j2

@@ -0,0 +1,10 @@
+network:
+  version: 2
+  ethernets:
+    ens192:
+      addresses:
+      - {{ vapp['guestinfo.ipaddress'] }}/{{ vapp['guestinfo.prefixlength'] }}
+      gateway4: {{ vapp['guestinfo.gateway'] }}
+      nameservers:
+        addresses:
+        - {{ vapp['guestinfo.dnsserver'] }}

ansible/roles/firstboot/files/ansible_payload/roles/tty/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Create folder structure(s)
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /opt/firstboot
+
+- name: Save tty script file
+  ansible.builtin.template:
+    src: tty.j2
+    dest: /opt/firstboot/tty.sh
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Create @reboot crontab job
+  ansible.builtin.cron:
+    name: tty.consolemessage
+    special_time: reboot
+    job: /opt/firstboot/tty.sh

ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml

@@ -0,0 +1,39 @@
+- name: Set root password
+  ansible.builtin.user:
+    name: root
+    password: "{{ vapp['guestinfo.rootpw'] | password_hash('sha512', 65534 | random(seed=vapp['guestinfo.hostname']) | string) }}"
+    generate_ssh_key: yes
+    ssh_key_bits: 2048
+    ssh_key_file: .ssh/id_rsa
+
+- name: Save root SSH publickey
+  ansible.builtin.lineinfile:
+    path: /root/.ssh/authorized_keys
+    line: "{{ vapp['guestinfo.rootsshkey'] }}"
+
+- name: Disable SSH password authentication
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regex: "{{ item.regex }}"
+    line: "{{ item.line }}"
+    state: "{{ item.state }}"
+  loop:
+  - regex: '^#PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+    state: present
+  - regex: '^PasswordAuthentication yes'
+    line: 'PasswordAuthentication yes'
+    state: absent
+  loop_control:
+    label: "{{ '[' + item.line + '] ' + item.state }}"
+
+- name: Create dedicated SSH keypair
+  community.crypto.openssh_keypair:
+    path: /root/.ssh/git_rsa_id
+  register: gitops_sshkey
+
+- name: Delete 'ubuntu' user
+  ansible.builtin.user:
+    name: ubuntu
+    state: absent
+    remove: yes

ansible/roles/firstboot/files/ansible_payload/roles/vapp/tasks/main.yml

@@ -0,0 +1,38 @@
+- name: Store current ovfEnvironment
+  ansible.builtin.shell:
+    cmd: /usr/bin/vmtoolsd --cmd "info-get guestinfo.ovfEnv"
+  register: ovfenv
+
+- name: Parse XML for MoRef ID
+  community.general.xml:
+    xmlstring: "{{ ovfenv.stdout }}"
+    namespaces:
+      ns: http://schemas.dmtf.org/ovf/environment/1
+      ve: http://www.vmware.com/schema/ovfenv
+    xpath: /ns:Environment
+    content: attribute
+  register: environment_attribute
+
+- name: Store MoRef ID
+  ansible.builtin.set_fact:
+    moref_id: "{{ ((environment_attribute.matches[0].values() | list)[0].values() | list)[1] }}"
+
+- name: Parse XML for vApp properties
+  community.general.xml:
+    xmlstring: "{{ ovfenv.stdout }}"
+    namespaces:
+      ns: http://schemas.dmtf.org/ovf/environment/1
+    xpath: /ns:Environment/ns:PropertySection/ns:Property
+    content: attribute
+  register: property_section
+
+- name: Assign vApp properties to dictionary
+  ansible.builtin.set_fact:
+    vapp: >-
+      {{ vapp | default({}) | combine({
+        ((item.values() | list)[0].values() | list)[0]:
+        ((item.values() | list)[0].values() | list)[1]})
+      }}
+  loop: "{{ property_section.matches }}"
+  loop_control:
+    label: "{{ ((item.values() | list)[0].values() | list)[0] }}"

ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/main.yml

@@ -0,0 +1,106 @@
+- block:
+
+    - name: Gather hypervisor details
+      ansible.builtin.shell:
+        cmd: govc ls -L {{ item.moref }} | awk -F/ '{print ${{ item.part }}}'
+      environment:
+        GOVC_INSECURE: '1'
+        GOVC_URL: "{{ vapp['hv.fqdn'] }}"
+        GOVC_USERNAME: "{{ vapp['hv.username'] }}"
+        GOVC_PASSWORD: "{{ vapp['hv.password'] }}"
+      register: govc_inventory
+      loop:
+        - attribute: cluster
+          moref: >-
+            $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+              jq -r '.[] | select(.Name == "runtime").Val.Host | .Type + ":" + .Value')
+          part: (NF-1)
+        - attribute: datacenter
+          moref: VirtualMachine:{{ moref_id }}
+          part: 2
+        - attribute: datastore
+          moref: >-
+            $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+              jq -r '.[] | select(.Name == "datastore").Val.ManagedObjectReference | .[].Type + ":" + .[].Value')
+          part: NF
+        - attribute: folder
+          moref: >-
+            $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+              jq -r '.[] | select(.Name == "parent").Val | .Type + ":" + .Value')
+          part: 0
+        # - attribute: host
+        #   moref: >-
+        #     $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+        #       jq -r '.[] | select(.Name == "runtime").Val.Host | .Type + ":" + .Value')
+        #   part: NF
+        - attribute: network
+          moref: >-
+            $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+              jq -r '.[] | select(.Name == "network").Val.ManagedObjectReference | .[].Type + ":" + .[].Value')
+          part: NF
+      loop_control:
+        label: "{{ item.attribute }}"
+
+    - name: Store hypervisor details in dictionary
+      ansible.builtin.set_fact:
+        vcenter_info: "{{ vcenter_info | default({}) | combine({ item.item.attribute : item.stdout }) }}"
+      loop: "{{ govc_inventory.results }}"
+      loop_control:
+        label: "{{ item.item.attribute }}"
+
+- block:
+
+    - name: Check for existing templates on hypervisor
+      community.vmware.vmware_guest_info:
+        name: "{{ (item | basename | split('.'))[:-1] | join('.') }}"
+      register: existing_ova
+      loop: "{{ query('ansible.builtin.fileglob', '/opt/workloadcluster/node-templates/*.ova') | sort }}"
+      ignore_errors: yes
+
+    - name: Parse OVA files for network mappings
+      ansible.builtin.shell:
+        cmd: govc import.spec -json {{ item }}
+      environment:
+        GOVC_INSECURE: '1'
+        GOVC_URL: "{{ vapp['hv.fqdn'] }}"
+        GOVC_USERNAME: "{{ vapp['hv.username'] }}"
+        GOVC_PASSWORD: "{{ vapp['hv.password'] }}"
+      register: ova_spec
+      when: existing_ova.results[index] is failed
+      loop: "{{ query('ansible.builtin.fileglob', '/opt/workloadcluster/node-templates/*.ova') | sort }}"
+      loop_control:
+        index_var: index
+
+    - name: Deploy OVA templates on hypervisor
+      community.vmware.vmware_deploy_ovf:
+        cluster: "{{ vcenter_info.cluster }}"
+        datastore: "{{ vcenter_info.datastore }}"
+        folder: "{{ vcenter_info.folder }}"
+        name: "{{ (item | basename | split('.'))[:-1] | join('.') }}"
+        networks: "{u'{{ ova_spec.results[index].stdout | from_json | json_query('NetworkMapping[0].Name') }}':u'{{ vcenter_info.network }}'}"
+        allow_duplicates: no
+        power_on: false
+        ovf: "{{ item }}"
+      register: ova_deploy
+      when: existing_ova.results[index] is failed
+      loop: "{{ query('ansible.builtin.fileglob', '/opt/workloadcluster/node-templates/*.ova') | sort }}"
+      loop_control:
+        index_var: index
+
+    - name: Mark deployed VM's as templates
+      community.vmware.vmware_guest:
+        name: "{{ item.instance.hw_name }}"
+        is_template: yes
+      when: ova_deploy.results[index] is not skipped
+      loop: "{{ ova_deploy.results }}"
+      loop_control:
+        index_var: index
+        label: "{{ item.item }}"
+
+  module_defaults:
+    group/vmware:
+      hostname: "{{ vapp['hv.fqdn'] }}"
+      validate_certs: no
+      username: "{{ vapp['hv.username'] }}"
+      password: "{{ vapp['hv.password'] }}"
+      datacenter: "{{ vcenter_info.datacenter }}"

ansible/roles/firstboot/files/ansible_payload/templates/applicationset.j2

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+spec:
+  generators:
+  - git:
+      repoURL: ssh://git@gitea-ssh.gitea.svc.cluster.local/mc/GitOps.Config.git
+      revision: HEAD
+      directories:
+      - path: metacluster-applicationset/*
+  template:
+    metadata:
+      name: {% raw %}'{{ path.basename }}'{% endraw +%}
+    spec:
+      project: default
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+      source:
+        repoURL: ssh://git@gitea-ssh.gitea.svc.cluster.local/mc/GitOps.Config.git
+        targetRevision: HEAD
+        path: {% raw %}'{{ path }}'{% endraw +%}
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: default

ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+  annotations:
+{{ _template.annotations }}
+  labels:
+{{ _template.labels }}
+data:
+{% for kv_pair in _template.data %}
+  "{{ kv_pair.key }}": |
+{{ kv_pair.value | indent(width=4, first=True) }}
+{% endfor %}

ansible/roles/firstboot/files/ansible_payload/templates/gitrepo.j2

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ _template.name }}-{{ _template.uid }}
+  namespace: {{ _template.namespace }}
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  url: ssh://git@gitea-ssh.gitea.svc.cluster.local/mc/GitOps.Config.git
+  name: {{ _template.name }}
+  insecure: 'true'
+  sshPrivateKey: |
+{{ _template.privatekey }}

ansible/roles/firstboot/files/ansible_payload/templates/ingressroute.j2

@@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+spec:
+{{ _template.config }}

ansible/roles/firstboot/files/ansible_payload/templates/ingressroutetcp.j2

@@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+spec:
+{{ _template.config }}

ansible/roles/firstboot/files/ansible_payload/templates/registries.j2

@@ -0,0 +1,25 @@
+mirrors:
+  cr.step.cm:
+    endpoint:
+      - https://registry.{{ vapp['metacluster.fqdn'] }}
+    rewrite:
+      "(.*)": "library/cr.step.sm/$1"
+  docker.io:
+    endpoint:
+      - https://registry.{{ vapp['metacluster.fqdn'] }}
+    rewrite:
+      "(.*)": "library/docker.io/$1"
+  ghcr.io:
+    endpoint:
+      - https://registry.{{ vapp['metacluster.fqdn'] }}
+    rewrite:
+      "(.*)": "library/ghcr.io/$1"
+  quay.io:
+    endpoint:
+      - https://registry.{{ vapp['metacluster.fqdn'] }}
+    rewrite:
+      "(.*)": "library/quay.io/$1"
+configs:
+  registry.{{ vapp['metacluster.fqdn'] }}:
+    tls:
+      insecure_skip_verify: true

ansible/roles/firstboot/files/ansible_payload/templates/secret.j2

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+data:
+{% for kv_pair in _template.data %}
+  "{{ kv_pair.key }}": {{ kv_pair.value }}
+{% endfor %}

ansible/roles/firstboot/files/ansible_payload/templates/tty.j2

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+export TERM=linux
+
+BGRN='\033[1;92m'
+BGRY='\033[1;30m'
+BBLU='\033[1;34m'
+BRED='\033[1;91m'
+BWHI='\033[1;97m'
+CBLA='\033[?16;0;30c' # Hide blinking cursor
+DFLT='\033[0m'        # Reset colour
+LCLR='\033[K'         # Clear to end of line
+PRST='\033[0;0H'      # Reset cursor position
+
+# COMPONENTS=('ca' 'ingress' 'storage' 'registry' 'git' 'gitops')
+COMPONENTS=('ca' 'storage' 'registry' 'git' 'gitops')
+FQDN='{{ vapp['metacluster.fqdn'] }}'
+IPADDRESS='{{ vapp['guestinfo.ipaddress'] }}'
+
+# Waiting to allow boot sequence to finish; crude!
+sleep 30
+clear > /dev/tty1
+
+while /bin/true; do
+  echo -e "${PRST}" > /dev/tty1
+  echo -e "\n\n\t${DFLT}To manage this appliance, please connect to one of the following:${LCLR}\n" > /dev/tty1
+
+  for c in "${COMPONENTS[@]}"; do
+    STATUS=$(curl -ks "https://${c}.${FQDN}" -o /dev/null -w '%{http_code}')
+
+    if [[ "${STATUS}" -eq "200" ]]; then
+      echo -e "\t [${BGRN}+${DFLT}] ${BBLU}https://${c}.${FQDN}${DFLT}${LCLR}" > /dev/tty1
+    else
+      echo -e "\t [${BRED}-${DFLT}] ${BBLU}https://${c}.${FQDN}${DFLT}${LCLR}" > /dev/tty1
+    fi
+  done
+
+  echo -e "\n\t${BGRY}Note that your DNS zone ${DFLT}must have${BGRY} respective records defined,\n\teach pointing to: ${DFLT}${IPADDRESS}${LCLR}" > /dev/tty1
+
+  echo -e "${CBLA}" > /dev/tty1
+  sleep 1
+done

ansible/roles/firstboot/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Create destination folder
+  ansible.builtin.file:
+    path: /opt/firstboot
+    state: directory
+
+- name: Create firstboot script file
+  ansible.builtin.template:
+    src: firstboot.j2
+    dest: /opt/firstboot/firstboot.sh
+    owner: root
+    group: root
+    mode: o+x
+
+- name: Create @reboot crontab job
+  ansible.builtin.cron:
+    name: firstboot
+    special_time: reboot
+    job: "/opt/firstboot/firstboot.sh >/dev/tty1 2>&1"
+
+- name: Copy payload folder
+  ansible.builtin.copy:
+    src: ansible_payload/
+    dest: /opt/firstboot/ansible/
+    owner: root
+    group: root
+    mode: '0644'

ansible/roles/firstboot/templates/firstboot.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Apply firstboot configuration w/ ansible
+/usr/local/bin/ansible-playbook /opt/firstboot/ansible/playbook.yml | tee -a /var/log/firstboot.log > /dev/tty1 2>&1

ansible/roles/metacluster/tasks/components.yml

@@ -0,0 +1,68 @@
+- name: Create folder structure(s)
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /opt/metacluster/helm-charts
+    - /opt/metacluster/container-images
+
+- name: Add helm repositories
+  kubernetes.core.helm_repository:
+    name: "{{ item.name }}"
+    repo_url: "{{ item.url }}"
+    state: present
+  loop: "{{ platform.helm_repositories }}"
+
+- name: Fetch helm charts
+  ansible.builtin.command:
+    cmd: helm fetch {{ item.value.helm.chart }} --untar --version {{ item.value.helm.version }}
+    chdir: /opt/metacluster/helm-charts
+  loop: "{{ lookup('ansible.builtin.dict', components) }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+- block:
+
+    - name: Aggregate chart_values into dict
+      ansible.builtin.set_fact:
+        chart_values: "{{ chart_values | default({}) | combine({ (item.key | regex_replace('[^A-Za-z0-9]', '')): { 'chart_values': (item.value.helm.chart_values | from_yaml) } }) }}"
+      when: item.value.helm.chart_values is defined
+      loop: "{{ lookup('ansible.builtin.dict', components) }}"
+      loop_control:
+        label: "{{ item.key }}"
+
+    - name: Write dict to vars_file
+      ansible.builtin.copy:
+        dest: /opt/firstboot/ansible/vars/metacluster.yml
+        content: "{{ { 'components': chart_values } | to_nice_yaml(indent=2, width=4096) }}"
+
+- name: Parse helm charts for container images
+  ansible.builtin.shell:
+    cmd: "{{ item.value.helm.parse_logic }}"
+    chdir: /opt/metacluster/helm-charts/{{ item.key }}
+  register: containerimages
+  loop: "{{ lookup('ansible.builtin.dict', components) }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: Pull and store containerimages
+  ansible.builtin.shell:
+    cmd: >-
+      skopeo copy \
+        --insecure-policy \
+        --retry-times=5 \
+        docker://{{ item }} \
+        docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}.tar:{{ item }}
+    chdir: /opt/metacluster/container-images
+  loop: "{{ ((containerimages.results | map(attribute='stdout_lines') | flatten) + dependencies.container_images) | unique }}"
+
+# - name: Inject manifests
+#   ansible.builtin.template:
+#     src: "{{ item.type }}.j2"
+#     dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
+#     owner: root
+#     group: root
+#     mode: 0600
+#   loop: "{{ lookup('ansible.builtin.dict', components) | map(attribute='value.manifests') | list | select('defined') | flatten }}"
+#   loop_control:
+#     label: "{{ item.type + '/' + item.name }}"

ansible/roles/metacluster/tasks/k3s.yml

@@ -0,0 +1,52 @@
+- name: Create folder structure(s)
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /var/lib/rancher/k3s/agent/images
+    - /var/lib/rancher/k3s/server/manifests
+    - /opt/metacluster/k3s
+
+- name: Download & install K3s binary
+  ansible.builtin.get_url:
+    url: https://github.com/k3s-io/k3s/releases/download/{{ platform.k3s.version }}/k3s
+    dest: /usr/local/bin/k3s
+    owner: root
+    group: root
+    mode: 0755
+  register: download
+  until: download is not failed
+  retries: 3
+  delay: 10
+
+- name: Download K3s images tarball
+  ansible.builtin.get_url:
+    url: https://github.com/k3s-io/k3s/releases/download/{{ platform.k3s.version }}/k3s-airgap-images-amd64.tar.gz
+    dest: /var/lib/rancher/k3s/agent/images
+  register: download
+  until: download is not failed
+  retries: 3
+  delay: 10
+
+- name: Download K3s install script
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /opt/metacluster/k3s/install.sh
+    owner: root
+    group: root
+    mode: 0755
+  register: download
+  until: download is not failed
+  retries: 3
+  delay: 10
+
+- name: Inject manifests
+  ansible.builtin.template:
+    src: helmchartconfig.j2
+    dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-config.yaml
+    owner: root
+    group: root
+    mode: 0600
+  loop: "{{ platform.packaged_components }}"
+  loop_control:
+    label: "{{ item.name }}"

ansible/roles/metacluster/tasks/main.yml

@@ -0,0 +1,8 @@
+- name: Pre-stage K3s components
+  import_tasks: k3s.yml
+
+- name: Pre-stage meta-cluster components
+  import_tasks: components.yml
+
+- name: Pre-stage meta-cluster configuration and workload-cluster components
+  import_tasks: staging.yml

ansible/roles/metacluster/tasks/staging.yml

@@ -0,0 +1,21 @@
+- name: Create folder structure(s)
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /opt/metacluster/git-repositories/gitops
+    - /opt/workloadcluster/node-templates
+
+- name: Clone git repository
+  ansible.builtin.git:
+    repo: "{{ platform.gitops.repository.uri }}"
+    version: "{{ platform.gitops.repository.revision }}"
+    dest: /opt/metacluster/git-repositories/gitops
+
+- name: Download node-template images
+  ansible.builtin.uri:
+    url: "{{ item.url }}"
+    dest: /opt/workloadcluster/node-templates/{{ downstream.node_templates.prefix }}{{ item.name }}
+  loop: "{{ downstream.node_templates.images }}"
+  loop_control:
+    label: "{{ downstream.node_templates.prefix }}{{ item.name }}"

ansible/roles/metacluster/templates/helmchartconfig.j2

@@ -0,0 +1,8 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: {{ item.name }}
+  namespace: {{ item.namespace }}
+spec:
+  valuesContent: |-
+{{ item.config }}

ansible/roles/os/tasks/cloud-init.yml

@@ -0,0 +1,13 @@
+- name: Delete cloud-init package
+  ansible.builtin.apt:
+    name: cloud-init
+    state: absent
+    purge: yes
+
+- name: Delete cloud-init files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/cloud
+    - /var/lib/cloud

ansible/roles/os/tasks/logging.yml

@@ -0,0 +1,5 @@
+- name: Enable crontab logging
+  ansible.builtin.lineinfile:
+    path: /etc/rsyslog.d/50-default.conf
+    regexp: '^#cron\.\*.*'
+    line: "cron.*\t\t\t\t./var/log/cron.log"

ansible/roles/os/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Disable tty logins
+  import_tasks: tty.yml
+
+- name: Remove snapd
+  import_tasks: snapd.yml
+
+- name: Remove cloud-init
+  import_tasks: cloud-init.yml
+
+- name: Configure default logging
+  import_tasks: logging.yml
+
+- name: Configure services
+  import_tasks: services.yml
+
+- name: Install packages
+  import_tasks: packages.yml

ansible/roles/os/tasks/packages.yml

@@ -0,0 +1,24 @@
+- name: Install additional packages
+  ansible.builtin.apt:
+    pkg: "{{ packages.apt }}"
+    state: latest
+    update_cache: yes
+    install_recommends: no
+
+- name: Upgrade all packages
+  ansible.builtin.apt:
+    name: '*'
+    state: latest
+    update_cache: yes
+
+- name: Install additional python packages
+  ansible.builtin.pip:
+    name: "{{ item }}"
+    executable: pip3
+    state: latest
+  loop: "{{ packages.pip }}"
+
+- name: Cleanup
+  ansible.builtin.apt:
+    autoremove: yes
+    purge: yes

ansible/roles/os/tasks/services.yml

@@ -0,0 +1,5 @@
+- name: Disable & mask networkd-wait-online
+  ansible.builtin.systemd:
+    name: systemd-networkd-wait-online
+    enabled: no
+    masked: yes

ansible/roles/os/tasks/snapd.yml

@@ -0,0 +1,19 @@
+- name: Delete snapd package
+  ansible.builtin.apt:
+    name: snapd
+    state: absent
+    purge: yes
+
+- name: Delete leftover files
+  ansible.builtin.file:
+    path: /root/snap
+    state: absent
+
+- name: Hold snapd package
+  ansible.builtin.dpkg_selections:
+    name: snapd
+    selection: hold
+
+- name: Reload systemd unit configurations
+  ansible.builtin.systemd:
+    daemon_reload: yes

ansible/roles/os/tasks/tty.yml

@@ -0,0 +1,16 @@
+- name: Disable extra tty
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/logind.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  loop:
+  - regexp: '^#NAutoVTs='
+    line: 'NAutoVTs=1'
+  - regexp: '^#ReserveVT='
+    line: 'ReserveVT=11'
+
+- name: Mask getty@tty1 service
+  ansible.builtin.systemd:
+    name: getty@tty1
+    enabled: no
+    masked: yes

ansible/roles/os/vars/main.yml

@@ -0,0 +1,12 @@
+packages:
+  apt:
+    - jq
+    - python3-pip
+  pip:
+    - ansible-core
+    - jinja2
+    - lxml
+    - markupsafe
+    - pip
+    - setuptools
+    - wheel

ansible/vars/metacluster.yml

@@ -0,0 +1,220 @@
+platform:
+
+  k3s:
+    version: v1.24.1+k3s1
+
+  gitops:
+    repository:
+      uri: https://code.spamasaurus.com/djpbessems/GitOps.MetaCluster.git
+      # revision: v0.1.0
+      revision: HEAD
+
+  packaged_components:
+    - name: traefik
+      namespace: kube-system
+      config: |2
+            additionalArguments:
+              - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
+              - "--certificatesResolvers.stepca.acme.email=admin"
+              - "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
+              - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
+              - "--certificatesresolvers.stepca.acme.certificatesduration=24"
+            globalArguments: []
+            ingressRoute:
+              dashboard:
+                enabled: false
+            ports:
+              ssh:
+                port: 8022
+                protocol: TCP
+              web:
+                redirectTo: websecure
+              websecure:
+                tls:
+                  certResolver: stepca
+
+  helm_repositories:
+    - name: argo
+      url: https://argoproj.github.io/argo-helm
+    - name: gitea-charts
+      url: https://dl.gitea.io/charts/
+    - name: harbor
+      url: https://helm.goharbor.io
+    - name: jetstack
+      url: https://charts.jetstack.io
+    - name: longhorn
+      url: https://charts.longhorn.io
+    - name: sealed-secrets
+      url: https://bitnami-labs.github.io/sealed-secrets
+    - name: smallstep
+      url: https://smallstep.github.io/helm-charts/
+
+components:
+
+  argo-cd:
+    helm:
+      version: 4.9.7  # (= ArgoCD v2.4.2)
+      chart: argo/argo-cd
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      chart_values: !unsafe |
+        configs:
+          secret:
+            argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}"
+        server:
+          extraArgs:
+            - --insecure
+          ingress:
+            enabled: true
+            hosts:
+              - gitops.{{ vapp['metacluster.fqdn'] }}
+
+  cert-manager:
+    helm:
+      version: 1.9.1
+      chart: jetstack/cert-manager
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      # chart_values: !unsafe |
+      #   installCRDs: true
+
+  gitea:
+    helm:
+      version: v6.0.0 # (= Gitea v1.17.1)
+      chart: gitea-charts/gitea
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/'
+      chart_values: !unsafe |
+        gitea:
+          admin:
+            username: administrator
+            password: "{{ vapp['guestinfo.rootpw'] }}"
+            email: admin@{{ vapp['metacluster.fqdn'] }}
+          config:
+            server:
+              OFFLINE_MODE: true
+              PROTOCOL: http
+              ROOT_URL: https://git.{{ vapp['metacluster.fqdn'] }}/
+        image:
+          pullPolicy: IfNotPresent
+        ingress:
+          enabled: true
+          hosts:
+            - host: git.{{ vapp['metacluster.fqdn'] }}
+              paths:
+                - path: /
+                  pathType: Prefix
+        service:
+          ssh:
+            type: ClusterIP
+            port: 22
+            clusterIP:
+
+  harbor:
+    helm:
+      version: 1.9.1  # (= Harbor v2.5.1)
+      chart: harbor/harbor
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      chart_values: !unsafe |
+        expose:
+          ingress:
+            annotations: {}
+            hosts:
+              core: registry.{{ vapp['metacluster.fqdn'] }}
+          tls:
+            certSource: none
+            enabled: false
+        externalURL: https://registry.{{ vapp['metacluster.fqdn'] }}
+        harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}"
+        notary:
+          enabled: false
+
+  longhorn:
+    helm:
+      version: 1.3.0
+      chart: longhorn/longhorn
+      parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag'
+      chart_values: !unsafe |
+        defaultSettings:
+          defaultDataPath: /mnt/blockstorage
+          defaultReplicaCount: 1
+        ingress:
+          enabled: true
+          host: storage.{{ vapp['metacluster.fqdn'] }}
+        persistence:
+          defaultClassReplicaCount: 1
+
+  sealed-secrets:
+    helm:
+      version: 2.4.0  # (= SealedSecrets v0.18.1)
+      chart: sealed-secrets/sealed-secrets
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+
+  step-certificates:
+    helm:
+      version: 1.18.2+20220324
+      chart: smallstep/step-certificates
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u
+      chart_values: !unsafe |
+        ca:
+          bootstrap:
+            postInitHook: |
+              echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile
+              step ca provisioner add acme \
+                --type ACME \
+                --password-file=~/pwfile \
+                --force-cn
+              rm ~/pwfile
+          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
+          password: "{{ vapp['guestinfo.rootpw'] }}"
+          provisioner:
+            name: admin
+            password: "{{ vapp['guestinfo.rootpw'] }}"
+        inject:
+          secrets:
+            ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
+            provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
+        service:
+          targetPort: 9000
+
+dependencies:
+
+  ansible_galaxy_collections:
+    - ansible.posix
+    - ansible.utils
+    - community.crypto
+    - community.general
+    - community.vmware
+    - kubernetes.core
+
+  container_images:
+    - vmware/powerclicore:12.7
+
+  static_binaries:
+    - filename: clusterctl
+      url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.2/clusterctl-linux-amd64
+    - filename: govc
+      url: https://github.com/vmware/govmomi/releases/download/v0.29.0/govc_Linux_x86_64.tar.gz
+      archive: compressed
+    - filename: helm
+      url: https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz
+      archive: compressed
+      extra_opts: --strip-components=1
+    - filename: kubeseal
+      url: https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.2/kubeseal-0.18.2-linux-amd64.tar.gz
+      archive: compressed
+    - filename: skopeo
+      url: https://code.spamasaurus.com/djpbessems/-/packages/generic/skopeo/v1.10.0/files/2
+    - filename: step
+      url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.21.0/step_linux_0.21.0_amd64.tar.gz
+      archive: compressed
+      extra_opts: --strip-components=2
+    - filename: yq
+      url: http://github.com/mikefarah/yq/releases/download/v4.25.3/yq_linux_amd64
+
+  packages:
+    apt:
+      - lvm2
+    pip:
+      - jmespath
+      - kubernetes
+      - netaddr
+      - passlib
+      - pyvmomi

ansible/vars/workloadcluster.yml

@@ -0,0 +1,7 @@
+downstream:
+
+  node_templates:
+    prefix: NodeTmpl_
+    images:
+      - url: https://stable.release.flatcar-linux.net/amd64-usr/3227.2.0/flatcar_production_vmware_ova.ova
+        name: flatcar.ova

inspec/Windows10IoTEnterprise/profile/controls/Win10/Disabled IPv6.rb

@@ -1,16 +0,0 @@
-script = <<-EOH
-$nic = get-netadapter
-
-Get-NetAdapterBinding –InterfaceAlias $nic.name –ComponentID ms_tcpip6
-EOH
-
-control "ipv6" do
-    title 'Disabled network protocol IPv6'
-    desc '
-        This test assures that IPv6 is disabled
-    '
-
-    describe powershell(script) do
-        its('stdout') { should match 'False' }
-    end
-end

inspec/Windows10IoTEnterprise/profile/controls/Win10/Disabled Services.rb

@@ -1,29 +0,0 @@
-script = <<-EOH
-  # Initialize variable to empty array
-  $NonCompliantServices = @()
-
-  # Specify relevant services
-  $Services = @(
-      "wuauserv",
-      "W3SVC",
-      "XboxGipSvc",
-      "XblGameSave"
-  )
-
-  # Enumerate all services
-  $NonCompliantServices += Get-Service $Services -ErrorAction 'SilentlyContinue' | Where-Object {$_.StartType -ne 'Disabled'}
-
-  # Output; 'True' or list of noncompliant services
-  Write-Output ($True, $NonCompliantServices)[!($NonCompliantServices.Count -eq 0)]
-EOH
-
-control "disabled_services" do
-    title 'Disabled services'
-    desc '
-        This test assures that all unneeded services are set to "disabled".
-    '
-
-    describe powershell(script) do
-        its('stdout') { should match 'True' }
-    end
-end

inspec/Windows10IoTEnterprise/profile/controls/Win10/Single Disk.rb

@@ -1,29 +0,0 @@
-script = <<-EOH
-  # Initialize variable to empty array
-  $LogicalDisks = @()
-
-  # Enumerate all logicaldisks
-  # DriveType:
-  #  Unknown (0)
-  #  No Root Directory (1)
-  #  Removable Disk (2)
-  #  Local Disk (3)
-  #  Network Drive (4)
-  #  Compact Disc (5)
-  #  RAM Disk (6)
-  $LogicalDisks += Get-WmiObject -Class 'win32_logicaldisk' -Filter 'DriveType=3'
-
-  # Filter/Quantify
-  ($LogicalDisks.Count -eq 1) -and (($LogicalDisks | Where-Object {$_.DeviceID -ne 'C:'}).Count -eq 0)
-EOH
-
-control "single_disk" do
-    title 'Single Disk'
-    desc '
-        This test assures that only a single disk (C:) is available
-    '
-
-    describe powershell(script) do
-        its('stdout') { should match 'True' }
-    end
-end

inspec/Windows10IoTEnterprise/profile/controls/Win10/Software Installed.rb

@@ -1,54 +0,0 @@
-control "software_installed-7zip" do
-    title 'Included Default Applications: 7-Zip'
-    desc '
-        This test assures that the software application "7-Zip" is installed.
-    '
-
-    describe chocolatey_package('7zip.install') do
-        it { should be_installed }
-    end
-end
-
-# control "software_installed-dotnetfx" do
-#     title 'Included Default Applications: .NET'
-#     desc '
-#         This test assures that the software application ".NET" is installed.
-#     '
-
-#     describe chocolatey_package('dotnetfx') do
-#         it { should be_installed }
-#     end
-# end
-
-# control "software_installed-foxitreader" do
-#    title 'Included Default Applications: Foxit Reader'
-#    desc '
-#        This test assures that the software application "Foxit Reader" is installed.
-#    '
-
-#    describe chocolatey_package('foxitreader') do
-#        it { should be_installed }
-#    end
-# end
-
-# control "software_installed-notepadplusplus" do
-#     title 'Included Default Applications: Notepad++'
-#     desc '
-#         This test assures that the software application "Notepad++" is installed.
-#     '
-
-#     describe chocolatey_package('notepadplusplus') do
-#         it { should be_installed }
-#     end
-# end
-
-# control "software_installed-putty" do
-#     title 'Included Default Applications: Putty'
-#     desc '
-#         This test assures that the software application "PuTTy" is installed.
-#     '
-
-#     describe chocolatey_package('putty') do
-#         it { should be_installed }
-#     end
-# end

inspec/Windows10IoTEnterprise/profile/inspec.yml

@@ -1,10 +0,0 @@
----
-name: Windows 10 IoT Enterprise
-title: Windows 10 IoT Enterprise InSpec Tests
-summary: Unit test for Windows 10 IoT Enterprise
-version: 1.0.0
-maintainer: https://code.spamasaurus.com/djpbessems
-copyright: https://code.spamasaurus.com/djpbessems
-license: Proprietary
-supports:
-  - platform-family: windows

packer/iso.auto.pkrvars.hcl

@@ -0,0 +1,4 @@
+iso_url      = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04-live-server-amd64.iso"
+iso_checksum = "sha256:84AEAF7823C8C61BAA0AE862D0A06B03409394800000B3235854A6B38EB4856F"
+// iso_url      = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2020.04/ubuntu-20.04.2-live-server-amd64.iso"
+// iso_checksum = "sha256:D1F2BF834BBE9BB43FAF16F9BE992A6F3935E65BE0EDECE1DEE2AA6EB1767423"

packer/k8sbootstrap.pkr.hcl

@@ -0,0 +1,101 @@
+packer {
+  required_plugins {
+  }
+}
+
+source "vsphere-iso" "k8sbootstrap" {
+  vcenter_server          = var.vcenter_server
+  username                = var.vsphere_username
+  password                = var.vsphere_password
+  insecure_connection     = "true"
+
+  vm_name                 = "${var.vm_guestos}-${var.vm_name}"
+  datacenter              = var.vsphere_datacenter
+  cluster                 = var.vsphere_cluster
+  host                    = var.vsphere_host
+  folder                  = var.vsphere_folder
+  datastore               = var.vsphere_datastore
+
+  guest_os_type           = "ubuntu64Guest"
+
+  boot_order              = "disk,cdrom"
+  boot_command            = [
+    "e<down><down><down><end>",
+    " autoinstall ds=nocloud;",
+    "<F10>"
+  ]
+  boot_wait               = "2s"
+
+  communicator            = "ssh"
+  ssh_username            = "ubuntu"
+  ssh_password            = var.ssh_password
+  ssh_timeout             = "20m"
+  ssh_handshake_attempts  = "100"
+  ssh_pty                 = true
+
+  CPUs                    = 2
+  RAM                     = 8192
+
+  network_adapters {
+    network               = var.vsphere_network
+    network_card          = "vmxnet3"
+  }
+  storage {
+    disk_size             = 76800
+    disk_thin_provisioned = true
+  }
+  disk_controller_type    = ["pvscsi"]
+  usb_controller          = ["xhci"]
+
+  cd_files                = [
+    "packer/preseed/UbuntuServer22.04/user-data",
+    "packer/preseed/UbuntuServer22.04/meta-data"
+  ]
+  cd_label                = "cidata"
+  iso_url                 = local.iso_authenticatedurl
+  iso_checksum            = var.iso_checksum
+
+  shutdown_command        = "echo '${var.ssh_password}' | sudo -S shutdown -P now"
+  shutdown_timeout        = "5m"
+
+  export {
+    images                = false
+    output_directory      = "/scratch/k8sbootstrap"
+  }
+  remove_cdrom            = true
+}
+
+build {
+  sources = [
+    "source.vsphere-iso.k8sbootstrap"
+  ]
+
+  provisioner "ansible" {
+    pause_before     = "2m30s"
+
+    playbook_file    = "ansible/playbook.yml"
+    user             = "ubuntu"
+    ansible_env_vars = [
+      "ANSIBLE_CONFIG=ansible/ansible.cfg"
+    ]
+    use_proxy        = "false"
+    extra_arguments  = [
+      "--extra-vars", "ansible_ssh_pass=${var.ssh_password}",
+      "--extra-vars", "repo_username=${var.repo_username}",
+      "--extra-vars", "repo_password=${var.repo_password}"
+    ]
+  }
+
+  post-processor "shell-local" {
+    inline = [
+      "pwsh -command \"& scripts/Update-OvfConfiguration.ps1 \\",
+      " -OVFFile '/scratch/k8sbootstrap/${var.vm_guestos}-${var.vm_name}.ovf' \\",
+      " -Parameter @{'appliance.name'='${var.vm_guestos}';'appliance.version'='${var.vm_name}'}\"",
+      "pwsh -file scripts/Update-Manifest.ps1 \\",
+      " -ManifestFileName '/scratch/k8sbootstrap/${var.vm_guestos}-${var.vm_name}.mf'",
+      "ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
+      " '/scratch/k8sbootstrap/${var.vm_guestos}-${var.vm_name}.ovf' \\",
+      " /output/Kubernetes.Bootstrap.Appliance.ova"
+    ]
+  }
+}

packer/preseed/UbuntuServer22.04/user-data

@@ -0,0 +1,29 @@
+#cloud-config
+autoinstall:
+  version: 1
+  locale: en_US
+  keyboard:
+    layout: en
+    variant: us
+  network:
+    network:
+      version: 2
+      ethernets:
+        ens192:
+          dhcp4: true
+          dhcp-identifier: mac
+  storage:
+    layout:
+      name: direct
+  identity:
+    hostname: packer-template
+    username: ubuntu
+    # password: $6$ZThRyfmSMh9499ar$KSZus58U/l58Efci0tiJEqDKFCpoy.rv25JjGRv5.iL33AQLTY2aljumkGiDAiX6LsjzVsGTgH85Tx4S.aTfx0
+    password: $6$rounds=4096$ZKfzRoaQOtc$M.fhOsI0gbLnJcCONXz/YkPfSoefP4i2/PQgzi2xHEi2x9CUhush.3VmYKL0XVr5JhoYvnLfFwqwR/1YYEqZy/
+  ssh:
+    install-server: yes
+    allow-pw: true
+  user-data:
+    disable_root: false
+  late-commands:
+    - echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /target/etc/sudoers.d/ubuntu

packer/preseed/Windows10/Autounattend.xml

@@ -1,159 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<unattend xmlns="urn:schemas-microsoft-com:unattend">
-    <servicing/>
-    <settings pass="windowsPE">
-        <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
-            <DiskConfiguration>
-                <Disk wcm:action="add">
-                    <CreatePartitions>
-                        <CreatePartition wcm:action="add">
-                            <Order>1</Order>
-                            <Type>Primary</Type>
-                            <Extend>true</Extend>
-                        </CreatePartition>
-                    </CreatePartitions>
-                    <ModifyPartitions>
-                        <ModifyPartition wcm:action="add">
-                            <Extend>false</Extend>
-                            <Format>NTFS</Format>
-                            <Letter>C</Letter>
-                            <Order>1</Order>
-                            <PartitionID>1</PartitionID>
-                            <Label>Windows 10</Label>
-                        </ModifyPartition>
-                    </ModifyPartitions>
-                    <DiskID>0</DiskID>
-                    <WillWipeDisk>true</WillWipeDisk>
-                </Disk>
-                <WillShowUI>OnError</WillShowUI>
-            </DiskConfiguration>
-            <UserData>
-                <AcceptEula>true</AcceptEula>
-                <!-- <FullName>Spamasaurus Rex</FullName>
-                <Organization>Spamasaurus Rex</Organization> -->
-                <ProductKey>
-                    <Key><<img-productkey>></Key>
-                    <WillShowUI>Never</WillShowUI>
-                </ProductKey>
-            </UserData>
-            <ImageInstall>
-                <OSImage>
-                    <InstallTo>
-                        <DiskID>0</DiskID>
-                        <PartitionID>1</PartitionID>
-                    </InstallTo>
-                    <WillShowUI>OnError</WillShowUI>
-                    <InstallToAvailablePartition>false</InstallToAvailablePartition>
-                    <InstallFrom>
-                        <MetaData wcm:action="add">
-                            <Key>/IMAGE/INDEX</Key>
-                            <Value>3</Value>
-                        </MetaData>
-                    </InstallFrom>
-                </OSImage>
-            </ImageInstall>
-        </component>
-        <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
-            <SetupUILanguage>
-                <UILanguage>en-US</UILanguage>
-            </SetupUILanguage>
-            <InputLocale>en-US</InputLocale>
-            <SystemLocale>en-US</SystemLocale>
-            <UILanguage>en-US</UILanguage>
-            <UILanguageFallback>en-US</UILanguageFallback>
-            <UserLocale>en-US</UserLocale>
-        </component>
-    </settings>
-    <settings pass="offlineServicing">
-        <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
-            <EnableLUA>false</EnableLUA>
-        </component>
-    </settings>
-    <settings pass="oobeSystem">
-        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-            <InputLocale>en-US</InputLocale>
-            <SystemLocale>en-US</SystemLocale>
-            <UILanguage>en-US</UILanguage>
-            <UserLocale>en-US</UserLocale>
-        </component>
-        <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
-            <UserAccounts>
-                <AdministratorPassword>
-                    <Value><<img-password>></Value>
-                    <PlainText>true</PlainText>
-                </AdministratorPassword>
-            </UserAccounts>
-            <OOBE>
-                <HideEULAPage>true</HideEULAPage>
-                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
-                <NetworkLocation>Home</NetworkLocation>
-                <ProtectYourPC>1</ProtectYourPC>
-            </OOBE>
-            <AutoLogon>
-                <Password>
-                    <Value><<img-password>></Value>
-                    <PlainText>true</PlainText>
-                </Password>
-                <Username>administrator</Username>
-                <Enabled>true</Enabled>
-            </AutoLogon>
-            <FirstLogonCommands>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine>
-                    <Description>Set execution policy 64bit</Description>
-                    <Order>1</Order>
-                    <RequiresUserInput>true</RequiresUserInput>
-                </SynchronousCommand>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine>
-                    <Description>Set execution policy 32bit</Description>
-                    <Order>2</Order>
-                    <RequiresUserInput>true</RequiresUserInput>
-                </SynchronousCommand>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff"</CommandLine>
-                    <Description>Disable new network prompt</Description>
-                    <Order>3</Order>
-                    <RequiresUserInput>true</RequiresUserInput>
-                </SynchronousCommand>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\Set-NetworkProfile.ps1</CommandLine>
-                    <Description>Set network profile to private</Description>
-                    <Order>4</Order>
-                    <RequiresUserInput>true</RequiresUserInput>
-                </SynchronousCommand>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\Disable-WinRM.ps1</CommandLine>
-                    <Description>Disable WinRM</Description>
-                    <Order>5</Order>
-                    <RequiresUserInput>true</RequiresUserInput>
-                </SynchronousCommand>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>cmd.exe /c a:\Install-VMwareTools.cmd</CommandLine>
-                    <Order>13</Order>
-                    <Description>Install VMware Tools</Description>
-                </SynchronousCommand>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\Enable-WinRM.ps1</CommandLine>
-                    <Description>Enable WinRM</Description>
-                    <Order>99</Order>
-                </SynchronousCommand>
-            </FirstLogonCommands>
-            <ShowWindowsLive>false</ShowWindowsLive>
-        </component>
-    </settings>
-    <settings pass="specialize">
-        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
-            <OEMInformation>
-                <HelpCustomized>false</HelpCustomized>
-            </OEMInformation>
-            <!-- Rename computer here. -->
-            <ComputerName>packer-template</ComputerName>
-            <TimeZone>W. Europe Standard Time</TimeZone>
-            <RegisteredOwner/>
-        </component>
-        <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
-            <SkipAutoActivation>true</SkipAutoActivation>
-        </component>
-    </settings>
-</unattend>

packer/preseed/Windows10/Sysprep_Unattend.xml

@@ -1,42 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<unattend xmlns="urn:schemas-microsoft-com:unattend">
-    <settings pass="generalize">
-        <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-            <SkipRearm>1</SkipRearm>
-        </component>
-        <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-            <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
-            <DoNotCleanUpNonPresentDevices>true</DoNotCleanUpNonPresentDevices>
-        </component>
-    </settings>
-    <settings pass="oobeSystem">
-        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-            <InputLocale>en-US</InputLocale>
-            <SystemLocale>en-US</SystemLocale>
-            <UILanguage>en-US</UILanguage>
-            <UserLocale>en-US</UserLocale>
-        </component>
-        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-            <OOBE>
-                <HideEULAPage>true</HideEULAPage>
-                <HideLocalAccountScreen>true</HideLocalAccountScreen>
-                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
-                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
-                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
-                <NetworkLocation>Work</NetworkLocation>
-                <ProtectYourPC>1</ProtectYourPC>
-                <SkipMachineOOBE>true</SkipMachineOOBE>
-                <SkipUserOOBE>true</SkipUserOOBE>
-            </OOBE>
-            <TimeZone>UTC</TimeZone>
-            <UserAccounts>
-                <AdministratorPassword>
-                    <Value><<img-password>></Value>
-                    <PlainText>true</PlainText>
-                </AdministratorPassword>
-            </UserAccounts>
-        </component>
-    </settings>
-    <settings pass="specialize">
-    </settings>
-</unattend>

packer/variables.pkr.hcl

@@ -1,9 +1,12 @@
 variable "vcenter_server" {}
 variable "vsphere_username" {}
-variable "vsphere_password" {}
+variable "vsphere_password" {
+    sensitive = true
+}
 
 variable "vsphere_host" {}
 variable "vsphere_datacenter" {}
+variable "vsphere_cluster" {}
 
 variable "vsphere_templatefolder" {}
 variable "vsphere_folder" {}
@@ -12,7 +15,17 @@ variable "vsphere_network" {}
 
 variable "vm_name" {}
 variable "vm_guestos" {}
-variable "winrm_password" {}
+variable "ssh_password" {
+    sensitive = true
+}
 
+variable "iso_url" {}
+variable "iso_checksum" {}
 variable "repo_username" {}
-variable "repo_password" {}
+variable "repo_password" {
+    sensitive = true
+}
+local "iso_authenticatedurl" {
+    expression = "https://${var.repo_username}:${var.repo_password}@${var.iso_url}"
+    sensitive  = true
+}

packer/vsphere.auto.pkrvars.hcl

@@ -1,8 +1,9 @@
 vcenter_server         = "bv11-vc.bessems.lan"
 vsphere_username       = "administrator@vsphere.local"
 vsphere_datacenter     = "DeSchakel"
-vsphere_host           = "bv11-esx.bessems.lan"
+vsphere_cluster        = "Cluster.01"
-vsphere_datastore      = "Datastore01.SSD"
+vsphere_host           = "bv11-esx02.bessems.lan"
+vsphere_datastore      = "NAS01.RAID5"
 vsphere_folder         = "/Packer"
 vsphere_templatefolder = "/Templates"
 vsphere_network        = "LAN"

packer/windows10.pkr.hcl

@@ -1,133 +0,0 @@
-packer {
-  required_plugins {
-    windows-update = {
-      version = ">= 0.14.0"
-      source  = "github.com/rgl/windows-update"
-    }
-  }
-}
-
-source "vsphere-iso" "win10" {
-  vcenter_server          = var.vcenter_server
-  username                = var.vsphere_username
-  password                = var.vsphere_password
-  insecure_connection     = "true"
-
-  vm_name                 = "${var.vm_guestos}-${var.vm_name}"
-  datacenter              = var.vsphere_datacenter
-  host                    = var.vsphere_host
-  folder                  = var.vsphere_folder
-  datastore               = var.vsphere_datastore
-
-  guest_os_type           = "windows9_64Guest"
-
-  boot_order              = "disk,cdrom"
-  boot_command            = [""]
-  boot_wait               = "5m"
-
-  communicator            = "winrm"
-  winrm_username          = "administrator"
-  winrm_password          = var.winrm_password
-  winrm_timeout           = "10m"
-
-  CPUs                    = 2
-  RAM                     = 8192
-
-  network_adapters {
-    network               = var.vsphere_network
-    network_card          = "vmxnet3"
-  }
-  storage {
-    disk_size             = 20480
-    disk_thin_provisioned = true
-  }
-  disk_controller_type    = ["lsilogic-sas"]
-  usb_controller          = ["xhci"]
-
-  floppy_files            = [
-    "packer/preseed/Windows10/Autounattend.xml",
-    "packer/preseed/Windows10/Sysprep_Unattend.xml",
-    "scripts/Set-NetworkProfile.ps1",
-    "scripts/Disable-WinRM.ps1",
-    "scripts/Enable-WinRM.ps1",
-    "scripts/Install-VMwareTools.cmd"
-  ]
-  iso_checksum            = "sha256:8D1663B71280533824CF95C7AB48ADAF5A187C38FCFF5B16A569F903688916D0"
-  iso_paths               = [
-    "ISO-files/VMware-tools-windows-11.3.5-18557794/VMware-tools-windows-11.3.5-18557794.iso"
-  ]
-  iso_url                 = "https://${var.repo_username}:${var.repo_password}@sn.itch.fyi/Repository/iso/Microsoft/Windows%2010/20H2/en_windows_10_enterprise_20H2_x64.iso"
-
-  shutdown_command        = "C:\\Windows\\System32\\Sysprep\\sysprep.exe /generalize /oobe /unattend:A:\\Sysprep_Unattend.xml"
-  shutdown_timeout        = "1h"
-
-  export {
-    images                = false
-    output_directory      = "/scratch/win10"
-  }
-  remove_cdrom            = true
-}
-
-build {
-  sources = ["source.vsphere-iso.win10"]
-
-  provisioner "windows-update" {
-    filters = [
-      "exclude:$_.Title -like '*Preview*'",
-      "include:$true"
-    ]
-  }
-
-  provisioner "powershell" {
-    inline = [
-      "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12",
-      "Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
-    ]
-  }
-
-  provisioner "powershell" {
-    inline = [
-      "choco config set --name=limit-output --value=LimitOutput",
-      "choco install -y 7zip.install",
-      "choco install -y sysinternals",
-      "choco install -y firefox"
-    ]
-  }
-
-  provisioner "windows-update" {
-    filters = [
-      "exclude:$_.Title -like '*Preview*'",
-      "include:$true"
-    ]
-  }
-
-  provisioner "powershell" {
-    inline = [
-      "New-Item -Path 'C:\\Payload\\Scripts' -ItemType 'Directory' -Force:$True -Confirm:$False"
-    ]
-  }
-
-  provisioner "file" {
-    destination = "C:\\Payload\\"
-    source      = "scripts/Windows10/payload/"
-  }
-
-  provisioner "powershell" {
-    scripts = [
-      "scripts/Windows10/Register-ScheduledTask.ps1"
-    ]
-  }
-
-  post-processor "shell-local" {
-    inline = [
-      "pwsh -command \"& scripts/Update-OvfConfiguration.ps1 \\",
-      " -OVFFile '/scratch/win10/${var.vm_guestos}-${var.vm_name}.ovf' \\",
-      " -Parameter @{'appliance.name'='${var.vm_guestos}';'appliance.version'='${var.vm_name}'}\"",
-      "pwsh -file scripts/Update-Manifest.ps1 \\",
-      " -ManifestFileName '/scratch/win10/${var.vm_guestos}-${var.vm_name}.mf'",
-      "ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
-      " '/scratch/win10/${var.vm_guestos}-${var.vm_name}.ovf' \\",
-      " /output/Windows10.ova"
-    ]
-  }
-}

scripts/Disable-WinRM.ps1

@@ -1,8 +0,0 @@
-netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block
-netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
-$winrmService = Get-Service -Name WinRM
-if ($winrmService.Status -eq "Running"){
-    Disable-PSRemoting -Force
-}
-Stop-Service winrm
-Set-Service -Name winrm -StartupType Disabled

scripts/Enable-WinRM.ps1

@@ -1,18 +0,0 @@
-$NetworkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
-$Connections = $NetworkListManager.GetNetworkConnections()
-$Connections | ForEach-Object { $_.GetNetwork().SetCategory(1) }
-
-Enable-PSRemoting -Force
-winrm quickconfig -q
-winrm quickconfig -transport:http
-winrm set winrm/config '@{MaxTimeoutms="1800000"}'
-winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="800"}'
-winrm set winrm/config/service '@{AllowUnencrypted="true"}'
-winrm set winrm/config/service/auth '@{Basic="true"}'
-winrm set winrm/config/client/auth '@{Basic="true"}'
-winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="5985"}'
-netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
-netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=allow
-netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public new remoteip=any
-Set-Service winrm -startuptype "auto"
-Restart-Service winrm

scripts/Install-VMwareTools.cmd

@@ -1,2 +0,0 @@
-@rem Silent mode, basic UI, no reboot
-e:\setup64 /s /v "/qb REBOOT=R"

scripts/MVMC/BlockList.xml

@@ -1,73 +0,0 @@
-<?xml version="1.0"  encoding="utf-8" ?>
-<BlockList>
-    <!-- services to disable -->
-    <Services>
-		<Name>MVMCP2VAgent</Name>
-		<Name>VMTools</Name>
-		<Name> VMUpgradeHelper </Name>
-		<Name> vmvss </Name>
-        <Name>vmdesched</Name>
-        <Name>Virtual Server</Name>
-        <!-- Virtual Machine Helper -->
-        <Name>vmh</Name>
-        <!-- Xen-specific service -->
-        <Name>xensvc</Name>
-    </Services>
-    <!-- drivers to disable -->
-    <Drivers>
-        <Name>vmx_svga</Name>
-        <Name>vmmouse</Name>
-        <Name>vmscsi</Name>
-        <Name>amdpcn</Name>
-        <Name>PCnet</Name>
-        <Name>VMMEMCTL</Name>
-
-        <Name> pvscsi </Name>
-        <Name> vmci </Name>
-        <Name> vmmouse </Name>
-        <Name> vmaudio </Name>
-        <Name> vmrawdsk </Name>
-        <Name> vmxnet </Name>
-        <Name> vmxnet3ndis6 </Name>
-        <Name> vm3dmp </Name>
-        <Name> vmdebug </Name>
-        <Name> vmxnet3ndis5 </Name>
-
-        
-        <Name>cirrus</Name>
-        <!-- storage drivers -->
-        <Name>buslogic</Name>
-        <Name>symc810</Name>
-        <Name>cpqarray</Name>
-        <Name>pcntn4m</Name>
-        <Name>cpqnf3</Name>
-        <Name>MRaidNT</Name>
-        <Name>Symc8XX</Name>
-        <!-- VIA chipset drivers -->
-        <Name>viaide</Name>
-        <Name>VIAudio</Name>
-        <Name>VIAPFD</Name>
-        <Name>viafilter</Name>
-        <Name>viaagp</Name>
-        <Name>viaagp1</Name>
-        <!-- network drivers: Intel(R) PRO/100 -->
-        <Name>E100B</Name>
-        <!-- tape drivers -->
-        <Name>4mmdat</Name>
-        <Name>4mmdat-SeSFT</Name>
-        <Name>SCSIChanger</Name>
-
-        <!-- Virtual Machine Monitor -->
-        <Name>vmm</Name>
-        <!-- Xen-specific drivers -->
-        <Name>xenevtchn</Name>
-        <Name>xenvbd</Name>
-        <Name>xennet</Name>
-    </Drivers>
-    <Programs>
-        <Name>ProMON</Name>
-        <Name>s3tray2</Name>
-        <Name>VMwareTray</Name>
-        <Name>VMwareUser</Name>
-    </Programs>
-</BlockList>