Configure 'needrestart' package

.drone.yml

@@ -18,17 +18,17 @@ steps:
   - packer --version
   - ansible --version
   - ovftool --version
-- name: Ubuntu Server 20.04
+- name: Ubuntu Server 22.04
   image: bv11-cr01.bessems.eu/library/packer-extended
   pull: always
   commands:
   - |
     sed -i -e "s/<<img-password>>/$${SSH_PASSWORD}/g" \
-      packer/preseed/UbuntuServer20.04/user-data
+      packer/preseed/UbuntuServer22.04/user-data
   - |
     yamllint -d "{extends: relaxed, rules: {line-length: disable}}" \
       ansible \
-      packer/preseed/UbuntuServer20.04/user-data \
+      packer/preseed/UbuntuServer22.04/user-data \
       scripts
   - |
     packer init -upgrade \
@@ -36,7 +36,7 @@ steps:
   - |
     packer validate \
       -var vm_name=$DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \
-      -var vm_guestos=ubuntuserver20.04 \
+      -var vm_guestos=ubuntuserver22.04 \
       -var repo_username=$${REPO_USERNAME} \
       -var repo_password=$${REPO_PASSWORD} \
       -var vsphere_password=$${VSPHERE_PASSWORD} \
@@ -46,7 +46,7 @@ steps:
     packer build \
       -on-error=cleanup -timestamp-ui \
       -var vm_name=$DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \
-      -var vm_guestos=ubuntuserver20.04 \
+      -var vm_guestos=ubuntuserver22.04 \
       -var repo_username=$${REPO_USERNAME} \
       -var repo_password=$${REPO_PASSWORD} \
       -var vsphere_password=$${VSPHERE_PASSWORD} \

README.md

@@ -1 +1 @@
-# Packer.Images [![Build Status](https://ci.spamasaurus.com/api/badges/djpbessems/Packer.Images/status.svg?ref=refs/heads/Windows10)](https://ci.spamasaurus.com/djpbessems/Packer.Images)
+# Packer.Images [![Build Status](https://ci.spamasaurus.com/api/badges/djpbessems/Packer.Images/status.svg?ref=refs/heads/UbuntuServer22.04)](https://ci.spamasaurus.com/djpbessems/Packer.Images)

ansible/roles/firstboot/files/ansible_payload/playbook.yml

@@ -6,3 +6,5 @@
   roles:
     - vapp
     - network
+    - users
+    - cleanup

ansible/roles/firstboot/files/ansible_payload/roles/cleanup/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Disable crontab job
+  ansible.builtin.cron:
+    name: firstboot
+    state: absent
+- name: Restore extra tty
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/logind.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  loop:
+  - { regexp: '^NAutoVTs=', line: '#NAutoVTs=6'}
+  - { regexp: '^ReserveVT=', line: '#ReserveVT=6'}
+- name: Unmask getty@tty1 service
+  ansible.builtin.systemd:
+    name: getty@tty1
+    enabled: yes
+    masked: no
+- name: Reboot host
+  ansible.builtin.shell:
+    cmd: /usr/sbin/reboot now

ansible/roles/firstboot/files/ansible_payload/roles/network/tasks/main.yml

@@ -0,0 +1,10 @@
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ ovfproperties['guestinfo.hostname'] }}"
+- name: Create netplan configuration file
+  ansible.builtin.template:
+    src: netplan.j2
+    dest: /etc/netplan/00-installer-config.yaml
+- name: Apply netplan configuration
+  ansible.builtin.shell:
+    cmd: /usr/sbin/netplan apply

ansible/roles/firstboot/files/ansible_payload/roles/network/templates/netplan.j2

@@ -0,0 +1,10 @@
+network:
+  version: 2
+  ethernets:
+    ens192:
+      addresses:
+      - {{ ovfproperties['guestinfo.ipaddress'] }}/{{ ovfproperties['guestinfo.prefixlength'] }}
+      gateway4: {{ ovfproperties['guestinfo.gateway'] }}
+      nameservers:
+        addresses:
+        - {{ ovfproperties['guestinfo.dnsserver'] }}

ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml

@@ -0,0 +1,25 @@
+- name: Set root password
+  ansible.builtin.user:
+    name: root
+    password: "{{ ovfproperties['guestinfo.rootpw'] | password_hash('sha512', 65534 | random(seed=ovfproperties['guestinfo.hostname']) | string) }}"
+    generate_ssh_key: yes
+    ssh_key_bits: 2048
+    ssh_key_file: .ssh/id_rsa
+- name: Save root SSH publickey
+  ansible.builtin.lineinfile:
+    path: /root/.ssh/authorized_keys
+    line: "{{ ovfproperties['guestinfo.rootsshkey'] }}"
+- name: Disable SSH password authentication
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regex: "{{ item.regex }}"
+    line: "{{ item.line }}"
+    state: "{{ item.state }}"
+  loop:
+  - { regex: '^#PasswordAuthentication', line: 'PasswordAuthentication no', state: present}
+  - { regex: '^PasswordAuthentication yes', line: 'PasswordAuthentication yes', state: absent}
+- name: Delete 'ubuntu' user
+  ansible.builtin.user:
+    name: ubuntu
+    state: absent
+    remove: yes

ansible/roles/firstboot/files/ansible_payload/roles/vapp/tasks/main.yml

@@ -1,41 +1,21 @@
-- name: Store current vApp configuration
+- name: Store current ovfEnvironment
   ansible.builtin.shell:
-    cmd: vmtoolsd --cmd "info-get guestinfo.ovfEnv"
+    cmd: /usr/bin/vmtoolsd --cmd "info-get guestinfo.ovfEnv"
-  register: ovfEnv
+  register: ovfenv
-- name: Parse XML into variables
+- name: Parse XML for vApp properties
   community.general.xml:
-    xmlstring: "{{ ovfEnv }}"
+    xmlstring: "{{ ovfenv.stdout }}"
     namespaces:
-      oe: http://schemas.dmtf.org/ovf/environment/1
+      ns: http://schemas.dmtf.org/ovf/environment/1
-    xpath: /Environment/PropertySection/Property
+    xpath: /ns:Environment/ns:PropertySection/ns:Property
-    content: oe:key
+    content: attribute
-
+  register: ovfenv
-
+- name: Assign vApp properties to dictionary
-# <?xml version="1.0" encoding="UTF-8"?>
+  ansible.builtin.set_fact:
-# <Environment
+    ovfproperties: >-
-#      xmlns="http://schemas.dmtf.org/ovf/environment/1"
+      {{ ovfproperties | default({}) |
-#      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      combine({((item.values() | list)[0].values() | list)[0]:
-#      xmlns:oe="http://schemas.dmtf.org/ovf/environment/1"
+      ((item.values() | list)[0].values() | list)[1]})
-#      xmlns:ve="http://www.vmware.com/schema/ovfenv"
+      }}
-#      oe:id=""
+  loop: "{{ ovfenv.matches }}"
-#      ve:vCenterId="vm-1171">
+  no_log: true
-#    <PlatformSection>
-#       <Kind>VMware ESXi</Kind>
-#       <Version>7.0.1</Version>
-#       <Vendor>VMware, Inc.</Vendor>
-#       <Locale>en</Locale>
-#    </PlatformSection>
-#    <PropertySection>
-#          <Property oe:key="deployment.type" oe:value="ubuntu-small"/>
-#          <Property oe:key="guestinfo.dnsserver" oe:value="1.1.1.1"/>
-#          <Property oe:key="guestinfo.gateway" oe:value="10.0.0.1"/>
-#          <Property oe:key="guestinfo.hostname" oe:value="SRV01"/>
-#          <Property oe:key="guestinfo.ipaddress" oe:value="10.0.0.84"/>
-#          <Property oe:key="guestinfo.ntpserver" oe:value="0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org"/>
-#          <Property oe:key="guestinfo.prefixlength" oe:value="24"/>
-#          <Property oe:key="guestinfo.rootpw" oe:value=""/>
-#    </PropertySection>
-#    <ve:EthernetAdapterSection>
-#       <ve:Adapter ve:mac="00:50:56:8a:09:08" ve:network="Staging" ve:unitNumber="7"/>
-#    </ve:EthernetAdapterSection>
-# </Environment>

ansible/roles/firstboot/tasks/main.yml

@@ -1,3 +1,7 @@
+- name: Create destination folder
+  ansible.builtin.file:
+    path: /opt/firstboot
+    state: directory
 - name: Create firstboot script file
   ansible.builtin.template:
     src: firstboot.j2
@@ -7,7 +11,7 @@
     mode: o+x
 - name: Create @reboot crontab job
   ansible.builtin.cron:
-    name: "firstboot"
+    name: firstboot
     special_time: reboot
     job: "/opt/firstboot/firstboot.sh"
 - name: Copy payload folder

ansible/roles/firstboot/templates/firstboot.j2

@@ -1,3 +1,4 @@
 #!/bin/bash
 
-# FOO
+# Apply firstboot configuration w/ ansible
+/usr/local/bin/ansible-playbook /opt/firstboot/ansible/playbook.yml | tee -a /var/log/firstboot.log > /dev/tty1

ansible/roles/os/tasks/ansible.yml

@@ -0,0 +1,6 @@
+- name: Install ansible (w/ dependencies)
+  ansible.builtin.pip:
+    name: "{{ item }}"
+    executable: pip3
+    state: latest
+  loop: "{{ pip_packages }}"

ansible/roles/os/tasks/logging.yml

@@ -0,0 +1,5 @@
+- name: Enable crontab logging
+  ansible.builtin.lineinfile:
+    path: /etc/rsyslog.d/50-default.conf
+    regexp: '^#cron\.\*.*'
+    line: "cron.*\t\t\t\t./var/log/cron.log"

ansible/roles/os/tasks/main.yml

@@ -1,11 +1,20 @@
+- name: Disable tty logins
+  import_tasks: tty.yml
+
 - name: Remove snapd
   import_tasks: snapd.yml
 
 - name: Remove cloud-init
   import_tasks: cloud-init.yml
 
-- name: Configure network
+- name: Configure default logging
-  import_tasks: network.yml
+  import_tasks: logging.yml
+
+- name: Configure services
+  import_tasks: services.yml
 
 - name: Install packages
   import_tasks: packages.yml
+
+- name: Install ansible
+  import_tasks: ansible.yml

ansible/roles/os/tasks/packages.yml

@@ -1,15 +1,28 @@
+- name: Configure 'needrestart' package
+  ansible.builtin.lineinfile:
+    path: /etc/needrestart/needrestart.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  loop:
+    - regexp: "^#\\$nrconf\\{restart\\} = 'i';"
+      line: "$nrconf{restart} = 'a';"
+    - regexp: "^#\\$nrconf\\{kernelhints\\} = -1;"
+      line: "$nrconf{kernelhints} = -1;"
+
 - name: Install additional packages
   ansible.builtin.apt:
     name: "{{ item }}"
     state: latest
     update_cache: yes
   loop: "{{ packages }}"
+
 - name: Upgrade all packages
   ansible.builtin.apt:
     name: "*"
     state: latest
     update_cache: yes
+
 - name: Cleanup
   ansible.builtin.apt:
-    autoclean: yes
     autoremove: yes
+    purge: yes

ansible/roles/os/tasks/snapd.yml

@@ -3,6 +3,14 @@
     name: snapd
     state: absent
     purge: yes
+- name: Delete leftover files
+  ansible.builtin.file:
+    path: /root/snap
+    state: absent
+- name: Hold snapd package
+  ansible.builtin.dpkg_selections:
+    name: snapd
+    selection: hold
 - name: Reload systemd unit configurations
   ansible.builtin.systemd:
     daemon_reload: yes

ansible/roles/os/tasks/tty.yml

@@ -0,0 +1,13 @@
+- name: Disable extra tty
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/logind.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  loop:
+  - { regexp: '^#NAutoVTs=', line: 'NAutoVTs=1'}
+  - { regexp: '^#ReserveVT=', line: 'ReserveVT=11'}
+- name: Mask getty@tty1 service
+  ansible.builtin.systemd:
+    name: getty@tty1
+    enabled: no
+    masked: yes

ansible/roles/os/vars/main.yml

@@ -1,3 +1,11 @@
 packages:
-  - ansible
+  - jq
-  - libxml2-utils
+  # (python3-*) Dependency for installation of Ansible
+  - python3-pip
+  - python3-setuptools
+  - python3-wheel
+
+pip_packages:
+  - pip
+  - ansible-core
+  - lxml

packer/iso.auto.pkrvars.hcl

@@ -0,0 +1,4 @@
+iso_url      = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04-live-server-amd64.iso"
+iso_checksum = "sha256:84AEAF7823C8C61BAA0AE862D0A06B03409394800000B3235854A6B38EB4856F"
+// iso_url      = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2020.04/ubuntu-20.04.2-live-server-amd64.iso"
+// iso_checksum = "sha256:D1F2BF834BBE9BB43FAF16F9BE992A6F3935E65BE0EDECE1DEE2AA6EB1767423"

packer/preseed/UbuntuServer22.04/user-data

@@ -11,12 +11,14 @@ autoinstall:
       ethernets:
         ens192:
           dhcp4: true
+          dhcp-identifier: mac
   storage:
     layout:
-      name: lvm
+      name: direct
   identity:
     hostname: packer-template
     username: ubuntu
+    # password: $6$ZThRyfmSMh9499ar$KSZus58U/l58Efci0tiJEqDKFCpoy.rv25JjGRv5.iL33AQLTY2aljumkGiDAiX6LsjzVsGTgH85Tx4S.aTfx0
     password: $6$rounds=4096$ZKfzRoaQOtc$M.fhOsI0gbLnJcCONXz/YkPfSoefP4i2/PQgzi2xHEi2x9CUhush.3VmYKL0XVr5JhoYvnLfFwqwR/1YYEqZy/
   ssh:
     install-server: yes

packer/ubuntuserver22.04.pkr.hcl

@@ -11,6 +11,7 @@ source "vsphere-iso" "ubuntuserver" {
 
   vm_name                 = "${var.vm_guestos}-${var.vm_name}"
   datacenter              = var.vsphere_datacenter
+  cluster                 = var.vsphere_cluster
   host                    = var.vsphere_host
   folder                  = var.vsphere_folder
   datastore               = var.vsphere_datastore
@@ -19,9 +20,9 @@ source "vsphere-iso" "ubuntuserver" {
 
   boot_order              = "disk,cdrom"
   boot_command            = [
-    "<enter><wait2><enter><wait><f6><esc><wait>",
+    "e<down><down><down><end>",
-    " autoinstall<wait2> ds=nocloud;",
+    " autoinstall ds=nocloud;",
-    "<wait><enter>"
+    "<F10>"
   ]
   boot_wait               = "2s"
 
@@ -47,12 +48,12 @@ source "vsphere-iso" "ubuntuserver" {
   usb_controller          = ["xhci"]
 
   cd_files                = [
-    "packer/preseed/UbuntuServer20.04/user-data",
+    "packer/preseed/UbuntuServer22.04/user-data",
-    "packer/preseed/UbuntuServer20.04/meta-data"
+    "packer/preseed/UbuntuServer22.04/meta-data"
   ]
   cd_label                = "cidata"
-  iso_checksum            = "sha256:D1F2BF834BBE9BB43FAF16F9BE992A6F3935E65BE0EDECE1DEE2AA6EB1767423"
+  iso_url                 = local.iso_authenticatedurl
-  iso_url                 = "https://${var.repo_username}:${var.repo_password}@sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2020.04/ubuntu-20.04.2-live-server-amd64.iso"
+  iso_checksum            = var.iso_checksum
 
   shutdown_command        = "echo '${var.ssh_password}' | sudo -S shutdown -P now"
   shutdown_timeout        = "5m"
@@ -65,9 +66,13 @@ source "vsphere-iso" "ubuntuserver" {
 }
 
 build {
-  sources = ["source.vsphere-iso.ubuntuserver"]
+  sources = [
+    "source.vsphere-iso.ubuntuserver"
+  ]
 
   provisioner "ansible" {
+    only             = ["vsphere-iso.ubuntuserver"]
+
     playbook_file    = "ansible/playbook.yml"
     user             = "ubuntu"
     ansible_env_vars = [
@@ -80,6 +85,7 @@ build {
   }
 
   post-processor "shell-local" {
+    only   = ["vsphere-iso.ubuntuserver"]
     inline = [
       "pwsh -command \"& scripts/Update-OvfConfiguration.ps1 \\",
       " -OVFFile '/scratch/ubuntuserver/${var.vm_guestos}-${var.vm_name}.ovf' \\",
@@ -88,7 +94,7 @@ build {
       " -ManifestFileName '/scratch/ubuntuserver/${var.vm_guestos}-${var.vm_name}.mf'",
       "ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
       " '/scratch/ubuntuserver/${var.vm_guestos}-${var.vm_name}.ovf' \\",
-      " /output/Ubuntu-Server-20.04.ova"
+      " /output/Ubuntu-Server-22.04.ova"
     ]
   }
 }

packer/variables.pkr.hcl

@@ -1,9 +1,12 @@
 variable "vcenter_server" {}
 variable "vsphere_username" {}
-variable "vsphere_password" {}
+variable "vsphere_password" {
+    sensitive = true
+}
 
 variable "vsphere_host" {}
 variable "vsphere_datacenter" {}
+variable "vsphere_cluster" {}
 
 variable "vsphere_templatefolder" {}
 variable "vsphere_folder" {}
@@ -12,7 +15,17 @@ variable "vsphere_network" {}
 
 variable "vm_name" {}
 variable "vm_guestos" {}
-variable "ssh_password" {}
+variable "ssh_password" {
+    sensitive = true
+}
 
+variable "iso_url" {}
+variable "iso_checksum" {}
 variable "repo_username" {}
-variable "repo_password" {}
+variable "repo_password" {
+    sensitive = true
+}
+local "iso_authenticatedurl" {
+    expression = "https://${var.repo_username}:${var.repo_password}@${var.iso_url}"
+    sensitive  = true
+}

packer/vsphere.auto.pkrvars.hcl

@@ -1,8 +1,9 @@
 vcenter_server         = "bv11-vc.bessems.lan"
 vsphere_username       = "administrator@vsphere.local"
 vsphere_datacenter     = "DeSchakel"
+vsphere_cluster        = "Cluster.Legacy"
 vsphere_host           = "bv11-esx.bessems.lan"
-vsphere_datastore      = "Datastore01.SSD"
+vsphere_datastore      = "ESX00.SSD01"
 vsphere_folder         = "/Packer"
 vsphere_templatefolder = "/Templates"
 vsphere_network        = "LAN"

scripts/Update-OvfConfiguration.yml

@@ -34,7 +34,14 @@ PropertyCategories:
     Type: password(7..)
     Label: Local root password*
     Description: ''
-    DefaultValue: password
+    DefaultValue: ''
+    Configurations: '*'
+    UserConfigurable: true
+  - Key: guestinfo.rootsshkey
+    Type: password(1..)
+    Label: Local root SSH public key*
+    Description: This line should start with 'ssh-rsa AAAAB3N'
+    DefaultValue: ''
     Configurations: '*'
     UserConfigurable: true
   - Key: guestinfo.ntpserver