commit c0b1e964c70bb01746a122d7ce079559de80d27c
parent 6408f2fb19bbeef347d2622b64a86af0a6330018
Author: Andreas Gruhler <agruhl@gmx.ch>
Date: Sun, 23 Nov 2025 22:38:15 +0100
feat(intel): configure br0, add debian_postinstall.sh
Diffstat:
6 files changed, 61 insertions(+), 8 deletions(-)
diff --git a/bootstrap.sh b/bootstrap.sh
@@ -82,4 +82,7 @@ cat << EOF > /etc/cloud/cloud.cfg.d/99_hashipi_cloudinit.cfg
# Resize filesystem to use all available space on partition
resize_rootfs: noblock
+
+# Disable network configuration
+network: {config: disabled}
EOF
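Review bot: `network: {config: disabled}` at line 14 turns off cloud-init network rendering for every image that this bootstrap writes the cloud.cfg.d drop-in for, not only the intel host that receives the br0 stanza from debian_postinstall.sh; if another image relied on cloud-init to write its eth0 DHCP configuration, it would boot without networking. Confirm the drop-in is only produced for hosts whose interfaces are configured elsewhere, and record that dependency in the comment, e.g. `# Disable cloud-init network configuration; interfaces are managed via /etc/network/interfaces.d (see debian_postinstall.sh)`. The heredoc begins outside the hunk.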
diff --git a/config/preseed.cfg b/config/preseed.cfg
@@ -106,17 +106,15 @@ d-i user-setup/encrypt-home boolean false
### Package selection
tasksel tasksel/first multiselect standard, ssh-server
-d-i pkgsel/include string cloud-initramfs-growroot openssh-server build-essential sudo gnupg2 unzip lxc
+d-i pkgsel/include string cloud-initramfs-growroot openssh-server \
+ build-essential sudo gnupg2 unzip lxc bridge-utils mdadm vim
d-i pkgsel/upgrade select full-upgrade
-# Allow ssh root login
+# Temporarily allow ssh root login for packer builder
d-i preseed/late_command string \
in-target sed -i 's/^.*PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
-# Configure sudoers and ssh pubkeys
+# Configure ssh pubkeys for packer builder
d-i preseed/late_command string \
- echo 'in0rdr ALL=(ALL) NOPASSWD:ALL' > /target/etc/sudoers.d/90-preseed ; \
- in-target sh -c 'mkdir -p /home/in0rdr/.ssh'; \
- in-target sh -c 'echo -e "$pubkey" > /home/in0rdr/.ssh/authorized_keys'; \
in-target sh -c 'mkdir -p /root/.ssh'; \
in-target sh -c 'echo $pubkey > /root/.ssh/authorized_keys';
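Review bot: The two `d-i preseed/late_command string \` entries at lines 26 and 30 set the same debconf question, and as far as I recall debconf-set-selections keeps only the last value for a question, so the `PermitRootLogin yes` edit that the new comment at line 25 documents as the deliberate packer step would never run unless the installer merges them — worth confirming, and if both are intended, fold them into a single late_command chained with `;` and `\`. The "temporarily" at line 25 is only true while debian_postinstall.sh runs to completion; if that provisioner is skipped or fails part-way, the image ships with root login enabled, so the reset should be the guaranteed last step of the build rather than an early line in a best-effort script. Unrelated to this commit but on the same lines: `echo $pubkey` at line 35 is unquoted and word-splits a key that carries options or a comment; `echo "$pubkey"` preserves it.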
diff --git a/debian_postinstall.sh b/debian_postinstall.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+#
+# Postinstall scripts after Debian preseed
+#
+# set -o errexit
+# set -o nounset
+set -o xtrace
+
+# Reset ssh root login
+sed -i 's/^.*PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
+
+# Configure sudoers and ssh pubkeys
+echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/90-packer
+mkdir -p "/home/$USERNAME/.ssh"
+echo -e "$AUTHORIZED_KEYS" > "/home/$USERNAME/.ssh/authorized_keys"
+
+# Disable LXC bridge
+sed -i 's/^USE_LXC_BRIDGE="true"/USE_LXC_BRIDGE="false"/g' /etc/default/lxc-net
+
+# Disable dhcp on eth0
+sed -i 's/^iface eth0 inet dhcp/iface eth0 inet static/g' /etc/network/interfaces
+
+# Enable host device bridge
+# https://wiki.debian.org/LXC/SimpleBridge#Host_device_as_bridge
+cat <<EOF > /etc/network/interfaces.d/br0
+auto br0
+iface br0 inet dhcp
+ hwaddress ether 02:cf:f3:37:2a:be
+ bridge_ports eth0
+ bridge_fd 0
+ bridge_maxwait 0
+EOF
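Review bot: With `set -o errexit` and `set -o nounset` commented out at lines 42–43 every step is best-effort: if the `PermitRootLogin no` reset at line 47 cannot run (for example the file is absent) the build still succeeds and the image keeps the root login the preseed enabled, and an unset `USERNAME` writes ` ALL=(ALL) NOPASSWD:ALL` into sudoers.d and creates `/home//.ssh`. Re-enable both options, assert the sshd_config result with a `grep -q`, and validate the sudoers drop-in with `visudo -cf` plus mode 0440, because a malformed or too-permissive file under /etc/sudoers.d disables sudo for every user, not just the new one. The `authorized_keys` written at line 52 is owned by root, which sshd accepts under StrictModes, but chowning the directory to `$USERNAME` lets the user manage their own keys. The bridge stanza at lines 62–69 hard-codes `hwaddress ether 02:cf:f3:37:2a:be`; since the hashi-pi.pkr.hcl hunk runs this script unconditionally as far as the diff shows, two hosts on the same segment would share a MAC unless the provisioner is restricted to intel0 — confirm.
```shell
set -o errexit
set -o nounset
set -o xtrace

# Reset ssh root login (fail the build if the directive is not in place)
sed -i 's/^.*PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
grep -q '^PermitRootLogin no$' /etc/ssh/sshd_config

# Configure sudoers and ssh pubkeys
echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/90-packer
chmod 0440 /etc/sudoers.d/90-packer
visudo -cf /etc/sudoers.d/90-packer
mkdir -p "/home/$USERNAME/.ssh"
echo -e "$AUTHORIZED_KEYS" > "/home/$USERNAME/.ssh/authorized_keys"
chown -R "$USERNAME:" "/home/$USERNAME/.ssh"
chmod 0700 "/home/$USERNAME/.ssh"

# … unchanged: lxc-net, eth0 and br0 configuration …
```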
diff --git a/hashi-pi.pkr.hcl b/hashi-pi.pkr.hcl
@@ -108,6 +108,11 @@ variable "vault_addr" {
default = "https://vault.in0rdr.ch"
}
+variable "bao_interface" {
+ type = string
+ default = "eth0"
+}
+
variable "vault_transit_server" {
type = string
default = ""
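Review bot: The new `bao_interface` variable at lines 74–77 carries no `description`, so a reader of the var-files has to open openbao.sh to learn that it selects the interface whose private address is advertised as api_addr and cluster_addr. Add `description = "Interface whose private IPv4 address OpenBao advertises as api_addr/cluster_addr"` between `type` and `default`, matching the other variable blocks if they document themselves.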
@@ -256,6 +261,15 @@ build {
"NOMAD_SERVER=${var.nomad_server}",
"VAULT_TRANSIT_SERVER=${var.vault_transit_server}",
"VAULT_TRANSIT_TOKEN=${var.vault_transit_token}"
+ "BAO_INTERFACE=${var.bao_interface}"
+ ]
+ }
+
+ provisioner "shell" {
+ script = "debian_postinstall.sh"
+ environment_vars = [
+ "USERNAME=${var.username}",
+ "AUTHORIZED_KEYS=${var.authorized_keys}"
]
}
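Review bot: The added element `"BAO_INTERFACE=${var.bao_interface}"` at line 86 follows `"VAULT_TRANSIT_TOKEN=${var.vault_transit_token}"` at line 85, which has no trailing comma; HCL2 requires a comma between tuple elements, so unless the collapsed diff dropped it, `packer validate` will report a missing item separator here. Change line 85 to `"VAULT_TRANSIT_TOKEN=${var.vault_transit_token}",`. The new provisioner at lines 90–95 references `var.username` and `var.authorized_keys`, neither of which is declared in the hunks shown — confirm both exist elsewhere in the file. The `build` block starts and ends outside the hunk.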
diff --git a/hosts/intel0.pkrvars.hcl b/hosts/intel0.pkrvars.hcl
@@ -1,5 +1,6 @@
architecture = "amd64"
hostname = "intel0"
img_name = "HashiIntel0.img"
+bao_interace = "br0"
nomad_server = true
nomad_client = true
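Review bot: `bao_interace` at line 102 is misspelled; the variable declared in hashi-pi.pkr.hcl is `bao_interface`. Packer normally only warns about an undeclared variable in a var-file and ignores it, so intel0 would keep the default `eth0` and OpenBao would keep advertising the eth0 address instead of br0 — the opposite of what the commit title describes. Change it to `bao_interface = "br0"`.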
diff --git a/openbao.sh b/openbao.sh
@@ -37,9 +37,9 @@ listener "tcp" {
#
# API_ADDR for client redirection (fallback, if request forwarding is
# disabled). Uses go-sockaddr template to fetch the actual ip for an interface
-api_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8200"
+api_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"$BAO_INTERFACE\" | attr \"address\" }}:8200"
# CLUSTER_ADDR: Vault listens for server-to-server cluster requests
-cluster_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8201"
+cluster_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"$BAO_INTERFACE\" | attr \"address\" }}:8201"
storage "raft" {
path = "/opt/openbao/data"
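Review bot: `$BAO_INTERFACE` at lines 111 and 114 is expanded by the shell when this configuration is written (the `$HOSTNAME` at line 119 implies an unquoted heredoc), so a host built without the new environment entry produces `include "name" ""`; depending on how go-sockaddr treats an empty name filter that either matches no interface, leaving `https://:8200`, or — if the filter is a regexp — matches every private interface and advertises whichever sorts first, both silently wrong. Default it at the substitution site, `\"${BAO_INTERFACE:-eth0}\"`, or fail fast near the top of openbao.sh with `: "${BAO_INTERFACE:?BAO_INTERFACE must be set}"`, so the previous eth0 behaviour is preserved for hosts that never set it. The `listener "tcp"` block starts outside the hunk.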
@@ -60,6 +60,11 @@ storage "raft" {
leader_tls_servername = "vault.in0rdr.ch"
leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
}
+ retry_join {
+ leader_api_addr = "https://intel0:8200"
+ leader_tls_servername = "vault.in0rdr.ch"
+ leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
+ }
}
seal "transit" {
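Review bot: The `retry_join` added at lines 121–125 appears to repeat the TLS settings of the block ending at line 120 and adds `https://intel0:8200` as a join target; on intel0 itself this makes the node attempt to join through its own address, which OpenBao presumably tolerates (failed joins are retried and the loop stops once the node belongs to a cluster) but deserves a comment so the resulting log noise is not mistaken for a fault, e.g. `# intel0 is listed as a join target on every host, including itself; self-join attempts are expected to fail and retry`. The bare hostname also relies on the resolver's search domain, whereas the servername on line 123 is fully qualified; a FQDN here would be more robust. The `storage "raft"` block starts outside the hunk.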