light show

prep scripts

Having installed OpenBSD, one has to do a few more things to make a machine manageable by Ansible.

The one unavoidable task is to install python3. I also add a dedicated user for Ansible, hook into a local OpenBsd mirror, and patch.

To do this, I’ve written a set of scripts. The first script runs on the Ansible host. It collects any necessary configuration files, then runs the second script on the target.

It expects to find a directory called prep, which contains:

  • a file with the current user name, the new desired user name, and root, each of which contain the corresponding user password. Rather obviously, these files are protected.
  • A directory called init, containing the second script and the files that script requires. Note that the first script will put some additional files here.

The script makes presumptions about directory locations. It requires the package sshpass to be installed on the Ansible server, which can be added using pkg_add.

#!/bin/sh
#

set -e

if [[ "$6" == "" ]] ; then
  /bin/echo "prep.sh IP USER IF FILE HOSTNAME COUNTRY"
  /bin/echo "IP machine ip address"
  /bin/echo "USER init file named for new user account containing password"
  /bin/echo "IF interface name for /etc/hostname.IF"
  /bin/echo "FILE file containing contents of new /etc/hostname.IF"
  /bin/echo "HOSTNAME new hostname"
  /bin/echo "COUNTRY two letter code for host country"
  return 3
fi

if [[ ! -f "$4" ]] ; then
  /bin/echo cannot find $4.
  return
fi

if [[ ! -f "~/ansible/prep/init/profile.$6" ]] ; then
  /bin/echo cannot find ~/ansible/prep/init/profile.$6.
  return
fi

cd ~/ansible/prep

if [[ -f init.tgz ]] ; then
  rm -f init.tgz
fi

/bin/cp -f "$4" init/hostname.$3
/bin/echo $6 >init/country
/bin/echo $5 >init/hn
/bin/echo $3 >init/if
/bin/echo $2 >init/user
#/bin/echo python-3.6.8p0 >init/package
/bin/echo python-3.7.4 >init/package
/bin/tar czf init.tgz init
/bin/rm -f init/hostname.$3 init/if init/user init/package

/bin/cat $USER | /usr/local/bin/sshpass /usr/bin/ssh -o StrictHostKeyChecking=accept-new $USER@$1 "/bin/rm -rf init init.tgz"
/bin/cat $USER | /usr/local/bin/sshpass /usr/bin/scp init.tgz "$USER@$1:."
/bin/rm init.tgz
/bin/cat $USER | /usr/local/bin/sshpass /usr/bin/ssh $USER@$1 "/bin/tar xzf init.tgz"
/bin/cat $USER | /usr/local/bin/sshpass /usr/bin/ssh $USER@$1 "/bin/cat init/authorized_keys.$USER >> .ssh/authorized_keys"
/bin/cat root | /usr/bin/ssh $USER@$1 /usr/bin/su root -c /home/$USER/init/init.sh

It’s fairly simple to use. Supply no parameters to see what it wants, and then use it as follows:

./prep.sh 192.168.0.5 ansible em0 hostname.em0 fubar.example.com lu

The hostname file is the contents of /etc/hostname.???. The country code corresponds to a file called profile.<code>, which contains any extra data to go in the new user’s .profile, such as exporting PKG_PATH to point to a local mirror. The parameter doesn’t have to be a country code, that’s just how I use it.

The second script activates doas, configures the machine to use a nearby OpenBSD mirror, adds the Ansible account, adds authorised ssh keys to various accounts, patches OpenBSD, installs Python 3, sets up networking, and reboots the machine.

Once it has run, Ansible can carry out any additional configuration. Indeed, some of the tasks carried out by the script could be done by Ansible itself, such as patching, but I prefer to patch it as soon as I can. It’s not like it’s difficult!

#!/bin/sh
#

RELEASE=`uname -r`
ARCH=`uname -m`
PKG_PATH=https://ftp.halifax.rwth-aachen.de/openbsd/$RELEASE/packages/$ARCH/

H=`cat init/hn`
I=`cat init/if`
U=`cat init/user`
A=`cat init/package`
L=`cat init/country`

/bin/echo init.sh $I $U $A $H

cp /etc/examples/doas.conf /etc
cat /home/$USER/init/authorized_keys.root >> /root/.ssh/authorized_keys
hostname $H
cat /home/$USER/init/profile.$L >> /home/$USER/.profile

if [[ "$U" != "" ]] ; then
  useradd -G wheel -m -c "additional user $U" -d /home/$U -p `cat /home/$USER/init/passwd.$U | encrypt` $U
  cat /home/$USER/init/authorized_keys.$U >> /home/$U/.ssh/authorized_keys
  cat /home/$USER/init/profile.$L >> /home/$U/.profile
fi

syspatch
pkg_add $A

if [[ -f "/home/$USER/init/hostname.$I" ]] ; then
  cp -f /home/$USER/init/hostname.$I /etc
fi

rm -rf /home/$USER/init

/bin/echo "rebooting..."
/bin/sleep 1
reboot

It would make more sense if I set up automatic configuration when installing OpenBSD, but I’ve yet to explore those features.

Remember, copying and pasting code found on the interwebs is a surefire way to introduce errors. I make no promises about this code, and strongly advise you, if you use it, to check it thoroughly and ensure you adapt it carefully to your environment. Enjoy!