The one unavoidable task is to install python3. I also add a dedicated user for Ansible, hook into a local OpenBsd mirror, and patch.
To do this, I’ve written a set of scripts. The first script runs on the Ansible host. It collects any necessary configuration files, then runs the second script on the target.
It expects to find a directory called prep, which contains:
- a file with the current user name, the new desired user name, and root, each of which contain the corresponding user password. Rather obviously, these files are protected.
- A directory called init, containing the second script and the files that script requires. Note that the first script will put some additional files here.
The script makes presumptions about directory locations. It requires the package sshpass to be installed on the Ansible server, which can be added using pkg_add.
#!/bin/sh # set -e if [[ "$6" == "" ]] ; then /bin/echo "prep.sh IP USER IF FILE HOSTNAME COUNTRY" /bin/echo "IP machine ip address" /bin/echo "USER init file named for new user account containing password" /bin/echo "IF interface name for /etc/hostname.IF" /bin/echo "FILE file containing contents of new /etc/hostname.IF" /bin/echo "HOSTNAME new hostname" /bin/echo "COUNTRY two letter code for host country" return 3 fi if [[ ! -f "$4" ]] ; then /bin/echo cannot find $4. return fi if [[ ! -f "~/ansible/prep/init/profile.$6" ]] ; then /bin/echo cannot find ~/ansible/prep/init/profile.$6. return fi cd ~/ansible/prep if [[ -f init.tgz ]] ; then rm -f init.tgz fi /bin/cp -f "$4" init/hostname.$3 /bin/echo $6 >init/country /bin/echo $5 >init/hn /bin/echo $3 >init/if /bin/echo $2 >init/user #/bin/echo python-3.6.8p0 >init/package /bin/echo python-3.7.4 >init/package /bin/tar czf init.tgz init /bin/rm -f init/hostname.$3 init/if init/user init/package /bin/cat $USER | /usr/local/bin/sshpass /usr/bin/ssh -o StrictHostKeyChecking=accept-new $USER@$1 "/bin/rm -rf init init.tgz" /bin/cat $USER | /usr/local/bin/sshpass /usr/bin/scp init.tgz "$USER@$1:." /bin/rm init.tgz /bin/cat $USER | /usr/local/bin/sshpass /usr/bin/ssh $USER@$1 "/bin/tar xzf init.tgz" /bin/cat $USER | /usr/local/bin/sshpass /usr/bin/ssh $USER@$1 "/bin/cat init/authorized_keys.$USER >> .ssh/authorized_keys" /bin/cat root | /usr/bin/ssh $USER@$1 /usr/bin/su root -c /home/$USER/init/init.sh
It’s fairly simple to use. Supply no parameters to see what it wants, and then use it as follows:
./prep.sh 192.168.0.5 ansible em0 hostname.em0 fubar.example.com lu
The hostname file is the contents of /etc/hostname.???. The country code corresponds to a file called profile.<code>, which contains any extra data to go in the new user’s .profile, such as exporting PKG_PATH to point to a local mirror. The parameter doesn’t have to be a country code, that’s just how I use it.
The second script activates doas, configures the machine to use a nearby OpenBSD mirror, adds the Ansible account, adds authorised ssh keys to various accounts, patches OpenBSD, installs Python 3, sets up networking, and reboots the machine.
Once it has run, Ansible can carry out any additional configuration. Indeed, some of the tasks carried out by the script could be done by Ansible itself, such as patching, but I prefer to patch it as soon as I can. It’s not like it’s difficult!
#!/bin/sh # RELEASE=`uname -r` ARCH=`uname -m` PKG_PATH=https://ftp.halifax.rwth-aachen.de/openbsd/$RELEASE/packages/$ARCH/ H=`cat init/hn` I=`cat init/if` U=`cat init/user` A=`cat init/package` L=`cat init/country` /bin/echo init.sh $I $U $A $H cp /etc/examples/doas.conf /etc cat /home/$USER/init/authorized_keys.root >> /root/.ssh/authorized_keys hostname $H cat /home/$USER/init/profile.$L >> /home/$USER/.profile if [[ "$U" != "" ]] ; then useradd -G wheel -m -c "additional user $U" -d /home/$U -p `cat /home/$USER/init/passwd.$U | encrypt` $U cat /home/$USER/init/authorized_keys.$U >> /home/$U/.ssh/authorized_keys cat /home/$USER/init/profile.$L >> /home/$U/.profile fi syspatch pkg_add $A if [[ -f "/home/$USER/init/hostname.$I" ]] ; then cp -f /home/$USER/init/hostname.$I /etc fi rm -rf /home/$USER/init /bin/echo "rebooting..." /bin/sleep 1 reboot
It would make more sense if I set up automatic configuration when installing OpenBSD, but I’ve yet to explore those features.
Remember, copying and pasting code found on the interwebs is a surefire way to introduce errors. I make no promises about this code, and strongly advise you, if you use it, to check it thoroughly and ensure you adapt it carefully to your environment. Enjoy!