/ Ansible

Arch linux install with ansible provisioning

Here's how I get a quick arch linux workstation up and running with everything I need for a development environment. You can check out the source code on github to follow along. This tool is meant to be used with arch linux after a base installation has been performed. Ansible will be installed after the base install to double-check our work and handle the rest.

Table of Contents

Initial installation

dd:

First go to archlinux downloads and download the latest .iso file.

Burn it to a cd or memory stick.

dd bs=4M if=~/Downloads/archlinuxinstall.iso of=/dev/sdb && sync

dm-crypt wipe on an empty disk or partition

Dm-crypt Drive_preparation

Boot up into the live arch linux environment and wipe your drives.

First, create a temporary encrypted container on the partition (sdXY) or the full disk (sdX) to be encrypted,
e.g. using default encryption parameters and a random key via the --key-file /dev/{u}random option

cryptsetup open --type plain /dev/sdXY container --key-file /dev/random

Second, check it exists:

fdisk -l
Disk /dev/mapper/container: 1000 MB, 1000277504 bytes

Wipe the container with zeros. A use of if=/dev/urandom is not required as the encryption cipher is used for randomness.

dd if=/dev/zero of=/dev/mapper/container bs=1M status=progress

Finally, close the temporary container:

cryptsetup close container

LVM on LUKS

LVM_on_LUKS

NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0   477G  0 disk
|-sda1          8:1    0   487M  0 part  /boot
`-sda2          8:2    0 476.5G  0 part
  `-vg        254:0    0 476.5G  0 crypt
    |-vg-swap 254:1    0     8G  0 lvm   [SWAP]
    |-vg-root 254:2    0   100G  0 lvm   /
    |-vg-var  254:3    0   100G  0 lvm   /var
    `-vg-home 254:4    0 268.5G  0 lvm   /home
# partitions for /boot and /(encrypted drive)
parted -s /dev/sda mklabel msdos
parted -s -a optimal /dev/sda mkpart primary 0% 512MB
parted -s -a optimal /dev/sda mkpart primary 512MB 100%

# encrypt
cryptsetup luksFormat /dev/sda2
# password: # *use yubikey for 2FA*

# open encrypted drive
cryptsetup open /dev/sda2 cryptolvm
# password: # *use yubikey for 2FA*

partitioning.sh

wget https://raw.githubusercontent.com/jahrik/ansible-arch-workstation/master/partitioning.sh

LVM

# create volume group
pvcreate /dev/mapper/cryptolvm
vgcreate vg /dev/mapper/cryptolvm

# create logical volumes
lvcreate -L 8G vg -n swap
lvcreate -L 100G vg -n root
lvcreate -L 100G vg -n var
lvcreate -l 100%FREE vg -n home

Format the partitions

mkfs.ext4 /dev/sda1
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-var
mkfs.ext4 /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap

Mount file systems

mount /dev/mapper/vg-root /mnt
mkdir /mnt/home
mount /dev/mapper/vg-home /mnt/home
mkdir /mnt/var
mount /dev/mapper/vg-var /mnt/var
swapon /dev/mapper/vg-swap
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

Install the base system:

pacstrap /mnt base base-devel

Generate an fstab:

genfstab -U -p /mnt >> /mnt/etc/fstab

Check to see it was written.

cat /mnt/etc/fstab

Chroot

arch-chroot /mnt /bin/bash

Install vim

pacman -S vim

Networking

pacman -S iw wpa_supplicant dialog

Root password

# first change root password
passwd

Configuring mkinitcpio

Edit /etc/mkinitcpio.conf and add the word "encrypt" and "lvm2" to HOOKS='...' just before "filesystems"

...
HOOKS="base udev autodetect modconf keyboard encrypt lvm2 block filesystems fsck"
...

Then run the command

mkinitcpio -p linux

Bootloader

Boot_loader

pacman -S grub

Edit /etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:vg root=/dev/mapper/vg-root"

Configure grub

grub-install --target=i386-pc /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

User

pacman -S zsh
groupadd <user>
useradd -m -g <user> -s /bin/zsh <user>

Sudo

pacman -S sudo

Add user to /etc/sudoers.d/config

<user> ALL=(ALL) NOPASSWD: ALL

Ansible

Stuff and things go here...

...

...

Vagrant lab

Not working yet. Need to build a new packer arch box for testing.

Testing locally for now...

Bring up an arch box

vagrant up

Check the status of vagrant

vagrant status
Current machine states:

arch-vm              running (virtualbox)

SSH into a box

vagrant ssh arch-vm.dev

Run the playbook against the vm

ansible-playbook site.yml
jahrik

jahrik

Self-taught, multilingual programmer, working in DevOps. Automating Linux server administration and deployment with the use of tools like Jenkins, Ansible, and Docker Swarm.

Read More