From 1f5f4b3685d6afcf9b1e509c66a75b283b728f0c Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Fri, 9 Sep 2022 10:29:00 +0200
Subject: [PATCH] refactor: rework cloud-init and communicator integration
---
 README.md | 4 +-
 rocky-9/data/files/90-proxmox.cfg | 69 ++++++++++++++++++++++++++++
 rocky-9/data/files/93-proxmox.cfg | 9 ++++
 rocky-9/data/init.ks.pkrtpl.hcl | 54 ++++++++++++----------
 rocky-9/server.auto.pkrvars.hcl | 8 ++--
 rocky-9/server.pkr.hcl | 31 ++++++-------
 rocky-9/variables.pkr.hcl | 36 +++++++-------
 scripts/{rocky-9.x.sh => rocky-9.sh} | 29 ++++++------
 8 files changed, 160 insertions(+), 80 deletions(-)
 create mode 100644 rocky-9/data/files/90-proxmox.cfg
 create mode 100644 rocky-9/data/files/93-proxmox.cfg
 rename scripts/{rocky-9.x.sh => rocky-9.sh} (75%)
diff --git a/README.md b/README.md
index 556249a..c79989c 100644
--- a/README.md
+++ b/README.md
@@ -41,8 +41,8 @@ If required, modify the configuration and scripts files.
 Initialize packer and start a build.
 ```Shell
-packer init rocky-9.0/
-packer build rocky-9.0/
+packer init rocky-9/
+packer build rocky-9/
 ```
 ## License
diff --git a/rocky-9/data/files/90-proxmox.cfg b/rocky-9/data/files/90-proxmox.cfg
new file mode 100644
index 0000000..82829a4
--- /dev/null
+++ b/rocky-9/data/files/90-proxmox.cfg
@@ -0,0 +1,69 @@
+users:
+ - default
+
+disable_root: 0
+ssh_pwauth: 0
+
+mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service', '0', '2']
+resize_rootfs_tmp: /dev
+ssh_deletekeys: 1
+ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']
+syslog_fix_perms: ~
+disable_vmware_customization: false
+
+cloud_init_modules:
+ - disk_setup
+ - migrator
+ - bootcmd
+ - write-files
+ - [ growpart, always ]
+ - [ resizefs, always ]
+ - set_hostname
+ - update_hostname
+ - [ update_etc_hosts, once-per-instance ]
+ - rsyslog
+ - users-groups
+ - ssh
+
+cloud_config_modules:
+ - mounts
+ - locale
+ - set-passwords
+ - rh_subscription
+ - yum-add-repo
+ - package-update-upgrade-install
+ - timezone
+ - puppet
+ - chef
+ - salt-minion
+ - mcollective
+ - disable-ec2-metadata
+ - runcmd
+
+cloud_final_modules:
+ - rightscale_userdata
+ - scripts-per-once
+ - scripts-per-boot
+ - scripts-per-instance
+ - scripts-user
+ - ssh-authkey-fingerprints
+ - keys-to-console
+ - phone-home
+ - final-message
+ - power-state-change
+
+system_info:
+ default_user:
+ name: cloud-user
+ lock_passwd: true
+ gecos: Cloud User
+ groups: [adm, systemd-journal]
+ sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+ shell: /bin/bash
+ distro: rhel
+ paths:
+ cloud_dir: /var/lib/cloud
+ templates_dir: /etc/cloud/templates
+ ssh_svcname: sshd
+
+# vim:syntax=yaml
diff --git a/rocky-9/data/files/93-proxmox.cfg b/rocky-9/data/files/93-proxmox.cfg
new file mode 100644
index 0000000..ec5740a
--- /dev/null
+++ b/rocky-9/data/files/93-proxmox.cfg
@@ -0,0 +1,9 @@
+disable_root: 0
+ssh_pwauth: 1
+
+# Set the distro defaults
+system_info:
+ default_user:
+ name: root
+ shell: /bin/bash
+ lock_passwd: false
diff --git a/rocky-9/data/init.ks.pkrtpl.hcl b/rocky-9/data/init.ks.pkrtpl.hcl
index 1b2db81..d0d81f5 100644
--- a/rocky-9/data/init.ks.pkrtpl.hcl
+++ b/rocky-9/data/init.ks.pkrtpl.hcl
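Review bot: Several keys in this file are overridden by 93-proxmox.cfg in the same commit (`disable_root: 0`, `ssh_pwauth: 0` and the whole `system_info.default_user` block), and nothing here says which layer is authoritative, so a reader will expect clones to get `cloud-user` with a locked password when they actually get root. I would open the file with a header such as `# Baseline cloud-init settings for Proxmox clones; 93-proxmox.cfg overrides disable_root, ssh_pwauth and system_info.default_user.` The module lists appear to mirror a stock RHEL-family cloud.cfg; saying so in the same header makes later drift from upstream (renamed or dropped modules) easier to spot.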
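Review bot: `ssh_pwauth: 1` makes cloud-init enable sshd password authentication on every clone, and `disable_root: 0` together with `lock_passwd: false` keeps root usable with the password the kickstart `rootpw` line bakes into the template; the only thing then blocking root-over-SSH by password is the `PermitRootLogin` revert in scripts/rocky-9.sh. The comment `# Set the distro defaults` states the opposite of what the file does, since it overrides the defaults established in 90-proxmox.cfg. I would replace it with `# Overrides 90-proxmox.cfg: root is the cloud-init default user and password auth stays enabled; clones inherit the kickstart root password unless user-data resets it.` If password login over SSH is not actually needed for non-root users, `ssh_pwauth: 0` here and key-based login only is the safer default.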
@@ -1,6 +1,15 @@
-### Installs from the first attached CD-ROM/DVD on the system.
+### Install from the first attached CD-ROM/DVD on the system
 cdrom
+### Configure network information for target system and activate network devices in the installer environment (optional)
+### --onboot enable device at a boot time
+### --device device to be activated and / or configured with the network command
+### --bootproto method to obtain networking configuration for device (default dhcp)
+### --noipv6 disable IPv6 on this device
+###
+### network --bootproto=static --ip=172.16.11.200 --netmask=255.255.255.0 --gateway=172.16.11.200 --nameserver=172.16.11.4 --hostname centos-linux-8
+network --bootproto=dhcp --device=link --activate --onboot=on
+
 ### Performs the kickstart installation in text mode.
 ### By default, kickstart installations are performed in graphical mode.
 text
@@ -14,18 +23,8 @@ lang ${vm_guest_os_language}
 ### Sets the default keyboard type for the system.
 keyboard ${vm_guest_os_keyboard}
-### Configure network information for target system and activate network devices in the installer environment (optional)
-### --onboot enable device at a boot time
-### --device device to be activated and / or configured with the network command
-### --bootproto method to obtain networking configuration for device (default dhcp)
-### --noipv6 disable IPv6 on this device
-###
-### network --bootproto=static --ip=172.16.11.200 --netmask=255.255.255.0 --gateway=172.16.11.200 --nameserver=172.16.11.4 --hostname centos-linux-8
-network --bootproto=dhcp
-
-### The selected profile will restrict root login.
-### Add a user that can login and escalate privileges.
-user --name=${build_username} --iscrypted --password=${build_password_encrypted} --groups=wheel
+### Set initial root password
+rootpw --iscrypted ${build_password_encrypted}
 ### Configure firewall settings for the system.
 ### --enabled reject incoming connections that are not in response to outbound requests
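Review bot: `rootpw --iscrypted ${build_password_encrypted}` replaces the sudo-capable build user with a direct root credential, but the comment `### Set initial root password` does not say that the credential outlives the build: scripts/rocky-9.sh in this commit removes root's authorized_keys and the PermitRootLogin override, yet never locks or expires the root password, so every clone of the template boots with it. I would make that explicit on the line itself, e.g. `### Build-time root password used by the packer SSH communicator; it remains valid in the template and its clones unless cloud-init user-data resets it.` If clones are expected to receive their own password, the place to lock or expire this one is the cleanup script, and the comment should point there.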
@@ -58,9 +57,9 @@ clearpart --all --initlabel
 ### Modify partition sizes for the virtual machine hardware.
 ### Create primary system partitions.
-part /boot --fstype xfs --size=1024 --label=BOOTFS
-part /boot/efi --fstype vfat --size=1024 --label=EFIFS
-part pv.01 --size=25 --grow
+part /boot --fstype xfs --size=512 --label=BOOTFS
+part /boot/efi --fstype vfat --size=512 --label=EFIFS
+part pv.01 --size=19 --grow
 ### Create a logical volume management (LVM) group.
 volgroup vg00 --pesize=4096 pv.01
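Review bot: `part /boot --fstype xfs --size=512 --label=BOOTFS` halves /boot; with dnf's default of retaining three installed kernels plus the rescue image, a 512 MiB /boot on RHEL-family systems can run out of space during a later `dnf update`, which as I recall is why the installation guide recommends 1 GiB for it. If the shrink is deliberate to fit the new 20G `vm_disk_size` default, a comment saying so would stop the next reader from "fixing" it, e.g. `### /boot kept at 512 MiB to fit the 20G default disk; raise to 1024 if more than three kernels are retained.` Otherwise keep `--size=1024` for /boot and apply the 512 MiB reduction only to /boot/efi.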
@@ -68,15 +67,15 @@ volgroup vg00 --pesize=4096 pv.01
 ### Modify logical volume sizes for the virtual machine hardware.
 ### Create logical volumes.
 logvol swap --fstype swap --name=lv_swap --vgname=vg00 --size=2048 --label=SWAPFS
-logvol / --fstype xfs --name=lv_root --vgname=vg00 --size=8000 --label=ROOTFS
-logvol /home --fstype xfs --name=lv_home --vgname=vg00 --size=4000 --label=HOMEFS
+logvol / --fstype xfs --name=lv_root --vgname=vg00 --size=6000 --label=ROOTFS
+logvol /home --fstype xfs --name=lv_home --vgname=vg00 --size=3000 --label=HOMEFS
 logvol /opt --fstype xfs --name=lv_opt --vgname=vg00 --size=1000 --label=OPTFS
-logvol /tmp --fstype xfs --name=lv_tmp --vgname=vg00 --size=1000 --label=TMPFS --fsoptions="nosuid,noexec,nodev"
+logvol /tmp --fstype xfs --name=lv_tmp --vgname=vg00 --size=512 --label=TMPFS --fsoptions="nosuid,noexec,nodev"
 logvol /var --fstype xfs --name=lv_var --vgname=vg00 --size=2000 --label=VARFS --fsoptions="nosuid"
-logvol /var/tmp --fstype xfs --name=lv_vartmp --vgname=vg00 --size=1000 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
-logvol /var/www --fstype xfs --name=lv_www --vgname=vg00 --size=2000 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
+logvol /var/tmp --fstype xfs --name=lv_vartmp --vgname=vg00 --size=512 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
+logvol /var/www --fstype xfs --name=lv_www --vgname=vg00 --size=1000 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
 logvol /var/log --fstype xfs --name=lv_log --vgname=vg00 --size=1000 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
-logvol /var/log/audit --fstype xfs --name=lv_audit --vgname=vg00 --size=1024 --label=AUDITFS --fsoptions="nosuid,noexec,nodev"
+logvol /var/log/audit --fstype xfs --name=lv_audit --vgname=vg00 --size=512 --label=AUDITFS --fsoptions="nosuid,noexec,nodev"
 ### Modifies the default set of services that will run under the default runlevel.
 services --enabled=NetworkManager,sshd,qemu-guest-agent
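Review bot: The rewritten `logvol /var/tmp` and `logvol /var/www` lines keep `--label=LOGFS`, which is also the label of `/var/log`, so three filesystems end up sharing one label; nothing in this diff mounts by LABEL, but any tooling or a later fstab edit that does will pick one of the three arbitrarily. Since these two lines are being rewritten anyway, give them distinct labels: `--label=VARTMPFS` for lv_vartmp and `--label=WWWFS` for lv_www. The new sizes appear to add up to under the 20G `vm_disk_size` default introduced in variables.pkr.hcl, which is presumably the point of the change.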
@@ -98,6 +97,7 @@ curl
 python3
 python3-libselinux
 qemu-guest-agent
+jq
 -aic94xx-firmware
 -atmel-firmware
 -b43-openfwwf
@@ -136,9 +136,15 @@ dnf install -y cloud-init
 dnf clean all
 touch /etc/cloud/cloud-init.disabled
+cat >/etc/cloud/cloud.cfg.d/90-proxmox.cfg </etc/cloud/cloud.cfg.d/93-proxmox.cfg <> /etc/sudoers.d/${build_username}
-sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers
+
+sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
 %end
 ### Reboot after the installation is complete.
diff --git a/rocky-9/server.auto.pkrvars.hcl b/rocky-9/server.auto.pkrvars.hcl
index e876591..e612a62 100644
--- a/rocky-9/server.auto.pkrvars.hcl
+++ b/rocky-9/server.auto.pkrvars.hcl
@@ -10,13 +10,11 @@ vm_qemu_agent = true
 proxmox_iso_pool = "local:iso"
 proxmox_iso_file = "Rocky-9.0-x86_64-minimal.iso"
-proxmox_template_description = "Rocky Linux 9.0 Template"
-proxmox_template_name = "rocky-90-cloud"
-
+proxmox_template_description = "Rocky Linux 9 Template"
+proxmox_template_name = "rocky-9-cloud"
 // Communicator Settings
-communicator_port = 22
 communicator_timeout = "30m"
 // Provisioner Settings
-scripts = ["scripts/rocky-9.x.sh"]
+build_scripts = ["scripts/rocky-9.sh"]
diff --git a/rocky-9/server.pkr.hcl b/rocky-9/server.pkr.hcl
index f77ab76..cbcbfae 100644
--- a/rocky-9/server.pkr.hcl
+++ b/rocky-9/server.pkr.hcl
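Review bot: `sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config` opens root SSH login for the build by editing the stock config in place, and it exits 0 whether or not the pattern matched; the matching revert in scripts/rocky-9.sh has the same property, so if either pattern drifts the template ships with root password login enabled and nothing in the pipeline fails. Rocky 9's sshd_config includes `/etc/ssh/sshd_config.d/*.conf`, so a build-only drop-in is both explicit and trivially reversible: `printf 'PermitRootLogin yes\n' >/etc/ssh/sshd_config.d/<build-only-drop-in>.conf` here, paired with `rm -f` of the same path in the cleanup script instead of the reverse sed. The heredoc lines that write 90-proxmox.cfg and 93-proxmox.cfg are not readable in this rendering; if their delimiter is unquoted, quoting it (`<<'EOF'`) keeps any `$` or backtick that later lands in those files from being expanded by the %post shell. The %post block begins outside this hunk.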
@@ -12,20 +12,22 @@ locals {
 buildtime = formatdate("YYYY-MM-DD hh:mm ZZZ", timestamp())
 data_source_content = {
 "/ks.cfg" = templatefile("${abspath(path.root)}/data/init.ks.pkrtpl.hcl", {
- build_username = var.build_username
- build_password_encrypted = var.build_password_encrypted
- vm_guest_os_language = var.vm_guest_os_language
- vm_guest_os_keyboard = var.vm_guest_os_keyboard
- vm_guest_os_timezone = var.vm_guest_os_timezone
+ build_password_encrypted = var.build_password_encrypted
+ vm_guest_os_language = var.vm_guest_os_language
+ vm_guest_os_keyboard = var.vm_guest_os_keyboard
+ vm_guest_os_timezone = var.vm_guest_os_timezone
+ files_proxmox_default_init = file("${abspath(path.root)}/data/files/90-proxmox.cfg")
+ files_proxmox_init = file("${abspath(path.root)}/data/files/93-proxmox.cfg")
 })
 }
 data_source_command = "inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks.cfg"
 }
-source "proxmox-iso" "rocky-linux-90" {
+source "proxmox-iso" "rocky-linux-9" {
 // Proxmox Settings
 proxmox_url = "${var.proxmox_url}"
 node = "${var.proxmox_node}"
+ username = "${var.proxmox_username}"
 token = "${var.proxmox_token}"
 // Virtual Machine Settings
@@ -70,23 +72,20 @@ source "proxmox-iso" "rocky-linux-90" {
 // Communicator Settings and Credentials
 communicator = "ssh"
- ssh_username = "${var.build_username}"
+ ssh_username = "root"
 ssh_password = "${var.build_password}"
- ssh_port = "${var.communicator_port}"
 ssh_timeout = "${var.communicator_timeout}"
- proxmox_template_description = "${var.proxmox_template_description} on ${local.buildtime}"
- proxmox_template_name = "${var.proxmox_template_name}"
- unmount_iso = true
+ template_description = "${var.proxmox_template_description} on ${local.buildtime}"
+ template_name = "${var.proxmox_template_name}"
+ unmount_iso = true
 }
 build {
- sources = ["source.proxmox-iso.rocky-linux-90"]
+ sources = ["source.proxmox-iso.rocky-linux-9"]
 provisioner "shell" {
- execute_command = "echo '${var.build_password}' | {{.Vars}} sudo -E -S sh -eux '{{.Path}}'"
- scripts = formatlist("${path.cwd}/%s", var.scripts)
- remote_folder = "/home/${var.build_username}"
+ scripts = formatlist("${path.cwd}/%s", var.build_scripts)
+ remote_folder = "/root"
 }
-
 }
diff --git a/rocky-9/variables.pkr.hcl b/rocky-9/variables.pkr.hcl
index 2615aec..6342316 100644
--- a/rocky-9/variables.pkr.hcl
+++ b/rocky-9/variables.pkr.hcl
@@ -13,6 +13,8 @@ variable "proxmox_iso_pool" {
 variable "proxmox_url" {
 type = string
 description = "URL to the Proxmox API, including the full path."
+ sensitive = true
+ default = ""
 }
 variable "proxmox_node" {
@@ -20,9 +22,18 @@ variable "proxmox_node" {
 description = "Name of a node in the Proxmox cluster on which to start the virtual machine when it is created."
 }
+variable "proxmox_username" {
+ type = string
+ description = "The username must include the token id after an exclamation mark."
+ sensitive = true
+ default = ""
+}
+
 variable "proxmox_token" {
 type = string
 description = "Token for authenticating API calls."
+ sensitive = true
+ default = ""
 }
 variable "proxmox_storage_format" {
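Review bot: `default = ""` on `proxmox_url`, `proxmox_username` and `proxmox_token` turns a missing credential from an "unset variable" error that `packer validate` reports up front into a failure at the first Proxmox API call, and marking `proxmox_url` sensitive additionally hides the value from that error output, so a mistyped URL becomes hard to diagnose. Unless the empty defaults exist only to let `packer validate` run without a vars file — in which case `packer validate -syntax-only` covers that — I would drop the two `default = ""` lines from each of the three variables and let Packer refuse to start without them. `sensitive = true` is right for the username (it embeds the token id) and the token, but I would leave it off the URL unless it carries a secret in the path.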
@@ -111,7 +122,7 @@ variable "vm_mem_size" {
 variable "vm_disk_size" {
 type = string
 description = "The size for the virtual disk."
- default = "32G"
+ default = "20G"
 }
 variable "vm_disk_controller_type" {
@@ -163,15 +174,9 @@ variable "vm_qemu_agent" {
 }
 // Communicator Settings and Credentials
-variable "build_username" {
- type = string
- description = "The username to login to the guest operating system."
- sensitive = true
-}
-
 variable "build_password" {
 type = string
- description = "The password to login to the guest operating system."
+ description = "The password to login the guest operating system."
 sensitive = true
 }
@@ -181,10 +186,10 @@ variable "build_password_encrypted" {
 sensitive = true
 }
-variable "communicator_port" {
- type = number
- description = "The port for the communicator protocol."
- default = 22
+variable "build_scripts" {
+ type = list(string)
+ description = "A list of scripts and their relative paths to transfer and execute."
+ default = []
 }
 variable "communicator_timeout" {
@@ -192,10 +197,3 @@ variable "communicator_timeout" {
 description = "The timeout for the communicator protocol."
 default = "30m"
 }
-
-// Provisioner Settings
-variable "scripts" {
- type = list(string)
- description = "A list of scripts and their relative paths to transfer and execute."
- default = []
-}
diff --git a/scripts/rocky-9.x.sh b/scripts/rocky-9.sh
similarity index 75%
rename from scripts/rocky-9.x.sh
rename to scripts/rocky-9.sh
index 368b14e..2657195 100644
--- a/scripts/rocky-9.x.sh
+++ b/scripts/rocky-9.sh
@@ -3,12 +3,11 @@ set -eo pipefail
 #### Update system
 echo '> Update packages ...'
-dnf update -y
-dnf clean all
+dnf -y -q update
+dnf -q clean all
-### Cleans all audit logs. ###
+### Cleans all audit logs
 echo '> Cleaning all audit logs ...'
-
 if [ -f /var/log/audit/audit.log ]; then
 cat /dev/null >/var/log/audit/audit.log
 fi
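Review bot: The rewritten `build_password` description loses a word — `The password to login the guest operating system.` — where the removed line read "to login to the guest", and it no longer says who logs in now that `build_username` is gone and server.pkr.hcl hard-codes `ssh_username = "root"`. I would write `description = "The root password used by the SSH communicator to log in to the guest operating system during the build."` The `build_scripts` rename and the `communicator_port` and `scripts` removals are mirrored in server.auto.pkrvars.hcl and server.pkr.hcl in this commit, so those hunks look consistent.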
@@ -21,40 +20,42 @@ if [ -f /var/log/lastlog ]; then
 cat /dev/null >/var/log/lastlog
 fi
-### Cleans persistent udev rules. ###
+### Cleans persistent udev rules
 echo '> Cleaning persistent udev rules ...'
 if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then
 rm /etc/udev/rules.d/70-persistent-net.rules
 fi
-### Clean the /tmp directories. ###
+### Clean the /tmp directories
 echo '> Cleaning /tmp directories ...'
 rm -rf /tmp/*
 rm -rf /var/tmp/*
 rm -rf /var/cache/dnf/*
-### Clean the SSH keys. ###
+### Clean the SSH keys
 echo '> Cleaning the SSH keys ...'
 shred -u /etc/ssh/*_key /etc/ssh/*_key.pub
 rm -f /etc/ssh/ssh_config.d/allow-root-ssh.conf
+rm -rf /root/.ssh/authorized_keys
+sed -i 's/PermitRootLogin yes/#PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
-### Clean the machine-id. ###
+### Clean the machine-id
 echo '> Cleaning the machine-id ...'
 truncate -s 0 /etc/machine-id
 rm -f /var/lib/dbus/machine-id
 mkdir -p /var/lib/dbus
 ln -s /etc/machine-id /var/lib/dbus/machine-id
-### Clean the shell history. ###
+### Prepare cloud-init
+echo '> Preparing cloud-init ...'
+rm -f /etc/cloud/cloud-init.disabled
+
+### Clean the shell history
 echo '> Cleaning the shell history ...'
 unset HISTFILE
 history -cw
 echo >~/.bash_history
 rm -f /root/.bash_history
-### Prepare cloud-init ###
-echo '> Preparing cloud-init ...'
-rm -f /etc/cloud/cloud-init.disabled
-
-### Done. ###
+### Done
 echo '> Done.'
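Review bot: `sed -i 's/PermitRootLogin yes/#PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config` is the only step that closes root SSH login after the build and, like the kickstart sed that opened it, it cannot fail: a pattern that no longer matches leaves `PermitRootLogin yes` in the template while the script still reports `> Done.`. Add a post-condition directly after it, `if grep -q '^PermitRootLogin yes' /etc/ssh/sshd_config; then printf '%s\n' 'sshd still permits root login' >&2; exit 1; fi` (`sshd -T` is not an option at this point because the host keys were shredded two lines earlier). `rm -rf /root/.ssh/authorized_keys` names a regular file, so `rm -f` is sufficient and avoids a recursive flag on a path under /root; the neighbouring context line removes `/etc/ssh/ssh_config.d/allow-root-ssh.conf`, which is the client-config directory and, if a server drop-in was intended, would have no effect on sshd. Nothing in this script locks or expires the root password set by the kickstart `rootpw` line, so every clone keeps it; if that is intended, say so in a comment next to the authorized_keys removal, otherwise `passwd -l root` or `chage -d 0 root` belongs here.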