commit 546dabd7aa96fc4986b0f45fa6d6381cb14264e1
Author: Andreas B. Mundt
Date: Thu May 31 18:20:51 2018 +0300
Add 'installbox' configuration.
diff --git a/installbox.yml b/installbox.yml
new file mode 100644
index 0000000..7f4e9cc
--- /dev/null
+++ b/installbox.yml
@@ -0,0 +1,24 @@
+---
+# This playbook deploys the installbox on a minimal installation.
+
+- name: apply configuration to the installbox
+ hosts: installboxes
+ remote_user: ansible
+ become: yes
+ vars:
+ hostname: installbox
+ di_dist: "stretch"
+ if_lan: "ens8"
+ if_wan: "{{ ansible_default_ipv4.interface }}"
+ ipaddr_lan: 192.168.0.10
+ dhcp_range: 192.168.0.50,192.168.0.150,2h
+ tftp_root: "/var/lib/tftpboot"
+ deb_mirror: "ftp-stud.hs-esslingen.de"
+
+ roles:
+ - up2date-debian
+ - two-interface-shorewall
+ - dhcp-dns-dnsmasq
+ - transparent-squid
+ - tftp-netboot-installer
+ - preseed-installer
diff --git a/roles/dhcp-dns-dnsmasq/handlers/main.yml b/roles/dhcp-dns-dnsmasq/handlers/main.yml
new file mode 100644
index 0000000..f549f18
--- /dev/null
+++ b/roles/dhcp-dns-dnsmasq/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: restart dnsmasq
+ service: name=dnsmasq state=restarted enabled=yes
+ listen: "restart dnsmasq"
diff --git a/roles/dhcp-dns-dnsmasq/tasks/main.yml b/roles/dhcp-dns-dnsmasq/tasks/main.yml
new file mode 100644
index 0000000..840a4d7
--- /dev/null
+++ b/roles/dhcp-dns-dnsmasq/tasks/main.yml
@@ -0,0 +1,10 @@
+- name: install dns-firewall packages
+ apt:
+ name: dnsmasq
+ state: latest
+
+- name: configure dnsmasq
+ template:
+ src: dnsmasq-transparent-proxy.j2
+ dest: /etc/dnsmasq.d/transparent-proxy
+ notify: "restart dnsmasq"
diff --git a/roles/dhcp-dns-dnsmasq/templates/dnsmasq-transparent-proxy.j2 b/roles/dhcp-dns-dnsmasq/templates/dnsmasq-transparent-proxy.j2
new file mode 100644
index 0000000..a6ca62b
--- /dev/null
+++ b/roles/dhcp-dns-dnsmasq/templates/dnsmasq-transparent-proxy.j2
@@ -0,0 +1,2 @@
+interface={{ if_lan }}
+dhcp-range={{ dhcp_range }}
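Review bot: `become: yes` on the play uses the YAML 1.1 truthy spelling that yamllint's `truthy` rule flags, and the same spelling recurs as `enabled=yes`, `use_regex: yes`, `backup: yes`, `update_cache: yes` and `autoremove: yes` in the role hunks; `become: true` (and `true`/`false` throughout) is the portable form. `ipaddr_lan: 192.168.0.10` is the only LAN network variable, yet the interfaces template fixes a `255.255.255.0` netmask and the squid role allows `192.168.0.0/16`, so the trust boundary is defined in three places; a netmask or CIDR variable declared here and consumed by both roles would keep them consistent. `hostname: installbox` is declared but, as far as these hunks show, never referenced — the /etc/hosts regex and the `url=tftp://installbox` boot parameter use the literal name — so either use `{{ hostname }}` there or drop the variable.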
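Review bot: `service: name=dnsmasq state=restarted enabled=yes` uses the key=value shorthand while every other task in the commit writes module arguments as block YAML; the shorthand hides typos in option names until runtime and does not lint. Writing the arguments as a mapping (`name: dnsmasq`, `state: restarted`, `enabled: true`) matches the rest of the playbook. The same shorthand appears in roles/transparent-squid/handlers, roles/two-interface-shorewall/handlers, `apt: name=shorewall state=latest` and `apt: name={{ item }} state=latest` in roles/up2date-debian.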
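Review bot: `state: latest` on the dnsmasq install task (also on squid in roles/transparent-squid and in `apt: name=shorewall state=latest`) upgrades the package on every run, so a routine playbook run can restart the service through a package upgrade outside the `restart dnsmasq` handler and the task never settles to "ok"; `state: present` is the usual choice for an install task, with upgrades left to the up2date-debian role that runs first. The task name `install dns-firewall packages` does not describe what it does — it installs only dnsmasq — so `install dnsmasq package` would read correctly.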
diff --git a/roles/preseed-installer/tasks/main.yml b/roles/preseed-installer/tasks/main.yml
new file mode 100644
index 0000000..326b857
--- /dev/null
+++ b/roles/preseed-installer/tasks/main.yml
@@ -0,0 +1,27 @@
+- name: make preseed directory available
+ file:
+ path: "{{ tftp_root }}/d-i/{{ di_dist }}"
+ state: directory
+
+- name: provide preseed file
+ template:
+ src: preseed.cfg
+ dest: "{{ tftp_root }}/d-i/{{ di_dist }}"
+
+- name: make installbox resolvable in /etc/hosts from LAN
+ replace:
+ dest: /etc/hosts
+ regexp: '(127.0.1.1\s+)installbox'
+ replace: '\1localhost\n{{ ipaddr_lan }} installbox'
+
+- name: add auto boot entry to di-netboot-assistant
+ blockinfile:
+ dest: /etc/di-netboot-assistant/pxelinux.HEAD
+ insertbefore: EOF
+ block: |
+ LABEL quick
+ MENU LABEL Debian Installer ({{ di_dist }} ; amd64 + Preseed)
+ kernel ::/di-netboot-pkg/images/9/amd64/text/debian-installer/amd64/linux
+ append initrd=::/di-netboot-pkg/images/9/amd64/text/debian-installer/amd64/initrd.gz auto=true priority=critical url=tftp://installbox
+ TIMEOUT 100
+ notify: "rebuild di-netboot-assistant menu"
diff --git a/roles/preseed-installer/templates/preseed.cfg b/roles/preseed-installer/templates/preseed.cfg
new file mode 100644
index 0000000..e544344
--- /dev/null
+++ b/roles/preseed-installer/templates/preseed.cfg
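Review bot: The kernel and initrd paths in the pxelinux block hard-code `images/9/amd64` while the play parameterizes the release as `di_dist: "stretch"`, and roles/tftp-netboot-installer likewise hard-codes `debian-installer-9-netboot-amd64`; a release change would need edits in two roles while the variable silently keeps pointing at the old preseed directory. A `di_version` variable next to `di_dist` in installbox.yml, used in both places, would keep them in step. The /etc/hosts task uses `regexp: '(127.0.1.1\s+)installbox'` with unescaped dots; `'(127\.0\.1\.1\s+)installbox'` matches only the literal address. A one-line comment on that task explaining why the 127.0.1.1 entry is renamed to `localhost` (presumably so dnsmasq, which reads /etc/hosts, answers LAN queries for `installbox` with `ipaddr_lan` rather than the loopback address) would spare the next reader the guess.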
@@ -0,0 +1,37 @@
+#### Preconfiguration file
+## For more examples and comments:
+## https://www.debian.org/releases/stable/example-preseed.txt
+
+## To change default values:
+#d-i foo/bar string value
+#d-i foo/bar seen false
+
+## Use this as boot parameter:
+## DEBCONF_DEBUG=5
+## Boot parameter locale?=de_DE
+
+# Preseeding only locale sets language, country and locale:
+d-i debian-installer/locale string de_DE
+d-i keyboard-configuration/xkb-keymap select de
+
+## Skip root account:
+d-i passwd/root-login boolean false
+
+### Apt setup
+d-i apt-setup/non-free boolean true
+d-i apt-setup/contrib boolean true
+d-i mirror/http/mirror string {{ deb_mirror }}
+
+### Ansible User
+d-i passwd/user-fullname string Ansible User
+d-i passwd/username string ansible
+d-i passwd/user-password password insecure
+d-i passwd/user-password-again password insecure
+#d-i passwd/user-password-crypted password [crypt(3) hash]
+
+### Package selection
+tasksel tasksel/desktop multiselect standard openssh-server
+tasksel tasksel/desktop seen false
+
+# Individual additional packages to install
+d-i pkgsel/include string firmware-linux
diff --git a/roles/tftp-netboot-installer/handlers/main.yml b/roles/tftp-netboot-installer/handlers/main.yml
new file mode 100644
index 0000000..9aee0b2
--- /dev/null
+++ b/roles/tftp-netboot-installer/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: rebuild di-netboot-assistant menu
+ command: di-netboot-assistant rebuild-menu
+ listen: rebuild di-netboot-assistant menu
diff --git a/roles/tftp-netboot-installer/tasks/main.yml b/roles/tftp-netboot-installer/tasks/main.yml
new file mode 100644
index 0000000..cb71006
--- /dev/null
+++ b/roles/tftp-netboot-installer/tasks/main.yml
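Review bot: `d-i passwd/user-password password insecure` (and the `-again` line) commits a cleartext password for the `ansible` account, and the rendered file is served by dnsmasq over TFTP to every host on the LAN, so each machine installed from it starts with a published credential for the very account the play uses as `remote_user`. The commented `passwd/user-password-crypted` line is the better form: render a crypt(3) hash from an Ansible Vault variable, e.g. `d-i passwd/user-password-crypted password {{ ansible_user_password_crypted }}` (placeholder name), and let the first playbook run replace it with key-based access. `tasksel tasksel/desktop multiselect standard openssh-server` uses the desktop-selection key for task selection, whereas the example-preseed file the header links to uses `tasksel/first` for that; confirm that the installer honours it as written.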
@@ -0,0 +1,28 @@
+- name: install tftp-netboot-installer packages
+ apt:
+ name:
+ - di-netboot-assistant
+ - debian-installer-9-netboot-amd64
+
+- name: bind mount images
+ mount:
+ name: "{{ tftp_root }}/di-netboot-pkg/"
+ src: /usr/lib/debian-installer/
+ fstype: none
+ opts: bind
+# state: mounted BEGINN WORKAROUND
+ state: present
+ register: fstab
+
+- name: Reload fstab
+ command: mount -a
+ when: fstab.changed
+# https://github.com/ansible/ansible/issues/23487 END WORKAROUND
+
+- name: configure dnsmasq
+ template:
+ src: dnsmasq-tftp-netboot-installer.j2
+ dest: /etc/dnsmasq.d/tftp-netboot-installer
+ notify:
+ - restart dnsmasq
+ - rebuild di-netboot-assistant menu
diff --git a/roles/tftp-netboot-installer/templates/dnsmasq-tftp-netboot-installer.j2 b/roles/tftp-netboot-installer/templates/dnsmasq-tftp-netboot-installer.j2
new file mode 100644
index 0000000..3e627d8
--- /dev/null
+++ b/roles/tftp-netboot-installer/templates/dnsmasq-tftp-netboot-installer.j2
@@ -0,0 +1,5 @@
+enable-tftp
+tftp-root={{ tftp_root }}
+dhcp-boot=debian-installer/pxelinux.0
+dhcp-match=set:efi-x86_64,option:client-arch,7
+dhcp-boot=tag:efi-x86_64,debian-installer/bootnetx64.efi
diff --git a/roles/transparent-squid/files/store_id_regex.conf b/roles/transparent-squid/files/store_id_regex.conf
new file mode 100644
index 0000000..3d88f21
--- /dev/null
+++ b/roles/transparent-squid/files/store_id_regex.conf
@@ -0,0 +1,2 @@
+^http:\/\/.+\/(.+\.deb) http://debian.mirrors.squid.internal/Archive-http/$1
+^http:\/\/.+\/(.+\.udeb) http://debian.mirrors.squid.internal/Archive-http/$1
diff --git a/roles/transparent-squid/handlers/main.yml b/roles/transparent-squid/handlers/main.yml
new file mode 100644
index 0000000..c103a79
--- /dev/null
+++ b/roles/transparent-squid/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: restart squid
+ service: name=squid state=restarted enabled=yes
+ listen: "restart squid"
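Review bot: Both Store-ID rules key a cached object on its path suffix alone — `^http:\/\/.+\/(.+\.deb)` accepts any origin host and any prefix — so a `.deb` fetched once from any repository a LAN client happens to use is served for the same relative name requested from another origin, and one unrelated or untrusted repository can seed objects for all of them. apt's hash check against the signed Packages index rejects a mismatched file, but the outcome is failed installs rather than correct ones until the object expires, and the `refresh_pattern deb$ 129600` lines in the squid role keep such objects for 90 days. Anchoring the match on the mirror host, or on the archive layout so that only the pool path is shared, e.g. `^http:\/\/[^\/]+\/.*\/pool\/(.+\.deb)` (constructed example), limits collisions to files that genuinely share a pool path.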
diff --git a/roles/transparent-squid/tasks/main.yml b/roles/transparent-squid/tasks/main.yml
new file mode 100644
index 0000000..581acc9
--- /dev/null
+++ b/roles/transparent-squid/tasks/main.yml
@@ -0,0 +1,62 @@
+- name: install squid package
+ apt:
+ name: squid
+ state: latest
+
+- name: configure squid extra lines
+ lineinfile:
+ dest: /etc/squid/squid.conf
+ line: "{{ item.line }}"
+ insertafter: "{{ item.insertafter }}"
+ with_items:
+ - { line: "acl localnet src 192.168.0.0/16", insertafter: "#acl localnet src 192.168.0.0/16" }
+ - { line: "http_access allow localnet", insertafter: "#http_access allow localnet" }
+ - { line: "http_port 3129 intercept", insertafter: "http_port 3128" }
+ - { line: "maximum_object_size_in_memory 10240 KB", insertafter: "# maximum_object_size_in_memory" }
+ - { line: "maximum_object_size 512 MB", insertafter: "# maximum_object_size" }
+ - { line: "cache_dir aufs /var/spool/squid 20000 16 256", insertafter: "#cache_dir ufs /var/spool/squid" }
+ notify: "restart squid"
+
+- name: configure squid store IDs
+ blockinfile:
+ dest: /etc/squid/squid.conf
+ insertbefore: "TAG: store_miss"
+ block: |
+ store_id_program /usr/lib/squid/storeid_file_rewrite /etc/squid/store_id_regex.conf
+ store_id_bypass off
+ acl Ordinary http_status 200-299
+ send_hit deny !Ordinary
+ store_miss deny !Ordinary
+ marker: "# {mark} ANSIBLE MANAGED BLOCK store_id"
+ notify: "restart squid"
+
+- name: provide store_id_regex.conf
+ copy:
+ src: store_id_regex.conf
+ dest: /etc/squid/store_id_regex.conf
+ notify: "restart squid"
+
+- name: configure squid as package cache
+ blockinfile:
+ dest: /etc/squid/squid.conf
+ insertbefore: "# Add any of your own refresh_pattern entries above these."
+ block: |
+ # refresh pattern for debs and udebs
+ refresh_pattern deb$ 129600 100% 129600
+ refresh_pattern udeb$ 129600 100% 129600
+ refresh_pattern tar.gz$ 129600 100% 129600
+ refresh_pattern tar.xz$ 129600 100% 129600
+ refresh_pattern tar.bz2$ 129600 100% 129600
+ # always refresh Packages and Release files
+ refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
+ refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
+ refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
+ refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0
+ marker: "# {mark} ANSIBLE MANAGED BLOCK refresh_pattern"
+ notify: "restart squid"
+
+- name: redirect www traffic in shorewall
+ lineinfile:
+ dest: /etc/shorewall/rules
+ line: "REDIRECT loc 3129 tcp www"
+ notify: "restart shorewall"
diff --git a/roles/two-interface-shorewall/handlers/main.yml b/roles/two-interface-shorewall/handlers/main.yml
new file mode 100644
index 0000000..58e1a17
--- /dev/null
+++ b/roles/two-interface-shorewall/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: restart networking
+ service: name=networking state=restarted enabled=yes
+ listen: restart networking
+
+- name: restart shorewall
+ service: name=shorewall state=restarted enabled=yes
+ listen: restart shorewall
diff --git a/roles/two-interface-shorewall/tasks/main.yml b/roles/two-interface-shorewall/tasks/main.yml
new file mode 100644
index 0000000..e2a273e
--- /dev/null
+++ b/roles/two-interface-shorewall/tasks/main.yml
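Review bot: `http_port 3129 intercept` in the `configure squid extra lines` loop binds the intercept port on every address of the installbox, and `acl localnet src 192.168.0.0/16` is wider than the /24 the interfaces template assigns to if_lan; `http_port {{ ipaddr_lan }}:3129 intercept` together with an ACL derived from the LAN network variable confines the transparent proxy to the LAN side instead of relying on shorewall's net-zone policy alone. The loop also depends on each `insertafter` pattern (`http_port 3128`, `#http_access allow localnet`, …) being present in the stock squid.conf; when a pattern does not match, lineinfile appends at end of file, and for `http_access allow localnet` that would place it after the stock `http_access deny all` and silently have no effect. A `validate: squid -k parse -f %s` on the lineinfile tasks catches a malformed result, and a short comment naming the squid version whose squid.conf these anchors were taken from would document the assumption. The enclosing play and the `restart shorewall` handler it notifies live in other files.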
@@ -0,0 +1,86 @@
+- name: add if_lan with static address
+ template:
+ src: interfaces-static.j2
+ dest: /etc/network/interfaces.d/static
+
+- name: make if_wan auto start
+ lineinfile:
+ dest: /etc/network/interfaces
+ line: "auto {{ if_wan }}"
+ insertbefore: "iface\\s+{{ if_wan }}\\s+inet\\s+dhcp"
+ notify: restart networking
+
+- name: install shorewall packages
+ apt: name=shorewall state=latest
+
+- name: copy shorewall configuration
+ command: cp {{ item }} /etc/shorewall/
+ args:
+ chdir: /usr/share/doc/shorewall/examples/two-interfaces/
+ creates: "/etc/shorewall/{{ item }}"
+ with_items:
+ - interfaces
+ - snat
+ - policy
+ - rules
+ - stoppedrules
+ - zones
+ notify: restart shorewall
+
+- name: find files in /etc/shorewall/
+ find:
+ paths: /etc/shorewall/
+ use_regex: yes
+ pattern: '.+[^~]$'
+ contains: '.*(eth0|eth1).*'
+ register: find_result
+ notify: restart shorewall
+
+- name: fix WAN interface name in shorewall configuration
+ replace:
+ dest: "{{ item.path }}"
+ regexp: 'eth0'
+ replace: "{{ if_wan }}"
+ backup: yes
+ with_items: "{{ find_result.files }}"
+ notify: restart shorewall
+
+- name: fix LAN interface name in shorewall configuration
+ replace:
+ dest: "{{ item.path }}"
+ regexp: 'eth1'
+ replace: "{{ if_lan }}"
+ backup: yes
+ with_items: "{{ find_result.files }}"
+ notify: restart shorewall
+
+- name: configure forwarding in shorewall.conf
+ replace:
+ dest: /etc/shorewall/shorewall.conf
+ regexp: 'IP_FORWARDING=Keep'
+ replace: 'IP_FORWARDING=Yes'
+ backup: yes
+ notify: restart shorewall
+
+- name: configure shorewall policy
+ replace:
+ dest: /etc/shorewall/policy
+ regexp: 'loc(\s+)net(\s+)ACCEPT'
+ replace: 'loc\1all\2ACCEPT\n$FW\1all\2ACCEPT'
+ backup: yes
+ notify: restart shorewall
+
+- name: configure shorewall rules
+ replace:
+ dest: /etc/shorewall/rules
+ regexp: '(SSH\(ACCEPT\)\s+)loc(\s+\$FW)'
+ replace: '\1all\2'
+ backup: yes
+ notify: restart shorewall
+
+- name: enable shorewall in /etc/defaults/shorewall
+ replace:
+ dest: /etc/default/shorewall
+ regexp: 'startup=0'
+ replace: 'startup=1'
+ notify: restart shorewall
diff --git a/roles/two-interface-shorewall/templates/interfaces-static.j2 b/roles/two-interface-shorewall/templates/interfaces-static.j2
new file mode 100644
index 0000000..6c0fd53
--- /dev/null
+++ b/roles/two-interface-shorewall/templates/interfaces-static.j2
@@ -0,0 +1,5 @@
+auto {{ if_lan }}
+allow-hotplug {{ if_lan }}
+iface {{ if_lan }} inet static
+ address {{ ipaddr_lan }}
+ netmask 255.255.255.0
diff --git a/roles/up2date-debian/tasks/main.yml b/roles/up2date-debian/tasks/main.yml
new file mode 100644
index 0000000..81d2d5c
--- /dev/null
+++ b/roles/up2date-debian/tasks/main.yml
@@ -0,0 +1,19 @@
+# Update lists and upgrade packages.
+
+- name: update apt package lists
+ apt:
+ update_cache: yes
+ cache_valid_time: 86400
+
+- name: upgrade packages
+ apt:
+ upgrade: dist
+ autoremove: yes
+
+- name: install some packages
+ apt: name={{ item }} state=latest
+ with_items:
+ - etckeeper
+
+#- name: clean apt package cache
+# command: apt clean
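Review bot: `configure shorewall rules` rewrites the example's `SSH(ACCEPT) loc $FW` to `SSH(ACCEPT) all $FW`, so SSH to the installbox is accepted from the `net` zone as well; if the installbox itself was installed from the preseed in this commit, that exposes password login for the `ansible` account with a cleartext password on the WAN interface. If remote administration over WAN is not intended, leave the rule at `loc`; if it is, restrict the source (`SSH(ACCEPT) net:<admin-net> $FW`, placeholder) and pair it with key-only authentication. The policy change to `loc all ACCEPT` / `$FW all ACCEPT` likewise lets every LAN host reach every local port, including squid's non-intercept 3128 — defensible on an install LAN, but a comment on the task stating that intent would stop a later reader from tightening it by accident. `notify: restart shorewall` on the `find` task never fires, since find reports no change, and can be dropped; the task name `enable shorewall in /etc/defaults/shorewall` should say `/etc/default/shorewall` to match `dest`.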
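Review bot: `apt: name={{ item }} state=latest` with `with_items` mixes the key=value shorthand with the block form the two tasks above it use and loops apt once per package; writing the task in block form with `name:` as a list and `state: latest` installs the set in one transaction and reads consistently. `autoremove: yes` and `update_cache: yes` should be `true` to satisfy yamllint's truthy rule. The commented-out `clean apt package cache` task at the end either deserves a one-line comment saying why it is disabled or should be removed rather than kept as dead configuration.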