automate installs

right now, installing machines is mostly a manual, or semi-manual process: we install debian, preferably with crypto, and then do stuff on top.

some of it is done by hand, some is done in puppet.

we should have a standardized install process that gives us a reproducible, identical install across platforms. then Puppet is what customizes the machine on top of that.

this ticket aims at documenting what we already have and where we could possibly go. this is one of the question we answered "no" on in the "ops questionnaire" in legacy/trac#30881 (moved). see also the automated upgrade part in legacy/trac#31957 (moved).

When we started this work, the installer had this many manual steps:

• new-machine (common trunk): 14 steps
• new-machine-hetzner-robot: +43 steps (57 total)
• new-machine-hetzner-cloud: +21 steps (35 total)

Ideally, all this would be done through an automated process, or at least scripted so that only important questions (say "hostname" and "purpose") would be answered by an operator. The plan right now is to do this with fabric. This is a checklist of things to do to fully automate our known install processes:

• new-machine common trunk
  1. add to spreadsheet (deprecate? see #29816 (closed))
  2. clone tsa-misc fabric-tasks repo (#41484)
  3. LDAP bootstrap
  4. open firewall on Puppet
  5. bootstrap puppet
  6. reboot
  7. add to nagios (puppetize, see #32901 (closed))
  8. add to dnswl (skip?)
• new-machine-hetzner-robot remaining:
  • order server (skip?)
  • extra fingerprint from email (skip?)
  • document root password in tor-passwords (skip: switch to Trocla instead: #33332)
  • new-machine-mandos (#40096)
  • reboot
• new-machine-hetzner-robot automated with Fabric:
  1. SSH with fingerprint
  2. set hostname
  3. partition disks (with fai-setup-storage)
  4. install system (with grml-debootstrap)
  5. dropbear-initramfs setup (in a grml-deboostrap hook, could be moved to fabric)
  6. review crypttab configuration (skip)
  7. review network configuration (skipped, moved to new-machine)
  8. rebuilt initramfs (in a grml-debootstrap hook, could also be moved to fabric)
  9. unmount everything
  10. close everything
• new-machine-hetzner-cloud remaining:
  • order server
  • reboot in rescue
  • export SSH keys
  • reboot
  • add to tor-passwords
  • dropbear disk unlock
  • new-machine-mandos (#40096)
  • reverse DNS
• new-machine-hetzner-cloud to automate with Fabric:
  • SSH with fingerprint (implemented in fabric!)
  • partition disks (with kpartx, but could be done with fai-setup-storage?)
  • setup fstab (move to grml-debootstrap?)
  • setup /etc/hosts (skip, move to common trunk)
  • figure out why we touch etc/udev/rules.d/75-persistent-net-generator.rules
  • setup /etc/network/interfaces (skip, move to common trunk?)
  • setup /etc/resolv.conf (skip, move to common trunk?)
  • install some more base packages (merge with grml-debootstrap? installed packages are: isc-dhcp-client locales-all net-tools iproute2 ifupdown dialog vim netbase udev psmisc usbutils pciutils iputils-ping telnet bind9-host cryptsetup systemd systemd-sysv initscripts kbd console-setup dropbear-initramfs busybox-static linux-image-amd64 grub2 ssh acpi-support-base lldpd libpam-systemd dbus cron logrotate rsyslog)
  • figure out etc/initramfs-tools/scripts/init-premount/local-hetzner-default-gw hack
  • generate and set root and LUKS password (move to grml-debootstrap?)
  • setup unattended-upgrades (skip: moved to puppet)