There was a time before Windows... A happier time...

Author: nightkr

.dir-locals.el

@@ -0,0 +1,5 @@
+;;; Directory Local Variables            -*- no-byte-compile: t -*-
+;;; For more information see (info "(emacs) Directory Variables")
+
+((yaml-mode . ((yaml-indent-offset . 2)
+               (evil-shift-width . 2))))

.gitignore

@@ -0,0 +1,6 @@
+.DS_Store
+.idea
+*.log
+tmp/
+/target
+roles/create-vm/files/guest-files/spice-guest-tools.exe

install.yaml

@@ -0,0 +1,22 @@
+- name: Create VM and install Windows
+  hosts: localhost
+  roles:
+    - role: create-vm
+- name: Wait for VM to install and boot
+  hosts: sble-addc
+  gather_facts: false
+  tasks:
+    - name: |
+        Wait for VM to install and boot.
+        Make sure to connect to the VM (via virt-manager, virt-viewer, or similar) and follow the prompts (press any key to boot from DVD, confirm partitioning).
+        This will take a while.. if it times out, restart the playbook but leave the VM running to resume.
+        It is normal to see a bunch of QEMU guest agent errors in the Ansible output while waiting.
+      ansible.builtin.wait_for_connection:
+- name: Install AD and initialize domain controller
+  hosts: sble-addc
+  roles:
+    - role: ad-dc
+- name: Connect Kubernetes To AD
+  hosts: localhost
+  roles:
+    - role: connect-k8s

inventory.ini

@@ -0,0 +1,2 @@
+[windows]
+sble-addc ansible_connection=community.libvirt.libvirt_qemu ansible_libvirt_uri=qemu:///system ansible_host=stackable-adds-test ansible_shell_type=powershell

roles/ad-dc/tasks/main.yaml

@@ -0,0 +1,67 @@
+# - name: Install AD DS
+#   win_command: Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools
+- name: Promote to Domain Controller
+  microsoft.ad.domain:
+    dns_domain_name: sble.test
+    domain_netbios_name: sbletest
+    safe_mode_password: Asdf1234
+    reboot: true
+
+- name: Update Facts With Domain Membership
+  ansible.builtin.gather_facts:
+- name: Extract Primary IP address
+  set_fact:
+    vm_network_ipv4: "{{ (ansible_facts.interfaces | rekey_on_member('macaddress'))[vm_network_mac | upper].ipv4.address }}"
+
+- name: Name Secret-Operator User
+  set_fact:
+    secret_operator_principal: stackable-secret-operator@{{ ansible_facts.domain | upper }}
+- name: Create Secret-Operator User
+  microsoft.ad.user:
+    name: stackable-secret-operator
+    sam_account_name: sble-sec-op
+    password: Asdf1234
+    enabled: true
+    identity: CN=stackable-secret-operator,CN=Users,DC=sble,DC=test
+    upn: "{{ secret_operator_principal }}"
+    groups:
+      add:
+        - Domain Admins
+- name: Create Secret-Operator Keytab
+  ansible.windows.win_command:
+    cmd: ktpass /princ {{ secret_operator_principal }} /out secret-op.kt +rndPass /ptype KRB5_NT_PRINCIPAL /mapuser {{ secret_operator_principal }} /crypto AES256-SHA1
+- name: Fetch Secret-Operator Keytab
+  ansible.builtin.fetch:
+    src: secret-op.kt
+    dest: target/
+    flat: true
+
+- name: Install AD Certificate Services
+  ansible.windows.win_feature:
+    name:
+      - AD-Certificate
+      - ADCS-Cert-Authority
+    include_management_tools: true
+- name: Install ADCS Certificate Authority
+  ansible.windows.win_shell: |
+    # Try to access certificate authority, should fail
+    # iff it is not installed yet
+    try {
+      Get-CATemplate
+    } catch {
+      Install-AdcsCertificationAuthority -Force
+    }
+- name: Export CA Certificate
+  ansible.windows.win_command:
+    cmd: certutil -f -ca.cert ca.crt
+- name: Fetch CA Certificate
+  ansible.builtin.slurp:
+    src: ca.crt
+  register: ca_crt
+- name: Convert CA Certificate
+  community.crypto.x509_certificate_convert:
+    src_content: "{{ ca_crt.content }}"
+    src_content_base64: true
+    dest_path: target/ca.crt
+    format: pem
+  delegate_to: localhost

roles/connect-k8s/tasks/main.yaml

@@ -0,0 +1,74 @@
+- name: Export Current CoreDNS Corefile
+  kubernetes.core.k8s_info:
+    api_version: v1
+    kind: ConfigMap
+    namespace: kube-system
+    name: coredns
+  register: corefile
+- name: Export Current Corefile
+  ansible.builtin.copy:
+    dest: target/Corefile
+    content: "{{ corefile.resources[0].data.Corefile }}"
+- name: Delegate AD Domain To AD
+  ansible.builtin.lineinfile:
+    path: target/Corefile
+    search_string: "forward {{ hostvars['sble-addc'].ansible_facts.domain }}. "
+    line: "    forward {{ hostvars['sble-addc'].ansible_facts.domain }}. {{ hostvars['sble-addc'].vm_network_ipv4 }}"
+    insertbefore: "forward . "
+- name: Update Corefile
+  kubernetes.core.k8s:
+    resource_definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        namespace: kube-system
+        name: coredns
+      data:
+        Corefile: "{{ lookup('file', 'target/Corefile') }}"
+
+- name: Update Secret-Operator Credentials
+  kubernetes.core.k8s:
+    resource_definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        namespace: default
+        name: secret-operator-ad-credentials
+      data:
+        ca.crt: "{{ lookup('file', 'target/ca.crt') | b64encode }}"
+        keytab: "{{ lookup('file', 'target/secret-op.kt') | b64encode }}"
+- name: Update Secret-Operator Password Cache
+  kubernetes.core.k8s:
+    resource_definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        namespace: default
+        name: secret-operator-ad-passwords
+- name: Create Kerberos SecretClass
+  kubernetes.core.k8s:
+    resource_definition:
+      apiVersion: secrets.stackable.tech/v1alpha1
+      kind: SecretClass
+      metadata:
+        name: kerberos-ad
+      spec:
+        backend:
+          kerberosKeytab:
+            realmName: "{{ hostvars['sble-addc'].ansible_facts.domain | upper }}"
+            kdc: "{{ hostvars['sble-addc'].ansible_facts.fqdn }}"
+            adminPrincipal: "{{ hostvars['sble-addc'].secret_operator_principal }}"
+            adminKeytabSecret:
+              namespace: default
+              name: secret-operator-ad-credentials
+            admin:
+              activeDirectory:
+                ldapServer: "{{ hostvars['sble-addc'].ansible_facts.fqdn }}"
+                ldapTlsCaSecret:
+                  namespace: default
+                  name: secret-operator-ad-credentials
+                passwordCacheSecret:
+                  namespace: default
+                  name: secret-operator-ad-passwords
+                userDistinguishedName: CN=Users,DC=sble,DC=test
+                schemaDistinguishedName: CN=Schema,CN=Configuration,DC=sble,DC=test

roles/create-vm/defaults/main.yaml

@@ -0,0 +1,20 @@
+libvirt_uri: qemu:///system
+
+vm_name: stackable-adds-test
+vm_memory_mib: 4096
+vm_vcpus: 8
+vm_disk_name: stackable-adds-test.qcow2
+vm_disk_pool: default
+vm_disk_size_gib: 30
+vm_disk_format: qcow2
+vm_disk_path: /var/lib/libvirt/images/stackable-adds-test.qcow2
+
+install_iso_windows: /mnt/data/DL/OS/Windows Server 2022 EVAL.iso
+
+install_iso_virtio_win_url: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.248-1/virtio-win-0.1.248.iso
+install_iso_virtio_win_checksum: sha256:d5b5739cf297f0538d263e30678d5a09bba470a7c6bcbd8dff74e44153f16549
+install_iso_virtio_win: "{{ lookup('first_found', 'target') }}/virtio-win.iso"
+
+install_exe_spice_guest_tools_url: https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-0.141/spice-guest-tools-0.141.exe
+install_exe_spice_guest_tools_checksum: sha256:b5be0754802bcd7f7fe0ccdb877f8a6224ba13a2af7d84eb087a89b3b0237da2
+install_exe_spice_guest_tools: "{{ lookup('first_found', 'guest-files') }}/spice-guest-tools.exe"

roles/create-vm/files/guest-files/.gitkeep

@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="utf-8"?>
+<unattend xmlns="urn:schemas-microsoft-com:unattend">
+  <settings pass="windowsPE">
+    <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-PnpCustomizationsWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+      <DriverPaths>
+        <PathAndCredentials wcm:keyValue="2ddfcae9" wcm:action="add">
+          <!-- Install QEMU storage drivers from virtio-win drive -->
+          <!-- The drive letter doesn't match the paths user later on, because the primary drive will be inserted as C: after partitioning, shifting all other drive letters a step -->
+          <Path>E:\</Path>
+        </PathAndCredentials>
+      </DriverPaths>
+    </component>
+    <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+      <!-- FIXME: Auto-partitioning seems to prevent install from working? -->
+      <!-- <DiskConfiguration> -->
+      <!--   <Disk wcm:action="add"> -->
+      <!--     <CreatePartitions> -->
+      <!--       <CreatePartition wcm:action="add"> -->
+      <!--         <Type>EFI</Type> -->
+      <!--         <Size>200</Size> -->
+      <!--         <Order>1</Order> -->
+      <!--       </CreatePartition> -->
+      <!--       <CreatePartition wcm:action="add"> -->
+      <!--         <Type>MSR</Type> -->
+      <!--         <Size>200</Size> -->
+      <!--         <Order>2</Order> -->
+      <!--       </CreatePartition> -->
+      <!--       <CreatePartition wcm:action="add"> -->
+      <!--         <Type>Primary</Type> -->
+      <!--         <Size>1024</Size> -->
+      <!--         <Order>3</Order> -->
+      <!--       </CreatePartition> -->
+      <!--     </CreatePartitions> -->
+      <!--     <ModifyPartitions> -->
+      <!--       <ModifyPartition wcm:action="add"> -->
+      <!--         <!-\- <Active>true</Active> -\-> -->
+      <!--         <Order>1</Order> -->
+      <!--         <!-\- <PartitionID>1</PartitionID> -\-> -->
+      <!--         <!-\- <Label>System</Label> -\-> -->
+      <!--         <Format>NTFS</Format> -->
+      <!--         <!-\- <TypeID>0x27</TypeID> -\-> -->
+      <!--       </ModifyPartition> -->
+      <!--       <ModifyPartition wcm:action="add"> -->
+      <!--         <!-\- <Active>true</Active> -\-> -->
+      <!--         <Order>2</Order> -->
+      <!--         <!-\- <PartitionID>2</PartitionID> -\-> -->
+      <!--         <!-\- <Label>Microsoft Reserved</Label> -\-> -->
+      <!--         <Format>NTFS</Format> -->
+      <!--         <!-\- <TypeID>0x27</TypeID> -\-> -->
+      <!--       </ModifyPartition> -->
+      <!--       <ModifyPartition wcm:action="add"> -->
+      <!--         <Order>3</Order> -->
+      <!--         <!-\- <PartitionID>3</PartitionID> -\-> -->
+      <!--         <!-\- <Active>true</Active> -\-> -->
+      <!--         <Format>NTFS</Format> -->
+      <!--         <Extend>true</Extend> -->
+      <!--         <Letter>C</Letter> -->
+      <!--       </ModifyPartition> -->
+      <!--     </ModifyPartitions> -->
+      <!--     <DiskID>0</DiskID> -->
+      <!--     <WillWipeDisk>true</WillWipeDisk> -->
+      <!--   </Disk> -->
+      <!-- </DiskConfiguration> -->
+      <ImageInstall>
+        <OSImage>
+          <InstallFrom>
+            <MetaData wcm:action="add">
+              <Key>/IMAGE/NAME</Key>
+              <Value>Windows Server 2022 SERVERDATACENTER</Value>
+            </MetaData>
+          </InstallFrom>
+          <!-- <InstallToAvailablePartition>true</InstallToAvailablePartition> -->
+          <!-- <WillShowUI>OnError</WillShowUI> -->
+        </OSImage>
+      </ImageInstall>
+      <UserData>
+        <AcceptEula>true</AcceptEula>
+      </UserData>
+    </component>
+    <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+      <SetupUILanguage>
+        <UILanguage>en-US</UILanguage>
+      </SetupUILanguage>
+      <UILanguage>en-US</UILanguage>
+      <InputLocale>sv-SE</InputLocale>
+    </component>
+  </settings>
+  <settings pass="specialize">
+    <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+      <RunSynchronous>
+        <!-- Install guest tools certificate to suppress driver permission prompts -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>1</Order>
+          <Path>certutil -addstore TrustedPublisher A:\redhat-drivers.crt</Path>
+        </RunSynchronousCommand>
+        <!-- Disable the "new network detected" prompt -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>2</Order>
+          <Path>reg add HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff /f</Path>
+        </RunSynchronousCommand>
+        <!-- RTC is in UTC -->
+        <!-- If time is desynced then ADCS will generate certificates that aren't valid yet -->
+        <RunSynchronousCommand wcm:action="add">
+          <Order>3</Order>
+          <Path>reg add HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v RealTimeIsUniversal /t REG_DWORD /d 1 /f</Path>
+        </RunSynchronousCommand>
+      </RunSynchronous>
+    </component>
+  </settings>
+  <!-- <settings pass="auditSystem"> -->
+  <!--   <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> -->
+  <!--     <AuditComputerName> -->
+  <!--       <Name>sble-adds</Name> -->
+  <!--     </AuditComputerName> -->
+  <!--   </component> -->
+  <!-- </settings> -->
+  <settings pass="oobeSystem">
+    <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+      <UserAccounts>
+        <AdministratorPassword>
+          <Value>Asdf1234</Value>
+          <PlainText>true</PlainText>
+        </AdministratorPassword>
+      </UserAccounts>
+      <AutoLogon>
+        <Enabled>true</Enabled>
+        <Username>Administrator</Username>
+        <Password>
+          <Value>Asdf1234</Value>
+          <PlainText>true</PlainText>
+        </Password>
+      </AutoLogon>
+      <FirstLogonCommands>
+        <!-- Install QEMU and SPICE guest tools -->
+        <!-- NOTE: MUST happen in OOBE stage since Ansible assumes that having guest tools (more specifically, the qemu guest agent) available means the install is ready to proceed -->
+        <SynchronousCommand wcm:action="add">
+          <Order>1</Order>
+          <!-- QEMU guest tools are on virtio-win drive -->
+          <CommandLine>F:\virtio-win-guest-tools.exe /passive</CommandLine>
+          <RequiresUserInput>true</RequiresUserInput>
+        </SynchronousCommand>
+        <!-- SPICE guest tools aren't strictly required, but makes it Nicer(tm) to interact with graphically (automatic resolution adjustment, clipboard sync, etc) -->
+        <SynchronousCommand wcm:action="add">
+          <Order>2</Order>
+          <!-- SPICE guest tools are on the guest-files virtual USB drive -->
+          <CommandLine>D:\spice-guest-tools.exe /S</CommandLine>
+          <RequiresUserInput>true</RequiresUserInput>
+        </SynchronousCommand>
+      </FirstLogonCommands>
+    </component>
+  </settings>
+  <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="wim:c:/users/administrator/desktop/install.wim#Windows Server 2022 SERVERDATACENTER"/>
+</unattend>

roles/create-vm/files/windows-install-config/Autounattend.xml

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBjCCA+6gAwIBAgIQVsbSZ63gf3LutGA7v4TOpTANBgkqhkiG9w0BAQUFADCB
+tDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
+YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMl
+VmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTAeFw0xNjAzMTgw
+MDAwMDBaFw0xODEyMjkyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5O
+b3J0aCBDYXJvbGluYTEQMA4GA1UEBxMHUmFsZWlnaDEWMBQGA1UEChQNUmVkIEhh
+dCwgSW5jLjEWMBQGA1UEAxQNUmVkIEhhdCwgSW5jLjCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMA3SYpIcNIEzqqy1PNimjt3bVY1KuIuvDABkx8hKUG6
+rl9WDZ7ibcW6f3cKgr1bKOAeOsMSDu6i/FzB7Csd9u/a/YkASAIIw48q9iD4K6lb
+Kvd+26eJCUVyLHcWlzVkqIEFcvCrvaqaU/YlX/antLWyHGbtOtSdN3FfY5pvvTbW
+xf8PJBWGO3nV9CVL1DMK3wSn3bRNbkTLttdIUYdgiX+q8QjbM/VyGz7nA9UvGO0n
+FWTZRdoiKWI7HA0Wm7TjW3GSxwDgoFb2BZYDDNSlfzQpZmvnKth/fQzNDwumhDw7
+tVicu/Y8E7BLhGwxFEaP0xZtENTpn+1f0TxPxpzL2zMCAwEAAaOCAV0wggFZMAkG
+A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6
+Ly9zZi5zeW1jYi5jb20vc2YuY3JsMGEGA1UdIARaMFgwVgYGZ4EMAQQBMEwwIwYI
+KwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkM
+F2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMBMGA1UdJQQMMAoGCCsGAQUFBwMDMFcG
+CCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL3NmLnN5bWNkLmNvbTAm
+BggrBgEFBQcwAoYaaHR0cDovL3NmLnN5bWNiLmNvbS9zZi5jcnQwHwYDVR0jBBgw
+FoAUz5mp6nsm9EvJjo/X8AUm7+PSp50wHQYDVR0OBBYEFL/39F5yNDVDib3B3Uk3
+I8XJSrxaMA0GCSqGSIb3DQEBBQUAA4IBAQDWtaW0Dar82t1AdSalPEXshygnvh87
+Rce6PnM2/6j/ijo2DqwdlJBNjIOU4kxTFp8jEq8oM5Td48p03eCNsE23xrZl5qim
+xguIfHqeiBaLeQmxZavTHPNM667lQWPAfTGXHJb3RTT4siowcmGhxwJ3NGP0gNKC
+PHW09x3CdMNCIBfYw07cc6h9+Vm2Ysm9MhqnVhvROj+AahuhvfT9K0MJd3IcEpjX
+Z7aMX78Vt9/vrAIUR8EJ54YGgQsF/G9Adzs6fsfEw5Nrk8R0pueRMHRTMSroTe0V
+Ae2nvuUU6rVI30q8+UjQCxu/ji1/JnitNkUyOPyC46zL+kfHYSnld8U1
+-----END CERTIFICATE-----