ansible-pull-deploy/ubuntu-autoinstall/autoinstall.yaml

# Ubuntu Server Autoinstall — Iron Legion G9 Headless Deploy
# Usage: Place as 'user-data' on nocloud USB alongside empty 'meta-data' file
# See README.md for USB creation instructions

version: 1
autoinstall:
  # ── Identity ──
  identity:
    hostname: ubuntu
    username: jarvis
    password: "$6$iypA63f5vLDzTGQ2$eOrvsyhnM6c4istoy65GUConWL4St.rzy28wFt8QxUWk7F3fSx7mHytwnjHosvIj7JAMBPeC4jkUctAZJeKDx/"
    ssh:
      install-server: true
      allow-pw: true
      authorized-keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSBrRCROUHOiZX9IB3teEK89VFfghbdu7OF5NoJ1Y6g

  # ── Storage ──
  storage:
    config:
      - type: disk
        id: disk0
        ptable: gpt
        wipe: superblock-recursive
        path: /dev/nvme0n1
      - type: partition
        id: boot-part
        number: 1
        size: 1GB
        device: disk0
        flag: boot
        grub_device: true
      - type: format
        id: boot-format
        fstype: ext4
        volume: boot-part
      - type: mount
        id: boot-mount
        device: boot-format
        path: /boot
      - type: partition
        id: root-part
        number: 2
        size: -1
        device: disk0
      - type: format
        id: root-format
        fstype: ext4
        volume: root-part
      - type: mount
        id: root-mount
        device: root-format
        path: /

  # ── Networking ──
  network:
    version: 2
    ethernets:
      en0:
        match:
          name: "en*"
        dhcp4: true
        dhcp6: true

  # ── Packages ──
  packages:
    - openssh-server
    - curl
    - git
    - ca-certificates
    - gnupg
    - net-tools
    - iputils-ping
    - htop
    - ufw
    - nfs-common

  # ── First boot scripts ──
  late-commands:
    # Hostname from MAC address
    - |
      MAC=$(cat /sys/class/net/en*/address 2>/dev/null | head -1 | tr -d ':')
      case "$MAC" in
        e051d81c5d56) HOST="mk-33" ;;
        e051d81c5c75) HOST="mk-34" ;;
        e051d81c5dca) HOST="mk-39" ;;
        e051d81c5d5c) HOST="mk-42" ;;
        *) HOST="g9-$(echo $MAC | tail -c 5)" ;;
      esac
      hostnamectl set-hostname "$HOST"
      echo "$HOST" > /etc/hostname
      printf "127.0.1.1\t%s\n" "$HOST" >> /etc/hosts

    # Disable cloud-init re-run
    - |
      mkdir -p /etc/cloud/cloud.cfg.d
      echo "preserve_hostname: true" > /etc/cloud/cloud.cfg.d/99_preserve_hostname.cfg
      touch /etc/cloud/cloud-init.disabled

    # Install Docker
    - |
      install -m 0755 -d /etc/apt/keyrings
      curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
      chmod a+r /etc/apt/keyrings/docker.gpg
      echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu noble stable" > /etc/apt/sources.list.d/docker.list
      apt-get update
      apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
      usermod -aG docker jarvis

    # Install Tailscale
    - |
      curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg | tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
      curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list | tee /etc/apt/sources.list.d/tailscale.list
      apt-get update
      apt-get install -y tailscale

    # Clone ansible-pull repo
    - |
      sudo -u jarvis bash -c 'mkdir -p ~/.ansible-repo && cd ~/.ansible-repo && git clone https://gitea.nb.bobbysh.me/Iron-Legion/ansible-pull-deploy.git . 2>/dev/null || true'

    # SSH hardening (keep PW auth enabled for fleet standard)
    - |
      sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
      sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
      systemctl restart ssh

    # Enable UFW basic rules
    - |
      ufw default deny incoming
      ufw default allow outgoing
      ufw allow 22/tcp
      ufw --force enable

    # Reboot to finalize
    - reboot