pxe-server/docs/SITE-CUSTOMIZATION.md
cproudlock ce604adcda Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24
Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.

Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.

Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.

After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 16:30:32 -04:00


Site Customization

The PXE server in this repo was built for the GE Aerospace West Jefferson site. To stand it up at another site, several values need to change. This document lists every site-specific value, where it lives today, and the recommended forward state.

Status

The repo has not yet been parameterized. As of 2026-04-14 the site-specific values below are hardcoded in multiple files. The config/ directory at the repo root is a placeholder for the future state where one YAML file drives substitution at build time. Until that exists, customizing for a new site means editing the source files directly.

If you are bringing up the first non-WJ site, expect to do this manually and contribute a config/sites/<sitename>.yaml template back to the repo.

Values to change

Network

| Value | Default | Where it lives |
|---|---|---|
| PXE server IP | 172.16.9.1 | playbook/pxe_server_setup.yml (dnsmasq config, iPXE script, samba conf, webapp env), playbook/startnet.cmd (mount paths), boot-tools/blancco/grub-blancco.cfg (TFTP/HTTP URLs) |
| PXE subnet | 172.16.9.0/24 | Same as above, plus playbook/pxe_server_setup.yml (UFW rules) |
| DHCP range | 172.16.9.10-100 | playbook/pxe_server_setup.yml (dnsmasq config) |
| Hostname | pxeserver | autoinstall/user-data (identity.hostname) |

Identity and credentials

| Value | Default | Where it lives |
|---|---|---|
| Linux user | pxe / pxe | autoinstall/user-data (identity.username, password hash) |
| Samba upload user | pxe-upload / pxe | playbook/pxe_server_setup.yml (Samba user creation) |
| Samba blancco user | blancco / blancco | playbook/pxe_server_setup.yml |
| Sudo password | pxe | autoinstall password hash; also referenced in scripts that ssh + sudo |

WiFi and BMC (Blancco licensing)

The Blancco custom config.img carries WiFi credentials and BMC cloud credentials in plaintext. These are GE-Aerospace specific.

| Value | Default | Where it lives |
|---|---|---|
| WiFi SSID | INTERNETACCESS | boot-tools/blancco/config.img (inside the cpio archive: preferences.xml) |
| WiFi password | Acc3ssGr@nted22 | Same |
| BMC endpoint | classic.eu-west-1.blancco.cloud:443 | Same; encrypted credentials inside config.img |

To rebuild config.img for a different site, see BLANCCO.md ("Rebuilding config.img").

Image types

The repo defines seven image types (see playbook/pxe_server_setup.yml, image_types). Most sites likely only need a subset. The current set:

  • gea-standard
  • gea-engineer
  • gea-shopfloor
  • ge-standard
  • ge-engineer
  • ge-shopfloor-lockdown
  • ge-shopfloor-mce

Trim or extend this list and the matching shopfloor_types filter as needed.

PC types (shopfloor sub-types)

playbook/shopfloor-setup/ contains per-PC-type install logic. The current types reflect WJ shopfloor needs:

  • CMM (PC-DMIS)
  • WaxAndTrace
  • Keyence
  • Genspect
  • Display (Lobby and Dashboard variants)
  • Standard (Timeclock and Machine variants)
  • Lab

A site without CMMs can drop the CMM type and its installers entirely.

GCCH bulk-enrollment PPKGs

PPKG filenames are baked into playbook/startnet.cmd and startnet-template.cmd. They are tied to the GE Aerospace tenant. Other sites/tenants will have their own PPKGs with different filenames.

| PPKG enrollment menu choice | Default filename |
|---|---|
| 1 NoOffice | GCCH_Prod_SFLD_NoOffice_US_Exp_20260430_v4.10.ppkg |
| 2 StdOffice x86 | GCCH_Prod_SFLD_StdOffice-x86_US_Exp_20260430_v4.10.ppkg |
| 3 StdOffice x64 | GCCH_Prod_SFLD_StdOffice-x64_US_Exp_20260430_v4.10.ppkg |
| 4 ProPlusOffice x86 | GCCH_Prod_SFLD_ProPlusOffice-x86_US_Exp_20260430_v4.10.ppkg |
| 5 ProPlusOffice x64 | GCCH_Prod_SFLD_ProPlusOffice-x64_US_Exp_20260430_v4.10.ppkg |

When you bump PPKG versions, update the filenames in startnet.cmd, drop the new PPKGs in enrollment/ on the workstation, and rebuild the USB.

Site-specific shopfloor config

playbook/shopfloor-setup/site-config.json has site-specific values like default machine number ranges, share paths for software, and more. Inspect that file for site name strings, share UNC paths, and machine number ranges.

Branding

The Flask webapp uses GE Aerospace branding:

  • Logo: webapp/static/ge-aerospace-logo.svg
  • Favicon: webapp/static/favicon.ico
  • Page titles and templates reference "GE Aerospace" in webapp/templates/*.html
  • iPXE menu title: "GE Aerospace PXE Boot Menu" in playbook/pxe_server_setup.yml

Drivers (Dell)

Driver content is hardware-specific, not strictly site-specific, but the set of driver families to bundle changes by what hardware the site deploys:

  • Dell_11/Pro and Dell_11/ProMax: Dell Pro Micro PCs (most common shopfloor)
  • Dell_11/Optiplex: traditional desktops
  • Dell_11/Precision: workstations
  • Dell_11/Latitude: laptops (large, often excluded if site has none)

The scripts/download-drivers.py and scripts/Download-Drivers.ps1 scripts populate drivers-staging/ from upstream sources. Edit these to target the relevant hardware lists.

BIOS update manifest

playbook/shopfloor-setup/BIOS/models.txt maps Dell model strings to the BIOS .exe to flash. Update this whenever new hardware arrives or Dell publishes a new firmware release for a model already in the fleet.

Intune DSC categories

The post-enrollment Intune DSC delivery (per intune-dsc.md memory) pulls per-category YAML from Azure Blob:

  • main
  • cmm
  • displaypcs
  • waxtrace

Different sites/tenants will need their own categories and their own Azure Blob storage account.

Image-upload paths on Windows

scripts/Upload-Image.ps1 defaults to:

  • \\172.16.9.1\image-upload as the destination
  • C:\ProgramData\GEAerospace\MediaCreator\Cache\ as the source

Update both for a different site.

A site config file should drive substitution at build time. Proposed schema:

# config/sites/<sitename>.yaml
site:
  name: westjeff
  pxe_server_ip: 172.16.9.1
  pxe_subnet: 172.16.9.0/24
  dhcp_range_start: 172.16.9.10
  dhcp_range_end: 172.16.9.100
  hostname: pxeserver

credentials:
  pxe_user: pxe
  pxe_password: pxe
  pxe_upload_password: pxe
  blancco_password: blancco

blancco:
  wifi_ssid: INTERNETACCESS
  wifi_password: Acc3ssGr@nted22
  bmc_endpoint: classic.eu-west-1.blancco.cloud:443

ppkg_versions:
  current: v4.10
  expiry: 20260430

intune_dsc_categories: [main, cmm, displaypcs, waxtrace]

image_types: [gea-standard, gea-engineer, gea-shopfloor]
shopfloor_types: [gea-shopfloor]

scripts/build-usb.sh and the playbook would consume this and substitute into the templated config files. Implementing this is a separate piece of work; until then, edit source files directly.
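
A check that could run before build-time substitution, shown as an added example that is not part of the repo: it validates the `site:` block of the proposed schema and rejects a PXE subnet inside 10.0.0.0/8, the range the commit message says the GE Intune Report IP script matches. The function name, the already-parsed dict input, and the old DHCP range in the sample are assumptions.

```python
import ipaddress

# Range matched by the StartsWith("10.") filter described in the commit message.
REPORTED_NET = ipaddress.ip_network("10.0.0.0/8")


def validate_site_network(site):
    """Return a list of problems in the `site:` mapping (empty list = OK)."""
    try:
        subnet = ipaddress.ip_network(site["pxe_subnet"])  # strict: no host bits
        addrs = {k: ipaddress.ip_address(site[k])
                 for k in ("pxe_server_ip", "dhcp_range_start", "dhcp_range_end")}
    except KeyError as exc:
        return [f"missing key: {exc.args[0]}"]
    except ValueError as exc:
        return [f"bad address or subnet: {exc}"]

    problems = []
    if subnet.overlaps(REPORTED_NET):
        problems.append(f"pxe_subnet {subnet} overlaps {REPORTED_NET}")
    reserved = (subnet.network_address, subnet.broadcast_address)
    for key, addr in addrs.items():
        if addr not in subnet:
            problems.append(f"{key} {addr} is outside {subnet}")
        elif addr in reserved:
            problems.append(f"{key} {addr} is the network or broadcast address")
    if any("outside" in p for p in problems):
        return problems  # range checks below assume every address is in the subnet
    start, end = addrs["dhcp_range_start"], addrs["dhcp_range_end"]
    if start > end:
        problems.append("dhcp_range_start is above dhcp_range_end")
    elif start <= addrs["pxe_server_ip"] <= end:
        problems.append("pxe_server_ip falls inside the DHCP range")
    return problems


# Constructed inputs: the values from the schema above, and the pre-renumbering
# PXE LAN (the old DHCP range is assumed to mirror the current one).
CURRENT = {"pxe_subnet": "172.16.9.0/24", "pxe_server_ip": "172.16.9.1",
           "dhcp_range_start": "172.16.9.10", "dhcp_range_end": "172.16.9.100"}
OLD = {"pxe_subnet": "10.9.100.0/24", "pxe_server_ip": "10.9.100.1",
       "dhcp_range_start": "10.9.100.10", "dhcp_range_end": "10.9.100.100"}

if __name__ == "__main__":
    for label, site in (("current", CURRENT), ("old", OLD)):
        print(label, validate_site_network(site) or "OK")
```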

Secrets handling

Some values above are sensitive (WiFi passwords, BMC credentials, Samba passwords). Today these sit in plain text in the repo. For a multi-site deployment, treat them as per-site secrets:

  • Keep config/sites/<sitename>.secrets.yaml out of git (gitignore).
  • Distribute via secure channel (1Password, Vault, etc.) when standing up a new site.
  • The eMxInfo.txt precedent (see feedback_emxinfo_secret.md) is a good template: never commit, document where the canonical copy lives.
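
One way to confirm that per-site secrets have actually left the tree once they move to `<sitename>.secrets.yaml`, shown as an added example that is not part of the repo: it searches every file for the literal secret values and reports path, line and secret name only. The function names, the `min_len` threshold and the sample tree are assumptions; the secret values in the demo are constructed.

```python
import os
import tempfile


def find_committed_secrets(repo_root, secrets, min_len=8):
    """Scan the working tree for literal secret values.

    Returns (hits, skipped): hits is a sorted list of (relative path, line
    number, secret name); skipped names values too short to match reliably.
    Secret values themselves are never returned or printed.
    """
    needles = {k: v.encode() for k, v in secrets.items() if len(v) >= min_len}
    skipped = sorted(set(secrets) - set(needles))
    hits = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fname in filenames:
            if fname.endswith(".secrets.yaml"):  # the gitignored canonical copy
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:  # bytes: some files in the tree are binary
                for line_no, line in enumerate(fh, 1):
                    for name, needle in needles.items():
                        if needle in line:
                            rel = os.path.relpath(path, repo_root)
                            hits.append((rel, line_no, name))
    return sorted(hits), skipped


def demo():
    """Build a constructed two-file tree and scan it."""
    secrets = {"wifi_password": "EXAMPLE-wifi-pass", "pxe_password": "pxe"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config", "sites"))
        with open(os.path.join(root, "config", "sites", "demo.secrets.yaml"), "w") as fh:
            fh.write("wifi_password: EXAMPLE-wifi-pass\n")
        with open(os.path.join(root, "preferences.xml"), "w") as fh:
            fh.write("<wifi>\n  <psk>EXAMPLE-wifi-pass</psk>\n</wifi>\n")
        return find_committed_secrets(root, secrets)


if __name__ == "__main__":
    hits, skipped = demo()
    for rel, line_no, name in hits:
        print(f"{rel}:{line_no}: contains {name}")
    print("too short to scan for:", ", ".join(skipped))
```

Values reported as skipped, such as a three-character default password, cannot be found by literal search and have to be tracked down by where they are used. A literal scan also does not see inside compressed or encrypted containers, so an archive such as config.img needs unpacking first if it is compressed.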