====== VMware ======

===== NUC =====

An 8th gen NUC needs a customised install with either the net-community VIB or the USB NIC fling slipstreamed in.

  * Instructions for building a slipstreamed install USB stick: [[https://www.virten.net/2020/04/how-to-add-the-usb-nic-fling-to-esxi-7-0-base-image/]]
  * USB NIC fling (used by the USB-C dock): [[https://flings.vmware.com/usb-network-native-driver-for-esxi]]
  * net-community drivers (needed for the NUC8 onboard NIC): [[https://flings.vmware.com/community-networking-driver-for-esxi]]

===== vCenter =====

==== OIDC SSO authentication via KeyCloak ====

Officially vCenter 7 adds OIDC support for ADFS only; however, with some tweaks it can be made to work using KeyCloak instead.

  * Ensure the KeyCloak docker container is running with the env var ''JAVA_OPTS_APPEND="-Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"''
  * Add a client with ID ''vmware''
    * Ensure Enabled, Standard Flow and Direct Access Grants are all enabled
    * For the Root URL, Admin URL and Web Origins, use ''https://vcenter.fqdn''
    * For Valid Redirect URIs use ''https://vcenter.fqdn/ui/login/oauth2/authcode'' or ''https://vcenter.fqdn/*''
    * For the Backchannel Logout URL use ''https://vcenter.fqdn/ui/login'' and enable Backchannel Logout Session Required
    * Set Client Protocol to ''openid-connect'' and Access Type to ''confidential''
    * On the Credentials tab, make a note of the secret
    * On the Mappers tab:
      * Add a hardcoded claim for the claim ''domain'', with the value matching the VMware SSO domain that will be used (i.e. the part after the @ sign of the username; in my case ''sihnon.net'')
      * Add a script mapper named ''nameid'' with the value ''token.setSubject(user.getUsername());''. This sets the ''sub'' claim in the JWT to the plain username, as opposed to the internal KeyCloak user UUID, which is the default. Without this, vCenter can't match the token to a user from LDAP.
  * Under Realm Settings -> Endpoints, right click ''OpenID Endpoint Configuration'' and copy the URL

Under vCenter -> Administration -> Single Sign On -> Configuration:

  * Click ''Change identity provider'' and select ''ADFS''
  * Under Client Identifier, enter ''vmware'', or the value picked for the client ID in KeyCloak
  * Under Shared Secret, enter the secret noted earlier
  * Under OpenID Address, paste the URL noted earlier
  * Fill in the LDAP details when prompted. Be sure to upload the root CA certificate (needed even for LetsEncrypt certs)

If there are certificate errors, try also adding the LetsEncrypt root cert under vCenter -> Administration -> Certificates -> Certificate Management. If this view does not render in Chrome, try Firefox, or log in with ''Administrator@vsphere.local''.

====== Reset Eval license ======

https://marte-it.at/en/reset-esxi-evaluation-license/

  * Start the SSH service on the ESXi host
  * Start an SSH connection with an SSH client (e.g. PuTTY)
  * Delete the current license: ''rm -r /etc/vmware/license.cfg''
  * Copy the new license: ''cp /etc/vmware/.#license.cfg /etc/vmware/license.cfg''
  * Restart the VPXA service: ''/etc/init.d/vpxa restart''
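As an added example for the KeyCloak OIDC section above (not part of the original page): a Python check that decodes a token issued by the ''vmware'' client and flags the claim shapes vCenter will reject, i.e. a ''sub'' that is still the KeyCloak user UUID, a missing or wrong ''domain'' claim, or an issuer that does not match the OpenID address pasted into vCenter. The issuer URL and the ''make_sample_token'' helper are assumptions for offline testing; the signature is never verified here, so use it to debug mapper output only.

```python
import base64
import json
import re

# Keycloak's default subject is the internal user UUID; the nameid script
# mapper replaces it with the plain username. This regex spots the default.
UUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check here: this is a
    claim-shape debugging aid; vCenter validates signatures via the JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_vcenter_claims(claims: dict, issuer: str, sso_domain: str, client_id: str) -> list:
    """Return the problems that would stop vCenter matching the token to an LDAP user."""
    problems = []
    sub = claims.get("sub", "")
    if not sub:
        problems.append("sub claim missing")
    elif UUID_RE.match(sub):
        problems.append("sub is the Keycloak user UUID: nameid script mapper not applied")
    elif "@" in sub:
        problems.append("sub contains '@': expected the bare username")
    if claims.get("domain") != sso_domain:
        problems.append(f"domain claim is {claims.get('domain')!r}, expected {sso_domain!r}")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match the OpenID address")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not include client id {client_id!r}")
    return problems

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing only (placeholder signature)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder"
```

To inspect a real token, obtain one from the ''vmware'' client via the direct access grant the page enables and pass it to ''jwt_claims()'' in place of the constructed sample.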