Hi folks,
(As the reader may guess, I'm more familiar & comfortable in the Linux/POSIX world, so please keep that in mind)
I'm in the process of rebuilding n+20 laptops, intended for semi-public use (MakerSpace: think classroom or library), and want to set them up in an immutable/ephemeral manner.
I want them to be 'flushed' periodically, so that they are all similar/standard, and clean for the next person's use.
Planning on doing this around every major OS update ("patch Tuesday"?), so that the desktops have updates pre-installed rather than individually updated or wait-times during installation boots.
Users/guests constantly log into the desktops and/or browsers with their personal gmail/o365 accounts, which has our/my environment representing a privacy & security risk.
The game-plan looks like:
- set up a base-line or reference (W10) desktop with
- stripped-down OS, with updates, patches & system-level tweaks applied
- relevant accounts loaded - logons & browsers logged into relevant web-apps (cookies loaded), etc
- using the likes of winget, choco/vagrant/ansible/puppet/chef/whatever/etc to install our standard app set
- setting up a local server/'cloud' back-end for docker/VMs/etc to rapidly try out options
- PXE imaging & deployment tool - Foreman/Cobbler, FOG, etc
- Guests/users store configs & personal data on a LAN NAS (a la NextCloud)
- image or build periodic reference snapshots of the reference machines (including updates) that get deployed via PXE
Essentially what I'm after is something akin to Fedora Silverblue, that's an immutable/ephemeral desktop, where nothing "sticks" across reboots & the underlying OS remains unchanged. Thinking of it in a similar way to how Docker images have changes "layered" on top of each other, or ZFS or Git, where changes are taken as incremental snapshots that can be committed or rolled back gracefully.
I/we have not committed to AD yet - the environment has not been large or complex enough to warrant it yet - but I know the short answer is to use GPO; I plan on burning that bridge eventually.
Is there a way or some other best-practice means for me to achieve this goal?
How can I build an OS or image that gets nuked - from the ground up - across reboots, to the point where the HDDs are interchangeable & no updates are ever prompted?
BONUS QUESTION: I'm guessing(?) I can fully virtualize sets of hardware specs? (this is further down on my to-do list)
I'm hoping to fully virtualize the sets of machines we've been given - mostly HPs, but slightly different generations/models - so that I can manage & maintain a "reference machine" that I keep current with apps & updates, including drivers, that I can then image & deploy via the PXE stack above.