---
title: "RMU Build: MaaS Setup"
slug: rmu-build-maas
description: Provision the MaaS (Metal as a Service) container on the Gen-1.5 RMU, install MaaS, share it via Teleport, perform the initial configuration, and reserve a DHCP range for BMCs.
tags:
  - node-provider
  - rmu
  - gen-1
  - maas
  - networking
  - infrastructure
  - runbook
date: 2026-05-04
related:
  - node-provider-documentation
  - gen-1-to-gen-1-5-rmu-build
  - rmu-build-teleport
  - rmu-build-best-practices
---

This page covers section IV of the
[Gen-1 to Gen-1.5 RMU build runbook](/wiki/gen-1-to-gen-1-5-rmu-build/).
[MaaS (Metal as a Service)](https://maas.io) provides DHCP/DNS and
device discovery on the management network.

Complete the [Teleport setup](/wiki/rmu-build-teleport/) before
starting.

## A. Create Proxmox CT

1. From the main Proxmox page, click **Create CT** to open the
   **Create: LXC Container** dialog.
2. Tick **Advanced** and configure:
   - **CT ID**: `120`
   - **Hostname**: `<dc>-maas`
   - Set a non-trivial password for `root` and store it in your
     password manager as `MaaS {ICR}`. Optionally add your SSH public
     key.

   Click **Next**.
3. Select the `ubuntu-22.04-standard` template. Click **Next**.
4. Set the disk size to `30` GB. Click **Next**.
5. Set **Cores** to `8`. Click **Next**.
6. Set **Memory** and **Swap** to `4096`. Click **Next**.
7. Configure the network:
   - **Bridge**: `vmbr1` (`LAN`)
   - Uncheck **Firewall**.
   - **IPv4**: `Static`, IP `10.10.100.20/24` (CIDR is required)
   - **Gateway**: `10.10.100.1`
   - **IPv6**: `SLAAC`

   Click **Next**.
8. No changes are required on the **DNS** tab. Click **Next**.
9. Tick **Start after created** and click **Finish**.
10. When complete, close the dialog window.
11. Ensure Proxmox is configured to start the VM at boot. Select the
    VM in the left navigation, click **Options**, double-click
    **Start at Boot**, tick the box, and click **OK**.

## B. Install MaaS software via APT

1. Open the console: **RMU** > **120 (maas)** > **Console**. Update
   the server software:

   ```bash
   apt update && apt upgrade -y
   reboot
   ```

2. Add a generic admin account. Replace `<admin>` with your admin
   username — this account will be used to log in to the MaaS web
   GUI:

   ```bash
   useradd -u1000 -U -m -c "Admin" -s /bin/bash <admin>
   ```

3. Install software tools (so that `apt-add-repository` works):

   ```bash
   apt install software-properties-common curl -y
   ```

4. Install MaaS 3.3, running these commands one at a time:

   ```bash
   apt-add-repository ppa:maas/3.3
   apt update
   apt remove systemd-timesyncd -y
   apt install maas-region-controller -y
   apt install maas-rack-controller -y
   maas createadmin --username=<admin> --email=<email address>
   ```

   Replace `<admin>` and `<email address>`. Set a non-trivial
   password and store it in your password manager. Optionally import
   an SSH public key.

## C. Share services via Teleport

Reference video:
[Sharing services via Teleport](https://www.youtube.com/watch?v=cvW4b96aPL0).

### On the Teleport server

1. Create a short-lived token to "invite" the MaaS application:

   ```bash
   tctl tokens add \
       --type=app,node \
       --app-name=<dc>-maas \
       --app-uri=http://localhost:5240
   ```

   Take note of the `token` and `ca_pin` values.

### On the MaaS server

1. Install the Teleport agent (use the same Teleport version
   installed earlier):

   ```bash
   sudo curl https://goteleport.com/static/install.sh | bash -s <teleport version>
   ```

2. Create the Teleport application config:

   ```bash
   sudo teleport configure --output=file \
       --proxy=<domain name>:443 \
       --token=/var/lib/teleport/token \
       --roles=app,node \
       --app-name=<dc>-maas \
       --app-uri=http://localhost:5240
   ```

3. Save the token generated on the Teleport server:

   ```bash
   sudo vi /var/lib/teleport/token
   ```

4. Save the `ca_pin`:

   ```bash
   sudo vi /var/lib/teleport/ca_pin
   ```

5. Edit `/etc/teleport.yaml` to update the `ca_pin` resource:

   ```bash
   sudo vi /etc/teleport.yaml
   ```

   - Set the `ca_pin` resource path to `/var/lib/teleport/ca_pin`.
   - Add a `labels:` section under `ssh_service:`:

     ```yaml
     labels:
         dc: "<dc>"
         login: "<admin user login>"
     ```

   - Remove the `commands:` section under `ssh_service:`:

     ```yaml
     commands:
       - name: hostname
         command: [hostname]
         period: 1m0s
     ```

   - Add `labels:` under
     `app_service: -> apps: -> <dc>-maas` service:

     ```yaml
     - name: <dc>-maas
         uri: http://localhost:5240
         public_addr: ""
         insecure_skip_verify: false
         labels:
           dc: "<dc>"
           type: "maas"
     ```

   Sample `/etc/teleport.yaml`:

   ```yaml
   version: v3
   teleport:
     nodename: maas
     data_dir: /var/lib/teleport
     join_params:
       token_name: /var/lib/teleport/token
       method: token
     proxy_server: teleport.<domain>:443
     log:
       output: stderr
       severity: INFO
       format:
         output: text
     ca_pin: /var/lib/teleport/ca_pin
     diag_addr: ""
   auth_service:
     enabled: "no"
   ssh_service:
     enabled: "yes"
     labels:
       dc: "<dc>"
       login: "maas"
   proxy_service:
     enabled: "no"
     https_keypairs: []
     https_keypairs_reload_interval: 0s
     acme: {}
   app_service:
     enabled: "yes"
     debug_app: false
     apps:
     - name: bo1-maas
       uri: http://localhost:5240
       public_addr: ""
       insecure_skip_verify: false
       labels:
         dc: "<dc>"
         type: "maas"
   ```

6. Add Teleport to `/etc/hosts`:

   ```bash
   sudo vi /etc/hosts
   ```

   Add an entry:

   ```text
   10.10.100.22 <Domain name of your teleport server>
   ```

   Save and quit the file.

7. Start the Teleport agent:

   ```bash
   sudo systemctl enable teleport
   sudo systemctl start teleport
   ```

## D. Initial configuration of MaaS server

1. Log in to the Teleport server and click **Launch** next to the new
   MaaS resource to perform the initial MaaS configuration.
2. Sign in to the MaaS web GUI using the credentials you created in
   the previous section.
3. Set the **DNS forwarder** list to `1.1.1.1 8.8.8.8` and click
   **Save and continue**.
4. Select the Ubuntu release **22.04 LTS** and architecture
   **AMD64**, click **Update selection**, then **Continue**.
5. Click **Finish setup**.
6. Import any additional SSH keys for the `dfnadmin` user, then
   click **Finish setup** again.

## E. Configure DHCP subnet on MaaS

1. Click **Subnets** in the top navigation bar.
2. Click `10.10.100.0/24`.
3. Click **Reserve Range** > **Reserve dynamic range**.
4. Configure the dynamic range:
   - **Start IP address**: `10.10.100.53`
   - **End IP address**: `10.10.100.99`

   Click **Reserve**.
5. Click **Subnets** in the top navigation bar.
6. Click **untagged**.
7. Click **Configure DHCP**.
8. Ensure **MAAS provides DHCP** is ticked.
9. Select **Provide DHCP from rack controller(s)**.
10. In the **Rack controller** drop-down, select `<dc>-maas` and
    click **Configure DHCP**.

## Continue

Proceed to [Best Practices: Proxmox Security](/wiki/rmu-build-best-practices/#a-proxmox-security-recommended).

## Related

- [RMU build — Gen-1.5](/wiki/gen-1-to-gen-1-5-rmu-build/) — the parent runbook index.
- [RMU Build: Teleport Setup](/wiki/rmu-build-teleport/) — the previous section.
- [RMU Build: Best Practices](/wiki/rmu-build-best-practices/) — the next section.