From 06ca8d87873fa7013f300478adc5bf1e781f0dba Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Thu, 11 Jul 2024 22:20:45 +0200
Subject: [PATCH] ansible-lint fixes
---
main.yml | 105 +++++++++---------
roles/bootstrap/tasks/main.yml | 23 ++--
roles/bootstrap/vars/packages.yml | 3 +-
roles/cis/tasks/main.yml | 136 ++++++++++++-----------
roles/cleanup/tasks/main.yml | 15 +--
roles/configuration/tasks/main.yml | 147 +++++++++++++------------
roles/environment/tasks/main.yml | 58 +++++-----
roles/partitioning/tasks/btrfs.yml | 20 ++--
roles/partitioning/tasks/ext4.yml | 6 +-
roles/partitioning/tasks/main.yml | 84 ++++++++------
roles/partitioning/tasks/xfs.yml | 4 +-
roles/virtualization/tasks/libvirt.yml | 22 ++--
roles/virtualization/tasks/main.yml | 3 +-
roles/virtualization/tasks/proxmox.yml | 39 +++----
roles/virtualization/tasks/vmware.yml | 9 +-
15 files changed, 349 insertions(+), 325 deletions(-)
diff --git a/main.yml b/main.yml
index 92ea0b4..513a2c3 100644
--- a/main.yml
+++ b/main.yml
@@ -5,87 +5,86 @@ gather_facts: false become: true vars_prompt: - - name: user_name - prompt: | - What is your username? - private: false + - name: user_name + prompt: | + What is your username? + private: false - - name: user_password - prompt: | - What is your password? - confirm: true + - name: user_password + prompt: | + What is your password? + confirm: true - - name: root_password - prompt: | - What is your root password? - confirm: true + - name: root_password + prompt: | + What is your root password? + confirm: true - - name: hypervisor - prompt: | - Select an Hypervisor: - - libvirt - - proxmox - - vmware - private: false - default: "proxmox" + - name: hypervisor + prompt: | + Select an Hypervisor: + - libvirt + - proxmox + - vmware + private: false + default: proxmox - - name: install_drive - prompt: | - "Enter the drive to install the system (default: /dev/sda)" - confirm: true - private: false - default: "/dev/sda" + - name: install_drive + prompt: | + "Enter the drive to install the system (default: /dev/sda)" + confirm: true + private: false + default: /dev/sda vars_files: vars.yml pre_tasks: - name: Set ansible_python_interpreter when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"] - set_fact: + ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 - name: Validate variables - assert: + ansible.builtin.assert: that: - hypervisor in ["libvirt", "proxmox", "vmware", "none"] - filesystem in ["btrfs", "ext4", "xfs"] - os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rocky", "ubuntu", "ubuntu-lts"] - fail_msg: "Invalid input specified, please try again" + fail_msg: Invalid input specified, please try again - name: Set connection when: hypervisor == "vmware" - set_fact: + ansible.builtin.set_fact: ansible_connection: vmware_tools roles: + - role: virtualization + when: install_type == "virtual" + become: false + vars: + ansible_connection: local - - role: virtualization - when: install_type == "virtual" - become: 
false - vars: - ansible_connection: local + - role: environment + vars: + ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}" - - role: environment - vars: - ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}" + - role: partitioning + vars: + boot_partition_suffix: 1 + main_partition_suffix: 2 - - role: partitioning - vars: - boot_partition_suffix: 1 - main_partition_suffix: 2 + - role: bootstrap - - role: bootstrap + - role: configuration - - role: configuration + - role: cis + when: cis == true - - role: cis - when: cis == true - - - role: cleanup - when: install_type == "virtual" - vars: - ansible_connection: local + - role: cleanup + when: install_type == "virtual" + vars: + ansible_connection: local tasks: - name: Reboot system when: hypervisor != "libvirt" - command: reboot - ignore_errors: true \ No newline at end of file + ansible.builtin.command: reboot + ignore_errors: true diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml index ece840a..4ce3ddb 100644 --- a/roles/bootstrap/tasks/main.yml +++ b/roles/bootstrap/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Include Packages - include_vars: + ansible.builtin.include_vars: file: packages.yml name: role_packages @@ -8,11 +8,10 @@ block: - name: Bootstrap ArchLinux when: os | lower == 'archlinux' - command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit - + ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit - name: Bootstrap Debian System when: os | lower in ['debian11', 'debian12'] - shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" with_items: - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/ - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }} 
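Review bot: The `Validate variables` assert in pre_tasks still leaves `install_drive` unchecked, although it comes from an interactive prompt and later drives destructive commands (the partitioning role wipes everything matching `{{ install_drive }}*`). Adding a shape check beside the existing conditions, `- install_drive is match('^/dev/[a-zA-Z0-9/]+$')`, rejects an empty or mistyped value before any disk is touched, and the `default: /dev/sda` still passes. The `when: cis == true` on the cis role is a remaining style point: `when: cis` says the same without the literal comparison.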
@@ -20,7 +19,7 @@ - name: Bootstrap Ubuntu System when: os | lower in ['ubuntu', 'ubuntu-lts'] - shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" with_items: - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} /mnt http://archive.ubuntu.com/ubuntu/ - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list @@ -29,7 +28,7 @@ - name: Bootstrap AlmaLinux 9 when: os | lower == 'almalinux' - shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" with_items: - dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core - echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf @@ -37,7 +36,7 @@ - name: Bootstrap Fedora 40 when: os | lower == 'fedora' - shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" with_items: - dnf --releasever=40 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core - arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }} @@ -45,7 +44,7 @@ - name: Bootstrap RockyLinux 9 when: os | lower == 'rocky' - shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" with_items: - dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core - echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf 
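Review bot: Switching `shell` to `ansible.builtin.command` breaks the `echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf` item of the Bootstrap AlmaLinux 9 task: `command` does not run a shell, so `>` and the path become plain arguments to echo, the task reports success, and the chroot's resolv.conf is never written. The same conversion hits the Rocky and RHEL tasks in the following hunks, which carry the identical redirect item. Either keep those three tasks on `ansible.builtin.shell: "{{ item }}"` (with `# noqa: command-instead-of-shell` if the lint rule stays enabled) or move the redirect into an `ansible.builtin.copy` task with `dest: /mnt/etc/resolv.conf` placed between the groupinstall and the chroot install. Whether the later `arch-chroot … dnf install` still resolves names without that file depends on arch-chroot bind-mounting the host resolver config, so the failure may only surface as a DNS error further on.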
@@ -53,8 +52,8 @@ - name: Bootstrap RHEL System when: os | lower in ['rhel8', 'rhel9'] - shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" with_items: - - "dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core" - - "echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf" - - "arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}" \ No newline at end of file + - dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core + - echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf + - arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }} diff --git a/roles/bootstrap/vars/packages.yml b/roles/bootstrap/vars/packages.yml index d35b893..98982f2 100644 --- a/roles/bootstrap/vars/packages.yml +++ b/roles/bootstrap/vars/packages.yml @@ -1,3 +1,4 @@ +--- almalinux: - bind-utils - cloud-init @@ -304,4 +305,4 @@ ubuntu-lts: - tcpd - vim - wget - - zstd \ No newline at end of file + - zstd diff --git a/roles/cis/tasks/main.yml b/roles/cis/tasks/main.yml index 74aee8c..bc0e2db 100644 --- a/roles/cis/tasks/main.yml +++ b/roles/cis/tasks/main.yml @@ -1,7 +1,8 @@ +--- - name: Configurationg System for CIS conformity block: - name: Disable Kernel Modules - copy: + ansible.builtin.copy: dest: /mnt/etc/modprobe.d/cis.conf content: | CIS LVL 3 Restrictions @@ -19,7 +20,7 @@ install tipc /bin/true - name: Create USB Rules - copy: + ansible.builtin.copy: dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh content: | By default, disable all. 
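Review bot: The USB authorization rules go to `/mnt/etc/udev/rules.d/10-cis_usb_devices.sh`, a name udev never loads: rule files in rules.d must end in `.rules` and other extensions are ignored, so the whole `Create USB Rules` task has no effect on the installed system. The `dest:` line is unchanged context in this hunk, but it is part of the CIS profile this file claims to apply, so `dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.rules` is worth fixing in the same pass. The first content line of both the modprobe and the udev file also shows up here without a leading `#`; if the files really look like that, modprobe and udev will log those lines as unparsable rather than fail, which is easy to miss.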
@@ -35,7 +36,7 @@ ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1" - name: Create a consolidated sysctl configuration file - copy: + ansible.builtin.copy: dest: /mnt/etc/sysctl.d/10-cis.conf content: | ## CIS Sysctl configurations @@ -66,10 +67,10 @@ # - { regexp: '^UMASK.*', replace: 'UMASK 027' } - name: Ensure files exist - file: + ansible.builtin.file: path: "{{ item }}" state: touch - mode: '0600' + mode: "0600" loop: - /mnt/etc/at.allow - /mnt/etc/cron.allow 
@@ -77,82 +78,87 @@ - /mnt/etc/hosts.deny - name: Add Security related lines into config files - lineinfile: + ansible.builtin.lineinfile: path: "{{ item.path }}" line: "{{ item.content }}" loop: - - { path: '/mnt/etc/security/limits.conf', content: '* hard core 0' } - - { path: '/mnt/etc/security/pwquality.conf', content: 'minlen = 14' } - - { path: '/mnt/etc/security/pwquality.conf', content: 'dcredit = -1' } - - { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' } - - { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' } - - { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' } - - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'umask 077' } - - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'export TMOUT=3000' } - - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: 'Storage=persistent' } - - { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' } - - { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' } - - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' } - - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'account required pam_faillock.so' } - - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' } - - { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' } - - { path: '/mnt/etc/hosts.allow', 
content: 'sshd: ALL' } + - { path: /mnt/etc/security/limits.conf, content: "* hard core 0" } + - { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 } + - { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 } + - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 } + - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 } + - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 } + - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: umask 077 } + - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 } + - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent } + - { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" } + - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so } + - path: /mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" + }} + content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 + - path: /mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else + "pam.d/system-auth" }} + content: account required pam_faillock.so + - path: /mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }} + content: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 + - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" } + - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" } - name: Set permissions for various files and directories - file: + ansible.builtin.file: path: "{{ item.path }}" owner: "{{ item.owner | default(omit) }}" group: "{{ item.group | default(omit) }}" mode: "{{ 
item.mode }}" loop: - - { path: '/mnt/etc/ssh/sshd_config', mode: '0600' } - - { path: '/mnt/etc/cron.hourly', mode: '0700' } - - { path: '/mnt/etc/cron.daily', mode: '0700' } - - { path: '/mnt/etc/cron.weekly', mode: '0700' } - - { path: '/mnt/etc/cron.monthly', mode: '0700' } - - { path: '/mnt/etc/cron.d', mode: '0700' } - - { path: '/mnt/etc/crontab', mode: '0600' } - - { path: '/mnt/etc/logrotate.conf', mode: '0644' } - - { path: '/mnt/usr/sbin/pppd', mode: '754' } - - { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: '755' } - - { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' } + - { path: /mnt/etc/ssh/sshd_config, mode: "0600" } + - { path: /mnt/etc/cron.hourly, mode: "0700" } + - { path: /mnt/etc/cron.daily, mode: "0700" } + - { path: /mnt/etc/cron.weekly, mode: "0700" } + - { path: /mnt/etc/cron.monthly, mode: "0700" } + - { path: /mnt/etc/cron.d, mode: "0700" } + - { path: /mnt/etc/crontab, mode: "0600" } + - { path: /mnt/etc/logrotate.conf, mode: "0644" } + - { path: /mnt/usr/sbin/pppd, mode: "754" } + - { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: "755" } + - { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: "755" } - name: Adjust SSHD config - lineinfile: + ansible.builtin.lineinfile: path: /mnt/etc/ssh/sshd_config - regexp: '^\s*#?{{ item.option }}\s+.*$' - line: '{{ item.option }} {{ item.value }}' + regexp: ^\s*#?{{ item.option }}\s+.*$ + line: "{{ item.option }} {{ item.value }}" with_items: - - {option: 'LogLevel', value: 'VERBOSE'} - - {option: 'LoginGraceTime', value: '60'} - - {option: 'PermitRootLogin', value: 'no'} - - {option: 'StrictModes', value: 'yes'} - - {option: 'MaxAuthTries', value: '4'} - - {option: 'MaxSessions', value: '10'} - - {option: 'MaxStartups', value: '10:30:60'} - - {option: 'PubkeyAuthentication', value: 'yes'} - - {option: 
'HostbasedAuthentication', value: 'no'} - - {option: 'IgnoreRhosts', value: 'yes'} - - {option: 'PasswordAuthentication', value: 'no'} - - {option: 'PermitEmptyPasswords', value: 'no'} - - {option: 'KerberosAuthentication', value: 'no'} - - {option: 'GSSAPIAuthentication', value: 'no'} - - {option: 'GSSAPIKeyExchange', value: 'no'} - - {option: 'AllowAgentForwarding', value: 'no'} - - {option: 'AllowTcpForwarding', value: 'no'} - - {option: 'ChallengeResponseAuthentication', value: 'no'} - - {option: 'GatewayPorts', value: 'no'} - - {option: 'X11Forwarding', value: 'no'} - - {option: 'PermitUserEnvironment', value: 'no'} - - {option: 'ClientAliveInterval', value: '300'} - - {option: 'ClientAliveCountMax', value: '0'} - - {option: 'PermitTunnel', value: 'no'} - - {option: 'Banner', value: '/etc/issue.net'} + - { option: LogLevel, value: VERBOSE } + - { option: LoginGraceTime, value: "60" } + - { option: PermitRootLogin, value: "no" } + - { option: StrictModes, value: "yes" } + - { option: MaxAuthTries, value: "4" } + - { option: MaxSessions, value: "10" } + - { option: MaxStartups, value: 10:30:60 } + - { option: PubkeyAuthentication, value: "yes" } + - { option: HostbasedAuthentication, value: "no" } + - { option: IgnoreRhosts, value: "yes" } + - { option: PasswordAuthentication, value: "no" } + - { option: PermitEmptyPasswords, value: "no" } + - { option: KerberosAuthentication, value: "no" } + - { option: GSSAPIAuthentication, value: "no" } + - { option: GSSAPIKeyExchange, value: "no" } + - { option: AllowAgentForwarding, value: "no" } + - { option: AllowTcpForwarding, value: "no" } + - { option: ChallengeResponseAuthentication, value: "no" } + - { option: GatewayPorts, value: "no" } + - { option: X11Forwarding, value: "no" } + - { option: PermitUserEnvironment, value: "no" } + - { option: ClientAliveInterval, value: "300" } + - { option: ClientAliveCountMax, value: "0" } + - { option: PermitTunnel, value: "no" } + - { option: Banner, value: /etc/issue.net } - 
name: Append CIS Specific configurations to sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /mnt/etc/ssh/sshd_config - line: | + line: |2- ## CIS Specific Protocol 2 @@ -170,4 +176,4 @@ AllowUsers svcansible AllowGroups * DenyUsers nobody - DenyGroups nobody \ No newline at end of file + DenyGroups nobody diff --git a/roles/cleanup/tasks/main.yml b/roles/cleanup/tasks/main.yml index 5d143ff..a187f37 100644 --- a/roles/cleanup/tasks/main.yml +++ b/roles/cleanup/tasks/main.yml @@ -1,3 +1,4 @@ +--- - name: Setup Cleanup when: hypervisor == "proxmox" delegate_to: localhost @@ -20,7 +21,7 @@ when: hypervisor == "vmware" delegate_to: localhost ignore_errors: true - vmware_guest: + community.vmware.vmware_guest: hostname: "{{ hypervisor_url }}" username: "{{ hypervisor_username }}" password: "{{ hypervisor_password }}" @@ -30,7 +31,7 @@ cdrom: - controller_number: 0 unit_number: 0 - controller_type: "sata" + controller_type: sata type: iso iso_path: "{{ boot_iso }}" state: absent @@ -46,22 +47,22 @@ state: shutdown - name: Remove cloud-init disk - file: + ansible.builtin.file: path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso" state: absent - name: Get list of CD-ROM devices - shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}' + ansible.builtin.shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}' changed_when: false register: cdrom_devices - name: Wait for VM to spin down - wait_for: + ansible.builtin.wait_for: timeout: 15 - name: Remove CD-ROM devices when: cdrom_devices.stdout_lines | length > 0 - command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent + ansible.builtin.command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent with_items: "{{ cdrom_devices.stdout_lines }}" - name: Start the VM 
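Review bot: `- { option: ClientAliveCountMax, value: "0" }` does not give the idle-session timeout the neighbouring ClientAliveInterval 300 suggests: on OpenSSH 8.2 and later a zero ClientAliveCountMax disables connection termination, so idle sessions are never dropped. A small non-zero count such as `value: "3"` keeps the intent across versions. In the same list `value: 10:30:60` is the only digit-and-colon value left unquoted; it happens to parse as a string today, but `- { option: MaxStartups, value: "10:30:60" }` matches its neighbours and removes the dependence on the resolver's sexagesimal rules. The `pam_faillock.so` lines are appended at the end of the auth stack by lineinfile; whether failures are counted from that position depends on the distribution's existing stack order, so a rendered `common-auth`/`system-auth` is worth checking.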
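Review bot: `ansible.builtin.shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'` splices `hostname` into a shell pipeline unquoted, while the later detach-disk task passes the same value through `command`, which does not interpret shell metacharacters; only this line would misbehave on an unusual value. `{{ hostname | quote }}` makes the two tasks consistent at no cost. The fixed `wait_for: timeout: 15` before detaching relies on the shutdown having completed in time rather than on the domain's state; hedged, since the surrounding shutdown task is outside the hunk.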
@@ -71,5 +72,5 @@ - name: Wait for VM to boot up delegate_to: "{{ inventory_hostname }}" - wait_for_connection: + ansible.builtin.wait_for_connection: timeout: 300 diff --git a/roles/configuration/tasks/main.yml b/roles/configuration/tasks/main.yml index a6b0a4b..a9b7787 100644 --- a/roles/configuration/tasks/main.yml +++ b/roles/configuration/tasks/main.yml @@ -1,22 +1,22 @@ +--- - name: Configuration block: - name: Generate fstab - shell: genfstab -LU /mnt > /mnt/etc/fstab - + ansible.builtin.shell: genfstab -LU /mnt > /mnt/etc/fstab - name: Append TempFS to fstab - lineinfile: + ansible.builtin.lineinfile: path: /mnt/etc/fstab line: "{{ item }}" insertafter: EOF with_items: - "" - "# TempFS" - - "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0" - - "tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0" - - "tmpfs /dev/shm tmpfs defaults,noexec 0 0" + - tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0 + - tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0 + - tmpfs /dev/shm tmpfs defaults,noexec 0 0 - name: Set local timezone - command: '{{ item }}' + ansible.builtin.command: "{{ item }}" with_items: - systemctl daemon-reload - arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime 
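Review bot: `tmpfs /dev/shm tmpfs defaults,noexec 0 0` is the only TempFS entry without `nosuid,nodev`; the /tmp and /var/tmp lines above it carry all three, and shared memory is the mount where setuid binaries or device nodes are least expected, so `- tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0` aligns it with the other two lines and with common hardening guidance. Separately, `genfstab -LU /mnt > /mnt/etc/fstab` is rightly left on `ansible.builtin.shell` because of the redirect; adding `changed_when: false` or a comment on that task would keep the change reporting honest, since the file is rewritten on every run.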
@@ -25,132 +25,134 @@ block: - name: Configure locale.gen when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] - lineinfile: + ansible.builtin.lineinfile: dest: /mnt/etc/locale.gen - regexp: '{{ item.regex }}' - line: '{{ item.line }}' + regexp: "{{ item.regex }}" + line: "{{ item.line }}" loop: - - {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8} + - { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 } - name: Generate locales\ when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] - command: arch-chroot /mnt /usr/sbin/locale-gen - + ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen - name: Set hostname - copy: + ansible.builtin.copy: content: "{{ hostname }}" dest: /mnt/etc/hostname - name: Add host entry to /etc/hosts - lineinfile: + ansible.builtin.lineinfile: path: /mnt/etc/hosts line: "{{ ansible_host }} {{ hostname }}" state: present - name: Create vconsole.conf - copy: - content: "KEYMAP=us-intl" + ansible.builtin.copy: + content: KEYMAP=us-intl dest: /mnt/etc/vconsole.conf - name: Create locale.conf - copy: - content: "LANG=en_US.UTF-8" + ansible.builtin.copy: + content: LANG=en_US.UTF-8 dest: /mnt/etc/locale.conf - name: SSH permit Password - replace: + ansible.builtin.replace: path: /mnt/etc/ssh/sshd_config - regexp: '#PasswordAuthentication yes' - replace: 'PasswordAuthentication yes' + regexp: "#PasswordAuthentication yes" + replace: PasswordAuthentication yes - name: Enable Systemd Services block: - - name: Enable sshd - when: os | lower == "archlinux" - command: arch-chroot /mnt systemctl enable sshd logrotate systemd-resolved systemd-timesyncd NetworkManager - + - name: Enable sshd + when: os | lower == "archlinux" + ansible.builtin.command: arch-chroot /mnt systemctl enable sshd logrotate systemd-resolved systemd-timesyncd NetworkManager - name: Configure grub when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] block: - name: Add commandline information to grub 
config - lineinfile: + ansible.builtin.lineinfile: dest: /mnt/etc/default/grub regexp: ^GRUB_CMDLINE_LINUX_DEFAULT= - line: 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"' + line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3" - name: Change Grub time - lineinfile: + ansible.builtin.lineinfile: dest: /mnt/etc/default/grub regexp: ^GRUB_TIMEOUT= - line: 'GRUB_TIMEOUT=1' + line: GRUB_TIMEOUT=1 - name: Configure Bootloader block: - name: Install Bootloader - command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{% endif %} - + ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c + -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ + "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{% + endif %} - name: Generate grub config - command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}{% endif %} - + ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig + -o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" 
if os | lower in ["ubuntu", "ubuntu-lts"] else + "/boot/grub/grub.cfg" }}{% endif %} - name: Regenerate initramfs when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] - command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %} - + ansible.builtin.command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", + "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %} - name: Extra Configuration block: - name: Append lines to vimrc ignore_errors: true - lineinfile: + ansible.builtin.lineinfile: path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '/mnt/etc/vimrc' }}" line: "{{ item }}" insertafter: EOF with_items: - - "set encoding=utf-8" - - "set number" - - "set autoindent" - - "set smartindent" - - "set mouse=a" + - set encoding=utf-8 + - set number + - set autoindent + - set smartindent + - set mouse=a - name: Copy FirstRun Script when: os | lower != "archlinux" - template: + ansible.builtin.template: src: firstrun.sh.j2 dest: /mnt/root/firstrun.sh - mode: '0755' + mode: "0755" - name: Copy Custom Shell config - template: + ansible.builtin.template: src: custom.sh.j2 dest: /mnt/etc/profile.d/custom.sh - name: Setup Network block: - - name: Generate UUID for Network Profile - command: "uuidgen" - register: net_uuid + - name: Generate UUID for Network Profile + ansible.builtin.command: uuidgen + register: net_uuid - - name: Retrieve Network Interface Name - shell: "ip r | awk 'NR==1 {print $5}'" - register: net_inf + - name: Retrieve Network Interface Name + ansible.builtin.shell: ip r | awk 'NR==1 {print $5}' + register: net_inf - - 
name: Copy NetworkManager keyfile - template: - src: network.j2 - dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection - mode: '0600' + - name: Copy NetworkManager keyfile + ansible.builtin.template: + src: network.j2 + dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection + mode: "0600" - name: Setup user account block: - name: Create user account - command: '{{ item }}' + ansible.builtin.command: "{{ item }}" with_items: - - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash - - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash + - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else + "wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash + - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash - name: Add SSH public key to authorized_keys when: user_public_key is defined - lineinfile: - path: "/mnt/home/{{ user_name }}/.ssh/authorized_keys" + ansible.builtin.lineinfile: + path: /mnt/home/{{ user_name }}/.ssh/authorized_keys line: "{{ user_public_key }}" owner: 1000 group: 1000 
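Review bot: The `Create user account` task has no `no_log: true`, and both of its items put `{{ user_password | password_hash('sha512') }}` and the root hash on the command line, so the hashes land in the task result, in `-v` output and in any logging callback. Adding `no_log: true` to that task keeps the prompted secrets out of logs. The hash is also a process argument to `useradd --password` and `usermod --password`, visible in the process list on the install host while they run; feeding `arch-chroot /mnt chpasswd -e` through the command module's `stdin:` would avoid that, but the `no_log` line is the minimal change. The enclosing `Setup user account` block continues past this hunk.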
@@ -158,21 +160,20 @@ create: true - name: Give sudo access to wheel group - copy: + ansible.builtin.copy: content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}" dest: /mnt/etc/sudoers.d/01-wheel - mode: 0440 + mode: "0440" validate: /usr/sbin/visudo --check --file=%s - name: Fix SELinux block: - - name: Relabel the filesystem - when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky'] - command: touch /mnt/.autorelabel - - - name: Disable SELinux - when: os | lower == "fedora" - lineinfile: - path: /mnt/etc/selinux/config - regexp: '^SELINUX=' - line: 'SELINUX=permissive' + - name: Relabel the filesystem + when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky'] + ansible.builtin.command: touch /mnt/.autorelabel + - name: Disable SELinux + when: os | lower == "fedora" + ansible.builtin.lineinfile: + path: /mnt/etc/selinux/config + regexp: ^SELINUX= + line: SELINUX=permissive diff --git a/roles/environment/tasks/main.yml b/roles/environment/tasks/main.yml index 8537339..df6bcd2 100644 --- a/roles/environment/tasks/main.yml +++ b/roles/environment/tasks/main.yml 
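Review bot: The Fedora branch of the `Fix SELinux` block, `line: SELINUX=permissive`, leaves the installed system with SELinux enforcing nothing, whereas the AlmaLinux/Rocky/RHEL branch only schedules a relabel via `touch /mnt/.autorelabel` and keeps enforcing mode; the task name `Disable SELinux` also does not match what `permissive` does. If the Fedora special case exists because an unlabeled fresh install fails to boot, the `.autorelabel` touch should serve there as well and the first task's `when` could simply include `fedora`. If permissive is deliberate, a comment stating why is warranted, because this quietly weakens the hardened profile the rest of the play builds.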
@@ -1,62 +1,60 @@ +--- - name: Configre work environment become: true block: - name: Wait for connection - wait_for_connection: + ansible.builtin.wait_for_connection: timeout: 300 delay: 5 - name: Gather facts - setup: + ansible.builtin.setup: - name: Check if host is booted from the Arch install media - stat: + ansible.builtin.stat: path: /run/archiso register: archiso_stat - name: Abort if the host is not booted from the Arch install media - fail: - msg: "This host is not booted from the Arch install media!" + ansible.builtin.fail: + msg: This host is not booted from the Arch install media! when: not archiso_stat.stat.exists - name: Setect Interface when: hypervisor == "vmware" - shell: "ip l | awk -F': ' '!/lo/{print $2; exit}'" + ansible.builtin.shell: "ip l | awk -F': ' '!/lo/{print $2; exit}'" register: interface_name - name: Set IP-Address when: hypervisor == "vmware" - command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }} - + ansible.builtin.command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }} - name: Set Default Gateway when: hypervisor == "vmware" - command: ip route replace default via {{ vm_gw }} - + ansible.builtin.command: ip route replace default via {{ vm_gw }} - name: Synchronize clock via NTP - command: timedatectl set-ntp true - + ansible.builtin.command: timedatectl set-ntp true - name: Speed-up Bootstrap process - lineinfile: + ansible.builtin.lineinfile: path: /etc/pacman.conf - regexp: '^#ParallelDownloads =' - line: 'ParallelDownloads = 20' + regexp: ^#ParallelDownloads = + line: ParallelDownloads = 20 - name: Wait for Pacman - wait_for: + ansible.builtin.wait_for: timeout: 15 - name: Setup Pacman - pacman: + community.general.pacman: update_cache: true force: true name: "{{ item.name }}" state: latest loop: - - { name: 'glibc' } - - { name: 'dnf', os: ['almalinux', 'fedora', 'rhel9', 'rhel8', 'rocky'] } - - { name: 'debootstrap', os: ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] } - - { 
name: 'debian-archive-keyring', os: ['debian11', 'debian12'] } - - { name: 'ubuntu-keyring', os: ['ubuntu', 'ubuntu-lts'] } + - { name: glibc } + - { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] } + - { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] } + - { name: debian-archive-keyring, os: [debian11, debian12] } + - { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] } when: "'os' not in item or os in item.os" retries: 4 delay: 15 @@ -64,12 +62,12 @@ - name: Configure RHEL Repos for installation when: os | lower in ["almalinux", "fedora", "rocky"] block: - - name: Create directories for repository files and RPM GPG keys - file: - path: /etc/yum.repos.d - state: directory + - name: Create directories for repository files and RPM GPG keys + ansible.builtin.file: + path: /etc/yum.repos.d + state: directory - - name: Create RHEL repository file - template: - src: '{{ os | lower }}.repo.j2' - dest: '/etc/yum.repos.d/{{ os | lower }}.repo' + - name: Create RHEL repository file + ansible.builtin.template: + src: "{{ os | lower }}.repo.j2" + dest: /etc/yum.repos.d/{{ os | lower }}.repo diff --git a/roles/partitioning/tasks/btrfs.yml b/roles/partitioning/tasks/btrfs.yml index b85b736..84f367a 100644 --- a/roles/partitioning/tasks/btrfs.yml +++ b/roles/partitioning/tasks/btrfs.yml 
@@ -2,25 +2,25 @@ - name: Setup BTRFS block: - name: Create btrfs filesystem in main volume - filesystem: - dev: '{{ install_drive }}{{ main_partition_suffix }}' + community.general.filesystem: + dev: "{{ install_drive }}{{ main_partition_suffix }}" fstype: btrfs force: true - name: Prepare BTRFS Subvolume - mount: + ansible.posix.mount: path: /mnt - src: '{{ install_drive }}{{ main_partition_suffix }}' + src: "{{ install_drive }}{{ main_partition_suffix }}" fstype: btrfs opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async state: mounted - name: Enable quotas on Btrfs filesystem - command: btrfs quota enable /mnt + ansible.builtin.command: btrfs quota enable /mnt - name: Make root subvolumes when: cis == true or item.subvol not in ['var_log', 'var_log_audit'] - command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} + ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} loop: - { subvol: root } - { subvol: home } @@ -30,13 +30,13 @@ - name: Set quotas for subvolumes when: cis == true or item.subvol not in ['var_log', 'var_log_audit'] - command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} + ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} loop: - - { subvol: home, quota: '2G' } + - { subvol: home, quota: 2G } - name: Unmount Partition - mount: + ansible.posix.mount: path: /mnt - src: '{{ install_drive }}{{ main_partition_suffix }}' + src: "{{ install_drive }}{{ main_partition_suffix }}" fstype: btrfs state: unmounted diff --git a/roles/partitioning/tasks/ext4.yml b/roles/partitioning/tasks/ext4.yml index 5eb218a..ecb814d 100644 --- a/roles/partitioning/tasks/ext4.yml +++ b/roles/partitioning/tasks/ext4.yml 
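Review bot: `dev: "{{ install_drive }}{{ main_partition_suffix }}"` forms the partition node by appending a bare digit to the disk name, which is right for `/dev/sda`-style targets but gives `/dev/nvme0n12` or `/dev/mmcblk02` for NVMe and eMMC disks, whose partition nodes carry a `p` separator; the same concatenation appears in the mount and unmount tasks of this file and in the partitioning main tasks. Since quoting is the only thing this hunk changes, the fix belongs where the suffix is defined, for example `main_partition_suffix: "{{ 'p2' if install_drive is search('[0-9]$') else 2 }}"` (and likewise for the boot suffix). Until then, the `install_drive` prompt should say that only whole-disk names without a trailing digit are supported.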
@@ -1,8 +1,8 @@ --- - name: Create and format ext4 logical volumes when: cis == true or item.lv not in ['var_log', 'var_log_audit'] - filesystem: - dev: '/dev/sys/{{ item.lv }}' + community.general.filesystem: + dev: /dev/sys/{{ item.lv }} fstype: ext4 force: true loop: @@ -14,7 +14,7 @@ - name: Remove Unsupported features for older Systems when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky', 'ubuntu-lts']) and (cis == true or item.lv not in ['var_log', 'var_log_audit']) - command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" + ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" loop: - { lv: root } - { lv: home } diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml index ed70765..4305881 100644 --- a/roles/partitioning/tasks/main.yml +++ b/roles/partitioning/tasks/main.yml @@ -3,16 +3,16 @@ block: - name: Prepare partitions ignore_errors: true - command: "{{ item.cmd }}" + ansible.builtin.command: "{{ item.cmd }}" loop: - - { cmd: "umount -l /mnt" } - - { cmd: "vgremove -f sys" } - - { cmd: "find /dev -wholename \"{{ install_drive }}*\" -exec wipefs --force --all {} \\;" } + - { cmd: umount -l /mnt } + - { cmd: vgremove -f sys } + - { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' } loop_control: label: "{{ item.cmd }}" - name: Define partitions - parted: + community.general.parted: device: "{{ install_drive }}" label: gpt number: "{{ item.number }}" 
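Review bot: The `wipefs --force --all` command in `Prepare partitions` globs `"{{ install_drive }}*"` with a prompt value that is never validated before this point, and `ignore_errors: true` then hides any failure; a truncated value such as `/dev/sd` widens the match to every device under `/dev` sharing that prefix. A guard in front of the block contains the blast radius, e.g. `- name: Validate install_drive` / `ansible.builtin.assert:` / `that: install_drive is match('^/dev/[A-Za-z0-9/-]+$')`, with the pattern narrowed to the device naming this playbook targets. The switch to single quotes is behavior-neutral, since YAML keeps the backslash literal and `\;` still reaches `find`. The `Define partitions` task continues past the end of this hunk.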
@@ -22,56 +22,56 @@ flags: "{{ item.flags | default(omit) }}" state: present loop: - - { number: 1, part_end: '500MiB', name: 'boot', flags: ['boot', 'esp'] } - - { number: 2, part_start: '500MiB', name: 'root' } + - { number: 1, part_end: 500MiB, name: boot, flags: [boot, esp] } + - { number: 2, part_start: 500MiB, name: root } - name: Create LVM logical volumes when: filesystem != 'btrfs' block: - name: Create LVM volume group - lvg: + community.general.lvg: vg: sys - pvs: '{{ install_drive }}{{ main_partition_suffix }}' + pvs: "{{ install_drive }}{{ main_partition_suffix }}" - name: Create LVM logical volumes when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit') - lvol: + community.general.lvol: vg: sys lv: "{{ item.lv }}" size: "{{ item.size }}" state: present loop: - - { lv: 'root', size: '12G' } - - { lv: 'home', size: '2G' } - - { lv: 'var', size: '2G' } - - { lv: 'var_log', size: '2G' } - - { lv: 'var_log_audit', size: '1.5G' } + - { lv: root, size: 12G } + - { lv: home, size: 2G } + - { lv: var, size: 2G } + - { lv: var_log, size: 2G } + - { lv: var_log_audit, size: 1.5G } - name: Create filesystems block: - name: Create FAT32 filesystem in boot partition - filesystem: - dev: '{{ install_drive }}{{ boot_partition_suffix }}' + community.general.filesystem: + dev: "{{ install_drive }}{{ boot_partition_suffix }}" fstype: vfat opts: -F32 force: true - name: Create filesystem - include_tasks: "{{ filesystem }}.yml" + ansible.builtin.include_tasks: "{{ filesystem }}.yml" - name: Get UUID for boot filesystem - command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}' + ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}' changed_when: false register: boot_uuid - name: Get UUID for main filesystem - command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}' + ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix 
}}' changed_when: false register: main_uuid - name: Get UUIDs for LVM filesystems when: filesystem != 'btrfs' and (cis == true or item not in ['var_log', 'var_log_audit']) - command: blkid -s UUID -o value /dev/sys/{{ item }} + ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }} changed_when: false register: uuid_result loop: @@ -81,7 +81,7 @@ - var_log - var_log_audit - - set_fact: + - ansible.builtin.set_fact: uuid_root: "{{ uuid_result.results[0].stdout_lines }}" uuid_home: "{{ uuid_result.results[1].stdout_lines }}" uuid_var: "{{ uuid_result.results[2].stdout_lines }}" 
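Review bot: `when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit')` on `Create LVM logical volumes` is logically the same as `cis or item.lv not in ['var_log', 'var_log_audit']`, and ext4.yml and xfs.yml in this commit already use that shorter `not in` form; aligning the three makes the CIS condition greppable. The new plain scalars (`12G`, `1.5G`, `500MiB`) are safe unquoted since the unit suffix prevents numeric typing. The `Get UUIDs for LVM filesystems` loop continues past the end of this hunk.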
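Review bot: The `ansible.builtin.set_fact` task in this hunk still has no `name:`, which ansible-lint's `name[missing]` rule reports, so the lint pass is incomplete here; `- name: Record LVM filesystem UUIDs` above it fixes that. It also indexes `uuid_result.results[...]` by position, and when `cis` is false the `var_log`/`var_log_audit` iterations of the preceding task are skipped, so those entries presumably carry no `stdout_lines` and the assignments that follow this hunk would error; worth confirming with `cis: false`. The task continues past the end of this hunk.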
@@ -92,33 +92,47 @@ - name: Mount filesystems block: - name: Mount filesystems and subvolumes - when: "cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')" - mount: - path: "/mnt{{ item.path }}" + when: cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit') + ansible.posix.mount: + path: /mnt{{ item.path }} src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" fstype: "{{ filesystem }}" opts: "{{ item.opts }}" state: mounted loop: - - { path: '', uuid: "{{ uuid_root[0] | default(omit) }}", opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" } - - { path: '/home', uuid: "{{ uuid_home[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" } - - { path: '/var', uuid: "{{ uuid_var[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" } - - { path: '/var/log', uuid: "{{ uuid_var_log[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" } - - { path: '/var/log/audit', uuid: "{{ uuid_var_log_audit[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" } + - path: "" + uuid: "{{ uuid_root[0] | default(omit) }}" + opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" + - path: /home + uuid: "{{ uuid_home[0] | default(omit) }}" + opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 
'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' + }}" + - path: /var + uuid: "{{ uuid_var[0] | default(omit) }}" + opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' + }}" + - path: /var/log + uuid: "{{ uuid_var_log[0] | default(omit) }}" + opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' + }}" + - path: /var/log/audit + uuid: "{{ uuid_var_log_audit[0] | default(omit) }}" + opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' + }}" - name: Mount tmp and var_tmp filesystems - mount: - path: "/mnt{{ item.path }}" + ansible.posix.mount: + path: /mnt{{ item.path }} src: tmpfs fstype: tmpfs opts: defaults,nosuid,nodev,noexec state: mounted loop: - - { path: '/tmp' } - - { path: '/var/tmp' } + - { path: /tmp } + - { path: /var/tmp } - name: Mount boot filesystem - mount: + ansible.posix.mount: path: "{{ '/mnt/boot/efi' if os | lower in ['ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}" src: UUID={{ boot_uuid.stdout }} fstype: vfat diff --git a/roles/partitioning/tasks/xfs.yml b/roles/partitioning/tasks/xfs.yml index 3582a10..08f997e 100644 --- a/roles/partitioning/tasks/xfs.yml +++ b/roles/partitioning/tasks/xfs.yml @@ -1,8 +1,8 @@ --- - name: Create and format XFS logical volumes when: cis == true or item.lv not in ['var_log', 'var_log_audit'] - filesystem: - dev: '/dev/sys/{{ item.lv }}' + community.general.filesystem: + dev: /dev/sys/{{ item.lv }} fstype: xfs force: true loop: diff --git a/roles/virtualization/tasks/libvirt.yml b/roles/virtualization/tasks/libvirt.yml index 0f81f63..34487a9 100644 --- a/roles/virtualization/tasks/libvirt.yml +++ b/roles/virtualization/tasks/libvirt.yml 
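Review bot: In the `Mount filesystems and subvolumes` loop the four `opts` values for `/home`, `/var`, `/var/log` and `/var/log/audit` now wrap in the middle of the Jinja expression inside the double quotes; YAML folds that break to a single space so the rendered options are unchanged, but a bare `}}"` on its own line reads as if the expression were cut. A folded block scalar keeps the wrap visible and the value identical, e.g. `opts: >-` followed by the expression split before `else`. The `Mount boot filesystem` task continues past the end of this hunk.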
@@ -1,32 +1,34 @@ +--- - name: Check if VM disk exists delegate_to: localhost - stat: + ansible.builtin.stat: path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2" register: vm_disk_stat - name: Create VM disk when: not vm_disk_stat.stat.exists delegate_to: localhost - command: "qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G" + ansible.builtin.command: qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G - name: Generate Random MAC Address delegate_to: localhost - shell: openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/' + ansible.builtin.shell: openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/' changed_when: false register: mac_address_output - name: Render cloud config templates delegate_to: localhost - template: + ansible.builtin.template: src: "{{ item.src }}" - dest: "/tmp/{{ item.dest_prefix }}-{{ hostname }}.yml" + dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml loop: - - { src: "cloud-user-data.yml.j2", dest_prefix: "cloud-user-data" } - - { src: "cloud-network-config.yml.j2", dest_prefix: "cloud-network-config" } + - { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data } + - { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config } - name: Create cloud-init disk delegate_to: localhost - command: "cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N /tmp/cloud-network-config-{{ hostname }}.yml" + ansible.builtin.command: cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N + /tmp/cloud-network-config-{{ hostname }}.yml - name: Create VM using libvirt delegate_to: localhost 
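Review bot: `Render cloud config templates` writes the rendered cloud-init user-data and network config to `/tmp/<prefix>-{{ hostname }}.yml` on the controller without a `mode`, so a file that presumably carries the prompted `user_password` sits at a predictable path with umask-default permissions for the life of the run; `mode: "0600"` on the `ansible.builtin.template` task closes that, and an `ansible.builtin.tempfile` directory in place of the bare `/tmp` name would also remove the predictable path. `Create cloud-init disk` still runs `ansible.builtin.command: cloud-localds ...` with no `changed_when`, which ansible-lint's `no-changed-when` rule reports. The MAC task is fine as written: it is a query and already carries `changed_when: false`. The `Create VM using libvirt` task continues past the end of this hunk.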
@@ -34,8 +36,8 @@ command: define xml: "{{ lookup('template', 'vm.xml.j2') }}" -- name: start vm +- name: Start vm delegate_to: localhost community.libvirt.virt: name: "{{ hostname }}" - state: running \ No newline at end of file + state: running diff --git a/roles/virtualization/tasks/main.yml b/roles/virtualization/tasks/main.yml index 45eb882..7dd1976 100644 --- a/roles/virtualization/tasks/main.yml +++ b/roles/virtualization/tasks/main.yml @@ -1,2 +1,3 @@ +--- - name: Create Virtual Machine - include_tasks: "{{ hypervisor }}.yml" \ No newline at end of file + ansible.builtin.include_tasks: "{{ hypervisor }}.yml" diff --git a/roles/virtualization/tasks/proxmox.yml b/roles/virtualization/tasks/proxmox.yml index 4d45e96..3762ee4 100644 --- a/roles/virtualization/tasks/proxmox.yml +++ b/roles/virtualization/tasks/proxmox.yml 
@@ -1,48 +1,49 @@ +--- - name: Deploy VM on Proxmox delegate_to: localhost - proxmox_kvm: + community.general.proxmox_kvm: api_host: "{{ hypervisor_url }}" api_user: "{{ hypervisor_username }}" api_password: "{{ hypervisor_password }}" ciuser: "{{ user_name }}" cipassword: "{{ user_password }}" - node: "{{ hypervisor_node }}" # Proxmox node name - vmid: "{{ vm_id }}" # Unique ID for the VM - name: "{{ hostname }}" # Name of the VM - cpu: "host" - cores: "{{ vm_cpus }}" # Number of CPU cores - memory: "{{ vm_memory }}" # Memory size in MB + node: "{{ hypervisor_node }}" # Proxmox node name + vmid: "{{ vm_id }}" # Unique ID for the VM + name: "{{ hostname }}" # Name of the VM + cpu: host + cores: "{{ vm_cpus }}" # Number of CPU cores + memory: "{{ vm_memory }}" # Memory size in MB balloon: "{{ vm_ballo | default(omit) }}" # Minimum Memory size in MB numa_enabled: true - hotplug: "network,disk" + hotplug: network,disk bios: ovmf - boot: "ac" - scsihw: "virtio-scsi-single" + boot: ac + scsihw: virtio-scsi-single scsi: - scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration + scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration efidisk0: - efitype: "4m" - format: "raw" + efitype: 4m + format: raw pre_enrolled_keys: false storage: "{{ hypervisor_storage }}" ide: ide0: "{{ boot_iso }},media=cdrom" ide1: "{{ hypervisor_storage }}:cloudinit" net: - net0: "virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}" + net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %} ipconfig: - ipconfig0: "ip={{ vm_ip }},gw={{ vm_gw }}" + ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }} nameservers: "{{ vm_dns }}" - onboot: true # Start the VM on boot - state: present # Ensure the VM is present + onboot: true # Start the VM on boot + state: present # Ensure the VM is present - name: Start VM on Proxmox delegate_to: localhost - proxmox_kvm: + community.general.proxmox_kvm: 
api_host: "{{ hypervisor_url }}" api_user: "{{ hypervisor_username }}" api_password: "{{ hypervisor_password }}" node: "{{ hypervisor_node }}" name: "{{ hostname }}" vmid: "{{ vm_id }}" - state: started # Ensure the VM is present + state: started # Ensure the VM is present diff --git a/roles/virtualization/tasks/vmware.yml b/roles/virtualization/tasks/vmware.yml index 496b233..71dab76 100644 --- a/roles/virtualization/tasks/vmware.yml +++ b/roles/virtualization/tasks/vmware.yml @@ -1,6 +1,7 @@ +--- - name: Create VM in vCenter delegate_to: localhost - vmware_guest: + community.vmware.vmware_guest: hostname: "{{ hypervisor_url }}" username: "{{ hypervisor_username }}" password: "{{ hypervisor_password }}" @@ -9,7 +10,7 @@ cluster: "{{ hypervisor_node }}" folder: "{{ vm_path }}" name: "{{ hostname }}" - guest_id: "otherGuest64" + guest_id: otherGuest64 state: poweredon disk: - size_gb: "{{ vm_size }}" @@ -18,12 +19,12 @@ hardware: memory_mb: "{{ vm_memory }}" num_cpus: "{{ vm_cpus }}" - boot_firmware: "efi" + boot_firmware: efi secure_boot: false cdrom: - controller_number: 0 unit_number: 0 - controller_type: "sata" + controller_type: sata state: present type: iso iso_path: "{{ boot_iso }}"
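Review bot: Both `community.general.proxmox_kvm` tasks pass `api_password`, and the first also `cipassword: "{{ user_password }}"`, without `no_log: true`, so a verbose run or a task failure dumps the hypervisor and user credentials into the job output; the same applies to the `community.vmware.vmware_guest` task in vmware.yml with its `password:`. Neither Proxmox task sets `validate_certs`, and this module family defaults it to `false`, so those credentials go to `api_host` over an unverified TLS connection unless `validate_certs: true` is added (with a trusted CA on the controller). `pre_enrolled_keys: false` under `efidisk0` leaves the UEFI Secure Boot keys absent; if that is intentional for the installer ISO, a comment saying so next to it would spare the next reader the question. The changed `net0:`/`ipconfig0:` plain scalars are fine unquoted since their Jinja braces are not at the start of the value.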