sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ansible-lint fixes

Browse Source
This commit is contained in:
Sandwich
2024-07-11 22:20:45 +02:00
parent 374b5fc7ef
commit 06ca8d8787
15 changed files with 349 additions and 325 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
roles/partitioning/tasks/btrfs.yml
View File

@@ -2,25 +2,25 @@
- name: Setup BTRFS
block:
- name: Create btrfs filesystem in main volume
filesystem:
dev: '{{ install_drive }}{{ main_partition_suffix }}'
community.general.filesystem:
dev: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
force: true
- name: Prepare BTRFS Subvolume
mount:
ansible.posix.mount:
path: /mnt
src: '{{ install_drive }}{{ main_partition_suffix }}'
src: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
state: mounted
- name: Enable quotas on Btrfs filesystem
command: btrfs quota enable /mnt
ansible.builtin.command: btrfs quota enable /mnt
- name: Make root subvolumes
when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop:
- { subvol: root }
- { subvol: home }
@@ -30,13 +30,13 @@
- name: Set quotas for subvolumes
when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop:
- { subvol: home, quota: '2G' }
- { subvol: home, quota: 2G }
- name: Unmount Partition
mount:
ansible.posix.mount:
path: /mnt
src: '{{ install_drive }}{{ main_partition_suffix }}'
src: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
state: unmounted

6
roles/partitioning/tasks/ext4.yml
View File

@@ -1,8 +1,8 @@
---
- name: Create and format ext4 logical volumes
when: cis == true or item.lv not in ['var_log', 'var_log_audit']
filesystem:
dev: '/dev/sys/{{ item.lv }}'
community.general.filesystem:
dev: /dev/sys/{{ item.lv }}
fstype: ext4
force: true
loop:
@@ -14,7 +14,7 @@
- name: Remove Unsupported features for older Systems
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky', 'ubuntu-lts']) and (cis == true or item.lv not in ['var_log', 'var_log_audit'])
command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
loop:
- { lv: root }
- { lv: home }

84
roles/partitioning/tasks/main.yml
View File

@@ -3,16 +3,16 @@
block:
- name: Prepare partitions
ignore_errors: true
command: "{{ item.cmd }}"
ansible.builtin.command: "{{ item.cmd }}"
loop:
- { cmd: "umount -l /mnt" }
- { cmd: "vgremove -f sys" }
- { cmd: "find /dev -wholename \"{{ install_drive }}*\" -exec wipefs --force --all {} \\;" }
- { cmd: umount -l /mnt }
- { cmd: vgremove -f sys }
- { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' }
loop_control:
label: "{{ item.cmd }}"
- name: Define partitions
parted:
community.general.parted:
device: "{{ install_drive }}"
label: gpt
number: "{{ item.number }}"
@@ -22,56 +22,56 @@
flags: "{{ item.flags | default(omit) }}"
state: present
loop:
- { number: 1, part_end: '500MiB', name: 'boot', flags: ['boot', 'esp'] }
- { number: 2, part_start: '500MiB', name: 'root' }
- { number: 1, part_end: 500MiB, name: boot, flags: [boot, esp] }
- { number: 2, part_start: 500MiB, name: root }
- name: Create LVM logical volumes
when: filesystem != 'btrfs'
block:
- name: Create LVM volume group
lvg:
community.general.lvg:
vg: sys
pvs: '{{ install_drive }}{{ main_partition_suffix }}'
pvs: "{{ install_drive }}{{ main_partition_suffix }}"
- name: Create LVM logical volumes
when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit')
lvol:
community.general.lvol:
vg: sys
lv: "{{ item.lv }}"
size: "{{ item.size }}"
state: present
loop:
- { lv: 'root', size: '12G' }
- { lv: 'home', size: '2G' }
- { lv: 'var', size: '2G' }
- { lv: 'var_log', size: '2G' }
- { lv: 'var_log_audit', size: '1.5G' }
- { lv: root, size: 12G }
- { lv: home, size: 2G }
- { lv: var, size: 2G }
- { lv: var_log, size: 2G }
- { lv: var_log_audit, size: 1.5G }
- name: Create filesystems
block:
- name: Create FAT32 filesystem in boot partition
filesystem:
dev: '{{ install_drive }}{{ boot_partition_suffix }}'
community.general.filesystem:
dev: "{{ install_drive }}{{ boot_partition_suffix }}"
fstype: vfat
opts: -F32
force: true
- name: Create filesystem
include_tasks: "{{ filesystem }}.yml"
ansible.builtin.include_tasks: "{{ filesystem }}.yml"
- name: Get UUID for boot filesystem
command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}'
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}'
changed_when: false
register: boot_uuid
- name: Get UUID for main filesystem
command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}'
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}'
changed_when: false
register: main_uuid
- name: Get UUIDs for LVM filesystems
when: filesystem != 'btrfs' and (cis == true or item not in ['var_log', 'var_log_audit'])
command: blkid -s UUID -o value /dev/sys/{{ item }}
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false
register: uuid_result
loop:
@@ -81,7 +81,7 @@
- var_log
- var_log_audit
- set_fact:
- ansible.builtin.set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
uuid_home: "{{ uuid_result.results[1].stdout_lines }}"
uuid_var: "{{ uuid_result.results[2].stdout_lines }}"
@@ -92,33 +92,47 @@
- name: Mount filesystems
block:
- name: Mount filesystems and subvolumes
when: "cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')"
mount:
path: "/mnt{{ item.path }}"
when: cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')
ansible.posix.mount:
path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
fstype: "{{ filesystem }}"
opts: "{{ item.opts }}"
state: mounted
loop:
- { path: '', uuid: "{{ uuid_root[0] | default(omit) }}", opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" }
- { path: '/home', uuid: "{{ uuid_home[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" }
- { path: '/var', uuid: "{{ uuid_var[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" }
- { path: '/var/log', uuid: "{{ uuid_var_log[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" }
- { path: '/var/log/audit', uuid: "{{ uuid_var_log_audit[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" }
- path: ""
uuid: "{{ uuid_root[0] | default(omit) }}"
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
- path: /home
uuid: "{{ uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home'
}}"
- path: /var
uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var'
}}"
- path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log'
}}"
- path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit'
}}"
- name: Mount tmp and var_tmp filesystems
mount:
path: "/mnt{{ item.path }}"
ansible.posix.mount:
path: /mnt{{ item.path }}
src: tmpfs
fstype: tmpfs
opts: defaults,nosuid,nodev,noexec
state: mounted
loop:
- { path: '/tmp' }
- { path: '/var/tmp' }
- { path: /tmp }
- { path: /var/tmp }
- name: Mount boot filesystem
mount:
ansible.posix.mount:
path: "{{ '/mnt/boot/efi' if os | lower in ['ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
src: UUID={{ boot_uuid.stdout }}
fstype: vfat

4
roles/partitioning/tasks/xfs.yml
View File

@@ -1,8 +1,8 @@
---
- name: Create and format XFS logical volumes
when: cis == true or item.lv not in ['var_log', 'var_log_audit']
filesystem:
dev: '/dev/sys/{{ item.lv }}'
community.general.filesystem:
dev: /dev/sys/{{ item.lv }}
fstype: xfs
force: true
loop: