diff --git a/roles/bootstrap/tasks/_dnf_family.yml b/roles/bootstrap/tasks/_dnf_family.yml index d60d78f..df9ff7b 100644 --- a/roles/bootstrap/tasks/_dnf_family.yml +++ b/roles/bootstrap/tasks/_dnf_family.yml @@ -18,6 +18,9 @@ groupinstall -y {{ _dnf_groups }} register: bootstrap_dnf_base_result changed_when: bootstrap_dnf_base_result.rc == 0 + failed_when: + - bootstrap_dnf_base_result.rc != 0 + - "'scriptlet' not in bootstrap_dnf_base_result.stderr" - name: Ensure chroot has DNS resolution ansible.builtin.file: diff --git a/roles/cleanup/tasks/libvirt.yml b/roles/cleanup/tasks/libvirt.yml index 40666c8..13b03d1 100644 --- a/roles/cleanup/tasks/libvirt.yml +++ b/roles/cleanup/tasks/libvirt.yml @@ -72,6 +72,12 @@ | trim }} + - name: Ensure boot device is set to hard disk in VM XML + when: "'- + {{ cleanup_libvirt_domain_xml_clean | regex_replace('()', '\1\n ') }} + - name: Update VM definition without installer media community.libvirt.virt: command: define diff --git a/roles/environment/tasks/_detect_live.yml b/roles/environment/tasks/_detect_live.yml index 8f233fb..bea071a 100644 --- a/roles/environment/tasks/_detect_live.yml +++ b/roles/environment/tasks/_detect_live.yml @@ -68,6 +68,23 @@ Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry. quiet: true +- name: Harden sshd for Ansible automation + ansible.builtin.blockinfile: + path: /etc/ssh/sshd_config + marker: "# {mark} BOOTSTRAP ANSIBLE SETTINGS" + block: | + PerSourcePenalties no + MaxStartups 50:30:100 + ClientAliveInterval 30 + ClientAliveCountMax 10 + register: _sshd_config_result + +- name: Restart sshd immediately if config was changed + when: _sshd_config_result is changed + ansible.builtin.service: + name: sshd + state: restarted + - name: Abort if the host is not booted from the Arch install media when: - not (custom_iso | bool) diff --git a/roles/environment/tasks/_prepare_installer.yml b/roles/environment/tasks/_prepare_installer.yml index ea96aef..667cc60 100644 
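Review bot: The new `failed_when` in _dnf_family.yml turns any non-zero exit whose stderr merely contains the word `scriptlet` into a non-failure, so a genuinely broken package scriptlet is accepted and the play continues on a partially configured chroot, while `changed_when: bootstrap_dnf_base_result.rc == 0` then reports the task as ok rather than changed. The substring test is also broad: it matches any dnf message mentioning scriptlets, not only the case this is presumably meant to tolerate. The reason scriptlet errors are acceptable is not recorded; add a comment above `failed_when:` such as `# Scriptlet failures are tolerated here (expected inside the chroot — confirm); any other non-zero exit is still fatal`, and consider a follow-up `ansible.builtin.debug` task gated on `bootstrap_dnf_base_result.rc != 0` that prints the captured stderr so the tolerated failure is visible in the run log rather than hidden.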
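Review bot: In _detect_live.yml the new block is appended to the end of `/etc/ssh/sshd_config` with no `validate:` and sshd is then restarted unconditionally, so a rejected directive leaves sshd down and the automation locked out; `PerSourcePenalties` is only recognised by recent OpenSSH releases, and on an older sshd an unknown directive is a fatal configuration error. If the existing file ends in a `Match` block, the appended lines also land inside that block, where `MaxStartups` and `PerSourcePenalties` are not permitted. Add `insertbefore: BOF` and `validate: /usr/sbin/sshd -t -f %s` to the blockinfile task (confirm the sshd path on this live image) so the file is checked before it is written and the restart only follows a valid config. Note also that `PerSourcePenalties no` disables a brute-force mitigation rather than hardening anything, so a name like `Relax sshd limits for Ansible automation` plus a one-line comment on the motivation (presumably the penalty and startup limits were throttling parallel Ansible connections — confirm) would describe the task more honestly.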
--- a/roles/environment/tasks/_prepare_installer.yml +++ b/roles/environment/tasks/_prepare_installer.yml @@ -25,6 +25,7 @@ state: latest loop: - { name: glibc } + - { name: lua, os: [almalinux, fedora, rhel, rocky] } - { name: dnf, os: [almalinux, fedora, rhel, rocky] } - { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] } - { name: debian-archive-keyring, os: [debian] } diff --git a/roles/global_defaults/tasks/system.yml b/roles/global_defaults/tasks/system.yml index 68ffdf4..990f6d5 100644 --- a/roles/global_defaults/tasks/system.yml +++ b/roles/global_defaults/tasks/system.yml @@ -17,6 +17,27 @@ - name: Normalize disk configuration ansible.builtin.include_tasks: _normalize_disks.yml +- name: Populate primary network fields from first interface + when: + - system_cfg is defined + - system_cfg.network.interfaces | default([]) | length > 0 + - system_cfg.network.ip | default('') | string | length == 0 + vars: + _primary: "{{ system_cfg.network.interfaces[0] }}" + ansible.builtin.set_fact: + system_cfg: >- + {{ + system_cfg | combine({ + 'network': system_cfg.network | combine({ + 'bridge': _primary.bridge | default(''), + 'vlan': _primary.vlan | default(''), + 'ip': _primary.ip | default(''), + 'prefix': _primary.prefix | default(''), + 'gateway': _primary.gateway | default('') + }) + }, recursive=True) + }} + - name: Check if pre-computed system_cfg needs enrichment when: system_cfg is defined ansible.builtin.set_fact: diff --git a/roles/virtualization/tasks/delete.yml b/roles/virtualization/tasks/delete.yml index fac2e6e..5a02cc8 100644 --- a/roles/virtualization/tasks/delete.yml +++ b/roles/virtualization/tasks/delete.yml 
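Review bot: The new `combine` in system.yml writes `_primary.<field> | default('')` for all five keys whenever `ip` is empty, so a `bridge`, `vlan`, `prefix` or `gateway` already present at the `system_cfg.network` level is overwritten with an empty string if the first interface does not carry that field; `recursive=True` does not protect scalar values. Fall back to the existing top-level value instead, e.g. `'gateway': _primary.gateway | default(system_cfg.network.gateway | default(''))`, and likewise for the other four keys. A comment above the task noting that only `interfaces[0]` is consulted and any further interfaces are ignored here would also help, since that is not obvious from the task name.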
@@ -40,10 +40,10 @@ failed_when: false - name: Undefine libvirt VM - community.libvirt.virt: - name: "{{ hostname }}" - command: undefine - uri: "{{ libvirt_uri | default('qemu:///system') }}" + ansible.builtin.command: + cmd: "virsh -c {{ libvirt_uri | default('qemu:///system') }} undefine {{ hostname }} --nvram" + register: _libvirt_undefine_result + changed_when: _libvirt_undefine_result.rc == 0 failed_when: false - name: Remove libvirt disk images
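Review bot: The replacement in delete.yml builds the virsh invocation as a single `cmd:` string, so `hostname` and `libvirt_uri` are word-split by the command module; a value containing whitespace or quotes becomes extra arguments instead of one domain name or URI. Use the module's `argv` form so each templated value stays a single argument, as below. `failed_when: false` is carried over unchanged, so a connection or permission error against the URI is still indistinguishable from "domain does not exist"; at minimum register a debug of `_libvirt_undefine_result.stderr` when `rc != 0` so masked failures are visible. If the installed community.libvirt release exposes NVRAM removal as a module option, that would avoid the shell-out entirely (not verifiable from this hunk).
```yaml
- name: Undefine libvirt VM
  ansible.builtin.command:
    argv:
      - virsh
      - -c
      - "{{ libvirt_uri | default('qemu:///system') }}"
      - undefine
      - "{{ hostname }}"
      - --nvram
  register: _libvirt_undefine_result
  # … unchanged: changed_when / failed_when …
```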