diff --git a/main.yml b/main.yml index ee40ee4..498c9f4 100644 --- a/main.yml +++ b/main.yml @@ -22,45 +22,33 @@ vars_files: vars.yml pre_tasks: - name: Set ansible_python_interpreter - when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"] + when: os | lower in ["rhel9", "rhel8"] ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 - - name: Set SSH Access - when: hypervisor != "vmware" - ansible.builtin.set_fact: - ansible_user: "{{ user_name }}" - ansible_password: "{{ user_password }}" - ansible_become_password: "{{ user_password }}" - ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" - - name: Validate variables ansible.builtin.assert: that: - - hypervisor in ["libvirt", "proxmox", "vmware", "none"] - - filesystem in ["btrfs", "ext4", "xfs"] + - filesystem in ["ext4", "xfs"] - install_drive is defined - - os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rocky", "ubuntu", "ubuntu-lts"] - - os not in ["rhel8", "rhel9"] or rhel_iso is defined - - (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20) + - os in ["rhel8", "rhel9"] + - (vm_size | int) >= 20) - (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16) fail_msg: Invalid input specified, please try again. - name: Set connection - when: hypervisor == "vmware" ansible.builtin.set_fact: ansible_connection: vmware_tools roles: - role: virtualization - when: install_type == "virtual" become: false vars: ansible_connection: local - role: environment vars: - ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}" + ansible_connection: vmware - role: partitioning vars: 
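Review bot: The rewritten assertion `- (vm_size | int) >= 20)` has an unbalanced closing parenthesis, so the `that` list in Validate variables will fail to parse as a template rather than evaluate; it should read `- (vm_size | int) >= 20`. In the same hunk the environment role is now given `ansible_connection: vmware`, while the Set connection task a few lines above still sets `ansible_connection: vmware_tools`; unless a connection plugin literally named `vmware` exists in this project, the role should use the same `vmware_tools` value. The removed `os not in ["rhel8", "rhel9"] or rhel_iso is defined` line is not carried into the new `os in ["rhel8", "rhel9"]` assertion, so if the remaining vmware path still consumes `rhel_iso` it is no longer validated up front and a missing value would only surface later in the run.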
@@ -75,13 +63,12 @@ when: cis | bool - role: cleanup - when: install_type == "virtual" vars: ansible_connection: local tasks: - name: Set final SSH Credentials - when: hypervisor == 'vmware' and vmware_ssh | bool + when: vmware_ssh | bool ansible.builtin.set_fact: ansible_user: "{{ user_name }}" ansible_password: "{{ user_password }}" diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml index 4fa1dfc..502b0ca 100644 --- a/roles/bootstrap/tasks/main.yml +++ b/roles/bootstrap/tasks/main.yml 
@@ -6,72 +6,7 @@ - name: Run OS-specific bootstrap process block: - - name: Bootstrap ArchLinux - when: os | lower == 'archlinux' - ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit - changed_when: result.rc == 0 - register: result - - - name: Bootstrap Debian System - when: os | lower in ['debian11', 'debian12'] - ansible.builtin.command: "{{ item }}" - changed_when: result.rc == 0 - register: result - with_items: - - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} - /mnt http://deb.debian.org/debian/ - - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }} - - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data - - - name: Bootstrap Ubuntu System - when: os | lower in ['ubuntu', 'ubuntu-lts'] - ansible.builtin.command: "{{ item }}" - changed_when: result.rc == 0 - register: result - with_items: - - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }} - /mnt http://archive.ubuntu.com/ubuntu/ - - ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf - - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list - - arch-chroot /mnt apt update -y - - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }} - - - name: Bootstrap AlmaLinux 9 - when: os | lower == 'almalinux' - ansible.builtin.command: "{{ item }}" - changed_when: result.rc == 0 - register: result - with_items: - - dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core - - ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf - - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }} - - - name: Bootstrap Fedora 41 - when: os | lower == 'fedora' - ansible.builtin.command: "{{ item }}" - changed_when: result.rc == 0 - 
register: result - with_items: - - dnf --releasever=41 --best --repo=fedora --repo=fedora-updates - --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core - - ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf - - arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }} - - arch-chroot /mnt dnf reinstall -y kernel-core - - - name: Bootstrap RockyLinux 9 - when: os | lower == 'rocky' - ansible.builtin.command: "{{ item }}" - changed_when: result.rc == 0 - register: result - with_items: - - dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt - --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists - groupinstall -y base core - - ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf - - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }} - - name: Bootstrap RHEL System - when: os | lower in ['rhel8', 'rhel9'] block: - name: Install base packages in chroot environment ansible.builtin.command: >- diff --git a/roles/bootstrap/vars/packages.yml b/roles/bootstrap/vars/packages.yml index 20724f5..94a5f0e 100644 --- a/roles/bootstrap/vars/packages.yml +++ b/roles/bootstrap/vars/packages.yml 
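Review bot: After the deletion, the outer `Run OS-specific bootstrap process` block wraps a single `Bootstrap RHEL System` block that no longer carries a `when`, so the two nesting levels now express nothing and the remaining RHEL-only flow would read more clearly as one block. If the OS guard is meant to stay as a second check behind the play-level assert, restore `when: os | lower in ['rhel8', 'rhel9']` on the inner block instead of dropping it silently. The `Install base packages in chroot environment` task is cut by the hunk, so its command cannot be reviewed here.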
@@ -1,201 +1,3 @@ -almalinux: - - bind-utils - - dbus-daemon - - dhcp-client - - efibootmgr - - glibc-langpack-de - - glibc-langpack-en - - grub2 - - grub2-efi - - lrzsz - - lvm2 - - nc - - nfs-utils - - nfsv4-client-utils - - mtr - - open-vm-tools - - ppp - - shim - - telnet - - tmux - - vim - - wget - - zram-generator - - zstd - -archlinux: - - base - - btrfs-progs - - cronie - - dhcpcd - - efibootmgr - - firewalld - - fish - - fzf - - grub - - htop - - libpwquality - - linux - - logrotate - - lrzsz - - lsof - - lvm2 - - ncdu - - neofetch - - networkmanager - - nfs-utils - - open-vm-tools - - openssh - - ppp - - prometheus-node-exporter - - python-psycopg2 - - qemu-guest-agent - - reflector - - rsync - - screen - - sudo - - tldr - - vim - - wireguard-tools - - zram-generator - -debian11: - base: - - apparmor-utils - - btrfs-progs - - chrony - - cron - - gnupg - - grub-efi - - grub-efi-amd64-signed - - grub2-common - - linux-image-amd64 - - locales - - logrotate - - lvm2 - - net-tools - - openssh-server - - python3 - - sudo - - xfsprogs - - extra: - - bat - - curl - - entr - - firewalld - - fish - - fzf - - htop - - jq - - libpam-pwquality - - lrzsz - - mtr - - ncdu - - neofetch - - network-manager - - open-vm-tools - - python-is-python3 - - ripgrep - - rsync - - screen - - software-properties-common - - syslog-ng - - tcpd - - tldr - - vim - - wget - - zstd - -debian12: - base: - - btrfs-progs - - cron - - gnupg - - grub-efi - - grub-efi-amd64-signed - - grub2-common - - linux-image-amd64 - - locales - - logrotate - - lvm2 - - xfsprogs - - extra: - - apparmor-utils - - bat - - chrony - - curl - - duf - - entr - - firewalld - - fish - - fzf - - htop - - jq - - libpam-pwquality - - logrotate - - lrzsz - - mtr - - ncdu - - neofetch - - net-tools - - network-manager - - open-vm-tools - - openssh-server - - python-is-python3 - - python3 - - ripgrep - - rsync - - screen - - software-properties-common - - sudo - - syslog-ng - - systemd-zram-generator - - tcpd - - tldr - 
- vim - - wget - - zstd - -fedora: - - bat - - bind-utils - - btrfs-progs - - cronie - - dhcp-client - - duf - - dust - - efibootmgr - - entr - - eza - - fish - - fzf - - glibc-langpack-de - - glibc-langpack-en - - grub2 - - grub2-efi - - htop - - iperf3 - - logrotate - - lrzsz - - lvm2 - - nc - - nfs-utils - - nfsv4-client-utils - - open-vm-tools - - polkit - - ppp - - ripgrep - - shim - - telnet - - tmux - - vim-default-editor - - wget - - zoxide - - zram-generator - - zstd - rhel8: - dhcp-client - efibootmgr 
@@ -228,145 +30,3 @@ rhel9: - vim - zram-generator - zstd - -rocky: - - bind-utils - - dbus-daemon - - dhcp-client - - efibootmgr - - glibc-langpack-de - - glibc-langpack-en - - grub2 - - grub2-efi - - lrzsz - - lvm2 - - mtr - - nc - - nfs-utils - - nfsv4-client-utils - - open-vm-tools - - ppp - - shim - - telnet - - tmux - - util-linux-core - - vim - - wget - - zram-generator - - zstd - -ubuntu: - base: - - btrfs-progs - - cron - - gnupg - - grub-efi - - grub-efi-amd64-signed - - grub2-common - - initramfs-tools - - linux-image-generic - - locales - - lvm2 - - xfsprogs - - extra: - - apparmor-utils - - bash-completion - - bat - - chrony - - curl - - dnsutils - - duf - - entr - - eza - - fdupes - - fio - - firewalld - - fish - - htop - - jq - - libpam-pwquality - - logrotate - - lrzsz - - mtr - - ncdu - - net-tools - - network-manager - - open-vm-tools - - openssh-server - - python-is-python3 - - python3 - - ripgrep - - rsync - - screen - - software-properties-common - - sudo - - syslog-ng - - systemd-zram-generator - - tcpd - - tldr - - tmux - - traceroute - - vim - - wget - - yq - - zoxide - - zstd - -ubuntu-lts: - base: - - btrfs-progs - - cron - - gnupg - - grub-efi - - grub-efi-amd64-signed - - grub2-common - - initramfs-tools - - linux-image-generic - - locales - - lvm2 - - xfsprogs - - extra: - - apparmor-utils - - bash-completion - - bat - - chrony - - curl - - dnsutils - - duf - - entr - - eza - - fdupes - - fio - - firewalld - - fish - - htop - - jq - - libpam-pwquality - - logrotate - - lrzsz - - mtr - - ncdu - - net-tools - - network-manager - - open-vm-tools - - openssh-server - - python-is-python3 - - python3 - - ripgrep - - rsync - - screen - - software-properties-common - - sudo - - syslog-ng - - systemd-zram-generator - - tcpd - - tldr - - tmux - - traceroute - - vim - - wget - - yq - - zoxide - - zstd diff --git a/roles/cis/tasks/main.yml b/roles/cis/tasks/main.yml index 8e29b28..c365728 100644 --- a/roles/cis/tasks/main.yml 
+++ b/roles/cis/tasks/main.yml @@ -91,17 +91,15 @@ - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 } - - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: umask 077 } - - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 } - - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent } + - { path: '/mnt/etc/bashrc', content: umask 077 } + - { path: '/mnt/etc/bashrc', content: export TMOUT=3000 } + - { path: '/mnt/etc/systemd/journald.conf', content: Storage=persistent } - { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" } - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so } - - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] - else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', + - { path: '/mnt/etc/pam.d/system-auth', content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 } - - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" - if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so } - - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', + - { path: '/mnt/etc/pam.d/system-auth', content: account required pam_faillock.so } + - { path: '/mnt/etc/pam.d/passwd', content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" } - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" } - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" } 
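Review bot: The new `pam_faillock.so` entries are written straight into `/mnt/etc/pam.d/system-auth`; on RHEL 8/9, now the only targets main.yml accepts, that file is typically an authselect-managed link, and a later `authselect select` or `apply-changes` on the installed system would overwrite the deny=5/unlock_time=900 lockout policy. The removed branch already special-cased `authselect/system-auth` for fedora, so consider targeting `/mnt/etc/authselect/system-auth` here too, or enabling the profile's `with-faillock` feature, so the policy survives. Whether this image actually uses authselect cannot be confirmed from the hunk, and the task that writes these entries starts outside it.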
@@ -122,10 +120,10 @@ { "path": "/mnt/etc/cron.d", "mode": "0700" }, { "path": "/mnt/etc/crontab", "mode": "0600" }, { "path": "/mnt/etc/logrotate.conf", "mode": "0644" }, - { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9"] else None, - { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rocky"] + { "path": "/mnt/usr/sbin/pppd", "mode": "0754" }, + { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["rhel9"] else "fusermount"), "mode": "755" }, - { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" } + { "path": "/mnt/usr/bin/write", "mode": "755" } ] | reject("none") }} - name: Adjust SSHD config diff --git a/roles/cleanup/tasks/main.yml b/roles/cleanup/tasks/main.yml index 5d2a55f..53687e0 100644 --- a/roles/cleanup/tasks/main.yml +++ b/roles/cleanup/tasks/main.yml @@ -4,31 +4,7 @@ vars: ansible_connection: ssh -- name: Setup Cleanup - when: hypervisor == "proxmox" - delegate_to: localhost - become: false - block: - - name: Cleanup Setup Disks - community.general.proxmox_disk: - api_host: "{{ hypervisor_url }}" - api_user: "{{ hypervisor_username }}" - api_password: "{{ hypervisor_password }}" - name: "{{ hostname }}" - vmid: "{{ vm_id }}" - disk: "{{ item }}" - state: absent - loop: - - ide0 - - ide2 - - - name: Reboot system - ansible.builtin.command: reboot - failed_when: false - changed_when: false - - name: Clean vCenter VM - when: hypervisor == "vmware" delegate_to: localhost become: false block: 
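Review bot: `{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" }` is now applied unconditionally, whereas the removed line deliberately yielded `None` for rhel8/rhel9 — the only targets main.yml still accepts — so if pppd is absent from the RHEL image the file task will now fail on a missing path rather than skip it. With no `None` entries left, the trailing `| reject("none")` is dead code, and `"fusermount3" if os in ["rhel9"]` reads more naturally as `os == "rhel9"`. The two `"mode": "755"` entries should also be written as `"0755"` to match the zero-prefixed octal form of the other entries. The task that consumes this list starts outside the hunk.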
@@ -66,39 +42,3 @@ datacenter: "{{ hypervisor_cluster }}" name: "{{ hostname }}" state: powered-on - -- name: Remove Archiso and cloud-init disks - when: hypervisor == "libvirt" - delegate_to: localhost - become: false - block: - - name: Remove cloud-init disk - ansible.builtin.file: - path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso" - state: absent - - - name: Get list of CD-ROM devices - ansible.builtin.shell: set -o pipefail && virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}' - changed_when: false - register: cdrom_devices - - - name: Wait for VM to spin down - ansible.builtin.wait_for: - timeout: 15 - - - name: Remove CD-ROM devices - when: cdrom_devices.stdout_lines | length > 0 - ansible.builtin.command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent - with_items: "{{ cdrom_devices.stdout_lines | select('ne', 'sdc') | list }}" - changed_when: result.rc == 0 - register: result - - - name: Start the VM - community.libvirt.virt: - name: "{{ hostname }}" - state: running - - - name: Wait for VM to boot up - delegate_to: "{{ inventory_hostname }}" - ansible.builtin.wait_for_connection: - timeout: 300 diff --git a/roles/configuration/tasks/main.yml b/roles/configuration/tasks/main.yml index 6e38b94..b8f97ca 100644 --- a/roles/configuration/tasks/main.yml +++ b/roles/configuration/tasks/main.yml @@ -6,13 +6,6 @@ changed_when: result.rc == 0 register: result - - name: Remove depricated attr2 and disable large extent - when: os in ["almalinux", "rhel8", "rhel9", "rocky"] and filesystem == "xfs" - ansible.builtin.replace: - path: /mnt/etc/fstab - regexp: '(xfs.*?)(attr2)' - replace: '\1allocsize=64m' - - name: Replace ISO UUID entry with /dev/sr0 in fstab when: os in ["rhel8", "rhel9"] ansible.builtin.lineinfile: 
@@ -24,7 +17,6 @@ backrefs: true - name: Write image from RHEL ISO to the target machine - when: os in ["rhel8", "rhel9"] and hypervisor == 'vmware' ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M changed_when: result.rc == 0 register: result @@ -51,21 +43,6 @@ - name: Setup locales block: - - name: Configure locale.gen - when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] - ansible.builtin.lineinfile: - dest: /mnt/etc/locale.gen - regexp: "{{ item.regex }}" - line: "{{ item.line }}" - loop: - - { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 } - - - name: Generate locales - when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] - ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen - changed_when: result.rc == 0 - register: result - - name: Set hostname ansible.builtin.copy: content: "{{ hostname }}" 
@@ -103,72 +80,27 @@ replace: "PermitRootLogin yes" - name: Enable Systemd Services - ansible.builtin.command: > - arch-chroot /mnt systemctl enable NetworkManager - {{ - ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else - (' sshd' if os | lower not in ['debian11', 'debian12'] else '') - }} - {{ - 'logrotate systemd-resolved systemd-timesyncd systemd-networkd' - if os | lower == 'archlinux' else '' - }} + ansible.builtin.command: arch-chroot /mnt systemctl enable NetworkManager sshd changed_when: result.rc == 0 register: result - - name: Configure grub - when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] - block: - - name: Add commandline information to grub config - ansible.builtin.lineinfile: - dest: /mnt/etc/default/grub - regexp: ^GRUB_CMDLINE_LINUX_DEFAULT= - line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3" - - - name: Change Grub time - ansible.builtin.lineinfile: - dest: /mnt/etc/default/grub - regexp: ^GRUB_TIMEOUT= - line: GRUB_TIMEOUT=1 - - name: Configure Bootloader block: - name: Install Bootloader - ansible.builtin.command: arch-chroot /mnt - {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr - -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 - -l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi' - {% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} - --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }} - {% endif %} + ansible.builtin.command: arch-chroot /mnt /usr/sbin/efibootmgr -c -L '{{ os }}' + -d "{{ install_drive }}" -p 1 + -l '\efi\EFI\redhat\shimx64.efi' changed_when: result.rc == 0 register: result - name: Generate grub config - ansible.builtin.command: arch-chroot /mnt - {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} - /usr/sbin/grub2-mkconfig -o 
/boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg - {% else %} - /usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }} - {% endif %} + ansible.builtin.command: arch-chroot /mnt /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg changed_when: result.rc == 0 register: result - - name: Ensure lvm2 for non btrfs filesystems - when: os | lower == "archlinux" and filesystem != "btrfs" - ansible.builtin.lineinfile: - path: /mnt/etc/mkinitcpio.conf - regexp: '^(HOOKS=.*block)(?!.*lvm2)(.*)' - line: '\1 lvm2\2' - backrefs: true - - name: Regenerate initramfs when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] - ansible.builtin.command: arch-chroot /mnt - {% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P - {% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force - {% else %} echo "Skipping initramfs regeneration" - {% endif %} + ansible.builtin.command: arch-chroot /mnt /usr/bin/dracut --regenerate-all --force changed_when: result.rc == 0 register: result @@ -177,8 +109,7 @@ - name: Append vim configurations to vimrc failed_when: false ansible.builtin.blockinfile: - path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] - else '/mnt/etc/vimrc' }}" + path: "/mnt/etc/vimrc" block: | set encoding=utf-8 set number @@ -202,7 +133,7 @@ mode: '0644' - name: Create zram config - when: os not in ['debian11', 'rhel8'] + when: os not in ['rhel8'] ansible.builtin.copy: dest: /mnt/etc/systemd/zram-generator.conf content: | @@ -214,7 +145,6 @@ mode: '0644' - name: Copy FirstRun Script - when: os | lower != "archlinux" ansible.builtin.template: src: firstrun.sh.j2 dest: /mnt/root/firstrun.sh 
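Review bot: `Regenerate initramfs` keeps `when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]` while its command is reduced to the RHEL-only `dracut --regenerate-all --force`; with the play now asserting `os in ["rhel8", "rhel9"]`, the guard is always true and only preserves references to targets this commit removes. Drop the `when`, as was done for the bootloader tasks in the same hunk, or replace it with the positive `when: os | lower in ['rhel8', 'rhel9']` form used elsewhere. The `Create zram config` task two hunks later has the same leftover shape with `when: os not in ['rhel8']`, which is clearer as `when: os != 'rhel8'`.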
@@ -249,20 +179,12 @@ dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection mode: "0600" - - name: Fix Ubuntu unmanaged devices - when: os | lower in ["ubuntu", "ubuntu-lts"] - ansible.builtin.file: - path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf - state: touch - mode: '0644' - - name: Setup user account block: - name: Create user account ansible.builtin.command: "{{ item }}" with_items: - - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups - {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }} + - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups wheel {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash changed_when: result.rc == 0 @@ -280,22 +202,12 @@ - name: Give sudo access to wheel group ansible.builtin.copy: - content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}" + content: "%wheel ALL=(ALL) ALL" dest: /mnt/etc/sudoers.d/01-wheel mode: "0440" validate: /usr/sbin/visudo --check --file=%s - name: Fix SELinux - block: - - name: Relabel the filesystem - when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky'] - ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot" - changed_when: result.rc == 0 - register: result - - - name: Disable SELinux - when: os | lower == "fedora" - ansible.builtin.lineinfile: - path: /mnt/etc/selinux/config - regexp: ^SELINUX= - line: SELINUX=permissive + ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot" + changed_when: result.rc == 0 + register: result diff --git a/roles/environment/tasks/main.yml b/roles/environment/tasks/main.yml index 05e7377..f4552cc 100644 --- a/roles/environment/tasks/main.yml +++ b/roles/environment/tasks/main.yml 
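Review bot: The rewritten `useradd ... --password {{ user_password | password_hash('sha512') }}` line, like the `usermod --password` line after it, still passes the password hash as a command-line argument and the task registers its result without `no_log`, so the hashes end up in the task output and in any log of the play; adding `no_log: true` to `Create user account` keeps them out of logs. `password_hash('sha512')` also generates a fresh salt on every run, so the task is not idempotent, though that behaviour predates this change. The `Setup user account` block continues outside the hunk.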
@@ -21,19 +21,16 @@ when: not archiso_stat.stat.exists - name: Setect Interface - when: hypervisor == "vmware" ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'" changed_when: interface_name.rc == 0 register: interface_name - name: Set IP-Address - when: hypervisor == "vmware" ansible.builtin.command: "ip addr replace {{ ansible_host }}/{{ vm_nms | default(24) }} dev {{ interface_name.stdout }}" changed_when: result.rc == 0 register: result - name: Set Default Gateway - when: hypervisor == "vmware" ansible.builtin.command: "ip route replace default via {{ vm_gw }}" changed_when: result.rc == 0 register: result @@ -44,7 +41,7 @@ register: result - name: Configure SSH for root login - when: hypervisor == "vmware" and vmware_ssh | bool + when: vmware_ssh | bool block: - name: Allow empty passwords temporarily ansible.builtin.replace: @@ -85,15 +82,11 @@ community.general.pacman: update_cache: true force: true - name: "{{ item.name }}" + name: "{{ item }}" state: latest loop: - - { name: glibc } - - { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] } - - { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] } - - { name: debian-archive-keyring, os: [debian11, debian12] } - - { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] } - when: "'os' not in item or os in item.os" + - glibc + - dnf retries: 4 delay: 15 @@ -108,14 +101,13 @@ - name: Mount RHEL ISO ansible.posix.mount: - src: "{{ '/dev/sr1' if hypervisor == 'vmware' else '/dev/sr2' }}" + src: "/dev/sr1" path: /usr/local/install/redhat/dvd fstype: iso9660 opts: "ro,loop" state: mounted - name: Configure RHEL Repos for installation - when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] block: - name: Create directories for repository files and RPM GPG keys ansible.builtin.file: diff --git a/roles/partitioning/tasks/btrfs.yml b/roles/partitioning/tasks/btrfs.yml deleted file mode 100644 index c5ba5b3..0000000 
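Review bot: In the pacman hunk the loop is now just `- glibc` and `- dnf`, yet each iteration still runs with `update_cache: true` and `force: true`, so the package database is refreshed once per item; `community.general.pacman` accepts a list, so `name: [glibc, dnf]` without the `loop` installs both in one call with a single cache update and a single retry budget. The earlier hunks drop `when: hypervisor == "vmware"` from the interface, IP and gateway tasks, which matches the vmware-only direction of main.yml, but `changed_when: interface_name.rc == 0` on a read-only `ip l` query should be `changed_when: false` to avoid reporting a change on every run. The `Configure RHEL Repos for installation` block starts in the last hunk and continues outside it.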
--- a/roles/partitioning/tasks/btrfs.yml +++ /dev/null @@ -1,56 +0,0 @@ ---- -- name: Setup BTRFS - block: - - name: Create btrfs filesystem in main volume - community.general.filesystem: - dev: "{{ install_drive }}{{ main_partition_suffix }}" - fstype: btrfs - force: true - - - name: Prepare BTRFS Subvolume - ansible.posix.mount: - path: /mnt - src: "{{ install_drive }}{{ main_partition_suffix }}" - fstype: btrfs - opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async - state: mounted - - - name: Enable quotas on Btrfs filesystem - ansible.builtin.command: btrfs quota enable /mnt - changed_when: result.rc == 0 - register: result - - - name: Make root subvolumes - when: cis | bool or item.subvol not in ['var_log_audit'] - ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} - changed_when: result.rc == 0 - register: result - loop: - - { subvol: root } - - { subvol: swap } - - { subvol: home } - - { subvol: var } - - { subvol: var_log } - - { subvol: var_log_audit } - - - name: Set quotas for subvolumes - when: cis | bool or item.subvol not in ['var_log_audit'] - ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} - changed_when: result.rc == 0 - register: result - loop: - - { subvol: home, quota: 2G } - - - name: Create a Btrfs swap file - ansible.builtin.command: >- - btrfs filesystem mkswapfile --size {{ ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory - | float / 2048) | int, [vm_memory | float / 1024, 4.0] | max) | int) }}g --uuid clear /mnt/@swap/swapfile - changed_when: result.rc == 0 - register: result - - - name: Unmount Partition - ansible.posix.mount: - path: /mnt - src: "{{ install_drive }}{{ main_partition_suffix }}" - fstype: btrfs - state: unmounted diff --git a/roles/partitioning/tasks/ext4.yml b/roles/partitioning/tasks/ext4.yml index 2dda340..34c907e 100644 --- a/roles/partitioning/tasks/ext4.yml 
+++ b/roles/partitioning/tasks/ext4.yml @@ -11,15 +11,3 @@ - { lv: var } - { lv: var_log } - { lv: var_log_audit } - -- name: Remove Unsupported features for older Systems - when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']) - ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" - changed_when: result.rc == 0 - register: result - loop: - - { lv: root } - - { lv: home } - - { lv: var } - - { lv: var_log } - - { lv: var_log_audit } diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml index e62f316..869167e 100644 --- a/roles/partitioning/tasks/main.yml +++ b/roles/partitioning/tasks/main.yml @@ -28,7 +28,6 @@ - { number: 2, part_start: 500MiB, name: root } - name: Create LVM logical volumes - when: filesystem != 'btrfs' block: - name: Create LVM volume group community.general.lvg: @@ -92,7 +91,6 @@ force: true - name: Create swap filesystem - when: filesystem != 'btrfs' community.general.filesystem: fstype: swap dev: /dev/sys/swap @@ -111,7 +109,7 @@ register: main_uuid - name: Get UUIDs for LVM filesystems - when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit']) + when: cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'] ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }} changed_when: false register: uuid_result @@ -124,7 +122,6 @@ - var_log_audit - name: Assign UUIDs to Variables - when: filesystem != 'btrfs' ansible.builtin.set_fact: uuid_root: "{{ uuid_result.results[0].stdout_lines }}" uuid_swap: "{{ uuid_result.results[1].stdout_lines }}" 
@@ -139,7 +136,6 @@ when: - cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs') or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit'])) - - not (item.path == '/swap' and filesystem != 'btrfs') ansible.posix.mount: path: /mnt{{ item.path }} src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" @@ -149,25 +145,20 @@ loop: - path: "" uuid: "{{ uuid_root[0] | default(omit) }}" - opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" - - path: /swap - opts: "rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@swap" + opts: "defaults" - path: /home uuid: "{{ uuid_home[0] | default(omit) }}" opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" - path: /var uuid: "{{ uuid_var[0] | default(omit) }}" - opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' - else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" + opts: "defaults,nosuid,nodev" - path: /var/log uuid: "{{ uuid_var_log[0] | default(omit) }}" - opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' - else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" + opts: "defaults,nosuid,nodev,noexec" - path: /var/log/audit uuid: "{{ uuid_var_log_audit[0] | default(omit) }}" - opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' - else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" + opts: "defaults,nosuid,nodev,noexec" - name: Mount tmp and var_tmp filesystems ansible.posix.mount: 
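Review bot: The `/home` entry still carries `opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"` while the `/var`, `/var/log` and `/var/log/audit` entries in the same hunk were reduced to plain strings; with btrfs no longer an accepted filesystem this should become `opts: "defaults,nosuid,nodev"` for consistency. The preceding hunk has the same leftover: the `when` condition still tests `filesystem == 'btrfs'` and `src:` still selects `main_uuid.stdout` for btrfs, so both can be simplified to the ext4/xfs path, e.g. `src: "UUID={{ item.uuid }}"`. The mount task whose `when` is edited in the first hunk begins outside it.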
@@ -182,12 +173,12 @@ - name: Mount boot filesystem ansible.posix.mount: - path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8', 'ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}" + path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8'] else '/mnt/boot' }}" src: UUID={{ boot_uuid.stdout }} fstype: vfat state: mounted - name: Activate swap - ansible.builtin.command: "{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + uuid_swap[0] }}" + ansible.builtin.command: "{{ 'swapon -U ' + uuid_swap[0] }}" changed_when: result.rc == 0 register: result diff --git a/roles/virtualization/tasks/libvirt.yml b/roles/virtualization/tasks/libvirt.yml deleted file mode 100644 index b1bcd90..0000000 --- a/roles/virtualization/tasks/libvirt.yml +++ /dev/null 
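Review bot: `ansible.builtin.command: "{{ 'swapon -U ' + uuid_swap[0] }}"` keeps the Jinja string concatenation that only made sense when two commands were being selected; it reads more plainly as `ansible.builtin.command: swapon -U {{ uuid_swap[0] }}`. Likewise `os | lower in ['rhel8']` in the boot-mount path is a single-element membership test and is clearer as `os | lower == 'rhel8'`.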
@@ -1,50 +0,0 @@ ---- -- name: Check if VM disk exists - delegate_to: localhost - ansible.builtin.stat: - path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2" - register: vm_disk_stat - -- name: Create VM disk - when: not vm_disk_stat.stat.exists - delegate_to: localhost - ansible.builtin.command: qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G - changed_when: result.rc == 0 - register: result - -- name: Generate Random MAC Address - delegate_to: localhost - ansible.builtin.shell: set -o pipefail && openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/' - changed_when: false - register: mac_address_output - -- name: Render cloud config templates - delegate_to: localhost - ansible.builtin.template: - src: "{{ item.src }}" - dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml - mode: '0644' - loop: - - { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data } - - { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config } - -- name: Create cloud-init disk - delegate_to: localhost - ansible.builtin.command: > - cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}/{{ hostname }}-cloudinit.iso - /tmp/cloud-user-data-{{ hostname }}.yml - -N /tmp/cloud-network-config-{{ hostname }}.yml - changed_when: result.rc == 0 - register: result - -- name: Create VM using libvirt - delegate_to: localhost - community.libvirt.virt: - command: define - xml: "{{ lookup('template', 'vm.xml.j2') }}" - -- name: Start vm - delegate_to: localhost - community.libvirt.virt: - name: "{{ hostname }}" - state: running diff --git a/roles/virtualization/tasks/proxmox.yml b/roles/virtualization/tasks/proxmox.yml deleted file mode 100644 index 2968757..0000000 --- a/roles/virtualization/tasks/proxmox.yml +++ /dev/null 
@@ -1,51 +0,0 @@
----
-- name: Deploy VM on Proxmox
- delegate_to: localhost
- community.general.proxmox_kvm:
- api_host: "{{ hypervisor_url }}"
- api_user: "{{ hypervisor_username }}"
- api_password: "{{ hypervisor_password }}"
- ciuser: "{{ user_name }}"
- cipassword: "{{ user_password }}"
- ciupgrade: false
- node: "{{ hypervisor_node }}"
- vmid: "{{ vm_id }}"
- name: "{{ hostname }}"
- cpu: host
- cores: "{{ vm_cpus }}"
- memory: "{{ vm_memory }}"
- balloon: "{{ vm_ballo | default(omit) }}"
- numa_enabled: true
- hotplug: network,disk
- bios: ovmf
- boot: ac
- scsihw: virtio-scsi-single
- scsi:
- scsi0: "{{ hypervisor_storage }}:{{ vm_size }}"
- efidisk0:
- efitype: 4m
- format: raw
- pre_enrolled_keys: false
- storage: "{{ hypervisor_storage }}"
- ide:
- ide0: "{{ boot_iso }},media=cdrom"
- ide1: "{{ rhel_iso | default(omit) }},media=cdrom"
- ide2: "{{ hypervisor_storage }}:cloudinit"
- net:
- net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
- ipconfig:
- ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }}
- nameservers: "{{ vm_dns }}"
- onboot: true
- state: present
-
-- name: Start VM on Proxmox
- delegate_to: localhost
- community.general.proxmox_kvm:
- api_host: "{{ hypervisor_url }}"
- api_user: "{{ hypervisor_username }}"
- api_password: "{{ hypervisor_password }}"
- node: "{{ hypervisor_node }}"
- name: "{{ hostname }}"
- vmid: "{{ vm_id }}"
- state: started
diff --git a/roles/virtualization/templates/cloud-network-config.yml.j2 b/roles/virtualization/templates/cloud-network-config.yml.j2
deleted file mode 100644
index ca3e391..0000000
--- a/roles/virtualization/templates/cloud-network-config.yml.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-network:
- version: 2
- ethernets:
- id0:
- match:
- macaddress: "{{ mac_address_output.stdout }}"
- addresses:
- - "{{ vm_ip }}"
- gateway4: "{{ vm_gw }}"
- nameservers:
- addresses: ['1.1.1.1', '1.0.0.1']
\ No newline at end of file
diff --git a/roles/virtualization/templates/cloud-user-data.yml.j2 b/roles/virtualization/templates/cloud-user-data.yml.j2 deleted file mode 100644 index 51d230d..0000000 --- a/roles/virtualization/templates/cloud-user-data.yml.j2 +++ /dev/null @@ -1,10 +0,0 @@ -#cloud-config -hostname: "archiso" -ssh_pwauth: true -users: - - name: "{{ user_name }}" - primary_group: "{{ user_name }}" - groups: users - sudo: ALL=(ALL) NOPASSWD:ALL - passwd: "{{ user_password | password_hash('sha512') }}" - lock_passwd: False \ No newline at end of file diff --git a/roles/virtualization/templates/vm.xml.j2 b/roles/virtualization/templates/vm.xml.j2 deleted file mode 100644 index 87c8128..0000000 --- a/roles/virtualization/templates/vm.xml.j2 +++ /dev/null @@ -1,62 +0,0 @@ - - {{ hostname }} - {{ vm_memory | int * 1024 }} - {% if vm_ballo is defined %}{{ vm_ballo | int * 1024 }}{% endif %} - {{ vm_cpus }} - - hvm - - - - /usr/share/edk2/x64/OVMF_CODE.secboot.fd - - - - - - - - - - destroy - restart - destroy - - - - - - - - - - - - - - - - - {% if rhel_iso is defined %} - - - - - - {% endif %} - - - - - - - - - - - - - - diff --git a/templates/almalinux.repo.j2 b/templates/almalinux.repo.j2 deleted file mode 100644 index dc24881..0000000 --- a/templates/almalinux.repo.j2 +++ /dev/null 
@@ -1,43 +0,0 @@ -[alma-appstream] -name=AlmaLinux $releasever - AppStream -mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream -# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/ -enabled=1 -gpgcheck=1 -countme=1 -gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever -metadata_expire=86400 -enabled_metadata=1 - -[alma-baseos] -name=AlmaLinux $releasever - BaseOS -mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos -# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/ -enabled=1 -gpgcheck=1 -countme=1 -gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever -metadata_expire=86400 -enabled_metadata=1 - -[alma-extras] -name=AlmaLinux $releasever - Extras -mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras -# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/ -enabled=1 -gpgcheck=1 -countme=1 -gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever -metadata_expire=86400 -enabled_metadata=0 - -[alma-highavailability] -name=AlmaLinux $releasever - HighAvailability -mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability -# baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/ -enabled=1 -gpgcheck=1 -countme=1 -gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever -metadata_expire=86400 -enabled_metadata=0 \ No newline at end of file diff --git a/templates/fedora.repo.j2 b/templates/fedora.repo.j2 deleted file mode 100644 index 9e68f98..0000000 --- a/templates/fedora.repo.j2 +++ /dev/null 
@@ -1,25 +0,0 @@ -[fedora] -name=Fedora $releasever - $basearch -#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/ -metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -enabled=1 -countme=1 -metadata_expire=86400 -repo_gpgcheck=0 -type=rpm -gpgcheck=1 -gpgkey=https://getfedora.org/static/fedora.gpg -skip_if_unavailable=False - -[fedora-updates] -name=Fedora $releasever - $basearch - Updates -#baseurl=http://download.example/pub/fedora/linux/updates/$releasever/Everything/$basearch/ -metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch -enabled=1 -countme=1 -repo_gpgcheck=0 -type=rpm -gpgcheck=1 -metadata_expire=86400 -gpgkey=https://getfedora.org/static/fedora.gpg -skip_if_unavailable=False diff --git a/templates/rocky.repo.j2 b/templates/rocky.repo.j2 deleted file mode 100644 index 9582e31..0000000 --- a/templates/rocky.repo.j2 +++ /dev/null @@ -1,10 +0,0 @@ -[rocky-baseos] -name=Rocky Linux $releasever - BaseOS -mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever -#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/ -gpgcheck=1 -enabled=1 -countme=1 -gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever -metadata_expire=86400 -enabled_metadata=1