Normalize user-facing defaults

2025-12-28 16:41:11 +01:00
parent cc77f646d7
commit 7fe2a0dcc1
26 changed files with 283 additions and 222 deletions

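--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,77 @@
+---
+os: ""
+filesystem: ""
+hostname: ""
+install_type: "physical"
+hypervisor: "none"
+install_drive: "/dev/sda"
+boot_iso: ""
+rhel_iso: ""
+custom_iso: false
+cis: false
+selinux: true
+is_rhel: false
+is_debian: false
+hypervisor_url: ""
+hypervisor_username: ""
+hypervisor_password: ""
+hypervisor_datacenter: ""
+hypervisor_cluster: ""
+hypervisor_node: ""
+hypervisor_storage: ""
+vm_path: ""
+vmware_ssh: false
+vlan_name: ""
+note: ""
+vm_ip: ""
+vm_nms: 24
+vm_gw: ""
+vm_dns: ""
+vm_dns_search: ""
+vm_nif: "vmbr0"
+vm_id: 0
+vm_size: 0
+vm_memory: 0
+vm_cpus: 4
+vm_ballo: 0
+extra_packages: []
+luks_enabled: false
+luks_passphrase: ""
+luks_mapper_name: "SYSTEM_DECRYPTED"
+luks_auto_decrypt: true
+luks_auto_decrypt_method: "tpm2"
+luks_tpm2_device: "auto"
+luks_tpm2_pcrs: ""
+luks_keyfile_size: 64
+luks_options: "discard,tries=3"
+luks_type: "luks2"
+luks_cipher: "aes-xts-plain64"
+luks_hash: "sha512"
+luks_iter_time: 4000
+luks_key_size: 512
+luks_pbkdf: "argon2id"
+luks_use_urandom: true
+luks_verify_passphrase: true
+partitioning_luks_enabled: "{{ luks_enabled }}"
+partitioning_luks_passphrase: "{{ luks_passphrase }}"
+partitioning_luks_mapper_name: "{{ luks_mapper_name }}"
+partitioning_luks_type: "{{ luks_type }}"
+partitioning_luks_cipher: "{{ luks_cipher }}"
+partitioning_luks_hash: "{{ luks_hash }}"
+partitioning_luks_iter_time: "{{ luks_iter_time }}"
+partitioning_luks_key_size: "{{ luks_key_size }}"
+partitioning_luks_pbkdf: "{{ luks_pbkdf }}"
+partitioning_luks_use_urandom: "{{ luks_use_urandom }}"
+partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase }}"
+partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt }}"
+partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method }}"
+partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}"
+partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
+partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}"
+partitioning_luks_options: "{{ luks_options }}"
+partitioning_vm_size: 0
+partitioning_vm_memory: 0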
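Review bot: The defaults `luks_auto_decrypt: true`, `luks_auto_decrypt_method: "tpm2"` and `luks_tpm2_pcrs: ""` together ship an automatic-unlock configuration whose PCR binding depends on what the configuration role does with an empty selection, and that behaviour is not readable from this file; a comment next to `luks_tpm2_pcrs`, e.g. `# comma-separated PCR list; empty means <state the binding the role applies>`, would make the security posture of the default explicit for anyone who only edits group_vars. `hypervisor_password` and `luks_passphrase` are plaintext-valued keys in a committed group_vars file; a one-line comment above each pointing overrides to `ansible-vault` or `--extra-vars` documents the intended way to supply them. Note also that the `partitioning_luks_*` keys are Jinja templates and therefore render as strings, which is fine only as long as every consumer applies `| bool` / `| int` as the rest of this commit does.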


@@ -32,26 +32,26 @@
- install_type in ["virtual", "physical"] - install_type in ["virtual", "physical"]
- hypervisor in ["libvirt", "proxmox", "vmware", "none"] - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- filesystem in ["btrfs", "ext4", "xfs"] - filesystem in ["btrfs", "ext4", "xfs"]
- install_drive is defined - install_drive | length > 0
- install_type == "physical" or vm_size is defined - install_type == "physical" or (vm_size | float) > 0
- install_type == "physical" or vm_memory is defined - install_type == "physical" or (vm_memory | float) > 0
- os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"] - os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
- os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined - os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso | length > 0
- >- - >-
install_type == "physical" install_type == "physical"
or ( or (
(filesystem == "btrfs" and (vm_size | default(0) | int) >= 10) (filesystem == "btrfs" and (vm_size | int) >= 10)
or (filesystem != "btrfs" and (vm_size | default(0) | int) >= 20) or (filesystem != "btrfs" and (vm_size | int) >= 20)
) )
- >- - >-
install_type == "physical" install_type == "physical"
or ( or (
(vm_size | default(0) | float) (vm_size | float)
>= ( >= (
(vm_memory | default(0) | float / 1024 >= 16.0) (vm_memory | float / 1024 >= 16.0)
| ternary( | ternary(
(vm_memory | default(0) | float / 2048), (vm_memory | float / 2048),
[vm_memory | default(0) | float / 1024, 4.0] | max [vm_memory | float / 1024, 4.0] | max
) )
+ 16 + 16
) )
@@ -60,10 +60,10 @@
- name: Normalize optional flags - name: Normalize optional flags
ansible.builtin.set_fact: ansible.builtin.set_fact:
cis: "{{ cis | default(false) | bool }}" cis: "{{ cis | bool }}"
custom_iso: "{{ custom_iso | default(false) | bool }}" custom_iso: "{{ custom_iso | bool }}"
is_rhel: "{{ os | default('') | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] }}" is_rhel: "{{ os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] }}"
is_debian: "{{ os | default('') | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] }}" is_debian: "{{ os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] }}"
changed_when: false changed_when: false
- name: Set Python interpreter for RHEL-based installers - name: Set Python interpreter for RHEL-based installers
@@ -110,7 +110,7 @@
- role: configuration - role: configuration
- role: cis - role: cis
when: cis | default(false) | bool when: cis | bool
- role: cleanup - role: cleanup
when: install_type in ["virtual", "physical"] when: install_type in ["virtual", "physical"]
@@ -122,7 +122,7 @@
post_reboot_can_connect: >- post_reboot_can_connect: >-
{{ {{
(ansible_connection | default('ssh')) != 'ssh' (ansible_connection | default('ssh')) != 'ssh'
or ((vm_ip | default('') | string | length) > 0) or ((vm_ip | string | length) > 0)
or ( or (
install_type == 'physical' install_type == 'physical'
and (ansible_host | default('') | string | length) > 0 and (ansible_host | default('') | string | length) > 0
@@ -132,7 +132,7 @@
- name: Set final SSH credentials for post-reboot tasks - name: Set final SSH credentials for post-reboot tasks
when: when:
- post_reboot_can_connect | default(false) | bool - post_reboot_can_connect | bool
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_user: "{{ user_name }}" ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}" ansible_password: "{{ user_password }}"
@@ -141,8 +141,8 @@
- name: Install post-reboot extra packages - name: Install post-reboot extra packages
when: when:
- extra_packages is defined - post_reboot_can_connect | bool
- post_reboot_can_connect | default(false) | bool - extra_packages | length > 0
block: block:
- name: Normalize extra package list - name: Normalize extra package list
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -151,7 +151,7 @@
( (
extra_packages extra_packages
if (extra_packages is iterable and extra_packages is not string) if (extra_packages is iterable and extra_packages is not string)
else (extra_packages | default('') | string).split(',') else (extra_packages | string).split(',')
) )
| map('trim') | map('trim')
| reject('equalto', '') | reject('equalto', '')
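Review bot: The assert list at the top of this section gains `install_drive | length > 0` and `rhel_iso | length > 0`, but nothing visible checks that `luks_passphrase` is non-empty when `luks_enabled` is true, and the new group_vars default leaves it as `""`; with the `default('')` fallbacks removed downstream that empty value flows straight into `partitioning_luks_passphrase`, so add `- not (luks_enabled | bool) or (luks_passphrase | length > 0)` to the same assert (the assert task's header is outside the hunk). Separately, the `Set final SSH credentials for post-reboot tasks` set_fact writes `ansible_password: "{{ user_password }}"`; set_fact output is echoed under `-v`, so that task should carry `no_log: true` unless it already does on a line outside the hunk.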


@@ -17,10 +17,10 @@ bootstrap_almalinux:
- ppp - ppp
- shim - shim
- tmux - tmux
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim - vim
- wget - wget
- zram-generator - zram-generator
@@ -56,10 +56,10 @@ bootstrap_archlinux:
- sudo - sudo
- tldr - tldr
- tmux - tmux
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim - vim
- wireguard-tools - wireguard-tools
- zram-generator - zram-generator
@@ -74,8 +74,8 @@ bootstrap_debian11:
- grub-efi - grub-efi
- grub-efi-amd64-signed - grub-efi-amd64-signed
- grub2-common - grub2-common
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-amd64 - linux-image-amd64
- locales - locales
- logrotate - logrotate
@@ -109,9 +109,9 @@ bootstrap_debian11:
- syslog-ng - syslog-ng
- tcpd - tcpd
- tldr - tldr
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim - vim
- wget - wget
- zstd - zstd
@@ -124,8 +124,8 @@ bootstrap_debian12:
- grub-efi - grub-efi
- grub-efi-amd64-signed - grub-efi-amd64-signed
- grub2-common - grub2-common
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-amd64 - linux-image-amd64
- locales - locales
- logrotate - logrotate
@@ -164,9 +164,9 @@ bootstrap_debian12:
- systemd-zram-generator - systemd-zram-generator
- tcpd - tcpd
- tldr - tldr
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim - vim
- wget - wget
- zstd - zstd
@@ -179,8 +179,8 @@ bootstrap_debian13:
- grub-efi - grub-efi
- grub-efi-amd64-signed - grub-efi-amd64-signed
- grub2-common - grub2-common
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-amd64 - linux-image-amd64
- locales - locales
- logrotate - logrotate
@@ -217,9 +217,9 @@ bootstrap_debian13:
- syslog-ng - syslog-ng
- systemd-zram-generator - systemd-zram-generator
- tcpd - tcpd
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim - vim
- wget - wget
- zstd - zstd
@@ -252,10 +252,10 @@ bootstrap_fedora:
- ripgrep - ripgrep
- shim - shim
- tmux - tmux
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim-default-editor - vim-default-editor
- wget - wget
- zoxide - zoxide
@@ -280,10 +280,10 @@ bootstrap_rhel8:
- python39 - python39
- shim - shim
- tmux - tmux
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim - vim
- zstd - zstd
@@ -305,10 +305,10 @@ bootstrap_rhel9:
- python - python
- shim - shim
- tmux - tmux
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim - vim
- zram-generator - zram-generator
- zstd - zstd
@@ -330,10 +330,10 @@ bootstrap_rhel10:
- python - python
- shim - shim
- tmux - tmux
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim - vim
- zram-generator - zram-generator
- zstd - zstd
@@ -357,10 +357,10 @@ bootstrap_rocky:
- shim - shim
- telnet - telnet
- tmux - tmux
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- util-linux-core - util-linux-core
- vim - vim
- wget - wget
@@ -375,8 +375,8 @@ bootstrap_ubuntu:
- grub-efi - grub-efi
- grub-efi-amd64-signed - grub-efi-amd64-signed
- grub2-common - grub2-common
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-generic - linux-image-generic
- locales - locales
- lvm2 - lvm2
@@ -419,9 +419,9 @@ bootstrap_ubuntu:
- tcpd - tcpd
- tldr - tldr
- tmux - tmux
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- traceroute - traceroute
- util-linux-extra - util-linux-extra
- vim - vim
@@ -438,8 +438,8 @@ bootstrap_ubuntu_lts:
- grub-efi - grub-efi
- grub-efi-amd64-signed - grub-efi-amd64-signed
- grub2-common - grub2-common
- "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}" - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-generic - linux-image-generic
- locales - locales
- lvm2 - lvm2
@@ -482,9 +482,9 @@ bootstrap_ubuntu_lts:
- tcpd - tcpd
- tldr - tldr
- tmux - tmux
- "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}" - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}" - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- traceroute - traceroute
- util-linux-extra - util-linux-extra
- vim - vim


@@ -10,8 +10,8 @@
- {path: /mnt/etc/security/pwquality.conf, content: ucredit = -1} - {path: /mnt/etc/security/pwquality.conf, content: ucredit = -1}
- {path: /mnt/etc/security/pwquality.conf, content: ocredit = -1} - {path: /mnt/etc/security/pwquality.conf, content: ocredit = -1}
- {path: /mnt/etc/security/pwquality.conf, content: lcredit = -1} - {path: /mnt/etc/security/pwquality.conf, content: lcredit = -1}
- {path: '/mnt/etc/{{ "bashrc" if is_rhel | default(false) else "bash.bashrc" }}', content: umask 077} - {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077}
- {path: '/mnt/etc/{{ "bashrc" if is_rhel | default(false) else "bash.bashrc" }}', content: export TMOUT=3000} - {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000}
- {path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent} - {path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent}
- {path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log"} - {path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log"}
- {path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so} - {path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so}


@@ -6,7 +6,8 @@
block: block:
- name: Set libvirt image paths - name: Set libvirt image paths
vars: vars:
cleanup_libvirt_image_dir_value: "{{ vm_path | default('/var/lib/libvirt/images') }}" cleanup_libvirt_image_dir_value: >-
{{ vm_path if vm_path | length > 0 else '/var/lib/libvirt/images' }}
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_image_dir: "{{ cleanup_libvirt_image_dir_value }}" cleanup_libvirt_image_dir: "{{ cleanup_libvirt_image_dir_value }}"
cleanup_libvirt_cloudinit_path: >- cleanup_libvirt_cloudinit_path: >-
@@ -38,7 +39,7 @@
changed_when: false changed_when: false
- name: Remove boot ISO device from VM XML (source match) - name: Remove boot ISO device from VM XML (source match)
when: boot_iso is defined and (boot_iso | length > 0) when: boot_iso | length > 0
community.general.xml: community.general.xml:
xmlstring: "{{ cleanup_libvirt_domain_xml }}" xmlstring: "{{ cleanup_libvirt_domain_xml }}"
xpath: "/domain/devices/disk[contains(source/@file, '{{ boot_iso | basename }}')]" xpath: "/domain/devices/disk[contains(source/@file, '{{ boot_iso | basename }}')]"
@@ -46,7 +47,7 @@
register: cleanup_libvirt_xml_strip_boot_source register: cleanup_libvirt_xml_strip_boot_source
- name: Update cleaned VM XML after removing boot ISO source match - name: Update cleaned VM XML after removing boot ISO source match
when: boot_iso is defined and (boot_iso | length > 0) when: boot_iso | length > 0
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"
changed_when: false changed_when: false


@@ -24,7 +24,7 @@
unit_number: 1 unit_number: 1
controller_type: sata controller_type: sata
type: iso type: iso
iso_path: "{{ rhel_iso | default(omit) }}" iso_path: "{{ rhel_iso if rhel_iso | length > 0 else omit }}"
state: absent state: absent
failed_when: false failed_when: false


@@ -3,16 +3,8 @@
block: block:
- name: Install Bootloader - name: Install Bootloader
vars: vars:
configuration_use_efibootmgr: "{{ is_rhel | default(false) }}" configuration_use_efibootmgr: "{{ is_rhel | bool }}"
configuration_efi_dir: >- configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
{{
partitioning_efi_mountpoint
| default(
"/boot/efi"
if (is_rhel | default(false)) or (os | lower in ["ubuntu", "ubuntu-lts"])
else "/boot"
)
}}
configuration_bootloader_id: >- configuration_bootloader_id: >-
{{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }} {{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
configuration_efi_vendor: >- configuration_efi_vendor: >-
@@ -47,7 +39,7 @@
else ( else (
'/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ' '/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
+ '/usr/sbin/update-initramfs -u -k all' + '/usr/sbin/update-initramfs -u -k all'
if is_debian | default(false) if is_debian | bool
else '/usr/bin/dracut --regenerate-all --force' else '/usr/bin/dracut --regenerate-all --force'
) )
}} }}
@@ -62,9 +54,9 @@
configuration_grub_cfg_cmd: >- configuration_grub_cfg_cmd: >-
{{ {{
'/usr/sbin/grub2-mkconfig -o ' '/usr/sbin/grub2-mkconfig -o '
+ (partitioning_efi_mountpoint | default('/boot/efi')) + partitioning_efi_mountpoint
+ '/EFI/' + configuration_efi_vendor + '/grub.cfg' + '/EFI/' + configuration_efi_vendor + '/grub.cfg'
if is_rhel | default(false) if is_rhel | bool
else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg' else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
}} }}
ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}" ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}"
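Review bot: `configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"` and the `grub2-mkconfig -o` path both drop the `/boot/efi` fallback, but `partitioning_efi_mountpoint` is not among the defaults the new `group_vars/all.yml` introduces, so unless the partitioning role is guaranteed to have set it before this role runs, the template now fails with an undefined variable instead of falling back. The same pattern appears in the LUKS configuration tasks, where `configuration_luks_device_value: "{{ partitioning_luks_device }}"` lost its `install_drive ~ suffix` derivation, and in the grub defaults, where `partitioning_grub_enable_cryptodisk | bool` lost `default(false)`, while `partitioning_luks_uuid | default('')` in the same LUKS block keeps its fallback; either add these keys to `group_vars/all.yml` or apply one convention consistently. The `Install Bootloader` task continues outside the hunk.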


@@ -1,31 +1,17 @@
--- ---
- name: Configure disk encryption - name: Configure disk encryption
when: partitioning_luks_enabled | default(luks_enabled | default(false)) | bool when: partitioning_luks_enabled | bool
vars: vars:
configuration_luks_passphrase_effective: >- configuration_luks_passphrase_effective: >-
{{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }} {{ partitioning_luks_passphrase | string }}
block: block:
- name: Set LUKS configuration facts - name: Set LUKS configuration facts
vars: vars:
configuration_luks_mapper_name_value: >- configuration_luks_mapper_name_value: >-
{{ {{ partitioning_luks_mapper_name }}
partitioning_luks_mapper_name configuration_luks_device_value: "{{ partitioning_luks_device }}"
| default(luks_mapper_name | default('SYSTEM_DECRYPTED'))
}}
configuration_luks_device_value: >-
{{
partitioning_luks_device
| default(
install_drive
~ (
partitioning_root_partition_suffix
| default(partitioning_main_partition_suffix | default(2))
| string
)
)
}}
configuration_luks_tpm2_pcrs_raw: >- configuration_luks_tpm2_pcrs_raw: >-
{{ partitioning_luks_tpm2_pcrs | default(luks_tpm2_pcrs | default('')) }} {{ partitioning_luks_tpm2_pcrs }}
configuration_luks_tpm2_pcrs_effective_value: >- configuration_luks_tpm2_pcrs_effective_value: >-
{{ {{
( (
@@ -43,17 +29,17 @@
configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}" configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
configuration_luks_device: "{{ configuration_luks_device_value }}" configuration_luks_device: "{{ configuration_luks_device_value }}"
configuration_luks_options: >- configuration_luks_options: >-
{{ partitioning_luks_options | default(luks_options | default('discard,tries=3')) }} {{ partitioning_luks_options }}
configuration_luks_auto_method: >- configuration_luks_auto_method: >-
{{ {{
(partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool) (partitioning_luks_auto_decrypt | bool)
| ternary( | ternary(
partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2')), partitioning_luks_auto_decrypt_method,
'manual' 'manual'
) )
}} }}
configuration_luks_tpm2_device: >- configuration_luks_tpm2_device: >-
{{ partitioning_luks_tpm2_device | default(luks_tpm2_device | default('auto')) }} {{ partitioning_luks_tpm2_device }}
configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}" configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}"
configuration_luks_tpm2_pcrs_effective: "{{ configuration_luks_tpm2_pcrs_effective_value }}" configuration_luks_tpm2_pcrs_effective: "{{ configuration_luks_tpm2_pcrs_effective_value }}"
configuration_luks_keyfile_path: >- configuration_luks_keyfile_path: >-
@@ -151,7 +137,7 @@
- name: Ensure keyfile pattern for initramfs-tools - name: Ensure keyfile pattern for initramfs-tools
when: when:
- is_debian | default(false) - is_debian | bool
- configuration_luks_keyfile_in_use - configuration_luks_keyfile_in_use
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/cryptsetup-initramfs/conf-hook path: /mnt/etc/cryptsetup-initramfs/conf-hook
@@ -215,14 +201,14 @@
}}) }})
- name: Ensure dracut config directory exists - name: Ensure dracut config directory exists
when: is_rhel | default(false) when: is_rhel | bool
ansible.builtin.file: ansible.builtin.file:
path: /mnt/etc/dracut.conf.d path: /mnt/etc/dracut.conf.d
state: directory state: directory
mode: "0755" mode: "0755"
- name: Configure dracut for LUKS - name: Configure dracut for LUKS
when: is_rhel | default(false) when: is_rhel | bool
ansible.builtin.copy: ansible.builtin.copy:
dest: /mnt/etc/dracut.conf.d/crypt.conf dest: /mnt/etc/dracut.conf.d/crypt.conf
content: | content: |
@@ -233,13 +219,13 @@
mode: "0644" mode: "0644"
- name: Read kernel cmdline defaults - name: Read kernel cmdline defaults
when: is_rhel | default(false) when: is_rhel | bool
ansible.builtin.slurp: ansible.builtin.slurp:
src: /mnt/etc/kernel/cmdline src: /mnt/etc/kernel/cmdline
register: configuration_kernel_cmdline_slurp register: configuration_kernel_cmdline_slurp
- name: Build kernel cmdline with LUKS args - name: Build kernel cmdline with LUKS args
when: is_rhel | default(false) when: is_rhel | bool
vars: vars:
configuration_kernel_cmdline_current_value: >- configuration_kernel_cmdline_current_value: >-
{{ configuration_kernel_cmdline_slurp.content | b64decode | trim }} {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
@@ -265,14 +251,14 @@
changed_when: false changed_when: false
- name: Write kernel cmdline with LUKS args - name: Write kernel cmdline with LUKS args
when: is_rhel | default(false) when: is_rhel | bool
ansible.builtin.copy: ansible.builtin.copy:
dest: /mnt/etc/kernel/cmdline dest: /mnt/etc/kernel/cmdline
mode: "0644" mode: "0644"
content: "{{ configuration_kernel_cmdline_new }}\n" content: "{{ configuration_kernel_cmdline_new }}\n"
- name: Find BLS entries - name: Find BLS entries
when: is_rhel | default(false) when: is_rhel | bool
ansible.builtin.find: ansible.builtin.find:
paths: /mnt/boot/loader/entries paths: /mnt/boot/loader/entries
patterns: "*.conf" patterns: "*.conf"
@@ -281,7 +267,7 @@
- name: Update BLS options with LUKS args - name: Update BLS options with LUKS args
when: when:
- is_rhel | default(false) - is_rhel | bool
- configuration_kernel_bls_entries.files | length > 0 - configuration_kernel_bls_entries.files | length > 0
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ item.path }}" path: "{{ item.path }}"
@@ -292,13 +278,13 @@
label: "{{ item.path }}" label: "{{ item.path }}"
- name: Read grub defaults - name: Read grub defaults
when: not is_rhel | default(false) when: not is_rhel | bool
ansible.builtin.slurp: ansible.builtin.slurp:
src: /mnt/etc/default/grub src: /mnt/etc/default/grub
register: configuration_grub_slurp register: configuration_grub_slurp
- name: Build grub command lines with LUKS args - name: Build grub command lines with LUKS args
when: not is_rhel | default(false) when: not is_rhel | bool
vars: vars:
configuration_grub_content_value: "{{ configuration_grub_slurp.content | b64decode }}" configuration_grub_content_value: "{{ configuration_grub_slurp.content | b64decode }}"
configuration_grub_cmdline_linux_value: >- configuration_grub_cmdline_linux_value: >-
@@ -362,7 +348,7 @@
configuration_grub_cmdline_default_new: "{{ configuration_grub_cmdline_default_new_value }}" configuration_grub_cmdline_default_new: "{{ configuration_grub_cmdline_default_new_value }}"
- name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
when: not is_rhel | default(false) when: not is_rhel | bool
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/default/grub path: /mnt/etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='


@@ -16,7 +16,7 @@
{{ {{
lookup( lookup(
'community.general.random_string', 'community.general.random_string',
length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int), length=(partitioning_luks_keyfile_size | int),
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
) )
}} }}
@@ -71,7 +71,7 @@
{{ {{
lookup( lookup(
'community.general.random_string', 'community.general.random_string',
length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int), length=(partitioning_luks_keyfile_size | int),
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
) )
}} }}
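Review bot: The keyfile expression `lookup('community.general.random_string', length=(partitioning_luks_keyfile_size | int), override_all='...')` is duplicated verbatim in two tasks of this file; if both are meant to yield the same key material, compute it once into a fact and reference it, and if they are deliberately independent keys a comment saying so would stop a future deduplication from merging them. The generated string lands in an Ansible variable on the controller, so the tasks that write it out should carry `no_log: true`; both tasks start outside the hunk, so I cannot see whether they do. 64 characters over a 62-symbol alphabet is ample entropy; whether this lookup is backed by the system CSPRNG is worth confirming against the collection's implementation rather than assumed.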


@@ -1,7 +1,7 @@
--- ---
- name: Append vim configurations to vimrc - name: Append vim configurations to vimrc
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: "{{ '/mnt/etc/vim/vimrc' if is_debian | default(false) else '/mnt/etc/vimrc' }}" path: "{{ '/mnt/etc/vim/vimrc' if is_debian | bool else '/mnt/etc/vimrc' }}"
block: | block: |
set encoding=utf-8 set encoding=utf-8
set number set number


@@ -1,6 +1,6 @@
--- ---
- name: Configure grub defaults - name: Configure grub defaults
when: not is_rhel | default(false) when: not is_rhel | bool
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub dest: /mnt/etc/default/grub
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
@@ -12,7 +12,7 @@
line: GRUB_TIMEOUT=1 line: GRUB_TIMEOUT=1
- name: Ensure grub defaults file exists for RHEL-based systems - name: Ensure grub defaults file exists for RHEL-based systems
when: is_rhel | default(false) when: is_rhel | bool
block: block:
- name: Build RHEL kernel command line defaults - name: Build RHEL kernel command line defaults
vars: vars:
@@ -106,7 +106,7 @@
label: "{{ item.path }}" label: "{{ item.path }}"
- name: Enable GRUB cryptodisk for encrypted /boot - name: Enable GRUB cryptodisk for encrypted /boot
when: partitioning_grub_enable_cryptodisk | default(false) | bool when: partitioning_grub_enable_cryptodisk | bool
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/default/grub path: /mnt/etc/default/grub
regexp: '^GRUB_ENABLE_CRYPTODISK=' regexp: '^GRUB_ENABLE_CRYPTODISK='


@@ -10,7 +10,7 @@
- name: Setup locales - name: Setup locales
block: block:
- name: Configure locale.gen - name: Configure locale.gen
when: not is_rhel | default(false) when: not is_rhel | bool
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}" regexp: "{{ item.regex }}"
@@ -19,7 +19,7 @@
- {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8} - {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}
- name: Generate locales - name: Generate locales
when: not is_rhel | default(false) when: not is_rhel | bool
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
register: configuration_locale_result register: configuration_locale_result
changed_when: configuration_locale_result.rc == 0 changed_when: configuration_locale_result.rc == 0
@@ -32,7 +32,7 @@
if '.' in hostname if '.' in hostname
else ( else (
hostname + '.' + vm_dns_search hostname + '.' + vm_dns_search
if vm_dns_search is defined and vm_dns_search | length if vm_dns_search | length
else hostname else hostname
) )
}} }}
@@ -49,7 +49,7 @@
if '.' in hostname if '.' in hostname
else ( else (
hostname + '.' + vm_dns_search hostname + '.' + vm_dns_search
if vm_dns_search is defined and vm_dns_search | length if vm_dns_search | length
else hostname else hostname
) )
}} }}
@@ -57,7 +57,7 @@
configuration_hostname_entries: >- configuration_hostname_entries: >-
{{ [configuration_hostname_fqdn, configuration_hostname_short] | unique | join(' ') }} {{ [configuration_hostname_fqdn, configuration_hostname_short] | unique | join(' ') }}
configuration_hosts_line: >- configuration_hosts_line: >-
{{ vm_ip | default(inventory_hostname) }} {{ configuration_hostname_entries }} {{ (vm_ip if vm_ip | length > 0 else inventory_hostname) }} {{ configuration_hostname_entries }}
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/hosts path: /mnt/etc/hosts
line: "{{ configuration_hosts_line }}" line: "{{ configuration_hosts_line }}"


@@ -1,9 +1,9 @@
--- ---
- name: Fix SELinux - name: Fix SELinux
when: is_rhel | default(false) when: is_rhel | bool
block: block:
- name: Fix SELinux by pre-labeling the filesystem before first boot - name: Fix SELinux by pre-labeling the filesystem before first boot
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool) when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | bool)
ansible.builtin.command: > ansible.builtin.command: >
arch-chroot /mnt /sbin/setfiles -v -F arch-chroot /mnt /sbin/setfiles -v -F
-e /dev -e /proc -e /sys -e /run -e /dev -e /proc -e /sys -e /run
@@ -12,7 +12,7 @@
changed_when: configuration_setfiles_result.rc == 0 changed_when: configuration_setfiles_result.rc == 0
- name: Disable SELinux - name: Disable SELinux
when: os | lower == "fedora" or not (selinux | default(true) | bool) when: os | lower == "fedora" or not (selinux | bool)
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config path: /mnt/etc/selinux/config
regexp: ^SELINUX= regexp: ^SELINUX=


@@ -1,7 +1,7 @@
--- ---
- name: Give sudo access to wheel group - name: Give sudo access to wheel group
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | default(false) else '%wheel ALL=(ALL) ALL' }}" content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | bool else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440" mode: "0440"
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s


@@ -2,7 +2,7 @@
- name: Create user account - name: Create user account
vars: vars:
configuration_user_group: >- configuration_user_group: >-
{{ "sudo" if is_debian | default(false) else "wheel" }} {{ "sudo" if is_debian | bool else "wheel" }}
configuration_useradd_cmd: >- configuration_useradd_cmd: >-
arch-chroot /mnt /usr/sbin/useradd --create-home --user-group arch-chroot /mnt /usr/sbin/useradd --create-home --user-group
--groups {{ configuration_user_group }} {{ user_name }} --groups {{ configuration_user_group }} {{ user_name }}
@@ -18,7 +18,7 @@
changed_when: configuration_user_result.rc == 0 changed_when: configuration_user_result.rc == 0
- name: Ensure .ssh directory exists - name: Ensure .ssh directory exists
when: user_public_key is defined when: user_public_key | length > 0
ansible.builtin.file: ansible.builtin.file:
path: /mnt/home/{{ user_name }}/.ssh path: /mnt/home/{{ user_name }}/.ssh
state: directory state: directory
@@ -27,7 +27,7 @@
mode: "0700" mode: "0700"
- name: Add SSH public key to authorized_keys - name: Add SSH public key to authorized_keys
when: user_public_key is defined when: user_public_key | length > 0
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/home/{{ user_name }}/.ssh/authorized_keys path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
line: "{{ user_public_key }}" line: "{{ user_public_key }}"
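Review bot: The `when: user_public_key | length > 0` conditions on the "Ensure .ssh directory exists" and "Add SSH public key to authorized_keys" tasks raise an undefined-variable error on a host that sets no key, where the previous `is defined` test simply skipped the tasks. Unless `user_public_key` is declared with an empty default alongside the other normalized variables (its declaration is not visible in this diff), a key-less host now fails here instead of skipping; declaring `user_public_key: ""` in the shared defaults keeps the skip behaviour with the new comparison. The remaining arguments of the `authorized_keys` task (owner and mode of the file) fall outside this hunk.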


@@ -7,14 +7,14 @@ type=ethernet
mac-address={{ configuration_net_mac }} mac-address={{ configuration_net_mac }}
[ipv4] [ipv4]
{% set dns_value = vm_dns | default('') %} {% set dns_value = vm_dns %}
{% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %} {% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
{% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %} {% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
{% set search_value = vm_dns_search | default('') %} {% set search_value = vm_dns_search %}
{% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %} {% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
{% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %} {% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
{% if vm_ip is defined and vm_ip | length %} {% if vm_ip | length %}
address1={{ vm_ip }}/{{ vm_nms | default(24) }}{{ (',' ~ vm_gw) if (vm_gw is defined and vm_gw | length) else '' }} address1={{ vm_ip }}/{{ vm_nms }}{{ (',' ~ vm_gw) if (vm_gw | length) else '' }}
method=manual method=manual
{% else %} {% else %}
method=auto method=auto
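Review bot: `{% set dns_value = vm_dns %}` and `{% set search_value = vm_dns_search %}` feed the value straight into `.split(',')`, so an operator who overrides either variable with a bare `vm_dns:` key (YAML null) gets an attribute error at render time; the removed `default('')` did not cover null either, but with the defaults now living in a vars file a bare key is the likeliest override mistake. `{% set dns_value = vm_dns | default('', true) %}` (and the same for `search_value`) treats null as empty while keeping the new empty-string defaults. The same pattern appears in the Proxmox `virtualization_dns_value`/`virtualization_search_value` vars and in the netplan template further down this commit.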


@@ -17,7 +17,7 @@
- name: Abort if the host is not booted from the Arch install media - name: Abort if the host is not booted from the Arch install media
when: when:
- not (custom_iso | default(false) | bool) - not (custom_iso | bool)
- not environment_archiso_stat.stat.exists - not environment_archiso_stat.stat.exists
ansible.builtin.fail: ansible.builtin.fail:
msg: This host is not booted from the Arch install media! msg: This host is not booted from the Arch install media!
@@ -40,10 +40,9 @@
- name: Set IP-Address - name: Set IP-Address
when: when:
- hypervisor == "vmware" - hypervisor == "vmware"
- vm_ip is defined - vm_ip | length > 0
- vm_ip | length
ansible.builtin.command: >- ansible.builtin.command: >-
ip addr replace {{ vm_ip }}/{{ vm_nms | default(24) }} ip addr replace {{ vm_ip }}/{{ vm_nms }}
dev {{ environment_interface_name }} dev {{ environment_interface_name }}
register: environment_ip_result register: environment_ip_result
changed_when: environment_ip_result.rc == 0 changed_when: environment_ip_result.rc == 0
@@ -51,10 +50,8 @@
- name: Set Default Gateway - name: Set Default Gateway
when: when:
- hypervisor == "vmware" - hypervisor == "vmware"
- vm_gw is defined - vm_gw | length > 0
- vm_gw | length - vm_ip | length > 0
- vm_ip is defined
- vm_ip | length
ansible.builtin.command: "ip route replace default via {{ vm_gw }}" ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
register: environment_gateway_result register: environment_gateway_result
changed_when: environment_gateway_result.rc == 0 changed_when: environment_gateway_result.rc == 0
@@ -65,7 +62,7 @@
changed_when: false changed_when: false
- name: Configure SSH for root login - name: Configure SSH for root login
when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool) when: hypervisor == "vmware" and (vmware_ssh | bool)
block: block:
- name: Allow login - name: Allow login
ansible.builtin.replace: ansible.builtin.replace:
@@ -91,14 +88,14 @@
- name: Prepare installer environment - name: Prepare installer environment
block: block:
- name: Speed-up Bootstrap process - name: Speed-up Bootstrap process
when: not (custom_iso | default(false) | bool) when: not (custom_iso | bool)
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/pacman.conf path: /etc/pacman.conf
regexp: ^#ParallelDownloads = regexp: ^#ParallelDownloads =
line: ParallelDownloads = 20 line: ParallelDownloads = 20
- name: Wait for pacman lock to be released - name: Wait for pacman lock to be released
when: not (custom_iso | default(false) | bool) when: not (custom_iso | bool)
ansible.builtin.wait_for: ansible.builtin.wait_for:
path: /var/lib/pacman/db.lck path: /var/lib/pacman/db.lck
state: absent state: absent
@@ -107,7 +104,7 @@
- name: Setup Pacman - name: Setup Pacman
when: when:
- not (custom_iso | default(false) | bool) - not (custom_iso | bool)
- "'os' not in item or os in item.os" - "'os' not in item or os in item.os"
community.general.pacman: community.general.pacman:
update_cache: true update_cache: true
@@ -141,7 +138,7 @@
state: mounted state: mounted
- name: Configure RHEL Repos for installation - name: Configure RHEL Repos for installation
when: is_rhel | default(false) when: is_rhel | bool
block: block:
- name: Create directories for repository files and RPM GPG keys - name: Create directories for repository files and RPM GPG keys
ansible.builtin.file: ansible.builtin.file:
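Review bot: `ip addr replace {{ vm_ip }}/{{ vm_nms }}` in the "Set IP-Address" task interpolates operator-supplied values without validation; with the `is defined` guards gone, `vm_ip | length > 0` only proves the string is non-empty, so a malformed address or mask surfaces as an opaque `ip` failure whose only signal is the return code. An `ansible.builtin.assert` ahead of the task that checks `vm_ip | ansible.utils.ipaddr` is truthy and that `vm_nms | int` lies within 0–32 gives a clear fail-fast message instead. The same applies to `vm_gw` in the "Set Default Gateway" task, whose conditions were collapsed in the next hunk.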


@@ -1,20 +1,20 @@
--- ---
partitioning_luks_enabled: "{{ luks_enabled | default(false) | bool }}" partitioning_luks_enabled: "{{ luks_enabled | bool }}"
partitioning_luks_mapper_name: "{{ luks_mapper_name | default('SYSTEM_DECRYPTED') }}" partitioning_luks_mapper_name: "{{ luks_mapper_name }}"
partitioning_luks_type: "{{ luks_type | default('luks2') }}" partitioning_luks_type: "{{ luks_type }}"
partitioning_luks_cipher: "{{ luks_cipher | default('aes-xts-plain64') }}" partitioning_luks_cipher: "{{ luks_cipher }}"
partitioning_luks_hash: "{{ luks_hash | default('sha512') }}" partitioning_luks_hash: "{{ luks_hash }}"
partitioning_luks_iter_time: "{{ luks_iter_time | default(4000) }}" partitioning_luks_iter_time: "{{ luks_iter_time }}"
partitioning_luks_key_size: "{{ luks_key_size | default(512) }}" partitioning_luks_key_size: "{{ luks_key_size }}"
partitioning_luks_pbkdf: "{{ luks_pbkdf | default('argon2id') }}" partitioning_luks_pbkdf: "{{ luks_pbkdf }}"
partitioning_luks_use_urandom: "{{ luks_use_urandom | default(true) | bool }}" partitioning_luks_use_urandom: "{{ luks_use_urandom | bool }}"
partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | default(true) | bool }}" partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | bool }}"
partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | default(true) | bool }}" partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | bool }}"
partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method | default('tpm2') }}" partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method }}"
partitioning_luks_tpm2_device: "{{ luks_tpm2_device | default('auto') }}" partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}"
partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs | default('') }}" partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
partitioning_luks_keyfile_size: "{{ luks_keyfile_size | default(64) }}" partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}"
partitioning_luks_options: "{{ luks_options | default('discard,tries=3') }}" partitioning_luks_options: "{{ luks_options }}"
partitioning_boot_partition_suffix: 1 partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2 partitioning_main_partition_suffix: 2
partitioning_efi_size_mib: 50 partitioning_efi_size_mib: 50
@@ -22,13 +22,13 @@ partitioning_boot_size_mib: 1024
partitioning_separate_boot: >- partitioning_separate_boot: >-
{{ {{
(partitioning_luks_enabled | bool) (partitioning_luks_enabled | bool)
and (os | default('') | lower not in ['archlinux']) and (os | lower not in ['archlinux'])
}} }}
partitioning_boot_fs_fstype: >- partitioning_boot_fs_fstype: >-
{{ {{
(filesystem | default('') | lower) (filesystem | lower)
if (filesystem | default('') | lower) != 'btrfs' if (filesystem | lower) != 'btrfs'
else ('xfs' if (is_rhel | default(false)) else 'ext4') else ('xfs' if is_rhel else 'ext4')
}} }}
partitioning_boot_fs_partition_suffix: >- partitioning_boot_fs_partition_suffix: >-
{{ {{
@@ -46,7 +46,7 @@ partitioning_efi_mountpoint: >-
if (partitioning_separate_boot | bool) if (partitioning_separate_boot | bool)
else ( else (
'/boot/efi' '/boot/efi'
if (is_rhel | default(false)) or (os | default('') | lower in ['ubuntu', 'ubuntu-lts']) if is_rhel or (os | lower in ['ubuntu', 'ubuntu-lts'])
else '/boot' else '/boot'
) )
}} }}
@@ -107,8 +107,16 @@ partitioning_root_device: >-
if (partitioning_luks_enabled | bool) if (partitioning_luks_enabled | bool)
else install_drive ~ (partitioning_root_partition_suffix | string) else install_drive ~ (partitioning_root_partition_suffix | string)
}} }}
partitioning_vm_size_effective: "{{ (partitioning_vm_size | default(vm_size | default(0))) | float }}" partitioning_vm_size_effective: >-
partitioning_vm_memory_effective: "{{ (partitioning_vm_memory | default(vm_memory | default(0))) | float }}" {{
(partitioning_vm_size if (partitioning_vm_size | float) > 0 else vm_size)
| float
}}
partitioning_vm_memory_effective: >-
{{
(partitioning_vm_memory if (partitioning_vm_memory | float) > 0 else vm_memory)
| float
}}
partitioning_swap_size_gb: >- partitioning_swap_size_gb: >-
{{ {{
((partitioning_vm_memory_effective / 1024) >= 16.0) ((partitioning_vm_memory_effective / 1024) >= 16.0)
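Review bot: `partitioning_boot_fs_fstype` and `partitioning_efi_mountpoint` now test bare `is_rhel` (`'xfs' if is_rhel else 'ext4'` and `if is_rhel or (os | lower in ['ubuntu', 'ubuntu-lts'])`) while the rest of this commit normalizes the same flag to `is_rhel | bool`. A string-typed override such as `-e is_rhel=false` on the command line is a non-empty string and therefore truthy in a Jinja conditional, which would silently pick the RHEL branch (xfs boot filesystem, `/boot/efi` mountpoint) on a non-RHEL host. `else ('xfs' if is_rhel | bool else 'ext4')` and `if (is_rhel | bool) or (os | lower in ['ubuntu', 'ubuntu-lts'])` keep these two expressions consistent with `partitioning_luks_enabled | bool` in the same file.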


@@ -10,7 +10,7 @@
{{ {{
'-K' '-K'
if (partitioning_luks_enabled | bool) if (partitioning_luks_enabled | bool)
and not ('discard' in (partitioning_luks_options | default('') | lower)) and not ('discard' in (partitioning_luks_options | lower))
else omit else omit
}} }}


@@ -1,8 +1,8 @@
--- ---
- name: Detect system memory for swap sizing - name: Detect system memory for swap sizing
when: when:
- partitioning_vm_memory is not defined - (partitioning_vm_memory | float) <= 0
- vm_memory is not defined - (vm_memory | float) <= 0
block: block:
- name: Read system memory - name: Read system memory
ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo
@@ -17,9 +17,9 @@
- name: Set partitioning vm_size for physical installs - name: Set partitioning vm_size for physical installs
when: when:
- install_type == "physical" - install_type == "physical"
- partitioning_vm_size is not defined - (partitioning_vm_size | float) <= 0
- vm_size is not defined - (vm_size | float) <= 0
- install_drive is defined - install_drive | length > 0
block: block:
- name: Detect install drive size - name: Detect install drive size
ansible.builtin.command: "lsblk -b -dn -o SIZE {{ install_drive }}" ansible.builtin.command: "lsblk -b -dn -o SIZE {{ install_drive }}"
@@ -157,7 +157,7 @@
when: partitioning_luks_enabled | bool when: partitioning_luks_enabled | bool
vars: vars:
partitioning_luks_passphrase_effective: >- partitioning_luks_passphrase_effective: >-
{{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }} {{ partitioning_luks_passphrase | string }}
block: block:
- name: Validate LUKS passphrase - name: Validate LUKS passphrase
ansible.builtin.assert: ansible.builtin.assert:
@@ -207,7 +207,7 @@
state: opened state: opened
name: "{{ partitioning_luks_mapper_name }}" name: "{{ partitioning_luks_mapper_name }}"
passphrase: "{{ partitioning_luks_passphrase_effective }}" passphrase: "{{ partitioning_luks_passphrase_effective }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | default('') | lower) }}" allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
register: partitioning_luks_open_result register: partitioning_luks_open_result
no_log: true no_log: true
rescue: rescue:
@@ -235,7 +235,7 @@
state: opened state: opened
name: "{{ partitioning_luks_mapper_name }}" name: "{{ partitioning_luks_mapper_name }}"
passphrase: "{{ partitioning_luks_passphrase_effective }}" passphrase: "{{ partitioning_luks_passphrase_effective }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | default('') | lower) }}" allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
register: partitioning_luks_open_retry register: partitioning_luks_open_retry
no_log: true no_log: true


@@ -1,11 +1,10 @@
--- ---
virtualization_tpm2_enabled: >- virtualization_tpm2_enabled: >-
{{ {{
(partitioning_luks_enabled | default(luks_enabled | default(false)) | bool) (partitioning_luks_enabled | bool)
and (partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool) and (partitioning_luks_auto_decrypt | bool)
and ( and (
(partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2'))) (partitioning_luks_auto_decrypt_method | lower)
| lower
== 'tpm2' == 'tpm2'
) )
}} }}


@@ -2,7 +2,8 @@
- name: Set libvirt image paths - name: Set libvirt image paths
delegate_to: localhost delegate_to: localhost
vars: vars:
virtualization_libvirt_image_dir_value: "{{ vm_path | default('/var/lib/libvirt/images') }}" virtualization_libvirt_image_dir_value: >-
{{ vm_path if vm_path | length > 0 else '/var/lib/libvirt/images' }}
ansible.builtin.set_fact: ansible.builtin.set_fact:
virtualization_libvirt_image_dir: "{{ virtualization_libvirt_image_dir_value }}" virtualization_libvirt_image_dir: "{{ virtualization_libvirt_image_dir_value }}"
virtualization_libvirt_disk_path: >- virtualization_libvirt_disk_path: >-


@@ -2,7 +2,7 @@
- name: Deploy VM on Proxmox - name: Deploy VM on Proxmox
delegate_to: localhost delegate_to: localhost
vars: vars:
virtualization_dns_value: "{{ vm_dns | default('') }}" virtualization_dns_value: "{{ vm_dns }}"
virtualization_dns_list_raw: >- virtualization_dns_list_raw: >-
{{ {{
virtualization_dns_value virtualization_dns_value
@@ -11,7 +11,7 @@
}} }}
virtualization_dns_list: >- virtualization_dns_list: >-
{{ virtualization_dns_list_raw | map('trim') | reject('equalto', '') | list }} {{ virtualization_dns_list_raw | map('trim') | reject('equalto', '') | list }}
virtualization_search_value: "{{ vm_dns_search | default('') }}" virtualization_search_value: "{{ vm_dns_search }}"
virtualization_search_list_raw: >- virtualization_search_list_raw: >-
{{ {{
virtualization_search_value virtualization_search_value
@@ -33,7 +33,7 @@
cpu: host cpu: host
cores: "{{ vm_cpus }}" cores: "{{ vm_cpus }}"
memory: "{{ vm_memory }}" memory: "{{ vm_memory }}"
balloon: "{{ vm_ballo | default(omit) }}" balloon: "{{ vm_ballo if vm_ballo | int > 0 else omit }}"
numa_enabled: true numa_enabled: true
hotplug: network,disk hotplug: network,disk
update: "{{ virtualization_tpm2_enabled | bool }}" update: "{{ virtualization_tpm2_enabled | bool }}"
@@ -57,16 +57,16 @@
}} }}
ide: ide:
ide0: "{{ boot_iso }},media=cdrom" ide0: "{{ boot_iso }},media=cdrom"
ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined else omit }}" ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso | length > 0 else omit }}"
ide2: "{{ hypervisor_storage }}:cloudinit" ide2: "{{ hypervisor_storage }}:cloudinit"
net: net:
net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %} net0: virtio,bridge={{ vm_nif }}{% if vlan_name | length > 0 %},tag={{ vlan_name }}{% endif %}
ipconfig: ipconfig:
ipconfig0: >- ipconfig0: >-
{{ {{
'ip=' ~ vm_ip ~ '/' ~ (vm_nms | default(24)) 'ip=' ~ vm_ip ~ '/' ~ vm_nms
~ (',gw=' ~ vm_gw if vm_gw is defined and vm_gw | length else '') ~ (',gw=' ~ vm_gw if vm_gw | length else '')
if vm_ip is defined and vm_ip | length if vm_ip | length
else 'ip=dhcp' else 'ip=dhcp'
}} }}
nameservers: "{{ virtualization_dns_list if virtualization_dns_list | length else omit }}" nameservers: "{{ virtualization_dns_list if virtualization_dns_list | length else omit }}"


@@ -8,11 +8,11 @@
validate_certs: false validate_certs: false
datacenter: "{{ hypervisor_datacenter }}" datacenter: "{{ hypervisor_datacenter }}"
cluster: "{{ hypervisor_cluster }}" cluster: "{{ hypervisor_cluster }}"
folder: "{{ vm_path | default(omit) }}" folder: "{{ vm_path if vm_path | length > 0 else omit }}"
name: "{{ hostname }}" name: "{{ hostname }}"
guest_id: otherLinux64Guest guest_id: otherLinux64Guest
annotation: | annotation: |
{{ note | default('') }} {{ note }}
state: "{{ 'poweredoff' if virtualization_tpm2_enabled | bool else 'poweredon' }}" state: "{{ 'poweredoff' if virtualization_tpm2_enabled | bool else 'poweredon' }}"
disk: disk:
- size_gb: "{{ vm_size }}" - size_gb: "{{ vm_size }}"
@@ -41,12 +41,12 @@
"state": "present", "state": "present",
"type": "iso", "type": "iso",
"iso_path": rhel_iso "iso_path": rhel_iso
} ] if rhel_iso is defined and rhel_iso|length > 0 else [] ) } ] if rhel_iso | length > 0 else [] )
}} }}
networks: networks:
- name: "{{ vm_nif }}" - name: "{{ vm_nif }}"
type: dhcp type: dhcp
vlan: "{{ vlan_name | default(omit) }}" vlan: "{{ vlan_name if vlan_name | length > 0 else omit }}"
- name: Ensure vTPM2 is enabled when required - name: Ensure vTPM2 is enabled when required
when: virtualization_tpm2_enabled | bool when: virtualization_tpm2_enabled | bool
@@ -57,7 +57,7 @@
password: "{{ hypervisor_password }}" password: "{{ hypervisor_password }}"
validate_certs: false validate_certs: false
datacenter: "{{ hypervisor_datacenter }}" datacenter: "{{ hypervisor_datacenter }}"
folder: "{{ vm_path | default(omit) }}" folder: "{{ vm_path if vm_path | length > 0 else omit }}"
name: "{{ hostname }}" name: "{{ hostname }}"
state: present state: present


@@ -4,27 +4,27 @@ network:
id0: id0:
match: match:
macaddress: "{{ virtualization_mac_address }}" macaddress: "{{ virtualization_mac_address }}"
{% set has_static = vm_ip is defined and vm_ip | length %} {% set has_static = vm_ip | length %}
{% set dns_value = vm_dns | default('') %} {% set dns_value = vm_dns %}
{% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %} {% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
{% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %} {% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
{% set search_value = vm_dns_search | default('') %} {% set search_value = vm_dns_search %}
{% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %} {% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
{% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %} {% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
{% if has_static %} {% if has_static %}
addresses: addresses:
- "{{ vm_ip }}/{{ vm_nms | default(24) }}" - "{{ vm_ip }}/{{ vm_nms }}"
{% if vm_gw is defined and vm_gw | length %} {% if vm_gw | length %}
gateway4: "{{ vm_gw }}" gateway4: "{{ vm_gw }}"
{% endif %} {% endif %}
{% else %} {% else %}
dhcp4: true dhcp4: true
{% if (vm_dns is defined and vm_dns | length) or (vm_dns_search is defined and vm_dns_search | length) %} {% if (vm_dns | length) or (vm_dns_search | length) %}
dhcp4-overrides: dhcp4-overrides:
{% if vm_dns is defined and vm_dns | length %} {% if vm_dns | length %}
use-dns: false use-dns: false
{% endif %} {% endif %}
{% if vm_dns_search is defined and vm_dns_search | length %} {% if vm_dns_search | length %}
use-domains: false use-domains: false
{% endif %} {% endif %}
{% endif %} {% endif %}


@@ -1,7 +1,7 @@
<domain type='kvm'> <domain type='kvm'>
<name>{{ hostname }}</name> <name>{{ hostname }}</name>
<memory>{{ vm_memory | int * 1024 }}</memory> <memory>{{ vm_memory | int * 1024 }}</memory>
{% if vm_ballo is defined %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %} {% if vm_ballo | int > 0 %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
<vcpu placement='static'>{{ vm_cpus }}</vcpu> <vcpu placement='static'>{{ vm_cpus }}</vcpu>
<os> <os>
<type arch='x86_64' machine="pc-q35-8.0">hvm</type> <type arch='x86_64' machine="pc-q35-8.0">hvm</type>
@@ -37,7 +37,7 @@
<source file="{{ virtualization_libvirt_cloudinit_path }}"/> <source file="{{ virtualization_libvirt_cloudinit_path }}"/>
<target dev="sdb" bus="sata"/> <target dev="sdb" bus="sata"/>
</disk> </disk>
{% if rhel_iso is defined %} {% if rhel_iso | length > 0 %}
<disk type="file" device="cdrom"> <disk type="file" device="cdrom">
<driver name="qemu" type="raw"/> <driver name="qemu" type="raw"/>
<source file="{{ rhel_iso }}"/> <source file="{{ rhel_iso }}"/>
@@ -49,7 +49,7 @@
<source network='default'/> <source network='default'/>
<model type='virtio'/> <model type='virtio'/>
</interface> </interface>
{% if virtualization_tpm2_enabled | default(false) %} {% if virtualization_tpm2_enabled %}
<tpm model='tpm-crb'> <tpm model='tpm-crb'>
<backend type='emulator' version='2.0'/> <backend type='emulator' version='2.0'/>
</tpm> </tpm>
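Review bot: `{% if virtualization_tpm2_enabled %}` drops the `| bool` that every other consumer of this variable in the commit keeps (`update:`, `state:` and `when:` in the Proxmox and VMware tasks). The variable is defined as a folded Jinja expression, so depending on the templating mode its value may reach this template as the string `'False'`, which is non-empty and therefore truthy, emitting the `<tpm>` element on a VM that should not get one. `{% if virtualization_tpm2_enabled | bool %}` removes the ambiguity and matches the other call sites.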