fix: EL10 PAM and crypto readiness via authselect profile and DEFAULT policy
This commit is contained in:
@@ -49,6 +49,15 @@
|
||||
bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}"
|
||||
ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"
|
||||
|
||||
# dnf --installroot never runs anaconda, so no authselect profile is selected and
|
||||
# /etc/pam.d/system-auth is missing, leaving the system unable to authenticate.
|
||||
# local is the right profile: local-auth only, no pam_sss.so, still CIS-capable.
|
||||
- name: Select default authselect profile for the PAM stack
|
||||
when: is_authselect | bool
|
||||
ansible.builtin.command: "{{ chroot_command }} authselect select local --force"
|
||||
register: bootstrap_authselect_result
|
||||
changed_when: bootstrap_authselect_result.rc == 0
|
||||
|
||||
- name: Install hardware-matched firmware/microcode/GPU/peripheral packages
|
||||
when: >-
|
||||
(system_cfg.features.firmware.enabled | bool)
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
# Feature-gated packages shared across all distros.
|
||||
# Arch has special nftables handling and composes this differently.
|
||||
# Feature-gated packages shared across all distros. Arch strips nftables from
|
||||
# this and composes it differently.
|
||||
bootstrap_common_conditional: >-
|
||||
{{
|
||||
(
|
||||
@@ -15,12 +15,29 @@ bootstrap_common_conditional: >-
|
||||
)
|
||||
}}
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Per-OS package definitions: base (rootfs/group install), extra (post-base),
|
||||
# conditional (feature/version-gated, appended by task files).
|
||||
# DNF-based distros also carry repos (dnf --repo) and use base as group names.
|
||||
# ---------------------------------------------------------------------------
|
||||
# Native-installer parity backfill: anaconda and the d-i "standard" task leave
|
||||
# these, but install_weak_deps=False / Recommends-off minimal installs drop them.
|
||||
bootstrap_el_runtime:
|
||||
- NetworkManager
|
||||
- authselect
|
||||
- authselect-libs
|
||||
- chrony
|
||||
- crypto-policies
|
||||
- crypto-policies-scripts
|
||||
- dbus
|
||||
- polkit
|
||||
|
||||
bootstrap_deb_runtime:
|
||||
- apparmor-utils
|
||||
- chrony
|
||||
- libpam-pwquality
|
||||
- needrestart
|
||||
- network-manager
|
||||
- sudo
|
||||
|
||||
# Per-OS package definitions: base (rootfs/group install), extra (post-base),
|
||||
# conditional (feature/version-gated, appended by task files). DNF distros also
|
||||
# carry repos and use base as group names.
|
||||
bootstrap_rhel:
|
||||
repos:
|
||||
- "rhel{{ os_version_major }}-baseos"
|
||||
@@ -53,6 +70,7 @@ bootstrap_rhel:
|
||||
+ (['python39'] if os_version_major | default('') == '8' else ['python'])
|
||||
+ (['kernel'] if os_version_major | default('') == '10' else [])
|
||||
+ (['zram-generator'] if os_version_major | default('') in ['9', '10'] else [])
|
||||
+ bootstrap_el_runtime
|
||||
+ bootstrap_common_conditional
|
||||
}}
|
||||
|
||||
@@ -87,8 +105,8 @@ bootstrap_almalinux:
|
||||
- zstd
|
||||
conditional: >-
|
||||
{{
|
||||
(['dbus-daemon'] if (os_version_major | default('10') | int) >= 9 else [])
|
||||
+ (['dhcp-client'] if (os_version_major | default('10') | int) < 10 else [])
|
||||
(['dhcp-client'] if (os_version_major | default('10') | int) < 10 else [])
|
||||
+ bootstrap_el_runtime
|
||||
+ bootstrap_common_conditional
|
||||
}}
|
||||
|
||||
@@ -127,6 +145,7 @@ bootstrap_rocky:
|
||||
conditional: >-
|
||||
{{
|
||||
(['dhcp-client'] if (os_version_major | default('9') | int) < 10 else [])
|
||||
+ bootstrap_el_runtime
|
||||
+ bootstrap_common_conditional
|
||||
}}
|
||||
|
||||
@@ -160,7 +179,6 @@ bootstrap_fedora:
|
||||
- nc
|
||||
- nfs-utils
|
||||
- nfsv4-client-utils
|
||||
- polkit
|
||||
- ppp
|
||||
- python3
|
||||
- ripgrep
|
||||
@@ -171,7 +189,7 @@ bootstrap_fedora:
|
||||
- zoxide
|
||||
- zram-generator
|
||||
- zstd
|
||||
conditional: "{{ bootstrap_common_conditional }}"
|
||||
conditional: "{{ bootstrap_el_runtime + bootstrap_common_conditional }}"
|
||||
|
||||
bootstrap_debian:
|
||||
base:
|
||||
@@ -189,28 +207,22 @@ bootstrap_debian:
|
||||
- python3
|
||||
- xfsprogs
|
||||
extra:
|
||||
- apparmor-utils
|
||||
- bat
|
||||
- chrony
|
||||
- curl
|
||||
- entr
|
||||
- fish
|
||||
- fzf
|
||||
- htop
|
||||
- jq
|
||||
- libpam-pwquality
|
||||
- linux-image-amd64
|
||||
- lrzsz
|
||||
- mtr
|
||||
- ncdu
|
||||
- needrestart
|
||||
- net-tools
|
||||
- network-manager
|
||||
- python-is-python3
|
||||
- ripgrep
|
||||
- rsync
|
||||
- screen
|
||||
- sudo
|
||||
- syslog-ng
|
||||
- tcpd
|
||||
- vim
|
||||
@@ -225,6 +237,7 @@ bootstrap_debian:
|
||||
+ (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else [])
|
||||
+ (['tldr'] if (os_version | string) not in ['13', 'unstable'] else [])
|
||||
+ (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
|
||||
+ bootstrap_deb_runtime
|
||||
+ bootstrap_common_conditional
|
||||
}}
|
||||
|
||||
@@ -246,10 +259,8 @@ bootstrap_ubuntu:
|
||||
- python3
|
||||
- xfsprogs
|
||||
extra:
|
||||
- apparmor-utils
|
||||
- bash-completion
|
||||
- bat
|
||||
- chrony
|
||||
- curl
|
||||
- dnsutils
|
||||
- duf
|
||||
@@ -261,20 +272,16 @@ bootstrap_ubuntu:
|
||||
- fzf
|
||||
- htop
|
||||
- jq
|
||||
- libpam-pwquality
|
||||
- lrzsz
|
||||
- mtr
|
||||
- ncdu
|
||||
- ncurses-term
|
||||
- needrestart
|
||||
- net-tools
|
||||
- network-manager
|
||||
- python-is-python3
|
||||
- ripgrep
|
||||
- rsync
|
||||
- screen
|
||||
- software-properties-common
|
||||
- sudo
|
||||
- syslog-ng
|
||||
- systemd-zram-generator
|
||||
- tcpd
|
||||
@@ -288,6 +295,7 @@ bootstrap_ubuntu:
|
||||
conditional: >-
|
||||
{{
|
||||
(['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
|
||||
+ bootstrap_deb_runtime
|
||||
+ bootstrap_common_conditional
|
||||
}}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user