sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: EL10 PAM and crypto readiness via authselect profile and DEFAULT policy

Browse Source
This commit is contained in:
Sandwich
2026-05-28 17:30:57 +02:00
parent 6fe843355e
commit 89e366d0f0
6 changed files with 84 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
roles/bootstrap/tasks/main.yml
View File

@@ -49,6 +49,15 @@
bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}"
ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"
# dnf --installroot never runs anaconda, so no authselect profile is selected and
# /etc/pam.d/system-auth is missing, leaving the system unable to authenticate.
# local is the right profile: local-auth only, no pam_sss.so, still CIS-capable.
- name: Select default authselect profile for the PAM stack
when: is_authselect | bool
ansible.builtin.command: "{{ chroot_command }} authselect select local --force"
register: bootstrap_authselect_result
changed_when: bootstrap_authselect_result.rc == 0
- name: Install hardware-matched firmware/microcode/GPU/peripheral packages
when: >-
(system_cfg.features.firmware.enabled | bool)