diff --git a/README.md b/README.md index 86fda80..db8316c 100644 --- a/README.md +++ b/README.md @@ -3,9 +3,11 @@ An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool. # Info + Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems. **NOTE**: + - For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository. - RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives. - For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended. @@ -15,7 +17,7 @@ Most of the roles are adaptable for use with systems beyond ArchLinux, requiring This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions: | `os` | Distribution | -|------------|------------------------------------| +| ---------- | ---------------------------------- | | archlinux | ArchLinux (Latest rolling release) | | almalinux | AlmaLinux 9.x | | debian11 | Debian 11 (Bullseye) | @@ -23,6 +25,7 @@ This playbook supports multiple Linux distributions with specific versions tailo | fedora | Fedora 41 | | rhel8 | Red Hat Enterprise Linux 8 | | rhel9 | Red Hat Enterprise Linux 9 | +| rhel10 | Red Hat Enterprise Linux 10 | | rocky | Rocky Linux 9.x | | ubuntu | Ubuntu 24.10 (Oracular Oriole) | | ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) | 
@@ -47,21 +50,21 @@ The playbook uses the ArchLinux ISO as a foundational tool to provides an effici Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed. -| Variable | Description | Example Value | -|-----------------------|--------------------------------------------------------------------|-----------------------------------------| -| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` | -| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`| -| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` | -| `vmware_ssh` | If Ansible should use SSH after base VM setup on VMware. | `true`, `false (default)` | -| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` | -| `hypervisor_node` | Hypervisor node name. | `node01` | -| `hypervisor_password` | Password for hypervisor authentication. | `123456` | -| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` | -| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` | -| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` | -| `install_drive` | Drive where the system will be installed. | `/dev/sda` | -| `install_type` | Type of installation. | `virtual`, `physical` | -| `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` | +| Variable | Description | Example Value | +| ---------------------- | ---------------------------------------------------------- | ----------------------------------------- | +| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` | +| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. 
| `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` | +| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` | +| `vmware_ssh` | If Ansible should use SSH after base VM setup on VMware. | `true`, `false (default)` | +| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` | +| `hypervisor_node` | Hypervisor node name. | `node01` | +| `hypervisor_password` | Password for hypervisor authentication. | `123456` | +| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` | +| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` | +| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` | +| `install_drive` | Drive where the system will be installed. | `/dev/sda` | +| `install_type` | Type of installation. | `virtual`, `physical` | +| `vlan_name` (optional) | VLAN for the VM's network interface. | `vlan100` | To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**. 
@@ -69,30 +72,30 @@ To protect sensitive information, such as passwords, API keys, and other confide Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs. -| Variable | Description | Example Value | -|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------| -| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` | -| `selinux` (optional) | Toggle SELinux, `false` means it should be disabled.` | `true`, `false` | -| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` | -| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` | -| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rocky`, `ubuntu`, `ubuntu-lts` | -| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` | -| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` | -| `user_password` | Password for the user account within the VM. | `UserPass123` | -| `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` | -| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` | -| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` | -| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` | -| `vm_dns_search` | DNS search zone for the virtual machine's network configuration. 
| `example.com` | -| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` | -| `vm_id` | Unique identifier for the virtual machine. | `101` | -| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` | -| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` | -| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` | -| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` | -| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` | -| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` | -| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` | +| Variable | Description | Example Value | +| --------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | +| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` | +| `selinux` (optional) | Toggle SELinux, `false` means it should be disabled.` | `true`, `false` | +| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` | +| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` | +| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rhel10`, `rocky`, `ubuntu`, `ubuntu-lts` | +| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` | +| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` | +| `user_password` | Password for the user account within the VM. 
| `UserPass123` | +| `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` | +| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` | +| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` | +| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` | +| `vm_dns_search` | DNS search zone for the virtual machine's network configuration. | `example.com` | +| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` | +| `vm_id` | Unique identifier for the virtual machine. | `101` | +| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` | +| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` | +| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` | +| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` | +| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` | +| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` | +| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` | ## 4. How to Use the Playbook diff --git a/main.yml b/main.yml index 6dddc99..e88ea79 100644 --- a/main.yml +++ b/main.yml @@ -9,7 +9,7 @@ prompt: | What is your username? private: false - + - name: user_public_key prompt: | What is your ssh key? 
@@ -27,10 +27,14 @@ vars_files: vars.yml pre_tasks: - name: Set ansible_python_interpreter - when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"] + when: os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 + - name: Set default variables + ansible.builtin.set_fact: + cis: false + - name: Set SSH Access when: hypervisor != "vmware" ansible.builtin.set_fact: @@ -45,8 +49,8 @@ - hypervisor in ["libvirt", "proxmox", "vmware", "none"] - filesystem in ["btrfs", "ext4", "xfs"] - install_drive is defined - - os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rocky", "ubuntu", "ubuntu-lts"] - - os not in ["rhel8", "rhel9"] or rhel_iso is defined + - os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"] + - os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined - (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20) - (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16) fail_msg: Invalid input specified, please try again. @@ -97,4 +101,3 @@ when: not (hypervisor == 'vmware' and cis | bool) ansible.builtin.wait_for_connection: timeout: 300 - diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml index f16081f..74964e0 100644 --- a/roles/bootstrap/tasks/main.yml +++ b/roles/bootstrap/tasks/main.yml 
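Review bot: The new `Set default variables` task sets `cis: false` unconditionally, and `set_fact` outranks inventory and `vars_files` values, so a host that opts into hardening with `cis: true` in the inventory is silently downgraded to an unhardened install, and every later `cis | bool` check (the `wait_for_connection` guard further down this file, for one) sees `false`. Make the default a fallback rather than an override, e.g. `when: cis is not defined` on that task, or `cis: "{{ cis | default(false) | bool }}"`. The README in this same diff lists `cis` as an optional inventory variable, which this task would now shadow.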
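Review bot: The supported-OS list in the `assert` is now one more hand-maintained copy of the same literal (the RHEL-family subset in the `Set ansible_python_interpreter` condition above, the README table, and the `when:` guards across roles/bootstrap, roles/cis, roles/configuration and roles/environment all had to gain `rhel10` separately in this diff), which is how one of them drifts next release. Define the lists once, e.g. `supported_os` and `rhel_os` in vars.yml, and write `- os in supported_os` here and `os in rhel_os` in the RHEL guards. The `rhel_iso` check on the next line would then read `- os not in rhel_os or rhel_iso is defined`.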
@@ -1,14 +1,9 @@ --- -- name: Include Packages - ansible.builtin.include_vars: - file: packages.yml - name: role_packages - - name: Run OS-specific bootstrap process block: - name: Bootstrap ArchLinux when: os | lower == 'archlinux' - ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit + ansible.builtin.command: pacstrap /mnt {{ archlinux | join(' ') }} --asexplicit changed_when: result.rc == 0 register: result @@ -18,9 +13,9 @@ changed_when: result.rc == 0 register: result with_items: - - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} + - debootstrap --include={{ vars[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/ - - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }} + - arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }} - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data - name: Bootstrap Ubuntu System @@ -29,12 +24,12 @@ changed_when: result.rc == 0 register: result with_items: - - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }} + - debootstrap --include={{ vars[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }} /mnt http://archive.ubuntu.com/ubuntu/ - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list - arch-chroot /mnt apt update -y - - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }} + - arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }} - name: Bootstrap AlmaLinux 9 when: os | lower == 'almalinux' 
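Review bot: Dropping the `role_packages` namespace turns the package lists into bare top-level variables (`archlinux` here, `vars[os]` in the `@@ -18` and `@@ -29` hunks, and `almalinux`, `fedora`, `rocky` and `vars[os]` in the `@@ -44`, `@@ -55`, `@@ -68` and `@@ -95` hunks of this file), so any inventory or play variable that happens to share one of those names now overrides a distro's package set, and `vars[os]` for `os: ubuntu-lts` depends on a variable literally named `ubuntu-lts`, which Ansible's variable-name validation may reject where the file is loaded — worth confirming. Where the lists now live is not in this chunk. A single dict keeps both the namespacing and the dynamic lookup: `packages[os].base`, `packages[os].extra` and `packages[os]` in place of the `vars[os]` forms, and `packages.archlinux` in place of `archlinux`. The `Run OS-specific bootstrap process` block continues past the hunk.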
@@ -44,7 +39,7 @@ with_items: - dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }} + - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ almalinux | join(' ') }} - name: Bootstrap Fedora 41 when: os | lower == 'fedora' @@ -55,7 +50,7 @@ - dnf --releasever=41 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - - arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }} + - arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ fedora | join(' ') }} - arch-chroot /mnt dnf reinstall -y kernel-core - name: Bootstrap RockyLinux 9 @@ -68,14 +63,14 @@ --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists groupinstall -y base core - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }} + - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ rocky | join(' ') }} - name: Bootstrap RHEL System - when: os | lower in ['rhel8', 'rhel9'] + when: os | lower in ['rhel8', 'rhel9', 'rhel10'] block: - name: Install base packages in chroot environment ansible.builtin.command: >- - dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --repo={{ os | lower }}-baseos + dnf --releasever={{ os | lower | replace('rhel', '') }} --repo={{ os | lower }}-baseos --installroot=/mnt --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists groupinstall -y core base standard 
@@ -95,12 +90,12 @@ ansible.builtin.copy: src: /etc/yum.repos.d/{{ os | lower }}.repo dest: /mnt/etc/yum.repos.d/redhat.repo - mode: '0644' + mode: "0644" remote_src: true - name: Install additional packages in chroot ansible.builtin.command: >- - arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} - --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }} + arch-chroot /mnt dnf --releasever={{ os | lower | replace('rhel', '') }} + --setopt=install_weak_deps=False install -y {{ vars[os] | join(' ') }} changed_when: result.rc == 0 register: result diff --git a/roles/cis/tasks/main.yml b/roles/cis/tasks/main.yml index 7795bad..c1b03ea 100644 --- a/roles/cis/tasks/main.yml +++ b/roles/cis/tasks/main.yml @@ -94,8 +94,10 @@ - /mnt/etc/pam.d/password-auth - name: Configure System Cryptography Policy - when: os in ["almalinux", "rhel9", "rocky"] + when: os in ["almalinux", "rhel9", "rhel10", "rocky"] ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1 + register: crypto_policy_result + changed_when: "'Setting system-wide crypto-policies to' in crypto_policy_result.stdout" - name: Mask Systemd Services ansible.builtin.command: > @@ -135,11 +137,11 @@ - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 } - { - path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', + path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}', content: umask 077, } - { - path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', + path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000, } - { 
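Review bot: The new `changed_when` in `Configure System Cryptography Policy` keys on the exact phrase `Setting system-wide crypto-policies to` in stdout, which I could not confirm is what `update-crypto-policies --set` prints; if the wording differs, the task still applies the policy every run but always reports `ok`, so the hardening change becomes invisible in play output. Derive the change from state instead: register a preceding `arch-chroot /mnt /usr/bin/update-crypto-policies --show` (with `changed_when: false`) and use `changed_when: crypto_policy_before.stdout.strip() != 'DEFAULT:NO-SHA1'`, which also makes the task idempotent. Whether the `NO-SHA1` subpolicy file still ships on RHEL 10 is worth a check before adding it to the `when:` list, since a missing subpolicy fails the command.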
@@ -186,8 +188,8 @@ { "path": "/mnt/etc/cron.d", "mode": "0700" }, { "path": "/mnt/etc/crontab", "mode": "0600" }, { "path": "/mnt/etc/logrotate.conf", "mode": "0644" }, - { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9"] else None, - { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rocky"] + { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None, + { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"] else "fusermount"), "mode": "755" }, { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" } ] | reject("none") }} diff --git a/roles/configuration/tasks/main.yml b/roles/configuration/tasks/main.yml index ed043a1..a089d5c 100644 --- a/roles/configuration/tasks/main.yml +++ b/roles/configuration/tasks/main.yml @@ -7,14 +7,14 @@ register: result - name: Remove depricated attr2 and disable large extent - when: os in ["almalinux", "rhel8", "rhel9", "rocky"] and filesystem == "xfs" + when: os in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] and filesystem == "xfs" ansible.builtin.replace: path: /mnt/etc/fstab regexp: "(xfs.*?)(attr2)" replace: '\1allocsize=64m' - name: Replace ISO UUID entry with /dev/sr0 in fstab - when: os in ["rhel8", "rhel9"] + when: os in ["rhel8", "rhel9", "rhel10"] ansible.builtin.lineinfile: path: /mnt/etc/fstab regexp: '^.*\/dvd.*$' @@ -25,7 +25,7 @@ backrefs: true - name: Write image from RHEL ISO to the target machine - when: os in ["rhel8", "rhel9"] and hypervisor == 'vmware' + when: os in ["rhel8", "rhel9", "rhel10"] and hypervisor == 'vmware' ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M changed_when: result.rc == 0 register: result 
@@ -53,7 +53,7 @@ - name: Setup locales block: - name: Configure locale.gen - when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] + when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] ansible.builtin.lineinfile: dest: /mnt/etc/locale.gen regexp: "{{ item.regex }}" @@ -62,7 +62,7 @@ - { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 } - name: Generate locales - when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] + when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen changed_when: result.rc == 0 register: result @@ -118,7 +118,7 @@ register: result - name: Configure grub - when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] + when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] block: - name: Add commandline information to grub config ansible.builtin.lineinfile: 
@@ -138,23 +138,13 @@ ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 - -l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi' + -l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi' {% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }} {% endif %} changed_when: result.rc == 0 register: result - - name: Generate grub config - ansible.builtin.command: arch-chroot /mnt - {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} - /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg - {% else %} - /usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }} - {% endif %} - changed_when: result.rc == 0 - register: result - - name: Ensure lvm2 for non btrfs filesystems when: os | lower == "archlinux" and filesystem != "btrfs" ansible.builtin.lineinfile: 
@@ -167,8 +157,17 @@ when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] ansible.builtin.command: arch-chroot /mnt {% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P - {% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force - {% else %} echo "Skipping initramfs regeneration" + {% else %} /usr/bin/dracut --regenerate-all --force + {% endif %} + changed_when: result.rc == 0 + register: result + + - name: Generate grub config + ansible.builtin.command: arch-chroot /mnt + {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} + /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg + {% else %} + /usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }} {% endif %} changed_when: result.rc == 0 register: result @@ -238,7 +237,7 @@ - /etc/issue.net - name: Remove motd files - when: os | lower in ["rhel8", "rhel9"] + when: os | lower in ["rhel8", "rhel9", "rhel10"] ansible.builtin.file: path: "{{ item }}" state: absent 
@@ -306,13 +305,16 @@ validate: /usr/sbin/visudo --check --file=%s - name: Fix SELinux - when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] + when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] block: - - name: Relabel the filesystem - when: os | lower != "fedora" - ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot" - changed_when: result.rc == 0 - register: result + - name: Fix SELinux by pre-labeling the filesystem before first boot + when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool) + ansible.builtin.command: > + arch-chroot /mnt /sbin/setfiles -v -F + -e /dev -e /proc -e /sys -e /run + /etc/selinux/targeted/contexts/files/file_contexts / + register: setfiles_result + changed_when: setfiles_result.rc == 0 - name: Disable SELinux when: os | lower == "fedora" or not (selinux | default(true) | bool) diff --git a/roles/environment/tasks/main.yml b/roles/environment/tasks/main.yml index d21e335..22a863a 100644 --- a/roles/environment/tasks/main.yml +++ b/roles/environment/tasks/main.yml @@ -69,7 +69,7 @@ ansible_user: "root" ansible_password: "" ansible_become_password: "" - ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' + ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" - name: Speed-up Bootstrap process ansible.builtin.lineinfile: 
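Review bot: `Fix SELinux by pre-labeling the filesystem before first boot` now runs `setfiles` against the target tree from the installer's kernel rather than scheduling `fixfiles onboot`, so the labels only land if that kernel lets `security.selinux` xattrs be written with no SELinux policy loaded and if the target filesystem carries them — neither is checked here, and depending on how setfiles reports such failures the task may still exit 0 and report `changed`. Verify the result in the same block, e.g. a follow-up `ansible.builtin.command: getfattr -n security.selinux /mnt/etc/passwd` with `changed_when: false`, and keep the first-boot relabel as a fallback (`ansible.builtin.file: path: /mnt/.autorelabel, state: touch`) so a tree that did not get labeled is repaired by the target's own policy instead of booting with unlabeled files. The hard-coded `/etc/selinux/targeted/contexts/files/file_contexts` path also assumes the `targeted` policy on every distro in the `when:` list — confirm. The `Fix SELinux` block continues past the hunk.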
@@ -81,30 +81,14 @@ ansible.builtin.wait_for: timeout: 15 - - name: Setup Pacman - community.general.pacman: - update_cache: true - force: true - name: "{{ item.name }}" - state: latest - loop: - - { name: glibc } - - { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] } - - { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] } - - { name: debian-archive-keyring, os: [debian11, debian12] } - - { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] } - when: "'os' not in item or os in item.os" - retries: 4 - delay: 15 - - name: Prepare /iso mount and repository for RHEL-based systems - when: os | lower in ["rhel8", "rhel9"] + when: os | lower in ["rhel8", "rhel9", "rhel10"] block: - name: Create /iso directory ansible.builtin.file: path: /usr/local/install/redhat/dvd state: directory - mode: '0755' + mode: "0755" - name: Mount RHEL ISO ansible.posix.mount: @@ -115,16 +99,16 @@ state: mounted - name: Configure RHEL Repos for installation - when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] + when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] block: - name: Create directories for repository files and RPM GPG keys ansible.builtin.file: path: /etc/yum.repos.d state: directory - mode: '0755' + mode: "0755" - name: Create RHEL repository file ansible.builtin.template: src: "{{ os | lower }}.repo.j2" dest: /etc/yum.repos.d/{{ os | lower }}.repo - mode: '0644' + mode: "0644" diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml index 9abd7ca..127bafd 100644 --- a/roles/partitioning/tasks/main.yml +++ b/roles/partitioning/tasks/main.yml @@ -9,7 +9,9 @@ loop: - { cmd: umount -l /mnt } - { cmd: vgremove -f sys } - - { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' } + - { + cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;', + } loop_control: label: "{{ item.cmd }}" 
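Review bot: The removed `Setup Pacman` task was what installed `dnf`, `debootstrap`, `debian-archive-keyring` and `ubuntu-keyring` on the live ISO, and nothing in this diff replaces it; unless that moved to a part of the change not in this chunk, the `dnf --installroot` and `debootstrap` calls in roles/bootstrap will fail on a stock ArchISO, and the two keyrings are what lets debootstrap verify the Release signatures it downloads, so their absence either breaks the Debian and Ubuntu paths or tempts someone into running debootstrap with signature checks off. If the install moved elsewhere, a comment here naming the new location would save the next reader the search, e.g. `# Installer tooling (dnf, debootstrap, archive keyrings) is now installed by <new location>`. The `Prepare /iso mount and repository for RHEL-based systems` block continues past the hunk.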
@@ -138,19 +140,19 @@ - path: /home uuid: "{{ uuid_home[0] | default(omit) }}" opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' - else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" + else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" - path: /var uuid: "{{ uuid_var[0] | default(omit) }}" opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' - else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" + else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" - path: /var/log uuid: "{{ uuid_var_log[0] | default(omit) }}" opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' - else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" + else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" - path: /var/log/audit uuid: "{{ uuid_var_log_audit[0] | default(omit) }}" opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' - else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" + else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" - name: Mount tmp and var_tmp filesystems ansible.posix.mount: diff --git a/roles/virtualization/templates/cloud-user-data.yml.j2 b/roles/virtualization/templates/cloud-user-data.yml.j2 index 51d230d..6f28dde 100644 --- a/roles/virtualization/templates/cloud-user-data.yml.j2 +++ b/roles/virtualization/templates/cloud-user-data.yml.j2 
@@ -1,10 +1,12 @@
 #cloud-config
 hostname: "archiso"
 ssh_pwauth: true
+package_update: false
+package_upgrade: false
 users:
 - name: "{{ user_name }}"
 primary_group: "{{ user_name }}"
 groups: users
 sudo: ALL=(ALL) NOPASSWD:ALL
 passwd: "{{ user_password | password_hash('sha512') }}"
- lock_passwd: False
\ No newline at end of file
+ lock_passwd: False
diff --git a/templates/rhel10.repo.j2 b/templates/rhel10.repo.j2
new file mode 100644
index 0000000..bbc3118
--- /dev/null
+++ b/templates/rhel10.repo.j2
@@ -0,0 +1,13 @@
+[rhel10-baseos]
+name=RHEL 10 BaseOS
+baseurl=file:///usr/local/install/redhat/dvd/BaseOS
+enabled=1
+gpgcheck=0
+gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
+
+[rhel10-appstream]
+name=RHEL 10 AppStream
+baseurl=file:///usr/local/install/redhat/dvd/AppStream
+enabled=1
+gpgcheck=0
+gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
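Review bot: The re-added `lock_passwd: False` keeps the capitalised YAML 1.1 boolean; write `lock_passwd: false` so the line follows the lowercase `true`/`false` the rest of the template uses (`ssh_pwauth: true`, the two new `package_*` keys) and passes yamllint's truthy check. The trailing-newline fix is otherwise the only change to that line.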
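Review bot: Both sections of the new `templates/rhel10.repo.j2` set `gpgcheck=0`, so every package `dnf` pulls from the mounted ISO during bootstrap is installed without RPM signature verification even though the template already points `gpgkey` at `RPM-GPG-KEY-redhat-release` on that ISO, and because roles/bootstrap copies `/etc/yum.repos.d/{{ os | lower }}.repo` into the target as `/mnt/etc/yum.repos.d/redhat.repo` (the `@@ -95` hunk of that file) the installed system inherits the unchecked repository too. The README also allows `rhel_iso` to be a proxy repository rather than a local image, which makes this check the only integrity control on what gets installed. Set `gpgcheck=1` in both `[rhel10-baseos]` and `[rhel10-appstream]`; if the existing rhel8/rhel9 templates, which are not in this diff, carry the same setting they deserve the same fix.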