diff --git a/main.yml b/main.yml index ec27052..c64493a 100644 --- a/main.yml +++ b/main.yml @@ -141,6 +141,15 @@ ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ansible_python_interpreter: /usr/bin/python3 + - name: Wait for the rebooted host to accept SSH + when: + - post_reboot_can_connect | bool + ansible.builtin.wait_for_connection: + delay: 5 + sleep: 5 + # 600s: a selinux-enabled first boot relabels the filesystem and reboots once more. + timeout: 600 + - name: Re-gather facts for target OS after reboot when: - post_reboot_can_connect | bool @@ -150,6 +159,13 @@ - min - pkg_mgr + - name: Register with the Satellite content source + when: + - post_reboot_can_connect | bool + - system_cfg.content.source == 'satellite' + - system_cfg.os | lower in os_family_rhel + ansible.builtin.include_tasks: "{{ playbook_dir }}/roles/configuration/tasks/satellite_register.yml" + - name: Install post-reboot packages when: - post_reboot_can_connect | bool diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml index d8cbd52..be20790 100644 --- a/roles/bootstrap/vars/main.yml +++ b/roles/bootstrap/vars/main.yml @@ -11,6 +11,7 @@ bootstrap_common_conditional: >- + (['cryptsetup', 'tpm2-tools'] if system_cfg.luks.enabled | bool else []) + (['qemu-guest-agent'] if hypervisor_type in ['libvirt', 'proxmox'] else []) + (['open-vm-tools'] if hypervisor_type == 'vmware' else []) + + (['cloud-init'] if system_cfg.features.cloud_init | bool else []) ) }} diff --git a/roles/configuration/tasks/selinux.yml b/roles/configuration/tasks/selinux.yml index 88bd294..4883cbb 100644 --- a/roles/configuration/tasks/selinux.yml +++ b/roles/configuration/tasks/selinux.yml 
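Review bot: The new "Wait for the rebooted host to accept SSH" task reconnects under the `ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"` visible in the preceding task, so the rebooted host is accepted with no host-identity check at all; if that is deliberate because first boot regenerates the SSH host keys (this diff does not show it), say so in a comment on the wait and keep the override scoped to this reconnect rather than inherited by everything that follows. The `timeout: 600` is also a bare constant whose justification in the comment applies only to SELinux-enabled RHEL-family images; `timeout: "{{ post_reboot_connect_timeout | default(600) }}"` lets other builds fail fast instead of hanging ten minutes on a dead host. The comment presumably relies on sshd not being started during the autorelabel boot — otherwise the wait returns on the pre-relabel boot and the fact re-gather races the second reboot — which is worth stating explicitly and confirming on the targets in use. The task that sets these connection vars starts above this hunk.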
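Review bot: `system_cfg.content.source == 'satellite'` is evaluated on every host that passes `post_reboot_can_connect`, and nothing in this diff adds `content.source` to `system_defaults` or to `_normalize_system.yml` (the `source: ""` added to the defaults sits under a different key and is documented as wrapper-only), so unless `content` is normalized elsewhere a host config that omits it fails with an undefined-variable error instead of skipping. Guard it: `- (system_cfg.content.source | default('')) == 'satellite'`. Running the registration ahead of "Install post-reboot packages" is the right order, since it makes the Satellite the content source before anything is pulled; the included `satellite_register.yml` is not in this diff, so whatever activation key or credential it passes should be checked separately for `no_log: true`.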
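Review bot: Adding `cloud-init` to the baked package set puts a first-boot agent in the golden image, and with stock configuration it probes every datasource in its default list (including link-local metadata endpoints on whatever network the clone boots on) and applies user, password and SSH-key data from the first one that answers; nothing in this diff pins `datasource_list` or trims the module set. If the clone-deploy path only seeds NoCloud/ConfigDrive, add a drop-in such as `/etc/cloud/cloud.cfg.d/90-datasource.cfg` with `datasource_list: [NoCloud, ConfigDrive, None]` in the configuration role, gated on the same `system_cfg.features.cloud_init` flag — that may already exist in the role, which this diff does not show. The `bootstrap_common_conditional` folded scalar starts above this hunk, so I cannot see whether the package name is also conditioned on the OS family the comment in the defaults says is uniform.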
@@ -11,6 +11,16 @@ register: configuration_setfiles_result changed_when: configuration_setfiles_result.rc == 0 + # setfiles in the chroot misses paths created at first boot (e.g. /var/lib/sss), + # leaving unlabeled_t files that block services under enforcing SELinux. Force a + # complete relabel on first boot; fixfiles consumes and removes the flag. + - name: Force a complete SELinux relabel on first boot + when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool + ansible.builtin.file: + path: /mnt/.autorelabel + state: touch + mode: "0644" + # Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux # is left permissive and expected to relabel on first boot. - name: Disable SELinux diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml index a08cb6c..ab98706 100644 --- a/roles/global_defaults/defaults/main.yml +++ b/roles/global_defaults/defaults/main.yml @@ -58,6 +58,8 @@ system_defaults: version: "" filesystem: "ext4" name: "" + # consumed by the golden produce/deploy wrappers, not the bootstrap itself + source: "" id: "" cpus: 0 memory: 0 # MiB @@ -101,6 +103,10 @@ system_defaults: bits: 512 pbkdf: "argon2id" features: + # Bake cloud-init for the deterministic clone-deploy golden path; off by + # default (ansible-direct everywhere, smaller image). Package name is + # uniform across families. + cloud_init: false cis: enabled: false profile: default # default|l1|l2 (default = current house behaviour) diff --git a/roles/global_defaults/tasks/_normalize_system.yml b/roles/global_defaults/tasks/_normalize_system.yml index f0bc798..b1d8fb1 100644 --- a/roles/global_defaults/tasks/_normalize_system.yml +++ b/roles/global_defaults/tasks/_normalize_system.yml 
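Review bot: `state: touch` on `/mnt/.autorelabel` rewrites the timestamps and reports changed on every run; for an existence-only flag add `access_time: preserve` and `modification_time: preserve` under the `file:` args so repeat runs stay idempotent. The guard also hardcodes `os in ['almalinux', 'rocky', 'rhel']` while the main.yml hunk in this same commit tests `system_cfg.os | lower in os_family_rhel`; whichever variants `os_family_rhel` covers beyond these three will boot enforcing without the relabel and hit exactly the `unlabeled_t` failures the comment describes, so use one form (`system_cfg.os | lower in os_family_rhel and system_cfg.features.selinux.enabled | bool`) and write it as a `when:` list like the other tasks. The comment could also note that an empty flag file requests a plain relabel (no `-F`), so customized file contexts set earlier in this role survive — hedged, since the `setfiles` task it refers to starts above this hunk.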
@@ -140,6 +140,7 @@ pbkdf: "{{ system_raw.luks.pbkdf | string }}" # --- Feature flags --- features: + cloud_init: "{{ system_raw.features.cloud_init | default(false) | bool }}" cis: enabled: "{{ system_raw.features.cis.enabled | bool }}" profile: "{{ system_raw.features.cis.profile | default('default') | string }}"