diff --git a/inventory_example.yml b/inventory_example.yml index 3f8f153..bc246bc 100644 --- a/inventory_example.yml +++ b/inventory_example.yml 
@@ -1,65 +1,127 @@ --- all: vars: - install_type: "virtual" hypervisor: type: "proxmox" url: "pve01.example.com" username: "root@pam" password: "CHANGE_ME" - node: "pve01" + host: "pve01" storage: "local-lvm" - install_drive: "/dev/sda" boot_iso: "local:iso/archlinux-x86_64.iso" children: proxmox: hosts: app01.example.com: ansible_host: 10.0.0.10 - os: "archlinux" filesystem: "btrfs" system: + type: "virtual" + os: "archlinux" name: "app01.example.com" id: 100 cpus: 2 - memory_mb: 4096 + memory: 4096 + balloon: 0 network: "vmbr0" ip: 10.0.0.10 prefix: 24 gateway: 10.0.0.1 - dns_servers: - - 1.1.1.1 - - 1.0.0.1 + dns: + servers: + - 1.1.1.1 + - 1.0.0.1 + search: + - example.com disks: - size: 40 - size: 80 - mount: /data - fstype: xfs - extra_packages: - - jq - - tmux + mount: + path: /data + fstype: xfs + label: DATA + opts: defaults + user: + name: "ops" + password: "CHANGE_ME" + public_key: "ssh-ed25519 AAAA..." + root: + password: "CHANGE_ME" + packages: + - jq + - tmux + features: + cis: + enabled: false + selinux: + enabled: true + firewall: + enabled: true + backend: "firewalld" + toolkit: "nftables" + ssh: + enabled: true + zstd: + enabled: true + swap: + enabled: true + banner: + motd: true + sudo: true + chroot: + tool: "arch-chroot" db01.example.com: ansible_host: 10.0.0.11 - os: "rhel" - os_version: "9" filesystem: "xfs" + rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso" system: + type: "virtual" + os: "rhel" + os_version: "9" name: "db01.example.com" id: 101 cpus: 4 - memory_mb: 8192 + memory: 8192 network: "vmbr0" ip: 10.0.0.11 prefix: 24 gateway: 10.0.0.1 - dns_servers: "1.1.1.1,1.0.0.1" + dns: + servers: "1.1.1.1,1.0.0.1" disks: - size: 80 - rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso" - luks_enabled: true - luks_passphrase: "CHANGE_ME" - luks_auto_decrypt_method: "keyfile" - luks_keyfile_size: 128 - cis: true - selinux: false - firewall_enabled: false + - size: 200 + mount: + path: /srv/data + fstype: ext4 + user: + name: "dbadmin" + password: 
"CHANGE_ME" + public_key: "ssh-ed25519 AAAA..." + root: + password: "CHANGE_ME" + luks: + enabled: true + passphrase: "CHANGE_ME" + auto_decrypt_method: "keyfile" + keyfile_size: 128 + features: + cis: + enabled: true + selinux: + enabled: false + firewall: + enabled: false + backend: "firewalld" + toolkit: "nftables" + ssh: + enabled: true + zstd: + enabled: true + swap: + enabled: true + banner: + motd: true + sudo: true + chroot: + tool: "arch-chroot" diff --git a/inventory_libvirt_example.yml b/inventory_libvirt_example.yml index 3a7c0a2..76d3796 100644 --- a/inventory_libvirt_example.yml +++ b/inventory_libvirt_example.yml 
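Review bot: `dns.servers` is a list for app01.example.com but the comma-joined string `"1.1.1.1,1.0.0.1"` for db01.example.com, so the same key carries two types inside one inventory; unless the consuming role explicitly accepts both, the example should use the list form in both places (`servers:` followed by `- 1.1.1.1` and `- 1.0.0.1`). The same mixed form appears in inventory_libvirt_example.yml, where web01.local and db01.local use a list and compute01.local a string. Separately, the new `user.password`, `root.password`, `luks.passphrase` and `hypervisor.password` entries hold plaintext placeholders in a file meant to be copied into a real inventory; a comment next to the first of them such as `# keep real values in ansible-vault or a lookup, never in plaintext inventory` would steer users toward the safe pattern. db01's `luks.keyfile_size: 128` also differs from the `64` used in vars_example.yml; if both are valid, a comment on the unit and accepted range would help.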
@@ -1,65 +1,126 @@ --- all: vars: - install_type: "virtual" hypervisor: type: "libvirt" - install_drive: "/dev/vda" + url: "localhost" + username: "" + password: "" + host: "" + storage: "default" boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso" children: libvirt: hosts: - web01.example.com: - ansible_host: 192.168.122.10 - os: "debian" - os_version: "12" + web01.local: + ansible_host: 192.168.122.20 filesystem: "ext4" system: - name: "web01.example.com" + type: "virtual" + os: "debian" + os_version: "12" + name: "web01.local" cpus: 2 - memory_mb: 2048 - ip: 192.168.122.10 + memory: 2048 + network: "default" + ip: 192.168.122.20 prefix: 24 gateway: 192.168.122.1 - dns_servers: 1.1.1.1 + dns: + servers: + - 1.1.1.1 + search: + - lab.local + path: "/var/lib/libvirt/images" disks: - size: 30 - extra_packages: - - nginx - - fail2ban - vault01.example.com: - ansible_host: 192.168.122.11 - os: "ubuntu-lts" + - size: 80 + mount: + path: /var/www + fstype: xfs + user: + name: "web" + password: "CHANGE_ME" + public_key: "ssh-ed25519 AAAA..." + root: + password: "CHANGE_ME" + packages: + - nginx + - curl + features: + firewall: + enabled: true + backend: "ufw" + toolkit: "nftables" + db01.local: + ansible_host: 192.168.122.21 + filesystem: "xfs" + rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso" + system: + type: "virtual" + os: "rhel" + os_version: "9" + name: "db01.local" + cpus: 4 + memory: 4096 + network: "default" + ip: 192.168.122.21 + prefix: 24 + gateway: 192.168.122.1 + dns: + servers: + - 9.9.9.9 + search: + - example.com + disks: + - size: 60 + - size: 120 + mount: + path: /data + fstype: ext4 + user: + name: "db" + password: "CHANGE_ME" + public_key: "ssh-ed25519 AAAA..." 
+ root: + password: "CHANGE_ME" + luks: + enabled: true + passphrase: "CHANGE_ME" + auto_decrypt_method: "keyfile" + features: + firewall: + enabled: false + backend: "firewalld" + toolkit: "nftables" + compute01.local: + ansible_host: 192.168.122.22 filesystem: "btrfs" system: - name: "vault01.example.com" - cpus: 2 - memory_mb: 4096 - ip: 192.168.122.11 + type: "virtual" + os: "fedora" + os_version: "41" + name: "compute01.local" + cpus: 8 + memory: 8192 + network: "default" + ip: 192.168.122.22 prefix: 24 gateway: 192.168.122.1 - dns_search: "example.com" - disks: - - size: 40 - luks_enabled: true - luks_passphrase: "CHANGE_ME" - luks_auto_decrypt_method: "keyfile" - firewall_enabled: false - rhel9.example.com: - ansible_host: 192.168.122.12 - os: "rhel" - os_version: "9" - filesystem: "xfs" - system: - name: "rhel9.example.com" - cpus: 4 - memory_mb: 8192 - vlan: "100" - ip: 192.168.122.12 - prefix: 24 - gateway: 192.168.122.1 - dns_servers: "1.1.1.1,1.0.0.1" - path: "/srv/libvirt/images" + dns: + servers: "1.1.1.1,1.0.0.1" disks: - size: 80 - rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso" + - size: 200 + mount: + path: /data + fstype: btrfs + user: + name: "compute" + password: "CHANGE_ME" + public_key: "ssh-ed25519 AAAA..." + root: + password: "CHANGE_ME" + features: + cis: + enabled: true diff --git a/vars_baremetal_example.yml b/vars_baremetal_example.yml index 76cc32a..a382635 100644 --- a/vars_baremetal_example.yml +++ b/vars_baremetal_example.yml 
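Review bot: db01.local ships with `features.firewall.enabled: false` while also carrying a LUKS-encrypted data disk and credential placeholders; example inventories are what operators copy, so unless the intent is to demonstrate the toggle, `enabled: true` (or a comment stating why it is off, e.g. `# disabled only to show the toggle; keep enabled on real hosts`) is the safer default. compute01.local, in the same hunk, declares only `features.cis` and leaves `firewall`, `selinux` and `ssh` unset, so its effective posture depends on role defaults that this file does not show; spelling them out as the other two hosts do keeps the examples comparable. db01.local's `luks.auto_decrypt_method: "keyfile"` has no `keyfile_size`, unlike the equivalent host in inventory_example.yml, which presumably falls back to a role default — worth confirming. The empty `username: ""`, `password: ""` and `host: ""` under `hypervisor` look intentional for a local libvirt connection, but an inline comment saying so would stop them being read as required values.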
@@ -1,20 +1,61 @@ --- +# Example variables for baremetal installs. hypervisor: type: "none" -install_type: "physical" -install_drive: "/dev/sda" -os: "archlinux" filesystem: "btrfs" -cis: false -selinux: true -firewall_enabled: true - -luks_enabled: true -luks_passphrase: "1234" -luks_mapper_name: "SYSTEM_DECRYPTED" -luks_auto_decrypt: true -luks_auto_decrypt_method: "tpm2" -luks_tpm2_device: "auto" -luks_tpm2_pcrs: "7" +system: + type: "physical" + os: "archlinux" + name: "{{ inventory_hostname }}" + cpus: 8 + memory: 16384 + ip: "{{ ansible_host | default('') }}" + prefix: 24 + gateway: "10.0.0.1" + dns: + servers: + - "1.1.1.1" + disks: + - device: "/dev/sda" + size: 120 + - device: "/dev/sdb" + size: 500 + mount: + path: /data + fstype: ext4 + user: + name: "admin" + password: "CHANGE_ME" + public_key: "ssh-ed25519 AAAA..." + root: + password: "CHANGE_ME" + luks: + enabled: true + passphrase: "CHANGE_ME" + mapper_name: "SYSTEM_DECRYPTED" + auto_decrypt: true + auto_decrypt_method: "tpm2" + tpm2_device: "auto" + tpm2_pcrs: "7" + features: + cis: + enabled: false + selinux: + enabled: true + firewall: + enabled: true + backend: "firewalld" + toolkit: "nftables" + ssh: + enabled: true + zstd: + enabled: true + swap: + enabled: true + banner: + motd: true + sudo: true + chroot: + tool: "arch-chroot" diff --git a/vars_example.yml b/vars_example.yml index e9c2d79..665274a 100644 --- a/vars_example.yml +++ b/vars_example.yml 
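Review bot: `ip: "{{ ansible_host | default('') }}"` falls back to an empty string rather than leaving `system.ip` undefined; the comment this commit removes from vars_example.yml said the role treats the presence of `system.ip` as a request for static addressing, so an inventory without `ansible_host` could render a static configuration with an empty address next to the fixed `gateway: "10.0.0.1"` and `prefix: 24`. If the role tests the key with `is defined` rather than for emptiness, either drop the default or document the expectation, e.g. `# set ansible_host for static addressing; leave it unset to use DHCP`. Whether the role handles `""` as absent cannot be confirmed from this diff. `tpm2_pcrs: "7"` is carried over unchanged and binds the LUKS key to the Secure Boot policy measurement alone; a one-line comment on why that policy was chosen would help readers decide whether it suits their hosts.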
@@ -1,47 +1,92 @@ --- -# Set system.ip for static addressing. Remove system.ip to use DHCP. -system: - ip: "{{ inventory_hostname }}" - -install_type: "virtual" -install_drive: "/dev/sda" # Use /dev/vda for virtio/libvirt. -custom_iso: false # Set true to skip ArchISO-specific validation and pacman setup. -cis: false # Set true to enable CIS hardening. -selinux: true # Toggle SELinux where supported. -firewall_enabled: true # Toggle firewall package and service. +# Example variables for virtual provisioning. +filesystem: "btrfs" +custom_iso: false hypervisor: type: "proxmox" # libvirt|proxmox|vmware|xen|none url: "pve01.example.com" username: "root@pam" password: "CHANGE_ME" - node: "pve01" + host: "pve01" storage: "local-lvm" datacenter: "dc01" cluster: "cluster01" validate_certs: false + ssh: true # VMware only; enables temporary SSH in installer -# VMware (only needed when hypervisor: vmware) -# system: -# path: "/Folder" # Optional folder path segment in vCenter. -vmware_ssh: true - -# LUKS disk encryption (optional) -# These map to partitioning_luks_* internally. 
-luks_enabled: false -luks_passphrase: "CHANGE_ME" -luks_mapper_name: "SYSTEM_DECRYPTED" -luks_auto_decrypt: true -luks_auto_decrypt_method: "tpm2" -luks_tpm2_device: "auto" -luks_tpm2_pcrs: "7" -luks_keyfile_size: 64 -luks_options: "discard,tries=3" -luks_type: "luks2" -luks_cipher: "aes-xts-plain64" -luks_hash: "sha512" -luks_iter_time: 4000 -luks_key_size: 512 -luks_pbkdf: "argon2id" -luks_use_urandom: true -luks_verify_passphrase: true +system: + type: "virtual" # virtual|physical + os: "archlinux" + os_version: "" + name: "{{ inventory_hostname }}" + id: 100 + cpus: 4 + memory: 8192 + balloon: 0 + network: "vmbr0" + ip: "{{ inventory_hostname }}" + prefix: 24 + gateway: "10.0.0.1" + dns: + servers: + - "1.1.1.1" + - "1.0.0.1" + search: + - "example.com" + path: "/Lab/Example" + disks: + - size: 80 + - size: 200 + mount: + path: /data + fstype: xfs + label: DATA + opts: defaults + user: + name: "ops" + password: "CHANGE_ME" + public_key: "ssh-ed25519 AAAA..." + root: + password: "CHANGE_ME" + luks: + enabled: false + passphrase: "CHANGE_ME" + mapper_name: "SYSTEM_DECRYPTED" + auto_decrypt: true + auto_decrypt_method: "tpm2" + tpm2_device: "auto" + tpm2_pcrs: "7" + keyfile_size: 64 + options: "discard,tries=3" + type: "luks2" + cipher: "aes-xts-plain64" + hash: "sha512" + iter_time: 4000 + key_size: 512 + pbkdf: "argon2id" + use_urandom: true + verify_passphrase: true + packages: + - jq + - tmux + features: + cis: + enabled: false + selinux: + enabled: true + firewall: + enabled: true + backend: "firewalld" # firewalld|ufw + toolkit: "nftables" # nftables|iptables + ssh: + enabled: true + zstd: + enabled: true + swap: + enabled: true + banner: + motd: true + sudo: true + chroot: + tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn
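Review bot: The inline explanations the old file carried are dropped without replacement: `custom_iso: false` loses `# Set true to skip ArchISO-specific validation and pacman setup.`, the `system.ip` line loses `# Set system.ip for static addressing. Remove system.ip to use DHCP.`, and the `features.cis`, `selinux` and `firewall` toggles lose their one-line descriptions, so the example now documents less than before. Reinstating them as inline comments on the new keys (e.g. `ip: "{{ inventory_hostname }}"  # static address; remove this key to use DHCP`) keeps the file self-explanatory. `validate_certs: false` under `hypervisor` is carried over without comment; a note such as `# lab only; set true to verify the hypervisor API certificate` would make the trade-off visible to anyone copying the file. `os_version: ""` is presumably the "unset" sentinel for archlinux, but since the other examples omit the key entirely for that OS, say so in a comment or drop it here too.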