fix: deep analysis audit — no_log, resolv.conf, service conflicts, lint

2026-02-20 18:34:59 +01:00
parent 09b3ed44ba
commit b6d06dd96d
17 changed files with 66 additions and 20 deletions


@@ -55,6 +55,18 @@
register: bootstrap_debian_base_result
changed_when: bootstrap_debian_base_result.rc == 0
- name: Generate resolv.conf for chroot
ansible.builtin.copy:
content: |
{% for ns in system_cfg.network.dns.servers | default(['1.1.1.1', '8.8.8.8']) %}
nameserver {{ ns }}
{% endfor %}
{% if system_cfg.network.dns.search | default([]) | length > 0 %}
search {{ system_cfg.network.dns.search | join(' ') }}
{% endif %}
dest: /mnt/etc/resolv.conf
mode: "0644"
- name: Install extra packages
when: bootstrap_debian_extra_packages | length > 0
ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}"
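Review bot: The `default(['1.1.1.1', '8.8.8.8'])` on the for-loop line only takes effect when `system_cfg.network.dns.servers` is undefined; a defined but empty list passes through and produces a resolv.conf with no `nameserver` line, after which the chroot `apt install` on the next task has no working DNS. Writing `default(['1.1.1.1', '8.8.8.8'], true)` treats an empty value as missing as well, and the same applies to the `search` test. The Ubuntu resolv.conf hunk that follows carries the identical pattern. A short comment on the task stating that these fallback resolvers are only meant for the chroot build phase would also help, if that is the intent.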


@@ -47,11 +47,16 @@
register: bootstrap_ubuntu_base_result
changed_when: bootstrap_ubuntu_base_result.rc == 0
- name: Ensure chroot has resolv.conf
- name: Generate resolv.conf for chroot
ansible.builtin.copy:
src: /etc/resolv.conf
content: |
{% for ns in system_cfg.network.dns.servers | default(['1.1.1.1', '8.8.8.8']) %}
nameserver {{ ns }}
{% endfor %}
{% if system_cfg.network.dns.search | default([]) | length > 0 %}
search {{ system_cfg.network.dns.search | join(' ') }}
{% endif %}
dest: /mnt/etc/resolv.conf
remote_src: true
mode: "0644"
- name: Enable universe repository


@@ -4,8 +4,8 @@
bootstrap_common_conditional:
- "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
- "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
- "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
- "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
@@ -51,7 +51,7 @@ bootstrap_fedora: >-
'glibc-langpack-de', 'glibc-langpack-en', 'grub2', 'grub2-efi',
'htop', 'iperf3', 'logrotate', 'lrzsz', 'lvm2',
'nc', 'nfs-utils', 'nfsv4-client-utils', 'polkit', 'ppp',
'ripgrep', 'shim', 'tmux', 'vim-default-editor',
'python3', 'ripgrep', 'shim', 'tmux', 'vim-default-editor',
'wget', 'zoxide', 'zram-generator', 'zstd']
+ bootstrap_common_conditional
}}
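Review bot: The rewritten iptables/nftables entries cast `system_cfg.features.firewall.enabled | bool`, but the neighbouring `cryptsetup`/`tpm2-tools` entries test `system_cfg.luks.enabled` without the cast; if the config can arrive with that value as the string `'false'` (for example from user input), the string is truthy and both LUKS packages are pulled in regardless. For consistency with the lines just above, `'cryptsetup' if system_cfg.luks.enabled | bool else ''` and the same for `tpm2-tools`. Whether the value can actually be a string depends on how system_cfg is populated, which is outside this hunk.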


@@ -10,6 +10,13 @@
dest: "{{ item }}"
regexp: "\\s*nullok"
replace: ""
loop:
- /mnt/etc/pam.d/system-auth
- /mnt/etc/pam.d/password-auth
loop: >-
{{
['/mnt/etc/pam.d/system-auth', '/mnt/etc/pam.d/password-auth']
if is_rhel | bool
else (
['/mnt/etc/pam.d/common-auth', '/mnt/etc/pam.d/common-password']
if is_debian | bool
else []
)
}}
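Review bot: The new loop expression falls through to `[]` for any target that is neither RHEL nor Debian, so on an archlinux target (a value tested in other hunks of this commit) the task is silently skipped and `nullok` stays in the PAM configuration. If Arch is meant to be covered, its pambase stack also uses `/mnt/etc/pam.d/system-auth`, so the first list could be selected with `if is_rhel | bool or os == 'archlinux'`; if Arch is intentionally excluded, a comment on the loop saying so would stop the empty list from reading as an oversight. The replace task itself starts above the hunk.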


@@ -13,9 +13,14 @@
vmid: "{{ system_cfg.id }}"
disk: "{{ item }}"
state: absent
loop:
- ide0
- ide2
loop: >-
{{
['ide0']
+ (['ide1'] if rhel_iso is defined and rhel_iso | length > 0 else [])
+ ['ide2']
}}
failed_when: false
no_log: true
- name: Start the VM
community.proxmox.proxmox_kvm:
@@ -25,3 +30,4 @@
node: "{{ hypervisor_cfg.host }}"
vmid: "{{ system_cfg.id }}"
state: restarted
no_log: true
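Review bot: `no_log: true` on the disk-removal task combines with the existing `failed_when: false` so that a failed API call is neither reported as failed nor visible in the censored output; the same blanket `no_log: true` is added to the VM stop, delete, create and start tasks in the later Proxmox and VMware sections. Censoring is the right default where the task carries hypervisor credentials, but the failure signal should be kept by narrowing the tolerated case instead: `register: <disk_result>` and `failed_when: <disk_result> is failed and '<not-found message>' not in <disk_result>.msg`, so only the disk-already-absent outcome is accepted. For the stop/delete/start tasks that have no `failed_when: false`, a failure is still surfaced under `no_log`, just without the module message, which is acceptable.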


@@ -118,6 +118,7 @@
name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}"
state: stopped
no_log: true
- name: Delete VM for proxmox
when:
@@ -134,6 +135,7 @@
vmid: "{{ system_cfg.id }}"
state: absent
unprivileged: false
no_log: true
- name: Remove VM for VMware
when:
@@ -149,6 +151,7 @@
name: "{{ hostname }}"
folder: "{{ system_cfg.path | default('/') }}"
state: poweredoff
no_log: true
- name: Delete VM for VMware
when:
@@ -164,6 +167,7 @@
name: "{{ hostname }}"
folder: "{{ system_cfg.path | default('/') }}"
state: absent
no_log: true
- name: Destroy Xen VM if running
when:


@@ -26,6 +26,7 @@
iso_path: "{{ rhel_iso if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
state: absent
failed_when: false
no_log: true
- name: Start VM in vCenter
vmware.vmware.vm_powerstate:
@@ -36,3 +37,4 @@
datacenter: "{{ hypervisor_cfg.datacenter }}"
name: "{{ hostname }}"
state: powered-on
no_log: true


@@ -21,19 +21,19 @@
- name: Check existing EFI boot entries
ansible.builtin.command: efibootmgr
register: _efi_entries
register: configuration_efi_entries
changed_when: false
- name: Ensure EFI boot entry exists
when: ('* ' + _efi_vendor) not in _efi_entries.stdout
when: ('* ' + _efi_vendor) not in configuration_efi_entries.stdout
ansible.builtin.command: >-
efibootmgr -c
-L '{{ _efi_vendor }}'
-d '{{ install_drive }}'
-p 1
-l '\EFI\{{ _efi_vendor }}\{{ _efi_loader }}'
register: _efi_entry_result
changed_when: _efi_entry_result.rc == 0
register: configuration_efi_entry_result
changed_when: configuration_efi_entry_result.rc == 0
- name: Ensure lvm2 for non btrfs filesystems
when: os == "archlinux" and system_cfg.filesystem != "btrfs"


@@ -142,7 +142,7 @@
regexp: "^HOOKS="
line: >-
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
block sd-encrypt lvm2 filesystems fsck)
block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
- name: Read mkinitcpio configuration
when: os == 'archlinux'
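Review bot: The btrfs test inserted into the HOOKS line repeats the condition of the `Ensure lvm2 for non btrfs filesystems` task (`system_cfg.filesystem != "btrfs"`) seen elsewhere in this commit, so the package install and the initramfs hook can drift apart the next time one of them is edited. Computing it once as a fact, e.g. `configuration_lvm2_enabled: "{{ system_cfg.filesystem != 'btrfs' }}"` (name constructed to match the role's `configuration_` prefix), and using that in both the `when` and the HOOKS template keeps the two in step. The lineinfile task starts above the hunk.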


@@ -10,7 +10,7 @@
if system_cfg.features.ssh.enabled | bool else ''
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
' logrotate systemd-timesyncd'
if os == 'archlinux' else ''
}}
register: configuration_enable_services_result
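Review bot: The hunk drops `systemd-resolved` and `systemd-networkd` from the archlinux enable list without recording what now provides name resolution and network configuration on that target; the commit title only says "service conflicts". A comment above the expression naming the unit that is enabled instead (e.g. `# resolved/networkd are not enabled on Arch: <unit> is enabled in <task>`) would make the intent checkable later. It is also worth confirming that, if the Arch bootstrap writes a resolv.conf the way the Debian/Ubuntu hunks do, the installed system does not stay pinned to the public fallback resolvers once resolved no longer manages the file. The surrounding task starts above the hunk.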


@@ -7,6 +7,7 @@
ansible.builtin.command: "{{ configuration_root_cmd }}"
register: configuration_root_result
changed_when: configuration_root_result.rc == 0
no_log: true
- name: Create user accounts
vars:
@@ -24,6 +25,7 @@
label: "{{ item.name }}"
register: configuration_user_result
changed_when: configuration_user_result.rc == 0
no_log: true
- name: Ensure .ssh directory exists
when: item['keys'] | default([]) | length > 0
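Review bot: `no_log: true` on the root and user account tasks hides the password from controller output, but if `configuration_root_cmd` (and the per-user command in the task above `Ensure .ssh directory exists`) places the password on the command line, it remains visible on the target through the process list and in any process accounting for the duration of the call. Passing it through the command module's `stdin` parameter instead (`ansible.builtin.command: "<chroot command> chpasswd"` with `stdin: "root:<password var>"`) keeps it off the command line; whether the current command already does this cannot be seen from the hunk. Note that under `no_log` a non-zero rc still fails the task, only stdout/stderr are censored.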


@@ -49,6 +49,7 @@
ansible_password: "{{ system_cfg.users[0].password }}"
ansible_become_password: "{{ system_cfg.users[0].password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
no_log: true
- name: Set connection for VMware
when: hypervisor_type == "vmware"


@@ -174,6 +174,7 @@
hostname: "{{ system_name }}"
os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
os_version: "{{ system_raw.version | default('') | string }}"
no_log: true
- name: Populate primary network fields from first interface
when:
@@ -294,4 +295,3 @@
- system_disks_cfg[0].device | string | length > 0
ansible.builtin.set_fact:
install_drive: "{{ system_disks_cfg[0].device }}"
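Review bot: The `no_log: true` added to the set_fact that builds `hostname`, `os` and `os_version` hides values that are not secrets (the three keys visible in the hunk) and so removes useful diagnostics from the run output; unless a key above the hunk carries a credential, the censoring gains nothing here. If one specific fact needs protecting, the `no_log` belongs on the task that handles the credential itself, as is done for the connection facts in the other hunk of this commit. The set_fact task starts above the hunk.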


@@ -93,7 +93,7 @@
failed_when: false
- name: Wipe filesystem signatures
ansible.builtin.command: >-
ansible.builtin.shell: >-
find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;
register: partitioning_wipefs_result
changed_when: false
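Review bot: Switching to `ansible.builtin.shell` means `{{ install_drive }}` is now expanded inside a shell command line, so it should be quoted for the shell: `find /dev -wholename {{ install_drive | quote }}'*' -exec wipefs --force --all {} \;` keeps the glob for find while neutralising any shell-significant character in the value. Independently, the `{{ install_drive }}*` pattern overmatches when device names share a prefix (`/dev/sda*` also matches `/dev/sdaa`), which for a wipefs is worth tightening to the disk and its partitions only, e.g. `-regextype posix-extended -regex "{{ install_drive | regex_escape }}(p?[0-9]+)?"`. The `changed_when: false` is unchanged by this commit but reports a signature wipe as no change, which may be intended.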


@@ -37,6 +37,7 @@
type: qemu
register: system_check_proxmox_check_result
changed_when: false
no_log: true
- name: Abort if VM already exists on Proxmox
when: hypervisor_type == "proxmox"
@@ -63,6 +64,7 @@
register: system_check_vmware_check_result
failed_when: false
changed_when: false
no_log: true
- name: Fail if vCenter lookup failed unexpectedly
when: hypervisor_type == "vmware"
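Review bot: The `no_log: true` on the two hypervisor lookup tasks censors console output only; the registered `system_check_proxmox_check_result` and `system_check_vmware_check_result` still hold the full module return, so the following `Abort if VM already exists on Proxmox` and `Fail if vCenter lookup failed unexpectedly` tasks must not print the whole result in their `msg`, or the censoring is undone one task later. Limiting those messages to the specific field being checked (`.failed`, `.msg`, or a match count) keeps the lookup details out of the log. The failing tasks themselves are outside the hunk, so whether they already do this cannot be confirmed here.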


@@ -74,6 +74,7 @@
searchdomains: "{{ system_cfg.network.dns.search if system_cfg.network.dns.search | length else omit }}"
onboot: true
state: present
no_log: true
- name: Start VM on Proxmox
delegate_to: localhost
@@ -85,6 +86,7 @@
name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}"
state: started
no_log: true
register: virtualization_proxmox_start_result
- name: Set VM created fact


@@ -65,6 +65,7 @@
} ] if rhel_iso is defined and rhel_iso | length > 0 else [] )
}}
networks: "{{ virtualization_vmware_networks }}"
no_log: true
register: virtualization_vmware_create_result
- name: Set VM created fact when VM was powered on during creation
@@ -87,6 +88,7 @@
folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
name: "{{ hostname }}"
state: present
no_log: true
- name: Start VM in vCenter
when: virtualization_tpm2_enabled | bool
@@ -99,6 +101,7 @@
datacenter: "{{ hypervisor_cfg.datacenter }}"
name: "{{ hostname }}"
state: powered-on
no_log: true
register: virtualization_vmware_start_result
- name: Set VM created fact when VM was started separately (TPM2 case)