From b6d06dd96daacb3674d7c77f0e3e4adc3e29a3d4 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Fri, 20 Feb 2026 18:34:59 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20deep=20analysis=20audit=20=E2=80=94=20no?=
 =?UTF-8?q?=5Flog,=20resolv.conf,=20service=20conflicts,=20lint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 roles/bootstrap/tasks/debian.yml | 12 ++++++++++++
 roles/bootstrap/tasks/ubuntu.yml | 11 ++++++++---
 roles/bootstrap/vars/main.yml | 6 +++---
 roles/cis/tasks/auth.yml | 13 ++++++++++---
 roles/cleanup/tasks/proxmox.yml | 12 +++++++++---
 roles/cleanup/tasks/virtual.yml | 4 ++++
 roles/cleanup/tasks/vmware.yml | 2 ++
 roles/configuration/tasks/bootloader.yml | 8 ++++----
 roles/configuration/tasks/encryption.yml | 2 +-
 roles/configuration/tasks/services.yml | 2 +-
 roles/configuration/tasks/users.yml | 2 ++
 roles/global_defaults/tasks/main.yml | 1 +
 roles/global_defaults/tasks/system.yml | 2 +-
 roles/partitioning/tasks/main.yml | 2 +-
 roles/system_check/tasks/main.yml | 2 ++
 roles/virtualization/tasks/proxmox.yml | 2 ++
 roles/virtualization/tasks/vmware.yml | 3 +++
 17 files changed, 66 insertions(+), 20 deletions(-)

diff --git a/roles/bootstrap/tasks/debian.yml b/roles/bootstrap/tasks/debian.yml
index d6eaf2c..7ef4638 100644
--- a/roles/bootstrap/tasks/debian.yml
+++ b/roles/bootstrap/tasks/debian.yml
@@ -55,6 +55,18 @@ register: bootstrap_debian_base_result changed_when: bootstrap_debian_base_result.rc == 0 + - name: Generate resolv.conf for chroot + ansible.builtin.copy: + content: | + {% for ns in system_cfg.network.dns.servers | default(['1.1.1.1', '8.8.8.8']) %} + nameserver {{ ns }} + {% endfor %} + {% if system_cfg.network.dns.search | default([]) | length > 0 %} + search {{ system_cfg.network.dns.search | join(' ') }} + {% endif %} + dest: /mnt/etc/resolv.conf + mode: "0644" + - name: Install extra packages when: bootstrap_debian_extra_packages | length > 0 ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}" diff --git a/roles/bootstrap/tasks/ubuntu.yml b/roles/bootstrap/tasks/ubuntu.yml index 04fd7f5..39e6bcb 100644 --- a/roles/bootstrap/tasks/ubuntu.yml +++ b/roles/bootstrap/tasks/ubuntu.yml @@ -47,11 +47,16 @@ register: bootstrap_ubuntu_base_result changed_when: bootstrap_ubuntu_base_result.rc == 0 - - name: Ensure chroot has resolv.conf + - name: Generate resolv.conf for chroot ansible.builtin.copy: - src: /etc/resolv.conf + content: | + {% for ns in system_cfg.network.dns.servers | default(['1.1.1.1', '8.8.8.8']) %} + nameserver {{ ns }} + {% endfor %} + {% if system_cfg.network.dns.search | default([]) | length > 0 %} + search {{ system_cfg.network.dns.search | join(' ') }} + {% endif %} dest: /mnt/etc/resolv.conf - remote_src: true mode: "0644" - name: Enable universe repository diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml index 9c0aa32..8abe67d 100644 --- a/roles/bootstrap/vars/main.yml +++ b/roles/bootstrap/vars/main.yml 
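Review bot: `default(['1.1.1.1', '8.8.8.8'])` in the new `content:` template only applies when `system_cfg.network.dns.servers` is undefined, so an explicitly empty `servers: []` writes a resolv.conf with no `nameserver` line and the chroot `apt install` that follows will fail on name resolution; use `default(['1.1.1.1', '8.8.8.8'], true)` if the fallback is meant to cover an empty list as well, or fail early if a silent fallback to public resolvers is not wanted. The same template is pasted verbatim into the ubuntu.yml hunk below; one `ansible.builtin.template` backed by a role template file (or a shared include) would keep the two copies from drifting. The file lands in the target root (`/mnt/etc/resolv.conf`), so unless a later role replaces it the installed system keeps these resolvers; a comment stating which stage owns the final resolver configuration would help, e.g. `# Bootstrap-only resolver config; <later role/task> rewrites it after install — confirm`.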
@@ -4,8 +4,8 @@ bootstrap_common_conditional: - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}" - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}" - - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}" - - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}" + - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' and system_cfg.features.firewall.enabled | bool else '' }}" + - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else '' }}" - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}" - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}" - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}" @@ -51,7 +51,7 @@ bootstrap_fedora: >- 'glibc-langpack-de', 'glibc-langpack-en', 'grub2', 'grub2-efi', 'htop', 'iperf3', 'logrotate', 'lrzsz', 'lvm2', 'nc', 'nfs-utils', 'nfsv4-client-utils', 'polkit', 'ppp', - 'ripgrep', 'shim', 'tmux', 'vim-default-editor', + 'python3', 'ripgrep', 'shim', 'tmux', 'vim-default-editor', 'wget', 'zoxide', 'zram-generator', 'zstd'] + bootstrap_common_conditional }} diff --git a/roles/cis/tasks/auth.yml b/roles/cis/tasks/auth.yml index ad07600..350b03c 100644 --- a/roles/cis/tasks/auth.yml +++ b/roles/cis/tasks/auth.yml @@ -10,6 +10,13 @@ dest: "{{ item }}" regexp: "\\s*nullok" replace: "" - loop: - - /mnt/etc/pam.d/system-auth - - /mnt/etc/pam.d/password-auth + loop: >- + {{ + ['/mnt/etc/pam.d/system-auth', '/mnt/etc/pam.d/password-auth'] + if is_rhel | bool + else ( + ['/mnt/etc/pam.d/common-auth', '/mnt/etc/pam.d/common-password'] + if is_debian | bool + else [] + ) + }} diff --git a/roles/cleanup/tasks/proxmox.yml b/roles/cleanup/tasks/proxmox.yml index fc4406c..8e13500 100644 --- a/roles/cleanup/tasks/proxmox.yml 
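Review bot: The test `system_cfg.features.firewall.enabled | bool` is now repeated in four entries of `bootstrap_common_conditional`; defining it once in this vars file, e.g. `bootstrap_firewall_enabled: "{{ system_cfg.features.firewall.enabled | bool }}"`, and referencing it in each entry keeps the gating in one place. The neighbouring `system_cfg.luks.enabled` entries evaluate the flag without `| bool`, so a string value such as `"false"` would be treated differently by the two groups; aligning them is cheap while this block is being edited.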
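Review bot: The `regexp: "\\s*nullok"` this task applies (the context line just above the hunk) now also runs against Debian's `common-auth`/`common-password`; on releases whose `pam_unix.so` line carries `nullok_secure` (older Debian/Ubuntu — confirm against the targeted versions) the replacement leaves `pam_unix.so_secure`, which corrupts the module line and can lock password authentication out of the installed system. Anchor the pattern on the whole option instead, e.g. `regexp: "\\s*nullok(_secure)?\\b"`. The new expression also yields `[]` for any host that is neither `is_rhel` nor `is_debian`, so the control is silently skipped there; either add the Arch PAM file (its `system-auth` appears to use `nullok` as well — verify) or fail explicitly so the audit gap is visible rather than quiet.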
+++ b/roles/cleanup/tasks/proxmox.yml @@ -13,9 +13,14 @@ vmid: "{{ system_cfg.id }}" disk: "{{ item }}" state: absent - loop: - - ide0 - - ide2 + loop: >- + {{ + ['ide0'] + + (['ide1'] if rhel_iso is defined and rhel_iso | length > 0 else []) + + ['ide2'] + }} + failed_when: false + no_log: true - name: Start the VM community.proxmox.proxmox_kvm: @@ -25,3 +30,4 @@ node: "{{ hypervisor_cfg.host }}" vmid: "{{ system_cfg.id }}" state: restarted + no_log: true diff --git a/roles/cleanup/tasks/virtual.yml b/roles/cleanup/tasks/virtual.yml index b36db13..3cf6c90 100644 --- a/roles/cleanup/tasks/virtual.yml +++ b/roles/cleanup/tasks/virtual.yml @@ -118,6 +118,7 @@ name: "{{ hostname }}" vmid: "{{ system_cfg.id }}" state: stopped + no_log: true - name: Delete VM for proxmox when: @@ -134,6 +135,7 @@ vmid: "{{ system_cfg.id }}" state: absent unprivileged: false + no_log: true - name: Remove VM for VMware when: @@ -149,6 +151,7 @@ name: "{{ hostname }}" folder: "{{ system_cfg.path | default('/') }}" state: poweredoff + no_log: true - name: Delete VM for VMware when: @@ -164,6 +167,7 @@ name: "{{ hostname }}" folder: "{{ system_cfg.path | default('/') }}" state: absent + no_log: true - name: Destroy Xen VM if running when: diff --git a/roles/cleanup/tasks/vmware.yml b/roles/cleanup/tasks/vmware.yml index 87dc54a..70217d0 100644 --- a/roles/cleanup/tasks/vmware.yml +++ b/roles/cleanup/tasks/vmware.yml @@ -26,6 +26,7 @@ iso_path: "{{ rhel_iso if rhel_iso is defined and rhel_iso | length > 0 else omit }}" state: absent failed_when: false + no_log: true - name: Start VM in vCenter vmware.vmware.vm_powerstate: @@ -36,3 +37,4 @@ datacenter: "{{ hypervisor_cfg.datacenter }}" name: "{{ hostname }}" state: powered-on + no_log: true diff --git a/roles/configuration/tasks/bootloader.yml b/roles/configuration/tasks/bootloader.yml index acf50c5..0473f11 100644 --- a/roles/configuration/tasks/bootloader.yml +++ b/roles/configuration/tasks/bootloader.yml 
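Review bot: `failed_when: false` combined with `no_log: true` on the disk-removal loop makes a failed detach completely invisible — no error, no output — and `Start the VM` below proceeds regardless; register the result and tolerate only the expected already-absent case, e.g. `register: cleanup_proxmox_disk_result` with `failed_when: cleanup_proxmox_disk_result.failed and <already-absent message> not in (cleanup_proxmox_disk_result.msg | default(''))`, the message text confirmed against what the module actually returns (not visible here). The `ide1` entry is only meaningful when `rhel_iso` is set; a one-line comment above the loop would spare the next reader the conditional, e.g. `# ide1 only exists when the VM was created with the RHEL ISO attached`. On `no_log`, which this commit adds throughout cleanup/, configuration/users.yml, global_defaults/, system_check/ and virtualization/: it also hides failure details, so driving it from one variable, `no_log: "{{ <hide_secrets_var> | default(true) }}"`, lets an operator switch it off for a debugging run without editing every task. It would also read better in one consistent position — users.yml puts it after `changed_when:`, while virtualization/proxmox.yml and virtualization/vmware.yml put it before `register:`.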
@@ -21,19 +21,19 @@ - name: Check existing EFI boot entries ansible.builtin.command: efibootmgr - register: _efi_entries + register: configuration_efi_entries changed_when: false - name: Ensure EFI boot entry exists - when: ('* ' + _efi_vendor) not in _efi_entries.stdout + when: ('* ' + _efi_vendor) not in configuration_efi_entries.stdout ansible.builtin.command: >- efibootmgr -c -L '{{ _efi_vendor }}' -d '{{ install_drive }}' -p 1 -l '\EFI\{{ _efi_vendor }}\{{ _efi_loader }}' - register: _efi_entry_result - changed_when: _efi_entry_result.rc == 0 + register: configuration_efi_entry_result + changed_when: configuration_efi_entry_result.rc == 0 - name: Ensure lvm2 for non btrfs filesystems when: os == "archlinux" and system_cfg.filesystem != "btrfs" diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml index 4230182..7c640b1 100644 --- a/roles/configuration/tasks/encryption.yml +++ b/roles/configuration/tasks/encryption.yml @@ -142,7 +142,7 @@ regexp: "^HOOKS=" line: >- HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole - block sd-encrypt lvm2 filesystems fsck) + block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck) - name: Read mkinitcpio configuration when: os == 'archlinux' diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml index bd089bd..d686eb2 100644 --- a/roles/configuration/tasks/services.yml +++ b/roles/configuration/tasks/services.yml @@ -10,7 +10,7 @@ if system_cfg.features.ssh.enabled | bool else '' }} {{ - 'logrotate systemd-resolved systemd-timesyncd systemd-networkd' + ' logrotate systemd-timesyncd' if os == 'archlinux' else '' }} register: configuration_enable_services_result diff --git a/roles/configuration/tasks/users.yml b/roles/configuration/tasks/users.yml index 2ba7055..e4784a9 100644 --- a/roles/configuration/tasks/users.yml +++ b/roles/configuration/tasks/users.yml 
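Review bot: Dropping `systemd-resolved` and `systemd-networkd` from the archlinux enable list leaves the hunk silent about which service now owns networking and name resolution on Arch, and nothing visible here writes a resolver configuration for that case; a comment naming the owner would document the conflict the commit title refers to, e.g. `# <network service> manages networking/DNS on archlinux; enabling systemd-networkd/resolved alongside it conflicts`. The leading space in `' logrotate systemd-timesyncd'` is only needed if the two `{{ }}` blocks were concatenated without a separator, but under the folded `>-` scalar the line break between them already folds to a space, so (if I read the folding right) the result carries a double space when ssh is enabled — harmless for a space-separated service list, but it looks deliberate and deserves either removal or a one-word comment.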
@@ -7,6 +7,7 @@ ansible.builtin.command: "{{ configuration_root_cmd }}" register: configuration_root_result changed_when: configuration_root_result.rc == 0 + no_log: true - name: Create user accounts vars: @@ -24,6 +25,7 @@ label: "{{ item.name }}" register: configuration_user_result changed_when: configuration_user_result.rc == 0 + no_log: true - name: Ensure .ssh directory exists when: item['keys'] | default([]) | length > 0 diff --git a/roles/global_defaults/tasks/main.yml b/roles/global_defaults/tasks/main.yml index 7c409ea..4f474f8 100644 --- a/roles/global_defaults/tasks/main.yml +++ b/roles/global_defaults/tasks/main.yml @@ -49,6 +49,7 @@ ansible_password: "{{ system_cfg.users[0].password }}" ansible_become_password: "{{ system_cfg.users[0].password }}" ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" + no_log: true - name: Set connection for VMware when: hypervisor_type == "vmware" diff --git a/roles/global_defaults/tasks/system.yml b/roles/global_defaults/tasks/system.yml index 51e7b2f..4889f55 100644 --- a/roles/global_defaults/tasks/system.yml +++ b/roles/global_defaults/tasks/system.yml @@ -174,6 +174,7 @@ hostname: "{{ system_name }}" os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}" os_version: "{{ system_raw.version | default('') | string }}" + no_log: true - name: Populate primary network fields from first interface when: @@ -294,4 +295,3 @@ - system_disks_cfg[0].device | string | length > 0 ansible.builtin.set_fact: install_drive: "{{ system_disks_cfg[0].device }}" - diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml index b59103c..f84ad1b 100644 --- a/roles/partitioning/tasks/main.yml +++ b/roles/partitioning/tasks/main.yml 
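Review bot: `no_log: true` on `configuration_root_cmd` and on the user-creation command keeps the password out of the Ansible log, but if those commands carry the password on the command line it is still exposed on the target host through the process argument list for the duration of the command (and in any command-line auditing); the command module's `stdin:` argument avoids that, e.g. running `chpasswd` with `stdin: "root:{{ <password var> }}"` — both commands start outside the hunk, so confirm how they pass the secret. With `no_log` on the loop, a failure no longer shows which `item.name` was affected, since the `label:` from `loop_control` is censored as well as far as I recall; if the user name is not itself sensitive, a small follow-up task that reports only the failed names from the registered result would restore that signal.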
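Review bot: The `no_log: true` added to the set_fact that assigns `hostname`, `os` and `os_version` in global_defaults/tasks/system.yml hides values that are not secrets as far as this hunk shows, which costs diagnostics for no gain; the task starts outside the hunk, so if it also sets a password-bearing fact keep it, otherwise drop it or move the sensitive keys into their own un-logged set_fact. The set_fact in global_defaults/tasks/main.yml that assigns `ansible_password`/`ansible_become_password` is the right place for it, and that hunk already has it.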
@@ -93,7 +93,7 @@ failed_when: false - name: Wipe filesystem signatures - ansible.builtin.command: >- + ansible.builtin.shell: >- find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \; register: partitioning_wipefs_result changed_when: false diff --git a/roles/system_check/tasks/main.yml b/roles/system_check/tasks/main.yml index d8e8179..19efcb9 100644 --- a/roles/system_check/tasks/main.yml +++ b/roles/system_check/tasks/main.yml @@ -37,6 +37,7 @@ type: qemu register: system_check_proxmox_check_result changed_when: false + no_log: true - name: Abort if VM already exists on Proxmox when: hypervisor_type == "proxmox" @@ -63,6 +64,7 @@ register: system_check_vmware_check_result failed_when: false changed_when: false + no_log: true - name: Fail if vCenter lookup failed unexpectedly when: hypervisor_type == "vmware" diff --git a/roles/virtualization/tasks/proxmox.yml b/roles/virtualization/tasks/proxmox.yml index b827c3e..60d0618 100644 --- a/roles/virtualization/tasks/proxmox.yml +++ b/roles/virtualization/tasks/proxmox.yml @@ -74,6 +74,7 @@ searchdomains: "{{ system_cfg.network.dns.search if system_cfg.network.dns.search | length else omit }}" onboot: true state: present + no_log: true - name: Start VM on Proxmox delegate_to: localhost @@ -85,6 +86,7 @@ name: "{{ hostname }}" vmid: "{{ system_cfg.id }}" state: started + no_log: true register: virtualization_proxmox_start_result - name: Set VM created fact diff --git a/roles/virtualization/tasks/vmware.yml b/roles/virtualization/tasks/vmware.yml index eb783c7..37e03f0 100644 --- a/roles/virtualization/tasks/vmware.yml +++ b/roles/virtualization/tasks/vmware.yml @@ -65,6 +65,7 @@ } ] if rhel_iso is defined and rhel_iso | length > 0 else [] ) }} networks: "{{ virtualization_vmware_networks }}" + no_log: true register: virtualization_vmware_create_result - name: Set VM created fact when VM was powered on during creation 
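Review bot: Switching `Wipe filesystem signatures` from `command` to `shell` puts `{{ install_drive }}` into a shell-parsed string, so a device value containing a quote, `$(` or a backtick now breaks or alters the command instead of being passed as a literal argument; the `command` module already unescapes `\;` through shlex splitting, so if that was the motivation the switch appears unnecessary (confirm by running the original form). If `shell` is kept, quote the interpolation and leave the glob outside the quotes: `find /dev -wholename {{ install_drive | quote }}'*' -exec wipefs --force --all {} \;`. `changed_when: false` on a command that does wipe signatures also misreports the run as unchanged, though that line predates this commit.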
@@ -87,6 +88,7 @@ folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}" name: "{{ hostname }}" state: present + no_log: true - name: Start VM in vCenter when: virtualization_tpm2_enabled | bool @@ -99,6 +101,7 @@ datacenter: "{{ hypervisor_cfg.datacenter }}" name: "{{ hostname }}" state: powered-on + no_log: true register: virtualization_vmware_start_result - name: Set VM created fact when VM was started separately (TPM2 case)