fix: deep analysis audit — no_log, resolv.conf, service conflicts, lint

2026-02-20 18:34:59 +01:00
parent 09b3ed44ba
commit b6d06dd96d
17 changed files with 66 additions and 20 deletions


@@ -55,6 +55,18 @@
register: bootstrap_debian_base_result register: bootstrap_debian_base_result
changed_when: bootstrap_debian_base_result.rc == 0 changed_when: bootstrap_debian_base_result.rc == 0
- name: Generate resolv.conf for chroot
ansible.builtin.copy:
content: |
{% for ns in system_cfg.network.dns.servers | default(['1.1.1.1', '8.8.8.8']) %}
nameserver {{ ns }}
{% endfor %}
{% if system_cfg.network.dns.search | default([]) | length > 0 %}
search {{ system_cfg.network.dns.search | join(' ') }}
{% endif %}
dest: /mnt/etc/resolv.conf
mode: "0644"
- name: Install extra packages - name: Install extra packages
when: bootstrap_debian_extra_packages | length > 0 when: bootstrap_debian_extra_packages | length > 0
ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}" ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}"
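Review bot: `default(['1.1.1.1', '8.8.8.8'])` only substitutes when `system_cfg.network.dns.servers` is undefined, so a config that sets it to an empty list renders a resolv.conf with no `nameserver` line and the chroot package installs that follow fail on name resolution; `default(['1.1.1.1', '8.8.8.8'], true)` also covers the empty case if that is the intent. The identical inline template appears again in the Ubuntu bootstrap hunk below; a shared `resolv.conf.j2` rendered with `ansible.builtin.template` in both places would keep them from drifting. Since dest is `/mnt/etc/resolv.conf`, this file is presumably what the installed system boots with (the replaced task copied the host's resolv.conf), so the public-resolver fallback silently becomes the target's DNS when none is configured — worth a comment on the task, e.g. `# Falls back to public resolvers; the file persists into the installed system`.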


@@ -47,11 +47,16 @@
register: bootstrap_ubuntu_base_result register: bootstrap_ubuntu_base_result
changed_when: bootstrap_ubuntu_base_result.rc == 0 changed_when: bootstrap_ubuntu_base_result.rc == 0
- name: Ensure chroot has resolv.conf - name: Generate resolv.conf for chroot
ansible.builtin.copy: ansible.builtin.copy:
src: /etc/resolv.conf content: |
{% for ns in system_cfg.network.dns.servers | default(['1.1.1.1', '8.8.8.8']) %}
nameserver {{ ns }}
{% endfor %}
{% if system_cfg.network.dns.search | default([]) | length > 0 %}
search {{ system_cfg.network.dns.search | join(' ') }}
{% endif %}
dest: /mnt/etc/resolv.conf dest: /mnt/etc/resolv.conf
remote_src: true
mode: "0644" mode: "0644"
- name: Enable universe repository - name: Enable universe repository


@@ -4,8 +4,8 @@
bootstrap_common_conditional: bootstrap_common_conditional:
- "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}" - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}" - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}" - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}" - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}" - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
- "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}" - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}" - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
@@ -51,7 +51,7 @@ bootstrap_fedora: >-
'glibc-langpack-de', 'glibc-langpack-en', 'grub2', 'grub2-efi', 'glibc-langpack-de', 'glibc-langpack-en', 'grub2', 'grub2-efi',
'htop', 'iperf3', 'logrotate', 'lrzsz', 'lvm2', 'htop', 'iperf3', 'logrotate', 'lrzsz', 'lvm2',
'nc', 'nfs-utils', 'nfsv4-client-utils', 'polkit', 'ppp', 'nc', 'nfs-utils', 'nfsv4-client-utils', 'polkit', 'ppp',
'ripgrep', 'shim', 'tmux', 'vim-default-editor', 'python3', 'ripgrep', 'shim', 'tmux', 'vim-default-editor',
'wget', 'zoxide', 'zram-generator', 'zstd'] 'wget', 'zoxide', 'zram-generator', 'zstd']
+ bootstrap_common_conditional + bootstrap_common_conditional
}} }}
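Review bot: The `system_cfg.features.firewall.enabled | bool` guard is now spelled out in four separate list entries; a single `bootstrap_firewall_enabled: "{{ system_cfg.features.firewall.enabled | bool }}"` referenced from each entry would make the next toolkit addition harder to get wrong. Dropping `python3` from the Fedora base list presumably relies on dnf pulling it in transitively; if the installed system is later managed over SSH by Ansible (the `ansible_password` set_fact elsewhere in this commit suggests it is), a short comment stating that assumption would help, e.g. `# python3 omitted: pulled in by dnf, required for later Ansible tasks`.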


@@ -10,6 +10,13 @@
dest: "{{ item }}" dest: "{{ item }}"
regexp: "\\s*nullok" regexp: "\\s*nullok"
replace: "" replace: ""
loop: loop: >-
- /mnt/etc/pam.d/system-auth {{
- /mnt/etc/pam.d/password-auth ['/mnt/etc/pam.d/system-auth', '/mnt/etc/pam.d/password-auth']
if is_rhel | bool
else (
['/mnt/etc/pam.d/common-auth', '/mnt/etc/pam.d/common-password']
if is_debian | bool
else []
)
}}
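Review bot: The new loop resolves to `[]` when neither `is_rhel` nor `is_debian` is set, so the `nullok` removal is silently skipped on any other target; this playbook also installs Arch Linux (see the `os == "archlinux"` tasks elsewhere in the commit), whose default `/etc/pam.d/system-auth` carries `nullok` on its pam_unix lines if I remember the upstream file correctly. Either add an Arch branch — `['/mnt/etc/pam.d/system-auth'] if os == 'archlinux'` before the final `else []` — or state in a comment that the hardening intentionally covers RHEL and Debian only. The task header is outside the hunk.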


@@ -13,9 +13,14 @@
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
disk: "{{ item }}" disk: "{{ item }}"
state: absent state: absent
loop: loop: >-
- ide0 {{
- ide2 ['ide0']
+ (['ide1'] if rhel_iso is defined and rhel_iso | length > 0 else [])
+ ['ide2']
}}
failed_when: false
no_log: true
- name: Start the VM - name: Start the VM
community.proxmox.proxmox_kvm: community.proxmox.proxmox_kvm:
@@ -25,3 +30,4 @@
node: "{{ hypervisor_cfg.host }}" node: "{{ hypervisor_cfg.host }}"
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: restarted state: restarted
no_log: true
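Review bot: `no_log: true` on the ISO detach task sits next to `failed_when: false`, so a failed detach now produces neither a failure nor a readable error — the only evidence is a green task. If the secret being protected is the Proxmox API password/token, those parameters are already declared `no_log` in the module argument spec and redacted in output, as far as I know, so the task-level `no_log` mostly removes debugging signal. The same applies to the stop/delete tasks, the vCenter ISO detach and power-on, the system-check lookups, the Proxmox/VMware create and start tasks, and the system_cfg `set_fact` (hostname/os/os_version), whose visible lines carry no secret at all. A toggle such as `no_log: "{{ virtualization_no_log | default(true) }}"` keeps the default quiet while letting an operator debug a failed run; for this task also narrow `failed_when: false` to the specific condition it is meant to tolerate, or at least register the result so the outcome is inspectable.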


@@ -118,6 +118,7 @@
name: "{{ hostname }}" name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: stopped state: stopped
no_log: true
- name: Delete VM for proxmox - name: Delete VM for proxmox
when: when:
@@ -134,6 +135,7 @@
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: absent state: absent
unprivileged: false unprivileged: false
no_log: true
- name: Remove VM for VMware - name: Remove VM for VMware
when: when:
@@ -149,6 +151,7 @@
name: "{{ hostname }}" name: "{{ hostname }}"
folder: "{{ system_cfg.path | default('/') }}" folder: "{{ system_cfg.path | default('/') }}"
state: poweredoff state: poweredoff
no_log: true
- name: Delete VM for VMware - name: Delete VM for VMware
when: when:
@@ -164,6 +167,7 @@
name: "{{ hostname }}" name: "{{ hostname }}"
folder: "{{ system_cfg.path | default('/') }}" folder: "{{ system_cfg.path | default('/') }}"
state: absent state: absent
no_log: true
- name: Destroy Xen VM if running - name: Destroy Xen VM if running
when: when:


@@ -26,6 +26,7 @@
iso_path: "{{ rhel_iso if rhel_iso is defined and rhel_iso | length > 0 else omit }}" iso_path: "{{ rhel_iso if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
state: absent state: absent
failed_when: false failed_when: false
no_log: true
- name: Start VM in vCenter - name: Start VM in vCenter
vmware.vmware.vm_powerstate: vmware.vmware.vm_powerstate:
@@ -36,3 +37,4 @@
datacenter: "{{ hypervisor_cfg.datacenter }}" datacenter: "{{ hypervisor_cfg.datacenter }}"
name: "{{ hostname }}" name: "{{ hostname }}"
state: powered-on state: powered-on
no_log: true


@@ -21,19 +21,19 @@
- name: Check existing EFI boot entries - name: Check existing EFI boot entries
ansible.builtin.command: efibootmgr ansible.builtin.command: efibootmgr
register: _efi_entries register: configuration_efi_entries
changed_when: false changed_when: false
- name: Ensure EFI boot entry exists - name: Ensure EFI boot entry exists
when: ('* ' + _efi_vendor) not in _efi_entries.stdout when: ('* ' + _efi_vendor) not in configuration_efi_entries.stdout
ansible.builtin.command: >- ansible.builtin.command: >-
efibootmgr -c efibootmgr -c
-L '{{ _efi_vendor }}' -L '{{ _efi_vendor }}'
-d '{{ install_drive }}' -d '{{ install_drive }}'
-p 1 -p 1
-l '\EFI\{{ _efi_vendor }}\{{ _efi_loader }}' -l '\EFI\{{ _efi_vendor }}\{{ _efi_loader }}'
register: _efi_entry_result register: configuration_efi_entry_result
changed_when: _efi_entry_result.rc == 0 changed_when: configuration_efi_entry_result.rc == 0
- name: Ensure lvm2 for non btrfs filesystems - name: Ensure lvm2 for non btrfs filesystems
when: os == "archlinux" and system_cfg.filesystem != "btrfs" when: os == "archlinux" and system_cfg.filesystem != "btrfs"
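Review bot: The rename to `configuration_efi_entries` / `configuration_efi_entry_result` is only half done — `_efi_vendor` and `_efi_loader` on the same task keep the underscore prefix the commit is removing, so the var-naming lint presumably still flags this file (those two are defined outside the hunk). Renaming them in the same pass, e.g. `configuration_efi_vendor` and `configuration_efi_loader`, avoids a second rename later.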


@@ -142,7 +142,7 @@
regexp: "^HOOKS=" regexp: "^HOOKS="
line: >- line: >-
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
block sd-encrypt lvm2 filesystems fsck) block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
- name: Read mkinitcpio configuration - name: Read mkinitcpio configuration
when: os == 'archlinux' when: os == 'archlinux'
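Review bot: `system_cfg.filesystem != 'btrfs'` now decides both the HOOKS line here and the `Ensure lvm2 for non btrfs filesystems` task in the previous file; if those two ever disagree, the initramfs either lacks the lvm2 hook or references a binary that was not installed. A fact such as `configuration_lvm2_required: "{{ system_cfg.filesystem != 'btrfs' }}"` used in both places keeps them in step. The lineinfile task this line belongs to starts outside the hunk.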


@@ -10,7 +10,7 @@
if system_cfg.features.ssh.enabled | bool else '' if system_cfg.features.ssh.enabled | bool else ''
}} }}
{{ {{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd' ' logrotate systemd-timesyncd'
if os == 'archlinux' else '' if os == 'archlinux' else ''
}} }}
register: configuration_enable_services_result register: configuration_enable_services_result
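Review bot: Dropping `systemd-resolved` and `systemd-networkd` from the Arch service list is presumably the "service conflicts" fix the title mentions, but nothing in the file says which service they conflict with, and the leading space in `' logrotate systemd-timesyncd'` is load-bearing for the string concatenation with the fragment above it. A comment on the line would save the next reader from re-adding them, e.g. `# resolved/networkd intentionally not enabled: they conflict with the network stack configured elsewhere` (naming the actual service) and `# leading space: joined onto the previous fragment`. The enclosing command task starts outside the hunk.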


@@ -7,6 +7,7 @@
ansible.builtin.command: "{{ configuration_root_cmd }}" ansible.builtin.command: "{{ configuration_root_cmd }}"
register: configuration_root_result register: configuration_root_result
changed_when: configuration_root_result.rc == 0 changed_when: configuration_root_result.rc == 0
no_log: true
- name: Create user accounts - name: Create user accounts
vars: vars:
@@ -24,6 +25,7 @@
label: "{{ item.name }}" label: "{{ item.name }}"
register: configuration_user_result register: configuration_user_result
changed_when: configuration_user_result.rc == 0 changed_when: configuration_user_result.rc == 0
no_log: true
- name: Ensure .ssh directory exists - name: Ensure .ssh directory exists
when: item['keys'] | default([]) | length > 0 when: item['keys'] | default([]) | length > 0
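Review bot: `no_log: true` hides the task output, but if `configuration_root_cmd` passes the password as a command-line argument (its definition is outside the hunk), the value is still readable from the process list on the target while the command runs, independent of Ansible's logging. Feeding it via `stdin:` on the command module — e.g. `ansible.builtin.command: "{{ chroot_command }} chpasswd"` with `stdin: "root:{{ <root password var> }}"` — keeps it out of argv; the same consideration applies to the per-user command below. Adjust the variable names to whatever the task actually uses.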


@@ -49,6 +49,7 @@
ansible_password: "{{ system_cfg.users[0].password }}" ansible_password: "{{ system_cfg.users[0].password }}"
ansible_become_password: "{{ system_cfg.users[0].password }}" ansible_become_password: "{{ system_cfg.users[0].password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
no_log: true
- name: Set connection for VMware - name: Set connection for VMware
when: hypervisor_type == "vmware" when: hypervisor_type == "vmware"


@@ -174,6 +174,7 @@
hostname: "{{ system_name }}" hostname: "{{ system_name }}"
os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}" os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
os_version: "{{ system_raw.version | default('') | string }}" os_version: "{{ system_raw.version | default('') | string }}"
no_log: true
- name: Populate primary network fields from first interface - name: Populate primary network fields from first interface
when: when:
@@ -294,4 +295,3 @@
- system_disks_cfg[0].device | string | length > 0 - system_disks_cfg[0].device | string | length > 0
ansible.builtin.set_fact: ansible.builtin.set_fact:
install_drive: "{{ system_disks_cfg[0].device }}" install_drive: "{{ system_disks_cfg[0].device }}"


@@ -93,7 +93,7 @@
failed_when: false failed_when: false
- name: Wipe filesystem signatures - name: Wipe filesystem signatures
ansible.builtin.command: >- ansible.builtin.shell: >-
find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \; find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;
register: partitioning_wipefs_result register: partitioning_wipefs_result
changed_when: false changed_when: false
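Review bot: Moving this task from `command` to `shell` means `install_drive` (set from `system_disks_cfg[0].device` elsewhere in this commit) is now expanded by a shell before `find` runs, so any shell metacharacter in that config value is interpreted rather than handed to `find`, with the destructive `wipefs --force --all` behind it. If `shell` is needed for the `{} \;` handling, quote the pattern, e.g. `find /dev -wholename {{ (install_drive ~ '*') | quote }} -exec wipefs --force --all {} \;` — `find` still does the wildcard matching itself; otherwise the `command` form with the same argv works because `find`, not the shell, matches the pattern. ansible-lint's `command-instead-of-shell` rule will presumably flag this line now, so either the `command` form or a `# noqa` with the reason keeps the audit clean.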


@@ -37,6 +37,7 @@
type: qemu type: qemu
register: system_check_proxmox_check_result register: system_check_proxmox_check_result
changed_when: false changed_when: false
no_log: true
- name: Abort if VM already exists on Proxmox - name: Abort if VM already exists on Proxmox
when: hypervisor_type == "proxmox" when: hypervisor_type == "proxmox"
@@ -63,6 +64,7 @@
register: system_check_vmware_check_result register: system_check_vmware_check_result
failed_when: false failed_when: false
changed_when: false changed_when: false
no_log: true
- name: Fail if vCenter lookup failed unexpectedly - name: Fail if vCenter lookup failed unexpectedly
when: hypervisor_type == "vmware" when: hypervisor_type == "vmware"


@@ -74,6 +74,7 @@
searchdomains: "{{ system_cfg.network.dns.search if system_cfg.network.dns.search | length else omit }}" searchdomains: "{{ system_cfg.network.dns.search if system_cfg.network.dns.search | length else omit }}"
onboot: true onboot: true
state: present state: present
no_log: true
- name: Start VM on Proxmox - name: Start VM on Proxmox
delegate_to: localhost delegate_to: localhost
@@ -85,6 +86,7 @@
name: "{{ hostname }}" name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: started state: started
no_log: true
register: virtualization_proxmox_start_result register: virtualization_proxmox_start_result
- name: Set VM created fact - name: Set VM created fact


@@ -65,6 +65,7 @@
} ] if rhel_iso is defined and rhel_iso | length > 0 else [] ) } ] if rhel_iso is defined and rhel_iso | length > 0 else [] )
}} }}
networks: "{{ virtualization_vmware_networks }}" networks: "{{ virtualization_vmware_networks }}"
no_log: true
register: virtualization_vmware_create_result register: virtualization_vmware_create_result
- name: Set VM created fact when VM was powered on during creation - name: Set VM created fact when VM was powered on during creation
@@ -87,6 +88,7 @@
folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}" folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
name: "{{ hostname }}" name: "{{ hostname }}"
state: present state: present
no_log: true
- name: Start VM in vCenter - name: Start VM in vCenter
when: virtualization_tpm2_enabled | bool when: virtualization_tpm2_enabled | bool
@@ -99,6 +101,7 @@
datacenter: "{{ hypervisor_cfg.datacenter }}" datacenter: "{{ hypervisor_cfg.datacenter }}"
name: "{{ hostname }}" name: "{{ hostname }}"
state: powered-on state: powered-on
no_log: true
register: virtualization_vmware_start_result register: virtualization_vmware_start_result
- name: Set VM created fact when VM was started separately (TPM2 case) - name: Set VM created fact when VM was started separately (TPM2 case)