diff --git a/main.yml b/main.yml index 385d9c8..fcf8be4 100644 --- a/main.yml +++ b/main.yml @@ -43,6 +43,7 @@ - os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rocky", "ubuntu", "ubuntu-lts"] - os not in ["rhel8", "rhel9"] or rhel_iso is defined - (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20) + - (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16) fail_msg: Invalid input specified, please try again. - name: Set connection diff --git a/roles/bootstrap/vars/packages.yml b/roles/bootstrap/vars/packages.yml index 78958e0..5a495a9 100644 --- a/roles/bootstrap/vars/packages.yml +++ b/roles/bootstrap/vars/packages.yml @@ -53,6 +53,7 @@ archlinux: - sudo - vim - wireguard-tools + - zram-generator debian11: base: diff --git a/roles/cleanup/tasks/main.yml b/roles/cleanup/tasks/main.yml index 2b82a75..258517d 100644 --- a/roles/cleanup/tasks/main.yml +++ b/roles/cleanup/tasks/main.yml @@ -1,9 +1,4 @@ --- -- name: Unmount /mnt recursively - ansible.builtin.command: umount -l /mnt - changed_when: result.rc == 0 - register: result - - name: Setup Cleanup when: hypervisor == "proxmox" delegate_to: localhost diff --git a/roles/configuration/tasks/main.yml b/roles/configuration/tasks/main.yml index 12c892b..8d0e663 100644 --- a/roles/configuration/tasks/main.yml +++ b/roles/configuration/tasks/main.yml @@ -154,6 +154,14 @@ changed_when: result.rc == 0 register: result + - name: Ensure lvm2 for non btrfs filesystems + when: os | lower == "archlinux" and filesystem != "btrfs" + ansible.builtin.lineinfile: + path: /mnt/etc/mkinitcpio.conf + regexp: '^(HOOKS=.*block)(?!.*lvm2)(.*)' + line: '\1 lvm2\2' + backrefs: true + - name: Regenerate initramfs when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] ansible.builtin.command: arch-chroot /mnt 
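Review bot: The swap-size expression added to this assert (`(vm_memory | float / 1024 >= 16.0) | ternary(vm_memory | float / 2048, [vm_memory | float / 1024, 4.0] | max)`) is spelled out again in roles/partitioning/tasks/btrfs.yml (mkswapfile) and twice in roles/partitioning/tasks/main.yml (the root and swap lvol sizes), and the four copies already disagree on `| int` truncation. Compute it once, e.g. a `set_fact` of `swap_size_gb: "{{ (vm_memory | float / 1024 >= 16.0) | ternary(vm_memory | float / 2048, [vm_memory | float / 1024, 4.0] | max) }}"` before the assert, and reference that fact in the other three places so the disk-space check and the volumes it protects cannot drift apart. A comment on the new line stating the rule it encodes (`# swap = RAM/2 above 16 GiB, else max(RAM, 4 GiB); root needs 16 GiB on top`) would also help, since `vm_memory` appears to be in MiB (divided by 1024) but nothing on the page says so.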
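Review bot: `zram-generator` is added only to the archlinux package list, while the rest of the commit creates a disk swap area (btrfs swap file or swap LV) for every filesystem and OS; the intended relationship between the two is not stated. As far as this diff shows, no zram-generator configuration is added, and the generator creates no devices without one, so a comment above the line (`# zram-generator: needs /etc/systemd/zram-generator.conf to take effect`) or the config itself would make the intent clear.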
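Review bot: The `regexp: '^(HOOKS=.*block)(?!.*lvm2)(.*)'` with `backrefs: true` splices `lvm2` directly after `block`, and the negative lookahead turns the task into a no-op once `lvm2` is anywhere later on the line; neither behaviour is documented, so add a comment such as `# insert lvm2 right after block; matches nothing (no change) if lvm2 is already present`. If a HOOKS line in this project can carry `encrypt` after `block` (not visible here), lvm2 would be placed before it, which is the wrong order for LVM on LUKS; if that case exists, anchor on the last of `block`/`encrypt` instead. The task also runs on `/mnt/etc/mkinitcpio.conf` on the target image rather than in the chroot, which is fine but worth a word next to the `path:` line.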
diff --git a/roles/partitioning/tasks/btrfs.yml b/roles/partitioning/tasks/btrfs.yml index 7bb3c23..c5ba5b3 100644 --- a/roles/partitioning/tasks/btrfs.yml +++ b/roles/partitioning/tasks/btrfs.yml @@ -21,25 +21,33 @@ register: result - name: Make root subvolumes - when: cis | bool or item.subvol not in ['var_log', 'var_log_audit'] + when: cis | bool or item.subvol not in ['var_log_audit'] ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} changed_when: result.rc == 0 register: result loop: - { subvol: root } + - { subvol: swap } - { subvol: home } - { subvol: var } - { subvol: var_log } - { subvol: var_log_audit } - name: Set quotas for subvolumes - when: cis | bool or item.subvol not in ['var_log', 'var_log_audit'] + when: cis | bool or item.subvol not in ['var_log_audit'] ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} changed_when: result.rc == 0 register: result loop: - { subvol: home, quota: 2G } + - name: Create a Btrfs swap file + ansible.builtin.command: >- + btrfs filesystem mkswapfile --size {{ ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory + | float / 2048) | int, [vm_memory | float / 1024, 4.0] | max) | int) }}g --uuid clear /mnt/@swap/swapfile + changed_when: result.rc == 0 + register: result + - name: Unmount Partition ansible.posix.mount: path: /mnt diff --git a/roles/partitioning/tasks/ext4.yml b/roles/partitioning/tasks/ext4.yml index e188a96..2dda340 100644 --- a/roles/partitioning/tasks/ext4.yml +++ b/roles/partitioning/tasks/ext4.yml @@ -1,6 +1,6 @@ --- - name: Create and format ext4 logical volumes - when: cis | bool or item.lv not in ['var_log', 'var_log_audit'] + when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] community.general.filesystem: dev: /dev/sys/{{ item.lv }} fstype: ext4 
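Review bot: "Create a Btrfs swap file" runs `btrfs filesystem mkswapfile` unconditionally with `changed_when: result.rc == 0`, so a rerun of the role reports changed and, if the file already exists, fails; adding `args: creates: /mnt/@swap/swapfile` makes the task skip cleanly on an existing swap file. The `| int` on the size also truncates (e.g. 7.5 GiB of RAM becomes a 7g swap file), whereas the LVM path in roles/partitioning/tasks/main.yml passes the un-truncated value and the assert in main.yml checks against the un-truncated value as well; either drop the `| int` here or apply it everywhere. The `--uuid clear` and `mkswapfile` subcommand depend on a recent btrfs-progs; a comment naming the minimum version this installer assumes would save the next reader a lookup.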
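Review bot: The exclusion list `['home', 'var', 'var_log', 'var_log_audit']` in the new `when:` is now repeated verbatim in the second ext4.yml hunk, in xfs.yml, and in the lvol and blkid tasks of roles/partitioning/tasks/main.yml, so the next addition (or removal) of a CIS-only volume has to be made in five places. Define it once in the role's vars, e.g. `cis_only_lvs: ['home', 'var', 'var_log', 'var_log_audit']`, and write each condition as `when: cis | bool or item.lv not in cis_only_lvs`. A short comment on that variable explaining that these volumes exist only to satisfy the CIS separate-partition controls would document the why that the conditions alone do not convey.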
@@ -13,7 +13,7 @@ - { lv: var_log_audit } - name: Remove Unsupported features for older Systems - when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['var_log', 'var_log_audit']) + when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']) ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" changed_when: result.rc == 0 register: result diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml index 8aa262e..66b6933 100644 --- a/roles/partitioning/tasks/main.yml +++ b/roles/partitioning/tasks/main.yml @@ -36,19 +36,22 @@ pvs: "{{ install_drive }}{{ main_partition_suffix }}" - name: Create LVM logical volumes - when: cis | bool or item.lv not in ['var_log', 'var_log_audit'] + when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] community.general.lvol: vg: sys lv: "{{ item.lv }}" size: "{{ item.size }}" state: present loop: - - { lv: root, size: "{{ '12G' if (vm_size | int * 0.4) < 12 - else (vm_size | int * 0.4) | round(0, 'ceil') | int | string + 'G' }}" } - - { lv: home, size: 2G } - - { lv: var, size: 2G } - - { lv: var_log, size: 2G } - - { lv: var_log_audit, size: 1.5G } + - { lv: root, size: "{{ [(vm_size | float) - 0.5 - (((vm_memory | float / 1024) >= 16.0) + | ternary((vm_memory | float / 1024 / 2) | int, 4)) - 7.5, 1] | max | float + | round(1) | string + 'G' }}" } + - { lv: swap, size: "{{ ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048) + | int, [vm_memory | float / 1024, 4.0] | max)) | string + 'G' }}" } + - { lv: home, size: "2G" } + - { lv: var, size: "2G" } + - { lv: var_log, size: "2G" } + - { lv: var_log_audit, size: "1.5G" } - name: Create filesystems block: 
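Review bot: The root lvol size subtracts a constant `4` for machines with less than 16 GiB of RAM (`ternary((vm_memory | float / 1024 / 2) | int, 4)`), but the swap lvol two lines below is sized with `[vm_memory | float / 1024, 4.0] | max`, so for RAM between 4 and 16 GiB the swap LV is larger than what root budgeted for. With `cis` enabled and the minimum disk the assert in main.yml allows, root + swap + the 7.5 GiB of CIS volumes then exceeds `vm_size` and the last lvol creation fails for lack of free extents. Use the same term in both places, `ternary((vm_memory | float / 1024 / 2) | int, [vm_memory | float / 1024, 4.0] | max)`, or derive both from one shared swap-size fact. The meaning of the `- 0.5` (presumably boot/metadata reserve) and the `- 7.5` (the four CIS volumes, subtracted even when `cis` is false) should be stated in a comment above the loop.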
@@ -59,6 +62,12 @@ opts: -F32 -n BOOT force: true + - name: Create swap filesystem + when: filesystem != 'btrfs' + community.general.filesystem: + fstype: swap + dev: /dev/sys/swap + - name: Create filesystem ansible.builtin.include_tasks: "{{ filesystem }}.yml" 
@@ -73,30 +82,35 @@ register: main_uuid - name: Get UUIDs for LVM filesystems - when: filesystem != 'btrfs' and (cis | bool or item not in ['var_log', 'var_log_audit']) + when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit']) ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }} changed_when: false register: uuid_result loop: - root + - swap - home - var - var_log - var_log_audit - name: Assign UUIDs to Variables + when: filesystem != 'btrfs' ansible.builtin.set_fact: uuid_root: "{{ uuid_result.results[0].stdout_lines }}" - uuid_home: "{{ uuid_result.results[1].stdout_lines }}" - uuid_var: "{{ uuid_result.results[2].stdout_lines }}" - uuid_var_log: "{{ uuid_result.results[3].stdout_lines if cis == true else '' }}" - uuid_var_log_audit: "{{ uuid_result.results[4].stdout_lines if cis == true else '' }}" - when: filesystem != 'btrfs' + uuid_swap: "{{ uuid_result.results[1].stdout_lines }}" + uuid_home: "{{ uuid_result.results[2].stdout_lines if cis | bool else '' }}" + uuid_var: "{{ uuid_result.results[3].stdout_lines if cis | bool else '' }}" + uuid_var_log: "{{ uuid_result.results[4].stdout_lines if cis | bool else '' }}" + uuid_var_log_audit: "{{ uuid_result.results[5].stdout_lines if cis | bool else '' }}" - name: Mount filesystems block: - name: Mount filesystems and subvolumes - when: cis | bool or (not cis and item.path != '/var/log' and item.path != '/var/log/audit') + when: + - cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs') + or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit'])) + - not (item.path == '/swap' and filesystem != 'btrfs') ansible.posix.mount: path: /mnt{{ item.path }} src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" 
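Review bot: The new mount condition mixes `cis | bool` with a bare `not cis`; when `cis` arrives as a string such as "false" from extra-vars, `not cis` is False, so the newly added `/var/log`-on-btrfs branch is never taken for non-CIS installs even though the subvolume is now created in btrfs.yml. Write the guard as `- cis | bool or (not (cis | bool) and item.path == '/var/log' and filesystem == 'btrfs') or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit'])` so both sides use the same coercion, and keep the explicit parentheses because `and` binds tighter than `or` here. The `uuid_*` set_fact indices (0 through 5) now depend on the order of the blkid loop above, including the inserted `swap`; a comment `# indices follow the loop order of "Get UUIDs for LVM filesystems"` would protect the next edit.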
@@ -107,6 +121,8 @@ - path: "" uuid: "{{ uuid_root[0] | default(omit) }}" opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" + - path: /swap + opts: "rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@swap" - path: /home uuid: "{{ uuid_home[0] | default(omit) }}" opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' @@ -141,3 +157,8 @@ src: UUID={{ boot_uuid.stdout }} fstype: vfat state: mounted + + - name: Activate swap + ansible.builtin.command: "{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + uuid_swap[0] }}" + changed_when: result.rc == 0 + register: result diff --git a/roles/partitioning/tasks/xfs.yml b/roles/partitioning/tasks/xfs.yml index b4f29b5..c9eb6de 100644 --- a/roles/partitioning/tasks/xfs.yml +++ b/roles/partitioning/tasks/xfs.yml @@ -1,6 +1,6 @@ --- - name: Create and format XFS logical volumes - when: cis | bool or item.lv not in ['var_log', 'var_log_audit'] + when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] community.general.filesystem: dev: /dev/sys/{{ item.lv }} fstype: xfs
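Review bot: "Activate swap" enables the target's swap file or LV on the host running the play and nothing turns it off again: no `swapoff` is added, and the same commit deletes the "Unmount /mnt recursively" task from roles/cleanup, so `/mnt` and the swap LV stay busy after the play. If the activation is needed at all (the purpose is not stated; add `# why: ...` above the task), pair it with a cleanup task such as `- name: Deactivate swap` / `ansible.builtin.command: "{{ 'swapoff /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapoff -U ' + uuid_swap[0] }}"`. As written the task is also not rerunnable, since `swapon` on an already-active area returns non-zero and `changed_when: result.rc == 0` is otherwise always true; checking `/proc/swaps` first or adding an appropriate `failed_when` would fix that.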