diff --git a/README.md b/README.md
index e3998ef..ec81244 100644
--- a/README.md
+++ b/README.md
@@ -149,11 +149,12 @@ all:
These top-level variables sit outside the `system`/`hypervisor` dictionaries.
-| Variable | Type | Description |
-| ------------ | ------ | ------------------------------------------------ |
-| `boot_iso` | string | Path to the boot ISO image (required for virtual installs). |
-| `rhel_iso` | string | Path to the RHEL ISO (required when `system.os: rhel`). |
-| `custom_iso` | bool | Skip ArchISO validation and pacman setup. Default `false`. |
+| Variable | Type | Description |
+| ----------------------------------- | ------ | ------------------------------------------------ |
+| `boot_iso` | string | Path to the boot ISO image (required for virtual installs). |
+| `rhel_iso` | string | Path to the RHEL ISO (required when `system.os: rhel`). |
+| `custom_iso` | bool | Skip ArchISO validation and pacman setup. Default `false`. |
+| `thirdparty_tasks` | string | Drop-in task file included during environment setup. Default `dropins/preparation.yml`. |
### 4.2 `system` Dictionary
diff --git a/roles/configuration/tasks/banner.yml b/roles/configuration/tasks/banner.yml
index aee3bc7..c0c7562 100644
--- a/roles/configuration/tasks/banner.yml
+++ b/roles/configuration/tasks/banner.yml
@@ -26,30 +26,25 @@
- name: Configure sudo banner
when: system_cfg.features.banner.sudo | bool
block:
- - name: Create sudoers banner directory
- ansible.builtin.file:
- path: /mnt/etc/sudoers.d
- state: directory
- mode: "0755"
- owner: root
- group: root
- - name: Create sudo banner file
+ - name: Create sudo lecture file
ansible.builtin.copy:
content: |
I am Groot, and I know what I'm doing.
- dest: /mnt/etc/sudoers.d/banner
+ dest: /mnt/etc/sudo_lecture
mode: "0644"
owner: root
group: root
- - name: Enable sudo banner in sudoers
+ - name: Enable sudo lecture in sudoers
ansible.builtin.lineinfile:
path: /mnt/etc/sudoers
- line: "Defaults lecture=@/etc/sudoers.d/banner"
+ line: "{{ item }}"
state: present
create: true
mode: "0440"
owner: root
group: root
validate: "/usr/sbin/visudo --check --file=%s"
+ loop:
+ - "Defaults lecture=always"
+ - "Defaults lecture_file=/etc/sudo_lecture"
diff --git a/roles/configuration/tasks/bootloader.yml b/roles/configuration/tasks/bootloader.yml
index 9785e90..56259c9 100644
--- a/roles/configuration/tasks/bootloader.yml
+++ b/roles/configuration/tasks/bootloader.yml
@@ -6,9 +6,9 @@
configuration_use_efibootmgr: "{{ is_rhel | bool }}"
configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
configuration_bootloader_id: >-
- {{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
+ {{ "ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os }}
configuration_efi_vendor: >-
- {{ "redhat" if os | lower == "rhel" else os | lower }}
+ {{ "redhat" if os == "rhel" else os }}
configuration_efibootmgr_cmd: >-
/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}"
-p 1 -l '\efi\EFI\{{ configuration_efi_vendor }}\shimx64.efi'
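Review bot: The `Enable sudo lecture in sudoers` task now appends `{{ item }}` with `state: present` but no `regexp`, so an existing `Defaults lecture=` or `Defaults lecture_file=` directive in the target sudoers (or the old `Defaults lecture=@/etc/sudoers.d/banner` line when re-running against an earlier install) is left in place and a second directive is added after it, which makes the effective value depend on line order rather than on this task. Looping over `regexp`/`line` pairs replaces the directive in place and keeps the task idempotent. `lecture=always` shows the lecture file on every sudo invocation, which is presumably what a banner wants, but a short comment such as `# always, not once: this is a login banner, not the first-use lecture` would stop it being "fixed" later. The `Configure sudo banner` block these tasks belong to starts above this hunk.
```yaml
- name: Enable sudo lecture in sudoers
  ansible.builtin.lineinfile:
    path: /mnt/etc/sudoers
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # … unchanged: state, create, mode, owner, group, validate …
  loop:
    - regexp: '^Defaults\s+lecture='
      line: "Defaults lecture=always"
    - regexp: '^Defaults\s+lecture_file='
      line: "Defaults lecture_file=/etc/sudo_lecture"
```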
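Review bot: Dropping `| lower` makes the `os` comparisons in `configuration_bootloader_id` and `configuration_efi_vendor` case-sensitive, and nothing in this commit shows `os` being lower-cased once before these files read it, so an inventory value such as `RHEL` would now fall through to the `else os` branches (EFI vendor path `\EFI\RHEL\`, and `is_rhel` false in the global_defaults/tasks/main.yml hunk) instead of being rejected. If that normalization already exists upstream, a one-line comment naming it would settle this; otherwise add a single check ahead of `Set OS family flags`, e.g. `ansible.builtin.assert:` / `that: os == os | lower` / `fail_msg: "os must be lower-case"`, which unlike a `set_fact` rewrite also holds when `os` comes from extra vars. The same change recurs in the remaining bootloader.yml hunks and in encryption.yml, extras.yml, network.yml, selinux.yml, services.yml and partitioning/defaults/main.yml, and for `system_cfg.filesystem` in grub.yml and partitioning/defaults/main.yml. The `vars:` mapping these lines belong to starts above this hunk.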
@@ -23,7 +23,7 @@
changed_when: configuration_bootloader_result.rc == 0
- name: Ensure lvm2 for non btrfs filesystems
- when: os | lower == "archlinux" and system_cfg.filesystem != "btrfs"
+ when: os == "archlinux" and system_cfg.filesystem != "btrfs"
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
@@ -31,12 +31,12 @@
backrefs: true
- name: Regenerate initramfs
- when: os | lower not in ["alpine", "void"]
+ when: os not in ["alpine", "void"]
vars:
configuration_initramfs_cmd: >-
{{
'/usr/sbin/mkinitcpio -P'
- if os | lower == "archlinux"
+ if os == "archlinux"
else (
'/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
+ '/usr/sbin/update-initramfs -u -k all'
@@ -51,7 +51,7 @@
- name: Generate grub config
vars:
configuration_efi_vendor: >-
- {{ "redhat" if os | lower == "rhel" else os | lower }}
+ {{ "redhat" if os == "rhel" else os }}
configuration_grub_cfg_cmd: >-
{{
'/usr/sbin/grub2-mkconfig -o '
diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index 561e5cc..4230182 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -136,7 +136,7 @@
mode: "0644"
- name: Configure mkinitcpio hooks for LUKS
- when: os | lower == 'archlinux'
+ when: os == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^HOOKS="
@@ -145,13 +145,13 @@
block sd-encrypt lvm2 filesystems fsck)
- name: Read mkinitcpio configuration
- when: os | lower == 'archlinux'
+ when: os == 'archlinux'
ansible.builtin.slurp:
src: /mnt/etc/mkinitcpio.conf
register: configuration_mkinitcpio_slurp
- name: Build mkinitcpio FILES list
- when: os | lower == 'archlinux'
+ when: os == 'archlinux'
vars:
mkinitcpio_files_list: >-
{{
@@ -180,7 +180,7 @@
configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
- name: Configure mkinitcpio FILES list
- when: os | lower == 'archlinux'
+ when: os == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^FILES="
diff --git a/roles/configuration/tasks/extras.yml b/roles/configuration/tasks/extras.yml
index 7242246..9f51aea 100644
--- a/roles/configuration/tasks/extras.yml
+++ b/roles/configuration/tasks/extras.yml
@@ -28,7 +28,7 @@
- name: Create zram config
when:
- (os != "debian" or (os_version | string) != "11") and os != "rhel"
- - os | lower not in ["alpine", "void"]
+ - os not in ["alpine", "void"]
- system_cfg.features.swap.enabled | bool
ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf
diff --git a/roles/configuration/tasks/grub.yml b/roles/configuration/tasks/grub.yml
index eff9c52..e468a67 100644
--- a/roles/configuration/tasks/grub.yml
+++ b/roles/configuration/tasks/grub.yml
@@ -20,7 +20,7 @@
{{
(
partitioning_main_uuid.stdout
- if (system_cfg.filesystem | lower) == 'btrfs'
+ if system_cfg.filesystem == 'btrfs'
else (partitioning_uuid_root | default([]) | first | default(''))
)
| default('')
@@ -36,11 +36,11 @@
else []
)
)
- if (system_cfg.filesystem | lower) != 'btrfs'
+ if system_cfg.filesystem != 'btrfs'
else []
}}
grub_root_flags: >-
- {{ ['rootflags=subvol=@'] if (system_cfg.filesystem | lower) == 'btrfs' else [] }}
+ {{ ['rootflags=subvol=@'] if system_cfg.filesystem == 'btrfs' else [] }}
grub_cmdline_linux_base: >-
{{
(['crashkernel=auto'] + grub_lvm_args)
diff --git a/roles/configuration/tasks/locales.yml b/roles/configuration/tasks/locales.yml
index 8249910..d26ae47 100644
--- a/roles/configuration/tasks/locales.yml
+++ b/roles/configuration/tasks/locales.yml
@@ -78,15 +78,3 @@
content: "LANG={{ system_cfg.locale }}"
dest: /mnt/etc/locale.conf
mode: "0644"
-
-- name: Ensure SSH password authentication is enabled
- ansible.builtin.lineinfile:
- path: /mnt/etc/ssh/sshd_config
- regexp: "^#?PasswordAuthentication\\s+"
- line: "PasswordAuthentication yes"
-
-- name: SSH permit root login
- ansible.builtin.replace:
- path: /mnt/etc/ssh/sshd_config
- regexp: "^#?PermitRootLogin.*"
- replace: "PermitRootLogin yes"
diff --git a/roles/configuration/tasks/main.yml b/roles/configuration/tasks/main.yml
index f862c3c..928314e 100644
--- a/roles/configuration/tasks/main.yml
+++ b/roles/configuration/tasks/main.yml
@@ -5,6 +5,7 @@
- banner.yml
- fstab.yml
- locales.yml
+ - ssh.yml
- services.yml
- grub.yml
- encryption.yml
diff --git a/roles/configuration/tasks/network.yml b/roles/configuration/tasks/network.yml
index bb641e8..aea2b2d 100644
--- a/roles/configuration/tasks/network.yml
+++ b/roles/configuration/tasks/network.yml
@@ -30,7 +30,7 @@
fail_msg: Failed to detect any network interfaces.
- name: Configure NetworkManager profiles
- when: os | lower not in ["alpine", "void"]
+ when: os not in ["alpine", "void"]
block:
- name: Copy NetworkManager keyfile per interface
vars:
@@ -47,14 +47,14 @@
label: "LAN-{{ idx }}"
- name: Fix Ubuntu unmanaged devices
- when: os | lower in ["ubuntu", "ubuntu-lts"]
+ when: os in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: "0644"
- name: Configure Alpine networking
- when: os | lower == "alpine"
+ when: os == "alpine"
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
block:
@@ -90,7 +90,7 @@
{% endfor %}
- name: Configure Void networking
- when: os | lower == "void"
+ when: os == "void"
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
block:
diff --git a/roles/configuration/tasks/selinux.yml b/roles/configuration/tasks/selinux.yml
index fcc8b32..aaaa5ec 100644
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -12,7 +12,7 @@
changed_when: configuration_setfiles_result.rc == 0
- name: Disable SELinux
- when: os | lower == "fedora" or not system_cfg.features.selinux.enabled | bool
+ when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config
regexp: ^SELINUX=
diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml
index 3b28754..bd089bd 100644
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -1,6 +1,6 @@
---
- name: Enable Systemd Services
- when: os | lower not in ['alpine', 'void']
+ when: os not in ['alpine', 'void']
ansible.builtin.command: >
{{ chroot_command }} systemctl enable NetworkManager
{{ ' firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}
@@ -11,13 +11,13 @@
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
- if os | lower == 'archlinux' else ''
+ if os == 'archlinux' else ''
}}
register: configuration_enable_services_result
changed_when: configuration_enable_services_result.rc == 0
- name: Enable OpenRC services
- when: os | lower == 'alpine'
+ when: os == 'alpine'
vars:
configuration_openrc_services: >-
{{
@@ -48,7 +48,7 @@
when: item.stat.exists
- name: Enable runit services
- when: os | lower == 'void'
+ when: os == 'void'
vars:
configuration_runit_services: >-
{{
diff --git a/roles/configuration/tasks/ssh.yml b/roles/configuration/tasks/ssh.yml
new file mode 100644
index 0000000..8d56ef7
--- /dev/null
+++ b/roles/configuration/tasks/ssh.yml
@@ -0,0 +1,12 @@
+---
+- name: Ensure SSH password authentication is enabled
+ ansible.builtin.lineinfile:
+ path: /mnt/etc/ssh/sshd_config
+ regexp: "^#?PasswordAuthentication\\s+"
+ line: "PasswordAuthentication yes"
+
+- name: SSH permit root login
+ ansible.builtin.replace:
+ path: /mnt/etc/ssh/sshd_config
+ regexp: "^#?PermitRootLogin.*"
+ replace: "PermitRootLogin yes"
diff --git a/roles/configuration/tasks/sudo.yml b/roles/configuration/tasks/sudo.yml
index fa287f0..33f08d6 100644
--- a/roles/configuration/tasks/sudo.yml
+++ b/roles/configuration/tasks/sudo.yml
@@ -1,4 +1,12 @@
---
+- name: Ensure sudoers.d directory exists
+ ansible.builtin.file:
+ path: /mnt/etc/sudoers.d
+ state: directory
+ mode: "0755"
+ owner: root
+ group: root
+
- name: Give sudo access to wheel group
ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}"
diff --git a/roles/environment/tasks/main.yml b/roles/environment/tasks/main.yml
index e464df8..2569bae 100644
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -231,9 +231,9 @@
ansible.builtin.set_fact:
environment_thirdparty_tasks_path: >-
{{
- thirdparty_preparation_tasks_path
- if thirdparty_preparation_tasks_path | regex_search('^/')
- else playbook_dir + '/' + thirdparty_preparation_tasks_path
+ thirdparty_tasks
+ if thirdparty_tasks | regex_search('^/')
+ else playbook_dir + '/' + thirdparty_tasks
}}
changed_when: false
@@ -245,6 +245,6 @@
- name: Run third-party preparation tasks
when:
- - thirdparty_preparation_tasks_path | length > 0
+ - thirdparty_tasks | length > 0
- environment_thirdparty_tasks_stat.stat.exists
ansible.builtin.include_tasks: "{{ environment_thirdparty_tasks_path }}"
diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index 093af5c..b49bb72 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
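Review bot: Both tasks in the new ssh.yml run unconditionally, so every installed system ends up with `PermitRootLogin yes` and `PasswordAuthentication yes` in its sshd_config, while comparable behaviour in this role (`system_cfg.features.banner.sudo`, `system_cfg.features.selinux.enabled`, `system_cfg.features.swap.enabled`) is opt-in through a `when:`; the move out of locales.yml is the moment to gate these two behind a feature flag that defaults to off, leaving sshd's own `prohibit-password` default in effect unless the inventory asks otherwise. The second task also uses `ansible.builtin.replace`, which writes nothing when no `PermitRootLogin` line exists, whereas the first task's `lineinfile` appends the directive when its regexp finds no match, so the two tasks give different guarantees for the same kind of edit; `lineinfile` with `regexp: "^#?PermitRootLogin\\s+"` makes them consistent. sshd keeps the first value it reads for an option, so on images whose sshd_config opens with `Include /etc/ssh/sshd_config.d/*.conf` a drop-in there would take precedence over a line appended at the end of the file, which deserves a comment if that limitation is accepted.
```yaml
- name: Ensure SSH password authentication is enabled
  # system_cfg.features.ssh is a proposed key (not yet in defaults); default is off
  when: system_cfg.features.ssh.password_auth | default(false) | bool
  ansible.builtin.lineinfile:
    # … unchanged: path, regexp, line …

- name: SSH permit root login
  when: system_cfg.features.ssh.permit_root_login | default(false) | bool
  ansible.builtin.lineinfile:
    path: /mnt/etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin\\s+"
    line: "PermitRootLogin yes"
```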
@@ -15,7 +15,7 @@ hypervisor_defaults:
ssh: false
custom_iso: false
-thirdparty_preparation_tasks_path: "dropins/preparation.yml"
+thirdparty_tasks: "dropins/preparation.yml"
system_defaults:
type: "virtual" # virtual|physical
diff --git a/roles/global_defaults/tasks/main.yml b/roles/global_defaults/tasks/main.yml
index feb15a3..7c409ea 100644
--- a/roles/global_defaults/tasks/main.yml
+++ b/roles/global_defaults/tasks/main.yml
@@ -14,8 +14,8 @@
- name: Set OS family flags
ansible.builtin.set_fact:
- is_rhel: "{{ os | lower in ['almalinux', 'fedora', 'rhel', 'rocky'] }}"
- is_debian: "{{ os | lower in ['debian', 'ubuntu', 'ubuntu-lts'] }}"
+ is_rhel: "{{ os in ['almalinux', 'fedora', 'rhel', 'rocky'] }}"
+ is_debian: "{{ os in ['debian', 'ubuntu', 'ubuntu-lts'] }}"
- name: Normalize OS version for keying
when:
diff --git a/roles/partitioning/defaults/main.yml b/roles/partitioning/defaults/main.yml
index b97b28d..a1958cd 100644
--- a/roles/partitioning/defaults/main.yml
+++ b/roles/partitioning/defaults/main.yml
@@ -10,12 +10,12 @@ partitioning_use_full_disk: true
partitioning_separate_boot: >-
{{
(system_cfg.luks.enabled | bool)
- and (os | lower not in ['archlinux'])
+ and (os not in ['archlinux'])
}}
partitioning_boot_fs_fstype: >-
{{
- (system_cfg.filesystem | lower)
- if (system_cfg.filesystem | lower) != 'btrfs'
+ system_cfg.filesystem
+ if system_cfg.filesystem != 'btrfs'
else ('xfs' if is_rhel else 'ext4')
}}
partitioning_boot_fs_partition_suffix: >-