diff --git a/README.md b/README.md
index 6f90704..036c6c9 100644
--- a/README.md
+++ b/README.md
@@ -58,13 +58,13 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
 | Variable | Description | Example Value |
 | ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
 | `install_type` | Type of installation. | `virtual`, `physical` |
-| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
+| `hypervisor` | Type of hypervisor (required for virtual installs). | `libvirt`, `proxmox`, `vmware`, `none` |
 | `install_drive` | Drive where the system will be installed. | `/dev/sda` |
 | `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
 | `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8/9/10. | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
 | `custom_iso` (optional) | Skip ArchISO checks and pacman setup on installer media. | `true`, `false (default)` |
-| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
-| `selinux` (optional) | Toggle SELinux where supported. | `true`, `false` |
+| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false (default)` |
+| `selinux` (optional) | Toggle SELinux where supported. | `true (default)`, `false` |
 
 ### 2.2 Hypervisor Access (virtual installs)
@@ -78,7 +78,7 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
 | `hypervisor_node` | Hypervisor node name. | `node01` |
 | `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
 | `vm_path` (optional) | Libvirt image dir or VMware folder path. | `/var/lib/libvirt/images` |
-| `vmware_ssh` | If Ansible should use SSH after base VMware setup. | `true`, `false` |
+| `vmware_ssh` | If Ansible should use SSH after base VMware setup. | `true`, `false (default)` |
 | `vlan_name` (optional) | VLAN for the VM's network interface. | `vlan100` |
 | `note` (optional) | VMware VM annotation. | `Provisioned by Ansible` |
@@ -161,7 +161,7 @@ These are prompted by default via `vars_prompt` in `main.yml`, but can be suppli
 | `vm_id` | Unique identifier for the VM. | `101` |
 | `vm_size` | Disk size allocated in GB. | `20` |
 | `vm_memory` | Amount of memory in MB. | `2048` |
-| `vm_cpus` | Number of CPU cores. | `4` |
+| `vm_cpus` | Number of CPU cores (virtual installs). | `4` |
 | `vm_ballo` | Ballooning memory size (optional).| `2048` |
 
 ### 3.5 Post-install Packages
@@ -194,7 +194,7 @@ Use `inventory_example.yml`, `vars_example.yml`, and the bare-metal examples as
 
 ## Notes
 
-- `vm_size`/`vm_memory` are required for virtual installs only, physical installs use the full disk.
+- `vm_size`/`vm_memory`/`vm_cpus` are required for virtual installs only, physical installs use the full disk.
 - `vm_dns` and `vm_dns_search` accept comma-separated strings or YAML lists.
 - `hypervisor` determines which backend-specific roles run.
 - Guest tools are installed based on `hypervisor`: `qemu-guest-agent` for `libvirt`/`proxmox`, `open-vm-tools` for `vmware`, otherwise none.
diff --git a/main.yml b/main.yml
index 1db63ad..10eb0bd 100644
--- a/main.yml
+++ b/main.yml
@@ -34,13 +34,15 @@
 ansible.builtin.assert:
 that:
 - install_type is defined and install_type in ["virtual", "physical"]
- - hypervisor is defined and hypervisor in ["libvirt", "proxmox", "vmware", "none"]
+ - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
+ - install_type is defined and (install_type == "physical" or hypervisor in ["libvirt", "proxmox", "vmware"])
 - filesystem is defined and filesystem in ["btrfs", "ext4", "xfs"]
 - install_drive is defined and install_drive | length > 0
 - hostname is defined and hostname | length > 0
 - os is defined and os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
 - os is defined and (os not in ["rhel8", "rhel9", "rhel10"] or (rhel_iso is defined and rhel_iso | length > 0))
 - install_type is defined and (install_type == "physical" or (boot_iso is defined and boot_iso | length > 0))
+ - install_type is defined and (install_type == "physical" or (vm_cpus is defined and (vm_cpus | int) > 0))
 - install_type is defined and (install_type == "physical" or (vm_size is defined and (vm_size | float) > 0))
 - install_type is defined and (install_type == "physical" or (vm_memory is defined and (vm_memory | float) > 0))
 - >-
diff --git a/roles/configuration/tasks/selinux.yml b/roles/configuration/tasks/selinux.yml
index e52b100..0c2176e 100644
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -3,7 +3,7 @@
 when: is_rhel | bool
 block:
 - name: Fix SELinux by pre-labeling the filesystem before first boot
- when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux is not defined or selinux | bool)
+ when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
 ansible.builtin.command: >
 arch-chroot /mnt /sbin/setfiles -v -F -e /dev -e /proc -e /sys -e /run
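Review bot: The rewritten `hypervisor in [...]` assertion drops the `is defined` guard and now depends on the `hypervisor: "none"` default added in roles/global_defaults/defaults/main.yml; that default is only in scope here if global_defaults is applied through the play's `roles:` list or otherwise loaded before this assert runs, which the hunk does not show, and if the role is brought in by a later `include_role` an unset `hypervisor` surfaces as an undefined-variable error instead of this assert's failure. Keeping `- hypervisor is defined and hypervisor in ["libvirt", "proxmox", "vmware", "none"]` preserves the explicit failure at no cost. The added `vm_cpus` line relies on `| int`, which turns a non-numeric value such as `"four"` into 0 rather than erroring, so the assertion fails without indicating that the value was not a number; `(vm_cpus | string) is match("^[1-9][0-9]*$")` reports that case directly. The assert task's `fail_msg`, if it has one, lies outside the hunk.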
@@ -12,7 +12,7 @@
 changed_when: configuration_setfiles_result.rc == 0
 - name: Disable SELinux
- when: os | lower == "fedora" or (selinux is defined and not (selinux | bool))
+ when: os | lower == "fedora" or not selinux | bool
 ansible.builtin.lineinfile:
 path: /mnt/etc/selinux/config
 regexp: ^SELINUX=
diff --git a/roles/environment/tasks/main.yml b/roles/environment/tasks/main.yml
index 661faca..4237c70 100644
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -62,7 +62,7 @@
 changed_when: false
 - name: Configure SSH for root login
- when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
+ when: hypervisor == "vmware" and vmware_ssh | bool
 block:
 - name: Allow login
 ansible.builtin.replace:
diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index d9f41da..0442f29 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -1,7 +1,12 @@
 ---
-vm_cpus: 4
-cis_enabled: "{{ cis is defined and cis | bool }}"
-custom_iso_enabled: "{{ custom_iso is defined and custom_iso | bool }}"
+hypervisor: "none"
+custom_iso: false
+cis: false
+selinux: true
+vmware_ssh: false
+
+cis_enabled: "{{ cis | bool }}"
+custom_iso_enabled: "{{ custom_iso | bool }}"
 luks_enabled: false
 luks_mapper_name: "SYSTEM_DECRYPTED"
diff --git a/vars_baremetal_example.yml b/vars_baremetal_example.yml
index abb1735..ee3610c 100644
--- a/vars_baremetal_example.yml
+++ b/vars_baremetal_example.yml
@@ -6,6 +6,9 @@ install_drive: "/dev/sda"
 os: "archlinux"
 filesystem: "btrfs"
+cis: false
+selinux: true
+
 luks_enabled: true
 luks_passphrase: "1234"
 luks_mapper_name: "SYSTEM_DECRYPTED"
diff --git a/vars_example.yml b/vars_example.yml
index 9a1ced8..3aa7075 100644
--- a/vars_example.yml
+++ b/vars_example.yml
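Review bot: With `selinux` now defaulting to `true`, the `Disable SELinux` condition still fires unconditionally on Fedora (`os | lower == "fedora" or ...`), so on that OS the documented default is silently overridden, and the README row changed in this same commit describes `selinux` as `true (default)` without that exception. If the Fedora branch is intentional, say so where a reader will look: a comment above the task such as `# Fedora: SELinux is always disabled here regardless of the selinux variable; see README` plus a matching caveat in the README row. Whether this task still sits inside the `is_rhel` block from the first hunk cannot be seen here; the enclosing task list starts before this hunk.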
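Review bot: The `Configure SSH for root login` block now gates a security-sensitive change (allowing root SSH access) purely on `vmware_ssh | bool`, while the opt-in default `vmware_ssh: false` lives in roles/global_defaults/defaults/main.yml, so a reader of this task cannot tell that it is off unless explicitly enabled. Add a comment above the task making the gate and its intent explicit, e.g. `# Opt-in only: vmware_ssh defaults to false in roles/global_defaults; enables root SSH login for post-install automation on VMware guests`. Whether the block later re-tightens the sshd setting is outside the hunk, and the block's remaining tasks continue past it.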
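Review bot: `cis_enabled` and `custom_iso_enabled` are now plain aliases of `cis | bool` and `custom_iso | bool`, so the same setting exists under two names in this defaults file; unless other roles still read the `_enabled` forms, consider retiring them, and if they stay, a comment above them such as `# Aliases kept for roles that still read *_enabled; set cis/custom_iso instead` keeps new code from targeting the wrong one. Role defaults sit at the lowest variable precedence, so inventory, host_vars and extra-vars values override `hypervisor`, `selinux` and `vmware_ssh` as intended. A one-line comment naming the security-relevant choices, e.g. `# SELinux stays enabled and VMware root SSH stays disabled unless explicitly overridden`, documents that decision where it is made.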
@@ -5,6 +5,8 @@ vm_ip: "{{ inventory_hostname }}"
 install_type: "virtual"
 install_drive: "/dev/sda" # Use /dev/vda for virtio/libvirt.
 custom_iso: false # Set true to skip ArchISO-specific validation and pacman setup.
+cis: false # Set true to enable CIS hardening.
+selinux: true # Toggle SELinux where supported.
 hypervisor_url: "pve01.example.com"
 hypervisor_username: "root@pam"