diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml
index 4ce3ddb..ea64ca8 100644
--- a/roles/bootstrap/tasks/main.yml
+++ b/roles/bootstrap/tasks/main.yml
@@ -13,7 +13,9 @@
 when: os | lower in ['debian11', 'debian12']
 ansible.builtin.command: "{{ item }}"
 with_items:
- - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/
+ - |
+ debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} \
+ /mnt http://deb.debian.org/debian/
 - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
 - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
@@ -21,7 +23,9 @@
 when: os | lower in ['ubuntu', 'ubuntu-lts']
 ansible.builtin.command: "{{ item }}"
 with_items:
- - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} /mnt http://archive.ubuntu.com/ubuntu/
+ - |
+ debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} \
+ /mnt http://archive.ubuntu.com/ubuntu/
 - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
 - arch-chroot /mnt apt update -y
 - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
@@ -38,7 +42,9 @@
 when: os | lower == 'fedora'
 ansible.builtin.command: "{{ item }}"
 with_items:
- - dnf --releasever=40 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
+ - |
+ dnf --releasever=40 --best --repo=fedora --repo=fedora-updates \
+ --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
 - arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
 - arch-chroot /mnt dnf reinstall -y kernel-core
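Review bot: The new `|` literal blocks end their first line with `\`, but `ansible.builtin.command` does not start a shell, so nothing treats that as a continuation: the block keeps the newline, and after the module's shlex-style argument splitting the next argument most likely arrives as `"\n/mnt"` for debootstrap and `"\n--installroot=/mnt"` for dnf, which neither tool will accept. All three hunks in this file (old lines 13, 21 and 38) share the pattern. Use a folded scalar and drop the backslashes, `- >-` with the two command lines beneath it at the same indent, so YAML joins them with a single space and the `command` module sees one line. Keeping `|` plus the backslash would require switching these tasks to `ansible.builtin.shell`, which is a bigger change than a reformat.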
diff --git a/roles/cis/tasks/main.yml b/roles/cis/tasks/main.yml
index bc0e2db..97f3bee 100644
--- a/roles/cis/tasks/main.yml
+++ b/roles/cis/tasks/main.yml
@@ -93,14 +93,13 @@
 - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
 - { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
 - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
- - path: /mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth"
- }}
- content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
- - path: /mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else
- "pam.d/system-auth" }}
- content: account required pam_faillock.so
- - path: /mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}
- content: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
+ - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
+ else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
+ content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
+ - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
+ if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so }
+ - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
+ content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
 - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
 - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
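Review bot: The rewritten `path` expressions test `os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]` and `os == "fedora"` without the `| lower` filter that the bootstrap and configuration roles apply to the same variable, so an `os` value those roles accept in mixed case would miss both branches here and the faillock lines would land in `pam.d/system-auth` instead. Writing `if os | lower in [...]` and `if os | lower == "fedora"` in the three new items keeps the PAM edits on the file the other roles assume. For the Fedora branch, `/etc/authselect/system-auth` is generated from an authselect profile, so a direct edit may be reset or flagged as a local modification the next time a profile is applied; a comment such as `# Fedora: system-auth is authselect-managed; a custom profile is the durable way to add faillock` would record that caveat until it is reworked. The module that writes these `path`/`content` items is above the hunk.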
@@ -165,15 +164,20 @@
 ### Ciphers and keying ###
 RekeyLimit 512M 6h
- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
- Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
- MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+ KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,
+ diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,
+ diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,
+ ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
+ aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
+ hmac-sha2-512,hmac-sha2-256
 ###########################
 AllowStreamLocalForwarding no
 PermitUserRC no
- AllowUsers svcansible
+ AllowUsers *
 AllowGroups *
 DenyUsers nobody
 DenyGroups nobody
diff --git a/roles/configuration/tasks/main.yml b/roles/configuration/tasks/main.yml
index a9b7787..82b28fe 100644
--- a/roles/configuration/tasks/main.yml
+++ b/roles/configuration/tasks/main.yml
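Review bot: `AllowUsers svcansible` becomes `AllowUsers *`, which together with the existing `AllowGroups *` leaves no user-level allow-list in a config that otherwise follows the CIS sshd hardening; if the goal is to let the provisioned account log in as well, an explicit list such as `AllowUsers svcansible {{ user_name }}` (if this block is rendered through Jinja, as the `os`-conditional paths earlier in this role are) keeps the control, and the commit message should say why it is relaxed either way. The KexAlgorithms, Ciphers and MACs values are now wrapped across lines with trailing commas, but sshd_config has no continuation syntax, so inside the literal block each wrapped remainder becomes its own directive and `sshd -t` will report `diffie-hellman-group14-sha256` as a bad configuration option. The three lists need to stay on one line each, as they were in the removed lines; if line length is the concern, build each list in a Jinja variable with `join(',')` and render it once. The block scalar holding this sshd_config starts above the hunk.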
@@ -85,18 +85,26 @@
 - name: Configure Bootloader
 block:
 - name: Install Bootloader
- ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c
- -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{
- "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{%
- endif %}
+ ansible.builtin.command: arch-chroot /mnt
+ {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
+ -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'
+ {% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
+ --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
+ {% endif %}
 - name: Generate grub config
- ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig
- -o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else
- "/boot/grub/grub.cfg" }}{% endif %}
+ ansible.builtin.command: arch-chroot /mnt
+ {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/grub2-mkconfig
+ -o /boot/efi/EFI/{{ os }}/grub.cfg
+ {% else %}/usr/sbin/grub-mkconfig -o
+ {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
+ {% endif %}
 - name: Regenerate initramfs
 when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
- ansible.builtin.command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower 
not in ["debian11", "debian12", "ubuntu",
- "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
+ ansible.builtin.command: arch-chroot /mnt
+ {% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
+ {% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force
+ {% else %} echo "Skipping initramfs regeneration"
+ {% endif %}
 - name: Extra Configuration
 block:
 - name: Append lines to vimrc
@@ -145,8 +153,9 @@
 - name: Create user account
 ansible.builtin.command: "{{ item }}"
 with_items:
- - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else
- "wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
+ - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
+ {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }}
+ {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
 - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
 - name: Add SSH public key to authorized_keys
diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml
index 0a3c19b..80d0dc9 100644
--- a/roles/partitioning/tasks/main.yml
+++ b/roles/partitioning/tasks/main.yml
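Review bot: In the rewritten Regenerate initramfs command the `{% else %} echo "Skipping initramfs regeneration"` branch is unreachable: the task's `when:` already excludes the Debian and Ubuntu values, the `{% if %}` takes `archlinux`, and the `{% elif %}` excludes only those same values, so every remaining `os` falls into the dracut branch. The `elif` can be collapsed to `{% else %} /usr/bin/dracut --regenerate-all --force` and the echo branch dropped, which makes the command read the way the `when:` guard already implies. Spreading `{% if %}`/`{% else %}` over continuation lines of a plain scalar works because YAML folds each break to a single space, but that is easy to break on the next edit, so a comment above the task is worth adding, e.g. `# Jinja branches below fold into one command line; keep each branch's arguments on lines at the same indent`. The Install Bootloader and Generate grub config commands earlier in this hunk have the same shape and the same comment serves them.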
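Review bot: The reflowed `useradd` item still renders `{{ user_password | password_hash('sha512') }}` into the command line, and with `with_items` Ansible prints each rendered item in the task output, so the password hash ends up in the controller's log and is visible in the process list on the host while `arch-chroot` runs it. Adding `no_log: true` beside `ansible.builtin.command: "{{ item }}"` keeps the rendered items out of the output; the unchanged `usermod` line for root carries the same kind of hash and benefits from it too. Since `password_hash` picks a fresh salt on every run, the task also reports a different command each time, which is another reason not to surface it in logs.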
@@ -106,20 +106,20 @@
 opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
 - path: /home
 uuid: "{{ uuid_home[0] | default(omit) }}"
- opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home'
- }}"
+ opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
+ else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
 - path: /var
 uuid: "{{ uuid_var[0] | default(omit) }}"
- opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var'
- }}"
+ opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
+ else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
 - path: /var/log
 uuid: "{{ uuid_var_log[0] | default(omit) }}"
- opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log'
- }}"
+ opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
+ else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
 - path: /var/log/audit
 uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
- opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit'
- }}"
+ opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
+ else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
 - name: Mount tmp and var_tmp filesystems
 ansible.posix.mount:
diff --git a/roles/virtualization/tasks/libvirt.yml b/roles/virtualization/tasks/libvirt.yml
index 34487a9..ca00553 100644
--- a/roles/virtualization/tasks/libvirt.yml
+++ b/roles/virtualization/tasks/libvirt.yml
@@ -27,8 +27,10 @@
 - name: Create cloud-init disk
 delegate_to: localhost
- ansible.builtin.command: cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N
- /tmp/cloud-network-config-{{ hostname }}.yml
+ ansible.builtin.command: cloud-localds
+ {{ vm_path | default('/var/lib/libvirt/images/') }}
+ {{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml
+ -N /tmp/cloud-network-config-{{ hostname }}.yml
 - name: Create VM using libvirt
 delegate_to: localhost
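Review bot: Moving `{{ hostname }}-cloudinit.iso` onto its own line breaks the output path: the value is a plain multi-line scalar, so YAML folds the line break into a space and `cloud-localds` now receives the `vm_path` directory (by default `/var/lib/libvirt/images/`) as its output argument, `<hostname>-cloudinit.iso` as user-data and the real user-data file as meta-data. Keep the two expressions adjacent on one continuation line, `{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso`; the `-N` line is fine as it is. Separately, the user-data and network-config inputs are fixed, predictable names under `/tmp` on the controller, which is a weak place for files that can carry credentials and keys; if an earlier task writes them, `ansible.builtin.tempfile` gives them a private path (that task is outside the hunk).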