Fix line-length
This commit is contained in:
parent
8b773d2304
commit
f788767839
@ -13,7 +13,9 @@
|
|||||||
when: os | lower in ['debian11', 'debian12']
|
when: os | lower in ['debian11', 'debian12']
|
||||||
ansible.builtin.command: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/
|
- |
|
||||||
|
debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} \
|
||||||
|
/mnt http://deb.debian.org/debian/
|
||||||
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
|
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
|
||||||
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
|
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
|
||||||
|
|
||||||
@ -21,7 +23,9 @@
|
|||||||
when: os | lower in ['ubuntu', 'ubuntu-lts']
|
when: os | lower in ['ubuntu', 'ubuntu-lts']
|
||||||
ansible.builtin.command: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} /mnt http://archive.ubuntu.com/ubuntu/
|
- |
|
||||||
|
debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} \
|
||||||
|
/mnt http://archive.ubuntu.com/ubuntu/
|
||||||
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
|
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
|
||||||
- arch-chroot /mnt apt update -y
|
- arch-chroot /mnt apt update -y
|
||||||
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
|
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
|
||||||
@ -38,7 +42,9 @@
|
|||||||
when: os | lower == 'fedora'
|
when: os | lower == 'fedora'
|
||||||
ansible.builtin.command: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- dnf --releasever=40 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
|
- |
|
||||||
|
dnf --releasever=40 --best --repo=fedora --repo=fedora-updates \
|
||||||
|
--installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
|
||||||
- arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
|
- arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
|
||||||
- arch-chroot /mnt dnf reinstall -y kernel-core
|
- arch-chroot /mnt dnf reinstall -y kernel-core
|
||||||
|
|
||||||
|
@ -93,14 +93,13 @@
|
|||||||
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
|
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
|
||||||
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
|
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
|
||||||
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
|
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
|
||||||
- path: /mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth"
|
- { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
|
||||||
}}
|
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
|
||||||
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
|
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
|
||||||
- path: /mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else
|
- { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
|
||||||
"pam.d/system-auth" }}
|
if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so }
|
||||||
content: account required pam_faillock.so
|
- { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
|
||||||
- path: /mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}
|
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
|
||||||
content: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
|
|
||||||
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
|
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
|
||||||
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
|
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
|
||||||
|
|
||||||
@ -165,15 +164,20 @@
|
|||||||
|
|
||||||
### Ciphers and keying ###
|
### Ciphers and keying ###
|
||||||
RekeyLimit 512M 6h
|
RekeyLimit 512M 6h
|
||||||
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
|
diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,
|
||||||
|
ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
|
||||||
|
aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
|
||||||
|
hmac-sha2-512,hmac-sha2-256
|
||||||
###########################
|
###########################
|
||||||
|
|
||||||
AllowStreamLocalForwarding no
|
AllowStreamLocalForwarding no
|
||||||
PermitUserRC no
|
PermitUserRC no
|
||||||
|
|
||||||
AllowUsers svcansible
|
AllowUsers *
|
||||||
AllowGroups *
|
AllowGroups *
|
||||||
DenyUsers nobody
|
DenyUsers nobody
|
||||||
DenyGroups nobody
|
DenyGroups nobody
|
||||||
|
@ -85,18 +85,26 @@
|
|||||||
- name: Configure Bootloader
|
- name: Configure Bootloader
|
||||||
block:
|
block:
|
||||||
- name: Install Bootloader
|
- name: Install Bootloader
|
||||||
ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c
|
ansible.builtin.command: arch-chroot /mnt
|
||||||
-L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{
|
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
|
||||||
"/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{%
|
-c -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'
|
||||||
endif %}
|
{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
|
||||||
|
--bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
|
||||||
|
{% endif %}
|
||||||
- name: Generate grub config
|
- name: Generate grub config
|
||||||
ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig
|
ansible.builtin.command: arch-chroot /mnt
|
||||||
-o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else
|
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/grub2-mkconfig
|
||||||
"/boot/grub/grub.cfg" }}{% endif %}
|
-o /boot/efi/EFI/{{ os }}/grub.cfg
|
||||||
|
{% else %}/usr/sbin/grub-mkconfig -o
|
||||||
|
{{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
|
||||||
|
{% endif %}
|
||||||
- name: Regenerate initramfs
|
- name: Regenerate initramfs
|
||||||
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
|
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
|
||||||
ansible.builtin.command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu",
|
ansible.builtin.command: arch-chroot /mnt
|
||||||
"ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
|
{% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
|
||||||
|
{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force
|
||||||
|
{% else %} echo "Skipping initramfs regeneration"
|
||||||
|
{% endif %}
|
||||||
- name: Extra Configuration
|
- name: Extra Configuration
|
||||||
block:
|
block:
|
||||||
- name: Append lines to vimrc
|
- name: Append lines to vimrc
|
||||||
@ -145,8 +153,9 @@
|
|||||||
- name: Create user account
|
- name: Create user account
|
||||||
ansible.builtin.command: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else
|
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
|
||||||
"wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
|
{{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }}
|
||||||
|
{{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
|
||||||
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
|
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
|
||||||
|
|
||||||
- name: Add SSH public key to authorized_keys
|
- name: Add SSH public key to authorized_keys
|
||||||
|
@ -106,20 +106,20 @@
|
|||||||
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
|
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
|
||||||
- path: /home
|
- path: /home
|
||||||
uuid: "{{ uuid_home[0] | default(omit) }}"
|
uuid: "{{ uuid_home[0] | default(omit) }}"
|
||||||
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home'
|
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
|
||||||
}}"
|
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
|
||||||
- path: /var
|
- path: /var
|
||||||
uuid: "{{ uuid_var[0] | default(omit) }}"
|
uuid: "{{ uuid_var[0] | default(omit) }}"
|
||||||
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var'
|
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
|
||||||
}}"
|
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
|
||||||
- path: /var/log
|
- path: /var/log
|
||||||
uuid: "{{ uuid_var_log[0] | default(omit) }}"
|
uuid: "{{ uuid_var_log[0] | default(omit) }}"
|
||||||
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log'
|
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
|
||||||
}}"
|
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
|
||||||
- path: /var/log/audit
|
- path: /var/log/audit
|
||||||
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
|
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
|
||||||
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit'
|
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
|
||||||
}}"
|
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
|
||||||
|
|
||||||
- name: Mount tmp and var_tmp filesystems
|
- name: Mount tmp and var_tmp filesystems
|
||||||
ansible.posix.mount:
|
ansible.posix.mount:
|
||||||
|
@ -27,8 +27,10 @@
|
|||||||
|
|
||||||
- name: Create cloud-init disk
|
- name: Create cloud-init disk
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
ansible.builtin.command: cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N
|
ansible.builtin.command: cloud-localds
|
||||||
/tmp/cloud-network-config-{{ hostname }}.yml
|
{{ vm_path | default('/var/lib/libvirt/images/') }}
|
||||||
|
{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml
|
||||||
|
-N /tmp/cloud-network-config-{{ hostname }}.yml
|
||||||
|
|
||||||
- name: Create VM using libvirt
|
- name: Create VM using libvirt
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
Loading…
Reference in New Issue
Block a user