refactor(vars): add system/hypervisor dict inputs

2026-02-11 05:37:18 +01:00
parent c4c96dbfb5
commit fc05708466
62 changed files with 2422 additions and 871 deletions


@@ -0,0 +1,56 @@
---
- name: Configure MOTD
when: configuration_motd_enabled | bool
block:
- name: Create MOTD file
ansible.builtin.copy:
content: |
***************************************************************************
* AUTHORIZED ACCESS ONLY. ALL ACTIVITIES ARE MONITORED AND LOGGED. *
* *
***************************************************************************
dest: /mnt/etc/motd
mode: "0644"
owner: root
group: root
- name: Remove other MOTD files
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /mnt/etc/motd.d/99-motd
- /mnt/etc/motd.d/cockpit
- /mnt/etc/motd.d/insights-client
failed_when: false
- name: Configure sudo banner
when: configuration_sudo_banner_enabled | bool
block:
- name: Create sudoers banner directory
ansible.builtin.file:
path: /mnt/etc/sudoers.d
state: directory
mode: "0755"
owner: root
group: root
- name: Create sudo banner file
ansible.builtin.copy:
content: |
I am Groot, and I know what I'm doing.
dest: /mnt/etc/sudoers.d/banner
mode: "0644"
owner: root
group: root
- name: Enable sudo banner in sudoers
ansible.builtin.lineinfile:
path: /mnt/etc/sudoers
line: "Defaults lecture=@/etc/sudoers.d/banner"
state: present
create: true
mode: "0440"
owner: root
group: root
validate: "visudo -cf - %s"
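Review bot: The sudoers line written at L57, `Defaults lecture=@/etc/sudoers.d/banner`, uses the `lecture` option, which in sudoers only accepts `always`, `once` or `never`; the option that names a banner file is `lecture_file`, so `visudo -c` should reject this line and the validate step would then fail the task on every run. The validate command also carries a stray `-` before `%s`; the documented form is `validate: /usr/sbin/visudo -cf %s`, and if visudo treats the extra argument as a usage error the check never passes. I'd write `line: "Defaults lecture_file=/etc/sudoers.d/banner"` (adding `lecture=always` on its own line if the banner must appear on every invocation rather than once) and keep the validate, since it is what stops a malformed sudoers from reaching the target.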


@@ -8,7 +8,7 @@
configuration_bootloader_id: >-
{{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
configuration_efi_vendor: >-
{{ "redhat" if os | lower in ["rhel8", "rhel9", "rhel10"] else os | lower }}
{{ "redhat" if os | lower == "rhel" else os | lower }}
configuration_efibootmgr_cmd: >-
/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{{ configuration_efi_vendor }}\shimx64.efi'
@@ -18,7 +18,7 @@
--bootloader-id={{ configuration_bootloader_id }}
configuration_bootloader_cmd: >-
{{ configuration_efibootmgr_cmd if configuration_use_efibootmgr else configuration_grub_cmd }}
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_bootloader_cmd }}"
ansible.builtin.command: "{{ chroot_command }} {{ configuration_bootloader_cmd }}"
register: configuration_bootloader_result
changed_when: configuration_bootloader_result.rc == 0
@@ -27,10 +27,11 @@
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
line: '\1 lvm2\2'
line: "\\1 lvm2\\2"
backrefs: true
- name: Regenerate initramfs
when: os | lower not in ["alpine", "void"]
vars:
configuration_initramfs_cmd: >-
{{
@@ -43,14 +44,14 @@
else '/usr/bin/dracut --regenerate-all --force'
)
}}
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_initramfs_cmd }}"
ansible.builtin.command: "{{ chroot_command }} {{ configuration_initramfs_cmd }}"
register: configuration_initramfs_result
changed_when: configuration_initramfs_result.rc == 0
- name: Generate grub config
vars:
configuration_efi_vendor: >-
{{ "redhat" if os | lower in ["rhel8", "rhel9", "rhel10"] else os | lower }}
{{ "redhat" if os | lower == "rhel" else os | lower }}
configuration_grub_cfg_cmd: >-
{{
'/usr/sbin/grub2-mkconfig -o '
@@ -59,6 +60,6 @@
if is_rhel | bool
else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
}}
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_grub_cfg_cmd }}"
ansible.builtin.command: "{{ chroot_command }} {{ configuration_grub_cfg_cmd }}"
register: configuration_grub_result
changed_when: configuration_grub_result.rc == 0
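Review bot: `configuration_efi_vendor` is defined twice with the identical expression, at L72 in the first hunk and again at L108 in the "Generate grub config" task; computing it once (a role-level var, or a `set_fact` before these tasks) keeps the two copies from drifting the next time the distro mapping changes. The remaining edits in this section only drop the `/mnt` argument that `chroot_command` presumably now carries, which is consistent across the file. Both tasks whose `vars` these hunks touch begin and end outside the hunks.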


@@ -141,8 +141,8 @@
- configuration_luks_keyfile_in_use
ansible.builtin.lineinfile:
path: /mnt/etc/cryptsetup-initramfs/conf-hook
regexp: '^KEYFILE_PATTERN='
line: 'KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key'
regexp: "^KEYFILE_PATTERN="
line: "KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key"
create: true
mode: "0644"
@@ -150,7 +150,7 @@
when: os | lower == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: '^HOOKS='
regexp: "^HOOKS="
line: >-
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
block sd-encrypt lvm2 filesystems fsck)
@@ -194,7 +194,7 @@
when: os | lower == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: '^FILES='
regexp: "^FILES="
line: >-
FILES=({{
configuration_mkinitcpio_files_list_new | join(' ')
@@ -271,7 +271,7 @@
- configuration_kernel_bls_entries.files | length > 0
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: '^options '
regexp: "^options "
line: "options {{ configuration_kernel_cmdline_new }}"
loop: "{{ configuration_kernel_bls_entries.files }}"
loop_control:
@@ -351,5 +351,5 @@
when: not is_rhel | bool
ansible.builtin.lineinfile:
path: /mnt/etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ configuration_grub_cmdline_default_new }}"'
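Review bot: `KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key` at L130 makes initramfs-tools copy the LUKS keyfile into the initramfs image, which is only acceptable if that image is not world-readable; Debian's cryptsetup documentation pairs this setting with `UMASK=0077` in `/etc/initramfs-tools/initramfs.conf`, and nothing in this section sets it. Unless that is handled elsewhere in the role, I'd add a sibling task with `path: /mnt/etc/initramfs-tools/initramfs.conf`, `regexp: "^UMASK="`, `line: "UMASK=0077"` under the same `when`. The other hunks in this section are quoting changes only.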


@@ -36,7 +36,7 @@
+ [configuration_luks_device]
}}
configuration_luks_enroll_chroot_cmd: >-
{{ chroot_command }} /mnt {{ configuration_luks_enroll_args | join(' ') }}
{{ chroot_command }} {{ configuration_luks_enroll_args | join(' ') }}
ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
register: configuration_luks_tpm2_enroll_chroot
changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0


@@ -27,7 +27,8 @@
- name: Create zram config
when:
- os | lower not in ['debian11', 'rhel8']
- (os != "debian" or (os_version | string) != "11") and os != "rhel"
- os | lower not in ["alpine", "void"]
- swap_enabled | bool
ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf
@@ -62,7 +63,7 @@
- /mnt/etc/issue.net
- name: Remove motd files
when: os | lower in ["rhel8", "rhel9", "rhel10"]
when: os == "rhel"
ansible.builtin.file:
path: "{{ item }}"
state: absent
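Review bot: The rewritten condition at L186 widens the zram exclusion: the old list skipped only `rhel8`, while `os != "rhel"` now skips every RHEL release, and the `os_version` check is applied to Debian only; if RHEL 9 and 10 should still get zram, the clause needs the same shape as the Debian one, e.g. `(os != "rhel" or (os_version | string) != "8")`. Separately, L186 and L195 compare bare `os` while L187 and the rest of the role still use `os | lower`; the unnormalized form also appears at L206, L214, L228 and L454, so either the new system dict guarantees a lower-case `os` (worth a comment where it is declared) or these branches silently skip on mixed-case values.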


@@ -17,14 +17,14 @@
mode: "0644"
- name: Remove deprecated attr2 and disable large extent
when: os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] and filesystem == "xfs"
when: os in ["almalinux", "rocky", "rhel"] and filesystem == "xfs"
ansible.builtin.replace:
path: /mnt/etc/fstab
regexp: "(xfs.*?)(attr2)"
replace: '\1allocsize=64m'
replace: "\\1allocsize=64m"
- name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9", "rhel10"]
when: os == "rhel"
vars:
configuration_fstab_dvd_line: >-
{{
@@ -34,12 +34,12 @@
}}
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: '^.*\/dvd.*$'
regexp: "^.*\\/dvd.*$"
line: "{{ configuration_fstab_dvd_line }}"
state: present
- name: Write image from RHEL ISO to the target machine
when: os in ["rhel8", "rhel9", "rhel10"] and hypervisor == 'vmware'
when: os == "rhel" and hypervisor == 'vmware'
ansible.builtin.command:
argv:
- dd
@@ -57,9 +57,9 @@
line: "{{ fstab_entry.line }}"
insertafter: EOF
loop:
- {regexp: '^# TempFS$', line: '# TempFS'}
- {regexp: '^tmpfs\\s+/tmp\\s+', line: 'tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0'}
- {regexp: '^tmpfs\\s+/var/tmp\\s+', line: 'tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0'}
- {regexp: '^tmpfs\\s+/dev/shm\\s+', line: 'tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0'}
- { regexp: "^# TempFS$", line: "# TempFS" }
- { regexp: "^tmpfs\\\\s+/tmp\\\\s+", line: "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0" }
- { regexp: "^tmpfs\\\\s+/var/tmp\\\\s+", line: "tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0" }
- { regexp: "^tmpfs\\\\s+/dev/shm\\\\s+", line: "tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0" }
loop_control:
loop_var: fstab_entry
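Review bot: The tmpfs regexps at L241-L243 cannot match a real fstab line: in a double-quoted YAML scalar `\\\\s` becomes the two characters `\\s`, which the regex engine reads as a literal backslash followed by `s+`, so an existing `tmpfs /tmp ...` entry with weaker options is left in place rather than replaced (the old single-quoted form at L237-L239 produced the same value, so this is not a regression, but the rewrite was the moment to fix it). The intended pattern needs one escaped backslash, `"^tmpfs\\s+/tmp\\s+"`, and likewise for `/var/tmp` and `/dev/shm`. This matters for the hardening the loop carries, since the `nosuid,nodev,noexec` line only supersedes a pre-existing entry when the regexp actually matches it.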


@@ -106,7 +106,7 @@
when: configuration_grub_bls_entries.files | length > 0
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: '^options '
regexp: "^options "
line: "options {{ configuration_kernel_cmdline_base }}"
loop: "{{ configuration_grub_bls_entries.files }}"
loop_control:
@@ -116,5 +116,5 @@
when: partitioning_grub_enable_cryptodisk | bool
ansible.builtin.lineinfile:
path: /mnt/etc/default/grub
regexp: '^GRUB_ENABLE_CRYPTODISK='
regexp: "^GRUB_ENABLE_CRYPTODISK="
line: GRUB_ENABLE_CRYPTODISK=y


@@ -1,5 +1,6 @@
---
- name: Reload systemd in installer environment
when: ansible_service_mgr == 'systemd'
ansible.builtin.systemd:
daemon_reload: true
@@ -19,14 +20,15 @@
regexp: "{{ item.regex }}"
line: "{{ item.line }}"
loop:
- {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
- name: Generate locales
when: not is_rhel | bool
ansible.builtin.command: "{{ chroot_command }} /mnt /usr/sbin/locale-gen"
ansible.builtin.command: "{{ chroot_command }} /usr/sbin/locale-gen"
register: configuration_locale_result
changed_when: configuration_locale_result.rc == 0
- name: Set hostname
vars:
configuration_hostname_fqdn: >-
@@ -34,8 +36,8 @@
hostname
if '.' in hostname
else (
hostname + '.' + vm_dns_search
if vm_dns_search is defined and vm_dns_search | length
hostname + '.' + system_cfg.dns_search
if system_cfg.dns_search is defined and system_cfg.dns_search | length
else hostname
)
}}
@@ -51,16 +53,22 @@
hostname
if '.' in hostname
else (
hostname + '.' + vm_dns_search
if vm_dns_search is defined and vm_dns_search | length
hostname + '.' + system_cfg.dns_search
if system_cfg.dns_search is defined and system_cfg.dns_search | length
else hostname
)
}}
configuration_hostname_short: "{{ hostname.split('.')[0] }}"
configuration_hostname_entries: >-
{{ [configuration_hostname_fqdn, configuration_hostname_short] | unique | join(' ') }}
configuration_hosts_ip: >-
{{
system_cfg.ip
if system_cfg.ip is defined and (system_cfg.ip | string | length) > 0
else inventory_hostname
}}
configuration_hosts_line: >-
{{ (vm_ip if vm_ip is defined and vm_ip | length > 0 else inventory_hostname) }} {{ configuration_hostname_entries }}
{{ configuration_hosts_ip }} {{ configuration_hostname_entries }}
ansible.builtin.lineinfile:
path: /mnt/etc/hosts
line: "{{ configuration_hosts_line }}"
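Review bot: `system_cfg.dns_search` is concatenated as a string at L295 and L306 (`hostname + '.' + system_cfg.dns_search`), while the network tasks in this same commit accept `system_cfg.dns_servers` as either a list or a comma-separated string; if `dns_search` may be a list as well, this template raises instead of building the FQDN. Either document on the system dict that `dns_search` is a single string, or normalize it the same way, e.g. `(system_cfg.dns_search | first if system_cfg.dns_search is not string else system_cfg.dns_search)`. The identical FQDN expression is also duplicated between the two tasks in this section (L288-L299 and L300-L310) and could be computed once with `set_fact`. Both tasks begin before their hunks.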


@@ -2,6 +2,7 @@
- name: Include configuration tasks
ansible.builtin.include_tasks: "{{ configuration_task }}"
loop:
- banner.yml
- fstab.yml
- locales.yml
- services.yml


@@ -82,15 +82,100 @@
- configuration_net_mac | length > 0
fail_msg: Failed to detect the MAC address for network interface {{ configuration_net_inf }}.
- name: Copy NetworkManager keyfile
ansible.builtin.template:
src: network.j2
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: "0600"
- name: Configure NetworkManager profile
when: os | lower not in ["alpine", "void"]
block:
- name: Copy NetworkManager keyfile
ansible.builtin.template:
src: network.j2
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: "0600"
- name: Fix Ubuntu unmanaged devices
when: os | lower in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: "0644"
- name: Fix Ubuntu unmanaged devices
when: os | lower in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: "0644"
- name: Configure Alpine networking
when: os | lower == "alpine"
vars:
configuration_dns_value: "{{ system_cfg.dns_servers if system_cfg.dns_servers is defined else '' }}"
configuration_dns_list_raw: >-
{{
configuration_dns_value
if configuration_dns_value is iterable and configuration_dns_value is not string
else configuration_dns_value.split(',')
}}
configuration_dns_list: >-
{{ configuration_dns_list_raw | map('trim') | reject('equalto', '') | list }}
configuration_alpine_static: >-
{{
system_cfg.ip is defined
and system_cfg.ip | string | length > 0
and system_cfg.prefix is defined
and (system_cfg.prefix | string | length) > 0
}}
block:
- name: Write Alpine network interfaces
ansible.builtin.copy:
dest: /mnt/etc/network/interfaces
mode: "0644"
content: |
auto lo
iface lo inet loopback
auto {{ configuration_net_inf }}
iface {{ configuration_net_inf }} inet {{ 'static' if configuration_alpine_static | bool else 'dhcp' }}
{% if configuration_alpine_static | bool %}
address {{ system_cfg.ip }}/{{ system_cfg.prefix }}
{% if system_cfg.gateway is defined and system_cfg.gateway | string | length %}
gateway {{ system_cfg.gateway }}
{% endif %}
{% endif %}
- name: Set Alpine DNS resolvers
when: configuration_dns_list | length > 0
ansible.builtin.copy:
dest: /mnt/etc/resolv.conf
mode: "0644"
content: |
{% for resolver in configuration_dns_list %}
nameserver {{ resolver }}
{% endfor %}
- name: Configure Void networking
when: os | lower == "void"
vars:
configuration_dns_value: "{{ system_cfg.dns_servers if system_cfg.dns_servers is defined else '' }}"
configuration_dns_list_raw: >-
{{
configuration_dns_value
if configuration_dns_value is iterable and configuration_dns_value is not string
else configuration_dns_value.split(',')
}}
configuration_dns_list: >-
{{ configuration_dns_list_raw | map('trim') | reject('equalto', '') | list }}
configuration_void_static: >-
{{
system_cfg.ip is defined
and system_cfg.ip | string | length > 0
and system_cfg.prefix is defined
and (system_cfg.prefix | string | length) > 0
}}
block:
- name: Write dhcpcd configuration for static networking
when: configuration_void_static | bool
ansible.builtin.copy:
dest: /mnt/etc/dhcpcd.conf
mode: "0644"
content: |
interface {{ configuration_net_inf }}
static ip_address={{ system_cfg.ip }}/{{ system_cfg.prefix }}
{% if system_cfg.gateway is defined and system_cfg.gateway | string | length %}
static routers={{ system_cfg.gateway }}
{% endif %}
{% if configuration_dns_list | length > 0 %}
static domain_name_servers={{ configuration_dns_list | join(' ') }}
{% endif %}
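Review bot: The `vars` of the Alpine and Void blocks (L371-L386 and L415-L430) are the same thirteen lines with only the final variable renamed; a single `set_fact` before both blocks producing `configuration_dns_list` and one shared static-network flag would remove the duplication and keep the two distros from diverging. Also, `state: touch` at L360 updates the file's mtime on every run, so the Ubuntu fix reports changed forever; adding `access_time: preserve` and `modification_time: preserve` to that task makes it idempotent. The hunk starts inside an earlier task whose beginning is outside it.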


@@ -3,9 +3,9 @@
when: is_rhel | bool
block:
- name: Fix SELinux by pre-labeling the filesystem before first boot
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
when: os in ['almalinux', 'rocky', 'rhel'] and selinux | bool
ansible.builtin.command: >
{{ chroot_command }} /mnt /sbin/setfiles -v -F
{{ chroot_command }} /sbin/setfiles -v -F
-e /dev -e /proc -e /sys -e /run
/etc/selinux/targeted/contexts/files/file_contexts /
register: configuration_setfiles_result


@@ -1,11 +1,12 @@
---
- name: Enable Systemd Services
when: os | lower not in ['alpine', 'void']
ansible.builtin.command: >
{{ chroot_command }} /mnt systemctl enable NetworkManager
{{ ' firewalld' if firewalld_enabled | bool else '' }}
{{ chroot_command }} systemctl enable NetworkManager
{{ ' firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}
{{ ' ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}
{{
(' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
(' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else ''))
(' ssh' if is_debian | bool else ' sshd')
if ssh_enabled | bool else ''
}}
{{
@@ -14,3 +15,65 @@
}}
register: configuration_enable_services_result
changed_when: configuration_enable_services_result.rc == 0
- name: Enable OpenRC services
when: os | lower == 'alpine'
vars:
configuration_openrc_services: >-
{{
['networking']
+ (['sshd'] if ssh_enabled | bool else [])
+ ([firewall_backend] if firewall_enabled | bool else [])
}}
block:
- name: Ensure OpenRC runlevel directory exists
ansible.builtin.file:
path: /mnt/etc/runlevels/default
state: directory
mode: "0755"
- name: Check OpenRC init scripts
ansible.builtin.stat:
path: "/mnt/etc/init.d/{{ item }}"
loop: "{{ configuration_openrc_services }}"
register: configuration_openrc_service_stats
changed_when: false
- name: Enable OpenRC services
ansible.builtin.file:
src: "/mnt/etc/init.d/{{ item.item }}"
dest: "/mnt/etc/runlevels/default/{{ item.item }}"
state: link
loop: "{{ configuration_openrc_service_stats.results }}"
when: item.stat.exists
- name: Enable runit services
when: os | lower == 'void'
vars:
configuration_runit_services: >-
{{
['dhcpcd']
+ (['sshd'] if ssh_enabled | bool else [])
+ ([firewall_backend] if firewall_enabled | bool else [])
}}
block:
- name: Ensure runit service directory exists
ansible.builtin.file:
path: /mnt/var/service
state: directory
mode: "0755"
- name: Check runit service definitions
ansible.builtin.stat:
path: "/mnt/etc/sv/{{ item }}"
loop: "{{ configuration_runit_services }}"
register: configuration_runit_service_stats
changed_when: false
- name: Enable runit services
ansible.builtin.file:
src: "/mnt/etc/sv/{{ item.item }}"
dest: "/mnt/var/service/{{ item.item }}"
state: link
loop: "{{ configuration_runit_service_stats.results }}"
when: item.stat.exists
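Review bot: The service links written at L508 and L536 point at the installer-side path: `src: "/mnt/etc/init.d/{{ item.item }}"` and `src: "/mnt/etc/sv/{{ item.item }}"` are stored verbatim as the link target, so once the installed system boots `/etc/runlevels/default/sshd` and `/var/service/sshd` resolve to `/mnt/...` and dangle, and neither sshd nor the firewall starts even though the play reported success. The target must be the in-chroot path, `src: "/etc/init.d/{{ item.item }}"` and `src: "/etc/sv/{{ item.item }}"`, together with `force: true`, because the file module otherwise refuses a link whose src does not exist on the host running the play. Related: `when: item.stat.exists` (L512, L540) silently drops a missing service, so `firewall_enabled: true` with no init script for `firewall_backend` yields a host with no firewall and a green run; an `ansible.builtin.assert` over the stat results after the check task would surface that instead.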


@@ -4,11 +4,11 @@
configuration_user_group: >-
{{ "sudo" if is_debian | bool else "wheel" }}
configuration_useradd_cmd: >-
{{ chroot_command }} /mnt /usr/sbin/useradd --create-home --user-group
{{ chroot_command }} /usr/sbin/useradd --create-home --user-group
--groups {{ configuration_user_group }} {{ user_name }}
--password {{ user_password | password_hash('sha512') }} --shell /bin/bash
configuration_root_cmd: >-
{{ chroot_command }} /mnt /usr/sbin/usermod --password
{{ chroot_command }} /usr/sbin/usermod --password
'{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
ansible.builtin.command: "{{ item }}"
loop:
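Review bot: The useradd and usermod commands at L549-L555 embed password hashes in the command line and the task has no `no_log: true`, so the rendered command, hashes included, lands in verbose output and any logging callback; `password_hash('sha512')` with a random salt limits the exposure, but the hashes are still credential material. Add `no_log: true` to the task that runs this loop; its body continues past the end of the hunk, so the loop entries themselves are not visible here. A smaller style point: the root hash is single-quoted at L555 while the user hash at L551 is not; both pass through the command module's shlex split, so either works, but they should match.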